ip.ipwhois.org.uk (maybe Butterfly botnet)

DNS Lookup
Host Name            IP Address
server1.unibaq.com
ip.ipwhois.org.uk    195.3.145.182
dell-d3e62f7e26      10.1.7.2
UDP Connections
Remote IP Address: Port: 7006
Send Datagram: packet(s) of size 7
Recv Datagram: 1866 packet(s) of size 0
Remote IP Address: 195.3.145.182 Port: 7006
Send Datagram: packet(s) of size 7
Send Datagram: 5 packet(s) of size 3
Send Datagram: packet(s) of size 61
Recv Datagram: 4098 packet(s) of size 0
Recv Datagram: 4 packet(s) of size 8
Recv Datagram: packet(s) of size 3
Recv Datagram: packet(s) of size 40

Registry Changes by all processes
Create or Open
Changes   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon "Taskman" = C:\RECYCLER\S-1-5-21-0269043666-4484119358-829669143-0766\mwau.exe
Reads     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon "Taskman"
          HKEY_CURRENT_USER\Software\Microsoft\CTF "Disable Thread Input Manager"
          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\SystemShared "CUAS"
          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\SecurityService "DefaultAuthLevel"

File Changes by all processes
New Files      C:\RECYCLER\S-1-5-21-0269043666-4484119358-829669143-0766\Desktop.ini
               C:\RECYCLER\S-1-5-21-0269043666-4484119358-829669143-0766\mwau.exe
               C:\RECYCLER\S-1-5-21-0269043666-4484119358-829669143-0766\mwau.exe
               C:\RECYCLER\S-1-5-21-0269043666-4484119358-829669143-0766\Desktop.ini
               \\.\pipe\mmmGvbkgl87a
               \Device\RasAcd
Opened Files   \\.\PIPE\lsarpc
Deleted Files
Chronological Order
  Set File Attributes: C:\RECYCLER Flags: (FILE_ATTRIBUTE_HIDDEN FILE_ATTRIBUTE_READONLY FILE_ATTRIBUTE_SYSTEM SECURITY_ANONYMOUS)
  Set File Attributes: C:\RECYCLER\S-1-5-21-0269043666-4484119358-829669143-0766 Flags: (FILE_ATTRIBUTE_HIDDEN FILE_ATTRIBUTE_READONLY FILE_ATTRIBUTE_SYSTEM SECURITY_ANONYMOUS)
  Create File: C:\RECYCLER\S-1-5-21-0269043666-4484119358-829669143-0766\Desktop.ini
  Copy File: c:\bfc.exe to C:\RECYCLER\S-1-5-21-0269043666-4484119358-829669143-0766\mwau.exe
  Set File Attributes: C:\RECYCLER\S-1-5-21-0269043666-4484119358-829669143-0766\mwau.exe Flags: (FILE_ATTRIBUTE_HIDDEN FILE_ATTRIBUTE_READONLY FILE_ATTRIBUTE_SYSTEM SECURITY_ANONYMOUS)
  Create/Open File: C:\RECYCLER\S-1-5-21-0269043666-4484119358-829669143-0766\mwau.exe (OPEN_ALWAYS)
  Create/Open File: C:\RECYCLER\S-1-5-21-0269043666-4484119358-829669143-0766\Desktop.ini (OPEN_ALWAYS)
  Create NamedPipe: \\.\pipe\mmmGvbkgl87a
  Create/Open File: \Device\RasAcd (OPEN_ALWAYS)
  Open File: \\.\PIPE\lsarpc (OPEN_EXISTING)
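Three things in the report above are worth turning into checks: the sample persists by writing its own path into the Winlogon "Taskman" value (a value that does not exist on a default install and that Winlogon launches at logon), it hides its copy in a RECYCLER folder whose name only looks like a user SID (two of the sub-authorities, 0269043666 and 4484119358, cannot be real: one has a leading zero, the other exceeds the 32-bit range), and it beacons over UDP to 195.3.145.182:7006. The Python below is an added example, not part of the original post and not the sandbox's own tooling: it parses a constructed copy of the report lines (backslashes restored) into indicators and runs those three checks over them. The rule names and the `sid_is_plausible` heuristic are my own.

```python
import re

# Constructed sample: the report lines from the post above, with the
# backslashes that the page extraction stripped put back. Not a live capture.
REPORT = r"""
Remote IP Address: 195.3.145.182 Port: 7006
Changes HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon "Taskman" = C:\RECYCLER\S-1-5-21-0269043666-4484119358-829669143-0766\mwau.exe
Copy File: c:\bfc.exe to C:\RECYCLER\S-1-5-21-0269043666-4484119358-829669143-0766\mwau.exe
Set File Attributes: C:\RECYCLER\S-1-5-21-0269043666-4484119358-829669143-0766\mwau.exe Flags: (FILE_ATTRIBUTE_HIDDEN FILE_ATTRIBUTE_READONLY FILE_ATTRIBUTE_SYSTEM SECURITY_ANONYMOUS)
Create NamedPipe: \\.\pipe\mmmGvbkgl87a
"""

UDP_RE = re.compile(r"Remote IP Address: (\d+\.\d+\.\d+\.\d+) Port: (\d+)")
REG_RE = re.compile(r'Changes (HKEY_\S.*?) "([^"]+)" = (.+)')
PATH_RE = re.compile(r"[A-Za-z]:\\[^\s()]+")          # any drive-letter path on a line
PIPE_RE = re.compile(r"Create NamedPipe: (\\\\\.\\pipe\\\S+)")
SID_DIR_RE = re.compile(r"\\RECYCLER\\(S-1-5-21(?:-\d+)+)\\", re.IGNORECASE)


def parse_report(text):
    """Pull network, registry, file and named-pipe indicators out of the report lines."""
    iocs = {"udp": [], "registry": [], "files": [], "pipes": []}
    for line in text.splitlines():
        m = UDP_RE.search(line)
        if m:
            iocs["udp"].append((m.group(1), int(m.group(2))))
        m = REG_RE.search(line)
        if m:
            iocs["registry"].append((m.group(1), m.group(2), m.group(3).strip()))
        m = PIPE_RE.search(line)
        if m:
            iocs["pipes"].append(m.group(1))
        for path in PATH_RE.findall(line):
            if path not in iocs["files"]:
                iocs["files"].append(path)
    return iocs


def sid_is_plausible(sid):
    """Per-user SIDs (the form the XP Recycle Bin uses for its sub-folders) are
    S-1-5-21-<d1>-<d2>-<d3>-<RID>: every sub-authority is an unsigned 32-bit
    integer and Windows never prints one with a leading zero."""
    parts = sid.split("-")
    if parts[:4] != ["S", "1", "5", "21"] or len(parts) != 8:
        return False
    for sub in parts[4:]:
        if not sub.isdigit() or (len(sub) > 1 and sub[0] == "0"):
            return False
        if int(sub) > 0xFFFFFFFF:
            return False
    return True


def triage(iocs):
    """Apply the checks this report motivates; returns one finding string per hit."""
    findings = []
    for key, name, data in iocs["registry"]:
        # Winlogon\Taskman is absent on a clean system; any value here is a logon ASEP.
        if key.lower().endswith("\\winlogon") and name.lower() == "taskman":
            findings.append(f"persistence: Winlogon Taskman set to {data}")
    for path in iocs["files"]:
        m = SID_DIR_RE.search(path)
        if m and path.lower().endswith(".exe"):
            note = "" if sid_is_plausible(m.group(1)) else " (folder name mimics a SID but is not a valid SID)"
            findings.append(f"hidden drop: executable under RECYCLER {path}{note}")
    for ip, port in iocs["udp"]:
        findings.append(f"c2 candidate: UDP {ip}:{port}")
    for pipe in iocs["pipes"]:
        findings.append(f"ipc: named pipe {pipe}")
    return findings


if __name__ == "__main__":
    for finding in triage(parse_report(REPORT)):
        print(finding)
```

On a live XP-era host the same two host checks are `reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Taskman` (should report that the value does not exist) and `dir /a C:\RECYCLER` to list the hidden per-SID folders, then `sid_is_plausible` on each folder name; an .exe under any of them is worth pulling.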
