BackDoor.Maxplus.1258

Техническая информация

Для обеспечения автозапуска и распространения:

Модифицирует следующие ключи реестра:

[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001] 'LibraryPath' = 'mswsock.dll'
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003] 'LibraryPath' = 'mswsock.dll'
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008] 'PackedCatalogItem' = ''

Создает следующие сервисы:

[<HKLM>\SYSTEM\ControlSet001\Services\.i8042prt] 'ImagePath' = '\?'

Вредоносные функции:

Внедряет код в

следующие системные процессы:

<SYSTEM32>\winlogon.exe
%WINDIR%\Explorer.EXE

Изменения в файловой системе:

Создает следующие файлы:

%WINDIR%\$NtUninstallKB27979$\4121336045\@
%WINDIR%\$NtUninstallKB27979$\4121336045\cfg.ini
%WINDIR%\$NtUninstallKB27979$\4121336045\Desktop.ini
%WINDIR%\$NtUninstallKB27979$\4121336045\L\alehhooo

Сетевая активность:

Подключается к:

'96.##.177.250':34354
'10#.#7.114.220':34354
'74.##.241.236':34354
'74.#95.8.80':34354
'46.##9.85.161':34354
'93.##3.232.62':34354
'19#.#12.115.231':34354
'68.##.133.76':34354
'87.#.49.50':34354
'68.##.155.249':34354
'68.#1.7.35':34354
'71.##.184.95':34354
'83.##5.164.216':34354
'98.##4.215.197':34354
'68.##6.82.90':34354
'94.##9.13.33':34354
'98.##3.197.73':34354
'91.##7.60.22':34354
'98.##5.59.65':34354
'69.##9.23.251':34354
'24.##.55.224':34354
'75.##2.156.145':34354
'75.#1.45.62':34354
'76.##3.90.21':34354
'98.##8.224.160':34354
'67.##9.67.222':34354
'20#.#31.250.149':34354
'98.##3.10.217':34354
'70.##7.186.67':34354
'69.##7.6.245':34354
'74.##.147.192':34354
'77.##3.218.27':34354
'50.##3.144.200':34354
'95.##.93.119':34354
'90.##9.119.96':34354
'98.##6.236.211':34354
'75.#4.9.213':34354
'68.#2.4.108':34354
'64.##1.177.214':34354
'92.#9.131.4':34354
'75.##4.214.32':34354
'21#.#3.107.92':34354
'70.##3.96.87':34354
'68.##1.165.197':34354
'98.##.133.251':34354
'66.##.34.128':34354
'71.##.183.95':34354
'97.##.71.129':34354
'17#.#3.230.0':34354
'69.##.135.98':34354
'72.##8.49.116':34354
'98.##3.139.100':34354
'81.##0.23.232':34354
'24.##.117.127':34354
'71.##7.226.236':34354
'74.##.147.97':34354
'68.##.152.112':34354
'18#.#88.84.233':34354
'89.##.105.113':34354
'71.##.61.113':34354
'68.##0.179.113':34354
'76.##.208.247':34354
'69.##4.185.117':34354
'17#.#06.142.63':34354
'86.##.114.196':34354
'75.##.107.146':34354
'76.##7.15.196':34354
'91.##0.133.75':34354
'75.##.219.151':34354
'99.##9.84.225':34354
'68.##.135.20':34354
'69.##5.222.19':34354
'98.##7.159.28':34354
'72.##4.91.57':34354
'76.##9.151.185':34354
'50.##1.30.56':34354
'67.##2.124.238':34354
'82.##8.65.193':34354
'66.##.15.191':34354
'72.#7.2.150':34354
'72.##9.134.254':34354
'69.##7.212.128':34354
'24.##6.126.5':34354
'17#.#33.152.213':34354
'24.##7.185.44':34354
'21#.#31.21.206':34354
'76.##7.166.254':34354
'68.#8.17.2':34354
'68.##.47.252':34354
'95.##5.35.231':34354
'69.##2.212.226':34354
'72.##0.167.198':34354
'24.##2.196.7':34354
'24.##2.71.254':34354
'75.#5.11.10':34354
'10#.#32.45.9':34354
'68.##5.157.115':34354
'68.#.175.47':34354
'17#.#49.246.48':34354
'76.#14.29.4':34354
'17#.#75.2.45':34354
'81.#5.36.41':34354
'98.##4.246.237':34354
'79.##9.226.168':34354
'14#.#70.233.241':34354
'67.##6.212.249':34354
'18#.#4.186.56':34354
'71.##2.91.13':34354
'98.##3.57.135':34354
'17#.#.81.166':34354
'24.##6.208.199':34354
'70.#.57.141':34354
'78.##0.198.181':34354
'14#.#69.138.247':34354
'98.#99.97.0':34354
'71.##.155.34':34354
'18#.#4.158.31':34354
'10#.#6.206.233':34354
'18#.#6.255.219':34354
'18#.#5.241.181':34354
'67.##3.188.168':34354
'24.##7.132.39':34354
'69.#11.7.41':34354
'71.##0.43.40':34354
'24.#.221.35':34354
'17#.#5.16.219':34354
'70.##8.53.38':34354
'50.##7.10.36':34354
'67.##1.125.216':34354
'71.##.164.168':34354
'17#.#50.36.61':34354
'24.##5.132.143':34354
'72.##1.170.221':34354
'99.##0.197.98':34354
'76.##9.88.68':34354
'69.##.159.54':34354
'68.##4.225.220':34354
'68.#2.65.98':34354
'70.##2.47.33':34354
'10#.#5.164.145':34354
'70.##4.202.141':34354
'94.##9.237.10':34354
'24.##.123.202':34354
'17#.#08.97.129':34354
'15#.#81.155.74':34354
'70.#3.26.2':34354
'71.##4.20.142':34354
'69.##4.100.158':34354
'12.##1.24.219':34354
'17#.#6.139.153':34354
'24.##.116.142':34354
'69.##2.84.142':34354
'75.##5.182.10':34354
'72.##3.58.45':34354
'10#.#30.229.194':34354
'82.##6.26.148':34354
'17#.#97.59.48':34354
'68.##.83.149':34354
'24.##9.96.18':34354
'89.#6.28.25':34354
'18#.#14.223.102':34354
'69.##3.246.5':34354
'24.##9.13.208':34354
'79.##5.56.254':34354
'93.##8.34.73':34354
'24.#1.70.68':34354
'17#.#.198.169':34354
'89.##.170.232':34354
'79.##6.75.51':34354
'76.##5.75.125':34354
'76.##.16.166':34354
'pr####.fling.com':80
'10#.#0.249.4':34354
'50.##.97.249':34354
'41.##.189.155':34354
'93.##4.252.74':34354
'68.#9.8.111':34354
'72.##3.100.188':34354
'17#.#3.234.171':34354
'98.##4.22.255':34354
'76.##1.177.206':34354
'10#.#.99.166':34354
'98.##6.79.247':34354
'75.##.169.162':34354
'10#.#2.157.154':34354
'68.##.84.223':34354
'17#.#17.226.82':34354
'98.##1.132.30':34354
'75.##.25.245':34354
'68.##.175.211':34354
'24.##.119.202':34354
'20#.#78.24.28':34354
'18#.#49.69.31':34354
'24.##6.52.49':34354
'70.##0.58.219':34354
'79.##4.167.60':34354
'68.##0.162.246':34354
'98.##6.125.223':34354
'98.##6.21.249':34354
'21#.#51.30.158':34354
'91.##6.196.167':34354
'17#.#10.198.64':34354
'76.##.206.191':34354
'75.##5.243.39':34354
'17#.#74.17.124':34354
'17#.#9.20.84':34354
'10#.#30.35.97':34354
'46.##.34.108':34354
'17#.#2.162.246':34354
'24.##0.153.78':34354
'69.##6.46.30':34354
'12#.#6.112.34':34354
'76.##6.14.186':34354
'68.##.111.86':34354
'70.##7.35.24':34354
'24.#3.0.28':34354
'71.#5.73.27':34354
'17#.#09.210.151':34354
'68.#.67.170':34354
'18#.#12.192.42':34354
'96.##.144.217':34354
'89.##6.253.179':34354
'17#.#02.252.223':34354
'98.##.185.170':34354
'67.##7.7.171':34354
'98.##2.162.67':34354
'68.#.131.233':34354
'91.##3.66.142':34354
'93.#02.2.56':34354
'88.##5.125.21':34354
'10#.#30.137.163':34354
'10#.#01.161.189':34354
'76.#1.78.92':34354
'69.##3.136.12':34354
'96.##.237.177':34354
'68.#3.10.5':34354
'96.##0.156.75':34354
'74.##.180.48':34354
'83.##3.160.197':34354
'68.##.239.249':34354
'76.##9.59.143':34354
'68.##0.13.96':34354
'98.##3.30.77':34354
'87.##.130.223':34354
'75.##2.47.237':34354
'74.##.12.147':34354
'69.##6.178.230':34354
'68.##3.222.149':34354
'41.##2.156.198':34354
'18#.#75.54.119':34354
'64.##.195.204':34354
'11#.#40.113.153':34354
'24.##7.41.106':34354
'19#.#9.51.169':34354
'90.##4.83.23':34354
'93.#5.33.70':34354
'17#.#.36.221':34354

TCP:

Запросы HTTP GET:

pr####.fling.com/geo/txt/city.php

UDP:

DNS ASK pr####.fling.com
'localhost':752
'8.#.8.8':1035

Технології

Терміни

Навчання

Міфи

Техническая информация

Рекомендации по лечению

Демо бесплатно на 14 дней