New PPI affiliate appeared
I've known about it since the beginning, I was just too bored to have a look..
Statistics screenshot from a guy inside:
It's the end of 2012 so.. wanna laugh a bit?
For the fake screenshots I didn't use a hacked server, I just browsed hackforum and 'stole' a screenshot:
Hid the notepad and the bot's last response with my ICQ discussion:
It got a bit delicate afterwards when he wanted to test me:
I made him wait until I found a solution that didn't harm people..
Finally, after that I was ready... but the support was away...
The affiliate page was not difficult to find, you just have to search for the mail address he used for ICQ.
And we have...
• dns: 1 ›› ip: 22.214.171.124 - adresse: MONEYCLOUD.SU
• dns: 1 ›› ip: 126.96.36.199 - adresse: MCSTAT.SU
Even cooler, you can play the game of 'who joined the aff'
If a member doesn't exist on the affiliate you will get this error message:
Ok, enough trolling, after 4 hours of idling the support is back on ICQ:
The account creation took 30 mins hmm... ok, I waited 1h in the end:
So I looked at the source and...
Want to have a look at admin mode?
Add a new member:
Also found a way to view the guys' profiles
For the sample he asked me to do 20-30 loads: https://www.virustotal.com/file/9d6367cca7b0de6f574ac622d7c12ef22d58b5268b12db9bd82de0d6b40ad184/analysis/1356133199/
File downloaded from the panel: https://www.virustotal.com/file/6a9683f64045ac8c95f77544125d8127cb889e69787fdb0c2ee7ffc861c425e5/analysis/1356140250/
No, seriously, the file is interesting: it's a trojan downloader whose payload is a rootkit with file infector capabilities (infects fastfat.sys) + an exploit on board (a brief look revealed CVE-2010-3338) + a lot of anti-VM, anti-forensics and a bitcoin miner under VB RunPE.
I also grabbed the admin IP, but he's behind a proxy.
Happy holidays and see you in 2013!