Trojan.DownLoader34.55709

Technical Information

To ensure autorun and distribution

Modifies the following registry keys

[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run] 'Win32 SystemNetwork Application' = '%ALLUSERSPROFILE%\SystemNetwork\nCoreManager.exe'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] 'Win32 SystemNetwork Application' = '%ALLUSERSPROFILE%\SystemNetwork\nCoreManager.exe'
[<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'Win32 SystemNetwork Application' = '%ALLUSERSPROFILE%\SystemNetwork\nCoreManager.exe'

Sets the following service settings

[<HKLM>\System\CurrentControlSet\Services\WinRing0_1_2_0] 'ImagePath' = '%ALLUSERSPROFILE%\IntelCore\WinRing0x64.sys'

Creates the following services

'WinRing0_1_2_0' %ALLUSERSPROFILE%\IntelCore\WinRing0x64.sys

Malicious functions

Searches for windows to

detect analytical utilities:

ClassName: 'OLLYDBG', WindowName: ''
ClassName: 'GBDYLLO', WindowName: ''
ClassName: 'pediy06', WindowName: ''
ClassName: 'FilemonClass', WindowName: ''
ClassName: '', WindowName: 'File Monitor - Sysinternals: www.sysinternals.com'
ClassName: 'PROCMON_WINDOW_CLASS', WindowName: ''
ClassName: '', WindowName: 'Process Monitor - Sysinternals: www.sysinternals.com'
ClassName: 'RegmonClass', WindowName: ''
ClassName: '', WindowName: 'Registry Monitor - Sysinternals: www.sysinternals.com'

Modifies file system

Creates the following files

%LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\desktop.ini
%ALLUSERSPROFILE%\intelcore\config.json
%ALLUSERSPROFILE%\systemnetwork\arch.txt
%ALLUSERSPROFILE%\systemnetwork\video.txt
%ALLUSERSPROFILE%\systemnetwork\ncoremanager.exe
%LOCALAPPDATA%\microsoft\windows\history\low\history.ie5\index.dat
%APPDATA%\microsoft\windows\cookies\low\index.dat
%ALLUSERSPROFILE%\intelcore\applicationsframehost.exe
%LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\llrzo8r1\desktop.ini
%LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\lzoq3twh\desktop.ini
%LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\jfi402v4\desktop.ini
%LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\index.dat
%LOCALAPPDATA%\microsoft\windows\history\low\history.ie5\desktop.ini
%LOCALAPPDATA%\microsoft\windows\history\low\desktop.ini
%LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\desktop.ini
%LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\akztq843\desktop.ini
%ALLUSERSPROFILE%\commonsfiles\cpu_arch.txt

Sets the 'hidden' attribute to the following files

%LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\desktop.ini
%LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\desktop.ini
%LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\jfi402v4\desktop.ini
%LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\lzoq3twh\desktop.ini
%LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\akztq843\desktop.ini
%LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\llrzo8r1\desktop.ini
%LOCALAPPDATA%\microsoft\windows\history\low\history.ie5\desktop.ini
%LOCALAPPDATA%\microsoft\windows\history\low\desktop.ini
%ALLUSERSPROFILE%\intelcore\applicationsframehost.exe
%ALLUSERSPROFILE%\commonsfiles\cpu_arch.txt

Deletes itself.

Network activity

TCP

HTTP GET requests

http://vm#####98.kvm.had.yt/zzztop/nCoreManager.exe
http://vm#####98.kvm.had.yt/zzztop/x64/config.json
http://vm#####98.kvm.had.yt/zzztop/x64/ApplicationsFrameHost.exe

'vm#####02.kvm.had.yt':3333

UDP

DNS ASK vm#####98.kvm.had.yt
DNS ASK vm#####02.kvm.had.yt

Miscellaneous

Searches for the following windows

ClassName: '18467-41' WindowName: ''

Creates and executes the following

'%ALLUSERSPROFILE%\systemnetwork\ncoremanager.exe'
'%ALLUSERSPROFILE%\intelcore\applicationsframehost.exe'
'%WINDIR%\syswow64\cmd.exe' /k ping -n 5 localhost < nul & del /F /Q "<Full path to file>"' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /c WMIC OS get osarchitecture >%ALLUSERSPROFILE%\SystemNetwork\arch.txt' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /c wmic path win32_VideoController get name >%ALLUSERSPROFILE%\SystemNetwork\video.txt' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /c icacls %ALLUSERSPROFILE%\SystemNetwork /deny "%username%:(R,REA,RA)"' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /c icacls %ALLUSERSPROFILE%\SystemNetwork /deny "Users:(R,REA,RA)"' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /c icacls %ALLUSERSPROFILE%\SystemNetwork /deny "Administrators:(R,REA,RA))"' (with hidden window)
'%ALLUSERSPROFILE%\intelcore\applicationsframehost.exe' ' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /c icacls %ALLUSERSPROFILE%\IntelCore /deny "%username%:(R,REA,RA)"' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /c icacls %ALLUSERSPROFILE%\IntelCore /deny "Users:(R,REA,RA)"' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /c icacls %ALLUSERSPROFILE%\IntelCore /deny "Administrators:(R,REA,RA))"' (with hidden window)

Executes the following

'%WINDIR%\syswow64\rundll32.exe' "%WINDIR%\syswow64\WININET.dll",DispatchAPICall 1
'%WINDIR%\syswow64\icacls.exe' %ALLUSERSPROFILE%\IntelCore /deny "Users:(R,REA,RA)"
'%WINDIR%\syswow64\cmd.exe' /c icacls %ALLUSERSPROFILE%\IntelCore /deny "Administrators:(R,REA,RA))"
'%WINDIR%\syswow64\cmd.exe' /c icacls %ALLUSERSPROFILE%\IntelCore /deny "Users:(R,REA,RA)"
'%WINDIR%\syswow64\cmd.exe' /c icacls %ALLUSERSPROFILE%\IntelCore /deny "%username%:(R,REA,RA)"
'%WINDIR%\syswow64\icacls.exe' %ALLUSERSPROFILE%\SystemNetwork /deny "Administrators:(R,REA,RA))"
'%WINDIR%\syswow64\icacls.exe' %ALLUSERSPROFILE%\SystemNetwork /deny "user:(R,REA,RA)"
'%WINDIR%\syswow64\icacls.exe' %ALLUSERSPROFILE%\SystemNetwork /deny "Users:(R,REA,RA)"
'%WINDIR%\syswow64\icacls.exe' %ALLUSERSPROFILE%\IntelCore /deny "Administrators:(R,REA,RA))"
'%WINDIR%\syswow64\cmd.exe' /c icacls %ALLUSERSPROFILE%\SystemNetwork /deny "Administrators:(R,REA,RA))"
'%WINDIR%\syswow64\cmd.exe' /c icacls %ALLUSERSPROFILE%\SystemNetwork /deny "%username%:(R,REA,RA)"
'%WINDIR%\syswow64\wbem\wmic.exe' path win32_VideoController get name
'%WINDIR%\syswow64\cmd.exe' /c wmic path win32_VideoController get name >%ALLUSERSPROFILE%\SystemNetwork\video.txt
'%WINDIR%\syswow64\wbem\wmic.exe' OS get osarchitecture
'%WINDIR%\syswow64\cmd.exe' /c WMIC OS get osarchitecture >%ALLUSERSPROFILE%\SystemNetwork\arch.txt
'%WINDIR%\syswow64\ping.exe' -n 5 localhost
'%WINDIR%\syswow64\cmd.exe' /k ping -n 5 localhost < nul & del /F /Q "<Full path to file>"
'%WINDIR%\syswow64\cmd.exe' /c icacls %ALLUSERSPROFILE%\SystemNetwork /deny "Users:(R,REA,RA)"
'%WINDIR%\syswow64\icacls.exe' %ALLUSERSPROFILE%\IntelCore /deny "user:(R,REA,RA)"

Демо бесплатно на 14 дней

Выдаётся при установке

Скачать с сайта

Скачать с Google Play

Завантажте
Dr.Web для Android

Безкоштовно на 3 місяці
Всі компоненти захисту
Подовження демо в
AppGallery/Google Pay

Технології

Терміни

Навчання

Міфи

Technical Information

Рекомендации по лечению

Демо бесплатно на 14 дней