ACH Transaction Rejected

The samples we analyzed had a link to a malicious page at hxxp://cayambeturismo.gob.ec/zHyxgRft/index.html and hxxp://doctors.eyes.org/a6qYbbvX/index.html

ACH transaction rejected

This malicious page contained JavaScript that redirected victims to a Blackhole Exploit Kit at

hxxp://85.25.189.174/showthread.php?t=34c79594e8b8ac0f

The Blackhole kit first drops Pony from the following location:

hxxp://85.25.189.174/q.php?f=2fcad&e=2
File: about.exe
MD5: 9b196853650fcb8ac182be05b627f07c
Size: 131,168 bytes

The Pony downloader posts to its dropzone at 91.121.84.204/pony/gate.php. It was also configured to download 3 identical Gameover Zeus payloads from the following locations:

1. hxxp://electrosa.com/8zvW2XE.exe
2. hxxp://arteyciencia.es/AUq5p7Sm/4VLks.exe
3. hxxp://electrosa.com/8zvW2XE.exe
4. hxxp://poetesa.ro/0SbvQR5X/5op0.exe

Gameover was installed in %APPDATA%\Yblaa\duoju.exe

MD5: a898d910ac17e2dc00333a410daeaa68
Size: 347,744 bytes
Timestamp: 2010:10:28 19:52:20+02:00

This Gameover Zeus variant posts to a dropzone at 190.200.120.150:17663. Webinjects were downloaded from 210.4.72.124:13525. The Gameover variant had a botid of "mf222a20" and a cid of "5555".

Again, as noted in the past few days, the Pony Downloader and Gameover Zeus samples both shared the same properties:

Signature: Digitally signed by 'wU5sF34khy4k0DMt30RspNOOm'
Certificate Validity: 04/20/2012 to 01/01/2040
Company Name: Microsoft Corporation
File Description: Windows Disk Diagnostic User Resolver
File Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Internal Name: DFDWiz.exe
Legal Copyright: © Microsoft Corporation. All rights reserved.
Original Filename: DFDWiz.exe
Product Name: Microsoft® Windows® Operating System
Product Version: 6.1.7600.16385
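The indicators above (the redirect and payload URLs, the Pony and Gameover dropzones, and the version-resource strings of the signed binaries) are most useful once turned into a check that can be run over logs and file metadata. The script below is an added example written for this post, not code from the original analysis: it refangs the published "hxxp" indicators, classifies URLs from a proxy log (the log lines are constructed here in a simplified "timestamp client method url status" format, which is an assumption), and flags a binary whose Authenticode signer name does not agree with the CompanyName it claims, or whose certificate validity period is implausibly long. The metadata dictionaries are constructed from the properties listed in the post; in practice they would be filled from a PE parser or signature tool.

```python
import re
from datetime import datetime
from urllib.parse import urlsplit

# Indicators copied from the write-up above, kept defanged as published.
IOC_URLS = [
    "hxxp://cayambeturismo.gob.ec/zHyxgRft/index.html",
    "hxxp://doctors.eyes.org/a6qYbbvX/index.html",
    "hxxp://85.25.189.174/showthread.php?t=34c79594e8b8ac0f",
    "hxxp://85.25.189.174/q.php?f=2fcad&e=2",
    "hxxp://electrosa.com/8zvW2XE.exe",
    "hxxp://arteyciencia.es/AUq5p7Sm/4VLks.exe",
    "hxxp://poetesa.ro/0SbvQR5X/5op0.exe",
]
IOC_C2 = {
    "91.121.84.204",          # Pony dropzone (gate.php)
    "190.200.120.150:17663",  # Gameover Zeus dropzone
    "210.4.72.124:13525",     # Gameover Zeus webinject server
}


def refang(url):
    """Turn a defanged indicator (hxxp://, [.]) back into a real URL for matching."""
    return re.sub(r"^hxx(ps?)://", r"htt\1://", url).replace("[.]", ".")


# Derived lookup sets: exact host+path pairs, and bare hostnames for looser matches.
IOC_PATHS = {(urlsplit(refang(u)).hostname, urlsplit(refang(u)).path) for u in IOC_URLS}
IOC_HOSTS = {h for h, _ in IOC_PATHS} | {c2.split(":")[0] for c2 in IOC_C2}


def classify(url):
    """Return 'url', 'c2', 'host' or None, from most to least specific match."""
    p = urlsplit(url)
    if p.hostname is None:
        return None
    if (p.hostname, p.path) in IOC_PATHS:
        return "url"
    if p.netloc in IOC_C2:          # netloc keeps a non-default :port
        return "c2"
    if p.hostname in IOC_HOSTS:     # same host, different path: worth a look
        return "host"
    return None


def scan_proxy_log(lines):
    """Yield (client, url, match_kind) for every log line that touches an indicator."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue                # malformed or truncated line, skip it
        _ts, client, _method, url = parts[:4]
        kind = classify(url)
        if kind:
            hits.append((client, url, kind))
    return hits


def signer_mismatch(meta, max_years=10):
    """Reasons a signed binary looks forged: signer vs. CompanyName, on-disk name, cert lifetime."""
    reasons = []
    signer, company = meta.get("signer", ""), meta.get("CompanyName", "")
    if signer and company and company.split()[0].lower() not in signer.lower():
        reasons.append("signer/company mismatch")
    if meta.get("OriginalFilename") and meta.get("filename"):
        if meta["OriginalFilename"].lower() != meta["filename"].lower():
            reasons.append("on-disk name differs from OriginalFilename")
    if meta.get("not_before") and meta.get("not_after"):
        fmt = "%m/%d/%Y"
        span = datetime.strptime(meta["not_after"], fmt) - datetime.strptime(meta["not_before"], fmt)
        if span.days > 365 * max_years:
            reasons.append("certificate validity longer than %d years" % max_years)
    return reasons


# Constructed sample proxy log (not real traffic); one line per stage of the chain.
SAMPLE_LOG = [
    "2013-02-11T10:01:02 10.0.0.5 GET http://cayambeturismo.gob.ec/zHyxgRft/index.html 200",
    "2013-02-11T10:01:05 10.0.0.5 GET http://85.25.189.174/showthread.php?t=34c79594e8b8ac0f 200",
    "2013-02-11T10:01:09 10.0.0.5 POST http://91.121.84.204/pony/gate.php 200",
    "2013-02-11T10:01:20 10.0.0.5 POST http://190.200.120.150:17663/ 200",
    "2013-02-11T10:02:00 10.0.0.7 GET http://example.com/index.html 200",
    "2013-02-11T10:02:30 10.0.0.5 GET http://electrosa.com/other.exe 404",
]

# Metadata constructed from the properties listed in the post (duoju.exe) and a genuine-looking control.
SUSPECT_META = {"filename": "duoju.exe", "signer": "wU5sF34khy4k0DMt30RspNOOm",
                "CompanyName": "Microsoft Corporation", "OriginalFilename": "DFDWiz.exe",
                "not_before": "04/20/2012", "not_after": "01/01/2040"}
GENUINE_META = {"filename": "DFDWiz.exe", "signer": "Microsoft Corporation",
                "CompanyName": "Microsoft Corporation", "OriginalFilename": "DFDWiz.exe",
                "not_before": "04/20/2012", "not_after": "04/20/2014"}

if __name__ == "__main__":
    for client, url, kind in scan_proxy_log(SAMPLE_LOG):
        print("%-9s %-4s %s" % (client, kind, url))
    print("duoju.exe:", signer_mismatch(SUSPECT_META) or "no findings")
```

The three match levels matter operationally: an exact URL hit or a connection to a dropzone host:port is a confident alert, while a bare hostname hit (the compromised legitimate sites hosting the payloads) only says the host is worth reviewing. The signer check is the general form of the mismatch the post records: a certificate issued to a random string while the version resource claims Microsoft, with a validity running to 2040, is a combination a genuine Microsoft binary never shows.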
