Техническая информация
Для обеспечения автозапуска и распространения
Модифицирует следующие ключи реестра
- [HKLM\Software\Classes\Fiddler.ArchiveZip\Shell\Open\command] '' = '"%ProgramFiles(x86)%\Fiddler2\Fiddler.exe" -noattach "%1"'
- [HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Extensions\{CF819DA3-9882-4944-ADF5-6EF17ECF3C6E}] 'Exec' = '"%ProgramFiles(x86)%\Fiddler2\Fiddler.exe"'
- [HKLM\Software\Microsoft\Internet Explorer\Extensions\{CF819DA3-9882-4944-ADF5-6EF17ECF3C6E}] 'Exec' = '"%ProgramFiles(x86)%\Fiddler2\Fiddler.exe"'
Вредоносные функции
Запускает на исполнение
- '%WINDIR%\syswow64\netsh.exe' advfirewall firewall add rule name="FiddlerProxy" program="%ProgramFiles(x86)%\Fiddler2\Fiddler.exe" action=allow profile=any dir=in edge=deferuser protocol=tcp description="Permit inbound conn...
Ищет следующие окна с целью
обнаружения утилит для анализа:
- ClassName: '', WindowName: 'Fiddler - HTTP Debugging Proxy'
Изменения в файловой системе
Создает следующие файлы
- %TEMP%\7zscc53.tmp\fiddler4setup.exe
- %ProgramFiles(x86)%\fiddler2\responsetemplates\204_nocontent.dat
- %ProgramFiles(x86)%\fiddler2\responsetemplates\302_redirect.dat
- %ProgramFiles(x86)%\fiddler2\responsetemplates\303_redirectwithget.dat
- %ProgramFiles(x86)%\fiddler2\responsetemplates\304_notmodified.dat
- %ProgramFiles(x86)%\fiddler2\responsetemplates\307_redirectwithmethod.dat
- %ProgramFiles(x86)%\fiddler2\responsetemplates\401_authbasic.dat
- %ProgramFiles(x86)%\fiddler2\responsetemplates\401_authdigest.dat
- %ProgramFiles(x86)%\fiddler2\responsetemplates\403_authdeny.dat
- %ProgramFiles(x86)%\fiddler2\responsetemplates\404_plain.dat
- %ProgramFiles(x86)%\fiddler2\responsetemplates\407_proxyauthbasic.dat
- %ProgramFiles(x86)%\fiddler2\responsetemplates\502_unreachable.dat
- %TEMP%\nsxd79b.tmp\system.dll
- %ProgramFiles(x86)%\fiddler2\fiddlerhook\chrome.manifest
- %ProgramFiles(x86)%\fiddler2\fiddlerhook\install.rdf
- %ProgramFiles(x86)%\fiddler2\fiddlerhook\content\about.xul
- %ProgramFiles(x86)%\fiddler2\fiddlerhook\content\fiddlerhook.png
- %ProgramFiles(x86)%\fiddler2\fiddlerhook\content\firefoxoverlay.xul
- %ProgramFiles(x86)%\fiddler2\fiddlerhook\content\overlay.js
- %ProgramFiles(x86)%\fiddler2\fiddlerhook\defaults\preferences\fiddlerhook.js
- %ProgramFiles(x86)%\fiddler2\fiddlerhook\locale\en-us\about.dtd
- %ProgramFiles(x86)%\fiddler2\fiddlerhook\locale\en-us\fiddlerhook.dtd
- %ProgramFiles(x86)%\fiddler2\fiddlerhook\locale\en-us\fiddlerhook.properties
- %ProgramFiles(x86)%\fiddler2\fiddlerhook\skin\overlay.css
- %ProgramFiles(x86)%\fiddler2\fiddlerhook\skin\toolbar-button.png
- %ALLUSERSPROFILE%\microsoft\windows\start menu\programs\fiddler2.lnk
- %ProgramFiles(x86)%\fiddler2\uninst.exe
- %WINDIR%\assembly\nativeimages_v4.0.30319_64\temp\a88-0\xceed.zip.v5.4.dll
- %WINDIR%\assembly\nativeimages_v4.0.30319_64\temp\290-0\xceed.filesystem.v5.4.dll
- %WINDIR%\assembly\nativeimages_v4.0.30319_64\temp\448-0\xceed.compression.v5.4.dll
- %ProgramFiles(x86)%\fiddler2\responsetemplates\200_transpixel.dat
- %WINDIR%\assembly\nativeimages_v4.0.30319_64\temp\b0c-0\xceed.compression.formats.v5.4.dll
- %ProgramFiles(x86)%\fiddler2\responsetemplates\200_simplehtml.dat
- %ProgramFiles(x86)%\fiddler2\importexport\vswebtestexport.dll
- %TEMP%\nssd45f.tmp
- %ProgramFiles(x86)%\fiddler2\updatefiddler.exe
- %ProgramFiles(x86)%\fiddler2\updatefiddler2.exe
- %ProgramFiles(x86)%\fiddler2\fiddler.exe
- %ProgramFiles(x86)%\fiddler2\trustcert.exe
- %ProgramFiles(x86)%\fiddler2\fiddler.exe.config
- %ProgramFiles(x86)%\fiddler2\credits.txt
- %ProgramFiles(x86)%\fiddler2\makecert.exe
- %ProgramFiles(x86)%\fiddler2\countdown.wav
- %ProgramFiles(x86)%\fiddler2\screenshot.wav
- %ProgramFiles(x86)%\fiddler2\loadscript.wav
- %ProgramFiles(x86)%\fiddler2\loadscripterror.wav
- %ProgramFiles(x86)%\fiddler2\ie_toolbar.ico
- %ProgramFiles(x86)%\fiddler2\saz.ico
- %ProgramFiles(x86)%\fiddler2\xceed.filesystem.v5.4.dll
- %ProgramFiles(x86)%\fiddler2\xceed.zip.v5.4.dll
- %ProgramFiles(x86)%\fiddler2\xceed.compression.v5.4.dll
- %ProgramFiles(x86)%\fiddler2\xceed.compression.formats.v5.4.dll
- %ProgramFiles(x86)%\fiddler2\execaction.exe
- %ProgramFiles(x86)%\fiddler2\forcecpu.exe
- %ProgramFiles(x86)%\fiddler2\inspectors\standard.dll
- %ProgramFiles(x86)%\fiddler2\inspectors\be.windows.forms.hexbox.dll
- %ProgramFiles(x86)%\fiddler2\tools\zopfli.exe
- %ProgramFiles(x86)%\fiddler2\tools\dwebp.exe
- %ProgramFiles(x86)%\fiddler2\scripts\samplerules.js
- %ProgramFiles(x86)%\fiddler2\scripts\simplefilter.dll
- %ProgramFiles(x86)%\fiddler2\scripts\timeline.dll
- %ProgramFiles(x86)%\fiddler2\scripts\geoedge.dll
- %ProgramFiles(x86)%\fiddler2\importexport\basicformats.dll
- %ProgramFiles(x86)%\fiddler2\responsetemplates\200_fiddlergif.dat
- %WINDIR%\assembly\nativeimages_v4.0.30319_64\temp\a7c-0\fiddler.exe
Удаляет следующие файлы
- %TEMP%\nsxd79b.tmp\system.dll
- %TEMP%\7zscc53.tmp\fiddler4setup.exe
- %WINDIR%\assembly\nativeimages_v4.0.30319_64\index7d.dat
Перемещает следующие файлы
- %WINDIR%\assembly\nativeimages_v4.0.30319_64\temp\a88-0\xceed.zip.v5.4.dll в %WINDIR%\assembly\nativeimages_v4.0.30319_64\xceed.zip.v5.4\f6b0372a1018cea8cc592408dfef0456\xceed.zip.v5.4.ni.dll
- %WINDIR%\assembly\nativeimages_v4.0.30319_64\temp\290-0\xceed.filesystem.v5.4.dll в %WINDIR%\assembly\nativeimages_v4.0.30319_64\xceed.filesystem.v5#\399830a509408a467a59f2364167726c\xceed.filesystem.v5.4.ni.dll
- %WINDIR%\assembly\nativeimages_v4.0.30319_64\temp\448-0\xceed.compression.v5.4.dll в %WINDIR%\assembly\nativeimages_v4.0.30319_64\xceed.compression.v#\eea32ea5baba1b47338b5319b7b4c1a3\xceed.compression.v5.4.ni.dll
- %WINDIR%\assembly\nativeimages_v4.0.30319_64\temp\b0c-0\xceed.compression.formats.v5.4.dll в %WINDIR%\assembly\nativeimages_v4.0.30319_64\xceed.compression.f#\184a84c963712b13e46f2e9ecb780231\xceed.compression.formats.v5.4.ni.dll
- %WINDIR%\assembly\nativeimages_v4.0.30319_64\temp\a7c-0\fiddler.exe в %WINDIR%\assembly\nativeimages_v4.0.30319_64\fiddler\fc2a6dc8ee051932519092c8037ae52d\fiddler.ni.exe
Другое
Ищет следующие окна
- ClassName: '' WindowName: 'Fiddler2 ScriptEditor'
Создает и запускает на исполнение
- '%TEMP%\7zscc53.tmp\fiddler4setup.exe' /S
- '%WINDIR%\syswow64\netsh.exe' advfirewall firewall delete rule name="FiddlerProxy"' (со скрытым окном)
- '%WINDIR%\syswow64\netsh.exe' advfirewall firewall add rule name="FiddlerProxy" program="%ProgramFiles(x86)%\Fiddler2\Fiddler.exe" action=allow profile=any dir=in edge=deferuser protocol=tcp description="Permit inbound conn...' (со скрытым окном)
- '%WINDIR%\microsoft.net\framework64\v4.0.30319\ngen.exe' install "%ProgramFiles(x86)%\Fiddler2\Fiddler.exe"' (со скрытым окном)
- '%WINDIR%\microsoft.net\framework64\v4.0.30319\ngen.exe' install "%ProgramFiles(x86)%\Fiddler2\EnableLoopback.exe"' (со скрытым окном)
Запускает на исполнение
- '%WINDIR%\syswow64\netsh.exe' advfirewall firewall delete rule name="FiddlerProxy"
- '%WINDIR%\microsoft.net\framework64\v4.0.30319\ngen.exe' install "%ProgramFiles(x86)%\Fiddler2\Fiddler.exe"
- '%WINDIR%\microsoft.net\framework64\v4.0.30319\ngen.exe' install "%ProgramFiles(x86)%\Fiddler2\EnableLoopback.exe"
- '%WINDIR%\microsoft.net\framework64\v4.0.30319\mscorsvw.exe' -UseCLSID {BB8C4FBC-DC50-4DE8-9A04-4AD0AFD54004} -Comment "NGen Worker Process"
- '%WINDIR%\microsoft.net\framework64\v4.0.30319\mscorsvw.exe' -UseCLSID {302FE408-BB68-4C8D-BB07-A21904A9653E} -Comment "NGen Worker Process"
- '%WINDIR%\microsoft.net\framework64\v4.0.30319\mscorsvw.exe' -UseCLSID {904D9E79-1504-46A6-89E8-B42CDDF73EEB} -Comment "NGen Worker Process"
- '%WINDIR%\microsoft.net\framework64\v4.0.30319\mscorsvw.exe' -UseCLSID {46C6E430-54FD-47B2-B4C7-114D16B545FC} -Comment "NGen Worker Process"
- '%WINDIR%\microsoft.net\framework64\v4.0.30319\mscorsvw.exe' -UseCLSID {DF507DA1-E64A-4928-92F6-328F57BB06A0} -Comment "NGen Worker Process"
- '%WINDIR%\microsoft.net\framework64\v4.0.30319\mscorsvw.exe' -UseCLSID {9628B1C5-F12C-47DB-8980-6901B5AB9A5C} -Comment "NGen Worker Process"
