A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #17190  by bsteo
 Sat Dec 15, 2012 9:06 am
Xylitol wrote: If someone knows an alive C&C for Dexter, I can try to hack it.
11e2540739d7fbea1ab8f9aa7a107648.com 173.255.196.136
7186343a80c6fa32811804d23765cda4.com 173.255.196.136
e7dce8e4671f8f03a040d08bb08ec07a.com 173.255.196.136
e7bc2d0fceee1bdfd691a80c783173b4.com 173.255.196.136
815ad1c058df1b7ba9c0998e2aa8a7b4.com 173.255.196.136
67b3dba8bc6778101892eb77249db32e.com 176.31.62.78 176.31.62.77
fabcaa97871555b68aa095335975e613.com 50.116.41.199

From the binary, the panel should be at: /portal1/gateway.php

Hmm, wanted to PM Xylitol but "We are sorry, but you are not authorised to use this feature. You may have just registered here and may need to participate more to be able to use this feature." :)
I'll PM you in another forum.
 #17203  by Xylitol
 Sat Dec 15, 2012 4:28 pm
For mm_bot.exe I have this (home made, not from the malware server), still not tested
Code:
<?php
// Homemade test gateway: the "data" query parameter is only logged once the
// operator has authenticated with the form below.
// On the first request there is no "data" yet, so default it to an empty string.
$data = isset($_GET['data']) ? $_GET['data'] : '';
?>
<html>
<head>
<title>Xylitol work</title>
<meta name="author" content="EpicOut&H3R05"/>
<meta name="infos" content="The game"/>
<style media="screen" type="text/css">
body 
{
background:black;
color:red;
font-family:arial;
}
#auth
{
width:50%;
margin:auto;
padding:15px;
}
#auth h1,h4
{
text-align:center;
}
#auth input
{
background:black;
color:red;
border-radius:5px;
border-style:dashed;
display:block;
margin:auto;
padding:5px;
}
</style>
</head>
<body>
<div id="auth">
<h1>Your ID</h1>
<h4><i>(You need to have an id to view this content)</i></h4>
<!-- Carry "data" through the POST as a query string (the original appended it
     straight onto "index.php"), URL-encoded and attribute-escaped. -->
<form method="POST" action="index.php?data=<?php echo htmlspecialchars(urlencode($data), ENT_QUOTES, 'UTF-8'); ?>">
<input type="password" name="id"/>
</form>
</div>
</body>
</html>
<?php
// The form field is named "id", so check $_POST['id'] (the original read
// $_POST['password'], which never matched), and compare strictly.
if (isset($_POST['id']) && $_POST['id'] === "imaboss") {
    // Escape before echoing so a logged value cannot inject HTML into this page.
    echo htmlspecialchars($data, ENT_QUOTES, 'UTF-8') . ' a bien ete enregistre <br/>';
    // The original was missing the "." concatenation operator before "\n".
    file_put_contents("data.txt", $data . "\n", FILE_APPEND);
}
?>
As for Dexter, I've sent you a PM :)
 #17302  by Xylitol
 Thu Dec 20, 2012 1:11 pm
Various files from http://usa.visa.com/download/merchants/ ... 110609.pdf
Some are clean, some not.
Attachments
infected
(843.29 KiB) Downloaded 173 times
infected
(1.67 MiB) Downloaded 156 times
infected
(1.43 MiB) Downloaded 156 times
infected
(1.59 MiB) Downloaded 156 times
infected
(1.68 MiB) Downloaded 157 times
infected
(1.68 MiB) Downloaded 158 times
infected
(1.13 MiB) Downloaded 156 times
infected
(1.75 MiB) Downloaded 160 times
infected
(1.19 MiB) Downloaded 160 times
infected
(961.05 KiB) Downloaded 174 times
 #17339  by Xylitol
 Sat Dec 22, 2012 11:18 am
Some files from http://usa.visa.com/download/merchants/ ... memory.pdf
But nothing really interesting at all.

Another PDF, but again it seems not really interesting: http://usa.visa.com/download/merchants/ ... are_ip.pdf
Anyway, if you want files, tell me and I will post them here when I have time.
Attachments
infected
(1.22 MiB) Downloaded 155 times
 #17352  by bsteo
 Sat Dec 22, 2012 7:48 pm
dnsmgr.exe is just a Perl script that searches with regex for track1 and track2 data and is "compiled" with Perl2exe, attached below.
Attachments
password "infected"
(1.36 KiB) Downloaded 155 times
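As an added, defender-side example (not part of bsteo's post and not the attached Perl script): the same Track 1 / Track 2 patterns the scraper looks for can be used to assess exposure, e.g. to check whether a captured exfiltration file or a memory dump actually contains card data. The block below scans a constructed byte blob, Luhn-checks each PAN to drop false positives, and masks the PAN in its report so the output itself does not contain full card numbers. The regexes, the sample blob and the 4111... test number are assumptions made for this example.

```python
import re

# Track 1 (format B): %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
TRACK1_RE = re.compile(r"%B(\d{13,19})\^([A-Z .'/-]{2,26})\^(\d{4})(\d{3})([^?]{0,40})\?")
# Track 2: ;<PAN>=<YYMM><service code><discretionary data>?
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})(\d{3})([^?]{0,40})\?")


def luhn_valid(pan: str) -> bool:
    """Return True if the PAN passes the Luhn check-digit test."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the BIN (first 6) and last 4 digits so a report never holds a full PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track_data(blob: bytes) -> list:
    """Scan an arbitrary byte blob (memory dump, captured file) for Track 1 / Track 2
    records and return masked findings with a Luhn verdict for each PAN."""
    text = blob.decode("latin-1")   # 1:1 byte-to-char mapping, never fails on binary
    hits = []
    for track, regex in ((1, TRACK1_RE), (2, TRACK2_RE)):
        for m in regex.finditer(text):
            pan = m.group(1)
            expiry = m.group(3) if track == 1 else m.group(2)
            hits.append({
                "track": track,
                "offset": m.start(),
                "pan": mask_pan(pan),
                "expiry_yymm": expiry,
                "luhn_ok": luhn_valid(pan),
            })
    return hits


# Constructed sample (assumption): 4111111111111111 is the well-known test PAN,
# the ...1112 variant fails the Luhn check, and ";1234=5678?" is too short to be a PAN.
SAMPLE = (
    b"\x00\x01 unrelated process memory \xff\xfe\r\n"
    b"%B4111111111111111^TEST/CARD^25121010000000000?\r\n"
    b";4111111111111111=25121010000000000?\r\n"
    b";4111111111111112=25121010000000000?\r\n"
    b"log line with ;1234=5678? inside it\r\n"
)

if __name__ == "__main__":
    for hit in find_track_data(SAMPLE):
        print(hit)
```

Running the block lists three records: one Track 1 and one Track 2 hit with a valid Luhn digit, and one Track 2 hit flagged `luhn_ok: False`, which is the kind of noise a raw regex alone would count as card data.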
 #17863  by Xylitol
 Fri Jan 25, 2013 7:26 pm
Attachments
infected
(69.43 KiB) Downloaded 193 times