Adware/AdSafe

#25954 by 275751198
Sat May 30, 2015 3:15 pm

http://blogs.360.cn/blog/cloud-life/
https://translate.google.com/translate? ... loud-life/

Desktop.part1.rar

(1000 KiB) Downloaded 83 times

Desktop.part2.rar

(1000 KiB) Downloaded 69 times

Desktop.part3.rar

(1000 KiB) Downloaded 76 times

all sample collected by hx1997 . thanks

Username

275751198

Posts

16

Joined

Mon Jul 22, 2013 1:15 pm

Re: living in the world

#25957 by Xylitol
Sun May 31, 2015 2:17 am

part4 is missing, can't extract.
https://www.virustotal.com/en/file/d016 ... 433088628/
https://www.virustotal.com/en/file/23a0 ... 433088642/
https://www.virustotal.com/en/file/be6c ... 433088686/
https://www.virustotal.com/en/file/fb12 ... 433088731/

Registration Problems and FAQ - Rules For Malware Requests

Username

Xylitol

Rank

Global Moderator

Posts

1706

Joined

Sat Apr 10, 2010 5:54 pm

Location

Seireitei, Soul Society

Contact

Re: living in the world

#25958 by hx1997
Sun May 31, 2015 2:47 am

Part4 attached.

Attachments

Desktop.part4.rar

infected
(462.25 KiB) Downloaded 72 times

Username

hx1997

Posts

101

Joined

Sat Apr 07, 2012 12:16 am

Re: living in the world

#25961 by patriq
Sun May 31, 2015 4:52 pm

hxxp://so.lyehk .com/so.txt - contains text url of jpg:

hxxp://so.lyehk .com/123.jpg

123.jpg (744.22 KiB) Viewed 746 times

she has something hidden in those huge tits...

jpg has 'MZ' (0x4D, 0x5A) magic header at offset 0xE0DE

extract...

dd skip=57566 count=704511 if=123.jpg of=123.exe bs=1

IMAGE_FILE_DLL = 0x2000 (dll not PE exe)
Time Date Stamp = 2015/5/31

attached

(VT 15/56)
https://www.virustotal.com/en/file/2515 ... 433090514/

Attachments

cloud-life.zip

(645.04 KiB) Downloaded 62 times

Username

patriq

Posts

109

Joined

Fri Jun 28, 2013 8:11 pm

Re: living in the world

#25964 by Xylitol
Sun May 31, 2015 6:21 pm

142734eg5yntyabgf6yln6.dll (F3546FDE0E5E87F1176BA40790F6CCDE, payload discussed on blogs.360.cn)

Code: Select all

- hxtp://so.lyehk.com/kan.txt
- hxtp://so.lyehk.com/aaa/ (?!)

17CFB530DD79E69DDAF54D37F9F39252 (payload extracted by patriq)

Code: Select all

- hxtp://dlsw.br.baidu.com/ditui/zujian/bdBrowserSetup-5957-ftn_1050103329.exe
- hxtp://dlsw.br.baidu.com/ditui/zujian/BaiduSd.Setup.3.0.0.4611.youqian_1050103329.exe
- hxtp://www.xz9u.com/my_3_24_yy.exe
- hxtp://hao123.yndcj.com
- hxtp://dlied6.qq.com/invc/qqpcmgr/qudao/qqpcmgr_v10.8.16208.227_8881170_Silence.exe
- hxtp://dlsw.br.baidu.com/ditui/zujian/BaiduAn.Setup.0508.4.0.0.8000_1050103329.exe
- hxtp://down.hanhan521.com/Pack/xun_1086.exe
- hxtp://dlsw.br.baidu.com/ditui/zujian/BaiduPinyinSetup_2.13.3.00_sw-0000025962.exe
- hxtp://92935.vhost73.cloudvhost.net/99/test.asp?number=
- hxtp://92935.vhost73.cloudvhost.net/99/test.txt (?!)

https://www.virustotal.com/en/domain/so ... formation/
--
aa1d52710fde3081830b9219edc6e3e4f78c3695ec6c64ea0a66dc0db726148e

Code: Select all

- hxtp://so.lyehk.com/kan.txt
- hxtp://yunpan.cn/cVSSJgNW9jeJX
- hxtp://yunpan.cn/cKDnDDuM6Tpk5
- hxtp://so.lyehk.com/asp/mail.asp?qqnumber=
- hxtp://yunpan.cn/cVSPXc8R7CmNm
- hxtp://xmp.down.sandai.net/kankan/OnlineInstaller-VZdidas9.exe
- hxtp://9862d3.l26.yunpan.cn/share/verifyPassword?linkpassword=291f&shorturl=cjnuYwpsbX8vv
- hxtp://cache.yyupload.com/down/1932865/dongfang_7654_29738_t1_29738.exe
- hxtp://dlsw.br.baidu.com/ditui/zujian/BaiduSd.Setup.3.0.0.4611.youqian_1000025962.exe
- hxtp://cache.yyupload.com/down/1932865/sysdiag-c109_29738.exe
- hxtp://yunpan.cn/cjnuYwpsbX8vv
- hxtp://cache.yyupload.com/down/1932865/setup_kt7654_29738.exe
- hxtp://dlsw.br.baidu.com/ditui/zujian/BaiduAn.Setup.0508.4.0.0.8000_1000025962.exe
- hxtp://dlsw.br.baidu.com/ditui/zujian/bdBrowserSetup-7351-ftn_1000025962.exe
- hxtp://yunpan.cn/cjnuWRiwpEqm8
- hxtp://yunpan.cn/cKNrpCtFif53A
- hxtp://dlsw.br.baidu.com/ditui/zujian/BaiduPinyinSetup_2.13.3.00_sw-0000025962.exe
- hxtp://yunpan.cn/cAwI52HEWZvJu
- hxtp://so.lyehk.com/php/mail.asp?qqnumber=

--
2897cd4a8d018ecce88c97d298f0e3d85ed4feff793437c030f8922b27168429

Code: Select all

- hxtp://vod.xunlei.com/
- hxtp://so.lyehk.com/xunlei.txt
- hxtp://www.btup.net/s/

Attachments

2897cd4a8d018ecce88c97d298f0e3d85ed4feff793437c030f8922b27168429.zip

infected
(609.46 KiB) Downloaded 53 times

aa1d52710fde3081830b9219edc6e3e4f78c3695ec6c64ea0a66dc0db726148e.zip

infected
(114.67 KiB) Downloaded 46 times

test.txt.zip

(3.65 KiB) Downloaded 40 times

Registration Problems and FAQ - Rules For Malware Requests

Username

Xylitol

Rank

Global Moderator

Posts

1706

Joined

Sat Apr 10, 2010 5:54 pm

Location

Seireitei, Soul Society

Contact

Re: living in the world

#25998 by 275751198
Thu Jun 04, 2015 12:23 am

hx1997 wrote:Part4 attached.

BBS doesn't allow me to send more than 3 attachment :| :|

Username

275751198

Posts

16

Joined

Mon Jul 22, 2013 1:15 pm

Re: Adware/AdSafe

#26025 by Xylitol
Mon Jun 08, 2015 6:01 pm

http://vxvault.net/ViriList.php?MD5=B82 ... 4FE65DAF53
a0b6bc1b010496e79b0631af70617d46b7fdaff1000591cba24171d217b41caf
651b2a321f783f85b72bd869011860d0ed26fa3a559f39499e5c1b3922c85254

Code: Select all

- http://www.winimage.com/zLibDll
- http://so.lyehk.com/yan3.txt
- http://so.lyehk.com/a1.txt
- http://so.lyehk.com/abc.txt
- http://so.lyehk.com/so.txt
- http://so.qq00.cc/so.txt
- http://so.qq00.cc/yan3.txt
- http://so.lyehk.com/123.jpg

0x402B06 regarding web communication on the installer
0x407227 on P2PSearcher2.1.exe (main interest file)