Техническая информация
Для обеспечения автозапуска и распространения
Устанавливает следующие настройки сервисов
- [<HKLM>\System\CurrentControlSet\Services\bmrlcdugqro] 'ImagePath' = '<DRIVERS>\MWdlF33r.sys'
Создает следующие сервисы
- 'bmrlcdugqro' <DRIVERS>\MWdlF33r.sys
Вредоносные функции
Внедряет код в
следующие системные процессы:
- %WINDIR%\explorer.exe
Читает файлы, отвечающие за хранение паролей сторонними программами
- %HOMEPATH%\desktop\delete.avi
- %HOMEPATH%\desktop\coffee.bmp
- %HOMEPATH%\desktop\archer.avi
- %HOMEPATH%\desktop\dashborder_120.bmp
- %HOMEPATH%\desktop\glidescope_review_rev_010.docx
Изменения в файловой системе
Создает следующие файлы
- %ProgramFiles%\pcalua.exe
- <DRIVERS>\mwdlf33r.sys
Удаляет следующие файлы
- <DRIVERS>\mwdlf33r.sys
Самоудаляется.
Сетевая активность
Подключается к
- 'nq#####z.slt.cdntip.com':80
- 'nm#####.hjkl45678.xyz':80
- 'mp####.hjkl45678.xyz':80
TCP
Запросы HTTP GET
- http://do##.onefast.cc/pgm/mpr/c995ec7fd4f57c0d/af0c8d0a6ec9e336.zip
- http://do##.onefast.cc/pgm/mds/e02f10e3a7d5dc64/eb5925c644b45612004dabc2ed8ab2935192d9d762ce5cae64.zip
- http://do##.onefast.cc/cfg/cmc/nmlhjk.txt
- http://do##.onefast.cc/cfg/cmc/b2.txt
- http://do##.onefast.cc/cfg/cmc/qzpass.txt
- http://do##.onefast.cc/cfg/cmc/slfdm.txt
- http://do##.onefast.cc/pgm/mds/006866ef1b75dc55/48293f91dddad83d51dc0e9a7902eca06eeea6469fcd775a64.zip
- http://do##.onefast.cc/pgm/mds/52408051d2c341e5/3fd88158fb5b2ae0090fd71c11092b2317c7278d11ff922664.zip
- http://do##.onefast.cc/pgm/mds/05631e93ccdb00ee/8f007cd4c25ecb56f9148b1de97a00267819e24f874d9b4164.zip
- http://do##.onefast.cc/cfg/pub/ps.json
- http://42.##2.127.146/report.php?ty##############################################################################################################################################################...
- http://do##.onefast.cc/cfg/pub/ms.json
- http://do##.onefast.cc/cfg/user/c995ec7fd4f57c0d/af0c8d0a6ec9e336.json
- http://sp#.#aidu.com/8aQDcjqpAAV3otqbppnN2DJv/api.php?qu##############################################################
- http://ap##.#ame.qq.com/comm-htdocs/ip/get_ip.php
- http://do##.onefast.cc/cfg/cmc/userpq.zip
- http://42.##2.127.146/report/report_data?da######################################################################################################################################################...
- http://11#.#29.100.93/report.php?da##############################################################################################################################################################...
UDP
- DNS ASK a8#######9df21eb.vbnm34567.xyz
- DNS ASK mp####.hjkl45678.xyz
- DNS ASK 8k##6.com
- DNS ASK nm#####.hjkl45678.xyz
- DNS ASK cl####.vbnm34567.xyz
- DNS ASK 8k##h22.com
- DNS ASK ap##.#ame.qq.com
- DNS ASK nq#####z.slt.cdntip.com
- DNS ASK do##.####ast.cc.cdn.dnsv1.com
- DNS ASK do##.onefast.cc
- DNS ASK sp#.#aidu.com
- '<LOCALNET>.40.171':52632
- '<LOCALNET>.40.175':36124
- '<LOCALNET>.40.174':40253
- '<LOCALNET>.40.173':60890
- '<LOCALNET>.40.172':65019
- '<LOCALNET>.40.170':56761
- '<LOCALNET>.40.165':48685
- '<LOCALNET>.40.168':28544
- '<LOCALNET>.40.167':40559
- '<LOCALNET>.40.166':36430
- '<LOCALNET>.40.176':48511
- '<LOCALNET>.40.164':44556
- '<LOCALNET>.40.169':32673
- '<LOCALNET>.40.161':65193
- '<LOCALNET>.40.182':60869
- '<LOCALNET>.40.179':19600
- '<LOCALNET>.40.180':52615
- '<LOCALNET>.40.181':56742
- '<LOCALNET>.40.162':52938
- '<LOCALNET>.40.183':64996
- '<LOCALNET>.40.184':36099
- '<LOCALNET>.40.185':40226
- '<LOCALNET>.40.186':44353
- '<LOCALNET>.40.187':48480
- '<LOCALNET>.40.188':19599
- '<LOCALNET>.40.189':23726
- '<LOCALNET>.40.190':65206
- '<LOCALNET>.40.163':57067
- '<LOCALNET>.40.177':44382
- '<LOCALNET>.40.160':61064
- '<LOCALNET>.40.158':15059
- '<LOCALNET>.40.147':63501
- '<LOCALNET>.40.133':18579
- '<LOCALNET>.40.134':20985
- '<LOCALNET>.40.135':16856
- '<LOCALNET>.40.136':29115
- '<LOCALNET>.40.137':24986
- '<LOCALNET>.40.138':36981
- '<LOCALNET>.40.139':32852
- '<LOCALNET>.40.140':35050
- '<LOCALNET>.40.141':39115
- '<LOCALNET>.40.142':43176
- '<LOCALNET>.40.143':47241
- '<LOCALNET>.40.144':51310
- '<LOCALNET>.40.191':61079
- '23#.#23.112.211':11044
- '<LOCALNET>.40.132':12607
- '<LOCALNET>.40.148':12631
- '<LOCALNET>.40.149':16696
- '<LOCALNET>.40.150':48091
- '<LOCALNET>.40.151':44026
- '<LOCALNET>.40.152':39833
- '<LOCALNET>.40.153':35768
- '<LOCALNET>.40.154':64351
- '<LOCALNET>.40.155':60286
- '<LOCALNET>.40.156':56093
- '<LOCALNET>.40.157':52028
- '<LOCALNET>.40.178':23729
- '<LOCALNET>.40.159':10994
- '<LOCALNET>.40.146':59436
- '<LOCALNET>.40.145':55375
- '<LOCALNET>.40.130':14578
- '<LOCALNET>.40.198':32702
- '<LOCALNET>.40.227':13168
- '<LOCALNET>.40.228':64020
- '<LOCALNET>.40.229':59957
- '<LOCALNET>.40.230':18477
- '<LOCALNET>.40.231':22540
- '<LOCALNET>.40.232':26735
- '<LOCALNET>.40.233':30798
- '<LOCALNET>.40.234':12318
- '<LOCALNET>.40.235':16381
- '<LOCALNET>.40.236':10475
- '<LOCALNET>.40.237':14538
- '<LOCALNET>.40.238':51493
- '<LOCALNET>.40.239':55556
- '<LOCALNET>.40.226':17231
- '<LOCALNET>.40.193':52949
- '<LOCALNET>.40.225':11193
- '<LOCALNET>.40.243':57817
- '<LOCALNET>.40.244':37182
- '<LOCALNET>.40.245':33055
- '<LOCALNET>.40.246':45436
- '<LOCALNET>.40.247':41309
- '<LOCALNET>.40.248':20658
- '<LOCALNET>.40.249':16531
- '<LOCALNET>.40.250':57995
- '<LOCALNET>.40.251':62122
- '<LOCALNET>.40.252':49865
- '<LOCALNET>.40.253':53992
- '<LOCALNET>.40.254':41487
- '<LOCALNET>.40.241':49563
- '<LOCALNET>.40.240':53690
- '<LOCALNET>.40.192':57076
- '<LOCALNET>.40.223':19327
- '<LOCALNET>.40.210':11855
- '<LOCALNET>.40.196':40560
- '<LOCALNET>.40.197':36433
- '<LOCALNET>.40.194':48690
- '<LOCALNET>.40.199':28575
- '<LOCALNET>.40.200':17651
- '<LOCALNET>.40.201':13524
- '<LOCALNET>.40.202':15676
- '<LOCALNET>.40.203':11549
- '<LOCALNET>.40.204':24058
- '<LOCALNET>.40.205':19931
- '<LOCALNET>.40.206':32184
- '<LOCALNET>.40.207':28057
- '<LOCALNET>.40.224':15256
- '<LOCALNET>.40.131':10449
- '<LOCALNET>.40.195':44563
- '<LOCALNET>.40.211':15982
- '<LOCALNET>.40.212':13698
- '<LOCALNET>.40.213':17825
- '<LOCALNET>.40.214':28363
- '<LOCALNET>.40.215':32490
- '<LOCALNET>.40.216':20105
- '<LOCALNET>.40.217':24232
- '<LOCALNET>.40.218':44871
- '<LOCALNET>.40.219':48998
- '<LOCALNET>.40.220':31516
- '<LOCALNET>.40.129':45925
- '<LOCALNET>.40.222':23390
- '<LOCALNET>.40.209':35927
- '<LOCALNET>.40.208':40054
- '<LOCALNET>.40.221':27453
- '<LOCALNET>.40.125':29417
- '<LOCALNET>.40.114':14235
- '<LOCALNET>.40.35':12034
- '<LOCALNET>.40.36':14318
- '<LOCALNET>.40.37':10191
- '<LOCALNET>.40.38':54816
- '<LOCALNET>.40.39':50689
- '<LOCALNET>.40.40':52927
- '<LOCALNET>.40.41':56990
- '<LOCALNET>.40.42':61181
- '<LOCALNET>.40.43':65244
- '<LOCALNET>.40.44':36411
- '<LOCALNET>.40.45':40474
- '<LOCALNET>.40.46':44665
- '<LOCALNET>.40.32':30570
- '<LOCALNET>.40.62':34975
- '<LOCALNET>.40.31':18185
- '<LOCALNET>.40.50':64910
- '<LOCALNET>.40.51':60847
- '<LOCALNET>.40.52':56780
- '<LOCALNET>.40.53':52717
- '<LOCALNET>.40.54':48394
- '<LOCALNET>.40.55':44331
- '<LOCALNET>.40.56':40264
- '<LOCALNET>.40.57':36201
- '<LOCALNET>.40.58':31878
- '<LOCALNET>.40.59':27815
- '<LOCALNET>.40.63':39102
- '<LOCALNET>.40.61':47356
- '<LOCALNET>.40.48':20407
- '<LOCALNET>.40.47':48728
- '<LOCALNET>.40.49':24470
- '<LOCALNET>.40.60':43229
- '<LOCALNET>.40.16':20876
- '<LOCALNET>.40.9':23147
- '<LOCALNET>.40.13':10398
- '<LOCALNET>.40.12':14461
- '<LOCALNET>.40.11':18656
- '<LOCALNET>.40.10':12618
- '<LOCALNET>.40.8':19018
- '<LOCALNET>.40.3':64289
- '<LOCALNET>.40.6':43908
- '<LOCALNET>.40.5':39911
- '<LOCALNET>.40.4':35782
- '<LOCALNET>.40.30':22312
- '<LOCALNET>.40.2':60160
- '<LOCALNET>.40.7':48037
- '<LOCALNET>.40.29':62768
- '<LOCALNET>.40.14':29134
- '<LOCALNET>.40.17':16813
- '<LOCALNET>.40.18':45122
- '<LOCALNET>.40.19':41059
- '<LOCALNET>.40.1':56163
- '<LOCALNET>.40.21':29752
- '<LOCALNET>.40.22':17499
- '<LOCALNET>.40.23':21626
- '<LOCALNET>.40.24':19474
- '<LOCALNET>.40.25':13500
- '<LOCALNET>.40.26':11348
- '<LOCALNET>.40.27':15475
- '<LOCALNET>.40.28':58641
- '<LOCALNET>.40.15':25071
- '<LOCALNET>.40.20':25625
- '<LOCALNET>.40.128':41796
- '<LOCALNET>.40.64':59481
- '<LOCALNET>.40.99':10698
- '<LOCALNET>.40.100':17454
- '<LOCALNET>.40.101':21519
- '<LOCALNET>.40.34':16161
- '<LOCALNET>.40.103':29773
- '<LOCALNET>.40.104':11295
- '<LOCALNET>.40.105':15360
- '<LOCALNET>.40.106':19549
- '<LOCALNET>.40.107':13513
- '<LOCALNET>.40.108':50470
- '<LOCALNET>.40.109':54535
- '<LOCALNET>.40.110':30495
- '<LOCALNET>.40.111':26430
- '<LOCALNET>.40.98':14827
- '<LOCALNET>.40.97':51204
- '<LOCALNET>.40.96':55333
- '<LOCALNET>.40.115':10170
- '<LOCALNET>.40.116':16206
- '<LOCALNET>.40.117':12141
- '<LOCALNET>.40.118':62999
- '<LOCALNET>.40.119':58934
- '<LOCALNET>.40.120':18881
- '<LOCALNET>.40.121':12909
- '<LOCALNET>.40.122':10627
- '<LOCALNET>.40.123':14756
- '<LOCALNET>.40.124':25288
- '<LOCALNET>.40.242':61944
- '<LOCALNET>.40.126':17034
- '<LOCALNET>.40.113':18300
- '<LOCALNET>.40.112':22365
- '<LOCALNET>.40.102':25708
- '<LOCALNET>.40.95':59462
- '<LOCALNET>.40.81':39923
- '<LOCALNET>.40.67':55354
- '<LOCALNET>.40.68':10709
- '<LOCALNET>.40.69':14836
- '<LOCALNET>.40.70':39916
- '<LOCALNET>.40.71':35789
- '<LOCALNET>.40.72':48046
- '<LOCALNET>.40.73':43919
- '<LOCALNET>.40.74':56168
- '<LOCALNET>.40.75':52041
- '<LOCALNET>.40.76':64298
- '<LOCALNET>.40.77':60171
- '<LOCALNET>.40.78':16985
- '<LOCALNET>.40.79':12858
- '<LOCALNET>.40.65':63608
- '<LOCALNET>.40.66':51227
- '<LOCALNET>.40.82':43920
- '<LOCALNET>.40.83':48049
- '<LOCALNET>.40.84':52054
- '<LOCALNET>.40.85':56183
- '<LOCALNET>.40.86':60180
- '<LOCALNET>.40.87':64309
- '<LOCALNET>.40.88':12879
- '<LOCALNET>.40.89':17008
- '<LOCALNET>.40.90':47331
- '<LOCALNET>.40.91':43202
- '<LOCALNET>.40.92':39073
- '<LOCALNET>.40.93':34944
- '<LOCALNET>.40.94':63591
- '<LOCALNET>.40.80':35794
- '<LOCALNET>.40.127':21163
Другое
Ищет следующие окна
- ClassName: 'ProgMan' WindowName: ''
- ClassName: 'SHELLDLL_DefView' WindowName: ''
- ClassName: 'SysListView32' WindowName: ''
Создает и запускает на исполнение
- '%ProgramFiles%\pcalua.exe'
- '<SYSTEM32>\ipconfig.exe' /flushdns' (со скрытым окном)
- '%WINDIR%\syswow64\cmd.exe' /c timeout /t 1 & del /Q /F "<Полный путь к файлу>"' (со скрытым окном)
Запускает на исполнение
- '<SYSTEM32>\ipconfig.exe' /flushdns
- '%WINDIR%\syswow64\cmd.exe' /c timeout /t 1 & del /Q /F "<Полный путь к файлу>"
- '%WINDIR%\syswow64\timeout.exe' /t 1
- '<SYSTEM32>\rundll32.exe' <SYSTEM32>\FirewallControlPanel.dll,ShowNotificationDialog /configure /ETOnly 0 /OnProfiles 6 /OtherAllowed 0 /OtherBlocked 0 /OtherEdgeAllowed 0 /NewBlocked 4 "%ProgramFiles%\pcalua.exe"
