rot13 encoded body

To evade static analysis, the document body can be returned with each character rotated by a fixed amount; JavaScript in the response then decodes it and appends it to the DOM.

This helps defeat simple scanners which don't evaluate JavaScript.

Recent Detections


IOK Rule

title: rot13 encoded body
description: |
  To evade static analysis, the document body can be returned with each character rotated by
  some fixed amount in the response where JavaScript can decode it and append it to the DOM.

  This helps defeat simple scanners which don't evaluate JavaScript.

detection:
  characterRotation:
    html|contains: "String.fromCharCode(s.charCodeAt(i)-1)"

  condition: characterRotation

tags:
  - anti-analysis
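
An added example, not part of the IOK rule or the original page: a Node.js static check that applies the rule's literal match and then undoes the rotation on string literals, so the hidden markup can be inspected without executing the page's JavaScript. The rule as written matches only a shift of 1 with the identifiers `s` and `i`; the generalised regex, the sample page and all function names here are assumptions constructed for illustration.

```javascript
// Literal string the IOK rule above looks for in the HTML.
const RULE_LITERAL = "String.fromCharCode(s.charCodeAt(i)-1)";

// Assumption (not in the rule): same decoder shape, any identifiers, any shift.
const DECODER_RE =
  /String\.fromCharCode\(\s*\w+\.charCodeAt\(\s*\w+\s*\)\s*([-+])\s*(\d+)\s*\)/;

// Constructed sample: "<h1>Sign in</h1>" with every character code raised by 1.
const SAMPLE_HTML = `<html><body><script>
var s = "=i2?Tjho!jo=0i2?";
var o = "";
for (var i = 0; i < s.length; i++) { o += String.fromCharCode(s.charCodeAt(i)-1); }
document.write(o);
</script></body></html>`;

// Exact equivalent of the rule's html|contains condition.
function matchesRule(html) {
  return html.includes(RULE_LITERAL);
}

// Returns the signed amount the page's decoder adds to each code unit, or null.
function findShift(html) {
  const m = DECODER_RE.exec(html);
  if (!m) return null;
  const n = parseInt(m[2], 10);
  return m[1] === "-" ? -n : n;
}

// Applies the shift per UTF-16 code unit, as the in-page decoder would.
function shiftString(text, delta) {
  return text.split("").map((c) => String.fromCharCode(c.charCodeAt(0) + delta)).join("");
}

// Decodes quoted string literals of 8+ characters so static checks can read them.
function revealHiddenStrings(html) {
  const delta = findShift(html);
  if (delta === null) return [];
  const literalRe = /"([^"\\\n]{8,})"|'([^'\\\n]{8,})'/g;
  return Array.from(html.matchAll(literalRe), (m) => shiftString(m[1] || m[2], delta));
}

console.log(matchesRule(SAMPLE_HTML), findShift(SAMPLE_HTML), revealHiddenStrings(SAMPLE_HTML));
```

A page for which `findShift` returns a value but `matchesRule` is false uses a decoder variant that the literal rule does not cover.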