Name: Christian North

Description:

Using an IP Traffic Analyzer I've been developing in my spare time called TraceNet, I observed:

victim visits http://nrtjo.eu/true.php (59.53.91.102 - china telecom)
GET /true.php - (contains obfuscated javascript)
GET /xxx.xxx - (contains obfuscated javascript decoder?)
GET /favicon.ico -- 404
GET /q.jar
GET /sdfj.jar
GET /loading.php?spl=javadnw&J050006010 - (inline exe)
GET //loading.php?spl=javad0 - (inline exe)

The victim's PC leaks the user's credentials in the form of an HTTP GET request to: http://freeways.in/1111/gate.php?.... 404

The incident appears to have started with a visit to http://nrtjo.eu/true.php, which contains heavily obfuscated javascript.

I wrote a small utility to extract the executable file from the reassembled TCP stream containing 'chunked' Transfer-Encoding.

Reviewing "file.exe" (MD5 5942ba36cf732097479c51986eee91ed) with a hex editor revealed the packer was UPX. Decompressing file.exe with "upx -d" resulted in MD5 0f37839f48f7fc77e6d50e14657fb96e.

Loading the malware into an isolated VM invoked a connection attempt to 213.155.29.144 on TCP port 444.

Additional Text:

Here is the code I wrote to extract the chunked content transfer-encoding from reassembled TCP stream files. This is highly experimental and lacks error checking, although it seemed to get the job done.

gcc -o xtc xtc.c
./xtc C0A81781-1066-3B355B66-80
Extracting Transfer Content: file.exe
chunk offset: 448 - size 7845 bytes
chunk offset: 8301 - size 8192 bytes
chunk offset: 16501 - size 24576 bytes
chunk offset: 41085 - size 27483 bytes
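An added example, not the author's xtc.c (which is not reproduced on this page): a bounds-checked decoder for chunked Transfer-Encoding that reports chunk offsets and sizes in the same form as the output above, run over a constructed two-chunk response. The names find_body, dechunk, demo and the SAMPLE buffer are this example's own.

```c
/* Added example, not the author's xtc.c: decode a chunked HTTP/1.1 response body. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>
long find_body(const unsigned char *s, size_t len)
{   /* offset just past the blank line that ends the headers, or -1 if absent */
    for (size_t i = 0; i + 4 <= len; i++)
        if (memcmp(s + i, "\r\n\r\n", 4) == 0) return (long)(i + 4);
    return -1;
}

/* Walk chunks from s+body, copying payload into out. Each chunk-size and data length
 * is bounds-checked, so a truncated or hostile stream returns -1 instead of over-reading. */
long dechunk(const unsigned char *s, size_t len, size_t body,
             unsigned char *out, size_t outcap)
{
    size_t pos = body, written = 0;
    for (;;) {
        size_t size = 0, digits = 0;
        while (pos < len && isxdigit(s[pos])) {              /* hex chunk-size */
            int c = tolower(s[pos++]);
            if (++digits > 2 * sizeof size) return -1;       /* would overflow size_t */
            size = size * 16 + (size_t)(c <= '9' ? c - '0' : c - 'a' + 10);
        }
        if (digits == 0) return -1;
        while (pos < len && s[pos] != '\r') pos++;           /* skip ";ext=..." */
        if (pos + 2 > len || s[pos + 1] != '\n') return -1;
        pos += 2;
        if (size == 0) return (long)written;                 /* last-chunk; trailers ignored */
        if (size > len - pos || size > outcap - written) return -1;
        printf("chunk offset: %zu - size %zu bytes\n", pos, size);
        memcpy(out + written, s + pos, size);
        written += size; pos += size;
        if (pos + 2 > len || memcmp(s + pos, "\r\n", 2) != 0) return -1;
        pos += 2;
    }
}

/* Constructed sample: two chunks carrying a fake 7-byte "executable" payload. */
static const unsigned char SAMPLE[] =
    "HTTP/1.1 200 OK\r\nTransfer-Encoding: chunked\r\n\r\n"
    "4\r\nMZ\x90\x00\r\n3;ext=1\r\nabc\r\n0\r\n\r\n";
#define SAMPLE_LEN (sizeof SAMPLE - 1)
long demo(void)
{   /* decode SAMPLE; returns payload length (7) when it starts with "MZ", else -1 */
    unsigned char out[64];
    long body = find_body(SAMPLE, SAMPLE_LEN);
    long n = body < 0 ? -1 : dechunk(SAMPLE, SAMPLE_LEN, (size_t)body, out, sizeof out);
    return (n >= 2 && memcmp(out, "MZ", 2) == 0) ? n : -1;
}
```

Against a real reassembled stream the same walker can be pointed at the file contents instead of SAMPLE; the printed offsets are relative to the start of that buffer.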