A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #18553  by EP_X0FF
 Sun Mar 17, 2013 5:23 am
Few Sirefef's with file infection feature. Payload modules + shellcode + ea code didn't changed for months.
Attachments
pass: malware
(432.42 KiB) Downloaded 106 times
 #18575  by 360Tencent
 Mon Mar 18, 2013 5:57 pm
https://www.virustotal.com/en/file/3bd2 ... 363628669/ (1/45)
infected
(161.08 KiB) Downloaded 78 times
complete story here

http://www.invincea.com/2013/03/k-i-a-d ... -invincea/

sweet orange exploit kit

ZeroAccess,Fareit/Pony PWS,FakeAV, Smoke bot...

3 files download from link above (not Zeroaccess)
infected
(501.66 KiB) Downloaded 74 times
 #18582  by EP_X0FF
 Tue Mar 19, 2013 6:54 am
kmd wrote:
360Tencent wrote:https://www.virustotal.com/en/file/3bd2 ... 363628669/ (1/45)
5548b0370a59b52eb52adbc4f505e9a1.zip
can any1 shread a light how to interpret sirefef configuration files?
Yes.

Configs are s32, s64 files in bundle (@ at disk).

They are lists of bootstart peers. 256 blocks of IP address + last update time value.
Code: Select all
typedef struct _speer {
	DWORD dwAddress;
	DWORD dwTime;
} speer, *pspeer;
These files are not encrypted and can be decoded well (they are transmitted however encrypted)
Code: Select all
	BYTE* p;
	LARGE_INTEGER time;
	TIME_FIELDS sTime;

	p = (BYTE*)&rec->dwAddress;

	RtlSecondsSince1980ToTime(rec->dwTime, &time);
	RtlTimeToTimeFields(&time, &sTime); 

	wsprintf(_strend(out), TEXT("[%03d] %u.%u.%u %u:%lu:%lu\t%u.%u.%u.%u\r\n"), 
		recnum, sTime.Year, sTime.Month, sTime.Day, sTime.Hour, sTime.Minute, sTime.Second,
		p[0], p[1], p[2], p[3]
	);
During work Sirefef connects with peers from these lists using UDP protocol (ports 16464 and 16465) and depending on state/commands (getL) periodically downloads updated lists of peers.
e.g. from last attach s32 decoded
Code: Select all
[000] 2013.3.18 13:43:32	222.254.253.254
[001] 2013.3.18 13:43:32	206.254.253.254
[002] 2013.3.18 13:43:32	197.254.253.254
[003] 2013.3.18 13:43:32	190.254.253.254
[004] 2013.3.18 13:43:32	184.254.253.254
[005] 2013.3.18 13:43:32	182.254.253.254
[006] 2013.3.18 13:43:32	180.254.253.254
[007] 2013.3.18 13:43:32	166.254.253.254
[008] 2013.3.18 13:43:32	220.224.242.158
[009] 2013.3.18 13:43:32	87.19.54.152
[010] 2013.3.18 13:43:32	213.213.252.110
[011] 2013.3.18 13:43:32	89.134.173.87
[012] 2013.3.18 13:43:32	106.66.193.182
[013] 2013.3.18 13:43:32	92.254.253.254
[014] 2013.3.18 13:43:32	88.254.253.254
[015] 2013.3.18 13:43:32	87.254.253.254
[016] 2013.3.18 13:43:32	24.177.187.254
[017] 2013.3.18 13:43:32	1.22.112.254
[018] 2013.3.18 13:43:32	195.62.0.2
[019] 2013.3.18 13:43:32	82.60.54.250
[020] 2013.3.18 13:43:32	87.55.172.250
[021] 2013.3.18 13:43:32	98.30.251.250
[022] 2013.3.18 13:43:32	72.207.250.251
[023] 2013.3.18 13:43:31	37.229.94.1
[024] 2013.3.18 13:43:31	184.91.20.28
[025] 2013.3.18 13:43:31	27.106.24.21
[026] 2013.3.18 13:43:31	175.199.94.17
[027] 2013.3.18 13:43:31	79.134.48.14
[028] 2013.3.18 13:43:31	176.201.84.30
[029] 2013.3.18 13:43:31	98.245.111.34
[030] 2013.3.18 13:43:31	68.202.109.1
[031] 2013.3.18 13:43:31	87.20.86.254
[032] 2013.3.18 13:43:31	204.195.187.244
[033] 2013.3.18 13:43:31	180.0.143.34
[034] 2013.3.18 13:43:31	84.125.11.40
[035] 2013.3.18 13:43:31	182.235.24.42
[036] 2013.3.18 13:43:31	79.116.12.50
[037] 2013.3.18 13:43:31	88.184.199.3
[038] 2013.3.18 13:43:31	190.78.88.62
[039] 2013.3.18 13:43:31	123.225.234.66
[040] 2013.3.18 13:43:31	12.53.117.237
[041] 2013.3.18 13:43:31	68.184.76.69
[042] 2013.3.18 13:43:31	115.254.253.254
[043] 2013.3.18 13:43:31	98.169.243.74
[044] 2013.3.18 13:43:31	94.253.134.78
[045] 2013.3.18 13:43:31	117.219.7.83
[046] 2013.3.18 13:43:31	117.254.253.254
[047] 2013.3.18 13:43:31	66.130.45.235
[048] 2013.3.18 13:43:31	184.21.87.92
[049] 2013.3.18 13:43:31	31.135.129.96
[050] 2013.3.18 13:43:31	93.102.36.233
[051] 2013.3.18 13:43:31	83.97.150.96
[052] 2013.3.18 13:43:31	114.183.175.230
[053] 2013.3.18 13:43:31	184.79.102.104
[054] 2013.3.18 13:43:31	96.41.206.110
[055] 2013.3.18 13:43:31	119.254.253.254
[056] 2013.3.18 13:43:31	37.44.72.112
[057] 2013.3.18 13:43:31	116.202.195.112
[058] 2013.3.18 13:43:31	88.156.173.114
[059] 2013.3.18 13:43:31	72.175.192.121
[060] 2013.3.18 13:43:31	151.58.151.127
[061] 2013.3.18 13:43:31	89.103.178.129
[062] 2013.3.18 13:43:31	69.124.81.132
[063] 2013.3.18 13:43:31	189.29.109.146
[064] 2013.3.18 13:43:31	118.171.23.210
[065] 2013.3.18 13:43:31	203.73.225.209
[066] 2013.3.18 13:43:31	65.3.160.11
[067] 2013.3.18 13:43:31	95.17.21.150
[068] 2013.3.18 13:43:31	98.225.81.151
[069] 2013.3.18 13:43:31	134.254.253.254
[070] 2013.3.18 13:43:31	212.142.65.153
[071] 2013.3.18 13:43:31	76.184.96.156
[072] 2013.3.18 13:43:31	135.254.253.254
[073] 2013.3.18 13:43:31	178.85.43.163
[074] 2013.3.18 13:43:31	2.180.164.163
[075] 2013.3.18 13:43:31	50.26.91.168
[076] 2013.3.18 13:43:31	190.140.177.194
[077] 2013.3.18 13:43:31	173.24.155.169
[078] 2013.3.18 13:43:31	62.45.207.171
[079] 2013.3.18 13:43:31	71.9.65.192
[080] 2013.3.18 13:43:31	182.170.74.172
[081] 2013.3.18 13:43:31	85.179.131.178
[082] 2013.3.18 13:43:31	122.121.119.181
[083] 2013.3.18 13:43:31	91.218.3.71
[084] 2013.3.18 13:43:30	213.65.118.185
[085] 2013.3.18 13:43:30	97.81.110.186
[086] 2013.3.18 13:43:30	36.234.11.187
[087] 2013.3.18 13:43:30	36.236.48.180
[088] 2013.3.18 13:43:30	200.126.205.179
[089] 2013.3.18 13:43:30	89.141.109.179
[090] 2013.3.18 13:43:30	2.192.89.179
[091] 2013.3.18 13:43:30	75.118.224.188
[092] 2013.3.18 13:43:30	61.58.107.177
[093] 2013.3.18 13:43:30	174.103.215.173
[094] 2013.3.18 13:43:30	88.185.145.172
[095] 2013.3.18 13:43:30	188.190.94.189
[096] 2013.3.18 13:43:30	2.178.28.172
[097] 2013.3.18 13:43:30	5.167.254.193
[098] 2013.3.18 13:43:30	174.108.78.171
[099] 2013.3.18 13:43:30	166.143.35.171
[100] 2013.3.18 13:43:30	68.102.236.170
[101] 2013.3.18 13:43:30	49.156.215.170
[102] 2013.3.18 13:43:30	84.0.170.194
[103] 2013.3.18 13:43:30	174.2.34.199
[104] 2013.3.18 13:43:30	72.241.215.164
[105] 2013.3.18 13:43:30	2.183.244.163
[106] 2013.3.18 13:43:30	65.31.82.200
[107] 2013.3.18 13:43:30	71.236.206.201
[108] 2013.3.18 13:43:30	24.178.88.162
[109] 2013.3.18 13:43:30	85.186.48.161
[110] 2013.3.18 13:43:30	5.14.245.160
[111] 2013.3.18 13:43:30	139.194.160.204
[112] 2013.3.18 13:43:30	111.241.72.158
[113] 2013.3.18 13:43:30	24.240.63.205
[114] 2013.3.18 13:43:30	199.192.212.205
[115] 2013.3.18 13:43:30	50.72.201.152
[116] 2013.3.18 13:43:30	5.15.192.152
[117] 2013.3.18 13:43:30	79.45.136.206
[118] 2013.3.18 13:43:30	177.131.220.206
[119] 2013.3.18 13:43:30	70.189.43.207
[120] 2013.3.18 13:43:30	95.74.50.207
[121] 2013.3.18 13:43:30	68.186.250.148
[122] 2013.3.18 13:43:30	115.246.235.147
[123] 2013.3.18 13:43:30	94.212.19.147
[124] 2013.3.18 13:43:30	71.235.83.210
[125] 2013.3.18 13:43:30	117.214.191.143
[126] 2013.3.18 13:43:30	115.241.172.143
[127] 2013.3.18 13:43:30	79.116.203.141
[128] 2013.3.18 13:43:30	190.51.59.141
[129] 2013.3.18 13:43:30	201.243.153.135
[130] 2013.3.18 13:43:30	89.231.178.219
[131] 2013.3.18 13:43:30	218.166.232.219
[132] 2013.3.18 13:43:30	36.230.93.128
[133] 2013.3.18 13:43:30	27.116.8.128
[134] 2013.3.18 13:43:30	217.203.124.224
[135] 2013.3.18 13:43:30	5.13.121.125
[136] 2013.3.18 13:43:30	24.196.166.124
[137] 2013.3.18 13:43:30	71.8.204.123
[138] 2013.3.18 13:43:30	76.127.138.122
[139] 2013.3.18 13:43:30	36.224.225.224
[140] 2013.3.18 13:43:30	106.1.249.117
[141] 2013.3.18 13:43:30	188.26.212.225
[142] 2013.3.18 13:43:30	68.119.218.225
[143] 2013.3.18 13:43:30	93.147.71.226
[144] 2013.3.18 13:43:30	150.214.39.112
[145] 2013.3.18 13:43:30	202.78.234.111
[146] 2013.3.18 13:43:30	87.206.175.111
[147] 2013.3.18 13:43:30	95.56.30.227
[148] 2013.3.18 13:43:30	113.193.64.229
[149] 2013.3.18 13:43:30	75.106.135.109
[150] 2013.3.18 13:43:30	77.70.74.11
[151] 2013.3.18 13:43:30	188.143.12.104
[152] 2013.3.18 13:43:30	68.206.166.97
[153] 2013.3.18 13:43:30	71.88.201.96
[154] 2013.3.18 13:43:30	81.219.7.10
[155] 2013.3.18 13:43:30	213.150.98.9
[156] 2013.3.18 13:43:30	98.86.211.94
[157] 2013.3.18 13:43:30	206.53.67.9
[158] 2013.3.18 13:43:30	75.97.130.91
[159] 2013.3.18 13:43:30	89.230.52.89
[160] 2013.3.18 13:43:30	76.89.23.89
[161] 2013.3.18 13:43:30	113.21.68.88
[162] 2013.3.18 13:43:30	116.202.4.7
[163] 2013.3.18 13:43:30	114.24.115.87
[164] 2013.3.18 13:43:30	174.60.146.86
[165] 2013.3.18 13:43:30	95.24.224.83
[166] 2013.3.18 13:43:30	64.179.185.235
[167] 2013.3.18 13:43:30	14.99.217.82
[168] 2013.3.18 13:43:30	118.95.110.80
[169] 2013.3.18 13:43:30	88.198.200.5
[170] 2013.3.18 13:43:30	68.0.73.78
[171] 2013.3.18 13:43:30	108.176.74.5
[172] 2013.3.18 13:43:30	70.78.69.74
[173] 2013.3.18 13:43:30	46.129.18.74
[174] 2013.3.18 13:43:30	89.29.147.71
[175] 2013.3.18 13:43:30	72.226.40.4
[176] 2013.3.18 13:43:30	84.54.166.70
[177] 2013.3.18 13:43:30	188.178.127.70
[178] 2013.3.18 13:43:30	96.35.99.69
[179] 2013.3.18 13:43:30	70.132.115.237
[180] 2013.3.18 13:43:30	114.41.204.68
[181] 2013.3.18 13:43:30	124.123.86.68
[182] 2013.3.18 13:43:30	74.193.137.238
[183] 2013.3.18 13:43:30	137.44.126.65
[184] 2013.3.18 13:43:30	210.237.55.65
[185] 2013.3.18 13:43:30	180.74.25.240
[186] 2013.3.18 13:43:30	66.69.88.55
[187] 2013.3.18 13:43:30	87.223.160.53
[188] 2013.3.18 13:43:30	66.30.140.53
[189] 2013.3.18 13:43:30	2.179.86.53
[190] 2013.3.18 13:43:30	119.237.175.52
[191] 2013.3.18 13:43:30	98.209.101.3
[192] 2013.3.18 13:43:30	1.163.13.47
[193] 2013.3.18 13:43:30	174.111.253.46
[194] 2013.3.18 13:43:30	98.198.120.45
[195] 2013.3.18 13:43:30	84.41.88.45
[196] 2013.3.18 13:43:30	80.179.226.43
[197] 2013.3.18 13:43:30	111.253.85.43
[198] 2013.3.18 13:43:30	75.73.56.43
[199] 2013.3.18 13:43:30	114.45.77.2
[200] 2013.3.18 13:43:30	158.181.189.40
[201] 2013.3.18 13:43:30	78.222.72.243
[202] 2013.3.18 13:43:30	209.168.156.38
[203] 2013.3.18 13:43:30	71.75.221.37
[204] 2013.3.18 13:43:30	24.92.63.37
[205] 2013.3.18 13:43:30	81.197.160.36
[206] 2013.3.18 13:43:30	190.72.139.36
[207] 2013.3.18 13:43:30	188.219.92.35
[208] 2013.3.18 13:43:30	67.87.152.244
[209] 2013.3.18 13:43:30	186.93.237.248
[210] 2013.3.18 13:43:30	174.64.186.32
[211] 2013.3.18 13:43:30	24.252.98.32
[212] 2013.3.18 13:43:30	218.173.47.32
[213] 2013.3.18 13:43:30	81.66.232.249
[214] 2013.3.18 13:43:30	50.21.132.29
[215] 2013.3.18 13:43:30	211.30.1.29
[216] 2013.3.18 13:43:30	24.254.167.28
[217] 2013.3.18 13:43:30	108.132.37.253
[218] 2013.3.18 13:43:30	208.71.219.27
[219] 2013.3.18 13:43:30	111.246.103.27
[220] 2013.3.18 13:43:30	46.129.61.27
[221] 2013.3.18 13:43:30	173.81.233.25
[222] 2013.3.18 13:43:30	76.16.207.24
[223] 2013.3.18 13:43:30	111.248.159.24
[224] 2013.3.18 13:43:30	125.230.99.23
[225] 2013.3.18 13:43:30	91.34.94.23
[226] 2013.3.18 13:43:30	68.44.131.21
[227] 2013.3.18 13:43:30	87.111.51.21
[228] 2013.3.18 13:43:30	87.250.62.253
[229] 2013.3.18 13:43:30	24.137.128.20
[230] 2013.3.18 13:43:30	93.199.48.20
[231] 2013.3.18 13:43:30	24.239.103.19
[232] 2013.3.18 13:43:30	71.196.122.18
[233] 2013.3.18 13:43:30	1.170.88.18
[234] 2013.3.18 13:43:30	125.224.226.253
[235] 2013.3.18 13:43:30	114.42.145.16
[236] 2013.3.18 13:43:30	116.75.17.254
[237] 2013.3.18 13:43:30	72.28.211.12
[238] 2013.3.18 13:43:30	202.43.160.12
[239] 2013.3.18 13:43:30	109.192.202.11
[240] 2013.3.18 13:43:30	87.122.119.149
[241] 2013.3.18 13:43:30	72.23.147.11
[242] 2013.3.18 13:43:30	114.84.241.0
[243] 2013.3.18 13:43:29	93.116.194.230
[244] 2013.3.18 13:43:29	98.24.228.233
[245] 2013.3.18 13:43:29	128.218.13.234
[246] 2013.3.18 13:43:29	5.43.79.235
[247] 2013.3.18 13:43:29	68.54.99.236
[248] 2013.3.18 13:43:29	175.204.146.236
[249] 2013.3.18 13:43:29	209.6.187.236
[250] 2013.3.18 13:43:29	189.12.71.240
[251] 2013.3.18 13:43:29	190.179.136.240
[252] 2013.3.18 13:43:29	85.95.214.240
[253] 2013.3.18 13:43:29	113.21.67.245
[254] 2013.3.18 13:43:29	62.175.168.247
[255] 2013.3.18 13:43:29	36.238.24.252
s64
Code: Select all
[000] 2013.3.18 13:43:32	90.146.30.34
[001] 2013.3.18 13:43:32	177.32.182.92
[002] 2013.3.18 13:43:32	98.167.169.98
[003] 2013.3.18 13:43:32	106.79.129.99
[004] 2013.3.18 13:43:32	24.33.81.105
[005] 2013.3.18 13:43:32	70.165.194.105
[006] 2013.3.18 13:43:32	76.123.68.107
[007] 2013.3.18 13:43:32	134.2.84.109
[008] 2013.3.18 13:43:32	66.74.30.110
[009] 2013.3.18 13:43:32	78.234.69.117
[010] 2013.3.18 13:43:32	119.171.31.120
[011] 2013.3.18 13:43:32	76.109.165.125
[012] 2013.3.18 13:43:32	98.217.69.152
[013] 2013.3.18 13:43:32	71.201.187.154
[014] 2013.3.18 13:43:32	184.48.195.155
[015] 2013.3.18 13:43:32	14.96.44.156
[016] 2013.3.18 13:43:32	78.130.118.47
[017] 2013.3.18 13:43:32	82.159.202.160
[018] 2013.3.18 13:43:32	76.111.189.164
[019] 2013.3.18 13:43:32	220.210.190.166
[020] 2013.3.18 13:43:32	203.165.212.246
[021] 2013.3.18 13:43:32	99.181.217.170
[022] 2013.3.18 13:43:32	69.1.21.29
[023] 2013.3.18 13:43:32	108.170.53.186
[024] 2013.3.18 13:43:32	24.167.96.240
[025] 2013.3.18 13:43:32	69.119.120.22
[026] 2013.3.18 13:43:32	101.128.211.19
[027] 2013.3.18 13:43:32	181.226.111.237
[028] 2013.3.18 13:43:32	123.236.12.17
[029] 2013.3.18 13:43:32	93.102.40.209
[030] 2013.3.18 13:43:32	70.160.105.1
[031] 2013.3.18 13:43:32	46.197.139.5
[032] 2013.3.18 13:43:32	76.167.46.214
[033] 2013.3.18 13:43:32	50.140.186.215
[034] 2013.3.18 13:43:32	66.189.234.215
[035] 2013.3.18 13:43:31	95.79.179.222
[036] 2013.3.18 13:43:31	114.79.145.2
[037] 2013.3.18 13:43:31	173.30.192.4
[038] 2013.3.18 13:43:31	69.39.41.217
[039] 2013.3.18 13:43:31	173.174.230.216
[040] 2013.3.18 13:43:31	67.80.64.223
[041] 2013.3.18 13:43:31	87.231.99.229
[042] 2013.3.18 13:43:31	189.157.47.215
[043] 2013.3.18 13:43:31	126.43.213.1
[044] 2013.3.18 13:43:31	24.220.218.213
[045] 2013.3.18 13:43:31	180.177.94.231
[046] 2013.3.18 13:43:31	72.215.7.7
[047] 2013.3.18 13:43:31	173.218.161.7
[048] 2013.3.18 13:43:31	69.143.27.211
[049] 2013.3.18 13:43:31	24.37.17.210
[050] 2013.3.18 13:43:31	85.228.34.236
[051] 2013.3.18 13:43:31	180.147.47.207
[052] 2013.3.18 13:43:31	69.139.42.8
[053] 2013.3.18 13:43:31	65.34.128.204
[054] 2013.3.18 13:43:31	219.3.44.10
[055] 2013.3.18 13:43:31	98.24.74.204
[056] 2013.3.18 13:43:31	67.53.131.10
[057] 2013.3.18 13:43:31	46.231.112.202
[058] 2013.3.18 13:43:31	81.94.72.15
[059] 2013.3.18 13:43:31	66.189.75.16
[060] 2013.3.18 13:43:31	69.159.95.198
[061] 2013.3.18 13:43:31	2.192.239.16
[062] 2013.3.18 13:43:31	121.162.21.237
[063] 2013.3.18 13:43:31	89.76.139.197
[064] 2013.3.18 13:43:31	130.111.52.18
[065] 2013.3.18 13:43:31	68.105.2.196
[066] 2013.3.18 13:43:31	85.85.39.238
[067] 2013.3.18 13:43:31	24.254.49.20
[068] 2013.3.18 13:43:31	173.217.57.194
[069] 2013.3.18 13:43:31	68.43.35.194
[070] 2013.3.18 13:43:31	76.181.197.193
[071] 2013.3.18 13:43:31	71.225.243.20
[072] 2013.3.18 13:43:31	97.85.66.188
[073] 2013.3.18 13:43:31	96.20.29.239
[074] 2013.3.18 13:43:31	87.16.207.22
[075] 2013.3.18 13:43:31	50.151.238.240
[076] 2013.3.18 13:43:31	5.34.3.24
[077] 2013.3.18 13:43:31	68.55.138.24
[078] 2013.3.18 13:43:31	64.33.200.24
[079] 2013.3.18 13:43:31	183.82.228.183
[080] 2013.3.18 13:43:31	111.250.134.25
[081] 2013.3.18 13:43:31	14.97.191.181
[082] 2013.3.18 13:43:31	115.241.168.25
[083] 2013.3.18 13:43:31	86.201.175.180
[084] 2013.3.18 13:43:31	61.207.78.180
[085] 2013.3.18 13:43:31	24.231.2.26
[086] 2013.3.18 13:43:31	76.93.20.180
[087] 2013.3.18 13:43:31	218.43.172.179
[088] 2013.3.18 13:43:31	96.28.211.178
[089] 2013.3.18 13:43:31	190.85.68.178
[090] 2013.3.18 13:43:31	173.27.201.177
[091] 2013.3.18 13:43:31	68.83.37.176
[092] 2013.3.18 13:43:31	1.23.86.26
[093] 2013.3.18 13:43:31	50.147.96.241
[094] 2013.3.18 13:43:31	50.9.169.246
[095] 2013.3.18 13:43:31	174.57.126.170
[096] 2013.3.18 13:43:31	77.41.246.29
[097] 2013.3.18 13:43:31	50.137.216.167
[098] 2013.3.18 13:43:31	36.230.93.248
[099] 2013.3.18 13:43:31	24.191.236.250
[100] 2013.3.18 13:43:31	194.123.111.163
[101] 2013.3.18 13:43:31	74.66.252.162
[102] 2013.3.18 13:43:31	68.61.143.252
[103] 2013.3.18 13:43:31	78.43.244.254
[104] 2013.3.18 13:43:31	96.25.244.158
[105] 2013.3.18 13:43:31	81.232.39.158
[106] 2013.3.18 13:43:31	70.120.215.157
[107] 2013.3.18 13:43:31	184.163.104.157
[108] 2013.3.18 13:43:31	87.254.253.254
[109] 2013.3.18 13:43:31	88.254.253.254
[110] 2013.3.18 13:43:31	92.254.253.254
[111] 2013.3.18 13:43:31	125.224.118.152
[112] 2013.3.18 13:43:31	115.254.253.254
[113] 2013.3.18 13:43:31	67.191.242.150
[114] 2013.3.18 13:43:31	24.217.163.147
[115] 2013.3.18 13:43:31	78.88.218.146
[116] 2013.3.18 13:43:31	219.121.99.144
[117] 2013.3.18 13:43:31	114.39.17.144
[118] 2013.3.18 13:43:31	75.93.49.141
[119] 2013.3.18 13:43:31	85.225.45.139
[120] 2013.3.18 13:43:31	24.226.152.138
[121] 2013.3.18 13:43:31	109.55.6.137
[122] 2013.3.18 13:43:31	90.129.92.136
[123] 2013.3.18 13:43:31	87.15.64.136
[124] 2013.3.18 13:43:31	27.54.2.132
[125] 2013.3.18 13:43:31	75.75.33.126
[126] 2013.3.18 13:43:31	75.97.192.125
[127] 2013.3.18 13:43:31	114.33.180.125
[128] 2013.3.18 13:43:31	173.16.175.125
[129] 2013.3.18 13:43:31	117.254.253.254
[130] 2013.3.18 13:43:31	76.169.41.123
[131] 2013.3.18 13:43:31	182.188.143.122
[132] 2013.3.18 13:43:31	119.254.253.254
[133] 2013.3.18 13:43:31	94.236.140.118
[134] 2013.3.18 13:43:31	24.78.198.117
[135] 2013.3.18 13:43:31	134.254.253.254
[136] 2013.3.18 13:43:31	210.198.126.115
[137] 2013.3.18 13:43:31	37.125.201.114
[138] 2013.3.18 13:43:31	178.202.121.114
[139] 2013.3.18 13:43:31	1.174.147.113
[140] 2013.3.18 13:43:31	109.237.155.112
[141] 2013.3.18 13:43:31	189.72.23.112
[142] 2013.3.18 13:43:31	24.207.204.110
[143] 2013.3.18 13:43:31	135.254.253.254
[144] 2013.3.18 13:43:31	14.97.112.109
[145] 2013.3.18 13:43:31	166.254.253.254
[146] 2013.3.18 13:43:31	42.72.170.108
[147] 2013.3.18 13:43:31	180.254.253.254
[148] 2013.3.18 13:43:31	182.254.253.254
[149] 2013.3.18 13:43:31	184.254.253.254
[150] 2013.3.18 13:43:31	95.169.211.104
[151] 2013.3.18 13:43:31	116.202.20.104
[152] 2013.3.18 13:43:31	220.141.172.103
[153] 2013.3.18 13:43:31	64.121.244.102
[154] 2013.3.18 13:43:31	122.151.74.102
[155] 2013.3.18 13:43:31	75.94.229.101
[156] 2013.3.18 13:43:31	14.96.68.101
[157] 2013.3.18 13:43:31	190.162.133.100
[158] 2013.3.18 13:43:31	107.42.106.100
[159] 2013.3.18 13:43:31	14.97.36.100
[160] 2013.3.18 13:43:31	190.19.180.99
[161] 2013.3.18 13:43:31	190.254.253.254
[162] 2013.3.18 13:43:31	27.3.102.99
[163] 2013.3.18 13:43:31	69.140.30.99
[164] 2013.3.18 13:43:31	197.254.253.254
[165] 2013.3.18 13:43:31	95.58.38.98
[166] 2013.3.18 13:43:31	184.56.196.97
[167] 2013.3.18 13:43:31	79.12.93.97
[168] 2013.3.18 13:43:31	186.103.66.97
[169] 2013.3.18 13:43:31	70.190.232.95
[170] 2013.3.18 13:43:31	14.96.219.95
[171] 2013.3.18 13:43:31	70.183.124.94
[172] 2013.3.18 13:43:31	200.82.228.93
[173] 2013.3.18 13:43:31	206.254.253.254
[174] 2013.3.18 13:43:31	69.224.54.91
[175] 2013.3.18 13:43:31	46.129.11.91
[176] 2013.3.18 13:43:31	106.1.113.90
[177] 2013.3.18 13:43:31	114.174.156.87
[178] 2013.3.18 13:43:31	72.184.138.85
[179] 2013.3.18 13:43:31	83.26.51.84
[180] 2013.3.18 13:43:31	75.142.169.82
[181] 2013.3.18 13:43:31	78.206.100.82
[182] 2013.3.18 13:43:31	187.88.137.81
[183] 2013.3.18 13:43:31	111.248.48.79
[184] 2013.3.18 13:43:31	24.172.232.76
[185] 2013.3.18 13:43:31	96.19.199.76
[186] 2013.3.18 13:43:31	190.39.19.76
[187] 2013.3.18 13:43:31	84.28.158.74
[188] 2013.3.18 13:43:31	84.16.208.73
[189] 2013.3.18 13:43:31	122.103.165.72
[190] 2013.3.18 13:43:31	59.6.176.71
[191] 2013.3.18 13:43:31	97.85.155.71
[192] 2013.3.18 13:43:31	181.165.12.70
[193] 2013.3.18 13:43:31	173.8.5.69
[194] 2013.3.18 13:43:31	72.39.208.68
[195] 2013.3.18 13:43:31	84.108.140.68
[196] 2013.3.18 13:43:31	69.180.247.65
[197] 2013.3.18 13:43:31	88.223.58.65
[198] 2013.3.18 13:43:31	71.91.14.65
[199] 2013.3.18 13:43:31	24.165.172.61
[200] 2013.3.18 13:43:31	69.24.234.55
[201] 2013.3.18 13:43:31	112.204.98.53
[202] 2013.3.18 13:43:31	62.107.202.52
[203] 2013.3.18 13:43:31	187.247.119.51
[204] 2013.3.18 13:43:31	76.117.110.51
[205] 2013.3.18 13:43:31	118.168.231.47
[206] 2013.3.18 13:43:31	74.161.97.160
[207] 2013.3.18 13:43:31	88.130.218.46
[208] 2013.3.18 13:43:31	153.160.164.46
[209] 2013.3.18 13:43:31	76.125.185.44
[210] 2013.3.18 13:43:31	69.118.66.41
[211] 2013.3.18 13:43:31	180.3.198.40
[212] 2013.3.18 13:43:31	115.241.190.40
[213] 2013.3.18 13:43:31	14.96.162.30
[214] 2013.3.18 13:43:31	222.254.253.254
[215] 2013.3.18 13:43:31	176.201.45.0
[216] 2013.3.18 13:43:30	98.164.13.32
[217] 2013.3.18 13:43:30	67.149.174.30
[218] 2013.3.18 13:43:30	67.189.45.35
[219] 2013.3.18 13:43:30	78.136.92.30
[220] 2013.3.18 13:43:30	24.128.118.170
[221] 2013.3.18 13:43:30	190.137.95.171
[222] 2013.3.18 13:43:30	72.23.37.172
[223] 2013.3.18 13:43:30	74.68.39.180
[224] 2013.3.18 13:43:30	68.107.139.181
[225] 2013.3.18 13:43:30	115.241.11.182
[226] 2013.3.18 13:43:30	24.166.97.185
[227] 2013.3.18 13:43:30	24.121.178.185
[228] 2013.3.18 13:43:30	67.253.66.24
[229] 2013.3.18 13:43:30	46.186.30.186
[230] 2013.3.18 13:43:30	78.60.42.23
[231] 2013.3.18 13:43:30	2.199.36.187
[232] 2013.3.18 13:43:30	64.179.149.22
[233] 2013.3.18 13:43:30	70.125.60.187
[234] 2013.3.18 13:43:30	71.8.17.191
[235] 2013.3.18 13:43:30	78.61.87.195
[236] 2013.3.18 13:43:30	93.81.131.195
[237] 2013.3.18 13:43:30	76.18.240.196
[238] 2013.3.18 13:43:30	72.133.204.197
[239] 2013.3.18 13:43:30	82.252.52.198
[240] 2013.3.18 13:43:30	85.199.92.16
[241] 2013.3.18 13:43:30	71.225.121.198
[242] 2013.3.18 13:43:30	50.72.128.15
[243] 2013.3.18 13:43:30	81.193.247.199
[244] 2013.3.18 13:43:30	74.67.42.13
[245] 2013.3.18 13:43:30	69.117.221.12
[246] 2013.3.18 13:43:30	24.1.145.203
[247] 2013.3.18 13:43:30	82.231.90.204
[248] 2013.3.18 13:43:30	108.171.124.205
[249] 2013.3.18 13:43:30	74.75.40.211
[250] 2013.3.18 13:43:30	195.177.86.211
[251] 2013.3.18 13:43:30	124.125.186.211
[252] 2013.3.18 13:43:30	189.105.87.218
[253] 2013.3.18 13:43:30	174.111.88.221
[254] 2013.3.18 13:43:30	98.183.253.230
[255] 2013.3.18 13:43:30	68.191.150.231
 #18588  by EP_X0FF
 Tue Mar 19, 2013 11:55 am
+6 more recrypted droppers

3ff680c7cda6904021003e6bf134a25de0ed43b0
5c6d66dff6c63703d9801e5230850b6ac8780f6f
8302bc22f781fb5c40a31c2382d372fc34bf3890
924bbdecd9bb139621c08c273eacd8145636c9ad
aa2dbe656e12519416e8d6cde564fda92736b7d6
fb04fd148ef4007986bca05eb1b01817f4328fa6

s32
Code: Select all
[000] 2013.3.19 10:51:28	187.39.73.125
[001] 2013.3.19 10:51:28	37.43.105.146
[002] 2013.3.19 10:51:28	79.163.8.155
[003] 2013.3.19 10:51:28	86.126.195.89
[004] 2013.3.19 10:51:28	118.233.251.168
[005] 2013.3.19 10:51:28	66.176.195.172
[006] 2013.3.19 10:51:28	87.110.121.207
[007] 2013.3.19 10:51:28	118.104.170.207
[008] 2013.3.19 10:51:28	110.12.56.124
[009] 2013.3.19 10:51:28	121.145.62.224
[010] 2013.3.19 10:51:27	119.254.253.254
[011] 2013.3.19 10:51:27	117.254.253.254
[012] 2013.3.19 10:51:27	115.254.253.254
[013] 2013.3.19 10:51:27	92.254.253.254
[014] 2013.3.19 10:51:27	88.254.253.254
[015] 2013.3.19 10:51:27	87.254.253.254
[016] 2013.3.19 10:51:27	113.38.129.254
[017] 2013.3.19 10:51:27	68.1.43.254
[018] 2013.3.19 10:51:27	66.203.221.253
[019] 2013.3.19 10:51:27	117.227.190.253
[020] 2013.3.19 10:51:27	71.87.235.18
[021] 2013.3.19 10:51:27	203.96.149.253
[022] 2013.3.19 10:51:27	74.57.152.252
[023] 2013.3.19 10:51:27	101.62.25.19
[024] 2013.3.19 10:51:27	76.107.44.252
[025] 2013.3.19 10:51:27	71.204.36.252
[026] 2013.3.19 10:51:27	118.0.152.251
[027] 2013.3.19 10:51:27	14.194.102.251
[028] 2013.3.19 10:51:27	71.230.210.5
[029] 2013.3.19 10:51:27	86.126.162.247
[030] 2013.3.19 10:51:27	71.45.108.247
[031] 2013.3.19 10:51:27	217.201.14.246
[032] 2013.3.19 10:51:27	78.48.65.6
[033] 2013.3.19 10:51:27	65.34.238.19
[034] 2013.3.19 10:51:27	85.42.39.26
[035] 2013.3.19 10:51:27	90.130.163.241
[036] 2013.3.19 10:51:27	219.124.139.239
[037] 2013.3.19 10:51:27	98.213.56.239
[038] 2013.3.19 10:51:27	98.217.233.26
[039] 2013.3.19 10:51:27	46.47.67.32
[040] 2013.3.19 10:51:27	95.176.226.236
[041] 2013.3.19 10:51:27	189.12.93.33
[042] 2013.3.19 10:51:27	84.74.97.33
[043] 2013.3.19 10:51:27	211.124.121.36
[044] 2013.3.19 10:51:27	65.24.151.36
[045] 2013.3.19 10:51:27	31.17.125.38
[046] 2013.3.19 10:51:27	178.137.93.10
[047] 2013.3.19 10:51:27	1.174.187.41
[048] 2013.3.19 10:51:27	50.157.135.45
[049] 2013.3.19 10:51:27	95.114.163.230
[050] 2013.3.19 10:51:27	213.109.94.229
[051] 2013.3.19 10:51:27	70.74.163.46
[052] 2013.3.19 10:51:27	97.89.105.47
[053] 2013.3.19 10:51:27	213.109.27.49
[054] 2013.3.19 10:51:27	188.4.160.57
[055] 2013.3.19 10:51:27	89.137.210.225
[056] 2013.3.19 10:51:27	134.254.253.254
[057] 2013.3.19 10:51:27	97.84.164.223
[058] 2013.3.19 10:51:27	124.181.110.222
[059] 2013.3.19 10:51:27	219.121.149.219
[060] 2013.3.19 10:51:27	118.165.154.58
[061] 2013.3.19 10:51:27	135.254.253.254
[062] 2013.3.19 10:51:27	202.60.161.64
[063] 2013.3.19 10:51:27	79.114.150.65
[064] 2013.3.19 10:51:27	50.7.216.66
[065] 2013.3.19 10:51:27	49.204.181.67
[066] 2013.3.19 10:51:27	89.132.140.212
[067] 2013.3.19 10:51:27	49.135.103.212
[068] 2013.3.19 10:51:27	166.254.253.254
[069] 2013.3.19 10:51:27	217.16.140.69
[070] 2013.3.19 10:51:27	180.254.253.254
[071] 2013.3.19 10:51:27	219.105.107.71
[072] 2013.3.19 10:51:27	178.25.84.206
[073] 2013.3.19 10:51:27	24.11.106.72
[074] 2013.3.19 10:51:27	109.53.218.205
[075] 2013.3.19 10:51:27	58.114.253.204
[076] 2013.3.19 10:51:27	82.14.235.72
[077] 2013.3.19 10:51:27	98.218.67.73
[078] 2013.3.19 10:51:27	88.207.114.199
[079] 2013.3.19 10:51:27	85.238.210.76
[080] 2013.3.19 10:51:27	183.83.30.77
[081] 2013.3.19 10:51:27	123.237.217.78
[082] 2013.3.19 10:51:27	114.146.12.79
[083] 2013.3.19 10:51:27	61.198.122.80
[084] 2013.3.19 10:51:27	87.96.156.80
[085] 2013.3.19 10:51:27	218.230.37.184
[086] 2013.3.19 10:51:27	123.2.146.180
[087] 2013.3.19 10:51:27	188.213.88.85
[088] 2013.3.19 10:51:27	97.92.68.86
[089] 2013.3.19 10:51:27	76.176.84.87
[090] 2013.3.19 10:51:27	41.200.100.87
[091] 2013.3.19 10:51:27	109.129.167.173
[092] 2013.3.19 10:51:27	41.82.11.173
[093] 2013.3.19 10:51:27	182.254.253.254
[094] 2013.3.19 10:51:27	178.91.43.172
[095] 2013.3.19 10:51:27	118.165.15.171
[096] 2013.3.19 10:51:27	71.92.37.88
[097] 2013.3.19 10:51:27	184.254.253.254
[098] 2013.3.19 10:51:27	178.175.120.88
[099] 2013.3.19 10:51:27	190.254.253.254
[100] 2013.3.19 10:51:27	66.153.195.92
[101] 2013.3.19 10:51:27	111.248.248.95
[102] 2013.3.19 10:51:27	76.169.69.162
[103] 2013.3.19 10:51:27	109.184.250.160
[104] 2013.3.19 10:51:27	85.24.27.98
[105] 2013.3.19 10:51:27	119.199.88.101
[106] 2013.3.19 10:51:27	210.20.69.159
[107] 2013.3.19 10:51:27	85.217.234.158
[108] 2013.3.19 10:51:27	198.254.151.103
[109] 2013.3.19 10:51:27	220.108.170.108
[110] 2013.3.19 10:51:27	197.254.253.254
[111] 2013.3.19 10:51:27	178.75.226.112
[112] 2013.3.19 10:51:27	75.128.119.150
[113] 2013.3.19 10:51:27	94.244.71.113
[114] 2013.3.19 10:51:27	1.165.73.115
[115] 2013.3.19 10:51:27	24.121.167.115
[116] 2013.3.19 10:51:27	74.78.188.147
[117] 2013.3.19 10:51:27	74.79.166.146
[118] 2013.3.19 10:51:27	206.254.253.254
[119] 2013.3.19 10:51:27	1.200.109.116
[120] 2013.3.19 10:51:27	176.63.42.142
[121] 2013.3.19 10:51:27	14.198.30.142
[122] 2013.3.19 10:51:27	184.57.167.215
[123] 2013.3.19 10:51:27	222.254.253.254
[124] 2013.3.19 10:51:27	184.167.117.128
[125] 2013.3.19 10:51:27	116.202.124.130
[126] 2013.3.19 10:51:27	89.176.20.134
[127] 2013.3.19 10:51:27	58.104.205.132
[128] 2013.3.19 10:51:27	109.125.170.14
[129] 2013.3.19 10:51:26	72.220.131.134
[130] 2013.3.19 10:51:26	188.2.188.128
[131] 2013.3.19 10:51:26	46.211.231.135
[132] 2013.3.19 10:51:26	79.42.253.127
[133] 2013.3.19 10:51:26	14.99.177.127
[134] 2013.3.19 10:51:26	67.176.145.127
[135] 2013.3.19 10:51:26	101.62.52.127
[136] 2013.3.19 10:51:26	75.231.76.126
[137] 2013.3.19 10:51:26	213.118.210.136
[138] 2013.3.19 10:51:26	50.142.233.124
[139] 2013.3.19 10:51:26	70.185.233.138
[140] 2013.3.19 10:51:26	70.81.245.120
[141] 2013.3.19 10:51:26	212.233.160.145
[142] 2013.3.19 10:51:26	14.97.41.148
[143] 2013.3.19 10:51:26	50.71.138.148
[144] 2013.3.19 10:51:26	72.132.169.148
[145] 2013.3.19 10:51:26	111.243.180.154
[146] 2013.3.19 10:51:26	189.58.120.110
[147] 2013.3.19 10:51:26	109.194.244.155
[148] 2013.3.19 10:51:26	98.218.173.107
[149] 2013.3.19 10:51:26	211.125.245.105
[150] 2013.3.19 10:51:26	98.164.90.157
[151] 2013.3.19 10:51:26	24.141.76.103
[152] 2013.3.19 10:51:26	24.155.33.160
[153] 2013.3.19 10:51:26	109.202.32.100
[154] 2013.3.19 10:51:26	71.195.164.98
[155] 2013.3.19 10:51:26	122.22.103.160
[156] 2013.3.19 10:51:26	84.46.251.96
[157] 2013.3.19 10:51:26	24.193.94.163
[158] 2013.3.19 10:51:26	174.48.223.94
[159] 2013.3.19 10:51:26	98.195.1.93
[160] 2013.3.19 10:51:26	188.127.115.163
[161] 2013.3.19 10:51:26	79.117.183.92
[162] 2013.3.19 10:51:26	126.44.114.164
[163] 2013.3.19 10:51:26	87.56.171.89
[164] 2013.3.19 10:51:26	76.64.131.88
[165] 2013.3.19 10:51:26	115.242.236.168
[166] 2013.3.19 10:51:26	75.139.57.169
[167] 2013.3.19 10:51:26	80.99.226.87
[168] 2013.3.19 10:51:26	62.18.81.175
[169] 2013.3.19 10:51:26	71.10.103.176
[170] 2013.3.19 10:51:26	46.239.136.178
[171] 2013.3.19 10:51:26	62.117.17.86
[172] 2013.3.19 10:51:26	207.191.223.179
[173] 2013.3.19 10:51:26	189.63.139.184
[174] 2013.3.19 10:51:26	98.30.63.186
[175] 2013.3.19 10:51:26	203.79.58.79
[176] 2013.3.19 10:51:26	24.196.122.190
[177] 2013.3.19 10:51:26	93.116.223.191
[178] 2013.3.19 10:51:26	114.134.210.78
[179] 2013.3.19 10:51:26	94.203.128.77
[180] 2013.3.19 10:51:26	121.144.244.194
[181] 2013.3.19 10:51:26	75.140.248.76
[182] 2013.3.19 10:51:26	78.102.164.197
[183] 2013.3.19 10:51:26	114.40.204.76
[184] 2013.3.19 10:51:26	119.14.117.199
[185] 2013.3.19 10:51:26	31.133.82.204
[186] 2013.3.19 10:51:26	87.247.59.206
[187] 2013.3.19 10:51:26	24.59.72.72
[188] 2013.3.19 10:51:26	88.216.117.206
[189] 2013.3.19 10:51:26	188.131.102.71
[190] 2013.3.19 10:51:26	60.237.146.207
[191] 2013.3.19 10:51:26	92.53.19.213
[192] 2013.3.19 10:51:26	68.65.37.213
[193] 2013.3.19 10:51:26	65.96.157.66
[194] 2013.3.19 10:51:26	89.138.87.66
[195] 2013.3.19 10:51:26	62.195.14.66
[196] 2013.3.19 10:51:26	79.45.160.65
[197] 2013.3.19 10:51:26	78.106.145.213
[198] 2013.3.19 10:51:26	190.213.240.64
[199] 2013.3.19 10:51:26	68.101.251.214
[200] 2013.3.19 10:51:26	186.223.4.61
[201] 2013.3.19 10:51:26	61.63.120.60
[202] 2013.3.19 10:51:26	31.134.35.60
[203] 2013.3.19 10:51:26	124.25.15.217
[204] 2013.3.19 10:51:26	69.244.50.226
[205] 2013.3.19 10:51:26	37.203.143.57
[206] 2013.3.19 10:51:26	46.119.124.57
[207] 2013.3.19 10:51:26	72.205.4.56
[208] 2013.3.19 10:51:26	119.224.243.52
[209] 2013.3.19 10:51:26	69.19.248.49
[210] 2013.3.19 10:51:26	176.13.138.227
[211] 2013.3.19 10:51:26	70.120.89.48
[212] 2013.3.19 10:51:26	78.106.44.228
[213] 2013.3.19 10:51:26	172.0.206.228
[214] 2013.3.19 10:51:26	187.71.66.46
[215] 2013.3.19 10:51:26	118.160.52.231
[216] 2013.3.19 10:51:26	78.97.61.44
[217] 2013.3.19 10:51:26	223.218.52.43
[218] 2013.3.19 10:51:26	70.180.47.43
[219] 2013.3.19 10:51:26	67.68.53.11
[220] 2013.3.19 10:51:26	128.70.124.8
[221] 2013.3.19 10:51:26	109.201.72.38
[222] 2013.3.19 10:51:26	95.86.26.8
[223] 2013.3.19 10:51:26	177.65.59.235
[224] 2013.3.19 10:51:26	67.182.45.36
[225] 2013.3.19 10:51:26	111.251.113.235
[226] 2013.3.19 10:51:26	24.240.112.6
[227] 2013.3.19 10:51:26	72.204.36.33
[228] 2013.3.19 10:51:26	96.41.50.238
[229] 2013.3.19 10:51:26	109.200.226.238
[230] 2013.3.19 10:51:26	97.82.189.26
[231] 2013.3.19 10:51:26	1.168.213.242
[232] 2013.3.19 10:51:26	79.115.75.21
[233] 2013.3.19 10:51:26	69.250.235.244
[234] 2013.3.19 10:51:26	188.163.63.19
[235] 2013.3.19 10:51:26	164.40.201.3
[236] 2013.3.19 10:51:26	114.37.179.253
[237] 2013.3.19 10:51:26	119.15.251.16
[238] 2013.3.19 10:51:26	115.252.38.15
[239] 2013.3.19 10:51:26	116.90.154.132
[240] 2013.3.19 10:51:26	197.253.7.14
[241] 2013.3.19 10:51:26	211.47.109.13
[242] 2013.3.19 10:51:26	153.132.172.12
[243] 2013.3.19 10:51:26	125.192.109.12
[244] 2013.3.19 10:51:26	71.10.161.1
[245] 2013.3.19 10:51:25	173.30.65.234
[246] 2013.3.19 10:51:25	113.21.68.234
[247] 2013.3.19 10:51:25	111.94.94.8
[248] 2013.3.19 10:51:25	88.191.88.8
[249] 2013.3.19 10:51:25	75.171.162.234
[250] 2013.3.19 10:51:25	77.240.237.7
[251] 2013.3.19 10:51:25	89.178.12.236
[252] 2013.3.19 10:51:25	92.76.156.245
[253] 2013.3.19 10:51:25	188.2.167.250
[254] 2013.3.19 10:51:25	221.86.234.3
[255] 2013.3.19 10:51:25	71.82.53.252
s64
Code: Select all
[000] 2013.3.19 10:51:12	189.18.240.57
[001] 2013.3.19 10:51:12	221.188.125.85
[002] 2013.3.19 10:51:12	142.217.47.97
[003] 2013.3.19 10:51:12	180.151.26.113
[004] 2013.3.19 10:51:12	118.237.70.121
[005] 2013.3.19 10:51:12	84.197.219.121
[006] 2013.3.19 10:51:12	65.60.233.132
[007] 2013.3.19 10:51:12	186.59.145.41
[008] 2013.3.19 10:51:12	112.205.81.163
[009] 2013.3.19 10:51:12	71.75.173.33
[010] 2013.3.19 10:51:12	75.33.41.182
[011] 2013.3.19 10:51:12	76.88.166.80
[012] 2013.3.19 10:51:12	180.46.0.30
[013] 2013.3.19 10:51:12	70.74.196.188
[014] 2013.3.19 10:51:12	24.53.14.17
[015] 2013.3.19 10:51:12	216.131.100.191
[016] 2013.3.19 10:51:12	24.218.128.198
[017] 2013.3.19 10:51:12	197.87.58.6
[018] 2013.3.19 10:51:12	24.167.14.213
[019] 2013.3.19 10:51:12	84.36.70.233
[020] 2013.3.19 10:51:12	115.240.78.247
[021] 2013.3.19 10:51:11	24.252.3.253
[022] 2013.3.19 10:51:11	182.167.229.252
[023] 2013.3.19 10:51:11	95.222.231.251
[024] 2013.3.19 10:51:11	178.201.243.250
[025] 2013.3.19 10:51:11	221.118.28.250
[026] 2013.3.19 10:51:11	76.170.8.253
[027] 2013.3.19 10:51:11	76.117.197.246
[028] 2013.3.19 10:51:11	85.29.151.244
[029] 2013.3.19 10:51:11	88.73.138.244
[030] 2013.3.19 10:51:11	74.58.117.244
[031] 2013.3.19 10:51:11	89.160.81.244
[032] 2013.3.19 10:51:11	85.27.54.243
[033] 2013.3.19 10:51:11	61.22.44.243
[034] 2013.3.19 10:51:11	180.198.123.241
[035] 2013.3.19 10:51:11	71.56.3.241
[036] 2013.3.19 10:51:11	174.108.76.240
[037] 2013.3.19 10:51:11	5.61.137.238
[038] 2013.3.19 10:51:11	24.116.109.233
[039] 2013.3.19 10:51:11	50.89.90.233
[040] 2013.3.19 10:51:11	107.10.34.253
[041] 2013.3.19 10:51:11	68.2.241.230
[042] 2013.3.19 10:51:11	188.32.224.228
[043] 2013.3.19 10:51:11	98.247.24.226
[044] 2013.3.19 10:51:11	27.98.4.225
[045] 2013.3.19 10:51:11	46.172.217.218
[046] 2013.3.19 10:51:11	93.102.59.215
[047] 2013.3.19 10:51:11	98.87.104.253
[048] 2013.3.19 10:51:11	71.65.194.212
[049] 2013.3.19 10:51:11	88.190.22.212
[050] 2013.3.19 10:51:11	76.107.110.211
[051] 2013.3.19 10:51:11	178.204.95.2
[052] 2013.3.19 10:51:11	67.85.66.211
[053] 2013.3.19 10:51:11	67.193.100.210
[054] 2013.3.19 10:51:11	94.67.37.3
[055] 2013.3.19 10:51:11	74.71.24.254
[056] 2013.3.19 10:51:11	184.189.87.6
[057] 2013.3.19 10:51:11	79.138.250.205
[058] 2013.3.19 10:51:11	83.209.90.205
[059] 2013.3.19 10:51:11	42.3.161.8
[060] 2013.3.19 10:51:11	86.126.122.201
[061] 2013.3.19 10:51:11	69.248.32.9
[062] 2013.3.19 10:51:11	183.83.3.201
[063] 2013.3.19 10:51:11	71.225.240.12
[064] 2013.3.19 10:51:11	178.157.199.254
[065] 2013.3.19 10:51:11	84.40.68.14
[066] 2013.3.19 10:51:11	88.246.123.195
[067] 2013.3.19 10:51:11	78.251.155.15
[068] 2013.3.19 10:51:11	123.193.102.16
[069] 2013.3.19 10:51:11	87.254.253.254
[070] 2013.3.19 10:51:11	88.254.253.254
[071] 2013.3.19 10:51:11	125.197.72.18
[072] 2013.3.19 10:51:11	173.217.167.189
[073] 2013.3.19 10:51:11	109.160.241.18
[074] 2013.3.19 10:51:11	92.254.253.254
[075] 2013.3.19 10:51:11	180.147.39.19
[076] 2013.3.19 10:51:11	69.248.45.19
[077] 2013.3.19 10:51:11	85.230.217.19
[078] 2013.3.19 10:51:11	79.114.33.28
[079] 2013.3.19 10:51:11	182.48.196.29
[080] 2013.3.19 10:51:11	115.254.253.254
[081] 2013.3.19 10:51:11	218.157.11.30
[082] 2013.3.19 10:51:11	87.18.225.183
[083] 2013.3.19 10:51:11	117.254.253.254
[084] 2013.3.19 10:51:11	77.122.11.183
[085] 2013.3.19 10:51:11	119.254.253.254
[086] 2013.3.19 10:51:11	75.140.96.30
[087] 2013.3.19 10:51:11	27.228.189.30
[088] 2013.3.19 10:51:11	94.225.9.181
[089] 2013.3.19 10:51:11	198.82.65.180
[090] 2013.3.19 10:51:11	115.187.60.179
[091] 2013.3.19 10:51:11	76.95.3.177
[092] 2013.3.19 10:51:11	76.22.10.175
[093] 2013.3.19 10:51:11	94.222.190.30
[094] 2013.3.19 10:51:11	74.71.29.31
[095] 2013.3.19 10:51:11	98.230.196.31
[096] 2013.3.19 10:51:11	123.201.160.32
[097] 2013.3.19 10:51:11	75.74.30.172
[098] 2013.3.19 10:51:11	134.254.253.254
[099] 2013.3.19 10:51:11	124.179.86.170
[100] 2013.3.19 10:51:11	113.37.47.170
[101] 2013.3.19 10:51:11	74.65.151.35
[102] 2013.3.19 10:51:11	2.193.228.167
[103] 2013.3.19 10:51:11	216.151.1.166
[104] 2013.3.19 10:51:11	98.154.155.36
[105] 2013.3.19 10:51:11	135.254.253.254
[106] 2013.3.19 10:51:11	110.132.0.160
[107] 2013.3.19 10:51:11	109.236.81.159
[108] 2013.3.19 10:51:11	14.99.118.158
[109] 2013.3.19 10:51:11	85.177.232.154
[110] 2013.3.19 10:51:11	98.198.178.153
[111] 2013.3.19 10:51:11	119.157.151.153
[112] 2013.3.19 10:51:11	180.196.51.152
[113] 2013.3.19 10:51:11	46.49.23.152
[114] 2013.3.19 10:51:11	108.199.5.152
[115] 2013.3.19 10:51:11	94.205.97.37
[116] 2013.3.19 10:51:11	166.254.253.254
[117] 2013.3.19 10:51:11	94.180.156.145
[118] 2013.3.19 10:51:11	78.223.70.145
[119] 2013.3.19 10:51:11	188.125.139.42
[120] 2013.3.19 10:51:11	82.81.78.43
[121] 2013.3.19 10:51:11	69.248.1.45
[122] 2013.3.19 10:51:11	62.18.63.48
[123] 2013.3.19 10:51:11	83.103.200.48
[124] 2013.3.19 10:51:11	173.16.185.49
[125] 2013.3.19 10:51:11	82.131.111.51
[126] 2013.3.19 10:51:11	151.232.45.52
[127] 2013.3.19 10:51:11	107.10.78.139
[128] 2013.3.19 10:51:11	188.230.10.139
[129] 2013.3.19 10:51:11	112.138.252.138
[130] 2013.3.19 10:51:11	69.244.216.138
[131] 2013.3.19 10:51:11	146.52.217.135
[132] 2013.3.19 10:51:11	180.254.253.254
[133] 2013.3.19 10:51:11	68.82.83.131
[134] 2013.3.19 10:51:11	67.160.3.125
[135] 2013.3.19 10:51:11	76.31.144.123
[136] 2013.3.19 10:51:11	182.254.253.254
[137] 2013.3.19 10:51:11	184.254.253.254
[138] 2013.3.19 10:51:11	67.168.196.115
[139] 2013.3.19 10:51:11	24.3.146.115
[140] 2013.3.19 10:51:11	190.254.253.254
[141] 2013.3.19 10:51:11	72.189.189.111
[142] 2013.3.19 10:51:11	76.127.148.110
[143] 2013.3.19 10:51:11	72.219.33.110
[144] 2013.3.19 10:51:11	71.75.219.107
[145] 2013.3.19 10:51:11	75.141.137.105
[146] 2013.3.19 10:51:11	173.233.189.102
[147] 2013.3.19 10:51:11	174.1.74.102
[148] 2013.3.19 10:51:11	220.130.160.101
[149] 2013.3.19 10:51:11	75.72.179.100
[150] 2013.3.19 10:51:11	66.190.99.52
[151] 2013.3.19 10:51:11	123.220.144.54
[152] 2013.3.19 10:51:11	197.254.253.254
[153] 2013.3.19 10:51:11	78.251.226.56
[154] 2013.3.19 10:51:11	202.213.119.96
[155] 2013.3.19 10:51:11	118.165.19.96
[156] 2013.3.19 10:51:11	58.3.190.95
[157] 2013.3.19 10:51:11	66.66.81.92
[158] 2013.3.19 10:51:11	98.30.185.90
[159] 2013.3.19 10:51:11	71.89.126.89
[160] 2013.3.19 10:51:11	50.147.109.88
[161] 2013.3.19 10:51:11	71.17.221.85
[162] 2013.3.19 10:51:11	206.254.253.254
[163] 2013.3.19 10:51:11	74.88.34.83
[164] 2013.3.19 10:51:11	95.113.208.80
[165] 2013.3.19 10:51:11	93.144.187.183
[166] 2013.3.19 10:51:11	178.237.177.79
[167] 2013.3.19 10:51:11	77.236.188.77
[168] 2013.3.19 10:51:11	68.198.203.76
[169] 2013.3.19 10:51:11	118.35.170.76
[170] 2013.3.19 10:51:11	178.119.34.75
[171] 2013.3.19 10:51:11	24.59.206.71
[172] 2013.3.19 10:51:11	94.180.38.71
[173] 2013.3.19 10:51:11	190.208.71.70
[174] 2013.3.19 10:51:11	70.118.26.70
[175] 2013.3.19 10:51:11	81.88.0.70
[176] 2013.3.19 10:51:11	222.254.253.254
[177] 2013.3.19 10:51:11	46.166.100.59
[178] 2013.3.19 10:51:11	188.105.77.59
[179] 2013.3.19 10:51:11	24.250.41.2
[180] 2013.3.19 10:51:10	78.221.193.65
[181] 2013.3.19 10:51:10	24.99.20.57
[182] 2013.3.19 10:51:10	98.155.213.96
[183] 2013.3.19 10:51:10	89.230.232.54
[184] 2013.3.19 10:51:10	107.15.201.54
[185] 2013.3.19 10:51:10	82.131.150.54
[186] 2013.3.19 10:51:10	114.48.72.98
[187] 2013.3.19 10:51:10	71.232.74.53
[188] 2013.3.19 10:51:10	76.19.248.99
[189] 2013.3.19 10:51:10	87.93.88.139
[190] 2013.3.19 10:51:10	58.153.138.139
[191] 2013.3.19 10:51:10	2.8.2.50
[192] 2013.3.19 10:51:10	75.67.127.140
[193] 2013.3.19 10:51:10	189.120.70.49
[194] 2013.3.19 10:51:10	72.23.54.49
[195] 2013.3.19 10:51:10	61.21.213.48
[196] 2013.3.19 10:51:10	173.16.141.140
[197] 2013.3.19 10:51:10	202.231.152.48
[198] 2013.3.19 10:51:10	75.68.137.48
[199] 2013.3.19 10:51:10	213.130.199.141
[200] 2013.3.19 10:51:10	24.94.56.48
[201] 2013.3.19 10:51:10	67.165.199.47
[202] 2013.3.19 10:51:10	80.186.205.45
[203] 2013.3.19 10:51:10	50.138.82.144
[204] 2013.3.19 10:51:10	50.72.17.44
[205] 2013.3.19 10:51:10	60.74.235.144
[206] 2013.3.19 10:51:10	188.24.36.145
[207] 2013.3.19 10:51:10	174.50.149.41
[208] 2013.3.19 10:51:10	5.56.206.147
[209] 2013.3.19 10:51:10	87.236.88.39
[210] 2013.3.19 10:51:10	77.180.167.38
[211] 2013.3.19 10:51:10	69.47.102.38
[212] 2013.3.19 10:51:10	58.182.32.38
[213] 2013.3.19 10:51:10	95.238.73.150
[214] 2013.3.19 10:51:10	96.42.54.37
[215] 2013.3.19 10:51:10	173.215.66.164
[216] 2013.3.19 10:51:10	205.204.85.168
[217] 2013.3.19 10:51:10	202.179.2.35
[218] 2013.3.19 10:51:10	71.90.125.171
[219] 2013.3.19 10:51:10	130.43.160.33
[220] 2013.3.19 10:51:10	180.21.159.33
[221] 2013.3.19 10:51:10	24.128.116.33
[222] 2013.3.19 10:51:10	67.87.77.33
[223] 2013.3.19 10:51:10	49.249.123.172
[224] 2013.3.19 10:51:10	67.167.111.32
[225] 2013.3.19 10:51:10	84.125.19.173
[226] 2013.3.19 10:51:10	68.43.104.31
[227] 2013.3.19 10:51:10	89.230.210.174
[228] 2013.3.19 10:51:10	142.161.245.30
[229] 2013.3.19 10:51:10	109.227.246.174
[230] 2013.3.19 10:51:10	114.174.47.181
[231] 2013.3.19 10:51:10	128.189.129.30
[232] 2013.3.19 10:51:10	67.177.80.181
[233] 2013.3.19 10:51:10	174.62.110.184
[234] 2013.3.19 10:51:10	188.0.29.185
[235] 2013.3.19 10:51:10	141.136.14.186
[236] 2013.3.19 10:51:10	24.246.71.186
[237] 2013.3.19 10:51:10	176.198.241.27
[238] 2013.3.19 10:51:10	94.180.206.23
[239] 2013.3.19 10:51:10	24.184.140.21
[240] 2013.3.19 10:51:10	130.243.186.186
[241] 2013.3.19 10:51:10	68.196.225.186
[242] 2013.3.19 10:51:10	24.215.119.187
[243] 2013.3.19 10:51:10	24.10.11.189
[244] 2013.3.19 10:51:10	59.105.31.191
[245] 2013.3.19 10:51:10	183.73.33.191
[246] 2013.3.19 10:51:10	101.99.144.192
[247] 2013.3.19 10:51:10	178.151.225.193
[248] 2013.3.19 10:51:10	187.14.159.196
[249] 2013.3.19 10:51:10	75.247.10.199
[250] 2013.3.19 10:51:10	114.163.17.201
[251] 2013.3.19 10:51:10	50.149.34.203
[252] 2013.3.19 10:51:10	86.52.126.207
[253] 2013.3.19 10:51:10	50.137.138.207
[254] 2013.3.19 10:51:10	123.236.35.210
[255] 2013.3.19 10:51:10	72.220.101.211
Attachments
pass: infected
(848.51 KiB) Downloaded 70 times
 #18592  by EP_X0FF
 Tue Mar 19, 2013 2:33 pm
kmd wrote:why this not posted before?
No one asked. Actually it is "somehow" described in few of this ocean of AV copy-paste articles about ZeroAccess botnet - "that's the list, here are IP's".
 #18652  by kmd
 Fri Mar 22, 2013 4:32 pm
interesting i gonna play with zeroaccess and how can i understand which command it used in packet. they are encrypted.
 #18653  by EP_X0FF
 Fri Mar 22, 2013 5:01 pm
kmd wrote:interesting i gonna play with zeroaccess and how can i understand which command it used in packet. they are encrypted.
Code: Select all
	INT c = sizeof(zpacket) >> 2;
	DWORD *p = (PDWORD)zpacket;
	DWORD k = 'ftp2';

	do {
		*p ^= k;
		k = _rotl(k, 1);
		p++; 
		--c;
	} while ( c != 0);
Apply to received zeroaccess data. Once dexored commands will be clearly visible. getL request commands 58 bytes length (request header + 16 bytes of zeroaccess packet), retL - 610 etc.
  • 1
  • 34
  • 35
  • 36
  • 37
  • 38
  • 56