Irregular Expressions

Aug 21 2012   12:35AM GMT

Paypai.com



Posted by: Dan O'Connor
Tags:
backdoor
malware
malware analyzing
malware engineering
remnux
trojan

I picked up another listener similar to the Groupon one the other day. This again is an attached ZIP file with an exe inside.

It says it's from paypai.com; depending on your font, the i will look like an L.
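The look-alike domain trick above (an "i" standing in for an "l") can be caught before a reader has to squint at the font. The following Python is an added example, not code from the original post: it folds visually confusable characters to one canonical form and compares the result against a short, constructed list of brand domains. The confusable table and the brand list are assumptions chosen for illustration; a real deployment would carry a fuller table and its own list of protected brands.

```python
from typing import Dict, Iterable, Optional

# Single characters that render almost identically to another in many fonts.
# Each is folded to one representative so that "paypai" and "paypal" compare
# equal. Assumed table, extend as needed.
SINGLE_CONFUSABLES: Dict[str, str] = {
    "i": "l", "1": "l", "|": "l", "!": "l",
    "0": "o",
}

# Two-character sequences that imitate one letter ("rn" for "m", "vv" for "w").
PAIR_CONFUSABLES: Dict[str, str] = {
    "rn": "m",
    "vv": "w",
}

# Constructed list of brand domains worth protecting against impersonation.
KNOWN_BRANDS = ["paypal.com", "groupon.com", "microsoft.com"]


def fold(domain: str) -> str:
    """Lower-case the domain and collapse confusable characters."""
    d = domain.lower()
    for pair, single in PAIR_CONFUSABLES.items():
        d = d.replace(pair, single)
    return "".join(SINGLE_CONFUSABLES.get(ch, ch) for ch in d)


def lookalike_of(domain: str) -> Optional[str]:
    """Return the brand domain that `domain` imitates, or None.

    An exact (case-insensitive) brand match is legitimate, not a look-alike.
    Both sides are folded, so a brand containing 'i' still compares correctly.
    """
    d = domain.lower()
    if d in KNOWN_BRANDS:
        return None
    folded = fold(d)
    for brand in KNOWN_BRANDS:
        if folded == fold(brand):
            return brand
    return None


def classify_senders(addresses: Iterable[str]) -> Dict[str, Optional[str]]:
    """Map each sender address to the brand its domain imitates, if any."""
    result: Dict[str, Optional[str]] = {}
    for addr in addresses:
        domain = addr.rsplit("@", 1)[-1]
        result[addr] = lookalike_of(domain)
    return result


if __name__ == "__main__":
    # Constructed sample senders, including the one from this post.
    for addr, brand in classify_senders(
        ["service@paypai.com", "billing@paypal.com", "deals@rnicrosoft.com"]
    ).items():
        print(f"{addr}: {'impersonates ' + brand if brand else 'no match'}")
```

Folding both the candidate and the brand keeps the comparison symmetric: a brand that itself contains an "i" (microsoft.com) is folded to the same string as its "rn"/"l" imitation, so the check does not depend on which side the confusable character lands on.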

The exe looks like it has been reused, but I don't see any mention of its original file name. The original name appears to have been stickiestfilm.exe (MD5 42bbb627d3bcc12745e8a6fbd4b2c825).

It also appears to have been used in several other campaigns according to its technical data.

https://www.virustotal.com/file/a9cbb0ac7ce189f4340fd23f295b118b28d74709c47205fed58c464e0ffcd942/analysis/

So far the only behavior I have seen is that it opens a command shell on local port 8000 TCP and awaits incoming connections. I have not seen it send any outbound packets as of yet.
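A bind shell that only listens leaves no outbound traffic to alert on, so the host-side check is for an unexpected listening socket. The Python below is an added example, not code from the original post: it parses `netstat -ano` style output (the sample text is constructed, with a listener on port 8000 to mirror the behaviour described here) and reports any TCP listener whose port is not in a per-host baseline. The baseline set is an assumption standing in for whatever inventory a real host would carry.

```python
from typing import List, NamedTuple, Set

# Constructed sample, in the column layout of Windows `netstat -ano`.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       776
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:8000           0.0.0.0:0              LISTENING       2312
  TCP    192.168.1.5:49160      93.184.216.34:443      ESTABLISHED     1840
  TCP    [::]:3389              [::]:0                 LISTENING       1012
  UDP    0.0.0.0:123            *:*                                    1400
"""

# Assumed baseline: ports this host is known to listen on legitimately.
BASELINE_PORTS: Set[int] = {135, 139, 445, 3389}

# Binds on these addresses are reachable from any interface, not just loopback.
WILDCARD_ADDRS = {"0.0.0.0", "[::]"}


class Listener(NamedTuple):
    proto: str
    addr: str
    port: int
    pid: int


def parse_netstat(text: str) -> List[Listener]:
    """Extract TCP sockets in the LISTENING state from netstat -ano output.

    Header lines and UDP rows (which carry no State column) are skipped
    because they do not have five whitespace-separated fields with
    'LISTENING' in the fourth position.
    """
    listeners: List[Listener] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "TCP" or parts[3] != "LISTENING":
            continue
        # rpartition handles bracketed IPv6 addresses such as [::]:3389.
        addr, _, port = parts[1].rpartition(":")
        listeners.append(Listener(parts[0], addr, int(port), int(parts[4])))
    return listeners


def unexpected_listeners(text: str, baseline: Set[int] = BASELINE_PORTS) -> List[Listener]:
    """Return listeners whose port is outside the host baseline."""
    return [l for l in parse_netstat(text) if l.port not in baseline]


def describe(listener: Listener) -> str:
    """One-line alert text, noting whether the bind is network-reachable."""
    exposure = "on all interfaces" if listener.addr in WILDCARD_ADDRS else f"on {listener.addr}"
    return f"PID {listener.pid} listening {exposure}, port {listener.port}/{listener.proto}"


if __name__ == "__main__":
    for l in unexpected_listeners(SAMPLE_NETSTAT):
        print(describe(l))
```

The same parser works on a live `netstat -ano` capture piped in from a suspect host; the PID in the alert line is what you then map to an image path to see which executable owns the socket.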

Next is some source analysis.
