MalwareMustDie

BHEK "closest" ver. Multiple payloads - 20130207 #2(Germany)

Feb 7th, 2013
=========================================================
#MalwareMustDie! BLOCK THESE URLs AND 178.63.214.21 ASAP!!
@unixfreaxjp Thu Feb 7 04:37:01 2013
Blackhole "/closest/" version
Multiple landing pages, multiple payloads per landing page

At IP: 178.63.214.21 (Dynamic Addr)
---------------------------------------------------------------------------------
ASN | Prefix | ASName | CN | Domain | ISP of an IP Address
---------------------------------------------------------------------------------
24940 | 178.63.0.0/16 | HETZNER | DE | YOUR-SERVER.DE | JUST HOSTING

MO: the infector domain keeps changing, i.e.:
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
44edkjhgc.mymom.info
4wjgiwgjw.mymom.info
4drguvub.mywww.biz
5uwdfhwui.mywww.biz
4tyuijhbnm.mywww.biz
5jijefijdjw.mywww.biz
===========================================================

1. http://178.63.214.21/closest/black_dragon.php
2. http://178.63.214.21/closest/984y3fh8u3hfu3jcihei.php
3. http://178.63.214.21/closest/98yf8913fjipgjialhg8239jgighnjh4i6k5o.php
4. http://178.63.214.21/closest/209tuj2dsljdglsgjwrigslgkjskga.php
5. http://178.63.214.21/closest/98y7y432ufh49gj23sldkkqowpsskfnv.php
6. http://178.63.214.21/closest/209tuj2dsljdglsgjwrigslgkjskga.php

landing page 1: http://178.63.214.21/closest/black_dragon.php --> Cridex (VirusTotal detection 27/45)

jar1: https://www.virustotal.com/file/32023c224aa49ad4187f610e09cb65a1c99bc11ea11c944a39cf4ff2f1f4b5e8/analysis/1360240607/
jar2: https://www.virustotal.com/file/e22a7a11dfb2ac17de9f590f9a5f5f1f17afea5a46d9d61cef689bdd131df800/analysis/1360240617/
pdf1: https://www.virustotal.com/file/bf74ba6d5bf1ea4a16d6a11a2819667ede24baacfe7c04525a8f1baa643c911c/analysis/1360240743/
pdf2: https://www.virustotal.com/file/6357a00c86c9b36f15766e31c4c4f5cbb7385167fbfb766dd1188cb758c6c9c0/analysis/1360240751/
Payload: https://www.virustotal.com/file/7876ab47a6ef51ef87545a2634528cf0d887d62f97675c97d74175714fc975ae/analysis/1360238712/

landing page 2: http://178.63.214.21/closest/984y3fh8u3hfu3jcihei.php --> Trojan Dropper DLL (run with rundll32.exe)

pdf1: https://www.virustotal.com/file/f7c54a821afec66e89d598e767d93b86a09f2332f8245babbfdc0c7d2cef4a8d/analysis/1360243427/
pdf2: https://www.virustotal.com/file/5516d2525c0c5bf45625d1309d97a77df547a48d3517b5502e93c96c19158c80/analysis/1360243440/
jar1: https://www.virustotal.com/file/32023c224aa49ad4187f610e09cb65a1c99bc11ea11c944a39cf4ff2f1f4b5e8/analysis/
jar2: https://www.virustotal.com/file/e22a7a11dfb2ac17de9f590f9a5f5f1f17afea5a46d9d61cef689bdd131df800/analysis/
Payload: https://www.virustotal.com/file/38a4e42d8a1de1c666d3672173862eab246193e7ab800a58883a23a49bd5ef31/analysis/


The landing pages below were also loaded and weaponized:
^^^^^^^^^^^^^^^^^^^
http://178.63.214.21/closest/98yf8913fjipgjialhg8239jgighnjh4i6k5o.php
http://178.63.214.21/closest/209tuj2dsljdglsgjwrigslgkjskga.php
http://178.63.214.21/closest/98y7y432ufh49gj23sldkkqowpsskfnv.php
http://178.63.214.21/closest/209tuj2dsljdglsgjwrigslgkjskga.php

----
#MalwareMustDie!! @unixfreaxjp
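The indicators in this paste (the hosting IP, the "/closest/" path, the rotating throwaway subdomains under mymom.info and mywww.biz, and the SHA-256 hashes carried in the VirusTotal links) are enough to build a blocklist check. The script below is an added example, not part of the original paste or of MalwareMustDie's own tooling: it pulls the sample hashes out of the VirusTotal links, classifies URLs against the IP, path and parent-domain indicators, and runs that over a few constructed Squid native-format proxy log lines. The log lines, their field layout and the IP addresses in them are assumptions for illustration, and matching any subdomain of the two parent zones generalises from the six hosts listed above rather than being stated in the paste.

```python
import re
from urllib.parse import urlsplit

# Indicators copied from the paste above.
BLOCK_IP = "178.63.214.21"
PATH_PREFIX = "/closest/"
# The six listed infector hosts are throwaway subdomains under these two zones,
# so the match below generalises to any subdomain of them (an assumption; see the note).
PARENT_DOMAINS = ("mymom.info", "mywww.biz")

# VirusTotal file links carry the sample's SHA-256 as the 64-hex path segment.
VT_HASH_RE = re.compile(r"virustotal\.com/file/([0-9a-f]{64})/")

# Four of the VirusTotal links from the paste (jar1 appears twice there, once with
# and once without an analysis timestamp), used to show de-duplication.
VT_LINKS = """\
https://www.virustotal.com/file/32023c224aa49ad4187f610e09cb65a1c99bc11ea11c944a39cf4ff2f1f4b5e8/analysis/1360240607/
https://www.virustotal.com/file/7876ab47a6ef51ef87545a2634528cf0d887d62f97675c97d74175714fc975ae/analysis/1360238712/
https://www.virustotal.com/file/32023c224aa49ad4187f610e09cb65a1c99bc11ea11c944a39cf4ff2f1f4b5e8/analysis/
https://www.virustotal.com/file/38a4e42d8a1de1c666d3672173862eab246193e7ab800a58883a23a49bd5ef31/analysis/
"""

# Constructed Squid access.log lines (native format) for illustration only; not real traffic.
# Fields: timestamp elapsed client action/code size method URL ident hierarchy/peer type
SAMPLE_SQUID_LOG = """\
1360240600.101    312 10.1.2.3 TCP_MISS/200 8412 GET http://44edkjhgc.mymom.info/ - DIRECT/198.51.100.7 text/html
1360240600.455    201 10.1.2.3 TCP_MISS/200 2044 GET http://178.63.214.21/closest/black_dragon.php - DIRECT/178.63.214.21 text/html
1360240601.002    150 10.1.2.4 TCP_MISS/200 5120 GET http://www.example.com/index.html - DIRECT/93.184.216.34 text/html
1360240601.310    180 10.1.2.5 TCP_MISS/200 3033 GET http://5uwdfhwui.mywww.biz/in.php - DIRECT/198.51.100.7 text/html
1360240601.880    140 10.1.2.6 TCP_MISS/200 9120 GET http://cdn.example.net/f.php - DIRECT/178.63.214.21 application/x-java-archive
"""


def extract_hashes(text):
    """Return the unique SHA-256 hashes referenced by VirusTotal file links in text."""
    return sorted(set(VT_HASH_RE.findall(text)))


def classify_url(url):
    """Return a reason string if the URL matches a paste indicator, else None."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").rstrip(".")  # urlsplit lower-cases hostname
    if host == BLOCK_IP:
        # Anything under /closest/ on the IP is a landing page; the rest of the host
        # is still worth blocking since the paste asks for the whole IP to be blocked.
        return "bhek-landing-page" if parts.path.startswith(PATH_PREFIX) else "bhek-host"
    if any(host == d or host.endswith("." + d) for d in PARENT_DOMAINS):
        return "bhek-infector-domain"
    return None


def scan_squid_log(log_text):
    """Return (client, url, reason) for each native-format Squid line matching an indicator."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 9:
            continue  # not a complete native-format line
        client, url, hierarchy = fields[2], fields[6], fields[8]
        reason = classify_url(url)
        # A host not in the list but served straight from the blocked IP is still a hit;
        # this is what catches the next rotated infector domain before it is listed.
        if reason is None and hierarchy.rpartition("/")[2] == BLOCK_IP:
            reason = "fetched-from-bhek-ip"
        if reason is not None:
            hits.append((client, url, reason))
    return hits


if __name__ == "__main__":
    print("sample hashes for retro-hunting:")
    for h in extract_hashes(VT_LINKS):
        print("  " + h)
    print("proxy log hits:")
    for client, url, reason in scan_squid_log(SAMPLE_SQUID_LOG):
        print(f"  {client} {reason} {url}")
```

The IP and the "/closest/" path are the stable part of this kit instance, so the IP match (on both the request URL and the upstream peer field) is the rule to block on; the infector subdomains rotate, so they are useful for hunting but will go stale. Matching the whole mymom.info and mywww.biz zones is a judgement call, not something the paste states: such zones may be shared with unrelated hosts, so treat that rule as an alert until you have confirmed the zones are attacker-controlled. The extracted hashes are the exploit files and payloads themselves, for searching download caches and endpoint file inventories.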