Remote Host Port Number 81

NICK n[USA|XP]1167074
USER s "" "lol" :s
JOIN #newbin#
PONG 422
JOIN #USA (null)

* The following port was open in the system:

Port    Protocol    Process
1053    TCP         msnd.exe (%AppData%\msnd.exe)

Memory Modifications

* There was a new process created in the system:

Process Name    Process Filename      Main Module Size
msnd.exe        %AppData%\msnd.exe    65 536 bytes

Registry Modifications

* The newly created Registry Value is:
o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
+ Windows System Guard = "%AppData%\msnd.exe"

so that msnd.exe runs every time Windows starts

File System Modifications

* The following files were created in the system:

# 1
  Filename(s): %AppData%\msnd.exe
               [file and pathname of the sample #1]
  File Size:   151 552 bytes
  File Hash:   MD5: 0x06F4B78EC07D5A3CAB22FDFFC1B89968
               SHA-1: 0x0EDD4CE79193BE566367B1F5BF1FD6C0FE65F17A
  Alias:       Backdoor.LolBot [PCTools]
               VirTool:Win32/VBInject.JX [Microsoft]

# 2
  Filename(s): %System%\winlogon.txt
  File Size:   0 bytes
  File Hash:   MD5: 0xD41D8CD98F00B204E9800998ECF8427E
               SHA-1: 0xDA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  Alias:       (not available)
