No idea if the author trashed it or...
So here you go... in plain text:
Now, for the winlock:
First, before adding a startup key or anything else, it calls the gate directly:
The gate returns your country code ('FR' for me), which is then used to call the landing page:
The landing page source is parsed to check whether it contains '404' anywhere:
Everything is cool, so we call the same page again.
Then it looks for "ApplicationJ"; if that string is not found, the app crashes later:
So... let's troll it again:
Everything is cool again, and the malware hides itself by setting its file attributes to READONLY|HIDDEN|SYSTEM:
Finally it messes with the registry, FirewallDisableNotify:
It retrieves APPDATA and...
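The gate/landing exchange described above is easy to satisfy from a lab box so the locker keeps running while you watch it. The following is an added example, not code from the original post or from the malware author: a minimal fake responder that returns a country code on the gate request and a landing page that passes both checks the locker performs (no '404' anywhere in the source, "ApplicationJ" present). The post does not give the request paths, parameters or response format, so the `/gate` and `/landing` paths and the `c=` country parameter are assumptions.

```python
"""
Fake gate/landing responder for detonating the locker in a lab.

Added example, not the post's own code. Taken from the analysis: the gate
returns a two-letter country code; the landing source must not contain
'404' and must contain "ApplicationJ". ASSUMED (not in the post): the
request paths "/gate" and "/landing" and the "c=" country parameter.
"""
import sys
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Tuple
from urllib.parse import parse_qs, urlparse

COUNTRY_CODE = "FR"              # what the real gate returned for the author
LANDING_MARKER = "ApplicationJ"  # string the locker searches the landing for


def locker_accepts_landing(body: str) -> bool:
    """Mirror the two checks the locker performs on the landing page source."""
    if "404" in body:            # any '404' in the source: the locker gives up
        return False
    return LANDING_MARKER in body  # marker missing: the locker crashes later


def build_landing(country: str) -> str:
    """A landing page body that passes locker_accepts_landing()."""
    # Careful: the substring '404' must not appear anywhere, HTML included.
    return (
        "<html><body>\n"
        f"<!-- lab landing for {country} -->\n"
        f'<div id="{LANDING_MARKER}">locked</div>\n'
        "</body></html>\n"
    )


def build_response(path: str) -> Tuple[int, str]:
    """Map a request path to (status, body). Pure, so it can be tested offline."""
    url = urlparse(path)
    if url.path.endswith("/gate"):        # assumed path
        return 200, COUNTRY_CODE
    if url.path.endswith("/landing"):     # assumed path and "c=" parameter
        country = parse_qs(url.query).get("c", [COUNTRY_CODE])[0]
        return 200, build_landing(country)
    # Anything unexpected gets a real 404 so it stands out in the request log.
    return 404, "not found"


class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        status, body = build_response(self.path)
        data = body.encode()
        self.send_response(status)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, fmt, *args):
        # Every request is logged: you should see gate, then landing twice.
        sys.stderr.write("locker request: %s\n" % (fmt % args))


if __name__ == "__main__":
    # Point the C&C hostname at this box (hosts file or sinkhole DNS) first.
    HTTPServer(("0.0.0.0", 80), Handler).serve_forever()
```

Redirect the C&C hostname to the box running this before detonating the sample; the request log then shows the gate call followed by the two landing fetches described above, and the locker proceeds to the file-attribute and registry changes instead of bailing out.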
Let's have a look at the C&C:
• dns: 1 ›› ip: 18.104.22.168 - address: HOPOBTOP.HOPTO.ORG
Directory listing is enabled; it seems the guy is totally dumb:
RU (this one is interesting because it targets Russia, and the name of this file was in lower case, unlike the rest of the landing pages, which were in upper case; according to the modification date, the page was also added to the server at a different time than the rest, so the author probably did the translation himself):
l - копия ("l - copy"):
*.php.bak (ok guys, I will not troll this):
stat - копия ("stat - copy"):
Even the panel is lame; it is based on Aldi Bot.
Screenshots from the Ulocker coder.
Ah, also... remember the SpyEye idiots?
They are back on Citadel, leaving their install folders behind: