Malware Domain List

Malware Related => Malware Analysis => Topic started by: crim on November 12, 2009, 07:19:37 pm

Title: Decode this?
Post by: crim on November 12, 2009, 07:19:37 pm
Does anyone know how I can decode this?
I've tried Wepawet & jsunpack and none of them are able to decode this.
Title: Re: Decode this?
Post by: SysAdMini on November 12, 2009, 07:50:15 pm
Can you tell us the URL of the script?

The script requires "document.lastModified" property. I won't decode without this information.
Title: Re: Decode this?
Post by: crim on November 12, 2009, 09:20:29 pm
It's Fragus.

http://redirectcounter1.com/news.php
/EDIT by SysAdMini: added Code tags
Title: Re: Decode this?
Post by: SysAdMini on November 12, 2009, 09:38:58 pm
Using Malzilla:

- download the script
- get the lastModified property from the HTTP header: Last-Modified: Fri, 12 Dec 2008 11:11:40 GMT
- replace lastModified by its value:

acghiw=document,
befkly=acghiw.lastModified,
copvwx=new Date(befkly).toUTCString()

acghiw=document,
befkly="Fri, 12 Dec 2008 11:11:40 GMT",
copvwx=new Date(befkly).toUTCString()

- run the script
- done

example encoded and decoded attached. pw=infected
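
The manual substitution described in the post above can be scripted for repeated triage. This is an added example, not part of the original thread and not Malzilla's code; `pinLastModified` and `derivedKey` are hypothetical helper names, and the code only rewrites source text without executing the script.

```javascript
// Added example: replace reads of document.lastModified (including reads
// through an alias such as "acghiw=document") with the Last-Modified value
// captured from the HTTP response, so the decoder sees the served value.

// The value the script derives via new Date(lastModified).toUTCString().
function derivedKey(headerValue) {
  const t = new Date(headerValue);
  if (Number.isNaN(t.getTime())) {
    throw new Error('Last-Modified is not a parseable date: ' + headerValue);
  }
  return t.toUTCString();
}

// Text-only rewrite; the sample is never evaluated here.
function pinLastModified(source, headerValue) {
  derivedKey(headerValue); // reject a malformed header before rewriting
  const literal = JSON.stringify(headerValue);

  // Collect identifiers that are assigned the document object itself
  // (not a property of it, hence the negative lookahead).
  const names = new Set(['document']);
  const aliasRe = /([A-Za-z_$][\w$]*)\s*=\s*document\b(?!\s*[.\[(])/g;
  for (const m of source.matchAll(aliasRe)) names.add(m[1]);

  // Replace <name>.lastModified only when <name> is document or an alias.
  let count = 0;
  const accessRe = /(?<![\w$.])([A-Za-z_$][\w$]*)\s*\.\s*lastModified\b/g;
  const rewritten = source.replace(accessRe, (whole, name) => {
    if (!names.has(name)) return whole;
    count += 1;
    return literal;
  });
  return { rewritten, count, aliases: [...names] };
}

// Fragment and header value quoted in the post above.
const sample = 'acghiw=document,\nbefkly=acghiw.lastModified,\n' +
  'copvwx=new Date(befkly).toUTCString()';
const result = pinLastModified(sample, 'Fri, 12 Dec 2008 11:11:40 GMT');
console.log(result.rewritten);
console.log('replacements:', result.count);
```

A `count` of 0 means the script reaches the property some other way (for example bracket notation), and the substitution still has to be made by hand.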
Title: Re: Decode this?
Post by: SysAdMini on November 12, 2009, 09:56:53 pm
JavaScript anti-analysis tricks: last-modified
http://www.cs.ucsb.edu/~marco/blog/2009/10/javascript-anti-analysis-tricks-last-modified.html