Scan from a Xerox WorkCentre Pro #315614

The sample we analyzed had a link to a malicious page at

Scan from Xerox 315614

This malicious page contained JavaScript that redirected victims to a Blackhole Exploit Kit at


The Blackhole kit first drops Pony from the following location:

File: contacts.exe
MD5: ce1e4177bb2605a8637e386c6f7ab737
Size: 129,632 bytes

The Pony downloader posts to its dropzone at . It was also configured to download 3 identical Gameover Zeus payloads from the following locations:

1. hxxp://
2. hxxp://
3. hxxp://

Gameover was installed in %APPDATA%\Jysah\gaihyl.exe

MD5: a898d910ac17e2dc00333a410daeaa68
Size: 347,744 bytes
Timestamp: 2010:10:31 04:27:18+01:00

This Gameover Zeus variant posts to a dropzone at . Webinjects were downloaded from . The Gameover variant had a botid of “MF222a19” and a cid of “5555”.

Interestingly, the Pony downloader and Gameover Zeus shared the same file properties, indicating that both payloads were built by the same group, around the same time(?):

Signature: Digitally signed by ‘VfnHcYKXDLnVlQizT9uLI4yhP’
Certificate Validity: 04/18/2012 to 01/01/2040
Company Name: Microsoft Corporation
File Description: Windows Disk Diagnostic User Resolver
File Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Internal Name: DFDWiz.exe
Legal Copyright: © Microsoft Corporation. All rights reserved.
Original Filename: DFDWiz.exe
Product Name: Microsoft® Windows® Operating System
Product Version: 6.1.7600.16385
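As an added example (not part of the original write-up), a small Python triage script that turns the observation above into checks: it fingerprints the version-info resource so samples sharing it cluster together, and it flags a file whose claimed identity (Microsoft's DFDWiz.exe) does not match its on-disk name, its signer, or a plausible certificate lifetime. The records are constructed from the values quoted above; the 10-year certificate threshold is an assumption, not something the write-up states.

```python
import hashlib
from datetime import datetime

# Version-info fields to fingerprint (the fields listed in the write-up).
VS_FIELDS = ("CompanyName", "FileDescription", "FileVersion", "InternalName",
             "OriginalFilename", "ProductName", "ProductVersion")
MAX_CERT_YEARS = 10  # assumed threshold; real code-signing certs are far shorter

# Constructed records from the properties quoted above: the version info is
# identical for both payloads, which is exactly what the clustering catches.
SHARED_INFO = {
    "CompanyName": "Microsoft Corporation",
    "FileDescription": "Windows Disk Diagnostic User Resolver",
    "FileVersion": "6.1.7600.16385 (win7_rtm.090713-1255)",
    "InternalName": "DFDWiz.exe",
    "OriginalFilename": "DFDWiz.exe",
    "ProductName": "Microsoft\u00ae Windows\u00ae Operating System",
    "ProductVersion": "6.1.7600.16385",
}
SAMPLES = [
    {"disk_name": "contacts.exe", "signer": "VfnHcYKXDLnVlQizT9uLI4yhP",
     "cert_valid": ("04/18/2012", "01/01/2040"), **SHARED_INFO},
    {"disk_name": "gaihyl.exe", "signer": "VfnHcYKXDLnVlQizT9uLI4yhP",
     "cert_valid": ("04/18/2012", "01/01/2040"), **SHARED_INFO},
]

def version_info_fingerprint(sample):
    """SHA-256 over the version-info fields only, for clustering samples."""
    blob = "\n".join(f"{k}={sample.get(k, '')}" for k in VS_FIELDS)
    return hashlib.sha256(blob.encode("utf-8")).hexdigest()

def triage_findings(sample):
    """List inconsistencies between what the file claims and what it is."""
    findings = []
    if sample["OriginalFilename"].lower() != sample["disk_name"].lower():
        findings.append(f"OriginalFilename {sample['OriginalFilename']} "
                        f"!= on-disk name {sample['disk_name']}")
    if ("microsoft" in sample["CompanyName"].lower()
            and "microsoft" not in sample["signer"].lower()):
        findings.append(f"claims Microsoft but signed by '{sample['signer']}'")
    start, end = (datetime.strptime(d, "%m/%d/%Y") for d in sample["cert_valid"])
    if (end - start).days > MAX_CERT_YEARS * 365:
        findings.append(f"certificate valid for {(end - start).days // 365} years")
    return findings

def cluster_by_version_info(samples):
    """Group on-disk names by identical version-info fingerprint."""
    groups = {}
    for s in samples:
        groups.setdefault(version_info_fingerprint(s), []).append(s["disk_name"])
    return groups
```

On these two records every check fires, and both payloads land in a single cluster, reproducing the "same builder" conclusion from metadata alone.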

