- 2017-06-20 21:03:35 +gyroninja Didac: You want a partial RE I did of it?
- 2017-06-20 21:05:06 +gyroninja Let's see if I can get a hastebin up in here
- 2017-06-20 21:05:18 +gyroninja Didac: https://hastebin.com/nimajugumo.js
- 2017-06-20 21:05:37 +gyroninja Important stuff to look at are the strings
- 2017-06-20 21:06:27 <-- POJO (~quassel@PO.JO) has quit (Read error: Connection reset by peer)
- 2017-06-20 21:06:45 +gyroninja outer10 function is important
- 2017-06-20 21:06:51 +gyroninja it shows the different payloads for phoning home
- 2017-06-20 21:06:55 +gyroninja it uses
- 2017-06-20 21:07:12 +gyroninja WebSockets, WebRTC, XHR, and JSEP
- 2017-06-20 21:08:12 +gyroninja It also has the ability to eval remote js
- 2017-06-20 21:08:48 +gyroninja though IIRC it does so over https (if you are currently browsing over https)
- 2017-06-20 21:08:52 +gyroninja so you wouldn't be able to mitm
- 2017-06-20 21:10:14 +gyroninja I don't believe it leaks any of your information like what you are browsing
- 2017-06-20 21:10:24 +gyroninja just sends a request I believe
- 2017-06-20 21:10:41 +gyroninja (for webrtc payload it also sends your user agent)
- 2017-06-20 21:11:41 +gyroninja I could be wrong about it not leaking what you are looking at
- 2017-06-20 21:11:56 +gyroninja but I only spent a few hours RE'ing it
- 2017-06-20 21:12:47 +gyroninja 1 thing which I didn't really finish looking into was its use of sessionStorage / localStorage
- 2017-06-20 21:15:28 +gyroninja quick look over that code
- 2017-06-20 21:15:40 +gyroninja makes it look like it looks through it
- 2017-06-20 21:15:54 +gyroninja and checks if there is a key that starts with VX8OUm
- 2017-06-20 21:17:49 +gyroninja It takes what's in there and extracts a timestamp and a url
- 2017-06-20 21:18:03 +gyroninja the timestamp is used to emulate a cookie which expires after 24 Hours
- 2017-06-20 21:18:38 +gyroninja *the url is actually a piece of js code
- 2017-06-20 21:18:41 +gyroninja which gets eval'd
- 2017-06-20 21:19:22 +gyroninja and that code looks to be related to the javascript loader framework it has
- 2017-06-20 21:20:07 +gyroninja hopefully that should be enough information to feed your interest
- 2017-06-20 21:37:49 +gyroninja actually the stuff in localstorage looks juicy
- 2017-06-20 21:37:54 +gyroninja going to decode some of it
- 2017-06-20 21:41:24 +gyroninja could only get 1
- 2017-06-20 21:42:53 +gyroninja https://hastebin.com/digeturiha.tex
- 2017-06-20 21:43:20 +gyroninja looks like some analytics for ad clicking