I just thought that I should check that my "BHEK analysis made easy" guide worked out fine, so I took a beer from the fridge and went over to URLquery and fetched a possible Blackhole URL.
http://urlquery.net/report.php?id=1215790
See here for the guide: http://malforsec.blogspot.no/2013/03/analyzing-bhek2-made-easy_1.html
So here is what I got:
--2013-03-02 22:03:06-- hxxp://80.248.238.15/231a51bb54657c855360782e728bbf6d/q.php
Connecting to 80.248.238.15:80... connected.
HTTP request sent, awaiting response...
HTTP/1.1 200 OK
Date: Sat, 02 Mar 2013 22:50:26 GMT
Server: nginx/0.7.65
Content-Type: application/java-archive
X-Powered-By: PHP/5.3.2
Content-Length: 22404
ETag: "29a92c3eedd77110bc1dc12948eb909c"
Last-Modified: Sat, 02 Mar 2013 19:54:44 GMT
Accept-Ranges: bytes
Connection: close
Length: 22404 (22K) [application/java-archive]
Saving to: `q.php'
0K .......... .......... . 100% 230K=0.1s
2013-03-02 22:03:07 (230 KB/s) - `q.php' saved [22404/22404]
Since I made the mistake of adding Java to my User-Agent, it threw me a jar file right away. Badass!!
I dropped the Java part of the User-Agent and got, as expected, the plugin detect page:
--2013-03-02 22:04:03-- hxxp://80.248.238.15/231a51bb54657c855360782e728bbf6d/q.php
Connecting to 80.248.238.15:80... connected.
HTTP request sent, awaiting response...
HTTP/1.1 200 OK
Date: Sat, 02 Mar 2013 22:51:23 GMT
Server: nginx/0.7.65
Content-Type: text/html
X-Powered-By: PHP/5.3.2
Connection: close
Length: unspecified [text/html]
Saving to: `q2.php'
0K .......... .......... .......... .......... .......... 430K
50K .......... .......... .......... .......... .......... 686K
100K .......... ... 388K=0.2s
2013-03-02 22:04:04 (508 KB/s) - `q2.php' saved [115742]
Exactly as shown in the guide :)
Wepawet did the job again and I could just fetch the BAD files:
Should get 2-3 PDFs, 1-2 SWFs and a couple of JARs.
--2013-03-02 22:26:31-- hxxp://80.248.238.15/231a51bb54657c855360782e728bbf6d/q.php?xjnnfg=32:1h:1l:1l:1j&yglzthqd=33:3l:3n&cmjxuoea=1g:1n:32:33:1n:1n:1n:2v:31:1o&mccehrt=1g:1f:1d:1g:1f:1h
Connecting to 80.248.238.15:80... connected.
HTTP request sent, awaiting response...
HTTP/1.1 200 OK
Date: Sat, 02 Mar 2013 23:13:54 GMT
Server: nginx/0.7.65
Content-Type: application/pdf
X-Powered-By: PHP/5.3.2
Content-Length: 20389
ETag: "30beb650b5909878feedccd4f8700607"
Last-Modified: Sat, 02 Mar 2013 20:18:13 GMT
Accept-Ranges: bytes
Connection: close
Length: 20389 (20K) [application/pdf]
Saving to: `p1.pdf'
0K .......... ......... 100% 203K=0.1s
2013-03-02 22:26:35 (203 KB/s) - `p1.pdf' saved [20389/20389]
--2013-03-02 22:30:56-- hxxp://80.248.238.15//231a51bb54657c855360782e728bbf6d/q.php?pcuk=32:1h:1l:1l:1j&rkto=38&zqqlekft=1g:1n:32:33:1n:1n:1n:2v:31:1o&asmfjr=1g:1f:1d:1g:1f:1h
Connecting to 80.248.238.15:80... connected.
HTTP request sent, awaiting response...
HTTP/1.1 200 OK
Date: Sat, 02 Mar 2013 23:18:16 GMT
Server: nginx/0.7.65
Content-Type: application/pdf
X-Powered-By: PHP/5.3.2
Accept-Ranges: bytes
Content-Length: 10973
Content-Disposition: inline; filename=edcca.pdf
Connection: close
Length: 10973 (11K) [application/pdf]
Saving to: `p2.pdf'
0K .......... 100% 9.96K=1.1s
2013-03-02 22:30:58 (9.96 KB/s) - `p2.pdf' saved [10973/10973]
--2013-03-02 22:32:59-- hxxp://80.248.238.15//231a51bb54657c855360782e728bbf6d/q.php?pcuk=32:1h:1l:1l:1j&rkto=38&zqqlekft=1g:1n:32:33:1n:1n:1n:2v:31:1o&asmfjr=1o:1d:1i
Connecting to 80.248.238.15:80... connected.
HTTP request sent, awaiting response...
HTTP/1.1 200 OK
Date: Sat, 02 Mar 2013 23:20:19 GMT
Server: nginx/0.7.65
Content-Type: application/pdf
X-Powered-By: PHP/5.3.2
Accept-Ranges: bytes
Content-Length: 10006
Content-Disposition: inline; filename=7661e.pdf
Connection: close
Length: 10006 (9.8K) [application/pdf]
Saving to: `p2_a.pdf'
0K ......... 100% 10.6K=0.9s
2013-03-02 22:33:00 (10.6 KB/s) - `p2_a.pdf' saved [10006/10006]
--2013-03-02 22:33:45-- hxxp://80.248.238.15/231a51bb54657c855360782e728bbf6d/q.php?xjnnfg=32:1h:1l:1l:1j&yglzthqd=33:3l:3n&cmjxuoea=1g:1n:32:33:1n:1n:1n:2v:31:1o&mccehrt=1o:1d:1i
Connecting to 80.248.238.15:80... connected.
HTTP request sent, awaiting response...
HTTP/1.1 200 OK
Date: Sat, 02 Mar 2013 23:21:05 GMT
Server: nginx/0.7.65
Content-Type: application/pdf
X-Powered-By: PHP/5.3.2
Content-Length: 20389
ETag: "c0f111989697cf4e9311e5c7f2757b51"
Last-Modified: Sat, 02 Mar 2013 20:25:23 GMT
Accept-Ranges: bytes
Connection: close
Length: 20389 (20K) [application/pdf]
Saving to: `p1.pdf'
0K .......... ......... 100% 229K=0.09s
2013-03-02 22:33:45 (229 KB/s) - `p1.pdf' saved [20389/20389]
--2013-03-02 22:36:10-- hxxp://80.248.238.15/231a51bb54657c855360782e728bbf6d/q.php?xjnnfg=32:1h:1l:1l:1j&yglzthqd=33:3l:3n&cmjxuoea=1g:1n:32:33:1n:1n:1n:2v:31:1o&mccehrt=1g:1f:1d:1g:1f:1j
Connecting to 80.248.238.15:80... connected.
HTTP request sent, awaiting response...
HTTP/1.1 200 OK
Date: Sat, 02 Mar 2013 23:23:30 GMT
Server: nginx/0.7.65
Content-Type: application/pdf
X-Powered-By: PHP/5.3.2
Content-Length: 20341
ETag: "b58800750b75a9546ed7227f797d83f5"
Last-Modified: Sat, 02 Mar 2013 20:27:48 GMT
Accept-Ranges: bytes
Connection: close
Length: 20341 (20K) [application/pdf]
Saving to: `p3.pdf'
0K .......... ......... 100% 334K=0.06s
2013-03-02 22:36:11 (334 KB/s) - `p3.pdf' saved [20341/20341]
--2013-03-02 22:41:08-- hxxp://80.248.238.15/231a51bb54657c855360782e728bbf6d/q.php?iywghqq=32:1h:1l:1l:1j&yayuotd=3c:3e:39:3e:38:38&lfrj=1g:1n:32:33:1n:1n:1n:2v:31:1o&info=02e6ffb0a173ba4a727abaf74e10f62852e75f8c3b04706c3
Connecting to 80.248.238.15:80... connected.
HTTP request sent, awaiting response...
HTTP/1.1 200 OK
Date: Sat, 02 Mar 2013 23:28:28 GMT
Server: nginx/0.7.65
Content-Type: text/html
X-Powered-By: PHP/5.3.2
Connection: close
Length: unspecified [text/html]
Saving to: `f1.swf'
0K .. 1.29M=0.002s
2013-03-02 22:41:08 (1.29 MB/s) - `f1.swf' saved [2671]
--2013-03-02 22:45:16-- hxxp://80.248.238.15/231a51bb54657c855360782e728bbf6d/q.php?awzq=gtyfkz&rrgltzf=jwibjubx
Connecting to 80.248.238.15:80... connected.
HTTP request sent, awaiting response...
HTTP/1.1 200 OK
Date: Sat, 02 Mar 2013 23:32:36 GMT
Server: nginx/0.7.65
Content-Type: application/java-archive
X-Powered-By: PHP/5.3.2
Content-Length: 22404
ETag: "29a92c3eedd77110bc1dc12948eb909c"
Last-Modified: Sat, 02 Mar 2013 20:36:54 GMT
Accept-Ranges: bytes
Connection: close
Length: 22404 (22K) [application/java-archive]
Saving to: `j1.jar'
0K .......... .......... . 100% 333K=0.07s
2013-03-02 22:45:16 (333 KB/s) - `j1.jar' saved [22404/22404]
--2013-03-02 22:46:09-- hxxp://80.248.238.15/231a51bb54657c855360782e728bbf6d/q.php?awzq=gtyfkz&rrgltzf=jwibjubx
Connecting to 80.248.238.15:80... connected.
HTTP request sent, awaiting response...
HTTP/1.1 200 OK
Date: Sat, 02 Mar 2013 23:33:29 GMT
Server: nginx/0.7.65
Content-Type: application/java-archive
X-Powered-By: PHP/5.3.2
Content-Length: 22339
ETag: "91414b8f2a3f971352b8432a856ddf70"
Last-Modified: Sat, 02 Mar 2013 20:37:47 GMT
Accept-Ranges: bytes
Connection: close
Length: 22339 (22K) [application/java-archive]
Saving to: `j1_a.jar'
0K .......... .......... . 100% 33.3K=0.7s
2013-03-02 22:46:10 (33.3 KB/s) - `j1_a.jar' saved [22339/22339]
--2013-03-02 22:47:40-- hxxp://80.248.238.15/231a51bb54657c855360782e728bbf6d/q.php?awzq=gtyfkz&rrgltzf=jwibjubx
Connecting to 80.248.238.15:80... connected.
HTTP request sent, awaiting response...
HTTP/1.1 200 OK
Date: Sat, 02 Mar 2013 23:35:00 GMT
Server: nginx/0.7.65
Content-Type: application/java-archive
X-Powered-By: PHP/5.3.2
Content-Length: 22404
ETag: "29a92c3eedd77110bc1dc12948eb909c"
Last-Modified: Sat, 02 Mar 2013 20:39:18 GMT
Accept-Ranges: bytes
Connection: close
Length: 22404 (22K) [application/java-archive]
Saving to: `j2.jar'
0K .......... .......... . 100% 370K=0.06s
2013-03-02 22:47:41 (370 KB/s) - `j2.jar' saved [22404/22404]
--2013-03-02 22:48:40-- hxxp://80.248.238.15/231a51bb54657c855360782e728bbf6d/q.php?awzq=gtyfkz&rrgltzf=jwibjubx
Connecting to 80.248.238.15:80... connected.
HTTP request sent, awaiting response...
HTTP/1.1 200 OK
Date: Sat, 02 Mar 2013 23:36:00 GMT
Server: nginx/0.7.65
Content-Type: application/java-archive
X-Powered-By: PHP/5.3.2
Content-Length: 22339
ETag: "91414b8f2a3f971352b8432a856ddf70"
Last-Modified: Sat, 02 Mar 2013 20:40:18 GMT
Accept-Ranges: bytes
Connection: close
Length: 22339 (22K) [application/java-archive]
Saving to: `j2_a.jar'
0K .......... .......... . 100% 179K=0.1s
2013-03-02 22:48:41 (179 KB/s) - `j2_a.jar' saved [22339/22339]
Again Wepawet to the rescue, giving us the final malware URL. No hard decoding work is needed, so let's go and fetch the EXE:
--2013-03-02 23:09:26-- hxxp://80.248.238.15/231a51bb54657c855360782e728bbf6d/231a51bb54657c855360782e728bbf6d/q.php?ngqxjn=32:1h:1l:1l:1j&qhx=1g:1n:32:33:1n:1n:1n:2v:31:1o&lcrni=1h&fmhyeulp=tqugjmzo&yqmlyi=gtqthzo
Connecting to 80.248.238.15:80... connected.
HTTP request sent, awaiting response...
HTTP/1.1 200 OK
Date: Sat, 02 Mar 2013 23:56:46 GMT
Server: nginx/0.7.65
Content-Type: application/x-msdownload
X-Powered-By: PHP/5.3.2
Pragma: public
Expires: Sat, 02 Mar 2013 21:01:04 GMT
Cache-Control: must-revalidate, post-check=0, pre-check=0
Cache-Control: private
Content-Disposition: attachment; filename="readme.exe"
Content-Transfer-Encoding: binary
Content-Length: 153960
Connection: close
Length: 153960 (150K) [application/x-msdownload]
Saving to: `e1.exe'
0K .......... .......... .......... .......... .......... 33% 416K 0s
50K .......... .......... .......... .......... .......... 66% 835K 0s
100K .......... .......... .......... .......... .......... 99% 1.41M 0s
150K 100% 671G=0.2s
2013-03-02 23:09:27 (700 KB/s) - `e1.exe' saved [153960/153960]
For reference, here are the files fetched:
q2.php - landing page/plugin detect
  MD5: 01b360a11a8b0a4841107ed0201af81f
  Wepawet: http://wepawet.iseclab.org/view.php?hash=01b360a11a8b0a4841107ed0201af81f&type=js
p1 - PDF 1
  MD5: 31dc5225fc63f04e3b67562d671d8c31
  Wepawet: malicious http://wepawet.iseclab.org/view.php?hash=31dc5225fc63f04e3b67562d671d8c31&type=js (CVE-2009-0927)
p2 - PDF 2
  MD5: da913464bea5e3d0f304a2d23a3a9b80
  Wepawet: benign http://wepawet.iseclab.org/view.php?hash=da913464bea5e3d0f304a2d23a3a9b80&type=js
  Virustotal: 11/46 https://www.virustotal.com/nb/file/6cc4abe4a72ed33fe06f4c10be569e552351b2bda18af23b98b4a9bd1b904e6a/analysis/1362266822/
p2_a - PDF 3
  MD5: bf3064f9508913d59ab5f2a9c4612659
  Wepawet: benign http://wepawet.iseclab.org/view.php?hash=bf3064f9508913d59ab5f2a9c4612659&type=js
  Virustotal: 11/46 https://www.virustotal.com/nb/file/2f3efd4ac2e5cc1cdd3e179fb91d0838440040f12fc51147d05ac5f33df162d3/analysis/1362266844/
j1 - JAR 1
  MD5: 29a92c3eedd77110bc1dc12948eb909c
  Virustotal: 1/46 https://www.virustotal.com/nb/file/ba2fc06b38dbfb50b676d6eadeac0799deb50d4325dc0cfb1b4fd18906e6f95f/analysis/1362263272/
j1_a.jar - JAR 2
  MD5: 91414b8f2a3f971352b8432a856ddf70
  Virustotal: 1/45 https://www.virustotal.com/nb/file/bd49d9a2f354c6197e3373b66099652e18bf06a65154eb26db659857579e57aa/analysis/1362263287/
1.swf - Flash 1
  MD5: db2d3584fdbacdb7fd58fadc558144ae
  Virustotal: 12/46 https://www.virustotal.com/nb/file/6d55150b066434d213074c200e2d1b8485cada62d1472e0013f10c7f136c58b7/analysis/1362269811/
1.exe - what they went through all the above trouble to give to us...
  MD5: 7cf4f07f1771ad4c7cf97923c9825c61
  Virustotal: 5/46 https://www.virustotal.com/nb/file/054aa312d8c16268d3e59062562b8e9347eeddd8f20b842b16bfebcdedd0690e/analysis/1362266575/
  Probably Zeus.
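A small triage script, added here and not part of the original post, that parses wget output like the above, sniffs each saved file's real container from its leading bytes and compares it with the declared Content-Type and ETag. Two things in the logs motivate it: f1.swf was served as text/html with no length, and the JAR ETags (29a92c3e..., 91414b8f...) are exactly the MD5s listed for j1 and j1_a. The log text, the file bytes and the host hxxp://EXAMPLE are constructed samples.

```python
import hashlib
import re
# Leading bytes of the containers a BHEK page hands out, and which one each
# declared Content-Type should actually carry (constructed lookups).
MAGIC = {b"%PDF": "pdf", b"PK\x03\x04": "jar", b"FWS": "swf", b"CWS": "swf",
         b"ZWS": "swf", b"MZ": "exe"}
EXPECTED = {"application/pdf": "pdf", "application/java-archive": "jar",
            "application/x-shockwave-flash": "swf", "application/x-msdownload": "exe"}

def sniff(data):
    """Container type from the leading bytes, or 'unknown'."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"

def parse_wget_log(log):
    """One record (saved file, Content-Type, ETag) per '--date time-- url' block."""
    records = []
    for chunk in re.split(r"(?m)^--\d{4}-\d\d-\d\d ", log)[1:]:
        ctype = re.search(r"Content-Type: ([^\s;]+)", chunk)
        etag = re.search(r'ETag: "([0-9a-f]+)"', chunk)
        saved = re.search(r"Saving to: `([^']+)'", chunk)
        if saved:
            records.append({"file": saved.group(1),
                            "ctype": ctype.group(1) if ctype else None,
                            "etag": etag.group(1) if etag else None})
    return records

def triage(records, files):
    """Flag fetches whose declared type or ETag disagree with the bytes on disk."""
    findings = {}
    for r in records:
        data = files[r["file"]]
        kind, md5 = sniff(data), hashlib.md5(data).hexdigest()
        notes = []
        if EXPECTED.get(r["ctype"]) != kind:
            notes.append("declared %s but bytes look like %s" % (r["ctype"], kind))
        if r["etag"] and r["etag"] != md5:  # the JAR ETags above equal the files' MD5s
            notes.append("etag %s != md5 %s" % (r["etag"], md5))
        findings[r["file"]] = {"kind": kind, "md5": md5, "notes": notes}
    return findings

# Constructed samples: a JAR whose ETag is its MD5, and a Flash file labelled text/html (as f1.swf was).
SAMPLE_FILES = {"j1.jar": b"PK\x03\x04" + b"\x00" * 26, "f1.swf": b"CWS\x0a" + b"\x00" * 20}
SAMPLE_LOG = ("--2013-03-02 22:45:16-- hxxp://EXAMPLE/q.php?awzq=gtyfkz\nHTTP/1.1 200 OK\n"
              'Content-Type: application/java-archive\nETag: "'
              + hashlib.md5(SAMPLE_FILES["j1.jar"]).hexdigest() + '"\nSaving to: `j1.jar\'\n'
              "--2013-03-02 22:41:08-- hxxp://EXAMPLE/q.php?iywghqq=32\nHTTP/1.1 200 OK\n"
              "Content-Type: text/html\nSaving to: `f1.swf'\n")
```

Run `triage(parse_wget_log(SAMPLE_LOG), SAMPLE_FILES)` to see j1.jar come back clean and f1.swf flagged as Flash served under text/html; the same two checks are a cheap first pass over any batch of files pulled from a kit.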
That went well :)
Thanks to @unixfreaxjp for inspiration