Техническая информация
Для обеспечения автозапуска и распространения:
Создает или изменяет следующие файлы:
- %WINDIR%\Tasks\At98.job
- %WINDIR%\Tasks\At97.job
- %WINDIR%\Tasks\At100.job
- %WINDIR%\Tasks\At99.job
- %WINDIR%\Tasks\At96.job
- %WINDIR%\Tasks\At93.job
- %WINDIR%\Tasks\At92.job
- %WINDIR%\Tasks\At95.job
- %WINDIR%\Tasks\At94.job
- %WINDIR%\Tasks\At107.job
- %WINDIR%\Tasks\At106.job
- %WINDIR%\Tasks\At109.job
- %WINDIR%\Tasks\At108.job
- %WINDIR%\Tasks\At105.job
- %WINDIR%\Tasks\At102.job
- %WINDIR%\Tasks\At101.job
- %WINDIR%\Tasks\At104.job
- %WINDIR%\Tasks\At103.job
- %WINDIR%\Tasks\At80.job
- %WINDIR%\Tasks\At79.job
- %WINDIR%\Tasks\At82.job
- %WINDIR%\Tasks\At81.job
- %WINDIR%\Tasks\At78.job
- %WINDIR%\Tasks\At75.job
- %WINDIR%\Tasks\At74.job
- %WINDIR%\Tasks\At77.job
- %WINDIR%\Tasks\At76.job
- %WINDIR%\Tasks\At89.job
- %WINDIR%\Tasks\At88.job
- %WINDIR%\Tasks\At91.job
- %WINDIR%\Tasks\At90.job
- %WINDIR%\Tasks\At87.job
- %WINDIR%\Tasks\At84.job
- %WINDIR%\Tasks\At83.job
- %WINDIR%\Tasks\At86.job
- %WINDIR%\Tasks\At85.job
- %WINDIR%\Tasks\At134.job
- %WINDIR%\Tasks\At133.job
- %WINDIR%\Tasks\At136.job
- %WINDIR%\Tasks\At135.job
- %WINDIR%\Tasks\At132.job
- %WINDIR%\Tasks\At129.job
- %WINDIR%\Tasks\At128.job
- %WINDIR%\Tasks\At131.job
- %WINDIR%\Tasks\At130.job
- %WINDIR%\Tasks\At143.job
- %WINDIR%\Tasks\At142.job
- %WINDIR%\Tasks\At145.job
- %WINDIR%\Tasks\At144.job
- %WINDIR%\Tasks\At141.job
- %WINDIR%\Tasks\At138.job
- %WINDIR%\Tasks\At137.job
- %WINDIR%\Tasks\At140.job
- %WINDIR%\Tasks\At139.job
- %WINDIR%\Tasks\At116.job
- %WINDIR%\Tasks\At115.job
- %WINDIR%\Tasks\At118.job
- %WINDIR%\Tasks\At117.job
- %WINDIR%\Tasks\At114.job
- %WINDIR%\Tasks\At111.job
- %WINDIR%\Tasks\At110.job
- %WINDIR%\Tasks\At113.job
- %WINDIR%\Tasks\At112.job
- %WINDIR%\Tasks\At125.job
- %WINDIR%\Tasks\At124.job
- %WINDIR%\Tasks\At127.job
- %WINDIR%\Tasks\At126.job
- %WINDIR%\Tasks\At123.job
- %WINDIR%\Tasks\At120.job
- %WINDIR%\Tasks\At119.job
- %WINDIR%\Tasks\At122.job
- %WINDIR%\Tasks\At121.job
- %WINDIR%\Tasks\At73.job
- %WINDIR%\Tasks\At25.job
- %WINDIR%\Tasks\At24.job
- %WINDIR%\Tasks\At27.job
- %WINDIR%\Tasks\At26.job
- %WINDIR%\Tasks\At23.job
- %WINDIR%\Tasks\At20.job
- %WINDIR%\Tasks\At19.job
- %WINDIR%\Tasks\At22.job
- %WINDIR%\Tasks\At21.job
- %WINDIR%\Tasks\At34.job
- %WINDIR%\Tasks\At33.job
- %WINDIR%\Tasks\At36.job
- %WINDIR%\Tasks\At35.job
- %WINDIR%\Tasks\At32.job
- %WINDIR%\Tasks\At29.job
- %WINDIR%\Tasks\At28.job
- %WINDIR%\Tasks\At31.job
- %WINDIR%\Tasks\At30.job
- %WINDIR%\Tasks\At7.job
- %WINDIR%\Tasks\At6.job
- %WINDIR%\Tasks\At9.job
- %WINDIR%\Tasks\At8.job
- %WINDIR%\Tasks\At5.job
- %WINDIR%\Tasks\At2.job
- %WINDIR%\Tasks\At1.job
- %WINDIR%\Tasks\At4.job
- %WINDIR%\Tasks\At3.job
- %WINDIR%\Tasks\At16.job
- %WINDIR%\Tasks\At15.job
- %WINDIR%\Tasks\At18.job
- %WINDIR%\Tasks\At17.job
- %WINDIR%\Tasks\At14.job
- %WINDIR%\Tasks\At11.job
- %WINDIR%\Tasks\At10.job
- %WINDIR%\Tasks\At13.job
- %WINDIR%\Tasks\At12.job
- %WINDIR%\Tasks\At61.job
- %WINDIR%\Tasks\At60.job
- %WINDIR%\Tasks\At63.job
- %WINDIR%\Tasks\At62.job
- %WINDIR%\Tasks\At59.job
- %WINDIR%\Tasks\At56.job
- %WINDIR%\Tasks\At55.job
- %WINDIR%\Tasks\At58.job
- %WINDIR%\Tasks\At57.job
- %WINDIR%\Tasks\At70.job
- %WINDIR%\Tasks\At69.job
- %WINDIR%\Tasks\At72.job
- %WINDIR%\Tasks\At71.job
- %WINDIR%\Tasks\At68.job
- %WINDIR%\Tasks\At65.job
- %WINDIR%\Tasks\At64.job
- %WINDIR%\Tasks\At67.job
- %WINDIR%\Tasks\At66.job
- %WINDIR%\Tasks\At43.job
- %WINDIR%\Tasks\At42.job
- %WINDIR%\Tasks\At45.job
- %WINDIR%\Tasks\At44.job
- %WINDIR%\Tasks\At41.job
- %WINDIR%\Tasks\At38.job
- %WINDIR%\Tasks\At37.job
- %WINDIR%\Tasks\At40.job
- %WINDIR%\Tasks\At39.job
- %WINDIR%\Tasks\At52.job
- %WINDIR%\Tasks\At51.job
- %WINDIR%\Tasks\At54.job
- %WINDIR%\Tasks\At53.job
- %WINDIR%\Tasks\At50.job
- %WINDIR%\Tasks\At47.job
- %WINDIR%\Tasks\At46.job
- %WINDIR%\Tasks\At49.job
- %WINDIR%\Tasks\At48.job
Вредоносные функции:
Запускает на исполнение:
- '<SYSTEM32>\schtasks.exe' /create /sc minute /mo 20 /tn mbrytpcugh /f /ed 01/01/2017 /tr "<SYSTEM32>\5ba0jH3p.com"
- '<SYSTEM32>\schtasks.exe' /create /sc minute /mo 20 /tn ksvdkxwoko /f /ed 01/01/2017 /tr "<LS_APPDATA>\5ba0jH3p.exe"
- '<SYSTEM32>\wermgr.exe' -queuereporting
- '<SYSTEM32>\schtasks.exe' /create /sc minute /mo 20 /tn hhmmhgioxm /f /ed 01/01/2017 /tr "%WINDIR%\Fonts\5ba0jH3p.com"
Изменяет следующие настройки браузера Windows Internet Explorer:
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings] 'WarnOnZoneCrossing' = '00000000'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] '2500' = '00000003'
Изменения в файловой системе:
Создает следующие файлы:
- <LS_APPDATA>\5ba0jH3p.exe
- <SYSTEM32>\Tasks\mbrytpcugh
- <SYSTEM32>\Tasks\At98
- <SYSTEM32>\Tasks\At97
- <SYSTEM32>\Tasks\At96
- <SYSTEM32>\Tasks\At93
- <SYSTEM32>\Tasks\At92
- <SYSTEM32>\Tasks\At95
- <SYSTEM32>\Tasks\At94
- <SYSTEM32>\Tasks\At99
- <SYSTEM32>\Tasks\At106
- <SYSTEM32>\Tasks\At105
- <SYSTEM32>\Tasks\At108
- <SYSTEM32>\Tasks\At107
- <SYSTEM32>\Tasks\At104
- <SYSTEM32>\Tasks\At101
- <SYSTEM32>\Tasks\At100
- <SYSTEM32>\Tasks\At103
- <SYSTEM32>\Tasks\At102
- <SYSTEM32>\Tasks\At79
- <SYSTEM32>\Tasks\At78
- <SYSTEM32>\Tasks\At81
- <SYSTEM32>\Tasks\At80
- <SYSTEM32>\Tasks\At77
- <SYSTEM32>\Tasks\At74
- <SYSTEM32>\Tasks\At73
- <SYSTEM32>\Tasks\At76
- <SYSTEM32>\Tasks\At75
- <SYSTEM32>\Tasks\At82
- <SYSTEM32>\Tasks\At89
- <SYSTEM32>\Tasks\At88
- <SYSTEM32>\Tasks\At91
- <SYSTEM32>\Tasks\At90
- <SYSTEM32>\Tasks\At87
- <SYSTEM32>\Tasks\At84
- <SYSTEM32>\Tasks\At83
- <SYSTEM32>\Tasks\At86
- <SYSTEM32>\Tasks\At85
- <SYSTEM32>\Tasks\At109
- <SYSTEM32>\Tasks\At135
- <SYSTEM32>\Tasks\At134
- <SYSTEM32>\Tasks\At137
- <SYSTEM32>\Tasks\At136
- <SYSTEM32>\Tasks\At133
- <SYSTEM32>\Tasks\At130
- <SYSTEM32>\Tasks\At129
- <SYSTEM32>\Tasks\At132
- <SYSTEM32>\Tasks\At131
- <SYSTEM32>\Tasks\At138
- <SYSTEM32>\Tasks\ksvdkxwoko
- <SYSTEM32>\Tasks\At144
- <SYSTEM32>\Tasks\At145
- C:\ProgramData\5ba0jH3p.exe
- <SYSTEM32>\Tasks\At143
- <SYSTEM32>\Tasks\At140
- <SYSTEM32>\Tasks\At139
- <SYSTEM32>\Tasks\At142
- <SYSTEM32>\Tasks\At141
- <SYSTEM32>\Tasks\At116
- <SYSTEM32>\Tasks\At115
- <SYSTEM32>\Tasks\At118
- <SYSTEM32>\Tasks\At117
- <SYSTEM32>\Tasks\At114
- <SYSTEM32>\Tasks\At111
- <SYSTEM32>\Tasks\At110
- <SYSTEM32>\Tasks\At113
- <SYSTEM32>\Tasks\At112
- <SYSTEM32>\Tasks\At119
- <SYSTEM32>\Tasks\At126
- <SYSTEM32>\Tasks\At125
- <SYSTEM32>\Tasks\At128
- <SYSTEM32>\Tasks\At127
- <SYSTEM32>\Tasks\At124
- <SYSTEM32>\Tasks\At121
- <SYSTEM32>\Tasks\At120
- <SYSTEM32>\Tasks\At123
- <SYSTEM32>\Tasks\At122
- <SYSTEM32>\Tasks\At72
- <SYSTEM32>\Tasks\At22
- <SYSTEM32>\Tasks\At21
- <SYSTEM32>\Tasks\At24
- <SYSTEM32>\Tasks\At23
- <SYSTEM32>\Tasks\At20
- <SYSTEM32>\Tasks\At17
- <SYSTEM32>\Tasks\At16
- <SYSTEM32>\Tasks\At19
- <SYSTEM32>\Tasks\At18
- <SYSTEM32>\Tasks\At25
- <SYSTEM32>\Tasks\At32
- <SYSTEM32>\Tasks\At31
- <SYSTEM32>\Tasks\At34
- <SYSTEM32>\Tasks\At33
- <SYSTEM32>\Tasks\At30
- <SYSTEM32>\Tasks\At27
- <SYSTEM32>\Tasks\At26
- <SYSTEM32>\Tasks\At29
- <SYSTEM32>\Tasks\At28
- <SYSTEM32>\Tasks\At3
- <SYSTEM32>\Tasks\At2
- <SYSTEM32>\Tasks\At5
- <SYSTEM32>\Tasks\At4
- <SYSTEM32>\Tasks\At1
- %WINDIR%\Fonts\5ba0jH3p.com
- C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\d42cc0c3858a58db2db37658219e6400_fdaad129-04df-4089-bb80-174ce725f721
- <SYSTEM32>\Microsoft\Protect\S-1-5-18\User\7512db08-1df5-4da3-8265-6570d24fdca0
- <SYSTEM32>\Tasks\At6
- <SYSTEM32>\Tasks\At13
- <SYSTEM32>\Tasks\At12
- <SYSTEM32>\Tasks\At15
- <SYSTEM32>\Tasks\At14
- <SYSTEM32>\Tasks\At11
- <SYSTEM32>\Tasks\At8
- <SYSTEM32>\Tasks\At7
- <SYSTEM32>\Tasks\At10
- <SYSTEM32>\Tasks\At9
- <SYSTEM32>\Tasks\At35
- <SYSTEM32>\Tasks\At59
- <SYSTEM32>\Tasks\At58
- <SYSTEM32>\Tasks\At61
- <SYSTEM32>\Tasks\At60
- <SYSTEM32>\Tasks\At57
- <SYSTEM32>\Tasks\At54
- <SYSTEM32>\Tasks\At53
- <SYSTEM32>\Tasks\At56
- <SYSTEM32>\Tasks\At55
- <SYSTEM32>\Tasks\At62
- <SYSTEM32>\Tasks\At69
- <SYSTEM32>\Tasks\At68
- <SYSTEM32>\Tasks\At71
- <SYSTEM32>\Tasks\At70
- <SYSTEM32>\Tasks\At67
- <SYSTEM32>\Tasks\At64
- <SYSTEM32>\Tasks\At63
- <SYSTEM32>\Tasks\At66
- <SYSTEM32>\Tasks\At65
- <SYSTEM32>\Tasks\At42
- <SYSTEM32>\Tasks\At41
- <SYSTEM32>\Tasks\At44
- <SYSTEM32>\Tasks\At43
- <SYSTEM32>\Tasks\At40
- <SYSTEM32>\Tasks\At37
- <SYSTEM32>\Tasks\At36
- <SYSTEM32>\Tasks\At39
- <SYSTEM32>\Tasks\At38
- <SYSTEM32>\Tasks\At45
- <SYSTEM32>\Tasks\At50
- <SYSTEM32>\Tasks\At49
- <SYSTEM32>\Tasks\At52
- <SYSTEM32>\Tasks\At51
- <SYSTEM32>\5ba0jH3p.com
- <SYSTEM32>\Tasks\At47
- <SYSTEM32>\Tasks\At46
- <SYSTEM32>\Tasks\hhmmhgioxm
- <SYSTEM32>\Tasks\At48
Удаляет следующие файлы:
- %TEMP%\~DF9E8EE31A620A8099.TMP
- %TEMP%\~DF93B9001B642EE52D.TMP
- %TEMP%\~DF41CB46833F9DBE03.TMP
- %TEMP%\~DFBD856D55262B941F.TMP
Сетевая активность:
UDP:
- DNS ASK 6.#.#.###.##########.#####79882.0.0.4b264c5739da7569bf2edde8c86f862ae0314a96a257211619.method.in
- DNS ASK 4b################2edde8c86f862ae0314a96a257211619.0.0.f3.method.in
- DNS ASK 60#.###############9bf2edde8c86f862ae0314a96a257211619.ofi.method.in
- '94.##8.209.132':60948
- '94.##8.209.132':61283
- '94.##8.209.132':60588
- '94.##8.209.132':58853
- '94.##8.209.132':53696
- '94.##8.209.132':63861
- '94.##8.209.132':64510
- '94.##8.209.132':49932
- '94.##8.209.132':63063
- '94.##8.209.132':64392
- '94.##8.209.132':63489
- '94.##8.209.132':62534
- '94.##8.209.132':55725
- '94.##8.209.132':58033
- '94.##8.209.132':56699
- '94.##8.209.132':55405
- '94.##8.209.132':62324
