Trojan.BtcMine.697

Technical Information

To ensure autorun and distribution

Modifies the following registry keys

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run] 'CNminer' = '%APPDATA%\Images\CNminer.exe'

Modifies file system

Creates the following files

%TEMP%\nsubba1.tmp
%APPDATA%\images\images.exe
%TEMP%\nsud7a9.tmp
%APPDATA%\images\nscpucnminer32.exe
%APPDATA%\images\nscpucnminer64.exe
%APPDATA%\images\pools.txt
%APPDATA%\images\cnminer.exe
%TEMP%\nsaf0c6.tmp\inetc.dll
%TEMP%\nsaf0c6.tmp\nsrandom.dll
%TEMP%\nsaf0c6.tmp\nsexec.dll
%TEMP%\nsaf0c6.tmp\system.dll

Network activity

UDP

DNS ASK tr###tests.ru

Miscellaneous

Creates and executes the following

'%APPDATA%\images\images.exe' SW_HIDE

Executes the following

'%WINDIR%\syswow64\cmd.exe' /c ping -n 1 -w 900 19#.#68.20.12
'%WINDIR%\syswow64\ping.exe' -n 1 -w 900 19#.#69.243.111
'%WINDIR%\syswow64\cmd.exe' /c ping -n 1 -w 900 15#.#15.248.47
'%WINDIR%\syswow64\ping.exe' -n 1 -w 900 15#.#15.248.47
'%WINDIR%\syswow64\cmd.exe' /c ping -n 1 -w 900 24#.#7.4.193
'%WINDIR%\syswow64\ping.exe' -n 1 -w 900 24#.#7.4.193
'%WINDIR%\syswow64\cmd.exe' /c ping -n 1 -w 900 4.##3.14.55
'%WINDIR%\syswow64\ping.exe' -n 1 -w 900 4.##3.14.55
'%WINDIR%\syswow64\cmd.exe' /c ping -n 1 -w 900 17#.#7.90.36
'%WINDIR%\syswow64\cmd.exe' /c ping -n 1 -w 900 17#.#6.50.226
'%WINDIR%\syswow64\ping.exe' -n 1 -w 900 17#.#6.50.226
'%WINDIR%\syswow64\cmd.exe' /c ping -n 1 -w 900 17#.#7.232.122
'%WINDIR%\syswow64\cmd.exe' /c ping -n 1 -w 900 19#.#69.243.111
'%WINDIR%\syswow64\ping.exe' -n 1 -w 900 17#.#7.90.36
'%WINDIR%\syswow64\ping.exe' -n 1 -w 900 19#.#68.145.3
'%WINDIR%\syswow64\cmd.exe' /c ping -n 1 -w 900 17#.#7.38.231
'%WINDIR%\syswow64\ping.exe' -n 1 -w 900 19#.#68.193.188
'%WINDIR%\syswow64\cmd.exe' /c ping -n 1 -w 900 19#.#68.193.188
'%WINDIR%\syswow64\cmd.exe' /c ping -n 1 -w 900 14#.#34.78.138
'%WINDIR%\syswow64\ping.exe' -n 1 -w 900 14#.#34.78.138
'%WINDIR%\syswow64\cmd.exe' /c ping -n 1 -w 900 10#.#96.141.234
'%WINDIR%\syswow64\ping.exe' -n 1 -w 900 38.##1.107.196
'%WINDIR%\syswow64\cmd.exe' /c ping -n 1 -w 900 38.##1.107.196
'%WINDIR%\syswow64\ping.exe' -n 1 -w 900 17#.#7.38.231
'%WINDIR%\syswow64\ping.exe' -n 1 -w 900 10#.#96.141.234
'%WINDIR%\syswow64\cmd.exe' /c ping -n 1 -w 900 19#.#68.145.3
'%WINDIR%\syswow64\ping.exe' -n 1 -w 900 19#.#68.180.81
'%WINDIR%\syswow64\ping.exe' -n 1 -w 900 17#.#7.232.122
'%WINDIR%\syswow64\cmd.exe' /c ping -n 1 -w 900 17#.#7.104.106
'%WINDIR%\syswow64\cmd.exe' /c ping -n 1 -w 900 19#.#69.220.215
'%WINDIR%\syswow64\cmd.exe' /c net use J: \\19#.#69.220.215\C$
'%WINDIR%\syswow64\ping.exe' -n 1 -w 900 19#.#68.156.115
'%WINDIR%\syswow64\cmd.exe' /c ping -n 1 -w 900 19#.#68.156.115
'%WINDIR%\syswow64\net.exe' use J: \\19#.#69.220.215\C$
'%WINDIR%\syswow64\cmd.exe' /c ping -n 1 -w 900 19#.#68.159.190
'%WINDIR%\syswow64\ping.exe' -n 1 -w 900 17#.#7.104.106
'%WINDIR%\syswow64\cmd.exe' /c ping -n 1 -w 900 17#.#7.215.4
'%WINDIR%\syswow64\ping.exe' -n 1 -w 900 19#.#68.3.73
'%WINDIR%\syswow64\ping.exe' -n 1 -w 900 19#.#69.26.179
'%WINDIR%\syswow64\cmd.exe' /c ping -n 1 -w 900 19#.#68.137.69
'%WINDIR%\syswow64\ping.exe' -n 1 -w 900 19#.#69.220.215
'%WINDIR%\syswow64\cmd.exe' /c ping -n 1 -w 900 19#.#69.26.179
'%WINDIR%\syswow64\ping.exe' -n 1 -w 900 17#.#7.116.28
'%WINDIR%\syswow64\ping.exe' -n 1 -w 900 19#.#68.20.12
'%WINDIR%\syswow64\ping.exe' -n 1 -w 900 19#.#68.137.69
'%WINDIR%\syswow64\ping.exe' -n 1 -w 900 19#.#68.159.190
'%WINDIR%\syswow64\cmd.exe' /c ping -n 1 -w 900 17#.#7.116.28
'%WINDIR%\syswow64\cmd.exe' /c ping -n 1 -w 900 19#.#68.3.73
'%WINDIR%\syswow64\cmd.exe' /c ping -n 1 -w 900 17#.#6.189.163
'%WINDIR%\syswow64\cmd.exe' /c ping -n 1 -w 900 19#.#69.43.209
'%WINDIR%\syswow64\ping.exe' -n 1 -w 900 17#.#7.215.4
'%WINDIR%\syswow64\ping.exe' -n 1 -w 900 17#.#6.189.163
'%WINDIR%\syswow64\cmd.exe' /c ping -n 1 -w 900 19#.#68.180.81
'%WINDIR%\syswow64\ping.exe' -n 1 -w 900 19#.#69.43.209
'%WINDIR%\syswow64\cmd.exe' /c ping -n 1 -w 900 17#.#6.189.163' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /c ping -n 1 -w 900 19#.#68.3.73' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /c ping -n 1 -w 900 19#.#68.193.188' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /c ping -n 1 -w 900 19#.#69.243.111' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /c ping -n 1 -w 900 19#.#68.145.3' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /c ping -n 1 -w 900 10#.#96.141.234' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /c ping -n 1 -w 900 19#.#69.220.215' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /c ping -n 1 -w 900 19#.#68.20.12' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /c ping -n 1 -w 900 17#.#7.215.4' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /c ping -n 1 -w 900 19#.#69.26.179' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /c ping -n 1 -w 900 19#.#68.180.81' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /c ping -n 1 -w 900 17#.#7.104.106' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /c ping -n 1 -w 900 17#.#7.90.36' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /c ping -n 1 -w 900 17#.#7.38.231' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /c ping -n 1 -w 900 19#.#69.43.209' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /c ping -n 1 -w 900 17#.#7.232.122' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /c ping -n 1 -w 900 15#.#15.248.47' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /c ping -n 1 -w 900 17#.#7.116.28' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /c net use J: \\19#.#69.220.215\C$' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /c ping -n 1 -w 900 19#.#68.156.115' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /c ping -n 1 -w 900 4.##3.14.55' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /c ping -n 1 -w 900 19#.#68.159.190' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /c ping -n 1 -w 900 17#.#6.50.226' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /c ping -n 1 -w 900 19#.#68.137.69' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /c ping -n 1 -w 900 38.##1.107.196' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /c ping -n 1 -w 900 14#.#34.78.138' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /c ping -n 1 -w 900 24#.#7.4.193' (with hidden window)

テクノロジー

用語

トレーニングコースおよび啓蒙プロジェクト

アンチウイルスに関する誤解と噂

Technical Information

Curing recommendations

Free trial