https://www.google.co.kr/webhp?hl=ko&tab=ww#newwindow=1&hl=ko&q=cgi-bin+post.cgi+rovnix
https://www.hybrid-analysis.com/sample/86ba46b22c7f217d03100df507daa550456dc57fc2132f0f6fedb4da198a1693?environmentId=2
Sends POST ~~~~/post.cgi HTTP/1.0 to a specific server; the request body carries the system information shown below.
POST /cgi-bin/251115/post.cgi HTTP/1.0
====================================================================================
[0]
LP=1
[2]
VID=3447292517
====================================================================================
[0]
ID=-- default --
LP=C:\Users\PSPUBWS\AppData\Local\Temp\L3447292517
[2]
D=0
OS=Windows 7 Home Premium Edition / Service Pack 1 / 64 bit
FS=NTFS
VID=3447292517
[1]
ID=
D=10.12.2015
T=06:39:39
CPID=568
CFN=C:\Users\PSPUBWS\AppData\Local\Temp\dhl invoice.exe
PPID=1920
PFN=DHLnx__dhl_wfdp_.scr.exe
CDR=C:\Users\PSPUBWS\AppData\Local\Temp
CUSR=PSPUBWS-PC\PSPUBWS
EUSR=PSPUBWS-PC\PSPUBWS
LVL=HIGH
[3]
E=1
====================================================================================
[0]
ID=-- default --
LP=C:\Users\PSPUBWS\AppData\Local\Temp\L3447292517
[2]
D=0
OS=Windows 7 Home Premium Edition / Service Pack 1 / 64 bit
FS=NTFS
VID=3447292517
[1]
ID=
D=10.12.2015
T=06:39:39
CPID=568
CFN=C:\Users\PSPUBWS\AppData\Local\Temp\dhl invoice.exe
PPID=1920
PFN=DHLnx__dhl_wfdp_.scr.exe
CDR=C:\Users\PSPUBWS\AppData\Local\Temp
CUSR=PSPUBWS-PC\PSPUBWS
EUSR=PSPUBWS-PC\PSPUBWS
LVL=HIGH
[3]
E=1
OS=6.1 [7601,2]
[7]
ALD=1,0
ASD=1,0
BSD=1,0
[8]
CF=1,0
RO=1,0,0
RS=1,0
[4]
BKI=1
http://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/tspy_rovnix.ypob
.{1,100}\/cgi\-bin\/.{1,10}\/post\.cgi
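An added example (not code from this note or from the sample analysed) that parses the INI-like beacon body above into its numbered sections and applies the URI regex above to HTTP request lines; the sample body is constructed from the fields seen in the capture, and `is_rovnix_uri`, `parse_beacon` and `summarize` are names chosen here.

```python
import re

SECTION = re.compile(r"^\[(\d+)\]$")          # section headers like [0], [2]
URI_PATTERN = re.compile(r".{1,100}\/cgi\-bin\/.{1,10}\/post\.cgi")  # regex from the note
# Constructed sample body: the fields seen in the captured request above, abbreviated.
SAMPLE_BODY = r"""[0]
ID=-- default --
LP=C:\Users\PSPUBWS\AppData\Local\Temp\L3447292517
[2]
D=0
OS=Windows 7 Home Premium Edition / Service Pack 1 / 64 bit
FS=NTFS
VID=3447292517
[1]
CFN=C:\Users\PSPUBWS\AppData\Local\Temp\dhl invoice.exe
CUSR=PSPUBWS-PC\PSPUBWS
LVL=HIGH
[3]
E=1
"""

def is_rovnix_uri(request_line):
    """True if an HTTP request line matches the /cgi-bin/<id>/post.cgi pattern."""
    return URI_PATTERN.search(request_line) is not None

def parse_beacon(body):
    """Parse the body into [(section_number, {key: value}), ...]; sections may repeat."""
    sections, current = [], None
    for raw in body.splitlines():
        line = raw.strip()
        if not line or line.startswith("="):     # blank lines and '====' request separators
            continue
        m = SECTION.match(line)
        if m:
            current = (int(m.group(1)), {})
            sections.append(current)
            continue
        key, sep, value = line.partition("=")    # split on the first '=' only
        if sep and current is not None:
            current[1][key] = value
    return sections

def summarize(body):
    """Collect the host-identifying fields a responder wants from one beacon."""
    merged = {}
    for _, kv in parse_beacon(body):
        merged.update(kv)
    return {k: merged.get(k) for k in ("VID", "OS", "CFN", "PFN", "CUSR", "LVL")}
```

Running `summarize` over each block between the `====` separators shows which fields the beacon adds on later check-ins, and `is_rovnix_uri` can be applied to proxy log request lines.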
-- default --
pqqdrfqqnq
TTGU\DVPDU