5 samples:
73ff24994746a90644c6961650c920b8fd502b2c
b8ccba69e0e7693661c789d4199a507550f94a2f
a7a7a22d778745bd7063e76aea185a7f4c156622
b2eeda85c8da204b349247ded3e152bc45cddcd6
182188d63eeab56ab390a1f80c218f8c5760ee58
p4r4n0id
A forum for reverse engineering, OS internals and malware analysis
Attachments
pwd: infected
(1.18 MiB) Downloaded 97 times
(1.18 MiB) Downloaded 97 times
Keep Low. Move Fast. Kill First. Die Last. One Shot. One Kill. No Luck. Pure Skill.
http://p4r4n0id.com/
http://p4r4n0id.com/
Config ? I hear there is one but I have not seen.
It is like sasquatch ?
http://en.wikipedia.org/wiki/Bigfoot
It is like sasquatch ?
http://en.wikipedia.org/wiki/Bigfoot
Yes there is a configuration for the bot, where there are specified C&C server(s), details to reach webinjects and the name of the botnet.
Soon I'll release more information about :)
Soon I'll release more information about :)
p4r4n0id wrote:5 samples:FYI - malwr.com shows that these samples all talk to same C&C
73ff24994746a90644c6961650c920b8fd502b2c
b8ccba69e0e7693661c789d4199a507550f94a2f
a7a7a22d778745bd7063e76aea185a7f4c156622
b2eeda85c8da204b349247ded3e152bc45cddcd6
182188d63eeab56ab390a1f80c218f8c5760ee58
p4r4n0id
random (sub)domains like this..
ny81mzh6fke1bs1wk.jipheuyi.su
9azuw1f1cnkw5k.www5.aithiego.su
bzexb9vbetf4.ohtheigh.cc
all resolve to the same IP:
208.91.197.54 (CN)
more static analysis:
https://malwr.com/analysis/YTE5YTllOTc0 ... hjNzA3Y2M/
https://malwr.com/analysis/ZmFiNjg4ODI0 ... Q0NTllNTc/
https://malwr.com/analysis/ODBkNmYxNDA4 ... JhMzNlMTE/
https://malwr.com/analysis/MTE5ZDkzMzUw ... k2NGUxOTA/
https://malwr.com/analysis/YWZjYzJmZGQz ... EwMGY4MGI/
forty-six wrote:& C2 = down :cry:what do you mean down?
nmap -v -v -n -F -PN -P0 -sS 208.91.197.54
Code: Select all
Starting Nmap 5.21 ( http://nmap.org ) at 2013-10-04 10:33 EDT
Initiating SYN Stealth Scan at 10:33
Scanning 208.91.197.54 [100 ports]
Discovered open port 53/tcp on 208.91.197.54
Discovered open port 80/tcp on 208.91.197.54
Completed SYN Stealth Scan at 10:33, 5.23s elapsed (100 total ports)
Nmap scan report for 208.91.197.54
Host is up (0.087s latency).
Scanned at 2013-10-04 10:33:54 EDT for 5s
Not shown: 98 filtered ports
PORT STATE SERVICE
53/tcp open domain
80/tcp open httpbut it is redirecting browser requests to hxxp://searchtermresults.com/
patriq wrote:C2 is httpsforty-six wrote:& C2 = down :cry:what do you mean down?
nmap -v -v -n -F -PN -P0 -sS 208.91.197.54
Code: Select allStarting Nmap 5.21 ( http://nmap.org ) at 2013-10-04 10:33 EDT Initiating SYN Stealth Scan at 10:33 Scanning 208.91.197.54 [100 ports] Discovered open port 53/tcp on 208.91.197.54 Discovered open port 80/tcp on 208.91.197.54 Completed SYN Stealth Scan at 10:33, 5.23s elapsed (100 total ports) Nmap scan report for 208.91.197.54 Host is up (0.087s latency). Scanned at 2013-10-04 10:33:54 EDT for 5s Not shown: 98 filtered ports PORT STATE SERVICE 53/tcp open domain 80/tcp open http
but it is redirecting browser requests to hxxp://searchtermresults.com/
First episode of my coauthored article on Caphaw:
http://quequero.org/2013/10/caphaw-shyl ... is-part-1/
Regards
http://quequero.org/2013/10/caphaw-shyl ... is-part-1/
Regards
Nice writeup.
File: about.exe
Size: 320512
MD5: 268356F56503099CB65F41C73E0EE624
Compiled Date: Tue, Oct 8 2013, 9:48:43 - 32 Bit EXE
File: about.exe
Size: 320512
MD5: 268356F56503099CB65F41C73E0EE624
Compiled Date: Tue, Oct 8 2013, 9:48:43 - 32 Bit EXE
Code: Select all
hxxps://eewuiwiu.cc/ping.html
hxxps://xigizubu.cc/ping.html
hxxps://eilahcha.cc/ping.html
hxxps://fey.su/ping.html
hxxps://exy.su/ping.html
Attachments
(214.66 KiB) Downloaded 99 times