![]() ![]() msi package, the infected host sent a screenshot of the desktop to the same C2 server at 46.151.24226. Each HTTP request returned a 404 Not Found until approximately 2 and 1/2 minutes later, when one of the HTTP GET requests returned a 200 OK that provided another. HTTP GET requests to 46.151.24226 occurred several times each minute. Terminal App Service.vbs generated HTTP traffic to a Command and Control (C2) server at 46.151.24226. Shown above: Content of the Terminal App Service.vbs file. vbs file was saved to C:\ProgramData\Cis\Terminal App Service.vbs and made persistent through a Windows shortcut under the Start Menu's Programs -> Startup directory. Shown above: Contents of the ke.msi file. Opening ke.msi in 7-Zip revealed the package contains a 262 byte Visual Basic Script (.vbs) named Terminal_App_Service.vbs as shown below. msi file, unless the HTTP request headers contain the following line: Opening the downloaded file TeamViewer_Setup.js revealed script with some slight obfuscation. Shown above: Downloaded TeamViewer_Setup.js file opened in a text editor. online domains switched between my first and second infection runs on Wednesday. js file hosted on compromised server at: hxxps://coldcreekranchcom/z1/Īs shown above, the.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |