Trojan.DownLoader22.27085

Technical Information

To ensure autorun and distribution:

Modifies the following registry keys:

[<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'Visual User Alerts Assistant AuthIP Now' = 'C:\frpxywhgq\sxpyerx.exe'

Creates the following services:

[<HKLM>\SYSTEM\ControlSet001\Services\SNMP DLL Identity Encryption] 'ImagePath' = 'C:\frpxywhgq\sxpyerx.exe'
[<HKLM>\SYSTEM\ControlSet001\Services\SNMP DLL Identity Encryption] 'Start' = '00000002'

Malicious functions:

Executes the following:

'C:\frpxywhgq\oirrkqst.exe' "c:\frpxywhgq\sxpyerx.exe"
'C:\frpxywhgq\sxpyerx.exe'
'C:\frpxywhgq\iivv2uzwjvghj1imqovp.exe'

Modifies file system:

Creates the following files:

C:\frpxywhgq\sxpyerx.exe
C:\frpxywhgq\oirrkqst.exe
C:\frpxywhgq\iivv2uzwjvghj1imqovp.exe
%WINDIR%\frpxywhgq\bvlhkgkshjcq
C:\frpxywhgq\bvlhkgkshjcq

Sets the 'hidden' attribute to the following files:

C:\frpxywhgq\oirrkqst.exe
C:\frpxywhgq\sxpyerx.exe

Deletes the following files:

C:\frpxywhgq\iivv2uzwjvghj1imqovp.exe
%WINDIR%\frpxywhgq\bvlhkgkshjcq

Network activity:

Connects to:

'br####language.net':80
're####settle.net':80
'br####settle.net':80
're####device.net':80
'br####device.net':80
're####language.net':80
'fe####settle.net':80
'pr####before.net':80
'do####before.net':80
'fe####before.net':80
'fe####device.net':80
'fe####language.net':80
'pr####ebefore.net':80
'de####device.net':80
'pr####edevice.net':80
'st#####hlanguage.net':80
'st####thsettle.net':80
'de####before.net':80
'pr####esettle.net':80
're####before.net':80
'br####before.net':80
'de####language.net':80
'pr####elanguage.net':80
'de####settle.net':80
'bu####ngbefore.net':80
'ev####gdevice.net':80
'bu####ngdevice.net':80
'mi###settle.net':80
'st###settle.net':80
'ev####gbefore.net':80
'bu####ngsettle.net':80
'ou####ebefore.net':80
'mo####ntbefore.net':80
'ev####glanguage.net':80
'bu#####glanguage.net':80
'ev####gsettle.net':80
'do####language.net':80
'pr####settle.net':80
'do####settle.net':80
'pr####device.net':80
'do####device.net':80
'pr####language.net':80
'st###device.net':80
'mi####anguage.net':80
'st####anguage.net':80
'mi###before.net':80
'st###before.net':80
'mi###device.net':80

TCP:

HTTP GET requests:

http://br####language.net/index.php
http://re####settle.net/index.php
http://br####settle.net/index.php
http://re####device.net/index.php
http://br####device.net/index.php
http://re####language.net/index.php
http://fe####settle.net/index.php
http://pr####before.net/index.php
http://do####before.net/index.php
http://fe####before.net/index.php
http://fe####device.net/index.php
http://fe####language.net/index.php
http://pr####ebefore.net/index.php
http://de####device.net/index.php
http://pr####edevice.net/index.php
http://st#####hlanguage.net/index.php
http://st####thsettle.net/index.php
http://de####before.net/index.php
http://pr####esettle.net/index.php
http://re####before.net/index.php
http://br####before.net/index.php
http://de####language.net/index.php
http://pr####elanguage.net/index.php
http://de####settle.net/index.php
http://bu####ngbefore.net/index.php
http://ev####gdevice.net/index.php
http://bu####ngdevice.net/index.php
http://mi###settle.net/index.php
http://st###settle.net/index.php
http://ev####gbefore.net/index.php
http://bu####ngsettle.net/index.php
http://ou####ebefore.net/index.php
http://mo####ntbefore.net/index.php
http://ev####glanguage.net/index.php
http://bu#####glanguage.net/index.php
http://ev####gsettle.net/index.php
http://do####language.net/index.php
http://pr####settle.net/index.php
http://do####settle.net/index.php
http://pr####device.net/index.php
http://do####device.net/index.php
http://pr####language.net/index.php
http://st###device.net/index.php
http://mi####anguage.net/index.php
http://st####anguage.net/index.php
http://mi###before.net/index.php
http://st###before.net/index.php
http://mi###device.net/index.php

UDP:

DNS ASK br####language.net
DNS ASK re####settle.net
DNS ASK br####settle.net
DNS ASK re####device.net
DNS ASK br####device.net
DNS ASK re####language.net
DNS ASK fe####settle.net
DNS ASK pr####before.net
DNS ASK do####before.net
DNS ASK fe####before.net
DNS ASK fe####device.net
DNS ASK fe####language.net
DNS ASK pr####ebefore.net
DNS ASK de####device.net
DNS ASK pr####edevice.net
DNS ASK st#####hlanguage.net
DNS ASK st####thsettle.net
DNS ASK de####before.net
DNS ASK pr####esettle.net
DNS ASK re####before.net
DNS ASK br####before.net
DNS ASK de####language.net
DNS ASK pr####elanguage.net
DNS ASK de####settle.net
DNS ASK bu####ngbefore.net
DNS ASK ev####gdevice.net
DNS ASK bu####ngdevice.net
DNS ASK mi###settle.net
DNS ASK st###settle.net
DNS ASK ev####gbefore.net
DNS ASK bu####ngsettle.net
DNS ASK ou####ebefore.net
DNS ASK mo####ntbefore.net
DNS ASK ev####glanguage.net
DNS ASK bu#####glanguage.net
DNS ASK ev####gsettle.net
DNS ASK do####language.net
DNS ASK pr####settle.net
DNS ASK do####settle.net
DNS ASK pr####device.net
DNS ASK do####device.net
DNS ASK pr####language.net
DNS ASK st###device.net
DNS ASK mi####anguage.net
DNS ASK st####anguage.net
DNS ASK mi###before.net
DNS ASK st###before.net
DNS ASK mi###device.net

Miscellaneous:

Searches for the following windows:

ClassName: 'Shell_TrayWnd' WindowName: ''

TECHNOLOGIES

TERMINOLOGIE

COURS ET EDU

MYTHES

Technical Information

Recommandations pour le traitement

Free trial

Dans les réseaux sociaux