Техническая информация
Для обеспечения автозапуска и распространения:
Создает следующие сервисы:
- [<HKLM>\SYSTEM\ControlSet001\Services\f1fb3d244c5c0902] 'ImagePath' = '<DRIVERS>\f1fb3d244c5c0902.sys'
- [<HKLM>\SYSTEM\ControlSet001\Services\f1fb3d244c5c0902] 'Start' = '00000000'
- [<HKLM>\SYSTEM\ControlSet001\Services\syshost32] 'Start' = '00000002'
- [<HKLM>\SYSTEM\ControlSet001\Services\18dd3] 'Start' = '00000001'
Вредоносные функции:
Создает и запускает на исполнение:
- %WINDIR%\Installer\{6B13FB35-4A15-69A4-AEC3-4EDD84BB50E7}\syshost.exe /service
Перехватывает следующие функции в SSDT (System Service Descriptor Table):
- NtOpenThread, драйвер-обработчик: unknown
- NtOpenProcess, драйвер-обработчик: unknown
Изменения в файловой системе:
Создает следующие файлы:
- <DRIVERS>\f1fb3d244c5c0902.sys
- <DRIVERS>\18dd3.sys
- %WINDIR%\Installer\{6B13FB35-4A15-69A4-AEC3-4EDD84BB50E7}\syshost.exe
Удаляет следующие файлы:
- <DRIVERS>\18dd3.sys
Самоперемещается:
- из <Полный путь к вирусу> в %TEMP%\dd199ab8.tmp
Самоудаляется.
Сетевая активность:
Подключается к:
- 'hg####phbwfops.nu':80
- 'nm#####sllqeonfds.ac':80
- 'da####nmbtesug.so':80
- 'jj#####vivlwfjsklt.mn':80
- 'kw###kepbb.nf':80
- 'ud#####nwofvnvtgado.mn':80
- 'iq#####twihoglxlesp.cm':80
- 'ep###ocopr.cc':80
- 'bq####xyuihnjiex.ms':80
- 'tt####feamjvkuh.ki':80
- 'lm####nfbvcnk.ac':80
- 'ks####ufulnije.ac':80
- 'wg#####wqokxkcffkx.cx':80
- 'bv#####vjexpltqtito.ms':80
- 'sl######pqjlaehpkfalw.ac':80
- 'bw#####thndyeboio.nf':80
- 'va###lahspv.im':80
- 'hm######gksgfwhtatjbsf.mn':80
- 'cl######dkxmhbcjfmyugaw.ms':80
- 'tj######lxwkpbfgsiobrqjo.la':80
- 'at#####atdfiddtlh.cm':80
- 'ys######blaproylthkiai.nf':80
- 'kc####ptldaqx.sc':80
- 'dh###bvdgh.im':80
- 'wl###xuctubi.tj':80
- 'pp#####nxtjoioyycrlw.nu':80
- 'yf######ndcikpvyvxwlb.jp':80
- 'lv###igxitpy.nu':80
- 'oe######dqfephppysqjfj.cx':80
- 'pd######tmrwbdcnerfgmc.im':80
- 'ny####nkhhmioqf.ms':80
- 'bq####ymhxjdnsa.jp':80
- 'de###qbsmc.tj':80
- 'lp#####evfawnhyjn.tw':80
- 'ji#####xpnvlmlxuqjac.nf':80
- 'rw#####uilkkvofanb.nf':80
- 'ea####xuemgdqpyp.tj':80
- 'rm######gnooqeqjajqgve.nu':80
- 'en######krlsfsqpjrfrd.cx':80
- 'np####benqndacux.so':80
- 'ro#####anlhdyracmxi.im':80
- '62.##.229.134':80
- '62.##.229.126':80
- '20#.#6.232.182':80
- '62.##.229.131':80
- 'wx#####idqhgvlndaxe.ac':80
- 'gu####lmxlvwn.sh':80
- 'fa###ook.com':80
- 'rg###kbbhvcc.so':80
- 'hc####dooylncrr.tj':80
- 'vk#####qitdyyhunq.ki':80
- 'if######qwlrgnjbxmlbnlca.so':80
- 'ik####dwvwjhwd.ac':80
- 'pq###jvfgwcv.sc':80
- 'yj#####qwpuablrxnf.la':80
- 'ou#####xgatrboqjoxpu.tj':80
- 'rk####hoaooypbu.tj':80
- 'ug###sospxij.in':80
- 'iw#####ppyiafoote.so':80
- 'ol######yemvecweilbyky.ac':80
- 'ja######ggbtskryabkcx.ms':80
- 'gf######bdkorurbqmygjwe.so':80
- 'tj#####qevjsessrfb.ac':80
- 'ix######kvfjytfadqgev.so':80
- 'gg###lsvcdog.sh':80
TCP:
Запросы HTTP POST:
- nm#####sllqeonfds.ac/database.cgi
- hg####phbwfops.nu/database.cgi
- jj#####vivlwfjsklt.mn/database.cgi
- iq#####twihoglxlesp.cm/database.cgi
- ud#####nwofvnvtgado.mn/database.cgi
- kw###kepbb.nf/database.cgi
- ep###ocopr.cc/database.cgi
- da####nmbtesug.so/database.cgi
- tt####feamjvkuh.ki/database.cgi
- bq####xyuihnjiex.ms/database.cgi
- ks####ufulnije.ac/database.cgi
- sl######pqjlaehpkfalw.ac/database.cgi
- bv#####vjexpltqtito.ms/database.cgi
- wg#####wqokxkcffkx.cx/database.cgi
- bw#####thndyeboio.nf/database.cgi
- yf######ndcikpvyvxwlb.jp/database.cgi
- hm######gksgfwhtatjbsf.mn/database.cgi
- va###lahspv.im/database.cgi
- tj######lxwkpbfgsiobrqjo.la/database.cgi
- kc####ptldaqx.sc/database.cgi
- ys######blaproylthkiai.nf/database.cgi
- at#####atdfiddtlh.cm/database.cgi
- dh###bvdgh.im/database.cgi
- cl######dkxmhbcjfmyugaw.ms/database.cgi
- pp#####nxtjoioyycrlw.nu/database.cgi
- wl###xuctubi.tj/database.cgi
- lv###igxitpy.nu/database.cgi
- ny####nkhhmioqf.ms/database.cgi
- pd######tmrwbdcnerfgmc.im/database.cgi
- oe######dqfephppysqjfj.cx/database.cgi
- bq####ymhxjdnsa.jp/database.cgi
- lm####nfbvcnk.ac/database.cgi
- np####benqndacux.so/database.cgi
- ji#####xpnvlmlxuqjac.nf/database.cgi
- lp#####evfawnhyjn.tw/database.cgi
- ro#####anlhdyracmxi.im/database.cgi
- ol######yemvecweilbyky.ac/database.cgi
- en######krlsfsqpjrfrd.cx/database.cgi
- rm######gnooqeqjajqgve.nu/database.cgi
- ea####xuemgdqpyp.tj/database.cgi
- 62.##.229.126/cgi-bin/auth.cgi
- 62.##.229.134/cgi-bin/auth.cgi
- 62.##.229.131/cgi-bin/auth.cgi
- rg###kbbhvcc.so/database.cgi
- rw#####uilkkvofanb.nf/database.cgi
- gu####lmxlvwn.sh/database.cgi
- wx#####idqhgvlndaxe.ac/database.cgi
- ja######ggbtskryabkcx.ms/database.cgi
- ou#####xgatrboqjoxpu.tj/database.cgi
- vk#####qitdyyhunq.ki/database.cgi
- hc####dooylncrr.tj/database.cgi
- rk####hoaooypbu.tj/database.cgi
- de###qbsmc.tj/database.cgi
- yj#####qwpuablrxnf.la/database.cgi
- pq###jvfgwcv.sc/database.cgi
- ik####dwvwjhwd.ac/database.cgi
- ix######kvfjytfadqgev.so/database.cgi
- iw#####ppyiafoote.so/database.cgi
- ug###sospxij.in/database.cgi
- gg###lsvcdog.sh/database.cgi
- if######qwlrgnjbxmlbnlca.so/database.cgi
- tj#####qevjsessrfb.ac/database.cgi
- gf######bdkorurbqmygjwe.so/database.cgi
UDP:
- DNS ASK rw####dfwrlkgfd.cm
- DNS ASK fa####nasmswdc.cm
- DNS ASK uw####kbtwtkj.cm
- DNS ASK ep#####hwcqjqyqskvhv.ki
- DNS ASK hm######gksgfwhtatjbsf.mn
- DNS ASK ig#####wcceijobhysy.tj
- DNS ASK ks######cgrofvaxxiygglbk.tw
- DNS ASK rt###xqdrg.cm
- DNS ASK dh###bvdgh.im
- DNS ASK ng####fbemoiokh.cx
- DNS ASK lc###crksfpe.so
- DNS ASK rg#######huchqkfpkxtlpofr.cm
- DNS ASK kc####ptldaqx.sc
- DNS ASK cu####lpmwvgbx.la
- DNS ASK oe######dqfephppysqjfj.cx
- DNS ASK pd######tmrwbdcnerfgmc.im
- DNS ASK hx#####siugqswfgqsh.in
- DNS ASK bq####ymhxjdnsa.jp
- DNS ASK qu######rxkevhqmnhtbj.tj
- DNS ASK pp#####nxtjoioyycrlw.nu
- DNS ASK ny####nkhhmioqf.ms
- DNS ASK cd####xidbggm.ki
- DNS ASK vp#####ksdkxnbidfr.ki
- DNS ASK va###lahspv.im
- DNS ASK ko#####bmwlrwovjssj.nf
- DNS ASK cl######dkxmhbcjfmyugaw.ms
- DNS ASK tj######lxwkpbfgsiobrqjo.la
- DNS ASK vh####ucpwmoc.sh
- DNS ASK lq###knghwfb.cc
- DNS ASK sf######rqocfqkbtdxeiaj.cc
- DNS ASK gx#####gbhfyisvsmmk.so
- DNS ASK ol######lencshapoeoovmc.mu
- DNS ASK uw####pdodeojq.mu
- DNS ASK tu####jlxnbdrxl.jp
- DNS ASK cn######ilkljumljaudxo.ki
- DNS ASK so#######gsvqynsyssvuxxqp.cc
- DNS ASK ky#####msptgowyfvw.ac
- DNS ASK ye####dnncoky.nf
- DNS ASK ob####wvexywvtlk.tj
- DNS ASK ex####lvdwlqysu.sh
- DNS ASK eo###wvipxr.la
- DNS ASK ta######jvinxdapeusxbibl.sc
- DNS ASK ut#####hyueahotgbk.ac
- DNS ASK xy####irjyyntwa.cc
- DNS ASK mh######dglrtogphucbbxnn.nf
- DNS ASK ne####anwmaxu.ki
- DNS ASK at#####atdfiddtlh.cm
- DNS ASK id###jtpnbmt.nu
- DNS ASK vh###oesvdqd.im
- DNS ASK lw######sqjmaomgbrkghnpb.ac
- DNS ASK cl#####npyvamllgnu.ki
- DNS ASK jw#######qkkdnvyfonysbbhj.jp
- DNS ASK vj###eokpw.nu
- DNS ASK nw#####ovgqkqhudko.mu
- DNS ASK ys######blaproylthkiai.nf
- DNS ASK ko######ljicrlokcpdid.sc
- DNS ASK wl###xuctubi.tj
- DNS ASK ro#####anlhdyracmxi.im
- DNS ASK rm######gnooqeqjajqgve.nu
- DNS ASK en######krlsfsqpjrfrd.cx
- DNS ASK np####benqndacux.so
- DNS ASK ea####xuemgdqpyp.tj
- DNS ASK lp#####evfawnhyjn.tw
- DNS ASK ji#####xpnvlmlxuqjac.nf
- DNS ASK ix######kvfjytfadqgev.so
- DNS ASK gg###lsvcdog.sh
- DNS ASK gf######bdkorurbqmygjwe.so
- DNS ASK iw#####ppyiafoote.so
- DNS ASK ol######yemvecweilbyky.ac
- DNS ASK ja######ggbtskryabkcx.ms
- DNS ASK ug###sospxij.in
- DNS ASK ji####hpaqgyn.com
- DNS ASK fa###ook.com
- DNS ASK as####pqbawoylp.com
- DNS ASK wx####iofpfs.com
- DNS ASK microsoft.com
- DNS ASK dk###grggt.com
- DNS ASK ur###rdkwkj.com
- DNS ASK wx#####idqhgvlndaxe.ac
- DNS ASK gu####lmxlvwn.sh
- DNS ASK rw#####uilkkvofanb.nf
- DNS ASK rg###kbbhvcc.so
- DNS ASK pp####xsdyerhf.com
- DNS ASK we####lcdbezsg.com
- DNS ASK cr###bhnhzg.com
- DNS ASK da####nmbtesug.so
- DNS ASK jj#####vivlwfjsklt.mn
- DNS ASK hg####phbwfops.nu
- DNS ASK bv#####vjexpltqtito.ms
- DNS ASK sl######pqjlaehpkfalw.ac
- DNS ASK bw#####thndyeboio.nf
- DNS ASK wg#####wqokxkcffkx.cx
- DNS ASK ud#####nwofvnvtgado.mn
- DNS ASK yf######ndcikpvyvxwlb.jp
- DNS ASK lv###igxitpy.nu
- DNS ASK kw###kepbb.nf
- DNS ASK nm#####sllqeonfds.ac
- DNS ASK iq#####twihoglxlesp.cm
- DNS ASK ep###ocopr.cc
- DNS ASK vk#####qitdyyhunq.ki
- DNS ASK ou#####xgatrboqjoxpu.tj
- DNS ASK rk####hoaooypbu.tj
- DNS ASK hc####dooylncrr.tj
- DNS ASK tj#####qevjsessrfb.ac
- DNS ASK if######qwlrgnjbxmlbnlca.so
- DNS ASK ik####dwvwjhwd.ac
- DNS ASK ks####ufulnije.ac
- DNS ASK bq####xyuihnjiex.ms
- DNS ASK tt####feamjvkuh.ki
- DNS ASK lm####nfbvcnk.ac
- DNS ASK pq###jvfgwcv.sc
- DNS ASK yj#####qwpuablrxnf.la
- DNS ASK de###qbsmc.tj
