BackDoor.Maxplus.563

Техническая информация

Для обеспечения автозапуска и распространения:

Модифицирует следующие ключи реестра:

[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001] 'LibraryPath' = 'mswsock.dll'
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003] 'LibraryPath' = 'mswsock.dll'
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008] 'PackedCatalogItem' = ''

Создает следующие сервисы:

[<HKLM>\SYSTEM\ControlSet001\Services\.ipsec] 'ImagePath' = '\*'

Вредоносные функции:

Внедряет код в

следующие системные процессы:

<SYSTEM32>\winlogon.exe
%WINDIR%\Explorer.EXE

Изменения в файловой системе:

Создает следующие файлы:

%WINDIR%\$NtUninstallKB27979$\4121336045\cfg.ini
%WINDIR%\$NtUninstallKB27979$\4121336045\@
%WINDIR%\$NtUninstallKB27979$\4121336045\Desktop.ini
%WINDIR%\$NtUninstallKB27979$\4121336045\L\alehhooo

Сетевая активность:

Подключается к:

'17#.#0.102.30':34354
'71.##.236.97':34354
'71.##3.129.71':34354
'16#.#32.33.111':34354
'17#.#.149.184':34354
'24.##9.40.211':34354
'74.##4.71.251':34354
'70.##4.209.230':34354
'67.##1.131.86':34354
'98.##6.201.31':34354
'70.##0.160.5':34354
'18#.#22.153.192':34354
'41.##9.248.5':34354
'74.##7.4.237':34354
'71.##.241.95':34354
'65.##5.126.95':34354
'76.##.95.112':34354
'17#.#0.36.79':34354
'67.##6.110.115':34354
'68.##8.210.81':34354
'17#.#08.100.139':34354
'19#.#3.179.93':34354
'15#.#81.155.156':34354
'69.##6.99.140':34354
'50.#1.45.15':34354
'17#.#07.236.124':34354
'66.##5.221.213':34354
'10#.#08.34.202':34354
'17#.#8.123.228':34354
'17#.#09.141.101':34354
'24.##3.176.129':34354
'85.##1.201.242':34354
'74.##2.116.51':34354
'24.##7.147.64':34354
'20#.#29.52.121':34354
'66.##.150.112':34354
'72.##9.239.228':34354
'98.##.48.128':34354
'72.##9.162.116':34354
'68.##.142.39':34354
'98.##6.62.20':34354
'18#.#.111.25':34354
'17#.#0.48.63':34354
'71.##7.36.82':34354
'68.#.236.153':34354
'71.##.149.194':34354
'18#.#8.49.231':34354
'50.##6.34.43':34354
'76.##7.166.42':34354
'63.##1.237.194':34354
'11#.#46.215.93':34354
'76.##0.222.190':34354
'76.##8.223.105':34354
'69.##.22.125':34354
'24.#8.80.77':34354
'17#.#9.44.145':34354
'69.##3.28.138':34354
'97.##.138.108':34354
'19#.#01.27.160':34354
'24.#.233.13':34354
'17#.#9.159.176':34354
'74.##.203.138':34354
'76.##.249.224':34354
'21#.#02.82.90':34354
'24.##.153.231':34354
'68.##.212.22':34354
'99.##5.160.241':34354
'65.##4.196.180':34354
'24.##7.198.174':34354
'74.##1.100.220':34354
'72.##3.70.245':34354
'76.##9.5.230':34354
'20#.#43.165.222':34354
'24.##6.119.234':34354
'10#.#46.243.30':34354
'68.##.179.27':34354
'98.##8.45.234':34354
'24.#7.5.240':34354
'20#.#08.107.210':34354
'50.##6.86.190':34354
'72.##9.101.173':34354
'68.##3.201.49':34354
'66.##.90.127':34354
'24.##.201.61':34354
'24.##.171.205':34354
'71.##9.117.142':34354
'46.##.24.181':34354
'17#.#34.228.239':34354
'79.##3.183.96':34354
'17#.#17.200.125':34354
'24.##3.72.135':34354
'99.##.189.227':34354
'66.##6.88.232':34354
'75.##.62.176':34354
'76.##.227.135':34354
'10#.4.31.88':34354
'69.##2.198.68':34354
'76.##.123.28':34354
'69.##4.198.116':34354
'98.##8.141.23':34354
'68.##8.96.244':34354
'72.##0.104.114':34354
'71.##.69.242':34354
'68.##2.127.170':34354
'24.##6.199.236':34354
'76.##6.154.83':34354
'71.##.234.148':34354
'70.##.184.127':34354
'97.##.54.218':34354
'71.##.179.119':34354
'17#.#7.59.28':34354
'68.#3.41.63':34354
'75.#4.5.198':34354
'79.##7.105.38':34354
'74.##8.54.236':34354
'68.##.161.202':34354
'18#.#89.87.180':34354
'50.##.178.109':34354
'74.##3.132.138':34354
'69.##0.237.210':34354
'41.#6.66.29':34354
'76.##.196.172':34354
'68.##.240.85':34354
'69.##8.224.50':34354
'92.##.148.214':34354
'98.##7.151.80':34354
'74.##2.200.5':34354
'98.##9.29.100':34354
'24.##.53.179':34354
'74.##3.137.14':34354
'98.##6.197.197':34354
'72.##3.195.56':34354
'76.##.190.152':34354
'97.##.47.127':34354
'76.#1.7.122':34354
'76.##9.201.111':34354
'24.##.106.250':34354
'75.##2.182.90':34354
'20#.#40.113.103':34354
'17#.#06.165.2':34354
'76.##7.34.108':34354
'76.##2.126.54':34354
'86.##6.192.135':34354
'98.##.83.180':34354
'74.##.191.80':34354
'68.#9.93.86':34354
'71.##6.190.232':34354
'67.##1.248.22':34354
'24.##.154.129':34354
'98.##3.119.9':34354
'68.##.144.161':34354
'71.##.41.233':34354
'74.##.24.148':34354
'97.##4.58.196':34354
'71.##.112.76':34354
'67.##6.96.243':34354
'24.##0.159.62':34354
'24.##.105.66':34354
'24.##6.139.71':34354
'24.#4.7.114':34354
'71.##4.242.182':34354
'19#.#7.208.66':34354
'69.##1.159.55':34354
'68.##2.68.141':34354
'74.##0.224.186':34354
'70.##8.125.86':34354
'85.##5.21.204':34354
'68.##8.184.28':34354
'76.##.226.164':34354
'71.##9.174.10':34354
'98.##8.181.44':34354
'localhost':80
'24.##2.196.7':34354
'74.#3.9.217':34354
'17#.#6.69.211':34354
'17#.#58.73.93':34354
'98.##3.83.116':34354
'50.##9.58.136':34354
'18#.#27.101.155':34354
'24.##.25.212':34354
'69.##2.101.170':34354
'46.##.238.185':34354
'76.##.164.227':34354
'70.##2.186.146':34354
'75.##.11.170':34354
'76.##7.161.107':34354
'75.##.143.197':34354
'98.#0.77.82':34354
'19#.#8.85.200':34354
'19#.#89.113.169':34354
'17#.#9.179.159':34354
'76.##6.41.27':34354
'24.##7.54.150':34354
'50.##.201.37':34354
'99.##6.252.48':34354
'24.##.195.128':34354
'24.#.121.246':34354
'24.#.217.33':34354
'17#.#2.232.89':34354
'75.#.228.54':34354
'76.##.239.183':34354
'18#.#7.197.9':34354
'68.##6.13.71':34354
'98.##1.61.19':34354
'10#.3.71.43':34354
'66.##.213.106':34354
'75.##.172.191':34354
'98.##3.5.250':34354
'17#.#18.77.16':34354
'17#.#1.55.227':34354
'98.##2.187.228':34354
'71.##.160.235':34354
'17#.#01.39.11':34354
'98.##1.250.18':34354
'67.##1.107.182':34354
'68.##7.47.18':34354
'76.#9.79.9':34354
'99.##4.11.109':34354
'74.##.144.156':34354
'76.##5.246.25':34354
'72.##9.35.177':34354
'17#.#4.132.249':34354
'76.##2.208.196':34354
'69.##6.94.110':34354
'75.##4.1.219':34354
'71.##.56.173':34354
'90.##9.40.70':34354
'76.##2.228.92':34354
'67.#3.30.57':34354
'75.#3.108.6':34354
'98.##.216.48':34354
'98.##9.252.227':34354
'18#.#6.49.116':34354
'24.##.150.35':34354
'75.##6.89.192':34354
'24.##9.38.129':34354
'76.##9.45.95':34354
'18#.93.46.8':34354
'84.##1.150.82':34354
'98.##.181.156':34354
'19#.#3.224.205':34354
'76.##6.69.252':34354
'24.##.198.161':34354
'96.##.35.219':34354
'24.##4.132.83':34354
'69.##.220.120':34354
'74.##1.203.166':34354
'17#.#09.139.251':34354
'75.##3.3.103':34354
'67.#.33.140':34354
'76.##0.163.202':34354
'66.##2.205.243':34354
'76.##3.21.151':34354
'18#.#1.167.192':34354
'99.##.52.217':34354
'75.##.114.191':34354
'24.##1.49.70':34354

TCP:

Запросы HTTP GET:

nw##bpes.cn/stat2.php?&a################
nw##bpes.cn/stat2.php?&a#################

Технології

Терміни

Навчання

Міфи

Техническая информация

Рекомендации по лечению

Демо бесплатно на 14 дней