Trojan.DownLoader5.32154

Техническая информация

Для обеспечения автозапуска и распространения:

Модифицирует следующие ключи реестра:

[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001] 'LibraryPath' = 'mswsock.dll'
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003] 'LibraryPath' = 'mswsock.dll'
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008] 'PackedCatalogItem' = ''

Создает следующие сервисы:

[<HKLM>\SYSTEM\ControlSet001\Services\.<Служебное имя>] 'ImagePath' = '\*'

Вредоносные функции:

Внедряет код в

следующие системные процессы:

<SYSTEM32>\winlogon.exe
%WINDIR%\Explorer.EXE

Изменения в файловой системе:

Создает следующие файлы:

%WINDIR%\$NtUninstallKB27979$\4121336045\cfg.ini
%WINDIR%\$NtUninstallKB27979$\4121336045\@
%WINDIR%\$NtUninstallKB27979$\4121336045\Desktop.ini
%WINDIR%\$NtUninstallKB27979$\4121336045\L\alehhooo

Самоудаляется.

Сетевая активность:

Подключается к:

'76.#09.9.52':34354
'71.##.252.81':34354
'17#.#97.75.33':34354
'67.##4.191.138':34354
'46.##.11.149':34354
'18#.#6.134.158':34354
'97.#5.52.90':34354
'66.##0.235.80':34354
'18#.#7.166.121':34354
'24.##8.31.90':34354
'97.##.247.37':34354
'76.##5.104.121':34354
'69.##2.25.89':34354
'79.##8.41.35':34354
'67.##2.76.123':34354
'24.##.78.124':34354
'17#.#8.156.215':34354
'68.##.145.22':34354
'17#.#2.107.23':34354
'24.##1.198.209':34354
'17#.#8.105.233':34354
'98.##4.158.234':34354
'78.##1.105.16':34354
'68.##.178.63':34354
'84.##8.141.164':34354
'24.#.61.74':34354
'15#.#4.157.160':34354
'10#.#3.19.52':34354
'68.##.184.185':34354
'67.##6.102.29':34354
'98.##8.221.167':34354
'17#.#7.135.169':34354
'70.##0.64.30':34354
'17#.#5.173.169':34354
'95.##.125.95':34354
'18#.#23.194.184':34354
'98.##.146.159':34354
'74.##.149.88':34354
'20#.#08.107.210':34354
'24.##1.114.192':34354
'77.#8.26.76':34354
'66.##.92.123':34354
'88.##.91.122':34354
'19#.#35.153.162':34354
'20#.7.73.32':34354
'93.##2.48.63':34354
'24.#6.62.55':34354
'98.##.107.233':34354
'83.##1.24.26':34354
'70.##5.88.169':34354
'76.#6.207.3':34354
'69.##4.22.142':34354
'17#.#7.170.113':34354
'98.##4.33.96':34354
'71.##8.115.108':34354
'66.##6.128.108':34354
'19#.#06.49.227':34354
'98.##3.122.44':34354
'76.##0.229.209':34354
'24.##8.85.46':34354
'75.##6.102.144':34354
'76.##2.255.141':34354
'71.##6.5.147':34354
'18#.#2.176.159':34354
'89.##5.243.24':34354
'98.#19.1.24':34354
'96.#1.56.26':34354
'17#.#0.170.192':34354
'19#.#20.164.216':34354
'98.##5.200.220':34354
'18#.#2.76.195':34354
'98.##2.80.201':34354
'69.##6.71.168':34354
'46.#46.8.31':34354
'68.##9.171.150':34354
'99.##4.164.163':34354
'67.#5.61.27':34354
'75.##7.67.26':34354
'18#.#36.219.183':34354
'75.##8.163.186':34354
'67.##.60.240':34354
'95.##.135.250':34354
'68.##.191.115':34354
'98.##2.113.98':34354
'66.##1.177.52':34354
'75.#3.80.52':34354
'98.##3.86.47':34354
'71.##9.170.251':34354
'74.##2.35.187':34354
'92.##0.50.123':34354
'98.##4.109.56':34354
'76.##.82.130':34354
'17#.#9.160.117':34354
'18#.#07.36.11':34354
'17#.#72.156.121':34354
'10#.#2.161.12':34354
'98.##1.59.68':34354
'75.##3.165.70':34354
'18#.#94.144.56':34354
'68.##.214.62':34354
'31.##5.132.254':34354
'85.##7.137.77':34354
'96.##.157.72':34354
'19#.#5.155.254':34354
'17#.#02.220.188':34354
'99.#5.228.6':34354
'69.##3.197.7':34354
'10#.#.42.247':34354
'24.##0.164.255':34354
'67.##1.193.1':34354
'75.##8.240.56':34354
'75.##.142.55':34354
'10#.#0.40.225':34354
'13#.#4.105.18':34354
'99.##4.167.226':34354
'10#.#64.92.11':34354
'74.##2.229.34':34354
'17#.#7.61.222':34354
'24.#9.42.5':34354
'74.##.197.19':34354
'75.#5.40.89':34354
'98.##.96.233':34354
'72.##3.177.83':34354
'96.#0.87.84':34354
'70.##1.76.106':34354
'61.##0.51.115':34354
'18#.#73.251.103':34354
'24.#3.8.104':34354
'68.##.167.149':34354
'21#.#11.133.110':34354
'24.##.223.139':34354
'17#.#34.29.64':34354
'46.##.238.185':34354
'21#.#6.41.201':34354
'76.##2.109.93':34354
'18#.#10.13.171':34354
'67.##.13.187':34354
'98.##4.243.26':34354
'87.##.91.102':34354
'71.##2.53.38':34354
'71.#4.14.73':34354
'76.##0.139.139':34354
'70.##9.111.242':34354
'17#.#0.72.222':34354
'17#.#6.103.224':34354
'77.##1.161.2':34354
'72.##8.73.187':34354
'19#.#02.240.32':34354
'67.##1.122.80':34354
'92.##.216.20':34354
'10#.#8.95.212':34354
'98.#28.17.4':34354
'76.##.16.166':34354
'68.##6.190.45':34354
'70.#2.94.80':34354
'17#.#75.21.168':34354
'68.##.79.125':34354
'17#.#03.220.99':34354
'19#.#6.192.168':34354
'24.##1.78.55':34354
'71.#5.46.61':34354
'46.##2.95.54':34354
'78.##.125.247':34354
'71.##9.32.111':34354
'92.##.203.69':34354
'65.##.100.162':34354
'17#.#8.13.182':34354
'11#.#03.237.63':34354
'84.##0.222.126':34354
'76.##.218.58':34354
'71.##5.179.100':34354
'localhost':80
'69.##1.60.89':34354
'24.#2.65.33':34354
'70.##2.115.80':34354
'76.##.133.152':34354
'69.##.244.110':34354
'95.#4.250.7':34354
'75.#5.30.47':34354
'70.##.133.56':34354
'18#.#5.128.128':34354
'66.##8.248.173':34354
'50.#.248.225':34354
'92.##4.175.202':34354
'76.##9.48.111':34354
'71.##.217.160':34354
'19#.#12.115.231':34354
'24.##4.49.94':34354
'94.##1.238.104':34354
'96.##.35.219':34354
'17#.#68.200.96':34354
'71.##.199.140':34354
'68.##.65.218':34354
'24.##1.208.243':34354
'98.##0.59.183':34354
'79.##6.106.137':34354
'71.##.135.73':34354
'11#.#98.242.225':34354
'17#.#7.155.217':34354
'99.##9.229.137':34354
'68.##0.55.130':34354
'24.##5.206.124':34354
'79.##3.242.128':34354
'75.##.10.228':34354
'99.##.240.146':34354
'75.##.34.201':34354
'69.##2.82.135':34354
'97.##.197.252':34354
'77.##4.167.129':34354
'74.##.79.242':34354
'71.##.56.173':34354
'17#.#7.94.118':34354
'98.##.239.46':34354
'68.##4.93.141':34354
'24.##.120.231':34354
'76.##.212.176':34354
'17#.#34.212.206':34354
'98.##4.236.152':34354
'68.#1.78.99':34354
'76.##.127.69':34354
'69.##2.114.35':34354
'24.##.24.111':34354
'98.##2.131.177':34354
'76.##5.126.190':34354
'71.##.128.144':34354
'68.##.175.211':34354
'76.##3.235.138':34354
'72.##0.91.252':34354
'18#.#15.176.253':34354
'69.##9.94.246':34354
'72.##7.226.216':34354
'67.##0.169.72':34354
'17#.#.56.150':34354
'72.##2.74.251':34354
'75.##.74.237':34354
'24.##2.39.44':34354
'98.##1.163.85':34354
'81.##.195.54':34354
'71.##5.169.122':34354
'18#.#23.216.100':34354
'84.##2.27.181':34354
'94.##.25.205':34354
'69.##6.225.139':34354
'76.##6.233.145':34354
'10#.#6.139.242':34354
'71.##.134.112':34354
'76.##4.108.35':34354
'69.#6.8.233':34354
'21#.#81.101.10':34354
'24.##.90.252':34354
'72.##7.44.23':34354
'17#.#78.88.57':34354
'83.##5.40.21':34354
'70.##3.132.232':34354
'71.##.129.44':34354
'78.##.53.130':34354
'24.##1.200.187':34354

TCP:

Запросы HTTP GET:

nw##bpes.cn/stat2.php?&a#################
nw##bpes.cn/stat2.php?&a################

Технологии

Термины

Обучение и просвещение

Мифы

Техническая информация

Рекомендации по лечению

Демо бесплатно на 14 дней