Техническая информация
Для обеспечения автозапуска и распространения
Создает или изменяет следующие файлы
- <SYSTEM32>\tasks\createexplorershellunelevatedtask
- <SYSTEM32>\tasks\systemdailyupdate
Вредоносные функции
Запускает на исполнение
- '<SYSTEM32>\taskkill.exe' /f /im explorer.exe
Запускает большое число процессов
Завершает или пытается завершить
следующие системные процессы:
- %WINDIR%\explorer.exe
Изменения в файловой системе
Создает следующие файлы
- %TEMP%\b15a.tmp\b15b.tmp\b15c.bat
- %TEMP%\b707.tmp\b708.tmp\b719.bat
- nul
- %TEMP%\setvolume.vbs
- %HOMEPATH%\pictures\rickroll_wallpaper.jpg
- %TEMP%\zgiyi5vv\zgiyi5vv.0.cs
- %TEMP%\zgiyi5vv\zgiyi5vv.cmdline
- %TEMP%\zgiyi5vv\zgiyi5vv.out
- %TEMP%\zgiyi5vv\csc6e0e4835e3124516a77b455ad3f1b333.tmp
- %TEMP%\rese26c.tmp
- %TEMP%\zgiyi5vv\zgiyi5vv.dll
- %LOCALAPPDATA%\microsoft\edge\user data\browsermetrics\browsermetrics-690eefba-bd4.pma
- %LOCALAPPDATA%\microsoft\edge\user data\browsermetrics\browsermetrics-690eefba-c7c.pma
- %LOCALAPPDATA%\microsoft\edge\user data\browsermetrics\browsermetrics-690eefbd-113c.pma
- %LOCALAPPDATA%\microsoft\edge\user data\browsermetrics\browsermetrics-690eefc5-e1c.pma
- %LOCALAPPDATA%\microsoft\edge\user data\default\manifest-000001
- %LOCALAPPDATA%\microsoft\edge\user data\default\000001.dbtmp
- %LOCALAPPDATA%\microsoft\edge\user data\default\manifest-000002
- %LOCALAPPDATA%\microsoft\edge\user data\default\000002.dbtmp
- %LOCALAPPDATA%\microsoft\edge\user data\default\log
- %LOCALAPPDATA%\microsoft\edge\user data\default\gpucache\index
- %LOCALAPPDATA%\microsoft\edge\user data\default\gpucache\data_0
- %LOCALAPPDATA%\microsoft\edge\user data\default\gpucache\data_2
- %LOCALAPPDATA%\microsoft\edge\user data\default\gpucache\data_3
- %LOCALAPPDATA%\microsoft\edge\user data\default\cookies-journal
- %LOCALAPPDATA%\microsoft\edge\user data\default\cookies
- %LOCALAPPDATA%\microsoft\edge\user data\default\cache\index
- %LOCALAPPDATA%\microsoft\edge\user data\default\session storage\manifest-000001
- %LOCALAPPDATA%\microsoft\edge\user data\default\session storage\000001.dbtmp
- %LOCALAPPDATA%\microsoft\edge\user data\default\session storage\log
- %LOCALAPPDATA%\microsoft\edge\user data\default\session storage\000003.log
- %LOCALAPPDATA%\microsoft\edge\user data\default\cache\data_0
- %LOCALAPPDATA%\microsoft\edge\user data\default\cache\data_2
- %LOCALAPPDATA%\microsoft\edge\user data\default\cache\data_3
- %LOCALAPPDATA%\microsoft\edge\user data\default\shared_proto_db\metadata\manifest-000001
- %LOCALAPPDATA%\microsoft\edge\user data\default\shared_proto_db\metadata\000001.dbtmp
- %LOCALAPPDATA%\microsoft\edge\user data\default\shared_proto_db\metadata\log
- %LOCALAPPDATA%\microsoft\edge\user data\default\shared_proto_db\metadata\000003.log
- %LOCALAPPDATA%\microsoft\edge\user data\default\reporting and nel-journal
- %LOCALAPPDATA%\microsoft\edge\user data\default\reporting and nel
- %LOCALAPPDATA%\microsoft\edge\user data\default\extension state\manifest-000001
- %LOCALAPPDATA%\microsoft\edge\user data\default\extension state\000001.dbtmp
- %LOCALAPPDATA%\microsoft\edge\user data\default\extension state\log
- %LOCALAPPDATA%\microsoft\edge\user data\default\heavy_ad_intervention_opt_out.db-journal
- %LOCALAPPDATA%\microsoft\edge\user data\default\heavy_ad_intervention_opt_out.db
- %LOCALAPPDATA%\microsoft\edge\user data\default\data_reduction_proxy_leveldb\manifest-000001
- %LOCALAPPDATA%\microsoft\edge\user data\default\data_reduction_proxy_leveldb\000001.dbtmp
- %LOCALAPPDATA%\microsoft\edge\user data\default\data_reduction_proxy_leveldb\manifest-000002
- %LOCALAPPDATA%\microsoft\edge\user data\default\data_reduction_proxy_leveldb\000002.dbtmp
- %LOCALAPPDATA%\microsoft\edge\user data\default\data_reduction_proxy_leveldb\log
- %LOCALAPPDATA%\microsoft\edge\user data\default\previews_opt_out.db-journal
- %LOCALAPPDATA%\microsoft\edge\user data\default\previews_opt_out.db
- %LOCALAPPDATA%\microsoft\edge\user data\default\shortcuts-journal
- %LOCALAPPDATA%\microsoft\edge\user data\default\shortcuts
- %LOCALAPPDATA%\microsoft\edge\user data\default\network action predictor-journal
- %LOCALAPPDATA%\microsoft\edge\user data\default\network action predictor
- %LOCALAPPDATA%\microsoft\edge\user data\last browser
- %LOCALAPPDATA%\microsoft\edge\user data\default\preferredapps
- %LOCALAPPDATA%\microsoft\edge\user data\default\budgetdatabase\manifest-000001
- %LOCALAPPDATA%\microsoft\edge\user data\default\budgetdatabase\000001.dbtmp
- %LOCALAPPDATA%\microsoft\edge\user data\default\budgetdatabase\log
- %LOCALAPPDATA%\microsoft\edge\user data\default\feature engagement tracker\eventdb\manifest-000001
- %LOCALAPPDATA%\microsoft\edge\user data\default\feature engagement tracker\eventdb\000001.dbtmp
- %LOCALAPPDATA%\microsoft\edge\user data\default\feature engagement tracker\eventdb\log
- %LOCALAPPDATA%\microsoft\edge\user data\default\feature engagement tracker\availabilitydb\manifest-000001
- %LOCALAPPDATA%\microsoft\edge\user data\default\feature engagement tracker\availabilitydb\000001.dbtmp
- %LOCALAPPDATA%\microsoft\edge\user data\default\feature engagement tracker\availabilitydb\log
- %LOCALAPPDATA%\microsoft\edge\user data\default\autofillstrikedatabase\manifest-000001
- %LOCALAPPDATA%\microsoft\edge\user data\default\autofillstrikedatabase\000001.dbtmp
- %LOCALAPPDATA%\microsoft\edge\user data\default\autofillstrikedatabase\log
- %LOCALAPPDATA%\microsoft\edge\user data\default\feature engagement tracker\availabilitydb\000003.log
- %TEMP%\msg1.txt
- %TEMP%\msg2.txt
- %TEMP%\msg3.txt
- %TEMP%\msg4.txt
- %TEMP%\msg5.txt
- %TEMP%\msg6.txt
- %TEMP%\msg7.txt
- %LOCALAPPDATA%\packages\microsoft.windows.search_cw5n1h2txyewy\ac\microsoft\cryptneturlcache\metadata\c389fd106aaca95b265cc81a85b3522b_b8caf23bc080cdab951e004ff19485f6
- %APPDATA%\dailyupdate.bat
Удаляет файлы, которые сам же создал
- %TEMP%\b15a.tmp\b15b.tmp\b15c.bat
- %TEMP%\rese26c.tmp
- %TEMP%\zgiyi5vv\csc6e0e4835e3124516a77b455ad3f1b333.tmp
- %TEMP%\zgiyi5vv\zgiyi5vv.out
- %TEMP%\zgiyi5vv\zgiyi5vv.cmdline
- %TEMP%\zgiyi5vv\zgiyi5vv.dll
- %TEMP%\zgiyi5vv\zgiyi5vv.0.cs
- %LOCALAPPDATA%\microsoft\edge\user data\default\manifest-000001
- %LOCALAPPDATA%\microsoft\edge\user data\browsermetrics\browsermetrics-690eefba-bd4.pma
- %LOCALAPPDATA%\microsoft\edge\user data\browsermetrics\browsermetrics-690eefba-c7c.pma
- %LOCALAPPDATA%\microsoft\edge\user data\browsermetrics\browsermetrics-690eefbd-113c.pma
- %LOCALAPPDATA%\microsoft\edge\user data\browsermetrics\browsermetrics-690eefc5-e1c.pma
- %LOCALAPPDATA%\microsoft\edge\user data\default\data_reduction_proxy_leveldb\manifest-000001
Перемещает следующие файлы
- %LOCALAPPDATA%\microsoft\edge\user data\default\000001.dbtmp в %LOCALAPPDATA%\microsoft\edge\user data\default\current
- %LOCALAPPDATA%\microsoft\edge\user data\default\session storage\000001.dbtmp в %LOCALAPPDATA%\microsoft\edge\user data\default\session storage\current
- %LOCALAPPDATA%\microsoft\edge\user data\default\shared_proto_db\metadata\000001.dbtmp в %LOCALAPPDATA%\microsoft\edge\user data\default\shared_proto_db\metadata\current
- %LOCALAPPDATA%\microsoft\edge\user data\default\extension state\000001.dbtmp в %LOCALAPPDATA%\microsoft\edge\user data\default\extension state\current
- %LOCALAPPDATA%\microsoft\edge\user data\default\data_reduction_proxy_leveldb\000001.dbtmp в %LOCALAPPDATA%\microsoft\edge\user data\default\data_reduction_proxy_leveldb\current
- %LOCALAPPDATA%\microsoft\edge\user data\default\budgetdatabase\000001.dbtmp в %LOCALAPPDATA%\microsoft\edge\user data\default\budgetdatabase\current
- %LOCALAPPDATA%\microsoft\edge\user data\default\feature engagement tracker\eventdb\000001.dbtmp в %LOCALAPPDATA%\microsoft\edge\user data\default\feature engagement tracker\eventdb\current
- %LOCALAPPDATA%\microsoft\edge\user data\default\feature engagement tracker\availabilitydb\000001.dbtmp в %LOCALAPPDATA%\microsoft\edge\user data\default\feature engagement tracker\availabilitydb\current
- %LOCALAPPDATA%\microsoft\edge\user data\default\autofillstrikedatabase\000001.dbtmp в %LOCALAPPDATA%\microsoft\edge\user data\default\autofillstrikedatabase\current
Изменяет следующие файлы
- %APPDATA%\microsoft\windows\themes\transcodedwallpaper
- %APPDATA%\microsoft\windows\themes\cachedfiles\cachedimage_1152_864_pos2.jpg
- %LOCALAPPDATA%\microsoft\edge\user data\last version
- %LOCALAPPDATA%\packages\microsoft.windows.search_cw5n1h2txyewy\ac\microsoft\cryptneturlcache\metadata\57c8edb95df3f0ad4ee2dc2b8cfd4157
- %LOCALAPPDATA%\microsoft\edge\user data\default\sync data\leveldb\log
- %LOCALAPPDATA%\microsoft\edge\user data\default\sync data\leveldb\000003.log
- %LOCALAPPDATA%\microsoft\edge\user data\default\site characteristics database\log
- %LOCALAPPDATA%\microsoft\edge\user data\default\web data-journal
- %LOCALAPPDATA%\microsoft\edge\user data\default\web data
- %LOCALAPPDATA%\microsoft\tokenbroker\cache\9cd93bc6dcf544bae69531052e64647ec02f2bb4.tbres
- %LOCALAPPDATA%\packages\microsoft.windows.search_cw5n1h2txyewy\ac\microsoft\cryptneturlcache\metadata\e2c6cbaf0af08cf203ba74bf0d0ab6d5_363582827213c09529a76f35fb615187
- %LOCALAPPDATA%\packages\microsoft.windows.search_cw5n1h2txyewy\ac\microsoft\cryptneturlcache\metadata\fb0d848f74f70bb2eaa93746d24d9749
- %LOCALAPPDATA%\packages\microsoft.windows.search_cw5n1h2txyewy\ac\microsoft\cryptneturlcache\metadata\77ec63bda74bd0d0e0426dc8f8008506
- %LOCALAPPDATA%\packages\microsoft.windows.search_cw5n1h2txyewy\ac\microsoft\cryptneturlcache\content\77ec63bda74bd0d0e0426dc8f8008506
Подменяет следующие файлы
- %LOCALAPPDATA%\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG
- %LOCALAPPDATA%\Microsoft\Edge\User Data\Default\Platform Notifications\LOG
Сетевая активность
Подключается к
- 'mo#####.map.fastly.net':443
- 'i.##gur.com':443
- 'ap#.msn.com':443
- 'oneocsp.microsoft.com':80
- 'co####.edge.skype.com':443
- 'yo##ube.com':443
TCP
Запросы HTTP GET
- http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?9a##############
- http://oneocsp.microsoft.com/ocsp/MFQwUjBQME4wTDAJBgUrDgMCGgUABBSzT%2FzqwcqNvhP9i4c4sCPz2JbzrAQU%2FglxQFUFEETYpIF1uJ4a6UoGiMgCEzMC5K5iRbrCteNQVoMAAALkrmI%3D
Другие
- 'i.##gur.com':443
- 'ap#.msn.com':443
- 'co####.edge.skype.com':443
- 'yo##ube.com':443
UDP
- DNS ASK mo#####.map.fastly.net
- DNS ASK i.##gur.com
- DNS ASK co##############e-chains.prod.autograph.services.mozaws.net
- DNS ASK ap#.msn.com
- DNS ASK oneocsp.microsoft.com
- DNS ASK co####.edge.skype.com
- DNS ASK yo##ube.com
Другое
Ищет следующие окна
- ClassName: '' WindowName: ''
- ClassName: 'Progman' WindowName: ''
- ClassName: 'Proxy Desktop' WindowName: ''
- ClassName: 'ApplicationFrameWindow' WindowName: ''
- ClassName: 'Chrome_MessageWindow' WindowName: '%LOCALAPPDATA%\Microsoft\Edge\User Data'
- ClassName: 'SystemTray_Main' WindowName: ''
- ClassName: 'BluetoothNotificationAreaIconWindowClass' WindowName: 'BluetoothNotificationAreaIconWindowClass'
- ClassName: 'BluetoothNotificationAreaIconWindowClass' WindowName: ''
Создает и запускает на исполнение
- '<SYSTEM32>\cscript.exe' //nologo "%TEMP%\setvolume.vbs"
Перезапускает анализируемый образец
Запускает на исполнение
- '<SYSTEM32>\cmd.exe' /c "%TEMP%\B15A.tmp\B15B.tmp\B15C.bat <Полный путь к файлу>" (со скрытым окном)
- '<SYSTEM32>\cmd.exe' /c <Полный путь к файлу> max
- '<SYSTEM32>\cmd.exe' /c "%TEMP%\B707.tmp\B708.tmp\B719.bat <Полный путь к файлу> max" (со скрытым окном)
- '<SYSTEM32>\timeout.exe' /t 2 /nobreak
- '<SYSTEM32>\timeout.exe' /t 1 /nobreak
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -Command "& {Invoke-WebRequest -Uri 'https://i.imgur.com/LMtFDjt.jpg' -OutFile '%HOMEPATH%\Pictures\rickroll_wallpaper.jpg'}"
- '<SYSTEM32>\timeout.exe' /t 3 /nobreak
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -Command "& {Add-Type -TypeDefinition 'using System;using System.Runtime.InteropServices;public class Wallpaper{[DllImport(\"user32.dll\",CharSet=CharSet.Auto)]public static extern int SystemPa...
- '%WINDIR%\microsoft.net\framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @"%TEMP%\zgiyi5vv\zgiyi5vv.cmdline" (со скрытым окном)
- '%WINDIR%\microsoft.net\framework64\v4.0.30319\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RESE26C.tmp" "%TEMP%\zgiyi5vv\CSC6E0E4835E3124516A77B455AD3F1B333.TMP" (со скрытым окном)
- '<SYSTEM32>\reg.exe' add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "%HOMEPATH%\Pictures\rickroll_wallpaper.jpg" /f
- '<SYSTEM32>\reg.exe' add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "2" /f
- '<SYSTEM32>\reg.exe' add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f
- '<SYSTEM32>\rundll32.exe' user32.dll,UpdatePerUserSystemParameters
- '%WINDIR%\explorer.exe'
- '<SYSTEM32>\reg.exe' add "HKCU\Software\Google\Chrome\Preferences" /v homepage /t REG_SZ /d "https://www.youtube.com/watch?v=dQw4w9WgXcQ" /f
- '<SYSTEM32>\reg.exe' add "HKCU\Software\Microsoft\Edge\Main" /v "Start Page" /t REG_SZ /d "https://www.youtube.com/watch?v=dQw4w9WgXcQ" /f
- '%WINDIR%\explorer.exe' /NoUACCheck
- '%ProgramFiles(x86)%\microsoft\edge\application\msedge.exe' --single-argument https://www.youtube.com/watch?v=dQw4w9WgXcQ
- '<SYSTEM32>\calc.exe'
- '%WINDIR%\systemapps\microsoft.windows.search_cw5n1h2txyewy\searchapp.exe' -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
- '%ProgramFiles%\windowsapps\microsoft.windowscalculator_10.1906.55.0_x64__8wekyb3d8bbwe\calculator.exe' -ServerName:App.AppXsm3pg4n7er43kdh1qp4e79f1j7am68r8.mca
- '%ProgramFiles(x86)%\microsoft\edge\application\msedge.exe' --flag-switches-begin --flag-switches-end --do-not-de-elevate https://www.youtube.com/watch?v=dQw4w9WgXcQ (со скрытым окном)
- '<SYSTEM32>\svchost.exe' -k appmodel -p -s camsvc
- '<SYSTEM32>\mspaint.exe'
- '<SYSTEM32>\svchost.exe' -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
- '%WINDIR%\explorer.exe' %WINDIR%
- '%WINDIR%\explorer.exe' <SYSTEM32>
- '%ProgramFiles(x86)%\microsoft\edge\application\89.0.774.68\identity_helper.exe' --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1780,14947960861787082721,13707875020347578058,131072 --lang=en-US --service-sandbox-type=none --mojo...
- '%WINDIR%\explorer.exe' C:\Program Files
- '%WINDIR%\explorer.exe' %HOMEPATH%\Desktop
- '%WINDIR%\explorer.exe' %LOCALAPPDATA%\Temp
- '%WINDIR%\explorer.exe' C:\
- '%WINDIR%\explorer.exe' %HOMEPATH%\Documents
- '%WINDIR%\explorer.exe' %HOMEPATH%\Downloads
- '<SYSTEM32>\notepad.exe' "%TEMP%\msg1.txt"
- '<SYSTEM32>\notepad.exe' "%TEMP%\msg2.txt"
- '<SYSTEM32>\notepad.exe' "%TEMP%\msg3.txt"
- '<SYSTEM32>\notepad.exe' "%TEMP%\msg4.txt"
- '<SYSTEM32>\notepad.exe' "%TEMP%\msg5.txt"
- '<SYSTEM32>\notepad.exe' "%TEMP%\msg6.txt"
- '<SYSTEM32>\notepad.exe' "%TEMP%\msg7.txt"
- '<SYSTEM32>\schtasks.exe' /create /tn "SystemDailyUpdate" /tr "%APPDATA%\DailyUpdate.bat" /sc daily /st 12:00 /f
- '<SYSTEM32>\msg.exe' * "≡ƒÐâ╡ YOU'VE BEEN RICKROLLED! ≡ƒÐâ╡ System will RESTART in 60 seconds! Never gonna give you up!"
- '<SYSTEM32>\shutdown.exe' /r /t 60 /c "≡ƒÐâ╡ RICKROLLED! Never gonna give you up, never gonna let you down! System restarting in 60 seconds... ≡ƒÐâ╡"
