Added Sentry debugging, getting long string as undefined

Question

We're building a Angular 1.x app with Bootstrap components. We recently added Sentry debugging to site and just got this error:

'PAPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGX' is undefined

browser = IE 11.0
device = Other
level = error
logger = javascript
os = Windows 8.1

Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; .NET4.0E; .NET4.0C; .NET CLR 3.5.30729; .NET CLR 2.0.50727; .NET CLR 3.0.30729; InfoPath.3; MDDCJS; rv:11.0) like Gecko

I found a couple of references on Twitter but nothing else. Anyone seen this before? How can I fix this?

Answer 1

That's probably a malware works, mostly reported on windows platform. As you can see from the question, comments and from the internet; all reported for windows systems. According to few malicious activity logging/analysis/reporting service (see ref links below); the malware writes/ends the file with a series of “PADDINGPADDINGXX” strings.

Search in extracted strings section of following sites

• https://www.hybrid-analysis.com/sample/90fa224a030dc8c20e31bc5a6bd02885605e36d01646f40151ba23741830efb7?environmentId=1
• https://totalhash.cymru.com/analysis/?d88d47519bcc49b5c3b345e98e87d20b8928a2c3
• https://www.reverse.it/sample/8cb0a45f5a071c0f521a8afb62335e23fdcc3a3e06bac9a392bff1a89b40cf8c?environmentId=100
• https://www.reverse.it/sample/3f62bec0770de977b84b61c4f72813120f8d6fb6eb4caf96dc7e8e7b4676e444?environmentId=100
• https://www.zscaler.com/blogs/research/current-trojan-ambler-activity
• https://malwr.com/analysis/MzIyYmFkMWM1M2FmNDVlM2JlZjBmYmYwZmM4NDIwMTI/

Answer 2

This is a speculative answer. But I intend this to be a resource collection of links pointing towards understanding this issue. Feel free to improve this!

• Malware analysis of rtfn.exe
• Visual Studio error :: Error occurring due to one click amazon toolbar
• Bloated application size
• Releasing a game for different platforms :: It states the following:

  ac2game.dat is just your windows .exe renamed. You can snip out the unnecessary executable parts by opening it in a hex editor and searching for the string "PADDING". There is a block of text that repeats "PADDINGXX" for a bit, then "CLIB". Chop out everything before CLIB (but leave CLIB). This saves a little space.

• Extracting resources with dlls
• 4 lines PADDINGXX at the end of executable
• interesting IRC log

  It's always good to sumble upon a good 1.8k block of "PADDINGXXPADDINGXXPADDINGXX"

All of this leads me to believe that this occurs when memory is allocated, but not utilised. So in your case IE spaghetti code must have picked up some of this.