Trojan.DownLoader33.37328

Technical Information

To ensure autorun and distribution

Modifies the following registry keys

[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'winupdate' = '%APPDATA%\<File name>.exe'

Modifies file system

Creates the following files

%TEMP%\_mei18282\pil\_imaging.cp36-win_amd64.pyd
%TEMP%\_mei25202\pyexpat.pyd
%TEMP%\_mei25202\mfc140u.dll
%TEMP%\_mei25202\client.exe.manifest
%TEMP%\_mei25202\_win32sysloader.pyd
%TEMP%\_mei25202\_ssl.pyd
%TEMP%\_mei25202\_sqlite3.pyd
%TEMP%\_mei25202\_socket.pyd
%TEMP%\_mei25202\_multiprocessing.pyd
%TEMP%\_mei25202\python36.dll
%TEMP%\_mei25202\_lzma.pyd
%TEMP%\_mei25202\_distutils_findvs.pyd
%TEMP%\_mei25202\_decimal.pyd
%TEMP%\_mei25202\_ctypes.pyd
%TEMP%\_mei25202\_cffi_backend.cp36-win_amd64.pyd
%TEMP%\_mei25202\_bz2.pyd
%TEMP%\_mei25202\vcruntime140.dll
%TEMP%\_mei25202\pil\_webp.cp36-win_amd64.pyd
%TEMP%\_mei25202\pil\_imagingtk.cp36-win_amd64.pyd
%TEMP%\_mei25202\_hashlib.pyd
%TEMP%\_mei25202\win32wnet.pyd
%TEMP%\tmpllsh3jma\gen_py\dicts.dat
%TEMP%\_mei25202\select.pyd
%TEMP%\tmpllsh3jma\gen_py\__init__.py
%TEMP%\d76e9lzc
%TEMP%\_mei25202\lib2to3\tests\data\readme
%TEMP%\_mei25202\lib2to3\patterngrammar3.6.7.final.0.pickle
%TEMP%\_mei25202\lib2to3\patterngrammar.txt
%TEMP%\_mei25202\lib2to3\grammar3.6.7.final.0.pickle
%TEMP%\_mei25202\lib2to3\grammar.txt
%TEMP%\_mei25202\base_library.zip
%TEMP%\_mei25202\pil\_imagingft.cp36-win_amd64.pyd
%TEMP%\_mei25202\include\pyconfig.h
%TEMP%\_mei25202\win32ui.pyd
%TEMP%\_mei25202\win32trace.pyd
%TEMP%\_mei25202\win32event.pyd
%TEMP%\_mei25202\win32crypt.pyd
%TEMP%\_mei25202\win32com\shell\shell.pyd
%TEMP%\_mei25202\win32api.pyd
%TEMP%\_mei25202\unicodedata.pyd
%TEMP%\_mei25202\sqlite3.dll
%TEMP%\_mei25202\pythoncom36.dll
%TEMP%\_mei25202\pywintypes36.dll
%TEMP%\_mei25202\pil\_imaging.cp36-win_amd64.pyd
%TEMP%\_mei18282\pythoncom36.dll
%TEMP%\_mei18282\mfc140u.dll
%TEMP%\_mei18282\client.exe.manifest
%TEMP%\_mei18282\_win32sysloader.pyd
%TEMP%\_mei18282\_ssl.pyd
%TEMP%\_mei18282\_sqlite3.pyd
%TEMP%\_mei18282\_socket.pyd
%TEMP%\_mei18282\_multiprocessing.pyd
%TEMP%\_mei18282\_lzma.pyd
%TEMP%\_mei18282\pyexpat.pyd
%TEMP%\_mei18282\_hashlib.pyd
%TEMP%\_mei18282\_decimal.pyd
%TEMP%\_mei18282\_ctypes.pyd
%TEMP%\_mei18282\_cffi_backend.cp36-win_amd64.pyd
%TEMP%\_mei18282\_bz2.pyd
%TEMP%\_mei18282\vcruntime140.dll
%TEMP%\_mei18282\pil\_webp.cp36-win_amd64.pyd
%TEMP%\_mei18282\pil\_imagingtk.cp36-win_amd64.pyd
%TEMP%\_mei18282\pil\_imagingft.cp36-win_amd64.pyd
%TEMP%\_mei18282\_distutils_findvs.pyd
%TEMP%\_mei18282\win32ui.pyd
%TEMP%\tmp6_iwh_g9\gen_py\__init__.py
%TEMP%\_mei18282\pywintypes36.dll
%TEMP%\1bsif7bf
%TEMP%\_mei18282\lib2to3\tests\data\readme
%TEMP%\_mei18282\lib2to3\patterngrammar3.6.7.final.0.pickle
%TEMP%\_mei18282\lib2to3\patterngrammar.txt
%TEMP%\_mei18282\lib2to3\grammar3.6.7.final.0.pickle
%TEMP%\_mei18282\lib2to3\grammar.txt
%TEMP%\_mei18282\base_library.zip
%TEMP%\_mei18282\include\pyconfig.h
%TEMP%\tmp6_iwh_g9\gen_py\dicts.dat
%TEMP%\_mei18282\win32wnet.pyd
%TEMP%\_mei18282\win32trace.pyd
%TEMP%\_mei18282\win32event.pyd
%TEMP%\_mei18282\win32crypt.pyd
%TEMP%\_mei18282\win32com\shell\shell.pyd
%TEMP%\_mei18282\win32api.pyd
%TEMP%\_mei18282\unicodedata.pyd
%TEMP%\_mei18282\sqlite3.dll
%TEMP%\_mei18282\select.pyd
%TEMP%\_mei18282\python36.dll
%APPDATA%\<File name>.exe

Deletes the following files

%TEMP%\1bsif7bf
%TEMP%\_mei18282\win32com\shell\shell.pyd
%TEMP%\_mei18282\win32crypt.pyd
%TEMP%\_mei18282\win32event.pyd
%TEMP%\_mei18282\win32trace.pyd
%TEMP%\_mei18282\win32ui.pyd
%TEMP%\_mei18282\win32wnet.pyd
%TEMP%\_mei18282\_bz2.pyd
%TEMP%\_mei18282\vcruntime140.dll
%TEMP%\_mei18282\win32api.pyd
%TEMP%\_mei18282\_cffi_backend.cp36-win_amd64.pyd
%TEMP%\_mei18282\_distutils_findvs.pyd
%TEMP%\_mei18282\_hashlib.pyd
%TEMP%\_mei18282\_lzma.pyd
%TEMP%\_mei18282\_multiprocessing.pyd
%TEMP%\_mei18282\_socket.pyd
%TEMP%\_mei18282\_sqlite3.pyd
%TEMP%\_mei18282\_ssl.pyd
%TEMP%\_mei18282\_ctypes.pyd
%TEMP%\_mei18282\_decimal.pyd
%TEMP%\_mei18282\unicodedata.pyd
%TEMP%\_mei18282\sqlite3.dll
%TEMP%\_mei18282\select.pyd
%TEMP%\tmp6_iwh_g9\gen_py\__init__.py
%TEMP%\_mei18282\base_library.zip
%TEMP%\_mei18282\client.exe.manifest
%TEMP%\_mei18282\include\pyconfig.h
%TEMP%\_mei18282\lib2to3\grammar.txt
%TEMP%\_mei18282\lib2to3\grammar3.6.7.final.0.pickle
%TEMP%\_mei18282\lib2to3\patterngrammar.txt
%TEMP%\_mei18282\lib2to3\patterngrammar3.6.7.final.0.pickle
%TEMP%\tmp6_iwh_g9\gen_py\dicts.dat
%TEMP%\_mei18282\lib2to3\tests\data\readme
%TEMP%\_mei18282\pil\_imaging.cp36-win_amd64.pyd
%TEMP%\_mei18282\pil\_imagingft.cp36-win_amd64.pyd
%TEMP%\_mei18282\pil\_imagingtk.cp36-win_amd64.pyd
%TEMP%\_mei18282\pil\_webp.cp36-win_amd64.pyd
%TEMP%\_mei18282\pyexpat.pyd
%TEMP%\_mei18282\python36.dll
%TEMP%\_mei18282\pythoncom36.dll
%TEMP%\_mei18282\pywintypes36.dll
%TEMP%\_mei18282\mfc140u.dll
%TEMP%\_mei18282\_win32sysloader.pyd
%TEMP%\d76e9lzc

Moves itself

from <Full path to file> to %TEMP%\winupdate\<File name>.exe

Network activity

Connects to

'<LOCALNET>.1.140':4444

Miscellaneous

Creates and executes the following

'<SYSTEM32>\cmd.exe' /c "timeout 2 & move /y <Full path to file> %TEMP%\winupdate\<File name>.exe & cd /d %TEMP%\winupdate\ & %TEMP%\winupdate\<File name>.exe"' (with hidden window)

Executes the following

'<SYSTEM32>\cmd.exe' /c "timeout 2 & move /y <Full path to file> %TEMP%\winupdate\<File name>.exe & cd /d %TEMP%\winupdate\ & %TEMP%\winupdate\<File name>.exe"
'<SYSTEM32>\timeout.exe' 2

テクノロジー

用語

トレーニングコースおよび啓蒙プロジェクト

アンチウイルスに関する誤解と噂

Technical Information

Curing recommendations

Free trial