nope.nerashti.net

| Remote Host | Port Number |
|---|---|
| nope.nerashti.net | 81 |

NICK [USA|XP]2405738
USER s "" "lol" :s
JOIN #newnew#
NICK [USA|XP]6710820
NICK n[USA|XP]0692699

Now talking in #newnew#
Topic On: [ #newnew# ] [ ]
Topic By: [ Burimi ]

* To mark the presence in the system, the following Mutex object was created:
o 3d6g7v5x2f4as7

* The following ports were open in the system:

| Port | Protocol | Process |
|---|---|---|
| 1034 | TCP | msnl.exe (%AppData%\msnl.exe) |
| 1035 | TCP | msnl.exe (%AppData%\msnl.exe) |
| 1036 | TCP | msnl.exe (%AppData%\msnl.exe) |

* The following Host Name was requested from a host database:
o nope.nerashti.net

Registry Modifications

* The newly created Registry Value is:
o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
+ Windows System Guard = "%AppData%\msnl.exe"

so that msnl.exe runs every time Windows starts

Memory Modifications

* There were new processes created in the system:

| Process Name | Process Filename | Main Module Size |
|---|---|---|
| msnl.exe | %AppData%\msnl.exe | 65 536 bytes |
| [filename of the sample #1] | [file and pathname of the sample #1] | 57 344 bytes |

File System Modifications

* The following files were created in the system:

| # | Filename(s) | File Size | File Hash | Alias |
|---|---|---|---|---|
| 1 | %AppData%\msnl.exe; [file and pathname of the sample #1] | 163 840 bytes | MD5: 0x01763A99222974D4D985A3566FABB488; SHA-1: 0x48F3220A8B68F772F27F77A249C254D48774D8E9 | Suspicious.SillyFDC [Symantec]; VirTool:Win32/VBInject.gen!DX [Microsoft] |
| 2 | %System%\winsvncs.txt | 0 bytes | MD5: 0xD41D8CD98F00B204E9800998ECF8427E; SHA-1: 0xDA39A3EE5E6B4B0D3255BFEF95601890AFD80709 | (not available) |
