Update: Seems like a legitimate service by McAfee. The geek-mode functionality raised a suspicion. Thanks to anonymous for pointing this out.
I was looking for some interesting malware samples and came across a hilarious but rogue domain using the McAfee name. It is actually a URL shortening service hosted on this domain. If you want to try it, do so by clicking this link: http://mcaf.ee.
Typically, the shortening and expansion process works as shown below:
mcaf.ee~> s http://www.google.com
> The shortened url is >> http://mcaf.ee/f1cd29 << [Copy]
mcaf.ee~> e http://mcaf.ee/f1cd29
> The expanded url is >> http://www.google.com << [Copy]
mcaf.ee~>
The following URLs are accessed by this service for its primary actions:
[1] hxxp://mcaf.ee/api/shorten?callback=jsonp1337557363223&input_url=http%3A%2F%2Fwww.google.com
[2] hxxp://mcaf.ee/assets/ZeroClipboard10.swf
The analysis of ZeroClipboard10.swf is available here: http://jsunpack.jeek.org/?report=5c4bf5f21ec4870d16e89e9d8f32bee124a8344b
Other interesting links are as follows:
hxxp://mcaf.ee/config?geekmode=1
hxxp://mcaf.ee/js/geek.js
The domain is still up as of now. You might want to take a look :)
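An added example (not part of the original post) that triages request URLs like the ones listed above: it restores the defanged scheme for parsing only, decodes the `input_url` submitted to the shorten endpoint, and recovers a client-side timestamp from the JSONP callback name. The function names are hypothetical, and reading the callback as `jsonp` followed by epoch milliseconds is an assumption about the client library.

```python
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit, parse_qs

# Constructed input modelled on the defanged URLs in the post; one entry uses
# the "hxxpp" misspelling to exercise refang().
OBSERVED = [
    "hxxp://mcaf.ee/api/shorten?callback=jsonp1337557363223&input_url=http%3A%2F%2Fwww.google.com",
    "hxxpp://mcaf.ee/assets/ZeroClipboard10.swf",
    "hxxp://mcaf.ee/config?geekmode=1",
    "hxxp://mcaf.ee/js/geek.js",
]
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

def refang(url):
    """Restore hxxp/hxxps (and variants such as hxxpp) to http/https, for parsing only."""
    m = re.match(r"h[tx]{2}p+(s?)://", url, re.IGNORECASE)
    if not m:
        raise ValueError(f"not a (defanged) http URL: {url!r}")
    scheme = "https" if m.group(1) else "http"
    return scheme + "://" + url[m.end():].replace("[.]", ".")

def triage(url):
    """Classify one observed request and pull out the analyst-relevant fields."""
    parts = urlsplit(refang(url))
    query = parse_qs(parts.query)  # parse_qs percent-decodes the values
    rec = {"host": parts.hostname, "path": parts.path, "kind": "other"}
    if parts.path == "/api/shorten":
        rec["kind"] = "shorten-api"
        rec["target"] = query.get("input_url", [None])[0]
        # Assumption: callback is "jsonp" + epoch milliseconds (older jQuery style).
        m = re.fullmatch(r"jsonp(\d{13})", query.get("callback", [""])[0])
        rec["client_time"] = (
            (EPOCH + timedelta(milliseconds=int(m.group(1)))).isoformat() if m else None
        )
    elif parts.path.endswith(".swf"):
        rec["kind"] = "flash"
    elif parts.path.endswith(".js"):
        rec["kind"] = "script"
    elif query:
        rec["kind"] = "config"
        rec["params"] = {k: v[0] for k, v in query.items()}
    return rec

if __name__ == "__main__":
    for u in OBSERVED:
        print(triage(u))
```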
1 comment:
Are you sure this is brandjacking?