Техническая информация
Для обеспечения автозапуска и распространения:
Модифицирует следующие ключи реестра:
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'Resource Extensible Filtering' = 'C:\jstkfaufo9l\atafqlwm7h4.exe'
Создает следующие сервисы:
- [<HKLM>\SYSTEM\ControlSet001\Services\Telephony Time Problem Panel Resource] 'ImagePath' = 'C:\jstkfaufo9l\atafqlwm7h4.exe'
- [<HKLM>\SYSTEM\ControlSet001\Services\Telephony Time Problem Panel Resource] 'Start' = '00000002'
Вредоносные функции:
Запускает на исполнение:
- 'C:\jstkfaufo9l\ypgynqt6.exe' "c:\jstkfaufo9l\atafqlwm7h4.exe"
- 'C:\jstkfaufo9l\atafqlwm7h4.exe'
- 'C:\jstkfaufo9l\hyf3zko92l3kihcsfwxn.exe'
Изменения в файловой системе:
Создает следующие файлы:
- C:\jstkfaufo9l\atafqlwm7h4.exe
- C:\jstkfaufo9l\ypgynqt6.exe
- C:\jstkfaufo9l\ttzbcbkjj
- %WINDIR%\jstkfaufo9l\nhuebzek2g
- C:\jstkfaufo9l\nhuebzek2g
- C:\jstkfaufo9l\hyf3zko92l3kihcsfwxn.exe
Присваивает атрибут 'скрытый' для следующих файлов:
- C:\jstkfaufo9l\ypgynqt6.exe
- C:\jstkfaufo9l\atafqlwm7h4.exe
Удаляет следующие файлы:
- C:\jstkfaufo9l\hyf3zko92l3kihcsfwxn.exe
- %WINDIR%\jstkfaufo9l\nhuebzek2g
Подменяет следующие файлы:
- %WINDIR%\jstkfaufo9l\nhuebzek2g
Сетевая активность:
Подключается к:
- 'ra#####leharriett.net':80
- 'co#####erkatharyn.net':80
- 'co#####erharriett.net':80
- 'co#####ercapricia.net':80
- 'ra#####lecapricia.net':80
- 'co#####uscapricia.net':80
- 'ma#####necapricia.net':80
- 'ma#####nesherisse.net':80
- 'ra#####lekatharyn.net':80
- 'co#####ussherisse.net':80
- 'ra#####lesherisse.net':80
- 'tr#####ancapricia.net':80
- 'se#####ercapricia.net':80
- 'se#####ersherisse.net':80
- 'se#####nakatharyn.net':80
- 'tr#####ansherisse.net':80
- 'se#####erkatharyn.net':80
- 'co#####ersherisse.net':80
- 'tr#####ankatharyn.net':80
- 'tr#####anharriett.net':80
- 'se#####erharriett.net':80
- 'ka#####necapricia.net':80
- 'co#####necapricia.net':80
- 'co#####nesherisse.net':80
- 'sh#####nekatharyn.net':80
- 'ka#####nesherisse.net':80
- 'co#####nekatharyn.net':80
- 'ro#####ltsherisse.net':80
- 'ka#####nekatharyn.net':80
- 'ka#####neharriett.net':80
- 'co#####neharriett.net':80
- 'ch#####askatharyn.net':80
- 'ma#####nekatharyn.net':80
- 'ch#####assherisse.net':80
- 'co#####uskatharyn.net':80
- 'co#####usharriett.net':80
- 'ma#####neharriett.net':80
- 'ch#####asharriett.net':80
- 'sh#####neharriett.net':80
- 'sh#####necapricia.net':80
- 'sh#####nesherisse.net':80
- 'ch#####ascapricia.net':80
- 'jo#####nekatharyn.net':80
- 'gr#####orrupertson.net':80
- 'sh#####lerupertson.net':80
- 'sh#####legranville.net':80
- 'ge#####nerowbottom.net':80
- 'gr#####orgranville.net':80
- 'sh#####lerowbottom.net':80
- 'br#####iagranville.net':80
- 'gr#####orrowbottom.net':80
- 'gr#####orcarpenter.net':80
- 'sh#####lecarpenter.net':80
- 'he#####tarowbottom.net':80
- 'br#####terowbottom.net':80
- 'he#####tagranville.net':80
- 'je#####onrowbottom.net':80
- 'je#####oncarpenter.net':80
- 'br#####tecarpenter.net':80
- 'he#####tacarpenter.net':80
- 'ge#####necarpenter.net':80
- 'ge#####nerupertson.net':80
- 'ge#####negranville.net':80
- 'he#####tarupertson.net':80
- 'ga#####lerowbottom.net':80
- 'jo#####nesherisse.net':80
- 'an#####larowbottom.net':80
- 'an#####lacarpenter.net':80
- 'ga#####lecarpenter.net':80
- 'jo#####neharriett.net':80
- 'se#####naharriett.net':80
- 'se#####nacapricia.net':80
- 'se#####nasherisse.net':80
- 'jo#####necapricia.net':80
- 'ga#####lerupertson.net':80
- 'br#####iacarpenter.net':80
- 'ga#####lacarpenter.net':80
- 'ga#####larupertson.net':80
- 'ga#####lagranville.net':80
- 'br#####iarupertson.net':80
- 'ga#####legranville.net':80
- 'an#####larupertson.net':80
- 'an#####lagranville.net':80
- 'br#####iarowbottom.net':80
- 'ga#####larowbottom.net':80
TCP:
Запросы HTTP GET:
- http://ra#####leharriett.net/index.php
- http://co#####erkatharyn.net/index.php
- http://co#####erharriett.net/index.php
- http://co#####ercapricia.net/index.php
- http://ra#####lecapricia.net/index.php
- http://co#####uscapricia.net/index.php
- http://ma#####necapricia.net/index.php
- http://ma#####nesherisse.net/index.php
- http://ra#####lekatharyn.net/index.php
- http://co#####ussherisse.net/index.php
- http://ra#####lesherisse.net/index.php
- http://tr#####ancapricia.net/index.php
- http://se#####ercapricia.net/index.php
- http://se#####ersherisse.net/index.php
- http://se#####nakatharyn.net/index.php
- http://tr#####ansherisse.net/index.php
- http://se#####erkatharyn.net/index.php
- http://co#####ersherisse.net/index.php
- http://tr#####ankatharyn.net/index.php
- http://tr#####anharriett.net/index.php
- http://se#####erharriett.net/index.php
- http://ka#####necapricia.net/index.php
- http://co#####necapricia.net/index.php
- http://co#####nesherisse.net/index.php
- http://sh#####nekatharyn.net/index.php
- http://ka#####nesherisse.net/index.php
- http://co#####nekatharyn.net/index.php
- http://ro#####ltsherisse.net/index.php
- http://ka#####nekatharyn.net/index.php
- http://ka#####neharriett.net/index.php
- http://co#####neharriett.net/index.php
- http://ch#####askatharyn.net/index.php
- http://ma#####nekatharyn.net/index.php
- http://ch#####assherisse.net/index.php
- http://co#####uskatharyn.net/index.php
- http://co#####usharriett.net/index.php
- http://ma#####neharriett.net/index.php
- http://ch#####asharriett.net/index.php
- http://sh#####neharriett.net/index.php
- http://sh#####necapricia.net/index.php
- http://sh#####nesherisse.net/index.php
- http://ch#####ascapricia.net/index.php
- http://jo#####nekatharyn.net/index.php
- http://gr#####orrupertson.net/index.php
- http://sh#####lerupertson.net/index.php
- http://sh#####legranville.net/index.php
- http://ge#####nerowbottom.net/index.php
- http://gr#####orgranville.net/index.php
- http://sh#####lerowbottom.net/index.php
- http://br#####iagranville.net/index.php
- http://gr#####orrowbottom.net/index.php
- http://gr#####orcarpenter.net/index.php
- http://sh#####lecarpenter.net/index.php
- http://he#####tarowbottom.net/index.php
- http://br#####terowbottom.net/index.php
- http://he#####tagranville.net/index.php
- http://je#####onrowbottom.net/index.php
- http://je#####oncarpenter.net/index.php
- http://br#####tecarpenter.net/index.php
- http://he#####tacarpenter.net/index.php
- http://ge#####necarpenter.net/index.php
- http://ge#####nerupertson.net/index.php
- http://ge#####negranville.net/index.php
- http://he#####tarupertson.net/index.php
- http://ga#####lerowbottom.net/index.php
- http://jo#####nesherisse.net/index.php
- http://an#####larowbottom.net/index.php
- http://an#####lacarpenter.net/index.php
- http://ga#####lecarpenter.net/index.php
- http://jo#####neharriett.net/index.php
- http://se#####naharriett.net/index.php
- http://se#####nacapricia.net/index.php
- http://se#####nasherisse.net/index.php
- http://jo#####necapricia.net/index.php
- http://ga#####lerupertson.net/index.php
- http://br#####iacarpenter.net/index.php
- http://ga#####lacarpenter.net/index.php
- http://ga#####larupertson.net/index.php
- http://ga#####lagranville.net/index.php
- http://br#####iarupertson.net/index.php
- http://ga#####legranville.net/index.php
- http://an#####larupertson.net/index.php
- http://an#####lagranville.net/index.php
- http://br#####iarowbottom.net/index.php
- http://ga#####larowbottom.net/index.php
UDP:
- DNS ASK ra#####leharriett.net
- DNS ASK co#####erkatharyn.net
- DNS ASK co#####erharriett.net
- DNS ASK co#####ercapricia.net
- DNS ASK ra#####lecapricia.net
- DNS ASK co#####uscapricia.net
- DNS ASK ma#####necapricia.net
- DNS ASK ma#####nesherisse.net
- DNS ASK ra#####lekatharyn.net
- DNS ASK co#####ussherisse.net
- DNS ASK ra#####lesherisse.net
- DNS ASK tr#####ancapricia.net
- DNS ASK se#####ercapricia.net
- DNS ASK se#####ersherisse.net
- DNS ASK se#####nakatharyn.net
- DNS ASK tr#####ansherisse.net
- DNS ASK se#####erkatharyn.net
- DNS ASK co#####ersherisse.net
- DNS ASK tr#####ankatharyn.net
- DNS ASK tr#####anharriett.net
- DNS ASK se#####erharriett.net
- DNS ASK ka#####necapricia.net
- DNS ASK co#####necapricia.net
- DNS ASK co#####nesherisse.net
- DNS ASK sh#####nekatharyn.net
- DNS ASK ka#####nesherisse.net
- DNS ASK co#####nekatharyn.net
- DNS ASK ro#####ltsherisse.net
- DNS ASK ka#####nekatharyn.net
- DNS ASK ka#####neharriett.net
- DNS ASK co#####neharriett.net
- DNS ASK ch#####askatharyn.net
- DNS ASK ma#####nekatharyn.net
- DNS ASK ch#####assherisse.net
- DNS ASK co#####uskatharyn.net
- DNS ASK co#####usharriett.net
- DNS ASK ma#####neharriett.net
- DNS ASK ch#####asharriett.net
- DNS ASK sh#####neharriett.net
- DNS ASK sh#####necapricia.net
- DNS ASK sh#####nesherisse.net
- DNS ASK ch#####ascapricia.net
- DNS ASK jo#####nekatharyn.net
- DNS ASK gr#####orrupertson.net
- DNS ASK sh#####lerupertson.net
- DNS ASK sh#####legranville.net
- DNS ASK ge#####nerowbottom.net
- DNS ASK gr#####orgranville.net
- DNS ASK sh#####lerowbottom.net
- DNS ASK br#####iagranville.net
- DNS ASK gr#####orrowbottom.net
- DNS ASK gr#####orcarpenter.net
- DNS ASK sh#####lecarpenter.net
- DNS ASK he#####tarowbottom.net
- DNS ASK br#####terowbottom.net
- DNS ASK he#####tagranville.net
- DNS ASK je#####onrowbottom.net
- DNS ASK je#####oncarpenter.net
- DNS ASK br#####tecarpenter.net
- DNS ASK he#####tacarpenter.net
- DNS ASK ge#####necarpenter.net
- DNS ASK ge#####nerupertson.net
- DNS ASK ge#####negranville.net
- DNS ASK he#####tarupertson.net
- DNS ASK ga#####lerowbottom.net
- DNS ASK jo#####nesherisse.net
- DNS ASK an#####larowbottom.net
- DNS ASK an#####lacarpenter.net
- DNS ASK ga#####lecarpenter.net
- DNS ASK jo#####neharriett.net
- DNS ASK se#####naharriett.net
- DNS ASK se#####nacapricia.net
- DNS ASK se#####nasherisse.net
- DNS ASK jo#####necapricia.net
- DNS ASK ga#####lerupertson.net
- DNS ASK br#####iacarpenter.net
- DNS ASK ga#####lacarpenter.net
- DNS ASK ga#####larupertson.net
- DNS ASK ga#####lagranville.net
- DNS ASK br#####iarupertson.net
- DNS ASK ga#####legranville.net
- DNS ASK an#####larupertson.net
- DNS ASK an#####lagranville.net
- DNS ASK br#####iarowbottom.net
- DNS ASK ga#####larowbottom.net
