40e80014.... what is going on here?

tjs:
Does anyone know what is going on with these:

208.66.195.15/40e8001430303030303030303030303030303030303031306c0000004d66000000007600000002
208.66.195.71/40e8001430303030303030303030303030303030303031306c0000008766000000017600000002
208.66.194.180/40e8001430303030303030303030303030303030303031306c0000003c66000000007600000002
208.66.195.165/40e8001430303030303030303030303030303030303031306c0000004d66000000007600000002

I've noticed that by changing bits in the param, you get different malware. Sometimes you get duplicates, sometimes not. I've never gotten two different samples by passing the same param, and that applies to the different IPs.

Does anyone know what this is about? What is with the weird parameters? Does anyone have any clues about what these IPs are used for and how they work???


--- Code: ---seg000:0101                 call    near ptr 1504h
seg000:0104                 xor     [bx+si], dh
seg000:0106                 xor     [bx+si], dh
seg000:0108                 xor     [bx+si], dh
seg000:010A                 xor     [bx+si], dh
seg000:010C                 xor     [bx+si], dh
seg000:010E                 xor     [bx+si], dh
seg000:0110                 xor     [bx+si], dh
seg000:0112                 xor     [bx+si], dh
seg000:0114                 xor     [bx+si], dh
seg000:0116                 xor     [bx+si], si
seg000:0118                 insb

--

seg000:0100  40 E8 00 14 30 30 30 30  30 30 30 30 30 30 30 30  @F.000000000000
seg000:0110  30 30 30 30 30 30 31 30  6C 00 00 00 4D 66 00 00  00000010l...Mf..
seg000:0120  00 00 76 00 00 00 02                              ..v...
--- End code ---

Thanks,
tjs
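
An added triage helper for the URLs quoted above (my code, not from anyone in the thread): it hex-decodes the path, checks it against the fixed 39-byte template visible in the dump, and pulls out the 15 trailing bytes that differ between samples so URLs can be grouped by variant without fetching anything. The reading of those trailing bytes as one-letter tags (l, f, v) each followed by a 32-bit big-endian value is my guess from the byte layout, not something the thread establishes.

```python
from urllib.parse import urlparse

# Fixed prefix shared by every URL quoted in the thread: 40 E8 00 14, eighteen
# ASCII '0', then "10". Only the last 15 bytes differ between samples.
FIXED_PREFIX = bytes.fromhex("40e80014") + b"0" * 18 + b"10"
TOTAL_LEN = 39  # every quoted path decodes to exactly 39 bytes

# URLs copied from the posts above (a defanged one included)
SAMPLE_URLS = [
    "208.66.195.15/40e8001430303030303030303030303030303030303031306c0000004d66000000007600000002",
    "hxxttp://208.66.195.71/40e8001430303030303030303030303030303030303031306c0000008766000000017600000002",
    "208.66.194.180/40e8001430303030303030303030303030303030303031306c0000003c66000000007600000002",
]

def _parsed(url):
    # urlparse needs a scheme to split host from path; a defanged scheme works too
    return urlparse(url if "://" in url else "http://" + url)

def decode_path(url):
    """Return the raw bytes hex-encoded in the URL path, or None if it is not hex."""
    try:
        return bytes.fromhex(_parsed(url).path.lstrip("/"))
    except ValueError:
        return None

def parse_tail(tail):
    """Assumption (my reading of the dump, not established in the thread): the
    tail is a run of one-letter tags, each followed by a 32-bit big-endian
    value, e.g. tag 'l' followed by 00 00 00 4d -> {'l': 0x4d}."""
    if len(tail) % 5:
        raise ValueError("truncated tag/value pair")
    return {chr(tail[i]): int.from_bytes(tail[i + 1:i + 5], "big")
            for i in range(0, len(tail), 5)}

def triage(url):
    """Check one URL against the template and pull out the varying fields."""
    raw = decode_path(url)
    if raw is None or len(raw) != TOTAL_LEN or not raw.startswith(FIXED_PREFIX):
        return {"url": url, "matches_template": False}
    return {"url": url, "matches_template": True,
            "host": _parsed(url).hostname,
            "fields": parse_tail(raw[len(FIXED_PREFIX):])}

def group_by_variant(urls):
    """Map each distinct (tag, value) set to the hosts that served it."""
    groups = {}
    for u in urls:
        r = triage(u)
        if r["matches_template"]:
            groups.setdefault(tuple(sorted(r["fields"].items())), set()).add(r["host"])
    return groups
```

Feeding honeypot or proxy logs through group_by_variant shows which hosts serve which variant values, which is what the observation above (same param, same sample; different param, different sample) suggests is worth tracking.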

tjs:
Examples:

All malware. You can generate all sorts of random URLs and get unique malware :S

andrewmccain:
I'm wondering the same thing. I posted links like these at http://www.malwaredomainlist.com/forums/index.php?topic=1578.0

Since then my honeypot has found these URLs...

andrewmccain:
Might as well mention I first started seeing these URLs 2 weeks ago.

First discovered on 'ThePlanet'


--- Code: ---http://207.218.237.82/40e8001430303030303030303030303030303030303031306c0000005866000000007600000002
http://74.53.251.34/40e8001430303030303030303030303030303030303031306c0000005866000000007600000002
http://75.125.207.50/40e8001430303030303030303030303030303030303031306c0000005866000000007600000002
http://75.125.207.82/40e8001430303030303030303030303030303030303031306c0000005866000000007600000002
--- End code ---

URLs were reported and disabled.

andrewmccain:
If you search those IPs on threatexpert.com, you get some reports of malware downloading these URLs.

Here's one example...
http://www.threatexpert.com/reports.aspx?find=208.66.195.15&x=0&y=0
