Malware spam: "New instructions" / "instructions_document.ex

a guest
Jun 21st, 2015
Config file for the Upatre sample from the blog post 'Malware spam: "New instructions" / "instructions_document.exe"'
====================================================================================================
see: http://blog.dynamoo.com/2015/06/malware-spam-new-instructions.html

Config file extracted with this IDA script: http://www.johannesbader.ch/2015/06/Win32-Upatre-BI-Part-2-Config/#observed-config-files

45 of the 50 download targets were still active as of June 21, 2015, 11:00 CET, and all of them served the same payload. The (encrypted) payload has MD5 b845e3d0d7d4dbeb405e40d0427f4859; it decrypts to the following executable:

MD5: ad931a78fd807e691a883cb10493f59d
Virustotal: https://www.virustotal.com/en/file/5044bd53359d88684ece5868acf9be7ca4a007ee015017c809e60da372c015b6/analysis/1434879618/
Malwr: https://malwr.com/analysis/NGJkNTgxMzRkMjg5NGYzMDk5MzJlZmI1NDIzMmM5YjM/
KSA: check key

field | value | comment
--- | --- | ---
port | 13220 | range 13220-13223
accept-type | text/*, application/* |
user-agent | Mozilla/5.0 (Windows NT 6.1) AppleWebKit/538.35 (KHTML, like Gecko) Chrome/43.0.2457.82 Safari/538.35 |
malware name | jurecam.exe | in %Temp% folder
temp file | Jurecam_setup.log | in %Temp% folder
1 decrypt. key | 58535f65 |
1 check key | 06853bb0 |
C2 server | 93.93.194.202 |
nr of targets | 51 | the client-IP lookup plus the 50 download targets below
client ip | http://icanhazip.com/ | id = C21, file = HWM8.exe
download 1 | https://66.196.63.33/c_f21.zip | id = C21, file = HWM8.exe
download 2 | https://71.99.130.24/c_f21.zip | id = C21, file = HWM8.exe
download 3 | https://216.16.93.250/c_f21.zip | id = C21, file = HWM8.exe
download 4 | https://24.19.25.40/c_f21.zip | id = C21, file = HWM8.exe
download 5 | https://98.246.210.27/c_f21.zip | id = C21, file = HWM8.exe
download 6 | https://66.196.61.218/c_f21.zip | id = C21, file = HWM8.exe
download 7 | https://98.214.11.253/c_f21.zip | id = C21, file = HWM8.exe
download 8 | https://24.148.217.188/c_f21.zip | id = C21, file = HWM8.exe
download 9 | https://98.209.75.164/c_f21.zip | id = C21, file = HWM8.exe
download 10 | https://76.105.248.137/c_f21.zip | id = C21, file = HWM8.exe
download 11 | https://173.216.247.74/c_f21.zip | id = C21, file = HWM8.exe
download 12 | https://64.111.36.35/c_f21.zip | id = C21, file = HWM8.exe
download 13 | https://77.48.30.156/c_f21.zip | id = C21, file = HWM8.exe
download 14 | https://77.95.195.68/c_f21.zip | id = C21, file = HWM8.exe
download 15 | https://37.57.144.177/c_f21.zip | id = C21, file = HWM8.exe
download 16 | https://68.55.59.145/c_f21.zip | id = C21, file = HWM8.exe
download 17 | https://95.143.141.50/c_f21.zip | id = C21, file = HWM8.exe
download 18 | https://188.255.243.105/c_f21.zip | id = C21, file = HWM8.exe
download 19 | https://95.143.132.118/c_f21.zip | id = C21, file = HWM8.exe
download 20 | https://194.228.203.19/c_f21.zip | id = C21, file = HWM8.exe
download 21 | https://94.127.129.182/c_f21.zip | id = C21, file = HWM8.exe
download 22 | https://87.249.142.189/c_f21.zip | id = C21, file = HWM8.exe
download 23 | https://85.135.104.170/c_f21.zip | id = C21, file = HWM8.exe
download 24 | https://76.84.81.120/c_f21.zip | id = C21, file = HWM8.exe
download 25 | https://84.246.161.47/c_f21.zip | id = C21, file = HWM8.exe
download 26 | https://217.168.210.122/c_f21.zip | id = C21, file = HWM8.exe
download 27 | https://81.90.175.7/c_f21.zip | id = C21, file = HWM8.exe
download 28 | https://62.204.250.26/c_f21.zip | id = C21, file = HWM8.exe
download 29 | https://94.103.54.19/c_f21.zip | id = C21, file = HWM8.exe
download 30 | https://81.93.205.218/c_f21.zip | id = C21, file = HWM8.exe
download 31 | https://81.93.205.251/c_f21.zip | id = C21, file = HWM8.exe
download 32 | https://87.229.109.250/c_f21.zip | id = C21, file = HWM8.exe
download 33 | https://216.51.193.145/c_f21.zip | id = C21, file = HWM8.exe
download 34 | https://96.46.103.232/c_f21.zip | id = C21, file = HWM8.exe
download 35 | https://68.70.242.203/c_f21.zip | id = C21, file = HWM8.exe
download 36 | https://66.215.30.118/c_f21.zip | id = C21, file = HWM8.exe
download 37 | https://96.46.99.183/c_f21.zip | id = C21, file = HWM8.exe
download 38 | https://96.46.100.49/c_f21.zip | id = C21, file = HWM8.exe
download 39 | https://64.111.36.52/c_f21.zip | id = C21, file = HWM8.exe
download 40 | https://188.255.167.90/c_f21.zip | id = C21, file = HWM8.exe
download 41 | https://194.106.166.22/c_f21.zip | id = C21, file = HWM8.exe
download 42 | https://188.255.147.104/c_f21.zip | id = C21, file = HWM8.exe
download 43 | https://188.255.236.184/c_f21.zip | id = C21, file = HWM8.exe
download 44 | https://75.98.149.138/c_f21.zip | id = C21, file = HWM8.exe
download 45 | https://79.101.42.247/c_f21.zip | id = C21, file = HWM8.exe
download 46 | https://96.46.99.215/c_f21.zip | id = C21, file = HWM8.exe
download 47 | https://178.222.250.35/c_f21.zip | id = C21, file = HWM8.exe
download 48 | https://94.154.107.172/c_f21.zip | id = C21, file = HWM8.exe
download 49 | https://64.203.121.6/c_f21.zip | id = C21, file = HWM8.exe
download 50 | https://104.174.123.66/c_f21.zip | id = C21, file = HWM8.exe
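Added example, not part of the original paste or of the IDA script it references: a Python script that turns the config table above into usable indicators (download hosts, C2 port range, host artifacts, two Suricata rules) and re-runs the "N of 50 targets still active, all serving the same MD5" survey against an injectable fetch function, so the survey logic runs offline against constructed data. The table excerpt embedded in the script is copied from the rows above; the Suricata rule text and the placeholder sids 9000001/9000002 are my assumptions, not anything the paste or the blog posts provide.

```python
import hashlib
import re
from urllib.parse import urlparse

# Excerpt of the config table above (copied rows), used as sample input.
CONFIG_EXCERPT = """\
field | value | comment
--- | --- | ---
port | 13220 | range 13220-13223
user-agent | Mozilla/5.0 (Windows NT 6.1) AppleWebKit/538.35 (KHTML, like Gecko) Chrome/43.0.2457.82 Safari/538.35 |
malware name | jurecam.exe | in %Temp% folder
temp file | Jurecam_setup.log | in %Temp% folder
C2 server | 93.93.194.202 |
client ip | http://icanhazip.com/ | id = C21, file = HWM8.exe
download 1 | https://66.196.63.33/c_f21.zip | id = C21, file = HWM8.exe
download 2 | https://71.99.130.24/c_f21.zip | id = C21, file = HWM8.exe
"""

# MD5 of the encrypted payload that every live target served on June 21, 2015 (from the paste).
ENCRYPTED_PAYLOAD_MD5 = "b845e3d0d7d4dbeb405e40d0427f4859"


def parse_config(text):
    """Parse the 'field | value | comment' table into a dict.

    Plain fields map to (value, comment); 'download N' rows are collected in
    order under 'downloads'. The header and '---' separator rows are skipped.
    """
    cfg = {"downloads": []}
    for line in text.splitlines():
        cells = [c.strip() for c in line.split("|")]
        if len(cells) < 2 or cells[0] in ("field", "---"):
            continue
        field, value = cells[0], cells[1]
        comment = cells[2] if len(cells) > 2 else ""
        if re.fullmatch(r"download \d+", field):
            cfg["downloads"].append(value)
        else:
            cfg[field] = (value, comment)
    return cfg


def c2_port_range(cfg):
    """C2 port range as (low, high); the table keeps the range in the comment column."""
    value, comment = cfg["port"]
    m = re.search(r"(\d+)-(\d+)", comment)
    return (int(m.group(1)), int(m.group(2))) if m else (int(value), int(value))


def download_hosts(cfg):
    """Distinct download hosts, sorted (the /c_f21.zip path is identical on all of them)."""
    return sorted({urlparse(u).hostname for u in cfg["downloads"]})


def host_artifacts(cfg):
    """Files the sample drops in %Temp%, for endpoint sweeps."""
    return ["%Temp%\\" + cfg[k][0] for k in ("malware name", "temp file")]


def suricata_rules(cfg):
    """Two network detections derived from the config (rule text is an assumption).

    The User-Agent is a usable signature on its own: Chrome has shipped the frozen
    token AppleWebKit/537.36 since Chrome 27, while this sample claims 538.35.
    Suricata content strings need ';', '"', '|' and '\\' escaped; this UA has none.
    """
    ua = cfg["user-agent"][0]
    c2 = cfg["C2 server"][0]
    lo, hi = c2_port_range(cfg)
    ua_rule = (
        'alert http $HOME_NET any -> $EXTERNAL_NET any '
        '(msg:"Upatre fake Chrome User-Agent"; flow:established,to_server; '
        f'content:"{ua}"; http_user_agent; sid:9000001; rev:1;)'
    )
    c2_rule = (
        f'alert tcp $HOME_NET any -> {c2} {lo}:{hi} '
        '(msg:"Upatre C2 traffic"; flow:to_server; sid:9000002; rev:1;)'
    )
    return [ua_rule, c2_rule]


def md5_hex(data):
    return hashlib.md5(data).hexdigest()


def survey_targets(cfg, fetch, expected_md5=ENCRYPTED_PAYLOAD_MD5):
    """Re-run the 'N of 50 targets active' check over the download targets only.

    fetch(url) returns the response body as bytes, or None if the host is down.
    Returns which targets served the expected encrypted payload, which served
    something else (with its MD5), and which were unreachable.
    """
    result = {"matching": [], "other": {}, "down": []}
    for url in cfg["downloads"]:
        data = fetch(url)
        if data is None:
            result["down"].append(url)
        elif md5_hex(data) == expected_md5:
            result["matching"].append(url)
        else:
            result["other"][url] = md5_hex(data)
    return result


if __name__ == "__main__":
    cfg = parse_config(CONFIG_EXCERPT)
    print(download_hosts(cfg), c2_port_range(cfg), host_artifacts(cfg))
    for rule in suricata_rules(cfg):
        print(rule)
    # Constructed fetcher standing in for real HTTPS requests: one host "up", one "down".
    fake_fetch = lambda url: b"constructed payload" if "66.196.63.33" in url else None
    print(survey_targets(cfg, fake_fetch, md5_hex(b"constructed payload")))
```

To run the survey for real, pass a fetch function that does the HTTPS request from an isolated analysis host and returns the body (or None on connection failure); the download targets are plain IP addresses, so certificate verification will fail and has to be handled in that function, not here. Feed the full table rather than the excerpt to get all 50 targets.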