Trojan.DownLoader19.10493

Technical Information

To ensure autorun and distribution:

Modifies the following registry keys:

[<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'Link-Layer Windows Drive Function' = '<SYSTEM32>\fvqasqbwjbu.exe'

Creates the following services:

[<HKLM>\SYSTEM\ControlSet001\Services\Peer Fax Level Update Collector Controls] 'ImagePath' = '<SYSTEM32>\fvqasqbwjbu.exe'
[<HKLM>\SYSTEM\ControlSet001\Services\Peer Fax Level Update Collector Controls] 'Start' = '00000002'

Malicious functions:

To complicate detection of its presence in the operating system,

blocks the following features:

Windows Security Center

Creates and executes the following:

'<SYSTEM32>\phzjqsob.exe' "<SYSTEM32>\fvqasqbwjbu.exe"
'%WINDIR%\Temp\k26jhq2uaaqsyy.exe' -r 38568 tcp
'%TEMP%\k26jhq2p9aqsyyauwogmoc.exe'
'<SYSTEM32>\fvqasqbwjbu.exe'

Modifies file system:

Creates the following files:

<SYSTEM32>\inbvgtluzsjhs\run
<SYSTEM32>\inbvgtluzsjhs\rng
%WINDIR%\Temp\k26jhq2uaaqsyy.exe
<SYSTEM32>\inbvgtluzsjhs\cfg
<SYSTEM32>\phzjqsob.exe
%TEMP%\k26jhq2p9aqsyyauwogmoc.exe
<SYSTEM32>\inbvgtluzsjhs\tst
<SYSTEM32>\fvqasqbwjbu.exe
<SYSTEM32>\inbvgtluzsjhs\etc

Sets the 'hidden' attribute to the following files:

<SYSTEM32>\phzjqsob.exe
<SYSTEM32>\fvqasqbwjbu.exe

Deletes the following files:

%WINDIR%\Temp\k26jhq2uaaqsyy.exe
<DRIVERS>\etc\hosts
%TEMP%\k26jhq2p9aqsyyauwogmoc.exe

Substitutes the HOSTS file.

Network activity:

Connects to:

'th####hirteen.net':80
'li###eft.net':80
'th###left.net':80
'li####irteen.net':80
'fe###ope.net':80
'li###urry.net':80
'th###hurry.net':80
'li###ope.net':80
'so####hirteen.net':80
'fi###left.net':80
'so###left.net':80
'fi####hirteen.net':80
'th###hope.net':80
'fi###hurry.net':80
'so###hurry.net':80
'le###eft.net':80
'ta###left.net':80
'le###ope.net':80
'ta####hirteen.net':80
'le###urry.net':80
'ta###hurry.net':80
'le####irteen.net':80
'ta###hope.net':80
'we###eft.net':80
'fe###eft.net':80
'we###ope.net':80
'fe####irteen.net':80
'we###urry.net':80
'fe###urry.net':80
'we####irteen.net':80
'no###our.net':80
'li###ompe.net':80
'no###ompe.net':80
'li###our.net':80
'no###ount.net':80
'li###ell.net':80
'no###ell.net':80
'ca###ount.net':80
'be##lxc.com':80
'af###sllc.com':80
'ri###nstorm.net':80
'de###lxc.com':80
'po###count.net':80
'ca###ell.net':80
'po###fell.net':80
'fa###fell.net':80
'ri###ell.net':80
'fa###hour.net':80
'ri###ount.net':80
'fi###hope.net':80
'so###hope.net':80
'fa###count.net':80
'ri###our.net':80
'we###our.net':80
'we###ompe.net':80
'li###ount.net':80
'we###ell.net':80
'fa###compe.net':80
'ri###ompe.net':80
'we###ount.net':80

TCP:

HTTP GET requests:

http://th####hirteen.net/index.php
http://li###eft.net/index.php
http://th###left.net/index.php
http://li####irteen.net/index.php
http://fe###ope.net/index.php
http://li###urry.net/index.php
http://th###hurry.net/index.php
http://li###ope.net/index.php
http://so####hirteen.net/index.php
http://fi###left.net/index.php
http://so###left.net/index.php
http://fi####hirteen.net/index.php
http://th###hope.net/index.php
http://fi###hurry.net/index.php
http://so###hurry.net/index.php
http://le###eft.net/index.php
http://ta###left.net/index.php
http://le###ope.net/index.php
http://ta####hirteen.net/index.php
http://le###urry.net/index.php
http://ta###hurry.net/index.php
http://le####irteen.net/index.php
http://ta###hope.net/index.php
http://we###eft.net/index.php
http://fe###eft.net/index.php
http://we###ope.net/index.php
http://fe####irteen.net/index.php
http://we###urry.net/index.php
http://fe###urry.net/index.php
http://we####irteen.net/index.php
http://no###our.net/index.php
http://li###ompe.net/index.php
http://no###ompe.net/index.php
http://li###our.net/index.php
http://no###ount.net/index.php
http://li###ell.net/index.php
http://no###ell.net/index.php
http://ca###ount.net/index.php
http://be##lxc.com/index.php
http://af###sllc.com/index.php
http://ri###nstorm.net/index.php
http://de###lxc.com/index.php
http://po###count.net/index.php
http://ca###ell.net/index.php
http://po###fell.net/index.php
http://fa###fell.net/index.php
http://ri###ell.net/index.php
http://fa###hour.net/index.php
http://ri###ount.net/index.php
http://fi###hope.net/index.php
http://so###hope.net/index.php
http://fa###count.net/index.php
http://ri###our.net/index.php
http://we###our.net/index.php
http://we###ompe.net/index.php
http://li###ount.net/index.php
http://we###ell.net/index.php
http://fa###compe.net/index.php
http://ri###ompe.net/index.php
http://we###ount.net/index.php

UDP:

DNS ASK th####hirteen.net
DNS ASK li###eft.net
DNS ASK th###left.net
DNS ASK li####irteen.net
DNS ASK fe###ope.net
DNS ASK li###urry.net
DNS ASK th###hurry.net
DNS ASK li###ope.net
DNS ASK so####hirteen.net
DNS ASK fi###left.net
DNS ASK so###left.net
DNS ASK fi####hirteen.net
DNS ASK th###hope.net
DNS ASK fi###hurry.net
DNS ASK so###hurry.net
DNS ASK le###eft.net
DNS ASK ta###left.net
DNS ASK le###ope.net
DNS ASK ta####hirteen.net
DNS ASK le###urry.net
DNS ASK ta###hurry.net
DNS ASK le####irteen.net
DNS ASK ta###hope.net
DNS ASK we###eft.net
DNS ASK fe###eft.net
DNS ASK we###ope.net
DNS ASK fe####irteen.net
DNS ASK we###urry.net
DNS ASK fe###urry.net
DNS ASK we####irteen.net
DNS ASK fi###hope.net
DNS ASK li###ompe.net
DNS ASK no###ompe.net
DNS ASK ca###ount.net
DNS ASK no###our.net
DNS ASK li###ell.net
DNS ASK no###ell.net
DNS ASK li###our.net
DNS ASK be##lxc.com
DNS ASK af###sllc.com
DNS ASK ri###nstorm.net
DNS ASK de###lxc.com
DNS ASK po###count.net
DNS ASK ca###ell.net
DNS ASK po###fell.net
DNS ASK no###ount.net
DNS ASK ri###ell.net
DNS ASK fa###hour.net
DNS ASK ri###our.net
DNS ASK fa###fell.net
DNS ASK so###hope.net
DNS ASK fa###count.net
DNS ASK ri###ount.net
DNS ASK we###our.net
DNS ASK we###ompe.net
DNS ASK li###ount.net
DNS ASK we###ell.net
DNS ASK fa###compe.net
DNS ASK ri###ompe.net
DNS ASK we###ount.net
'23#.#55.255.250':1900

テクノロジー

用語

トレーニングコースおよび啓蒙プロジェクト

アンチウイルスに関する誤解と噂

Technical Information

Curing recommendations

Free trial