generic_javascript_obfuscation5 in c8n.mytrade.link

On 2020-09-03T10:58:04.519220+00:00 we found the pattern generic_javascript_obfuscation5 (type: Suspicious) in the page https://c8n.mytrade.link/web-www/_next/…, referenced from https://mytrade.link/. JavaScript obfuscation is frequently used to hide malicious code, or in the hope of protecting intellectual property.

Code sample:

b'["url","method","data"],i=["headers","auth","proxy","params"],s=["baseURL","\xc2\xb6\xc2\xb6\xc2\xa7\xc2\xb1\xc3\xba+\xc2\x99\x17\xc2\xaa\xc2\xb9\xc3\xab-","transformResponse","\xc2\xa5\xc2\xaa\xc3\x9a\xc2\x9a\xc3\x84\xc2\x9e\xc2\xae&\xc2\xa5\xc2\x8b7\xc2\xab","timeout","timeoutMessage","withCredentials","adapter","\xc2\xad\xc3\xab)\xc2\xa2{\x1eO*^","xsrfCookieName","xsrfHeaderName",' … b'["headers","auth","proxy","params"],s=["baseURL","\xc2\xb6\xc2\xb6\xc2\xa7\xc2\xb1\xc3\xba+\xc2\x99\x17\xc2\xaa\xc2\xb9\xc3\xab-","transformResponse","\xc2\xa5\xc2\xaa\xc3\x9a\xc2\x9a\xc3\x84\xc2\x9e\xc2\xae&\xc2\xa5\xc2\x8b7\xc2\xab","timeout","timeoutMessage","withCredentials","adapter","\xc2\xad\xc3\xab)\xc2\xa2{\x1eO*^","xsrfCookieName","xsrfHeaderName",' … b'["baseURL","\xc2\xb6\xc2\xb6\xc2\xa7\xc2\xb1\xc3\xba+\xc2\x99\x17\xc2\xaa\xc2\xb9\xc3\xab-","transformResponse","\xc2\xa5\xc2\xaa\xc3\x9a\xc2\x9a\xc3\x84\xc2\x9e\xc2\xae&\xc2\xa5\xc2\x8b7\xc2\xab","timeout","timeoutMessage","withCredentials","adapter","\xc2\xad\xc3\xab)\xc2\xa2{\x1eO*^","xsrfCookieName","xsrfHeaderName",' … b'["age","authorization","content-length","content-type","etag","expires","from","host","if-modified-since","if-unmodified-since","last-modified","\xc2\x96\xc2\x87\x1a\xc2\xb6*\'","max-forwards","proxy-authorization","referer","retry-after",'

This feature is experimental, so please feel free to contact us if you feel any of the reported issues is a false positive or if you want to suggest a pattern that should be detected (we use the YARA standard).
