armageddoncheats.net

Remote Host      Port Number
213.5.65.29      21
213.5.65.29      35989
213.5.65.29      80

FTP connections:
USER cmin04@armageddoncheats.net
USER rmin01@armageddoncheats.net
password: 123456

* The data identified by the following URLs was then requested from the remote web server:
o http://armageddoncheats.net/1.php?p1=COMPUTERNAME_HXOR
o http://armageddoncheats.net/2.php?p1=COMPUTERNAME_HXOR&p2=.
o http://armageddoncheats.net/2.php?p1=COMPUTERNAME_HXOR&p2=..
o http://armageddoncheats.net/3.php?p1=COMPUTERNAME_HXOR

Registry Modifications

* The following Registry Keys were created:
o HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_IBUFFER
o HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_IBUFFER\0000
o HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_IBUFFER\0000\Control
o HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\IBuffer
o HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\IBuffer\Security
o HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\IBuffer\Enum
o HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_IBUFFER
o HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_IBUFFER\0000
o HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_IBUFFER\0000\Control
o HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IBuffer
o HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IBuffer\Security
o HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IBuffer\Enum

* The newly created Registry Values are:
o [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_IBUFFER\0000\Control]
+ *NewlyCreated* = 0x00000000
+ ActiveService = "IBuffer"
o [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_IBUFFER\0000]
+ Service = "IBuffer"
+ Legacy = 0x00000001
+ ConfigFlags = 0x00000000
+ Class = "LegacyDriver"
+ ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
+ DeviceDesc = "Internet Buffer"
o [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_IBUFFER]
+ NextInstance = 0x00000001
o [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\IBuffer\Enum]
+ 0 = "Root\LEGACY_IBUFFER\0000"
+ Count = 0x00000001
+ NextInstance = 0x00000001
o [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\IBuffer\Security]
+ Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0
o [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\IBuffer]
+ Type = 0x00000010
+ Start = 0x00000002
+ ErrorControl = 0x00000001
+ ImagePath = "[file and pathname of the sample #1]"
+ DisplayName = "Internet Buffer"
+ ObjectName = "LocalSystem"
o [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_IBUFFER\0000\Control]
+ *NewlyCreated* = 0x00000000
+ ActiveService = "IBuffer"
o [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_IBUFFER\0000]
+ Service = "IBuffer"
+ Legacy = 0x00000001
+ ConfigFlags = 0x00000000
+ Class = "LegacyDriver"
+ ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
+ DeviceDesc = "Internet Buffer"
o [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_IBUFFER]
+ NextInstance = 0x00000001
o [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IBuffer\Enum]
+ 0 = "Root\LEGACY_IBUFFER\0000"
+ Count = 0x00000001
+ NextInstance = 0x00000001
o [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IBuffer\Security]
+ Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0
o [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IBuffer]
+ Type = 0x00000010
+ Start = 0x00000002
+ ErrorControl = 0x00000001
+ ImagePath = "[file and pathname of the sample #1]"
+ DisplayName = "Internet Buffer"
+ ObjectName = "LocalSystem"
o [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
+ ProxyEnable = 0x00000000

* The following Registry Values were modified:
o [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ServiceCurrent]
+ (Default) =
o [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ServiceCurrent]
+ (Default) =
o [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
+ Cookies =
+ History =

Memory Modifications

* There was a new process created in the system:

Process Name                  Process Filename                         Main Module Size
[filename of the sample #1]   [file and pathname of the sample #1]     49 152 bytes

* There was a new service created in the system:

Service Name   Display Name      Status      Service Filename
IBuffer        Internet Buffer   "Running"   [file and pathname of the sample #1]

File System Modifications

* The following file was created in the system:

#   Filename(s)                              File Size      File Hash                                           Alias
1   [file and pathname of the sample #1]     13 580 bytes   MD5: 0x64D25494E2CC89CFEC606D02D044DA98             packed with UPX [Kaspersky Lab]
                                                            SHA-1: 0x1432F60C895C095F11F3FE2AADC89CC273D838DB

* The following directory was created:
o c:\RECYCLER\Cache
