Thursday 27 December 2012

Moneycloud PPI Affiliate (Simda.A)

New PPI affiliate appeared

I know it since the begining i was just bored to have a look..
 Via mails etc....

Advert:

Statistic screenshot of a guys inside:

ICQ:

It's the end of 2012 so.. wanna laugh a bit ?
For fake screenshots i've not used a hacked server, i've just browsed hackforum and 'steal' a screenshot:

Hide the notepad and bot last response with my icq discution:

mfw:

Was a bit delicate after he wanna test me:

I've made him wait the time i found a solution without harming people..
Finaly after that i was ready... but the support was away...

Affiliate page was not difficult to find, you just have to search the mail adress he used for icq.

And we have...
• dns: 1 ›› ip: 111.90.159.122 - adresse: MONEYCLOUD.SU• dns: 1 ›› ip: 46.183.220.14 - adresse: MCSTAT.SU

Hosted by Piradius.

Login page:

More cool you can even play to the game of 'who joined the aff'
If a member don't exist on the affiliate you will get this error message:
If the guys exist:
They have a 'test' account:
>username exist
>Invalid username


Ok, enought trolling, after 4 hours of idling the support is back on ICQ:

The account creation took 30 mins hmm... ok i've wait 1h in final:

Dashboard:

Stats:

Payements:

EXE download:

Profile:

So i've looked the source and...

add-teammember:
add-project:
categories:
I've says i will not troll them but it's hard to resist.
Wan't have a look on admin mode ?
 Dashboard:

Add a new member:

Add category:

User list:

Modify news:


Profile update:

Write batch:

Found also the way to view profil of guys


And what's do they load ?
Okay i even no need to reverse it, thanks !

For the sample he asked me to do 20-30 loads: https://www.virustotal.com/file/9d6367cca7b0de6f574ac622d7c12ef22d58b5268b12db9bd82de0d6b40ad184/analysis/1356133199/

File downloaded from the panel: https://www.virustotal.com/file/6a9683f64045ac8c95f77544125d8127cb889e69787fdb0c2ee7ffc861c425e5/analysis/1356140250/

No, seriously the file is interesting, it's a trojan downloader which payload is rootkit with file infector capabilities (infects fastfat.sys) + exploit on board (brief looking revealed CVE-2010-3338) + a lot of antivm, anti forensics and a bitcoin miner under VB RunPE.

I've grabbed the admin IP also but he's behind a proxy.
Moment : 22/12/2012 17:47:59
Ip : 95.140.125.62
Host : free-125-62.mediaworksit.net
ref : Unspecified
ua: Mozilla/5.0 (X11; Linux i686; rv:17.0) Gecko/20100101 Firefox/17.0
Moment : 22/12/2012 17:48:14
Ip : 95.140.125.62
Host : free-125-62.mediaworksit.net
ref : Unspecified
ua: Mozilla/5.0 (X11; Linux i686; rv:17.0) Gecko/20100101 Firefox/17.0




Happy holidays and see you in 2013!

7 comments:

  1. I LOVE your articles Steven !
    Happy new year and thanks.
    Faith.

    ReplyDelete
  2. You are just awesome Xylitol!
    Have a very happy new year!
    ^_^

    ReplyDelete
  3. Amusing read, keep up the good work in 2013!

    ReplyDelete
  4. Happy new year :)

    PS. Temari is cute :3

    ReplyDelete
  5. happy new year steven

    ReplyDelete
  6. Happy new year !

    ReplyDelete