Trojan.DownLoader5.31535

Техническая информация

Для обеспечения автозапуска и распространения:

Модифицирует следующие ключи реестра:

[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001] 'LibraryPath' = 'mswsock.dll'
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003] 'LibraryPath' = 'mswsock.dll'
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008] 'PackedCatalogItem' = ''

Создает следующие сервисы:

[<HKLM>\SYSTEM\ControlSet001\Services\.ipsec] 'ImagePath' = '\*'

Вредоносные функции:

Внедряет код в

следующие системные процессы:

<SYSTEM32>\winlogon.exe
%WINDIR%\Explorer.EXE

Изменения в файловой системе:

Создает следующие файлы:

%WINDIR%\$NtUninstallKB27979$\4121336045\cfg.ini
%WINDIR%\$NtUninstallKB27979$\4121336045\@
%WINDIR%\$NtUninstallKB27979$\4121336045\Desktop.ini
%WINDIR%\$NtUninstallKB27979$\4121336045\L\alehhooo

Сетевая активность:

Подключается к:

'66.##6.143.236':34354
'66.##6.249.102':34354
'69.##4.36.57':34354
'69.##7.186.164':34354
'59.##1.136.35':34354
'72.##7.234.8':34354
'17#.#5.110.214':34354
'76.##1.239.27':34354
'71.##.228.184':34354
'98.##1.137.76':34354
'68.##.195.43':34354
'74.##.102.18':34354
'68.##1.208.167':34354
'68.##.171.106':34354
'72.##8.143.162':34354
'98.##9.183.85':34354
'67.##3.109.240':34354
'76.##5.85.87':34354
'68.##.105.147':34354
'72.##0.22.184':34354
'24.##3.210.60':34354
'17#.#18.98.168':34354
'75.##3.109.186':34354
'17#.#0.69.193':34354
'98.##3.47.39':34354
'95.##.100.98':34354
'17#.#34.209.2':34354
'97.##.84.112':34354
'69.##0.17.49':34354
'67.##0.65.237':34354
'72.##3.170.90':34354
'76.##3.128.71':34354
'68.##.175.104':34354
'69.##8.133.210':34354
'71.##5.88.171':34354
'71.##9.117.142':34354
'24.##.246.62':34354
'69.##5.106.16':34354
'72.##8.109.43':34354
'70.##0.205.50':34354
'20#.#11.76.225':34354
'96.##.161.24':34354
'65.##.199.165':34354
'66.##.141.152':34354
'67.##3.163.107':34354
'71.##4.239.35':34354
'69.##1.226.213':34354
'98.##8.3.105':34354
'76.##7.75.24':34354
'98.##5.71.233':34354
'99.##6.209.4':34354
'98.##2.185.227':34354
'99.##.186.42':34354
'74.##.227.209':34354
'66.##.28.102':34354
'76.##8.92.212':34354
'18#.#4.106.81':34354
'69.##2.196.116':34354
'76.##.255.113':34354
'17#.#6.241.31':34354
'18#.#78.138.233':34354
'69.##1.178.194':34354
'75.#4.55.1':34354
'17#.#3.134.37':34354
'74.##.154.14':34354
'65.##.195.228':34354
'68.#.177.254':34354
'96.##.53.214':34354
'67.##.79.225':34354
'71.##4.72.233':34354
'74.##3.204.213':34354
'17#.#06.113.10':34354
'77.##.126.123':34354
'75.##6.61.22':34354
'68.##8.189.14':34354
'68.#.181.102':34354
'69.##.201.166':34354
'98.##6.138.104':34354
'17#.#3.184.164':34354
'71.##6.210.74':34354
'12#.#18.177.149':34354
'72.##7.175.112':34354
'24.##5.87.160':34354
'24.##5.187.149':34354
'75.##6.48.216':34354
'76.##6.33.146':34354
'68.##.42.136':34354
'71.##9.116.248':34354
'76.##.20.212':34354
'70.##0.92.235':34354
'18#.#76.176.32':34354
'17#.#16.201.123':34354
'16#.#2.152.170':34354
'75.##.11.170':34354
'65.##.24.205':34354
'24.##7.253.62':34354
'76.##6.130.102':34354
'46.##5.1.207':34354
'75.##9.140.114':34354
'76.##.185.43':34354
'68.##3.96.42':34354
'99.##9.182.111':34354
'18#.#91.76.169':34354
'69.##6.89.114':34354
'69.##7.233.194':34354
'17#.#11.80.2':34354
'76.##.78.182':34354
'18#.#18.236.79':34354
'10#.#07.53.176':34354
'98.##8.232.243':34354
'17#.#1.78.109':34354
'98.#39.6.30':34354
'75.#4.84.95':34354
'71.##.188.200':34354
'75.##9.25.246':34354
'50.##3.135.211':34354
'65.##4.151.195':34354
'24.##6.26.135':34354
'68.#8.9.200':34354
'76.#7.57.28':34354
'98.##6.194.6':34354
'66.##6.174.107':34354
'97.##.43.120':34354
'68.##7.53.87':34354
'67.##3.171.8':34354
'18#.#10.215.152':34354
'20#.#2.34.239':34354
'74.#7.8.101':34354
'68.##6.55.172':34354
'74.##.87.176':34354
'72.##9.184.88':34354
'18#.#55.26.170':34354
'75.##0.92.221':34354
'68.##.76.228':34354
'98.##8.139.74':34354
'67.##7.162.178':34354
'68.##.156.11':34354
'74.##2.229.3':34354
'67.##.113.163':34354
'67.##0.141.153':34354
'17#.#1.56.43':34354
'24.##.32.130':34354
'69.##7.210.7':34354
'65.##.186.199':34354
'24.##6.2.136':34354
'19#.#62.217.132':34354
'18#.#46.56.14':34354
'24.##2.8.176':34354
'17#.#48.245.49':34354
'99.##0.47.121':34354
'18#.#7.14.125':34354
'68.#3.1.209':34354
'71.##3.20.254':34354
'69.##5.27.179':34354
'24.##0.137.197':34354
'24.#9.64.7':34354
'50.##.26.230':34354
'17#.#00.210.220':34354
'24.#.18.128':34354
'99.##9.227.104':34354
'10#.#5.122.184':34354
'98.#1.96.64':34354
'24.##7.34.78':34354
'24.##0.159.62':34354
'74.##.71.133':34354
'76.##6.155.58':34354
'70.##9.92.227':34354
'76.##9.48.111':34354
'67.##.205.170':34354
'98.##5.55.32':34354
'24.##5.241.205':34354
'localhost':80
'17#.#1.46.56':34354
'75.##6.62.234':34354
'67.##1.230.142':34354
'68.#.204.204':34354
'24.#.133.252':34354
'1.##.82.149':34354
'58.##0.140.244':34354
'69.##9.70.124':34354
'18#.#48.42.158':34354
'12#.#08.49.1':34354
'98.##4.211.74':34354
'70.##0.49.224':34354
'12#.#45.75.194':34354
'72.##0.75.81':34354
'65.#5.97.83':34354
'69.##9.110.9':34354
'76.##5.115.82':34354
'76.##7.123.4':34354
'17#.#3.135.108':34354
'74.##7.56.43':34354
'67.##3.109.143':34354
'24.##.38.194':34354
'76.##.152.53':34354
'50.##.218.165':34354
'17#.#58.65.41':34354
'75.#2.27.56':34354
'76.##7.117.217':34354
'17#.#4.103.212':34354
'70.##.176.187':34354
'71.#0.30.5':34354
'98.##7.91.24':34354
'18#.#8.52.110':34354
'69.##6.194.58':34354
'96.##.38.120':34354
'71.##4.60.23':34354
'18#.#9.76.73':34354
'11#.#17.177.38':34354
'67.##4.205.171':34354
'74.##.33.175':34354
'24.##.147.103':34354
'68.##4.255.202':34354
'67.##7.149.190':34354
'20#.#1.120.121':34354
'19#.#40.125.86':34354
'68.##2.174.232':34354
'78.##0.127.8':34354
'17#.#8.93.196':34354
'68.##.165.62':34354
'17#.1.103.8':34354
'72.#00.2.16':34354
'68.##.226.252':34354
'71.##.115.217':34354
'24.##4.120.223':34354
'64.##0.203.29':34354
'67.##2.232.216':34354
'98.##2.50.84':34354
'67.##.189.58':34354
'71.##5.91.35':34354
'10#.#0.249.4':34354
'76.##.112.233':34354
'24.#5.59.33':34354
'75.##3.67.54':34354
'67.##3.234.78':34354
'46.##.232.95':34354
'68.#.54.117':34354
'97.##.140.249':34354
'96.#9.43.22':34354
'76.##6.23.193':34354
'72.##.255.191':34354
'11#.#01.116.208':34354
'69.##2.131.113':34354
'98.##0.150.1':34354
'67.##9.240.179':34354
'11#.#19.190.158':34354
'98.##6.22.211':34354
'68.##6.54.42':34354
'98.##8.245.79':34354
'69.##.68.195':34354
'13#.#4.105.18':34354
'96.##.202.19':34354
'70.##2.99.45':34354
'72.##.184.226':34354
'89.##3.102.145':34354
'18#.#9.94.127':34354
'64.##.218.191':34354

TCP:

Запросы HTTP GET:

eg##kkid.cn/stat2.php?&a#################
eg##kkid.cn/stat2.php?&a################

Технології

Терміни

Навчання

Міфи

Техническая информация

Рекомендации по лечению

Демо бесплатно на 14 дней