Техническая информация
Вредоносные функции
Запускает на исполнение
- '<SYSTEM32>\taskkill.exe' /f /im KsDumperClient.exe
- '<SYSTEM32>\taskkill.exe' /f /im Dbg32.exe
- '<SYSTEM32>\taskkill.exe' /f /im Dbg64.exe
- '<SYSTEM32>\taskkill.exe' /f /im Ida64.exe
- '<SYSTEM32>\taskkill.exe' /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
- '<SYSTEM32>\taskkill.exe' /f /im x32dbg.exe
- '<SYSTEM32>\taskkill.exe' /f /im x64dbg.exe
- '<SYSTEM32>\taskkill.exe' /f /im OllyDbg.exe
- '<SYSTEM32>\taskkill.exe' /f /im HTTP Debugger Windows Service (32 bit).exe
- '<SYSTEM32>\taskkill.exe' /f /im cheatengine-i386.exe
- '<SYSTEM32>\taskkill.exe' /f /im MugenJinFuu-i386.exe
- '<SYSTEM32>\taskkill.exe' /f /im MugenJinFuu-x86_64-SSE4-AVX2.exe
- '<SYSTEM32>\taskkill.exe' /f /im cheatengine-x86_64-SSE4-AVX2.exe
- '<SYSTEM32>\taskkill.exe' /f /im cheatengine-x86_64.exe
- '<SYSTEM32>\taskkill.exe' /f /im Cheat Engine.exe
- '<SYSTEM32>\taskkill.exe' /f /im de4dot.exe
- '<SYSTEM32>\taskkill.exe' /f /im Xenos32.exe
- '<SYSTEM32>\taskkill.exe' /f /im Xenos.exe
- '<SYSTEM32>\taskkill.exe' /f /im Xenos64.exe
- '<SYSTEM32>\taskkill.exe' /f /im FiddlerEverywhere.exe
- '<SYSTEM32>\taskkill.exe' /f /im Fiddler.exe
- '<SYSTEM32>\taskkill.exe' /f /im Wireshark.exe
- '<SYSTEM32>\taskkill.exe' /f /im idaq64.exe
- '<SYSTEM32>\taskkill.exe' /f /im idaq.exe
- '<SYSTEM32>\taskkill.exe' /f /im ProcessHacker.exe
- '<SYSTEM32>\taskkill.exe' /f /im HTTPDebuggerSvc.exe
- '<SYSTEM32>\taskkill.exe' /f /im HTTPDebuggerUI.exe
- '<SYSTEM32>\taskkill.exe' /f /im KsDumper.exe
- '<SYSTEM32>\taskkill.exe' /FI "IMAGENAME eq cheatengine*" /IM * /F /T
- '<SYSTEM32>\taskkill.exe' /FI "IMAGENAME eq processhacker*" /IM * /F /T
Запускает большое число процессов
Ищет следующие окна с целью
обнаружения утилит для анализа:
- ClassName: 'PROCEXPL', WindowName: ''
- ClassName: '', WindowName: 'The Wireshark Network Analyzer'
- ClassName: 'OLLYDBG', WindowName: ''
Изменения в файловой системе
Создает следующие файлы
- nul
Другое
Ищет следующие окна
- ClassName: '' WindowName: ''
- ClassName: 'cheatengine-i386.exe' WindowName: ''
- ClassName: 'Cheat Engine.exe' WindowName: ''
- ClassName: 'idaq64.exe' WindowName: ''
- ClassName: 'KsDumper' WindowName: ''
- ClassName: 'x64dbg' WindowName: ''
- ClassName: 'The Wireshark Network Analyzer' WindowName: ''
- ClassName: 'Progress Telerik Fiddler Web Debugger' WindowName: ''
- ClassName: 'dnSpy' WindowName: ''
- ClassName: 'IDA v7.0.170914' WindowName: ''
- ClassName: 'ImmunityDebugger' WindowName: ''
- ClassName: 'ollydbg.exe' WindowName: ''
- ClassName: 'KsDumper.exe' WindowName: ''
- ClassName: 'createdump.exe' WindowName: ''
- ClassName: 'HTTPDebuggerSvc.exe' WindowName: ''
- ClassName: 'Fiddler.exe' WindowName: ''
- ClassName: 'sniff_hit.exe' WindowName: ''
- ClassName: 'windbg.exe' WindowName: ''
- ClassName: 'sysAnalyzer.exe' WindowName: ''
- ClassName: 'proc_analyzer.exe' WindowName: ''
- ClassName: 'dumpcap.exe' WindowName: ''
- ClassName: 'HookExplorer.exe' WindowName: ''
- ClassName: 'Dump-Fixer.exe' WindowName: ''
- ClassName: 'kdstinker.exe' WindowName: ''
- ClassName: 'Vmwareuser.exe' WindowName: ''
- ClassName: 'LordPE.exe' WindowName: ''
- ClassName: 'PETools.exe' WindowName: ''
- ClassName: 'ImmunityDebugger.exe' WindowName: ''
- ClassName: 'radare2.exe' WindowName: ''
- ClassName: 'x64dbg.exe' WindowName: ''
- ClassName: 'MugenJinFuu-x86_64.exe' WindowName: ''
- ClassName: '' WindowName: 'OllyDbg - [CPU]'
- ClassName: 'MugenJinFuu-i386.exe' WindowName: ''
- ClassName: 'MugenJinFuu-x86_64-SSE4-AVX2.exe' WindowName: ''
- ClassName: 'dbgviewClass' WindowName: ''
- ClassName: 'XTPMainFrame' WindowName: ''
- ClassName: 'WdcWindow' WindowName: 'Resource Monitor'
- ClassName: '' WindowName: 'cheatengine-x86_64-SSE4-AVX2.exe'
- ClassName: '' WindowName: 'MugenJinFuu-i386.exe'
- ClassName: '' WindowName: 'Mugen JinFuu.exe'
- ClassName: '' WindowName: 'MugenJinFuu-x86_64-SSE4-AVX2.exe'
- ClassName: '' WindowName: 'MugenJinFuu-x86_64.exe'
- ClassName: '' WindowName: 'Progress Telerik Fiddler Web Debugger'
- ClassName: '' WindowName: 'x64dbg'
- ClassName: '' WindowName: 'KsDumper'
- ClassName: '' WindowName: 'dnSpy'
- ClassName: '' WindowName: 'idaq64'
- ClassName: '' WindowName: 'Fiddler Everywhere'
- ClassName: '' WindowName: 'Wireshark'
- ClassName: '' WindowName: 'Dumpcap'
- ClassName: '' WindowName: 'Fiddler.WebUi'
- ClassName: '' WindowName: 'HTTP Debugger (32bits)'
- ClassName: '' WindowName: 'HTTP Debugger'
- ClassName: '' WindowName: 'ida64'
- ClassName: '' WindowName: 'IDA v7.0.170914'
- ClassName: 'WinDbgFrameClass' WindowName: ''
- ClassName: 'IDA' WindowName: ''
- ClassName: 'IDA64' WindowName: ''
- ClassName: 'ida64.exe' WindowName: ''
- ClassName: 'cheatengine-x86_64.exe' WindowName: ''
- ClassName: 'cheatengine-x86_64-SSE4-AVX2.exe' WindowName: ''
- ClassName: 'Cheat Engine' WindowName: ''
- ClassName: 'ida.exe' WindowName: ''
- ClassName: 'Mugen JinFuu.exe' WindowName: ''
- ClassName: '' WindowName: 'Immunity Debugger - [CPU]'
Запускает на исполнение
- '<SYSTEM32>\cmd.exe' /c cls
- '<SYSTEM32>\cmd.exe' /c taskkill /f /im Dbg32.exe >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c taskkill /f /im Dbg64.exe >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c taskkill /f /im Ida64.exe >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c taskkill /f /im x32dbg.exe >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c taskkill /f /im x64dbg.exe >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c taskkill /f /im OllyDbg.exe >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c taskkill /f /im HTTP Debugger Windows Service (32 bit).exe >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c taskkill /f /im cheatengine-i386.exe >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c taskkill /f /im MugenJinFuu-i386.exe >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c taskkill /f /im MugenJinFuu-x86_64-SSE4-AVX2.exe >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c taskkill /f /im cheatengine-x86_64-SSE4-AVX2.exe >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c taskkill /f /im cheatengine-x86_64.exe >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c taskkill /f /im Cheat Engine.exe >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c taskkill /f /im Xenos32.exe >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c taskkill /f /im Xenos.exe >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c taskkill /f /im Xenos64.exe >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c taskkill /f /im FiddlerEverywhere.exe >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c taskkill /f /im Fiddler.exe >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c taskkill /f /im Wireshark.exe >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c taskkill /f /im idaq64.exe >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c taskkill /f /im idaq.exe >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c taskkill /f /im ProcessHacker.exe >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c taskkill /f /im KsDumper.exe >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c taskkill /f /im KsDumperClient.exe >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c taskkill /f /im de4dot.exe >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
