BackDoor.Maxplus.1427

Техническая информация

Для обеспечения автозапуска и распространения:

Модифицирует следующие ключи реестра:

[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001] 'LibraryPath' = 'mswsock.dll'
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003] 'LibraryPath' = 'mswsock.dll'
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008] 'PackedCatalogItem' = ''

Создает следующие сервисы:

[<HKLM>\SYSTEM\ControlSet001\Services\.ipsec] 'ImagePath' = '\?'

Вредоносные функции:

Внедряет код в

следующие системные процессы:

<SYSTEM32>\winlogon.exe
%WINDIR%\Explorer.EXE

Изменения в файловой системе:

Создает следующие файлы:

%WINDIR%\$NtUninstallKB27979$\4121336045\@
%WINDIR%\$NtUninstallKB27979$\4121336045\cfg.ini
%WINDIR%\$NtUninstallKB27979$\4121336045\Desktop.ini
%WINDIR%\$NtUninstallKB27979$\4121336045\L\alehhooo

Самоудаляется.

Сетевая активность:

Подключается к:

'50.##3.14.173':34354
'76.#9.69.12':34354
'12#.#12.144.112':34354
'69.##8.51.57':34354
'90.##9.10.212':34354
'72.##8.1.135':34354
'65.##.234.158':34354
'70.##2.210.156':34354
'15#.#5.150.148':34354
'75.##.110.229':34354
'63.##9.13.202':34354
'98.##1.30.37':34354
'11#.#00.203.73':34354
'24.##6.152.109':34354
'80.##1.228.220':34354
'67.##4.149.77':34354
'20#.#10.192.10':34354
'97.##.42.228':34354
'99.##.83.176':34354
'24.##1.210.244':34354
'96.##.241.124':34354
'76.#67.87.0':34354
'75.##.109.149':34354
'96.##.166.201':34354
'72.##9.173.90':34354
'98.##2.7.222':34354
'76.##3.232.220':34354
'24.##6.239.3':34354
'98.##.15.250':34354
'50.##.212.118':34354
'74.##7.207.59':34354
'97.##.45.178':34354
'68.#9.66.72':34354
'66.##.211.185':34354
'99.##.234.29':34354
'72.##6.147.122':34354
'76.#08.7.46':34354
'67.##1.64.219':34354
'68.##8.189.22':34354
'68.##.131.182':34354
'75.##.11.170':34354
'98.##.189.79':34354
'19#.#61.135.140':34354
'67.##6.10.217':34354
'68.##7.222.232':34354
'68.##2.68.115':34354
'18#.#9.9.231':34354
'38.##7.70.33':34354
'46.##.14.188':34354
'69.##6.225.0':34354
'71.##.192.59':34354
'76.##.186.139':34354
'50.##9.234.3':34354
'68.##8.166.58':34354
'65.##.170.224':34354
'24.#.166.45':34354
'74.##4.111.212':34354
'81.##3.201.57':34354
'76.##.92.126':34354
'20#.#31.106.105':34354
'24.##.24.180':34354
'15#.#24.149.190':34354
'46.##2.113.220':34354
'75.##0.112.161':34354
'99.#41.94.7':34354
'98.##.130.226':34354
'98.##0.0.134':34354
'76.##.109.203':34354
'76.##9.13.97':34354
'18#.#6.226.11':34354
'24.##4.3.116':34354
'11#.#69.176.151':34354
'99.##.220.186':34354
'24.#9.9.205':34354
'71.##.237.39':34354
'24.##9.42.96':34354
'68.##7.82.215':34354
'24.##1.67.134':34354
'75.##5.50.206':34354
'68.##1.20.25':34354
'24.##8.166.70':34354
'24.##6.230.69':34354
'17#.#.42.123':34354
'24.##9.45.43':34354
'10#.#1.106.231':34354
'10#.#.253.237':34354
'50.#1.22.46':34354
'99.##.209.63':34354
'70.##7.77.137':34354
'76.##8.169.212':34354
'10#.#.225.184':34354
'19#.#09.103.157':34354
'24.##0.136.86':34354
'66.#1.46.71':34354
'24.##.248.214':34354
'68.#1.88.96':34354
'71.#0.8.180':34354
'70.#26.71.5':34354
'67.##0.252.217':34354
'18#.#60.46.184':34354
'72.#2.155.5':34354
'76.#7.29.41':34354
'68.##.166.158':34354
'75.##5.166.57':34354
'87.##1.22.56':34354
'72.##8.60.198':34354
'10#.#0.229.194':34354
'98.##.203.185':34354
'60.##.207.199':34354
'99.##7.52.23':34354
'98.##1.240.192':34354
'76.##.37.189':34354
'76.#88.20.4':34354
'21#.#8.245.70':34354
'89.##8.118.227':34354
'76.##.150.37':34354
'98.##.108.30':34354
'69.##8.95.30':34354
'72.##2.124.78':34354
'12#.#86.142.61':34354
'74.##.234.118':34354
'70.##9.82.15':34354
'68.##3.252.29':34354
'67.##.173.143':34354
'10#.#62.64.116':34354
'17#.#2.176.115':34354
'99.##1.244.96':34354
'76.##.47.108':34354
'72.##1.123.175':34354
'19#.#02.253.71':34354
'50.#.165.42':34354
'71.##.116.138':34354
'69.##2.241.41':34354
'18#.#91.75.219':34354
'98.##7.105.140':34354
'17#.#17.123.151':34354
'17#.#0.143.154':34354
'76.##.253.251':34354
'20#.#61.193.126':34354
'35.##.37.245':34354
'75.##.238.159':34354
'24.##7.198.57':34354
'24.##9.130.88':34354
'11#.#9.209.33':34354
'12#.#23.126.47':34354
'99.#9.12.19':34354
'80.##7.254.95':34354
'98.##8.192.189':34354
'82.##9.18.173':34354
'70.##7.152.179':34354
'24.#02.1.78':34354
'71.##5.9.221':34354
'98.##1.43.227':34354
'76.##0.240.9':34354
'69.##7.199.30':34354
'68.##.95.198':34354
'50.##3.81.53':34354
'18#.#91.249.114':34354
'98.##2.2.106':34354
'71.##9.55.161':34354
'66.##.119.141':34354
'71.##.181.234':34354
'76.##9.114.87':34354
'21#.#9.229.254':34354
'12.##1.150.185':34354
'94.##1.193.176':34354
'68.##0.131.199':34354
'50.#0.78.63':34354
'74.##2.129.7':34354
'18#.#8.13.95':34354
'76.##.46.242':34354
'pr####.fling.com':80
'71.#0.88.32':34354
'76.##1.72.160':34354
'17#.63.1.48':34354
'75.##3.163.61':34354
'67.##7.92.175':34354
'99.#2.0.172':34354
'67.##.173.29':34354
'17#.#34.101.96':34354
'68.#1.7.35':34354
'95.##5.9.166':34354
'85.##6.58.118':34354
'18#.#6.137.133':34354
'68.#.58.112':34354
'68.#95.70.8':34354
'69.##1.48.186':34354
'17#.#98.87.64':34354
'24.#0.30.41':34354
'78.##1.164.81':34354
'72.##1.11.24':34354
'66.##4.42.71':34354
'75.##4.155.211':34354
'18#.#7.140.67':34354
'88.##1.60.33':34354
'70.##5.244.189':34354
'71.##.175.145':34354
'18#.#5.57.16':34354
'98.##7.75.185':34354
'70.##.226.72':34354
'11#.#4.152.60':34354
'12#.#2.44.58':34354
'70.##7.200.139':34354
'72.##1.248.172':34354
'98.##6.209.49':34354
'67.##1.12.124':34354
'71.##.48.193':34354
'17#.#10.192.33':34354
'68.##.232.185':34354
'75.##9.41.25':34354
'18#.#6.44.104':34354
'76.#05.68.2':34354
'67.#6.6.72':34354
'10#.#0.249.4':34354
'91.##7.60.22':34354
'87.#20.1.8':34354
'74.##.253.219':34354
'79.##.100.65':34354
'93.##6.171.123':34354
'19#.#8.85.200':34354
'76.##6.107.182':34354
'98.##5.50.210':34354
'67.##5.98.176':34354
'66.##1.113.249':34354
'65.##4.192.56':34354
'68.##5.51.31':34354
'68.##4.0.241':34354
'12#.#.227.153':34354
'98.##7.24.180':34354
'76.##8.59.68':34354
'24.##.243.45':34354
'69.##8.36.186':34354
'67.##0.140.170':34354
'74.##.159.211':34354
'70.##8.35.115':34354
'50.##3.85.31':34354
'68.##8.92.234':34354
'18#.#10.225.23':34354
'99.##.152.251':34354
'17#.#7.84.38':34354
'17#.#6.8.155':34354
'78.##1.125.30':34354
'74.##4.186.152':34354
'71.##.161.171':34354
'69.##4.111.34':34354
'24.##2.68.184':34354
'96.##.44.160':34354
'71.#5.5.5':34354
'67.##.125.112':34354
'18#.#3.224.175':34354
'17#.#70.152.161':34354
'98.##5.221.185':34354
'68.##.209.94':34354
'69.##2.248.91':34354
'68.##.226.80':34354
'75.##6.124.215':34354
'72.##2.118.17':34354

TCP:

Запросы HTTP GET:

pr####.fling.com/geo/txt/city.php

UDP:

DNS ASK pr####.fling.com
'localhost':752
'8.#.8.8':1035

Технології

Терміни

Навчання

Міфи

Техническая информация

Рекомендации по лечению

Демо бесплатно на 14 дней