//===============================
#MalwareMustDie! GMO analysis
$ whoami ; date
unixfreaxjp
Sat Apr 5 21:15:01 JST 2014
//===============================
Four full sets of the Gameover spam campaign analyzed:
Pic: https://twitter.com/MalwareMustDie/status/452398976986128384
2 fails (binary crashed and 404)
// 021 "HMRC..."
Relayed: (HELO ip-78-94-74-96.unitymediagroup.de) (78.94.74.96)
======> failed binary (crashed).....
// 022 xerox local scan
Relayed: (HELO 79.109.232.90.dyn.user.ono.com) (79.109.232.90)
=======> Zeus can't be downloaded (404)
And 4 succeeded; these can be used as evidence for takedown, please.
// 020 - "Homicide.. spam"
Relayed: (HELO ?14.47.238.211?) (14.47.238.211)
Relayed: (HELO ?197.155.140.130?) (197.155.140.130)
Relayed: (HELO 190-82-83-98.static.tie.cl) (190.82.83.98)
and...
// 023 "Outlook instruction spam..."
Relayed: (HELO 50-223-114-200.fibertel.com.ar) (200.114.223.50)
Relayed: (HELO pt.lu) (83.99.38.205)
Relayed: (HELO h69-129-183-234.applwi.dedicated.static.tds.net) (69.129.183.234)
GMO samples (same ones; the first VT link is the originally downloaded, decrypted binary)
https://www.virustotal.com/en/file/527acb5d7b43c1915784da2a82e9808e1401008781e65f5f68d719b4d011ba3e/analysis/
https://www.virustotal.com/en/file/ff002a7bccbdad339966124cb1c960903a493714c4558513b410542497694a28/analysis/1396698692/
UPATRE DOWNLOAD SOURCE:
chiropractorincenterville.com/wp-content/uploads/2014/04/0404USm.tax
IP: 192.254.187.227|46606 | 192.254.128.0/18 | UNIFIEDLAYER-AS-1 | US | WEBSITEWELCOME.COM | WEBSITEWELCOME.COM
DGA:
ojamxrwylyxwshgixjzormqo.com
dikzhhiealaypkbvwlemha.info
huuofukzdeguflbhmafyivkj.biz
vheaiheudairozltvxwhscx.com
hdrgcshsjbnbobylampt.ru
mnvrwhzhskyxceucztswavohcegu.org
alvohyhgypfyrsgewgifcrgifjz.net
aulbbiwslxpvvphxnjij.biz
dadgimjlbordcjnzhjzgavwfav.info
ztpuodmgehgqrwxobiptjnp.net
mvgfjvwhjfljdmjkvtpbmtg.org
ALIVE IPs (note: obtained via the domains above; not responding to HTTP POST)
23.92.19.67 POST /write HTTP/1.1
50.116.4.71 POST /write HTTP/1.1
192.81.130.196 POST /write HTTP/1.1
LOG WITH GEOIP:
Sat Apr 5 20:26:03 JST 2014|23.92.19.67|li644-67.members.linode.com.|8001 | 23.92.16.0/21 | NET-ACCESS-CORP | US | LINODE.COM | LINODE
Sat Apr 5 20:26:46 JST 2014|50.116.4.71|li430-71.members.linode.com.|6939 | 50.116.0.0/20 | HURRICANE | US | LINODE.COM | LINODE
Sat Apr 5 20:27:52 JST 2014|192.81.130.196|li592-196.members.linode.com.|6939 | 192.81.128.0/22 | HURRICANE | US | LINODE.COM | LINODE
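The DGA domain list and the alive-IP / GeoIP log above are what a defender would load into a detection rule. The following Python is an added example (not part of this paste or MalwareMustDie's tooling): it parses the pipe-delimited GeoIP log format used above, holds the eleven DGA domains and three C2 IPs as indicator sets, and matches them against constructed DNS-query and proxy log lines. The DNS and proxy log formats, the client IPs and the "dga-shaped" regex (a length and character-class heuristic derived only from the listed domains, not a specification of the DGA) are all assumptions made for this example.

```python
# Added example (not from the original paste). SAMPLE_DNS_LOG and
# SAMPLE_PROXY_LOG are constructed; GEOIP_LOG copies the paste's lines.
import re
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Indicators copied from the paste: Gameover DGA domains and the IPs that
# were alive at analysis time (each listed with "POST /write").
DGA_DOMAINS = frozenset({
    "ojamxrwylyxwshgixjzormqo.com", "dikzhhiealaypkbvwlemha.info",
    "huuofukzdeguflbhmafyivkj.biz", "vheaiheudairozltvxwhscx.com",
    "hdrgcshsjbnbobylampt.ru", "mnvrwhzhskyxceucztswavohcegu.org",
    "alvohyhgypfyrsgewgifcrgifjz.net", "aulbbiwslxpvvphxnjij.biz",
    "dadgimjlbordcjnzhjzgavwfav.info", "ztpuodmgehgqrwxobiptjnp.net",
    "mvgfjvwhjfljdmjkvtpbmtg.org",
})
C2_IPS = frozenset({"23.92.19.67", "50.116.4.71", "192.81.130.196"})

# Heuristic (assumption) derived only from the eleven domains above: one
# all-letter label of 20-28 characters directly under a TLD seen in the list.
DGA_SHAPE = re.compile(r"^[a-z]{20,28}\.(com|info|biz|net|ru|org)$")

# The paste's "LOG WITH GEOIP" lines, verbatim.
GEOIP_LOG = [
    "Sat Apr 5 20:26:03 JST 2014|23.92.19.67|li644-67.members.linode.com.|8001 | 23.92.16.0/21 | NET-ACCESS-CORP | US | LINODE.COM | LINODE",
    "Sat Apr 5 20:26:46 JST 2014|50.116.4.71|li430-71.members.linode.com.|6939 | 50.116.0.0/20 | HURRICANE | US | LINODE.COM | LINODE",
    "Sat Apr 5 20:27:52 JST 2014|192.81.130.196|li592-196.members.linode.com.|6939 | 192.81.128.0/22 | HURRICANE | US | LINODE.COM | LINODE",
]

# Constructed sample logs. Format (assumed): "ts client qname" for DNS and
# "ts client dst method path" for the proxy.
SAMPLE_DNS_LOG = [
    "2014-04-05T11:26:03Z 10.0.0.5 ojamxrwylyxwshgixjzormqo.com",
    "2014-04-05T11:26:04Z 10.0.0.5 qwertyuiopasdfghjklzxcvb.biz",
    "2014-04-05T11:26:05Z 10.0.0.7 www.example.com",
    "2014-04-05T11:26:06Z 10.0.0.7 linode.com",
]
SAMPLE_PROXY_LOG = [
    "2014-04-05T11:26:10Z 10.0.0.5 23.92.19.67 POST /write",
    "2014-04-05T11:26:11Z 10.0.0.7 93.184.216.34 GET /index.html",
    "2014-04-05T11:26:12Z 10.0.0.5 50.116.4.71 GET /write",
]


@dataclass(frozen=True)
class GeoIpRecord:
    timestamp: str
    ip: str
    rdns: str
    asn: str
    prefix: str
    as_name: str
    country: str
    org: str


def parse_geoip_line(line: str) -> GeoIpRecord:
    """Parse one GeoIP log line in the paste's layout:
    timestamp|ip|rdns|asn | prefix | asname | cc | org | org (repeated)."""
    fields = [f.strip() for f in line.split("|")]
    if len(fields) != 9:
        raise ValueError(f"expected 9 pipe-separated fields, got {len(fields)}")
    ts, ip, rdns, asn, prefix, as_name, cc, org, _org_dup = fields
    # The reverse-DNS field carries a trailing dot (FQDN form); drop it.
    return GeoIpRecord(ts, ip, rdns.rstrip("."), asn, prefix, as_name, cc, org)


def dns_hits(lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Flag queries for a listed DGA domain (exact) or a DGA-shaped name."""
    hits = []
    for line in lines:
        _ts, client, qname = line.split()
        qname = qname.lower().rstrip(".")
        if qname in DGA_DOMAINS:
            hits.append((client, qname, "listed-dga-domain"))
        elif DGA_SHAPE.match(qname):
            hits.append((client, qname, "dga-shaped"))
    return hits


def proxy_hits(lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Flag any request to a listed C2 IP; tag the paste's 'POST /write'."""
    hits = []
    for line in lines:
        _ts, client, dst, method, path = line.split()
        if dst in C2_IPS:
            tag = "post-write" if (method, path) == ("POST", "/write") else "c2-ip-only"
            hits.append((client, dst, tag))
    return hits


if __name__ == "__main__":
    for rec in map(parse_geoip_line, GEOIP_LOG):
        print(f"C2 {rec.ip} ({rec.rdns}) AS{rec.asn} {rec.as_name} {rec.country}")
    for hit in dns_hits(SAMPLE_DNS_LOG) + proxy_hits(SAMPLE_PROXY_LOG):
        print("HIT", *hit)
```

A "dga-shaped" hit on its own is only a lead for triage (long random labels also occur in legitimate CDN and tracking domains); the exact-match hits and any traffic to the three Linode IPs are the actionable indicators from this paste.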
---
#MalwareMustDie!!