Trojan.DownLoader5.29235

Техническая информация

Для обеспечения автозапуска и распространения:

Модифицирует следующие ключи реестра:

[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001] 'LibraryPath' = 'mswsock.dll'
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003] 'LibraryPath' = 'mswsock.dll'
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008] 'PackedCatalogItem' = ''

Создает следующие сервисы:

[<HKLM>\SYSTEM\ControlSet001\Services\.<Служебное имя>] 'ImagePath' = '\*'

Вредоносные функции:

Внедряет код в

следующие системные процессы:

<SYSTEM32>\winlogon.exe
%WINDIR%\Explorer.EXE

Изменения в файловой системе:

Создает следующие файлы:

%WINDIR%\$NtUninstallKB27979$\4121336045\cfg.ini
%WINDIR%\$NtUninstallKB27979$\4121336045\@
%WINDIR%\$NtUninstallKB27979$\4121336045\Desktop.ini
%WINDIR%\$NtUninstallKB27979$\4121336045\L\alehhooo

Сетевая активность:

Подключается к:

'71.##8.200.219':34354
'98.##8.186.194':34354
'68.##4.14.24':34354
'75.##3.109.186':34354
'68.#.162.66':34354
'69.##3.224.68':34354
'98.##.223.184':34354
'69.##.147.152':34354
'95.##4.84.79':34354
'17#.#8.27.234':34354
'98.##.172.110':34354
'17#.#1.78.109':34354
'87.#.188.20':34354
'17#.#04.73.147':34354
'76.#5.74.76':34354
'76.#6.207.3':34354
'14#.#0.94.178':34354
'76.##.50.115':34354
'81.##0.146.87':34354
'17#.#09.153.60':34354
'24.##.120.231':34354
'98.##7.27.229':34354
'17#.#0.74.234':34354
'10#.#94.249.47':34354
'89.##.100.72':34354
'24.##3.75.155':34354
'65.#6.96.69':34354
'76.##3.231.70':34354
'76.##.107.249':34354
'68.#.127.132':34354
'98.##5.55.147':34354
'75.##.252.64':34354
'70.##6.171.150':34354
'17#.#03.211.221':34354
'17#.#71.11.121':34354
'50.##.44.185':34354
'67.##3.54.12':34354
'75.#85.25.9':34354
'75.##.11.170':34354
'17#.#9.62.99':34354
'67.##3.109.143':34354
'76.##8.95.12':34354
'68.##1.237.250':34354
'74.##4.63.21':34354
'67.##3.170.6':34354
'82.##.47.172':34354
'71.##.105.71':34354
'76.##0.1.252':34354
'17#.#34.209.2':34354
'68.##4.142.41':34354
'76.##.255.245':34354
'17#.#.40.254':34354
'24.##8.128.56':34354
'74.##.138.137':34354
'68.##7.251.125':34354
'79.##8.249.178':34354
'72.##7.55.20':34354
'64.##1.145.252':34354
'68.##1.60.245':34354
'20#.#1.120.121':34354
'68.##2.15.181':34354
'98.##9.35.230':34354
'74.##7.126.158':34354
'66.##.160.19':34354
'14#.#17.121.214':34354
'98.##4.41.216':34354
'74.##6.235.41':34354
'24.#.72.120':34354
'17#.#48.245.49':34354
'99.##7.160.130':34354
'17#.#0.46.217':34354
'72.##9.124.217':34354
'70.##1.75.28':34354
'89.##5.187.184':34354
'87.##0.27.147':34354
'17#.#7.5.146':34354
'68.##9.51.40':34354
'19#.#.248.126':34354
'24.##4.249.140':34354
'64.##.70.131':34354
'99.##6.209.4':34354
'76.##.160.234':34354
'69.##8.113.100':34354
'70.##6.132.98':34354
'46.##.202.152':34354
'98.##2.61.248':34354
'84.##2.249.84':34354
'17#.#87.109.64':34354
'71.##4.19.14':34354
'11#.#27.29.221':34354
'70.##9.19.15':34354
'24.#0.75.14':34354
'67.##3.206.102':34354
'66.##8.156.100':34354
'74.##.111.224':34354
'17#.#06.113.10':34354
'24.##.27.122':34354
'15#.#81.161.199':34354
'24.##.25.212':34354
'71.##.244.207':34354
'88.##7.101.185':34354
'78.##.75.133':34354
'76.##6.102.199':34354
'24.##.166.88':34354
'71.#3.7.192':34354
'31.##7.201.108':34354
'76.##3.18.54':34354
'24.##1.228.100':34354
'76.##7.246.96':34354
'72.##1.170.90':34354
'49.##7.82.220':34354
'68.##2.174.232':34354
'71.##.250.178':34354
'69.##2.174.162':34354
'10#.#0.243.80':34354
'67.##3.226.2':34354
'69.##9.92.174':34354
'68.##1.170.32':34354
'24.#2.73.31':34354
'17#.#5.22.120':34354
'10#.#2.156.183':34354
'76.##7.146.181':34354
'98.##2.160.37':34354
'70.##7.237.26':34354
'71.##3.20.254':34354
'72.##9.229.112':34354
'92.##0.207.34':34354
'72.##8.143.34':34354
'12#.#45.55.197':34354
'75.##9.39.80':34354
'90.##.245.253':34354
'75.##7.255.36':34354
'75.##1.88.162':34354
'74.##9.37.78':34354
'64.##.186.22':34354
'76.##1.149.192':34354
'68.##2.78.65':34354
'17#.#70.199.53':34354
'75.##1.105.150':34354
'17#.#10.192.33':34354
'15#.#2.121.76':34354
'72.##3.112.113':34354
'76.##0.193.116':34354
'91.##7.60.22':34354
'17#.#17.224.85':34354
'17#.#47.126.146':34354
'12.##6.184.195':34354
'65.##5.64.76':34354
'17#.#15.87.140':34354
'69.##1.137.250':34354
'24.##7.198.229':34354
'71.##3.254.114':34354
'74.##.48.110':34354
'87.##.91.102':34354
'22#.#41.35.180':34354
'10#.#28.224.226':34354
'69.##6.69.131':34354
'67.#49.43.0':34354
'99.##4.13.251':34354
'81.##.67.232':34354
'71.#1.8.177':34354
'67.##7.30.246':34354
'94.##6.64.65':34354
'93.##4.252.74':34354
'98.##8.121.170':34354
'24.##1.125.57':34354
'66.##9.77.32':34354
'76.##8.11.94':34354
'68.##9.192.85':34354
'74.##2.56.183':34354
'86.##2.229.237':34354
'localhost':80
'66.##.239.97':34354
'70.##1.83.28':34354
'91.##0.180.52':34354
'75.#6.4.108':34354
'50.##.221.149':34354
'10#.#25.160.152':34354
'87.##7.71.37':34354
'71.##.33.131':34354
'75.##7.43.70':34354
'79.##8.164.234':34354
'24.##.135.177':34354
'18#.#7.11.119':34354
'24.##2.190.37':34354
'68.#17.0.2':34354
'69.##8.221.143':34354
'69.##4.19.187':34354
'92.##8.163.185':34354
'14.#8.25.55':34354
'18#.#9.27.232':34354
'66.##0.10.211':34354
'70.##3.116.39':34354
'98.##2.39.41':34354
'98.##2.185.227':34354
'18#.#53.88.85':34354
'74.##7.153.136':34354
'50.##9.61.31':34354
'74.##9.197.55':34354
'50.##.185.42':34354
'76.##5.67.42':34354
'98.##0.46.65':34354
'17#.#58.65.41':34354
'17#.#0.85.39':34354
'24.##.223.139':34354
'75.##.70.173':34354
'12#.#06.98.56':34354
'70.##8.17.73':34354
'68.##.82.122':34354
'68.#.126.180':34354
'95.##2.230.161':34354
'24.#7.11.20':34354
'24.##3.210.60':34354
'24.#8.31.96':34354
'92.##4.16.143':34354
'71.##9.117.142':34354
'66.##9.20.43':34354
'64.##.138.196':34354
'17#.#0.136.86':34354
'75.##6.178.115':34354
'76.#7.41.35':34354
'69.##9.96.156':34354
'88.##1.60.33':34354
'68.##1.125.84':34354
'17#.#01.83.249':34354
'24.##0.159.62':34354
'24.#.133.252':34354
'68.##1.112.85':34354
'68.##0.25.60':34354
'68.##5.5.196':34354
'72.##9.169.96':34354
'76.##5.115.140':34354
'75.##7.156.17':34354
'81.##.151.29':34354
'46.##8.136.230':34354
'96.##.142.33':34354
'24.##5.236.29':34354
'98.##8.28.66':34354
'70.##2.48.107':34354
'70.##.122.71':34354
'92.##.194.212':34354
'76.##1.118.5':34354
'21#.#22.174.123':34354
'24.#2.99.8':34354
'76.##8.122.99':34354
'80.#86.1.27':34354
'75.##.192.162':34354
'95.#7.203.1':34354
'74.#8.44.29':34354
'68.##5.99.237':34354
'17#.#.237.92':34354
'69.##2.196.116':34354
'46.##1.210.16':34354
'98.##7.121.240':34354
'17#.#3.242.105':34354
'72.##0.14.201':34354
'70.#4.34.17':34354

TCP:

Запросы HTTP GET:

eg##kkid.cn/stat2.php?&a#################
eg##kkid.cn/stat2.php?&a################

Технологии

Термины

Обучение и просвещение

Мифы

Техническая информация

Рекомендации по лечению

Демо бесплатно на 14 дней