Trojan.DownLoader5.26767

Техническая информация

Для обеспечения автозапуска и распространения:

Модифицирует следующие ключи реестра:

[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001] 'LibraryPath' = 'mswsock.dll'
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003] 'LibraryPath' = 'mswsock.dll'
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008] 'PackedCatalogItem' = ''

Создает следующие сервисы:

[<HKLM>\SYSTEM\ControlSet001\Services\.ipsec] 'ImagePath' = '\*'

Вредоносные функции:

Внедряет код в

следующие системные процессы:

<SYSTEM32>\winlogon.exe
%WINDIR%\Explorer.EXE

Изменения в файловой системе:

Создает следующие файлы:

%WINDIR%\$NtUninstallKB27979$\4121336045\cfg.ini
%WINDIR%\$NtUninstallKB27979$\4121336045\@
%WINDIR%\$NtUninstallKB27979$\4121336045\Desktop.ini
%WINDIR%\$NtUninstallKB27979$\4121336045\L\alehhooo

Сетевая активность:

Подключается к:

'18#.#1.219.8':34354
'69.##4.255.206':34354
'71.##.192.120':34354
'68.##.116.173':34354
'75.##.237.93':34354
'75.##1.58.166':34354
'75.##.143.197':34354
'98.#2.189.6':34354
'75.##3.130.53':34354
'24.##8.229.83':34354
'21#.#75.66.249':34354
'69.##9.64.234':34354
'24.#6.50.74':34354
'70.##7.204.210':34354
'17#.#2.135.6':34354
'71.##5.255.80':34354
'72.##0.91.252':34354
'75.##1.251.221':34354
'31.##8.86.216':34354
'69.##4.209.69':34354
'18#.75.5.43':34354
'20#.#20.19.75':34354
'68.##7.81.118':34354
'98.##7.184.113':34354
'76.#1.57.87':34354
'18#.#06.7.216':34354
'68.#4.10.73':34354
'75.##.213.52':34354
'98.##.217.252':34354
'98.##9.117.196':34354
'75.##1.110.136':34354
'98.##9.159.131':34354
'20#.#41.18.164':34354
'69.##4.185.117':34354
'50.#2.85.95':34354
'76.##1.222.212':34354
'67.##5.96.114':34354
'50.#33.2.72':34354
'65.##.45.237':34354
'71.#34.21.8':34354
'24.##.56.160':34354
'2.##2.6.122':34354
'69.##1.189.43':34354
'11#.#01.108.67':34354
'68.##.23.155':34354
'17#.#0.91.230':34354
'68.##2.15.158':34354
'97.##.205.236':34354
'74.##5.37.164':34354
'24.##5.58.123':34354
'24.##7.52.139':34354
'75.#1.107.2':34354
'72.##0.73.218':34354
'74.#8.107.1':34354
'18#.#1.100.6':34354
'68.##.179.23':34354
'74.##4.243.16':34354
'17#.#34.109.4':34354
'71.##3.241.114':34354
'69.#2.71.71':34354
'24.##6.64.225':34354
'72.##2.213.246':34354
'1.##.56.231':34354
'17#.#1.205.120':34354
'96.##.70.175':34354
'71.##.40.235':34354
'70.##9.249.21':34354
'71.##9.62.133':34354
'17#.#72.242.225':34354
'98.##2.178.123':34354
'68.##6.87.173':34354
'75.##.125.32':34354
'68.##.52.171':34354
'98.##0.63.208':34354
'76.##.134.208':34354
'50.##3.9.126':34354
'75.##.127.213':34354
'75.##.255.114':34354
'17#.#5.235.74':34354
'69.##4.81.68':34354
'75.##.137.147':34354
'11#.#4.13.200':34354
'68.#0.30.5':34354
'76.##6.110.120':34354
'20#.#39.213.21':34354
'19#.#74.121.244':34354
'67.##4.56.94':34354
'98.##2.198.40':34354
'69.##3.114.73':34354
'65.##.187.163':34354
'19#.#74.59.168':34354
'71.##.116.228':34354
'65.##.208.119':34354
'88.##4.104.102':34354
'24.#.103.47':34354
'74.##9.49.79':34354
'66.##.247.21':34354
'67.##6.112.137':34354
'97.##.240.161':34354
'98.##1.167.230':34354
'98.##5.99.40':34354
'98.##0.67.27':34354
'71.##0.104.15':34354
'76.##5.43.175':34354
'72.##7.230.154':34354
'71.##4.196.231':34354
'67.##.253.167':34354
'17#.#07.100.45':34354
'24.#.139.152':34354
'69.##1.144.129':34354
'24.##7.50.154':34354
'70.##0.183.102':34354
'10#.#12.73.67':34354
'76.##.212.176':34354
'97.##.118.26':34354
'18#.#66.184.227':34354
'75.##.187.243':34354
'24.##4.49.116':34354
'17#.#0.86.187':34354
'17#.#82.156.136':34354
'70.##0.247.31':34354
'69.##1.48.32':34354
'68.##.27.220':34354
'24.#.233.171':34354
'17#.#40.83.135':34354
'18#.#84.90.252':34354
'17#.#9.158.8':34354
'71.##.56.173':34354
'71.##9.117.142':34354
'24.##.228.173':34354
'68.#.49.141':34354
'98.##4.104.149':34354
'76.##0.139.139':34354
'18#.#8.60.96':34354
'66.##0.27.64':34354
'69.#35.6.16':34354
'96.##.35.219':34354
'11#.#01.87.175':34354
'68.#6.37.45':34354
'99.##9.195.21':34354
'98.##2.129.100':34354
'67.##.181.247':34354
'84.##1.150.82':34354
'17#.#6.172.10':34354
'17#.#5.109.165':34354
'76.##.58.137':34354
'72.##5.138.78':34354
'66.##7.71.28':34354
'67.##4.152.169':34354
'13#.#4.105.18':34354
'66.##.160.219':34354
'75.##7.151.64':34354
'99.##.133.113':34354
'75.##6.102.144':34354
'24.#.239.77':34354
'24.##.159.190':34354
'76.##2.167.103':34354
'17#.#69.231.160':34354
'68.##.120.203':34354
'17#.#1.211.56':34354
'83.##3.237.232':34354
'17#.#4.29.72':34354
'67.##0.164.11':34354
'71.#4.87.3':34354
'71.##.122.143':34354
'24.##.198.161':34354
'67.##.32.252':34354
'64.##.125.77':34354
'75.#8.38.70':34354
'96.##.242.119':34354
'19#.#9.51.169':34354
'localhost':80
'15#.#81.135.111':34354
'75.##.218.43':34354
'70.#26.0.55':34354
'21#.#86.184.32':34354
'67.##.130.130':34354
'18#.#45.52.44':34354
'74.##8.54.236':34354
'17#.#08.78.31':34354
'71.##0.192.170':34354
'99.##.136.21':34354
'76.##.108.240':34354
'65.##.125.185':34354
'68.##6.227.246':34354
'75.##9.42.197':34354
'66.##.181.217':34354
'17#.#6.197.44':34354
'69.##6.59.181':34354
'68.#5.112.3':34354
'97.##.22.122':34354
'67.##5.36.170':34354
'68.##.50.222':34354
'69.##2.218.185':34354
'96.##.47.133':34354
'50.##9.16.61':34354
'71.##6.105.207':34354
'24.#3.3.215':34354
'72.##9.35.177':34354
'68.#3.60.26':34354
'24.##.117.189':34354
'50.##.178.29':34354
'76.##7.246.96':34354
'71.#6.40.21':34354
'10#.#.34.119':34354
'20#.#20.143.188':34354
'50.#1.47.2':34354
'85.##.227.167':34354
'98.##7.125.11':34354
'70.##5.120.15':34354
'72.##5.235.191':34354
'71.#8.11.51':34354
'71.##.142.93':34354
'21#.#8.161.93':34354
'68.##.156.226':34354
'98.##2.212.89':34354
'98.##.230.52':34354
'17#.#7.26.155':34354
'24.##0.116.134':34354
'50.##.39.192':34354
'10#.#.119.46':34354
'17#.#02.40.163':34354
'10#.#0.249.4':34354
'65.##.220.190':34354
'76.##.70.118':34354
'71.##4.30.244':34354
'24.##2.74.255':34354
'18#.#75.131.114':34354
'24.##0.159.62':34354
'98.##4.238.60':34354
'98.##8.41.194':34354
'70.##6.204.243':34354
'98.##8.141.23':34354
'24.##3.72.135':34354
'74.##.190.188':34354
'66.##.11.214':34354
'18#.#1.104.181':34354
'69.##1.190.12':34354
'12.##7.53.210':34354
'71.#2.145.3':34354
'76.##.170.73':34354
'72.##8.184.25':34354
'20#.#31.246.207':34354
'98.##.111.12':34354
'76.##7.110.122':34354
'75.##6.9.198':34354
'75.#3.240.7':34354
'24.##3.208.8':34354
'50.#4.21.69':34354
'50.##.37.124':34354
'24.##9.74.152':34354
'74.##.23.104':34354
'71.##5.165.15':34354
'70.##.228.94':34354
'72.##1.139.146':34354
'17#.#6.67.126':34354
'96.##.246.16':34354

TCP:

Запросы HTTP GET:

eg##kkid.cn/stat2.php?&a#################
eg##kkid.cn/stat2.php?&a################

Технології

Терміни

Навчання

Міфи

Техническая информация

Рекомендации по лечению

Демо бесплатно на 14 дней