A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #11250  by CloneRanger
 Wed Jan 25, 2012 3:58 am
Hi, i wonder if you can explain this please.

Badware @ hxxp://www.claassen-eisbedarf.de

Allowed Scripting & Requests in FF.

Invokes FF Plugin Container which i allowed through my FW. Soon after i was notified that the Plugin Container had crashed. Avira alerted me to the Malware, but i allowed them to be DL'd after being prompted.

temp\wpbt0.dll found in Temporary Internet Files

Something automatically launched regsvr.32.exe ?

w.php?f=79&e=6 = hxxp://seriusmazaloa.com/w.php?f=79&e=6 = found in Temp file. When i copied it to my desktop it morphed into contacts[1].exe

hxxp://seriusmazaloa.com/w.php?f=79&e=6 is serving other Malware eg calc.exe

What i'm interested in, is how did w.php?f=79&e=6 morph into hxxp://seriusmazaloa.com/w.php?f=79&e=6 & then contacts[1].exe ?

TIA

PW = infected
Attachments
Temp int.gif
Temp int.gif (5.71 KiB) Viewed 713 times
Badware
(256.48 KiB) Downloaded 46 times
 #11268  by CloneRanger
 Wed Jan 25, 2012 8:27 pm
@ EP_X0FF

Hi, Thanks for the link :) I now see it was wpbt0.dll that automatically launched regsvr.32.exe after all ;)

I didn't find any info though as to how w.php?f=79&e=6 morphs into hxxp://seriusmazaloa.com/w.php?f=79&e=6 & then contacts[1].exe ?

Any info would be appreciated :)
 #11273  by EP_X0FF
 Thu Jan 26, 2012 2:20 am
CloneRanger wrote:@ EP_X0FF

Hi, Thanks for the link :) I now see it was wpbt0.dll that automatically launched regsvr.32.exe after all ;)

I didn't find any info though as to how w.php?f=79&e=6 morphs into hxxp://seriusmazaloa.com/w.php?f=79&e=6 & then contacts[1].exe ?

Any info would be appreciated :)
Blackhole executes java script when you visit it dropzone. This java script deobfuscates itself and executes another java script which is trying to launch exploits. In case of successful exploiting payload is dropped on target machine and it's launch executed. You probably don't know how Internet Explorer cache works if asking for
w.php?f=79&e=6 = hxxp://seriusmazaloa.com/w.php?f=79&e=6 = found in Temp file. When i copied it to my desktop it morphed into contacts[1].exe
Nothing is morhing.
w.php?f=79&e=6 = hxxp://seriusmazaloa.com/w.php?f=79&e=6
This is address of Blackhole payload, in cache it contains only half of full name -> w.php?f=79&e=6, why? I don't know ask Explorer developers. When you popup properties with Explorer it will display full URI address -> hxxp://seriusmazaloa.com/w.php?f=79&e=6. Once this cache item copied elsewhere outside it will be automatically renamed to it actual name as Blackhole script told -> contacts[1].exe (probably contacts.exe already exists in cache).
 #11288  by CloneRanger
 Thu Jan 26, 2012 11:59 am
@ EP_X0FF
You probably don't know how Internet Explorer cache works if asking for
Funny thing though, i was using FF !
Nothing is morhing.


OK, it just appeared that way to me.
in cache it contains only half of full name -> w.php?f=79&e=6, why? I don't know
Yeah, wierd. I wonder if the've discovered a new trick to try & hide the www ?
Once this cache item copied elsewhere outside it will be automatically renamed to it actual name as Blackhole script
Interesting, live & learn ;)

Thanks for the details etc :)
 #11293  by EP_X0FF
 Thu Jan 26, 2012 12:56 pm
I'm not familiar with modern firefox, because I stopped using it few years ago.

What I want to say is that weird naming on the picture you have attached - is only a way how windows shell (Explorer) shows contents of Temporary Internet Files.

You can see yourself - go to Temporary Internet Files. Every file will be displayed in such manner.