generic_javascript_obfuscation in thoonsie.click

On 2019-05-12T22:14:42.427756+00:00 we found the suspicious pattern generic_javascript_obfuscation (type: Suspicious) in the page https://thoonsie.click/ajax/dropzone/9.…

JavaScript obfuscation is frequently used to hide malicious code (or in the hope of protecting intellectual property).

The suspicious code sample:

b'atob' … b'atob' … b'atob' … b'atob' … b'atob' … b'"promiseOrFailByTimeout"' … b'"getIframeStyleByPosition"' … b'"checkCappingAndFrequency"' … b'"notificationsDelaySHR0cA=="' … b'"createIframeConfirmAndAskPermissions"' … b'"mobileVPositionWm9uZQ=="' … b'"desktopXPositionZone"' … b'"iframeRG9jIGlzIG5vdCByZWFkeSA6KA=="' … b'"c2tpcF9ieV9naWRfcookie"' … b'"iframeIGlzIG5vdCByZWFkeSBkb2MuYm9keSBvciBkb2Muhead"' … b'"getBoundingClientRect"' … b'"iframeX2RlbnlfY2xpY2tlZA=="' … b'"iframeX2FsbG93X2NsaWNrZWQ="' … b'"beforePermissionPrompt"' … b'"notificationUnsupported"' … b'"requestPermissionHandlerDone"' … b'"swFallbackErrorDomain"' … b'"ZXJyb3IgaXMgundefinedIG9yIG51bGw="' … b'"w77fiPfsgsIzHjjsqD5mp5b"' … b'"8gqjfePwnweqLfll5nUn7"' … b'"mfjpzp8wjpfmqD57w2Hjjsq"' … b'"mfjpzp8wjpfmqD57w2Hjjs"'

This feature is experimental, so please feel free to contact us if you feel any of the reported issues is a false positive, or if you want to suggest a pattern that should be detected (we use the YARA standard).
