Malware collection

Forum for analysis and discussion about malware.

Re: Malware collection

Postby ikolor » Fri Jul 14, 2017 8:51 am

What is this, any scanner? Japan.

http://45.77.23.20

ikolor
 
Posts: 243
Joined: Thu Jun 05, 2014 2:20 pm
Location: Poland
Reputation point: 16

Re: Malware collection

Postby Antelox » Fri Jul 14, 2017 9:47 am

ikolor wrote:What is this, any scanner? Japan.

http://45.77.23.20


Check this one: https://ivre.rocks/

BR,

Antelox
Antelox
 
Posts: 114
Joined: Sun Mar 21, 2010 10:38 pm
Reputation point: 91

Re: Malware collection

Postby ikolor » Fri Jul 14, 2017 4:49 pm

Sorry to ask, but this scanner can show real malware code. And is it a malware script?

https://quttera.com/detailed_report/mswia.gov.pl

mswia.gov.pl/pl/batony/785%2CBezpieczny-Autobus-sprawdz-informacje-o-autobusie-lub-autokarze.html

Code:
function getCookie(d) {
    var b = d + "=";
    var a = document.cookie.split(";");
    for (var e = 0; e < a.length; e++) {
        var f = a[e].trim();
        if (f.indexOf(b) == 0) {
            return f.substring(b.length, f.length);
        }
    }
    return "false";
}
function deleteCookie(a) {
    document.cookie = a + "=;expires=Thu, 01 Jan 1970 00:00:01 GMT;";
}
function confirmAgeement() {
    var a = getCookie("cookie_agree");
    if (a == 1) {
        document.getElementById("cookie_agree").style.display = "none";
    } else {
        document.getElementById("cookie_agree").style.display = "block";
    }
}
function isCookieEnabled() {
    // setCookie is defined elsewhere on the page; it is not part of the snippet
    setCookie("cookie_enabled", "true");
    var a = getCookie("cookie_enabled");
    if (a == "true") {
        document.getElementById("show-cookies-disabled-div").style.display = "none";
    } else {
        document.getElementById("show-cookies-disabled-div").style.display = "block";
    }
}
function hideYouTube() {
    document.getElementById("you-tube-i-frame").style.display = "none";
}
function showYouTube() {
    document.getElementById("you-tube-i-frame").style.display = "block";
}
function showLoaderImage() {
    // snippet is cut off here in the original post
    var a = document.getElementById("_bezpiecznyautobusportlet_WAR_bezpiecznyautobuspor
ikolor
 
Posts: 243
Joined: Thu Jun 05, 2014 2:20 pm
Location: Poland
Reputation point: 16

Re: Malware collection

Postby ikolor » Fri Jul 14, 2017 8:37 pm

For an interesting hunt today. There was this script which does not allow you to go back in the browser. Firefox has a problem getting away. The second is a website and software that I noticed porn website owners use. I don't know why? Thanks.
https://crystal-scripts.com/


Code:
http://s-iwantyou.com/?crq=1tzRyaKTW6aml5%2FTzZHJk6mfopmP2ZKK0ZOjnXGizonW1tFvnaqoooeWoomXeFpoepvQ1tHc2aSYZJehz4iTqople5dZZaaVlJuVV2dsl1eVp5SalVdnbKdkh5allZxibGdoZJTCkZzEZGttbGfBmpGVmWaYbW2UxZmZnZ1XZ2ynY4eWpZuVWJelcX6UlNe90p6okIuE0sbOus%2BWeG5ZZKjHuNDQgomZq3zPqdG%2BqWKuhJ6VlrG0vpWWfaKrgraszsXPYq5cpKTH18mhlmdlZmRolJuWnQ%3D%3D
ikolor
 
Posts: 243
Joined: Thu Jun 05, 2014 2:20 pm
Location: Poland
Reputation point: 16

Re: Malware collection

Postby Cody Johnston » Sat Jul 15, 2017 4:09 am

ikolor wrote:Sorry to ask, but this scanner can show real malware code. And is it a malware script?

https://quttera.com/detailed_report/mswia.gov.pl

mswia.gov.pl/pl/batony/785%2CBezpieczny-Autobus-sprawdz-informacje-o-autobusie-lub-autokarze.html

Code:
function getCookie(d) {
    var b = d + "=";
    var a = document.cookie.split(";");
    for (var e = 0; e < a.length; e++) {
        var f = a[e].trim();
        if (f.indexOf(b) == 0) {
            return f.substring(b.length, f.length);
        }
    }
    return "false";
}
function deleteCookie(a) {
    document.cookie = a + "=;expires=Thu, 01 Jan 1970 00:00:01 GMT;";
}
function confirmAgeement() {
    var a = getCookie("cookie_agree");
    if (a == 1) {
        document.getElementById("cookie_agree").style.display = "none";
    } else {
        document.getElementById("cookie_agree").style.display = "block";
    }
}
function isCookieEnabled() {
    // setCookie is defined elsewhere on the page; it is not part of the snippet
    setCookie("cookie_enabled", "true");
    var a = getCookie("cookie_enabled");
    if (a == "true") {
        document.getElementById("show-cookies-disabled-div").style.display = "none";
    } else {
        document.getElementById("show-cookies-disabled-div").style.display = "block";
    }
}
function hideYouTube() {
    document.getElementById("you-tube-i-frame").style.display = "none";
}
function showYouTube() {
    document.getElementById("you-tube-i-frame").style.display = "block";
}
function showLoaderImage() {
    // snippet is cut off here in the original post
    var a = document.getElementById("_bezpiecznyautobusportlet_WAR_bezpiecznyautobuspor


This does not look like it does anything malicious to me. Probably a false positive. Also, following that link for me just redirects to the main page of the site.

The first part is just trying to find if a key/value pair exists in the cookie.

The second part is for deleting the cookie and just sets the expiry date to 1970.

The third part checks if some agreement on the site has been agreed to.

The fourth part decides whether to show a message telling you to enable cookies if they are disabled.

The fifth part hides/shows the iframe for a YouTube video, apparently. (This is probably the part they are detecting.)

The sixth part seems to show an image but is cut off, so I can't see the rest.
Cody Johnston
 
Posts: 157
Joined: Sun May 01, 2011 4:33 pm
Location: Los Angeles, CA
Reputation point: 69

Re: Malware collection

Postby heart888 » Fri Jul 21, 2017 5:12 am

heart888
 
Posts: 18
Joined: Tue Mar 01, 2016 11:04 pm
Reputation point: 15

Re: Malware collection

Postby Antelox » Fri Jul 21, 2017 10:55 am

heart888 wrote:https://www.virustotal.com/en/file/b5a2a1d443c3511440151e4c5ab2a7aea51095a2568aee72f43a3d12b9c43173/analysis/


This is NemucodAES ransomware, a multipurpose JavaScript malware capable of encrypting files (the last variant uses AES-128) as well as downloading other malware families (usually Kovter).

BR,

Antelox
Antelox
 
Posts: 114
Joined: Sun Mar 21, 2010 10:38 pm
Reputation point: 91

Re: Malware collection

Postby markusg » Sat Jul 22, 2017 3:00 am

from this pastebin account
Code:
https://pastebin.com/u/MIcrosofts

the R2 paste
SHA256:
d0c88e5d26f2f126013491a6b22667eb4abe1b3f23e5d649f39ba7706ffbd327
Filename:
d0c88e5d26f2f126013491a6b22667eb4abe1b3f23e5d649f39ba7706ffbd327....
Detection rate:
11 / 56
https://www.virustotal.com/de/file/d0c8 ... 500688070/

load this exe
Code:
http://store4.up-00.com/2017-07/150054074583631.png

https://www.virustotal.com/en/file/c460 ... /analysis/
markusg
 
Posts: 713
Joined: Mon Mar 15, 2010 2:53 pm
Reputation point: 141

Re: Malware collection

Postby Cody Johnston » Sat Jul 22, 2017 7:46 am



That is called 'RevengeRAT'

Code:
this.ID = "SGFja2VkIEJ5IEhhbGxhag==";


ID string says 'Hacked By Hallaj'

It gets the payload from pastebin: hxxps://pastebin.com/raw/UCXsTaZ8 then loads it using csc

contacts: hxxp://89.148.30.116 on port 948 for C2

2nd stage 'unpacked' here: https://www.virustotal.com/en/file/2bf7 ... 500708743/
Cody Johnston
 
Posts: 157
Joined: Sun May 01, 2011 4:33 pm
Location: Los Angeles, CA
Reputation point: 69

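As an added example from the defender's side (it is not code from the thread or from any of the posters), the following Python script decodes the base64 ID string quoted in Cody's post and checks proxy/firewall log lines for the pastebin staging URL and the C2 address given there. The log lines, their field names and the match labels are constructed for the example; the indicators themselves are the ones from the post.

```python
"""Triage helpers for the RevengeRAT indicators posted in the thread.

Added example, not code from the forum. The indicators come from the post;
the log lines and field layout below are constructed for this example.
"""
import base64
import re
from urllib.parse import urlparse

# Indicators exactly as the poster wrote them (defanged with hxxp).
DEFANGED_IOCS = [
    "hxxps://pastebin.com/raw/UCXsTaZ8",  # second-stage payload location
    "hxxp://89.148.30.116",               # C2 host
]
C2_PORT = 948                              # C2 port named in the post
ID_B64 = "SGFja2VkIEJ5IEhhbGxhag=="        # this.ID string from the sample

# Constructed sample log lines (proxy and firewall style, key=value fields).
SAMPLE_LOG_LINES = [
    "2017-07-22T03:01:10Z proxy src=10.0.0.12 dst=pastebin.com "
    "url=https://pastebin.com/raw/UCXsTaZ8 status=200",
    "2017-07-22T03:01:15Z fw src=10.0.0.12 dst=89.148.30.116 dport=948 proto=tcp action=allow",
    "2017-07-22T03:02:00Z proxy src=10.0.0.40 dst=example.org url=https://example.org/ status=200",
    "2017-07-22T03:03:00Z fw src=10.0.0.41 dst=89.148.30.116 dport=443 proto=tcp action=allow",
]


def decode_id(b64: str) -> str:
    """Decode the base64 'ID' string; strict decoding rejects malformed padding."""
    return base64.b64decode(b64, validate=True).decode("utf-8")


def refang(ioc: str) -> str:
    """Turn a defanged indicator (hxxp://, [.]) back into a matchable form."""
    ioc = re.sub(r"^hxxp(s?)://", r"http\1://", ioc, flags=re.IGNORECASE)
    return ioc.replace("[.]", ".")


def parse_kv(line: str) -> dict:
    """Parse the key=value fields of a log line into a dict."""
    return dict(m.groups() for m in re.finditer(r"(\w+)=(\S+)", line))


def scan_logs(lines, iocs=DEFANGED_IOCS, c2_port=C2_PORT):
    """Return (line_index, label) for every line touching one of the indicators.

    'stage-url'          : request for the pastebin raw payload URL
    'c2'                 : connection to the C2 host on the reported port
    'c2-host-other-port' : same host, different port (worth a look, lower confidence)
    """
    urls = [refang(i) for i in iocs]
    hosts = {urlparse(u).hostname for u in urls}
    hits = []
    for n, line in enumerate(lines):
        fields = parse_kv(line)
        url = fields.get("url", "")
        if any(url.startswith(u) for u in urls):
            hits.append((n, "stage-url"))
            continue
        if fields.get("dst") in hosts:
            port = int(fields.get("dport", 0))
            hits.append((n, "c2" if port == c2_port else "c2-host-other-port"))
    return hits


if __name__ == "__main__":
    print("ID decodes to:", decode_id(ID_B64))
    for idx, label in scan_logs(SAMPLE_LOG_LINES):
        print(f"[{label}] {SAMPLE_LOG_LINES[idx]}")
```

The host-only label exists because the thread only reports port 948; a RAT operator can change ports between builds, so a hit on the address alone is still worth a closer look rather than being dropped.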
Re: Malware collection

Postby ikolor » Sun Jul 23, 2017 2:32 pm

ikolor
 
Posts: 243
Joined: Thu Jun 05, 2014 2:20 pm
Location: Poland
Reputation point: 16
