Trojan.Carberp.2057

Technical Information

To ensure autorun and distribution

Creates the following services

[<HKLM>\System\CurrentControlSet\Services\dump_hiochange] 'ImagePath' = '<DRIVERS>\dump_hiochange.sys'
[<HKLM>\System\CurrentControlSet\Services\xdypzfxtkfk] 'ImagePath' = '<DRIVERS>\L4QAtB.sys'

Malicious functions

Injects code into

the following system processes:

%WINDIR%\explorer.exe

the following user processes:

iexplore.exe

Hooks functions

in browsers

firefox.exe process, nss3.dll module
firefox.exe process, mswsock.dll module
iexplore.exe process, wininet.dll module
iexplore.exe process, mswsock.dll module

Modifies settings of Windows Internet Explorer

[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings] 'ProxyServer' = ''

Modifies file system

Creates the following files

%WINDIR%\389e375fe1524261ba8e9e2a02da4432\svchost.exe
%TEMP%\zssxtmsk\tc.dll
%TEMP%\zssxtmsk\cq.dll
%TEMP%\zssxtmsk\ren010.exe
%WINDIR%\blwiuay.dll
<DRIVERS>\dump_hiochange.sys
%WINDIR%\fonts\diantz.exe
<DRIVERS>\l4qatb.sys

Deletes the following files

<DRIVERS>\l4qatb.sys
%TEMP%\zssxtmsk\ren010.exe

Deletes itself.

Network activity

TCP

HTTP GET requests

http://ap#.#.taobao.com/rest/api3.do?ap##########################
http://do##.onefast.cc/pgm/mds/422ed73a26bc994c/8f6b181e9acd6089dec5e7bed571131d5ebe26b59e6ff5c664.zip
http://do##.onefast.cc/cfg/cmc/b2.txt
http://do##.onefast.cc/cfg/cmc/qzpass.txt
http://do##.onefast.cc/cfg/cmc/slfdm.txt
http://tu##utd.cn/api/r/ip
http://cd#.#oluobl.cn/API/General/lsrpu
http://do##.onefast.cc/pgm/mds/c1c6e537fb3295c8/2478b1c7bf2a8bfcdb765744c8f3a9d5703f5031721f796564.zip
http://do##.onefast.cc/pgm/mds/05631e93ccdb00ee/f79e9e12124babd5d12613e5324db03aac2915df8a76bb6b64.zip
http://do##.onefast.cc/cfg/cmc/sfbd.txt
http://cd#.#oluobl.cn/api/userconfig/uc_a0dcf3ed0637cf5693ab35b8dbcd0acf.json
http://do##.onefast.cc/cfg/pub/ps.json
http://do##.onefast.cc/cfg/pub/ms.json
http://do##.onefast.cc/cfg/user/c995ec7fd4f57c0d/4f3d70b44eda5920.json
http://sp#.#aidu.com/8aQDcjqpAAV3otqbppnN2DJv/api.php?qu##############################################################
http://ap##.#ame.qq.com/comm-htdocs/ip/get_ip.php
http://cd#.#oluobl.cn/appi/appi/ren010
http://yo#####engine.stnts.com/v1/plug/up?ci############################################################################################################
http://do##.onefast.cc/pgm/mpr/c995ec7fd4f57c0d/4f3d70b44eda5920.zip
http://11#.#29.33.201/report.php?ty##############################################################################################################################################################...
http://li##.baidu.com/jquery/2.1.4/jquery.min.js

HTTP POST requests

http://by#.###.bydj2019.com/checkver
http://by#.###.bydj2019.com/downfile
http://by#.###.bydj2019.com/zzz
http://ds##.#oolsabc.cn/?op###############
http://tu##utd.cn/api/r/mcm

'id#.#cafeba.com':32400

'<LOCALNET>.87.30':32500

'<LOCALNET>.87.30':49186

'sp#.#aidu.com':443

UDP

DNS ASK ap#.#.taobao.com
DNS ASK tu##utd.cn
DNS ASK nm#####.hjkl45678.xyz
DNS ASK dg###yjsd.top
DNS ASK js##.wanhwk.top
DNS ASK js##.wanehw.top
DNS ASK cn##.#xjvdre.top
DNS ASK cn##.wanwye.top
DNS ASK cn##.#gerltwi.top
DNS ASK 9.##n1.top
DNS ASK 9h###u.djku.top
DNS ASK 9h###u.w2sn.top
DNS ASK cn##.wanehr.top
DNS ASK cn##.wanesa.top
DNS ASK li##.baidu.com
DNS ASK 9i#5.cn
DNS ASK do##.onefast.cc
DNS ASK cn##.wanods.top
DNS ASK cd#.#oluobl.cn
DNS ASK cn##.#sgrejdf.top
DNS ASK cl####.vbnm34567.xyz
DNS ASK cd########l-cn-idv9fxk.qiniudns.com
DNS ASK sp#.#aidu.com
DNS ASK ap##.#ame.qq.com
DNS ASK yo#####engine.stnts.com
DNS ASK 9h####.592hcq.com
DNS ASK ti####.##ina.line.qiniudns.com
DNS ASK ti##########web.qiniu.com.w.kunlunno.com
DNS ASK ds##.#oolsabc.cn
DNS ASK do##.####ast.cc.cdn.dnsv1.com
DNS ASK id#.#cafeba.com
DNS ASK nq#####z.slt.cdntip.com
DNS ASK ek##ysmheyb
DNS ASK by#.###.bydj2019.com
'<LOCALNET>.87.182':35756
'<LOCALNET>.87.176':56086
'<LOCALNET>.87.171':44017
'<LOCALNET>.87.172':39826
'<LOCALNET>.87.173':35763
'<LOCALNET>.87.174':64340
'<LOCALNET>.87.175':60277
'<LOCALNET>.87.177':52023
'<LOCALNET>.87.178':15064
'<LOCALNET>.87.179':11001
'<LOCALNET>.87.186':52008
'<LOCALNET>.87.180':44014
'<LOCALNET>.87.181':48079
'<LOCALNET>.87.184':60266
'<LOCALNET>.87.192':47261
'<LOCALNET>.87.187':56073
'<LOCALNET>.87.188':10982
'<LOCALNET>.87.189':15047
'<LOCALNET>.87.170':48080
'<LOCALNET>.87.190':39135
'<LOCALNET>.87.191':35070
'<LOCALNET>.87.193':43196
'<LOCALNET>.87.196':63513
'<LOCALNET>.87.195':51322
'<LOCALNET>.87.183':39821
'<LOCALNET>.87.169':16701
'<LOCALNET>.87.161':39104
'<LOCALNET>.87.194':55387
'<LOCALNET>.87.185':64331
'<LOCALNET>.87.167':63494
'<LOCALNET>.87.156':48500
'<LOCALNET>.87.141':65186
'<LOCALNET>.87.144':44551
'<LOCALNET>.87.145':48678
'<LOCALNET>.87.146':36421
'<LOCALNET>.87.147':40548
'<LOCALNET>.87.148':28555
'<LOCALNET>.87.149':32682
'<LOCALNET>.87.150':56754
'<LOCALNET>.87.151':52627
'<LOCALNET>.87.152':65008
'<LOCALNET>.87.153':60881
'<LOCALNET>.87.154':40246
'<LOCALNET>.87.155':36119
'<LOCALNET>.87.142':52929
'<LOCALNET>.87.140':61059
'<LOCALNET>.87.232':13691
'<LOCALNET>.87.159':19611
'<LOCALNET>.87.160':35041
'<LOCALNET>.87.197':59448
'<LOCALNET>.87.162':43171
'<LOCALNET>.87.163':47234
'<LOCALNET>.87.164':51301
'<LOCALNET>.87.165':55364
'<LOCALNET>.87.166':59431
'<LOCALNET>.87.168':12638
'<LOCALNET>.87.198':16716
'<LOCALNET>.87.205':11186
'<LOCALNET>.87.200':31511
'<LOCALNET>.87.157':44373
'<LOCALNET>.87.158':23738
'<LOCALNET>.87.41':37729
'<LOCALNET>.87.86':42731
'<LOCALNET>.87.235':32481
'<LOCALNET>.87.237':24227
'<LOCALNET>.87.238':44876
'<LOCALNET>.87.239':49005
'<LOCALNET>.87.240':47059
'<LOCALNET>.87.241':42994
'<LOCALNET>.87.242':38801
'<LOCALNET>.87.243':34736
'<LOCALNET>.87.244':63319
'<LOCALNET>.87.245':59254
'<LOCALNET>.87.246':55061
'<LOCALNET>.87.247':50996
'<LOCALNET>.87.248':14043
'<LOCALNET>.87.249':20079
'<LOCALNET>.87.236':20098
'<LOCALNET>.87.250':34018
'<LOCALNET>.87.252':42144
'<LOCALNET>.87.253':46209
'<LOCALNET>.87.254':50278
'23#.#23.112.211':26945
'<LOCALNET>.87.30':62888
'255.255.255.255':32455
'255.255.255.255':56003
'<LOCALNET>.87.231':15973
'<LOCALNET>.87.199':12651
'<LOCALNET>.87.230':11844
'<LOCALNET>.87.228':40061
'<LOCALNET>.87.201':27446
'<LOCALNET>.87.202':23381
'<LOCALNET>.87.251':38083
'<LOCALNET>.87.203':19316
'<LOCALNET>.87.204':15251
'<LOCALNET>.87.139':58941
'<LOCALNET>.87.207':13157
'<LOCALNET>.87.208':64031
'<LOCALNET>.87.209':59966
'<LOCALNET>.87.210':18470
'<LOCALNET>.87.211':22535
'<LOCALNET>.87.212':26724
'<LOCALNET>.87.213':30789
'<LOCALNET>.87.214':12311
'<LOCALNET>.87.215':16376
'<LOCALNET>.87.216':10464
'<LOCALNET>.87.217':14529
'<LOCALNET>.87.218':51502
'<LOCALNET>.87.219':55567
'<LOCALNET>.87.206':17222
'<LOCALNET>.87.143':57056
'<LOCALNET>.87.222':15671
'<LOCALNET>.87.223':11542
'<LOCALNET>.87.224':24049
'<LOCALNET>.87.225':19920
'<LOCALNET>.87.226':32179
'<LOCALNET>.87.227':28050
'<LOCALNET>.87.229':35932
'<LOCALNET>.87.1':50653
'<LOCALNET>.87.137':12136
'<LOCALNET>.87.136':16199
'<LOCALNET>.87.37':27184
'<LOCALNET>.87.38':39903
'<LOCALNET>.87.39':35838
'<LOCALNET>.87.221':13513
'<LOCALNET>.87.233':17820
'<LOCALNET>.87.40':33600
'<LOCALNET>.87.123':29766
'<LOCALNET>.87.42':41730
'<LOCALNET>.87.45':54245
'<LOCALNET>.87.46':58246
'<LOCALNET>.87.47':62375
'<LOCALNET>.87.48':10685
'<LOCALNET>.87.49':14814
'<LOCALNET>.87.50':45169
'<LOCALNET>.87.36':31249
'<LOCALNET>.87.51':41040
'<LOCALNET>.87.53':32786
'<LOCALNET>.87.54':61685
'<LOCALNET>.87.55':57556
'<LOCALNET>.87.56':53431
'<LOCALNET>.87.4':38264
'<LOCALNET>.87.44':50116
'<LOCALNET>.87.70':54803
'<LOCALNET>.87.60':58658
'<LOCALNET>.87.61':62723
'<LOCALNET>.87.62':50528
'<LOCALNET>.87.63':54593
'<LOCALNET>.87.64':42406
'<LOCALNET>.87.65':46471
'<LOCALNET>.87.66':34276
'<LOCALNET>.87.52':36915
'<LOCALNET>.87.67':38341
'<LOCALNET>.87.35':19058
'<LOCALNET>.87.33':10932
'<LOCALNET>.87.2':62910
'<LOCALNET>.87.58':12665
'<LOCALNET>.87.59':18637
'<LOCALNET>.87.3':58783
'<LOCALNET>.87.57':49302
'<LOCALNET>.87.5':34137
'<LOCALNET>.87.18':64957
'<LOCALNET>.87.16':17384
'<LOCALNET>.87.34':23123
'<LOCALNET>.87.15':11280
'<LOCALNET>.87.14':15409
'<LOCALNET>.87.11':27796
'<LOCALNET>.87.12':23799
'<LOCALNET>.87.10':31925
'<LOCALNET>.87.9':17621
'<LOCALNET>.87.8':21748
'<LOCALNET>.87.19':60828
'<LOCALNET>.87.7':42267
'<LOCALNET>.87.13':19670
'<LOCALNET>.87.20':10726
'<LOCALNET>.87.28':43246
'<LOCALNET>.87.22':12569
'<LOCALNET>.87.23':16634
'<LOCALNET>.87.24':26978
'<LOCALNET>.87.25':31043
'<LOCALNET>.87.26':18720
'<LOCALNET>.87.27':22785
'<LOCALNET>.87.29':47311
'<LOCALNET>.87.31':12907
'<LOCALNET>.87.32':14997
'<LOCALNET>.87.17':13255
'<LOCALNET>.87.138':63004
'<LOCALNET>.87.68':25642
'<LOCALNET>.87.6':46394
'<LOCALNET>.87.21':14791
'<LOCALNET>.87.105':29410
'<LOCALNET>.87.220':17642
'<LOCALNET>.87.122':25703
'<LOCALNET>.87.73':58992
'<LOCALNET>.87.110':14571
'<LOCALNET>.87.111':10444
'<LOCALNET>.87.112':12596
'<LOCALNET>.87.113':18570
'<LOCALNET>.87.114':20978
'<LOCALNET>.87.115':16851
'<LOCALNET>.87.116':29104
'<LOCALNET>.87.117':24977
'<LOCALNET>.87.118':36990
'<LOCALNET>.87.104':25283
'<LOCALNET>.87.119':32863
'<LOCALNET>.87.121':21508
'<LOCALNET>.87.43':45859
'<LOCALNET>.87.109':45934
'<LOCALNET>.87.234':28352
'<LOCALNET>.87.125':15349
'<LOCALNET>.87.126':19544
'<LOCALNET>.87.127':13506
'<LOCALNET>.87.129':54540
'<LOCALNET>.87.130':30484
'<LOCALNET>.87.131':26421
'<LOCALNET>.87.132':22358
'<LOCALNET>.87.133':18295
'<LOCALNET>.87.134':14224
'<LOCALNET>.87.135':10161
'<LOCALNET>.87.120':17445
'<LOCALNET>.87.69':29707
'<LOCALNET>.87.106':17025
'<LOCALNET>.87.124':11286
'<LOCALNET>.87.108':41807
'<LOCALNET>.87.103':14745
'<LOCALNET>.87.101':12902
'<LOCALNET>.87.74':38551
'<LOCALNET>.87.75':34486
'<LOCALNET>.87.76':46805
'<LOCALNET>.87.77':42740
'<LOCALNET>.87.78':22299
'<LOCALNET>.87.79':18234
'<LOCALNET>.87.80':50733
'<LOCALNET>.87.81':54796
'<LOCALNET>.87.82':58991
'<LOCALNET>.87.83':63054
'<LOCALNET>.87.84':34473
'<LOCALNET>.87.102':10618
'<LOCALNET>.87.72':63057
'<LOCALNET>.87.85':38536
'<LOCALNET>.87.88':18213
'<LOCALNET>.87.89':22276
'<LOCALNET>.87.90':62748
'<LOCALNET>.87.91':58685
'<LOCALNET>.87.92':54622
'<LOCALNET>.87.93':50559
'<LOCALNET>.87.94':46488
'<LOCALNET>.87.95':42425
'<LOCALNET>.87.96':38362
'<LOCALNET>.87.97':34299
'<LOCALNET>.87.98':29716
'<LOCALNET>.87.99':25653
'<LOCALNET>.87.100':18876
'<LOCALNET>.87.87':46794
'<LOCALNET>.87.71':50738
'<LOCALNET>.87.107':21152
'<LOCALNET>.87.128':50477

Miscellaneous

Adds a root certificate

Searches for the following windows

ClassName: 'ProgMan' WindowName: ''
ClassName: 'SHELLDLL_DefView' WindowName: ''
ClassName: 'SysListView32' WindowName: ''

Creates and executes the following

'%WINDIR%\389e375fe1524261ba8e9e2a02da4432\svchost.exe' -k
'%TEMP%\zssxtmsk\ren010.exe'
'%WINDIR%\fonts\diantz.exe'
'<SYSTEM32>\ipconfig.exe' /flushdns' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /c del /Q /F "%TEMP%\ZSSxtMsK\ren010.exe"' (with hidden window)

Executes the following

'<SYSTEM32>\rundll32.exe' <SYSTEM32>\FirewallControlPanel.dll,ShowNotificationDialog /configure /ETOnly 0 /OnProfiles 6 /OtherAllowed 0 /OtherBlocked 0 /OtherEdgeAllowed 0 /NewBlocked 4 "%WINDIR%\explorer.exe"
'<SYSTEM32>\rundll32.exe' <SYSTEM32>\FirewallControlPanel.dll,ShowNotificationDialog /configure /ETOnly 0 /OnProfiles 6 /OtherAllowed 0 /OtherBlocked 0 /OtherEdgeAllowed 0 /NewBlocked 4 "%WINDIR%\389e375fe1524261ba8e9e2...
'<SYSTEM32>\ipconfig.exe' /flushdns
'<SYSTEM32>\fxscover.exe'
'<SYSTEM32>\taskhost.exe'
'<SYSTEM32>\rundll32.exe' <SYSTEM32>\FirewallControlPanel.dll,ShowNotificationDialog /configure /ETOnly 0 /OnProfiles 6 /OtherAllowed 0 /OtherBlocked 0 /OtherEdgeAllowed 0 /NewBlocked 4 "%WINDIR%\fonts\diantz.exe"
'%WINDIR%\syswow64\cmd.exe' /c del /Q /F "%TEMP%\ZSSxtMsK\ren010.exe"

Technologies

Terminology

Training and education

Myths

Technical Information

Curing recommendations

Free trial