A forum for reverse engineering, OS internals and malware analysis 

 #21050  by p4r4n0id
 Thu Oct 03, 2013 5:41 pm
5 samples:


p4r4n0id
Attachment (1.18 MiB), pwd: infected
 #21069  by Evilcry
 Fri Oct 04, 2013 7:45 am
Yes, there is a configuration for the bot, in which the C&C server(s), the details needed to reach the webinjects and the name of the botnet are specified.
Soon I'll release more information about it :)
 #21073  by patriq
 Fri Oct 04, 2013 1:23 pm
p4r4n0id wrote: 5 samples:

p4r4n0id
FYI - malwr.com shows that these samples all talk to the same C&C.

Random (sub)domains like this:
ny81mzh6fke1bs1wk.jipheuyi.su
9azuw1f1cnkw5k.www5.aithiego.su
bzexb9vbetf4.ohtheigh.cc

all resolve to the same IP:
208.91.197.54 (CN)

more static analysis:
https://malwr.com/analysis/YTE5YTllOTc0 ... hjNzA3Y2M/
https://malwr.com/analysis/ZmFiNjg4ODI0 ... Q0NTllNTc/
https://malwr.com/analysis/ODBkNmYxNDA4 ... JhMzNlMTE/
https://malwr.com/analysis/MTE5ZDkzMzUw ... k2NGUxOTA/
https://malwr.com/analysis/YWZjYzJmZGQz ... EwMGY4MGI/
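The pattern patriq describes, random-looking subdomains spread across several registered domains that all resolve to one address, is something a defender can flag from passive-DNS or resolver logs. The following is an added example, not code from the thread or any poster: it groups high-entropy hostnames by the answered IP and reports addresses that front more than one registered domain. The log format, the entropy threshold and the naive "last two labels" registered-domain rule are assumptions; the three hostnames and the IP are the ones quoted above, and the example.com/.net lines are constructed benign filler.

```python
import math
import re
from collections import defaultdict

# Constructed passive-DNS style log: "<timestamp> <hostname> A <ip>".
# The .su/.cc hosts and 208.91.197.54 are the indicators from the thread;
# the example.com/.net lines are benign filler (RFC 5737 test addresses).
SAMPLE_LOG = """\
2013-10-04T10:31:02 ny81mzh6fke1bs1wk.jipheuyi.su A 208.91.197.54
2013-10-04T10:31:09 www.example.com A 192.0.2.10
2013-10-04T10:31:15 9azuw1f1cnkw5k.www5.aithiego.su A 208.91.197.54
2013-10-04T10:31:20 mail.example.com A 192.0.2.10
2013-10-04T10:31:33 bzexb9vbetf4.ohtheigh.cc A 208.91.197.54
2013-10-04T10:31:40 cdn.example.net A 192.0.2.11
"""

LINE_RE = re.compile(r"^(\S+) (\S+) A (\d{1,3}(?:\.\d{1,3}){3})$")


def registered_domain(host):
    """Naive eTLD+1: the last two labels (adequate for the TLDs seen here)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def label_entropy(label):
    """Shannon entropy in bits per character of one hostname label."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_log(text):
    """Return a list of (hostname, ip) tuples from log lines matching LINE_RE."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append((m.group(2), m.group(3)))
    return records


def suspicious_ips(records, min_domains=2, min_entropy=2.8):
    """Map ip -> sorted registered domains for IPs that answer for several
    registered domains whose leftmost label looks random (high entropy)."""
    by_ip = defaultdict(set)
    for host, ip in records:
        if label_entropy(host.split(".")[0]) >= min_entropy:
            by_ip[ip].add(registered_domain(host))
    return {ip: sorted(d) for ip, d in by_ip.items() if len(d) >= min_domains}
```

Running `suspicious_ips(parse_log(SAMPLE_LOG))` reports only 208.91.197.54, with the three registered domains behind it; the www/mail/cdn hosts fall below the entropy threshold.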
 #21076  by patriq
 Fri Oct 04, 2013 2:40 pm
forty-six wrote: & C2 = down :cry:
what do you mean down?

nmap -v -v -n -F -PN -P0 -sS 208.91.197.54
Starting Nmap 5.21 ( http://nmap.org ) at 2013-10-04 10:33 EDT
Initiating SYN Stealth Scan at 10:33
Scanning 208.91.197.54 [100 ports]
Discovered open port 53/tcp on 208.91.197.54
Discovered open port 80/tcp on 208.91.197.54
Completed SYN Stealth Scan at 10:33, 5.23s elapsed (100 total ports)
Nmap scan report for 208.91.197.54
Host is up (0.087s latency).
Scanned at 2013-10-04 10:33:54 EDT for 5s
Not shown: 98 filtered ports
PORT   STATE SERVICE
53/tcp open  domain
80/tcp open  http

but it is redirecting browser requests to hxxp://searchtermresults.com/
 #21080  by forty-six
 Fri Oct 04, 2013 6:22 pm
patriq wrote:
forty-six wrote: & C2 = down :cry:
what do you mean down?
C2 is https
 #21141  by forty-six
 Wed Oct 09, 2013 8:50 pm
Nice writeup.

File: about.exe
Size: 320512
MD5: 268356F56503099CB65F41C73E0EE624
Compiled Date: Tue, Oct 8 2013, 9:48:43 - 32 Bit EXE
hxxps://eewuiwiu.cc/ping.html
hxxps://xigizubu.cc/ping.html
hxxps://eilahcha.cc/ping.html
hxxps://fey.su/ping.html
hxxps://exy.su/ping.html
Attachment (214.66 KiB)