Trojan.DownLoader32.51929

Technical Information

To ensure autorun and distribution

Modifies the following registry keys

[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] 'update' = '%WINDIR%\system\update.scr'

Creates the following services

[<HKLM>\System\CurrentControlSet\Services\IKEEXT] 'Start' = '00000002'

Malicious functions

To complicate detection of its presence in the operating system,

blocks execution of the following system utilities:

Windows Task Manager (Taskmgr)
Registry Editor (RegEdit)
Windows Update
Windows Security Center

modifies the following system settings:

[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] 'DisallowRun' = '00000001'

Executes the following

'%WINDIR%\syswow64\netsh.exe' firewall set opmode disable

Modifies file system

Creates the following files

%WINDIR%\system\update
%WINDIR%\system\reload.bat

Moves the following files

from %WINDIR%\system\update to %WINDIR%\system\update.scr

Substitutes the following files

%HOMEPATH%\ntuser.pol
%PROGRAMDATA%\ntuser.pol

Network activity

Connects to

'dr####a1.no-ip.biz':1234

UDP

DNS ASK dr####a1.no-ip.biz

Miscellaneous

Searches for the following windows

ClassName: 'Tapplication' WindowName: 'ULTIMOS DIAS'

Creates and executes the following

'%WINDIR%\syswow64\reg.exe' add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v update /t reg_sz /d %WINDIR%\system\update.scr /f' (with hidden window)
'%WINDIR%\syswow64\reg.exe' add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\system /v DisableTaskMgr /t reg_dword /d 0x00000001 /f' (with hidden window)
'%WINDIR%\syswow64\reg.exe' add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\system /v DisableRegistryTools /t reg_dword /d 0x00000001 /f' (with hidden window)
'%WINDIR%\syswow64\reg.exe' add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v DisallowRun /t reg_dword /d 0x00000001 /f' (with hidden window)
'%WINDIR%\syswow64\reg.exe' add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun /v 1 /t reg_sz /d msconfig.exe /f' (with hidden window)
'%WINDIR%\syswow64\reg.exe' add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun /v 2 /t reg_sz /d taskkill.exe /f' (with hidden window)
'%WINDIR%\syswow64\reg.exe' add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun /v 3 /t reg_sz /d cmd.exe /f' (with hidden window)
'%WINDIR%\syswow64\reg.exe' add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun /v 4 /t reg_sz /d command.exe /f' (with hidden window)
'%WINDIR%\syswow64\reg.exe' add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun /v 3 /t reg_sz /d ComboFix.exe /f' (with hidden window)
'%WINDIR%\syswow64\gpupdate.exe' /force /wait:100' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /k sc config wscsvc start= disabled&sc stop wscsvc&netsh firewall set opmode disable&sc config SharedAccess start= disabled&sc stop SharedAccess&sc config wuauserv start= disabled&sc stop wuaus...' (with hidden window)
'%WINDIR%\syswow64\reg.exe' add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v Taskmgr /t reg_sz /d %WINDIR%\system\reload.bat /f' (with hidden window)

Executes the following

'%WINDIR%\syswow64\reg.exe' add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v update /t reg_sz /d %WINDIR%\system\update.scr /f
'%WINDIR%\syswow64\sc.exe' config wuauserv start= disabled
'%WINDIR%\syswow64\sc.exe' stop SharedAccess
'<SYSTEM32>\gpscript.exe' /RefreshSystemParam
'%WINDIR%\syswow64\sc.exe' config SharedAccess start= disabled
'%WINDIR%\syswow64\sc.exe' stop wscsvc
'%WINDIR%\syswow64\sc.exe' config wscsvc start= disabled
'%WINDIR%\syswow64\reg.exe' add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v Taskmgr /t reg_sz /d %WINDIR%\system\reload.bat /f
'%WINDIR%\syswow64\cmd.exe' /k sc config wscsvc start= disabled&sc stop wscsvc&netsh firewall set opmode disable&sc config SharedAccess start= disabled&sc stop SharedAccess&sc config wuauserv start= disabled&sc stop wuaus...
'%WINDIR%\syswow64\gpupdate.exe' /force /wait:100
'%WINDIR%\syswow64\reg.exe' add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun /v 3 /t reg_sz /d ComboFix.exe /f
'%WINDIR%\syswow64\reg.exe' add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun /v 4 /t reg_sz /d command.exe /f
'%WINDIR%\syswow64\reg.exe' add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun /v 3 /t reg_sz /d cmd.exe /f
'%WINDIR%\syswow64\reg.exe' add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun /v 2 /t reg_sz /d taskkill.exe /f
'%WINDIR%\syswow64\reg.exe' add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun /v 1 /t reg_sz /d msconfig.exe /f
'%WINDIR%\syswow64\reg.exe' add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v DisallowRun /t reg_dword /d 0x00000001 /f
'%WINDIR%\syswow64\reg.exe' add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\system /v DisableRegistryTools /t reg_dword /d 0x00000001 /f
'%WINDIR%\syswow64\reg.exe' add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\system /v DisableTaskMgr /t reg_dword /d 0x00000001 /f
'%WINDIR%\syswow64\sc.exe' stop wuauserv
'<SYSTEM32>\raserver.exe' /offerraupdate

Демо бесплатно на 14 дней

Выдаётся при установке

Скачать с сайта

Скачать с Google Play

Скачайте
Dr.Web для Android

Бесплатно на 3 месяца
Все компоненты защиты
Продление демо через
AppGallery/Google Pay

Технологии

Термины

Обучение и просвещение

Мифы

Technical Information

Рекомендации по лечению

Демо бесплатно на 14 дней