Untitled (Pastebin paste by a guest, Dec 20th, 2017)

,-------------------------------------,
/                                     /
/     PEST CONTROL   August 2017      /
/                                     /
`-------------------------------------`
[ASCII rat logo]


[Ratting on the RATTERS - issue 0x01]

$ whoami
fox

RATTING is sad. RATTING is lame.


--------------------------------------------------------------
| 0x1 // Discover Samples                                    |
--------------------------------------------------------------

Find stubs / packers / misc malware using YouTube keywords.
These are typically "bait": cheat tools, hacking tools, etc.

YouTube is a common place to spread malware.

Example to find a live sample:

Site ........ https://www.youtube.com
Keywords .... Hack tool download
Result ...... https://www.youtube.com/watch?v=RDAzC1rxTts

--------------------------------------------------------------
| 0x2 // Grab those links                                    |
--------------------------------------------------------------

Investigate any linked information on the YouTube account.

A linked rar archive download from the video description:
https://mega.nz/#!h2YjjKzD!e--XB1wQ0J8a9hKMq3_AgyJCdYXFCHnnYIe0-skk3Dw

--------------------------------------------------------------
| 0x3 // Dig deeper                                          |
--------------------------------------------------------------

Let's take a closer look at this download and see if we can find
any valuable information, such as the C2 server.

$ unrar e Rust\ Plantinum\ Cracked.rar

$ ls
ClientPlugin.dll                    SQLite.Interop.dll
Rust Plantinum Cracked 1.5.7.exe    System.Data.SQLite.dll

$ file Rust\ Plantinum\ Cracked\ 1.5.7.exe
Rust Plantinum Cracked 1.5.7.exe: PE32 executable (GUI) Intel 80386, for MS Windows

Send that binded junk to VirusTotal. Looks like it's a new sample.

Detection ratio: 58 / 63
https://virustotal.com/en/file/0af9b967683c3e19661951bed41c8ad3eac0607147b71b0c745443206c57a2d1/analysis/1503789652/

Well that's boring, we already know what this junk is just by
looking at that. We know it's a cheat tool that is binded
to a trojan. Instead of examining this sample in a VM, we
can simply check for hardcoded strings within the sample.

To save time, we can use kevthehermit's RATDecoder.

[+] Reading file
[+] Searching for Config
[+] Printing Config to screen
[-] Key: CampaignID        Value: Guest16
[-] Key: Domains           Value: mrwhite8391.ddns.net:8015
[-] Key: FTPHost           Value:
[-] Key: FTPKeyLogs        Value:
[-] Key: FTPPassword       Value:
[-] Key: FTPPort           Value:
[-] Key: FTPRoot           Value:
[-] Key: FTPSize           Value:
[-] Key: FTPUserName       Value:
[-] Key: FireWallBypass    Value: 1
[-] Key: Gencode           Value: BZ8TyxZ4r2ms
[-] Key: Mutex             Value: DC_MUTEX-9TK1E8U
[-] Key: OfflineKeylogger  Value: 1
[-] Key: Password          Value:
[-] Key: Version           Value: #KCMDDC51#
[+] End of Config

That was easy. Definitely a DarkComet...
<insert whatyearisit.jpg>

Looking at the Version string, we can see this RAT server is
potentially vulnerable to a remote file download vulnerability.
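What a DarkComet config decoder does under the hood, as an added example (my code, not RATDecoder's and not from the paste): the stub's config is a hex-encoded RC4 blob whose key is the version marker with "-890" appended, which is DarkComet's own scheme; the decrypted text is one KEY={VALUE} entry per line. The sample blob is constructed inside the script with that same scheme, and the C2 host in it is a .invalid placeholder, not a real indicator.

```python
from binascii import hexlify, unhexlify

# Version markers DarkComet writes into its config; the RC4 key is the
# marker with "-890" appended (e.g. "#KCMDDC51#" -> "#KCMDDC51#-890").
DC_VERSIONS = ("#KCMDDC51#", "#KCMDDC5#", "#KCMDDC42F#", "#KCMDDC4#", "#KCMDDC2#")

def rc4(key: bytes, data: bytes) -> bytes:
    # Plain RC4 (KSA then PRGA). RC4 is symmetric, so this also encrypts.
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def parse_config(plaintext: bytes) -> dict:
    # One "KEY={VALUE}" per line; a wrong key yields garbage and so no entries.
    cfg = {}
    for line in plaintext.decode("latin-1").splitlines():
        if "={" in line and line.endswith("}"):
            key, value = line.split("={", 1)
            cfg[key] = value[:-1]
    return cfg

def decrypt_config(hex_blob: str) -> dict:
    # Try each version key; keep the first decryption that yields a MUTEX entry.
    data = unhexlify(hex_blob)
    for version in DC_VERSIONS:
        cfg = parse_config(rc4((version + "-890").encode(), data))
        if "MUTEX" in cfg:
            cfg["VERSION_KEY"] = version
            return cfg
    raise ValueError("no known DarkComet key decrypted this blob")

# Constructed sample, encrypted here with the 5.1 key; the C2 host is a
# placeholder (.invalid), not an indicator taken from any real sample.
SAMPLE_PLAINTEXT = (b"MUTEX={DC_MUTEX-EXAMPLE}\r\nSID={Guest16}\r\n"
                    b"NETDATA={c2.example.invalid:1604}\r\nGENCODE={EXAMPLE}\r\n")
SAMPLE_BLOB = hexlify(rc4(b"#KCMDDC51#-890", SAMPLE_PLAINTEXT)).decode()

if __name__ == "__main__":
    for k, v in decrypt_config(SAMPLE_BLOB).items():
        print(f"{k:12} {v}")
```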


--------------------------------------------------------------
| 0x4 // Let the games begin                                 |
--------------------------------------------------------------

$ nslookup mrwhite8391.ddns.net
Server:         208.67.222.222
Address:        208.67.222.222#53

Non-authoritative answer:
Name:   mrwhite8391.ddns.net
Address: 90.184.127.54

$ whois 90.184.127.54
% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf

% Note: this output has been filtered.
% To receive output for a database update, use the "-B" flag.

% Information related to '90.184.0.0 - 90.184.127.255'

% Abuse contact for '90.184.0.0 - 90.184.127.255' is 'abuse@fullrate.dk'

inetnum:        90.184.0.0 - 90.184.127.255
netname:        FULLRATE-POOL-TWO
descr:          Fullrate-DK-CUSTOMERS
country:        DK
admin-c:        FULL-RIPE
tech-c:         FULL-RIPE
org:            ORG-TOTA1-RIPE
remarks:        +--------------------------------------------------------
remarks:        | NB! In case of abuse, please contact abuse@fullrate.dk |
remarks:        +--------------------------------------------------------
status:         ASSIGNED PA
mnt-routes:     FULLRATE-MNT
mnt-lower:      FULLRATE-MNT
mnt-by:         FULLRATE-MNT
created:        2006-10-17T14:06:32Z
last-modified:  2014-08-08T12:54:28Z
source:         RIPE

organisation:   ORG-TOTA1-RIPE
org-name:       Fullrate A/S
org-type:       OTHER
address:        Fullrate A/S
address:        Peter Maegbaek Madsen
address:        Telegade 2 bygn. 4
address:        2630
address:        Taastrup
address:        DENMARK
phone:          +4542124021
fax-no:         +4532154503
descr:          Fullrate
admin-c:        RL8463-RIPE
mnt-ref:        FULLRATE-MNT
mnt-by:         FULLRATE-MNT
abuse-c:        FULL-RIPE
created:        2006-03-15T06:11:11Z
last-modified:  2013-12-02T17:51:13Z
source:         RIPE # Filtered

role:           Fullrate Technical Contact
address:        Fullrate A/S
address:        Telegade 2
address:        DK-2630 Taastrup
admin-c:        RL8463-RIPE
tech-c:         RL8463-RIPE
nic-hdl:        FULL-RIPE
abuse-mailbox:  abuse@fullrate.dk
remarks:        +--------------------------------------------------------
remarks:        | NB! In case of abuse, please contact abuse@fullrate.dk |
remarks:        +--------------------------------------------------------
created:        2006-10-26T15:01:43Z
last-modified:  2013-04-04T09:11:12Z
source:         RIPE # Filtered
mnt-by:         FULLRATE-MNT

% Information related to '90.184.0.0/15AS39554'

route:          90.184.0.0/15
descr:          fullrate A/S
remarks:        ***************************************************************
remarks:        * Any abuse reports, please send them to *
remarks:        * abuse@fullrate.dk *
remarks:        ***************************************************************
origin:         AS39554
mnt-by:         MNT-FULLRATE
mnt-by:         AS3292-MNT
mnt-by:         FULLRATE-MNT
created:        2006-10-12T13:38:53Z
last-modified:  2017-05-12T04:49:57Z
source:         RIPE

% This query was served by the RIPE Database Query Service version 1.89.2 (WAGYU)


--------------------------------------------------------------
| 0x5 // Revealing the pest                                  |
--------------------------------------------------------------

So we already know this appears to be a home connection:
Fullrate-DK-CUSTOMERS

We can guess the skid is hosting the RAT C2 on his home PC.
Believe it or not, this is quite common...
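Pulling the three things an abuse report needs (netblock, assignee, abuse mailbox) out of RIPE output like the whois above, as an added example (my code, not from the paste). The input is a constructed excerpt shaped like a RIPE answer, including the quirk visible above where a "remarks:" value is wrapped onto its own line; the addresses and mailbox in it are placeholders.

```python
import re
# Constructed excerpt (not the paste's output): '%' server comments, then
# blank-line separated RPSL objects, one 'remarks:' value wrapped as above.
SAMPLE = """\
% Abuse contact for '192.0.2.0 - 192.0.2.255' is 'abuse@isp.example'

inetnum:        192.0.2.0 - 192.0.2.255
netname:        EXAMPLE-POOL-TWO
descr:          Example-ISP-CUSTOMERS
remarks:
********************
source:         RIPE

role:           Example Technical Contact
abuse-mailbox:  abuse@isp.example
source:         RIPE # Filtered
"""
ATTR = re.compile(r"^([a-z-]+):\s*(.*)$")

def parse_rpsl(text):
    # Attributes repeat (remarks, address), so an object is a list of pairs.
    objects, comments, cur = [], [], []
    for line in text.splitlines():
        if line.startswith("%"):
            comments.append(line[1:].strip())
        elif not line.strip():
            cur and objects.append(cur)
            cur = []
        elif (m := ATTR.match(line)):
            cur.append((m.group(1), m.group(2).strip()))
        elif cur:  # wrapped value: glue it onto the previous attribute
            attr, val = cur[-1]
            cur[-1] = (attr, (val + " " + line.strip()).strip())
    cur and objects.append(cur)
    return objects, comments

def first(obj, attr):
    return next((v for a, v in obj if a == attr), None)

def abuse_report_fields(text):
    # Prefer an abuse-mailbox attribute; fall back to the "% Abuse contact" line.
    objects, comments = parse_rpsl(text)
    inet = next(o for o in objects if first(o, "inetnum"))
    mailbox = next((v for o in objects for a, v in o if a == "abuse-mailbox"), None)
    for c in comments if mailbox is None else []:
        m = re.search(r"Abuse contact for .* is '([^']+)'", c)
        mailbox = m.group(1) if m else mailbox
    return {"inetnum": first(inet, "inetnum"), "netname": first(inet, "netname"),
            "descr": first(inet, "descr"), "abuse": mailbox}
```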

$ nmap 90.184.127.54 -p 80,8080
...
PORT     STATE  SERVICE
80/tcp   open   http
...

Accessing port 80 of the RAT server address shows a generic
unfirewalled router login page for a ZyXEL VMG8924-B10A device.

http://90.184.127.54:80

We can confirm this is a home connection by looking at the
customer packages available from Fullrate on their website.

The irony.

When you can't port forward a single port, so you just disable
the entire firewall. Yep, that's what we're dealing with here.

An interesting thing is that mrwhite8391, used in the DNS name,
looks like a username of sorts...

--------------------------------------------------------------
| 0x6 // Search and destroy                                  |
--------------------------------------------------------------

Hello Mr. White!

At this point it's safe to say these are all publicly accessible
accounts/profiles of one skiddividual. He seems to like his
cheats and his games. The name mrwhite8391 seems unique enough
that we can be sure about this.

Here's what we can find:

https://www.nulled.to/user/1101188-mrwhite8391
Skid forums
Account created 25th August 2017 (1 day before the YouTube sample)

https://ennui.ninja/forum/index.php?/profile/3283-mrwhite8391/
"rust" cheating software profile

https://chods-cheats.com/profile/24415-mrwhite8391/
More cheating software / forums

https://hypixel.net/members/mrwhite8391.1598335/
Gaming website, he hacked his own profile!
"Hackede by Mr. White / Skype: live:mrwhite8391"

https://d3sk1ng.com/index.php?members/mrwhite8391.6868/
Discussion forum
Profile mentions "Birthday: May 27"

http://www.voidraids.com/
Online store for sale of stolen user data
Mentions contact email: MRWHITE8391@GMAIL.COM
Transactions are processed through PayPal
Also references a Discord chat server

https://www.reddit.com/user/mrwhite8391/
Reddit account mentioning sale of Steam/Minecraft accounts

http://www.d3scene.com/forum/members/mrwhite8391.html
Gaming forum

https://www.roblox.com/users/196134195/profile
Roblox game

http://www.mrwhite8391.tk/
Google cache:
HKC - Hacked Accounts For Cheap Prices!
How To Buy. Contact us on Mail or Discord. *Discord is preferred!*
MRWHITE8391@GMAIL.COM. Contact Us On Discord.

https://archive.nyafuu.org/bant/thread/1746597/
Board spam
"mrwhite8391.tk" -- Denmark GeoIP location presented on post


--------------------------------------------------------------
| 0x7 // Dig even deeper                                     |
--------------------------------------------------------------

000webhost is being used to serve the stolen (ratted) user data.

$ nslookup www.voidraids.com
Server:         208.67.222.222
Address:        208.67.222.222#53

Non-authoritative answer:
www.voidraids.com               canonical name = darkgrainstk.000webhostapp.com.
darkgrainstk.000webhostapp.com  canonical name = us-east-1.route-1.000webhost.awex.io.
Name:   us-east-1.route-1.000webhost.awex.io
Address: 145.14.144.89
Name:   us-east-1.route-1.000webhost.awex.io
Address: 2a02:4780:dead:1d0c::1


GoDaddy also seems to be providing the domain.

$ nslookup voidraids.com
Server:         208.67.222.222
Address:        208.67.222.222#53

Non-authoritative answer:
Name:   voidraids.com
Address: 184.168.221.27



Discord chat (linked from above):
https://discordapp.com/channels/332894635053809664/332894635053809664

Offline members:
* JKR Jonas
* Mr. Black
* Mr. White

On load, a backlog shows the previous chat session.

>>> BEGIN DISCORD CHAT LOG

bruh - 08/13/2017
bitches

Mr. White - 08/13/2017
?

bruh - 08/13/2017
wanna fight scrub?

Mr. White - 08/13/2017
Lmao, kid...
I've got a Steam account with 33+ paid games and it's worth over 200$
U gonna buy?

bruh - 08/13/2017
never

Mr. White - 08/13/2017
Well i've got a Minecraft account too, that might fit your age

bruh - 08/13/2017
never
White?
Why not brown?
mr.been!

Mr. White - 08/13/2017
Beacause you havn't watched Breaking Bad...

bruh - 08/13/2017
fucking sweet
i'll rather watch the 100 tho

Mr. White - 08/13/2017
How did u even get in this discord?

bruh - 08/13/2017
found it on 4chan

Mr. White - 08/13/2017
Lmao after i got banned..

￰￰ - 08/13/2017
@Mr. White

Mr. White - 08/13/2017
@￰￰#6535 ?

Mr. White - 08/14/2017
I wanted you to anwser me, but you didn't
You've gotten a text on your phone. Send it to me.
Now.
Do it and i will delete all your information.
@ToMaTokiller
anniedion8@gmail.com
What is your recover mail. U sent wrong code
I will delete all information about you after this.
anniedion8@gmail.com what is your recover mail
Prénom de votre meilleur ami ?
Anwser and this is over
What is your best friends name
Anwser or i'll release your family members information
wrong
wrong
wrong
Do not lie.
Last Chance
184.162.177.179
No

Mr. Black - Last Thursday at 7:00 PM
fd
f
f
f
f
fff

<<< END DISCORD CHAT LOG


--------------------------------------------------------------
| 0x8 // Summary                                             |
--------------------------------------------------------------

So what have we found from a single malicious binary?

RAT malware ..... DarkComet 5.1
User / alias .... mrwhite8391
Date of Birth ... 27th May (age unknown)
YouTube ......... http://youtube.com/channel/UCJrOL-tgMP_68jeO96Fj8-w
Discord ......... https://discordapp.com/channels/332894635053809664/332894635053809664
Website ......... http://www.voidraids.com/
Skype ........... live:mrwhite8391
Gmail ........... MRWHITE8391@GMAIL.COM
Reddit .......... mrwhite8391
Net Address ..... 90.184.127.54
Location ........ Denmark
ISP ............. Fullrate

--------------------------------------------------------------
| 0x9 // v&                                                  |
--------------------------------------------------------------

We've correlated enough information to rat on this RATTING
skid. He is confirmed to be using his own home internet connection
to serve up a DarkComet server, and in the process of searching
online we have found enough information to be certain that
the distributor of this malware is connected to this client on
the Fullrate ISP.

He is operating the C2 server from his home net address.

As of this month, Fullrate-DK confirmed they have dealt with
this individual using appropriate measures relating to cyber
crime, and voidraids has also been suspended permanently.

Conclusion? Don't RAT.
Knock Knock... v&

EOF