Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'ec525f4' = '%APPDATA%\ec525f4.exe'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'ec525f' = 'C:\ec525f4\ec525f4.exe'
Creates or modifies the following files:
- %HOMEPATH%\Start Menu\Programs\Startup\ec525f4.exe
Malicious functions:
To complicate detection of its presence in the operating system,
blocks the following features:
- System Restore (SR)
Executes the following:
- '<SYSTEM32>\vssadmin.exe' Delete Shadows /All /Quiet
- '<SYSTEM32>\svchost.exe' netsvcs
- '%WINDIR%\explorer.exe'
Injects code into
the following system processes:
- <SYSTEM32>\svchost.exe
Modifies file system :
Creates the following files:
- %APPDATA%\ec525f4.exe
- C:\ec525f4\ec525f4.exe
Network activity:
Connects to:
- 'co######yneuroclinic.com':80
- 'ma######guehomerepair.com':80
- 'sh###dtoyou.com':80
- 'br###fross.com':80
- 'ch####scrosson.com':80
- 'gl###zona.com':80
- 'mo###coffee.com':80
- 'mo##red.pl':80
- 'ch####yfross.com':80
- 'ge##th.com':80
- 'ho####yle1974.com':80
- 'bi####okerage.com':80
- 'co####zzabrasil.com':80
- 'gr###lysts.com':80
- 'ed###ntage.com':80
- 'im##au24.de':80
- 'cp##ash.com':80
- 'fa#####people.com.br':80
- 'mo###deep.com':80
- 'fe###alnirs.com':80
- 'ei###hai.net':80
- 'hi####-drivers.com':80
- 'ja####azonia.com':80
- 'mi####-jewelry.com':80
- 'ga####nesexboys.com':80
- 'fu######mtechnologies.com':80
- 'el###hmias.com':80
- 'gr###oup.co.il':80
- 'ca###apan.com':80
- 'gs###kansas.com':80
- 'ap###acii.com':80
- 'id##-lab.kz':80
- 'in#####ofmycamera.com':80
- 'cl###r-x.com':80
- 'is####hcebakim.com':80
- 'cu###yip.com':80
- 'my####rnalip.com':80
- 'ip##ddr.es':80
- 'ke##uk.cz':80
- 'pa####lane.co.id':80
- 'co#####zacolombia.com':80
- 'mi#######nationalthailand.com':80
- 'co#####zavenezuela.com':80
- 'co#######deramaquillarse.com':80
- 'os##tec.com':80
- 'ch####ndermagic.com':80
- 'co###ctao.com':80
- 'co#####-into-cash.com':80
- 'hk##m.com':80
- 'co####zzachile.com':80
- 'kw#####proci.mazury.pl':80
- 'ca####midwifery.com':80
- 'co#####onakeychain.com':80
- 'fo###cegypt.com':80
- 'co#####zauruguay.com':80
TCP:
HTTP GET requests:
- http://cu###yip.com/
- http://my####rnalip.com/raw
- http://ip##ddr.es/
HTTP POST requests:
- http://gl###zona.com/plugins/system/plg_system_rewrite/rr.php?d=##########
- http://co######yneuroclinic.com/wp-content/themes/twentytwelve/cccc.php?h=##########
- http://ma######guehomerepair.com/wp-content/uploads/rrrr.php?e=##########
- http://gr###lysts.com/wp-content/uploads/rrr.php?d=##########
- http://br###fross.com/wp-content/themes/twentyeleven/ccccc.php?e=##########
- http://ch####scrosson.com/wp-content/plugins/woodojo/ccccc.php?x=##########
- http://sh###dtoyou.com/download/cc.php?d=##########
- http://co####zzabrasil.com/wp-content/plugins/revision-control/ccc.php?d=##########
- http://mo##red.pl/wp-content/uploads/rrrrr.php?i=##########
- http://ch####yfross.com/wp-content/themes/twentyfourteen/cccc.php?c=##########
- http://mo###coffee.com/wp-content/uploads/cc.php?q=##########
- http://ho####yle1974.com/wp-content/uploads/rrr.php?s=##########
- http://bi####okerage.com/wp-content/plugins/wp-antibot-standart/rrr.php?y=##########
- http://ed###ntage.com/wp-content/uploads/rrrr.php?u=##########
- http://im##au24.de/templates/atomic/rr.php?a=##########
- http://cp##ash.com/wp-content/themes/twentytwelve/c.php?m=##########
- http://fa#####people.com.br/wp-content/themes/mazine/rrrrr.php?p=##########
- http://mo###deep.com/wp-content/uploads/rrr.php?c=##########
- http://fe###alnirs.com/wp-content/plugins/revslider/temp/c.php?x=##########
- http://ei###hai.net/wp-content/themes/twentytwelve/rr.php?u=##########
- http://hi####-drivers.com/wp-content/plugins/revslider/temp/cc.php?k=##########
- http://ja####azonia.com/wp-content/uploads/r.php?f=##########
- http://mi####-jewelry.com/wp-content/uploads/rr.php?k=##########
- http://ga####nesexboys.com/wp-content/uploads/rrrr.php?a=##########
- http://fu######mtechnologies.com/wp-content/plugins/jetpack/ccccc.php?l=##########
- http://el###hmias.com/wp-content/uploads/r.php?b=##########
- http://id##-lab.kz/wp-content/uploads/rrr.php?g=##########
- http://in#####ofmycamera.com/albums/ccc.php?r=##########
- http://cl###r-x.com/wp-content/plugins/sitepress-multilingual-cms/ccccc.php?y=##########
- http://kw#####proci.mazury.pl/images/ccccc.php?l=##########
- http://ca####midwifery.com/wp-content/plugins/ultimate-branding/c.php?b=##########
- http://mi#######nationalthailand.com/wp-content/cccc.php?o=##########
- http://ca###apan.com/wp-content/plugins/bwp-recent-comments/ccc.php?g=##########
- http://ke##uk.cz/wp-content/uploads/rrrr.php?q=##########
- http://pa####lane.co.id/site/ccccc.php?r=##########
- http://co#####zacolombia.com/wp-content/plugins/pods/cc.php?j=##########
- http://gs###kansas.com/wp-content/plugins/wp-antibot-standart/rrrr.php?e=##########
- http://ap###acii.com/openx/www/delivery/ccc.php?g=##########
- http://is####hcebakim.com/wp-content/uploads/rrrr.php?a=##########
- http://co###ctao.com/wp-content/themes/twentyeleven/cc.php?d=##########
- http://co#####-into-cash.com/wp-content/plugins/pretty-link/cc.php?d=##########
- http://co#####zavenezuela.com/wp-content/plugins/stickyfooter/ccccc.php?g=##########
- http://ge##th.com/ckfinder/cc.php?i=##########
- http://gr###oup.co.il/wp-content/plugins/revslider/temp/cccc.php?a=##########
- http://ch####ndermagic.com/wp-content/plugins/wp-quick-contact-us/cc.php?u=##########
- http://co#######deramaquillarse.com/wp-content/themes/twentyten/c.php?u=##########
- http://fo###cegypt.com/blog/wp-content/themes/twentyfourteen/rrr.php?q=##########
- http://co#####zauruguay.com/wp-content/wp-content/themes/twentythirteen/cccc.php?s=##########
- http://co####zzachile.com/wp-content/plugins/gravityforms/ccc.php?e=##########
- http://os##tec.com/board/cccc.php?n=##########
- http://hk##m.com/wp-content/themes/xinji/rrrr.php?v=##########
- http://co#####onakeychain.com/wp-content/plugins/wp-smushit/ccc.php?a=##########
UDP:
- DNS ASK co######yneuroclinic.com
- DNS ASK ma######guehomerepair.com
- DNS ASK sh###dtoyou.com
- DNS ASK br###fross.com
- DNS ASK ch####scrosson.com
- DNS ASK gl###zona.com
- DNS ASK mo###coffee.com
- DNS ASK mo##red.pl
- DNS ASK ch####yfross.com
- DNS ASK ge##th.com
- DNS ASK ho####yle1974.com
- DNS ASK bi####okerage.com
- DNS ASK co####zzabrasil.com
- DNS ASK gr###lysts.com
- DNS ASK ed###ntage.com
- DNS ASK im##au24.de
- DNS ASK cp##ash.com
- DNS ASK fa#####people.com.br
- DNS ASK mo###deep.com
- DNS ASK fe###alnirs.com
- DNS ASK ei###hai.net
- DNS ASK hi####-drivers.com
- DNS ASK ja####azonia.com
- DNS ASK mi####-jewelry.com
- DNS ASK ga####nesexboys.com
- DNS ASK fu######mtechnologies.com
- DNS ASK el###hmias.com
- DNS ASK gr###oup.co.il
- DNS ASK ca###apan.com
- DNS ASK gs###kansas.com
- DNS ASK ap###acii.com
- DNS ASK id##-lab.kz
- DNS ASK in#####ofmycamera.com
- DNS ASK cl###r-x.com
- DNS ASK is####hcebakim.com
- DNS ASK cu###yip.com
- DNS ASK my####rnalip.com
- DNS ASK ip##ddr.es
- DNS ASK ke##uk.cz
- DNS ASK pa####lane.co.id
- DNS ASK co#####zacolombia.com
- DNS ASK mi#######nationalthailand.com
- DNS ASK co#####zavenezuela.com
- DNS ASK co#######deramaquillarse.com
- DNS ASK os##tec.com
- DNS ASK ch####ndermagic.com
- DNS ASK co###ctao.com
- DNS ASK co#####-into-cash.com
- DNS ASK hk##m.com
- DNS ASK co####zzachile.com
- DNS ASK kw#####proci.mazury.pl
- DNS ASK ca####midwifery.com
- DNS ASK co#####onakeychain.com
- DNS ASK fo###cegypt.com
- DNS ASK co#####zauruguay.com
Miscellaneous:
Searches for the following windows:
- ClassName: 'Indicator' WindowName: ''
