VALERIO Pizza Order Confirmation

Order Confirmation

The sample we analyzed had a link to a malicious page at hxxp://

This malicious page contained JavaScript that redirected victims to a Phoenix Exploit Kit at hxxp://
The Phoenix kit first drops a CVE-2010-0188 PDF payload from hxxp://. The PDF file had the following properties:

File: kqbzaubpiqxnbn.pdf
MD5: 1b6f367a28de927e6573e803e555a297
Size: 13,163 bytes

A successful exploit in turn handed victims off to a second exploit kit at hxxp://. This kit dropped a Pony downloader with the following properties:

File: esfwatkocliuyn.exe
MD5: 5726463108bb6f26e6dd54763e85453b
Size: 135,264 bytes

Both Phoenix exploit kits are hosted at the following IP addresses, on the same fast-flux infrastructure:

The Pony downloader posts to its dropzone at hxxp://, hosted at IP address . It was also configured to download three identical Gameover Zeus payloads from the following locations:

1. hxxp://
2. hxxp://
3. hxxp://

Gameover was installed in %APPDATA%\Meizo\ehgea.exe

MD5: a3e56f7ba6cd98b2ac87596daf74e2aa
Size: 371,808 bytes
Timestamp: 2010:10:29 14:08:06+02:00

This Gameover Zeus variant posts to a dropzone at . Webinjects were downloaded from . The Gameover variant had a botid of “MF222a17” and a cid of “5555”.

Interestingly, the Pony downloader and the Gameover Zeus payload carry the same signer and the same version-resource strings (copied from the Windows 7 DFDWiz.exe), which suggests both payloads were built by the same group, possibly around the same time:

Signature: Digitally signed by ‘VfnHcYKXDLnVlQizT9uLI4yhP’
Certificate Validity: 04/16/2012 to 01/01/2040
Company Name: Microsoft Corporation
File Description: Windows Disk Diagnostic User Resolver
File Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Internal Name: DFDWiz.exe
Legal Copyright: © Microsoft Corporation. All rights reserved.
Original Filename: DFDWiz.exe
Product Name: Microsoft® Windows® Operating System
Product Version: 6.1.7600.16385
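The spoofed Microsoft metadata above is a useful triage pivot: a version resource that claims Microsoft Corporation while the signer subject is a random string, a certificate valid until 2040, and an OriginalFilename that does not match the name on disk are each cheap to check at scale. The following Python script is an added example, not code from the original write-up; it encodes those three checks and clusters samples that share a signer. The two malicious records are constructed from the properties listed on this page; the benign reference record (its signer name and certificate dates) is an assumption, and the field names are this example's own rather than the output of any particular tool.

```python
"""Triage PE signer and version-resource metadata for spoofed Microsoft strings.

Added example: the records below are constructed from the properties quoted
in the write-up; no PE parsing is done here (feed it the output of whatever
signature/version-info extractor you use).
"""
from collections import defaultdict
from datetime import date

# Constructed records. The first two reproduce the Pony and Gameover strings
# from the write-up; the third is an ASSUMED benign reference for a genuine
# Microsoft-signed DFDWiz.exe (signer CN and certificate dates are assumptions).
SAMPLES = [
    {
        "file": "esfwatkocliuyn.exe", "family": "Pony",
        "md5": "5726463108bb6f26e6dd54763e85453b",
        "signer": "VfnHcYKXDLnVlQizT9uLI4yhP",
        "not_before": date(2012, 4, 16), "not_after": date(2040, 1, 1),
        "CompanyName": "Microsoft Corporation",
        "OriginalFilename": "DFDWiz.exe", "InternalName": "DFDWiz.exe",
        "FileVersion": "6.1.7600.16385 (win7_rtm.090713-1255)",
    },
    {
        "file": "ehgea.exe", "family": "Gameover Zeus",
        "md5": "a3e56f7ba6cd98b2ac87596daf74e2aa",
        "signer": "VfnHcYKXDLnVlQizT9uLI4yhP",
        "not_before": date(2012, 4, 16), "not_after": date(2040, 1, 1),
        "CompanyName": "Microsoft Corporation",
        "OriginalFilename": "DFDWiz.exe", "InternalName": "DFDWiz.exe",
        "FileVersion": "6.1.7600.16385 (win7_rtm.090713-1255)",
    },
    {
        "file": "DFDWiz.exe", "family": "benign (assumed)",
        "md5": None,
        "signer": "Microsoft Windows",            # assumed signer CN
        "not_before": date(2009, 7, 13), "not_after": date(2010, 10, 13),  # assumed
        "CompanyName": "Microsoft Corporation",
        "OriginalFilename": "DFDWiz.exe", "InternalName": "DFDWiz.exe",
        "FileVersion": "6.1.7600.16385 (win7_rtm.090713-1255)",
    },
]

# Code-signing certificates are normally issued for one to three years;
# anything much longer is a self-issued certificate worth a look.
MAX_CERT_YEARS = 5


def triage(rec):
    """Return a list of human-readable findings for one record (empty = nothing odd)."""
    findings = []
    company = rec.get("CompanyName", "").lower()
    signer = (rec.get("signer") or "").lower()

    # 1. Version resource claims Microsoft but the Authenticode signer does not.
    if "microsoft" in company and "microsoft" not in signer:
        findings.append(
            f"CompanyName claims Microsoft but signer is '{rec.get('signer')}'")

    # 2. Implausibly long certificate validity (2012 -> 2040 in the samples above).
    years = (rec["not_after"] - rec["not_before"]).days / 365.25
    if years > MAX_CERT_YEARS:
        findings.append(f"certificate valid for {years:.0f} years")

    # 3. OriginalFilename copied from a real Windows binary but dropped under a random name.
    if rec["OriginalFilename"].lower() != rec["file"].lower():
        findings.append(
            f"on-disk name {rec['file']} != OriginalFilename {rec['OriginalFilename']}")
    return findings


def cluster_by_signer(records):
    """Group sample hashes that share a signer subject and OriginalFilename.

    Only groups with more than one member are returned; that is the 'same
    builder' observation from the write-up expressed as a pivot.
    """
    groups = defaultdict(list)
    for r in records:
        if r.get("md5"):
            groups[(r["signer"], r["OriginalFilename"])].append(r["md5"])
    return {key: md5s for key, md5s in groups.items() if len(md5s) > 1}


if __name__ == "__main__":
    for rec in SAMPLES:
        print(rec["file"], rec["family"])
        for f in triage(rec):
            print("   -", f)
    for (signer, orig), md5s in cluster_by_signer(SAMPLES).items():
        print(f"cluster signer={signer} OriginalFilename={orig}: {', '.join(md5s)}")
```

Run it as-is to see the three findings on each malicious record and none on the assumed benign one; in practice, replace `SAMPLES` with records produced by your own signature and version-info extractor and keep the rest unchanged.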
