Trojan.DownLoader5.24741

Техническая информация

Для обеспечения автозапуска и распространения:

Модифицирует следующие ключи реестра:

[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001] 'LibraryPath' = 'mswsock.dll'
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003] 'LibraryPath' = 'mswsock.dll'
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008] 'PackedCatalogItem' = ''

Создает следующие сервисы:

[<HKLM>\SYSTEM\ControlSet001\Services\.i8042prt] 'ImagePath' = '\*'

Вредоносные функции:

Внедряет код в

следующие системные процессы:

<SYSTEM32>\winlogon.exe
%WINDIR%\Explorer.EXE

Изменения в файловой системе:

Создает следующие файлы:

%WINDIR%\$NtUninstallKB27979$\4121336045\cfg.ini
%WINDIR%\$NtUninstallKB27979$\4121336045\@
%WINDIR%\$NtUninstallKB27979$\4121336045\Desktop.ini
%WINDIR%\$NtUninstallKB27979$\4121336045\L\alehhooo

Сетевая активность:

Подключается к:

'92.#6.11.92':34354
'94.##1.238.104':34354
'77.##2.196.95':34354
'15#.#81.134.103':34354
'12#.#92.30.113':34354
'69.##9.104.114':34354
'67.##.44.109':34354
'91.##5.50.110':34354
'17#.#00.58.242':34354
'17#.#1.114.20':34354
'69.##4.145.4':34354
'93.##.174.107':34354
'17#.#.128.99':34354
'68.##.43.102':34354
'11#.#41.127.171':34354
'12#.#3.20.99':34354
'85.##5.21.155':34354
'69.##5.205.70':34354
'59.##8.49.146':34354
'18#.#75.54.119':34354
'12#.#34.195.69':34354
'78.##.245.158':34354
'93.#5.33.70':34354
'49.##9.165.69':34354
'10#.#.107.129':34354
'2.##4.17.85':34354
'92.##.166.117':34354
'94.##8.64.120':34354
'71.##9.61.76':34354
'17#.#9.49.76':34354
'95.#6.11.12':34354
'99.##2.44.132':34354
'76.##9.113.12':34354
'76.##.123.169':34354
'98.##8.224.55':34354
'69.##5.87.61':34354
'46.##2.79.58':34354
'69.##5.187.175':34354
'68.##.167.57':34354
'70.##6.30.171':34354
'62.##.236.105':34354
'24.##.55.108':34354
'12#.#.233.184':34354
'98.##.61.143':34354
'74.##8.89.48':34354
'91.##4.232.50':34354
'15#.#0.144.68':34354
'17#.#11.11.182':34354
'67.##1.247.150':34354
'17#.#34.0.92':34354
'10#.#2.156.183':34354
'95.##.180.155':34354
'21#.#01.48.141':34354
'24.##7.99.16':34354
'18#.#61.29.143':34354
'18#.#43.206.4':34354
'17#.#25.13.62':34354
'85.##5.226.90':34354
'17#.#75.13.60':34354
'11#.#00.204.61':34354
'10#.#8.220.91':34354
'85.##.140.123':34354
'24.##3.3.122':34354
'24.##8.250.163':34354
'15#.#9.67.16':34354
'67.##.242.235':34354
'21#.#31.35.229':34354
'79.##3.197.234':34354
'71.##.59.251':34354
'46.##.132.254':34354
'75.##7.156.245':34354
'24.##9.203.245':34354
'75.##.127.30':34354
'2.##0.52.30':34354
'24.##.59.210':34354
'76.##9.148.213':34354
'76.##.123.28':34354
'11#.#02.5.16':34354
'11#.#40.70.219':34354
'18#.#0.120.35':34354
'95.##.71.243':34354
'76.##0.126.129':34354
'76.##9.155.110':34354
'68.##5.165.194':34354
'10#.#24.199.34':34354
'76.##9.189.227':34354
'64.##7.181.230':34354
'17#.#11.255.89':34354
'98.##7.236.5':34354
'68.#.170.96':34354
'68.##.214.26':34354
'98.##1.43.254':34354
'18#.#.62.141':34354
'21#.#30.123.24':34354
'67.##3.107.180':34354
'74.##.97.173':34354
'90.##9.32.177':34354
'2.###.66.179':34354
'95.#6.1.8':34354
'95.##.51.174':34354
'12#.#21.108.60':34354
'71.##.201.53':34354
'70.##8.197.179':34354
'68.#.210.7':34354
'17#.#1.43.165':34354
'17#.#27.212.167':34354
'93.##3.184.67':34354
'76.##8.161.63':34354
'95.##0.166.60':34354
'75.##.11.170':34354
'79.##9.32.160':34354
'20#.#38.55.168':34354
'17#.#0.109.6':34354
'68.##.123.38':34354
'71.#8.4.189':34354
'75.##6.89.192':34354
'98.##9.206.14':34354
'46.##5.232.206':34354
'68.##.151.37':34354
'46.##1.223.34':34354
'85.##.189.181':34354
'76.##7.222.43':34354
'69.##9.64.51':34354
'84.##2.27.181':34354
'19#.#8.86.40':34354
'17#.#58.115.186':34354
'46.##1.234.42':34354
'79.##8.32.185':34354
'68.##.231.153':34354
'17#.#59.162.118':34354
'24.##8.68.171':34354
'68.##.195.231':34354
'67.#.61.141':34354
'69.##9.199.116':34354
'99.##.181.141':34354
'98.##9.172.3':34354
'75.##.156.30':34354
'67.##8.151.87':34354
'71.##.107.236':34354
'76.##.168.110':34354
'68.##.227.99':34354
'67.##7.234.222':34354
'69.##2.25.198':34354
'17#.#.164.205':34354
'92.##.128.132':34354
'20#.#.73.247':34354
'24.##.72.115':34354
'17#.#1.148.3':34354
'18#.#7.32.26':34354
'76.##.195.115':34354
'50.##.157.13':34354
'75.##7.145.14':34354
'97.##.60.137':34354
'87.##7.99.205':34354
'83.##8.58.125':34354
'98.##6.238.178':34354
'98.##6.234.104':34354
'17#.#5.137.189':34354
'89.##4.246.103':34354
'76.##9.123.186':34354
'76.##.177.133':34354
'71.##.254.38':34354
'71.##7.253.91':34354
'46.##4.92.130':34354
'90.##0.128.182':34354
'79.##7.89.234':34354
'93.##.120.22':34354
'17#.#8.48.155':34354
'98.##1.175.134':34354
'24.#1.6.163':34354
'localhost':80
'96.##.36.188':34354
'10#.#22.20.154':34354
'41.##0.36.40':34354
'98.##5.85.176':34354
'68.#.62.101':34354
'46.##8.146.8':34354
'19#.#49.195.119':34354
'70.##9.82.163':34354
'17#.#8.165.88':34354
'68.##.155.74':34354
'11#.#06.119.218':34354
'76.#7.20.2':34354
'76.##0.13.238':34354
'50.##.197.160':34354
'17#.#74.140.231':34354
'50.##3.10.192':34354
'17#.#18.139.160':34354
'71.##4.18.215':34354
'71.##.160.235':34354
'67.##1.53.58':34354
'78.##6.56.29':34354
'68.##0.100.226':34354
'17#.#02.220.253':34354
'49.##5.113.132':34354
'95.##.126.229':34354
'21#.#71.247.81':34354
'68.##.201.145':34354
'50.##3.229.21':34354
'75.##6.130.186':34354
'70.##.140.87':34354
'75.##8.231.194':34354
'89.#8.83.42':34354
'69.##8.169.117':34354
'71.##7.78.122':34354
'31.##0.153.115':34354
'70.##8.187.201':34354
'75.##.81.246':34354
'68.##2.164.215':34354
'88.##.46.226':34354
'68.##.152.193':34354
'17#.#9.105.177':34354
'99.##7.52.77':34354
'89.##7.172.203':34354
'99.##5.74.135':34354
'69.##8.223.209':34354
'11#.#18.205.246':34354
'68.##.239.88':34354
'14#.#80.27.26':34354
'70.##2.62.98':34354
'18#.#7.48.125':34354
'24.#.120.63':34354
'98.##.83.180':34354
'98.##5.67.248':34354
'17#.#68.66.241':34354
'69.##5.205.236':34354
'87.#.217.109':34354
'98.##0.81.191':34354
'67.##7.52.31':34354
'17#.#8.45.17':34354
'98.##5.31.139':34354
'11#.#1.191.164':34354
'68.##.90.187':34354
'68.##2.208.73':34354
'74.##.58.185':34354
'24.##.214.55':34354
'68.##.137.138':34354
'69.##2.186.187':34354
'68.##2.72.158':34354
'98.##2.174.233':34354
'17#.#0.32.98':34354
'17#.#7.200.136':34354
'69.##4.83.58':34354
'76.##8.82.39':34354
'72.##9.247.188':34354
'71.##2.172.126':34354
'66.##.210.146':34354
'69.##7.213.92':34354
'50.##.123.208':34354
'46.##2.22.173':34354
'98.##8.210.39':34354
'68.##.99.184':34354
'87.##9.168.232':34354
'64.##.241.141':34354
'18#.#84.244.136':34354
'17#.#58.120.33':34354

TCP:

Запросы HTTP GET:

eg##kkid.cn/stat2.php?&a#################
eg##kkid.cn/stat2.php?&a################

Технології

Терміни

Навчання

Міфи

Техническая информация

Рекомендации по лечению

Демо бесплатно на 14 дней