- SHA-1                                     Description                  ESET detection name
- CF117E5CA26594F497E0F15106518FEE52B88D8D  MSI file                     MSIL/TrojanDownloader.Agent.FSC
- D16AC192499192F06A3903192A4AA57A28CCCA5A  Console.exe loader           MSIL/TrojanDownloader.Agent.FSC
- 462D6AD77860D3D523D2CAFBC227F012952E513C                               MSIL/Kryptik.TBD
- 0A5BBEC328FDD4E8B2379AF770DF8B180411B05D  LoadDllMSI.dll loader        MSIL/TrojanDownloader.Agent.FSC
- 0AA349050B7EF173BFA34B92687554E81EEB28FF  System.Logins.Initial.dll    MSIL/Agent.TIX
- 5B19E2D1950ADD701864D5F0F18A1111AAABEA28
- 186E590239083A5B54971CAB66A58301230164C2  System.Modules.Initial.dll
- E1B2FD94F16237379E4CAD6832A6FCE7F543DC40  System.Modules.Initial.dll   MSIL/Janeleiro.A
- 4061B2FBEB7F1026E54EE928867169D1B001B7A5
- Version 0.0.2A
- SHA-1                                     Description                  ESET detection name
- 8674E61B421A905DA8B866A194680D08D27D77AE  Main Trojan Loader           MSIL/Agent.AAI
- 2E5F7D5F680152E738B8910E694651D48126382A                               MSIL/Janeleiro.A
- 06E4F11A2A6EF8284C6AAC5A924D186410257650  Main Trojan                  MSIL/Agent.AAI
- Version 0.0.2B
- SHA-1                                     Description                  ESET detection name
- 291A5F0DF18CC68FA0DA1B7F401EAD17C9FBDD7F  MSI file                     MSIL/Janeleiro.A
- FB246A5A1105B83DFA8032394759DBC23AB81529
- 6F6FF405F6DA50B517E82FF9D1A546D8F13EC3F7  Main trojan
- 742E0AEDC8970D47F16F5549A6B61D839485DE3C
- Version 0.0.3
- SHA-1                                     Description                  ESET detection name
- 455FAF2A741C28BA1EFCE8635AC0FCE935C080FF  MSI file                     MSIL/Janeleiro.A
- D71EB97FC1F5FE50D608518D2820CB96F2A3376F
- 158DA5AB85BFAC471DC2B2EE66FD99AEF7432DBB  Main trojan
- 6BFAEFCC0930DA5A2BAEC19723C8C835A003D1EC
- Download URLs
- In the URLs below, <NNNNNNNNNNN> is the value of the dw parameter: a random 11-digit number between 10000000000 and 90000000000.
- Downloading only Janeleiro
- https://recuperaglobaldanfeonline.eastus.cloudapp.azure[.]com/nfedown.php?dw=<NNNNNNNNNNN>
- https://protocolo-faturamento-servico.brazilsouth.cloudapp.azure[.]com/nfedown.php?dw=<NNNNNNNNNNN>
- https://acessoriapremierfantasiafaturas.eastus.cloudapp.azure[.]com/nfedown.php?dw=<NNNNNNNNNNN>
- Downloading Janeleiro and other Delphi banking trojans
- https://portalrotulosfechamento.eastus.cloudapp.azure[.]com/nfedown.php?dw=<NNNNNNNNNNN>
- https://servicosemitidosglobalnfe.southcentralus.cloudapp.azure[.]com/nfedown.php?dw=<NNNNNNNNNNN>
- https://emissaocomprovanteatrasado.eastus.cloudapp.azure[.]com/nfedown.php?dw=<NNNNNNNNNNN>
- Downloading Delphi bankers
- https://emitidasfaturasfevereiro.brazilsouth.cloudapp.azure[.]com/nfedown.php?dw=<NNNNNNNNNNN>
- https://dinamicoscontratosvencidos.brazilsouth.cloudapp.azure[.]com/nfedown.php?dw=<NNNNNNNNNNN>
- https://arquivosemitidoscomsucesso.eastus.cloudapp.azure[.]com/nfedown.php?dw=<NNNNNNNNNNN>
- https://fatura-digital-arquiv-lo.brazilsouth.cloudapp.azure[.]com/nfedown.php?dw=<NNNNNNNNNNN>
- https://nota-eletronica-servicos.brazilsouth.cloudapp.azure[.]com/nfedown.php?dw=<NNNNNNNNNNN>
- https://eletronicadanfe.brazilsouth.cloudapp.azure[.]com/nfedown.php?dw=<NNNNNNNNNNN>
- C&C servers
- These are the IP addresses of the C&C servers that Janeleiro connects to in order to report, receive commands and send data:
- 52.204.58[.]11
- 35.174.60[.]172
- These are the tracking URLs where Janeleiro sends information about the compromised system during installation:
- http://tasoofile.us-east-1.elasticbeanstalk[.]com/count
- http://slkvemnemim.us-east-1.elasticbeanstalk[.]com/count
- http://checa-env.cf3tefmhmr.eu-north-1.elasticbeanstalk[.]com/cnt/
- These are the URLs used by System.Logins.dll to exfiltrate the harvested data:
- http://comunicador.duckdns[.]org/catalista/emails/checkuser.php
- http://comunicador.duckdns[.]org/catalista/lixo/index.php
- IP addresses the comunicador.duckdns[.]org domain resolved to:
- 178.79.178[.]203
- 138.197.101[.]4
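- The following is an added example, not part of the original paste or of ESET's own tooling: a small Python matcher that refangs the indicators above and runs them over constructed proxy-log lines and a constructed list of file hashes. The log format, the client and non-indicator destination addresses, and the unlisted host novo-host-qualquer are assumptions made for the example. The check on the dw parameter follows the range the paste gives; the host-shape heuristic that flags any *.cloudapp.azure.com/nfedown.php URL with an in-range dw value goes beyond the listed hosts and is a generalization, not an indicator from the page.

```python
"""Match the Janeleiro indicators listed above against logs and file hashes.

Added example, not part of the original paste. The log lines, client
addresses and non-indicator destinations below are constructed for
illustration; the indicator lists are copied from the paste (defanged
with "[.]"). KNOWN_SHA1 holds a subset of the SHA-1s from the tables.
"""
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

DOWNLOAD_HOSTS = [
    "recuperaglobaldanfeonline.eastus.cloudapp.azure[.]com",
    "protocolo-faturamento-servico.brazilsouth.cloudapp.azure[.]com",
    "acessoriapremierfantasiafaturas.eastus.cloudapp.azure[.]com",
    "portalrotulosfechamento.eastus.cloudapp.azure[.]com",
    "servicosemitidosglobalnfe.southcentralus.cloudapp.azure[.]com",
    "emissaocomprovanteatrasado.eastus.cloudapp.azure[.]com",
    "emitidasfaturasfevereiro.brazilsouth.cloudapp.azure[.]com",
    "dinamicoscontratosvencidos.brazilsouth.cloudapp.azure[.]com",
    "arquivosemitidoscomsucesso.eastus.cloudapp.azure[.]com",
    "fatura-digital-arquiv-lo.brazilsouth.cloudapp.azure[.]com",
    "nota-eletronica-servicos.brazilsouth.cloudapp.azure[.]com",
    "eletronicadanfe.brazilsouth.cloudapp.azure[.]com",
]
C2_IPS = ["52.204.58[.]11", "35.174.60[.]172"]
TRACKING_HOSTS = [
    "tasoofile.us-east-1.elasticbeanstalk[.]com",
    "slkvemnemim.us-east-1.elasticbeanstalk[.]com",
    "checa-env.cf3tefmhmr.eu-north-1.elasticbeanstalk[.]com",
]
EXFIL_HOSTS = ["comunicador.duckdns[.]org"]
EXFIL_IPS = ["178.79.178[.]203", "138.197.101[.]4"]
KNOWN_SHA1 = {  # subset of the tables above; extend with the remaining rows
    "CF117E5CA26594F497E0F15106518FEE52B88D8D",
    "0AA349050B7EF173BFA34B92687554E81EEB28FF",
    "8674E61B421A905DA8B866A194680D08D27D77AE",
    "291A5F0DF18CC68FA0DA1B7F401EAD17C9FBDD7F",
    "455FAF2A741C28BA1EFCE8635AC0FCE935C080FF",
    "158DA5AB85BFAC471DC2B2EE66FD99AEF7432DBB",
}


def refang(ioc: str) -> str:
    """Turn a defanged indicator ('example[.]com') back into a usable string."""
    return ioc.replace("[.]", ".")


HOST_IOCS: Dict[str, str] = {}
for hosts, tag in ((DOWNLOAD_HOSTS, "download"), (TRACKING_HOSTS, "tracking"), (EXFIL_HOSTS, "exfil")):
    HOST_IOCS.update({refang(h): tag for h in hosts})
IP_IOCS: Dict[str, str] = {refang(ip): "c2" for ip in C2_IPS}
IP_IOCS.update({refang(ip): "exfil" for ip in EXFIL_IPS})

# The paste says dw=<NNNNNNNNNNN> is a random number between 10000000000 and
# 90000000000. Matching the URI shape on any *.cloudapp.azure.com host is a
# heuristic added in this example (assumption), not an indicator from the page;
# it catches download hosts that are not in the list yet.
DW_LOW, DW_HIGH = 10_000_000_000, 90_000_000_000
AZURE_HOST = re.compile(r"^[a-z0-9-]+\.[a-z0-9]+\.cloudapp\.azure\.com$")


def classify_url(url: str) -> Optional[str]:
    """Return a tag describing why the URL matches, or None if it does not."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if host in HOST_IOCS:
        return HOST_IOCS[host]
    if host in IP_IOCS:
        return IP_IOCS[host]
    if parts.path == "/nfedown.php" and AZURE_HOST.match(host):
        dw = parse_qs(parts.query).get("dw", [""])[0]
        if dw.isdigit() and DW_LOW <= int(dw) <= DW_HIGH:
            return "download-pattern"
    return None


# Constructed log format (assumption): "<timestamp> <client_ip> <dst_ip> <url or ->".
# Destinations that are not indicators use RFC 5737 documentation ranges.
LOG = """\
2021-03-01T12:00:01Z 10.1.2.3 52.204.58.11 -
2021-03-01T12:00:05Z 10.1.2.3 192.0.2.7 https://eletronicadanfe.brazilsouth.cloudapp.azure.com/nfedown.php?dw=48201775321
2021-03-01T12:00:09Z 10.1.2.3 192.0.2.8 https://novo-host-qualquer.eastus.cloudapp.azure.com/nfedown.php?dw=73311900442
2021-03-01T12:00:12Z 10.1.2.3 192.0.2.8 https://novo-host-qualquer.eastus.cloudapp.azure.com/nfedown.php?dw=123
2021-03-01T12:00:20Z 10.1.2.4 198.51.100.9 http://tasoofile.us-east-1.elasticbeanstalk.com/count
2021-03-01T12:00:30Z 10.1.2.4 198.51.100.10 https://example.com/index.html
"""


def scan_log(text: str) -> List[Tuple[str, str, str]]:
    """Return (timestamp, client_ip, reason) for every line that hits an indicator."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, dst_ip, url = line.split(maxsplit=3)
        reason = IP_IOCS.get(dst_ip)  # direct C&C / exfil traffic has no URL
        if reason is None and url != "-":
            reason = classify_url(url)
        if reason:
            hits.append((ts, client, reason))
    return hits


def match_hashes(sha1s: List[str]) -> List[str]:
    """Return the given SHA-1s that appear in the tables above (case-insensitive)."""
    return sorted({h.upper() for h in sha1s if h.upper() in KNOWN_SHA1})


# Constructed sample: one hash from the tables, one that is not (SHA-1 of the empty string).
SAMPLE_HASHES = ["cf117e5ca26594f497e0f15106518fee52b88d8d", "da39a3ee5e6b4b0d3255bfef95601890afd80709"]

if __name__ == "__main__":
    for hit in scan_log(LOG):
        print(hit)
    print(match_hashes(SAMPLE_HASHES))
```

- The line with dw=123 is deliberately left unmatched: the dw value is outside the range the paste documents, so a host that merely shares the nfedown.php path is not flagged by the heuristic. Treat the host and IP lists as a snapshot; the C&C and exfiltration addresses are best matched at the firewall or DNS layer, where there is no URL to inspect.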