#MalwareMustDie - ZeuS open download
# up and alive, careful in following the lead...
# @unixfreaxjp $ date
# Mon Apr 22 21:15:14 JST 2013

// PoC:
http://urlquery.net/report.php?id=2108907

// Verdicted URL:
h00p://dp26022227.lolipop.jp/6ycg8n.exe

// downloads..
--2013-04-22 18:28:48-- h00p://dp26022227.lolipop.jp/6ycg8n.exe
Resolving dp26022227.lolipop.jp... 210.172.144.245
Caching dp26022227.lolipop.jp => 210.172.144.245
Connecting to dp26022227.lolipop.jp|210.172.144.245|:80... connected.
:
GET /6ycg8n.exe HTTP/1.1
Host: dp26022227.lolipop.jp
HTTP request sent, awaiting response...
:
HTTP/1.1 200 OK
Date: Mon, 22 Apr 2013 09:28:29 GMT
Server: Apache
Last-Modified: Mon, 15 Apr 2013 22:41:00 GMT
ETag: "868074c-4b000-f2677700"
Accept-Ranges: bytes
Content-Length: 307200
Content-Type: application/octet-stream
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
:
200 OK
Length: 307200 (300K) [application/octet-stream]
Saving to: ‘6ycg8n.exe’
2013-04-22 18:28:50 (725 KB/s) - ‘6ycg8n.exe’ saved [307200/307200]

// PE info...
Sections:
Name    VirtAddr  VirtSize  RawSize
.text   0x1000    0xe00     3584
.rdata  0x2000    0x870     2560
.data   0x3000    0x2000    512
.rsrc   0x5000    0x4904f   299520
Entry Point at 0x59e
Virtual Address is 0x40119e
Compile time: 2013-01-23 18:06:23

ExifTool:
MIMEType : application/octet-stream
Subsystem : Windows GUI
MachineType : Intel 386 or later, and compatibles
TimeStamp : 2013:01:23 19:06:23+01:00
FileType : Win32 EXE
PEType : PE32
CodeSize : 3584
LinkerVersion : 2 25
FileAccessDate : 2013:04:21 03:40:23+01:00
Warning : Invalid Version Info block
EntryPoint : 0x119e
InitializedDataSize : 302592
SubsystemVersion : 5 1
ImageVersion : 0 0
OSVersion : 5 1
FileCreateDate : 2013:04:21 03:40:23+01:00
UninitializedDataSize : 0

// header hexdump (offset, bytes, ASCII)
0000  4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00  MZ..............
0010  B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00  ........@.......
0020  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0030  00 00 00 00 00 00 00 00 01 00 00 00 80 00 00 00  ................
0040  BB 11 00 0E 1F B4 09 CD 21 B8 01 4C CD 21 90 90  ........!..L.!..
0050  54 68 69 73 20 70 72 6F 67 72 61 6D 20 6D 75 73  This program mus
0060  74 20 62 65 20 72 75 6E 20 75 6E 64 65 72 20 57  t be run under W
0070  69 6E 33 32 0A 0D 24 37 00 00 00 00 00 00 00 00  in32..$7........
0080  50 45 00 00 4C 01 04 00 9F 26 00 51 00 00 00 00  PE..L....&.Q....
0090  00 00 00 00 E0 00 0F 03 0B 01 02 19 00 0E 00 00  ................
00A0  00 9E 04 00 00 00 00 00 9E 11 00 00 00 10 00 00  ................
00B0  00 20 00 00 00 00 40 00 00 10 00 00 00 02 00 00  . ....@.........

// VT
SHA256: ebb5522800279af67e2d209c26b6c97a4c15ea6e384c5f02a51e5c1a2b92a590
SHA1: fdc202a332c52a55b4a9939bd8e8c2d0b7c1f40e
MD5: 1b55d07cb1ef519409d449ceb883999f
File size: 300.0 KB ( 307200 bytes )
File name: e68e83363dfcd5e48240116a502f0845f1f5a6c6
File type: Win32 EXE
Tags: peexe
Detection ratio: 34 / 46
Analysis date: 2013-04-21 02:31:37 UTC ( 1 day, 8 hours ago )
MicroWorld-eScan : Trojan.GenericKDZ.14448
nProtect : Trojan.GenericKDZ.14448
McAfee : PWS-FASY!1B55D07CB1EF
Malwarebytes : Malware.Packer.EGX7
K7AntiVirus : Trojan
K7GW : Trojan
Symantec : Packed.Generic.402
Norman : Hlux.WH
ESET-NOD32 : a variant of Win32/Kryptik.AYWT
TrendMicro-HouseCall : TROJ_SPNR.14DG13
Avast : Win32:Kryptik-LKV [Trj]
Kaspersky : Trojan-Spy.Win32.Zbot.kkce
BitDefender : Trojan.GenericKDZ.14448
Sophos : Mal/Zbot-KR
Comodo : TrojWare.Win32.Kryptik.AYFK
F-Secure : Trojan.GenericKDZ.14448
DrWeb : Trojan.Packed.2928
VIPRE : Trojan.Win32.Winwebsec.mdc (v)
AntiVir : TR/Spy.ZBot.EB.325
TrendMicro : TROJ_SPNR.14DG13
McAfee-GW-Edition : Heuristic.LooksLike.Win32.Suspicious.B
Emsisoft : Trojan-Spy.Win32.Zbot (A)
Kingsoft : Win32.Troj.Zbot.KK.(kcloud)
Microsoft : PWS:Win32/Zbot.gen!AM
SUPERAntiSpyware : Trojan.Agent/Gen-Fynloski
GData : Trojan.GenericKDZ.14448
Commtouch : W32/Trojan.SQKB-8856
AhnLab-V3 : Trojan/Win32.Foreign
VBA32 : OScope.Malware-Cryptor.Hlux.6413
PCTools : HeurEngine.MaliciousPacker
Ikarus : Trojan-PWS.Win32.Zbot
Fortinet : W32/Kryptik.X!tr
AVG : Crypt_s.AZD
Panda : Generic Malware

// drop files...
%AppData%\Lilagi\veiby.exe (directory name random, regex: [A-Z]{1}[a-z]{5}; file name random, regex: [a-z]{5}\.exe)
%Temp%\tmp7cf80627.bat (random, regex: tmp[a-z0-9]{8}\.bat)
%AppData%\Microsoft\Address Book\<USER>.wab

// Process...
"C:\Documents and Settings\[PC-USER]\Application Data\Lilagi\veiby.exe"
"C:\WINDOWS\system32\cmd.exe" /c "C:\DOCUME~1\[PC-USER]\LOCALS~1\Temp\tmp7cf80627.bat"

// Deletion..
%Temp%\Temp\tmp7cf80627.bat

// Registry
HKEY_CURRENT_USER\Software\Microsoft\Epnese\27h77jd0 / VALUE: TZK2ftIpZeQhBJelF7vDdg==
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC\LDAP Server ID / VALUE: 0
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot\LDAP Server ID / VALUE: 1
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\VeriSign\LDAP Server ID / VALUE: 2
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\WhoWhere\LDAP Server ID / VALUE: 3
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Server ID / VALUE: 4
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\PreConfigVer / VALUE: 4
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\PreConfigVerNTDS / VALUE: 1
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC\Account Name / VALUE: Active Directory
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC\LDAP Server / VALUE: NULL
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC\LDAP Search Return / VALUE: 100
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC\LDAP Timeout / VALUE: 60
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC\LDAP Authentication / VALUE: 2
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC\LDAP Simple Search / VALUE: 0
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC\LDAP Bind DN / VALUE: 0
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC\LDAP Port / VALUE: 196
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC\LDAP Resolve Flag / VALUE: 1
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC\LDAP Secure Connection / VALUE: 0
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC\LDAP User Name / VALUE: NULL
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC\LDAP Search Base / VALUE: NULL
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot\Account Name / VALUE: Bigfoot Internet Directory Service
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot\LDAP Server / VALUE: ldap.bigfoot.com
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot\LDAP URL / VALUE: http://www.bigfoot.com
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot\LDAP Search Return / VALUE: 100
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot\LDAP Timeout / VALUE: 60
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot\LDAP Authentication / VALUE: 0
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot\LDAP Simple Search / VALUE: 1
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot\LDAP Logo / VALUE: %ProgramFiles%\Common Files\Services\bigfoot.bmp
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\VeriSign\Account Name / VALUE: VeriSign Internet Directory Service
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\VeriSign\LDAP Server / VALUE: directory.verisign.com
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\VeriSign\LDAP URL / VALUE: http://www.verisign.com
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\VeriSign\LDAP Search Return / VALUE: 100
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\VeriSign\LDAP Timeout / VALUE: 60
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\VeriSign\LDAP Authentication / VALUE: 0
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\VeriSign\LDAP Search Base
[...]
HKEY_CURRENT_USER\Software\Microsoft\WAB\WAB4\Wab File Name\(null) / VALUE: C:\Documents and Settings\<USER>\Application Data\Microsoft\Address Book\<USER>.wab
HKEY_CURRENT_USER\Software\Microsoft\WAB\WAB4\OlkContactRefresh / VALUE: 0
HKEY_CURRENT_USER\Software\Microsoft\WAB\WAB4\OlkFolderRefresh / VALUE: 0
HKEY_CURRENT_USER\Identities\{B0BB3B42-3666-47AA-8D85-B94B99DB4C9B}\Identity Ordinal / VALUE: 1
HKEY_CURRENT_USER\Identities\Identity Ordinal / VALUE: 2
HKEY_CURRENT_USER\Software\Microsoft\Epnese\230fjh3e / VALUE:

// Network...
186.134.148.36:12460
75.6.222.103:11577
79.186.121.2:29666
195.169.125.228:29902
78.139.187.6:14384
190.21.87.83:15196

---
#MalwareMustDie