Posted by: Dan O'Connor
backdoor, malware, malware analyzing, malware engineering, remnux, trojan
I picked up another similar listener to the Groupon one the other day. This again is an attached ZIP file with an exe inside.
It says it's from paypai.com; depending on your font, the i will look like an L.
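The paypai.com trick relies on characters that render alike (i and l here). As an added example, not code from the original post, here is a small sender-domain check that canonicalizes easily confused characters and reports when an address matches a trusted brand only after that canonicalization. The brand list and the confusable map are assumptions for illustration; a real deployment would use a fuller confusables table.

```python
import unicodedata

# Hypothetical allow-list of legitimate brand domains (constructed for this example).
TRUSTED_DOMAINS = ["paypal.com", "groupon.com", "example.com"]

# Single characters that commonly pass for one another in proportional fonts.
# Each maps to one canonical representative (assumption: a minimal table).
CONFUSABLE_CHARS = {
    "i": "l", "1": "l", "|": "l", "!": "l",
    "0": "o",
    "5": "s",
}

# Multi-character sequences that can pass for a single glyph.
CONFUSABLE_SEQUENCES = {"rn": "m", "vv": "w", "cl": "d"}


def canonicalize(domain: str) -> str:
    """Reduce a domain to a form where visually confusable spellings collide."""
    text = unicodedata.normalize("NFKC", domain).lower().strip()
    for seq, rep in CONFUSABLE_SEQUENCES.items():
        text = text.replace(seq, rep)
    return "".join(CONFUSABLE_CHARS.get(ch, ch) for ch in text)


def lookalike_of(sender_domain: str, trusted=TRUSTED_DOMAINS):
    """Return the trusted domain that sender_domain impersonates, or None.

    An exact match is not a lookalike; only a domain that differs in its raw
    spelling but collapses to the same canonical form is reported.
    """
    raw = unicodedata.normalize("NFKC", sender_domain).lower().strip()
    canon = canonicalize(raw)
    for brand in trusted:
        if raw == brand.lower():
            return None
        if canon == canonicalize(brand):
            return brand
    return None


if __name__ == "__main__":
    for addr in ["paypai.com", "paypal.com", "grouponn.com", "rnail.example.com"]:
        print(addr, "->", lookalike_of(addr))
```

The check is deliberately conservative: it flags only spellings that become identical after canonicalization, so it will miss typo-squats that add or drop characters. Pairing it with an edit-distance threshold is the usual next step.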
The exe looks like it has been reused, but I don't see any mention of its original file name. The original name appears to have been stickiestfilm.exe (MD5 42bbb627d3bcc12745e8a6fbd4b2c825).
It also appears to have been used in several other campaigns according to its technical data.
So far the only behavior I have seen is that it opens a command shell on local port 8000 TCP and awaits incoming connections. I did not see it send any outbound packets as of yet.
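Because the sample only listens and never calls out, outbound-traffic monitoring will not surface it; the host-side signal is a new listening socket. As an added example, not code from the original post, here is a parser for `netstat -ano` style output (the sample lines below are constructed) that reports listening TCP sockets outside an expected baseline, plus an MD5 check against the hash quoted above. The baseline port set is an assumption.

```python
import hashlib

# MD5 quoted in the post for stickiestfilm.exe.
KNOWN_SAMPLE_MD5 = "42bbb627d3bcc12745e8a6fbd4b2c825"

# Ports this host is expected to listen on (assumption for the example).
BASELINE_PORTS = {135, 445, 3389}

# Constructed netstat -ano output for illustration; not a real capture.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:8000           0.0.0.0:0              LISTENING       4120
  TCP    192.168.1.5:49711      93.184.216.34:443      ESTABLISHED     2332
  TCP    [::]:135               [::]:0                 LISTENING       880
  UDP    0.0.0.0:5353           *:*                                    1588
"""


def split_endpoint(endpoint: str):
    """Split 'host:port' (IPv4 or bracketed IPv6) into (host, port)."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), int(port)


def parse_netstat(text: str):
    """Yield (proto, host, port, state, pid) for each TCP socket line."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0].upper() != "TCP":
            continue  # skip headers, UDP (no state column) and blank lines
        proto, local, _foreign, state, pid = parts
        host, port = split_endpoint(local)
        yield proto, host, port, state, int(pid)


def unexpected_listeners(text: str, baseline=BASELINE_PORTS):
    """Return [(host, port, pid)] for LISTENING TCP sockets not in the baseline."""
    found = []
    for _proto, host, port, state, pid in parse_netstat(text):
        if state == "LISTENING" and port not in baseline:
            found.append((host, port, pid))
    return found


def md5_matches_sample(data: bytes) -> bool:
    """True if the bytes hash to the MD5 quoted for the sample."""
    return hashlib.md5(data).hexdigest() == KNOWN_SAMPLE_MD5


if __name__ == "__main__":
    for host, port, pid in unexpected_listeners(SAMPLE_NETSTAT):
        print(f"unexpected listener {host}:{port} owned by PID {pid}")
```

Mapping the PID back to its image path (`tasklist` or a process listing) and hashing that image closes the loop: a fresh listener on an unbaselined port whose owning binary hashes to a known sample is a strong host indicator even with no network egress.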
Next is some source analysis.