Author Topic: unknown malware (Read 3453 times)

crunchtime · July 30, 2009, 05:52:28 pm

Not sure what this one accomplishes but its something nasty:
hxxp://cbbugltjud.com/progs/xfcgtyylqd/iejwn

The domains IP points to some additional domains that just scream sketchy:
cbbugltjud.com    A    195.2.253.240
www.cbbugltjud.com    A    195.2.253.240
cabkyykbbg.com    A    195.2.253.240
ccmguyldmn.com    A    195.2.253.240
cddcrjuwwz.com    A    195.2.253.240

MysteryFCM: Defanged www. domain ....

MysteryFCM · July 30, 2009, 09:37:28 pm

URL leads to an executable ........ looks like a rootkit infection according to the VT results;

http://www.virustotal.com/analisis/1803bca1ce2f4480746eeb6f6fca22623c226d14e92185f5caf529189656f2e4-1248990199

MysteryFCM · July 30, 2009, 09:44:57 pm

https://anubis.iseclab.org/?action=result&task_id=15fd13e266c663f2465e9c08352592acc

ocean · August 01, 2009, 12:29:53 am

from a quick analysis: it decrypts (TEA) a downloader in memory, uses an "internal PE loader" (that's why it uses kernel32.dll i think) and call the downloader. that download other executables from some online location (there are two locations possible haven't checked how it chooses one of these).

Code: [Select]

cbbugltjud.com
dbicrgzykf.net

which are known malware domains.

generate id and p as post parameters to uniq.php page but i haven't got an executble so far.

regards
ocean

Author Topic: unknown malware (Read 3453 times)

crunchtime

unknown malware

MysteryFCM

Re: unknown malware

MysteryFCM

Re: unknown malware

ocean

Re: unknown malware