Remote Host Port Number
94.76.225.88 1234
NICK n[USA|XP]6843869
USER 7028 "" "lol" :7028
JOIN #!l!
PONG :2.priv8net.com
A little update here:
sto.leshatuki.com 201.140.27.83
C&C Server: 201.140.27.83:1234
Server Password:
Username: 1046
Nickname: n[DEU|XP]2202206
Channel: #!l! (Password: )
Channeltopic:
C&C Server: 201.140.27.83:1234
Server Password:
Username: 0593
Nickname: [DEU|XP]9257441
Channel: #!l! (Password: )
Channeltopic:
Registry Modifications
* The following Registry Value was modified:
o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
+ Userinit =
Memory Modifications
* There were new processes created in the system:
Process Name Process Filename Main Module Size
winfil.exe %Windir%\winfil.exe 65 536 bytes
[filename of the sample #1] [file and pathname of the sample #1] 147 456 bytes
File System Modifications
* The following files were created in the system:
# Filename(s) File Size File Hash Alias
1 c:\a.txt 0 bytes MD5: 0xD41D8CD98F00B204E9800998ECF8427E
SHA-1: 0xDA39A3EE5E6B4B0D3255BFEF95601890AFD80709 (not available)
2 [file and pathname of the sample #1]
%Windir%\winfil.exe 147 458 bytes MD5: 0x6E0DF4C21066B3F365582E5ED6AFA787
SHA-1: 0xDB30613FD0342DD02EE01794681032B39D7B593D Backdoor.LolBot [PCTools]
Registry Changes by all processes
Create or Open
Changes HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List "c:\IMAGE464facebook.com.JPG.jpg.exe" = c:\IMAGE464facebook.com.JPG.jpg.exe:*:Enabled:Userinit
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon "Userinit" = C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\winfil.exe
Reads HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\SystemShared "CUAS"
HKEY_CURRENT_USER\Keyboard Layout\Toggle "Language Hotkey"
HKEY_CURRENT_USER\Keyboard Layout\Toggle "Layout Hotkey"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF "EnableAnchorContext"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IMM "Ime File"
HKEY_CURRENT_USER\Software\Microsoft\CTF "Disable Thread Input Manager"
HKEY_LOCAL_MACHINE\SYSTEM\WPA\MediaCenter "Installed"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\SystemShared "CUAS"
HKEY_CURRENT_USER\Keyboard Layout\Toggle "Language Hotkey"
HKEY_CURRENT_USER\Keyboard Layout\Toggle "Layout Hotkey"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF "EnableAnchorContext"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IMM "Ime File"
HKEY_CURRENT_USER\Software\Microsoft\CTF "Disable Thread Input Manager"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\SecurityService "DefaultAuthLevel"
File Changes by all processes
New Files C:\WINDOWS\winfil.exe
\Device\RasAcd
C:\a.txt
Opened Files C:\WINDOWS\AppPatch\sysmain.sdb
C:\WINDOWS\AppPatch\systest.sdb
\Device\NamedPipe\ShimViewer
C:\WINDOWS
Deleted Files
Chronological Order Get File Attributes: C:\WINDOWS\system32\.HLP Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\WINDOWS\Help\.HLP Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\WINDOWS\winfil.exe Flags: (SECURITY_ANONYMOUS)
Copy File: c:\IMAGE464facebook.com.JPG.jpg.exe to C:\WINDOWS\winfil.exe
Set File Attributes: C:\WINDOWS\winfil.exe Flags: (FILE_ATTRIBUTE_HIDDEN FILE_ATTRIBUTE_READONLY FILE_ATTRIBUTE_SYSTEM SECURITY_ANONYMOUS)
Open File: C:\WINDOWS\AppPatch\sysmain.sdb (OPEN_EXISTING)
Open File: C:\WINDOWS\AppPatch\systest.sdb (OPEN_EXISTING)
Open File: \Device\NamedPipe\ShimViewer (OPEN_EXISTING)
Open File: C:\WINDOWS ()
Find File: C:\WINDOWS\winfil.exe
Get File Attributes: C:\WINDOWS\system32\.HLP Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\WINDOWS\Help\.HLP Flags: (SECURITY_ANONYMOUS)
Create/Open File: \Device\RasAcd (OPEN_ALWAYS)
Create File: C:\a.txt