Trojan.MulDrop29.1612

Technical Information

To ensure autorun and distribution

Sets the following service settings

[HKLM\System\CurrentControlSet\Services\RYxxM] 'Start' = '00000002'
[HKLM\System\CurrentControlSet\Services\RYxxM] 'ImagePath' = '<SYSTEM32>\vjuh.exe'

Creates the following services

'RYxxM' <SYSTEM32>\vjuh.exe

Modifies file system

Creates the following files

%WINDIR%\syswow64\vjuh.exe

Miscellaneous

Executes the following

'%WINDIR%\syswow64\takeown.exe' /f "<SYSTEM32>\vjuh.exe"
'%WINDIR%\syswow64\icacls.exe' "%WINDIR%\winsxs\amd64_microsoft-windows-commandprompt_31bf3856ad364e35_6.1.7601.17514_none_e932cc2c30fc13b0\cmd.exe" /grant SYSTEM:F
'%WINDIR%\syswow64\icacls.exe' "%WINDIR%\winsxs\amd64_microsoft-windows-ftp_31bf3856ad364e35_6.1.7601.17514_none_0b11635f6f2987f7\ftp.exe" /grant SYSTEM:F
'%WINDIR%\syswow64\takeown.exe' /f "%WINDIR%\winsxs\amd64_microsoft-windows-commandprompt_31bf3856ad364e35_6.1.7601.17514_none_e932cc2c30fc13b0\cmd.exe"
'%WINDIR%\syswow64\icacls.exe' "<SYSTEM32>\cscript.exe" /grant Users:F
'%WINDIR%\syswow64\icacls.exe' "%WINDIR%\winsxs\amd64_microsoft-windows-scripting_31bf3856ad364e35_6.1.7600.16385_none_a45d44bd1a0af822\cscript.exe" /grant Users:F
'%WINDIR%\syswow64\icacls.exe' "<SYSTEM32>\cscript.exe" /grant SYSTEM:F
'%WINDIR%\syswow64\icacls.exe' "%WINDIR%\winsxs\amd64_microsoft-windows-ftp_31bf3856ad364e35_6.1.7601.17514_none_0b11635f6f2987f7\ftp.exe" /grant Users:F
'%WINDIR%\syswow64\takeown.exe' /f "<SYSTEM32>\cscript.exe"
'%WINDIR%\syswow64\icacls.exe' "<SYSTEM32>\wscript.exe" /grant Users:F
'%WINDIR%\syswow64\takeown.exe' /f "%WINDIR%\winsxs\amd64_microsoft-windows-scripting_31bf3856ad364e35_6.1.7600.16385_none_a45d44bd1a0af822\wscript.exe"
'%WINDIR%\syswow64\icacls.exe' "<SYSTEM32>\wscript.exe" /grant SYSTEM:F
'%WINDIR%\syswow64\icacls.exe' "<SYSTEM32>\ftp.exe" /grant SYSTEM:F
'%WINDIR%\syswow64\icacls.exe' "%WINDIR%\winsxs\amd64_microsoft-windows-commandprompt_31bf3856ad364e35_6.1.7601.17514_none_e932cc2c30fc13b0\cmd.exe" /grant Users:F
'%WINDIR%\syswow64\takeown.exe' /f "<SYSTEM32>\wscript.exe"
'%WINDIR%\syswow64\icacls.exe' "<SYSTEM32>\cmd.exe" /grant SYSTEM:F
'%WINDIR%\syswow64\icacls.exe' "<SYSTEM32>\vjuh.exe" /grant SYSTEM:F
'%WINDIR%\syswow64\icacls.exe' "%WINDIR%\winsxs\amd64_microsoft-windows-scripting_31bf3856ad364e35_6.1.7600.16385_none_a45d44bd1a0af822\cscript.exe" /grant SYSTEM:F
'%WINDIR%\syswow64\takeown.exe' /f "<SYSTEM32>\cmd.exe"
'%WINDIR%\syswow64\icacls.exe' "<SYSTEM32>\ftp.exe" /grant Users:F
'%WINDIR%\syswow64\takeown.exe' /f "%WINDIR%\winsxs\amd64_microsoft-windows-scripting_31bf3856ad364e35_6.1.7600.16385_none_a45d44bd1a0af822\cscript.exe"
'%WINDIR%\syswow64\icacls.exe' "<SYSTEM32>\cmd.exe" /grant Users:F
'%WINDIR%\syswow64\takeown.exe' /f "%WINDIR%\winsxs\amd64_microsoft-windows-ftp_31bf3856ad364e35_6.1.7601.17514_none_0b11635f6f2987f7\ftp.exe"
'%WINDIR%\syswow64\takeown.exe' /f "<SYSTEM32>\ftp.exe"
'%WINDIR%\syswow64\icacls.exe' "%WINDIR%\winsxs\amd64_microsoft-windows-scripting_31bf3856ad364e35_6.1.7600.16385_none_a45d44bd1a0af822\wscript.exe" /grant Users:F
'%WINDIR%\syswow64\icacls.exe' "%WINDIR%\winsxs\amd64_microsoft-windows-scripting_31bf3856ad364e35_6.1.7600.16385_none_a45d44bd1a0af822\wscript.exe" /grant SYSTEM:F
'%WINDIR%\syswow64\icacls.exe' "%WINDIR%\winsxs\amd64_microsoft-windows-commandprompt_31bf3856ad364e35_6.1.7601.17514_none_e932cc2c30fc13b0\cmd.exe" /grant SYSTEM:F' (with hidden window)
'%WINDIR%\syswow64\icacls.exe' "<SYSTEM32>\cscript.exe" /grant SYSTEM:F' (with hidden window)
'%WINDIR%\syswow64\icacls.exe' "%WINDIR%\winsxs\amd64_microsoft-windows-scripting_31bf3856ad364e35_6.1.7600.16385_none_a45d44bd1a0af822\wscript.exe" /grant SYSTEM:F' (with hidden window)
'%WINDIR%\syswow64\takeown.exe' /f "%WINDIR%\winsxs\amd64_microsoft-windows-ftp_31bf3856ad364e35_6.1.7601.17514_none_0b11635f6f2987f7\ftp.exe"' (with hidden window)
'%WINDIR%\syswow64\icacls.exe' "<SYSTEM32>\ftp.exe" /grant Users:F' (with hidden window)
'%WINDIR%\syswow64\takeown.exe' /f "%WINDIR%\winsxs\amd64_microsoft-windows-scripting_31bf3856ad364e35_6.1.7600.16385_none_a45d44bd1a0af822\wscript.exe"' (with hidden window)
'%WINDIR%\syswow64\icacls.exe' "%WINDIR%\winsxs\amd64_microsoft-windows-ftp_31bf3856ad364e35_6.1.7601.17514_none_0b11635f6f2987f7\ftp.exe" /grant SYSTEM:F' (with hidden window)
'%WINDIR%\syswow64\takeown.exe' /f "%WINDIR%\winsxs\amd64_microsoft-windows-scripting_31bf3856ad364e35_6.1.7600.16385_none_a45d44bd1a0af822\cscript.exe"' (with hidden window)
'%WINDIR%\syswow64\icacls.exe' "%WINDIR%\winsxs\amd64_microsoft-windows-scripting_31bf3856ad364e35_6.1.7600.16385_none_a45d44bd1a0af822\wscript.exe" /grant Users:F' (with hidden window)
'%WINDIR%\syswow64\takeown.exe' /f "<SYSTEM32>\vjuh.exe"' (with hidden window)
'%WINDIR%\syswow64\icacls.exe' "%WINDIR%\winsxs\amd64_microsoft-windows-scripting_31bf3856ad364e35_6.1.7600.16385_none_a45d44bd1a0af822\cscript.exe" /grant SYSTEM:F' (with hidden window)
'%WINDIR%\syswow64\icacls.exe' "%WINDIR%\winsxs\amd64_microsoft-windows-ftp_31bf3856ad364e35_6.1.7601.17514_none_0b11635f6f2987f7\ftp.exe" /grant Users:F' (with hidden window)
'%WINDIR%\syswow64\icacls.exe' "<SYSTEM32>\wscript.exe" /grant Users:F' (with hidden window)
'%WINDIR%\syswow64\takeown.exe' /f "<SYSTEM32>\wscript.exe"' (with hidden window)
'%WINDIR%\syswow64\icacls.exe' "<SYSTEM32>\cmd.exe" /grant SYSTEM:F' (with hidden window)
'%WINDIR%\syswow64\icacls.exe' "<SYSTEM32>\cscript.exe" /grant Users:F' (with hidden window)
'%WINDIR%\syswow64\takeown.exe' /f "<SYSTEM32>\cscript.exe"' (with hidden window)
'%WINDIR%\syswow64\icacls.exe' "<SYSTEM32>\wscript.exe" /grant SYSTEM:F' (with hidden window)
'%WINDIR%\syswow64\takeown.exe' /f "%WINDIR%\winsxs\amd64_microsoft-windows-commandprompt_31bf3856ad364e35_6.1.7601.17514_none_e932cc2c30fc13b0\cmd.exe"' (with hidden window)
'%WINDIR%\syswow64\icacls.exe' "<SYSTEM32>\ftp.exe" /grant SYSTEM:F' (with hidden window)
'%WINDIR%\syswow64\icacls.exe' "%WINDIR%\winsxs\amd64_microsoft-windows-commandprompt_31bf3856ad364e35_6.1.7601.17514_none_e932cc2c30fc13b0\cmd.exe" /grant Users:F' (with hidden window)
'%WINDIR%\syswow64\takeown.exe' /f "<SYSTEM32>\ftp.exe"' (with hidden window)
'%WINDIR%\syswow64\icacls.exe' "<SYSTEM32>\cmd.exe" /grant Users:F' (with hidden window)
'%WINDIR%\syswow64\icacls.exe' "<SYSTEM32>\vjuh.exe" /grant SYSTEM:F' (with hidden window)
'%WINDIR%\syswow64\takeown.exe' /f "<SYSTEM32>\cmd.exe"' (with hidden window)
'%WINDIR%\syswow64\icacls.exe' "%WINDIR%\winsxs\amd64_microsoft-windows-scripting_31bf3856ad364e35_6.1.7600.16385_none_a45d44bd1a0af822\cscript.exe" /grant Users:F' (with hidden window)

Демо бесплатно на 14 дней

Выдаётся при установке

Скачать с сайта

Скачать с Google Play

Скачайте
Dr.Web для Android

Бесплатно на 3 месяца
Все компоненты защиты
Продление демо через
AppGallery/Google Pay

Технологии

Термины

Обучение и просвещение

Мифы

Technical Information

Рекомендации по лечению

Демо бесплатно на 14 дней