No, I wasn't looking for a crack, I was looking for their hijacks lol..
Opening the cracks.ws site instantly loads a browser hijack attempt, including an IRC trojan and a few xxxx.exe files, leading up to a full hijack of the desktop.
================
Sites Logged :
================
totsex.net
fuck-access.com
www.loadcash.biz
195.225.176.38/
72.36.176.236
66.98.244.106
totsex.net
66.98.128.0 - 66.98.255.255
Everyones Internet, Inc.
72.36.176.236
72.36.128.0 - 72.36.223.255
Layered Technologies, Inc.
Got this:
http://castlecops.com/s6898-path_cmd32_exe...ardProfile.html

Sophos analysis of another cmd32.exe version:
http://www.sophos.com/virusinfo/analyses/trojdloaderhf.html
QUOTE
Troj/Dloader-HF is a downloader Trojan.
Troj/Dloader-HF attempts to copy itself to the Windows system folder with the filename CMD32.EXE and to set the following entry in the registry so as to run itself on system startup, resetting this value periodically:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
ControlPanel =
<Windows system folder>\cmd32.exe internat.dll,LoadKeyboardProfile
Troj/Dloader-HF attempts to download files from the following websites to numbered files with DAT extensions or to the files CC.C or UU.U:
hxxp ://dapsol.com
hxxp ://www.awmcash.biz
Troj/Dloader-HF then copies the downloaded files to the Windows system folder with the following filenames and executes them:
usxxcxzcb.exe
lpzxczxct.exe
izxczxcr.exe
intrcxzcxzcon.exe
intffdsronsad.exe
intfsdffdsronsad.exe
intronsad.exe
And this:

Outpost logs ...
QUOTE
06:34:50 Internet Explorer hxxp ://www.loadcash.biz/adverts/19/msits.exe www.loadcash.biz URL
06:34:50 Internet Explorer GET /adverts/19/msits.exe www.loadcash.biz REQUEST
06:34:50 Internet Explorer OK www.loadcash.biz ANSWER - 200
06:34:45 Internet Explorer OK www.loadcash.biz ANSWER - 200
06:34:45 Internet Explorer hxxp ://www.loadcash.biz//adverts//42//main.chm www.loadcash.biz URL
06:34:45 Internet Explorer GET //adverts//42//main.chm www.loadcash.biz REQUEST
06:34:40 Internet Explorer OK www.loadcash.biz ANSWER - 200
06:34:40 Internet Explorer OK totsex.net ANSWER - 200
06:34:39 Internet Explorer hxxp ://195.225.176.38/adverts/42/sploit.anr www.loadcash.biz URL
06:34:39 Internet Explorer GET /pload.php totsex.net REQUEST
06:34:39 Internet Explorer GET /adverts/42/sploit.anr www.loadcash.biz REQUEST
06:34:39 Internet Explorer hxxp ://totsex.net/pload.php totsex.net URL
06:34:38 Internet Explorer OK www.loadcash.biz ANSWER - 200
06:34:37 Internet Explorer http ://195.225.176.38/adverts/42/1.htm www.loadcash.biz URL
06:34:37 Internet Explorer GET /adverts/42/1.htm www.loadcash.biz REQUEST
06:34:37 Internet Explorer OK fuck-access.com ANSWER - 200
06:34:36 Internet Explorer GET /b/?id=st00001&x=1&r=hxxp ://totsex.net/&bgcolor=808080&text=FFFFFF&link=FFFF00&vlink=FFFF00&alink=99FF00&font=Verdana&cash=1178 fuck-access.com REQUEST
06:34:36 Internet Explorer hxxp ://72.36.176.236/b/?id=st00001&x=1&r=hxxp ://totsex.net/&bgcolor=808080&text=FFFFFF&link=FFFF00&vlink=FFFF00&alink=99FF00&font=Verdana&cash=1178 fuck-access.com URL
06:34:35 Internet Explorer OK totsex.net ANSWER - 200
06:34:34 Internet Explorer hxxp ://totsex.net/ totsex.net URL
06:34:34 Internet Explorer GET / totsex.net REQUEST
06:34:34 Internet Explorer Found fuck-access.com ANSWER - 302
06:34:33 Internet Explorer hxxp ://fuck-access.com/i/?id=st00071&r=hxxp ://www.crackz.ws/ fuck-access.com URL
And some xxxx.exe files ...
Disassembled one of the xxxx.exe files, programmed in Delphi, which holds the following URLs to load even more files from loadcash.biz:
CODE
SLP0040365C_hxxp___www_loadcash_biz_adverts_:
db ' z11.exe '
Align 4
dd FFFFFFFFh
dd 00000005h
SLP0040364C_1_dat:
db '1.dat'
Align 4
dd FFFFFFFFh
dd 0000002Fh
SLP0040365C_hxxp___www_loadcash_biz_adverts_:
db 'hxxp ://www.loadcash.biz/adverts/soft/reserv.exe'
Align 4
dd FFFFFFFFh
dd 00000007h
SLP00403694_z12_exe:
db 'z12.exe'
Align 4
dd FFFFFFFFh
dd 00000005h
SLP004036A4_2_dat:
db '2.dat'
Align 4
dd FFFFFFFFh
dd 0000002Bh
SLP004036B4_hxxp___www_loadcash_biz_adverts_:
db 'hxxp ://www.loadcash.biz/adverts/soft/12.exe'
Align 4
dd FFFFFFFFh
dd 00000007h
SLP004036E8_z13_exe:
db 'z13.exe'
Align 4
dd FFFFFFFFh
dd 00000005h
SLP004036F8_3_dat:
db '3.dat'
Align 4
dd FFFFFFFFh
dd 0000002Dh
SLP00403708_http___www_loadcash_biz_adverts_:
db 'hxxp://www.loadcash.biz/adverts/soft/ieac.exe'
Align 4
dd FFFFFFFFh
dd 00000007h
SLP00403740_z14_exe:
db 'z14.exe'
Align 4
dd FFFFFFFFh
dd 00000005h
SLP00403750_4_dat:
db '4.dat'
Align 4
dd FFFFFFFFh
dd 0000002Dh
SLP00403760_http___www_loadcash_biz_temp_sof:
db 'hxxp://www.loadcash.biz/temp_soft/on-line.exe'
Align 4
dd FFFFFFFFh
dd 00000007h
SLP00403798_z15_exe:
db 'z15.exe'
Align 4
dd FFFFFFFFh
dd 00000005h
SLP004037A8_6_dat:
db '6.dat'
Align 4
dd FFFFFFFFh
dd 00000030h
SLP004037B8_http___www_loadcash_biz_adverts_:
db 'hxxp ://www.loadcash.biz/adverts/soft/desktop.exe'
Align 8
dd FFFFFFFFh
dd 00000007h
SLP004037F4_z16_exe:
db 'z16.exe'
Align 4
dd FFFFFFFFh
dd 00000005h
SLP00403804_7_dat:
db '7.dat'
Align 4
dd FFFFFFFFh
dd 00000030h
SLP00403814_http___www_loadcash_biz_adverts_:
db 'hxxp ://www.loadcash.biz/adverts/soft/toolbar.exe'
Align 4
dd FFFFFFFFh
dd 00000009h
SLP00403850_cmd32_exe:
db 'cmd32.exe'
Align 4
dd FFFFFFFFh
dd 0000000Bh
SLP00403864_twink64_exe:
db 'twink64.exe'
Align 4
dd FFFFFFFFh
dd 0000000Ah
SLP00403878_host32_exe:
db 'host32.exe'
Align 4
dd FFFFFFFFh
dd 0000000Dh
SLP0040388C_intronsad_exe:
db 'intronsad.exe'
Align 4
dd FFFFFFFFh
dd 00000005h
SLP004038A4_5_dat:
db '5.dat'
Align 4
dd FFFFFFFFh
dd 0000002Eh
SLP004038B4_http___www_loadcash_biz_adverts_:
db 'hxxp ://www.loadcash.biz/adverts/soft/block.exe'
Align 4
dd FFFFFFFFh
dd 0000002Eh
SLP004038EC_Software_Microsoft_Windows_Curre:
db 'Software\Microsoft\Windows\CurrentVersion\Run\'
Align 4
dd FFFFFFFFh
dd 00000021h
SLP00403924__internat_dll_LoadKeyboardProfil:
db ' internat.dll,LoadKeyboardProfile '
Align 4
dd FFFFFFFFh
dd 0000000Ch
SLP00403950_ControlPanel:
db 'ControlPanel'
Align 4
dd FFFFFFFFh
dd 00000005h
SLP00403968__adv_:
db '?adv='
Align 4
dd FFFFFFFFh
dd 00000005h
SLP00403978__num_:
db '&num='
Align 4
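Added example (not part of the original post, and not Sophos or Outpost code): in the listing above every string is preceded by dd FFFFFFFFh and a dd holding its length, which is how Delphi lays out AnsiString constants, so a triage script can pull the URLs, drop names and the Run key out of a sample without a disassembler. The function names and the SAMPLE bytes are constructed for illustration; only the strings come from the listing.

```python
import re
import struct
# Delphi AnsiString constant: refcount -1 (dd FFFFFFFFh), 32-bit length,
# then the bytes and a terminating NUL, as in the listing above.
HEADER = b"\xff\xff\xff\xff"

def delphi_const(text):
    """Lay out one constant like the compiler does (used to build SAMPLE)."""
    raw = text.encode("ascii")
    blob = HEADER + struct.pack("<I", len(raw)) + raw + b"\x00"
    return blob + b"\x00" * (-len(blob) % 4)  # 'Align 4' padding

def extract_delphi_strings(image, max_len=512):
    """Return (offset, string) for every plausible AnsiString constant."""
    found = []
    pos = image.find(HEADER)
    while pos != -1:
        start = pos + 8
        if start <= len(image):
            (length,) = struct.unpack_from("<I", image, pos + 4)
            body = image[start:start + length]
            nul = image[start + length:start + length + 1] == b"\x00"
            if (0 < length <= max_len and len(body) == length and nul
                    and all(0x20 <= b < 0x7F for b in body)):
                found.append((start, body.decode("ascii")))
        pos = image.find(HEADER, pos + 1)
    return found

def triage(strings):
    """Sort extracted strings into the indicator types seen in the post."""
    report = {"urls": [], "files": [], "registry": [], "other": []}
    for _, s in strings:
        s = s.strip()
        if re.match(r"(?i)https?://", s):
            report["urls"].append(re.sub(r"(?i)^http", "hxxp", s))  # defang
        elif re.search(r"(?i)\.(exe|dat|dll)\b", s):
            report["files"].append(s)
        elif s.lower().startswith("software\\"):
            report["registry"].append(s)
        else:
            report["other"].append(s)
    return report

# Constructed sample image; strings from the listing, URL re-fanged in memory only.
SAMPLE = (b"\x90" * 6 + delphi_const("z12.exe") + delphi_const("2.dat")
    + delphi_const("hxxp://www.loadcash.biz/adverts/soft/reserv.exe".replace("hxxp", "http"))
    + b"\xff\xff\xff\xff\x10\x00\x00\x00\x01\x02"  # decoy: header bytes, no string
    + delphi_const("Software\\Microsoft\\Windows\\CurrentVersion\\Run\\")
    + delphi_const("ControlPanel"))
```

The recovered lengths match the dd values in the listing (2Fh for the reserv.exe URL, 2Eh for the Run key path), which is a quick check that the layout assumption holds for a given sample.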