Scan from a Xerox WorkCentre Pro #315614

The sample we analyzed contained a link to a malicious page at hxxp://shopdreambags.com/FD6YBhNw/index.html

Scan from Xerox 315614

This malicious page contained JavaScript that redirected victims to a Blackhole exploit kit landing page at

hxxp://184.22.115.24/showthread.php?t=34c79594e8b8ac0f

The Blackhole kit first drops Pony from the following location:

hxxp://184.22.115.24/q.php?f=2fcad&e=2
File: contacts.exe
MD5: ce1e4177bb2605a8637e386c6f7ab737
Size: 129,632 bytes

The Pony downloader posts to its dropzone at 200.72.183.54//pony/gate.php. It was also configured to download three identical Gameover Zeus payloads from the following locations:

1. hxxp://poetesa.ro/0SbvQR5X/5op0.exe
2. hxxp://arteyciencia.es/AUq5p7Sm/4VLks.exe
3. hxxp://redman.com.br/zqDQMaNF/SRivXt.exe

Gameover Zeus was installed to %APPDATA%\Jysah\gaihyl.exe

MD5: a898d910ac17e2dc00333a410daeaa68
Size: 347,744 bytes
Timestamp: 2010:10:31 04:27:18+01:00

This Gameover Zeus variant posts to a dropzone at 187.105.228.200:11752 and downloads its webinjects from 71.80.237.121:14268. The variant carried a botid of "MF222a19" and a cid of "5555".
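The network indicators above (redirector, Blackhole landing and payload URLs, the Pony gate, the Gameover payload hosts and the two non-HTTP ports) can be turned directly into a log triage. The script below is an added example and is not code from the original post: the log format is constructed (client, method, URL or host:port, status), the hosts, paths and ports are taken from the indicators listed above, and the path regexes are generalised from those URLs so they also fire on other servers that use the same Blackhole and Pony URL layout.

```python
"""Triage web-proxy log lines against the indicators from this analysis.

Added example, not code from the original post. The log format below is
constructed (client, method, URL or host:port, status); the hosts, paths
and ports come from the indicators listed above. The path patterns are
generalised from those URLs so they also fire on other servers using the
same Blackhole / Pony layout.
"""
import re
from urllib.parse import urlsplit

# Host-level indicators from the post and the role each played.
KNOWN_HOSTS = {
    "shopdreambags.com": "redirector page",
    "184.22.115.24": "Blackhole exploit kit",
    "200.72.183.54": "Pony dropzone",
    "poetesa.ro": "Gameover Zeus payload host",
    "arteyciencia.es": "Gameover Zeus payload host",
    "redman.com.br": "Gameover Zeus payload host",
    "187.105.228.200": "Gameover Zeus dropzone",
    "71.80.237.121": "Gameover Zeus webinject server",
}

# Non-HTTP ports the Gameover variant used (from the post).
KNOWN_PORTS = {11752: "Gameover Zeus dropzone", 14268: "Gameover Zeus webinjects"}

# Path shapes generalised from the URLs above. The last one is a weak
# heuristic (8-char random directory, short random .exe) and should be
# confirmed with the payload hash before acting on it.
PATTERNS = [
    ("Blackhole landing page", re.compile(r"^/showthread\.php\?t=[0-9a-f]{16}$")),
    ("Blackhole payload fetch", re.compile(r"^/q\.php\?f=[0-9a-f]+&e=\d+$")),
    ("Pony gate check-in", re.compile(r"^/+pony/gate\.php$")),
    ("random-path .exe download", re.compile(r"^/[A-Za-z0-9]{8}/[A-Za-z0-9]{4,6}\.exe$")),
]

# Constructed sample log: the first six lines replay the chain described
# above, the last two are a clean request and an unknown host using the
# Blackhole landing-page URL scheme.
LOG_LINES = """\
10.0.0.5 GET http://shopdreambags.com/FD6YBhNw/index.html 200
10.0.0.5 GET http://184.22.115.24/showthread.php?t=34c79594e8b8ac0f 200
10.0.0.5 GET http://184.22.115.24/q.php?f=2fcad&e=2 200
10.0.0.5 POST http://200.72.183.54//pony/gate.php 200
10.0.0.5 GET http://poetesa.ro/0SbvQR5X/5op0.exe 200
10.0.0.5 CONNECT 187.105.228.200:11752 200
10.0.0.5 GET http://www.example.com/index.html 200
10.0.0.7 GET http://other.invalid/showthread.php?t=0123456789abcdef 404
""".splitlines()


def classify(line):
    """Return the indicator labels that match one log line ([] if clean)."""
    _client, method, target, _status = line.split()
    hits = []
    if method == "CONNECT":
        # CONNECT targets are bare host:port with no path to inspect.
        host, _, port = target.rpartition(":")
        port = int(port)
    else:
        parts = urlsplit(target)
        host, port = parts.hostname, parts.port
        # Keep a doubled leading slash (as seen in the Pony URL) so the
        # regexes see the path exactly as the client requested it.
        path = parts.path + ("?" + parts.query if parts.query else "")
        for label, rx in PATTERNS:
            if rx.match(path):
                hits.append(label)
    if host in KNOWN_HOSTS:
        hits.append("known host: " + KNOWN_HOSTS[host])
    if port in KNOWN_PORTS:
        hits.append("known port: " + KNOWN_PORTS[port])
    return hits


def scan(lines):
    """Return (client, target, hits) for every line that matched something."""
    results = []
    for line in lines:
        hits = classify(line)
        if hits:
            client, _method, target, _status = line.split()
            results.append((client, target, hits))
    return results


if __name__ == "__main__":
    for client, target, hits in scan(LOG_LINES):
        print(f"{client} -> {target}: {', '.join(hits)}")
```

Host and port matches are the high-confidence part; the path regexes will keep matching after the kit moves to a new IP, which is the point of keeping them separate from the host list, but the random-directory .exe pattern on its own is only a prompt to pull the file and hash it.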

Interestingly, the Pony downloader and the Gameover Zeus payload share the same signature and version-information properties, suggesting both were built by the same group, possibly around the same time:

Signature: Digitally signed by 'VfnHcYKXDLnVlQizT9uLI4yhP'
Certificate Validity: 04/18/2012 to 01/01/2040
Company Name: Microsoft Corporation
File Description: Windows Disk Diagnostic User Resolver
File Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Internal Name: DFDWiz.exe
Legal Copyright: © Microsoft Corporation. All rights reserved.
Original Filename: DFDWiz.exe
Product Name: Microsoft® Windows® Operating System
Product Version: 6.1.7600.16385

Note that none of this makes the files look Microsoft-signed to anyone who checks: the signer is a random string rather than Microsoft's code-signing chain, the certificate is valid for almost 28 years, and the version information appears to have been copied from the legitimate Windows 7 DFDWiz.exe (the Disk Diagnostic User Resolver) while the files on disk are named contacts.exe and gaihyl.exe.
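The mismatches between on-disk filename, version information and signer are exactly what a first-pass triage script can check. The following is an added example, not code from the original post: the two malicious entries are transcribed from the properties listed above, the DFDWiz.exe control entry is constructed (its signer string and validity dates are illustrative, not taken from a real file), and the three-year validity threshold is an assumption about how long publisher code-signing certificates are normally issued for.

```python
"""Triage PE version information and signer data for spoofing.

Added example, not code from the original post. The two malicious entries
are transcribed from the properties listed above; the DFDWiz.exe control
entry is constructed to show what a consistent record looks like (its
signer string and dates are illustrative, not taken from a real file).
"""
from datetime import date

# Version-information fields the two payloads shared (from the post).
SHARED_VERSION_INFO = {
    "CompanyName": "Microsoft Corporation",
    "FileDescription": "Windows Disk Diagnostic User Resolver",
    "OriginalFilename": "DFDWiz.exe",
    "ProductName": "Microsoft\u00ae Windows\u00ae Operating System",
}

SAMPLES = {
    "contacts.exe": {
        **SHARED_VERSION_INFO,
        "Signer": "VfnHcYKXDLnVlQizT9uLI4yhP",
        "NotBefore": date(2012, 4, 18),
        "NotAfter": date(2040, 1, 1),
    },
    "gaihyl.exe": {
        **SHARED_VERSION_INFO,
        "Signer": "VfnHcYKXDLnVlQizT9uLI4yhP",
        "NotBefore": date(2012, 4, 18),
        "NotAfter": date(2040, 1, 1),
    },
    # Constructed control: on-disk name, signer and a short validity window
    # all agree with the version information.
    "DFDWiz.exe": {
        **SHARED_VERSION_INFO,
        "Signer": "Microsoft Windows",
        "NotBefore": date(2009, 7, 13),
        "NotAfter": date(2010, 10, 13),
    },
}

# Assumption: publisher code-signing certificates are issued for a few
# years at most; a multi-decade window is a self-signed/test-cert smell.
MAX_CODESIGN_DAYS = 3 * 365


def triage(filename, meta):
    """Return a list of inconsistencies between filename, version info and signer."""
    findings = []
    # 1. Renamed binaries: the resource still names the file it was copied from.
    if meta["OriginalFilename"].lower() != filename.lower():
        findings.append(
            f"on-disk name {filename} differs from OriginalFilename {meta['OriginalFilename']}"
        )
    # 2. Company name is free text; the signer identity is what the cert binds.
    company = meta["CompanyName"].lower()
    if "microsoft" in company and "microsoft" not in meta["Signer"].lower():
        findings.append(f"CompanyName claims Microsoft but signer is '{meta['Signer']}'")
    # 3. Implausibly long certificate lifetime.
    validity_days = (meta["NotAfter"] - meta["NotBefore"]).days
    if validity_days > MAX_CODESIGN_DAYS:
        findings.append(f"certificate valid for {validity_days} days")
    return findings


def triage_all(samples=SAMPLES):
    """Map each sample name to its findings."""
    return {name: triage(name, meta) for name, meta in samples.items()}


if __name__ == "__main__":
    for name, findings in triage_all().items():
        print(name, "->", findings or "consistent")
```

This only inspects metadata as reported by a parser; it does not validate the Authenticode chain. On a Windows analysis box, signtool verify /pa /v against the sample is the authoritative check, and a random-string signer like the one above will simply fail it.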
