
contagio
malware dump...

by Mila, published: Sun 14 Dec 2014 05:39:00 AM CET.

Collection of Pcap files from malware analysis
14 Dec 2014, 5:39 am
Update: Dec 13, 2014

Despite rare updates of this post, we have been adding pcaps to the collection, so remember to check out the folder (Pcap collection) for the recent pcaps!

Update: Dec 31, 2013 - added new pcaps

I did some spring cleaning yesterday and came up with these malware and exploit pcaps. Such pcaps are very useful for IDS and signature testing and development, general education, and malware identification. There are some online public sandboxes offering pcaps for download, like Cuckoo or Anubis, but looking for them is a tedious task and you cannot be totally sure the pcap is for the malware family supposedly analysed - in other words, if the sandbox says it is Zeus, that does not necessarily mean that it is.

I found some good pcap repositories here (http://www.netresec.com/?page=PcapFiles) but there are very few pcaps from malware.

These are from identified and verified (to the best of my knowledge and belief - email me if you find errors) malware samples.

All of them show the first stage with the initial callback, and most have the DNS requests as well. A few pcaps show extended malware runs (e.g. the purplehaze pcap is over 500 MB).
Most pcaps are mine, a few are from online sandboxes, and one is borrowed from malware.dontneedcoffee.com. That said, I can probably find the corresponding samples for all that have an MD5 listed if you really need them. Search contagio; some are posted with the samples.
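For quick triage of captures like these, here is an added example (not code from the contagio post or its author) that pulls the first-stage indicators the text mentions, DNS query names and HTTP request lines with their Host header, out of a classic pcap using only the Python standard library. The two-packet capture it builds is constructed inline so it runs offline; the hostname c2n.example.test, the URI path and the addresses in it are invented, and only Ethernet/IPv4 frames in the classic (non-pcapng) format are handled.

```python
import socket
import struct

LINKTYPE_ETHERNET = 1


def _dns_name(msg, off):
    """Decode a DNS name at msg[off:], following compression pointers.
    Returns (name, offset just past the name at its original position)."""
    labels, end, jumped = [], None, False
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:                      # pointer to an earlier name
            if not jumped:
                end = off + 2
            off, jumped = struct.unpack_from("!H", msg, off)[0] & 0x3FFF, True
            continue
        off += 1
        if n == 0:
            break
        labels.append(msg[off:off + n].decode("ascii", "replace"))
        off += n
    return ".".join(labels), (end if jumped else off)


def _dns_questions(msg):
    """Names in the question section of a DNS message."""
    if len(msg) < 12:
        return []
    qdcount = struct.unpack_from("!H", msg, 4)[0]
    names, off = [], 12
    for _ in range(qdcount):
        name, off = _dns_name(msg, off)
        names.append(name)
        off += 4                                  # skip QTYPE and QCLASS
    return names


def extract_callbacks(pcap):
    """Walk a classic pcap (Ethernet/IPv4 only) and return
    ([(query_name, dns_server_ip)], [(request_line, host_header, dst_ip)])."""
    magic = struct.unpack_from("<I", pcap, 0)[0]
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a classic pcap (pcapng is not handled here)")
    if struct.unpack_from(endian + "I", pcap, 20)[0] != LINKTYPE_ETHERNET:
        raise ValueError("only LINKTYPE_ETHERNET is handled in this example")
    dns, http, off = [], [], 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack_from(endian + "I", pcap, off + 8)[0]
        frame = pcap[off + 16: off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # IPv4 ethertype
            continue
        ip = frame[14:]
        ihl, proto = (ip[0] & 0x0F) * 4, ip[9]
        dst = socket.inet_ntoa(ip[16:20])
        l4 = ip[ihl:]
        if proto == 17 and len(l4) >= 8 and struct.unpack_from("!H", l4, 2)[0] == 53:
            dns += [(q, dst) for q in _dns_questions(l4[8:])]
        elif proto == 6 and len(l4) >= 20 and struct.unpack_from("!H", l4, 2)[0] == 80:
            data = l4[(l4[12] >> 4) * 4:]         # skip the TCP header (data offset)
            if data[:4] in (b"GET ", b"POST", b"HEAD"):
                lines = data.split(b"\r\n")
                host = next((l.split(b":", 1)[1].strip().decode("ascii", "replace")
                             for l in lines if l[:5].lower() == b"host:"), "")
                http.append((lines[0].decode("ascii", "replace"), host, dst))
    return dns, http


def _ipv4(proto, src, dst, payload):
    """IPv4 header with a zero checksum (the extractor does not verify it)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst)) + payload


def build_sample_pcap():
    """Constructed two-packet capture: a DNS A query, then an HTTP GET.
    Names and addresses are invented for this example."""
    qname = b"\x03c2n\x07example\x04test\x00"
    dns = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)
    udp = struct.pack("!HHHH", 50000, 53, 8 + len(dns), 0) + dns
    http = b"GET /gate.php HTTP/1.1\r\nHost: c2n.example.test\r\n\r\n"
    tcp = struct.pack("!HHIIBBHHH", 50001, 80, 1, 0, 0x50, 0x18, 8192, 0, 0) + http
    pcap = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for ts, pkt in ((1, _ipv4(17, "10.0.0.5", "10.0.0.1", udp)),
                    (2, _ipv4(6, "10.0.0.5", "192.0.2.10", tcp))):
        frame = b"\x00" * 12 + b"\x08\x00" + pkt
        pcap += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    return pcap


if __name__ == "__main__":
    queries, requests = extract_callbacks(build_sample_pcap())
    print("DNS:", queries)
    print("HTTP:", requests)
```

Pass the bytes of any file from the collection to `extract_callbacks` to get the query names and request lines to compare against the sandbox's claimed family; captures saved by newer tools may be pcapng, which this reader rejects rather than misparse.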

Each file has the following naming convention:
BIN [RTF, PDF] (the filetype of the dropper used), malware family name, MD5, and year+month of the malware analysis.

I will be adding more pcaps in the future. Please donate your pcaps from identified samples, I am sure many of you have.

Thank you




Download


Download all together or separately.

All pcap archives have the same password (same scheme); email me if you need it. I tried posting them without any password and with the password 'infected', but they get flagged as malware. Modern AV rips through zips and zips with the password 'infected' with ease.



APT PCAPS

See Library of Malware Traffic Patterns for the corresponding sample downloads and other details

Download all together or separately.
  1. 2012-12-31 BIN_Xinmic_8761F29AF1AE2D6FACD0AE5F487484A5-pcap
  2. 2013-09-08 BIN_TrojanPage_86893886C7CBC7310F7675F4EFDE0A29-pcap
  3. 2013-09-08 BIN_Darkcomet_DC98ABBA995771480AECF4769A88756E-pcap
  4. 2013-09-02 8202_tbd_ 6D2C12085F0018DAEB9C1A53E53FD4D1-pcap
  5. 2013-09-02 BIN_8202_6d2c12085f0018daeb9c1a53e53fd4d1-pcap
  6. 2013-09-02 BIN_Vidgrab_6fd868e68037040c94215566852230ab-pcap
  7. 2013-09-02 BIN_PlugX_2ff2d518313475a612f095dd863c8aea-pcap
  8. 2013-09-02 BIN_Taidoor_46ef9b0f1419e26f2f37d9d3495c499f-pcap
  9. 2013-09-02 BIN_Vidgrab_660709324acb88ef11f71782af28a1f0-pcap
  10. 2013-09-02 BIN_Gh0st-gif_f4d4076dff760eb92e4ae559c2dc4525-pcap.zip
  11. 2013-07-15 BIN_Taleret.E_5328cfcb46ef18ecf7ba0d21a7adc02c.pcap
  12. 2013-05-14 BIN_Mediana_0AE47E3261EA0A2DBCE471B28DFFE007_2012-10.pcap
  13. 2013-05-14 BIN_Hupigon_8F90057AB244BD8B612CD09F566EAC0C
  14. 2013-05-14 BIN_LetsGo_yahoosb_b21ba443726385c11802a8ad731771c0_2011-07-19
  15. 2013-05-13 BIN_IXESHE_0F88D9B0D237B5FCDC0F985A548254F2-2013-05-pcap
  16. 2013-05-06 BIN_DNSWatch_protux_4F8A44EF66384CCFAB737C8D7ADB4BB8_2012-11-pcap
  17. 2013-05-06 BIN_9002_D4ED654BCDA42576FDDFE03361608CAA_2013-01-30-pcap
  18. 2013-05-06 BIN_BIN_RssFeeder_68EE5FDA371E4AC48DAD7FCB2C94BAC7-2012-06-pcap (not a common name, see the traffic sheet http://bit.ly/maltraffic )
  19. 2013-04-30 BIN_MSWab_Yayih_FD1BE09E499E8E380424B3835FC973A8_us-pcap
  20. 2013-04-29 BIN_LURK_AF4E8D4BE4481D0420CCF1C00792F484_20120-10-pcap
  21. 2013-04-29 BIN_XTremeRAT_DAEBFDED736903D234214ED4821EAF99_2013-04-13-pcap
  22. BIN_Enfal_Lurid_0fb1b0833f723682346041d72ed112f9_2013-01.pcap
  23. BIN_Gh0st_variant-v2010_B1D09374006E20FA795B2E70BF566C6D_2012-08.pcap
  24. BIN_Likseput_E019E37F19040059AB5662563F06B609_2012-10.pcap
  25. BIN_Nettravler_1f26e5f9b44c28b37b6cd13283838366.pcap
  26. BIN_Nettravler_DA5832657877514306EDD211DEF61AFE_2012-10.pcap
  27. BIN_Sanny-Daws_338D0B855421867732E05399A2D56670_2012-10.pcap
  28. BIN_Sofacy_a2a188cbf74c1be52681f998f8e9b6b5_2012-10.pcap
  29. BIN_Taidoor_40D79D1120638688AC7D9497CC819462_2012-10.pcap
  30. BIN_TrojanCookies_840BD11343D140916F45223BA05ABACB_2012_01.pcap
  31. PDF_CVE-2011-2462_Pdf_2011-12.pcap
  32. RTF_Mongall_Dropper_Cve-2012-0158_C6F01A6AD70DA7A554D48BDBF7C7E065_2013-01.pcap
  33. OSX_DocksterTrojan.pcap

CRIMEWARE PCAPS

See Library of Malware Traffic Patterns for the corresponding sample downloads and other details

Download all together or separately.
  1. 2013-11-12_BIN_ChePro_2A5E5D3C536DA346849750A4B8C8613A-1.pcap
  2. 2013-10-15_BIN_cryptolocker_9CBB128E8211A7CD00729C159815CB1C.pcap
  3. 2013-09-20_BIN_Lader-dlGameoverZeus_12cfe1caa12991102d79a366d3aa79e9.pcap
  4. 2013-09-08 BIN_Tijcont_845B0945D5FE0E0AAA16234DC21484E0-pcap
  5. 2013-09-08 BIN_Kelihos_C94DC5C9BB7B99658C275B7337C64B33-pcap.zip
  6. 2013-08-19 BIN_Nitedrem_508af8c499102ad2ebc1a83fdbcefecb-pcap
  7. 2013-08-17 BIN_sality_CEAF4D9E1F408299144E75D7F29C1810-pcap
  8. 2013-08-15 BIN_torpigminiloader-pcap.zip
  9. 2013-13-08 EK_popads_109.236.80.170_2013-08-13.pcap
  10. 2013-11-08 BIN_Alinav5.3_4C754150639AA3A86CA4D6B6342820BE.pcap
  11. 2013-08-08 BIN_BitcoinMiner_F865C199024105A2FFDF5FA98F391D74-pcap
  12. 2013-08-07 BIN_ZeroAccess_Sirefef_C2A9CCC8C6A6DF1CA1725F955F991940_2013-08-pcap
  13. 2013-07-05 BIN_Kuluoz-Asprox_9F842AD20C50AD1AAB41F20B321BF84B
  14. 2013-05-31 Wordpress-Mutopy_Symmi_20A6EBF61243B760DD65F897236B6AD3-2pcap.pcap
  15. 2013-05-15 BIN_Zeus_b1551c676a54e9127cd0e7ea283b92cc-2012-04.pcap
  16. 2013-05-15 BIN_Gypthoy_3EE49121300384FF3C82EB9A1F06F288-2013-05.pcap
  17. 2013-05-12 BIN_PassAlert_B4A1368515C6C39ACEF63A4BC368EDB2-2013-05-13
  18. 2013-05-12 BIN_HorstProxy_EFE5529D697174914938F4ABF115F762-2013-05-13-pcap
  19. 2013-05-12 BIN_Bitcoinminer_12E717293715939C5196E604591A97DF-2013-05-12-pcap
  20. 2013-05-07 BIN_ZeroAccess_Sirefef_29A35124ABEAD63CD8DB2BBB469CBC7A_2013-05-pcapc
  21. 2013-05-05 BIN_PowerLoader_4497A231DA9BD0EEA327DDEC4B31DA12_2013-05-pcap
  22. 2013-05-05 BIN_GameThief_ECBA0FEB36F9EF975EE96D1694C8164C_2013-03-pcap
  23. 2013-05-05 BIN_PowerLoader_4497A231DA9BD0EEA327DDEC4B31DA12_2013-05-pcap
  24. 2013-04-27 EK_BIN_Blackhole_leadingto_Medfos_0512E73000BCCCE5AFD2E9329972208A_2013-04-pcap
  25. 2013-04-26 -- BIN_Citadel_3D6046E1218FB525805E5D8FDC605361-2013-04-samp 
  26. BIN_CitadelPacked_2012-05.pcap
  27. BIN_CitadelUnpacked_2012-05.pcap
  28. BIN_Cutwail_284Fb18Fab33C93Bc69Ce392D08Fd250_2012-10.pcap
  29. BIN_Darkmegi_2012-04.pcap
  30. BIN_DarknessDDoS_v8g_F03Bc8Dcc090607F38Ffb3A36Ccacf48_2011-01.pcap-
  31. BIN_dirtjumper_2011-10.pcap
  32. BIN_DNSChanger_2011-12.pcap
  33. BIN_Drowor_worm_0f015bb8e2f93fd7076f8d178df2450d_2013-04.pcap
  34. BIN_Googledocs_macadocs_2012-12.pcap
  35. BIN_Imaut_823e9bab188ad8cb30c14adc7e67066d.pcap
  36. BIN_IRCbot_c6716a417f82ccedf0f860b735ac0187_2013-04.pcap
  37. BIN_Kelihos_aka_Nap_0feaaa4adc31728e54b006ab9a7e6afa.pcap
  38. BIN_LoadMoney_MailRu_dl_4e801b46068b31b82dac65885a58ed9e_2013-04 .pcap
  39. BIN_purplehaze-2012-01.pcap
  40. BIN_ponyloader_470a6f47de43eff307a02f53db134289.pcap
  41. BIN_Ramnitpcap_2012-01.pcap
  42. BIN_Reedum_0ca4f93a848cf01348336a8c6ff22daf_2013-03.pcap
  43. BIN_SpyEye_2010-02.pcap
  44. BIN_Stabuniq_F31B797831B36A4877AA0FD173A7A4A2_2012-12.pcap
  45. BIN_Tbot_23AAB9C1C462F3FDFDDD98181E963230_2012-12.pcap
  46. BIN_Tbot_2E1814CCCF0C3BB2CC32E0A0671C0891_2012-12.pcap
  47. BIN_Tbot_5375FB5E867680FFB8E72D29DB9ABBD5_2012-12.pcap
  48. BIN_Tbot_A0552D1BC1A4897141CFA56F75C04857_2012-12.pcap
  49. BIN_Tbot_FC7C3E087789824F34A9309DA2388CE5_2012-12.pcap
  50. BIN_Tinba_2012-06.pcap
  51. BIN_Vobfus_634AA845F5B0B519B6D8A8670B994906_2012-12.pcap
  52. BIN_Xpaj_2012-05.pcap
  53. BIN_ZeroAccess_3169969E91F5FE5446909BBAB6E14D5D_2012-10.pcap
  54. BIN_ZeusGameover_2012-02.pcap
  55. BIN_Zeus_2010-12.pcap
  56. EK_Blackholev1_2012-03.pcap
  57. EK_Blackholev1_2012-08.pcap
  58. EK_Blackholev2_2012-09.pcap
  59. EK_Blackhole_Java_CVE-2012-4681_2012-08.pcap
  60. EK_Phoenix_2012-04.pcap
  61. EK_Smokekt150(Malwaredontneedcoffee)_2012-09.pcap -  credit malware.dontneedcoffee.com




An Overview of Exploit Packs (Update 21) Dec 2014
12 Dec 2014, 10:30 pm
Update December 12, 2014


Reference table : Exploit References 2014







Update Jan 8, 2014

This is version 20 of the exploit pack table - see the added exploit packs and vulnerabilities listed below.

Exploit Pack Table Update 20
Click to view or download from Google Apps

I want to give special thanks to Kafeine, L0NGC47, Fibon and Curt Shaffer for their help and the updates they made. Note the new Yara rules sheet/tab for Yara rules for exploit kits.
I also want to thank Kahu Security, Kafeine, Malforsec and all security companies listed in References for their research.

If you wish to be a contributor (be able to update/change the exploits or add yara rules), please contact me :)
If you have additions or corrections, please email, leave post comments, or tweet (@snowfl0w) < thank you!

The Wild Wild West image was created by Kahu Security  - It shows current and retired (retiring) kits.

List of changed kits (the table columns did not survive extraction; each block below gives the kit names of the header row, followed by the CVEs listed under them in the original row order)

Gong Da / GonDad | Redkit 2.2 | x2o (Redkit Light) | Fiesta (=Neosploit) | Cool | Styxy DotkaChef
CVE-2011-3544, CVE-2013-2551, CVE-2013-2465, CVE-2010-0188, CVE-2010-0188, CVE-2012-5692
CVE-2012-0507, CVE-2013-2471, CVE-2013-0074/3896, CVE-2011-3402, CVE-2013-1493
CVE-2012-1723, CVE-2013-1493, CVE-2013-0431
CVE-2013-0431
CVE-2013-2423
CVE-2012-1889, CVE-2013-2460, CVE-2013-0634, CVE-2013-1493
CVE-2012-4681, CVE-2013-2551, CVE-2013-2423
CVE-2012-5076
CVE-2013-0422
CVE-2013-0634
CVE-2013-2465

Angler | FlashPack = SafePack | White Lotus | Magnitude (Popads) | Nuclear 3.x | Sweet Orange
CVE-2013-0074/3896, CVE-2013-0074/3896, CVE-2011-3544, CVE-2011-3402, CVE-2010-0188, CVE-2013-2423
CVE-2013-0634, CVE-2013-2551, CVE-2013-2465, CVE-2012-0507, CVE-2012-1723, CVE-2013-2471
CVE-2013-2551, CVE-2013-2551, CVE-2013-0634, CVE-2013-0422, CVE-2013-2551
CVE-2013-5329, CVE-2013-2460, CVE-2013-2423
CVE-2013-2471 ??, CVE-2013-2471, CVE-2013-2460
CVE-2013-2551, CVE-2013-2551

CK | HiMan | Neutrino | Blackhole (last) | Grandsoft | Private EK
CVE-2011-3544, CVE-2010-0188, CVE-2013-0431, CVE-2013-0422, CVE-2010-0188, CVE-2006-0003
CVE-2012-1889, CVE-2011-3544, CVE-2013-2460, CVE-2013-2460, CVE-2011-3544, CVE-2010-0188
CVE-2012-4681, CVE-2013-0634, CVE-2013-2463*, CVE-2013-2471, CVE-2013-0422, CVE-2011-3544
CVE-2012-4792*, CVE-2013-2465, CVE-2013-2465*, and + all or some exploits from the previous version, CVE-2013-2423, CVE-2013-1347
CVE-2013-0422, CVE-2013-2551, CVE-2013-2551, CVE-2013-2463, CVE-2013-1493
CVE-2013-0634, CVE-2013-2423
CVE-2013-3897, possibly + exploits from the previous version, CVE-2013-2460
* switch 2463* <> 2465*; * removed from the previous version

Sakura 1.x | LightsOut | Glazunov | Rawin | Flimkit | Cool EK (Kore-sh) | Kore (formerly Sibhost)
CVE-2013-2471, CVE-2012-1723, CVE-2013-2463, CVE-2012-0507, CVE-2012-1723, CVE-2013-2460, CVE-2013-2423
CVE-2013-2460, CVE-2013-1347, CVE-2013-2471, CVE-2013-1493, CVE-2013-2423, CVE-2013-2463, CVE-2013-2460
and + all or some exploits from the previous version, CVE-2013-1690, CVE-2013-2423, CVE-2013-2471, CVE-2013-2463
CVE-2013-2465, CVE-2013-2471

Styx 4.0 | Cool | Topic EK | Nice EK
CVE-2010-0188, CVE-2012-0755, CVE-2013-2423, CVE-2012-1723
CVE-2011-3402, CVE-2012-1876
CVE-2012-1723, CVE-2013-0634
CVE-2013-0422, CVE-2013-2465
CVE-2013-1493, CVE-2013-2471
CVE-2013-2423, and + all or some exploits from the previous version
CVE-2013-2460
CVE-2013-2463
CVE-2013-2472
CVE-2013-2551
Social Eng








=================================================================

The Exploit Pack Table has been updated and you can view it here.

Exploit Pack Table Update 19.1  - View or Download from Google Apps

If you keep track of exploit packs and can/wish  to contribute and be able to make changes, please contact me (see email in my profile)
I want to thank L0NGC47, Fibon, and Kafeine,  Francois Paget, Eric Romang, and other researchers who sent information for their help.




Update April 28, 2013 - added CVE-2013-2423 (Released April 17, 2013) to several packs. 
Now the following packs serve the latest Java exploit (update your Java!)

  1. Styx
  2. Sweet Orange
  3. Neutrino
  4. Sakura
  5. Whitehole
  6. Cool
  7. Safe Pack
  8. Crime Boss
  9. CritX



Other changes
Updated:
  1. Whitehole
  2. Redkit
  3. Nuclear
  4. Sakura
  5. Cool Pack
  6. Blackhole
  7. Gong Da
Added:
  1. KaiXin
  2. Sibhost
  3. Popads 
  4. Alpha Pack
  5. Safe Pack
  6. Serenity
  7. SPL Pack

    There are 5 tabs in the bottom of the sheet
  1. 2011-2013
  2. References
  3. 2011 and older
  4. List of exploit kits
  5. V. 16 with older credits



March 2013
The Exploit Pack Table, which has just been updated, has migrated to Google Apps - the link is below. The new format will allow easier viewing and access for those who volunteered their time to keep it up to date.

In particular, I want to thank
L0NGC47, Fibon, and Kafeine  for their help.

There are 5 tabs in the bottom of the sheet
  1. 2011-2013
  2. References
  3. 2011 and older
  4. List of exploit kits
  5. V. 16 with older credits
The updates include
  1. Neutrino  - new
  2. Cool Pack - update
  3. Sweet Orange - update
  4. SofosFO aka Stamp EK - new
  5. Styx 2.0 - new
  6. Impact - new
  7. CritXPack - new
  8. Gong Da  - update
  9. Redkit - update
  10. Whitehole - new
  11. Red Dot  - new





The long overdue Exploit pack table Update 17 is finally here. It got a colorful facelift and has newer packs (Dec. 2011-today) on a separate sheet for easier reading.
Updates / new entries for the following packs have been added (see exploit listing below)


  1. Redkit 
  2. Neo Sploit
  3. Cool Pack
  4. Black hole 2.0
  5. Black hole 1.2.5
  6. Private no name
  7. Nuclear 2.2 (Update to 2.0 - actual v. # is unknown)
  8. Nuclear 2.1  (Update to 2.0 - actual v. # is unknown)
  9. CrimeBoss
  10. Grandsoft
  11. Sweet Orange 1.1 (Update to 1.0 - actual v. # is unknown)
  12. Sweet Orange 1.0
  13. Phoenix  3.1.15
  14. NucSoft
  15. Sakura 1.1 (Update to 1.0  actual v. # is unknown)
  16. AssocAID (unconfirmed)  






Exploit lists for the added/updated packs


AssocAID (unconfirmed)
09-'12
CVE-2011-3106
CVE-2012-1876
CVE-2012-1880
CVE-2012-3683
Unknown CVE
5


Redkit
08-'12
CVE-2010-0188
CVE-2012-0507
CVE-2012-4681
3

Neo Sploit
09-'12
CVE-2012-1723
CVE-2012-4681
2?

Cool
08-'12
CVE-2006-0003
CVE-2010-0188
CVE-2011-3402
CVE-2012-0507
CVE-2012-1723
CVE-2012-4681
5

Black hole 2.0
09-'12
CVE-2006-0003
CVE-2010-0188
CVE-2012-0507
CVE-2012-1723
CVE-2012-4681
CVE-2012-4969 promised
5

Black hole 1.2.5
08-'12
CVE-2006-0003
CVE-2007-5659 /2008-0655
CVE-2008-2992
CVE-2009-0927
CVE-2010-0188
CVE-2010-1885
CVE-2011-0559
CVE-2011-2110
CVE-2012-1723
CVE-2012-1889
CVE-2012-4681
11

Private no name
09-'12
CVE-2010-0188
CVE-2012-1723
CVE-2012-4681
3

Nuclear 2.2 (Update to 2.0 - actual v. # is unknown)
03-'12
CVE-2010-0188
CVE-2011-3544
CVE-2012-1723
CVE-2012-4681
4

Nuclear 2.1 (Update to 2.0 - actual v. # is unknown)
03-'12
CVE-2010-0188
CVE-2011-3544
CVE-2012-1723
3

CrimeBoss
09-'12
Java Signed Applet
CVE-2011-3544
CVE-2012-4681
3

Grandsoft
09-'12
CVE-2010-0188
CVE-2011-3544
2?

Sweet Orange 1.1
09-'12
CVE-2006-0003
CVE-2010-0188
CVE-2011-3544
CVE-2012-4681
4?

Sweet Orange 1.0
05-'12
CVE-2006-0003
CVE-2010-0188
CVE-2011-3544
3?

Phoenix 3.1.15
05-'12
CVE-2010-0842
CVE-2010-0248
CVE-2011-2110
CVE-2011-2140
CVE-2011-2371
CVE-2011-3544
CVE-2011-3659
Firefox social
CVE-2012-0500
CVE-2012-0507
CVE-2012-0779
11

NucSoft
2012
CVE-2010-0188
CVE-2012-0507
2

Sakura 1.1
08-'12
CVE-2006-0003
CVE-2010-0806
CVE-2010-0842
CVE-2011-3544
CVE-2012-4681
5


Version 16. April 2, 2012

Thanks to Kahu security
for Wild Wild West graphic 

The full table in xls format - Version 16 can be downloaded from here.
ADDITIONS AND CHANGES:

1. Blackhole Exploit Kit 1.2.3
Added:
  1. CVE-2011-0559 - Flash memory corruption via F-Secure
  2. CVE-2012-0507 - Java Atomic via Krebs on Security
  3. CVE-2011-3544 - Java Rhino  via Krebs on Security
2. Eleonore Exploit Kit 1.8.91 and above - via Kahu Security
Added:
  1. CVE-2012-0507 - Java Atomic - after 1.8.91 was released
  2. CVE-2011-3544 - Java Rhino
  3. CVE-2011-3521 - Java Upd.27 - see Timo Hirvonen, Contagio, Kahu Security and Michael 'mihi' Schierl
  4. CVE-2011-2462 - Adobe PDF U3D
Also includes
"Flash pack" (presumably the same as before)
"Quicktime" - CVE-2010-1818 ?
3. Incognito Exploit Pack v.2 and above 
there are rumors that Incognito development stopped after v.2 in 2011 and it is a different pack now. If you know, please send links or files.

Added after v.2 was released:
  1. CVE-2012-0507 - Java Atomic
See V.2 analysis via StopMalvertizing

4. Phoenix Exploit Kit v3.1 - via Malware Don't Need Coffee
Added:
  1. CVE-2012-0507 -  Java Atomic
  2. CVE-2011-3544 -  Java Rhino + Java TC (in one file)

5. Nuclear Pack v.2 - via TrustWave Spiderlabs


  1. CVE-2011-3544 Oracle Java Rhino
  2. CVE-2010-0840 JRE Trusted Method Chaining
  3. CVE-2010-0188 Acrobat Reader  – LibTIFF
  4. CVE-2006-0003 MDAC
6. Sakura Exploit Pack > v.1 via DaMaGeLaB

  1. CVE-2011-3544 - Java Rhino (It was in Exploitpack table v15, listing it to show all packs with this exploit)

7. Chinese Zhi Zhu Pack via Kahu Security and Francois Paget (McAfee)
  1. CVE-2012-0003 -  WMP MIDI 
  2. CVE-2011-1255 - IE Time Element Memory Corruption
  3. CVE-2011-2140 - Flash 10.3.183.x
  4. CVE-2011-2110 - Flash 10.3.181.x 
  5. CVE-2010-0806 - IEPeers

8. Gong Da Pack via Kahu Security 
  1. CVE-2011-2140  - Flash 10.3.183.x
  2. CVE-2012-0003 -  WMP MIDI  
  3. CVE-2011-3544 - Java Rhino 





  1. CVE-2010-0886 - Java SMB
  2. CVE-2010-0840 - JRE Trusted Method Chaining
  3. CVE-2008-2463 - Snapshot
  4. CVE-2010-0806 - IEPeers
  5. CVE-2007-5659/2008-0655 - Collab.collectEmailInfo
  6. CVE-2008-2992 - util.printf
  7. CVE-2009-0927 - getIco
  8. CVE-2009-4324 - newPlayer



Version 15. January 28, 2012

Additions - with many thanks to Kahu Security

 Hierarchy Exploit Pack
=================
CVE-2006-0003
CVE-2009-0927
CVE-2010-0094
CVE-2010-0188
CVE-2010-0806
CVE-2010-0840
CVE-2010-1297
CVE-2010-1885
CVE-2011-0611
JavaSignedApplet


Siberia Private
==========
CVE-2005-0055
CVE-2006-0003
CVE-2007-5659
CVE-2008-2463
CVE-2008-2992
CVE-2009-0075
CVE-2009-0927
CVE-2009-3867
CVE-2009-4324
CVE-2010-0806


Techno XPack
===========
CVE-2008-2992
CVE-2010-0188
CVE-2010-0842
CVE-2010-1297
CVE-2010-2884
CVE-2010-3552
CVE-2010-3654
JavaSignedApplet


"Yang Pack"
=========
CVE-2010-0806
CVE-2011-2110
CVE-2011-2140
CVE-2011-354




Version 14. January 19, 2012


Version 14 Exploit Pack table additions:

Credits for the excellent Wild Wild West (October 2011 edition) go to kahusecurity.com

With many thanks to  XyliBox (Xylitol - Steven),  Malware Intelligence blog,  and xakepy.cc for the information:

  1. Blackhole 1.2.1  (Java Rhino added, weaker Java exploits removed)
  2. Blackhole 1.2.1 (Java Skyline added)
  3. Sakura Exploit Pack 1.0  (new kid on the block, private pack)
  4. Phoenix 2.8. mini (condensed version of 2.7)
  5. Fragus Black (weak Spanish twist on the original, black colored admin panel, a few old exploits added)
If you find any errors or CVE information for packs not featured, please send it to my email (in my profile above, thank you very much).
The full table in xls format - Version 14 can be downloaded from here. 

The exploit pack table in XLSX format
The exploit pack table in csv format 

P.S. There are always corrections and additions thanks to your feedback after the document release, come back in a day or two to check in case v.15 is out.



Version 13. Aug 20, 2011


Kahusecurity issued an updated version of their Wild Wild West graphic that will help you learn Who is Who in the world of exploit packs. You can view the full version of their post in the link above.

Version 13 exploit pack table additions:
  1. Bleeding Life 3.0
  2. Merry Christmas Pack (many thanks to kahusecurity.com)+
  3. Best Pack (many thanks to kahusecurity.com)
  4. Sava Pack (many thanks to kahusecurity.com)
  5. LinuQ 
  6. Eleonore 1.6.5
  7. Zero Pack
  8. Salo Pack (incomplete but it is also old)



List of packs in the table in alphabetical order
  1. Best Pack
  2. Blackhole Exploit 1.0
  3. Blackhole Exploit 1.1
  4. Bleeding Life 2.0
  5. Bleeding Life 3.0
  6. Bomba
  7. CRIMEPACK 2.2.1
  8. CRIMEPACK 2.2.8
  9. CRIMEPACK 3.0
  10. CRIMEPACK 3.1.3
  11. Dloader
  12. El Fiesta
  13. Eleonore 1.3.2
  14. Eleonore 1.4.1
  15. Eleonore 1.4.4 Moded
  16. Eleonore 1.6.3a
  17. Eleonore 1.6.4
  18. Eleonore 1.6.5
  19. Fragus 1
  20. Icepack
  21. Impassioned Framework 1.0
  22. Incognito
  23. iPack
  24. JustExploit
  25. Katrin
  26. Merry Christmas Pack
  27. Liberty  1.0.7
  28. Liberty 2.1.0*
  29. LinuQ pack
  30. Lupit
  31. Mpack
  32. Mushroom/unknown
  33. Open Source Exploit (Metapack)
  34. Papka
  35. Phoenix  2.0 
  36. Phoenix 2.1
  37. Phoenix 2.2
  38. Phoenix 2.3
  39. Phoenix 2.4
  40. Phoenix 2.5
  41. Phoenix 2.7
  42. Robopak
  43. Salo pack
  44. Sava Pack
  45. SEO Sploit pack
  46. Siberia
  47. T-Iframer
  48. Unique Pack Sploit 2.1
  49. Webattack
  50. Yes Exploit 3.0RC
  51. Zero Pack
  52. Zombie Infection kit
  53. Zopack


----------------------------------------------
Bleeding Life 3.0
New Version Ad is here 

Merry Christmas Pack
read analysis at
kahusecurity.com
  
Best Pack
read analysis at 
kahusecurity.com
Sava Pack
read analysis at
kahusecurity.com
Eleonore 1.6.5 
[+] CVE-2011-0611
[+] CVE-2011-0559
[+] CVE-2010-4452
[-] CVE-2010-0886
Salo Pack
Old (2009), added just for
the collection


Zero Pack
62 exploits from various packs (mostly Open Source pack)
LinuQ pack
Designed to compromise Linux servers using vulnerable phpMyAdmin. Comes with a DDoS bot, but any kind of code can be loaded for Linux botnet creation.
LinuQ pack is a phpMyAdmin exploit pack with 4 PMA exploits based on a previous Russian version of the Romanian PMA scanner ZmEu. It is not considered to be original, unique, new, or anything special. All exploits are public and well known.


It is designed to be installed on an IRC server (like UnrealIRCd). IP ranges listed in bios.txt are scanned, vulnerable IPs and the specific PMA vulnerabilities are written to vuln.txt, and then the corresponding exploits can be launched against the vulnerable server. It is more like a bot using PMA vulnerabilities than an exploit pack.
It is using
CVE-2009-1148 (unconfirmed)
CVE-2009-1149 (unconfirmed)
CVE-2009-1150 (unconfirmed)
CVE-2009-1151 (confirmed)




 ====================================================================
Version 12. May 26, 2011
additional changes (many thanks to kahusecurity.com)
Bomba
Papka

See the list of packs covered in the list below


The full table in xls format - Version 12 can be downloaded from here.
I want to thank everyone who sent packs and information  :)





Version 11 May 26, 2011 Changes:
    1. Phoenix2.7
    2. "Dloader" (well, dloader is a loader but the pack is  some unnamed pack http://damagelab.org/lofiversion/index.php?t=20852)
    3. nuclear pack
    4. Katrin
    5. Robopak
    6. Blackhole exploit kit 1.1.0
    7. Mushroom/unknown
    8. Open Source Exploit kit






    ====================================================================

    10. May 8, 2011 Version 10        Exploit Pack Table_V10May11
    First, I want to thank everyone who sent and posted comments for updates and corrections. 

    *** The Wild Wild West picture is from a great post about evolution of exploit packs by Kahu Security  Wild Wild West Update


    As usual, send your corrections and update lists.


    Changes:
    • Eleonore 1.6.4
    • Eleonore 1.6.3a
    • Incognito
    • Blackhole
    Go1Pack (not included) was reported as being a fake pack; here is a GUI. Here is a Threatpost article referencing it as it was used for an attack.
    Also, here is another article claiming it is not a fake: http://community.websense.com/blogs/securitylabs/archive/2011/04/19/Mass-Injections-Leading-to-g01pack-Exploit-Kit.aspx
    Go1 Pack CVE are reportedly
    CVE-2006-0003
    CVE-2009-0927
    CVE-2010-1423
    CVE-2010-1885

    Does anyone have this pack or see it offered for sale?

    Exploit kits I am planning to analyze and add (and/or find CVE listing for) are:

    • Open Source Exploit Kit
    • SALO
    • K0de

    Legend: 
    Black color entries by Francois Paget
    Red color entries by Gunther
    Blue color entries by Mila

    Also, here is a great presentation by Ratsoul (Donato Ferrante) about Java Exploits (http://www.inreverse.net/?p=1687)

    --------------------------------------------------------
     9.  April 5, 2011  Version 9        ExploitPackTable_V9Apr11

    It actually needs another update but I am posting it now and will issue version 10 as soon as I can.

    Changes:
    Phoenix 2.5
    IFramer
    Tornado
    Bleeding life

    Many thanks to Gunther for his contributions.
    If you wish to add some, please send your info together with the reference links. Also please feel free to send corrections if you notice any mistakes






    8. Update 8 Oct 22, 2010 Version 8 ExploitPackTable_V8Oct22-10

    Changes: 
    1. Eleonore 1.4.4 Moded added (thanks to malwareint.blogspot.com)
    2. Correction on CVE-2010-0746 in Phoenix 2.2 and 2.3. It is a mistake and the correct CVE is CVE-2010-0886 (thanks to etonshell for noticing)
    3. SEO Sploit pack added (thanks to whsbehind.blogspot.com,  evilcodecave.blogspot.com and blog.ahnlab.com)


    7. Update 7 Oct 18, 2010 Version 7 ExploitPackTable_V7Oct18-10 released
     thanks to SecNiche we have updates for Phoenix 2.4 :)
      
    We also added shorthand/slang/abbreviated names for exploits for easy matching of exploits to CVE in the future. Please send us more information re packs, exploit names that can be added in the list. Thank you!

     
    6. Update 6 Sept 27, 2010 Version 6 ExploitPackTable_V6Sept26-10 released
     Thanks to Francois Paget (McAfee) we have updates for Phoenix 2.2 and Phoenix 2.3


    5. Update 5. Sept 27, 2010 Version 5 ExploitPackTable_V5Sept26-10 released
    Added updates for Phoenix 2.1 and Crimepack 3.1.3

      
    4 Update 4  July 23, 2010  Version 4 ExploitPackTable_V4Ju23-10 released. Added a new Russian exploit kit called Zombie Infection Kit to the table. Read more at malwareview.com
    Update 3  July 7, 2010. Please read more about this on the Brian Krebs' blog Pirate Bay Hack Exposes User Booty 
    Update 2 June 27, 2010 Sorry but Impassioned Framework is back where it belongs - blue
    Update 1 June 24, 2010 Eleonore 1.4.1 columns was updated to include the correct list of the current exploits.

    Francois Paget  www.avertlabs.com kindly agreed to allow us to make additions to his Overview of Exploit Packs table published on Avertlabs (McAfee Blog)

    Many thanks to Gunther from ARTeam for his help with the update. There are a few blanks and question marks; please do not hesitate to email me if you know the answer or if you see any errors.



    Please click on the image below to expand it (it is a partial screenshot)  Impassioned Framework is tentatively marked a different color because the author claims it is a security audit tool not exploit pack. However, there was no sufficient information provided yet to validate such claims. The pack is temporarily/tentatively marked a different color. We'll keep you posted.




    AlienSpy Java RAT samples and traffic information
    17 Nov 2014, 10:16 pm


    AlienSpy, a Java-based cross-platform RAT, is another reincarnation of the ever popular Unrecom/Adwind and Frutas RATs that have been circulating through 2014.

    It appears to be used in the same campaigns as Unrecom/Adwind - see the references. If the C2 responds, the Java RAT downloads jar files containing the Windows Pony/Ponik loader. The RAT is cross-platform and installs and beacons from OSX and Linux as well. However, it did not download any additional malware while running on OSX and Linux.

    The samples, pcaps, and traffic protocol information  are available below.




    File information


    I
    File: DB46ADCFAE462E7C475C171FBE66DF82_paymentadvice.jar
    Size: 131178
    MD5:  DB46ADCFAE462E7C475C171FBE66DF82

    File: 01234.exe (Pony loader dropped by FAB8DE636D6F1EC93EEECAADE8B9BC68 - Transfer.jar)
    Size: 792122
    MD5:  B5E7CD42B45F8670ADAF96BBCA5AE2D0

    II
    File: 79e9dd35aef6558461c4b93cd0c55b76_Purchase Order.jar
    Size: 125985
    MD5:  79E9DD35AEF6558461C4B93CD0C55B76

    III
    File: B2856B11FF23D35DA2C9C906C61781BA_purchaseorder.jar
    Size: 49084
    MD5:  b2856b11ff23d35da2c9c906c61781ba


    Download


    Download. Email me if you need the password
    Original jar attachment files
    B2856B11FF23D35DA2C9C906C61781BA_purchaseorder.jar
    DB46ADCFAE462E7C475C171FBE66DF82_paymentadvice.jar
    79e9dd35aef6558461c4b93cd0c55b76_Purchase Order.jar

    Pcap files download
    AlienSpyRAT_B2856B11FF23D35DA2C9C906C61781BA.pcap
    AlienSpyRAT_79E9DD35AEF6558461C4B93CD0C55B76.pcap
    Pony_B5E7CD42B45F8670ADAF96BBCA5AE2D0.pcap
    AlienspyRAT_DB46ADCFAE462E7C475C171FBE66DF82-OSXLion.pcap
    AlienspyRAT_DB46ADCFAE462E7C475C171FBE66DF82-WinXP.pcap

    All files, created and downloaded


    References

    Research:
    Boredliner: Cracking obfuscated java code - Adwind 3 << detailed java analysis
    Fidelis: RAT in a jar:A phishing campaign using Unrecom May 21, 2014
    Crowdstrike: Adwind RAT rebranding
    Symantec:Adwind RAT
    Symantec: Frutas RAT
    Symantec: Ponik/Pony

    Java Serialization References: 
    https://docs.oracle.com/javase/7/docs/platform/serialization/spec/protocol.html
    http://www.kdgregory.com/index.php?page=java.serialization
    http://staf.cs.ui.ac.id/WebKuliah/java/MasteringJavaBeans/ch11.pdf


    Additional File details


    Alienspy RAT
    The following RAT config strings are extracted from memory dumps. AlienSpy RAT is a reincarnation of Unrecom/Adwind (itself derived from the Frutas RAT) and is available from https://alienspy.net/
    As you can see from the config, it is very similar to Unrecom/Adwind
    File: paymentadvice.jar
    Size: 131178

    MD5:  DB46ADCFAE462E7C475C171FBE66DF82
        ───paymentadvice.jar
            ├───META-INF
            │       MANIFEST.MF  <<MD5:  11691d9f7d585c528ca22f7ba6f4a131 Size: 90
            │
            ├───plugins
            │       Server.class <<MD5:  3d9ffbe03567067ae0d68124b5b7b748 Size: 520 << Strings are here
            │
            └───stub
                    EcryptedWrapper.class <<MD5:  f2701642ac72992c983cb85981a5aeb6 Size: 89870
                    EncryptedLoader.class <<MD5:  3edfd511873b30d1373a4dc54db336ee Size: 223356
                    EncryptedLoaderOld.class << MD5:  b0ef7ff41caf69d9ae076c605653c4c7 Size: 15816
                    stub.dll << MD5:  64fb8dfb8d25a0273081e78e7c40ca5e Size: 43648 << Strings are here


    Alienspy Rat Config strings
    DB46ADCFAE462E7C475C171FBE66DF82
    <!DOCTYPE properties SYSTEM "http://java.sun.com/dtd/properties.dtd">
    <properties>
    <comment>AlienSpy</comment>
    <entry key="vbox">false</entry>
    <entry key="password">a2e74aef2c17329f0e8e8f347c62a6a03d16b944</entry>
    <entry key="p2">1079</entry>
    <entry key="p1">1077</entry>
    <entry key="ps_hacker">false</entry>
    <entry key="install_time">2000</entry>
    <entry key="taskmgr">false</entry>
    <entry key="connetion_time">2000</entry>
    <entry key="registryname">GKXeW0Yke7</entry>
    <entry key="wireshark">false</entry>
    <entry key="NAME">IHEAKA</entry>
    <entry key="jarname">unXX0JIhwW</entry>
    <entry key="dns">204.45.207.40</entry>
    <entry key="ps_explorer">false</entry>
    <entry key="msconfig">false</entry>
    <entry key="pluginfoldername">m4w6OAI02f</entry>
    <entry key="extensionname">xBQ</entry>
    <entry key="install">true</entry>
    <entry key="win_defender">false</entry>
    <entry key="uac">false</entry>
    <entry key="jarfoldername">9bor9J6cRd</entry>
    <entry key="mutex">xooJlYrm61</entry>
    <entry key="prefix">IHEAKA</entry>
    <entry key="restore_system">false</entry>
    <entry key="vmware">false</entry>
    <entry key="desktop">true</entry>
    <entry key="reconnetion_time">2000</entry>
    </properties>

    IP: 204.45.207.40
    Decimal: 3425554216
    Hostname: 212.clients.instantdedis.com
    ISP: FDCservers.net
    Country: United States
    State/Region: Colorado
    City: Denver



    79E9DD35AEF6558461C4B93CD0C55B76
    <?xml version="1.0" encoding="UTF-8" standalone="no"?>
    <!DOCTYPE properties SYSTEM "http://java.sun.com/dtd/properties.dtd">
    <properties>
    <comment>AlienSpy</comment>
    <entry key="pluginfolder">fy0qFUFuLP</entry>
    <entry key="reconnetion_time">3000</entry>
    <entry key="ps_hacker">true</entry>
    <entry key="restore_system">true</entry>
    <entry key="pluginfoldername">fy0qFUFuLP</entry>
    <entry key="dns">38.89.137.248</entry>
    <entry key="install_time">3000</entry>
    <entry key="port2">1065</entry>
    <entry key="port1">1064</entry>
    <entry key="taskmgr">true</entry>
    <entry key="vmware">false</entry>
    <entry key="jarname">LcuSMagrlF</entry>
    <entry key="msconfig">true</entry>
    <entry key="mutex">VblVc5kEqY</entry>
    <entry key="install">true</entry>
    <entry key="instalar">true</entry>
    <entry key="vbox">false</entry>
    <entry key="password">7110eda4d09e062aa5e4a390b0a572ac0d2c0220</entry>
    <entry key="NAME">xmas things</entry>
    <entry key="extensionname">7h8</entry>
    <entry key="prefix">xmas</entry>
    <entry key="jarfoldername">jcwDpUEpCh</entry>
    <entry key="uac">true</entry>
    <entry key="win_defender">true</entry>
    <entry key="

    IP: 38.89.137.248
    Decimal: 643402232
    Hostname: 38.89.137.248
    ISP: Cogent Communications
    Country: United States


    Created Files

    I
     DB46ADCFAE462E7C475C171FBE66DF82  paymentadvice.jar

    %USERPROFILE%\Application Data\evt88IWdHO\CnREgyvLBS.txt <<MD5:  abe6ef71e44d2e145033800d0dccea57 << strings are here (by classes)
    %USERPROFILE%\Application Data\evt88IWdHO\Desktop.ini
    %USERPROFILE%\Local Settings\Temp\asdqw15727804162199772615555.jar << Strings are here
    %USERPROFILE%\Local Settings\Temp\iWimMQLgpsT2624529381479181764.png (seen Transfer.jar in the stream) <<MD5:  fab8de636d6f1ec93eeecaade8b9bc68 Size: 755017 << Strings are here
    %USERPROFILE%\29OVHAabdr.tmp << timestamp file << Strings are here

    \deleted_files\%USERPROFILE%\\29OVHAabdr.tmp << timestamp file << Strings are here
    \deleted_files\%USERPROFILE%\\Application Data\9bor9J6cRd\Desktop.ini << Strings are here
    \deleted_files\%USERPROFILE%\\Application Data\9bor9J6cRd\unXX0JIhwW.txt <MD5:  DB46ADCFAE462E7C475C171FBE66DF82 < original jar << Strings are here
    \deleted_files\%USERPROFILE%\\Local Settings\Temp\14583359.bat << Strings are here
    \deleted_files\%USERPROFILE%\\Local Settings\Temp\asdqw4727319084772952101234.exe << Pony Downloader MD5:  b5e7cd42b45f8670adaf96bbca5ae2d0 Size: 792122 < Strings are here
    \deleted_files\%USERPROFILE%\\Local Settings\Temp\OiuFr7LcfXq1847924646026958055.vbs <<MD5:  9E1EDE0DEDADB7AF34C0222ADA2D58C9 Strings are here
    \deleted_files\%USERPROFILE%\\xooJlYrm61.tmp < timestamp file << Strings are here
    \deleted_files\C\WINDOWS\tem.txt - 0bytes

    IWIMMQLGPST2624529381479181764.PNG MD5: fab8de636d6f1ec93eeecaade8b9bc68

    ├───com
    │   └───java
    │       │   Main.class << MD5:  d020b9fdac0139d43997f9ec14fa5947 Size: 7232
    │       │   Manifest.mf << MD5:  a396d2898e8a83aa5233c4258de006e3 Size: 750412
    │               │   01234.exe << MD5:  b5e7cd42b45f8670adaf96bbca5ae2d0 Size: 792122
    │               │   15555.jar << MD5:  abe6ef71e44d2e145033800d0dccea57 Size: 50922
    │              
    │               └───15555
    │                   │   ID
    │                   │   Main.class << MD5:  d020b9fdac0139d43997f9ec14fa5947 Size: 7232
    │                   │   MANIFEST.MF << MD5:  a396d2898e8a83aa5233c4258de006e3 Size: 750412
    │                   │
    │                   ├───META-INF
    │                   └───plugins
    └───META-INF
            MANIFEST.MF << MD5:  042c2fa9077d96478ce585d210641d9a Size: 171


    File types
    1. 14583359.bat (.txt) "Text file"
    2. 29OVHAabdr.tmp (.txt) "Text file"
    3. asdqw15727804162199772615555.jar (.zip) "PKZIP Compressed"
    4. asdqw4727319084772952101234.exe (.exe) "Executable File" 
    5. CnREgyvLBS.txt (.zip) "PKZIP Compressed"
    6. Desktop.ini (.txt) "Text file"
    7. DFR5.tmp (.txt) "Text file"
    8. iWimMQLgpsT2624529381479181764.png (.zip) "Zip Compressed"
    9. iWimMQLgpsT2624529381479181764.png (.zip) "PKZIP Compressed"
    10. OiuFr7LcfXq1847924646026958055.vbs (.txt) "Vbs script file"
    11. tem.txt (.txt) "Text file"
    12. unXX0JIhwW.txt (.zip) "PKZIP Compressed"
    13. xooJlYrm61.tmp (.txt) "Text file"
    II

    79e9dd35aef6558461c4b93cd0c55b76 Purchase Order.jar
    Received: from magix-webmail (webmail.app.magix-online.com [193.254.184.250])
    by smtp.app.magix-online.com (Postfix) with ESMTPSA id B626052E77F;
    Sun, 16 Nov 2014 14:54:06 +0100 (CET)
    Received: from 206.217.192.188 ([206.217.192.188]) by
     webmail.magix-online.com (Horde Framework) with HTTP; Sun, 16 Nov 2014
     14:54:06 +0100
    Date: Sun, 16 Nov 2014 14:54:06 +0100
    Message-ID: <20141116145406.Horde.YL7L4Bi7ap6_NXm76DDEaw2@webmail.magix-online.com>
    From: Outokumpu Import Co Ltd <purchase@brentyil.org>
    Subject: Re: Confirm correct details
    Reply-to: jingwings@outlook.com
    User-Agent: Internet Messaging Program (IMP) H5 (6.1.4)
    Content-Type: multipart/mixed; boundary="=_FMdois7zoq7xTAV91epZoQ6"
    MIME-Version: 1.0
    Content-Transfer-Encoding: 8bit
    This message is in MIME format.
    --=_FMdois7zoq7xTAV91epZoQ6
    Content-Type: text/plain; charset=UTF-8; format=flowed; DelSp=Yes
    Content-Disposition: inline
    Content-Transfer-Encoding: 8bit
    Dear Sir,
    Please confirm the attached purchase order for your reference.
    Please acknowledge Invoice for the final confirmation and confirm  
    details are correct so we can proceed accordingly.
    Please give me feedback through this email.
    IBRAHIM MOHAMMAD AL FAR
    Area Manager 
    Central Region
    Outokumpu Import Co Ltd
    Tel:   +966-11-265-2030
    Fax:  +966-11-265-0350
    Mob: +966-50 610 8743
    P.O Box: 172 Riyadh 11383
    Kingdom of Saudi Arabia
    --=_FMdois7zoq7xTAV91epZoQ6
    Content-Type: application/java-archive; name="Purchase Order.jar"
    Content-Description: Purchase Order.jar
    Content-Disposition: attachment; size=125985; filename="Purchase Order.jar"
    Content-Transfer-Encoding: base64

    File paths
    %USERPROFILE%\Application Data\jcwDpUEpCh\Desktop.ini
    %USERPROFILE%\Application Data\jcwDpUEpCh\LcuSMagrlF.txt
    %USERPROFILE%\Local Settings\History\History.IE5\MSHist012014111620141117\index.dat
    %USERPROFILE%\Local Settings\Temp\hsperfdata_Laura\3884
    %USERPROFILE%\VblVc5kEqY.tmp
    deleted_files\%USERPROFILE%\Local Settings\Temp\TaskNetworkGathor267205042636993976.reg
    deleted_files\%USERPROFILE%\VblVc5kEqY.tmp
    deleted_files\C\WINDOWS\tem.txt

    File types
    Desktop.ini (.txt) "Text file"
    index.dat (.txt) "Text file"
    LcuSMagrlF.txt (.zip) "PKZIP Compressed"
    TaskNetworkGathor267205042636993976.reg (.txt) "Text file"
    tem.txt (.txt) "Text file"
    VblVc5kEqY.tmp (.txt) "Text file"

    MD5 list
    Desktop.ini     e783bdd20a976eaeaae1ff4624487420
    index.dat       b431d50792262b0ef75a3d79a4ca4a81
    LcuSMagrlF.txt  79e9dd35aef6558461c4b93cd0c55b76
    79e9dd35aef6558461c4b93cd0c55b76.malware       79e9dd35aef6558461c4b93cd0c55b76
    TaskNetworkGathor267205042636993976.reg        6486acf0ca96ecdc981398855255b699 << Strings are here
    tem.txt         d41d8cd98f00b204e9800998ecf8427e
    VblVc5kEqY.tmp  b5c6ea9aaf042d88ee8cd61ec305880b

    III
    B2856B11FF23D35DA2C9C906C61781BA Purchase Order.jar
    File paths
    %USERPROFILE%\Application Data\Sys32\Desktop.ini
    %USERPROFILE%\Application Data\Sys32\Windows.jar.txt
    %USERPROFILE%\Local Settings\History\History.IE5\MSHist012014111620141117\index.dat
    %USERPROFILE%\Local Settings\Temp\hsperfdata_Laura\1132
    %USERPROFILE%\WWMI853JfC.tmp
    deleted_files\%USERPROFILE%\Local Settings\Temp\TaskNetworkGathor7441169770678304780.reg
    deleted_files\%USERPROFILE%\Local Settings\History\History.IE5\MSHist012013110920131110\index.dat
    deleted_files\%USERPROFILE%\WWMI853JfC.tmp
    deleted_files\C\DFRA.tmp

    deleted_files\C\WINDOWS\tem

    File type list
    Desktop.ini (.txt) "Text file"
    DFRA.tmp (.txt) "Text file"
    index.dat (.txt) "Text file"
    TaskNetworkGathor7441169770678304780.reg (.txt) "Text file"
    tem (.txt) "Text file"
    Windows.jar.txt (.zip) "PKZIP Compressed"

    WWMI853JfC.tmp (.txt) "Text file"

    MD5 list
    Desktop.ini     e783bdd20a976eaeaae1ff4624487420
    DFRA.tmp        d41d8cd98f00b204e9800998ecf8427e
    index.dat       b431d50792262b0ef75a3d79a4ca4a81
    purchase.jar    b2856b11ff23d35da2c9c906c61781ba
    TaskNetworkGathor7441169770678304780.reg       311af3b9a52ffc58f46ad83afb1e93b6
    tem             d41d8cd98f00b204e9800998ecf8427e
    Windows.jar.txt b2856b11ff23d35da2c9c906c61781ba
    WWMI853JfC.tmp  8e222c61fc55c230407ef1eb21a7daa9



    Traffic Information

    Java Serialization Protocol traffic info

    DB46ADCFAE462E7C475C171FBE66DF82 traffic capture - Windows XP
    00000000  ac ed 00 05                                      ....
        00000000  ac ed 00 05                                      ....
    00000004  75 72 00 02 5b 42 ac f3  17 f8 06 08 54 e0 02 00 ur..[B.. ....T...
    00000014  00                                               .
    00000015  78 70 00 00 03 2a 1f 8b  08 00 00 00 00 00 00 00 xp...*.. ........
    00000025  6d 54 dd 8e d3 46 18 1d  12 16 b2 bb 59 40 fc 5d mT...F.. ....Y@.]
    00000035  bb 52 2b 71 83 d7 76 1c  3b a1 12 10 58 16 36 2c .R+q..v. ;...X.6,
    00000045  14 95 56 1b 24 4b d6 17  7b 9c cc 66 3c e3 ce 8c ..V.$K.. {..f<...
    00000055  d7 a6 17 7d 8e 3e 44 1f  a0 12 2f c1 43 f4 b6 ef ...}.>D. ../.C...
    00000065  d0 cf 6c 76 1d 2a 22 d9  19 7b be 9f 73 be 73 c6 ..lv.*". .{..s.s.
    00000075  7f fd 4b b6 b4 22 77 4f  e1 0c ec d2 30 6e bf 53 ..K.."wO ....0n.S

    DB46ADCFAE462E7C475C171FBE66DF82 traffic capture - OSX Lion
    00000000  ac ed 00 05                                      ....
        00000000  ac ed 00 05                                      ....
    00000004  75 72 00 02 5b 42 ac f3  17 f8 06 08 54 e0 02 00 ur..[B.. ....T...
    00000014  00                                               .
    00000015  78 70 00 00 03 33 1f 8b  08 00 00 00 00 00 00 00 xp...3.. ........
    00000025  75 54 cd 6e db 46 10 de  c8 b5 2d ff 26 c8 1f 7a uT.n.F.. ..-.&..z
    00000035  54 0f 45 7b d1 92 5c d1  94 89 02 4d 94 c0 b1 a5 T.E{..\. ...M....
    00000045  d8 4d 51 23 89 73 22 56  dc a5 b5 16 b9 cb ec 2e .MQ#.s"V ........

    B2856B11FF23D35DA2C9C906C61781BA on Windows XP
    00000000  ac ed 00 05                                      ....
        00000000  ac ed 00 05                                      ....
    00000004  75 72 00 02 5b 42 ac f3  17 f8 06 08 54 e0 02 00 ur..[B.. ....T...
    00000014  00                                               .
    00000015  78 70 00 00 03 63 1f 8b  08 00 00 00 00 00 00 00 xp...c.. ........
    00000025  6d 54 5d 6e db 46 10 de  48 91 2d db 8a 13 24 41 mT]n.F.. H.-...$A
    00000035  fa ca 3e 14 08 0a 84 e6  bf a4 16 68 9a c4 75 1b ..>..... ...h..u.
    00000045  c3 6e 0d b8 85 13 80 00  31 22 57 d2 5a e4 ee 76 .n...... 1"W.Z..v

    79E9DD35AEF6558461C4B93CD0C55B76 - Windows XP
    00000000  ac ed 00 05                                      ....
        00000000  ac ed 00 05                                      ....
    00000004  75 72 00 02 5b 42 ac f3  17 f8 06 08 54 e0 02 00 ur..[B.. ....T...
    00000014  00                                               .
    00000015  78 70 00 00 03 69 1f 8b  08 00 00 00 00 00 00 00 xp...i.. ........
    00000025  6d 54 dd 6e db 36 14 66  ed fc 38 89 9b 16 ed d0 mT.n.6.f ..8.....
    00000035  de 6a 17 03 8a 01 53 28  d9 92 ed 0d e8 d6 34 71 .j....S( ......4q
    00000045  b6 c0 19 02 64 69 3b c0  80 70 2c d1 36 6d 4a 62 ....di;. .p,.6mJb



    Serialization Protocol decoding:


    The following fields are part of the serialization protocol and are "benign" and common.

    AC ED (¬í) - Java Serialization protocol magic STREAM_MAGIC = (short)0xaced
    00 05 - Serialization Version STREAM_VERSION
    75 (u) - Specifies that this is a new array - newArray: TC_ARRAY
    72 (r) - Specifies that this is a new class - newClassDesc: TC_CLASSDESC
    00 02 - Length of the class name
    5B 42 AC F3 17 F8 06 08 54 E0 ([B¬ó.ø..Tà) - This is a Serial class name and version identifier section but data appears to be encrypted
    02 00 - Is Serializable Flag - SC_SERIALIZABLE
    78 70 (xp) - some low-level information identifying serialized fields
    1f 8b 08 00 00 00 00 00 00 00 - GZIP header as seen in the serialization stream

    As you can see, all Windows traffic captures have identical fields following the GZIP stream, while the OSX traffic has different data. The jar files that carried the Pony Downloader payload did not have other OSX malware packaged, and I saw no activity on OSX other than calling the C2 and writing to the randomly named timestamp file (e.g. VblVc5kEqY.tmp, which is updated with the current timestamp in Unix epoch format).

    A combination of the Stream Magic exchange plus all the other benign fields in this order will create a usable signature. However, it will be prone to false positives unless you also use the fields after the GZIP header for OS-specific signatures.

    Another signature can be based on the Transfer.jar download as seen below.


    DB46ADCFAE462E7C475C171FBE66DF82 - downloading fab8de636d6f1ec93eeecaade8b9bc68
    iWimMQLgpsT2624529381479181764.png (seen as Transfer.jar in the stream), which contains 15555.jar in its Manifest.mf, which in turn contains 15555.exe (Pony loader) in its Manifest.mf

    IHEAKA_000C297BA8DA << IHEAKA is the name of the RAT client; it is different in each infection.

    00000000  ac ed 00 05                                      ....
        00000000  ac ed 00 05                                      ....
    00000004  77 04                                            w.
    00000006  00 00 00 01                                      ....
    0000000A  77 15                                            w.
    0000000C  00 13 49 48 45 41 4b 41  5f 30 30 30 43 32 39 37 ..IHEAKA _000C297
    0000001C  42 41 38 44 41                                   BA8DA
        00000004  77 0e 00 0c 54 72 61 6e  73 66 65 72 2e 6a 61 72 w...Tran sfer.jar
        00000014  7a 00 00 04 00 50 4b 03  04 14 00 08 08 08 00 46 z....PK. .......F
        00000024  0c 71 45 00 00 00 00 00  00 00 00 00 00 00 00 14 .qE..... ........
        00000034  00 04 00 4d 45 54 41 2d  49 4e 46 2f 4d 41 4e 49 ...META- INF/MANI
        00000044  46 45 53 54 2e 4d 46 fe  ca 00 00 4d 8d 4d 0b c2 FEST.MF. ...M.M..

    ---- snip----

    000ABBA0  00 09 00 00 00 31 35 35  35 35 2e 6a 61 72 74 97 .....155 55.jart.
        000ABBB0  43 70 26 8c a2 44 63 db  9c d8 b6 9d 7c b1 6d db Cp&..Dc. ....|.m.
        000ABBC0  c6 c4 b6 6d db b6 6d db  99 d8 76 f2 fe e5 dd bc ...m..m. ..v.....
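As an added example (not code from the post), here is a small Python decoder for the serialization stream prefix shown in these captures. It implements the signature logic described above (stream magic, byte[] descriptor, GZIP header in the first array bytes) and also pulls the writeUTF strings (the client name and "Transfer.jar") out of the block-data records of the download exchange. Constants follow the Oracle serialization spec linked earlier; the sample bytes are transcribed from the hex dumps on this page, and the function names are my own.

```python
"""Decoder for the Java Object Serialization Stream prefix seen in the AlienSpy
captures on this page. Added example, not the post author's code; sample bytes
are transcribed from the hex dumps above and function names are my own."""
import struct

STREAM_MAGIC, STREAM_VERSION = 0xACED, 5
TC_NULL, TC_CLASSDESC, TC_ARRAY = 0x70, 0x72, 0x75
TC_BLOCKDATA, TC_ENDBLOCKDATA, TC_BLOCKDATALONG = 0x77, 0x78, 0x7A
SC_SERIALIZABLE = 0x02
GZIP_MAGIC = b"\x1f\x8b\x08"
# "[B" is the JVM descriptor for byte[], and the AC F3 17 F8 06 08 54 E0 that
# follows it in every capture is the fixed serialVersionUID of byte[].
BYTE_ARRAY_SUID = 0xACF317F8060854E0


def parse_stream(data):
    """Split a stream into records. The captures on the page are truncated, so a
    record whose declared length runs past the data is kept and flagged."""
    if len(data) < 4 or struct.unpack(">HH", data[:4]) != (STREAM_MAGIC, STREAM_VERSION):
        raise ValueError("not a Java serialization stream (no AC ED 00 05)")
    pos, records = 4, []
    try:
        while pos < len(data):
            tc = data[pos]
            if tc == TC_BLOCKDATA:                  # 77 <u8 len> <bytes>
                size, body_at = data[pos + 1], pos + 2
            elif tc == TC_BLOCKDATALONG:            # 7A <u32 len> <bytes>
                size, body_at = struct.unpack(">I", data[pos + 1:pos + 5])[0], pos + 5
            elif tc == TC_ARRAY:                    # 75 72 <u16 len> <name> <suid> ...
                if data[pos + 1] != TC_CLASSDESC:
                    raise ValueError("array with a class reference is not handled")
                name_len = struct.unpack(">H", data[pos + 2:pos + 4])[0]
                name = data[pos + 4:pos + 4 + name_len].decode("utf-8")
                p = pos + 4 + name_len
                suid, flags, nfields = struct.unpack(">QBH", data[p:p + 11])
                p += 11
                # classAnnotation TC_ENDBLOCKDATA (78) then superClassDesc TC_NULL (70)
                if nfields or data[p:p + 2] != bytes([TC_ENDBLOCKDATA, TC_NULL]):
                    raise ValueError("only field-less descriptors are handled")
                if name != "[B":
                    raise ValueError("only byte[] arrays are handled")
                size, body_at = struct.unpack(">I", data[p + 2:p + 6])[0], p + 6
            else:
                raise ValueError("unhandled type code 0x%02x at offset %d" % (tc, pos))
            body = data[body_at:body_at + size]
            rec = {"tc": tc, "declared": size, "body": body, "truncated": len(body) < size}
            if tc == TC_ARRAY:
                rec.update(cls=name, suid=suid, serializable=bool(flags & SC_SERIALIZABLE))
            records.append(rec)
            pos = body_at + size
    except (struct.error, IndexError):
        raise ValueError("stream cut off inside a record header at offset %d" % pos) from None
    return records


def utf_strings(records):
    """Recover DataOutput.writeUTF strings (u16 length + bytes) from complete
    block-data records; this yields the client name and the pushed jar name."""
    out = []
    for r in records:
        body = r["body"]
        if r["tc"] in (TC_BLOCKDATA, TC_BLOCKDATALONG) and not r["truncated"] and len(body) >= 2:
            if struct.unpack(">H", body[:2])[0] == len(body) - 2:
                try:
                    out.append(body[2:].decode("utf-8"))
                except UnicodeDecodeError:
                    pass
    return out


def is_gzipped_byte_array_beacon(data):
    """The signature described in the post: STREAM_MAGIC, a byte[] array with the
    byte[] serialVersionUID, and a GZIP header as the first element bytes."""
    try:
        first = parse_stream(data)[0]
    except (ValueError, IndexError):
        return False
    return (first["tc"] == TC_ARRAY and first["cls"] == "[B"
            and first["suid"] == BYTE_ARRAY_SUID and first["body"].startswith(GZIP_MAGIC))


# Constructed from the hex dumps above (one direction each, truncated as captured).
BEACON_WINXP = bytes.fromhex(
    "aced0005" "7572 0002 5b42 acf317f8060854e0 02 0000" "7870" "0000032a"
    "1f8b08 00000000000000" "6d54dd8ed346181d1216b2bb5940fc5d")
CLIENT_HELLO = bytes.fromhex("aced0005" "7704 00000001" "7715 0013") + b"IHEAKA_000C297BA8DA"
SERVER_PUSH = (bytes.fromhex("aced0005" "770e 000c") + b"Transfer.jar"
               + bytes.fromhex("7a 00000400" "504b0304 14000808 0800 460c7145"))

if __name__ == "__main__":
    for label, sample in (("beacon", BEACON_WINXP), ("hello", CLIENT_HELLO), ("push", SERVER_PUSH)):
        recs = parse_stream(sample)
        print(label, [(hex(r["tc"]), r["declared"], r["truncated"]) for r in recs],
              utf_strings(recs), is_gzipped_byte_array_beacon(sample))
```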


    Pony downloader traffic

     HTTP requests
    URL: http://meetngreetindia.com/scala/gate.php
    TYPE: POST
    USER AGENT: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)
    URL: http://meetngreetindia.com/scala/gate.php
    TYPE: GET
    USER AGENT: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)
     DNS requests
    meetngreetindia.com (50.28.15.25)
     TCP connections
    50.28.15.25:80

    IP: 50.28.15.25
    Decimal: 840699673
    Hostname: mahanadi3.ewebguru.net
    ISP: Liquid Web
    Organization: eWebGuru
    State/Region: Michigan
    City: Lansing

    https://www.virustotal.com/en/ip-address/50.28.15.25/information/




    IP-Domain Information
    I
    DB46ADCFAE462E7C475C171FBE66DF82 paymentadvice.jar 
    IP: 204.45.207.40
    Decimal: 3425554216
    Hostname: 212.clients.instantdedis.com
    ISP: FDCservers.net
    Country: United States
    State/Region: Colorado
    City: Denver

    meetngreetindia.com
    IP: 50.28.15.25 (TCP connection to port 80)
    Decimal: 840699673
    Hostname: mahanadi3.ewebguru.net
    ISP: Liquid Web
    Organization: eWebGuru
    State/Region: Michigan
    City: Lansing

    II
    79E9DD35AEF6558461C4B93CD0C55B76 Purchase order.jar
    IP: 38.89.137.248
    Decimal: 643402232
    Hostname: 38.89.137.248
    ISP: Cogent Communications
    Country: United States

    III
    B2856B11FF23D35DA2C9C906C61781BA Purchase order.jar
    installone.no-ip.biz
    IP Address:   185.32.221.17
    Country:      Switzerland
    Network Name: CH-DATASOURCE-20130812
    Owner Name:   Datasource AG
    From IP:      185.32.220.0
    To IP:        185.32.223.255
    Allocated:    Yes
    Contact Name: Rolf Tschumi
    Address:      mgw online service, Roetihalde 12, CH-8820 Waedenswil
    Email:        rolf.tschumi@mgw.ch
    Abuse Email:  abuse@softplus.net

    Virustotal

    https://www.virustotal.com/en/file/02d1e6dd2f3eecf809d8cd43b5b49aa76c6f322cf4776d7b190676c5f12d6b45/analysis/
    SHA256: 02d1e6dd2f3eecf809d8cd43b5b49aa76c6f322cf4776d7b190676c5f12d6b45
    MD5 db46adcfae462e7c475c171fbe66df82
    SHA1 2b43211053d00147b2cb9847843911c771fd3db4
    SHA256 02d1e6dd2f3eecf809d8cd43b5b49aa76c6f322cf4776d7b190676c5f12d6b45
    ssdeep 3072:VR/6ZQvChcDfJNBOFJKMRXcCqfrCUMBpXOg84WoUeonNTFN:LdvCGJN0FJ1RXcgBpXOjOjSNTFN
    File size 128.1 KB ( 131178 bytes )
    File type ZIP
    Magic literal Zip archive data, at least v2.0 to extract
    TrID ZIP compressed archive (100.0%)
    File name: Payment Advice.jar
    Detection ratio: 6 / 54
    Analysis date: 2014-11-16 20:58:08 UTC ( 1 day, 4 hours ago )
    Ikarus Trojan.Java.Adwind 20141116
    TrendMicro JAVA_ADWIND.XXO 20141116
    TrendMicro-HouseCall JAVA_ADWIND.XXO 20141116
    DrWeb Java.Adwind.3 20141116
    Kaspersky HEUR:Trojan.Java.Generic 20141116
    ESET-NOD32 a variant of Java/Adwind.T 20141116

    https://www.virustotal.com/en/file/733c037f886d91b6874ac4a2de5b32ca1e7f7f992928b01579b76603b233110c/analysis/1416194595/
    SHA256: 733c037f886d91b6874ac4a2de5b32ca1e7f7f992928b01579b76603b233110c
    MD5 fab8de636d6f1ec93eeecaade8b9bc68
    File name: iWimMQLgpsT2624529381479181764.png
    Detection ratio: 23 / 53
    Analysis date: 2014-11-17 03:23:15 UTC ( 0 minutes ago )
    AVG Zbot.URE 20141116
    Qihoo-360 Win32/Trojan.fff 20141117
    ESET-NOD32 Win32/PSW.Fareit.A 20141117
    Fortinet W32/Inject.SXVW!tr 20141117
    Antiy-AVL Trojan[PSW]/Win32.Tepfer 20141117
    AVware Trojan.Win32.Generic!BT 20141117
    DrWeb Trojan.PWS.Stealer.13319 20141117
    Symantec Trojan.Maljava 20141117
    McAfee RDN/Generic Exploit!1m3 20141117
    McAfee-GW-Edition RDN/Generic Exploit!1m3 20141117
    Sophos Mal/JavaJar-A 20141117
    Avast Java:Malware-gen [Trj] 20141117
    Cyren Java/Agent.KS 20141117
    F-Prot Java/Agent.KS 20141117
    Kaspersky HEUR:Trojan.Java.Generic 20141117
    Emsisoft Gen:Variant.Kazy.494557 (B) 20141117
    Ad-Aware Gen:Variant.Kazy.494557 20141117
    BitDefender Gen:Variant.Kazy.494557 20141117
    F-Secure Gen:Variant.Kazy.494557 20141116
    GData Gen:Variant.Kazy.494557 20141117
    MicroWorld-eScan Gen:Variant.Kazy.494557 20141117
    Ikarus Exploit.Java.Agent 20141117
    Norman Adwind.E 20141116

    https://www.virustotal.com/en/file/91d71b06c99fe25271ba19c1c47c2d1ba85e78c2d7d5ae74e97417dc958dc725/analysis/
    MD5 b5e7cd42b45f8670adaf96bbca5ae2d0
    SHA256: 91d71b06c99fe25271ba19c1c47c2d1ba85e78c2d7d5ae74e97417dc958dc725
    File name: asdqw4727319084772952101234.exe
    Detection ratio: 12 / 54
    Analysis date: 2014-11-17 03:21:30 UTC
    AVG Zbot.URE 20141116
    AVware Trojan.Win32.Generic!BT 20141117
    Ad-Aware Gen:Variant.Kazy.494557 20141117
    Antiy-AVL Trojan[PSW]/Win32.Tepfer 20141116
    BitDefender Gen:Variant.Kazy.494557 20141117
    DrWeb Trojan.PWS.Stealer.13319 20141117
    ESET-NOD32 Win32/PSW.Fareit.A 20141117
    Emsisoft Gen:Variant.Kazy.494557 (B) 20141117
    F-Secure Gen:Variant.Kazy.494557 20141116
    GData Gen:Variant.Kazy.494557 20141117
    MicroWorld-eScan Gen:Variant.Kazy.494557 20141117
    Qihoo-360 Win32/Trojan.fff 20141117






    OnionDuke samples
    16 Nov 2014, 4:58 am


    Research:  F-Secure: OnionDuke: APT Attacks Via the Tor Network






    Download

    File attributes

    Size: 219136
    MD5:  28F96A57FA5FF663926E9BAD51A1D0CB

    Size: 126464
    MD5:  C8EB6040FD02D77660D19057A38FF769

    Size: 316928
    MD5:  D1CE79089578DA2D41F1AD901F7B1014


    Virustotal info

    https://www.virustotal.com/en/file/366affd094cc63e2c19c5d57a6866b487889dab5d1b07c084fff94262d8a390b/analysis/
    SHA256: 366affd094cc63e2c19c5d57a6866b487889dab5d1b07c084fff94262d8a390b
    File name: 366affd094cc63e2c19c5d57a6866b487889dab5d1b07c084fff94262d8a390b
    Detection ratio: 8 / 52
    Analysis date: 2014-11-15 18:37:30 UTC ( 8 hours, 44 minutes ago ) 
    Antivirus Result Update
    Baidu-International Trojan.Win32.Agent.adYf 20141107
    F-Secure Backdoor:W32/OnionDuke.B 20141115
    Ikarus Trojan.Win32.Agent 20141115
    Kaspersky Backdoor.Win32.MiniDuke.x 20141115
    Norman OnionDuke.A 20141115
    Sophos Troj/Ransom-ALA 20141115
    Symantec Backdoor.Miniduke!gen4 20141115
    Tencent Win32.Trojan.Agent.Tbsl 20141115


    https://www.virustotal.com/en/file/0102777ec0357655c4313419be3a15c4ca17c4f9cb4a440bfb16195239905ade/analysis/
    SHA256: 0102777ec0357655c4313419be3a15c4ca17c4f9cb4a440bfb16195239905ade
    File name: 0102777ec0357655c4313419be3a15c4ca17c4f9cb4a440bfb16195239905ade
    Detection ratio: 19 / 55
    Analysis date: 2014-11-15 18:37:25 UTC ( 8 hours, 47 minutes ago ) 
    Antivirus Result Update
    AVware Trojan.Win32.Generic!BT 20141115
    Ad-Aware Backdoor.Generic.933739 20141115
    Baidu-International Trojan.Win32.OnionDuke.BA 20141107
    BitDefender Backdoor.Generic.933739 20141115
    ESET-NOD32 a variant of Win32/OnionDuke.A 20141115
    Emsisoft Backdoor.Generic.933739 (B) 20141115
    F-Secure Backdoor:W32/OnionDuke.A 20141115
    GData Backdoor.Generic.933739 20141115
    Ikarus Trojan.Win32.Onionduke 20141115
    Kaspersky Backdoor.Win32.MiniDuke.x 20141115
    McAfee RDN/Generic BackDoor!zw 20141115
    McAfee-GW-Edition BehavesLike.Win32.Trojan.fh 20141114
    MicroWorld-eScan Backdoor.Generic.933739 20141115
    Norman OnionDuke.B 20141115
    Sophos Troj/Ransom-ANU 20141115
    Symantec Backdoor.Miniduke!gen4 20141115
    TrendMicro BKDR_ONIONDUKE.AD 20141115
    TrendMicro-HouseCall BKDR_ONIONDUKE.AD 20141115
    VIPRE Trojan.Win32.Generic!BT 20141115




    Wirelurker for OSX, iOS (Part I) and Windows (Part II) samples
    7 Nov 2014, 2:57 am

    PART II

    Wirelurker for Windows (WinLurker)

    Research: Palo Alto Claud Xiao: Wirelurker for Windows

    Sample credit: Claud Xiao



    PART I


    Research: Palo Alto Claud Xiao WIRELURKER: A New Era in iOS and OS X Malware

    Palo Alto |Claud Xiao - blog post Wirelurker

    Wirelurker Detector https://github.com/PaloAltoNetworks-BD/WireLurkerDetector


    Sample credit: Claud Xiao


    Download

    Download Part I
    Download Part II

    Email me if you need the password




    List of files
    List of hashes 

    Part II

    微博 3.4.1.dmg 925cc497f207ec4dbcf8198a1b785dbd
    apps.ipa 54d27da968c05d463ad3168285ec6097
    WhatsAppMessenger 2.11.7.exe eca91fa7e7350a4d2880d341866adf35
    使用说明.txt 3506a0c0199ed747b699ade765c0d0f8
    libxml2.dll c86bebc3d50d7964378c15b27b1c2caa
    libiconv-2_.dll 9c8170dc4a33631881120a467dc3e8f7
    msvcr100.dll bf38660a9125935658cfa3e53fdc7d65
    libz_.dll bd3d1f0a3eff8c4dd1e993f57185be75
    mfc100u.dll f841f32ad816dbf130f10d86fab99b1a

    zlib1.dll c7d4d685a0af2a09cbc21cb474358595


    │   apps.ipa
    │   微博 3.4.1.dmg

    └───WhatsAppMessenger 2.11.7
                libiconv-2_.dll
                libxml2.dll
                libz_.dll
                mfc100u.dll
                msvcr100.dll
                WhatsAppMessenger 2.11.7.exe
                zlib1.dll
                使用说明.txt


    Part I


    File listing

    ├───databases
    │       foundation
    ├───dropped
    │   ├───version_A
    │   │   │   com.apple.globalupdate.plist
    │   │   │   com.apple.machook_damon.plist
    │   │   │   globalupdate
    │   │   │   machook
    │   │   │   sfbase.dylib
    │   │   │   watch.sh
    │   │   │
    │   │   ├───dylib
    │   │   │       libcrypto.1.0.0.dylib
    │   │   │       libiconv.2.dylib
    │   │   │       libimobiledevice.4.dylib
    │   │   │       liblzma.5.dylib
    │   │   │       libplist.2.dylib
    │   │   │       libssl.1.0.0.dylib
    │   │   │       libusbmuxd.2.dylib
    │   │   │       libxml2.2.dylib
    │   │   │       libz.1.dylib
    │   │   │
    │   │   ├───log
    │   │   └───update
    │   ├───version_B
    │   │       com.apple.globalupdate.plist
    │   │       com.apple.itunesupdate.plist
    │   │       com.apple.machook_damon.plist
    │   │       com.apple.watchproc.plist
    │   │       globalupdate
    │   │       itunesupdate
    │   │       machook
    │   │       start
    │   │       WatchProc
    │   │
    │   └───version_C
    │       │   com.apple.appstore.plughelper.plist
    │       │   com.apple.appstore.PluginHelper
    │       │   com.apple.MailServiceAgentHelper
    │       │   com.apple.MailServiceAgentHelper.plist
    │       │   com.apple.periodic-dd-mm-yy.plist
    │       │   com.apple.systemkeychain-helper.plist
    │       │   periodicdate
    │       │   stty5.11.pl
    │       │   systemkeychain-helper
    │       │
    │       └───manpath.d
    │               libcrypto.1.0.0.dylib
    │               libiconv.2.dylib
    │               libimobiledevice.4.dylib
    │               libiodb.dylib
    │               liblzma.5.dylib
    │               libplist.2.dylib
    │               libssl.1.0.0.dylib
    │               libusbmuxd.2.dylib
    │               libxml2.2.dylib
    │               libz.1.dylib
    │               libzip.2.dylib
    ├───iOS
    │       sfbase.dylib
    │       sfbase_v4000.dylib
    │       sfbase_v4001.dylib
    │       start
    │       stty5.11.pl
    ├───IPAs
    │       7b9e685e89b8c7e11f554b05cdd6819a
    │       pphelper
    ├───original
    │       BikeBaron
    │       CleanApp
    │       FontMap1.cfg
    │       start.sh
    └───update
            start.sh
            update



    ShellShock payload sample Linux.Bashlet
    2 Oct 2014, 2:12 pm


    Someone kindly shared their sample of the ShellShock malware described by the MalwareMustDie group; you can read their analysis here:
    MMD-0027-2014 - Linux ELF bash 0day (shellshock): The fun has only just begun...


    Download

    File: fu4k_2485040231A35B7A465361FAF92A512D
    Size: 152
    MD5: 2485040231A35B7A465361FAF92A512D


    Virustotal

    SHA256: e74b2ed6b8b005d6c2eea4c761a2565cde9aab81d5005ed86f45ebf5089add81
    File name: trzA114.tmp
    Detection ratio: 22 / 55
    Analysis date: 2014-10-02 05:12:29 UTC ( 6 hours, 50 minutes ago )
    Antivirus Result Update
    Ad-Aware Linux.Backdoor.H 20141002
    Avast ELF:Shellshock-A [Expl] 20141002
    Avira Linux/Small.152.A 20141002
    BitDefender Linux.Backdoor.H 20141002
    DrWeb Linux.BackDoor.Shellshock.2 20141002
    ESET-NOD32 Linux/Agent.AB 20141002
    Emsisoft Linux.Backdoor.H (B) 20141002
    F-Secure Linux.Backdoor.H 20141001
    Fortinet Linux/Small.CU!tr 20141002
    GData Linux.Backdoor.H 20141002
    Ikarus Backdoor.Linux.Small 20141002
    K7AntiVirus Trojan ( 0001140e1 ) 20141001
    K7GW Trojan ( 0001140e1 ) 20141001
    Kaspersky Backdoor.Linux.Small.cu 20141001
    MicroWorld-eScan Linux.Backdoor.H 20141002
    Qihoo-360 Trojan.Generic 20141002
    Sophos Linux/Bdoor-BGG 20141002
    Symantec Linux.Bashlet 20141002
    Tencent Win32.Trojan.Gen.Vdat 20141002
    TrendMicro ELF_BASHLET.A 20141002
    TrendMicro-HouseCall ELF_BASHLET.A 20141002
    nProtect Linux.Backdoor.H 20141001



    CZ Solution Ltd. signed samples of Xtreme Rat, Zeus, Spy-Net, Gh0st, BozokRAT and other
    21 Jul 2014, 6:57 am

    Here are all samples (+ more) mentioned in this post by FireEye: "The Little Signature That Could: The Curious Case of CZ Solution".
    All files are digitally signed with a "CZ Solutions" certificate making it easy to create a Yara or ClamAV signature.

    A few Zeus samples seem to be still beaconing. Most are sinkholed.
    The certificate is now revoked by VeriSign.

    Enjoy




    Download


    Download. Email me if you need the password





    File Information

    Listed by Fireeye 
    1. Xtreme Rat_78CED3B6C04D372CE10B6B8606B3B747 78ced3b6c04d372ce10b6b8606b3b747
    2. Spy-Net 2.6_6A56F6735F4B16A60F39B18842FD97D0 6a56f6735f4b16a60f39b18842fd97d0
    3. Xtreme Rat_7C00BA0FCBFEE6186994A8988A864385.msg 7c00ba0fcbfee6186994a8988a864385
    4. XtremeRAT 3.5 Private _2E776E18DEC61CF6CCD68FBACD55FAB3 2e776e18dec61cf6ccd68fbacd55fab3
    5. XtremeRAT 3.5 Private _BD70A7CAE3EBF85CF1EDD9EE776D8364 bd70a7cae3ebf85cf1edd9ee776d8364
    6. XtremeRAT 3.5 Private_0BE3B0E296BE33903BF76B8CD9CF52CA 0be3b0e296be33903bf76b8cd9cf52ca
    7. XtremeRAT 3.5 Private_7416EC2889227F046F48C15C45C102DA 7416ec2889227f046f48c15c45c102da
    8. XtremeRAT 3.5 Private_BE47EC66D861C35784DA527BF0F2E03A be47ec66d861c35784da527bf0f2e03a
    9. XtremeRAT 3.5 Private_C27232691DACF4CFF24A4D04B3B2896B c27232691dacf4cff24a4d04b3b2896b
    10. XtremeRAT 3.5 Private_E79636E4C7418544D188A29481C100BB e79636e4c7418544d188a29481c100bb
    11. Zeus_9C11EF09131A3373EEF5C9D83802D56B 9c11ef09131a3373eef5c9d83802d56b
    12. Zeus_DCD3E45D40C8817061F716557E7A05B6 dcd3e45d40c8817061f716557e7a05b6


    Additional (mix of RATs and Trojans)

    1. 2D186068153091927B26CD3A6831BE68 2d186068153091927b26cd3a6831be68
    2. 4A997E3395A8BB8D73193E158289F4CE 4a997e3395a8bb8d73193e158289f4ce
    3. 7E92A754AAAA0853469566D5DBF2E70C 7e92a754aaaa0853469566d5dbf2e70c
    4. 9CFD17C48FC0D300E4AA22E2C8C029D6 9cfd17c48fc0d300e4aa22e2c8c029d6
    5. 37FEE821695B664EBE66D55D8C0696F2 37fee821695b664ebe66d55d8c0696f2
    6. 445C22E94EAB61B3D4682824A19F8E92 445c22e94eab61b3d4682824a19f8e92
    7. 819B4C40F56F69C72E62EF06C85EA3E1 819b4c40f56f69c72e62ef06c85ea3e1
    8. 947C21CB8E28B854FF02C2241399A450 947c21cb8e28b854ff02c2241399a450
    9. 2859089CC3E31DA60C64D56C416175E2 2859089cc3e31da60c64d56c416175e2
    10. A9EE1BF62DEE532BE2BE217D3E4A8927 a9ee1bf62dee532be2be217d3e4a8927
    11. AC87BC7DD4B38FA3EBA23BF042B160CE ac87bc7dd4b38fa3eba23bf042b160ce
    12. B953FD2B3D5C10EC735681982D3C6352 b953fd2b3d5c10ec735681982d3c6352
    13. BD5188031BB8EB317FB58F0A49CCBF9C bd5188031bb8eb317fb58f0a49ccbf9c
    14. D7CF30E3DBFD32A1D1E38CEE464EC6A6 d7cf30e3dbfd32a1d1e38cee464ec6a6
    15. E1AFC706C8C96FACEDB6CB62E6CBFD2D e1afc706c8c96facedb6cb62e6cbfd2d
    16. Gh0stB_7A26BBD7B5942B49FC0A9CB7268BD030 7a26bbd7b5942b49fc0a9cb7268bd030
    17. SpyRat_E0B0BBA2F6399B0577C37E2A3BC3390A e0b0bba2f6399b0577c37e2a3bc3390a
    18. Zeus_0D8F9C5898596251233C3FD1DCB34161 0d8f9c5898596251233c3fd1dcb34161
    19. Zeus_7A6BBC32868A9F776452355F909F95D6 7a6bbc32868a9f776452355f909f95d6
    20. Zeus_7CD6C4A6103F23858C7ED047391F1D3B 7cd6c4a6103f23858c7ed047391f1d3b
    21. Zeus_52BE0408084F536E42FEB7C57F521592 52be0408084f536e42feb7c57f521592
    22. Zeus_5746DD569623431BA41A247FA64847D7 5746dd569623431ba41a247fa64847d7
    23. Zeus_A79089B5E6744C622D61BEFA40AF77D3 a79089b5e6744c622d61befa40af77d3
    24. Zeus_E2190F61B532BD51E585449BAAE31BC1 e2190f61b532bd51e585449baae31bc1
    25. Zeus_F76A509FEE28C5F65046D6DC072658B2 f76a509fee28c5f65046d6dc072658b2



    OSX malware and exploit collection (~100 files) + links and resources for OSX malware analysis
    22 Nov 2013, 6:22 pm


    'Tis the season.

    Here is a nice collection of ~100 Mac OS malware samples and Word document exploits carrying a Mac OS payload (all are CVE-2009-0563), along with links for OSX malware analysis.

    Please send your favorite tools for OSX if they are not listed.




    CVE-2009-0563

    Stack-based buffer overflow in Microsoft Office Word 2002 SP3, 2003 SP3, and 2007 SP1 and SP2; Microsoft Office for Mac 2004 and 2008; Open XML File Format Converter for Mac; Microsoft Office Word Viewer 2003 SP3; Microsoft Office Word Viewer; and Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats SP1 and SP2 allows remote attackers to execute arbitrary code via a Word document with a crafted tag containing an invalid length field, aka "Word Buffer Overflow Vulnerability."



    Links



    Some OSX malware analysis tools and links 


    Tools


    Malware in the provided package - links to research and news articles






    Download



    Download. Email me if you need the password
    OSX_CrisisB_a32e073132ae0439daca9c82b8119009 
    Additional older downloads

    1. OSX_Docklight payload  http://contagioexchange.blogspot.com/2012/05/019-speechdoc-macosxms09-027a-word.html 
    2. misc OSX malware on contagio http://contagiodump.blogspot.com/search/label/-%20OSX
    3. 30 samples of ancient Mac OS malware http://contagiodump.blogspot.com/2012/04/osxflashbackk-sample-mac-os-malware.html



    List of files provided in this post


    1. OSX_AoboKeylogger_362D5DDB3924C625589B42030B66CA69
    2. OSX_BackTrack-A_B03276BFBF85CFDD7C8998004C1200DA
    3. OSX_Boonana_B3A0B0DA5AA01FF200CEBC8AF359A3C3
    4. OSX_ChatZum_487E5CD581587D63783CDD356DE9CF24
    5. OSX_ChatZum_57A4EB15CAA4FCC0A8F6AFBBD66C4859
    6. OSX_Clapzok_99FE5AD5FF514F5AAEA8E501DDBAF95B
    7. OSX_Crisis_04BBDA5B11FA0FD3C767CAF4719D6A4D
    8. OSX_Crisis_42C112036E319ED8DF0F55C7F4C0DA85
    9. OSX_CrisisB_a32e073132ae0439daca9c82b8119009
    10. OSX_Crisis_59FE83E0AE12E085E0FA301ECCA6776F
    11. OSX_Crisis_6F055150861D8D6E145E9ACA65F92822
    12. OSX_Crisis_A32E073132AE0439DACA9C82B8119009_Biglietto Visita
    13. OSX_Crisis_ACEC5F00057D3EC94849511F3EDDCB91
    14. OSX_Crisis_FAAB883598C8C379ACFD0B9DCCC93D0C
    15. OSX_Dockster_Backdoor_C6CA5071907A9B6E34E1C99413DCD142
    16. OSX_FkCodec_74812C7B6E0A55347284ABFA7D5670BF
    17. OSX_FkCodec_74812C7B6E0A55347284ABFA7D5670BF_Codec-M
    18. OSX_FkCodec_B4ECE10D1E706B87B065523A654D48A7_download.dmg
    19. OSX_FkCodec1C5AE9F1DD9FE6F506EAABD382925CA8_codec-M.safariextz
    20. OSX_Flashback_3DCB6D6A9EA8D9755EB61AE057B3D74A
    21. OSX_Flashback_9FCFE8EF92F51F1C29A26E1516EF7003_FlashPlayer-11-macos.pkg
    22. OSX_Flashback_C2819C3C183BBF7547CF76C6A004EA15_FlashPlayer-11-macos.pkg
    23. OSX_Fucobha_IceFog_A615DD792093191E9FC975132A2DB409A_CleanMyMac
    24. OSX_Fucobha_IceFog_B4249F9B49A9A177B4D2F4439373029A
    25. OSX_Fucobha_IceFog_CF1815491D41202EB8647341A8695E1E
    26. OSX_GetShell_68078CBD1A34EB7BE8A044287F05CCE4
    27. OSX_GetShell_AC99ACE403D31C7079C938F9B0FD0895
    28. OSX_GetShell_ACC2B4A595939F17F7D07DE2CF75CDC8
    29. OSX_Hacktool_Hoylecann_FED8E22AE6F080F9B05A309C7E48B5EF
    30. OSX_HellRaiser_CA74984601287459AFB7B39EBEBDD394
    31. OSX_HellRTS.AH_KeystrokeRecorder X Pref Editor_C19377D07A234D1585D85F8FA3CF77FB
    32. OSX_HellRTS_F1AD75AEB4B4C2883DF2221C8804DA2A.AH
    33. OSX_Hovdy_Backdoor_FED713CAC7012D25F60B236E6DDCF513
    34. OSX_Inqtana.zip
    35. OSX_Iservice_4C9E7EE7C0F5C19C68B45CA6C81F8D62
    36. OSX_Iservice_E34BA325F3EEB8DF07A09EE9FBF1071D
    37. OSX_Jahlav_12F32EACBB3CD2C5623EE6976A51913A_QuickTime.xpt
    38. OSX_Jahlav_CCB72243EF478EEFE90B5898EC32389B
    39. OSX_Jahlav_D7DDF72D17F889C2C5B302AC0A5FBDC5
    40. OSX_Jahlav_FB79A75A6152EF47BBF88AE8544545CC.pl
    41. OSX_Jahlav_flash.zip
    42. OSX_Kitmos_A_39FAA22EB9D6B750EC345EFCB38189F5
    43. OSX_Kitmos_A_3AA9C558D4D5F1B2A6D3CE47AA26315F
    44. OSX_Kitmos_A_B3D49091875DE190F200110C2F2032D4
    45. OSX_Lamadai_20F0D0CE8A413A51EB16DEE860021E6A
    46. OSX_Lamadai_DE90189F040494E3708D83A33E37E40E
    47. OSX_Leverage_A_Backdoor_C425D2BE8B4AF733A44EC1518F182BE8
    48. OSX_LocalRoot_3DC01743FB42E917E9F9EDE5009F10CD
    49. OSX_Macarena_A_BFC7B7B9D3E1DF9D6E1A31D3E7BED628
    50. OSX_MacDefender_8AE7163C7C3C02564A4C69DF1F7C483E_Archive.pax
    51. OSX_MacDefender_E187F4071723808560E135647245562A_Archive.pax
    52. OSX_MacKontrol_89C35C057655E67580EFD0FF8242D960
    53. OSX_MacKontrol_E88027E4BFC69B9D29CAEF6BAE0238E8_matiriyal.dmg
    54. OSX_Macsweeper_4836CC480796386ED6929C38E5AAD525
    55. OSX_Miner_DevilRobber_417369B713F1A5F3A3DC0DAF76BDCFD6
    56. OSX_Miner_DevilRobber_EE2BA586232007FA41703EB120AC7408
    57. OSX_Miner_F8EBF03E88928EBF91A8420E3D5993FE
    58. OSX_Olyx_Backdoor_93A9B55BB66D0FF80676232818D5952F
    59. OSX_Olyx_Backdoor_93A9B55BB66D0FF80676232818D5952F_Current events 2009 July 5
    60. OSX_OpinionSpy_C98AE54F4BE1082B4E82548D7511077E_Crystal-Clock-screensaver.zip
    61. OSX_OpinionSpy_CC33C95C59372AFCA60A0552A58D0EF8_Crystal-Clock-screensaver.zip
    62. OSX_PSides_32F4792B1141BA259067F9613E2E88B5
    63. OSX_PUP_AABEDBAAB63EF19657A3A82C930CCE18_Genieo_InstallGenieo.dmg
    64. OSX_PUP_PerfectKeylog_1B192319C8F41036A2D6B8E987809D42
    65. OSX_Renepo_80753666A54A8AE97BD6ED3A4E2F3702
    66. OSX_RevirA_FE4AEFE0A416192A1A6916F8FC1CE484_revir-a.dmg
    67. OSX_RevirC_Imuler_7DBA3A178662E7FF904D12F260F0FFF3
    68. OSX_Safari_B24C0E60AF3D3E836FBE8A92FBCC8EB7.dat
    69. OSX_SniperSpy
    70. OSX_Wirenet_50D4F0DA2E38874E417BD13B59F4C067
    71. OSX_Wirenet_B56AD86A4BACEF92EF46D36EABEF6467
    72. OSX_Wirenet_D048F7AE2D244A264E58AF67B1A20DB0
    73. OSX_Yontoo_16ACCB0ABC051D667640B1EE4FF3A7A1
    74. OSX_Yontoo_7C433B3AC0E8072BA5E6B57298E1B28B
    75. OSXWeapoX_7FDEBB5FEC63FB3739A79A66265BB765



    EXPLOITS
    OSX_CVE-2009-0563 targeting Tibetan and Uyghur activists (filenames shortened here)

    1. 0DA957B9B952420241F945A9A2C52A50_C2-alma.apple.cloudns.org_ParticipantsArrivalDeparture.doc
    2. 0E5110493FD197813068310E57467B44_C2-alma.apple.cloudns.org _Uighur Han unrest.doc
    3. 0E945428D07464EC33EBDFF5712FE788_C2-update.googmail.org_Jenwediki yighingha.doc
    4. 1218840F3B66832CC58C33C75AD3D419_C2-update.googmail.org_Uyghur_Xitayning Yengi Rehberlik.doc
    5. 1CE3C4A8907A242250D366586711CBDC_C2-alma.apple.cloudns.org _Rabiye_hanim_bilen_Dolkun_Isa.doc
    6. 2567399683111CFCB838C5DA80DF181D_Tibetan Parliament urges World to take concrete step on Tibet.doc
    7. 28821C5FD38B11EE630D87961C11A3D7_DUQning reyisi namzatlar isimliki.doc
    8. 3D28AE551B9BD4C62FFC6C72F5668D96_Tibet_The United Nations Commission for Human Rights.doc
    9. 3D90D04C09C6B4D5D52888C89BDE9685_Tibetan Parliament urges World.doc
    10. 567ECE88B2D6F4F12F0D0760C30605EE_C2-apple12.crabdance.com_list.doc
    11. 58A0A5824A6B30EA7EEBBB51818AE04B_uYGHUR_Jenwe yinghinining xeweri.doc
    12. 786A7D1A1DCEC50E6A89E3CC8F33A3AE_Uyghur_Dunya Uyghur Qurultayigha iane qilish toghrisida.doc
    13. 7D7A5C530A7DBF24C42145A0EFCC8669_kurban-bayrami.doc
    14. 8618BCCB98F7D20634EBEDC488981E86_C2-update.googmail.org_email73.doc
    15. 908116A30F53EDF9D1749E3F0F267680_Website-TGSL.doc
    16. 9F9F96D5C882528D08315201042647DF_C2-update.googmail.org_Uyghur_The Duke Program.doc
    17. BA76DE3471497A8B1858AF4A8C700AE1_www.uyghurcongress.org.doc
    18. C024E159A96F3292915B257070FC3325_Sartin-TGSL.doc
    19. DD7C486BC17772A5E96425271FA5ED4D_c2-apple12.crabdance.com_10. Jahresgedenktag.doc
    20. E510AE50B0344EFBE1F8888771C7446C_www.tughlan.com.doc
    21. E683339BCCFDEB0F06C7E567F2C284C5_Planning for action.doc
    22. ECE44C00D46BE019AFF38FD5D31B9110_C2-update.googmail.org_UAA 2012 Saylam Komtiti saylam.doc
    23. F81775C93F7337E0664F1D106E13C7B3_C2-update.googmail.org_Uyghur_Human Rights Education.doc
    24. FBE399BF714184ED7FEA313F36A86514_C2-apple12.crabdance.com_Uyghur_Putun Dunyadiki Sherqi.doc
    25. MacOSSabpub-A_43F281076E185E55BECE7EB2F0EC8164.doc




    Sandbox MIMIng. CVE-2012-0158 in MHTML samples and analysis
    3 Sep 2013, 7:52 am


    Update - Sept 4, 2013
    I added more descriptions and changed NjRat / Backdoor.LV to Vidgrab. In the traffic, its communications are similar to NjRat/Backdoor.LV, but it does not use base64 and sends an initial request starting with ...3 (0x01 0x00 0x00 0x00 0x33) followed by null bytes; it does not start with lv|

    I am still looking for names for a few other backdoors below, so if you recognize them, please let me know. 

    Recently, my custom sandbox has been trying to open some Word attachments in a browser because the filetype fingerprint service detected them as MIME HTML files. Browsers are usually the default applications for such types, and the files did contain the CVE-2012-0158 exploit. A quick Google lookup yielded a May 2013 report from the Chinese company Antiy, "The Latest APT Attack by Exploiting CVE-2012-0158 Vulnerability", which described this new exploit vector.
    Antiy noted that these MHTML files evade antivirus, and indeed only half of the vendors represented on Virustotal detect them. However, many companies rely on their automated tools, inline and standalone sandboxes, not just antivirus, to determine whether a file is malicious.

    I checked how these files (files without any extension) were processed by other commercial and open source mail scanners and sandboxes. 3 out of 5 well-known commercial and open source mail scan and web sandbox vendors returned no output or informed me that the filetype was not supported. While writing this post, I noticed that Malwaretracker also mentioned the rise in this vector's usage in his post on Friday, so I am sure the sandbox vendors are fixing the issue as we speak.

    I checked 25 MHTML CVE-2012-0158 files and compared their targets (at least those I could obtain) and payloads. The analysis showed a good variety of trojans, with the targets predominantly human rights (Tibet, Uyghur) activists. I will post a month's worth of these files.
    CVE #

    CVE-2012-0158
    The (1) ListView, (2) ListView2, (3) TreeView, and (4) TreeView2 ActiveX controls in MSCOMCTL.OCX in the Common Controls in Microsoft Office 2003 SP3, 2007 SP2 and SP3, and 2010 Gold and SP1; Office 2003 Web Components SP3; SQL Server 2000 SP4, 2005 SP4, and 2008 SP2, SP3, and R2; BizTalk Server 2002 SP1; Commerce Server 2002 SP4, 2007 SP2, and 2009 Gold and R2; Visual FoxPro 8.0 SP1 and 9.0 SP2; and Visual Basic 6.0 Runtime allow remote attackers to execute arbitrary code via a crafted (a) web site, (b) Office document, or (c) .rtf file that triggers "system state" corruption, as exploited in the wild in April 2012, aka "MSCOMCTL.OCX RCE Vulnerability."


    Download

    Email me (see profile) if you need the password

    Download MIME HTML files only


    Download MIME HTML with their created and pcap files (10 MB zip = 1.2 GB uncompressed, MD5: f19b49dc8cd7daa2c0a388ad043757a2)

    Folder contents (names of some files changed on Sept 4 - see update above)

    1. 8-30 Plugx the translation D0D2079E1AB0E93C68DA9C293918A376
    2. 8-30 TBD-Arstechnica 4B31A4C3A633A0ADB9DBB8A5125DDA85
    3. 8-28 Surtr Conflict between VN and IN F8CCCCAA018E9EC96BCC65F4A9E549B1
    4. 8-28 TBD-Insta11 Tibet Sikyong Tour Program  658C55D6F92B2E8CCCCB82C6980CE2AB
    5. 8-27 Surtr TibetanNunReleased B5EC46322334D5712ACD386622EE0F04
    6. 8-27 Surtr CTA condemns 8BE76FCB0A2DA692CFD2DA0C85F2EC33
    7. 8-27 TBD-8202 Regarding double sponsor 9B41475A88D12183048A465FFD32EBF9
    8. 8-26 Vidgrab  NJRat-backdoorLV resume F0B821697949C713D9B17550A533ECFE
    9. 8-24 Vidgrab  NJRat-backdoorLV Judgement EBBE175A6EB8DC91E986FF21D66BCD70
    10. 8-24 TBD-8202 Members of Parliament 6DB8AA8455DF96CBAED8803536217ECB
    11. 8-22 Surtr Chinese police FEA931812540035C9A4D0950D50DD103
    12. 8-22 Vidgrab  NJRat-backdoorLVCitizens nomination BF4668C0A55903A0E4D5BA61D6B338CF
    13. 8-19 Vidgrab  NJRat-backdoorLV CNTiananmen Square AAED8F6D19F9617311B9E7630A5D214D
    14. 8-15 PlugX CN Tibetan writer 682A71EDB073760EA81241F7D701ED1D
    15. 8-14 TBD-Insta11 Second-time 59A14B490FE4BA650E31B67117302239
    16. 8-12 Taidoor Continental discipline 51708AE7F107FBE8B1C1F679DAFABBF7
    17. 8-07 Vidgrab  NJRat-backdoorLV People Power 539A1ADCC98ECEE099BF3B42A42E9099
    18. 7-30 Mongall CNGovernment 2A0BDC62EEB6ECF6783B954B20BE3DE9
    19. 7-30 Gh0st Apple 82644661F6639C9FCB021AD197B565F7


    P.S. pcap files for the malicious documents that have not been described below (newer than Aug 24) are named by the MD5 of the dropper MHTML document, not of the malware binary.
    Some malware still needs to be identified.

    Document Analysis 

    MHTML files (a short description you could probably read elsewhere)
    MIME HTML files have been around for ages. They are so-called "web archive" files that embed media, inline images, style sheets, objects such as Office files, Flash files, and other goodies into one file. RFC 2557 is a short document describing the format. They normally have the .mht extension and are viewed in browsers.

    Opening them in MS Word works too, and works well for this exploit, although Word is not the default application. This flexibility of the res URI has been exploited in the past - see CVE-2004-0380 Microsoft Outlook Express MHTML Forced File Execution Vulnerability. For more damage via MHTML see
    Generating Word documents and embedding all kinds of arbitrary objects is extremely easy via PHP and is very popular - just search for strings like
    <!--[if gte mso 9]><xml> <o:DocumentProperties>  <o:Author>User123</o:Author>

    and you will see many Google hits on benign documents hosted on web servers. In addition, check out the article Word document generation for how-tos.

    Malicious Indicators for MIME HTML files with CVE-2012-0158
    (as of Sept. 1, 2013; they may mutate in the future)

    1. The vulnerable Windows Common Control (MSCOMCTL.OCX - MS12-027)
    is present in clear text in one of the ActiveX object tags. I am not sure why they used the ShockwaveFlash1 label for that object; maybe it was also used for Flash.
    Venustech (a Chinese security company) has a very detailed analysis of the exploit itself on their site: CVE-2012-0158 Analysis Report 2012-04-28. There must be a similarly detailed English language report somewhere too, but with so many publications on CVE-2012-0158 incidents I could not immediately find it.

    span lang=3DEN-US><object classid=3D"CLSID:BDD1F04B-858B-11D1-B16A-00C0F0283628" id=3DShockwaveFlash1 width=3D9 height=3D9 data=3D"Doc1.files/ocxstg001.mso"></object..

    This is the only control in use; the other three fixed by MS12-027 were not present.

    2. Content location path is always the same.

    Content-Location:  file:///C:/2673C891/Doc1.files/ocxstg001.mso - compare to a different path in the benign version of a MIME document here: ocxstg001.mso.
    The object name ocxstg001.mso is an indicator of an embedded Word document. Decoding the Base64 blob that follows it produces a file with the Word document (OLE2 compound file) magic number D0 CF 11 E0 A1 B1 1A E1. It can be benign, like here, or malicious, as in our example, and will be detected as Shellcode and CVE-2012-0158 on Virustotal.
    decoded Base64 blob

    3. All files contain Chinese language and font tags, even the English and Russian language documents.
    This one is not necessarily malicious, just an additional indicator.

    span lang=3DEN-USstyle=3D'font-size:10.5pt;mso-bidi-font-size:12.0pt;font-family:"Times New =
    Roman";mso-fareast-font-family:SimSun;mso-font-kerning:1.0pt;mso-ansi-language:EN-=
    mso-fareast-language:ZH-CN;mso-bidi-language:AR-SA'
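    As an added example (not code from the original post), here is a small Python scanner that checks an MHTML file for the indicators listed above: it splits the multipart/related parts, undoes quoted-printable and base64 encoding, and looks for the MSCOMCTL.OCX CLSID object tag, the fixed Content-Location path, the ZH-CN far-east language tag, and the OLE2 magic at the start of the decoded ocxstg001.mso part. The two sample files are constructed inline for the demonstration; the build_mhtml helper, the Doc1.htm part and the file:///C:/Users/alice/... path are assumptions, not taken from any real sample.

```python
import base64
import quopri
import re

# Indicators from the post above: MSCOMCTL.OCX CLSID in the <object> tag, the fixed
# Content-Location path, the ZH-CN far-east tag, and the OLE2 magic of ocxstg001.mso.
MSCOMCTL_CLSID = "BDD1F04B-858B-11D1-B16A-00C0F0283628"
KNOWN_CONTENT_LOCATION = "file:///C:/2673C891/Doc1.files/ocxstg001.mso"
OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")


def split_mime_parts(raw: bytes):
    """Minimal multipart/related splitter: list of (headers, raw_body); CRLF normalised."""
    text = raw.replace(b"\r\n", b"\n")
    top, _, rest = text.partition(b"\n\n")
    match = re.search(rb'boundary="?([^"\s;]+)"?', top, re.I)
    if not match:
        return []
    delimiter = b"--" + match.group(1)
    parts = []
    for chunk in rest.split(delimiter)[1:]:
        if chunk.startswith(b"--"):  # closing delimiter "--boundary--"
            break
        header_block, _, body = chunk.lstrip(b"\n").partition(b"\n\n")
        headers = {}
        for line in header_block.split(b"\n"):
            name, _, value = line.partition(b":")
            if name:
                headers[name.strip().lower().decode()] = value.strip().decode(errors="replace")
        parts.append((headers, body))
    return parts


def decode_body(headers: dict, body: bytes) -> bytes:
    """Undo the part's Content-Transfer-Encoding (quoted-printable or base64)."""
    encoding = headers.get("content-transfer-encoding", "").lower()
    if encoding == "quoted-printable":
        return quopri.decodestring(body)
    if encoding == "base64":
        try:
            return base64.b64decode(re.sub(rb"\s+", b"", body))
        except ValueError:  # binascii.Error is a ValueError subclass
            return b""
    return body


def scan_mhtml(raw: bytes) -> dict:
    """Check one MHTML file for the four indicators; 'score' is the number of hits."""
    findings = dict.fromkeys(
        ("mscomctl_object", "known_content_location", "ole2_payload", "zh_cn_fareast"), False)
    for headers, body in split_mime_parts(raw):
        decoded = decode_body(headers, body)
        location = headers.get("content-location", "")
        if headers.get("content-type", "").lower().startswith("text/html"):
            html = decoded.decode("latin-1")
            # The <object classid="CLSID:BDD1F04B-..."> tag that loads the vulnerable control
            if re.search(r'classid="?CLSID:' + MSCOMCTL_CLSID, html, re.I):
                findings["mscomctl_object"] = True
            if "mso-fareast-language:ZH-CN" in html:
                findings["zh_cn_fareast"] = True
        if location == KNOWN_CONTENT_LOCATION:
            findings["known_content_location"] = True
        # The post notes an OLE2 ocxstg001.mso part can also be benign: scored, not decisive
        if location.lower().endswith("ocxstg001.mso") and decoded.startswith(OLE2_MAGIC):
            findings["ole2_payload"] = True
    findings["score"] = sum(1 for hit in findings.values() if hit)
    return findings


def build_mhtml(html: str, mso_location: str, mso_bytes: bytes) -> bytes:
    """Assemble a two-part MHTML file. Constructed test data, not a real sample."""
    boundary = "----=_NextPart_CONSTRUCTED"
    html_location = mso_location.rsplit("/", 2)[0] + "/Doc1.htm"
    head = (f'MIME-Version: 1.0\r\nContent-Type: multipart/related; boundary="{boundary}"\r\n\r\n'
            f"--{boundary}\r\nContent-Location: {html_location}\r\n"
            "Content-Transfer-Encoding: quoted-printable\r\nContent-Type: text/html\r\n\r\n")
    mid = (f"\r\n\r\n--{boundary}\r\nContent-Location: {mso_location}\r\n"
           "Content-Transfer-Encoding: base64\r\nContent-Type: application/octet-stream\r\n\r\n")
    return (head.encode() + quopri.encodestring(html.encode("latin-1")) + mid.encode()
            + base64.encodebytes(mso_bytes) + f"\r\n--{boundary}--\r\n".encode())


# Constructed samples: one reproducing the tags quoted in the post, one benign-looking
# document that still carries an OLE2 ocxstg001.mso part under a different path.
PAGE_LIKE_HTML = (
    "<html><body><span lang=EN-US style='font-size:10.5pt;mso-fareast-font-family:"
    "SimSun;mso-ansi-language:EN-US;mso-fareast-language:ZH-CN'>"
    '<object classid="CLSID:BDD1F04B-858B-11D1-B16A-00C0F0283628" id=ShockwaveFlash1 '
    'width=9 height=9 data="Doc1.files/ocxstg001.mso"></object></span></body></html>'
)
FAKE_MSO = OLE2_MAGIC + b"\x00" * 24  # placeholder OLE2 header, not a real document
SUSPICIOUS_SAMPLE = build_mhtml(PAGE_LIKE_HTML, KNOWN_CONTENT_LOCATION, FAKE_MSO)
BENIGN_SAMPLE = build_mhtml("<html><body><p>Quarterly report</p></body></html>",
                            "file:///C:/Users/alice/Doc1.files/ocxstg001.mso", FAKE_MSO)  # assumed path

if __name__ == "__main__":
    for name, sample in (("suspicious", SUSPICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(name, scan_mhtml(sample))
```

    The benign sample scores only on the OLE2 part, which is why the post treats that indicator as supporting evidence rather than proof on its own.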


    Payload Analysis 

    I will post the email and lure screenshots, lists of created files, pcaps and traffic (if the C2 was not down), malware family names and some brief indicators. The messages are posted from the oldest, July 30, 2013, to the newest, August 30, 2013. Not all C2s were up or responding as expected; some pcaps have only the initial callbacks.

    Note: all the "victim" information you may find in the pcaps, such as IPs, sandbox user name, and the names of documents being stolen, is staged and fake.

    ________________________________________________________________________
    #1 Gh0st - July 30, 2013 China Labor Watch-Apple.doc 

    File name and MD5:
    China Labor Watch-Apple.doc
    82644661F6639C9FCB021AD197B565F7

    Payload malware family: Gh0st gif  
    Malware online mentions:
    Alienvault
    Deepend Research malware traffic library

    Delivery
    Email attachment. Header available upon request

    Created Files:
    C:\Documents and Settings\[UserProfileName]\Local Settings\Temp\kbdmgr.dll

    C:\Documents and Settings\[UserProfileName]\Local Settings\Temp\kbdmgr.exe

    Links are to Virustotal:
    dserver.doc c4aefcb1c3366e0e93458809db28c118
    DW20.exe 5d2a996e66369c93f9e0bdade6ac5299  - Strings
    kbdmgr.dll 41ae059e71838e68b16b2019afc6dec5
    kbdmgr.exe 5d2a996e66369c93f9e0bdade6ac5299

    Traffic:
    Download pcap here or above with all the files
    202.85.136.181 port 110
    ASN iAdvantage Limited - 9729
    IP Geo Location Central District, 00, HK

    GET /h.gif?pid =113&v=130586214568 HTTP/1.1
    Accept: */*
    Accept-Language: en-us
    Pragma: no-cache
    User-Agent: Mozilla/4.0(compatible; MSIE 6.0; Windows NT 5.1)
    Connection: Keep-Alive

    pDNS data:
    godson355.vicp.cc. A 202.85.136.181
    genniu.com. A 202.85.136.181
    www.genniu.com. A 202.85.136.181


    ________________________________________________________________________
    #2 Mongall - July 31, 2013 中央政府各機關派赴國外各地區出差人員生活費日支數額表.doc

    File name and MD5:
    中央政府各機關派赴國外各地區出差人員生活費日支數額表.doc
    Central Government Agency travel abroad personnel expenses at various regions Amount Table
    2A0BDC62EEB6ECF6783B954B20BE3DE9 16 / 46

    Delivery
    Email attachment. Header available upon request

    Payload malware family: Mongall
    Created files
    C:\WINDOWS\system32\netbridge.exe



    aa.doc d3160c603ab94a53feb18881a7917697
    DW20.exe d7dd5cda909190c6c03db5e7f8afd721  -Strings
    netbridge.exe d7dd5cda909190c6c03db5e7f8afd721

    Traffic:
    C2 is currently down - no pcap
    www.ndbssh.com
    port 5331

    GET /3000FC08000024FE0700363635353544304331303530313136300052656D6F746520504300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000070161646D696E000000000000000000000000000000000000000000000000000000000000000000000000 HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)
    Host: www.ndbssh.com:5331
    Cache-Control: no-cache:




    ________________________________________________________________________
    #3 Vidgrab August 7,2013 人民力量 - 2017年行政長官普選建議.doc

    File name and MD5:
    People Power - 2017 Chief Executive by universal suffrage proposal
    人民力量 - 2017年行政長官普選建議.doc
    539A1ADCC98ECEE099BF3B42A42E9099

    Payload malware family: Vidgrab

    Malware online mentions:  http://www.symantec.com/security_response/writeup.jsp?docid=2013-072614-2434-99&tabid=2

    Delivery
    Email attachment. Header available upon request

    Created Files:

    C\Documents and Settings\[Userprofilename]\Local Settings\Temp\DW20.exe
    C:\Documents and Settings\[Userprofilename]\Application Data\360\Live360.exe

    C:\Documents and Settings\[Userprofilename]\Application Data\temp\temp1.exe


    aa.doc  f73a8b503bd7aa9849616af3fe37c942
    DW20.exe  660709324acb88ef11f71782af28a1f0
    Live360.exe  660709324acb88ef11f71782af28a1f0
    temp1.exe     660709324acb88ef11f71782af28a1f0
    users.bin  e5ad512524b634f9eb4e2ab2f70531c8

    Traffic:
    Download pcap here or above with all the files
    222.77.70.233
    IP ASN Chinanet - 4134
    IP Geo Location Fuzhou, 07, CN

    ....3
    HTTP/1.1 301 Moved Permanently
    Location:http://windowsupdate.microsoft.com/
    Content-Type: text/html
    Connection: Keep-Alive
    <h1>Bad Request (Invalid Verb)</h1>
    .....HK|(172.16.253.130)|1067|WinXP|D|L|No|0..0....1..52..|No|V2010-v24|2184|0|3111947|0|1|.


    pDNS data:
    no record

    ________________________________________________________________________
    #4 Taidoor Aug 12, 2013 大陸紀檢組織運行揭密.doc


    File name and MD5:
    大陸紀檢組織運行揭密.doc
    Google translate makes no sense - something about discipline
    51708AE7F107FBE8B1C1F679DAFABBF7 13 / 45

    Payload malware family: Taidoor
    Malware online mentions:
    http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-detecting-apt-activity-with-network-traffic-analysis.pdf
    http://contagiodump.blogspot.com/2012/10/cve-2012-1535-sep9-2012-doc-data-for.html
    Deepend Research malware traffic library

    Created Files:

    ~dfds3.reg 5ef49f70a2b16eaaff0dc31a0f69c52c
    aa.doc c3c2d15604f02ba3688d5a35a7ef6531
    DW20.exe 46ef9b0f1419e26f2f37d9d3495c499f
    SysmonLog.exe  46ef9b0f1419e26f2f37d9d3495c499f - Strings
    Traffic:
    Download pcap here or above with all the files
    61.222.137.66
    IP Reverse Lookup ftp.hilosystems.com.tw
    IP ASN Data Communication Business Group - 3462
    IP Geo Location TW

    GET http://61.222.137.66:443/page.jsp?tq=pcudeb1161B9GF318E
    GET http://61.222.137.66:80/user.jsp?xg=arifuq1161B9GF318E

    pDNS data:
    ftp.hilosystems.com.tw. A 61.222.137.66


    ________________________________________________________________________
    #5 PlugX Aug 15, 2013 营救岗吉.doc 


    File name and MD5:
    营救岗吉.doc
    Rescue Gang Ji
    682A71EDB073760EA81241F7D701ED1D

    Payload malware family: PlugX
    Malware online mentions:
    http://nakedsecurity.sophos.com/2013/02/27/targeted-attack-nvidia-digital-signature/
    http://sophosnews.files.wordpress.com/2013/05/sophosszappanosplugxmalwarefactoryversion6-rev3.pdf
    http://www.contextis.com/files/PlugX_-_Payload_Extraction_March_2013_1.pdf
    https://www.circl.lu/files/tr-12/tr-12-circl-plugx-analysis-v1.pdf

    Created Files:

    C:\Documents and Settings\All Users\SxS\bug.log
    C:\Documents and Settings\All Users\SxS\hccutils.dll
    C:\Documents and Settings\All Users\SxS\hccutils.dll.hcc
    C:\Documents and Settings\All Users\SxS\hkcmd.exe
    C:\Documents and Settings\All Users\SxS\NvSmart.hlp

    a\Local Settings\Temp\RarSFX0\hccutils.dll
    \Local Settings\Temp\RarSFX0\hccutils.dll.hcc
    \Local Settings\Temp\word.doc




    Intel Digital Signature on hkcmd.exe
     Expires 4/23/2011
    bug.log e06eb95819c666d7a4326c79bcc24574
    DFR4.tmp d41d8cd98f00b204e9800998ecf8427e 0/47
    DW20.exe 2ff2d518313475a612f095dd863c8aea 4 / 47 - Strings 
    hccutils.dll         8682e9826cfa736f78660fe388b2b21f 3 / 47
    hccutils.dll.hcc a190aa9deabf549d1462ce058e1cc4a2
    hkcmd.exe 23f2c3dbdb65c898a11e7f4ddc598a10 0/47 Strings
    NvSmart.hlp 9fcb203a2f62acfb56be80188960c2fe 0 / 47

    word.doc         80fe8c4a0e555769c719ada476d15e15

    Traffic:
    Download pcap here or above with all the files
    113.10.246.46
    port 6000

    WHOIS Source: APNIC





    TCP    172.16.253.132:1074    113.10.246.46:6000     ESTABLISHED     3376

    pDNS data:
    no record

    ________________________________________________________________________
    #6 Vidgrab Aug 19, 2013 海内外民运人士策划六四25周年“重回天安门”活动(图片).doc

    File name and MD5:
    海内外民运人士策划六四25周年“重回天安门”活动(图片).doc
    25th anniversary of pro-democracy activists planning sixty-four "return to Tiananmen Square" campaign (picture). Doc
    aaed8f6d19f9617311b9e7630a5d214d



    Payload malware family: Vidgrab

    Malware online mentions: 
     http://www.symantec.com/security_response/writeup.jsp?docid=2013-072614-2434-99&tabid=2
      Delivery
      Email attachment. Header available upon request

      Created Files:
      \Application Data\360\Live360.exe
      \Application Data\temp\temp1.exe

      DW20.exe 6fd868e68037040c94215566852230ab
      Live360.exe 6fd868e68037040c94215566852230ab
      temp1.exe 6fd868e68037040c94215566852230ab
      users.bin f112d0caf2b49e99657d519eca8c1819
      word.doc 14af2f439bce8a236295b0e28c59ddc8

      Traffic:
      Download pcap here or above with all the files
      113.10.246.46
      port 9325
      inetnum:        113.10.246.0 - 113.10.246.255
      netname:        NWTBB-HK
      descr:          NWT Broadband Service
      country:        HK
      admin-c:        NC315-AP
      tech-c:         KW315-AP
      status:         ASSIGNED NON-PORTABLE
      remarks:        For network abuse email <>
      mnt-irt:        IRT-NEWWORLDTEL-HK
      changed:         20101208
      mnt-by:         MAINT-HK-NEWWORLDTEL
      source:         APNIC


      pDNS data:
      no record

      ________________________________________________________________________
      #7 Surtr Aug 20, 2013 Tibetan Self-Immolator.rtf 


      File name and MD5:
      Tibetan Self-Immolator.rtf
      6DBBD689FC4DADE6953FD221473DF4F0

      Payload malware family: Surtr (Smoaler)

      Malware online mentions:
      https://citizenlab.org/2013/08/surtr-malware-family-targeting-the-tibetan-community/
      http://sophosnews.files.wordpress.com/2013/07/sophosszappanosplugxrevisitedintroducingsmoaler-rev1.pdf

      Delivery
      Email attachment.

      Created Files:
      C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\Burn\DELLXT.dll
      C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\LiveUpdata_Mem\QVLoOJ_Fra.dll
      C:\Documents and Settings\[Userprofilename]\Local Settings\Temp\DW20.dll

      0bJTrD.dll 51,840 KB
      3.dll                 22,208 KB
      DELLXT.dll 29,696 KB
      mTJxm6_One.dll 61,484 KB
      QVLoOJ_Fra.dll 68,224 KB

      DW20.dll 8e187ae152c48099f715af442339c340 43 KB  - Strings
      Exit.log 7fc56270e7a70fa81a5935b72eacbe29 1 KB
      Prod.t d9e3b52be43b06bf8004a4a2819da311 1 KB
      Proe.t dc4052397258ae1ffd61c7637a29acc5 1 KB
      3.tmp 4b319c6a7e6f30d16d8ca74bf6d4b495 40 KB


      Traffic: 
      No Pcap
      free1999.jkub.com

      pDNS data:
      no record

      ________________________________________________________________________
      #8 Vidgrab  Aug 22, 2013 公民提名及提名委員會.doc
      File name and MD5:
      公民提名及提名委員會.doc
      (Civil Nomination and the Nominating Committee.doc)
      BF4668C0A55903A0E4D5BA61D6B338CF

      File strings: http://contagioexchange.blogspot.com/2013/09/njrat-backdoorlv-strings-apt.html

      Payload malware family: Vidgrab

      Malware online mentions: 
       http://www.symantec.com/security_response/writeup.jsp?docid=2013-072614-2434-99&tabid=2
        Delivery
        Email attachment.

        Created Files:
        C:\Documents and Settings\[UserProfileName]\Application Data\360\Live360.exe
        C:\Documents and Settings\[UserProfileName]\Application Data\temp\temp1.exe
        C:\Documents and Settings\[UserProfileName]\Local Settings\Temp\word.doc
        C:\Documents and Settings\[UserProfileName]\users.bin

        DW20.exe 588d3316d4bbfdbb25658d436f06ed96 116 KB
        Live360.exe 588d3316d4bbfdbb25658d436f06ed96 116 KB
        temp1.exe 588d3316d4bbfdbb25658d436f06ed96 116 KB
        users.bin 427c95e54c4d6062dd5cedf4cb12e348 1 KB
        word.doc 150d788d58a7b9c632cf20fecfabfab5 165 KB

        Traffic: C2s are down, no pcap

        DNS requests to:

        www.yahooip.net

         wanghao
         howah technology
         HuBeiShengWuHanShiWuHanDaXueXueShengGongYu12ChuangB605
         WuHanShi HuBeiSheng, 430070 CN
         +86.02787740588
        whthoughtful@163.com

        IP Address:   111.174.41.205
        Owner Name:   CHINANET HUBEI PROVINCE NETWORK
        Contact Name: CHINANET HB ADMIN
        Address:      8th floor of JinGuang Building, #232 of Macao Road, HanKou Wuhan Hubei Province, P.R.China
        Email:        hbadd@189.cn

        ----
        www.yahooprotect.com
        www.yahooprotect.net

         wanghao
         wuhan zhousafe co.ltd
         hubei wuhan wuhandaxue
         WuHanShi HuBeiSheng, 430070  CN
         +86.02787660801
        whthoughtful@163.com

        IP Address:   69.46.86.194
        Country:      USA - California
        Network Name: EGIHOSTING-4
        Address:      55 S. Market St., Suite 1616, San Jose


        pDNS data:

        ergobabyscarrier.ca. A 69.46.86.194
        www.wholesalenfljerseyshop.us. A 69.46.86.194
        oakleysunglassesoutlet-store.us. A 69.46.86.194
        www.oakleysunglassesoutlet-store.us. A 69.46.86.194
        dolphinsjerseysale.com. A 69.46.86.194
        www.dolphinsjerseysale.com. A 69.46.86.194
        www.newpanthersjerseys.com. A 69.46.86.194
        www.packerslimitedjersey.com. A 69.46.86.194
        www.buccaneersjerseysproshop.com. A 69.46.86.194
        www.eaglesjerseysproshop2012.com. A 69.46.86.194
        elitefootballjersey.org. A 69.46.86.194
        www.elitefootballjersey.org. A 69.46.86.194
        oakleysunglassesoutlet-store.org. A 69.46.86.194


        first seen 2013-05-03 04:13:44 -0000 last seen 2013-05-03 11:14:02 -0000 www.yahooip.net. A 59.173.24.14
        first seen 2013-04-27 14:13:37 -0000 last seen 2013-05-03 02:14:02 -0000 www.yahooip.net. A 111.172.61.245
        first seen 2013-04-05 21:13:37 -0000 last seen 2013-04-11 04:13:41 -0000 www.yahooip.net. A 111.173.194.8
        first seen 2013-04-23 02:13:57 -0000 last seen 2013-04-27 12:13:37 -0000 www.yahooip.net. A 111.173.195.28
        first seen 2012-09-06 19:26:41 -0000 last seen 2012-09-06 19:26:41 -0000 www.yahooip.net. A 111.174.39.148
        first seen 2013-04-12 12:13:21 -0000 last seen 2013-04-12 19:13:41 -0000 www.yahooip.net. A 111.174.105.69
        first seen 2012-09-24 21:26:29 -0000 last seen 2012-09-24 21:26:29 -0000 www.yahooip.net. A 202.130.112.237


        ________________________________________________________________________
        #9 Surtr Aug 22, 2013 against Tibetan.rtf

        File name and MD5:
        against Tibetan.rtf
        FEA931812540035C9A4D0950D50DD103

        Payload malware family: Surtr (Smoaler)
        Malware online mentions:
        https://citizenlab.org/2013/08/surtr-malware-family-targeting-the-tibetan-community/
        http://sophosnews.files.wordpress.com/2013/07/sophosszappanosplugxrevisitedintroducingsmoaler-rev1.pdf

        Delivery
        Email attachment. Header available upon request

        Created Files:
        C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\Burn\DELLXT.dll
        C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\LiveUpdata_Mem\n47eeF.dll
        C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\LiveUpdata_Mem\Z6r2sv_One.dll
        C:\Documents and Settings\[Userprofilename]\Local Settings\Temp\DW20.dll

        deleted_files\C\Documents and Settings\All Users\Application Data\Microsoft\Windows\Burn\DELLXT.dll
        deleted_files\C\Documents and Settings\All Users\Application Data\Microsoft\Windows\Exit.log
        deleted_files\C\Documents and Settings\All Users\Application Data\Microsoft\Windows\Prod.t
        deleted_files\C\Documents and Settings\All Users\Application Data\Microsoft\Windows\Proe.t
        deleted_files\C\Documents and Settings\[Userprofilename]\Local Settings\Temp\4.dll
        deleted_files\C\Documents and Settings\[Userprofilename]\Local Settings\Temp\4.tmp


        4.dll                                                34,624 KB
        4.tmp         4b319c6a7e6f30d16d8ca74bf6d4b495 40 KB
        DELLXT.dll                                35,712 KB
        DW20.dll 8e187ae152c48099f715af442339c340 43 KB
        Exit.log 7fc56270e7a70fa81a5935b72eacbe29 1 KB
        n47eeF.dll                                61,484 KB
        Prod.t         d41d8cd98f00b204e9800998ecf8427e 0 KB
        Proe.t         d41d8cd98f00b204e9800998ecf8427e 0 KB   (both empty: d41d8cd9... is the MD5 of zero bytes)
        Z6r2sv_One.dll                                61,484 KB


        Traffic:
        no activity captured

        ________________________________________________________________________
        #10 8202 (TBD) Aug 24, 2013 attachment.doc 
        Tibetan Parliament to Convene 6th Session from 18 – 28 September

        File name and MD5:
        6DB8AA8455DF96CBAED8803536217ECB
        attachment.doc

        Payload malware family: TBD 8202
        I plan to have a closer look at this malware as I don't recognize it. It could be (related to) the 9002 trojan.
        Delivery
        Email attachment. Header available upon request

        Created Files:
        C:\Documents and Settings\All Users\Application Data\8202u392325.log
        C:\Documents and Settings\All Users\Application Data\8202u3923pi.db
        C:\Documents and Settings\All Users\Application Data\Javame\Java\Jre\helper\103302\Adobe Flash Updated { 120433}.lnk
        C:\Documents and Settings\All Users\Application Data\Sun Orcal\Java\Jre\DATAS\SunJavaErrror.log
        C:\Documents and Settings\All Users\Application Data\Sun Orcal\Java\Jre\updateerror_2.log
        C:\Documents and Settings\All Users\Application Data\Sun Orcal\Java\Jre\updateerror_2tmp.log
        C:\Documents and Settings\[UserProfileName]\Local Settings\Temp\4.tmp
        C:\Documents and Settings\[UserProfileName]\Local Settings\Temp\DW20.dll

        deleted_files\C\Documents and Settings\All Users\Application Data\8202u39232d.log
        deleted_files\C\Documents and Settings\All Users\Application Data\8202u39232e.db
        deleted_files\C\Documents and Settings\All Users\Application Data\8202u39232s.db
        deleted_files\C\Documents and Settings\All Users\Application Data\Javame\Java\Jre\helper\103302\Adobe_FlashUpdate.lnk
        deleted_files\C\Documents and Settings\All Users\Application Data\len.txt
        deleted_files\C\Documents and Settings\All Users\Application Data\start.txt
        deleted_files\C\Documents and Settings\All Users\Application Data\Sun Orcal\Java\Jre\DATAS\error.log
        deleted_files\C\Documents and Settings\All Users\Application Data\Sun Orcal\Java\Jre\updateerror_2tmp.log

        Strings
        ~WINWORD e743b2c32ff43743046b0ce560abff25 599 KB
        start.txt c1d3f8cc1f46abaf2231637b5e67414a 1 KB
        len.txt db8700492269d59072aad57f54848fda 1 KB
        4.tmp 6d2c12085f0018daeb9c1a53e53fd4d1 56 KB
        updateerror_2tmp.log 60aea6d6f27cfb91f1461755e2283ffc 116 KB
        updateerror_2.log 60aea6d6f27cfb91f1461755e2283ffc 116 KB
        SunJavaErrror.log ba1e3b06c990e0c90e3a52ac7b4a42d4 36 KB
        error.log 2a4451d9989782f180df790d01f2997a 1 KB
        8202u392325.log d41d8cd98f00b204e9800998ecf8427e 0 KB
        8202u39232d.log ba1e3b06c990e0c90e3a52ac7b4a42d4 36 KB
        Adobe_FlashUpdate 8a15ca5527530c553e285805ca1dce2e 1 KB
        Adobe Flash Updated { 120433} 99a7f4ec2ea846ae5cbb0257cc0a8e20 1 KB
        DW20.dll 064ae9b451f0503982842c9f41a58053 59 KB
        8202u39232s.db a453bb1f1b5bb3f4810e38290190516c 1 KB
        8202u39232e.db 884ca4afc294779d168158496485ec3a 1 KB
        8202u3923pi.db 36e91eac9712bb3f3e1739a915b4b5b0 1 KB


        Traffic:
        Download pcap here or above with all the files

        sa.foundcloudsearch.com  
        Domain Name: FOUNDCLOUDSEARCH.COM
        Registrar URL: http://www.godaddy.com
        Registrant Name: Flsdjhfdsal dfyaldk
        Name Server: NS77.DOMAINCONTROL.COM
        Name Server: NS78.DOMAINCONTROL.COM

        IP Address:   192.200.99.194
        Country:      USA - California
        Network Name: GSI
        Owner Name:   GorillaServers, Inc.
        Allocated:    Yes
        Contact Name: GorillaServers, Inc.
        Address:      800 S Hope St, Suite B100, Los Angeles
        Email:        arin-tech@GorillaServers.com

          Proto  Local Address          Foreign Address        State           PID
          TCP    172.16.253.129:1045    192.200.99.194:80      ESTABLISHED     3892
          C:\WINDOWS\system32\mswsock.dll
          C:\WINDOWS\system32\ws2_32.dll

        ________________________________________________________________________
        #11 Vidgrab Aug 24, 2013 judgment.doc

        File name and MD5:
        judgment.doc

        Delivery
        Email attachment. Header available upon request

        Payload malware family: Vidgrab

        Created Files:
        C:\Documents and Settings\[UserprofileName]\Application Data\360\Live360.exe
        C:\Documents and Settings\[UserprofileName]\Application Data\temp\temp1.exe
        C:\Documents and Settings\[UserprofileName]\Local Settings\Temp\DW20.exe
        C:\Documents and Settings\[UserprofileName]\users.bin

        DW20.exe 6fd868e68037040c94215566852230ab 116 KB (same as above)
        Live360.exe 6fd868e68037040c94215566852230ab 116 KB
        temp1.exe 6fd868e68037040c94215566852230ab 116 KB
        users.bin 354d4b710a3f9b570471d174c38ce66a 1 KB
        word.doc 17b9d6735a39576a0a598617954d4cdb 160 KB


        Traffic:

        ....3
        HTTP/1.1 301 Moved Permanently
        Location:http://windowsupdate.microsoft.com/
        Content-Type: text/html
        Connection: Keep-Alive
        <h1>Bad Request (Invalid Verb)</h1>
        ...20130819....|(172.16.253.130)|1067|WinXP|D|L|No|0..0....2..5..|No|V2010-v24|288|0|5aff68c5|0

        IP Address:   113.10.246.46
        Country:      Hong Kong
        Network Name: NWTBB-HK
        Owner Name:   NWT Broadband Service
        Contact Name: Network Management Center
        Address:      17/F Chevalier Commercial Centre,, 8 Wang Hoi Road, Kowloon Bay,, Hong Kong.
        Email:        nmc@newworldtel.com


        pDNS data:
        no record
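The capture quoted for this entry is the C2's reply followed by the record the victim host (172.16.253.130 in the lab) sends back. As an added example, not taken from the post or from any published Vidgrab analysis, here is how to turn the two visible oddities into checks: a status line that claims "301 Moved Permanently" (with a Location pointing at windowsupdate.microsoft.com) wrapped around a "Bad Request (Invalid Verb)" body, and a pipe-delimited record carrying the victim's IPv4 in parentheses. Function names are mine; the NUL bytes standing in for the dots in the rendering, the minimum field count, and the generalisation to any non-400 status with a "Bad Request" body are assumptions. The meaning of the individual fields is not documented in the post and is not guessed here: they are returned as raw bytes.

```python
"""Checks for the Vidgrab C2 exchange shown in entry #11 (added example, not from the post)."""
import re

# Constructed from the capture quoted above: the C2's reply, then the client's
# record with the dots (non-printable bytes) replaced by NULs (an assumption).
SAMPLE_REPLY = (
    b"HTTP/1.1 301 Moved Permanently\r\n"
    b"Location:http://windowsupdate.microsoft.com/\r\n"
    b"Content-Type: text/html\r\n"
    b"Connection: Keep-Alive\r\n"
    b"<h1>Bad Request (Invalid Verb)</h1>"
)
SAMPLE_BEACON = (
    b"\x00\x00\x0020130819\x00\x00\x00\x00|(172.16.253.130)|1067|WinXP|D|L|No|"
    b"0\x00\x000\x00\x00\x00\x002\x00\x005\x00\x00|No|V2010-v24|288|0|5aff68c5|0"
)

STATUS_RE = re.compile(rb"^HTTP/1\.[01] (\d{3}) ")
MARKER_RE = re.compile(rb"\|\((\d{1,3}(?:\.\d{1,3}){3})\)\|")  # the "|(a.b.c.d)|" field
DATE_RE = re.compile(rb"(\d{8})[^|]*$")                          # last 8-digit run before the marker


def contradictory_http_reply(payload):
    """True when the status line promises one thing and the body says another.

    The reply in #11 is '301 Moved Permanently' around a 'Bad Request (Invalid Verb)'
    body. A real server sends one or the other, so a non-400 status plus a
    'Bad Request' body is a cheap, specific check (generalised here beyond 301).
    """
    first_line, _, rest = payload.partition(b"\n")
    m = STATUS_RE.match(first_line)
    if not m:
        return False
    return int(m.group(1)) != 400 and b"Bad Request" in rest


def extract_beacon(payload):
    """Pull the pipe-delimited client record out of a raw TCP payload, or None.

    Only the shape is relied on: an 8-digit date-like token, the parenthesised
    IPv4 marker, and '|'-separated fields. Some fields carry raw bytes, so they
    are returned undecoded.
    """
    m = MARKER_RE.search(payload)
    if not m:
        return None
    head = payload[:m.start()]
    d = DATE_RE.search(head)
    start = d.start(1) if d else m.start() + 1
    record = re.split(rb"[\r\n]", payload[start:], maxsplit=1)[0]
    return {
        "victim_ip": m.group(1).decode("ascii"),
        "date": d.group(1).decode("ascii") if d else None,
        "fields": record.split(b"|"),
    }


def vidgrab_indicators(payload):
    """Run both checks over a reassembled TCP stream and name what fired."""
    hits = []
    if contradictory_http_reply(payload):
        hits.append("fake-http-reply")
    b = extract_beacon(payload)
    if b and b["date"] and len(b["fields"]) >= 10:   # 14 fields in the sample above
        hits.append("pipe-delimited-beacon")
    return hits
```

Run it over the two halves of a TCP stream on the C2 port (9325 or 6000 in the entries above); the beacon check does not depend on the port, and the HTTP check is worth running on any port that never saw an HTTP request.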

        ________________________________________________________________________
        #12 Vidgrab  Aug 26, 2013 resume.doc

        File name and MD5:
        F0B821697949C713D9B17550A533ECFE
        resume.doc (original name 个人简历.doc, "Personal resume.doc")

        Delivery
        Email attachment.

        Created Files:
        C:\Documents and Settings\[UserProfileName]\Application Data\360\Live360.exe
        C:\Documents and Settings\[UserProfileName]\Application Data\temp\temp1.exe
        C:\Documents and Settings\[UserProfileName]\Local Settings\Temp\DW20.dll
        C:\Documents and Settings\[UserProfileName]\users.bin

        3.tmp 1164cf0c769f1656c235ba108874a9d6 116 KB
        Live360.exe 1164cf0c769f1656c235ba108874a9d6 116 KB
        temp1.exe 1164cf0c769f1656c235ba108874a9d6 116 KB
        users.bin dca2f9c264b782cf186a3eed5077b043 1 KB

        Traffic:
        no pcap
        DNS req for
        webposter.gicp.net

        pDNS data
        first seen 2012-01-03 01:39:09 -0000 last seen 2012-04-28 06:42:35 -0000 webposter.gicp.net. A 0.0.0.0
        first seen 2012-03-20 00:39:47 -0000 last seen 2012-03-20 00:39:47 -0000 webposter.gicp.net. A 1.234.3.186
        first seen 2013-07-31 16:45:13 -0000 last seen 2013-07-31 16:45:13 -0000 webposter.gicp.net. A 59.188.73.63
        first seen 2010-12-04 02:13:46 -0000 last seen 2010-12-05 03:10:12 -0000 webposter.gicp.net. A 61.152.93.40
        first seen 2010-12-19 02:47:54 -0000 last seen 2010-12-19 03:23:42 -0000 webposter.gicp.net. A 66.79.164.110
        first seen 2011-10-08 01:49:51 -0000 last seen 2012-02-14 01:35:45 -0000 webposter.gicp.net. A 111.68.2.34
        first seen 2012-03-20 06:41:49 -0000 last seen 2012-03-20 06:41:49 -0000 webposter.gicp.net. A 112.121.164.106
        first seen 2010-12-11 19:23:03 -0000 last seen 2010-12-11 21:15:24 -0000 webposter.gicp.net. A 117.71.149.130
        first seen 2010-10-10 13:07:50 -0000 last seen 2010-10-10 23:32:09 -0000 webposter.gicp.net. A 117.71.168.222
        first seen 2010-11-21 15:52:00 -0000 last seen 2010-11-21 23:44:54 -0000 webposter.gicp.net. A 117.71.197.145
        first seen 2010-12-26 03:18:45 -0000 last seen 2010-12-26 03:28:11 -0000 webposter.gicp.net. A 117.71.203.145
        first seen 2010-11-28 05:09:32 -0000 last seen 2010-11-28 07:53:30 -0000 webposter.gicp.net. A 117.71.207.107
        first seen 2010-11-28 03:25:56 -0000 last seen 2010-11-28 04:52:01 -0000 webposter.gicp.net. A 122.210.123.58
        first seen 2010-12-25 00:11:40 -0000 last seen 2010-12-25 00:28:36 -0000 webposter.gicp.net. A 123.101.134.12
        first seen 2010-11-28 07:54:43 -0000 last seen 2010-11-28 08:18:42 -0000 webposter.gicp.net. A 124.113.190.134
        first seen 2010-11-28 00:50:25 -0000 last seen 2010-11-28 01:32:14 -0000 webposter.gicp.net. A 124.113.194.85
        first seen 2010-11-28 08:36:23 -0000 last seen 2010-12-05 03:26:56 -0000 webposter.gicp.net. A 205.209.161.133
        first seen 2010-10-10 23:34:19 -0000 last seen 2013-07-31 04:19:02 -0000 webposter.gicp.net. A 220.179.124.85
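The pDNS listings in #8 (the names co-hosted on 69.46.86.194) and in this entry come in two layouts. As an added example, not from the post, here is a parser for both together with the two pivots these listings support: how many unrelated names share a C2's IP (69.46.86.194 fronts a dozen jersey and sunglasses shops, so blocking the IP hits bystanders and the domain, or the shared registrant email visible in the #8 whois, is the better indicator), and the resolution timeline of a dynamic-DNS name such as webposter.gicp.net. The rows are copied from the listings above; the function names are mine, and treating 0.0.0.0 and 127.0.0.1 as "parked or client offline" placeholders rather than infrastructure is an assumption.

```python
"""Parse and pivot on the passive-DNS listings quoted in this post (added example)."""
import re
from datetime import datetime

# Constructed sample: rows copied from the pDNS listings in entries #8 and #12 above,
# in both layouts the post uses (bare "name. A ip" and "first seen ... last seen ...").
SAMPLE_PDNS = """
ergobabyscarrier.ca. A 69.46.86.194
www.wholesalenfljerseyshop.us. A 69.46.86.194
oakleysunglassesoutlet-store.us. A 69.46.86.194
first seen 2013-05-03 04:13:44 -0000 last seen 2013-05-03 11:14:02 -0000 www.yahooip.net. A 59.173.24.14
first seen 2012-09-06 19:26:41 -0000 last seen 2012-09-06 19:26:41 -0000 www.yahooip.net. A 111.174.39.148
first seen 2012-01-03 01:39:09 -0000 last seen 2012-04-28 06:42:35 -0000 webposter.gicp.net. A 0.0.0.0
first seen 2013-07-31 16:45:13 -0000 last seen 2013-07-31 16:45:13 -0000 webposter.gicp.net. A 59.188.73.63
first seen 2010-10-10 23:34:19 -0000 last seen 2013-07-31 04:19:02 -0000 webposter.gicp.net. A 220.179.124.85
"""

TS_FMT = "%Y-%m-%d %H:%M:%S"
TIMED_RE = re.compile(
    r"^first seen (\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) -0000 "
    r"last seen (\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) -0000 (\S+)\. A (\S+)$"
)
BARE_RE = re.compile(r"^(\S+)\. A (\S+)$")

# Addresses a dynamic-DNS name points at while the client is offline or the name
# is parked (assumption, consistent with the gicp.net rows above); they are not
# infrastructure and must not end up on a block list.
PLACEHOLDER_IPS = {"0.0.0.0", "127.0.0.1"}


def parse_pdns(text):
    """One dict per resolution: name, ip, first_seen, last_seen (None when undated)."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        m = TIMED_RE.match(line)
        if m:
            first, last, name, ip = m.groups()
            records.append({"name": name, "ip": ip,
                            "first_seen": datetime.strptime(first, TS_FMT),
                            "last_seen": datetime.strptime(last, TS_FMT)})
            continue
        m = BARE_RE.match(line)
        if m:
            name, ip = m.groups()
            records.append({"name": name, "ip": ip, "first_seen": None, "last_seen": None})
        # blank lines and anything else are ignored
    return records


def names_on_ip(records, ip):
    """Every name seen resolving to ip, sorted."""
    return sorted({r["name"] for r in records if r["ip"] == ip})


def ip_is_shared_hosting(records, ip, threshold=3):
    """True when ip fronts at least `threshold` distinct names: block the domain, not the IP."""
    return len(names_on_ip(records, ip)) >= threshold


def resolution_timeline(records, name):
    """(first_seen, last_seen, ip) for name, oldest first; undated rows go last."""
    rows = [r for r in records if r["name"] == name]
    rows.sort(key=lambda r: (r["first_seen"] is None, r["first_seen"] or datetime.min))
    return [(r["first_seen"], r["last_seen"], r["ip"]) for r in rows]


def live_ips(records, name):
    """IPs the name actually pointed at, with parked/offline placeholders dropped."""
    return [ip for _, _, ip in resolution_timeline(records, name) if ip not in PLACEHOLDER_IPS]
```

Feed it the full listings (paste them into SAMPLE_PDNS) and the shared-hosting test on 69.46.86.194 comes back true on the first three rows alone, while the gicp.net timeline shows the name hopping between Chinese consumer ranges with a parked gap in early 2012.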
        ________________________________________________________________________
        #13 Surtr (Smoaler) Aug 27, 2013 


        File name and MD5:
        CTA condemns alleged sexual assault on minor girl in Mundgod.doc
        8BE76FCB0A2DA692CFD2DA0C85F2EC33

        Payload malware family: Surtr (Smoaler)

        Created Files:
        C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\Burn\DELLXT.dll
        C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\LiveUpdata_Mem\cjwUon_One.dll
        C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\LiveUpdata_Mem\leZOi1.dll
        C:\Documents and Settings\[UserProfileName]\Local Settings\Temp\DW20.dll
        deleted_files\C\Documents and Settings\All Users\Application Data\Microsoft\Windows\Burn\DELLXT.dll
        deleted_files\C\Documents and Settings\All Users\Application Data\Microsoft\Windows\Exit.log
        deleted_files\C\Documents and Settings\All Users\Application Data\Microsoft\Windows\Prod.t
        deleted_files\C\Documents and Settings\All Users\Application Data\Microsoft\Windows\Proe.t
        deleted_files\C\Documents and Settings\[UserProfileName]\Local Settings\Temp\B.dll
        deleted_files\C\Documents and Settings\[UserProfileName]\Local Settings\Temp\B.tmp

        Name MD5 Checksum Size
        Exit.log 7fc56270e7a70fa81a5935b72eacbe29 1 KB
        Proe.t a529d1f0fa53b4326808288b2251c891 1 KB
        Prod.t c9ed72372fb6fe7c928c39f2672a52bf 1 KB
        dat9.tmp 58159b40b65d3e5446edd7e1d617c66f 5 KB
        ~WINWORD d1a75058f831f35134ad218eae5ad548 13 KB
        B.tmp 32f3ea95f8b39b1003ed138864205860 36 KB
        leZOi1.dll 20,524 KB
        DELLXT.dll 20,524 KB
        cjwUon_One.dll 20,524 KB
        B.dll 20,524 KB

        Traffic:
         no pcap

        ________________________________________________________________________
        #14 8202 TBD Aug 27 , 2013



        File name and MD5:
        Regarding Double Sponsor.doc
        9B41475A88D12183048A465FFD32EBF9

        Delivery
        Email attachment.

        Payload malware family: TBD (called 8202 here, after the names of the .db and .log files it creates)
        Malware online mentions
        • Let me know if you can ID it.
        Created Files:

        ~WINWORD 25dd1a04d8d084581effea2aeb2e0011 13 KB
        start.txt          c1d3f8cc1f46abaf2231637b5e67414a 1 KB
        len.txt          db8700492269d59072aad57f54848fda 1 KB
        3.tmp          6d2c12085f0018daeb9c1a53e53fd4d1 56 KB
        updateerror_2tmp.log 60aea6d6f27cfb91f1461755e2283ffc 116 KB
        updateerror_2.log 60aea6d6f27cfb91f1461755e2283ffc 116 KB
        SunJavaErrror.log ba1e3b06c990e0c90e3a52ac7b4a42d4 36 KB
        error.log 75c73813b6a5dad200da4837c207a549 1 KB
        8202u392325.log d41d8cd98f00b204e9800998ecf8427e 0 KB
        8202u39232d.log ba1e3b06c990e0c90e3a52ac7b4a42d4 36 KB
        Adobe_FlashUpdate                    8a15ca5527530c553e285805ca1dce2e 1 KB
        Adobe Flash Updated { 123824} 1e22098b5fb61118a48daa780755e8cb 1 KB
        8202u39232s.db a453bb1f1b5bb3f4810e38290190516c 1 KB
        8202u39232e.db 884ca4afc294779d168158496485ec3a 1 KB
        8202u3923pi.db 36e91eac9712bb3f3e1739a915b4b5b0 1 KB

        Traffic:
        Download pcap here or above with all the files

        sa.foundcloudsearch.com

        Domain Name: FOUNDCLOUDSEARCH.COM
        Registrar URL: http://www.godaddy.com
        Registrant Name: Flsdjhfdsal dfyaldk
        Registrant Organization: 
        Name Server: NS77.DOMAINCONTROL.COM
        Name Server: NS78.DOMAINCONTROL.COM

        192.200.99.194
        Country:      USA - California
        Network Name: GSI
        Owner Name:   GorillaServers, Inc.
        Contact Name: GorillaServers, Inc.
        Address:      800 S Hope St, Suite B100, Los Angeles
        Email:        arin-tech@GorillaServers.com

        pDNS data:
        mail2.netdacco.com. A 192.200.99.194

        ________________________________________________________________________
        #15 Surtr - Smoaler Aug 27 , 2013 The Great Calling.doc
                                     

        File name and MD5:
        The Great Calling.doc
         BD85FE0A7C5D15ADB57FB6B01043F4B6

        Delivery
        Email attachment. Header available upon request

        Payload malware family: Surtr (Smoaler)

        Created Files:
        C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\Burn\DELLXT.dll
        C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\LiveUpdata_Mem\Gki33A.dll
        C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\LiveUpdata_Mem\oJDc43_One.dll
        C:\Documents and Settings\[UserProfileName]\Local Settings\Temp\DW20.dll
        deleted_files\C\Documents and Settings\All Users\Application Data\Microsoft\Windows\Burn\DELLXT.dll
        deleted_files\C\Documents and Settings\All Users\Application Data\Microsoft\Windows\Exit.log
        deleted_files\C\Documents and Settings\All Users\Application Data\Microsoft\Windows\Prod.t
        deleted_files\C\Documents and Settings\All Users\Application Data\Microsoft\Windows\Proe.t
        deleted_files\C\Documents and Settings\[UserProfileName]\Local Settings\Temp\4.dll
        deleted_files\C\Documents and Settings\[UserProfileName]\Local Settings\Temp\4.tmp

        Exit.log 7fc56270e7a70fa81a5935b72eacbe29 1 KB
        Proe.t ec1c1b989ae29e84f4652b1476076810 1 KB
        Prod.t e38ad8e5bc99862fc0d36d57f9bda656 1 KB
        ~WINWORD 25e8bc41a4e59df2c16b4ce4eda85566 13 KB
        4.tmp 32f3ea95f8b39b1003ed138864205860 36 KB
        DW20.dll 1325ec00149cd2dd9a2982769f1fa12a 39 KB
        MSComctlLib.exd d29387fc9ed9dda50d5917830e237bb0 143 KB
        MSForms.exd 25472b982a9041f3e9f585226694ae23 163 KB
        DELLXT.dll 14,080 KB
        oJDc43_One.dll 20,524 KB
        Gki33A.dll 20,524 KB
        4.dll 20,524 KB


        Traffic:
        no traffic


        ________________________________________________________________________
        #16 Surtr - Smoaler Aug 27 , 2013

        File name and MD5:
        B5EC46322334D5712ACD386622EE0F04
        Tibetan Nun Released From Jail.rtf 
        Delivery
        Email attachment. Header available upon request

        Payload malware family: Surtr (Smoaler)

        Created Files:
        C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\Burn\DELLXT.dll
        C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\LiveUpdata_Mem\HbEsg1_One.dll
        C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\LiveUpdata_Mem\kr8mZP.dll
        C:\Documents and Settings\[UserProfileName]\Local Settings\History\History.IE5\MSHist012013083120130901\index.dat
        C:\Documents and Settings\[UserProfileName]\Local Settings\Temp\DW20.dll 
        \deleted_files\C\Documents and Settings\All Users\Application Data\Microsoft\Windows\Burn\DELLXT.dll
        \deleted_files\C\Documents and Settings\All Users\Application Data\Microsoft\Windows\Exit.log
        \deleted_files\C\Documents and Settings\All Users\Application Data\Microsoft\Windows\Prod.t
        \deleted_files\C\Documents and Settings\All Users\Application Data\Microsoft\Windows\Proe.t 
        \deleted_files\C\Documents and Settings\[UserProfileName]\Local Settings\Temp\4.dll
        \deleted_files\C\Documents and Settings\[UserProfileName]\Local Settings\Temp\4.tmp 

        Proe.t d41d8cd98f00b204e9800998ecf8427e 0 KB
        Prod.t d41d8cd98f00b204e9800998ecf8427e 0 KB
        Exit.log 7fc56270e7a70fa81a5935b72eacbe29 1 KB
        ~WINWORD 968ef270dafb0e602d0e05e6ad62a2d6 27 KB
        4.tmp 4b319c6a7e6f30d16d8ca74bf6d4b495 40 KB
        DW20.dll 8e187ae152c48099f715af442339c340 43 KB
        DELLXT.dll 21,760 KB
        4.dll                 43,520 KB
        kr8mZP.dll 61,484 KB
        HbEsg1_One.dll 61,484 KB


        Traffic:
        no traffic

        ________________________________________________________________________
        #17 TBD Insta11 Aug 25 , 2013 tibetTour Program.doc 

        File name and MD5:
        tibetTour Program.doc 
        658C55D6F92B2E8CCCCB82C6980CE2AB.txt

        Delivery
        Email attachment.

        Payload malware family: TBD Insta11 (named here after the dropped payload insta11.exe, spelled with two digit ones rather than "install")
        Malware online mentions
        • Let me know if you can ID it.
        Created Files:

        C:\Documents and Settings\[UserProfileName]\Local Settings\Temp\7zF06B6E04\code
        C:\Documents and Settings\[UserProfileName]\Local Settings\Temp\7zF06B6E04\data
        C:\Documents and Settings\[UserProfileName]\Local Settings\Temp\7zF06B6E04\insta11.exe
        C:\Documents and Settings\[UserProfileName]\Local Settings\Temp\word.doc
        deleted_files\C\Documents and Settings\[UserProfileName]\Local Settings\Temp\7zF06B6E04\install0.dat
        deleted_files\C\Documents and Settings\[UserProfileName]\Local Settings\Temp\7zF06B6E04\install1.dat
        deleted_files\C\Documents and Settings\[UserProfileName]\Local Settings\Temp\7zF06B6E04\install2.dat
        deleted_files\C\Documents and Settings\[UserProfileName]\Local Settings\Temp\7zF06B6E04\install3.dat
        deleted_files\C\Documents and Settings\[UserProfileName]\Local Settings\Temp\7zF06B6E04\install4.dat
        deleted_files\C\Documents and Settings\[UserProfileName]\Local Settings\Temp\7zF06B6E04\install5.dat
        deleted_files\C\Documents and Settings\[UserProfileName]\Local Settings\Temp\7zF06B6E04\kernel32.dat
        deleted_files\C\Documents and Settings\[UserProfileName]\Local Settings\Temp\7zF06B6E04\kernel64.dat
        deleted_files\C\Documents and Settings\[UserProfileName]\Local Settings\Temp\DW20.exe
        deleted_files\C\Documents and Settings\[UserProfileName]\Local Settings\Temp\~$word.doc
        C:\WINDOWS\Temp\code
        C:\WINDOWS\Temp\data
        C:\WINDOWS\Temp\install0.dat
        C:\WINDOWS\Temp\install3.dat
        C:\WINDOWS\Temp\install4.dat
        C:\WINDOWS\Temp\kernel32.dat
        C:\WINDOWS\Temp\kernel64.dat
        C:\WINDOWS\Temp\work.dat


        data                  d6d60a7689f6f73d1ceb589df97dd868 10 KB
        code                582c61c67df96c561363e14bd080093b 3 KB
        insta11.exe               5f057a03ba1b211f00af97259027ad10 24 KB   0/46 VT
        DW20.exe                d7e7ef1f41635365148a7bb6e08f56ff 125 KB 0/46 VT
        word.doc        b502500ba5198135086a25c83722f261 153 KB
        work.dat        299ab2c8a3db4a57e64d1792060e27e8 44 KB
        kernel64.dat 7e4d72e2f92298c5c29ef0db8b34fd4a 14 KB
        kernel32.dat 5213596d2d17a01444767cfece9060e2 12 KB
        install5.dat b01bf5e4dc9c218b2c1a7b54fd1a9eaf 9 KB
        install4.dat d7560612e4634ba498720bbf909592d9 28 KB
        install3.dat 299ab2c8a3db4a57e64d1792060e27e8 44 KB
        install2.dat 91a28843d260c8314a69f2d6b29fa3a8 5 KB
        install1.dat ec52f53a553d1eaac48b26c8fab6a698 6 KB
        install0.dat ceb731fbb083edf3d41d660d097ff1a9 2 KB
        index.dat         8325e4c8bab8455e924303dc2a9a8c04 32 KB


        Traffic:
        no traffic
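Across the Surtr and 8202 entries the same hashes recur under different file names (DW20.dll 8e187ae1... in #7, #9 and #16; 4.tmp in #10 and 3.tmp in #14 both 6d2c1208...; B.tmp in #13 and 4.tmp in #15 both 32f3ea95...), and two of the recurring hashes are trivial contents rather than payloads: d41d8cd9... is the MD5 of zero bytes and the Exit.log hash 7fc56270... is the MD5 of the single byte "A". As an added example, not from the post, here is an index over the file tables that surfaces the cross-entry pivots and sets the trivial ones aside by computing their MD5s rather than trusting a lookup table. The rows are copied from the entries above (the DLLs listed without a hash are left out) and the function names are mine.

```python
"""Cross-reference the per-entry file tables above (added example, not from the post)."""
import hashlib
import re
from collections import defaultdict

# Constructed sample: "name md5 size" rows copied from entries #7, #9, #10, #13,
# #14, #15 and #16 above, keyed by entry. Rows without an MD5 in the post are omitted.
ENTRIES = {
    "#7 Surtr": """
        DW20.dll 8e187ae152c48099f715af442339c340 43 KB
        Exit.log 7fc56270e7a70fa81a5935b72eacbe29 1 KB
        3.tmp 4b319c6a7e6f30d16d8ca74bf6d4b495 40 KB""",
    "#9 Surtr": """
        4.tmp 4b319c6a7e6f30d16d8ca74bf6d4b495 40 KB
        DW20.dll 8e187ae152c48099f715af442339c340 43 KB
        Exit.log 7fc56270e7a70fa81a5935b72eacbe29 1 KB
        Prod.t d41d8cd98f00b204e9800998ecf8427e 0 KB""",
    "#10 8202": """
        4.tmp 6d2c12085f0018daeb9c1a53e53fd4d1 56 KB
        8202u392325.log d41d8cd98f00b204e9800998ecf8427e 0 KB""",
    "#13 Surtr": """
        Exit.log 7fc56270e7a70fa81a5935b72eacbe29 1 KB
        B.tmp 32f3ea95f8b39b1003ed138864205860 36 KB""",
    "#14 8202": """
        3.tmp 6d2c12085f0018daeb9c1a53e53fd4d1 56 KB""",
    "#15 Surtr": """
        4.tmp 32f3ea95f8b39b1003ed138864205860 36 KB
        DW20.dll 1325ec00149cd2dd9a2982769f1fa12a 39 KB""",
    "#16 Surtr": """
        Exit.log 7fc56270e7a70fa81a5935b72eacbe29 1 KB
        4.tmp 4b319c6a7e6f30d16d8ca74bf6d4b495 40 KB
        DW20.dll 8e187ae152c48099f715af442339c340 43 KB""",
}

ROW_RE = re.compile(r"^(\S+)\s+([0-9a-fA-F]{32})\s+([\d,]+)\s*KB$")

# Hashes of contents too trivial to pivot on, computed rather than hard-coded so
# the table cannot drift from the truth: the Exit.log hash that recurs through the
# Surtr entries is simply MD5("A"), and the 0 KB files hash as MD5("").
TRIVIAL_CONTENT = {
    hashlib.md5(b"").hexdigest(): "empty file",
    hashlib.md5(b"A").hexdigest(): "one byte, 'A'",
}


def parse_rows(text):
    """(name, md5 lower-cased, size in KB) for every row that carries a hash."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append((m.group(1), m.group(2).lower(), int(m.group(3).replace(",", ""))))
    return rows


def hash_index(entries):
    """md5 -> sorted (entry, filename) pairs, across every entry."""
    index = defaultdict(set)
    for entry, text in entries.items():
        for name, md5, _ in parse_rows(text):
            index[md5].add((entry, name))
    return {h: sorted(hits) for h, hits in index.items()}


def shared_hashes(entries):
    """Hashes seen in more than one entry, trivial contents excluded: the real pivots."""
    return {
        h: hits
        for h, hits in hash_index(entries).items()
        if h not in TRIVIAL_CONTENT and len({entry for entry, _ in hits}) > 1
    }


def trivial_files(entries):
    """Listed files whose hash is that of empty or one-byte content (markers, not payloads)."""
    return {
        h: (TRIVIAL_CONTENT[h], hits)
        for h, hits in hash_index(entries).items()
        if h in TRIVIAL_CONTENT
    }
```

The same index works on any of the tables above once the rows are pasted in; the point of computing the trivial hashes in code is that a marker file such as Exit.log still identifies the family's behaviour on disk, but its hash is worthless as a detection and should never be shipped as an IOC.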





        To be continued...
