Техническая информация
Для обеспечения автозапуска и распространения:
Модифицирует следующие ключи реестра:
- [<HKCU>\Software\Microsoft\Windows NT\CurrentVersion\Winlogon] 'Shell' = '<LS_APPDATA>\f5a698ed\X'
Создает следующие сервисы:
- [<HKLM>\SYSTEM\ControlSet001\Services\f5a698ed] 'ImagePath' = '%WINDIR%\3986204405:173631250.exe'
- [<HKLM>\SYSTEM\ControlSet001\Services\.mrxsmb] 'ImagePath' = '\?'
Вредоносные функции:
Создает и запускает на исполнение:
- %WINDIR%\3986204405:173631250.exe
- <LS_APPDATA>\f5a698ed\X
Запускает на исполнение:
- %WINDIR%\explorer.exe
Внедряет код в
следующие системные процессы:
- <SYSTEM32>\winlogon.exe
- %WINDIR%\Explorer.EXE
Изменения в файловой системе:
Создает следующие файлы:
- %WINDIR%\$NtUninstallKB37556$\4121336045\L\alehhooo
- %WINDIR%\$NtUninstallKB37556$\4121336045\@
- %WINDIR%\3986204405:173631250.exe
- <LS_APPDATA>\f5a698ed\@
- <LS_APPDATA>\f5a698ed\X
Самоудаляется.
Сетевая активность:
Подключается к:
- '77.##.167.93':21810
- '79.##2.193.96':21810
- '85.##1.82.93':21810
- '24.##.66.195':21810
- '18#.#15.71.231':21810
- '74.##6.111.99':21810
- '93.##3.177.88':21810
- '31.##4.231.28':21810
- '79.##4.5.194':21810
- '20#.#8.164.158':21810
- '27.##6.44.83':21810
- '19#.#07.117.85':21810
- '71.#.52.89':21810
- '85.##.196.233':21810
- '11#.#93.125.42':21810
- '12#.#1.113.97':21810
- '11#.#2.133.73':21810
- '16#.#59.120.184':21810
- '89.##6.76.26':21810
- '11#.#04.88.38':21810
- '91.##0.195.69':21810
- '11#.#4.14.116':21810
- '95.##4.110.112':21810
- '86.##6.169.115':21810
- '21#.#1.0.200':21810
- '12#.#92.159.205':21810
- '14.##.142.101':21810
- '89.##2.20.104':21810
- '94.##7.47.150':21810
- '77.##.210.74':21810
- '79.##4.252.76':21810
- '46.#0.61.75':21810
- '11#.#02.11.131':21810
- '21#.#17.10.119':21810
- '58.##6.27.182':21810
- '11#.#04.108.67':21810
- '11#.#41.81.118':21810
- '24.##9.144.133':21810
- '18#.#79.69.166':21810
- '10#.#31.149.118':21810
- '24.#2.9.247':21810
- '21#.#97.140.60':21810
- '14.#9.59.8':21810
- '89.##7.89.125':21810
- '18#.#36.243.225':21810
- '12#.#23.229.21':21810
- '18#.#19.41.222':21810
- '77.##.207.61':21810
- '10#.#21.155.80':21810
- '94.##8.58.144':21810
- '18#.#6.184.205':21810
- '18#.#15.159.142':21810
- '16#.#25.128.126':21810
- '17#.#18.81.237':21810
- '21#.#1.53.198':21810
- '67.##3.210.54':21810
- '21#.#0.32.216':21810
- '77.##.10.248':21810
- '93.##5.249.183':21810
- '89.##3.63.217':21810
- '85.##0.88.138':21810
- '1.##.234.23':21810
- '46.##9.53.163':21810
- '92.##.158.23':21810
- '20#.#6.87.188':21810
- '67.##3.110.120':21810
- '20#.#.254.23':21810
- '92.##4.217.189':21810
- '18#.#6.251.121':21810
- '46.##7.223.239':21810
- '46.##0.107.21':21810
- '75.##4.174.237':21810
- '95.#8.36.98':21810
- '21#.#33.198.29':21810
- '46.##9.218.83':21810
- '10#.#8.96.89':21810
- '11#.#05.105.104':21810
- '14.##.154.192':21810
- '95.##.109.99':21810
- '95.##2.156.99':21810
- '21#.#4.92.170':21810
- '11#.#98.8.168':21810
- '92.##.21.174':21810
- '17#.#22.13.127':21810
- '10#.#29.182.144':21810
- '27.#51.89.2':21810
- '31.##0.130.134':21810
- '12#.#8.162.135':21810
- '18#.#2.197.243':21810
- '46.##7.191.176':21810
- '42.#.35.122':21810
- '89.##.149.244':21810
- '41.##4.157.124':21810
- '79.##7.150.9':21810
- '89.##.80.124':21810
- '22#.#5.10.245':21810
- '91.##.198.132':21810
- '11#.#04.173.160':21810
- '94.##.10.170':21810
- '94.##6.163.58':21810
- '79.##2.14.225':21810
- '19#.#4.19.254':21810
- '18#.#04.178.54':21810
- '18#.#88.226.138':21810
- '95.##.142.243':21810
- '17#.#06.195.237':21810
- '58.#.227.119':21810
- '79.##6.96.64':21810
- '90.##7.17.13':21810
- '17#.#36.212.127':21810
- '59.#5.5.123':21810
- '65.##.216.244':21810
- '11#.#41.72.219':21810
- '82.##7.60.67':21810
- '59.##.179.42':21810
- '59.#5.78.59':21810
- '62.#.159.214':21810
- '76.##.255.73':21810
- '58.##.213.218':21810
- '93.##5.204.39':21810
- '77.##.177.152':21810
- '11#.#6.164.99':21810
- '18#.#12.142.224':21810
- '79.##3.91.145':21810
- '74.##.140.52':21810
- '17#.#87.224.222':21810
- '11#.#42.49.223':21810
- '82.##7.41.224':21810
- '18#.#73.50.8':21810
- '14#.#44.149.24':21810
- '86.##5.190.74':21810
- '21#.#73.46.204':21810
- '46.##.83.222':21810
- '59.##0.240.68':21810
- '70.##0.167.218':21810
- '18#.#40.39.157':21810
- '10#.#75.247.31':21810
- '95.##.20.242':21810
- '18#.#55.78.128':21810
- '20#.#12.168.184':21810
- '12#.#00.217.103':21810
- '18#.#5.158.198':21810
- '11#.#5.23.179':21810
- '11#.#42.124.196':21810
- '20#.#22.43.198':21810
- '18#.#6.212.132':21810
- '22#.#05.83.155':21810
- '46.##9.45.205':21810
- '13#.#3.155.160':21810
- '11#.#05.66.238':21810
- '94.##3.45.14':21810
- '94.##.227.199':21810
- '12#.#5.206.137':21810
- '18#.#8.199.71':21810
- '20#.#3.20.123':21810
- '11#.#05.193.242':21810
- '81.##3.188.241':21810
- '86.##7.240.220':21810
- '82.#2.52.18':21810
- '19#.#00.167.71':21810
- '10#.#85.227.69':21810
- '62.##4.144.151':21810
- '13#.#23.20.2':21810
- '72.##3.64.47':21810
- '18#.#43.83.18':21810
- '67.##1.73.150':21810
- '77.#9.0.108':21810
- '11#.#42.119.48':21810
- '88.##2.162.32':21810
- '12#.#58.70.28':21810
- '18#.#60.60.4':21810
- '19#.#05.154.210':80
- '18#.#6.169.233':21810
- '18#.#7.164.61':21810
- '87.#.211.188':21810
- '94.##.117.165':21810
- '11#.#41.154.227':21810
- '41.##0.68.245':21810
- '87.##6.27.170':21810
- '24.##1.59.63':21810
- '11#.#54.184.129':21810
- '11#.#2.145.253':21810
- '11#.#01.12.226':21810
- '93.##5.224.32':21810
- '18#.#84.225.51':21810
- '67.##6.151.6':21810
- '11#.#2.18.241':21810
- '81.##9.36.120':21810
- '95.##.112.90':21810
- '96.##.193.178':21810
- '89.##7.194.216':21810
- '84.##7.134.185':21810
- '67.#1.25.80':21810
- '93.##4.189.98':21810
- '50.##8.140.51':21810
- '24.##.211.149':21810
- '88.##6.132.50':21810
- '18#.#23.36.49':21810
- '12#.#38.229.193':21810
- '85.##1.208.98':21810
- '18#.#4.141.51':21810
- '31.##0.4.147':21810
- '11#.#41.133.236':21810
- '89.##.154.17':21810
- '31.##7.155.132':21810
- '88.#.101.240':21810
- '93.##6.3.185':21810
- '24.##6.13.21':21810
- '97.##.20.149':21810
- '11#.#41.142.247':21810
- '13#.#12.187.41':21810
- '13#.#4.245.118':21810
- '88.##4.119.57':21810
- '95.##.155.172':21810
- '18#.#32.26.237':21810
- '11#.#04.45.60':21810
- '41.##1.51.247':21810
- '12#.#3.64.107':21810
- '95.##.106.189':21810
- '81.##6.58.27':21810
- '69.##2.105.54':21810
- '41.##.90.230':21810
- '79.##6.45.40':21810
- '19#.#6.21.110':21810
- '78.#8.153.3':21810
- '11#.#93.119.209':21810
- '12#.#31.42.106':21810
- '87.#7.69.17':21810
- '82.##0.223.4':21810
- '89.##6.238.98':21810
- '79.##3.187.179':21810
- '94.##6.74.111':21810
- '85.#7.9.106':21810
- '21#.#8.187.115':21810
- '16#.#59.114.225':21810
- '79.##3.221.46':21810
- '93.##2.64.12':21810
- '59.##.241.107':21810
- '68.##6.220.2':21810
- '46.##0.3.184':21810
- '78.##1.94.42':21810
- '68.##.131.130':21810
- '59.##.216.53':21810
- '24.##.89.220':21810
- '18#.#74.162.222':21810
- '18#.#5.123.137':21810
- '77.##2.110.38':21810
- '18#.#60.24.230':21810
- '12#.#45.20.165':21810
- '1.##.17.203':21810
- '17#.#5.12.77':21810
- '10#.#98.221.81':21810
- '17#.#43.155.179':21810
- '18#.#35.187.11':21810
- '66.##.140.171':21810
- '12#.#45.140.207':21810
- '12#.#36.40.254':21810
TCP:
Запросы HTTP GET:
- 19#.#05.154.210/bad.php?w=#############################################
- 19#.#05.154.210/stat2.php?w=##########################################
- 19#.#05.154.210/stat2.php?w=###########################################
