MalwareMustDie

#MalwareMustDie - ZeuS open download

Apr 22nd, 2013
#MalwareMustDie - ZeuS open download
# up and alive, careful in following the lead...
# @unixfreaxjp $ date
# Mon Apr 22 21:15:14 JST 2013

//PoC:
http://urlquery.net/report.php?id=2108907

// Verdicted URL:
h00p://dp26022227.lolipop.jp/6ycg8n.exe

// downloads..

--2013-04-22 18:28:48-- h00p://dp26022227.lolipop.jp/6ycg8n.exe
Resolving dp26022227.lolipop.jp... 210.172.144.245
Caching dp26022227.lolipop.jp => 210.172.144.245
Connecting to dp26022227.lolipop.jp|210.172.144.245|:80... connected.
:
GET /6ycg8n.exe HTTP/1.1
Host: dp26022227.lolipop.jp
HTTP request sent, awaiting response...
:
HTTP/1.1 200 OK
Date: Mon, 22 Apr 2013 09:28:29 GMT
Server: Apache
Last-Modified: Mon, 15 Apr 2013 22:41:00 GMT
ETag: "868074c-4b000-f2677700"
Accept-Ranges: bytes
Content-Length: 307200
Content-Type: application/octet-stream
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
:
200 OK
Length: 307200 (300K) [application/octet-stream]
Saving to: ‘6ycg8n.exe’
2013-04-22 18:28:50 (725 KB/s) - ‘6ycg8n.exe’ saved [307200/307200]

// PE info...

Sections (name, virtual address, virtual size, raw size):
.text  0x1000 0xe00   3584
.rdata 0x2000 0x870   2560
.data  0x3000 0x2000  512
.rsrc  0x5000 0x4904f 299520

Entry Point at 0x59e (file offset)
Virtual Address is 0x40119e
Compile time: 2013-01-23 18:06:23

ExifTool:
MIMEType : application/octet-stream
Subsystem : Windows GUI
MachineType : Intel 386 or later, and compatibles
TimeStamp : 2013:01:23 19:06:23+01:00
FileType : Win32 EXE
PEType : PE32
CodeSize : 3584
LinkerVersion : 2 25
FileAccessDate : 2013:04:21 03:40:23+01:00
Warning : Invalid Version Info block
EntryPoint : 0x119e
InitializedDataSize : 302592
SubsystemVersion : 5 1
ImageVersion : 0 0
OSVersion : 5 1
FileCreateDate : 2013:04:21 03:40:23+01:00
UninitializedDataSize : 0

0000  4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00  MZ..............
0010  B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00  ........@.......
0020  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0030  00 00 00 00 00 00 00 00 01 00 00 00 80 00 00 00  ................
0040  BB 11 00 0E 1F B4 09 CD 21 B8 01 4C CD 21 90 90  ........!..L.!..
0050  54 68 69 73 20 70 72 6F 67 72 61 6D 20 6D 75 73  This program mus
0060  74 20 62 65 20 72 75 6E 20 75 6E 64 65 72 20 57  t be run under W
0070  69 6E 33 32 0A 0D 24 37 00 00 00 00 00 00 00 00  in32..$7........
0080  50 45 00 00 4C 01 04 00 9F 26 00 51 00 00 00 00  PE..L....&.Q....
0090  00 00 00 00 E0 00 0F 03 0B 01 02 19 00 0E 00 00  ................
00A0  00 9E 04 00 00 00 00 00 9E 11 00 00 00 10 00 00  ................
00B0  00 20 00 00 00 00 40 00 00 10 00 00 00 02 00 00  . ....@.........
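The PE figures quoted above (entry point, compile time, linker version, section sizes) can all be recovered from the header bytes in the hex dump. The following parser is an added example, not code from the original paste or from MalwareMustDie: the 192 header bytes are transcribed from the dump, the section figures from the "Sections" list, and the only assumption is that the first section starts at file offset 0x400 (the file alignment from the header, and the value that yields the note's entry-point offset 0x59e). The triage hints at the end are generic static heuristics, not a verdict.

```python
"""Decode the MZ/PE header and section table of 6ycg8n.exe from the values on the page."""
import struct
from datetime import datetime, timezone

# Bytes 0x00..0xBF of the sample, transcribed row by row from the hex dump above.
HEADER = bytes.fromhex(
    "4D5A90000300000004000000FFFF0000"  # 0000  MZ header
    "B8000000000000004000000000000000"  # 0010
    "00000000000000000000000000000000"  # 0020
    "00000000000000000100000080000000"  # 0030  e_lfanew = 0x80 at offset 0x3C
    "BB11000E1FB409CD21B8014CCD219090"  # 0040  DOS stub code
    "546869732070726F6772616D206D7573"  # 0050  "This program mus"
    "742062652072756E20756E6465722057"  # 0060  "t be run under W"
    "696E33320A0D24370000000000000000"  # 0070  "in32..$7"
    "504500004C0104009F26005100000000"  # 0080  PE signature + COFF header
    "00000000E0000F030B010219000E0000"  # 0090  ... + start of optional header
    "009E0400000000009E11000000100000"  # 00A0
    "00200000000040000010000000020000"  # 00B0
)

# Section table as listed on the page: name, VirtualAddress, VirtualSize, raw size.
SECTIONS = [
    (".text",  0x1000, 0x00E00, 3584),
    (".rdata", 0x2000, 0x00870, 2560),
    (".data",  0x3000, 0x02000, 512),
    (".rsrc",  0x5000, 0x4904F, 299520),
]

# IMAGE_FILE_HEADER.Characteristics bits worth reporting during triage.
CHARACTERISTICS = {
    0x0001: "RELOCS_STRIPPED", 0x0002: "EXECUTABLE_IMAGE",
    0x0100: "32BIT_MACHINE", 0x0200: "DEBUG_STRIPPED", 0x2000: "DLL",
}


def parse_pe_header(data: bytes) -> dict:
    """Decode the DOS header, the COFF header and the first 40 bytes of the optional header."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing at e_lfanew")
    machine, nsect, stamp, _symtab, _nsyms, _opt_size, chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    (magic, lnk_major, lnk_minor, size_code, size_idata, _size_udata, entry_rva,
     _base_code, _base_data, image_base, _sect_align, file_align) = struct.unpack_from(
        "<HBBIIIIIIIII", data, e_lfanew + 24)
    if magic != 0x10B:
        raise ValueError(f"unexpected optional header magic {magic:#x}")
    return {
        "e_lfanew": e_lfanew,
        "machine": machine,                      # 0x14C = i386
        "num_sections": nsect,
        "compile_time": datetime.fromtimestamp(stamp, timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
        "characteristics": [n for bit, n in CHARACTERISTICS.items() if chars & bit],
        "linker": (lnk_major, lnk_minor),
        "size_of_code": size_code,
        "size_of_init_data": size_idata,
        "entry_rva": entry_rva,
        "image_base": image_base,
        "entry_va": image_base + entry_rva,
        "file_alignment": file_align,
    }


def section_layout(sections=SECTIONS, first_raw_ptr=0x400):
    """Assign raw file offsets, assuming sections follow the headers back to back (assumption)."""
    layout, ptr = [], first_raw_ptr
    for name, va, vsize, rawsize in sections:
        layout.append({"name": name, "va": va, "vsize": vsize, "raw": rawsize, "ptr": ptr})
        ptr += rawsize
    return layout


def rva_to_file_offset(layout, rva):
    """Map an RVA to a file offset through the section that contains it."""
    for s in layout:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["raw"]):
            return s["ptr"] + (rva - s["va"])
    raise ValueError(f"RVA {rva:#x} is not inside any section")


def expected_file_size(layout):
    """Header area plus all raw section data; should equal the HTTP Content-Length."""
    last = layout[-1]
    return last["ptr"] + last["raw"]


def triage_hints(hdr, layout):
    """Cheap static hints a triage script would log; none of them proves packing."""
    hints = []
    for s in layout:
        if s["vsize"] > 4 * max(s["raw"], 1):
            hints.append(f"{s['name']}: virtual size {s['vsize']:#x} far exceeds raw size {s['raw']:#x} (filled at run time)")
    total = expected_file_size(layout)
    rsrc = next((s for s in layout if s["name"] == ".rsrc"), None)
    if rsrc and rsrc["raw"] > 0.9 * total and hdr["size_of_code"] < 0x2000:
        hints.append(".rsrc holds most of the file behind a tiny code section (crypter-style layout)")
    return hints


if __name__ == "__main__":
    hdr, lay = parse_pe_header(HEADER), section_layout()
    for k, v in hdr.items():
        print(f"{k:20}: {v:#x}" if isinstance(v, int) else f"{k:20}: {v}")
    print(f"entry file offset   : {rva_to_file_offset(lay, hdr['entry_rva']):#x}")
    print(f"expected file size  : {expected_file_size(lay)}")
    for h in triage_hints(lay=lay, hdr=hdr):
        print("hint:", h)
```

Running it reproduces the page's numbers: e_lfanew 0x80, four sections, compile time 2013-01-23 18:06:23 UTC (ExifTool shows the same instant in +01:00), linker 2.25, entry RVA 0x119e at virtual address 0x40119e and file offset 0x59e, and a computed file size of 307200 bytes matching the Content-Length. The hints flag the .data section (8 KB virtual, 512 bytes on disk) and the 300 KB resource section sitting behind 3.5 KB of code, which is why the AV names above are mostly packer/crypter generic names.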

// VT

SHA256: ebb5522800279af67e2d209c26b6c97a4c15ea6e384c5f02a51e5c1a2b92a590
SHA1: fdc202a332c52a55b4a9939bd8e8c2d0b7c1f40e
MD5: 1b55d07cb1ef519409d449ceb883999f
File size: 300.0 KB ( 307200 bytes )
File name: e68e83363dfcd5e48240116a502f0845f1f5a6c6
File type: Win32 EXE
Tags: peexe
Detection ratio: 34 / 46
Analysis date: 2013-04-21 02:31:37 UTC ( 1 day, 8 hours ago )

MicroWorld-eScan: Trojan.GenericKDZ.14448
nProtect: Trojan.GenericKDZ.14448
McAfee: PWS-FASY!1B55D07CB1EF
Malwarebytes: Malware.Packer.EGX7
K7AntiVirus: Trojan
K7GW: Trojan
Symantec: Packed.Generic.402
Norman: Hlux.WH
ESET-NOD32: a variant of Win32/Kryptik.AYWT
TrendMicro-HouseCall: TROJ_SPNR.14DG13
Avast: Win32:Kryptik-LKV [Trj]
Kaspersky: Trojan-Spy.Win32.Zbot.kkce
BitDefender: Trojan.GenericKDZ.14448
Sophos: Mal/Zbot-KR
Comodo: TrojWare.Win32.Kryptik.AYFK
F-Secure: Trojan.GenericKDZ.14448
DrWeb: Trojan.Packed.2928
VIPRE: Trojan.Win32.Winwebsec.mdc (v)
AntiVir: TR/Spy.ZBot.EB.325
TrendMicro: TROJ_SPNR.14DG13
McAfee-GW-Edition: Heuristic.LooksLike.Win32.Suspicious.B
Emsisoft: Trojan-Spy.Win32.Zbot (A)
Kingsoft: Win32.Troj.Zbot.KK.(kcloud)
Microsoft: PWS:Win32/Zbot.gen!AM
SUPERAntiSpyware: Trojan.Agent/Gen-Fynloski
GData: Trojan.GenericKDZ.14448
Commtouch: W32/Trojan.SQKB-8856
AhnLab-V3: Trojan/Win32.Foreign
VBA32: OScope.Malware-Cryptor.Hlux.6413
PCTools: HeurEngine.MaliciousPacker
Ikarus: Trojan-PWS.Win32.Zbot
Fortinet: W32/Kryptik.X!tr
AVG: Crypt_s.AZD
Panda: Generic Malware

// drop files...

%AppData%\Lilagi\veiby.exe (directory name is random, regex: [A-Z][a-z]{5}; file name is random, regex: [a-z]{5}\.exe)
%Temp%\tmp7cf80627.bat (name is random, regex: tmp[a-z0-9]{8}\.bat)
%AppData%\Microsoft\Address Book\<USER>.wab

// Process...
C:\Documents and Settings\[PC-USER]\Application Data\Lilagi\veiby.exe""
C:\WINDOWS\system32\cmd.exe" /c "C:\DOCUME~1\[PC-USER]\LOCALS~1\Temp\tmp7cf80627.bat""

// Deletion..
%Temp%\Temp\tmp7cf80627.bat

// Registry
HKEY_CURRENT_USER\Software\Microsoft\Epnese\27h77jd0 / VALUE: TZK2ftIpZeQhBJelF7vDdg==
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC\LDAP Server ID / VALUE: 0
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot\LDAP Server ID / VALUE: 1
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\VeriSign\LDAP Server ID / VALUE: 2
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\WhoWhere\LDAP Server ID / VALUE: 3
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Server ID / VALUE: 4
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\PreConfigVer / VALUE: 4
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\PreConfigVerNTDS / VALUE: 1
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC\Account Name / VALUE: Active Directory
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC\LDAP Server / VALUE: NULL
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC\LDAP Search Return / VALUE: 100
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC\LDAP Timeout / VALUE: 60
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC\LDAP Authentication / VALUE: 2
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC\LDAP Simple Search / VALUE: 0
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC\LDAP Bind DN / VALUE: 0
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC\LDAP Port / VALUE: 196
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC\LDAP Resolve Flag / VALUE: 1
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC\LDAP Secure Connection / VALUE: 0
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC\LDAP User Name / VALUE: NULL
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC\LDAP Search Base / VALUE: NULL
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot\Account Name / VALUE: Bigfoot Internet Directory Service
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot\LDAP Server / VALUE: ldap.bigfoot.com
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot\LDAP URL / VALUE: http://www.bigfoot.com
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot\LDAP Search Return / VALUE: 100
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot\LDAP Timeout / VALUE: 60
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot\LDAP Authentication / VALUE: 0
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot\LDAP Simple Search / VALUE: 1
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot\LDAP Logo / VALUE: %ProgramFiles%\Common Files\Services\bigfoot.bmp
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\VeriSign\Account Name / VALUE: VeriSign Internet Directory Service
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\VeriSign\LDAP Server / VALUE: directory.verisign.com
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\VeriSign\LDAP URL / VALUE: http://www.verisign.com
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\VeriSign\LDAP Search Return / VALUE: 100
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\VeriSign\LDAP Timeout / VALUE: 60
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\VeriSign\LDAP Authentication / VALUE: 0
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\VeriSign\LDAP Search Base
[...]
HKEY_CURRENT_USER\Software\Microsoft\WAB\WAB4\Wab File Name\(null) / VALUE: C:\Documents and Settings\<USER>\Application Data\Microsoft\Address Book\<USER>.wab
HKEY_CURRENT_USER\Software\Microsoft\WAB\WAB4\OlkContactRefresh / VALUE: 0
HKEY_CURRENT_USER\Software\Microsoft\WAB\WAB4\OlkFolderRefresh / VALUE: 0
HKEY_CURRENT_USER\Identities\{B0BB3B42-3666-47AA-8D85-B94B99DB4C9B}\Identity Ordinal / VALUE: 1
HKEY_CURRENT_USER\Identities\Identity Ordinal / VALUE: 2
HKEY_CURRENT_USER\Software\Microsoft\Epnese\230fjh3e / VALUE:


// Network...

186.134.148.36:12460
75.6.222.103:11577
79.186.121.2:29666
195.169.125.228:29902
78.139.187.6:14384
190.21.87.83:15196

---
#MalwareMustDie
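The dropped-file patterns, the cmd.exe /c batch launch, the Epnese registry key and the six peer addresses above are all directly matchable in host and network logs. The scanner below is an added example, not part of the original paste or of MalwareMustDie's tooling: the patterns are the ones stated on the page, while the pipe-separated log format and the sample lines are constructed here, and accepting the Vista+ spelling of %AppData% (AppData\Roaming) next to the XP "Application Data" path seen in the process list is an addition beyond the page.

```python
"""Flag host and network log lines matching the ZeuS indicators listed in the note."""
import re

# Dropper executable under %AppData%: random six-letter directory ([A-Z][a-z]{5})
# holding a random five-letter .exe ([a-z]{5}.exe), both regexes from the note.
DROPPER_RE = re.compile(
    r"\\(?:Application Data|AppData\\Roaming)\\[A-Z][a-z]{5}\\[a-z]{5}\.exe\b")

# Batch file tmp[a-z0-9]{8}.bat in %Temp%, launched through cmd.exe /c
# (the 8.3 short form C:\DOCUME~1\...\LOCALS~1\Temp is what the process list shows).
BATCH_RE = re.compile(
    r'cmd\.exe"?\s+/c\s+"?[^"]*\\Temp\\tmp[a-z0-9]{8}\.bat', re.IGNORECASE)

# Registry key written by the sample; matched literally, a generalised
# [A-Z][a-z]{5} key pattern would also hit legitimate keys such as Office.
REG_RE = re.compile(r"HKEY_CURRENT_USER\\Software\\Microsoft\\Epnese\\", re.IGNORECASE)

# Peer addresses from the "Network" section.
PEERS = {
    "186.134.148.36:12460", "75.6.222.103:11577", "79.186.121.2:29666",
    "195.169.125.228:29902", "78.139.187.6:14384", "190.21.87.83:15196",
}

# Constructed sample log: PROC|image|command line, REG|key|value, NET|src|dst|dport.
SAMPLE_LOG = [
    r"PROC|C:\Documents and Settings\alice\Application Data\Lilagi\veiby.exe|veiby.exe",
    r'PROC|C:\WINDOWS\system32\cmd.exe|cmd.exe /c "C:\DOCUME~1\alice\LOCALS~1\Temp\tmp7cf80627.bat"',
    r"PROC|C:\Documents and Settings\alice\Application Data\Google\update.exe|update.exe",
    r'PROC|C:\WINDOWS\system32\cmd.exe|cmd.exe /c "C:\DOCUME~1\alice\LOCALS~1\Temp\build.bat"',
    r"REG|HKEY_CURRENT_USER\Software\Microsoft\Epnese\27h77jd0|TZK2ftIpZeQhBJelF7vDdg==",
    r"REG|HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run|Updater",
    "NET|10.0.0.12|186.134.148.36|12460",
    "NET|10.0.0.12|93.184.216.34|443",
]


def classify(line: str) -> list:
    """Return the indicator tags that a single log line triggers (empty list if none)."""
    kind, _, rest = line.partition("|")
    tags = []
    if kind == "PROC":
        if DROPPER_RE.search(rest):
            tags.append("zbot-dropper-path")
        if BATCH_RE.search(rest):
            tags.append("zbot-tmp-batch-via-cmd")
    elif kind == "REG":
        if REG_RE.search(rest):
            tags.append("zbot-registry-key")
    elif kind == "NET":
        _src, dst, dport = rest.split("|")
        if f"{dst}:{dport}" in PEERS:
            tags.append("zbot-known-peer")
    return tags


def scan(lines) -> list:
    """Run classify() over a log and keep only the lines that matched something."""
    hits = []
    for line in lines:
        tags = classify(line)
        if tags:
            hits.append((line, tags))
    return hits


if __name__ == "__main__":
    for line, tags in scan(SAMPLE_LOG):
        print(", ".join(tags), "<-", line)
```

Of the eight constructed lines, four are flagged: the veiby.exe process, the cmd.exe /c launch of the tmp batch file, the Epnese key write and the connection to 186.134.148.36:12460. The Google\update.exe line shows why the note's regexes are useful as written: the directory fits [A-Z][a-z]{5} but the six-letter file name does not fit [a-z]{5}.exe, so it is not flagged. The peer list is a point-in-time snapshot from the note; treat a miss on it as no evidence either way.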