- Sat, Nov 1 2013
- #DhiaLite - On shady AS49236 "Leksim": New malicious campaign delivered so far from 8 IPs in the range 62.122.73.200 to 254.
- Example VT report of payload
- https://www.virustotal.com/en/file/626a40dce7f19428a4a3fc5cd6e561f32b90d989f16bf19105c7152cf6dc142c/analysis/
- ->Prediction with proof: every IP in the 62.122.73.200-254 range is currently hosting the malware payload, and the IPs not yet hosting domains will start doing so to pursue the ongoing malicious campaign.
- Read on for details:
- Currently 62.122.73.206 to 209 and 62.122.73.211 to 214 are hosting malware domains, all within 62.122.72.0/23 of AS49236 "Leksim".
- The ASN announces a single CIDR (62.122.72.0/23), which has been used exclusively for malicious purposes.
- Reported for example in the past in:
- http://www.welivesecurity.com/2012/04/05/blackhole-exploit-kit-plays-with-smart-redirection/
- http://blog.dynamoo.com/2011/04/evil-network-leksim-ltd-relnet-net.html
- TWO CURRENT INTERESTING FACTS:
- 1) All IPs in the range 62.122.73.200 to 254 are currently hosting an identical malware payload:
- encrypt_html_pro_crack.exe (and possibly other payloads), but only 8 of these IPs are hosting domains:
- 62.122.73.214
- 62.122.73.213
- 62.122.73.212
- 62.122.73.208
- 62.122.73.211
- 62.122.73.209
- 62.122.73.207
- 62.122.73.206
- 2) Within the same /23, another IP range, 62.122.72.200 to 254, already showed the same pattern: a common payload served from every IP, with malware domains hosted on them:
- agricultural_simulator_2013_skachat_igry_cherez_torrent_-_skachat_igry_na_psp.exe
- Below, for each IP: the first and last date it was seen hosting a malware domain, and the number of days between those dates.
- IP first_seen last_seen days
- 62.122.72.254 2013-10-29 2013-10-31 2
- 62.122.72.253 2013-10-29 2013-10-31 2
- 62.122.72.252 2013-10-29 2013-10-30 1
- 62.122.72.251 2013-10-28 2013-10-30 2
- 62.122.72.250 2013-10-28 2013-10-30 2
- 62.122.72.247 2013-10-27 2013-10-31 4
- 62.122.72.249 2013-10-27 2013-10-30 3
- 62.122.72.248 2013-10-27 2013-10-30 3
- 62.122.72.244 2013-10-26 2013-11-01 6
- 62.122.72.246 2013-10-26 2013-10-31 5
- 62.122.72.245 2013-10-26 2013-10-28 2
- 62.122.72.243 2013-10-26 2013-10-28 2
- 62.122.72.242 2013-10-25 2013-10-26 1
- 62.122.72.241 2013-10-25 2013-10-26 1
- 62.122.72.240 2013-10-25 2013-10-26 1
- 62.122.72.237 2013-10-24 2013-11-01 8
- 62.122.72.239 2013-10-24 2013-10-31 7
- 62.122.72.238 2013-10-24 2013-10-26 2
- 62.122.72.236 2013-10-23 2013-10-27 4
- 62.122.72.235 2013-10-22 2013-11-01 10
- 62.122.72.225 2013-10-22 2013-10-22 0
- 62.122.72.234 2013-10-21 2013-11-01 11
- 62.122.72.233 2013-10-21 2013-11-01 11
- 62.122.72.232 2013-10-20 2013-10-31 11
- 62.122.72.231 2013-10-20 2013-10-24 4
- 62.122.72.230 2013-10-19 2013-11-01 13
- 62.122.72.229 2013-10-19 2013-11-01 13
- 62.122.72.228 2013-10-19 2013-10-31 12
- 62.122.72.221 2013-10-19 2013-10-19 0
- 62.122.72.227 2013-10-18 2013-11-01 14
- 62.122.72.226 2013-10-18 2013-11-01 14
- 62.122.72.224 2013-10-18 2013-10-30 12
- 62.122.72.223 2013-10-17 2013-10-31 14
- 62.122.72.220 2013-10-16 2013-10-21 5
- 62.122.72.219 2013-10-16 2013-10-16 0
- 62.122.72.218 2013-10-15 2013-10-31 16
- 62.122.72.217 2013-10-14 2013-11-01 18
- 62.122.72.215 2013-10-14 2013-11-01 18
- 62.122.72.216 2013-10-14 2013-10-31 17
- 62.122.72.214 2013-10-13 2013-11-01 19
- 62.122.72.212 2013-10-13 2013-11-01 19
- 62.122.72.213 2013-10-13 2013-10-31 18
- 62.122.72.211 2013-10-12 2013-11-01 20
- 62.122.72.209 2013-10-12 2013-11-01 20
- 62.122.72.210 2013-10-12 2013-10-29 17
- 62.122.72.208 2013-10-12 2013-10-28 16
- 62.122.72.207 2013-10-11 2013-11-01 21
- 62.122.72.206 2013-10-11 2013-11-01 21
- 62.122.72.205 2013-10-10 2013-11-01 22
- 62.122.72.204 2013-10-10 2013-11-01 22
- 62.122.72.201 2013-10-10 2013-10-29 19
- 62.122.72.203 2013-10-09 2013-11-01 23
- 62.122.72.202 2013-10-09 2013-11-01 23
- 62.122.72.200 2013-10-08 2013-10-31 23
- Prediction: the remaining IPs in the 62.122.73.200-254 range are currently dormant but will start hosting new malware domains to serve the ongoing campaign.
- Very likely the entire /23 is used for the same or other malicious campaigns.
- #Dates on which each of the 8 IPs first hosted a malware domain (all within the past 2 days):
- 62.122.73.214 2013-11-01
- 62.122.73.213 2013-11-01
- 62.122.73.212 2013-11-01
- 62.122.73.208 2013-11-01
- 62.122.73.211 2013-10-31
- 62.122.73.209 2013-10-31
- 62.122.73.207 2013-10-31
- 62.122.73.206 2013-10-30
- #VirusTotal reports
- https://www.virustotal.com/en/ip-address/62.122.73.206/information/
- https://www.virustotal.com/en/ip-address/62.122.73.207/information/
- https://www.virustotal.com/en/ip-address/62.122.73.208/information/
- https://www.virustotal.com/en/ip-address/62.122.73.209/information/
- https://www.virustotal.com/en/ip-address/62.122.73.211/information/
- https://www.virustotal.com/en/ip-address/62.122.73.212/information/
- https://www.virustotal.com/en/ip-address/62.122.73.213/information/
- #Sample domains on each IP:
- dlc.sumsungstock.ru 62.122.73.206
- sumsungstock.ru 62.122.73.206
- dlc.downloads-msk.ru 62.122.73.207
- downloads-msk.ru 62.122.73.207
- dlc.sumsungphone.ru 62.122.73.208
- dlc.download-russia.ru 62.122.73.209
- download-russia.ru 62.122.73.209
- dlc.hot-file.ru 62.122.73.211
- hot-file.ru 62.122.73.211
- dlc.moisumsung.ru 62.122.73.212
- dlc.sumsungsearch.ru 62.122.73.213
- dlc.freshfiles.ru 62.122.73.214
- dlc.volga-files.ru 62.122.73.214
- #Example check for payloads on IPs 62.122.72.200 to 254
- bash-3.2$ curl -A 'Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)' "http://62.122.72.206/download/203c3c387267672f27242c2b2d263c3a2d663a3d672f2d3c1730252477/25243a2c212c757b7f707a7d7b7d78716e2e21242d17212c75/06d4e448/torrent/agricultural_simulator_2013_skachat_igry_cherez_torrent_-_skachat_igry_na_psp.exe" > agricultural_simulator_2013_skachat_igry_cherez_torrent_-_skachat_igry_na_psp.exe
- % Total % Received % Xferd Average Speed Time Time Time Current
- Dload Upload Total Spent Left Speed
- 100 129k 100 129k 0 0 83084 0 0:00:01 0:00:01 --:--:-- 97106
- bash-3.2$ file agricultural_simulator_2013_skachat_igry_cherez_torrent_-_skachat_igry_na_psp.exe
- agricultural_simulator_2013_skachat_igry_cherez_torrent_-_skachat_igry_na_psp.exe: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
- https://www.virustotal.com/en/file/0d054d0c2aa50cb8fc30256784bf9df48f47d964b8d0c9e5a8d130f447543a86/analysis/1383424746/
- #Example check for payloads on IPs 62.122.73.200 to 254
- bash-3.2$ curl -A 'Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)' "http://62.122.73.246/download/302c2c2862777735212b2d352b2d363f762a2d773f3d2c0720353467/35342a2b2c3a656b7e3c313c656b616c6c6d61696d687e3e31343d07313c65/0736a358/setup3/encrypt_html_pro_crack.exe" > encrypt_html_pro_crack.exe
- % Total % Received % Xferd Average Speed Time Time Time Current
- Dload Upload Total Spent Left Speed
- 100 129k 100 129k 0 0 85561 0 0:00:01 0:00:01 --:--:-- 99570
- bash-3.2$ file encrypt_html_pro_crack.exe
- encrypt_html_pro_crack.exe: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
- https://malwr.com/analysis/NDk3ZmZiZTdjMzNiNGFkZGE5ZTQ5MzA5ZDFkNTRhY2Q/
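- The two curl checks above test one IP at a time. The script below is an added example (not part of the original paste or the author's tooling) that sweeps a whole range the same way, hashes what each host returns, verifies the response is actually a PE rather than an HTML error page, clusters hosts by identical payload, and then derives the "dormant" set the prediction talks about: hosts serving the payload that are not among the 8 IPs seen hosting domains. The fetcher, the User-Agent and the PE check are real; the payload path, the sample bytes and the `fake_fetch` results are constructed assumptions so the demo runs offline (the paste's real URLs carry per-download hex tokens ahead of the file name).

```python
"""Sweep a contiguous IPv4 range for one payload path, hash what each host
returns, and derive the "dormant" set (hosts serving the payload but not yet
hosting a domain).  Added example for this paste, not the author's tooling."""
import hashlib
import ipaddress
from collections import defaultdict
from typing import Callable, Dict, Iterable, List, Optional, Set

# Same legacy MSIE User-Agent the paste's curl checks sent; such download
# servers frequently gate payloads on the UA string.
USER_AGENT = "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)"

# Assumption: the real URLs in the paste carry per-download hex tokens ahead
# of this tail; only the tail is used here as a placeholder.
PAYLOAD_PATH = "/setup3/encrypt_html_pro_crack.exe"

# The 8 IPs the paste lists as already hosting domains on 2013-11-01.
HOSTING_DOMAINS: Set[str] = {
    "62.122.73.206", "62.122.73.207", "62.122.73.208", "62.122.73.209",
    "62.122.73.211", "62.122.73.212", "62.122.73.213", "62.122.73.214",
}


def ip_range(first: str, last: str) -> List[str]:
    """Inclusive list of IPv4 addresses from first to last."""
    lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    return [str(ipaddress.IPv4Address(n)) for n in range(int(lo), int(hi) + 1)]


def looks_like_pe(body: bytes) -> bool:
    """Cheap stand-in for `file`: MZ stub and a PE signature at e_lfanew.
    Filters out 200-OK HTML error pages that would otherwise get hashed."""
    if len(body) < 0x40 or body[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(body[0x3C:0x40], "little")
    return body[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def http_fetch(ip: str, path: str, timeout: float = 10.0) -> Optional[bytes]:
    """Live fetcher over plain HTTP (as in the paste's curl commands).
    Not used by the offline demo; run it only from an isolated analysis box."""
    import urllib.request
    req = urllib.request.Request(f"http://{ip}{path}", headers={"User-Agent": USER_AGENT})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.read()
    except Exception:
        return None


def sweep(ips: Iterable[str], path: str,
          fetch: Callable[[str, str], Optional[bytes]]) -> Dict[str, Optional[str]]:
    """Map each IP to the SHA-256 of the PE it served, or None if it served
    nothing or something that is not a PE."""
    out: Dict[str, Optional[str]] = {}
    for ip in ips:
        body = fetch(ip, path)
        out[ip] = hashlib.sha256(body).hexdigest() if body and looks_like_pe(body) else None
    return out


def group_by_hash(hashes: Dict[str, Optional[str]]) -> Dict[str, List[str]]:
    """Cluster IPs that served byte-identical payloads."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for ip, digest in hashes.items():
        if digest:
            groups[digest].append(ip)
    return dict(groups)


def dormant_hosts(hashes: Dict[str, Optional[str]], hosting: Set[str]) -> List[str]:
    """IPs serving the payload that have not (yet) been seen hosting a domain."""
    return sorted((ip for ip, d in hashes.items() if d and ip not in hosting),
                  key=ipaddress.IPv4Address)


# --- constructed offline sample (not real captured bytes) -------------------
# Minimal PE-shaped blob: MZ stub, e_lfanew = 0x40, "PE\0\0" at that offset.
SAMPLE_PE = b"MZ" + b"\0" * 0x3A + (0x40).to_bytes(4, "little") + b"PE\0\0" + b"\0" * 16


def fake_fetch(ip: str, path: str) -> Optional[bytes]:
    """Stand-in for http_fetch: every host in .200-.254 returns the same PE,
    .199 returns an HTML error page, anything else returns nothing."""
    last = int(ip.rsplit(".", 1)[1])
    if ip.startswith("62.122.73.") and 200 <= last <= 254:
        return SAMPLE_PE
    if ip == "62.122.73.199":
        return b"<html><body>404 Not Found</body></html>"
    return None


def demo():
    """Sweep .199-.254 with the constructed fetcher; returns (hashes, groups, dormant)."""
    hashes = sweep(ip_range("62.122.73.199", "62.122.73.254"), PAYLOAD_PATH, fake_fetch)
    return hashes, group_by_hash(hashes), dormant_hosts(hashes, HOSTING_DOMAINS)


if __name__ == "__main__":
    hashes, groups, dormant = demo()
    for digest, ips in groups.items():
        print(f"{digest[:16]}... served by {len(ips)} hosts")
    print(f"{len(dormant)} hosts serve the payload but host no domain yet:")
    print(" ".join(dormant))
```

- To run it against the live range, pass `http_fetch` instead of `fake_fetch` to `sweep()` from an isolated analysis host; a single hash group covering all 55 addresses is what the paste's "identical payload" claim predicts, and `dormant_hosts()` then gives the list to watch for newly pointed domains.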