I was asked to look at firnop.cn (IP: 18.104.22.168, PTR: B088.com) by Connie yesterday, due to it's containing some rather suspicious code. I was not to be disappointed.
As I told Connie, this one only allows access once per IP, after that, you get a lovely little 404. I thought this was only going to be a once per day job, but alas no, this is the second day and I still can't access the original code there now. Fear not, your clever blogger saved a copy of the original vURL result;
vURL Online - Results for firnop.cn
This shows some rather obscure code hidden once again in a form field, this time rosorur, which is then loaded dynamically courtesy of document.getElementById('rosorur').value. To decode this, we'll need two things;
1. Malzilla (malzilla.sourceforge.net)
Malzilla is my favourite tool for decoding obfuscased or encoded scripts, and has been since it's inception. If you're not using it already, and are working with malicious sites, give it a try.
2. Small change to the original code
The small change we need to make is to ditch the HTML, and move the content of the rosorur text box, to it's own variable. Once we've done this, we can simply change;
If we now run this through Malzilla, we're given the following results. The CLSID used in the code, is for the MSXML 4.0 component.
Unfortunately, the only ones I could actually download, were f=pdf and f=vispdf, so lets analyze those shall we? First of all, we need to uncompress them. For this we'll use pdftk.
If we then have Malzilla decode this, we're given yet another encoded script, that this time will need handled a little differently;
If we try having Malzilla actually decode this, Malzilla will freeze and crash, so instead, we'll have it convert the string to Hex, then save that. This gives us a new .bin file containing a hex dump. Loading this in Malzilla and using it's Shellcode Analyzer shows:
This shows us the executable coming from;
Detection sadly, is rubbish;
Sandbox report will be added once it's finished (tried Anubis but for some reason, it failed with an "XML could not be found" error)
Sadly, the sandboxes still haven't gotten back to me (submitted to Anubis and MS's sandboxes). However, I've just noticed on Honeyblogs feed that CWSandbox has this one (or a variant of it atleast as it's network activity shows firnop.cn), so that'll have to do;