Deobfuscated + reverse engineered JavaScript malware
original
README.md
WHOIS.txt
deobfuscated.js
pretty.js


marveloptics_malware

Deobfuscated and reverse engineered JavaScript malware

Writeup: https://blog.jse.li/posts/marveloptics-malware/

This malware was found on https://www.marveloptics.com/ embedded in the following URLs:

https://www.marveloptics.com/templates/moptics/js/vendor/modernizr.js
https://www.marveloptics.com/libraries/openid/openid.js

sha256 hashes:

cc4eb4839266c655c1bd4868d2994f68e44effd3249322eb37d3673954904f30  modernizr.js
d691b626a821c1bf93d1d75e4e8f0891c81b6f7a1e2c479eacdc18b9ec48d492  openid.js

Original copies are available in the original/ folder of this repository.
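
A check built on the hashes listed above, as an added example (not code from this repository): it flags any `.js` file under a directory whose SHA-256 matches one of the two listed samples, and confirms that preserved copies still match. The function names are hypothetical, and the presence of both file names directly under original/ is an assumption.

```python
import hashlib
import sys
from pathlib import Path

# SHA-256 digests and file names exactly as listed in this README.
KNOWN_BAD = {
    "cc4eb4839266c655c1bd4868d2994f68e44effd3249322eb37d3673954904f30": "modernizr.js",
    "d691b626a821c1bf93d1d75e4e8f0891c81b6f7a1e2c479eacdc18b9ec48d492": "openid.js",
}

def sha256_file(path, chunk=65536):
    """Stream a file through SHA-256 so large files are not read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def scan_tree(root, known=KNOWN_BAD, suffixes=(".js",)):
    """Return [(path, listed_name)] for files under root whose digest is in known."""
    hits = []
    for p in sorted(Path(root).rglob("*")):
        if p.is_file() and p.suffix.lower() in suffixes:
            name = known.get(sha256_file(p))
            if name:  # matched by content, so renamed copies are still found
                hits.append((str(p), name))
    return hits

def verify_originals(folder="original", known=KNOWN_BAD):
    """Map each listed name to 'ok', 'mismatch' or 'missing' for copies in folder."""
    result = {}
    for digest, name in known.items():
        p = Path(folder) / name  # assumed layout: samples stored under their listed names
        if not p.is_file():
            result[name] = "missing"
        else:
            result[name] = "ok" if sha256_file(p) == digest else "mismatch"
    return result

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, name in scan_tree(root):
        print(f"MATCH {path} (listed as {name})")
```

An exact-hash match only identifies byte-identical copies of these two samples; a variant with any modification produces a different digest and will not be reported.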

deobfuscated.js contains the output of js-beautify -x -s 2 original/openid.js > deobfuscated.js

pretty.js contains my own renamed variables and extensive comments.