Техническая информация
Для обеспечения автозапуска и распространения:
Создает следующие сервисы:
- [<HKLM>\SYSTEM\ControlSet001\services\IKEEXT] 'Start' = '00000002'
- [<HKLM>\SYSTEM\ControlSet001\services\syshost32] 'Start' = '00000002'
Вредоносные функции:
Создает и запускает на исполнение:
- '%WINDIR%\Installer\{C4D14928-0C1E-61B5-1653-63E60C6D8925}\syshost.exe' /service
Запускает на исполнение:
- '<SYSTEM32>\svchost.exe' -k NetworkServiceNetworkRestricted
- '<SYSTEM32>\netsh.exe' advfirewall firewall add rule name="Core Networking - System IP Core" dir=out action=allow enable=yes profile=any
- '<SYSTEM32>\conhost.exe' --pid=0xc50 --log --managed
- '<SYSTEM32>\netsh.exe' advfirewall firewall set rule name="Core Networking - System IP Core" dir=in new action=allow enable=yes profile=any
- '<SYSTEM32>\netsh.exe' advfirewall firewall add rule name="Core Networking - System IP Core" dir=in action=allow enable=yes profile=any
- '<SYSTEM32>\netsh.exe' advfirewall firewall set rule name="Core Networking - System IP Core" dir=out new action=allow enable=yes profile=any
Изменения в файловой системе:
Создает следующие файлы:
- <Служебный элемент>
- <APATH_DUMPS_DIR>_net\CmdDotNetDumper.log
- %WINDIR%\Installer\{C4D14928-0C1E-61B5-1653-63E60C6D8925}\syshost.exe
- %WINDIR%\Temp\95caeab8-8b62-6126-1b32-38c3f7f8105e.tmp
Самоперемещается:
- из <Полный путь к вирусу> в %TEMP%\5366dcff.tmp
Самоудаляется.
Сетевая активность:
Подключается к:
- '20#.121.0.6':80
- '20#.#7.152.151':80
- '21#.#21.230.23':80
- '20#.#85.192.125':80
- '21#.#17.180.172':80
- '19#.#5.251.236':31277
- '22#.#9.73.123':80
- '20#.#9.153.104':80
- '22#.#7.43.27':80
- '20#.#17.198.93':80
- '21#.#17.32.231':80
- '21#.#5.247.157':80
- '21#.#49.225.254':80
- '21#.#7.120.90':80
- '21#.#9.140.36':80
- '20#.#49.150.94':80
- '20#.#17.48.219':80
- '20#.#21.223.59':80
- '21#.#17.125.174':80
- '20#.#53.93.209':80
- '22#.#7.169.190':80
- '19#.#49.39.61':80
- '21#.#53.254.134':80
- '21#.#21.197.202':80
- '21#.#53.247.22':80
- '21#.#21.37.10':80
- '20#.#53.75.110':80
- '20#.#53.73.136':80
- '21#.#17.26.121':80
- '21#.#17.90.184':80
- '21#.#49.114.203':80
- '21#.#7.214.207':80
- '20#.#9.252.51':80
- '21#.#5.31.249':80
- '20#.#9.23.71':80
- '19#.#7.45.35':80
- '21#.#85.126.128':80
- '19#.57.15.8':80
- '21#.#17.242.155':80
- '20#.#21.20.232':80
- '19#.#17.4.46':80
- '21#.#21.204.171':80
- '20#.#17.40.186':80
- '21#.#49.26.48':80
- '20#.#73.68.178':18090
- '18#.#41.59.116':18951
- '20#.#7.99.124':80
- '21#.#5.229.100':80
- '20#.#17.135.189':80
- '21#.#5.55.50':80
- '21#.#49.117.159':80
- '2.###l.ntp.org':123
- '21#.#85.99.144':80
- '1.###l.ntp.org':123
- 'fa###ook.com':80
- '0.###l.ntp.org':123
- '17#.#30.89.213':13530
- '11#.#71.78.117':13845
- '21#.#97.103.112':13242
- '11#.#30.138.130':12065
- '14#.#4.224.204':12500
- '21#.#21.254.123':80
- '19#.#85.114.20':80
- '19#.#53.98.58':80
- '20#.#9.16.206':80
- '21#.#9.251.183':80
- '19#.#5.27.194':80
- '21#.#21.194.9':80
- '19#.#9.102.110':80
- '19#.#85.80.22':80
- '19#.#9.181.221':80
- '19#.#49.145.48':80
- '22#.#9.51.72':80
- '22#.#9.48.234':80
- '22#.#21.50.80':80
- '21#.#49.155.100':80
- '20#.#9.176.218':80
- '22#.#21.204.87':80
- '20#.#85.188.121':80
- '20#.#17.63.249':80
- '20#.#53.138.42':80
- '22#.#21.215.24':80
TCP:
Запросы HTTP POST:
- 20#.#17.198.93/faq/index.php
- 20#.#9.153.104/faq/index.php
- 20#.#7.152.151/faq/index.php
- 22#.#7.43.27/faq/index.php
- 20#.#9.23.71/faq/index.php
- 19#.#7.45.35/faq/index.php
- 22#.#9.73.123/faq/index.php
- 22#.#7.169.190/faq/index.php
- 20#.121.0.6/faq/index.php
- 20#.#21.223.59/faq/index.php
- 20#.#49.150.94/faq/index.php
- 21#.#17.125.174/faq/index.php
- 20#.#53.93.209/faq/index.php
- 21#.#17.180.172/faq/index.php
- 21#.#21.230.23/faq/index.php
- 20#.#17.48.219/faq/index.php
- 20#.#85.192.125/faq/index.php
- 21#.#5.31.249/faq/index.php
- 21#.#53.254.134/faq/index.php
- 21#.#17.90.184/faq/index.php
- 21#.#21.197.202/faq/index.php
- 19#.#49.39.61/faq/index.php
- 20#.#53.75.110/faq/index.php
- 20#.#53.73.136/faq/index.php
- 21#.#49.114.203/faq/index.php
- 21#.#17.26.121/faq/index.php
- 21#.#21.37.10/faq/index.php
- 20#.#21.20.232/faq/index.php
- 19#.#17.4.46/faq/index.php
- 21#.#7.214.207/faq/index.php
- 20#.#9.252.51/faq/index.php
- 19#.57.15.8/faq/index.php
- 21#.#53.247.22/faq/index.php
- 21#.#17.242.155/faq/index.php
- 21#.#85.126.128/faq/index.php
- 20#.#9.176.218/faq/index.php
- 22#.#21.50.80/faq/index.php
- 21#.#21.254.123/faq/index.php
- 21#.#49.155.100/faq/index.php
- 20#.#53.138.42/faq/index.php
- 22#.#21.215.24/faq/index.php
- 22#.#9.51.72/faq/index.php
- 22#.#9.48.234/faq/index.php
- 21#.#5.229.100/faq/index.php
- 21#.#21.204.171/faq/index.php
- 20#.#17.40.186/faq/index.php
- 21#.#85.99.144/faq/index.php
- 21#.#49.26.48/faq/index.php
- 20#.#17.135.189/faq/index.php
- 20#.#7.99.124/faq/index.php
- 21#.#5.55.50/faq/index.php
- 21#.#49.117.159/faq/index.php
- 20#.#17.63.249/faq/index.php
- 19#.#9.102.110/faq/index.php
- 21#.#7.120.90/faq/index.php
- 19#.#85.80.22/faq/index.php
- 21#.#21.194.9/faq/index.php
- 21#.#17.32.231/faq/index.php
- 21#.#5.247.157/faq/index.php
- 21#.#9.140.36/faq/index.php
- 21#.#49.225.254/faq/index.php
- 19#.#49.145.48/faq/index.php
- 21#.#9.251.183/faq/index.php
- 19#.#5.27.194/faq/index.php
- 22#.#21.204.87/faq/index.php
- 20#.#85.188.121/faq/index.php
- 19#.#53.98.58/faq/index.php
- 19#.#9.181.221/faq/index.php
- 20#.#9.16.206/faq/index.php
- 19#.#85.114.20/faq/index.php
UDP:
- DNS ASK dl####beauxbj.cm
- DNS ASK lb#####kihtkoboeu.me
- DNS ASK fi###sdrboet.ru
- DNS ASK rj####ikajtdh.cm
- DNS ASK ea#####pxefqmhxqqmb.cc
- DNS ASK li###fwg.biz
- DNS ASK ds####njqrvlkii.sc
- DNS ASK nb###hcwjyru.ir
- DNS ASK jw######nqdukbmvjyrn.bit
- DNS ASK ad#####mjmugladxf.mu
- DNS ASK xo####qapwqmai.su
- DNS ASK bd####lhhyasdqt.me
- DNS ASK pj###tbqj.sx
- DNS ASK dq#####svklsqmnngv.ug
- DNS ASK se######mxnidfthcqdkp.im
- DNS ASK ce###wrpgr.tw
- DNS ASK qx#####yvhsfjbqbukia.ki
- DNS ASK bs#####wyoheiqxer.tj
- DNS ASK ej#####byqhtmltphfen.ir
- DNS ASK nb####qygcvfwnxd.eu
- DNS ASK cv####hopwhrwt.co
- DNS ASK jg#####nssfldknmv.sc
- DNS ASK mj#####epvkjxlsnugq.bit
- DNS ASK pr######lhseykrrwgti.xxx
- DNS ASK kw#####axejcgpokd.xxx
- DNS ASK nb####tsyfytlhnv.mu
- DNS ASK gw##shn.mn
- DNS ASK qx####nkmqbieb.su
- DNS ASK ju###sofy.sh
- DNS ASK qn####onaloewey.jp
- DNS ASK cs#####bbumtecejbsck.cm
- DNS ASK jr####vmxhfpx.cx
- DNS ASK bk#####dbfiodxoiqel.tw
- DNS ASK hc####sqboanrohq.sc
- DNS ASK qh####olpxsdtm.org
- DNS ASK bd####uerbsc.com
- DNS ASK dd###iwvqwum.su
- DNS ASK fy####vbbufnhmb.ug
- DNS ASK fy####yxxcatvimb.cc
- DNS ASK hs#####mbtohciykv.xxx
- DNS ASK an###vgomus.us
- DNS ASK rh###ubeykv.cc
- DNS ASK no###mwfvmek.ki
- DNS ASK sa#####txjlgfhdgluw.xxx
- DNS ASK fm#####rrnfavnegfcmf.me
- DNS ASK vb#####yjjndqjemqfe.cx
- DNS ASK di###vlwwoqd.tw
- DNS ASK ii####vdrrdvn.pw
- DNS ASK an#####nwgrivfdskdu.su
- DNS ASK ap###huyw.su
- DNS ASK fd####oovwohy.org
- DNS ASK vi####niqyrsqgu.cc
- DNS ASK fd###sytwahg.sx
- DNS ASK le##osbw.ug
- DNS ASK rm###tktn.pw
- DNS ASK gl######lojptinnelcya.im
- DNS ASK rp###cyr.xxx
- DNS ASK ew######shyriuenmjltu.tj
- DNS ASK ot###ymcyrgu.de
- DNS ASK qb###slp.net
- DNS ASK nu##exff.nu
- DNS ASK gf###dbjplo.im
- DNS ASK sx###xhuevcd.us
- DNS ASK ji###hvpmh.jp
- DNS ASK at#####llatcdmbqvlnw.su
- DNS ASK fe###ncd.pro
- DNS ASK ao####etvdhkpfd.ug
- DNS ASK ku######arlgyylxljhgf.xxx
- DNS ASK hf###ojxfrfs.nf
- DNS ASK sd####tjprdexer.eu
- DNS ASK bw#####eaflqyftuylg.ki
- DNS ASK ei###yofuax.pro
- DNS ASK ti#####wisbrhiefbtlo.sh
- DNS ASK ui####ltehwpjim.com
- DNS ASK re####vgtzihhk.com
- DNS ASK ee####rzwbqr.com
- DNS ASK md####omtjbtmj.com
- DNS ASK lk###oevrq.com
- DNS ASK fa###ook.com
- DNS ASK 2.###l.ntp.org
- DNS ASK er###abbed.bit
- DNS ASK dn#.##ftncsi.com
- DNS ASK xv###ydxwzt.com
- DNS ASK 0.###l.ntp.org
- DNS ASK 1.###l.ntp.org
- DNS ASK jr####hrhuzrqxy.com
- DNS ASK do######xnhmjbunlgyg.org
- DNS ASK ki####bbdhjousv.net
- DNS ASK im#####snjhmaoofrxa.com
- DNS ASK ne###ibys.ms
- DNS ASK kl#####ubqoxedkjceq.ir
- DNS ASK uh#####stmefcohssl.me
- DNS ASK og#####bpumxsfoe.xxx
- DNS ASK ra###lbccfp.com
- DNS ASK qg####ctjicigou.jp
- DNS ASK wn#####jtctmrmejgu.cm
- DNS ASK fv######knrgsdujxvfgj.mx
- DNS ASK xn####dcuinfjhy.tv
- '91.#13.8.35':56953
- '18#.#19.207.59':24553
- '95.##1.195.245':50526
- '12#.#36.221.187':20454
- '18#.#7.195.170':31161
- '11#.#53.65.249':31649
- '27.##5.253.209':26257
- '17#.#2.31.41':65193
- '11#.#5.34.251':31465
- '12#.#23.174.203':27460
- '16#.#43.56.54':49165
- '42.##.75.145':5413
- '94.##1.81.244':65068
- '21#.#23.100.9':10728
- '17#.#45.194.182':16026
- '19#.#8.212.24':30847
- '58.##0.29.210':20127
- '27.##.144.118':6831
- '17#.#26.133.108':32081
- '18#.#7.86.151':17137
- '18#.#3.132.174':12512
- '89.##3.30.66':7302
- '18#.#15.155.138':13897
- '17#.#2.31.41':51371
- '20#.#43.198.160':25694
- '21#.#5.189.250':12283
- '21#.#6.184.163':32519
- '11#.#15.162.152':6258
- '12#.#14.89.66':11527
- '12#.#73.67.175':12087
- '16#.#43.56.54':62946
- '11#.#5.150.19':8410
- '18#.#9.168.172':11833
- '18#.#92.52.20':17773
- '86.##6.28.118':13893
- '91.#13.8.35':59090
- '18#.#4.234.188':5595
- '17#.#2.31.41':52963
- '89.##6.16.158':4295
- '21#.#66.151.167':18340
- '15#.#32.36.140':12744
- '95.##1.195.245':55220
- '20#.#09.59.65':5653
- '15#.#7.11.164':8418
- '17#.#55.157.93':32509
- '94.##1.81.244':57758
- '20#.#72.183.39':15805
- '1.##.100.138':9955
- '18#.#3.201.196':14605
- '19#.#85.235.166':11921
- '11#.#04.73.220':12290
- '95.##1.195.245':59412
- '17#.#73.166.91':9321
- '89.##.116.151':7913
- '19#.#03.125.236':18414
- '19#.#09.93.182':16223
- '95.##1.195.245':53760
- '21#.#27.124.54':29509
- '95.##1.195.245':62764
- '17#.#2.31.41':63502
- '94.##1.81.244':58044
- '16#.#43.56.54':64210
- '91.#13.8.35':63198
- '19#.#1.62.140':19159
- '19#.#05.22.63':24389
