Trojan.DownLoader5.17644

Техническая информация

Для обеспечения автозапуска и распространения:

Модифицирует следующие ключи реестра:

[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001] 'LibraryPath' = 'mswsock.dll'
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003] 'LibraryPath' = 'mswsock.dll'
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008] 'PackedCatalogItem' = ''

Создает следующие сервисы:

[<HKLM>\SYSTEM\ControlSet001\Services\.i8042prt] 'ImagePath' = '\*'

Вредоносные функции:

Внедряет код в

следующие системные процессы:

<SYSTEM32>\winlogon.exe

Изменения в файловой системе:

Создает следующие файлы:

%WINDIR%\$NtUninstallKB27979$\4121336045\cfg.ini
%WINDIR%\$NtUninstallKB27979$\4121336045\@
%WINDIR%\$NtUninstallKB27979$\4121336045\Desktop.ini
%WINDIR%\$NtUninstallKB27979$\4121336045\L\alehhooo

Сетевая активность:

Подключается к:

'17#.#9.89.95':34354
'88.##4.30.254':34354
'10#.#.226.91':34354
'81.##.153.93':34354
'67.##9.190.4':34354
'17#.#22.178.53':34354
'95.##.238.99':34354
'20#.#.149.252':34354
'27.##5.32.14':34354
'19#.#74.147.169':34354
'15#.#39.217.233':34354
'92.##.74.187':34354
'64.##8.16.88':34354
'86.##8.249.90':34354
'46.##.19.237':34354
'17#.#7.165.170':34354
'65.#4.97.66':34354
'2.###.246.12':34354
'95.##.74.114':34354
'72.##9.152.114':34354
'97.##.123.227':34354
'17#.#02.75.60':34354
'31.#9.7.234':34354
'20#.#04.163.232':34354
'18#.#6.99.109':34354
'17#.#9.95.73':34354
'74.#16.32.5':34354
'75.##.147.107':34354
'97.##3.167.245':34354
'2.###.162.243':34354
'17#.#01.74.250':34354
'65.#0.48.72':34354
'10#.#31.48.32':34354
'79.##5.208.54':34354
'10#.#6.143.216':34354
'19#.#3.102.212':34354
'85.##.182.53':34354
'68.##.116.173':34354
'95.##.166.54':34354
'10#.#35.184.4':34354
'71.##.59.251':34354
'11#.#84.178.86':34354
'95.##.249.59':34354
'18#.#89.223.215':34354
'91.##.144.120':34354
'96.##.190.20':34354
'11#.#19.196.180':34354
'17#.#09.139.116':34354
'68.##2.196.100':34354
'18#.#7.236.93':34354
'66.##5.151.83':34354
'17#.#05.134.247':34354
'46.##0.159.161':34354
'18#.#8.223.162':34354
'10#.#20.85.25':34354
'92.#3.45.85':34354
'18#.#7.103.101':34354
'18#.#26.27.135':34354
'95.##5.77.209':34354
'17#.#06.222.134':34354
'68.##.243.149':34354
'19#.#07.5.171':34354
'41.##2.201.5':34354
'41.##2.194.143':34354
'2.###.165.218':34354
'41.##0.176.19':34354
'21#.#25.210.20':34354
'21#.#97.149.213':34354
'24.##7.254.117':34354
'89.##4.124.230':34354
'85.##.191.220':34354
'67.##6.24.18':34354
'66.##.177.25':34354
'17#.#8.17.198':34354
'18#.#07.161.26':34354
'98.##1.150.197':34354
'17#.#10.209.56':34354
'95.#8.18.57':34354
'17#.#6.107.24':34354
'75.##.39.122':34354
'10#.#39.47.110':34354
'18#.#5.24.251':34354
'68.#2.16.72':34354
'92.#7.108.7':34354
'89.##6.161.80':34354
'87.##.91.102':34354
'21#.#83.247.103':34354
'69.##7.171.78':34354
'17#.#5.165.115':34354
'21#.76.7.65':34354
'88.##4.206.62':34354
'17#.#22.8.121':34354
'10#.#36.62.70':34354
'86.#6.8.8':34354
'71.##.124.239':34354
'92.#3.23.11':34354
'19#.#17.227.28':34354
'96.##.64.129':34354
'10#.#01.171.122':34354
'98.##7.104.124':34354
'12#.#44.211.29':34354
'59.##8.49.146':34354
'82.##1.67.131':34354
'18#.#9.228.141':34354
'18#.#07.11.217':34354
'19#.#3.204.121':34354
'46.##.110.120':34354
'18#.#91.185.59':34354
'19#.#39.142.208':34354
'70.##6.201.199':34354
'84.##.55.117':34354
'71.##.201.212':34354
'17#.#43.182.178':34354
'84.##8.130.153':34354
'17#.#75.166.181':34354
'94.##9.15.186':34354
'17#.#2.174.190':34354
'69.##4.25.191':34354
'18#.#2.182.144':34354
'68.##8.66.128':34354
'19#.#09.68.153':34354
'79.##2.181.160':34354
'71.##8.35.151':34354
'20#.#40.205.152':34354
'89.##7.198.186':34354
'1.##3.26.1':34354
'69.##2.214.164':34354
'21#.#71.60.170':34354
'72.##5.145.146':34354
'50.##.234.181':34354
'75.##6.105.150':34354
'17#.#67.92.3':34354
'24.##1.109.58':34354
'18#.#6.31.167':34354
'17#.#0.232.226':34354
'19#.#7.52.92':34354
'89.#1.80.20':34354
'97.##.80.239':34354
'10#.#07.192.26':34354
'71.#.238.119':34354
'17#.#0.239.172':34354
'78.##.222.196':34354
'95.##.171.161':34354
'17#.#9.20.19':34354
'10#.#85.90.194':34354
'68.##0.47.248':34354
'80.##6.246.230':34354
'76.##2.145.156':34354
'71.##2.245.244':34354
'76.##6.235.123':34354
'66.#6.55.11':34354
'98.##9.101.69':34354
'75.##.33.218':34354
'89.##9.91.15':34354
'95.##.165.252':34354
'91.##7.60.22':34354
'99.##8.70.74':34354
'67.#67.9.92':34354
'69.##0.70.38':34354
'46.##1.214.43':34354
'97.##.94.112':34354
'68.#7.197.7':34354
'65.##.143.254':34354
'89.##6.119.92':34354
'18#.#1.16.211':34354
'93.##.162.42':34354
'24.##5.86.187':34354
'95.#9.23.16':34354
'95.#9.77.60':34354
'1.##.130.31':34354
'77.##5.6.192':34354
'localhost':80
'66.##.252.247':34354
'75.#87.82.9':34354
'98.##8.160.159':34354
'65.##.215.165':34354
'18#.#8.57.108':34354
'21#.#.33.163':34354
'68.##9.69.44':34354
'68.##.33.235':34354
'76.##2.165.241':34354
'66.##9.73.58':34354
'91.##2.25.22':34354
'76.##6.94.132':34354
'20#.#32.224.14':34354
'19#.#3.217.87':34354
'76.##.25.121':34354
'41.##7.180.27':34354
'71.##5.149.252':34354
'98.##7.150.48':34354
'68.#.170.96':34354
'19#.#88.167.167':34354
'69.##5.200.141':34354
'65.##.193.93':34354
'18#.#19.118.5':34354
'17#.#6.79.202':34354
'17#.#7.186.50':34354
'17#.#95.54.135':34354
'17#.#27.15.229':34354
'86.##6.102.51':34354
'75.##.244.38':34354
'18#.#5.172.163':34354
'66.##.252.95':34354
'12#.#47.16.99':34354
'50.#.239.88':34354
'99.##7.135.198':34354
'18#.#1.110.94':34354
'72.##0.120.22':34354
'18#.#15.14.230':34354
'50.##.255.72':34354
'85.##5.26.224':34354
'21#.#05.3.187':34354
'98.##2.177.234':34354
'98.##1.19.32':34354
'98.##2.209.120':34354
'10#.#01.182.37':34354
'18#.#73.69.170':34354
'79.##9.38.134':34354
'76.##.146.195':34354
'76.##8.133.92':34354
'67.##2.78.134':34354
'77.##8.220.238':34354
'79.#.85.183':34354
'92.##.227.103':34354
'77.##.57.173':34354
'95.##.252.55':34354
'72.##6.150.52':34354
'99.##2.18.63':34354
'78.##.135.179':34354
'95.#9.33.63':34354
'66.##.54.148':34354
'99.##0.204.201':34354
'10#.#37.38.46':34354
'78.##4.185.78':34354
'95.##.72.184':34354
'92.##5.110.254':34354
'24.##5.67.77':34354
'24.##6.157.241':34354
'67.#82.2.68':34354
'99.#0.15.92':34354
'12#.#11.209.99':34354
'93.##2.159.132':34354
'76.##4.90.233':34354
'18#.#33.2.74':34354
'18#.#1.65.124':34354
'89.##.105.113':34354
'98.##4.73.245':34354
'75.##4.249.167':34354
'74.##1.205.169':34354
'95.#9.72.20':34354
'95.##5.210.25':34354
'95.#9.73.31':34354
'46.##5.248.236':34354
'90.##7.185.30':34354
'77.##3.173.75':34354
'69.##0.219.87':34354
'18#.#8.117.195':34354

TCP:

Запросы HTTP GET:

eg##kkid.cn/stat2.php?&a###
eg##kkid.cn/stat2.php?&a##

Технологии

Термины

Обучение и просвещение

Мифы

Техническая информация

Рекомендации по лечению

Демо бесплатно на 14 дней