Showing posts from October, 2015

Phishing and their "obfuscated" code

PLEASE DO NOT TRY THIS UNLESS YOU KNOW WHAT YOU ARE DOING.
JUST DON'T.
I usually receive a lot of phishing, and sometimes I get a mail with a zip file attached.
After running that zip through the antivirus, I opened it. I found these 2 files:


Now the .txt file tells you to double-click the .js, which is a WSH script and is what we are going to "reverse".

Ok, so this is the .js file.


Now it looks like a mess... or maybe not?
If you look closely you'll see something interesting:
there are 2 vars, one long one that looks like a key, then a longer one that looks like an encrypted message.
After that there is a for loop and what looks like a XOR operation:

Now the simplest cryptographic method is XOR, and at the start we have something that looks like a key; so let's clean the code!
To do that, I simply use the search and replace function in Notepad++ (most of the text editors have this function).
So we have our key and our encrypted data (enc_data), and then the loop code
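The safe way to finish this kind of analysis is to reproduce the loop offline instead of letting WSH run it. The following is an added example, not code from the post or from the phishing script: it takes a `key` string and an `enc_data` array of char codes (both constructed here, standing in for the two vars the post describes), applies the same repeating-key XOR the for loop does, and then checks whether the guessed key actually produced readable script text. That last check is what tells you whether the "long var at the start" really was the key.

```javascript
// Added example (not the blog's code): static decoder for the repeating-key
// XOR loop described in the post, so the script can be read without running it.

// Constructed sample standing in for the script's "key" and "enc_data" vars.
// The decoded text is a harmless one-liner chosen for the demonstration.
const SAMPLE_KEY = "k3y!";
const SAMPLE_ENC_DATA = [60, 96, 26, 83, 2, 67, 13, 15, 46, 80,
                         17, 78, 67, 17, 22, 74, 73, 26, 66];

// Same operation as the script's loop: byte i is XORed with key[i mod keyLen].
// Accepts either an array of char codes or a string (both forms show up in the wild).
function xorDecode(encData, key) {
  const out = [];
  for (let i = 0; i < encData.length; i++) {
    const c = typeof encData === "string" ? encData.charCodeAt(i) : encData[i];
    out.push(c ^ key.charCodeAt(i % key.length));
  }
  return String.fromCharCode(...out);
}

// A wrong key yields control characters and high bytes; real script text is
// printable ASCII plus tab/newline. Used to validate the key guess.
function isPrintable(text) {
  for (let i = 0; i < text.length; i++) {
    const c = text.charCodeAt(i);
    if (c === 9 || c === 10 || c === 13) continue;
    if (c < 32 || c > 126) return false;
  }
  return true;
}

// Decode with a candidate key and report whether the result is plausible.
function decodeAndCheck(encData, key) {
  const text = xorDecode(encData, key);
  return { text, plausible: isPrintable(text) };
}

// Stand-alone run: prints the decoded text, never evaluates it.
const result = decodeAndCheck(SAMPLE_ENC_DATA, SAMPLE_KEY);
console.log(result.plausible ? "decoded: " + result.text : "key guess looks wrong");
```

Because XOR is its own inverse, the same function also re-encodes, which is handy when you want to confirm the decoded script really was the input the loop produced. The important point is that the decoded string is only ever printed and read; nothing in the script is executed.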

As you can see…