Keyword: URL
auto-run registry {string 2} can be any of the following: Informer Verifyer Saver Notifyer Checker Updater It connects to randomly generated IP addresses with the following as URL path: /online.htm /main.htm
said file is not present, it uses the default proxy settings. It accesses the following URL to read its configuration: http://www.{BLOCKED}n.com/style/index2.php Its configuration contains the C&C domain
Updater It connects to randomly generated IP addresses with the following as URL path: /online.htm /main.htm /start.htm /install.htm /login.htm /setup.htm /welcome.htm /search.htm /home.htm /default.htm
of the following: Informer Verifyer Saver Notifyer Checker Updater It connects to randomly generated IP addresses with the following as URL path: /online.htm /main.htm /start.htm /install.htm
Download Routine This Trojan downloads the file from the following URL and renames the file when stored in the affected system: {BLOCKED}plive.com/upload/html.exe {BLOCKED}e.com/knowledge/misc/html.exe
following URL and renames the file when stored in the affected system: http://{BLOCKED}fronteira.net/paris/ScheduleWMI.php http://{BLOCKED}emfronteira.net/paris/storagewmi.js It saves the files it downloads
%User Temp% as EXE{number}.exe. The decrypted file is detected as TSPY_DYRE.AATX. It accesses the URL http://{BLOCKED}2.{BLOCKED}3.35.133/2312uk12/{computername}/-/{OS Version}-{Service Pack}/0/ to send
affected system. Other Details However, as of this writing, the said sites are inaccessible. It deletes the initially executed copy of itself NOTES: This Trojan accesses the URL http://{BLOCKED}.{BLOCKED
\Classes\ FTDownloader URL Protocol = HKEY_LOCAL_MACHINE\Software\Classes\ FTDownloader (Default) = FTDownloader URI HKEY_LOCAL_MACHINE\Software\Classes\ FTDownloader Content Type =
. This configuration file contains the following: Sleep time of the malware The URL it connects to File names of the component files Bot ID It connects to the following remote site to download a
6666 8888 0000 4444 5555 7777 9999 12345Admin 56789Admin 1234Admin does the following to the remote machine: create directory:/var/... delete files under /var/ connects to the following URL to download
--algo=ALGO specify the algorithm to use (cryptonight, cryptonight-lite, cryptonight-heavy) -o, --url=URL URL of mining server -O, --userpass=U:P username:password pair for mining server -u, --user
following URL links: http://i.{BLOCKED}r.com/TqykUo3.png Disables the following Key Strokes: Ctrl + Esc Alt + Tab Alt + Esc It displays the Ransom Note asking the victim to subscribe by following the link:
User:43zqYTWj1JG1H1idZFQWwJZLTos3hbJ5iR3tJpEtwEi43UBbzPeaQxCRysdjYTtdc8aHao7csiWa5BTP9PfNYzyfSbbrwoR.xmrxmr2019 Password:x Accepts the following parameters: -a, --algo=ALGO specify the algorithm to use cryptonight cryptonight-lite cryptonight-heavy -o, --url=URL URL of mining server -O, --userpass=U:P
-a, --algo=ALGO cryptonight, cryptonight-lite, cryptonight-heavy -o, --url=URL URL of mining server -O, --userpass=U:P username:password pair for mining server -u, --user=USERNAME username for mining
It accepts the following parameters: -a, --algo=ALGO — specify the algorithm to use (cryptonight, cryptonight-lite, cryptonight-heavy) -o, --url=URL — URL of mining server -O, --userpass=U:P
accepts the following parameters: -a, --algo=ALGO → cryptonight (default) or cryptonight-lite -o, --url=URL → URL of mining server -O, --userpass=U:P → username:password pair for mining server -u, --user
7.) Other Details This Ransomware does the following: This Ransomware connects to the following malicious URL to create and send encryption keys: http://{BLOCKED}ost/{BLOCKED}keys.php http://{BLOCKED
commands from a remote malicious user: Download and execute arbitrary files USB Spreader Visit a URL / Display pop-up advertisements MSN spreader P2P Spreader DDOS (TCP/UDP Flooding) Retrieve Stored Browser