Техническая информация
Вредоносные функции
Внедряет код в
следующие пользовательские процессы:
- moxt2.exe
- bash.exe
Изменения в файловой системе
Создает следующие файлы
- <Текущая директория>\mobaxterm.ini
- %TEMP%\user_mobaxterm\usr\share\x11\xkb\symbols\fo
- %TEMP%\user_mobaxterm\usr\share\x11\xkb\symbols\fr
- %TEMP%\user_mobaxterm\usr\share\x11\xkb\symbols\gb
- %TEMP%\user_mobaxterm\usr\share\x11\xkb\symbols\ge
- %TEMP%\user_mobaxterm\usr\share\x11\xkb\symbols\gh
- %TEMP%\user_mobaxterm\usr\share\x11\xkb\symbols\gn
- %TEMP%\user_mobaxterm\usr\share\x11\xkb\symbols\gr
- %TEMP%\user_mobaxterm\usr\share\x11\xkb\symbols\group
- %TEMP%\user_mobaxterm\usr\share\x11\xkb\symbols\hr
- %TEMP%\user_mobaxterm\usr\share\x11\xkb\symbols\hu
- %TEMP%\user_mobaxterm\usr\share\x11\xkb\symbols\ie
- %TEMP%\user_mobaxterm\usr\share\x11\xkb\symbols\es
- %TEMP%\user_mobaxterm\usr\share\x11\xkb\symbols\il
- %TEMP%\user_mobaxterm\usr\share\x11\xkb\symbols\inet
- %TEMP%\user_mobaxterm\usr\share\x11\xkb\symbols\iq
- %TEMP%\user_mobaxterm\usr\share\x11\xkb\symbols\ir
- %TEMP%\user_mobaxterm\usr\share\x11\xkb\symbols\is
- %TEMP%\user_mobaxterm\usr\share\x11\xkb\symbols\it
- %TEMP%\user_mobaxterm\usr\share\x11\xkb\symbols\jp
- %TEMP%\user_mobaxterm\usr\share\x11\xkb\symbols\kg
- %TEMP%\user_mobaxterm\usr\share\x11\xkb\symbols\kh
- %TEMP%\user_mobaxterm\usr\share\x11\xkb\symbols\kpdl
- %TEMP%\user_mobaxterm\usr\share\x11\xkb\symbols\kr
- %TEMP%\user_mobaxterm\usr\share\x11\xkb\symbols\kz
- %TEMP%\user_mobaxterm\usr\share\x11\xkb\symbols\eurosign
- %TEMP%\user_mobaxterm\usr\share\x11\xkb\symbols\fi
- %TEMP%\user_mobaxterm\usr\share\x11\xkb\symbols\et
- %TEMP%\user_mobaxterm\usr\share\x11\xkb\symbols\epo
- %TEMP%\user_mobaxterm\usr\share\x11\xkb\symbols\latam
- %TEMP%\user_mobaxterm\usr\share\x11\xkb\symbols\al
- %TEMP%\user_mobaxterm\usr\share\x11\xkb\symbols\altwin
- %TEMP%\user_mobaxterm\usr\share\x11\xkb\symbols\am
- %TEMP%\user_mobaxterm\usr\share\x11\xkb\symbols\ara
- %TEMP%\user_mobaxterm\usr\share\x11\xkb\symbols\az
- %TEMP%\user_mobaxterm\usr\share\x11\xkb\symbols\ba
- %TEMP%\user_mobaxterm\usr\share\x11\xkb\symbols\bd
- %TEMP%\user_mobaxterm\usr\share\x11\xkb\symbols\be
- %TEMP%\user_mobaxterm\usr\share\x11\xkb\symbols\bg
- %TEMP%\user_mobaxterm\usr\share\x11\xkb\symbols\br
- %TEMP%\user_mobaxterm\usr\share\x11\xkb\symbols\la
- %TEMP%\user_mobaxterm\usr\share\x11\xkb\symbols\ad
- %TEMP%\user_mobaxterm\usr\share\x11\xkb\symbols\in
- %TEMP%\user_mobaxterm\usr\share\x11\xkb\symbols\brai
- %TEMP%\user_mobaxterm\usr\share\x11\xkb\symbols\capslock
- %TEMP%\user_mobaxterm\usr\share\x11\xkb\symbols\cd
- %TEMP%\user_mobaxterm\usr\share\x11\xkb\symbols\ch
- %TEMP%\user_mobaxterm\usr\share\x11\xkb\symbols\cn
- %TEMP%\user_mobaxterm\usr\share\x11\xkb\symbols\compose
- %TEMP%\user_mobaxterm\usr\share\x11\xkb\symbols\ctrl
- %TEMP%\user_mobaxterm\usr\share\x11\xkb\symbols\cz
- %TEMP%\user_mobaxterm\usr\share\x11\xkb\symbols\de
- %TEMP%\user_mobaxterm\usr\share\x11\xkb\symbols\dk
- %TEMP%\user_mobaxterm\usr\share\x11\xkb\symbols\ee
- %TEMP%\user_mobaxterm\usr\share\x11\xkb\symbols\bt
- %TEMP%\user_mobaxterm\usr\share\x11\xkb\symbols\by
- %TEMP%\user_mobaxterm\usr\share\x11\xkb\symbols\ca
- %TEMP%\user_mobaxterm\usr\share\x11\locale\locale.dir
- %TEMP%\user_mobaxterm\usr\share\x11\xkb\symbols\latin
- %TEMP%\user_mobaxterm\usr\share\x11\xkb\symbols\sy
- %TEMP%\user_mobaxterm\usr\share\x11\xkb\symbols\terminate
- %TEMP%\user_mobaxterm\usr\share\x11\xkb\symbols\th
- %TEMP%\user_mobaxterm\usr\share\x11\xkb\symbols\tj
- %TEMP%\user_mobaxterm\usr\share\x11\xkb\symbols\tm
- %TEMP%\user_mobaxterm\usr\share\x11\xkb\symbols\tr
- %TEMP%\user_mobaxterm\usr\share\x11\xkb\symbols\typo
- %TEMP%\user_mobaxterm\usr\share\x11\xkb\symbols\ua
- %TEMP%\user_mobaxterm\usr\share\x11\xkb\symbols\us
- %TEMP%\user_mobaxterm\usr\share\x11\xkb\symbols\uz
- %TEMP%\user_mobaxterm\usr\share\x11\xkb\symbols\vn
- %TEMP%\user_mobaxterm\usr\share\x11\xkb\symbols\za
- %TEMP%\user_mobaxterm\usr\share\x11\xkb\symbols\srvr_ctrl
- %TEMP%\user_mobaxterm\usr\share\x11\xkb\symbols\pc
- %TEMP%\user_mobaxterm\usr\share\x11\xkb\symbols\sn
- %TEMP%\user_mobaxterm\usr\share\x11\xkb\types\complete
- %TEMP%\user_mobaxterm\usr\share\x11\xkb\types\default
- %TEMP%\user_mobaxterm\usr\share\x11\xkb\types\extra
- %TEMP%\user_mobaxterm\usr\share\x11\xkb\types\iso9995
- %TEMP%\user_mobaxterm\usr\share\x11\xkb\types\level5
- %TEMP%\user_mobaxterm\usr\share\x11\xkb\types\mousekeys
- %TEMP%\user_mobaxterm\usr\share\x11\xkb\types\numpad
- %TEMP%\user_mobaxterm\usr\share\x11\xkb\types\pc
- %TEMP%\user_mobaxterm\tmp\.x11-unix\x0
- %TEMP%\user_mobaxterm\tmp\.tx0-lock
- %TEMP%\user_mobaxterm\var\log\xwin\xwin.0.log
- %TEMP%\user_mobaxterm\usr\share\x11\xkb\types\cancel
- %TEMP%\user_mobaxterm\usr\share\x11\xkb\types\basic
- %TEMP%\user_mobaxterm\usr\share\x11\xkb\symbols\af
- %TEMP%\user_mobaxterm\usr\share\x11\xkb\symbols\si
- %TEMP%\user_mobaxterm\usr\share\x11\xkb\symbols\nl
- %TEMP%\user_mobaxterm\usr\share\x11\xkb\symbols\lk
- %TEMP%\user_mobaxterm\usr\share\x11\xkb\symbols\lt
- %TEMP%\user_mobaxterm\usr\share\x11\xkb\symbols\lv
- %TEMP%\user_mobaxterm\usr\share\x11\xkb\symbols\ma
- %TEMP%\user_mobaxterm\usr\share\x11\xkb\symbols\mao
- %TEMP%\user_mobaxterm\usr\share\x11\xkb\symbols\me
- %TEMP%\user_mobaxterm\usr\share\x11\xkb\symbols\mk
- %TEMP%\user_mobaxterm\usr\share\x11\xkb\symbols\mm
- %TEMP%\user_mobaxterm\usr\share\x11\xkb\symbols\mn
- %TEMP%\user_mobaxterm\usr\share\x11\xkb\symbols\mt
- %TEMP%\user_mobaxterm\usr\share\x11\xkb\symbols\mv
- %TEMP%\user_mobaxterm\usr\share\x11\xkb\symbols\sk
- %TEMP%\user_mobaxterm\usr\share\x11\xkb\symbols\level3
- %TEMP%\user_mobaxterm\usr\share\x11\xkb\symbols\level5
- %TEMP%\user_mobaxterm\usr\share\x11\xkb\symbols\no
- %TEMP%\user_mobaxterm\usr\share\x11\xkb\symbols\np
- %TEMP%\user_mobaxterm\usr\share\x11\xkb\symbols\olpc
- %TEMP%\user_mobaxterm\usr\share\x11\xkb\symbols\pk
- %TEMP%\user_mobaxterm\usr\share\x11\xkb\symbols\pl
- %TEMP%\user_mobaxterm\usr\share\x11\xkb\symbols\pt
- %TEMP%\user_mobaxterm\usr\share\x11\xkb\symbols\ro
- %TEMP%\user_mobaxterm\usr\share\x11\xkb\symbols\rs
- %TEMP%\user_mobaxterm\usr\share\x11\xkb\symbols\ru
- %TEMP%\user_mobaxterm\usr\share\x11\xkb\symbols\se
- %TEMP%\user_mobaxterm\usr\share\x11\xkb\symbols\shift
- %TEMP%\user_mobaxterm\usr\share\x11\xkb\symbols\ng
- %TEMP%\user_mobaxterm\usr\share\x11\xkb\symbols\nbsp
- %TEMP%\user_mobaxterm\usr\share\x11\xkb\symbols\keypad
- %TEMP%\user_mobaxterm\usr\share\x11\xkb\semantics\xtest
- %TEMP%\user_mobaxterm\usr\share\x11\xkb\semantics\default
- %TEMP%\user_mobaxterm\bin\mobacomparefolders
- %TEMP%\user_mobaxterm\usr\share\terminfo\78\xterm
- %TEMP%\user_mobaxterm\usr\share\terminfo\63\cygwin
- %TEMP%\user_mobaxterm\etc\bash_completion
- %TEMP%\user_mobaxterm\usr\share\zoneinfo\posixrules
- %TEMP%\user_mobaxterm\etc\inputrc
- %TEMP%\user_mobaxterm\registry
- %TEMP%\user_mobaxterm\bin\sh
- %TEMP%\user_mobaxterm\etc\hosts
- %TEMP%\user_mobaxterm\etc\networks
- %TEMP%\user_mobaxterm\bin\mobacalc
- %TEMP%\user_mobaxterm\bin\bash.exe
- %TEMP%\user_mobaxterm\bin\mobacomparefiles
- %TEMP%\user_mobaxterm\etc\protocol
- %TEMP%\user_mobaxterm\home\mobaxterm\launcherfolder
- %TEMP%\user_mobaxterm\home\mobaxterm\drives
- %TEMP%\user_mobaxterm\cygdrive
- %TEMP%\user_mobaxterm\mnt
- %TEMP%\user_mobaxterm\media
- %TEMP%\user_mobaxterm\bin\rm
- %TEMP%\user_mobaxterm\bin\xkbcomp.exe
- %TEMP%\user_mobaxterm\bin\cygx11-6.dll
- %TEMP%\user_mobaxterm\bin\cygxcb-1.dll
- %TEMP%\user_mobaxterm\bin\cygxau-6.dll
- %TEMP%\user_mobaxterm\etc\services
- %TEMP%\user_mobaxterm\home\mobaxterm\desktop
- %TEMP%\user_mobaxterm\home\mobaxterm\mydocuments
- %TEMP%\user_mobaxterm\tmp\xkb_mkjeum
- %TEMP%\user_mobaxterm\bin\cygxdmcp-6.dll
- %TEMP%\user_mobaxterm\usr\share\x11\xkb\xkbcomp
- %TEMP%\user_mobaxterm\home\user
- %TEMP%\user_mobaxterm\etc\profile
- %TEMP%\user_mobaxterm\etc\ssh_config
- %TEMP%\user_mobaxterm\etc\baseprofile
- %TEMP%\user_mobaxterm\etc\passwd
- %TEMP%\user_mobaxterm\etc\group
- %TEMP%\user_mobaxterm\etc\init.d\ftpd
- %TEMP%\user_mobaxterm\etc\init.d\telnetd
- %TEMP%\user_mobaxterm\etc\init.d\httpd
- %TEMP%\user_mobaxterm\etc\init.d\tftpd
- %TEMP%\user_mobaxterm\etc\init.d\dnsd
- %TEMP%\user_mobaxterm\bin\mobalistports
- %TEMP%\user_mobaxterm\bin\mobapictureviewer
- %TEMP%\user_mobaxterm\bin\cygwin1.dll
- %TEMP%\user_mobaxterm\bin\cygintl-8.dll
- %TEMP%\user_mobaxterm\bin\cygiconv-2.dll
- %TEMP%\user_mobaxterm\bin\cygreadline7.dll
- %TEMP%\user_mobaxterm\bin\cygncurses-9.dll
- %TEMP%\user_mobaxterm\bin\moxt2.exe
- %TEMP%\user_mobaxterm\bin\cygwin-console-helper.exe
- %TEMP%\user_mobaxterm\bin\busybox.exe
- %TEMP%\mobaconsole2.ttf
- %TEMP%\user_mobaxterm\usr\share\x11\xkb\rules\xorg
- %TEMP%\user_mobaxterm\usr\share\x11\xkb\rules\xorg.lst
- %TEMP%\user_mobaxterm\usr\share\x11\xkb\rules\xorg.xml
- %TEMP%\user_mobaxterm\etc\fstab
- %TEMP%\user_mobaxterm\bin\cyggcc_s-1.dll
- %TEMP%\user_mobaxterm\usr\share\x11\xkb\types\caps
- %TEMP%\user_mobaxterm\bin\cygxkbfile-1.dll
- %TEMP%\user_mobaxterm\usr\share\x11\xkeysymdb
- %TEMP%\user_mobaxterm\usr\share\x11\xkb\compat\misc
- %TEMP%\user_mobaxterm\usr\share\x11\xkb\compat\mousekeys
- %TEMP%\user_mobaxterm\usr\share\x11\xkb\compat\norepeat
- %TEMP%\user_mobaxterm\usr\share\x11\xkb\compat\olpc
- %TEMP%\user_mobaxterm\usr\share\x11\xkb\compat\pc
- %TEMP%\user_mobaxterm\usr\share\x11\xkb\compat\pc98
- %TEMP%\user_mobaxterm\usr\share\x11\xkb\compat\xfree86
- %TEMP%\user_mobaxterm\usr\share\x11\xkb\compat\xtest
- %TEMP%\user_mobaxterm\usr\share\x11\xkb\geometry\pc
- %TEMP%\user_mobaxterm\usr\share\x11\xkb\keycodes\aliases
- %TEMP%\user_mobaxterm\usr\share\x11\xkb\keycodes\xfree86
- %TEMP%\user_mobaxterm\lib\x11\protocol.txt
- %TEMP%\user_mobaxterm\usr\share\x11\xkb\compat\level5
- %TEMP%\user_mobaxterm\usr\share\x11\xkb\compat\ledscroll
- %TEMP%\user_mobaxterm\usr\share\x11\xkb\rules\base.extras.xml
- %TEMP%\user_mobaxterm\usr\share\x11\xkb\rules\base.lst
- %TEMP%\user_mobaxterm\usr\share\x11\xkb\rules\base.xml
- %TEMP%\user_mobaxterm\usr\share\x11\xkb\rules\evdev
- %TEMP%\user_mobaxterm\usr\share\x11\xkb\rules\evdev.extras.xml
- %TEMP%\user_mobaxterm\usr\share\x11\xkb\rules\evdev.lst
- %TEMP%\user_mobaxterm\usr\share\x11\xkb\rules\evdev.xml
- %TEMP%\user_mobaxterm\usr\share\x11\xkb\rules\xfree98
- %TEMP%\user_mobaxterm\usr\share\x11\xkb\rules\xkb.dtd
- %TEMP%\user_mobaxterm\usr\share\x11\xkb\semantics\basic
- %TEMP%\user_mobaxterm\usr\share\x11\xkb\semantics\complete
- %TEMP%\user_mobaxterm\usr\share\x11\xkb\keycodes\xfree98
- %TEMP%\user_mobaxterm\usr\share\x11\xkb\rules\base
- %TEMP%\user_mobaxterm\lib\dri\swrast_dri.so
- %TEMP%\user_mobaxterm\usr\share\x11\xkb\keymap\xfree98
- %TEMP%\user_mobaxterm\bin\mobatexteditor
- %TEMP%\user_mobaxterm\bin\xwin.exe
- %TEMP%\user_mobaxterm\bin\cygbz2-1.dll
- %TEMP%\user_mobaxterm\bin\cygcrypto-0.9.8.dll
- %TEMP%\user_mobaxterm\bin\cygz.dll
- %TEMP%\user_mobaxterm\bin\cygfontenc-1.dll
- %TEMP%\user_mobaxterm\bin\cygfreetype-6.dll
- %TEMP%\user_mobaxterm\bin\cygglapi-0.dll
- %TEMP%\user_mobaxterm\bin\cygxcursor-1.dll
- %TEMP%\user_mobaxterm\bin\cygxfixes-3.dll
- %TEMP%\user_mobaxterm\bin\cygxrender-1.dll
- %TEMP%\user_mobaxterm\usr\share\x11\xkb\keymap\xfree86
- %TEMP%\user_mobaxterm\usr\share\x11\xkb\compat\keypad
- %TEMP%\user_mobaxterm\usr\share\x11\xkb\compat\lednum
- %TEMP%\user_mobaxterm\usr\share\x11\xkb\compat\ledcaps
- %TEMP%\user_mobaxterm\usr\share\x11\locale\iso8859-1\xlc_locale
- %TEMP%\user_mobaxterm\usr\share\fonts\misc\6x13-iso8859-1.pcf
- %TEMP%\user_mobaxterm\usr\share\fonts\misc\cursor.pcf
- %TEMP%\user_mobaxterm\usr\share\fonts\misc\fonts.alias
- %TEMP%\user_mobaxterm\usr\share\fonts\misc\fonts.dir
- %TEMP%\user_mobaxterm\usr\share\x11\xkb\compat\accessx
- %TEMP%\user_mobaxterm\usr\share\x11\xkb\compat\basic
- %TEMP%\user_mobaxterm\usr\share\x11\xkb\compat\complete
- %TEMP%\user_mobaxterm\usr\share\x11\xkb\compat\default
- %TEMP%\user_mobaxterm\usr\share\x11\xkb\compat\iso9995
- %TEMP%\user_mobaxterm\usr\share\x11\xkb\compat\japan
- %TEMP%\user_mobaxterm\usr\share\x11\locale\locale.alias
- %TEMP%\user_mobaxterm\usr\share\x11\locale\c\xlc_locale
- %TEMP%\user_mobaxterm\var\lib\xkb\server-0.xkm
Присваивает атрибут 'скрытый' для следующих файлов
- %TEMP%\user_mobaxterm\home\user
- %TEMP%\user_mobaxterm\mnt
- %TEMP%\user_mobaxterm\cygdrive
- %TEMP%\user_mobaxterm\home\mobaxterm\drives
- %TEMP%\user_mobaxterm\home\mobaxterm\launcherfolder
- %TEMP%\user_mobaxterm\home\mobaxterm\mydocuments
- %TEMP%\user_mobaxterm\home\mobaxterm\desktop
- %TEMP%\user_mobaxterm\etc\services
- %TEMP%\user_mobaxterm\media
- %TEMP%\user_mobaxterm\etc\protocol
- %TEMP%\user_mobaxterm\etc\hosts
- %TEMP%\user_mobaxterm\bin\sh
- %TEMP%\user_mobaxterm\registry
- %TEMP%\user_mobaxterm\usr\share\x11\xkb\xkbcomp
- %TEMP%\user_mobaxterm\usr\share\x11\xkb\rules\xorg.xml
- %TEMP%\user_mobaxterm\usr\share\x11\xkb\rules\xorg.lst
- %TEMP%\user_mobaxterm\usr\share\x11\xkb\rules\xorg
- %TEMP%\user_mobaxterm\etc\networks
- %TEMP%\user_mobaxterm\bin\rm
Удаляет следующие файлы
- %TEMP%\user_mobaxterm\tmp\xkb_mkjeum
- %TEMP%\user_mobaxterm\var\lib\xkb\server-0.xkm
Другое
Ищет следующие окна
- ClassName: 'TMobaXtermForm' WindowName: ''
- ClassName: 'msctls_updown32' WindowName: ''
- ClassName: 'MoXT2' WindowName: ''
Создает и запускает на исполнение
- '%TEMP%\user_mobaxterm\bin\moxt2.exe' -s 80,28 -t "/home/mobaxterm" -c "<Текущая директория>\MobaXterm.ini" -w 524824 -n 1 -q 1 -a hide -p 2000,2000 -o ScrollbackLines=360000 -e /bin/bash.exe -l -i
- '%TEMP%\user_mobaxterm\bin\cygwin-console-helper.exe' 0x44 0x174
- '%TEMP%\user_mobaxterm\bin\moxt2.exe'
- '%TEMP%\user_mobaxterm\bin\cygwin-console-helper.exe' 0x1DC 0x1D4
- '%TEMP%\user_mobaxterm\bin\bash.exe' -l -i
- '%TEMP%\user_mobaxterm\bin\bash.exe'
- '%TEMP%\user_mobaxterm\bin\busybox.exe' -f /home/mobaxterm/*.stackdump
- '%TEMP%\user_mobaxterm\bin\bash.exe' -l -i -c "/bin/XWin.exe -silent-dup-error -notrayicon -extension RANDR -nolisten inet6 -hostintitle -clipboard -ac -multiwindow -fp /usr/share/fonts/misc :0"
- '%TEMP%\user_mobaxterm\bin\xwin.exe' -silent-dup-error -notrayicon -extension RANDR -nolisten inet6 -hostintitle -clipboard -ac -multiwindow -fp /usr/share/fonts/misc :0
- '%TEMP%\user_mobaxterm\bin\bash.exe' -c "\"/usr/bin/xkbcomp\" -w 1 \"-R/usr/share/X11/xkb\" -xkm \"/tmp/xkb_MKjEuM\" -em1 \"The XKEYBOARD keymap compiler (xkbcomp) reports:\" -emp \"> \" -eml \"Errors from xkbcomp are not fatal to...
- '%TEMP%\user_mobaxterm\bin\xkbcomp.exe' -w 1 -R/usr/share/X11/xkb -xkm /tmp/xkb_MKjEuM -em1 "The XKEYBOARD keymap compiler (xkbcomp) reports:" -emp "> " -eml "Errors from xkbcomp are not fatal to the X server" /var/lib/xkb/server-0.x...
- '%TEMP%\user_mobaxterm\bin\moxt2.exe' -s 80,28 -t "/home/mobaxterm" -c "<Текущая директория>\MobaXterm.ini" -w 524824 -n 1 -q 1 -a hide -p 2000,2000 -o ScrollbackLines=360000 -e /bin/bash.exe -l -i' (со скрытым окном)
- '%TEMP%\user_mobaxterm\bin\cygwin-console-helper.exe' 0x44 0x174' (со скрытым окном)
- '%TEMP%\user_mobaxterm\bin\cygwin-console-helper.exe' 0x1DC 0x1D4' (со скрытым окном)
- '%TEMP%\user_mobaxterm\bin\bash.exe' -l -i -c "/bin/XWin.exe -silent-dup-error -notrayicon -extension RANDR -nolisten inet6 -hostintitle -clipboard -ac -multiwindow -fp /usr/share/fonts/misc :0"' (со скрытым окном)
Запускает на исполнение
- '<SYSTEM32>\rundll32.exe' <SYSTEM32>\FirewallControlPanel.dll,ShowNotificationDialog /configure /ETOnly 0 /OnProfiles 6 /OtherAllowed 0 /OtherBlocked 0 /OtherEdgeAllowed 0 /NewBlocked 2 "%TEMP%\user_mobaxterm\bin\xwin.e...
