Техническая информация
Вредоносные функции
Запускает на исполнение
- '<SYSTEM32>\net.exe' stop lanmanserver / y
- '<SYSTEM32>\taskkill.exe' /f /t /im rundllhost.exe
- '<SYSTEM32>\taskkill.exe' /f /t /im dlllhost.exe
- '<SYSTEM32>\taskkill.exe' /f /t /im KvMonXP.exe
- '<SYSTEM32>\taskkill.exe' /f /t /im lsars.exe /im lsacs.exe
- '<SYSTEM32>\taskkill.exe' /f /im dllhots.exe
- '<SYSTEM32>\taskkill.exe' /f /im d11hots.exe
Завершает или пытается завершить
следующие системные процессы:
- <SYSTEM32>\cmd.exe
Изменения в файловой системе
Создает следующие файлы
- %TEMP%\1.tmp\2.bat
- <SYSTEM32>\dllcache\avifile.dll.new
- <SYSTEM32>\dllcache\commdlg.dll.new
- <SYSTEM32>\dllcache\keyboard.drv.new
- <SYSTEM32>\dllcache\lzexpand.dll.new
- <SYSTEM32>\dllcache\mciavi.drv.new
- <SYSTEM32>\dllcache\mciseq.drv.new
- <SYSTEM32>\dllcache\mciwave.drv.new
- <SYSTEM32>\dllcache\mmsystem.dll.new
- <SYSTEM32>\dllcache\mmtask.tsk.new
- <SYSTEM32>\dllcache\mouse.drv.new
- <SYSTEM32>\dllcache\msvideo.dll.new
- <SYSTEM32>\dllcache\olecli.dll.new
- <SYSTEM32>\dllcache\olesvr.dll.new
- <SYSTEM32>\dllcache\shell.dll.new
- <SYSTEM32>\dllcache\sound.drv.new
- <SYSTEM32>\dllcache\stdole.tlb.new
- <SYSTEM32>\dllcache\system.drv.new
- <SYSTEM32>\dllcache\tapi.dll.new
- <SYSTEM32>\dllcache\timer.drv.new
- <SYSTEM32>\dllcache\ver.dll.new
- <SYSTEM32>\dllcache\vga.drv.new
- <SYSTEM32>\dllcache\avicap.dll.new
- <SYSTEM32>\dllcache\wfwnet.drv.new
- %WINDIR%\system\winspool.drv.new
- %WINDIR%\system\vga.drv.new
- %WINDIR%\system\avicap.dll.new
- %WINDIR%\system\avifile.dll.new
- %WINDIR%\system\commdlg.dll.new
- %WINDIR%\system\keyboard.drv.new
- %WINDIR%\system\lzexpand.dll.new
- %WINDIR%\system\mciavi.drv.new
- %WINDIR%\system\mciseq.drv.new
- %WINDIR%\system\mciwave.drv.new
- %WINDIR%\system\mmsystem.dll.new
- %WINDIR%\system\mmtask.tsk.new
- %WINDIR%\system\mouse.drv.new
- %WINDIR%\system\msvideo.dll.new
- %WINDIR%\system\olecli.dll.new
- %WINDIR%\system\olesvr.dll.new
- %WINDIR%\system\shell.dll.new
- %WINDIR%\system\sound.drv.new
- %WINDIR%\system\stdole.tlb.new
- %WINDIR%\system\system.drv.new
- %WINDIR%\system\tapi.dll.new
- %WINDIR%\system\timer.drv.new
- %WINDIR%\system\ver.dll.new
- %WINDIR%\system\wfwnet.drv.new
- <SYSTEM32>\dllcache\winspool.drv.new
Удаляет следующие файлы
- %WINDIR%\system\avicap.dll
- %WINDIR%\system\winspool.drv
- %WINDIR%\system\wfwnet.drv
- %WINDIR%\system\vga.drv
- %WINDIR%\system\ver.dll
- %WINDIR%\system\timer.drv
- %WINDIR%\system\tapi.dll
- %WINDIR%\system\system.drv
- %WINDIR%\system\stdole.tlb
- %WINDIR%\system\sound.drv
- %WINDIR%\system\shell.dll
- %WINDIR%\system\setup.inf
- <DRIVERS>\etc\hosts
- %WINDIR%\system\olesvr.dll
- %WINDIR%\system\msvideo.dll
- %WINDIR%\system\mouse.drv
- %WINDIR%\system\mmtask.tsk
- %WINDIR%\system\mmsystem.dll
- %WINDIR%\system\mciwave.drv
- %WINDIR%\system\mciseq.drv
- %WINDIR%\system\mciavi.drv
- %WINDIR%\system\lzexpand.dll
- %WINDIR%\system\keyboard.drv
- %WINDIR%\system\commdlg.dll
- %WINDIR%\system\avifile.dll
- %WINDIR%\system\olecli.dll
- %TEMP%\1.tmp\2.bat
Подменяет следующие файлы
- <SYSTEM32>\dllcache\avicap.dll.new
- <SYSTEM32>\dllcache\vga.drv.new
- <SYSTEM32>\dllcache\ver.dll.new
- <SYSTEM32>\dllcache\timer.drv.new
- <SYSTEM32>\dllcache\tapi.dll.new
- <SYSTEM32>\dllcache\system.drv.new
- <SYSTEM32>\dllcache\stdole.tlb.new
- <SYSTEM32>\dllcache\sound.drv.new
- <SYSTEM32>\dllcache\shell.dll.new
- <SYSTEM32>\dllcache\olesvr.dll.new
- <SYSTEM32>\dllcache\olecli.dll.new
- <SYSTEM32>\dllcache\msvideo.dll.new
- <SYSTEM32>\dllcache\mouse.drv.new
- <SYSTEM32>\dllcache\mmtask.tsk.new
- <SYSTEM32>\dllcache\mmsystem.dll.new
- <SYSTEM32>\dllcache\mciwave.drv.new
- <SYSTEM32>\dllcache\mciseq.drv.new
- <SYSTEM32>\dllcache\mciavi.drv.new
- <SYSTEM32>\dllcache\lzexpand.dll.new
- <SYSTEM32>\dllcache\keyboard.drv.new
- <SYSTEM32>\dllcache\commdlg.dll.new
- <SYSTEM32>\dllcache\avifile.dll.new
- <SYSTEM32>\dllcache\wfwnet.drv.new
- <SYSTEM32>\dllcache\winspool.drv.new
Подменяет файл HOSTS.
Другое
Ищет следующие окна
- ClassName: '' WindowName: ''
Запускает на исполнение
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\1.tmp\2.bat" <Полный путь к файлу>"
- '<SYSTEM32>\sc.exe' stop "Smart Card Report"
- '<SYSTEM32>\sc.exe' delete "mssecsvc2.1"
- '<SYSTEM32>\sc.exe' stop "mssecsvc2.1"
- '<SYSTEM32>\sc.exe' delete "mssecsvc2.0"
- '<SYSTEM32>\sc.exe' stop "mssecsvc2.0"
- '<SYSTEM32>\sc.exe' delete Microsarver
- '<SYSTEM32>\sc.exe' stop Microsarver
- '<SYSTEM32>\sc.exe' stop MicrosotMaims
- '<SYSTEM32>\sc.exe' delete MicrosotMaims
- '<SYSTEM32>\sc.exe' delete MicrosotMais
- '<SYSTEM32>\sc.exe' stop MicrosotMais
- '<SYSTEM32>\sc.exe' delete ServicesMain
- '<SYSTEM32>\sc.exe' stop ServicesMain
- '<SYSTEM32>\sc.exe' stop Hostserver
- '<SYSTEM32>\sc.exe' stop "jgumfoxl update"
- '<SYSTEM32>\sc.exe' delete HostManger
- '<SYSTEM32>\sc.exe' stop HostManger
- '<SYSTEM32>\sc.exe' delete "clr_optimzation_v4.0.52738 _64"
- '<SYSTEM32>\sc.exe' stop "clr_optimzation_v4.0.52738 _64"
- '<SYSTEM32>\sc.exe' delete Famserver
- '<SYSTEM32>\sc.exe' stop Famserver
- '<SYSTEM32>\sc.exe' delete FormManger
- '<SYSTEM32>\sc.exe' stop FormManger
- '<SYSTEM32>\sc.exe' delete NetPipeAtcivator
- '<SYSTEM32>\sc.exe' stop NetPipeAtcivator
- '<SYSTEM32>\sc.exe' delete ServiceMaims
- '<SYSTEM32>\sc.exe' stop ServiceMaims
- '<SYSTEM32>\sc.exe' delete Hostserver
- '<SYSTEM32>\cacls.exe' "C:\ProgramData\Microsoft\WmiApprsv\csrss.exe" /d everyone
- '<SYSTEM32>\sc.exe' delete "jgumfoxl update"
- '<SYSTEM32>\attrib.exe' +s +h +a +r <DRIVERS>\etc\hosts
- '<SYSTEM32>\attrib.exe' -s -h -a -r <DRIVERS>\etc\hosts
- '<SYSTEM32>\cacls.exe' <DRIVERS>\etc\hosts /g users:f
- '<SYSTEM32>\netsh.exe' ipsec static set policy name=Aliyun assign=y
- '<SYSTEM32>\netsh.exe' ipsec static add rule name=deny1 policy=Aliyun filterlist=denylist filteraction=deny
- '<SYSTEM32>\netsh.exe' ipsec static add filteraction name=deny action=block
- '<SYSTEM32>\netsh.exe' ipsec static add filteraction name=Allow action=permit
- '<SYSTEM32>\netsh.exe' ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=445
- '<SYSTEM32>\netsh.exe' ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=139
- '<SYSTEM32>\netsh.exe' ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=138
- '<SYSTEM32>\netsh.exe' ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=137
- '<SYSTEM32>\netsh.exe' ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=135
- '<SYSTEM32>\netsh.exe' ipsec static add filterlist name=denylist
- '<SYSTEM32>\sc.exe' delete ServiceMais
- '<SYSTEM32>\sc.exe' delete "Smart Card Report"
- '<SYSTEM32>\wbem\wmic.exe' process where "name='lsass.exe' and ExecutablePath='C:\\Windows\\Fonts\\lsass.exe'" call Terminate
- '<SYSTEM32>\wbem\wmic.exe' process where "name='conhost.exe' and ExecutablePath='C:\\Windows\\Fonts\\conhost.exe'" call Terminate
- '<SYSTEM32>\wbem\wmic.exe' process where "name='svchost.exe' and ExecutablePath='C:\\Windows\\Fonts\\svchost.exe'" call Terminate
- '<SYSTEM32>\wbem\wmic.exe' process where "name='csrss.exe' and ExecutablePath='C:\\Windows\\Fonts\\csrss.exe'" call Terminate
- '<SYSTEM32>\cacls.exe' "%WINDIR%\Fonts\csrss.exe" /g everyone:f
- '<SYSTEM32>\cacls.exe' "%WINDIR%\Fonts\svchost.exe" /g everyone:f
- '<SYSTEM32>\cacls.exe' "%WINDIR%\Fonts\conhost.exe" /g everyone:f
- '<SYSTEM32>\cacls.exe' "%WINDIR%\Fonts\dlllhost.exe" /g everyone:f
- '<SYSTEM32>\cacls.exe' "%WINDIR%\Fonts\rundllhost.exe" /g everyone:f
- '<SYSTEM32>\attrib.exe' -s -h -r %WINDIR%\Fonts\csrss.exe
- '<SYSTEM32>\attrib.exe' -s -h -r %WINDIR%\Fonts\svchost.exe
- '<SYSTEM32>\attrib.exe' -s -h -r %WINDIR%\Fonts\conhost.exe
- '<SYSTEM32>\attrib.exe' -s -h -r %WINDIR%\Fonts\dlllhost.exe
- '<SYSTEM32>\netsh.exe' ipsec static add policy name=Aliyun
- '<SYSTEM32>\attrib.exe' -s -h -r %WINDIR%\Fonts\rundllhost.exe
- '<SYSTEM32>\sc.exe' stop ServiceMais
- '<SYSTEM32>\sc.exe' delete ServiceSais
- '<SYSTEM32>\sc.exe' stop ServiceSais
- '<SYSTEM32>\sc.exe' delete COMSysCts
- '<SYSTEM32>\cmd.exe' /S /D /c" echo y"
- '<SYSTEM32>\attrib.exe' +s +h +r %WINDIR%\svchost.exe
- '<SYSTEM32>\sc.exe' delete clr_optimization_v4.0.30318_64
- '<SYSTEM32>\sc.exe' stop clr_optimization_v4.0.30318_64
- '<SYSTEM32>\sc.exe' delete RpcEpt
- '<SYSTEM32>\sc.exe' stop RpcEpt
- '<SYSTEM32>\sc.exe' delete lanmanserver
- '<SYSTEM32>\sc.exe' config lanmanserver start= DISABLED
- '<SYSTEM32>\net1.exe' stop lanmanserver / y
- '<SYSTEM32>\sc.exe' delete "Windows TrustedInstaller"
- '<SYSTEM32>\sc.exe' stop "Windows TrustedInstaller"
- '<SYSTEM32>\sc.exe' delete clr_optimization_v4.0.33018_64
- '<SYSTEM32>\cacls.exe' <DRIVERS>\etc\hosts /d everyone
- '<SYSTEM32>\cacls.exe' "C:\ProgramData\clr_optimization_v4.0.30318_64\svchost.exe" /d everyone
- '<SYSTEM32>\sc.exe' stop COMSysCts
- '<SYSTEM32>\sc.exe' delete wmiApSrv
- '<SYSTEM32>\sc.exe' stop wmiApSrv
- '<SYSTEM32>\sc.exe' delete WmiAppSvr
- '<SYSTEM32>\sc.exe' stop WmiAppSvr
- '<SYSTEM32>\sc.exe' delete WmiAppSrv
- '<SYSTEM32>\sc.exe' stop WmiAppSrv
- '<SYSTEM32>\sc.exe' delete WmSrv
- '<SYSTEM32>\sc.exe' stop WmSrv
- '<SYSTEM32>\sc.exe' delete WinTcpAutoProxySvc
- '<SYSTEM32>\sc.exe' stop WinTcpAutoProxySvc
- '<SYSTEM32>\wbem\wmic.exe' process where "name='LDE.exe' and ExecutablePath='C:\\ProgramData\\WinTcpAutoProxySvc\\LDE.exe'" call Terminate
- '<SYSTEM32>\reg.exe' delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor" /v "AutoRun" /f.
- '<SYSTEM32>\sc.exe' stop clr_optimization_v4.0.33018_64
- '<SYSTEM32>\netsh.exe' ipsec static add filterlist name=Allowlist
- '<SYSTEM32>\cacls.exe' "C:\ProgramData\Microsoft\clr_optimization_v4.0.30318_64\csrss.exe" /d everyone
- '<SYSTEM32>\wbem\wmic.exe' process where "name='svchost.exe' and ExecutablePath='C:\\ProgramData\\clr_optimization_v4.0.33018_64\\svchost.exe'" call Terminate
- '<SYSTEM32>\wbem\wmic.exe' process where "name='svchost.exe' and ExecutablePath='C:\\Windows\\svchost.exe'" call Terminate
- '<SYSTEM32>\sc.exe' delete ServiceSaims
- '<SYSTEM32>\sc.exe' stop ServiceSaims
- '<SYSTEM32>\sc.exe' delete MicrosotSaims
- '<SYSTEM32>\sc.exe' stop MicrosotSaims
- '<SYSTEM32>\sc.exe' delete MicrosotSais
- '<SYSTEM32>\sc.exe' stop MicrosotSais
- '<SYSTEM32>\wbem\wmic.exe' process where "name='WmiApSrv.exe' and ExecutablePath='C:\\Windows\\sysnative\\svchost.exe'" call Terminate
- '<SYSTEM32>\wbem\wmic.exe' process where "name='WmiApSrv.exe' and ExecutablePath='C:\\Windows\\system32\\wbem\\WmiApSrv.exe'" call Terminate
- '<SYSTEM32>\wbem\wmic.exe' process where "name='csrss.exe' and ExecutablePath='C:\\ProgramData\\Microsoft\\WmiAppSvr\\csrss.exe'" call Terminate
- '<SYSTEM32>\wbem\wmic.exe' process where "name='csrss.exe' and ExecutablePath='C:\\ProgramData\\Microsoft\\WmiAppSrv\\csrss.exe'" call Terminate
- '<SYSTEM32>\wbem\wmic.exe' process where "name='svchost.exe' and ExecutablePath='C:\\programdata\\wmiapprsv\\svchost.exe'" call Terminate
- '<SYSTEM32>\wbem\wmic.exe' process where "name='svchost.exe' and ExecutablePath='C:\\ProgramData\\WmiAppSvr\\svchost.exe'" call Terminate
- '<SYSTEM32>\wbem\wmic.exe' process where "name='svchost.exe' and ExecutablePath='C:\\programdata\\clr_optimization_v4.0.30318_64\\svchost.exe'" call Terminate
- '<SYSTEM32>\wbem\wmic.exe' process where "name='svchost.exe' and ExecutablePath='C:\\programdata\\wmiappsrv\\svchost.exe'" call Terminate
- '<SYSTEM32>\cacls.exe' %WINDIR%\svchost.exe /d everyone
- '<SYSTEM32>\cacls.exe' "C:\ProgramData\Microsoft\WmiAppSvr\csrss.exe" /d everyone
- '<SYSTEM32>\cacls.exe' "C:\ProgramData\Microsoft\WmiAppSrv\csrss.exe" /d everyone
- '<SYSTEM32>\cacls.exe' "C:\ProgramData\WmiApprsv\svchost.exe" /d everyone
- '<SYSTEM32>\cacls.exe' "C:\ProgramData\WmiAppSvr\svchost.exe" /d everyone
- '<SYSTEM32>\cacls.exe' "C:\ProgramData\WmiAppSrv\svchost.exe" /d everyone
- '<SYSTEM32>\cacls.exe' "%WINDIR%\tasksche.exe" /d everyone
- '<SYSTEM32>\cacls.exe' "C:\ProgramData\WmiAppSrv\csrss.exe" /d everyone
- '<SYSTEM32>\cacls.exe' "C:\ProgramData\clr_optimization_v4.0.33018_64\svchost.exe" /d everyone
- '<SYSTEM32>\cacls.exe' "%WINDIR%\Temp\Networks\taskmgr.exe" /d everyone
- '<SYSTEM32>\wbem\wmic.exe' process where "name='taskmgr.exe' and ExecutablePath='C:\\Windows\\Temp\\Networks\\taskmgr.exe'" call Terminate
- '<SYSTEM32>\wbem\wmic.exe' process where "name='csrss.exe' and ExecutablePath='C:\\ProgramData\\WmiAppSrv\\csrss.exe'" call Terminate
- '<SYSTEM32>\wbem\wmic.exe' process where "name='csrss.exe' and ExecutablePath='C:\\ProgramData\\Microsoft\\clr_optimization_v4.0.30318_64\\csrss.exe'" call Terminate
- '<SYSTEM32>\cacls.exe' "<SYSTEM32>\wbem\WmiApSrv.exe" /d everyone
- '<SYSTEM32>\ipconfig.exe' /flushdns
