Hi Tremolero, here's the info I've been able to pull together. I haven't dug into it fully, but it should give you an idea:
URL: hxtp://scr4you.ru/580gop
Source URL:
http://pastebin.com/M4Zdya1n
Analysis:
VT:
https://www.virustotal.com/es/url/8c4480e7d5b0a5e1e0073f3dd6956afa99fbec7e36247bbd1927ab80f0813e41/analysis/1417056284/
SC:
http://sitecheck.sucuri.net/results/scr4you.ru
QT:
http://quttera.com/sitescan/scr4you.ru
AI: Anti-Anubis - Fatal error.
Traffic: --
WI: Anti - Error
Info:
IP address resolution:
178.208.83.13
Whois:
http://whois.domaintools.com/178.208.83.13
HTTP Response headers:
via: HTTP/1.1 GWA
x-google-cache-control: remote-fetch
server: Apache
last-modified: Sun, 23 Nov 2014 23:11:32 GMT
connection: keep-alive
date: Thu, 27 Nov 2014 02:44:45 GMT
content-type: text/html
File it downloads:
hxtps://www.dropbox.com/s/6chcr2y7a28soyo/LmG8gwXIejRa2l.scr?dl=1
Analysis:
VT:
https://www.virustotal.com/es/file/acc91e917252fcaa17b216972b92d528fd6eb4c37c0b04e712552d59f73f1b3e/analysis/1417059200/ --> 0/61
Pcap file:
VT:
https://www.virustotal.com/es/file/f28910ec609055261f118232157df9b631a47ce2bef9f7288c6656cef7c8a072/analysis/ --> 10 alerts (2 snort/8 suricata)
CC:
http://camas.comodo.com/cgi-bin/submit?file=570974d26453a8ee217135a75ac078318a5392f9fcad159b2354b9e25428b6ec
MS:
https://www.metascan-online.com/en/scanresult/file/7fa239ab11ff4165b6f542cd2deb3bec
MW:
https://malwr.com/analysis/OGI4YzNiMWM3MzI4NDAxMThlNDI3YTIzYzhlZjU1Mjc/
Changes:
Reg.Keys:
Mutexes:
Global\CLR_CASOFF_MUTEX
CTF.TimListCache.FMPDefaultS-1-5-21-1547161642-507921405-839522115-1004MUTEX.DefaultS-1-5-21-1547161642-507921405-839522115-1004
Global\.net clr networking
Strings:
++++++++++++++++
2nd:
hxtp://stearommunity.com/id/OraclE/
VT:
https://www.virustotal.com/es/url/3ff2a16e77c157d019881bbde25f77bcd7db34cbbbbdf425a2c8c63badf58c7c/analysis/1417071903/ --> 6/61 Phishing Site
In my opinion it's the same individual or group trying to spread the infection via Steam.
Regards.