SiteCheck Signatures


malware.atob_fcc

Description:
Malicious scripts that use two layers of obfuscation: Base64 (decoded via the atob JavaScript function) and arrays of character codes (decoded via the fromCharCode function). These might not be the only levels of obfuscation.

Example of the two layers of obfuscation

First layer: atob

var WMLPZBKSRZ = atob('dmFyIEFDUFFZWVhBVE4gPSBTdHJpbmcuZnJvbUNoYXJDb2RlKDExIC0gMSwgMTIxIC0gM...skipped...IDQpO2V2YWwoQUNQUVlZWEFUTik7');
  eval(WMLPZBKSRZ);

Second layer: fromCharCode

var ACPQYYXATN = String.fromCharCode(11 - 1, 121 - 3, 106 - 9, 121 - 7, 39 - 7, 113 - 6,...skipped..., 16 - 6, 14 - 4);eval(ACPQYYXATN);

Affecting: Any web site (no specific target).
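
For analysis, both layers shown above can be peeled statically, without ever calling eval. The following Node.js sketch is an added example, not SiteCheck's own code; the function names and the harmless sample it builds are constructed for illustration. It keeps peeling until no known layer remains, since the result may still be obfuscated by other means.

```javascript
// Static decoder for the atob + fromCharCode layering. Nothing is eval'd.
const ATOB_RE = /atob\(\s*['"]([A-Za-z0-9+\/=]+)['"]\s*\)/;
const FCC_RE = /String\.fromCharCode\(([^)]*)\)/;
const ARITH_RE = /^\s*(\d+)\s*(?:([+-])\s*(\d+))?\s*$/;

// Each argument is a number or "a - b" / "a + b"; compute it arithmetically
// instead of evaluating it as code.
function decodeCharCodeArgs(args) {
  return args.split(',').map((arg) => {
    const m = ARITH_RE.exec(arg);
    if (!m) throw new Error('unsupported argument: ' + arg.trim());
    const a = Number(m[1]);
    const b = m[3] ? Number(m[3]) : 0;
    return String.fromCharCode(m[2] === '-' ? a - b : a + b);
  }).join('');
}

// Peel known layers one at a time; stop when none matches or decoding fails.
function peelLayers(source, maxDepth = 10) {
  const layers = [];
  let current = source;
  for (let i = 0; i < maxDepth; i++) {
    const b64 = ATOB_RE.exec(current);
    const fcc = b64 ? null : FCC_RE.exec(current);
    if (b64) {
      // latin1 mirrors atob(), which returns one character per decoded byte
      current = Buffer.from(b64[1], 'base64').toString('latin1');
      layers.push({ kind: 'atob', text: current });
    } else if (fcc) {
      try { current = decodeCharCodeArgs(fcc[1]); } catch (e) { break; }
      layers.push({ kind: 'fromCharCode', text: current });
    } else {
      break;
    }
  }
  return layers;
}

// Constructed, harmless sample with the same two-layer shape as the example above.
const SAMPLE_PAYLOAD = 'console.log("constructed sample");';
const sampleCodes = [...SAMPLE_PAYLOAD].map((ch) => `${ch.charCodeAt(0) + 7} - 7`);
const sampleInner = `var B = String.fromCharCode(${sampleCodes.join(', ')});eval(B);`;
const SAMPLE = `var A = atob('${Buffer.from(sampleInner, 'latin1').toString('base64')}');\neval(A);`;

peelLayers(SAMPLE).forEach((layer, i) =>
  console.log(`layer ${i + 1} (${layer.kind}): ${layer.text.slice(0, 60)}`));
```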