just.addsyrup.net 174.120.225.25
C&C Server: 174.120.225.25:6667
Server Password:
Username: 9273
Nickname: [9273|DEU|XP]
Channel: ##syrup## (Password: da32rga4a)
Channeltopic: :http://teamwaffle.net/bots/syrup.exe
Registry Changes by all processes

Create or Open

Changes
  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Microsoft Windows Hosting Service Login" = C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\explorer.exe
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Microsoft Windows Hosting Service Login" = C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\explorer.exe
  HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List "Microsoft Windows Hosting Service Login" = C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\explorer.exe

Reads
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\SystemShared "CUAS"
  HKEY_CURRENT_USER\Keyboard Layout\Toggle "Language Hotkey"
  HKEY_CURRENT_USER\Keyboard Layout\Toggle "Layout Hotkey"
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF "EnableAnchorContext"
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IMM "Ime File"
  HKEY_CURRENT_USER\Software\Microsoft\CTF "Disable Thread Input Manager"
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography "MachineGuid"
  HKEY_CURRENT_USER\Software\Microsoft\Visual Basic\6.0 "AllowUnsafeObjectPassing"
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\SecurityService "DefaultAuthLevel"
File Changes by all processes

New Files
  c:\syrup.exe
  C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\Microsoft
  C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\Microsoft\Crypto
  C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\Microsoft\Crypto\RSA
  C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\Microsoft\Crypto\RSA\S-1-5-21-583907252-1708537768-842925246-500
  C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\Microsoft\Crypto\RSA\S-1-5-21-583907252-1708537768-842925246-500\f9992b1ed3cdc054077ba50d8115ad69_4753af40-18d9-4cbf-965d-fc294223cd81
  C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\explorer.exe
  \Device\RasAcd

Opened Files
  \\.\PIPE\lsarpc
  c:\autoexec.bat
  C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\Microsoft\Crypto\RSA\S-1-5-21-583907252-1708537768-842925246-500\f9992b1ed3cdc054077ba50d8115ad69_4753af40-18d9-4cbf-965d-fc294223cd81

Deleted Files
Chronological Order
  Create/Open File: c:\syrup.exe (OPEN_ALWAYS)
  Open File: \\.\PIPE\lsarpc (OPEN_EXISTING)
  Get File Attributes: c:\autoexec.bat Flags: (SECURITY_ANONYMOUS)
  Open File: c:\autoexec.bat (OPEN_EXISTING)
  Create File: C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\Microsoft
  Create File: C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\Microsoft\Crypto
  Create File: C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\Microsoft\Crypto\RSA
  Create File: C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\Microsoft\Crypto\RSA\S-1-5-21-583907252-1708537768-842925246-500
  Open File: C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\Microsoft\Crypto\RSA\S-1-5-21-583907252-1708537768-842925246-500\f9992b1ed3cdc054077ba50d8115ad69_4753af40-18d9-4cbf-965d-fc294223cd81 (OPEN_EXISTING)
  Find File: C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\Microsoft\Crypto\RSA\S-1-5-21-583907252-1708537768-842925246-500\f9992b1ed3cdc054077ba50d8115ad69_*
  Create/Open File: C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\Microsoft\Crypto\RSA\S-1-5-21-583907252-1708537768-842925246-500\f9992b1ed3cdc054077ba50d8115ad69_4753af40-18d9-4cbf-965d-fc294223cd81 (OPEN_ALWAYS)
  Get File Attributes: C:\WINDOWS\system32\.HLP Flags: (SECURITY_ANONYMOUS)
  Get File Attributes: C:\WINDOWS\Help\.HLP Flags: (SECURITY_ANONYMOUS)
  Get File Attributes: C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\explorer.exe Flags: (SECURITY_ANONYMOUS)
  Copy File: c:\syrup.exe to C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\explorer.exe
  Set File Attributes: C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\explorer.exe Flags: (FILE_ATTRIBUTE_HIDDEN FILE_ATTRIBUTE_READONLY FILE_ATTRIBUTE_SYSTEM SECURITY_ANONYMOUS)
  Create/Open File: \Device\RasAcd (OPEN_ALWAYS)
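The report above is a complete IRC-bot install chain in one trace: the sample copies itself to %TEMP% under the name explorer.exe, marks the copy hidden/system/read-only, registers it in both the HKCU and HKLM Run keys for persistence, whitelists it in the Windows XP SP2 firewall's AuthorizedApplications list so inbound connections are allowed, and then joins ##syrup## on 174.120.225.25:6667 where the channel topic carries the update URL. The following Python script is an added example, not part of the report or of the bot: it parses report lines in this format into a structured IOC list, tags the persistence and firewall-whitelist registry writes, and flags the explorer.exe copy as a masquerade because a well-known system binary name lives outside %SystemRoot%. The sample report text is constructed from the indicators above (with path separators restored); the regexes, category names and the list of system binary names are this example's own assumptions.

```python
"""Triage helper for IRC-bot sandbox reports in the format shown above.

Added example, not the report's or the bot's own code. The regexes,
category names and KNOWN_SYSTEM_BINARIES are assumptions of this example.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: the report's own indicators with backslashes restored.
SAMPLE_REPORT = r"""
C&C Server: 174.120.225.25:6667
Channel: ##syrup## (Password: da32rga4a)
Channeltopic: :http://teamwaffle.net/bots/syrup.exe
Changes HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Microsoft Windows Hosting Service Login" = C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\explorer.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Microsoft Windows Hosting Service Login" = C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\explorer.exe
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List "Microsoft Windows Hosting Service Login" = C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\explorer.exe
Copy File: c:\syrup.exe to C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\explorer.exe
Set File Attributes: C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\explorer.exe Flags: (FILE_ATTRIBUTE_HIDDEN FILE_ATTRIBUTE_READONLY FILE_ATTRIBUTE_SYSTEM SECURITY_ANONYMOUS)
"""

# Names malware likes to borrow; assumed list, extend as needed.
KNOWN_SYSTEM_BINARIES = {"explorer.exe", "svchost.exe", "lsass.exe", "csrss.exe",
                         "winlogon.exe", "services.exe", "smss.exe"}


@dataclass
class Ioc:
    kind: str   # c2 | download_url | persistence | firewall_whitelist | dropped_file | masquerade
    value: str
    note: str = ""


_CNC = re.compile(r"C&C Server:\s*([^\s:]+):(\d+)")
_TOPIC = re.compile(r"Channeltopic:\s*:?(\S+)")          # leading ':' is IRC's trailing-param marker
_REGSET = re.compile(r'(HKEY_[A-Z_]+\\.+?)\s+"([^"]+)"\s*=\s*(.+?)\s*$')
_COPY = re.compile(r"Copy File:\s*(.+?)\s+to\s+(.+?)\s*$")
_ATTR = re.compile(r"Set File Attributes:\s*(.+?)\s+Flags:\s*\(([^)]*)\)")


def classify_key(key: str) -> Optional[str]:
    """Map a written registry key to the behaviour it implements, or None if benign."""
    k = key.lower()
    if k.endswith("\\currentversion\\run") or k.endswith("\\currentversion\\runonce"):
        return "persistence"                      # autostart on logon
    if "\\firewallpolicy\\" in k and k.endswith("\\authorizedapplications\\list"):
        return "firewall_whitelist"               # XP SP2 firewall exception for itself
    return None


def is_masquerading(path: str) -> bool:
    """True when a well-known Windows binary name sits outside the %SystemRoot% tree.

    Handles both long and 8.3 paths because only the directory prefix is checked.
    """
    directory, _, name = path.replace("/", "\\").rpartition("\\")
    if name.lower() not in KNOWN_SYSTEM_BINARIES:
        return False
    return re.match(r"(?i)^[a-z]:\\windows(\\|$)", directory) is None


def triage(report: str) -> List[Ioc]:
    """Extract actionable IOCs from one report; order follows the report."""
    iocs: List[Ioc] = []
    attrs: Dict[str, str] = {}
    for raw in report.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := _CNC.search(line):
            iocs.append(Ioc("c2", f"{m.group(1)}:{m.group(2)}", "IRC C&C endpoint"))
        elif m := _TOPIC.search(line):
            iocs.append(Ioc("download_url", m.group(1), "update URL pushed via channel topic"))
        elif m := _REGSET.search(line):
            key, name, data = m.groups()
            kind = classify_key(key)
            if kind:
                iocs.append(Ioc(kind, f"{key}\\{name}", data))
        elif m := _COPY.search(line):
            src, dst = m.groups()
            iocs.append(Ioc("dropped_file", dst, f"copied from {src}"))
            if is_masquerading(dst):
                iocs.append(Ioc("masquerade", dst, "system binary name outside %SystemRoot%"))
        elif m := _ATTR.search(line):
            path, flags = m.groups()
            attrs[path] = flags
    # Attach hidden/system attribute flags to the dropped file they were set on.
    for ioc in iocs:
        if ioc.kind == "dropped_file" and ioc.value in attrs:
            ioc.note += "; attributes " + attrs[ioc.value]
    return iocs


if __name__ == "__main__":
    for ioc in triage(SAMPLE_REPORT):
        print(f"{ioc.kind:18} {ioc.value}  {ioc.note}")
```

When hunting on live hosts, check the same three things the script tags: the two Run keys, and the AuthorizedApplications\List value, which only exists on the legacy XP SP2 firewall (Vista and later keep firewall exceptions under FirewallPolicy\FirewallRules instead, so the key name above will not match there). The masquerade check is deliberately loose about the directory so that the 8.3 form C:\DOKUME~1\... from the report is flagged just like the long-name form.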
Here's the exploit page (DON'T RUN IT WITHOUT A VIRTUAL MACHINE): trashonthis.com/4chan