Malware Domain List

Malware Related => Malware Analysis => Topic started by: BADMAN on January 01, 2010, 04:27:54 pm

Title: Shaman's Dream
Post by: BADMAN on January 01, 2010, 04:27:54 pm
New exploit kit

Code:
inter-solutions.cn/ImNYbH63/auth.php  (control panel)
Code:
inter-solutions.cn/ImNYbH63/exe.php?exp=pdf  (PDF exploit)
Code:
inter-solutions.cn/ImNYbH63/index.php?exp=2[3,4]  (other exploits)
Who knows something more about it?!
I tried to replace new Date() with the lastmodified property from the HTTP header, but the script doesn't compile....
So how do I decode these exploits?
Title: Re: Shaman's Dream
Post by: SysAdMini on January 02, 2010, 11:33:41 pm
This one is a bit tricky to decode in Malzilla, but you don't need the "lastmodified" property.

I recommend a JavaScript debugger like Google Chrome's integrated debugger. It's much easier than decoding in Malzilla in this case.

This sample is tricky because you may not modify the code. Lines of decoding code are part of the algorithm.
You get a rubbish result if you modify the function "bMVFunc". But you have to modify this function, because Malzilla doesn't accept the original code ("qOGet is not a function").

Solution for Malzilla:
- Make a copy of the main function "bMVFunc", paste it and rename it to "bMVFunc2"
- modify function "bMVFunc2": replace "var qOGet = nInM["uEn6eJsEcEadpJeJ".replace(/[J68Ed]/g, new String)];" by "var qOGet = unescape;"
- modify "bMVFunc(arrayWGetD);" to "bMVFunc2(arrayWGetD);"
- run the script and you'll get the exploit code for a single exploit
- download the next exploit from the URL at the end of the page (e.g. index.php?exp=2) and repeat all the steps above until you have decoded all exploits

Modified version of your sample attached.
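Added example (written for this page, not code from the thread, from the kit, or from Malzilla): it models the one obfuscated line SysAdMini quotes, shows why the junk-stripping idiom resolves to "unescape" and why swapping in `var qOGet = unescape;` is equivalent, and then goes one step further than the thread by resolving every instance of that idiom in a script's text statically, without running the script. The `sandboxGlobals` object standing in for the kit's `nInM` (which the thread does not define) and the percent-encoded "hello world" chunks are constructed assumptions.

```javascript
// Added analysis example, not the kit's code. The key observation: `new String`
// with no argument list is `new String()`, an empty String object. Passed as the
// second argument of String.prototype.replace it is not callable, so it is
// converted to "" and every character matched by the junk class is deleted.
function resolveJunkedName(junked, junkClass) {
  return junked.replace(junkClass, new String);
}

// Stand-in for the kit's `nInM` (assumption: the thread only shows the lookup,
// not where nInM comes from; in the sample it behaved like the global object).
const sandboxGlobals = { unescape: unescape };

// The quoted assignment `var qOGet = nInM["uEn6eJsEcEadpJeJ".replace(...)]`
// written out: remove J, 6, 8, E, d and the leftover "unescape" is the property
// name, so qOGet ends up being the real unescape function.
function lookupDecoder(globals) {
  const name = resolveJunkedName("uEn6eJsEcEadpJeJ", /[J68Ed]/g);
  return globals[name];
}

// Toy model of a decode loop: percent-encoded chunks fed to the resolved function.
function decodeChunks(chunks, decoder) {
  return chunks.map(function (chunk) { return decoder(chunk); }).join("");
}

// Constructed, benign sample input: "hello world" percent-encoded in chunks.
const sampleChunks = ["%68%65%6c%6c%6f", "%20", "%77%6f%72%6c%64"];

// Static pass over script text: find each
//   "<junked>".replace(/[<junk chars>]/g, new String)
// and resolve it without executing anything. Assumes a plain character class
// with no escapes inside the brackets, which holds for the quoted sample.
const JUNK_IDIOM = /"([^"]*)"\.replace\(\/\[([^\]]+)\]\/g,\s*new String\)/g;

function resolveJunkIdioms(source) {
  const resolved = [];
  for (const m of source.matchAll(JUNK_IDIOM)) {
    const junkClass = new RegExp("[" + m[2] + "]", "g");
    resolved.push({ literal: m[0], name: m[1].replace(junkClass, "") });
  }
  return resolved;
}

// Constructed script fragment reproducing the line quoted in the thread.
const sampleSource =
  'var qOGet = nInM["uEn6eJsEcEadpJeJ".replace(/[J68Ed]/g, new String)];';

// Stand-alone run: the resolved lookup and plain unescape decode identically,
// which is why the Malzilla workaround above does not change the result.
const viaLookup = decodeChunks(sampleChunks, lookupDecoder(sandboxGlobals));
const viaUnescape = decodeChunks(sampleChunks, unescape);
console.log(viaLookup, viaLookup === viaUnescape);
console.log(resolveJunkIdioms(sampleSource));
```

The static pass is the part worth keeping in an analyst's toolbox: it resolves the hidden function names from the source text alone, so you can see what a sample is about to call (here `unescape`) before deciding whether to step through it in a debugger at all.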
Title: Re: Shaman's Dream
Post by: BADMAN on January 03, 2010, 07:51:30 pm
THNX!
Title: Re: Shaman's Dream
Post by: SysAdMini on January 04, 2010, 10:36:13 pm
Unmasking the Dreaming Shaman - the Shamans Dream exploit kit
http://perpetualhorizon.blogspot.com/2010/01/unmasking-dreaming-shaman-shamans-dream.html