#MalwareMustDie - RedDot Infection at 46.4.179.118 Analysis

MalwareMustDie Apr 7th, 2013
#malwareMustDie - Ransomware infection in 46.4.179.118
#Reported by : @nyxbone
#Analysis: @unixfreaxjp
[0x00000000:0x00400000]> !date
Sun Apr  7 15:47:26 JST 2013

// sources

h00p://hitmaest.org/traff.html
h00p://estkoks.biz/traff.html
h00p://fackhouse.biz/traff.html

// Landing page evidence:

--2013-04-07 15:11:00--  h00p://hitmaest.org/traff.html
Resolving hitmaest.org... seconds 0.00, 46.4.179.118
Caching hitmaest.org => 46.4.179.118
Connecting to hitmaest.org|46.4.179.118|:80... seconds 0.00, connected.
  :
GET /traff.html h00p/1.0
Host: hitmaest.org
h00p request sent, awaiting response...
  :
h00p/1.1 200 OK
Server: nginx
Date: Sun, 07 Apr 2013 06:10:44 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
X-Powered-By: PHP/5.3.23
Cache-Control: no-store, no-cache
Expires: Sun, 07 Apr 2013 06:10:16 GMT
Vary: Accept-Encoding,User-Agent
Content-Length: 549
  :
200 OK
Registered socket 1896 for persistent reuse.
Length: 549 [text/html]
Saving to: `traff-1.html'
2013-04-07 15:11:02 (15.5 MB/s) - `traff-1.html' saved [549/549]


--2013-04-07 15:13:42--  h00p://estkoks.biz/traff.html
Resolving estkoks.biz... seconds 0.00, 46.4.179.118
Caching estkoks.biz => 46.4.179.118
Connecting to estkoks.biz|46.4.179.118|:80... seconds 0.00, connected.
  :
GET /traff.html h00p/1.0
Host: estkoks.biz
h00p request sent, awaiting response...
  :
h00p/1.1 200 OK
Server: nginx
Date: Sun, 07 Apr 2013 06:13:26 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
X-Powered-By: PHP/5.3.23
Cache-Control: no-store, no-cache
Expires: Sun, 07 Apr 2013 06:12:57 GMT
Vary: Accept-Encoding,User-Agent
Content-Length: 548
  :
200 OK
Registered socket 1892 for persistent reuse.
Length: 548 [text/html]
Saving to: `traff-2.html'
2013-04-07 15:13:43 (20.6 MB/s) - `traff-2.html' saved [548/548]


--2013-04-07 15:14:40--  h00p://fackhouse.biz/traff.html
Resolving fackhouse.biz... seconds 0.00, 46.4.179.118
Caching fackhouse.biz => 46.4.179.118
Connecting to fackhouse.biz|46.4.179.118|:80... seconds 0.00, connected.
  :
GET /traff.html h00p/1.0
Host: fackhouse.biz
h00p request sent, awaiting response...
  :
h00p/1.1 200 OK
Server: nginx
Date: Sun, 07 Apr 2013 06:14:24 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
X-Powered-By: PHP/5.3.23
Cache-Control: no-store, no-cache
Expires: Sun, 07 Apr 2013 06:13:55 GMT
Vary: Accept-Encoding,User-Agent
Content-Length: 550
  :
200 OK
Registered socket 1896 for persistent reuse.
Length: 550 [text/html]
Saving to: `traff-3.html'
2013-04-07 15:14:41 (18.6 MB/s) - `traff-3.html' saved [550/550]


// JAR embedded with the Ransomware binary evidence:

--2013-04-07 15:18:11--  h00p://hitmaest.org/traff.jar
Resolving hitmaest.org... 46.4.179.118
Connecting to hitmaest.org|46.4.179.118|:80... connected.
h00p request sent, awaiting response... 200 OK
Length: 79339 (77K) [application/java-archive]
Saving to: `traff-1.jar'
2013-04-07 15:18:12 (57.8 KB/s) - `traff-1.jar' saved [79339/79339]

--2013-04-07 15:20:36--  h00p://estkoks.biz/traff.jar
Resolving estkoks.biz... 46.4.179.118
Connecting to estkoks.biz|46.4.179.118|:80... connected.
h00p request sent, awaiting response... 200 OK
Length: 79339 (77K) [application/java-archive]
Saving to: `traff-2.jar'
2013-04-07 15:20:38 (58.0 KB/s) - `traff-2.jar' saved [79339/79339]

--2013-04-07 15:21:09--  h00p://fackhouse.biz/traff.jar
Resolving fackhouse.biz... 46.4.179.118
Connecting to fackhouse.biz|46.4.179.118|:80... connected.
h00p request sent, awaiting response... 200 OK
Length: 79339 (77K) [application/java-archive]
Saving to: `traff-3.jar'
2013-04-07 15:21:11 (56.6 KB/s) - `traff-3.jar' saved [79339/79339]

// jar exploit with ransomware:
2013/04/07  15:18  79,339 traff-1.jar c7f5392421345c401d8292de98133655
2013/04/07  15:20  79,339 traff-2.jar c7f5392421345c401d8292de98133655
2013/04/07  15:21  79,339 traff-3.jar c7f5392421345c401d8292de98133655
(same file eh?)

// embedded encoded malware

2013/04/06  21:13   33,280 traff-one    c1eee80c044baeceae962d0a9168d0a4
2013/04/06  21:13   33,280 traff-three  c1eee80c044baeceae962d0a9168d0a4
2013/04/06  21:13   33,280 traff-two    c1eee80c044baeceae962d0a9168d0a4

// Ransomware installer malware:

2013/04/07  15:29  33,280 traf-one-XOR-out.exe    16dfc87021d974cb653695693a4c644b
2013/04/07  15:33  33,280 traf-three-XOR-out.exe  16dfc87021d974cb653695693a4c644b
2013/04/07  15:31  33,280 traf-two-XOR-out.exe    16dfc87021d974cb653695693a4c644b

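The decoded binaries are named XOR-out.exe, so the payload carried inside the JAR was XOR-encoded before being dropped; the paste does not state the key or the key width. The following is an added example, not code from the paste or from MalwareMustDie: a defender-side carving check that finds a PE header hidden under any single-byte XOR key inside an arbitrary blob. Instead of decoding the whole blob 256 times it searches for the XORed DOS-stub message and then confirms the MZ and PE signatures under the same key. Single-byte XOR, the 0x4E offset of the stub message, and the sample blob (a constructed header shell with no code, surrounded by deterministic filler) are assumptions made here.

```python
# Added example, not part of the original paste: locate a single-byte-XOR-encoded
# PE image inside a blob. Single-byte XOR is an assumption for illustration; the
# sample blob below is constructed and contains no real malware.

DOS_STUB_TEXT = b"This program cannot be run in DOS mode."
STUB_TEXT_OFFSET = 0x4E   # where the message sits in the standard MS DOS stub


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def find_xor_encoded_pe(blob: bytes) -> list:
    """Return (key, offset) pairs for every position where a PE header appears
    under some single-byte XOR key. Search for the XORed DOS-stub message,
    then verify the MZ signature, e_lfanew and PE signature under that key."""
    hits = []
    for key in range(256):
        needle = xor_bytes(DOS_STUB_TEXT, key)
        pos = blob.find(needle)
        while pos != -1:
            start = pos - STUB_TEXT_OFFSET
            if start >= 0 and xor_bytes(blob[start:start + 2], key) == b"MZ":
                e_lfanew = int.from_bytes(
                    xor_bytes(blob[start + 0x3C:start + 0x40], key), "little")
                pe_off = start + e_lfanew
                if xor_bytes(blob[pe_off:pe_off + 4], key) == b"PE\0\0":
                    hits.append((key, start))
            pos = blob.find(needle, pos + 1)
    return hits


def build_fake_pe_header() -> bytes:
    """Constructed MZ/PE header shell (no code, no sections), laid out like a
    real one: e_lfanew = 0x80, stub message at 0x4E, PE signature at 0x80."""
    hdr = bytearray(0x100)
    hdr[0:2] = b"MZ"
    hdr[0x3C:0x40] = (0x80).to_bytes(4, "little")
    hdr[0x40:0x4E] = bytes.fromhex("0E1FBA0E00B409CD21B8014CCD21")   # stub code
    hdr[0x4E:0x4E + len(DOS_STUB_TEXT) + 3] = DOS_STUB_TEXT + b"\r\n$"
    hdr[0x80:0x84] = b"PE\0\0"
    return bytes(hdr)


def build_sample_blob(key: int = 0x5A, prefix_len: int = 300, suffix_len: int = 100) -> bytes:
    """Constructed carrier: reproducible filler bytes around the XOR-encoded
    header, mimicking a payload embedded inside a larger container file."""
    def filler(n, seed):
        out, x = bytearray(), seed
        for _ in range(n):
            x = (x * 1103515245 + 12345) & 0x7FFFFFFF   # simple LCG, reproducible
            out.append((x >> 16) & 0xFF)
        return bytes(out)
    return filler(prefix_len, 1) + xor_bytes(build_fake_pe_header(), key) + filler(suffix_len, 2)


if __name__ == "__main__":
    for key, off in find_xor_encoded_pe(build_sample_blob()):
        print(f"PE header found at offset {off:#x} under XOR key {key:#04x}")
```

Key 0 is covered as well, so the same scan reports a plain, unencoded PE embedded in a container; a multi-byte or rolling key would not be found by this check and needs a different approach.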
// all same file indeed:

   .text 0x1000 0x24f 1024
   .data 0x2000 0x6d3c 28160
   .idata 0x9000 0x1e8 512
   .rsrc 0xa000 0x95c 2560

Entry Point at 0x400
Virtual Address is 0x401000
0000   4D 5A 80 00 01 00 00 00 04 00 10 00 FF FF 00 00    MZ..............
0010   40 01 00 00 00 00 00 00 40 00 00 00 00 00 00 00    @.......@.......
0020   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
0030   00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00    ................
0040   0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68    ........!..L.!Th
0050   69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F    is program canno
0060   74 20 62 65 20 72 75 6E 20 69 6E 20 44 4F 53 20    t be run in DOS
0070   6D 6F 64 65 2E 0D 0A 24 00 00 00 00 00 00 00 00    mode...$........
0080   50 45 00 00 4C 01 04 00 E3 12 60 51 00 00 00 00    PE..L.....`Q....
0090   00 00 00 00 E0 00 0F 01 0B 01 01 47 00 04 00 00    ...........G....

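Added example, not code from the paste or from MalwareMustDie: a Python parser for the MZ/PE header dumped above, fed with those same 0xA0 bytes transcribed from the hex dump. It recovers e_lfanew (0x80, the byte at 0x3C), the machine type, the section count (which should agree with the four sections listed above), the compile timestamp, the COFF characteristics and the optional-header magic. Field offsets follow the documented IMAGE_DOS_HEADER, IMAGE_FILE_HEADER and IMAGE_OPTIONAL_HEADER32 layouts; the name tables are limited to the bits relevant here.

```python
# Added example, not part of the original paste: parse the MZ/PE header that the
# analysis dumps for traf-*-XOR-out.exe. PE_HEADER_HEX is a transcription of the
# 0xA0 bytes shown in the hex dump above.
import struct
from datetime import datetime, timezone

PE_HEADER_HEX = (
    "4D5A80000100000004001000FFFF0000"  # 0x0000  MZ header
    "40010000000000004000000000000000"  # 0x0010
    "00000000000000000000000000000000"  # 0x0020
    "00000000000000000000000080000000"  # 0x0030  e_lfanew = 0x80 at 0x3C
    "0E1FBA0E00B409CD21B8014CCD215468"  # 0x0040  DOS stub code + "Th"
    "69732070726F6772616D2063616E6E6F"  # 0x0050  "is program canno"
    "742062652072756E20696E20444F5320"  # 0x0060  "t be run in DOS "
    "6D6F64652E0D0A240000000000000000"  # 0x0070  "mode.\r\n$"
    "504500004C010400E312605100000000"  # 0x0080  PE signature + IMAGE_FILE_HEADER
    "00000000E0000F010B01014700040000"  # 0x0090  ... + start of optional header
)

# IMAGE_FILE_HEADER.Characteristics bits (subset)
CHARACTERISTICS = {
    0x0001: "RELOCS_STRIPPED",
    0x0002: "EXECUTABLE_IMAGE",
    0x0004: "LINE_NUMS_STRIPPED",
    0x0008: "LOCAL_SYMS_STRIPPED",
    0x0020: "LARGE_ADDRESS_AWARE",
    0x0100: "32BIT_MACHINE",
    0x0200: "DEBUG_STRIPPED",
    0x2000: "DLL",
}

MACHINE_NAMES = {0x014C: "i386", 0x8664: "AMD64", 0x01C0: "ARM", 0xAA64: "ARM64"}


def parse_pe_header(data: bytes) -> dict:
    """Parse the DOS header, PE signature, COFF file header and the first
    bytes of the optional header from a PE image prefix. Raises ValueError
    when the magic values are not where they should be."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("e_lfanew does not point at a PE signature")

    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    (machine, nsections, timestamp, _ptr_sym, _nsym,
     opt_size, characteristics) = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)

    # First 8 bytes of IMAGE_OPTIONAL_HEADER: Magic, linker major/minor, SizeOfCode
    magic, linker_major, linker_minor, size_of_code = struct.unpack_from(
        "<HBBI", data, e_lfanew + 24)

    # The stub message sits at 0x4E in the usual DOS stub and ends before "$"
    stub_end = data.find(b"$", 0x40)
    dos_stub = (data[0x4E:stub_end].decode("ascii", "replace").rstrip("\r\n")
                if stub_end > 0x4E else "")

    return {
        "e_lfanew": e_lfanew,
        "machine": machine,
        "machine_name": MACHINE_NAMES.get(machine, "unknown"),
        "number_of_sections": nsections,
        "timestamp": timestamp,
        "compile_time_utc": datetime.fromtimestamp(timestamp, tz=timezone.utc).isoformat(),
        "size_of_optional_header": opt_size,
        "characteristics": sorted(n for b, n in CHARACTERISTICS.items() if characteristics & b),
        "optional_magic": magic,          # 0x10B = PE32, 0x20B = PE32+
        "linker_version": f"{linker_major}.{linker_minor}",
        "size_of_code": size_of_code,
        "dos_stub": dos_stub,
    }


def parse_dumped_header() -> dict:
    """Parse the header transcribed from the paste's hex dump."""
    return parse_pe_header(bytes.fromhex(PE_HEADER_HEX))


if __name__ == "__main__":
    for k, v in parse_dumped_header().items():
        print(f"{k:24} {v:#x}" if isinstance(v, int) else f"{k:24} {v}")
```

The TimeDateStamp at 0x88 (E3 12 60 51, little-endian 0x516012E3) decodes to 2013-04-06 12:19:47 UTC, the day before the downloads logged above; a linker timestamp can be forged, so treat it as a pivot to corroborate, not as proof of build time.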
// VT = 2/46

VT: https://www.virustotal.com/en/file/cc7d711e14761205386b7451644f006ad2bbbe4a1784209e29bff60aa52bc1aa/analysis/1365316713/

Malwarebytes             : Trojan.Ransom.SML
Kaspersky                : UDS:DangerousObject.Multi.Generic

// OTHER SUSPECTED HOSTS:

bastapils.biz
estkoks.biz
fackhouse.biz
gangaon.biz
gerspins.org
hitmaest.org
ogololes.org

// samples:

2013/04/07  15:29   33,280 traf-one-XOR-out.exe    16dfc87021d974cb653695693a4c644b
2013/04/07  15:33   33,280 traf-three-XOR-out.exe  16dfc87021d974cb653695693a4c644b
2013/04/07  15:31   33,280 traf-two-XOR-out.exe    16dfc87021d974cb653695693a4c644b
2013/04/07  15:11      549 traff-1.html            4f691beb9b86e09eb62544399a6223d0
2013/04/07  15:18   79,339 traff-1.jar             c7f5392421345c401d8292de98133655
2013/04/07  15:13      548 traff-2.html            484f9f69b4126ce698a0414b4825101f
2013/04/07  15:20   79,339 traff-2.jar             c7f5392421345c401d8292de98133655
2013/04/07  15:14      550 traff-3.html            a5c8dc4c5b81784d6aea4662bc60d16c
2013/04/07  15:21   79,339 traff-3.jar             c7f5392421345c401d8292de98133655
2013/04/06  21:13   33,280 traff-one               c1eee80c044baeceae962d0a9168d0a4
2013/04/06  21:13   33,280 traff-three             c1eee80c044baeceae962d0a9168d0a4
2013/04/06  21:13   33,280 traff-two               c1eee80c044baeceae962d0a9168d0a4


// sample shares:

http://www.mediafire.com/?rz2p8444wj6bhu2


#MalwareMustDie!