Wednesday, August 31, 2016

Deobfuscating some more Javascript

Saw this paste with malicious javascript. If ou strip out all the malicious variable creations (_zds, se, _dd) and the eval statement at the end , and replace them all with console.log() statements, you can get a bit of a better picture. Then if you do the same routine again of repacing bad stuff with console.log statemnts you finally get this code

and in it there is a freeky looking variable that ends up containing the urls of interest.

var IGv7=[MMo+XQb1+Gd5 + VSv+Hb+Cl+Tj4+VKq+Pg + DSx+Pa + GYy+MEw1+Rj + Pf+NZa2 + Fb9+Fb+Ke+JPy+Ow9 + ORq+Sv+FOl7 + Cn, MMo+Ly5+YOv7 + AYc8+Sq6+So+Af1+Nu + Zz+ZKb + Zn1+Ik+Vy4+PRi5+Ho4+Gy9, VBg+DFu + ZDn + Cl0+Vw+Jc + Fs+Jp + Tu6+Vg7+OZv8 + UTt+Po+Cj3 + Gq8+EDt+Ag+LDc + Qn+St0+HNu + Sk6, MMo+Ly5+Qc7 + Vc9+Zn4 + ALt+Ui4 + BYt+Cc5+ZZq9 + Vm0+Ci5, Wq6 + Ya+Li5 + LJz3+Vg+Je1 + Yu8+ZPg+DFe5+HDm+Su1+Xz + XGx];

when printed out


["", "", "", "", ""]

More about neonprimetime

Top Blogs of all-time
  1. pagerank botnet sql injection walk-thru
  2. DOM XSS 101 Walk-Through
  3. An Invoice email and a Hot mess of Java

Top Github Contributions
  1. Qualys Scantronitor 2.0

Copyright © 2016, this post cannot be reproduced or retransmitted in any form without reference to the original post.

No comments:

Post a Comment