Suspect Sendori software

Published: 2013-08-29
Last Updated: 2013-08-29 15:29:58 UTC
by Russ McRee (Version: 1)
4 comment(s)

Reader Kevin Branch wrote in to alert us of an interesting discovery regarding Sendori. Kevin stated that two of his clients were treated to malware via the auto-update system for Sendori. In particular, they had grabbed Sendori-Client-Win32/2.0.15 from 54.230.5.180, which lookup results do attribute to Sendori. Sendori's reputation is already a bit sketchy; search results for Sendori give immediate pause, but this download in particular goes beyond the pale. With claims that "As of October 2012, Sendori has over 1,000,000 active users", this download is alarming and indicates something else is likely afoot with Sendori's site and/or updater process.

The URL path (to be considered hostile) is: hxxp://upgrade.sendori.com/upgrade/2_0_16/sendori-win-upgrader.exe.
MD5 hash: 9CBBAE007AC9BD4A6ACEE192175811F4
For those of you who may block or monitor for this, the updater request data follows:
GET /upgrade/2_0_16/sendori-win-upgrader.exe HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
User-Agent: Sendori-Client-Win32/2.0.15
Host: upgrade.sendori.com
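As an added example (not part of the diary), a small Python check a defender could run over captured HTTP requests to flag this updater fetch, plus a hash match against the MD5s quoted on this page and in its comments; the two sample requests are constructed, the first copied from the request data above.

```python
import hashlib

# Indicators quoted in the diary and its comments (hostile host, paths, MD5s).
HOSTILE_HOST = "upgrade.sendori.com"
HOSTILE_PATHS = {
    "/upgrade/2_0_16/sendori-win-upgrader.exe",
    "/upgrade/Main_Branch/sendori-win-upgrader.exe",
}
UPDATER_UA_PREFIX = "Sendori-Client-Win32/"
KNOWN_BAD_MD5 = {
    "9cbbae007ac9bd4a6acee192175811f4",  # sendori-win-upgrader.exe, 2013-08-29
    "771f2382ce00d6f8378f56510fa0da43",  # refreshed copy (Kevin's comment)
    "2f616238f8b6fd8a424ecd7e899b6dec",  # samples from YF Chan's comment
    "2fa9437820466b947f425392b642e5ee",
}

# Constructed sample requests: the first is the updater request quoted in
# the diary, the second is ordinary browsing for contrast.
DIARY_REQUEST = """GET /upgrade/2_0_16/sendori-win-upgrader.exe HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
User-Agent: Sendori-Client-Win32/2.0.15
Host: upgrade.sendori.com
"""
BENIGN_REQUEST = """GET /index.html HTTP/1.1
User-Agent: Mozilla/5.0
Host: www.example.com
"""

def parse_request(raw):
    """Split a raw HTTP request (request line plus headers) into its parts."""
    lines = raw.strip().splitlines()
    parts = lines[0].split()
    method = parts[0]
    path = parts[1] if len(parts) > 1 else ""
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "headers": headers}

def classify_request(raw):
    """'block' for the hostile updater fetch, 'watch' for any other Sendori
    updater traffic (the diary advises web-filtering the host), else 'ok'."""
    req = parse_request(raw)
    host = req["headers"].get("host", "").lower()
    ua = req["headers"].get("user-agent", "")
    if host == HOSTILE_HOST and req["path"] in HOSTILE_PATHS:
        return "block"
    if host == HOSTILE_HOST or ua.startswith(UPDATER_UA_PREFIX):
        return "watch"
    return "ok"

def md5_is_known_bad(data):
    """Compare a downloaded file's bytes against the MD5s quoted on the page."""
    return hashlib.md5(data).hexdigest() in KNOWN_BAD_MD5
```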
 
VirusTotal currently shows nine malware hits (9/46).
Malwr results are rather damning and, as Kevin stated, Zeus-like. In particular, the mutexes are very reminiscent of Zeus:
CTF.TimListCache.FMPDefaultS-1-5-21-1547161642-507921405-839522115-1004MUTEX.DefaultS-1-5-21-1547161642-507921405-839522115-1004
_!MSFTHISTORY!_
c:!documents and settings!user!local settings!temporary internet files!content.ie5!
c:!documents and settings!user!cookies!
c:!documents and settings!user!local settings!history!history.ie5!
WininetStartupMutex
WininetConnectionMutex
WininetProxyRegistryMutex
 
Other filenames for this sample as seen in the wild:
sendori-win-upgrader.exe
SendoriSetup-2.0.15.exe
update_flash_player.exe
14542884
output.14542884.txt
Update_flash_player.exe
 
Password and credential stealing are definitely in play, and I experienced ransomware activity in my sandbox; it hijacked my VM with the "This is the FBI, you have been blocked" warning. Awesome.
It is recommended that, should you allow Sendori at all in your environments, you block upgrade.sendori.com via web filtering for the time being.
 
Sendori replied to Kevin's notification; they are engaged and investigating:
Hi Kevin, we have engaged our network and security team. They will analyze and take appropriate action to resolve this issue. They will contact you if they need any additional information from you.
Thanks again for bringing this to our notice.
Thanks
Sendori Support team
 
Thanks for sharing, Kevin. 
Readers, if you spot similar or variations on the theme, please feel free to let us know.
 
 
Keywords: malware advisory

Comments

I checked again this morning and the file sendori-win-upgrader.exe they are hosting has now changed to a smaller version with MD5 771f2382ce00d6f8378f56510fa0da43.
I was hoping that meant the Sendori folks cleaned things up but VirusTotal still throws 4 malware hits on the file, and a fresh Malwr analysis looks as evil as before. It looks like whoever is exploiting Sendori's auto-update system has just "freshened up" the file for better AV evasion. I updated my ticket with Sendori Support.

My first sighting of this issue was on 2013-08-28 at 4:58pm EST when my first client was nailed with it.

Kevin Branch
Branch Network Consulting
www.branchnetconsulting.com
I just got off the phone with Sendori, and believe they now understand the magnitude of their problem. They agreed to my recommendations to reset their DNS management credentials and then make a DNS change to direct everyone away from the compromised CDN nodes hosting upgrade.sendori.com. Thanks to an already short TTL on that DNS record, it appears that http://upgrade.sendori.com is now no longer responding to auto-update requests.

Kevin Branch
We have also seen the same malware via our Palo Alto WildFire.
This definitely looks like FakeAV or other trojans; the phone-homes were to Germany, along with compromised user desktops on broadband internet providers in the USA.

Referring site was in Amazon's cloud:
54.230.54.194

Behaviors:
Created a file in the Windows folder
Connected to a non standard HTTP port
Created an executable file in a user document folder
Sample used a suspicious User-Agent
Spawned new processes
Deleted itself
Injected code into another process
Modified Windows registries
Stole saved user passwords from Firefox
Downloaded executable files
Changed security settings of Internet Explorer
Created or modified files
Attempted to sleep for a long period
Used direct IP instead of host name
Started a process from a user document folder
Modified file attributes externally with attrib.exe
Malware came from a malware domain
Used the POST method in HTTP

Communications outbound:

Registry Changes:

File changes:

Edward Ziots, CISSP, CISA
I captured two sample files yesterday.

MD5: 2f616238f8b6fd8a424ecd7e899b6dec
Virustotal: https://www.virustotal.com/en/file/7ca9847feb799b1d3c108f0fcb24be187204406e0bed22de334c16b4ba1b7dff/analysis/1378447931/
GET /upgrade/Main_Branch/sendori-win-upgrader.exe HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
User-Agent: Sendori-Client-Win32/2.0.15
Host: upgrade.sendori.com

HTTP/1.1 200 OK
Server: nginx/0.8.54
Date: Thu, 05 Sep 2013 11:59:11 GMT
Content-Type: application/octet-stream
Content-Length: 96840
Last-Modified: Thu, 05 Sep 2013 07:26:58 GMT
Connection: keep-alive
Accept-Ranges: bytes

MD5: 2fa9437820466b947f425392b642e5ee
Virustotal: https://www.virustotal.com/en/file/f19f95769e1c41456863aaf3294bea6ced36f0223674ab0f6dd32b3c98fc31b2/analysis/1378448066/
GET /upgrade/Main_Branch/sendori-win-upgrader.exe HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
User-Agent: Sendori-Client-Win32/2.0.15
Host: upgrade.sendori.com

HTTP/1.1 200 OK
Server: nginx/0.8.54
Date: Thu, 05 Sep 2013 19:19:03 GMT
Content-Type: application/octet-stream
Content-Length: 96840
Last-Modified: Thu, 05 Sep 2013 17:15:04 GMT
Connection: keep-alive
Accept-Ranges: bytes

DNS queries while the malware was executing:
Protocol Type: udp Qtype: Host Address Hostname: main-firewalls.com
Imagepath: C:\sendori-win-upgrader.exe

Protocol Type: udp Qtype: Host Address Hostname: translate.google.com
Imagepath: C:\sendori-win-upgrader.exe

Protocol Type: udp Qtype: Host Address Hostname: simple-cdn-node.com
Imagepath: C:\sendori-win-upgrader.exe


Best Regards,
YF Chan
