ProDefence Ltd

Loading...

Zeus botnet simple analysis

A little analysis of Zeus botnet.

It was done for someone to see how it works and I share it with you.

bot.exe
  • OEP: 0040DCA0
  • COMPILER: Borland Delphi 6.0 – 7.0
  • MD5: 8a849d20c0a954f45566cec53acc9263
  • SHA-1: 764c29fd18c3f3c4d9ba3fe394655f2ed2ec0c01



Injects into remote processes
Injected into “explorer.exe”
 
Drops files:
 

giep.exe

MD5: 769919e56bd4e9e1e906559c1c36bdf6
SHA-1: 39ed72d34e02e1674742cb47bbd6ebdad13f7931
Reg: HKU\S-1-5-21-2442644137-1929233181-142757687-1000\Software\Microsoft\Windows\CurrentVersion\Run\{74A201A8-2DEE-69F0-F124-27DF3D9773DA}: “C:\Users\Insider\AppData\Roaming\Qioho\giep.exe”
https://www.virustotal.com/#/file/5069bc991ff37817bb05e6bb453c9c44d22ef2719bb0d4f72a3ca30c544f040c/detection

  • Same atributes like bot.exe

Some of the processes made by the bot.exe action:
 
  • CreateFile
  • RegOpenKey
  • RegisterClass
  • CoCreate
  • CreateThread
  • RegCreateKey
  • RegSetValue
  • ProcessStarted
 
 Network traffic:
 
In the same way it is using the /POST request for sending stealed data, when the victim visits some bank account, paypal…etc.
Botnet host directory and login page:
 

H**p://xxx.xxx/adminpanel/admin.php

The remove is easy. You just have to follow the path’s to find the droped executables and delete the created registers.
No comments:

OneDrive phishing campagne

They need OneDrive accounts now...

No comments:

Silent miner backdoor - Good AV detection

One engine detected this file! Hmmmm It's easy to become a miner....just that you will not be paid. By the way... it was posted in some forum like this: "**** Silence Miner - Make a lot of money "


No comments:

The message for the winners - Scam

I told you.... one day I will be rich!!! I only have to give her my personal data. Probably I will have to pay some taxes... and some other taxes... and after all that I will be.... just scammed!


No comments:

Browser Hijack – The journey – Cybersecurity research

A new software test.
Something announced as free … but it’s not really for free.
Today I wanted to see what level of browser hijacking is running out there.
Browses hijack:
“A program changes your home page, redirects browser typos to a search engine you have never heard of or to other sites. This is annoying, popping up ads and displaying unwanted site”
So.
I have seen alot of ”good” things like: a java ”update”, winning iphones, free apps, cassino offers, games, some redirections… etc.


This code was injected in my browser.
”xxxx.rsc.cdn77.org install malicious extensions, plug-ins, ads, banner ads, pop-up ads, etc and creates mess on your browsers. Even if mistakenly you click on any ads or link then also it redirects you to some other websites. It also uses cookie and keep spy on your online activities like browsing history, mostly visited websites, login, password details, etc. The redirect virus has the ability to disable the anti-virus and other security program without your knowledge.” Source: removemalwarevirus.com

Here you can see some of the domains i visited in this journey:
  • rsc.cdn77[.]org
  • liveadexchanger[.]com
  • static.199.55.201.138.clients.your-server[.]de
  • timetrackingext.xyz
  • 2048-game[.]review
    search.findthatsearch[.]com
    findthatsearch[.]com
    minesweepx[.]com
    solitaire4u2[.]com
    tetrigame[.]com
    certifiedwinners[.]info
    wtrtr1[.]com
    ads.dlvr[.]live
    betano[.]com
    digitaldsp[.]com
    c.codeonclick[.]com
    join.pro-gaming-world[.]com
I found some extra files on my browsers… .js , .cfg and .dll.
3327329.js — ”pref(“general.config.obscure_value”, 0);pref(“general.config.filename”, “3321791.cfg”);pref(“network.proxy.type”, 2);pref(“network.proxy.autoconfig_url”, “http://unstop-access.biz/wpad.dat?cb241ce907c6857bc3c28a220ec2076437981150”);pref(“network.proxy.autoconfig_url.include_path”, true);”
3321791.js — ”pref(“general.config.obscure_value”, 0);pref(“general.config.filename”, “3327329.cfg”);pref(“network.proxy.type”, 2);pref(“network.proxy.autoconfig_url”, “http://unstop-access.biz/wpad.dat?cb241ce907c6857bc3c28a220ec2076437981150”);pref(“network.proxy.autoconfig_url.include_path”, true);”
Adware Agent – PUA.YoBrowser:
myographical.dll = sandastros.dll
  • MD5: 8ecbfcb3c062755a3d5b3851cbe98357
  • SHA-1: 5d1cccd87d0e4d81090d288d201d9c4467765513
Virus Total Report
Virus Total Graph

Fake Java Update

Virus Total Report
It is clear that it is not a pleasant trip for those who do not know how to protect themselves.
Have fun & Stay safe!!!
http://www.prodefence.org/
No comments:

Blockchain phishing… Same campaign.. new domain.

I’m happy.
If I continue so.. I will become rich …
The same blockchain phishing campaign, but with new domain.


  • h**p://ainea.pro/2891/ INFO
  • h**p://schains.org/2183/ INFO
  • h**ps://blockch.ains.im/wallet/#/login INFO
# schains.org & bliockche.info  from the other post are in the same server LWSDNS.COM.
No further details are needed ….
No comments:

Blockchain scamming and more…

Hello.
I know … I know I’m very lucky.
I was just informed that someone made a payment on my bitcoin address.
…or just a phishing email?!?

Was a Japonese puzzle games website.
Today I do not have much time, but I’ll explain briefly.
An email with mistakes and a photo with hyperlink.
Involted domains:
  • ainea.pro INFO
  • aiin.info INFO     Japonese puzzle games. Redirected to .net
  • aiin.net INFO
  • blockchain.dk INFO
  • bliockche.info INFO
Links:
  • ainea.pro/2891/…..
  • bliockche.info/2183/…
  • blockch.aiin.info/wallet/#/login

OK.
I sent him an email reply and I hope he will answer me

… and a .doc file with some info about ”me”.

We’re waiting to see if he’ll open the document. We will know if he did it because it is not a simple word document.
… you understand what I mean!
That’s all for the moment.
If we have results … I will inform you!
Have fun & Stay safe!!!

http://www.prodefence.org/blockchain-scamming-and-more/
No comments:

2x Bitcoin scam – The magic application.

People still want to believe that the money are made easy with some application and without doing anything.
Click a button and you get money.
This weakness is exploited every day.
Here is a program that promises to double the profit by pressing that magic button.



To become credible, a demonstration video is a good way.
To become super credible, you make some false accounts and comment on your post.
This is a part of social engineering and works.
At one point, he changed his name, seeing he had potential victims in many countries.


Let’s see the application.
MD5: 19d6d6f312ec00998d379eec9fe21aa9
SHA-1: a5d27b1cf43cb5dcd7feeea279b70588c5910e12
*the -1 is mine! lol
It has a certain detection but insignificant.
The application does not steal, has no backdoor …
It is created by:
…looks like it’s his real name..
(his first name in the account is another … it seems to start with an M.)
As the application configuration looks like, it seems that the users who use it,are sending the bitcoin to an address added by the programmer.

After sending, they still expect someone to send them the double amount, but they will wait a lot and without success.
And let’s not forget … this is version 6.1!?!
We could continue because he still has some programs with such schemes, but time is limited!
In conclusion … I hope that Internet users will be more careful, do not believe in the wonders promised by the unknown!


Remember:
When something is free, you are not the customer but the product!


Have fun & Stay safe!!!

http://www.prodefence.org/bitcoin-scam-the-magic-application/
No comments:

Win32/Laziok malware – Cybersecurity research

This topic it is about Win32 / Laziok malware.
It does not matter where I found it.
His hidden activity is very intense. Seeks to install itself, wants to cancel the antivirus, modify the Registry, scans for instaled softwares…etc.
The .exe file has the smss name and with the same name I found it in other AV report. Seems that was detected and named as Win32/Laziok on 01.2015 for the first time, but noone has made a clear report about it.

After running the backdoored software… the smss.exe starts running in backgound creating a good environment.
Scans the whole system to find the computer protection software.
The smss infected file it is hidden on \Application Data\System\Oracle directory, but super hidden.
Easy to ignore becouse the original smss.exe is a windows process.
Tries to connect to a server where it is located the swoleoil.co domain.
  • URL: hxxp:///http://87.121.52.228/panel/includes/verif.php
    TYPE: GET
    USER AGENT: None
  • Organization Neterra Ltd.
  • Country Bulgaria
  • Detection ratio: 43 / 67 at this moment.
  • MD5 0947e4f35f823b37fd8352e643d6cf8c
  • SHA1 79b183a761470c3e3662ab64004072c70131a815

  • hxxp://87.121.52.228/panel/includes/country.php
  • hxxp://87.121.52.228/panel/includes/idcontact.php
  • hxxp://87.121.52.228/panel/includes/post.php
  • hxxp://87.121.52.228/panel/includes/verif.php
  • hxxp://87.121.52.228/panel/includes/chromix.exe
Domain:swoleoil.co
Registrar:Key-Systems GmbH
Registration Date:2014-05-08
Expiration Date:2018-05-07
Updated Date:2017-06-22
Status:ok
Name Servers: carter.ns.cloudflare.com/gwen.ns.cloudflare.com
The server seems to be empty at this time.
That’s all about this malware.
Source:Prodefence.org
Have fun & Stay safe!
No comments:
Subscribe to: Posts (Atom)