- ,-------------------------------------,
- / /
- / PEST CONTROL August 2017 /
- / /
- -------------------------------------`
- |\| |\|
- |/|/ |/|/
- |/ _, .---.__c--. |/
- / (__( )_._( )_`_> /
- `~~" `~"
- [Ratting on the RATTERS - issue 0x01]
- $ whoami
- fox
- RATTING is sad. RATTING is lame.
- --------------------------------------------------------------
- | 0x1 // Discover Samples |
- --------------------------------------------------------------
- Find stubs / packers / misc malware using YouTube keyword searches.
- These are typically "bait": cheat tools, hacking tools etc.
- YouTube is a common place to spread malware.
- Example of finding a live sample:
- Site .... https://www.youtube.com
- Keywords .... Hack tool download
- Result .... https://www.youtube.com/watch?v=RDAzC1rxTts
- --------------------------------------------------------------
- | 0x2 // Grab those links |
- --------------------------------------------------------------
- Investigate anything linked from the YouTube account. Here, a .rar
- archive download linked from the video description:
- https://mega.nz/#!h2YjjKzD!e--XB1wQ0J8a9hKMq3_AgyJCdYXFCHnnYIe0-skk3Dw
- --------------------------------------------------------------
- | 0x3 // Dig deeper |
- --------------------------------------------------------------
- Let's take a closer look at this download and see if we can find
- any valuable information, such as the C2 server.
- $ unrar e Rust\ Plantinum\ Cracked.rar
- $ ls
- ClientPlugin.dll SQLite.Interop.dll
- Rust Plantinum Cracked 1.5.7.exe System.Data.SQLite.dll
- $ file Rust\ Plantinum\ Cracked\ 1.5.7.exe
- Rust Plantinum Cracked 1.5.7.exe: PE32 executable (GUI) Intel 80386, for MS Windows
- Send that bound junk to VirusTotal. Looks like it's a new sample.
- Detection ratio: 58 / 63
- https://virustotal.com/en/file/0af9b967683c3e19661951bed41c8ad3eac0607147b71b0c745443206c57a2d1/analysis/1503789652/
- Well, that's boring: we already know what this junk is just by looking
- at that. It's a cheat tool that has been bound to a trojan. Instead of
- detonating this sample in a VM, we can pull the embedded configuration
- out of the binary statically. RAT builders stash the C2 settings inside
- the stub, usually encoded or encrypted, so plain `strings` may not show
- them; kevthehermit's RATDecoder knows the storage format of many
- families and extracts the config for us.
- [+] Reading file
- [+] Searching for Config
- [+] Printing Config to screen
- [-] Key: CampaignID Value: Guest16
- [-] Key: Domains Value: mrwhite8391.ddns.net:8015
- [-] Key: FTPHost Value:
- [-] Key: FTPKeyLogs Value:
- [-] Key: FTPPassword Value:
- [-] Key: FTPPort Value:
- [-] Key: FTPRoot Value:
- [-] Key: FTPSize Value:
- [-] Key: FTPUserName Value:
- [-] Key: FireWallBypass Value: 1
- [-] Key: Gencode Value: BZ8TyxZ4r2ms
- [-] Key: Mutex Value: DC_MUTEX-9TK1E8U
- [-] Key: OfflineKeylogger Value: 1
- [-] Key: Password Value:
- [-] Key: Version Value: #KCMDDC51#
- [+] End of Config
- That was easy. Definitely DarkComet...
- <insert whatyearisit.jpg>
- The Version string #KCMDDC51# is the DarkComet 5.1 marker (it is the RC4
- key used for the config, minus its "-890" suffix). The DarkComet 5.x
- controller has a well-known arbitrary file download flaw, so this RAT
- server is potentially vulnerable to it.
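- What RATDecoder did above, in working code. This is an added example and
- not RATDecoder's own source: DarkComet keeps its config RC4-encrypted in an
- RCDATA resource named DCDATA, stored as a hex string, and the key is one of
- a handful of version markers. The blob below is constructed from the values
- printed above (there is no resource extraction here), and the mapping from
- the raw field names to RATDecoder's labels is reproduced from memory, so
- treat it as an assumption.

```python
import re
from binascii import hexlify, unhexlify

# RC4 keys used by the DarkComet builds RATDecoder knows about.  The "Version"
# RATDecoder prints ("#KCMDDC51#") is the key that worked, minus its "-890" suffix.
DARKCOMET_KEYS = [
    "#KCMDDC2#-890",
    "#KCMDDC4#-890",
    "#KCMDDC42#-890",
    "#KCMDDC42F#-890",
    "#KCMDDC5#-890",
    "#KCMDDC51#-890",
]

# Field names inside the decrypted blob -> labels RATDecoder prints.  Reproduced
# from memory, so treat the mapping as an assumption; unknown keys keep their raw name.
FIELD_NAMES = {
    "SID": "CampaignID", "NETDATA": "Domains", "FWB": "FireWallBypass",
    "GENCODE": "Gencode", "MUTEX": "Mutex", "OFFLINEK": "OfflineKeylogger",
    "PWD": "Password", "FTPHOST": "FTPHost", "FTPUSER": "FTPUserName",
    "FTPPASS": "FTPPassword", "FTPPORT": "FTPPort", "FTPSIZE": "FTPSize",
    "FTPROOT": "FTPRoot", "FTPUPLOADK": "FTPKeyLogs",
}


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA).  Encrypt and decrypt are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decrypt_dcdata(hex_blob: str):
    """Try every known key against the hex-encoded DCDATA resource.

    Returns (version string, plaintext), or (None, None) when nothing decrypts
    to a blob that starts with the DarkComet header."""
    raw = unhexlify(hex_blob.strip())
    for key in DARKCOMET_KEYS:
        plain = rc4(key.encode("latin-1"), raw)
        if plain.startswith(b"#BEGIN DARKCOMET DATA"):
            return key.replace("-890", ""), plain.decode("latin-1")
    return None, None


def parse_config(plaintext: str) -> dict:
    """Turn the KEY={VALUE} lines of the decrypted blob into RATDecoder-style fields.

    Every known field is present (empty string when the builder left it blank),
    which is why the FTP entries above print with no value."""
    cfg = {label: "" for label in FIELD_NAMES.values()}
    for line in plaintext.splitlines():
        m = re.fullmatch(r"([A-Z0-9]+)=\{(.*)\}", line.strip())
        if m:
            cfg[FIELD_NAMES.get(m.group(1), m.group(1))] = m.group(2)
    return cfg


def extract_config(hex_blob: str) -> dict:
    """Decrypt + parse; raises if no known key fits (newer build, or not DarkComet)."""
    version, plain = decrypt_dcdata(hex_blob)
    if version is None:
        raise ValueError("no known DarkComet key decrypts this blob")
    cfg = parse_config(plain)
    cfg["Version"] = version
    return cfg


# Constructed sample: DCDATA is stored as an upper-case hex string of the RC4
# ciphertext, so we build one from the values RATDecoder printed above.
_SAMPLE_PLAINTEXT = (
    "#BEGIN DARKCOMET DATA --\r\n"
    "MUTEX={DC_MUTEX-9TK1E8U}\r\n"
    "SID={Guest16}\r\n"
    "FWB={1}\r\n"
    "NETDATA={mrwhite8391.ddns.net:8015}\r\n"
    "GENCODE={BZ8TyxZ4r2ms}\r\n"
    "OFFLINEK={1}\r\n"
    "#EOF DARKCOMET DATA --\r\n"
)
SAMPLE_DCDATA = hexlify(rc4(b"#KCMDDC51#-890", _SAMPLE_PLAINTEXT.encode("latin-1"))).decode().upper()

if __name__ == "__main__":
    for name, value in sorted(extract_config(SAMPLE_DCDATA).items()):
        print(f"[-] Key: {name:<17} Value: {value}")
```

- To run it against a real stub, pull the RCDATA resource named DCDATA out of
- the PE (pefile or Resource Hacker will do) and pass its text to
- extract_config(). If every key fails, the sample is either a build with a
- different key or not DarkComet at all, and it's back to the VM.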
- --------------------------------------------------------------
- | 0x4 // Let the games begin |
- --------------------------------------------------------------
- $ nslookup mrwhite8391.ddns.net
- Server: 208.67.222.222
- Address: 208.67.222.222#53
- Non-authoritative answer:
- Name: mrwhite8391.ddns.net
- Address: 90.184.127.54
- $ whois 90.184.127.54
- % This is the RIPE Database query service.
- % The objects are in RPSL format.
- %
- % The RIPE Database is subject to Terms and Conditions.
- % See http://www.ripe.net/db/support/db-terms-conditions.pdf
- % Note: this output has been filtered.
- % To receive output for a database update, use the "-B" flag.
- % Information related to '90.184.0.0 - 90.184.127.255'
- % Abuse contact for '90.184.0.0 - 90.184.127.255' is 'abuse@fullrate.dk'
- inetnum: 90.184.0.0 - 90.184.127.255
- netname: FULLRATE-POOL-TWO
- descr: Fullrate-DK-CUSTOMERS
- country: DK
- admin-c: FULL-RIPE
- tech-c: FULL-RIPE
- org: ORG-TOTA1-RIPE
- remarks: +--------------------------------------------------------
- remarks: | NB! In case of abuse, please contact abuse@fullrate.dk |
- remarks: +--------------------------------------------------------
- status: ASSIGNED PA
- mnt-routes: FULLRATE-MNT
- mnt-lower: FULLRATE-MNT
- mnt-by: FULLRATE-MNT
- created: 2006-10-17T14:06:32Z
- last-modified: 2014-08-08T12:54:28Z
- source: RIPE
- organisation: ORG-TOTA1-RIPE
- org-name: Fullrate A/S
- org-type: OTHER
- address: Fullrate A/S
- address: Peter Maegbaek Madsen
- address: Telegade 2 bygn. 4
- address: 2630
- address: Taastrup
- address: DENMARK
- vphone: +4542124021
- fax-no: +4532154503
- descr: Fullrate
- admin-c: RL8463-RIPE
- mnt-ref: FULLRATE-MNT
- mnt-by: FULLRATE-MNT
- abuse-c: FULL-RIPE
- created: 2006-03-15T06:11:11Z
- last-modified: 2013-12-02T17:51:13Z
- source: RIPE # Filtered
- role: Fullrate Technical Contact
- address: Fullrate A/S
- address: Telegade 2
- address: DK-2630 Taastrup
- admin-c: RL8463-RIPE
- tech-c: RL8463-RIPE
- nic-hdl: FULL-RIPE
- abuse-mailbox: abuse@fullrate.dk
- remarks: +--------------------------------------------------------
- remarks: | NB! In case of abuse, please contact abuse@fullrate.dk |
- remarks: +--------------------------------------------------------
- created: 2006-10-26T15:01:43Z
- last-modified: 2013-04-04T09:11:12Z
- source: RIPE # Filtered
- mnt-by: FULLRATE-MNT
- % Information related to '90.184.0.0/15AS39554'
- route: 90.184.0.0/15
- descr: fullrate A/S
- remarks: ***************************************************************
- remarks: * Any abuse reports, please send them to *
- remarks: * abuse@fullrate.dk *
- remarks: ***************************************************************
- origin: AS39554
- mnt-by: MNT-FULLRATE
- mnt-by: AS3292-MNT
- mnt-by: FULLRATE-MNT
- created: 2006-10-12T13:38:53Z
- last-modified: 2017-05-12T04:49:57Z
- source: RIPE
- % This query was served by the RIPE Database Query Service version 1.89.2 (WAGYU)
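- Reading one RIPE answer by eye is fine; when you pivot across a whole
- campaign's worth of C2 addresses you want the useful fields pulled out
- automatically. Added example (not part of the original write-up) that
- parses RPSL-style whois output into objects and picks out the netblock,
- country, origin AS and abuse mailbox. The sample text is a trimmed copy of
- the response above; the field selection in summarize() is my choice.

```python
import re
from collections import defaultdict

# Constructed sample: a trimmed copy of the RIPE response shown above.
SAMPLE_WHOIS = """\
% Information related to '90.184.0.0 - 90.184.127.255'
% Abuse contact for '90.184.0.0 - 90.184.127.255' is 'abuse@fullrate.dk'

inetnum:        90.184.0.0 - 90.184.127.255
netname:        FULLRATE-POOL-TWO
descr:          Fullrate-DK-CUSTOMERS
country:        DK
admin-c:        FULL-RIPE
abuse-c:        FULL-RIPE
status:         ASSIGNED PA
mnt-by:         FULLRATE-MNT
source:         RIPE

role:           Fullrate Technical Contact
nic-hdl:        FULL-RIPE
abuse-mailbox:  abuse@fullrate.dk
remarks:        +----------------------------------------------------
remarks:        | NB! In case of abuse, please contact abuse@fullrate.dk |
source:         RIPE # Filtered

route:          90.184.0.0/15
origin:         AS39554
mnt-by:         MNT-FULLRATE
mnt-by:         AS3292-MNT
mnt-by:         FULLRATE-MNT
source:         RIPE
"""


def parse_rpsl(text: str) -> list:
    """Split a whois response into objects: dicts mapping attribute -> list of values.

    Objects are separated by blank lines, '%' and '#' lines are server comments,
    and a line starting with whitespace or '+' continues the previous attribute.
    Repeated attributes (mnt-by, remarks, descr) keep every value."""
    objects, current, last_attr = [], None, None
    for line in text.splitlines():
        if not line.strip():
            if current:
                objects.append(current)
            current, last_attr = None, None
            continue
        if line[0] in "%#":
            continue
        if line[0] in " \t+" and current is not None and last_attr:
            current[last_attr][-1] += " " + line.lstrip(" \t+")
            continue
        attr, _, value = line.partition(":")
        if current is None:
            current = defaultdict(list)
        last_attr = attr.strip().lower()
        current[last_attr].append(value.strip())
    if current:
        objects.append(current)
    return [dict(o) for o in objects]


def object_type(obj: dict) -> str:
    """The first attribute of an RPSL object is its class (inetnum, route, role ...)."""
    return next(iter(obj))


def summarize(text: str) -> dict:
    """Pull out the fields you pivot on: netblock, netname, country, origin AS, abuse mailbox."""
    objs = parse_rpsl(text)
    by_type = {object_type(o): o for o in objs}
    info = {}
    if "inetnum" in by_type:
        net = by_type["inetnum"]
        info["inetnum"] = net["inetnum"][0]
        info["netname"] = net.get("netname", [""])[0]
        info["country"] = net.get("country", [""])[0]
        info["descr"] = " / ".join(net.get("descr", []))
    if "route" in by_type:
        info["origin"] = by_type["route"].get("origin", [""])[0]
    # Prefer the abuse-mailbox of the referenced role object; fall back to the
    # "% Abuse contact for ..." hint the RIPE server prints at the top.
    mailbox = next((o["abuse-mailbox"][0] for o in objs if "abuse-mailbox" in o), None)
    if mailbox is None:
        m = re.search(r"Abuse contact for .* is '([^']+)'", text)
        mailbox = m.group(1) if m else ""
    info["abuse"] = mailbox
    return info


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_WHOIS).items():
        print(f"{key:<10} .... {value}")
```

- Feed it the raw output of `whois <ip>`; the abuse mailbox is what you
- need for the report in section 0x9, and netname/descr is what told us
- this is a consumer pool.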
- --------------------------------------------------------------
- | 0x5 // Revealing the pest |
- --------------------------------------------------------------
- So we already know this looks like a home connection:
- Fullrate-DK-CUSTOMERS
- We can guess the skid is hosting the RAT C2 on his home PC.
- Believe it or not, this is quite common... (Note that a dynamic DNS
- name can be re-pointed at any time, so the address is only good as of
- the lookup above; keep the timestamp with your notes.)
- $ nmap 90.184.127.54 -p 80,8080
- ...
- PORT STATE SERVICE
- 80/tcp open http
- ...
- Browsing to port 80 on the RAT server address shows a generic,
- unfirewalled router login page for a ZyXEL VMG8924-B10A device.
- http://90.184.127.54:80
- We can confirm this is a home connection by looking at the customer
- packages Fullrate offers on its website.
- The irony.
- When you can't port forward a single port, so you just disable the
- entire firewall. Yep, that's what we're dealing with here.
- Another interesting thing: the mrwhite8391 in the DNS name looks like
- a username of sorts...
- --------------------------------------------------------------
- | 0x6 // Search and destroy |
- --------------------------------------------------------------
- Hello Mr. White!
- At this point it's safe to say these are all publicly accessible
- accounts/profiles of one skiddividual. He seems to like his
- cheats and his games. The name mrwhite8391 seems unique enough
- that we can be sure about this.
- Here's what we can find;
- https://www.nulled.to/user/1101188-mrwhite8391
- Skid forums
- Account created 25th August 2017 (1 day before youtube sample)
- https://ennui.ninja/forum/index.php?/profile/3283-mrwhite8391/
- "rust" cheating software profile
- https://chods-cheats.com/profile/24415-mrwhite8391/
- More cheating software / forums
- https://hypixel.net/members/mrwhite8391.1598335/
- Gaming website, he hacked his own profile!
- "Hackede by Mr. White / Skype: live:mrwhite8391"
- https://d3sk1ng.com/index.php?members/mrwhite8391.6868/
- Discussion forum
- Profile mentions, "Birthday: May 27"
- http://www.voidraids.com/
- Online store for sale of stolen user data
- Mentions contact email: MRWHITE8391@GMAIL.COM
- Transactions are processed through PayPal
- Also references a discord chat server
- https://www.reddit.com/user/mrwhite8391/
- Reddit account mentioning sale of steam/minecraft accounts
- http://www.d3scene.com/forum/members/mrwhite8391.html
- Gaming forum
- https://www.roblox.com/users/196134195/profile
- Roblox game
- http://www.mrwhite8391.tk/
- Google cache
- HKC - Hacked Accounts For Cheap Prices!
- How To Buy. Contact us on Mail or Discord.*Discord is preferred!*
- MRWHITE8391@GMAIL.COM. Contact Us On Discord.
- https://archive.nyafuu.org/bant/thread/1746597/
- Board spam
- "mrwhite8391.tk" -- Denmark GeoIP location presented on post
- --------------------------------------------------------------
- | 0x7 // Dig even deeper |
- --------------------------------------------------------------
- 000webhost is hosting the site that sells the stolen (ratted) user data
- $ nslookup www.voidraids.com
- Server: 208.67.222.222
- Address: 208.67.222.222#53
- Non-authoritative answer:
- www.voidraids.com canonical name = darkgrainstk.000webhostapp.com.
- darkgrainstk.000webhostapp.com canonical name = us-east-1.route-1.000webhost.awex.io.
- Name: us-east-1.route-1.000webhost.awex.io
- Address: 145.14.144.89
- Name: us-east-1.route-1.000webhost.awex.io
- Address: 2a02:4780:dead:1d0c::1
- GoDaddy also seems to be providing the domain; the bare domain resolves elsewhere:
- $ nslookup voidraids.com
- Server: 208.67.222.222
- Address: 208.67.222.222#53
- Non-authoritative answer:
- Name: voidraids.com
- Address: 184.168.221.27
- Discord chat (linked from above)
- https://discordapp.com/channels/332894635053809664/332894635053809664
- Offline members:
- * JKR Jonas
- * Mr. Black
- * Mr. White
- On load, the backlog shows a previous chat session:
- >>> BEGIN DISCORD CHAT LOG
- bruh - 08/13/2017
- bitches
- Mr. White - 08/13/2017
- ?
- bruh - 08/13/2017
- wanna fight scrub?
- Mr. White - 08/13/2017
- Lmao, kid...
- I've got a Steam account with 33+ paid games and it's worth over 200$
- U gonna buy?
- bruh - 08/13/2017
- never
- Mr. White - 08/13/2017
- Well i've got a Minecraft account too, that might fit your age
- bruh - 08/13/2017
- never
- White?
- Why not brown?
- mr.been!
- Mr. White - 08/13/2017
- Because you haven't watched Breaking Bad...
- bruh - 08/13/2017
- fucking sweet
- I'd rather watch The 100 tho
- Mr. White - 08/13/2017
- How did u even get in this discord?
- bruh - 08/13/2017
- found it on 4chan
- Mr. White - 08/13/2017
- Lmao after i got banned..
- - 08/13/2017
- @Mr. White
- Mr. White - 08/13/2017
- @#6535 ?
- Mr. White - 08/14/2017
- I wanted you to answer me, but you didn't
- You've gotten a text on your phone. Send it to me.
- Now.
- Do it and i will delete all your information.
- @ToMaTokiller
- anniedion8@gmail.com
- What is your recover mail. U sent wrong code
- I will delete all information about you after this.
- anniedion8@gmail.com what is your recover mail
- First name of your best friend?
- Answer and this is over
- What is your best friends name
- Answer or I'll release your family members' information
- wrong
- wrong
- wrong
- Do not lie.
- Last Chance
- 184.162.177.179
- No
- Mr. Black - Last Thursday at 7:00 PM
- fd
- f
- f
- f
- f
- fff
- <<< END DISCORD CHAT LOG
- --------------------------------------------------------------
- | 0x8 // Summary |
- --------------------------------------------------------------
- So what have we found from a single malicious binary?
- RAT malware .... DarkComet 5.1
- User / alias .... mrwhite8391
- Date of Birth .... 27th May (age unknown)
- Youtube .... http://youtube.com/channel/UCJrOL-tgMP_68jeO96Fj8-w
- Discord .... https://discordapp.com/channels/332894635053809664/332894635053809664
- Website .... http://www.voidraids.com/
- Skype .... live:mrwhite8391
- Gmail .... MRWHITE8391@GMAIL.COM
- Reddit .... mrwhite8391
- Net Address .... 90.184.127.54
- Location .... Denmark
- ISP .... Fullrate
- --------------------------------------------------------------
- | 0x9 // v& |
- --------------------------------------------------------------
- We've correlated enough information to rat on this RATting skid. He is
- confirmed to be using his own home internet connection to serve up a
- DarkComet server, and the searching above turned up enough to tie the
- distributor of this malware to this customer on the Fullrate ISP.
- He is operating the C2 server from his home net address.
- As of this month, Fullrate-DK confirmed they have dealt with this
- individual using appropriate measures relating to cyber crime, and
- voidraids has also been suspended permanently.
- Conclusion? Don't RAT.
- Knock Knock... v&
- EOF