BackDoor.Maxplus.590

Technical Information

To ensure autorun and distribution:

Modifies the following registry keys:

[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001] 'LibraryPath' = 'mswsock.dll'
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003] 'LibraryPath' = 'mswsock.dll'
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008] 'PackedCatalogItem' = ''

Creates the following services:

[<HKLM>\SYSTEM\ControlSet001\Services\.redbook] 'ImagePath' = '\?'

Malicious functions:

Injects code into

the following system processes:

<SYSTEM32>\winlogon.exe
%WINDIR%\Explorer.EXE

Modifies file system :

Creates the following files:

%WINDIR%\$NtUninstallKB27979$\4121336045\@
%WINDIR%\$NtUninstallKB27979$\4121336045\cfg.ini
%WINDIR%\$NtUninstallKB27979$\4121336045\Desktop.ini
%WINDIR%\$NtUninstallKB27979$\4121336045\L\alehhooo

Network activity:

Connects to:

'89.##2.113.219':34354
'46.##.128.58':34354
'24.##.169.106':34354
'83.##5.225.37':34354
'95.##.112.218':34354
'68.##.207.108':34354
'75.##3.186.130':34354
'10#.#29.191.64':34354
'75.##8.143.103':34354
'98.##2.122.81':34354
'68.##8.10.86':34354
'72.##7.29.42':34354
'67.##.36.198':34354
'17#.#22.143.93':34354
'24.##6.244.188':34354
'95.##.208.207':34354
'79.##8.232.124':34354
'67.##2.103.196':34354
'72.##8.212.107':34354
'17#.#0.56.39':34354
'10#.#28.67.3':34354
'87.##0.106.125':34354
'68.##.149.150':34354
'24.##.224.60':34354
'68.##.70.110':34354
'99.##2.25.71':34354
'68.##.136.117':34354
'71.##.122.88':34354
'75.##3.151.164':34354
'70.##8.142.175':34354
'99.##4.78.168':34354
'50.##.48.193':34354
'18#.#90.197.150':34354
'93.##3.99.206':34354
'71.##7.108.169':34354
'76.##1.118.5':34354
'76.##1.145.168':34354
'24.##2.150.31':34354
'17#.#0.252.59':34354
'20#.#04.152.69':34354
'17#.#17.128.35':34354
'18#.#93.108.87':34354
'68.##1.60.245':34354
'76.##8.20.137':34354
'24.##.145.170':34354
'75.##2.26.250':34354
'95.##8.245.135':34354
'10#.#0.65.223':34354
'69.##0.67.33':34354
'31.##5.132.11':34354
'24.#.49.111':34354
'98.##4.203.34':34354
'12.##0.33.13':34354
'97.##.84.112':34354
'24.##.32.130':34354
'99.##7.188.5':34354
'31.##7.240.136':34354
'67.##9.119.83':34354
'15#.#24.149.190':34354
'65.##.52.218':34354
'17#.#0.170.178':34354
'24.##6.220.238':34354
'76.##5.89.32':34354
'68.##4.255.202':34354
'82.##.102.102':34354
'19#.#91.35.23':34354
'17#.#6.67.210':34354
'70.##5.196.100':34354
'66.##3.38.109':34354
'17#.#3.135.112':34354
'24.##7.107.108':34354
'60.##7.161.20':34354
'24.##1.1.180':34354
'69.##6.109.28':34354
'98.##4.194.206':34354
'68.##.155.30':34354
'72.##6.28.96':34354
'68.##0.49.81':34354
'74.##6.209.224':34354
'19#.#4.100.173':34354
'95.##6.212.10':34354
'11#.#4.93.136':34354
'75.##1.65.226':34354
'71.##.40.132':34354
'69.##0.71.140':34354
'17#.#99.100.114':34354
'24.##2.205.137':34354
'91.##.143.146':34354
'94.##2.222.16':34354
'83.##3.183.16':34354
'78.##.241.215':34354
'76.##0.170.216':34354
'76.##5.98.237':34354
'67.##7.193.123':34354
'71.##.239.15':34354
'12#.#29.114.13':34354
'24.#9.5.25':34354
'92.#.130.44':34354
'84.##4.40.173':34354
'66.##.235.39':34354
'69.##6.188.42':34354
'76.##0.126.15':34354
'67.##6.104.197':34354
'71.##2.19.192':34354
'18#.#5.200.191':34354
'17#.#7.36.123':34354
'99.##3.82.59':34354
'24.#.115.148':34354
'24.##.197.134':34354
'75.##.77.251':34354
'70.##1.122.121':34354
'20#.#3.50.13':34354
'76.##6.88.201':34354
'69.##5.58.67':34354
'18#.#2.53.224':34354
'70.##.148.58':34354
'75.##.59.242':34354
'17#.#43.205.180':34354
'67.#.195.67':34354
'82.##.140.228':34354
'72.##4.178.40':34354
'98.##9.117.196':34354
'75.##4.163.248':34354
'17#.#07.60.199':34354
'69.##4.108.195':34354
'24.##.56.193':34354
'71.##2.149.50':34354
'18#.#91.215.51':34354
'94.##2.248.117':34354
'98.##0.20.201':34354
'97.##.246.16':34354
'68.#.58.230':34354
'75.##3.201.9':34354
'17#.#15.19.121':34354
'98.##9.108.33':34354
'13#.#6.169.252':34354
'68.##.135.20':34354
'20#.#34.144.154':34354
'98.##2.252.228':34354
'85.##.211.83':34354
'21#.#0.128.41':34354
'75.##.129.224':34354
'76.#4.83.98':34354
'98.##3.254.96':34354
'19#.#3.170.218':34354
'89.##.95.210':34354
'67.##4.191.34':34354
'18#.#8.194.172':34354
'94.##1.146.152':34354
'68.##.65.125':34354
'71.##.100.124':34354
'24.##5.133.234':34354
'70.##8.235.10':34354
'91.##0.180.52':34354
'98.##0.98.142':34354
'70.##0.206.95':34354
'67.##.205.170':34354
'18#.#48.42.209':34354
'24.#.133.252':34354
'24.##9.97.35':34354
'85.##.182.23':34354
'89.##4.115.200':34354
'98.##0.139.245':34354
'24.##1.72.128':34354
'99.##5.101.142':34354
'18#.#49.17.99':34354
'10#.#37.38.46':34354
'17#.#7.19.154':34354
'76.##7.172.51':34354
'69.##2.196.116':34354
'93.##3.184.38':34354
'pr####.fling.com':80
'50.##.224.81':34354
'11#.#00.81.194':34354
'79.##8.38.148':34354
'85.#4.4.66':34354
'10#.#3.185.103':34354
'75.##.161.30':34354
'68.##5.82.176':34354
'71.##9.117.142':34354
'17#.#0.119.140':34354
'74.##6.14.197':34354
'95.##.201.193':34354
'99.##.199.126':34354
'18#.#2.139.250':34354
'98.##7.159.28':34354
'71.##6.67.52':34354
'24.##2.71.254':34354
'98.##5.86.19':34354
'10#.#0.249.4':34354
'66.##.93.214':34354
'10#.#5.164.83':34354
'96.##.49.141':34354
'84.##0.216.27':34354
'68.#.142.84':34354
'69.##1.159.55':34354
'17#.#09.84.112':34354
'76.##7.249.74':34354
'50.#.121.149':34354
'75.##7.31.207':34354
'98.##4.224.192':34354
'17#.#71.94.194':34354
'75.#4.44.24':34354
'88.##5.79.26':34354
'10#.#97.43.58':34354
'76.##6.103.244':34354
'11#.#7.185.123':34354
'75.##2.151.63':34354
'12#.#47.16.203':34354
'71.##7.249.191':34354
'17#.#68.20.213':34354
'98.##9.98.173':34354
'41.##.227.208':34354
'96.##.244.33':34354
'98.##1.77.168':34354
'24.#3.28.63':34354
'71.##.233.19':34354
'71.##8.108.23':34354
'76.##.197.169':34354
'68.##.16.115':34354
'76.##9.48.111':34354
'67.##.225.128':34354
'76.##2.191.62':34354
'24.##.25.212':34354
'99.##.122.227':34354
'92.##.227.174':34354
'15#.#0.136.241':34354
'24.##7.238.172':34354
'68.##3.168.22':34354
'76.##.200.43':34354
'68.##.21.245':34354
'76.##1.68.150':34354
'67.##8.189.228':34354
'71.##.124.109':34354
'10#.#13.21.44':34354
'68.#.101.172':34354
'75.##.175.88':34354
'66.##8.254.91':34354
'69.##3.230.205':34354
'98.##3.117.50':34354
'46.##2.56.184':34354
'75.##5.130.80':34354
'68.##7.39.150':34354
'50.##.92.193':34354
'71.##1.110.176':34354
'89.##8.236.95':34354
'17#.#.30.168':34354
'76.##8.173.138':34354
'72.##9.240.138':34354
'84.##2.27.181':34354
'24.##9.196.115':34354
'76.##7.131.236':34354
'50.##.183.32':34354
'24.##.153.137':34354
'15#.#81.162.219':34354
'19#.#6.124.246':34354
'78.##7.30.142':34354

TCP:

HTTP GET requests:

pr####.fling.com/geo/txt/city.php

UDP:

DNS ASK pr####.fling.com
'localhost':752
'8.#.8.8':1036

Технологии

Термины

Обучение и просвещение

Мифы

Technical Information

Рекомендации по лечению

Демо бесплатно на 14 дней