
Take note of the URL of my "personal" TOR page used during analysis:

At the end of the URL, "7gzc" appears to be somewhat random to the naked eye. However, by executing the malware a second time, I was given a "number" very close to this, only a few letters off. The closeness of the two values tells me the numbers are not random, but are actually incrementing. In querying the attackers' infrastructure, infected hosts start at "000q", as no entries exist prior to that. Since entries such as "0001" do not exist, while entries such as "000q" do (so the identifiers use the ten digits plus all letters of the alphabet), the attackers appear to be using the following base-36 numbering scheme:

Using this, we can calculate how many hosts have potentially been infected by converting the identifier to a decimal count. Keep in mind this number will include researchers, malware analysts, sandboxes, and infected users, with a few non-existent numbers scattered in between. Even assuming half of these are sandboxes and researchers, half of 348,637 is still a very large number.

Once infected, users are instructed to pay 500 USD in Bitcoins to unlock their files. A text representation of the wallets is here (for your research): (Figure 7)

The 1L7 bitcoin address currently contains 3.96 bitcoins. The 19y bitcoin address currently holds a balance of 2.46 bitcoins.
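As an added example (not code from the original post), here is a small Python decoder for the base-36 host counter described above, with the conversion from an identifier to an infection estimate. It assumes the digit set is 0-9 followed by a-z, matching the lowercase identifiers seen in the URLs ("7gzc", "000q"), and that identifiers are handed out sequentially starting at "000q". The identifier "7h0d" used in the usage note is a constructed neighbour of "7gzc" chosen for illustration, not one the post reports.

```python
import string

# Digit set assumed for the ransomware's host IDs: 0-9 then a-z (base 36).
# The post only shows lowercase IDs, so uppercase input is folded to lowercase.
ALPHABET = string.digits + string.ascii_lowercase


def base36_decode(token: str) -> int:
    """Convert a host identifier such as '7gzc' to its integer value."""
    value = 0
    for ch in token.lower():
        if ch not in ALPHABET:
            raise ValueError(f"not a base-36 digit: {ch!r}")
        value = value * 36 + ALPHABET.index(ch)
    return value


def base36_encode(value: int, width: int = 4) -> str:
    """Inverse of base36_decode, zero-padded to the 4-character width seen in the URLs."""
    if value < 0:
        raise ValueError("host IDs are non-negative")
    digits = []
    while value:
        value, rem = divmod(value, 36)
        digits.append(ALPHABET[rem])
    return "".join(reversed(digits)).rjust(width, "0")


def id_distance(a: str, b: str) -> int:
    """How many IDs apart two identifiers are; small values support the 'incrementing' theory."""
    return abs(base36_decode(a) - base36_decode(b))


def estimate_infections(latest_id: str, first_id: str = "000q",
                        noise_fraction: float = 0.5) -> dict:
    """Count IDs issued between the first observed ID and the latest one (inclusive),
    then discount by the fraction assumed to be sandboxes, researchers and gaps.
    noise_fraction=0.5 reproduces the post's 'assume half are not real victims' estimate."""
    latest = base36_decode(latest_id)
    first = base36_decode(first_id)
    if latest < first:
        raise ValueError("latest ID precedes the first observed ID")
    issued = latest - first + 1
    return {
        "first": first,
        "latest": latest,
        "ids_issued": issued,
        "estimated_real": int(issued * (1 - noise_fraction)),
    }


if __name__ == "__main__":
    # Constructed inputs: "7gzc" and "000q" are the IDs quoted in the post,
    # "7h0d" is an assumed nearby ID used to show the distance calculation.
    print(base36_decode("7gzc"), base36_decode("000q"))
    print(id_distance("7gzc", "7h0d"))
    print(estimate_infections("7gzc"))
```

Decoding "7gzc" gives 348,600 and "000q" gives 26, so the counter at that point had handed out roughly 348,575 identifiers; the post's figure of 348,637 is what "7h0d" decodes to in this scheme, only 37 IDs above "7gzc", which is the kind of gap the second run produced. The decoder also makes the check in the post mechanical: if two IDs obtained minutes apart decode to values a few dozen apart, they are a counter, not random tokens.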
