Tuts 4 You

Deobfuscate malware JS (From Discord)


SciT


Hi.
Literally an hour ago, a massive phishing link was sent on Discord across all private messages and servers, which is why many channels blocked and/or muted me.
I remembered that some time ago I came across the so-called Discord Perks, which improve the user experience. At the time it did not bother me that I was loading third-party scripts without proper analysis. I found the files that I had downloaded, began to analyze them in more detail, and found too-suspicious and obvious malware insertions. Could you help de-obfuscate the part that was obfuscated, so as to understand where and how the data was sent? A large number of people were affected by this plugin, as they saw ads on other resources, including videos.
It contains keywords such as: POST, ip, token, authToken, userEmail, email, log, data, etc.

 

NitroPerks.plugin.js

Edited by SciT: English formatting

2 weeks later...

@RDGMax :kick: Did you even look at the results before you posted them? That sandbox output is completely useless.

Sandbox tried to run the file using WScript and failed spectacularly. All the important code is well protected and can't be extracted this way.

48 minutes ago, kao said:

@RDGMax :kick: Did you even look at the results before you posted them? That sandbox output is completely useless.

Sandbox tried to run the file using WScript and failed spectacularly. All the important code is well protected and can't be extracted this way.

You don't see anything??? 🙈 That analysis is very useful for me, to make a decision and classify it as malware.

No, I don't see anything malicious there, for the reasons explained above. If you disagree, I kindly invite you to show *exactly* where and what is to be considered malicious.

On 8/10/2021 at 4:01 PM, RDGMax said:

that analysis is very useful for me. to take a decision.to classify as malware

#1 - OP has already established that this file is malicious - that was not the question. The question was - what was stolen+how and where it was sent to? 

#2 - Would you call this file malicious too? (see attachment) :D https://www.hybrid-analysis.com/sample/017d4223a35619fe0002007e32e889796598846d8a131b8fd1cd3d0057c6fbb3/611556f3da7fb81f775036f1

1d10ts-v2.zip
