JavaScript_obfuscation in keapeiros.xyz

On 2019-06-09T21:44:50.995951+00:00 we found the suspicious pattern JavaScript_obfuscation (type: Suspicious) in the page https://keapeiros.xyz/1clk/12575. JavaScript obfuscation is frequently used to hide malicious code (or in the hope of protecting intellectual property).

The suspicious code sample:


This feature is experimental, so please feel free to contact us if you feel any of the reported issues is a false positive or if you want to suggest a pattern that should be detected (we use the YARA standard).
