De-obfuscating Malware (Subtracting Hex)

Recently I came across some webpages that were referring to the Redkit malware.  The page that I was directed to contained some javascript like the following:


Then I noticed in the javascript that it was subtracting 5 from the hex values after the !40 was converted to a hex value.

So I built this quick python script to convert the hex to decimal subtract 5 and then back to hex. (I also noticed another webpage variation that would subtract 7)

#!/usr/bin/env python

ins = open("temp", "r")
array = []
for line in ins:
    print hex(int(line, 16) - 5)

Then I used the hex to ASCII converter to pull the websites out that I was interested in seeing that were being obfuscated.


Popular posts from this blog

Netflix Streaming Blocked by Sophos UTM

BSides 2016 Hackers Challenge

VBA - Script to Download a file from a URL

IoT Malware Analysis - CnC Server - Part 3

vulnhub - Pandora's Box by c0ne Level 1 - Following walkthrough by strata