Author Topic: Injected iframer  (Read 6376 times)

February 27, 2012, 05:16:03 am

michajp

The following (Japanese) site contains an obfuscated iframer (on _first_ load only):

Code:
hxxp://2011.myojowaraku.net/
Iframe points to:

Code:
hxxp://heardthat.de.tf/in.cgi?2

Note: the same site contained phishes at 2012-02-16 23:11:31 JST and a similar iframer at 2012-02-17 23:04:05 JST.

Analysis:
http://urlquery.net/report.php?id=25445
http://jsunpack.jeek.org/?report=424dda16d567f31f296228335409a8632e4ecddd

February 28, 2012, 02:17:54 am
Reply #1

michajp

Injected target changed:

Code:
hxxp://downthat.sg.tf/in.cgi?2
http://urlquery.net/report.php?id=25934

February 28, 2012, 08:00:05 am
Reply #2

SysAdMini

Hi Micha,

I don't see any malicious activity there.

These redirectors lead to hxxp://188.72.213.185/c/.

The content of this URL is just "GOTCHA!"

Do you see anything else?
Ruining the bad guy's day

February 28, 2012, 04:26:56 pm
Reply #3

GmG

Now downthat.sg.tf redirects to

Code:
http://gb.facebook4experts.com/direct.php?page=13adec71d62c3e90

February 29, 2012, 07:43:11 am
Reply #4

SysAdMini

Quote from: GmG
    Now downthat.sg.tf redirects to

    Code:
    http://gb.facebook4experts.com/direct.php?page=13adec71d62c3e90

Interesting. Not for me.
Ruining the bad guy's day

February 29, 2012, 09:08:38 am
Reply #5

CkreM

Quote from: SysAdMini
    Quote from: GmG
        Now downthat.sg.tf redirects to

        Code:
        http://gb.facebook4experts.com/direct.php?page=13adec71d62c3e90

    Interesting. Not for me.

The redirection is probably affected by geo-location.
Mal-Aware