Trojan.DownLoader26.54305

Technical Information

To ensure autorun and distribution:

Creates or modifies the following files:

%WINDIR%\Tasks\ZB20DCImbe4Yvtz.job

Creates the following services:

[<HKLM>\SYSTEM\ControlSet001\Services\EBC8360psDNVz] 'Start' = '00000002'
[<HKLM>\SYSTEM\ControlSet001\Services\EBC8360psDNVz] 'ImagePath' = '<Current directory>\EBC8360psDN.exe .PleaseDoNotReportMe'

Malicious functions:

Executes the following:

'<SYSTEM32>\net.exe' stop sqlbrowsers
'<SYSTEM32>\net.exe' stop WinRDPSvc
'<SYSTEM32>\net.exe' stop RpcEptManger
'<SYSTEM32>\net.exe' stop Samserver
'<SYSTEM32>\net.exe' stop eccm
'<SYSTEM32>\net.exe' stop WSService
'<SYSTEM32>\net.exe' stop Googler
'<SYSTEM32>\net.exe' stop MsUpdateServiceD
'<SYSTEM32>\net.exe' stop TaskNetHost
'<SYSTEM32>\net.exe' stop reg
'<SYSTEM32>\net.exe' stop Service4
'<SYSTEM32>\net.exe' stop sqlservrd
'<SYSTEM32>\net.exe' stop LocalConnectXdc
'<SYSTEM32>\net.exe' stop WindowsDefender
'<SYSTEM32>\net.exe' stop AdobeFlashPlayerHash
'<SYSTEM32>\net.exe' stop RegGroom
'<SYSTEM32>\net.exe' stop LanmanServersetes

Injects code into

the following system processes:

%WINDIR%\XXInstall\ps.exe

Modifies file system:

Creates the following files:

<Current directory>\EBC8360psDN.exe

Sets the 'hidden' attribute to the following files:

<Current directory>\EBC8360psDN.exe

Deletes the following files:

<Full path to file>

Network activity:

Connects to:

'21#.#3.190.122':888
'po##.#upportxmr.com':3333
'po##.#upportxmr.com':5555
'po##.#upportxmr.com':80
'po##.#upportxmr.com':8080
'21#.#32.25.156':3333
'21#.#32.25.156':5555
'21#.#32.25.156':80
'21#.#32.25.156':8080

UDP:

DNS ASK po##.#upportxmr.com

Miscellaneous:

Creates and executes the following:

'<Current directory>\EBC8360psDN.exe' .PleaseDoNotReportMe

Executes the following:

'<SYSTEM32>\cmd.exe' /c <SYSTEM32>\schtasks.exe /Delete /TN * /F >nul 2>&1
'<SYSTEM32>\net1.exe' stop RpcEptManger
'<SYSTEM32>\cmd.exe' /c net stop RpcEptManger
'<SYSTEM32>\cmd.exe' /c %comspec% /c net stop RpcEptManger >nul 2>&1
'<SYSTEM32>\sc.exe' config Samserver start= Disabled
'<SYSTEM32>\cmd.exe' /c sc config Samserver start= Disabled
'<SYSTEM32>\cmd.exe' /c %comspec% /c sc config Samserver start= Disabled >nul 2>&1
'<SYSTEM32>\net1.exe' stop Samserver
'<SYSTEM32>\cmd.exe' /c net stop Samserver
'<SYSTEM32>\cmd.exe' /c %comspec% /c net stop Samserver >nul 2>&1
'<SYSTEM32>\sc.exe' config eccm start= Disabled
'<SYSTEM32>\cmd.exe' /c sc config eccm start= Disabled
'<SYSTEM32>\cmd.exe' /c %comspec% /c sc config eccm start= Disabled >nul 2>&1
'<SYSTEM32>\net1.exe' stop eccm
'<SYSTEM32>\cmd.exe' /c %comspec% /c sc config TaskNetHost start= Disabled >nul 2>&1
'<SYSTEM32>\cmd.exe' /c net stop eccm
'<SYSTEM32>\sc.exe' config WSService start= Disabled
'<SYSTEM32>\cmd.exe' /c sc config WSService start= Disabled
'<SYSTEM32>\cmd.exe' /c %comspec% /c sc config WSService start= Disabled >nul 2>&1
'<SYSTEM32>\net1.exe' stop WSService
'<SYSTEM32>\cmd.exe' /c net stop WSService
'<SYSTEM32>\cmd.exe' /c %comspec% /c net stop WSService >nul 2>&1
'<SYSTEM32>\sc.exe' config Googler start= Disabled
'<SYSTEM32>\cmd.exe' /c sc config Googler start= Disabled
'<SYSTEM32>\cmd.exe' /c %comspec% /c sc config Googler start= Disabled >nul 2>&1
'<SYSTEM32>\net1.exe' stop Googler
'<SYSTEM32>\cmd.exe' /c net stop Googler
'<SYSTEM32>\cmd.exe' /c %comspec% /c net stop Googler >nul 2>&1
'<SYSTEM32>\sc.exe' config TaskNetHost start= Disabled
'<SYSTEM32>\cmd.exe' /c %comspec% /c net stop eccm >nul 2>&1
'<SYSTEM32>\cmd.exe' /c sc config TaskNetHost start= Disabled
'<SYSTEM32>\cmd.exe' /c %comspec% /c sc config RpcEptManger start= Disabled >nul 2>&1
'<SYSTEM32>\cmd.exe' /c sc config WinDefend start= disabled
'<SYSTEM32>\cmd.exe' /c %comspec% /c sc config WMIUpdateService start= Disabled >nul 2>&1
'<SYSTEM32>\net1.exe' stop WMIUpdateService
'%WINDIR%\XXInstall\ps.exe' stop WMIUpdateService
'<SYSTEM32>\cmd.exe' /c net stop WMIUpdateService
'<SYSTEM32>\sc.exe' config LanmanServersetes start= Disabled
'<SYSTEM32>\cmd.exe' /c sc config LanmanServersetes start= Disabled
'<SYSTEM32>\cmd.exe' /c %comspec% /c sc config LanmanServersetes start= Disabled >nul 2>&1
'<SYSTEM32>\net1.exe' stop LanmanServersetes
'<SYSTEM32>\cmd.exe' /c net stop LanmanServersetes
'<SYSTEM32>\cmd.exe' /c %comspec% /c net stop LanmanServersetes >nul 2>&1
'<SYSTEM32>\sc.exe' stop WinDefend
'<SYSTEM32>\cmd.exe' /c sc stop WinDefend
'<SYSTEM32>\cmd.exe' /c %comspec% /c sc stop WinDefend >nul 2>&1
'<SYSTEM32>\sc.exe' config RpcEptManger start= Disabled
'<SYSTEM32>\cmd.exe' /c sc config RpcEptManger start= Disabled
'<SYSTEM32>\cmd.exe' /c %comspec% /c sc config WinDefend start= disabled >nul 2>&1
'<SYSTEM32>\sc.exe' config MsUpdateServiceD start= Disabled
'<SYSTEM32>\cmd.exe' /c sc config MsUpdateServiceD start= Disabled
'<SYSTEM32>\cmd.exe' /c %comspec% /c sc config MsUpdateServiceD start= Disabled >nul 2>&1
'<SYSTEM32>\net1.exe' stop MsUpdateServiceD
'<SYSTEM32>\cmd.exe' /c net stop MsUpdateServiceD
'<SYSTEM32>\cmd.exe' /c %comspec% /c net stop MsUpdateServiceD >nul 2>&1
'<SYSTEM32>\sc.exe' config WinRDPSvc start= Disabled
'<SYSTEM32>\cmd.exe' /c sc config WinRDPSvc start= Disabled
'<SYSTEM32>\cmd.exe' /c %comspec% /c sc config WinRDPSvc start= Disabled >nul 2>&1
'<SYSTEM32>\net1.exe' stop WinRDPSvc
'<SYSTEM32>\cmd.exe' /c net stop WinRDPSvc
'<SYSTEM32>\cmd.exe' /c %comspec% /c net stop WinRDPSvc >nul 2>&1
'<SYSTEM32>\sc.exe' config WinDefend start= disabled
'<SYSTEM32>\net1.exe' stop TaskNetHost
'<SYSTEM32>\cmd.exe' /c net stop TaskNetHost
'<SYSTEM32>\cmd.exe' /c %comspec% /c net stop TaskNetHost >nul 2>&1
'<SYSTEM32>\cmd.exe' /c sc config WindowsDefender start= Disabled
'<SYSTEM32>\cmd.exe' /c %comspec% /c sc config WindowsDefender start= Disabled >nul 2>&1
'<SYSTEM32>\net1.exe' stop WindowsDefender
'<SYSTEM32>\cmd.exe' /c net stop WindowsDefender
'<SYSTEM32>\cmd.exe' /c %comspec% /c net stop WindowsDefender >nul 2>&1
'<SYSTEM32>\sc.exe' config AdobeFlashPlayerHash start= Disabled
'<SYSTEM32>\cmd.exe' /c sc config AdobeFlashPlayerHash start= Disabled
'<SYSTEM32>\cmd.exe' /c %comspec% /c sc config AdobeFlashPlayerHash start= Disabled >nul 2>&1
'<SYSTEM32>\net1.exe' stop AdobeFlashPlayerHash
'<SYSTEM32>\cmd.exe' /c net stop AdobeFlashPlayerHash
'<SYSTEM32>\cmd.exe' /c %comspec% /c net stop AdobeFlashPlayerHash >nul 2>&1
'<SYSTEM32>\sc.exe' delete sqlbrowsers
'<SYSTEM32>\cmd.exe' /c %comspec% /c net stop LocalConnectXdc >nul 2>&1
'<SYSTEM32>\cmd.exe' /c sc delete sqlbrowsers
'<SYSTEM32>\sc.exe' config sqlbrowsers start= Disabled
'<SYSTEM32>\cmd.exe' /c sc config sqlbrowsers start= Disabled
'<SYSTEM32>\schtasks.exe' /Create /tn ZB20DCImbe4Yvtz /tr "<Current directory>\EBC8360psDN.exe" /sc HOURLY /mo 3 /st 00:00:00 /ru SYSTEM
'<SYSTEM32>\cmd.exe' /c %comspec% /c sc config sqlbrowsers start= Disabled >nul 2>&1
'<SYSTEM32>\cmd.exe' /c <SYSTEM32>\schtasks.exe /Create /tn ZB20DCImbe4Yvtz /tr "<Current directory>\EBC8360psDN.exe" /sc HOURLY /mo 3 /st 00:00:00 /ru SYSTEM >nul 2>&1
'<SYSTEM32>\cmd.exe' /c echo Y
'<SYSTEM32>\net1.exe' stop sqlbrowsers
'<SYSTEM32>\schtasks.exe' /Delete /TN *
'<SYSTEM32>\cmd.exe' /c start /b /min <SYSTEM32>\cmd.exe /c echo Y
'<SYSTEM32>\cmd.exe' /c %comspec% /c start /b /min %comspec% /c echo Y|<SYSTEM32>\schtasks.exe /Delete /TN * >nul 2>&1
'<SYSTEM32>\cmd.exe' /c net stop sqlbrowsers
'<SYSTEM32>\schtasks.exe' /Delete /TN * /F
'<SYSTEM32>\cmd.exe' /c %comspec% /c net stop sqlbrowsers >nul 2>&1
'<SYSTEM32>\cmd.exe' /c %comspec% /c sc delete sqlbrowsers >nul 2>&1
'<SYSTEM32>\cmd.exe' /c net stop LocalConnectXdc
'<SYSTEM32>\sc.exe' config WindowsDefender start= Disabled
'<SYSTEM32>\net1.exe' stop LocalConnectXdc
'<SYSTEM32>\sc.exe' config RegGroom start= Disabled
'<SYSTEM32>\cmd.exe' /c %comspec% /c sc config Service4 start= Disabled >nul 2>&1
'<SYSTEM32>\cmd.exe' /c sc config RegGroom start= Disabled
'<SYSTEM32>\cmd.exe' /c %comspec% /c sc config RegGroom start= Disabled >nul 2>&1
'<SYSTEM32>\net1.exe' stop RegGroom
'<SYSTEM32>\cmd.exe' /c net stop RegGroom
'<SYSTEM32>\cmd.exe' /c %comspec% /c net stop RegGroom >nul 2>&1
'<SYSTEM32>\sc.exe' config reg start= Disabled
'<SYSTEM32>\cmd.exe' /c sc config reg start= Disabled
'<SYSTEM32>\cmd.exe' /c %comspec% /c sc config reg start= Disabled >nul 2>&1
'<SYSTEM32>\net1.exe' stop reg
'<SYSTEM32>\cmd.exe' /c net stop reg
'<SYSTEM32>\cmd.exe' /c %comspec% /c net stop reg >nul 2>&1
'<SYSTEM32>\sc.exe' config Service4 start= Disabled
'<SYSTEM32>\cmd.exe' /c sc config Service4 start= Disabled
'<SYSTEM32>\net1.exe' stop Service4
'<SYSTEM32>\cmd.exe' /c %comspec% /c sc config LocalConnectXdc start= Disabled >nul 2>&1
'<SYSTEM32>\cmd.exe' /c net stop Service4
'<SYSTEM32>\cmd.exe' /c %comspec% /c net stop Service4 >nul 2>&1
'<SYSTEM32>\sc.exe' delete sqlservrd
'<SYSTEM32>\cmd.exe' /c sc delete sqlservrd
'<SYSTEM32>\cmd.exe' /c %comspec% /c sc delete sqlservrd >nul 2>&1
'<SYSTEM32>\sc.exe' config sqlservrd start= Disabled
'<SYSTEM32>\cmd.exe' /c sc config sqlservrd start= Disabled
'<SYSTEM32>\cmd.exe' /c %comspec% /c sc config sqlservrd start= Disabled >nul 2>&1
'<SYSTEM32>\net1.exe' stop sqlservrd
'<SYSTEM32>\cmd.exe' /c net stop sqlservrd
'<SYSTEM32>\cmd.exe' /c %comspec% /c net stop sqlservrd >nul 2>&1
'<SYSTEM32>\sc.exe' config LocalConnectXdc start= Disabled
'<SYSTEM32>\cmd.exe' /c sc config LocalConnectXdc start= Disabled
'<SYSTEM32>\cmd.exe' /c sc config WMIUpdateService start= Disabled
'<SYSTEM32>\sc.exe' config WMIUpdateService start= Disabled

Технології

Терміни

Навчання

Міфи

Technical Information

Рекомендации по лечению

Демо бесплатно на 14 дней