Trojan.DownLoader23.458

Technical Information

To ensure autorun and distribution:

Creates the following services:

[<HKLM>\SYSTEM\ControlSet001\Services\TMBMServer] 'Start' = '00000002'
[<HKLM>\SYSTEM\ControlSet001\Services\tmactmon] 'ImagePath' = '<DRIVERS>\tmactmon.sys'
[<HKLM>\SYSTEM\ControlSet001\Services\TMBMServer] 'ImagePath' = '"%WINDIR%\PEAgent\AEGIS\TMBMSRV.EXE" /service'
[<HKLM>\SYSTEM\ControlSet001\Services\MicroSamSock.exe] 'ImagePath' = '"%WINDIR%\AuthCertPrefetch\MicroSamSock.exe" "%WINDIR%\AuthCertPrefetch\NtFileATL"'
[<HKLM>\SYSTEM\ControlSet001\Services\MicroSamSock.exe] 'Start' = '00000002'
[<HKLM>\SYSTEM\ControlSet001\Services\tmactmon] 'Start' = '00000002'
[<HKLM>\SYSTEM\ControlSet001\Services\tmcomm] 'Start' = '00000002'
[<HKLM>\SYSTEM\ControlSet001\Services\TMAgent] 'ImagePath' = '%WINDIR%\PEAgent\PEAgent.exe /SERVICE'
[<HKLM>\SYSTEM\ControlSet001\Services\tmcomm] 'ImagePath' = '<DRIVERS>\tmcomm.sys'
[<HKLM>\SYSTEM\ControlSet001\Services\tmevtmgr] 'ImagePath' = '<DRIVERS>\tmevtmgr.sys'
[<HKLM>\SYSTEM\ControlSet001\Services\tmevtmgr] 'Start' = '00000002'

Malicious functions:

Executes the following:

'%WINDIR%\Temp\CipherUpdMS.exe'
'%WINDIR%\PEAgent\AEGIS\TMBMSRV.exe' /service
'%WINDIR%\PEAgent\PEAgentMonitor.exe'
'%WINDIR%\Temp\DllPrefetchTool.exe'
'%WINDIR%\Temp\DllPrefetchTool.exe' /RunWatchdog
'<SYSTEM32>\msiexec.exe' /V
'<SYSTEM32>\msiexec.exe' /i "%TEMP%\RarSFX0\PEAgent.msi" /quiet
'<SYSTEM32>\msiexec.exe' -Embedding 56E9C020295F2715A3C127B7E95181F8
'%WINDIR%\PEAgent\PEAgent.exe' /SERVICE
'%WINDIR%\PEAgent\PEAgent.exe' /init persist 112.100.3.100:5088 /start /port:5091 /icon:off

Hooks the following functions in System Service Descriptor Table (SSDT):

NtRenameKey, handler: unknown
NtRestoreKey, handler: unknown
NtOpenThread, handler: unknown
NtOpenProcess, handler: unknown
NtOpenSection, handler: unknown
NtTerminateThread, handler: unknown
NtWriteVirtualMemory, handler: unknown
NtTerminateProcess, handler: unknown
NtSetSystemInformation, handler: unknown
NtSetValueKey, handler: unknown
NtLoadDriver, handler: unknown
NtCreateProcessEx, handler: unknown
NtCreateSymbolicLinkObject, handler: unknown
NtCreateProcess, handler: unknown
NtCreateKey, handler: unknown
NtCreateMutant, handler: unknown
NtDeleteValueKey, handler: unknown
NtDuplicateObject, handler: unknown
NtDeleteKey, handler: unknown
NtCreateThread, handler: unknown
NtDebugActiveProcess, handler: unknown

Modifies file system:

Creates the following files:

%WINDIR%\COMMciCLR\RGCigpv\CGIKU\vogxvoit.kph
%WINDIR%\COMMciCLR\RGCigpv\CGIKU\vogxvoit.ecv
%WINDIR%\COMMciCLR\RGCigpv\CGIKU\vogxvoit.uau
%WINDIR%\COMMciCLR\RGCigpv\CGIKU\voynwvkn.fnn
%WINDIR%\COMMciCLR\RGCigpv\CGIKU\VORGO.fnn
%WINDIR%\COMMciCLR\RGCigpv\CGIKU\VoGpiFtx.fnn
%WINDIR%\COMMciCLR\RGCigpv\CGIKU\voeqogpi.fnn
%WINDIR%\COMMciCLR\RGCigpv\CGIKU\VODOUTX.gzg
%WINDIR%\COMMciCLR\RGCigpv\CGIKU\voeqoo.ecv
%WINDIR%\COMMciCLR\RGCigpv\CGIKU\voeqoo.uau
%WINDIR%\COMMciCLR\RGCigpv\CGIKU\voeqoo.kph
%WINDIR%\COMMciCLR\RGCigpv\CGIKU.og
%WINDIR%\COMMciCLR\RGCigpv\ecejg\VOXC.gzg
%WINDIR%\COMMciCLR\RGCigpv\ecejg\TEO
%WINDIR%\COMMciCLR\RGCigpv\ecejg\xcr
%WINDIR%\COMMciCLR\RGCigpv\je_jgnr.fnn
%WINDIR%\COMMciCLR\RGCigpv\JENqiRctugt.fnn
%WINDIR%\COMMciCLR\RGCigpv\ecejg\FEV
%WINDIR%\COMMciCLR\RGCigpv\CGIKU_bkrejgem
%WINDIR%\COMMciCLR\RGCigpv\CGIKU.bkr
%WINDIR%\COMMciCLR\RGCigpv\Dcnnqqp.fnn
%WINDIR%\COMMciCLR\RGCigpv\ecejg\FEG
%WINDIR%\COMMciCLR\RGCigpv\ec.etv
%WINDIR%\COMMciCLR\RGCigpv\CGIKU\kgrnwi.fnn
<SYSTEM32>\PEAgentBackupFileHash.txt
%WINDIR%\COMMciCLR\RGCigpv\CGIKU\Rcvvgtpu\vocce.rvp
%WINDIR%\COMMciCLR\RGCigpv\CGIKU\Rcvvgtpu\voiqehi.rvp
%WINDIR%\COMMciCLR\RGCigpv\CGIKU\Rcvvgtpu\vodoehi.rvp
%WINDIR%\COMMciCLR\Tgikuvta
%WINDIR%\PEAgent\AEGIS.me
<DRIVERS>\tmactmon.sys
%WINDIR%\AuthCertPrefetch\MicroSamSock.exe
%WINDIR%\Temp\PEAgentRecoveryLog.txt
%WINDIR%\AuthCertPrefetch\NtFileATL
%WINDIR%\COMMciCLR\RGCigpv\CGIKU\Rcvvgtpu\voiqien.rvp
%WINDIR%\COMMciCLR\RGCigpv\CGIKU\vocevoqp.ecv
%WINDIR%\COMMciCLR\RGCigpv\CGIKU\Rtqhkngu\vorqnkea.ehi
%WINDIR%\COMMciCLR\RGCigpv\CGIKU\vocevoqp.kph
%WINDIR%\COMMciCLR\RGCigpv\CGIKU\VODOENK.fnn
%WINDIR%\COMMciCLR\RGCigpv\CGIKU\vocevoqp.uau
%WINDIR%\COMMciCLR\RGCigpv\CGIKU\Rcvvgtpu\voynejm.rvp
%WINDIR%\COMMciCLR\RGCigpv\CGIKU\Rcvvgtpu\vonqien.rvp
%WINDIR%\COMMciCLR\RGCigpv\CGIKU\Rcvvgtpu\vonqehi.rvp
%WINDIR%\COMMciCLR\RGCigpv\CGIKU\Rcvvgtpu\vornekph.zon
%WINDIR%\COMMciCLR\RGCigpv\CGIKU\Rcvvgtpu\vovf.rvp
%WINDIR%\COMMciCLR\RGCigpv\CGIKU\Rcvvgtpu\vorqnkea.rvp
%WINDIR%\COMMciCLR\RGCigpv\nkdgca54.fnn
%WINDIR%\Temp\tma_dct_1476883211\tsc.ptn
%WINDIR%\Temp\tma_dct_tmp\tsc.ptn
%WINDIR%\Temp\tma_RCM_tmp\tmcomm.cat
%WINDIR%\Temp\tma_RCM_tmp\tmcomm.sys
%WINDIR%\Temp\tma_RCM_tmp\tmcomm.inf
%WINDIR%\Temp\tma_dce_1476883210\tsc.exe
%WINDIR%\COMMciCLR\RGCigpv\bnkd3.fnn
%WINDIR%\COMMciCLR\RGCigpv\zgtegu-e_5_3.fnn
%WINDIR%\PEAgent\PEAgentWatchLog.txt
%WINDIR%\Temp\tma_dce_tmp\tsc.exe
%WINDIR%\PEAgent\PEAgentMonitor.txt
%WINDIR%\Temp\tma_RCM_1476883212\tmcomm.cat
%WINDIR%\Temp\tma_TMVA.exe_1476883212\tmva\RMAgentOutput.dll
%WINDIR%\Temp\tma_TMVA.exe_1476883212\tmva\RMAgent.exe
%WINDIR%\Temp\tma_vap_tmp\tmvamain.ptn
%TEMP%\~DFBC38.tmp
%WINDIR%\Temp\tma_vap_1476883213\tmvamain.ptn
%WINDIR%\Temp\tma_TMVA.exe_1476883212\tmva\Psapi.Dll
%WINDIR%\Temp\tma_RCM_1476883212\tmcomm.sys
%WINDIR%\Temp\tma_RCM_1476883212\tmcomm.inf
%WINDIR%\Temp\tma_TMVA.exe_tmp\tmva\Psapi.Dll
%WINDIR%\Temp\tma_TMVA.exe_tmp\tmva\RMAgentOutput.dll
%WINDIR%\Temp\tma_TMVA.exe_tmp\tmva\RMAgent.exe
%WINDIR%\COMMciCLR\RGCigpv\ouxet02.fnn
%WINDIR%\COMMciCLR\RGCigpv\ouxer02.fnn
%WINDIR%\COMMciCLR\RGCigpv\RcuuyfRtqvgevkqp.gzg
%WINDIR%\COMMciCLR\RGCigpv\RGCigpvCnctoKpkv.gzg
%WINDIR%\COMMciCLR\RGCigpv\RGCigpv.gzg
%WINDIR%\COMMciCLR\RGCigpv\OUHY.fnn
%WINDIR%\COMMciCLR\RGCigpv\OgfgxceUwoocta.zun
%WINDIR%\COMMciCLR\RGCigpv\nkegpugu.fqe
%WINDIR%\COMMciCLR\RGCigpv\ohe02.fnn
%WINDIR%\COMMciCLR\RGCigpv\Oketquqhv.XE02.OHE.ocpkhguv
%WINDIR%\COMMciCLR\RGCigpv\Oketquqhv.XE02.ETV.ocpkhguv
%WINDIR%\COMMciCLR\RGCigpv\RGCigpvCnctoUhz.gzg
%WINDIR%\COMMciCLR\RGCigpv\vocigpv.rgo
%WINDIR%\COMMciCLR\RGCigpv\UwdokvUKEENK.gzg
%WINDIR%\COMMciCLR\RGCigpv\XNqiOqp.fnn
%WINDIR%\COMMciCLR\RGCigpv\XNqiOqp_QUEG.fnn
%WINDIR%\COMMciCLR\RGCigpv\XNqiOqp.kpk
%WINDIR%\COMMciCLR\RGCigpv\uungca54.fnn
%WINDIR%\COMMciCLR\RGCigpv\RGCigpvNcuvUgvvkpi.kpk
%WINDIR%\COMMciCLR\RGCigpv\RGCigpvCRK.fnn
%WINDIR%\COMMciCLR\RGCigpv\RGCigpvOqpkvqt.gzg
%WINDIR%\COMMciCLR\RGCigpv\RGCigpvYcvej.gzg
%WINDIR%\COMMciCLR\RGCigpv\RGCigpvTgeqxgta.gzg
<DRIVERS>\tmcomm.sys
%WINDIR%\PEAgent\PEAgentAlarmInit.exe
%WINDIR%\PEAgent\PasswdProtection.exe
%WINDIR%\PEAgent\PEAgentAlarmSfx.exe
%WINDIR%\PEAgent\PEAgent.exe
%WINDIR%\PEAgent\PEAgentAPI.dll
%WINDIR%\PEAgent\msvcr80.dll
%WINDIR%\PEAgent\MSFW.dll
%WINDIR%\PEAgent\mfc80.dll
%WINDIR%\PEAgent\Microsoft.VC80.CRT.manifest
%WINDIR%\PEAgent\msvcp80.dll
%WINDIR%\PEAgent\Microsoft.VC80.MFC.manifest
%WINDIR%\PEAgent\PEAgentMonitor.exe
%WINDIR%\PEAgent\cache\vap
%WINDIR%\PEAgent\cache\TMVA.exe
%WINDIR%\PEAgent\VLogMon_OSCE.dll
%WINDIR%\PEAgent\VLogMon.ini
%WINDIR%\PEAgent\VLogMon.dll
%WINDIR%\PEAgent\tmagent.pem
%WINDIR%\PEAgent\PEAgentWatch.exe
%WINDIR%\PEAgent\PEAgentRecovery.exe
%WINDIR%\PEAgent\cache\RCM
%WINDIR%\PEAgent\SubmitSICCLI.exe
%WINDIR%\PEAgent\ssleay32.dll
%APPDATA%\Microsoft\CryptnetUrlCache\Content\62B5AF9BE9ADC1085C3C56EC07A82BF6
%APPDATA%\Microsoft\CryptnetUrlCache\MetaData\62B5AF9BE9ADC1085C3C56EC07A82BF6
%WINDIR%\Installer\24212.ipi
%WINDIR%\Installer\MSI1.tmp
%TEMP%\~DF63A7.tmp
%APPDATA%\Microsoft\CryptnetUrlCache\Content\8DFDF057024880D7A081AFBF6D26B92F
%WINDIR%\Installer\24210.msi
%TEMP%\RarSFX0\PEAgent.msi
%APPDATA%\Microsoft\CryptnetUrlCache\MetaData\60E31627FDA0A46932B0E5948949F2A5
%APPDATA%\Microsoft\CryptnetUrlCache\MetaData\8DFDF057024880D7A081AFBF6D26B92F
%APPDATA%\Microsoft\CryptnetUrlCache\Content\60E31627FDA0A46932B0E5948949F2A5
%WINDIR%\Installer\MSI2.tmp
%WINDIR%\PEAgent\HCLogParser.dll
%WINDIR%\PEAgent\hc_help.dll
%WINDIR%\PEAgent\libeay32.dll
%WINDIR%\PEAgent\MedevacSummary.xsl
%WINDIR%\PEAgent\licenses.doc
%WINDIR%\PEAgent\cache\DCT
%WINDIR%\PEAgent\AEGIS.zip
C:\Config.Msi\24213.rbs
%WINDIR%\PEAgent\Balloon.dll
%WINDIR%\PEAgent\cache\DCE
%WINDIR%\PEAgent\ca.crt
%WINDIR%\PEAgent\xerces-c_3_1.dll
%WINDIR%\PEAgent\AEGIS\tmactmon.inf
%WINDIR%\PEAgent\AEGIS\tmactmon.cat
%WINDIR%\PEAgent\AEGIS\tmactmon.sys
%WINDIR%\PEAgent\AEGIS\TMBMSRV.exe
%WINDIR%\PEAgent\AEGIS\TMBMCLI.dll
%WINDIR%\PEAgent\AEGIS\Profiles\tmpolicy.cfg
%WINDIR%\PEAgent\AEGIS\Patterns\tmplcinf.xml
%WINDIR%\PEAgent\AEGIS\Patterns\tmlogcl.ptn
%WINDIR%\PEAgent\AEGIS\Patterns\tmpolicy.ptn
%WINDIR%\PEAgent\AEGIS\Patterns\tmwlchk.ptn
%WINDIR%\PEAgent\AEGIS\Patterns\tmtd.ptn
%WINDIR%\PEAgent\AEGIS\tmcomeng.dll
%WINDIR%\PEAgent\AEGIS\TMPEM.dll
%WINDIR%\PEAgent\AEGIS\tmevtmgr.sys
%WINDIR%\PEAgent\AEGIS\tmwlutil.dll
<DRIVERS>\tmevtmgr.sys
%WINDIR%\PEAgent\AEGIS_zipcheck
%WINDIR%\PEAgent\AEGIS\tmevtmgr.inf
%WINDIR%\PEAgent\AEGIS\tmcomm.inf
%WINDIR%\PEAgent\AEGIS\tmcomm.cat
%WINDIR%\PEAgent\AEGIS\tmcomm.sys
%WINDIR%\PEAgent\AEGIS\tmevtmgr.cat
%WINDIR%\PEAgent\AEGIS\TmEngDrv.dll
%WINDIR%\Temp\Microsoft.VC80.CRT.manifest
%WINDIR%\Temp\msvcp80.dll
%WINDIR%\Temp\xerces-c_3_1.dll
%WINDIR%\Temp\zlib1.dll
%WINDIR%\Temp\PEAgentAPI.dll
%WINDIR%\Temp\msvcr80.dll
%WINDIR%\Installer\24214.msi
%WINDIR%\PEAgent\zlib1.dll
%WINDIR%\Installer\{E5C2F177-7FF4-4C71-A8DC-2C58A898ACD5}\icon
%WINDIR%\PEAgent\PEAgentLog.txt
%WINDIR%\PEAgent\PEAgentLastSetting.ini
%WINDIR%\Temp\ssleay32.dll
%WINDIR%\PEAgent\AEGIS\Patterns\tmbmcfg.ptn
%WINDIR%\PEAgent\AEGIS\Patterns\tmaac.ptn
%WINDIR%\PEAgent\AEGIS\Patterns\tmgocfg.ptn
%WINDIR%\PEAgent\AEGIS\Patterns\tmlocfg.ptn
%WINDIR%\PEAgent\AEGIS\Patterns\tmgogcl.ptn
%WINDIR%\PEAgent\AEGIS\ieplug.dll
%WINDIR%\Temp\tmagent.pem
%WINDIR%\Temp\libeay32.dll
%WINDIR%\Temp\ca.crt
%WINDIR%\Temp\CipherUpdMS.exe
%WINDIR%\Temp\DllPrefetchTool.exe

Deletes the following files:

%WINDIR%\Temp\tma_TMVA.exe_1476883212\tmva\Psapi.Dll
%WINDIR%\Temp\tma_TMVA.exe_1476883212\tmva\RMAgent.exe
%WINDIR%\Temp\tma_TMVA.exe_tmp\tmva\RMAgentOutput.dll
%WINDIR%\Temp\tma_TMVA.exe_tmp\tmva\Psapi.Dll
%WINDIR%\Temp\tma_TMVA.exe_tmp\tmva\RMAgent.exe
%WINDIR%\Temp\tma_TMVA.exe_1476883212\tmva\RMAgentOutput.dll
%WINDIR%\Installer\24210.msi
%WINDIR%\Installer\24212.ipi
C:\Config.Msi\24213.rbs
%WINDIR%\Temp\tma_vap_tmp\tmvamain.ptn
%WINDIR%\Temp\tma_vap_1476883213\tmvamain.ptn
%WINDIR%\Temp\tma_RCM_1476883212\tmcomm.sys
%WINDIR%\Temp\tma_dce_1476883210\tsc.exe
%WINDIR%\Temp\tma_dct_tmp\tsc.ptn
%WINDIR%\Temp\tma_dce_tmp\tsc.exe
%WINDIR%\Installer\MSI1.tmp
%WINDIR%\Installer\MSI2.tmp
%WINDIR%\Temp\tma_dct_1476883211\tsc.ptn
%WINDIR%\Temp\tma_RCM_1476883212\tmcomm.cat
%WINDIR%\Temp\tma_RCM_1476883212\tmcomm.inf
%WINDIR%\Temp\tma_RCM_tmp\tmcomm.sys
%WINDIR%\Temp\tma_RCM_tmp\tmcomm.cat
%WINDIR%\Temp\tma_RCM_tmp\tmcomm.inf

Network activity:

Connects to:

'localhost':5091
'11#.#00.3.100':5088
'cs######0-crl.verisign.com':80
'wp#d':80
'crl.verisign.com':80

TCP:

HTTP GET requests:

http://crl.verisign.com/pca3-g5.crl
http://cs######0-crl.verisign.com/CSC3-2010.crl
http://11#.#11.111.1/wpad.dat via wp#d
http://crl.verisign.com/pca3.crl

UDP:

DNS ASK cs######0-crl.verisign.com
DNS ASK crl.verisign.com
DNS ASK wp#d

Miscellaneous:

Searches for the following windows:

ClassName: 'TMFileRcServer' WindowName: ''
ClassName: 'TMRegRcServer' WindowName: ''
ClassName: 'TMRegRcServer' WindowName: 'Ready'
ClassName: 'TMFileRcServer' WindowName: 'Ready'
ClassName: 'Shell_TrayWnd' WindowName: ''
ClassName: 'EDIT' WindowName: ''
ClassName: 'TM.AuditServerClass' WindowName: ''
ClassName: 'PEAgentRecoveryClass' WindowName: ''

Технологии

Термины

Обучение и просвещение

Мифы

Technical Information

Рекомендации по лечению

Демо бесплатно на 14 дней