Cluster C

656 samples (WinXP (100%))
Ports
Attack port
445 (100%)
Files
Drops
x.exe (100%)
ftpupd.exe (84%)
cmd.exe (83%)
csrss.exe (83%)
explorer.exe (83%)
lsass.exe (83%)

Processes
cmd.exe (94%)
csrss.exe (94%)
explorer.exe (94%)
lsass.exe (94%)
services.exe (94%)
spoolsv.exe (94%)

Snort
Snort IDs / Snort Egg IDs / Snort Outbound IDs
1:22000032:6 (65%)
1:22466:7 (65%)
1:292000032:99 (65%)
1:299913:1 (65%)
1:2000032:6 (35%)
1:2000032:99 (35%)

1:3000003:99 (100%)
1:2001683:3 (99%)
1:3000000:99 (99%)
1:5001684:99 (99%)
555:5555005:1 (89%)
1:2001569:11 (88%)
Registry
Registry keys
...microsoft/wireless (100%)

Registry values
id (100%)
Servers
DNS Lookups
UA:citi-bank.ru (76%)

Failed connections
UA:194.54.90.246:80 (88%)

C & C IPs
194.54.90.246:80 (87%)
85.114.137.60:65520 (8%)
85.114.137.60:80 (5%)
Chatter
FTP chatter
-

HTTP chatter
UA=mozilla/4.0 (100%)
filename=/x.exe (100%)
version=1.0 (100%)

IRC chatter
-
Static Analysis
Antivirus labels
sophos (100%)
korgo (99%)
symantec (99%)
padobot (99%)
authentium (99%)
etrust (99%)

Packed MD5
7d99b0... (29%)
7f6016... (18%)
d42c1c... (7%)
3ae357... (5%)
diversity: 16.3%

Unpacked MD5
7a70e1... (29%)
1aad8e... (18%)
af9ca5... (7%)
462a7b... (5%)
diversity: 7.7%