TerrorEK


Postby sysopfb » Mon Mar 27, 2017 1:38 pm

@forty-six spotted this guy's tweets, where he released his panel source code -> @King_cobra666

Most of his tweets are random attacks at other EK systems. The 'uploader' portion from BlazeEK was sitting at 188.165.62.1 for a while; the panel calls itself Neptune, the source from the uploader calls itself Blaze, and the guy pushing it on Twitter calls it Terror. Anyway, he took down the code at 188. and replaced it with the message "Fuck off white hats", and his backend appears to have gone down, so he released his source code and an empty SQL file from, I'm assuming, his test system.

Using at least 0189 from Metasploit, which is how I found it... another shit EK dies off?
This seems appropriate

Backend was at 141.105.69.20

Funny semi-related comment from the Blaze uploader code:
"// TODO: add a security check in case panel server is compromised"


Here's the DB dump file from his backend before it went down (attached).

Re: TerrorEK

Postby p1nk » Tue Mar 28, 2017 12:51 am

8603 hits

Does anyone have payloads it was spreading?

Re: TerrorEK

Postby sysopfb » Tue Mar 28, 2017 1:50 am

p1nk wrote:8603 hits

Does anyone have payloads it was spreading?


All the payloads I went through were betabot, I'll upload some tomorrow when I'm back in the lab.

Re: TerrorEK

Postby sysopfb » Tue Mar 28, 2017 1:40 pm

Here you go. I didn't go through all of them; it looked like a bunch of garbage.

Betabots:
5851aadcaf088cf267d97e84ca45301a
7e3d5bd7a16229c5ddfd36ab52a5b055
2fa4c845ba511511da5b762a8893ab44
547b3176c269b1fb78c2ad337f033c1d
7bd79fe039d832b2b02ff4a78dc9ca87
c4a21f2754155985131669fb5521db37

newsofmyru.pw
xheaven.pw
swzgvvpnj54atkfbp6in.ru


c4a21f2754155985131669fb5521db37 downloaded Zyklon from swzgvvpnj54atkfbp6in.ru/Ldr.exe

Open directory at swzgvvpnj54atkfbp6in.ru with Zyklon panel and AgentTesla (screenshot attached).
