Posts

DTLMiner

Here is the timeline of DTLMiner. I work for Rising Antivirus and am monitoring this malware. For more details please refer to the links at the end of this blog.


2019.12.30
- Update 3rd-stage script: try to modify DNS settings

2019.12.28
- Fix abnormal domain
- Add script for modifying the created scheduled tasks that use the abnormal domain

2019.12.25
- Add hash check for the Nvidia graphics card mining module, wfreerdp and mimikatz
- Update miner
- Optimize code
- Remove registry changes of RDP
- Enlarge weak password dictionary

2019.12.23
- Try to disable real-time protection of Windows Defender once lateral movement succeeds on the target computer
- RDP brute module rolled back to the old version, which uses wfreerdp to brute-force and execute commands

2019.12.17
- Update 3rd-stage script: download a special version of the XMRig miner when an AMD or Nvidia graphics card is found

2019.12.15
- Update domain for downloading other modules

2019.12.13
- Stop downloading the OpenCL module and the miner for Nvidia graphics cards on 64-bit systems, and try to rename them if already downloaded

2…

Obfuscated JavaScript

[Imported From X-Sec Blog, just for backup]

Recently we got a JavaScript file with heavily obfuscated code. Let's try to de-obfuscate it and find out what it does!


As you can see, the original file has only one line (excluding the comment line), and that line is obfuscated, so the first step is simply to format the code.


After formatting, we noticed this notification from Visual Studio Code:


And in the code we care about, there are lots of unused parameters in the function calls:


But we found one function whose parameter is actually used:


r = 2183, so r - 2183 + 2 = 2, and n[2] = e.

In fact, this function simply returns the parameter we pass to it; every other argument at the call site is junk.

We also found a function called "hpd" which is never called.

So, after removing these obfuscations, we get the following code (only the main part is shown):


Looks much better.
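The two patterns described above (an "identity" helper buried under junk arguments and constant arithmetic, and a helper that is defined but never called) are easy to undo mechanically once you recognise them. The following is an added example, not code from the original post or from the sample it analyses: the obfuscated source, the helper names (junkWrap, hpd) and the cleanup functions are all constructed for illustration. The regex-based passes only handle call sites whose arguments are plain literals, which is all this constructed sample contains; for nested calls or expressions you would rewrite on a parsed AST instead.

```javascript
// Added example (hypothetical names and constructed input, not the original malware).

// 1. The "identity" helper from the post, reconstructed: n aliases the
//    argument list, and since every call site passes r = 2183,
//    n[r - 2183 + 2] is n[2], i.e. the third argument e.
function junkWrap(t, r, e, o, i) {
  var n = arguments;
  return n[r - 2183 + 2];
}

// 2. A helper that is declared but never called (like "hpd" in the post).
function hpd(a, b) {
  return a + b;
}

// Constructed obfuscated source text to clean up (same patterns as above).
const SAMPLE = [
  'function junkWrap(t, r, e, o, i) { var n = arguments; return n[r - 2183 + 2]; }',
  'function hpd(a, b) { return a + b; }',
  'var u = junkWrap(17, 2183, "WScript.Shell", 5, 0);',
  'var c = junkWrap(3, 2183, "cmd /c whoami", 9, 1);',
].join('\n');

// Rewrite junkWrap(<junk>, r, <value>, <junk>, <junk>) as <value>, but only
// when the constant arithmetic really selects index 2 (i.e. r = 2183).
function simplifyJunkCalls(src) {
  const call =
    /junkWrap\(\s*[^,()]+,\s*(\d+),\s*("(?:[^"\\]|\\.)*"|[^,()]+),\s*[^,()]+,\s*[^,()]+\s*\)/g;
  return src.replace(call, (whole, r, e) =>
    Number(r) - 2183 + 2 === 2 ? e : whole
  );
}

// Drop function declarations whose name appears nowhere except in the
// declaration itself. Only handles bodies without nested braces.
function dropUncalledFunctions(src) {
  const decl = /function\s+(\w+)\s*\([^)]*\)\s*\{[^{}]*\}\s*/g;
  return src.replace(decl, (whole, name) => {
    const refs = src.match(new RegExp('\\b' + name + '\\b', 'g')).length;
    return refs > 1 ? whole : '';
  });
}

// Inline the identity calls first; junkWrap then has no callers left and is
// removed by the same dead-function pass that removes hpd.
function deobfuscate(src) {
  return dropUncalledFunctions(simplifyJunkCalls(src));
}

console.log(deobfuscate(SAMPLE));
```

Running it prints the two assignments with their string literals inlined and both helper functions gone, which is the shape of the cleaned-up code the post shows.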

But, as in the second image, we still need to find out which string each remaining function returns, so it's time to use Internet Explorer ;-)

After function resolve and …