MalZilla
denmilu:
Hi MysteryFCM,
I think I need your help again. I have two files containing encrypted content, but this encryption is not similar to any script I have seen, so can you show me how to decode them? And do you have any instructions if I use Firebug in this case?
I have attached the 2 files below and am waiting for your answer.
Thanks
MysteryFCM:
The first is a standard Gumblar script and decodes just fine without modification, in Malzilla.
The second requires you modify the script a bit, so the div becomes a var (using the id= as the var name). In this case;
--- Code: ---<div style="display:none" id="aots2010">60,105,102,114,97,109,101,32,115,114,99,61,34,104,116,116,112,58,47,47,119,119,119,46,106,112,99,101,114,116,46,111,114,46,106,112,34,32,115,116,121,108,101,61,34,100,105,115,112,108,97,121,58,110,111,110,101,59,34,32,119,105,100,116,104,61,34,48,34,32,104,101,105,103,104,116,61,34,48,34,62,60,47,105,102,114,97,109,101,62</div>
--- End code ---
Becomes;
--- Code: ---var aots2010 = "60,105,102,114,97,109,101,32,115,114,99,61,34,104,116,116,112,58,47,47,119,119,119,46,106,112,99,101,114,116,46,111,114,46,106,112,34,32,115,116,121,108,101,61,34,100,105,115,112,108,97,121,58,110,111,110,101,59,34,32,119,105,100,116,104,61,34,48,34,32,104,101,105,103,104,116,61,34,48,34,62,60,47,105,102,114,97,109,101,62";
--- End code ---
You then just make the necessary removal in the unescape string;
--- Code: ---var%20ww%20%3D%20document.getElementById%28%22aots2010%22%29.innerHTML
--- End code ---
Becomes;
--- Code: ---var%20ww%20%3D%20aots2010
--- End code ---
I don't use Firebug I'm afraid, so can't help with that one.
MysteryFCM:
I forgot to mention btw, the decoded result would be;
--- Code: ---var ww = aots2010;var xx = ww.split(",");for (i=0; i<xx.length; i++){yy = String.fromCharCode(xx[i]);document.write(yy);}
--- End code ---
You'd then need to throw this together with the first, so it becomes;
--- Code: ---var aots2010 = "60,105,102,114,97,109,101,32,115,114,99,61,34,104,116,116,112,58,47,47,119,119,119,46,106,112,99,101,114,116,46,111,114,46,106,112,34,32,115,116,121,108,101,61,34,100,105,115,112,108,97,121,58,110,111,110,101,59,34,32,119,105,100,116,104,61,34,48,34,32,104,101,105,103,104,116,61,34,48,34,62,60,47,105,102,114,97,109,101,62";
var c = unescape('var%20ww%20%3D%20aots2010%3Bvar%20xx%20%3D%20ww.split%28%22%2C%22%29%3Bfor%20%28i%3D0%3B%20i%3Cxx.length%3B%20i++%29%7Byy%20%3D%20String.fromCharCode%28xx%5Bi%5D%29%3Bdocument.write%28yy%29%3B%7D');eval(c);
var ww = aots2010;var xx = ww.split(",");for (i=0; i<xx.length; i++){yy = String.fromCharCode(xx[i]);document.write(yy);}
--- End code ---
Which decodes to;
--- Code: ---var ww = aots2010;var xx = ww.split(",");for (i=0; i<xx.length; i++){yy = String.fromCharCode(xx[i]);document.write(yy);}<iframe src="http://www.jpcert.or.jp" style="display:none;" width="0" height="0"></iframe>
--- End code ---
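A static decoder for the two-layer construction MysteryFCM walks through above (a hidden div of comma-separated char codes, read by an unescape()/eval() loader), as an added example that is not from the original thread and is not Malzilla's own code. The sample HTML is constructed from the fragments quoted in the thread, and the function names are the example's own; it decodes both layers without eval or a browser.

```python
import re

# Constructed sample (not from the original thread's attachments) with the same
# structure: a hidden <div> of comma-separated decimal char codes, read by an
# unescape()/eval() loader through document.getElementById().innerHTML.
SAMPLE_HTML = (
    '<div style="display:none" id="aots2010">'
    '60,105,102,114,97,109,101,32,115,114,99,61,34,104,116,116,112,58,47,47,'
    '119,119,119,46,106,112,99,101,114,116,46,111,114,46,106,112,34,32,115,116,'
    '121,108,101,61,34,100,105,115,112,108,97,121,58,110,111,110,101,59,34,32,'
    '119,105,100,116,104,61,34,48,34,32,104,101,105,103,104,116,61,34,48,34,62,'
    '60,47,105,102,114,97,109,101,62</div>\n'
    "<script>var c = unescape('var%20ww%20%3D%20document.getElementById%28%22"
    "aots2010%22%29.innerHTML%3Bvar%20xx%20%3D%20ww.split%28%22%2C%22%29%3B"
    "for%20%28i%3D0%3B%20i%3Cxx.length%3B%20i++%29%7Byy%20%3D%20String."
    "fromCharCode%28xx%5Bi%5D%29%3Bdocument.write%28yy%29%3B%7D');eval(c);</script>"
)

DIV_RE = re.compile(r'<div[^>]*\bid="([^"]+)"[^>]*>([\d,\s]+)</div>', re.I)
LOADER_RE = re.compile(r"unescape\('([^']+)'\)")
GETBYID_RE = re.compile(r'document\.getElementById\("([^"]+)"\)\.innerHTML')

def js_unescape(s):
    """Mirror JavaScript unescape(): decode %XX and %uXXXX, leave the rest alone."""
    return re.sub(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})",
                  lambda m: chr(int(m.group(1) or m.group(2), 16)), s)

def decode_loader(html):
    """First layer: the loader script as eval() would see it, without running it."""
    m = LOADER_RE.search(html)
    return js_unescape(m.group(1)) if m else None

def decode_charcodes(html):
    """Second layer: decode each hidden div the loader references.
    Returns {div_id: decoded_text}; if no loader is found, decodes every div."""
    loader = decode_loader(html) or ""
    wanted = set(GETBYID_RE.findall(loader))
    out = {}
    for div_id, body in DIV_RE.findall(html):
        if wanted and div_id not in wanted:
            continue
        codes = [int(x) for x in body.split(",") if x.strip()]
        out[div_id] = "".join(chr(c) for c in codes)
    return out

def payload_urls(html):
    """What the decoded markup would load: src= values an analyst should record."""
    decoded = "".join(decode_charcodes(html).values())
    return re.findall(r'src="([^"]+)"', decoded, re.I)
```

Running decode_charcodes(SAMPLE_HTML) yields the same hidden iframe as the Malzilla output shown above, and payload_urls() lists the address it points at so it can be checked against a blocklist or sandboxed separately.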
denmilu:
Hi MysteryFCM,
Thanks for all of your help. I have completed my lecture, and I think it was a successful lecture. Personally, I have learnt more about malware analysis, and that will help me more in my work.
:D
Best Regards,
Den.
MysteryFCM:
My pleasure :)