unixfreaxjp

Infection se undetected #Zbot/#Fareit variant via Blackhole2

Oct 1st, 2012
Blackhole 2.0 w/ PluginDetect
Without shellcode, drops 2 Zbot.. backdoor & stealer
Mothership: 69.194.194.221

============
samples: name (VT detections/engines) MD5 VT report
============
5d7efa0.exe (5/52) 79c701d0ef7e369ba82d6a77e7e4b42f https://www.virustotal.com/file/32ee0f16ff2e8034ae7b21a9ada852fa5ae0535f9c99fd9a5c8635573fdc2e3c/analysis/1349111222/
updateflashplayer.exe (1/42) 272950443ed0ed5b2b9e0346f848f412 https://www.virustotal.com/file/341adaccb6d88cde2f4cbc0ea95dc25f56948266e9ac98490991e98a6851c142/analysis/1349111482/
index.html (2/40) 7edae162a198089f69927ebd9929652b https://www.virustotal.com/file/11b7a52ae29d3c84d8f15fc211328e5e7cc8fda33959ce314d008b54c2cb270e/analysis/1349110087/
js.js (2/42) 373c7eab6b2d0353bcf66bd37cfcde67 https://www.virustotal.com/file/2cc16d1a740e952caa2add649e2ebeb7397ca685137b08d50b1baacec88a3ea7/analysis/1349110384/
raising-peak_suited.php (2/42) 4ae1a158abb001237fb719375b9e5e0e https://www.virustotal.com/file/fd12197c2759a0b7d79d8da7d05f34e840d1914eebc34659d80a8c2bf22379a1/analysis/1349110549/

===================
Chain of infection
===================
h00p://mercantilcorma.mx/6fu4Dm5j/index.html
h00p://cheerstuffreno.com/oZZETLq6/js.js
h00p://free-onlinecasino.co.uk/B7BU1DC6/js.js
h00p://jeanyipindonesia.com/DxAqbpsL/js.js
h00p://69.194.194.221/links/raising-peak_suited.php

plugindetect obfs: http://pastebin.com/raw.php?i=h1ETdpgs
plugindetect deobfs: http://pastebin.com/raw.php?i=79PDEWHp

(MDAC) CVE-2006-0003
Object: BD96C556-65A3-11D0-983A-00C04FC29E36
Shell.Application / msxml2.XMLHTTP
Payload: h00p://69.194.194.221/links/raising-peak_suited.php?jzcvg=343836040a&ljduq=37080537020508030636&iuwtdhw=04&nrni=ujpkpl&iwsvetyo=gmlb
SaveToFile : .//..//5d7efa0.exe

mimeType : "application/pdf", navPluginObj : null,
progID : ["AcroPDF.PDF", "PDF.PdfCtrl"],
classID : "clsid:CA8A9780-280D-11CF-A24D-444553540000",
h00p://69.194.194.221/updateflashplayer.exe
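The indicators above are the substance of this paste, and an analyst usually wants them out of the text and into a blocklist without retyping hashes. The Python below is an added example, not part of unixfreaxjp's paste: it refangs the h00p:// scheme the notes use, keeps the VirusTotal report links apart from attacker infrastructure (they only contribute a SHA-256), and reports which strings of the MDAC / CVE-2006-0003 stage occur in a text. It is exercised on the notes themselves because the deobfuscated landing page is only linked, not reproduced here. INDICATOR_TEXT is copied from the sections above; the regexes, the indicator dictionary and the function names are my own.

```python
"""Pull indicators out of the samples / chain-of-infection notes above and
check which strings of the MDAC (CVE-2006-0003) stage are present.

Added example: INDICATOR_TEXT is copied from the paste; everything else is mine."""
import re
from urllib.parse import urlparse

# Copied from the samples, chain-of-infection and exploit notes above.
INDICATOR_TEXT = """\
5d7efa0.exe (5/52) 79c701d0ef7e369ba82d6a77e7e4b42f https://www.virustotal.com/file/32ee0f16ff2e8034ae7b21a9ada852fa5ae0535f9c99fd9a5c8635573fdc2e3c/analysis/1349111222/
updateflashplayer.exe (1/42) 272950443ed0ed5b2b9e0346f848f412 https://www.virustotal.com/file/341adaccb6d88cde2f4cbc0ea95dc25f56948266e9ac98490991e98a6851c142/analysis/1349111482/
index.html (2/40) 7edae162a198089f69927ebd9929652b https://www.virustotal.com/file/11b7a52ae29d3c84d8f15fc211328e5e7cc8fda33959ce314d008b54c2cb270e/analysis/1349110087/
js.js (2/42) 373c7eab6b2d0353bcf66bd37cfcde67 https://www.virustotal.com/file/2cc16d1a740e952caa2add649e2ebeb7397ca685137b08d50b1baacec88a3ea7/analysis/1349110384/
raising-peak_suited.php (2/42) 4ae1a158abb001237fb719375b9e5e0e https://www.virustotal.com/file/fd12197c2759a0b7d79d8da7d05f34e840d1914eebc34659d80a8c2bf22379a1/analysis/1349110549/
h00p://mercantilcorma.mx/6fu4Dm5j/index.html
h00p://cheerstuffreno.com/oZZETLq6/js.js
h00p://free-onlinecasino.co.uk/B7BU1DC6/js.js
h00p://jeanyipindonesia.com/DxAqbpsL/js.js
h00p://69.194.194.221/links/raising-peak_suited.php
(MDAC) CVE-2006-0003
Object: BD96C556-65A3-11D0-983A-00C04FC29E36
Shell.Application / msxml2.XMLHTTP
Payload: h00p://69.194.194.221/links/raising-peak_suited.php?jzcvg=343836040a&ljduq=37080537020508030636&iuwtdhw=04&nrni=ujpkpl&iwsvetyo=gmlb
SaveToFile : .//..//5d7efa0.exe
classID : "clsid:CA8A9780-280D-11CF-A24D-444553540000",
h00p://69.194.194.221/updateflashplayer.exe
"""

URL_RE = re.compile(r"\bh(?:00|xx|tt)ps?://[^\s'\"<>]+", re.I)   # live or defanged scheme
DEFANGED_SCHEME = re.compile(r"^h(?:00|xx)p(s?)://", re.I)
VT_FILE_RE = re.compile(r"https?://www\.virustotal\.com/file/([0-9a-f]{64})/", re.I)
MD5_RE = re.compile(r"(?<![0-9a-f])[0-9a-f]{32}(?![0-9a-f])", re.I)  # never a slice of a SHA-256
IPV4_RE = re.compile(r"(?:\d{1,3}\.){3}\d{1,3}")

# Strings the notes above tie to the MDAC stage and to the PDF plugin probe (my labels).
MDAC_INDICATORS = {
    "rds_dataspace_clsid": "BD96C556-65A3-11D0-983A-00C04FC29E36",
    "shell_application": "Shell.Application",
    "xmlhttp": "XMLHTTP",
    "savetofile": "SaveToFile",
    "acropdf_clsid": "CA8A9780-280D-11CF-A24D-444553540000",
}


def refang(url):
    """h00p:// or hxxp:// back to http:// so urlparse can split the host out."""
    return DEFANGED_SCHEME.sub(r"http\1://", url)


def extract_iocs(text):
    """URLs (refanged, deduplicated, in order of appearance), hosts split into
    domains and IPs, MD5s from the sample lines, SHA-256s from the VT report links."""
    urls, domains, ips, sha256s = [], set(), set(), set()
    for m in URL_RE.finditer(text):
        raw = m.group(0)
        vt = VT_FILE_RE.match(raw)
        if vt:                              # a report link, not attacker infrastructure
            sha256s.add(vt.group(1).lower())
            continue
        url = refang(raw)
        if url not in urls:
            urls.append(url)
        host = (urlparse(url).hostname or "").lower()
        (ips if IPV4_RE.fullmatch(host) else domains).add(host)
    md5s = {m.group(0).lower() for m in MD5_RE.finditer(text)}
    return {"urls": urls, "domains": domains, "ips": ips, "md5": md5s, "sha256": sha256s}


def blocklist(iocs):
    """One line per host. VirusTotal never shows up because its links were skipped."""
    return sorted(f"domain {d}" for d in iocs["domains"]) + sorted(f"ip {i}" for i in iocs["ips"])


def mdac_indicators(source):
    """Names of the MDAC-stage strings present in a deobfuscated landing page (or in notes)."""
    lowered = source.lower()
    return {name for name, needle in MDAC_INDICATORS.items() if needle.lower() in lowered}


if __name__ == "__main__":
    iocs = extract_iocs(INDICATOR_TEXT)
    print("\n".join(blocklist(iocs)))
    print("md5:", *sorted(iocs["md5"]), sep="\n  ")
    print("sha256:", *sorted(iocs["sha256"]), sep="\n  ")
    print("mdac stage strings:", sorted(mdac_indicators(INDICATOR_TEXT)))
```

The MD5 regex deliberately refuses to match inside a longer hex run, otherwise every SHA-256 in a VirusTotal URL would also yield two bogus MD5s; the same guard is worth keeping in any IOC scraper that reads mixed hash lengths.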
  36.  
=====================
LOGS
=====================
--01:05:06-- http://mercantilcorma.mx/6fu4Dm5j/index.html
=> `index.html'
Resolving mercantilcorma.mx... 67.23.249.227
Connecting to mercantilcorma.mx|67.23.249.227|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 437 [text/html]
01:05:07 (15.38 MB/s) - `index.html' saved [437/437]

--01:05:22-- http://cheerstuffreno.com/oZZETLq6/js.js
=> `js.js'
Resolving cheerstuffreno.com... 50.118.59.251
Connecting to cheerstuffreno.com|50.118.59.251|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 72 [application/javascript]
01:05:23 (2.61 MB/s) - `js.js' saved [72/72]

// tor looks blocked perfectly....
// gatling IP fetch script starts....

--01:23:34-- http://69.194.194.221/links/raising-peak_suited.php
=> `raising-peak_suited.php'
Connecting to 69.194.194.221:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
01:23:35 (54.79 KB/s) - `raising-peak_suited.php' saved [28905]

(MDAC) CVE-2006-0003
Arbitrary file download via the Microsoft Data Access Components
BD96C556-65A3-11D0-983A-00C04FC29E36
Shell.Application
msxml2.XMLHTTP
SaveToFile : .//..//5d7efa0.exe
http://69.194.194.221/links/raising-peak_suited.php?jzcvg=343836040a&ljduq=37080537020508030636&iuwtdhw=04&nrni=ujpkpl&iwsvetyo=gmlb

mimeType : "application/pdf", navPluginObj : null,
progID : ["AcroPDF.PDF", "PDF.PdfCtrl"],
classID : "clsid:CA8A9780-280D-11CF-A24D-444553540000",
http://69.194.194.221/updateflashplayer.exe

--01:31:53-- http://69.194.194.221/updateflashplayer.exe
=> `updateflashplayer.exe'
Connecting to 69.194.194.221:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 511,488 (500K) [application/octet-stream]
01:31:57 (165.71 KB/s) - `updateflashplayer.exe' saved [511488/511488]

0000 4D 5A 50 00 03 00 00 00 00 00 0F 00 FF FF 00 00 MZP.............
0010 00 00 00 00 00 00 00 00 40 00 1A 00 00 00 00 00 ........@.......
0020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0030 00 00 00 00 00 00 00 00 00 00 00 00 7C 00 00 00 ............|...
0040 BA 10 00 0E 1F B4 09 CD 21 B8 01 4C CD 21 90 90 ........!..L.!..
0050 54 68 69 73 20 70 72 6F 67 72 61 6D 20 6D 75 73 This program mus
0060 74 20 62 65 20 72 75 6E 20 75 6E 64 65 72 20 57 t be run under W
0070 69 6E 33 32 0D 0A 24 37 00 00 00 00 50 45 00 00 in32..$7....PE..
0080 4C 01 04 00 00 00 00 00 00 00 00 00 00 00 00 00 L...............
0090 E0 00 0F 01 0B 01 06 00 00 10 00 00 00 BA 07 00 ................

--01:32:30-- http://69.194.194.221/links/raising-peak_suited.php?jzcvg=343836040a&ljduq=37080537020508030636&iuwtdhw=04&nrni=ujpkpl&iwsvetyo=gmlb
=> `raising-peak_suited.php@jzcvg=343836040a&ljduq=37080537020508030636&iuwtdhw=04&nrni=ujpkpl&iwsvetyo=gmlb'
Connecting to 69.194.194.221:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 117,760 (115K) [application/x-msdownload]
01:32:32 (102.29 KB/s) - `raising-peak_suited.php@jzcvg=343836040a&ljduq=37080537020508030636&iuwtdhw=04&nrni=ujpkpl&iwsvetyo=gmlb' saved [117760/117760]

0000 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 MZ..............
0010 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 ........@.......
0020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0030 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 ................
0040 0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68 ........!..L.!Th
0050 69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F is program canno
0060 74 20 62 65 20 72 75 6E 20 69 6E 20 44 4F 53 20 t be run in DOS
0070 6D 6F 64 65 2E 0D 0D 0A 24 00 00 00 00 00 00 00 mode....$.......
0080 50 45 00 00 4C 01 07 00 17 4C 69 50 00 00 00 00 PE..L....LiP....
0090 00 00 00 00 E0 00 0F 03 0B 01 02 38 00 28 00 00 ...........8.(..
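The two dumps above give the first 160 bytes of each dropped binary, which is enough to read the DOS header, the COFF file header and the optional-header magic. The Python below is an added example, not part of the paste: it rebuilds the bytes from the dump text and pulls out e_lfanew, machine type, section count, link timestamp and the characteristics flags. Both dumps are copied from the log above; the parser and the field names are mine. The two files differ already at the stub: updateflashplayer.exe carries the Borland linker's "MZP ... This program must be run under Win32" stub (Delphi/C++Builder output) and a zero TimeDateStamp, while the EXE served as raising-peak_suited.php?... has a standard Microsoft stub and a TimeDateStamp that decodes to the morning of 1 Oct 2012 UTC, the same day as the VirusTotal analysis IDs at the top of the paste (those are Unix timestamps too), which fits the 5/52 detection rate of a freshly built sample.

```python
"""Header triage for the two hexdumps in the wget log above.

Added example, not part of the paste: the dumps are copied from the log,
the parser and field names are mine."""
import re
import struct
from datetime import datetime, timezone

# First 160 bytes of updateflashplayer.exe, copied from the log above.
UPDATEFLASHPLAYER_DUMP = """\
0000 4D 5A 50 00 03 00 00 00 00 00 0F 00 FF FF 00 00 MZP.............
0010 00 00 00 00 00 00 00 00 40 00 1A 00 00 00 00 00 ........@.......
0020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0030 00 00 00 00 00 00 00 00 00 00 00 00 7C 00 00 00 ............|...
0040 BA 10 00 0E 1F B4 09 CD 21 B8 01 4C CD 21 90 90 ........!..L.!..
0050 54 68 69 73 20 70 72 6F 67 72 61 6D 20 6D 75 73 This program mus
0060 74 20 62 65 20 72 75 6E 20 75 6E 64 65 72 20 57 t be run under W
0070 69 6E 33 32 0D 0A 24 37 00 00 00 00 50 45 00 00 in32..$7....PE..
0080 4C 01 04 00 00 00 00 00 00 00 00 00 00 00 00 00 L...............
0090 E0 00 0F 01 0B 01 06 00 00 10 00 00 00 BA 07 00 ................
"""

# First 160 bytes of the EXE served as raising-peak_suited.php?... (5d7efa0.exe).
RAISING_PEAK_DUMP = """\
0000 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 MZ..............
0010 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 ........@.......
0020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0030 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 ................
0040 0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68 ........!..L.!Th
0050 69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F is program canno
0060 74 20 62 65 20 72 75 6E 20 69 6E 20 44 4F 53 20 t be run in DOS
0070 6D 6F 64 65 2E 0D 0D 0A 24 00 00 00 00 00 00 00 mode....$.......
0080 50 45 00 00 4C 01 07 00 17 4C 69 50 00 00 00 00 PE..L....LiP....
0090 00 00 00 00 E0 00 0F 03 0B 01 02 38 00 28 00 00 ...........8.(..
"""

# IMAGE_FILE_* bits of the COFF Characteristics field (the ones that matter for triage).
COFF_CHARACTERISTICS = {
    0x0001: "RELOCS_STRIPPED", 0x0002: "EXECUTABLE_IMAGE", 0x0004: "LINE_NUMS_STRIPPED",
    0x0008: "LOCAL_SYMS_STRIPPED", 0x0100: "32BIT_MACHINE", 0x0200: "DEBUG_STRIPPED",
    0x2000: "DLL",
}


def parse_hexdump(dump):
    """'offset b0 .. b15 ascii' lines back to bytes. Exactly 16 byte columns are taken
    per line because the ASCII column can hold tokens such as 'be' that also parse as hex."""
    buf = bytearray()
    for line in dump.splitlines():
        parts = line.split()
        if not parts:
            continue
        if int(parts[0], 16) != len(buf):
            raise ValueError(f"non-contiguous dump at offset {parts[0]}")
        buf += bytes(int(h, 16) for h in parts[1:17])
    return bytes(buf)


def triage_pe_header(data):
    """DOS header, COFF file header and optional-header magic: what can be said about
    a dropped PE from its first 160 bytes, before anything is run."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError(f"no PE signature at e_lfanew={e_lfanew:#x}")
    machine, nsections, timestamp, _symtab, _nsyms, _opt_size, chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    magic = struct.unpack_from("<H", data, e_lfanew + 24)[0]
    return {
        "e_lfanew": e_lfanew,
        # 'MZP' plus this stub string is the Borland linker's DOS stub (Delphi/C++Builder).
        "borland_stub": data[2] == 0x50 and b"This program must be run under Win32" in data,
        "machine": machine,
        "i386": machine == 0x14C,
        "sections": nsections,
        "timestamp": timestamp,
        "compiled_utc": (datetime.fromtimestamp(timestamp, timezone.utc)
                         .strftime("%Y-%m-%dT%H:%M:%SZ") if timestamp else None),
        "pe32": magic == 0x10B,
        "characteristics": [n for bit, n in sorted(COFF_CHARACTERISTICS.items()) if chars & bit],
    }


if __name__ == "__main__":
    for name, dump in (("updateflashplayer.exe", UPDATEFLASHPLAYER_DUMP),
                       ("5d7efa0.exe", RAISING_PEAK_DUMP)):
        print(name, triage_pe_header(parse_hexdump(dump)))
```

A zero TimeDateStamp is not evidence of tampering on its own (some toolchains write it that way), but a non-zero one that lands hours before first submission is a useful pivot: it says when the build was made, which is worth more than the 5/52 number once the sample ages.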
  117.  
POST HTTP/1.1
69.194.194.221 POST /forum/viewtopic.php HTTP/1.0
69.194.194.221 POST /forum/viewtopic.php HTTP/1.0
69.194.194.221 POST /forum/viewtopic.php HTTP/1.0

===========================
Oct 1st, 2012
===========================