picard.ebdgroup.com(botnet hosted in Germany Hetzner Online Ag)

Remote Host Port Number 80 80 1866

USER hh “” “lol” :hh
JOIN #!h!
PONG 422

* The data identified by the following URLs was then requested from the remote web server:
o http://kissfendi.com/wp-content/uploads/karissa.jpg

Registry Modifications

* The newly created Registry Values are:
o [HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersion]
+ Start Page = “http://redirecturls.info”
o [HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun]
+ Java Update Manager = “%AppData%WIN-2045-7453-2214sysloop.exe”
+ Kernel Drivers = “%AppData%systemproc.exe”

so that sysloop.exe runs every time Windows starts
so that systemproc.exe runs every time Windows starts

* The following Registry Value was modified:
o [HKEY_CURRENT_USERSoftwareMicrosoftInternet ExplorerMain]
+ Start Page =

Memory Modifications

* Attention! The following process was intentionally hidden from the user:

Process Name Main Module Size
3873284.exe 45,056 bytes

File System Modifications

* The following files were created in the system:

# Filename(s) File Size File Hash
1 %AppData%B88JNglgm1.txt
%System%winrtsnr.txt 0 bytes MD5: 0xD41D8CD98F00B204E9800998ECF8427E
SHA-1: 0xDA39A3EE5E6B4B0D3255BFEF95601890AFD80709
2 %AppData%systemproc.exe 61,440 bytes MD5: 0x8255A83E8902745EC77BCAA6B027230A
SHA-1: 0x2ED07A00B6D34231C4EB5FBF9D634184148524B8
3 %AppData%WIN-2045-7453-2214sysloop.exe
%Temp%qqj.exe 70,144 bytes MD5: 0x844F66FC1C89977A44A643463F000055
SHA-1: 0xD0A4D40A083CFC4EEB20C0A65897277CE74605F4
4 %Temp%DgHIGmdCkfg.txt
%Temp%KhCIdDLI8LiM1kK.txt 2,560 bytes MD5: 0xD3C30B4B46C128973B652BA2D5C0BAE2
SHA-1: 0xED0D7F7B3FAAD8F68476BB7A5387D5C83FC0F478
5 [file and pathname of the sample #1] 44,032 bytes MD5: 0x6D71B0CF1BA5F69F25A9046AA950A125
SHA-1: 0x36E11EE8B176E2E0E1D599A2BBFC2CDAE15E1F3A

infos about posting:

Categories: Uncategorized