Reader Kevin Branch wrote in to alert us to an interesting discovery regarding Sendori. Kevin stated that two of his clients were served malware via Sendori's auto-update system. In particular, they had grabbed Sendori-Client-Win32/2.0.15 from 54.230.5.180, an IP that lookup results genuinely attribute to Sendori. Sendori's reputation is already a bit sketchy; search results for Sendori give immediate pause, but this download in particular goes beyond the pale. Given the claim that "As of October 2012, Sendori has over 1,000,000 active users", this download is alarming and indicates that something else is likely afoot with Sendori's site and/or updater process.
The URL path (to be considered hostile) is: hxxp://upgrade.sendori.com/upgrade/2_0_16/sendori-win-upgrader.exe.
MD5 hash: 9CBBAE007AC9BD4A6ACEE192175811F4
For those of you who may block or monitor for this, the updater request data follows:
GET /upgrade/2_0_16/sendori-win-upgrader.exe HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
User-Agent: Sendori-Client-Win32/2.0.15
Host: upgrade.sendori.com
VirusTotal results currently show nine malware hits (9/46).
Malwr results are rather damning and, as Kevin stated, Zeus-like. In particular, the mutexes are very reminiscent of Zeus:
CTF.TimListCache.FMPDefaultS-1-5-21-1547161642-507921405-839522115-1004
MUTEX.DefaultS-1-5-21-1547161642-507921405-839522115-1004
_!MSFTHISTORY!_
c:!documents and settings!user!local settings!temporary internet files!content.ie5!
c:!documents and settings!user!cookies!
c:!documents and settings!user!local settings!history!history.ie5!
WininetStartupMutex
WininetConnectionMutex
WininetProxyRegistryMutex
Other filenames for this sample as seen in the wild:
sendori-win-upgrader.exe
SendoriSetup-2.0.15.exe
update_flash_player.exe
14542884
output.14542884.txt
Update_flash_player.exe
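For readers who want to turn the request data, hash, mutex and filename lists above into something they can run against their own logs and sandbox output, here is an added example (not code from the diary, from ISC or from Sendori). It matches proxy log lines against the Host, path and User-Agent published above and weighs sandbox artefacts against the MD5, filename and mutex lists. The proxy log layout it parses (timestamp, client IP, method, URL, quoted User-Agent) and the sample lines are constructed for this example; note that the updater User-Agent on its own is legitimate Sendori traffic, so only the exact hostile path rates as a high-severity hit.

```python
"""Added example (not from the ISC diary or Sendori): matches proxy logs and
sandbox artefacts against the indicators published in the diary above."""
import re
from dataclasses import dataclass

# --- Indicators copied from the diary -------------------------------------
HOSTILE_HOST = "upgrade.sendori.com"
HOSTILE_PATH = "/upgrade/2_0_16/sendori-win-upgrader.exe"
UPDATER_UA = "Sendori-Client-Win32/2.0.15"
KNOWN_MD5 = {"9cbbae007ac9bd4a6acee192175811f4"}
KNOWN_FILENAMES = {
    "sendori-win-upgrader.exe",
    "sendorisetup-2.0.15.exe",
    "update_flash_player.exe",
    "output.14542884.txt",
}
# Mutex names from the Malwr report. On their own these are ordinary
# wininet/IE mutexes, so they only count as a weak signal when the whole
# set is present together.
ZEUS_LIKE_MUTEXES = {
    "_!MSFTHISTORY!_",
    "WininetStartupMutex",
    "WininetConnectionMutex",
    "WininetProxyRegistryMutex",
}

# Assumed proxy log layout (constructed for this example):
#   <timestamp> <client_ip> <method> <url> "<user-agent>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "(?P<ua>[^"]*)"$'
)
URL_RE = re.compile(r"^https?://(?P<host>[^/?#]+)(?P<path>/[^?#\s]*)?")


@dataclass
class Hit:
    client: str
    severity: str  # "high" or "medium"
    reason: str


def classify_request(line: str):
    """Return a Hit for a log line that matches the diary's indicators, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    u = URL_RE.match(m["url"])
    if not u:
        return None
    host = u["host"].lower()
    path = u["path"] or "/"
    if host == HOSTILE_HOST and path == HOSTILE_PATH:
        # Exact hostile download: the client fetched the trojanised updater.
        return Hit(m["client"], "high", "downloaded hostile Sendori upgrader")
    if host == HOSTILE_HOST and m["ua"] == UPDATER_UA:
        # Any other updater traffic to the same host: block/review per the diary.
        return Hit(m["client"], "medium", "Sendori updater contacted upgrade.sendori.com")
    return None


def scan_log(lines):
    """Run classify_request over every line and keep the hits, in log order."""
    return [h for h in (classify_request(line) for line in lines) if h is not None]


def score_sandbox_artifacts(md5: str, filenames, mutexes):
    """Weigh sandbox artefacts against the diary's hash, filename and mutex lists.

    Returns {"score": int, "reasons": [...]}: 100 for a hash match (certain),
    30 for a known dropper filename, 20 for the full Zeus-like mutex set.
    """
    score, reasons = 0, []
    if md5.lower() in KNOWN_MD5:
        score += 100
        reasons.append("known MD5")
    seen = {f.lower() for f in filenames} & KNOWN_FILENAMES
    if seen:
        score += 30
        reasons.append("known filename: " + ", ".join(sorted(seen)))
    if ZEUS_LIKE_MUTEXES <= set(mutexes):
        score += 20
        reasons.append("full Zeus-like mutex set")
    return {"score": score, "reasons": reasons}


# Constructed sample log lines (not real traffic): one hostile download,
# one ordinary updater check-in to the same host, one benign request.
SAMPLE_LOG = [
    '2013-08-28T16:58:00 10.0.0.23 GET http://upgrade.sendori.com/upgrade/2_0_16/sendori-win-upgrader.exe "Sendori-Client-Win32/2.0.15"',
    '2013-08-28T16:57:30 10.0.0.23 GET http://upgrade.sendori.com/upgrade/check "Sendori-Client-Win32/2.0.15"',
    '2013-08-28T16:59:01 10.0.0.24 GET http://www.example.com/index.html "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit.severity:6} {hit.client:12} {hit.reason}")
    print(score_sandbox_artifacts("9CBBAE007AC9BD4A6ACEE192175811F4",
                                  ["Update_flash_player.exe"], sorted(ZEUS_LIKE_MUTEXES)))
```

The scoring is deliberately asymmetric: a hash match is conclusive on its own, while the mutex set is only counted when all four names appear together, because each of them is also created by ordinary Internet Explorer and wininet activity.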
Password and credential stealing are definitely in play, and I experienced ransomware activity in my sandbox; it hijacked my VM with the "This is the FBI, you have been blocked" warning. Awesome.
It is recommended that, should you allow Sendori at all in your environments, you block update.sendori.com via web filtering for the time being.
Sendori replied to Kevin's notification; they are engaged and investigating:
Hi Kevin, we have engaged our network and security team. They will analyze and take appropriate action to resolve this issue. They will contact you if they need any additional information from you.
Thanks again for bringing this to our notice.
Thanks
Sendori Support team
Thanks for sharing, Kevin.
Readers, if you spot similar or variations on the theme, please feel free to let us know.
Russ McRee, ISC Handler, Aug 29th 2013
I checked again this morning and the file sendori-win-upgrader.exe they are hosting has now changed to a smaller version with MD5 771f2382ce00d6f8378f56510fa0da43.
I was hoping that meant the Sendori folks cleaned things up, but VirusTotal still throws 4 malware hits on the file, and a fresh Malwr analysis looks as evil as before. It looks like whoever is exploiting Sendori's auto-update system has just "freshened up" the file for better AV evasion. I updated my ticket with Sendori Support. My first sighting of this issue was on 2013-08-28 at 4:58pm EST when my first client was nailed with it.
Kevin Branch, Branch Network Consulting, www.branchnetconsulting.com
Anonymous, Aug 29th 2013
I just got off the phone with Sendori, and believe they now understand the magnitude of their problem. They agreed to my recommendations to reset their DNS management credentials and then make a DNS change to direct everyone away from the compromised CDN nodes hosting upgrade.sendori.com. Thanks to an already short TTL on that DNS record, it appears that http://upgrade.sendori.com is now no longer responding to auto-update requests.
Kevin Branch
Anonymous, Aug 29th 2013
We have also seen the same malware via our Palo Alto Wildfire.
This definitely looks like FakeAV or other trojans, and phone-homes were to Germany, along with compromised user desktops on broadband internet providers in the USA. Referring site was in Amazon's Cloud: 54.230.54.194

Behaviors:
Created a file in the Windows folder
Connected to a non standard HTTP port
Created an executable file in a user document folder
Sample used a suspicious User-Agent
Spawned new processes
Deleted itself
Injected code into another process
Modified Windows registries
Stole saved user passwords from Firefox
Downloaded executable files
Changed security settings of Internet Explorer
Created or modified files
Attempted to sleep for a long period
Used direct IP instead of host name
Started a process from a user document folder
Modified file attributes externally with attrib.exe
Malware came from a malware domain
Used the POST method in HTTP

Communications outbound (Method | URL | User Agent):
GET | crl.verisign.com/pca3-g5.crl | Microsoft-CryptoAPI/5.131.2600.2180
POST | amazon.com/gate.php | Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)
POST | 76.117.96.125/yHTpu8?XttTfjIHqxuMOfd=TUMRXwQpkyPXuKHGn&psNNPBKOXab=YDPQgwwKpWVjOBc&NhxQfjlBmVCnK=fnXpFHXSXWKTreJdA | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727)
POST | amazon.com/gate.php | Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)
POST | amazon.com/gate.php | Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)
GET | corp-firewall.com/6.exe | Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)
POST | 72.241.220.114/cb3Cnu2kv?xjLpkbEftTDJ=KpJFQcQtjEcba&MvckjpKYSQIPK | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727)
POST | 72.241.220.114/hEaldS?egFAtctlIkeuk=CypkJbtNwLKVB&crQwTHHSKOiFDc=nVVHLyBqdMSBlxi | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727)
GET | www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt | Microsoft-CryptoAPI/5.131.2600.2180
POST | 71.76.6.218/493247/481236f/index.php | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727)
POST | amazon.com/gate.php | Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)
POST | 72.241.220.114/Zb6brl?SSxQpfFfNSYnMuE=wqynRMOPiECRtJ&dawtphRknhmoh=qSMNSvPBwxkgSEtD&ofTBJYbDVtMRjrHo=CFYugXQbGovTKvaLi | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727)
POST | corp-firewall.com/gate.php | Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)
POST | 72.241.220.114/g5Wlhj?SeuBthLHpvhuka=cyQwIukBfUpmQkB&OeGiiSOJhoJ=eMiSSlWGjDikd&iPNcKNgDBa | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727)
POST | amazon.com/gate.php | Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)
POST | amazon.com/gate.php | Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)
POST | amazon.com/gate.php | Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)
GET | csc3-2010-crl.verisign.com/CSC3-2010.crl | Microsoft-CryptoAPI/5.131.2600.2180
POST | amazon.com/gate.php | Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)
POST | amazon.com/gate.php | Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)
POST | amazon.com/gate.php | Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)
GET | corp-firewall.com/1.exe?c=8 | Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)
POST | amazon.com/gate.php | Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)

Registry changes (Registry | Action):
HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5 | Delete
HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob | Set
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Personal | Set
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{e86064ca-57e4-11e0-bef8-806d6172696f}\BaseClass | Set
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common Documents | Set
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Desktop | Set
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common Desktop | Set
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass | Set
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName | Set
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet | Set
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect | Set
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache | Set
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cookies | Set
HKCU\Software\WinRAR\HWID | Set
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\AppData | Set
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common AppData | Set
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Local AppData | Set
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache | Set
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cookies | Set
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\History | Set
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Personal | Set
HKCU\Software\WinRAR\Client Hash | Set
HKCU\Software\WinRAR\AFE5E36719992528A073AB83CD79EBB3 | Set
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{e86064ca-57e4-11e0-bef8-806d6172696f}\BaseClass | Set
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common Documents | Set
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Desktop | Set
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common Desktop | Set
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass | Set
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName | Set
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet | Set
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect | Set
HKLM\SAM\SAM\Domains\Account\Users\000003E8\F | Set
HKLM\SAM\SAM\Domains\Account\Users\000001F5\F | Set
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Personal | Set
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{e86064ca-57e4-11e0-bef8-806d6172696f}\BaseClass | Set
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common Documents | Set
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Desktop | Set
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common Desktop | Set
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass | Set
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName | Set
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet | Set
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect | Set
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache | Set
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cookies | Set
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Personal | Set
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common Documents | Set
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\C\BaseClass | Set
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Desktop | Set
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common Desktop | Set
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass | Set
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName | Set
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet | Set
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect | Set
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache | Set
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cookies | Set
HKU\.DEFAULT\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\Documents and Settings\All Users\Application Data\sdsir.exe | Set
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Personal | Set
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{e86064ca-57e4-11e0-bef8-806d6172696f}\BaseClass | Set
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common Documents | Set
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Desktop | Set
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common Desktop | Set
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass | Set
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName | Set
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet | Set
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect | Set
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache | Set
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cookies | Set

Process changes (Process | Parent Process | Action):
C:\WINDOWS\system32\userinit.exe | C:\WINDOWS\system32\winlogon.exe | Terminate
C:\sample.exe | explorer.exe | Create
C:\sample.exe | C:\sample.exe | Create
C:\sample.exe | explorer.exe | Terminate
C:\Documents and Settings\Administrator\Local Settings\Temp\123812.exe | C:\sample.exe | Create
C:\Documents and Settings\Administrator\Local Settings\Temp\123812.exe | C:\Documents and Settings\Administrator\Local Settings\Temp\123812.exe | Create
C:\Documents and Settings\Administrator\Local Settings\Temp\123812.exe | C:\sample.exe | Terminate
C:\WINDOWS\system32\svchost.exe | C:\WINDOWS\explorer.exe | Create
UNKNOWN | C:\sample.exe | Create
C:\sample.exe | C:\sample.exe | Terminate
UNKNOWN | C:\sample.exe | Terminate
UNKNOWN | C:\Documents and Settings\Administrator\Local Settings\Temp\123812.exe | Create
C:\Documents and Settings\Administrator\Local Settings\Temp\123812.exe | C:\Documents and Settings\Administrator\Local Settings\Temp\123812.exe | Terminate
UNKNOWN | UNKNOWN | Create
UNKNOWN | UNKNOWN | Terminate
UNKNOWN | C:\Documents and Settings\Administrator\Local Settings\Temp\123812.exe | Terminate
C:\Documents and Settings\All Users\Application Data\sdsir.exe | UNKNOWN | Create
C:\WINDOWS\system32\svchost.exe | UNKNOWN | Create
C:\Documents and Settings\All Users\Application Data\rcrh.exe | UNKNOWN | Create
C:\Documents and Settings\All Users\Application Data\ufiaa.exe | UNKNOWN | Create
C:\Documents and Settings\All Users\Application Data\ufiaa.exe | C:\WINDOWS\system32\csrss.exe | Create
C:\Documents and Settings\All Users\Application Data\kbaj.exe | UNKNOWN | Create

File changes (File | Process | Action):
C:\Documents and Settings\Administrator\Application Data\Microsoft\CryptnetUrlCache\MetaData\2BF68F4714092295550497DD56F57004 | explorer.exe | Write
C:\Documents and Settings\Administrator\Application Data\Microsoft\CryptnetUrlCache\Content\2BF68F4714092295550497DD56F57004 | explorer.exe | Write
C:\Documents and Settings\Administrator\Application Data\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 | explorer.exe | Write
C:\Documents and Settings\Administrator\Application Data\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015 | explorer.exe | Write
C:\Documents and Settings\Administrator\Local Settings\Temp\Cab1.tmp | explorer.exe | Write
C:\Documents and Settings\Administrator\Local Settings\Temp\Tar2.tmp | explorer.exe | Write
C:\Documents and Settings\Administrator\Local Settings\Temp\Cab1.tmp | explorer.exe | Delete
C:\Documents and Settings\Administrator\Local Settings\Temp\Tar2.tmp | explorer.exe | Delete
C:\Documents and Settings\Administrator\Application Data\Microsoft\CryptnetUrlCache\MetaData\8DFDF057024880D7A081AFBF6D26B92F | explorer.exe | Write
C:\Documents and Settings\Administrator\Application Data\Microsoft\CryptnetUrlCache\Content\8DFDF057024880D7A081AFBF6D26B92F | explorer.exe | Write
C:\Documents and Settings\Administrator\Application Data\Microsoft\CryptnetUrlCache\MetaData\62B5AF9BE9ADC1085C3C56EC07A82BF6 | explorer.exe | Write
C:\Documents and Settings\Administrator\Application Data\Microsoft\CryptnetUrlCache\Content\62B5AF9BE9ADC1085C3C56EC07A82BF6 | explorer.exe | Write
C:\Documents and Settings\Administrator\Local Settings\Temp\123812.exe | C:\sample.exe | Write
C:\Documents and Settings\Administrator\Local Settings\Temp\136343.bat | C:\sample.exe | Write
C:\WINDOWS\wtxt.itn | C:\WINDOWS\system32\csrss.exe | Write
C:\WINDOWS\wtxt.itn | C:\WINDOWS\system32\winlogon.exe | Delete
C:\WINDOWS\wtxt.itn | C:\WINDOWS\explorer.exe | Write
C:\WINDOWS\wtxt.itn | C:\Program Files\Capture\CaptureClient.exe | Delete
C:\Documents and Settings\Administrator\Local Settings\Temp\2iTmBSXSlEWwMN.bat | C:\Documents and Settings\Administrator\Local Settings\Temp\123812.exe | Write
C:\WINDOWS\wtxt.itn | C:\WINDOWS\system32\svchost.exe | Delete
C:\WINDOWS\wtxt.itn | C:\WINDOWS\system32\ctfmon.exe | Delete
C:\WINDOWS\wtxt.itn | C:\WINDOWS\system32\svchost.exe | Delete
C:\WINDOWS\wtxt.itn | C:\WINDOWS\system32\cmd.exe | Delete
C:\WINDOWS\wtxt.itn | C:\WINDOWS\system32\cmd.exe | Write
C:\WINDOWS\wtxt.itn | C:\WINDOWS\system32\svchost.exe | Delete
C:\WINDOWS\wtxt.itn | C:\WINDOWS\system32\svchost.exe | Write
C:\sample.exe | UNKNOWN | Delete
C:\Documents and Settings\Administrator\Local Settings\Temp\136343.bat | UNKNOWN | Delete
C:\Documents and Settings\Administrator\Local Settings\Temp\123812.exe | UNKNOWN | Delete
C:\Documents and Settings\Administrator\Local Settings\Temp\2iTmBSXSlEWwMN.bat | UNKNOWN | Delete
C:\Documents and Settings\All Users\Application Data\bqych\fgmui.auy | C:\WINDOWS\system32\csrss.exe | Write
C:\Documents and Settings\All Users\Application Data\ufiaa.exe | C:\WINDOWS\system32\csrss.exe | Write
C:\Documents and Settings\All Users\Application Data\ufiaa.exe | C:\WINDOWS\system32\csrss.exe | Delete
C:\Documents and Settings\All Users\Application Data\bqych\fgmui.auy | C:\WINDOWS\system32\services.exe | Delete
C:\Documents and Settings\All Users\Application Data\bqych\fgmui.auy | C:\WINDOWS\system32\services.exe | Write
C:\Documents and Settings\All Users\Application Data\sdsir.exe | C:\WINDOWS\system32\services.exe | Write
C:\Documents and Settings\All Users\Application Data\rcrh.exe | C:\WINDOWS\system32\svchost.exe | Write
C:\Documents and Settings\All Users\Application Data\bqych\fgmui.auy | C:\Program Files\Capture\CaptureClient.exe | Delete
C:\Documents and Settings\All Users\Application Data\bqych\fgmui.auy | C:\Program Files\Capture\CaptureClient.exe | Write
C:\Documents and Settings\All Users\Application Data\kbaj.exe | C:\Program Files\Capture\CaptureClient.exe | Write
C:\Documents and Settings\All Users\Application Data\bqych\dovbv.bsv | C:\Documents and Settings\All Users\Application Data\sdsir.exe | Write
C:\WINDOWS\bkstr.arr | C:\Documents and Settings\All Users\Application Data\sdsir.exe | Write
C:\WINDOWS\qrrwou.svt | C:\Documents and Settings\All Users\Application Data\sdsir.exe | Write

Edward Ziots, CISSP, CISA
Edward, Aug 30th 2013
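The outbound-communication records in the Wildfire report above carry the same tells the report itself lists as behaviours (suspicious User-Agent, direct IP instead of host name, POST check-ins, executable downloads). The following added example, which is not code from the diary, from Palo Alto Networks or from Sendori, parses such "METHOD URL USER-AGENT" records and groups the suspicious ones by host; the heuristics (obsolete "Windows 98" User-Agent on an XP-era host, IP-literal hosts, POSTs to gate.php, .exe fetches) and the allow-list of certificate-check hosts are this example's own assumptions, and the sample records are copied from the report above.

```python
"""Added example (not from the ISC diary, Palo Alto Networks or Sendori):
triage the outbound-communication records of a sandbox report.

Each record is "METHOD URL USER-AGENT". The heuristics mirror the behaviours
the report flags and are this example's assumption, not Wildfire's logic."""
import re

IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
# Hosts the sandbox host legitimately contacts for certificate/CRL checks
# (assumed allow-list; a real one would be tuned to the environment).
BENIGN_HOSTS = ("verisign.com", "windowsupdate.com")


def is_benign_host(host: str) -> bool:
    """Exact or subdomain match against the allow-list (no bare suffix match)."""
    return any(host == h or host.endswith("." + h) for h in BENIGN_HOSTS)


def parse_record(record: str):
    """Split 'METHOD URL UA' into parts; the UA itself contains spaces."""
    method, url, ua = record.split(" ", 2)
    host = url.split("/", 1)[0].lower()
    path = ("/" + url.split("/", 1)[1]) if "/" in url else "/"
    return {"method": method, "host": host, "path": path.split("?", 1)[0], "ua": ua}


def suspicious_reasons(rec):
    """Return the heuristic reasons a single record looks like C2 traffic."""
    reasons = []
    if is_benign_host(rec["host"]):
        return reasons
    if IPV4_RE.match(rec["host"]):
        reasons.append("direct-IP host")
    if rec["method"] == "POST" and rec["path"].endswith("gate.php"):
        reasons.append("POST to gate.php")
    if "Windows 98" in rec["ua"]:
        reasons.append("obsolete User-Agent (Windows 98)")
    if rec["method"] == "GET" and rec["path"].endswith(".exe"):
        reasons.append("executable download")
    return reasons


def triage(records):
    """Group suspicious records by host: {host: {"count": n, "reasons": set}}."""
    out = {}
    for rec in map(parse_record, records):
        reasons = suspicious_reasons(rec)
        if not reasons:
            continue
        entry = out.setdefault(rec["host"], {"count": 0, "reasons": set()})
        entry["count"] += 1
        entry["reasons"].update(reasons)
    return out


# Records copied from the Wildfire report above (a subset, in report order).
SAMPLE_RECORDS = [
    "GET crl.verisign.com/pca3-g5.crl Microsoft-CryptoAPI/5.131.2600.2180",
    "POST amazon.com/gate.php Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)",
    "POST 76.117.96.125/yHTpu8?XttTfjIHqxuMOfd=TUMRXwQpkyPXuKHGn&psNNPBKOXab=YDPQgwwKpWVjOBc&NhxQfjlBmVCnK=fnXpFHXSXWKTreJdA Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727)",
    "GET corp-firewall.com/6.exe Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)",
    "GET www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt Microsoft-CryptoAPI/5.131.2600.2180",
    "POST corp-firewall.com/gate.php Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)",
    "POST amazon.com/gate.php Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)",
]

if __name__ == "__main__":
    for host, info in sorted(triage(SAMPLE_RECORDS).items()):
        print(f"{host:20} x{info['count']}  {', '.join(sorted(info['reasons']))}")
```

Grouping by host rather than by record is the point: a single POST to gate.php from a Windows 98 User-Agent is a curiosity, but the same host seen repeatedly with the same pattern is the beaconing behaviour the report describes, and it is the host (or IP) that ends up on the block list.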
I captured two sample files yesterday.

Sample 1
MD5: 2f616238f8b6fd8a424ecd7e899b6dec
Virustotal: https://www.virustotal.com/en/file/7ca9847feb799b1d3c108f0fcb24be187204406e0bed22de334c16b4ba1b7dff/analysis/1378447931/

GET /upgrade/Main_Branch/sendori-win-upgrader.exe HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
User-Agent: Sendori-Client-Win32/2.0.15
Host: upgrade.sendori.com

HTTP/1.1 200 OK
Server: nginx/0.8.54
Date: Thu, 05 Sep 2013 11:59:11 GMT
Content-Type: application/octet-stream
Content-Length: 96840
Last-Modified: Thu, 05 Sep 2013 07:26:58 GMT
Connection: keep-alive
Accept-Ranges: bytes

Sample 2
MD5: 2fa9437820466b947f425392b642e5ee
Virustotal: https://www.virustotal.com/en/file/f19f95769e1c41456863aaf3294bea6ced36f0223674ab0f6dd32b3c98fc31b2/analysis/1378448066/

GET /upgrade/Main_Branch/sendori-win-upgrader.exe HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
User-Agent: Sendori-Client-Win32/2.0.15
Host: upgrade.sendori.com

HTTP/1.1 200 OK
Server: nginx/0.8.54
Date: Thu, 05 Sep 2013 19:19:03 GMT
Content-Type: application/octet-stream
Content-Length: 96840
Last-Modified: Thu, 05 Sep 2013 17:15:04 GMT
Connection: keep-alive
Accept-Ranges: bytes

DNS queries while the malware is executing:
Protocol Type: udp, Qtype: Host Address, Hostname: main-firewalls.com, Imagepath: C:\sendori-win-upgrader.exe
Protocol Type: udp, Qtype: Host Address, Hostname: translate.google.com, Imagepath: C:\sendori-win-upgrader.exe
Protocol Type: udp, Qtype: Host Address, Hostname: simple-cdn-node.com, Imagepath: C:\sendori-win-upgrader.exe

Best Regards,
YF Chan
Sep 6th 2013