Tuesday, 24 February 2015

[EN] Malware analysis – Fake AV Downloader (part 1)

1.    Thanks for the sample file(s)

After writing my last article about malware analysis for Android[1], I decide to check some threats that may come from webpages. Today we can see more advertisement on web than it was few years ago. In case of malicious pages, “advertisements” added there now, more often probably will try to steal your data by installing some malware on your computer or by redirecting you to webpage containing exploit code for your browser(‘s plugin).

Few nice examples of ‘webpages’ like this, I found (again) on great Mila’s blog[0]. Thank’s again! ;)

(Hint: Don’t ask me for the password. Ask Mila via email.)



Let’s check the first one archive with HTML file, named “FakeAV Downloader”.


2.    First View

After unpacking our HTML sample, we can see that index.html file contains HTML and JavaScript code







Let’s copy the JavaScript code to new file, and save it as “ob1.html”. Now we can clean the code a little bit to see what is going on here:


As you can see, JS code is preparing “eval()” and “fromCharCode()” to use it later (with “n”):








3.    Second view

When I was trying to figure out how to deobfuscate this code, I found a link to very nice tool called JSDetox[2]. You can install it on Kali[4], but if there will be any problem with installation by “bundler”, try to install each packet manually (gem). It should helps.





After uploading our sample index.html to JSDetox, we can start deobfuscation  (“Analyse”) and get the results in few seconds:





Now we can see where new created <iframe> tag is trying to relocate us – iframe page is located on: hxxp://hivagdy.ru/count22.php.



Unfortunately, when I was checking this code, RU hostname was unavailable.


After that, I found some other interesting informations, for example:

a)    Correlation network topology[3]




b)    This host was used for: [5]






c)    and one more information:






So it seems now, that we have all information we need to decide that this index.html file (used in phishing campany for example) can be very dangerous for safety of our users/clients.

4.    More

Again big thanks for the sample files! ;)

If you have more, post the link(s) on comments or send me the email with subject “MALWARE”. Please remember to pack it with password ‘infected’ (zip/rar/whatever). (Without the password, email server will drop them.)




Materials described here:
[0] Mila’s blog – http://contagiodump.blogspot.com
[1] Android first steps in malware’s world -  http://hauntit.blogspot.com/2015/01/pl-analiza-aplikacji.html
[2] JSDetox - https://github.com/svent/jsdetox
[3] Exposure ISEC Lab – http://exposure.iseclab.org
[4] Kali Linux – https://www.kali.org
[5] http://files.deependresearch.org
[6] Malware URL – http://www.malwareurl.com 

[7] PacketStormSecurity - PDF version

Thanks ;)

o/



No comments:

Post a Comment

What do You think...?