Wednesday, January 13, 2010

Jan 13 CVE-2009-4324 Re: Project from spoofed [Redacted]@state.gov 13 Jan 2010 06:17:21 -0000



Download 116d92f036f68d325068f3c7bbf1d535 - Project.pdf as a password-protected archive (please contact me if you need the password)

Update Jan. 22, 2010 - CW Sandbox analysis kindly provided by TarunKumar Singh (below)

-----Original Message-----
From: XXXXX (Real name here) [mailto:XXXXXX@state.gov]
Sent: 2010-01-13 1:17 AM
To: XXXXXX
Subject: Re: Project
Importance: High

Dear

I will bring your email to his attention at that time.

With regards,
Lesley Rich

Header:
Received: (qmail 6296 invoked from network); 13 Jan 2010 06:17:21 -0000
Received: from unknown (HELO state.gov) (115.92.107.178)
  by XXXXXXXXXXX
Received: from ¼òÌå²âÊÔ (unknown [192.168.7.110])
    by 192.168.7.110 (Coremail) with SMTP id _bJCALesoEAeAFMU.1
    for XXXXXXXXXXXXX Wed, 13 Jan 2010 14:17:15 +0800 (CST)
X-Originating-IP: [192.168.7.110]
Date: Wed, 13 Jan 2010 14:17:15 +0800
From: "=?GB2312?B?QnJlbW5lciwgU3VlIEw=?="
Subject: =?GB2312?B?UmU6IFByb2plY3Q=?=
To: XXXXXXXXXXXXXXXXXXX
X-Priority: 1
X-mailer: FastMail 1.5 [cn]
Mime-Version: 1.0
Content-Type: multipart/mixed;
    boundary="------=_Next_Part_0019055250.467"


Hostname: 115.92.107.178
ISP: LG DACOM Corporation
Organization: LG DACOM Corporation
Type: Cable/DSL
Country: Korea, Republic of  
State/Region: 11
City: Seoul
Latitude: 37.5664
Longitude: 126.9997

This file was already analyzed:
http://www.virustotal.com/analisis/ac3849e1c3ddf124f17c2ed7e8d3463fda2a37116d711a99b82c743c0c1a32ac-1263106258

http://www.virustotal.com/analisis/ac3849e1c3ddf124f17c2ed7e8d3463fda2a37116d711a99b82c743c0c1a32ac-1263938027
File Project.pdf received on 2010.01.19 21:53:47 (UTC)
Result: 18/41 (43.90%)
a-squared 4.5.0.50 2010.01.19 Exploit.JS.Pdfka!IK
Authentium 5.2.0.5 2010.01.19 PDF/Expl.FO
BitDefender 7.2 2010.01.19 Exploit.PDF-JS.Gen
CAT-QuickHeal 10.00 2010.01.19 Expoit.PDF.FlateDecode
ClamAV 0.94.1 2010.01.19 Exploit.PDF-9757
Comodo 3640 2010.01.19 UnclassifiedMalware
DrWeb 5.0.1.12222 2010.01.19 Exploit.PDF.687
eSafe 7.0.17.0 2010.01.19 Win32.Pidief.H
F-Secure 9.0.15370.0 2010.01.19 Exploit.PDF-JS.Gen
GData 19 2010.01.19 Exploit.PDF-JS.Gen
Ikarus T3.1.1.80.0 2010.01.19 Exploit.JS.Pdfka
Kaspersky 7.0.0.125 2010.01.19 Exploit.JS.Pdfka.adn
McAfee-GW-Edition 6.8.5 2010.01.19 Heuristic.BehavesLike.PDF.Shellcode.Z
Microsoft 1.5302 2010.01.19 Exploit:JS/Heapspray
nProtect 2009.1.8.0 2010.01.19 Exploit.PDF-JS.Gen.C02
PCTools 7.0.3.5 2010.01.19 Trojan.Pidief
Symantec 20091.2.0.41 2010.01.19 Trojan.Pidief.H
TrendMicro 9.120.0.1004 2010.01.19 TROJ_PDFKA.AK
Additional information
File size: 149706 bytes
MD5: 116d92f036f68d325068f3c7bbf1d535

Vicheck.ca already has this file under a different name:
https://www.vicheck.ca/md5query.php?hash=116d92f036f68d325068f3c7bbf1d535
Detections: kernel32, ExitProcess, Javascript obfuscation using unescape, Javascript possible obfuscation using unescape, PDF Exploit call to media.newPlayer

Wepawet
http://wepawet.iseclab.org/view.php?hash=116d92f036f68d325068f3c7bbf1d535&type=js
File Project.pdf
Analysis Started 2010-01-19 14:15:12
Report Generated 2010-01-19 14:16:24
Jsand 1.03.02 benign


Here is the CW Sandbox analysis kindly provided by TarunKumar Singh:


Created Files...
  • File: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\1.exe
  • File Type: file
  • Source File Hash: 88fd19e48625e623a4d6abb5d5b78445
  • Creation/Distribution: CREATE_ALWAYS
  • Desired Access: FILE_ANY_ACCESS
  • Share Access: FILE_SHARE_WRITE
  • Flags: FILE_ATTRIBUTE_NORMAL SECURITY_ANONYMOUS
  • Stored as: 88fd19e48625e623a4d6abb5d5b78445.exe
  • File: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ÄêÙR×´.pdf
  • File Type: file
  • Source File Hash: dc0a02619771b5d2d0887267c67b87a6
  • Creation/Distribution: CREATE_ALWAYS
  • Desired Access: FILE_ANY_ACCESS
  • Share Access: FILE_SHARE_WRITE
  • Flags: FILE_ATTRIBUTE_NORMAL SECURITY_ANONYMOUS
  • Stored as: dc0a02619771b5d2d0887267c67b87a6.pdf

    Store Created Files Section...
    • Source: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\1.exe (36974 Bytes.)
    • Destination: 88fd19e48625e623a4d6abb5d5b78445.exe
    • Source: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ÄêÙR×´.pdf (57536 Bytes.)
    • Destination: dc0a02619771b5d2d0887267c67b87a6.pdf

    Registry Section...
  • Created Keys...
    • Key: HKEY_LOCAL_MACHINE\System\WSZXSGANXFJVAYSXYQGNXKQY
  • Open Keys...
    • Key: HKEY_LOCAL_MACHINE\SOFTWARE\Adobe\Acrobat Reader\8.0\ORO
    • Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters
