Cheshire Cat | Windows NT dusty malware?

#26470 by Snakebyte
Sun Aug 09, 2015 1:45 am

Windows NT samples from defon talk today:
https://www.defcon.org/html/defcon-23/d ... quis-Boire

Standard password

Attachments

samples.7z

(90.38 KiB) Downloaded 82 times

Username

Snakebyte

Posts

12

Joined

Tue Oct 07, 2014 9:33 am

Re: Cheshire Cat | Windows NT dusty malware?

#26490 by Artilllerie
Mon Aug 10, 2015 10:34 am

Many things in the dll package :

Username

Artilllerie

Posts

25

Joined

Thu Dec 13, 2012 11:32 am

Re: Cheshire Cat | Windows NT dusty malware?

#26491 by R136a1
Mon Aug 10, 2015 4:35 pm

List of extracted domain names:

Code: Select all

www.divextreme-ar.com
www.crazy-jump.com
www.dive-extreme.com
www.tandemskydive-ar.com
www.groupdive.com
www.skydivelessons.com
www.bungee4you-br.com
www.brazil-crazybungee.com
www.bungeejumping-br.com
www.groupbungee-br.com

www.divextreme-au.com
www.crazyjump-uy.com
www.stuntjumps.com
www.tandemskydive-au.com
www.groupdive-au.com
www.au-skydivelessons.com
www.bungee4you-uy.com
www.uruguay-crazybungee.com
www.bungeejumping-uy.com
www.groupbungee-uy.com

www.circlesofourlives-ir.com
www.clickflowers-hk.com
www.cropcirclestours.com
www.irelancropcircles.com
www.ir-cool.com
www.magnificentcircles.com
www.china-flowershop.com
www.hongkong-bouquets.com
www.beautifuldaisies.com
www.rosesinchina.com

Last block explains why Kaspersky calls this malware "Flowershop". If you hurry up you can set up some sinkholes...

Malware Reversing
http://www.malware-reversing.com

Username

R136a1

Rank

Forum Admin

Posts

272

Joined

Wed Jul 13, 2011 4:30 pm

Location

Netherlands

Re: Cheshire Cat | Windows NT dusty malware?

#26507 by Snakebyte
Thu Aug 13, 2015 8:10 am

Did Kaspersky do a writeup on this?

Username

Snakebyte

Posts

12

Joined

Tue Oct 07, 2014 9:33 am

Re: Cheshire Cat | Windows NT dusty malware?

#26511 by Artilllerie
Fri Aug 14, 2015 8:47 am

Don't find anything about It on "kaspersky.com" domains, It's seem they don't cover a specifical report for this malware yet with Flowershop as name.

Username

Artilllerie

Posts

25

Joined

Thu Dec 13, 2012 11:32 am

Re: Cheshire Cat | Windows NT dusty malware?

#26514 by RedFrank
Fri Aug 14, 2015 12:35 pm

Nearly no activity on these C2s in the US. Any targeting information?

Username

RedFrank

Posts

1

Joined

Fri Nov 14, 2014 6:52 pm

Re: Cheshire Cat | Windows NT dusty malware?

#26521 by R136a1
Sat Aug 15, 2015 11:01 am

No, there is no paper or article by Kaspersky about this threat. I was referring to the signature of the samples.

Malware Reversing
http://www.malware-reversing.com

Username

R136a1

Rank

Forum Admin

Posts

272

Joined

Wed Jul 13, 2011 4:30 pm

Location

Netherlands

Re: Cheshire Cat | Windows NT dusty malware?

#26541 by dhuss
Mon Aug 17, 2015 9:06 pm

Some more domains in the attached sample

Code: Select all

www.holidayapartments4you.com
www.euro-rafting.com
www.holidayapartments-Paris.com
www.paris-holidayapartments.com
www.franceholidayapartments.com
www.apartmentsin-paris.com
www.raftingholiday.com
www.eurorafting-tr.com
www.turkeyextremerafting.com
www.raftingtours-turkey.com

Attachments

fa1e5eec39910a34ede1c4351ccecec8.7z

pwd: infected
(66.92 KiB) Downloaded 47 times

Username

dhuss

Posts

7

Joined

Mon Apr 14, 2014 4:17 pm