Техническая информация
Для обеспечения автозапуска и распространения:
Модифицирует следующие ключи реестра:
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'engel' = '%APPDATA%\updates\updates.exe'
Вредоносные функции:
Для обхода брандмауэра удаляет или модифицирует следующие ключи реестра:
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] 'EnableFirewall' = '00000000'
Запускает на исполнение:
- <SYSTEM32>\netsh.exe advfirewall firewall add rule name="<Имя вируса>" dir=in action=allow program="<Полный путь к вирусу>"
Изменения в файловой системе:
Создает следующие файлы:
- %APPDATA%\engel\updates.exe
Сетевая активность:
Подключается к:
- '92.##5.96.123':3128
- '11#.#98.196.182':3128
- '85.##4.169.5':3128
- '99.##7.197.172':3128
- '82.##5.226.110':3128
- '19#.#24.143.48':3128
- '20#.#3.233.211':3128
- '20#.#53.211.195':3128
- '19#.#39.88.117':3128
- '18#.#24.159.83':3128
- '59.##.236.30':3128
- '78.##.19.211':3128
- '78.#9.30.32':3128
- '19#.#29.151.32':3128
- '88.##5.193.113':3128
- '77.##5.90.212':3128
- '11#.#35.52.126':3128
- '19#.#0.157.59':3128
- '84.##8.50.74':3128
- '76.##9.47.171':3128
- '12#.#53.123.91':3128
- '18#.#24.17.177':3128
- '21#.#09.162.104':3128
- '18#.#24.12.29':3128
- '19#.#07.110.169':3128
- '18#.#24.158.217':3128
- '19#.#1.117.230':3128
- '17#.137.2.4':3128
- '95.##9.207.220':3128
- '59.##.253.131':3128
- '85.##7.57.116':3128
- '85.##4.47.87':3128
- '21#.#5.57.126':3128
- '19#.#17.42.73':3128
- '80.##6.84.76':3128
- '84.##0.69.127':3128
- '18#.#27.42.6':3128
- '18#.#24.12.16':3128
- '20#.#64.211.106':3128
- '20#.#17.185.3':3128
- '11#.#97.218.182':3128
- '21#.#71.160.117':3128
- '19#.#39.80.19':3128
- '19#.#39.88.191':3128
- '11#.#59.83.35':3128
- '82.##.137.53':3128
- '19#.#29.159.47':3128
- '20#.#84.1.127':3128
- '20#.#17.162.145':3128
- '17#.#37.180.196':3128
- '87.#0.38.40':3128
- '19#.#6.123.129':3128
- '59.##.248.192':3128
- '22#.#06.111.177':3128
- '71.##6.135.4':3128
- '11#.#99.112.143':3128
- '89.##3.253.161':3128
- '21#.#19.194.130':3128
- '78.##.242.233':3128
- '12#.#.41.218':3128
- '78.#9.3.114':3128
- '80.##2.64.58':3128
- '18#.#24.155.125':3128
- '21#.#96.69.16':3128
- '89.##6.204.197':3128
- '87.#.47.101':3128
- '11#.#65.224.66':3128
- '19#.#24.141.15':3128
- '78.#0.42.34':3128
- '83.##.153.57':3128
- '12#.#20.128.112':3128
- '95.##.180.251':3128
- '19#.3.229.6':3128
- '11#.#4.78.190':3128
- '78.##.37.212':3128
- '20#.#17.182.36':3128
- '87.#.47.31':3128
- '81.##.215.203':3128
- '22#.#43.176.79':3128
- '20#.#17.146.22':3128
- '10#.#48.17.211':3128
- '11#.#46.86.131':3128
- '83.#3.44.75':3128
- '85.##.106.150':3128
- '60.##0.147.209':3128
- '19#.#0.202.238':3128
- '19#.#39.82.64':3128
- '87.##0.166.58':3128
- '20#.#61.157.152':3128
- '19#.#74.8.206':3128
- '19#.#17.47.185':3128
- '18#.#24.41.145':3128
- '11#.#04.64.62':3128
- '19#.#29.146.2':3128
- '20#.#53.211.127':3128
- '19#.#77.97.140':3128
- '59.##.240.53':3128
- '77.##7.81.66':3128
- '92.##3.210.171':3128
- '76.##6.111.108':3128
- 'localhost':2
- 'localhost':1933
- '85.##6.196.130':3128
- '59.##3.49.128':3128
- '89.##2.59.122':3128
- '84.##8.50.36':3128
- '19#.#0.156.206':3128
- '77.##3.66.247':3128
- '89.##3.71.53':3128
- '21#.#38.4.164':3128
- '89.##6.163.114':3128
- '19#.#39.82.52':3128
- '20#.#27.170.49':3128
- '81.##5.4.137':3128
- '94.##2.156.132':3128
- '11#.#41.40.47':3128
- '21#.#6.47.24':3128
- '19#.#24.145.171':3128
- '41.##3.57.74':3128
- '18#.#24.157.131':3128
- '20#.#17.183.224':3128
- '78.##.10.143':3128
- '20#.#17.183.70':3128
- '19#.#1.121.26':3128
- '58.##4.176.3':3128
- '19#.#74.9.203':3128
- '22#.#20.38.68':3128
- '21#.#98.142.157':3128
- '19#.#1.117.212':3128
- '18#.#24.39.42':3128
- '84.##8.50.80':3128
- '11#.#2.205.59':3128
- '11#.#60.61.239':3128
- '59.##.221.102':3128
- '20#.#53.210.125':3128
- '41.##0.163.21':3128
- '19#.#.200.175':3128
- '60.##.219.42':3128
- '11#.#4.181.202':3128
- '18#.#29.208.111':3128
- '84.##9.208.25':3128
- '18#.#3.128.57':3128
- '78.##.61.250':3128
- '72.##8.40.67':3128
- '24.##2.25.216':3128
- '19#.#29.147.140':3128
- '41.##0.14.20':3128
- '21#.#21.220.233':3128
- '20#.#5.34.169':3128
- '82.#0.9.243':3128
- '11#.#02.26.111':3128
- '84.##7.161.221':3128
- '11#.#98.167.99':3128
- '84.##8.50.51':3128
- '82.##6.61.184':3128
- '18#.#24.157.187':3128
- '20#.#88.191.121':3128
- '92.##3.103.93':3128
- '18#.#24.43.201':3128
- '17#.#37.176.175':3128
- '12#.#20.131.123':3128
- '16#.#7.221.216':3128
- '59.##3.48.229':3128
- '20#.#48.205.12':3128
- '59.##.243.231':3128
- '77.#31.34.6':3128
- '78.##.10.241':3128
- '20#.#53.204.175':3128
- '11#.#4.73.131':3128
- '19#.#9.109.100':3128
- '85.##6.250.116':3128
- '59.##.239.232':3128
- '87.##.47.105':3128
- '19#.#29.155.63':3128
- '11#.#65.3.20':3128
- '19#.#29.157.101':3128
- '11#.#04.64.122':3128
- '12#.#27.64.54':3128
- '89.##6.142.79':3128
- '18#.#24.159.95':3128
- '85.##6.205.102':3128
- '11#.#4.207.188':3128
- '78.#9.12.78':3128
- '85.##8.179.130':3128
- '85.#4.84.89':3128
- '21#.#86.183.4':3128
- '11#.#01.49.119':3128
- '11#.#37.114.80':3128
- '19#.#1.120.139':3128
- '78.##.27.189':3128
- '18#.#24.158.123':3128
- '17#.#38.31.45':3128
- '18#.#24.153.76':3128
- '12#.#20.135.207':3128
- '12#.#27.65.106':3128
- '19#.#1.116.226':3128
- '19#.#51.53.33':3128
- '91.##8.97.106':3128
- '81.##8.141.145':3128
- '89.##2.107.138':3128
- '78.#9.46.68':3128
- '22#.#43.58.39':3128
- '59.##.200.104':3128
- '83.##2.81.217':3128
- '18#.#20.96.170':3128
- '10#.#89.128.133':3128
- '19#.#24.143.135':3128
- '18#.#24.12.123':3128
- '20#.#87.228.5':3128
- '18#.#24.41.117':3128
- '18#.#92.145.215':3128
- '85.##5.100.50':3128
- '11#.#4.234.56':3128
- '12#.#.68.172':3128
- '11#.#37.120.187':3128
- '59.##3.48.117':3128
- '19#.#0.144.89':3128
- '82.##2.103.247':3128
- '62.##7.194.58':3128
- '19#.#29.153.94':3128
- '89.##6.177.141':3128
- '17#.#38.38.248':3128
- '12#.#20.104.159':3128
- '11#.#35.92.6':3128
- '19#.#24.141.220':3128
- '17#.#68.42.151':3128
- '59.##8.36.157':3128
- '12#.#05.186.8':3128
- '19#.#29.155.249':3128
- '19#.#29.146.5':3128
- '20#.#1.160.62':3128
- '20#.#54.75.11':3128
- '80.##8.199.250':3128
- '93.##3.135.32':3128
- '88.##3.145.188':3128
- '20#.#8.132.195':3128
- '11#.#33.64.51':3128
- '19#.#1.120.29':3128
- '61.##.13.198':3128
- '95.##3.6.131':3128
- '41.##3.57.76':3128
- '95.##.101.164':3128
- '85.##7.165.12':3128
- '11#.#99.114.204':3128
- '19#.#0.147.40':3128
- '11#.#35.53.23':3128
- '20#.#53.205.36':3128
- '79.##.40.188':3128
- '20#.#52.243.171':3128
- '59.##.248.45':3128
- '19#.#29.147.10':3128
- '13#.#32.68.126':3128
- '20#.#65.144.232':3128
- '20#.#27.174.251':3128
- '94.##6.151.72':3128
- '20#.#53.210.154':3128
- '82.##.231.20':3128
- '86.##9.130.35':3128
- '41.##0.167.92':3128
- '62.##3.174.192':3128
- '18#.#24.37.142':3128
- '19#.#24.143.86':3128
- '17#.#37.176.30':3128
- '78.##.99.105':3128
- '78.##.68.249':3128
- '78.##.22.252':3128
- '19#.#0.16.125':3128
- '11#.#04.67.97':3128
- '19#.#29.156.119':3128
- '77.#1.20.25':3128
- '11#.#97.100.72':3128
- '87.#1.44.39':3128
- '19#.#7.161.125':3128
- '83.#0.4.151':3128
- '96.##.168.115':3128
- '17#.#38.47.229':3128
- '89.##6.169.166':3128
- '87.##.55.244':3128
- '17#.#37.12.20':3128
- '19#.#0.157.33':3128
- '59.##.200.101':3128
- '19#.#44.37.43':3128
- '11#.#65.2.135':3128
- '17#.#38.34.58':3128
- '74.#15.5.41':3128
- '60.##.88.105':3128
- '19#.#19.180.11':3128
- '21#.#5.92.189':3128
- '11#.#65.226.33':3128
- '20#.#8.132.138':3128
- '92.##3.76.255':3128
- '79.##3.252.210':3128
- '21#.#32.88.176':3128
- '93.##0.28.178':3128
- '19#.#25.200.109':3128
- '87.#1.44.19':3128
- '41.##3.57.72':3128
- '78.##.99.116':3128
- '74.##.209.166':3128
- '18#.#24.156.176':3128
- '77.##6.249.40':3128
- '11#.#39.57.44':3128
UDP:
- DNS ASK 11#.#4.234.http
Другое:
Ищет следующие окна:
- ClassName: 'Indicator' WindowName: ''
