Apple Order Acknowledgement W244415849

Spam Subject:
Order Acknowledgment W244415849.

Malicious URL(s):

Apple-Order W244415849

Through a JS redirector at hxxp://, the spam lands victims on the BH exploit kit hosted at . The following document.location script is used to eventually redirect the victim to BH:


The victim machine is first infected with the Pony downloader from the following location:

File: readme.exe
MD5: 43e83090e4a3d044b5df34f95f5c266e
Size: 146,432 bytes

This Pony loader posts to a C&C at /pony/gate.php, hosted at IP address , and then downloads three identical Gameover Zeus payloads from the following URLs:


Gameover installs itself in %APPDATA%\Ygecpu\gyiky. It has the following file properties:

MD5: 68abfd809fb0713d70f7a752806c257e
Size: 305,704 bytes
Digital Signature: This file is digitally signed by ‘nYZbvA3YL8XjBMx’
Certificate Validity: 04/10/2012 to 01/01/2040
Timestamp: 2010:11:02 17:04:24+01:00
Company Name: Microsoft Corporation
File Description: Windows Disk Diagnostic User Resolver
Internal Name: DFDWiz.exe
Legal Copyright: © Microsoft Corporation. All rights reserved.
Original Filename: DFDWiz.exe
Product Name: Microsoft® Windows® Operating System
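The version-info block above claims to be a Microsoft binary, yet the signer is an unrelated name, the certificate is valid for almost three decades, and the signing timestamp (2010) predates the certificate's own validity start (2012). The following added example (not part of the original post) turns those inconsistencies into a small triage check; the record of the sample's properties is constructed from the fields listed above, and the date formats (DD/MM/YYYY for certificate dates) and the ten-year validity threshold are assumptions.

```python
from datetime import datetime

# Constructed from the file properties listed on the page (not a PE parser).
GAMEOVER_SAMPLE = {
    "signer": "nYZbvA3YL8XjBMx",
    "cert_valid_from": "04/10/2012",   # assumed DD/MM/YYYY
    "cert_valid_to": "01/01/2040",
    "timestamp": "2010:11:02 17:04:24+01:00",
    "company_name": "Microsoft Corporation",
    "internal_name": "DFDWiz.exe",
    "original_filename": "DFDWiz.exe",
}

# Constructed benign-looking record used as a control case.
BENIGN_SAMPLE = {
    "signer": "Microsoft Corporation",
    "cert_valid_from": "01/01/2023",
    "cert_valid_to": "01/01/2024",
    "timestamp": "2023:06:01 12:00:00+00:00",
    "company_name": "Microsoft Corporation",
    "internal_name": "example.exe",
    "original_filename": "example.exe",
}

MAX_CERT_VALIDITY_DAYS = 365 * 10  # heuristic threshold (assumption)


def _cert_date(s: str) -> datetime:
    return datetime.strptime(s, "%d/%m/%Y")


def _timestamp_date(s: str) -> datetime:
    # Only the date part is needed for the comparison below.
    return datetime.strptime(s[:10], "%Y:%m:%d")


def signature_findings(props: dict) -> list:
    """Return heuristic findings about a file's signing/version metadata."""
    findings = []
    valid_from = _cert_date(props["cert_valid_from"])
    valid_to = _cert_date(props["cert_valid_to"])
    signed_on = _timestamp_date(props["timestamp"])
    # Version info claims Microsoft but the certificate subject is someone else.
    if "microsoft" in props["company_name"].lower() and \
            not props["signer"].lower().startswith("microsoft"):
        findings.append("company_name_claims_microsoft_but_signer_differs")
    # A signing time before the certificate was even valid cannot be legitimate.
    if signed_on < valid_from:
        findings.append("timestamp_precedes_certificate_validity")
    # Code-signing certificates are normally short-lived; decades-long is odd.
    if (valid_to - valid_from).days > MAX_CERT_VALIDITY_DAYS:
        findings.append("certificate_validity_unusually_long")
    return findings
```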

During analysis, the Gameover Zeus variant's dropzone was identified at &
Webinjects were downloaded from . The Gameover variant had a BotID "ppca10" and CID "5555".

