Mr Clean's dirt

[Mr Clean]

Code: [Select]

http://chezswing.com/jr/prop5.jpg

when is a jpg not a jpeg?
$ file prop5.jpg
prop5.jpg: PE executable for MS Windows (GUI) Intel 80386 32-bit

http://www.virustotal.com/analisis/58ba1e765843fc145cfcd922852f44ba

[Mr Clean]

Code: [Select]

hxxp://buidnote.com/nates/?h=9ag0?892bd46e0100f07002da639a9a060000000002c15031930001040900000000170

FYI Referrer was : http://ads.svx.adbrite.com/adserver/display_iab_ads.php?

http://www.virustotal.com/analisis/a3e53d33dd932f6a03fa227527201ffd
http://anubis.iseclab.org/?action=result&task_id=1d6b8b07b6f467394215282c531f2e5d6

[Mr Clean]

Code: [Select]

hxxp://79.117.131.32/pid=12100/type=videxp/setup.exe

Referrer = http://easter-egg-design-funny.diwyze.net/


http://www.virustotal.com/analisis/4f2e05693c24f10f714faba2295f9f4b
http://anubis.iseclab.org/?action=result&task_id=1aef76ba4318b1dd455f0eddf12bbf514


It looks like easter-egg-design-funny.diwyze.net lives in one of *those* neighbourhoods, look what lives just 2 doors down
http://www.malwaredomainlist.com/mdl.php?search=206.51.236&colsearch=All&quantity=50

[Mr Clean]

Code: [Select]

hxxp://www.sftcp.cn/qy.exe
same file different name
hxxp://www.sftcp.cn/tt.exe

http://www.virustotal.com/analisis/3ecb2e67a01872eef56442a3a01e7ea0
http://www.threatexpert.com/report.aspx?md5=966240056a38ac41c9f923ff251600a1

Code: [Select]

$ dig www.sftcp.cn +short
qqaa.9966.org.                 <--  gee that look's familiar
121.14.154.4


[SysAdMini]

Code: [Select]

hxxp://79.117.131.32/pid=12100/type=videxp/setup.exe

Referrer = http://easter-egg-design-funny.diwyze.net/



There are more easter eggs.

When I look at

Code: [Select]

easter-egg-design-funny.diwyze.net/scripts.js
there is an obfuscated iframe to

Code: [Select]

zodune.info/search.php?q=easter+egg+design+funny
redirects to

Code: [Select]

inetsecuritycenter.com/index.php?c=0&e=0&affid=08064

[Mr Clean]

Code: [Select]

hxxp://79.117.131.32/pid=12100/type=videxp/setup.exe

Referrer = http://easter-egg-design-funny.diwyze.net/



There are more easter eggs.

When I look at

Code: [Select]

easter-egg-design-funny.diwyze.net/scripts.js
there is an obfuscated iframe to

Code: [Select]

zodune.info/search.php?q=easter+egg+design+funny
redirects to

Code: [Select]

inetsecuritycenter.com/index.php?c=0&e=0&affid=08064

Code: [Select]

$ dig inetsecuritycenter.com +short
209.44.126.14    <---   has been on my naught list for quite some time now

http://www.malwaredomainlist.com/mdl.php?search=209.44.126&colsearch=All&quantity=50

[Mr Clean]

Code: [Select]

hxxp://79.117.131.32/pid=12100/type=videxp/setup.exe

Referrer = http://easter-egg-design-funny.diwyze.net/



There are more easter eggs.

When I look at

Code: [Select]

easter-egg-design-funny.diwyze.net/scripts.js
there is an obfuscated iframe to

Code: [Select]

zodune.info/search.php?q=easter+egg+design+funny
redirects to

Code: [Select]

inetsecuritycenter.com/index.php?c=0&e=0&affid=08064

Code: [Select]

$ dig inetsecuritycenter.com +short
209.44.126.14    <---   has been on my naught list for quite some time now

http://www.malwaredomainlist.com/mdl.php?search=209.44.126&colsearch=All&quantity=50

Oh goodie, PDF's too!!!!

Code: [Select]

http://79.117.131.32/pid=12100/type=videxp/spl/pdf.pdf

I can't download it now but the intent is implied.

ok, let's throw some dirt over top of this one and call it dead

[Mr Clean]

Code: [Select]

http://www.yutergfrg.cn/1.exe
http://www.virustotal.com/analisis/d61c4992c075cf3f164907a3f08b8aa4

Code: [Select]

http://www.asdfgsdfgsdf.cn/0330.exe
http://www.virustotal.com/analisis/0b26015cbfd6f1b00299cd5dedeefd38

Code: [Select]

http://www.arhjfgjdrf.cn/new.txt

contains:
open=y
url1= http://www.yutergfrg.cn/1.exe
url2= http://www.yutergfrg.cn/2.exe
url3= http://www.yutergfrg.cn/3.exe
url4= http://www.yutergfrg.cn/4.exe
url5= http://www.yutergfrg.cn/5.exe
url6= http://www.yutergfrg.cn/6.exe
url7= http://www.yutergfrg.cn/7.exe
url8= http://www.yutergfrg.cn/8.exe
url9= http://www.yutergfrg.cn/9.exe
url10= http://www.yutergfrg.cn/10.exe
url11= http://www.yutergfrg.cn/11.exe
url12= http://www.yutergfrg.cn/12.exe
url13= http://www.yutergfrg.cn/13.exe
url14= http://www.yutergfrg.cn/14.exe
url15= http://www.yutergfrg.cn/15.exe
url16= http://www.yutergfrg.cn/16.exe
url17= http://www.yutergfrg.cn/17.exe
url18= http://www.yutergfrg.cn/18.exe
url19= http://www.yutergfrg.cn/19.exe
url20= http://www.yutergfrg.cn/20.exe
url21= http://www.yutergfrg.cn/21.exe
url22= http://www.yutergfrg.cn/22.exe
url23= http://www.yutergfrg.cn/23.exe
url24= http://www.yutergfrg.cn/24.exe
url25= http://www.yutergfrg.cn/25.exe
url26= http://www.yutergfrg.cn/26.exe
url27= http://www.yutergfrg.cn/27.exe
url28= http://www.yutergfrg.cn/28.exe
url29= http://www.yutergfrg.cn/29.exe
url30= http://www.yutergfrg.cn/30.exe
url31= http://www.yutergfrg.cn/31.exe
url32= http://www.yutergfrg.cn/32.exe
url33= http://www.yutergfrg.cn/33.exe
url34= http://www.yutergfrg.cn/34.exe
url35= http://www.yutergfrg.cn/35.exe


Code: [Select]

$ dig www.asdfgsdfgsdf.cn +short
222.186.25.35

$ dig www.yutergfrg.cn +short
222.186.25.35

$ dig www.arhjfgjdrf.cn +short
222.186.25.35

$ dig www.yutergfrg.cn +short
222.186.25.35


http://www.bfk.de/bfk_dnslogger.html?query=222.186.25.35

[Mr Clean]

Code: [Select]

hxxp://dsafsa.daslxzcewralrocjn.cn/9.exe

$ dig dsafsa.daslxzcewralrocjn.cn +short
222.76.210.14

http://www.virustotal.com/analisis/460816a185773ade10a3bb04645f2c3f

[Mr Clean]

Code: [Select]

http://www.999mimi.net/QvodSetup3.exe

$ dig www.999mimi.net +short
208.98.13.131

http://www.virustotal.com/analisis/df61e99e65c43ec29c2eb1d91f72642c

[Mr Clean]

Code: [Select]

http://www.991uu.net/97fbq.exe

$ dig www.991uu.net +short
208.98.4.100

http://www.virustotal.com/analisis/df61e99e65c43ec29c2eb1d91f72642c

[sowhat-x]

Code:

hxxp://dsafsa.daslxzcewralrocjn.cn/9.exe

$ dig dsafsa.daslxzcewralrocjn.cn +short
222.76.210.14

http://www.virustotal.com/analisis/460816a185773ade10a3bb04645f2c3f

Now the guy who came up with this one,should really be something special...this sample certainly represents a unique case of ultimate stupidity.
Haven't properly analysed it as i'm not in front of a vm in the moment,i merely extracted the svchostr.exe and unpacked it...the results at VirusTotal:
http://www.virustotal.com/analisis/715b9f20ecd3b61ecfec3cd9f6c85f4e
So why the heck did he put himself in so much trouble in the first place...only god knows,lmao.... 

Here's the Anubis report as well:
http://anubis.iseclab.org/?action=result&task_id=12c7b74b4f8f197e4618d48d794c1802a&format=html

9.buzhidaoganshenmeyong.cn/bGetIp.aspx  -> GET
9.buzhidaoganshenmeyong.cn/BaiduClickerClient.asmx  -> POST

[SysAdMini]

ction=result&task_id=12c7b74b4f8f197e4618d48d794c1802a&format=html

9.buzhidaoganshenmeyong.cn/bGetIp.aspx  -> GET
9.buzhidaoganshenmeyong.cn/BaiduClickerClient.asmx  -> POST

Look at

Code: [Select]

9.buzhidaoganshenmeyong.cn/BaiduClickerClient.asmx
it gives you some functions.

[Mr Clean]

Code: [Select]

http://fullandtotalsecurity.com/js/jquery.js
http://fullandtotalsecurity.com/js/jquery-init.js
http://fullandtotalsecurity.com/images/alert.gif
http://fullandtotalsecurity.com/js/flist.js
http://fullandtotalsecurity.com/images/page_progressbar.gif
http://fullandtotalsecurity.com/images/i5000000.gif
http://fullandtotalsecurity.com/images/i1000000.gif
http://fullandtotalsecurity.com/images/i7000000.gif
http://fullandtotalsecurity.com/images/hdd.gif
http://fullandtotalsecurity.com/images/inf20000.gif
http://fullandtotalsecurity.com/images/i3000000.gif
http://fullandtotalsecurity.com/images/i4000000.gif
http://fullandtotalsecurity.com/images/qicon.gif
http://fullandtotalsecurity.com/images/window1.gif
http://fullandtotalsecurity.com/images/box_top_.gif
http://fullandtotalsecurity.com/images/progressbar.gif
http://fullandtotalsecurity.com/images/progressbar_green.gif
http://fullandtotalsecurity.com/images/hrline.gif
http://fullandtotalsecurity.com/images/i6000000.gif
http://fullandtotalsecurity.com/images/folder.gif

this one downloads the goodie
http://fullandtotalsecurity.com/download.php?affid=08043

$ dig fullandtotalsecurity.com +short
209.44.126.14


lot's of familiar family members
http://www.bfk.de/bfk_dnslogger.html?query=209.44.126.14

http://www.virustotal.com/analisis/b4ac2c66ddafca750b6adb7b0f4df84b
http://anubis.iseclab.org/?action=result&task_id=1173a2eece2951344a55bceade7e243a5

Code: [Select]

http://fullandtotalsecurity.com/install/ws.zip

$ unzip ws.zip
Archive:  ws.zip
  inflating: av.exe                 
  inflating: av.glu               
http://anubis.iseclab.org/?action=result&task_id=1f28d0fb468064264e118044b82e88cd4

http://www.virustotal.com/analisis/34ced6dce2a472fb933b738f735be320
http://www.virustotal.com/analisis/51a3c3ca22b080655c2332e8e06e5636

[MysteryFCM]

lot's of familiar family members
http://www.bfk.de/bfk_dnslogger.html?query=209.44.126.14

BFK must be out of date - most of those seem to be failing to resolve atm;

http://hosts-file.net/misc/hpObserver_-_209.44.126.14.html