Board: Mining (Altcoins)
Topic: Re: [ANN] [1080 | 1080TI] ETHlargement - The Hashrate Hardener
Post by OhGodAGirl on 14/05/2018, 00:59:31 UTC
Devs, can you please explain the following behavior after the binary is launched?

Quote
Callback: 2.21.242.213:80
watadminsvc.exe
svchost.exe

Callback: 2.21.242.237:80
watadminsvc.exe
svchost.exe

Callback: 46.226.136.5:53

Quote
POST /6b06490d-f9fd-424c-8b6d-83edc4369e89/ HTTP/1.1
Cache-Control: no-cache
Connection: Close
Pragma: no-cache
Content-Type: application/soap+xml
User-Agent: WSDAPI
Content-Length: 733
Host: 192.168.56.153:5357

Quote
POST /fwlink/?LinkId=151645 HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: WAT
ClientContent-Length: 2500
Host: go.microsoft.com

S&gt;&lt;GROUPPEERNAME&gt;258e2e9f3bd43a297f050566f5788283bd087a85.HomeGroupPeerGroupClassifier&lt;/GROUPPEERNAME&gt;&lt;GROUPFRIENDLYNAME&gt;HomeGroup Peer Group&lt;/GROUPFRIENDLYNAME&gt;&lt;/PEERINVITATION&gt;
</INVITATION><GUIDNAME>{2D866516-217B-4A95-B31D-A9174BBCBE17}</GUIDNAME><OWNER>HAPUBWS</OWNER><OWNERID>ffff80eb2050085c6f3dee2f51f0e12ca9592d9b.HomeGroupClassifier</OWNERID><OWNERMACHINENAME>HAPUBWS-PC</OWNERMACHINENAME><LASTCHANGED>131567727744841250</LASTCHANGED><HOMEGROUPSIZE>1</HOMEGROUPSIZE><ADDRESS>[fe80::7007:58d0:7dee:d3e2%11]:3587</ADDRESS><DIGITALHASH>-----BEGIN CERTIFICATE-----
8FkcvuaS5BO6pbSEzPjpH7hORXNBnZZo4tsk3BH8Qt/tNvqIaIXH13t6xb3bcucC
mYXGg9f0t74N7HyeY3ARTfbtSvURq4HJ5RNpyIFJK0SrEfpllxNPOf40tV4hcrQe
EBBn0RIsOiFKIBZb1YscyetmIDy9fbfQeemD02Hl2jRuPr6SmbHiajDkwAh38pSA
k1XQjdcHQTHM438w0wNDNnuwI/JXEYirq0ZwblOnNPrfuc2JLFa7FJCIpc5jrHNN
2dHa3EXhFpS/euOMwWSg+Jot+bXoGlaiSBwbMQrm8JD+UvcVpim2XG42rLztZLOF
hsEzS1cGRUAJ7vqG8Q9lLA==
-----END CERTIFICATE-----
</DIGITALHASH></HOMEGROUP_RECORD>

Sandbox analysis: https://www.hybrid-analysis.com/sample/1261052e34b3205dc04f5dd9e4b76d2649dbcda738dc8e2665b07f56d659e716/5ae113157ca3e11cac3236dc

You're literally looking at something that is 100% normal and functioning in Windows. You're basically asking us to explain how Windows functions on binary launch. GG.

This just in: OhGodACompany is responsible for all Windows updates.

EDIT:

Wow, look, there are actually three addresses! Microsoft's tool is also causing a DNS request to be made to access go.microsoft.com! Wow! Totally hacked! Wow!

Wow! It's also contacting 192.168.56.153 which would create martian packets on the internet that would not get routed. Wow, totally can't be something internal to the analysis service, we are contacting the Russian mafia with silly tricks! Wow! Much hack! So scary!
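The triage the reply above does by hand (a private 192.168.x.x target is the analysis network, a WAT/WSDAPI user agent or a go.microsoft.com host is Windows background traffic, everything else gets looked up before anyone calls it C2) written out as a small Python script. This is an added example, not code from the thread or from the ETHlargement project. The callback and request lines are constructed from the quoted sandbox report, and the allowlist of benign user agents and host suffixes is an assumption made for the illustration, not a vetted list.

```python
"""Sort sandbox network callbacks into sandbox-internal traffic, Windows
background noise, and items that still need a human look.

Added example, not code from the thread or the ETHlargement project. The
sample lines are constructed from the report quoted in the post; the
allowlist below is an assumption for illustration, not a vetted list."""
import ipaddress
from dataclasses import dataclass, field

# Constructed sample input, modelled on the callbacks and requests quoted above.
SAMPLE_CALLBACKS = [
    "2.21.242.213:80",
    "2.21.242.237:80",
    "46.226.136.5:53",
    "192.168.56.153:5357",
]
SAMPLE_REQUESTS = [
    "POST /6b06490d-f9fd-424c-8b6d-83edc4369e89/ HTTP/1.1\r\n"
    "User-Agent: WSDAPI\r\nHost: 192.168.56.153:5357\r\n",
    "POST /fwlink/?LinkId=151645 HTTP/1.1\r\n"
    "User-Agent: WAT\r\nHost: go.microsoft.com\r\n",
]

# Assumption for this example: these user agents and host suffixes are treated
# as Windows background traffic (WAT is the Windows activation client, WSDAPI
# is WS-Discovery, which talks to port 5357 on the local network).
BENIGN_USER_AGENTS = {"WAT", "WSDAPI"}
BENIGN_HOST_SUFFIXES = ("microsoft.com",)

LABEL_INTERNAL = "sandbox-internal"   # cannot be reached from the internet
LABEL_NOISE = "windows-noise"         # matches the benign allowlist
LABEL_REVIEW = "review"               # nothing above applies; look it up


@dataclass
class Verdict:
    target: str
    label: str
    reasons: list = field(default_factory=list)


def _as_ip(host):
    """Return an ip_address for a literal IPv4/IPv6 host, or None for a name."""
    try:
        return ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        return None


def _not_routable(ip):
    """RFC 1918, link-local and loopback space never reaches the internet."""
    return ip.is_private or ip.is_link_local or ip.is_loopback


def _host_allowed(hostname):
    """Suffix match that does not let 'notmicrosoft.com' slip through."""
    h = hostname.lower()
    return any(h == s or h.endswith("." + s) for s in BENIGN_HOST_SUFFIXES)


def classify_address(hostport):
    """Classify a 'host:port' callback from the sandbox's network summary."""
    host, _, port = hostport.rpartition(":") if ":" in hostport else (hostport, "", "")
    ip = _as_ip(host)
    if ip is not None and _not_routable(ip):
        return Verdict(hostport, LABEL_INTERNAL,
                       [f"{ip} is not globally routable; it is the analysis network"])
    reasons = []
    if port == "53":
        reasons.append("port 53: a DNS lookup; the queried name matters, not the resolver")
    reasons.append("external address; resolve its owner before calling it C2")
    return Verdict(hostport, LABEL_REVIEW, reasons)


def parse_request(raw):
    """Split a raw HTTP request dump into (method, path, headers)."""
    lines = raw.split("\r\n")
    method, _, rest = lines[0].partition(" ")
    path = rest.rsplit(" HTTP/", 1)[0]
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return method, path, headers


def classify_request(raw):
    """Classify an HTTP request using its Host and User-Agent headers."""
    method, path, headers = parse_request(raw)
    host = headers.get("host", "")
    hostname = host.rsplit(":", 1)[0] if host.count(":") == 1 else host
    user_agent = headers.get("user-agent", "")
    target = f"{method} {host}{path}"
    ip = _as_ip(hostname)
    if ip is not None and _not_routable(ip):
        return Verdict(target, LABEL_INTERNAL, [f"Host {hostname} is not globally routable"])
    if user_agent in BENIGN_USER_AGENTS:
        return Verdict(target, LABEL_NOISE, [f"User-Agent {user_agent} is on the allowlist"])
    if _host_allowed(hostname):
        return Verdict(target, LABEL_NOISE, [f"Host {hostname} is on the allowlist"])
    return Verdict(target, LABEL_REVIEW, ["no allowlist match; inspect path and body"])


def triage(callbacks, requests):
    """Return {label: [target, ...]} for every callback and request in a report."""
    verdicts = [classify_address(c) for c in callbacks]
    verdicts += [classify_request(r) for r in requests]
    buckets = {LABEL_INTERNAL: [], LABEL_NOISE: [], LABEL_REVIEW: []}
    for v in verdicts:
        buckets[v.label].append(v.target)
    return buckets


if __name__ == "__main__":
    for label, targets in triage(SAMPLE_CALLBACKS, SAMPLE_REQUESTS).items():
        print(f"{label}:")
        for t in targets:
            print(f"  {t}")
```

On the quoted report this puts the 192.168.56.153:5357 callback and the WSDAPI POST in the sandbox-internal bucket, the WAT request to go.microsoft.com in the Windows-noise bucket, and the three external addresses (two on port 80, one on port 53) in the review bucket; the script deliberately does not claim to know who owns those, since that is what the review step is for.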