Thursday, 27 December 2012

Moneycloud PPI Affiliate (Simda.A)

A new PPI affiliate has appeared.

I've known about it since the beginning, I was just too bored to have a look..
Via mails etc....


Statistics screenshot from a guy inside:


It's the end of 2012 so.. want to laugh a bit?
For the fake screenshots I've not used a hacked server, I've just browsed hackforum and 'stolen' a screenshot:

Hiding the notepad and the bot's last response with my ICQ discussion:


It was a bit delicate after he wanted to test me:

I made him wait while I found a solution that wouldn't harm people..
Finally after that I was ready... but the support was away...

The affiliate page was not difficult to find, you just have to search for the mail address he used for ICQ.

And we have...
• dns: 1 ›› ip: - adresse: MONEYCLOUD.SU
• dns: 1 ›› ip: - adresse: MCSTAT.SU

Hosted by Piradius.

Login page:

Even cooler, you can play the game of 'who joined the aff'.
If a member doesn't exist on the affiliate you get this error message:
If the guy exists:
They have a 'test' account:
>username exist
>Invalid username

Ok, enough trolling, after 4 hours of idling the support is back on ICQ:

Account creation takes 30 mins hmm... ok, in the end I waited 1h:




EXE download:


So I looked at the source and...

I said I would not troll them but it's hard to resist.
Want to have a look at admin mode?

Add a new member:

Add category:

User list:

Modify news:

Profile update:

Write batch:

Also found the way to view the guys' profiles

And what do they load?
Okay, I don't even need to reverse it, thanks!

For the sample he asked me to do 20-30 loads:

File downloaded from the panel:

No, seriously, the file is interesting: it's a trojan downloader whose payload is a rootkit with file infector capabilities (infects fastfat.sys) + an exploit on board (a brief look revealed CVE-2010-3338) + a lot of anti-VM, anti-forensics and a bitcoin miner under VB RunPE.

I grabbed the admin IP too, but he's behind a proxy.
Moment : 22/12/2012 17:47:59
Ip :
Host :
ref : Unspecified
ua: Mozilla/5.0 (X11; Linux i686; rv:17.0) Gecko/20100101 Firefox/17.0
Moment : 22/12/2012 17:48:14
Ip :
Host :
ref : Unspecified
ua: Mozilla/5.0 (X11; Linux i686; rv:17.0) Gecko/20100101 Firefox/17.0

Happy holidays and see you in 2013!


  1. I LOVE your articles Steven !
    Happy new year and thanks.

  2. You are just awesome Xylitol!
    Have a very happy new year!

  3. Amusing read, keep up the good work in 2013!

  4. Happy new year :)

    PS. Temari is cute :3

  5. happy new year steven

  6. Happy new year !