- Be VERY careful with these links if you are on Windows. They are full of malware; only reading this text file is safe.
- Original Tweet:
- https://twitter.com/CodeMonkeyZ/status/1331830074350333953
- Disseminated by CodeMonkeyZ = Ron (ex-admin of 8kun (8chan) (4chan)) = a literal hacker.
- This is the "expert" who appeared on Chanel Rion's 30-minute-long Dominion hacking expose, which was reposted by Donald J. Trump himself on Twitter and on YouTube: https://www.youtube.com/watch?v=746HTjhFifA
- Original PDF Link to the Kraken:
- https://defendingtherepublic.org/wp-content/uploads/2020/11/COMPLAINT-CJ-PEARSON-V.-KEMP-11.25.2020.pdf
- On non-Windows + Firefox, a "Print" dialog box immediately popped up when I opened it, along with a yellow warning. Suss.
- Then I scanned it on VirusTotal, and I'm familiar with how to analyze Windows malware. It needs to be fully audited, decompiled or sandboxed. BUT: VirusTotal virus scan = MALWARE!!!
- Adobe Acrobat Reader - Windows type. Automatic printing + embedded JavaScript + multiple nasty Windows exploits
- Page 1:
- https://www.virustotal.com/gui/file/637a2f7b24b52034f457b9b7e52b31efc9aaf925e976c3aed40173871b204ac4/behavior/VirusTotal%20Jujubox
- It's complicated, but the tags at the top explain it best:
- "autoaction checks-user-input detect-debug-environment direct-cpu-clock-access js-embedded long-sleeps pdf runtime-modules"
- (autoaction and js-embedded are the tags for a PDF that carries an action that runs on open and embedded JavaScript; the remaining tags describe how the sandboxed reader process behaved)
- + all the .dll's, registry keys and runtime modules, e.g. "LSALookup" / CRYPTBASE.dll
- LSA = Local Security Authority (the Windows component that handles logons, i.e. your username/password)
- CRYPTBASE.dll = Windows base cryptographic DLL
- You can upload a normal PDF to VirusTotal for comparison - NONE OF THIS SHOULD EXIST. NO REASON FOR IT. Before attributing any given DLL, registry key or module to the document itself, compare against the sandbox report for a known-clean PDF opened in the same reader.
- Click "Full Report" to the right of "Jujubox" for the full "System Calls", "Process Tree" and "Screenshot" (of the Spanish auto-print dialog) - the Spanish locale can select the internal print menus and still evade detection.
- This is too complicated to explain, but just believe me, I know how to read this stuff.
- It's elevating its privilege through a vulnerable print function, accessing a lot of serious Windows system DLLs, making registry keys, making system files, creating system services and scheduled tasks, embedding itself permanently, and exploiting the entire system. For what purpose I can't be certain, but it's NOT good.
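- The "autoaction" / "js-embedded" tags and the print dialog on open correspond to things you can look for directly in the file, without a sandbox. Added example (my own script, not from the paste and not from VirusTotal): it scans a PDF's object syntax and every inflated stream for the names that make a document act on open, run on a constructed sample PDF whose /OpenAction runs this.print(); a second copy of the action is hidden in a FlateDecode stream so the scanner has to inflate streams to see it. To check the real file, replace SAMPLE_PDF with the file's bytes.

```python
import re
import zlib

# Constructed sample PDF (not the complaint PDF from the paste): the catalog's
# /OpenAction points at a JavaScript action that calls this.print(), which is
# the construct behind a PDF that pops a print dialog the moment it is opened.
HIDDEN_OBJ = b"<< /S /JavaScript /JS (app.alert(1)) >>"
HIDDEN_STREAM = zlib.compress(HIDDEN_OBJ)

SAMPLE_PDF = (
    b"%PDF-1.4\n"
    + b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n"
    + b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    + b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj\n"
    + b"4 0 obj << /S /JavaScript /JS (this.print({bUI:false,bSilent:true})) >> endobj\n"
    + b"5 0 obj << /Length " + str(len(HIDDEN_STREAM)).encode() + b" /Filter /FlateDecode >>\n"
    + b"stream\n" + HIDDEN_STREAM + b"\nendstream\nendobj\n"
    + b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

# PDF name objects that can make a document do something by itself.
RISKY_NAMES = [b"/OpenAction", b"/AA", b"/JS", b"/JavaScript", b"/Launch",
               b"/URI", b"/EmbeddedFile", b"/RichMedia", b"/XFA"]

# stream ... endstream bodies; the lookbehind keeps "endstream" from matching.
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", re.S)


def stream_bodies(data):
    """Return every stream body, inflated when it is Flate-encoded, raw otherwise."""
    bodies = []
    for m in STREAM_RE.finditer(data):
        try:
            bodies.append(zlib.decompress(m.group(1)))
        except zlib.error:
            bodies.append(m.group(1))  # not Flate (or damaged): scan the raw bytes
    return bodies


def scan_pdf(data):
    """Count each risky name in the object syntax plus every stream body."""
    texts = [STREAM_RE.sub(b"stream\nendstream", data)] + stream_bodies(data)
    report = {}
    for name in RISKY_NAMES:
        # negative lookahead so /JS does not also count /JSX-style longer names
        pat = re.compile(re.escape(name) + rb"(?![A-Za-z])")
        report[name.decode()] = sum(len(pat.findall(t)) for t in texts)
    return report


def auto_script(report):
    """True when an open/page trigger is paired with script or launch content:
    the combination behind "opens and immediately does something"."""
    triggers = report["/OpenAction"] + report["/AA"]
    payloads = report["/JS"] + report["/JavaScript"] + report["/Launch"]
    return triggers > 0 and payloads > 0


if __name__ == "__main__":
    r = scan_pdf(SAMPLE_PDF)
    for k, v in r.items():
        if v:
            print(f"{k}: {v}")
    print("auto-run script:", auto_script(r))
```

- On the sample this reports /OpenAction once and /JS and /JavaScript twice each (one copy in plain object syntax, one found only after inflating the stream). A hit on /OpenAction or /AA alone is not proof of anything; the pairing with /JS, /JavaScript or /Launch is what to look at, and a scanner that skips stream inflation misses the hidden copy entirely.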
- Page 2:
- https://www.virustotal.com/gui/file/637a2f7b24b52034f457b9b7e52b31efc9aaf925e976c3aed40173871b204ac4/behavior/VirusTotal%20Sysmon
- Windows Media Player\NSS\3.0\Servers\{...} = sets registry keys: WORK: admin: = sets a weak username/password to get in from outside
- UPnPHost = get onto the network
- Windows Media Player\wmpnetwk.exe = network (WMP network sharing service)
- dfdts.dll = Windows Disk Failure Diagnostic Module
- sdclt.exe = Windows Backup = duplicating/hiding in backup
- taskhost.exe = system tasks (Windows host process for DLL-based services)
- wsqmcons.exe = Windows SQM Consolidator, part of the Microsoft Customer Experience Improvement Program
- Sidney Powells actual website:
- https://defendingtherepublic.org/
- Virus scan = CLEAN (cursory glance) - but curl index.html and note WordPress 5.5.3 and the style of coding
- https://www.virustotal.com/gui/url/070ee27102dc4f71204b7a361cd3d8d165c1a413f694034a69bf5c8ef11fb1fc/details
- other Squatter site:
- http://defendingtherepublic.com/
- https://www.virustotal.com/gui/url/957335c87ef6073e0e9328ac4c70950407d66ba14d39ae8494cea443c03d4351/details
- Status = trackers + suspicious code.
- d1hi41nc56pmug (https://d1hi41nc56pmug.cloudfront.net/static/js/2.e394861c.chunk.js)
- d1hi41nc56pmug (https://d1hi41nc56pmug.cloudfront.net/static/js/main.0d0530da.chunk.js)
- main.0d0530da.chunk.js = RELATED TO MALWARE (per the VirusTotal relations tab):
- https://www.virustotal.com/gui/file/725e3784a2f3fbc25f958a77505cc3cd6dfdce8749d5b88a926083f00db756d5/relations
- acrotray.exe (Acrobat system tray)
- cad0e40d6c564c286b12f6807f06a869f7835a02b13aefe82f0c5ce90de7c1d2 = BIG MALWARE
- https://www.virustotal.com/gui/file/cad0e40d6c564c286b12f6807f06a869f7835a02b13aefe82f0c5ce90de7c1d2/detection
- d0943d85772285ae1d1db251c6b8d210.virus = BIG MALWARE
- https://www.virustotal.com/gui/file/f5ca72eca50ee24a32e61b3363895bed6dce01d9678c3663a1da3e71bea7449d/detection
- Non-secure (http) version:
- http://defendingtherepublic.org/
- https://www.virustotal.com/gui/url/0abc67992b39fe6f7846db304ac1ed6a2695fa45c9bce7f121b5c3fbefad3ea1/details
- HTTP Response
- Final URL = https://ldfftar.org
- !!!!! IMPORTANT URL - remember ldfftar.org, it's meaningful. !!!! DO NOT GO HERE. MORE MAJOR MALWARE.
- https://www.virustotal.com/gui/file/2390024bac144cf28ad2e1c04bd7a2e416e6abb35d117b19e43e6ec8c4ed02ed/details
- curl ldfftar.org
- -------------------
- <script src="/_Incapsula_Resource?SWJIYLWA=5074a744e2e3d891814e9a2dace20bd4,719d34d31c8e3a6e6fffd425f7e032f3">
- </script>
- curl ldfftar.org/_Incapsula_Resource?SWJIYLWA=5074a744e2e3d891814e9a2dace20bd4,719d34d31c8e3a6e6fffd425f7e032f3
- Obfuscated JS = #1
- ----------------------
- b="766172205f3078656238303d5b275c7834345c7836335c7834625c7833335c7837375c7837315c7833335c7834335c7836385c7834385c7835325c7833315c7835395c7835365c7834395c783364272c275c7834355c783464.........
- ;eval((function(){for (var i=0;i<b.length;i+=2){z+=String.fromCharCode(parseInt(b.substring(i,i+2),16));} return z;})());})();
- NOTICE the eval = execution, and the fromCharCode on every 2 chars = hex bytes = obfuscation
- Original file rehosted @ https://files.catbox.moe/mas0lv
- Re-decoded from that obfuscated JS (by carefully running the "b" JavaScript into the "z" string without eval'ing it)
- ----------------------------------------
- #2 = MORE obfuscated JS
- "var _0xeb80=['\\x44\\x63\\x4b\\x33\\x77\\x71\\x33\\x43\\x68\\x48\\x52\\x31\\x59\\x56\\x49\\x3d','\\x45\\x4d\\x4b\\x39\\x77\\x71\\x30\\x6b\\x59\\x38\\x4f\\x6d\\x77\\x36\\x74\\x47\\x77\\x70\\x2f\\x43\\x69\\x32\\x42\\........................
- NOTICE: _0xeb80 is a JavaScript variable name of the kind obfuscators generate (it's not a memory address), and \x44 etc. are hex escapes for ASCII characters, so the array is the script's string table. This is string-array obfuscation rather than shellcode: resolving the escapes gives base64 strings, and each of those still has to be decoded further before it's readable.
- Incapsula_Resource #2 rehosted @ https://files.catbox.moe/dawicp
- Re-decoded from that obfuscated JS = #3
- -----------------------------------------
- Now that this decodes to a metric fuckton of concatenated Base64 strings + mixed-in JavaScript with a complicated execution path, I stopped at this point. It's super gnarly.
- DcK3wq3ChHR1YVI=EMK9wq0kY8Omw6tGwp/Ci2B5w6bCmF7DvQbCvw==bSodb8KtMQ==woTDm8OSw5XDv8KSFDnCnMKQNw==wrImw5NQwqU=wpPCh8OaZQ==wpI0Jg==w7szJw==woUgDBbCgVbCisK6dsO9w4wswrZJTTvCs2suwrvCnlg3wp48KQrCqgjDpA==GsK9wrsla8Osw59wY8O6DA==XXXDlQ==wqw3PQY=w7FNeDDCgMK1w6Y=TyUfVcO+w4PCtVvCoAnDpMOAcQ==BncuFMKkwqI=wr00Qg==RsKHwofCn3pxf1Vqwqgmw6MSw6nDgcOAFcOgGcKAw5tYMsKkw63CjcOZwqvDjsK9wrx0wqFowroUw6/DuWXDhA==w4slLA==wqwkw5k=wrMiGA==woUFCg==H8K8wqclP8Kbwo3DrkHDu8OWwpoBwovCl8ORw5oKBi/CncKWKsONEAxSw6MZJULCjA==HTt1KgttEDUOK1fDukw=wpZawp5pacOhB8OJw7d1GlRkQGjCp8KeCWBNwqErUsORbsK9A1ZEwpDDl8OGwrUWBw==VTbCtBHCiMKzwoXClsO8Ig==OkIuMsK3woM=GDl1Jg==wqYzw4ttwrjCscO5XcO2wrPDg0TDusODwrsQw5rCjMObw51eRBJ1wrA8w5nDgMO3UHnDlg==w5vCv8OBCg==w7jCu8OBO8OSFTs=w5DDjMKuQ8KfIGrCq8Ktwr9Kb8OsM8O2TFY5CcKFwr0lF8OVworCl3TDizPDncOnw6XDgVE=aDYOUQ==OQfCpcKKN8OUBQ==wqd8w79pw7RVw4k6c8K9wqPDnzPDi8OtdcKuwp0=woLCssKIwq8yBA==LcK5wrrClA==EMKxwpI5E3rDlQ==w6pmVMOTwoPCiyURwpHCo1dtC8K+AMKOVkEhag==w74zw6B8w6lFw5gsw4AtEQ==WS3Dvw==bG7DtBc=wrITwqPCjz9Qw7s=QhrCgg==wqYFEwzDujc=GcK8wq0qc8Oqw5F6BcKxwooCG3M=IcKCwrI=w4cqHA==woU3w4tcacKIwocJbBQuw78JEMOYw6TDt3M=I8Oqw7c=YzLCoRA=wrxWwolPb8O/DQ==wqbDm1Urw6VLw67DoMOVwqZXw40=XcKkw7bCjSxsOFoswrh1w4Bww7DCg8OTVsOuQw==FX5Twq0+w5kLJArClg==w5HChgZINg==wq7CjcKpQw==DXbCghdswqLCjA==w4JcIA==KsK+wr/CicOwDzdawo8sWQJQw73Cv8KPwrp5wolTw4LDhwoLw759w6zCunPDu8KBwpLDgw3DuMKowr8iwoPCi8KRwqlWB8Kaw7DCh8KDIsKrKMOmw70NJQsCwqjCt19lw5/DthPDk0/Diw==MCxmw4DDlcK6w4BsHA==NTnDnA==w4wQw68=QTDCgw==üS|P?wì JEü
- 4
- ETC + MORE
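- The three decode stages above (hex pairs -> string table with \xNN escapes -> base64 entries) can all be done without ever eval'ing anything. Added example (my own script, not from the paste and not from the Incapsula script): the first 178 hex characters of SAMPLE_B are copied verbatim from the start of the paste's "b" string, which is why stage 1 yields var _0xeb80=[ and the first entry matches the start of the dump above; the paste truncates the rest, so the tail that cuts the second entry to four characters and closes the array with '];' is constructed here. The "still keyed" check is an assumption on my part: the base64 output being valid UTF-8 with C2 xx byte pairs is the shape javascript-obfuscator's RC4 string-array mode produces, which would mean the key elsewhere in the script is needed before the strings are readable.

```python
import base64
import re

# Constructed sample. First 178 hex chars copied from the paste's `b` string;
# the final 22 (the `\x4b\x39'];` tail) are made up so the array literal closes.
SAMPLE_B = (
    "766172205f3078656238303d5b27"
    "5c7834345c7836335c7834625c7833335c7837375c7837315c7833335c783433"
    "5c7836385c7834385c7835325c7833315c7835395c7835365c7834395c783364"
    "272c275c7834355c783464"
    "5c7834625c783339275d3b"
)

ESC_RE = re.compile(r"\\x([0-9a-fA-F]{2})")           # one \xNN escape
TABLE_RE = re.compile(r"var\s+(_0x[0-9a-fA-F]+)\s*=\s*\[(.*?)\];", re.S)
ELEM_RE = re.compile(r"'((?:\\.|[^'\\])*)'")           # one quoted array element


def stage1_unhex(b):
    """Same transform as the eval((function(){...})()) wrapper, every two hex
    characters become one byte, but done as a pure decode: nothing executes."""
    return bytes.fromhex(b).decode("latin-1")


def stage2_string_table(src):
    """Pull `var _0x....=[ ... ];` out of the stage-1 text and resolve the \\xNN
    escapes in each element. The _0x name is obfuscator-generated, not an address."""
    m = TABLE_RE.search(src)
    if not m:
        return None, []

    def resolve(s):
        return ESC_RE.sub(lambda e: chr(int(e.group(1), 16)), s)

    return m.group(1), [resolve(s) for s in ELEM_RE.findall(m.group(2))]


def stage3_base64(s):
    """The resolved table entries are base64 (the dump in the paste)."""
    return base64.b64decode(s)


def looks_keyed(raw):
    """True when the base64 output is valid UTF-8 but not readable text, i.e. a
    further keyed layer is still in place (assumption: RC4-style string-array
    encoding, whose ciphertext is UTF-8 encoded before base64)."""
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return False
    return any(not c.isprintable() or ord(c) > 0x7F for c in text)


def analyze(hex_blob):
    src = stage1_unhex(hex_blob)
    name, strings = stage2_string_table(src)
    decoded = [stage3_base64(s) for s in strings]
    return {"stage1": src, "table": name, "strings": strings,
            "decoded": decoded, "still_keyed": [looks_keyed(d) for d in decoded]}


if __name__ == "__main__":
    r = analyze(SAMPLE_B)
    print(r["stage1"][:40])
    for s, d, k in zip(r["strings"], r["decoded"], r["still_keyed"]):
        print(f"{s} -> {d.hex()} keyed={k}")
```

- On the sample, stage 2 recovers the table name _0xeb80 and the entries DcK3wq3ChHR1YVI= and EMK9; stage 3 turns the first into the bytes 0d c2 b7 c2 ad c2 84 74 75 61 52, which is not text yet, so the "still keyed" flag is set for both. Point the same functions at the full "b" value from the rehosted file to get the complete table; the base64 layer is the last one this script removes.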
- This proves these sites are directly related to her.
- -----------------------------------------------
- https://duckduckgo.com/?q=ldfftar.org <--malware
- https://duckduckgo.com/?q=fftar.org
- Youtube Account for FFTAR
- ---------------------------
- https://www.youtube.com/watch?v=iVqlYQHuwYQ = The Foundation for the American Republic (FFTAR) - Mission Video and Fundraising Ask! (FFTAR.ORG)
- 3 subscribers
- The Foundation for the American Republic was established to protect the vision of our forefathers and vision they had for a great nation. This video shows just how we do that and why the foundation needs your support!
- Twitter Account for FFTAR
- ---------------------------
- The Foundation for the American Republic promotes and defends the ideals, principles, values and vision of America’s Founders.
- 96 following, 318 followers. Common to my own friend list: LaraLogan, MillieWeaver, TracyBeanz, etc.
- Account exists with 0 content except for 4 likes: ElonMusk, DonaldJTrump "We are going to win 2020 Election BIG Maga" - July 30th, RichHigginsDC, LisaMarieBoothe