- #TOFSEE
- fb3581f3e000845de152a70cd83a7051f37200340c5e4a1442d6f4725a73ae36
- VT First Submission 2018-02-05 23:20:02
- Network:
- tcp localhost <---> 43.231.4.6:483 (encrypted communications)
- tcp localhost <---> 43.231.4.7:443 (encrypted communications)
- tcp localhost <---> 144.76.199.43:427 (encrypted communications)
- tcp localhost <---> 144.76.199.2:427 (encrypted communications)
- tcp localhost <---> 85.25.119.25:427 (encrypted communications)
- tcp localhost <---> 176.111.49.43:427 (encrypted communications)
- tcp localhost ---> 13.77.92.139 (a.login.skype.com) :443
- tcp localhost ---> 185.161.211.75:8080: (coin mining pool)
- {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"123","pass":"x","agent":"XMRig/1.0.1 (Windows NT 6.1) libuv/1.12.1-dev msvc/2017"}}
- tcp 185.161.211.75:8080 ---> localhost: (coin mining pool)
- {"id":1,"jsonrpc":"2.0","result":{"id":"3bdfe02e-f5cb-4bb3-8981-e345df666c41","job":{"blob":"060689ded2d5058f7922eb536a671718a6ff92b6177fbf2175288151bb4c372ec8b545c70cb91300000090a57b31d66556c10e58958b20ae5bb95a3d30874bd9930a54263dbe9ade3e786501","job_id":"zgVbFOHUheAkBMzCHGP5lYvz1Sgn900","target":"c51a0d00"},"status":"OK"}}
- etc...
- Suspicious behaviour:
- "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\system32\niqejnil\
- "C:\Windows\System32\cmd.exe" /C move /Y "%TEMP%\udtnmluk.exe" C:\Windows\system32\niqejnil\
- "C:\Windows\System32\sc.exe" create niqejnil binPath= "C:\Windows\system32\niqejnil\udtnmluk.exe /d\"<original path>"" type= own start= auto DisplayName= "wifi support"
- "C:\Windows\System32\sc.exe" description niqejnil "wifi internet conection"
- "C:\Windows\System32\sc.exe" start niqejnil
- "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\system32\svchost.exe" enable=yes>nul