Trojan.DownLoader9.14676

Technical Information

To ensure autorun and distribution:

Modifies the following registry keys:

[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'engel' = '%APPDATA%\updates\updates.exe'

Malicious functions:

To bypass firewall, removes or modifies the following registry keys:

[<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] 'EnableFirewall' = '00000000'

Executes the following:

'<SYSTEM32>\netsh.exe' advfirewall firewall add rule name="<Virus name>" dir=in action=allow program="<Full path to virus>"

Modifies file system :

Creates the following files:

%APPDATA%\engel\updates.exe

Network activity:

Connects to:

'87.#1.44.19':3128
'11#.#4.207.188':3128
'18#.#24.37.142':3128
'20#.#17.146.22':3128
'71.##6.135.4':3128
'85.##7.57.116':3128
'78.##.242.233':3128
'59.##.200.101':3128
'20#.#3.233.211':3128
'17#.137.2.4':3128
'41.##3.57.74':3128
'19#.#19.180.11':3128
'99.##7.197.172':3128
'11#.#04.64.62':3128
'79.##.40.188':3128
'20#.#1.160.62':3128
'77.#31.34.6':3128
'77.#1.20.25':3128
'19#.#0.16.125':3128
'20#.#53.205.36':3128
'11#.#97.100.72':3128
'78.#9.30.32':3128
'19#.#39.80.19':3128
'85.##5.100.50':3128
'20#.#52.243.171':3128
'60.##.219.42':3128
'18#.#24.157.187':3128
'19#.#1.116.226':3128
'93.##3.135.32':3128
'59.##3.48.229':3128
'11#.#65.3.20':3128
'78.##.68.249':3128
'22#.#06.111.177':3128
'41.##0.163.21':3128
'82.##5.226.110':3128
'18#.#24.155.125':3128
'78.##.61.250':3128
'19#.#29.146.2':3128
'89.##6.163.114':3128
'20#.#61.157.152':3128
'89.##2.59.122':3128
'89.##6.204.197':3128
'20#.#53.210.125':3128
'19#.#1.120.139':3128
'85.##6.250.116':3128
'11#.#46.86.131':3128
'20#.#27.174.251':3128
'92.##3.76.255':3128
'80.##2.64.58':3128
'84.##8.50.74':3128
'11#.#4.78.190':3128
'93.##0.28.178':3128
'84.##7.161.221':3128
'89.##6.169.166':3128
'12#.#.41.218':3128
'24.##2.25.216':3128
'78.#0.42.34':3128
'87.##.47.105':3128
'21#.#5.57.126':3128
'18#.#29.208.111':3128
'78.#9.46.68':3128
'85.##4.169.5':3128
'17#.#37.176.30':3128
'20#.#48.205.12':3128
'19#.#77.97.140':3128
'95.##.180.251':3128
'10#.#89.128.133':3128
'18#.#24.43.201':3128
'92.##5.96.123':3128
'96.##.168.115':3128
'59.##.239.232':3128
'11#.#99.114.204':3128
'62.##3.174.192':3128
'22#.#20.38.68':3128
'17#.#37.12.20':3128
'20#.#88.191.121':3128
'74.##.209.166':3128
'92.##3.103.93':3128
'20#.#17.183.70':3128
'11#.#37.114.80':3128
'89.##2.107.138':3128
'19#.#74.9.203':3128
'89.##3.253.161':3128
'19#.#44.37.43':3128
'19#.#29.151.32':3128
'78.##.99.105':3128
'19#.#17.47.185':3128
'17#.#68.42.151':3128
'88.##3.145.188':3128
'18#.#24.12.16':3128
'20#.#17.185.3':3128
'76.##9.47.171':3128
'12#.#05.186.8':3128
'85.#4.84.89':3128
'18#.#24.41.145':3128
'21#.#6.47.24':3128
'19#.#24.145.171':3128
'12#.#27.65.106':3128
'11#.#60.61.239':3128
'19#.#74.8.206':3128
'78.ttp':0
'21#.#5.57.126':312
'13#.#32.68.126':3128
'59.#13.ttp':0
'59.##8.36.157':3128
'84.##8.50.51':3128
'81.##8.141.145':3128
'12#.#20.131.123':3128
'77.##6.249.40':3128
'18#.#24.153.76':3128
'17#.#37.176.175':3128
'41.##3.57.76':3128
'60.##.88.105':3128
'85.##8.179.130':3128
'83.#3.44.75':3128
'19#.#1.121.26':3128
'83.##2.81.217':3128
'59.##3.49.128':3128
'17#.#38.47.229':3128
'11#.#39.57.44':3128
'18#.#24.157.131':3128
'59.##.253.131':3128
'76.##6.111.108':3128
'82.##6.61.184':3128
'87.#0.38.40':3128
'12#.#27.64.54':3128
'19#.#0.157.59':3128
'19#.#0.202.238':3128
'19#.#29.146.5':3128
'11#.#98.196.182':3128
'95.##.101.164':3128
'11#.#4.234.56':3128
'19#.#9.109.100':3128
'19#.#7.161.125':3128
'11#.#04.64.122':3128
'58.##4.176.3':3128
'91.##8.97.106':3128
'12#.#53.123.91':3128
'19#.#24.141.15':3128
'16#.#7.221.216':3128
'20#.#17.162.145':3128
'78.##.27.189':3128
'18#.#24.17.177':3128
'74.#15.5.41':3128
'94.##6.151.72':3128
'82.##2.103.247':3128
'19#.#1.117.230':3128
'11#.#4.181.202':3128
'17#.#38.38.248':3128
'19#.#24.141.220':3128
'22#.#43.58.39':3128
'20#.#87.228.5':3128
'85.##4.47.87':3128
'59.##.243.231':3128
'87.##0.166.58':3128
'85.##6.205.102':3128
'19#.#29.159.47':3128
'19#.#29.153.94':3128
'21#.#32.88.176':3128
'84.##0.69.127':3128
'20#.#27.170.49':3128
'78.##.10.241':3128
'11#.#97.218.182':3128
'19#.#0.157.33':3128
'11#.#59.83.35':3128
'12#.#.68.172':3128
'11#.#02.26.111':3128
'19#.#.200.175':3128
'21#.#5.92.189':3128
'19#.#17.42.73':3128
'79.##3.252.210':3128
'60.##0.147.209':3128
'77.##5.90.212':3128
'78.##.22.252':3128
'18#.#24.12.123':3128
'87.#.47.31':3128
'19#.#1.117.212':3128
'78.##.99.116':3128
'19#.#0.147.40':3128
'62.##7.194.58':3128
'18#.#27.42.6':3128
'17#.#37.180.196':3128
'18#.#24.39.42':3128
'78.##.37.212':3128
'19#.#39.82.64':3128
'19#.#29.157.101':3128
'59.##.240.53':3128
'10#.#48.17.211':3128
'19#.#39.88.191':3128
'21#.#71.160.117':3128
'59.##.200.104':3128
'21#.#96.69.16':3128
'11#.#65.2.135':3128
'18#.#24.159.83':3128
'77.##7.81.66':3128
'19#.#07.110.169':3128
'19#.#39.82.52':3128
'84.##8.50.36':3128
'83.#0.4.151':3128
'21#.#09.162.104':3128
'80.##6.84.76':3128
'21#.#21.220.233':3128
'89.##3.71.53':3128
'86.##9.130.35':3128
'21#.#19.194.130':3128
'83.##.153.57':3128
'11#.#65.224.66':3128
'11#.#35.92.6':3128
'85.##7.165.12':3128
'61.##.13.198':3128
'19#.#29.156.119':3128
'81.##.215.203':3128
'19#.3.229.6':3128
'12#.#20.135.207':3128
'11#.#41.40.47':3128
'20#.#53.210.154':3128
'17#.#38.34.58':3128
'19#.#24.143.135':3128
'80.##8.199.250':3128
'92.##3.210.171':3128
'11#.#99.112.143':3128
'18#.#24.159.95':3128
'94.##2.156.132':3128
'84.##8.50.80':3128
'20#.#84.1.127':3128
'11#.#4.73.131':3128
'11#.#35.52.126':3128
'41.##0.14.20':3128
'18#.#24.41.117':3128
'89.##6.142.79':3128
'20#.#8.132.138':3128
'20#.#53.204.175':3128
'20#.#53.211.127':3128
'85.##6.196.130':3128
'95.##9.207.220':3128
'78.##.19.211':3128
'20#.#17.182.36':3128
'19#.#51.53.33':3128
'77.##3.66.247':3128
'59.##3.48.117':3128
'82.#0.9.243':3128
'21#.#98.142.157':3128
'18#.#20.96.170':3128
'18#.#24.158.123':3128
'18#.#24.156.176':3128
'18#.#3.128.57':3128
'20#.#17.183.224':3128
'19#.#29.155.63':3128
'20#.#54.75.11':3128
'17#.#38.31.45':3128
'87.#.47.101':3128
'18#.#24.12.29':3128
'20#.#65.144.232':3128
'19#.#25.200.109':3128
'18#.#92.145.215':3128
'41.##0.167.92':3128
'12#.#20.104.159':3128
'85.##.106.150':3128
'19#.#29.147.140':3128
'11#.#04.67.97':3128
'20#.#64.211.106':3128
'78.#9.12.78':3128
'78.#9.3.114':3128
'41.##3.57.72':3128
'11#.#37.120.187':3128
'19#.#24.143.86':3128
'82.##.137.53':3128
'88.##5.193.113':3128
'59.##.248.45':3128
'84.##9.208.25':3128
'11#.#35.53.23':3128
'72.##8.40.67':3128
'87.##.55.244':3128
'19#.#39.88.117':3128
'89.##6.177.141':3128
'22#.#43.176.79':3128
'19#.#0.156.206':3128
'19#.#0.144.89':3128
'19#.#6.123.129':3128
'11#.#01.49.119':3128
'19#.#29.155.249':3128
'18#.#24.158.217':3128
'87.#1.44.39':3128
'59.##.236.30':3128
'11#.#33.64.51':3128
'59.##.248.192':3128
'11#.#65.226.33':3128
'21#.#86.183.4':3128
'11#.#2.205.59':3128
'78.##.10.143':3128
'59.##.221.102':3128
'19#.#29.147.10':3128
'95.##3.6.131':3128
'11#.#98.167.99':3128
'19#.#24.143.48':3128
'20#.#8.132.195':3128
'81.##5.4.137':3128
'20#.#5.34.169':3128
'12#.#20.128.112':3128
'82.##.231.20':3128
'19#.#1.120.29':3128
'21#.#38.4.164':3128
'20#.#53.211.195':3128

UDP:

DNS ASK 78.ttp
DNS ASK 59.#13.ttp

Miscellaneous:

Searches for the following windows:

ClassName: 'Indicator' WindowName: ''

テクノロジー

用語

トレーニングコースおよび啓蒙プロジェクト

アンチウイルスに関する誤解と噂

Technical Information

Curing recommendations

Free trial