Author Topic: Code probably harmless?  (Read 1387 times)

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33571
  • malware fighter
Code probably harmless?
« on: July 18, 2014, 03:54:09 PM »
See: htxp://download.cdn.oovoo.com/download/oovoosetup.exe
SHA1: ec81346ab5e238d374e6fc35114458d4d8b1de13
Name: Suspicious-WI.
See: https://www.virustotal.com/nl/url/72491026abe789672ce605f6e27d577bdd8e74aab63272396cd9944a23767c85/analysis/1405690839/
and https://www.virustotal.com/nl/file/8c0fc26eac1907cc51f92ac760b110a8327f0da501d96ab80bf189dea0ee6b13/analysis/1405677116/
I get an empty response.
Also consider: http://zulu.zscaler.com/submission/show/2dba3ac0e4a77aefdc6b3b6d1d18acbc-1405691000
Quttera comes up with this:
static-wXw.cdn.oovoo.com/ga/oovoo_ga.js
Severity:   Suspicious
Reason:   Detected encoded JavaScript code commonly used to hide suspicious behaviour.
Details:   Generic
Offset:   10279
Threat dump:   File name: static-www.cdn.oovoo.com/ga/oovoo_ga.js
Code:
[[\x7C\x7C\x7C\x7C\x7C\x7C\x7C\x7C\x61\x72]] -> http://wepawet.iseclab.org/view.php?hash=65f94e676ac70fd8bf98dc4188b856f3&t=1368475314&type=js  benign
see: http://www.exedb.com/systemfiles/oovoo_ga[1].js.html
Threat dump MD5:   8524417EAFE008993C354418E032E60F
File size[byte]:   34933
File type:   ASCII
MD5:   33AF41CEFE8506333DFDCE91FBB2EAEB

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!


Offline !Donovan

  • Web Analyst
  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 2219
    • The WAR Against Malware
Re: Code probably harmless?
« Reply #2 on: July 18, 2014, 04:34:02 PM »
Hi Polonus,

The string above is in hex format and translates to:
Code:
||||||||ar
Likely a common obfuscation algorithm.

~!Donovan
Familiarize Yourself! | Educate Yourself! | Beautify Yourself! | Scan Yourself!
"People who say it cannot be done should not interrupt those who are doing it."

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33571
  • malware fighter
Re: Code probably harmless?
« Reply #3 on: July 18, 2014, 06:53:36 PM »
Hi !Donovan,

It is a variant of the common Google Analytics tracking code, an obfuscated one.
To check one could run it against these resources: http://http-sniffer.find-my-search.com/en/web-sniff-of/malcode.nl/
But alas no result from there.

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
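
The hex decoding discussed in Reply #2 can be done statically, without executing the flagged script. The following is an added example, not part of the original thread or of any scanner named in it; the function names `decodeJsEscapes` and `triageEscapes` are hypothetical, and the input is the fragment quoted in the threat dump.

```javascript
// Added example: decode JavaScript string escapes statically (no eval, no execution).
// Function names are hypothetical; they are not part of any scanner's API.

// Matches an escaped backslash (kept as-is), \xNN, \uNNNN and \u{N...} in source text.
const ESCAPE_RE = /\\\\|\\x([0-9a-fA-F]{2})|\\u([0-9a-fA-F]{4})|\\u\{([0-9a-fA-F]{1,6})\}/g;

// Returns the code point for one regex match, or null if it should be left alone.
function escapeToCodePoint(hex2, hex4, hexBraced) {
  const hex = hex2 || hex4 || hexBraced;
  if (!hex) return null;                  // escaped-backslash alternative: not an escape to decode
  const codePoint = parseInt(hex, 16);
  return codePoint <= 0x10ffff ? codePoint : null;
}

function decodeJsEscapes(source) {
  return source.replace(ESCAPE_RE, (match, hex2, hex4, hexBraced) => {
    const codePoint = escapeToCodePoint(hex2, hex4, hexBraced);
    return codePoint === null ? match : String.fromCodePoint(codePoint);
  });
}

// Summarises what the escapes hide: printable text or non-printable bytes.
function triageEscapes(source) {
  const codePoints = [];
  for (const m of source.matchAll(ESCAPE_RE)) {
    const codePoint = escapeToCodePoint(m[1], m[2], m[3]);
    if (codePoint !== null) codePoints.push(codePoint);
  }
  const printable = codePoints.filter(cp => cp >= 0x20 && cp <= 0x7e).length;
  return {
    escapeCount: codePoints.length,
    printableAscii: printable,
    allPrintableAscii: codePoints.length > 0 && printable === codePoints.length,
    decoded: decodeJsEscapes(source),
  };
}

// The fragment quoted in the Quttera threat dump in this thread.
const flagged = String.raw`\x7C\x7C\x7C\x7C\x7C\x7C\x7C\x7C\x61\x72`;
console.log(triageEscapes(flagged));
```

Escapes that decode entirely to printable ASCII, as here, are encoded text rather than binary data; the decoded string still has to be read in the context of the surrounding script.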