Trojan.DownLoader21.23450

Technical Information

To ensure autorun and distribution:

Modifies the following registry keys:

[<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'Extensible Internet PNRP Resolution Drive' = '<SYSTEM32>\eldxeqetiuu.exe'

Creates the following services:

[<HKLM>\SYSTEM\ControlSet001\Services\Topology Builder Tunneling] 'ImagePath' = '<SYSTEM32>\eldxeqetiuu.exe'
[<HKLM>\SYSTEM\ControlSet001\Services\Topology Builder Tunneling] 'Start' = '00000002'

Malicious functions:

To complicate detection of its presence in the operating system,

blocks the following features:

Windows Security Center

Creates and executes the following:

'<SYSTEM32>\otsaakhgope.exe' "<SYSTEM32>\eldxeqetiuu.exe"
'%WINDIR%\Temp\b6grakx2x4acdui.exe' -r 26652 tcp
'%TEMP%\b6grakx2qmscduihkxsasf.exe'
'<SYSTEM32>\eldxeqetiuu.exe'

Modifies file system:

Creates the following files:

<SYSTEM32>\gyphmpaaj\run
<SYSTEM32>\gyphmpaaj\rng
%WINDIR%\Temp\b6grakx2x4acdui.exe
<SYSTEM32>\gyphmpaaj\cfg
<SYSTEM32>\otsaakhgope.exe
%TEMP%\b6grakx2qmscduihkxsasf.exe
<SYSTEM32>\gyphmpaaj\tst
<SYSTEM32>\eldxeqetiuu.exe
<SYSTEM32>\gyphmpaaj\etc

Sets the 'hidden' attribute to the following files:

<SYSTEM32>\otsaakhgope.exe
<SYSTEM32>\eldxeqetiuu.exe

Deletes the following files:

%WINDIR%\Temp\b6grakx2x4acdui.exe
<DRIVERS>\etc\hosts
%TEMP%\b6grakx2qmscduihkxsasf.exe

Substitutes the HOSTS file.

Network activity:

Connects to:

'wh###allow.net':80
'up###ives.net':80
'up###llow.net':80
'up###arth.net':80
'wh###earth.net':80
'wh###gives.net':80
'sa###arth.net':80
'sp###llow.net':80
'sp###arth.net':80
'sp###aste.net':80
'sa###aste.net':80
'ar###earth.net':80
'so###earth.net':80
'so###taste.net':80
'th###uess.net':80
'ar###taste.net':80
'ar###allow.net':80
'up###aste.net':80
'wh###taste.net':80
'so###gives.net':80
'so###allow.net':80
'ar###gives.net':80
'gr###earth.net':80
'eq###allow.net':80
'eq###earth.net':80
'eq###taste.net':80
'gr###taste.net':80
'gr###allow.net':80
'vi###taste.net':80
'sp###earth.net':80
'sp###taste.net':80
'eq###gives.net':80
'gr###gives.net':80
'gl###aste.net':80
'ta###taste.net':80
'sa###ives.net':80
'sa###llow.net':80
'sp###ives.net':80
'gl###arth.net':80
'gl###ives.net':80
'ta###gives.net':80
'ta###allow.net':80
'ta###earth.net':80
'gl###llow.net':80
'dr###guess.net':80
'eq###stood.net':80
'gr###stood.net':80
'ta###guess.net':80
'ta###first.net':80
'gl###uess.net':80
'eq###kill.net':80
'eq###guess.net':80
'gr###guess.net':80
'gr###first.net':80
'gr###kill.net':80
'eq###first.net':80
'de###lxc.com':80
'sp###uess.net':80
'be##lxc.com':80
'ri###nstorm.net':80
'af###sllc.com':80
'sa###uess.net':80
'ta###kill.net':80
'gl###irst.net':80
'gl###ill.net':80
'gl###tood.net':80
'ta###stood.net':80
'wa###guess.net':80
'fa###uess.net':80
'fa###irst.net':80
'fa###ill.net':80
'wa###first.net':80
'dr###stood.net':80
'dr###first.net':80
'th###irst.net':80
'th###ill.net':80
'th###tood.net':80
'dr###kill.net':80
'vi###kill.net':80
'sp###first.net':80
'sp###kill.net':80
'sp###stood.net':80
'vi###stood.net':80
'vi###first.net':80
'fa###tood.net':80
'wa###kill.net':80
'wa###stood.net':80
'sp###guess.net':80
'vi###guess.net':80

TCP:

HTTP GET requests:

http://wh###allow.net/index.php
http://up###ives.net/index.php
http://up###llow.net/index.php
http://up###arth.net/index.php
http://wh###earth.net/index.php
http://wh###gives.net/index.php
http://sa###arth.net/index.php
http://sp###llow.net/index.php
http://sp###arth.net/index.php
http://sp###aste.net/index.php
http://sa###aste.net/index.php
http://ar###earth.net/index.php
http://so###earth.net/index.php
http://so###taste.net/index.php
http://th###uess.net/index.php
http://ar###taste.net/index.php
http://ar###allow.net/index.php
http://up###aste.net/index.php
http://wh###taste.net/index.php
http://so###gives.net/index.php
http://so###allow.net/index.php
http://ar###gives.net/index.php
http://gr###earth.net/index.php
http://eq###allow.net/index.php
http://eq###earth.net/index.php
http://eq###taste.net/index.php
http://gr###taste.net/index.php
http://gr###allow.net/index.php
http://vi###taste.net/index.php
http://sp###earth.net/index.php
http://sp###taste.net/index.php
http://eq###gives.net/index.php
http://gr###gives.net/index.php
http://gl###aste.net/index.php
http://ta###taste.net/index.php
http://sa###ives.net/index.php
http://sa###llow.net/index.php
http://sp###ives.net/index.php
http://gl###arth.net/index.php
http://gl###ives.net/index.php
http://ta###gives.net/index.php
http://ta###allow.net/index.php
http://ta###earth.net/index.php
http://gl###llow.net/index.php
http://dr###guess.net/index.php
http://eq###stood.net/index.php
http://gr###stood.net/index.php
http://ta###guess.net/index.php
http://ta###first.net/index.php
http://gl###uess.net/index.php
http://eq###kill.net/index.php
http://eq###guess.net/index.php
http://gr###guess.net/index.php
http://gr###first.net/index.php
http://gr###kill.net/index.php
http://eq###first.net/index.php
http://de###lxc.com/index.php
http://sp###uess.net/index.php
http://be##lxc.com/index.php
http://ri###nstorm.net/index.php
http://af###sllc.com/index.php
http://sa###uess.net/index.php
http://ta###kill.net/index.php
http://gl###irst.net/index.php
http://gl###ill.net/index.php
http://gl###tood.net/index.php
http://ta###stood.net/index.php
http://wa###guess.net/index.php
http://fa###uess.net/index.php
http://fa###irst.net/index.php
http://fa###ill.net/index.php
http://wa###first.net/index.php
http://dr###stood.net/index.php
http://dr###first.net/index.php
http://th###irst.net/index.php
http://th###ill.net/index.php
http://th###tood.net/index.php
http://dr###kill.net/index.php
http://vi###kill.net/index.php
http://sp###first.net/index.php
http://sp###kill.net/index.php
http://sp###stood.net/index.php
http://vi###stood.net/index.php
http://vi###first.net/index.php
http://fa###tood.net/index.php
http://wa###kill.net/index.php
http://wa###stood.net/index.php
http://sp###guess.net/index.php
http://vi###guess.net/index.php

UDP:

DNS ASK up###llow.net
DNS ASK wh###allow.net
DNS ASK wh###earth.net
DNS ASK wh###taste.net
DNS ASK up###arth.net
DNS ASK up###ives.net
DNS ASK sp###arth.net
DNS ASK sa###arth.net
DNS ASK sa###aste.net
DNS ASK wh###gives.net
DNS ASK sp###aste.net
DNS ASK so###taste.net
DNS ASK ar###earth.net
DNS ASK ar###taste.net
DNS ASK dr###guess.net
DNS ASK th###uess.net
DNS ASK so###earth.net
DNS ASK so###gives.net
DNS ASK up###aste.net
DNS ASK ar###gives.net
DNS ASK ar###allow.net
DNS ASK so###allow.net
DNS ASK sp###llow.net
DNS ASK gr###earth.net
DNS ASK eq###allow.net
DNS ASK eq###earth.net
DNS ASK eq###taste.net
DNS ASK gr###taste.net
DNS ASK gr###allow.net
DNS ASK vi###taste.net
DNS ASK sp###earth.net
DNS ASK sp###taste.net
DNS ASK eq###gives.net
DNS ASK gr###gives.net
DNS ASK gl###aste.net
DNS ASK ta###taste.net
DNS ASK sa###ives.net
DNS ASK sa###llow.net
DNS ASK sp###ives.net
DNS ASK gl###arth.net
DNS ASK gl###ives.net
DNS ASK ta###gives.net
DNS ASK ta###allow.net
DNS ASK ta###earth.net
DNS ASK gl###llow.net
DNS ASK eq###stood.net
DNS ASK gr###stood.net
DNS ASK ta###guess.net
DNS ASK ta###first.net
DNS ASK gl###uess.net
DNS ASK eq###kill.net
DNS ASK eq###guess.net
DNS ASK gr###guess.net
DNS ASK gr###first.net
DNS ASK gr###kill.net
DNS ASK eq###first.net
DNS ASK de###lxc.com
DNS ASK sp###uess.net
DNS ASK be##lxc.com
DNS ASK ri###nstorm.net
DNS ASK af###sllc.com
DNS ASK sa###uess.net
DNS ASK ta###kill.net
DNS ASK gl###irst.net
DNS ASK gl###ill.net
DNS ASK gl###tood.net
DNS ASK ta###stood.net
DNS ASK wa###guess.net
DNS ASK fa###uess.net
DNS ASK fa###irst.net
DNS ASK fa###ill.net
DNS ASK wa###first.net
DNS ASK dr###stood.net
DNS ASK dr###first.net
DNS ASK th###irst.net
DNS ASK th###ill.net
DNS ASK th###tood.net
DNS ASK dr###kill.net
DNS ASK vi###kill.net
DNS ASK sp###first.net
DNS ASK sp###kill.net
DNS ASK sp###stood.net
DNS ASK vi###stood.net
DNS ASK vi###first.net
DNS ASK fa###tood.net
DNS ASK wa###kill.net
DNS ASK wa###stood.net
DNS ASK sp###guess.net
DNS ASK vi###guess.net
'23#.#55.255.250':1900

TECHNOLOGIES

TERMINOLOGIE

COURS ET EDU

MYTHES

Technical Information

Recommandations pour le traitement

Free trial