What to do on a cloudy, lazy Sunday? You go hunting and review some alerts generated by your robots. Pastebin remains one of my favourite playgrounds and you always find interesting stuff there. In a recent diary, I reported many malicious PE files[1] stored in Base64 but, today, I found a suspicious piece of JavaScript code[2]. It was posted by a valid account but it was its first pastie:
2 : var _6101=34280B84F123A777A741D825 … stripped data … F713C589E
11 : _9837=_2519
15 : var _8383=_1472
16 : var _2078=_8383=_9837
24 : }
25 :
26 : var _1667=_6430=_5991
27 : var _3473=_3473=_6430
It's an interesting example of code obfuscation but not very complicated to reverse. After a quick check, we may assume that the malicious code is stored in the variable _6101 (line 2) and that the rest of the code is just used to deobfuscate it. Note also the presence of the string eval on line 10. This should get you thinking. Let's review the code line by line:
Line 3: _9332 contains the following string (hex-encoded): ABCDEF.
Line 5: _3603 contains the last character of the payload: E.
Line 7: the payload is split based on the separators (ABCDEF):
34280,84,123,777,741,825,741,813,749,809,773,801,817,585,481,825,741,809,481,689,773,817,785,757,481,597,481,489,621,669,625,629,481,693,665,633,681,645,629,665,625,481,617,709,481,709,741,793,765,593,541,613,601,489,589,393,825,741,809,481,625,757,813,749,809,773,801,817,773,797,793,813,481,597,481,489,489,529,393,481,481,481,481,733,817,757,833,817,481, …
Line 8: _4029 contains an array of JavaScript functions.
Line 9: _4678[1] contains 4 (String(parseInt(84)/21) = 4).
Line 10: the most important one: _5991 contains the eval (eval(_9837)).
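To make the scheme concrete, here is an added decoder (my own code, not the diary's or the pastie's) that replays the steps above: split _6101 on the letters A-F, take the multiplier 4 from the second number (84/21), and map each remaining number back to a character. The additive offset of 353 and the three-number header are inferred from the numbers listed for line 7 (481 must be a space, 825/741/809 must spell "var"); the diary does not state them, so treat them as assumptions checked against the sample.

```python
import re

# Known from the diary: line 7 splits _6101 on the letters A-F, and
# _4678[1] = String(parseInt(84)/21) = 4, i.e. the second header number
# fixes the per-character multiplier. Inferred from the listed numbers,
# not stated in the diary: an additive offset of 353 (481 -> space,
# 825/741/809 -> "var") and that the first three numbers are a header.
DIVISOR = 21
OFFSET = 353          # inferred, see above
HEADER_LEN = 3        # 34280, 84, 123 (assumption: only the middle one matters)

def split_payload(blob: str) -> list[int]:
    """Split the hex-looking blob on the separator letters A-F (line 7)."""
    return [int(chunk) for chunk in re.split(r"[A-F]", blob) if chunk]

def decode_payload(blob: str) -> str:
    """Recover the cleartext that ends up in _9837 and is passed to eval()."""
    numbers = split_payload(blob)
    header, body = numbers[:HEADER_LEN], numbers[HEADER_LEN:]
    multiplier = header[1] // DIVISOR          # mirrors parseInt(84)/21 = 4
    chars = []
    for n in body:
        code, rem = divmod(n - OFFSET, multiplier)
        # A value that is not OFFSET + multiplier * codepoint does not fit the
        # scheme: stop rather than emit garbage from a stripped or edited blob.
        if rem or code < 0:
            raise ValueError(f"{n} does not fit the scheme")
        chars.append(chr(code))
    return "".join(chars)

# Constructed sample: the visible prefix of _6101 plus the numbers the diary
# lists for line 7 (the separator letters after the prefix are my own choice).
SAMPLE = "34280B84F123A777A741D825" + "".join(f"C{n}" for n in [
    741, 813, 749, 809, 773, 801, 817, 585, 481, 825, 741, 809, 481, 689, 773,
    817, 785, 757, 481, 597, 481, 489, 621, 669, 625, 629, 481, 693, 665, 633,
    681, 645, 629, 665, 625, 481, 617, 709, 481, 709, 741, 793, 765, 593, 541,
    613, 601, 489, 589, 393,
])

if __name__ == "__main__":
    print(repr(decode_payload(SAMPLE)))
```

Run against the sample, the decoder yields the first line of the payload, which already carries the "CODE UNFRIEND" title the diary mentions; a number that does not fit the scheme (for example a truncated blob) raises instead of producing silent garbage.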
What is stored in the variable _9837? Is it malicious or just suspicious? The payload passed to eval() is a piece of JavaScript called CODE UNFRIEND by Yang. It looks like a script to mass-remove friends from a Facebook account. I posted a copy of the de-obfuscated payload on pastebin[3]. If it rings a bell, let me know.
[1]https://isc.sans.edu/forums/diary/Many+Malware+Samples+Found+on+Pastebin/22036/
[2]http://pastebin.com/raw/DmxeKdgw
[3]http://pastebin.com/yBWnQQ5P
Xavier Mertens (@xme)
ISC Handler – Freelance Security Consultant
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.