Техническая информация
Для обеспечения автозапуска и распространения
Устанавливает следующие настройки сервисов
- [<HKLM>\System\CurrentControlSet\Services\olcowubfkcm] 'ImagePath' = '<DRIVERS>\dWQPiYf.sys'
Создает следующие сервисы
- 'olcowubfkcm' <DRIVERS>\dWQPiYf.sys
Вредоносные функции
Внедряет код в
следующие системные процессы:
- <SYSTEM32>\winlogon.exe
Читает файлы, отвечающие за хранение паролей сторонними программами
- %HOMEPATH%\desktop\dashborder_144.bmp
- %HOMEPATH%\desktop\glidescope_review_rev_010.docx
- %HOMEPATH%\desktop\applicantform_en.doc
Изменения в файловой системе
Создает следующие файлы
- <DRIVERS>\dwqpiyf.sys
Удаляет следующие файлы
- <DRIVERS>\dwqpiyf.sys
Самоудаляется.
Сетевая активность
Подключается к
- 'mp####.hjkl45678.xyz':80
- 'nq#####z.slt.cdntip.com':80
TCP
Запросы HTTP GET
- http://do##.onefast.cc/pgm/mpr/c995ec7fd4f57c0d/e4e4c015c7a7df4c.zip
- http://do##.onefast.cc/cfg/cmc/bcbd.txt
- http://do##.onefast.cc/pgm/mds/e02f10e3a7d5dc64/eb5925c644b456129ae4a2f716342f517f1b2e3ae2c1a0bb64.zip
- http://do##.onefast.cc/cfg/cmc/kfbdu.txt
- http://do##.onefast.cc/cfg/cmc/kfbd.txt
- http://do##.onefast.cc/pgm/mds/f5d2972ba2a267dd/01b52f532c849cf0a0826e6cc91a81e065f5f85f2c18615f64.zip
- http://do##.onefast.cc/cfg/cmc/sfbd.txt
- http://do##.onefast.cc/pgm/mds/422ed73a26bc994c/8f6b181e9acd608997be30b44587702c5fa71ab95043b48164.zip
- http://12#.#1.239.87/report.php?da###############################################################################################################################################################...
- http://do##.onefast.cc/cfg/cmc/b2.txt
- http://do##.onefast.cc/cfg/cmc/cpbd.txt
- http://11#.#29.33.201/report/report_data?da######################################################################################################################################################...
- http://do##.onefast.cc/cfg/cmc/slfdm.txt
- http://do##.onefast.cc/pgm/mds/05631e93ccdb00ee/f79e9e12124babd5ae7a84a082f955b00887814286eb172a64.zip
- http://11#.#29.33.201/report.php?ty##############################################################################################################################################################...
- http://do##.onefast.cc/cfg/pub/ps.json
- http://do##.onefast.cc/cfg/pub/ms.json
- http://do##.onefast.cc/cfg/user/c995ec7fd4f57c0d/e4e4c015c7a7df4c.json
- http://sp#.#aidu.com/8aQDcjqpAAV3otqbppnN2DJv/api.php?qu##############################################################
- http://ap##.#ame.qq.com/comm-htdocs/ip/get_ip.php
- http://do##.onefast.cc/cfg/cmc/userpq.zip
- http://do##.onefast.cc/cfg/cmc/qzpass.txt
- http://do##.onefast.cc/cfg/cmc/wea.txt
UDP
- DNS ASK do##.onefast.cc
- DNS ASK ca#######client-a.meiqia.com
- DNS ASK s3#######.meiqiausercontent.com
- DNS ASK nm#####.hjkl45678.xyz
- DNS ASK s3#####ud.meiqia.com
- DNS ASK st####.meiqia.com
- DNS ASK zx###xltzy.com
- DNS ASK mp####.hjkl45678.xyz
- DNS ASK wh.###jgjsdh.top
- DNS ASK 52.##c81.top
- DNS ASK ch#####k.mstatik.com
- DNS ASK te########ets.meiqiausercontent.com
- DNS ASK gd####sshlja1.com
- DNS ASK lo#.#nefast.cc
- DNS ASK 62##333.com
- DNS ASK cl####.vbnm34567.xyz
- DNS ASK sp#.#aidu.com
- DNS ASK ap##.#ame.qq.com
- DNS ASK do##.####ast.cc.cdn.dnsv1.com
- DNS ASK nq#####z.slt.cdntip.com
- DNS ASK dz##pae.com
- DNS ASK ne####i.meiqia.com
- DNS ASK vi##014.com
- DNS ASK ty##603.com
- DNS ASK vi##548.com
- '<LOCALNET>.81.182':11905
- '<LOCALNET>.81.179':42585
- '<LOCALNET>.81.180':20163
- '<LOCALNET>.81.189':46695
- '<LOCALNET>.81.178':46712
- '<LOCALNET>.81.181':14191
- '<LOCALNET>.81.15':34440
- '<LOCALNET>.81.185':30699
- '<LOCALNET>.81.186':18312
- '<LOCALNET>.81.187':22441
- '<LOCALNET>.81.188':42566
- '<LOCALNET>.81.183':16034
- '<LOCALNET>.81.184':26570
- '<LOCALNET>.81.176':22454
- '<LOCALNET>.81.202':55285
- '<LOCALNET>.81.192':13373
- '<LOCALNET>.81.177':18327
- '<LOCALNET>.81.194':21755
- '<LOCALNET>.81.195':17626
- '<LOCALNET>.81.196':29881
- '<LOCALNET>.81.197':25752
- '<LOCALNET>.81.198':38263
- '<LOCALNET>.81.199':34134
- '<LOCALNET>.81.200':63415
- '<LOCALNET>.81.201':59286
- '<LOCALNET>.81.191':11219
- '<LOCALNET>.81.203':51156
- '<LOCALNET>.81.204':46899
- '<LOCALNET>.81.190':15348
- '<LOCALNET>.81.173':11912
- '<LOCALNET>.81.165':21732
- '<LOCALNET>.81.161':15317
- '<LOCALNET>.81.147':14905
- '<LOCALNET>.81.148':58155
- '<LOCALNET>.81.149':62218
- '<LOCALNET>.81.150':20754
- '<LOCALNET>.81.151':16691
- '<LOCALNET>.81.152':29008
- '<LOCALNET>.81.153':24945
- '<LOCALNET>.81.154':14603
- '<LOCALNET>.81.155':10540
- '<LOCALNET>.81.156':12756
- '<LOCALNET>.81.157':18794
- '<LOCALNET>.81.158':53274
- '<LOCALNET>.81.159':49211
- '<LOCALNET>.81.206':38769
- '<LOCALNET>.81.174':30708
- '<LOCALNET>.81.162':19320
- '<LOCALNET>.81.163':13346
- '<LOCALNET>.81.164':17605
- '<LOCALNET>.81.193':19345
- '<LOCALNET>.81.166':25735
- '<LOCALNET>.81.167':29862
- '<LOCALNET>.81.168':34121
- '<LOCALNET>.81.169':38248
- '<LOCALNET>.81.170':14192
- '<LOCALNET>.81.171':20166
- '<LOCALNET>.81.172':16039
- '<LOCALNET>.81.205':42770
- '<LOCALNET>.81.175':26581
- '<LOCALNET>.81.160':11190
- '<LOCALNET>.81.143':21056
- '<LOCALNET>.81.220':37333
- '<LOCALNET>.81.241':11090
- '<LOCALNET>.81.242':17062
- '<LOCALNET>.81.243':12933
- '<LOCALNET>.81.244':31735
- '<LOCALNET>.81.245':27606
- '<LOCALNET>.81.246':23477
- '<LOCALNET>.81.247':19348
- '<LOCALNET>.81.248':47739
- '<LOCALNET>.81.249':43610
- '<LOCALNET>.81.250':12215
- '<LOCALNET>.81.251':16344
- '<LOCALNET>.81.252':10240
- '<LOCALNET>.81.253':14369
- '<LOCALNET>.81.254':18630
- '<LOCALNET>.81.238':19297
- '<LOCALNET>.81.237':53763
- '<LOCALNET>.81.11':50700
- '<LOCALNET>.81.10':54829
- '<LOCALNET>.81.9':54764
- '<LOCALNET>.81.8':50637
- '<LOCALNET>.81.7':13346
- '<LOCALNET>.81.6':19320
- '<LOCALNET>.81.5':15317
- '<LOCALNET>.81.4':11190
- '<LOCALNET>.81.3':29862
- '<LOCALNET>.81.2':25735
- '<LOCALNET>.81.1':21732
- '<LOCALNET>.81.240':15219
- '<LOCALNET>.81.239':13261
- '23#.#23.112.211':39567
- '<LOCALNET>.81.209':26270
- '<LOCALNET>.81.146':10842
- '<LOCALNET>.81.225':49520
- '<LOCALNET>.81.211':54439
- '<LOCALNET>.81.212':58564
- '<LOCALNET>.81.213':62693
- '<LOCALNET>.81.214':33794
- '<LOCALNET>.81.215':37923
- '<LOCALNET>.81.216':42048
- '<LOCALNET>.81.217':46177
- '<LOCALNET>.81.218':17806
- '<LOCALNET>.81.219':21935
- '<LOCALNET>.81.145':12934
- '<LOCALNET>.81.221':33268
- '<LOCALNET>.81.207':34640
- '<LOCALNET>.81.222':45463
- '<LOCALNET>.81.208':30399
- '<LOCALNET>.81.210':50310
- '<LOCALNET>.81.226':61715
- '<LOCALNET>.81.227':57650
- '<LOCALNET>.81.228':14418
- '<LOCALNET>.81.80':27829
- '<LOCALNET>.81.230':41700
- '<LOCALNET>.81.231':45765
- '<LOCALNET>.81.232':33446
- '<LOCALNET>.81.233':37511
- '<LOCALNET>.81.234':57952
- '<LOCALNET>.81.235':62017
- '<LOCALNET>.81.236':49698
- '<LOCALNET>.81.223':41398
- '<LOCALNET>.81.14':38569
- '<LOCALNET>.81.224':53585
- '<LOCALNET>.81.229':10353
- '<LOCALNET>.81.134':47920
- '<LOCALNET>.81.130':64436
- '<LOCALNET>.81.52':15019
- '<LOCALNET>.81.53':10890
- '<LOCALNET>.81.54':23149
- '<LOCALNET>.81.55':19020
- '<LOCALNET>.81.56':31279
- '<LOCALNET>.81.57':27150
- '<LOCALNET>.81.58':39905
- '<LOCALNET>.81.59':35776
- '<LOCALNET>.81.60':20410
- '<LOCALNET>.81.61':24475
- '<LOCALNET>.81.62':28664
- '<LOCALNET>.81.49':47345
- '<LOCALNET>.81.63':32729
- '<LOCALNET>.81.47':22847
- '<LOCALNET>.81.46':18718
- '<LOCALNET>.81.67':16221
- '<LOCALNET>.81.68':52914
- '<LOCALNET>.81.69':56979
- '<LOCALNET>.81.144':18972
- '<LOCALNET>.81.71':27818
- '<LOCALNET>.81.72':23753
- '<LOCALNET>.81.73':19688
- '<LOCALNET>.81.74':15375
- '<LOCALNET>.81.75':11310
- '<LOCALNET>.81.76':17346
- '<LOCALNET>.81.77':13281
- '<LOCALNET>.81.64':14003
- '<LOCALNET>.81.48':43216
- '<LOCALNET>.81.65':18068
- '<LOCALNET>.81.66':12156
- '<LOCALNET>.81.70':31883
- '<LOCALNET>.81.33':32812
- '<LOCALNET>.81.26':58296
- '<LOCALNET>.81.29':14796
- '<LOCALNET>.81.28':10731
- '<LOCALNET>.81.27':62361
- '<LOCALNET>.81.30':45135
- '<LOCALNET>.81.25':54235
- '<LOCALNET>.81.19':18180
- '<LOCALNET>.81.23':45853
- '<LOCALNET>.81.22':41788
- '<LOCALNET>.81.21':37727
- '<LOCALNET>.81.20':33662
- '<LOCALNET>.81.31':41070
- '<LOCALNET>.81.24':50170
- '<LOCALNET>.81.16':46827
- '<LOCALNET>.81.32':36877
- '<LOCALNET>.81.34':61643
- '<LOCALNET>.81.35':57578
- '<LOCALNET>.81.36':53385
- '<LOCALNET>.81.37':49320
- '<LOCALNET>.81.38':12615
- '<LOCALNET>.81.39':18651
- '<LOCALNET>.81.40':10712
- '<LOCALNET>.81.41':14841
- '<LOCALNET>.81.42':12559
- '<LOCALNET>.81.43':16688
- '<LOCALNET>.81.17':42698
- '<LOCALNET>.81.45':31101
- '<LOCALNET>.81.78':64899
- '<LOCALNET>.81.44':26972
- '<LOCALNET>.81.50':16990
- '<LOCALNET>.81.79':60834
- '<LOCALNET>.81.115':52595
- '<LOCALNET>.81.116':64784
- '<LOCALNET>.81.117':60721
- '<LOCALNET>.81.118':17491
- '<LOCALNET>.81.119':13428
- '<LOCALNET>.81.120':51333
- '<LOCALNET>.81.121':55460
- '<LOCALNET>.81.122':59591
- '<LOCALNET>.81.123':63718
- '<LOCALNET>.81.124':34817
- '<LOCALNET>.81.51':12861
- '<LOCALNET>.81.126':43075
- '<LOCALNET>.81.127':47202
- '<LOCALNET>.81.114':56658
- '<LOCALNET>.81.113':44469
- '<LOCALNET>.81.112':48532
- '<LOCALNET>.81.131':60309
- '<LOCALNET>.81.132':56310
- '<LOCALNET>.81.133':52183
- '<LOCALNET>.81.12':63087
- '<LOCALNET>.81.13':58958
- '<LOCALNET>.81.136':39794
- '<LOCALNET>.81.137':35667
- '<LOCALNET>.81.138':31420
- '<LOCALNET>.81.139':27293
- '<LOCALNET>.81.140':25123
- '<LOCALNET>.81.141':29186
- '<LOCALNET>.81.142':16993
- '<LOCALNET>.81.129':22956
- '<LOCALNET>.81.128':18829
- '<LOCALNET>.81.125':38944
- '<LOCALNET>.81.111':36343
- '<LOCALNET>.81.97':12131
- '<LOCALNET>.81.83':23766
- '<LOCALNET>.81.84':11313
- '<LOCALNET>.81.85':15376
- '<LOCALNET>.81.86':13288
- '<LOCALNET>.81.87':17351
- '<LOCALNET>.81.88':60861
- '<LOCALNET>.81.89':64924
- '<LOCALNET>.81.90':24452
- '<LOCALNET>.81.91':20389
- '<LOCALNET>.81.92':32710
- '<LOCALNET>.81.93':28647
- '<LOCALNET>.81.94':18037
- '<LOCALNET>.81.95':13974
- '<LOCALNET>.81.81':31892
- '<LOCALNET>.81.82':19703
- '<LOCALNET>.81.98':56972
- '<LOCALNET>.81.99':52909
- '<LOCALNET>.81.100':44775
- '<LOCALNET>.81.101':48838
- '<LOCALNET>.81.102':36517
- '<LOCALNET>.81.103':40580
- '<LOCALNET>.81.104':61027
- '<LOCALNET>.81.105':65090
- '<LOCALNET>.81.106':52769
- '<LOCALNET>.81.107':56832
- '<LOCALNET>.81.108':12271
- '<LOCALNET>.81.109':16334
- '<LOCALNET>.81.110':40406
- '<LOCALNET>.81.96':16194
- '<LOCALNET>.81.135':43793
Другое
Ищет следующие окна
- ClassName: 'ProgMan' WindowName: ''
- ClassName: 'SHELLDLL_DefView' WindowName: ''
- ClassName: 'SysListView32' WindowName: ''
Создает и запускает на исполнение
- '<SYSTEM32>\ipconfig.exe' /flushdns' (со скрытым окном)
- '%WINDIR%\syswow64\cmd.exe' /c timeout /t 1 & del /Q /F "<Полный путь к файлу>"' (со скрытым окном)
Запускает на исполнение
- '<SYSTEM32>\ipconfig.exe' /flushdns
- '%WINDIR%\syswow64\cmd.exe' /c timeout /t 1 & del /Q /F "<Полный путь к файлу>"
- '<SYSTEM32>\rundll32.exe' <SYSTEM32>\FirewallControlPanel.dll,ShowNotificationDialog /configure /ETOnly 0 /OnProfiles 6 /OtherAllowed 0 /OtherBlocked 0 /OtherEdgeAllowed 0 /NewBlocked 4 "%WINDIR%\explorer.exe"
- '%WINDIR%\syswow64\timeout.exe' /t 1
