MalwareMustDie

#MalwareMustDie - Evidence CookEK of Malware Infector Crime

Jan 14th, 2013
====================================================================
// #MalwareMustDie - Evidence of Malware Infector
// CoolExploit Malware Infector,
// Served IP ADDRESS 64.120.190.183
// Infector URL: h00p://64.120.190.183/news/FLAT.DHTI
// Connecting to 192.168.7.11:80... seconds 0.00, connected.
// Registrant leads to bob@bobfaith.com (LOL), a hacked domain;
// it looks like some cyber criminal seriously wants to frame Bob Faith.
====================================================================

============================
INTERNET / DOMAINS/REGISTRANT
============================

// Infector domains used (with the typical CookEK callback PseudoDomain)

50f2c40a75730.buyliftem.org A 64.120.190.183
50f3308d0dc4d.mentalfocus.org A 64.120.190.183
50f2d9ddf1471.azhypnotistbob.com A 64.120.190.183
50f2afa39be68.azreptheatre.com A 64.120.190.183
50f28a4b9a4fe.tempeazhomeloans.com A 64.120.190.183
50f30534b0cb0.hypnoaz.com A 64.120.190.183
50f34659158a0.mentalfocusaz.com A 64.120.190.183
50f31ac55ce66.hypnotherapyaz.com A 64.120.190.183

All lead to the CoolExploit Malware Infector at 64.120.190.183
via URL: h00p://64.120.190.183/news/FLAT.DHTI
Evidence: pic at https://twitter.com/kafeine/status/290607837250457600

// PoC: the current pseudo domain resolves to 64.120.190.183

@unixfreaxjp /malware/checkdomains]$ date
Mon Jan 14 15:51:39 JST 2013
@unixfreaxjp /malware/checkdomains]$ dig 50f31ac55ce66.hypnotherapyaz.com

; <<>> DiG 9.8.1-P1 <<>> 50f31ac55ce66.hypnotherapyaz.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49149
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;50f31ac55ce66.hypnotherapyaz.com. IN A

;; ANSWER SECTION:
50f31ac55ce66.hypnotherapyaz.com. 1755 IN A 64.120.190.183

;; AUTHORITY SECTION:
hypnotherapyaz.com. 3555 IN NS ns16.domaincontrol.com.
hypnotherapyaz.com. 3555 IN NS ns15.domaincontrol.com.

;; ADDITIONAL SECTION:
ns15.domaincontrol.com. 768 IN A 216.69.185.8
ns16.domaincontrol.com. 3568 IN A 208.109.255.8

;; Query time: 15 msec
;; SERVER: 202.238.95.24#53(202.238.95.24)
;; WHEN: Mon Jan 14 15:51:53 2013
;; MSG SIZE rcvd: 150
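// Added example (not part of the original paste): a small Python checker that flags the pseudo-domain shape shown above, a first label of exactly 13 hex characters in front of a legitimate (hacked) parent domain, resolving to the infector IP. The reading of that label as PHP uniqid() output (8 hex chars of Unix seconds, 5 of microseconds) is my assumption, not something the paste states; decoding it dates each hostname, and the sample records are the eight lines from the list above plus two constructed benign lines.

```python
import re
from datetime import datetime, timezone

# Constructed sample input: the eight A records from the paste plus two
# benign-looking records that must NOT be flagged.
SAMPLE_RECORDS = """\
50f2c40a75730.buyliftem.org A 64.120.190.183
50f3308d0dc4d.mentalfocus.org A 64.120.190.183
50f2d9ddf1471.azhypnotistbob.com A 64.120.190.183
50f2afa39be68.azreptheatre.com A 64.120.190.183
50f28a4b9a4fe.tempeazhomeloans.com A 64.120.190.183
50f30534b0cb0.hypnoaz.com A 64.120.190.183
50f34659158a0.mentalfocusaz.com A 64.120.190.183
50f31ac55ce66.hypnotherapyaz.com A 64.120.190.183
www.hypnoaz.com A 198.51.100.10
abcdef0123456.example.net A 198.51.100.11
"""

INFECTOR_IP = "64.120.190.183"
# First label: exactly 13 lowercase hex chars, then a parent of two or more labels.
PSEUDO_RE = re.compile(r"^(?P<label>[0-9a-f]{13})\.(?P<parent>[^.\s]+(?:\.[^.\s]+)+)$")


def decode_uniqid_label(label):
    """Assumption (not stated in the paste): the label is PHP uniqid() output,
    '%08x%05x' of Unix seconds and microseconds. Returns an aware UTC datetime."""
    secs, usec = int(label[:8], 16), int(label[8:], 16)
    usec = min(usec, 999999)  # a genuine uniqid() never exceeds this; clamp if garbage
    return datetime.fromtimestamp(secs, tz=timezone.utc).replace(microsecond=usec)


def find_pseudo_domains(records, infector_ip=INFECTOR_IP):
    """Return one dict per 'name A ip' record whose name has the pseudo-domain shape
    and which resolves to the infector IP; 'parent' is the real (hacked) domain."""
    hits = []
    for line in records.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[1] != "A" or parts[2] != infector_ip:
            continue
        m = PSEUDO_RE.match(parts[0])
        if not m:
            continue
        hits.append({"fqdn": parts[0], "parent": m.group("parent"),
                     "generated": decode_uniqid_label(m.group("label"))})
    return hits


if __name__ == "__main__":
    for h in find_pseudo_domains(SAMPLE_RECORDS):
        print(h["generated"].isoformat(), h["parent"], h["fqdn"])
```

Under that assumption all eight labels decode to 13 Jan 2013 UTC, the day before the dig above was run, which is the kind of consistency check worth applying before blocking on the parent domains themselves.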

============================
DNS SERVICE USED
============================
NS15.DOMAINCONTROL.COM
NS16.DOMAINCONTROL.COM

Related DNS Service:
NSxxx.DOMAINCONTROL.COM

============================
THE REGISTRANT BEHIND THIS
============================

// the domains below were registered to the same contact:

mentalfocus.org, azhypnotistbob.com, hypnoaz.com, mentalfocusaz.com, hypnotherapyaz.com

Bob Faith Entertainment
660 S Parkcrest
Mesa, Arizona 85206
United States
bob@bobfaith.com // must be a hacked domain

(other hacked domains are also used; see the PoC/Evidence part below)

// PoC/Evidence:

Domain ID:D164373631-LROR
Domain Name:MENTALFOCUS.ORG
Created On:12-Jan-2012 20:35:36 UTC
Last Updated On:13-Jan-2013 01:35:22 UTC
Expiration Date:12-Jan-2014 20:35:36 UTC
Sponsoring Registrar:GoDaddy.com, LLC (R91-LROR)
Status:CLIENT DELETE PROHIBITED
Status:CLIENT RENEW PROHIBITED
Status:CLIENT TRANSFER PROHIBITED
Status:CLIENT UPDATE PROHIBITED
Status:AUTORENEWPERIOD
Registrant ID:CR102662608
Registrant Name:Bob Faith
Registrant Organization:Bob Faith Entertainment
Registrant Street1:660 S Parkcrest
Registrant Street2:
Registrant Street3:
Registrant City:Mesa
Registrant State/Province:Arizona
Registrant Postal Code:85206
Registrant Country:US
Registrant Phone:+1.4808980023
Registrant Phone Ext.:
Registrant FAX:+1.4808980023
Registrant FAX Ext.:
Registrant Email:bob@bobfaith.com
Admin ID:CR102662610
Admin Name:Bob Faith
Admin Organization:Bob Faith Entertainment
Admin Street1:660 S Parkcrest
Admin Street2:
Admin Street3:
Admin City:Mesa
Admin State/Province:Arizona
Admin Postal Code:85206
Admin Country:US
Admin Phone:+1.4808980023
Admin Phone Ext.:
Admin FAX:+1.4808980023
Admin FAX Ext.:
Admin Email:bob@bobfaith.com


Domain Name: AZHYPNOTISTBOB.COM
Registrar: GODADDY.COM, LLC
Whois Server: whois.godaddy.com
Referral URL: http://registrar.godaddy.com
Name Server: NS15.DOMAINCONTROL.COM
Name Server: NS16.DOMAINCONTROL.COM
Status: clientDeleteProhibited
Status: clientRenewProhibited
Status: clientTransferProhibited
Status: clientUpdateProhibited
Updated Date: 13-jan-2012
Creation Date: 13-jan-2012
Expiration Date: 13-jan-2013
Registered through: GoDaddy.com, LLC (http://www.godaddy.com)
Domain Name: AZHYPNOTISTBOB.COM
Created on: 13-Jan-12
Expires on: 13-Jan-13
Last Updated on: 13-Jan-12
Registrant:
Bob Faith Entertainment
660 S Parkcrest
Mesa, Arizona 85206
United States
Administrative Contact:
Faith, Bob bob@bobfaith.com
Bob Faith Entertainment
660 S Parkcrest
Mesa, Arizona 85206
United States
(480) 898-0023 Fax -- (480) 898-0023
Technical Contact:
Faith, Bob bob@bobfaith.com
Bob Faith Entertainment
660 S Parkcrest
Mesa, Arizona 85206
United States
(480) 898-0023 Fax -- (480) 898-0023
Domain servers in listed order:
NS15.DOMAINCONTROL.COM
NS16.DOMAINCONTROL.COM


Domain Name: HYPNOAZ.COM
Registrar: GODADDY.COM, LLC
Whois Server: whois.godaddy.com
Referral URL: http://registrar.godaddy.com
Name Server: NS15.DOMAINCONTROL.COM
Name Server: NS16.DOMAINCONTROL.COM
Status: clientDeleteProhibited
Status: clientRenewProhibited
Status: clientTransferProhibited
Status: clientUpdateProhibited
Updated Date: 13-dec-2012
Creation Date: 13-jan-2012
Expiration Date: 13-jan-2015
Registered through: GoDaddy.com, LLC (http://www.godaddy.com)
Domain Name: HYPNOAZ.COM
Created on: 13-Jan-12
Expires on: 13-Jan-15
Last Updated on: 13-Dec-12
Registrant:
Bob Faith Entertainment
660 S Parkcrest
Mesa, Arizona 85206
United States
Administrative Contact:
Faith, Bob bob@bobfaith.com
Bob Faith Entertainment
660 S Parkcrest
Mesa, Arizona 85206
United States
(480) 898-0023 Fax -- (480) 898-0023
Technical Contact:
Faith, Bob bob@bobfaith.com
Bob Faith Entertainment
660 S Parkcrest
Mesa, Arizona 85206
United States
(480) 898-0023 Fax -- (480) 898-0023
Domain servers in listed order:
NS15.DOMAINCONTROL.COM
NS16.DOMAINCONTROL.COM


Domain Name: MENTALFOCUSAZ.COM
Registrar: GODADDY.COM, LLC
Whois Server: whois.godaddy.com
Referral URL: http://registrar.godaddy.com
Name Server: NS15.DOMAINCONTROL.COM
Name Server: NS16.DOMAINCONTROL.COM
Status: clientDeleteProhibited
Status: clientRenewProhibited
Status: clientTransferProhibited
Status: clientUpdateProhibited
Updated Date: 13-jan-2013
Creation Date: 12-jan-2012
Expiration Date: 12-jan-2014
Registered through: GoDaddy.com, LLC (http://www.godaddy.com)
Domain Name: MENTALFOCUSAZ.COM
Created on: 12-Jan-12
Expires on: 12-Jan-13
Last Updated on: 12-Jan-12
Registrant:
Bob Faith Entertainment
660 S Parkcrest
Mesa, Arizona 85206
United States
Administrative Contact:
Faith, Bob bob@bobfaith.com
Bob Faith Entertainment
660 S Parkcrest
Mesa, Arizona 85206
United States
+1.4808980023 Fax -- +1.4808980023
Technical Contact:
Faith, Bob bob@bobfaith.com
Bob Faith Entertainment
660 S Parkcrest
Mesa, Arizona 85206
United States
+1.4808980023 Fax -- +1.4808980023
Domain servers in listed order:
NS15.DOMAINCONTROL.COM
NS16.DOMAINCONTROL.COM


Domain Name: HYPNOTHERAPYAZ.COM
Registrar: GODADDY.COM, LLC
Whois Server: whois.godaddy.com
Referral URL: http://registrar.godaddy.com
Name Server: NS15.DOMAINCONTROL.COM
Name Server: NS16.DOMAINCONTROL.COM
Status: clientDeleteProhibited
Status: clientRenewProhibited
Status: clientTransferProhibited
Status: clientUpdateProhibited
Updated Date: 13-jan-2012
Creation Date: 13-jan-2012
Expiration Date: 13-jan-2013
Registered through: GoDaddy.com, LLC (http://www.godaddy.com)
Domain Name: HYPNOTHERAPYAZ.COM
Created on: 13-Jan-12
Expires on: 13-Jan-13
Last Updated on: 13-Jan-12
Registrant:
Bob Faith Entertainment
660 S Parkcrest
Mesa, Arizona 85206
United States
Administrative Contact:
Faith, Bob bob@bobfaith.com
Bob Faith Entertainment
660 S Parkcrest
Mesa, Arizona 85206
United States
(480) 898-0023 Fax -- (480) 898-0023
Technical Contact:
Faith, Bob bob@bobfaith.com
Bob Faith Entertainment
660 S Parkcrest
Mesa, Arizona 85206
United States
(480) 898-0023 Fax -- (480) 898-0023
Domain servers in listed order:
NS15.DOMAINCONTROL.COM
NS16.DOMAINCONTROL.COM


Domain ID:D164348967-LROR
Domain Name:BUYLIFTEM.ORG
Created On:10-Jan-2012 16:36:00 UTC
Last Updated On:11-Jan-2013 11:21:18 UTC
Expiration Date:10-Jan-2014 16:36:00 UTC
Sponsoring Registrar:GoDaddy.com, LLC (R91-LROR)
Status:CLIENT DELETE PROHIBITED
Status:CLIENT RENEW PROHIBITED
Status:CLIENT TRANSFER PROHIBITED
Status:CLIENT UPDATE PROHIBITED
Status:AUTORENEWPERIOD
Registrant ID:CR102449532
Registrant Name:Zoe Yeoman
Registrant Organization:Lift 'Em, LLC
Registrant Street1:Post Office Box 40283
Registrant Street2:
Registrant Street3:
Registrant City:Phoenix
Registrant State/Province:Arizona
Registrant Postal Code:85067
Registrant Country:US
Registrant Phone:+1.6022341200
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email:zoeyeoman@hotmail.com
Admin ID:CR102449534
Admin Name:Zoe Yeoman
Admin Organization:Lift 'Em, LLC
Admin Street1:Post Office Box 40283
Admin Street2:
Admin Street3:
Admin City:Phoenix
Admin State/Province:Arizona
Admin Postal Code:85067
Admin Country:US
Admin Phone:+1.6022341200
Admin Phone Ext.:
Admin FAX:
Admin FAX Ext.:
Admin Email:zoeyeoman@hotmail.com


Domain Name: AZREPTHEATRE.COM
Registrar: GODADDY.COM, LLC
Whois Server: whois.godaddy.com
Referral URL: http://registrar.godaddy.com
Name Server: NS51.DOMAINCONTROL.COM
Name Server: NS52.DOMAINCONTROL.COM
Status: clientDeleteProhibited
Status: clientRenewProhibited
Status: clientTransferProhibited
Status: clientUpdateProhibited
Updated Date: 01-oct-2012
Creation Date: 30-sep-2010
Expiration Date: 30-sep-2014
Registered through: GoDaddy.com, LLC (http://www.godaddy.com)
Domain Name: AZREPTHEATRE.COM
Created on: 30-Sep-10
Expires on: 30-Sep-14
Last Updated on: 01-Oct-12
Registrant:
Domains By Proxy, LLC
DomainsByProxy.com
14747 N Northsight Blvd Suite 111, PMB 309
Scottsdale, Arizona 85260
United States
Administrative Contact:
Private, Registration AZREPTHEATRE.COM@domainsbyproxy.com
Domains By Proxy, LLC
DomainsByProxy.com
14747 N Northsight Blvd Suite 111, PMB 309
Scottsdale, Arizona 85260
United States
(480) 624-2599 Fax -- (480) 624-2598
Technical Contact:
Private, Registration AZREPTHEATRE.COM@domainsbyproxy.com
Domains By Proxy, LLC
DomainsByProxy.com
14747 N Northsight Blvd Suite 111, PMB 309
Scottsdale, Arizona 85260
United States
(480) 624-2599 Fax -- (480) 624-2598
Domain servers in listed order:
NS51.DOMAINCONTROL.COM
NS52.DOMAINCONTROL.COM


Domain Name: TEMPEAZHOMELOANS.COM
Registrar: GODADDY.COM, LLC
Whois Server: whois.godaddy.com
Referral URL: http://registrar.godaddy.com
Name Server: NS15.DOMAINCONTROL.COM
Name Server: NS16.DOMAINCONTROL.COM
Status: clientDeleteProhibited
Status: clientRenewProhibited
Status: clientTransferProhibited
Status: clientUpdateProhibited
Updated Date: 15-jan-2012
Creation Date: 15-jan-2012
Expiration Date: 15-jan-2014
Registered through: GoDaddy.com, LLC (http://www.godaddy.com)
Domain Name: TEMPEAZHOMELOANS.COM
Created on: 15-Jan-12
Expires on: 15-Jan-14
Last Updated on: 15-Jan-12
Registrant:
John Cabello
270 E. Pinion Way
Gilbert, Arizona 85234
United States
Administrative Contact:
Cabello, John john@cabellohomeloans.com
270 E. Pinion Way
Gilbert, Arizona 85234
United States
(602) 326-5626
Technical Contact:
Cabello, John john@cabellohomeloans.com
270 E. Pinion Way
Gilbert, Arizona 85234
United States
(602) 326-5626
Domain servers in listed order:
NS15.DOMAINCONTROL.COM
NS16.DOMAINCONTROL.COM


============================
ADDITIONAL: NETWORK / IP
============================

// Where it is hosted, and the abuse contact PIC

IP: 64.120.190.183
reverse IP Pointer: 64-120-190-183.static.hostnoc.net

NetRange: 64.120.128.0 - 64.120.255.255
CIDR: 64.120.128.0/17
OriginAS: AS21788
NetName: HOSTNOC-5BLK
NetHandle: NET-64-120-128-0-1
Parent: NET-64-0-0-0-0
NetType: Direct Allocation
RegDate: 2009-04-27
Updated: 2012-03-02
Ref: http://whois.arin.net/rest/net/NET-64-120-128-0-1
OrgName: Network Operations Center Inc.
OrgId: NOC
Address: PO Box 591
City: Scranton
StateProv: PA
PostalCode: 18501-0591
Country: US
RegDate: 2001-04-04
Updated: 2011-09-24
Comment: Abuse Dept: abuse@hostnoc.net
Ref: http://whois.arin.net/rest/org/NOC

OrgAbuseHandle: SMA4-ARIN
OrgAbuseName: Arcus, S. Matthew
OrgAbusePhone: +1-570-343-2200
OrgAbuseEmail: nic@hostnoc.net
OrgAbuseRef: http://whois.arin.net/rest/poc/SMA4-ARIN

----
#MalwareMustDie!