BackDoor.Maxplus.1741

Техническая информация

Для обеспечения автозапуска и распространения:

Модифицирует следующие ключи реестра:

[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001] 'LibraryPath' = 'mswsock.dll'
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003] 'LibraryPath' = 'mswsock.dll'
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008] 'PackedCatalogItem' = ''

Создает следующие сервисы:

[<HKLM>\SYSTEM\ControlSet001\Services\.ipsec] 'ImagePath' = '\?'

Вредоносные функции:

Внедряет код в

следующие системные процессы:

<SYSTEM32>\winlogon.exe
%WINDIR%\Explorer.EXE

Изменения в файловой системе:

Создает следующие файлы:

%WINDIR%\$NtUninstallKB27979$\4121336045\@
%WINDIR%\$NtUninstallKB27979$\4121336045\cfg.ini
%WINDIR%\$NtUninstallKB27979$\4121336045\Desktop.ini
%WINDIR%\$NtUninstallKB27979$\4121336045\L\alehhooo

Самоудаляется.

Сетевая активность:

Подключается к:

'76.##0.124.36':34354
'76.##7.173.90':34354
'27.##7.39.92':34354
'20#.#7.210.90':34354
'71.##4.138.61':34354
'95.##.219.42':34354
'70.##0.75.137':34354
'76.##0.63.12':34354
'98.##.104.221':34354
'71.##.154.197':34354
'67.##.174.136':34354
'10#.#33.79.63':34354
'71.##1.19.27':34354
'24.##6.220.0':34354
'62.##1.235.145':34354
'95.##9.171.240':34354
'24.#9.64.7':34354
'67.##3.168.95':34354
'24.##.214.158':34354
'24.##.178.245':34354
'98.##6.197.229':34354
'68.##.225.178':34354
'68.##2.155.123':34354
'17#.#34.249.114':34354
'71.##9.174.10':34354
'67.##.102.116':34354
'99.##1.116.16':34354
'18#.#8.137.185':34354
'50.##.83.155':34354
'97.##.126.172':34354
'66.#7.7.152':34354
'21#.#29.229.232':34354
'75.##.31.174':34354
'68.#.19.74':34354
'17#.#2.122.119':34354
'98.#1.19.78':34354
'67.##.123.52':34354
'21#.#54.98.202':34354
'94.##0.225.84':34354
'76.#7.145.8':34354
'78.##.193.147':34354
'68.#8.11.83':34354
'97.#3.12.78':34354
'75.#.128.135':34354
'76.#9.20.43':34354
'70.#88.32.5':34354
'70.##6.132.170':34354
'95.##9.14.160':34354
'76.##.239.176':34354
'93.##2.164.39':34354
'74.##0.67.62':34354
'74.##0.170.100':34354
'50.##3.14.173':34354
'75.##.56.152':34354
'76.##9.110.134':34354
'17#.#00.246.34':34354
'66.##.180.114':34354
'74.##3.144.190':34354
'75.##.146.137':34354
'71.##3.120.43':34354
'18#.#55.122.71':34354
'24.##6.158.192':34354
'98.##4.213.137':34354
'24.##6.85.41':34354
'74.##2.137.188':34354
'24.##.121.69':34354
'68.##6.89.215':34354
'69.##.157.203':34354
'70.##2.219.253':34354
'94.##4.81.102':34354
'17#.#9.139.75':34354
'24.#1.41.82':34354
'24.##1.22.97':34354
'76.##1.51.169':34354
'93.##.42.152':34354
'98.##6.233.159':34354
'71.##.109.52':34354
'68.##6.164.255':34354
'69.##0.232.210':34354
'74.#8.42.1':34354
'67.##0.46.47':34354
'18#.#22.158.206':34354
'20#.#00.192.28':34354
'19#.#8.85.200':34354
'76.##7.58.251':34354
'74.##.178.40':34354
'50.#2.29.46':34354
'86.##.10.128':34354
'72.##1.77.13':34354
'20#.#79.18.244':34354
'68.##.235.172':34354
'67.##2.160.122':34354
'64.##5.139.106':34354
'70.##2.228.82':34354
'66.##9.244.160':34354
'68.#.131.112':34354
'70.##5.178.85':34354
'70.##6.156.34':34354
'74.##.179.41':34354
'72.##8.60.198':34354
'74.##.175.185':34354
'15#.#0.53.68':34354
'24.##7.126.40':34354
'17#.#02.252.223':34354
'65.##.231.36':34354
'68.##5.122.12':34354
'19#.#28.92.218':34354
'70.##.194.53':34354
'18#.#4.57.164':34354
'65.##.108.179':34354
'15#.#81.128.127':34354
'75.##7.50.183':34354
'31.##0.201.107':34354
'65.##.150.108':34354
'17#.#9.151.0':34354
'68.#0.6.42':34354
'67.##.11.137':34354
'71.##.175.145':34354
'68.##.82.122':34354
'18#.#6.137.133':34354
'69.##4.113.180':34354
'68.##.32.195':34354
'76.##2.67.88':34354
'99.##4.129.240':34354
'76.##2.151.148':34354
'98.##5.50.210':34354
'74.##2.48.139':34354
'71.##8.188.1':34354
'17#.#5.127.245':34354
'71.##.208.211':34354
'98.##.240.219':34354
'71.##.161.69':34354
'69.##3.206.32':34354
'18#.#16.167.130':34354
'71.##0.252.171':34354
'91.##7.60.22':34354
'17#.#17.149.167':34354
'75.##2.29.93':34354
'50.#0.88.15':34354
'17#.#4.132.249':34354
'72.##6.14.165':34354
'69.##6.109.171':34354
'98.##9.209.251':34354
'17#.#1.59.243':34354
'24.##9.33.243':34354
'76.##6.163.131':34354
'98.##2.21.103':34354
'71.##.50.151':34354
'74.##.253.219':34354
'69.#4.13.29':34354
'92.##4.240.155':34354
'76.##5.90.221':34354
'71.##.56.173':34354
'67.##4.26.139':34354
'18#.#88.84.233':34354
'71.##.109.128':34354
'70.##9.75.139':34354
'70.##1.111.199':34354
'18#.#0.41.72':34354
'98.##.136.244':34354
'85.##9.252.218':34354
'17#.#9.164.144':34354
'24.##8.164.38':34354
'72.##4.153.149':34354
'74.##4.61.73':34354
'98.##4.156.0':34354
'76.##.156.51':34354
'17#.#03.226.71':34354
'68.#.38.240':34354
'67.##.63.244':34354
'18#.#7.161.203':34354
'pr####.fling.com':80
'18#.#.141.223':34354
'98.##9.245.254':34354
'69.##1.161.85':34354
'76.##.152.53':34354
'17#.#02.216.160':34354
'24.##5.158.207':34354
'24.##2.224.46':34354
'24.##1.128.164':34354
'71.##4.161.170':34354
'18#.#7.10.210':34354
'69.##.123.143':34354
'24.##0.144.246':34354
'31.##.243.45':34354
'21#.#18.7.38':34354
'78.##.231.54':34354
'98.##2.189.228':34354
'24.##.156.68':34354
'72.##1.78.27':34354
'76.##0.208.67':34354
'69.##4.250.207':34354
'50.##.219.165':34354
'18#.#7.129.76':34354
'67.##.181.23':34354
'96.#.21.68':34354
'68.##.190.91':34354
'75.##.146.95':34354
'66.##8.156.158':34354
'10#.#91.173.58':34354
'71.##7.123.10':34354
'71.##.224.184':34354
'68.##.209.242':34354
'76.##6.7.103':34354
'89.##7.49.143':34354
'67.##.248.84':34354
'13#.#59.47.159':34354
'94.##0.83.123':34354
'98.##1.41.151':34354
'17#.#17.106.109':34354
'68.##.122.37':34354
'10#.#0.46.201':34354
'76.##1.140.213':34354
'84.##9.163.133':34354
'68.##4.184.106':34354
'72.##1.136.142':34354
'67.#2.45.56':34354
'24.##5.151.200':34354
'68.##7.143.143':34354
'76.#1.5.147':34354
'71.#6.98.69':34354
'99.#9.96.20':34354
'75.##2.28.20':34354
'24.##1.68.201':34354
'24.##6.254.86':34354
'69.#15.6.74':34354
'24.##0.243.93':34354
'17#.#8.62.134':34354
'98.##.205.240':34354
'71.##4.76.173':34354
'70.##.161.115':34354
'80.##1.198.122':34354
'24.##6.144.53':34354
'74.##3.21.135':34354
'72.##0.70.32':34354
'68.##7.199.226':34354
'15#.#7.106.132':34354
'10#.#28.101.1':34354
'83.##3.133.66':34354
'17#.#72.223.45':34354
'20#.#31.106.105':34354
'70.##9.182.105':34354
'68.#.53.89':34354
'64.##.195.204':34354
'17#.#37.19.94':34354
'98.##.47.254':34354
'98.##6.27.223':34354
'76.##1.3.157':34354
'24.#.215.135':34354
'96.##.55.127':34354
'69.##.128.174':34354
'98.##3.31.214':34354
'12#.#18.179.184':34354
'66.##.221.146':34354
'72.##8.212.163':34354
'11#.#7.33.110':34354
'24.##.143.31':34354

TCP:

Запросы HTTP GET:

pr####.fling.com/geo/txt/city.php

UDP:

DNS ASK pr####.fling.com
'localhost':752
'8.#.8.8':1037

Технологии

Термины

Обучение и просвещение

Мифы

Техническая информация

Рекомендации по лечению

Демо бесплатно на 14 дней