Thanks for the malware

I checked inbox today and found an interesting email:

From: bwukft zywcboq@163.com
Subject: 中国房市崩盘即将到来 (Chinese: "The collapse of China's housing market is imminent")
中国房市崩盘即将到来!!! ("The collapse of China's housing market is imminent!!!")

The message was received from:

Received: from lenovo-2395031b (unknown [218.8.24.24])

218.8.24.24
inetnum: 218.7.0.0 – 218.10.255.255
netname: UNICOM-HL
country: CN

The attachment was a .rar:

VT: 2/41 (4.88%)
MD5: 62d8715bb97a561b2ca11808e549128a

It contained a .scr:

VT: 3/41 (7.32%)
MD5: ce919337d48d89deeee8867b2a0deb62

This dropped an executable:

VT: 2/39 (5.13%)
MD5: 6c327eff51ed352dcd80c55d6b8f7a81
Anubis Analysis Report.

Connections were made to zaodaowo.gicp.net (125.211.13.70) on port 8080.

125.211.13.70
inetnum: 125.211.0.0 – 125.211.255.255
netname: UNICOM-HL
descr: China Unicom Heilongjiang Province Network
descr: China Unicom
country: CN

If you leave it running for a while it starts to send back the list of files contained within directories such as:

C:\
C:\Documents and Settings\
C:\Documents and Settings\*\
C:\Documents and Settings\*\Favorites\
C:\Documents and Settings\*\Documents\
C:\Documents and Settings\*\Cookies

If cookies are present, they get sent to the C&C.

Connections to zaodaowo.gicp.net (125.211.13.70) port 80 show that it is a Windows box running AppServ Open Project – 2.5.9.

The PHP config page contains:

Server Administrator xlkinghan@163.com
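As an added example (not part of the original post), here is a small Python triage helper built only from the indicators reported above: it pulls the relay IP out of a Received: header like the one quoted, flags flow-log lines that reach the named C&C host on the two observed ports, and checks a file hash against the three MD5s. The flow-log format and the sample lines are constructed for illustration.

```python
import re
from typing import List, Optional

# Indicators exactly as reported in the post above.
C2_HOSTS = {"zaodaowo.gicp.net", "125.211.13.70"}
C2_PORTS = {80, 8080}                      # 8080: beacon/exfil, 80: AppServ web front
SENDER_RELAY_IP = "218.8.24.24"
SAMPLE_MD5S = {
    "62d8715bb97a561b2ca11808e549128a",    # the .rar attachment
    "ce919337d48d89deeee8867b2a0deb62",    # the .scr inside it
    "6c327eff51ed352dcd80c55d6b8f7a81",    # the dropped executable
}

# Bracketed address of the relay in a Received: header, e.g.
# "Received: from lenovo-2395031b (unknown [218.8.24.24])".
RECEIVED_RE = re.compile(r"^Received:\s+from\s+\S+\s+\([^\[]*\[([0-9.]+)\]\)")

def relay_ip(received_header: str) -> Optional[str]:
    """Return the relay IP from a Received: header, or None if it does not parse."""
    m = RECEIVED_RE.match(received_header.strip())
    return m.group(1) if m else None

# Constructed (hypothetical) flow-log format: "<ts> <src> -> <dst>:<port>".
FLOW_RE = re.compile(r"^\S+\s+(\S+)\s+->\s+([^:\s]+):(\d+)$")

def flags_c2_connection(log_line: str) -> bool:
    """True when the line is a connection to the C&C host on an observed port."""
    m = FLOW_RE.match(log_line.strip())
    if not m:
        return False
    _src, dst, port = m.groups()
    return dst in C2_HOSTS and int(port) in C2_PORTS

def suspicious_lines(lines: List[str]) -> List[str]:
    """Filter a flow log down to the lines that match the C&C indicators."""
    return [line for line in lines if flags_c2_connection(line)]

def known_sample(md5_hex: str) -> bool:
    """True if the MD5 matches one of the three samples from the post."""
    return md5_hex.strip().lower() in SAMPLE_MD5S

# Constructed sample input so the module runs stand-alone.
SAMPLE_LOG = [
    "t1 10.0.0.5 -> zaodaowo.gicp.net:8080",
    "t2 10.0.0.5 -> 125.211.13.70:80",
    "t3 10.0.0.5 -> www.example.com:443",
]

if __name__ == "__main__":
    print(relay_ip("Received: from lenovo-2395031b (unknown [218.8.24.24])"))
    print(suspicious_lines(SAMPLE_LOG))
```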

That’s all the time I have right now, but thanks for the malware.
