Trojan.DownLoader5.16282

Technical Information

To ensure autorun and distribution:

Modifies the following registry keys:

[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001] 'LibraryPath' = 'mswsock.dll'
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003] 'LibraryPath' = 'mswsock.dll'
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008] 'PackedCatalogItem' = ''

Creates the following services:

[<HKLM>\SYSTEM\ControlSet001\Services\.netbt] 'ImagePath' = '\*'

Malicious functions:

Injects code into

the following system processes:

<SYSTEM32>\winlogon.exe

Modifies file system :

Creates the following files:

%WINDIR%\$NtUninstallKB27979$\4121336045\cfg.ini
%WINDIR%\$NtUninstallKB27979$\4121336045\@
%WINDIR%\$NtUninstallKB27979$\4121336045\Desktop.ini
%WINDIR%\$NtUninstallKB27979$\4121336045\L\alehhooo

Network activity:

Connects to:

'18#.#35.106.222':34354
'18#.#9.197.182':34354
'95.##.231.94':34354
'10#.#01.169.43':34354
'98.##0.73.128':34354
'12#.#25.73.24':34354
'14.##2.20.77':34354
'68.##.39.108':34354
'17#.#75.166.181':34354
'24.##3.184.146':34354
'21#.#9.72.137':34354
'69.##6.56.203':34354
'18#.#46.72.73':34354
'10#.#.76.119':34354
'72.##.54.183':34354
'95.##.120.117':34354
'19#.#74.85.60':34354
'90.##8.59.86':34354
'11#.#2.153.133':34354
'46.##.251.129':34354
'78.#37.52.9':34354
'10#.#01.169.27':34354
'20#.#18.179.194':34354
'17#.#00.14.116':34354
'12#.#11.209.99':34354
'2.###.32.100':34354
'10#.#39.47.97':34354
'87.##7.33.147':34354
'10#.#02.163.174':34354
'21#.#25.210.108':34354
'91.#8.17.33':34354
'75.##1.235.160':34354
'72.##1.106.231':34354
'76.##0.43.25':34354
'95.##.252.81':34354
'50.##.187.113':34354
'41.##.160.175':34354
'24.##5.53.242':34354
'68.##9.253.245':34354
'98.##6.175.120':34354
'94.##.170.31':34354
'95.##.18.147':34354
'95.#8.7.114':34354
'95.#8.45.97':34354
'18#.#4.86.194':34354
'21#.#8.88.34':34354
'74.##1.91.246':34354
'86.#9.3.201':34354
'77.##9.13.16':34354
'11#.#9.178.254':34354
'74.##.249.66':34354
'17#.#0.109.184':34354
'50.#.89.108':34354
'68.##8.45.89':34354
'95.##8.102.238':34354
'17#.#3.10.134':34354
'19#.#07.234.235':34354
'90.##9.171.168':34354
'21#.#2.127.28':34354
'92.##.220.78':34354
'72.##9.142.29':34354
'19#.#2.128.207':34354
'24.##.27.236':34354
'68.##.151.37':34354
'10#.#23.21.53':34354
'2.##3.45.71':34354
'95.##.70.188':34354
'84.##0.206.56':34354
'24.##2.28.114':34354
'68.#3.23.11':34354
'18#.#64.24.244':34354
'18#.#.14.171':34354
'68.##8.241.60':34354
'11#.#7.142.26':34354
'86.##.216.149':34354
'50.##2.81.145':34354
'58.##.211.196':34354
'11#.#00.155.61':34354
'17#.#0.96.41':34354
'12#.#20.177.232':34354
'68.##0.55.130':34354
'89.##6.88.203':34354
'84.##0.215.15':34354
'69.##3.65.183':34354
'88.##6.82.133':34354
'17#.#.59.217':34354
'18#.#31.30.136':34354
'69.##0.91.181':34354
'10#.#6.51.87':34354
'81.##.195.54':34354
'11#.#19.6.33':34354
'67.#72.7.8':34354
'70.##9.219.14':34354
'92.##.212.15':34354
'87.##7.42.43':34354
'99.##.133.118':34354
'96.##.140.159':34354
'18#.#2.43.122':34354
'67.#8.40.18':34354
'87.##.91.102':34354
'95.##.251.97':34354
'17#.#22.120.193':34354
'84.##2.27.181':34354
'31.##9.1.229':34354
'21#.#06.36.1':34354
'17#.#0.88.187':34354
'17#.#40.112.33':34354
'91.##.245.123':34354
'11#.65.38.4':34354
'85.#5.70.56':34354
'87.##7.32.198':34354
'17#.#87.42.111':34354
'18#.#14.31.244':34354
'89.##.105.113':34354
'86.##4.44.212':34354
'95.#8.193.4':34354
'18#.#32.109.3':34354
'14.##.137.236':34354
'10#.#4.68.20':34354
'17#.#03.4.60':34354
'17#.#0.56.13':34354
'17#.#1.41.231':34354
'91.##3.24.197':34354
'17#.#34.79.6':34354
'95.##.92.193':34354
'79.##2.227.136':34354
'71.##.59.251':34354
'94.##.128.88':34354
'76.##7.202.246':34354
'17#.#25.133.68':34354
'11#.#10.187.236':34354
'17#.#9.175.59':34354
'95.#8.42.40':34354
'10#.#39.44.76':34354
'72.##5.19.63':34354
'67.##4.247.158':34354
'14#.#63.242.235':34354
'89.##.180.92':34354
'46.##.198.167':34354
'89.##6.232.134':34354
'88.#87.99.1':34354
'11#.#5.52.68':34354
'14#.#01.27.119':34354
'86.#.222.130':34354
'31.#69.0.5':34354
'91.##.101.81':34354
'18#.#32.83.101':34354
'95.##.218.144':34354
'21#.#7.191.0':34354
'17#.90.49.4':34354
'92.#3.45.85':34354
'24.##.252.192':34354
'2.###.29.240':34354
'92.##.75.135':34354
'17#.#.175.133':34354
'41.##3.64.138':34354
'24.##.116.34':34354
'2.###.194.159':34354
'17#.#2.120.192':34354
'89.#2.55.85':34354
'12#.#3.128.205':34354
'98.##4.152.253':34354
'17#.#0.156.116':34354
'21#.#2.199.65':34354
'79.##7.11.122':34354
'18#.#1.71.18':34354
'14.##.161.163':34354
'17#.#41.43.180':34354
'84.##0.253.89':34354
'24.#.227.127':34354
'68.##.73.138':34354
'localhost':80
'71.##.217.161':34354
'18#.#84.56.82':34354
'78.#2.71.32':34354
'12#.#.167.169':34354
'95.##.77.197':34354
'18#.#7.103.24':34354
'91.##7.60.22':34354
'78.#0.95.16':34354
'91.#87.5.60':34354
'89.##6.200.90':34354
'10#.#0.132.12':34354
'89.##2.141.157':34354
'80.#1.125.4':34354
'89.##6.60.226':34354
'85.##.189.146':34354
'85.##4.186.65':34354
'18#.#35.202.123':34354
'75.##1.17.155':34354
'92.##.226.28':34354
'19#.#6.121.35':34354
'72.#23.70.3':34354
'95.#9.71.23':34354
'70.##4.48.133':34354
'66.##9.73.58':34354
'93.##5.68.99':34354
'75.#40.2.10':34354
'24.##1.232.215':34354
'18#.#76.176.32':34354
'17#.#48.44.96':34354
'18#.#53.119.209':34354
'92.#6.58.20':34354
'70.##1.27.83':34354
'11#.#02.131.187':34354
'79.##2.32.125':34354
'84.##0.219.25':34354
'65.#5.66.57':34354
'17#.#0.27.243':34354
'72.##6.37.44':34354
'67.##6.183.53':34354
'98.##8.210.4':34354
'98.##.220.107':34354
'77.##5.103.178':34354
'68.##0.200.38':34354
'24.#.187.59':34354
'12#.#25.37.120':34354
'84.##.133.213':34354
'65.##.155.139':34354
'21#.#66.222.40':34354
'77.##1.95.201':34354
'84.##0.212.62':34354
'46.##.244.239':34354
'24.#.199.12':34354
'11#.#01.138.90':34354
'80.##.193.217':34354
'96.##.204.194':34354
'82.##0.164.162':34354
'91.##.236.61':34354
'14.##.132.27':34354
'95.##.194.195':34354
'39.##1.133.20':34354
'15#.#9.67.46':34354
'95.##.218.15':34354
'92.##.139.227':34354
'10#.#34.22.3':34354
'68.##.120.203':34354
'17#.#25.175.109':34354
'17#.#24.106.248':34354
'75.##4.247.142':34354
'98.##6.117.248':34354
'66.##9.239.129':34354
'95.##.56.110':34354
'11#.#87.57.192':34354
'17#.#38.232.219':34354
'21#.#60.186.100':34354
'95.##.230.13':34354
'19#.#4.55.86':34354
'76.##7.59.197':34354
'11#.#25.201.79':34354
'62.##.45.121':34354
'18#.#7.148.126':34354
'92.##4.10.116':34354
'71.##.115.193':34354
'24.##.24.209':34354
'67.##2.69.61':34354
'78.##.135.179':34354

TCP:

HTTP GET requests:

eg##kkid.cn/stat2.php?&a###
eg##kkid.cn/stat2.php?&a##

Технологии

Термины

Обучение и просвещение

Мифы

Technical Information

Рекомендации по лечению

Демо бесплатно на 14 дней