Report - CrySyS Lab

More documents

Recommendations

Info

Table stat_TV_log has essentially the same content. Most of the Russian IP addresses seem to located in Ingushethia (e.g., 212.94.14.XXX from ingushsvyaz network). Note, that this map was created by the IP addresses only, so it is possible that some victims with dynamic IP addresses are shown multiple times. While stat_TV table is the most interesting, as “TV” refers to the TeamViewer campaign, the victim IP information stored in different tables among different C&C servers are also revealing. Here, we show distribution of IP addresses on heat maps for each information source. One can clearly see how different campaigns focus on different geographic regions. Figure 20 – Distribution of IP address used to upload files into the bannetwork.org FTP server, 2010-02-01 – 2013-02-25 16
Figure 21– Distributions of IP addresses in the stat2 table of bannetwork.org, 2010-05-14 - 2010-07-29 Figure 22– Distributions of IP addresses in the stat5057 table of bannetwork.org, 2010-07-16- 2010-07-29 17
Page 1 and 2: TeamSpy - Obshie manevri. Ispolzova
Page 3 and 4: 1. Introduction The CrySyS Lab, Bud
Page 5 and 6: 2. Overview of malicios activities
Page 7 and 8: 3. C&C servers Known TeamSpy C&C se
Page 9 and 10: Domain Name:BANNETWORK.ORG Created
Page 11 and 12: Figure 11 - teamviewer.exe is runni
Page 13 and 14: We obtained information from the fo
Page 15: Note that the IP address 208.80.194
Page 19 and 20: Figure 25- Distributions of IP addr
Page 21 and 22: Figure 29- Distributions of IP addr
Page 23 and 24: 4. Hashes of known malware modules
Page 25 and 26: c21fddbb247813f0742c34f9e9678acef58
Page 27 and 28: getiosdata.exe InstallTV.exe ipconf
Page 29 and 30: 5.2 Modules found on bannetwork.org
Page 31 and 32: Figure 38 - The keylogger is runnin
Page 33 and 34: SystemInfoSafe_2.jpg hash: 341B430D
Page 35 and 36: Interestingly, executable contains
Page 37 and 38: BA 2A ED 00 2B D4 A1 CD 93 25 CC E8
Page 39 and 40: otr.txt MD5 hash: 0f9c86ea21f37d0a3
Page 41 and 42: overlay\201606\9.txt MD5 hash: 9c2f
Page 43 and 44: 5.5 Other related samples We have l
Page 45 and 46: 5.6 Partially analyzed / unanalyzed
Page 47 and 48: _NtDSLLRC@4 _NtDSLLRV@8 _NtDSLLSP@2
Page 49 and 50: 11:32:50 PM OPEN LINK.....COM3 11:3
Page 51 and 52: 8656219860cf087a9c2be05a7706556b444
Page 53: 7. Conclusions In this document, we

Report - CrySyS Lab

Create successful ePaper yourself

Delete template?

Save as template?