ACH Transfer Rejected

We analyzed the following malicious URL, which was used in ACH spam on April 25, 2012:

hxxp://ft000267.ferozo.com/HbusWmxz/index.html

ACH Transfer rejected

This malicious page contained four external JavaScript includes, as shown below:

<script type="text/javascript" src="hxxp://crowclub.ca/nRDnUrDq/js.js"></script>
<script type="text/javascript" src="hxxp://zadar.hr/aAyhw3ey/js.js"></script>
<script type="text/javascript" src="hxxp://giupban24h.com/v3NcYEV4/js.js"></script>
<script type="text/javascript" src="hxxp://pacilg.org/RaQhf32L/js.js"></script>

These malicious scripts eventually redirect the victim to a Blackhole exploit kit at hxxp://216.119.142.235/showthread.php?t=34c79594e8b8ac0f
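The four includes above share one shape: a third-party host, an eight-character directory, and a file named js.js. The following added example (not code from the original post) parses a captured landing page, lists every script include served from a host other than the page's own, and flags the ones matching that path shape. SAMPLE_HTML is a constructed reconstruction of the page containing the four quoted includes (kept defanged as hxxp://) plus one same-origin script for contrast; PAGE_HOST is the landing-page host named in the post.

```python
"""Flag third-party <script src> includes in a captured landing page.

Added example, not code from the original post. SAMPLE_HTML is a constructed
reconstruction containing the four includes the post quotes (kept defanged as
hxxp://) plus one same-origin script for contrast.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: the four includes from the post, plus a local script.
SAMPLE_HTML = """
<html><head><title>ACH Transfer rejected</title></head><body>
<script type="text/javascript" src="hxxp://crowclub.ca/nRDnUrDq/js.js"></script>
<script type="text/javascript" src="hxxp://zadar.hr/aAyhw3ey/js.js"></script>
<script type="text/javascript" src="hxxp://giupban24h.com/v3NcYEV4/js.js"></script>
<script type="text/javascript" src="hxxp://pacilg.org/RaQhf32L/js.js"></script>
<script src="/local/app.js"></script>
</body></html>
"""

PAGE_HOST = "ft000267.ferozo.com"  # host of the landing page named in the post

# Shape shared by all four includes in the post: /<8 alphanumerics>/js.js
CAMPAIGN_PATH = re.compile(r"^/[A-Za-z0-9]{8}/js\.js$")


class ScriptSrcCollector(HTMLParser):
    """Collect every src attribute found on a <script> start tag."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        for name, value in attrs:
            if name.lower() == "src" and value:
                self.sources.append(value.strip())


def external_scripts(html, page_host):
    """Return (src, host, campaign_like) for script includes not served from page_host.

    urlparse only needs the '//' after the scheme to split out the host, so the
    defanged hxxp:// form parses without being re-armed.
    """
    collector = ScriptSrcCollector()
    collector.feed(html)
    findings = []
    for src in collector.sources:
        parsed = urlparse(src)
        host = (parsed.hostname or "").lower()
        if not host or host == page_host.lower():
            continue  # relative or same-origin include: not a third-party load
        findings.append((src, host, bool(CAMPAIGN_PATH.match(parsed.path))))
    return findings


if __name__ == "__main__":
    for src, host, campaign_like in external_scripts(SAMPLE_HTML, PAGE_HOST):
        flag = "campaign-pattern" if campaign_like else "third-party"
        print(f"{flag:16} {host:16} {src}")
```

Running the script prints one line per third-party include with the flag, the host and the defanged URL; the same-origin /local/app.js is skipped. The path pattern is only what these four samples have in common and is meant as a triage hint, not as a general rule for every compromised-site include.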

The Blackhole kit first drops Pony from the following location:

hxxp://216.119.142.235/q.php?f=2fcad&e=2
File: contacts.exe
MD5: 242e28a23fbea9dc1e1939eea326a0d2
Size: 110,176 bytes

The Pony downloader posts to its dropzone at 91.121.84.204/pony/gate.php. It was also configured to download two identical Gameover Zeus payloads from the following locations:

1. hxxp://power-tec.sk/D8aoPu86/XPVqAGE.exe
2. hxxp://valuemerge.com/aXS0mRNT/KXj.exe

Gameover was installed in %APPDATA%\Ucnye\azufyv.exe

MD5: 647c62cd30f6fb4ea00e8829359b0a82
Size: 274,016 bytes
Timestamp: 2010:11:03 14:49:13+01:00
Signature: This file is digitally signed by 'tNzquyHloA4n3FFctsvudWw7x'
Certificate Validity: 04/24/2012 to 01/01/2040

This Gameover Zeus variant posts to a dropzone at 89.44.245.126:17711. Webinjects were downloaded from 64.60.155.138:21835. The Gameover variant had a botid of "mf222a25" and a cid of "3005".
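The infection chain above leaves a handful of network indicators: the landing page host, the Blackhole and Pony download server, the Pony gate, and the two Gameover Zeus servers with their non-standard ports. The following added example (not code from the original post) turns those indicators into a small matcher and runs it over constructed proxy and firewall log lines. All indicator values (hosts, ports, URL paths, MD5s) are taken from the post; the key=value log format and every sample line are constructed for illustration, as is the split between "proxy" records carrying a URL and "fw" records carrying only a destination and port.

```python
"""Match the network and file indicators listed in the post against log lines.

Added example, not code from the original post. Indicator values are taken
from the post; the log format and every sample line are constructed.
"""
import re
from collections import namedtuple
from urllib.parse import urlparse

# host -> (expected port, or None where the post gives no port; known paths; label)
IOCS = {
    "ft000267.ferozo.com": (None, {"/HbusWmxz/index.html"}, "ACH spam landing page"),
    "216.119.142.235": (None, {"/showthread.php", "/q.php"}, "Blackhole exploit kit / Pony download"),
    "91.121.84.204": (None, {"/pony/gate.php"}, "Pony dropzone"),
    "89.44.245.126": (17711, set(), "Gameover Zeus dropzone"),
    "64.60.155.138": (21835, set(), "Gameover Zeus webinject server"),
}

# MD5s of the two dropped files named in the post.
IOC_MD5 = {
    "242e28a23fbea9dc1e1939eea326a0d2": "contacts.exe (Pony downloader)",
    "647c62cd30f6fb4ea00e8829359b0a82": "azufyv.exe (Gameover Zeus)",
}

Hit = namedtuple("Hit", "ts src host port path known_path label")

# Constructed log lines in an assumed key=value format.
SAMPLE_LOGS = [
    "2012-04-25T10:01:02Z proxy src=10.0.0.7 method=GET url=http://ft000267.ferozo.com/HbusWmxz/index.html status=200",
    "2012-04-25T10:01:03Z proxy src=10.0.0.7 method=GET url=http://216.119.142.235/showthread.php?t=34c79594e8b8ac0f status=200",
    "2012-04-25T10:01:05Z proxy src=10.0.0.7 method=GET url=http://216.119.142.235/q.php?f=2fcad&e=2 status=200",
    "2012-04-25T10:01:09Z proxy src=10.0.0.7 method=POST url=http://91.121.84.204/pony/gate.php status=200",
    "2012-04-25T10:02:30Z fw src=10.0.0.7 dst=89.44.245.126 dport=17711 proto=tcp action=allow",
    "2012-04-25T10:02:31Z fw src=10.0.0.7 dst=64.60.155.138 dport=21835 proto=tcp action=allow",
    "2012-04-25T10:03:00Z fw src=10.0.0.9 dst=8.8.8.8 dport=53 proto=udp action=allow",
]

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<kind>proxy|fw) (?P<rest>.*)$")


def parse_fields(rest):
    """Split 'k=v k=v ...' into a dict; values keep any '=' after the first."""
    return dict(token.split("=", 1) for token in rest.split() if "=" in token)


def classify(line):
    """Return a Hit when the line touches a listed host (and port, if the post gives one)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    f = parse_fields(m["rest"])
    if m["kind"] == "proxy":
        u = urlparse(f["url"])
        host, port, path = (u.hostname or "").lower(), u.port or 80, u.path
    else:
        host, port, path = f["dst"].lower(), int(f["dport"]), None
    ioc = IOCS.get(host)
    if ioc is None:
        return None
    want_port, known_paths, label = ioc
    if want_port is not None and port != want_port:
        return None  # right host but not the port the post reports
    return Hit(m["ts"], f["src"], host, port, path, path in known_paths, label)


def scan(lines):
    """All hits, in log order, so an analyst can read the chain back per source host."""
    return [h for h in map(classify, lines) if h is not None]


def hash_label(md5_hex):
    """Label for a dropped-file MD5 from the post, or None."""
    return IOC_MD5.get(md5_hex.lower())


if __name__ == "__main__":
    for h in scan(SAMPLE_LOGS):
        print(h.ts, h.src, "->", f"{h.host}:{h.port}", h.path or "", "|", h.label)
```

Read in order, the hits for 10.0.0.7 reproduce the chain the post describes: landing page, exploit kit, Pony download, Pony check-in, then the two Gameover Zeus connections on their unusual ports. Matching on the Gameover ports as well as the addresses keeps a shared-hosting address from firing on unrelated traffic, while the two HTTP servers are matched on host alone since the post gives no port for them.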


3 Comments

  1. Posted April 26, 2012 at 6:32 pm | Permalink | Reply

    Why can't I see your post?

  2. Posted December 6, 2012 at 6:58 pm | Permalink | Reply

    First of all, thank you for your article. We think articles like this are informative in nature. Thanks again.

  3. Posted February 5, 2013 at 4:03 am | Permalink | Reply

    My brother recommended I may like this website. He was once entirely right.
    This post truly made my day. You can't imagine simply how much time I had spent looking for this info! Thanks!
