BackDoor.Maxplus.875

Technical Information

To ensure autorun and distribution:

Modifies the following registry keys:

[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001] 'LibraryPath' = 'mswsock.dll'
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003] 'LibraryPath' = 'mswsock.dll'
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008] 'PackedCatalogItem' = ''

Creates the following services:

[<HKLM>\SYSTEM\ControlSet001\Services\.afd] 'ImagePath' = '\?'

Malicious functions:

Injects code into

the following system processes:

<SYSTEM32>\winlogon.exe
%WINDIR%\Explorer.EXE

Modifies file system :

Creates the following files:

%WINDIR%\$NtUninstallKB27979$\4121336045\@
%WINDIR%\$NtUninstallKB27979$\4121336045\cfg.ini
%WINDIR%\$NtUninstallKB27979$\4121336045\Desktop.ini
%WINDIR%\$NtUninstallKB27979$\4121336045\L\alehhooo

Deletes itself.

Network activity:

Connects to:

'17#.#25.111.163':34354
'70.##.87.166':34354
'77.##2.128.118':34354
'72.##3.47.159':34354
'24.#.230.185':34354
'95.#8.40.70':34354
'75.##4.215.23':34354
'24.##.77.184':34354
'18#.#34.24.146':34354
'72.##6.33.158':34354
'71.##4.122.126':34354
'98.##0.219.140':34354
'68.##6.181.79':34354
'64.#3.33.79':34354
'78.#9.89.55':34354
'75.##.34.158':34354
'19#.#2.198.247':34354
'69.#33.78.2':34354
'15#.#5.150.10':34354
'75.##3.134.10':34354
'18#.#15.139.253':34354
'74.##.183.60':34354
'82.##9.175.110':34354
'68.#5.45.61':34354
'72.##8.238.68':34354
'75.##1.202.21':34354
'97.##4.10.70':34354
'24.##1.206.21':34354
'24.##1.198.209':34354
'24.##1.25.239':34354
'68.##.85.190':34354
'31.##5.137.206':34354
'71.##9.182.81':34354
'68.##6.1.146':34354
'68.##0.192.14':34354
'24.##0.159.62':34354
'50.##.20.125':34354
'71.##5.155.65':34354
'10#.4.5.104':34354
'50.##.255.214':34354
'76.##4.91.165':34354
'75.##.229.190':34354
'21#.#03.173.161':34354
'64.##1.50.155':34354
'89.##.127.46':34354
'81.##6.89.57':34354
'74.##2.35.187':34354
'68.##.206.108':34354
'84.##7.133.51':34354
'10#.#.74.106':34354
'24.##.177.235':34354
'77.##9.232.221':34354
'24.#84.12.2':34354
'93.##6.212.51':34354
'98.##6.232.107':34354
'64.##6.79.32':34354
'10#.#4.40.61':34354
'75.##.113.166':34354
'65.##5.66.99':34354
'17#.#34.237.212':34354
'98.##1.202.12':34354
'87.##3.77.188':34354
'17#.#0.176.169':34354
'91.##7.60.22':34354
'24.##9.38.51':34354
'24.##2.86.95':34354
'17#.#26.8.43':34354
'71.##6.119.230':34354
'18#.#8.25.82':34354
'64.##9.142.221':34354
'82.##8.86.176':34354
'69.##.133.217':34354
'10#.#7.160.108':34354
'68.##1.159.247':34354
'17#.#4.63.27':34354
'24.##1.66.166':34354
'72.##2.211.69':34354
'74.##1.21.188':34354
'97.##.158.245':34354
'18#.#1.46.244':34354
'24.##2.100.176':34354
'24.##7.6.108':34354
'98.##4.76.185':34354
'19#.#7.174.244':34354
'17#.#3.250.81':34354
'17#.#7.228.177':34354
'70.##.117.109':34354
'98.##6.233.109':34354
'69.##2.34.44':34354
'69.##9.233.80':34354
'67.##.95.226':34354
'50.##.72.128':34354
'18#.#6.136.241':34354
'24.##6.230.10':34354
'75.##4.16.255':34354
'70.##7.173.74':34354
'24.##.82.208':34354
'85.##9.248.205':34354
'68.##6.24.221':34354
'71.##5.59.82':34354
'98.##.229.97':34354
'91.##.202.107':34354
'17#.#99.9.96':34354
'24.##.216.96':34354
'10#.#31.14.58':34354
'69.##6.228.241':34354
'68.##0.201.210':34354
'98.##1.50.251':34354
'76.##1.182.233':34354
'58.##.159.229':34354
'24.##.27.234':34354
'89.##.122.13':34354
'10#.#46.243.30':34354
'99.##4.105.255':34354
'71.##7.212.28':34354
'98.##0.111.148':34354
'71.#96.8.60':34354
'18#.#7.253.37':34354
'68.##3.206.115':34354
'75.##4.50.66':34354
'72.##5.72.170':34354
'46.##5.140.41':34354
'75.##3.23.194':34354
'68.#.168.188':34354
'98.##4.19.160':34354
'50.##.225.36':34354
'15#.#81.186.167':34354
'98.##6.209.49':34354
'17#.#99.74.146':34354
'19#.#8.85.200':34354
'24.##.74.197':34354
'76.##0.186.175':34354
'87.##7.41.222':34354
'89.##.222.21':34354
'10#.#.99.166':34354
'20#.#55.220.108':34354
'68.##.186.142':34354
'17#.#12.98.222':34354
'96.##.114.166':34354
'74.##.197.85':34354
'72.##3.63.151':34354
'72.##4.106.129':34354
'21#.#11.201.125':34354
'75.##.121.93':34354
'72.#.83.5':34354
'76.##7.209.63':34354
'24.##3.88.92':34354
'71.##.22.189':34354
'98.#7.9.105':34354
'95.##4.116.171':34354
'76.##7.32.67':34354
'70.##2.77.33':34354
'18#.#7.247.30':34354
'24.#5.60.17':34354
'17#.#03.12.171':34354
'98.##9.61.184':34354
'68.##.149.150':34354
'92.##.178.169':34354
'65.##5.64.76':34354
'67.##3.81.100':34354
'74.##2.247.64':34354
'92.#1.2.54':34354
'46.##1.210.16':34354
'94.##9.249.73':34354
'67.##0.145.64':34354
'76.##5.31.50':34354
'98.#1.3.231':34354
'20#.#01.224.228':34354
'15#.#5.163.17':34354
'24.##.179.14':34354
'67.##2.175.171':34354
'pr####.fling.com':80
'24.##.124.118':34354
'18#.#5.65.96':34354
'97.##.152.121':34354
'15#.#81.135.87':34354
'74.##3.138.6':34354
'68.##.175.211':34354
'24.##5.113.30':34354
'50.##.169.26':34354
'69.#5.71.12':34354
'98.##6.190.154':34354
'71.##.231.224':34354
'75.##.177.180':34354
'75.##4.229.231':34354
'50.#.53.23':34354
'76.##9.48.111':34354
'99.##.213.18':34354
'24.##8.19.49':34354
'98.##2.229.67':34354
'18#.#7.165.148':34354
'98.##1.230.201':34354
'24.#07.1.45':34354
'81.##0.23.232':34354
'76.##9.203.229':34354
'71.##.123.90':34354
'68.#8.11.83':34354
'24.##.111.66':34354
'98.##1.187.41':34354
'96.##.89.130':34354
'67.##3.14.140':34354
'79.##8.161.27':34354
'76.##7.164.240':34354
'68.##5.116.244':34354
'2.##4.73.17':34354
'70.##6.218.128':34354
'75.##2.19.166':34354
'97.##.202.237':34354
'66.##.115.112':34354
'71.#5.45.6':34354
'75.##4.33.235':34354
'84.##.255.216':34354
'68.#28.26.5':34354
'94.##.37.241':34354
'69.##8.231.60':34354
'75.#10.1.22':34354
'98.##2.79.70':34354
'68.##3.78.90':34354
'10#.#34.51.194':34354
'50.##9.61.31':34354
'20#.#02.109.218':34354
'95.##3.54.99':34354
'65.##.131.17':34354
'69.##6.64.183':34354
'98.##8.3.210':34354
'17#.#9.57.41':34354
'17#.#1.174.152':34354
'74.##7.27.99':34354
'70.##2.91.18':34354
'18#.59.1.56':34354
'72.##9.133.196':34354
'18#.#0.24.90':34354
'67.##.44.210':34354
'71.##5.76.210':34354
'84.##9.125.233':34354
'17#.#26.5.53':34354
'75.##.68.232':34354
'14#.#16.27.57':34354
'88.##0.96.224':34354
'68.##4.164.113':34354
'24.##.243.81':34354
'74.##.222.84':34354
'2.###.129.88':34354
'70.##.172.87':34354
'17#.#21.157.220':34354
'68.#.251.7':34354
'69.#2.30.72':34354
'99.##5.189.26':34354
'69.##8.205.66':34354
'67.##.110.147':34354
'67.##3.167.215':34354
'72.##3.167.19':34354
'68.##1.173.189':34354
'71.##.149.166':34354
'24.##6.176.231':34354
'95.##.209.73':34354
'71.##6.124.167':34354

TCP:

HTTP GET requests:

pr####.fling.com/geo/txt/city.php

UDP:

DNS ASK pr####.fling.com
'localhost':752
'8.#.8.8':1035

Технологии

Термины

Обучение и просвещение

Мифы

Technical Information

Рекомендации по лечению

Демо бесплатно на 14 дней