Let's first describe the reason. Today, I received a blackmail email saying that my password had been leaked while visiting an insecure website. The hacker had all my information and had implanted a Trojan horse in my computer. It was useless to change my email password. If I didn't pay more than $900 in Bitcoin within 48 hours, my information would be posted on the Internet!
I almost believed it at first glance, and then I thought that my mailbox was one I had set up myself, which was only used to receive mail. I had never logged in anywhere else. After careful analysis, I thought it was a deception, but in fact, there was no relevant information about me. Later, a Google search did confirm that it was a random collision, and if I had been careless, I really would have transferred money to him!
Later, I wanted to know if there were any Trojans hidden in this email. I found that there were no attachments, so I opened the source code of this email and found this piece of JS in it. I formatted it and posted it:
<script>
var w = window;
// Only runs where the browser exposes a performance timing API
if (w.performance || w.mozPerformance || w.msPerformance || w.webkitPerformance) {
    var d = document;
    // AKSB.q is a queue of timing events ("mark", "measure", "done")
    AKSB = w.AKSB || {}, AKSB.q = AKSB.q || [], AKSB.mark = AKSB.mark ||
    function(e, _) {
        AKSB.q.push(["mark", e, _ || (new Date).getTime()])
    }, AKSB.measure = AKSB.measure ||
    function(e, _, t) {
        AKSB.q.push(["measure", e, _, t || (new Date).getTime()])
    }, AKSB.done = AKSB.done ||
    function(e) {
        AKSB.q.push(["done", e])
    }, AKSB.mark("firstbyte", (new Date).getTime()), AKSB.prof = {
        custid: "641075",
        ustr: "",
        originlat: "0",
        clientrtt: "19",
        ghostip: "217.212.224.166",
        ipv6: false,
        pct: "10",
        clientip: "46.183.219.233",
        requestid: "2120224a",
        region: "27660",
        protocol: "h2",
        blver: 14,
        akM: "x",
        akN: "ae",
        akTT: "O",
        akTX: "1",
        akTI: "2120224a",
        ai: "441803",
        ra: "false",
        pmgn: "",
        pmgi: "",
        pmp: "",
        qc: ""
    }, function(e) {
        // Insert an async <script> element before the last script on the page,
        // loading aksb.min.js from ds-aksb-a.akamaihd.net
        var _ = d.createElement("script");
        _.async = "async", _.src = e;
        var t = d.getElementsByTagName("script"),
            t = t[t.length - 1];
        t.parentNode.insertBefore(_, t)
    }(("https:" === d.location.protocol ? "https:" : "http:") + "//ds-aksb-a.akamaihd.net/aksb.min.js")
}
</script>
What's the use of staring for a long time at something you don't understand? Will it send something out? A Google search found that the domain name akamaihd.net should be a proxy server, and many websites are hosted on it! Could any passing experts help with the analysis? Thanks in advance, passing brothers!
Addendum: when I opened my email for the first time, I immediately received a read-receipt notification email, as shown in the figure below. How was this done?
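An added example, not part of the original post: the `=3D` and trailing `=` sequences in the raw source are quoted-printable encoding, so a message should be decoded before it is searched for remote references. This Python sketch decodes a constructed sample message and lists the hosts it would contact, plus the standard read-receipt request header. The sample message, the `tracker.example.invalid` host and the idea that either mechanism explains the notification in the post are assumptions.

```python
import re
from email import message_from_string
from email.policy import default

# Constructed sample (not the email from the post): an HTML body that is
# quoted-printable encoded, with one URL split by a soft line break ("=").
RAW = """\
From: sender@example.invalid
To: me@example.invalid
Subject: constructed sample
Disposition-Notification-To: sender@example.invalid
MIME-Version: 1.0
Content-Type: text/html; charset=utf-8
Content-Transfer-Encoding: quoted-printable

<img src=3D"http://tracker.example.invalid/o.gif?id=3D42" width=3D"1">
<script>var d =3D document; var s =3D d.createElement("script");
s.src =3D ("https:" =3D=3D=3D d.location.protocol ? "https:" : "http:") + "//ds-a=
ksb-a.akamaihd.net/aksb.min.js";</script>
"""

# Quoted absolute or protocol-relative URLs, as attributes or JS string literals.
URL_RE = re.compile(r'''["'](?:https?:)?//([A-Za-z0-9.-]+)(?:/[^"'\s]*)?["']''')

def remote_hosts(html):
    """Return the sorted set of hosts referenced by quoted URLs in html."""
    return sorted({m.group(1).lower() for m in URL_RE.finditer(html)})

def inspect(raw):
    """Decode the HTML part and report what could call out when it is opened."""
    msg = message_from_string(raw, policy=default)
    part = msg.get_body(preferencelist=("html",))
    # get_content() undoes the quoted-printable transfer encoding and charset.
    html = part.get_content() if part is not None else ""
    receipt = msg["Disposition-Notification-To"]  # read-receipt request header
    return {
        "receipt_header": str(receipt) if receipt else None,
        "remote_hosts": remote_hosts(html),
        "has_script": "<script" in html.lower(),
    }

if __name__ == "__main__":
    print(inspect(RAW))
```

Running the same regex over the undecoded body misses the script host, because the soft line break splits the hostname.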