Link from where I started:
And that link redirected me here:
h00p://xfecajsmipichbex[dot]in/s5c1fN0XuiI0WhDF0sxHb0Xavz0a4mO0bg7N0NyYL/vSdOqASe.jar
Error 402 Payment Required.

Request URL: h00p://xfecajsmipichbex[dot]in/s5c1fN0XuiI0WhDF0sxHb0Xavz0a4mO0bg7N0NyYL/vSdOqASe.jar
Request Method: GET
Status Code: 402 Payment Required

Response headers:
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Length: 0
Content-Type: text/html; charset=utf-8
Date: Mon, 08 Apr 2013 13:16:25 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Server: nginx/0.7.64
X-Powered-By: ASP.NET version 4
X-Powered-By: HPHP

Suspicious, isn't it? A .jar answered with an HTML content type and an empty body, by an nginx server that claims to be powered by both ASP.NET and HPHP at the same time.
So I moved up to the directory the jar was being served from:
h00p://xfecajsmipichbex[dot]in/s5c1fN0XuiI0WhDF0sxHb0Xavz0a4mO0bg7N0NyYL
which just returned a blank page.
Response headers for h00p://xfecajsmipichbex[dot]in/s5c1fN0XuiI0WhDF0sxHb0Xavz0a4mO0bg7N0NyYL/pdfx.html:
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Length: 817
Content-Type: text/html;charset=utf-8
Date: Mon, 08 Apr 2013 15:49:50 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Server: nginx/0.7.64
X-Mode: HTML
X-Powered-By: ASP.NET version 4
X-Powered-By: HPHP

Response headers for h00p://xfecajsmipichbex[dot]in/s5c1fN0XuiI0WhDF0sxHb0Xavz0a4mO0bg7N0NyYL/zmiohek.html:
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Encoding: gzip
Content-Length: 1676
Content-Type: text/html;charset=utf-8
Date: Mon, 08 Apr 2013 15:49:51 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Server: nginx/0.7.64
X-Mode: HTML
X-Powered-By: ASP.NET version 4
X-Powered-By: HPHP
Looking at the page's source, I found a variable holding another URL on the same host, this time pointing to an .exe:

<script>
var icEVKt; var Owsfe;
CvkiFV='RHaLS';
if (CvkiFV=='Yiwvd') vPUR='CnYEdy';
var XXwVKa="h00p://xfecajsmipichbex[dot]in/dkCSD30yLXI0ANWV0N3ab0JYAK0i1gr0xpz10m3aM0kkMd0odNL0RERP17ZDG16mRL0N8KM0XG9d0S0XG0GzNV05JZ10HrMA02rUm0AUgY0kQdn11pUL0qQQt0DZQ012fm611kpG0FebV0oNUn08f3o0gxYY0MaW413LKv03FP40Er9118am10Jld80lyyk11HiD0gmv2/TL7vbliVHL.exe?IUABFhcBXOgtL0ce=m&h=32";
</script>
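The landing page hides the next hop in a plain JavaScript string variable, so pulling it out is just a matter of matching string literals that look like URLs. The following is an added example written for this edit, not code from the original post: it scans a constructed copy of the script above for var assignments whose value is a (defanged) URL, refangs it for parsing, returns host, path, filename and query parameters, and defangs it again in the same h00p/[dot] style the post uses so the result can be shared safely. The regexes and the h00p/hxxp/[dot]/[.] spellings it accepts are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample: a copy of the landing-page script quoted above, kept
# defanged (h00p scheme, [dot] in the host) exactly as the post shows it.
LANDING_SCRIPT = """<script> var icEVKt; var Owsfe;CvkiFV='RHaLS';if (CvkiFV=='Yiwvd') vPUR='CnYEdy'; var XXwVKa="h00p://xfecajsmipichbex[dot]in/dkCSD30yLXI0ANWV0N3ab0JYAK0i1gr0xpz10m3aM0kkMd0odNL0RERP17ZDG16mRL0N8KM0XG9d0S0XG0GzNV05JZ10HrMA02rUm0AUgY0kQdn11pUL0qQQt0DZQ012fm611kpG0FebV0oNUn08f3o0gxYY0MaW413LKv03FP40Er9118am10Jld80lyyk11HiD0gmv2/TL7vbliVHL.exe?IUABFhcBXOgtL0ce=m&h=32"; </script>"""

# 'var NAME = "..."' or "var NAME = '...'" (assumed JS shape; not a full parser)
JS_STRING_VAR_RE = re.compile(r"var\s+(\w+)\s*=\s*([\"'])(.*?)\2", re.S)
# http(s) plus the usual defanged spellings h00p / hxxp (assumed conventions)
SCHEME_RE = re.compile(r"^h(?:tt|00|xx)p(s?)://", re.I)


def refang(url):
    """Turn a defanged URL (h00p://, hxxp://, [dot], [.]) back into a real one."""
    url = SCHEME_RE.sub(lambda m: "http" + m.group(1).lower() + "://", url)
    return url.replace("[dot]", ".").replace("[.]", ".")


def defang(url):
    """Defang the way the post does: h00p scheme and [dot] in the host only."""
    parts = urlsplit(url)
    prefix = len(parts.scheme) + 3 + len(parts.netloc)  # length of 'scheme://host'
    scheme = "h00ps" if parts.scheme.lower() == "https" else "h00p"
    return scheme + "://" + parts.netloc.replace(".", "[dot]") + url[prefix:]


def extract_download_urls(script_text):
    """Return every JS string variable whose value looks like a (defanged) URL."""
    found = []
    for name, _quote, value in JS_STRING_VAR_RE.findall(script_text):
        if not SCHEME_RE.match(value):
            continue
        real = refang(value)
        p = urlsplit(real)
        found.append({
            "var": name,
            "url": real,                  # refanged, for tooling
            "defanged": defang(real),     # for writing up / sharing
            "host": p.hostname,
            "path": p.path,
            "filename": p.path.rsplit("/", 1)[-1],
            "query": {k: v[0] for k, v in parse_qs(p.query).items()},
        })
    return found


if __name__ == "__main__":
    for hit in extract_download_urls(LANDING_SCRIPT):
        print(f"{hit['var']}: {hit['filename']} on {hit['host']} query={hit['query']}")
        print("  share as:", hit["defanged"])
```

Run it on any saved landing page; the refanged "url" field is what you feed to wget or a sandbox, and "defanged" is what goes into the write-up.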
Now fetch it with wget (quote the URL, otherwise the shell treats the & in the query string as a command separator):

wget --save-headers -d 'h00p://xfecajsmipichbex[dot]in/dkCSD30yLXI0ANWV0N3ab0JYAK0i1gr0xpz10m3aM0kkMd0odNL0RERP17ZDG16mRL0N8KM0XG9d0S0XG0GzNV05JZ10HrMA02rUm0AUgY0kQdn11pUL0qQQt0DZQ012fm611kpG0FebV0oNUn08f3o0gxYY0MaW413LKv03FP40Er9118am10Jld80lyyk11HiD0gmv2/TL7vbliVHL.exe?IUABFhcBXOgtL0ce=m&h=32'

-d turns on debug output (the full request and response exchange, printed to stderr) and --save-headers stores the response headers in the saved file ahead of the body.

Or simply paste it into your browser to download the exe 😉 (from an isolated analysis machine, of course).
Here is the VirusTotal analysis report for the file: 8/45 detections.
Anubis report for the exe:
http://anubis.iseclab.org/?action=result&task_id=1956ca7159064b544fd05dd3c6c72cd5e&format=pdf
Dig report:
dig XFECAJSMIPICHBEX.IN ANY

; <<>> DiG 9.8.3-P1 <<>> XFECAJSMIPICHBEX.IN ANY
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5853
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;XFECAJSMIPICHBEX.IN.          IN      ANY

;; ANSWER SECTION:
XFECAJSMIPICHBEX.IN.    28800   IN      A       192.210.150.43
XFECAJSMIPICHBEX.IN.    7200    IN      SOA     erdomain.mercury.orderbox-dns.com. founderapi.email.com. 2013040403 7200 7200 172800 38400
XFECAJSMIPICHBEX.IN.    38400   IN      NS      erdomain.mars.orderbox-dns.com.
XFECAJSMIPICHBEX.IN.    38400   IN      NS      erdomain.venus.orderbox-dns.com.
XFECAJSMIPICHBEX.IN.    38400   IN      NS      erdomain.mercury.orderbox-dns.com.
XFECAJSMIPICHBEX.IN.    38400   IN      NS      erdomain.earth.orderbox-dns.com.

;; Query time: 401 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Tue Apr 9 11:42:38 2013
;; MSG SIZE  rcvd: 239
whois xfecajsmipichbex.in

Domain ID: D7196301-AFIN
Domain Name: XFECAJSMIPICHBEX.IN
Created On: 04-Apr-2013 21:46:01 UTC
Last Updated On: 04-Apr-2013 21:46:03 UTC
Expiration Date: 04-Apr-2014 21:46:01 UTC
Sponsoring Registrar: Webiq Domains Solutions Pvt. Ltd. (R131-AFIN)
Status: CLIENT TRANSFER PROHIBITED
Status: TRANSFER PROHIBITED
Status: ADDPERIOD
Registrant ID: WIQ_27213783
Registrant Name: founder api
Registrant Organization: N/A
Registrant Street1: foundap 4
Registrant City: new york
Registrant State/Province: New York
Registrant Postal Code: 10006
Registrant Country: US
Registrant Phone: +1.5274563219
Registrant Email: founderapi@email.com
VirusTotal report for the domains hosted on the same IP:
https://www.virustotal.com/en/ip-address/192.210.150.43/information/
If you check the WHOIS record of every one of those domains, you will find the same registrant details, such as the phone number.
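To turn the dig and whois output above into pivot indicators, here is an added example (not code from the original post) that parses constructed copies of the two listings, pulls out the A record, the name servers and the registrant contact, converts the SOA RNAME (founderapi.email.com.) into mailbox form to compare it with the WHOIS e-mail, and computes how old the domain was when it was first seen, using the Date header of the 402 response (Mon, 08 Apr 2013 13:16:25 GMT) as the first-seen time. The 30-day "young domain" threshold is an arbitrary assumption.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed copies of the dig and whois listings quoted above (trimmed to
# the parts this script reads).
DIG_OUTPUT = """\
;; ANSWER SECTION:
XFECAJSMIPICHBEX.IN.    28800   IN      A       192.210.150.43
XFECAJSMIPICHBEX.IN.    7200    IN      SOA     erdomain.mercury.orderbox-dns.com. founderapi.email.com. 2013040403 7200 7200 172800 38400
XFECAJSMIPICHBEX.IN.    38400   IN      NS      erdomain.mars.orderbox-dns.com.
XFECAJSMIPICHBEX.IN.    38400   IN      NS      erdomain.venus.orderbox-dns.com.
XFECAJSMIPICHBEX.IN.    38400   IN      NS      erdomain.mercury.orderbox-dns.com.
XFECAJSMIPICHBEX.IN.    38400   IN      NS      erdomain.earth.orderbox-dns.com.

;; Query time: 401 msec
"""

WHOIS_OUTPUT = """\
Domain Name: XFECAJSMIPICHBEX.IN
Created On: 04-Apr-2013 21:46:01 UTC
Expiration Date: 04-Apr-2014 21:46:01 UTC
Sponsoring Registrar: Webiq Domains Solutions Pvt. Ltd. (R131-AFIN)
Registrant Name: founder api
Registrant Phone: +1.5274563219
Registrant Email: founderapi@email.com
"""

# Date header of the first response in the chain (the 402 for the .jar).
FIRST_SEEN = parsedate_to_datetime("Mon, 08 Apr 2013 13:16:25 GMT")


def parse_dig_answers(text):
    """Return (name, type, rdata) for each record in the ANSWER SECTION."""
    records, in_answer = [], False
    for line in text.splitlines():
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
            continue
        if in_answer:
            if not line.strip():
                break
            name, _ttl, _cls, rtype, rdata = line.split(None, 4)
            records.append((name.rstrip(".").lower(), rtype, rdata))
    return records


def parse_whois(text):
    """'Key: Value' lines into a dict (first occurrence of a key wins)."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields.setdefault(key.strip(), value.strip())
    return fields


def soa_rname_to_email(rname):
    """SOA RNAME 'founderapi.email.com.' -> 'founderapi@email.com'."""
    local, _, domain = rname.rstrip(".").partition(".")
    return f"{local}@{domain}"


def pivot(dig_text, whois_text, first_seen, young_days=30):
    """Collect pivot indicators and flag what an analyst should notice."""
    records = parse_dig_answers(dig_text)
    who = parse_whois(whois_text)
    created = datetime.strptime(who["Created On"], "%d-%b-%Y %H:%M:%S UTC")
    age_days = (first_seen - created.replace(tzinfo=timezone.utc)).days
    soa_rdata = next(rdata for _, rtype, rdata in records if rtype == "SOA")
    ind = {
        "domain": records[0][0],
        "ips": sorted(rdata for _, rtype, rdata in records if rtype == "A"),
        "nameservers": sorted(rdata.rstrip(".") for _, rtype, rdata in records if rtype == "NS"),
        "registrant_email": who.get("Registrant Email", "").lower(),
        "registrant_phone": who.get("Registrant Phone", ""),
        "soa_contact": soa_rname_to_email(soa_rdata.split()[1]),
        "age_days_at_first_seen": age_days,
        "flags": [],
    }
    if age_days < young_days:
        ind["flags"].append(f"domain registered only {age_days} days before first sighting")
    if ind["soa_contact"] == ind["registrant_email"]:
        ind["flags"].append("SOA contact matches WHOIS registrant e-mail")
    return ind


if __name__ == "__main__":
    for key, value in pivot(DIG_OUTPUT, WHOIS_OUTPUT, FIRST_SEEN).items():
        print(f"{key}: {value}")
```

The e-mail, phone number and name servers are the values to search for across the other domains on 192.210.150.43; a registration only a few days old is the usual tell for throwaway exploit-kit hosting.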
Screenshot of h00p://192.210.150.43/
Screenshot from a geographical IP locator.
According to the Wepawet report (http://wepawet.iseclab.org/view.php?hash=453609c244e3925ce0fe662a71eba0a8&t=1365501256&type=js), the code references two PDFs, but I was able to download only one of them.
PDF downloaded: TLfeaOwS.pdf
Response headers for "h00p://xfecajsmipichbex[dot]in/s5c1fN0XuiI0WhDF0sxHb0Xavz0a4mO0bg7N0NyYL/TLfeaOwS.pdf":
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Encoding: gzip
Content-Length: 5531
Content-Type: text/html;charset=utf-8
Date: Tue, 09 Apr 2013 13:17:17 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Server: nginx/0.7.64
X-Mode: HTML
X-Powered-By: ASP.NET version 4
X-Powered-By: HPHP

Note that the server labels the response text/html (and X-Mode: HTML) even though what comes back starts with %PDF-1.6.

PDF data as shown in the browser (the object dictionaries appear empty, <>, in this capture):
%PDF-1.6
%<binary comment line>
18 0 obj <> endobj
6 0 obj <> endobj
22 0 obj <> endobj
8 0 obj <> stream
1.6511*pdf Piexnlaypa
endstream endobj
20 0 obj <> endobj
23 0 obj <> endobj
5 0 obj <> endobj
1 0 obj <> endobj
21 0 obj <> endobj
7 0 obj <> /XObject <<>>>> endobj
19 0 obj <> endobj
xref
0 24
trailer <>
startxref
802
%%EOF
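A wget --save-headers file is the raw status line and headers followed by a blank line and the body, which makes it easy to check what the server claims against what it actually sent. The following added example (not code from the original post) builds two constructed responses modelled on the ones above, the 402 for the .jar and the PDF served as text/html, and flags a non-200 status, a Content-Type that disagrees with the body's magic bytes, a Content-Length that does not match the body, and contradictory X-Powered-By headers. The Content-Encoding header is left out of the constructed PDF sample so the body can be shown uncompressed; the magic-byte table and the sample header sets are assumptions.

```python
import re

# First bytes of the file types that turn up in this chain (assumed table)
MAGIC = (
    (b"%PDF-", "application/pdf"),
    (b"MZ", "application/x-dosexec"),    # PE executable (.exe)
    (b"PK\x03\x04", "application/zip"),  # a .jar is a zip archive
    (b"\x1f\x8b", "application/gzip"),
)


def build_response(status_line, headers, body=b""):
    """Assemble bytes in the layout wget --save-headers writes (constructed)."""
    head = status_line + "\r\n" + "".join(f"{k}: {v}\r\n" for k, v in headers)
    return head.encode("latin-1") + b"\r\n" + body


# Constructed samples modelled on the responses quoted above.
JAR_RESPONSE = build_response("HTTP/1.1 402 Payment Required", [
    ("Cache-Control", "no-store, no-cache, must-revalidate, post-check=0, pre-check=0"),
    ("Content-Length", "0"),
    ("Content-Type", "text/html; charset=utf-8"),
    ("Date", "Mon, 08 Apr 2013 13:16:25 GMT"),
    ("Server", "nginx/0.7.64"),
    ("X-Powered-By", "ASP.NET version 4"),
    ("X-Powered-By", "HPHP"),
])

# Minimal PDF body (constructed); the real one was gzip-encoded on the wire.
PDF_BODY = b"%PDF-1.6\n%\xe2\xe3\xcf\xd3\n1 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF\n"
PDF_RESPONSE = build_response("HTTP/1.1 200 OK", [
    ("Content-Length", str(len(PDF_BODY))),
    ("Content-Type", "text/html;charset=utf-8"),
    ("Date", "Tue, 09 Apr 2013 13:17:17 GMT"),
    ("Server", "nginx/0.7.64"),
    ("X-Mode", "HTML"),
    ("X-Powered-By", "ASP.NET version 4"),
    ("X-Powered-By", "HPHP"),
], PDF_BODY)


def parse_saved_response(raw):
    """Split a --save-headers file into (status_code, headers, body).

    Header names are lower-cased and values kept in a list, because a
    header may repeat (X-Powered-By does, above).
    """
    head, body = re.split(rb"\r?\n\r?\n", raw, maxsplit=1)
    lines = head.decode("latin-1").splitlines()
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers, body


def sniff(body):
    """Guess the body's real type from its magic bytes, or None."""
    for magic, mime in MAGIC:
        if body.startswith(magic):
            return mime
    return None


def triage(raw):
    status, headers, body = parse_saved_response(raw)
    declared = headers.get("content-type", [""])[0].split(";")[0].strip().lower()
    sniffed = sniff(body)
    findings = []
    if status != 200:
        findings.append(f"status {status}: no payload served")
    if sniffed and sniffed != declared:
        findings.append(f"body is {sniffed} but Content-Type says {declared or '(none)'}")
    clen = headers.get("content-length")
    if clen and int(clen[0]) != len(body):
        findings.append(f"Content-Length {clen[0]} does not match body length {len(body)}")
    powered = headers.get("x-powered-by", [])
    if len(powered) > 1:
        findings.append("contradictory X-Powered-By: " + " / ".join(powered))
    return {"status": status, "declared": declared, "sniffed": sniffed,
            "body_length": len(body), "findings": findings}


if __name__ == "__main__":
    for label, raw in (("vSdOqASe.jar", JAR_RESPONSE), ("TLfeaOwS.pdf", PDF_RESPONSE)):
        result = triage(raw)
        print(label, result["status"], result["declared"], "->", result["sniffed"])
        for finding in result["findings"]:
            print("  !", finding)
```

Point it at a real --save-headers file by reading it in binary mode and passing the bytes to triage(); for a gzip-encoded response, decompress the body first or the sniffer will only ever report application/gzip.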
VirusTotal report for the PDF file, which confirms it as malicious.
Snapshot of all the files.
Every time you download the file, the server gives it a different random name.
#MalwareMustDie

Apr 28, 2013 @ 03:20:07
Hi, it’s me. I am also visiting this site regularly; this website is really good and the people are genuinely sharing good thoughts.
May 22, 2013 @ 08:19:13
Hi there! I could have sworn I’ve been to your blog before, but after browsing through a few of the posts I realized it’s new to me.
Anyhow, I’m certainly delighted I stumbled upon it, and I’ll be bookmarking it and checking back regularly!
Jul 11, 2013 @ 08:15:05
Awesome issues here. I am very glad to see your article.
Thanks so much, and I am looking forward to contacting you.
Will you kindly drop me an e-mail?
Jul 11, 2013 @ 13:48:56
Or you can ask here whatever you want 🙂