BackDoor.Maxplus.247

Техническая информация

Для обеспечения автозапуска и распространения:

Модифицирует следующие ключи реестра:

[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001] 'LibraryPath' = 'mswsock.dll'
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003] 'LibraryPath' = 'mswsock.dll'
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000013] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000014] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000015] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000012] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011] 'PackedCatalogItem' = ''

Создает следующие сервисы:

[<HKLM>\SYSTEM\ControlSet001\Services\.ipsec] 'ImagePath' = '\*'

Вредоносные функции:

Запускает на исполнение:

%WINDIR%\explorer.exe

Внедряет код в

следующие системные процессы:

<SYSTEM32>\winlogon.exe

Изменения в файловой системе:

Создает следующие файлы:

%WINDIR%\$NtUninstallKB48617$\2804554435\cfg.ini
%WINDIR%\$NtUninstallKB48617$\2804554435\@
%WINDIR%\$NtUninstallKB48617$\2804554435\Desktop.ini
%WINDIR%\$NtUninstallKB48617$\2804554435\L\acbrwqkz

Самоудаляется.

Сетевая активность:

Подключается к:

'76.##7.121.92':34354
'91.##.187.144':34354
'72.##3.139.85':34354
'66.##.173.135':34354
'67.##.231.209':34354
'19#.#6.180.101':34354
'76.##.67.139':34354
'99.#.79.188':34354
'24.##6.235.126':34354
'24.##8.150.165':34354
'20#.#90.30.251':34354
'95.##.221.153':34354
'2.###.12.231':34354
'18#.#62.203.94':34354
'12#.#20.171.249':34354
'10#.#27.30.220':34354
'71.##.62.192':34354
'18#.#7.197.102':34354
'70.##3.202.67':34354
'69.##9.72.166':34354
'17#.#1.57.164':34354
'68.##.201.64':34354
'24.##1.18.224':34354
'18#.#0.128.11':34354
'76.##5.55.35':34354
'11#.#00.163.13':34354
'60.##.180.108':34354
'95.##.101.146':34354
'19#.#6.57.15':34354
'75.##5.19.230':34354
'20#.#.122.27':34354
'99.##.47.119':34354
'17#.#25.146.224':34354
'97.##.217.46':34354
'19#.#2.129.103':34354
'76.#1.83.97':34354
'76.##0.175.62':34354
'67.##1.44.115':34354
'95.#7.17.55':34354
'68.##9.31.150':34354
'17#.#8.249.195':34354
'24.##2.235.113':34354
'18#.#80.4.91':34354
'12#.#43.210.34':34354
'76.##7.183.13':34354
'24.##.111.238':34354
'19#.#13.219.200':34354
'95.##.76.191':34354
'17#.#0.231.224':34354
'95.##.250.113':34354
'92.##.132.74':34354
'12#.#6.136.240':34354
'18#.#9.1.130':34354
'11#.#11.198.48':34354
'71.##7.84.203':34354
'18#.#90.146.171':34354
'12#.#45.67.63':34354
'98.##.173.144':34354
'97.##.137.156':34354
'98.##9.240.81':34354
'95.##.238.55':34354
'95.##.15.159':34354
'17#.#02.168.248':34354
'71.#3.46.67':34354
'18#.#79.9.127':34354
'76.##0.182.52':34354
'76.##.13.225':34354
'18#.#95.78.207':34354
'19#.#55.211.82':34354
'92.##.198.68':34354
'20#.#.156.27':34354
'72.##8.64.206':34354
'76.##.57.100':34354
'70.##2.217.129':34354
'95.##0.108.76':34354
'98.##0.66.154':34354
'58.##.72.107':34354
'21#.#30.122.125':34354
'11#.#34.13.21':34354
'71.##6.8.200':34354
'75.##1.21.254':34354
'19#.#42.237.32':34354
'67.##.71.247':34354
'2.##2.61.47':34354
'74.##5.72.44':34354
'85.##.118.14':34354
'21#.#3.104.251':34354
'17#.#3.16.239':34354
'96.##.193.176':34354
'10#.#10.113.72':34354
'19#.#7.80.30':34354
'11#.#9.143.187':34354
'18#.27.4.86':34354
'84.##0.204.219':34354
'75.##.195.146':34354
'20#.#60.156.117':34354
'11#.#9.140.134':34354
'91.##8.154.141':34354
'92.##.41.105':34354
'59.##3.3.140':34354
'19#.#3.100.40':34354
'98.##7.91.139':34354
'68.##9.41.102':34354
'<IP-адрес в локальной сети>':34354
'74.#60.4.37':34354
'17#.#34.213.14':34354
'17#.#6.249.14':34354
'68.##1.218.246':34354
'76.##9.229.66':34354
'19#.#74.186.227':34354
'64.##0.211.100':34354
'17#.58.55.5':34354
'24.##7.85.144':34354
'75.#31.4.28':34354
'71.##.109.113':34354
'31.##.201.75':34354
'19#.#79.174.161':34354
'18#.#3.171.39':34354
'18#.#3.56.11':34354
'68.##9.253.108':34354
'20#.#2.244.15':34354
'10#.#5.41.18':34354
'24.##0.233.137':34354
'10#.#34.129.5':34354
'19#.#4.0.231':34354
'75.##9.43.241':34354
'20#.#4.171.188':34354
'17#.#7.243.48':34354
'19#.#6.228.49':34354
'75.##7.180.42':34354
'71.##.147.150':34354
'92.#6.30.60':34354
'98.##3.90.117':34354
'20#.#17.18.154':34354
'61.##.104.19':34354
'71.##.166.230':34354
'71.##6.195.169':34354
'70.##5.242.231':34354
'95.#9.68.79':34354
'99.##2.55.82':34354
'14.##6.86.153':34354
'68.##.237.15':34354
'97.##.91.218':34354
'95.#8.16.15':34354
'76.##.77.206':34354
'10#.#8.195.111':34354
'75.##8.145.121':34354
'66.##7.157.253':34354
'66.##9.186.165':34354
'96.##.69.138':34354
'16#.#30.134.216':34354
'18#.#9.85.90':34354
'98.##8.21.180':34354
'19#.#9.126.146':34354
'72.##2.46.52':34354
'12#.#20.213.150':34354
'17#.#17.170.166':34354
'11#.#40.36.49':34354
'20#.#8.62.115':34354
'20#.#37.171.250':34354
'79.##4.168.27':34354
'21#.#1.203.111':34354
'18#.#92.196.216':34354
'78.##4.161.52':34354
'58.#.210.147':34354
'69.##.207.73':34354
'76.##2.216.148':34354
'70.##1.221.131':34354
'46.##.59.238':34354
'71.##8.32.42':34354
'68.##4.52.187':34354
'localhost':80
'65.##3.173.245':34354
'98.##7.7.218':34354
'11#.#7.191.77':34354
'24.##.14.197':34354
'89.##6.116.100':34354
'84.##.103.153':34354
'67.#8.216.3':34354
'97.##.57.148':34354
'72.##.241.244':34354
'98.##3.220.216':34354
'99.##.170.223':34354
'72.##5.210.130':34354
'65.##.100.30':34354
'72.##.115.77':34354
'10#.#0.42.77':34354
'75.##.139.57':34354
'10#.#11.85.61':34354
'17#.#0.14.151':34354
'99.##.210.201':34354
'67.#40.31.6':34354
'17#.#06.144.174':34354
'24.##3.39.19':34354
'95.##.216.233':34354
'18#.#.119.141':34354
'24.##3.108.4':34354
'75.##3.118.100':34354
'50.##.27.114':34354
'95.##0.184.168':34354
'71.##9.83.167':34354
'76.##.142.147':34354
'92.##.224.41':34354
'70.##7.210.115':34354
'95.##.217.106':34354
'41.##.158.105':34354
'18#.#8.68.149':34354
'19#.#77.197.199':34354
'98.##.85.131':34354
'17#.#6.30.131':34354
'19#.#7.20.154':34354
'20#.#.207.196':34354
'10#.#.203.211':34354
'12.##.162.29':34354
'95.##.252.84':34354
'71.##9.76.136':34354
'18#.#84.123.90':34354
'69.##9.194.199':34354
'95.##.104.181':34354
'10#.#01.171.177':34354
'69.##6.67.147':34354
'19#.#07.167.131':34354
'18#.#72.9.239':34354
'24.##4.6.247':34354
'83.##8.207.202':34354
'17#.#9.157.26':34354
'18#.#95.70.249':34354
'24.##2.232.174':34354
'18#.#9.156.45':34354
'19#.#77.164.172':34354
'18#.#3.152.131':34354
'75.##7.123.252':34354
'10#.#35.4.128':34354
'11#.#54.50.38':34354
'68.##.124.200':34354
'24.#.194.28':34354
'69.##7.214.101':34354
'76.##.187.171':34354
'68.##5.213.104':34354
'67.##.211.51':34354
'18#.#23.117.131':34354
'18#.#2.112.181':34354
'20#.#7.208.206':34354
'68.##4.163.57':34354
'95.##.204.222':34354
'92.#6.5.177':34354
'18#.#3.136.165':34354
'17#.#37.15.64':34354
'17#.#40.211.121':34354
'18#.#54.116.221':34354
'21#.#5.68.60':34354
'11#.#01.170.179':34354
'67.##6.211.184':34354
'17#.#1.186.43':34354
'17#.#7.3.240':34354
'18#.#84.141.217':34354
'12#.#3.147.117':34354

TCP:

Запросы HTTP GET:

localhost/stat2.php?w=#################################################
localhost/stat2.php?w=################################################

Технологии

Термины

Обучение и просвещение

Мифы

Техническая информация

Рекомендации по лечению

Демо бесплатно на 14 дней