Trojan.DownLoader46.48962

Technical Information

Malicious functions

Executes the following

'<SYSTEM32>\taskkill.exe' /f /im HTTPDebuggerUI.exe
'<SYSTEM32>\taskkill.exe' /f /im HTTPDebuggerSvc.exe
'<SYSTEM32>\taskkill.exe' /FI "IMAGENAME eq cheatengine*" /IM * /F /T
'<SYSTEM32>\taskkill.exe' /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
'<SYSTEM32>\taskkill.exe' /FI "IMAGENAME eq processhacker*" /IM * /F /T
'<SYSTEM32>\taskkill.exe' /FI "IMAGENAME eq fiddler*" /IM * /F /T
'<SYSTEM32>\taskkill.exe' /FI "IMAGENAME eq wireshark*" /IM * /F /T
'<SYSTEM32>\taskkill.exe' /FI "IMAGENAME eq rawshark*" /IM * /F /T
'<SYSTEM32>\taskkill.exe' /FI "IMAGENAME eq charles*" /IM * /F /T
'<SYSTEM32>\taskkill.exe' /FI "IMAGENAME eq ida*" /IM * /F /T

Launches a large number of processes

Searches for windows to

detect analytical utilities:

ClassName: '', WindowName: 'The Wireshark Network Analyzer'

Modifies file system

Creates the following files

nul
%WINDIR%\temp\tar96e.tmp
%WINDIR%\temp\cab96d.tmp
%WINDIR%\temp\tarf1c7.tmp
%WINDIR%\temp\cabf1c6.tmp
%WINDIR%\temp\tarf148.tmp
%WINDIR%\temp\cabf147.tmp
%WINDIR%\temp\tard972.tmp
%WINDIR%\temp\cabd971.tmp
%WINDIR%\temp\tard896.tmp
%WINDIR%\temp\cabd895.tmp
%WINDIR%\temp\tarc0a1.tmp
%WINDIR%\temp\cabc090.tmp
%WINDIR%\temp\tarbfb5.tmp
%WINDIR%\temp\cab532b.tmp
%WINDIR%\temp\cabbfb4.tmp
%WINDIR%\temp\caba7ee.tmp
%WINDIR%\temp\tara770.tmp
%WINDIR%\temp\caba76f.tmp
%WINDIR%\temp\tara6f1.tmp
%WINDIR%\temp\caba6f0.tmp
%WINDIR%\temp\tara634.tmp
%WINDIR%\temp\caba633.tmp
%WINDIR%\temp\tar8e01.tmp
%WINDIR%\temp\cab8e00.tmp
%WINDIR%\temp\tar8d25.tmp
%WINDIR%\temp\cab8d24.tmp
%WINDIR%\temp\tar7465.tmp
%WINDIR%\temp\cab7454.tmp
%WINDIR%\temp\tara7ff.tmp
%WINDIR%\temp\tar532c.tmp

Deletes the following files

%WINDIR%\temp\cab7454.tmp
%WINDIR%\temp\tar96e.tmp
%WINDIR%\temp\cab96d.tmp
%WINDIR%\temp\tarf1c7.tmp
%WINDIR%\temp\cabf1c6.tmp
%WINDIR%\temp\tarf148.tmp
%WINDIR%\temp\cabf147.tmp
%WINDIR%\temp\tard972.tmp
%WINDIR%\temp\cabd971.tmp
%WINDIR%\temp\tard896.tmp
%WINDIR%\temp\cabd895.tmp
%WINDIR%\temp\tarc0a1.tmp
%WINDIR%\temp\cabc090.tmp
%WINDIR%\temp\tarbfb5.tmp
%WINDIR%\temp\cabbfb4.tmp
%WINDIR%\temp\tara7ff.tmp
%WINDIR%\temp\caba7ee.tmp
%WINDIR%\temp\tara770.tmp
%WINDIR%\temp\caba76f.tmp
%WINDIR%\temp\tara6f1.tmp
%WINDIR%\temp\caba6f0.tmp
%WINDIR%\temp\tara634.tmp
%WINDIR%\temp\caba633.tmp
%WINDIR%\temp\tar8e01.tmp
%WINDIR%\temp\cab8e00.tmp
%WINDIR%\temp\tar8d25.tmp
%WINDIR%\temp\cab8d24.tmp
%WINDIR%\temp\tar7465.tmp
%WINDIR%\temp\cab532b.tmp
%WINDIR%\temp\tar532c.tmp

Network activity

Connects to

'localhost':49185
'localhost':49187
'ke##uth.win':443
'x1.#.lencr.org':80
'x2.#.lencr.org':80

TCP

HTTP GET requests

http://x1.#.lencr.org/
http://x2.#.lencr.org/

Other

'localhost':49185
'localhost':49187
'localhost':49188
'ke##uth.win':443

UDP

DNS ASK ke##uth.win
DNS ASK x1.#.lencr.org
DNS ASK x2.#.lencr.org

Miscellaneous

Searches for the following windows

ClassName: '' WindowName: 'Progress Telerik Fiddler Web Debugger'
ClassName: '' WindowName: 'x64dbg'
ClassName: '' WindowName: 'KsDumper'
ClassName: '' WindowName: ''

Executes the following

'<SYSTEM32>\cmd.exe' /c certutil -hashfile "<Full path to file>" MD5 | find /i /v "md5" | find /i /v "certutil"
'<SYSTEM32>\sc.exe' stop wireshark
'<SYSTEM32>\cmd.exe' /c sc stop wireshark >nul 2>&1
'<SYSTEM32>\sc.exe' stop KProcessHacker1
'<SYSTEM32>\cmd.exe' /c sc stop KProcessHacker1 >nul 2>&1
'<SYSTEM32>\sc.exe' stop KProcessHacker2
'<SYSTEM32>\cmd.exe' /c sc stop KProcessHacker2 >nul 2>&1
'<SYSTEM32>\sc.exe' stop KProcessHacker3
'<SYSTEM32>\cmd.exe' /c sc stop KProcessHacker3 >nul 2>&1
'<SYSTEM32>\cmd.exe' /c taskkill /FI "IMAGENAME eq ida*" /IM * /F /T >nul 2>&1
'<SYSTEM32>\cmd.exe' /c taskkill /FI "IMAGENAME eq charles*" /IM * /F /T >nul 2>&1
'<SYSTEM32>\cmd.exe' /c taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T >nul 2>&1
'<SYSTEM32>\cmd.exe' /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
'<SYSTEM32>\cmd.exe' /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
'<SYSTEM32>\cmd.exe' /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
'<SYSTEM32>\cmd.exe' /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
'<SYSTEM32>\cmd.exe' /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
'<SYSTEM32>\sc.exe' stop HTTPDebuggerPro
'<SYSTEM32>\cmd.exe' /c sc stop HTTPDebuggerPro >nul 2>&1
'<SYSTEM32>\cmd.exe' /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
'<SYSTEM32>\cmd.exe' /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
'<SYSTEM32>\find.exe' /i /v "certutil"
'<SYSTEM32>\find.exe' /i /v "md5"
'<SYSTEM32>\certutil.exe' -hashfile "<Full path to file>" MD5
'<SYSTEM32>\cmd.exe' /c sc stop npf >nul 2>&1
'<SYSTEM32>\sc.exe' stop npf

TECHNOLOGIES

TERMINOLOGIE

COURS ET EDU

MYTHES

Technical Information

Recommandations pour le traitement

Free trial