Threat Name: Geodo
File Download Locations:
These are live malware files, download with caution.
hXXp://altvramagazine.com:80/wp-content/themes/altura/cr_mss3.exe
hXXp://aqua-system.com.ua/AXMqjiFob
hXXp://arasshahintools.com:80/wp-content/themes/darya/cr_mss3.exe
hXXp://bicycle.ns.ca:80/wp-content/themes/shadow/cr_mss3.exe
hXXp://conservation-wildlife.asn.au/eSxai7o0d/Status_zu_Sendung_916907832086.zip
hXXp://cucifineart.com/wp-content/Z5LIHdweGyb/Status_zu_Sendung_916907832086.zip
hXXp://dpsharma.com/wp-content/themes/twentyfifteen/Hvcmrq2un/Status_zu_Sendung_916907832086.zip
hXXp://fcmtravel.co.ke/7HTCkvNV
hXXp://www.allcameras.tk:80/wp-content/themes/twentyfifteen/cr_mss3.exe
hXXp://www.hairlosstreatments4u.com:80/4KVHAGFUPB/949.exe
hXXp://www.hertzlease.com.mt:80/mCVXg3ucvfG/949.exe
Virustotal File Analysis:
Command and Control Servers:
Request Method: POST
121.50.46.81:8080
173.230.130.252:8080
188.165.235.13:8080
192.126.123.10:8080
192.163.204.172:8080
200.159.128.189:8080
200.75.7.92:8080
201.175.17.35:8080
42.62.40.103:8080
User-agent Strings:
I have yet to determine if these are unique to the malware or not, so please be careful using them to block and/or detect malicious network traffic. If anyone has any more information on these, then please leave a comment.
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 7.1; Trident/5.0)
Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)
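The lists above are only useful once they are turned into something that can be run over proxy or web logs. The script below is an added example, not part of the original post: it refangs the hXXp:// URLs, splits them into host and host+path indicators, and scans constructed proxy log lines for three kinds of hit, giving each a different weight. A full host+path match is strong because the paths are random-looking; a host-only match is weak because these are compromised legitimate sites (mostly WordPress) whose other content is benign; a POST to one of the IP:8080 C2 servers is strong. The user-agent strings are treated as low-confidence on their own, with one check worth knowing: "Windows NT 7.1" is not a version string any Windows release reports (Windows 7 identifies as NT 6.1), so a client sending that header is not a real browser. The log format and the sample lines are assumptions made up for the example, and the indicator lists are shortened copies of the ones on the page.

```python
import re
from urllib.parse import urlsplit

# Indicators copied from the post above (shortened; no new values added).
DOWNLOAD_URLS = [
    "hXXp://altvramagazine.com:80/wp-content/themes/altura/cr_mss3.exe",
    "hXXp://aqua-system.com.ua/AXMqjiFob",
    "hXXp://conservation-wildlife.asn.au/eSxai7o0d/Status_zu_Sendung_916907832086.zip",
    "hXXp://www.hairlosstreatments4u.com:80/4KVHAGFUPB/949.exe",
]
C2_SERVERS = {"121.50.46.81:8080", "173.230.130.252:8080", "42.62.40.103:8080"}
USER_AGENTS = {
    "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 7.1; Trident/5.0)",
    "Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)",
}
# NT versions that shipping Windows releases actually put in a browser user agent.
REAL_NT_VERSIONS = {"5.0", "5.1", "5.2", "6.0", "6.1", "6.2", "6.3", "10.0"}

# Assumed proxy log layout for this example: ts client METHOD url status "user-agent"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) '
    r'(?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)

# Constructed sample log lines, not real traffic.
SAMPLE_LOG = [
    '2015-10-20T09:13:02Z 10.0.0.5 GET http://www.hairlosstreatments4u.com:80/4KVHAGFUPB/949.exe 200 "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 7.1; Trident/5.0)"',
    '2015-10-20T09:13:09Z 10.0.0.5 POST http://121.50.46.81:8080/ 200 "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 7.1; Trident/5.0)"',
    '2015-10-20T09:14:30Z 10.0.0.7 GET http://aqua-system.com.ua/ 200 "Mozilla/5.0 (Windows NT 6.1; rv:41.0) Gecko/20100101 Firefox/41.0"',
    '2015-10-20T09:15:00Z 10.0.0.9 GET http://example.com/index.html 200 "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"',
]


def refang(url):
    """Turn the post's defanged hXXp:// form back into a real http:// URL."""
    return re.sub(r"^h[xX]{2}p", "http", url)


def normalize_host(netloc):
    """Drop an explicit :80 so 'host:80' and 'host' compare equal; keep other ports."""
    host, _, port = netloc.partition(":")
    return host.lower() if port in ("", "80") else f"{host.lower()}:{port}"


def build_indicators(urls=DOWNLOAD_URLS):
    """Split the download URLs into a host set and a host+path set."""
    hosts, host_paths = set(), set()
    for u in urls:
        parts = urlsplit(refang(u))
        host = normalize_host(parts.netloc)
        hosts.add(host)
        host_paths.add(host + parts.path)
    return hosts, host_paths


def ua_is_plausible(ua):
    """False when the UA claims an NT version no Windows release reports (e.g. NT 7.1)."""
    m = re.search(r"Windows NT (\d+\.\d+)", ua)
    return m is None or m.group(1) in REAL_NT_VERSIONS


def scan(log_lines, urls=DOWNLOAD_URLS, c2=C2_SERVERS, uas=USER_AGENTS):
    """Return [(line_no, [reasons])] for every log line that touches an indicator."""
    hosts, host_paths = build_indicators(urls)
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["url"])
        host = normalize_host(parts.netloc)
        reasons = []
        if host + parts.path in host_paths:
            reasons.append("payload URL")        # random path: high confidence
        elif host in hosts:
            reasons.append("payload host only")  # compromised legit site: verify path
        if m["method"] == "POST" and parts.netloc in c2:
            reasons.append("C2 POST")
        if m["ua"] in uas:
            # An impossible NT version means no real browser sent this header.
            conf = "low" if ua_is_plausible(m["ua"]) else "medium"
            reasons.append(f"known UA ({conf})")
        if reasons:
            hits.append((n, reasons))
    return hits


if __name__ == "__main__":
    for n, reasons in scan(SAMPLE_LOG):
        print(f"line {n}: {', '.join(reasons)}")
```

Feed real proxy logs through `scan` after adapting `LOG_RE` to your log format; the matching itself is format-independent. Host-only hits should be triaged by looking at the requested path rather than blocked outright, since the hosts are legitimate sites that were compromised to serve the payload.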
Further Reading:
Geodo Tracker - a website dedicated to tracking Geodo information. The site owner's blog is also well worth reading.
Hybrid Analysis Results - sandbox analysis results for the executable inside the zip file listed above.
Thanks for sharing.