API tools faq
paste
Advertisement
MalwareMustDie

Four full set of spam campaign gameovers

MalwareMustDie
Apr 5th, 2014
2,133
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
JavaScript 2.52 KB | None | 0 0
raw download clone embed print report
  1. //===============================
  2.   #MalwareMustDie! GMO analysis
  3.   $ whoami ; date
  4.   unixfreaxjp
  5.   Sat Apr  5 21:15:01 JST 2014
  6. //===============================
  7.  
  8. Four full set of spam campaign gameover analyzed:
  9. Pic: https://twitter.com/MalwareMustDie/status/452398976986128384
  10.  
  11. 2 fails (binary crashed and 404)
  12.  
  13. // 021 "HMRC..."
  14. Relayed:  (HELO ip-78-94-74-96.unitymediagroup.de) (78.94.74.96)
  15. ======> fail binary.....
  16.  
  17. // 022 xerox local scan
  18. Relayed:  (HELO 79.109.232.90.dyn.user.ono.com) (79.109.232.90)
  19. =======> Zeus cant be downloaded (404)
  20.  
  21. And 4 succeed, can be used as evidence to takedown, please.
  22.  
  23. // 020 - "Homicide..spam" ,
  24. Relayed: (HELO ?14.47.238.211?) (14.47.238.211)
  25. Relayed: (HELO ?197.155.140.130?) (197.155.140.130)
  26. Relayed: (HELO 190-82-83-98.static.tie.cl) (190.82.83.98)
  27.  
  28. and...
  29.  
  30. // 023 "Outlook instruction spam..."
  31. Relayed:  (HELO 50-223-114-200.fibertel.com.ar) (200.114.223.50)
  32. Relayed:  (HELO pt.lu) (83.99.38.205)
  33. Relayed:  (HELO h69-129-183-234.applwi.dedicated.static.tds.net) (69.129.183.234)
  34.  
  35. GMO (same ones, first VT is original downloaded decrypted bins)
  36. https://www.virustotal.com/en/file/527acb5d7b43c1915784da2a82e9808e1401008781e65f5f68d719b4d011ba3e/analysis/
  37. https://www.virustotal.com/en/file/ff002a7bccbdad339966124cb1c960903a493714c4558513b410542497694a28/analysis/1396698692/
  38.  
  39.  
  40. UPATRE DOWNLOADS SOURCE:
  41. chiropractorincenterville.com/wp-content/uploads/2014/04/0404USm.tax
  42. IP: 192.254.187.227|46606 | 192.254.128.0/18 | UNIFIEDLAYER-AS-1 | US | WEBSITEWELCOME.COM | WEBSITEWELCOME.COM
  43. $
  44.  
  45. DGA:
  46.  
  47.  ojamxrwylyxwshgixjzormqo.com
  48.  dikzhhiealaypkbvwlemha.info
  49.  huuofukzdeguflbhmafyivkj.biz
  50.  vheaiheudairozltvxwhscx.com
  51.  hdrgcshsjbnbobylampt.ru
  52.  mnvrwhzhskyxceucztswavohcegu.org
  53.  alvohyhgypfyrsgewgifcrgifjz.net
  54.  aulbbiwslxpvvphxnjij.biz
  55.  dadgimjlbordcjnzhjzgavwfav.info
  56.  ztpuodmgehgqrwxobiptjnp.net
  57.  mvgfjvwhjfljdmjkvtpbmtg.org
  58.  aulbbiwslxpvvphxnjij.biz
  59.  
  60. ALIVE IP (Noted: By domains, non responsing to HTTP POST)
  61.  
  62. 23.92.19.67     POST /write HTTP/1.1
  63. 50.116.4.71     POST /write HTTP/1.1
  64. 192.81.130.196  POST /write HTTP/1.1
  65.  
  66.  
  67. LOG WITH GEOIP:
  68. Sat Apr  5 20:26:03 JST 2014|23.92.19.67|li644-67.members.linode.com.|8001 | 23.92.16.0/21 | NET-ACCESS-CORP | US | LINODE.COM | LINODE
  69. Sat Apr  5 20:26:46 JST 2014|50.116.4.71|li430-71.members.linode.com.|6939 | 50.116.0.0/20 | HURRICANE | US | LINODE.COM | LINODE
  70. Sat Apr  5 20:27:52 JST 2014|192.81.130.196|li592-196.members.linode.com.|6939 | 192.81.128.0/22 | HURRICANE | US | LINODE.COM | LINODE
  71.  
  72. ---
  73. #MalwareMustDie!!
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!