Cluster E

387 samples (WinXP 54%, Win2K-f 46%)


Ports
  Attack port:  445 (100%)
  Ports:        12045 (100%)
Files
  Drops:
    ctfmom.exe (80%)
    cmd.exe (48%)
    csrss.exe (48%)
    explorer.exe (48%)
    lsass.exe (48%)
    services.exe (48%)
    (list truncated)
  Processes:
    cmd.exe (98%)
    csrss.exe (98%)
    explorer.exe (98%)
    lsass.exe (98%)
    services.exe (98%)
    spoolsv.exe (98%)
    (list truncated)

  Note: ctfmom.exe is a one-letter lookalike of the legitimate Windows ctfmon.exe, and the other dropped-file names are those of standard system processes; a process list alone will not distinguish them from the real binaries, so check paths and hashes.

Snort
  Snort IDs:
    1:22000032:6 (100%)
    1:22466:7 (100%)
    1:292000032:99 (100%)
    1:299913:1 (54%)
    1:299906:1 (46%)
  Snort Egg IDs:
    1:5001684:99 (100%)
  Snort Outbound IDs:
    1:52123:3 (100%)

  The 54%/46% split between 1:299913:1 and 1:299906:1 mirrors the WinXP/Win2K-f split of the sample population.
Registry
  Registry keys (autostart locations):
    ...currentversion/runservices (100%)
    ...currentversion/runonce (100%)
    ...currentversion/runonce (100%)
    (list truncated)
  Registry values:
    windowsupdatess (54%)
    syspersonalfirewall (46%)
Servers
  DNS lookups:
    US:chat-shqip.org (84%)
    US:w3bs.chat-shqip.org (73%)
  Failed connections:
    US:69.247.147.113:13001 (96%)
    US:69.247.147.113:12351 (92%)
  C & C IPs:
    69.247.147.113:13001 (80%)
    69.247.147.113:12351 (20%)
Chatter (FTP chatter / HTTP chatter / IRC chatter)
  pass=a (100%)
  user=a (100%)
  exec=ctfmom.exe (80%)
  --
Static Analysis
  Antivirus labels:
    sophos (96%)
    wootbot (72%)
    forbot (61%)
    drweb (58%)
    backdoorwootbot (57%)
    fortinet (56%)
    (list truncated)
  Packed MD5:
    17739a... (43%)
    ca15c0... (10%)
    (list truncated)
    diversity: 34.4%
  Unpacked MD5:
    diversity: N/A
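A cluster profile like the one above is most useful as a template to triage new samples against: encode each shown feature with its prevalence and compute a prevalence-weighted overlap per category. The script below is an added example, not code from the cluster page or its authors. The percentages are transcribed from the page (DNS names with the "US:" country tag dropped, and only the truncated lists that are shown); the report format (a dict of category to observed strings) and the two sample reports at the bottom are constructed for this example.

```python
"""Score a sandbox behaviour report against the Cluster E profile.

Added example; the feature lists are transcribed from the cluster page,
the report format and the two sample reports are constructed here.
"""
from typing import Dict, Iterable, List, Mapping

# category -> {feature: fraction of the 387 Cluster E samples exhibiting it}
CLUSTER_E: Dict[str, Dict[str, float]] = {
    "attack_port": {"445": 1.00},
    "drops": {
        "ctfmom.exe": 0.80, "cmd.exe": 0.48, "csrss.exe": 0.48,
        "explorer.exe": 0.48, "lsass.exe": 0.48, "services.exe": 0.48,
    },
    "registry_values": {"windowsupdatess": 0.54, "syspersonalfirewall": 0.46},
    "dns": {"chat-shqip.org": 0.84, "w3bs.chat-shqip.org": 0.73},
    "cnc": {"69.247.147.113:13001": 0.80, "69.247.147.113:12351": 0.20},
}

Report = Mapping[str, Iterable[str]]


def _normalise(values: Iterable[str]) -> set:
    """Case-insensitive comparison: sandbox output varies in case."""
    return {v.strip().lower() for v in values}


def category_score(profile: Mapping[str, float], observed: Iterable[str]) -> float:
    """Prevalence-weighted overlap for one category.

    Each profile feature the report shows contributes its prevalence; the sum
    is divided by the total prevalence of the profile's features, so a rare
    feature (69.247.147.113:12351, 20%) counts less than a common one.
    """
    total = sum(profile.values())
    if total == 0:
        return 0.0
    seen = _normalise(observed)
    return sum(w for feat, w in profile.items() if feat.lower() in seen) / total


def matched_features(report: Report, profile=CLUSTER_E) -> Dict[str, List[str]]:
    """Which profile features the report exhibits, per category (for analyst review)."""
    out: Dict[str, List[str]] = {}
    for cat, feats in profile.items():
        seen = _normalise(report.get(cat, ()))
        out[cat] = sorted(f for f in feats if f.lower() in seen)
    return out


def score_report(report: Report, profile=CLUSTER_E) -> float:
    """Mean of the per-category scores over every profile category.

    Categories the report lacks score zero rather than being skipped, so a
    report containing only a DNS section cannot look like a full match.
    """
    scores = [category_score(feats, report.get(cat, ())) for cat, feats in profile.items()]
    return sum(scores) / len(scores)


def is_cluster_e(report: Report, threshold: float = 0.5) -> bool:
    """Threshold is an assumption for this example; tune it on labelled data."""
    return score_report(report) >= threshold


# Constructed sample reports (not real sandbox output).
SAMPLE_MATCH: Dict[str, List[str]] = {
    "attack_port": ["445"],
    "drops": ["ctfmom.exe", "cmd.exe"],
    "registry_values": ["WindowsUpdatess"],
    "dns": ["chat-shqip.org", "w3bs.chat-shqip.org"],
    "cnc": ["69.247.147.113:13001"],
}
SAMPLE_OTHER: Dict[str, List[str]] = {
    "attack_port": ["139"],
    "drops": ["svchost32.exe"],
    "registry_values": ["winlogon"],
    "dns": ["example.invalid"],
    "cnc": ["192.0.2.10:6667"],
}

if __name__ == "__main__":
    for name, rep in (("match", SAMPLE_MATCH), ("other", SAMPLE_OTHER)):
        print(name, round(score_report(rep), 3), matched_features(rep))
```

The registry values (54% + 46%) and the two C&C ports (80% + 20%) each sum to 100%, i.e. they are alternatives within the cluster, so a report that shows one of the pair is scored by that alternative's prevalence rather than penalised for missing the other.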