Another Stration Run...

Those guys are pretty busy, 18 different packers/scramblers used in this sample this morning.

It does the same thing as it usually does: downloads stuff, mass mails, etc.

It downloads:

http://www6.ertikadeswiokinganfujas.com/chr/901/nt.exe - 4d04e4deb8329f6ab18b436c1109cd60
http://www4.ertikadeswiokinganfujas.com/chr/901/nt.exe - b6156f675072c2908942b260c365f88c
http://genfushijinkertiondase.com/chr/901/s.exe?lid=A590474043D777851476 - 06a1f6065fba7dbcb503c0d86c17be9d

and executes the files on the system.

Creates these files:

C:\Windows\tpup.c
C:\Windows\tpup.dat
C:\Windows\tpup.exe
C:\Windows\tpup.s
C:\Windows\tpup.wax
C:\Windows\tpup.z
C:\Windows\system32\knblzhsqua.exe
C:\Windows\system32\e1.dll

Adds "tpup = C:\Windows\tpup.exe s" to the HKLM\Software\Microsoft\Windows\CurrentVersion\Run registry key.

Anyway, I don't have time to do a better analysis on this one atm, maybe later or another day :)

//Drean
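
A triage check for the Run-key persistence listed in the post, as an added example that is not part of the original post: it parses `reg query` output for the HKLM Run key and flags values whose target is one of the listed files, or whose name is `tpup`. The sample output, the `updater` value name and the `C:\Windows` system root are constructed assumptions.

```python
import re

# Indicators copied from the post above; nothing is inferred beyond them.
IOC_FILES = {p.lower() for p in (
    r"C:\Windows\tpup.c", r"C:\Windows\tpup.dat", r"C:\Windows\tpup.exe",
    r"C:\Windows\tpup.s", r"C:\Windows\tpup.wax", r"C:\Windows\tpup.z",
    r"C:\Windows\system32\knblzhsqua.exe", r"C:\Windows\system32\e1.dll",
)}
IOC_RUN_NAME = "tpup"
# Assumption: the triaged host uses C:\Windows as its system root.
ENV = {"%systemroot%": r"C:\Windows", "%windir%": r"C:\Windows"}
# A value line of `reg query` output: name, type and data, each preceded by 4 spaces.
VALUE_LINE = re.compile(r"^\s{4}(?P<name>.+?)\s{4}(?P<type>REG_\w+)\s{4}(?P<data>.*)$")

def command_target(data):
    """Return the normalized (lower-case) executable path of a Run command line."""
    data = data.strip()
    for var, val in ENV.items():
        data = re.sub(re.escape(var), lambda m: val, data, flags=re.I)
    if data.startswith('"'):
        path = data[1:].split('"', 1)[0]      # quoted path, arguments follow
    else:                                     # unquoted: cut after the extension
        m = re.match(r"(.+?\.(?:exe|dll|com|bat|cmd|scr))(?=\s|$)", data, flags=re.I)
        path = m.group(1) if m else data.split(" ", 1)[0]
    return path.replace("/", "\\").lower()

def scan_run_key(reg_query_output):
    """Return (value name, data, reason) for Run values matching the indicators."""
    hits = []
    for line in reg_query_output.splitlines():
        m = VALUE_LINE.match(line)
        if not m:
            continue                          # key header or blank line
        name, data = m["name"], m["data"]
        if command_target(data) in IOC_FILES:
            hits.append((name, data, "target path listed in the post"))
        elif name.lower() == IOC_RUN_NAME:
            hits.append((name, data, "value name matches, target differs"))
    return hits

# Constructed sample of `reg query` output, not captured from a real host.
SAMPLE = "\n".join([
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe",
    r"    tpup    REG_SZ    C:\Windows\tpup.exe s",
    r'    updater    REG_SZ    "%SystemRoot%\System32\KNBLZHSQUA.EXE" /q',
])

if __name__ == "__main__":
    print(*scan_run_key(SAMPLE), sep="\n")
```

Matching on the target path as well as the value name catches an entry that keeps one of the listed files but registers it under a different name.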

Another version

I've also seen a variant this morning with the following hash:

885ED3407B5CC783E6AD4A1F2FD75B5F

I haven't taken a look @ it yet though (lazy) but VirusTotal gives spotty results. As of 9am CST it was about 50/50.