Cluster K

311 samples: Win2K-f (64%), WinXP (36%)


Ports
  Attack port: 445 (100%)
Files
  Drops
    hotefix.exe (100%)
    cmd.exe (28%)
    csrss.exe (28%)
    explorer.exe (28%)
    lsass.exe (28%)
    services.exe (28%)
  Processes
    hotefix.exe (100%)
    cmd.exe (53%)
    csrss.exe (53%)
    explorer.exe (53%)
    lsass.exe (53%)
    services.exe (53%)

Snort
  Snort IDs | Snort Egg IDs | Snort Outbound IDs
1:1390:5 (86%)
1:2001944:3 (86%)
1:99998:2 (86%)
1:3003:4 (85%)
1:3000006:99 (99%)
1:2001684:3 (86%)
555:5555005:1 (100%)
1:2001569:11 (94%)
Registry
  Registry keys
    ...currentversion/runservices (100%)
    ...currentversion/runonce (55%)
    ...currentversion/run (45%)
  Registry values
    hotefix (100%)
Servers
  DNS Lookups
    CN:hail.dns2go.com (75%)
    CN:scorti1.dns2go.com (63%)
  Failed connections
    CN:211.96.97.44:7000 (39%)
    CN:222.177.11.165:7000 (32%)
  C & C IPs
    222.177.11.165:7000 (40%)
    211.96.97.44:7000 (31%)
    209.250.232.240:7000 (14%)
    210.217.196.11:7000 (11%)
Chatter
  FTP chatter
    exec=hotefix.exe (100%)
    user=a (100%)
    pass=a (68%)
    pass=saad (27%)
  HTTP chatter
    -
Static Analysis
  Antivirus labels
    _agent (100%)
    ikarus (100%)
    sophos (100%)
    webwasher (100%)
    kaspersky (99%)
    symantec (98%)
  Packed MD5
    a2a036... (87%)
    diversity: 11.6%
  Unpacked MD5
    diversity: 100.0%