SHARE
TWEET

New malicious campaign on 62.122.73.200-254 - Nov 1, 2013

DhiaLite Nov 2nd, 2013 567 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. Sat, Nov 1 2013
  2. #DhiaLite - On shady AS49236 "Leksim": New malicious campaign delivered so far from 8 IPs in the range 62.122.73.200 to 254.
  3.  
  4. Example VT report of payload
  5. https://www.virustotal.com/en/file/626a40dce7f19428a4a3fc5cd6e561f32b90d989f16bf19105c7152cf6dc142c/analysis/
  6.  
  7. ->Prediction with proof: The totality of the IPs in the 62.122.73.200-254 range are currently hosting malware payload and will start hosting domains to pursue the ongoing malicious campaign.
  8.  
  9. Read on for details:
  10.  
  11. Currently 62.122.73.206 to 209 and 62.122.73.211 to 214 are hosting malware domains. All under 62.122.72.0/23 of AS49236 "Leksim".
  12. ASN has 1 single CIDR that has been exclusively used for malicious purposes.
  13.  
  14. Reported for example in the past in:
  15.  
  16. http://www.welivesecurity.com/2012/04/05/blackhole-exploit-kit-plays-with-smart-redirection/
  17. http://blog.dynamoo.com/2011/04/evil-network-leksim-ltd-relnet-net.html
  18.  
  19. TWO CURRENT INTERESTING FACTS:
  20.  
  21. 1) All IPs in the range 62.122.73.200 to 254 are currently hosting identical malware payload:
  22. encrypt_html_pro_crack.exe (and possibly other payloads), but only 8 of these IPs are hosting domains.
  23. 62.122.73.214
  24. 62.122.73.213
  25. 62.122.73.212
  26. 62.122.73.208
  27. 62.122.73.211
  28. 62.122.73.209
  29. 62.122.73.207
  30. 62.122.73.206
  31.  
  32. 2) Within the same /23, another IP range 62.122.72.200 to 254 already showed this pattern of hosting common payload across all IPs with hosted domains:
  33. agricultural_simulator_2013_skachat_igry_cherez_torrent_-_skachat_igry_na_psp.exe
  34.  
  35. Below are the dates of first time and last time the IP hosted a malware domain, with number of days it has been used.
  36.  
  37. 62.122.72.254 2013-10-29 2013-10-31 2
  38. 62.122.72.253 2013-10-29 2013-10-31 2
  39. 62.122.72.252 2013-10-29 2013-10-30 1
  40. 62.122.72.251 2013-10-28 2013-10-30 2
  41. 62.122.72.250 2013-10-28 2013-10-30 2
  42. 62.122.72.247 2013-10-27 2013-10-31 4
  43. 62.122.72.249 2013-10-27 2013-10-30 3
  44. 62.122.72.248 2013-10-27 2013-10-30 3
  45. 62.122.72.244 2013-10-26 2013-11-01 6
  46. 62.122.72.246 2013-10-26 2013-10-31 5
  47. 62.122.72.245 2013-10-26 2013-10-28 2
  48. 62.122.72.243 2013-10-26 2013-10-28 2
  49. 62.122.72.242 2013-10-25 2013-10-26 1
  50. 62.122.72.241 2013-10-25 2013-10-26 1
  51. 62.122.72.240 2013-10-25 2013-10-26 1
  52. 62.122.72.237 2013-10-24 2013-11-01 8
  53. 62.122.72.239 2013-10-24 2013-10-31 7
  54. 62.122.72.238 2013-10-24 2013-10-26 2
  55. 62.122.72.236 2013-10-23 2013-10-27 4
  56. 62.122.72.235 2013-10-22 2013-11-01 10
  57. 62.122.72.225 2013-10-22 2013-10-22 0
  58. 62.122.72.234 2013-10-21 2013-11-01 11
  59. 62.122.72.233 2013-10-21 2013-11-01 11
  60. 62.122.72.232 2013-10-20 2013-10-31 11
  61. 62.122.72.231 2013-10-20 2013-10-24 4
  62. 62.122.72.230 2013-10-19 2013-11-01 13
  63. 62.122.72.229 2013-10-19 2013-11-01 13
  64. 62.122.72.228 2013-10-19 2013-10-31 12
  65. 62.122.72.221 2013-10-19 2013-10-19 0
  66. 62.122.72.227 2013-10-18 2013-11-01 14
  67. 62.122.72.226 2013-10-18 2013-11-01 14
  68. 62.122.72.224 2013-10-18 2013-10-30 12
  69. 62.122.72.223 2013-10-17 2013-10-31 14
  70. 62.122.72.220 2013-10-16 2013-10-21 5
  71. 62.122.72.219 2013-10-16 2013-10-16 0
  72. 62.122.72.218 2013-10-15 2013-10-31 16
  73. 62.122.72.217 2013-10-14 2013-11-01 18
  74. 62.122.72.215 2013-10-14 2013-11-01 18
  75. 62.122.72.216 2013-10-14 2013-10-31 17
  76. 62.122.72.214 2013-10-13 2013-11-01 19
  77. 62.122.72.212 2013-10-13 2013-11-01 19
  78. 62.122.72.213 2013-10-13 2013-10-31 18
  79. 62.122.72.211 2013-10-12 2013-11-01 20
  80. 62.122.72.209 2013-10-12 2013-11-01 20
  81. 62.122.72.210 2013-10-12 2013-10-29 17
  82. 62.122.72.208 2013-10-12 2013-10-28 16
  83. 62.122.72.207 2013-10-11 2013-11-01 21
  84. 62.122.72.206 2013-10-11 2013-11-01 21
  85. 62.122.72.205 2013-10-10 2013-11-01 22
  86. 62.122.72.204 2013-10-10 2013-11-01 22
  87. 62.122.72.201 2013-10-10 2013-10-29 19
  88. 62.122.72.203 2013-10-09 2013-11-01 23
  89. 62.122.72.202 2013-10-09 2013-11-01 23
  90. 62.122.72.200 2013-10-08 2013-10-31 23
  91.  
  92. Prediction: Remaining IPs in the 62.122.73.200-254 range are currently dormant but will start hosting new malware domains to serve the ongoing campaign.
  93.  
  94. Very likley the entire /23 is used for the same or other malicious campaigns.
  95.  
  96. #Dates when the 8 IPs started hosting malware domains in the past 2 days:
  97. 62.122.73.214 2013-11-01
  98. 62.122.73.213 2013-11-01
  99. 62.122.73.212 2013-11-01
  100. 62.122.73.208 2013-11-01
  101. 62.122.73.211 2013-10-31
  102. 62.122.73.209 2013-10-31
  103. 62.122.73.207 2013-10-31
  104. 62.122.73.206 2013-10-30
  105.  
  106. #VirusTotal reports
  107. https://www.virustotal.com/en/ip-address/62.122.73.206/information/
  108. https://www.virustotal.com/en/ip-address/62.122.73.207/information/
  109. https://www.virustotal.com/en/ip-address/62.122.73.208/information/
  110. https://www.virustotal.com/en/ip-address/62.122.73.209/information/
  111. https://www.virustotal.com/en/ip-address/62.122.73.211/information/
  112. https://www.virustotal.com/en/ip-address/62.122.73.212/information/
  113. https://www.virustotal.com/en/ip-address/62.122.73.213/information/
  114.  
  115. #Sample domains on each IP:
  116. dlc.sumsungstock.ru 62.122.73.206
  117. sumsungstock.ru 62.122.73.206
  118. dlc.downloads-msk.ru 62.122.73.207
  119. downloads-msk.ru 62.122.73.207
  120. dlc.sumsungphone.ru 62.122.73.208
  121. dlc.download-russia.ru 62.122.73.209
  122. download-russia.ru 62.122.73.209
  123. dlc.hot-file.ru 62.122.73.211
  124. hot-file.ru 62.122.73.211
  125. dlc.moisumsung.ru 62.122.73.212
  126. dlc.sumsungsearch.ru 62.122.73.213
  127. dlc.freshfiles.ru 62.122.73.214
  128. dlc.volga-files.ru 62.122.73.214
  129.  
  130. #Example check for payloads on IPs 62.122.72.200 to 254
  131.  
  132. bash-3.2$ curl  -A 'Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)' "http://62.122.72.206/download/203c3c387267672f27242c2b2d263c3a2d663a3d672f2d3c1730252477/25243a2c212c757b7f707a7d7b7d78716e2e21242d17212c75/06d4e448/torrent/agricultural_simulator_2013_skachat_igry_cherez_torrent_-_skachat_igry_na_psp.exe" > agricultural_simulator_2013_skachat_igry_cherez_torrent_-_skachat_igry_na_psp.exe
  133.   % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
  134.                                  Dload  Upload   Total   Spent    Left  Speed
  135. 100  129k  100  129k    0     0  83084      0  0:00:01  0:00:01 --:--:-- 97106
  136.  
  137. bash-3.2$ file agricultural_simulator_2013_skachat_igry_cherez_torrent_-_skachat_igry_na_psp.exeagricultural_simulator_2013_skachat_igry_cherez_torrent_-_skachat_igry_na_psp.exe: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
  138.  
  139. https://www.virustotal.com/en/file/0d054d0c2aa50cb8fc30256784bf9df48f47d964b8d0c9e5a8d130f447543a86/analysis/1383424746/
  140.  
  141.  
  142. #Example check for payloads on IPs 62.122.73.200 to 254
  143.  
  144. bash-3.2$ curl  -A 'Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)' "http://62.122.73.246/download/302c2c2862777735212b2d352b2d363f762a2d773f3d2c0720353467/35342a2b2c3a656b7e3c313c656b616c6c6d61696d687e3e31343d07313c65/0736a358/setup3/encrypt_html_pro_crack.exe" > encrypt_html_pro_crack.exe
  145.   % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
  146.                                  Dload  Upload   Total   Spent    Left  Speed
  147. 100  129k  100  129k    0     0  85561      0  0:00:01  0:00:01 --:--:-- 99570
  148.  
  149. bash-3.2$ file encrypt_html_pro_crack.exe
  150. encrypt_html_pro_crack.exe: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
  151.  
  152. https://malwr.com/analysis/NDk3ZmZiZTdjMzNiNGFkZGE5ZTQ5MzA5ZDFkNTRhY2Q/
RAW Paste Data
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy. OK, I Understand
 
Top