Author Topic: martuz.cn -(95.129.145.58)  (Read 11265 times)

0 Members and 1 Guest are viewing this topic.

May 18, 2009, 09:04:53 am
Read 11265 times

SysAdMini

  • Administrator
  • Hero Member

  • Offline
  • *****

  • 3325
gumblar.cn has a successor :

martuz.cn

Code: [Select]
martuz.cn/vid/?id=0
downloads a pdf exploit
Code: [Select]
martuz.cn/vid/?id=2http://www.virustotal.com/analisis/71dcf146b308af42b4e7d51142c7bd90 3/40
BitDefender   7.2   2009.05.18   Exploit.PDF-JS.Gen
Sunbelt   3.2.1858.2   2009.05.17   Exploit.PDF-JS.Gen (v)
Symantec   1.4.4.12   2009.05.18   Bloodhound.PDF.7
http://wepawet.cs.ucsb.edu/view.php?hash=6830abddd7a716b2b4f8a93cfabc01dd&type=js

and a flash exploit
Code: [Select]
martuz.cn/vid/?id=3http://www.virustotal.com/analisis/6a529be0a99a47aec0af841b371ecb03 0/40

payload is a badly detected trojan
Code: [Select]
martuz.cn/vid/?id=10&http://www.virustotal.com/analisis/26ccc949ec81029591bbb6c33476a9de 6/40
AntiVir   7.9.0.168   2009.05.18   HEUR/Crypted.E
eSafe   7.0.17.0   2009.05.17   Suspicious File
Prevx   3.0   2009.05.18   Medium Risk Malware
Rising   21.30.01.00   2009.05.18   Trojan.Spy.Win32.Delf.dpt
Symantec   1.4.4.12   2009.05.18   Backdoor.Trojan
TrendMicro   8.950.0.1092   2009.05.18   PAK_Generic.001
http://www.threatexpert.com/report.aspx?md5=2131112053ed144c46277b9024bcf39f




Ruining the bad guy's day

May 18, 2009, 09:46:05 am
Reply #1

SysAdMini

  • Administrator
  • Hero Member

  • Offline
  • *****

  • 3325
Ruining the bad guy's day

May 18, 2009, 09:27:08 pm
Reply #2

Malware-Web-Threats

  • Special Members
  • Hero Member

  • Offline
  • *

  • 354
    • MalwareURL
Found the exploit that came with this domain


May 19, 2009, 09:11:27 pm
Reply #3

SysAdMini

  • Administrator
  • Hero Member

  • Offline
  • *****

  • 3325
Ruining the bad guy's day

May 19, 2009, 10:33:11 pm
Reply #4

Malware-Web-Threats

  • Special Members
  • Hero Member

  • Offline
  • *

  • 354
    • MalwareURL
two hours ago
http://wepawet.iseclab.org/view.php?hash=13e9dafef418b538fdb1b34144a269ec&t=1242764583&type=js

updated with new scripts:
http://wepawet.iseclab.org/view.php?hash=9944fbc2873a20af8963a3eda934ae79&t=1242771345&type=js

190.1.246.170
exe:
Code: [Select]
hxxp://ruisjop.com/liloadercdi.php?id=3536002
Wepawet
VirusTotal - 38/39 (97.44%)
Anubis

Code: [Select]
hxxp://ruisjop.com/p1d2f3.php?id=3536002
Wepawet (link)
Wepawet (pdf)
VirusTotal - 14/40 (35%)

ThreatExpert

Quote
From ANUBIS:1033 to 99.49.23.215:80 - [peskostruikaz[.]com] 
Request: GET /auq.php?d2aff5=1972515&id=14671282555627 
Response: 200 "OK" 
From ANUBIS:1035 to 72.167.131.174:80 - [johnsonbodyshop[.]com] 
Request: GET /images/logo.gif?d4c599=1992031&id=14671282555627 
Response: 200 "OK" 

Quote
hxxp://peskostruikaz.com/auq.php?211ffb=310125&id=4111362546981
hxxp://johnsonbodyshop.com/images/logo.gif?2d35a7=423265&id=4111362546981
hxxp://shopatforgetmenot.com/images/mainlogo.gif?2d6c57=425265&id=4111362546981
hxxp://corporateshelters.com/images/logo.gif?2da377=427281&id=4111362546981

May 20, 2009, 09:23:38 pm
Reply #5

SysAdMini

  • Administrator
  • Hero Member

  • Offline
  • *****

  • 3325
Ruining the bad guy's day

May 21, 2009, 02:36:22 pm
Reply #6

boston

  • Sr. Member

  • Offline
  • ****

  • 175
a fix tool:
http://jpshortstuff.247fixes.com/beta/DaonolFix.exe

btw:
could anyone explain what the function of this c:\_.e file is?
thanks a lot.

May 21, 2009, 07:11:20 pm
Reply #7

MysteryFCM

  • Administrator
  • Hero Member

  • Offline
  • *****

  • 1689
  • Personal Text
    Phishing Phanatic
    • I.T. Mate
could anyone explain what the function of this c:\_.e file is?

Not without a sample ....

/edit

Thanks to a friend (;)), it has been determined previously, that _.exe is a backdoor trojan.
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net

May 21, 2009, 07:33:39 pm
Reply #8

SysAdMini

  • Administrator
  • Hero Member

  • Offline
  • *****

  • 3325
Ruining the bad guy's day

May 21, 2009, 07:36:08 pm
Reply #9

SysAdMini

  • Administrator
  • Hero Member

  • Offline
  • *****

  • 3325
Ruining the bad guy's day

May 22, 2009, 03:48:08 pm
Reply #10

SysAdMini

  • Administrator
  • Hero Member

  • Offline
  • *****

  • 3325
Attached you find the joebox analysis report of the executable.
Ruining the bad guy's day