Trojan.DownLoader9.33714

Technical Information

Malicious functions:

Executes the following:

'<SYSTEM32>\ping.exe' -a -n 1 -l 1 -w 3000 10.0.0.37
'<SYSTEM32>\ping.exe' -a -n 1 -l 1 -w 3000 10.0.0.36
'<SYSTEM32>\ping.exe' -a -n 1 -l 1 -w 3000 10.0.0.35
'<SYSTEM32>\ping.exe' /c net view \\10.0.0.40
'<SYSTEM32>\ping.exe' /pid=3192
'<SYSTEM32>\ping.exe' -a -n 1 -l 1 -w 3000 10.0.0.38
'<SYSTEM32>\ping.exe' -a -n 1 -l 1 -w 3000 10.0.0.34
'<SYSTEM32>\ping.exe' -a -n 1 -l 1 -w 3000 10.0.0.31
'<SYSTEM32>\ping.exe' /pid=3024
'<SYSTEM32>\ping.exe' -a -n 1 -l 1 -w 3000 10.0.0.30
'<SYSTEM32>\ping.exe' -a -n 1 -l 1 -w 3000 10.0.0.33
'<SYSTEM32>\ping.exe' -a -n 1 -l 1 -w 3000 10.0.0.32
'<SYSTEM32>\ping.exe' /c net view \\10.0.0.31
'<SYSTEM32>\ping.exe' -a -n 1 -l 1 -w 3000 10.0.0.48
'<SYSTEM32>\ping.exe' /c ping -a -n 1 -l 1 -w 3000 10.0.0.46
'<SYSTEM32>\ping.exe' view \\10.0.0.45
'<SYSTEM32>\ping.exe' -a -n 1 -l 1 -w 3000 10.0.0.51
'<SYSTEM32>\ping.exe' -a -n 1 -l 1 -w 3000 10.0.0.50
'<SYSTEM32>\ping.exe' -a -n 1 -l 1 -w 3000 10.0.0.49
'<SYSTEM32>\ping.exe' /c net view \\10.0.0.45
'<SYSTEM32>\ping.exe' /pid=3792
'<SYSTEM32>\ping.exe' -a -n 1 -l 1 -w 3000 10.0.0.41
'<SYSTEM32>\ping.exe' view \\10.0.0.40
'<SYSTEM32>\ping.exe' -a -n 1 -l 1 -w 3000 10.0.0.45
'<SYSTEM32>\ping.exe' -a -n 1 -l 1 -w 3000 10.0.0.44
'<SYSTEM32>\ping.exe' /c ping -a -n 1 -l 1 -w 3000 10.0.0.42
'<SYSTEM32>\ping.exe' /pid=2656
'<SYSTEM32>\ping.exe' -a -n 1 -l 1 -w 3000 10.0.0.10
'<SYSTEM32>\ping.exe' -a -n 1 -l 1 -w 3000 10.0.0.9
'<SYSTEM32>\ping.exe' -a -n 1 -l 1 -w 3000 10.0.0.8
'<SYSTEM32>\ping.exe' -a -n 1 -l 1 -w 3000 10.0.0.13
'<SYSTEM32>\ping.exe' -a -n 1 -l 1 -w 3000 10.0.0.12
'<SYSTEM32>\ping.exe' -a -n 1 -l 1 -w 3000 10.0.0.11
'<SYSTEM32>\ping.exe' -a -n 1 -l 1 -w 3000 10.0.0.7
'<SYSTEM32>\ping.exe' -a -n 1 -l 1 -w 3000 10.0.0.3
'<SYSTEM32>\ping.exe' -a -n 1 -l 1 -w 3000 10.0.0.2
'<SYSTEM32>\ping.exe' -a -n 1 -l 1 -w 3000 10.0.0.1
'<SYSTEM32>\ping.exe' -a -n 1 -l 1 -w 3000 10.0.0.6
'<SYSTEM32>\ping.exe' -a -n 1 -l 1 -w 3000 10.0.0.5
'<SYSTEM32>\ping.exe' -a -n 1 -l 1 -w 3000 10.0.0.4
'<SYSTEM32>\ping.exe' -a -n 1 -l 1 -w 3000 10.0.0.26
'<SYSTEM32>\ping.exe' -a -n 1 -l 1 -w 3000 10.0.0.25
'<SYSTEM32>\ping.exe' -a -n 1 -l 1 -w 3000 10.0.0.23
'<SYSTEM32>\ping.exe' -a -n 1 -l 1 -w 3000 10.0.0.29
'<SYSTEM32>\ping.exe' -a -n 1 -l 1 -w 3000 10.0.0.28
'<SYSTEM32>\ping.exe' /c net view \\10.0.0.26
'<SYSTEM32>\ping.exe' /c net view \\10.0.0.22
'<SYSTEM32>\ping.exe' -a -n 1 -l 1 -w 3000 10.0.0.16
'<SYSTEM32>\ping.exe' -a -n 1 -l 1 -w 3000 10.0.0.15
'<SYSTEM32>\ping.exe' -a -n 1 -l 1 -w 3000 10.0.0.14
'<SYSTEM32>\ping.exe' -a -n 1 -l 1 -w 3000 10.0.0.20
'<SYSTEM32>\ping.exe' /pid=3108
'<SYSTEM32>\ping.exe' -a -n 1 -l 1 -w 3000 10.0.0.19

Injects code into

the following system processes:

<SYSTEM32>\net.exe
<SYSTEM32>\ping.exe
<SYSTEM32>\cmd.exe

Modifies file system :

Creates the following files:

%HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\U98D4X8H\whatismyip[1].8949766436
\Device\LanmanRedirector\10.0.0.2\PIPE\srvsvc
%TEMP%\~ip.tmp
<Current directory>\CRNJEUFU - %USERNAME% [20130612-170856] [<Virus name>.exe].ini
%HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\checkip.dyndns[1].5526291698

Deletes the following files:

%TEMP%\~ip.tmp

Network activity:

Connects to:

'<Private IP address>':445
'<Private IP address>':139
'ch####p.dyndns.org':80
'www.wh###smyip.com':80

TCP:

HTTP GET requests:

www.wh###smyip.com/?rn########################################
ch####p.dyndns.org/?rn#########################################

UDP:

DNS ASK 35.#.#.10.in-addr.arpa
DNS ASK 34.#.#.10.in-addr.arpa
DNS ASK 33.#.#.10.in-addr.arpa
DNS ASK 38.#.#.10.in-addr.arpa
DNS ASK 37.#.#.10.in-addr.arpa
DNS ASK 36.#.#.10.in-addr.arpa
DNS ASK 32.#.#.10.in-addr.arpa
DNS ASK 28.#.#.10.in-addr.arpa
DNS ASK 27.#.#.10.in-addr.arpa
DNS ASK 26.#.#.10.in-addr.arpa
DNS ASK 31.#.#.10.in-addr.arpa
DNS ASK 30.#.#.10.in-addr.arpa
DNS ASK 29.#.#.10.in-addr.arpa
DNS ASK 48.#.#.10.in-addr.arpa
DNS ASK 47.#.#.10.in-addr.arpa
DNS ASK 46.#.#.10.in-addr.arpa
DNS ASK 51.#.#.10.in-addr.arpa
DNS ASK 50.#.#.10.in-addr.arpa
DNS ASK 49.#.#.10.in-addr.arpa
DNS ASK 45.#.#.10.in-addr.arpa
DNS ASK 41.#.#.10.in-addr.arpa
DNS ASK 40.#.#.10.in-addr.arpa
DNS ASK 39.#.#.10.in-addr.arpa
DNS ASK 44.#.#.10.in-addr.arpa
DNS ASK 43.#.#.10.in-addr.arpa
DNS ASK 42.#.#.10.in-addr.arpa
DNS ASK 9.#.#.#0.in-addr.arpa
DNS ASK 8.#.#.#0.in-addr.arpa
DNS ASK 7.#.#.#0.in-addr.arpa
DNS ASK 12.#.#.10.in-addr.arpa
DNS ASK 11.#.#.10.in-addr.arpa
DNS ASK 10.#.#.10.in-addr.arpa
DNS ASK 6.#.#.#0.in-addr.arpa
DNS ASK 1.#.#.#0.in-addr.arpa
DNS ASK www.wh###smyip.com
DNS ASK ch####p.dyndns.org
DNS ASK 5.#.#.#0.in-addr.arpa
DNS ASK 4.#.#.#0.in-addr.arpa
DNS ASK 3.#.#.#0.in-addr.arpa
DNS ASK 22.#.#.10.in-addr.arpa
DNS ASK 21.#.#.10.in-addr.arpa
DNS ASK 20.#.#.10.in-addr.arpa
DNS ASK 25.#.#.10.in-addr.arpa
DNS ASK 24.#.#.10.in-addr.arpa
DNS ASK 23.#.#.10.in-addr.arpa
DNS ASK 19.#.#.10.in-addr.arpa
DNS ASK 15.#.#.10.in-addr.arpa
DNS ASK 14.#.#.10.in-addr.arpa
DNS ASK 13.#.#.10.in-addr.arpa
DNS ASK 18.#.#.10.in-addr.arpa
DNS ASK 17.#.#.10.in-addr.arpa
DNS ASK 16.#.#.10.in-addr.arpa

Tecnologie

Termini

Formazione ed informazione

Falsi miti

Technical Information

Curing recommendations

Free trial