JS/Exploit-Blacole!heur

This page shows the details and results of our analysis of the malware JS/Exploit-Blacole!heur.

Overview

This is a Trojan detection. Unlike viruses, Trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include e-mail, malicious or hacked Web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Aliases –

Microsoft    -    Exploit:JS/Blacole.GB
Drweb        -    Exploit.BlackHole.129
Avast        -    JS:Decode-AGV
Avira        -    JS/Blacole.GB.155 Java script


Minimum Engine

5600.1067

File Length

0

Description Added

2013-05-03

Description Modified

2013-12-14

Characteristics

“JS/Exploit-Blacole!heur” is a detection for malicious Java code that exploits vulnerabilities such as CVE-2012-1723 and CVE-2012-0507.

“JS/Exploit-Blacole!heur” is a generic detection for malicious Java code that exploits a vulnerability allowing the execution of arbitrary code. The script also fingerprints the operating system, the browser and installed components such as Java, the PDF reader and the Flash plug-in, looking for a vulnerable Java version.

“JS/Exploit-Blacole!heur” is a generic detection for obfuscated JavaScript that injects an iframe pointing to a remote malicious site.

“JS/Exploit-Blacole!heur” is an obfuscated JavaScript that can be embedded into compromised websites. This Trojan redirects the user to malicious websites and downloads other payloads or executes browser exploits.

The "Blackhole" exploit kit may exploit vulnerabilities in certain software installed on the victim's computer. After successful exploitation, it may lead to the download and execution of other malicious files.

Upon execution, it tries to load the JavaScript and redirect the user to the following website using a hidden iframe:
  • hxxp://129.121.[Removed].207/70b86e9a04cec710/70b86e9a04cec710/a.php?vf=2w:1l:2v:30:31&ke=1i:31:32:1g:1n:1h:1l:1l:1n:31&o=1f&md=k&pg=o&jopa=6809998
Upon successful exploitation, it also tries to connect to the following URLs to download other payloads:
  • go[Removed]eapis.com
  • hxxp://129.121.[Removed].207/70b86e9a04cec710/70b86e9a04cec710/a.php?jnlp=3de182668d
  • hxxp://129.121.[Removed].207/70b86e9a04cec710/a.php?nbbdfjz=iqaaty&pjoaxd=xtu
  • hxxp://74.125.[Removed].114/gate.php
The following files are the payloads downloaded by the Trojan:
  • %APPDATA%\Sun\Java\Deployment\cache\6.0\26\2418615a-1276e216
  • %APPDATA%\Sun\Java\Deployment\cache\6.0\26\2418615a-1276e216.idx
  • %APPDATA%\Sun\Java\Deployment\cache\6.0\28\440395dc-6d048d92
  • %APPDATA%\Sun\Java\Deployment\cache\6.0\28\440395dc-6d048d92.idx
  • %APPDATA%\Sun\Java\Deployment\cache\6.0\8\1f62e308-48c68e3e
  • %APPDATA%\Sun\Java\Deployment\cache\6.0\8\1f62e308-48c68e3e.idx
  • %APPDATA%\Sun\Java\Deployment\cache\6.0\8\1f62e308-6.0.lap
  • %USERPROFILE%\6809998.exe
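As an added example (not McAfee's code and not part of this description), the following Node.js script turns the indicators above into defensive triage: it flags iframes in captured page source that are hidden and point off-site, or that use the Blackhole-style `/<16 hex chars>/a.php` landing path seen in the URLs listed above, and it scans proxy log lines for the landing, `a.php?jnlp=` payload and `gate.php` check-in patterns. The trusted-host list, the log line format, the sample HTML and the sample log lines are all assumptions constructed for the example; the path pattern is derived only from the URLs in this description and should be treated as a family-specific heuristic, not a general rule.

```javascript
// Added example (not McAfee's code): static triage for the indicators described above.
// All hosts, log lines and HTML below are constructed for illustration.

// Hosts the page legitimately embeds content from; anything else counts as external.
// (Assumed value for the example.)
const TRUSTED_HOSTS = new Set(["www.example-site.test"]);

// Blackhole-style landing path seen in the URLs above: one or two 16-hex-char
// directory segments followed by a.php (assumption derived from this description).
const BLACOLE_PATH = /\/[0-9a-f]{16}(?:\/[0-9a-f]{16})?\/a\.php(?:\?|$)/i;

// Inline styling that keeps an iframe out of the user's view.
const HIDDEN_STYLE =
  /(display\s*:\s*none|visibility\s*:\s*hidden|position\s*:\s*absolute[^"']*(?:left|top)\s*:\s*-\d{3,}px)/i;

// Pull one attribute value out of a raw tag string (enough for triage; not a full HTML parser).
function attr(tag, name) {
  const re = new RegExp(`\\b${name}\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s>]+))`, "i");
  const m = re.exec(tag);
  return m ? (m[1] ?? m[2] ?? m[3] ?? null) : null;
}

// width="0"/"1" iframes are a classic way to hide injected content.
function isTinyDimension(value) {
  if (value === null) return false;
  const n = parseInt(value, 10);
  return !Number.isNaN(n) && n <= 1;
}

// Return every iframe that is hidden and points off-site, or that uses the
// Blackhole-style landing path regardless of how it is styled.
function findHiddenIframes(html, trustedHosts = TRUSTED_HOSTS) {
  const findings = [];
  for (const match of html.matchAll(/<iframe\b[^>]*>/gi)) {
    const tag = match[0];
    const src = attr(tag, "src");
    if (src === null) continue;

    let host;
    try {
      // Relative src values resolve against a placeholder base and stay "internal".
      host = new URL(src, "http://placeholder.invalid/").hostname;
    } catch {
      continue; // unparsable src: nothing to resolve
    }
    const external = host !== "placeholder.invalid" && !trustedHosts.has(host);
    const hidden =
      isTinyDimension(attr(tag, "width")) ||
      isTinyDimension(attr(tag, "height")) ||
      HIDDEN_STYLE.test(attr(tag, "style") ?? "");
    const blacolePath = BLACOLE_PATH.test(src);

    if ((hidden && external) || blacolePath) {
      findings.push({ src, host, hidden, external, blacolePath });
    }
  }
  return findings;
}

// Request patterns from this description, most specific first so one rule wins per line.
const REQUEST_RULES = [
  { rule: "blacole-jnlp-payload", re: /\/a\.php\?jnlp=[0-9a-f]+/i },
  { rule: "blacole-landing", re: BLACOLE_PATH },
  { rule: "gate-checkin", re: /\/gate\.php(?:\?|$)/i },
];

// Triage proxy log lines. Constructed line format (an assumption):
//   "<timestamp> <client-ip> <method> <url> <status>"
function triageProxyLog(lines) {
  const hits = [];
  for (const line of lines) {
    const parts = line.trim().split(/\s+/);
    if (parts.length < 5) continue;
    const [ts, client, , url] = parts;
    const matched = REQUEST_RULES.find(({ re }) => re.test(url));
    if (matched) hits.push({ ts, client, url, rule: matched.rule });
  }
  return hits;
}

// Constructed sample page: one normal ad iframe, one Blackhole-style hidden iframe,
// one hidden iframe to another external host (documentation IP ranges).
const SAMPLE_HTML = `
<html><body>
<p>Welcome</p>
<iframe src="/ads/banner.html" width="300" height="250"></iframe>
<iframe src="http://203.0.113.5/70b86e9a04cec710/70b86e9a04cec710/a.php?vf=1" width="1" height="1" style="visibility:hidden"></iframe>
<iframe src="http://198.51.100.9/x.html" style="display:none"></iframe>
</body></html>`;

// Constructed sample proxy log.
const SAMPLE_LOG = [
  "2013-05-03T10:00:01Z 10.0.0.7 GET http://www.example-site.test/index.html 200",
  "2013-05-03T10:00:02Z 10.0.0.7 GET http://203.0.113.5/70b86e9a04cec710/70b86e9a04cec710/a.php?vf=1 200",
  "2013-05-03T10:00:05Z 10.0.0.7 GET http://203.0.113.5/70b86e9a04cec710/70b86e9a04cec710/a.php?jnlp=3de182668d 200",
  "2013-05-03T10:00:09Z 10.0.0.7 POST http://198.51.100.9/gate.php 200",
];

console.log(JSON.stringify(findHiddenIframes(SAMPLE_HTML), null, 2));
console.log(JSON.stringify(triageProxyLog(SAMPLE_LOG), null, 2));
```

Run it with `node` to see the two hidden external iframes and the three flagged requests from the constructed samples. The regex-based tag handling is deliberately narrow: injected iframes are normally written by obfuscated JavaScript at runtime, so for real pages feed the script the DOM as rendered (for example, the serialized document from a browser session) rather than the raw HTML from disk, and keep the trusted-host list specific to the site being checked so ordinary third-party embeds do not drown the findings.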

Symptoms

Because this is a generic detection, there is no specific description of the activity undertaken by JavaScript detected under this name; however, it can include malicious activity such as downloading and executing files or scripts.

Method of Infection

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, e-mail, etc.

Removal

Variants