Malware Domain List
Malware Related => Malicious Domains => Topic started by: Nachtmond on March 09, 2010, 04:01:46 pm
-
My first time contributing, so hopefully I'm following protocol correctly. :-)
Serving at least 1 verified malicious PDF: kokojamba[dot]com/a/s/files/clb[dot]pdf
Wepawet analysis:
http://wepawet.iseclab.org/view.php?hash=6b2a90f17d56ed6f4ae9a32d76331d6b&t=1268143098&type=js
Virustotal analysis:
http://www.virustotal.com/analisis/92583158104d402537de6214934d1d6a2c5086634cf0409ada6521570ada3e5f-1268100719
-
Found a similar one.
kokojamba(dot)com/a/s/files/ie.swf
Wepawet analysis:
suspicious
http://wepawet.cs.ucsb.edu/view.php?hash=1ac3b47352d0b08997f3bba7e9993f4d&type=swf
VirusTotal:
Clean
-
My first time contributing, so hopefully I'm following protocol correctly. :-)
Welcome!
Thanks for the submission.
-
http://www.cyberwart.com/blog/2010/03/09/hello-koko/
-
Domain is now: (79.171.22.190)
givechik(dot)com/k2/yakmea/aisehel.pdf
Wepawet analysis:
malicious
http://wepawet.cs.ucsb.edu/view.php?hash=cc675450ab8b0c298677fade2bd353b5&t=1268234929&type=js
-
Domain is now: (79.171.22.190)
givechik(dot)com/k2/yakmea/aisehel.pdf
Thanks. Added to list. It's a SEO Sploit Pack.
Does anybody know an active URL of magicrrt[dot]com at the same host?
http://www.phat1.com/2010/03/10/is-techcrunch-serving-malware-now/
-
I have seen this:
IP: 79.171.22.190
magicrrt(dot)com/kv1/meoff/leerymhd.pdf
Wepawet analysis:
malicious
http://wepawet.iseclab.org/view.php?hash=f682dcfd21aa1695d8cad55c19656933&t=1268197907&type=js
-
I have seen this:
IP: 79.171.22.190
magicrrt(dot)com/kv1/meoff/leerymhd.pdf
Right, but it is offline now. I found /kv1/ by Google too.
There was probably an advertisement redirecting to it.
Look here:
http://www.phat1.com/2010/03/10/is-techcrunch-serving-malware-now/
And it was probably an ad too which was directing to kokojamba.com.
Top referrers in the control panel are:
msn.foxsports.com 13464 729 5.41 %
msnbc.msn.com 13314 649 4.87 %
health.msn.com 11399 583 5.11 %
wonderwall.msn.com 11318 233 2.06 %
addictinggames.com 10327 404 3.91 %
-- 7205 481 6.68 %
ad.doubleclick.net 4307 175 4.06 %
shockwave.com 3996 170 4.25 %
zone.msn.com 3759 66 1.76 %
cnbc.com 3615 149 4.12 %
tv.msn.com 3109 94 3.02 %
my.msn.com 2951 44 1.49 %
mbd.scout.com 2293 71 3.1 %
moneycentral.msn.com 2250 47 2.09 %
music.msn.com 2103 153 7.28 %
digg.com 2098 81 3.86 %
movies.msn.com 2008 99 4.93 %
articles.moneycentral.msn.com 2006 89 4.44 %
business.com 1770 180 10.17 %
weather.msn.com 1534 26 1.69 %
mtv.com 1361 43 3.16 %
-
IP is now 79.171.22.197
fridaytr(dot)com/k3/llegiti.php
Wepawet analysis:
Suspicious -
http://wepawet.cs.ucsb.edu/view.php?hash=b3d4f43cffd20c9330f2cfad06e1ca03&t=1268323462&type=js
Virustotal:
http://www.virustotal.com/analisis/214d843bc5da252af2267eab24312e71f72d96e880b6b0a220ec388562719c53-1268318421
-
IP is now 79.171.22.197
fridaytr(dot)com/k3/llegiti.php
There are 2 SEO Sploit Packs
http://www.malwaredomainlist.com/mdl.php?search=fridaytr.com&colsearch=All&quantity=50&inactive=on