Keyword: URL
by users when visiting malicious sites. Download Routine This Trojan downloads the file from the following URL and renames the file when stored in the affected system: http://{BLOCKED}.{BLOCKED
to the Windows HOSTS file: {BLOCKED}.{BLOCKED}.0.1 www.{BLOCKED}5.com ← blocks connection to the URL Dropped:Trojan.GenericKD.64427241 (BITDEFENDER)
name of the encrypted files: .NEVADA It drops the following file(s) as ransom note: {Encrypted Directory}\readme.txt It avoids encrypting files with the following file extensions: exe ini dll url lnk scr
cryptonight-lite -o, --url=URL -> URL of mining server -O, --userpass=U:P -> username:password pair for mining server -u, --user=USERNAME -> username for mining server -p, --pass=PASSWORD -> password for
triggered, repeat every 00:01:00 indefinitely. Action: Start a program → {Malware Path}\{Malware Filename} It loads the following URL twice into the default web browser: https://{BLOCKED}mes/claim?name
server TUNNEL → used to establish tunnel connections between compromised machines TUNNELCLOSE → used to disconnect the connection set up by the TUNNEL command DOWNEXEC → used to download a file from a URL
Manager\Accounts\Bigfoot LDAP URL = "http://www.{BLOCKED}t.com" HKEY_CURRENT_USER\Software\Microsoft\ Internet Account Manager\Accounts\Bigfoot LDAP Search Return = "64" HKEY_CURRENT_USER\Software\Microsoft
(SOAP) to find the network routers and get the following information: manufacturer modelName modelNumber controlURL It accesses the control URL of the router depending on the discovered UPnP device:
website to send and receive information. It gathers certain information on the affected computer. It steals system information. On succeeding connections, it connects to a specific URL to check for new IP
following possibly malicious URLs: http://www.{BLOCKED}8.com/{Random URL Query} http://www.{BLOCKED}6.com/{Random URL Query} http://www.{BLOCKED}7.com/?Dll NOTES: This malware chooses files located in a
Download and execute a file from a pre-determined URL bring-log - Upload WSH logs down-n-exec - Download and execute a file from the given URL filemanager - Download and execute fm-plugin.exe rdp - Download
the QuickTime specification known as wired actions, which allows QuickTime files to take certain actions – in this case, go to a URL where the malicious content is located. Are Trend Micro users
into buying a rogue antivirus (AV) product. In the case of TROJ_FRAUDLO.LO, it also disables Task Manager, connects to a malicious URL and downloads its component files. Both TROJ_FAKEAV.SGN and
redirected to the URL http://mw-{BLOCKED}tion.com/buy-now.php?bid=117 . The following window is displayed containing the returned webpage: However, as of this writing, the said site is inaccessible.
The malware author can change the contents of index.jsp? in the malicious URL to point to another malicious URL. As of this writing, it is pointing to a non-malicious site. It does not have rootkit
its intended routine. NOTES: This Trojan connects to a certain URL to download additional information and an updated copy of itself. It saves its downloaded file as {random}~MTMP{random}.EXE . It can be
following URL to send and receive information: {BLOCKED}whoisrecord.co.uk As of this writing, the said servers are currently inaccessible. It retrieves machine GUID and digital product ID by querying the
svchost.exe Backdoor Routine This backdoor executes the following commands from a remote malicious user: Sleep/Idle (2 minutes) Download and execute arbitrary file Update and uninstall itself Visit URL It
=force&userid={userid} {domain}/h_check.php {domain}/h_info_ajax.php {check_domain}/h_check.php {check_domain}/h_info_ajax.php NOTES: The URL where this malware connects to displays pornographic content to lure
=27&passphrase=fkjvhsdvlksdhvlsd&socks=0&version=27&crc=00000000 It then waits for the user to visit any target URL and injects code into the said website. It does this by hooking certain APIs. It is also capable