Monday 10 June 2013

Trojan:Win32/Tobfy.M Affiliate

Came across a Tobfy sample today; things were interesting, so here is a post.
I will skip the reversing part: I'm a bit bored of taking 50 screenshots and going step by step through what the 'M' version of Tobfy does (this winlock is very primitive and relatively easy to understand).
So, let's go directly to the C&C part.

French landing page when loaded (buggy IP retrieval and geolocation):
• dns: 1 ›› ip: 91.226.212.174 - adresse: HKKPOGMPG.POLEXT-FREEHOST.RU
• dns: 1 ›› ip: 91.226.212.174 - adresse: AREKOV.COM


Panel screenshots (images not preserved in this copy): Login, Registration, News, Statistics, Checks, Links/EXE (39090a097cfbe4ab766317e5f3d74b53), Rules, Affiliate stats (ignore the 'admin' account, it's also made by me), Affiliate Checks.

Some samples taken from the server:
http://www.kernelmode.info/forum/viewtopic.php?f=16&t=2214&start=10#p19581

I'm a bit unfamiliar with Tobfy, but this is the first time I've seen it on an affiliate system.
