Analysis report for http://fnplbpnbvxqjrey.blogspot.com
Sample Overview
| URL | http://fnplbpnbvxqjrey.blogspot.com |
|---|---|
| MD5 | 5451b7ee7ea406a6479da71e42a2d479 |
| Analysis Started | 2009-09-29 01:54:19 |
| Report Generated | 2009-09-29 01:55:15 |
| Jsand version | 1.03.02 |
See the report for domain fnplbpnbvxqjrey.blogspot.com.
Detection results
| Detector | Result |
|---|---|
| Jsand 1.03.02 | suspicious |
This resource appears to be involved in the Koobface malware campaign.
Warning:
- The analyzed resource contains one or more syntax errors. This may affect the detection of malicious code.
Exploits
No exploits were identified.
Deobfuscation results
Evals
- (repeated 1 time)
window.attachEvent('onunload', exiter);
Writes
- (repeated 1 time)
<OBJECT id="iie" width="0" height="0" style="position:absolute; left:0;top:0;" CLASSID= "CLSID:6BF52A52-394A-11d3-B153-00C04F79FAA6" type="application/x-oleobject"> <PARAM NAME= "SendPlayStateChangeEvents" VALUE="True"> <PARAM NAME="AutoStart" VALUE="True"> <PARAM name="uiMode" value="none"> <PARAM name="PlayCount" value="9999"></OBJECT>
- (repeated 1 time)
<object codebase= "http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=8,0,0,0" width="640" height="390" align="middle" id="player" name="player" classid= "clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" ><param name="movie" value="player.swf?pid=6123" /> <param name="quality" value="high" /> <param name="play" value="true" /> <param name="loop" value= "true" /> <param name="scale" value="showall" /> <param name="wmode" value="window" /> <param name= "devicefont" value="false" /> <param name="bgcolor" value="#000000" /> <param name="menu" value= "false" /> <param name="allowFullScreen" value="false" /> <param name="allowScriptAccess" value= "sameDomain" /> <param name="salign" value="" /> </object>
Network Activity
Requests
| URL | Status | Content Type |
|---|---|---|
| http://fnplbpnbvxqjrey.blogspot.com | 200 | text/html |
| http://71.59.170.194/go.js?0x3E8/view/ | Timeout | application/x-empty |
| http://119.152.40.196/go.js?0x3E8/view/ | Timeout | application/x-empty |
| http://76.202.5.26/go.js?0x3E8/view/ | Timeout | application/x-empty |
| http://76.187.143.137/go.js?0x3E8/view/ | 200 | text/javascript |
| http://119.152.75.243/go.js?0x3E8/view/ | 401 | text/html |
| http://76.187.143.137/d=fnplbpnbvxqjrey.blogspot.com/0x3E8/view/ | 200 | text/html |
| about:blank | 200 | text/html |
| http://76.187.143.137/d=fnplbpnbvxqjrey.blogspot.com/0x3E8/view/setup.exe | 200 | application/x-msdos-program |
Redirects
No redirects.
ActiveX controls
- CLSID 6BF52A52-394A-11D3-B153-00C04F79FAA6
Methods
| Name | Arg0 | Count |
|---|---|---|
| launchURL | http://pancho-2807.com/popup.php | 1 |
| | http://76.187.143.137/d=fnplbpnbvxqjrey.blogspot.com/0x3E8/view/ | 1 |
Attributes
| Name | Value | Count |
|---|---|---|
| PlayCount | 9999 | 1 |
| uiMode | none | 1 |
| AutoStart | True | 1 |
| SendPlayStateChangeEvents | True | 1 |
- CLSID D27CDB6E-AE6D-11CF-96B8-444553540000
Attributes
| Name | Value | Count |
|---|---|---|
| play | true | 1 |
| scale | showall | 1 |
| bgcolor | #000000 | 2 |
| menu | false | 2 |
| salign | '' | 1 |
| allowScriptAccess | sameDomain | 2 |
| wmode | window | 1 |
| allowFullScreen | false | 2 |
| movie | player.swf?pid=6123 | 2 |
| devicefont | false | 1 |
| quality | high | 2 |
| loop | true | 1 |
Shellcode and Malware
No shellcode was identified.
Additional (potential) malware:
| URL | Type | Hash | Analysis |
|---|---|---|---|
| http://76.187.143.137/d=fnplbpnbvxqjrey.blogspot.com/0x3E8/view/ | N/A | N/A | |
| http://76.187.143.137/d=fnplbpnbvxqjrey.blogspot.com/0x3E8/view/setup.exe | MS-DOS executable PE for MS Windows (GUI) Intel 80386 32-bit | 3a32fbe2b704b6ae36fbd35637b2f46e | |
| http://pancho-2807.com/popup.php | N/A | N/A | |