A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #6857  by EP_X0FF
 Sat Jun 18, 2011 12:49 pm
Comes with a Remote Desktop plugin, funny part of this. Below is the Total Commander config data. The funny part is that this TC was used on the botmaster's computer when he created this package.

Hello, Владелец!
[MkDirHistory]
0=tcmd
1=fiesta
2=!data
3=msvcrt
4=config
5=cfg
6=builder-config
7=wtf
8=Stub
9=new
10=!source
11=cryptor
12=fucckc
13=v0.31b
14=main-admin-panel v1.0.564
15=formgrabber-admin-panel v1.0.382
16=tools
17=upload
18=scripts
19=!
20=MS Win

[Selection]
0=*.sln
1=*.c;*.cpp;*.h;*.hpp
2=socks5.dll
3=packer.exe
4=*.*

[RenameTemplates]
0=[N]
1=[N]__fuckoff__
2=bt_[N]
3=[N] (No Sitekey)
4=[C]-[N]
5=page-[C]
6=day40 ([C])
7=HCube Theme - Page [C]
8=File[C]
9=Archive_[YMD]
10=[=audioinfo.Artist] - [=audioinfo.Title]
11=[=tc.fullname]_[="v"tc.versionstring]

[RenameSearchFind]
0=myrundll32
1=51
2=logger
3=ie
4=template_win32
5=template_win32.cpp
6=iframer
7=exception
8=byteconv
9=ffhookdll
10=_
11=ff
12=knocker
13=serv
14=test
15=Socks5
16=.exe
17=ffhook
18=droppersect
19=Block All

[Command line history]
0=cmd
1=notepad
2=mspaint

[DirMenu]
[SearchName]
0=*.rar

[SearchIn]
0=\\VBOXSVR\Input\

[Buttonbar]
Buttonheight=21
FlatIcons=1
SmallIcons=1
SmallIconSize=28
XPstyle=1

[RightHistory]
0=c:\
1=c:\RestorePoin\
2=c:\Windows\System32\
3=c:\Windows\
4=c:\Program Files (x86)\Mozilla Firefox\
5=c:\Program Files (x86)\
6=c:\Program Files (x86)\Internet Explorer\
7=c:\Program Files\
8=c:\Program Files\Internet Explorer\
9=c:\Data\
10=c:\Documents and Settings\
11=c:\Documents and Settings\Владелец\Рабочий стол\
12=c:\Documents and Settings\Владелец\
13=c:\Documents and Settings\WinStaAccount\
14=c:\Users\

[LeftHistory]
0=c:\
1=\\VBOXSVR\Input\
2=\\VBOXSVR\Input\ffhookdlld.rar/
3=::{208D2C60-3AEA-1069-A2D7-08002B30309D}|\\Сетевое окружение\
4=::{208D2C60-3AEA-1069-A2D7-08002B30309D}\
5=C:\ProgramData\

Yes, of course this TC is totally pirated :) Registered to Lili Shen from China.
 #6858  by EP_X0FF
 Sat Jun 18, 2011 1:37 pm
spySpreader directs to some URL with obfuscated JavaScript.

See attach for both original and deobfuscated.

Java crap attached also.

Exploit PDF and the payload extracted from it attached.

Whoever wants to play with the Blackhole Exploit Kit, here is the direct link: hxxp://facebook-vote.com/forum.php?tp=ed402b19f555ec1d
Attachments
pass: malware
(33.6 KiB) Downloaded 53 times
pass: malware
(9.72 KiB) Downloaded 56 times
obfuscated and deobfuscated
(16.58 KiB) Downloaded 53 times
 #6875  by EP_X0FF
 Mon Jun 20, 2011 2:30 am
v1.3.x

Gates:
hxxp://www.primaryconnectserver.org/server/gate.php;30
hxxp://www.erfotofreefactory.co.cc/freeware/gate.php;90
hxxp://www.primaryconnectserver.com/user/gate.php;40
hxxp://www.dfjhjhfdsfsvcv.co.cc/dafdwwe24wwrf/gate.php;50
hxxp://www.cossusffsfecvdsions.com/uddaser/gate.php;90
hxxp://www.sdsfe3rrsdfe33.co.cc/dsasdasdrf/gate.php;90
hxxp://www.dfjrer42wqaa.co.cc/dsffdsfdrf/gate.php;90
hxxp://www.aaasdaweawdscawwrg.co.cc/dsdsdfaawwrf/gate.php;90
http://www.virustotal.com/file-scan/rep ... 1308532072
Attachments
pass: malware
(127.04 KiB) Downloaded 47 times
pass: FEDA7534E2C3725954CEC9228912738E
(5.13 KiB) Downloaded 49 times
 #6888  by EP_X0FF
 Mon Jun 20, 2011 11:44 am
gritland wrote: http://www.virustotal.com/file-scan/report.html?id=6dede3dd678a0efaf4c78164552c61e7d13557448027bf13e2817770f2d9838a-1308569007
Dumped from sandbox. Used SEH in entry point.
PECompact->VB Crypter->UPX

Unpacked in attach.

Gates:
hxxp://yxatotato.com/gemoroi/gate.php;300
hxxp://lespilil.ru/beGav0rhpz/error404.php;300
hxxp://lespililivodkypili.ru/mybt/hz/gate.php;300
Attachments
pass: 5EFA5CDED661CA2D6DFFE677FD58C01F
(78.25 KiB) Downloaded 53 times
pass: malware
(183.67 KiB) Downloaded 50 times
 #6893  by EP_X0FF
 Mon Jun 20, 2011 10:17 pm
http://www.virustotal.com/file-scan/report.html?id=69d563e4ac813278ed6df59331ff268e6d1e7377f9446fbe9469863adb7598bb-1308596413
Gates:
hxxp://www.bongabonsalesoncon.co.tv/ga/gaweba.php;90
hxxp://www.bongabonsalesoncon200.co.tv/ga/gaweba.php;90
hxxp://www.bongabonsalesoncon400.co.tv/ga/gaweba.php;90
http://www.virustotal.com/file-scan/report.html?id=37da0b41013173b85e41787b847071fe19cbd92591c430b9d6e0cc7861fc1549-1308596825
Gates:
hxxp://host-checkker.net/ASdhgas6d/sdhgas/yrgdate13.php;350
hxxp://befirstchild.net/bFeIN_L/50x.html.php;350
hxxp://nofrostengland.com/hYtgfE/dgTrfdbbbf.php;350
Attachments
pass: 9B24636E1BB55960CF9B8F04A905FE96
(79.7 KiB) Downloaded 47 times
pass: 9DBE0B70BC77CE2D944BD57D5551517A
(5.23 KiB) Downloaded 48 times
 #6905  by EP_X0FF
 Wed Jun 22, 2011 12:58 pm
v1.3.x

Gates:
hxxp://www.mobilupdateonline.org/new/gate.php;20
hxxp://www.blird.co.cc/form/gate.php;20
hxxp://www.koksin.co.cc/ssh/gate.php;20
hxxp://www.sergun9.co.cc/pop/gate.php;20
Pass for decrypted config: ABF7345A504CB6AB9C9FCFB3DCEF6973

All in attach (dropper, unpacked dropper, decrypted config).
Attachments
pass: malware
(211.16 KiB) Downloaded 53 times