BackDoor.Maxplus.586

Technical Information

To ensure autorun and distribution:

Modifies the following registry keys:

[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001] 'LibraryPath' = 'mswsock.dll'
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003] 'LibraryPath' = 'mswsock.dll'
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008] 'PackedCatalogItem' = ''

Creates the following services:

[<HKLM>\SYSTEM\ControlSet001\Services\.mrxsmb] 'ImagePath' = '\*'

Malicious functions:

Injects code into

the following system processes:

<SYSTEM32>\winlogon.exe
%WINDIR%\Explorer.EXE

Modifies file system :

Creates the following files:

%WINDIR%\$NtUninstallKB27979$\4121336045\cfg.ini
%WINDIR%\$NtUninstallKB27979$\4121336045\@
%WINDIR%\$NtUninstallKB27979$\4121336045\Desktop.ini
%WINDIR%\$NtUninstallKB27979$\4121336045\L\alehhooo

Network activity:

Connects to:

'17#.#1.227.208':34354
'70.##1.130.207':34354
'67.##2.30.35':34354
'69.##5.120.36':34354
'18#.#2.121.206':34354
'98.##2.181.204':34354
'76.##2.97.154':34354
'98.##2.93.26':34354
'24.##8.173.103':34354
'49.##6.145.228':34354
'11#.#7.152.229':34354
'69.##4.217.25':34354
'75.##.176.211':34354
'68.##6.104.152':34354
'24.#8.4.223':34354
'98.##.69.216':34354
'74.##.239.183':34354
'62.##3.230.77':34354
'20#.#41.238.59':34354
'17#.#71.40.190':34354
'10#.#10.169.173':34354
'75.##3.92.176':34354
'96.##.169.71':34354
'67.#9.118.0':34354
'17#.#0.220.155':34354
'76.##.207.201':34354
'68.##8.134.204':34354
'18#.#9.40.203':34354
'10#.#12.231.169':34354
'75.##.11.170':34354
'17#.#74.155.190':34354
'98.##8.154.59':34354
'98.##6.197.197':34354
'67.##1.190.124':34354
'71.##.60.212':34354
'71.#3.1.79':34354
'46.#7.147.2':34354
'69.##2.159.3':34354
'72.##8.79.126':34354
'99.##.81.126':34354
'68.#4.200.7':34354
'98.##9.159.131':34354
'68.##.127.222':34354
'99.##.252.134':34354
'14#.#5.240.208':34354
'68.#.141.128':34354
'96.##.182.43':34354
'69.##1.159.213':34354
'67.##7.87.246':34354
'19#.#06.1.245':34354
'98.##7.43.250':34354
'82.##5.244.111':34354
'98.##0.230.17':34354
'70.##0.180.106':34354
'69.##1.214.136':34354
'18#.#5.75.108':34354
'18#.#1.245.115':34354
'68.#.141.115':34354
'70.##0.4.118':34354
'98.##4.152.4':34354
'75.##.51.250':34354
'71.##9.152.112':34354
'97.##.36.253':34354
'50.##.140.124':34354
'99.#2.87.20':34354
'17#.#2.231.17':34354
'17#.#1.96.241':34354
'17#.#72.202.242':34354
'97.#2.71.75':34354
'75.##7.126.102':34354
'21#.#41.53.108':34354
'70.##8.48.111':34354
'17#.#9.52.218':34354
'24.##.210.100':34354
'71.##7.123.10':34354
'65.##.107.30':34354
'39.##9.192.148':34354
'98.##5.76.143':34354
'20#.#29.176.226':34354
'24.##1.169.129':34354
'17#.#6.160.6':34354
'71.##.166.91':34354
'24.##3.22.114':34354
'18#.#22.23.7':34354
'98.##2.235.171':34354
'18#.#06.177.80':34354
'67.#.228.56':34354
'98.##0.113.57':34354
'75.##9.93.99':34354
'76.##.192.96':34354
'71.##.40.246':34354
'75.##.144.103':34354
'69.##7.126.92':34354
'68.##4.211.251':34354
'98.##.109.246':34354
'66.##.225.152':34354
'24.##.72.195':34354
'24.##6.95.253':34354
'69.##3.61.165':34354
'69.##.255.118':34354
'76.##2.171.52':34354
'98.##0.255.159':34354
'18#.#0.140.200':34354
'76.##.55.201':34354
'74.##2.184.119':34354
'24.##9.108.185':34354
'24.#.28.179':34354
'17#.#1.102.183':34354
'71.##6.65.172':34354
'74.##.85.165':34354
'66.##2.40.171':34354
'71.##5.79.254':34354
'95.##.138.128':34354
'98.##8.114.117':34354
'75.##.39.208':34354
'24.##3.42.153':34354
'17#.#8.118.150':34354
'98.##1.126.32':34354
'75.##5.89.36':34354
'85.##5.80.10':34354
'17#.#1.237.91':34354
'98.##5.155.127':34354
'24.##6.80.202':34354
'69.##1.151.202':34354
'24.##1.100.153':34354
'68.#14.9.41':34354
'11#.#0.197.43':34354
'92.##.72.155':34354
'72.##3.199.43':34354
'68.##.174.187':34354
'76.##6.44.82':34354
'68.##.184.141':34354
'96.##.47.133':34354
'76.##8.84.33':34354
'24.##8.13.112':34354
'18#.#7.73.40':34354
'72.##6.50.135':34354
'75.##7.208.82':34354
'66.##8.61.122':34354
'67.##9.120.232':34354
'72.##4.148.80':34354
'70.##5.183.51':34354
'98.##0.202.92':34354
'76.##.219.20':34354
'64.##.197.89':34354
'17#.#6.102.140':34354
'98.##4.85.203':34354
'76.#48.45.8':34354
'24.##.239.136':34354
'99.#8.10.29':34354
'69.##4.254.51':34354
'69.##1.175.50':34354
'98.##0.213.9':34354
'68.##3.164.212':34354
'68.##7.227.207':34354
'98.##5.35.129':34354
'17#.#10.192.37':34354
'68.##.73.214':34354
'71.##.150.205':34354
'82.##.65.129':34354
'98.##4.194.206':34354
'21#.#0.76.94':34354
'71.##.56.155':34354
'67.##9.33.220':34354
'68.##3.96.42':34354
'18#.#8.123.181':34354
'72.##5.99.232':34354
'18#.#67.240.57':34354
'24.##.145.216':34354
'98.##3.255.60':34354
'98.##7.157.183':34354
'localhost':80
'62.##.236.253':34354
'11#.#0.193.206':34354
'96.##.161.188':34354
'20#.#72.186.45':34354
'98.##.231.232':34354
'19#.#04.197.112':34354
'75.##6.104.96':34354
'18#.#54.86.167':34354
'75.##.69.158':34354
'69.##5.205.70':34354
'10#.#4.195.184':34354
'68.##.175.211':34354
'98.##3.30.230':34354
'98.##7.51.219':34354
'77.##1.161.2':34354
'92.##6.88.151':34354
'24.##5.0.149':34354
'17#.#0.166.242':34354
'17#.#2.235.7':34354
'14#.#69.115.105':34354
'24.##0.153.108':34354
'24.##6.171.227':34354
'69.##4.85.71':34354
'99.##5.38.183':34354
'24.##8.93.67':34354
'68.##5.21.62':34354
'68.#3.82.13':34354
'20#.#81.228.13':34354
'50.##5.194.13':34354
'76.##7.78.84':34354
'68.#2.60.71':34354
'70.##.213.233':34354
'67.##.12.241':34354
'71.##4.154.179':34354
'85.##.182.23':34354
'71.##.61.231':34354
'24.##6.208.161':34354
'19#.#2.181.53':34354
'71.##.162.201':34354
'68.##0.3.250':34354
'10#.#01.160.54':34354
'98.##1.105.31':34354
'70.##.109.254':34354
'76.##.172.51':34354
'24.##4.240.203':34354
'17#.#22.232.9':34354
'71.##8.208.224':34354
'24.##0.217.95':34354
'96.##.250.152':34354
'68.##.161.246':34354
'66.##.15.199':34354
'75.##3.121.152':34354
'17#.#0.59.190':34354
'67.#1.29.99':34354
'76.##8.107.27':34354
'69.##4.36.57':34354
'76.##0.162.191':34354
'98.#1.46.94':34354
'74.##4.240.243':34354
'98.##2.14.27':34354
'24.##.170.152':34354
'75.##5.80.201':34354
'98.##2.2.106':34354
'74.##2.135.111':34354
'71.##2.110.142':34354
'96.##.241.220':34354
'24.##.81.196':34354
'68.##8.234.147':34354
'65.##.48.247':34354
'67.##2.52.163':34354
'76.##.152.23':34354
'24.##9.136.70':34354
'68.#.43.163':34354
'24.##6.223.238':34354
'67.##2.175.81':34354
'18#.#0.186.3':34354
'17#.#6.90.168':34354
'75.##2.121.243':34354
'98.##8.33.159':34354
'98.#8.89.62':34354
'89.#.247.26':34354
'19#.#8.78.180':34354
'24.##9.145.161':34354
'18.##9.99.98':34354
'72.##0.150.87':34354

TCP:

HTTP GET requests:

eg##kkid.cn/stat2.php?&a################
eg##kkid.cn/stat2.php?&a#################

Технологии

Термины

Обучение и просвещение

Мифы

Technical Information

Рекомендации по лечению

Демо бесплатно на 14 дней