Trojan.DownLoader5.15563

Техническая информация

Для обеспечения автозапуска и распространения:

Модифицирует следующие ключи реестра:

[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001] 'LibraryPath' = 'mswsock.dll'
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003] 'LibraryPath' = 'mswsock.dll'
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008] 'PackedCatalogItem' = ''

Создает следующие сервисы:

[<HKLM>\SYSTEM\ControlSet001\Services\.netbt] 'ImagePath' = '\*'

Вредоносные функции:

Внедряет код в

следующие системные процессы:

<SYSTEM32>\winlogon.exe

Изменения в файловой системе:

Создает следующие файлы:

%WINDIR%\$NtUninstallKB27979$\4121336045\cfg.ini
%WINDIR%\$NtUninstallKB27979$\4121336045\@
%WINDIR%\$NtUninstallKB27979$\4121336045\Desktop.ini
%WINDIR%\$NtUninstallKB27979$\4121336045\L\alehhooo

Сетевая активность:

Подключается к:

'89.##4.179.47':34354
'76.##6.110.114':34354
'72.##7.160.38':34354
'46.#5.6.114':34354
'15#.#24.149.190':34354
'70.##9.209.242':34354
'91.#92.3.48':34354
'41.##2.178.87':34354
'88.##7.87.244':34354
'20#.#4.253.44':34354
'85.##5.26.224':34354
'74.##3.101.112':34354
'17#.#02.35.174':34354
'19#.#77.154.150':34354
'68.##6.114.177':34354
'10#.#7.189.161':34354
'11#.#06.136.57':34354
'16#.#37.161.231':34354
'46.##6.242.120':34354
'17#.#5.18.185':34354
'19#.#09.68.153':34354
'90.##.214.135':34354
'98.##.85.131':34354
'18#.#4.174.35':34354
'17#.#.126.127':34354
'92.##3.208.179':34354
'18#.#23.121.86':34354
'24.##8.201.141':34354
'18#.#2.120.194':34354
'69.##0.64.31':34354
'70.##0.30.204':34354
'46.##2.105.78':34354
'74.##.130.102':34354
'17#.#17.226.82':34354
'20#.#.249.120':34354
'71.##7.163.157':34354
'18#.#6.193.230':34354
'11#.#7.146.115':34354
'19#.#04.107.145':34354
'17#.#13.81.18':34354
'95.##.230.240':34354
'97.#6.39.52':34354
'20#.#09.32.214':34354
'18#.#9.219.144':34354
'20#.#10.207.221':34354
'69.##4.180.148':34354
'98.##7.157.220':34354
'95.##.166.54':34354
'75.##3.157.149':34354
'18#.#0.201.103':34354
'76.##7.112.254':34354
'96.##.33.172':34354
'70.##3.53.102':34354
'71.##.193.246':34354
'85.##8.38.108':34354
'91.#0.212.7':34354
'2.##3.54.89':34354
'19#.#19.148.94':34354
'18#.#2.128.43':34354
'17#.#62.124.79':34354
'84.##2.27.181':34354
'20#.#5.55.197':34354
'24.##5.82.23':34354
'19#.#77.155.28':34354
'16#.#54.153.220':34354
'65.##.123.229':34354
'76.##.172.37':34354
'93.##8.8.175':34354
'21#.#83.247.103':34354
'98.##7.178.163':34354
'72.##6.37.44':34354
'20#.#88.178.77':34354
'74.##0.193.198':34354
'46.##.155.46':34354
'70.#5.63.51':34354
'18#.#23.57.222':34354
'20#.#66.43.232':34354
'17#.#88.240.45':34354
'17#.#1.108.157':34354
'17#.#6.241.228':34354
'11#.#01.27.178':34354
'11#.#03.121.41':34354
'11#.#55.243.87':34354
'76.##5.76.247':34354
'67.##9.58.120':34354
'70.##6.39.133':34354
'20#.#0.97.128':34354
'96.##.140.159':34354
'77.##4.102.169':34354
'18#.#2.14.113':34354
'67.##8.43.101':34354
'90.##6.95.168':34354
'24.##.222.246':34354
'12#.#78.175.222':34354
'75.##8.216.215':34354
'19#.#64.107.231':34354
'18#.#07.112.22':34354
'70.##1.27.249':34354
'15#.#5.175.68':34354
'46.##0.177.243':34354
'17#.#00.230.27':34354
'76.##0.170.237':34354
'98.##3.10.78':34354
'69.##7.209.151':34354
'12#.#03.203.195':34354
'88.##1.52.66':34354
'18#.#4.68.68':34354
'89.##5.33.185':34354
'59.##8.120.52':34354
'24.##9.183.236':34354
'19#.#.210.61':34354
'75.##.110.36':34354
'68.##9.228.66':34354
'18#.#6.120.106':34354
'41.##0.93.60':34354
'95.##.204.231':34354
'67.##2.26.99':34354
'24.##8.207.201':34354
'92.##.136.30':34354
'17#.48.43.4':34354
'97.##.238.152':34354
'18#.#33.27.26':34354
'11#.#04.117.154':34354
'17#.#8.80.206':34354
'11#.#49.148.190':34354
'19#.#9.3.228':34354
'19#.#4.119.22':34354
'67.##7.37.42':34354
'76.#12.6.55':34354
'95.##.81.207':34354
'19#.#74.160.91':34354
'21#.#1.188.197':34354
'17#.#48.2.49':34354
'76.##7.190.219':34354
'18#.#57.75.43':34354
'74.##0.112.28':34354
'20#.#91.245.73':34354
'70.##1.131.232':34354
'68.##.209.151':34354
'17#.#24.194.100':34354
'21#.#33.8.133':34354
'76.##.240.191':34354
'76.##0.170.158':34354
'68.##.119.178':34354
'94.##1.39.19':34354
'74.##.82.176':34354
'72.##0.3.108':34354
'41.##1.8.210':34354
'76.##1.0.129':34354
'17#.#9.23.123':34354
'19#.#06.199.75':34354
'18#.#6.171.151':34354
'31.##5.112.124':34354
'20#.#31.181.133':34354
'10#.#38.26.102':34354
'31.##2.188.113':34354
'17#.#4.50.28':34354
'95.##.209.35':34354
'19#.#22.201.211':34354
'95.##.238.225':34354
'87.##.91.102':34354
'10#.#18.14.144':34354
'71.##9.64.168':34354
'19#.#18.89.53':34354
'71.#.200.88':34354
'84.#.32.88':34354
'77.##.221.165':34354
'24.##6.83.216':34354
'21#.#0.233.243':34354
'99.##0.204.92':34354
'18#.#26.204.2':34354
'localhost':80
'82.##2.128.251':34354
'71.##7.182.131':34354
'71.##8.10.225':34354
'18#.#94.32.120':34354
'69.##5.188.147':34354
'62.##5.144.249':34354
'79.##6.182.180':34354
'20#.#73.10.138':34354
'98.##.183.165':34354
'75.##5.184.31':34354
'17#.#1.54.247':34354
'18#.#97.115.157':34354
'2.##.140.141':34354
'10#.#4.110.230':34354
'24.##.40.158':34354
'20#.#35.164.80':34354
'65.#.0.145':34354
'96.#7.41.3':34354
'74.##5.182.197':34354
'79.#4.0.106':34354
'71.##6.37.209':34354
'98.##4.99.162':34354
'76.##5.74.146':34354
'84.##.100.30':34354
'21#.#3.80.88':34354
'17#.#5.114.38':34354
'18#.#9.248.241':34354
'10#.#6.51.87':34354
'24.#.158.21':34354
'12#.#21.44.158':34354
'75.##0.160.158':34354
'46.##7.76.230':34354
'72.##8.81.118':34354
'19#.#5.44.82':34354
'10#.#10.147.168':34354
'91.##7.60.22':34354
'71.##1.200.100':34354
'94.##7.100.69':34354
'19#.#07.229.157':34354
'96.##.182.134':34354
'74.##4.169.33':34354
'24.##4.191.66':34354
'95.##.242.126':34354
'75.##9.13.220':34354
'41.##1.48.69':34354
'92.##6.71.187':34354
'75.#.223.69':34354
'50.##.204.126':34354
'20#.#65.27.132':34354
'19#.#38.219.137':34354
'19#.#24.136.235':34354
'24.##3.191.56':34354
'75.##3.22.145':34354
'10#.#34.186.98':34354
'21#.#25.232.221':34354
'98.##9.226.234':34354
'75.##0.244.130':34354
'24.#.131.50':34354
'4.##.160.10':34354
'19#.#06.99.128':34354
'11#.#20.105.114':34354
'67.##.13.187':34354
'84.##2.246.9':34354
'18#.#4.124.225':34354
'13#.#1.170.205':34354
'67.##0.126.48':34354
'71.##2.191.125':34354
'66.##0.243.157':34354
'75.#44.81.6':34354
'87.##5.248.10':34354
'74.#95.8.80':34354
'68.##7.186.4':34354
'17#.#07.244.165':34354
'69.##4.186.210':34354
'20#.#60.232.90':34354
'2.##.21.73':34354
'46.##.149.197':34354
'98.##4.93.189':34354
'17#.#1.87.55':34354
'96.#9.84.56':34354
'24.##3.222.3':34354
'17#.#02.4.22':34354
'89.##5.240.34':34354
'76.##3.76.200':34354
'71.##2.255.76':34354

TCP:

Запросы HTTP GET:

localhost/stat2.php?&a###
localhost/stat2.php?&a##

Технології

Терміни

Навчання

Міфи

Техническая информация

Рекомендации по лечению

Демо бесплатно на 14 дней