Trojan.Carberp.2058

Техническая информация

Вредоносные функции

Для затруднения выявления своего присутствия в системе

блокирует отображение:

скрытых файлов

Внедряет код в

следующие системные процессы:

<SYSTEM32>\werfault.exe

следующие пользовательские процессы:

iexplore.exe

Перехватывает функции

в браузерах

Процесс firefox.exe, модуль wininet.dll
Процесс firefox.exe, модуль mswsock.dll
Процесс iexplore.exe, модуль mswsock.dll
Процесс iexplore.exe, модуль wininet.dll
Процесс firefox.exe, модуль nss3.dll

Изменения в файловой системе

Создает следующие файлы

%WINDIR%\g4v5nwu.dll
%WINDIR%\xuj4r\xuj4r.txt
%WINDIR%\t1nymwz56v.dll
%WINDIR%\vjz41hii2x\2ec9a0f507efb7a88b34fc48544d6d70.dll
%WINDIR%\vjz41hii2x\64cb3ff07c560bc2196b127cb11546ab.exe
%WINDIR%\vjz41hii2x\fa409fa8a1cdf94fa31fbaf2bd270b92.exe
%WINDIR%\vjz41hii2x\972ba02eedc0504d8d0b6d48118992bb.dll
%WINDIR%\syswow64\rszuww.dll
%WINDIR%\syswow64\qxsagu.dll
%WINDIR%\xuj4r\hpmgghclgbignihledekkililbigcipm\1.0.7\manifest.json
%WINDIR%\xuj4r\hpmgghclgbignihledekkililbigcipm\1.0.7\background.js
%WINDIR%\xuj4r\hpmgghclgbignihledekkililbigcipm\1.0.7\background.html
%WINDIR%\xuj4r\hpmgghclgbignihledekkililbigcipm\1.0.7\jquery.min.js
%WINDIR%\xuj4r\hpmgghclgbignihledekkililbigcipm\1.0.7\lib\content.js

Присваивает атрибут 'скрытый' для следующих файлов

%WINDIR%\g4v5nwu.dll
%WINDIR%\t1nymwz56v.dll
%WINDIR%\vjz41hii2x\2ec9a0f507efb7a88b34fc48544d6d70.dll
%WINDIR%\vjz41hii2x\f1ou3s15l.exe
%WINDIR%\vjz41hii2x\2us2th0.exe
%WINDIR%\vjz41hii2x\972ba02eedc0504d8d0b6d48118992bb.dll

Удаляет следующие файлы

%WINDIR%\t1nymwz56v.dll

Перемещает следующие файлы

%WINDIR%\vjz41hii2x\64cb3ff07c560bc2196b127cb11546ab.exe в %WINDIR%\vjz41hii2x\f1ou3s15l.exe
%WINDIR%\vjz41hii2x\fa409fa8a1cdf94fa31fbaf2bd270b92.exe в %WINDIR%\vjz41hii2x\2us2th0.exe

Самоудаляется.

Сетевая активность

Подключается к

'nq#####z.slt.cdntip.com':80

TCP

Запросы HTTP GET

http://43.##9.193.78/data/uploads/product/20200609/f81aff95f10068d42bdb64b05dcd171d.dll
http://do##.onefast.cc/cfg/cmc/sfbd.txt
http://do##.onefast.cc/pgm/mds/422ed73a26bc994c/8f6b181e9acd6089dec5e7bed571131d5ebe26b59e6ff5c664.zip
http://17#.##8.160.45:88/tongji.php?us##################################################### via 17#.#08.160.45
http://st##.#ei163.com:680/api/index/index?st################################################################################ via st##.fei163.com
http://do##.onefast.cc/cfg/cmc/b2.txt
http://do##.onefast.cc/cfg/cmc/qzpass.txt
http://do##.onefast.cc/cfg/cmc/slfdm.txt
http://pl##.mu-pay.com/seo06.dll
http://12#.#12.254.170/web/wow/liu_admin10021_fm.txt
http://pl##.mu-pay.com/360.dll
http://12#.#12.254.170/web/wow/liu_fm_NCadmin10021.txt
http://do##.onefast.cc/pgm/mds/c1c6e537fb3295c8/2478b1c7bf2a8bfcdb765744c8f3a9d5703f5031721f796564.zip
http://li##.baidu.com/jquery/2.1.4/jquery.min.js
http://do##.onefast.cc/pgm/mds/05631e93ccdb00ee/f79e9e12124babd5dcd4bbe446c7802993a2c4a90c52d44a64.zip
http://11#.#29.33.201/report.php?ty##############################################################################################################################################################...
http://do##.onefast.cc/cfg/pub/ps.json
http://td.##-pay.com/getPlugList.php?ap###########################################
http://do##.onefast.cc/cfg/pub/ms.json
http://do##.onefast.cc/cfg/user/c995ec7fd4f57c0d/e4e4c015c7a7df4c.json
http://43.##9.193.78/data/uploads/product/20200518/ef1b4584c80b3b8ff36f233fb52a03e4.dll
http://cd#.#oluobl.cn/appi/appi/ren004
http://sp#.#aidu.com/8aQDcjqpAAV3otqbppnN2DJv/api.php?qu##############################################################
http://ap##.#ame.qq.com/comm-htdocs/ip/get_ip.php
http://43.##9.193.78/data/uploads/product/3/dac41a150f406ff988a75f64b27abbf1.exe
http://do##.onefast.cc/pgm/mpr/c995ec7fd4f57c0d/e4e4c015c7a7df4c.zip
http://43.##9.193.78/data/uploads/product/20200610/d8f19ac4730c23f121fc0dd414ca2aed.exe
http://12#.#12.254.170/web/wow/install.php?ma#################################
http://do##.onefast.cc/cfg/cmc/chct.txt

Запросы HTTP POST

http://10#.#4.242.6/?c=###################
http://td.##-pay.com/UpdateClient.php
http://63.##1.246.178/101345/seoc.txt

'gs##g8.com':62282

'43.##9.193.78':10240

'sp#.#aidu.com':443

UDP

DNS ASK li##.baidu.com
DNS ASK ba##u.com
DNS ASK se.##r2g4e.top
DNS ASK nm#####.hjkl45678.xyz
DNS ASK st##.fei163.com
DNS ASK se.##nfke.top
DNS ASK dg###yjsd.top
DNS ASK 9i#5.cn
DNS ASK cl####.vbnm34567.xyz
DNS ASK pl##.mu-pay.com
DNS ASK sp#.#aidu.com
DNS ASK ap##.#ame.qq.com
DNS ASK to##skfyjr
DNS ASK cd#.#oluobl.cn
DNS ASK nq#####z.slt.cdntip.com
DNS ASK do##.####ast.cc.cdn.dnsv1.com
DNS ASK td.##-pay.com
DNS ASK gs##g8.com
DNS ASK do##.onefast.cc
'<LOCALNET>.40.178':10741
'<LOCALNET>.40.171':47324
'<LOCALNET>.40.177':55322
'<LOCALNET>.40.166':64266
'<LOCALNET>.40.167':60203
'<LOCALNET>.40.169':12890
'<LOCALNET>.40.173':39070
'<LOCALNET>.40.168':16953
'<LOCALNET>.40.172':35007
'<LOCALNET>.40.174':59513
'<LOCALNET>.40.175':63576
'<LOCALNET>.40.155':40506
'<LOCALNET>.40.170':43261
'<LOCALNET>.40.188':14795
'<LOCALNET>.40.189':10730
'<LOCALNET>.40.182':39041
'<LOCALNET>.40.183':34976
'<LOCALNET>.40.184':63559
'<LOCALNET>.40.185':59494
'<LOCALNET>.40.186':55301
'<LOCALNET>.40.187':51236
'<LOCALNET>.40.165':52073
'<LOCALNET>.40.176':51259
'<LOCALNET>.40.190':35826
'<LOCALNET>.40.191':39891
'<LOCALNET>.40.192':43952
'<LOCALNET>.40.179':14804
'<LOCALNET>.40.180':47299
'<LOCALNET>.40.181':43234
'<LOCALNET>.40.164':56136
'<LOCALNET>.40.158':20375
'<LOCALNET>.40.203':22617
'<LOCALNET>.40.137':15443
'<LOCALNET>.40.138':58673
'<LOCALNET>.40.139':62736
'<LOCALNET>.40.140':64942
'<LOCALNET>.40.141':60815
'<LOCALNET>.40.142':56812
'<LOCALNET>.40.143':52685
'<LOCALNET>.40.144':48426
'<LOCALNET>.40.145':44299
'<LOCALNET>.40.146':40296
'<LOCALNET>.40.147':36169
'<LOCALNET>.40.148':31910
'<LOCALNET>.40.135':13468
'<LOCALNET>.40.162':48014
'<LOCALNET>.40.149':27783
'<LOCALNET>.40.152':61149
'<LOCALNET>.40.153':65276
'<LOCALNET>.40.154':36379
'<LOCALNET>.40.193':48017
'<LOCALNET>.40.156':44633
'<LOCALNET>.40.157':48760
'<LOCALNET>.40.196':60212
'<LOCALNET>.40.159':24502
'<LOCALNET>.40.160':39884
'<LOCALNET>.40.161':35821
'<LOCALNET>.40.163':43951
'<LOCALNET>.40.194':52086
'<LOCALNET>.40.150':52895
'<LOCALNET>.40.151':57022
'<LOCALNET>.40.229':40817
'<LOCALNET>.40.208':59698
'<LOCALNET>.40.201':30747
'<LOCALNET>.40.232':17568
'<LOCALNET>.40.233':13439
'<LOCALNET>.40.234':32237
'<LOCALNET>.40.235':28108
'<LOCALNET>.40.236':23983
'<LOCALNET>.40.237':19854
'<LOCALNET>.40.238':48225
'<LOCALNET>.40.239':44096
'<LOCALNET>.40.240':42238
'<LOCALNET>.40.241':46303
'<LOCALNET>.40.242':33980
'<LOCALNET>.40.243':38045
'<LOCALNET>.40.244':58490
'<LOCALNET>.40.231':11592
'<LOCALNET>.40.245':62555
'<LOCALNET>.40.247':54297
'<LOCALNET>.40.248':19819
'<LOCALNET>.40.249':13783
'<LOCALNET>.40.250':38863
'<LOCALNET>.40.251':34798
'<LOCALNET>.40.252':46989
'<LOCALNET>.40.253':42924
'<LOCALNET>.40.254':55115
'23#.#23.112.211':39567
'<LOCALNET>.40.228':36688
'<LOCALNET>.40.227':32447
'<LOCALNET>.40.226':28318
'<LOCALNET>.40.225':24317
'<LOCALNET>.40.246':50232
'<LOCALNET>.40.230':15721
'<LOCALNET>.40.197':64277
'<LOCALNET>.40.199':16976
'<LOCALNET>.40.202':18552
'<LOCALNET>.40.134':19506
'<LOCALNET>.40.204':10430
'<LOCALNET>.40.205':14495
'<LOCALNET>.40.206':12401
'<LOCALNET>.40.207':16466
'<LOCALNET>.40.136':11380
'<LOCALNET>.40.209':63763
'<LOCALNET>.40.195':56151
'<LOCALNET>.40.210':23307
'<LOCALNET>.40.212':31561
'<LOCALNET>.40.213':27496
'<LOCALNET>.40.200':26682
'<LOCALNET>.40.198':12911
'<LOCALNET>.40.214':17156
'<LOCALNET>.40.217':11244
'<LOCALNET>.40.218':55811
'<LOCALNET>.40.219':51746
'<LOCALNET>.40.220':13773
'<LOCALNET>.40.98':61894
'<LOCALNET>.40.222':11802
'<LOCALNET>.40.223':15931
'<LOCALNET>.40.224':20188
'<LOCALNET>.40.211':19242
'<LOCALNET>.40.133':21594
'<LOCALNET>.40.127':10223
'<LOCALNET>.40.131':29720
'<LOCALNET>.40.215':13091
'<LOCALNET>.40.216':15309
'<LOCALNET>.40.35':53152
'<LOCALNET>.40.124':16129
'<LOCALNET>.40.37':61410
'<LOCALNET>.40.39':13729
'<LOCALNET>.40.40':11783
'<LOCALNET>.40.41':15912
'<LOCALNET>.40.42':20037
'<LOCALNET>.40.43':14065
'<LOCALNET>.40.44':17942
'<LOCALNET>.40.45':22071
'<LOCALNET>.40.46':26196
'<LOCALNET>.40.47':30325
'<LOCALNET>.40.48':34714
'<LOCALNET>.40.49':38843
'<LOCALNET>.40.50':13731
'<LOCALNET>.40.51':19703
'<LOCALNET>.40.31':36644
'<LOCALNET>.40.1':24170
'<LOCALNET>.40.54':29991
'<LOCALNET>.40.55':25862
'<LOCALNET>.40.56':21861
'<LOCALNET>.40.57':17732
'<LOCALNET>.40.58':46251
'<LOCALNET>.40.59':42122
'<LOCALNET>.40.65':12373
'<LOCALNET>.40.61':28881
'<LOCALNET>.40.62':16562
'<LOCALNET>.40.63':20627
'<LOCALNET>.40.34':57217
'<LOCALNET>.40.64':18409
'<LOCALNET>.40.33':44902
'<LOCALNET>.40.52':15702
'<LOCALNET>.40.53':11573
'<LOCALNET>.40.60':24816
'<LOCALNET>.40.18':30831
'<LOCALNET>.40.15':43458
'<LOCALNET>.40.14':47587
'<LOCALNET>.40.13':51460
'<LOCALNET>.40.12':55589
'<LOCALNET>.40.11':59718
'<LOCALNET>.40.10':63847
'<LOCALNET>.40.6':11917
'<LOCALNET>.40.8':53059
'<LOCALNET>.40.7':16044
'<LOCALNET>.40.5':18019
'<LOCALNET>.40.4':13892
'<LOCALNET>.40.16':39329
'<LOCALNET>.40.9':57186
'<LOCALNET>.40.2':28169
'<LOCALNET>.40.17':35200
'<LOCALNET>.40.19':26702
'<LOCALNET>.40.20':44084
'<LOCALNET>.40.21':48149
'<LOCALNET>.40.22':35958
'<LOCALNET>.40.23':40023
'<LOCALNET>.40.25':64657
'<LOCALNET>.40.26':52466
'<LOCALNET>.40.3':32296
'<LOCALNET>.40.28':11580
'<LOCALNET>.40.29':15645
'<LOCALNET>.40.30':40709
'<LOCALNET>.40.32':48967
'<LOCALNET>.40.132':17531
'<LOCALNET>.40.27':56531
'<LOCALNET>.40.67':14220
'<LOCALNET>.40.109':41027
'<LOCALNET>.40.102':14493
'<LOCALNET>.40.104':29166
'<LOCALNET>.40.105':25039
'<LOCALNET>.40.106':20908
'<LOCALNET>.40.107':16781
'<LOCALNET>.40.108':45154
'<LOCALNET>.40.38':17794
'<LOCALNET>.40.110':10704
'<LOCALNET>.40.111':14831
'<LOCALNET>.40.112':18830
'<LOCALNET>.40.113':12856
'<LOCALNET>.40.114':17119
'<LOCALNET>.40.115':21246
'<LOCALNET>.40.99':57831
'<LOCALNET>.40.103':10366
'<LOCALNET>.40.116':25245
'<LOCALNET>.40.119':37746
'<LOCALNET>.40.120':22280
'<LOCALNET>.40.121':18217
'<LOCALNET>.40.122':30538
'<LOCALNET>.40.123':26475
'<LOCALNET>.40.36':65475
'<LOCALNET>.40.125':12066
'<LOCALNET>.40.126':14286
'<LOCALNET>.40.128':54784
'<LOCALNET>.40.129':50721
'<LOCALNET>.40.130':25657
'<LOCALNET>.40.100':12650
'<LOCALNET>.40.117':29372
'<LOCALNET>.40.118':33619
'<LOCALNET>.40.66':10155
'<LOCALNET>.40.97':10142
'<LOCALNET>.40.101':18624
'<LOCALNET>.40.69':61913
'<LOCALNET>.40.70':21441
'<LOCALNET>.40.71':17376
'<LOCALNET>.40.72':29571
'<LOCALNET>.40.73':25506
'<LOCALNET>.40.74':15034
'<LOCALNET>.40.75':10969
'<LOCALNET>.40.76':13063
'<LOCALNET>.40.77':19099
'<LOCALNET>.40.78':53961
'<LOCALNET>.40.79':49896
'<LOCALNET>.40.80':17407
'<LOCALNET>.40.81':21470
'<LOCALNET>.40.68':57848
'<LOCALNET>.40.82':25533
'<LOCALNET>.40.84':10992
'<LOCALNET>.40.85':15055
'<LOCALNET>.40.86':19118
'<LOCALNET>.40.87':13080
'<LOCALNET>.40.88':49911
'<LOCALNET>.40.89':53974
'<LOCALNET>.40.90':28878
'<LOCALNET>.40.91':24815
'<LOCALNET>.40.92':20620
'<LOCALNET>.40.93':16557
'<LOCALNET>.40.94':12362
'<LOCALNET>.40.95':18400
'<LOCALNET>.40.96':14205
'<LOCALNET>.40.83':29596
'<LOCALNET>.40.221':17902
'255.255.255.255':3779

Другое

Добавляет корневой сертификат

Ищет следующие окна

ClassName: 'ProgMan' WindowName: ''
ClassName: 'SHELLDLL_DefView' WindowName: ''
ClassName: 'SysListView32' WindowName: ''

Создает и запускает на исполнение

'%WINDIR%\vjz41hii2x\f1ou3s15l.exe'
'%WINDIR%\vjz41hii2x\2us2th0.exe'
'%WINDIR%\t1nymwz56v.dll'
'<SYSTEM32>\ipconfig.exe' /flushdns' (со скрытым окном)
'%WINDIR%\syswow64\cmd.exe' /c del /Q /F "%WINDIR%\VJz41hIi2X\F1oU3s15l.exe"' (со скрытым окном)

Запускает на исполнение

'<SYSTEM32>\svchost.exe'
'<SYSTEM32>\ipconfig.exe' /flushdns
'%WINDIR%\syswow64\svchost.exe'
'<SYSTEM32>\rdpclip.exe'
'<SYSTEM32>\rundll32.exe' <SYSTEM32>\FirewallControlPanel.dll,ShowNotificationDialog /configure /ETOnly 0 /OnProfiles 6 /OtherAllowed 0 /OtherBlocked 0 /OtherEdgeAllowed 0 /NewBlocked 4 "%WINDIR%\explorer.exe"
'%WINDIR%\syswow64\cmd.exe' /c del /Q /F "%WINDIR%\VJz41hIi2X\F1oU3s15l.exe"

Технологии

Термины

Обучение и просвещение

Мифы

Техническая информация

Рекомендации по лечению

Демо бесплатно на 14 дней