| Attack port | Ports |
|---|---|
| 445 (100%) | 44445 (100%) |

| Drops | Processes |
|---|---|
| resource32w.exe (100%) | cmd.exe (45%) |
| cmd.exe (31%) | csrss.exe (45%) |
| csrss.exe (31%) | explorer.exe (45%) |
| explorer.exe (31%) | lsass.exe (45%) |
| lsass.exe (31%) | services.exe (45%) |
| services.exe (31%) | spoolsv.exe (45%) |

random 9 character filename

| Snort IDs | Snort Egg IDs | Snort Outbound IDs |
|---|---|---|
| 1:22466:7 (62%) | 1:5001684:99 (98%) | 1:52123:3 (63%) |
| 1:292000032:99 (62%) | 1:2001683:3 (97%) | 555:5555005:1 (37%) |
| 1:22000032:6 (59%) | 1:31000004:99 (62%) | |
| 1:2000032:99 (38%) | 1:3000004:99 (38%) | |
| 1:2466:7 (38%) | | |
| 1:2000032:6 (38%) | | |

| Registry keys | Registry values |
|---|---|
| ...currentversion/runservices (87%) | networkhostservice (86%) |
| ...microsoft/ole (86%) | defaultconnectionsettings (55%) |
| ...internetsettings/5.0 (55%) | |
| ...internetsettings/connections (55%) | |
| ...microsoft/ole (32%) | |

| DNS Lookups | Failed connections | C & C IPs |
|---|---|---|
| :proxim.ircgalaxy.pl (45%) | CZ:217.170.244.2:443 (98%) | 217.170.244.2:443 (90%) |
| DE:proxim.ircgalaxy.pl (38%) | CZ:82.114.64.251:443 (87%) | |

| FTP chatter | HTTP chatter | IRC chatter |
|---|---|---|
| exec=resource32w.exe (100%) | - | - |
| pass=a (98%) | | |
| user=a (98%) | | |

| Antivirus labels | Packed MD5 | Unpacked MD5 |
|---|---|---|
| sdbot (99%) | 7fdfe3... (71%), diversity: 18.4% | 10862e... (71%), diversity: 3.6% |
| rbot (99%) | | |
| spybot (97%) | | |
| _trojano (96%) | | |
| antivir (88%) | | |
| backdoorrbot (84%) | | |