A forum for reverse engineering, OS internals and malware analysis 

 #17675  by secObs
 Thu Jan 10, 2013 3:20 pm
Here is the new Java 0-day jar used by Blackhole. The exploit downloads Zbot.

Both files in attachment.

Jar: 483b40f21a9e97f0dc6c88a21fddc1ec
Zeus: f0e4b2c0e73d20cc535834b0d7faa6c2
 #17683  by p4r4n0id
 Sat Jan 12, 2013 9:20 am
Cassiel wrote: This is predicting trouble, any chance we can get a sample of what is being dropped/jar?

EDIT:

Kafeine did full disclosure, I have added his files here.
JoeBox analysis for UTTER-OFFEND.exe (MD5: 237f8ffc0c24191c5bb7bd9099802ee4)

http://joe4security.blogspot.ch/2013/01 ... nical.html

p4r4n0id
 #17704  by Xylitol
 Sun Jan 13, 2013 8:08 pm
Silent JDB, CVE-2013-0422 from Adwind Web Fake 1.4 (hackforums.net/showthread.php?tid=3128940)
https://www.virustotal.com/file/10f09d0 ... 358106689/ > 0/46
https://rstforums.com/forum/63344-java-0day-cve-2013-0422-1-7u10.rst
also just saw this pdf 0day:
https://damagelab.org/index.php?showtopic=23552&st=0
 #18254  by secObs
 Mon Feb 18, 2013 10:59 pm
@EKwatcher has spotted Cool EK using CVE-2013-0431.

It drops Reveton and isn't heavily obfuscated.

Detection 2/45
https://www.virustotal.com/en/file/c..d9c/analysis/

MD5: 97ad65a3458e4d8551e4bc0ff4a8f97c
SHA-1: 98c61c132a918766c7565a719274fdefab33f7ff
 #18424  by Squirl
 Tue Mar 05, 2013 1:38 pm
I'm just working on obtaining the Jar - in the meantime, here's the payload after a successful exploit.