Let's take a look at the following picture.
It shows the content served by a link I received in an eCard spam mail.
That is not a big deal, but not all of the data passed to the unescape function actually needs to be unescaped,
so if we were doing it by hand we would have to keep track of which parts need unescaping and
which parts must remain as they are.
Clicking Send script to Decoder and then Run script on the Decoder tab gives the following result:
In the lower box of the Decoder tab you can see the result: a VBScript used to download and run the malicious file.
In the next example we are dealing with a script that writes directly to a binary file, with no downloading.
As the script is written in VBScript, which cannot be interpreted by the SpiderMonkey engine, we will use some of Malzilla's other functions.
First, we copy the data from the script to the box on the Misc Decoders tab:
If you take a look at the first picture of this example, you can see that the MZ signature is written to the file in one step, and the rest of the data in a second step.
We will do it in a single step. In the previous picture I have added \u4D5A at the beginning of the data sequence; 4D 5A are the ASCII codes of the letters MZ.
Don't be fooled by the \u marks in the sequence: this data has nothing to do with Unicode, as it is not text but raw bytes that will be written to an EXE file.
Now we need to enter \u in the Override default delimiter box, as the function we use next expects the delimiter to be %u rather than \u.
After clicking the UCS2 To Hex button, we have the following:
Now we click Hex To File and save the result as a binary file on disk.
Checking the resulting file on Virustotal.com reveals the following:
The next example uses more complicated transformations and mathematical functions to decode the data.
The eval() function is used to run the decoded data, as the result of decoding is itself a script:
We will change eval() to document.write() (no longer needed in Malzilla 0.9.2, where eval() is intercepted automatically), as we actually want to see the script, not run it.
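As an added illustration (not code from the original post, and not Malzilla's own implementation), here is how the eval() interception described above can be done in a few lines of Node.js. The hook records every string handed to eval() and to document.write() instead of executing it, then runs each recorded string under the same hooks, so a script that hides another eval() inside its decoded output is peeled layer by layer in one run. The sample script, and the names INNER_PAYLOAD, OUTER_SCRIPT and captureLayers, are constructed for this example.

```javascript
// Added example: capture what obfuscated JavaScript passes to eval() / document.write()
// instead of running it. Not Malzilla code; the sample below is constructed.

// Constructed sample: the inner payload is hex-encoded at runtime so the outer
// script stays readable. Real samples arrive already encoded.
const INNER_PAYLOAD = 'document.write(unescape("%u4D5A%u9000"));';
const toHex = (s) =>
  Array.from(s, (ch) => ch.charCodeAt(0).toString(16).padStart(2, "0")).join("");
const OUTER_SCRIPT =
  `var h = "${toHex(INNER_PAYLOAD)}"; var s = "";` +
  `for (var i = 0; i < h.length; i += 2) { s += String.fromCharCode(parseInt(h.substr(i, 2), 16)); }` +
  `eval(s);`;
// A second wrapper around the first, to show that nested layers are peeled too.
const DOUBLE_WRAPPED = "eval(" + JSON.stringify(OUTER_SCRIPT) + ");";

// Run `script` with eval() and document.write() replaced by recorders.
// Every string passed to eval() is stored (outermost first) and then executed under
// the same hooks, so each further layer is recorded as well, up to maxDepth.
function captureLayers(script, maxDepth = 10) {
  const layers = [];   // strings handed to eval()
  const written = [];  // strings handed to document.write()
  const errors = [];   // exceptions raised inside a layer (recorded, not fatal)
  const savedEval = globalThis.eval;
  const hadDocument = Object.prototype.hasOwnProperty.call(globalThis, "document");
  const savedDocument = globalThis.document;

  const hookedEval = (code) => {
    if (typeof code !== "string") return code; // eval(non-string) returns its argument
    layers.push(code);
    if (layers.length > maxDepth) throw new Error("too many eval() layers");
    try {
      new Function(code)(); // inside, eval/document resolve to our hooks via globalThis
    } catch (e) {
      errors.push(`layer ${layers.length}: ${e.message}`);
    }
    return undefined;
  };

  globalThis.eval = hookedEval;
  globalThis.document = { write: (s) => { written.push(String(s)); } };
  try {
    new Function(script)();
  } catch (e) {
    errors.push(`top level: ${e.message}`);
  } finally {
    globalThis.eval = savedEval;
    if (hadDocument) globalThis.document = savedDocument;
    else delete globalThis.document;
  }
  return { layers, written, errors };
}

// Usage: print each decoded layer and whatever the final layer tried to write.
const result = captureLayers(DOUBLE_WRAPPED);
result.layers.forEach((l, i) => console.log(`layer ${i + 1}: ${l}`));
result.written.forEach((w) => console.log("document.write ->", JSON.stringify(w)));
```

Because the recorded layer is executed under the same hooks rather than by the real eval(), the decoder never has to be re-run by hand when the output is itself another script; the last layer is the one that only writes (here, a two-code-unit string starting with U+4D5A).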
The result of running the script is a VBScript:
As you can see, we have a sequence of Unicode codes that needs to be unescaped.
We copy and paste the sequence into the box on the Misc Decoders tab and use Decode UCS2 to see what is hiding there:
The result of unescaping is a shellcode, and the download address of the malware file is visible.
The shellcode looks broken because I didn't bother to remove the quotation and addition marks before clicking Decode UCS2.
As all I want is the link, I do not care about the shellcode.
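For the two decoding steps above (the \u sequence written to an EXE in the VBScript example, and the %u shellcode here), the following Node.js code is an added example, not Malzilla's implementation and not from the original post. It does what Override default delimiter, UCS2 To Hex and Hex To File do: strip the quotation marks and plus signs that concatenation leaves between groups, collect the four-digit groups after the chosen delimiter, and turn them into bytes. The two samples and the names ucs2ToBytes, looksLikeMZ and extractUrls are constructed for this example.

```javascript
// Added example (not Malzilla code): decode %uXXXX / \uXXXX sequences into raw bytes.

// Remove the quotation marks, plus signs and whitespace that string concatenation leaves
// between groups, then collect every 4-hex-digit group that follows the delimiter.
function ucs2Groups(text, delimiter = "%u") {
  const cleaned = text.replace(/["'+\s]/g, "");
  const escaped = delimiter.replace(/[\\^$.*+?()[\]{}|]/g, "\\$&"); // delimiter as regex literal
  const re = new RegExp(escaped + "([0-9A-Fa-f]{4})", "g");
  const groups = [];
  let m;
  while ((m = re.exec(cleaned)) !== null) groups.push(parseInt(m[1], 16));
  return groups;
}

// Convert groups to bytes. "as-written" emits the digits in the order they appear
// (%u4D5A -> 4D 5A, which gives the MZ header of the VBScript example); "little" swaps
// each pair (%u4D5A -> 5A 4D), the in-memory layout of a UTF-16 code unit and therefore
// what unescape()-based shellcode carries. Which order a sample uses is for the analyst
// to decide; the default here is an assumption taken from the MZ example.
function ucs2ToBytes(text, { delimiter = "%u", order = "as-written" } = {}) {
  const groups = ucs2Groups(text, delimiter);
  const buf = Buffer.alloc(groups.length * 2);
  groups.forEach((g, i) => {
    if (order === "little") buf.writeUInt16LE(g, i * 2);
    else buf.writeUInt16BE(g, i * 2);
  });
  return buf;
}

const toHexDump = (buf) => buf.toString("hex").toUpperCase();

// Two checks worth running before the file is saved or submitted anywhere:
// does it start with an MZ header, and does the decoded data carry a plaintext URL?
function looksLikeMZ(buf) {
  return buf.length >= 2 && buf[0] === 0x4d && buf[1] === 0x5a;
}
function extractUrls(buf) {
  return buf.toString("latin1").match(/https?:\/\/[\x21-\x7e]+/gi) || [];
}

// Constructed sample: the \u form of the VBScript example, with the concatenation
// noise that made the shellcode output look broken.
const SAMPLE = '"\\u4D5A\\u9000" + "\\u0300\\u0000"';
// Constructed sample in %u form: two filler groups, then "http://example.invalid/a.exe"
// encoded as-written for readability (a real unescape() sample would need order "little").
const SHELLCODE_SAMPLE =
  '"%u9090%u9090%u6874%u7470%u3A2F%u2F65%u7861%u6D70%u6C65' +
  '%u2E69%u6E76%u616C%u6964%u2F61%u2E65%u7865%u0000"';

// Usage
const exe = ucs2ToBytes(SAMPLE, { delimiter: "\\u" });
console.log(toHexDump(exe), "MZ header:", looksLikeMZ(exe));
const sc = ucs2ToBytes(SHELLCODE_SAMPLE);
console.log("URLs in decoded data:", extractUrls(sc));
```

To reproduce the Hex To File step, write the returned Buffer out with fs.writeFileSync(outPath, exe); the hex dump printed above is what the UCS2 To Hex box would show. The noise-stripping step is the difference between a clean decode and the "broken" shellcode mentioned above: every stray quotation mark or plus sign that is left in place shifts or drops a group.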
The next example is a bit more complicated than the previous ones.
It uses a script known as dF (named after the variable usually used in this script, which has been renamed zX in our sample):
After clicking Send Script To Decoder and running the script, we have the following:
As you can see, only the first part of the script is decoded (the selected text in the picture, highlighted just to show which part is decoded and which is not).
Now we select the decoded script (just the script, without the <script> tags):
and copy it over the part of the original that it decodes:
Now we run the whole script again. As can be seen in the next picture, the result is also a script:
Clear the upper box, then in the lower box select the script between the <script> tags and copy it to the upper box:
After running the script again, we have the following result:
Scrolling down a bit reveals a sequence of Unicode codes that needs to be unescaped:
Proceeding as in the previous example (copying the data to the Misc Decoders tab and using the Decode UCS2 button), we get the following:
As can be seen, it is another shellcode with a plaintext link to the malicious file.
And one more example of usage:
The transformations used for decoding would take a long time if someone tried to decode the data manually.
In Malzilla you just click Send Script To Decoder, then Run script on the Decoder tab, and you get the following:
The link you can see in the picture is a direct download link for the malicious file.
So, that was all for this time. More examples of Malzilla's usage will follow as soon as I get some time to write them.