x1x4x0.net(SnK the russian hecker hosted with United States Chicago Hostforweb Inc)

– DNS Queries:
Name Query Type Query Result Successful Protocol
x1x4x0.net DNS_TYPE_A YES udp
winhostmanager.net DNS_TYPE_A YES udp
winupdatecontrol.net DNS_TYPE_A YES udp

Remote Host Port Number 5500

NICK |US|INF|12|6|55|737|
USER 55768 |US|.com :55768 |US|
PONG :422
JOIN #win#
PONG :leaf1.not.found

Now talking in #win#
Topic On: [ #win# ] [ , ]
Topic By: [ n ]
ACTION!> s slaps |US|INF|10|7|5|923| around a bit with a large trout

* The data identified by the following URLs was then requested from the remote web server:
o http://webyeeworx.com/b.exe
o http://www.facebook.sercaag.com/b.exe

Registry Modifications

* The newly created Registry Value is:
o [HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun]
+ WindowsLiveUpdateServices = “%AppData%Microsoft-Update-Service-2568-6479-5400winrsnmgr.exe”

so that winrsnmgr.exe runs every time Windows starts

Memory Modifications

* There was a new memory page created in the address space of the system process(es):

Process Name Process Filename Allocated Size
winrsnmgr.exe %AppData%microsoft-update-service-2568-6479-5400winrsnmgr.exe 188,416 bytes

File System Modifications

* The following files were created in the system:

# Filename(s) File Size File Hash Alias
1 %AppData%Microsoft-Update-Service-2568-6479-5400winrsnmgr.exe
[file and pathname of the sample #1] 57,344 bytes MD5: 0x14FE34D930F74A1C0B5C4AD67089E685
SHA-1: 0xDF095C2117514AE5312C24815E22482CBF059750 packed with UPX [Kaspersky Lab]
2 %AppData%wincbdrv32.txt 0 bytes MD5: 0xD41D8CD98F00B204E9800998ECF8427E
SHA-1: 0xDA39A3EE5E6B4B0D3255BFEF95601890AFD80709 (not available)

infos about hosting:

Categories: Uncategorized