174.120.205.250

Remote Host       Port Number
174.120.205.250   81

NICK n[USA|XP]0115398
USER s “” “lol” :s
JOIN #newbin#
PONG 422
JOIN #USA (null)

  • The following port was open in the system:
Port   Protocol   Process
1055   TCP        msnd.exe (%AppData%\msnd.exe)

Registry Modifications

  • The newly created Registry Value is:
    • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
      • Windows System Guard = "%AppData%\msnd.exe"

      so that msnd.exe runs every time Windows starts

Memory Modifications

  • There was a new process created in the system:
Process Name   Process Filename     Main Module Size
msnd.exe       %AppData%\msnd.exe   65 536 bytes

File System Modifications

  • The following files were created in the system:
#   Filename(s)                            File Size       File Hash                                           Alias
1   %AppData%\msnd.exe                     155 648 bytes   MD5: 0x0935ED1DC39BAEB138F576A12CEC4C56             Backdoor.LolBot [PCTools]
    [file and pathname of the sample #1]                   SHA-1: 0x53C2F7207DBBD11F95DA7D87584A8471F1659725
2   %System%\winlogon.txt                  0 bytes         MD5: 0xD41D8CD98F00B204E9800998ECF8427E             (not available)
                                                           SHA-1: 0xDA39A3EE5E6B4B0D3255BFEF95601890AFD80709