Remote Host Port Number
67.202.108.130 6567 s1m0n3t4
67.202.109.164 80
MODE [SI|USA|00|P|34779] -ix
JOIN #nuevocsm# c1rc0dus0leil
PRIVMSG #nuevocsm# :[Dl]: File download: 84.0KB to: C:DOCUME~1UserNameLOCALS~1Temperaseme_83035.exe @ 84.0KB/sec.
QUIT [Update]: Updating to new bin.
NICK [SI|USA|00|P|51927]
USER XP-2630 * 0 :COMPUTERNAME
MODE [SI|USA|00|P|51927] -ix
JOIN #xd# c1rc0dus0leil
NICK [SI|USA|00|P|34779]
USER XP-7375 * 0 :COMPUTERNAME
MODE [SI|USA|00|P|38552] -ix
JOIN #update# c1rc0dus0leil
PONG Coupe.Network
NICK [SI|USA|00|P|38552]
USER XP-4514 * 0 :COMPUTERNAME
* The data identified by the following URL was then requested from the remote web server:
o http://67.202.109.164/make/xdrlz.exe
* The following port was open in the system:
Port Protocol Process
1054 TCP oldbin.exe (%Windir%oldbin.exe)
Registry Modifications
* The newly created Registry Values are:
o [HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun]
+ Ci Servs = “oldbin.exe”
so that oldbin.exe runs every time Windows starts
o [HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionTerminal ServerInstallSoftwareMicrosoftWindowsCurrentVersionRun]
+ Ci Servs = “oldbin.exe”
so that oldbin.exe runs every time Windows starts
Memory Modifications
* There were new processes created in the system:
Process Name Process Filename Main Module Size
oldbin.exe %Windir%oldbin.exe 335 872 bytes
eraseme_83035.exe %Temp%eraseme_83035.exe 335 872 bytes
File System Modifications
* The following files were created in the system:
# Filename(s) File Size File Hash
1 %Temp%eraseme_83035.exe
%Windir%oldbin.exe 86 016 bytes MD5: 0x4B141FC8CAFBFAF434441B0927124E40
SHA-1: 0xD73205D1249BDE36A46B988C5CDFBBB895AC51EE
2 [file and pathname of the sample #1] 86 016 bytes MD5: 0x8CC3C3D2E40D59B8A4B6E7342AB2F794
SHA-1: 0x89A892C0206F339064BED4CFACAA9D2CCDD20C5B