- // #MalwareMustDie! $ date
- // Thu Jul 4 00:38:40 JST 2013
- // The malware: Trojan:Win32/Matsnu infection botnet
- // With Domain Registration in CHINA
- // Detected the Botnet Ips (For cleaning up purpose)
- // Huge infection in Germany using spam email attachment files:
- Anwaltschaft Kostenrechnung 03.07.2013 Apodiscounter Online Store GmbH.com
- Inkasso Forderung 03.07.2013 Thalia Online GmbH AG.com
- Anwaltschaft Mahnung 03.07.2013 Computeruniverse GmbH Online.com
- Inkasso Kostenrechnung 03.07.2013 Cunda Shop Online GmbH.com
- Inkasso Rechnung 03.07.2013 Pearl Shop Online GmbH.com
- Rechtsanwalt Aufforderung 03.07.2013 Reifen Online Store GmbH.com
- Inkasso Mahnung 03.07.2013 Dress-for-less Online Store GmbH.com
- Anwaltschaft Aufforderung 03.07.2013 TomTom Shop GmbH.com
- Anwaltschaft Kostenrechnung 03.07.2013 Weltbild Online Store GmbH.com
- Inkasso Mahnung 03.07.2013 Heine GmbH Online.co_
- file-5693314_com
- Anwaltschaft Forderung 03.07.2013 Norton Online Store GmbH.com
- Inkasso Rechnung 03.07.2013 Tchibo Shop GmbH.com
- Anwaltschaft Forderung 03.07.2013 Reifen GmbH Online.com
- Inkasso Mahnung 03.07.2013 Mindfactory Online GmbH.com
- Anwaltschaft Aufforderung 03.07.2013 Apple Online Store GmbH.com_
- Inkasso Mahnung 03.07.2013 Deichmann Online Store GmbH.com
- Rechtsanwalt Mahnung 03.07.2013 Moebel-profi GmbH Online.com
- Rechtsanwalt Kostenrechnung 03.07.2013 Dell Shop GmbH.com
- Inkasso Rechnung 03.07.2013 Yves-rocher Shop Online GmbH.com
- Anwaltschaft Kostenrechnung 03.07.2013 Planet-sports Online GmbH.com
- Rechtsanwalt Kostenrechnung 03.07.2013 Notebooksbilliger Shop Online GmbH.com
- Anwaltschaft Forderung 03.07.2013 Alternate GmbH.com
- // Those are fresh Win32/Matsnu samples.
- Typical Win32/Matsnu, targeting German networks with German-language attachment filenames.
- Reversed it and found anti-VM checks; it tampers deeply with the registry, so regedit and similar commands cannot be launched.
- The pop-up message shown is a fake Adobe Reader alert.
- The malware uses %temp% with a random name (10 lowercase letters).pre
- Drops and runs Documents and Settings\Administrator\Cmclmohvdpk\<random name (10 lowercase letters)>.exe
- Code injection into svchost.exe is visible once the malicious sample daemonizes.
- Autostart detected at HKLM\Software\..\CurrentVersion\Winlogon
- //VT:
- https://www.virustotal.com/en/file/cea961f5a077e5cd24182bdb71451b61e96da75b55783e29e238d2c7a268fffc/analysis/
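The host artifacts listed above (a ten-lowercase-letter .pre in %temp%, a ten-lowercase-letter .exe in a directory under the user profile, and a Winlogon autostart) can be turned into a small triage check. The block below is an added example, not part of the MalwareMustDie report; the registry dump it scans is constructed for illustration, the full Winlogon key path is the standard one the report abbreviates, and treating the drop directory name (Cmclmohvdpk in the report) as random is an assumption made here.

```python
import re

# File-name shapes from the report: ten lowercase letters plus .pre / .exe.
PRE_NAME = re.compile(r"[a-z]{10}\.pre")
EXE_NAME = re.compile(r"[a-z]{10}\.exe")

# Full path of the key the report abbreviates as HKLM\Software\..\CurrentVersion\Winlogon.
WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"


def classify_path(path):
    """Return 'matsnu_pre', 'matsnu_exe' or None for one Windows file path.

    Rules taken from the report:
      %temp%\<10 lowercase letters>.pre
      Documents and Settings\<user>\<dir>\<10 lowercase letters>.exe
    Assumption: the drop directory (Cmclmohvdpk in the report) is random too, so any
    single alphabetic directory name directly under the profile is accepted.
    """
    parts = [p for p in path.replace("/", "\\").split("\\") if p]
    if len(parts) < 2:
        return None
    name, parent = parts[-1], parts[-2]
    if parent.lower() in ("temp", "%temp%") and PRE_NAME.fullmatch(name):
        return "matsnu_pre"
    if (len(parts) >= 4 and parts[-4].lower() == "documents and settings"
            and parent.isalpha() and EXE_NAME.fullmatch(name)):
        return "matsnu_exe"
    return None


def scan_winlogon(reg_export):
    """Scan a 'reg export' style dump and return (value_name, path) pairs under the
    Winlogon key whose data references a file classify_path() flags.
    Values are comma-separated command lists (e.g. Userinit), so each element is checked."""
    hits = []
    in_key = False
    for raw in reg_export.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_key = line.strip("[]").lower() == WINLOGON_KEY.lower()
            continue
        if not in_key or not line.startswith('"'):
            continue
        name, _, data = line.partition("=")
        name = name.strip('"')
        data = data.strip().strip('"').replace("\\\\", "\\")  # reg export doubles backslashes
        for candidate in data.split(","):
            candidate = candidate.strip()
            if classify_path(candidate):
                hits.append((name, candidate))
    return hits


# Constructed registry export for illustration; the random names are made up.
SAMPLE_REG_EXPORT = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\Documents and Settings\\Administrator\\Cmclmohvdpk\\kdjfhslwpq.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Updater"="C:\\Program Files\\Vendor\\updater.exe"
"""

if __name__ == "__main__":
    for value, path in scan_winlogon(SAMPLE_REG_EXPORT):
        print("Winlogon autostart ->", value, path, classify_path(path))
```

Feed `classify_path()` a directory listing of the user profile and `scan_winlogon()` the output of `reg export` on the Winlogon key; because the file names are random, a pattern match is the only portable host indicator here, and the hits should then be confirmed against the VirusTotal hash above.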
- ====================
- POINT OF BOTNETS
- ====================
- // Leads to the below malicious proxy domains:
- privat-tor-service.com
- tor-connect-secure.com
- nvufvwieg.com
- bnamecorni.com
- vip-proxy-to-tor.com
- // Which are "currently" under these IP addresses:
- -------------------------------------------------------------------------------------------------
- IP | ASN | Prefix |ASName | CN | Domain |ISP of an IP Address
- -------------------------------------------------------------------------------------------------
- 5.135.198.41 | 16276 | 5.135.0.0/16 | OVH | FR | OVH.COM | OVH SYSTEMS
- 91.121.229.230 | 16276 | 91.121.0.0/16 | OVH | FR | OVH.COM | OVH SYSTEMS
- 162.210.175.114 | 46841 | 162.210.172.0/22 | FORKNETWORKING | US | - | FORK-NETWORKING LLC
- -------------------------------------------------------------------------------------------------
- // All of these domains use a Chinese registrar:
- Registrar: BEIJING INNOVATIVE LINKAGE TECHNOLOGY LTD. DBA DNS.COM.CN
- // With the below DNS:
- Name Server.......... ns2.usergateproxy.net
- Name Server.......... ns1.usergateproxy.net
- // These are receiving botnet requests from infected PCs:
- * take one..
- h00p://privat-tor-service.com/forums.php?ltype=ld&ccr=1&id=E8933835454D4F480000&stat=0&ver=100613&loc=0x0409&os=Windows%20XP
- h00p://tor-connect-secure.com/forums.php?ltype=ld&ccr=1&id=E8933835454D4F480000&stat=0&ver=100613&loc=0x0409&os=Windows%20XP
- h00p://nvufvwieg.com/forums.php?ltype=ld&ccr=1&id=E8933835454D4F480000&stat=0&ver=100613&loc=0x0409&os=Windows%20XP
- :
- * take two..
- h00p://privat-tor-service.com/forums.php?id=34303541444341304238&stat=9&ver=01.024
- h00p://tor-connect-secure.com/forums.php?id=34303541444341304238&stat=9&ver=01.024
- :
- // These requests target the below landing pages:
- - h00p://privat-tor-service.com/forums.php
- - h00p://tor-connect-secure.com/forums.php
- - h00p://nvufvwieg.com/forums.php
- - h00p://bnamecorni.com/file.php
- - h00p://bnamecorni.com/forums.php
- - h00p://vip-proxy-to-tor.com/forums.php
- // currently with the below replies:
- 84 1B 17 98 (4 bytes)
- // PoC:
- http://urlquery.net/report.php?id=3506956
- http://urlquery.net/report.php?id=3508147
- https://www.virustotal.com/en/url/a8af6fef1ac31f3fc165b53c7448e87ac138fd81b6ff9bd1fd6fe4a712b6e17c/analysis/
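The check-in URLs above share one shape: a known C2 host, a /forums.php or /file.php path, and a 20-character hex `id` with a `stat` counter (the first form also reports `ver`, `loc` and `os`). The block below is an added example, not code from the MalwareMustDie report: it parses that beacon and runs the check over a constructed proxy log. The domain, IP and path lists are copied from the report; the log format (timestamp, client, method, URL, status) and the client addresses are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Network IOCs copied from the report above.
MATSNU_C2_DOMAINS = {
    "privat-tor-service.com", "tor-connect-secure.com", "nvufvwieg.com",
    "bnamecorni.com", "vip-proxy-to-tor.com",
}
MATSNU_C2_IPS = {"5.135.198.41", "91.121.229.230", "162.210.175.114"}
MATSNU_C2_PATHS = {"/forums.php", "/file.php"}
# Both check-in forms in the report carry a 20-character upper-case hex id.
BOT_ID_RE = re.compile(r"[0-9A-F]{20}")


def parse_beacon(url):
    """Return a dict describing a Matsnu check-in, or None if the URL does not match.

    Match criteria (from the report): host is a listed C2 domain or IP, the path is
    /forums.php or /file.php, and the query carries both 'id' and 'stat'.
    """
    url = url.replace("h00p://", "http://", 1)  # the report defangs URLs as h00p://
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host not in MATSNU_C2_DOMAINS and host not in MATSNU_C2_IPS:
        return None
    if parts.path not in MATSNU_C2_PATHS:
        return None
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    if "id" not in q or "stat" not in q:
        return None
    return {
        "host": host,
        "path": parts.path,
        "bot_id": q["id"],
        "bot_id_wellformed": BOT_ID_RE.fullmatch(q["id"]) is not None,
        "stat": q["stat"],
        "ver": q.get("ver"),
        "loc": q.get("loc"),  # present in the first check-in form only
        "os": q.get("os"),    # parse_qs decodes Windows%20XP to "Windows XP"
    }


# Constructed proxy log for illustration (timestamp client method url status).
# The two beacon URLs are the ones quoted in the report; the rest is made up.
SAMPLE_PROXY_LOG = """\
2013-07-04T00:38:40 10.0.0.15 GET http://www.example.org/index.html 200
2013-07-04T00:38:41 10.0.0.15 GET http://privat-tor-service.com/forums.php?ltype=ld&ccr=1&id=E8933835454D4F480000&stat=0&ver=100613&loc=0x0409&os=Windows%20XP 200
2013-07-04T00:39:02 10.0.0.23 GET http://example.com/forums.php?id=123&stat=0 200
2013-07-04T00:40:10 10.0.0.15 GET http://tor-connect-secure.com/forums.php?id=34303541444341304238&stat=9&ver=01.024 200
"""


def scan_proxy_log(text):
    """Return [(client_ip, beacon)] for every log line that is a Matsnu check-in."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        beacon = parse_beacon(fields[3])
        if beacon is not None:
            hits.append((fields[1], beacon))
    return hits


if __name__ == "__main__":
    for client, beacon in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(client, beacon["host"], "id=" + beacon["bot_id"], "stat=" + beacon["stat"], beacon["os"])
```

Matching on the host list alone would miss the next domain the operators register on the same name servers; keying the rule on path plus the `id`/`stat` pair as well is what lets it survive a domain change, and the `client_ip` column is the list of machines to clean.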
- // Verdict
- All of the evidence (sent URLs, replies and recorded reports) shows malicious activity.
- The infection is active; cleaning up these IPs is of the highest priority.
- ADDITIONALS: DNS, pDNS, WHOIS information:
- // current DNS report of these three domains:
- privat-tor-service.com internet address = 5.135.198.41
- privat-tor-service.com internet address = 91.121.229.230
- privat-tor-service.com internet address = 162.210.175.114
- privat-tor-service.com
- primary name server = ns1.usergateproxy.net
- responsible mail addr = (root)
- serial = 1372864802
- refresh = 60 (1 min)
- retry = 120 (2 mins)
- expire = 1048576 (12 days 3 hours 16 mins 16 secs)
- default TTL = 300 (5 mins)
- privat-tor-service.com nameserver = ns1.usergateproxy.net
- privat-tor-service.com nameserver = ns2.usergateproxy.net
- ns1.usergateproxy.net internet address = 91.215.156.62
- ns2.usergateproxy.net internet address = 12.179.132.98
- tor-connect-secure.com internet address = 91.121.229.230
- tor-connect-secure.com internet address = 5.135.198.41
- tor-connect-secure.com internet address = 162.210.175.114
- tor-connect-secure.com
- primary name server = ns1.usergateproxy.net
- responsible mail addr = (root)
- serial = 1372865402
- refresh = 60 (1 min)
- retry = 120 (2 mins)
- expire = 1048576 (12 days 3 hours 16 mins 16 secs)
- default TTL = 300 (5 mins)
- tor-connect-secure.com nameserver = ns1.usergateproxy.net
- tor-connect-secure.com nameserver = ns2.usergateproxy.net
- ns1.usergateproxy.net internet address = 91.215.156.62
- ns2.usergateproxy.net internet address = 12.179.132.98
- nvufvwieg.com internet address = 91.121.229.230
- nvufvwieg.com internet address = 5.135.198.41
- nvufvwieg.com internet address = 162.210.175.114
- nvufvwieg.com
- primary name server = ns1.usergateproxy.net
- responsible mail addr = (root)
- serial = 1372865402
- refresh = 60 (1 min)
- retry = 120 (2 mins)
- expire = 1048576 (12 days 3 hours 16 mins 16 secs)
- default TTL = 300 (5 mins)
- nvufvwieg.com nameserver = ns1.usergateproxy.net
- nvufvwieg.com nameserver = ns2.usergateproxy.net
- ns1.usergateproxy.net internet address = 91.215.156.62
- ns2.usergateproxy.net internet address = 12.179.132.98
- // passive DNS reports:
- privat-tor-service.com A 14.63.198.119
- privat-tor-service.com A 62.152.59.248
- privat-tor-service.com A 67.202.109.141
- privat-tor-service.com A 88.150.221.56
- privat-tor-service.com A 91.121.229.230
- privat-tor-service.com A 109.95.23.4
- privat-tor-service.com A 162.210.175.114
- privat-tor-service.com A 184.22.36.4
- privat-tor-service.com A 202.147.169.211
- privat-tor-service.com A 206.72.193.180
- privat-tor-service.com NS ns1.usergateproxy.net
- privat-tor-service.com NS ns2.usergateproxy.net
- tor-connect-secure.com A 14.63.198.119
- tor-connect-secure.com A 62.152.59.248
- tor-connect-secure.com A 67.202.109.141
- tor-connect-secure.com A 88.150.221.56
- tor-connect-secure.com A 91.121.229.230
- tor-connect-secure.com A 109.95.23.4
- tor-connect-secure.com A 162.210.175.114
- tor-connect-secure.com A 184.22.36.4
- tor-connect-secure.com A 202.147.169.211
- tor-connect-secure.com A 206.72.193.180
- tor-connect-secure.com NS ns1.usergateproxy.net
- tor-connect-secure.com NS ns2.usergateproxy.net
- nvufvwieg.com A 14.63.198.119
- nvufvwieg.com A 62.152.59.248
- nvufvwieg.com A 67.202.109.141
- nvufvwieg.com A 88.150.221.56
- nvufvwieg.com A 91.121.229.230
- nvufvwieg.com A 109.95.23.4
- nvufvwieg.com A 162.210.175.114
- nvufvwieg.com A 184.22.36.4
- nvufvwieg.com A 202.147.169.211
- nvufvwieg.com A 206.72.193.180
- nvufvwieg.com NS ns1.usergateproxy.net
- nvufvwieg.com NS ns2.usergateproxy.net
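The passive DNS data above is the pivot material for this takedown: the three domains have moved through the same ten addresses, and the current resolution adds one address that pDNS has not recorded yet. The block below is an added example, not part of the MalwareMustDie report: it parses the A records in the report's "domain TYPE value" form, clusters domains that share hosting, and separates historical from current addresses. The records are copied from the report; the `benign-control.test` entries on TEST-NET addresses are constructed so that the clustering has something to keep apart.

```python
from collections import defaultdict
from itertools import combinations

# A records copied from the report's passive DNS section, plus two constructed
# control records (benign-control.test) that must land in their own cluster.
PDNS_RECORDS = """\
privat-tor-service.com A 14.63.198.119
privat-tor-service.com A 62.152.59.248
privat-tor-service.com A 67.202.109.141
privat-tor-service.com A 88.150.221.56
privat-tor-service.com A 91.121.229.230
privat-tor-service.com A 109.95.23.4
privat-tor-service.com A 162.210.175.114
privat-tor-service.com A 184.22.36.4
privat-tor-service.com A 202.147.169.211
privat-tor-service.com A 206.72.193.180
tor-connect-secure.com A 14.63.198.119
tor-connect-secure.com A 62.152.59.248
tor-connect-secure.com A 67.202.109.141
tor-connect-secure.com A 88.150.221.56
tor-connect-secure.com A 91.121.229.230
tor-connect-secure.com A 109.95.23.4
tor-connect-secure.com A 162.210.175.114
tor-connect-secure.com A 184.22.36.4
tor-connect-secure.com A 202.147.169.211
tor-connect-secure.com A 206.72.193.180
nvufvwieg.com A 14.63.198.119
nvufvwieg.com A 62.152.59.248
nvufvwieg.com A 67.202.109.141
nvufvwieg.com A 88.150.221.56
nvufvwieg.com A 91.121.229.230
nvufvwieg.com A 109.95.23.4
nvufvwieg.com A 162.210.175.114
nvufvwieg.com A 184.22.36.4
nvufvwieg.com A 202.147.169.211
nvufvwieg.com A 206.72.193.180
benign-control.test A 192.0.2.10
benign-control.test A 192.0.2.11
"""

# Current resolution from the report's DNS section (same three IPs for each domain).
_CURRENT_IPS = {"5.135.198.41", "91.121.229.230", "162.210.175.114"}
CURRENT_A = {
    "privat-tor-service.com": set(_CURRENT_IPS),
    "tor-connect-secure.com": set(_CURRENT_IPS),
    "nvufvwieg.com": set(_CURRENT_IPS),
}


def parse_pdns(text):
    """Map domain -> set of IPs from 'domain TYPE value' lines; only A records are kept."""
    a_records = defaultdict(set)
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 3 and fields[1] == "A":
            a_records[fields[0]].add(fields[2])
    return dict(a_records)


def cluster_by_shared_ips(a_records, min_shared=2):
    """Connected components over domains: two domains are linked when their A-record
    histories share at least min_shared IPs. Returns clusters largest first."""
    parent = {d: d for d in a_records}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for d1, d2 in combinations(a_records, 2):
        if len(a_records[d1] & a_records[d2]) >= min_shared:
            parent[find(d1)] = find(d2)
    groups = defaultdict(set)
    for d in a_records:
        groups[find(d)].add(d)
    return sorted(groups.values(), key=lambda g: (-len(g), sorted(g)))


def ip_history(pdns, current):
    """Split the addresses behind the domains in `current` into historical-only
    (seen in pDNS, not resolving now), current-only (not yet in pDNS) and both."""
    hist = set().union(*(pdns.get(d, set()) for d in current))
    now = set().union(*current.values())
    return {"historical_only": hist - now, "current_only": now - hist, "both": hist & now}


if __name__ == "__main__":
    pdns = parse_pdns(PDNS_RECORDS)
    print(cluster_by_shared_ips(pdns))
    print(ip_history(pdns, CURRENT_A))
```

The historical-only set is the list of hosters to notify for past abuse; the current-only address (5.135.198.41 here) is the one a pDNS-based blocklist would still miss, which is why the current resolution and the pDNS export are both needed.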
- // WHOIS...China bad actors...
- Domain Name: PRIVAT-TOR-SERVICE.COM
- Registrar: BEIJING INNOVATIVE LINKAGE TECHNOLOGY LTD. DBA DNS.COM.CN
- Whois Server: whois.dns.com.cn
- Referral URL: http://www.dns.com.cn
- Name Server: NS1.USERGATEPROXY.NET
- Name Server: NS2.USERGATEPROXY.NET
- Status: clientTransferProhibited
- Updated Date: 06-jun-2013
- Creation Date: 19-apr-2013
- Expiration Date: 19-apr-2014
- Domain Name.......... privat-tor-service.com
- Creation Date........ 2013-04-19 21:52:58
- Registration Date.... 2013-04-19 21:52:58
- Expiry Date.......... 2014-04-19 21:52:58
- Organisation Name.... liu wenge
- Organisation Address. jiefanglu344hao
- Organisation Address.
- Organisation Address. wuhan
- Organisation Address. 424000
- Organisation Address. HB
- Organisation Address. CN
- Domain Name: TOR-CONNECT-SECURE.COM
- Registrar: BEIJING INNOVATIVE LINKAGE TECHNOLOGY LTD. DBA DNS.COM.CN
- Whois Server: whois.dns.com.cn
- Referral URL: http://www.dns.com.cn
- Name Server: NS1.USERGATEPROXY.NET
- Name Server: NS2.USERGATEPROXY.NET
- Status: clientTransferProhibited
- Updated Date: 19-apr-2013
- Creation Date: 19-apr-2013
- Expiration Date: 19-apr-2014
- Domain Name.......... tor-connect-secure.com
- Creation Date........ 2013-04-19 21:52:39
- Registration Date.... 2013-04-19 21:52:39
- Expiry Date.......... 2014-04-19 21:52:39
- Organisation Name.... liu wenge
- Organisation Address. jiefanglu344hao
- Organisation Address.
- Organisation Address. wuhan
- Organisation Address. 424000
- Organisation Address. HB
- Organisation Address. CN
- Domain Name: NVUFVWIEG.COM
- Registrar: BEIJING INNOVATIVE LINKAGE TECHNOLOGY LTD. DBA DNS.COM.CN
- Whois Server: whois.dns.com.cn
- Referral URL: http://www.dns.com.cn
- Name Server: NS1.USERGATEPROXY.NET
- Name Server: NS2.USERGATEPROXY.NET
- Status: clientTransferProhibited
- Updated Date: 17-mar-2013
- Creation Date: 06-feb-2013
- Expiration Date: 06-feb-2014
- Domain Name.......... nvufvwieg.com
- Creation Date........ 2013-02-07 00:01:49
- Registration Date.... 2013-02-07 00:01:49
- Expiry Date.......... 2014-02-07 00:01:49
- Organisation Name.... liu wenge
- Organisation Address. jiefanglu344hao
- Organisation Address.
- Organisation Address. wuhan
- Organisation Address. 424000
- Organisation Address. HB
- Organisation Address. CN
- ----
- #MalwareMustDie!
- @unixfreaxjp /malware]$ date
- Thu Jul 4 01:01:18 JST 2013