A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #24735  by MalwareTech
 Wed Dec 24, 2014 2:26 pm
uCares wrote:Some CP from provided samples :
Code: Select all
198.52.160.45/gate.php
654andro.net/phase/gate.php
avastsupport.net/secure/gate.php
blog.l0c4lh0st.pw/dhrgbv/mysql.php
blog.l0c4lh0st.pw/kjvg/gate.php
bz-bz.bz/3Vg6G4ULcCzAbbbdnXZLXjdw3QzamGkNCVV/gate.php
ekhge35uf5.pw/pae/gate.php
fedren.com/json/json.php
i8xyz5tkuf.pw/pae/gate.php
jbcompany.org/gate.php
jrat.se/hemliga/porten.php
ngdata.org/gate.php
nortoncenter.net/secure/gate.php
phasesupport.com/pos/gate.php
ptah.vdsinside.com/dhrgbv/mysql.php
ptah.vdsinside.com/kjvg/gate.php
skoja.ru/hemliga/porten.php
telemetric.pw/Vp845Z5SapkLjURRmEGaaR8Sv4vDSRHjSy/gate.php
vcv.no-ip.biz/gate.php
wutudo.su/hemliga/porten.php
yadruw.com/json/json.php
Too bad they patched the SQL injection yesterday.
 #24738  by MalwareTech
 Wed Dec 24, 2014 5:51 pm
TheExecuter wrote:
MalwareTech wrote:Too bad they patched the SQL injection yesterday.
It seems you have a vendetta against this particular Turd'ware :D
Well, SQL injection + plaintext password, how can i say no? :-)
 #24743  by Vult
 Thu Dec 25, 2014 1:13 pm
uCares wrote:Some CP from provided samples :
Code: Select all
198.52.160.45/gate.php
654andro.net/phase/gate.php
avastsupport.net/secure/gate.php
blog.l0c4lh0st.pw/dhrgbv/mysql.php
blog.l0c4lh0st.pw/kjvg/gate.php
bz-bz.bz/3Vg6G4ULcCzAbbbdnXZLXjdw3QzamGkNCVV/gate.php
ekhge35uf5.pw/pae/gate.php
fedren.com/json/json.php
i8xyz5tkuf.pw/pae/gate.php
jbcompany.org/gate.php
jrat.se/hemliga/porten.php
ngdata.org/gate.php
nortoncenter.net/secure/gate.php
phasesupport.com/pos/gate.php
ptah.vdsinside.com/dhrgbv/mysql.php
ptah.vdsinside.com/kjvg/gate.php
skoja.ru/hemliga/porten.php
telemetric.pw/Vp845Z5SapkLjURRmEGaaR8Sv4vDSRHjSy/gate.php
vcv.no-ip.biz/gate.php
wutudo.su/hemliga/porten.php
yadruw.com/json/json.php

:shock: very surprised how you got the cp url from the bins. i tried hexing but didn't see it ( am not as expert as you guys, still learning )
care share practical steps ?
 #24745  by uCares
 Thu Dec 25, 2014 2:26 pm
Vult wrote: :shock: very surprised how you got the cp url from the bins. i tried hexing but didn't see it ( am not as expert as you guys, still learning )
care share practical steps ?
Extracted from process memory (in these cases explorer.exe) during dynamic analysis
 #24746  by Xylitol
 Thu Dec 25, 2014 3:20 pm
Vult wrote:i tried hexing
if you come just for that then you're not welcome here.
Also a simple cuckoo should do the tricks to get gate urls, in attach, php page from the ram scrapper plugin.
Attachments
infected
(6.14 KiB) Downloaded 89 times
 #24750  by Vult
 Thu Dec 25, 2014 4:37 pm
Xylitol wrote:
Vult wrote:i tried hexing
if you come just for that then you're not welcome here.
Also a simple cuckoo should do the tricks to get gate urls, in attach, php page from the ram scrapper plugin.
not just for that buddy. but to learn real reversing.