






- Under C:\Users\[UserName]\AppData\Roaming (all files have the hidden attribute set):
















































Image 5. Infected machine beacons to CnC

Here is a text version of the GET request made by the malware:

/getinfo.php?id=[0-9]{9}&stat=1&tout=60&osbt=1&osv=5.1&osbd=2600&ossp=3.0&ulv=4&elv=1&rad=1&agp=1&devicea=1&devicev=0&uname=[username]&cname=[computer_name]&vpn=1&tvrv=0.2.2.1
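
One way to hunt for this beacon in web-proxy logs, as an added example that is not code from the article: it matches the request shape on the parameter names shown above, in any order, plus the 9-digit id. The log layout, hostnames, addresses and sample values are constructed assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Parameter names copied from the GET request shown above.
BEACON_KEYS = {
    "id", "stat", "tout", "osbt", "osv", "osbd", "ossp", "ulv", "elv",
    "rad", "agp", "devicea", "devicev", "uname", "cname", "vpn", "tvrv",
}
ID_RE = re.compile(r"[0-9]{9}")  # id=[0-9]{9}, as the article gives it


def match_beacon(url):
    """Return identifying fields if url has the beacon shape, else None."""
    parts = urlsplit(url)
    if not parts.path.lower().endswith("/getinfo.php"):
        return None
    query = parse_qs(parts.query, keep_blank_values=True)
    # Order-independent: every parameter must be present, id must be 9 digits.
    if not BEACON_KEYS.issubset(query) or not ID_RE.fullmatch(query["id"][0]):
        return None
    return {"host": parts.netloc, "id": query["id"][0],
            "uname": query["uname"][0], "cname": query["cname"][0],
            "tvrv": query["tvrv"][0]}


def scan(log_lines):
    """Return (client_ip, fields) for every GET line that matches."""
    hits = []
    for line in log_lines:
        cols = line.split()
        if len(cols) >= 4 and cols[2] == "GET":
            hit = match_beacon(cols[3])
            if hit:
                hits.append((cols[1], hit))
    return hits


# Constructed proxy log, assumed layout: <time> <client_ip> <method> <url>
SAMPLE_LOG = [
    "2015-09-01T10:00:01Z 10.0.0.23 GET http://cnc.example.invalid/getinfo.php?id=123456789&stat=1&tout=60&osbt=1&osv=5.1&osbd=2600&ossp=3.0&ulv=4&elv=1&rad=1&agp=1&devicea=1&devicev=0&uname=alice&cname=WS-023&vpn=1&tvrv=0.2.2.1",
    "2015-09-01T10:00:05Z 10.0.0.41 GET http://intranet.example.invalid/getinfo.php?id=42",
    "2015-09-01T10:00:09Z 10.0.0.23 GET http://www.example.invalid/index.html",
]

if __name__ == "__main__":
    for client, hit in scan(SAMPLE_LOG):
        print(client, hit)
```

Each hit carries the id, uname and cname values from the request, which lets responders tie a beacon back to a specific machine and account.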


Variables      Definition

id=[0-9]{9}    id is a random 9-digit number associated with the infected machine

stat=1

66 Cyber Warnings E-Magazine – September 2015 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide
