Trojan.DownLoader11.46793

Техническая информация

Для обеспечения автозапуска и распространения:

Модифицирует следующие ключи реестра:

[<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'Malwarebytes Anti-Exploit' = '%PROGRAM_FILES%\Malwarebytes Anti-Exploit\mbae.exe'

Создает следующие сервисы:

[<HKLM>\SYSTEM\ControlSet001\Services\ESProtectionDriver] 'Start' = '00000001'
[<HKLM>\SYSTEM\ControlSet001\Services\MbaeSvc] 'Start' = '00000002'

Вредоносные функции:

Создает и запускает на исполнение:

'%PROGRAM_FILES%\Malwarebytes Anti-Exploit\mbae-svc.exe' -install
'%PROGRAM_FILES%\Malwarebytes Anti-Exploit\mbae-svc.exe'
'%PROGRAM_FILES%\Malwarebytes Anti-Exploit\mbae.exe' /open
'%WINDIR%\ToxiczUnattendeds\Setup.exe' /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /SP-
'%TEMP%\is-8U2F4.tmp\Setup.tmp' /SL5="$100EA,2364404,119296,%WINDIR%\ToxiczUnattendeds\Setup.exe" /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /SP-
'%PROGRAM_FILES%\Malwarebytes Anti-Exploit\mbae-uninstaller.exe' /install

Внедряет код в

следующие пользовательские процессы:

iexplore.exe
firefox.exe
chrome.exe
javaw.exe
java.exe
opera.exe

Изменения в файловой системе:

Создает следующие файлы:

%PROGRAM_FILES%\Malwarebytes Anti-Exploit\is-41G74.tmp
%PROGRAM_FILES%\Malwarebytes Anti-Exploit\is-004V4.tmp
%ALLUSERSPROFILE%\Application Data\Malwarebytes Anti-Exploit\mbae-default.log
%PROGRAM_FILES%\Malwarebytes Anti-Exploit\mbae-uninstall.log
%PROGRAM_FILES%\Malwarebytes Anti-Exploit\is-KUSRL.tmp
%PROGRAM_FILES%\Malwarebytes Anti-Exploit\is-GPH3J.tmp
%PROGRAM_FILES%\Malwarebytes Anti-Exploit\is-TEIMH.tmp
%PROGRAM_FILES%\Malwarebytes Anti-Exploit\is-MBMAJ.tmp
%PROGRAM_FILES%\Malwarebytes Anti-Exploit\is-V5RP7.tmp
%ALLUSERSPROFILE%\Start Menu\Programs\Malwarebytes Anti-Exploit\Malwarebytes Anti-Exploit.lnk
%ALLUSERSPROFILE%\Application Data\Malwarebytes Anti-Exploit\mbae-report.dat
%PROGRAM_FILES%\Malwarebytes Anti-Exploit\unins000.dat
%ALLUSERSPROFILE%\Start Menu\Programs\Malwarebytes Anti-Exploit\Uninstall Malwarebytes Anti-Exploit.lnk
%ALLUSERSPROFILE%\Application Data\Malwarebytes Anti-Exploit\mbae-service.log
%ALLUSERSPROFILE%\Application Data\Malwarebytes Anti-Exploit\mbae-protector.xpe
%ALLUSERSPROFILE%\Application Data\Malwarebytes Anti-Exploit\mbae-config.dat
%ALLUSERSPROFILE%\Application Data\Malwarebytes Anti-Exploit\mbae-dll.log
%ALLUSERSPROFILE%\Application Data\Malwarebytes Anti-Exploit\mbae-svc.dat
%PROGRAM_FILES%\Malwarebytes Anti-Exploit\is-085BP.tmp
%WINDIR%\ToxiczUnattendeds\Reg64.reg
%TEMP%\aut3.tmp
%WINDIR%\ToxiczUnattendeds\Reg86.reg
%TEMP%\aut4.tmp
%WINDIR%\ToxiczUnattendeds\Setup.exe
%WINDIR%\ToxiczUnattendeds\Toxicz.jpg
%TEMP%\aut1.tmp
%TEMP%\aut2.tmp
%PROGRAM_FILES%\Malwarebytes Anti-Exploit\is-2FDO6.tmp
%PROGRAM_FILES%\Malwarebytes Anti-Exploit\is-JU5NT.tmp
%PROGRAM_FILES%\Malwarebytes Anti-Exploit\is-IH9SF.tmp
%PROGRAM_FILES%\Malwarebytes Anti-Exploit\is-50M4R.tmp
%PROGRAM_FILES%\Malwarebytes Anti-Exploit\is-1FS53.tmp
%TEMP%\is-NR7G7.tmp\_isetup\_shfoldr.dll
%TEMP%\is-8U2F4.tmp\Setup.tmp
%PROGRAM_FILES%\Malwarebytes Anti-Exploit\is-TIUN6.tmp
%PROGRAM_FILES%\Malwarebytes Anti-Exploit\is-9E66R.tmp

Удаляет следующие файлы:

%TEMP%\aut4.tmp
%TEMP%\is-NR7G7.tmp\_isetup\_shfoldr.dll
%TEMP%\aut3.tmp
%TEMP%\aut1.tmp
%TEMP%\aut2.tmp

Перемещает следующие файлы:

%PROGRAM_FILES%\Malwarebytes Anti-Exploit\mbae.dll._ в %PROGRAM_FILES%\Malwarebytes Anti-Exploit\mbae.dll
%PROGRAM_FILES%\Malwarebytes Anti-Exploit\mbae64.dll._ в %PROGRAM_FILES%\Malwarebytes Anti-Exploit\mbae64.dll
%PROGRAM_FILES%\Malwarebytes Anti-Exploit\mb-lib.dll._ в %PROGRAM_FILES%\Malwarebytes Anti-Exploit\mb-lib.dll
%PROGRAM_FILES%\Malwarebytes Anti-Exploit\is-KUSRL.tmp в %PROGRAM_FILES%\Malwarebytes Anti-Exploit\mbae.chm
%PROGRAM_FILES%\Malwarebytes Anti-Exploit\is-004V4.tmp в %PROGRAM_FILES%\Malwarebytes Anti-Exploit\version.txt
%PROGRAM_FILES%\Malwarebytes Anti-Exploit\is-41G74.tmp в %PROGRAM_FILES%\Malwarebytes Anti-Exploit\changelog.txt
%PROGRAM_FILES%\Malwarebytes Anti-Exploit\mbae.exe._ в %PROGRAM_FILES%\Malwarebytes Anti-Exploit\mbae.exe
%PROGRAM_FILES%\Malwarebytes Anti-Exploit\mbae64.exe._ в %PROGRAM_FILES%\Malwarebytes Anti-Exploit\mbae64.exe
%PROGRAM_FILES%\Malwarebytes Anti-Exploit\mbae-svc.exe._ в %PROGRAM_FILES%\Malwarebytes Anti-Exploit\mbae-svc.exe
%PROGRAM_FILES%\Malwarebytes Anti-Exploit\mbae-api.dll._ в %PROGRAM_FILES%\Malwarebytes Anti-Exploit\mbae-api.dll
%PROGRAM_FILES%\Malwarebytes Anti-Exploit\mbae.sys._ в %PROGRAM_FILES%\Malwarebytes Anti-Exploit\mbae.sys
%PROGRAM_FILES%\Malwarebytes Anti-Exploit\mbae64.sys._ в %PROGRAM_FILES%\Malwarebytes Anti-Exploit\mbae64.sys
%PROGRAM_FILES%\Malwarebytes Anti-Exploit\is-JU5NT.tmp в %PROGRAM_FILES%\Malwarebytes Anti-Exploit\mbae64.dll._
%PROGRAM_FILES%\Malwarebytes Anti-Exploit\is-2FDO6.tmp в %PROGRAM_FILES%\Malwarebytes Anti-Exploit\mbae.exe._
%PROGRAM_FILES%\Malwarebytes Anti-Exploit\is-50M4R.tmp в %PROGRAM_FILES%\Malwarebytes Anti-Exploit\mbae-svc.exe._
%PROGRAM_FILES%\Malwarebytes Anti-Exploit\is-9E66R.tmp в %PROGRAM_FILES%\Malwarebytes Anti-Exploit\unins000.exe
%PROGRAM_FILES%\Malwarebytes Anti-Exploit\is-TIUN6.tmp в %PROGRAM_FILES%\Malwarebytes Anti-Exploit\mbae64.exe._
%PROGRAM_FILES%\Malwarebytes Anti-Exploit\is-1FS53.tmp в %PROGRAM_FILES%\Malwarebytes Anti-Exploit\mbae64.sys._
%PROGRAM_FILES%\Malwarebytes Anti-Exploit\is-GPH3J.tmp в %PROGRAM_FILES%\Malwarebytes Anti-Exploit\mb-lib.dll._
%PROGRAM_FILES%\Malwarebytes Anti-Exploit\is-V5RP7.tmp в %PROGRAM_FILES%\Malwarebytes Anti-Exploit\mbae-uninstaller.exe
%PROGRAM_FILES%\Malwarebytes Anti-Exploit\is-MBMAJ.tmp в %PROGRAM_FILES%\Malwarebytes Anti-Exploit\license.rtf
%PROGRAM_FILES%\Malwarebytes Anti-Exploit\is-IH9SF.tmp в %PROGRAM_FILES%\Malwarebytes Anti-Exploit\mbae.sys._
%PROGRAM_FILES%\Malwarebytes Anti-Exploit\is-085BP.tmp в %PROGRAM_FILES%\Malwarebytes Anti-Exploit\mbae-api.dll._
%PROGRAM_FILES%\Malwarebytes Anti-Exploit\is-TEIMH.tmp в %PROGRAM_FILES%\Malwarebytes Anti-Exploit\mbae.dll._