PepperPotts

tofsee iocs (2018-02-05)

Mar 26th, 2018
#TOFSEE

fb3581f3e000845de152a70cd83a7051f37200340c5e4a1442d6f4725a73ae36

VT First Submission 2018-02-05 23:20:02

Network:

* 185.161.211.75:8080
* lazystax.ru
* 104.23.129.76:443 (omegle.com)
* 104.23.129.76:80 (omegle.com)
* 43.231.4.6:483
* 43.231.4.7:443
* 62.112.8.10:80
* 85.25.119.25:427
* 144.76.199.2:427
* 144.76.199.43:427
* 176.111.49.43:427
* microsoft.com
* yahoo.com
* google.com
* 13.77.92.139:443 (a.login.skype.com)
* 13.81.65.66:443 (a.login.skype.com)
* mail.ru

tcp localhost <---> 43.231.4.6:483 (encrypted communications)
tcp localhost <---> 43.231.4.7:443 (encrypted communications)
tcp localhost <---> 144.76.199.43:427 (encrypted communications)
tcp localhost <---> 144.76.199.2:427 (encrypted communications)
tcp localhost <---> 85.25.119.25:427 (encrypted communications)
tcp localhost <---> 176.111.49.43:427 (encrypted communications)
tcp localhost ---> 13.77.92.139 (a.login.skype.com) :443
tcp localhost ---> 185.161.211.75:8080: (coin mining pool)
{"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"123","pass":"x","agent":"XMRig/1.0.1 (Windows NT 6.1) libuv/1.12.1-dev msvc/2017"}}
tcp 185.161.211.75:8080 ---> localhost: (coin mining pool)
{"id":1,"jsonrpc":"2.0","result":{"id":"3bdfe02e-f5cb-4bb3-8981-e345df666c41","job":{"blob":"060689ded2d5058f7922eb536a671718a6ff92b6177fbf2175288151bb4c372ec8b545c70cb91300000090a57b31d66556c10e58958b20ae5bb95a3d30874bd9930a54263dbe9ade3e786501","job_id":"zgVbFOHUheAkBMzCHGP5lYvz1Sgn900","target":"c51a0d00"},"status":"OK"}}
{"id":1,"jsonrpc":"2.0","result":{"id":"3bdfe02e-f5cb-4bb3-8981-e345df666c41","job":{"blob":"060689ded2d5058f7922eb536a671718a6ff92b6177fbf2175288151bb4c372ec8b545c70cb91300000090a57b31d66556c10e58958b20ae5bb95a3d30874bd9930a54263dbe9ade3e786501","job_id":"zgVbFOHUheAkBMzCHGP5lYvz1Sgn900","target":"c51a0d00"},"status":"OK"}}
etc...
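The mining-pool exchange above is plain Stratum over JSON-RPC 2.0: the miner opens with a "login" whose "agent" string names the miner build, and the pool answers with a job (blob, job_id, target). The following script is an added example, not part of the original paste, that classifies such payloads, ties a login to the peer that later hands back work, and decodes the job target into the pool difficulty using XMRig's convention for 4-byte targets (little-endian uint32, difficulty = 0xFFFFFFFF // target). The flow list is constructed: the two payloads are the ones quoted in the paste (blob shortened), the third is a benign JSON-RPC call for contrast, and 10.0.0.5 stands in for the infected host.

```python
"""Spot an XMRig/Stratum mining-pool login in captured TCP payloads.

Added example for the Tofsee IOC list; not part of the original paste.
"""
import json
from typing import Dict, List, Optional, Tuple

# Constructed flow records: (source, destination, payload).
# The first two payloads are copied from the paste (blob shortened);
# the third is a benign JSON-RPC request that must not be flagged.
FLOWS: List[Tuple[str, str, str]] = [
    ("10.0.0.5:49211", "185.161.211.75:8080",
     '{"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"123","pass":"x",'
     '"agent":"XMRig/1.0.1 (Windows NT 6.1) libuv/1.12.1-dev msvc/2017"}}'),
    ("185.161.211.75:8080", "10.0.0.5:49211",
     '{"id":1,"jsonrpc":"2.0","result":{"id":"3bdfe02e-f5cb-4bb3-8981-e345df666c41",'
     '"job":{"blob":"060689ded2d5","job_id":"zgVbFOHUheAkBMzCHGP5lYvz1Sgn900",'
     '"target":"c51a0d00"},"status":"OK"}}'),
    ("10.0.0.7:51000", "192.0.2.10:8080",
     '{"id":7,"jsonrpc":"2.0","method":"getStatus","params":{}}'),
]

# User-agent prefixes of common miners (compared lower-cased).
MINER_AGENT_PREFIXES = ("xmrig", "xmr-stak", "cpuminer", "ccminer", "minerd")


def classify_payload(payload: str) -> Optional[Dict[str, object]]:
    """Summarise a Stratum login or job message; return None for anything else."""
    try:
        msg = json.loads(payload)
    except ValueError:
        return None
    if not isinstance(msg, dict) or msg.get("jsonrpc") != "2.0":
        return None
    if msg.get("method") == "login":
        params = msg.get("params") or {}
        agent = str(params.get("agent", ""))
        return {
            "kind": "login",
            "agent": agent,
            "known_miner": agent.lower().startswith(MINER_AGENT_PREFIXES),
            "wallet_or_user": str(params.get("login", "")),
        }
    result = msg.get("result")
    if isinstance(result, dict) and isinstance(result.get("job"), dict):
        job = result["job"]
        if {"blob", "job_id", "target"} <= set(job):
            return {"kind": "job", "job_id": job["job_id"], "target": job["target"]}
    return None


def stratum_difficulty(target_hex: str) -> int:
    """Pool difficulty implied by a 4-byte Stratum target (XMRig convention):
    the target is a little-endian uint32 and difficulty = 0xFFFFFFFF // target."""
    target = int.from_bytes(bytes.fromhex(target_hex), "little")
    return 0xFFFFFFFF // target


def find_mining_pools(flows: List[Tuple[str, str, str]]) -> Dict[str, Dict[str, object]]:
    """Map pool endpoint -> login details for every peer that both received a
    miner login and handed back work; a login alone could be an unrelated RPC."""
    logins: Dict[str, Dict[str, object]] = {}
    pools: Dict[str, Dict[str, object]] = {}
    for src, dst, payload in flows:
        info = classify_payload(payload)
        if info is None:
            continue
        if info["kind"] == "login":
            logins[dst] = info
        elif info["kind"] == "job" and src in logins:
            details = dict(logins[src])
            details["difficulty"] = stratum_difficulty(str(info["target"]))
            pools[src] = details
    return pools


if __name__ == "__main__":
    for pool, details in find_mining_pools(FLOWS).items():
        print(pool, details)
```

Requiring both the login and a returned job before reporting a pool keeps unrelated JSON-RPC services on port 8080 out of the result; the decoded difficulty (about 5000 for the target in the paste) is a useful hint that the pool is serving a CPU miner.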
  40.  
Suspicious behaviour:

"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\system32\niqejnil\
"C:\Windows\System32\cmd.exe" /C move /Y "%TEMP%\udtnmluk.exe" C:\Windows\system32\niqejnil\
"C:\Windows\System32\sc.exe" create niqejnil binPath= "C:\Windows\system32\niqejnil\udtnmluk.exe /d\"<original path>"" type= own start= auto DisplayName= "wifi support"
"C:\Windows\System32\sc.exe" description niqejnil "wifi internet conection"
"C:\Windows\System32\sc.exe" start niqejnil
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\system32\svchost.exe" enable=yes>nul
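The command lines above form one persistence chain: a randomly named directory under System32, the dropper moved out of %TEMP% into it, an auto-start service pointing at it with a generic display name, and a blanket inbound firewall allow for svchost.exe. The script below is an added example, not part of the original paste, that turns each step into a detection rule over process-creation command lines (the shape Sysmon Event ID 1 or Windows 4688 gives you). The event list is constructed: the first six lines are the paste's commands, the last two are benign look-alikes (a vendor service under Program Files) that must stay quiet; the rule names are this example's own.

```python
"""Rules for the Tofsee-style service persistence and firewall tampering.

Added example; not part of the original paste.
"""
import re
from typing import Dict, List, Optional

# Constructed process-creation command lines. The first six are the paste's
# commands (a raw string cannot end in a backslash, hence the '+ "\\"');
# the last two are benign look-alikes that must produce no hits.
EVENTS: List[str] = [
    r'"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\system32\niqejnil' + "\\",
    r'"C:\Windows\System32\cmd.exe" /C move /Y "%TEMP%\udtnmluk.exe" C:\Windows\system32\niqejnil' + "\\",
    (r'"C:\Windows\System32\sc.exe" create niqejnil '
     r'binPath= "C:\Windows\system32\niqejnil\udtnmluk.exe /d\"<original path>"" '
     r'type= own start= auto DisplayName= "wifi support"'),
    r'"C:\Windows\System32\sc.exe" description niqejnil "wifi internet conection"',
    r'"C:\Windows\System32\sc.exe" start niqejnil',
    (r'"C:\Windows\System32\netsh.exe" advfirewall firewall add rule '
     r'name="Host-process for services of Windows" dir=in action=allow '
     r'program="C:\Windows\system32\svchost.exe" enable=yes>nul'),
    (r'"C:\Windows\System32\sc.exe" create VendorAgent '
     r'binPath= "C:\Program Files\Vendor\agent.exe" start= auto DisplayName= "Vendor Agent"'),
    (r'"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Vendor Agent" '
     r'dir=in action=allow program="C:\Program Files\Vendor\agent.exe" enable=yes'),
]

SYSTEM32 = re.escape(r"c:\windows\system32")  # matched against lower-cased text


def sc_create_fields(cmd: str) -> Optional[Dict[str, str]]:
    """Parse 'sc[.exe] create <name> key= value ...' into lower-cased keys, or None.
    sc.exe wants a space after each '=', values may be quoted, and Tofsee's binPath
    carries an escaped quote (\\") inside the quoted value, which the regex tolerates."""
    m = re.search(r'\bsc(?:\.exe)?"?\s+create\s+(\S+)(.*)$', cmd, re.I)
    if not m:
        return None
    fields = {"name": m.group(1)}
    for key, quoted, bare in re.findall(r'(\w+)=\s*(?:"((?:[^"\\]|\\.)*)"|(\S+))', m.group(2)):
        fields[key.lower()] = quoted or bare
    return fields


def detect(cmd: str) -> List[str]:
    """Return the names of every rule the command line matches."""
    hits: List[str] = []
    low = cmd.lower()

    # 1. New directory directly under System32: the sample stages itself in a
    #    randomly named folder there so the binary looks like an OS component.
    if re.search(r'\bmkdir\s+"?' + SYSTEM32 + r'\\[^\\"\s]+\\?', low):
        hits.append("directory_created_under_system32")

    # 2. Dropper moved out of %TEMP% into System32.
    if re.search(r'\bmove\b.*%temp%\\.*' + SYSTEM32 + r'\\', low):
        hits.append("staged_binary_moved_temp_to_system32")

    # 3. Auto-start service whose binary lives one level below System32;
    #    legitimate services are registered from System32 itself or Program Files.
    fields = sc_create_fields(cmd)
    if fields and "binpath" in fields:
        exe = re.match(r'\s*"?(.*?\.exe)', fields["binpath"], re.I)
        exe_path = (exe.group(1) if exe else fields["binpath"]).lower()
        if (re.fullmatch(SYSTEM32 + r'\\[^\\]+\\[^\\]+\.exe', exe_path)
                and fields.get("start", "").lower() == "auto"):
            hits.append("service_autostart_from_system32_subdir")

    # 4. Inbound allow rule for svchost.exe: svchost hosts many services, so a
    #    blanket allow exposes every listener it hosts, and no Windows component
    #    needs such a rule added through netsh.
    if (re.search(r'\bnetsh(?:\.exe)?"?\s+advfirewall\s+firewall\s+add\s+rule\b', low)
            and "dir=in" in low and "action=allow" in low):
        prog = re.search(r'program=(?:"([^"]*)"|(\S+))', low)
        if prog and (prog.group(1) or prog.group(2) or "").endswith("\\svchost.exe"):
            hits.append("firewall_inbound_allow_for_svchost")
    return hits


def scan(events: List[str]) -> List[List[str]]:
    """Run detect() over every command line, keeping positions aligned with the input."""
    return [detect(cmd) for cmd in events]


if __name__ == "__main__":
    for cmd, hits in zip(EVENTS, scan(EVENTS)):
        print(hits or ["-"], cmd[:70])
```

Rule 3 is the one worth keeping even outside a Tofsee investigation: `sc create ... start= auto` with a binary one directory below System32 is rare in legitimate software, and parsing the `key= value` fields instead of grepping the raw line avoids being fooled by quoting tricks like the escaped quote in the paste.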