New Malicious Iframe Code, Trojan.Java.Downloader and VBScript

Posted by on Saturday, February 4th, 2012  |  18,498 views

Honeypots have reported another case of malicious iframe code that is generally added after the end of the HTML tag, at the end of the website page, as you can see from the image below:

Malicious Iframe Code

We have also noted another website that redirects users to a fake porn video streaming website with the main objective to install a VBScript (using a Java applet downloader) in the user’s system and use cmd.exe to download and execute a keylogger:

hxxp:// habbo-sluts-exposed .tk

The URL uses an iframe code to redirect the users to another website:

Iframe Code

Extracted malicious URL:

hxxp:// b0ss.getenjoyment .net/two/

And now, there is another redirect:

<meta http-equiv="refresh" content="5;url=index2.html" />

The user is now redirected to:

hxxp:// b0ss.getenjoyment .net/two/index2.html

The new URL contains the malicious VBScript:

VB Script

Download the dumped malicious code (pass is novirusthanks.org):
malicious_code.zip / 1 KB

With a malicious Java file that is probably used to download the VBScript:

File: Client.jar
Size: 2337 bytes
MD5 Hash: A6091A6335EC1FD34E8358010C044270
SHA1 Hash: 126BEED0FCE70142207DE46D58C69AADFF71645C
SHA256 Hash: 160D60C071F7A5E691C9B2537FCFA926EB9A80537D594B2E7382309E2ECD5F41
SHA384 Hash: EE4C9AC074E2B1FA5A2A28D586441008FA52FE2258DEF88AD39D4CBDA83934334FF7B4B16ABF85C44FAC565BB698B917
SHA512 Hash: EC422053D1852A1FD575485C8C8BFDF51C35347EBFED92A0A613854717EEE5933C6520936D7CE5FAA67B60A31DDC0D09F1B167EFA975D2CD9D814B51D09AB46D

Antivirus scan report:

Antivirus report

As we can see from:

Executable File Download

The script download and execute the malicious PE file located at:

hxxp:// b0ss.getenjoyment .net/boss.exe

File details:

File: boss.exe
Size: 1280512 bytes
MD5 Hash: C01246B6507DED92832F8A71BF1CDA2D
SHA1 Hash: 792BB694A5944B4CF70DA803586F8440C7AD1D30
SHA256 Hash: 0C3E7B048309541BE48A2F716BEFC91C90F27409B8BF0E3767F0C4CF8C8435AF
SHA384 Hash: 66EC0E377A78EB1EDCF63A26FA8C8E996D89A91CDCC034B507E1098592BB9E67C5C24F4AE9287AD421335D05311EF0A5
SHA512 Hash: ADF7AB9E2E05B788269C7B0FA46660687C868ED131162FDB29824DA54A8AC3C67F53962D43B900D8FFBC61050ADA46E53DFBA846C16461AD18E9703AA3ACEF02

Antivirus scan report:

Antivirus Report

Posted by on Saturday, February 4th, 2012 at 6:01 pm and filed under Security News with tags , , , . You can skip to the end and leave a response. Pinging is currently not allowed.

Random Posts

Previous Posts