Deobfuscated and reverse-engineered JavaScript malware
Writeup: https://blog.jse.li/posts/marveloptics-malware/
This malware was found on https://www.marveloptics.com/,
embedded in the files at the following URLs:
https://www.marveloptics.com/templates/moptics/js/vendor/modernizr.js
https://www.marveloptics.com/libraries/openid/openid.js
SHA-256 hashes:
cc4eb4839266c655c1bd4868d2994f68e44effd3249322eb37d3673954904f30 modernizr.js
d691b626a821c1bf93d1d75e4e8f0891c81b6f7a1e2c479eacdc18b9ec48d492 openid.js
Original copies are available in the original/ folder of this repository.
deobfuscated.js contains the output
of js-beautify -x -s 2 original/openid.js > deobfuscated.js
pretty.js contains my own renamed variables and extensive comments.