tommyslav.name (Ginemo winlocker hosted by justhost.in.ua)

Resolved tommyslav.name to 91.213.8.52

I saw Malekal tweet that someone was using an exploit kit on adf.ly to distribute andromeda.
I had already posted the andromeda, and had suspected that it was the cracked version. I just entered the gate info into the builder, ran the build and watched it download this.

Server:  tommyslav.name
Gate file:  /panell/landing/gate.php
Ransom page tds:  /panell/landing/redirme.php

Nice of the owner to leave info pages on the server.

Hosting infos: http://whois.domaintools.com/91.213.8.52

EDIT: an additional winlocker panel is hosted in the same ip

Server:  oppnetter.biz.ua
Gate file:  /panel/landing/gate.php
Ransom page tds:  /panel/landing/redirme.php

Categories: Uncategorized