#MalwareMustDie - Evidence CookEK of Malware Infector Crime

MalwareMustDie Jan 14th, 2013
====================================================================
// #MalwareMustDie - Evidence of Malware Infector
// CoolExploit Malware Infector,
// Served IP ADDRESS 64.120.190.183
// Infector URL: h00p://64.120.190.183/news/FLAT.DHTI
// Connecting to 192.168.7.11:80... seconds 0.00, connected.
// Registrant leads to bob@bobfaith.com (LOL), a hacked domain;
// it looks like some cyber criminal seriously wants to frame Bob Faith.
====================================================================

============================
INTERNET / DOMAINS/REGISTRANT
============================

// Infector domains used (with the typical CookEK callback pseudo-domain pattern)

50f2c40a75730.buyliftem.org        A    64.120.190.183
50f3308d0dc4d.mentalfocus.org      A    64.120.190.183
50f2d9ddf1471.azhypnotistbob.com   A    64.120.190.183
50f2afa39be68.azreptheatre.com     A    64.120.190.183
50f28a4b9a4fe.tempeazhomeloans.com A    64.120.190.183
50f30534b0cb0.hypnoaz.com          A    64.120.190.183
50f34659158a0.mentalfocusaz.com    A    64.120.190.183
50f31ac55ce66.hypnotherapyaz.com   A    64.120.190.183

All of these lead to the CoolExploit Malware Infector at 64.120.190.183
via URL: h00p://64.120.190.183/news/FLAT.DHTI
Evidence: pic at https://twitter.com/kafeine/status/290607837250457600

// PoC that the current pseudo-domain resolves to 64.120.190.183

@unixfreaxjp /malware/checkdomains]$ date
Mon Jan 14 15:51:39 JST 2013
@unixfreaxjp /malware/checkdomains]$ dig 50f31ac55ce66.hypnotherapyaz.com

; <<>> DiG 9.8.1-P1 <<>> 50f31ac55ce66.hypnotherapyaz.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49149
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;50f31ac55ce66.hypnotherapyaz.com. IN   A

;; ANSWER SECTION:
50f31ac55ce66.hypnotherapyaz.com. 1755 IN A     64.120.190.183

;; AUTHORITY SECTION:
hypnotherapyaz.com.     3555    IN      NS      ns16.domaincontrol.com.
hypnotherapyaz.com.     3555    IN      NS      ns15.domaincontrol.com.

;; ADDITIONAL SECTION:
ns15.domaincontrol.com. 768     IN      A       216.69.185.8
ns16.domaincontrol.com. 3568    IN      A       208.109.255.8

;; Query time: 15 msec
;; SERVER: 202.238.95.24#53(202.238.95.24)
;; WHEN: Mon Jan 14 15:51:53 2013
;; MSG SIZE  rcvd: 150
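
// Added example (not part of the original paste): a small triage script for resolver or passive-DNS logs that catches the pseudo-domain pattern shown above. The leftmost label of each listed hostname is 13 hex characters whose first 8 decode to a Unix timestamp (0x50f2c40a = 2013-01-13 14:26:18 UTC, the day before this paste), a layout consistent with PHP's uniqid(); that the kit actually uses uniqid() is my assumption, and the sample log lines and the two benign control hostnames are constructed.

```python
import re
from datetime import datetime, timedelta, timezone

# Infector IP as listed in the paste (Jan 14, 2013).
INFECTOR_IP = "64.120.190.183"

# Constructed passive-DNS log sample: "<seen> <qname> <rtype> <answer>". The first
# three qnames are from the paste; the last two are constructed benign controls.
SAMPLE_LOG = """\
2013-01-14T06:51:53Z 50f31ac55ce66.hypnotherapyaz.com A 64.120.190.183
2013-01-14T06:52:10Z 50f2c40a75730.buyliftem.org A 64.120.190.183
2013-01-14T06:53:02Z 50f28a4b9a4fe.tempeazhomeloans.com A 64.120.190.183
2013-01-14T06:54:00Z www.example.com A 93.184.216.34
2013-01-14T06:55:00Z 0badc0ffee123.example.org A 198.51.100.7
"""

# Leftmost label of exactly 13 hex chars: 8 chars of Unix seconds + 5 chars of
# sub-second entropy (the shape of PHP's uniqid(); assumed, not stated by the paste).
LABEL_RE = re.compile(r"^([0-9a-f]{8})[0-9a-f]{5}\.(.+)$")


def decode_label(hostname):
    """Return (minted_utc, parent_domain) for a timestamp-style label, else None."""
    m = LABEL_RE.match(hostname.lower())
    if not m:
        return None
    minted = datetime.fromtimestamp(int(m.group(1), 16), tz=timezone.utc)
    return minted, m.group(2)


def triage(log_text, bad_ips=frozenset({INFECTOR_IP}), max_age_days=7):
    """Flag a line when its label was minted shortly before the query (a freshly
    generated pseudo-domain) or when its answer is a known infector IP.
    Returns a list of (qname, reason) tuples in log order."""
    hits = []
    for line in log_text.splitlines():
        seen, qname, _rtype, answer = line.split()
        seen_at = datetime.strptime(seen, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        reasons = []
        decoded = decode_label(qname)
        if decoded:
            minted, parent = decoded
            # A label from the far past or the future is hex by coincidence, not a timestamp.
            if timedelta(0) <= seen_at - minted <= timedelta(days=max_age_days):
                reasons.append(f"label minted {minted:%Y-%m-%dT%H:%M:%SZ} under {parent}")
        if answer in bad_ips:
            reasons.append(f"resolves to known infector {answer}")
        if reasons:
            hits.append((qname, "; ".join(reasons)))
    return hits
```

The timestamp check alone is a lead, not a verdict: a hit under a legitimate registrant's domain is exactly the "hijacked domain" case the whois records below document, so the parent domain is the thing to report, not to block outright.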

============================
DNS SERVICE USED
============================
NS15.DOMAINCONTROL.COM
NS16.DOMAINCONTROL.COM

Related DNS Service:
NSxxx.DOMAINCONTROL.COM

============================
THE REGISTRANT BEHIND THIS
============================

// the domains below were registered to the same registrant contact:

mentalfocus.org, azhypnotistbob.com, hypnoaz.com, mentalfocusaz.com, hypnotherapyaz.com

Bob Faith Entertainment
660 S Parkcrest
Mesa, Arizona 85206
United States
bob@bobfaith.com  // must be a hacked domain

(other hacked domains were also used; see the PoC/Evidence part below)

// PoC/Evidence:

Domain ID:D164373631-LROR
Domain Name:MENTALFOCUS.ORG
Created On:12-Jan-2012 20:35:36 UTC
Last Updated On:13-Jan-2013 01:35:22 UTC
Expiration Date:12-Jan-2014 20:35:36 UTC
Sponsoring Registrar:GoDaddy.com, LLC (R91-LROR)
Status:CLIENT DELETE PROHIBITED
Status:CLIENT RENEW PROHIBITED
Status:CLIENT TRANSFER PROHIBITED
Status:CLIENT UPDATE PROHIBITED
Status:AUTORENEWPERIOD
Registrant ID:CR102662608
Registrant Name:Bob Faith
Registrant Organization:Bob Faith Entertainment
Registrant Street1:660 S Parkcrest
Registrant Street2:
Registrant Street3:
Registrant City:Mesa
Registrant State/Province:Arizona
Registrant Postal Code:85206
Registrant Country:US
Registrant Phone:+1.4808980023
Registrant Phone Ext.:
Registrant FAX:+1.4808980023
Registrant FAX Ext.:
Registrant Email:bob@bobfaith.com
Admin ID:CR102662610
Admin Name:Bob Faith
Admin Organization:Bob Faith Entertainment
Admin Street1:660 S Parkcrest
Admin Street2:
Admin Street3:
Admin City:Mesa
Admin State/Province:Arizona
Admin Postal Code:85206
Admin Country:US
Admin Phone:+1.4808980023
Admin Phone Ext.:
Admin FAX:+1.4808980023
Admin FAX Ext.:
Admin Email:bob@bobfaith.com


Domain Name: AZHYPNOTISTBOB.COM
Registrar: GODADDY.COM, LLC
Whois Server: whois.godaddy.com
Referral URL: http://registrar.godaddy.com
Name Server: NS15.DOMAINCONTROL.COM
Name Server: NS16.DOMAINCONTROL.COM
Status: clientDeleteProhibited
Status: clientRenewProhibited
Status: clientTransferProhibited
Status: clientUpdateProhibited
Updated Date: 13-jan-2012
Creation Date: 13-jan-2012
Expiration Date: 13-jan-2013
Registered through: GoDaddy.com, LLC (http://www.godaddy.com)
Domain Name: AZHYPNOTISTBOB.COM
   Created on: 13-Jan-12
   Expires on: 13-Jan-13
   Last Updated on: 13-Jan-12
Registrant:
Bob Faith Entertainment
660 S Parkcrest
Mesa, Arizona 85206
United States
Administrative Contact:
   Faith, Bob  bob@bobfaith.com
   Bob Faith Entertainment
   660 S Parkcrest
   Mesa, Arizona 85206
   United States
   (480) 898-0023      Fax -- (480) 898-0023
Technical Contact:
   Faith, Bob  bob@bobfaith.com
   Bob Faith Entertainment
   660 S Parkcrest
   Mesa, Arizona 85206
   United States
   (480) 898-0023      Fax -- (480) 898-0023
Domain servers in listed order:
   NS15.DOMAINCONTROL.COM
   NS16.DOMAINCONTROL.COM


Domain Name: HYPNOAZ.COM
Registrar: GODADDY.COM, LLC
Whois Server: whois.godaddy.com
Referral URL: http://registrar.godaddy.com
Name Server: NS15.DOMAINCONTROL.COM
Name Server: NS16.DOMAINCONTROL.COM
Status: clientDeleteProhibited
Status: clientRenewProhibited
Status: clientTransferProhibited
Status: clientUpdateProhibited
Updated Date: 13-dec-2012
Creation Date: 13-jan-2012
Expiration Date: 13-jan-2015
   Registered through: GoDaddy.com, LLC (http://www.godaddy.com)
   Domain Name: HYPNOAZ.COM
      Created on: 13-Jan-12
      Expires on: 13-Jan-15
      Last Updated on: 13-Dec-12
   Registrant:
      Bob Faith Entertainment
      660 S Parkcrest
      Mesa, Arizona 85206
      United States
   Administrative Contact:
      Faith, Bob  bob@bobfaith.com
      Bob Faith Entertainment
      660 S Parkcrest
      Mesa, Arizona 85206
      United States
      (480) 898-0023      Fax -- (480) 898-0023
   Technical Contact:
      Faith, Bob  bob@bobfaith.com
      Bob Faith Entertainment
      660 S Parkcrest
      Mesa, Arizona 85206
      United States
      (480) 898-0023      Fax -- (480) 898-0023
   Domain servers in listed order:
      NS15.DOMAINCONTROL.COM
      NS16.DOMAINCONTROL.COM


Domain Name: MENTALFOCUSAZ.COM
Registrar: GODADDY.COM, LLC
Whois Server: whois.godaddy.com
Referral URL: http://registrar.godaddy.com
Name Server: NS15.DOMAINCONTROL.COM
Name Server: NS16.DOMAINCONTROL.COM
Status: clientDeleteProhibited
Status: clientRenewProhibited
Status: clientTransferProhibited
Status: clientUpdateProhibited
Updated Date: 13-jan-2013
Creation Date: 12-jan-2012
Expiration Date: 12-jan-2014
   Registered through: GoDaddy.com, LLC (http://www.godaddy.com)
   Domain Name: MENTALFOCUSAZ.COM
      Created on: 12-Jan-12
      Expires on: 12-Jan-13
      Last Updated on: 12-Jan-12
   Registrant:
   Bob Faith Entertainment
   660 S Parkcrest
   Mesa, Arizona 85206
   United States
   Administrative Contact:
      Faith, Bob  bob@bobfaith.com
      Bob Faith Entertainment
      660 S Parkcrest
      Mesa, Arizona 85206
      United States
      +1.4808980023      Fax -- +1.4808980023
   Technical Contact:
      Faith, Bob  bob@bobfaith.com
      Bob Faith Entertainment
      660 S Parkcrest
      Mesa, Arizona 85206
      United States
      +1.4808980023      Fax -- +1.4808980023
   Domain servers in listed order:
      NS15.DOMAINCONTROL.COM
      NS16.DOMAINCONTROL.COM


Domain Name: HYPNOTHERAPYAZ.COM
Registrar: GODADDY.COM, LLC
Whois Server: whois.godaddy.com
Referral URL: http://registrar.godaddy.com
Name Server: NS15.DOMAINCONTROL.COM
Name Server: NS16.DOMAINCONTROL.COM
Status: clientDeleteProhibited
Status: clientRenewProhibited
Status: clientTransferProhibited
Status: clientUpdateProhibited
Updated Date: 13-jan-2012
Creation Date: 13-jan-2012
Expiration Date: 13-jan-2013
Registered through: GoDaddy.com, LLC (http://www.godaddy.com)
   Domain Name: HYPNOTHERAPYAZ.COM
      Created on: 13-Jan-12
      Expires on: 13-Jan-13
      Last Updated on: 13-Jan-12
   Registrant:
   Bob Faith Entertainment
   660 S Parkcrest
   Mesa, Arizona 85206
   United States
   Administrative Contact:
      Faith, Bob  bob@bobfaith.com
      Bob Faith Entertainment
      660 S Parkcrest
      Mesa, Arizona 85206
      United States
      (480) 898-0023      Fax -- (480) 898-0023
   Technical Contact:
      Faith, Bob  bob@bobfaith.com
      Bob Faith Entertainment
      660 S Parkcrest
      Mesa, Arizona 85206
      United States
      (480) 898-0023      Fax -- (480) 898-0023
   Domain servers in listed order:
      NS15.DOMAINCONTROL.COM
      NS16.DOMAINCONTROL.COM


Domain ID:D164348967-LROR
Domain Name:BUYLIFTEM.ORG
Created On:10-Jan-2012 16:36:00 UTC
Last Updated On:11-Jan-2013 11:21:18 UTC
Expiration Date:10-Jan-2014 16:36:00 UTC
Sponsoring Registrar:GoDaddy.com, LLC (R91-LROR)
Status:CLIENT DELETE PROHIBITED
Status:CLIENT RENEW PROHIBITED
Status:CLIENT TRANSFER PROHIBITED
Status:CLIENT UPDATE PROHIBITED
Status:AUTORENEWPERIOD
Registrant ID:CR102449532
Registrant Name:Zoe Yeoman
Registrant Organization:Lift 'Em, LLC
Registrant Street1:Post Office Box 40283
Registrant Street2:
Registrant Street3:
Registrant City:Phoenix
Registrant State/Province:Arizona
Registrant Postal Code:85067
Registrant Country:US
Registrant Phone:+1.6022341200
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email:zoeyeoman@hotmail.com
Admin ID:CR102449534
Admin Name:Zoe Yeoman
Admin Organization:Lift 'Em, LLC
Admin Street1:Post Office Box 40283
Admin Street2:
Admin Street3:
Admin City:Phoenix
Admin State/Province:Arizona
Admin Postal Code:85067
Admin Country:US
Admin Phone:+1.6022341200
Admin Phone Ext.:
Admin FAX:
Admin FAX Ext.:
Admin Email:zoeyeoman@hotmail.com


Domain Name: AZREPTHEATRE.COM
Registrar: GODADDY.COM, LLC
Whois Server: whois.godaddy.com
Referral URL: http://registrar.godaddy.com
Name Server: NS51.DOMAINCONTROL.COM
Name Server: NS52.DOMAINCONTROL.COM
Status: clientDeleteProhibited
Status: clientRenewProhibited
Status: clientTransferProhibited
Status: clientUpdateProhibited
Updated Date: 01-oct-2012
Creation Date: 30-sep-2010
Expiration Date: 30-sep-2014
   Registered through: GoDaddy.com, LLC (http://www.godaddy.com)
   Domain Name: AZREPTHEATRE.COM
      Created on: 30-Sep-10
      Expires on: 30-Sep-14
      Last Updated on: 01-Oct-12
   Registrant:
   Domains By Proxy, LLC
   DomainsByProxy.com
   14747 N Northsight Blvd Suite 111, PMB 309
   Scottsdale, Arizona 85260
   United States
   Administrative Contact:
      Private, Registration  AZREPTHEATRE.COM@domainsbyproxy.com
      Domains By Proxy, LLC
      DomainsByProxy.com
      14747 N Northsight Blvd Suite 111, PMB 309
      Scottsdale, Arizona 85260
      United States
      (480) 624-2599      Fax -- (480) 624-2598
   Technical Contact:
      Private, Registration  AZREPTHEATRE.COM@domainsbyproxy.com
      Domains By Proxy, LLC
      DomainsByProxy.com
      14747 N Northsight Blvd Suite 111, PMB 309
      Scottsdale, Arizona 85260
      United States
      (480) 624-2599      Fax -- (480) 624-2598
   Domain servers in listed order:
      NS51.DOMAINCONTROL.COM
      NS52.DOMAINCONTROL.COM


Domain Name: TEMPEAZHOMELOANS.COM
Registrar: GODADDY.COM, LLC
Whois Server: whois.godaddy.com
Referral URL: http://registrar.godaddy.com
Name Server: NS15.DOMAINCONTROL.COM
Name Server: NS16.DOMAINCONTROL.COM
Status: clientDeleteProhibited
Status: clientRenewProhibited
Status: clientTransferProhibited
Status: clientUpdateProhibited
Updated Date: 15-jan-2012
Creation Date: 15-jan-2012
Expiration Date: 15-jan-2014
   Registered through: GoDaddy.com, LLC (http://www.godaddy.com)
   Domain Name: TEMPEAZHOMELOANS.COM
      Created on: 15-Jan-12
      Expires on: 15-Jan-14
      Last Updated on: 15-Jan-12
   Registrant:
   John Cabello
   270 E. Pinion Way
   Gilbert, Arizona 85234
   United States
   Administrative Contact:
      Cabello, John  john@cabellohomeloans.com
      270 E. Pinion Way
      Gilbert, Arizona 85234
      United States
      (602) 326-5626
   Technical Contact:
      Cabello, John  john@cabellohomeloans.com
      270 E. Pinion Way
      Gilbert, Arizona 85234
      United States
      (602) 326-5626
   Domain servers in listed order:
      NS15.DOMAINCONTROL.COM
      NS16.DOMAINCONTROL.COM


============================
ADDITIONAL: NETWORK / IP
============================

// Where it is hosted, and the abuse contact PIC (person in charge)

IP: 64.120.190.183
reverse IP Pointer: 64-120-190-183.static.hostnoc.net

NetRange:       64.120.128.0 - 64.120.255.255
CIDR:   64.120.128.0/17
OriginAS:       AS21788
NetName:        HOSTNOC-5BLK
NetHandle:      NET-64-120-128-0-1
Parent: NET-64-0-0-0-0
NetType:        Direct Allocation
RegDate:        2009-04-27
Updated:        2012-03-02
Ref:    http://whois.arin.net/rest/net/NET-64-120-128-0-1
OrgName:        Network Operations Center Inc.
OrgId:  NOC
Address:        PO Box 591
City:   Scranton
StateProv:      PA
PostalCode:     18501-0591
Country:        US
RegDate:        2001-04-04
Updated:        2011-09-24
Comment:        Abuse Dept: abuse@hostnoc.net
Ref:    http://whois.arin.net/rest/org/NOC

OrgAbuseHandle: SMA4-ARIN
OrgAbuseName:   Arcus, S. Matthew
OrgAbusePhone:  +1-570-343-2200
OrgAbuseEmail:  nic@hostnoc.net
OrgAbuseRef:    http://whois.arin.net/rest/poc/SMA4-ARIN

----
#MalwareMustDie!