BackDoor.Maxplus.886

Technical Information

To ensure autorun and distribution:

Modifies the following registry keys:

[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001] 'LibraryPath' = 'mswsock.dll'
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003] 'LibraryPath' = 'mswsock.dll'
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007] 'PackedCatalogItem' = ''
[<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008] 'PackedCatalogItem' = ''

Creates the following services:

[<HKLM>\SYSTEM\ControlSet001\Services\.redbook] 'ImagePath' = '\?'

Malicious functions:

Injects code into

the following system processes:

<SYSTEM32>\winlogon.exe
%WINDIR%\Explorer.EXE

Modifies file system :

Creates the following files:

%WINDIR%\$NtUninstallKB27979$\4121336045\@
%WINDIR%\$NtUninstallKB27979$\4121336045\cfg.ini
%WINDIR%\$NtUninstallKB27979$\4121336045\Desktop.ini
%WINDIR%\$NtUninstallKB27979$\4121336045\L\alehhooo

Deletes itself.

Network activity:

Connects to:

'24.##2.100.176':34354
'75.##4.71.25':34354
'18#.#9.231.135':34354
'69.##7.226.91':34354
'66.##.220.193':34354
'76.##9.203.245':34354
'10#.#03.155.77':34354
'89.##.127.46':34354
'24.#.235.167':34354
'72.##1.229.120':34354
'95.##5.235.22':34354
'99.##1.204.178':34354
'71.##8.255.44':34354
'68.#.104.117':34354
'24.##8.129.80':34354
'19#.#12.115.231':34354
'75.##8.17.254':34354
'68.##.91.248':34354
'69.##9.72.184':34354
'70.##0.41.199':34354
'69.##4.160.113':34354
'68.##.164.226':34354
'17#.#0.216.169':34354
'17#.#8.245.248':34354
'18#.#5.212.44':34354
'75.#6.71.25':34354
'76.##.172.51':34354
'74.##.53.183':34354
'85.##4.197.70':34354
'17#.#2.202.99':34354
'99.##.38.157':34354
'17#.#34.237.206':34354
'93.##6.246.89':34354
'76.##.66.241':34354
'67.##6.129.111':34354
'17#.#9.132.253':34354
'68.##2.210.10':34354
'89.##6.77.81':34354
'84.##7.166.179':34354
'62.##0.179.126':34354
'89.##5.75.194':34354
'68.##.244.123':34354
'95.#6.74.30':34354
'2.###.164.64':34354
'24.##1.197.124':34354
'15#.#2.125.240':34354
'68.##0.205.6':34354
'62.##.116.66':34354
'62.##1.48.130':34354
'83.#.104.206':34354
'98.##7.159.28':34354
'17#.#67.89.46':34354
'11#.#2.74.114':34354
'89.##0.107.83':34354
'79.##5.176.212':34354
'68.##3.244.227':34354
'19#.#4.143.71':34354
'76.#4.12.9':34354
'18#.#37.145.130':34354
'74.##8.83.54':34354
'18#.#1.167.192':34354
'85.##3.246.77':34354
'96.##.111.69':34354
'10#.#30.35.97':34354
'95.##2.88.75':34354
'17#.#.187.48':34354
'94.##5.28.235':34354
'18#.#6.44.133':34354
'50.##7.148.161':34354
'17#.#17.226.82':34354
'78.##.86.183':34354
'41.##.211.75':34354
'98.#9.43.58':34354
'68.##0.24.66':34354
'12#.#45.46.139':34354
'17#.#68.167.250':34354
'69.##7.195.135':34354
'71.##.121.137':34354
'11#.#03.231.212':34354
'71.##.192.190':34354
'74.##2.128.9':34354
'74.##1.98.125':34354
'98.##2.143.91':34354
'98.##8.68.147':34354
'78.##.231.54':34354
'41.##1.81.134':34354
'69.##0.0.144':34354
'98.##6.199.143':34354
'71.##.169.252':34354
'70.##2.216.231':34354
'75.##2.5.182':34354
'21#.#71.244.81':34354
'95.#9.9.17':34354
'64.##1.20.44':34354
'75.##8.251.172':34354
'98.##0.182.26':34354
'18#.#6.26.254':34354
'70.##0.150.210':34354
'67.##2.124.68':34354
'68.##7.131.251':34354
'19#.#2.66.185':34354
'79.##3.88.191':34354
'71.#6.40.21':34354
'87.#.227.241':34354
'83.##9.105.117':34354
'95.##.33.211':34354
'68.##9.213.19':34354
'15#.#3.24.157':34354
'92.#3.61.96':34354
'46.##7.147.244':34354
'70.##7.156.27':34354
'76.##6.100.61':34354
'75.##9.158.99':34354
'70.##2.197.107':34354
'75.##3.165.70':34354
'18#.#78.147.186':34354
'17#.#.96.211':34354
'17#.92.4.24':34354
'85.##0.127.76':34354
'76.##9.177.227':34354
'76.##9.34.78':34354
'2.###.24.176':34354
'50.#.62.201':34354
'72.##8.76.108':34354
'18#.#88.230.164':34354
'93.##4.252.74':34354
'98.##.189.79':34354
'19#.#00.55.183':34354
'68.##4.11.146':34354
'37.##.178.180':34354
'17#.#52.29.23':34354
'76.##7.36.137':34354
'75.##0.64.136':34354
'24.#1.4.96':34354
'24.##1.91.217':34354
'15#.#24.149.190':34354
'71.##.56.173':34354
'18#.#7.82.69':34354
'24.##1.69.113':34354
'17#.#18.68.159':34354
'88.##.169.178':34354
'67.##2.98.57':34354
'69.##0.236.113':34354
'74.##.16.104':34354
'75.##6.153.75':34354
'75.#78.8.21':34354
'95.##7.103.16':34354
'17#.#76.243.43':34354
'82.##.35.112':34354
'24.#.110.233':34354
'24.##1.24.229':34354
'95.##.80.156':34354
'77.##1.168.183':34354
'74.##4.147.123':34354
'17#.8.16.31':34354
'99.##.213.18':34354
'17#.#25.119.52':34354
'71.##5.244.82':34354
'95.##.161.78':34354
'74.##2.177.56':34354
'10#.#91.162.186':34354
'68.##4.46.161':34354
'19#.#2.214.164':34354
'91.#5.6.80':34354
'76.##6.167.22':34354
'72.##9.145.79':34354
'75.##.127.35':34354
'70.##.147.142':34354
'95.##5.197.25':34354
'71.##.165.226':34354
'pr####.fling.com':80
'17#.#0.245.108':34354
'88.#04.8.58':34354
'84.##0.211.180':34354
'74.##4.63.116':34354
'24.##.24.180':34354
'76.##9.18.167':34354
'87.#.114.8':34354
'13#.#34.212.77':34354
'76.#1.19.32':34354
'70.##4.46.242':34354
'10#.#0.249.4':34354
'98.##.169.40':34354
'98.##9.212.245':34354
'10#.#33.196.62':34354
'11#.#3.51.235':34354
'69.##2.33.156':34354
'98.##1.124.7':34354
'49.##2.67.163':34354
'69.##4.161.173':34354
'69.##9.74.67':34354
'17#.#0.178.12':34354
'84.##9.125.233':34354
'72.##9.133.179':34354
'20#.#95.20.212':34354
'79.##7.31.10':34354
'75.##2.29.93':34354
'65.##1.18.99':34354
'97.##.118.26':34354
'24.##.127.42':34354
'66.##.173.205':34354
'17#.#27.82.33':34354
'72.##9.236.74':34354
'17#.#4.211.89':34354
'70.##3.45.143':34354
'65.##.179.142':34354
'76.##.245.236':34354
'19#.#04.210.64':34354
'98.##9.250.165':34354
'15#.#24.49.222':34354
'68.#.58.112':34354
'85.##.172.227':34354
'70.##8.69.237':34354
'79.##3.217.230':34354
'98.##0.229.103':34354
'83.##5.22.44':34354
'24.##5.199.194':34354
'41.##7.210.105':34354
'74.##.224.21':34354
'98.##4.238.60':34354
'15#.#1.43.126':34354
'76.#9.31.33':34354
'76.#3.94.21':34354
'17#.#.100.106':34354
'66.##.60.103':34354
'21#.#25.209.47':34354
'71.#.141.97':34354
'24.#.149.181':34354
'74.##9.78.90':34354
'24.##7.182.145':34354
'82.##2.21.125':34354
'18#.#5.247.227':34354
'79.##1.171.254':34354
'87.##.209.164':34354
'99.##1.16.127':34354
'66.##7.8.218':34354
'76.##6.26.22':34354
'62.##.123.53':34354
'50.##9.92.173':34354
'70.##.213.233':34354
'11#.#25.137.57':34354
'75.##3.10.111':34354
'24.##2.68.184':34354
'66.#7.4.194':34354
'82.##.72.120':34354
'76.##5.98.79':34354
'72.##9.17.30':34354
'65.##.221.29':34354
'71.##7.123.10':34354
'69.##5.248.69':34354
'17#.#26.203.8':34354
'17#.#1.195.71':34354
'20#.#41.223.175':34354
'17#.#1.10.252':34354
'78.##4.238.120':34354
'85.##9.216.130':34354

TCP:

HTTP GET requests:

pr####.fling.com/geo/txt/city.php

UDP:

DNS ASK pr####.fling.com
'localhost':752
'8.#.8.8':1035

Технологии

Термины

Обучение и просвещение

Мифы

Technical Information

Рекомендации по лечению

Демо бесплатно на 14 дней