
contagio
malware dump...

by Mila, published: Tue 12 May 2015 06:30:00 AM CEST.

An Overview of Exploit Packs (Update 25) May 2015
12 May 2015, 6:30 am

Update May 12, 2015

Added CVE-2015-0359 and updates for CVE-2015-0336

Reference table: Exploit References 2014-2015

Update March 20, 2015

Added CVE-2015-0336

------------------------
Update February 19, 2015

Added Hanjuan Exploit Kit and CVE-2015-3013 for Angler

Update January 24, 2015
http://www.kahusecurity.com

Added CVE-2015-3010, CVE-2015-3011 for Angler and a few reference articles.
If you notice any errors, or some CVEs that need to be removed (were retired by the pack authors), please let me know. Thank you very much!

Update December 12, 2014

Update Jan 8, 2014

This is version 20 of the exploit pack table - see the added exploit packs and vulnerabilities listed below.

Exploit Pack Table Update 20 - view or download from Google Apps

I want to give special thanks to Kafeine, L0NGC47, Fibon and Curt Shaffer for their help and the updates they made. Note the new Yara rules sheet/tab with Yara rules for exploit kits.
I also want to thank Kahu Security, Kafeine, Malforsec and all security companies listed in References for their research.

If you wish to be a contributor (be able to update/change the exploits or add Yara rules), please contact me :)
If you have additions or corrections, please email, leave post comments, or tweet (@snowfl0w). Thank you!

The Wild Wild West image was created by Kahu Security - it shows current and retired (retiring) kits.

List of changed kits (extracted from the table; the column alignment was lost, so the CVEs are listed row by row in the order they appeared)

Kits: Gong Da / GonDad, Redkit 2.2, x2o (Redkit Light), Fiesta (=Neosploit), Cool, Styxy DotkaChef
CVE-2011-3544, CVE-2013-2551, CVE-2013-2465, CVE-2010-0188, CVE-2010-0188, CVE-2012-5692
CVE-2012-0507, CVE-2013-2471, CVE-2013-0074/3896, CVE-2011-3402, CVE-2013-1493
CVE-2012-1723, CVE-2013-1493, CVE-2013-0431
CVE-2013-0431
CVE-2013-2423
CVE-2012-1889, CVE-2013-2460, CVE-2013-0634, CVE-2013-1493
CVE-2012-4681, CVE-2013-2551, CVE-2013-2423
CVE-2012-5076
CVE-2013-0422
CVE-2013-0634
CVE-2013-2465

Kits: Angler, FlashPack = SafePack, White Lotus, Magnitude (Popads), Nuclear 3.x, Sweet Orange
CVE-2013-0074/3896, CVE-2013-0074/3896, CVE-2011-3544, CVE-2011-3402, CVE-2010-0188, CVE-2013-2423
CVE-2013-0634, CVE-2013-2551, CVE-2013-2465, CVE-2012-0507, CVE-2012-1723, CVE-2013-2471
CVE-2013-2551, CVE-2013-2551, CVE-2013-0634, CVE-2013-0422, CVE-2013-2551
CVE-2013-5329, CVE-2013-2460, CVE-2013-2423
CVE-2013-2471 ??, CVE-2013-2471, CVE-2013-2460
CVE-2013-2551, CVE-2013-2551

Kits: CK, HiMan, Neutrino, Blackhole (last), Grandsoft, Private EK
CVE-2011-3544, CVE-2010-0188, CVE-2013-0431, CVE-2013-0422, CVE-2010-0188, CVE-2006-0003
CVE-2012-1889, CVE-2011-3544, CVE-2013-2460, CVE-2013-2460, CVE-2011-3544, CVE-2010-0188
CVE-2012-4681, CVE-2013-0634, CVE-2013-2463*, CVE-2013-2471, CVE-2013-0422, CVE-2011-3544
CVE-2012-4792*, CVE-2013-2465, CVE-2013-2465*, CVE-2013-2423, CVE-2013-1347
CVE-2013-0422, CVE-2013-2551, CVE-2013-2551, CVE-2013-2463, CVE-2013-1493
CVE-2013-0634, CVE-2013-2423
CVE-2013-3897, CVE-2013-2460
Notes in this block: "and + all or some exploits from the previous version"; "* switch 2463* <> 2465*"; "possibly + exploits"; "* removed from the previous version"

Kits: Sakura 1.x, LightsOut, Glazunov, Rawin, Flimkit, Cool EK (Kore-sh), Kore (formerly Sibhost)
CVE-2013-2471, CVE-2012-1723, CVE-2013-2463, CVE-2012-0507, CVE-2012-1723, CVE-2013-2460, CVE-2013-2423
CVE-2013-2460, CVE-2013-1347, CVE-2013-2471, CVE-2013-1493, CVE-2013-2423, CVE-2013-2463, CVE-2013-2460
CVE-2013-1690, CVE-2013-2423, CVE-2013-2471, CVE-2013-2463
CVE-2013-2465, CVE-2013-2471
Note in this block: "and + all or some exploits from the previous version"

Kits: Styx 4.0, Cool, Topic EK, Nice EK
CVE-2010-0188, CVE-2012-0755, CVE-2013-2423, CVE-2012-1723
CVE-2011-3402, CVE-2012-1876
CVE-2012-1723, CVE-2013-0634
CVE-2013-0422, CVE-2013-2465
CVE-2013-1493, CVE-2013-2471
CVE-2013-2423
CVE-2013-2460
CVE-2013-2463
CVE-2013-2472
CVE-2013-2551
Social Eng
Note in this block: "and + all or some exploits from the previous version"

=================================================================

The Exploit Pack Table has been updated and you can view it here.

Exploit Pack Table Update 19.1  - View or Download from Google Apps

If you keep track of exploit packs and can/wish to contribute and be able to make changes, please contact me (see email in my profile).
I want to thank L0NGC47, Fibon, Kafeine, Francois Paget, Eric Romang, and the other researchers who sent information for their help.




Update April 28, 2013 - added CVE-2013-2423 (Released April 17, 2013) to several packs. 
Now the following packs serve the latest Java exploit (update your Java!)

  1. Styx
  2. Sweet Orange
  3. Neutrino
  4. Sakura
  5. Whitehole
  6. Cool
  7. Safe Pack
  8. Crime Boss
  9. CritX



Other changes
Updated:
  1. Whitehole
  2. Redkit
  3. Nuclear
  4. Sakura
  5. Cool Pack
  6. Blackhole
  7. Gong Da
Added:
  1. KaiXin
  2. Sibhost
  3. Popads 
  4. Alpha Pack
  5. Safe Pack
  6. Serenity
  7. SPL Pack

There are 5 tabs at the bottom of the sheet
  1. 2011-2013
  2. References
  3. 2011 and older
  4. List of exploit kits
  5. V. 16 with older credits



March 2013
The Exploit Pack Table, which has just been updated, has migrated to Google Apps - the link is below. The new format will allow easier viewing and access for those who volunteered their time to keep it up to date.

In particular, I want to thank
L0NGC47, Fibon, and Kafeine  for their help.

There are 5 tabs at the bottom of the sheet
  1. 2011-2013
  2. References
  3. 2011 and older
  4. List of exploit kits
  5. V. 16 with older credits
The updates include
  1. Neutrino  - new
  2. Cool Pack - update
  3. Sweet Orange - update
  4. SofosFO aka Stamp EK - new
  5. Styx 2.0 - new
  6. Impact - new
  7. CritXPack - new
  8. Gong Da  - update
  9. Redkit - update
  10. Whitehole - new
  11. Red Dot  - new





The long overdue Exploit pack table Update 17 is finally here. It got a colorful facelift and has newer packs (Dec. 2011-today) on a separate sheet for easier reading.
Updates / new entries for the following 13 packs have been added (see exploit listing below)


  1. Redkit 
  2. Neo Sploit
  3. Cool Pack
  4. Black hole 2.0
  5. Black hole 1.2.5
  6. Private no name
  7. Nuclear 2.2 (Update to 2.0 - actual v. # is unknown)
  8. Nuclear 2.1  (Update to 2.0 - actual v. # is unknown)
  9. CrimeBoss
  10. Grandsoft
  11. Sweet Orange 1.1 (Update to 1.0 - actual v. # is unknown)
  12. Sweet Orange 1.0
  13. Phoenix  3.1.15
  14. NucSoft
  15. Sakura 1.1 (Update to 1.0  actual v. # is unknown)
  16. AssocAID (unconfirmed)  






Exploit lists for the added/updated packs


AssocAID (unconfirmed)
09-'12
CVE-2011-3106
CVE-2012-1876
CVE-2012-1880
CVE-2012-3683
Unknown CVE
5


Redkit
08-'12
CVE-2010-0188
CVE-2012-0507
CVE-2012-4681
3

Neo Sploit
09-'12
CVE-2012-1723
CVE-2012-4681
2?

Cool
08-'12
CVE-2006-0003
CVE-2010-0188
CVE-2011-3402
CVE-2012-0507
CVE-2012-1723
CVE-2012-4681
5

Black hole 2.0
09-'12
CVE-2006-0003
CVE-2010-0188
CVE-2012-0507
CVE-2012-1723
CVE-2012-4681
CVE-2012-4969 promised
5

Black hole 1.2.5
08-'12
CVE-2006-0003
CVE-2007-5659 /2008-0655
CVE-2008-2992
CVE-2009-0927
CVE-2010-0188
CVE-2010-1885
CVE-2011-0559
CVE-2011-2110
CVE-2012-1723
CVE-2012-1889
CVE-2012-4681
11

Private no name
09-'12
CVE-2010-0188
CVE-2012-1723
CVE-2012-4681
3

Nuclear 2.2 (Update to 2.0 - actual v. # is unknown)
03-'12
CVE-2010-0188
CVE-2011-3544
CVE-2012-1723
CVE-2012-4681
4

Nuclear 2.1 (Update to 2.0 - actual v. # is unknown)
03-'12
CVE-2010-0188
CVE-2011-3544
CVE-2012-1723
3

CrimeBoss
09-'12
Java Signed Applet
CVE-2011-3544
CVE-2012-4681
3

Grandsoft
09-'12
CVE-2010-0188
CVE-2011-3544
2?

Sweet Orange 1.1
09-'12
CVE-2006-0003
CVE-2010-0188
CVE-2011-3544
CVE-2012-4681
4?

Sweet Orange 1.0
05-'12
CVE-2006-0003
CVE-2010-0188
CVE-2011-3544
3?

Phoenix 3.1.15
05-'12
CVE-2010-0842
CVE-2010-0248
CVE-2011-2110
CVE-2011-2140
CVE-2011-2371
CVE-2011-3544
CVE-2011-3659
Firefox social
CVE-2012-0500
CVE-2012-0507
CVE-2012-0779
11

NucSoft
2012
CVE-2010-0188
CVE-2012-0507
2

Sakura 1.1
08-'12
CVE-2006-0003
CVE-2010-0806
CVE-2010-0842
CVE-2011-3544
CVE-2012-4681
5


Version 16. April 2, 2012

Thanks to Kahu Security for the Wild Wild West graphic

The full table in xls format - Version 16 can be downloaded from here.

ADDITIONS AND CHANGES:

1. Blackhole Exploit Kit 1.2.3
Added:
  1. CVE-2011-0559 - Flash memory corruption via F-Secure
  2. CVE-2012-0507 - Java Atomic via Krebs on Security
  3. CVE-2011-3544 - Java Rhino via Krebs on Security
2. Eleonore Exploit Kit 1.8.91 and above - via Kahu Security
Added:
  1. CVE-2012-0507 - Java Atomic - after 1.8.91 was released
  2. CVE-2011-3544 - Java Rhino
  3. CVE-2011-3521 - Java Upd.27; see Timo Hirvonen, Contagio, Kahu Security and Michael 'mihi' Schierl
  4. CVE-2011-2462 - Adobe PDF U3D
Also includes:
"Flash pack" (presumably the same as before)
"Quicktime" - CVE-2010-1818 ?
3. Incognito Exploit Pack v.2 and above
There are rumors that Incognito development stopped after v.2 in 2011 and it is a different pack now. If you know, please send links or files.

Added after v.2 was released:
  1. CVE-2012-0507 - Java Atomic
See the v.2 analysis via StopMalvertizing

4. Phoenix Exploit Kit v3.1 - via Malware Don't Need Coffee
Added:
  1. CVE-2012-0507 - Java Atomic
  2. CVE-2011-3544 - Java Rhino + Java TC (in one file)

5. Nuclear Pack v.2 - via TrustWave Spiderlabs
  1. CVE-2011-3544 Oracle Java Rhino
  2. CVE-2010-0840 JRE Trusted Method Chaining
  3. CVE-2010-0188 Acrobat Reader - LibTIFF
  4. CVE-2006-0003 MDAC
6. Sakura Exploit Pack > v.1 via DaMaGeLaB
  1. CVE-2011-3544 - Java Rhino (it was in Exploit Pack table v15; listing it to show all packs with this exploit)

7. Chinese Zhi Zhu Pack via Kahu Security and Francois Paget (McAfee)
  1. CVE-2012-0003 - WMP MIDI
  2. CVE-2011-1255 - IE Time Element Memory Corruption
  3. CVE-2011-2140 - Flash 10.3.183.x
  4. CVE-2011-2110 - Flash 10.3.181.x
  5. CVE-2010-0806 - IEPeers

8. Gong Da Pack via Kahu Security
  1. CVE-2011-2140 - Flash 10.3.183.x
  2. CVE-2012-0003 - WMP MIDI
  3. CVE-2011-3544 - Java Rhino


  1. CVE-2010-0886 - Java SMB
  2. CVE-2010-0840 - JRE Trusted Method Chaining
  3. CVE-2008-2463 - Snapshot
  4. CVE-2010-0806 - IEPeers
  5. CVE-2007-5659/2008-0655 - Collab.collectEmailInfo
  6. CVE-2008-2992 - util.printf
  7. CVE-2009-0927 - getIco
  8. CVE-2009-4324 - newPlayer



Version 15. January 28, 2012

Additions - with many thanks to Kahu Security

 Hierarchy Exploit Pack
=================
CVE-2006-0003
CVE-2009-0927
CVE-2010-0094
CVE-2010-0188
CVE-2010-0806
CVE-2010-0840
CVE-2010-1297
CVE-2010-1885
CVE-2011-0611
JavaSignedApplet


Siberia Private
==========
CVE-2005-0055
CVE-2006-0003
CVE-2007-5659
CVE-2008-2463
CVE-2008-2992
CVE-2009-0075
CVE-2009-0927
CVE-2009-3867
CVE-2009-4324
CVE-2010-0806


Techno XPack
===========
CVE-2008-2992
CVE-2010-0188
CVE-2010-0842
CVE-2010-1297
CVE-2010-2884
CVE-2010-3552
CVE-2010-3654
JavaSignedApplet


"Yang Pack"
=========
CVE-2010-0806
CVE-2011-2110
CVE-2011-2140
CVE-2011-354




Version 14. January 19, 2012

Version 14 Exploit Pack table additions:

Credits for the excellent Wild Wild West (October 2011 edition) go to kahusecurity.com

With many thanks to XyliBox (Xylitol - Steven), Malware Intelligence blog, and xakepy.cc for the information:

  1. Blackhole 1.2.1 (Java Rhino added, weaker Java exploits removed)
  2. Blackhole 1.2.1 (Java Skyline added)
  3. Sakura Exploit Pack 1.0 (new kid on the block, private pack)
  4. Phoenix 2.8 mini (condensed version of 2.7)
  5. Fragus Black (weak Spanish twist on the original, black colored admin panel, a few old exploits added)
If you find any errors or CVE information for packs not featured, please send it to my email (in my profile above, thank you very much).

The full table in xls format - Version 14 can be downloaded from here.

The exploit pack table in XLSX format
The exploit pack table in csv format

P.S. There are always corrections and additions thanks to your feedback after the document release, so come back in a day or two to check in case v.15 is out.



Version 13. Aug 20, 2011


Kahusecurity issued an updated version of their Wild Wild West graphic that will help you learn Who is Who in the world of exploit packs. You can view the full version of their post in the link above.

Version 13 exploit pack table additions:
  1. Bleeding Life 3.0
  2. Merry Christmas Pack (many thanks to kahusecurity.com)
  3. Best Pack (many thanks to kahusecurity.com)
  4. Sava Pack (many thanks to kahusecurity.com)
  5. LinuQ 
  6. Eleonore 1.6.5
  7. Zero Pack
  8. Salo Pack (incomplete but it is also old)



List of packs in the table in alphabetical order
  1. Best Pack
  2. Blackhole Exploit 1.0
  3. Blackhole Exploit 1.1
  4. Bleeding Life 2.0
  5. Bleeding Life 3.0
  6. Bomba
  7. CRIMEPACK 2.2.1
  8. CRIMEPACK 2.2.8
  9. CRIMEPACK 3.0
  10. CRIMEPACK 3.1.3
  11. Dloader
  12. El Fiesta
  13. Eleonore 1.3.2
  14. Eleonore 1.4.1
  15. Eleonore 1.4.4 Moded
  16. Eleonore 1.6.3a
  17. Eleonore 1.6.4
  18. Eleonore 1.6.5
  19. Fragus 1
  20. Icepack
  21. Impassioned Framework 1.0
  22. Incognito
  23. iPack
  24. JustExploit
  25. Katrin
  26. Merry Christmas Pack
  27. Liberty 1.0.7
  28. Liberty 2.1.0*
  29. LinuQ pack
  30. Lupit
  31. Mpack
  32. Mushroom/unknown
  33. Open Source Exploit (Metapack)
  34. Papka
  35. Phoenix  2.0 
  36. Phoenix 2.1
  37. Phoenix 2.2
  38. Phoenix 2.3
  39. Phoenix 2.4
  40. Phoenix 2.5
  41. Phoenix 2.7
  42. Robopak
  43. Salo pack
  44. Sava Pack
  45. SEO Sploit pack
  46. Siberia
  47. T-Iframer
  48. Unique Pack Sploit 2.1
  49. Webattack
  50. Yes Exploit 3.0RC
  51. Zero Pack
  52. Zombie Infection kit
  53. Zopack


----------------------------------------------
Bleeding Life 3.0
New version ad is here

Merry Christmas Pack
read analysis at kahusecurity.com

Best Pack
read analysis at kahusecurity.com

Sava Pack
read analysis at kahusecurity.com

Eleonore 1.6.5
[+] CVE-2011-0611
[+] CVE-2011-0559
[+] CVE-2010-4452
[-] CVE-2010-0886

Salo Pack
Old (2009), added just for the collection

Zero Pack
62 exploits from various packs (mostly Open Source pack)

LinuQ pack
Designed to compromise Linux servers using vulnerable phpMyAdmin. Comes with a DDoS bot, but any kind of code can be loaded for Linux botnet creation.
LinuQ pack is a phpMyAdmin exploit pack with 4 PMA exploits based on a previous Russian version of the Romanian PMA scanner ZmEu. It is not considered to be original, unique, new, or anything special. All exploits are public and well known.

It is designed to be installed on an IRC server (like UnrealIRCd). IP ranges already listed in bios.txt can be scanned, vulnerable IPs and specific PMA vulnerabilities will be listed in vuln.txt, and then the corresponding exploits can be launched against the vulnerable server. It is more like a bot using PMA vulnerabilities than an exploit pack.
It uses:
CVE-2009-1148 (unconfirmed)
CVE-2009-1149 (unconfirmed)
CVE-2009-1150 (unconfirmed)
CVE-2009-1151 (confirmed)




====================================================================
Version 12. May 26, 2011
Additional changes (many thanks to kahusecurity.com):
Bomba
Papka

See the list of packs covered in the list below.

The full table in xls format - Version 12 can be downloaded from here.
I want to thank everyone who sent packs and information :)

Version 11. May 26, 2011. Changes:
    1. Phoenix 2.7
    2. "Dloader" (well, dloader is a loader, but the pack is some unnamed pack: http://damagelab.org/lofiversion/index.php?t=20852)
    3. Nuclear pack
    4. Katrin
    5. Robopak
    6. Blackhole exploit kit 1.1.0
    7. Mushroom/unknown
    8. Open Source Exploit kit

    ====================================================================

    10. May 8, 2011 - Version 10 - Exploit Pack Table_V10May11
    First, I want to thank everyone who sent and posted comments for updates and corrections.

    *** The Wild Wild West picture is from a great post about the evolution of exploit packs by Kahu Security: Wild Wild West Update

    As usual, send your corrections and update lists.

    Changes:
    • Eleonore 1.6.4
    • Eleonore 1.6.3a
    • Incognito
    • Blackhole
    Go1Pack (not included) was reported as being a fake pack; here is a GUI. Here is a Threatpost article referencing it as it was used for an attack.
    Also, here is another article claiming it is not a fake: http://community.websense.com/blogs/securitylabs/archive/2011/04/19/Mass-Injections-Leading-to-g01pack-Exploit-Kit.aspx
    Go1Pack CVEs are reportedly:
    CVE-2006-0003
    CVE-2009-0927
    CVE-2010-1423
    CVE-2010-1885

    Does anyone have this pack or see it offered for sale?

    Exploit kits I am planning to analyze and add (and/or find CVE listings for) are:

    • Open Source Exploit Kit
    • SALO
    • K0de

    Legend:
    Black color entries by Francois Paget
    Red color entries by Gunther
    Blue color entries by Mila

    Also, here is a great presentation by Ratsoul (Donato Ferrante) about Java exploits (http://www.inreverse.net/?p=1687)

    --------------------------------------------------------
    9. April 5, 2011 - Version 9 - ExploitPackTable_V9Apr11

    It actually needs another update, but I am posting it now and will issue version 10 as soon as I can.

    Changes:
    Phoenix 2.5
    IFramer
    Tornado
    Bleeding life

    Many thanks to Gunther for his contributions.
    If you wish to add some, please send your info together with the reference links. Also please feel free to send corrections if you notice any mistakes.






    8. Update 8 - Oct 22, 2010 - Version 8 - ExploitPackTable_V8Oct22-10

    Changes:
    1. Eleonore 1.4.4 Moded added (thanks to malwareint.blogspot.com)
    2. Correction on CVE-2010-0746 in Phoenix 2.2 and 2.3. It is a mistake and the correct CVE is CVE-2010-0886 (thanks to etonshell for noticing)
    3. SEO Sploit pack added (thanks to whsbehind.blogspot.com, evilcodecave.blogspot.com and blog.ahnlab.com)

    7. Update 7 - Oct 18, 2010 - Version 7 - ExploitPackTable_V7Oct18-10 released
    Thanks to SecNiche we have updates for Phoenix 2.4 :)

    We also added shorthand/slang/abbreviated names for exploits for easy matching of exploits to CVEs in the future. Please send us more information re packs and exploit names that can be added to the list. Thank you!

    6. Update 6 - Sept 27, 2010 - Version 6 - ExploitPackTable_V6Sept26-10 released
    Thanks to Francois Paget (McAfee) we have updates for Phoenix 2.2 and Phoenix 2.3

    5. Update 5 - Sept 27, 2010 - Version 5 - ExploitPackTable_V5Sept26-10 released
    Added updates for Phoenix 2.1 and Crimepack 3.1.3

    4. Update 4 - July 23, 2010 - Version 4 - ExploitPackTable_V4Ju23-10 released. Added a new Russian exploit kit called Zombie Infection Kit to the table. Read more at malwareview.com
    Update 3 - July 7, 2010. Please read more about this on Brian Krebs' blog: Pirate Bay Hack Exposes User Booty
    Update 2 - June 27, 2010. Sorry, but Impassioned Framework is back where it belongs - blue
    Update 1 - June 24, 2010. The Eleonore 1.4.1 column was updated to include the correct list of the current exploits.

    Francois Paget (www.avertlabs.com) kindly agreed to allow us to make additions to his Overview of Exploit Packs table published on Avertlabs (McAfee Blog)

    Many thanks to Gunther from ARTeam for his help with the update. There are a few blanks and question marks; please do not hesitate to email me if you know the answer or if you see any errors.

    Impassioned Framework is tentatively marked a different color because the author claims it is a security audit tool, not an exploit pack. However, no sufficient information has been provided yet to validate such claims, so the pack is temporarily/tentatively marked a different color. We'll keep you posted.




    Ask and you shall receive
    9 Mar 2015, 2:08 am


    I get emails from readers asking for specific malware samples and thought I would make a mini post about it.

    Yes, I often obtain samples from various sources for my own research.

    I am sometimes too lazy/busy to post them but don't mind sharing.
    If you are looking for a particular sample, feel free to ask. I might have it.

    Send MD5s (several or a few samples). I cannot provide hundreds/thousands of samples or any kind of feeds. If you ask for a particular family, I might be able to help if I already have it.

    Unfortunately, I do not have time to do homework for students and provide very specific sets of malware with specific features, or to guarantee the C2s are still active. Send your MD5(s) or at least the malware family and I will check if I have it :) If I have it, I will either send it to you or post it on the blog where you can download it.

    If you emailed me in the past and never got an answer, please remind me. Sometimes emails are long with many questions and I flag them to reply to later, when I have time, and they get buried or I forget. It does not happen very often, but accept my apologies if it happened to you.

    Before you ask, check if it is already available via Contagio or Contagio Mobile.
    1. Search the blog using the search box on the right side
    2. Search here https://www.mediafire.com/folder/b8xxm22zrrqm4/BADINFECT
    3. Search here https://www.mediafire.com/folder/c2az029ch6cke/TRAFFIC_PATTERNS_COLLECTION
    4. Search here https://www.mediafire.com/folder/78npy8h7h0g9y/MOBILEMALWARE

    Cheers, Mila



    Collection of Pcap files from malware analysis
    20 Feb 2015, 5:39 am

    Update: Feb 19, 2015

    We have been adding pcaps to the collection so remember to check out the folder ( Pcap collection) for the recent pcaps.

    I had a project to test some malicious and exploit pcaps and collected a lot of them (almost 1000) from various public sources. You can see them in the PUBLIC folder. The credits go to the authors of the pcaps listed in the name of each file. Please visit their blogs and sites to see more information about the pcaps, see their recent posts, and send them thanks. The public pcaps have no passwords on them.





    Update: Dec 13, 2014

    Despite rare updates of this post, we have been adding pcaps to the collection, so remember to check out the folder (Pcap collection) for the recent pcaps!



    Update: Dec 31, 2013 - added new pcaps

    I did some spring cleaning yesterday and came up with these malware and exploit pcaps. Such pcaps are very useful for IDS and signature testing and development, general education, and malware identification. There are some online public sandboxes offering pcaps for download, like Cuckoo or Anubis, but looking for them is a tedious task and you cannot be totally sure the pcap is for the malware family supposedly analysed - in other words, if the sandbox says it is Zeus, that does not necessarily mean that it is.

    I found some good pcap repositories here (http://www.netresec.com/?page=PcapFiles) but there are very few pcaps from malware.

    These are from identified and verified (to the best of my knowledge and belief - email me if you find errors) malware samples.

    All of them show the first stage with the initial callback and most have the DNS requests as well. A few pcaps show extended malware runs (e.g. purplehaze pcap is over 500mb).
    Most pcaps are mine, a few are from online sandboxes, and one is borrowed from malware.dontneedcoffee.com. That said, I can probably find the corresponding samples for all that have MD5 listed if you really need them. Search contagio, some are posted with the samples.

    Each file has the following naming convention:
    BIN [RTF, PDF] - the filetype of the dropper used, malware family name, MD5, and year+month of the malware analysis.

    I will be adding more pcaps in the future. Please donate your pcaps from identified samples, I am sure many of you have.

    Thank you




    Download


    Download all together or separately.

    All pcap archives have the same password (same scheme); email me if you need it. I tried posting them without any password and with the password 'infected', but they get flagged as malware. Modern AV rips through zips and zips with the password 'infected' with ease.



    APT PCAPS

    See Library of Malware Traffic Patterns for the corresponding sample downloads and other details

    Download all together or separately.
    1. 2012-12-31 BIN_Xinmic_8761F29AF1AE2D6FACD0AE5F487484A5-pcap
    2. 2013-09-08 BIN_TrojanPage_86893886C7CBC7310F7675F4EFDE0A29-pcap
    3. 2013-09-08 BIN_Darkcomet_DC98ABBA995771480AECF4769A88756E-pcap
    4. 2013-09-02 8202_tbd_ 6D2C12085F0018DAEB9C1A53E53FD4D1-pcap
    5. 2013-09-02 BIN_8202_6d2c12085f0018daeb9c1a53e53fd4d1-pcap
    6. 2013-09-02 BIN_Vidgrab_6fd868e68037040c94215566852230ab-pcap
    7. 2013-09-02 BIN_PlugX_2ff2d518313475a612f095dd863c8aea-pcap
    8. 2013-09-02 BIN_Taidoor_46ef9b0f1419e26f2f37d9d3495c499f-pcap
    9. 2013-09-02 BIN_Vidgrab_660709324acb88ef11f71782af28a1f0-pcap
    10. 2013-09-02 BIN_Gh0st-gif_f4d4076dff760eb92e4ae559c2dc4525-pcap.zip
    11. 2013-07-15 BIN_Taleret.E_5328cfcb46ef18ecf7ba0d21a7adc02c.pcap
    12. 2013-05-14 BIN_Mediana_0AE47E3261EA0A2DBCE471B28DFFE007_2012-10.pcap
    13. 2013-05-14 BIN_Hupigon_8F90057AB244BD8B612CD09F566EAC0C
    14. 2013-05-14 BIN_LetsGo_yahoosb_b21ba443726385c11802a8ad731771c0_2011-07-19
    15. 2013-05-13 BIN_IXESHE_0F88D9B0D237B5FCDC0F985A548254F2-2013-05-pcap
    16. 2013-05-06 BIN_DNSWatch_protux_4F8A44EF66384CCFAB737C8D7ADB4BB8_2012-11-pcap
    17. 2013-05-06 BIN_9002_D4ED654BCDA42576FDDFE03361608CAA_2013-01-30-pcap
    18. 2013-05-06 BIN_BIN_RssFeeder_68EE5FDA371E4AC48DAD7FCB2C94BAC7-2012-06-pcap (not a common name, see the traffic ssheet http://bit.ly/maltraffic )
    19. 2013-04-30 BIN_MSWab_Yayih_FD1BE09E499E8E380424B3835FC973A8_us-pcap
    20. 2013-04-29 BIN_LURK_AF4E8D4BE4481D0420CCF1C00792F484_20120-10-pcap
    21. 2013-04-29 BIN_XTremeRAT_DAEBFDED736903D234214ED4821EAF99_2013-04-13-pcap
    22. BIN_Enfal_Lurid_0fb1b0833f723682346041d72ed112f9_2013-01.pcap
    23. BIN_Gh0st_variant-v2010_B1D09374006E20FA795B2E70BF566C6D_2012-08.pcap
    24. BIN_Likseput_E019E37F19040059AB5662563F06B609_2012-10.pcap
    25. BIN_Nettravler_1f26e5f9b44c28b37b6cd13283838366.pcap
    26. BIN_Nettravler_DA5832657877514306EDD211DEF61AFE_2012-10.pcap
    27. BIN_Sanny-Daws_338D0B855421867732E05399A2D56670_2012-10.pcap
    28. BIN_Sofacy_a2a188cbf74c1be52681f998f8e9b6b5_2012-10.pcap
    29. BIN_Taidoor_40D79D1120638688AC7D9497CC819462_2012-10.pcap
    30. BIN_TrojanCookies_840BD11343D140916F45223BA05ABACB_2012_01.pcap
    31. PDF_CVE-2011-2462_Pdf_2011-12.pcap
    32. RTF_Mongall_Dropper_Cve-2012-0158_C6F01A6AD70DA7A554D48BDBF7C7E065_2013-01.pcap
    33. OSX_DocksterTrojan.pcap

    CRIMEWARE PCAPS

    See Library of Malware Traffic Patterns for the corresponding sample downloads and other details

    Download all together or separately.
    1. 2013-11-12_BIN_ChePro_2A5E5D3C536DA346849750A4B8C8613A-1.pcap
    2. 2013-10-15_BIN_cryptolocker_9CBB128E8211A7CD00729C159815CB1C.pcap
    3. 2013-09-20_BIN_Lader-dlGameoverZeus_12cfe1caa12991102d79a366d3aa79e9.pcap
    4. 2013-09-08 BIN_Tijcont_845B0945D5FE0E0AAA16234DC21484E0-pcap
    5. 2013-09-08 BIN_Kelihos_C94DC5C9BB7B99658C275B7337C64B33-pcap.zip
    6. 2013-08-19 BIN_Nitedrem_508af8c499102ad2ebc1a83fdbcefecb-pcap
    7. 2013-08-17 BIN_sality_CEAF4D9E1F408299144E75D7F29C1810-pcap
    8. 2013-08-15 BIN_torpigminiloader-pcap.zip
    9. 2013-13-08 EK_popads_109.236.80.170_2013-08-13.pcap
    10. 2013-11-08 BIN_Alinav5.3_4C754150639AA3A86CA4D6B6342820BE.pcap
    11. 2013-08-08 BIN_BitcoinMiner_F865C199024105A2FFDF5FA98F391D74-pcap
    12. 2013-08-07 BIN_ZeroAccess_Sirefef_C2A9CCC8C6A6DF1CA1725F955F991940_2013-08-pcap
    13. 2013-07-05 BIN_Kuluoz-Asprox_9F842AD20C50AD1AAB41F20B321BF84B
    14. 2013-05-31 Wordpress-Mutopy_Symmi_20A6EBF61243B760DD65F897236B6AD3-2pcap.pcap
    15. 2013-05-15 BIN_Zeus_b1551c676a54e9127cd0e7ea283b92cc-2012-04.pcap
    16. 2013-05-15 BIN_Gypthoy_3EE49121300384FF3C82EB9A1F06F288-2013-05.pcap
    17. 2013-05-12 BIN_PassAlert_B4A1368515C6C39ACEF63A4BC368EDB2-2013-05-13
    18. 2013-05-12 BIN_HorstProxy_EFE5529D697174914938F4ABF115F762-2013-05-13-pcap
    19. 2013-05-12 BIN_Bitcoinminer_12E717293715939C5196E604591A97DF-2013-05-12-pcap
    20. 2013-05-07 BIN_ZeroAccess_Sirefef_29A35124ABEAD63CD8DB2BBB469CBC7A_2013-05-pcapc
    21. 2013-05-05 BIN_PowerLoader_4497A231DA9BD0EEA327DDEC4B31DA12_2013-05-pcap
    22. 2013-05-05 BIN_GameThief_ECBA0FEB36F9EF975EE96D1694C8164C_2013-03-pcap
    23. 2013-05-05 BIN_PowerLoader_4497A231DA9BD0EEA327DDEC4B31DA12_2013-05-pcap
    24. 2013-04-27 EK_BIN_Blackhole_leadingto_Medfos_0512E73000BCCCE5AFD2E9329972208A_2013-04-pcap
    25. 2013-04-26 -- BIN_Citadel_3D6046E1218FB525805E5D8FDC605361-2013-04-samp 
    26. BIN_CitadelPacked_2012-05.pcap
    27. BIN_CitadelUnpacked_2012-05.pcap
    28. BIN_Cutwail_284Fb18Fab33C93Bc69Ce392D08Fd250_2012-10.pcap
    29. BIN_Darkmegi_2012-04.pcap
    30. BIN_DarknessDDoS_v8g_F03Bc8Dcc090607F38Ffb3A36Ccacf48_2011-01.pcap-
    31. BIN_dirtjumper_2011-10.pcap
    32. BIN_DNSChanger_2011-12.pcap
    33. BIN_Drowor_worm_0f015bb8e2f93fd7076f8d178df2450d_2013-04.pcap
    34. BIN_Googledocs_macadocs_2012-12.pcap
    35. BIN_Imaut_823e9bab188ad8cb30c14adc7e67066d.pcap
    36. BIN_IRCbot_c6716a417f82ccedf0f860b735ac0187_2013-04.pcap
    37. BIN_Kelihos_aka_Nap_0feaaa4adc31728e54b006ab9a7e6afa.pcap
    38. BIN_LoadMoney_MailRu_dl_4e801b46068b31b82dac65885a58ed9e_2013-04 .pcap
    39. BIN_purplehaze-2012-01.pcap
    40. BIN_ponyloader_470a6f47de43eff307a02f53db134289.pcap
    41. BIN_Ramnitpcap_2012-01.pcap
    42. BIN_Reedum_0ca4f93a848cf01348336a8c6ff22daf_2013-03.pcap
    43. BIN_SpyEye_2010-02.pcap
    44. BIN_Stabuniq_F31B797831B36A4877AA0FD173A7A4A2_2012-12.pcap
    45. BIN_Tbot_23AAB9C1C462F3FDFDDD98181E963230_2012-12.pcap
    46. BIN_Tbot_2E1814CCCF0C3BB2CC32E0A0671C0891_2012-12.pcap
    47. BIN_Tbot_5375FB5E867680FFB8E72D29DB9ABBD5_2012-12.pcap
    48. BIN_Tbot_A0552D1BC1A4897141CFA56F75C04857_2012-12.pcap
    49. BIN_Tbot_FC7C3E087789824F34A9309DA2388CE5_2012-12.pcap
    50. BIN_Tinba_2012-06.pcap
    51. BIN_Vobfus_634AA845F5B0B519B6D8A8670B994906_2012-12.pcap
    52. BIN_Xpaj_2012-05.pcap
    53. BIN_ZeroAccess_3169969E91F5FE5446909BBAB6E14D5D_2012-10.pcap
    54. BIN_ZeusGameover_2012-02.pcap
    55. BIN_Zeus_2010-12.pcap
    56. EK_Blackholev1_2012-03.pcap
    57. EK_Blackholev1_2012-08.pcap
    58. EK_Blackholev2_2012-09.pcap
    59. EK_Blackhole_Java_CVE-2012-4681_2012-08.pcap
    60. EK_Phoenix_2012-04.pcap
    61. EK_Smokekt150(Malwaredontneedcoffee)_2012-09.pcap -  credit malware.dontneedcoffee.com




    Equation samples - from the Kaspersky Report and additional
    17 Feb 2015, 7:22 am


    Here are a few samples from the report by Kaspersky Lab "Equation: The Death Star of Malware Galaxy" and additional samples of the same family. The full list is below.

    Download all the samples listed below. Email me if you need the password.

    List of files

    Files from the report:

    Additional Files:

    FannyWorm_FA1A156581F808628696E300C28AB9ABfa1a156581f808628696e300c28ab9ab180 KB
    FannyWorm_FA8C3438E459E7A437F5A2F551BA02CAfa8c3438e459e7a437f5a2f551ba02ca180 KB
    FannyWorm_FB82E3DD585746B14A0489B5F10E22D2fb82e3dd585746b14a0489b5f10e22d2180 KB
    FannyWorm_FCC3BCAD73BA57207CBF5CC00077E5B4fcc3bcad73ba57207cbf5cc00077e5b4180 KB
    FannyWorm_FE53A01127659A1A1E6EB451B55FFCAAfe53a01127659a1a1e6eb451b55ffcaa180 KB
    FannyWorm_FF7DA1D4CB2AA4ACC862033293BE699Cff7da1d4cb2aa4acc862033293be699c180 KB
    FannyWorm_FFAD870F291ACCCBE148673F579689DBffad870f291acccbe148673f579689db180 KB
    EquationLaser_0D1DC631B17DEED6E53D593DCC2E0CA10d1dc631b17deed6e53d593dcc2e0ca1130 KB
    EquationLaser_2FE4D4BC00266089DB7EAC05D1F086202fe4d4bc00266089db7eac05d1f08620130 KB
    EquationLaser_8E2C06B52F530C9F9B5C2C743A5BB28A8e2c06b52f530c9f9b5c2c743a5bb28a130 KB
    EquationLaser_32C53DF631217D0B5F9F46D3A924671532c53df631217d0b5f9f46d3a9246715130 KB
    EquationLaser_45DF8669908A259A22C44278C228972145df8669908a259a22c44278c2289721130 KB
    EquationLaser_6480843080ADD60B825EFE0532DC727B6480843080add60b825efe0532dc727b130 KB
    EquationLaser_C96284363374597A3AC4B07C77E8325Bc96284363374597a3ac4b07c77e8325b130 KB
    EquationLaser_DE356F2A55B25E04742423B5EC56DE93de356f2a55b25e04742423b5ec56de93130 KB



    Video archives of security conferences and workshops
    5 Jan 2015, 5:11 am

    Just some links for your enjoyment

    List of security conferences in 2014

    Video archives:




    AIDE (Appalachian Institute of Digital Evidence)


    Blackhat
    Botconf
    Bsides
    Chaos Communication Congress
    Defcon
    Derbycon
    Digital Bond's S4x14
    Circle City Con
    GrrCON Information Security Summit & Hacker Conference
    Hack in the box HITB
    InfowarCon

    Nullcon
    OWASP
    Ruxcon
    Shmoocon
    ShowMeCon
    SkyDogCon
    TakeDownCon
    Troopers (Heidelberg, Germany)
    Virus Bulletin
    Workshops, How-tos, and Demos

    Special thanks to  Adrian Crenshaw for his collection of videos



    AlienSpy Java RAT samples and traffic information
    17 Nov 2014, 10:16 pm


    AlienSpy, a Java-based cross-platform RAT, is another reincarnation of the ever popular Unrecom/Adwind and Frutas RATs that have been circulating through 2014.

    It appears to be used in the same campaigns as Unrecom/Adwind - see the references. If the C2 responds, the Java RAT downloads jar files containing the Windows Pony/Ponik loader. The RAT is cross-platform and installs and beacons from OSX and Linux as well. However, it did not download any additional malware while running on OSX and Linux.

    The samples, pcaps, and traffic protocol information  are available below.




    File information


    I
    File: DB46ADCFAE462E7C475C171FBE66DF82_paymentadvice.jar
    Size: 131178
    MD5:  DB46ADCFAE462E7C475C171FBE66DF82

    File: 01234.exe (Pony loader dropped by FAB8DE636D6F1EC93EEECAADE8B9BC68 - Transfer.jar)
    Size: 792122
    MD5:  B5E7CD42B45F8670ADAF96BBCA5AE2D0

    II
    File: 79e9dd35aef6558461c4b93cd0c55b76_Purchase Order.jar
    Size: 125985
    MD5:  79E9DD35AEF6558461C4B93CD0C55B76

    III
    File: B2856B11FF23D35DA2C9C906C61781BA_purchaseorder.jar
    Size: 49084
    MD5:  b2856b11ff23d35da2c9c906c61781ba


    Download


    Download. Email me if you need the password
    Original jar attachment files
    B2856B11FF23D35DA2C9C906C61781BA_purchaseorder.jar
    DB46ADCFAE462E7C475C171FBE66DF82_paymentadvice.jar
    79e9dd35aef6558461c4b93cd0c55b76_Purchase Order.jar

    Pcap files download
    AlienSpyRAT_B2856B11FF23D35DA2C9C906C61781BA.pcap
    AlienSpyRAT_79E9DD35AEF6558461C4B93CD0C55B76.pcap
    Pony_B5E7CD42B45F8670ADAF96BBCA5AE2D0.pcap
    AlienspyRAT_DB46ADCFAE462E7C475C171FBE66DF82-OSXLion.pcap
    AlienspyRAT_DB46ADCFAE462E7C475C171FBE66DF82-WinXP.pcap

    All files, including created and downloaded files


    References

    Research:
    Boredliner: Cracking obfuscated java code - Adwind 3 << detailed java analysis
    Fidelis: RAT in a jar: A phishing campaign using Unrecom, May 21, 2014
    Crowdstrike: Adwind RAT rebranding
    Symantec: Adwind RAT
    Symantec: Frutas RAT
    Symantec: Ponik/Pony

    Java Serialization References: 
    https://docs.oracle.com/javase/7/docs/platform/serialization/spec/protocol.html
    http://www.kdgregory.com/index.php?page=java.serialization
    http://staf.cs.ui.ac.id/WebKuliah/java/MasteringJavaBeans/ch11.pdf


    Additional File details


    Alienspy RAT
    The following RAT config strings are extracted from memory dumps. AlienSpy RAT is a reincarnation of Unrecom/Adwind << Frutas RAT and is available from https://alienspy.net/
    As you can see from the config, it is very similar to Unrecom/Adwind.
    File: paymentadvice.jar
    Size: 131178

    MD5:  DB46ADCFAE462E7C475C171FBE66DF82
        ───paymentadvice.jar
            ├───META-INF
            │       MANIFEST.MF  <<MD5:  11691d9f7d585c528ca22f7ba6f4a131 Size: 90
            │
            ├───plugins
            │       Server.class <<MD5:  3d9ffbe03567067ae0d68124b5b7b748 Size: 520 << Strings are here
            │
            └───stub
                    EcryptedWrapper.class <<MD5:  f2701642ac72992c983cb85981a5aeb6 Size: 89870
                    EncryptedLoader.class <<MD5:  3edfd511873b30d1373a4dc54db336ee Size: 223356
                    EncryptedLoaderOld.class << MD5:  b0ef7ff41caf69d9ae076c605653c4c7 Size: 15816
                    stub.dll << MD5:  64fb8dfb8d25a0273081e78e7c40ca5e Size: 43648 << Strings are here


    Alienspy Rat Config strings
    DB46ADCFAE462E7C475C171FBE66DF82
    <!DOCTYPE properties SYSTEM "http://java.sun.com/dtd/properties.dtd">
    <properties>
    <comment>AlienSpy</comment>
    <entry key="vbox">false</entry>
    <entry key="password">a2e74aef2c17329f0e8e8f347c62a6a03d16b944</entry>
    <entry key="p2">1079</entry>
    <entry key="p1">1077</entry>
    <entry key="ps_hacker">false</entry>
    <entry key="install_time">2000</entry>
    <entry key="taskmgr">false</entry>
    <entry key="connetion_time">2000</entry>
    <entry key="registryname">GKXeW0Yke7</entry>
    <entry key="wireshark">false</entry>
    <entry key="NAME">IHEAKA</entry>
    <entry key="jarname">unXX0JIhwW</entry>
    <entry key="dns">204.45.207.40</entry>
    <entry key="ps_explorer">false</entry>
    <entry key="msconfig">false</entry>
    <entry key="pluginfoldername">m4w6OAI02f</entry>
    <entry key="extensionname">xBQ</entry>
    <entry key="install">true</entry>
    <entry key="win_defender">false</entry>
    <entry key="uac">false</entry>
    <entry key="jarfoldername">9bor9J6cRd</entry>
    <entry key="mutex">xooJlYrm61</entry>
    <entry key="prefix">IHEAKA</entry>
    <entry key="restore_system">false</entry>
    <entry key="vmware">false</entry>
    <entry key="desktop">true</entry>
    <entry key="reconnetion_time">2000</entry>
    </properties>

    IP: 204.45.207.40
    Decimal: 3425554216
    Hostname: 212.clients.instantdedis.com
    ISP: FDCservers.net
    Country: United States
    State/Region: Colorado
    City: Denver



    79E9DD35AEF6558461C4B93CD0C55B76
    <?xml version="1.0" encoding="UTF-8" standalone="no"?>
    <!DOCTYPE properties SYSTEM "http://java.sun.com/dtd/properties.dtd">
    <properties>
    <comment>AlienSpy</comment>
    <entry key="pluginfolder">fy0qFUFuLP</entry>
    <entry key="reconnetion_time">3000</entry>
    <entry key="ps_hacker">true</entry>
    <entry key="restore_system">true</entry>
    <entry key="pluginfoldername">fy0qFUFuLP</entry>
    <entry key="dns">38.89.137.248</entry>
    <entry key="install_time">3000</entry>
    <entry key="port2">1065</entry>
    <entry key="port1">1064</entry>
    <entry key="taskmgr">true</entry>
    <entry key="vmware">false</entry>
    <entry key="jarname">LcuSMagrlF</entry>
    <entry key="msconfig">true</entry>
    <entry key="mutex">VblVc5kEqY</entry>
    <entry key="install">true</entry>
    <entry key="instalar">true</entry>
    <entry key="vbox">false</entry>
    <entry key="password">7110eda4d09e062aa5e4a390b0a572ac0d2c0220</entry>
    <entry key="NAME">xmas things</entry>
    <entry key="extensionname">7h8</entry>
    <entry key="prefix">xmas</entry>
    <entry key="jarfoldername">jcwDpUEpCh</entry>
    <entry key="uac">true</entry>
    <entry key="win_defender">true</entry>
    <entry key="

    IP: 38.89.137.248
    Decimal: 643402232
    Hostname: 38.89.137.248
    ISP: Cogent Communications
    Country: United States
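An added example, not code from the original post: a small Python extractor that pulls the network and persistence indicators out of java.util.Properties configs like the two above. The two embedded configs are abridged transcriptions of the page's dumps; the second is cut off mid-entry exactly as it is above, so the parser falls back to a regex when ElementTree rejects the document and flags the result as incomplete. The artifact paths it derives follow the "Created Files" listings further down the page (mutex name plus .tmp for the timestamp file, jarfoldername\jarname.txt under Application Data); the key aliases p1/p2 and port1/port2 are the two spellings seen in these configs. Which behaviour the true/false tool flags control is not stated on the page, so they are only collected, not interpreted.

```python
"""Extract C2 and host indicators from AlienSpy/Adwind java.util.Properties
configs. Added example; the configs are abridged transcriptions of the two
dumps above (the second cut off mid-entry, as on the page)."""
import re
import xml.etree.ElementTree as ET

CONFIG_DB46 = """<!DOCTYPE properties SYSTEM "http://java.sun.com/dtd/properties.dtd">
<properties>
<comment>AlienSpy</comment>
<entry key="vbox">false</entry>
<entry key="p2">1079</entry>
<entry key="p1">1077</entry>
<entry key="taskmgr">false</entry>
<entry key="registryname">GKXeW0Yke7</entry>
<entry key="wireshark">false</entry>
<entry key="NAME">IHEAKA</entry>
<entry key="jarname">unXX0JIhwW</entry>
<entry key="dns">204.45.207.40</entry>
<entry key="jarfoldername">9bor9J6cRd</entry>
<entry key="mutex">xooJlYrm61</entry>
<entry key="vmware">false</entry>
</properties>"""

CONFIG_79E9 = """<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE properties SYSTEM "http://java.sun.com/dtd/properties.dtd">
<properties>
<comment>AlienSpy</comment>
<entry key="dns">38.89.137.248</entry>
<entry key="port2">1065</entry>
<entry key="port1">1064</entry>
<entry key="taskmgr">true</entry>
<entry key="vmware">false</entry>
<entry key="jarname">LcuSMagrlF</entry>
<entry key="mutex">VblVc5kEqY</entry>
<entry key="NAME">xmas things</entry>
<entry key="jarfoldername">jcwDpUEpCh</entry>
<entry key="
"""

ENTRY_RE = re.compile(r'<entry key="([^"]+)">([^<]*)</entry>')
PORT_KEYS = (("p1", "port1"), ("p2", "port2"))   # both spellings occur in the dumps above
TOOL_FLAGS = ("vbox", "vmware", "wireshark", "ps_hacker", "ps_explorer",
              "taskmgr", "msconfig", "win_defender", "uac")


def parse_entries(text):
    """Return ({key: value}, complete). Well-formed XML goes through ElementTree;
    a dump cut off mid-entry raises ParseError and is re-read with a regex so
    the entries that did survive are still usable (complete=False)."""
    try:
        root = ET.fromstring(text.encode("utf-8"))
        return {e.get("key"): (e.text or "") for e in root.iter("entry")}, True
    except ET.ParseError:
        return dict(ENTRY_RE.findall(text)), False


def _first(entries, *names):
    """First present value among alias keys, or None."""
    return next((entries[n] for n in names if n in entries), None)


def extract_iocs(text):
    """Normalise a config into the indicators a responder would pivot on."""
    entries, complete = parse_entries(text)
    ports = [int(v) for v in (_first(entries, *pair) for pair in PORT_KEYS)
             if v is not None and v.isdigit()]
    mutex, folder, jar = entries.get("mutex"), entries.get("jarfoldername"), entries.get("jarname")
    return {
        "c2_host": entries.get("dns"),
        "c2_ports": ports,
        "client_name": entries.get("NAME"),
        "mutex": mutex,
        # the mutex name doubles as the timestamp file, e.g. %USERPROFILE%\xooJlYrm61.tmp
        "timestamp_file": "%USERPROFILE%\\" + mutex + ".tmp" if mutex else None,
        # persisted copy of the jar: Application Data\<jarfoldername>\<jarname>.txt
        "dropped_jar": ("%USERPROFILE%\\Application Data\\" + folder + "\\" + jar + ".txt")
                       if folder and jar else None,
        "registry_value": entries.get("registryname"),
        "flags_enabled": sorted(k for k in TOOL_FLAGS if entries.get(k) == "true"),
        "complete": complete,
    }
```

Running extract_iocs() over the two configs yields the C2 host and port pair for each, the mutex/timestamp file and the dropped-jar path that reappear in the file listings below, and for the second config a complete=False marker telling the analyst that more entries existed in memory than the dump preserved.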


    Created Files

    I
     DB46ADCFAE462E7C475C171FBE66DF82  paymentadvice.jar

    %USERPROFILE%\Application Data\evt88IWdHO\CnREgyvLBS.txt <<MD5:  abe6ef71e44d2e145033800d0dccea57 << strings are here (by classes)
    %USERPROFILE%\Application Data\evt88IWdHO\Desktop.ini
    %USERPROFILE%\Local Settings\Temp\asdqw15727804162199772615555.jar << Strings are here
    %USERPROFILE%\Local Settings\Temp\iWimMQLgpsT2624529381479181764.png (seen Transfer.jar in the stream) <<MD5:  fab8de636d6f1ec93eeecaade8b9bc68 Size: 755017 << Strings are here
    %USERPROFILE%\29OVHAabdr.tmp << timestamp file << Strings are here

    \deleted_files\%USERPROFILE%\\29OVHAabdr.tmp << timestamp file << Strings are here
    \deleted_files\%USERPROFILE%\\Application Data\9bor9J6cRd\Desktop.ini << Strings are here
    \deleted_files\%USERPROFILE%\\Application Data\9bor9J6cRd\unXX0JIhwW.txt <MD5:  DB46ADCFAE462E7C475C171FBE66DF82 < original jar << Strings are here
    \deleted_files\%USERPROFILE%\\Local Settings\Temp\14583359.bat << Strings are here
    \deleted_files\%USERPROFILE%\\Local Settings\Temp\asdqw4727319084772952101234.exe << Pony Downloader MD5:  b5e7cd42b45f8670adaf96bbca5ae2d0 Size: 792122 < Strings are here
    \deleted_files\%USERPROFILE%\\Local Settings\Temp\OiuFr7LcfXq1847924646026958055.vbs <<MD5:  9E1EDE0DEDADB7AF34C0222ADA2D58C9 Strings are here
    \deleted_files\%USERPROFILE%\\xooJlYrm61.tmp < timestamp file << Strings are here
    \deleted_files\C\WINDOWS\tem.txt - 0bytes

    IWIMMQLGPST2624529381479181764.PNG MD5: fab8de636d6f1ec93eeecaade8b9bc68

    ├───com
    │   └───java
    │       │   Main.class << MD5:  d020b9fdac0139d43997f9ec14fa5947 Size: 7232
    │       │   Manifest.mf << MD5:  a396d2898e8a83aa5233c4258de006e3 Size: 750412
    │               │   01234.exe << MD5:  b5e7cd42b45f8670adaf96bbca5ae2d0 Size: 792122
    │               │   15555.jar << MD5:  abe6ef71e44d2e145033800d0dccea57 Size: 50922
    │              
    │               └───15555
    │                   │   ID
    │                   │   Main.class << MD5:  d020b9fdac0139d43997f9ec14fa5947 Size: 7232
    │                   │   MANIFEST.MF << MD5:  a396d2898e8a83aa5233c4258de006e3 Size: 750412
    │                   │
    │                   ├───META-INF
    │                   └───plugins
    └───META-INF
            MANIFEST.MF << MD5:  042c2fa9077d96478ce585d210641d9a Size: 171


    File types
    1. 14583359.bat (.txt) "Text file"
    2. 29OVHAabdr.tmp (.txt) "Text file"
    3. asdqw15727804162199772615555.jar (.zip) "PKZIP Compressed"
    4. asdqw4727319084772952101234.exe (.exe) "Executable File" 
    5. CnREgyvLBS.txt (.zip) "PKZIP Compressed"
    6. Desktop.ini (.txt) "Text file"
    7. DFR5.tmp (.txt) "Text file"
    8. iWimMQLgpsT2624529381479181764.png (.zip) "Zip Compressed"
    9. iWimMQLgpsT2624529381479181764.png (.zip) "PKZIP Compressed"
    10. OiuFr7LcfXq1847924646026958055.vbs (.txt) "Vbs script file"
    11. tem.txt (.txt) "Text file"
    12. unXX0JIhwW.txt (.zip) "PKZIP Compressed"
    13. xooJlYrm61.tmp (.txt) "Text file"
    II

    79e9dd35aef6558461c4b93cd0c55b76 Purchase Order.jar
    Received: from magix-webmail (webmail.app.magix-online.com [193.254.184.250])
    by smtp.app.magix-online.com (Postfix) with ESMTPSA id B626052E77F;
    Sun, 16 Nov 2014 14:54:06 +0100 (CET)
    Received: from 206.217.192.188 ([206.217.192.188]) by
     webmail.magix-online.com (Horde Framework) with HTTP; Sun, 16 Nov 2014
     14:54:06 +0100
    Date: Sun, 16 Nov 2014 14:54:06 +0100
    Message-ID: <20141116145406.Horde.YL7L4Bi7ap6_NXm76DDEaw2@webmail.magix-online.com>
    From: Outokumpu Import Co Ltd <purchase@brentyil.org>
    Subject: Re: Confirm correct details
    Reply-to: jingwings@outlook.com
    User-Agent: Internet Messaging Program (IMP) H5 (6.1.4)
    Content-Type: multipart/mixed; boundary="=_FMdois7zoq7xTAV91epZoQ6"
    MIME-Version: 1.0
    Content-Transfer-Encoding: 8bit
    This message is in MIME format.
    --=_FMdois7zoq7xTAV91epZoQ6
    Content-Type: text/plain; charset=UTF-8; format=flowed; DelSp=Yes
    Content-Disposition: inline
    Content-Transfer-Encoding: 8bit
    Dear Sir,
    Please confirm the attached purchase order for your reference.
    Please acknowledge Invoice for the final confirmation and confirm  
    details are correct so we can proceed accordingly.
    Please give me feedback through this email.
    IBRAHIM MOHAMMAD AL FAR
    Area Manager 
    Central Region
    Outokumpu Import Co Ltd
    Tel:   +966-11-265-2030
    Fax:  +966-11-265-0350
    Mob: +966-50 610 8743
    P.O Box: 172 Riyadh 11383
    Kingdom of Saudi Arabia
    --=_FMdois7zoq7xTAV91epZoQ6
    Content-Type: application/java-archive; name="Purchase Order.jar"
    Content-Description: Purchase Order.jar
    Content-Disposition: attachment; size=125985; filename="Purchase Order.jar"
    Content-Transfer-Encoding: base64

    File paths
    %USERPROFILE%\Application Data\jcwDpUEpCh\Desktop.ini
    %USERPROFILE%\Application Data\jcwDpUEpCh\LcuSMagrlF.txt
    %USERPROFILE%\Local Settings\History\History.IE5\MSHist012014111620141117\index.dat
    %USERPROFILE%\Local Settings\Temp\hsperfdata_Laura\3884
    %USERPROFILE%\VblVc5kEqY.tmp
    deleted_files\%USERPROFILE%\Local Settings\Temp\TaskNetworkGathor267205042636993976.reg
    deleted_files\%USERPROFILE%\VblVc5kEqY.tmp
    deleted_files\C\WINDOWS\tem.txt

    File types
    Desktop.ini (.txt) "Text file"
    index.dat (.txt) "Text file"
    LcuSMagrlF.txt (.zip) "PKZIP Compressed"
    TaskNetworkGathor267205042636993976.reg (.txt) "Text file"
    tem.txt (.txt) "Text file"
    VblVc5kEqY.tmp (.txt) "Text file"

    MD5 list
    Desktop.ini     e783bdd20a976eaeaae1ff4624487420
    index.dat       b431d50792262b0ef75a3d79a4ca4a81
    LcuSMagrlF.txt  79e9dd35aef6558461c4b93cd0c55b76
    79e9dd35aef6558461c4b93cd0c55b76.malware       79e9dd35aef6558461c4b93cd0c55b76
    TaskNetworkGathor267205042636993976.reg        6486acf0ca96ecdc981398855255b699 << Strings are here
    tem.txt         d41d8cd98f00b204e9800998ecf8427e
    VblVc5kEqY.tmp  b5c6ea9aaf042d88ee8cd61ec305880b

    III
    B2856B11FF23D35DA2C9C906C61781BA Purchase Order.jar
    File paths
    %USERPROFILE%\Application Data\Sys32\Desktop.ini
    %USERPROFILE%\Application Data\Sys32\Windows.jar.txt
    %USERPROFILE%\Local Settings\History\History.IE5\MSHist012014111620141117\index.dat
    %USERPROFILE%\Local Settings\Temp\hsperfdata_Laura\1132
    %USERPROFILE%\WWMI853JfC.tmp
    deleted_files\%USERPROFILE%\Local Settings\Temp\TaskNetworkGathor7441169770678304780.reg
    deleted_files\%USERPROFILE%\Local Settings\History\History.IE5\MSHist012013110920131110\index.dat
    deleted_files\%USERPROFILE%\WWMI853JfC.tmp
    deleted_files\C\DFRA.tmp

    deleted_files\C\WINDOWS\tem

    File type list
    Desktop.ini (.txt) "Text file"
    DFRA.tmp (.txt) "Text file"
    index.dat (.txt) "Text file"
    TaskNetworkGathor7441169770678304780.reg (.txt) "Text file"
    tem (.txt) "Text file"
    Windows.jar.txt (.zip) "PKZIP Compressed"

    WWMI853JfC.tmp (.txt) "Text file"

    MD5 list
    Desktop.ini     e783bdd20a976eaeaae1ff4624487420
    DFRA.tmp        d41d8cd98f00b204e9800998ecf8427e
    index.dat       b431d50792262b0ef75a3d79a4ca4a81
    purchase.jar    b2856b11ff23d35da2c9c906c61781ba
    TaskNetworkGathor7441169770678304780.reg       311af3b9a52ffc58f46ad83afb1e93b6
    tem             d41d8cd98f00b204e9800998ecf8427e
    Windows.jar.txt b2856b11ff23d35da2c9c906c61781ba
    WWMI853JfC.tmp  8e222c61fc55c230407ef1eb21a7daa9



    Traffic Information

    Java Serialization Protocol traffic info

    DB46ADCFAE462E7C475C171FBE66DF82 traffic capture - Windows XP
    00000000  ac ed 00 05                                      ....
        00000000  ac ed 00 05                                      ....
    00000004  75 72 00 02 5b 42 ac f3  17 f8 06 08 54 e0 02 00 ur..[B.. ....T...
    00000014  00                                               .
    00000015  78 70 00 00 03 2a 1f 8b  08 00 00 00 00 00 00 00 xp...*.. ........
    00000025  6d 54 dd 8e d3 46 18 1d  12 16 b2 bb 59 40 fc 5d mT...F.. ....Y@.]
    00000035  bb 52 2b 71 83 d7 76 1c  3b a1 12 10 58 16 36 2c .R+q..v. ;...X.6,
    00000045  14 95 56 1b 24 4b d6 17  7b 9c cc 66 3c e3 ce 8c ..V.$K.. {..f<...
    00000055  d7 a6 17 7d 8e 3e 44 1f  a0 12 2f c1 43 f4 b6 ef ...}.>D. ../.C...
    00000065  d0 cf 6c 76 1d 2a 22 d9  19 7b be 9f 73 be 73 c6 ..lv.*". .{..s.s.
    00000075  7f fd 4b b6 b4 22 77 4f  e1 0c ec d2 30 6e bf 53 ..K.."wO ....0n.S

    DB46ADCFAE462E7C475C171FBE66DF82 traffic capture - OSX Lion
    00000000  ac ed 00 05                                      ....
        00000000  ac ed 00 05                                      ....
    00000004  75 72 00 02 5b 42 ac f3  17 f8 06 08 54 e0 02 00 ur..[B.. ....T...
    00000014  00                                               .
    00000015  78 70 00 00 03 33 1f 8b  08 00 00 00 00 00 00 00 xp...3.. ........
    00000025  75 54 cd 6e db 46 10 de  c8 b5 2d ff 26 c8 1f 7a uT.n.F.. ..-.&..z
    00000035  54 0f 45 7b d1 92 5c d1  94 89 02 4d 94 c0 b1 a5 T.E{..\. ...M....
    00000045  d8 4d 51 23 89 73 22 56  dc a5 b5 16 b9 cb ec 2e .MQ#.s"V ........

    B2856B11FF23D35DA2C9C906C61781BA on Windows XP
    00000000  ac ed 00 05                                      ....
        00000000  ac ed 00 05                                      ....
    00000004  75 72 00 02 5b 42 ac f3  17 f8 06 08 54 e0 02 00 ur..[B.. ....T...
    00000014  00                                               .
    00000015  78 70 00 00 03 63 1f 8b  08 00 00 00 00 00 00 00 xp...c.. ........
    00000025  6d 54 5d 6e db 46 10 de  48 91 2d db 8a 13 24 41 mT]n.F.. H.-...$A
    00000035  fa ca 3e 14 08 0a 84 e6  bf a4 16 68 9a c4 75 1b ..>..... ...h..u.
    00000045  c3 6e 0d b8 85 13 80 00  31 22 57 d2 5a e4 ee 76 .n...... 1"W.Z..v

    79E9DD35AEF6558461C4B93CD0C55B76 - Windows XP
    00000000  ac ed 00 05                                      ....
        00000000  ac ed 00 05                                      ....
    00000004  75 72 00 02 5b 42 ac f3  17 f8 06 08 54 e0 02 00 ur..[B.. ....T...
    00000014  00                                               .
    00000015  78 70 00 00 03 69 1f 8b  08 00 00 00 00 00 00 00 xp...i.. ........
    00000025  6d 54 dd 6e db 36 14 66  ed fc 38 89 9b 16 ed d0 mT.n.6.f ..8.....
    00000035  de 6a 17 03 8a 01 53 28  d9 92 ed 0d e8 d6 34 71 .j....S( ......4q
    00000045  b6 c0 19 02 64 69 3b c0  80 70 2c d1 36 6d 4a 62 ....di;. .p,.6mJb



    Serialization Protocol decoding:


    The following fields are part of the serialization protocol and are "benign" and common.

    AC ED (¬í)   - Java Serialization protocol magic STREAM_MAGIC = (short)0xaced
    00 05        - Serialization version STREAM_VERSION
    75 (u)       - Specifies that this is a new array - newArray: TC_ARRAY
    72 (r)       - Specifies that this is a new class - newClassDesc: TC_CLASSDESC
    00 02        - Length of the class name
    5B 42 AC F3 17 F8 06 08 54 E0 ([B¬ó.ø..Tà) - Serial class name and version identifier section, but the data appears to be encrypted
    02 00        - Is Serializable flag - SC_SERIALIZABLE
    78 70 (xp)   - some low-level information identifying serialized fields
    1f 8b 08 00 00 00 00 00 00 00 - GZIP header as seen in the serialization stream

    As you can see, all Windows traffic captures have identical fields following the GZIP stream, while the OSX traffic has different data. The jar files that carried the Pony downloader payload had no other OSX malware packaged, and I saw no activity on OSX other than calling the C2 and writing to the randomly named timestamp file (e.g. VblVc5kEqY.tmp, updated with the current timestamp in Unix epoch format).

    A combination of the Stream Magic exchange plus all the other benign fields in this order will make a usable signature. However, it will be prone to false positives unless you also use fields after the GZIP header for OS-specific signatures.

    Another signature can be based on the Transfer.jar download as seen below.


    DB46ADCFAE462E7C475C171FBE66DF82 - downloading fab8de636d6f1ec93eeecaade8b9bc68
    iWimMQLgpsT2624529381479181764.png (seen as Transfer.jar in the stream), which contains 15555.jar in Manifest.mf, which contains 15555.exe (Pony loader) in its Manifest.mf

    IHEAKA_000C297BA8DA << IHEAKA is the name of the RAT client; it is different in each infection.

    00000000  ac ed 00 05                                      ....
        00000000  ac ed 00 05                                      ....
    00000004  77 04                                            w.
    00000006  00 00 00 01                                      ....
    0000000A  77 15                                            w.
    0000000C  00 13 49 48 45 41 4b 41  5f 30 30 30 43 32 39 37 ..IHEAKA _000C297
    0000001C  42 41 38 44 41                                   BA8DA
        00000004  77 0e 00 0c 54 72 61 6e  73 66 65 72 2e 6a 61 72 w...Tran sfer.jar
        00000014  7a 00 00 04 00 50 4b 03  04 14 00 08 08 08 00 46 z....PK. .......F
        00000024  0c 71 45 00 00 00 00 00  00 00 00 00 00 00 00 14 .qE..... ........
        00000034  00 04 00 4d 45 54 41 2d  49 4e 46 2f 4d 41 4e 49 ...META- INF/MANI
        00000044  46 45 53 54 2e 4d 46 fe  ca 00 00 4d 8d 4d 0b c2 FEST.MF. ...M.M..

    ---- snip----

    000ABBA0  00 09 00 00 00 31 35 35  35 35 2e 6a 61 72 74 97 .....155 55.jart.
        000ABBB0  43 70 26 8c a2 44 63 db  9c d8 b6 9d 7c b1 6d db Cp&..Dc. ....|.m.
        000ABBC0  c6 c4 b6 6d db b6 6d db  99 d8 76 f2 fe e5 dd bc ...m..m. ..v.....
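An added example, not code from the original post, that turns the "benign field" list above and the Transfer.jar client-hello dump into running detection logic in Python. The field names follow the Java Object Serialization Stream Protocol specification linked under "Java Serialization References". Two facts worth knowing when reading the bytes: in that layout `5B 42` is the two-character UTF class name `[B` (a byte array), and the eight bytes after it are the fixed serialVersionUID Java assigns to byte[], so that prefix is constant for any serialized byte[] regardless of the RAT; a signature is only meaningful once the GZIP magic inside the array (and, as the text says, data after it) is checked too. The sample byte strings are transcribed from the dumps above and are truncated where the dumps are; build_sample_stream() produces a constructed stream with a complete GZIP body so the inflate path can be exercised end to end.

```python
"""Decode the leading bytes of the Java serialization streams dumped above.
Added example. Field names follow the Java Object Serialization Stream
Protocol spec; sample bytes are transcribed from the page's hex dumps."""
import gzip
import struct

STREAM_MAGIC, STREAM_VERSION = 0xACED, 5   # ac ed 00 05
TC_NULL = 0x70          # p: null reference (the array has no superclass)
TC_CLASSDESC = 0x72     # r: newClassDesc
TC_ARRAY = 0x75         # u: newArray
TC_BLOCKDATA = 0x77     # w: short raw block with a 1-byte length
TC_ENDBLOCKDATA = 0x78  # x: end of the class annotation
SC_SERIALIZABLE = 0x02
BYTE_ARRAY_SUID = 0xACF317F8060854E0   # serialVersionUID Java assigns to byte[] ("[B")
GZIP_MAGIC = b"\x1f\x8b\x08"

# Offsets 0x00-0x34 of the DB46... Windows XP capture above (transcribed, truncated).
WINXP_CAPTURE_PREFIX = bytes.fromhex(
    "aced0005" "757200025b42acf317f8060854e00200" "00"
    "78700000032a1f8b0800000000000000" "6d54dd8ed346181d1216b2bb5940fc5d")
# Offsets 0x00-0x20 of the Transfer.jar exchange above (transcribed).
CLIENT_HELLO = bytes.fromhex("aced0005" "770400000001" "77150013") + b"IHEAKA_000C297BA8DA"


def parse_byte_array_stream(data):
    """Walk the fixed prefix  ac ed 00 05 | 75 72 00 02 [B <suid> 02 00 00 | 78 70 <len>
    of a serialized byte[] and return its fields plus the array payload.
    Raises ValueError/struct.error on any deviation, so 'raises' means 'no match'."""
    off = 0

    def take(fmt):
        nonlocal off
        vals = struct.unpack_from(fmt, data, off)
        off += struct.calcsize(fmt)
        return vals[0] if len(vals) == 1 else vals

    if take(">HH") != (STREAM_MAGIC, STREAM_VERSION):
        raise ValueError("no STREAM_MAGIC/STREAM_VERSION")
    if take(">B") != TC_ARRAY or take(">B") != TC_CLASSDESC:
        raise ValueError("expected TC_ARRAY TC_CLASSDESC")
    name_len = take(">H")                                   # 00 02
    class_name = data[off:off + name_len].decode("ascii")   # "[B"
    off += name_len
    suid = take(">Q")                                       # ac f3 17 f8 06 08 54 e0
    flags = take(">B")                                      # 02 = SC_SERIALIZABLE
    field_count = take(">H")                                # 00 00: arrays declare no fields
    if take(">B") != TC_ENDBLOCKDATA or take(">B") != TC_NULL:   # 78 70
        raise ValueError("expected TC_ENDBLOCKDATA TC_NULL")
    array_len = take(">I")                                  # 00 00 03 2a = 810 bytes
    return {"class_name": class_name, "suid": suid, "flags": flags,
            "field_count": field_count, "array_len": array_len,
            "payload": data[off:off + array_len]}


def is_alienspy_beacon(data):
    """The signature sketched above: every benign framing field in order, then a
    GZIP stream as the array content. Works on truncated captures as well."""
    try:
        f = parse_byte_array_stream(data)
    except (ValueError, struct.error, UnicodeDecodeError):
        return False
    return bool(f["class_name"] == "[B" and f["suid"] == BYTE_ARRAY_SUID
                and f["flags"] & SC_SERIALIZABLE and f["field_count"] == 0
                and f["payload"].startswith(GZIP_MAGIC))


def decode_beacon_body(data):
    """Inflate the GZIP body of a complete capture (the dumps above are cut short)."""
    return gzip.decompress(parse_byte_array_stream(data)["payload"])


def parse_block_data(data):
    """Split a stream of TC_BLOCKDATA records (ac ed 00 05 77 <len> ... 77 <len> ...)
    into their raw bodies; this is the shape of the client hello above."""
    if struct.unpack_from(">HH", data, 0) != (STREAM_MAGIC, STREAM_VERSION):
        raise ValueError("no STREAM_MAGIC/STREAM_VERSION")
    off, blocks = 4, []
    while off + 2 <= len(data) and data[off] == TC_BLOCKDATA:
        length = data[off + 1]
        blocks.append(data[off + 2:off + 2 + length])
        off += 2 + length
    return blocks


def client_name_from_blocks(blocks):
    """The second block is a modified-UTF string: 2-byte length, then the client name."""
    n = struct.unpack_from(">H", blocks[1], 0)[0]
    return blocks[1][2:2 + n].decode("utf-8")


def build_sample_stream(body):
    """Constructed sample (not a real capture): gzip(body) in the same byte[] framing."""
    blob = gzip.compress(body, mtime=0)
    head = struct.pack(">HHBBH", STREAM_MAGIC, STREAM_VERSION, TC_ARRAY, TC_CLASSDESC, 2)
    head += b"[B" + struct.pack(">QBHBBI", BYTE_ARRAY_SUID, SC_SERIALIZABLE, 0,
                                TC_ENDBLOCKDATA, TC_NULL, len(blob))
    return head + blob
```

is_alienspy_beacon() is the fixed-prefix signature the text proposes, so it will also fire on any legitimate Java application that serializes a gzip-compressed byte[] over the wire; in practice you would run it only on the ports from the config (1077/1079, 1064/1065 above) or pair it with the client-name block that parse_block_data() recovers.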


    Pony downloader traffic

     HTTP requests
    URL: http://meetngreetindia.com/scala/gate.php
    TYPE: POST
    USER AGENT: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)
    URL: http://meetngreetindia.com/scala/gate.php
    TYPE: GET
    USER AGENT: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)
     DNS requests
    meetngreetindia.com (50.28.15.25)
     TCP connections
    50.28.15.25:80

    IP: 50.28.15.25
    Decimal: 840699673
    Hostname: mahanadi3.ewebguru.net
    ISP: Liquid Web
    Organization: eWebGuru
    State/Region: Michigan
    City: Lansing

    https://www.virustotal.com/en/ip-address/50.28.15.25/information/




    IP-Domain Information
    I
    DB46ADCFAE462E7C475C171FBE66DF82 paymentadvice.jar 
    IP: 204.45.207.40
    Decimal: 3425554216
    Hostname: 212.clients.instantdedis.com
    ISP: FDCservers.net
    Country: United States
    State/Region: Colorado
    City: Denver

    meetngreetindia.com (50.28.15.25)
     TCP connections
    50.28.15.25:80
    Decimal: 840699673
    Hostname: mahanadi3.ewebguru.net
    ISP: Liquid Web
    Organization: eWebGuru
    State/Region: Michigan
    City: Lansing

    II
    79E9DD35AEF6558461C4B93CD0C55B76 Purchase order.jar
    IP: 38.89.137.248
    Decimal: 643402232
    Hostname: 38.89.137.248
    ISP: Cogent Communications
    Country: United States

    III
    B2856B11FF23D35DA2C9C906C61781BA Purchase order.jar
    installone.no-ip.biz
    IP Address:   185.32.221.17
    Country:      Switzerland
    Network Name: CH-DATASOURCE-20130812
    Owner Name:   Datasource AG
    From IP:      185.32.220.0
    To IP:        185.32.223.255
    Allocated:    Yes
    Contact Name: Rolf Tschumi
    Address:      mgw online service, Roetihalde 12, CH-8820 Waedenswil
    Email:        rolf.tschumi@mgw.ch
    Abuse Email:  abuse@softplus.net
       








    Virustotal

    https://www.virustotal.com/en/file/02d1e6dd2f3eecf809d8cd43b5b49aa76c6f322cf4776d7b190676c5f12d6b45/analysis/
    SHA256: 02d1e6dd2f3eecf809d8cd43b5b49aa76c6f322cf4776d7b190676c5f12d6b45
    MD5 db46adcfae462e7c475c171fbe66df82
    SHA1 2b43211053d00147b2cb9847843911c771fd3db4
    SHA256 02d1e6dd2f3eecf809d8cd43b5b49aa76c6f322cf4776d7b190676c5f12d6b45
    ssdeep 3072:VR/6ZQvChcDfJNBOFJKMRXcCqfrCUMBpXOg84WoUeonNTFN:LdvCGJN0FJ1RXcgBpXOjOjSNTFN
    File size 128.1 KB ( 131178 bytes )
    File type ZIP
    Magic literal: Zip archive data, at least v2.0 to extract
    TrID ZIP compressed archive (100.0%)
    File name: Payment Advice.jar
    Detection ratio: 6 / 54
    Analysis date: 2014-11-16 20:58:08 UTC ( 1 day, 4 hours ago )
    Ikarus Trojan.Java.Adwind 20141116
    TrendMicro JAVA_ADWIND.XXO 20141116
    TrendMicro-HouseCall JAVA_ADWIND.XXO 20141116
    DrWeb Java.Adwind.3 20141116
    Kaspersky HEUR:Trojan.Java.Generic 20141116
    ESET-NOD32 a variant of Java/Adwind.T 20141116

    https://www.virustotal.com/en/file/733c037f886d91b6874ac4a2de5b32ca1e7f7f992928b01579b76603b233110c/analysis/1416194595/
    SHA256: 733c037f886d91b6874ac4a2de5b32ca1e7f7f992928b01579b76603b233110c
    MD5 fab8de636d6f1ec93eeecaade8b9bc68
    File name: iWimMQLgpsT2624529381479181764.png
    Detection ratio: 23 / 53
    Analysis date: 2014-11-17 03:23:15 UTC ( 0 minutes ago )
    AVG Zbot.URE 20141116
    Qihoo-360 Win32/Trojan.fff 20141117
    ESET-NOD32 Win32/PSW.Fareit.A 20141117
    Fortinet W32/Inject.SXVW!tr 20141117
    Antiy-AVL Trojan[PSW]/Win32.Tepfer 20141117
    AVware Trojan.Win32.Generic!BT 20141117
    DrWeb Trojan.PWS.Stealer.13319 20141117
    Symantec Trojan.Maljava 20141117
    McAfee RDN/Generic Exploit!1m3 20141117
    McAfee-GW-Edition RDN/Generic Exploit!1m3 20141117
    Sophos Mal/JavaJar-A 20141117
    Avast Java:Malware-gen [Trj] 20141117
    Cyren Java/Agent.KS 20141117
    F-Prot Java/Agent.KS 20141117
    Kaspersky HEUR:Trojan.Java.Generic 20141117
    Emsisoft Gen:Variant.Kazy.494557 (B) 20141117
    Ad-Aware Gen:Variant.Kazy.494557 20141117
    BitDefender Gen:Variant.Kazy.494557 20141117
    F-Secure Gen:Variant.Kazy.494557 20141116
    GData Gen:Variant.Kazy.494557 20141117
    MicroWorld-eScan Gen:Variant.Kazy.494557 20141117
    Ikarus Exploit.Java.Agent 20141117
    Norman Adwind.E 20141116

    https://www.virustotal.com/en/file/91d71b06c99fe25271ba19c1c47c2d1ba85e78c2d7d5ae74e97417dc958dc725/analysis/
    MD5 b5e7cd42b45f8670adaf96bbca5ae2d0
    SHA256: 91d71b06c99fe25271ba19c1c47c2d1ba85e78c2d7d5ae74e97417dc958dc725
    File name: asdqw4727319084772952101234.exe
    Detection ratio: 12 / 54
    Analysis date: 2014-11-17 03:21:30 UTC
    AVG Zbot.URE 20141116
    AVware Trojan.Win32.Generic!BT 20141117
    Ad-Aware Gen:Variant.Kazy.494557 20141117
    Antiy-AVL Trojan[PSW]/Win32.Tepfer 20141116
    BitDefender Gen:Variant.Kazy.494557 20141117
    DrWeb Trojan.PWS.Stealer.13319 20141117
    ESET-NOD32 Win32/PSW.Fareit.A 20141117
    Emsisoft Gen:Variant.Kazy.494557 (B) 20141117
    F-Secure Gen:Variant.Kazy.494557 20141116
    GData Gen:Variant.Kazy.494557 20141117
    MicroWorld-eScan Gen:Variant.Kazy.494557 20141117
    Qihoo-360 Win32/Trojan.fff 20141117






    OnionDuke samples
    16 Nov 2014, 4:58 am


    Research:  F-Secure: OnionDuke: APT Attacks Via the Tor Network






    Download

    File attributes

    Size: 219136
    MD5:  28F96A57FA5FF663926E9BAD51A1D0CB

    Size: 126464
    MD5:  C8EB6040FD02D77660D19057A38FF769

    Size: 316928
    MD5:  D1CE79089578DA2D41F1AD901F7B1014


    Virustotal info

    https://www.virustotal.com/en/file/366affd094cc63e2c19c5d57a6866b487889dab5d1b07c084fff94262d8a390b/analysis/
    SHA256: 366affd094cc63e2c19c5d57a6866b487889dab5d1b07c084fff94262d8a390b
    File name: 366affd094cc63e2c19c5d57a6866b487889dab5d1b07c084fff94262d8a390b
    Detection ratio: 8 / 52
    Analysis date: 2014-11-15 18:37:30 UTC ( 8 hours, 44 minutes ago ) 
    Antivirus Result Update
    Baidu-International Trojan.Win32.Agent.adYf 20141107
    F-Secure Backdoor:W32/OnionDuke.B 20141115
    Ikarus Trojan.Win32.Agent 20141115
    Kaspersky Backdoor.Win32.MiniDuke.x 20141115
    Norman OnionDuke.A 20141115
    Sophos Troj/Ransom-ALA 20141115
    Symantec Backdoor.Miniduke!gen4 20141115
    Tencent Win32.Trojan.Agent.Tbsl 20141115

    https://www.virustotal.com/en/file/0102777ec0357655c4313419be3a15c4ca17c4f9cb4a440bfb16195239905ade/analysis/
    SHA256: 0102777ec0357655c4313419be3a15c4ca17c4f9cb4a440bfb16195239905ade
    File name: 0102777ec0357655c4313419be3a15c4ca17c4f9cb4a440bfb16195239905ade
    Detection ratio: 19 / 55
    Analysis date: 2014-11-15 18:37:25 UTC ( 8 hours, 47 minutes ago ) 
    Antivirus Result Update
    AVware Trojan.Win32.Generic!BT 20141115
    Ad-Aware Backdoor.Generic.933739 20141115
    Baidu-International Trojan.Win32.OnionDuke.BA 20141107
    BitDefender Backdoor.Generic.933739 20141115
    ESET-NOD32 a variant of Win32/OnionDuke.A 20141115
    Emsisoft Backdoor.Generic.933739 (B) 20141115
    F-Secure Backdoor:W32/OnionDuke.A 20141115
    GData Backdoor.Generic.933739 20141115
    Ikarus Trojan.Win32.Onionduke 20141115
    Kaspersky Backdoor.Win32.MiniDuke.x 20141115
    McAfee RDN/Generic BackDoor!zw 20141115
    McAfee-GW-Edition BehavesLike.Win32.Trojan.fh 20141114
    MicroWorld-eScan Backdoor.Generic.933739 20141115
    Norman OnionDuke.B 20141115
    Sophos Troj/Ransom-ANU 20141115
    Symantec Backdoor.Miniduke!gen4 20141115
    TrendMicro BKDR_ONIONDUKE.AD 20141115
    TrendMicro-HouseCall BKDR_ONIONDUKE.AD 20141115
    VIPRE Trojan.Win32.Generic!BT 20141115


    Share this post


    Wirelurker for OSX, iOS (Part I) and Windows (Part II) samples
    7 Nov 2014, 2:57 am

    PART II

    Wirelurker for Windows (WinLurker)

    Research: Palo Alto Claud Xiao: Wirelurker for Windows

    Sample credit: Claud Xiao



    PART I


    Research: Palo Alto Claud Xiao WIRELURKER: A New Era in iOS and OS X Malware

    Palo Alto | Claud Xiao - blog post: Wirelurker

    Wirelurker Detector https://github.com/PaloAltoNetworks-BD/WireLurkerDetector


    Sample credit: Claud Xiao


    Download

    Download Part I
    Download Part II

    Email me if you need the password




    List of files
    List of hashes 

    Part II



    │   apps.ipa
    │   微博 3.4.1.dmg
    │
    └───WhatsAppMessenger 2.11.7
            libiconv-2_.dll
            libxml2.dll
            libz_.dll
            mfc100u.dll
            msvcr100.dll
            WhatsAppMessenger 2.11.7.exe
            zlib1.dll
            使用说明.txt


    Part I
