- // #MalwareMustDie!!
- // @unixfreaxjp /malware]$ date
- // Fri Jul 5 00:19:58 JST 2013
- // ----------------------------
- // Kuluoz botnet communications sniffed TODAY in the requests below, sent from infected PCs:
- // During decryption we found
- - the second payload request (updates)
- - the Kuluoz private botnet networking
- - CnC data.
- // Today's requested IP:PROXY pairs from the infected Kuluoz PCs are:
- 178.208.35.190:8080
- 186.112.214.158:8080
- 95.140.42.27:8080
- 203.146.208.180:8090
- 202.29.229.232:8080
- 77.92.140.241:8080
- // Locations...
- 178.208.35.190 NL Greup, Netherlands 51.7862, 4.4377 Combell Group Nv combell.com
- 186.112.214.158 CO Bogota D.C., Colombia 4.6492, -74.0628 Colombia Telecomunicaciones S.A. Esp
- 95.140.42.27 HU Hungary, Europe 47, 20 Szervernet Ltd.
- 203.146.208.180 TH Bangkok, Thailand, Asia 13.754, 100.5014 Loxley Information Company Ltd. CS LoxInfo
- 202.29.229.232 TH Thailand, Asia 15, 100 UniNet (Inter-university network) Unspecified Uninet-th
- 77.92.140.241 TR Sanayi, Antalya, Turkey 36.9031, 30.6991 Hosting Internet Hizmetleri Sanayi ve Ticaret Anon sadecehosting.net
- // We are recording all requests (log.txt) and decrypting those sent to the first three IPs
- // for the shutdown purpose; the decryption report follows.
- // Decryption Report
- ===============================
- 178.208.35.190 NL Greup, Netherlands
- ===============================
- // Kuluoz HTTP Botnet Requests sent are:
- http://178.208.35.190:8080/9A4cfSPd994616860C0D9882494F7EDF4AB098644431D0549A1B0A0011DFEEF4BA360F49376697385C600F92A740674C6051F2DE786376D235BAD61A0B932C3F5D7412FBDE036393AB
- // decrypted → /index.php?r=gate&id=9A4cfSPd&group=0711rcm&debug=0&ips=192.168.0.128
- // response: c=run&u=/get/e0e989581b9ab693e0424fe419a17399.exe&crc=8e2275d02cfbbddf623f60394bb71926
- // 2nd payload: /get/e0e989581b9ab693e0424fe419a17399.exe
- http://178.208.35.190:8080/9A4cfSPd994616860C0D9882494F7EDF4AB098644438DE55D34B3B471ED0CED0F8790C066152D3660A046EC7
- // decrypted → /index.php?r=gate/getipslist&id=9A4cfSPd
- // response:
- // response decrypted; the data is this session's Kuluoz CnC list:
- 149.210.130.18:993
- 95.140.42.27:8080
- 186.112.214.158:8080
- 77.92.140.241:8080
- 202.29.229.232:8080
- 178.208.35.190:8080
- ===============================
- 95.140.42.27 Szervernet Hungary
- ===============================
- // Kuluoz HTTP Botnet Requests sent are:
- http://95.140.42.27:8080/WvvUBQ610EC76E893E8D01859561D313435808245F1ED6F2078FEB3E6D78D5050CB189D770B7E66D7B57073F9F6BC6C4A3113A53C8EA8A147B1D261B9AB5D85616CF8371C55C773487
- // decrypted (RAW):
- 2f 69 6e 64 65 78 2e 70 68 70 3f 72 3d 67 61 74 /index.php?r=gat
- 65 26 69 64 3d 57 76 76 55 42 51 36 31 26 67 72 e&id=WvvUBQ61&gr
- 6f 75 70 3d 30 37 31 31 72 63 6d 26 64 65 62 75 oup=0711rcm&debu
- 67 3d 30 26 69 70 73 3d 31 39 32 2e 31 36 38 2e g=0&ips=192.168.
- 30 2e 31 33 37 0.137
- // decrypted → /index.php?r=gate&id=WvvUBQ61&group=0711rcm&debug=0&ips=192.168.0.137
- // response (2nd payload): c=run&u=/get/e0e989581b9ab693e0424fe419a17399.exe&crc=733b75728281f1afbe32f725aecf0991
- http://95.140.42.27:8080/Yki83XNuEC0BE99C56D912EC410C5E3A11885312593832807508530DCAA6F5DB3D9A902B14B324B66B5B80656E4E60AE09BBF92475FFF25887E3F2FC1F7FD8B5B451E622CAF747F69C
- // decrypted → /index.php?r=gate&id=Yki83XNu&group=0711rcm&debug=0&ips=192.168.0.128
- // response (2nd payload): c=run&u=/get/e0e989581b9ab693e0424fe419a17399.exe&crc=733b75728281f1afbe32f725aecf0991
- http://95.140.42.27:8080/pjuR8A3eFC05C3D6062AB6DBF00A15A2B1389FAE53CADA146201712150B54E732C57336FEA8CC7A085C0D8963E732FC563557FCF5BD589B67162E97054706912876624996AE68DB8
- // decrypted → /index.php?r=gate&id=pjuR8A3e&group=3006rcm&debug=0&ips=192.168.0.58
- // response (2nd payload): c=run&u=/get/e0e989581b9ab693e0424fe419a17399.exe&crc=733b75728281f1afbe32f725aecf0991
- http://95.140.42.27:8080/tJcKoBSsEDE95904DB7FA2B3EFA8124C03C088C58D1910B95E39D149B6A34BFD842DF390C5A03DAC33929DAE
- // response (RAW):
- // decrypted (RAW):
- 31 34 39 2e 32 31 30 2e 31 33 30 2e 31 38 3a 39 149.210.130.18:9
- 39 33 0a 39 35 2e 31 34 30 2e 34 32 2e 32 37 3a 93.95.140.42.27:
- 38 30 38 30 0a 31 38 36 2e 31 31 32 2e 32 31 34 8080.186.112.214
- 2e 31 35 38 3a 38 30 38 30 0a 37 37 2e 39 32 2e .158:8080.77.92.
- 31 34 30 2e 32 34 31 3a 38 30 38 30 0a 32 30 32 140.241:8080.202
- 2e 32 39 2e 32 32 39 2e 32 33 32 3a 38 30 38 30 .29.229.232:8080
- 0a 31 37 38 2e 32 30 38 2e 33 35 2e 31 39 30 3a .178.208.35.190:
- 38 30 38 30 0a 36 32 2e 31 31 33 2e 32 30 30 2e 8080.62.113.200.
- 39 35 3a 39 39 33 0a 95:993.
- // decrypted response shows the CnC data:
- 149.210.130.18:993
- 95.140.42.27:8080
- 186.112.214.158:8080
- 77.92.140.241:8080
- 202.29.229.232:8080
- 178.208.35.190:8080
- 62.113.200.95:993
- ===================================================
- 186.112.214.158 ColombiaTel Bogota D.C., Colombia
- ===================================================
- // Kuluoz HTTP Botnet Requests sent are:
- http://186.112.214.158:8080/L2ZynNQhCABAA843114F2B108A1AA560C7234B4E68D1601E9EF77D90C75275B75E62DAE5EC9B2AB4B545AAC02F808CCF19AD2574E0E6DD53D653D7AE53618586299C84AA89C74AD16F
- // decrypted → /index.php?r=gate&id=L2ZynNQh&group=0711rcm&debug=0&ips=192.168.0.128
- // response (2nd payload): c=run&u=/get/e0e989581b9ab693e0424fe419a17399.exe&crc=cbca008e4bc329beb3567020a8d54512
- http://186.112.214.158:8080/dWguhErv004DE435B7C67DB5F8B98F4B6187D6CD771F89A31173BBDE27DED967C13A9606E7EA2872B66E03A40F394FE29EEE6B9B59FDC3E1B31BC60EF0EDD795356D008FE5BD4D6F88
- // decrypted → /index.php?r=gate&id=dWguhErv&group=0711rcm&debug=0&ips=192.168.0.128
- // response (2nd payload): c=run&u=/get/e0e989581b9ab693e0424fe419a17399.exe&crc=cbca008e4bc329beb3567020a8d54512
- http://186.112.214.158:8080/lpcvWowk243A89131B397A6CC392CA8725FC67F01F51ABA24B842F6FD4C012F50CB5A9FE73C9CECAEDF5C6893C390FF9E55D118AA0EC7855F5DAADCFA6869393BBE189DC62B3B80CE8
- // decrypted → /index.php?r=gate&id=lpcvWowk&group=0711rcm&debug=0&ips=192.168.0.133
- // response (2nd payload): c=run&u=/get/e0e989581b9ab693e0424fe419a17399.exe&crc=cbca008e4bc329beb3567020a8d54512
- http://186.112.214.158:8080/lpcvWowk243A89131B397A6CC392CA8725FC67F01F58A5A302812F7FCEFE0EF641FAAAB170CCDD818AAD80D3
- // decrypted → /index.php?r=gate/getipslist&id=lpcvWowk
- // response:
- // decrypted response shows the CnC data:
- 149.210.130.18:993
- 95.140.42.27:8080
- 186.112.214.158:8080
- 77.92.140.241:8080
- 202.29.229.232:8080
- 178.208.35.190:8080
- 62.113.200.95:993
- http://186.112.214.158:8080/oU9HTVxTEC2C2A72BFBB8455F713402CB0874EC7BE9A5DB58E36C391E9D0CB9E579040C3894BCF121DDF6BC9
- // decrypted → /index.php?r=gate/getipslist&id=oU9HTVxT
- // response:
- // decrypted response shows the CnC data:
- 149.210.130.18:993
- 95.140.42.27:8080
- 186.112.214.158:8080
- 77.92.140.241:8080
- 202.29.229.232:8080
- 178.208.35.190:8080
- 62.113.200.95:993
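As an added example (not part of the original paste or of the MalwareMustDie analysis), a small Python triage helper for defenders that uses only the request and response shapes shown in this report: it flags proxy-log lines that have the bot-id-plus-hex-blob URL shape, collects the contacted IP:PROXY pairs, and parses the decrypted gate query, the c=run reply and the getipslist CnC list. The URL regex is inferred from the samples above and the log lines are constructed; neither is the malware's own specification, and no decryption is performed.

```python
import re
from urllib.parse import parse_qs, urlsplit

# URL shape inferred from the samples in this report (an assumption, not the malware's
# spec): ip:port, then an 8-character bot id, then a long hex ciphertext blob.
KULUOZ_URL = re.compile(
    r"h(?:00|tt)p://(?P<host>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)/"
    r"(?P<bot_id>[A-Za-z0-9]{8})(?P<blob>[0-9A-Fa-f]{40,})$"
)

# Constructed sample log lines mirroring the report's log.txt format (not real captures).
SAMPLE_LOG = [
    "log.txt(1): h00p://192.0.2.10:8080/AbCd1234" + "A1B2C3D4" * 8,
    "log.txt(2): h00p://192.0.2.10:8080/favicon.ico",
]

def flag_request(log_line):
    """Return (host, port, bot_id) when a log line has the Kuluoz beacon shape, else None."""
    m = KULUOZ_URL.search(log_line.strip())
    if m is None:
        return None
    return m["host"], int(m["port"]), m["bot_id"]

def c2_endpoints(log_lines):
    """Map each beaconed (host, port) to the bot ids seen, i.e. the report's IP:PROXY list."""
    found = {}
    for line in log_lines:
        hit = flag_request(line)
        if hit:
            found.setdefault((hit[0], hit[1]), set()).add(hit[2])
    return found

def parse_gate_request(decrypted_path):
    """Split a decrypted gate path (/index.php?r=gate&id=...&group=...&ips=...) into fields."""
    return {k: v[0] for k, v in parse_qs(urlsplit(decrypted_path).query).items()}

def parse_gate_response(body):
    """Classify a decrypted reply: a c=run download command, or the getipslist CnC list."""
    if body.startswith("c="):
        return {"type": "command", **{k: v[0] for k, v in parse_qs(body).items()}}
    peers = []
    for line in body.split("\n"):
        line = line.strip().rstrip(".")  # the dumps show '\n' separators rendered as '.'
        if line:
            host, _, port = line.rpartition(":")
            peers.append((host, int(port)))
    return {"type": "cnc_list", "peers": peers}
```

Feeding the decrypted strings from the report into parse_gate_request and parse_gate_response reproduces the group, bot id, second-payload URL and CnC list noted above, which is what a blocklist or IDS rule would be built from.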
- // Verdict, as per the evidence above:
- // Please help to shut down or block this malicious traffic.
- ---
- #MalwareMustDie!!!