BackDoor.Maxplus.1343

Техническая информация

Для обеспечения автозапуска и распространения:

Модифицирует следующие ключи реестра:

[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001] 'LibraryPath' = 'mswsock.dll'
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003] 'LibraryPath' = 'mswsock.dll'
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008] 'PackedCatalogItem' = ''

Создает следующие сервисы:

[<HKLM>\SYSTEM\ControlSet001\Services\.afd] 'ImagePath' = '\?'

Вредоносные функции:

Внедряет код в

следующие системные процессы:

<SYSTEM32>\winlogon.exe
%WINDIR%\Explorer.EXE

Изменения в файловой системе:

Создает следующие файлы:

%WINDIR%\$NtUninstallKB27979$\4121336045\@
%WINDIR%\$NtUninstallKB27979$\4121336045\cfg.ini
%WINDIR%\$NtUninstallKB27979$\4121336045\Desktop.ini
%WINDIR%\$NtUninstallKB27979$\4121336045\L\alehhooo

Сетевая активность:

Подключается к:

'65.##.109.157':34354
'24.##1.68.205':34354
'86.#5.92.76':34354
'70.##.68.207':34354
'70.##1.84.58':34354
'75.##.37.129':34354
'18#.#9.119.22':34354
'46.##.230.181':34354
'75.##.71.192':34354
'97.##.200.239':34354
'69.##2.11.83':34354
'74.##7.13.54':34354
'70.##1.162.246':34354
'71.##6.180.136':34354
'46.##8.128.24':34354
'71.##.130.106':34354
'10#.#6.60.28':34354
'66.##7.205.64':34354
'75.##4.92.199':34354
'76.#23.95.0':34354
'68.#1.5.107':34354
'65.##.168.131':34354
'71.##.200.112':34354
'98.##4.101.186':34354
'17#.#97.59.48':34354
'72.##3.211.140':34354
'74.##.70.193':34354
'74.#8.57.84':34354
'98.##5.221.100':34354
'97.##.194.154':34354
'69.##9.231.117':34354
'15#.#81.140.34':34354
'98.##2.192.206':34354
'75.#.194.143':34354
'74.##.80.111':34354
'98.##0.29.143':34354
'50.#1.22.46':34354
'66.##.172.166':34354
'66.##.63.240':34354
'83.##5.22.126':34354
'99.##5.168.225':34354
'68.##7.132.61':34354
'68.##.202.93':34354
'76.##5.248.120':34354
'72.##7.31.168':34354
'17#.#8.237.99':34354
'96.##.12.228':34354
'98.##7.21.143':34354
'98.##0.0.134':34354
'2.###.244.149':34354
'12#.#33.85.28':34354
'18#.#7.177.135':34354
'98.##4.62.28':34354
'90.##9.14.44':34354
'75.##3.144.111':34354
'70.##9.223.41':34354
'98.##5.128.92':34354
'17#.#03.23.173':34354
'75.##5.39.205':34354
'24.##3.34.41':34354
'67.##.243.156':34354
'91.##.39.109':34354
'75.##.150.59':34354
'68.##4.76.152':34354
'96.##.145.194':34354
'24.##.89.247':34354
'50.#3.81.47':34354
'68.#2.6.52':34354
'70.##.218.103':34354
'75.##0.216.113':34354
'70.##3.184.75':34354
'79.##.28.147':34354
'98.##1.41.151':34354
'71.##9.118.7':34354
'67.#6.3.86':34354
'71.##1.237.144':34354
'71.##2.73.142':34354
'66.##2.240.251':34354
'12#.#25.103.228':34354
'74.##4.111.212':34354
'18#.#2.251.171':34354
'76.##1.140.114':34354
'88.##.172.195':34354
'68.##6.172.159':34354
'50.##.146.136':34354
'71.##7.65.162':34354
'24.#.253.185':34354
'97.##.132.167':34354
'76.##0.151.89':34354
'67.##1.84.28':34354
'10#.8.29.15':34354
'65.##8.238.181':34354
'10#.#7.87.83':34354
'94.##9.233.6':34354
'17#.#8.251.57':34354
'71.##5.103.112':34354
'76.##.41.241':34354
'75.##8.171.212':34354
'69.##7.223.212':34354
'98.##0.210.179':34354
'97.##0.169.194':34354
'24.##4.21.76':34354
'74.##5.125.228':34354
'76.#0.83.99':34354
'69.##7.70.222':34354
'18#.#97.217.205':34354
'46.##9.104.132':34354
'96.##.11.195':34354
'71.##8.188.1':34354
'67.##.44.219':34354
'18#.#63.76.14':34354
'76.##6.97.31':34354
'74.##5.107.16':34354
'96.##.250.75':34354
'70.##5.191.153':34354
'68.##3.142.202':34354
'98.#46.8.65':34354
'75.##7.123.208':34354
'68.##.165.62':34354
'69.##7.94.156':34354
'65.##.44.100':34354
'17#.#7.230.205':34354
'71.#1.201.1':34354
'61.##.104.222':34354
'98.##4.89.22':34354
'18#.#5.43.145':34354
'71.##7.185.65':34354
'70.##.39.193':34354
'24.##.38.218':34354
'74.#7.129.0':34354
'71.##.88.170':34354
'21#.#1.121.233':34354
'74.##.153.108':34354
'98.##4.99.59':34354
'70.##5.192.46':34354
'68.##.151.37':34354
'17#.#01.11.11':34354
'69.##9.180.248':34354
'76.##6.57.204':34354
'20#.#31.106.105':34354
'67.##.132.223':34354
'70.##8.151.228':34354
'72.##3.207.210':34354
'18#.#60.48.204':34354
'24.##1.36.95':34354
'18#.#61.27.131':34354
'66.##5.87.130':34354
'76.##9.118.143':34354
'19#.#5.175.151':34354
'98.##5.189.220':34354
'72.##8.78.153':34354
'71.##7.108.169':34354
'69.##0.164.192':34354
'70.##7.31.44':34354
'12.##0.232.109':34354
'67.##1.91.144':34354
'24.##1.170.235':34354
'68.##.131.31':34354
'18#.#4.41.134':34354
'24.##.194.195':34354
'76.##8.51.123':34354
'10#.#91.173.58':34354
'71.##5.155.68':34354
'69.##3.177.118':34354
'17#.#17.87.182':34354
'46.##9.31.74':34354
'17#.#4.132.249':34354
'98.##2.101.141':34354
'97.##.234.222':34354
'24.##1.170.6':34354
'98.##6.207.106':34354
'pr####.fling.com':80
'24.##2.250.28':34354
'98.##8.78.235':34354
'17#.#6.77.86':34354
'75.##8.38.13':34354
'24.##.141.17':34354
'94.##6.64.65':34354
'76.##0.105.26':34354
'76.##5.202.169':34354
'24.##.18.143':34354
'17#.#40.104.106':34354
'76.##.167.151':34354
'72.##5.67.147':34354
'76.##5.226.163':34354
'24.##6.203.119':34354
'10#.#.214.186':34354
'76.##1.203.162':34354
'67.##3.182.195':34354
'92.##4.70.139':34354
'68.#.252.87':34354
'19#.#12.66.232':34354
'10#.#.252.160':34354
'96.##.20.164':34354
'71.##.48.193':34354
'71.##8.209.48':34354
'17#.#09.176.226':34354
'76.##0.91.110':34354
'24.##.45.166':34354
'76.##7.122.225':34354
'19#.#13.108.128':34354
'74.##.36.189':34354
'69.##4.50.156':34354
'20#.#55.4.85':34354
'64.##9.168.14':34354
'68.##.111.110':34354
'75.#5.36.62':34354
'98.##2.101.207':34354
'95.##9.46.51':34354
'76.##9.151.19':34354
'20#.#22.50.34':34354
'74.##5.176.55':34354
'67.##1.148.202':34354
'10#.#0.249.4':34354
'24.##.178.250':34354
'76.##0.189.123':34354
'75.##2.83.37':34354
'17#.#0.200.120':34354
'24.##4.20.114':34354
'19#.#2.214.164':34354
'67.##.72.107':34354
'12#.#77.62.186':34354
'50.##3.12.44':34354
'18#.17.6.39':34354
'69.##4.99.156':34354
'69.##.235.228':34354
'76.##3.96.94':34354
'17#.#22.146.185':34354
'98.#9.253.7':34354
'80.##1.49.64':34354
'82.##.35.112':34354
'24.##0.153.78':34354
'75.#0.150.2':34354
'50.##.197.197':34354
'66.##.161.239':34354
'24.##3.72.213':34354
'91.##.238.22':34354
'66.##3.101.147':34354
'98.#28.17.4':34354
'67.##1.145.184':34354
'74.##.153.15':34354
'24.##5.242.136':34354
'86.#.37.170':34354
'98.##2.21.222':34354
'10#.#8.112.251':34354
'82.##1.201.248':34354
'71.##4.145.132':34354
'99.##.201.128':34354
'72.##5.62.251':34354
'71.##.141.62':34354
'75.##0.119.37':34354
'67.##.163.254':34354
'69.##3.225.186':34354
'64.##.195.204':34354
'71.##6.136.91':34354
'96.##.165.170':34354
'76.##.125.255':34354

TCP:

Запросы HTTP GET:

pr####.fling.com/geo/txt/city.php

UDP:

DNS ASK pr####.fling.com
'localhost':752
'8.#.8.8':1035

Технологии

Термины

Обучение и просвещение

Мифы

Техническая информация

Рекомендации по лечению

Демо бесплатно на 14 дней