
I searched and did not see this posted here yet, sorry if I missed it.

C2 domain: cybercrime[.]rocks

C2 URI struct: /cryptotolarance/add.php?hwid=[redacted]&winversion=[kernelversion]&pswd=[redacted]

Panel: hxxp://cybercrime[.]rocks/cryptotolarance/login.php

Payment onion returned from C2 on 3-18-15: iupfnqg2uaigwoei

I have not done any debugging/RE on this, but it seems to check geolocation (api.wipmania.com) and, if US is returned, does not carry out part of its functionality.

Suricata rule:

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"Exaction Cryptolocker CnC Beacon"; flow:established,to_server; content:".php?"; http_uri; content:"hwid="; http_uri; content:"winversion="; http_uri; fast_pattern:only; content:"pswd="; http_uri; content:!"Referer|3a|"; http_header; reference:md5,b5ea8f65bd7845aeaf0732b8aacacc86; classtype:trojan-activity; sid:1; rev:1;)

Download (archive password: infected)

Source
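The following is an added example, not part of the original post, for checking what the Suricata rule above will and will not fire on before deploying it. It replays the rule's payload conditions (the four http_uri content matches and the negated Referer http_header match) over constructed HTTP requests and extracts the hwid, winversion and pswd parameters from a matching beacon. The sample requests, hostnames and parameter values are constructed placeholders, not captured traffic; the flow:established,to_server and $HOME_NET/$EXTERNAL_NET conditions are stream- and IP-level and are not reproduced.

```python
"""Offline replay of the beacon rule's content checks over constructed
HTTP requests, plus extraction of the beacon parameters.

Added example, not from the original post. The sample requests are
constructed; the hwid/pswd values are placeholders, not real indicators.
"""
from urllib.parse import parse_qs, urlsplit

# Constructed sample requests. "beacon" mirrors the URI structure given in
# the post (/cryptotolarance/add.php?hwid=...&winversion=...&pswd=...) with
# placeholder values; the other three are controls.
SAMPLE_REQUESTS = [
    ("beacon",
     "GET /cryptotolarance/add.php?hwid=0123456789ABCDEF&winversion=6.1.7601&pswd=Q0hBTkdFTUU= HTTP/1.1\r\n"
     "Host: cybercrime.rocks\r\n"
     "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0)\r\n\r\n"),
    ("beacon_with_referer",   # same URI, but a Referer header is present
     "GET /cryptotolarance/add.php?hwid=0123456789ABCDEF&winversion=6.1.7601&pswd=Q0hBTkdFTUU= HTTP/1.1\r\n"
     "Host: cybercrime.rocks\r\n"
     "Referer: http://cybercrime.rocks/cryptotolarance/login.php\r\n\r\n"),
    ("login_form",            # benign: has pswd= but no hwid=/winversion=
     "GET /login.php?user=bob&pswd=hunter2 HTTP/1.1\r\n"
     "Host: intranet.example\r\n\r\n"),
    ("static",                # benign: no .php? at all
     "GET /index.html HTTP/1.1\r\n"
     "Host: www.example\r\n\r\n"),
]

# URI substrings required by the rule. Suricata content matches are
# case-sensitive unless 'nocase' is given, so a plain substring test is right.
URI_CONTENT = (".php?", "hwid=", "winversion=", "pswd=")


def parse_request(raw):
    """Split a raw HTTP/1.x request into (method, uri, header block as text)."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, uri, _version = lines[0].split(" ", 2)
    return method, uri, "\r\n".join(lines[1:])


def matches_beacon_rule(raw):
    """True when every http_uri content is present in the request URI and
    the negated http_header content 'Referer|3a|' (i.e. 'Referer:') is absent."""
    _method, uri, headers = parse_request(raw)
    if not all(token in uri for token in URI_CONTENT):
        return False
    return "Referer:" not in headers


def extract_beacon_fields(raw):
    """Pull hwid, winversion and pswd out of a beacon URI's query string."""
    _method, uri, _headers = parse_request(raw)
    query = parse_qs(urlsplit(uri).query, keep_blank_values=True)
    return {key: query.get(key, [""])[0] for key in ("hwid", "winversion", "pswd")}


def scan(samples):
    """Return {label: extracted fields} for every sample the rule logic matches."""
    return {label: extract_beacon_fields(raw)
            for label, raw in samples if matches_beacon_rule(raw)}


if __name__ == "__main__":
    for label, fields in scan(SAMPLE_REQUESTS).items():
        print(label, fields)
```

Only the first sample matches: the second carries a Referer header, which the rule deliberately excludes so that browser-driven hits on the panel do not alert, and the last two lack one or more of the required URI tokens. Before deploying the rule itself, move sid:1 into the local range (1000000 and up) so it does not collide with vendor rulesets, and check the rule against real traffic to the panel rather than only these constructed samples.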
