When #malware infector goes to Cloud: Trojan Banker in Free Cloud Storage - MediaFire

06 Sep 2012 This is really sad to know the infection goes to cloud, this is one true case example.
I grep the trojan infections in the phising databases just now, came to my interest the list of the file "Application+Form.zip" saved in the many infector urls. As I dns-reversed it came up with the Free Cloud Storage - MediaFire's url. The list and proof itself is as per below:

NetRange:       199.91.152.0 - 199.91.159.255
CIDR:           199.91.152.0/21
OriginAS:       AS46179
NetName:        MEDIAFIRE-IP-199-91-159-0-21
IP:             199.91.154.64

h00p://199.91.154.64/0zosrljb8eig/uoqv786sj08g7e2/ApplicationForm.zip
h00p://199.91.154.64/axfmj3yimhog/uoqv786sj08g7e2/ApplicationForm.zip
h00p://199.91.154.64/cbjb39yy2mtg/uoqv786sj08g7e2/ApplicationForm.zip
h00p://199.91.154.64/mbl6b62bplfg/uoqv786sj08g7e2/ApplicationForm.zip
h00p://199.91.154.64/q2p8bqdtdawg/uoqv786sj08g7e2/ApplicationForm.zip
h00p://199.91.154.64/q8fm4zqkmkjg/uoqv786sj08g7e2/ApplicationForm.zip
h00p://199.91.154.64/su5qgslo1dlg/uoqv786sj08g7e2/ApplicationForm.zip
h00p://199.91.154.64/txh6n26njnlg/uoqv786sj08g7e2/ApplicationForm.zip
h00p://199.91.154.64/v9c3p3zh5vqg/uoqv786sj08g7e2/ApplicationForm.zip
h00p://199.91.153.124/0g1ttmtrg8pg/uoqv786sj08g7e2/ApplicationForm.zip
h00p://199.91.154.64/f7rq37qx1s9g/uoqv786sj08g7e2/ApplicationForm.zip
h00p://199.91.154.64/k5493ofo85lg/uoqv786sj08g7e2/ApplicationForm.zip
h00p://199.91.154.64/42tt073rt8mg/uoqv786sj08g7e2/ApplicationForm.zip
h00p://199.91.154.64/sze9xfm656qg/uoqv786sj08g7e2/ApplicationForm.zip
h00p://199.91.154.64/uomppw789gbg/uoqv786sj08g7e2/ApplicationForm.zip


NetRange:       199.91.152.0 - 199.91.159.255
CIDR:           199.91.152.0/21
OriginAS:       AS46179
NetName:        MEDIAFIRE-IP-199-91-159-0-21
IP:             199.91.154.107

h00p://199.91.154.107/1alpy8w96qjg/uoqv786sj08g7e2/ApplicationForm.zip
h00p://199.91.154.107/613u633z438g/uoqv786sj08g7e2/ApplicationForm.zip
h00p://199.91.154.107/c6oipid67kzg/uoqv786sj08g7e2/ApplicationForm.zip
h00p://199.91.154.107/l45b9swc4lvg/uoqv786sj08g7e2/ApplicationForm.zip
h00p://199.91.154.107/rjim6bnfwjzg/uoqv786sj08g7e2/ApplicationForm.zip
h00p://199.91.154.107/ud90mqgbtggg/uoqv786sj08g7e2/ApplicationForm.zip
h00p://199.91.154.107/un8fcnc6npgg/uoqv786sj08g7e2/ApplicationForm.zip
h00p://199.91.154.107/ynvn4i7525qg/uoqv786sj08g7e2/ApplicationForm.zip
h00p://199.91.154.107/dsxdicu0oscg/uoqv786sj08g7e2/ApplicationForm.zip
h00p://199.91.154.107/xagqhgwml7hg/uoqv786sj08g7e2/ApplicationForm.zip


NetRange:       205.196.120.0 - 205.196.123.255
CIDR:           205.196.120.0/22
OriginAS:       AS46179
NetName:        MEDIAFIRE-IP-205-196-120-0-22
IP:             205.196.120.110

h00p://205.196.120.110/0zsxf2wmc7zg/uoqv786sj08g7e2/ApplicationForm.zip
h00p://205.196.120.110/1zkvem7l3ipg/uoqv786sj08g7e2/ApplicationForm.zip
h00p://205.196.120.110/d1yheukvdr8g/uoqv786sj08g7e2/ApplicationForm.zip
h00p://205.196.120.110/dfdi9b6chudg/uoqv786sj08g7e2/ApplicationForm.zip
h00p://205.196.120.110/hj0bpbgpc2rg/uoqv786sj08g7e2/ApplicationForm.zip
h00p://205.196.120.110/sb9u45a424pg/uoqv786sj08g7e2/ApplicationForm.zip
h00p://205.196.120.110/xsbmhu0su5rg/uoqv786sj08g7e2/ApplicationForm.zip
h00p://205.196.120.110/28zr61bk88sg/uoqv786sj08g7e2/ApplicationForm.zip
h00p://205.196.120.110/gi91y11z190g/uoqv786sj08g7e2/ApplicationForm.zip
h00p://205.196.120.110/j3bab9zbovyg/uoqv786sj08g7e2/ApplicationForm.zip
h00p://205.196.120.110/tmdto78d7pqg/uoqv786sj08g7e2/ApplicationForm.zip
h00p://205.196.120.110/381r6n65yyng/uoqv786sj08g7e2/ApplicationForm.zip
h00p://205.196.120.110/cmc1sjgaazzg/uoqv786sj08g7e2/ApplicationForm.zip
h00p://205.196.120.110/pv4jkdpb7nzg/uoqv786sj08g7e2/ApplicationForm.zip
h00p://205.196.120.110/hedpcf570tgg/uoqv786sj08g7e2/ApplicationForm.zip
h00p://205.196.120.110/cyy4oe5dimbg/uoqv786sj08g7e2/ApplicationForm.zip
h00p://205.196.120.110/72095k6k72ag/uoqv786sj08g7e2/ApplicationForm.zip
h00p://205.196.120.110/s875tvod3mwg/uoqv786sj08g7e2/ApplicationForm.zip
h00p://205.196.120.110/yu4td1yx6vdg/uoqv786sj08g7e2/ApplicationForm.zip
h00p://205.196.120.110/bt6l2tp1nwcg/uoqv786sj08g7e2/ApplicationForm.zip
h00p://205.196.120.110/t0w3djft3pfg/uoqv786sj08g7e2/ApplicationForm.zip
h00p://205.196.120.110/kl8a20aaadkg/uoqv786sj08g7e2/ApplicationForm.zip


NetRange:       199.91.152.0 - 199.91.159.255
CIDR:           199.91.152.0/21
OriginAS:       AS46179
NetName:        MEDIAFIRE-IP-199-91-159-0-21
IP:             199.91.153.124

h00p://199.91.153.124/4cd3dm7gtpzg/uoqv786sj08g7e2/ApplicationForm.zip
h00p://199.91.153.124/zk1e4ecxarag/uoqv786sj08g7e2/ApplicationForm.zip
h00p://199.91.153.124/0okt4q6bj5wg/uoqv786sj08g7e2/ApplicationForm.zip
h00p://199.91.153.124/3erqoa6mwalg/uoqv786sj08g7e2/ApplicationForm.zip
h00p://199.91.153.124/420ko8d0jmng/uoqv786sj08g7e2/ApplicationForm.zip
h00p://199.91.153.124/7p3zi7vggg0g/uoqv786sj08g7e2/ApplicationForm.zip
h00p://199.91.153.124/7dqs3rj203ng/uoqv786sj08g7e2/ApplicationForm.zip
h00p://199.91.153.124/v73t589ijw1g/uoqv786sj08g7e2/ApplicationForm.zip
h00p://199.91.153.124/35jbz97j4vkg/uoqv786sj08g7e2/ApplicationForm.zip
h00p://199.91.153.124/af1ofxzwxz6g/uoqv786sj08g7e2/ApplicationForm.zip
h00p://199.91.153.124/e4zta0q4y2ng/uoqv786sj08g7e2/ApplicationForm.zip
h00p://199.91.153.124/k5e5qrpfvqxg/uoqv786sj08g7e2/ApplicationForm.zip
h00p://199.91.153.124/iddo976x8rkg/uoqv786sj08g7e2/ApplicationForm.zip


A download PoC are below:

Case 1:
--22:40:15--  h00p://199.91.154.64/0zosrljb8eig/uoqv786sj08g7e2/ApplicationForm.
zip
           => `ApplicationForm.zip'
Connecting to 199.91.154.64:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: h00p://www.mediafire.com/?uoqv786sj08g7e2 [following]
--22:40:15--  h00p://www.mediafire.com/?uoqv786sj08g7e2
           => `index.html@uoqv786sj08g7e2'
Resolving www.mediafire.com... 205.196.120.6, 205.196.120.8
Connecting to www.mediafire.com|205.196.120.6|:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: h00p://205.196.122.152/ipb7dusor0zg/uoqv786sj08g7e2/Application+Form.z
ip [following]
--22:40:16--  h00p://205.196.122.152/ipb7dusor0zg/uoqv786sj08g7e2/Application+Fo
rm.zip
           => `Application+Form.zip'
Connecting to 205.196.122.152:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 640,712 (626K) [application/zip]
100%[====================================>] 640,712      148.40K/s    ETA 00:00
22:40:21 (130.61 KB/s) - `Application+Form.zip' saved [640712/640712]

GET /0zosrljb8eig/uoqv786sj08g7e2/ApplicationForm.zip HTTP/1.0
User-Agent: MalwareMustDie/1.10.1
Accept: */*
Host: 199.91.154.64
Connection: Keep-Alive

HTTP/1.1 302 Found
Location: h00p://www.mediafire.com/?uoqv786sj08g7e2
Connection: Close

GET /?uoqv786sj08g7e2 HTTP/1.0
User-Agent: MalwareMustDie/1.10.1
Accept: */*
Host: www.mediafire.com
Connection: Keep-Alive

HTTP/1.1 302 Found
Date: Thu, 06 Sep 2012 13:41:36 GMT
Cache-control: no-cache
Pragma: no-cache
Expires: 0
Set-Cookie: ukey=7th4ubnj5cc2ucw0hhiemxt6bi6hh8z8; 
            expires=Thu, 07-Aug-2014 13:41:36 GMT; 
            path=/; domain=.mediafire.com; httponly
Location: h00p://199.91.153.246/4ejd935utdag/uoqv786sj08g7e2/Application+Form.zip
Vary: Accept-Encoding
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8
Server: MediaFire

GET /4ejd935utdag/uoqv786sj08g7e2/Application+Form.zip HTTP/1.0
User-Agent: MalwareMustDie/1.10.1
Accept: */*
Host: 199.91.153.246
Connection: Keep-Alive

HTTP/1.1 200 OK
Server: LRBD-stable-724
Date: Thu, 6 Sep 2012 13:41:37 GMT
Connection: close
Accept-Ranges: bytes
Content-transfer-encoding: binary
Content-Length: 640712
Content-Disposition: attachment; filename="Application Form.zip"
Content-Type: application/zip

Case 2 :
--22:46:34--  h00p://205.196.120.110/hj0bpbgpc2rg/uoqv786sj08g7e2/ApplicationForm.zip
           => `ApplicationForm.zip'
Connecting to 205.196.120.110:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: h00p://www.mediafire.com/?uoqv786sj08g7e2 [following]
--22:46:35--  h00p://www.mediafire.com/?uoqv786sj08g7e2
           => `index.html@uoqv786sj08g7e2'
Resolving www.mediafire.com... 205.196.120.6, 205.196.120.8
Connecting to www.mediafire.com|205.196.120.6|:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: h00p://199.91.153.58/3h59697w91jg/uoqv786sj08g7e2/Application+Form.zip
 [following]
--22:46:36--  h00p://199.91.153.58/3h59697w91jg/uoqv786sj08g7e2/Application+Form
.zip
           => `Application+Form.zip.1'
Connecting to 199.91.153.58:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 640,712 (626K) [application/zip]
100%[====================================>] 640,712      155.64K/s    ETA 00:00
22:46:40 (149.68 KB/s) - `Application+Form.zip.1' saved [640712/640712]

GET /hj0bpbgpc2rg/uoqv786sj08g7e2/ApplicationForm.zip HTTP/1.0
User-Agent: MalwareMustDie/1.10.1
Accept: */*
Host: 205.196.120.110
Connection: Keep-Alive

HTTP/1.1 302 Found
Location: h00p://www.mediafire.com/?uoqv786sj08g7e2
Connection: Close

GET /?uoqv786sj08g7e2 HTTP/1.0
User-Agent: MalwareMustDie/1.10.1
Accept: */*
Host: www.mediafire.com
Connection: Keep-Alive

HTTP/1.1 302 Found
Date: Thu, 06 Sep 2012 13:46:27 GMT
Cache-control: no-cache
Pragma: no-cache
Expires: 0
Set-Cookie: ukey=5l8f4622p85a2nl61q8yadidbjjyx0wr; 
            expires=Thu, 07-Aug-2014 13:46:27 GMT; 
            path=/; domain=.mediafire.com; httponly
Location: h00p://199.91.153.58/3h59697w91jg/uoqv786sj08g7e2/Application+Form.zip
Vary: Accept-Encoding
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8
Server: MediaFire

GET /3h59697w91jg/uoqv786sj08g7e2/Application+Form.zip HTTP/1.0
User-Agent: MalwareMustDie/1.10.1
Accept: */*
Host: 199.91.153.58
Connection: Keep-Alive

HTTP/1.1 200 OK
Server: LRBD-stable-724
Date: Thu, 6 Sep 2012 13:46:27 GMT
Connection: close
Accept-Ranges: bytes
Content-transfer-encoding: binary
Content-Length: 640712
Content-Disposition: attachment; filename="Application Form.zip"
Content-Type: application/zip

I bet there are more of these, since I have to stop my scanning script 
because it looks never ending..

I downloaded it and it was a plain zip file contains this file:


According to the server's time stamp it looks like months ago 
released / uploaded trojan. A quicky of binary analysis below:
*) PE Information:
Entry Point at 0x132d3e
Virtual Address is 0x53493e
Sections:
   .text 0x2000 0x132944 1255936 <---Entry Point
   .sdata 0x136000 0x7d 512
   .rsrc 0x138000 0x10470 67072
   .reloc 0x14a000 0xc 512

*) Suspicious Points:
CRC Fail! Claimed:  0 Actual:  1358198
Compiled: 0x4F087C53 [Sat Jan 07 17:09:39 2012 UTC]
Compiler Trace: Microsoft Visual C# / Basic .NET /Microsoft Visual Studio .NET
Some URLs: 
Checking h00p://ns.adobe.com/xap/1.0/sType/ResourceRef# ... OK
Checking h00p://purl.org/dc/elements/1.1/ ... OK
Checking h00p://www.w3.org/1999/02/22-rdf-syntax-ns# ... OK
Checking h00p://ns.adobe.com/xap/1.0/mm/ ... OK
Checking h00p://ns.adobe.com/xap/1.0/ ... OK
Checking h00p://ns.adobe.com/photoshop/1.0/ ... OK
Checking h00p://ns.adobe.com/exif/1.0/ ... OK
Checking h00p://ns.adobe.com/tiff/1.0/ ... OK
Checking h00p://www.apple.com/DTDs/PropertyList-1.0.dtd ... OK

*) Attribute:
  LangID: 000004b0
  LegalCopyright: Copyright \xa9  2011
  Assembly Version: 1.0.0.0
  InternalName: ApplicationForm.exe
  FileVersion: 1.0.0.0
  ProductName: Microsoft Word
  ProductVersion: 1.0.0.0
  FileDescription: Microsoft Word
  OriginalFilename: ApplicationForm.exe

I bet many others already analyzed this sample so I just checked in into VT:
MD5:       0ce2039d64903171243b6206dc889807
File size: 1.3 MB ( 1325056 bytes )
File name: ApplicationForm.exe
File type: Win32 EXE
Detection: 30 / 42
Analysis date:  2012-05-07 20:38:32 UTC ( 4month ago ) 
URL: --->>>[CLICK]
Malware Names:
CAT-QuickHeal            : TrojanBanker.MSIL.MultiPhishi
McAfee                   : Artemis!0CE2039D6490
K7AntiVirus              : Trojan
TheHacker                : Trojan/MultiPhishing.aa
NOD32                    : a variant of MSIL/Spy.Banker.O
Symantec                 : Infostealer.Bancos
Norman                   : W32/Troj_Generic.NPFX
TrendMicro-HouseCall     : TROJ_SPNR.06B512
Avast                    : MSIL:Banker-A [Trj]
eSafe                    : Win32.Infostealer.Ba
Kaspersky                : Trojan-Banker.MSIL.MultiPhishing.aa
BitDefender              : Gen:Variant.Kazy.42127
Comodo                   : UnclassifiedMalware
F-Secure                 : Gen:Variant.Kazy.42127
DrWeb                    : Trojan.Siggen3.42852
VIPRE                    : Trojan.Win32.Generic!BT
AntiVir                  : TR/Kazy.42127.34
TrendMicro               : TROJ_SPNR.06B512
McAfee-GW-Edition        : Artemis!0CE2039D6490
Emsisoft                 : Trojan-Banker.MSIL!IK
Jiangmin                 : Trojan/Banker.MSIL.x
Antiy-AVL                : Trojan/MSIL.MultiPhishing.gen
Microsoft                : Trojan:Win32/Sisron
GData                    : Gen:Variant.Kazy.42127
VBA32                    : TrojanBanker.MSIL.MultiPhishing.aa
PCTools                  : Trojan-PSW.Bancos!rem
Ikarus                   : Trojan-Banker.MSIL
Fortinet                 : W32/MultiPhishing.AA!tr
AVG                      : Generic26.CGTQ
Panda                    : Generic Trojan

Yep, this is the trojan banker which steals your credentials.
It was last detected 4months ago according to the VT database.
I am not going to analyze this because of is an obvious known & well handled malware.
Complete technical analysis can be found in microsoft site↓
http://www.microsoft.com/security/portal/Threat/Encyclopedia/
  Entry.aspx?
  Name=Trojan%3AWin32%2FSisron

And this trojan was reported suddenly grows according to this news↓
http://www.itp.net/587904-trojan-banker-attacks-escalate

Hope Media Fire see this blog to soon get rid of them from their server.
When #malware infector goes to Cloud: Trojan Banker in Free Cloud Storage - MediaFire

Recent Posts

MMD-0062-2017 - Credential harvesting by SSH Direct TCP Forward attack via IoT botnet 27 Feb 2017

MMD-0061-2016 - EnergyMech 2.8 overkill mod 28 Nov 2016

Linux Malware Research List Updated 22 Nov 2016
