BackDoor.DarkCrystal.52

Добавлен в вирусную базу Dr.Web: 2022-03-18

Описание добавлено: 2022-03-25

Technical Information

To ensure autorun and distribution

Modifies the following registry keys

[<HKLM>\Software\Microsoft\Windows\CurrentVersion\Run] 'iexplore' = '"C:\totalcmd\LANGUAGE\iexplore.exe"'
[<HKLM>\Software\Microsoft\Windows NT\CurrentVersion\Winlogon] 'Shell' = 'explorer.exe, "C:\totalcmd\LANGUAGE\iexplore.exe"'
[<HKLM>\Software\Microsoft\Windows\CurrentVersion\Run] 'dwm' = '"C:\Users\Default\Desktop\dwm.exe"'
[<HKLM>\Software\Microsoft\Windows NT\CurrentVersion\Winlogon] 'Shell' = 'explorer.exe, "C:\totalcmd\LANGUAGE\iexplore.exe", "C:\Users\Default\Desktop\dwm.exe"'
[<HKLM>\Software\Microsoft\Windows\CurrentVersion\Run] 'audiodg' = '"C:\Documents and Settings\audiodg.exe"'
[<HKLM>\Software\Microsoft\Windows NT\CurrentVersion\Winlogon] 'Shell' = 'explorer.exe, "C:\totalcmd\LANGUAGE\iexplore.exe", "C:\Users\Default\Desktop\dwm.exe", "C:\Documents and Settings\audio...
[<HKLM>\Software\Microsoft\Windows\CurrentVersion\Run] 'Idle' = '"<Current directory>\Idle.exe"'
[<HKLM>\Software\Microsoft\Windows\CurrentVersion\Run] 'WmiPrvSE' = '"C:\Users\Public\Pictures\Sample Pictures\WmiPrvSE.exe"'
[<HKLM>\Software\Microsoft\Windows\CurrentVersion\Run] '<File name>' = '"C:\totalcmd\LANGUAGE\<File name>.exe"'

Creates or modifies the following files

<SYSTEM32>\tasks\sofsiexplore
<SYSTEM32>\tasks\gw0ridle
<SYSTEM32>\tasks\cbyzwmiprvse
<SYSTEM32>\tasks\yvytidle
<SYSTEM32>\tasks\audiodg
<SYSTEM32>\tasks\e1ynaudiodg
<SYSTEM32>\tasks\wwwwidle
<SYSTEM32>\tasks\vaimaudiodg
<SYSTEM32>\tasks\qmtd<File name>
<SYSTEM32>\tasks\5jroaudiodg
<SYSTEM32>\tasks\faei<File name>
<SYSTEM32>\tasks\wmiprvse
<SYSTEM32>\tasks\idle
<SYSTEM32>\tasks\n23hwmiprvse
<SYSTEM32>\tasks\nmr8dwm
<SYSTEM32>\tasks\<File name>
<SYSTEM32>\tasks\gstndwm
<SYSTEM32>\tasks\dcl7iexplore
<SYSTEM32>\tasks\iexplore
<SYSTEM32>\tasks\dwm
<SYSTEM32>\tasks\aurpdwm
<SYSTEM32>\tasks\dyx0iexplore
<SYSTEM32>\tasks\s95x<File name>
<SYSTEM32>\tasks\zpbowmiprvse

Malicious functions

Reads files which store third party applications passwords

%ProgramFiles(x86)%\steam\config\config.vdf
%ProgramFiles(x86)%\steam\config\dialogconfig.vdf
%LOCALAPPDATA%\google\chrome\user data\default\cookies
%APPDATA%\opera software\opera stable\login data
%LOCALAPPDATA%\google\chrome\user data\default\login data
%LOCALAPPDATA%\google\chrome\user data\default\web data

Modifies file system

Creates the following files

C:\totalcmd\language\iexplore.exe
%TEMP%\6xwvisadmd
%TEMP%\pvmk9svtzi
%TEMP%\ss7soypztf
%TEMP%\q3uz2gcchf
%TEMP%\jhbzudqbiy
%TEMP%\lldfjtui98
%TEMP%\pxstmnyfup
%TEMP%\9tu3yj4mii
%TEMP%\ftii3uwush
%TEMP%\pjpuwlvh8k
%TEMP%\fbncegtsgw
%TEMP%\u8wdpn5pff
%TEMP%\qrbepbjtkg
%TEMP%\t0thrqzxhe
%TEMP%\0poqlqlchk
C:\totalcmd\language\97e0b3c5637185
C:\totalcmd\language\<File name>.exe
C:\users\public\pictures\sample pictures\24dbde2999530e
C:\users\public\pictures\sample pictures\wmiprvse.exe
<Current directory>\6ccacd8608530f
<Current directory>\idle.exe
C:\documents and settings\42af1c969fbb7b
C:\documents and settings\audiodg.exe
C:\users\default\desktop\6cb0b6c459d5d3
C:\users\default\desktop\dwm.exe
C:\totalcmd\language\9db6e019d4f04e
%TEMP%\kranyb8dnz
%TEMP%\xbhdjuqkaj

Deletes the following files

%TEMP%\0poqlqlchk
%TEMP%\6xwvisadmd
%TEMP%\pvmk9svtzi
%TEMP%\ss7soypztf
%TEMP%\q3uz2gcchf
%TEMP%\jhbzudqbiy
%TEMP%\lldfjtui98
%TEMP%\qrbepbjtkg
%TEMP%\pxstmnyfup
%TEMP%\ftii3uwush
%TEMP%\pjpuwlvh8k
%TEMP%\fbncegtsgw
%TEMP%\u8wdpn5pff
%TEMP%\t0thrqzxhe
%TEMP%\kranyb8dnz
%TEMP%\9tu3yj4mii
%TEMP%\xbhdjuqkaj

Network activity

Connects to

'62.##9.2.159':80
'ip##fo.io':443
'ap#.##legram.org':443

TCP

HTTP GET requests

http://62.##9.2.159/protectGame/PhpBetterauth/67Game/Dle/UploadsPrivate2/ImageEternalDump/HttpTrack/GeoTestSql/CpuUpdate77/1LineUploadsUpdate/BigloadJavascripteternalpublic/Asynctraffic.php?8H#...
http://62.##9.2.159/protectGame/PhpBetterauth/67Game/Dle/UploadsPrivate2/ImageEternalDump/HttpTrack/GeoTestSql/CpuUpdate77/1LineUploadsUpdate/BigloadJavascripteternalpublic/Asynctraffic.php?pF#...

Other

'ip##fo.io':443
'ap#.##legram.org':443

UDP

DNS ASK ip##fo.io
DNS ASK ap#.##legram.org

Miscellaneous

Creates and executes the following

'C:\totalcmd\language\iexplore.exe'
'C:\totalcmd\language\iexplore.exe' ' (with hidden window)

Executes the following

'<SYSTEM32>\schtasks.exe' /create /tn "soFsiexplore" /sc MINUTE /mo 7 /tr "'C:\totalcmd\LANGUAGE\iexplore.exe'" /rl HIGHEST /f
'<SYSTEM32>\schtasks.exe' /create /tn "s95x<File name>" /sc ONLOGON /tr "'C:\totalcmd\LANGUAGE\<File name>.exe'" /rl HIGHEST /f
'<SYSTEM32>\schtasks.exe' /create /tn "fAEi<File name>" /sc MINUTE /mo 7 /tr "'C:\totalcmd\LANGUAGE\<File name>.exe'" /rl HIGHEST /f
'<SYSTEM32>\schtasks.exe' /create /tn "WmiPrvSE" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Pictures\Sample Pictures\WmiPrvSE.exe'" /f
'<SYSTEM32>\schtasks.exe' /create /tn "cbYzWmiPrvSE" /sc ONSTART /tr "'C:\Users\Public\Pictures\Sample Pictures\WmiPrvSE.exe'" /rl HIGHEST /f
'<SYSTEM32>\schtasks.exe' /create /tn "zPboWmiPrvSE" /sc ONLOGON /tr "'C:\Users\Public\Pictures\Sample Pictures\WmiPrvSE.exe'" /rl HIGHEST /f
'<SYSTEM32>\schtasks.exe' /create /tn "N23HWmiPrvSE" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Pictures\Sample Pictures\WmiPrvSE.exe'" /rl HIGHEST /f
'<SYSTEM32>\schtasks.exe' /create /tn "Idle" /sc MINUTE /mo 11 /tr "'<Current directory>\Idle.exe'" /f
'<SYSTEM32>\schtasks.exe' /create /tn "gw0rIdle" /sc ONSTART /tr "'<Current directory>\Idle.exe'" /rl HIGHEST /f
'<SYSTEM32>\schtasks.exe' /create /tn "WwWWIdle" /sc ONLOGON /tr "'<Current directory>\Idle.exe'" /rl HIGHEST /f
'<SYSTEM32>\schtasks.exe' /create /tn "YVYtIdle" /sc MINUTE /mo 5 /tr "'<Current directory>\Idle.exe'" /rl HIGHEST /f
'<SYSTEM32>\schtasks.exe' /create /tn "audiodg" /sc MINUTE /mo 11 /tr "'C:\Documents and Settings\audiodg.exe'" /f
'<SYSTEM32>\schtasks.exe' /create /tn "E1ynaudiodg" /sc ONSTART /tr "'C:\Documents and Settings\audiodg.exe'" /rl HIGHEST /f
'<SYSTEM32>\schtasks.exe' /create /tn "VAimaudiodg" /sc ONLOGON /tr "'C:\Documents and Settings\audiodg.exe'" /rl HIGHEST /f
'<SYSTEM32>\schtasks.exe' /create /tn "5JRoaudiodg" /sc MINUTE /mo 13 /tr "'C:\Documents and Settings\audiodg.exe'" /rl HIGHEST /f
'<SYSTEM32>\schtasks.exe' /create /tn "dwm" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Desktop\dwm.exe'" /f
'<SYSTEM32>\schtasks.exe' /create /tn "Nmr8dwm" /sc ONSTART /tr "'C:\Users\Default\Desktop\dwm.exe'" /rl HIGHEST /f
'<SYSTEM32>\schtasks.exe' /create /tn "AUrPdwm" /sc ONLOGON /tr "'C:\Users\Default\Desktop\dwm.exe'" /rl HIGHEST /f
'<SYSTEM32>\schtasks.exe' /create /tn "gstndwm" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Desktop\dwm.exe'" /rl HIGHEST /f
'<SYSTEM32>\schtasks.exe' /create /tn "iexplore" /sc MINUTE /mo 8 /tr "'C:\totalcmd\LANGUAGE\iexplore.exe'" /f
'<SYSTEM32>\schtasks.exe' /create /tn "Dcl7iexplore" /sc ONSTART /tr "'C:\totalcmd\LANGUAGE\iexplore.exe'" /rl HIGHEST /f
'<SYSTEM32>\schtasks.exe' /create /tn "dyX0iexplore" /sc ONLOGON /tr "'C:\totalcmd\LANGUAGE\iexplore.exe'" /rl HIGHEST /f
'<SYSTEM32>\schtasks.exe' /create /tn "qMTd<File name>" /sc ONSTART /tr "'C:\totalcmd\LANGUAGE\<File name>.exe'" /rl HIGHEST /f
'<SYSTEM32>\schtasks.exe' /create /tn "<File name>" /sc MINUTE /mo 9 /tr "'C:\totalcmd\LANGUAGE\<File name>.exe'" /f

Технологии

Термины

Обучение и просвещение

Мифы

Technical Information

Рекомендации по лечению

Демо бесплатно на 14 дней