New Malicious Iframe Code, Trojan.Java.Downloader and VBScript
Honeypots have reported another case of malicious iframe code that is generally added after the closing </html> tag, at the end of the web page, as you can see from the image below:
We have also noted another website that redirects users to a fake porn video streaming website whose main objective is to install a VBScript (using a Java applet downloader) on the user's system and use cmd.exe to download and execute a keylogger:
hxxp:// habbo-sluts-exposed .tk
The URL uses iframe code to redirect users to another website:
Extracted malicious URL:
hxxp:// b0ss.getenjoyment .net/two/
And now, there is another redirect:
<meta http-equiv="refresh" content="5;url=index2.html" />
The user is now redirected to:
hxxp:// b0ss.getenjoyment .net/two/index2.html
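As an added example (not code from the original post), the following Python check flags the two redirect techniques described above in saved page source: an iframe placed after the closing </html> tag, and a meta-refresh redirect, whose relative target is resolved against the page URL. The sample pages and the landing.example / redirector.example hosts are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin


class RedirectAudit(HTMLParser):
    """Collect iframe sources and meta-refresh targets from one HTML page."""

    def __init__(self, base_url):
        super().__init__(convert_charrefs=True)
        self.base_url = base_url
        self.after_html_close = False  # becomes True once </html> was seen
        self.findings = []             # list of (kind, absolute target URL)

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "iframe" and a.get("src"):
            # An iframe after </html> is outside the document the author wrote.
            kind = "iframe-after-html" if self.after_html_close else "iframe"
            self.findings.append((kind, urljoin(self.base_url, a["src"].strip())))
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            # content looks like "5;url=index2.html": a delay, then the target
            _, _, rest = a.get("content", "").partition(";")
            key, _, target = rest.strip().partition("=")
            if key.strip().lower() == "url" and target.strip():
                dest = urljoin(self.base_url, target.strip(" '\""))
                self.findings.append(("meta-refresh", dest))

    def handle_endtag(self, tag):
        if tag == "html":
            self.after_html_close = True


def audit(html_text, base_url):
    """Return the (kind, url) findings for a page fetched from base_url."""
    parser = RedirectAudit(base_url)
    parser.feed(html_text)
    parser.close()
    return parser.findings


# Constructed sample pages (not the pages from the incident).
PAGE_A = ('<html><body><p>Welcome</p></body></html>\n'
          '<iframe src="http://redirector.example/two/"></iframe>')
PAGE_B = ('<html><head><meta http-equiv="refresh" content="5;url=index2.html" />'
          '</head><body><iframe src="/player.html"></iframe></body></html>')

if __name__ == "__main__":
    print(audit(PAGE_A, "http://landing.example/"))
    print(audit(PAGE_B, "http://redirector.example/two/"))
```

An "iframe-after-html" finding on a page you own is a strong sign that the file was modified by something other than your own templates, since legitimate markup does not follow the closing tag.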
The new URL contains the malicious VBScript:
Download the dumped malicious code (the password is novirusthanks.org):
malicious_code.zip / 1 KB
With a malicious Java file that is probably used to download the VBScript:
File: Client.jar
Size: 2337 bytes
MD5 Hash: A6091A6335EC1FD34E8358010C044270
SHA1 Hash: 126BEED0FCE70142207DE46D58C69AADFF71645C
SHA256 Hash: 160D60C071F7A5E691C9B2537FCFA926EB9A80537D594B2E7382309E2ECD5F41
SHA384 Hash: EE4C9AC074E2B1FA5A2A28D586441008FA52FE2258DEF88AD39D4CBDA83934334FF7B4B16ABF85C44FAC565BB698B917
SHA512 Hash: EC422053D1852A1FD575485C8C8BFDF51C35347EBFED92A0A613854717EEE5933C6520936D7CE5FAA67B60A31DDC0D09F1B167EFA975D2CD9D814B51D09AB46D
Antivirus scan report:
As we can see from:
The script downloads and executes the malicious PE file located at:
hxxp:// b0ss.getenjoyment .net/boss.exe
File details:
File: boss.exe
Size: 1280512 bytes
MD5 Hash: C01246B6507DED92832F8A71BF1CDA2D
SHA1 Hash: 792BB694A5944B4CF70DA803586F8440C7AD1D30
SHA256 Hash: 0C3E7B048309541BE48A2F716BEFC91C90F27409B8BF0E3767F0C4CF8C8435AF
SHA384 Hash: 66EC0E377A78EB1EDCF63A26FA8C8E996D89A91CDCC034B507E1098592BB9E67C5C24F4AE9287AD421335D05311EF0A5
SHA512 Hash: ADF7AB9E2E05B788269C7B0FA46660687C868ED131162FDB29824DA54A8AC3C67F53962D43B900D8FFBC61050ADA46E53DFBA846C16461AD18E9703AA3ACEF02
Antivirus scan report: