services.exe 484
svchost.exe 608
vmacthlp.exe 668
mcibckaj.exe 3056
dllhost.exe 3896
dllhost.exe 2176
dllhost.exe 3732
dllhost.exe 2716
svchost.exe 2004
explorer.exe 2384
__PAYLOAD__.exe 3120
wusa.exe 736
wusa.exe 3904
cmd.exe 3032
cmd.exe 3296
sc.exe 3760
sc.exe 3096
sc.exe 2892
rlnkeakp.exe 3244
consent.exe 1916
wusa.exe 2176
wusa.exe 3200
cmd.exe 464
sc.exe 2068
sc.exe 2668
cmd.exe 3184
consent.exe 3112
23.100.122.175 80
23.103.156.42 25
43.231.4.7 443
74.6.137.64 25
85.25.185.229 483
LISTENING ON 2416
152.163.0.67 25
67.195.229.59 25
74.125.200.27 25
104.44.194.234 25
66.218.85.52 25
173.194.203.27 25
65.55.37.88 25
65.54.188.110 25
67.195.229.58 25
65.55.37.104 25
212.27.48.7 25
65.55.92.152 25
144.76.199.43 427
144.76.199.2 427
85.25.119.25 427
176.111.49.43 427
216.239.38.120 80
87.240.129.177 443
64.12.88.164 25
98.136.101.117 25
65.54.188.94 25
74.6.137.63 25
104.44.194.231 25
66.218.85.139 25
65.55.92.168 25
98.137.159.28 25
212.27.48.6 25
65.55.37.120 25
216.239.38.21 80
94.100.180.31 25
64.12.88.131 25
74.125.204.27 25
98.137.159.26 25
98.136.102.54 25
65.55.37.72 25
65.55.92.184 25
104.44.194.233 25
74.6.137.65 25
98.137.159.24 25
104.44.194.237 25
104.44.194.236 25
104.44.194.235 25
104.44.194.232 25
104.47.10.33 25
152.163.0.68 25
98.136.102.55 25
207.46.8.199 25
65.54.188.72 25
17.57.8.143 25
52.169.122.66 443
152.163.0.100 25
64.12.91.195 25
108.177.14.26 25
98.137.159.27 25
65.55.92.136 25
216.58.207.3 443
23.160.0.107 443
64.12.88.132 25
THE BAD GUY (STAGE #1)
REM Stage-1 command chain as observed in the sandbox. The parent is wusa.exe;
REM wusa.exe spawning cmd.exe (see the process list above) is a pattern
REM associated with UAC bypass, and consent.exe also appears in that list --
REM NOTE(review): the actual elevation route is not established here, confirm.
"C:\Windows\System32\wusa.exe"
REM Creates a randomly named subdirectory under SysWOW64 (normally requires
REM elevated privileges).
cmd /C mkdir C:\Windows\SysWOW64\ifbwqrky\
REM Moves the first dropped binary out of %TEMP% into that directory.
cmd /C move /Y "C:\Users\foo\AppData\Local\Temp\mcibckaj.exe" C:\Windows\SysWOW64\ifbwqrky\
REM Persistence: an auto-start service whose binary is the dropped file; the
REM original dropper path is passed via /d. The DisplayName "wifi support"
REM and the misspelled description "wifi internet conection" are the
REM attacker's literals -- keep them verbatim, they are good detection strings.
REM (sc create line is wrapped across two lines in this extraction.)
sc create ifbwqrky binPath= "C:\Windows\SysWOW64\ifbwqrky\mcibckaj.exe /d\"C:\Users\foo\Desktop\TROJAN.exe\""
type= own start= auto DisplayName= "wifi support"
sc description ifbwqrky "wifi internet conection"
sc start ifbwqrky
REM The service binary runs with /d pointing at the desktop dropper;
REM presumably /d names the file to delete (cf. "FILE DELETION SCRIPT"
REM below) -- verify.
C:\Windows\SysWOW64\ifbwqrky\mcibckaj.exe /d"C:\Users\foo\Desktop\TROJAN.exe"
REM Second dropped binary, this time in the user profile root; the /e value
REM looks like a configuration or ID blob -- its meaning is not established here.
"C:\Users\foo\rlnkeakp.exe" /d"C:\Users\foo\Desktop\TROJAN.exe" /e5502021400000102
Windows\SysWOW64\ifbwqrky\mcibckaj.exe /d"C:\Users\foo\Desktop\TROJAN.exe"
REM The next stage runs under the name svchost.exe (see "SVCHOST opens a
REM port 2416" below).
svchost.exe
REM The service binary is swapped for a third dropped file via sc config;
REM the previously dropped rlnkeakp.exe becomes the new /d argument.
cmd /C move /Y "C:\Users\foo\AppData\Local\Temp\hjevmgng.exe" C:\Windows\SysWOW64\ifbwqrky\
sc config ifbwqrky binPath= "C:\Windows\SysWOW64\ifbwqrky\hjevmgng.exe /d\"C:\Users\foo\rlnkeakp.exe\""
sc start ifbwqrky
REM Batch file executed from %TEMP%; likely the file-deletion script
REM referenced below -- confirm.
cmd /c ""C:\Users\foo\AppData\Local\Temp\5116.bat" "
REM Note the different service name (rokfzath vs ifbwqrky): service names
REM appear to be randomized per run, so hunt on the description string
REM rather than the name.
sc description rokfzath "wifi internet conection"
REM Inbound firewall allow rule for SysWOW64\svchost.exe under a
REM legitimate-sounding rule name, with output suppressed (>nul). This pairs
REM with the listener on port 2416 reported below. The command is wrapped
REM across two lines in this extraction (the program= path continues on the
REM next line).
netsh advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:
\Windows\SysWOW64\svchost.exe" enable=yes>nul
google.com
ttvnw.net
mx4.hotmail.com
aol.com
everyone.net
mta5.am0.yahoodns.net
mx4.hotmail.com
mailin-04.mx.aol.com
mx1.hotmail.com
mailin-01.mx.aol.com
ipinfo.io
mailin-04.mx.aol.com
ttvnw.net
mta5.am0.yahoodns.net
netscape.com
USES SC.EXE TO CREATE A NEW AUTO-START SERVICE (PERSISTENCE)
FOLLOW THE BLUE LINE (IN THE ORIGINAL DIAGRAM) TO SEE THE NEXT STAGE(S)
FILE DELETION SCRIPT
PAYLOAD SPAWNED THE FOLLOWING COMMANDS
SVCHOST opens a port 2416
SOCKS proxy server
INSTALL BACKDOORS
MINE CRYPTOCURRENCY
SEND-OUT EMAILS
SPAM-BOT
CREDENTIAL THEFT
OPENS A PORT (SOCKSPROXY)
INSTALL NEW PLUGINS (PART OF CONFIGURATION)
CODE PATH TO DDOS
INSTALL SERVICE(S)
SUMMARY
DROPPED FILES
SOME OF THE DOMAINS
EMAIL COMMUNICATION
C2 COMMUNICATION ON PORT 482 (NOTE: THE CONNECTION LIST ABOVE SHOWS PORTS 483 AND 427 FOR THE NON-MAIL HOSTS -- VERIFY WHICH PORT IS THE C2 CHANNEL)
USER-AGENTS USED FOR C2 COMMUNICATION (THE Python/aiohttp STRING IS ATYPICAL FOR A WINDOWS HOST AND MAKES A USEFUL NETWORK SIGNATURE)
Python/3.5 aiohttp/2.3.10
Wget
Mozilla
FINAL STAGE WHERE SVCHOST
STARTS C2 COMMUNICATION
AND OPENS A PORT (2416)
SOME OF THE IPs AND PORTS USED TO CONNECT TO C2 AND SEND OUT EMAILS (THE PORT 25 ENTRIES ARE OUTBOUND SMTP TO MAIL-PROVIDER MX HOSTS)
CODE VIEW (DNS && EMAIL)