Malwarebytes

aff_9.exe


8 replies to this topic

#1
Jaxryley

    Forum Deity

  • Malware Hunters
  • 6,718 posts
  • Gender:Male
  • Location:West Aussie
  • Interests:Gardening and computers.
hxxp://67.215.246.138/a9/aff_9.exe?u=i_7_0&spl=4

Quote

File aff_9.exe received on 03.31.2009 00:39:48 (CET)
Current status: finished
Result: 9/40 (22.50%)
Virus Total
File size: 46080 bytes

#2
shadaway

    New Member

  • Members
  • 2 posts

Jaxryley, on Mar 30 2009, 10:41 PM, said:

hxxp://67.215.246.138/a9/aff_9.exe?u=i_7_0&spl=4

Virus Total
File size: 46080 bytes

Sorry for the newb question. My browser started opening to this link yesterday on its own. I grabbed it today and did a search and found the site. One point to the forums for selling a copy of the software.

Anyway, what's this thing do? I know the host is owned by pacificrack.com but whois gives me nothing as the actual IP is not registered.

Running MByte Scan now and will register the moment the scan finishes.

Any input will be greatly appreciated.

#3
MysteryFCM

    Forum Deity

  • Moderators
  • 4,231 posts
  • Gender:Male
  • Location:Tyneside, UK
http://hosts-file.ne...=67.215.246.138

IP PTR:  hosted.by.pacificrack.com

Netblock Information:


OrgName: Secured Private Network 
OrgID: SPNW
Address: 1740 East Garry Ave.
Address: Suite 234
City: Santa Ana
StateProv: CA
PostalCode: 92705
Country: US

NetRange: 67.215.224.0 - 67.215.255.255 
CIDR: 67.215.224.0/19 
OriginAS: AS22298
NetName: SPN3W
NetHandle: NET-67-215-224-0-1
Parent: NET-67-0-0-0-0
NetType: Direct Allocation
NameServer: NS1.SECUREDPRIVATENETWORK.NET
NameServer: NS2.SECUREDPRIVATENETWORK.NET
Comment: 
RegDate: 2007-10-18
Updated: 2008-10-08

RAbuseHandle: HOSTM519-ARIN
RAbuseName: Network Operations 
RAbusePhone: +1-877-434-2378
RAbuseEmail: noc@securedprivatenetwork.net 

RNOCHandle: HOSTM519-ARIN
RNOCName: Network Operations 
RNOCPhone: +1-877-434-2378
RNOCEmail: noc@securedprivatenetwork.net 

RTechHandle: HOSTM519-ARIN
RTechName: Network Operations 
RTechPhone: +1-877-434-2378
RTechEmail: noc@securedprivatenetwork.net 

OrgNOCHandle: HOSTM519-ARIN
OrgNOCName: Network Operations 
OrgNOCPhone: +1-877-434-2378
OrgNOCEmail: noc@securedprivatenetwork.net

OrgTechHandle: HOSTM519-ARIN
OrgTechName: Network Operations 
OrgTechPhone: +1-877-434-2378
OrgTechEmail: noc@securedprivatenetwork.net

Steven Burn
Research Engineer

Follow us: Twitter, Become a fan: Facebook

#4
Jaxryley

shadaway, on Apr 3 2009, 01:35 AM, said:

Anyway, what's this thing do?
Ran it in a VM to see what it gets up to; it seemed to change a few things but then stayed dormant, but it could be VM aware?

Only a brief test and not really qualified in these things.

Quote

FILE ADDED! C:\WINDOWS\vcmcryp2.dll
REG ADDED! HKLM SOFTWARE\Microsoft\Windows\CurrentVersion\Hpuhiruxecaba
REG ADDED! HKLM SOFTWARE\Microsoft\Cryptography\RNG Seed bin:jBspLcPQP4qernwHVdC0DfEptJnow9xF9w9rVi7f37pi3R2N6bkh2iMvdOB7cE8IVTc6CGgW8JaGwIPJXi6Fl5tkrYHdkdcOEVzcQkoRYZI=
REG ADDED! HKLM SOFTWARE\Microsoft\Windows\CurrentVersion\Hpuhiruxecaba Rrukupiseriyovu bin:QwE4A1gFUQdBCUQLSA1BD0cRQRNIFWAXexl3G38dbB9ZIVIjFiUIJ0wpRitALS4v
REG ADDED! HKLM SOFTWARE\Microsoft\Windows\CurrentVersion\Hpuhiruxecaba Rvoturovi "61"
REG ADDED! HKLM SYSTEM\ControlSet001\Control\Lsa Notification Packages mul:c2NlY2xpAHZjbWNyeXAyLmRsbAAA
REG ADDED! HKLM SYSTEM\CurrentControlSet\Control\Lsa Notification Packages mul:c2NlY2xpAHZjbWNyeXAyLmRsbAAA
REG ADDED! HKU S-1-5-21-1454471165-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count HRZR_EHACNGU bin:IAAAAGEBAABwGplfXLTJAQ==
REG ADDED! HKU S-1-5-21-1454471165-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count HRZR_EHACNGU:P:\Qbphzragf naq Frggvatf\Ira\Qrfxgbc\nss_9.rkr bin:IAAAAAYAAABwGplfXLTJAQ==
REG ADDED! HKU S-1-5-21-1454471165-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count HRZR_HVFPHG bin:IAAAAIcAAADAbJdfXLTJAQ==
REG ADDED! HKU S-1-5-21-1454471165-1935655697-1343024091-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache C:\Documents and Settings\Ven\Desktop\aff_9.exe "ISR Debug 32-bit Engine"
REG DELETED! HKLM SOFTWARE\Microsoft\Cryptography\RNG Seed bin:/OH226Iac3EpimE6iNUnU4sz7fwlOrE+rCepdJJpj/2UHnenv4a1E4EqzhTtdjH35/YJPJhfX3MdhprzgNvJiVrs04pj+PoW5tIRSpcnlSk=
REG DELETED! HKLM SYSTEM\ControlSet001\Control\Lsa Notification Packages mul:c2NlY2xpAAA=
REG DELETED! HKLM SYSTEM\CurrentControlSet\Control\Lsa Notification Packages mul:c2NlY2xpAAA=
REG DELETED! HKU S-1-5-21-1454471165-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count HRZR_EHACNGU bin:IAAAAGABAACw+MRWXLTJAQ==
REG DELETED! HKU S-1-5-21-1454471165-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count HRZR_HVFPHG bin:HwAAAIYAAACwdmwOXLTJAQ==


#5
MysteryFCM
Just an FYI, the "Lsa Notification Packages" entries;

REG ADDED! HKLM SYSTEM\ControlSet001\Control\Lsa Notification Packages mul:c2NlY2xpAHZjbWNyeXAyLmRsbAAA
REG ADDED! HKLM SYSTEM\CurrentControlSet\Control\Lsa Notification Packages mul:c2NlY2xpAHZjbWNyeXAyLmRsbAAA

Decode to;

scecli
vcmcryp2.dll
Steven Burn
Research Engineer


#6
Jaxryley
Thanks MysteryFCM, I really dunno how you decoded that? :) :)

Reran "aff_9.exe" to have a look at the "vcmcryp2.dll" it had dropped but this time around it dropped a "poylmt.dll" instead.

Quote

File poylmt.dll received on 04.03.2009 01:28:29 (CET)
Current status: finished
Result: 14/40 (35.00%)
Virus Total
File size: 46080 bytes

Hmm, posting from within the vm where it is active and Firefox has shutdown on me a couple of times?

#7
MysteryFCM
Load vURL DE > Misc > paste the string in the box > Decode Base64 :)

I've not actually looked at the files themselves yet.

/edit

Forgot to mention, if you've got Malzilla, that'll decode Base64 too :) (on the Misc Decoders tab)
Steven Burn
Research Engineer

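As an added example (not code from this thread or from any of the posters), the Python below decodes the sandbox registry diff quoted in post #4 the way posts #5 and #7 describe doing by hand: the `mul:` base64 of the `Lsa\Notification Packages` value (before and after, so the appended DLL stands out), the ROT13-obfuscated UserAssist value names, and the XP-era UserAssist binary data (session, run counter, last-run FILETIME). Assumptions: the sandbox exported multi-strings as single-byte, NUL-separated text (as the quoted base64 shows, not UTF-16LE as in the live registry), and the XP UserAssist layout with a counter that starts at 5. The three sample lines are copied from the quoted log and embedded as constructed input.

```python
import base64
import codecs
import re
import struct
from datetime import datetime, timedelta, timezone

# Constructed sample: three lines copied from the registry diff quoted in post #4.
SAMPLE_DIFF = r"""
REG ADDED! HKLM SYSTEM\CurrentControlSet\Control\Lsa Notification Packages mul:c2NlY2xpAHZjbWNyeXAyLmRsbAAA
REG DELETED! HKLM SYSTEM\CurrentControlSet\Control\Lsa Notification Packages mul:c2NlY2xpAAA=
REG ADDED! HKU S-1-5-21-1454471165-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count HRZR_EHACNGU:P:\Qbphzragf naq Frggvatf\Ira\Qrfxgbc\nss_9.rkr bin:IAAAAAYAAABwGplfXLTJAQ==
""".strip().splitlines()

# One diff line: action, hive, key path (no spaces in these samples), value name
# (may contain spaces), then a type tag and base64 data.
LINE_RE = re.compile(r"^REG (ADDED|DELETED)! (HKLM|HKU) (\S+) (.+) (mul|bin):(\S+)$")

# FILETIME epoch: 100-ns ticks are counted from 1601-01-01 UTC.
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def decode_multi_sz(b64: str) -> list:
    """Decode the sandbox's 'mul:' export: NUL-separated strings, double-NUL terminated.
    Assumption: the tool wrote single-byte strings (a live REG_MULTI_SZ is UTF-16LE),
    which is what the quoted base64 contains, so splitting on one NUL is enough."""
    raw = base64.b64decode(b64)
    return [s.decode("latin-1") for s in raw.split(b"\x00") if s]


def decode_userassist_name(name: str) -> str:
    """UserAssist value names are ROT13-obfuscated (HRZR_EHACNGU -> UEME_RUNPATH)."""
    return codecs.decode(name, "rot_13")


def filetime_to_datetime(ft: int) -> datetime:
    """Windows FILETIME (100-ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return _FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def decode_userassist_xp(b64: str) -> dict:
    """XP-era UserAssist data: <session:u32><count:u32><last run:FILETIME>, little-endian.
    Assumption: the XP counter starts at 5, so the number of launches is count - 5."""
    session, count, ft = struct.unpack("<IIQ", base64.b64decode(b64))
    return {"session": session, "count": count, "runs": count - 5,
            "last_run": filetime_to_datetime(ft)}


def parse_diff(lines) -> list:
    """Turn the sandbox registry diff into records, decoding each value we recognise."""
    records = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a registry line (file events, blank lines, ...)
        action, hive, key, name, kind, data = m.groups()
        rec = {"action": action, "hive": hive, "key": key, "name": name, "kind": kind}
        if kind == "mul":
            rec["value"] = decode_multi_sz(data)
        elif "UserAssist" in key:
            rec["name"] = decode_userassist_name(name)
            rec["value"] = decode_userassist_xp(data)
        else:
            rec["value"] = base64.b64decode(data)  # opaque binary, keep raw bytes
        records.append(rec)
    return records


def lsa_notification_changes(records) -> dict:
    """Compare the DELETED (old) and ADDED (new) state of Lsa\\Notification Packages.
    DLLs listed there are loaded by LSASS and notified of password changes, so any
    name beyond the Windows default (scecli) is the entry a defender should look at."""
    before, after = [], []
    for rec in records:
        if rec["key"].endswith(r"\Control\Lsa") and rec["name"] == "Notification Packages":
            (after if rec["action"] == "ADDED" else before).extend(rec["value"])
    return {"before": before, "after": after,
            "added": [d for d in after if d not in before]}


if __name__ == "__main__":
    recs = parse_diff(SAMPLE_DIFF)
    for r in recs:
        print(r["action"], r["name"], "->", r["value"])
    print(lsa_notification_changes(recs))
```

Run as-is it prints the decoded records and then `{'before': ['scecli'], 'after': ['scecli', 'vcmcryp2.dll'], 'added': ['vcmcryp2.dll']}`; the UserAssist record decodes to `UEME_RUNPATH:C:\Documents and Settings\Ven\Desktop\aff_9.exe` with a run counter of 6 (one launch on XP) and a last-run timestamp in April 2009, which matches the VM run described in post #4.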

#8
MysteryFCM
Can you upload the aff_9.exe file to the staff area please? (links returning a 404)
Steven Burn
Research Engineer


#9
MysteryFCM
Related;

http://www.malwaredomainlist.com/forums/in...msg8489#msg8489
Steven Burn
Research Engineer
