synrules.serveirc.com 188.165.47.211
Opened listening TCP connection on port: 113
* C&C Server: 188.165.47.211:6667
* Server Password:
* Username: htburv
* Nickname: I-[Scan]-265831
* Channel: #syn (Password: )
* Channeltopic: :no
NICK I-[Scan]-591967
USER sawbsh 0 0 :I-[Scan]-591967
USERHOST I-[Scan]-591967
MODE I-[Scan]-591967 -x+B
JOIN #syn
NOTICE I-[Scan]-591967 :.VERSION mIRC v6.12 Khaled Mardam-Bey.
PRIVMSG #syn :[MAIN]: Status: Ready. Bot Uptime: 0d 0h 0m.
PRIVMSG #syn :[MAIN]: Bot ID: Rockstar.
PRIVMSG #syn :[Scn]: Exploit Statistics: NetBios: 0, NTPass: 0, Dcom135: 0, Dcom1025: 0, Dcom2: 0, MSSQL: 0, lsass: 0, Total: 0 in 0d 0h 0m.
PRIVMSG #syn :[MAIN]: Uptime: 0d 0h 1m.
PRIVMSG #syn :[PROC]: Failed to terminate process: PROCESS_NAME_TO_TERMINATE
PRIVMSG #syn :[HTTPD]: Server listening on IP: 127.0.0.1:81, Directory: .
PRIVMSG #syn :[DDoS]: Flooding: (127.0.0.2:1234) for 50 seconds.
PRIVMSG #syn :[DDoS]: Done with flood (0KB/sec).
PRIVMSG #syn :[SYN]: Done with flood (0KB/sec).
PRIVMSG #syn :[SYN]: Flooding: (127.0.0.2:1234) for 50 seconds.
PRIVMSG #syn :[SCAN]: Random Port Scan started on 127.0.x.x:445 with a delay of 5 seconds for 0 minutes using 10 threads.
PRIVMSG #syn :[SCAN]: Random Port Scan started on 127.0.x.x:139 with a delay of 5 seconds for 0 minutes using 10 threads.
PRIVMSG #syn :[SCAN]: Failed to start scan, port is invalid.
NICK I-[Scan]-730518
USER djwmzvmc 0 0 :I-[Scan]-730518
USERHOST I-[Scan]-730518
MODE I-[Scan]-730518 -x+B
NICK I-[Scan]-691603
USER agkjvx 0 0 :I-[Scan]-691603
USERHOST I-[Scan]-691603
MODE I-[Scan]-691603 -x+B
NICK I-[Scan]-844435
USER marnqxe 0 0 :I-[Scan]-844435
USERHOST I-[Scan]-844435
MODE I-[Scan]-844435 -x+B
NICK I-[Scan]-313963
USER jrjpmj 0 0 :I-[Scan]-313963
USERHOST I-[Scan]-313963
MODE I-[Scan]-313963 -x+B
Registry Changes by all processes
Create or Open:
Changes:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Microsoft Update Machine" = kqedmk.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices "Microsoft Update Machine" = kqedmk.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Microsoft Update Machine" = kqedmk.exe
Reads:
HKEY_LOCAL_MACHINE\SYSTEM\WPA\MediaCenter "Installed"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\SecurityService "10"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders "SecurityProviders"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msapsspc.dll "Name"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msapsspc.dll "Comment"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msapsspc.dll "Capabilities"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msapsspc.dll "RpcId"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msapsspc.dll "Version"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msapsspc.dll "Type"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msapsspc.dll "TokenSize"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\digest.dll "Name"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\digest.dll "Comment"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\digest.dll "Capabilities"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\digest.dll "RpcId"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\digest.dll "Version"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\digest.dll "Type"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\digest.dll "TokenSize"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msnsspc.dll "Name"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msnsspc.dll "Comment"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msnsspc.dll "Capabilities"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msnsspc.dll "RpcId"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msnsspc.dll "Version"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msnsspc.dll "Type"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msnsspc.dll "TokenSize"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\SecurityService "DefaultAuthLevel"
File Changes by all processes
New Files:
\Device\Tcp
\Device\Ip
\Device\Ip
C:\WINDOWS\system32\kqedmk.exe
\Device\Tcp
\Device\Ip
\Device\Ip
\Device\RasAcd
Opened Files:
\\.\Ip
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\kqedmk.exe
C:\WINDOWS\AppPatch\sysmain.sdb
C:\WINDOWS\AppPatch\systest.sdb
\Device\NamedPipe\ShimViewer
C:\WINDOWS\system32
\\.\Ip
\\.\PIPE\ROUTER
\\.\PIPE\lsarpc
c:\autoexec.bat
Deleted Files:
c:\bwnxqd.exe
Chronological Order:
Create/Open File: \Device\Tcp (OPEN_ALWAYS)
Create/Open File: \Device\Ip (OPEN_ALWAYS)
Create/Open File: \Device\Ip (OPEN_ALWAYS)
Open File: \\.\Ip (OPEN_EXISTING)
Get File Attributes: C:\WINDOWS\system32\kqedmk.exe Flags: (SECURITY_ANONYMOUS)
Copy File: c:\bwnxqd.exe to C:\WINDOWS\system32\kqedmk.exe
Open File: C:\WINDOWS\explorer.exe (OPEN_EXISTING)
Open File: C:\WINDOWS\system32\kqedmk.exe (OPEN_EXISTING)
Set File Time: C:\WINDOWS\system32\kqedmk.exe
Set File Attributes: C:\WINDOWS\system32\kqedmk.exe Flags: (FILE_ATTRIBUTE_HIDDEN FILE_ATTRIBUTE_READONLY FILE_ATTRIBUTE_SYSTEM SECURITY_ANONYMOUS)
Open File: C:\WINDOWS\AppPatch\sysmain.sdb (OPEN_EXISTING)
Open File: C:\WINDOWS\AppPatch\systest.sdb (OPEN_EXISTING)
Open File: \Device\NamedPipe\ShimViewer (OPEN_EXISTING)
Open File: C:\WINDOWS\system32 ()
Find File: C:\WINDOWS\system32\kqedmk.exe
Create/Open File: \Device\Tcp (OPEN_ALWAYS)
Create/Open File: \Device\Ip (OPEN_ALWAYS)
Create/Open File: \Device\Ip (OPEN_ALWAYS)
Open File: \\.\Ip (OPEN_EXISTING)
Delete File: c:\bwnxqd.exe
Open File: \\.\PIPE\ROUTER (OPEN_EXISTING)
Open File: \\.\PIPE\lsarpc (OPEN_EXISTING)
Get File Attributes: c:\autoexec.bat Flags: (SECURITY_ANONYMOUS)
Open File: c:\autoexec.bat (OPEN_EXISTING)
Find File: C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Network\Connections\Pbk\*.pbk
Find File: C:\WINDOWS\system32\Ras\*.pbk
Find File: C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\Microsoft\Network\Connections\Pbk\*.pbk
Create/Open File: \Device\RasAcd (OPEN_ALWAYS)