unixfreaxjp

#OCJP-003 - CHINESE TROJAN FOUND IN SERVER AT JAPAN IDC

Jan 28th, 2012
=============================================
IF YOU FIND THIS MALWARE ANALYSIS
PLEASE HELP TO BLOCK THIS INFECTED URL/IP:

hxxp://diybbb.com/update.exe
IP: 106.187.46.93

BECAUSE SOMEONE POORLY TRIED TO REGENERATE THE
TROJAN DROPPER, BACKDOOR, DOWNLOADER FlyStudio.
THIS MALWARE ORIGINATED FROM CHINA
AND IS USING A JAPANESE NETWORK TO TRY TO SPREAD IT.

VIRUS TOTAL DETECTED ONLY 25/42
https://www.virustotal.com/file/84a6adc0975102ca72cdebcf28f9d962d13742aad5980483ded1e38e93162392/analysis/1327754643/
SO IF YOU NEED A SAMPLE OF THIS, GRAB IT NOW!

SEE SCREENSHOT ANALYSIS HERE:
Japanese: http://unixfreaxjp.blogspot.com/2012/01/ocjp-003-nihonn.html
English: http://bit.ly/A1tofm
THANKS - UNIXFREAXJP -
=============================================
Sat Jan 28 20:37:20 JST 201
--20:37:04-- http://diybbb.com/update.exe
=> `update.exe.1'
Resolving diybbb.com... 106.187.46.93
Connecting to diybbb.com|106.187.46.93|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 870,186 (850K) [application/octet-stream]
100%[====================================>] 870,186 1.49M/s
20:37:05 (1.49 MB/s) - `update.exe.1' saved [870186/870186]

SHA256: 84a6adc0975102ca72cdebcf28f9d962d13742aad5980483ded1e38e93162392
SHA1: 9085cfda0b6e0fc9384afe97f37a1323a0358b9f
MD5: 8eef0a7b25c397a3c14179563c8a0f49
File size: 849.8 KB ( 870186 bytes )
File name: update.exe
First Detected: 2011-12-05
Last Detected: 2012-01-28

=======================================
1. BINARY ANALYSIS
=======================================
Valid PE file (both IMAGE_SCN_MEM_WRITE & IMAGE_SCN_MEM_EXECUTE are set on the section below)
Written CRC & actual CRC are different: Claimed: 0 ; Actual: 899,309
Suspicious timestamp: 0x59BFFA3 [Mon Dec 25 05:33:23 1972 UTC]
Suspicious compile time: 1972-12-25 14:33:23
Identified packer: Installer VISE Custom
Suspicious section: IMAGE_SECTION_HEADER entropy: 7.7067096641
[IMAGE_SECTION_HEADER]
Name: .data
Misc: 0x23000
Misc_PhysicalAddress: 0x23000
Misc_VirtualSize: 0x23000
VirtualAddress: 0x9000
SizeOfRawData: 0x23000
PointerToRawData: 0x9000
PointerToRelocations: 0x0
PointerToLinenumbers: 0x0
NumberOfRelocations: 0x0
NumberOfLinenumbers: 0x0
Characteristics: 0xE0000040
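The section-header and timestamp signals listed above (Characteristics 0xE0000040, section entropy 7.71, a 1972 build stamp) rebuilt as a small Python triage script. This is an added example, not part of the original report or of any tool the author used. The header field values are the ones quoted above; the section body bytes, the 7.0 entropy threshold and the 1993 cut-off year for a plausible Win32 build date are constructed assumptions.

```python
# Added example (not from the original report): the PE section-header and
# timestamp checks the analysis above relies on, rebuilt as a triage script.
# Header values are the ones quoted in the report; the section body, the
# entropy threshold and the 1993 cut-off year are constructed assumptions.
import math
import struct
from datetime import datetime, timezone

# Section characteristic flags (PE/COFF specification).
SECTION_FLAGS = {
    0x00000020: "IMAGE_SCN_CNT_CODE",
    0x00000040: "IMAGE_SCN_CNT_INITIALIZED_DATA",
    0x00000080: "IMAGE_SCN_CNT_UNINITIALIZED_DATA",
    0x20000000: "IMAGE_SCN_MEM_EXECUTE",
    0x40000000: "IMAGE_SCN_MEM_READ",
    0x80000000: "IMAGE_SCN_MEM_WRITE",
}
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000

# IMAGE_SECTION_HEADER: 8-byte name, six DWORDs, two WORDs, one DWORD = 40 bytes.
SECTION_HEADER_FMT = "<8sIIIIIIHHI"
SECTION_HEADER_SIZE = struct.calcsize(SECTION_HEADER_FMT)
SECTION_FIELDS = (
    "Name", "VirtualSize", "VirtualAddress", "SizeOfRawData", "PointerToRawData",
    "PointerToRelocations", "PointerToLinenumbers", "NumberOfRelocations",
    "NumberOfLinenumbers", "Characteristics",
)

# Constructed: the .data header exactly as the report lists it, re-packed.
CONSTRUCTED_DATA_HEADER = struct.pack(
    SECTION_HEADER_FMT, b".data", 0x23000, 0x9000, 0x23000, 0x9000, 0, 0, 0, 0, 0xE0000040
)
# Constructed stand-in for the section body: 0x23000 bytes with a flat byte
# histogram, i.e. the maximum entropy a packed or encrypted blob can show.
HIGH_ENTROPY_SECTION = bytes(range(256)) * (0x23000 // 256)


def parse_section_header(raw: bytes) -> dict:
    """Unpack one IMAGE_SECTION_HEADER into a dict keyed by field name."""
    values = struct.unpack(SECTION_HEADER_FMT, raw[:SECTION_HEADER_SIZE])
    hdr = dict(zip(SECTION_FIELDS, values))
    hdr["Name"] = hdr["Name"].rstrip(b"\0").decode("ascii", "replace")
    return hdr


def describe_characteristics(flags: int) -> list:
    """Names of the known flag bits set in a Characteristics value, low bit first."""
    return [name for bit, name in sorted(SECTION_FLAGS.items()) if flags & bit]


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty or single-value input, 8.0 at most."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def section_findings(hdr: dict, body: bytes, entropy_threshold: float = 7.0) -> list:
    """Tags for the two section-level signals the report flags: W+X and high entropy."""
    tags = []
    flags = hdr["Characteristics"]
    if flags & IMAGE_SCN_MEM_WRITE and flags & IMAGE_SCN_MEM_EXECUTE:
        tags.append("WRITE_EXECUTE")   # memory that can be rewritten, then run
    if shannon_entropy(body) >= entropy_threshold:
        tags.append("HIGH_ENTROPY")    # packed or encrypted payload
    return tags


def pe_timestamp(ts: int) -> datetime:
    """TimeDateStamp is seconds since the Unix epoch, interpreted as UTC."""
    return datetime.fromtimestamp(ts, tz=timezone.utc)


def timestamp_findings(ts: int, earliest_year: int = 1993, now: datetime = None) -> list:
    """Flag build stamps before the assumed earliest plausible year or in the future."""
    built = pe_timestamp(ts)
    now = now or datetime.now(timezone.utc)
    tags = []
    if built.year < earliest_year:
        tags.append("BEFORE_EARLIEST")
    if built > now:
        tags.append("IN_FUTURE")
    return tags


if __name__ == "__main__":
    hdr = parse_section_header(CONSTRUCTED_DATA_HEADER)
    print(hdr["Name"], hex(hdr["Characteristics"]), describe_characteristics(hdr["Characteristics"]))
    print("section:", section_findings(hdr, HIGH_ENTROPY_SECTION),
          "entropy %.2f" % shannon_entropy(HIGH_ENTROPY_SECTION))
    print("timestamp:", pe_timestamp(0x059BFFA3).isoformat(), timestamp_findings(0x059BFFA3))
```

The flag decode shows why 0xE0000040 stands out: it is INITIALIZED_DATA plus READ, WRITE and EXECUTE on the same section, which a normal linker-produced .data section does not carry. On the real sample the body passed to `section_findings` would be the `SizeOfRawData` bytes read from `PointerToRawData`; the flat-histogram stand-in here only reproduces the "near 8 bits per byte" condition the report's 7.71 figure points to.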

----------------------------------
Malware loads the following DLLs
----------------------------------
[IMAGE_IMPORT_DESCRIPTOR]
OriginalFirstThunk: 0x6690
Characteristics: 0x6690
TimeDateStamp: 0x0 [Thu Jan 01 00:00:00 1970 UTC]
ForwarderChain: 0x0
Name: 0x67EA
FirstThunk: 0x6000

KERNEL32.dll.GetProcAddress Hint[318] <--- anti-debugging traces
KERNEL32.dll.LoadLibraryA Hint[450] <--- anti-debugging traces
KERNEL32.dll.CloseHandle Hint[27] <--- anti-debugging traces
KERNEL32.dll.WriteFile Hint[735]
KERNEL32.dll.CreateDirectoryA Hint[45] <--- why does it need to create a folder?
KERNEL32.dll.GetTempPathA Hint[357]
KERNEL32.dll.ReadFile Hint[536]
KERNEL32.dll.SetFilePointer Hint[618]
KERNEL32.dll.CreateFileA Hint[52] <--- why does it need to create a file?
KERNEL32.dll.GetModuleFileNameA Hint[292]
KERNEL32.dll.GetStringTypeA Hint[339]
KERNEL32.dll.LCMapStringW Hint[448]
KERNEL32.dll.LCMapStringA Hint[447]
KERNEL32.dll.HeapAlloc Hint[409]
KERNEL32.dll.HeapFree Hint[415]
KERNEL32.dll.GetModuleHandleA Hint[294]
KERNEL32.dll.GetStartupInfoA Hint[336]
KERNEL32.dll.GetCommandLineA Hint[202] <--- why does it need the command line?
KERNEL32.dll.GetVersion Hint[372]
KERNEL32.dll.ExitProcess Hint[125]
KERNEL32.dll.HeapDestroy Hint[413]
KERNEL32.dll.HeapCreate Hint[411] <--- DEP setting change trace
KERNEL32.dll.VirtualFree Hint[703] <--- DEP setting change trace
KERNEL32.dll.VirtualAlloc Hint[699] <--- DEP setting change trace
KERNEL32.dll.HeapReAlloc Hint[418] <--- DEP setting change trace
KERNEL32.dll.TerminateProcess Hint[670] <--- why does it need to terminate a process? Which one?
KERNEL32.dll.GetCurrentProcess Hint[247] <--- anti-debugging traces
KERNEL32.dll.UnhandledExceptionFilter Hint[685]
KERNEL32.dll.FreeEnvironmentStringsA Hint[178]
KERNEL32.dll.FreeEnvironmentStringsW Hint[179]
KERNEL32.dll.WideCharToMultiByte Hint[722]
KERNEL32.dll.GetEnvironmentStrings Hint[262]
KERNEL32.dll.GetEnvironmentStringsW Hint[264]
KERNEL32.dll.SetHandleCount Hint[621]
KERNEL32.dll.GetStdHandle Hint[338]
KERNEL32.dll.GetFileType Hint[277]
KERNEL32.dll.RtlUnwind Hint[559]
KERNEL32.dll.GetCPInfo Hint[191]
KERNEL32.dll.GetACP Hint[185]
KERNEL32.dll.GetOEMCP Hint[305]
KERNEL32.dll.MultiByteToWideChar Hint[484]
KERNEL32.dll.GetStringTypeW Hint[342]
USER32.dll.MessageBoxA Hint[446]
USER32.dll.wsprintfA Hint[684]
------------------------------------------------
Addresses (IAT entries) of the most suspicious imports above:
------------------------------------------------
0x406000 GetProcAddress
0x406004 LoadLibraryA
0x406008 CloseHandle
0x406068 GetCurrentProcess
0x406020 CreateFileA
0x406054 HeapCreate
0x40605c VirtualAlloc

------------------------------------------------------------
Detection ratio: 25 / 42
Analysis date: 2012-01-28 12:44:03 UTC ( 0 分 ago )
SHA256:84a6adc0975102ca72cdebcf28f9d962d13742aad5980483ded1e38e93162392

Antivirus Result Update
------------------------------------------------------------
AhnLab-V3 Win32/Flystudio.worm.Gen 20120127
AntiVir - 20120127
Antiy-AVL - 20120128
Avast - 20120128
AVG BackDoor.FlyAgent.D 20120128
BitDefender - 20120128
ByteHero - 20120126
CAT-QuickHeal Win32.Trojan-Dropper.VBS.p.5 20120127
ClamAV Trojan.Agent-64034 20120128
Commtouch W32/FlyStudio.A.gen!Eldorado 20120128
Comodo TrojWare.Win32.Agent.pkd 20120128
DrWeb - 20120128
Emsisoft Trojan-Dropper.Win32.Binder!IK 20120128
eSafe Win32.TrojanAgent.Dq 20120126
eTrust-Vet Win32/SillyAutorun.ALB 20120127
F-Prot W32/FlyStudio.A.gen!Eldorado 20120127
F-Secure Trojan:W32/Agent.DQOD 20120128
Fortinet W32/BDoor.DRV!tr 20120128
GData - 20120128
Ikarus Trojan-Dropper.Win32.Binder 20120128
Jiangmin - 20120127
K7AntiVirus Riskware 20120127
Kaspersky - 20120128
McAfee BackDoor-DRV.gen.c 20120127
McAfee-GW-Ed. BackDoor-DRV.gen.c 20120128
Microsoft - 20120128
NOD32 Win32/FlyStudio.OHX 20120128
Norman W32/Suspicious_Gen2.RZVIX 20120127
nProtect - 20120128
Panda Trj/CI.A 20120128
PCTools - 20120128
Rising - 20120118
Sophos Troj/Agent-OKI 20120128
SUPERAntiSpyWr - 20120128
Symantec WS.Reputation.1 20120128
TheHacker Trojan/Downloader.Flystudio.gen 20120127
TrendMicro TROJ_SPNR.15A912 20120128
Trend-HouseCall TROJ_SPNR.0BLQ11 20120128
VBA32 - 20120126
VIPRE Trojan.Win32.Autorun.dm (v) 20120128
ViRobot - 20120128
VirusBuster - 20120127
------------------------------------------------------------

=============================================
2. NETWORK & DOMAIN REGISTRATION
=============================================

------------------------------------------
Domain Name: DIYBBB.COM
------------------------------------------
Registrar: XIN NET TECHNOLOGY CORPORATION
Whois Server: whois.paycenter.com.cn
Referral URL: http://www.xinnet.com
Name Server: F1G1NS1.DNSPOD.NET
Name Server: F1G1NS2.DNSPOD.NET
Status: ok
Updated Date: 24-dec-2011
Creation Date: 28-aug-2010
Expiration Date: 28-aug-2013
------------------------------------------
Cross Check:
------------------------------------------
Domain Name : diybbb.com
PunnyCode : diybbb.com
Creation Date : 2010-08-29 11:00:42
Updated Date : 2011-12-25 10:27:26
Expiration Date : 2013-08-29 11:00:39
------------------------------------------
Administrative /Technical/Billing Contact:
------------------------------------------
Name : LIN YAN
Organization : LIN YAN
Address : TIANHE QU BUYNOW C1507
City : GuangZhou
Province/State : Guangdong
Country : CN
Postal Code : 510000
Phone Number : 86-020-62683253
Fax : 86-020-62683286
Email : mimidi@126.com

-------------------------------------------
DNS DUMP
-------------------------------------------
diybbb.com. 476 IN A 106.187.46.93
www.diybbb.com. 454 IN A 106.187.46.93
diybbb.com. 476 IN SOA f1g1ns1.dnspod.net. freednsadmin.dnspod.com. 1324728081 3600 180 1209600 180
diybbb.com. 476 IN TXT "v=spf1 include:spf.163.com ~all"
spf.163.com. 17921 IN TXT "v=spf1 include:a.spf.163.com include:b.spf.163.com -all"
a.spf.163.com. 18000 IN TXT "v=spf1 ip4:220.181.12.0/22 ip4:220.181.31.0/24 ip4:123.125.50.0/24 ip4:220.181.72.0/24 ip4:123.58.178.0/24 ip4:123.58.177.0/24 ip4:42.99.128.0/28 ip4:113.108.225.0/24 ip4:218.107.63.0/24 -all"
b.spf.163.com. 18000 IN TXT "v=spf1 ip4:176.32.85.45 ip4:176.32.86.149 ip4:46.51.243.229 ip4:176.34.24.103 ip4:176.34.24.136 ip4:176.34.26.118 -all"
diybbb.com. 476 IN MX 10 mx.ym.163.com.
diybbb.com. 476 IN NS f1g1ns2.dnspod.net.
diybbb.com. 476 IN NS f1g1ns1.dnspod.net.
diybbb.com. 476 IN NS f1g1ns1.dnspod.net.
diybbb.com. 476 IN NS f1g1ns2.dnspod.net.
f1g1ns1.dnspod.net. 164000 IN A 119.167.195.6
f1g1ns1.dnspod.net. 164000 IN A 122.225.217.192
f1g1ns1.dnspod.net. 164000 IN A 180.153.10.150
f1g1ns1.dnspod.net. 164000 IN A 183.60.52.217
f1g1ns2.dnspod.net. 164977 IN A 112.90.143.29
f1g1ns2.dnspod.net. 164977 IN A 122.225.217.191
f1g1ns2.dnspod.net. 164977 IN A 180.153.10.151
f1g1ns2.dnspod.net. 164977 IN A 180.153.162.150


+-f1g1ns1.dnspod.net (119.167.195.6)
| +-f1g1ns1.dnspod.net (122.225.217.192)
| | +-f1g1ns1.dnspod.net (180.153.10.150)
| | | +-f1g1ns1.dnspod.net (183.60.52.217)
| | | | +-f1g1ns2.dnspod.net (122.225.217.191)
| | | | | +-f1g1ns2.dnspod.net (180.153.10.151)
| | | | | | +-f1g1ns2.dnspod.net (180.153.162.150)
| | | | | | | +-f1g1ns2.dnspod.net (112.90.143.29)
| | | | | | | |
---------------------------------------------------------------------------------------
Tracing to diybbb.com[a] via 202.238.95.24, maximum of 1 retries
202.238.95.24 (202.238.95.24)
---------------------------------------------------------------------------------------
|\___ c.gtld-servers.net [com] (192.26.92.30)
| |\___ f1g1ns2.dnspod.net [diybbb.com] (180.153.162.150) Got authoritative answer
| |\___ f1g1ns2.dnspod.net [diybbb.com] (180.153.10.151) Got authoritative answer
| |\___ f1g1ns2.dnspod.net [diybbb.com] (122.225.217.191) Got authoritative answer
| |\___ f1g1ns2.dnspod.net [diybbb.com] (112.90.143.29) Got authoritative answer
| |\___ f1g1ns1.dnspod.net [diybbb.com] (183.60.52.217) *
| |\___ f1g1ns1.dnspod.net [diybbb.com] (180.153.10.150) *
| |\___ f1g1ns1.dnspod.net [diybbb.com] (122.225.217.192) Got authoritative answer
| \___ f1g1ns1.dnspod.net [diybbb.com] (119.167.195.6) *
|\___ b.gtld-servers.net [com] (2001:0503:231d:0000:0000:0000:0002:0030) *
|\___ b.gtld-servers.net [com] (192.33.14.30)
| |\___ f1g1ns2.dnspod.net [diybbb.com] (180.153.162.150) Got authoritative answer
| |\___ f1g1ns2.dnspod.net [diybbb.com] (180.153.10.151) *
| |\___ f1g1ns2.dnspod.net [diybbb.com] (122.225.217.191) Got authoritative answer
| |\___ f1g1ns2.dnspod.net [diybbb.com] (112.90.143.29) Got authoritative answer
| |\___ f1g1ns1.dnspod.net [diybbb.com] (183.60.52.217) Got authoritative answer [received type is cname]
| |\___ f1g1ns1.dnspod.net [diybbb.com] (180.153.10.150) Got authoritative answer
| |\___ f1g1ns1.dnspod.net [diybbb.com] (122.225.217.192) Got authoritative answer
| \___ f1g1ns1.dnspod.net [diybbb.com] (119.167.195.6) *
|\___ e.gtld-servers.net [com] (192.12.94.30)
| |\___ f1g1ns2.dnspod.net [diybbb.com] (180.153.162.150) Got authoritative answer
| |\___ f1g1ns2.dnspod.net [diybbb.com] (180.153.10.151) Got authoritative answer
| |\___ f1g1ns2.dnspod.net [diybbb.com] (122.225.217.191) Got authoritative answer
| |\___ f1g1ns2.dnspod.net [diybbb.com] (112.90.143.29) Got authoritative answer
| |\___ f1g1ns1.dnspod.net [diybbb.com] (183.60.52.217) Got authoritative answer [received type is cname]
| |\___ f1g1ns1.dnspod.net [diybbb.com] (180.153.10.150) Got authoritative answer
| |\___ f1g1ns1.dnspod.net [diybbb.com] (122.225.217.192) Got authoritative answer
| \___ f1g1ns1.dnspod.net [diybbb.com] (119.167.195.6) *
|\___ f.gtld-servers.net [com] (192.35.51.30)
| |\___ f1g1ns2.dnspod.net [diybbb.com] (180.153.162.150) *
| |\___ f1g1ns2.dnspod.net [diybbb.com] (180.153.10.151) *
| |\___ f1g1ns2.dnspod.net [diybbb.com] (122.225.217.191) Got authoritative answer
| |\___ f1g1ns2.dnspod.net [diybbb.com] (112.90.143.29) Got authoritative answer
| |\___ f1g1ns1.dnspod.net [diybbb.com] (183.60.52.217) Got authoritative answer [received type is cname]
| |\___ f1g1ns1.dnspod.net [diybbb.com] (180.153.10.150) Got authoritative answer
| |\___ f1g1ns1.dnspod.net [diybbb.com] (122.225.217.192) Got authoritative answer
| \___ f1g1ns1.dnspod.net [diybbb.com] (119.167.195.6) *
|\___ k.gtld-servers.net [com] (192.52.178.30)
| |\___ f1g1ns2.dnspod.net [diybbb.com] (180.153.162.150) Got authoritative answer
| |\___ f1g1ns2.dnspod.net [diybbb.com] (180.153.10.151) Got authoritative answer
| |\___ f1g1ns2.dnspod.net [diybbb.com] (122.225.217.191) Got authoritative answer
| |\___ f1g1ns2.dnspod.net [diybbb.com] (112.90.143.29) Got authoritative answer
| |\___ f1g1ns1.dnspod.net [diybbb.com] (183.60.52.217) Got authoritative answer [received type is cname]
| |\___ f1g1ns1.dnspod.net [diybbb.com] (180.153.10.150) Got authoritative answer
| |\___ f1g1ns1.dnspod.net [diybbb.com] (122.225.217.192) Got authoritative answer
| \___ f1g1ns1.dnspod.net [diybbb.com] (119.167.195.6) *
|\___ g.gtld-servers.net [com] (192.42.93.30)
| |\___ f1g1ns2.dnspod.net [diybbb.com] (180.153.162.150) Got authoritative answer
| |\___ f1g1ns2.dnspod.net [diybbb.com] (180.153.10.151) Got authoritative answer
| |\___ f1g1ns2.dnspod.net [diybbb.com] (122.225.217.191) Got authoritative answer
| |\___ f1g1ns2.dnspod.net [diybbb.com] (112.90.143.29) Got authoritative answer
| |\___ f1g1ns1.dnspod.net [diybbb.com] (183.60.52.217) Got authoritative answer [received type is cname]
| |\___ f1g1ns1.dnspod.net [diybbb.com] (180.153.10.150) Got authoritative answer
| |\___ f1g1ns1.dnspod.net [diybbb.com] (122.225.217.192) Got authoritative answer
| \___ f1g1ns1.dnspod.net [diybbb.com] (119.167.195.6) *
|\___ i.gtld-servers.net [com] (192.43.172.30)
| |\___ f1g1ns2.dnspod.net [diybbb.com] (180.153.162.150) Got authoritative answer
| |\___ f1g1ns2.dnspod.net [diybbb.com] (180.153.10.151) *
| |\___ f1g1ns2.dnspod.net [diybbb.com] (122.225.217.191) Got authoritative answer
| |\___ f1g1ns2.dnspod.net [diybbb.com] (112.90.143.29) Got authoritative answer
| |\___ f1g1ns1.dnspod.net [diybbb.com] (183.60.52.217) Got authoritative answer [received type is cname]
| |\___ f1g1ns1.dnspod.net [diybbb.com] (180.153.10.150) *
| |\___ f1g1ns1.dnspod.net [diybbb.com] (122.225.217.192) Got authoritative answer
| \___ f1g1ns1.dnspod.net [diybbb.com] (119.167.195.6) *
|\___ h.gtld-servers.net [com] (192.54.112.30)
| |\___ f1g1ns2.dnspod.net [diybbb.com] (180.153.162.150) *
| |\___ f1g1ns2.dnspod.net [diybbb.com] (180.153.10.151) Got authoritative answer
| |\___ f1g1ns2.dnspod.net [diybbb.com] (122.225.217.191) Got authoritative answer
| |\___ f1g1ns2.dnspod.net [diybbb.com] (112.90.143.29) Got authoritative answer
| |\___ f1g1ns1.dnspod.net [diybbb.com] (183.60.52.217) Got authoritative answer [received type is cname]
| |\___ f1g1ns1.dnspod.net [diybbb.com] (180.153.10.150) Got authoritative answer
| |\___ f1g1ns1.dnspod.net [diybbb.com] (122.225.217.192) Got authoritative answer
| \___ f1g1ns1.dnspod.net [diybbb.com] (119.167.195.6) *
|\___ m.gtld-servers.net [com] (192.55.83.30)
| |\___ f1g1ns2.dnspod.net [diybbb.com] (180.153.162.150) Got authoritative answer
| |\___ f1g1ns2.dnspod.net [diybbb.com] (180.153.10.151) *
| |\___ f1g1ns2.dnspod.net [diybbb.com] (122.225.217.191) Got authoritative answer
| |\___ f1g1ns2.dnspod.net [diybbb.com] (112.90.143.29) Got authoritative answer
| |\___ f1g1ns1.dnspod.net [diybbb.com] (183.60.52.217) Got authoritative answer [received type is cname]
| |\___ f1g1ns1.dnspod.net [diybbb.com] (180.153.10.150) Got authoritative answer
| |\___ f1g1ns1.dnspod.net [diybbb.com] (122.225.217.192) Got authoritative answer
| \___ f1g1ns1.dnspod.net [diybbb.com] (119.167.195.6) *
|\___ a.gtld-servers.net [com] (2001:0503:a83e:0000:0000:0000:0002:0030) *
|\___ a.gtld-servers.net [com] (192.5.6.30)
| |\___ f1g1ns2.dnspod.net [diybbb.com] (180.153.162.150) Got authoritative answer
| |\___ f1g1ns2.dnspod.net [diybbb.com] (180.153.10.151) Got authoritative answer
| |\___ f1g1ns2.dnspod.net [diybbb.com] (122.225.217.191) Got authoritative answer
| |\___ f1g1ns2.dnspod.net [diybbb.com] (112.90.143.29) Got authoritative answer
| |\___ f1g1ns1.dnspod.net [diybbb.com] (183.60.52.217) Got authoritative answer [received type is cname]
| |\___ f1g1ns1.dnspod.net [diybbb.com] (180.153.10.150) *
| |\___ f1g1ns1.dnspod.net [diybbb.com] (122.225.217.192) Got authoritative answer
| \___ f1g1ns1.dnspod.net [diybbb.com] (119.167.195.6) *
|\___ j.gtld-servers.net [com] (192.48.79.30)
| |\___ f1g1ns2.dnspod.net [diybbb.com] (180.153.162.150) Got authoritative answer
| |\___ f1g1ns2.dnspod.net [diybbb.com] (180.153.10.151) Got authoritative answer
| |\___ f1g1ns2.dnspod.net [diybbb.com] (122.225.217.191) Got authoritative answer
| |\___ f1g1ns2.dnspod.net [diybbb.com] (112.90.143.29) Got authoritative answer
| |\___ f1g1ns1.dnspod.net [diybbb.com] (183.60.52.217) Got authoritative answer [received type is cname]
| |\___ f1g1ns1.dnspod.net [diybbb.com] (180.153.10.150) Got authoritative answer
| |\___ f1g1ns1.dnspod.net [diybbb.com] (122.225.217.192) Got authoritative answer
| \___ f1g1ns1.dnspod.net [diybbb.com] (119.167.195.6) *
|\___ l.gtld-servers.net [com] (192.41.162.30)
| |\___ f1g1ns2.dnspod.net [diybbb.com] (180.153.162.150) Got authoritative answer
| |\___ f1g1ns2.dnspod.net [diybbb.com] (180.153.10.151) Got authoritative answer
| |\___ f1g1ns2.dnspod.net [diybbb.com] (122.225.217.191) Got authoritative answer
| |\___ f1g1ns2.dnspod.net [diybbb.com] (112.90.143.29) Got authoritative answer
| |\___ f1g1ns1.dnspod.net [diybbb.com] (183.60.52.217) Got authoritative answer [received type is cname]
| |\___ f1g1ns1.dnspod.net [diybbb.com] (180.153.10.150) Got authoritative answer
| |\___ f1g1ns1.dnspod.net [diybbb.com] (122.225.217.192) Got authoritative answer
| \___ f1g1ns1.dnspod.net [diybbb.com] (119.167.195.6) *
\___ d.gtld-servers.net [com] (192.31.80.30)
|\___ f1g1ns2.dnspod.net [diybbb.com] (180.153.162.150) Got authoritative answer
|\___ f1g1ns2.dnspod.net [diybbb.com] (180.153.10.151) Got authoritative answer
|\___ f1g1ns2.dnspod.net [diybbb.com] (122.225.217.191) Got authoritative answer
|\___ f1g1ns2.dnspod.net [diybbb.com] (112.90.143.29) Got authoritative answer
|\___ f1g1ns1.dnspod.net [diybbb.com] (183.60.52.217) Got authoritative answer [received type is cname]
|\___ f1g1ns1.dnspod.net [diybbb.com] (180.153.10.150) Got authoritative answer
|\___ f1g1ns1.dnspod.net [diybbb.com] (122.225.217.192) Got authoritative answer
\___ f1g1ns1.dnspod.net [diybbb.com] (119.167.195.6) *
------------------------------------------
GENERAL:
------------------------------------------
IP ADDRESS : 106.187.46.93
REVERSE DNS: 93.46.187.106.in-addr.arpa domain name pointer li389-93.members.linode.com.
ASNumber : 2516
Prefix : 106.187.0.0/18
AS Name : KDDI
country : Japan
ISP Info : LINODE LLC

Traceroute:

118.159.225.5 (118.159.225.5) 1.667 ms 11.820 ms 1.442 ms
otejbb204.kddnet.ad.jp (59.128.7.194) 1.063 ms otejbb203.kddnet.ad.jp (59.128.7.129) 1.030 ms otejbb203.kddnet.ad.jp (59.128.7.193) 1.319 ms
cm-fcu203.kddnet.ad.jp (124.215.194.180) 2.555 ms 8.531 ms cm-fcu203.kddnet.ad.jp (124.215.194.164) 2.900 ms
124.215.199.122 (124.215.199.122) 3.096 ms 3.105 ms 3.323 ms
li389-93.members.linode.com (106.187.46.93) 3.331 ms 3.074 ms 2.393 ms
------------------------------------------
INTERNET/NETWORK via JPNIC
------------------------------------------
inetnum: 106.187.40.0 - 106.187.47.255
netname: LINODE
descr: Linode, LLC
country: JP
admin-c: KB2156JP
tech-c: KB2156JP
remarks: This information has been partially mirrored by APNIC from
remarks: JPNIC. To obtain more specific information, please use the
remarks: JPNIC WHOIS Gateway at
remarks: http://www.nic.ad.jp/en/db/whois/en-gateway.html or
remarks: whois.nic.ad.jp for WHOIS client. (The WHOIS client
remarks: defaults to Japanese output, use the /e switch for English
remarks: output)
changed: apnic-ftp@nic.ad.jp 20110714
changed: apnic-ftp@nic.ad.jp 20110811
source: JPNIC
------------------------------------------
Contact Information: [担当者情報]
------------------------------------------
a. [JPNICハンドル] KB2156JP
b. [氏名] Brett Kaplan
c. [Last, First] Brett, Kaplan
d. [電子メイル] bKaplan@linode.com
f. [組織名] Linode, LLC
g. [Organization] Linode, LLC
k. [部署]
l. [Division]
m. [肩書]
n. [Title]
o. [電話番号] +1-609-593-7103
p. [FAX番号]
y. [通知アドレス]
[最終更新] 2011/07/14 14:20:07(JST)
db-staff@nic.ad.jp
Additional Contacts:
contact information for 106.187.46.93
dns@linode.com (responsible for linode.com,46.187.106.in-addr.arpa)
read-txt-record-of-zone-first-dns-admin@apnic.net (responsible for 106.in-addr.arpa)
nstld@iana.org (responsible for in-addr.arpa,in-addr-servers.arpa)
dns-admin@apnic.net (responsible for apnic.net)
hostmaster@lacnic.net (responsible for lacnic.net)
bind@arin.net (responsible for arin.net)
dns@ripe.net (responsible for ripe.net)

------------------------------------------
INTERNET/NETWORK via APNIC
------------------------------------------
inetnum: 106.128.0.0 - 106.191.255.255
netname: KDDI
descr: KDDI CORPORATION
descr: GARDEN AIR TOWER,3-10-10,Iidabashi,Chiyoda-ku,Tokyo
country: JP
admin-c: JNIC1-AP
tech-c: JNIC1-AP
status: ALLOCATED PORTABLE
remarks: Email address for spam or abuse complaints abuse@dion.ne.jp
changed: hm-changed@apnic.net 20110315
mnt-irt: IRT-JPNIC-JP
mnt-by: MAINT-JPNIC
mnt-lower: MAINT-JPNIC
source: APNIC


=================================
3. BEHAVIOUR ANALYSIS
=================================
* Load-time DLLs:
C:\WINDOWS\system32\ntdll.dll 0x7C900000 0x000AF000
C:\WINDOWS\system32\kernel32.dll 0x7C800000 0x000F6000
C:\WINDOWS\system32\USER32.dll 0x7E410000 0x00091000
C:\WINDOWS\system32\GDI32.dll 0x77F10000 0x00049000

* Run-time DLLs:
C:\DOC~\..1\Temp\E_N4\krnln.fnr 0x10000000 0x0011A000
C:\WINDOWS\system32\COMCTL32.dll 0x5D090000 0x0009A000
C:\WINDOWS\system32\OLEPRO32.DLL 0x5EDD0000 0x00017000
C:\WINDOWS\system32\WS2HELP.dll 0x71AA0000 0x00008000
C:\WINDOWS\system32\WS2_32.dll 0x71AB0000 0x00017000
C:\WINDOWS\system32\WINSPOOL.DRV 0x73000000 0x00026000
C:\WINDOWS\system32\DCIMAN32.DLL 0x73BC0000 0x00006000
C:\WINDOWS\system32\MSCTF.dll 0x74720000 0x0004C000
:

* Registry Created:
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Multimedia\DrawDib

* Modified:
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Multimedia\DrawDib
===> vga.drv 800x600x16(565 0) 31,31,31,31

* Malware Directories Created:
%Temp%\E_N4
%System%\13E92A\

* Malware Files Dropped:
%Temp%\E_N4
%Temp%\E_N4\EThread.fne (malware application interface)
%Temp%\E_N4\iext6.fne
%Temp%\E_N4\krnln.fnr (malware kernel support library)
%Temp%\E_N4\shell.fne (malware shell support library)
%Temp%\E_N4\spec.fne

The names of these drops appear as strings in the binary at the following addresses (file offset, virtual address):
0000000090B8 0000004090B8 0 krnln
0000000090BE 0000004090BE 0 d09f2340818511d396f6aaf844c7e325
0000000090F2 0000004090F2 0 EThread
0000000090FA 0000004090FA 0 5F99C1642A2F4e03850721B4F5D7C3F8
000000009131 000000409131 0 A512548E76954B6E92C21055517615B0
000000009165 000000409165 0 shell
00000000916B 00000040916B 0 52F260023059454187AF826A3C07AF2A
0000000091A7 0000004091A7 0 iext6
0000000091AD 0000004091AD 0 {E60056EA-07A8-4bf5-B6F0-DF05DE6FAE1F}


Malware Files Copied:
%System%\13E92A\EThread.fne
%System%\13E92A\iext6.fne
%System%\13E92A\krnln.fnr
%System%\13E92A\shell.fne
%System%\13E92A\spec.fne

Dropped Malware Components: Detection Reputations
-----------------------------------------------------------
%Temp%\E_N4\EThread.fne (previous sample: internet.fne)
%System%\13E92A\EThread.fne
Size: 184,320 bytes
MD5: 0xC93E19032EFD345023E240A0E9F570BA
SHA-1: 0xBC7AD7302513317F3C8663FAC8328A9DA588252D
Verdict:
Trojan.Galapoper [PCTools]
Trojan.Galapoper.A [Symantec]
Tool-EPLLib.gen.b [McAfee]
Mal/EncPk-NB [Sophos]
possible-Threat.HackTool.EPLLib [Ikarus]
packed with PE-Crypt.CF [Kaspersky Lab]
-----------------------------------------------------------
%Temp%\E_N4\krnln.fnr
%System%\13E92A\krnln.fnr
Size: 701,824 bytes
MD5: 0x6E32451019FDB76AB888F6FB5F5836E0
SHA-1: 0xF9E495276C9AD994DDBE0D1716F37081266273A9
Verdict:
Trojan.Gen [PCTools]
Trojan.Gen [Symantec]
Mal/EncPk-NB [Sophos]
Trojan.Win32.Gendal [Ikarus]
packed with PE-Crypt.CF [Kaspersky Lab]
-----------------------------------------------------------
%Temp%\E_N4\shell.fne
%System%\13E92A\shell.fne
Size: 40,960 bytes
MD5: 0xA82A3F811F1A01C9EEBF7E76C8C3CD6C
SHA-1: 0x96C026497D308450E460F058E3B0B68D75C0684A
Verdict:
Trojan.Generic [PCTools]
Trojan Horse [Symantec]
Generic PWS.y!hv.s [McAfee]
Mal/EncPk-NB [Sophos]
Trojan:Win32/Orsam!rts [Microsoft]
Trojan.Peed [Ikarus]
Win-Trojan/Xema.variant [AhnLab]
packed with PE-Crypt.CF [Kaspersky Lab]
-----------------------------------------------------------
%Temp%\E_N4\spec.fne
%System%\13E92A\spec.fne
Size: 73,728 bytes
MD5: 0x2C6AECDD5D8D812C5BF1D678252B1901
SHA-1: 0x65976048B550BDE89CEC8B45CF40060688C96A12
Verdict:
Trojan.Generic [PCTools]
Trojan Horse [Symantec]
Vundo.gen.cg [McAfee]
Mal/EncPk-NB [Sophos]
Trojan:Win32/Trabin!rts [Microsoft]
Trojan.Peed [Ikarus]
Win-Trojan/Xema.variant [AhnLab]
packed with PE-Crypt.CF [Kaspersky Lab]
-----------------------------------------------------------
Similar cases referencing the same root malware:
http://www.threatexpert.com/report.aspx?md5=c6b7fc243b0c298388bbf24ec85574a4
http://www.threatexpert.com/report.aspx?md5=ba7010c0ee3832b7ff4f1fe759b7b44e

NETWORK ACTIVITIES:
In the code there are attempts to establish connections with the following remote hosts.
--------------------------------
Remote Host Port Number
---------------------------------
173.252.216.29 80
96.44.133.98 80
---------------------------------
(GET) HTTP/1.1
---------------------------------
1. hxxp://www.aikest.com/reg.asp?a=5331 (cracked)
2. hxxp://www.chuangqilm.com/iclk/?zoneid=7887&uid=5331
3. (uncracked URL....)
4. (uncracked URL....)
5. (uncracked URL....)

-----------------------------------------------------------
ANALYZED BY ZERODAY JAPAN http://0day.jp
IN OPERATION CLEAN JAPAN #OCJP-003
http://unixfreaxjp.blogspot.com
BY HENDRIK ADRIAN (VT/Twitter: @unixfreaxjp )