Keyword: 22
16824 Total Search   |   Showing Results : 1 - 20
Users Profile%\22\run.vbs" %All Users Profile%\22\run.vbs "%System%\schtasks.exe" /delete /tn GoogleUpdateTaskUI /f schtasks /delete /tn GoogleUpdateTaskUI /f "%System%\schtasks.exe" /create /RU users /sc
the dropped files with the following parameters: timeout $timeout ./{Malware Path}/shitscanner $port -i $interface -s $speed where: $timeout - 130 $port - 22 $interface - eth0 $speed -
Direct = %ProgramData%\Direct.exe Other Details This backdoor connects to the following possibly malicious URL: internat.{BLOCKED}b.com Uses Port/s: 443, 23, and 22 {BLOCKED}.{BLOCKED}.18.100 Uses Port/s:
networks the systems are attached to: Scans IP format {random ip}.{random ip}.{1 to 256}.{1 to 256} via port 22 Backdoor Routine This Backdoor opens the following ports: 9000 Other Details This Backdoor
22 23 Download Routine This backdoor connects to the following URL(s) to download its component file(s): http://l.{BLOCKED}ost.host/{digit} Other Details This backdoor does the following: Uses common
) It scans the following specific ports to try and exploit the vulnerable devices that use specific ports: 6379 ← for Redis server 443 ← for SSH 22 80 8090 It may spread to other devices: using
2d" HKEY_CURRENT_USER\Software\Microsoft\ Clock D2 = "22 20 2E 23 23" HKEY_CURRENT_USER\Software\Microsoft\ Clock D3 = "2f 22 2f 2c" HKEY_CURRENT_USER\Software\Microsoft\ Clock pr = "66 7A 78 70 70 64
Description Name: BANKER - HTTP (Request) - Variant 22. This is Trend Micro detection for packets passing through HTTP network protocols that can be used as Command and Control Communication. This also indicates a malware infection. Below are some i...
the root folder, which is usually C:\. It is also where the operating system is located.) Other System Modifications This spyware deletes the following files: %System%\drivers\etc\hosts %System Root%\22
Vulnerabilities (Server) - 16 1008972 - ImageMagick Multiple Security Vulnerabilities (Server) - 20 1008976 - ImageMagick Multiple Security Vulnerabilities (Server) - 22 1008978 - ImageMagick Multiple Security
then use ./scan -p 22 -i 0 p 192.168 as agrument for ip file -m 0 for non selective scanning -P 0 leave default password unchanged. Changes password by default. -s [TIMEOUT]: Change the timeout. Default
port 22 (with username:pi and password:raspberry) and try to drop a copy and execute it -a sets the algorithm -o sets the url for mining server -u sets username for mining server --> Dropped by other
/usr/bin/python /usr/bin/python3 device - returns the string “SSH” if there is a file “/usr/sbin/telnetd”, otherwise, it will return “Unknown Device” Port - returns the string “22” if the four files mentioned above
servers. Default is 2 Use -f 1 for A.B class /16. Default is 2 for A.B.C /24 -i [IPSCAN] → use -i 0 to scan ip class A.B. Default is 1 if you use -i 0 then use ./scan -p 22 -i 0 p 192.168 as argument for ip
--force-yes apt-get install zmap sshpass -y --force-yes Scans for networks with an open port 22 using Zmap and uses the credentials username: pi and password: raspberry or raspberryraspberry993311 to drop a
conditions: Local TCP port = 51640 Remote TCP port = 51640 Remote TCP port = 6379 Remote TCP port = 22 It connects to the following URL(s) to download and execute another shell script: http://lsd.{BLOCKED
\Adobe\Reader 10.0\Esl\Desktop_.ini %Program Files%\Adobe\Reader 10.0\Reader\Desktop_.ini %User Temp%\33$$.Ico %User Temp%\75$$.Ico %User Temp%\22$$.Ico %User Temp%\23$$.Ico %User Temp%\58$$.Ico %Program
ports: 20 21 22 80 135 137 139 443 445 DoS:Win32/FoxBlade.A!dha (MICROSOFT); Win32/Agent.OJC worm (NOD32) Downloaded from the Internet, Dropped by other malware
{BB631743-CB83-DEE4-F538-5E35E9432B2A}\Data DataB = "2b6" HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ CLSID\{BB631743-CB83-DEE4-F538-5E35E9432B2A}\Data DataB = "22" Dropping Routine This Trojan drops the following files: %User Temp%\1.tmp
\ Windows\CurrentVersion\policies\ Explorer\DisallowRun 22 = "mcregwiz.exe" HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ Windows\CurrentVersion\policies\ Explorer\DisallowRun 23 = "mcagent.exe" HKEY_LOCAL_MACHINE