
Hi guys,

My first post here; I don't even know whether this is the right place.

One thing I am sure of is that I need some help here.

I tested a few banking Trojans on my lab computer, and I am trying to find out how they steal people's logins.

I monitored network activity after executing the malware. There are some DNS queries to foreign IPs, some of them have HTTP queries to GET some files from other sites, and some have POST activity.

It is very good to find these; however, I could not figure out whether all these IPs or sites have something to do with the "info chain".

Example here:

DNS query www.xxxx.org.

Outgoing tcp connection to IP: xx3.xx5.xx8.xx1 PORT: 80 (http)

http query: http://www.xxxx.org:80 POST /components/xxx/assets/xxx.php HTTP/1.0

Is the domain www.xxxx.org a "drop zone"? Is all the collected info dropped to the xxxx.php file?

I thought so until I got another confusing result:

This is what I got from a Facebook malware sample:

DNS query: smtp.mail.ru.

Outgoing tcp connection to IP: 2xx.xx4.x8.1x7 PORT: 25 (smtp)

SMTP message

Outgoing tcp connection to IP: 2xx.1xx.2x.5x PORT: 8080 (webcache)

Outgoing udp connection to IP: 2xx.1xx.2x.5x PORT: 53 (domain)

Outgoing connection to IP: 2xx.1xx.2x.5x PORT:53

I am no network professional, but smtp.mail.ru seems like a very genuine domain, right? And what are all the smtp, webcache and domain entries doing here?

I am very interested in this malware analysis stuff; hope we can have a good discussion here~

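A small triage script for exactly the kind of sandbox output shown in the post, added here as an example (not the poster's code or tooling). It parses the one-line events, links each connection to the DNS lookup that immediately precedes it (the sandbox shows the queries but not the answers, so that link is an assumption), and tags each line with a heuristic: POSTs to a server-side script and SMTP sessions as places where collected data may leave ("drop zone" candidates), GETs as downloads to inspect, and port 53 on a host that is also contacted on other ports as likely supporting infrastructure rather than a drop zone. The sample log is constructed from the events listed above, redactions included; the tags are prompts for the analyst to confirm against the packet payloads, not verdicts.

```python
"""Triage of outbound connections from a malware sandbox run.

Added example, not code from the original post. SAMPLE_LOG is constructed
to mirror the shape of the events the post lists (redacted digits kept);
the tags are heuristics for an analyst to confirm, not verdicts.
"""
import re
from collections import defaultdict

# Constructed sample, modelled on the two runs described in the post.
SAMPLE_LOG = """\
DNS query www.xxxx.org.
Outgoing tcp connection to IP: xx3.xx5.xx8.xx1 PORT: 80 (http)
http query: http://www.xxxx.org:80 POST /components/xxx/assets/xxx.php HTTP/1.0
DNS query: smtp.mail.ru.
Outgoing tcp connection to IP: 2xx.xx4.x8.1x7 PORT: 25 (smtp)
SMTP message
Outgoing tcp connection to IP: 2xx.1xx.2x.5x PORT: 8080 (webcache)
Outgoing udp connection to IP: 2xx.1xx.2x.5x PORT: 53 (domain)
Outgoing connection to IP: 2xx.1xx.2x.5x PORT:53
"""

DNS_RE = re.compile(r"^DNS query:?\s+(\S+?)\.?$")
# Protocol and "(service)" suffix are optional: the post's last line has neither.
CONN_RE = re.compile(
    r"^Outgoing (?:(tcp|udp) )?connection to IP:\s*(\S+)\s+PORT:\s*(\d+)(?:\s*\((\w+)\))?"
)
HTTP_RE = re.compile(r"^http query:\s+(\S+)\s+(GET|POST)\s+(\S+)")


def parse_events(text):
    """Turn the sandbox's one-line events into dicts, keeping the raw line.

    A connection is linked to a DNS query only when the query is the event
    right before it (assumption: the lookup was for that connection).
    """
    events = []
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        prev_dns = events[-1]["host"] if events and events[-1]["kind"] == "dns" else None
        if m := DNS_RE.match(raw):
            events.append({"kind": "dns", "host": m.group(1).rstrip("."), "raw": raw})
        elif m := CONN_RE.match(raw):
            events.append({"kind": "conn", "proto": m.group(1) or "?", "ip": m.group(2),
                           "port": int(m.group(3)), "svc": m.group(4),
                           "host": prev_dns, "raw": raw})
        elif m := HTTP_RE.match(raw):
            events.append({"kind": "http", "url": m.group(1), "method": m.group(2),
                           "path": m.group(3), "raw": raw})
        elif raw.startswith("SMTP message"):
            events.append({"kind": "smtp", "raw": raw})
        else:
            events.append({"kind": "other", "raw": raw})
    return events


def triage(events):
    """Attach heuristic tags to each event.

    Tag prefixes: DROP-ZONE? (collected data may leave here), DOWNLOAD?
    (something fetched), INFRA? (resolver/proxy-style support traffic), NOTE.
    """
    ports_by_ip = defaultdict(set)
    for e in events:
        if e["kind"] == "conn":
            ports_by_ip[e["ip"]].add(e["port"])

    findings = []
    for e in events:
        tags = []
        if e["kind"] == "http":
            if e["method"] == "POST":
                what = "server-side script" if e["path"].endswith((".php", ".asp", ".aspx")) else "URL"
                tags.append(f"DROP-ZONE? POST to {what} {e['path']}: inspect the body for stolen fields")
            else:
                tags.append(f"DOWNLOAD? GET {e['path']}: check what was fetched (second stage, config)")
        elif e["kind"] == "conn":
            if e["port"] == 25:
                tags.append("DROP-ZONE? SMTP session: the provider domain can be genuine; "
                            "the recipient mailbox in the message is what identifies the attacker")
            others = sorted(ports_by_ip[e["ip"]] - {53})
            if e["port"] == 53 and others:
                tags.append(f"INFRA? port 53 on a host also used on {others}: "
                            "resolver or proxy rather than a drop zone, check the DNS payload")
            if e["host"] is None:
                tags.append("NOTE no DNS lookup right before this connection (hard-coded address?)")
        findings.append((e["raw"], tags))
    return findings


def drop_zone_candidates(findings):
    """Raw lines the heuristics flag as places where collected data may be sent."""
    return [raw for raw, tags in findings if any(t.startswith("DROP-ZONE?") for t in tags)]


if __name__ == "__main__":
    for raw, tags in triage(parse_events(SAMPLE_LOG)):
        print(raw)
        for t in tags:
            print("   ", t)
```

On the post's own data this flags the POST to xxx.php and the port-25 session as the two exfiltration candidates, and marks the 2xx.1xx.2x.5x traffic on 8080 plus 53 as probable support infrastructure that arrived without any DNS lookup. Confirming any of it still means opening the POST body and the SMTP message in the capture; the script only tells you where to look first.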