polonus
1
See: https://www.virustotal.com/nl/url/1120d041f7b2e291ec60cde6aa626de43cdf3dc14e7e175fa6c111e6e66578e0/analysis/1385499478/
and http://urlquery.net/report.php?id=8010908 and http://jsunpack.jeek.org/?report=9a37de7ed0ed38676d2eb67a117a2420e9d8d95d
code hiccup: aaaaa5 dot com/js/p.js benign
[nothing detected] (script) aaaaa5 dot com/js/p.js
status: (referer=1366879499.pa334.asia/llbei/?id=wXw.tssanhui.com)saved 2715 bytes da5034759aa63917d5abe0be0901685379f03b90
info: [img] img.webscan.360 dot cn/status/pai/hash/c1db4da50299ddf6873d4ea33b33d59a
info: [decodingLevel=0] found JavaScript
error: undefined variable G
error: undefined function G.winB
info: [element] URL=aaaaa5 dot com/js/undefined → http://jsunpack.jeek.org/?report=ddbe4502ea917f28a29ed82e65c3565d21679ab5
info: [decodingLevel=1] found JavaScript
suspicious:
Suspicious on iFrame check: Suspicious order.html’
Site abuse in the past on IP: https://www.projecthoneypot.org/ip_67.198.188.11
Listed on same IP: http://webscan-s.360.cn/sameip/index/?url=1366684994.l.pa343.asia
polonus
polonus
2
Code seemed benign here: http://wepawet.iseclab.org/view.php?hash=eb8ac32891d032a56dffd51ee75e5b5f&t=1385502049&type=js
External links to check:
htxp://1383740992.t.pa663.info/wawa/?id='+d+'&ref=pft → ''
htxp://1383740992.t.pa663.info/llbei/?id='+d+'&ref=pft → ''
htxp://1383740992.t.pa663.info/weiku/?id='+d+'&ref=pft → ''
htxp://1383740992.t.pa663.info/dsb/?id='+d+'&ref=pft → ''
htxp://1383740992.t.pa663.info/gdmhs/?id='+d+'&ref=pft → ''
all trackcode → http://www.rexswain.com/cgi-bin/httpview.cgi?url=http://www.1383740992.t.pa663.info/&uag=MSIE+8.0+Trident&ref=http://www.google.com&aen=&req=GET&ver=1.1&fmt=AUTO
aw tracking code to search for event listeners (handlers) in different views (addListener code); see code quote here:
ref.indexOf('360 dot cn/warn/') > 0 || ref.indexOf('c.pc.qq dot com') > 0 || ref.indexOf('api.pc120 dot com') > 0 || ref.indexOf('safe.ie.sogou dot com')
This is to be considered as malicious:
https://www.virustotal.com/nl/domain/api.pc120.com/information/
Verdict: probably trojan dropper code.
pol
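As an added example (not code from the post or from any of the scanners mentioned), a small defender-side heuristic in JavaScript that flags the referrer-cloaking pattern quoted above: a script that compares document.referrer against security-scanner domains and changes behaviour when one matches is hiding itself from scanners. The four scanner domains are the ones quoted in the post; the sample scripts and the loader name are constructed.

```javascript
// Added example, not from the forum post: flag scripts that branch on the HTTP
// referrer when the visitor arrives from a security-scanner domain. Such a check
// lets a script stay quiet for 360, QQ PC Manager, pc120 or Sogou scanners and
// misbehave for everyone else (cloaking). Domains below are those quoted in the post.
const SCANNER_REFERERS = [
  "360.cn/warn/",
  "c.pc.qq.com",
  "api.pc120.com",
  "safe.ie.sogou.com",
];

// Matches referrer checks such as  ref.indexOf('api.pc120.com') > 0
// Group 1 is the variable being tested, group 2 the string literal.
const REF_CHECK = /(\w+)\.indexOf\(\s*['"]([^'"]+)['"]\s*\)\s*>\s*0/g;

function findRefererCloaking(source) {
  const hits = [];
  for (const m of source.matchAll(REF_CHECK)) {
    const [, variable, literal] = m;
    const known = SCANNER_REFERERS.find((d) => literal.includes(d));
    if (known) hits.push({ variable, literal, known });
  }
  return {
    cloaking: hits.length > 0,
    scannersChecked: [...new Set(hits.map((h) => h.known))],
    // Several scanner domains in one condition is a stronger signal than one.
    severity: hits.length >= 3 ? "high" : hits.length > 0 ? "medium" : "none",
  };
}

// Constructed sample mirroring the condition quoted in the post: the tracking code
// does nothing when a scanner is the referrer and runs its loader otherwise.
const SAMPLE = `
var ref = document.referrer;
if (ref.indexOf('360.cn/warn/') > 0 || ref.indexOf('c.pc.qq.com') > 0 ||
    ref.indexOf('api.pc120.com') > 0 || ref.indexOf('safe.ie.sogou.com') > 0) {
  // a scanner is looking: stay quiet
} else {
  G.winB(); // hypothetical loader name, taken from the jsunpack errors above
}`;

// Benign comparison: a referrer check that only looks at the site's own domain.
const BENIGN = `if (document.referrer.indexOf('example.org') > 0) { trackHit(); }`;
```

Run `findRefererCloaking(SAMPLE)` and `findRefererCloaking(BENIGN)` side by side: the first reports all four scanner domains with severity "high", the second reports nothing.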