www.myrouji.com (malware hosted with Cnlink Networks Inc, Pasadena, United States)

– DNS Queries:

Name Query Type Query Result Successful Protocol
www.myrouji.com DNS_TYPE_A 74.126.183.34 1

– Unknown TCP Traffic:

74.126.183.34:8883
State: Connection established, not terminated – Transferred outbound Bytes: 160 – Transferred inbound Bytes: 22
Data sent:

Data received:

4768 3073 7416 0000 0001 0000 0078 9c63 Gh0st……..x.c
0000 0001 0001

Registry Modifications

* The following Registry Keys were created:
o HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\MediaResources\msvideo
o HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_IRMON
o HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_IRMON\0000
o HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_IRMON\0000\Control
o HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Irmon
o HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Irmon\Parameters
o HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Irmon\Security
o HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Irmon\Enum
o HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MediaResources\msvideo
o HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_IRMON
o HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_IRMON\0000
o HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_IRMON\0000\Control
o HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Irmon
o HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Irmon\Parameters
o HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Irmon\Security
o HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Irmon\Enum

* The newly created Registry Values are:
o [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_IRMON\0000\Control]
+ *NewlyCreated* = 0x00000000
+ ActiveService = “Irmon”
o [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_IRMON\0000]
+ Service = “Irmon”
+ Legacy = 0x00000001
+ ConfigFlags = 0x00000000
+ Class = “LegacyDriver”
+ ClassGUID = “{8ECC055D-047F-11D1-A537-0000F8753ED1}”
+ DeviceDesc = “COM++ Event Systems”
o [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_IRMON]
+ NextInstance = 0x00000001
o [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Irmon\Enum]
+ 0 = “Root\LEGACY_IRMON\0000”
+ Count = 0x00000001
+ NextInstance = 0x00000001
o [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Irmon\Security]
+ Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0
o [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Irmon\Parameters]
+ ServiceDll = “%System%\Irmontype.dll”
+ ServiceMain = “MainService”
o [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Irmon]
+ Type = 0x00000120
+ Start = 0x00000002
+ ErrorControl = 0x00000001
+ ImagePath = “%System%\svchost.exe -k netsvcs”
+ DisplayName = “COM++ Event Systems”
+ ObjectName = “LocalSystem”
+ Description = “Support System Event Notification Service (SENS),If you stop this service, SENS will close,other services will not start.”
o [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_IRMON\0000\Control]
+ *NewlyCreated* = 0x00000000
+ ActiveService = “Irmon”
o [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_IRMON\0000]
+ Service = “Irmon”
+ Legacy = 0x00000001
+ ConfigFlags = 0x00000000
+ Class = “LegacyDriver”
+ ClassGUID = “{8ECC055D-047F-11D1-A537-0000F8753ED1}”
+ DeviceDesc = “COM++ Event Systems”
o [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_IRMON]
+ NextInstance = 0x00000001
o [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Irmon\Enum]
+ 0 = “Root\LEGACY_IRMON\0000”
+ Count = 0x00000001
+ NextInstance = 0x00000001
o [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Irmon\Security]
+ Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0
o [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Irmon\Parameters]
+ ServiceDll = “%System%\Irmontype.dll”
+ ServiceMain = “MainService”
o [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Irmon]
+ Type = 0x00000120
+ Start = 0x00000002
+ ErrorControl = 0x00000001
+ ImagePath = “%System%\svchost.exe -k netsvcs”
+ DisplayName = “COM++ Event Systems”
+ ObjectName = “LocalSystem”
+ Description = “Support System Event Notification Service (SENS),If you stop this service, SENS will close,other services will not start.”

Memory Modifications

* There was a new memory page created in the address space of the system process(es):

Process Name Process Filename Allocated Size
svchost.exe %System%\svchost.exe 253,952 bytes

* The following module was loaded into the address space of other process(es):

Module Name Module Filename Address Space Details
irmontype.dll %System%\irmontype.dll Process name: svchost.exe
Process filename: %System%\svchost.exe
Address space: 0x10000000 – 0x10056000

* There was a new service created in the system:

Service Name Display Name Status Service Filename
Irmon COM++ Event Systems “Running” %System%\svchost.exe -k netsvcs

File System Modifications

* The following files were created in the system:

# Filename(s) File Size File Hash Alias
1 %System%\Irmontype.dll 231,971 bytes
MD5: 0x55AEEF1210CFCD23DF0FD238E0C8045C
SHA-1: 0x47438F3D62F87563EB68B6622FDD2C2260DA5F45
Trojan-GameThief.Win32.Magania.edjk [Kaspersky Lab]
Suspect-AB!55AEEF1210CF [McAfee]
Mal/Behav-170 [Sophos]
Backdoor:Win32/Farfli.K [Microsoft]
Virus.Fat.Obfuscated [Ikarus]
2 [file and pathname of the sample #1] 387,835 bytes
MD5: 0x0ECD189BCED8916BEED1F6B67C0BB93A
SHA-1: 0x03007C15ADBB8A1A767439D8544E3DD5308B3E4D
Mal/ResDro-B [Sophos] ……

Registry Changes by all processes
Create or Open
Changes HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Irmon “Type” = [REG_DWORD, value: 00000004]
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Irmon “Description” = Support System Event Notification Service (SENS),If you stop this service, SENS will close,other services will not start.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Irmon\Parameters “ServiceDll” = [REG_EXPAND_SZ, value: C:\WINDOWS\system32\Irmontype.dll]
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Irmon\Parameters “ServiceMain” = MainService
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Irmon “InstallModule” = c:\beauty.exe
Reads HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\SystemShared “CUAS”
HKEY_CURRENT_USER\Keyboard Layout\Toggle “Language Hotkey”
HKEY_CURRENT_USER\Keyboard Layout\Toggle “Layout Hotkey”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF “EnableAnchorContext”
HKEY_LOCAL_MACHINE\SYSTEM\WPA\MediaCenter “Installed”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost “netsvcs”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\SystemShared “CUAS”
HKEY_CURRENT_USER\Keyboard Layout\Toggle “Language Hotkey”
HKEY_CURRENT_USER\Keyboard Layout\Toggle “Layout Hotkey”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF “EnableAnchorContext”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM “Logging Directory”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM “Logging”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM “Log File Max Size”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM “Repository Directory”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM “ProcessID”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM “EnablePrivateObjectHeap”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM “ContextLimit”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM “ObjectLimit”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM “IdentifierLimit”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM “EnableObjectValidation”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM “Sink Transmit Buffer Size”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM “DefaultRpcStackSize”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM “EnableObjectValidation”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM “Logging”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM “Log File Max Size”
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D63A5850-8F16-11CF-9F47-00AA00BF345C}\InprocServer32 “ThreadingModel”
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D63A5850-8F16-11CF-9F47-00AA00BF345C}\InprocServer32 “Synchronization”
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D63A5850-8F16-11CF-9F47-00AA00BF345C}\InprocServer32 “”
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D63A5850-8F16-11CF-9F47-00AA00BF345C} “”
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D63A5850-8F16-11CF-9F47-00AA00BF345C} “AppId”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\HotFix\KB956572 “Installed”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\SecuredHostProviders “ROOT\CIMV2:__Win32Provider.Name="CIMWin32"”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM “Logging Directory”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion “ProductName”

File Changes by all processes
New Files C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\3027093_res.tmp
C:\WINDOWS\system32\Irmontype.dll
Opened Files c:\beauty.exe
C:\WINDOWS\AppPatch\sysmain.sdb
C:\WINDOWS\AppPatch\systest.sdb
\Device\NamedPipe\ShimViewer
C:\WINDOWS\system32
c:\beauty.exe
\\.\PIPE\lsarpc
\\.\PIPE\samr
\\.\PIPE\lsarpc
C:\WINDOWS\Registration\R000000000007.clb
\\.\PIPE\lsarpc
\\.\pipe\PIPE_EVENTROOT/CIMV2PROVIDERSUBSYSTEM
C:\WINDOWS\Registration\R000000000007.clb
C:\WINDOWS\REPAIR\SETUP.LOG
Deleted Files C:\WINDOWS\system32\Irmontype.dll
C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\3027093_res.tmp
Chronological Order Open File: c:\beauty.exe (OPEN_EXISTING)
Open File: C:\WINDOWS\AppPatch\sysmain.sdb (OPEN_EXISTING)
Open File: C:\WINDOWS\AppPatch\systest.sdb (OPEN_EXISTING)
Open File: \Device\NamedPipe\ShimViewer (OPEN_EXISTING)
Open File: C:\WINDOWS\system32 ()
Find File: C:\WINDOWS\system32\taskkill.exe
Open File: c:\beauty.exe (OPEN_EXISTING)
Open File: \\.\PIPE\lsarpc (OPEN_EXISTING)
Open File: \\.\PIPE\samr (OPEN_EXISTING)
Delete File: C:\WINDOWS\system32\Irmontype.dll
Get File Attributes: C:\WINDOWS\system32\Irmontype.dll Flags: (SECURITY_ANONYMOUS)
Create File: C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\3027093_res.tmp
Set File Time: C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\3027093_res.tmp
Move File: C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\3027093_res.tmp to C:\WINDOWS\system32\Irmontype.dll
Delete File: C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\3027093_res.tmp
Open File: \\.\PIPE\lsarpc (OPEN_EXISTING)
Get File Attributes: C:\WINDOWS\Registration Flags: (SECURITY_ANONYMOUS)
Open File: C:\WINDOWS\Registration\R000000000007.clb (OPEN_EXISTING)
Get File Attributes: C:\WINDOWS\system32\WBEM\Logs Flags: (SECURITY_ANONYMOUS)
Open File: \\.\PIPE\lsarpc (OPEN_EXISTING)
Open File: \\.\pipe\PIPE_EVENTROOT/CIMV2PROVIDERSUBSYSTEM (OPEN_EXISTING)
Get File Attributes: C:\WINDOWS\Registration Flags: (SECURITY_ANONYMOUS)
Open File: C:\WINDOWS\Registration\R000000000007.clb (OPEN_EXISTING)
Get File Attributes: C:\WINDOWS\system32\WBEM\Logs Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\WINDOWS Flags: (SECURITY_ANONYMOUS)
Open File: C:\WINDOWS\REPAIR\SETUP.LOG ()

Information about the hosting provider:
http://whois.domaintools.com/74.126.183.34