A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #8252  by EP_X0FF
 Wed Aug 24, 2011 4:34 am
pigindrin wrote:Hello EP_XOFF, according to your response (page 24), I ´ve checked it and the spyeye version (.exe) is the same. But, I ´ve re-analyzed the sample and it seems the webinject is not the same. Could it be possible?
The C&C to where the malware connects is "263rdasd.com/hfgf/gate.php". Could give me a hand in order to get the webinject? Thanks!
Yes it is possible, servers list and other stuff of the same botmaster can be updated since they moving from server to server periodically after getting into trackers.
Pass for decrypted config of your sample B8861AB9ED87B79CC01DA26263373342

Both from binary and from archive configs attached
Attachments
(215.05 KiB) Downloaded 53 times
(5.37 KiB) Downloaded 49 times
 #8260  by pigindrin
 Wed Aug 24, 2011 7:09 pm
I supposed that. The webinjects could be updated by the botmaster. Thanks for your help. If u could share o give me a couple of tips, url, docs to follow in order to decrypt the spyeye v1.3x, it would be great. :)
 #8290  by EP_X0FF
 Sat Aug 27, 2011 12:45 am
SpyEye v1.3.45

pass for decrypted config: 6CB5879FB91A3B0175742B5FEC117205

Gates:
hxxp://www.eharmony.co.uk/indexx.php;300
hxxp://www.classicandsportscar.com/seo/tran.php;300
hxxp://magicmartini4en1.com/g/login.php;200
hxxp://magicmartini4en10.com/g/login.php;200
hxxp://magicmartini4en117.com/g/login.php;200
Plugins: customconnector

Original, unpacked and decrypted config in attach.

Payload of the Blackhole exploit kit (gera5man5rire.cz.cc/forum.php?post=a728a0e7c4bbccfd)

Original 17/ 43 (39.5%)
http://www.virustotal.com/file-scan/rep ... 1314404611

Unpacked 28/ 44 (63.6%)
http://www.virustotal.com/file-scan/rep ... 1314405589
Attachments
pass: malware
(211.88 KiB) Downloaded 51 times
 #8333  by EP_X0FF
 Mon Aug 29, 2011 3:46 pm
SpyEye v1.3.4x

Extracted as payload of downloader from Blackhole exploit kit.

Pass for decrypted config: 860E922737828539017E64299FB028D6

Gates:
hxxp://hydracock.ru/hydra/sneak.php;90
hxxp://womenlovetdqs.ru/women/calendar.php;90


Plugins: customconnector, ffcertgrabber, ftpbackconnect, rdp, socks5.

Original, unpacked and decrypted config in attach.

http://www.virustotal.com/file-scan/rep ... 1314630931
Attachments
pass: malware
(1.25 MiB) Downloaded 61 times
 #8352  by EP_X0FF
 Tue Aug 30, 2011 3:18 pm
SpyEye v1.3.4x

Extracted as payload of Blackhole exploit kit (kapihuta.co.tv/x11/index.php?tp=b9d37c27031fd84e)

Pass for decrypted config: 9F6EBAF3531712646467F0C54E0D7D24

Gates:
hxxp://frandiss.ru/network/user.php;300
hxxp://gallopusik.ru/phpinfo.php;300
Plugins: customconnect, ccgrabber.

Original, unpacked and decrypted config in attach.

VT 1/ 44 (2.3%)
http://www.virustotal.com/file-scan/rep ... 1314716572
Attachments
pass: malware
(293.93 KiB) Downloaded 52 times
 #8369  by EP_X0FF
 Thu Sep 01, 2011 3:33 am
SpyEye v1.3.4x

Payload of the Blackhole Exploit kit (erdgxrhtyjuyukopgf.cx.cc/main.php?page=c9d2deef18f3c158)

Pass for decrypted config: FD9EBD0F32D1D60DB9E58344C38FABEF

Gates:
hxxp://hoploit888.ru/dns.php;300
hxxp://karmemberitcnoit.ru/awstats.php;300
hxxp://babargeya789.ru/www-secure.php;300
Plugins: customconnect, ccgrabber.

Original, unpacked and decrypted config in attach.

308 Kb of webinjects

VT 1 /44 (2.3%)
http://www.virustotal.com/file-scan/rep ... 1314847523
Attachments
pass: malware
(424.87 KiB) Downloaded 70 times
 #8372  by EP_X0FF
 Thu Sep 01, 2011 3:16 pm
SpyEye v1.3.4x

Payload of the Blackhole Exploit kit (samirko.in/main.php?page=a580bb1f867050f5)

Pass for decrypted config: F2F9A724A66B581CEB0065DC9DEEEA15

Gates:
hxxp://chesterfield.net.in/default.php;300
hxxp://helterhealh.net/twitted.php;350
hxxp://nofrostengland.com/pics4upload.php;500
Plugins: customconnect, ActiveAZ.

Original, unpacked and decrypted config in attach.

VT 2/ 44 (4.5%)
http://www.virustotal.com/file-scan/rep ... 1314888801
Attachments
pass: malware
(450.32 KiB) Downloaded 68 times
  • 1
  • 23
  • 24
  • 25
  • 26
  • 27
  • 42