Monday, July 25, 2011

"NeoSploit" #2

Here is the interaction from the first post; for part 2 I'm adding my analysis and further information about the interaction. (Thanks for your patience on my scattered writing attempts.) Additionally, it was pointed out that the request/response has been jumbled together for this data. I'm in the process of finding a compromised site and bouncing it off a Windows VM that will hopefully yield much more information, including the exploits/payloads delivered (Thanks Darren).

200 text/html 482:16466 GET hxxp://pboysxaj.co.tv/7aoptmzxwahwllhr/
302 text/html 692:365 GET hxxp://pboysxaj.co.tv/b1e346d3ca0b910ebf905deac0f9b8938176zxw
200 text/html 664:23214 GET hxxp://pboysxaj.co.tv/5cm1zrkq/?3
200 application/x-shockwave-flash 543:1706 GET hxxp://pboysxaj.co.tv/5cm1zrkq/?04ee3e0fab7472aa4343035e02570750050c5e5c0a5c0b57030452500451045f03
200 application/octet-stream 449:952128 GET hxxp://pboysxaj.co.tv/5cm1zrkq/?0a5864250d480b96551950030706050305590e010f0d09040351020d0100060c03;1;6
200 application/octet-stream 449:952128 GET hxxp://pboysxaj.co.tv/5cm1zrkq/?0a5864250d480b96551950030706050305590e010f0d09040351020d0100060c03;1;6
302 188:2391 GET hxxp://91.226.78.47/shrgr.class
200 application/octet-stream 427:4289 GET hxxp://pboysxaj.co.tv/5cm1zrkq/?4a7109d554a1854e5e155a0a010b530301590c0809005f0407510004070d500c07
200 application/octet-stream 427:3862 GET hxxp://pboysxaj.co.tv/5cm1zrkq/?4d07c159b49b5ccf5e05420c5203020f015c0b0e5a080e08075407025405010007
200 application/octet-stream 449:952128 GET hxxp://pboysxaj.co.tv/5cm1zrkq/?0a5864250d480b96551950030706050305590e010f0d09040351020d0100060c03;1;6
302 338:2643 GET hxxp://91.226.78.47/shrgr.class
302 272:2528 GET hxxp://91.226.78.47/shrgr.class
200 application/octet-stream 384:3862 GET hxxp://pboysxaj.co.tv/5cm1zrkq/?4d07c159b49b5ccf5e05420c5203020f015c0b0e5a080e08075407025405010007
200 application/octet-stream 384:4289 GET hxxp://pboysxaj.co.tv/5cm1zrkq/?4a7109d554a1854e5e155a0a010b530301590c0809005f0407510004070d500c07
200 text/plain 281:8036 GET hxxp://91.226.78.47/shrgr.class
302 188:2391 GET hxxp://91.226.78.47/shrgr.class
302 338:2643 GET hxxp://91.226.78.47/shrgr.class
302 363:2528 GET hxxp://91.226.78.47/shrgr.class
200 application/octet-stream 427:3862 GET hxxp://pboysxaj.co.tv/5cm1zrkq/?4d07c159b49b5ccf5e05420c5203020f015c0b0e5a080e08075407025405010007
200 application/octet-stream 427:4289 GET hxxp://pboysxaj.co.tv/5cm1zrkq/?4a7109d554a1854e5e155a0a010b530301590c0809005f0407510004070d500c07
200 application/octet-stream 427:3862 GET hxxp://pboysxaj.co.tv/5cm1zrkq/?4d07c159b49b5ccf5e05420c5203020f015c0b0e5a080e08075407025405010007
200 application/octet-stream 449:871884 GET hxxp://pboysxaj.co.tv/5cm1zrkq/?0a5864250d480b96551950030706050305590e010f0d09040351020d0100060c03;1;6
302 336:2615 GET hxxp://pboysxaj.co.tv/5cm1zrkq/?4a7109d554a1854e5e155a0a010b530301590c0809005f0407510004070d500c07
302 336:2615 GET hxxp://pboysxaj.co.tv/5cm1zrkq/?4d07c159b49b5ccf5e05420c5203020f015c0b0e5a080e08075407025405010007
200 application/octet-stream 352:952128 GET hxxp://pboysxaj.co.tv/5cm1zrkq/?7fd0e2bb0d480b96521e010b54005554025e5f095c0b5953045653055206565b04;1;8

Here goes my analysis:

First page coming from the compromised referer:
200 text/html 482:16466 GET hxxp://pboysxaj.co.tv/7aoptmzxwahwllhr/

Redirect to landing page:
302 text/html 692:365 GET hxxp://pboysxaj.co.tv/b1e346d3ca0b910ebf905deac0f9b8938176zxw

Landing page used to determine plugins and vulnerabilities:
200 text/html 664:23214 GET hxxp://pboysxaj.co.tv/5cm1zrkq/?3

**Note how the responses for these three are text/html versus below**

First exploit served:
200 application/x-shockwave-flash 543:1706 GET hxxp://pboysxaj.co.tv/5cm1zrkq/?04ee3e0fab7472aa4343035e02570750050c5e5c0a5c0b57030452500451045f03

Success, and Payload download: (look at the size)
200 application/octet-stream 449:952128 GET hxxp://pboysxaj.co.tv/5cm1zrkq/?0a5864250d480b96551950030706050305590e010f0d09040351020d0100060c03;1;6

Success? Payload download: (look at the size)(unknown why this is a duplicate)
200 application/octet-stream 449:952128 GET hxxp://pboysxaj.co.tv/5cm1zrkq/?0a5864250d480b96551950030706050305590e010f0d09040351020d0100060c03;1;6

Interesting additional download after payload: (denied here)
302 188:2391 GET hxxp://91.226.78.47/shrgr.class

Second exploit served:
200 application/octet-stream 427:4289 GET hxxp://pboysxaj.co.tv/5cm1zrkq/?4a7109d554a1854e5e155a0a010b530301590c0809005f0407510004070d500c07

Success, Payload download: (look at the size)
200 application/octet-stream 427:3862 GET hxxp://pboysxaj.co.tv/5cm1zrkq/?4d07c159b49b5ccf5e05420c5203020f015c0b0e5a080e08075407025405010007

Success, Payload download: (undetermined why this is a duplicate)
200 application/octet-stream 449:952128 GET hxxp://pboysxaj.co.tv/5cm1zrkq/?0a5864250d480b96551950030706050305590e010f0d09040351020d0100060c03;1;6

Repeat of a seemingly additional download: (denied again)
302 338:2643 GET hxxp://91.226.78.47/shrgr.class

Repeat of a seemingly additional download: (denied again)
302 272:2528 GET hxxp://91.226.78.47/shrgr.class

Third exploit served:
200 application/octet-stream 384:3862 GET hxxp://pboysxaj.co.tv/5cm1zrkq/?4d07c159b49b5ccf5e05420c5203020f015c0b0e5a080e08075407025405010007

Fourth exploit served:
200 application/octet-stream 384:4289 GET hxxp://pboysxaj.co.tv/5cm1zrkq/?4a7109d554a1854e5e155a0a010b530301590c0809005f0407510004070d500c07

Success on additional download:
200 text/plain 281:8036 GET hxxp://91.226.78.47/shrgr.class

Repeat of a seemingly additional download: (denied again)
302 188:2391 GET hxxp://91.226.78.47/shrgr.class

Repeat of a seemingly additional download: (denied again)
302 338:2643 GET hxxp://91.226.78.47/shrgr.class

Repeat of a seemingly additional download: (denied again)
302 363:2528 GET hxxp://91.226.78.47/shrgr.class

Third exploit served (again):
200 application/octet-stream 427:3862 GET hxxp://pboysxaj.co.tv/5cm1zrkq/?4d07c159b49b5ccf5e05420c5203020f015c0b0e5a080e08075407025405010007

Fourth exploit served (again):
200 application/octet-stream 427:4289 GET hxxp://pboysxaj.co.tv/5cm1zrkq/?4a7109d554a1854e5e155a0a010b530301590c0809005f0407510004070d500c07

Third exploit served (again):
200 application/octet-stream 427:3862 GET hxxp://pboysxaj.co.tv/5cm1zrkq/?4d07c159b49b5ccf5e05420c5203020f015c0b0e5a080e08075407025405010007

Success, Payload download: (undetermined why this is a duplicate)
200 application/octet-stream 449:871884 GET hxxp://pboysxaj.co.tv/5cm1zrkq/?0a5864250d480b96551950030706050305590e010f0d09040351020d0100060c03;1;6

Unknown what this transaction is:
302 336:2615 GET hxxp://pboysxaj.co.tv/5cm1zrkq/?4a7109d554a1854e5e155a0a010b530301590c0809005f0407510004070d500c07

Third Exploit attempt:
302 336:2615 GET hxxp://pboysxaj.co.tv/5cm1zrkq/?4d07c159b49b5ccf5e05420c5203020f015c0b0e5a080e08075407025405010007

Success, Payload download:
200 application/octet-stream 352:952128 GET hxxp://pboysxaj.co.tv/5cm1zrkq/?7fd0e2bb0d480b96521e010b54005554025e5f095c0b5953045653055206565b04;1;8

These are my assumptions about the transactions; however, as I said before, I am working on finding a live site to test out in a honeyclient/VM situation.
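To make the stage labels above repeatable over a whole proxy log rather than eyeballing each line, here is a small Python triage script. It is an added example, not code from this post. It assumes the line shape used in the capture above (status, optional MIME type, request:response byte counts, method, URL), treats any octet-stream response of 100 KB or more as the dropped binary (an assumed cut-off, not something the post states), and uses a handful of lines copied from the capture as sample input. The "looks like an exploit kit" check is the ordering a defender would alert on: an HTML landing page, then an exploit object, then a large binary from the same session.

```python
"""Stage-label proxy-log lines from an exploit-kit visit (added example, not the post's code).

Assumed line shape:  STATUS [MIME-TYPE] REQUEST_BYTES:RESPONSE_BYTES METHOD URL
(the MIME type is missing on some 302 lines in the capture).
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

LINE_RE = re.compile(
    r"^(\d{3})\s+"                 # HTTP status
    r"(?:(\S+/\S+)\s+)?"           # optional MIME type (always contains a slash)
    r"(\d+):(\d+)\s+"              # request:response byte counts
    r"(GET|POST|HEAD)\s+(\S+)$"    # method and (defanged) URL
)
HOST_RE = re.compile(r"://([^/]+)")

# Assumed cut-off: octet-stream responses at or above this size are the dropped
# executable; smaller ones are treated as exploit objects (jar/pdf/etc.).
PAYLOAD_MIN_BYTES = 100_000


@dataclass
class Txn:
    status: int
    mime: Optional[str]
    req_bytes: int
    resp_bytes: int
    method: str
    url: str

    @property
    def host(self) -> str:
        m = HOST_RE.search(self.url)
        return m.group(1) if m else ""


def parse_line(line: str) -> Optional[Txn]:
    """Return a Txn for one log line, or None if the line is not in the expected shape."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Txn(int(m[1]), m[2], int(m[3]), int(m[4]), m[5], m[6])


def stage(t: Txn) -> str:
    """Heuristic stage label mirroring the annotations in the post."""
    if t.status != 200:
        return "redirect"      # 302s: redirect chain, or a fetch that was denied
    if t.mime == "text/html":
        return "landing"       # gate / landing page doing plugin fingerprinting
    if t.mime == "application/x-shockwave-flash":
        return "exploit"
    if t.url.lower().endswith(".class"):
        return "extra"         # stand-alone Java class fetched after the payload
    if t.mime == "application/octet-stream":
        return "payload" if t.resp_bytes >= PAYLOAD_MIN_BYTES else "exploit"
    return "other"


def analyze(log_text: str) -> dict:
    """Summarise a log: per-stage counts, repeated URLs, hosts, and a kill-chain flag."""
    txns = [t for t in (parse_line(ln) for ln in log_text.splitlines()) if t]
    stages = [stage(t) for t in txns]
    url_counts = Counter(t.url for t in txns)
    # Collapse consecutive repeats, then look for landing -> exploit -> payload in order.
    order: list = []
    for s in stages:
        if s in ("landing", "exploit", "payload") and (not order or order[-1] != s):
            order.append(s)
    chain = any(order[i:i + 3] == ["landing", "exploit", "payload"] for i in range(len(order)))
    return {
        "transactions": len(txns),
        "stage_sequence": stages,
        "stage_counts": dict(Counter(stages)),
        "hosts": {t.host for t in txns},
        "repeated_urls": {u: n for u, n in url_counts.items() if n > 1},
        "largest_download": max((t.resp_bytes for t in txns if t.status == 200), default=0),
        "looks_like_exploit_kit": chain,
    }


# Sample input: ten lines copied from the capture in the post (constructed subset).
SAMPLE_LOG = """\
200 text/html 482:16466 GET hxxp://pboysxaj.co.tv/7aoptmzxwahwllhr/
302 text/html 692:365 GET hxxp://pboysxaj.co.tv/b1e346d3ca0b910ebf905deac0f9b8938176zxw
200 text/html 664:23214 GET hxxp://pboysxaj.co.tv/5cm1zrkq/?3
200 application/x-shockwave-flash 543:1706 GET hxxp://pboysxaj.co.tv/5cm1zrkq/?04ee3e0fab7472aa4343035e02570750050c5e5c0a5c0b57030452500451045f03
200 application/octet-stream 449:952128 GET hxxp://pboysxaj.co.tv/5cm1zrkq/?0a5864250d480b96551950030706050305590e010f0d09040351020d0100060c03;1;6
200 application/octet-stream 449:952128 GET hxxp://pboysxaj.co.tv/5cm1zrkq/?0a5864250d480b96551950030706050305590e010f0d09040351020d0100060c03;1;6
302 188:2391 GET hxxp://91.226.78.47/shrgr.class
200 application/octet-stream 427:4289 GET hxxp://pboysxaj.co.tv/5cm1zrkq/?4a7109d554a1854e5e155a0a010b530301590c0809005f0407510004070d500c07
200 application/octet-stream 427:3862 GET hxxp://pboysxaj.co.tv/5cm1zrkq/?4d07c159b49b5ccf5e05420c5203020f015c0b0e5a080e08075407025405010007
200 text/plain 281:8036 GET hxxp://91.226.78.47/shrgr.class
"""

if __name__ == "__main__":
    summary = analyze(SAMPLE_LOG)
    for key, value in summary.items():
        print(f"{key}: {value}")
```

The repeated-URL count is what surfaces the duplicate 952128-byte fetches the post could not explain, and the stage sequence shows at a glance which hits were 302 denials of the same `.class` URL before the one that succeeded. Adjust `PAYLOAD_MIN_BYTES` to whatever size split fits your own captures.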

More to come, hopefully with even more data next time.

If you've seen interaction like this please contact me, I'd like to combine forces on this and dig into it deeper and understand what the pack is and who is running it, what it's serving up.

Thanks again!

Paul
@demon117 (twitter)
