A forum for reverse engineering, OS internals and malware analysis 

 #3406  by EP_X0FF
 Wed Nov 10, 2010 1:16 pm
This is TDL4.03 dropper.

new sort of quotes.
The Joan W. and Irving B. Harris Theater for Music and Dance is a 1525-seat theater for the performing arts located along the northern edge of Millennium Park in the Loop community area of Chicago.
[main]
aid=%s
sid=%s
[inject]
*=cmd.dll
* (x64)=cmd64.dll
[cmd]
srv=%s
wsrv=%s
psrv=%s
[main]
version=0.03
aid=40311
sid=0
builddate=4096
rnd=1202660629
knt=1289395086
[inject]
*=cmd.dll
* (x64)=cmd64.dll
[cmd]
srv=hxxps://zz87lhfda88.com/;hxxps://01n02n4cx00.com/;hxxps://1l1i16b0.com/;hxxps://zz87ihfda88.com/;hxxps://10n02n4cx00.com/
wsrv=hxxp://cijkcplxelabn.com/;hxxp://aurelehopkin.com/;hxxp://blacklistchek.com/;hxxp://teiretorkie.com/;hxxp://pxlratotor.com/
psrv=hxxp://advcpworld.com/
version=0.15
bsh=7cc58f823385d3db130c319bc8c1eef122acbfd1
delay=7200
csrv=hxxp://z0g7yail0.com/
TDL files in attach

Our friend has new stuff on board :)
RPC Control\spoolss
Attachments
pass: malware
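As an added example (not code from the thread or from the dropper), a small Python parser for the cfg.ini layout shown above that pulls the ';'-separated server lists out of [cmd] and reduces them to hostnames for blocklisting or DNS-log matching; the embedded sample is the config posted above, trimmed to a few entries and kept defanged (hxxp) as in the post.

```python
import configparser
import re
from urllib.parse import urlparse

# Constructed from the cfg.ini posted above (trimmed, URLs left defanged).
SAMPLE_CFG = """[main]
version=0.03
aid=40311
sid=0
builddate=4096
[inject]
*=cmd.dll
* (x64)=cmd64.dll
[cmd]
srv=hxxps://zz87lhfda88.com/;hxxps://01n02n4cx00.com/;hxxps://1l1i16b0.com/
wsrv=hxxp://cijkcplxelabn.com/;hxxp://aurelehopkin.com/
psrv=hxxp://advcpworld.com/
version=0.15
delay=7200
csrv=hxxp://z0g7yail0.com/
"""

SERVER_KEYS = ("srv", "wsrv", "psrv", "csrv")


def parse_cfg(text):
    """Plain INI: '=' delimiter, no interpolation, keys kept verbatim
    so '*' and '* (x64)' in [inject] survive untouched."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str
    cp.read_string(text)
    return cp


def server_lists(cp):
    """{key: [url, ...]} for each server key present in [cmd]; the lists are
    ';'-separated, matching the %[^;];%[^;];%[^;]; scan format in the strings."""
    return {k: [u for u in cp.get("cmd", k).split(";") if u]
            for k in SERVER_KEYS if cp.has_option("cmd", k)}


def refang(url):
    return re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)


def c2_domains(cp):
    """Sorted unique hostnames across all server lists (for a blocklist)."""
    hosts = {urlparse(refang(u)).hostname.lower()
             for urls in server_lists(cp).values() for u in urls
             if urlparse(refang(u)).hostname}
    return sorted(hosts)
```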
 #3410  by EP_X0FF
 Wed Nov 10, 2010 2:16 pm
IDA more-or-less friendly installer DLL. Enjoy reversing.
Attachments
1.JPG
pass: malware
 #3439  by Jaxryley
 Fri Nov 12, 2010 8:11 am
Anything new in this dg.exe which is bsod-ing my XP VM?
hxxp:// hillsdemocrat.com/.uit970q/?getexe=dg.exe
hxxp:// hillsdemocrat.com/.uit970q/?getexe=ff2ie.exe
hxxp:// hillsdemocrat.com/.uit970q/?getexe=zup32.exe
hxxp:// hillsdemocrat.com/.uit970q/?getexe=m24.in.exe
dg.exe - 6/16 - Sophos - Mal/TDSSPack-Z - MD5: 73cce5d6a5880669f11ef6b7157e0b9b
http://virusscan.jotti.org/en/scanresul ... 553090f0d0
Pass: malware
 #3442  by STRELiTZIA
 Fri Nov 12, 2010 8:45 am
Hello,
Jaxryley wrote: Anything new in this dg.exe which is bsod-ing my XP VM?
No BSoD for me. VMWare + XP SP3
[main]
version=0.03
aid=40787
sid=0
builddate=4096
rnd=606747145
[inject]
*=cmd.dll
* (x64)=cmd64.dll
[cmd]
srv=https://nl6fa53.com/;https://li1i16b0.c ... i16b0.com/
wsrv=http://ijmgwareh0use.com/;http://cljkcp ... tator.com/
psrv=http://cikh71ynks66.com/;http://clkh71yhks66.com/
version=0.15
Regards.
 #3446  by Jaxryley
 Fri Nov 12, 2010 11:16 am
STRELiTZIA wrote: No BSoD for me. VMWare + XP SP3
XP Pro SP2 and Win 7 VMs - MS Virtual PC SP1 and both BSOD?

Thanks for checking the sample STRELiTZIA. 8-)

 #3459  by EP_X0FF
 Sat Nov 13, 2010 5:05 am
Fresh sample.

7/43

http://www.virustotal.com/file-scan/rep ... 1289623819
[main]
version=0.03
aid=30020
sid=0
builddate=4096
rnd=1482476501
[inject]
*=cmd.dll
* (x64)=cmd64.dll
[cmd]
srv=hxxps://rukkeianno.com/;hxxps://kangojim1.com/;hxxps://lkaturi71.com/;hxxps://neywrika.in/;hxxps://86b6b6b6.com/
wsrv=hxxp://skolewcho.com/;hxxp://jikdooyt0.com/;hxxp://swltcho81.com/;hxxp://switcho81.com/;hxxp://rammyjuke.com/
psrv=hxxp://cri71ki813ck.com/
version=0.15
Died after reboot.
Attachments
pass: malware
 #3474  by EP_X0FF
 Sat Nov 13, 2010 6:57 pm
Another sample with router stuff on board. Judging by the very high static detection ratio, the group definitely needs a packer update/cleanup.

http://www.virustotal.com/file-scan/rep ... 1289673769

Too many sensitive strings inside to post.
Attachments
pass: malware
 #3484  by a_d_13
 Sun Nov 14, 2010 10:27 pm
PX5 wrote: http://dnusax.com/ic/ic1.exe

TrojanDropper:Win32/Alureon.V [Microsoft]
File is attached.

Thanks,
--AD
Attachments
Pass: infected