Trojan.DownLoader5.28476

Техническая информация

Для обеспечения автозапуска и распространения:

Модифицирует следующие ключи реестра:

[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001] 'LibraryPath' = 'mswsock.dll'
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003] 'LibraryPath' = 'mswsock.dll'
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008] 'PackedCatalogItem' = ''

Создает следующие сервисы:

[<HKLM>\SYSTEM\ControlSet001\Services\.afd] 'ImagePath' = '\*'

Вредоносные функции:

Внедряет код в

следующие системные процессы:

<SYSTEM32>\winlogon.exe
%WINDIR%\Explorer.EXE

Изменения в файловой системе:

Создает следующие файлы:

%WINDIR%\$NtUninstallKB27979$\4121336045\cfg.ini
%WINDIR%\$NtUninstallKB27979$\4121336045\@
%WINDIR%\$NtUninstallKB27979$\4121336045\Desktop.ini
%WINDIR%\$NtUninstallKB27979$\4121336045\L\alehhooo

Сетевая активность:

Подключается к:

'19#.#40.125.86':34354
'17#.#4.223.49':34354
'62.##3.135.202':34354
'10#.5.30.57':34354
'71.##9.201.43':34354
'17#.#08.38.61':34354
'76.##8.153.85':34354
'15#.#3.95.175':34354
'69.##2.40.95':34354
'18#.#58.23.134':34354
'70.##2.218.96':34354
'50.#2.85.95':34354
'67.##.79.172':34354
'68.##9.163.252':34354
'75.##8.203.164':34354
'71.#1.100.3':34354
'71.##.252.75':34354
'17#.#22.222.195':34354
'18#.#45.248.246':34354
'88.##8.135.185':34354
'76.##6.74.185':34354
'24.##6.174.196':34354
'10#.#10.182.76':34354
'69.##5.205.70':34354
'75.##7.151.64':34354
'76.##.110.182':34354
'66.##.197.198':34354
'24.##4.122.64':34354
'10#.#38.130.193':34354
'84.#.161.191':34354
'71.##.146.78':34354
'75.##.143.197':34354
'18#.#31.67.13':34354
'68.##.16.240':34354
'46.##.60.120':34354
'94.##.85.241':34354
'69.##.223.226':34354
'12#.#1.132.225':34354
'24.##6.221.122':34354
'17#.#6.183.23':34354
'24.##6.139.71':34354
'70.##5.235.111':34354
'17#.#40.83.135':34354
'11#.#99.159.15':34354
'24.##0.52.120':34354
'18#.#32.42.14':34354
'17#.#7.134.177':34354
'67.##0.22.163':34354
'11#.#24.40.152':34354
'93.##.201.216':34354
'50.##.46.221':34354
'68.##4.2.219':34354
'68.##.206.214':34354
'98.##9.221.48':34354
'74.##2.72.153':34354
'69.##3.107.216':34354
'66.#1.2.106':34354
'72.##1.35.224':34354
'77.##2.79.38':34354
'85.#4.6.148':34354
'11#.#4.47.43':34354
'24.##1.67.134':34354
'72.##0.152.148':34354
'50.##.169.17':34354
'2.###.80.239':34354
'98.##3.47.112':34354
'74.##7.4.237':34354
'69.##7.162.144':34354
'19#.#09.61.138':34354
'24.#.83.118':34354
'74.##.74.141':34354
'10#.#.152.16':34354
'68.#.78.225':34354
'89.##6.196.34':34354
'68.##0.154.146':34354
'17#.8.1.225':34354
'67.##.131.229':34354
'24.##2.178.235':34354
'75.##5.38.110':34354
'18#.#8.52.110':34354
'17#.#0.9.248':34354
'76.##5.31.209':34354
'41.##1.59.10':34354
'50.##6.86.190':34354
'68.##8.170.6':34354
'17#.#9.243.249':34354
'98.##4.194.206':34354
'71.##.200.197':34354
'72.##9.251.118':34354
'75.##9.12.14':34354
'10#.#00.76.228':34354
'18#.#14.31.244':34354
'67.##0.164.11':34354
'98.##6.234.244':34354
'24.##2.234.134':34354
'67.##9.241.12':34354
'75.##0.158.57':34354
'18#.#8.126.174':34354
'24.##.252.60':34354
'78.##.164.58':34354
'75.#5.69.54':34354
'17#.#58.72.51':34354
'68.##1.162.55':34354
'67.##.103.173':34354
'74.##.191.80':34354
'69.##6.100.182':34354
'67.##4.115.1':34354
'67.##7.198.255':34354
'17#.#68.123.180':34354
'68.##4.19.179':34354
'24.##.161.63':34354
'24.##0.159.62':34354
'18#.#49.27.221':34354
'71.##3.131.102':34354
'71.##.98.100':34354
'15#.#1.196.101':34354
'17#.#28.111.41':34354
'72.##4.30.104':34354
'21#.#17.195.102':34354
'11#.#34.190.150':34354
'24.#1.4.96':34354
'70.##5.39.97':34354
'68.##7.162.87':34354
'68.##.60.168':34354
'20#.#7.223.153':34354
'68.##.162.54':34354
'62.##.187.48':34354
'18#.#39.1.162':34354
'68.##.65.125':34354
'71.##.56.173':34354
'97.##.166.37':34354
'70.##8.238.113':34354
'98.#0.77.82':34354
'64.##.144.168':34354
'72.##3.61.74':34354
'17#.#73.0.137':34354
'24.##1.28.90':34354
'24.#.248.200':34354
'76.##9.231.102':34354
'98.##3.107.74':34354
'62.##.103.137':34354
'17#.#8.246.204':34354
'11#.#49.147.234':34354
'67.##9.33.220':34354
'98.##5.236.255':34354
'76.#1.7.122':34354
'98.##1.84.201':34354
'84.##4.110.168':34354
'71.##9.174.10':34354
'18#.#3.179.161':34354
'46.##7.71.132':34354
'68.##.178.140':34354
'74.##9.29.15':34354
'17#.#0.192.74':34354
'92.#2.46.27':34354
'85.##.118.14':34354
'67.#1.76.44':34354
'10#.#91.162.86':34354
'17#.#6.195.133':34354
'71.##.200.190':34354
'68.##5.121.32':34354
'17#.#17.206.233':34354
'17#.#3.166.169':34354
'68.##5.152.152':34354
'10#.4.31.88':34354
'10#.#99.236.84':34354
'71.##.83.111':34354
'69.##9.200.73':34354
'46.#5.9.100':34354
'78.##.169.61':34354
'11#.#7.182.54':34354
'localhost':80
'77.##.175.239':34354
'12#.#95.116.85':34354
'76.##8.133.216':34354
'10#.#5.164.8':34354
'71.##.178.162':34354
'64.#3.33.79':34354
'11#.#7.95.88':34354
'10#.#37.38.46':34354
'76.##6.180.26':34354
'71.#5.32.68':34354
'68.##.151.37':34354
'62.#8.58.47':34354
'75.##6.34.51':34354
'98.##0.128.97':34354
'17#.8.3.191':34354
'46.##.238.185':34354
'18#.#7.171.152':34354
'76.##1.140.213':34354
'71.##1.21.220':34354
'17#.#6.175.163':34354
'18#.#8.194.172':34354
'71.##.104.107':34354
'74.##.254.77':34354
'95.#7.5.170':34354
'69.##2.101.170':34354
'99.##7.153.101':34354
'76.##.149.123':34354
'72.##4.106.81':34354
'71.##7.6.181':34354
'65.#7.168.4':34354
'24.##6.64.225':34354
'70.##3.235.2':34354
'98.##7.177.162':34354
'59.##.245.69':34354
'11#.#39.69.242':34354
'71.#2.145.3':34354
'70.#2.30.25':34354
'10#.#54.14.3':34354
'91.##.184.162':34354
'67.#81.9.70':34354
'75.##8.242.214':34354
'24.##.102.129':34354
'68.##3.252.142':34354
'95.##.164.20':34354
'98.#34.6.45':34354
'12#.#44.82.89':34354
'72.##7.171.170':34354
'15#.#4.252.39':34354
'14#.#55.69.50':34354
'76.##0.190.152':34354
'17#.#6.254.233':34354
'17#.#6.79.202':34354
'88.##2.253.109':34354
'67.##9.5.123':34354
'17#.#51.175.240':34354
'50.##.23.100':34354
'67.##.113.163':34354
'71.##.60.212':34354
'20#.#4.34.190':34354
'17#.#4.53.103':34354
'86.##.216.149':34354
'74.##4.240.243':34354
'98.##2.136.48':34354
'92.##.190.83':34354
'68.##4.129.200':34354
'91.##7.60.22':34354
'20#.#13.240.25':34354
'79.##2.228.198':34354
'70.##7.69.177':34354
'17#.#0.239.154':34354
'78.##.132.48':34354
'89.##6.202.213':34354
'17#.#6.69.211':34354
'69.##2.8.241':34354
'31.##.243.160':34354
'18#.#8.133.118':34354
'67.##.150.87':34354
'66.##8.97.247':34354
'70.##5.20.218':34354
'76.##4.122.139':34354
'75.##.249.31':34354
'74.##.91.114':34354
'21#.#06.48.183':34354
'18#.#4.161.160':34354
'75.##9.166.72':34354

TCP:

Запросы HTTP GET:

eg##kkid.cn/stat2.php?&a#################
eg##kkid.cn/stat2.php?&a################

Технологии

Термины

Обучение и просвещение

Мифы

Техническая информация

Рекомендации по лечению

Демо бесплатно на 14 дней