Thursday, January 15, 2009

Analysis of 121.12.173.218

DISCLAIMER:
KINDLY DO NOT VISIT ANY OF THE OBFUSCATED LINKS LISTED HERE, AS THEY WILL AFFECT YOUR SYSTEM. WE ARE NOT RESPONSIBLE OR IN CHARGE OF ANY POSSIBLE EFFECTS IF YOU ARE CLICKING ON THE FOLLOWING DESPITE THIS WARNING. READ OUR LEGAL SECTION BEFORE TRYING TO CONTACT US. THE DATA IN THIS SECTION OR IN ANY SECTION OF WWW.EVILFINGERS.COM ARE SOLELY FOR EDUCATIONAL PURPOSE.


121.12.173.218 has been really mischievous.

The following were some of the executables found during analysis:
hxxp://121.12.173.218/6666.txt
and
hxxp://121.12.173.218/tan/ms.exe
Sections ( .nsp0 .nsp1 .nsp2 )
File: MS-DOS executable PE for MS Windows (GUI) Intel 80386 32-bit
Packer: NsPack 2.9 -> North Star
Size: 5368 bytes
MD5: 45763bb0ea1fcd247a52bacd3124ea35


Anubis Analysis Report for 6666.txt

Anubis Analysis Report for ms.exe

6666.txt is a download list that calls in a multitude of further bad guys to continue the infection. It references 35 executables (several slots are empty):
[file]
open=y
url1=hxxp://a.baidu-6661.com/newadsadsxk/newads01.exe
url2=
url3=hxxp://a.baidu-6661.com/newadsadsxk/newads03.exe
url4=
url5=hxxp://a.baidu-6661.com/newadsadsxk/newads05.exe
url6=hxxp://a.baidu-6661.com/newadsadsxk/newads06.exe
url7=hxxp://a.baidu-6661.com/newadsadsxk/newads07.exe
url8=hxxp://a.baidu-6661.com/newadsadsxk/newads08.exe
url9=hxxp://a.baidu-6661.com/newadsadsxk/newads09.exe
url10=hxxp://a.baidu-6661.com/newadsadsxk/newads10.exe
url11=
url12=hxxp://a.baidu-6661.com/newadsadsxk/newads12.exe
url13=hxxp://a.baidu-6661.com/newadsadsxk/newads13.exe
url14=hxxp://a.baidu-6661.com/newadsadsxk/newads14.exe
url15=hxxp://a.baidu-6661.com/newadsadsxk/newads15.exe
url16=hxxp://a.baidu-6661.com/newadsadsxk/newads16.exe
url17=hxxp://a.baidu-6661.com/newadsadsxk/newads17.exe
url18=hxxp://a.baidu-6661.com/newadsadsxk/newads18.exe
url19=hxxp://a.baidu-6661.com/newadsadsxk/newads19.exe
url20=hxxp://a.baidu-6661.com/newadsadsxk/newads20.exe
url21=hxxp://a.baidu-6661.com/newadsadsxk/newads21.exe
url22=hxxp://a.baidu-6661.com/newadsadsxk/newads22.exe
url23=
url24=hxxp://a.baidu-6661.com/newadsadsxk/newads24.exe
url25=hxxp://a.baidu-6661.com/newadsadsxk/newads25.exe
url26=hxxp://a.baidu-6661.com/newadsadsxk/newads26.exe
url27=hxxp://a.baidu-6661.com/newadsadsxk/newads27.exe
url28=hxxp://a.baidu-6661.com/newadsadsxk/newads28.exe
url29=hxxp://a.baidu-6661.com/newadsadsxk/newads29.exe
url30=hxxp://a.baidu-6661.com/newadsadsxk/newads30.exe
url31=
url32=hxxp://a.baidu-6661.com/newadsadsxk/newads32.exe
url33=hxxp://a.baidu-6661.com/newadsadsxk/newads33.exe
url34=
url35=hxxp://a.baidu-6661.com/newadsadsxk/newads35.exe
count=35
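The downloader list above is a plain INI file: a `[file]` section, `url1`..`urlN` slots and a `count` that says how many slots exist. The script below is an added triage helper (not from the original post) that parses that layout, separates live slots from empty ones and collects the distinct hosts; the embedded input is a constructed, shortened copy of 6666.txt that keeps the page's defanged `hxxp://` scheme.

```python
import configparser
from urllib.parse import urlparse

# Constructed sample in the same [file]/urlN/count layout as 6666.txt above.
SAMPLE_6666 = """[file]
open=y
url1=hxxp://a.baidu-6661.com/newadsadsxk/newads01.exe
url2=
url3=hxxp://a.baidu-6661.com/newadsadsxk/newads03.exe
url4=
url5=hxxp://a.baidu-6661.com/newadsadsxk/newads05.exe
count=5
"""

def parse_download_list(text):
    """Return (declared_count, [(slot, url), ...]) for the [file] section.
    Empty slots are kept so gaps in the list stay visible."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    sec = cp["file"]
    count = int(sec.get("count", "0"))
    return count, [(i, sec.get(f"url{i}", "").strip()) for i in range(1, count + 1)]

def summarize(text):
    """Triage summary: declared count, live URLs, empty slot numbers and the
    distinct hosts the list pulls from (scheme refanged only for parsing)."""
    count, slots = parse_download_list(text)
    live = [u for _, u in slots if u]
    empty = [i for i, u in slots if not u]
    hosts = sorted({urlparse(u.replace("hxxp://", "http://", 1)).hostname for u in live})
    return {"declared": count, "live": len(live), "empty": empty, "hosts": hosts}

if __name__ == "__main__":
    print(summarize(SAMPLE_6666))
```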

Analysis of one of the files that 6666.txt calls (hxxp://a.baidu-6661.com/newadsadsxk/newads01.exe)

Sections ( .Upack .rsrc )
File: MS-DOS executable PE for MS Windows (GUI) Intel 80386 32-bit
Packer: Upack V0.37 -> Dwing,Upack_Patch or any Version -> Dwing,WinUpack v0.39 final (relocated image base) -> By Dwing (c)2005 (h2),
Strings:UNPACKED expl$aorer.exe
Strings:UNPACKED /cczongxz/shpost5.asp
Strings:UNPACKED /test/erge1128/post.asp
Strings:UNPACKED /cczongxz/mibao.asp
Strings:UNPACKED shcsrss.exeEvent
Strings:UNPACKED svchost.exe
Strings:UNPACKED csrss.exe
Strings:UNPACKED csrss.exeMutex
Strings:UNPACKED http://$a%s$a:%d%s?%s
Strings:UNPACKED 21$a2.103$a.11.59 passpo$art.wanmei.com
Strings:UNPACKED 212.1$a03.11.59 re$ag.163.c$aom
Strings:UNPACKED 21$a2.103.11.59 sde.ga$ame.sohu.com
Strings:UNPACKED 212.10$a3.11.59 ac$acount.ztgame.com
Strings:UNPACKED 212.103.11.59 pwd.s$ado.com
Strings:UNPACKED 2$a12.103.11.59 r$aeg.91.com
Strings:UNPACKED 21$a2.103$a.11.59 pass.kin$agsoft.com
Strings:UNPACKED 212$a.103.11.59 pa$assport.y$auyan.com
Strings:UNPACKED my.exe
Strings:UNPACKED r05022.exe
Strings:UNPACKED rundll32.exe
Size: 13083 bytes
MD5: 4375b512ce566f970d51c7ff75ae3846
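The unpacked strings above carry a simple evasion: the sequence `$a` is spliced into the text (`expl$aorer.exe`, `passpo$art.wanmei.com`) so that plain string scanners miss them. Once stripped, several of them are hosts-file entries that pin game and mail login portals to 212.103.11.59. The added script below (not part of the original post) removes the junk sequence, extracts those redirect pairs, and then checks a hosts file for entries naming any of the hijacked domains; the embedded strings and hosts file are constructed samples.

```python
import re

# Constructed sample: a few of the unpacked strings listed above, with the
# "$a" junk sequences still inside them.
SAMPLE_STRINGS = [
    "expl$aorer.exe",
    "http://$a%s$a:%d%s?%s",
    "21$a2.103$a.11.59 passpo$art.wanmei.com",
    "212.1$a03.11.59 re$ag.163.c$aom",
    "212.103.11.59 pwd.s$ado.com",
    "csrss.exeMutex",
]

# Constructed hosts file as the sample would leave it on a victim machine.
SAMPLE_HOSTS = """127.0.0.1 localhost
212.103.11.59 passport.wanmei.com
212.103.11.59 reg.163.com
"""

JUNK = "$a"
HOSTS_LINE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s+([A-Za-z0-9.-]+)$")

def deobfuscate(s):
    """Strip the inserted '$a' sequences to recover the plaintext string."""
    return s.replace(JUNK, "")

def hosts_redirects(strings):
    """Return {domain: ip} for every deobfuscated string that looks like a
    hosts-file entry; the value is the IP the sample redirects logins to."""
    out = {}
    for s in strings:
        m = HOSTS_LINE.match(deobfuscate(s))
        if m:
            out[m.group(2)] = m.group(1)
    return out

def check_hosts_file(hosts_text, redirects):
    """Return hosts-file lines that pin one of the hijacked domains; a clean
    hosts file should never carry entries for third-party login portals."""
    hits = []
    for line in hosts_text.splitlines():
        m = HOSTS_LINE.match(line.strip())
        if m and m.group(2) in redirects:
            hits.append(line.strip())
    return hits

if __name__ == "__main__":
    r = hosts_redirects(SAMPLE_STRINGS)
    print(r, check_hosts_file(SAMPLE_HOSTS, r))
```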

Anubis Report for hxxp://a.baidu-6661.com/newadsadsxk/newads01.exe

This is of course old news for many, given the ShadowServer reports and other notices about the IE7 0-day exploit. The interesting part is that this site is still active and still serving these malware samples...

- EF
