Техническая информация
Для обеспечения автозапуска и распространения
Модифицирует следующие ключи реестра
- [HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '?e215d0' = 'mshta javascript:M2pOB8kx="xveD47";QE30=new%20ActiveXObject("WScript.Shell");Vm7DzmI6P="hoQv9j";OsM4I1=QE30.RegRead...
- [HKLM\software\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run] 'a2cd0142' = 'mshta javascript:oToExe9W="Z79GDvUdcL";nX38=new%20ActiveXObject("WScript.Shell");hx0aohy="6mV4e3...
- [HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] '?e215d0' = 'mshta javascript:uRVNUp0EU="zy";zq2=new%20ActiveXObject("WScript.Shell");P2uNM7By="bz2cN";Ar2yY=zq2.RegRead("HKCU\\software\\d2...
Вредоносные функции
Внедряет код в
следующие системные процессы:
- %WINDIR%\syswow64\regsvr32.exe
Изменяет следующие настройки браузера Windows Internet Explorer
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] '1206' = '00000000'
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] '2300' = '00000000'
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] '1809' = '00000003'
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1] '1206' = '00000000'
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1] '2300' = '00000000'
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1] '1809' = '00000003'
Изменения в файловой системе
Самоудаляется.
Сетевая активность
Подключается к
- '23#.#3.200.251':80
- '15.#.152.53':8080
- '11#.#23.10.165':80
- '10#.#0.175.166':80
- '80.##6.34.181':80
- '13#.#64.105.105':443
- '16#.#49.113.1':443
- '84.##3.210.205':8080
- '20#.#0.244.95':80
- '59.##7.211.63':443
- '12#.#2.108.64':80
- '21#.#86.237.46':80
- '89.##.34.180':80
- '81.##6.96.149':80
- '23#.#32.19.15':80
- '14#.#69.140.131':80
- '63.##3.29.52':80
- '19#.#99.128.207':80
- '10#.#93.238.231':80
- '20#.#51.234.30':80
- '20#.#7.53.93':80
- '15#.#33.56.107':80
- '67.##4.125.143':80
- '85.##.212.208':80
- '14#.#48.28.159':8080
- '28.##.18.223':80
- '13#.#2.207.245':80
- '19#.#33.229.188':80
- '23#.#9.116.210':80
- '81.##.237.126':80
- '65.#27.79.7':80
- '25#.#99.254.98':80
- '20#.#9.132.13':80
- '64.##1.170.255':80
- '20#.#0.91.153':80
- '16#.#32.226.45':80
- '17#.#02.92.194':80
- '78.##5.41.235':80
- '19#.#56.145.195':80
- '66.##8.83.108':80
- '25#.#4.46.138':80
- '11#.#2.230.231':80
- '13#.#0.120.82':80
- '51.##0.192.151':443
- '10#.#4.186.49':8080
- '85.##4.73.250':80
- '3.###.239.88':80
- '30.##.13.214':80
- '17#.#6.211.173':80
- '20#.#8.5.143':80
- '12#.#46.159.37':8080
- '24#.#45.170.36':80
- '10.##0.119.233':80
- '1.###.180.210':80
- '38.#.82.184':8080
- '23#.#03.220.90':80
- '1.##.179.110':80
- '11#.#9.132.96':80
- '21.##.212.41':80
- '23#.#42.159.103':80
- '14#.#07.76.207':80
- '10.##.59.214':80
- '23#.#74.242.22':80
- '67.##.181.190':80
- '37.##5.239.9':80
- '24#.#03.145.93':80
- '18#.#22.88.201':80
- '42.##7.23.40':80
- '23#.#2.36.227':80
- '23#.#.45.254':80
- '36.##5.86.225':80
- '87.##2.123.143':443
- '23#.#79.144.28':80
- '18#.#7.233.35':80
Другое
Ищет следующие окна
- ClassName: 'MS_AutodialMonitor' WindowName: ''
- ClassName: 'MS_WebCheckMonitor' WindowName: ''
Создает и запускает на исполнение
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' iex $env:gkqvcccn' (со скрытым окном)
Запускает на исполнение
- '<SYSTEM32>\mshta.exe' javascript:sD6Ua3cH="4SdJG";I79u=new%20ActiveXObject("WScript.Shell");hOo8xQj="N";Oui9M=I79u.RegRead("HKLM\\software\\Wow6432Node\\usfcLtkeqc\\PoaZQy");lJas1jXR="hA9obqQd";eval(Oui9M);dUd0uDhz=...
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' iex $env:gkqvcccn
- '%WINDIR%\syswow64\regsvr32.exe'
