A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #29308  by Xylitol
 Sat Oct 01, 2016 1:47 pm
Found on a public ftp, almost in all dirs.
https://www.virustotal.com/en/file/8071 ... 475327873/
Calling stafftest[.]ru/test.html
The sample is also referenced here https://www.guardicore.com/2016/06/the- ... -campaign/
Rest of IoC from articles in attachment.
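A defensive check for the propagation pattern described in this post (the same screensaver dropped into nearly every directory of a public FTP/NAS share), added here as an example and not part of the original thread. The file names come from the thread; the sample tree and payload are constructed stand-ins, and the detection walks a local mount of the share rather than the FTP service itself.

```python
import hashlib
import os
import tempfile
from collections import defaultdict

# File names the thread reports being dropped into shared directories (matched case-insensitively).
SUSPECT_NAMES = {"photo.scr", "img001.scr"}
# Constructed stand-in for the dropper body; not real malware.
PAYLOAD = b"MZ-placeholder: constructed sample, not the real dropper"

def sha256_of(path):
    """Return the SHA-256 hex digest of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def scan_share(root):
    """Walk a mounted share; return (hits, spread) where hits is a list of
    (path, sha256) and spread maps each digest to the number of distinct
    directories holding it (the "same file in almost every dir" pattern)."""
    hits, spread = [], defaultdict(set)
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() in SUSPECT_NAMES:
                path = os.path.join(dirpath, name)
                digest = sha256_of(path)
                hits.append((path, digest))
                spread[digest].add(dirpath)
    return hits, {d: len(dirs) for d, dirs in spread.items()}

def build_sample_share():
    """Create a constructed sample tree mimicking the infected-share layout."""
    root = tempfile.mkdtemp(prefix="nas_share_")
    for sub, name in (("Family", "Photo.scr"), ("Family/2016", "Photo.scr"),
                      ("Public", "photo.scr"), ("Public/Docs", "PHOTO.SCR")):
        os.makedirs(os.path.join(root, sub), exist_ok=True)
        with open(os.path.join(root, sub, name), "wb") as f:
            f.write(PAYLOAD)
    # A differently named screensaver must not be flagged by name alone.
    with open(os.path.join(root, "Public", "aquarium.scr"), "wb") as f:
        f.write(b"benign")
    return root

if __name__ == "__main__":
    hits, spread = scan_share(build_sample_share())
    for path, digest in hits:
        print(digest[:16], path)
    print({d[:16]: n for d, n in spread.items()})
```

On a real share, compare the reported digests against the hashes from the VirusTotal and vxvault links in this thread; a single digest present in most directories is the signal to act on.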
 #30283  by Xylitol
 Thu Apr 27, 2017 11:28 am
Cryptomining malware on NAS servers ~ https://www.sophos.com/en-us/medialibra ... ervers.pdf
again photo.scr_ver24B - https://www.virustotal.com/en/file/8071 ... 493291485/
in the wild (public ftp on a nas):
Code:
fXp://31.33.36.59/Family/Photo.scr
List of compromised hosts acting as distribution system:
Some of them are here http://vxvault.net/ViriList.php?MD5=ABA ... 6C75F64F05

Stats from moneropool:
Code:
Address: 4Aa3TcU7ixMVcYwbsw8ENVbFwt4ZuqrNBVij5TRvPCTpGRK5BKBHQPu7ahT7z2A6547a5Lcn7yPZV1xU22ZbviqxUX7JVuP
Pending Balance: 0.348651439571 XMR
Total Paid: 2897.300000000000 XMR (right now meaning around 62k $, ~47.51566205 BTC)
Last Share Submitted: less than a minute ago
Hash Rate: 17.90 KH/sec
Total Hashes Submitted: 582976789534