Tuesday, January 15, 2019

Who's Behind BakaSoftware? - OSINT Analysis

Remember BakaSoftware? The ubiquitous scareware-serving and money-laundering affiliate network circa 2008? It appears the time has come to expose the individuals behind the campaign and the network itself.

In this analysis I discuss the BakaSoftware franchise circa 2008 in depth, including personally identifiable information on the cybercriminals behind it, with the aim of giving law enforcement and the security industry the data needed to track down and prosecute the people behind BakaSoftware.

I can be reached at dancho.danchev@hush.com

Personal Photo of Gavril Danilkin - Founder and CEO of BakaSoftware:

Second Personal Photo of Gavril Danilkin - Founder and CEO of BakaSoftware:

Personally Identifiable Information regarding BakaSoftware's Founder and CEO - Gavril Danilkin:
Name: Gavril Danilkin
Email: gavril@penza.net; fido@penza.net; doncapone@mail.ru; gavril@sura.com.ru;
Mobile Phone: 8412631806; 89023537746; 841251-06-02; 841256-49-45; 841276-06-93
Skype: BakaDialer
Web Site: http://penza-stroika.narod.ru

BakaSoftware Social Network Visualization Graph courtesy of Maltego:

Personal Passport Photo of Gavril Danilkin's father Danilkin Vasily Vasilyevich:

Second Personal Passport Photo of Gavril Danilkin's father Danilkin Vasily Vasilyevich:

Malicious and Fraudulent Infrastructure reconnaissance:
hxxp://bakasoftware.com - 216.240.138.200 - Email: gavril@penza.net
hxxp://ns1.bakasoftware.com - 216.255.189.139 - Email: support@tobesoftware.com
hxxp://tst.bakasoftware.com - 216.255.189.155 - Email: support@tobesoftware.com
hxxp://bakasoftware.net - 208.88.227.36 - Email: krab@thekrab.com
hxxp://bakadialer.com

Personally Identifiable Information regarding BakaSoftware - TheKrab:
Name: TheKrab
Email: marck@gmail.com
Phone: +7 012-225-5252
Web site: http://smmprofi.ru/marck

Personal Photo of a known BakaSoftware Gang Member known as - TheKrab:

Related Personal Photo of a known BakaSoftware Gang Member known as - TheKrab:

It gets even more interesting: BakaSoftware's Gavril Danilkin is currently running a rogue, potentially malicious affiliate company distributing rogueware and adware, known as Zaxar Limited. Let's take the time to provide actionable intelligence on the infrastructure behind that campaign.

Related Zaxar Ltd Information:
Zaxar Limited
P.O. Box 54922,
Zip 3729,
Limassol, Cyprus
e-mail: secretary@zaxar.net

Related malicious URLs known to have participated in the campaign (the file names match the Chromium Embedded Framework (CEF) resource bundle, which indicates the Zaxar client embeds a Chromium-based browser component):
hxxp://zxrmedia.com/client/current_version6/cef_extensions.pak
hxxp://zxrmedia.com/client/current_version6/gameslist.dat
hxxp://zxrmedia.com/client/current_version6/calling.wav
hxxp://zxrmedia.com/client/current_version6/cef_100_percent.pak
hxxp://zxrmedia.com/client/current_version6/devtools_resources.pak
hxxp://zxrmedia.com/client/current_version6/cef.pak.info

Fraudulent and malicious rogue network infrastructure reconnaissance:
hxxp://zaxargames.com - 185.82.210.27; 185.82.210.24; 185.82.210.30
hxxp://zxrmedia.com - 185.82.210.5; 185.82.210.26; 188.42.129.36; 185.82.210.29
hxxp://zaxarstore.com - 185.82.210.24
hxxp://zaxarsearch.com

Related malicious MD5s known to have participated in the campaign:
MD5: 5c60400d7663b9a3fedd93baf0156df9
MD5: 5dd18f122fbe022e6e366d79d5b2b8a0
MD5: 225802a12e3aaeb9773b681ebe96bbe7
MD5: a50ef877e6329d2851de3fd4f49b8f7a
MD5: c82f177911708cd8373f7d788ce5ef3a
MD5: 73b48b697e7e09e2325656734eaf9f48
MD5: 522cb664e0284abf055315d327ff9c6d
MD5: 225b1ab5889506d39643d736d15fe20d
MD5: 3ca8378d493d9aa1248359c44cb0eeb8
MD5: 7c897ce217b05bb1694a924afa34096c
MD5: 310e8b0e4f6dbd23c74b9fec300a24f6

Related malicious MD5s known to have participated in the campaign:
MD5: 225b1ab5889506d39643d736d15fe20d
MD5: 3ca8378d493d9aa1248359c44cb0eeb8
MD5: 7b2994888fdf0c08a357cc9c600c2c4d
MD5: 5b3fcbe6f8071e9035b8810dd3b0f143
MD5: 58d9aa76eaed4710e22f835c6c71159e
MD5: 3d327881d2950c3c7d0a58ecaa15720d
MD5: 37a90a8af1dd4c6b68cd54ddb8c6d37d
MD5: 409a8c35651363ab2ba8d1d39e257d82
MD5: 605425d1dbade7c978ebdc313b6312d5

Related malicious MD5s known to have participated in the campaign:
MD5: 201cfcfb1ed6dcaf229073318c4aaf06
MD5: 8a9b2c23cc50f9798159297d300b0c46
MD5: 0149de171a6530737b1ae82e9cf9b0cf
MD5: 1cc70f8fd134bf7f556fca762a0a8ee7
MD5: 36e083ae0d58cb2f342f4cb81d6af88c
MD5: 3092c54065a78ec88122e066bccf6238
MD5: 049684e041281f3f7c90fb75cdc70e09
MD5: 6d5edf93c1e4a2d1e2e5777884ed326f
MD5: 8998c75fbd86bb63d4151a810ba1b4de

Related malicious MD5s known to have participated in the campaign:
MD5: dafe1c1189a6fc55800d0874ffd6567c
MD5: c66d0521a736b73bbd109dedba2da396
MD5: 6cce70d4d7280c7f3ec913217d2b3293
MD5: cab53b3a6cc7cd8c0b04e0521770b35c
MD5: f085905595f59ac025b67c3756babe99
MD5: 201cfcfb1ed6dcaf229073318c4aaf06
MD5: 41c2f3797480a1016741cbaa232da336
MD5: 6f31fd7b8de723a6e6bab77d22276e47
MD5: 0cc657e83c5a74b7edcfe0827a976d08
MD5: 3323e84cf633173db496c2f6402ffd81
MD5: 265c61469587e932f384e862a0c7065d
MD5: e9008ecb5da99d71c0541652aa6d5bc6
MD5: 26570d6bebf71373c25dbf1e53208444
MD5: e1086a5b5c504b95dda3fbd90758a429
MD5: 8998c75fbd86bb63d4151a810ba1b4de
MD5: 0743c40c4791f4cba8488a4a908f3a57
MD5: 36e083ae0d58cb2f342f4cb81d6af88c
MD5: 0357c02fc9fdeff9ad3f78876438256b
MD5: 3092c54065a78ec88122e066bccf6238
MD5: 1aed2fc8ca434c06a6ac90264634769c
MD5: ebdf43127a54c134bb3b01ce74bb5a42
MD5: 049684e041281f3f7c90fb75cdc70e09
MD5: 8a9b2c23cc50f9798159297d300b0c46
MD5: fa15abd8810b2e9349b7723b7cb1d132
MD5: 0149de171a6530737b1ae82e9cf9b0cf
MD5: 6d5edf93c1e4a2d1e2e5777884ed326f
MD5: 1cc70f8fd134bf7f556fca762a0a8ee7
MD5: 195377bef6d2b3cb5d56b387fca8ba60

Related malicious MD5s known to have participated in the campaign:
MD5: fec37b3989e590d0f3d78c6069bb0ca0
MD5: 1554933e1243dedb041fec9029ee087c
MD5: a860ed06f5d6f6ab390edfa39c59b164
MD5: 61032381f8fb14cac5f9da88651b45be
MD5: 4d53a34254cbc5723a5fb960fcd4a166

Related malicious MD5s known to have participated in the campaign:
MD5: 0357c02fc9fdeff9ad3f78876438256b
MD5: 201cfcfb1ed6dcaf229073318c4aaf06
MD5: 4900e194aaf35456f9b4a97e1ca38d99
MD5: 8a9b2c23cc50f9798159297d300b0c46
MD5: 2e4dc797e098104854dc555d93dd084a
MD5: 0149de171a6530737b1ae82e9cf9b0cf
MD5: 1cc70f8fd134bf7f556fca762a0a8ee7
MD5: f69ce553ed33506d82e12fabc6f7c67a
MD5: 6c1a294a9f6cb3279b68551501ca654a
MD5: fd6e30b879ea2347e1124376b5f2d1cf

Related malicious MD5s known to have participated in the campaign:
MD5: 23e3c313658bae8632bfc3196872daf3
MD5: 225802a12e3aaeb9773b681ebe96bbe7
MD5: b37ac11b1cba7739eedac8082be6cc51
MD5: cbefcf14b0c24201c2b8eedaaff58738
MD5: 89724cced12e644a296cf9db1190ed1f
MD5: 12cc90ab2a0a2f0c8d208823aff36ad4
MD5: b2f616daf5512b640a70d3e3cc4c019b
MD5: 7dc92f595dbf2a5073a94c2ba3a90ed6
MD5: 25700c5457c42eb1ae5185b6f577f8e0
MD5: a236c6ab86df7738ab9a9fda53702a50
MD5: 55e705f62af72f54b8819dd504e0b793
MD5: 797f1d671eb48c008aa2842cdbe28a91
MD5: 93c1a7aa2885ac2b123fc16906ea01e0
MD5: b241d2a0f66a40eb07fbe0bca529e386
MD5: 244677c44af4648cea1d3142611dc4c3
MD5: 34dc108714b3fb92f41f3efac3e60ba5
MD5: f140fed5014b826c99fdd7429f8afb89
MD5: 3d02cbb7ed1c72c2df209a3342b9efed
MD5: 86f527fb98672055217428a77e337252
MD5: df393d5e0cc4cdbbd110d2a09cb42983
MD5: 894d046c09f338e657ec7828c4c69fc7
MD5: fc60d4b0fce4c4e3779762bce0f5b69d
MD5: f959e44ac691448a31c0e051fd39d2fa
MD5: 9cbe8022efc081c5ba3c1f291989277f

Related malicious MD5s known to have participated in the campaign:
MD5: e6025966d8f72a80884eb7be19d31fcb
MD5: 734a9c8b47712d396bcd1562a229517e
MD5: 9cbe8022efc081c5ba3c1f291989277f

Related domains known to have participated in the campaign:
hxxp://syscos15.ru
hxxp://y9807akgtzcrolb.nidetafzy.ru
hxxp://syscos19.ru
hxxp://sendme13.ru
hxxp://dysy.storial.ru
hxxp://sendme12.ru
hxxp://sendme9.ru
hxxp://sendme8.ru
hxxp://syscos30.ru
hxxp://syscos18.ru
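
The infrastructure reconnaissance lines above (the BakaSoftware and Zaxar entries in "hxxp://host - ip; ip - Email: registrant" form) and the hash and domain lists are exactly the kind of raw indicator dump a practitioner needs to normalize before loading it into a blocklist or a graph tool. The following Python script is an added example, not code from the original post, from Maltego, or from any tool named here. It parses the three line shapes used on this page, refangs only the hxxp scheme, validates and deduplicates the MD5s, and pivots on shared IPs, shared /24 netblocks and shared registrant e-mail addresses, which is the same pivot the Maltego graph above performs by hand. The sample input is constructed for the example from a few of the post's own lines and deliberately carries a repeated IP, a repeated hash, a mis-spaced "MD5 :" label and a 33-character hash so the normalization has something to catch. The /24 grouping is a heuristic assumption on my part, not something the post asserts: hosting providers pack unrelated tenants into one netblock.

```python
"""Normalize OSINT indicator lines and pivot on shared infrastructure.

Added example, not code from the original post. It parses the three line
shapes the post uses ("hxxp://host - ip; ip - Email: x", bare "hxxp://host"
or a full hxxp URL, and "MD5: hash"), refangs only the hxxp scheme,
deduplicates, and reports hosts that share an IP, a /24 or a registrant
e-mail address.
"""
import re
from collections import defaultdict

# Constructed sample in the shape of the post's own lists. It deliberately
# carries a repeated IP, a repeated hash, a mis-spaced "MD5 :" label and a
# 33-character hash so the normalization has something to catch.
SAMPLE = """\
hxxp://bakasoftware.com - 216.240.138.200 - Email: gavril@penza.net
hxxp://ns1.bakasoftware.com - 216.255.189.139 Email: support@tobesoftware.com
hxxp://tst.bakasoftware.com - 216.255.189.155 - Email: support@tobesoftware.com
hxxp://bakasoftware.net - 208.88.227.36; 208.88.227.36 - Email: krab@thekrab.com
hxxp://bakadialer.com
hxxp://zaxargames.com - 185.82.210.27; 185.82.210.24; 185.82.210.30
hxxp://zaxarstore.com - 185.82.210.24
hxxp://zxrmedia.com/client/current_version6/gameslist.dat
MD5: 5c60400d7663b9a3fedd93baf0156df9
MD5: 5c60400d7663b9a3fedd93baf0156df9
MD5 :409a8c35651363ab2ba8d1d39e257d82
MD5: Pfa15abd8810b2e9349b7723b7cb1d132
"""

# host, optional path, optional "- ip; ip" list, optional "Email: addr".
INFRA_RE = re.compile(
    r"^hxxps?://(?P<host>[\w.-]+)(?P<path>/\S*)?"
    r"(?:\s*-\s*(?P<ips>[\d.;\s]+?))?"
    r"(?:\s*-?\s*Email:\s*(?P<email>\S+))?\s*$"
)
HASH_RE = re.compile(r"^MD5\s*:\s*(?P<hash>\S+)\s*$")
MD5_OK = re.compile(r"^[0-9a-f]{32}$")


def parse(text):
    """Return normalized hosts, unique valid MD5s (sorted), rejected hash
    strings, the number of duplicate hash lines, and any unparsed lines."""
    hosts = {}
    md5s, bad_md5, unparsed = set(), [], []
    dup = 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_RE.match(line)
        if m:
            h = m.group("hash").lower()
            if not MD5_OK.match(h):
                bad_md5.append(m.group("hash"))  # keep the offending text as seen
            elif h in md5s:
                dup += 1
            else:
                md5s.add(h)
            continue
        m = INFRA_RE.match(line)
        if not m:
            unparsed.append(line)
            continue
        rec = hosts.setdefault(m.group("host"),
                               {"ips": set(), "email": None, "urls": set()})
        if m.group("path"):
            # Refang hxxp -> http so the URL can be fed to tooling directly.
            rec["urls"].add("http://" + m.group("host") + m.group("path"))
        if m.group("ips"):
            rec["ips"].update(ip.strip() for ip in m.group("ips").split(";")
                              if ip.strip())
        if m.group("email"):
            rec["email"] = m.group("email").lower()
    return {"hosts": hosts, "md5": sorted(md5s), "bad_md5": bad_md5,
            "duplicate_md5": dup, "unparsed": unparsed}


def pivot(hosts):
    """Group hosts by shared IP, shared /24 (heuristic) and shared registrant
    e-mail; only groups with more than one host are returned, since those are
    the pivots worth following."""
    by_ip, by_net, by_email = defaultdict(set), defaultdict(set), defaultdict(set)
    for host, rec in hosts.items():
        for ip in rec["ips"]:
            by_ip[ip].add(host)
            by_net[".".join(ip.split(".")[:3]) + ".0/24"].add(host)
        if rec["email"]:
            by_email[rec["email"]].add(host)
    shared = lambda d: {k: sorted(v) for k, v in d.items() if len(v) > 1}
    return shared(by_ip), shared(by_net), shared(by_email)


if __name__ == "__main__":
    r = parse(SAMPLE)
    ips, nets, emails = pivot(r["hosts"])
    print("unique MD5s:", len(r["md5"]), "duplicates:", r["duplicate_md5"],
          "rejected:", r["bad_md5"])
    for label, groups in (("shared IP", ips), ("shared /24", nets),
                          ("shared e-mail", emails)):
        for key, members in sorted(groups.items()):
            print(f"{label} {key}: {', '.join(members)}")
```

On the sample the script rejects the 33-character hash rather than silently truncating it, collapses the repeated IP on bakasoftware.net, and surfaces the two pivots a reader can verify against the lists above by eye: zaxargames.com and zaxarstore.com share 185.82.210.24, and ns1/tst.bakasoftware.com share both the 216.255.189.0/24 netblock and the support@tobesoftware.com registrant contact. Treat the /24 grouping as a lead to confirm with passive DNS or WHOIS history, not as attribution on its own.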

Stay tuned!