Author Topic: kokojamba.com (79.171.22.190)  (Read 5831 times)

March 09, 2010, 04:01:46 pm

Nachtmond

My first time contributing, so hopefully I'm following protocol correctly. :-)

Serving at least 1 verified malicious PDF: kokojamba[dot]com/a/s/files/clb[dot]pdf

Wepawet analysis:
http://wepawet.iseclab.org/view.php?hash=6b2a90f17d56ed6f4ae9a32d76331d6b&t=1268143098&type=js

Virustotal analysis:
http://www.virustotal.com/analisis/92583158104d402537de6214934d1d6a2c5086634cf0409ada6521570ada3e5f-1268100719

March 09, 2010, 04:47:35 pm
Reply #1

jboyhb

Found a similar one.

kokojamba(dot)com/a/s/files/ie.swf

Wepawet analysis:
suspicious
http://wepawet.cs.ucsb.edu/view.php?hash=1ac3b47352d0b08997f3bba7e9993f4d&type=swf

virus total:
Clean

March 09, 2010, 08:28:16 pm
Reply #2

SysAdMini

> My first time contributing, so hopefully I'm following protocol correctly. :-)

Welcome!

Thanks for submission.
Ruining the bad guy's day

March 10, 2010, 11:56:11 am
Reply #3

SysAdMini


March 10, 2010, 03:42:18 pm
Reply #4

jboyhb

Domain is now: (79.171.22.190)

givechik(dot)com/k2/yakmea/aisehel.pdf


Wepawet analysis:
malicious
http://wepawet.cs.ucsb.edu/view.php?hash=cc675450ab8b0c298677fade2bd353b5&t=1268234929&type=js

March 10, 2010, 04:49:07 pm
Reply #5

SysAdMini

> Domain is now: (79.171.22.190)
>
> givechik(dot)com/k2/yakmea/aisehel.pdf

Thanks. Added to list. It's a SEO Sploit Pack.

Does anybody know an active URL of magicrrt[dot]com at the same host?

http://www.phat1.com/2010/03/10/is-techcrunch-serving-malware-now/

March 10, 2010, 04:55:59 pm
Reply #6

jboyhb

I have seen this:

IP: 79.171.22.190

magicrrt(dot)com/kv1/meoff/leerymhd.pdf

Wepawet analysis:
malicious
http://wepawet.iseclab.org/view.php?hash=f682dcfd21aa1695d8cad55c19656933&t=1268197907&type=js

March 10, 2010, 05:01:11 pm
Reply #7

SysAdMini

> I have seen this:
>
> IP: 79.171.22.190
>
> magicrrt(dot)com/kv1/meoff/leerymhd.pdf

Right, but it is offline now. I found /kv1/ by Google too.

There was probably an advertisement redirecting to it.
Look here:

http://www.phat1.com/2010/03/10/is-techcrunch-serving-malware-now/

And it was probably an ad too which was directing to kokojamba.com.
Top referers in control panel are:

Code:
msn.foxsports.com 13464 729 5.41 %
msnbc.msn.com 13314 649 4.87 %
health.msn.com 11399 583 5.11 %
wonderwall.msn.com 11318 233 2.06 %
addictinggames.com 10327 404 3.91 %
-- 7205 481 6.68 %
ad.doubleclick.net 4307 175 4.06 %
shockwave.com 3996 170 4.25 %
zone.msn.com 3759 66 1.76 %
cnbc.com 3615 149 4.12 %
tv.msn.com 3109 94 3.02 %
my.msn.com 2951 44 1.49 %
mbd.scout.com 2293 71 3.1 %
moneycentral.msn.com 2250 47 2.09 %
music.msn.com 2103 153 7.28 %
digg.com 2098 81 3.86 %
movies.msn.com 2008 99 4.93 %
articles.moneycentral.msn.com 2006 89 4.44 %
business.com 1770 180 10.17 %
weather.msn.com 1534 26 1.69 %
mtv.com 1361 43 3.16 %

March 11, 2010, 04:06:35 pm
Reply #8

jboyhb


March 11, 2010, 05:45:22 pm
Reply #9

SysAdMini
