Saturday, October 19, 2024

Sample Cybercrime Themed Photos

An image is worth a thousand words.
Tuesday, October 15, 2024

A Video of How Cybercriminals Configure Firefox to Access NAB's E-Banking System

A video is worth a thousand words.



A Video of How Cybercriminals Use InsuranceOnline to Gather Personal Information Intelligence

A video is worth a thousand words.



A Video of How Cybercriminals Bypass Gmail's Valid Mobile Number Requirement Registration Process

A video is worth a thousand words.


 

A Video of Using the Che Anti-Browser Fingerprinting Browser and BeenVerified To Commit Online Fraud - Part Three

A video is worth a thousand words.


 

A Video of Using the Che Anti-Browser Fingerprinting Browser and BeenVerified To Commit Online Fraud - Part Two

A video is worth a thousand words.


 

A Video of Using the Che Anti-Browser Fingerprinting Browser and BeenVerified To Commit Online Fraud

A video is worth a thousand words.



Saturday, September 21, 2024

The 911 S5 Proxy Botnet

The 911 S5 Proxies-as-a-Service was a prolific proxy service that relied on botnets to offer its users a high degree of anonymity for their online actions. Those actions often include web site scraping and proxy chaining to avoid detection and further improve anonymity, as well as other malicious activities such as spam and port scanning.

Sample domains:


Sample photos:


Profiling the Gaza Hackers Team

In the following post I'll profile the Gaza Hackers Team.

Sample photos:
Primary group's domains:


Primary group's email address accounts:

moayy2ad@hotmail.com
c-e@hotmail.com
le0n005061@gmail.com

Related domain names registered using the same email address accounts:


Sample IPs known to have been involved in the campaign include:


Sample domains known to have been involved in the campaign include:


Sample URLs known to have been involved in the campaign include:


Sample MD5s known to have been involved in the campaign include:


Exposing an Indian Police Spyware Cyber Operation

This analysis is based on this Wired.com story.

Sample Gmail accounts known to have been involved in the campaign include:
jagdish.meshraam@gmail.com
drsnehapatil64@gmail.com
sinhamuskaan04@gmail.com
jennifergonzales789@gmail.com
payalshastri79@gmail.com

Sample malicious domains known to have been involved in the campaign:
researchplanet.zapto.org
socialstatistics.zapto.org
duniaenewsportal.ddns.net

Sample domain registrant email address accounts known to have been involved in the campaign include:
harpreet.singh1984@yahoo.com
marlenecharlton@outlook.com
abadaba@eml.cc
REUBEN123@RISEUP.NET

Related malicious domains known to have been involved in the campaign include:

Wednesday, September 18, 2024

Spamvertized Github Powershell Malicious Software Executing Campaign Spotted in the Wild

Dear blog readers,

I've recently intercepted a currently circulating spamvertised campaign that entices users into interacting with a PowerShell script, ultimately tricking them into downloading and executing malicious software on their hosts.

Upon execution the sample downloads and drops additional malicious software.

Primary URL: hxxp://github-scanner.com

Sample download location: hxxp://github-scanner.com/l6E.exe

MD5: fac2188e4a28a0cf32bf4417d797b0f8

Once executed the sample phones back to:

hxxp://eemmbryequo.shop/api - 172.67.142.26

hxxp://2x.si/ta2.exe - 104.21.27.222 - MD5: 8199c105289d70af5446c7fd64496d7b

Once executed the second sample phones back to:

20.99.186.246

23.216.81.152

45.11.229.96

52.185.73.156 

An OSINT Profile of U.S Secret Service's Most Wanted Cybercriminal Danil Potekhin

In this analysis we'll take a look at the Internet-connected infrastructure of Danil Potekhin, the U.S. Secret Service's most wanted cybercriminal, who carries a $10M reward. Using a variety of tools, together with current real-time and historical passive DNS information, we connect the dots to find out where he hosts, and used to host, his Web properties and domains online. The goal is to assist other researchers, organizations and vendors, including U.S. law enforcement, in establishing the foundation for successful threat hunting and cyber threat actor attribution efforts.

Using several OSINT methodologies we managed to obtain his personal email address, along with several additional personal email addresses known to belong to him, and cross-checked them against various domain registrations, which successfully assisted our research and infrastructure mapping.

Sample personal email address accounts include: potekhin14@bk.ru; potekhinl4@bk.ru; potekhin.kg@yandex.ru

We’ve also managed to find one of his primary domains using current and historical WHOIS databases.

hxxp://agressivex.com (MD5: 922530c5371a3d029e4cc330e2d0f4d3 -> 194.58.56.61 -> 194.58.56.91) - 46.30.40.103 - Email: potekhin14@bk.ru; potekhinl4@bk.ru

Sample known responding IPs for hxxp://agressivex.com historically:

Related domain registrations:
web-studio@agressivex.com -> hxxp://firstplaymarket.store

We started with the relatively easy part: launching a technical collection campaign using open source information, including public and proprietary sources, to find as much actionable intelligence about Danil Potekhin as possible. The next logical step was to process and take notes on the technical details we had obtained, enrich them with further open source information, and analyze and connect the dots. Our ultimate goal for this assignment was to provide as much actionable intelligence and technical detail as possible about his Internet-connected infrastructure, covering both his current real-time Internet presence and activities and his historical Internet footprint, in terms of the Web properties we discovered through open source information and technical collection.

For starters we ended up with a pretty straightforward and obvious fact, however awkward it may sound: Danil, whose name is listed on the U.S. Secret Service's $10M reward web site, is known to have been running an Android-based botnet service on one of his primary domains. This basically speaks for itself, and is yet another indication of how correlating multiple public and proprietary databases can lead to the big picture, where a single detail can often provide the big picture and, most importantly, all the details, even prior to doing proper technical collection, including OSINT as a methodology, and research enrichment and analysis of the obtained and processed data.

Sample photo:

hxxp://agressivex.com - 46.30.40.103 - AS 210079 - First Seen: 2019-08-26 Last Seen: 2020-05-19 - NS: ns2.eurobyte.ru
hxxp://deluxe-wash.com - 46.30.40.103 - AS 210079 - First Seen: 2019-08-26 Last Seen: 2020-01-18 - NS: ns1.eurobyte.ru
hxxp://agressivex.com - 194.58.56.58 - AS 57043 First Seen: 2019-09-27 Last Seen: 2019-09-27 - NS: ns4.eurobyte.ru
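As an added example that is not part of the original post, the following Python implements the pivoting described above: it parses passive-DNS records in the same shape as the three lines just shown, adds registrant email addresses, and groups domains that share a hosting IP or a registrant address. The agressivex.com and deluxe-wash.com records and the two registrant addresses are taken from the post; the example-unrelated.test control domain and its hostmaster address are constructed.

```python
import re
from collections import defaultdict

# Constructed sample input in the "domain - ip - AS - First Seen ... - NS" shape of
# the records above. The first three lines are the post's own; the fourth is a
# hypothetical control domain that must NOT land in the same cluster.
PDNS_RECORDS = """
agressivex.com - 46.30.40.103 - AS 210079 - First Seen: 2019-08-26 Last Seen: 2020-05-19 - NS: ns2.eurobyte.ru
deluxe-wash.com - 46.30.40.103 - AS 210079 - First Seen: 2019-08-26 Last Seen: 2020-01-18 - NS: ns1.eurobyte.ru
agressivex.com - 194.58.56.58 - AS 57043 First Seen: 2019-09-27 Last Seen: 2019-09-27 - NS: ns4.eurobyte.ru
example-unrelated.test - 203.0.113.9 - AS 64496 - First Seen: 2021-01-01 Last Seen: 2021-02-01 - NS: ns1.example.test
""".strip()

# Constructed registrant-email table: the first two associations are stated in the
# post, the control domain's address is hypothetical.
WHOIS_EMAILS = {
    "agressivex.com": "potekhin14@bk.ru",
    "firstplaymarket.store": "web-studio@agressivex.com",
    "example-unrelated.test": "hostmaster@example.test",
}

# Tolerates the missing " - " before "First Seen" in the third record above.
RECORD_RE = re.compile(
    r"^(?P<domain>\S+) - (?P<ip>[\d.]+) - AS (?P<asn>\d+)\s*-?\s*"
    r"First Seen: (?P<first>\d{4}-\d{2}-\d{2}) Last Seen: (?P<last>\d{4}-\d{2}-\d{2})"
    r" - NS: (?P<ns>\S+)$"
)

def parse_pdns(text):
    """Parse pDNS lines into dicts; non-matching lines are skipped, not guessed at."""
    return [m.groupdict() for m in map(RECORD_RE.match, text.splitlines()) if m]

def activity_window(records):
    """Earliest first-seen / latest last-seen per domain across all its IPs (ISO strings)."""
    window = {}
    for r in records:
        first, last = window.get(r["domain"], (r["first"], r["last"]))
        window[r["domain"]] = (min(first, r["first"]), max(last, r["last"]))
    return window

def build_pivots(records, whois_emails):
    """Map each (kind, value) pivot to the set of domains that share it."""
    pivots = defaultdict(set)
    tracked = {r["domain"] for r in records} | set(whois_emails)
    for r in records:
        pivots[("ip", r["ip"])].add(r["domain"])
        pivots[("asn", r["asn"])].add(r["domain"])
        # Same DNS provider is a weak signal: recorded, but not used for clustering.
        pivots[("ns_zone", ".".join(r["ns"].split(".")[-2:]))].add(r["domain"])
    for domain, email in whois_emails.items():
        pivots[("email", email.lower())].add(domain)
        # A registrant address hosted on another tracked domain ties the two together
        # (the post's web-studio@agressivex.com -> firstplaymarket.store pivot).
        mail_domain = email.split("@", 1)[1].lower()
        if mail_domain in tracked:
            pivots[("email_domain", mail_domain)].update({domain, mail_domain})
    return pivots

def shared_attributes(pivots):
    """Pivots linking two or more domains, as sorted (kind, value, domains) tuples."""
    return sorted((k, v, sorted(d)) for (k, v), d in pivots.items() if len(d) > 1)

def cluster(pivots, strong_kinds=("ip", "email", "email_domain")):
    """Union-find over domains joined by a strong pivot; largest clusters first."""
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for (kind, _), domains in pivots.items():
        doms = sorted(domains)
        for d in doms:
            find(d)  # register every domain, singletons included
        if kind in strong_kinds:
            for d in doms[1:]:
                parent[find(d)] = find(doms[0])
    groups = defaultdict(set)
    for d in parent:
        groups[find(d)].add(d)
    return sorted((sorted(g) for g in groups.values()), key=lambda g: (-len(g), g))

if __name__ == "__main__":
    piv = build_pivots(parse_pdns(PDNS_RECORDS), WHOIS_EMAILS)
    for kind, value, doms in shared_attributes(piv):
        print(f"{kind:<13}{value:<20}{', '.join(doms)}")
    for group in cluster(piv):
        print("cluster:", ", ".join(group))
```

Shared-IP and registrant-address links are treated as strong pivots, while a shared DNS provider is only reported, since many unrelated customers sit on the same name servers.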

Sample domains known to belong to Danil Potekhin:


We've also managed to identify the domain name hxxp://alialiservices.com, which we used to uncover yet another related portfolio of malicious and fraudulent domains registered using the same personally identifiable email address account.

Related domain registrations:

Next, by using VirusTotal, we also managed to identify malicious samples phoning back to some of these related domains, such as:

20c87e0c160e657c393cdb10fe6b2f5d
5234ebc96a89a19cdb383c7342a7b11d
90639e11babbc7b19c1a18b050dd04bf
5cb1a99de8b2fc609c06813a76c52b52

Including:
From here we could go deeper into the inner workings of this campaign and the malicious and fraudulent ecosystem possibly related to and operated by Danil Potekhin and his associates, by finding out where these malicious samples phone back to once executed, and so establish the foundations for a successful connect-the-dots, build-a-bigger-picture campaign and threat hunting effort on our behalf.