Keyword: URL
auto-run registry {string 2} can be any of the following: Informer Verifyer Saver Notifyer Checker Updater It connects to randomly generated IP addresses with the following as URL path: /online.htm /main.htm
of the following: Informer Verifyer Saver Notifyer Checker Updater It connects to randomly generated IP addresses with the following as URL path: /online.htm /main.htm /start.htm /install.htm
Updater It connects to randomly generated IP addresses with the following as URL path: /online.htm /main.htm /start.htm /install.htm /login.htm /setup.htm /welcome.htm /search.htm /home.htm /default.htm
Download Routine This Trojan downloads the file from the following URL and renames the file when stored in the affected system: {BLOCKED}plive.com/upload/html.exe {BLOCKED}e.com/knowledge/misc/html.exe
following URL and renames the file when stored in the affected system: http://{BLOCKED}fronteira.net/paris/ScheduleWMI.php http://{BLOCKED}emfronteira.net/paris/storagewmi.js It saves the files it downloads
affected system. Other Details However, as of this writing, the said sites are inaccessible. It deletes the initially executed copy of itself NOTES: This Trojan accesses the URL http://{BLOCKED}.{BLOCKED
%User Temp% as EXE{number}.exe . The decrypted file is detected as TSPY_DYRE.AATX. It accesses the URL http://{BLOCKED}2.{BLOCKED}3.35.133/2312uk12/{computername}/-/{OS Version}-{Service Pack}/0/ to send
\Classes\ FTDownloader URL Protocol = HKEY_LOCAL_MACHINE\Software\Classes\ FTDownloader (Default) = FTDownloader URI HKEY_LOCAL_MACHINE\Software\Classes\ FTDownloader Content Type =
. This configuration file contains the following: Sleep time of the malware The URL it connects to File names of the component files Bot ID It connects to the following remote site to download a
commands from a remote malicious user: Download and execute arbitrary files USB Spreader Visit a URL / Display pop-up advertisements MSN spreader P2P Spreader DDOS (TCP/UDP Flooding) Retrieve Stored Browser
-a, --algo=ALGO cryptonight, cryptonight-lite, cryptonight-heavy -o, --url=URL URL of mining server -O, --userpass=U:P username:password pair for mining server -u, --user=USERNAME username for mining
--algo=ALGO specify the algorithm to use (cryptonight, cryptonight-lite, cryptonight-heavy) -o, --url=URL URL of mining server -O, --userpass=U:P username:password pair for mining server -u, --user
It accepts the following parameters: -a, --algo=ALGO — specify the algorithm to use (cryptonight, cryptonight-lite, cryptonight-heavy) -o, --url=URL — URL of mining server -O, --userpass=U:P
User:43zqYTWj1JG1H1idZFQWwJZLTos3hbJ5iR3tJpEtwEi43UBbzPeaQxCRysdjYTtdc8aHao7csiWa5BTP9PfNYzyfSbbrwoR.xmrxmr2019 Password:x Accepts the following parameters: -a, --algo=ALGO specify the algorithm to use cryptonight cryptonight-lite cryptonight-heavy -o, --url=URL URL of mining server -O, --userpass=U:P
following URL links: http://i.{BLOCKED}r.com/TqykUo3.png Disables the following Key Strokes: Ctrl + Esc Alt + Tab Alt + Esc It displays the Ransom Note asking the victim to subscribe by following the link:
6666 8888 0000 4444 5555 7777 9999 12345Admin 56789Admin 1234Admin does the following to the remote machine: create directory:/var/... delete files under /var/ connects to the following URL to download
ignoreallfailures NOTES: The ransomware displays the following as its ransom note: Typing the URL will not redirect to the proper site. The user needs to click the buttons on the page for it to properly redirect.
accepts the following parameters: -a, --algo=ALGO → cryptonight (default) or cryptonight-lite -o, --url=URL → URL of mining server -O, --userpass=U:P → username:password pair for mining server -u, --user