Friday, 20 December 2013

Win32/BruteForce.WP

Dr.Web published a news item about this malware in August; they detect it as 'Trojan.WPCracker.1'.
A more recent sample: 1e8cd0f0f1702820c870302520bc0176.

This executable communicates with a C&C at dorblu99.net.
Let's have a closer look at the panel.

Panel sections (one screenshot each in the original post):

Login
Main
Bot info
Broken wordpress
Statistics
Add domains
Add admin panels
Add logins
Add passwords
Add module for jm (zip)
Add module for wp (zip)
Add shell jm (php)
Cron brute
Ban list
Logs
Domains list (downloaded by the malware so it knows which WordPress sites it should brute-force): 36k URLs.
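The panel hands each bot a domain list plus login and password lists, and the bots then hammer wp-login.php on every site in the list. From the defending side, that activity is visible in the web server's access log. The following Python detector is an added example, not code from the original post or from the malware: it parses Apache combined-format log lines, counts POSTs to /wp-login.php per source IP inside a sliding window, and reports IPs that exceed a threshold. The log lines are constructed for the example; the "HTTP 200 on POST = failed login, 302 = successful login" heuristic and the 5-attempts-in-5-minutes threshold are assumptions you should tune to your own site.

```python
"""Detect wp-login.php brute forcing in Apache combined-format access logs.

Added example, not part of the original post. Heuristic assumptions:
  - a POST to /wp-login.php answered with 200 is a failed login (WordPress
    re-renders the form), while 302 is a successful one (redirect to wp-admin);
  - `threshold` failed POSTs from one IP inside any `window` is worth an alert.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" log format: ip ident user [ts] "req" status bytes "ref" "ua"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: one bot IP failing six times in 40 seconds, one normal
# user failing once and then logging in, and a harmless GET of the form.
SAMPLE_LOG = """\
203.0.113.7 - - [20/Dec/2013:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
203.0.113.7 - - [20/Dec/2013:10:00:08 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
198.51.100.2 - - [20/Dec/2013:10:00:10 +0000] "GET /wp-login.php HTTP/1.1" 200 3012 "-" "Mozilla/5.0 (Windows NT 6.1)"
203.0.113.7 - - [20/Dec/2013:10:00:15 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
203.0.113.7 - - [20/Dec/2013:10:00:22 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
198.51.100.2 - - [20/Dec/2013:10:00:30 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "http://example.org/wp-login.php" "Mozilla/5.0 (Windows NT 6.1)"
203.0.113.7 - - [20/Dec/2013:10:00:31 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
203.0.113.7 - - [20/Dec/2013:10:00:40 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
198.51.100.2 - - [20/Dec/2013:10:00:45 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "http://example.org/wp-login.php" "Mozilla/5.0 (Windows NT 6.1)"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], TS_FMT)
    ev["status"] = int(ev["status"])
    return ev


def find_bruteforcers(lines, window=timedelta(minutes=5), threshold=5):
    """Return {ip: total_failed_posts} for every IP that made at least
    `threshold` failed wp-login.php POSTs inside some `window`-long interval."""
    failures = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["method"] != "POST":
            continue
        if not ev["path"].startswith("/wp-login.php"):
            continue
        if ev["status"] == 200:  # assumed: failed login re-renders the form
            failures[ev["ip"]].append(ev["ts"])

    hits = {}
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):  # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                hits[ip] = len(times)
                break
    return hits


if __name__ == "__main__":
    for ip, count in find_bruteforcers(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {count} failed wp-login.php POSTs, candidate for the ban list")
```

The normal user in the sample fails once and then gets a 302, so they never reach the threshold; the bot, which never succeeds, does. Note that the bots described here work from a list of 36k domains, so the per-site rate can be low while the aggregate is high: the same detector fed with logs from several sites (or a lower threshold over a longer window) is the next step.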

Roman of abuse.ch has also written an interesting post about this threat.

6 comments:

  1. delphi bot lolz not special

  2. I can't understand, did you hack it?? If yes, how? Bruteforce / url bruteforce / sqli or someone gave you login:pass? I ask because it is really very strange that you can have access to every botnet. :)

  3. When you bruteforce these panels, do they typically have weak credentials, or do you just have a really good wordlist and let it run for a while?

     Reply:
       how do you brute force the passwords? I'm trying to use hydra but it isn't working

  4. Patience is the key :)