- Nov 26, 2016
Hello guys, I am new to the FireEye NX2400. Malware was detected on my network; I don't have a background in malware analysis. Can somebody help me figure these things out?
Code:
<?xml version="1.0" encoding="utf-8" ?>
<alert id="5234" name="malware-callback" severity="crit">
  <explanation analysis="content" protocol="tcp">
    <malware-detected>
      <malware name="Backdoor.APT.Mirage" sid="33352722" stype="bot-command" />
    </malware-detected>
    <cnc-services>
      <cnc-service port="80" protocol="tcp">
        <address>107.151.206.103</address>
        <location>US/WY/Cheyenne</location>
        <channel>POST /search%3Fgid%3Dgfadpbdbptcpajedsxbwpnugpemgzofa HTTP/1.1 Accept: */* Pragma: no-cache Cache-Control: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; Tablet PC 2.0) Content-Type: application/x-www-form-urlencoded Connection: Close Host: 107.151.206.103 Content-Length: 320 \251\221\200\377\311\322{\314\307$=\321\350\250\351(\226}t\3500\243\237\332A4\275\226Kh\245\240\212\207\350\260\257,\373\303__\370\334]\314Xg\250\242\243\315\246?\225*`L\224.{\230\323\362\313\361\200\266\377\366t\334\352y>\325e8\346g~\222\237tY*B\277\000\374J6\361\225\212\340\262\312\214\277\366\316\245q_\251*8\257\262\371\2574\304\337q\345\226\356\314\370!*b=\244\224}\340S\353\243\215z@\364\370S^\326\321\357\331\377\324\310D\232\202\303\226\304c+m\321U\324#\3454\206\336\274\300+wC\342\234#t\353\340\241\305\305?p<P\261\312\346\241\347\363\253\374nY\203\210U"\341\316\262\321\3146\335\325\235\324xFW|\245q \231%\345J\233\271\232\327%Q\335\232\220*\311 \223\307\260\271\233cq\300\274lL\205|\201\341n\331\362\215\3379\362,0\363\237cV\321\304\362G\373&\261\350\214?\250\260\232\235\237\2228\224\272!?\336s\314-\336Q</channel>
      </cnc-service>
    </cnc-services>
  </explanation>
  <src vlan="0">
    <ip>--</ip>
    <port>50931</port>
    <mac>--</mac>
  </src>
  <dst>
    <ip>107.151.206.103</ip>
    <mac>--</mac>
    <port>80</port>
  </dst>
  <locations>US/WY/Cheyenne</locations>
  <occurred>2016-11-26T03:50:33Z</occurred>
  <interface label="A" mode="inline">pether4</interface>
  <alert-url>--</alert-url>
  <action>blocked</action>
</alert>
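As an added example (not from the original post and not FireEye's own code), a small Python triage script for a malware-callback alert of this shape. It pulls out what an analyst reads first: the signature that fired, the C2 address and port, the victim, the sensor's verdict, and the HTTP request in `<channel>`, whose headers the console has flattened onto one line and whose non-printable body bytes are shown as C-style octal escapes. The element paths come from the XML above; the embedded sample alert is constructed (shortened body, documentation-range addresses) and the export is assumed to be well-formed XML.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import unquote

# Constructed sample alert: same layout as the one posted above, with the callback body
# shortened and addresses replaced by documentation-range values. rb"" keeps \NNN literal.
SAMPLE_ALERT = rb"""<?xml version="1.0" encoding="utf-8" ?>
<alert id="5234" name="malware-callback" severity="crit">
  <explanation analysis="content" protocol="tcp">
    <malware-detected><malware name="Backdoor.APT.Mirage" sid="33352722" stype="bot-command" /></malware-detected>
    <cnc-services><cnc-service port="80" protocol="tcp">
      <address>203.0.113.10</address>
      <channel>POST /search%3Fgid%3Dabc HTTP/1.1 Accept: */* User-Agent: Mozilla/4.0 (compatible; MSIE 7.0) Content-Type: application/x-www-form-urlencoded Connection: Close Host: 203.0.113.10 Content-Length: 6 \251\221\200\377AB</channel>
    </cnc-service></cnc-services>
  </explanation>
  <src vlan="0"><ip>10.0.0.5</ip><port>50931</port><mac>--</mac></src>
  <action>blocked</action>
</alert>"""

def decode_octal_escapes(text: str) -> bytes:
    """Turn the console's C-style \\NNN escapes back into the raw bytes that went over the wire."""
    return re.sub(rb"\\([0-7]{1,3})", lambda m: bytes([int(m.group(1), 8) & 0xFF]),
                  text.encode("latin-1"))

def parse_channel(channel: str) -> dict:
    """Split the one-line <channel> dump into request line, headers and decoded body."""
    m = re.search(r"Content-Length: (\d+) ", channel)
    head, body_text = (channel[:m.end()], channel[m.end():]) if m else (channel, "")
    parts = re.split(r" (?=[A-Za-z][A-Za-z0-9-]*: )", head.strip())  # headers were flattened onto one line
    method, path, _version = parts[0].split(" ", 2)
    headers = dict(p.split(": ", 1) for p in parts[1:])
    body = decode_octal_escapes(body_text)
    return {"method": method, "path": path, "headers": headers, "body": body,
            "length_ok": headers.get("Content-Length") == str(len(body))}

def triage(alert_xml: bytes) -> dict:
    """Pull out the fields an analyst checks first: what fired, where it talked to, what was sent."""
    root = ET.fromstring(alert_xml)
    mal = root.find("./explanation/malware-detected/malware")
    cnc = root.find("./explanation/cnc-services/cnc-service")
    req = parse_channel(cnc.findtext("channel", ""))
    return {"alert_id": root.get("id"), "severity": root.get("severity"), "malware": mal.get("name"),
            "c2": f"{cnc.findtext('address')}:{cnc.get('port')}/{cnc.get('protocol')}",
            "victim": root.findtext("./src/ip"), "action": root.findtext("action"),
            "request": f"{req['method']} {unquote(req['path'])}",  # %3F -> '?', %3D -> '='
            "user_agent": req["headers"].get("User-Agent"), "body_bytes": len(req["body"]),
            "length_ok": req["length_ok"]}

if __name__ == "__main__":
    for k, v in triage(SAMPLE_ALERT).items():
        print(f"{k:>11}: {v}")
```

Run against the posted alert, the same code shows a percent-encoded POST to /search?gid=..., a 320-byte binary body whose length matches the declared Content-Length, and an inline sensor verdict of blocked.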