Техническая информация
Для обеспечения автозапуска и распространения:
Создает следующие сервисы:
- [<HKLM>\SYSTEM\ControlSet001\Services\45af27e5ebbbd19] 'ImagePath' = '<DRIVERS>\45af27e5ebbbd19.sys'
- [<HKLM>\SYSTEM\ControlSet001\Services\45af27e5ebbbd19] 'Start' = '00000000'
- [<HKLM>\SYSTEM\ControlSet001\Services\syshost32] 'Start' = '00000002'
- [<HKLM>\SYSTEM\ControlSet001\Services\18e70] 'Start' = '00000001'
Вредоносные функции:
Создает и запускает на исполнение:
- %WINDIR%\Installer\{9D60B38E-7D0F-65DC-93C3-47A5696F24CE}\syshost.exe /service
Перехватывает следующие функции в SSDT (System Service Descriptor Table):
- NtOpenThread, драйвер-обработчик: unknown
- NtOpenProcess, драйвер-обработчик: unknown
Изменения в файловой системе:
Создает следующие файлы:
- <DRIVERS>\45af27e5ebbbd19.sys
- <DRIVERS>\18e70.sys
- %WINDIR%\Installer\{9D60B38E-7D0F-65DC-93C3-47A5696F24CE}\syshost.exe
Удаляет следующие файлы:
- <DRIVERS>\18e70.sys
Самоперемещается:
- из <Полный путь к вирусу> в %TEMP%\a4bf92ca.tmp
Самоудаляется.
Сетевая активность:
Подключается к:
- 'll###egpmrht.mn':80
- 'bx####fmsasluaxc.mu':80
- 'et######elfpwdxvjpqmnt.mu':80
- 'su######pxjputtbvqghl.sh':80
- 'no####tlwxufv.mu':80
- 'jb#######tfgyqgahyfpbsckt.mn':80
- 'qm######glpfpnqwtseuh.tj':80
- 'ew#####movngblxffuk.mu':80
- 'qb####eqencwq.mu':80
- 'id###jtpnbmt.nu':80
- 'or####uslwtvj.mu':80
- 'uj####bkairfqrms.cm':80
- 'lp#####evfawnhyjn.tw':80
- 'nn####renhivolia.cx':80
- 'nj#####ebbswwyafp.sc':80
- 'qc######kxdtaytktpwfkxu.mu':80
- 'ka####gdjasbsqrc.cm':80
- 'ko#####bmwlrwovjssj.nf':80
- 'mm####xhrcssajjj.la':80
- 'hu###ogewl.im':80
- 'qf###jmvldlb.cm':80
- 'pf#####kkilwqtvpu.cc':80
- 'qp###blcuse.cc':80
- 'hm####smifhcehms.cx':80
- 'qn######akqrtrodqmvgjrhs.im':80
- 'rj####gtmhqym.ki':80
- 'lu###cpqumb.la':80
- 'lg####xmpccoli.la':80
- 'gy#####bltgpbyjnsok.in':80
- 'ol######lencshapoeoovmc.mu':80
- 'kx####vusiueo.cx':80
- 'no######xvugshnatjjwe.mu':80
- 'og######bnhvkfqmdiakjhv.sc':80
- 'pv####ceolqeemtx.sh':80
- 'rk####hoaooypbu.tj':80
- 'lm####nfbvcnk.ac':80
- 'qr####uxxkvbide.nu':80
- 'ga####ycojuqbh.so':80
- 'ca###dkuqy.mu':80
- '62.##.229.126':80
- '62.##.229.131':80
- '20#.#6.232.182':80
- '62.##.229.134':80
- 'is###gydkpk.ac':80
- 'dq######cddcthmbfvhti.cc':80
- 'fa###ook.com':80
- 'ry###qfmjqs.ki':80
- 'ug###sospxij.in':80
- 'nl####olvnisl.mu':80
- 'bv#####vjexpltqtito.ms':80
- 'yv###kiaxxba.ac':80
- 'xr####crdmbugdjd.ms':80
- 'cl######cnqmbegquvfsldgo.nu':80
- 'gl#####atqlmrrxtyl.so':80
- 'lf#####xymklwkmyas.nu':80
- 'ny####nkhhmioqf.ms':80
- 'xh######rxxqjfksgvejwlc.nf':80
- 'os####mlvfqctlq.tj':80
- 'jh#####ulgdgcvnqg.so':80
- 'xh####ktxwwnivx.sc':80
- 'iv#####wbhifwwbwoyxp.la':80
TCP:
Запросы HTTP POST:
- ll###egpmrht.mn/xxdb.cgi
- bx####fmsasluaxc.mu/xxdb.cgi
- et######elfpwdxvjpqmnt.mu/xxdb.cgi
- su######pxjputtbvqghl.sh/xxdb.cgi
- no####tlwxufv.mu/xxdb.cgi
- jb#######tfgyqgahyfpbsckt.mn/xxdb.cgi
- qm######glpfpnqwtseuh.tj/xxdb.cgi
- uj####bkairfqrms.cm/xxdb.cgi
- qb####eqencwq.mu/xxdb.cgi
- id###jtpnbmt.nu/xxdb.cgi
- nj#####ebbswwyafp.sc/xxdb.cgi
- ew#####movngblxffuk.mu/xxdb.cgi
- lp#####evfawnhyjn.tw/xxdb.cgi
- nn####renhivolia.cx/xxdb.cgi
- rj####gtmhqym.ki/xxdb.cgi
- qc######kxdtaytktpwfkxu.mu/xxdb.cgi
- ka####gdjasbsqrc.cm/xxdb.cgi
- ko#####bmwlrwovjssj.nf/xxdb.cgi
- mm####xhrcssajjj.la/xxdb.cgi
- hu###ogewl.im/xxdb.cgi
- qf###jmvldlb.cm/xxdb.cgi
- pf#####kkilwqtvpu.cc/xxdb.cgi
- lu###cpqumb.la/xxdb.cgi
- hm####smifhcehms.cx/xxdb.cgi
- qn######akqrtrodqmvgjrhs.im/xxdb.cgi
- ol######lencshapoeoovmc.mu/xxdb.cgi
- qp###blcuse.cc/xxdb.cgi
- lg####xmpccoli.la/xxdb.cgi
- gy#####bltgpbyjnsok.in/xxdb.cgi
- or####uslwtvj.mu/xxdb.cgi
- rk####hoaooypbu.tj/xxdb.cgi
- no######xvugshnatjjwe.mu/xxdb.cgi
- og######bnhvkfqmdiakjhv.sc/xxdb.cgi
- ga####ycojuqbh.so/xxdb.cgi
- xh######rxxqjfksgvejwlc.nf/xxdb.cgi
- lm####nfbvcnk.ac/xxdb.cgi
- qr####uxxkvbide.nu/xxdb.cgi
- 62.##.229.134/cgi-bin/meta.cgi
- 62.##.229.126/cgi-bin/meta.cgi
- 62.##.229.131/cgi-bin/meta.cgi
- dq######cddcthmbfvhti.cc/xxdb.cgi
- pv####ceolqeemtx.sh/xxdb.cgi
- ca###dkuqy.mu/xxdb.cgi
- is###gydkpk.ac/xxdb.cgi
- ny####nkhhmioqf.ms/xxdb.cgi
- bv#####vjexpltqtito.ms/xxdb.cgi
- ry###qfmjqs.ki/xxdb.cgi
- ug###sospxij.in/xxdb.cgi
- cl######cnqmbegquvfsldgo.nu/xxdb.cgi
- kx####vusiueo.cx/xxdb.cgi
- yv###kiaxxba.ac/xxdb.cgi
- xr####crdmbugdjd.ms/xxdb.cgi
- iv#####wbhifwwbwoyxp.la/xxdb.cgi
- os####mlvfqctlq.tj/xxdb.cgi
- lf#####xymklwkmyas.nu/xxdb.cgi
- xh####ktxwwnivx.sc/xxdb.cgi
- nl####olvnisl.mu/xxdb.cgi
- gl#####atqlmrrxtyl.so/xxdb.cgi
- jh#####ulgdgcvnqg.so/xxdb.cgi
UDP:
- DNS ASK mm####xhrcssajjj.la
- DNS ASK ud####xhryhbb.im
- DNS ASK pf#####kkilwqtvpu.cc
- DNS ASK fd#####yeiydnkiwou.tw
- DNS ASK ux###xhjplwg.cx
- DNS ASK qc######kxdtaytktpwfkxu.mu
- DNS ASK ly######cbcxkunyrrbqurm.la
- DNS ASK yj#####qwpuablrxnf.la
- DNS ASK qf###jmvldlb.cm
- DNS ASK qx#####ymbxqabevhbod.nu
- DNS ASK ue###inuxp.mn
- DNS ASK km#####pgacofrars.cc
- DNS ASK nd###ooifer.jp
- DNS ASK wx#####idqhgvlndaxe.ac
- DNS ASK ol######lencshapoeoovmc.mu
- DNS ASK gy#####bltgpbyjnsok.in
- DNS ASK hp#####moiafqwnmjjrd.cm
- DNS ASK lu###cpqumb.la
- DNS ASK qn######akqrtrodqmvgjrhs.im
- DNS ASK my#####rbjfotfrsmabm.sh
- DNS ASK hm####smifhcehms.cx
- DNS ASK ka####gdjasbsqrc.cm
- DNS ASK hi####bpsitxo.la
- DNS ASK lw#####mfbyvmmywp.sh
- DNS ASK ko#####bmwlrwovjssj.nf
- DNS ASK lg####xmpccoli.la
- DNS ASK qp###blcuse.cc
- DNS ASK cl#####fpfoqjwhrwel.tj
- DNS ASK mx######qearfhqikesukug.cx
- DNS ASK ce#######ybtluxbhegwnbmml.cx
- DNS ASK yq######ulqbwehuderkefu.sc
- DNS ASK lu######otmwiqrrljuum.nf
- DNS ASK vs######cwlqdmddakbii.ms
- DNS ASK hu###ogewl.im
- DNS ASK tq####yyincrvmyc.nf
- DNS ASK cy#####pvewwxvdbnynl.tw
- DNS ASK op######fouxvbcbdjybf.nu
- DNS ASK rg###kbbhvcc.so
- DNS ASK ta###lgipwvr.in
- DNS ASK pq###uwxtk.mn
- DNS ASK ep####wjicwox.mn
- DNS ASK bq####ymhxjdnsa.jp
- DNS ASK ji######qrvntcxeeofmtb.in
- DNS ASK al#######nxqjuwxnohxifsre.nu
- DNS ASK pb#######rxsrjsphykqyxbcr.sh
- DNS ASK th######xoppimdkumkgthw.im
- DNS ASK ky######jylcqhloixmhad.ac
- DNS ASK dn#######lrpkrtofiybendrt.in
- DNS ASK yn#####icjlfjbmhkev.im
- DNS ASK uf######irfykownvodio.cc
- DNS ASK lv######pobdfeqkisuqov.sc
- DNS ASK gy######alfrglyuklxuv.ki
- DNS ASK xn#####mhxwcycyunx.cc
- DNS ASK qu######rxkevhqmnhtbj.tj
- DNS ASK tx####tyytrkhc.nu
- DNS ASK me####ulsdjjbov.tw
- DNS ASK rj####gtmhqym.ki
- DNS ASK qr####uxxkvbide.nu
- DNS ASK lm####nfbvcnk.ac
- DNS ASK xh######rxxqjfksgvejwlc.nf
- DNS ASK ga####ycojuqbh.so
- DNS ASK og######bnhvkfqmdiakjhv.sc
- DNS ASK rk####hoaooypbu.tj
- DNS ASK no######xvugshnatjjwe.mu
- DNS ASK xh####ktxwwnivx.sc
- DNS ASK tm###ykqelnd.ki
- DNS ASK jh#####ulgdgcvnqg.so
- DNS ASK iv#####wbhifwwbwoyxp.la
- DNS ASK ny####nkhhmioqf.ms
- DNS ASK lf#####xymklwkmyas.nu
- DNS ASK os####mlvfqctlq.tj
- DNS ASK ba###cvupwl.com
- DNS ASK fa###ook.com
- DNS ASK pr####hzcmqkmj.com
- DNS ASK rq###hhxsd.com
- DNS ASK microsoft.com
- DNS ASK gl###svipd.com
- DNS ASK xd####eqwmrsjnn.com
- DNS ASK is###gydkpk.ac
- DNS ASK ca###dkuqy.mu
- DNS ASK pv####ceolqeemtx.sh
- DNS ASK dq######cddcthmbfvhti.cc
- DNS ASK ix###qnsri.com
- DNS ASK zm####nvfmmogj.com
- DNS ASK jf####lontwf.com
- DNS ASK et######elfpwdxvjpqmnt.mu
- DNS ASK du####totxell.cm
- DNS ASK bx####fmsasluaxc.mu
- DNS ASK ew#####movngblxffuk.mu
- DNS ASK nj#####ebbswwyafp.sc
- DNS ASK nn####renhivolia.cx
- DNS ASK lp#####evfawnhyjn.tw
- DNS ASK no####tlwxufv.mu
- DNS ASK ik####dwvwjhwd.ac
- DNS ASK cq###deboska.in
- DNS ASK jb#######tfgyqgahyfpbsckt.mn
- DNS ASK ll###egpmrht.mn
- DNS ASK su######pxjputtbvqghl.sh
- DNS ASK qm######glpfpnqwtseuh.tj
- DNS ASK ry###qfmjqs.ki
- DNS ASK bv#####vjexpltqtito.ms
- DNS ASK cl######cnqmbegquvfsldgo.nu
- DNS ASK rl####qeppwlnk.ms
- DNS ASK gl#####atqlmrrxtyl.so
- DNS ASK nl####olvnisl.mu
- DNS ASK ug###sospxij.in
- DNS ASK id###jtpnbmt.nu
- DNS ASK qb####eqencwq.mu
- DNS ASK uj####bkairfqrms.cm
- DNS ASK or####uslwtvj.mu
- DNS ASK xr####crdmbugdjd.ms
- DNS ASK yv###kiaxxba.ac
- DNS ASK kx####vusiueo.cx
