Trojan.DownLoader5.42138

Техническая информация

Для обеспечения автозапуска и распространения:

Модифицирует следующие ключи реестра:

[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001] 'LibraryPath' = 'mswsock.dll'
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003] 'LibraryPath' = 'mswsock.dll'
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008] 'PackedCatalogItem' = ''

Создает следующие сервисы:

[<HKLM>\SYSTEM\ControlSet001\Services\.mrxsmb] 'ImagePath' = '\*'

Вредоносные функции:

Внедряет код в

следующие системные процессы:

<SYSTEM32>\winlogon.exe
%WINDIR%\Explorer.EXE

Изменения в файловой системе:

Создает следующие файлы:

%WINDIR%\$NtUninstallKB27979$\4121336045\cfg.ini
%WINDIR%\$NtUninstallKB27979$\4121336045\@
%WINDIR%\$NtUninstallKB27979$\4121336045\Desktop.ini
%WINDIR%\$NtUninstallKB27979$\4121336045\L\alehhooo

Сетевая активность:

Подключается к:

'76.##0.161.38':34354
'76.##8.23.174':34354
'72.##8.4.146':34354
'75.##.233.144':34354
'68.#.243.9':34354
'71.##7.58.14':34354
'75.##8.48.54':34354
'76.##4.117.104':34354
'71.##9.171.20':34354
'76.##.177.133':34354
'71.##9.24.145':34354
'71.##4.238.160':34354
'72.##1.213.219':34354
'71.#.137.130':34354
'71.#1.99.61':34354
'67.##1.80.207':34354
'19#.#06.129.27':34354
'10#.#30.227.134':34354
'71.#7.71.64':34354
'98.##3.248.104':34354
'71.##8.188.1':34354
'10#.#1.26.65':34354
'24.##8.146.157':34354
'24.##.179.228':34354
'98.##2.254.119':34354
'76.#4.3.254':34354
'69.##7.143.76':34354
'69.#23.6.30':34354
'17#.#1.251.92':34354
'76.##7.183.62':34354
'17#.#00.204.127':34354
'97.##3.187.92':34354
'24.##2.199.124':34354
'70.##2.176.70':34354
'68.##4.200.189':34354
'69.##4.78.111':34354
'67.##8.138.234':34354
'68.#.1.4':34354
'18#.#53.191.234':34354
'75.##7.188.186':34354
'70.##0.243.2':34354
'70.##9.181.41':34354
'72.##9.163.154':34354
'66.##9.28.152':34354
'98.##6.45.189':34354
'24.##5.214.202':34354
'70.##0.144.218':34354
'24.#8.10.56':34354
'79.#.108.52':34354
'17#.#75.59.182':34354
'76.##8.17.107':34354
'24.##.57.161':34354
'70.##2.215.48':34354
'19#.#00.159.87':34354
'50.#7.213.2':34354
'72.##1.237.36':34354
'20#.#04.16.216':34354
'10#.4.91.99':34354
'69.##1.215.129':34354
'67.##8.104.166':34354
'66.##9.105.196':34354
'24.##8.2.178':34354
'70.##7.83.57':34354
'24.##3.248.110':34354
'98.##4.12.76':34354
'76.##7.49.247':34354
'71.##8.98.93':34354
'76.##1.134.92':34354
'10#.#8.10.18':34354
'24.#.231.175':34354
'75.##.186.223':34354
'68.##2.174.232':34354
'70.##3.187.184':34354
'99.##6.194.36':34354
'18#.#91.133.11':34354
'75.##.102.48':34354
'97.#2.55.14':34354
'50.##.154.238':34354
'98.##.168.73':34354
'71.##2.214.186':34354
'75.##.20.108':34354
'17#.#1.3.213':34354
'67.##7.174.186':34354
'17#.#8.103.251':34354
'98.##.182.104':34354
'24.#.176.223':34354
'66.##3.134.107':34354
'18#.#76.17.107':34354
'17#.#9.158.58':34354
'84.##.62.100':34354
'18#.#7.41.196':34354
'68.##0.227.97':34354
'68.##.234.47':34354
'75.##4.62.144':34354
'50.##.81.140':34354
'98.##9.32.223':34354
'24.##3.103.133':34354
'68.#8.72.81':34354
'24.##8.141.48':34354
'68.##.120.17':34354
'67.##9.162.85':34354
'69.##6.162.128':34354
'64.##2.143.85':34354
'72.##1.102.130':34354
'21#.#0.94.166':34354
'24.##.183.170':34354
'12.#70.59.2':34354
'10#.#22.5.69':34354
'71.##.45.251':34354
'68.##.56.141':34354
'19#.#73.28.4':34354
'71.##.166.11':34354
'17#.#4.94.66':34354
'68.##.192.165':34354
'24.##1.214.185':34354
'69.##0.229.198':34354
'24.##.153.231':34354
'98.##6.134.73':34354
'69.##6.81.214':34354
'86.##.98.168':34354
'68.##7.204.97':34354
'76.##1.143.179':34354
'98.##5.4.176':34354
'65.##.103.127':34354
'99.##1.101.182':34354
'68.##0.190.37':34354
'24.##2.71.50':34354
'2.###.75.117':34354
'24.##.221.173':34354
'66.##.16.133':34354
'10#.#91.176.11':34354
'64.##9.166.51':34354
'71.##.53.231':34354
'71.##.22.167':34354
'75.##.143.197':34354
'67.##.44.109':34354
'96.##.84.233':34354
'67.##5.96.114':34354
'76.##7.37.66':34354
'15#.#24.149.190':34354
'67.##1.43.112':34354
'18#.#3.58.224':34354
'71.#6.7.55':34354
'85.##5.226.90':34354
'75.##5.83.150':34354
'21#.#10.241.61':34354
'68.##3.246.199':34354
'70.#2.80.50':34354
'70.##.231.208':34354
'98.##7.186.248':34354
'19#.#41.122.45':34354
'24.#.110.29':34354
'21#.#11.170.3':34354
'69.##6.72.173':34354
'69.##3.225.245':34354
'69.##3.174.99':34354
'17#.#07.232.85':34354
'69.##4.63.162':34354
'24.##6.172.247':34354
'68.##9.192.85':34354
'18#.#99.90.144':34354
'79.##8.33.154':34354
'98.#6.36.55':34354
'99.##.22.241':34354
'24.##.135.29':34354
'17#.#10.195.209':34354
'24.##.221.214':34354
'98.##8.68.52':34354
'15#.#81.137.193':34354
'76.##.137.102':34354
'68.##.239.249':34354
'localhost':80
'69.##5.205.70':34354
'68.##.73.102':34354
'99.##0.135.203':34354
'71.##5.62.96':34354
'98.##2.118.165':34354
'68.##7.209.72':34354
'68.##.154.184':34354
'10#.#.107.129':34354
'76.##2.165.170':34354
'66.#6.0.252':34354
'69.##0.202.121':34354
'17#.#58.112.189':34354
'70.##.82.251':34354
'69.##0.9.212':34354
'64.##4.98.254':34354
'76.#1.7.122':34354
'68.#3.75.71':34354
'74.##7.152.205':34354
'68.##.167.57':34354
'68.##.255.180':34354
'76.##.123.28':34354
'10#.#7.189.157':34354
'98.##.217.95':34354
'68.##4.48.32':34354
'70.##6.123.188':34354
'75.##3.61.158':34354
'75.##6.75.13':34354
'20#.#10.143.50':34354
'15#.#5.150.142':34354
'67.##4.106.103':34354
'17#.#9.187.41':34354
'13#.#42.198.67':34354
'24.##.210.186':34354
'69.##4.104.35':34354
'19#.#03.78.141':34354
'69.##2.8.241':34354
'68.##6.113.64':34354
'68.#3.84.4':34354
'17#.#68.2.230':34354
'64.##1.231.73':34354
'24.##5.85.245':34354
'17#.#1.101.98':34354
'89.##.105.113':34354
'69.##5.10.180':34354
'24.##6.81.227':34354
'67.##2.209.102':34354
'67.##8.109.94':34354
'69.##1.2.167':34354
'20#.#36.228.200':34354
'97.##.145.68':34354
'98.#45.4.36':34354
'76.##7.229.35':34354
'17#.#.206.41':34354
'75.##7.208.82':34354
'75.##9.119.127':34354
'13#.#4.34.34':34354
'10#.5.35.92':34354
'82.##7.35.197':34354
'17#.#6.147.154':34354
'99.##.39.216':34354
'82.##4.201.145':34354
'75.##.77.113':34354
'19#.#73.155.199':34354
'93.##4.252.74':34354
'10#.#0.61.163':34354
'17#.#2.121.7':34354
'72.##2.233.169':34354
'75.##1.96.147':34354
'98.##1.250.144':34354
'24.##9.216.162':34354
'68.##1.45.58':34354
'18#.#2.225.37':34354
'98.##2.106.124':34354
'24.#3.4.65':34354
'17#.#73.3.148':34354
'70.##7.69.177':34354
'76.##8.174.143':34354
'74.#9.47.77':34354
'76.##.193.81':34354
'70.##9.50.42':34354
'68.##0.193.118':34354
'64.##.218.191':34354
'76.##7.76.62':34354
'65.##.218.154':34354
'69.##3.15.104':34354

TCP:

Запросы HTTP GET:

eg##kkid.cn/stat2.php?&a#################
eg##kkid.cn/stat2.php?&a################

Технології

Терміни

Навчання

Міфи

Техническая информация

Рекомендации по лечению

Демо бесплатно на 14 дней