- #MalwareMustDie - Fake Installer drops PUP Backdoor.
- # 2014-05-02 13:06:40 | @unixfreaxjp
- // Hint:
- https://www.virustotal.com/en/ip-address/5.39.5.226/information/
- http://urlquery.net/search.php?q=5.39.5.226&type=string&start=2011-06-25&end=2014-05-02&max=50
- // URL:
- http://dlp.procloudsvr3.com/4EHTX5KYU49ZDHwscT38XEJi6tq7n0jznJf_rmaMzCibzlRTvy7HyhYsHBZlm-hw1IqFSquT1VSezgSfwCwRbFwW5HHw-wnVSz5ya4ccE2K7zNB1mZd7QdfaiYCUPjs1
- http://dlp.procloudsvr3.com/aOgRjb4gp2n4HvWFlVqTLrn6snO3Hn-ePTRjtgI7nAxFZ8uQclq757TRufvlW9QHAhmQO7UKeS2AGEPl9GHNDAT10sIVKmZt8A3mm-R3mdBtThveg8FktM4dkeNtaxZY
- http://dlp.cloudsvr38.com/jmrRH5qz2zFU-p9rvlZnnzYC4-qW8Q-KMojSOpkPyZIgwB42YY9CTbV5rjQbnwawgPUmaDIuJ89DJ10cinqTiF9bnk3Kcvv8Aja2gsoF7xu-ChJ0GUAQQXasD3t5EiDe
- http://dlp.cloudsvr36.com/A2c8U9C8ubRJZU3EAmGEMz39nAzmh17c9dj8lF4e1zyW4_rEYmKpBELXsRn_hb4o96UMobSYVh1FUD9FfpgRVyVMHoNpYAZAg_BRoB68qDnWK8_pflLMKCMQlv_6WxqF
- http://dlp.cloudsvr36.com/0RbGL5gEYV2u6Y9bF5uhqOTUyINHr5OkHFGePCfE0OEyVOcbjLz4TKTof9Io3kRMIqr4Oht4ZqE8TDZWhN_Xq6svQjq041jo2cvo2WK8bleJ8omVAxmHFtPtYHxHa29F
- // Fetch record...
- --2014-05-02 12:43:07-- http://dlp.procloudsvr3.com/4EHTX5KYU49ZDHwscT38XEJi6tq7n0jznJf_rmaMzCibzlRTvy7HyhYsHBZlm-hw1IqFSquT1VSezgSfwCwRbFwW5HHw-wnVSz5ya4ccE2K7zNB1mZd7QdfaiYCUPjs1
- Resolving dlp.procloudsvr3.com (dlp.procloudsvr3.com)... 178.32.29.116
- Connecting to dlp.procloudsvr3.com (dlp.procloudsvr3.com)|178.32.29.116|:80... connected.
- HTTP request sent, awaiting response... 200 OK
- Length: 499032 (487K) [application/octet-stream]
- Saving to: 'Setup.exe'
- 2014-05-02 12:43:11 (208 KB/s) - 'Setup.exe' saved [499032/499032]
- --2014-05-02 12:50:20-- http://dlp.procloudsvr3.com/aOgRjb4gp2n4HvWFlVqTLrn6snO3Hn-ePTRjtgI7nAxFZ8uQclq757TRufvlW9QHAhmQO7UKeS2AGEPl9GHNDAT10sIVKmZt8A3mm-R3mdBtThveg8FktM4dkeNtaxZY
- Resolving dlp.procloudsvr3.com (dlp.procloudsvr3.com)... 5.39.40.131
- Connecting to dlp.procloudsvr3.com (dlp.procloudsvr3.com)|5.39.40.131|:80... connected.
- HTTP request sent, awaiting response... 200 OK
- Length: 499040 (487K) [application/octet-stream]
- Saving to: 'Setup.exe'
- 2014-05-02 12:50:23 (229 KB/s) - 'Setup.exe' saved [499040/499040]
- --2014-05-02 13:09:46-- http://dlp.cloudsvr38.com/jmrRH5qz2zFU-p9rvlZnnzYC4-qW8Q-KMojSOpkPyZIgwB42YY9CTbV5rjQbnwawgPUmaDIuJ89DJ10cinqTiF9bnk3Kcvv8Aja2gsoF7xu-ChJ0GUAQQXasD3t5EiDe
- Resolving dlp.cloudsvr38.com (dlp.cloudsvr38.com)... 46.105.161.137
- Connecting to dlp.cloudsvr38.com (dlp.cloudsvr38.com)|46.105.161.137|:80... connected.
- HTTP request sent, awaiting response... 200 OK
- Length: 319832 (312K) [application/octet-stream]
- Saving to: 'Setup.exe'
- 2014-05-02 13:09:48 (169 KB/s) - 'Setup.exe' saved [319832/319832]
- // Debug
- GET /4EHTX5KYU49ZDHwscT38XEJi6tq7n0jznJf_rmaMzCibzlRTvy7HyhYsHBZlm-hw1IqFSquT1VSezgSfwCwRbFwW5HHw-wnVSz5ya4ccE2K7zNB1mZd7QdfaiYCUPjs1 HTTP/1.1
- Accept: */*
- Host: dlp.procloudsvr3.com
- Connection: Keep-Alive
- HTTP request sent, awaiting response...
- HTTP/1.1 200 OK
- Server: nginx
- Date: Fri, 02 May 2014 04:03:24 GMT
- Content-Type: application/octet-stream
- Content-Length: 499032
- Connection: keep-alive
- Vary: Accept-Language, Cookie
- Content-Language: en
- Content-Disposition: filename=Setup.exe
- 200 OK
- Registered socket 3 for persistent reuse.
- Length: 499032 (487K) [application/octet-stream]
- Saving to: 'Setup.exe'
- 100%[====================>] 499,032 197KB/s in 2.5s
- 2014-05-02 13:03:27 (197 KB/s) - 'Setup.exe' saved [499032/499032]
- // Full session:
- --2014-05-02 13:06:38-- http://dlp.cloudsvr38.com/jmrRH5qz2zFU-p9rvlZnnzYC4-qW8Q-KMojSOpkPyZIgwB42YY9CTbV5rjQbnwawgPUmaDIuJ89DJ10cinqTiF9bnk3Kcvv8Aja2gsoF7xu-ChJ0GUAQQXasD3t5EiDe
- Resolving dlp.cloudsvr38.com (dlp.cloudsvr38.com)... 54.200.252.181
- Caching dlp.cloudsvr38.com => 54.200.252.181
- Connecting to dlp.cloudsvr38.com (dlp.cloudsvr38.com)|54.200.252.181|:80... connected.
- GET /jmrRH5qz2zFU-p9rvlZnnzYC4-qW8Q-KMojSOpkPyZIgwB42YY9CTbV5rjQbnwawgPUmaDIuJ89DJ10cinqTiF9bnk3Kcvv8Aja2gsoF7xu-ChJ0GUAQQXasD3t5EiDe HTTP/1.1
- Accept: */*
- Host: dlp.cloudsvr38.com
- Connection: Keep-Alive
- HTTP request sent, awaiting response...
- HTTP/1.1 200 OK
- Content-Disposition: filename=Setup.exe
- Content-Language: en
- Content-Type: application/octet-stream
- Date: Fri, 02 May 2014 04:06:39 GMT
- Server: nginx
- Vary: Accept-Language, Cookie
- Content-Length: 499032
- Connection: keep-alive
- 200 OK
- Length: 499032 (487K) [application/octet-stream]
- Saving to: 'Setup.exe'
- 100%[=========>] 499,032 436KB/s in 1.1s
- 2014-05-02 13:06:40 (436 KB/s) - 'Setup.exe' saved [499032/499032]
- // Cloud DNS
- ;; QUESTION SECTION:
- ;dlp.procloudsvr3.com. IN A
- ;; ANSWER SECTION:
- dlp.procloudsvr3.com. 332 IN CNAME dlpr3.tgusrv.com.
- dlpr3.tgusrv.com. 12 IN A 54.200.252.181
- /* ↑ Short TTL: 12 s on the A record */
- // Round-robin IP
- $ while true; do dig +short dlpr3.tgusrv.com A; sleep 2; done
- 37.59.93.34
- 5.135.66.83
- 176.31.87.147
- 54.200.252.181
- 176.31.87.147
- 54.200.252.181
- 5.39.40.131
- 5.39.5.226
- ^C
- // There are two download payloads:
- Setup.exe
- https://www.virustotal.com/en/file/92d8677c6a4e7508edd9f96a1cae539b324bd1d3a4894d242b0bef941f4c9c25/analysis/1399007797/
- Setup2.exe
- https://www.virustotal.com/en/file/ee41130e11711ccb480ca8377f130be1c114d40e2eba48d48acd4900e4b64ae7/analysis/1399007809/
- // Both drop this PE:
- Android.exe / Apk_Setup.exe
- https://www.virustotal.com/en/file/5d4c7345e36592ec207055ca7eb51c8805cddea9e2b70eb4b7ba2966678e7bc9/analysis/1399007997/
- // Verdict evidence:
- https://lh6.googleusercontent.com/-F72SeYsUzvY/U2MxkxIvGxI/AAAAAAAAPjw/7lqFjd-whGo/s1024/A1000101.png
- https://lh5.googleusercontent.com/-1kLFi8UaZh8/U2Mxk7fi4ZI/AAAAAAAAPjs/_dEMPrSe_E4/s1024/A2000101.png
- // It exhibits the following malicious behaviour:
- // drops
- C:\DOCUME~1\<USER>~1\LOCALS~1\Temp\nso2.tmp (successful)
- C:\DOCUME~1\<USER>~1\LOCALS~1\Temp\android\android.exe (successful)
- C:\DOCUME~1\<USER>~1\LOCALS~1\Temp\android\android.exe.config (successful)
- C:\DOCUME~1\<USER>~1\LOCALS~1\Temp\android\Newtonsoft.Json.dll (successful)
- C:\DOCUME~1\<USER>~1\LOCALS~1\Temp\android\SQLite.Interop.dll (successful)
- C:\DOCUME~1\<USER>~1\LOCALS~1\Temp\android\System.Data.SQLite.dll (successful)
- // Spawns its own process, which runs daemonized..
- C:\DOCUME~1\<USER>~1\LOCALS~1\Temp\android\android.exe (successful)
- https://jbxcloud.joesecurity.org/index.php/analysis/43101/0/html
- // Config loaded for its HTTP communication (backdoor):
- <?xml version="1.0"?>
- <configuration>
- <appSettings>
- <add key="UseElevatedPermissions" value="0" />
- </appSettings>
- <system.net>
- <settings>
- <httpWebRequest useUnsafeHeaderParsing="true"/>
- </settings>
- </system.net>
- <system.web>
- <httpRuntime maxRequestLength="19000"/>
- <webServices>
- <protocols>
- <add name="HttpGet"/>
- <add name="HttpPost"/>
- </protocols>
- </webServices>
- </system.web>
- <startup useLegacyV2RuntimeActivationPolicy="true">
- <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.0,Profile=Client"/>
- <supportedRuntime version="v2.0.50727"/>
- </startup>
- <runtime>
- <NetFx40_LegacySecurityPolicy enabled="true"/>
- </runtime>
- </configuration>
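Added example, not code from the paste or from the sample: a Python check that parses an app.config like the one above and reports the settings an analyst would want flagged when such a file turns up next to a dropped .NET binary (unsafe HTTP header parsing, legacy CAS policy, legacy CLR 2 activation, multiple supported runtimes, privilege-related appSettings keys, enabled web-service protocols). The sample input is the android.exe.config shown above re-typed inline; the indicator names and the keyword list for "privilege" keys are this example's own assumptions.

```python
import xml.etree.ElementTree as ET

# The android.exe.config shown above, re-typed here (without the paste's "- " prefixes)
# as the sample input for the check.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<configuration>
  <appSettings>
    <add key="UseElevatedPermissions" value="0" />
  </appSettings>
  <system.net>
    <settings>
      <httpWebRequest useUnsafeHeaderParsing="true"/>
    </settings>
  </system.net>
  <system.web>
    <httpRuntime maxRequestLength="19000"/>
    <webServices>
      <protocols>
        <add name="HttpGet"/>
        <add name="HttpPost"/>
      </protocols>
    </webServices>
  </system.web>
  <startup useLegacyV2RuntimeActivationPolicy="true">
    <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.0,Profile=Client"/>
    <supportedRuntime version="v2.0.50727"/>
  </startup>
  <runtime>
    <NetFx40_LegacySecurityPolicy enabled="true"/>
  </runtime>
</configuration>
"""

def _is_true(value):
    return (value or "").strip().lower() == "true"

def _child(elem, *tags):
    """Descend by exact child tag names. .NET config tags contain dots ("system.net"),
    so plain child iteration is used rather than ElementPath expressions."""
    for tag in tags:
        elem = next((c for c in elem if c.tag == tag), None)
        if elem is None:
            return None
    return elem

def triage_dotnet_config(xml_text):
    """Return (indicator, detail) pairs for settings worth a second look. The indicator
    names are this example's own labels (an assumption), not a published taxonomy."""
    root = ET.fromstring(xml_text)
    if root.tag != "configuration":
        raise ValueError("root element is not <configuration>")
    findings = []

    hwr = _child(root, "system.net", "settings", "httpWebRequest")
    if hwr is not None and _is_true(hwr.get("useUnsafeHeaderParsing")):
        # HttpWebRequest accepts responses that break the HTTP header rules, which keeps
        # the client talking to a sloppy or home-grown server.
        findings.append(("unsafe_header_parsing", "system.net/settings/httpWebRequest"))

    legacy = _child(root, "runtime", "NetFx40_LegacySecurityPolicy")
    if legacy is not None and _is_true(legacy.get("enabled")):
        # Re-enables CLR 2 Code Access Security policy behaviour under .NET 4.
        findings.append(("legacy_cas_policy", "runtime/NetFx40_LegacySecurityPolicy"))

    startup = _child(root, "startup")
    if startup is not None:
        if _is_true(startup.get("useLegacyV2RuntimeActivationPolicy")):
            # Lets CLR 2 mixed-mode assemblies (e.g. a native interop DLL) load into CLR 4.
            findings.append(("legacy_v2_activation", "startup@useLegacyV2RuntimeActivationPolicy"))
        versions = [r.get("version", "?") for r in startup if r.tag == "supportedRuntime"]
        if len(versions) > 1:
            findings.append(("multi_runtime", ", ".join(versions)))

    app = _child(root, "appSettings")
    for add in (app if app is not None else []):
        key = add.get("key", "")
        # Keyword list is an assumption; tune it to the keys you care about.
        if add.tag == "add" and any(w in key.lower() for w in ("elevat", "admin", "uac")):
            findings.append(("privilege_knob", f"{key}={add.get('value')}"))

    protocols = _child(root, "system.web", "webServices", "protocols")
    for add in (protocols if protocols is not None else []):
        if add.tag == "add":
            findings.append(("web_protocol_enabled", add.get("name", "?")))

    return findings

def indicator_names(findings):
    return sorted({name for name, _ in findings})
```

`triage_dotnet_config(SAMPLE_CONFIG)` returns all six indicators for the dropped config; an empty `<configuration/>` yields no findings, so the check is quiet on a default app.config.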
- ---
- #MalwareMustdie!