Trojan.DownLoader5.29758

Техническая информация

Для обеспечения автозапуска и распространения:

Модифицирует следующие ключи реестра:

[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001] 'LibraryPath' = 'mswsock.dll'
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003] 'LibraryPath' = 'mswsock.dll'
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008] 'PackedCatalogItem' = ''

Создает следующие сервисы:

[<HKLM>\SYSTEM\ControlSet001\Services\.netbt] 'ImagePath' = '\*'

Вредоносные функции:

Внедряет код в

следующие системные процессы:

<SYSTEM32>\winlogon.exe
%WINDIR%\Explorer.EXE

Изменения в файловой системе:

Создает следующие файлы:

%WINDIR%\$NtUninstallKB27979$\4121336045\cfg.ini
%WINDIR%\$NtUninstallKB27979$\4121336045\@
%WINDIR%\$NtUninstallKB27979$\4121336045\Desktop.ini
%WINDIR%\$NtUninstallKB27979$\4121336045\L\alehhooo

Самоудаляется.

Сетевая активность:

Подключается к:

'94.##.146.190':34354
'74.##.123.192':34354
'76.##.126.245':34354
'76.##.241.11':34354
'67.##.159.85':34354
'98.##3.188.231':34354
'98.##3.30.230':34354
'69.##1.154.193':34354
'96.##.104.112':34354
'69.##2.114.183':34354
'24.##.102.180':34354
'74.##.20.211':34354
'11#.#46.215.93':34354
'79.##9.37.93':34354
'20#.#7.119.16':34354
'70.##4.91.94':34354
'21#.#9.19.83':34354
'24.##6.219.3':34354
'71.##.55.207':34354
'24.##.252.72':34354
'80.##9.220.63':34354
'76.##.36.210':34354
'72.##2.211.69':34354
'68.##.155.64':34354
'71.##5.76.210':34354
'74.##.146.250':34354
'71.#5.109.7':34354
'76.#8.4.232':34354
'14#.#26.89.75':34354
'10#.#.223.62':34354
'66.##8.220.206':34354
'10#.#5.164.76':34354
'17#.#20.59.56':34354
'24.##0.206.121':34354
'71.##6.111.28':34354
'18#.#51.138.54':34354
'31.##.208.23':34354
'50.##.140.124':34354
'67.##2.58.223':34354
'17#.#6.107.24':34354
'92.##7.139.166':34354
'99.##.60.168':34354
'98.##5.70.48':34354
'24.##0.116.134':34354
'67.##0.114.169':34354
'71.##.56.173':34354
'70.##7.91.48':34354
'69.##1.183.126':34354
'78.##.238.110':34354
'62.##3.159.228':34354
'76.##.104.22':34354
'70.#4.0.113':34354
'69.##.95.105':34354
'24.##.85.180':34354
'24.##0.211.178':34354
'68.##.82.179':34354
'14#.#96.28.176':34354
'31.##6.134.115':34354
'10#.#6.48.118':34354
'69.##7.40.118':34354
'99.##4.167.226':34354
'31.##5.131.227':34354
'21#.#9.123.115':34354
'95.##.191.114':34354
'18#.#1.126.242':34354
'98.##5.206.176':34354
'67.##3.177.173':34354
'75.##1.189.174':34354
'18#.#52.31.244':34354
'98.##5.55.18':34354
'75.##6.176.179':34354
'66.##.167.243':34354
'71.##4.161.161':34354
'69.##.156.34':34354
'89.##4.181.30':34354
'46.##2.62.30':34354
'24.##1.94.28':34354
'83.##.244.26':34354
'24.##.25.212':34354
'65.##5.193.211':34354
'75.##.143.197':34354
'17#.#22.162.249':34354
'75.#10.85.7':34354
'87.##0.1.197':34354
'18#.#52.235.203':34354
'24.#.110.233':34354
'24.##.165.182':34354
'68.##9.121.199':34354
'74.##2.35.187':34354
'93.##5.121.190':34354
'66.#69.5.17':34354
'15#.#0.36.185':34354
'24.##.127.246':34354
'97.##1.26.195':34354
'68.#3.23.11':34354
'24.##.140.191':34354
'76.##.110.123':34354
'24.##2.236.123':34354
'68.##1.231.56':34354
'68.##.29.223':34354
'75.#1.55.52':34354
'66.#4.57.56':34354
'89.##8.21.223':34354
'98.##4.71.52':34354
'18#.#8.157.236':34354
'98.##4.4.230':34354
'78.##0.115.3':34354
'24.##.84.232':34354
'17#.#58.73.104':34354
'72.##5.142.57':34354
'66.##.247.59':34354
'85.##.165.240':34354
'78.##6.92.35':34354
'15#.#5.159.150':34354
'75.##.23.147':34354
'75.##.156.36':34354
'69.##3.130.154':34354
'15#.#1.134.161':34354
'79.##3.230.151':34354
'67.##6.106.212':34354
'82.##.104.221':34354
'99.##0.24.136':34354
'19#.#8.37.126':34354
'11#.#4.92.222':34354
'68.##4.193.241':34354
'67.##3.11.146':34354
'71.#0.15.43':34354
'10#.#3.249.209':34354
'98.##2.220.219':34354
'24.##7.123.84':34354
'71.##.49.251':34354
'24.##0.173.80':34354
'10#.#41.21.6':34354
'19#.#10.77.124':34354
'68.##0.211.58':34354
'89.##.225.134':34354
'17#.#1.85.198':34354
'87.##9.76.123':34354
'75.#8.10.62':34354
'95.##.243.53':34354
'96.##.74.108':34354
'17#.#8.107.108':34354
'99.#5.32.42':34354
'24.##2.74.70':34354
'17#.#7.62.238':34354
'24.##4.26.31':34354
'65.##0.152.221':34354
'17#.#5.58.20':34354
'70.##8.235.10':34354
'68.##0.216.162':34354
'81.##4.106.73':34354
'17#.#17.50.62':34354
'66.##8.152.237':34354
'71.##4.154.6':34354
'66.##.38.170':34354
'24.#9.56.75':34354
'84.##5.180.134':34354
'98.#39.87.5':34354
'70.##8.119.120':34354
'95.#5.0.136':34354
'31.##.107.184':34354
'17#.#14.238.90':34354
'15#.#5.175.137':34354
'18#.#5.236.131':34354
'17#.#.104.253':34354
'17#.#1.86.20':34354
'80.#.75.230':34354
'68.##.250.226':34354
'24.##9.74.173':34354
'18#.#75.54.119':34354
'72.##6.231.31':34354
'localhost':80
'67.##0.141.153':34354
'12#.#20.131.136':34354
'74.##.97.114':34354
'95.#6.39.60':34354
'19#.#42.67.21':34354
'17#.#5.226.217':34354
'67.##6.218.166':34354
'17#.#52.209.4':34354
'67.##1.76.114':34354
'70.##6.70.227':34354
'17#.#3.198.9':34354
'74.##.10.246':34354
'69.##9.180.76':34354
'17#.#9.166.92':34354
'10#.#2.249.126':34354
'62.##.243.137':34354
'17#.#03.82.16':34354
'71.#8.54.23':34354
'12.##.27.235':34354
'68.##.209.58':34354
'68.##.83.182':34354
'63.##8.142.217':34354
'69.##2.8.241':34354
'18#.2.17.88':34354
'64.##9.154.137':34354
'76.#0.7.152':34354
'76.##8.43.32':34354
'75.##3.204.98':34354
'24.##4.107.153':34354
'17#.#4.111.229':34354
'84.#.19.135':34354
'21#.#31.169.166':34354
'19#.#8.85.200':34354
'18#.#6.24.195':34354
'18#.#9.78.194':34354
'15#.#9.229.165':34354
'12#.#47.16.203':34354
'18#.#0.41.34':34354
'31.##7.242.217':34354
'69.##2.213.154':34354
'98.##4.91.158':34354
'17#.#30.128.164':34354
'72.##2.3.166':34354
'68.##5.72.136':34354
'68.#4.12.45':34354
'18#.#36.135.41':34354
'75.##0.48.42':34354
'70.##2.217.148':34354
'10#.#2.79.39':34354
'17#.#.169.140':34354
'69.##1.127.31':34354
'71.##9.117.142':34354
'74.##5.41.242':34354
'17#.#1.78.185':34354
'76.##9.252.28':34354
'68.##.178.63':34354
'70.##1.235.225':34354
'74.##9.94.102':34354
'50.##.232.98':34354
'75.##.141.115':34354
'76.##3.76.200':34354
'10#.#.210.106':34354
'10#.5.35.92':34354
'95.##5.190.92':34354
'69.##3.12.79':34354
'95.##.166.180':34354
'24.#.158.92':34354
'24.##.188.51':34354
'24.##3.129.102':34354
'76.##6.30.22':34354
'17#.#11.83.52':34354
'72.##9.92.83':34354
'76.##8.105.173':34354
'75.##.17.127':34354
'72.##3.208.240':34354
'69.##1.217.6':34354
'75.##5.161.79':34354
'92.##.245.119':34354
'95.#7.65.29':34354
'69.##8.197.206':34354
'97.##.22.213':34354
'11#.#7.33.113':34354
'78.#.62.178':34354
'74.##0.226.234':34354
'72.##1.12.142':34354

TCP:

Запросы HTTP GET:

eg##kkid.cn/stat2.php?&a#################
eg##kkid.cn/stat2.php?&a################

Технології

Терміни

Навчання

Міфи

Техническая информация

Рекомендации по лечению

Демо бесплатно на 14 дней