Report - CrySyS Lab
Registrant Street1:g. Lugansk, Hersonskaya 52
Registrant Street2:
Registrant Street3:
Registrant City:Lugansk
Registrant State/Province:Lugansk
Registrant Postal Code:91000
Registrant Country:UA
Registrant Phone:+3.80443640571
Registrant Phone Ext.:
Registrant FAX:+3.80443640571
Registrant FAX Ext.:
Registrant Email:krepov@i.ua
Figure 9 – bulbanews.org whois record
Domain Name:PLANETANEWS.ORG
Created On:23-Mar-2012 08:52:26 UTC
Last Updated On:06-Sep-2012 13:59:36 UTC
Expiration Date:23-Mar-2014 08:52:26 UTC
Sponsoring Registrar:OnlineNIC Inc. (R64-LROR)
Status:CLIENT TRANSFER PROHIBITED
Registrant ID:oln122048890
Registrant Name:Krepov Bogdan Serafimovich
Registrant Organization:-
Registrant Street1:g. Lugansk, Hersonskaya 52
Registrant Street2:
Registrant Street3:
Registrant City:Lugansk
Registrant State/Province:Lugansk
Registrant Postal Code:91000
Registrant Country:UA
Registrant Phone:+3.80443640571
Registrant Phone Ext.:
Registrant FAX:+3.80443640571
Registrant FAX Ext.:
Registrant Email:krepov@i.ua
Figure 10 – planetanews.org whois record
Note that Krepov Bogdan Serafimovich registered multiple domains, so this registrant name links those C&C servers to each other. On the C&C server “planetanews.org” the Unix user name used by the web server components is also “krepov”.
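As an added illustration of this registrant pivot (example code written for this page, not from the CrySyS report): parse whois records in the Key:Value layout shown in Figures 9 and 10 and group domains that share a registrant name, e-mail or phone number. The sample records are constructed from the values shown in those figures, plus one unrelated domain (EXAMPLE.ORG with invented registrant details) to show that unrelated registrations are not linked.

```python
"""Link C&C domains by shared whois registrant details (infrastructure pivot)."""
import re
from collections import defaultdict

# A match on any of these fields links two domains to the same registrant.
PIVOT_FIELDS = ("Registrant Name", "Registrant Email", "Registrant Phone")


def parse_whois(text):
    """Parse 'Key:Value' whois lines into a dict (first occurrence of a key wins)."""
    record = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() and key.strip() not in record:
            record[key.strip()] = value.strip()
    return record


def normalize(field, value):
    """Canonicalise values so trivially different spellings still match."""
    if field == "Registrant Phone":
        return re.sub(r"[^0-9]", "", value)   # "+3.80443640571" -> "380443640571"
    return value.casefold()


def pivot_registrants(records):
    """Return {(field, normalized value): [domains]} for pivots shared by 2+ domains."""
    index = defaultdict(set)
    for rec in records:
        domain = rec.get("Domain Name", "").lower()
        for field in PIVOT_FIELDS:
            val = rec.get(field, "").strip()
            if val and val != "-":              # "-" is the registrar's empty marker
                index[(field, normalize(field, val))].add(domain)
    return {k: sorted(v) for k, v in index.items() if len(v) > 1}


# Constructed sample input: registrant values from Figures 9 and 10, plus an
# unrelated domain with invented details that must not be linked to them.
SAMPLE_WHOIS = [
    "Domain Name:PLANETANEWS.ORG\nRegistrant Name:Krepov Bogdan Serafimovich\n"
    "Registrant Organization:-\nRegistrant Phone:+3.80443640571\nRegistrant Email:krepov@i.ua\n",
    "Domain Name:BULBANEWS.ORG\nRegistrant Name:Krepov Bogdan Serafimovich\n"
    "Registrant Phone:+3.80443640571\nRegistrant Email:krepov@i.ua\n",
    "Domain Name:EXAMPLE.ORG\nRegistrant Name:Jane Doe\n"
    "Registrant Phone:+1.5555550100\nRegistrant Email:jane@example.org\n",
]


def linked_domains(whois_texts=SAMPLE_WHOIS):
    return pivot_registrants([parse_whois(t) for t in whois_texts])


if __name__ == "__main__":
    for (field, value), domains in sorted(linked_domains().items()):
        print(f"{field} = {value!r} links {', '.join(domains)}")
```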
3.2 C&C communications
The attackers remotely control the malware running on victim computers using the TeamViewer application. On the victim computers, teamviewer.exe runs as a legitimate process, started from HKCU\Software\Microsoft\CurrentVersion\Run as shown in the figure below: