Keyword: URL
43761 results total | Showing results 3101 - 3120
{data/code}" Download/Execute Arbitrary Plugins Uninstall itself Drops and executes the following: %User Temp%\xxm{random}.bat Change the Interval of activity time Change the C&C URL accessed Download and
to the Windows HOSTS file: {BLOCKED}.{BLOCKED}.0.1 www.{BLOCKED}5.com ← blocks connection to the URL Dropped:Trojan.GenericKD.64427241 (BITDEFENDER)
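The HOSTS-file trick above (pinning a hostname to a loopback-style address so the connection never leaves the machine) is easy to check for on a host. The following is an added example, not code from the Trend Micro page: it parses HOSTS text and reports any non-local hostname mapped to a loopback, unspecified, link-local or private-use address. The sample file content, the 127.0.0.1 and 0.0.0.0 addresses and the hostnames are constructed placeholders; the page masks the real values.

```python
import ipaddress

# Constructed sample of a Windows HOSTS file. The addresses and hostnames
# are placeholders; the page masks the real values.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#
# localhost name resolution is handled within DNS itself.
#\t127.0.0.1       localhost
#\t::1             localhost
127.0.0.1 www.example-security-vendor.com   # added by the dropper
0.0.0.0   update.example-av.net
"""

# Names that legitimately point at loopback and should not be reported.
LOCAL_NAMES = {
    "localhost", "localhost.localdomain", "broadcasthost",
    "ip6-localhost", "ip6-loopback", "ip6-allnodes", "ip6-allrouters",
}

def parse_hosts(text):
    """Yield (address, hostname) pairs, ignoring comments and blank lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop full-line and trailing comments
        fields = line.split()
        if len(fields) < 2:
            continue
        for name in fields[1:]:               # one address may carry several names
            yield fields[0], name.lower()

def is_sinkhole_address(address):
    """True for loopback, unspecified, link-local and private/reserved ranges (per ipaddress)."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified or ip.is_link_local or ip.is_private

def suspicious_entries(text):
    """Return [(address, hostname)] for non-local names pinned to a sinkhole address."""
    return [
        (address, name)
        for address, name in parse_hosts(text)
        if name not in LOCAL_NAMES and is_sinkhole_address(address)
    ]

if __name__ == "__main__":
    for address, name in suspicious_entries(SAMPLE_HOSTS):
        print(f"blocked: {name} -> {address}")
```

On a live system, read `%SystemRoot%\System32\drivers\etc\hosts` and pass its contents to `suspicious_entries`; any hit for a vendor or update domain is the behaviour described above.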
name of the encrypted files: .NEVADA It drops the following file(s) as ransom note: {Encrypted Directory}\readme.txt It avoids encrypting files with the following file extensions: exe ini dll url lnk scr
cryptonight-lite -o, --url=URL -> URL of mining server -O, --userpass=U:P -> username:password pair for mining server -u, --user=USERNAME -> username for mining server -p, --pass=PASSWORD -> password for
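The options listed above are how a dropped miner is told where to mine and with which credentials, so the pool and wallet can be recovered from a process command line alone. Added example, not from the page: a parser for the -o/--url, -O/--userpass, -u/--user and -p/--pass forms that tolerates both the joined spellings (-oURL, --url=URL) and the separate-argument ones. The three command lines, host names, wallet string and the extra -a flag on the first one (an assumed unknown option the parser skips) are constructed.

```python
import shlex
from urllib.parse import urlsplit

# Option names as given in the miner usage text above; both spellings are accepted.
SHORT_OPTS = {"-o": "url", "-O": "userpass", "-u": "user", "-p": "pass"}
LONG_OPTS = {"--url": "url", "--userpass": "userpass", "--user": "user", "--pass": "pass"}

# Constructed process command lines; image names, hosts and wallet are placeholders.
SAMPLE_CMDLINES = [
    "xmr.exe -a cryptonight-lite -o stratum+tcp://pool.example.net:3333 -u 4ExampleWallet -p x",
    "updater.exe --url=pool.example.net:5555 --userpass=worker1:secret",
    "m.exe -ostratum+tcp://proxy.example:80 -Orig7:pw",
]

def parse_miner_options(cmdline):
    """Map the pool/credential options to values; unknown options and bare words are skipped.

    Accepts "-o URL", "-oURL", "--url URL" and "--url=URL".
    """
    argv = shlex.split(cmdline)
    opts = {}
    i = 1                                   # argv[0] is the program image
    while i < len(argv):
        tok = argv[i]
        if tok.startswith("--"):
            name, has_eq, inline = tok.partition("=")
            key, value = LONG_OPTS.get(name), (inline if has_eq else None)
        elif tok.startswith("-") and len(tok) > 1:
            name, inline = tok[:2], tok[2:]
            key, value = SHORT_OPTS.get(name), (inline or None)
        else:
            key = value = None
        if key is not None and value is None and i + 1 < len(argv):
            value = argv[i + 1]             # separate-argument form consumes the next token
            i += 1
        if key is not None and value is not None:
            opts[key] = value
        i += 1
    return opts

def miner_iocs(cmdline):
    """Derive pool host/port and credentials from a command line; None if no pool option."""
    opts = parse_miner_options(cmdline)
    url = opts.get("url")
    if url is None:
        return None
    if "://" not in url:
        url = "stratum+tcp://" + url          # give urlsplit a scheme so bare host:port parses
    parts = urlsplit(url)
    user, password = opts.get("user"), opts.get("pass")
    if "userpass" in opts:                    # -O U:P carries both in one value
        user, _, password = opts["userpass"].partition(":")
    return {
        "scheme": parts.scheme,
        "pool_host": parts.hostname,
        "pool_port": parts.port,
        "user": user,
        "password": password,
    }

if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        print(miner_iocs(line))
```

The pool host and port are the network indicators worth blocking; the user field is usually the attacker's wallet address, which ties otherwise unrelated infections together.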
triggered, repeat every 00:01:00 indefinitely. Action: Start a program → {Malware Path}\{Malware Filename} It loads the following URL twice into the default web browser: https://{BLOCKED}mes/claim?name
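A task that repeats every minute with no end and launches a binary from a user-profile path is the persistence shape described above. Added example (not the page's own material): it reads Task Scheduler XML in the form `schtasks /Query /XML` exports and flags short unbounded repetition and Exec commands under user-writable directories. Both task definitions, the 300-second threshold, the directory list and the paths are constructed assumptions.

```python
import re
import xml.etree.ElementTree as ET

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Assumed list of path fragments a standard user can write to.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\", "\\downloads\\")

# Constructed task definition; the command path is a placeholder.
SAMPLE_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <LogonTrigger>
      <Repetition>
        <Interval>PT1M</Interval>
        <StopAtDurationEnd>false</StopAtDurationEnd>
      </Repetition>
      <Enabled>true</Enabled>
    </LogonTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Users\victim\AppData\Roaming\svc_update.exe</Command>
    </Exec>
  </Actions>
</Task>
"""

# Constructed benign counterpart: bounded hourly repetition, binary under %SystemRoot%.
SAMPLE_BENIGN_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger>
      <Repetition><Interval>PT1H</Interval><Duration>P1D</Duration></Repetition>
    </CalendarTrigger>
  </Triggers>
  <Actions>
    <Exec><Command>C:\Windows\System32\cleanmgr.exe</Command></Exec>
  </Actions>
</Task>
"""

_DURATION = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")

def iso_duration_seconds(value):
    """Convert Task Scheduler's ISO 8601 duration (e.g. PT1M, P1D) to seconds."""
    m = _DURATION.match(value.strip())
    if not m:
        raise ValueError(f"unsupported duration: {value!r}")
    days, hours, minutes, seconds = (int(x) if x else 0 for x in m.groups())
    return days * 86400 + hours * 3600 + minutes * 60 + seconds

def analyze_task(xml_text, max_interval_seconds=300):
    """Return findings for short, unbounded repetition and user-writable Exec commands."""
    root = ET.fromstring(xml_text)
    findings = []
    for trigger in root.findall("./t:Triggers/*", TASK_NS):
        repetition = trigger.find("t:Repetition", TASK_NS)
        interval = None if repetition is None else repetition.find("t:Interval", TASK_NS)
        if interval is None or not interval.text:
            continue
        seconds = iso_duration_seconds(interval.text)
        unbounded = repetition.find("t:Duration", TASK_NS) is None   # no Duration: repeats indefinitely
        if seconds <= max_interval_seconds and unbounded:
            kind = trigger.tag.split("}")[-1]                           # strip the namespace
            findings.append(f"{kind} repeats every {seconds}s indefinitely")
    for command in root.findall("./t:Actions/t:Exec/t:Command", TASK_NS):
        path = (command.text or "").strip()
        if any(marker in path.lower() for marker in USER_WRITABLE):
            findings.append(f"Exec command in user-writable path: {path}")
    return findings

if __name__ == "__main__":
    for name, xml_text in (("sample", SAMPLE_TASK_XML), ("benign", SAMPLE_BENIGN_XML)):
        print(name, analyze_task(xml_text) or ["no findings"])
```

Run it over every file under `%SystemRoot%\System32\Tasks` (the on-disk task definitions use the same XML) to sweep a host for this pattern.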
server TUNNEL → used to establish tunnel connections between compromised machines TUNNELCLOSE → used to disconnect the connection set up by the TUNNEL command DOWNEXEC → used to download a file from a url
website to send and receive information. It gathers certain information on the affected computer. It steals system information. On subsequent connections, it connects to a specific URL to check for new IP
(SOAP) to find the network routers and get the following information: manufacturer modelName modelNumber controlURL It accesses the control URL of the router depending on the discovered UPnP device:
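The UPnP step above works in two stages: an SSDP M-SEARCH reply carries a LOCATION header, and the device description XML fetched from it lists manufacturer, modelName and modelNumber plus the controlURL of each service; SOAP actions are then sent to the controlURL of the WAN*Connection service. Added example, not from the Trend Micro page or the malware it describes: it parses a constructed SSDP reply and device description offline and resolves each service's controlURL to an absolute URL. The 192.168.1.1 address, UUID, model strings and paths are placeholders.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urljoin

UPNP_NS = {"u": "urn:schemas-upnp-org:device-1-0"}

# Constructed M-SEARCH reply; LOCATION is where the description XML is fetched from.
SAMPLE_SSDP_REPLY = (
    "HTTP/1.1 200 OK\r\n"
    "CACHE-CONTROL: max-age=1800\r\n"
    "LOCATION: http://192.168.1.1:1900/igd.xml\r\n"
    "ST: urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
    "USN: uuid:00000000-0000-0000-0000-000000000001::urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
    "\r\n"
)

# Constructed device description, trimmed to the IGD / WANIPConnection path.
SAMPLE_DEVICE_XML = """<?xml version="1.0"?>
<root xmlns="urn:schemas-upnp-org:device-1-0">
  <device>
    <deviceType>urn:schemas-upnp-org:device:InternetGatewayDevice:1</deviceType>
    <manufacturer>ExampleCorp</manufacturer>
    <modelName>EX-1000</modelName>
    <modelNumber>1.0</modelNumber>
    <deviceList><device>
      <deviceType>urn:schemas-upnp-org:device:WANDevice:1</deviceType>
      <deviceList><device>
        <deviceType>urn:schemas-upnp-org:device:WANConnectionDevice:1</deviceType>
        <serviceList><service>
          <serviceType>urn:schemas-upnp-org:service:WANIPConnection:1</serviceType>
          <serviceId>urn:upnp-org:serviceId:WANIPConn1</serviceId>
          <controlURL>/ctl/IPConn</controlURL>
          <eventSubURL>/evt/IPConn</eventSubURL>
          <SCPDURL>/WANIPCn.xml</SCPDURL>
        </service></serviceList>
      </device></deviceList>
    </device></deviceList>
  </device>
</root>
"""

def ssdp_location(reply):
    """Return the LOCATION header of an SSDP reply, or None if absent."""
    header_block = reply.split("\r\n\r\n", 1)[0]
    for line in header_block.split("\r\n")[1:]:      # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() == "location":
            return value.strip()
    return None

def _text(elem, path):
    child = elem.find(path, UPNP_NS)
    return child.text.strip() if child is not None and child.text else None

def describe_device(location, device_xml):
    """Extract the fields listed in the text plus every service's absolute controlURL."""
    root = ET.fromstring(device_xml)
    root_device = root.find("u:device", UPNP_NS)
    base = _text(root, "u:URLBase") or location   # relative URLs resolve against URLBase, else LOCATION
    return {
        "manufacturer": _text(root_device, "u:manufacturer"),
        "modelName": _text(root_device, "u:modelName"),
        "modelNumber": _text(root_device, "u:modelNumber"),
        "services": [
            {"serviceType": _text(svc, "u:serviceType") or "",
             "controlURL": urljoin(base, _text(svc, "u:controlURL") or "")}
            for svc in root.iterfind(".//u:service", UPNP_NS)   # descends nested deviceList entries
        ],
    }

def wan_control_url(info):
    """Pick the WAN*Connection service's controlURL: the endpoint SOAP actions are posted to."""
    for svc in info["services"]:
        if ":service:WANIPConnection:" in svc["serviceType"] or ":service:WANPPPConnection:" in svc["serviceType"]:
            return svc["controlURL"]
    return None

if __name__ == "__main__":
    info = describe_device(ssdp_location(SAMPLE_SSDP_REPLY), SAMPLE_DEVICE_XML)
    print(info["manufacturer"], info["modelName"], info["modelNumber"], wan_control_url(info))
```

Defensively, the same parser run against a real M-SEARCH reply tells you whether a gateway on the LAN exposes a WAN*Connection control endpoint that anything on the network, malware included, can drive.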
Download and execute a file from a pre-determined URL bring-log - Upload WSH logs down-n-exec - Download and execute a file from the given URL filemanager - Download and execute fm-plugin.exe rdp - Download
following possibly malicious URL: http://www.{BLOCKED}8.com/{Random URL Query} http://www.{BLOCKED}6.com/{Random URL Query} http://www.{BLOCKED}7.com/?Dll NOTES: This malware chooses files located in a
Manager\Accounts\Bigfoot LDAP URL = "http://www.{BLOCKED}t.com" HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot LDAP Search Return = "64" HKEY_CURRENT_USER\Software\Microsoft
the QuickTime specification known as wired actions, which allows QuickTime files to take certain actions – in this case, go to a URL where the malicious content is located. Are Trend Micro users
into buying a rogue antivirus (AV) product. In the case of TROJ_FRAUDLO.LO, it also disables Task Manager, connects to a malicious URL and downloads its component files. Both TROJ_FAKEAV.SGN and
redirected to the URL http://mw-{BLOCKED}tion.com/buy-now.php?bid=117 . The following window is displayed containing the returned webpage: However, as of this writing, the said site is inaccessible.
svchost.exe Backdoor Routine This backdoor executes the following commands from a remote malicious user: Sleep/Idle (2 minutes) Download and execute arbitrary file Update and uninstall itself Visit URL It
=force&userid={userid} {domain}/h_check.php {domain}/h_info_ajax.php {check_domain}/h_check.php {check_domain}/h_info_ajax.php NOTES: The URL this malware connects to displays pornographic content to lure
uninstalls a package execOpenUrl - opens a URL The said commands are obtained from the following URL: http://{BLOCKED}h.gongfu-android.com:8511/search/getty.php It reports the result (if it fails to complete
it connects to the following URL to continue the purchase: http://{BLOCKED}edpaymentgate.com/buy.php? Connects to URLs/IPs, Displays windows
When users agree to buy the software, it connects to the following URL to continue the purchase: http://{BLOCKED}.{BLOCKED}.132.56/ http://{BLOCKED}megasoft.com/buy.php
=27&passphrase=fkjvhsdvlksdhvlsd&socks=0&version=27&crc=00000000 It then waits for the user to visit any target URL and injects code into the said website. It does this by hooking certain APIs. It is also capable