Infected Webpage

hxxp://petroffpianostudio[.]com/ (This may now be cleaned up at the time of posting)

It looks like the the aforementioned webpage is infected with a redirect to download suspect files

Traffic observed after the infection suggests that it will attempt to download executable files from a few different locations.

hxxp://talk-of-the-tyne.co.uk/download1264/
hxxp://willy.pro.br/download3299/
hxxp://freight.eu.com/download3696/

The analysis of the files on hybrid analysis does confirm that these are malicious files

https://www.hybrid-analysis.com/sample/e8d2f149de58eb45b398a84d6d27d568ab1d239584edcb55531fe11da2f9c51b?environmentId=100

Once the executable file is on the host machine, it then attempts to call out to the following

173.230.137.155
206.214.220.79

Upon further analysis we have another file which has been downloaded from the following location

hxxp://matchpointpro.com/lDu52756eeJMW/

https://www.virustotal.com/en/file/4b97fa91d9f33392fde84a2af3500a78621a71b80b3d3486a7b70cdd47187ce3/analysis/1492020556/

https://www.hybrid-analysis.com/sample/4b97fa91d9f33392fde84a2af3500a78621a71b80b3d3486a7b70cdd47187ce3?environmentId=100

I revisited the links later in the day and have a bit more details, we can see they are still serving executable files. Chrome is now blocking and suggesting these files are malicious, and also so is internet explorer. I have not tried them on firefox at this time.

GET /download3299/ HTTP/1.1
Accept: application/x-ms-application, image/jpeg, application/xaml+xml, image/gif, image/pjpeg, application/x-ms-xbap, */*
Accept-Language: en-gb
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3)
Accept-Encoding: gzip, deflate
Host: willy.pro.br
Cache-Control: max-age=259200
Connection: keep-alive

HTTP/1.1 200 OK
Date: Wed, 12 Apr 2017 18:16:51 GMT
Content-Type: application/octet-stream
Connection: keep-alive
Keep-Alive: timeout=15
Server: Apache
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Expires: Tue, 08 Jan 1935 00:00:00 GMT
Pragma: no-cache
Content-Disposition: attachment; filename="6274.exe"
Content-Transfer-Encoding: binary


GET /download1264/ HTTP/1.1
Accept: application/x-ms-application, image/jpeg, application/xaml+xml, image/gif, image/pjpeg, application/x-ms-xbap, */*
Accept-Language: en-GB
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3)
Accept-Encoding: gzip, deflate
Host: talk-of-the-tyne.co.uk
Cache-Control: max-age=259200
Connection: keep-alive

HTTP/1.1 200 OK
Date: Wed, 12 Apr 2017 18:16:09 GMT
Server: Apache
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Expires: Tue, 08 Jan 1935 00:00:00 GMT
Pragma: no-cache
Content-Disposition: attachment; filename="5198.exe"
Content-Transfer-Encoding: binary
Vary: User-Agent
X-Powered-By: PleskLin
MS-Author-Via: DAV
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: application/octet-stream


GET /lDu52756eeJMW/ HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3)
Host: matchpointpro.com
Cache-Control: max-age=259200
Connection: keep-alive

HTTP/1.1 200 OK
Server: nginx
Date: Wed, 12 Apr 2017 18:11:09 GMT
Content-Type: application/octet-stream
Connection: keep-alive
Keep-Alive: timeout=15
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Expires: Tue, 08 Jan 1935 00:00:00 GMT
Pragma: no-cache
Content-Disposition: attachment; filename="5345.exe"
Content-Transfer-Encoding: binary
ngpass_ngall: 1

 

Still in the process of building my Analysis Lab, so this is not quite how I would like to post, but some information is better than none.

Leave a Reply

Your email address will not be published. Required fields are marked *