Trojan.DownLoader5.29830

Техническая информация

Для обеспечения автозапуска и распространения:

Модифицирует следующие ключи реестра:

[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001] 'LibraryPath' = 'mswsock.dll'
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003] 'LibraryPath' = 'mswsock.dll'
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008] 'PackedCatalogItem' = ''

Создает следующие сервисы:

[<HKLM>\SYSTEM\ControlSet001\Services\.mrxsmb] 'ImagePath' = '\*'

Вредоносные функции:

Внедряет код в

следующие системные процессы:

<SYSTEM32>\winlogon.exe
%WINDIR%\Explorer.EXE

Изменения в файловой системе:

Создает следующие файлы:

%WINDIR%\$NtUninstallKB27979$\4121336045\cfg.ini
%WINDIR%\$NtUninstallKB27979$\4121336045\@
%WINDIR%\$NtUninstallKB27979$\4121336045\Desktop.ini
%WINDIR%\$NtUninstallKB27979$\4121336045\L\alehhooo

Самоудаляется.

Сетевая активность:

Подключается к:

'17#.#16.73.88':34354
'75.#5.55.87':34354
'68.##.195.188':34354
'69.##9.66.90':34354
'79.##4.106.85':34354
'67.##0.172.84':34354
'66.##8.154.189':34354
'17#.#0.148.248':34354
'65.##.105.182':34354
'68.##9.248.95':34354
'14.##.149.177':34354
'21#.#6.11.182':34354
'67.##.13.187':34354
'67.##0.43.23':34354
'18#.#6.11.24':34354
'24.##6.211.186':34354
'71.##6.219.201':34354
'71.##0.26.75':34354
'65.#2.54.76':34354
'17#.#01.26.245':34354
'68.##.82.206':34354
'17#.#23.176.241':34354
'74.##0.212.202':34354
'24.##.112.244':34354
'46.##9.56.247':34354
'98.##8.177.196':34354
'50.#0.18.84':34354
'24.##4.132.83':34354
'92.##.22.198':34354
'70.##8.91.76':34354
'98.#81.7.82':34354
'76.##4.53.31':34354
'24.#.245.122':34354
'68.##.74.137':34354
'76.##2.162.14':34354
'68.##.154.127':34354
'18#.#3.104.158':34354
'72.##1.113.160':34354
'67.##6.195.142':34354
'18#.#33.240.144':34354
'11#.#19.185.129':34354
'96.##.81.134':34354
'79.#17.84.1':34354
'80.##2.125.132':34354
'71.##.246.12':34354
'24.#.1.13':34354
'12#.#22.25.4':34354
'67.##.189.135':34354
'24.##.145.170':34354
'64.##8.183.18':34354
'98.##.168.176':34354
'17#.#26.142.110':34354
'72.##9.35.177':34354
'99.##1.124.105':34354
'21#.#25.143.108':34354
'79.##8.163.249':34354
'18#.#1.245.115':34354
'97.##1.167.170':34354
'19#.#9.51.169':34354
'96.##.110.116':34354
'50.##.169.17':34354
'11#.#04.58.111':34354
'87.##0.22.171':34354
'17#.#5.213.172':34354
'17#.#54.128.24':34354
'71.#0.46.95':34354
'82.##2.136.192':34354
'17#.8.3.191':34354
'24.##.13.106':34354
'17#.#09.139.251':34354
'98.##8.141.23':34354
'24.#.44.183':34354
'75.##.95.211':34354
'12#.#47.16.203':34354
'89.#2.9.64':34354
'68.##.107.65':34354
'98.##3.97.30':34354
'98.##0.254.192':34354
'70.##0.223.196':34354
'76.##3.163.63':34354
'17#.#6.199.6':34354
'76.##3.115.4':34354
'68.#4.127.7':34354
'98.##8.236.6':34354
'76.##2.161.251':34354
'78.##.74.228':34354
'24.#.116.126':34354
'98.#28.17.4':34354
'68.##1.245.15':34354
'75.##.229.123':34354
'75.#1.107.2':34354
'68.##9.43.110':34354
'24.##5.206.124':34354
'18#.#7.30.10':34354
'65.#5.53.13':34354
'98.##5.126.124':34354
'88.##7.198.61':34354
'93.##.201.216':34354
'76.##.192.40':34354
'74.##.149.212':34354
'76.##7.186.219':34354
'67.#3.30.57':34354
'98.##8.176.59':34354
'10#.#.28.237':34354
'71.##8.248.213':34354
'85.##.183.215':34354
'68.##.175.211':34354
'72.##0.209.66':34354
'78.##.241.215':34354
'76.##0.123.240':34354
'66.#5.65.66':34354
'94.##.85.241':34354
'24.##6.50.226':34354
'74.##7.4.237':34354
'67.##.239.130':34354
'75.#5.5.222':34354
'17#.#8.23.41':34354
'18#.#14.58.237':34354
'70.##2.203.41':34354
'58.##.163.59':34354
'17#.#69.180.54':34354
'74.##8.54.236':34354
'50.#.28.223':34354
'80.##8.14.224':34354
'87.##1.225.47':34354
'68.##8.247.232':34354
'69.##.223.226':34354
'24.##.120.233':34354
'49.##9.175.252':34354
'17#.#58.73.93':34354
'75.##0.126.143':34354
'66.##.236.156':34354
'19#.#01.99.45':34354
'24.##1.243.154':34354
'10#.#.133.247':34354
'87.##.91.102':34354
'79.##9.38.146':34354
'69.##4.115.35':34354
'24.##0.217.95':34354
'75.#.253.70':34354
'62.##.60.249':34354
'85.##5.21.204':34354
'68.##.160.239':34354
'69.##8.56.100':34354
'87.#.181.130':34354
'72.##8.169.56':34354
'69.##1.62.112':34354
'70.##.246.24':34354
'95.##4.27.151':34354
'24.#.133.252':34354
'20#.#10.215.171':34354
'19#.#60.97.178':34354
'76.##8.221.66':34354
'76.##2.183.37':34354
'24.##6.221.122':34354
'66.##.24.161':34354
'21#.#31.32.35':34354
'80.##5.124.82':34354
'46.##5.163.244':34354
'76.#77.5.30':34354
'66.##.81.192':34354
'18#.#24.181.82':34354
'24.##.136.200':34354
'24.##7.91.22':34354
'24.##6.235.2':34354
'98.##3.118.145':34354
'66.##.126.213':34354
'68.##.32.193':34354
'69.##5.205.70':34354
'50.##3.9.126':34354
'78.##.169.61':34354
'localhost':80
'89.##3.205.174':34354
'18#.#37.181.31':34354
'68.##9.192.85':34354
'18#.#6.133.174':34354
'10#.#99.176.148':34354
'20#.54.8.86':34354
'17#.#5.136.137':34354
'74.##9.49.79':34354
'78.##1.255.110':34354
'75.#3.67.21':34354
'2.###.147.198':34354
'20#.#6.161.135':34354
'19#.#7.208.66':34354
'99.##7.210.129':34354
'99.##1.84.198':34354
'85.##5.92.111':34354
'10#.#99.236.240':34354
'66.#5.7.99':34354
'69.##6.16.228':34354
'11#.#41.18.65':34354
'71.##6.23.117':34354
'66.##9.174.148':34354
'71.##.250.147':34354
'24.##9.64.73':34354
'18.##1.21.215':34354
'98.#0.27.38':34354
'74.##3.162.77':34354
'95.##.64.146':34354
'20#.#74.89.66':34354
'70.##.222.120':34354
'66.##9.36.56':34354
'90.##0.135.159':34354
'71.##.117.159':34354
'24.##7.50.154':34354
'75.##.143.197':34354
'15#.#81.155.156':34354
'62.#8.58.47':34354
'17#.#22.141.227':34354
'89.##.105.113':34354
'17#.#.139.250':34354
'67.##3.238.220':34354
'17#.#1.96.129':34354
'17#.#5.101.59':34354
'76.##.171.122':34354
'11#.#93.76.135':34354
'18#.#8.105.49':34354
'72.##9.251.118':34354
'70.##1.117.145':34354
'76.#1.7.122':34354
'66.##.203.90':34354
'10#.#5.139.137':34354
'92.##4.16.143':34354
'71.##9.117.142':34354
'71.#2.35.76':34354
'18#.#0.118.143':34354
'74.##2.72.153':34354
'72.##.187.184':34354
'86.##2.230.93':34354
'18#.#3.164.105':34354
'68.##8.81.71':34354
'10#.#01.222.138':34354
'14#.#15.176.57':34354
'76.##9.56.227':34354
'74.##.69.251':34354
'69.##3.182.70':34354
'95.##.244.148':34354
'18#.#.250.46':34354
'12#.#64.16.172':34354
'20#.#36.228.200':34354
'76.##.123.28':34354
'95.##.175.51':34354
'98.##5.191.112':34354
'95.##.32.196':34354
'24.#.32.171':34354
'62.##3.24.119':34354
'74.##.25.162':34354
'98.#0.77.82':34354
'79.##4.240.44':34354
'17#.#68.123.206':34354
'75.##0.184.53':34354
'77.##.79.242':34354
'18#.#7.35.178':34354
'69.##7.49.41':34354
'71.##.56.173':34354
'66.##8.75.236':34354

TCP:

Запросы HTTP GET:

eg##kkid.cn/stat2.php?&a#################
eg##kkid.cn/stat2.php?&a################

Технологии

Термины

Обучение и просвещение

Мифы

Техническая информация

Рекомендации по лечению

Демо бесплатно на 14 дней