A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #26939  by sysopfb
 Tue Oct 13, 2015 11:42 pm
http://www.justice.gov/opa/pr/bugat-bot ... e-disabled

Andrey Ghinkul, aka Andrei Ghincul and Smilex, 30, of Moldova, was charged in a nine-count indictment unsealed today in the Western District of Pennsylvania with criminal conspiracy, unauthorized computer access with intent to defraud, damaging a computer, wire fraud and bank fraud. Ghinkul was arrested on Aug. 28, 2015 in Cyprus. The United States is seeking his extradition.
 #27011  by malwarelabs
 Mon Oct 19, 2015 2:32 pm
I don't know if it's something known or not but on each payload link you can find a readme file and some statistics about download rate.
For example:
hXXp://178.62.7.183:8080/uniq/load.php (hXXp://178.62.7.183:8080/uniq/file/crypted120med.exe) -> https://www.virustotal.com/en/file/2d10 ... /analysis/
hXXp://178.62.7.183:8080/uniq/readme:
--------- Описание ---------
Скрипт для выдачи файла и фиксации уников в мускуле (уникальность сверяется по ипам). Файл располагается в папке "file", под любым именем, с расширением exe, но только в единственном экземпляре.
load.php - скрипт для захода, активирующий счетчик и выдающий файл.
stat.php - стата.
install.php - установщик таблицы в мускул.
--------- Установка ---------
Данные доступа к БД MySQL настраиваются в lib/DBConfig.php. Затем с браузера переходим на install.php и, если все нормально, нас сразу кидает на стату.
--------- Логирование ошибок ---------
В папку "logs" пишутся ошибки php-скриптов и проблемы с выдачей файла.
Ошибки выводятся прямо в браузер везде, кроме как на load.php (юзеру совсем необязательно знать, что у нас мускул отвалился; к тому же иначе корректно не выдастся файл).
--------------
--------- Description ---------
Script for serving files and storing unique ones in MySQL (uniqueness is defined by IPs). The file is located in the folder called 'file'. It has to be the only file in the folder. The filename can be anything, but the extension has to be 'exe'.
load.php - is the entry script that activates the counter and serves the file.
stat.php - is the statistics page.
install.php - creates tables in MySQL
--------- Installation ---------
Login details for the MySQL database are set in lib/DBConfig.php. Next, use the browser to open install.php. If everything went well, you'll be redirected to the statistics page.
--------- Error Logging ---------
PHP script errors and issues with serving the files are recorded in 'logs' folder.
The errors are displayed in the browser for every page, except 'load.php' (users don't have to know MySQL went down; and also it would not serve the file correctly).
--------------
hXXp://178.62.7.183:8080/uniq/stat.php
(screenshot of the stat.php statistics page)
Last edited by Xylitol on Mon Oct 19, 2015 9:37 pm, edited 1 time in total. Reason: Added English translation (thanks @Malwageddon)
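As an added defender-side example (not code from the post, nor from the authors of the loader): a Python script that reads web-proxy log lines in a constructed five-field format, flags any request whose path matches the file layout the readme describes (load.php, stat.php, install.php, readme and file/<name>.exe under /uniq/), and counts unique client addresses per serving host, which is the same unique-by-IP count the loader keeps, seen from the other side. The 178.62.7.183 host and the crypted120med.exe name are the ones quoted above; the 203.0.113.9 address, the client addresses, the log format and every function name are assumptions of this example.

```python
"""Flag proxy-log requests matching the /uniq/ loader layout and count unique
clients per serving host. Example code; log format and names are assumed."""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# Paths taken from the readme; the regex itself is this example's construction.
LOADER_PATH_RE = re.compile(
    r"^/uniq/(load\.php|stat\.php|install\.php|readme|file/[^/]+\.exe)$",
    re.IGNORECASE,
)

# Constructed sample proxy log (not from the page). Fields: timestamp, client IP,
# method, URL, HTTP status. 178.62.7.183 is the host quoted in the post;
# 203.0.113.9 is a constructed documentation-range address. One line is
# deliberately malformed to show that the parser skips it.
SAMPLE_LOG = """\
2015-10-19T14:02:11Z 10.0.0.15 GET http://178.62.7.183:8080/uniq/load.php 200
2015-10-19T14:02:12Z 10.0.0.15 GET http://178.62.7.183:8080/uniq/file/crypted120med.exe 200
2015-10-19T14:05:40Z 10.0.0.22 GET http://www.example.com/index.html 200
2015-10-19T14:06:02Z 10.0.0.40 GET http://178.62.7.183:8080/uniq/load.php 200
2015-10-19T14:07:03Z 10.0.0.31 GET http://203.0.113.9:8080/uniq/load.php 200
2015-10-19T14:09:55Z 10.0.0.22 GET http://www.example.com/uniq/stat.php 404
this line is garbage
"""


def refang(ioc: str) -> str:
    """Turn the hXXp:// defanging used in the post back into a real scheme."""
    return re.sub(r"^hxxp", "http", ioc, flags=re.IGNORECASE)


def is_loader_uri(url: str) -> bool:
    """True when the URL path matches the loader's file layout (host-agnostic)."""
    return LOADER_PATH_RE.match(urlsplit(refang(url)).path) is not None


def parse_line(line: str) -> Optional[Tuple[str, ...]]:
    """Split one log line into its five fields; None for malformed lines."""
    parts = line.split()
    return tuple(parts) if len(parts) == 5 else None


def scan_log(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Map each serving host (netloc) to the (client_ip, path) pairs that hit loader paths."""
    hits: Dict[str, List[Tuple[str, str]]] = defaultdict(list)
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        _ts, client, _method, url, _status = rec
        if not is_loader_uri(url):
            continue
        parts = urlsplit(refang(url))
        hits[parts.netloc].append((client, parts.path))
    return dict(hits)


def summarize(hits: Dict[str, List[Tuple[str, str]]]) -> List[Tuple[str, int, int]]:
    """Rows of (host, unique clients, total requests), most-contacted host first."""
    rows = [(host, len({c for c, _ in recs}), len(recs)) for host, recs in hits.items()]
    return sorted(rows, key=lambda r: (-r[1], -r[2], r[0]))


if __name__ == "__main__":
    for host, uniq, total in summarize(scan_log(SAMPLE_LOG)):
        print(f"{host:<24} unique_clients={uniq} requests={total}")
```

The match is on the path alone, so a request to the same layout on any host is flagged, and a 404 is still reported: the client attempted the fetch, which is what matters for triage. Feed real proxy exports through `parse_line` after adapting the field layout.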