Trojan.DownLoader22.62296

Technical Information

To ensure autorun and distribution:

Modifies the following registry keys:

[<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'Copy Accounts Control Defender Credential' = '<SYSTEM32>\fyqqiou.exe'

Creates the following services:

[<HKLM>\SYSTEM\ControlSet001\Services\Endpoint Software Networking Filtering] 'ImagePath' = '<SYSTEM32>\fyqqiou.exe'
[<HKLM>\SYSTEM\ControlSet001\Services\Endpoint Software Networking Filtering] 'Start' = '00000002'

Malicious functions:

To complicate detection of its presence in the operating system,

blocks the following features:

Windows Security Center

Executes the following:

'<SYSTEM32>\sutdevx.exe' "<SYSTEM32>\fyqqiou.exe"
'%WINDIR%\Temp\feqv0wib2vvlhueen.exe' -r 37895 tcp
'%TEMP%\feqv0wib2mtmhueent2djqhr.exe'
'<SYSTEM32>\fyqqiou.exe'

Modifies file system:

Creates the following files:

<SYSTEM32>\rroekdezpjukrym\run
<SYSTEM32>\rroekdezpjukrym\rng
%WINDIR%\Temp\feqv0wib2vvlhueen.exe
<SYSTEM32>\rroekdezpjukrym\cfg
<SYSTEM32>\sutdevx.exe
%TEMP%\feqv0wib2mtmhueent2djqhr.exe
<SYSTEM32>\rroekdezpjukrym\tst
<SYSTEM32>\fyqqiou.exe
<SYSTEM32>\rroekdezpjukrym\etc

Sets the 'hidden' attribute to the following files:

<SYSTEM32>\sutdevx.exe
<SYSTEM32>\fyqqiou.exe

Deletes the following files:

%WINDIR%\Temp\feqv0wib2vvlhueen.exe
<DRIVERS>\etc\hosts
%TEMP%\feqv0wib2mtmhueent2djqhr.exe

Substitutes the HOSTS file.

Network activity:

Connects to:

'st###once.net':80
'we###nce.net':80
'we###oss.net':80
'we###tudy.net':80
'st###loss.net':80
'fo###study.net':80
'af###loss.net':80
'af###study.net':80
'af###uncle.net':80
'fo###uncle.net':80
'st###study.net':80
'wa###tudy.net':80
'mo###loss.net':80
'mo###study.net':80
'mo###uncle.net':80
'wa###ncle.net':80
'st###uncle.net':80
'we###ncle.net':80
'wa###nce.net':80
'wa###oss.net':80
'mo###once.net':80
'na###tudy.net':80
'dr###loss.net':80
'dr###study.net':80
'dr###uncle.net':80
'na###ncle.net':80
'fi###free.net':80
'qu###free.net':80
'na###nce.net':80
'na###oss.net':80
'dr###once.net':80
'we####dayonce.net':80
'se###ncle.net':80
'we####dayuncle.net':80
'fo###once.net':80
'fo###loss.net':80
'af###once.net':80
'we####dayloss.net':80
'se###nce.net':80
'se###oss.net':80
'se###tudy.net':80
'we####daystudy.net':80
'dr###army.net':80
'na###rmy.net':80
'na###pril.net':80
'al###being.net':80
'ri###nstorm.net':80
'qu###uncle.net':80
'fi###study.net':80
'fi###uncle.net':80
'dr###edge.net':80
'na###dge.net':80
'ca####nbring.net':80
'cr#####onaraminta.net':80
'le###form.net':80
'jo####ymeasure.net':80
'ef###tbuilt.net':80
'th###while.net':80
'mo###olor.net':80
'pr####tbottom.net':80
'ab###ell.net':80
'mo###ugust.net':80
'mi###hown.net':80
'fa###ncle.net':80
'le###study.net':80
'le###uncle.net':80
'bo###nce.net':80
'ga###nce.net':80
'le###once.net':80
'fa###nce.net':80
'fa###oss.net':80
'fa###tudy.net':80
'le###loss.net':80
'ga###oss.net':80
'fi###once.net':80
'qu###once.net':80
'qu###loss.net':80
'qu###study.net':80
'fi###loss.net':80
'ga###tudy.net':80
'bo###oss.net':80
'bo###tudy.net':80
'bo###ncle.net':80
'ga###ncle.net':80

TCP:

HTTP GET requests:

http://st###once.net/index.php
http://we###nce.net/index.php
http://we###oss.net/index.php
http://we###tudy.net/index.php
http://st###loss.net/index.php
http://fo###study.net/index.php
http://af###loss.net/index.php
http://af###study.net/index.php
http://af###uncle.net/index.php
http://fo###uncle.net/index.php
http://st###study.net/index.php
http://wa###tudy.net/index.php
http://mo###loss.net/index.php
http://mo###study.net/index.php
http://mo###uncle.net/index.php
http://wa###ncle.net/index.php
http://st###uncle.net/index.php
http://we###ncle.net/index.php
http://wa###nce.net/index.php
http://wa###oss.net/index.php
http://mo###once.net/index.php
http://na###tudy.net/index.php
http://dr###loss.net/index.php
http://dr###study.net/index.php
http://dr###uncle.net/index.php
http://na###ncle.net/index.php
http://fi###free.net/index.php
http://qu###free.net/index.php
http://na###nce.net/index.php
http://na###oss.net/index.php
http://dr###once.net/index.php
http://we####dayonce.net/index.php
http://se###ncle.net/index.php
http://we####dayuncle.net/index.php
http://fo###once.net/index.php
http://fo###loss.net/index.php
http://af###once.net/index.php
http://we####dayloss.net/index.php
http://se###nce.net/index.php
http://se###oss.net/index.php
http://se###tudy.net/index.php
http://we####daystudy.net/index.php
http://dr###army.net/index.php
http://na###rmy.net/index.php
http://na###pril.net/index.php
http://al###being.net/index.php
http://ri###nstorm.net/index.php
http://qu###uncle.net/index.php
http://fi###study.net/index.php
http://fi###uncle.net/index.php
http://dr###edge.net/index.php
http://na###dge.net/index.php
http://ca####nbring.net/index.php
http://cr#####onaraminta.net/index.php
http://le###form.net/index.php
http://jo####ymeasure.net/index.php
http://ef###tbuilt.net/index.php
http://th###while.net/index.php
http://mo###olor.net/index.php
http://pr####tbottom.net/index.php
http://ab###ell.net/index.php
http://mo###ugust.net/index.php
http://mi###hown.net/index.php
http://fa###ncle.net/index.php
http://le###study.net/index.php
http://le###uncle.net/index.php
http://bo###nce.net/index.php
http://ga###nce.net/index.php
http://le###once.net/index.php
http://fa###nce.net/index.php
http://fa###oss.net/index.php
http://fa###tudy.net/index.php
http://le###loss.net/index.php
http://ga###oss.net/index.php
http://fi###once.net/index.php
http://qu###once.net/index.php
http://qu###loss.net/index.php
http://qu###study.net/index.php
http://fi###loss.net/index.php
http://ga###tudy.net/index.php
http://bo###oss.net/index.php
http://bo###tudy.net/index.php
http://bo###ncle.net/index.php
http://ga###ncle.net/index.php

UDP:

DNS ASK st###once.net
DNS ASK we###nce.net
DNS ASK we###oss.net
DNS ASK we###tudy.net
DNS ASK st###loss.net
DNS ASK fo###study.net
DNS ASK af###loss.net
DNS ASK af###study.net
DNS ASK af###uncle.net
DNS ASK fo###uncle.net
DNS ASK st###study.net
DNS ASK wa###tudy.net
DNS ASK mo###loss.net
DNS ASK mo###study.net
DNS ASK mo###uncle.net
DNS ASK wa###ncle.net
DNS ASK st###uncle.net
DNS ASK we###ncle.net
DNS ASK wa###nce.net
DNS ASK wa###oss.net
DNS ASK mo###once.net
DNS ASK fo###loss.net
DNS ASK dr###loss.net
DNS ASK na###oss.net
DNS ASK na###tudy.net
DNS ASK na###ncle.net
DNS ASK dr###study.net
DNS ASK qu###free.net
DNS ASK fi###forty.net
DNS ASK fi###free.net
DNS ASK dr###once.net
DNS ASK na###nce.net
DNS ASK dr###uncle.net
DNS ASK we####dayuncle.net
DNS ASK se###tudy.net
DNS ASK se###ncle.net
DNS ASK af###once.net
DNS ASK fo###once.net
DNS ASK se###nce.net
DNS ASK we####dayonce.net
DNS ASK we####dayloss.net
DNS ASK we####daystudy.net
DNS ASK se###oss.net
DNS ASK dr###army.net
DNS ASK na###rmy.net
DNS ASK na###pril.net
DNS ASK al###being.net
DNS ASK ri###nstorm.net
DNS ASK qu###uncle.net
DNS ASK fi###study.net
DNS ASK fi###uncle.net
DNS ASK dr###edge.net
DNS ASK na###dge.net
DNS ASK ca####nbring.net
DNS ASK cr#####onaraminta.net
DNS ASK le###form.net
DNS ASK jo####ymeasure.net
DNS ASK ef###tbuilt.net
DNS ASK th###while.net
DNS ASK mo###olor.net
DNS ASK pr####tbottom.net
DNS ASK ab###ell.net
DNS ASK mo###ugust.net
DNS ASK mi###hown.net
DNS ASK fa###ncle.net
DNS ASK le###study.net
DNS ASK le###uncle.net
DNS ASK bo###nce.net
DNS ASK ga###nce.net
DNS ASK le###once.net
DNS ASK fa###nce.net
DNS ASK fa###oss.net
DNS ASK fa###tudy.net
DNS ASK le###loss.net
DNS ASK ga###oss.net
DNS ASK fi###once.net
DNS ASK qu###once.net
DNS ASK qu###loss.net
DNS ASK qu###study.net
DNS ASK fi###loss.net
DNS ASK ga###tudy.net
DNS ASK bo###oss.net
DNS ASK bo###tudy.net
DNS ASK bo###ncle.net
DNS ASK ga###ncle.net
'23#.#55.255.250':1900

Tecnologías

Términos

Formación y educación

Mitos

Technical Information

Curing recommendations

Free trial