TROJ_INJECT.XXTWZ
Trojan:Win32/Emotet.G(Microsoft);Trojan-Dropper.Win32.Injector.lmaq (Kaspersky);Gen:Variant.Zusy.131675(Bitdefender)
Windows
- Malware type: Trojan
- Destructive: No
- Encrypted:
- In the wild: Yes
Overview
This malware arrives on a system either dropped by other malware or downloaded unknowingly by users when visiting malicious websites.
The malware deletes the initially executed copy of itself, that is, the file that entered the computer and created the dropped copy.
Details
Arrival Details
This malware arrives on a system either dropped by other malware or downloaded unknowingly by users when visiting malicious websites.
Installation
This malware drops the following copy of itself into the affected system:
- %AppDataLocal%\{random name}\{random name}.exe
(Note: %AppDataLocal% is usually "C:\Documents and Settings\<user name>\Local Settings\Application Data" on Windows 2000, XP and Server 2003, and "C:\Users\<user name>\AppData\Local" on Windows Vista and 7.)
Autostart Technique
This malware adds the following registry entries so that its dropped copy runs automatically at every Windows startup:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
{random name} = "%AppDataLocal%\{random name}\{random name}.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
{random name} = "%AppDataLocal%\{random name}\{random name}.exe"
Other System Modifications
This malware adds the following registry keys:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_AJAX_CONNECTIONEVENTS
HKEY_LOCAL_MACHINE\Software\{8 random values}
HKEY_CURRENT_USER\Software\{8 random values}
This malware adds the following registry entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore
DisableConfig = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore
DisableSR = "1"
HKEY_LOCAL_MACHINE\SYSTEM\{Current Control Set}\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings
ProxyEnable = "1"
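The autostart entries and the System Restore policy values above can be hunted in a `reg export` dump without touching the live registry. The following Python is an added example, not code from the original page; it parses a constructed .reg sample in which the value name "qzkxmwpa" stands in for the advisory's {random name}, and flags Run entries that point at the %AppDataLocal%\{random name}\{random name}.exe drop-path shape together with DisableSR/DisableConfig set to 1.

```python
import re

# Constructed `reg export`-style dump (not from the original page); the value
# name "qzkxmwpa" stands in for the advisory's {random name}.
SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="%ProgramFiles%\\Windows Defender\\MSASCuiL.exe"
"qzkxmwpa"="C:\\Users\\alice\\AppData\\Local\\qzkxmwpa\\qzkxmwpa.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
"qzkxmwpa"="C:\\Users\\alice\\AppData\\Local\\qzkxmwpa\\qzkxmwpa.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]
"DisableConfig"=dword:00000001
"DisableSR"=dword:00000001
"""

# Both autorun locations named in the advisory, and the dropped-copy path shape
# <AppData\Local | Local Settings\Application Data>\<name>\<same name>.exe
RUN_KEY = re.compile(r"\\CurrentVersion\\(?:policies\\Explorer\\)?Run$", re.I)
DROP_PATH = re.compile(
    r"(?:AppData\\Local|Local Settings\\Application Data)\\([^\\]+)\\\1\.exe$", re.I)
VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')

def parse_reg(text):
    """Yield (key, value_name, data); strings are unescaped, dwords become ints."""
    key = None
    for line in text.splitlines():
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE_LINE.match(line)
        if not m or key is None:
            continue
        name, data = m.group(1), m.group(2)
        if data.startswith("dword:"):
            data = int(data[6:], 16)
        elif len(data) >= 2 and data[0] == data[-1] == '"':
            data = re.sub(r"\\(.)", r"\1", data[1:-1])  # undo .reg escaping
        yield key, name, data

def find_indicators(text):
    """Flag autoruns from a per-user drop path and System Restore disabled by policy."""
    hits = []
    for key, name, data in parse_reg(text):
        if RUN_KEY.search(key) and isinstance(data, str) and DROP_PATH.search(data.strip('"')):
            hits.append(f"autorun from per-user drop path: {key}\\{name} -> {data}")
        elif key.upper().endswith("\\WINDOWS NT\\SYSTEMRESTORE") \
                and name in ("DisableSR", "DisableConfig") and data == 1:
            hits.append(f"System Restore disabled by policy: {key}\\{name} = 1")
    return hits
```

On a real host, feed it the output of `reg export HKLM <file>`; the benign SecurityHealth entry in the sample is there to show that ordinary Run values are not reported.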
Other Details
This malware connects to the following malicious websites:
The malware deletes the initially executed copy of itself, that is, the file that entered the computer and created the dropped copy.