BHEK "closest" ver. Multiple payloads - 20130207 #2(Germany)

MalwareMustDie, Feb 7th, 2013
=========================================================
#MalwareMustDie! BLOCK THESE URLs AND 178.63.214.21 ASAP!!
@unixfreaxjp  Thu Feb  7 04:37:01  2013
Blackhole "/closest/" version
Multiple landing pages, multiple payloads per landing page

At IP: 178.63.214.21 (Dynamic Addr)
---------------------------------------------------------------------------------
ASN   |Prefix         |ASName   |CN  |Domain          |ISP of an IP Address
---------------------------------------------------------------------------------
24940 | 178.63.0.0/16 | HETZNER | DE | YOUR-SERVER.DE | JUST HOSTING

MO: the infector domain keeps changing, i.e.:
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
44edkjhgc.mymom.info
4wjgiwgjw.mymom.info
4drguvub.mywww.biz
5uwdfhwui.mywww.biz
4tyuijhbnm.mywww.biz
5jijefijdjw.mywww.biz
===========================================================

1. http://178.63.214.21/closest/black_dragon.php
2. http://178.63.214.21/closest/984y3fh8u3hfu3jcihei.php
3. http://178.63.214.21/closest/98yf8913fjipgjialhg8239jgighnjh4i6k5o.php
4. http://178.63.214.21/closest/209tuj2dsljdglsgjwrigslgkjskga.php
5. http://178.63.214.21/closest/98y7y432ufh49gj23sldkkqowpsskfnv.php
6. http://178.63.214.21/closest/209tuj2dsljdglsgjwrigslgkjskga.php

Landing page 1: http://178.63.214.21/closest/black_dragon.php  --> Cridex (27/45)

jar1: https://www.virustotal.com/file/32023c224aa49ad4187f610e09cb65a1c99bc11ea11c944a39cf4ff2f1f4b5e8/analysis/1360240607/
jar2: https://www.virustotal.com/file/e22a7a11dfb2ac17de9f590f9a5f5f1f17afea5a46d9d61cef689bdd131df800/analysis/1360240617/
pdf1: https://www.virustotal.com/file/bf74ba6d5bf1ea4a16d6a11a2819667ede24baacfe7c04525a8f1baa643c911c/analysis/1360240743/
pdf2: https://www.virustotal.com/file/6357a00c86c9b36f15766e31c4c4f5cbb7385167fbfb766dd1188cb758c6c9c0/analysis/1360240751/
Payload: https://www.virustotal.com/file/7876ab47a6ef51ef87545a2634528cf0d887d62f97675c97d74175714fc975ae/analysis/1360238712/

Landing page 2: http://178.63.214.21/closest/984y3fh8u3hfu3jcihei.php --> Trojan Dropper DLL (run w/rundll32.exe)

pdf1: https://www.virustotal.com/file/f7c54a821afec66e89d598e767d93b86a09f2332f8245babbfdc0c7d2cef4a8d/analysis/1360243427/
pdf2: https://www.virustotal.com/file/5516d2525c0c5bf45625d1309d97a77df547a48d3517b5502e93c96c19158c80/analysis/1360243440/
jar1: https://www.virustotal.com/file/32023c224aa49ad4187f610e09cb65a1c99bc11ea11c944a39cf4ff2f1f4b5e8/analysis/
jar2: https://www.virustotal.com/file/e22a7a11dfb2ac17de9f590f9a5f5f1f17afea5a46d9d61cef689bdd131df800/analysis/
Payload: https://www.virustotal.com/file/38a4e42d8a1de1c666d3672173862eab246193e7ab800a58883a23a49bd5ef31/analysis/


The landing pages below were also loaded and weaponized:
                                  ^^^^^^^^^^^^^^^^^^^^^
 http://178.63.214.21/closest/98yf8913fjipgjialhg8239jgighnjh4i6k5o.php
 http://178.63.214.21/closest/209tuj2dsljdglsgjwrigslgkjskga.php
 http://178.63.214.21/closest/98y7y432ufh49gj23sldkkqowpsskfnv.php
 http://178.63.214.21/closest/209tuj2dsljdglsgjwrigslgkjskga.php

----
#MalwareMustDie!! @unixfreaxjp