
I clicked on the "It's like you" virus in Facebook Messenger. Then I archived the original link with archive.ph (archive.today), and during the process the site showed me this: https://pastebin.com/e91wZmqP (WARNING! Do not click on any of the links in the paste; they might contain harmful code.)

The most suspicious JS file was the one on the site kiigame. I made an archive; it contains only the text of the script: https://archive.ph/EAXyP

The main content of the script seems encrypted(?), as it uses hexadecimal codes for words. Do you know any way to decipher the hexadecimal codes to see what this script does exactly? My main concern is whether it installed any (hidden) extension (like a keylogger) in my browser (I use Google Chrome on Ubuntu).

schroeder
  • The hexadecimal codes aren't encryption or even encoding; they are simply replacements for human-readable function and variable names and, as such, irreversible. However, the structure becomes easier to read with proper indentation. You could use e.g. https://beautifier.io/ – Esa Jokinen Mar 14 '21 at 06:01
  • Not possible. The browser prompts to confirm installation of an extension and also displays its permissions. Also, the extension will remain disabled if it's not available in the Chrome store. – defalt Mar 14 '21 at 06:56

1 Answer


As I see it, the source code looks obfuscated; when I deobfuscate the source, it seems like a phisher? It is asking for FB credentials, also has some FB styling, and is setting/updating some cookies. The best thing you can do is clean your cache and try a malware scan.

mrSotirow
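An added example, not part of the original posts and not the script from the question: a static pass in Node.js that recovers what is recoverable from this style of obfuscation without running the script. It assumes the common pattern where strings are stored as `\xNN` escapes in a literal array that is indexed with hex numbers; the sample input, the function names and the keyword list are all constructed for illustration. Renamed `_0x…` identifiers stay as they are, since the original names are gone.

```javascript
// Static string recovery for hex-obfuscated JavaScript.
// The input is handled as text only; it is never eval'd or executed.

// Constructed sample (NOT the script from the question).
const SAMPLE = String.raw`var _0x3a1f=['\x63\x6f\x6f\x6b\x69\x65','\x70\x61\x73\x73\x77\x6f\x72\x64','\x76\x61\x6c\x75\x65'];
var _0x51c2=document[_0x3a1f[0x0]];
var _0x77be=form[_0x3a1f[0x1]][_0x3a1f[0x2]];`;

// Turn \xNN and \uNNNN escapes inside one literal body into characters.
function decodeEscapes(body) {
  return body
    .replace(/\\x([0-9a-fA-F]{2})/g, (_, h) => String.fromCharCode(parseInt(h, 16)))
    .replace(/\\u([0-9a-fA-F]{4})/g, (_, h) => String.fromCharCode(parseInt(h, 16)));
}

// Find `var NAME=['...','...']` arrays that hold only string literals.
function findStringArrays(src) {
  const arrays = new Map();
  const decl = /(?:var|let|const)\s+(_0x[0-9a-fA-F]+)\s*=\s*\[((?:\s*'(?:[^'\\]|\\.)*'\s*,?)+)\]/g;
  for (const m of src.matchAll(decl)) {
    const items = [...m[2].matchAll(/'((?:[^'\\]|\\.)*)'/g)].map(s => decodeEscapes(s[1]));
    arrays.set(m[1], items);
  }
  return arrays;
}

// Replace NAME[0xN] lookups with the decoded literal; leave anything else alone.
function inlineLookups(src) {
  const arrays = findStringArrays(src);
  return src.replace(/(_0x[0-9a-fA-F]+)\[(0x[0-9a-fA-F]+|\d+)\]/g, (whole, name, idx) => {
    const items = arrays.get(name);
    const i = Number(idx);
    return items && i < items.length ? JSON.stringify(items[i]) : whole;
  });
}

// Decoded strings worth a second look on a suspected credential-phishing page.
// The keyword list is an assumption chosen for this example.
function flagStrings(src, words = ['password', 'cookie', 'login', 'email']) {
  const all = [...findStringArrays(src).values()].flat();
  return all.filter(s => words.some(w => s.toLowerCase().includes(w)));
}

console.log(inlineLookups(SAMPLE));
console.log('flagged:', flagStrings(SAMPLE));
```

Obfuscators that rotate the array at load time or decode entries through a helper function need those steps modelled as well; this pass leaves any lookup it cannot resolve untouched.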