Keyword: URL
}report.com/images/2009/05/naughty-elephant.jpg It then saves and opens it as follows: %Current Folder%\{Malware Name}.jpg This is done to trick users into thinking that the executed file is legitimate. It then connects to the following URL to
execution. NOTES: This backdoor connects to the URL http://www.msn.com . a variant of Win32/Injector.BBMB trojan(NOD32),Troj/Agent-AGRG(SOPHOS_LITE)
visiting malicious sites. Download Routine This Trojan downloads the file from the following URL and renames the file when stored in the affected system: http://{BLOCKED}chingsolution.com/images/tere2611.exe
bypass, it downloads its shell code as logo.gif . The URL where it downloads its shell code is the same as where this malware is uploaded. Troj/SwfExp-CM (Sophos), Exploit:SWF/ShellCode.U (Microsoft)
its installation routine: HKEY_CURRENT_USER\Software\Microsoft\ Internet Explorer\Main TabProcGrowth = "0" HKEY_LOCAL_MACHINE\ SOFTWARE\ MICROSOFT\ Windows\ CURRENTVERSION\ URL SystemMgr = "Del
Server 2008, and Windows Server 2012.) NOTES: It connects to the following URL to download data related to GeoIP: https://www.{BLOCKED}d.com/en/locate-my-ip-address The downloaded data should not contain any
server safe_mode status web host URL web host server address remote user server address Stolen Information This backdoor sends the data it gathers to the following email addresses via SMTP: {BLOCKED
the file from the following URL and renames the file when stored in the affected system: http://{BLOCKED}5.{BLOCKED}3.com/tj.asp?time=20160101160935&mac=00-00-00-00-00-00&username=blog_folder&content
the file from the following URL and renames the file when stored in the affected system: http://{BLOCKED}ek.co.uk/system/logs/98yt It saves the files it downloads using the following names: %User Temp%
String2 any of the following filename of the files found on %User Temp% It attempts to connect to an unknown malicious site. However, the URL is not specified. (Note: %User Temp% is the current user's Temp
{Server}/r Other Details This Backdoor does the following: This backdoor checks for the connection to the following URL to choose which C2 server to send and receive information: http://{BLOCKED}.{BLOCKED
following: Connects to the following URL for coinmining activities: bit.p{BLOCKED}.com Format of the executed command -v {algorithm} -o {CnC} -u {username} -p {password} -t {number of CPU threads}
Copy files and directories Move a directory or a file Create a new directory Change timestamps of a file or directory Download a file from a URL Execute a process and capture its output Connect to a SQL
remote URL where a copy of the worm may be downloaded. It may also post similar content to Facebook wall. In order to accomplish its malicious routines, it downloads a configuration file from any of the
\ Search Assistant DefaultSearchURL = "http://www.{BLOCKED}l.co.uk/index.php?page=search/web&search=" HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ Internet Explorer\SearchScopes URL = "http://www.{BLOCKED
\ WorkgroupCrawler\Shares shared = "\New Folder.exe" HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ Internet Explorer\SearchScopes URL = "{random characters}" HKEY_CURRENT_USER\Software\Microsoft\ Internet Explorer
websites to download files: http://www.pta.gov.pk/index.php - non-malicious URL Note: The malware repeatedly connects to this URL to perform its DDoS attack. It saves the files it downloads using the
CAB cab CMD cmd COM com cpl CPL exe EXE ini INI dll DLL lnk LNK url URL ttf TTF DECRYPT.txt It avoids encrypting files with the following strings in their file path: $RECYCLE.BIN rsa NTDETECT.COM ntldr
Microsoft Support site, it does look like a legitimate Microsoft site, except that the URL is not. The PC Support site fronts a Virus Removal Malware Support page wherein visitors are guided through a step-by-step
designed to steal information from users. ZBOT variants typically access a URL where they retrieve a configuration file containing the list of websites they will monitor and steal information from. Some reports