[TwinHeadedEagle]

As I know Desktop.ini is config file, and I need to look in it's content to find out where it refers to...

[Cassiel]

i have the file you wanted but no additional information about it.
if you find something let us know

[TwinHeadedEagle]

OK, I cleaned computer of user that opened the thread about this malware

Malware drops at following location

Code: Select all

c:\progra~2\locals~1\temp\msoppo.exe

Creating following reg key

Code: Select all

[HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run] 
"0"="c:\progra~2\locals~1\temp\msoppo.exe"

Here is the VT report

https://www.virustotal.com/en/file/21b0 ... 361372494/

Attaching sample

[Userbased]

msoppo.exe attempts to connect to the following domains:

Code: Select all

xdqzpbcgrvkj.ru 
anam0rph.su 
orzdwjtvmein.in 
ygiudewsqhct.in 
bdcrqgonzmwuehky.nl 
somicrososoft.ru

The only one that currently resolves is somicrososoft.ru, where it connects to /in.php. It is a sample of andromeda 2.06. PCAP file is attached.

[aaSSfxxx]

I think pcap traffic is a little bit useless for andromeda, since the bot traffic is encrypted (with the bot key).

The bot key is stored with url list, and I wrote some tools (in python 2) which allow to extract andromeda config from an unpacked sample and query c&c co get stuff dropped by andromeda (in attach).

I also attached unpacked andromeda sample for people who doesn't want to fight against XPXAXCXK.

Virustotal (unpacked): https://www.virustotal.com/fr/file/d37d ... /analysis/

Virustotal (msoppo.exe): https://www.virustotal.com/fr/file/21b0 ... /analysis/

[grum]

:) maybe help me code tools for brute force C&C server login and pass very fast, real try with THydra but bad and can't crack it's

i need tools code in php or asm or perl maybe python or ruby, hope all can help!

[Xylitol]

:) maybe help me code tools for brute force C&C server login and pass very fast, real try with THydra but bad and can't crack it's

i need tools code in php or asm or perl maybe python or ruby, hope all can help!

hydra can do it, you just don't know how to use it.

[360Tencent]

https://blogs.technet.com/b/mmpc/archiv ... ected=true

[grum]

THydra last and bruteforce can help?

[EP_X0FF]

THydra last and bruteforce can help?

What kind of answer do you expect?

Yes, bruteforce can do it. No, we don't do it for you - do it yourself.