- ================================
- # MalwareMustDie!
- Case: JDB Exploit Kit Dropped
- A Nayrabot IRC Malware with:
- 1) USB worm autorunner;
- 2) UDP flood;
- 3) Bot Killer;
- 4) Downloader;
- 5) Can update itself.
- ================================
- 0x00004D !This program cannot be run in DOS mode.
- 0x0001C8 .data
- 0x0001F0 .idata
- 0x000218 .rsrc
- 0x00023F @.reloc
- 0x000768 Botkiller
- 0x000774 Successfully Killed And Removed Malicious File: "%s"
- 0x000800 Usage: %s IP PORT DELAY LENGTH
- 0x000828 Failed To Start Thread: "%d"
- 0x00084C Failed: Mis Parameter
- 0x000868 WinINet
- 0x000874 Failed: "%d"
- 0x000884 Visit
- 0x00088C Failed: Mis Parameter, Usage: %s [SHOW/HIDE] [URL]
- 0x0008D4 Filed To Visit: "%s"
- 0x0008F0 Successfully Visited: "%s"
- 0x000920 %s #%s
- 0x00092C %s %s
- 0x000940 Terminated WGet Thread
- 0x000964 Running From: "%s"
- 0x00097C [%s][%s] - "%s"
- 0x000990 hh':'mm':'ss
- 0x0009E8 {%s}: %s
- 0x000A18 Update Complete, Uninstalling
- 0x000A3C Successfully Executed Process: "%s"
- 0x000A68 Failed To Create Process: "%s", Reason: "%d"
- 0x000AA0 Successfully Replaced AryaN File With Newly Download File, Update Will Take Affect On Next Reboot
- 0x000B48 Successfully Downloaded File To: "%s"
- 0x000B78 Downloading File: "%s"
- 0x000B94 Download
- 0x000C40 IsWow64Process
- 0x000C84 h00p://api.wipmania.com/
- 0x0013D4 PRIVMSG
- 0x00145C Config
- 0x001464 Failed to load config
- 0x00152C AryaN{%s-%s-x%d}%s
- 0x001544 New{%s-%s-x%d}%s
- 0x001558 %s "" "%s" :%s
- 0x00156C %s %s
- 0x001574 %s %s :[AryaN]: %s
- 0x001590 %s %s %s
- 0x0015A4 Finished Flooding "%s:%d"
- 0x0015C4 Terminated UDP Flood Thread
- 0x0015E8 %d%d%d%d%d%d%d%d
- 0x001600 Flooding: "%s:%d", Delay: "%d(ms)", For "%d" Seconds
- 0x0017A4 LNK Infected Removable Device: "%s\", Created: "%d" Lnk Files
- 0x0019B4 AutoRun Infected Removable Device: "%s\"
- 0x00848A wcsstr
- 0x008494 memset
- 0x00849E _snwprintf
- 0x0084AC wcscmp
- 0x0084BE strncmp
- 0x0084C8 strstr
- 0x0084D2 _snprintf
- 0x0084DE strcmp
- 0x0084E8 strncpy
- 0x0084FA printf
- 0x008504 _vsnprintf
- 0x008512 wprintf
- 0x00851C _vsnwprintf
- 0x00852A srand
- 0x008532 strlen
- 0x00853C wcstombs
- 0x008548 mbstowcs
- 0x008554 strcpy
- 0x00855E memcpy
- 0x008568 _wcsicmp
- 0x008574 malloc
- 0x008586 wcscpy
- 0x008590 realloc
- 0x00859A strtok
- 0x0085A4 fclose
- 0x0085AE fwprintf
- 0x0085BA _wfopen
- 0x0085C2 MSVCRT.dll
- 0x0085D0 HeapFree
- 0x0085DC ExpandEnvironmentStringsW
- 0x0085F8 HeapAlloc
- 0x008604 CloseHandle
- 0x008612 Process32NextW
- 0x008624 DeleteFileW
- 0x008632 MoveFileW
- 0x00863E SetFileAttributesW
- 0x008654 Sleep
- 0x00865C Process32FirstW
- 0x00866E CreateToolhelp32Snapshot
- 0x00868A lstrlenA
- 0x008696 SetThreadPriority
- 0x0086AA GetLastError
- 0x0086BA CreateThread
- 0x0086CA GetLocaleInfoA
- 0x0086DC TerminateThread
- 0x0086EE GetModuleFileNameA
- 0x008704 GetModuleHandleA
- 0x008718 GetTimeFormatA
- 0x00872A GetTimeFormatW
- 0x00873C OutputDebugStringA
- 0x008752 OutputDebugStringW
- 0x008768 ReleaseMutex
- 0x008778 WaitForSingleObject
- 0x00878E WriteFile
- 0x00879A CreateFileW
- 0x0087A8 GetTickCount
- 0x0087B8 SetLastError
- 0x0087C8 FindNextFileW
- 0x0087D8 FindNextFileA
- 0x0087E8 OpenProcess
- 0x0087F6 GetProcAddress
- 0x008808 LoadLibraryW
- 0x008818 GetFileAttributesW
- 0x00882E GetVersionExA
- 0x00883E ReadFile
- 0x00884A GetFileSize
- 0x008858 CreateMutexW
- 0x008868 OpenMutexW
- 0x008876 GetProcessHeap
- 0x008888 CreateRemoteThread
- 0x00889E WriteProcessMemory
- 0x0088B4 VirtualProtectEx
- 0x0088C8 VirtualAllocEx
- 0x0088DA ReadProcessMemory
- 0x0088EE GetCurrentProcess
- 0x008902 VirtualAlloc
- 0x008912 GetCurrentProcessId
- 0x008928 LockResource
- 0x008938 LoadResource
- 0x008948 SizeofResource
- 0x00895A FindResourceW
- 0x00896A ExitProcess
- 0x008978 ExitThread
- 0x008986 GetDriveTypeW
- 0x008996 GetModuleFileNameW
- 0x0089AC GetModuleHandleW
- 0x0089C0 SetErrorMode
- 0x0089D0 CreateProcessW
- 0x0089E2 TerminateProcess
- 0x0089F6 lstrlenW
- 0x008A02 CreateEventW
- 0x008A12 CreateDirectoryW
- 0x008A26 CopyFileW
- 0x008A32 FindFirstFileW
- 0x008A44 GetLogicalDriveStringsW
- 0x008A5C KERNEL32.dll
- 0x008A6A WS2_32.dll
- 0x008A78 PathAppendW
- 0x008A84 SHLWAPI.dll
- 0x008A92 InternetReadFile
- 0x008AA6 InternetOpenUrlA
- 0x008ABA InternetCloseHandle
- 0x008AD0 InternetOpenW
- 0x008ADE WININET.dll
- 0x008AEC CoCreateInstance
- 0x008B00 CoUninitialize
- 0x008B12 CoInitialize
- 0x008B20 ole32.dll
- 0x008B2C GetModuleFileNameExW
- 0x008B42 PSAPI.DLL
- 0x008B4E ShellExecuteA
- 0x008B5E SHGetFolderPathW
- 0x008B70 SHELL32.dll
- 0x008B7E RegCloseKey
- 0x008B8C RegDeleteValueW
- 0x008B9E RegCreateKeyExW
- 0x008BB0 RegQueryValueExW
- 0x008BC4 RegOpenKeyExW
- 0x008BD4 RegSetValueExW
- 0x008BE6 RegNotifyChangeKeyValue
- 0x008C00 GetUserNameW
- 0x008C0E ADVAPI32.dll
- 0x008E88 vnKA7LAG9gOBFXnAYVnhjJUrmhdgXrPA
- 0x00071D %userprofile%
- 0x000740 %appdata%
- 0x000758 %temp%
- 0x0007B4 %s\removethis_%d%d%d.exe
- 0x0009C8 hh':'mm':'ss
- 0x0009F4 {%s}: %s
- 0x000B18 %temp%\oldfile.exe
- 0x000BA0 Mozilla/5.0 (compatible)
- 0x000BDC %s\%d%d%d.exe
- 0x000C00 explorer.exe
- 0x000C20 Kernel32.dll
- 0x000C60 %s-deadlock
- 0x000CA4 %s\SysWOW64
- 0x001170 advapi32.dll
- 0x001190 comsupp.dll
- 0x0011AC shell32.dll
- 0x0011C8 wininet.dll
- 0x0011E4 shlwapi.dll
- 0x001200 dnsapi.dll
- 0x00121C user32.dll
- 0x001238 ws2_32.dll
- 0x001254 psapi.dll
- 0x00126C Ole32.dll
- 0x001284 kernel32.dll
- 0x0012A4 msvcrt.dll
- 0x0012C0 dwm.exe
- 0x0012D4 alg.exe
- 0x0012E8 csrss.exe
- 0x001300 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- 0x001370 %s-readfile
- 0x001448 cmd.exe
- 0x0014BC Software\Microsoft\Windows\CurrentVersion\Run
- 0x001640 %temp%\deletethis.exe
- 0x001674 Removable_Drive.exe
- 0x0016BC %s\{%s-%s}
- 0x0016D8 /k "%s" Open %s
- 0x001700 %windir%\System32\cmd.exe
- 0x001740 %s\Removable_Drive.exe
- 0x001778 %s\%s
- 0x001788 %s\%s.lnk
- 0x001990 %s\autorun.inf
- ---
- #MalwareMustDie!