Trojan.DownLoader5.29329

Техническая информация

Для обеспечения автозапуска и распространения:

Модифицирует следующие ключи реестра:

[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001] 'LibraryPath' = 'mswsock.dll'
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003] 'LibraryPath' = 'mswsock.dll'
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008] 'PackedCatalogItem' = ''

Создает следующие сервисы:

[<HKLM>\SYSTEM\ControlSet001\Services\.mrxsmb] 'ImagePath' = '\*'

Вредоносные функции:

Внедряет код в

следующие системные процессы:

<SYSTEM32>\winlogon.exe
%WINDIR%\Explorer.EXE

Изменения в файловой системе:

Создает следующие файлы:

%WINDIR%\$NtUninstallKB27979$\4121336045\cfg.ini
%WINDIR%\$NtUninstallKB27979$\4121336045\@
%WINDIR%\$NtUninstallKB27979$\4121336045\Desktop.ini
%WINDIR%\$NtUninstallKB27979$\4121336045\L\alehhooo

Сетевая активность:

Подключается к:

'12#.#08.185.122':34354
'90.##8.252.232':34354
'95.##7.98.41':34354
'98.##4.184.84':34354
'68.#4.84.80':34354
'71.##6.239.88':34354
'75.##5.249.83':34354
'98.##.227.170':34354
'17#.#12.76.68':34354
'75.##.143.197':34354
'98.#06.2.68':34354
'76.##0.252.147':34354
'68.##2.4.181':34354
'24.##0.251.56':34354
'20#.#07.106.197':34354
'2.###.28.249':34354
'24.##.106.184':34354
'17#.#13.209.189':34354
'68.##2.230.182':34354
'96.##.113.183':34354
'68.##.158.201':34354
'17#.#5.115.68':34354
'50.##.250.93':34354
'60.##.73.166':34354
'76.##8.253.178':34354
'24.##.51.180':34354
'95.##.204.89':34354
'17#.#0.19.174':34354
'70.##.170.182':34354
'71.##1.46.74':34354
'24.##.178.170':34354
'15#.82.2.93':34354
'98.##4.236.152':34354
'71.##9.174.10':34354
'91.##8.69.86':34354
'24.##.189.44':34354
'76.##9.61.221':34354
'92.##.122.107':34354
'98.##1.67.79':34354
'17#.#1.174.152':34354
'66.#6.6.219':34354
'98.##6.50.58':34354
'24.##5.198.135':34354
'76.##1.113.220':34354
'98.##1.16.27':34354
'17#.#9.68.173':34354
'90.##9.159.207':34354
'98.##2.2.134':34354
'72.##3.101.224':34354
'11#.#95.73.103':34354
'71.##.189.40':34354
'71.##.231.57':34354
'68.##.44.207':34354
'17#.#18.68.159':34354
'24.##3.176.129':34354
'74.##2.247.64':34354
'17#.#90.66.219':34354
'17#.#0.221.4':34354
'98.##.131.41':34354
'24.#.235.23':34354
'75.#1.98.10':34354
'17#.#6.123.217':34354
'76.##3.146.32':34354
'24.##.59.153':34354
'67.##9.5.123':34354
'68.#2.88.87':34354
'75.##.162.118':34354
'24.#3.6.25':34354
'98.##3.61.244':34354
'50.##.18.245':34354
'71.##.77.237':34354
'17#.#1.172.241':34354
'18#.#10.83.118':34354
'12.##.110.131':34354
'98.#0.21.40':34354
'24.##4.49.116':34354
'68.##8.159.228':34354
'68.##.27.229':34354
'68.##3.244.227':34354
'20#.#2.169.29':34354
'74.##2.200.5':34354
'10#.#0.249.4':34354
'98.##.172.104':34354
'75.##3.205.250':34354
'87.##0.244.108':34354
'98.##5.66.141':34354
'20#.#31.106.105':34354
'59.#7.137.4':34354
'18#.#.123.16':34354
'71.##9.151.240':34354
'74.##.10.246':34354
'96.##.242.119':34354
'75.##2.28.169':34354
'98.##4.22.165':34354
'17#.#8.168.246':34354
'67.##1.238.13':34354
'11#.#41.218.211':34354
'98.##6.7.212':34354
'99.##2.78.210':34354
'17#.#1.12.200':34354
'68.#.244.103':34354
'50.##3.94.153':34354
'69.##1.68.214':34354
'70.##7.198.154':34354
'71.##6.209.67':34354
'98.##.207.201':34354
'24.#1.4.96':34354
'67.##9.20.98':34354
'75.##1.137.156':34354
'94.##.94.156':34354
'76.##8.255.201':34354
'75.##8.182.99':34354
'66.##.124.42':34354
'11#.#07.61.42':34354
'2.###.77.109':34354
'46.##6.134.220':34354
'92.#50.73.4':34354
'67.##6.237.48':34354
'17#.#55.244.109':34354
'98.##1.209.145':34354
'71.##.141.105':34354
'99.##0.189.219':34354
'60.##1.93.153':34354
'76.##4.32.105':34354
'41.##7.25.45':34354
'67.##4.193.44':34354
'10#.#7.76.49':34354
'67.#77.79.4':34354
'67.##.131.148':34354
'93.##2.164.75':34354
'68.##4.239.181':34354
'70.##3.126.51':34354
'12.##5.97.214':34354
'18#.#4.247.120':34354
'70.#5.99.94':34354
'17#.#3.242.105':34354
'93.##.248.122':34354
'75.#4.65.96':34354
'13#.#4.105.18':34354
'76.##.170.73':34354
'95.##.76.101':34354
'74.##.33.252':34354
'72.##2.213.246':34354
'71.##.59.222':34354
'95.##.180.232':34354
'17#.#5.208.167':34354
'50.##6.97.54':34354
'69.##4.111.65':34354
'10#.#18.77.247':34354
'98.##.142.195':34354
'98.##8.141.23':34354
'18#.#27.101.155':34354
'66.##.120.193':34354
'18#.#7.171.152':34354
'79.##3.224.184':34354
'97.#6.23.66':34354
'12#.#20.1.218':34354
'98.##9.26.12':34354
'98.##5.74.162':34354
'69.##7.158.53':34354
'68.##5.80.72':34354
'79.##9.35.74':34354
'67.##.114.210':34354
'92.##4.72.188':34354
'50.##.159.77':34354
'95.##.135.112':34354
'17#.#.91.155':34354
'71.##9.86.142':34354
'10#.#.106.166':34354
'68.##6.182.100':34354
'17#.#02.40.163':34354
'localhost':80
'64.##.218.191':34354
'85.##5.22.118':34354
'18#.#3.172.8':34354
'99.##.64.209':34354
'98.##9.89.44':34354
'17#.#71.202.104':34354
'17#.#9.190.232':34354
'70.##1.45.63':34354
'99.##.220.186':34354
'98.##.236.11':34354
'50.##.83.207':34354
'74.##.141.118':34354
'76.#9.188.0':34354
'95.##.106.227':34354
'87.##.91.102':34354
'69.##4.81.20':34354
'68.##.182.103':34354
'18#.#9.146.20':34354
'79.##3.193.196':34354
'69.##5.205.70':34354
'76.##.137.135':34354
'17#.#0.23.132':34354
'74.##7.24.115':34354
'71.##9.138.75':34354
'67.##5.253.134':34354
'85.##0.50.152':34354
'11#.#68.92.46':34354
'70.##8.113.20':34354
'65.##.160.171':34354
'75.##5.165.165':34354
'17#.#1.17.196':34354
'69.##6.91.69':34354
'98.##8.140.29':34354
'13#.#4.34.34':34354
'69.##.223.226':34354
'24.##0.159.62':34354
'69.##2.4.205':34354
'19#.#9.130.64':34354
'17#.#8.185.55':34354
'70.##8.9.218':34354
'71.##.142.93':34354
'69.##0.159.243':34354
'97.##.240.254':34354
'71.##.218.69':34354
'67.##1.254.233':34354
'18#.#44.66.152':34354
'66.##7.23.61':34354
'68.##4.60.239':34354
'68.##7.215.110':34354
'24.##0.52.120':34354
'71.##.135.73':34354
'71.##.24.116':34354
'98.##.197.21':34354
'70.##7.204.31':34354
'69.##2.208.79':34354
'78.##0.124.80':34354
'96.##.180.78':34354
'50.##.16.170':34354
'83.##.217.22':34354
'75.##.11.170':34354
'76.##.70.118':34354
'24.##.238.109':34354
'24.##.175.254':34354
'24.##9.226.31':34354
'98.##2.142.153':34354
'94.##3.248.213':34354
'98.##4.76.119':34354
'71.##9.100.65':34354
'76.##9.106.253':34354
'17#.#17.106.209':34354
'69.##0.92.218':34354
'95.##.70.104':34354
'70.##4.35.74':34354
'17#.#91.4.199':34354
'71.##.201.170':34354
'71.#1.9.87':34354
'75.##3.80.214':34354
'98.##.34.241':34354
'50.##.115.104':34354
'17#.#9.8.246':34354
'75.##2.5.182':34354
'67.##3.234.78':34354
'96.##.53.214':34354
'65.##.206.58':34354
'69.##5.220.28':34354

TCP:

Запросы HTTP GET:

eg##kkid.cn/stat2.php?&a################
eg##kkid.cn/stat2.php?&a###############

Технологии

Термины

Обучение и просвещение

Мифы

Техническая информация

Рекомендации по лечению

Демо бесплатно на 14 дней