Keyword: URL
help instructions KILL - terminates client KILL_PORT - terminates socket/port GET - download arbitrary file from arbitrary url SSHX - ssh scan provided credentials SSH - ssh scan KILLALL - terminates all
result, malicious routines of the downloaded files are exhibited on the affected system. NOTES: This malware connects to the following URL http://{BLOCKED}.{BLOCKED}.49.18/img?k=316serena123456aaaac&v=1 to
downloads a possibly malicious file from a certain URL. The URL where this malware downloads the said file depends on the following parameter(s) passed on to it by its components: size Exploit-FKJ
visiting malicious sites. Download Routine This Trojan downloads the file from the following URL and renames the file when stored in the affected system: http://{BLOCKED}chingsolution.com/images/tere2611.exe
bypass, it downloads its shell code as logo.gif . The URL where it downloads its shell code is the same as where this malware is uploaded. Troj/SwfExp-CM (Sophos), Exploit:SWF/ShellCode.U (Microsoft)
the file from the following URL and renames the file when stored in the affected system: http://{BLOCKED}5.{BLOCKED}3.com/tj.asp?time=20160101160935&mac=00-00-00-00-00-00&username=blog_folder&content
server safe_mode status web host URL web host server address remote user server address Stolen Information This backdoor sends the data it gathers to the following email addresses via SMTP: {BLOCKED
the file from the following URL and renames the file when stored in the affected system: http://{BLOCKED}ek.co.uk/system/logs/98yt It saves the files it downloads using the following names: %User Temp%
Server 2008, and Windows Server 2012.) NOTES: It connects to the following URL to download data related to GeoIP: https://www.{BLOCKED}d.com/en/locate-my-ip-address The downloaded data should not contain any
files in all drives Connect to a website to check IP address Gather information of affected computer Send information gathered to a specific URL It locks the screen and displays the following image:
" -windowstyle hidden -noninteractive -ExecutionPolicy bypass -EncodedCommand {Base64 encoded powershell command} The base64 encoded powershell command is used to connect to the following URL to download a string
following: Connects to the following URL for coinmining activities: bit.p{BLOCKED}.com Format of the executed command -v {algorithm} -o {CnC} -u {username} -p {password} -t {number of CPU threads}
String2 any of the following filename of the files found on %User Temp% It attempts to connect to an unknown malicious site. However, the URL is not specified. (Note: %User Temp% is the current user's Temp
{Server}/r Other Details This Backdoor does the following: This backdoor checks for the connection to the following URL to choose which C2 server to send and receive information: http://{BLOCKED}.{BLOCKED
Copy files and directories Move a directory or a file Create a new directory Change timestamps of a file or directory Download a file from a URL Execute a process and capture its output Connect to a SQL
\ Search Assistant DefaultSearchURL = "http://www.{BLOCKED}l.co.uk/index.php?page=search/web&search=" HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ Internet Explorer\SearchScopes URL = "http://www.{BLOCKED
remote URL where a copy of the worm may be downloaded. It may also post similar content to Facebook wall. In order to accomplish its malicious routines, it downloads a configuration file from any of the
websites to download files: http://www.pta.gov.pk/index.php - non-malicious URL Note: The malware repeatedly connects to this URL to perform its DDoS attack. It saves the files it downloads using the
CAB cab CMD cmd COM com cpl CPL exe EXE ini INI dll DLL lnk LNK url URL ttf TTF DECRYPT.txt It avoids encrypting files with the following strings in their file path: $RECYCLE.BIN rsa NTDETECT.COM ntldr
\ WorkgroupCrawler\Shares shared = "\New Folder.exe" HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ Internet Explorer\SearchScopes URL = "{random characters}" HKEY_CURRENT_USER\Software\Microsoft\ Internet Explorer