- Drops itself in:
  - C:\Users\<user>\AppData\Roaming\Microsoft\<random>\[a-z]{8}.exe; may have a name like:
    - crypptsp.exe
    - devissec.exe
    - bcrypnet.exe
    - aviftenc.exe
    - adprtext.exe
- Seen injecting into:
  - C:\Windows\system32\svchost.exe
  - C:\Windows\explorer.exe
- May create several bi[n] files:
  - C:\Users\<user>\AppData\Local\Temp\<random>.bi[n]
- Method of persistence (Run key):
  - HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\<random>
- Sets:
  - HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\<UUID>\Client
- Checks its external IP address via:
  - ipinfo.io/ip
- Sends C2 traffic over port 443 and sometimes 80
  - GET variant:
    - Uses "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)" as UA
    - URLs look like:
      - /images/CDzdWeMdka_2/BfAsviJFG6f/T9Rq5AfZ_2FRhq/wYLOYjZ2kpDQ4XI_2BZwt/yVJmdVq3Ma9Wa9SZ/klxiE0bP3j8wA4h/vtLlwXFoWU5fug7Wvt/s7GX7nvfe/Uzo_2BIguff_2FBEmrye/EHAgf2o8IhaWJPp9E2d/590F5.gif
  - POST variant:
    - Uses "Mozilla/5.0 (Windows NT 6.1; rv:50.0) Gecko/20100101 Firefox/50.0" as UA
    - URLs look like:
      - Uc3jIdGLBD2d_2Bg0eAd/BjVypUozDtfR/1Ys6jjeV/vPQ86aL7O1F1LiLLXLRLi/YPhLKJ5Jf_2BMyxVrsd/oPqZstY_2BSxf1rh/jPRNN28T1LBQfB/iZrtHqH1jisCjolJ/VYA_2BAxYEbo3Bd3XCbosS/vInzmwMy44i/kw0X8jwqh31kc/n5NcknEHIn6Hn8F/wdwlHFHU/tyjmH
- Payloads are currently downloaded as .class files.
- Additional .bat-file/certutil download method: https://pastebin.com/mERmdFvM
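As an added example (not part of the paste), a small Python detector that turns the indicators above into checks: the drop-path pattern, the two user-agent strings, the long encoded-segment beacon paths, and the ipinfo.io lookup, run over a constructed tab-separated proxy log (the hosts are placeholders, since the paste gives none; the paths and UAs are the ones quoted above).

```python
import re
# User-agent strings quoted in the paste for the GET and POST C2 variants.
UA_GET = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)"
UA_POST = "Mozilla/5.0 (Windows NT 6.1; rv:50.0) Gecko/20100101 Firefox/50.0"
# Drop location from the paste: ...\AppData\Roaming\Microsoft\<random>\[a-z]{8}.exe
# (directories matched case-insensitively, the 8-lowercase-letter name case-sensitively).
DROP_RE = re.compile(r"(?i:^[a-z]:\\users\\[^\\]+\\appdata\\roaming\\microsoft\\[^\\]+\\)[a-z]{8}\.exe$")
# One URL segment of the observed beacons: alphanumerics/underscores, optional .gif at the end.
SEGMENT_RE = re.compile(r"[A-Za-z0-9_]+(?:\.gif)?")

def is_drop_path(path):
    """True if a Windows file path matches the drop-location pattern."""
    return DROP_RE.match(path) is not None

def looks_like_beacon_path(path):
    """Many random-looking segments containing '_2B'/'_2F' (percent-encoding with '%' swapped for '_')."""
    segs = [s for s in path.split("/") if s]
    if len(segs) < 5 or not all(SEGMENT_RE.fullmatch(s) for s in segs):
        return False
    return "_2B" in path or "_2F" in path

def score_request(method, host, path, ua):
    """Return the list of paste-derived indicators a single request matches."""
    reasons = []
    if ua == UA_GET and method == "GET":
        reasons.append("GET-variant UA")
    if ua == UA_POST and method == "POST":
        reasons.append("POST-variant UA")
    if looks_like_beacon_path(path):
        reasons.append("encoded multi-segment path")
    if host == "ipinfo.io" and path == "/ip":
        reasons.append("external IP lookup")  # weak on its own; legitimate software does this too
    return reasons

def scan_log(lines):
    """Tab-separated lines: METHOD host path user-agent. Returns {line_no: reasons} for hits only."""
    hits = {}
    for n, line in enumerate(lines, 1):
        method, host, path, ua = line.split("\t", 3)
        reasons = score_request(method, host, path, ua)
        if reasons:
            hits[n] = reasons
    return hits

# Constructed sample log: hostnames are placeholders, paths and UAs are those quoted in the paste.
SAMPLE_LOG = [
    "GET\tc2-host.invalid\t/images/CDzdWeMdka_2/BfAsviJFG6f/T9Rq5AfZ_2FRhq/wYLOYjZ2kpDQ4XI_2BZwt/yVJmdVq3Ma9Wa9SZ/klxiE0bP3j8wA4h/vtLlwXFoWU5fug7Wvt/s7GX7nvfe/Uzo_2BIguff_2FBEmrye/EHAgf2o8IhaWJPp9E2d/590F5.gif\t" + UA_GET,
    "GET\tipinfo.io\t/ip\t" + UA_GET,
    "POST\tc2-host.invalid\t/Uc3jIdGLBD2d_2Bg0eAd/BjVypUozDtfR/1Ys6jjeV/vPQ86aL7O1F1LiLLXLRLi/YPhLKJ5Jf_2BMyxVrsd/oPqZstY_2BSxf1rh/jPRNN28T1LBQfB/iZrtHqH1jisCjolJ/VYA_2BAxYEbo3Bd3XCbosS/vInzmwMy44i/kw0X8jwqh31kc/n5NcknEHIn6Hn8F/wdwlHFHU/tyjmH\t" + UA_POST,
    "GET\twww.example.com\t/static/js/app.min.js\tMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36",
]
```

Only the first three sample lines produce hits; the benign fourth line matches none of the indicators.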