0x3a.com 0x3a - Security Specialist and programmer by trade

0x3a.com
Title: 0x3a - Security Specialist and programmer by trade
Keywords: fake,ransomware,CryptoApp,antivirus,analysis
Description: I'm a guy with a blog, and I write entries sometimes (years apart in some cases...)
0x3a.com is ranked 4,364,847 in the world (among the 40 million domains tracked). A low-numbered rank means that a website gets many visitors. This site is relatively popular among users in the United States, from which it gets 50% of its traffic. The site is estimated to be worth $4,467. It has a low PageRank (0/10) and 1 backlink. 0x3a.com has a 43% SEO score.

0x3a.com Information

Website / Domain: 0x3a.com
Website IP Address: 104.28.9.60
Domain DNS Server: alex.ns.cloudflare.com,mona.ns.cloudflare.com

0x3a.com Rank

Alexa Rank: 4364847
Google Page Rank: 0/10 (Google PageRank is no longer published)

0x3a.com Traffic & Earnings

Purchase/Sale Value: $4,467
Daily Revenue: $12
Monthly Revenue: $367
Yearly Revenue: $4,467
Daily Unique Visitors: 1,126
Monthly Unique Visitors: 33,780
Yearly Unique Visitors: 410,990

0x3a.com WebSite Httpheader

StatusCode 200
Content-Type text/html; charset=utf-8
Date Sat, 06 Aug 2016 06:21:56 GMT
Server openresty

0x3a.com Keywords accounting

Keyword Count Percentage
fake 20 0.96%
ransomware 11 1.32%
CryptoApp 10 1.08%
antivirus 6 0.64%
analysis 10 0.96%

0x3a.com Html To Plain Text

0x3a - Security Specialist and programmer by trade

March 30, 2016
Playing games with an attacker: how I messed with someone trying to breach the CryptoWall tracker

The game I played with an attacker described in this blog was inspired by a TED talk where someone played games with a 419 scammer: James Veitch - This is what happens when you reply to spam email. On February 10th I released a wealth of information on the CryptoWall ransomware. I structured all the information about CryptoWall on a website and made it public in the form of a website known as the 'CryptoWall Tracker': https://www.cryptowalltracker.org/ When running a publicly accessible website you can expect to get 'free security advice' from the internet in the form of web pentesting and whatnot. Most of the scans (pentests) are automated for all kinds of reasons; be it compromising websites to abuse them as CryptoWall proxies (as described [here]), or simply defacing them for Zone-H 'credits'. Some weeks ago I noticed someone started to poke the CryptoWall tracker website; this article describes the fun I had messing with the attacker (I'm assuming it was one person, more on that later).

12:59pm | URL: https://tmblr.co/ZNK8wx24CuytF
Filed under: cryptowall cryptowalltracker tracker pentesting website cloudflare attack attacker ukrainian ukraine nginx database dump honeypot

November 30, 2015
Inside Braviax/FakeRean: An analysis and history of a FakeAV family

Since September 2014 I've been seeing a FakeAV family pop up from time to time. This family is known under two names, Braviax and FakeRean. The family has been active for quite some years; it was first spotted by S!Ri back in April 2009. In this blog post I will perform an analysis on the current version of this family making its rounds online and give a history of it starting back in 2009. A big thank you goes out to S!Ri for sharing some historical data on this group.

The reason why I'm releasing this article now on a group active back in January of this year is that, if you follow the timeline I show below, they should have reappeared around this time of year (although I haven't seen them yet). The Braviax/Fakerean family has quite some similarities with the Tritrax (dubbed Namechanger FakeAV) family I analyzed and hunted down back in February 2014 (Post: Analysis of the Tritax FakeAV family, their active campaign and the FakeAV social engineering kit). Braviax/Fakerean is also one constantly changing its name, as you can see from a combination of screenshots made from samples starting in September 2014 until the start of January 2015: As said, back in September 2014 this new variant became active. After seeing it pass by multiple times I decided to look into it a bit. At some point I started noticing the name changes due to the fact that the website, website banner and the actual 'antivirus' names didn't match up at all; I tweeted about this on the 27th of September: #FakeAV website calls it 'Rango Antivirus', banner 'Win XP Security', sample run 'A-Secure' (https://t.co/EgYDdzDqFd) pic.twitter.com/i1amKQLsIy — Yonathan Klijnsma (@ydklijnsma) November 27, 2014. From this point on I started looking into this FakeAV threat some more; it started to hit quite often. Quite quickly I could pin this as part of the Fakerean/Braviax family and started to analyze it.

11:30am | URL: https://tmblr.co/ZNK8wx1z2Xkk0
Filed under: braviax fakerean fakeav analysis history antivirus fake security malware

August 18, 2015
Development of the 'CryptoApp' ransomware finished; changes & active campaign

Not even a day ago I blogged on a piece of ransomware named 'CryptoApp' which I discovered while it was still in its development & testing phase: [Analysis of a piece of ransomware in development: the story of 'CryptoApp'].

After publication I was contacted by another analyst who was able to link the information from my blog to other samples from an actual campaign. He matched both PDB paths as well as behaviour to these samples; this blog describes the changes made to CryptoApp as well as the active campaign. A thank you to the researcher who contacted me sharing information, you know who you are. I suggest reading my previous article on the discovery and full analysis of CryptoApp for the following to make any sense to you, as it's just a brief analysis and comparison. You can read the article here: [Analysis of a piece of ransomware in development: the story of 'CryptoApp']

Analysis of the loader

The lure for this campaign originated from Western Union spam messages leading to a download of a payload from: http://www[.]pikaitalia[.]it/catalogoonline/pages/transaction_certif_2412_installer[.]exe The file [transaction_certif_2412_installer.exe] has an interesting build date. (Again, this can be faked of course.) The date is the 12th of May, the same date as the original development version of CryptoApp was uploaded on Malwr.com: Inside the sample we find another interesting PDB path explaining its purpose (sort of): D:\projects\Finished - Downloader - edited by me\CoreDownloader\Release\CoreDownloader.pdb

10:40pm | URL: https://tmblr.co/ZNK8wx1sIydjy
Filed under: ransomware CryptoApp

August 17, 2015
Analysis of a piece of ransomware in development: the story of 'CryptoApp'

Ransomware sure has had an uptick over the past years; more and more variants appear while some have been leading the pack for the past years. This article is on a new 'strain'; it dates to March this year from what I can tell. I haven't seen any write-up or info about it yet (nor had any major incidents at $dayjob or heard of it from any other analysts). From what I can tell it's still under development; this article will tell the story of this ransomware.

Discovery

I was going through some Tor hidden service addresses (onion addresses) I obtained by scraping. Normally there are a lot of markets and random 'hacker-for-hire' sites, but this one stood out. Its address (as of writing this article) is: guhvuoz7am24b5mv.onion Note: The service did go down at the start of August. It could be that the 'project' was stopped or that the other simply moved to a new C2 to start his operation, with the old one being a test setup. When visiting the hidden service I was greeted with the following: This message looked like the kind seen with ransomware like CryptoWall etc. It got my attention because it talks about files being cripted with RSA-2048, which is really similar to the CryptoWall message. After payment of the ransom files would be restored. Scrolling down we get section 2: This section says there are no ways to decrypt the file without the original key (makes sense if you use RSA on 2048). It also notes using any other tools than theirs would only make it worse. After this message we find section 3: This section talks about the ransom that needs to be paid, 1 Bitcoin. Examples are given where Bitcoins can be bought and the address the Bitcoin needs to be transferred to: 1AbwLtv7JTtbLmj8LrGq7TzCdkD4ZNET5C. There is also a link to a download of the decrypter which (with bold emphasis) only works after the ransom payment is made.

11:20am | URL: https://tmblr.co/ZNK8wx1sBthVd
Filed under: CryptoApp ransomware Tor onion rsa

June 1, 2015
Unusual njRat campaign originating from Saudi Arabia using FakeAV tactics

While investigating an unrelated threat I ran into a rather interesting njRat campaign. It started with a website that was compromised and being abused as a 3rd layer C2 communication proxy. It seems those guys weren't the only ones using it.

When visiting the website's main page I was greeted with an alert pop-up: Looking at the page title and message content I was expecting some kind of fake support or fake antivirus page; I was correct (for this part): Waiting for the result of the scan I was prompted by the usual 'you need help click here' messages: When clicking one of the buttons (or the X close button, basically anything on the page) your browser was presented with a download of 'Antivirus 2015':

8:38am | URL: https://tmblr.co/ZNK8wx1m9ptpY
Filed under: njrat rat fake antivirus saudi arabia campaign

RSS feed: http://blog.0x3a.com/rss
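The two build artefacts the CryptoApp loader write-up pivots on, the compile timestamp in the COFF file header and the PDB path in the CodeView debug record, can be pulled out of a PE without any tooling beyond the standard library. The following is an added example written for this page, not code from the blog author: it assembles a constructed, non-executable sample that carries the PDB path quoted in the post and a 12 May build stamp (the year 2015 and the time of day are assumptions, since the post only gives the day), then parses both fields back out and flags that the timestamp is linker-written and trivially forged.

```python
import struct
from datetime import datetime, timezone

# Constructed sample (not a real binary): a minimal MZ/PE header carrying a
# compile timestamp plus a CodeView "RSDS" record with a PDB path. The path is
# the one quoted from the CryptoApp loader; the 2015 year is an assumption.
SAMPLE_PDB_PATH = (
    r"D:\projects\Finished - Downloader - edited by me"
    r"\CoreDownloader\Release\CoreDownloader.pdb"
)
SAMPLE_BUILD_TIME = int(datetime(2015, 5, 12, 9, 30, tzinfo=timezone.utc).timestamp())


def build_sample(timestamp, pdb_path):
    """Assemble just enough PE structure for the parsers below to work on."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)          # offset of "PE\0\0"
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, 0, timestamp, 0, 0, 0, 0x0102)
    # CodeView 7.0 record: "RSDS", 16-byte GUID, 4-byte age, NUL-terminated path
    rsds = b"RSDS" + bytes(range(16)) + struct.pack("<I", 1) + pdb_path.encode() + b"\0"
    return bytes(dos) + b"PE\0\0" + coff + b"\0" * 32 + rsds + b"\0" * 8


SAMPLE_PE = build_sample(SAMPLE_BUILD_TIME, SAMPLE_PDB_PATH)


def compile_timestamp(pe):
    """Return the COFF TimeDateStamp as an aware UTC datetime.

    The stamp is written by the linker and is trivially forged, so treat it as
    a pivot for correlation (as the post does), never as proof of build time.
    """
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    (stamp,) = struct.unpack_from("<I", pe, e_lfanew + 8)   # 4 (sig) + 2 + 2
    return datetime.fromtimestamp(stamp, tz=timezone.utc)


def pdb_paths(pe):
    """Carve every CodeView RSDS record and return the embedded PDB paths.

    Scanning for the signature (rather than walking the debug directory) also
    finds records in packed or damaged files, at the cost of possible false
    hits, so candidates are filtered to ASCII strings ending in ".pdb".
    """
    found = []
    pos = pe.find(b"RSDS")
    while pos != -1:
        start = pos + 4 + 16 + 4                  # skip signature, GUID, age
        end = pe.find(b"\0", start)
        if end > start:
            candidate = pe[start:end]
            if candidate.isascii() and candidate.lower().endswith(b".pdb"):
                found.append(candidate.decode("ascii"))
        pos = pe.find(b"RSDS", pos + 4)
    return found


def triage(pe):
    """Summarise the two build artefacts an analyst pivots on."""
    return {
        "compiled_utc": compile_timestamp(pe).strftime("%Y-%m-%d %H:%M:%S"),
        "pdb_paths": pdb_paths(pe),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_PE))
```

Run against a real sample, replace `SAMPLE_PE` with the file's bytes; the PDB path is the more durable pivot of the two, since the same developer workstation path tends to survive across builds while the timestamp is a single field anyone can rewrite.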

0x3a.com Whois

Whois Server Version 2.0
Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.
  Domain Name: 0X3A.COM
  Domain ID: 1529788913
  WHOIS Server: whois.enom.com
  Referral URL: http://www.enom.com
  Updated Date: 2015-09-29T17:12:03Z
  Creation Date: 2008-11-23T09:38:14Z
  Registry Expiry Date: 2016-11-23T09:38:14Z
  Sponsoring Registrar: eNom, Inc.
  Sponsoring Registrar IANA ID: 48
  Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
  Name Server: ALEX.NS.CLOUDFLARE.COM
  Name Server: MONA.NS.CLOUDFLARE.COM
  DNSSEC: unsigned
>>> Last update of whois database: Wed, 18 May 2016 09:43:30 GMT <<<
For more information on Whois status codes, please visit https://icann.org/epp