Remote Host Port Number
66.187.108.125 81
NICK n[USA|XP|COMPUTERNAME]vdpunpf
USER n "" "lol" :n
JOIN #biz#
PONG 422
JOIN #USA# (null)
Registry Modifications
* The newly created Registry Value is:
o [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
+ WindowsDriverControl = "%AppData%\C-76947-8457-2745\winmsngrn.exe"
so that winmsngrn.exe runs every time Windows starts
File System Modifications
* The following files were created in the system:
1. Filename(s): %AppData%\C-76947-8457-2745\winmsngrn.exe [file and pathname of the sample #1]
   File Size: 245 760 bytes
   File Hash: MD5: 0xBDC37932ACF691FCDA0BEC6185C52BBC, SHA-1: 0x1DCA23F074B6C47EE9A62C91492F5A9E0B7C05A0
   Alias: Backdoor.LolBot [PCTools]
2. Filename(s): %System%\winrtsnr.txt
   File Size: 0 bytes
   File Hash: MD5: 0xD41D8CD98F00B204E9800998ECF8427E, SHA-1: 0xDA39A3EE5E6B4B0D3255BFEF95601890AFD80709
updateserver.net DNS_TYPE_A 173.1.102.34
173.1.102.35
66.187.108.125
updateserver.net :81
Nick: n[AUS|XP|pc9]jzovegr
Username: n
Joined Channel: #biz#
Joined Channel: #AUS#
Channel Topic for Channel #biz#: “.j”
Private Message to Channel #biz#: “.s /99/106/112/81/55/59/40/56/107/101/98/120/116/50/121/102/98/39/122/122/125/120/57/22/18/40/50/43/58/58/41/63/97/92/107/80/102/”
Process Created
HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
WindowsDriverControl
C:\Documents and Settings\Administrator\Application Data\C-76947-8457-2745\winmsngrn.exe