FedEx & Wire Transfer

Subject: Re_Wire Transfer (3935SH506).
URL: /loadit/fondos/file-index.htm


Subject: Fedex Delivery Confirmation 351301.


The victim is eventually redirected to a Phoenix Exploit Kit landing page at sonografx[.]ru:8080 /navigator/jueoaritjuir.php, hosted at IP address(es):

The Phoenix controller downloads a PDF from samsonikonyou[.]ru:8080 /navigator/alisgtypezfq1.pdf. This PDF is identified as exploiting CVE-2010-0188. The exploit PDF had the following properties:

Name: gukzxtjpcsjobn.pdf
Size: 13,237 bytes
MD5: df6f147dcd68fbaa26a7d941958dc58d

The exploit forces the victim to download a Pony downloader from poosdfhhsppsdns[.]su:8080 /navigator/frf3.php?i=15. This Pony downloader had the following properties:

File: dsarcubqinhsjqkugsbm.exe
MD5: 9485f9d0afac1f929f49aafe31e7000c
Size: 94,760 bytes
Timestamp: 2012:04:04 17:09:33+02:00

The Pony downloader’s dropzone is running at /pony/gate.php. Pony then downloads three identical Gameover Zeus payloads from:

1. /6rBQWWdx/9ZR.exe
2. /bo0B7BgS/bhsuZJdf.exe
3. /dCWhyHtG/XbKbb5L.exe

Gameover Zeus is installed as %AppData%/ikwyp.exe with the following properties:

MD5: c8c3fa05dc37232a0643834dded6dced
Size: 304,168 bytes
Timestamp: 2010:10:28 15:51:02+02:00

This payload is digitally signed by ‘GggvpYSuFAF7Uqd’. The certificate is valid from 04/04/2012 to 01/01/2040.

Note that this Gameover payload connects to a dropzone at and uses a bot ID of “mf2222a4”.
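To make the chain above checkable in proxy logs, here is an added example (not code from the original post) that classifies log lines against the stages described and groups the hits per client. The log line format and client addresses are constructed, and the Gameover payload path rule is a heuristic generalised from the three listed URLs.

```python
import re
from collections import defaultdict

# Added example: match proxy-log URLs against the infection-chain indicators
# above. Hostnames are the page's defanged ones re-fanged; the payload path
# rule generalises the three listed download URLs (assumption, heuristic).
STAGES = [
    ("phoenix_landing", re.compile(r"^sonografx\.ru:8080/navigator/\w+\.php$")),
    ("cve-2010-0188_pdf", re.compile(r"^samsonikonyou\.ru:8080/navigator/\w+\.pdf$")),
    ("pony_download", re.compile(r"^poosdfhhsppsdns\.su:8080/navigator/frf3\.php\?i=\d+$")),
    ("pony_gate", re.compile(r"/pony/gate\.php$")),
    ("gameover_payload", re.compile(r"/[A-Za-z0-9]{8}/[A-Za-z0-9]{3,8}\.exe$")),
]

def classify_url(url):
    """Return the chain stage a URL belongs to, or None if it matches nothing."""
    target = re.sub(r"^https?://", "", url.strip())
    for stage, pattern in STAGES:
        if pattern.search(target):
            return stage
    return None

def find_chains(log_lines, min_stages=2):
    """Parse 'timestamp client method url' lines (constructed format) and return
    {client: [stages hit, in log order]} for clients touching >= min_stages stages."""
    hits = defaultdict(list)
    for line in log_lines:
        parts = line.split()
        if len(parts) < 4:
            continue
        stage = classify_url(parts[3])
        if stage and stage not in hits[parts[1]]:
            hits[parts[1]].append(stage)
    return {client: stages for client, stages in hits.items() if len(stages) >= min_stages}

# Constructed sample log (not real traffic): one client walks the full chain,
# another only fetches an unrelated executable with a look-alike path.
SAMPLE_LOG = [
    "2012-04-05T10:02:11 10.0.0.15 GET http://sonografx.ru:8080/navigator/jueoaritjuir.php",
    "2012-04-05T10:02:13 10.0.0.15 GET http://samsonikonyou.ru:8080/navigator/alisgtypezfq1.pdf",
    "2012-04-05T10:02:20 10.0.0.15 GET http://poosdfhhsppsdns.su:8080/navigator/frf3.php?i=15",
    "2012-04-05T10:02:25 10.0.0.15 POST http://203.0.113.10/pony/gate.php",
    "2012-04-05T10:02:27 10.0.0.15 GET http://203.0.113.10/6rBQWWdx/9ZR.exe",
    "2012-04-05T10:05:00 10.0.0.22 GET http://example.com/downloads/setup.exe",
]

if __name__ == "__main__":
    for client, stages in find_chains(SAMPLE_LOG).items():
        print(client, "->", " > ".join(stages))
```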

