HackDig : Dig high-quality web security articles for hacker

Deobfuscating PHPJiami

I was sent a PHP script that was protected by PHPJiami which you can find here. PHPJiami is a decent PHP obfuscator that appears to be able to bypass several online deobfuscators. Here’s what the script looks like: When you run it, you can see what the protected script does. At the top there’s a comments section. Let me change the uppercase
Publish At:2017-10-31 23:00 | Read:1958 | Comments:0 | Tags:Malscript deobfuscation php phpjiami

Static vs Dynamic Analysis and the Amusing Outcome

It all started with a malicious RTF document attached to an email and a request from reader Chris (thanks for your request and help!) to locate the embedded SWF object since it was believed to contain a hidden PE file. The RTF document contained a 2012 exploit which is described here. The difference between the two documents is that this one contained a SWF
Publish At:2017-02-28 04:20 | Read:3713 | Comments:0 | Tags:Malicious Email Malscript flash exploit malware rtf shellcod

Deobfuscating the Nemucod Downloader Script

Matt Decker from hybrid-cloudblog.com sent me this script he received via email and asked for help deobfuscating this so here we go… Here’s the WSF file he sent me: About half-way down the script, I come across this. Two variables should have caught your eye. Doing a search for the first variable name, I end up at the variable “vistaR
Publish At:2016-10-22 19:50 | Read:3986 | Comments:0 | Tags:Malscript Tools difference calculator javascript deobfuscati

Deobfuscating a Malicious PHP Downloader

A PHP script was sent to me by reader Nuno who got this from a hacked Joomla website and wanted to know what this was. He said this script was prepended to several legitimate PHP files. Looking into this a bit, I found that this is related to WordPress hacks via MailPoet back in 2014 according to Sucuri (here and here). The original script from 2014 is pre
Publish At:2016-10-16 09:40 | Read:3217 | Comments:0 | Tags:Malscript joomla mailpoet obfuscated php wordpress

Javascript Leads to Browser Hijacking

I came across this nasty-looking script that hijacks your browser. It appears to have been around in some shape or form since 2014 but this latest version deploys an aggressive tactic I’ve not seen before. Here’s what this script looks like: The script is composed of variables and functions but finding the beginning and ending of one is made d
Publish At:2016-10-08 18:35 | Read:3377 | Comments:0 | Tags:Malscript browser hijacking hhtxnet.com javascript wmi

Locky JS and URL Revealer

From various reports, it appears that the malicious Javascript files sent via email that pull Locky down are back. Let’s see what these scripts look like: At the bottom of the script is this function that reverses the string above, joins the characters, then evaluates it: eval(aBN3DmdER7P.split('').reverse().join('')); Since we’re deal
Publish At:2016-06-23 09:05 | Read:3726 | Comments:0 | Tags:Malicious Email Malscript Tools downloader javascript locky

Deobfuscating a Hideous-Looking JS Downloader

One of my readers, Stefano from zanna.it (thanks!), sent me this little gem: In the midst of seemingly random strings, there are clues to its structure but there’s very little to go on. I started off by grabbing a portion of the script and having it show me what the variable contains. The string of gibberish is lined up in an array but only the last
Publish At:2016-02-22 12:55 | Read:3522 | Comments:0 | Tags:Malicious Email Malscript javascript deobfuscation javascrip

Script Deobfuscator Released

The purpose of this tool is to help you perform static analysis on obfuscated scripts. It’s often easier to dynamically analyze scripts but there are times when you just don’t know where to start or you just want a high-level view of what’s going on with the script. This tool may be able to help you. I already wrote a tool called PHP Scr
Publish At:2016-02-15 18:05 | Read:2984 | Comments:0 | Tags:Malscript Tools deobfuscation javascript php script deobfusc

Deobfuscating Magento Guruincsite Javascript

I saw this blog post by the super talented guys over at Sucuri and thought that it was just another URL redirection script hiding behind escaped characters, but it turned out to be better than that. Here’s what the script looks like in its original form: When you unescape it, it looks like this. Notice that there are two sections. The self-execut
Publish At:2015-10-22 01:55 | Read:2888 | Comments:0 | Tags:Malscript Tools converter javascript deobfuscation magento

New Javascript Deobfuscator Tool

This particular spam page redirect was brought to my attention by a colleague because it was getting past the web filters using Javascript obfuscation. In one version, the landing page uses a meta refresh tag. I guess it was getting caught too easily so they upped their game and are now using several layers of Javascript obfuscation. It starts off with spa
Publish At:2015-10-17 13:55 | Read:5149 | Comments:0 | Tags:Malscript Tools javascript deobfuscation revelo

Webshell with a Booby Trap

I came across three interesting PHP scripts that were presumably dropped by the same attacker. Perhaps this is old news but it’s something new to me. Here’s the first one which looks innocent enough. However, if you put in the wrong password, you can end up at a malicious or phishing page. hxxp://d.pxer.tk/i.php hxxp://a6shd.realshieldlinked.c
Publish At:2015-07-25 09:15 | Read:2544 | Comments:0 | Tags:Malscript backdoors php scripts webshells

Malicious Word Macro Caught Using Sneaky Trick

There has been a slew of malicious Word documents attached to email purporting to be invoices, receipts, etc. This particular one caught my eye but I’m not sure if this is an old trick. I just haven’t seen this method used before and thought it was quite clever. Here’s the email that had a zipped file attached. The zipped file contained
Publish At:2015-03-07 07:00 | Read:2647 | Comments:0 | Tags:Malicious Email Malscript email invoice macro malware vba vb

Deobfuscating a Wicked-Looking Script

Bart Blaze, one of my security researcher friends, passed along this PHP script to me. Let’s have a look. It looks like PHP ate some Perl and barfed it out. The first thing I asked myself is, “does this even run?” It looks like a mess but it actually runs just fine. This script makes clever use of bitwise operators. For example… $Yzu
Publish At:2015-03-04 15:05 | Read:2711 | Comments:0 | Tags:Malscript backdoor deobfuscation php obfuscation

Registry Dumper – Find and Dump Hidden Registry Keys

The cybercriminals behind Poweliks implemented two clever techniques in their malware. The first was leveraging rundll32.dll to execute Javascript and the second was using a method to hide/protect their registry keys. I’ll be focusing on the second method. The technique of hiding/protecting registry keys using a non-ASCII character goes all the way b
Publish At:2014-12-06 23:50 | Read:3471 | Comments:0 | Tags:Malscript Tools poweliks regdumper regedit registry

Drupal 7 SQL Injection Info

There are a lot of sites covering this vulnerability, but I wanted to document some indicators for anyone who might need it. Resources: Drupal Security Advisory, Drupal Public Service Announcement, Drupal Documentation on “Your Drupal Site Got Hacked. Now What?”, Drupal Site Audit, Volexity Blog, Sucuri Blog. What follows is a brief walk-through of ev
Publish At:2014-11-03 05:30 | Read:3155 | Comments:0 | Tags:Malscript backdoor cve-2014-3704 drupal php
