Trojan.DownLoader6.38696

Техническая информация

Для обеспечения автозапуска и распространения:

Модифицирует следующие ключи реестра:

[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001] 'LibraryPath' = 'mswsock.dll'
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003] 'LibraryPath' = 'mswsock.dll'
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008] 'PackedCatalogItem' = ''

Создает следующие сервисы:

[<HKLM>\SYSTEM\ControlSet001\Services\.mrxsmb] 'ImagePath' = '\*'

Вредоносные функции:

Внедряет код в

следующие системные процессы:

<SYSTEM32>\winlogon.exe
%WINDIR%\Explorer.EXE

Изменения в файловой системе:

Создает следующие файлы:

%WINDIR%\$NtUninstallKB27979$\4121336045\cfg.ini
%WINDIR%\$NtUninstallKB27979$\4121336045\@
%WINDIR%\$NtUninstallKB27979$\4121336045\Desktop.ini
%WINDIR%\$NtUninstallKB27979$\4121336045\L\alehhooo

Самоудаляется.

Сетевая активность:

Подключается к:

'24.##2.66.82':34354
'10#.#96.191.62':34354
'17#.#1.194.126':34354
'12.##6.160.47':34354
'70.##2.215.48':34354
'18#.#6.225.213':34354
'24.#.199.171':34354
'68.##7.162.87':34354
'99.##1.141.41':34354
'76.##.152.23':34354
'67.##0.138.210':34354
'68.#7.57.82':34354
'75.##0.95.87':34354
'19#.#53.211.8':34354
'71.##.14.201':34354
'50.##6.97.54':34354
'24.##7.50.154':34354
'50.#1.27.99':34354
'18#.#42.55.118':34354
'98.##6.124.124':34354
'68.##4.19.179':34354
'12.##1.197.59':34354
'89.##.105.113':34354
'68.##9.53.202':34354
'76.##7.192.192':34354
'18#.#8.199.4':34354
'17#.#0.239.154':34354
'76.##3.21.247':34354
'24.##4.169.219':34354
'17#.#37.139.30':34354
'17#.#3.156.87':34354
'85.#4.83.3':34354
'20#.4.111.3':34354
'66.##9.36.56':34354
'95.##.228.178':34354
'93.#5.33.70':34354
'98.##8.141.23':34354
'69.##2.101.170':34354
'84.##1.40.196':34354
'10#.#05.233.84':34354
'71.##9.171.20':34354
'24.##.173.178':34354
'17#.8.3.191':34354
'17#.#1.103.139':34354
'68.##.151.37':34354
'2.###.216.246':34354
'17#.#8.109.168':34354
'72.##5.254.88':34354
'98.##2.211.22':34354
'81.##4.196.35':34354
'65.##.148.224':34354
'12#.#06.138.155':34354
'24.##5.218.8':34354
'50.##.225.116':34354
'95.##.188.182':34354
'72.#0.59.3':34354
'72.##0.12.195':34354
'74.##9.37.78':34354
'17#.#.31.120':34354
'68.#2.68.66':34354
'63.##6.254.187':34354
'72.##9.244.242':34354
'67.#1.93.47':34354
'70.##6.154.30':34354
'71.#26.9.21':34354
'65.#7.168.4':34354
'75.##1.27.169':34354
'88.##5.193.66':34354
'68.##.34.111':34354
'18#.#61.23.236':34354
'98.##7.192.224':34354
'24.#0.5.231':34354
'98.##5.144.220':34354
'24.##.103.134':34354
'80.#.248.215':34354
'99.##.82.102':34354
'87.##.91.102':34354
'68.##6.242.102':34354
'74.##.201.118':34354
'24.#8.52.24':34354
'24.##.58.215':34354
'61.##3.142.33':34354
'96.#1.39.26':34354
'71.##.104.142':34354
'76.##1.86.251':34354
'98.##1.43.254':34354
'78.##0.57.169':34354
'70.##9.78.26':34354
'67.##5.4.110':34354
'74.##.39.121':34354
'18#.#8.128.242':34354
'59.##8.49.146':34354
'18#.#7.90.245':34354
'17#.#9.130.224':34354
'72.##2.32.148':34354
'17#.#.38.104':34354
'84.##1.150.82':34354
'79.##8.38.45':34354
'66.##.235.72':34354
'11#.#01.108.82':34354
'70.#0.242.2':34354
'75.##8.163.186':34354
'75.##.116.197':34354
'75.##.143.197':34354
'76.##7.146.181':34354
'15#.#53.105.70':34354
'98.##8.66.59':34354
'17#.#6.106.57':34354
'68.#3.6.79':34354
'67.##.159.81':34354
'75.##3.130.53':34354
'98.#8.84.51':34354
'76.##9.21.166':34354
'15#.#24.149.190':34354
'72.##5.89.249':34354
'68.#.127.32':34354
'98.##4.204.122':34354
'67.##8.104.166':34354
'97.##.182.100':34354
'24.##.114.214':34354
'10#.#85.48.210':34354
'95.#50.4.40':34354
'11#.#46.95.207':34354
'18#.#1.91.67':34354
'75.##.31.212':34354
'76.##6.243.33':34354
'69.#34.9.92':34354
'24.##8.173.92':34354
'46.##.151.98':34354
'18#.#8.122.249':34354
'68.##.10.132':34354
'12.##7.53.210':34354
'71.##7.96.252':34354
'95.#8.49.0':34354
'18#.#79.217.216':34354
'86.##4.219.241':34354
'50.#35.61.2':34354
'75.##6.131.48':34354
'22#.#24.243.3':34354
'92.##4.161.196':34354
'74.##4.71.251':34354
'91.##8.37.205':34354
'74.##.150.253':34354
'69.##4.115.35':34354
'17#.#18.179.134':34354
'20#.#5.122.132':34354
'76.##.121.188':34354
'78.##.120.78':34354
'76.##.196.121':34354
'24.##8.208.211':34354
'24.##.136.58':34354
'76.##8.168.128':34354
'50.##3.83.156':34354
'68.##1.215.60':34354
'76.##.15.206':34354
'20#.#4.39.238':34354
'79.##9.33.184':34354
'10#.#2.201.155':34354
'66.##5.202.194':34354
'76.##1.151.3':34354
'95.##.22.183':34354
'98.#5.32.12':34354
'80.##5.92.41':34354
'17#.#58.112.160':34354
'72.##1.54.42':34354
'66.##0.35.204':34354
'79.##8.91.34':34354
'15#.#81.162.1':34354
'72.##3.86.23':34354
'24.##6.64.225':34354
'15#.#81.153.195':34354
'localhost':80
'75.##5.132.27':34354
'11#.#3.31.102':34354
'18#.#81.100.119':34354
'12#.#44.82.89':34354
'75.##.11.170':34354
'72.##0.7.200':34354
'10#.#30.183.98':34354
'98.##2.83.162':34354
'18#.#46.230.237':34354
'67.##2.188.173':34354
'62.#4.60.43':34354
'61.##0.53.213':34354
'70.##1.245.11':34354
'85.##6.29.223':34354
'71.#1.126.3':34354
'69.##0.202.121':34354
'68.##.203.216':34354
'96.##.117.86':34354
'74.##0.179.215':34354
'70.##5.234.158':34354
'21#.#31.16.94':34354
'85.##3.128.110':34354
'76.##2.124.220':34354
'11#.#2.157.178':34354
'75.##6.89.192':34354
'74.##.176.68':34354
'98.##7.74.103':34354
'66.##.21.149':34354
'75.##1.246.207':34354
'98.##5.211.134':34354
'10#.#91.164.14':34354
'69.##5.205.70':34354
'79.##6.67.183':34354
'10#.#4.126.94':34354
'98.##1.90.169':34354
'17#.#1.84.242':34354
'17#.#33.128.42':34354
'91.##4.126.101':34354
'68.##9.33.29':34354
'17#.#4.211.176':34354
'69.##4.218.90':34354
'2.###.17.129':34354
'70.##.222.120':34354
'17#.#67.3.255':34354
'70.##1.121.101':34354
'71.##9.201.43':34354
'66.##5.225.237':34354
'67.##9.33.136':34354
'17#.#45.209.250':34354
'76.##6.139.239':34354
'12.##1.185.27':34354
'67.##.41.207':34354
'68.#9.34.77':34354
'13#.#4.105.18':34354
'79.##4.166.174':34354
'24.##8.6.247':34354
'75.##9.166.123':34354
'71.##.137.123':34354
'2.##.162.214':34354
'17#.#8.155.155':34354
'17#.#22.140.120':34354
'24.##1.97.44':34354
'69.##6.32.174':34354
'19#.#7.208.66':34354
'76.##.123.28':34354
'98.##7.105.86':34354
'72.##1.131.237':34354
'94.##1.238.104':34354
'24.##.195.129':34354
'72.##4.133.137':34354
'24.#.233.171':34354
'67.##0.159.65':34354
'17#.#3.139.210':34354
'79.##.210.26':34354
'68.##2.185.105':34354
'70.##5.25.137':34354
'72.##9.158.160':34354
'82.##1.235.64':34354
'62.##.60.249':34354
'69.##8.223.15':34354
'71.##0.255.82':34354
'98.#56.28.3':34354
'71.##0.104.15':34354
'75.#9.94.27':34354
'17#.#2.254.83':34354

TCP:

Запросы HTTP GET:

iw##tthp.cn/stat2.php?&a#################
iw##tthp.cn/stat2.php?&a################

Технологии

Термины

Обучение и просвещение

Мифы

Техническая информация

Рекомендации по лечению

Демо бесплатно на 14 дней