Remote Host: 77.68.56.80
Port Number: 81
addr: oki.nerashti.net ip: 77.68.56.80
 addr: oki.nerashti.net ip: 88.208.209.166
The domain of this criminal lamer is hosted in Australia, and it is strange how they allow botnet use from domains registered at: https://www.melbourneit.com.au/
Here is some info about the Australian hosting:
 Sales 
 Australian callers: 1300 654 677
 Other callers: +61 3 8624 2300
 Support
 Australian callers: 1300 654 677
 Other callers: +61 3 8624 2300
 Australia | Melbourne | Head Office
 Street Address
Level 2, 120 King Street
 Melbourne Victoria 3000
 Australia
 Office Hours
24 hours a day – 7 days a week
 Affiliate Support
 Australian callers: 1300 360 875
 Other callers: +61 3 8624 2300
 Fax: +61 3 9620 2388
These guys host a 30k botnet connected to nerashti.net
NICK n|USA|XP|COMPUTERNAME|fgfbdpb
 USER n "" "lol" :n
 JOIN #bul#
 PONG 422
 PONG :request1.not.found
Now talking in #bul#
 (rdp) .im /99/106/112/81/55/59/40/125/111/122/35/103/121/122/118/96/115/106/44/126/39/116/100/75/12/110/118/127/125/126/116/107/103/102/47/80/105/115/54/31/74/72/76/82/67/36/48/59/37/38/89/84/99/
Registry Modifications
* The newly created Registry Value is:
 o [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
 + MSNUpdateServices = "%AppData%\S-3685-5437-5687\winsrvn.exe"
so that winsrvn.exe runs every time Windows starts
File System Modifications
* The following files were created in the system:
 1  Filename: %AppData%\S-3685-5437-5687\winsrvn.exe [file and pathname of the sample #1]
    File Size: 217 088 bytes
    MD5: 0x98F921C44AE7B688A5DD49A97282904B
    SHA-1: 0xB0766C9C8A29E606C7357784207758F8A905A057
 2  Filename: %AppData%\wimknrncds.txt
    File Size: 0 bytes
    MD5: 0xD41D8CD98F00B204E9800998ECF8427E
    SHA-1: 0xDA39A3EE5E6B4B0D3255BFEF95601890AFD80709