Техническая информация
Для обеспечения автозапуска и распространения:
Создает следующие сервисы:
- [<HKLM>\SYSTEM\ControlSet001\Services\52834fbdace41a5f] 'ImagePath' = '<DRIVERS>\52834fbdace41a5f.sys'
- [<HKLM>\SYSTEM\ControlSet001\Services\52834fbdace41a5f] 'Start' = '00000000'
- [<HKLM>\SYSTEM\ControlSet001\Services\syshost32] 'Start' = '00000002'
- [<HKLM>\SYSTEM\ControlSet001\Services\19258] 'Start' = '00000001'
Вредоносные функции:
Создает и запускает на исполнение:
- %WINDIR%\Installer\{8B5D5175-5CFF-AE75-10C3-B041E6D6A177}\syshost.exe /service
Перехватывает следующие функции в SSDT (System Service Descriptor Table):
- NtOpenThread, драйвер-обработчик: unknown
- NtOpenProcess, драйвер-обработчик: unknown
Изменения в файловой системе:
Создает следующие файлы:
- <DRIVERS>\52834fbdace41a5f.sys
- <DRIVERS>\19258.sys
- %WINDIR%\Installer\{8B5D5175-5CFF-AE75-10C3-B041E6D6A177}\syshost.exe
Удаляет следующие файлы:
- <DRIVERS>\19258.sys
Самоперемещается:
- из <Полный путь к вирусу> в %TEMP%\ea42c1e8.tmp
Самоудаляется.
Сетевая активность:
Подключается к:
- 'uu#####rkecxahfgaetc.ac':80
- 'no######xvugshnatjjwe.mu':80
- 'cu####lpmwvgbx.la':80
- 'qp####ulkeanvdfc.ac':80
- 'mt####djhcvxws.nu':80
- 'gr####ghgonvn.in':80
- 'fw####tibtrdi.tw':80
- 'kx#####sbyvxqondmwvd.in':80
- 'hm######gksgfwhtatjbsf.mn':80
- 'ns#####qxidcctscmva.cm':80
- 'qs####heloswik.sh':80
- 'in####umohqjs.cm':80
- 'yf######ndcikpvyvxwlb.jp':80
- 'ka######hmbvomtlgrhxhqj.nu':80
- 'ls######xawtkqsouflnuwwe.nf':80
- 'mr####gxufjfja.ac':80
- 'vk#####ftgyhkfjkrir.im':80
- 'nc#####ueatsevsihw.ms':80
- 'rn####nmyfyokdk.in':80
- 'me####ulsdjjbov.tw':80
- 'ps######srsivrdcgqocjkx.jp':80
- 'mb######japnomlxorcdvm.cm':80
- 'rk######jahhviuxppamajgi.mu':80
- 'sx######blknfrnomsfdnaq.so':80
- 'nl####olvnisl.mu':80
- 'pi#####aqthiccfnqq.cx':80
- 'oi######vclrptmiihcdtjq.so':80
- 'ln#####vmhjmgwklsn.cm':80
- 'xj#####shqcrangwjgst.mn':80
- 'ir####ikxrlgvot.nf':80
- 'uy######qyycmahrenprmgjf.tj':80
- 'yi####ovbdgdku.mu':80
- 'ya####ienvcmdvsb.nf':80
- 'bv#####xfhmdudhrignf.mn':80
- 'iw######ldysmlwxhtlgkk.sc':80
- 'po####sqobubm.ac':80
- 'mw#####gijutcmcgwdsg.sh':80
- 'wk#####joqbfqbfsx.tj':80
- 'lu###cpqumb.la':80
- 'ic####pweurjctls.tj':80
- '62.##.229.134':80
- 'jv###lunuaag.mn':80
- '20#.#6.232.182':80
- '62.##.229.131':80
- 'yh####kjbfqqo.ms':80
- 'th######xoppimdkumkgthw.im':80
- 'wh####qcqkjvwwy.in':80
- 'bv#####vjexpltqtito.ms':80
- 'ks#####jucnsoexhl.cm':80
- 'py######hendaabnfascha.ms':80
- 'iw####umelehl.cx':80
- 'xb#####rkuabgyyfm.nf':80
- 'tg####vfuipmmjyy.jp':80
- 'tq#####sbgjgdbesygh.la':80
- 'oa###apdjcr.nf':80
- 'ur######pehmisqhrxoyya.in':80
- 'fr###jvnadim.mn':80
- 'qk###rrirexl.tj':80
- 'ex####edkmhmip.mu':80
- 'wg###hpkjboq.mu':80
- 'hm#######alslxrrlsdlbtdvt.in':80
- 'hj####mvldcgwb.mn':80
- 'hq####dfvlkfgd.tj':80
- 'nd###ooifer.jp':80
TCP:
Запросы HTTP POST:
- no######xvugshnatjjwe.mu/database.cgi
- uu#####rkecxahfgaetc.ac/database.cgi
- qp####ulkeanvdfc.ac/database.cgi
- fw####tibtrdi.tw/database.cgi
- gr####ghgonvn.in/database.cgi
- mt####djhcvxws.nu/database.cgi
- kx#####sbyvxqondmwvd.in/database.cgi
- cu####lpmwvgbx.la/database.cgi
- ns#####qxidcctscmva.cm/database.cgi
- hm######gksgfwhtatjbsf.mn/database.cgi
- in####umohqjs.cm/database.cgi
- ls######xawtkqsouflnuwwe.nf/database.cgi
- ka######hmbvomtlgrhxhqj.nu/database.cgi
- yf######ndcikpvyvxwlb.jp/database.cgi
- mr####gxufjfja.ac/database.cgi
- oi######vclrptmiihcdtjq.so/database.cgi
- nc#####ueatsevsihw.ms/database.cgi
- vk#####ftgyhkfjkrir.im/database.cgi
- me####ulsdjjbov.tw/database.cgi
- rk######jahhviuxppamajgi.mu/database.cgi
- mb######japnomlxorcdvm.cm/database.cgi
- ps######srsivrdcgqocjkx.jp/database.cgi
- sx######blknfrnomsfdnaq.so/database.cgi
- rn####nmyfyokdk.in/database.cgi
- pi#####aqthiccfnqq.cx/database.cgi
- nl####olvnisl.mu/database.cgi
- ln#####vmhjmgwklsn.cm/database.cgi
- uy######qyycmahrenprmgjf.tj/database.cgi
- ir####ikxrlgvot.nf/database.cgi
- xj#####shqcrangwjgst.mn/database.cgi
- yi####ovbdgdku.mu/database.cgi
- qs####heloswik.sh/database.cgi
- bv#####xfhmdudhrignf.mn/database.cgi
- ya####ienvcmdvsb.nf/database.cgi
- po####sqobubm.ac/database.cgi
- lu###cpqumb.la/database.cgi
- wk#####joqbfqbfsx.tj/database.cgi
- mw#####gijutcmcgwdsg.sh/database.cgi
- ic####pweurjctls.tj/database.cgi
- iw######ldysmlwxhtlgkk.sc/database.cgi
- jv###lunuaag.mn/database.cgi
- 62.##.229.134/cgi-bin/auth.cgi
- 62.##.229.131/cgi-bin/auth.cgi
- wh####qcqkjvwwy.in/database.cgi
- th######xoppimdkumkgthw.im/database.cgi
- yh####kjbfqqo.ms/database.cgi
- bv#####vjexpltqtito.ms/database.cgi
- ex####edkmhmip.mu/database.cgi
- py######hendaabnfascha.ms/database.cgi
- ks#####jucnsoexhl.cm/database.cgi
- xb#####rkuabgyyfm.nf/database.cgi
- oa###apdjcr.nf/database.cgi
- tq#####sbgjgdbesygh.la/database.cgi
- tg####vfuipmmjyy.jp/database.cgi
- ur######pehmisqhrxoyya.in/database.cgi
- iw####umelehl.cx/database.cgi
- qk###rrirexl.tj/database.cgi
- fr###jvnadim.mn/database.cgi
- wg###hpkjboq.mu/database.cgi
- hq####dfvlkfgd.tj/database.cgi
- hj####mvldcgwb.mn/database.cgi
- hm#######alslxrrlsdlbtdvt.in/database.cgi
- nd###ooifer.jp/database.cgi
UDP:
- DNS ASK ev###gmferek.so
- DNS ASK rk######jahhviuxppamajgi.mu
- DNS ASK si#####sscauruksxmxt.mu
- DNS ASK nc#####ueatsevsihw.ms
- DNS ASK es#####mvauflwyogl.sc
- DNS ASK ih#####fyawwovvmgf.nu
- DNS ASK no#######agckadwjwmldship.tj
- DNS ASK sx######blknfrnomsfdnaq.so
- DNS ASK si#####wjvkyiavxt.la
- DNS ASK yf######dfhrbakywohwu.sh
- DNS ASK tt#####ftpvctqliinow.im
- DNS ASK og####oheqjpok.la
- DNS ASK fu####vikyyksb.ms
- DNS ASK ep######qfhqtyydjhknt.cm
- DNS ASK hp###ywrub.mn
- DNS ASK cm######bytmhubalwgbjyb.ki
- DNS ASK rn####nmyfyokdk.in
- DNS ASK hd####pycankckw.sh
- DNS ASK ir####ikxrlgvot.nf
- DNS ASK uy######qyycmahrenprmgjf.tj
- DNS ASK yi####ovbdgdku.mu
- DNS ASK xj#####shqcrangwjgst.mn
- DNS ASK sp####efuubyio.cm
- DNS ASK lb######eiwruthovtgcsyli.ac
- DNS ASK vk#####ftgyhkfjkrir.im
- DNS ASK me####ulsdjjbov.tw
- DNS ASK hm####smifhcehms.cx
- DNS ASK bk######ooypbfcbngtclpfb.ms
- DNS ASK rd######kkiuvdoytremva.ms
- DNS ASK dh#####vdwadytvcsivj.sh
- DNS ASK jj#####vivlwfjsklt.mn
- DNS ASK rm#####ovrdaxtdykxr.tj
- DNS ASK qe####eldfnmcplr.tj
- DNS ASK xm###vyofig.in
- DNS ASK hp#####moiafqwnmjjrd.cm
- DNS ASK rx#####txovqopxugsdc.ms
- DNS ASK sk#######nnktsldqvomikraf.ac
- DNS ASK gg####pmbxekkkd.nf
- DNS ASK lu###tyybuew.jp
- DNS ASK qq######eegmfkfesaevgr.la
- DNS ASK um#####hqoenipffsi.cm
- DNS ASK xy######fugrfwhmedvfce.ki
- DNS ASK ox####eneiqsmg.ac
- DNS ASK qc######kxdtaytktpwfkxu.mu
- DNS ASK mb######japnomlxorcdvm.cm
- DNS ASK wb######gwfkjblorpxqqe.sh
- DNS ASK ps######srsivrdcgqocjkx.jp
- DNS ASK xo######xeaveosfqvvrxjd.in
- DNS ASK ta###iqxxhq.cm
- DNS ASK jh######hktowcxsgiggh.cm
- DNS ASK im#####jxqimulilrqgq.mn
- DNS ASK cv#####archoqllfwlf.nu
- DNS ASK ru###npygc.nu
- DNS ASK hl####jbbqvef.in
- DNS ASK qb###puofj.cx
- DNS ASK yr######eqjbhaunofforc.im
- DNS ASK ol######yemvecweilbyky.ac
- DNS ASK fq#####ecehhofhrk.cx
- DNS ASK de#####vlebjgalbw.ms
- DNS ASK ic####pweurjctls.tj
- DNS ASK mw#####gijutcmcgwdsg.sh
- DNS ASK wk#####joqbfqbfsx.tj
- DNS ASK lu###cpqumb.la
- DNS ASK po####sqobubm.ac
- DNS ASK ya####ienvcmdvsb.nf
- DNS ASK bv#####xfhmdudhrignf.mn
- DNS ASK hq####dfvlkfgd.tj
- DNS ASK nd###ooifer.jp
- DNS ASK hm#######alslxrrlsdlbtdvt.in
- DNS ASK qk###rrirexl.tj
- DNS ASK ex####edkmhmip.mu
- DNS ASK wg###hpkjboq.mu
- DNS ASK fr###jvnadim.mn
- DNS ASK iw######ldysmlwxhtlgkk.sc
- DNS ASK pl####itjbbsm.com
- DNS ASK fc####vgepnbp.com
- DNS ASK fi###mzdvca.com
- DNS ASK ju####ftgrbgu.com
- DNS ASK microsoft.com
- DNS ASK ly####ibdtpxgd.com
- DNS ASK ot####macjxvszt.com
- DNS ASK bv#####vjexpltqtito.ms
- DNS ASK yh####kjbfqqo.ms
- DNS ASK th######xoppimdkumkgthw.im
- DNS ASK wh####qcqkjvwwy.in
- DNS ASK sw####oomfvdvo.com
- DNS ASK ih####utlffwm.com
- DNS ASK jv###lunuaag.mn
- DNS ASK hj####mvldcgwb.mn
- DNS ASK no######xvugshnatjjwe.mu
- DNS ASK fw####tibtrdi.tw
- DNS ASK kx#####sbyvxqondmwvd.in
- DNS ASK uu#####rkecxahfgaetc.ac
- DNS ASK ka######hmbvomtlgrhxhqj.nu
- DNS ASK cu####lpmwvgbx.la
- DNS ASK qp####ulkeanvdfc.ac
- DNS ASK qf###jmvldlb.cm
- DNS ASK nl####olvnisl.mu
- DNS ASK pi#####aqthiccfnqq.cx
- DNS ASK ln#####vmhjmgwklsn.cm
- DNS ASK mt####djhcvxws.nu
- DNS ASK gr####ghgonvn.in
- DNS ASK oi######vclrptmiihcdtjq.so
- DNS ASK yf######ndcikpvyvxwlb.jp
- DNS ASK oa###apdjcr.nf
- DNS ASK ur######pehmisqhrxoyya.in
- DNS ASK tg####vfuipmmjyy.jp
- DNS ASK py######hendaabnfascha.ms
- DNS ASK iw####umelehl.cx
- DNS ASK xb#####rkuabgyyfm.nf
- DNS ASK ks#####jucnsoexhl.cm
- DNS ASK ns#####qxidcctscmva.cm
- DNS ASK ls######xawtkqsouflnuwwe.nf
- DNS ASK mr####gxufjfja.ac
- DNS ASK hm######gksgfwhtatjbsf.mn
- DNS ASK tq#####sbgjgdbesygh.la
- DNS ASK qs####heloswik.sh
- DNS ASK in####umohqjs.cm
