unixfreaxjp

The Return of the CHINESE TROJANS SET in ODN Softbank N/W

Mar 26th, 2012
THE CASE OF #OCJP-021 IS REOPENED / (this case)
COMMENT ADDED: http://unixfreaxjp.blogspot.jp/2012/02/ocjp-021.html?showComment=1332761381445#c1890660745097712696

THE MALWARE HAS REAPPEARED AT THE PREVIOUS URLs (MD5 of each archive):
hxxp://211.121.253.172/vct/set.rar   642ef29e0194075c830d0f2a418d8fce
hxxp://211.121.253.172/vct/stL1.rar  a200699ce01d73c61a1b9ccb9009d9c6
hxxp://211.121.253.172/vct/vel19.rar 472c2c1ff132392bf8656a2b427e8f22
hxxp://211.121.253.172/int/vel20.rar 09b3818d4480a486db78ef2bd34c7e38

SOFTBANK TELECOM Corp.
[Allocation] 211.121.0.0/16
a. [Network Number] 211.121.192.0/18
b. [Network Name] ODN
g. [Organization] Open Data Network(JAPAN TELECOM CO.,LTD.)
m. [Administrative Contact] JP00035900
n. [Technical Contact] JP00035900
p. [Nameserver] ns2.odn.ne.jp
p. [Nameserver] ns4.odn.ne.jp

WEB SERVER HOSTING THE MALWARE (HTTP RESPONSE HEADERS; SIGNATURES MATCHED)
Last-Modified: Mon, 26 Mar 2012 11:15:15 GMT
Accept-Ranges: bytes
Etag: W/"f653fbb741bcd1:2a8"
Server: Microsoft-IIS/6.0
Date: Mon, 26 Mar 2012 11:15:16 GMT

PROOF (wget transcript):
--19:51:08-- hxxp://211.121.253.172/int/vel20.rar
=> `vel20.rar'
Connecting to 211.121.253.172:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 73,728 (72K) [application/octet-stream]
100%[====================================>] 73,728 337.48K/s
19:51:09 (336.93 KB/s) - `vel20.rar' saved [73728/73728]

--19:51:32-- hxxp://211.121.253.172/vct/stL1.rar
=> `stL1.rar'
Connecting to 211.121.253.172:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 249,856 (244K) [application/octet-stream]
100%[===================================> ] 249,856 740.11K/s
19:51:33 (738.00 KB/s) - `stL1.rar' saved [249856/249856]

--19:51:42-- hxxp://211.121.253.172/vct/vel19.rar
=> `vel19.rar'
Connecting to 211.121.253.172:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 73,728 (72K) [application/octet-stream]
100%[====================================>] 73,728 --.--K/s
19:51:42 (529.53 KB/s) - `vel19.rar' saved [73728/73728]

--19:51:56-- hxxp://211.121.253.172/vct/set.rar
=> `set.rar'
Connecting to 211.121.253.172:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 28,672 (28K) [application/octet-stream]
100%[====================================>] 28,672 --.--K/s
19:51:57 (299.76 KB/s) - `set.rar' saved [28672/28672]

VIRUSTOTAL REPORTS:
https://www.virustotal.com/file/50cc09617912edf3a5077fb09fe540803e6c467a7bff6417bc41d02d60c39d76/analysis/1332759518/
https://www.virustotal.com/file/5a8c16df19d7198b5c0ea2a36c90f34bc835202e6108afa8a49221cb598f9c4f/analysis/1332759446/
https://www.virustotal.com/file/f8faf5656a27f6df63ad5b49cf4747ad3cb474fc1e94caf939b8b17133ec6595/analysis/1332759462/
https://www.virustotal.com/file/f72556dadc6bc5ae4e4dd3911f94e1d012a3987e555aa4b55170c20f41184d95/analysis/1332759402/

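The indicators above are published only as MD5s and VirusTotal links, so a responder who has pulled archives from a proxy cache or a suspect host needs a quick way to match them. The checker below is an added example for this page, not code from the original paste or from its author: the MD5s are copied verbatim from the URL list, the SHA-256s are parsed out of the VirusTotal report URLs (the path segment after /file/ is the SHA-256 of the submitted file), and no malware bytes are embedded.

```python
"""Match local files against the hashes published in this paste.

Added example for this page; it is not code from the original paste.
MD5_IOCS are the digests listed beside the four .rar URLs, and the SHA-256
values are parsed from the VirusTotal report URLs. No sample bytes are
embedded; point the script at files you have collected yourself.
"""
import hashlib
import re
import sys
from pathlib import Path

# MD5 digests listed next to the four archives in the paste.
MD5_IOCS = {
    "642ef29e0194075c830d0f2a418d8fce",  # vct/set.rar
    "a200699ce01d73c61a1b9ccb9009d9c6",  # vct/stL1.rar
    "472c2c1ff132392bf8656a2b427e8f22",  # vct/vel19.rar
    "09b3818d4480a486db78ef2bd34c7e38",  # int/vel20.rar
}

# VirusTotal report URLs from the paste.
VT_URLS = [
    "https://www.virustotal.com/file/50cc09617912edf3a5077fb09fe540803e6c467a7bff6417bc41d02d60c39d76/analysis/1332759518/",
    "https://www.virustotal.com/file/5a8c16df19d7198b5c0ea2a36c90f34bc835202e6108afa8a49221cb598f9c4f/analysis/1332759446/",
    "https://www.virustotal.com/file/f8faf5656a27f6df63ad5b49cf4747ad3cb474fc1e94caf939b8b17133ec6595/analysis/1332759462/",
    "https://www.virustotal.com/file/f72556dadc6bc5ae4e4dd3911f94e1d012a3987e555aa4b55170c20f41184d95/analysis/1332759402/",
]

# The 64 hex characters after /file/ in a VirusTotal report URL are the SHA-256.
_VT_FILE_RE = re.compile(r"virustotal\.com/file/([0-9a-fA-F]{64})/")


def sha256_from_vt_urls(urls):
    """Extract the SHA-256 digest from each VirusTotal /file/ URL."""
    digests = set()
    for url in urls:
        m = _VT_FILE_RE.search(url)
        if m:
            digests.add(m.group(1).lower())
    return digests


def hash_bytes(data):
    """Return md5, sha1 and sha256 hex digests of a byte string."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def match_iocs(data, md5_iocs=MD5_IOCS, sha256_iocs=None):
    """Return [(algorithm, digest)] for every digest of data found in the IOC sets."""
    if sha256_iocs is None:
        sha256_iocs = sha256_from_vt_urls(VT_URLS)
    digests = hash_bytes(data)
    hits = []
    if digests["md5"] in md5_iocs:
        hits.append(("md5", digests["md5"]))
    if digests["sha256"] in sha256_iocs:
        hits.append(("sha256", digests["sha256"]))
    return hits


def scan_paths(paths, md5_iocs=MD5_IOCS, sha256_iocs=None):
    """Hash each file and return {path: hits}; a file with no hit maps to []."""
    results = {}
    for p in map(Path, paths):
        results[str(p)] = match_iocs(p.read_bytes(), md5_iocs, sha256_iocs)
    return results


if __name__ == "__main__":
    # Usage: python ioc_check.py set.rar stL1.rar vel19.rar vel20.rar
    for path, hits in scan_paths(sys.argv[1:]).items():
        status = ", ".join(f"{a}={d}" for a, d in hits) if hits else "no match"
        print(f"{path}: {status}")
```

Hash matching only catches the exact variants listed here; the analysis further down notes that the payload's MD5 changed between the two incidents while its size stayed the same, so pair this check with the URL path, the service-name artefact and the file sizes from the wget transcript rather than relying on digests alone.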
SOME QUICK ANALYSIS (investigation evidence below)
payload: aho.exe
MD5: 2aa259224e8ffa280d11ce2e19d9adb3
SHA-1: 3007a22e0d049e8685db1303f36ee3b708e48ff4
File Size: 20,480 Bytes
Command Line: $shell= "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\aho.exe"
registry (persistence):
Service name: Iprip
Start: SERVICE_AUTO_START
ImagePath: %SystemRoot%\System32\svchost.exe -k netsvcs
(SAME AS IN THE PREVIOUS REPORT)
Note: The MD5 of the payload has changed while the file size is unchanged, a trace of a crypter tool being re-run over the same binary.
----
ZeroDay Japan http://0day.jp
OPERATION CLEANUP JAPAN | #OCJP
PIC: Hendrik ADRIAN, Malware Researcher / Twitter / Google: @unixfreaxjp
Malware Analysis Blog: http://unixfreaxjp.blogspot.jp/
sponsored by: KLJ Tech Co., Ltd. (株式会社ケイエルジェイテック) http://www.kljtech.com
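The persistence artefact recorded above (a service named Iprip, SERVICE_AUTO_START, hosted by svchost.exe -k netsvcs) is something to hunt for on other ODN-connected hosts, and a dump of the Services hive is enough to do it offline. The script below is an added example for this page, not part of the paste or of the author's tooling. It parses the text printed by `reg query HKLM\SYSTEM\CurrentControlSet\Services /s`; the registry text embedded in it is constructed, the Temp-directory ServiceDll path in that sample is hypothetical (the paste does not record the DLL path of the real sample), and the Windows directory is assumed to be C:\WINDOWS.

```python
r"""Flag svchost/netsvcs-hosted services with suspicious persistence.

Added example for this page; it is not code from the original paste.
Input is the text that `reg query HKLM\SYSTEM\CurrentControlSet\Services /s`
prints on the suspect host (run it there, save the output, analyse offline).
Three checks follow from the artefacts noted in the paste: a service hosted
by "svchost.exe -k netsvcs" with Start=2 (SERVICE_AUTO_START), a ServiceDll
outside %SystemRoot%\System32, and the service name Iprip itself.
SAMPLE_REG_QUERY is constructed; its Temp-directory ServiceDll path is
hypothetical. The Windows directory is assumed to be C:\WINDOWS.
"""
import re
import sys
from collections import defaultdict

SERVICE_AUTO_START = 2  # registry Start value 0x2
SERVICES_ROOT = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"

# Constructed sample: a legitimate netsvcs service (Task Scheduler) and a
# hypothetical hijacked Iprip entry whose ServiceDll lives under Temp.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule
    Type    REG_DWORD    0x20
    Start    REG_DWORD    0x2
    ImagePath    REG_EXPAND_SZ    %SystemRoot%\System32\svchost.exe -k netsvcs
    DisplayName    REG_SZ    Task Scheduler

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule\Parameters
    ServiceDll    REG_EXPAND_SZ    %SystemRoot%\system32\schedsvc.dll

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Iprip
    Type    REG_DWORD    0x20
    Start    REG_DWORD    0x2
    ImagePath    REG_EXPAND_SZ    %SystemRoot%\System32\svchost.exe -k netsvcs
    DisplayName    REG_SZ    RIP Listener

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Iprip\Parameters
    ServiceDll    REG_EXPAND_SZ    C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\hypothetical.dll
"""

# `reg query` prints values as: <indent><name><spaces><REG_TYPE><spaces><data>
_VALUE_RE = re.compile(r"^\s+(\S+)\s{2,}(REG_[A-Z_]+)\s{2,}(.*)$")


def parse_reg_query(text):
    """Return {key_path: {value_name: (reg_type, data)}} from `reg query /s` output."""
    keys = {}
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("HKEY_"):  # unindented line = a new key
            current = line.strip()
            keys[current] = {}
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name, reg_type, data = m.groups()
            keys[current][name] = (reg_type, data.strip())
    return keys


def group_services(keys):
    """Collect Services\\<Name> and Services\\<Name>\\Parameters under <Name>."""
    services = defaultdict(lambda: {"values": {}, "params": {}})
    prefix = SERVICES_ROOT.lower() + "\\"
    for path, values in keys.items():
        if not path.lower().startswith(prefix):
            continue
        parts = path[len(prefix):].split("\\")
        if len(parts) == 1:
            services[parts[0]]["values"] = values
        elif len(parts) == 2 and parts[1].lower() == "parameters":
            services[parts[0]]["params"] = values
    return services


def _expand(path, system_root):
    """Expand %SystemRoot%/%windir%, strip quotes and lower-case for comparison."""
    p = path.strip().strip('"')
    p = re.sub(r"%(systemroot|windir)%", lambda m: system_root, p, flags=re.IGNORECASE)
    return p.lower()


def _under_system32(path, system_root):
    return _expand(path, system_root).startswith((system_root + "\\System32\\").lower())


def find_suspicious(text, system_root=r"C:\WINDOWS"):
    """Return [(service_name, reason)] for netsvcs services that trip a check."""
    findings = []
    for name, svc in group_services(parse_reg_query(text)).items():
        image = svc["values"].get("ImagePath", ("", ""))[1]
        if "svchost.exe -k netsvcs" not in image.lower():
            continue  # only svchost-hosted netsvcs services are in scope
        start = int(svc["values"].get("Start", ("", "0x0"))[1], 16)
        dll = svc["params"].get("ServiceDll", ("", ""))[1]
        if dll and not _under_system32(dll, system_root):
            findings.append((name, f"ServiceDll outside System32: {dll}"))
        if name.lower() == "iprip" and start == SERVICE_AUTO_START:
            findings.append((name, "auto-start Iprip under netsvcs, the artefact reported in #OCJP-021"))
    return findings


if __name__ == "__main__":
    # Usage: python netsvcs_check.py services.txt   (no argument = built-in sample)
    text = open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else SAMPLE_REG_QUERY
    for name, reason in find_suspicious(text):
        print(f"[!] {name}: {reason}")
```

The name check is specific to this case; the ServiceDll check generalises to any service hijacked into the netsvcs group. Diffing the netsvcs REG_MULTI_SZ under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost against a clean host of the same build additionally catches service names that were appended to the group.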