Trojan.Encoder.2286

Technical Information

To ensure autorun and distribution:

Modifies the following registry keys:

[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] '1e6f17d9' = '%APPDATA%\1e6f17d9.exe'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] '1e6f17d' = 'C:\1e6f17d9\1e6f17d9.exe'

Creates or modifies the following files:

%HOMEPATH%\Start Menu\Programs\Startup\1e6f17d9.exe

Malicious functions:

To complicate detection of its presence in the operating system,

blocks the following features:

System Restore (SR)

Executes the following:

'<SYSTEM32>\vssadmin.exe' Delete Shadows /All /Quiet
'<SYSTEM32>\svchost.exe' netsvcs
'%WINDIR%\explorer.exe'

Injects code into

the following system processes:

<SYSTEM32>\svchost.exe

Modifies file system :

Creates the following files:

%APPDATA%\1e6f17d9.exe
C:\1e6f17d9\1e6f17d9.exe

Network activity:

Connects to:

'fo####rsomaha.net':80
'de###pelli.it':80
'he###ine365.com':80
'ch#####ymenarguez.com':80
'go###alk.info':80
'sn###bid.com':80
'in###licus.com':80
'sa###hah.com':80
'ko#####-modellage.de':80
'hu####1morrow.com':80
'ex#####lbatterycase.com':80
'ha###nhosp.com':80
'ro####orldtours.in':80
'mo######statemanagement.com':80
'he#####shobbycenter.be':80
'ze####eative.com':80
'fa##out.com':80
'ew##eco.com':80
'gr###evap.com':80
've####ectric.com.au':80
'li###orphk.com':80
'bu###tale.com':80
'me########ijuanamiamiflorida.com':80
're####gonzalez.com':80
'es###qatee.com':80
'le######rholmeproject.co.uk':80
'ge######njurycenters.com':80
'mi####lesdelsur.com':80
'sp###rotn.com':80
'my####rnalip.com':80
'ip##ddr.es':80
'cu###yip.com':80
'ev#####gcareers.co.uk':80
'es######izaciondigital.com':80
'fu####mission.org':80
'me###aosea.net':80
'fa###ncepts.net':80
'hh###ovac.ca':80
'sm###aky.com':80
'tr###eno.com':80
'sl####tertime.com':80
'fo#####endargirls.com':80
'ft#####rityservices.com':80
'ge####ercables.com':80
'mi##a52.com':80

TCP:

HTTP GET requests:

http://cu###yip.com/
http://my####rnalip.com/raw
http://ip##ddr.es/

HTTP POST requests:

http://he###ine365.com/heelziggler.com/wp-content/plugins/siteorigin-panels/widgets/widgets/call-to-action/presets/1.php?b=###############
http://fo####rsomaha.net/wp-includes/Text/Diff/Renderer/ap3.php?z=###############
http://go###alk.info/Wp/wp-content/plugins/wp-wizard-cloak/static/js/jquery/farbtastic/5.php?o=###############
http://gr###evap.com/mtqzpa/templates/ap5.php?a=###############
http://ch#####ymenarguez.com/wp-content/plugins/js_composer/assets/css/lib/vc-linecons/fonts/2.php?g=###############
http://de###pelli.it/wp-content/plugins/wordpress-seo/vendor/composer/installers/tests/Composer/3.php?m=###############
http://ko#####-modellage.de/phpSitemapNG/inc/gsgxml/4.php?b=###############
http://in###licus.com/wp-content/uploads/gravity_forms/6-55cd98d82aec1ece039f3a32332929d1/tmp/3.php?t=###############
http://ex#####lbatterycase.com/wp-admin/js/ap4.php?w=###############
http://sn###bid.com/wp-content/themes/point/options/fields/radio/4.php?w=###############
http://hu####1morrow.com/wp-content/uploads/2013/12/2.php?l=###############
http://ha###nhosp.com/hagg2013/wp-includes/theme-compat/ap3.php?s=###############
http://ro####orldtours.in/js/2.php?a=###############
http://mo######statemanagement.com/m/images/1.php?z=###############
http://he#####shobbycenter.be/components/com_jce/editor/tiny_mce/plugins/mediamanager/classes/getid3/2.php?m=###############
http://ze####eative.com/cgi-bin/3.php?o=###############
http://fa##out.com/wp-includes/fonts/ap5.php?v=###############
http://ve####ectric.com.au/wp-includes/js/tinymce/skins/wordpress/images/1.php?z=###############
http://ew##eco.com/wp-admin/network/ap5.php?k=###############
http://mi####lesdelsur.com/wp-includes/js/jcrop/2.php?u=###############
http://li###orphk.com/js-js/5.php?f=###############
http://bu###tale.com/ilario_bordoni/assets/images/1.php?t=###############
http://mi####lesdelsur.com/wp-includes/js/jcrop/3.php?o=###############
http://le######rholmeproject.co.uk/js-js/1.php?a=###############
http://ge######njurycenters.com/backups_georgia/back%2007102014/ap4.php?i=###############
http://sl####tertime.com/wp-content/themes/blogoma/inc/blogoma-admin/options/validation/str_replace/3.php?m=###############
http://fo#####endargirls.com/wp-content/plugins/jetpack/modules/publicize/assets/rtl/4.php?e=###############
http://re####gonzalez.com/compras/image/data/1.php?p=###############
http://ev#####gcareers.co.uk/images/prettyPhoto/light_square/4.php?l=###############
http://es######izaciondigital.com/new/wp-includes/js/jcrop/5.php?p=###############
http://sp###rotn.com/4.php?g=###############
http://ev#####gcareers.co.uk/images/prettyPhoto/light_square/ap1.php?a=###############
http://es###qatee.com/wp-includes/css/ap1.php?r=###############
http://sm###aky.com/pdf/3.php?j=###############
http://fa###ncepts.net/wp-content/plugins/indonez-shortcodes/js/ap3.php?n=###############
http://hh###ovac.ca/ap1.php?m=###############
http://sa###hah.com/images/Image/2.php?j=###############
http://me########ijuanamiamiflorida.com/4.php?d=###############
http://fu####mission.org/wp-includes/theme-compat/ap5.php?c=###############
http://mi##a52.com/wp-content/plugins/iphorm-form-builder/js/jqueryui/themes/blitzer/images/1.php?z=###############
http://ft#####rityservices.com/wp-admin/images/ap2.php?i=###############
http://ge####ercables.com/wp-admin/user/ap1.php?p=###############
http://me###aosea.net/wp-content/plugins/wordpress-seo/vendor/composer/installers/tests/Composer/5.php?c=###############
http://tr###eno.com/flamingo/wp-content/plugins/jetpack/modules/shortcodes/css/rtl/2.php?i=###############

UDP:

DNS ASK fo####rsomaha.net
DNS ASK de###pelli.it
DNS ASK he###ine365.com
DNS ASK ch#####ymenarguez.com
DNS ASK go###alk.info
DNS ASK sn###bid.com
DNS ASK in###licus.com
DNS ASK sa###hah.com
DNS ASK ko#####-modellage.de
DNS ASK hu####1morrow.com
DNS ASK ex#####lbatterycase.com
DNS ASK ha###nhosp.com
DNS ASK ro####orldtours.in
DNS ASK mo######statemanagement.com
DNS ASK he#####shobbycenter.be
DNS ASK ze####eative.com
DNS ASK fa##out.com
DNS ASK ew##eco.com
DNS ASK gr###evap.com
DNS ASK ve####ectric.com.au
DNS ASK li###orphk.com
DNS ASK bu###tale.com
DNS ASK me########ijuanamiamiflorida.com
DNS ASK re####gonzalez.com
DNS ASK es###qatee.com
DNS ASK le######rholmeproject.co.uk
DNS ASK ge######njurycenters.com
DNS ASK mi####lesdelsur.com
DNS ASK sp###rotn.com
DNS ASK my####rnalip.com
DNS ASK ip##ddr.es
DNS ASK cu###yip.com
DNS ASK ev#####gcareers.co.uk
DNS ASK es######izaciondigital.com
DNS ASK fu####mission.org
DNS ASK me###aosea.net
DNS ASK fa###ncepts.net
DNS ASK hh###ovac.ca
DNS ASK sm###aky.com
DNS ASK tr###eno.com
DNS ASK sl####tertime.com
DNS ASK fo#####endargirls.com
DNS ASK ft#####rityservices.com
DNS ASK ge####ercables.com
DNS ASK mi##a52.com

Miscellaneous:

Searches for the following windows:

ClassName: 'Indicator' WindowName: ''

技术

术语

教育培训

误区

Technical Information

Curing recommendations

Free trial