Trojan.DownLoader35.3666

Добавлен в вирусную базу Dr.Web: 2020-10-19

Описание добавлено: 2020-10-21

Technical Information

To ensure autorun and distribution

Creates or modifies the following files

<SYSTEM32>\tasks\svchost
<SYSTEM32>\tasks\csrss
<SYSTEM32>\tasks\lsm
<SYSTEM32>\tasks\iexplore
<SYSTEM32>\tasks\dwm
<SYSTEM32>\tasks\wininit
<SYSTEM32>\tasks\explorer
<SYSTEM32>\tasks\audiodg
<SYSTEM32>\tasks\wmiprvse

Malicious functions

Searches for windows to

detect analytical utilities:

ClassName: 'OLLYDBG', WindowName: ''
ClassName: 'GBDYLLO', WindowName: ''
ClassName: 'pediy06', WindowName: ''
ClassName: 'FilemonClass', WindowName: ''
ClassName: '', WindowName: 'File Monitor - Sysinternals: www.sysinternals.com'
ClassName: 'PROCMON_WINDOW_CLASS', WindowName: ''
ClassName: '', WindowName: 'Process Monitor - Sysinternals: www.sysinternals.com'
ClassName: 'RegmonClass', WindowName: ''
ClassName: '', WindowName: 'Registry Monitor - Sysinternals: www.sysinternals.com'

Modifies file system

Creates the following files

%TEMP%\runtimedll.exe
C:\perflogs\admin\f4d236fdec2fd03914189c3b26e5cb0dfea9d761
C:\perflogs\admin\svchost.exe
C:\perflogs\admin\24dbde2999530ef5fd907494bc374d663924116c
C:\perflogs\admin\wmiprvse.exe
%ALLUSERSPROFILE%\oracle\java\installcache_x64\24dbde2999530ef5fd907494bc374d663924116c
%ALLUSERSPROFILE%\oracle\java\installcache_x64\wmiprvse.exe
%ProgramFiles(x86)%\windows defender\42af1c969fbb7b2ae36b0e06bea61fc9a154b4af
%ProgramFiles(x86)%\windows defender\audiodg.exe
%ALLUSERSPROFILE%\application data\7a0fd90576e08807bde2cc57bcf9854bbce05fe3
%ALLUSERSPROFILE%\application data\explorer.exe
<Current directory>\f4d236fdec2fd03914189c3b26e5cb0dfea9d761
<Current directory>\svchost.exe
C:\msocache\all users\{90140000-002c-0409-1000-0000000ff1ce}-c\proof.en\886983d96e3d3e31032c679b2d4ea91b6c05afef
C:\msocache\all users\{90140000-002c-0409-1000-0000000ff1ce}-c\proof.en\csrss.exe
C:\recovery\1195d5a8-f371-11e4-9c00-dd3082671db2\system.exe
C:\far2\plugins\tmppanel\9db6e019d4f04ef534d0f91b3462d805c40e9d20
C:\recovery\1195d5a8-f371-11e4-9c00-dd3082671db2\560854153607923c4c5f107085a7db67be01f252
C:\recovery\1195d5a8-f371-11e4-9c00-dd3082671db2\wininit.exe
%ALLUSERSPROFILE%\application data\6cb0b6c459d5d3455a3da700e713f2e2529862ff
%ALLUSERSPROFILE%\application data\dwm.exe
%ProgramFiles%\nod32kui\9db6e019d4f04ef534d0f91b3462d805c40e9d20
%ProgramFiles%\nod32kui\iexplore.exe
C:\recovery\1195d5a8-f371-11e4-9c00-dd3082671db2\101b941d020240259ca4912829b53995ad543df6
C:\recovery\1195d5a8-f371-11e4-9c00-dd3082671db2\lsm.exe
C:\msocache\all users\{90140000-0115-0409-1000-0000000ff1ce}-c\886983d96e3d3e31032c679b2d4ea91b6c05afef
C:\msocache\all users\{90140000-0115-0409-1000-0000000ff1ce}-c\csrss.exe
%TEMP%\ad0c3fba2bf08c05323568c4b4a3b91c.dat
%ProgramFiles(x86)%\windows defender\en-us\f4d236fdec2fd03914189c3b26e5cb0dfea9d761
%ProgramFiles(x86)%\windows defender\en-us\svchost.exe
%TEMP%\extrimhack_free_18.10.2020_.exe
C:\far2\plugins\tmppanel\iexplore.exe
C:\recovery\1195d5a8-f371-11e4-9c00-dd3082671db2\27d1bcfc3c54e0e44ea423ffd4ee81fe73670a2a

Network activity

TCP

'di##ord.gg':443
'vk.com':443
'su####0.userapi.com':443
'su####8.userapi.com':443
'su####.userapi.com':443
'su####2.userapi.com':443
'su####1.userapi.com':443
'su####5.userapi.com':443
'su####9.userapi.com':443
'su####6.userapi.com':443
'su####3.userapi.com':443
'su####4.userapi.com':443
'su####7.userapi.com':443

UDP

DNS ASK di##ord.gg
DNS ASK vk.com
DNS ASK microsoft.com
DNS ASK su####0.userapi.com
DNS ASK su####.userapi.com
DNS ASK su####2.userapi.com
DNS ASK su####8.userapi.com
DNS ASK su####1.userapi.com
DNS ASK su####5.userapi.com
DNS ASK su####9.userapi.com
DNS ASK su####6.userapi.com
DNS ASK su####3.userapi.com
DNS ASK su####4.userapi.com
DNS ASK su####7.userapi.com

Miscellaneous

Searches for the following windows

ClassName: '18467-41' WindowName: ''
ClassName: 'DDEMLMom' WindowName: ''
ClassName: 'IEFrame' WindowName: ''
ClassName: 'Static' WindowName: ''
ClassName: 'MS_AutodialMonitor' WindowName: ''
ClassName: 'MS_WebCheckMonitor' WindowName: ''

Creates and executes the following

'%TEMP%\runtimedll.exe'
'%TEMP%\extrimhack_free_18.10.2020_.exe'

Executes the following

'%WINDIR%\syswow64\cmd.exe' /c start https://discord.gg/uS48TNZ
'<SYSTEM32>\schtasks.exe' /create /tn "dwm" /sc ONLOGON /tr "'%ProgramFiles(x86)%\Microsoft Analysis Services\AS OLEDB\10\Cartridges\dwm.exe'" /rl HIGHEST /f
'<SYSTEM32>\schtasks.exe' /create /tn "svchost" /sc ONLOGON /tr "'C:\Recovery\1195d5a8-f371-11e4-9c00-dd3082671db2\svchost.exe'" /rl HIGHEST /f
'<SYSTEM32>\schtasks.exe' /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\1195d5a8-f371-11e4-9c00-dd3082671db2\csrss.exe'" /rl HIGHEST /f
'<SYSTEM32>\schtasks.exe' /create /tn "WUDFHost" /sc ONLOGON /tr "'%WINDIR%\IME\en-US\WUDFHost.exe'" /rl HIGHEST /f
'<SYSTEM32>\schtasks.exe' /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\1195d5a8-f371-11e4-9c00-dd3082671db2\System.exe'" /rl HIGHEST /f
'<SYSTEM32>\schtasks.exe' /create /tn "svchost" /sc ONLOGON /tr "'C:\PerfLogs\Admin\svchost.exe'" /rl HIGHEST /f
'<SYSTEM32>\schtasks.exe' /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\PerfLogs\Admin\WmiPrvSE.exe'" /rl HIGHEST /f
'<SYSTEM32>\schtasks.exe' /create /tn "WmiPrvSE" /sc ONLOGON /tr "'%ALLUSERSPROFILE%\Oracle\Java\installcache_x64\WmiPrvSE.exe'" /rl HIGHEST /f
'<SYSTEM32>\schtasks.exe' /create /tn "audiodg" /sc ONLOGON /tr "'%ProgramFiles(x86)%\Windows Defender\audiodg.exe'" /rl HIGHEST /f
'<SYSTEM32>\schtasks.exe' /create /tn "dwm" /sc ONLOGON /tr "'C:\totalcmd\LANGUAGE\dwm.exe'" /rl HIGHEST /f
'<SYSTEM32>\schtasks.exe' /create /tn "explorer" /sc ONLOGON /tr "'%ALLUSERSPROFILE%\Application Data\explorer.exe'" /rl HIGHEST /f
'<SYSTEM32>\schtasks.exe' /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.en\csrss.exe'" /rl HIGHEST /f
'<SYSTEM32>\schtasks.exe' /create /tn "iexplore" /sc ONLOGON /tr "'C:\Far2\Plugins\TmpPanel\iexplore.exe'" /rl HIGHEST /f
'<SYSTEM32>\schtasks.exe' /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\1195d5a8-f371-11e4-9c00-dd3082671db2\wininit.exe'" /rl HIGHEST /f
'<SYSTEM32>\schtasks.exe' /create /tn "dwm" /sc ONLOGON /tr "'%ALLUSERSPROFILE%\Application Data\dwm.exe'" /rl HIGHEST /f
'<SYSTEM32>\schtasks.exe' /create /tn "iexplore" /sc ONLOGON /tr "'%ProgramFiles%\nod32kui\iexplore.exe'" /rl HIGHEST /f
'<SYSTEM32>\schtasks.exe' /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\1195d5a8-f371-11e4-9c00-dd3082671db2\lsm.exe'" /rl HIGHEST /f
'<SYSTEM32>\schtasks.exe' /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
'<SYSTEM32>\schtasks.exe' /create /tn "svchost" /sc ONLOGON /tr "'%ProgramFiles(x86)%\Windows Defender\en-US\svchost.exe'" /rl HIGHEST /f
'%WINDIR%\syswow64\cmd.exe' /c start https://vk.com/extrimhack_free
'<SYSTEM32>\schtasks.exe' /create /tn "svchost" /sc ONLOGON /tr "'<Current directory>\svchost.exe'" /rl HIGHEST /f
'<SYSTEM32>\schtasks.exe' /create /tn "spoolsv" /sc ONLOGON /tr "'%ProgramFiles%\ISPNews\spoolsv.exe'" /rl HIGHEST /f

Технології

Терміни

Навчання

Міфи

Technical Information

Рекомендации по лечению

Демо бесплатно на 14 дней