MrWiiWii.IRC.NET

Remote Host     Port Number
72.20.30.114    2265

NICK [USA-0142-XP]
USER 0522020 "" "lol" :0522020
JOIN #wiiwii
PONG :MrWiiWii.IRC.NET

Remote Host     Port Number
72.20.30.114    2232

USER BAIO 8 * :Blackout AIO IRC Bot
NICK [COMPUTERNAME]952
JOIN #wiiwii
PONG :MrWiiWii.IRC.NET

(MoDz) !login #wiiwii
([ESP-2151-XP]) Hai BoSS!
([USA-7671-VIS]) Hai BoSS!

(MoDz) !version
([ESP-2151-XP]) VanaDiuM iRC BOT v1.3.0.
([USA-7671-VIS]) VanaDiuM iRC BOT v1.3.0.

(MoDz) !homeddos 127.0.0.1 30
(MoDz) !usb

Other details

* The following port was open in the system:

Port    Protocol    Process
1051    TCP         asofsrvs.exe (%AppData%\asofsrvs.exe)

Other details

* The following port was open in the system:

Port    Protocol    Process
1053    TCP         okwOcxluTNqsZty.exe.exe (%Templates%\okwOcxluTNqsZty.exe.exe)

Memory Modifications

* There was a new process created in the system:

Process Name    Process Filename          Main Module Size
asofsrvs.exe    %AppData%\asofsrvs.exe    81 920 bytes

Memory Modifications

* There was a new process created in the system:

Process Name               Process Filename                       Main Module Size
okwOcxluTNqsZty.exe.exe    %Templates%\okwocxlutnqszty.exe.exe    N/A

Registry Modifications

* The newly created Registry Values are:
o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
+ AsofServices = "%AppData%\asofsrvs.exe"

so that asofsrvs.exe runs every time Windows starts
o [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
+ AsofServices = "%AppData%\asofsrvs.exe"

so that asofsrvs.exe runs every time Windows starts

File System Modifications

* The following file was created in the system:

#  Filename(s)                             File Size       File Hash                                            Alias
1  %AppData%\asofsrvs.exe                  60 928 bytes    MD5: 0xA701E142373A525B6A5F2437A8673E29              New Malware.b [McAfee]
   [file and pathname of the sample #1]                    SHA-1: 0xF3C5263998DB6B271C578CB903AAB3A081D52FB9

File System Modifications

* The following files were created in the system:

#  Filename(s)                             File Size        File Hash
1  %Templates%\okwOcxluTNqsZty.exe.exe     32 768 bytes     MD5: 0x25938529895F67B3C5E8A947423F9C99
                                                            SHA-1: 0x1F6B9C8D82C4DCB6FE6B8307185AD449BC99A0B5
2  [file and pathname of the sample #1]    442 368 bytes    MD5: 0x167D2FFDE0B24A27F500DCF412BC7C42
                                                            SHA-1: 0x05F4237D1E3F883F600578890733F335A1666892
