A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
#21575 by patriq
Thu Dec 05, 2013 2:17 am
more chinese food

Gh0st RAT

C&C
cz88.net - 218.75.110.152
(almost) FUD
7f1bfbcc10576a23b800dbd15576aa55  ii9900.exe 	(bot)
c97f3c932bf6bec7cd8944a023e4f433  S667.exe 	(bot)
63ca90f97c4c45d3f03c701085afa52c  Serve.dat	(bot)

029bad7f8b61133f8ae86986d3c116bf  养鸡场.exe	(admin console)
养鸡场 = Chicken farm (LOL, bot machines are chickens)
验证器 = Validator

(bot)
ii9900.exe
https://malwr.com/analysis/YWQ1YWNlNjhj ... IyMmVmNDY/

(console)
029bad7f8b61133f8ae86986d3c116bf 养鸡场.exe
https://malwr.com/analysis/ZGY0NTFkZWYy ... VlNWQ0NGE/
a few strings:
222.186.57.100
live.fc2.com (54.244.9.216)

This is the interesting part...
qqwry.dat - config 
Have a look at the strings file pulled from the config.
Thousands of companies, organizations, universities, Gov, DoD etc., mainly in IN, PK, US.
These bad guys are searching for goodies... :twisted: