API tools faq
paste
Advertisement
JohnGalt14

Unit 78020 Malware Samples

JohnGalt14
Sep 24th, 2015
1,550
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
Perl 4.29 KB | None | 0 0
raw download clone embed print report
  1. # PLA Unit 78020 Malware
  2. # Report
  3. http://threatconnect.com/camerashy/?utm_campaign=CameraShy
  4.  
  5. # New Samples
  6. 34f3dcf6c1794451fe92afa917deb6e34480c261fde7339212a80e01e66d8425
  7. 4082a02ffbbebacb00fc46cbbc6755742bb5e286df3722e0119a2bd3969aedf7
  8. 5e399ac5fa11df3d7ab9e027763bc9fc5b0aa28e3d74e16f211d58b115f68687
  9. 6934af252166b9e1849ae996cb7f950ad1bb4d8fc210e4171faaa24028d30167
  10. 6ef334516aca217d83ca54339f8461074a0d1c14a908dd20c705c1a1f01f34be
  11. 90c06480945f3b2c151f19a57cf8b46375708c1dcbb69e68c64e52289384b7f7
  12. 99f559f6a041c49e3d7821346b475186ca16fbeba611074b513754336da396f5
  13. 9f635a260670dc44176d5946114afdb7b6c4a2b97baa038e6211b02d88657d25
  14. aad36ae7676bb3c905e95f87b6fec001cf0eb873104bb86f3e2da06f53dd3a34
  15. b1ef50dd82ad84b4e2e13eeb1021483ffda5886340d8150e9d59cfb5a0d4a148
  16. b32c45f1bce381b64e665402394f1a3ce7053e0b19972feea0212649aef3bfa7
  17. c373f446f2d3818d3a52fd20a689ccd368f715dd5e4c3feb94e14c274b1b179f
  18. e14e4194d058d43461679962be41ae4b47c20e4b88f0dede03a38c4cd7490376
  19. f2d49274c5135e440a6afe7b2328df77208b8bfe421658cd7c424eb670604b9b
  20. fde791aab5256b854bcec6b7d592fa4a12d2e123959d4e7cfd0074d7b92a8a0b
  21.  
  22. # Detection with Yara Rules
  23. # (not all results shown)
  24. # https://github.com/Neo23x0/Loki/blob/master/signatures/apt_unit78020_malware.yar
  25.  
  26. Unit78020_Malware_Gen1 ./4082a02ffbbebacb00fc46cbbc6755742bb5e286df3722e0119a2bd3969aedf7
  27. 0x11ecc:$x2: POST http://%s:%d/aspxabcdefg.asp?%s HTTP/1.1
  28. 0x12030:$x3: GET http://%s:%d/aspxabcdef.asp?%s HTTP/1.1
  29. 0x11a7c:$s16: DRIVE_RAMDISK
  30. 0x11a98:$s16: DRIVE_RAMDISK
  31. 0x11ab4:$s16: DRIVE_RAMDISK
  32.  
  33. VT Detection Rate
  34. 40 / 57
  35.  
  36. Unit78020_Malware_Gen1 ./34f3dcf6c1794451fe92afa917deb6e34480c261fde7339212a80e01e66d8425
  37. 0x19b5a:$a1: dMozilla/4.0 (compatible; MSIE 6.0;Windows NT 5.0; .NET CLR 1.1.4322)
  38. 0x1995c:$a3: Accept-Language:En-us/r/n
  39. 0x1999c:$s1: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)
  40. 0x198b0:$s4: Content-Type:application/x-www-form-urlencoded/r/n
  41. 0x1c690:$s5: Hello World!
  42. 0x19918:$s6: Accept-Encoding:gzip,deflate/r/n
  43. 0x19b54:$s7: /%d%s%d
  44.  
  45. VT Detection Rate
  46. 44 / 57
  47.  
  48. Unit78020_Malware_Gen1 ./5e399ac5fa11df3d7ab9e027763bc9fc5b0aa28e3d74e16f211d58b115f68687
  49. 0x115fe:$a1: dMozilla/4.0 (compatible; MSIE 6.0;Windows NT 5.0; .NET CLR 1.1.4322)
  50. 0x115bc:$a3: Accept-Language:En-us/r/n
  51. 0x11b34:$a4: \Office Start.lnk
  52. 0x116a0:$s1: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)
  53. 0x118a8:$s3: %USERPROFILE%\Application Data\Mozilla\Firefox\Profiles
  54. 0x11510:$s4: Content-Type:application/x-www-form-urlencoded/r/n
  55. 0x16b38:$s5: Hello World!
  56. 0x11578:$s6: Accept-Encoding:gzip,deflate/r/n
  57. 0x115f8:$s7: /%d%s%d
  58. 0x16a82:$s9: WininetMM Version 1.0
  59. 0x16b56:$s10: WININETMM
  60.  
  61. VT Detection Rate
  62. 36 / 56
  63.  
  64. Unit78020_Malware_Gen1 ./6ef334516aca217d83ca54339f8461074a0d1c14a908dd20c705c1a1f01f34be
  65. 0x9c2c:$x2: POST http://%s:%d/aspxabcdefg.asp?%s HTTP/1.1
  66. 0x9d90:$x3: GET http://%s:%d/aspxabcdef.asp?%s HTTP/1.1
  67. 0x97f8:$s16: DRIVE_RAMDISK
  68. 0x9814:$s16: DRIVE_RAMDISK
  69. 0x9830:$s16: DRIVE_RAMDISK
  70.  
  71. VT Detection Rate
  72. 50 / 57
  73.  
  74. Unit78020_Malware_Gen1 ./b1ef50dd82ad84b4e2e13eeb1021483ffda5886340d8150e9d59cfb5a0d4a148
  75. 0x11c06:$a1: dMozilla/4.0 (compatible; MSIE 6.0;Windows NT 5.0; .NET CLR 1.1.4322)
  76. 0x11bc4:$a3: Accept-Language:En-us/r/n
  77. 0x120cc:$a4: \Office Start.lnk
  78. 0x11ca8:$s1: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)
  79. 0x11e68:$s3: %USERPROFILE%\Application Data\Mozilla\Firefox\Profiles
  80. 0x11b18:$s4: Content-Type:application/x-www-form-urlencoded/r/n
  81. 0x17138:$s5: Hello World!
  82. 0x11b80:$s6: Accept-Encoding:gzip,deflate/r/n
  83. 0x11c00:$s7: /%d%s%d
  84. 0x17082:$s9: WininetMM Version 1.0
  85. 0x17156:$s10: WININETMM
  86.  
  87. VT Detection Rate
  88. 37 / 56
  89.  
  90. Unit78020_Malware_Gen1 ./fde791aab5256b854bcec6b7d592fa4a12d2e123959d4e7cfd0074d7b92a8a0b
  91. 0x11c16:$a1: dMozilla/4.0 (compatible; MSIE 6.0;Windows NT 5.0; .NET CLR 1.1.4322)
  92. 0x11bd4:$a3: Accept-Language:En-us/r/n
  93. 0x12184:$a4: \Office Start.lnk
  94. 0x11cb8:$s1: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)
  95. 0x11ea0:$s3: %USERPROFILE%\Application Data\Mozilla\Firefox\Profiles
  96. 0x11b28:$s4: Content-Type:application/x-www-form-urlencoded/r/n
  97. 0x17138:$s5: Hello World!
  98. 0x11b90:$s6: Accept-Encoding:gzip,deflate/r/n
  99. 0x11c10:$s7: /%d%s%d
  100. 0x12094:$s8: %02d-%02d-%02d %02d:%02d
  101. 0x17082:$s9: WininetMM Version 1.0
  102. 0x17156:$s10: WININETMM
  103.  
  104. VT Detection Rate
  105. 39 / 55
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!