Resolved a.loader.ws to 198.144.121.130
Andromeda
Server: a.loader.ws
Gate file: /ad/image.php
Plugins:
  Rootkit: http://a.loader.ws/ad/r.pack
  Socks: http://a.loader.ws/ad/s.pack
  Formgrabber: http://a.loader.ws/ad/f.pack
  Formgrabber gate file: /ad/fg.php
Multilocker
Server: a.loader.ws
Gate file: /l/lending/tds.php
UPDATE:
New domain used by the attacker:
Resolved [j87gyuh7uh.org] to [37.143.12.145]; the rest (file paths etc.) is the same.
Two more domains from the same actor, not activated yet:
j87gyuh7uh.org
fvfvtrvrtv5fg.org
Hosting info: http://whois.domaintools.com/198.144.121.130
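The hosts, IPs and gate/plugin paths above are the kind of indicators you feed straight into proxy-log hunting. The script below is an added example, not part of the original post: it matches constructed proxy log lines against the listed indicators and grades each hit. The indicator values are the ones on this page; the log format (timestamp, client IP, method, URL, status) and the log lines themselves are assumptions made up for the example. A path match on an unlisted host is flagged low rather than dropped, because the UPDATE shows the same file layout moving to a new domain.

```python
"""Added example (not the original post's code): match the Andromeda /
Multilocker indicators listed in the post against proxy log lines.

Indicator values come from the post; the log format and sample log lines
are constructed for this example."""
import re
from urllib.parse import urlsplit

# Hosts and IPs named in the post (Multilocker shares a.loader.ws with Andromeda).
IOC_HOSTS = {"a.loader.ws", "j87gyuh7uh.org", "fvfvtrvrtv5fg.org"}
IOC_IPS = {"198.144.121.130", "37.143.12.145"}

# Gate and plugin paths from the post, with a label for the analyst.
IOC_PATHS = {
    "/ad/image.php": "Andromeda gate",
    "/ad/fg.php": "Andromeda formgrabber gate",
    "/ad/r.pack": "Andromeda rootkit plugin",
    "/ad/s.pack": "Andromeda socks plugin",
    "/ad/f.pack": "Andromeda formgrabber plugin",
    "/l/lending/tds.php": "Multilocker gate",
}

# Assumed log format: "<timestamp> <client_ip> <method> <url> <status>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


def classify(url):
    """Return (severity, reason) for a URL, or None if nothing matches."""
    parts = urlsplit(url)
    host = parts.hostname or ""      # lowercased by urlsplit; works for IPs too
    path = parts.path
    known_host = host in IOC_HOSTS or host in IOC_IPS
    if known_host and path in IOC_PATHS:
        return ("high", f"{IOC_PATHS[path]} on known C2 host {host}")
    if known_host:
        return ("medium", f"contact with known C2 host {host} ({path})")
    if path in IOC_PATHS:
        # Same file layout on a host not yet on the list: the post's UPDATE
        # shows the actor rotating domains while keeping the paths.
        return ("low", f"C2-style path {path} on unlisted host {host}")
    return None


def scan(lines):
    """Parse log lines and return (client, url, severity, reason) for each hit."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue                 # unparseable line, skip it
        verdict = classify(m.group("url"))
        if verdict:
            hits.append((m.group("client"), m.group("url"), verdict[0], verdict[1]))
    return hits


# Constructed sample log (not real traffic); URLs reuse the post's indicators.
SAMPLE_LOG = [
    "2012-12-24T00:10:01 10.0.0.12 POST http://a.loader.ws/ad/image.php 200",
    "2012-12-24T00:10:03 10.0.0.12 GET http://a.loader.ws/ad/f.pack 200",
    "2012-12-24T00:11:40 10.0.0.25 GET http://j87gyuh7uh.org/ad4/?ejxc=c18LABgRAFQwSDIAYAEAALuVgb5htF6k 200",
    "2012-12-24T00:12:00 10.0.0.30 GET http://www.example.com/index.html 200",
    "2012-12-24T00:12:30 10.0.0.31 GET http://198.144.121.130/l/lending/tds.php 200",
    "2012-12-24T00:13:00 10.0.0.40 POST http://cdn.example.net/ad/image.php 404",
    "this line is not a log entry",
]

if __name__ == "__main__":
    for client, url, severity, reason in scan(SAMPLE_LOG):
        print(f"[{severity:6}] {client} -> {url}  ({reason})")
```

Run it as-is to see the graded hits; in practice replace SAMPLE_LOG with lines read from your proxy export and adjust LOG_RE to your log format. Host matching is exact, so add any new domains from the UPDATE or the comments to IOC_HOSTS as they appear.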
Anonymous - December 24, 2012 at 12:24 am
Hey Pig, can you check this sample? It connects to hosted-by.ihc.ru, which is a VPS. I haven't captured traffic but the C&C seems to be up. http://www.mediafire.com/?r3ug59b9otz4z34
Thanks
Pig - December 24, 2012 at 1:42 am
Thank you for submitting the sample.
Now he uses a new domain, which is:
Resolved : [j87gyuh7uh.org] To [37.143.12.145]; the rest is the same as in the post.
These 2 domains from the same file aren't active right now:
j87gyuh7uh.org
fvfvtrvrtv5fg.org
I_Post_Ur_Info - December 24, 2012 at 2:53 am
Connects to j87gyuh7uh.org, downloads passworded zip archive from /ad4/?ejxc=c18LABgRAFQwSDIAYAEAALuVgb5htF6k, and on next login or reboot gives you a ransom page. http://imgur.com/fmdCq
Kafeine - December 24, 2012 at 10:46 am
This is Lyposit (see botnets.fr/index.php/Lyposit).
There are Lyposit folders in:
/ad/
/ad3/
/data2/
And the server is hosting a Nuclear Pack.
Anonymous - December 24, 2012 at 10:25 am
Thank you, it was being served by Orange pack and I believed it to be a locker. Just my laziness haha