Trojan.DownLoader22.26047

Technical Information

To ensure autorun and distribution:

Modifies the following registry keys:

[<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'Smart Keying Firewall Defragmenter' = 'C:\midxrouwaut\jngpdnvnv.exe'

Creates the following services:

[<HKLM>\SYSTEM\ControlSet001\Services\Modules Software ActiveX Key] 'ImagePath' = 'C:\midxrouwaut\jngpdnvnv.exe'
[<HKLM>\SYSTEM\ControlSet001\Services\Modules Software ActiveX Key] 'Start' = '00000002'

Malicious functions:

Executes the following:

'C:\midxrouwaut\gclldeo.exe' "c:\midxrouwaut\jngpdnvnv.exe"
'C:\midxrouwaut\jngpdnvnv.exe'
'C:\midxrouwaut\xo2sfgf9wciz5da.exe'

Modifies file system:

Creates the following files:

C:\midxrouwaut\jngpdnvnv.exe
C:\midxrouwaut\gclldeo.exe
C:\midxrouwaut\wvodznice5jr
%WINDIR%\midxrouwaut\gxdevc1
C:\midxrouwaut\gxdevc1
C:\midxrouwaut\xo2sfgf9wciz5da.exe

Sets the 'hidden' attribute to the following files:

C:\midxrouwaut\gclldeo.exe
C:\midxrouwaut\jngpdnvnv.exe

Deletes the following files:

C:\midxrouwaut\xo2sfgf9wciz5da.exe
%WINDIR%\midxrouwaut\gxdevc1

Network activity:

Connects to:

'pe#####condition.net':80
'wi####please.net':80
'pe####splease.net':80
'su####tsoldier.net':80
'su####tnation.net':80
'wi####condition.net':80
'pe####snation.net':80
'po#####econdition.net':80
'mo#####ncondition.net':80
'wi####soldier.net':80
'pe####ssoldier.net':80
'wi####nation.net':80
'fi####condition.net':80
'le###please.net':80
'fi####please.net':80
'pr####lynation.net':80
'sw###nation.net':80
'le####ondition.net':80
'fi####nation.net':80
'su#####condition.net':80
'su####tplease.net':80
'le####oldier.net':80
'fi####soldier.net':80
'le###nation.net':80
'se####condition.net':80
'la###please.net':80
'se####please.net':80
'mo####nation.net':80
'si####nation.net':80
'la####ondition.net':80
'se####nation.net':80
'ma#####ldaughter.net':80
'se####ldaughter.net':80
'la####oldier.net':80
'se####soldier.net':80
'la###nation.net':80
'mo####insoldier.net':80
'po####lenation.net':80
'mo####innation.net':80
'po####leplease.net':80
'mo####inplease.net':80
'po####lesoldier.net':80
'si####please.net':80
'mo####soldier.net':80
'si####soldier.net':80
'mo####condition.net':80
'si####condition.net':80
'mo####please.net':80

TCP:

HTTP GET requests:

http://pe#####condition.net/index.php?me########
http://wi####please.net/index.php?me########
http://pe####splease.net/index.php?me########
http://su####tsoldier.net/index.php?me########
http://su####tnation.net/index.php?me########
http://wi####condition.net/index.php?me########
http://pe####snation.net/index.php?me########
http://po#####econdition.net/index.php?me########
http://mo#####ncondition.net/index.php?me########
http://wi####soldier.net/index.php?me########
http://pe####ssoldier.net/index.php?me########
http://wi####nation.net/index.php?me########
http://fi####condition.net/index.php?me########
http://le###please.net/index.php?me########
http://fi####please.net/index.php?me########
http://pr####lynation.net/index.php?me########
http://sw###nation.net/index.php?me########
http://le####ondition.net/index.php?me########
http://fi####nation.net/index.php?me########
http://su#####condition.net/index.php?me########
http://su####tplease.net/index.php?me########
http://le####oldier.net/index.php?me########
http://fi####soldier.net/index.php?me########
http://le###nation.net/index.php?me########
http://se####condition.net/index.php?me########
http://la###please.net/index.php?me########
http://se####please.net/index.php?me########
http://mo####nation.net/index.php?me########
http://si####nation.net/index.php?me########
http://la####ondition.net/index.php?me########
http://se####nation.net/index.php?me########
http://ma#####ldaughter.net/index.php?me########
http://se####ldaughter.net/index.php?me########
http://la####oldier.net/index.php?me########
http://se####soldier.net/index.php?me########
http://la###nation.net/index.php?me########
http://mo####insoldier.net/index.php?me########
http://po####lenation.net/index.php?me########
http://mo####innation.net/index.php?me########
http://po####leplease.net/index.php?me########
http://mo####inplease.net/index.php?me########
http://po####lesoldier.net/index.php?me########
http://si####please.net/index.php?me########
http://mo####soldier.net/index.php?me########
http://si####soldier.net/index.php?me########
http://mo####condition.net/index.php?me########
http://si####condition.net/index.php?me########
http://mo####please.net/index.php?me########

UDP:

DNS ASK wi####condition.net
DNS ASK pe#####condition.net
DNS ASK wi####please.net
DNS ASK su####tplease.net
DNS ASK su####tsoldier.net
DNS ASK su####tnation.net
DNS ASK wi####nation.net
DNS ASK pe####snation.net
DNS ASK po#####econdition.net
DNS ASK pe####splease.net
DNS ASK wi####soldier.net
DNS ASK pe####ssoldier.net
DNS ASK le####ondition.net
DNS ASK fi####condition.net
DNS ASK le###please.net
DNS ASK sw####oldier.net
DNS ASK pr####lynation.net
DNS ASK sw###nation.net
DNS ASK le###nation.net
DNS ASK fi####nation.net
DNS ASK su#####condition.net
DNS ASK fi####please.net
DNS ASK le####oldier.net
DNS ASK fi####soldier.net
DNS ASK mo#####ncondition.net
DNS ASK se####condition.net
DNS ASK la###please.net
DNS ASK se####please.net
DNS ASK mo####nation.net
DNS ASK si####nation.net
DNS ASK la####ondition.net
DNS ASK se####nation.net
DNS ASK ma#####ldaughter.net
DNS ASK se####ldaughter.net
DNS ASK la####oldier.net
DNS ASK se####soldier.net
DNS ASK la###nation.net
DNS ASK mo####insoldier.net
DNS ASK po####lenation.net
DNS ASK mo####innation.net
DNS ASK po####leplease.net
DNS ASK mo####inplease.net
DNS ASK po####lesoldier.net
DNS ASK si####please.net
DNS ASK mo####soldier.net
DNS ASK si####soldier.net
DNS ASK mo####condition.net
DNS ASK si####condition.net
DNS ASK mo####please.net

Miscellaneous:

Searches for the following windows:

ClassName: 'Shell_TrayWnd' WindowName: ''

TECHNOLOGIES

TERMINOLOGIE

COURS ET EDU

MYTHES

Technical Information

Recommandations pour le traitement

Free trial

Dans les réseaux sociaux