Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'epyvocag' = '"%WINDIR%\enanubit.exe"'
Malicious functions:
To complicate detection of its presence in the operating system,
deletes volume shadow copies.
Executes the following:
- '%WINDIR%\explorer.exe'
Injects code into
the following system processes:
- %WINDIR%\explorer.exe
Searches for registry branches where third party applications store passwords:
- [<HKCU>\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook]
- [<HKCU>\Software\Microsoft\Internet Account Manager\Accounts]
- [<HKCU>\Software\Microsoft\Internet Account Manager]
- [<HKLM>\Software\Microsoft\Internet Account Manager]
- [<HKCU>\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts]
- [<HKCU>\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings]
Modifies file system:
Creates the following files:
- %APPDATA%\video.png
- %APPDATA%\HEB.zdct
- %APPDATA%\LoadLayers.exv
- %APPDATA%\win32_MoveDrop32x32.gif
- %APPDATA%\preview.png
- %APPDATA%\VsTextured.hlsl
- %APPDATA%\500-14.htm
- %APPDATA%\tweakChkDsk_nl.p5p
- %APPDATA%\forward32.png
- %APPDATA%\embedding.xml
- %APPDATA%\name-test.js
- %APPDATA%\toast_critical_message.png
- %APPDATA%\titlefoil.html.xml
- %APPDATA%\Ataghan.G
- %APPDATA%\w3c-prev.png
- %APPDATA%\ulink.hyphenate.chars.xml
- %APPDATA%\t12.png
- %APPDATA%\MergeModules
- %APPDATA%\Frosted Detail Plastic - Frosted Ultra Detail.3PP
- %APPDATA%\b_dk.jpg
- %APPDATA%\calendar2.png
- %APPDATA%\Alienlabs.UpgradeService.dll.config
- %APPDATA%\GMT+11
- %APPDATA%\navig.graphics.extension.xml
- %APPDATA%\Havana
- %APPDATA%\BMC blue 2.ADO
- %APPDATA%\no.next.image.xml
- %APPDATA%\GIF 128 No Dither.irs
- %APPDATA%\Aero.dll
- %ALLUSERSPROFILE%\Application Data\uciqelufyjyryluj\ifugupat
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\plain[1]
- %ALLUSERSPROFILE%\Application Data\uciqelufyjyryluj\atugolat
- %ALLUSERSPROFILE%\Application Data\uciqelufyjyryluj\emugavat
- %WINDIR%\enanubit.exe
- %APPDATA%\78-RKSJ-V
- %APPDATA%\man.th.title.max.length.xml
- %APPDATA%\toc.line.properties.xml
- %APPDATA%\arrow_right_disabled.png
- %APPDATA%\tweakRepairWinsock_it.p5p
- %APPDATA%\plus.image.xml
- %APPDATA%\Novokuznetsk
- %APPDATA%\race.js
- %APPDATA%\cpu_stress.xml
- %APPDATA%\Frosted Detail Plastic - Frosted Detail.3PP
- %APPDATA%\no-module.js
- %APPDATA%\sound.png
- %APPDATA%\GMT-14
- %APPDATA%\formal.title.properties.xml
- %APPDATA%\Cool Gray 9 bl 4.ADO
- %APPDATA%\OpenMapleLicensing.txt
- %APPDATA%\modem.xml
- %APPDATA%\pt-PT.pak
- %APPDATA%\Yellow Filter.blw
- %APPDATA%\ulink.footnotes.xml
- %APPDATA%\services.png
- %APPDATA%\windows.png
- %APPDATA%\generate.section.toc.level.xml
- %APPDATA%\column.count.back.xml
- %APPDATA%\xbStyle.js.xml
- %TEMP%\nsj2.tmp\System.dll
- %APPDATA%\DomeConstrictor.h
- %APPDATA%\use.id.function.xml
- %APPDATA%\profile.revisionflag.xml
- %APPDATA%\console.log
- %APPDATA%\htmlhelp.enhanced.decompilation.xml
- %APPDATA%\tweakNetworkingManual_fi.p5p
- %APPDATA%\computer_server_stack.png
- %APPDATA%\VisiBone2.aco
- %APPDATA%\SceneButtonInset_Alpha1.png
- %APPDATA%\xercesImpl.NOTICE.txt
- %APPDATA%\CommandTemplate.mws
- %APPDATA%\hidetoc.gif
- %APPDATA%\tweakChkDsk_fi.p5p
- %APPDATA%\README_kn_IN.txt
- %APPDATA%\doap.rdf
- %APPDATA%\blockquote.properties.xml
- %APPDATA%\profile.audience.xml
- %APPDATA%\Mbabane
- %APPDATA%\arbortext.extensions.xml
- %APPDATA%\goURL_lr_photoshop_kr.csv
- %APPDATA%\olduninstall.iss
- %APPDATA%\HKm314-B5-V
- %APPDATA%\refresh_disabled.png
- %APPDATA%\palm_alpha_0.png
- %APPDATA%\13.gif
- %APPDATA%\callout.graphics.xml
- %APPDATA%\cursors.properties
- %APPDATA%\slides.css
- %APPDATA%\90-synthetic.conf
- %APPDATA%\HKdlb-B5-V
Network activity:
Connects to:
- 'yb#####j.jordaust.biz':443
- 'cs######oca.jordaust.biz':443
- 'ot#####fy.jordaust.biz':443
- 'rd#####.jordaust.biz':443
- 'on####.jordaust.biz':443
- 'ex######evo.jordaust.biz':443
- 'yr#####.jordaust.biz':443
- 'op####.jordaust.biz':443
- 'es##.#ordaust.biz':443
- 'ix##.#ordaust.biz':443
- 'ag#####rep.jordaust.biz':443
- 'ow#####wu.jordaust.biz':443
- 'ig##.#ordaust.biz':443
- 'ol#####.jordaust.biz':443
- 'zz######iwa.jordaust.biz':443
- 'yq#####gys.jordaust.biz':443
- 'ov##.#ordaust.biz':443
- 'ef#####.jordaust.biz':443
- 'if######eko.jordaust.biz':443
- 'er#####z.jordaust.biz':443
- 'ez###.jordaust.biz':443
- 'ic####.jordaust.biz':443
- '19#.#3.244.244':443
- 'yq####.jordaust.biz':443
- 'af###.jordaust.biz':443
- '19#.#09.206.212':443
- 'ip##ho.net':80
- '86.#9.21.38':443
- 'ej####.jordaust.biz':443
- 'qg##.#ordaust.biz':443
- 'iq##.#ordaust.biz':443
- '17#.#5.193.9':80
- 'ij###.jordaust.biz':443
- 'ih###.jordaust.biz':443
- 'xj####.jordaust.biz':443
- 'oh#####.jordaust.biz':443
- '15#.35.32.5':443
- 'iv#####bes.jordaust.biz':443
TCP:
HTTP GET requests:
- http://ip##ho.net/plain
UDP:
- DNS ASK ot#####fy.jordaust.biz
- DNS ASK rd#####.jordaust.biz
- DNS ASK ov##.#ordaust.biz
- DNS ASK ix##.#ordaust.biz
- DNS ASK on####.jordaust.biz
- DNS ASK op####.jordaust.biz
- DNS ASK yb#####j.jordaust.biz
- DNS ASK cs######oca.jordaust.biz
- DNS ASK ag#####rep.jordaust.biz
- DNS ASK ow#####wu.jordaust.biz
- DNS ASK ig##.#ordaust.biz
- DNS ASK ol#####.jordaust.biz
- DNS ASK if######eko.jordaust.biz
- DNS ASK yq#####gys.jordaust.biz
- DNS ASK zz######iwa.jordaust.biz
- DNS ASK ef#####.jordaust.biz
- DNS ASK es##.#ordaust.biz
- DNS ASK ic####.jordaust.biz
- DNS ASK er#####z.jordaust.biz
- DNS ASK oh#####.jordaust.biz
- DNS ASK ej####.jordaust.biz
- DNS ASK ip##ho.net
- DNS ASK af###.jordaust.biz
- DNS ASK ez###.jordaust.biz
- DNS ASK yq####.jordaust.biz
- DNS ASK ij###.jordaust.biz
- DNS ASK qg##.#ordaust.biz
- DNS ASK ex######evo.jordaust.biz
- DNS ASK yr#####.jordaust.biz
- DNS ASK iv#####bes.jordaust.biz
- DNS ASK xj####.jordaust.biz
- DNS ASK iq##.#ordaust.biz
- DNS ASK ih###.jordaust.biz
