
We reveal javascript encrypted exploits, malicious iframe - Malzilla Russian manual

Being interested in information security, I often deal with infected sites containing frames for exploits, encrypted JavaScript, convoluted redirects and so on. To make this work easier, I use the open source program Malzilla. Unfortunately, there is very little information about this tool on the Russian-language Internet, so I want to translate the official manual for it. There are six parts in total; below is the translation of the first one.



Part 1



Let's take a look at the following picture:

This is the content of a page whose link was sent to me in spam.
To get direct links to the malware, we will deal with the JavaScript function unescape(). This is not a problem at all; the only nuance is that not all of the data passed to this function is meant to be processed by it. Since we are going to handle this ourselves, we need to take care of which part should be skipped and which should not.
Click the "Send script to Decoder" button, then in the now active Decode tab click "Run script":


In the bottom panel we can see the result - VBScript is used to download malicious files.
In the following example, we are dealing with a script that writes data directly to a binary file, bypassing the download.


Since it is written in VBScript, SpiderMonkey is not able to interpret it, so we will use other Malzilla functions.
First you need to copy the source code of the script into the "Misc Decoders" tab:


If you look at the first image of the current example, you will notice that the MZ signature is written to the file in the first step and all the remaining data in the second. We will do both operations in a single step. In the previous screenshot, I added \u4D5A to the beginning of the code, which is the word MZ in ASCII encoding. Now you need to set "Override default delimiter" to \u, since the next function expects %u by default, not \u.
After clicking the "UCS2 To Hex" button, we get the following result:


Now click "Hex To File" and save the result to our hard disk.
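As an added example (not code from the manual or from Malzilla), here is a small Python decoder that reproduces the "UCS2 To Hex" and "Hex To File" steps above with a configurable delimiter, like Malzilla's "Override default delimiter" option. The byte order inside each unit is a parameter because unescape()'d shellcode lies little-endian in process memory, while the manual's \u4D5A prefix is meant to read back as MZ directly; the function names and the sample string are my own assumptions.

```python
import re

def ucs2_to_bytes(text: str, delimiter: str = "%", swap: bool = True) -> bytes:
    """Turn a run of <delim>uXXXX (and <delim>XX) escapes into raw bytes.

    swap=True  -> each 16-bit unit is emitted little-endian, the order
                  unescape()'d shellcode has in memory (%u5A4D -> b"MZ").
    swap=False -> hex digits are kept in written order, so the manual's
                  \\u4D5A prefix yields b"MZ".
    Whitespace between escapes is ignored; any other stray data raises,
    because silently skipping it would corrupt the reconstructed file.
    """
    d = re.escape(delimiter)
    unit = re.compile(rf"\s*(?:{d}u([0-9A-Fa-f]{{4}})|{d}([0-9A-Fa-f]{{2}}))")
    out = bytearray()
    pos = 0
    while pos < len(text):
        m = unit.match(text, pos)
        if m is None:
            if text[pos:].strip() == "":
                break  # only trailing whitespace left
            raise ValueError(f"unexpected data at offset {pos}: {text[pos:pos + 8]!r}")
        if m.group(1) is not None:
            out += int(m.group(1), 16).to_bytes(2, "little" if swap else "big")
        else:
            out.append(int(m.group(2), 16))
        pos = m.end()
    return bytes(out)


def looks_like_pe(data: bytes) -> bool:
    """The MZ signature the manual prepends marks a DOS/PE executable header."""
    return data[:2] == b"MZ"


def hex_to_file(data: bytes, path: str) -> int:
    """Equivalent of the 'Hex To File' button: write the bytes, return the size."""
    with open(path, "wb") as fh:
        return fh.write(data)


if __name__ == "__main__":
    # Constructed sample: the manual's \u4D5A prefix followed by made-up units.
    sample = "\\u4D5A\\u9000\n\\u0300\\u0000\\u0400"
    blob = ucs2_to_bytes(sample, delimiter="\\", swap=False)
    print(looks_like_pe(blob), blob.hex())
```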
The result of checking the file on VirusTotal.com:


The following example uses more complex transformations and math functions to decrypt data.
The eval() function is used to execute the result of the decryption, which is itself a script:





We will change eval() to the document.write() function in order to see the source code of the script instead of executing it. The result will be VBScript:


As you can see, we have a sequence of UNICODE codes that need to be converted.
Let's copy this code to the "Misc Decoders" tab and use the Decode UCS2 function:





The result of the conversion will be the shellcode, and we also see the download address of the malicious file.

The following example is a bit more complicated than the previous ones.
Here we are dealing with a script known as dF (named after the variable name commonly used in this script; in our example it has been changed to zX):


After clicking Send Script To Decoder and executing the script, we will see the following:


Only the first part of the script is decrypted (highlighted in the screenshot). Now select the decrypted script (without the <script> tags):



And paste it into the original script, over the part that has just been decrypted:



Run the whole script again and take a look at the result:


Clear the entire top tab with the original script and paste the resulting code there:



Again press Run Script:


Scrolling down a bit we will see the familiar UNICODE characters:


We decipher them as shown in the previous example:


As a result, we have another shellcode with a direct link to the malware.

Finally, another use case:



Deciphering such code manually would take a lot of time and effort. In Malzilla, you can simply click Send Script To Decoder to send the script to the Decode tab, execute it, and get the result:


The URL in the screenshot is nothing more than a direct link to the infected file!

Source: https://habr.com/ru/post/73476/
