Техническая информация
Для обеспечения автозапуска и распространения
Модифицирует следующие ключи реестра
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] 'StAgtMnt' = '"%ProgramFiles(x86)%\SkyRecon\StormShield Agent\ssmon.exe"'
Создает следующие сервисы
- [<HKLM>\System\CurrentControlSet\Services\StormShield Agent] 'Start' = '00000002'
- [<HKLM>\System\CurrentControlSet\Services\StormShield Agent] 'ImagePath' = '"%ProgramFiles(x86)%\SkyRecon\StormShield Agent\SRService.exe"'
- [<HKLM>\System\CurrentControlSet\Services\heimdall] 'Start' = '00000001'
- [<HKLM>\System\CurrentControlSet\Services\heimdall] 'ImagePath' = '<SYSTEM32>\heimdall-sys.sra'
- [<HKLM>\System\CurrentControlSet\Services\thor3] 'Start' = '00000000'
- [<HKLM>\System\CurrentControlSet\Services\thor3] 'ImagePath' = 'system32\drivers\thor3.sra'
- [<HKLM>\System\CurrentControlSet\Services\odin] 'Start' = '00000000'
- [<HKLM>\System\CurrentControlSet\Services\odin] 'ImagePath' = 'system32\odin-sys.sra'
- [<HKLM>\System\CurrentControlSet\Services\nep_sys] 'Start' = '00000000'
- [<HKLM>\System\CurrentControlSet\Services\nep_sys] 'ImagePath' = 'system32\drivers\nep-sys.sra'
- [<HKLM>\System\CurrentControlSet\Services\meili] 'Start' = '00000001'
- [<HKLM>\System\CurrentControlSet\Services\meili] 'ImagePath' = 'system32\DRIVERS\meili.sra'
- [<HKLM>\System\CurrentControlSet\Services\baldr] 'Start' = '00000001'
- [<HKLM>\System\CurrentControlSet\Services\baldr] 'ImagePath' = '<DRIVERS>\baldr.sra'
Вредоносные функции
Внедряет код в
следующие пользовательские процессы:
- srservice.exe
Изменения в файловой системе
Создает следующие файлы
- %TEMP%\sky.tmp\sky.cnf
- %ProgramFiles(x86)%\skyrecon\stormshield agent\loki-sys.sra
- %ProgramFiles(x86)%\skyrecon\stormshield agent\meili.inf
- %ProgramFiles(x86)%\skyrecon\stormshield agent\meili.sra
- %ProgramFiles(x86)%\skyrecon\stormshield agent\meilix86.cat
- %ProgramFiles(x86)%\skyrecon\stormshield agent\nep-sys.sra
- %ProgramFiles(x86)%\skyrecon\stormshield agent\nepcom.exe
- %ProgramFiles(x86)%\skyrecon\stormshield agent\nepctrl.sra
- %ProgramFiles(x86)%\skyrecon\stormshield agent\netact.sra
- %ProgramFiles(x86)%\skyrecon\stormshield agent\odin-sys.sra
- %ProgramFiles(x86)%\skyrecon\stormshield agent\recovery.sro
- %ProgramFiles(x86)%\skyrecon\stormshield agent\scapi.sro
- %ProgramFiles(x86)%\skyrecon\stormshield agent\sdk.srx
- %ProgramFiles(x86)%\skyrecon\stormshield agent\skyrecon.cer
- %ProgramFiles(x86)%\skyrecon\stormshield agent\sr.sro
- %ProgramFiles(x86)%\skyrecon\stormshield agent\srimc.sro
- %ProgramFiles(x86)%\skyrecon\stormshield agent\srservice.exe
- %ProgramFiles(x86)%\skyrecon\stormshield agent\srsha.sro
- %ProgramFiles(x86)%\skyrecon\stormshield agent\licenses.txt
- %ProgramFiles(x86)%\skyrecon\stormshield agent\sslogdll.sro
- %ProgramFiles(x86)%\skyrecon\stormshield agent\libxml2.dll
- %ProgramFiles(x86)%\skyrecon\stormshield agent\libiconv2.dll
- %ProgramFiles(x86)%\skyrecon\stormshield agent\surt.exe
- %ProgramFiles(x86)%\skyrecon\stormshield agent\uninstall_thor3.exe
- %ProgramFiles(x86)%\skyrecon\stormshield agent\ziputils.dll
- %ProgramFiles(x86)%\skyrecon\stormshield agent\baldr.sra
- %ProgramFiles(x86)%\skyrecon\stormshield agent\bootloader.sra
- %ProgramFiles(x86)%\skyrecon\stormshield agent\burn.dll
- %ProgramFiles(x86)%\skyrecon\stormshield agent\csws.exe
- %ProgramFiles(x86)%\skyrecon\stormshield agent\detour.dll
- %ProgramFiles(x86)%\skyrecon\stormshield agent\detour64.dll
- %ProgramFiles(x86)%\skyrecon\stormshield agent\detoured.dll
- %ProgramFiles(x86)%\skyrecon\stormshield agent\evbmenu.dll
- %ProgramFiles(x86)%\skyrecon\stormshield agent\evbov.dll
- %ProgramFiles(x86)%\skyrecon\stormshield agent\evbshred.exe
- %ProgramFiles(x86)%\skyrecon\stormshield agent\framework.exe
- %ProgramFiles(x86)%\skyrecon\stormshield agent\getcert.exe
- %ProgramFiles(x86)%\skyrecon\stormshield agent\heimdall-sys.sra
- %ProgramFiles(x86)%\skyrecon\stormshield agent\ldapad.sra
- %ProgramFiles(x86)%\skyrecon\stormshield agent\libscm.dll
- %ProgramFiles(x86)%\skyrecon\stormshield agent\ssmon.exe
- %ProgramFiles(x86)%\skyrecon\stormshield agent\stopagent.exe
- %ProgramFiles(x86)%\skyrecon\stormshield agent\thor2.sra
- <DRIVERS>\baldr.sra
- %TEMP%\nsgbbe5.tmp\ns7f5.tmp
- %WINDIR%\temp\uddac4.tmp
- %ProgramFiles(x86)%\skyrecon\stormshield agent\log\framework.log
- %WINDIR%\temp\uddad4.tmp
- %ProgramFiles(x86)%\skyrecon\stormshield agent\vfs\recycle.dfs
- %ProgramFiles(x86)%\skyrecon\stormshield agent\log\software.sro
- %ProgramFiles(x86)%\skyrecon\stormshield agent\vfs\data.dfs
- %ProgramFiles(x86)%\skyrecon\stormshield agent\log\heimdall.sro
- %ProgramFiles(x86)%\skyrecon\stormshield agent\log\device.sro
- %ProgramFiles(x86)%\skyrecon\stormshield agent\log\deferred.sro
- %ProgramFiles(x86)%\skyrecon\stormshield agent\log\skybatch.sro
- %ProgramFiles(x86)%\skyrecon\stormshield agent\netif.srx
- %ProgramFiles(x86)%\skyrecon\stormshield agent\log\output.sro
- %ProgramFiles(x86)%\skyrecon\stormshield agent\log\output_err.sro
- %ProgramFiles(x86)%\skyrecon\stormshield agent\vfs\vfat.dfs
- %WINDIR%\inf\oem2.pnf
- <DRIVERS>\set31f.tmp
- <SYSTEM32>\catroot\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\oem2.cat
- %TEMP%\{43094506-ddcb-13dd-6ed1-b9193f78ce0f}\sete6de.tmp
- %TEMP%\{43094506-ddcb-13dd-6ed1-b9193f78ce0f}\sete612.tmp
- %ProgramFiles(x86)%\skyrecon\stormshield agent\updater.exe
- %ProgramFiles(x86)%\skyrecon\stormshield agent\verif_patch.exe
- %ProgramFiles(x86)%\skyrecon\stormshield agent\meiliamd64.cat
- %ProgramFiles(x86)%\skyrecon\stormshield agent\recovery.exe
- %TEMP%\nsgbbe5.tmp\nsexec.dll
- %TEMP%\nsgbbe5.tmp\nscd7a.tmp
- %TEMP%\nsgbbe5.tmp\nsd144.tmp
- %ProgramFiles(x86)%\skyrecon\stormshield agent\ssogina.dll
- <SYSTEM32>\heimdall-sys.sra
- %ProgramFiles(x86)%\skyrecon\stormshield agent\srservice.log
- <SYSTEM32>\odin-sys.sra
- <DRIVERS>\nep-sys.sra
- %WINDIR%\temp\uddd894.tmp
- %WINDIR%\temp\uddd8d3.tmp
- %WINDIR%\temp\uddd923.tmp
- %WINDIR%\temp\uddd943.tmp
- %TEMP%\{43094506-ddcb-13dd-6ed1-b9193f78ce0f}\sete527.tmp
- %ProgramFiles(x86)%\skyrecon\stormshield agent\thor3.sra
- <DRIVERS>\thor3.sra
- %ProgramFiles(x86)%\skyrecon\stormshield agent\log\thor.sro
- %ProgramFiles(x86)%\skyrecon\stormshield agent\ssocredentialprovider.dll
- %ProgramFiles(x86)%\skyrecon\stormshield agent\jedi\nhc-stormshield.dll
- %ProgramFiles(x86)%\skyrecon\stormshield agent\modules\modloki.sra
- %ProgramFiles(x86)%\skyrecon\stormshield agent\modules\modpeers.sra
- %ProgramFiles(x86)%\skyrecon\stormshield agent\modules\modprint.sra
- %ProgramFiles(x86)%\skyrecon\stormshield agent\modules\modrecovery.sra
- %ProgramFiles(x86)%\skyrecon\stormshield agent\modules\modsslog.sra
- %ProgramFiles(x86)%\skyrecon\stormshield agent\modules\modtoken.sra
- %ProgramFiles(x86)%\skyrecon\stormshield agent\modules\modtracker.sra
- %ProgramFiles(x86)%\skyrecon\stormshield agent\modules\modupdate.sra
- %ProgramFiles(x86)%\skyrecon\stormshield agent\modules\modxml2srx.sra
- %ProgramFiles(x86)%\skyrecon\stormshield agent\modules\nep.sra
- %ProgramFiles(x86)%\skyrecon\stormshield agent\modules\odin.sra
- %ProgramFiles(x86)%\skyrecon\stormshield agent\modules\ssmon.sra
- %ProgramFiles(x86)%\skyrecon\stormshield agent\modules\thor.sra
- %ProgramFiles(x86)%\skyrecon\stormshield agent\modules\vfs.sra
- %ProgramFiles(x86)%\skyrecon\stormshield agent\conf\build.sro
- %ProgramFiles(x86)%\skyrecon\stormshield agent\conf\framework.sro
- %ProgramFiles(x86)%\skyrecon\stormshield agent\conf\lockfile.srx
- %ProgramFiles(x86)%\skyrecon\stormshield agent\modules\modlockfile.sra
- %ProgramFiles(x86)%\skyrecon\stormshield agent\conf\meta-rules.srx
- %ProgramFiles(x86)%\skyrecon\stormshield agent\modules\modldap.sra
- %ProgramFiles(x86)%\skyrecon\stormshield agent\modules\modgetconf.sra
- %TEMP%\sky.tmp\agent.exe
- %TEMP%\sky.tmp\conf.srx
- %TEMP%\nsgbbe5.tmp\nsregexp.dll
- %ProgramFiles(x86)%\skyrecon\stormshield agent\install.log
- %ProgramFiles(x86)%\skyrecon\stormshield agent\srend.exe
- %ProgramFiles(x86)%\skyrecon\stormshield agent\modules\heimdall.sra
- %ProgramFiles(x86)%\skyrecon\stormshield agent\modules\modacl.sra
- %ProgramFiles(x86)%\skyrecon\stormshield agent\modules\modaction.sra
- %ProgramFiles(x86)%\skyrecon\stormshield agent\modules\modap.sra
- %ProgramFiles(x86)%\skyrecon\stormshield agent\modules\modauth.sra
- %ProgramFiles(x86)%\skyrecon\stormshield agent\modules\modav.sra
- %ProgramFiles(x86)%\skyrecon\stormshield agent\modules\modcert.sra
- %ProgramFiles(x86)%\skyrecon\stormshield agent\modules\modcom.sra
- %ProgramFiles(x86)%\skyrecon\stormshield agent\modules\modconf.sra
- %ProgramFiles(x86)%\skyrecon\stormshield agent\modules\modcrypto.sra
- %ProgramFiles(x86)%\skyrecon\stormshield agent\modules\moddial.sra
- %ProgramFiles(x86)%\skyrecon\stormshield agent\modules\modenforcement.sra
- %ProgramFiles(x86)%\skyrecon\stormshield agent\modules\modids.sra
- %ProgramFiles(x86)%\skyrecon\stormshield agent\conf\modids.srn
- %ProgramFiles(x86)%\skyrecon\stormshield agent\conf\modpeers.sro
- %ProgramFiles(x86)%\skyrecon\stormshield agent\conf\overtrust.srx
- %ProgramFiles(x86)%\skyrecon\stormshield agent\res\ssmonres-es.sro
- %ProgramFiles(x86)%\skyrecon\stormshield agent\res\ssmonres-fr.sro
- %ProgramFiles(x86)%\skyrecon\stormshield agent\res\ssmonres-pt-br.sro
- %ProgramFiles(x86)%\skyrecon\stormshield agent\res\ssres-aranda software.sro
- %ProgramFiles(x86)%\skyrecon\stormshield agent\res\ssres-matrix42.sro
- %ProgramFiles(x86)%\skyrecon\stormshield agent\res\ssres-skyrecon.sro
- %ProgramFiles(x86)%\skyrecon\stormshield agent\av\unrar.exe
- %ProgramFiles(x86)%\skyrecon\stormshield agent\protect_bfe.dll
- %ProgramFiles(x86)%\skyrecon\stormshield agent\av\oemlogo.png
- %TEMP%\nsgbbe5.tmp\system.dll
- %ProgramFiles(x86)%\skyrecon\stormshield agent\bin64\ssocredentialprovider.dll
- %ProgramFiles(x86)%\skyrecon\stormshield agent\bin64\detoured.dll
- %ProgramFiles(x86)%\skyrecon\stormshield agent\bin64\evbov.dll
- %ProgramFiles(x86)%\skyrecon\stormshield agent\antiflood.dll
- %ProgramFiles(x86)%\skyrecon\stormshield agent\certmgr.exe
- %ProgramFiles(x86)%\skyrecon\stormshield agent\meili_installer.exe
- %ProgramFiles(x86)%\skyrecon\stormshield agent\res\ssmonres-de.sro
- %ProgramFiles(x86)%\skyrecon\stormshield agent\res\ssmonres-en.sro
- %ProgramFiles(x86)%\skyrecon\stormshield agent\res\pt-br-sslog-software.sro
- %ProgramFiles(x86)%\skyrecon\stormshield agent\res\pt-br-sslog-device.sro
- %ProgramFiles(x86)%\skyrecon\stormshield agent\res\pt-br-sslog-thor.sro
- %ProgramFiles(x86)%\skyrecon\stormshield agent\res\de-sslog-heimdall.sro
- %ProgramFiles(x86)%\skyrecon\stormshield agent\res\de-sslog-thor.sro
- %ProgramFiles(x86)%\skyrecon\stormshield agent\res\de-sslog-device.sro
- %ProgramFiles(x86)%\skyrecon\stormshield agent\res\de-sslog-software.sro
- %ProgramFiles(x86)%\skyrecon\stormshield agent\res\en-sslog-heimdall.sro
- %ProgramFiles(x86)%\skyrecon\stormshield agent\res\en-sslog-thor.sro
- %ProgramFiles(x86)%\skyrecon\stormshield agent\res\en-sslog-device.sro
- %ProgramFiles(x86)%\skyrecon\stormshield agent\pubkey.pem
- %ProgramFiles(x86)%\skyrecon\stormshield agent\res\es-sslog-heimdall.sro
- %ProgramFiles(x86)%\skyrecon\stormshield agent\res\en-sslog-software.sro
- %ProgramFiles(x86)%\skyrecon\stormshield agent\res\es-sslog-device.sro
- %ProgramFiles(x86)%\skyrecon\stormshield agent\res\es-sslog-software.sro
- %ProgramFiles(x86)%\skyrecon\stormshield agent\res\fr-sslog-heimdall.sro
- %ProgramFiles(x86)%\skyrecon\stormshield agent\res\fr-sslog-thor.sro
- %ProgramFiles(x86)%\skyrecon\stormshield agent\res\fr-sslog-device.sro
- %ProgramFiles(x86)%\skyrecon\stormshield agent\res\fr-sslog-software.sro
- %ProgramFiles(x86)%\skyrecon\stormshield agent\res\pt-br-sslog-heimdall.sro
- %ProgramFiles(x86)%\skyrecon\stormshield agent\conf\version.sro
- %ProgramFiles(x86)%\skyrecon\stormshield agent\res\es-sslog-thor.sro
- %ProgramFiles(x86)%\skyrecon\stormshield agent\host_guid.sro
Присваивает атрибут 'скрытый' для следующих файлов
- <SYSTEM32>\catroot\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\oem2.cat
Удаляет следующие файлы
- %TEMP%\sky.tmp\sky.cnf
- %TEMP%\nsgbbe5.tmp\nscd7a.tmp
- %WINDIR%\temp\uddd894.tmp
- %WINDIR%\temp\uddd8d3.tmp
- %WINDIR%\temp\uddd923.tmp
- %WINDIR%\temp\uddd943.tmp
- %TEMP%\{43094506-ddcb-13dd-6ed1-b9193f78ce0f}\meili.inf
- %TEMP%\{43094506-ddcb-13dd-6ed1-b9193f78ce0f}\meili.sra
- %TEMP%\{43094506-ddcb-13dd-6ed1-b9193f78ce0f}\meiliamd64.cat
- %TEMP%\nsgbbe5.tmp\nsd144.tmp
- %WINDIR%\temp\uddac4.tmp
- %WINDIR%\temp\uddad4.tmp
- %TEMP%\nsgbbe5.tmp\ns7f5.tmp
- %TEMP%\nsgbbe5.tmp\nsexec.dll
- %TEMP%\nsgbbe5.tmp\nsregexp.dll
- %TEMP%\nsgbbe5.tmp\system.dll
Перемещает следующие файлы
- %TEMP%\sky.tmp\conf.srx в %ProgramFiles(x86)%\skyrecon\stormshield agent\conf\conf.srx
- %TEMP%\{43094506-ddcb-13dd-6ed1-b9193f78ce0f}\sete527.tmp в %TEMP%\{43094506-ddcb-13dd-6ed1-b9193f78ce0f}\meiliamd64.cat
- %TEMP%\{43094506-ddcb-13dd-6ed1-b9193f78ce0f}\sete612.tmp в %TEMP%\{43094506-ddcb-13dd-6ed1-b9193f78ce0f}\meili.inf
- %TEMP%\{43094506-ddcb-13dd-6ed1-b9193f78ce0f}\sete6de.tmp в %TEMP%\{43094506-ddcb-13dd-6ed1-b9193f78ce0f}\meili.sra
- <DRIVERS>\set31f.tmp в <DRIVERS>\meili.sra
Сетевая активность
Подключается к
- 'localhost':16011
- '<LOCALNET>.128.77':443
Другое
Ищет следующие окна
- ClassName: 'SSMonAppClass' WindowName: ''
Создает и запускает на исполнение
- '%TEMP%\sky.tmp\agent.exe' silent
- '%ProgramFiles(x86)%\skyrecon\stormshield agent\meili_installer.exe' /Install
- '%ProgramFiles(x86)%\skyrecon\stormshield agent\framework.exe'
- '%TEMP%\nsgbbe5.tmp\ns7f5.tmp' net start "StormShield Agent"
- '%ProgramFiles(x86)%\skyrecon\stormshield agent\certmgr.exe' -add skyrecon.cer -c -s -r localMachine TrustedPublisher
- '%TEMP%\nsgbbe5.tmp\nsd144.tmp' "%ProgramFiles(x86)%\SkyRecon\StormShield Agent\SRService.exe" -i
- '%ProgramFiles(x86)%\skyrecon\stormshield agent\srservice.exe'
- '%ProgramFiles(x86)%\skyrecon\stormshield agent\getcert.exe' "https://192.168.128.77:443/ssl/cgi" "980303ad2c8aa2e282e3b56152dceefd&779959910" "agent.srn~"
- '%ProgramFiles(x86)%\skyrecon\stormshield agent\srservice.exe' -i
- '%ProgramFiles(x86)%\skyrecon\stormshield agent\csws.exe' -i
- '%TEMP%\nsgbbe5.tmp\nscd7a.tmp' csws.exe -i
- '%ProgramFiles(x86)%\skyrecon\stormshield agent\ssmon.exe'
- '%ProgramFiles(x86)%\skyrecon\stormshield agent\framework.exe' ' (со скрытым окном)
- '<SYSTEM32>\regsvr32.exe' /s "%ProgramFiles(x86)%\SkyRecon\StormShield Agent\evbov.dll"' (со скрытым окном)
- '<SYSTEM32>\regsvr32.exe' /s "%ProgramFiles(x86)%\SkyRecon\StormShield Agent\bin64\evbov.dll"' (со скрытым окном)
- '%TEMP%\nsgbbe5.tmp\nsd144.tmp' "%ProgramFiles(x86)%\SkyRecon\StormShield Agent\SRService.exe" -i' (со скрытым окном)
- '%ProgramFiles(x86)%\skyrecon\stormshield agent\meili_installer.exe' /Install' (со скрытым окном)
- '%TEMP%\nsgbbe5.tmp\ns7f5.tmp' net start "StormShield Agent"' (со скрытым окном)
- '%TEMP%\nsgbbe5.tmp\nscd7a.tmp' csws.exe -i' (со скрытым окном)
- '<SYSTEM32>\regsvr32.exe' /s "%ProgramFiles(x86)%\SkyRecon\StormShield Agent\evbmenu.dll"' (со скрытым окном)
Запускает на исполнение
- '<SYSTEM32>\regsvr32.exe' /s "%ProgramFiles(x86)%\SkyRecon\StormShield Agent\evbov.dll"
- '<SYSTEM32>\regsvr32.exe' /s "%ProgramFiles(x86)%\SkyRecon\StormShield Agent\bin64\evbov.dll"
- '<SYSTEM32>\regsvr32.exe' /s "%ProgramFiles(x86)%\SkyRecon\StormShield Agent\evbmenu.dll"
- '%WINDIR%\syswow64\net.exe' start "StormShield Agent"
- '%WINDIR%\syswow64\net1.exe' start "StormShield Agent"
