Small research done on severals compromissed RDP (and compromissed machines include a Medical one)
Mail extractor:
https://www.virustotal.com/file/24f48f4934872185983e7966bcfad309efee598c6b26f474929c2d9c3c341825/analysis/1360598076/Mass mailer:
https://www.virustotal.com/file/d04c0af99334244e070e65d07d329b1fbb13d19aeffff25a89ffb989ff9569f3/analysis/1360597550/Who come form
gicutzu.byethost33.com/vnc/ams1.zip
gicutzu.byethost33.com/vnc/ams.zip
Mailing:
Message body:
This is HTML source of message you composed. Do not modify here.
</COMMENT>To modify this message press HTML Messages Editor button.
</COMMENT><HTML><HEAD><TITLE></TITLE></HEAD><BODYbgcolor=#FFFFFF leftmargin=5 topmargin=5 rightmargin=5 bottommargin=5><FONTsize=2color=#000000 face="Arial"><DIV> DEAR SIR/MADAM
</DIV><DIV> </DIV><DIV>My name is Mercy Johnson am 75yrs old of age and I stay in white river
</DIV><DIV>New York City,USA.I am a good merchant, I have several industrial
</DIV><DIV>companies and good share in various banks in the world. I spend all my
</DIV><DIV>life on investment and corporate business. All the way I lost my
</DIV><DIV>husband and two beautiful kids in fatal accident that occurred in
</DIV><DIV>November 5th 2003.
</DIV><DIV> </DIV><DIV>I am a very greedy woman with all cost I dont know much and care about
</DIV><DIV>people, since when I have an experience of my families death, its
</DIV><DIV>difficult to sleep and give rest, later in the year 2004 February I
</DIV><DIV>was sent a letter of medical check up, as my personal doctor testify
</DIV><DIV>that I have a lung cancer, which can easily take off my life soon.
</DIV><DIV> </DIV><DIV>I found it uneasy to survive myself, because a lot f investment cannot
</DIV><DIV>be run and manage by me again. I quickly call up a pastor/prophet to
</DIV><DIV>give me positive thinking on this solution as my adviser. He minister
</DIV><DIV>to me to share my properties ,wealth, to motherless baby/orphanage
</DIV><DIV>homes/people that need money for survivor both student that need money
</DIV><DIV>for schooling, business woman and man for their investment and for
</DIV><DIV>future rising.
</DIV><DIV> </DIV><DIV>So therefore I am writing this letter to people who are really in need
</DIV><DIV>of help from me both student in college to contact me urgently, so
</DIV><DIV>that I can make an available preparation on that.
</DIV><DIV> </DIV><DIV>Especially women of the day, who are divorced by their husband, who
</DIV><DIV>cannot survive the mist of feeding their self, please contact me and
</DIV><DIV>stop weeping. Probably let me now what you really need the money for
</DIV><DIV>and if you can still help me to distribute money to nearest orphanage
</DIV><DIV>homes near your town. Now am so much with God, am now born again. May
</DIV><DIV>the lord bless you as you reach me, please to remind you, dont belongs
</DIV><DIV>to scammers or any act of fraud lent on internet. I will give more
</DIV><DIV>information to you as I await your response immediately.
</DIV><DIV> </DIV><DIV>Best Regards,
</DIV><DIV>Mrs. Mercy Johnson.
</DIV></FONT></BODY></HTML>GroundLabs.Card.Recon.v1.14.7-Lz0:
https://www.virustotal.com/fr/file/ce449ea544f8d524648d429faa1ae68b7572501cf21997d31c6b467f55e8600d/analysis/1360597849/Legit signed application but carders use it to find credit cards.
Win32/Spy.POSCardStealer.A:
https://www.virustotal.com/file/af35e64fac9c73bbaa5e8658cc5d8f3057a89e745fd8d9ffa2ef224209138dc2/analysis/1360596995/https://www.virustotal.com/file/180ed8d4e9d5ebdc7f7179b4cacc73ed0804e7c720d9710fcc20454a5ba163cb/analysis/1360596997/Win32/Spy.POSCardStealer.C:
Carding tentative:
Also found that on the history:
https://travelsim.bg/checkout_final.php?OrderID=2422&Message=Success.+%2800%29
kentus555@gmail.com
firefox history for another rdp:
"yancymagnus@gmail.com"
AutoComplete feature of browser says "markfenton46" for validshop and "samx" as captchaCraiglist mailer:
https://www.virustotal.com/fr/file/5408075078177c45bfca318d6291c078beb1eb0f6c8dd6fb1a3f007b2e280fff/analysis/1360711350/Phishing:
RDP scanner:
https://www.virustotal.com/file/d53fb2aa459eb50e3d16f17835db3246e3016389cfa63c126263e24fa18729e7/analysis/1360711410/ Game server:
VNC scanner:
https://www.virustotal.com/file/835dd84eed9acff7056ded87d9672d725b915924323b5981737bd2ed5162efb4/analysis/1360711486/After this first try, i've installed a keylogger to monitor carders activities.
Logs:
Screenshots took by the keylogger:
• dns: 2 ›› ip: 98.139.135.21 - adresse: WEIGHT-LOSS-RESOURCE.COM
Libery reserve on clipboard:
They download pictures of womens and creat fake dating profiles to contact people saying always the same things:
"koksjulian":
"SabensSandraDarleneF":
Registering a fake profile on 'POF'
"Hello my name is brotney" (fail)
Yahoo login:
Svetlana case:
Fake accounts on various dating sites, downloading a picture of a girl for "lavaplace":
Creating a fake profile:
Looking for people on "Zoosk":
And more and more:
Contacting a guys on "lavaplace":
And more and more, without forgiving to tell them a "happy valentines day":
Searching for more people:
Sending the same message to people:
Let's do some spam also:
Mail:
Some guys look surprised by the age difference:
---
Received messages on yahoo:
I don't talk about that here but compromised machines was also used alot for buy stuff with stolen credit cards according to my logs: LCD monitor, plane tickets... and some other shit's (i've not really looked what they have do with stolen money)
If you are part of the good force and interested by a copy of logs, drop me a mail.
Happy Valentine's Day.
