Техническая информация
Для обеспечения автозапуска и распространения:
Модифицирует следующие ключи реестра:
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'HostSecurePlugin3' = '%PROGRAM_FILES%\Host Secure\HostSecure.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'HostSecurePlugin' = '%PROGRAM_FILES%\Host Secure\HostSecure.exe'
Вредоносные функции:
Создает и запускает на исполнение:
- '%PROGRAM_FILES%\Host Secure\ofertas\HostSecurePlugin-5.31.6-x64.exe' /pid=0x5e8 /log
- '%PROGRAM_FILES%\Host Secure\ofertas\HostSecurePlugin-5.31.6-x64.exe' 0x9d4 hostsecure.exe
- '%PROGRAM_FILES%\Host Secure\ofertas\HostSecurePlugin-5.31.6-x86.exe' /pid=0xb34 /log
- '%PROGRAM_FILES%\Host Secure\HostSecure.exe' " "
- '%PROGRAM_FILES%\Host Secure\ofertas\HostSecurePlugin-5.31.6-x64.exe'
- '%PROGRAM_FILES%\Host Secure\ofertas\HostSecurePlugin-5.31.6-x86.exe'
Запускает на исполнение:
- '<SYSTEM32>\conhost.exe' /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
- '<SYSTEM32>\schtasks.exe' /create /tn "SecureHost" /tr " %PROGRAM_FILES%\Host Secure\HostSecure.exe " /sc onstart /RL HIGHEST
- '<SYSTEM32>\regsvr32.exe' 0x580 cmd.exe
- '<SYSTEM32>\conhost.exe' /create /tn "HostSecure3" /tr " %PROGRAM_FILES%\Host Secure\HostSecure.exe " /sc daily /st 10:00 /RL HIGHEST
- '<SYSTEM32>\schtasks.exe' /create /tn "HostSecure2" /tr " %PROGRAM_FILES%\Host Secure\HostSecure.exe " /sc daily /st 18:00 /RL HIGHEST
- '<SYSTEM32>\conhost.exe' /c cd %PROGRAM_FILES%\Host Secure && SCHTASKS /create /tn "HostSecure2" /tr " %PROGRAM_FILES%\Host Secure\HostSecure.exe " /sc daily /st 18:00 /RL HIGHEST
- '<SYSTEM32>\schtasks.exe' /create /tn "HostSecure3" /tr " %PROGRAM_FILES%\Host Secure\HostSecure.exe ejemplo " /sc daily /st 10:00 /RL HIGHEST
- '<SYSTEM32>\schtasks.exe' /create /tn "HostSecure2" /tr " %PROGRAM_FILES%\Host Secure\HostSecure.exe ejemplo " /sc daily /st 18:00 /RL HIGHEST
- '<SYSTEM32>\schtasks.exe' /create /tn "SecureHost" /tr " %PROGRAM_FILES%\Host Secure\HostSecure.exe ejemplo " /sc onstart /RL HIGHEST
- '<SYSTEM32>\regsvr32.exe' /s "%PROGRAM_FILES%\HostSecurePlugin\forge32.dll"
- '<SYSTEM32>\regsvr32.exe' /s "%PROGRAM_FILES%\HostSecurePlugin\bho64.dll"
- '<SYSTEM32>\regsvr32.exe' /s "%PROGRAM_FILES%\HostSecurePlugin\forge64.dll"
Изменения в файловой системе:
Создает следующие файлы:
- %PROGRAM_FILES%\HostSecurePlugin\bho64.dll
- %PROGRAM_FILES%\HostSecurePlugin\forge32.dll
- %TEMP%\nsz2473.tmp\System.dll
- %PROGRAM_FILES%\HostSecurePlugin\forge64.dll
- %TEMP%\nsj3830.tmp
- %TEMP%\nsj3831.tmp\UserInfo.dll
- %PROGRAM_FILES%\HostSecurePlugin\bho32.dll
- %PROGRAM_FILES%\HostSecurePlugin\Uninstall.exe
- %PROGRAM_FILES%\HostSecurePlugin\forge\app_config.js
- %PROGRAM_FILES%\HostSecurePlugin\forge\disable-frames.js
- %PROGRAM_FILES%\HostSecurePlugin\forge\all-priv.js
- %PROGRAM_FILES%\HostSecurePlugin\forge\all.js
- %PROGRAM_FILES%\HostSecurePlugin\forge32.exe
- %PROGRAM_FILES%\HostSecurePlugin\frame32.dll
- %PROGRAM_FILES%\HostSecurePlugin\forge64.exe
- %PROGRAM_FILES%\HostSecurePlugin\frame64.dll
- %TEMP%\nsj3831.tmp\System.dll
- %APPDATA%\Roaming\Extensions\HostSecurePlugin\forge\all-priv.js
- %APPDATA%\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HostSecurePlugin.lnk
- %APPDATA%\Roaming\Extensions\HostSecurePlugin\forge\disable-frames.js
- %APPDATA%\Roaming\Extensions\HostSecurePlugin\forge\all.js
- %PROGRAM_FILES%\Host Secure\uninstall.exe
- %TEMP%\nstC8F.tmp\System.dll
- %WINDIR%\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch.new
- %WINDIR%\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch.new
- %APPDATA%\Roaming\Extensions\HostSecurePlugin\crxkey.pem
- %APPDATA%\Roaming\Extensions\HostSecurePlugin\forge.html
- <Служебный элемент>
- %APPDATA%\Roaming\Extensions\HostSecurePlugin\manifest.json
- %APPDATA%\Roaming\Extensions\HostSecurePlugin\src\js\main.js
- %APPDATA%\Roaming\Extensions\HostSecurePlugin\forge\app_config.js
- %APPDATA%\Roaming\Extensions\HostSecurePlugin\src\index.html
- %APPDATA%\Roaming\Extensions\HostSecurePlugin\src\css\bootstrap.css
- %PROGRAM_FILES%\HostSecurePlugin\src\js\main.js
- %TEMP%\nstC8F.tmp\AccessControl.dll
- %WINDIR%\ServiceProfiles\NetworkService\AppData\Local\Temp\Cab11DB.tmp
- %PROGRAM_FILES%\Host Secure\Interop.IWshRuntimeLibrary.dll
- %PROGRAM_FILES%\Host Secure\TaskScheduler.dll
- %WINDIR%\ServiceProfiles\NetworkService\AppData\Local\Temp\Cab12D8.tmp
- %TEMP%\Cab1363.tmp
- %WINDIR%\ServiceProfiles\NetworkService\AppData\Local\Temp\Cab120B.tmp
- %TEMP%\Cab12C5.tmp
- %PROGRAM_FILES%\Host Secure\ofertas\HostSecurePlugin-5.31.6-x86.exe
- %PROGRAM_FILES%\Host Secure\ofertas\HostSecurePlugin.crx
- %TEMP%\nsz9F0.tmp
- %PROGRAM_FILES%\Host Secure\ofertas\HostSecurePlugin-5.31.6-x64.exe
- %PROGRAM_FILES%\Host Secure\7za.exe
- %PROGRAM_FILES%\Host Secure\HostSecure.exe
- %PROGRAM_FILES%\Host Secure\ofertas\HostSecurePlugin.xpi
- %PROGRAM_FILES%\Host Secure\RegAsm.exe
- %WINDIR%\ServiceProfiles\NetworkService\AppData\Local\Temp\Cab1386.tmp
- %PROGRAM_FILES%\HostSecurePlugin\defaults
- %PROGRAM_FILES%\HostSecurePlugin\forge.ico
- %TEMP%\nsj2472.tmp
- %TEMP%\nsz2473.tmp\UserInfo.dll
- %PROGRAM_FILES%\HostSecurePlugin\src\index.html
- %PROGRAM_FILES%\HostSecurePlugin\src\css\bootstrap.css
- %PROGRAM_FILES%\HostSecurePlugin\manifest.json
- %PROGRAM_FILES%\HostSecurePlugin\forge.html
- %TEMP%\Cab149F.tmp
- %WINDIR%\ServiceProfiles\NetworkService\AppData\Local\Temp\Cab14B2.tmp
- %TEMP%\Cab13E1.tmp
- %WINDIR%\ServiceProfiles\NetworkService\AppData\Local\Temp\Cab1424.tmp
- <SYSTEM32>\Tasks\HostSecure3
- %PROGRAM_FILES%\Host Secure\Args.ini
- <SYSTEM32>\Tasks\SecureHost
- <SYSTEM32>\Tasks\HostSecure2
Удаляет следующие файлы:
- %TEMP%\nsz2473.tmp\System.dll
- %TEMP%\nsz2473.tmp\UserInfo.dll
- %TEMP%\Cab149F.tmp
- %WINDIR%\ServiceProfiles\NetworkService\AppData\Local\Temp\Cab14B2.tmp
- %TEMP%\nstC8F.tmp\AccessControl.dll
- %TEMP%\nstC8F.tmp\System.dll
- %TEMP%\nsj3831.tmp\System.dll
- %TEMP%\nsj3831.tmp\UserInfo.dll
- %TEMP%\Cab12C5.tmp
- %WINDIR%\ServiceProfiles\NetworkService\AppData\Local\Temp\Cab12D8.tmp
- %WINDIR%\ServiceProfiles\NetworkService\AppData\Local\Temp\Cab11DB.tmp
- %WINDIR%\ServiceProfiles\NetworkService\AppData\Local\Temp\Cab120B.tmp
- %TEMP%\Cab13E1.tmp
- %WINDIR%\ServiceProfiles\NetworkService\AppData\Local\Temp\Cab1424.tmp
- %TEMP%\Cab1363.tmp
- %WINDIR%\ServiceProfiles\NetworkService\AppData\Local\Temp\Cab1386.tmp
Перемещает следующие файлы:
- %WINDIR%\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch.new в %WINDIR%\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch
- %WINDIR%\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch.new в %WINDIR%\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch
Сетевая активность:
Подключается к:
- 'st####.#ostsecureplugin.com':80
- 'ct###.#indowsupdate.com':80
TCP:
Запросы HTTP GET:
- ct###.#indowsupdate.com/msdownload/update/v3/static/trustedr/en/D69B561148F01C77C54578C10926DF5B856976AD.crt?49##############
- ct###.#indowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?88##############
- st####.#ostsecureplugin.com/sdb/fd/host-secure-updater.xml
- ct###.#indowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?15##############
- ct###.#indowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?2a##############
- ct###.#indowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?dc##############
- ct###.#indowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?34##############
- ct###.#indowsupdate.com/msdownload/update/v3/static/trustedr/en/D69B561148F01C77C54578C10926DF5B856976AD.crt?86##############
UDP:
- DNS ASK st####.#ostsecureplugin.com
- DNS ASK ct###.#indowsupdate.com
Другое:
Ищет следующие окна:
- ClassName: 'IEFrame' WindowName: ''
