mjackson.1ffli.com.mx + ogzhnsltk.com

#1 MysteryFCM

Posted 30 June 2009 - 11:29 AM

Sunbelt tried hiding the URL, but I found it anyway ......

Init:
http://mjackson.1ffli.com.mx/x-files/

Payload:
http://mjackson.1ffli.com.mx/x-files/x-file-MJacksonsKiller.exe

Exploit:
http://ogzhnsltk.com/plugins/index.php
http://ogzhnsltk.com/plugins/getexe.php
http://ogzhnsltk.com/plugins/pdf.php

Ref:
http://sunbeltblog.b...ot-dont-go.html

Steven Burn

Malware Intelligence Analyst



#2 Fatdcuk

Posted 30 June 2009 - 11:56 AM

Thanks Steven,

Have added the URL for harvesting, will check out the Z-bot variant to see if it has a new install pattern.

Usually we hold an extremely high success rate against the installed z-bots, which mitigates chasing the millions of custom packed droppers :D
Ade Gill
Research Engineer

#3 Fatdcuk

Posted 30 June 2009 - 12:01 PM

It's an sdra64.exe variant and the cat ate it :D
Ade Gill
Research Engineer

#4 MysteryFCM

Posted 30 June 2009 - 12:02 PM

hehe cool :D

Steven Burn

Malware Intelligence Analyst