Skip to content

Instantly share code, notes, and snippets.

@hasherezade hasherezade/pony_strings.txt Secret
Created Nov 14, 2015

Embed
What would you like to do?
Appendix to:
https://blog.malwarebytes.org
captured and filtered by: hasherezade
---
----
//visited sited:
----
http://windowsupdate.microsoft.com/update
http://forgedforce.com/images/wp/wp.php
http://marionainteriors.com/wordpress/wp-includes/images/wp/wp.php
http://interceptlabs.com/wp/wp-includes/images/wp/wp.php
http://encodesoftware.co.uk/images/smileys/wp/wp.php
http://handydiscount.co.uk/image/wp/wp.php
---
// common passwords list
---
123456
password
phpbb
qwerty
12345
jesus
12345678
1234
abc123
letmein
test
love
password1
hello
monkey
dragon
trustno1
111111
iloveyou
1234567
shadow
123456789
christ
sunshine
master
computer
princess
tigger
football
angel
jesus1
123123
whatever
freedom
killer
asdf
soccer
superman
michael
cheese
internet
joshua
fuckyou
blessed
baseball
starwars
000000
purple
jordan
faith
summer
ashley
buster
heaven
pepper
7777777
hunter
lovely
andrew
thomas
angels
charlie
daniel
1111
jennifer
single
hannah
qazwsx
happy
matrix
pass
aaaaaa
654321
amanda
nothing
ginger
mother
snoopy
jessica
welcome
pokemon
iloveyou1
11111
mustang
helpme
justin
jasmine
orange
testing
apple
michelle
peace
secret
grace
william
iloveyou2
nicole
666666
muffin
gateway
fuckyou1
asshole
hahaha
poop
blessing
blahblah
myspace1
matthew
canada
silver
robert
forever
asdfgh
rachel
rainbow
guitar
peanut
batman
cookie
bailey
soccer1
mickey
biteme
hello1
eminem
dakota
samantha
compaq
diamond
taylor
forum
john316
richard
blink182
peaches
cool
flower
scooter
banana
james
asdfasdf
victory
london
123qwe
123321
startrek
george
winner
maggie
trinity
online
123abc
chicken
junior
chris
passw0rd
austin
sparky
admin
merlin
google
friends
hope
shalom
nintendo
looking
harley
smokey
7777
joseph
lucky
digital
thunder
spirit
bandit
enter
anthony
corvette
hockey
power
benjamin
iloveyou!
1q2w3e
viper
genesis
knight
qwerty1
creative
foobar
adidas
rotimi
slayer
wisdom
praise
zxcvbnm
samuel
mike
dallas
green
testtest
maverick
onelove
david
mylove
church
friend
destiny
none
microsoft
222222
bubbles
11111111
cocacola
jordan23
ilovegod
football1
loving
nathan
emmanuel
scooby
fuckoff
sammy
maxwell
jason
john
1q2w3e4r
baby
red123
blabla
prince
qwert
chelsea
55555
angel1
hardcore
dexter
saved
112233
hallo
jasper
danielle
kitten
cassie
stella
prayer
hotdog
windows
mustdie
gates
billgates
ghbdtn
gfhjkm
1234567890
---
// known Pony artefact:
---
YUIPWDFILE0YUIPKDFILE0YUICRYPTED0YUI1.0
MODU
---
// registry key:
---
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
UninstallString
DisplayName
.exe
---
// writes a registry key, faking WinRAR:
---
Software\WinRAR
open
---
// loaded modules and functions:
---
kernel32.dll
WTSGetActiveConsoleSessionId
ProcessIdToSessionId
netapi32.dll
NetApiBufferFree
NetUserEnum
ole32.dll
StgOpenStorage
advapi32.dll
AllocateAndInitializeSid
CheckTokenMembership
FreeSid
CredEnumerateA
CredFree
CryptGetUserKey
CryptExportKey
CryptDestroyKey
CryptReleaseContext
RevertToSelf
OpenProcessToken
ImpersonateLoggedOnUser
GetTokenInformation
ConvertSidToStringSidA
LogonUserA
LookupPrivilegeValueA
AdjustTokenPrivileges
CreateProcessAsUserA
crypt32.dll
CryptUnprotectData
CertOpenSystemStoreA
CertEnumCertificatesInStore
CertCloseStore
CryptAcquireCertificatePrivateKey
msi.dll
MsiGetComponentPathA
pstorec.dll
PStoreCreateInstance
userenv.dll
CreateEnvironmentBlock
DestroyEnvironmentBlock
shell32.dll
SHGetFolderPathA
---
// searched folders:
---
My Documents
AppData
Local AppData
Cache
Cookies
History
My Documents
Common AppData
My Pictures
Common Documents
Common Administrative Tools
Administrative Tools
Personal
---
// registry key
---
Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
---
// searched process:
---
explorer.exe
---
// searched prefix of SID
---
S-1-5-18
---
// loaded functions:
---
SeImpersonatePrivilege
SeTcbPrivilege
SeChangeNotifyPrivilege
SeCreateTokenPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeIncreaseQuotaPrivilege
SeAssignPrimaryTokenPrivilege
---
// for the network communication:
---
POST %s HTTP/1.0
Host: %s
Accept: */*
Accept-Encoding: identity, *;q=0
Content-Length: %lu
Connection: close
Content-Type: application/octet-stream
Content-Encoding: binary
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)
Content-Length:
Location:
GET %s HTTP/1.0
Host: %s
Accept: */*
Accept-Encoding: identity, *;q=0
Connection: close
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)
\*.*
HWID
{%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X}
GetNativeSystemInfo
kernel32.dll
IsWow64Process
\NetSarang
.xfp
Client Hash
STATUS-IMPORT-OK
%d.exe
%02X
true
---
// related to the bash script for deleting the file:
---
%d.bat
"%s"
ShellExecuteA
:ktk
del %1
if exist %1 goto
ktk
del %0
---
// loaded functions and modules
---
shell32.dll
CreateFileA
ReadFile
CloseHandle
WriteFile
lstrlenA
GlobalLock
GlobalUnlock
LocalFree
LocalAlloc
GetTickCount
lstrcpyA
lstrcatA
GetFileAttributesA
ExpandEnvironmentStringsA
GetFileSize
CreateFileMappingA
MapViewOfFile
UnmapViewOfFile
LoadLibraryA
GetProcAddress
GetTempPathA
CreateDirectoryA
DeleteFileA
GetCurrentProcess
WideCharToMultiByte
GetLastError
lstrcmpA
CreateToolhelp32Snapshot
Process32First
OpenProcess
Process32Next
FindFirstFileA
lstrcmpiA
FindNextFileA
FindClose
GetModuleHandleA
GetVersionExA
GetLocaleInfoA
GetSystemInfo
Sleep
GetModuleFileNameA
LCMapStringA
ExitProcess
SetUnhandledExceptionFilter
kernel32.dll
CreateStreamOnHGlobal
GetHGlobalFromStream
CoCreateGuid
OleInitialize
ole32.dll
wsprintfA
user32.dll
RegOpenKeyExA
RegQueryValueExA
RegCloseKey
RegOpenKeyA
RegEnumKeyExA
RegCreateKeyA
RegSetValueExA
IsTextUnicode
RegOpenCurrentUser
GetUserNameA
advapi32.dll
ShellExecuteA
shell32.dll
InternetCrackUrlA
InternetCreateUrlA
wininet.dll
StrStrIA
StrRChrIA
StrToIntA
shlwapi.dll
inet_addr
gethostbyname
socket
connect
closesocket
send
select
recv
setsockopt
WSAStartup
wsock32.dll
LoadUserProfileA
UnloadUserProfile
userenv.dll
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.