Saturday, August 19, 2017

Status of api.ipify.org - is it malicious or non malicious?

This site is found in many malware communication. So we are writing this post to clear the mist that it is not malicious. Please refer the below status from the security researcher community and look at the conclusion section for our comments.

Comments from security researchers: 
api.ipify.org is being used by malware C&C. As of the date of this post, the site itself is not currently malicious, instead it is being abused by malicious software.

To find related malware which at some point makes use of this API, use virustotal's search feture and enter these into it. Do not visit these sites with your browser!!!

77.79.81.251
77.79.81.241


https://virustotal.com/en/url/a5a3a9650cc71966caa70cd24d9e2c2cd75f2fc0e855f752680a65c1ac5a07c1/analysis/ 

https://virustotal.com/en/url/f0932fab71509884e4295ccfdffdf0f0b06ccd1f8b6d4a1164cd3a0a1c4cb444/analysis/ 
https://virustotal.com/en/file/cde02ef53df63d7181f4067475f141c0e1bcc96722d9a07ef1de53a705698d4b/analysis/1488298585/ 
https://sitecheck.sucuri.net/results/astechfitnes.com
https://virustotal.com/en/url/a5a3a9650cc71966caa70cd24d9e2c2cd75f2fc0e855f752680a65c1ac5a07c1/analysis/1490807692/ 
https://virustotal.com/en/file/63733fe624b6e2ca7941a30e33f2e664a973d91c5a28abe6204aab4a0062d917/analysis/ 
https://virustotal.com/en/url/a406838ee2d4ac737f26aadbf7e2d88563959f2c1f703b5f3d90e364505f3217/analysis/ 
https://virustotal.com/en/url/f0932fab71509884e4295ccfdffdf0f0b06ccd1f8b6d4a1164cd3a0a1c4cb444/analysis/ 
63733fe624b6e2ca7941a30e33f2e664a973d91c5a28abe6204aab4a0062d917
api.ipify.org
hedhesarbi.com
hedhesarbi.com/ls5/forum.php
mytahowre.ru/ls5/forum.php
ronyratres.ru/ls5/forum.php
thechmgroup.com
prowebhelper.net



Conclusion:
Many ransomware families used this public API to collect or gather the IP address of the infected machines aka victim machine details. But in many real world applications using this public API for legitimate purpose. So it can't be blocked. But keep an eye on this API and check for what it is used in your network.


Post made by
newWorld

Monday, August 7, 2017

Malspam Email Analysis by Malware Traffic Analysis Team:

In recent post of malware traffic analysis, they done a good analysis on malspam emails and how that spam campaign works. Please refer their post:

http://malware-traffic-analysis.net/2017/08/07/index.html















Please refer the following links to download the files of email, pcap, etc.
Zip archive of the emails:  2017-08-07-fake-BBB-malspam-emails.zip   11.5 kB (11,482 bytes)
- http://malware-traffic-analysis.net/2017/08/07/2017-08-07-fake-BBB-malspam-emails.zip

Zip archive of the pcap:  2017-08-07-fake-BBB-malspam-traffic.pcap.zip   54.6 kB (54,572 bytes)
- http://malware-traffic-analysis.net/2017/08/07/2017-08-07-fake-BBB-malspam-traffic.pcap.zip

Zip archive of the malware and artifacts:  2017-08-07-fake-BBB-malspam-artifacts-and-malware.zip   1.01 MB (1,008,835 bytes)
- http://malware-traffic-analysis.net/2017/08/07/2017-08-07-fake-BBB-malspam-artifacts-and-malware.zip

Note: ZIP files are password-protected with the standard password.


Post made by
newWorld

Operating system - Part 1:

 In our blog, we published several articles on OS concepts which mostly on the perspective for malware analysis/security research. In few in...