195.88.144.99/194.8.251.160 - eleonore exploit kits

[eoin.miller]

Looks like an eleonore exploit kit(s).

195.88.144.99 - nuyamnyam.ru www.updatemicd.in
194.8.251.160 - dfhjdfst.com medicinada.com

PDF exploit here:
http://medicinada.com/usaa4803/pdf.php

Wepawet report on PDF:
http://wepawet.iseclab.org/view.php?hash=1704d2d08983519a179b6c266917bfa1&type=js

[philipp]

Code: [Select]

200 http://medicinada.com/usaa4803/
200 http://medicinada.com/usaa4803/index.html
200 http://medicinada.com/usaa4803/index.php
200 http://medicinada.com/usaa4803/install.php
200 http://medicinada.com/usaa4803/load.php (MD5: 613b0104901655e5b9156bac46fc50d6)
200 http://medicinada.com/usaa4803/pdf.php
200 http://medicinada.com/usaa4803/stat.php
200 http://medicinada.com/usaa4803/i/
403 http://medicinada.com/usaa4803/load/
200 http://medicinada.com/usaa4803/i/1.php
200 http://medicinada.com/usaa4803/i/index.php
200 http://medicinada.com/usaa4803/load/load.exe (MD5: 613b0104901655e5b9156bac46fc50d6)


[eoin.miller]

Looks like one of the payloads is Win32/Ambler.A

http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Worm%3AWin32%2FAmbler.A