by amanvir_sangha
4818 days ago
Some basic analysis of the binary:

Creates the following directories:
  %UserProfile%\537214
  %UserProfile%\684544
  %AppData%\dclogs

Creates a new registry value (so that it runs every time on startup):
  [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
  537214 = "%UserProfile%\537214\svhost.exe"

Tries to connect to: tamere123.no-ip.org on ports 80 and 1604

The subdomain above leads to the following IP: 198.203.29.120
Which, according to iplocation.net, is located in: Los Angeles, California
ISP: Hugeserver Networks Llc

It's very unusual for malware to be hosted in the USA, so I would assume that either it is a compromised computer/bot or it is some script kiddie using his home connection. The latter is more likely, since there were no exploits used, just social engineering and luck.

File hashes:
  MD5: 0x81F8E4C33ADECE6BF89EF171D9930282
  SHA-1: 0xF540BA6C5F1C2AA50B81A440E7D74F8CF588B4D7
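The indicators in the comment above (drop directories, the HKCU Run value, the dropped svhost.exe hashes, the no-ip hostname and its address on ports 80 and 1604) are enough for a defender to check a Windows host. The script below is an added example written for this page, not code from the commenter or from any referenced project. It assumes a Windows host with PowerShell 3 or later; the connection and DNS-cache checks additionally rely on Get-NetTCPConnection and Get-DnsClientCache (present on Windows 8 / Server 2012 and later and skipped quietly elsewhere). The function names and the report layout are this example's own choices; the indicator values are copied from the comment, with the 0x prefix dropped because Get-FileHash reports bare hex.

```powershell
# Added host-check example (not from the original post). Looks for the
# indicators the comment lists; function names and output format are
# this example's own choices.

# Indicators copied from the post; 0x prefix dropped to match Get-FileHash output.
$Ioc = @{
    Directories   = @("$env:USERPROFILE\537214", "$env:USERPROFILE\684544", "$env:APPDATA\dclogs")
    RunKeyPath    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    RunValueName  = '537214'
    DroppedBinary = "$env:USERPROFILE\537214\svhost.exe"
    MD5           = '81F8E4C33ADECE6BF89EF171D9930282'
    SHA1          = 'F540BA6C5F1C2AA50B81A440E7D74F8CF588B4D7'
    C2Host        = 'tamere123.no-ip.org'
    C2Address     = '198.203.29.120'
    C2Ports       = @(80, 1604)
}

function Test-DroppedDirectories {
    # Reports each of the three drop directories that exists on this host.
    foreach ($dir in $Ioc.Directories) {
        if (Test-Path -LiteralPath $dir -PathType Container) {
            [pscustomobject]@{ Indicator = 'Directory'; Detail = $dir }
        }
    }
}

function Test-RunKeyPersistence {
    # The sample persists through an HKCU Run value named 537214.
    $props = Get-ItemProperty -Path $Ioc.RunKeyPath -ErrorAction SilentlyContinue
    if ($props -and ($props.PSObject.Properties.Name -contains $Ioc.RunValueName)) {
        $target = $props.($Ioc.RunValueName)
        [pscustomobject]@{ Indicator = 'RunKey'; Detail = "$($Ioc.RunValueName) = $target" }
    }
}

function Test-DroppedBinaryHash {
    # Hash the dropped svhost.exe (if present) and compare to the posted MD5/SHA-1.
    if (-not (Test-Path -LiteralPath $Ioc.DroppedBinary -PathType Leaf)) { return }
    $md5  = (Get-FileHash -LiteralPath $Ioc.DroppedBinary -Algorithm MD5).Hash
    $sha1 = (Get-FileHash -LiteralPath $Ioc.DroppedBinary -Algorithm SHA1).Hash
    if ($md5 -eq $Ioc.MD5 -or $sha1 -eq $Ioc.SHA1) {
        [pscustomobject]@{ Indicator = 'FileHash'; Detail = "$($Ioc.DroppedBinary) MD5=$md5 SHA1=$sha1" }
    } else {
        # Same path, different content: worth a look, but not this exact sample.
        [pscustomobject]@{ Indicator = 'FilePathOnly'; Detail = "$($Ioc.DroppedBinary) MD5=$md5" }
    }
}

function Test-C2Connection {
    # Live TCP connections to the posted address on the posted ports.
    Get-NetTCPConnection -RemoteAddress $Ioc.C2Address -ErrorAction SilentlyContinue |
        Where-Object { $_.RemotePort -in $Ioc.C2Ports } |
        ForEach-Object {
            [pscustomobject]@{
                Indicator = 'C2Connection'
                Detail    = "$($_.LocalAddress):$($_.LocalPort) -> $($_.RemoteAddress):$($_.RemotePort) ($($_.State))"
            }
        }
}

function Test-C2DnsCache {
    # The no-ip hostname in the client DNS cache shows a resolution attempt
    # even after the connection itself has closed.
    Get-DnsClientCache -ErrorAction SilentlyContinue |
        Where-Object { $_.Entry -like "*$($Ioc.C2Host)*" } |
        ForEach-Object {
            [pscustomobject]@{ Indicator = 'DnsCache'; Detail = "$($_.Entry) -> $($_.Data)" }
        }
}

# Collect all findings; functions that find nothing contribute an empty array.
$hits = @(Test-DroppedDirectories) + @(Test-RunKeyPersistence) + @(Test-DroppedBinaryHash) +
        @(Test-C2Connection) + @(Test-C2DnsCache)

if ($hits.Count -eq 0) {
    Write-Output 'No indicators from the post found on this host.'
} else {
    $hits | Format-Table -AutoSize
}
```

Run it in the context of the user whose profile is being checked, since the directories and the Run key both live under the per-user profile and HKCU. A FilePathOnly hit means the path exists with different content, which is normal for a family that gets repacked between victims; the directory and Run-value names are the more stable indicators here.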
It's a service by script kiddies for script kiddies.