Техническая информация
Для обеспечения автозапуска и распространения
Создает следующие сервисы
- [<HKLM>\System\CurrentControlSet\Services\dump_viochange] 'ImagePath' = '<DRIVERS>\dump_viochange.sys'
- [<HKLM>\System\CurrentControlSet\Services\wlwgqeggzj] 'ImagePath' = '<DRIVERS>\jcv6D8r.sys'
- [<HKLM>\System\CurrentControlSet\Services\EA8qO6gA1pE2iA9w] 'ImagePath' = '<SYSTEM32>\NhpWvs.sys'
Вредоносные функции
Внедряет код в
следующие системные процессы:
- <SYSTEM32>\winlogon.exe
Изменяет следующие настройки браузера Windows Internet Explorer
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings] 'ProxyServer' = ''
Изменения в файловой системе
Создает следующие файлы
- %TEMP%\qukcuvce\svchost.exe
- %TEMP%\diomdvil\b.dll
- %TEMP%\diomdvil\tc.dll
- %TEMP%\diomdvil\cq.dll
- %TEMP%\diomdvil\ren010.exe
- %WINDIR%\xtrunxa.dll
- <DRIVERS>\dump_viochange.sys
- %PROGRAMDATA%\rekeywiz.exe
- <DRIVERS>\jcv6d8r.sys
- <SYSTEM32>\nhpwvs.sys
- <SYSTEM32>\g2qm63qc.tmp
- <SYSTEM32>\catroot\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\on1x489v.cat
- %WINDIR%\temp\udd1ae2.tmp
Присваивает атрибут 'скрытый' для следующих файлов
- <SYSTEM32>\catroot\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\on1x489v.cat
Удаляет следующие файлы
- <DRIVERS>\jcv6d8r.sys
- %TEMP%\diomdvil\ren010.exe
- <SYSTEM32>\g2qm63qc.tmp
- %WINDIR%\temp\udd1ae2.tmp
- <SYSTEM32>\nhpwvs.sys
- <SYSTEM32>\catroot\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\on1x489v.cat
Подменяет следующие файлы
- <SYSTEM32>\nhpwvs.sys
Самоудаляется.
Сетевая активность
TCP
Запросы HTTP GET
- http://ap#.#.taobao.com/rest/api3.do?ap##########################
- http://cd#.#oluobl.cn/API/General/lsrpu
- http://11#.#29.33.201/report.php?ty##############################################################################################################################################################...
- http://tu##utd.cn/api/r/ip
- http://do##.onefast.cc/cfg/pub/ms.json
- http://cd#.#oluobl.cn/api/userconfig/uc_a0dcf3ed0637cf5693ab35b8dbcd0acf.json
- http://cd#.#oluobl.cn/API/General/shiled
- http://do##.onefast.cc/cfg/user/c995ec7fd4f57c0d/4f3d70b44eda5920.json
- http://sp#.#aidu.com/8aQDcjqpAAV3otqbppnN2DJv/api.php?qu##############################################################
- http://ap##.#ame.qq.com/comm-htdocs/ip/get_ip.php
- http://cd#.#oluobl.cn/appi/appi/ren010
- http://yo#####engine.stnts.com/v1/plug/up?ci######################################################################################################
- http://12#.#12.254.170/web/wow/liu_admin6_fm.txt
- http://12#.#12.254.170/web/wow/liu_fm_NCadmin6.txt
- http://12#.#12.254.170/web/wow/install.php?ma#############################
- http://do##.onefast.cc/pgm/mpr/c995ec7fd4f57c0d/4f3d70b44eda5920.zip
- http://cd#.#oluobl.cn/api/file/bizmoduleconfig.json?ty####
- http://cd#.#oluobl.cn/api/file/41.json?ty####
Запросы HTTP POST
- http://by#.###.bydj2019.com/checkver
- http://by#.###.bydj2019.com/downfile
- http://by#.###.bydj2019.com/zzz
- http://ds##.#oolsabc.cn/?op###############
- http://tu##utd.cn/api/r/mcm
UDP
- DNS ASK ap#.#.taobao.com
- DNS ASK ru#lmi
- DNS ASK tu##utd.cn
- DNS ASK ti##########web.qiniu.com.w.kunlunno.com
- DNS ASK ti####.##ina.line.qiniudns.com
- DNS ASK sp#.#aidu.com
- DNS ASK ap##.#ame.qq.com
- DNS ASK yo#####engine.stnts.com
- DNS ASK cl####.vbnm34567.xyz
- DNS ASK cd#.#oluobl.cn
- DNS ASK cd########l-cn-idv9fxk.qiniudns.com
- DNS ASK ds##.#oolsabc.cn
- DNS ASK nq#####z.slt.cdntip.com
- DNS ASK do##.####ast.cc.cdn.dnsv1.com
- DNS ASK id#.#cafeba.com
- DNS ASK by#.###.bydj2019.com
- DNS ASK do##.onefast.cc
- '<LOCALNET>.21.172':19483
- '<LOCALNET>.21.161':10228
- '<LOCALNET>.21.160':14293
- '<LOCALNET>.21.162':16140
- '<LOCALNET>.21.164':30545
- '<LOCALNET>.21.163':12075
- '<LOCALNET>.21.169':42748
- '<LOCALNET>.21.167':18226
- '<LOCALNET>.21.168':46813
- '<LOCALNET>.21.170':11353
- '<LOCALNET>.21.171':15418
- '<LOCALNET>.21.165':26480
- '<LOCALNET>.21.166':22291
- '<LOCALNET>.21.158':58254
- '<LOCALNET>.21.159':62383
- '<LOCALNET>.21.175':21569
- '<LOCALNET>.21.176':25634
- '<LOCALNET>.21.177':29699
- '<LOCALNET>.21.178':34284
- '<LOCALNET>.21.179':38349
- '<LOCALNET>.21.180':15439
- '<LOCALNET>.21.174':17504
- '<LOCALNET>.21.182':13464
- '<LOCALNET>.21.183':19502
- '<LOCALNET>.21.184':21598
- '<LOCALNET>.21.185':17535
- '<LOCALNET>.21.186':29724
- '<LOCALNET>.21.187':25661
- '<LOCALNET>.21.173':13447
- '<LOCALNET>.21.150':25222
- '<LOCALNET>.21.188':38354
- '<LOCALNET>.21.141':16790
- '<LOCALNET>.21.128':31257
- '<LOCALNET>.21.129':27192
- '<LOCALNET>.21.130':51232
- '<LOCALNET>.21.131':55297
- '<LOCALNET>.21.132':59490
- '<LOCALNET>.21.133':63555
- '<LOCALNET>.21.134':34980
- '<LOCALNET>.21.135':39045
- '<LOCALNET>.21.136':43238
- '<LOCALNET>.21.137':47303
- '<LOCALNET>.21.138':18728
- '<LOCALNET>.21.139':22793
- '<LOCALNET>.21.140':20919
- '<LOCALNET>.21.142':29173
- '<LOCALNET>.21.156':10677
- '<LOCALNET>.21.143':25044
- '<LOCALNET>.21.144':14504
- '<LOCALNET>.21.145':10375
- '<LOCALNET>.21.146':12657
- '<LOCALNET>.21.147':18629
- '<LOCALNET>.21.148':53439
- '<LOCALNET>.21.149':49310
- '<LOCALNET>.21.181':11376
- '<LOCALNET>.21.151':29351
- '<LOCALNET>.21.152':17092
- '<LOCALNET>.21.153':21221
- '<LOCALNET>.21.154':18807
- '<LOCALNET>.21.155':12835
- '<LOCALNET>.21.157':14806
- '<LOCALNET>.21.189':34291
- '<LOCALNET>.21.199':46786
- '<LOCALNET>.21.191':14282
- '<LOCALNET>.21.226':49799
- '<LOCALNET>.21.227':53926
- '<LOCALNET>.21.228':19134
- '<LOCALNET>.21.229':13160
- '<LOCALNET>.21.230':37232
- '<LOCALNET>.21.231':33105
- '<LOCALNET>.21.232':45362
- '<LOCALNET>.21.233':41235
- '<LOCALNET>.21.234':53748
- '<LOCALNET>.21.235':49621
- '<LOCALNET>.21.236':61878
- '<LOCALNET>.21.237':57751
- '<LOCALNET>.21.224':58053
- '<LOCALNET>.21.225':62180
- '<LOCALNET>.21.238':14317
- '<LOCALNET>.21.241':16443
- '<LOCALNET>.21.242':10405
- '<LOCALNET>.21.243':14468
- '<LOCALNET>.21.244':18531
- '<LOCALNET>.21.245':22594
- '<LOCALNET>.21.246':26657
- '<LOCALNET>.21.247':30720
- '<LOCALNET>.21.248':35311
- '<LOCALNET>.21.249':39374
- '<LOCALNET>.21.250':15318
- '<LOCALNET>.21.251':11255
- '<LOCALNET>.21.252':17161
- '<LOCALNET>.21.239':10190
- '<LOCALNET>.21.240':12380
- '<LOCALNET>.21.223':37410
- '<LOCALNET>.21.222':33283
- '<LOCALNET>.21.221':45664
- '<LOCALNET>.21.193':16125
- '<LOCALNET>.21.194':26479
- '<LOCALNET>.21.195':30542
- '<LOCALNET>.21.196':18221
- '<LOCALNET>.21.197':22284
- '<LOCALNET>.21.127':35830
- '<LOCALNET>.21.190':10219
- '<LOCALNET>.21.200':50211
- '<LOCALNET>.21.201':54274
- '<LOCALNET>.21.202':58465
- '<LOCALNET>.21.203':62528
- '<LOCALNET>.21.204':33959
- '<LOCALNET>.21.205':38022
- '<LOCALNET>.21.192':12062
- '<LOCALNET>.21.206':42213
- '<LOCALNET>.21.208':17707
- '<LOCALNET>.21.209':21770
- '<LOCALNET>.21.210':63250
- '<LOCALNET>.21.211':59187
- '<LOCALNET>.21.212':55120
- '<LOCALNET>.21.213':51057
- '<LOCALNET>.21.214':46998
- '<LOCALNET>.21.125':43956
- '<LOCALNET>.21.216':38868
- '<LOCALNET>.21.217':34805
- '<LOCALNET>.21.218':30234
- '<LOCALNET>.21.219':26171
- '<LOCALNET>.21.220':41537
- '<LOCALNET>.21.207':46276
- '<LOCALNET>.21.198':42723
- '<LOCALNET>.21.215':42935
- '<LOCALNET>.21.119':16235
- '<LOCALNET>.21.61':19178
- '<LOCALNET>.21.31':46367
- '<LOCALNET>.21.32':34172
- '<LOCALNET>.21.33':38237
- '<LOCALNET>.21.34':58810
- '<LOCALNET>.21.35':62875
- '<LOCALNET>.21.36':50680
- '<LOCALNET>.21.37':54745
- '<LOCALNET>.21.38':19371
- '<LOCALNET>.21.39':13335
- '<LOCALNET>.21.40':15529
- '<LOCALNET>.21.41':11400
- '<LOCALNET>.21.42':17504
- '<LOCALNET>.21.43':13375
- '<LOCALNET>.21.45':27660
- '<LOCALNET>.21.59':40625
- '<LOCALNET>.21.46':23663
- '<LOCALNET>.21.47':19534
- '<LOCALNET>.21.48':48545
- '<LOCALNET>.21.49':44416
- '<LOCALNET>.21.50':14093
- '<LOCALNET>.21.51':18222
- '<LOCALNET>.21.52':12250
- '<LOCALNET>.21.12':58142
- '<LOCALNET>.21.54':20252
- '<LOCALNET>.21.55':24381
- '<LOCALNET>.21.56':28510
- '<LOCALNET>.21.57':32639
- '<LOCALNET>.21.58':36496
- '<LOCALNET>.21.30':42302
- '<LOCALNET>.21.44':31789
- '<LOCALNET>.21.53':16379
- '<LOCALNET>.21.11':54141
- '<LOCALNET>.21.9':33251
- '<LOCALNET>.21.8':37314
- '<LOCALNET>.21.7':24621
- '<LOCALNET>.21.6':28684
- '<LOCALNET>.21.5':16495
- '<LOCALNET>.21.4':20558
- '<LOCALNET>.21.24':55149
- '<LOCALNET>.21.2':12424
- '<LOCALNET>.21.1':10336
- '255.255.255.255':32455
- '255.255.255.255':56003
- '<LOCALNET>.21.10':50012
- '<LOCALNET>.21.3':18462
- '<LOCALNET>.21.29':11931
- '<LOCALNET>.21.28':15996
- '<LOCALNET>.21.13':62271
- '<LOCALNET>.21.14':33752
- '<LOCALNET>.21.15':37881
- '<LOCALNET>.21.16':41882
- '<LOCALNET>.21.17':46011
- '<LOCALNET>.21.18':16980
- '<LOCALNET>.21.27':59112
- '<LOCALNET>.21.20':38415
- '<LOCALNET>.21.21':34350
- '<LOCALNET>.21.22':46669
- '<LOCALNET>.21.23':42604
- '<LOCALNET>.21.25':50858
- '<LOCALNET>.21.26':63177
- '<LOCALNET>.21.19':21109
- '<LOCALNET>.21.60':23243
- '<LOCALNET>.21.102':48433
- '<LOCALNET>.21.62':31369
- '<LOCALNET>.21.97':14866
- '<LOCALNET>.21.98':52221
- '<LOCALNET>.21.99':56284
- '<LOCALNET>.21.100':40307
- '<LOCALNET>.21.101':36178
- '<LOCALNET>.21.124':48021
- '<LOCALNET>.21.103':44304
- '<LOCALNET>.21.104':56823
- '<LOCALNET>.21.105':52694
- '<LOCALNET>.21.106':64949
- '<LOCALNET>.21.107':60820
- '<LOCALNET>.21.108':17392
- '<LOCALNET>.21.95':16837
- '<LOCALNET>.21.96':10803
- '<LOCALNET>.21.109':13263
- '<LOCALNET>.21.112':36352
- '<LOCALNET>.21.113':40481
- '<LOCALNET>.21.114':61126
- '<LOCALNET>.21.115':65255
- '<LOCALNET>.21.116':52868
- '<LOCALNET>.21.117':56997
- '<LOCALNET>.21.253':13098
- '<LOCALNET>.21.126':39895
- '<LOCALNET>.21.120':64273
- '<LOCALNET>.21.121':60208
- '<LOCALNET>.21.122':56147
- '<LOCALNET>.21.123':52082
- '<LOCALNET>.21.110':44610
- '<LOCALNET>.21.111':48739
- '<LOCALNET>.21.94':12774
- '<LOCALNET>.21.93':31382
- '<LOCALNET>.21.92':27319
- '<LOCALNET>.21.64':16836
- '<LOCALNET>.21.65':12771
- '<LOCALNET>.21.66':14861
- '<LOCALNET>.21.67':10796
- '<LOCALNET>.21.68':56259
- '<LOCALNET>.21.69':52194
- '<LOCALNET>.21.70':27130
- '<LOCALNET>.21.71':31195
- '<LOCALNET>.21.72':18872
- '<LOCALNET>.21.73':22937
- '<LOCALNET>.21.74':10622
- '<LOCALNET>.21.75':14687
- '<LOCALNET>.21.76':12465
- '<LOCALNET>.21.63':27304
- '<LOCALNET>.21.77':16530
- '<LOCALNET>.21.79':63699
- '<LOCALNET>.21.80':31172
- '<LOCALNET>.21.81':27109
- '<LOCALNET>.21.82':22918
- '<LOCALNET>.21.83':18855
- '<LOCALNET>.21.84':14656
- '<LOCALNET>.21.85':10593
- '<LOCALNET>.21.86':16503
- '<LOCALNET>.21.87':12440
- '<LOCALNET>.21.88':63692
- '<LOCALNET>.21.89':59629
- '<LOCALNET>.21.90':19189
- '<LOCALNET>.21.91':23252
- '<LOCALNET>.21.78':59634
- '<LOCALNET>.21.118':12106
- '<LOCALNET>.21.254':31570
Другое
Ищет следующие окна
- ClassName: 'ProgMan' WindowName: ''
- ClassName: 'SHELLDLL_DefView' WindowName: ''
- ClassName: 'SysListView32' WindowName: ''
Создает и запускает на исполнение
- '%TEMP%\qukcuvce\svchost.exe' -k
- '%TEMP%\diomdvil\ren010.exe'
- '%PROGRAMDATA%\rekeywiz.exe'
- '<SYSTEM32>\ipconfig.exe' /flushdns' (со скрытым окном)
- '%WINDIR%\syswow64\cmd.exe' /c del /Q /F "%TEMP%\DIomDVil\ren010.exe"' (со скрытым окном)
Запускает на исполнение
- '<SYSTEM32>\rundll32.exe' <SYSTEM32>\FirewallControlPanel.dll,ShowNotificationDialog /configure /ETOnly 0 /OnProfiles 6 /OtherAllowed 0 /OtherBlocked 0 /OtherEdgeAllowed 0 /NewBlocked 4 "%TEMP%\qukcuvce\svchost.exe"
- '<SYSTEM32>\rundll32.exe' <SYSTEM32>\FirewallControlPanel.dll,ShowNotificationDialog /configure /ETOnly 0 /OnProfiles 6 /OtherAllowed 0 /OtherBlocked 0 /OtherEdgeAllowed 0 /NewBlocked 4 "%WINDIR%\explorer.exe"
- '<SYSTEM32>\recdisc.exe'
- '<SYSTEM32>\ipconfig.exe' /flushdns
- '%WINDIR%\syswow64\cmd.exe' /c del /Q /F "%TEMP%\DIomDVil\ren010.exe"
- '<SYSTEM32>\rundll32.exe' <SYSTEM32>\FirewallControlPanel.dll,ShowNotificationDialog /configure /ETOnly 0 /OnProfiles 6 /OtherAllowed 0 /OtherBlocked 0 /OtherEdgeAllowed 0 /NewBlocked 4 "<SYSTEM32>\dwm.exe"
