JohnGalt14

Unit 78020 Malware Samples

Sep 24th, 2015
# PLA Unit 78020 Malware
# Report
http://threatconnect.com/camerashy/?utm_campaign=CameraShy

# New Samples
34f3dcf6c1794451fe92afa917deb6e34480c261fde7339212a80e01e66d8425
4082a02ffbbebacb00fc46cbbc6755742bb5e286df3722e0119a2bd3969aedf7
5e399ac5fa11df3d7ab9e027763bc9fc5b0aa28e3d74e16f211d58b115f68687
6934af252166b9e1849ae996cb7f950ad1bb4d8fc210e4171faaa24028d30167
6ef334516aca217d83ca54339f8461074a0d1c14a908dd20c705c1a1f01f34be
90c06480945f3b2c151f19a57cf8b46375708c1dcbb69e68c64e52289384b7f7
99f559f6a041c49e3d7821346b475186ca16fbeba611074b513754336da396f5
9f635a260670dc44176d5946114afdb7b6c4a2b97baa038e6211b02d88657d25
aad36ae7676bb3c905e95f87b6fec001cf0eb873104bb86f3e2da06f53dd3a34
b1ef50dd82ad84b4e2e13eeb1021483ffda5886340d8150e9d59cfb5a0d4a148
b32c45f1bce381b64e665402394f1a3ce7053e0b19972feea0212649aef3bfa7
c373f446f2d3818d3a52fd20a689ccd368f715dd5e4c3feb94e14c274b1b179f
e14e4194d058d43461679962be41ae4b47c20e4b88f0dede03a38c4cd7490376
f2d49274c5135e440a6afe7b2328df77208b8bfe421658cd7c424eb670604b9b
fde791aab5256b854bcec6b7d592fa4a12d2e123959d4e7cfd0074d7b92a8a0b

# Detection with Yara Rules
# (not all results shown)
# https://github.com/Neo23x0/Loki/blob/master/signatures/apt_unit78020_malware.yar

Unit78020_Malware_Gen1 ./4082a02ffbbebacb00fc46cbbc6755742bb5e286df3722e0119a2bd3969aedf7
0x11ecc:$x2: POST http://%s:%d/aspxabcdefg.asp?%s HTTP/1.1
0x12030:$x3: GET http://%s:%d/aspxabcdef.asp?%s HTTP/1.1
0x11a7c:$s16: DRIVE_RAMDISK
0x11a98:$s16: DRIVE_RAMDISK
0x11ab4:$s16: DRIVE_RAMDISK

VT Detection Rate
40 / 57

Unit78020_Malware_Gen1 ./34f3dcf6c1794451fe92afa917deb6e34480c261fde7339212a80e01e66d8425
0x19b5a:$a1: dMozilla/4.0 (compatible; MSIE 6.0;Windows NT 5.0; .NET CLR 1.1.4322)
0x1995c:$a3: Accept-Language:En-us/r/n
0x1999c:$s1: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)
0x198b0:$s4: Content-Type:application/x-www-form-urlencoded/r/n
0x1c690:$s5: Hello World!
0x19918:$s6: Accept-Encoding:gzip,deflate/r/n
0x19b54:$s7: /%d%s%d

VT Detection Rate
44 / 57

Unit78020_Malware_Gen1 ./5e399ac5fa11df3d7ab9e027763bc9fc5b0aa28e3d74e16f211d58b115f68687
0x115fe:$a1: dMozilla/4.0 (compatible; MSIE 6.0;Windows NT 5.0; .NET CLR 1.1.4322)
0x115bc:$a3: Accept-Language:En-us/r/n
0x11b34:$a4: \Office Start.lnk
0x116a0:$s1: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)
0x118a8:$s3: %USERPROFILE%\Application Data\Mozilla\Firefox\Profiles
0x11510:$s4: Content-Type:application/x-www-form-urlencoded/r/n
0x16b38:$s5: Hello World!
0x11578:$s6: Accept-Encoding:gzip,deflate/r/n
0x115f8:$s7: /%d%s%d
0x16a82:$s9: WininetMM Version 1.0
0x16b56:$s10: WININETMM

VT Detection Rate
36 / 56

Unit78020_Malware_Gen1 ./6ef334516aca217d83ca54339f8461074a0d1c14a908dd20c705c1a1f01f34be
0x9c2c:$x2: POST http://%s:%d/aspxabcdefg.asp?%s HTTP/1.1
0x9d90:$x3: GET http://%s:%d/aspxabcdef.asp?%s HTTP/1.1
0x97f8:$s16: DRIVE_RAMDISK
0x9814:$s16: DRIVE_RAMDISK
0x9830:$s16: DRIVE_RAMDISK

VT Detection Rate
50 / 57

Unit78020_Malware_Gen1 ./b1ef50dd82ad84b4e2e13eeb1021483ffda5886340d8150e9d59cfb5a0d4a148
0x11c06:$a1: dMozilla/4.0 (compatible; MSIE 6.0;Windows NT 5.0; .NET CLR 1.1.4322)
0x11bc4:$a3: Accept-Language:En-us/r/n
0x120cc:$a4: \Office Start.lnk
0x11ca8:$s1: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)
0x11e68:$s3: %USERPROFILE%\Application Data\Mozilla\Firefox\Profiles
0x11b18:$s4: Content-Type:application/x-www-form-urlencoded/r/n
0x17138:$s5: Hello World!
0x11b80:$s6: Accept-Encoding:gzip,deflate/r/n
0x11c00:$s7: /%d%s%d
0x17082:$s9: WininetMM Version 1.0
0x17156:$s10: WININETMM

VT Detection Rate
37 / 56

Unit78020_Malware_Gen1 ./fde791aab5256b854bcec6b7d592fa4a12d2e123959d4e7cfd0074d7b92a8a0b
0x11c16:$a1: dMozilla/4.0 (compatible; MSIE 6.0;Windows NT 5.0; .NET CLR 1.1.4322)
0x11bd4:$a3: Accept-Language:En-us/r/n
0x12184:$a4: \Office Start.lnk
0x11cb8:$s1: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)
0x11ea0:$s3: %USERPROFILE%\Application Data\Mozilla\Firefox\Profiles
0x11b28:$s4: Content-Type:application/x-www-form-urlencoded/r/n
0x17138:$s5: Hello World!
0x11b90:$s6: Accept-Encoding:gzip,deflate/r/n
0x11c10:$s7: /%d%s%d
0x12094:$s8: %02d-%02d-%02d %02d:%02d
0x17082:$s9: WininetMM Version 1.0
0x17156:$s10: WININETMM

VT Detection Rate
39 / 55