Trojan.DownLoader5.15664

Техническая информация

Для обеспечения автозапуска и распространения:

Модифицирует следующие ключи реестра:

[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001] 'LibraryPath' = 'mswsock.dll'
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003] 'LibraryPath' = 'mswsock.dll'
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008] 'PackedCatalogItem' = ''

Создает следующие сервисы:

[<HKLM>\SYSTEM\ControlSet001\Services\.mrxsmb] 'ImagePath' = '\*'

Вредоносные функции:

Внедряет код в

следующие системные процессы:

<SYSTEM32>\winlogon.exe

Изменения в файловой системе:

Создает следующие файлы:

%WINDIR%\$NtUninstallKB27979$\4121336045\cfg.ini
%WINDIR%\$NtUninstallKB27979$\4121336045\@
%WINDIR%\$NtUninstallKB27979$\4121336045\Desktop.ini
%WINDIR%\$NtUninstallKB27979$\4121336045\L\alehhooo

Самоудаляется.

Сетевая активность:

Подключается к:

'88.##2.148.56':34354
'64.##.172.135':34354
'95.##.104.57':34354
'24.##2.66.135':34354
'19#.#06.55.94':34354
'10#.#29.187.73':34354
'87.##5.51.167':34354
'70.##3.53.102':34354
'95.##7.167.11':34354
'17#.68.3.35':34354
'92.##.86.142':34354
'92.#3.23.11':34354
'95.#8.48.68':34354
'99.##.208.22':34354
'18#.#27.118.84':34354
'17#.#0.108.188':34354
'12.##0.142.8':34354
'10#.#39.47.97':34354
'13#.#.32.200':34354
'10#.#98.112.65':34354
'81.##.151.158':34354
'17#.#9.163.113':34354
'17#.#26.75.202':34354
'98.##4.202.61':34354
'62.##3.156.153':34354
'99.##7.17.218':34354
'20#.#15.193.139':34354
'21#.#6.20.248':34354
'18#.#4.90.173':34354
'96.##.64.129':34354
'71.##2.69.169':34354
'18#.#3.48.162':34354
'17#.#7.16.138':34354
'92.##.217.110':34354
'17#.#71.18.179':34354
'93.##6.8.233':34354
'2.###.208.106':34354
'17#.#1.224.252':34354
'95.##.122.178':34354
'27.#.212.209':34354
'17#.#0.231.255':34354
'91.##7.60.22':34354
'91.##.246.154':34354
'66.##9.198.122':34354
'94.##.100.176':34354
'19#.#20.162.6':34354
'72.##1.104.169':34354
'17#.#0.108.253':34354
'74.##.172.232':34354
'97.##2.217.105':34354
'96.##.106.255':34354
'10#.#29.190.39':34354
'17#.#29.146.8':34354
'76.##6.201.209':34354
'84.##2.27.181':34354
'17#.#9.23.127':34354
'41.##1.116.23':34354
'17#.#9.207.142':34354
'65.##.119.140':34354
'18#.#9.34.112':34354
'10#.#5.55.24':34354
'10#.#27.70.211':34354
'65.#5.98.37':34354
'18#.#53.118.64':34354
'68.##0.59.204':34354
'10#.#7.59.133':34354
'85.##.187.170':34354
'95.##.38.219':34354
'49.##8.173.44':34354
'75.##7.221.155':34354
'81.##.221.41':34354
'12.#3.53.44':34354
'97.##.105.85':34354
'20#.#4.227.108':34354
'99.##3.193.64':34354
'17#.#57.164.131':34354
'82.##5.24.47':34354
'95.##.153.187':34354
'81.##.195.54':34354
'79.##8.203.144':34354
'2.###.129.22':34354
'20#.#15.90.7':34354
'20#.#22.235.65':34354
'24.#0.46.97':34354
'74.##4.96.163':34354
'94.##7.219.164':34354
'17#.#25.203.25':34354
'18#.#26.180.151':34354
'93.##.99.185':34354
'72.##0.32.255':34354
'10#.#37.141.226':34354
'46.##.155.46':34354
'81.#1.55.31':34354
'69.##3.217.249':34354
'21#.#86.31.44':34354
'95.##.78.215':34354
'92.##4.174.237':34354
'24.##2.71.50':34354
'71.##.127.182':34354
'21#.#04.85.233':34354
'50.##.234.181':34354
'12#.#36.68.102':34354
'99.##.86.116':34354
'24.##1.12.52':34354
'83.##.81.106':34354
'18#.3.11.26':34354
'2.###.20.210':34354
'95.##.208.45':34354
'95.##.205.47':34354
'69.##4.180.148':34354
'82.##5.177.110':34354
'77.##8.75.47':34354
'59.##8.49.146':34354
'95.##0.177.140':34354
'95.#9.78.61':34354
'19#.#.210.61':34354
'67.#3.25.19':34354
'24.##3.134.127':34354
'92.##.195.35':34354
'82.##1.104.35':34354
'10#.#69.207.56':34354
'69.##2.51.18':34354
'11#.#00.157.253':34354
'46.##9.132.171':34354
'11#.#06.136.57':34354
'18#.#79.217.216':34354
'31.#3.3.83':34354
'24.##.178.168':34354
'76.#12.6.55':34354
'17#.#9.49.242':34354
'11#.#46.95.207':34354
'11#.#93.103.252':34354
'11#.#07.228.249':34354
'95.##.234.41':34354
'41.##.124.56':34354
'10#.#29.44.34':34354
'92.##.220.204':34354
'92.##5.112.75':34354
'87.##.91.102':34354
'17#.#75.126.227':34354
'95.##.116.13':34354
'41.##9.7.178':34354
'68.##8.201.84':34354
'93.##6.73.210':34354
'87.##.150.21':34354
'85.##6.187.23':34354
'69.##7.205.177':34354
'19#.#06.36.49':34354
'85.##.186.182':34354
'18#.#6.243.165':34354
'17#.#78.114.131':34354
'70.##8.220.94':34354
'17#.#26.54.90':34354
'17#.1.103.8':34354
'2.###.39.211':34354
'78.##.237.128':34354
'69.##.105.50':34354
'2.##.126.1':34354
'18#.#0.156.79':34354
'10#.#25.15.136':34354
'85.##.172.126':34354
'19#.#05.165.108':34354
'24.##9.64.75':34354
'84.##0.226.132':34354
'46.#0.45.99':34354
'71.##0.60.176':34354
'84.##.67.116':34354
'99.##2.169.73':34354
'95.##.151.231':34354
'21#.#.136.125':34354
'95.##.252.33':34354
'localhost':80
'18#.#3.97.100':34354
'49.##1.236.250':34354
'75.##6.5.161':34354
'83.#3.20.77':34354
'75.##.29.132':34354
'12#.#22.4.13':34354
'86.##6.206.138':34354
'95.##.232.75':34354
'10#.#01.172.45':34354
'76.##.230.125':34354
'24.##.58.106':34354
'18#.#23.136.165':34354
'2.###.69.115':34354
'93.##1.234.67':34354
'17#.#8.229.226':34354
'18#.#14.209.139':34354
'17#.#9.126.208':34354
'76.##.241.211':34354
'71.##.14.151':34354
'17#.#25.61.226':34354
'67.##1.106.61':34354
'87.##1.198.147':34354
'95.##.217.227':34354
'89.##5.242.184':34354
'76.#7.37.24':34354
'85.##5.26.224':34354
'95.##.225.245':34354
'95.##.57.167':34354
'83.##.187.48':34354
'95.##.203.68':34354
'13#.#80.209.209':34354
'85.##.182.134':34354
'17#.#02.44.17':34354
'87.##5.83.193':34354
'87.##7.41.109':34354
'21#.#2.199.65':34354
'12#.#27.133.12':34354
'19#.#74.48.75':34354
'19#.#33.128.140':34354
'90.##4.208.38':34354
'17#.#0.155.41':34354
'20#.#53.72.134':34354
'94.##9.229.229':34354
'46.##.59.131':34354
'99.##.214.87':34354
'2.###.84.187':34354
'95.##.88.205':34354
'60.#0.4.16':34354
'94.##3.121.65':34354
'70.##1.124.212':34354
'77.##.63.143':34354
'46.##.128.109':34354
'71.#2.2.83':34354
'17#.#0.102.124':34354
'87.##7.37.83':34354
'10#.#39.44.76':34354
'46.##.178.210':34354
'98.##9.80.156':34354
'11#.#4.224.180':34354
'18#.#7.207.74':34354
'65.##5.46.26':34354
'84.##5.14.134':34354
'17#.#22.252.97':34354
'95.##.150.51':34354
'85.##.178.154':34354
'95.##.204.165':34354
'67.##1.237.182':34354
'21#.#53.87.7':34354
'2.###.137.102':34354
'95.##1.191.46':34354
'19#.#09.68.153':34354
'77.##5.2.197':34354
'95.#9.49.95':34354
'12#.#29.114.104':34354
'85.##8.38.104':34354
'17#.#34.193.151':34354
'2.##3.23.30':34354
'67.##9.190.4':34354
'95.##.209.69':34354
'91.##5.148.249':34354
'46.##9.249.5':34354
'19#.#42.130.158':34354
'92.##.52.213':34354
'18#.#8.41.146':34354
'19#.#4.132.149':34354

TCP:

Запросы HTTP GET:

nw##bpes.cn/stat2.php?&a###
nw##bpes.cn/stat2.php?&a##

Технологии

Термины

Обучение и просвещение

Мифы

Техническая информация

Рекомендации по лечению

Демо бесплатно на 14 дней