Fwd: Scan from a Hewlett-Packard ScanJet #468974

We analyzed the following malicious URLs, which are used in the HP Scan spam campaign:

hxxp://eksitonas.lt/KzHz5BzZ/index.html
hxxp://casagustosa.gr/zo799HVs/index.html

The malicious page contained three JavaScript includes, shown below:

hxxp://yasonrafilm.com/ZAsUDjH1/js.js
hxxp://lsdkft.hu/bC1BxCbJ/js.js
hxxp://www.aafaq.ca/sxuvf5jV/js.js

These scripts eventually redirect the victim to a Blackhole exploit kit at hxxp://208.117.43.8/showthread.php?t=34c79594e8b8ac0f

The Blackhole kit first drops Pony from the following location:

hxxp://208.117.43.8/q.php?f=2fcad&e=2
File: about.exe
MD5: 9b196853650fcb8ac182be05b627f07c
Size: 110,688 bytes

The Pony downloader posts to its dropzone at 91.121.84.204/pony/gate.php. It was also configured to download four identical Gameover Zeus payloads from the following locations:

1. hxxp://power-tec.sk/D8aoPu86/XPVqAGE.exe
2. hxxp://synergieassurance.com/AnJVfWxx/aFa.exe
3. hxxp://20272.w72.wedos.net/w7y74z3H/Hzt.exe
4. hxxp://electrosa.com/8zvW2XE.exe

Gameover was installed as %APPDATA%\Ociw\ilji.exe

MD5: 80bd579d484ac4742b75952fb1a2d694
Size: 274,016 bytes
Timestamp: 2010:11:03 04:51:09+01:00
Signature: This file is digitally signed by 'tNzquyHloA4n3FFctsvudWw7x'
Certificate Validity: 04/24/2012 to 01/01/2040

This Gameover Zeus variant posts to a dropzone at 86.35.218.231:17554. Webinjects were downloaded from 189.78.203.103:29161. The Gameover variant had a botid of "MF222a24" and a cid of "3005".
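As an added example (not part of the original post), the following Python script turns the indicators listed above into a small detection pass over proxy log lines, labelling each hit with the stage of the infection chain it corresponds to and matching the two MD5 hashes. The log lines, the log format, and the function names are constructed for the demonstration; the hosts, IPs, paths and hashes are the ones from the analysis above, and no network request is made.

```python
"""Match the indicators from this write-up against proxy log lines.

Added example, not code from the original post. The sample log lines are
constructed; the hosts, IPs and hashes come from the analysis above.
"""
import re
from urllib.parse import urlsplit

# Indicator hosts and IPs from the write-up (the URLs are used only as
# strings; nothing here connects to them).
IOC_HOSTS = {
    "eksitonas.lt", "casagustosa.gr",                # spam landing pages
    "yasonrafilm.com", "lsdkft.hu", "www.aafaq.ca",  # redirector js.js hosts
    "208.117.43.8",                                  # Blackhole exploit kit
    "91.121.84.204",                                 # Pony gate.php dropzone
    "power-tec.sk", "synergieassurance.com",         # Gameover Zeus payloads
    "20272.w72.wedos.net", "electrosa.com",
    "86.35.218.231", "189.78.203.103",               # Gameover dropzone / webinjects
}

# File hashes from the write-up, keyed by lowercase MD5.
IOC_MD5 = {
    "9b196853650fcb8ac182be05b627f07c": "Pony (about.exe)",
    "80bd579d484ac4742b75952fb1a2d694": "Gameover Zeus (ilji.exe)",
}

# Path hints that identify the stage of the chain a request belongs to.
STAGE_HINTS = [
    (re.compile(r"/showthread\.php\?t="), "Blackhole landing"),
    (re.compile(r"/q\.php\?f="), "Blackhole payload download"),
    (re.compile(r"/pony/gate\.php"), "Pony dropzone POST"),
    (re.compile(r"/js\.js$"), "redirector script"),
    (re.compile(r"\.exe$"), "executable download"),
]

def refang(url):
    """Turn a defanged hxxp:// or hxxps:// scheme back into http(s) for parsing."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.I)

def classify_url(url):
    """Return a stage label if the URL's host is an indicator, else None."""
    parts = urlsplit(refang(url))
    host = parts.hostname or ""
    if host not in IOC_HOSTS:
        return None
    tail = parts.path + ("?" + parts.query if parts.query else "")
    for pattern, label in STAGE_HINTS:
        if pattern.search(tail):
            return label
    return "known bad host"

# Constructed proxy log format (assumption): "<ts> <client> <method> <url> <status>"
LOG_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\d{3})$")

def scan_proxy_log(lines):
    """Return (client, url, label) for every log line touching an indicator host."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        _ts, client, _method, url, _status = m.groups()
        label = classify_url(url)
        if label:
            hits.append((client, url, label))
    return hits

def check_hashes(md5s):
    """Map any of the given MD5s (case-insensitive) to the family from the write-up."""
    return {h.lower(): IOC_MD5[h.lower()] for h in md5s if h.lower() in IOC_MD5}

# Constructed sample log: one client walks the chain, another is benign.
SAMPLE_LOG = [
    "2012-06-01T10:02:11Z 10.0.0.15 GET http://eksitonas.lt/KzHz5BzZ/index.html 200",
    "2012-06-01T10:02:12Z 10.0.0.15 GET http://yasonrafilm.com/ZAsUDjH1/js.js 200",
    "2012-06-01T10:02:14Z 10.0.0.15 GET http://208.117.43.8/showthread.php?t=34c79594e8b8ac0f 200",
    "2012-06-01T10:02:20Z 10.0.0.15 GET http://208.117.43.8/q.php?f=2fcad&e=2 200",
    "2012-06-01T10:02:25Z 10.0.0.15 POST http://91.121.84.204/pony/gate.php 200",
    "2012-06-01T10:02:30Z 10.0.0.15 GET http://power-tec.sk/D8aoPu86/XPVqAGE.exe 200",
    "2012-06-01T10:03:00Z 10.0.0.22 GET http://example.com/index.html 200",
]

if __name__ == "__main__":
    for client, url, label in scan_proxy_log(SAMPLE_LOG):
        print(f"{client}  {label:28s}  {url}")
    print(check_hashes(["9B196853650FCB8AC182BE05B627F07C"]))
```

Because the stage labels follow the order of the chain described above (landing page, js.js redirector, Blackhole landing, payload download, Pony gate, Gameover payload), seeing several of them from one client within a short window is a stronger signal than any single hit; a real deployment would group the hits per client and time window rather than print them line by line.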
