Thursday, February 16, 2017

Cerber payload generator with different hashes

@MlwrHpstr posted a Cerber URL:

freeflamec[.]top/read.php?f=1.gif

If you go directly to the link it'll download a file.

If you run md5sum on the file you'll get this hash:

c27b380afa8e88d2eba7c58a97d31be1

If you search that MD5 on VirusTotal, it shows you some interesting details about it.





If you run strings you'll see this is no PHP file and no .gif file; this is a Windows executable.



Something else interesting is that this web server's read.php script is set up to only serve certain parameter values. If you try to pass in something like 2.gif instead of 1.gif you get an HTTP 200 but no file.



If you try to leave the f parameter empty, you actually get a file, but it's 0 bytes.



Thus I would venture to guess there are other parameter values you could pass that may serve up different payloads.

Also, if you go to the root of the site it redirects to godaddy.com, so this is not a compromised site; it's simply a site set up for malicious purposes to serve certain hidden payloads.



If you type in any random PHP page name that doesn't exist, the response tells you the web server version it's running (Apache/2.2.15 (CentOS) Server).



Poking around, I found another page that works (admin.php instead of read.php).

It delivers a different payload with a different hash (6ab4bfd0fa555fc570188af13409a669), which gives different VirusTotal hits; it's another EXE.





Actually, it's interesting: this PHP page generates Cerber EXEs with a different hash every time you reload it.



Good example of why signature-based tools like AV are dying: stuff like this is probably the exact same payload, just slightly modified so that the hash changes every time.
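The two checks this post does by hand, as example code added here (not from the original post): sniff what was really served regardless of the .gif name in the URL, and see that the whole-file MD5 changes on every "reload" while a structural feature does not. The sample blobs are constructed stand-ins, and the header-only hash assumes the variation lives in the tail, which real samples need not honour.

```python
import hashlib
import random
from urllib.parse import parse_qs

# Magic bytes for the types this post talks about: what the URL claims to
# serve (.gif) versus what actually comes back (a Windows executable).
MAGIC = [
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"MZ", "windows executable"),
    (b"<?php", "php source"),
]

def sniff_type(data: bytes) -> str:
    """Classify served bytes by leading magic; a 0-byte body is its own case."""
    if not data:
        return "empty"
    for magic, name in MAGIC:
        if data.startswith(magic):
            return name
    return "unknown"

def requested_type(request: str) -> str:
    """Extension named in the f= parameter ('read.php?f=1.gif' -> 'gif', 'f=' -> '')."""
    f = parse_qs(request.partition("?")[2], keep_blank_values=True).get("f", [""])[0]
    return f.rsplit(".", 1)[-1].lower() if "." in f else ""

def extension_mismatch(request: str, data: bytes) -> bool:
    """Detection rule: an image was requested but an executable was served."""
    return requested_type(request) == "gif" and sniff_type(data) == "windows executable"

def md5_hex(data: bytes) -> str:
    """Same digest md5sum prints; differs for every re-download of a polymorphic payload."""
    return hashlib.md5(data).hexdigest()

def header_hash(data: bytes, n: int = 64) -> str:
    """Hash of the leading bytes only; stable when only the tail varies (an assumption)."""
    return hashlib.sha256(data[:n]).hexdigest()

def make_variant(seed: int) -> bytes:
    """Constructed stand-in for one download: fixed MZ header and body, random 16-byte tail."""
    tail = random.Random(seed).randbytes(16)
    return b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\xcc" * 128 + tail

if __name__ == "__main__":
    for seed in (1, 2):  # two "reloads" of read.php?f=1.gif
        blob = make_variant(seed)
        print(sniff_type(blob), extension_mismatch("read.php?f=1.gif", blob),
              md5_hex(blob), header_hash(blob)[:16])
```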

Copyright © 2017, this post cannot be reproduced or retransmitted in any form without reference to the original post.