uCares wrote:Some CP from provided samples :Too bad they patched the SQL injection yesterday.Code: Select all198.52.160.45/gate.php 654andro.net/phase/gate.php avastsupport.net/secure/gate.php blog.l0c4lh0st.pw/dhrgbv/mysql.php blog.l0c4lh0st.pw/kjvg/gate.php bz-bz.bz/3Vg6G4ULcCzAbbbdnXZLXjdw3QzamGkNCVV/gate.php ekhge35uf5.pw/pae/gate.php fedren.com/json/json.php i8xyz5tkuf.pw/pae/gate.php jbcompany.org/gate.php jrat.se/hemliga/porten.php ngdata.org/gate.php nortoncenter.net/secure/gate.php phasesupport.com/pos/gate.php ptah.vdsinside.com/dhrgbv/mysql.php ptah.vdsinside.com/kjvg/gate.php skoja.ru/hemliga/porten.php telemetric.pw/Vp845Z5SapkLjURRmEGaaR8Sv4vDSRHjSy/gate.php vcv.no-ip.biz/gate.php wutudo.su/hemliga/porten.php yadruw.com/json/json.php
A forum for reverse engineering, OS internals and malware analysis
MalwareTech wrote:Too bad they patched the SQL injection yesterday.It seems you have a vendetta against this particular Turd'ware :D
TheExecuter wrote:Well, SQL injection + plaintext password, how can i say no?MalwareTech wrote:Too bad they patched the SQL injection yesterday.It seems you have a vendetta against this particular Turd'ware :D
uCares wrote:Some CP from provided samples :Code: Select all198.52.160.45/gate.php 654andro.net/phase/gate.php avastsupport.net/secure/gate.php blog.l0c4lh0st.pw/dhrgbv/mysql.php blog.l0c4lh0st.pw/kjvg/gate.php bz-bz.bz/3Vg6G4ULcCzAbbbdnXZLXjdw3QzamGkNCVV/gate.php ekhge35uf5.pw/pae/gate.php fedren.com/json/json.php i8xyz5tkuf.pw/pae/gate.php jbcompany.org/gate.php jrat.se/hemliga/porten.php ngdata.org/gate.php nortoncenter.net/secure/gate.php phasesupport.com/pos/gate.php ptah.vdsinside.com/dhrgbv/mysql.php ptah.vdsinside.com/kjvg/gate.php skoja.ru/hemliga/porten.php telemetric.pw/Vp845Z5SapkLjURRmEGaaR8Sv4vDSRHjSy/gate.php vcv.no-ip.biz/gate.php wutudo.su/hemliga/porten.php yadruw.com/json/json.php
:shock: very surprised how you got the cp url from the bins. i tried hexing but didn't see it ( am not as expert as you guys, still learning )
care share practical steps ?
Vult wrote: :shock: very surprised how you got the cp url from the bins. i tried hexing but didn't see it ( am not as expert as you guys, still learning )Extracted from process memory (in these cases explorer.exe) during dynamic analysis
care share practical steps ?
Vult wrote:i tried hexingif you come just for that then you're not welcome here.
Also a simple cuckoo should do the tricks to get gate urls, in attach, php page from the ram scrapper plugin.
Attachments
infected
(6.14 KiB) Downloaded 90 times
(6.14 KiB) Downloaded 90 times
Xylitol wrote:not just for that buddy. but to learn real reversing.Vult wrote:i tried hexingif you come just for that then you're not welcome here.
Also a simple cuckoo should do the tricks to get gate urls, in attach, php page from the ram scrapper plugin.
For anyone (like me) wondering where the graphic interface (pretty nice) of the Command & Control come from:
http://themeforest.net/item/proton-ui-r ... me/6240793
The code of the malware is a copypaste, .htaccess is a copypaste, the code of the C&C is a copypaste, the graphic of the C&C is a copypaste...
WELL DONE HA(FU)CKERS-WANNA-BE!
http://themeforest.net/item/proton-ui-r ... me/6240793
The code of the malware is a copypaste, .htaccess is a copypaste, the code of the C&C is a copypaste, the graphic of the C&C is a copypaste...
WELL DONE HA(FU)CKERS-WANNA-BE!
Just for comedy section purpose:
Breaking news! TrendMicro found Phase!
Without a Trace: Fileless Malware Spotted in the Wild
http://blog.trendmicro.com/trendlabs-se ... -the-wild/
It seems corporate firewall in TrendMicro banned Google as well as Bing/Yahoo.
Breaking news! TrendMicro found Phase!
Without a Trace: Fileless Malware Spotted in the Wild
http://blog.trendmicro.com/trendlabs-se ... -the-wild/
It seems corporate firewall in TrendMicro banned Google as well as Bing/Yahoo.
Ring0 - the source of inspiration
