Wepawet (alpha)

Home | About | Sample Reports | Support | News

Analysis report for http://schoefffayandtony.blogspot.com/

Sample Overview

URL	http://schoefffayandtony.blogspot.com/
MD5	1cee71ca71c0cfaa5c1e1ddc72752bd4
Analysis Started	2010-01-31 22:31:54
Report Generated	2010-01-31 22:32:45
Jsand version	1.03.02

See the report for domain schoefffayandtony.blogspot.com.

Detection results

Detector	Result
Jsand 1.03.02	suspicious

This resource appears to be involved in the Koobface malware campaign.

Exploits

No exploits were identified.

Deobfuscation results

Evals

• document.referrer
  

  (repeated 2 times)

• window.redirect
  

  (repeated 2 times)

• location.href
  

  (repeated 1 time)

• location.search
  

  (repeated 1 time)

• window.location.href = window.redirect;
  

  (repeated 1 time)

• window.attachEvent('onunload', exiter);
  

  (repeated 1 time)

Writes

• <OBJECT id="iie" width="0" height="0" style="position:absolute; left:0;top:0;" CLASSID=
  "CLSID:6BF52A52-394A-11d3-B153-00C04F79FAA6" type="application/x-oleobject"> <PARAM NAME=
  "SendPlayStateChangeEvents" VALUE="True"> <PARAM NAME="AutoStart" VALUE="True">	<PARAM name="uiMode"
   value="none"> <PARAM name="PlayCount" value="9999"></OBJECT>
  

  (repeated 1 time)

Network Activity

Requests

URL	Status	Content Type
http://schoefffayandtony.blogspot.com/	200	text/html
http://www.renewalretreat.com/main/?go	200	text/javascript
http://96.231.223.38/go.js?0x3E8/view/console=yes/?go	200	text/javascript
http://24.193.49.250/go.js?0x3E8/view/console=yes/?go	200	text/javascript
http://77.126.144.77/go.js?0x3E8/view/console=yes/?go	Timeout	application/x-empty
http://98.206.46.123/go.js?0x3E8/view/console=yes/?go	200	text/javascript
http://18.111.51.140/go.js?0x3E8/view/console=yes/?go	200	text/javascript
http://24.109.42.73/go.js?0x3E8/view/console=yes/?go	200	text/javascript
http://71.197.16.121/go.js?0x3E8/view/console=yes/?go	200	text/javascript
http://75.65.141.17/go.js?0x3E8/view/console=yes/?go	200	text/javascript
http://80.178.4.3/go.js?0x3E8/view/console=yes/?go	200	text/javascript
http://77.124.97.210/go.js?0x3E8/view/console=yes/?go	200	text/javascript
http://93.173.116.178/go.js?0x3E8/view/console=yes/?go	200	text/javascript
http://96.52.235.157/go.js?0x3E8/view/console=yes/?go	200	text/javascript
http://70.246.102.186/go.js?0x3E8/view/console=yes/?go	200	text/javascript
http://68.202.8.241/go.js?0x3E8/view/console=yes/?go	200	text/javascript
http://85.250.232.104/go.js?0x3E8/view/console=yes/?go	200	text/javascript
http://76.11.231.208/go.js?0x3E8/view/console=yes/?go	200	text/javascript
http://84.229.129.9/go.js?0x3E8/view/console=yes/?go	Timeout	application/x-empty
http://97.96.232.201/go.js?0x3E8/view/console=yes/?go	200	text/javascript
http://24.99.102.143/go.js?0x3E8/view/console=yes/?go	200	text/javascript
http://84.109.44.226/go.js?0x3E8/view/console=yes/?go	200	text/javascript
about:blank	200	text/html
http://84.109.44.226/d=www.renewalretreat.com/0x3E8/view/console=yes/?go	200	text/html
http://84.109.44.226/d=www.renewalretreat.com/0x3E8/view/console=yes/player.swf?pid=6123	200	application/x-shockwave-flash

Redirects

No redirects.

ActiveX controls

• 6BF52A52-394A-11D3-B153-00C04F79FAA6
  	Name	Arg0	Count
  Methods	launchURL	http://coloradowin.com/?pid=312s02&sid=4db12f	1
  		http://84.109.44.226/d=www.renewalretreat.com/0x3E8/view/console=yes/?go	1
  	Name	Value	Count
  Attributes	PlayCount	9999	1
  	uiMode	none	1
  	AutoStart	True	1
  	SendPlayStateChangeEvents	True	1

• D27CDB6E-AE6D-11CF-96B8-444553540000
  	Name	Value	Count
  Attributes	bgcolor	#000000	1
  	movie	player.swf?pid=6123	1
  	allowScriptAccess	sameDomain	1
  	allowFullScreen	false	1
  	menu	false	1
  	quality	high	1

Shellcode and Malware

No shellcode was identified.

Additional (potential) malware:

URL	Type	Hash	Analysis
http://84.109.44.226/d=www.renewalretreat.com/0x3E8/view/console=yes/?go	N/A	N/A
http://coloradowin.com/?pid=312s02&sid=4db12f	N/A	N/A

© 2008–2010 UCSB Computer Security Lab