Техническая информация
Для обеспечения автозапуска и распространения
Устанавливает следующие настройки сервисов
- [<HKLM>\System\CurrentControlSet\Services\dsxnvrozh] 'ImagePath' = '<DRIVERS>\RxbMB6fD.sys'
Создает следующие сервисы
- 'dsxnvrozh' <DRIVERS>\RxbMB6fD.sys
Вредоносные функции
Внедряет код в
следующие системные процессы:
- <SYSTEM32>\deviceeject.exe
Изменения в файловой системе
Создает следующие файлы
- <Текущая директория>\hrtrts.exe
- %WINDIR%\inf\label.exe
- <DRIVERS>\rxbmb6fd.sys
Удаляет следующие файлы
- <DRIVERS>\rxbmb6fd.sys
- <Текущая директория>\hrtrts.exe
Сетевая активность
Подключается к
- 'nq#####z.slt.cdntip.com':80
TCP
Запросы HTTP GET
- http://21#.##0.218.154:808/xjg.bin via 21#.#50.218.154
- http://do##.onefast.cc/pgm/mds/422ed73a26bc994c/8f6b181e9acd608997be30b44587702c5fa71ab95043b48164.zip
- http://do##.onefast.cc/cfg/cmc/kfbd.txt
- http://do##.onefast.cc/pgm/mds/f5d2972ba2a267dd/01b52f532c849cf0806bd3d18fd238b64bb7774f1979663d64.zip
- http://do##.onefast.cc/cfg/cmc/kfbdu.txt
- http://do##.onefast.cc/cfg/cmc/b2.txt
- http://do##.onefast.cc/cfg/cmc/qzpass.txt
- http://11#.#29.100.93/report.php?da##############################################################################################################################################################...
- http://do##.onefast.cc/cfg/cmc/slfdm.txt
- http://11#.#29.33.201/report/report_data?da######################################################################################################################################################...
- http://do##.onefast.cc/pgm/mds/52408051d2c341e5/b7105bcf4953db376d82a9b9cd752bda9a98ad2ddad2539e64.zip
- http://do##.onefast.cc/pgm/mds/05631e93ccdb00ee/f79e9e12124babd5dda118b6e600fe01224e5b79c6de680064.zip
- http://11#.#29.33.201/report.php?ty##############################################################################################################################################################...
- http://do##.onefast.cc/cfg/pub/ps.json
- http://do##.onefast.cc/cfg/pub/ms.json
- http://do##.onefast.cc/cfg/user/c995ec7fd4f57c0d/ef7dcae404ea5476.json
- http://sp#.#aidu.com/8aQDcjqpAAV3otqbppnN2DJv/api.php?qu##############################################################
- http://ap##.#ame.qq.com/comm-htdocs/ip/get_ip.php
- http://do##.onefast.cc/cfg/cmc/userpq.zip
- http://do##.onefast.cc/pgm/mpr/c995ec7fd4f57c0d/ef7dcae404ea5476.zip
- http://do##.onefast.cc/cfg/cmc/sfbd.txt
- http://do##.onefast.cc/pgm/mds/e02f10e3a7d5dc64/eb5925c644b456129ae4a2f716342f517f1b2e3ae2c1a0bb64.zip
UDP
- DNS ASK do##.onefast.cc
- DNS ASK ca#######client-a.meiqia.com
- DNS ASK nm#####.hjkl45678.xyz
- DNS ASK mp####.hjkl45678.xyz
- DNS ASK lo#.#nefast.cc
- DNS ASK zx###xltzy.com
- DNS ASK st####.meiqia.com
- DNS ASK cl####.vbnm34567.xyz
- DNS ASK s3#####ud.meiqia.com
- DNS ASK ne####i.meiqia.com
- DNS ASK sq##26.com
- DNS ASK cu####fas-vveqs.com
- DNS ASK ch#####k.mstatik.com
- DNS ASK tf.#o2k.xyz
- DNS ASK ld.#puv.xyz
- DNS ASK s3#######.meiqiausercontent.com
- DNS ASK je#.#qz226.com
- DNS ASK do##.####ast.cc.cdn.dnsv1.com
- DNS ASK nq#####z.slt.cdntip.com
- DNS ASK ap##.#ame.qq.com
- DNS ASK sp#.#aidu.com
- DNS ASK te########ets.meiqiausercontent.com
- '<LOCALNET>.17.177':13454
- '<LOCALNET>.17.178':64758
- '<LOCALNET>.17.179':60631
- '<LOCALNET>.17.188':60616
- '<LOCALNET>.17.181':32225
- '<LOCALNET>.17.180':28096
- '<LOCALNET>.17.187':17564
- '<LOCALNET>.17.184':11588
- '<LOCALNET>.17.185':15717
- '<LOCALNET>.17.186':13435
- '<LOCALNET>.17.14':56330
- '<LOCALNET>.17.182':19842
- '<LOCALNET>.17.183':23971
- '<LOCALNET>.17.175':11611
- '<LOCALNET>.17.200':48441
- '<LOCALNET>.17.191':20176
- '<LOCALNET>.17.176':17581
- '<LOCALNET>.17.193':28306
- '<LOCALNET>.17.194':17898
- '<LOCALNET>.17.195':13769
- '<LOCALNET>.17.196':15927
- '<LOCALNET>.17.197':11798
- '<LOCALNET>.17.198':57337
- '<LOCALNET>.17.199':53208
- '<LOCALNET>.17.190':24305
- '<LOCALNET>.17.201':44312
- '<LOCALNET>.17.202':40315
- '<LOCALNET>.17.203':36186
- '<LOCALNET>.17.189':64745
- '<LOCALNET>.17.173':19869
- '<LOCALNET>.17.165':17887
- '<LOCALNET>.17.160':20175
- '<LOCALNET>.17.146':18539
- '<LOCALNET>.17.147':22602
- '<LOCALNET>.17.148':43429
- '<LOCALNET>.17.149':47492
- '<LOCALNET>.17.150':17169
- '<LOCALNET>.17.151':13106
- '<LOCALNET>.17.152':15326
- '<LOCALNET>.17.153':11263
- '<LOCALNET>.17.154':23320
- '<LOCALNET>.17.155':19257
- '<LOCALNET>.17.156':31578
- '<LOCALNET>.17.157':27515
- '<LOCALNET>.17.158':39572
- '<LOCALNET>.17.205':60828
- '<LOCALNET>.17.204':64957
- '<LOCALNET>.17.161':24302
- '<LOCALNET>.17.162':28301
- '<LOCALNET>.17.163':32428
- '<LOCALNET>.17.164':13760
- '<LOCALNET>.17.192':32435
- '<LOCALNET>.17.166':11785
- '<LOCALNET>.17.167':15912
- '<LOCALNET>.17.168':53191
- '<LOCALNET>.17.169':57318
- '<LOCALNET>.17.170':32254
- '<LOCALNET>.17.171':28127
- '<LOCALNET>.17.172':23996
- '<LOCALNET>.17.174':15738
- '<LOCALNET>.17.159':35509
- '<LOCALNET>.17.142':12388
- '<LOCALNET>.17.218':13941
- '<LOCALNET>.17.240':29181
- '<LOCALNET>.17.241':25052
- '<LOCALNET>.17.242':20927
- '<LOCALNET>.17.243':16798
- '<LOCALNET>.17.244':12665
- '<LOCALNET>.17.245':18637
- '<LOCALNET>.17.246':14512
- '<LOCALNET>.17.247':10383
- '<LOCALNET>.17.248':61685
- '<LOCALNET>.17.249':57556
- '<LOCALNET>.17.250':17100
- '<LOCALNET>.17.251':21229
- '<LOCALNET>.17.252':25230
- '<LOCALNET>.17.253':29359
- '<LOCALNET>.17.237':39053
- '<LOCALNET>.17.236':34988
- '<LOCALNET>.17.11':36015
- '<LOCALNET>.17.10':40078
- '<LOCALNET>.17.9':16899
- '<LOCALNET>.17.8':12836
- '<LOCALNET>.17.7':64320
- '<LOCALNET>.17.6':60257
- '<LOCALNET>.17.5':56066
- '<LOCALNET>.17.4':52003
- '<LOCALNET>.17.3':48068
- '<LOCALNET>.17.2':44005
- '<LOCALNET>.17.1':39814
- '<LOCALNET>.17.239':31043
- '<LOCALNET>.17.238':26978
- '<LOCALNET>.17.254':10685
- '<LOCALNET>.17.208':15409
- '<LOCALNET>.17.145':30728
- '<LOCALNET>.17.224':39903
- '<LOCALNET>.17.210':36360
- '<LOCALNET>.17.211':40489
- '<LOCALNET>.17.212':44618
- '<LOCALNET>.17.213':48747
- '<LOCALNET>.17.214':52876
- '<LOCALNET>.17.215':57005
- '<LOCALNET>.17.216':61134
- '<LOCALNET>.17.217':65263
- '<LOCALNET>.17.143':16451
- '<LOCALNET>.17.219':18070
- '<LOCALNET>.17.220':56155
- '<LOCALNET>.17.206':56831
- '<LOCALNET>.17.221':52090
- '<LOCALNET>.17.207':52702
- '<LOCALNET>.17.209':11280
- '<LOCALNET>.17.225':35838
- '<LOCALNET>.17.226':48029
- '<LOCALNET>.17.227':43964
- '<LOCALNET>.17.228':23123
- '<LOCALNET>.17.79':42753
- '<LOCALNET>.17.230':59498
- '<LOCALNET>.17.231':63563
- '<LOCALNET>.17.232':51240
- '<LOCALNET>.17.233':55305
- '<LOCALNET>.17.234':43246
- '<LOCALNET>.17.235':47311
- '<LOCALNET>.17.222':64281
- '<LOCALNET>.17.144':26665
- '<LOCALNET>.17.223':60216
- '<LOCALNET>.17.229':19058
- '<LOCALNET>.17.12':48332
- '<LOCALNET>.17.129':14999
- '<LOCALNET>.17.50':20554
- '<LOCALNET>.17.51':16491
- '<LOCALNET>.17.52':28680
- '<LOCALNET>.17.53':24617
- '<LOCALNET>.17.54':14403
- '<LOCALNET>.17.55':10340
- '<LOCALNET>.17.56':12428
- '<LOCALNET>.17.57':18466
- '<LOCALNET>.17.58':53570
- '<LOCALNET>.17.59':49507
- '<LOCALNET>.17.60':11406
- '<LOCALNET>.17.47':15121
- '<LOCALNET>.17.61':15533
- '<LOCALNET>.17.45':13278
- '<LOCALNET>.17.44':19316
- '<LOCALNET>.17.65':21948
- '<LOCALNET>.17.66':26079
- '<LOCALNET>.17.67':30206
- '<LOCALNET>.17.68':33809
- '<LOCALNET>.17.13':44269
- '<LOCALNET>.17.70':13864
- '<LOCALNET>.17.72':15839
- '<LOCALNET>.17.73':11712
- '<LOCALNET>.17.74':30380
- '<LOCALNET>.17.75':26253
- '<LOCALNET>.17.76':22254
- '<LOCALNET>.17.62':19664
- '<LOCALNET>.17.46':11058
- '<LOCALNET>.17.63':13690
- '<LOCALNET>.17.64':17821
- '<LOCALNET>.17.69':37936
- '<LOCALNET>.17.31':60109
- '<LOCALNET>.17.28':18645
- '<LOCALNET>.17.27':47418
- '<LOCALNET>.17.26':43291
- '<LOCALNET>.17.25':39288
- '<LOCALNET>.17.24':35161
- '<LOCALNET>.17.23':63934
- '<LOCALNET>.17.18':17659
- '<LOCALNET>.17.21':55804
- '<LOCALNET>.17.20':51677
- '<LOCALNET>.17.19':13596
- '<LOCALNET>.17.17':60521
- '<LOCALNET>.17.29':22772
- '<LOCALNET>.17.22':59807
- '<LOCALNET>.17.15':52267
- '<LOCALNET>.17.30':64236
- '<LOCALNET>.17.32':55982
- '<LOCALNET>.17.33':51855
- '<LOCALNET>.17.34':47720
- '<LOCALNET>.17.35':43593
- '<LOCALNET>.17.36':39466
- '<LOCALNET>.17.37':35339
- '<LOCALNET>.17.38':31716
- '<LOCALNET>.17.39':27589
- '<LOCALNET>.17.40':25467
- '<LOCALNET>.17.16':64584
- '<LOCALNET>.17.42':17209
- '<LOCALNET>.17.43':21272
- '<LOCALNET>.17.77':18127
- '<LOCALNET>.17.41':29530
- '<LOCALNET>.17.48':57971
- '<LOCALNET>.17.78':46880
- '<LOCALNET>.17.114':38876
- '<LOCALNET>.17.115':34813
- '<LOCALNET>.17.116':47006
- '<LOCALNET>.17.117':42943
- '<LOCALNET>.17.118':22096
- '<LOCALNET>.17.119':18033
- '<LOCALNET>.17.120':33291
- '<LOCALNET>.17.121':37418
- '<LOCALNET>.17.122':41545
- '<LOCALNET>.17.49':62034
- '<LOCALNET>.17.124':49807
- '<LOCALNET>.17.125':53934
- '<LOCALNET>.17.126':58061
- '<LOCALNET>.17.113':59195
- '<LOCALNET>.17.112':63258
- '<LOCALNET>.17.111':51065
- '<LOCALNET>.17.130':45370
- '<LOCALNET>.17.131':41243
- '<LOCALNET>.17.132':37240
- '<LOCALNET>.17.133':33113
- '23#.#23.112.211':24196
- '<LOCALNET>.17.135':57759
- '<LOCALNET>.17.136':53756
- '<LOCALNET>.17.137':49629
- '<LOCALNET>.17.138':12338
- '<LOCALNET>.17.139':18312
- '<LOCALNET>.17.140':10413
- '<LOCALNET>.17.141':14476
- '<LOCALNET>.17.128':10872
- '<LOCALNET>.17.127':62188
- '<LOCALNET>.17.123':45672
- '<LOCALNET>.17.110':55128
- '<LOCALNET>.17.96':30177
- '<LOCALNET>.17.82':11721
- '<LOCALNET>.17.83':15850
- '<LOCALNET>.17.84':26258
- '<LOCALNET>.17.85':30387
- '<LOCALNET>.17.86':18128
- '<LOCALNET>.17.87':22257
- '<LOCALNET>.17.88':42782
- '<LOCALNET>.17.89':46911
- '<LOCALNET>.17.90':15516
- '<LOCALNET>.17.91':11387
- '<LOCALNET>.17.92':13669
- '<LOCALNET>.17.93':19641
- '<LOCALNET>.17.94':21923
- '<LOCALNET>.17.80':19851
- '<LOCALNET>.17.81':13879
- '<LOCALNET>.17.97':26048
- '<LOCALNET>.17.98':37935
- '<LOCALNET>.17.99':33806
- '<LOCALNET>.17.100':58473
- '<LOCALNET>.17.101':62536
- '<LOCALNET>.17.102':50219
- '<LOCALNET>.17.103':54282
- '<LOCALNET>.17.104':42221
- '<LOCALNET>.17.105':46284
- '<LOCALNET>.17.106':33967
- '<LOCALNET>.17.107':38030
- '<LOCALNET>.17.108':25953
- '<LOCALNET>.17.109':30016
- '<LOCALNET>.17.95':17794
- '<LOCALNET>.17.134':61886
Другое
Добавляет корневой сертификат
Ищет следующие окна
- ClassName: 'ProgMan' WindowName: ''
- ClassName: 'SHELLDLL_DefView' WindowName: ''
- ClassName: 'SysListView32' WindowName: ''
Создает и запускает на исполнение
- '<Текущая директория>\hrtrts.exe'
- '%WINDIR%\inf\label.exe'
- '<SYSTEM32>\ipconfig.exe' /flushdns' (со скрытым окном)
- '%WINDIR%\syswow64\cmd.exe' /c timeout /t 1 & del /Q /F "<Текущая директория>\hrtrts.exe"' (со скрытым окном)
Запускает на исполнение
- '<SYSTEM32>\ipconfig.exe' /flushdns
- '<SYSTEM32>\rundll32.exe' <SYSTEM32>\FirewallControlPanel.dll,ShowNotificationDialog /configure /ETOnly 0 /OnProfiles 6 /OtherAllowed 0 /OtherBlocked 0 /OtherEdgeAllowed 0 /NewBlocked 4 "%WINDIR%\inf\label.exe"
- '%WINDIR%\syswow64\cmd.exe' /c timeout /t 1 & del /Q /F "<Текущая директория>\hrtrts.exe"
- '%WINDIR%\syswow64\timeout.exe' /t 1
- '<SYSTEM32>\deviceeject.exe'
