Config file for the Upatre sample from the post 'Malware spam: "New instructions" / "instructions_document.exe"'
====================================================================================================
see: http://blog.dynamoo.com/2015/06/malware-spam-new-instructions.html
Config file extracted with this IDA script: http://www.johannesbader.ch/2015/06/Win32-Upatre-BI-Part-2-Config/#observed-config-files
45 of the 50 download targets were still active as of June 21, 2015 11:00 CET, all delivering the same payload. The (encrypted) payload has the MD5 sum b845e3d0d7d4dbeb405e40d0427f4859. It decrypts to the following executable:
MD5: ad931a78fd807e691a883cb10493f59d
Virustotal: https://www.virustotal.com/en/file/5044bd53359d88684ece5868acf9be7ca4a007ee015017c809e60da372c015b6/analysis/1434879618/
Malwr: https://malwr.com/analysis/NGJkNTgxMzRkMjg5NGYzMDk5MzJlZmI1NDIzMmM5YjM/
KSA: check key
field | value | comment
--- | --- | ---
port | 13220 | range 13220-13223
accept-type | text/*, application/* |
user-agent | Mozilla/5.0 (Windows NT 6.1) AppleWebKit/538.35 (KHTML, like Gecko) Chrome/43.0.2457.82 Safari/538.35 |
malware name | jurecam.exe | in %Temp% folder
temp file | Jurecam_setup.log | in %Temp% folder
1 decrypt. key | 58535f65 |
1 check key | 06853bb0 |
C2 server | 93.93.194.202 |
nr of targets | 51 | the 50 downloads below plus the client-ip check
client ip | http://icanhazip.com/ | id = C21, file = HWM8.exe
download 1 | https://66.196.63.33/c_f21.zip | id = C21, file = HWM8.exe
download 2 | https://71.99.130.24/c_f21.zip | id = C21, file = HWM8.exe
download 3 | https://216.16.93.250/c_f21.zip | id = C21, file = HWM8.exe
download 4 | https://24.19.25.40/c_f21.zip | id = C21, file = HWM8.exe
download 5 | https://98.246.210.27/c_f21.zip | id = C21, file = HWM8.exe
download 6 | https://66.196.61.218/c_f21.zip | id = C21, file = HWM8.exe
download 7 | https://98.214.11.253/c_f21.zip | id = C21, file = HWM8.exe
download 8 | https://24.148.217.188/c_f21.zip | id = C21, file = HWM8.exe
download 9 | https://98.209.75.164/c_f21.zip | id = C21, file = HWM8.exe
download 10 | https://76.105.248.137/c_f21.zip | id = C21, file = HWM8.exe
download 11 | https://173.216.247.74/c_f21.zip | id = C21, file = HWM8.exe
download 12 | https://64.111.36.35/c_f21.zip | id = C21, file = HWM8.exe
download 13 | https://77.48.30.156/c_f21.zip | id = C21, file = HWM8.exe
download 14 | https://77.95.195.68/c_f21.zip | id = C21, file = HWM8.exe
download 15 | https://37.57.144.177/c_f21.zip | id = C21, file = HWM8.exe
download 16 | https://68.55.59.145/c_f21.zip | id = C21, file = HWM8.exe
download 17 | https://95.143.141.50/c_f21.zip | id = C21, file = HWM8.exe
download 18 | https://188.255.243.105/c_f21.zip | id = C21, file = HWM8.exe
download 19 | https://95.143.132.118/c_f21.zip | id = C21, file = HWM8.exe
download 20 | https://194.228.203.19/c_f21.zip | id = C21, file = HWM8.exe
download 21 | https://94.127.129.182/c_f21.zip | id = C21, file = HWM8.exe
download 22 | https://87.249.142.189/c_f21.zip | id = C21, file = HWM8.exe
download 23 | https://85.135.104.170/c_f21.zip | id = C21, file = HWM8.exe
download 24 | https://76.84.81.120/c_f21.zip | id = C21, file = HWM8.exe
download 25 | https://84.246.161.47/c_f21.zip | id = C21, file = HWM8.exe
download 26 | https://217.168.210.122/c_f21.zip | id = C21, file = HWM8.exe
download 27 | https://81.90.175.7/c_f21.zip | id = C21, file = HWM8.exe
download 28 | https://62.204.250.26/c_f21.zip | id = C21, file = HWM8.exe
download 29 | https://94.103.54.19/c_f21.zip | id = C21, file = HWM8.exe
download 30 | https://81.93.205.218/c_f21.zip | id = C21, file = HWM8.exe
download 31 | https://81.93.205.251/c_f21.zip | id = C21, file = HWM8.exe
download 32 | https://87.229.109.250/c_f21.zip | id = C21, file = HWM8.exe
download 33 | https://216.51.193.145/c_f21.zip | id = C21, file = HWM8.exe
download 34 | https://96.46.103.232/c_f21.zip | id = C21, file = HWM8.exe
download 35 | https://68.70.242.203/c_f21.zip | id = C21, file = HWM8.exe
download 36 | https://66.215.30.118/c_f21.zip | id = C21, file = HWM8.exe
download 37 | https://96.46.99.183/c_f21.zip | id = C21, file = HWM8.exe
download 38 | https://96.46.100.49/c_f21.zip | id = C21, file = HWM8.exe
download 39 | https://64.111.36.52/c_f21.zip | id = C21, file = HWM8.exe
download 40 | https://188.255.167.90/c_f21.zip | id = C21, file = HWM8.exe
download 41 | https://194.106.166.22/c_f21.zip | id = C21, file = HWM8.exe
download 42 | https://188.255.147.104/c_f21.zip | id = C21, file = HWM8.exe
download 43 | https://188.255.236.184/c_f21.zip | id = C21, file = HWM8.exe
download 44 | https://75.98.149.138/c_f21.zip | id = C21, file = HWM8.exe
download 45 | https://79.101.42.247/c_f21.zip | id = C21, file = HWM8.exe
download 46 | https://96.46.99.215/c_f21.zip | id = C21, file = HWM8.exe
download 47 | https://178.222.250.35/c_f21.zip | id = C21, file = HWM8.exe
download 48 | https://94.154.107.172/c_f21.zip | id = C21, file = HWM8.exe
download 49 | https://64.203.121.6/c_f21.zip | id = C21, file = HWM8.exe
download 50 | https://104.174.123.66/c_f21.zip | id = C21, file = HWM8.exe
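Added example (not part of the original paste, and not Johannes Bader's extraction script): the Python below parses the config table into indicators and runs them over a handful of constructed proxy/firewall log lines. The table excerpt embedded in the code keeps only three of the fifty download rows, and the log format and log lines are made up for the example; the indicator values themselves are the ones listed on this page. Two points a detection engineer should keep in mind: the download URLs are HTTPS to bare IP addresses, so a proxy without TLS interception only sees the CONNECT to the host and the path /c_f21.zip is only matchable when the proxy decrypts; and the C2 row is matched on the whole 13220-13223 range given in the port comment, not on 13220 alone. The user-agent string is worth matching exactly: a genuine Chrome 43 reports AppleWebKit/537.36 and a 43.0.2357.x build, so the 538.35 / 43.0.2457.82 string from this config does not collide with real browser traffic.

```python
"""Scan proxy / firewall log lines for the Upatre indicators listed in the config table."""
import re
from urllib.parse import urlsplit

# Excerpt of the config table from this page (three of the fifty download rows);
# paste the whole table here, or read it from a file, for real use.
CONFIG_TABLE = """\
port | 13220 | range 13220-13223
user-agent | Mozilla/5.0 (Windows NT 6.1) AppleWebKit/538.35 (KHTML, like Gecko) Chrome/43.0.2457.82 Safari/538.35 |
malware name | jurecam.exe | in %Temp% folder
C2 server | 93.93.194.202 |
client ip | http://icanhazip.com/ |
download 1 | https://66.196.63.33/c_f21.zip | id = C21, file = HWM8.exe
download 2 | https://71.99.130.24/c_f21.zip | id = C21, file = HWM8.exe
download 50 | https://104.174.123.66/c_f21.zip | id = C21, file = HWM8.exe
"""

UPATRE_UA = ("Mozilla/5.0 (Windows NT 6.1) AppleWebKit/538.35 (KHTML, like Gecko) "
             "Chrome/43.0.2457.82 Safari/538.35")
# A real Chrome 43 string for contrast (537.36 / 2357.x, unlike the config's 538.35 / 2457.82).
GENUINE_UA = ("Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) "
              "Chrome/43.0.2357.81 Safari/537.36")

# Constructed log lines in a made-up format:  ts client dst:port method url "user-agent"
SAMPLE_LOG = [
    # ordinary browsing from the same workstation
    f'2015-06-21T11:00:02 10.0.0.17 198.51.100.10:443 GET https://example.com/ "{GENUINE_UA}"',
    # infected host looks up its public IP (weak on its own, strong with the UA)
    f'2015-06-21T11:02:13 10.0.0.17 198.51.100.20:80 GET http://icanhazip.com/ "{UPATRE_UA}"',
    # payload fetch as a non-intercepting proxy sees it: only the CONNECT to the host
    f'2015-06-21T11:02:14 10.0.0.17 66.196.63.33:443 CONNECT - "{UPATRE_UA}"',
    # the same fetch through an intercepting proxy: the path becomes visible
    f'2015-06-21T11:02:14 10.0.0.17 66.196.63.33:443 GET https://66.196.63.33/c_f21.zip "{UPATRE_UA}"',
    # firewall record of the C2 check-in (no HTTP details available)
    '2015-06-21T11:02:20 10.0.0.17 93.93.194.202:13221 TCP - ""',
    # a different client reaching the C2 address on an unrelated port: not flagged
    '2015-06-21T11:05:00 10.0.0.42 93.93.194.202:443 CONNECT - ""',
]

LOG_RE = re.compile(r'^(?P<ts>\S+) (?P<client>\S+) (?P<dst>[\d.]+):(?P<port>\d+) '
                    r'(?P<method>\S+) (?P<url>\S+) "(?P<ua>[^"]*)"$')


def parse_config_table(text):
    """Turn 'field | value | comment' rows into {field: (value, comment)};
    the numbered download rows are collected as a list under 'downloads'."""
    cfg = {"downloads": []}
    for raw in text.splitlines():
        parts = [p.strip() for p in raw.strip().lstrip("-").strip().split("|")]
        if len(parts) < 2 or parts[0] in ("", "field", "---"):
            continue  # header, separator or blank row
        key, value = parts[0], parts[1]
        comment = parts[2] if len(parts) > 2 else ""
        if key.startswith("download"):
            cfg["downloads"].append(value)
        else:
            cfg[key] = (value, comment)
    return cfg


def build_indicators(cfg):
    """Derive matchable indicators from the parsed config."""
    port, port_comment = cfg["port"]
    m = re.search(r"range\s+(\d+)-(\d+)", port_comment)
    lo, hi = (int(m.group(1)), int(m.group(2))) if m else (int(port), int(port))
    return {
        "c2": cfg["C2 server"][0],
        "c2_ports": set(range(lo, hi + 1)),
        "ua": cfg["user-agent"][0],
        "ip_check": urlsplit(cfg["client ip"][0]).hostname,
        "hosts": {urlsplit(u).hostname for u in cfg["downloads"]},
        "paths": {urlsplit(u).path for u in cfg["downloads"]},
    }


INDICATORS = build_indicators(parse_config_table(CONFIG_TABLE))


def classify(line, ind):
    """Return the names of the indicators a single log line matches (empty if none)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    dst, port, url, ua = m["dst"], int(m["port"]), m["url"], m["ua"]
    hits = []
    if dst == ind["c2"] and port in ind["c2_ports"]:
        hits.append("c2-beacon")
    if dst in ind["hosts"]:
        hits.append("payload-host")
    if urlsplit(url).path in ind["paths"]:  # only visible behind TLS interception
        hits.append("payload-path")
    if ua == ind["ua"]:
        hits.append("upatre-user-agent")
    if urlsplit(url).hostname == ind["ip_check"]:  # weak: legitimate tools use it too
        hits.append("external-ip-check")
    return hits


def scan(lines, ind):
    """Scan log lines; return [(client, hits)] for every line matching any indicator."""
    results = []
    for line in lines:
        hits = classify(line, ind)
        if hits:
            results.append((LOG_RE.match(line)["client"], hits))
    return results


if __name__ == "__main__":
    for client, hits in scan(SAMPLE_LOG, INDICATORS):
        print(client, ", ".join(hits))
```

The CONNECT line shows why the user-agent and destination host matter more than the path in practice: without interception, "payload-host" plus "upatre-user-agent" is all a proxy can give you, and the firewall-only C2 line carries no HTTP fields at all, so the port range is the sole pivot there. Treat "external-ip-check" as supporting evidence only; on its own it is not worth an alert.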