Trojan.MulDrop8.62628

Техническая информация

Для обеспечения автозапуска и распространения:

Модифицирует следующие ключи реестра:

[<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce] 'wextract_cleanup0' = 'rundll32.exe <SYSTEM32>\advpack.dll,DelNodeRunDLL32 "%TEMP%\IXP000.TMP\"'

Вредоносные функции:

Завершает или пытается завершить

следующие системные процессы:

<SYSTEM32>\dmadmin.exe

Изменения в файловой системе:

Создает следующие файлы:

%TEMP%\IXP000.TMP\017892ae7a4d1ccfba3421a4345666d2.exe
C:\WOLF_2018.05.03\bin\ADQueryInput.xml
C:\WOLF_2018.05.03\bin\aut6a59089ff0719dfaf625.exe
C:\WOLF_2018.05.03\bin\autorunsc.exe
C:\WOLF_2018.05.03\bin\AutorunsParse.vbs
C:\WOLF_2018.05.03\bin\BinDir.txt
C:\WOLF_2018.05.03\bin\c8d3ae3940b63a7350b96f09efcfca10.exe
C:\WOLF_2018.05.03\bin\CABINET.dll
C:\WOLF_2018.05.03\bin\choice.exe
C:\WOLF_2018.05.03\bin\d1205d0e2804fa836d478df2743f515a.exe
C:\WOLF_2018.05.03\bin\d2667513cd52459bb3b6c2b3a083b9e7.exe
C:\WOLF_2018.05.03\bin\5e9d3ccfe2b13fdfcecb55b0fef67e22.exe
C:\WOLF_2018.05.03\bin\d697219770411f1eee30409a383d23ed.exe
C:\WOLF_2018.05.03\bin\diskpart_script.txt
C:\WOLF_2018.05.03\bin\du.exe
C:\WOLF_2018.05.03\bin\ef9e71f3c025e0614d72ee02.exe
C:\WOLF_2018.05.03\bin\express.cmd
C:\WOLF_2018.05.03\bin\fs1a5fc09dcd95535a0f.exe
C:\WOLF_2018.05.03\bin\Getdate.vbs
C:\WOLF_2018.05.03\bin\GetVer.exe
C:\WOLF_2018.05.03\bin\gsort.exe
C:\WOLF_2018.05.03\bin\libiconv2.dll
C:\WOLF_2018.05.03\bin\libintl3.dll
C:\WOLF_2018.05.03\bin\a51813affa20a56c3fd0f912ae4ac0a1.cmd
C:\WOLF_2018.05.03\bin\ADWolf.vbs
C:\WOLF_2018.05.03\bin\9a97b47ffed6fab2f13c68001de5efec.exe
C:\WOLF_2018.05.03\bin\9a76b1643a845e99f90cd4af7a250257.exe
C:\WOLF_2018.05.03\bin\99592bb84f181f1ac14f.exe
C:\WOLF_2018.05.03\bin\017892ae7a4d1ccfba3421a4345666d2.exe
C:\WOLF_2018.05.03\bin\0423efb969f57d23150b2ae328d03fe0.exe
C:\WOLF_2018.05.03\bin\168ab03b563a2cf977120ff9c9303bdbd.exe
C:\WOLF_2018.05.03\bin\19094e3805a819e24c36ceeed7cc4895.exe
C:\WOLF_2018.05.03\bin\1c2c08248ea83fb70b030a92c6f2084b.exe
C:\WOLF_2018.05.03\bin\24317e2d95535a0f.exe
C:\WOLF_2018.05.03\bin\3723b5f854802e590197d6fb4674cd.exe
C:\WOLF_2018.05.03\bin\47a8ff1de10901edb66503d906ac5f21.exe
C:\WOLF_2018.05.03\bin\4aec9a078d1e5d731b49c88b7783a1f6.exe
C:\WOLF_2018.05.03\bin\54f3d300b4366591b1aca795.exe
C:\WOLF_2018.05.03\bin\link.exe
C:\WOLF_2018.05.03\bin\d74ca13d06ce6270bee8.exe
C:\WOLF_2018.05.03\bin\5cbef12f3ace18023169a2f495710ead.exe
C:\WOLF_2018.05.03\bin\61d81123b8a5d0b23519368d2d5f54ce.exe
C:\WOLF_2018.05.03\bin\649d395f62b13f64ce6456b08ef37e64.exe
C:\WOLF_2018.05.03\bin\6570cfe3ccb3b82cef1d8352025eba95.exe
C:\WOLF_2018.05.03\bin\68281de5a45b42f4c9b6.exe
C:\WOLF_2018.05.03\bin\70a8907196fb4b1952ba90c60fab027d.exe
C:\WOLF_2018.05.03\bin\77f16f0f952564531215247fda2549cc.exe
C:\WOLF_2018.05.03\bin\7aa8f4d97c93655d99a5fc09dc7c01be.exe
C:\WOLF_2018.05.03\bin\801cfe446fff3cf4750a65b831.exe
C:\WOLF_2018.05.03\bin\80dcf2ee5e82d906.exe
C:\WOLF_2018.05.03\bin\90df810a87f2a3059abc1fe740d156ca.exe
C:\WOLF_2018.05.03\RUN_WOLF.cmd
C:\WOLF_2018.05.03\bin\61c92a93d61abfe5b417c64a8a234423.exe
C:\WOLF_2018.05.03\bin\net1-2000.exe
C:\WOLF_2018.05.03\bin\ZipWolf.exe
C:\WOLF_2018.05.03\bin\msvcr70.dll
C:\WOLF_2018.05.03\bin\t013u4od0a.exe
C:\WOLF_2018.05.03\bin\wusscan.dll
C:\WOLF_2018.05.03\bin\x86e4cfc7021b34f8cdb7144c622bccc0.exe
C:\WOLF_2018.05.03\bin\x64e4cfc7021b34f8cdb7144c622bccc0.exe
C:\WOLF_2018.05.03\bin\30e88b4c59c183d1dabd75c49ea85x86.exe
C:\WOLF_2018.05.03\bin\30e88b4c59c183d1dabd75c49ea85x64.exe
C:\WOLF_2018.05.03\bin\142206cff8ba39b109b5d95780ff32c9.exe
C:\WOLF_2018.05.03\bin\91921074da949d6a1d332d2277517db7.exe
C:\WOLF_2018.05.03\bin\RunWebShellScanner.vbs
C:\WOLF_2018.05.03\bin\iisiis.vbs
C:\WOLF_2018.05.03\bin\msdia20.dll
C:\WOLF_2018.05.03\bin\getAgain.bat
C:\WOLF_2018.05.03\bin\WebShclsId.cfg
C:\WOLF_2018.05.03\bin\webshell.csv
C:\WOLF_2018.05.03\bin\WebShellScanner.exe
C:\WOLF_2018.05.03\bin\WebShPattern.cfg
C:\WOLF_2018.05.03\bin\x64diskpartcn.exe
C:\WOLF_2018.05.03\bin\ZipCompress.vbs
C:\WOLF_2018.05.03\bin\TPQ.vbs
C:\WOLF_2018.05.03\bin\USNInfo_x64.exe
C:\WOLF_2018.05.03\bin\USNInfo_x86.exe
C:\WOLF_2018.05.03\bin\USNInfo.vbs
C:\WOLF_2018.05.03\bin\quser.xp
C:\WOLF_2018.05.03\bin\Sysinternals_Keys.reg.txt
C:\WOLF_2018.05.03\bin\query.xp
C:\WOLF_2018.05.03\bin\psapi.dll
C:\WOLF_2018.05.03\bin\PassPolicy.vbs
C:\WOLF_2018.05.03\bin\msxml2.dll
C:\WOLF_2018.05.03\bin\msxml2r.dll
C:\WOLF_2018.05.03\bin\net-2000.exe
C:\WOLF_2018.05.03\bin\net-2000.hlp
C:\WOLF_2018.05.03\bin\net-2003.exe
C:\WOLF_2018.05.03\bin\net-2003.hlp
C:\WOLF_2018.05.03\bin\net-2008.exe
C:\WOLF_2018.05.03\bin\net-Vista.exe
C:\WOLF_2018.05.03\bin\net-Win7.exe
C:\WOLF_2018.05.03\bin\net-XP.exe
C:\WOLF_2018.05.03\bin\mspdb71.dll
C:\WOLF_2018.05.03\WOLF_EULA.txt
C:\WOLF_2018.05.03\bin\net-XP.hlp
C:\WOLF_2018.05.03\bin\net1-2008.exe
C:\WOLF_2018.05.03\bin\net1-Vista.exe
C:\WOLF_2018.05.03\bin\net1-Win7.exe
C:\WOLF_2018.05.03\bin\net1-XP.exe
C:\WOLF_2018.05.03\bin\ntfscd91a5fc09d553x64.exe
C:\WOLF_2018.05.03\bin\ntfscd91a5fc09d553x86.exe
C:\WOLF_2018.05.03\bin\ntfscd91a5fc09d553x64-v2.exe
C:\WOLF_2018.05.03\bin\ntfscd91a5fc09d553x86-v2.exe
C:\WOLF_2018.05.03\bin\p9ol7.exe
C:\WOLF_2018.05.03\bin\PassPolicy.bat
C:\WOLF_2018.05.03\bin\msvcr71.dll
C:\WOLF_2018.05.03\bin\net1-2003.exe
C:\WOLF_2018.05.03\bin\msvcr90.dll
C:\WOLF_2018.05.03\do_not_run.cmd
%TEMP%\IXP000.TMP\USNInfo_x64.exe
%TEMP%\IXP000.TMP\a51813affa20a56c3fd0f912ae4ac0a1.cmd
%TEMP%\IXP000.TMP\ADQueryInput.xml
%TEMP%\IXP000.TMP\ADWolf.vbs
%TEMP%\IXP000.TMP\aut6a59089ff0719dfaf625.exe
%TEMP%\IXP000.TMP\autorunsc.exe
%TEMP%\IXP000.TMP\AutorunsParse.vbs
%TEMP%\IXP000.TMP\BinDir.txt
%TEMP%\IXP000.TMP\c8d3ae3940b63a7350b96f09efcfca10.exe
%TEMP%\IXP000.TMP\CABINET.dll
%TEMP%\IXP000.TMP\choice.exe
%TEMP%\IXP000.TMP\5cbef12f3ace18023169a2f495710ead.exe
%TEMP%\IXP000.TMP\d1205d0e2804fa836d478df2743f515a.exe
%TEMP%\IXP000.TMP\d697219770411f1eee30409a383d23ed.exe
%TEMP%\IXP000.TMP\d74ca13d06ce6270bee8.exe
%TEMP%\IXP000.TMP\diskpart_script.txt
%TEMP%\IXP000.TMP\do_not_run.cmd
%TEMP%\IXP000.TMP\du.exe
%TEMP%\IXP000.TMP\ef9e71f3c025e0614d72ee02.exe
%TEMP%\IXP000.TMP\express.cmd
%TEMP%\IXP000.TMP\fs1a5fc09dcd95535a0f.exe
%TEMP%\IXP000.TMP\getAgain.bat
%TEMP%\IXP000.TMP\Getdate.vbs
%TEMP%\IXP000.TMP\9a76b1643a845e99f90cd4af7a250257.exe
%TEMP%\IXP000.TMP\9a97b47ffed6fab2f13c68001de5efec.exe
%TEMP%\IXP000.TMP\99592bb84f181f1ac14f.exe
%TEMP%\IXP000.TMP\91921074da949d6a1d332d2277517db7.exe
%TEMP%\IXP000.TMP\90df810a87f2a3059abc1fe740d156ca.exe
%TEMP%\IXP000.TMP\142206cff8ba39b109b5d95780ff32c9.exe
%TEMP%\IXP000.TMP\168ab03b563a2cf977120ff9c9303bdbd.exe
%TEMP%\IXP000.TMP\19094e3805a819e24c36ceeed7cc4895.exe
%TEMP%\IXP000.TMP\1c2c08248ea83fb70b030a92c6f2084b.exe
%TEMP%\IXP000.TMP\24317e2d95535a0f.exe
%TEMP%\IXP000.TMP\30e88b4c59c183d1dabd75c49ea85x64.exe
%TEMP%\IXP000.TMP\30e88b4c59c183d1dabd75c49ea85x86.exe
%TEMP%\IXP000.TMP\3723b5f854802e590197d6fb4674cd.exe
%TEMP%\IXP000.TMP\47a8ff1de10901edb66503d906ac5f21.exe
%TEMP%\IXP000.TMP\4aec9a078d1e5d731b49c88b7783a1f6.exe
%TEMP%\IXP000.TMP\GetVer.exe
%TEMP%\IXP000.TMP\d2667513cd52459bb3b6c2b3a083b9e7.exe
%TEMP%\IXP000.TMP\54f3d300b4366591b1aca795.exe
%TEMP%\IXP000.TMP\61c92a93d61abfe5b417c64a8a234423.exe
%TEMP%\IXP000.TMP\61d81123b8a5d0b23519368d2d5f54ce.exe
%TEMP%\IXP000.TMP\649d395f62b13f64ce6456b08ef37e64.exe
%TEMP%\IXP000.TMP\6570cfe3ccb3b82cef1d8352025eba95.exe
%TEMP%\IXP000.TMP\68281de5a45b42f4c9b6.exe
%TEMP%\IXP000.TMP\70a8907196fb4b1952ba90c60fab027d.exe
%TEMP%\IXP000.TMP\77f16f0f952564531215247fda2549cc.exe
%TEMP%\IXP000.TMP\7aa8f4d97c93655d99a5fc09dc7c01be.exe
%TEMP%\IXP000.TMP\801cfe446fff3cf4750a65b831.exe
%TEMP%\IXP000.TMP\80dcf2ee5e82d906.exe
%TEMP%\IXP000.TMP\0423efb969f57d23150b2ae328d03fe0.exe
%TEMP%\IXP000.TMP\5e9d3ccfe2b13fdfcecb55b0fef67e22.exe
%TEMP%\IXP000.TMP\net1-Vista.exe
%TEMP%\IXP000.TMP\ZipCompress.vbs
%TEMP%\IXP000.TMP\libiconv2.dll
%TEMP%\IXP000.TMP\PassPolicy.bat
%TEMP%\IXP000.TMP\PassPolicy.vbs
%TEMP%\IXP000.TMP\psapi.dll
%TEMP%\IXP000.TMP\query.xp
%TEMP%\IXP000.TMP\quser.xp
%TEMP%\IXP000.TMP\RUN_WOLF.cmd
%TEMP%\IXP000.TMP\RunWebShellScanner.vbs
%TEMP%\IXP000.TMP\Sysinternals_Keys.reg.txt
%TEMP%\IXP000.TMP\t013u4od0a.exe
%TEMP%\IXP000.TMP\TPQ.vbs
%TEMP%\IXP000.TMP\gsort.exe
%TEMP%\IXP000.TMP\USNInfo.vbs
%TEMP%\IXP000.TMP\USNInfo_x86.exe
%TEMP%\IXP000.TMP\WebShclsId.cfg
%TEMP%\IXP000.TMP\webshell.csv
%TEMP%\IXP000.TMP\WebShellScanner.exe
%TEMP%\IXP000.TMP\WebShPattern.cfg
%TEMP%\IXP000.TMP\WOLF_EULA.txt
%TEMP%\IXP000.TMP\wusscan.dll
%TEMP%\IXP000.TMP\x64diskpartcn.exe
%TEMP%\IXP000.TMP\x64e4cfc7021b34f8cdb7144c622bccc0.exe
%TEMP%\IXP000.TMP\x86e4cfc7021b34f8cdb7144c622bccc0.exe
%TEMP%\IXP000.TMP\ntfscd91a5fc09d553x86-v2.exe
%TEMP%\IXP000.TMP\p9ol7.exe
%TEMP%\IXP000.TMP\ntfscd91a5fc09d553x86.exe
%TEMP%\IXP000.TMP\ntfscd91a5fc09d553x64-v2.exe
%TEMP%\IXP000.TMP\ntfscd91a5fc09d553x64.exe
%TEMP%\IXP000.TMP\link.exe
%TEMP%\IXP000.TMP\msdia20.dll
%TEMP%\IXP000.TMP\mspdb71.dll
%TEMP%\IXP000.TMP\msvcr70.dll
%TEMP%\IXP000.TMP\msvcr71.dll
%TEMP%\IXP000.TMP\msvcr90.dll
%TEMP%\IXP000.TMP\msxml2.dll
%TEMP%\IXP000.TMP\msxml2r.dll
%TEMP%\IXP000.TMP\net1-2000.exe
%TEMP%\IXP000.TMP\net1-2003.exe
%TEMP%\IXP000.TMP\iisiis.vbs
%TEMP%\IXP000.TMP\ZipWolf.exe
%TEMP%\IXP000.TMP\net1-2008.exe
%TEMP%\IXP000.TMP\net1-XP.exe
%TEMP%\IXP000.TMP\net-2000.exe
%TEMP%\IXP000.TMP\net-2000.hlp
%TEMP%\IXP000.TMP\net-2003.exe
%TEMP%\IXP000.TMP\net-2003.hlp
%TEMP%\IXP000.TMP\net-2008.exe
%TEMP%\IXP000.TMP\net-Vista.exe
%TEMP%\IXP000.TMP\net-Win7.exe
%TEMP%\IXP000.TMP\net-XP.exe
%TEMP%\IXP000.TMP\net-XP.hlp
%TEMP%\IXP000.TMP\libintl3.dll
%TEMP%\IXP000.TMP\net1-Win7.exe
C:\WOLF_2018.05.03\bin\iis\webshell.csv

Другое:

Создает и запускает на исполнение:

'C:\WOLF_2018.05.03\bin\GetVer.exe'

Запускает на исполнение:

'<SYSTEM32>\cmd.exe' /c %TEMP%\IXP000.TMP\run_wolf.cmd /sccm
'<SYSTEM32>\mode.com' CON COLS=100 LINES=28
'<SYSTEM32>\cmd.exe' /S /D /c" ECHO <SYSTEM32>;%WINDIR%;<SYSTEM32>\Wbem "
'<SYSTEM32>\find.exe' ";;"
'<SYSTEM32>\diskpart.exe' /s C:\WOLF_2018.05.03\bin\diskpart_script.txt
'<SYSTEM32>\find.exe' "no fixed disks"
'<SYSTEM32>\dmadmin.exe' /com

Технологии

Термины

Обучение и просвещение

Мифы

Техническая информация

Рекомендации по лечению

Демо бесплатно на 14 дней