
Author Topic: new Malicious Domains of the malware p2p  (Read 6104 times)


December 07, 2011, 09:38:02 pm

jesuselifelet
My English is bad.

These are malicious domains that download a trojan:

hxxp://apple-iphone-5s.info/check/?f=
hxxp://codecforyou.com/check/

Every day these pages serve different Trojans that are not identified by anti-virus firms.

These pages are opened when running a malicious video (exploit video) downloaded from Ares or eMule p2p.

This is a report on a piece of malware from this page, a report from threatexpert.com:

Technical Details:

   File System Modifications

    The following files were created in the system:

#  Filename(s)                              File Size      File Hash
1  %AppData%\f6dcfecc\@                     2,048 bytes    MD5: 0x8B2AE2A4BB599B933E2CFC0FA6D9D1F3
                                                           SHA-1: 0x9970FE276FE56BA3BC2DA5CBEFA8F2928AF4CBE0
2  %AppData%\f6dcfecc\U\80000000.$          0 bytes        MD5: 0xD41D8CD98F00B204E9800998ECF8427E
   %AppData%\f6dcfecc\U\800000cb.$                         SHA-1: 0xDA39A3EE5E6B4B0D3255BFEF95601890AFD80709
   %AppData%\f6dcfecc\U\800000cf.$
3  %AppData%\f6dcfecc\X                     60,416 bytes   MD5: 0x9F15EC503A6FB22210A45323936B63D2
                                                           SHA-1: 0xC0B47D70872A8362A7DB71A8541AC6E112D4B926
4  [file and pathname of the sample #1]     363,008 bytes  MD5: 0x3E6963E23A65A38C5D565073816E6BDC
                                                           SHA-1: 0xE158E81424F57D0C07A526F30F4A444EB4738EB5

    Note:
        %AppData% is a variable that refers to the file system directory that serves as a common repository for application-specific data. A typical path is C:\Documents and Settings\[UserName]\Application Data.

    The following directories were created:
        %AppData%\f6dcfecc
        %AppData%\f6dcfecc\U
        %Windir%\$NtUninstallKB63471$

    Notes:
        %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.

 
   Registry Modifications

    The following Registry Keys were created:
        HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{e28737a6-9885-8927-b114-8a54e0fa45f0}
        HKEY_CURRENT_USER\Software\f6dcfecc

    The newly created Registry Values are:
        [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{e28737a6-9885-8927-b114-8a54e0fa45f0}]
            u = 0x0000001C
            cid = 36 EE 98 3D 97 E0 50 0E
        [HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
            Shell = "%AppData%\f6dcfecc\X"
            (so that X runs every time Windows starts)
        [HKEY_CURRENT_USER\Software\f6dcfecc]
            qid = 0x5AB41B83
            u = 0x0000001C
            id = 36 EE 98 3D 97 E0 50 0E
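The Winlogon "Shell" change above is the persistence mechanism: Windows launches whatever that value names instead of explorer.exe. The following PowerShell audit is an added example (not from the post or the ThreatExpert report) that checks the HKLM and HKCU Shell values on a host and flags anything that is not the default, with extra emphasis on paths under a user-writable profile directory such as %AppData%.

```powershell
# Added example (not from the original post): audit the Winlogon "Shell" value
# that the report above shows being repointed to %AppData%\f6dcfecc\X.
# On a clean system the HKLM value is "explorer.exe" and the HKCU value is
# normally absent; Winlogon honours HKCU only when the policy allows it, but
# a present, non-default HKCU Shell is still worth investigating.
$winlogonPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
    'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
)

function Test-WinlogonShell {
    param([string]$Path)

    $item = Get-ItemProperty -Path $Path -Name Shell -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return [pscustomobject]@{
            Path = $Path; Shell = $null; Expanded = $null
            Suspicious = $false; Reason = 'value absent (expected for HKCU)'
        }
    }

    $value = [string]$item.Shell
    # Expand %AppData% / %Windir% the way Winlogon would for a REG_EXPAND_SZ value,
    # so the report-style path "%AppData%\f6dcfecc\X" is compared in expanded form.
    $expanded = [Environment]::ExpandEnvironmentVariables($value).Trim()

    $suspicious = $true
    $reason = 'Shell is not the default explorer.exe'
    if ($expanded -ieq 'explorer.exe') {
        $suspicious = $false
        $reason = 'default'
    } elseif ($expanded -imatch '\\AppData\\|\\Temp\\|\\Local Settings\\') {
        # Matches the dropper location in the report (%AppData%\<random>\X).
        $reason = 'Shell points into a user-writable profile directory'
    }

    [pscustomobject]@{
        Path = $Path; Shell = $value; Expanded = $expanded
        Suspicious = $suspicious; Reason = $reason
    }
}

$winlogonPaths | ForEach-Object { Test-WinlogonShell -Path $_ } | Format-Table -AutoSize
```

Run it from an unprivileged session to see the HKCU value of the logged-on user; the HKLM value is readable without elevation.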

 
   Other details

    There were registered attempts to establish connection with the remote hosts. The connection details are:

    The data identified by the following URLs was then requested from the remote web server:

 
   Outbound traffic (potentially malicious)

    There was an outbound traffic produced on port 21810:

00000000 | E5AA C031 9B0F 1041 315B 7408 4D9B 39C1 | ...1...A1[t.M.9.
00000010 | A532 2743                               | .2'C

    There was an outbound traffic produced on port 22292:

00000000 | E5AA C031 7D97 452F 315B 7408 4D9B 39C1 | ...1}.E/1[t.M.9.
00000010 | AC06 3C40                               | ..<@

------------------------------------------------------------------------------------------------------------------------------------


The malware is named as follows by:
kaspersky: Trojan.Win32.Jorik.ZAccess.azz
avira:     TR/Kazy.KG
nod32:     Win32/Kryptik.WUU trojan
sophos:    Troj/Agent-UGF
etc.

December 07, 2011, 10:01:37 pm
Reply #1

SysAdMini (Administrator)
Thanks for submission and welcome to MDL.

Sample is rootkit ZeroAccess.

I have found some additional domains at same host.

http://www.malwaredomainlist.com/mdl.php?search=46.21.144.159&colsearch=IP&inactive=on


Please click "New Topic" instead of "Post new Poll" next time. Thank you.
Ruining the bad guy's day