Gorynych/DiamondFox (hosted in Hungary, Budapest, Doclerweb Kft)

Thanks to Xylitol for panels and executables.



Panels:

hxxp://computergraphics.in/
hxxp://my-right.fr/
hxxp://bntnl.com/

Files:
PO_37263_pdf.com > bntnl.com/Diamond/Panel/post.php?pl=&slots=1 HTTP/1.1

Xylitol posted a video showing the vulnerability in the panel.


Now the ruski behind this shit updated the panel.

Hosting info:
http://whois.domaintools.com/80.77.123.90

KUKU v4.08 beta (malware hosted in Germany, Dortmund, 1&1 Internet AG)

Another version of this malware; some of the domains have changed.

Domain                      IP
makemegood24.com            213.165.83.176
1453eea.makemegood24.com    74.208.153.9
aaakemegood24.com           146.148.34.125
ww11.aaakemegood24.com      166.78.106.200
abakemegood24.com           50.21.181.152
acakemegood24.com           74.208.164.166
adakemegood24.com           74.208.153.9
aeakemegood24.com           87.106.20.192
afakemegood24.com
perfectchoice1.com          193.166.255.171
1459e2b.perfectchoice1.com  193.166.255.171


All hosts:

74.208.164.166
87.106.253.18
54.210.47.225
166.78.106.200
87.106.20.192
213.165.83.176
87.106.250.34
193.166.255.171

URLs:

http://1453eea.makemegood24.com/?1453eea=21315306&id=212331279066

GET /?1453eea=21315306&id=212331279066 HTTP/1.1
User-Agent: KUKU v4.08 beta =212331279066
Host: 1453eea.makemegood24.com
Cache-Control: no-cache

http://perfectchoice1.com/?1459c9a=21339290&id=212331279066

GET /?1459c9a=21339290&id=212331279066 HTTP/1.1
User-Agent: KUKU v4.08 beta =212331279066
Host: perfectchoice1.com
Cache-Control: no-cache

http://aaakemegood24.com/?14540b7=21315767&id=212331279066

GET /?14540b7=21315767&id=212331279066 HTTP/1.1
User-Agent: KUKU v4.08 beta =212331279066
Host: aaakemegood24.com
Cache-Control: no-cache

http://adakemegood24.com/?14547fd=21317629&id=212331279066

GET /?14547fd=21317629&id=212331279066 HTTP/1.1
User-Agent: KUKU v4.08 beta =212331279066
Host: adakemegood24.com
Cache-Control: no-cache

http://acakemegood24.com/?145454a=21316938&id=212331279066

GET /?145454a=21316938&id=212331279066 HTTP/1.1
User-Agent: KUKU v4.08 beta =212331279066
Host: acakemegood24.com
Cache-Control: no-cache

http://ww11.aaakemegood24.com/

GET / HTTP/1.1
User-Agent: KUKU v4.08 beta =212331279066
Connection: Keep-Alive
Cache-Control: no-cache
Host: ww11.aaakemegood24.com

http://abakemegood24.com/?1454374=21316468&id=212331279066

GET /?1454374=21316468&id=212331279066 HTTP/1.1
User-Agent: KUKU v4.08 beta =212331279066
Host: abakemegood24.com
Cache-Control: no-cache

Sample here


Hosting info:
http://whois.domaintools.com/213.165.83.176

gohome.cathosting.ninja (IRC botnet hosted in the Netherlands, Roosendaal, Nforce Entertainment B.V.)

Thanks to the anonymous guy who sent me the executable.

Domain the bot uses to reach the server: gohome.cathosting.ninja
IRC connection: 188.209.49.76:6667

Files downloaded by the bot:

URL: hxxp://sunnyamk.com/biox.exe
URL: hxxp://sunnyamk.com/11111111111111111111111111111111111111111.exe
URL: hxxp://sunnyamk.com/qVQLzrpnA7D1X3KwCPse4y00hP6aHIXyiQiyyhlX.exe

All domains:

Domain                   Address         Country
www.sunnyamk.com         188.209.49.76   Romania
sunnyamk.com             188.209.49.76   Romania
gohome.cathosting.ninja  188.209.49.76   Romania

Samples here.

More on video

http://postimg.org/image/whd5v4zhh/




jdsiwiqweiqwyreqwi.com (maybe Pony)

Contacted domains:
    "34324325kgkgfkgf.com"
    "dsffdsk323721372131.com"
    "fdshjfsh324332432.com"
    "jdsiwiqweiqwyreqwi.com"

Runs shell commands:
    "cmd /c C:\Users\PSPUBWS\AppData\Local\Temp\243765.bat" "C:\38650f5c2beb183eaaba236d1b576c255a9be49af34db85705bed16d23ea11" on 2015-6-6.13:57:14.679

Dropped files:
    "UserInfo.dll" has type "PE32 executable (DLL) (GUI) Intel 80386, for MS Windows"
    "17 The Notorious B.I.G. - Suicidal Thoughts.flac" has type "data"
    "subtleties.dll" has type "PE32 executable (DLL) (GUI) Intel 80386, for MS Windows"
    "243765.bat" has type "ASCII text, with CRLF, CR line terminators"

Checks on FTP client related files:
    "" opened file "C:\Program Files\Common Files\Ipswitch\WS_FTP\" (DesiredAccess: 1048577, OpenOptions: 16417)
    "" opened file "C:\Users\PSPUBWS\AppData\Roaming\SmartFTP\" (DesiredAccess: 1048577, OpenOptions: 16417)
    "" opened file "C:\ProgramData\SmartFTP\" (DesiredAccess: 1048577, OpenOptions: 16417)
    "" opened file "C:\Users\PSPUBWS\AppData\Local\SmartFTP\" (DesiredAccess: 1048577, OpenOptions: 16417)

Hosting info:

KUKU406beta (password-stealing malware hosted in Germany, Dortmund, 1&1 Internet AG)

This is spreading through torrents and cracks and looks like a password stealer.

Domains and IPs used:

Domain                      IP
makemegood24.com            213.165.83.176
e710e2.makemegood24.com     87.106.20.192
aaakemegood24.com           146.148.34.125
ww11.aaakemegood24.com      166.78.106.200
abakemegood24.com           74.208.153.9
acakemegood24.com           87.106.20.192
adakemegood24.com           213.165.83.176
aeakemegood24.com           74.208.164.166
afakemegood24.com
perfectchoice1.com          193.166.255.171
e71ec5.perfectchoice1.com   193.166.255.171
bparfectchoice1.com         109.74.196.143
bpbrfectchoice1.com         87.106.20.192
bpcrfectchoice1.com         52.28.3.6
bpdrfectchoice1.com
bperfectchoice1.com         52.28.3.6
bpfrfectchoice1.com
cash-ddt.net                87.106.20.192
e7ce24.cash-ddt.net         87.106.253.18
ccaah-ddt.net               50.21.181.152


HTTP requests:

http://adakemegood24.com/?e718b5=15145141&id=150819103501

GET /?e718b5=15145141&id=150819103501 HTTP/1.1
User-Agent: KUKU v4.08 beta =150819103501
Host: adakemegood24.com
Cache-Control: no-cache

http://ww11.aaakemegood24.com/

GET / HTTP/1.1
User-Agent: KUKU v4.08 beta =150819103501
Connection: Keep-Alive
Cache-Control: no-cache
Host: ww11.aaakemegood24.com

http://bpcrfectchoice1.com/?e778fb=15169787&id=150819103501

GET /?e778fb=15169787&id=150819103501 HTTP/1.1
User-Agent: KUKU v4.08 beta =150819103501
Host: bpcrfectchoice1.com
Cache-Control: no-cache

http://bpbrfectchoice1.com/?e77710=15169296&id=150819103501

GET /?e77710=15169296&id=150819103501 HTTP/1.1
User-Agent: KUKU v4.08 beta =150819103501
Host: bpbrfectchoice1.com
Cache-Control: no-cache

http://e710e2.makemegood24.com/?e710e2=15143138&id=150819103501

GET /?e710e2=15143138&id=150819103501 HTTP/1.1
User-Agent: KUKU v4.08 beta =150819103501
Host: e710e2.makemegood24.com
Cache-Control: no-cache

http://e7ce24.cash-ddt.net/?e7ce24=15191588&id=150819103501

GET /?e7ce24=15191588&id=150819103501 HTTP/1.1
User-Agent: KUKU v4.08 beta =150819103501
Host: e7ce24.cash-ddt.net
Cache-Control: no-cache

http://aeakemegood24.com/?e71b18=15145752&id=150819103501

GET /?e71b18=15145752&id=150819103501 HTTP/1.1
User-Agent: KUKU v4.08 beta =150819103501
Host: aeakemegood24.com
Cache-Control: no-cache

http://aaakemegood24.com/?e712af=15143599&id=150819103501

GET /?e712af=15143599&id=150819103501 HTTP/1.1
User-Agent: KUKU v4.08 beta =150819103501
Host: aaakemegood24.com
Cache-Control: no-cache

http://bperfectchoice1.com/?e77a6d=15170157&id=150819103501

GET /?e77a6d=15170157&id=150819103501 HTTP/1.1
User-Agent: KUKU v4.08 beta =150819103501
Host: bperfectchoice1.com
Cache-Control: no-cache

http://perfectchoice1.com/?e71d21=15146273&id=150819103501

GET /?e71d21=15146273&id=150819103501 HTTP/1.1
User-Agent: KUKU v4.08 beta =150819103501
Host: perfectchoice1.com
Cache-Control: no-cache

http://acakemegood24.com/?e71757=15144791&id=150819103501

GET /?e71757=15144791&id=150819103501 HTTP/1.1
User-Agent: KUKU v4.08 beta =150819103501
Host: acakemegood24.com
Cache-Control: no-cache

http://abakemegood24.com/?e71562=15144290&id=150819103501

GET /?e71562=15144290&id=150819103501 HTTP/1.1
User-Agent: KUKU v4.08 beta =150819103501
Host: abakemegood24.com
Cache-Control: no-cache

http://makemegood24.com/?e70e4d=15142477&id=150819103501

GET /?e70e4d=15142477&id=150819103501 HTTP/1.1
User-Agent: KUKU v4.08 beta =150819103501
Host: makemegood24.com
Cache-Control: no-cache
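Every KUKU check-in captured above (in both KUKU sections) has the same shape: a fixed User-Agent of `KUKU v4.08 beta =<bot id>`, and, except for the bare `GET /` to ww11.aaakemegood24.com, a query string `/?<hex token>=<number>&id=<bot id>` where the id repeats the one in the User-Agent. That makes the beacon easy to spot in proxy or IDS captures. The script below is an added example, not code from the post or from any of the tools mentioned; it parses raw HTTP request text, matches the User-Agent and query pattern, checks the two ids against each other, and flags whether the Host is one of the domains listed in this post. The sample requests are constructed from the captures above plus one benign request; the `registrable()` helper assumes plain two-label domains like those on the page.

```python
import re
from dataclasses import dataclass
from typing import Optional

# C2 domains copied from the two KUKU sections of the post.
KUKU_DOMAINS = {
    "makemegood24.com", "aaakemegood24.com", "abakemegood24.com",
    "acakemegood24.com", "adakemegood24.com", "aeakemegood24.com",
    "afakemegood24.com", "perfectchoice1.com", "bparfectchoice1.com",
    "bpbrfectchoice1.com", "bpcrfectchoice1.com", "bpdrfectchoice1.com",
    "bperfectchoice1.com", "bpfrfectchoice1.com", "cash-ddt.net",
    "ccaah-ddt.net",
}

# User-Agent seen in every captured request: "KUKU v4.08 beta =<bot id>"
UA_RE = re.compile(r"^KUKU v(?P<ver>[\d.]+) beta =(?P<id>\d+)$")
# Query string shape seen in the captures: /?<hex token>=<number>&id=<bot id>
QUERY_RE = re.compile(r"^/\?(?P<token>[0-9a-f]+)=(?P<num>\d+)&id=(?P<id>\d+)$")


@dataclass
class Beacon:
    host: str
    path: str
    bot_id: str
    known_domain: bool   # Host matches a domain from the post
    id_mismatch: bool    # query id differs from the User-Agent id


def parse_request(raw: str):
    """Split raw HTTP request text into (method, target, headers); header names lowercased."""
    lines = raw.strip().splitlines()
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, target, headers


def registrable(host: str) -> str:
    """Reduce e.g. 1453eea.makemegood24.com to makemegood24.com.
    Assumption: two-label domains only, as on the page (no multi-part TLDs)."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:])


def detect_kuku(raw: str) -> Optional[Beacon]:
    """Return a Beacon if the request carries the KUKU User-Agent, else None."""
    _method, target, headers = parse_request(raw)
    ua = UA_RE.match(headers.get("user-agent", ""))
    if ua is None:
        return None
    host = headers.get("host", "")
    q = QUERY_RE.match(target)
    # The bare "GET /" check-in carries the id only in the User-Agent,
    # so a missing query string is not treated as a mismatch.
    mismatch = q is not None and q.group("id") != ua.group("id")
    return Beacon(host=host, path=target, bot_id=ua.group("id"),
                  known_domain=registrable(host) in KUKU_DOMAINS,
                  id_mismatch=mismatch)


def scan(requests):
    """Run detect_kuku over a list of raw requests and keep the hits."""
    return [b for b in (detect_kuku(r) for r in requests) if b is not None]


# Constructed sample input: two requests copied from the captures above, one benign.
SAMPLE_REQUESTS = [
    "GET /?1453eea=21315306&id=212331279066 HTTP/1.1\r\n"
    "User-Agent: KUKU v4.08 beta =212331279066\r\n"
    "Host: 1453eea.makemegood24.com\r\n"
    "Cache-Control: no-cache\r\n",
    "GET / HTTP/1.1\r\n"
    "User-Agent: KUKU v4.08 beta =150819103501\r\n"
    "Connection: Keep-Alive\r\n"
    "Cache-Control: no-cache\r\n"
    "Host: ww11.aaakemegood24.com\r\n",
    "GET /index.html HTTP/1.1\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "Host: example.org\r\n",
]

if __name__ == "__main__":
    for beacon in scan(SAMPLE_REQUESTS):
        print(beacon)
```

The User-Agent match alone is enough to raise an alert; the domain list and the id comparison are there so a hit can be triaged quickly (known infrastructure vs. a domain not yet on the list, and a bot id that does not line up, which would suggest a different build or a replayed request).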

Get files here and here

Hosting info: