Техническая информация
Для обеспечения автозапуска и распространения
Модифицирует следующие ключи реестра
- [<HKLM>\Software\Classes\cclaunch\shell\open\command] '' = '"%ProgramFiles%\CCleaner\ccleaner.exe" /%1'
Создает или изменяет следующие файлы
- <SYSTEM32>\tasks\ccleaner update
Вредоносные функции
Запускает на исполнение
- '%WINDIR%\syswow64\netsh.exe' advfirewall firewall add rule name="CCleaner Block" program="%ProgramFiles%\CCleaner\CCleaner.exe" dir=out action=block profile=all
- '%WINDIR%\syswow64\netsh.exe' advfirewall firewall add rule name="CCleaner64 Block" program="%ProgramFiles%\CCleaner\CCleaner64.exe" dir=out action=block profile=all
Изменения в файловой системе
Создает следующие файлы
- %TEMP%\aut88aa.tmp
- %ProgramFiles%\ccleaner\lang\lang-1092.dll
- %ProgramFiles%\ccleaner\lang\lang-1090.dll
- %ProgramFiles%\ccleaner\lang\lang-1087.dll
- %ProgramFiles%\ccleaner\lang\lang-1086.dll
- %ProgramFiles%\ccleaner\lang\lang-1081.dll
- %ProgramFiles%\ccleaner\lang\lang-1071.dll
- %ProgramFiles%\ccleaner\lang\lang-1079.dll
- %ProgramFiles%\ccleaner\lang\lang-1102.dll
- %ProgramFiles%\ccleaner\lang\lang-1068.dll
- %ProgramFiles%\ccleaner\lang\lang-1066.dll
- %ProgramFiles%\ccleaner\lang\lang-1065.dll
- %ProgramFiles%\ccleaner\lang\lang-1063.dll
- %ProgramFiles%\ccleaner\lang\lang-1062.dll
- %ProgramFiles%\ccleaner\lang\lang-1061.dll
- %ProgramFiles%\ccleaner\lang\lang-1060.dll
- %ProgramFiles%\ccleaner\lang\lang-1059.dll
- %ProgramFiles%\ccleaner\lang\lang-1067.dll
- %ProgramFiles%\ccleaner\lang\lang-1104.dll
- %ProgramFiles%\ccleaner\lang\lang-1109.dll
- %ProgramFiles%\ccleaner\lang\lang-1110.dll
- %TEMP%\asw9ffe17a6f9af7dc2.tmp
- %TEMP%\asw8cd0129cab8663c3.tmp
- %ProgramFiles%\ccleaner\setup\4ae8d414-7fcc-4eae-a7ed-b6f122460cb0.dll
- %ProgramFiles%\ccleaner\setup\92625c94-3163-48ce-a00d-8d4825e43074.ini
- %ProgramFiles%\ccleaner\ccleaner.dat
- %TEMP%\aut761.tmp
- %ProgramFiles%\ccleaner\uninst.exe
- %PROGRAMDATA%\microsoft\windows\start menu\programs\ccleaner\ccleaner homepage.url
- %PROGRAMDATA%\microsoft\windows\start menu\programs\ccleaner\ccleaner.lnk
- C:\users\public\desktop\ccleaner.lnk
- %ProgramFiles%\ccleaner\lang\lang-9999.dll
- %ProgramFiles%\ccleaner\lang\lang-5146.dll
- %ProgramFiles%\ccleaner\lang\lang-3098.dll
- %ProgramFiles%\ccleaner\lang\lang-2074.dll
- %ProgramFiles%\ccleaner\lang\lang-2070.dll
- %ProgramFiles%\ccleaner\lang\lang-2052.dll
- %ProgramFiles%\ccleaner\lang\lang-1155.dll
- %ProgramFiles%\ccleaner\lang\lang-1058.dll
- %TEMP%\aswe2c469a73bd03249.tmp
- %ProgramFiles%\ccleaner\lang\lang-1057.dll
- %ProgramFiles%\ccleaner\lang\lang-1054.dll
- %ProgramFiles%\ccleaner\lang\lang-1029.dll
- %ProgramFiles%\ccleaner\lang\lang-1028.dll
- %ProgramFiles%\ccleaner\lang\lang-1027.dll
- %ProgramFiles%\ccleaner\lang\lang-1026.dll
- %ProgramFiles%\ccleaner\lang\lang-1025.dll
- %ProgramFiles%\ccleaner\branding.dll
- %ProgramFiles%\ccleaner\ccupdate.exe
- %ProgramFiles%\ccleaner\lang\lang-1030.dll
- %ProgramFiles%\ccleaner\ccleaner64.exe
- %TEMP%\nsr93f7.tmp\inetc.dll
- %TEMP%\nsr93f7.tmp\nsprocess.dll
- %TEMP%\nsr93f7.tmp\p\pfbl.dll
- %TEMP%\nsr93f7.tmp\userinfo.dll
- %TEMP%\nsr93f7.tmp\system.dll
- %TEMP%\nsl93d6.tmp
- %CommonProgramFiles(x86)%\~gnpmlsv.tmp
- %TEMP%\checkupdate.log
- %ProgramFiles%\ccleaner\lang\lang-1031.dll
- %ProgramFiles%\ccleaner\lang\lang-1032.dll
- %ProgramFiles%\ccleaner\lang\lang-1034.dll
- %ProgramFiles%\ccleaner\lang\lang-1053.dll
- %ProgramFiles%\ccleaner\lang\lang-1052.dll
- %ProgramFiles%\ccleaner\lang\lang-1051.dll
- %ProgramFiles%\ccleaner\lang\lang-1050.dll
- %ProgramFiles%\ccleaner\lang\lang-1049.dll
- %ProgramFiles%\ccleaner\lang\lang-1048.dll
- %ProgramFiles%\ccleaner\lang\lang-1046.dll
- %ProgramFiles%\ccleaner\lang\lang-1045.dll
- %ProgramFiles%\ccleaner\lang\lang-1044.dll
- %ProgramFiles%\ccleaner\lang\lang-1043.dll
- %ProgramFiles%\ccleaner\lang\lang-1042.dll
- %ProgramFiles%\ccleaner\lang\lang-1041.dll
- %ProgramFiles%\ccleaner\lang\lang-1040.dll
- %ProgramFiles%\ccleaner\lang\lang-1038.dll
- %ProgramFiles%\ccleaner\lang\lang-1037.dll
- %ProgramFiles%\ccleaner\lang\lang-1036.dll
- %ProgramFiles%\ccleaner\lang\lang-1035.dll
- %ProgramFiles%\ccleaner\lang\lang-1055.dll
- %ProgramFiles%\ccleaner\setup\eb85226e-ffb4-4212-8348-56802b180828.xml
Присваивает атрибут 'скрытый' для следующих файлов
- %CommonProgramFiles(x86)%\~gnpmlsv.tmp
Удаляет следующие файлы
- %TEMP%\aut88aa.tmp
- %TEMP%\checkupdate.log
- %TEMP%\nsr93f7.tmp\inetc.dll
- %TEMP%\nsr93f7.tmp\nsprocess.dll
- %TEMP%\nsr93f7.tmp\p\pfbl.dll
- %TEMP%\nsr93f7.tmp\system.dll
- %TEMP%\nsr93f7.tmp\userinfo.dll
- %CommonProgramFiles(x86)%\~gnpmlsv.tmp
- %TEMP%\aut761.tmp
- <SYSTEM32>\tasks\ccleaner update
- %ProgramFiles%\ccleaner\setup\92625c94-3163-48ce-a00d-8d4825e43074.ini
- %TEMP%\asw8cd0129cab8663c3.tmp
- %TEMP%\asw9ffe17a6f9af7dc2.tmp
- %TEMP%\aswe2c469a73bd03249.tmp
- %ProgramFiles%\ccleaner\setup\4ae8d414-7fcc-4eae-a7ed-b6f122460cb0.dll
- %ProgramFiles%\ccleaner\setup\eb85226e-ffb4-4212-8348-56802b180828.xml
Сетевая активность
TCP
Запросы HTTP GET
- http://se#####.piriform.com/installcheck.aspx?p=#################################################################################################################################################...
- http://ip#####.ff.avast.com/v2/info
- http://cc######.tools.avcdn.net/tools/ccleaner/update/patches.ini
- http://cc######.tools.avcdn.net/tools/ccleaner/update/20180205.dll
- http://www.go#####analytics.com/collect?v=###################################################################################################################################
- http://www.go#####analytics.com/collect?v=############################################################################################################################################
- http://www.go#####analytics.com/collect?v=########################################################################################################################################
- http://cc######.tools.avcdn.net/tools/ccleaner/update/updates.xml
- http://oc##.thawte.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQwF4prw9S7mCbCEHD%2Fyl6nWPkczAQUe1tFz6%2FOy3r9MZIaarbzRutXSFACEEeXTXhzpbyrDS%2BzcBkvzl4%3D
UDP
- DNS ASK an#####cs.ff.avast.com
- DNS ASK se#####.piriform.com
- DNS ASK sh#####d.ff.avast.com
- DNS ASK ip#####.ff.avast.com
- DNS ASK em####te.avcdn.net
- DNS ASK cc######.tools.avcdn.net
- DNS ASK go#####analytics.com
- DNS ASK oc##.thawte.com
Другое
Ищет следующие окна
- ClassName: 'PiriformRegistration' WindowName: ''
- ClassName: '#32770' WindowName: 'CCleaner'
- ClassName: '#32770' WindowName: 'Piriform CCleaner'
- ClassName: 'ThunderRT6FormDC' WindowName: 'CCleaner'
- ClassName: 'PiriformCCleaner' WindowName: ''
- ClassName: '#32770' WindowName: ''
Создает и запускает на исполнение
- '%CommonProgramFiles(x86)%\~gnpmlsv.tmp' /S /L=1055
- '%ProgramFiles%\ccleaner\ccleaner64.exe' /createSkipUAC
- '%ProgramFiles%\ccleaner\ccupdate.exe' /reg
- '%ProgramFiles%\ccleaner\ccupdate.exe' /emupdater /applydll "%ProgramFiles%\CCleaner\Setup\4ae8d414-7fcc-4eae-a7ed-b6f122460cb0.dll"
- '%WINDIR%\syswow64\cmd.exe' /c SCHTASKS /Delete /TN "CCleaner Update" /F' (со скрытым окном)
- '%WINDIR%\syswow64\cmd.exe' /c netsh advfirewall firewall add rule name="CCleaner Block" program="%ProgramFiles%\CCleaner\CCleaner.exe" dir=out action=block profile=all' (со скрытым окном)
- '%WINDIR%\syswow64\cmd.exe' /c netsh advfirewall firewall add rule name="CCleaner64 Block" program="%ProgramFiles%\CCleaner\CCleaner64.exe" dir=out action=block profile=all' (со скрытым окном)
Запускает на исполнение
- '%WINDIR%\syswow64\cmd.exe' /c SCHTASKS /Delete /TN "CCleaner Update" /F
- '%WINDIR%\syswow64\schtasks.exe' /Delete /TN "CCleaner Update" /F
- '%WINDIR%\syswow64\cmd.exe' /c netsh advfirewall firewall add rule name="CCleaner Block" program="%ProgramFiles%\CCleaner\CCleaner.exe" dir=out action=block profile=all
- '%WINDIR%\syswow64\cmd.exe' /c netsh advfirewall firewall add rule name="CCleaner64 Block" program="%ProgramFiles%\CCleaner\CCleaner64.exe" dir=out action=block profile=all
