Trojan.DownLoader17.40326

Technical Information

To ensure autorun and distribution:

Modifies the following registry keys:

[<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'Profile HomeGroup Workstation Volume' = '<SYSTEM32>\hiybfroucc.exe'

Creates the following services:

[<HKLM>\SYSTEM\ControlSet001\Services\Plug Player Controls Discovery Microsoft Detection] 'Start' = '00000002'

Malicious functions:

To complicate detection of its presence in the operating system,

blocks the following features:

Windows Security Center

Creates and executes the following:

'<SYSTEM32>\takkmzpfuq.exe' "<SYSTEM32>\hiybfroucc.exe"
'%WINDIR%\Temp\vjqpxemz2wm2qhbts.exe' -r 32510 tcp
'%TEMP%\vjqpxemz2sqqqhbtssth4psdj.exe'
'<SYSTEM32>\hiybfroucc.exe'

Modifies file system :

Creates the following files:

<SYSTEM32>\kzkbjqkc\run
<SYSTEM32>\kzkbjqkc\rng
%WINDIR%\Temp\vjqpxemz2wm2qhbts.exe
<SYSTEM32>\kzkbjqkc\cfg
<SYSTEM32>\takkmzpfuq.exe
%TEMP%\vjqpxemz2sqqqhbtssth4psdj.exe
<SYSTEM32>\kzkbjqkc\tst
<SYSTEM32>\hiybfroucc.exe
<SYSTEM32>\kzkbjqkc\etc

Sets the 'hidden' attribute to the following files:

<SYSTEM32>\takkmzpfuq.exe
<SYSTEM32>\hiybfroucc.exe

Deletes the following files:

%WINDIR%\Temp\vjqpxemz2wm2qhbts.exe
<DRIVERS>\etc\hosts
%TEMP%\vjqpxemz2sqqqhbtssth4psdj.exe

Substitutes the HOSTS file.

Network activity:

Connects to:

'wa###june.net':80
'fa###une.net':80
'fa###ild.net':80
'vi###kind.net':80
'wa###wild.net':80
'fa###ind.net':80
'dr###wild.net':80
'wa###kind.net':80
'wa###began.net':80
'fa###egan.net':80
'sp###kind.net':80
'gr###kind.net':80
'sp###wild.net':80
'eq###kind.net':80
'eq###began.net':80
'gr###began.net':80
'sp###began.net':80
'vi###began.net':80
'vi###june.net':80
'vi###wild.net':80
'sp###june.net':80
'so###open.net':80
'up###oat.net':80
'ar###open.net':80
'ar###rest.net':80
'so###rest.net':80
'up###est.net':80
'wh###rest.net':80
'wh###press.net':80
'wh###boat.net':80
'up###ress.net':80
'so###press.net':80
'dr###began.net':80
'th###egan.net':80
'th###une.net':80
'th###ild.net':80
'dr###june.net':80
'so###boat.net':80
'ar###press.net':80
'ar###boat.net':80
'dr###kind.net':80
'th###ind.net':80
'up###ild.net':80
'wh###wild.net':80
'so###kind.net':80
'so###began.net':80
'ar###kind.net':80
'wh###began.net':80
'up###ind.net':80
'up###egan.net':80
'up###une.net':80
'wh###june.net':80
'be##lxc.com':80
'mi###hown.net':80
'ab###ell.net':80
'mo###ugust.net':80
'cr#####onaraminta.net':80
'le###form.net':80
'al###being.net':80
'ri###nstorm.net':80
'ca####nbring.net':80
'mo###olor.net':80
'pr####tbottom.net':80
'ta###began.net':80
'gl###ind.net':80
'gl###egan.net':80
'gl###une.net':80
'ta###june.net':80
'eq###june.net':80
'gr###june.net':80
'gr###wild.net':80
'ta###kind.net':80
'eq###wild.net':80
'ta###wild.net':80
'sp###une.net':80
'sa###une.net':80
'sa###ild.net':80
'wh###kind.net':80
'sp###ild.net':80
'sa###ind.net':80
'gl###ild.net':80
'sp###ind.net':80
'sp###egan.net':80
'sa###egan.net':80

TCP:

HTTP GET requests:

http://wa###june.net/index.php
http://fa###une.net/index.php
http://fa###ild.net/index.php
http://vi###kind.net/index.php
http://wa###wild.net/index.php
http://fa###ind.net/index.php
http://dr###wild.net/index.php
http://wa###kind.net/index.php
http://wa###began.net/index.php
http://fa###egan.net/index.php
http://sp###kind.net/index.php
http://gr###kind.net/index.php
http://sp###wild.net/index.php
http://eq###kind.net/index.php
http://eq###began.net/index.php
http://gr###began.net/index.php
http://sp###began.net/index.php
http://vi###began.net/index.php
http://vi###june.net/index.php
http://vi###wild.net/index.php
http://sp###june.net/index.php
http://so###open.net/index.php
http://up###oat.net/index.php
http://ar###open.net/index.php
http://ar###rest.net/index.php
http://so###rest.net/index.php
http://up###est.net/index.php
http://wh###rest.net/index.php
http://wh###press.net/index.php
http://wh###boat.net/index.php
http://up###ress.net/index.php
http://so###press.net/index.php
http://dr###began.net/index.php
http://th###egan.net/index.php
http://th###une.net/index.php
http://th###ild.net/index.php
http://dr###june.net/index.php
http://so###boat.net/index.php
http://ar###press.net/index.php
http://ar###boat.net/index.php
http://dr###kind.net/index.php
http://th###ind.net/index.php
http://up###ild.net/index.php
http://wh###wild.net/index.php
http://so###kind.net/index.php
http://so###began.net/index.php
http://ar###kind.net/index.php
http://wh###began.net/index.php
http://up###ind.net/index.php
http://up###egan.net/index.php
http://up###une.net/index.php
http://wh###june.net/index.php
http://be##lxc.com/index.php
http://mi###hown.net/index.php
http://ab###ell.net/index.php
http://mo###ugust.net/index.php
http://cr#####onaraminta.net/index.php
http://le###form.net/index.php
http://al###being.net/index.php
http://ri###nstorm.net/index.php
http://ca####nbring.net/index.php
http://mo###olor.net/index.php
http://pr####tbottom.net/index.php
http://ta###began.net/index.php
http://gl###ind.net/index.php
http://gl###egan.net/index.php
http://gl###une.net/index.php
http://ta###june.net/index.php
http://eq###june.net/index.php
http://gr###june.net/index.php
http://gr###wild.net/index.php
http://ta###kind.net/index.php
http://eq###wild.net/index.php
http://ta###wild.net/index.php
http://sp###une.net/index.php
http://sa###une.net/index.php
http://sa###ild.net/index.php
http://wh###kind.net/index.php
http://sp###ild.net/index.php
http://sa###ind.net/index.php
http://gl###ild.net/index.php
http://sp###ind.net/index.php
http://sp###egan.net/index.php
http://sa###egan.net/index.php

UDP:

DNS ASK wa###june.net
DNS ASK fa###une.net
DNS ASK fa###ild.net
DNS ASK vi###kind.net
DNS ASK wa###wild.net
DNS ASK fa###ind.net
DNS ASK dr###wild.net
DNS ASK wa###kind.net
DNS ASK wa###began.net
DNS ASK fa###egan.net
DNS ASK sp###kind.net
DNS ASK gr###kind.net
DNS ASK sp###wild.net
DNS ASK eq###kind.net
DNS ASK eq###began.net
DNS ASK gr###began.net
DNS ASK sp###began.net
DNS ASK vi###began.net
DNS ASK vi###june.net
DNS ASK vi###wild.net
DNS ASK sp###june.net
DNS ASK th###ild.net
DNS ASK up###oat.net
DNS ASK wh###boat.net
DNS ASK so###open.net
DNS ASK so###rest.net
DNS ASK ar###open.net
DNS ASK wh###rest.net
DNS ASK up###pen.net
DNS ASK up###est.net
DNS ASK up###ress.net
DNS ASK wh###press.net
DNS ASK ar###rest.net
DNS ASK th###egan.net
DNS ASK dr###kind.net
DNS ASK dr###began.net
DNS ASK dr###june.net
DNS ASK th###une.net
DNS ASK ar###press.net
DNS ASK so###press.net
DNS ASK so###boat.net
DNS ASK th###ind.net
DNS ASK ar###boat.net
DNS ASK up###ild.net
DNS ASK wh###wild.net
DNS ASK so###kind.net
DNS ASK so###began.net
DNS ASK ar###kind.net
DNS ASK wh###began.net
DNS ASK up###ind.net
DNS ASK up###egan.net
DNS ASK up###une.net
DNS ASK wh###june.net
DNS ASK be##lxc.com
DNS ASK mi###hown.net
DNS ASK ab###ell.net
DNS ASK mo###ugust.net
DNS ASK cr#####onaraminta.net
DNS ASK le###form.net
DNS ASK al###being.net
DNS ASK ri###nstorm.net
DNS ASK ca####nbring.net
DNS ASK mo###olor.net
DNS ASK pr####tbottom.net
DNS ASK ta###began.net
DNS ASK gl###ind.net
DNS ASK gl###egan.net
DNS ASK gl###une.net
DNS ASK ta###june.net
DNS ASK eq###june.net
DNS ASK gr###june.net
DNS ASK gr###wild.net
DNS ASK ta###kind.net
DNS ASK eq###wild.net
DNS ASK ta###wild.net
DNS ASK sp###une.net
DNS ASK sa###une.net
DNS ASK sa###ild.net
DNS ASK wh###kind.net
DNS ASK sp###ild.net
DNS ASK sa###ind.net
DNS ASK gl###ild.net
DNS ASK sp###ind.net
DNS ASK sp###egan.net
DNS ASK sa###egan.net
'23#.#55.255.250':1900

Tecnologie

Termini

Formazione ed informazione

Falsi miti

Technical Information

Curing recommendations

Free trial