Trojan.DownLoader25.23893

Добавлен в вирусную базу Dr.Web: 2017-08-21

Описание добавлено: 2017-08-21

Technical Information

Malicious functions:

Creates and executes the following:

'%APPDATA%\byteexec\pac-cmd.exe' on http://12#.#.0.1:38252/vpuiyo7cb5md68ns22st4l9syicdtls2/firefly.pac

Executes the following:

'<SYSTEM32>\rundll32.exe' url.dll,FileProtocolHandler https://gofirefly.org/page/
'%ProgramFiles%\Internet Explorer\IEXPLORE.EXE' -nohome
'<SYSTEM32>\rundll32.exe' url.dll,FileProtocolHandler http://12#.#.0.1:38252/vpuiyo7cb5md68ns22st4l9syicdtls2/settings

Modifies file system:

Creates the following files:

%APPDATA%\byteexec\pac-cmd.exe
%TEMP%\systray_temp_icon155879071
%APPDATA%\systray\systray.dll
%HOMEPATH%\.firefly.conf

Network activity:

Connects to:

'10#.#0.54.99':443
'10#.#0.40.190':443
'10#.#6.76.226':443
'10#.#6.40.225':443
'10#.#6.27.54':443
'10#.#6.40.153':443
'10#.16.8.44':443
'10#.#6.54.172':443
'10#.#6.21.176':443
'10#.16.66.8':443
'10#.#6.72.167':443
'10#.#6.59.212':443
'10#.#0.66.216':443
'10#.#4.16.61':443
'10#.#0.68.55':443
'10#.25.4.36':443
'10#.#6.66.138':443
'10#.#0.63.134':443
'10#.#6.102.93':443
'10#.#0.10.135':443
'10#.24.6.75':443
'10#.#6.126.172':443
'10#.#0.89.91':443
'10#.25.7.20':443
'10#.#6.1.195':443
'10#.#6.44.248':443
'10#.#0.63.120':443
'10#.#5.39.28':443
'10#.#6.32.142':443
'10#.#6.108.172':443
'10#.#6.88.97':443
'10#.#5.59.19':443
'10#.#0.76.41':443
'10#.#0.4.106':443
'10#.#6.51.137':443
'10#.#6.127.131':443
'10#.#0.40.140':443
'10#.#6.105.131':443
'10#.#0.80.175':443
'10#.#0.86.157':443
'10#.#6.103.97':443
'10#.#5.175.28':443
'10#.#6.67.196':443
'10#.#6.90.97':443
'10#.#0.63.170':443
'10#.#0.21.145':443
'10#.#6.38.181':443
'10#.#5.145.21':443
'10#.#0.47.183':443
'10#.#6.78.70':443
'10#.#0.55.192':443
'10#.#5.106.5':443
'10#.#5.148.32':443
'10#.#6.72.217':443
'10#.#5.162.11':443
'10#.#6.123.161':443
'10#.#6.16.89':443
'19#.#1.214.8':443
'10#.#0.92.133':443
'10#.#6.53.146':443
'10#.#6.71.237':443
'10#.#0.51.124':443
'10#.#0.80.30':443
'10#.#5.69.12':443
'10#.#6.96.101':443
'10#.#0.49.34':443
'10#.#0.23.159':443
'10#.#6.56.241':443
'10#.#6.98.159':443
'10#.#6.119.202':443
'10#.#6.126.159':443
'10#.#6.115.234':443
'10#.#6.125.8':443
'10#.#6.100.21':443
'10#.#0.45.179':443
'10#.#6.31.136':443
'10#.#6.86.237':443
'10#.#6.87.118':443
'10#.#0.71.110':443
'10#.#5.205.23':443
'10#.#6.11.223':443
'10#.#0.48.44':443
'10#.#0.89.207':443
'10#.#0.91.55':443
'10#.#0.87.201':443
'10#.#6.116.235':443
'10#.#6.42.169':443
'10#.#0.88.116':443
'10#.#4.23.92':443
'10#.#6.33.242':443
'10#.#6.71.205':443
'10#.#6.58.190':443
'10#.#6.127.182':443
'10#.#0.48.79':443
'10#.16.85.9':443
'10#.#6.37.217':443
'10#.#6.52.145':443
'10#.#0.31.130':443
'10#.#0.67.43':443
'10#.#6.79.124':443
'10#.#6.69.205':443
'10#.#6.26.74':443
'10#.16.95.9':443
'10#.#6.87.207':443
'10#.#6.26.67':443
'10#.#6.124.149':443
'10#.#6.101.160':443
'10#.#0.89.121':443
'10#.#6.76.196':443
'10#.#0.79.210':443
'14#.#01.114.173':443
'10#.#0.50.111':443
'10#.#6.79.133':443
'10#.#6.63.245':443
'10#.#6.52.197':443
'10#.#5.131.19':443
'10#.#6.57.244':443
'10#.#0.35.213':443
'10#.#0.25.97':443
'10#.#6.18.126':443
'10#.#0.88.187':443
'10#.#0.44.115':443
'10#.#0.92.129':443
'10#.#6.39.242':443
'10#.#6.58.191':443
'10#.#6.45.238':443
'10#.#0.71.153':443
'10#.#6.109.159':443
'10#.#6.41.177':443
'10#.#6.53.230':443
'10#.24.0.58':443
'10#.#6.44.161':443
'10#.#6.12.89':443
'10#.#5.182.30':443
'10#.#6.109.228':443
'10#.#5.221.21':443
'10#.#0.84.159':443
'10#.#6.127.109':443
'10#.#6.49.89':443
'10#.#0.5.123':443
'10#.#5.13.10':443
'10#.#6.54.85':443
'10#.#6.81.244':443
'10#.#5.250.32':443
'10#.#6.91.12':443
'10#.#0.53.48':443
'10#.#6.119.203':443
'10#.#6.104.188':443
'10#.#0.42.178':443
'10#.#5.142.20':443
'10#.#6.77.131':443
'10#.#6.107.147':443
'10#.#6.92.102':443
'10#.#6.30.116':443
'10#.16.67.4':443
'10#.#0.14.76':443
'10#.#6.82.244':443
'10#.#6.68.141':443
'10#.#6.100.244':443
'10#.#6.54.110':443
'10#.#6.108.137':443
'10#.#6.111.85':443
'10#.#6.95.244':443
'10#.25.27.4':443
'10#.#6.91.127':443
'10#.#5.107.20':443
'10#.#0.95.215':443
'10#.#0.73.112':443
'10#.#6.95.86':443
'10#.#5.190.8':443
'10#.#0.7.177':443
'10#.#6.57.230':443
'10#.#6.41.236':443
'10#.#5.86.12':443
'10#.#6.114.247':443
'10#.#0.72.83':443
'10#.#0.73.149':443
'10#.#6.15.72':443
'10#.#6.92.250':443
'10#.#6.9.136':443
'10#.#6.86.138':443
'10#.#6.86.228':443
'10#.#6.80.217':443
'10#.#6.63.207':443
'10#.#6.46.105':443
'localhost':38252
'localhost':38251
'www.go#####analytics.com':443
'localhost':1040
'localhost':1045
'10#.#6.62.109':443
'localhost':38250
'localhost':1037
'10#.#4.12.36':443
'10#.#6.18.100':443
'10#.#6.8.171':443
'10#.25.6.32':443
'10#.#6.43.128':443
'10#.#6.122.193':443
'10#.#0.79.46':443
'10#.#6.87.149':443
'10#.#0.63.110':443
'10#.#0.61.127':443
'10#.#6.89.181':443
'10#.#0.32.96':443
'10#.#6.116.16':443
'10#.#6.93.109':443
'10#.#0.73.204':443
'10#.#6.97.218':443
'10#.#6.90.131':443
'10#.#6.110.228':443
'10#.#0.61.79':443
'10#.#6.50.196':443
'10#.#0.37.129':443
'10#.#6.109.200':443
'10#.#0.88.123':443
'10#.#5.100.17':443
'10#.#6.1.110':443
'10#.#6.55.199':443
'10#.#6.79.135':443
'10#.#6.46.200':443
'10#.#6.119.251':443
'10#.#0.40.120':443
'10#.#6.97.100':443
'10#.#6.43.82':443
'10#.#6.33.126':443
'10#.#6.81.212':443
'10#.#6.96.153':443
'10#.#6.67.133':443
'10#.#6.54.118':443
'10#.#6.37.207':443
'10#.#6.102.200':443
'10#.#0.42.145':443
'10#.#0.73.164':443
'10#.#5.48.26':443
'10#.24.6.94':443
'10#.#0.41.56':443
'10#.#6.61.139':443
'10#.#6.41.192':443
'10#.#6.99.67':443
'10#.#0.79.63':443
'10#.#0.71.201':443
'10#.#0.69.102':443
'10#.#6.40.132':443
'10#.#5.112.34':443
'10#.#6.43.158':443
'10#.#0.7.218':443
'10#.#0.57.86':443
'10#.#5.147.31':443
'10#.#6.17.67':443
'10#.#6.81.131':443
'10#.#5.185.7':443
'10#.#6.56.216':443
'10#.#6.38.170':443
'10#.#0.95.165':443
'10#.#0.13.160':443
'10#.#5.237.6':443
'10#.#6.53.193':443
'10#.#6.29.86':443
'10#.#6.17.247':443
'10#.#6.34.226':443
'10#.#6.22.216':443
'10#.#6.39.147':443
'10#.16.8.56':443
'10#.#6.89.233':443
'10#.16.5.83':443
'10#.#6.83.231':443
'10#.#6.108.238':443
'10#.#6.38.106':443
'10#.#6.66.128':443
'10#.#6.68.116':443
'10#.#0.93.122':443
'10#.#6.76.150':443
'10#.#6.114.227':443
'10#.#6.106.16':443
'10#.#4.31.23':443
'10#.#3.130.83':443
'10#.#6.5.118':443
'10#.#6.121.187':443
'10#.#6.77.145':443
'10#.#6.112.141':443

TCP:

HTTP GET requests:

http://12#.#.0.1:38252/vpuiyo7cb5md68ns22st4l9syicdtls2/firefly.pac via localhost

UDP:

DNS ASK www.go#####analytics.com

Miscellaneous:

Modifies value of AutoConfigURL parameter to 'http://127.0.0.1:38252/vpuiyo7cb5md68ns22st4l9syicdtls2/firefly.pac'

Searches for the following windows:

ClassName: 'MS_AutodialMonitor' WindowName: ''
ClassName: 'MS_WebcheckMonitor' WindowName: ''
ClassName: 'IEFrame' WindowName: ''
ClassName: 'Shell_TrayWnd' WindowName: ''
ClassName: '' WindowName: ''

Технологии

Термины

Обучение и просвещение

Мифы

Technical Information

Рекомендации по лечению

Демо бесплатно на 14 дней