Trojan.DownLoader5.35672

Техническая информация

Для обеспечения автозапуска и распространения:

Модифицирует следующие ключи реестра:

[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001] 'LibraryPath' = 'mswsock.dll'
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003] 'LibraryPath' = 'mswsock.dll'
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008] 'PackedCatalogItem' = ''

Создает следующие сервисы:

[<HKLM>\SYSTEM\ControlSet001\Services\.mrxsmb] 'ImagePath' = '\*'

Вредоносные функции:

Внедряет код в

следующие системные процессы:

<SYSTEM32>\winlogon.exe
%WINDIR%\Explorer.EXE

Изменения в файловой системе:

Создает следующие файлы:

%WINDIR%\$NtUninstallKB27979$\4121336045\cfg.ini
%WINDIR%\$NtUninstallKB27979$\4121336045\@
%WINDIR%\$NtUninstallKB27979$\4121336045\Desktop.ini
%WINDIR%\$NtUninstallKB27979$\4121336045\L\alehhooo

Самоудаляется.

Сетевая активность:

Подключается к:

'17#.2.62.45':34354
'71.##.194.19':34354
'69.##2.231.169':34354
'24.##9.203.245':34354
'97.##.196.77':34354
'69.##7.3.248':34354
'68.##1.147.68':34354
'99.##.86.116':34354
'98.##.224.171':34354
'24.##.243.245':34354
'84.##.154.53':34354
'85.##5.21.155':34354
'75.##.11.170':34354
'17#.#7.158.139':34354
'18#.#7.179.84':34354
'65.#.67.84':34354
'14#.#8.197.186':34354
'71.##5.57.160':34354
'76.#11.58.1':34354
'12#.#34.195.69':34354
'66.##.51.158':34354
'21#.#48.62.53':34354
'12#.#3.20.99':34354
'20#.#74.193.27':34354
'99.##1.135.250':34354
'69.##4.175.10':34354
'71.#.98.40':34354
'75.#85.1.78':34354
'87.##.91.102':34354
'18#.#27.108.198':34354
'66.##1.177.52':34354
'50.##.173.202':34354
'24.#53.5.74':34354
'75.##9.184.94':34354
'98.##0.63.216':34354
'99.##.128.76':34354
'75.##2.191.83':34354
'75.##1.43.134':34354
'68.##5.43.150':34354
'68.##.80.114':34354
'66.##0.242.153':34354
'97.#03.9.56':34354
'91.##7.60.22':34354
'69.##4.17.218':34354
'24.##.38.239':34354
'17#.#.227.42':34354
'76.##3.64.42':34354
'69.##0.67.25':34354
'69.##0.202.121':34354
'76.##7.204.193':34354
'18#.#0.240.96':34354
'69.##2.100.119':34354
'19#.#3.102.212':34354
'77.##.107.147':34354
'97.#6.8.13':34354
'75.##.190.92':34354
'75.##7.108.158':34354
'69.##2.71.22':34354
'18#.#55.35.177':34354
'68.##.181.156':34354
'69.##5.205.70':34354
'76.##6.13.197':34354
'2.###.29.105':34354
'20#.#29.146.73':34354
'69.##4.122.141':34354
'67.##8.181.9':34354
'19#.#8.85.200':34354
'70.##6.83.96':34354
'67.#.73.163':34354
'99.##6.208.227':34354
'68.##.46.189':34354
'71.##.239.57':34354
'80.##1.43.192':34354
'27.#.197.53':34354
'75.##6.115.133':34354
'18#.#6.164.187':34354
'20#.#08.100.75':34354
'15#.#5.173.199':34354
'66.##.121.195':34354
'24.##.223.197':34354
'11#.#68.87.236':34354
'10#.#0.126.135':34354
'98.##8.236.184':34354
'68.##7.203.137':34354
'75.##.95.116':34354
'42.##1.192.19':34354
'76.##1.35.135':34354
'17#.#0.156.116':34354
'74.##.208.60':34354
'75.##.108.251':34354
'24.##8.68.218':34354
'14.##6.177.183':34354
'68.#3.23.11':34354
'67.##.242.235':34354
'24.##1.240.11':34354
'24.#.20.233':34354
'71.##8.187.91':34354
'85.##6.190.34':34354
'75.##3.17.214':34354
'50.##.132.140':34354
'68.##2.237.73':34354
'24.##7.75.176':34354
'70.##.249.221':34354
'18#.#.245.89':34354
'75.##0.148.152':34354
'10#.#.45.168':34354
'21#.#11.71.171':34354
'12#.#4.170.152':34354
'94.##0.131.227':34354
'76.##1.30.66':34354
'76.##0.159.249':34354
'96.##.170.34':34354
'99.##0.175.117':34354
'17#.#8.190.80':34354
'75.##6.41.160':34354
'94.##7.12.116':34354
'75.##8.43.102':34354
'98.##.83.180':34354
'67.##4.121.184':34354
'71.##9.174.10':34354
'89.##4.116.58':34354
'24.##7.107.167':34354
'46.##9.123.74':34354
'24.##8.7.216':34354
'21#.#19.20.68':34354
'68.#.195.104':34354
'24.##8.30.130':34354
'24.##.161.63':34354
'66.#1.90.87':34354
'74.##1.125.158':34354
'17#.#2.113.231':34354
'68.##1.57.53':34354
'76.##0.159.107':34354
'72.##1.102.130':34354
'70.##6.70.145':34354
'76.##8.42.209':34354
'12.##.17.153':34354
'17#.#18.18.66':34354
'68.#8.89.25':34354
'50.##.160.27':34354
'68.#.72.35':34354
'75.##6.30.123':34354
'70.##9.240.160':34354
'68.##.168.93':34354
'66.##.203.174':34354
'24.##7.127.7':34354
'17#.59.9.42':34354
'71.##9.254.205':34354
'68.##4.243.11':34354
'71.##7.87.229':34354
'50.##.67.105':34354
'66.##9.5.117':34354
'70.##6.138.172':34354
'24.##.169.72':34354
'66.##.210.218':34354
'68.##.254.26':34354
'99.##6.25.132':34354
'17#.#3.211.17':34354
'24.##6.236.112':34354
'74.#0.68.18':34354
'75.##7.98.222':34354
'65.##.190.112':34354
'18#.#.239.47':34354
'71.#0.12.11':34354
'24.##6.174.0':34354
'68.##.109.165':34354
'68.##9.167.204':34354
'18#.#10.163.82':34354
'67.##.206.207':34354
'71.##.143.95':34354
'24.##6.206.67':34354
'localhost':80
'24.##7.73.23':34354
'75.##.186.195':34354
'71.##9.82.125':34354
'67.#91.15.6':34354
'42.##1.208.82':34354
'70.##2.86.153':34354
'50.##5.146.123':34354
'69.#40.94.9':34354
'10#.#9.50.70':34354
'21#.#7.238.158':34354
'62.##.134.92':34354
'68.#4.6.234':34354
'69.##8.177.55':34354
'24.##6.8.239':34354
'24.##0.42.134':34354
'99.##.115.212':34354
'66.##9.83.80':34354
'66.##.251.123':34354
'17#.#74.147.110':34354
'71.##.105.168':34354
'98.##7.125.11':34354
'68.##.175.92':34354
'75.##.222.247':34354
'99.##4.123.7':34354
'12.#.118.60':34354
'24.##.76.247':34354
'75.#3.14.62':34354
'68.##0.73.154':34354
'24.#2.9.25':34354
'98.##0.76.87':34354
'72.##0.7.200':34354
'75.##6.6.188':34354
'75.##0.244.34':34354
'76.##1.189.111':34354
'75.##2.111.243':34354
'76.##5.116.34':34354
'50.##.119.104':34354
'20#.#1.128.28':34354
'24.##8.253.30':34354
'69.##3.116.196':34354
'68.##5.182.244':34354
'50.##.231.161':34354
'75.##7.86.213':34354
'68.#4.55.54':34354
'19#.#38.110.38':34354
'98.##2.83.43':34354
'72.##4.103.187':34354
'71.##.225.175':34354
'71.##4.123.185':34354
'70.##.213.104':34354
'50.#8.95.49':34354
'76.##.164.103':34354
'99.##0.32.184':34354
'76.##.20.156':34354
'74.#2.82.48':34354
'68.##.108.184':34354
'71.##9.230.72':34354
'24.#4.23.90':34354
'99.##.206.47':34354
'17#.#72.246.73':34354
'50.##.47.135':34354
'98.##9.197.171':34354
'19#.#06.154.148':34354
'69.#1.1.79':34354
'11#.#00.93.53':34354
'17#.#8.217.199':34354
'76.##.59.205':34354
'70.##7.165.206':34354
'24.##5.197.66':34354
'75.##.39.208':34354
'24.##2.72.115':34354
'18#.#55.207.203':34354
'10#.#42.27.228':34354
'10#.#.58.206':34354
'17#.#34.212.206':34354
'72.##7.115.123':34354
'69.##.52.220':34354
'84.##0.220.242':34354
'62.##.22.136':34354
'76.#8.46.38':34354
'71.##4.222.109':34354
'75.##2.221.248':34354
'70.##.100.182':34354
'75.##9.18.62':34354
'71.##2.133.143':34354

TCP:

Запросы HTTP GET:

fd##ipjx.cn/stat2.php?&a#################
fd##ipjx.cn/stat2.php?&a################

Технології

Терміни

Навчання

Міфи

Техническая информация

Рекомендации по лечению

Демо бесплатно на 14 дней