Trojan.DownLoader23.48518

Technical Information

To ensure autorun and distribution:

Modifies the following registry keys:

[<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'Filtering Trap Engine Socket Profile' = '<SYSTEM32>\jlmdvthlnfs.exe'

Creates the following services:

[<HKLM>\SYSTEM\ControlSet001\Services\Software Receiver Extender Call Initiator] 'ImagePath' = '<SYSTEM32>\jlmdvthlnfs.exe'
[<HKLM>\SYSTEM\ControlSet001\Services\Software Receiver Extender Call Initiator] 'Start' = '00000002'

Malicious functions:

To complicate detection of its presence in the operating system,

blocks the following features:

Windows Security Center

Executes the following:

'<SYSTEM32>\awniedk.exe' "<SYSTEM32>\jlmdvthlnfs.exe"
'%WINDIR%\Temp\vz8o9qj2rgaql6.exe' -r 29989 tcp
'%TEMP%\vz8o9qj2i9kql6icukmtx.exe'
'<SYSTEM32>\jlmdvthlnfs.exe'

Modifies file system:

Creates the following files:

<SYSTEM32>\omtpmmchhfvm\run
<SYSTEM32>\omtpmmchhfvm\rng
%WINDIR%\Temp\vz8o9qj2rgaql6.exe
<SYSTEM32>\omtpmmchhfvm\cfg
<SYSTEM32>\awniedk.exe
%TEMP%\vz8o9qj2i9kql6icukmtx.exe
<SYSTEM32>\omtpmmchhfvm\tst
<SYSTEM32>\jlmdvthlnfs.exe
<SYSTEM32>\omtpmmchhfvm\etc

Sets the 'hidden' attribute to the following files:

<SYSTEM32>\awniedk.exe
<SYSTEM32>\jlmdvthlnfs.exe

Deletes the following files:

%WINDIR%\Temp\vz8o9qj2rgaql6.exe
<DRIVERS>\etc\hosts
%TEMP%\vz8o9qj2i9kql6icukmtx.exe

Substitutes the HOSTS file.

Network activity:

Connects to:

'yo###ook.net':80
'tr###come.net':80
'tr###took.net':80
'tr###weight.net':80
'yo###eight.net':80
'lr###weight.net':80
'vi###eight.net':80
'yo###erve.net':80
'yo###ome.net':80
'tr###nerve.net':80
'ta###ives.net':80
'wa###aste.net':80
'ta###aste.net':80
'mu###ives.net':80
'mu###llow.net':80
'pi###gives.net':80
'ta###llow.net':80
'wa###ives.net':80
'wa###llow.net':80
'wa###arth.net':80
'ta###arth.net':80
'lr###took.net':80
'le###weight.net':80
'se###took.net':80
'se###weight.net':80
'pl###nerve.net':80
'fi###erve.net':80
'se###nerve.net':80
'le###nerve.net':80
'le###come.net':80
'le###took.net':80
'se###come.net':80
'fi###ome.net':80
'lr###nerve.net':80
'vi###erve.net':80
'vi###ome.net':80
'vi###ook.net':80
'lr###come.net':80
'fi###ook.net':80
'pl###come.net':80
'pl###took.net':80
'pl###weight.net':80
'fi###eight.net':80
'pi###allow.net':80
'fi###ives.net':80
'se###taste.net':80
'pl###gives.net':80
'pl###allow.net':80
'fi###llow.net':80
'se###allow.net':80
'le###allow.net':80
'le###earth.net':80
'le###taste.net':80
'se###earth.net':80
'fi###arth.net':80
'de###lxc.com':80
'vi###llow.net':80
'be##lxc.com':80
'ri###nstorm.net':80
'af###sllc.com':80
'fi###aste.net':80
'pl###earth.net':80
'pl###taste.net':80
'lr###gives.net':80
'vi###ives.net':80
'se###gives.net':80
've###llow.net':80
'we###ives.net':80
'we###llow.net':80
'we###arth.net':80
've###arth.net':80
'pi###earth.net':80
'mu###arth.net':80
'mu###aste.net':80
've###ives.net':80
'pi###taste.net':80
've###aste.net':80
'to###arth.net':80
'fa###arth.net':80
'fa###aste.net':80
'le###gives.net':80
'to###aste.net':80
'fa###ives.net':80
'we###aste.net':80
'to###ives.net':80
'to###llow.net':80
'fa###llow.net':80

TCP:

HTTP GET requests:

http://yo###ook.net/index.php
http://tr###come.net/index.php
http://tr###took.net/index.php
http://tr###weight.net/index.php
http://yo###eight.net/index.php
http://lr###weight.net/index.php
http://vi###eight.net/index.php
http://yo###erve.net/index.php
http://yo###ome.net/index.php
http://tr###nerve.net/index.php
http://ta###ives.net/index.php
http://wa###aste.net/index.php
http://ta###aste.net/index.php
http://mu###ives.net/index.php
http://mu###llow.net/index.php
http://pi###gives.net/index.php
http://ta###llow.net/index.php
http://wa###ives.net/index.php
http://wa###llow.net/index.php
http://wa###arth.net/index.php
http://ta###arth.net/index.php
http://lr###took.net/index.php
http://le###weight.net/index.php
http://se###took.net/index.php
http://se###weight.net/index.php
http://pl###nerve.net/index.php
http://fi###erve.net/index.php
http://se###nerve.net/index.php
http://le###nerve.net/index.php
http://le###come.net/index.php
http://le###took.net/index.php
http://se###come.net/index.php
http://fi###ome.net/index.php
http://lr###nerve.net/index.php
http://vi###erve.net/index.php
http://vi###ome.net/index.php
http://vi###ook.net/index.php
http://lr###come.net/index.php
http://fi###ook.net/index.php
http://pl###come.net/index.php
http://pl###took.net/index.php
http://pl###weight.net/index.php
http://fi###eight.net/index.php
http://pi###allow.net/index.php
http://fi###ives.net/index.php
http://se###taste.net/index.php
http://pl###gives.net/index.php
http://pl###allow.net/index.php
http://fi###llow.net/index.php
http://se###allow.net/index.php
http://le###allow.net/index.php
http://le###earth.net/index.php
http://le###taste.net/index.php
http://se###earth.net/index.php
http://fi###arth.net/index.php
http://de###lxc.com/index.php
http://vi###llow.net/index.php
http://be##lxc.com/index.php
http://ri###nstorm.net/index.php
http://af###sllc.com/index.php
http://fi###aste.net/index.php
http://pl###earth.net/index.php
http://pl###taste.net/index.php
http://lr###gives.net/index.php
http://vi###ives.net/index.php
http://se###gives.net/index.php
http://ve###llow.net/index.php
http://we###ives.net/index.php
http://we###llow.net/index.php
http://we###arth.net/index.php
http://ve###arth.net/index.php
http://pi###earth.net/index.php
http://mu###arth.net/index.php
http://mu###aste.net/index.php
http://ve###ives.net/index.php
http://pi###taste.net/index.php
http://ve###aste.net/index.php
http://to###arth.net/index.php
http://fa###arth.net/index.php
http://fa###aste.net/index.php
http://le###gives.net/index.php
http://to###aste.net/index.php
http://fa###ives.net/index.php
http://we###aste.net/index.php
http://to###ives.net/index.php
http://to###llow.net/index.php
http://fa###llow.net/index.php

UDP:

DNS ASK tr###took.net
DNS ASK yo###ook.net
DNS ASK yo###eight.net
DNS ASK ta###ives.net
DNS ASK tr###weight.net
DNS ASK tr###come.net
DNS ASK lr###weight.net
DNS ASK vi###eight.net
DNS ASK yo###erve.net
DNS ASK yo###ome.net
DNS ASK tr###nerve.net
DNS ASK mu###ives.net
DNS ASK wa###aste.net
DNS ASK pi###gives.net
DNS ASK pi###allow.net
DNS ASK mu###llow.net
DNS ASK ta###aste.net
DNS ASK ta###llow.net
DNS ASK wa###ives.net
DNS ASK wa###llow.net
DNS ASK wa###arth.net
DNS ASK ta###arth.net
DNS ASK se###weight.net
DNS ASK le###weight.net
DNS ASK fi###erve.net
DNS ASK fi###ome.net
DNS ASK pl###nerve.net
DNS ASK se###took.net
DNS ASK se###nerve.net
DNS ASK le###nerve.net
DNS ASK le###come.net
DNS ASK le###took.net
DNS ASK se###come.net
DNS ASK vi###ome.net
DNS ASK lr###nerve.net
DNS ASK lr###come.net
DNS ASK lr###took.net
DNS ASK vi###ook.net
DNS ASK vi###erve.net
DNS ASK fi###ook.net
DNS ASK pl###come.net
DNS ASK pl###took.net
DNS ASK pl###weight.net
DNS ASK fi###eight.net
DNS ASK fi###ives.net
DNS ASK se###taste.net
DNS ASK pl###gives.net
DNS ASK pl###allow.net
DNS ASK fi###llow.net
DNS ASK se###allow.net
DNS ASK le###allow.net
DNS ASK le###earth.net
DNS ASK le###taste.net
DNS ASK se###earth.net
DNS ASK fi###arth.net
DNS ASK de###lxc.com
DNS ASK vi###llow.net
DNS ASK be##lxc.com
DNS ASK ri###nstorm.net
DNS ASK af###sllc.com
DNS ASK fi###aste.net
DNS ASK pl###earth.net
DNS ASK pl###taste.net
DNS ASK lr###gives.net
DNS ASK vi###ives.net
DNS ASK se###gives.net
DNS ASK ve###llow.net
DNS ASK we###ives.net
DNS ASK we###llow.net
DNS ASK we###arth.net
DNS ASK ve###arth.net
DNS ASK pi###earth.net
DNS ASK mu###arth.net
DNS ASK mu###aste.net
DNS ASK ve###ives.net
DNS ASK pi###taste.net
DNS ASK ve###aste.net
DNS ASK to###arth.net
DNS ASK fa###arth.net
DNS ASK fa###aste.net
DNS ASK le###gives.net
DNS ASK to###aste.net
DNS ASK fa###ives.net
DNS ASK we###aste.net
DNS ASK to###ives.net
DNS ASK to###llow.net
DNS ASK fa###llow.net
'23#.#55.255.250':1900

Технології

Терміни

Навчання

Міфи

Technical Information

Рекомендации по лечению

Демо бесплатно на 14 дней