BackDoor.Maxplus.6053

Техническая информация

Для обеспечения автозапуска и распространения:

Модифицирует следующие ключи реестра:

[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001] 'LibraryPath' = 'mswsock.dll'
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003] 'LibraryPath' = 'mswsock.dll'
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008] 'PackedCatalogItem' = ''

Создает следующие сервисы:

[<HKLM>\SYSTEM\ControlSet001\Services\.i8042prt] 'ImagePath' = '\*'

Вредоносные функции:

Внедряет код в

следующие системные процессы:

<SYSTEM32>\cmd.exe
<SYSTEM32>\winlogon.exe
%WINDIR%\Explorer.EXE

Изменения в файловой системе:

Создает следующие файлы:

%WINDIR%\$NtUninstallKB27979$\4121336045\cfg.ini
%WINDIR%\$NtUninstallKB27979$\4121336045\@
%WINDIR%\$NtUninstallKB27979$\4121336045\Desktop.ini
%WINDIR%\$NtUninstallKB27979$\4121336045\L\alehhooo

Самоудаляется.

Сетевая активность:

Подключается к:

'69.#7.18.12':34354
'75.##3.56.230':34354
'97.##.138.108':34354
'24.##.188.111':34354
'82.##8.160.208':34354
'10#.#.25.172':34354
'68.#.123.207':34354
'80.##5.124.82':34354
'72.##8.60.243':34354
'75.##9.110.109':34354
'76.##4.165.86':34354
'98.##4.146.32':34354
'86.##3.47.41':34354
'89.##.230.151':34354
'21#.#78.13.148':34354
'75.##0.103.34':34354
'76.##7.98.205':34354
'76.##.249.15':34354
'67.##6.55.108':34354
'94.#6.166.3':34354
'76.##8.45.66':34354
'70.##0.47.15':34354
'24.##2.202.33':34354
'98.##3.70.174':34354
'92.#14.74.3':34354
'72.##0.24.78':34354
'94.##8.60.23':34354
'98.##5.29.24':34354
'66.##.95.135':34354
'70.##5.234.91':34354
'77.##.79.242':34354
'98.##3.167.225':34354
'18#.#91.210.162':34354
'75.##7.154.108':34354
'76.##1.206.102':34354
'72.##6.8.121':34354
'93.##1.137.105':34354
'67.##1.248.22':34354
'66.##9.77.207':34354
'68.##6.206.112':34354
'69.##2.208.183':34354
'98.##8.141.23':34354
'69.##3.45.182':34354
'98.##.168.176':34354
'19#.#8.134.242':34354
'10#.4.31.88':34354
'66.##8.133.15':34354
'75.##3.166.180':34354
'98.##4.14.199':34354
'17#.#95.30.144':34354
'76.##9.145.79':34354
'20#.54.8.86':34354
'75.##0.7.172':34354
'72.##9.103.136':34354
'24.##3.42.247':34354
'98.##.206.214':34354
'75.##0.167.30':34354
'24.##6.129.241':34354
'78.##.213.213':34354
'18#.#1.129.121':34354
'79.##4.23.150':34354
'10#.#30.43.195':34354
'68.#9.36.91':34354
'24.##6.221.122':34354
'24.#7.79.85':34354
'91.##4.91.85':34354
'91.##7.60.22':34354
'17#.#00.104.75':34354
'71.##3.152.90':34354
'14#.#54.228.104':34354
'69.##6.150.153':34354
'72.##8.128.89':34354
'67.##7.161.78':34354
'67.#.90.159':34354
'17#.#11.80.2':34354
'92.##.128.78':34354
'76.##1.133.214':34354
'17#.#9.47.85':34354
'17#.#52.71.83':34354
'95.#9.5.84':34354
'17#.#3.119.27':34354
'17#.28.45.3':34354
'74.##1.199.234':34354
'84.##.72.205':34354
'76.##.78.182':34354
'71.#0.121.3':34354
'71.##.162.29':34354
'68.##4.36.57':34354
'96.##.47.133':34354
'95.##.205.131':34354
'87.##.179.105':34354
'17#.#0.211.216':34354
'75.##.101.11':34354
'17#.#7.138.219':34354
'98.##8.11.13':34354
'69.##0.99.128':34354
'24.##.25.212':34354
'79.##3.240.244':34354
'99.##6.164.117':34354
'71.##6.212.43':34354
'68.##9.234.48':34354
'88.##5.135.242':34354
'50.##.31.190':34354
'76.#0.12.49':34354
'68.##0.216.162':34354
'19#.#74.44.110':34354
'21#.#62.122.17':34354
'95.##.255.59':34354
'24.##.62.198':34354
'87.##0.22.171':34354
'71.##3.45.122':34354
'18#.#55.49.111':34354
'74.##6.121.56':34354
'99.##8.103.1':34354
'72.##.205.41':34354
'72.#7.90.41':34354
'75.##3.165.70':34354
'71.##8.254.159':34354
'94.##3.123.66':34354
'17#.#1.203.205':34354
'74.##3.180.178':34354
'70.##3.215.49':34354
'18#.#67.240.57':34354
'98.##3.21.166':34354
'68.#3.78.42':34354
'18#.#53.181.171':34354
'98.##3.29.212':34354
'81.##4.79.192':34354
'76.##1.89.217':34354
'19#.#57.153.58':34354
'98.#81.5.71':34354
'70.##5.147.19':34354
'68.##5.160.17':34354
'68.#.131.233':34354
'74.##.239.183':34354
'94.##4.222.212':34354
'75.##.224.165':34354
'69.##7.214.165':34354
'85.##5.21.204':34354
'75.##0.12.178':34354
'88.##.124.196':34354
'67.##5.38.53':34354
'68.#.64.49':34354
'74.##2.35.187':34354
'75.#3.67.21':34354
'86.##2.230.93':34354
'74.##7.4.237':34354
'24.##.201.175':34354
'68.##8.175.146':34354
'98.##7.48.161':34354
'76.##.101.230':34354
'65.##.184.32':34354
'21#.#07.13.123':34354
'10#.#0.54.222':34354
'70.##2.216.231':34354
'24.##.213.117':34354
'10#.42.22.1':34354
'75.##8.117.222':34354
'71.##2.246.10':34354
'18#.#8.164.200':34354
'17#.#73.46.56':34354
'69.##7.43.140':34354
'18#.#6.133.174':34354
'46.##.238.185':34354
'75.#5.62.13':34354
'13#.#04.112.127':34354
'69.##2.234.242':34354
'24.##3.176.129':34354
'75.##2.107.86':34354
'98.##.130.157':34354
'24.##0.159.62':34354
'localhost':80
'97.##.63.183':34354
'69.##5.205.70':34354
'10#.#.183.155':34354
'71.##.208.48':34354
'68.#.167.191':34354
'17#.#02.42.138':34354
'21#.#0.88.68':34354
'24.##.99.120':34354
'2.###.43.198':34354
'76.##3.0.115':34354
'18#.#1.251.226':34354
'75.##.143.197':34354
'98.##6.0.197':34354
'68.##.225.72':34354
'74.##4.71.251':34354
'74.#8.67.90':34354
'71.##.201.242':34354
'78.##.241.215':34354
'93.##.161.111':34354
'17#.#68.20.213':34354
'65.##.234.45':34354
'96.##.161.47':34354
'76.##.45.122':34354
'69.##2.77.144':34354
'69.##7.9.102':34354
'72.##3.85.150':34354
'24.##.131.178':34354
'78.##.169.61':34354
'17#.#0.23.52':34354
'17#.#09.169.173':34354
'70.##3.51.42':34354
'10#.#2.156.183':34354
'17#.#.215.147':34354
'68.##2.174.80':34354
'24.##3.72.135':34354
'99.#7.0.209':34354
'67.#3.30.57':34354
'18#.#54.63.117':34354
'24.##.205.164':34354
'17#.29.54.7':34354
'71.##4.19.14':34354
'24.##5.86.220':34354
'24.##0.189.245':34354
'88.#8.34.57':34354
'18#.#9.99.191':34354
'94.##1.238.104':34354
'24.##3.36.112':34354
'76.##.192.40':34354
'75.##.11.170':34354
'18#.#37.191.101':34354
'74.##0.10.209':34354
'24.##4.75.163':34354
'10#.4.5.104':34354
'68.##.229.101':34354
'68.##0.237.23':34354
'17#.#1.240.250':34354
'68.##9.192.85':34354
'71.##5.118.93':34354
'75.##.34.201':34354
'17#.#71.47.194':34354
'74.##2.142.17':34354
'24.##0.124.46':34354
'24.##.26.125':34354
'19#.#7.208.66':34354
'98.##.142.195':34354
'24.##8.243.93':34354
'96.##.89.102':34354
'67.##5.36.170':34354
'69.##1.60.89':34354
'50.##.108.84':34354
'70.##8.93.42':34354
'17#.#9.227.190':34354
'82.##.28.114':34354
'98.##8.3.210':34354
'82.##1.49.50':34354
'19#.#10.77.124':34354
'71.##.216.15':34354
'67.##.79.201':34354
'68.##.239.108':34354
'77.##.116.82':34354
'76.##1.229.161':34354
'85.##5.199.233':34354
'19#.#9.51.169':34354
'70.##3.144.241':34354
'71.##9.138.75':34354

TCP:

Запросы HTTP GET:

ee##vnce.cn/stat2.php?&a#################
ee##vnce.cn/stat2.php?&a################

Технології

Терміни

Навчання

Міфи

Техническая информация

Рекомендации по лечению

Демо бесплатно на 14 дней