
Added Sentry debugging, getting long string as undefined

We're building an Angular 1.x app with Bootstrap components. We recently added Sentry debugging to the site and just got this error:

'PAPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGX' is undefined

browser = IE 11.0
device = Other
level = error
logger = javascript
os = Windows 8.1

Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; .NET4.0E; .NET4.0C; .NET CLR 3.5.30729; .NET CLR 2.0.50727; .NET CLR 3.0.30729; InfoPath.3; MDDCJS; rv:11.0) like Gecko

I found a couple of references on Twitter but nothing else. Anyone seen this before? How can I fix this?

mryarbles asked Jun 20 '16 17:06


2 Answers

That's probably the work of malware, mostly reported on the Windows platform. As you can see from the question, the comments and the internet, all reports are for Windows systems. According to a few malicious-activity logging/analysis/reporting services (see the reference links below), the malware writes/ends the file with a series of “PADDINGPADDINGXX” strings.

Search the extracted strings section of the following sites:

  • https://www.hybrid-analysis.com/sample/90fa224a030dc8c20e31bc5a6bd02885605e36d01646f40151ba23741830efb7?environmentId=1
  • https://totalhash.cymru.com/analysis/?d88d47519bcc49b5c3b345e98e87d20b8928a2c3
  • https://www.reverse.it/sample/8cb0a45f5a071c0f521a8afb62335e23fdcc3a3e06bac9a392bff1a89b40cf8c?environmentId=100
  • https://www.reverse.it/sample/3f62bec0770de977b84b61c4f72813120f8d6fb6eb4caf96dc7e8e7b4676e444?environmentId=100
  • https://www.zscaler.com/blogs/research/current-trojan-ambler-activity
  • https://malwr.com/analysis/MzIyYmFkMWM1M2FmNDVlM2JlZjBmYmYwZmM4NDIwMTI/
Syed Ekram Uddin answered Nov 03 '22 15:11


This is a speculative answer. But I intend this to be a resource collection of links pointing towards understanding this issue. Feel free to improve this!

  • Malware analysis of rtfn.exe
  • Visual Studio error :: Error occurring due to one click amazon toolbar
  • Bloated application size
  • Releasing a game for different platforms :: It states the following:

    ac2game.dat is just your windows .exe renamed. You can snip out the unnecessary executable parts by opening it in a hex editor and searching for the string "PADDING". There is a block of text that repeats "PADDINGXX" for a bit, then "CLIB". Chop out everything before CLIB (but leave CLIB). This saves a little space.

  • Extracting resources with dlls
  • 4 lines PADDINGXX at the end of executable
  • interesting IRC log

    It's always good to stumble upon a good 1.8k block of "PADDINGXXPADDINGXXPADDINGXX"

All of this leads me to believe that this occurs when memory is allocated, but not utilised. So in your case IE spaghetti code must have picked up some of this.

TheChetan answered Nov 03 '22 13:11
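
The hex-editor search quoted in the second answer, and the "ends the file with" observation in the first, can be scripted for triage. This is an added example, not code from either answer: it uses the 16-byte period visible in the question's error string, and `find_padding_runs`, `min_repeats` and the sample file bytes are constructed for illustration.

```python
# Added example: locate runs of the repeating padding text in a byte buffer.
UNIT = b"PADDINGXXPADDING"  # 16-byte period read off the string in the question

# Error text copied from the question above.
SENTRY_MESSAGE = (b"PAPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDING"
                  b"PADDINGXXPADDINGPADDINGXXPADDINGPADDINGX")

# Constructed sample (not a real executable): header bytes, a padding run
# that starts mid-unit, then the "CLIB" marker from the quoted forum post.
SAMPLE_FILE = b"MZ" + bytes(62) + b"NG" + UNIT * 4 + b"PADD" + b"CLIB" + b"data"


def find_padding_runs(data, min_repeats=2):
    """Return maximal runs of the padding text, whatever phase they start at.

    min_repeats (an assumption of this example) is how many whole units must
    appear back to back before a hit counts, so one stray "PADDING" is ignored.
    """
    period, seed = len(UNIT), UNIT * min_repeats
    runs, pos = [], 0
    while (hit := data.find(seed, pos)) != -1:
        start, end = hit, hit + len(seed)
        # Grow left: the run may begin part-way through a unit.
        while start > pos and data[start - 1] == UNIT[(start - 1 - hit) % period]:
            start -= 1
        # Grow right until the bytes stop following the 16-byte cycle.
        while end < len(data) and data[end] == UNIT[(end - hit) % period]:
            end += 1
        runs.append({
            "offset": start,
            "length": end - start,
            "at_end": end == len(data),        # padding closes the buffer
            "followed_by": data[end:end + 4],  # e.g. b"CLIB"
        })
        pos = end
    return runs


if __name__ == "__main__":
    for name, blob in (("sentry message", SENTRY_MESSAGE),
                       ("sample file", SAMPLE_FILE)):
        for run in find_padding_runs(blob):
            print(name, run)
```
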