String converter
A malware writer will often hide certain keywords from the browser/human by encoding them in another format. This is typically done with hex coding (\xZZ), 16-bit Unicode (\uZZZZ) and octal coding (\ZZZ). To test, enter a value and press the button, and it will convert the encoded string.
A few examples
The strings are encoded so that it is difficult to detect malicious-looking words. Here \ZZZ is an octal code for a character, \uZZZZ is a Unicode character and \xZZ is a hex coding of a character:
- \\137\\x6b\\u0065\\x79\\u0053\\u0074\\x72
- \\u005f\\u0075\\164\\146\\u0038\\137\\u0065\\u006e\\u0063\\x6f\\x64\\u0065
- \\u0065\\143\\157\\144\\145
- \\u0064\\145\\u0063\\157\\144\\u0065
These examples are taken from the following snippet of malware code [PCAP]:
var _={"\137\x6b\u0065\x79\u0053\u0074\x72":(function () { var pI="wxyz0123456789+/=",B="klmnopqrstuv",G="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefg",h="hij"; return G+h+B+pI })(),"\u005f\u0075\164\146\u0038\137\u0065\u006e\u0063\x6f\x64\u0065":function(zt){zt=zt[(String.fromCharCode(0x72,0x65,0x70,108,0141,99,101))](/\r\n/g,(function () { var DS="n",nl="\\"; return nl+DS })());var MF="";var w;for(w=('XROQtltRu'.length-9);w<zt[((function () { var u="h",W="gt",n="len"; return n+W+u })())];w++){var S=zt[((function () { var s="t",PX="rCodeA",fs="cha"; return fs+PX+s })())](w);if(S<('TCMQW'.length*('q'.length*023+3)+18)){MF+=String[(String.fromCharCode(102,114,111,0x6d,0x43,0150,0x61,114,0x43,0157,100,101))](S);}else if((S>('TFrd'.length*(3*8+6)+7))&&(S<(0x1*1774+274))){MF+=String[((function () { var sD="Code",U="r",T="fromCha"; return T+U+sD })())] "\u0064\u0065\143\157\144\145":function(zt) "\u0064\145\u0063\157\144\u0065"
Character arrays
Another little trick is to build strings from the hex/octal/decimal character codes, for example:
- var e=String.fromCharCode(0x53,0141,0x66,0x61,0x72,105); gives "Safari".
- var K=String.fromCharCode(0x4c,105,0x6e,117,120); gives "Linux".
- var J=String.fromCharCode(0101,110,0x64,114,111,105,100); gives "Android".
- var rM=String.fromCharCode(0127,0151,110,0x64,0x6f,0x77,0x73); gives "Windows".
- var v=String.fromCharCode(0116,101,0164,66,0x53,0104); gives "NetBSD".
- var x=String.fromCharCode(0x4f,112,0x65,0156,66,0x53,0104); gives "OpenBSD".
- var BK=String.fromCharCode(97,0162,109,108,0x65);
- var Ol=String.fromCharCode(0170,0x38,0x36);
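Both tricks above (escape-coded names and String.fromCharCode character arrays) can be undone statically, without running the sample. The following is an added example, not code from the original page or its converter tool; the function names decodeEscapes, parseNumericLiteral, resolveFromCharCode and deobfuscate are assumptions chosen for illustration, and the sample fragments are the ones quoted on this page.

```javascript
// Added example: static decoding only; the sample text is never evaluated.

// Decode \xZZ, \uZZZZ and legacy octal \ZZZ escapes found in JavaScript source.
// An escaped backslash (\\) is matched first so that "\\x41" is left untouched.
function decodeEscapes(src) {
  const re = /\\(?:\\|x([0-9a-fA-F]{2})|u([0-9a-fA-F]{4})|([0-3][0-7]{0,2}|[4-7][0-7]?))/g;
  return src.replace(re, (m, hex, uni, oct) => {
    if (hex || uni) return String.fromCharCode(parseInt(hex || uni, 16));
    if (oct) return String.fromCharCode(parseInt(oct, 8));
    return m; // escaped backslash: keep as written
  });
}

// Parse one numeric literal the way legacy (sloppy-mode) JavaScript reads it:
// 0x.. is hex, a leading 0 followed only by octal digits is octal, else decimal.
function parseNumericLiteral(tok) {
  const t = tok.trim();
  if (/^0[xX][0-9a-fA-F]+$/.test(t)) return parseInt(t.slice(2), 16);
  if (/^0[0-7]+$/.test(t)) return parseInt(t, 8);
  if (/^\d+$/.test(t)) return parseInt(t, 10);
  return null; // a variable or expression, not a plain literal
}

// Replace String.fromCharCode(<literals>) with the quoted string it builds.
// Calls whose arguments are not all plain literals are left unchanged.
function resolveFromCharCode(src) {
  return src.replace(/String\.fromCharCode\(([^()]*)\)/g, (m, args) => {
    const codes = args.split(",").map(parseNumericLiteral);
    return codes.includes(null) ? m : JSON.stringify(String.fromCharCode(...codes));
  });
}

function deobfuscate(src) {
  return resolveFromCharCode(decodeEscapes(src));
}

// Fragments quoted on this page (backslashes doubled only because they sit
// inside JavaScript string literals here).
const fragments = [
  "\\137\\x6b\\u0065\\x79\\u0053\\u0074\\x72",
  "\\u005f\\u0075\\164\\146\\u0038\\137\\u0065\\u006e\\u0063\\x6f\\x64\\u0065",
  "zt[(String.fromCharCode(0x72,0x65,0x70,108,0141,99,101))]",
  "var J=String.fromCharCode(0101,110,0x64,114,111,105,100);",
];
for (const f of fragments) console.log(f, "=>", deobfuscate(f));
```

The decoded names are useful as search terms when triaging similar scripts, since the plain keywords never appear in the obfuscated source.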