JavaScript
KTG, 2017-01-19 11:54:54

How to understand what the virus is doing?

I received a file, *.hta
I opened it in Notepad and saw JavaScript mixed with strange characters. I would like to understand what is happening there.
I won't paste the whole file here. In pieces:
From the beginning of the file up to the declaration that there is JavaScript:

/// f704ecce194f6cb527d03d5e1b5afb55
/// c0e152f5981ee279b42280709df856d8
/// c0ef953b42bc38c9efc332460b81ef9f
/// c926477716063e4ba57bf3b3038d3f39
<HTA:APPLICATION WINDOWSTATE='minimize'/>
/// 66b7e256a46842a1dd28cf3194ef076f
/// f7bd2ccc1e9b20e81d6b17b1ae84654f
<script language="JScript">

Here something is declared ... there are many of them. Here is a piece of the script:
var _0x72a5=["\x32\x30\x32\x20\x38\x34\x30
eval(function(_0xe78dx1,_0xe78dx2,_0xe78dx3,_0xe78dx4,_0xe78dx5,_0xe78dx6){_0xe78dx5= function(_0xe78dx3){return _0xe78dx3};

Decoding this one, "f7bd2ccc1e9b20e81d6b17b1ae84654f", from base64 gives nothing.
It is not clear what kind of notation this is: _0xe78dx1
And what notation is this: "\x32\x30"?

3 answers
kpa6uu, 2017-01-19

This is simple code obfuscation. In most cases the malware decrypts itself before eval, and at that point, instead of executing the code, you can simply print it and analyze how it works from there.

GreatRash, 2017-01-19

Found malicious code, how to decrypt it?

Tom Nolane, 2017-01-19
Remove eval, paste the rest into the browser console (of the wrong browser... for example IE) and look.
Even better: replace eval with alert! And don't be afraid of anything.
Your piece of code is incomplete or something...
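Both answers above (print or alert the string instead of eval'ing it) come down to the same technique, and the question's "\x32\x30" is just ordinary JavaScript hex-escape notation. The following is an added example, not code from the question or from either answer: it works on a constructed sample written in the same style as the question's file (a `var _0x72a5=[...]` string table and an `eval(function(_0xe78dx1,...){...}(...))` self-decoding wrapper), decodes the hex escapes, and swaps `eval` for a function that records its argument so the wrapper hands over the real code instead of running it. The helper names, the sample payload and the hidden strings "WScript.Shell" and "cmd /c calc" are all made up for the example; the packer function still executes during the capture step, so run this kind of thing only in a throwaway VM.

```javascript
// Added example: deobfuscating a packed HTA/JScript payload without running it.
// Constructed sample and helper names; not the malware from the question.

// "\x32\x30" is plain JavaScript string notation: \xHH is the character with
// code 0xHH. The fragment from the question, "\x32\x30\x32\x20\x38\x34\x30",
// decodes to "202 840".
function decodeHexEscapes(text) {
  return text.replace(/\\x([0-9a-fA-F]{2})/g,
    (_m, hh) => String.fromCharCode(parseInt(hh, 16)));
}

// Find the obfuscated string table (var _0xNAME=["...","..."]) in the source
// and return its name plus the decoded strings.
function extractStringTable(src) {
  const m = /var\s+(_0x[0-9a-z]+)\s*=\s*\[([^\]]*)\]/i.exec(src);
  if (!m) return null;
  const values = [...m[2].matchAll(/"((?:\\.|[^"\\])*)"/g)]
    .map((lit) => decodeHexEscapes(lit[1]));
  return { name: m[1], values };
}

// The "replace eval with alert" trick, but keeping the result: every eval(
// becomes a push onto an array, and the rest of the script runs as-is.
// The packer (pure string replacement in this sample) runs; the payload does not.
// This still executes attacker-written code: use an isolated VM for real files.
function captureEval(src) {
  const captured = [];
  const patched = src.replace(/\beval\s*\(/g, "__captured.push(");
  new Function("__captured", patched)(captured);
  return captured;
}

// Tie it together and also resolve _0xNAME[i] lookups in the recovered code
// against the decoded table, which is usually where the real strings hide.
function deobfuscate(src) {
  const table = extractStringTable(src);
  const stages = captureEval(src);
  const resolved = stages.map((code) => table
    ? code.replace(new RegExp(table.name + "\\[(\\d+)\\]", "g"),
        (_m, i) => JSON.stringify(table.values[Number(i)]))
    : code);
  return { table, stages, resolved };
}

// Constructed sample in the style of the question's file (hypothetical):
// a hex-escaped string table plus a wrapper that rebuilds the real code from
// a template and a word list, then hands it to eval.
const SAMPLE = String.raw`
var _0x72a5=["\x57\x53\x63\x72\x69\x70\x74\x2e\x53\x68\x65\x6c\x6c","\x63\x6d\x64\x20\x2f\x63\x20\x63\x61\x6c\x63"];
eval(function(_0xe78dx1,_0xe78dx2){for(var _0xe78dx3=0;_0xe78dx3<_0xe78dx2.length;_0xe78dx3++){_0xe78dx1=_0xe78dx1.replace(new RegExp("@"+_0xe78dx3+"@","g"),_0xe78dx2[_0xe78dx3])}return _0xe78dx1}("@0@ @1@=@2@ @3@(@4@[0]);@1@.@5@(@4@[1]);",["var","sh","new","ActiveXObject","_0x72a5","Run"]));
`;

const result = deobfuscate(SAMPLE);
console.log("string table:", result.table.values);
console.log("code eval would have run:", result.stages[0]);
console.log("with strings resolved:  ", result.resolved[0]);
```

Real samples often chain several such layers, each `eval` producing the next; the captured array then holds one stage, and feeding the recovered code back through `deobfuscate` peels the next one. When the string table is built by another function rather than written as literals, decode that function's output in the same sandbox instead of parsing the source with a regex.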
