marveloptics_malware

Deobfuscated and reverse-engineered JavaScript malware

Writeup: https://blog.jse.li/posts/marveloptics-malware/

This malware was found on https://www.marveloptics.com/ embedded in the following URLs:

https://www.marveloptics.com/templates/moptics/js/vendor/modernizr.js
https://www.marveloptics.com/libraries/openid/openid.js

SHA-256 hashes:

cc4eb4839266c655c1bd4868d2994f68e44effd3249322eb37d3673954904f30  modernizr.js
d691b626a821c1bf93d1d75e4e8f0891c81b6f7a1e2c479eacdc18b9ec48d492  openid.js

Original copies are available in the original/ folder of this repository.

deobfuscated.js contains the output of js-beautify -x -s 2 original/openid.js > deobfuscated.js

pretty.js contains my own renamed variables and extensive comments.