Trojan.DownLoader46.41249

Technical Information

To ensure autorun and distribution

Modifies the following registry keys

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\] 'CSRSS' = '"%ALLUSERSPROFILE%\Drivers\csrss.exe"'

Creates or modifies the following files

<SYSTEM32>\tasks\firefox default browser agent fa36d2f4d1b55fea

Malicious functions

Injects code into

the following user processes:

df18.exe

Searches for windows to

detect analytical utilities:

ClassName: 'OLLYDBG', WindowName: ''
ClassName: 'GBDYLLO', WindowName: ''
ClassName: 'pediy06', WindowName: ''
ClassName: 'FilemonClass', WindowName: ''
ClassName: '', WindowName: 'File Monitor - Sysinternals: www.sysinternals.com'
ClassName: 'PROCMON_WINDOW_CLASS', WindowName: ''
ClassName: '', WindowName: 'Process Monitor - Sysinternals: www.sysinternals.com'
ClassName: 'RegmonClass', WindowName: ''

Modifies file system

Creates the following files

%APPDATA%\vctgvuc
%APPDATA%\wrdgucw
%TEMP%\df18.exe
%TEMP%\e782.exe
%TEMP%\f8a2.exe
%TEMP%\fda3.dll
%ALLUSERSPROFILE%\drivers\csrss.exe
%TEMP%\4kpv6a~1\state.tmp
%TEMP%\4kpv6a~1\unverified-microdesc-consensus.tmp
%TEMP%\4kpv6a~1\cached-certs.tmp
%TEMP%\4kpv6a~1\cached-microdesc-consensus.tmp
%TEMP%\4kpv6a~1\cached-microdescs.new

Sets the 'hidden' attribute to the following files

%APPDATA%\vctgvuc
%APPDATA%\wrdgucw
%ALLUSERSPROFILE%\drivers\csrss.exe

Deletes the following files

%TEMP%\fda3.dll
%TEMP%\4kpv6a~1\unverified-microdesc-consensus
%TEMP%\4kpv6a~1\state

Moves the following files

from %TEMP%\4kpv6a~1\state.tmp to %TEMP%\4kpv6a~1\state
from %TEMP%\4kpv6a~1\unverified-microdesc-consensus.tmp to %TEMP%\4kpv6a~1\unverified-microdesc-consensus
from %TEMP%\4kpv6a~1\cached-certs.tmp to %TEMP%\4kpv6a~1\cached-certs
from %TEMP%\4kpv6a~1\cached-microdesc-consensus.tmp to %TEMP%\4kpv6a~1\cached-microdesc-consensus

Substitutes the following files

%TEMP%\4kpv6a~1\state.tmp
%TEMP%\4kpv6a~1\state

Deletes itself.

Network activity

Connects to

'su####lituyo.org':80
'localhost':49824
'localhost':49822
'localhost':49820
'localhost':49818
'localhost':49816
'localhost':49815
'localhost':49814
'localhost':49813
'localhost':49812
'localhost':49810
'localhost':49808
'localhost':49828
'localhost':49826
'localhost':49785
'localhost':49784
'localhost':49782
'localhost':49781
'localhost':49779
'localhost':49777
'localhost':49775
'localhost':49773
'localhost':49771
'localhost':49769
'localhost':49767
'localhost':49806
'localhost':49697
'localhost':49829
'localhost':49859
'localhost':49858
'localhost':49857
'localhost':49856
'localhost':49855
'localhost':49854
'localhost':49853
'localhost':49852
'localhost':49851
'localhost':49850
'localhost':49849
'localhost':49848
'localhost':49847
'localhost':49846
'localhost':49845
'localhost':49844
'localhost':49843
'localhost':49842
'localhost':49841
'localhost':49840
'localhost':49839
'localhost':49836
'localhost':49834
'localhost':49832
'localhost':49831
'localhost':49765
'localhost':49787
'localhost':49762
'localhost':49764
'localhost':49761
'localhost':49667
'localhost':49690
'localhost':49687
'localhost':49685
'localhost':49683
'localhost':49680
'localhost':49679
'localhost':49677
'localhost':49675
'localhost':49673
'localhost':49671
'localhost':49668
'localhost':49665
'localhost':49693
'localhost':49663
'localhost':49661
'localhost':49659
'localhost':49657
'localhost':49655
'localhost':49653
'localhost':49651
'localhost':49649
'localhost':49645
'localhost':49646
'localhost':49642
'localhost':49860
'localhost':49830
'localhost':49695
'localhost':49701
'localhost':49689
'localhost':49756
'localhost':49753
'localhost':49750
'localhost':49749
'localhost':49876
'localhost':49495
'localhost':49741
'localhost':49735
'localhost':49733
'localhost':49731
'localhost':49729
'localhost':49727
'localhost':49724
'localhost':49723
'localhost':49721
'localhost':49719
'localhost':49717
'localhost':49715
'localhost':49713
'localhost':49711
'localhost':49709
'localhost':49707
'localhost':49705
'localhost':49703
'localhost':49699
'localhost':49861
'localhost':49862
'localhost':49865
'localhost':50272
'localhost':50274
'localhost':50278
'localhost':50257
'localhost':50255
'localhost':50256
'localhost':50254
'localhost':50220
'localhost':50227
'localhost':50224
'localhost':50234
'localhost':50235
'localhost':50236
'localhost':50239
'localhost':50219
'localhost':50221
'localhost':49743
'localhost':49744
'localhost':49745
'localhost':49746
'localhost':49747
'localhost':49748
'localhost':49751
'localhost':49752
'localhost':49737
'localhost':50277
'localhost':49875
'localhost':49641
'localhost':50113
'localhost':50326
'localhost':50295
'localhost':50009
'localhost':50008
'localhost':50007
'localhost':50006
'localhost':50005
'localhost':50004
'localhost':50003
'localhost':50002
'localhost':50001
'localhost':50000
'localhost':49999
'localhost':49998
'localhost':49997
'localhost':50201
'localhost':50202
'localhost':50203
'localhost':50204
'localhost':50205
'localhost':50206
'localhost':50207
'localhost':50208
'localhost':50120
'localhost':50119
'localhost':49738
'localhost':49811
'localhost':49754
'localhost':49817
'localhost':49821
'localhost':49823
'localhost':49825
'localhost':49827
'localhost':49833
'localhost':49835
'localhost':49837
'localhost':49864
'localhost':49866
'localhost':49867
'localhost':49868
'localhost':49869
'localhost':49870
'localhost':49871
'localhost':49872
'localhost':49873
'localhost':49874
'localhost':49739
'localhost':49802
'localhost':49799
'localhost':49797
'localhost':49795
'localhost':49792
'localhost':49789
'localhost':49791
'localhost':49819
'localhost':50321
'localhost':49757
'localhost':49809
'localhost':49758
'localhost':49759
'localhost':49760
'localhost':49763
'localhost':49766
'localhost':49768
'localhost':49770
'localhost':49772
'localhost':49774
'localhost':49776
'localhost':49778
'localhost':49780
'localhost':49783
'localhost':49786
'localhost':49788
'localhost':49790
'localhost':49793
'localhost':49794
'localhost':49796
'localhost':49798
'localhost':49800
'localhost':49801
'localhost':49804
'localhost':49805
'localhost':49807
'localhost':49755
'localhost':49972
'localhost':49639
'localhost':49579
'localhost':49342
'localhost':49340
'localhost':49338
'localhost':49336
'localhost':49333
'localhost':49332
'localhost':49328
'localhost':49329
'localhost':49326
'localhost':49322
'localhost':49323
'localhost':49346
'localhost':49344
'localhost':49315
'localhost':49314
'localhost':49310
'localhost':49311
'localhost':49308
'localhost':49306
'localhost':49304
'localhost':49301
'localhost':49300
'localhost':49298
'localhost':49296
'localhost':49320
'localhost':49234
'localhost':49348
'localhost':49400
'localhost':49398
'localhost':49396
'localhost':49394
'localhost':49392
'localhost':49390
'localhost':49388
'localhost':49386
'localhost':49384
'localhost':49382
'localhost':49380
'localhost':49378
'localhost':49376
'localhost':49374
'localhost':49372
'localhost':49370
'localhost':49368
'localhost':49366
'localhost':49364
'localhost':49362
'localhost':49360
'localhost':49358
'localhost':49356
'localhost':49354
'localhost':49352
'localhost':49294
'localhost':49318
'localhost':49292
'localhost':49290
'localhost':49288
'localhost':49204
'localhost':49226
'localhost':49224
'localhost':49222
'localhost':49220
'localhost':49218
'localhost':49216
'localhost':49214
'localhost':49212
'localhost':49210
'localhost':49208
'localhost':49206
'localhost':49202
'localhost':49230
'localhost':49200
'localhost':43153
'51.#1.48.10':443
'18#.#33.104.172':443
'18#.#20.101.20':10020
'10#.#7.25.148':443
'localhost':49187
'st#####luyastrelia.net':80
'li####oumumy.org':80
'li#####insteniki.org':80
'sn####ukeutit.org':80
'localhost':49402
'localhost':49350
'localhost':49232
'localhost':49238
'localhost':49228
'localhost':49286
'localhost':49284
'localhost':49282
'localhost':49280
'localhost':49278
'localhost':49275
'localhost':49274
'localhost':49272
'localhost':49270
'localhost':49268
'localhost':49266
'localhost':49264
'localhost':49262
'localhost':49260
'localhost':49258
'localhost':49256
'localhost':49254
'localhost':49250
'localhost':49251
'localhost':49248
'localhost':49246
'localhost':49244
'localhost':49242
'localhost':49240
'localhost':49236
'localhost':49404
'localhost':49406
'localhost':49408
'localhost':49575
'localhost':49573
'localhost':49571
'localhost':49569
'localhost':49567
'localhost':49565
'localhost':49563
'localhost':49561
'localhost':49559
'localhost':49557
'localhost':49555
'localhost':49553
'localhost':49551
'localhost':49549
'localhost':49545
'localhost':49547
'localhost':49543
'localhost':49541
'localhost':49539
'localhost':49537
'localhost':49535
'localhost':49533
'localhost':49530
'localhost':49529
'localhost':49527
'localhost':49577
'localhost':49581
'localhost':49637
'localhost':49583
'localhost':49633
'localhost':49630
'localhost':49629
'localhost':49627
'localhost':49625
'localhost':49623
'localhost':49621
'localhost':49619
'localhost':49617
'localhost':49615
'localhost':49613
'localhost':49611
'localhost':49609
'localhost':49605
'localhost':49606
'localhost':49603
'localhost':49601
'localhost':49599
'localhost':49597
'localhost':49595
'localhost':49593
'localhost':49591
'localhost':49589
'localhost':49587
'localhost':49585
'localhost':49525
'localhost':49464
'localhost':49523
'localhost':49462
'localhost':49458
'localhost':49456
'localhost':49454
'localhost':49452
'localhost':49450
'localhost':49448
'localhost':49446
'localhost':49444
'localhost':49442
'localhost':49440
'localhost':49438
'localhost':49436
'localhost':49434
'localhost':49432
'localhost':49430
'localhost':49428
'localhost':49426
'localhost':49424
'localhost':49422
'localhost':49420
'localhost':49418
'localhost':49416
'localhost':49414
'localhost':49412
'localhost':49410
'localhost':49460
'localhost':49635
'localhost':49519
'localhost':49466
'localhost':49517
'localhost':49515
'localhost':49511
'localhost':49512
'localhost':49509
'localhost':49507
'localhost':49505
'localhost':49503
'localhost':49501
'localhost':49499
'localhost':49497
'localhost':49494
'localhost':49490
'localhost':49491
'localhost':49488
'localhost':49486
'localhost':49484
'localhost':49482
'localhost':49480
'localhost':49478
'localhost':49476
'localhost':49474
'localhost':49472
'localhost':49470
'localhost':49468
'localhost':49521
'localhost':50322

TCP

HTTP GET requests

http://x5###############dj2m6eq4amkkpndbqyvmvaz6yl4mmfco6oqxsqd.onion/upd.php?n=#################################################################################################################...
http://x5###############dj2m6eq4amkkpndbqyvmvaz6yl4mmfco6oqxsqd.onion/task.php?n=################################################################################################################...
http://x5###############dj2m6eq4amkkpndbqyvmvaz6yl4mmfco6oqxsqd.onion/reg.php?n=#####################################################
http://x5###############dj2m6eq4amkkpndbqyvmvaz6yl4mmfco6oqxsqd.onion/hb.php?n=##############################

HTTP POST requests

http://su####lituyo.org/
http://sn####ukeutit.org/
http://li#####insteniki.org/
http://li####oumumy.org/
http://st#####luyastrelia.net/

Other

'10#.#7.25.148':443
'18#.#33.104.172':443
'51.#1.48.10':443
'localhost':43153
'localhost':49195
'localhost':49196
'localhost':49197
'localhost':49198
'localhost':49199

UDP

DNS ASK on###ituyrs.org
DNS ASK go##.netau
DNS ASK tr#####ionmallorca.com
DNS ASK st####cis.net.nz
DNS ASK i-##ech.com
DNS ASK se###sa.com.mx
DNS ASK bi####selmach.com
DNS ASK co#####byhillary.com
DNS ASK ja####jewelry.com
DNS ASK la###der.com
DNS ASK ac####mobile.com.my
DNS ASK oc###roject.com
DNS ASK gm##000.com
DNS ASK ka####i007.com.my
DNS ASK ru#####intothesun.com
DNS ASK te####ealtax.com
DNS ASK hf###sll.com
DNS ASK vo##inc.com
DNS ASK in####edcorp.com
DNS ASK p-##tro.com
DNS ASK ta####spitality.com
DNS ASK f7##.com
DNS ASK cr####motive.com
DNS ASK el####naircraft.com
DNS ASK co###pisco.com
DNS ASK no###maol.com
DNS ASK b6#####6f201f328.com
DNS ASK xo##e.com
DNS ASK lu###-niero.com
DNS ASK yo######lotteschools.com
DNS ASK up###eyx.com
DNS ASK ns##mi.com
DNS ASK a6#####79ef64e76.com
DNS ASK vi###gerosa.com
DNS ASK it##.com
DNS ASK ga#####dresidential.com
DNS ASK fi#####alker.plus.com
DNS ASK nu###obile.com
DNS ASK mu###alrock.com
DNS ASK in######llewonderland.comq
DNS ASK zn####upranm.com
DNS ASK do####hotels.com
DNS ASK ka###t.comtr
DNS ASK sp###al.compl
DNS ASK ve###ihyij.com
DNS ASK qo###ojz.com
DNS ASK dl##icx.com
DNS ASK kl###h.com.au
DNS ASK se###aycam.com
DNS ASK al#####ilcompany.com
DNS ASK po###ele.orgpl
DNS ASK ma###cap.com
DNS ASK pa###ronow.com
DNS ASK nf##.orgnp
DNS ASK id####outlets.com
DNS ASK cr##d.com
DNS ASK ad#######nfotechsolutions.com
DNS ASK ma##ule.com
DNS ASK sh##uk.com
DNS ASK jm###yman.com
DNS ASK mo####.baihe.com
DNS ASK d1###9d269.com
DNS ASK fh###rjs.com
DNS ASK le####your-way.com
DNS ASK mo###ystems.com
DNS ASK pd###atech.com
DNS ASK ro###oys.net
DNS ASK ev###vich.com
DNS ASK sh###works.com
DNS ASK ho###hurch.com
DNS ASK st#####luyastrelia.net
DNS ASK li####oumumy.org
DNS ASK li#####insteniki.org
DNS ASK sn####ukeutit.org
DNS ASK su####lituyo.org
DNS ASK jp###tlusa.com
DNS ASK gy#####iritmission.com
DNS ASK ea###qpsu.com
DNS ASK ve#####servicios.comco
DNS ASK he#####estaurant.com.au
DNS ASK ge.#sm.md
DNS ASK dv##ger.com
DNS ASK di###iels.org
DNS ASK go###ads.com
DNS ASK dm.#amm.us
DNS ASK th####-thr33.com
DNS ASK em####ngsalli.com
DNS ASK um##.commv
DNS ASK ka####usantara.com
DNS ASK m2###.comoj.com
DNS ASK dp##.com
DNS ASK ji####nsultant.com
DNS ASK or##scf.com
DNS ASK he###lmeats.com
DNS ASK ki#####ecenter.com.vn
DNS ASK sp###rumtp.com
DNS ASK pk##vm.com
DNS ASK sm####ytes.com.au
DNS ASK 91#####f3b3ebd36.com
DNS ASK ma####lentin.com
DNS ASK jm####ncompony.com
DNS ASK or###na.comua
DNS ASK at##fa.com

Miscellaneous

Searches for the following windows

ClassName: 'Registry Monitor - Sysinternals: www.sysinternals.com' WindowName: ''
ClassName: '18467-41' WindowName: ''

Creates and executes the following

'%TEMP%\df18.exe'
'%TEMP%\e782.exe'
'%TEMP%\f8a2.exe'

Executes the following

'<SYSTEM32>\regsvr32.exe' /s %TEMP%\FDA3.dll

Технологии

Термины

Обучение и просвещение

Мифы

Technical Information

Рекомендации по лечению

Демо бесплатно на 14 дней