MalwareMustDie

#MalwareMustDie - Infection of Cridex/Fareit

Jan 26th, 2013
=========================================
#MalwareMustDie
Latest Cridex/Fareit Infection via BHEK
(Credential Stealer Crime Evidence)
BHEK Domain / host used: eziponoma.ru:8080
@unixfreaxjp /malware]$ date
Sat Jan 26 19:56:20 JST 2013
=========================================

// infector
h00p://www.tounichi-g.co.jp/info.htm (redirector)
h00p://eziponoma.ru:8080/forum/links/column.php (landing page)

// swf
h00p://eziponoma.ru:8080/forum/links/column.php?uvdexgag=30:1n:1i:1i:33&wyxtg=3m:34:33:3k:3d&plxyuc=2v:1k:1m:32:33:1k:1k:31:1j:1o&zgcoapeq=dsl
h00p://eziponoma.ru:8080/forum/links/column.php?uhe=30:1n:1i:1i:33&gwapy=3c:3k:38:3e&arp=2v:1k:1m:32:33:1k:1k:31:1j:1o&kwo=lxmxja

// pdf
h00p://eziponoma.ru:8080/forum/links/column.php?dalzfmq=30:1n:1i:1i:33&msrsrdpm=3f:39:32&jddzbak=2v:1k:1m:32:33:1k:1k:31:1j:1o&sqlxaoig=1k:1d:1f:1d:1g:1d:1f
h00p://eziponoma.ru:8080/forum/links/column.php?qaxcdv=30:1n:1i:1i:33&opynqk=39&tviura=2v:1k:1m:32:33:1k:1k:31:1j:1o&mddqxkqz=1k:1d:1f:1d:1g:1d:1f

// payload
h00p://eziponoma.ru:8080/forum/links/column.php?nf=30:1n:1i:1i:33&ye=2v:1k:1m:32:33:1k:1k:31:1j:1o&z=1k&sg=n&sc=c

// samples (with MD5 + UrlQuery report url)
// columns: date time | MD5 | size (bytes) | filename | UrlQuery report
2013/01/26 18:11 d0fe2ce87f933ff73f5ce0c0efadd462 422 info.htm http://urlquery.net/report.php?id=850246
2013/01/26 18:21 f1b7f17e653cdedbfc78d3e9fa2bef4d 117,752 column.php http://urlquery.net/report.php?id=842744
2013/01/26 19:15 d60be18003ae07ea165d193db087957b 7,238 flash1.swf http://urlquery.net/report.php?id=850229
2013/01/26 19:16 a5a1308ee3ca7f75fe85fe4d9a14752f 946 flash2.swf http://urlquery.net/report.php?id=850230
2013/01/26 19:17 361f6e22e55ca3732d8cbeff43ecb1d4 21,599 infector1.pdf http://urlquery.net/report.php?id=850240
2013/01/26 19:17 ef4c398c0138c3e8adabcdb647b2283b 11,183 infector2.pdf http://urlquery.net/report.php?id=850236
2013/01/26 18:23 95c06ae7b26fcbe338532bbaa1e137c4 15,420 java1.jar http://urlquery.net/report.php?id=842744
2013/01/26 18:24 5599f12b1c2ce9c68dc629d013241273 15,592 java2.jar http://urlquery.net/report.php?id=842744
2013/01/26 18:42 9fb4dd1b3e0b6002eff7e6f63a6b6d07 98,304 about.exe http://urlquery.net/report.php?id=850234
2013/01/26 20:39 b152dacee9c5ca22543fe9e435177496 110,592 KB00777165.exe -

// additional: plugindetect
2013/01/26 19:12 47a1882f9677bb24f51405d71c6c7536 56,904 BHEK-PD079.txt

// Virus Total: (as per above sample sequence)
----
#MalwareMustDie!