Win32.HLLW.Autoruner1.10761

Technical Information

To ensure autorun and distribution:

Modifies the following registry keys:

[<HKCU>\Software\Microsoft\Windows NT\CurrentVersion\Winlogon] 'Shell' = '<LS_APPDATA>\f5a698ed\X'

Malicious functions:

Creates and executes the following:

<LS_APPDATA>\f5a698ed\X

Executes the following:

%WINDIR%\explorer.exe

Injects code into

the following system processes:

%WINDIR%\Explorer.EXE

Modifies file system :

Creates the following files:

<LS_APPDATA>\f5a698ed\X
<LS_APPDATA>\f5a698ed\@

Deletes itself.

Network activity:

Connects to:

'83.##5.10.48':21810
'19#.#06.10.11':21810
'21#.#11.131.155':21810
'83.##3.102.209':21810
'18#.#73.40.226':21810
'31.#92.8.55':21810
'87.##0.8.171':21810
'79.##2.214.146':21810
'80.##8.252.145':21810
'79.##4.129.224':21810
'92.##1.152.48':21810
'10.##4.96.86':21810
'18#.#57.33.226':21810
'80.##.168.113':21810
'12.##.91.248':21810
'18#.#9.137.36':21810
'14.##.105.87':21810
'11#.#03.58.188':21810
'79.##4.224.115':21810
'85.##6.222.193':21810
'18#.#15.206.81':21810
'91.##8.31.116':21810
'86.#7.28.86':21810
'70.##6.17.112':21810
'1.##.81.32':21810
'17#.#46.194.177':21810
'93.##7.139.181':21810
'68.##7.213.73':21810
'17#.#5.210.8':21810
'59.##.118.167':21810
'11#.#98.49.231':21810
'85.##.225.207':21810
'18#.#8.193.238':21810
'19#.#90.39.243':21810
'19#.#13.133.238':21810
'79.##2.192.24':21810
'2.###.127.115':21810
'89.##.124.239':21810
'17#.#57.179.238':21810
'17#.#18.192.143':21810
'83.##2.165.167':21810
'17#.#05.213.120':21810
'89.#2.51.78':21810
'18#.#37.32.254':21810
'20#.#12.188.142':21810
'76.#48.21.9':21810
'11#.#54.24.161':21810
'79.##3.188.26':21810
'59.##4.40.23':21810
'78.##1.141.223':21810
'79.##3.31.83':21810
'18#.#79.69.166':21810
'18#.#73.77.199':21810
'11#.#19.191.46':21810
'14#.#3.197.165':21810
'79.##9.177.200':21810
'95.##.251.199':21810
'18#.#6.209.139':21810
'18#.#3.95.66':21810
'89.##.148.56':21810
'18#.#6.2.231':21810
'18#.#73.126.243':21810
'18#.#9.150.174':21810
'1.##.161.176':21810
'77.##2.13.170':21810
'20#.#7.117.172':21810
'11#.#97.70.131':21810
'31.##0.6.250':21810
'19#.#89.33.75':21810
'95.##5.60.123':21810
'19#.#99.89.143':21810
'80.##7.96.169':21810
'11#.#48.172.71':21810
'46.##4.228.244':21810
'19#.#78.168.198':21810
'95.##1.119.10':21810
'46.##.197.38':21810
'87.##1.70.20':21810
'89.##.52.154':21810
'95.##.111.198':21810
'83.##6.6.226':21810
'18#.#96.131.174':21810
'89.##2.237.183':21810
'20#.#41.152.50':21810
'11#.#99.91.147':21810
'68.##4.196.135':21810
'11#.#9.29.233':21810
'17#.#1.14.127':21810
'88.##8.32.52':21810
'78.##.42.245':21810
'94.##3.156.207':21810
'18#.#15.14.123':21810
'80.#5.89.7':21810
'21#.#32.253.206':21810
'93.##4.219.194':21810
'19#.#73.123.120':21810
'20#.#23.36.119':21810
'18#.#01.169.213':21810
'19#.#05.154.210':80
'80.##.202.154':21810
'18#.#9.143.102':21810
'94.##.248.239':21810
'18#.#4.13.62':21810
'19#.#06.153.48':21810
'10#.#7.166.47':21810
'18#.2.170.9':21810
'83.##3.62.222':21810
'18#.#33.168.247':21810
'46.##4.165.189':21810
'12#.#7.216.45':21810
'84.##.21.151':21810
'17#.#38.213.28':21810
'72.##7.200.176':21810
'27.#.85.39':21810
'21#.#3.162.107':21810
'11#.#00.57.197':21810
'18#.#9.240.40':21810
'71.##4.85.199':21810
'19#.#7.201.87':21810
'27.#.218.110':21810
'11#.#5.71.92':21810
'89.##.136.224':21810
'17#.#24.88.248':21810
'20#.#46.230.87':21810
'61.#5.96.35':21810
'93.##5.43.29':21810
'17#.#4.12.103':21810
'11#.#2.79.33':21810
'85.##2.234.253':21810
'79.##1.126.127':21810
'18#.0.192.7':21810
'11#.#95.98.81':21810
'67.##0.70.127':21810
'79.##2.155.16':21810
'79.##4.22.152':21810
'12#.#26.174.76':21810
'11#.#2.74.152':21810
'17#.#1.239.235':21810
'20#.#20.107.200':21810
'18#.#6.124.46':21810
'41.##4.233.111':21810
'21#.#03.184.26':21810
'19#.#64.186.44':21810
'81.##3.188.241':21810
'18#.#5.160.239':21810
'11#.#03.147.4':21810
'62.##1.145.115':21810

TCP:

HTTP GET requests:

19#.#05.154.210/stat2.php?w=################################################
19#.#05.154.210/stat2.php?w=#################################################

技术

术语

教育培训

误区

Technical Information