2019-02-09 - Fake Updates campaign pushes Chthonic

malware_traffic - Feb 8th, 2019 (edited)
2019-02-08 - FAKE UPDATES CAMPAIGN PUSHES CHTHONIC BANKING TROJAN

- I was able to consistently generate a fake Chrome update page by viewing premieragentnetwork[.]com.
- See indicators below.

2019-02-08 AT APPROXIMATELY 22:04 UTC:

- 75.98.175[.]121 port 443 - premieragentnetwork[.]com - GET /
- Something from the above site led directly or indirectly to the below traffic:
- 45.124.190[.]186 port 443 - click.clickanalytics208[.]com - GET /s_code.js?[long string with details of victim's host]
- 93.95.100[.]178 port 443 - pond.codingbit[.]com - unknown, but similar to other traffic from 93.95.100[.]178 listed below.

2019-02-08 AT APPROXIMATELY 23:11 UTC:

- 75.98.175[.]121 port 443 - premieragentnetwork[.]com - GET /
- Something from the above site led directly or indirectly to the below traffic:
- 45.124.190[.]186 port 443 - click.clickanalytics208[.]com - GET /s_code.js?[long string with details of victim's host]
- 93.95.100[.]178 port 443 - milk.alchemydesigns.co[.]in/article/index.php?h=240&x=365260&e=3f28235c536e1a7538fcbfdb5b6185d8
- 93.95.100[.]178 port 443 - milk.alchemydesigns.co[.]in/chromefiles/css.css
- 93.95.100[.]178 port 443 - milk.alchemydesigns.co[.]in/chromefiles/chrome.min.css
- 93.95.100[.]178 port 443 - milk.alchemydesigns.co[.]in/chromefiles/chrome_logo_2x.png
- 93.95.100[.]178 port 443 - milk.alchemydesigns.co[.]in/chromefiles/chrome-32.png
- 93.95.100[.]178 port 443 - milk.alchemydesigns.co[.]in/chromefiles/chrome-new.jpg
- 93.95.100[.]178 port 443 - milk.alchemydesigns.co[.]in/article/index.php?h=240&x=365260&e=3f28235c536e1a7538fcbfdb5b6185d8&st=1
- 93.95.100[.]178 port 443 - milk.alchemydesigns.co[.]in/chromefiles/DXI1ORHCpsQm3Vp6mXoaTegdm0LZdjqr5-oayXSOefg.woff2
- 93.95.100[.]178 port 443 - milk.alchemydesigns.co[.]in/chromefiles/cJZKeOuBrn4kERxqtaUH3VtXRa8TVwTICgirnJhmVJw.woff2
- 93.95.100[.]178 port 443 - milk.alchemydesigns.co[.]in/chromefiles/k3k702ZOKiLJc3WVjuplzOgdm0LZdjqr5-oayXSOefg.woff2
- 93.95.100[.]178 port 443 - milk.alchemydesigns.co[.]in/chromefiles/MTP_ySUJH_bn48VBG8sNSugdm0LZdjqr5-oayXSOefg.woff2
- 93.95.100[.]178 port 443 - milk.alchemydesigns.co[.]in/article/index.php?h=240&x=365260&e=3f28235c536e1a7538fcbfdb5b6185d8&st=2
- 93.95.100[.]178 port 443 - milk.alchemydesigns.co[.]in/article/index.php?h=240&x=365260&e=3f28235c536e1a7538fcbfdb5b6185d8&st=3
- port 443 - dl.dropboxusercontent[.]com - GET /s/khkxwbuf47le5x2/Chrome_77.12.js?dl=1

2019-02-08 AT APPROXIMATELY 23:40 UTC:

- 75.98.175[.]121 port 443 - premieragentnetwork[.]com - GET /
- Something from the above site led directly or indirectly to the below traffic:
- 45.124.190[.]186 port 443 - click.clickanalytics208[.]com - GET /s_code.js?[long string with details of victim's host]
- 93.95.100[.]178 port 443 - snap.cr-acad[.]com - GET /forums/article.php?l=240&h=248318&j=4661bc9b60cad3f841e90305cc1353ca
- 93.95.100[.]178 port 443 - snap.cr-acad[.]com - GET /chromefiles/css.css
- 93.95.100[.]178 port 443 - snap.cr-acad[.]com - GET /chromefiles/chrome.min.css
- 93.95.100[.]178 port 443 - snap.cr-acad[.]com - GET /chromefiles/chrome_logo_2x.png
- 93.95.100[.]178 port 443 - snap.cr-acad[.]com - GET /chromefiles/chrome-new.jpg
- 93.95.100[.]178 port 443 - snap.cr-acad[.]com - GET /chromefiles/chrome-32.png
- 93.95.100[.]178 port 443 - snap.cr-acad[.]com - GET /chromefiles/k3k702ZOKiLJc3WVjuplzOgdm0LZdjqr5-oayXSOefg.woff2
- 93.95.100[.]178 port 443 - snap.cr-acad[.]com - GET /chromefiles/cJZKeOuBrn4kERxqtaUH3VtXRa8TVwTICgirnJhmVJw.woff2
- 93.95.100[.]178 port 443 - snap.cr-acad[.]com - GET /chromefiles/DXI1ORHCpsQm3Vp6mXoaTegdm0LZdjqr5-oayXSOefg.woff2
- 93.95.100[.]178 port 443 - snap.cr-acad[.]com - GET /chromefiles/MTP_ySUJH_bn48VBG8sNSugdm0LZdjqr5-oayXSOefg.woff2
- 93.95.100[.]178 port 443 - snap.cr-acad[.]com - GET /forums/article.php?l=240&h=248318&j=4661bc9b60cad3f841e90305cc1353ca&st=1
- 93.95.100[.]178 port 443 - snap.cr-acad[.]com - GET /forums/article.php?l=240&h=248318&j=4661bc9b60cad3f841e90305cc1353ca&st=2
- 93.95.100[.]178 port 443 - snap.cr-acad[.]com - GET /forums/article.php?l=240&h=248318&j=4661bc9b60cad3f841e90305cc1353ca&st=3
- port 443 - dl.dropboxusercontent[.]com - GET /s/7ryfokv40rpkib9/Chrome_77.41.js?dl=1

POST INFECTION TRAFFIC WHEN THE DOWNLOADED JS FILE WORKED:

- 188.165.62[.]40 port 80 - bf6505c9.static.spillpalletonline[.]com - POST /pixel.gif
- 188.165.62[.]40 port 80 - bf6505c9.static.spillpalletonline[.]com - POST /pixel.gif?ss&ss1img
- 188.165.62[.]40 port 80 - bf6505c9.static.spillpalletonline[.]com - POST /pixel.gif?ss&ss2img
[system rebooted twice, the second time almost immediately after the first]
- 185.229.224[.]120 port 80 - afroamericanec[.]bit - POST /en/
- 185.229.224[.]120 port 80 - afroamericanec[.]bit - POST /en/www/

DOWNLOADED .JS FILE:

- SHA256 hash: 6fdafc85e2f2d1f480b094ccdcfedda1de1035b6bf19b28aa3f1625c13149e8c
- File name: Chrome_77.46.js
- File size: 42,304 bytes
- File description: .js malware downloader disguised as Chrome update
- Any.Run analysis: https://app.any.run/tasks/ae572ace-da09-4b37-9b0d-48d7d97ffbb8
- CAPE sandbox: https://cape.contextis.com/analysis/35793/
- Reverse.it: https://www.reverse.it/sample/6fdafc85e2f2d1f480b094ccdcfedda1de1035b6bf19b28aa3f1625c13149e8c

FOLLOW-UP MALWARE: CHTHONIC

- SHA256 hash: 266e7f2587ce35b7bd34f38e4ce0262c022e11de4ef499b161cc2bbe7d20a05a
- File name: Chrome_77.46.exe
- File size: 406,792 bytes
- File description: Chthonic Banking Trojan retrieved by .js downloader
- Any.Run analysis: https://app.any.run/tasks/47e109b4-a81e-482f-ac2a-20ad50da25b8
- CAPE sandbox: https://cape.contextis.com/analysis/35791/
- Reverse.it: https://www.reverse.it/sample/266e7f2587ce35b7bd34f38e4ce0262c022e11de4ef499b161cc2bbe7d20a05a
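ADDED EXAMPLE (not part of the original paste): a small Python script that turns the indicators above into detection logic and runs it over HTTP/proxy log lines. The host names, IPs and URI shapes are taken from the paste, still defanged with "[.]" as published; everything else is assumed for the demo: the tab-separated log layout, the sample log lines, the Dropbox and benign destination IPs (documentation-range placeholders, since the paste does not list them), and the "stage" labels. Stages 1-3 of the chain ran over port 443, so a passive sensor sees only the server name (SNI); the URI-based checks only work behind a TLS-terminating proxy or on a decrypted pcap.

```python
# Added example, not part of the original paste: match the paste's indicators
# and URI patterns against HTTP/proxy log lines. Indicators are copied from the
# paste above, still defanged with "[.]" as published. The TSV layout and the
# sample log lines are constructed for this demo; the Dropbox and benign
# destination IPs are placeholders because the paste does not list them.
import re

# Attacker-controlled hosts/IPs from the paste (defanged as published).
DEFANGED_ATTACKER_HOSTS = [
    "click.clickanalytics208[.]com",            # first hop after the compromised site
    "pond.codingbit[.]com",                     # fake-update landing host
    "milk.alchemydesigns.co[.]in",              # fake-update landing host
    "snap.cr-acad[.]com",                       # fake-update landing host
    "bf6505c9.static.spillpalletonline[.]com",  # post-infection POST /pixel.gif
    "afroamericanec[.]bit",                     # post-infection C2 on a Namecoin TLD
]
DEFANGED_ATTACKER_IPS = ["45.124.190[.]186", "93.95.100[.]178",
                         "188.165.62[.]40", "185.229.224[.]120"]
# The compromised site is the entry point, not attacker infrastructure:
# flag visits to it rather than blocking the domain outright.
DEFANGED_COMPROMISED = ["premieragentnetwork[.]com", "75.98.175[.]121"]


def refang(ioc: str) -> str:
    """Undo the '[.]' defanging used in the paste so values match live logs."""
    return ioc.replace("[.]", ".")


ATTACKER_HOSTS = {refang(h) for h in DEFANGED_ATTACKER_HOSTS}
ATTACKER_IPS = {refang(i) for i in DEFANGED_ATTACKER_IPS}
COMPROMISED = {refang(c) for c in DEFANGED_COMPROMISED}

# URI patterns lifted from the paste; these also catch the same kit on
# landing hosts that are not in the lists above.
SCODE_RE = re.compile(r"^/s_code\.js\?")                     # clickanalytics208 script
CHROMEFILES_RE = re.compile(r"^/chromefiles/")                # fake Chrome update assets
DROPBOX_JS_RE = re.compile(r"^/s/[A-Za-z0-9]+/Chrome_\d+\.\d+\.js\?dl=1$")
PIXEL_POST_RE = re.compile(r"^/pixel\.gif(\?ss&ss\d+img)?$")  # post-infection beacon


def classify(method: str, dst_ip: str, host: str, uri: str) -> list:
    """Return every reason a request matches the chain described in the paste."""
    reasons = []
    if host in ATTACKER_HOSTS or dst_ip in ATTACKER_IPS:
        reasons.append("known-ioc")
    if host in COMPROMISED or dst_ip in COMPROMISED:
        reasons.append("compromised-entry-site")
    if SCODE_RE.match(uri):
        reasons.append("stage1-s_code.js")
    if CHROMEFILES_RE.match(uri):
        reasons.append("stage2-fake-chrome-update-page")
    if host == "dl.dropboxusercontent.com" and DROPBOX_JS_RE.match(uri):
        reasons.append("stage3-js-downloader-via-dropbox")
    if method == "POST" and PIXEL_POST_RE.match(uri):
        reasons.append("stage4-pixel.gif-beacon")
    if host.endswith(".bit"):
        reasons.append("stage4-namecoin-bit-c2")
    return reasons


def scan(log_text: str) -> list:
    """Scan TSV lines of: ts, src_ip, dst_ip, dst_port, method, host, uri.

    Stages 1-3 in the paste ran over port 443. A passive sensor only sees the
    server name (SNI), so host/IP reasons still fire there, but the URI-based
    reasons need a TLS-terminating proxy or a decrypted pcap.
    """
    hits = []
    for raw in log_text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        ts, src, dst, _port, method, host, uri = raw.split("\t")
        reasons = classify(method, dst, host.lower(), uri)
        if reasons:
            hits.append((ts, src, host, uri, reasons))
    return hits


# Constructed sample log modelled on the sequence in the paste. 198.51.100.7
# and 203.0.113.9 are documentation-range placeholders, not observed IPs.
SAMPLE_LOG = """\
1549670640.1\t10.1.2.3\t75.98.175.121\t443\tGET\tpremieragentnetwork.com\t/
1549670641.2\t10.1.2.3\t45.124.190.186\t443\tGET\tclick.clickanalytics208.com\t/s_code.js?v=CONSTRUCTED
1549670642.3\t10.1.2.3\t93.95.100.178\t443\tGET\tsnap.cr-acad.com\t/chromefiles/chrome.min.css
1549670650.4\t10.1.2.3\t198.51.100.7\t443\tGET\tdl.dropboxusercontent.com\t/s/7ryfokv40rpkib9/Chrome_77.41.js?dl=1
1549670900.5\t10.1.2.3\t188.165.62.40\t80\tPOST\tbf6505c9.static.spillpalletonline.com\t/pixel.gif?ss&ss1img
1549671200.6\t10.1.2.3\t185.229.224.120\t80\tPOST\tafroamericanec.bit\t/en/
1549671300.7\t10.1.2.3\t203.0.113.9\t443\tGET\tbenign.example\t/index.html
"""

if __name__ == "__main__":
    for ts, src, host, uri, reasons in scan(SAMPLE_LOG):
        print(f"{ts} {src} -> {host}{uri}: {', '.join(reasons)}")
```

Run against the constructed sample, six of the seven lines are flagged and the benign request is not. The URI patterns matter more than the host list: the author saw two different landing hosts on 93.95.100[.]178 and two different Dropbox share paths within an hour, so the exact-match indicators age quickly while the /chromefiles/ path, the Chrome_NN.NN.js download name and the POST /pixel.gif beacon stayed constant across the runs recorded above.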