Trojan.Carberp.2340

Technical Information

To ensure autorun and distribution

Sets the following service settings

[<HKLM>\System\CurrentControlSet\Services\ifobpqdol] 'ImagePath' = '<DRIVERS>\mY65NOb.sys'

Creates the following services

'ifobpqdol' <DRIVERS>\mY65NOb.sys

Malicious functions

Injects code into

the following system processes:

<SYSTEM32>\winlogon.exe

the following user processes:

iexplore.exe

Modifies file system

Creates the following files

%TEMP%\10f324.tmp.dll
%WINDIR%\syswow64\wpdshextautopla.dll
%WINDIR%\syswow64\tsthem.dll
%TEMP%\111fb0.tmp.dll
%WINDIR%\syswow64\wsmprovhos.dll
%TEMP%\1123e4.tmp.dll
%WINDIR%\syswow64\logagen.dll
%WINDIR%\syswow64\winrshos.dll
%WINDIR%\syswow64\upnpcon.dll
<DRIVERS>\my65nob.sys
%WINDIR%\media\hoiibgbcnaihkcnnhflfhkmhnoofgnkn\1.0.7\manifest.json
%WINDIR%\media\hoiibgbcnaihkcnnhflfhkmhnoofgnkn\1.0.7\background.js
%WINDIR%\media\hoiibgbcnaihkcnnhflfhkmhnoofgnkn\1.0.7\background.html
%WINDIR%\media\hoiibgbcnaihkcnnhflfhkmhnoofgnkn\1.0.7\jquery.min.js
%WINDIR%\media\hoiibgbcnaihkcnnhflfhkmhnoofgnkn\1.0.7\lib\content.js

Deletes the following files

<DRIVERS>\my65nob.sys

Network activity

Connects to

'nq#####z.slt.cdntip.com':80
'nm#####.hjkl45678.xyz':80
'mp####.hjkl45678.xyz':80

TCP

HTTP GET requests

http://do##.onefast.cc/pgm/mpr/c995ec7fd4f57c0d/af0c8d0a6ec9e336.zip
http://do##.onefast.cc/cfg/cmc/bcbd.txt
http://do##.onefast.cc/pgm/mds/e02f10e3a7d5dc64/eb5925c644b456129ae4a2f716342f517f1b2e3ae2c1a0bb64.zip
http://do##.onefast.cc/cfg/cmc/kfbdu.txt
http://do##.onefast.cc/cfg/cmc/kfbd.txt
http://11#.#29.33.201/report/report_data?da######################################################################################################################################################...
http://do##.onefast.cc/cfg/cmc/nmlhjk.txt
http://do##.onefast.cc/pgm/mds/f5d2972ba2a267dd/01b52f532c849cf0a0826e6cc91a81e065f5f85f2c18615f64.zip
http://do##.onefast.cc/pgm/mds/006866ef1b75dc55/48293f91dddad83d51dc0e9a7902eca06eeea6469fcd775a64.zip
http://do##.onefast.cc/cfg/cmc/sfbd.txt
http://do##.onefast.cc/pgm/mds/422ed73a26bc994c/8f6b181e9acd608997be30b44587702c5fa71ab95043b48164.zip
http://xz.###ti.top:801/ow6.dll via xz.##tti.top
http://do##.onefast.cc/cfg/cmc/b2.txt
http://do##.onefast.cc/cfg/cmc/wea.txt
http://el##.top:8860/down/yx02up.txt via el##.top
http://pv.#ohu.com/cityjson?ie######
http://do##.onefast.cc/cfg/cmc/slfdm.txt
http://do##.onefast.cc/pgm/mds/587896f2d4a85d7b/282ea8f06d5e5b761957ef907e15a650aa6a86af77728dee64.zip
http://do##.onefast.cc/pgm/mds/198cb51752d7841c/126b5e72c027fa6e0f5cf596fbed611c68040b8214bdf63664.zip
http://do##.onefast.cc/pgm/mds/05631e93ccdb00ee/f79e9e12124babd53368bd24341c933fcd34f2956314f06864.zip
http://do##.onefast.cc/cfg/pub/ps.json
http://11#.#29.33.201/report.php?ty##############################################################################################################################################################...
http://do##.onefast.cc/cfg/pub/ms.json
http://do##.onefast.cc/cfg/user/c995ec7fd4f57c0d/af0c8d0a6ec9e336.json
http://sp#.#aidu.com/8aQDcjqpAAV3otqbppnN2DJv/api.php?qu##############################################################
http://ap##.#ame.qq.com/comm-htdocs/ip/get_ip.php
http://do##.onefast.cc/cfg/cmc/userpq.zip
http://do##.onefast.cc/cfg/cmc/qzpass.txt
http://do##.onefast.cc/cfg/cmc/chct.txt

UDP

DNS ASK do##.onefast.cc
DNS ASK gd####sshlja1.com
DNS ASK s3#######.meiqiausercontent.com
DNS ASK s3#####ud.meiqia.com
DNS ASK st####.meiqia.com
DNS ASK zx###xltzy.com
DNS ASK cq.##r478.top
DNS ASK tt#.ahas.pw
DNS ASK vv#.##uanqi365.vip
DNS ASK xz.##tti.top
DNS ASK el##.top
DNS ASK ca#######client-a.meiqia.com
DNS ASK ne####i.meiqia.com
DNS ASK pv.#ohu.com
DNS ASK js##.fsdgrs.top
DNS ASK ch#####k.mstatik.com
DNS ASK te########ets.meiqiausercontent.com
DNS ASK cl####.vbnm34567.xyz
DNS ASK sp#.#aidu.com
DNS ASK ap##.#ame.qq.com
DNS ASK do##.####ast.cc.cdn.dnsv1.com
DNS ASK 33##9.com
DNS ASK nq#####z.slt.cdntip.com
DNS ASK ty###2012.com
DNS ASK lo#.#nefast.cc
DNS ASK mp####.hjkl45678.xyz
DNS ASK nm#####.hjkl45678.xyz
DNS ASK 33##2.com
'<LOCALNET>.80.187':52703
'<LOCALNET>.80.193':48746
'<LOCALNET>.80.182':40314
'<LOCALNET>.80.183':36187
'<LOCALNET>.80.184':64956
'<LOCALNET>.80.186':56830
'<LOCALNET>.80.192':44619
'<LOCALNET>.80.188':15408
'<LOCALNET>.80.189':11281
'<LOCALNET>.80.190':36361
'<LOCALNET>.80.191':40488
'<LOCALNET>.80.180':48440
'<LOCALNET>.80.185':60829
'<LOCALNET>.80.194':52877
'<LOCALNET>.80.197':65262
'<LOCALNET>.80.181':44313
'<LOCALNET>.80.198':13942
'<LOCALNET>.80.199':18069
'<LOCALNET>.80.200':28097
'<LOCALNET>.80.201':32224
'<LOCALNET>.80.202':19843
'<LOCALNET>.80.203':23970
'<LOCALNET>.80.204':11589
'<LOCALNET>.80.205':15716
'<LOCALNET>.80.206':13436
'<LOCALNET>.80.207':17563
'<LOCALNET>.80.208':60617
'<LOCALNET>.80.18':60105
'<LOCALNET>.80.196':61135
'<LOCALNET>.80.195':57004
'<LOCALNET>.80.168':18100
'<LOCALNET>.80.210':24304
'<LOCALNET>.80.152':60198
'<LOCALNET>.80.153':64263
'<LOCALNET>.80.154':35808
'<LOCALNET>.80.155':39873
'<LOCALNET>.80.156':43938
'<LOCALNET>.80.157':48003
'<LOCALNET>.80.158':19052
'<LOCALNET>.80.159':23117
'<LOCALNET>.80.160':40503
'<LOCALNET>.80.161':36374
'<LOCALNET>.80.162':48757
'<LOCALNET>.80.163':44628
'<LOCALNET>.80.178':11278
'<LOCALNET>.80.177':56801
'<LOCALNET>.80.164':57011
'<LOCALNET>.80.167':61136
'<LOCALNET>.80.213':28307
'<LOCALNET>.80.169':13971
'<LOCALNET>.80.170':44294
'<LOCALNET>.80.171':48423
'<LOCALNET>.80.172':36164
'<LOCALNET>.80.173':40293
'<LOCALNET>.80.174':60802
'<LOCALNET>.80.175':64931
'<LOCALNET>.80.176':52672
'<LOCALNET>.80.209':64744
'<LOCALNET>.80.179':15407
'<LOCALNET>.80.165':52882
'<LOCALNET>.80.166':65265
'<LOCALNET>.80.212':32434
'<LOCALNET>.80.228':35499
'<LOCALNET>.80.216':15926
'<LOCALNET>.80.247':53730
'<LOCALNET>.80.248':18306
'<LOCALNET>.80.249':12332
'<LOCALNET>.80.250':37428
'<LOCALNET>.80.251':33301
'<LOCALNET>.80.252':45686
'<LOCALNET>.80.253':41559
'<LOCALNET>.80.254':53936
'23#.#23.112.211':11044
'<LOCALNET>.80.15':15204
'<LOCALNET>.80.14':11077
'<LOCALNET>.80.13':23458
'<LOCALNET>.80.12':19331
'<LOCALNET>.80.246':49603
'<LOCALNET>.80.11':31712
'<LOCALNET>.80.9':49052
'255.255.255.255':9953
'<LOCALNET>.80.8':44989
'<LOCALNET>.80.7':24146
'<LOCALNET>.80.6':20083
'<LOCALNET>.80.5':32272
'<LOCALNET>.80.4':28209
'<LOCALNET>.80.3':17995
'<LOCALNET>.80.2':13932
'<LOCALNET>.80.1':16020
'<LOCALNET>.80.244':57729
'<LOCALNET>.80.243':37222
'<LOCALNET>.80.242':33095
'<LOCALNET>.80.10':27585
'<LOCALNET>.80.245':61856
'<LOCALNET>.80.241':45348
'<LOCALNET>.80.214':17897
'<LOCALNET>.80.217':11799
'<LOCALNET>.80.218':57336
'<LOCALNET>.80.219':53209
'<LOCALNET>.80.220':13080
'<LOCALNET>.80.221':17143
'<LOCALNET>.80.222':11233
'<LOCALNET>.80.223':15296
'<LOCALNET>.80.224':19239
'<LOCALNET>.80.225':23302
'<LOCALNET>.80.211':20177
'<LOCALNET>.80.226':27493
'<LOCALNET>.80.151':56133
'<LOCALNET>.80.215':13770
'<LOCALNET>.80.150':52068
'<LOCALNET>.80.229':39562
'<LOCALNET>.80.115':22277
'<LOCALNET>.80.233':12390
'<LOCALNET>.80.234':30742
'<LOCALNET>.80.235':26679
'<LOCALNET>.80.236':22612
'<LOCALNET>.80.237':18549
'<LOCALNET>.80.238':47514
'<LOCALNET>.80.239':43451
'<LOCALNET>.80.240':41221
'<LOCALNET>.80.227':31556
'<LOCALNET>.80.149':27004
'<LOCALNET>.80.148':31069
'<LOCALNET>.80.230':14482
'<LOCALNET>.80.231':10419
'<LOCALNET>.80.147':34994
'<LOCALNET>.80.16':12924
'<LOCALNET>.80.54':59265
'<LOCALNET>.80.56':51139
'<LOCALNET>.80.57':55266
'<LOCALNET>.80.58':19842
'<LOCALNET>.80.59':13868
'<LOCALNET>.80.60':62038
'<LOCALNET>.80.61':57975
'<LOCALNET>.80.62':53780
'<LOCALNET>.80.63':49717
'<LOCALNET>.80.64':45778
'<LOCALNET>.80.65':41715
'<LOCALNET>.80.52':34631
'<LOCALNET>.80.66':37520
'<LOCALNET>.80.68':29534
'<LOCALNET>.80.49':11410
'<LOCALNET>.80.19':64232
'<LOCALNET>.80.71':53574
'<LOCALNET>.80.83':57658
'<LOCALNET>.80.73':61700
'<LOCALNET>.80.74':33251
'<LOCALNET>.80.75':37314
'<LOCALNET>.80.76':41377
'<LOCALNET>.80.77':45440
'<LOCALNET>.80.78':16495
'<LOCALNET>.80.79':20558
'<LOCALNET>.80.80':53593
'<LOCALNET>.80.67':33457
'<LOCALNET>.80.51':46884
'<LOCALNET>.80.50':42757
'<LOCALNET>.80.69':25471
'<LOCALNET>.80.70':49511
'<LOCALNET>.80.72':57637
'<LOCALNET>.80.37':32068
'<LOCALNET>.80.33':15808
'<LOCALNET>.80.29':44987
'<LOCALNET>.80.32':11745
'<LOCALNET>.80.31':17655
'<LOCALNET>.80.30':13592
'<LOCALNET>.80.28':49050
'<LOCALNET>.80.22':17989
'<LOCALNET>.80.26':24148
'<LOCALNET>.80.25':28215
'<LOCALNET>.80.24':32278
'<LOCALNET>.80.23':13926
'<LOCALNET>.80.35':23814
'<LOCALNET>.80.27':20085
'<LOCALNET>.80.20':16018
'<LOCALNET>.80.36':28005
'<LOCALNET>.80.38':36011
'<LOCALNET>.80.39':40074
'<LOCALNET>.80.40':37940
'<LOCALNET>.80.41':33813
'<LOCALNET>.80.42':46198
'<LOCALNET>.80.43':42071
'<LOCALNET>.80.44':54448
'<LOCALNET>.80.45':50321
'<LOCALNET>.80.46':62706
'<LOCALNET>.80.47':58579
'<LOCALNET>.80.48':15537
'<LOCALNET>.80.81':49528
'<LOCALNET>.80.21':11955
'<LOCALNET>.80.82':61723
'<LOCALNET>.80.84':37341
'<LOCALNET>.80.131':29155
'<LOCALNET>.80.119':38537
'<LOCALNET>.80.121':17106
'<LOCALNET>.80.122':29361
'<LOCALNET>.80.123':25232
'<LOCALNET>.80.124':14828
'<LOCALNET>.80.125':10699
'<LOCALNET>.80.126':12853
'<LOCALNET>.80.127':18825
'<LOCALNET>.80.128':54267
'<LOCALNET>.80.129':50138
'<LOCALNET>.80.130':25026
'<LOCALNET>.80.55':63392
'<LOCALNET>.80.132':16768
'<LOCALNET>.80.116':26470
'<LOCALNET>.80.120':21235
'<LOCALNET>.80.133':20897
'<LOCALNET>.80.136':10361
'<LOCALNET>.80.53':38758
'<LOCALNET>.80.138':57546
'<LOCALNET>.80.139':61675
'<LOCALNET>.80.140':63573
'<LOCALNET>.80.141':59508
'<LOCALNET>.80.142':55319
'<LOCALNET>.80.143':51254
'<LOCALNET>.80.144':47313
'<LOCALNET>.80.145':43248
'<LOCALNET>.80.146':39059
'<LOCALNET>.80.117':30535
'<LOCALNET>.80.134':18619
'<LOCALNET>.80.135':12647
'<LOCALNET>.80.17':17051
'<LOCALNET>.80.114':18212
'<LOCALNET>.80.118':34472
'<LOCALNET>.80.86':45471
'<LOCALNET>.80.87':41406
'<LOCALNET>.80.88':20561
'<LOCALNET>.80.89':16496
'<LOCALNET>.80.90':57960
'<LOCALNET>.80.91':62025
'<LOCALNET>.80.92':49706
'<LOCALNET>.80.93':53771
'<LOCALNET>.80.94':41708
'<LOCALNET>.80.95':45773
'<LOCALNET>.80.96':33454
'<LOCALNET>.80.97':37519
'<LOCALNET>.80.98':25440
'<LOCALNET>.80.85':33276
'<LOCALNET>.80.99':29505
'<LOCALNET>.80.101':19493
'<LOCALNET>.80.102':15432
'<LOCALNET>.80.103':11367
'<LOCALNET>.80.104':29717
'<LOCALNET>.80.105':25652
'<LOCALNET>.80.106':21591
'<LOCALNET>.80.107':17526
'<LOCALNET>.80.108':46489
'<LOCALNET>.80.109':42424
'<LOCALNET>.80.110':12053
'<LOCALNET>.80.111':16118
'<LOCALNET>.80.112':10210
'<LOCALNET>.80.113':14275
'<LOCALNET>.80.100':13457
'<LOCALNET>.80.232':16453
'<LOCALNET>.80.137':14490

Miscellaneous

Searches for the following windows

ClassName: 'ProgMan' WindowName: ''
ClassName: 'SHELLDLL_DefView' WindowName: ''
ClassName: 'SysListView32' WindowName: ''

Creates and executes the following

'<SYSTEM32>\ipconfig.exe' /flushdns' (with hidden window)

Executes the following

'%WINDIR%\syswow64\wpdshextautoplay.exe'
'%WINDIR%\syswow64\tstheme.exe'
'%WINDIR%\syswow64\wsmprovhost.exe'
'%WINDIR%\syswow64\logagent.exe'
'%WINDIR%\syswow64\winrshost.exe'
'%WINDIR%\syswow64\upnpcont.exe'
'<SYSTEM32>\ipconfig.exe' /flushdns
'<SYSTEM32>\rundll32.exe' <SYSTEM32>\FirewallControlPanel.dll,ShowNotificationDialog /configure /ETOnly 0 /OnProfiles 6 /OtherAllowed 0 /OtherBlocked 0 /OtherEdgeAllowed 0 /NewBlocked 4 "%WINDIR%\syswow64\wpdshextautopl...
'<SYSTEM32>\rundll32.exe' <SYSTEM32>\FirewallControlPanel.dll,ShowNotificationDialog /configure /ETOnly 0 /OnProfiles 6 /OtherAllowed 0 /OtherBlocked 0 /OtherEdgeAllowed 0 /NewBlocked 4 "%WINDIR%\explorer.exe"

Технології

Терміни

Навчання

Міфи

Technical Information

Рекомендации по лечению

Демо бесплатно на 14 дней