A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #7056  by Xylitol
 Mon Jul 04, 2011 10:43 am
+32
latest grabbed samples before the server shutdown.
Code: Select all
7/3/2011 - 8:06:55 PM - DD825EBA1F63E5867A8CC66DFCA82FB7_porno-rolik4.avi.exe.ViR - http://videoavipfree-cool.info/4/video/porno-rolik4.avi.exe
DONE! ~ WAITING
7/3/2011 - 9:07:09 PM -  Timeout: http://videoavipfree-cool.info/1/video/porno-rolik1.avi.exe
Attachments
pwd: xylibox
(1.42 MiB) Downloaded 54 times
 #7080  by EP_X0FF
 Tue Jul 05, 2011 6:07 am
Another mirror of porno-rolik
hxxp://sexloversosyavi.info/2/video/porno-rolik2.avi.exe

Unblock code: REMOTE

In attach dropper and unpacked.
Attachments
pass: malware
(61.29 KiB) Downloaded 56 times
 #7214  by EP_X0FF
 Mon Jul 11, 2011 2:09 pm
Winlock updated.

They now using new crypter - similar to that used on SpyEye (+ UPX over it).

In attach dropper and unpacked.

Number to call: 9057861720
Unblock code: SUPRA

Source

hxxp://argopornoclubfree.info/1/video/porno-rolik1.avi.exe
hxxp://argopornoclubfree.info/2/video/porno-rolik2.avi.exe
hxxp://argopornoclubfree.info/3/video/porno-rolik3.avi.exe
hxxp://argopornoclubfree.info/4/video/porno-rolik4.avi.exe
hxxp://argopornoclubfree.info/6/video/porno-rolik6.avi.exe
hxxp://argopornoclubfree.info/7/video/porno-rolik7.avi.exe
hxxp://argopornoclubfree.info/8/video/porno-rolik8.avi.exe

hxxp://pornoclubargofree.info/1/video/porno-rolik1.avi.exe
hxxp://pornoclubargofree.info/2/video/porno-rolik2.avi.exe
hxxp://pornoclubargofree.info/3/video/porno-rolik3.avi.exe
hxxp://pornoclubargofree.info/4/video/porno-rolik4.avi.exe
hxxp://pornoclubargofree.info/6/video/porno-rolik6.avi.exe
hxxp://pornoclubargofree.info/7/video/porno-rolik7.avi.exe
hxxp://pornoclubargofree.info/8/video/porno-rolik8.avi.exe

hxxp://freepornoargoclub.info/1/video/porno-rolik1.avi.exe
hxxp://freepornoargoclub.info/2/video/porno-rolik2.avi.exe
hxxp://freepornoargoclub.info/3/video/porno-rolik3.avi.exe
hxxp://freepornoargoclub.info/4/video/porno-rolik4.avi.exe
hxxp://freepornoargoclub.info/6/video/porno-rolik6.avi.exe
hxxp://freepornoargoclub.info/7/video/porno-rolik7.avi.exe
hxxp://freepornoargoclub.info/8/video/porno-rolik8.avi.exe
Attachments
pass: malware
(81.02 KiB) Downloaded 46 times
Last edited by EP_X0FF on Mon Jul 11, 2011 5:13 pm, edited 1 time in total. Reason: edit
 #7225  by Xylitol
 Tue Jul 12, 2011 12:53 pm
+300
Attachments
pwd: xylibox
(3.43 MiB) Downloaded 70 times
pwd: xylibox
(3.43 MiB) Downloaded 42 times
pwd: xylibox
(3.71 MiB) Downloaded 42 times
 #7226  by EP_X0FF
 Tue Jul 12, 2011 1:16 pm
Seems to be crypter has been refined/cleaned. Or they periodically packing winlocks by Mystic and after then with VB crap.

Original
http://www.virustotal.com/file-scan/rep ... 1310475599

Decrypted
http://www.virustotal.com/file-scan/rep ... 1310475825

Location is the same.


EDIT:

More locations:

hxxp://pornobestgirlsforfree.info/1/video/porno-rolik1.avi.exe
hxxp://pornobestgirlsforfree.info/2/video/porno-rolik2.avi.exe
hxxp://pornobestgirlsforfree.info/3/video/porno-rolik3.avi.exe
hxxp://pornobestgirlsforfree.info/4/video/porno-rolik4.avi.exe
hxxp://pornobestgirlsforfree.info/6/video/porno-rolik6.avi.exe
hxxp://pornobestgirlsforfree.info/7/video/porno-rolik7.avi.exe
hxxp://pornobestgirlsforfree.info/8/video/porno-rolik8.avi.exe

alias

hxxp://porevobestgoodsex.info/1/video/porno-rolik1.avi.exe
hxxp://porevobestgoodsex.info/2/video/porno-rolik2.avi.exe
hxxp://porevobestgoodsex.info/3/video/porno-rolik3.avi.exe
hxxp://porevobestgoodsex.info/4/video/porno-rolik4.avi.exe
hxxp://porevobestgoodsex.info/6/video/porno-rolik6.avi.exe
hxxp://porevobestgoodsex.info/7/video/porno-rolik7.avi.exe
hxxp://porevobestgoodsex.info/8/video/porno-rolik8.avi.exe

This one (see attach) multipacked - UPX/VBCrypter/UPX. Skiddies experimenting.
Attachments
pass: malware
(87.48 KiB) Downloaded 41 times
Last edited by EP_X0FF on Tue Jul 12, 2011 5:23 pm, edited 4 times in total. Reason: see edit
 #7288  by EP_X0FF
 Fri Jul 15, 2011 4:33 am
Tango down :)
15.7.2011 HTTP/1.1 302 Found
Date: Fri, 15 Jul 2011 06:12:22 GMT
Server: Apache/2.2.14 (Unix)
Location: http://veseliysexnada4e.info/1/xxx.html
Connection: close
Content-Type: text/html
7:31:32 15.7.2011 DNS Client error:
cannot connect to DNS server ns2.suspended-for.spam-and-abuse.com
cannot connect to DNS server ns1.suspended-for.spam-and-abuse.com
if someone willing to play with email of sucker responsible for this trash

bublikoff@yahoo.com
control question: Dog?
 #7292  by nickvth2009
 Fri Jul 15, 2011 8:53 am
WHOIS for IP address.
Code: Select all
IP Location: 	Germany Germany Marcel Edler Trading As Optimate-server
ASN:          AS197043
IP Address: 	 46.251.237.23 [Whois] [Reverse-Ip] [Ping] [DNS Lookup] [Traceroute]
NetRange:       46.0.0.0 - 46.255.255.255
CIDR:           46.0.0.0/8
OriginAS:       
NetName:        46-RIPE
NetHandle:      NET-46-0-0-0-0
Parent:         
NetType:        Allocated to RIPE NCC
Comment:        These addresses have been further assigned to users in
Comment:        the RIPE NCC region. Contact information can be found in
Comment:        the RIPE database at http://www.ripe.net/whois
RegDate:        2009-09-29
Updated:        2009-09-30
Ref:            http://whois.arin.net/rest/net/NET-46-0-0-0-0

OrgName:        RIPE Network Coordination Centre
OrgId:          RIPE
Address:        P.O. Box 10096
City:           Amsterdam
StateProv:      
PostalCode:     1001EB
Country:        NL
RegDate:        
Updated:        2011-03-15
Ref:            http://whois.arin.net/rest/org/RIPE

ReferralServer: whois://whois.ripe.net:43

OrgTechHandle: RNO29-ARIN
OrgTechName:   RIPE NCC Operations
OrgTechPhone:  +31 20 535 4444 
OrgTechEmail:  
OrgTechRef:    http://whois.arin.net/rest/poc/RNO29-ARIN

== Additional Information From whois://whois.ripe.net:43 ==

inetnum:         46.251.237.0 - 46.251.237.255
netname:         EXETEL-DE
descr:           EXETEL ISP
country:         DE
admin-c:         TJ1504-RIPE
tech-c:          TJ1504-RIPE
status:          ASSIGNED PA
mnt-by:          MNT-WHITE
mnt-lower:       MNT-WHITE
mnt-routes:      MNT-WHITE
source:          RIPE # Filtered

person:         Tim Joe
address:        Krantzstr 7
address:        DE-52070 Aachen
phone:          +49 2415380891
mnt-by:         MNT-WHITE
e-mail:         
nic-hdl:        TJ1504-RIPE
source:         RIPE # Filtered

route:          46.251.224.0/20
descr:          Webtraffic
origin:         AS197043
mnt-by:         MNT-WHITE
source:         RIPE # Filtered
  • 1
  • 9
  • 10
  • 11
  • 12
  • 13
  • 17